fabi/xenia-rs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a4926c73f40b2fa574f9bb6aca837e543218f506
xenia-rs/audit-runs/phase-host-audio-bridge/investigation.md
MechaCat02 ef93a4fa14 handoff: VSync/event-wedge fixes + iterate 2.A–2.BC research notes 
Source changes (dormant parity infra, retained from iterate 2.AI/2.AO):
- xenia-kernel/exports.rs: nt_create_event manual_reset polarity +
  related event wiring
- xenia-gpu/mmio_region.rs: D1MODE_VBLANK_VLINE_STATUS hardcode parity

Also lands the audit-runs/ analysis notes (.md/.txt/.json digests) for the
iterate 2.x VSync/0x10e8/0x1004 wedge investigation. Raw trace dumps
(.jsonl/.gz/.csv/.stdout) and agent worktrees (.claude/) are gitignored as
regenerable local artifacts — see memory + HANDOFF for the running findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 07:19:08 +02:00

197 lines
9.3 KiB
Markdown
Raw Blame History

# Phase Host-Audio-Bridge — Investigation (2026-05-19)
**Outcome**: AUDIT-048 cascade C NOT landed this session. Root cause is upstream
state divergence in XAudio voice struct initialization, NOT a missing host-side
write. Progression metric (swaps=1, draws=0) unchanged. Per-chain matched-prefix
unchanged.
## Diagnosis
### Canary semantics (verified)
- `xenia-canary/src/xenia/apu/audio_system.cc:84-159``AudioSystem::WorkerThreadMain`
is a HOST thread that loops: `WaitAny(client_semaphores_)``processor_->Execute(callback)`.
Semaphores are seeded by `RegisterClient` line 210: `client_semaphore->Release(queued_frames_=8, nullptr)`.
- After SDL plays a frame, `sdl_audio_driver.cc:199` calls `semaphore_->Release(1)` — re-arming
the loop. With `--mute=true`, SDL still consumes frames via `SDLCallback` and still releases.
- **There is NO host-side write to a guest field at offset +356**. The XAudio voice struct
at `r31` is GUEST-allocated and managed entirely by the GUEST callback code at
`0x824D6640` and the XAudio worker thread bodies at `0x824D2878 / 0x824D2940`.
### Ours's current state
- AUDIT-048 Plan B (dedicated guest worker thread, parked on synthetic handle, injected
by ticker) is wired in `xenia-kernel/src/exports.rs:4048-4168` + `xenia-kernel/src/xaudio.rs`
+ `xenia-app/src/main.rs:3461-3536`.
- Ours's tid=11 (entry=0x824D6640 = the registered callback) DOES execute. Per
deadlock dump: `pc=0x824d2a94 lr=0x824d2a94 state=Blocked(WaitAny { handles:
[0x82928B04, 0x82928AE0] })` — the callback called `KeWaitForMultipleObjects`
on two guest dispatchers and is now waiting.
- `xaudio.callback.delivered=1` — only one injection, because `is_in_callback`
stays true while tid=11 is blocked on the real handles (the saved context is
only cleared on `LR_HALT_SENTINEL` return, which tid=11 never reaches).
### The spin loop in tid=9/10 (the XAudio worker guest threads)
PCs `0x824D1400-0x824D141C` (canary tid=14 / ours tid=9):
```
0x824d1400: beqlr cr6 ; return if cr6.eq (success)
0x824d1404: cmpd cr6, r10, r11 ; compare r10 with r11
0x824d1408: beq cr6, 0x824D1420 ; ok-branch on match
0x824d140c: mr r31, r31 ; yield nop
0x824d1410: ld r11, 0(r4) ; reload [r4]
0x824d1414: cmpdi cr6, r11, 0 ; check r11 == 0
0x824d1418: bne cr6, 0x824D1404 ; loop if nonzero
0x824d141c: blr ; return on r11 == 0
```
LR=0x824D22B4 (caller does `addi r4, r31, 356; bl ...; <0x824D22B4 is next>`).
### Live runtime probe (ours, 100M instr, --dump-addr 0x42511040 and 0x42510edc)
At halt (tid=9 still spinning at pc=0x824d140c):
- `r3 = r31 = 0x42510edc` (an XAudio voice/driver struct in heap-mapped guest mem).
- `r4 = r31 + 0x164 (=356) = 0x42511040`.
- `r10 = 0x01010000` (expected success value).
- Last-known `r11 = 0x00000000` (from the load) — **but the spin continues**, so
the value at `[r4]` keeps changing? Or the snapshot doesn't reflect steady state.
Memory dump at `0x42511040`:
```
+0x00: 01 00 00 00 00 00 00 00 → ld interpretation = 0x0100000000000000
+0x10: 00 00 00 03 42 51 10 54 → linked-list head with 3 entries
+0x20...: list nodes with prev/next pointers in 0x4251xxxx range
```
This is a **GUEST-OWNED linked-list / voice-state struct**. Byte 0 = 0x01 is
clearly a "state flag" that distinguishes the poll target. `ld` reads 8 bytes
BE → 0x0100000000000000. r10 expected is 0x01010000 (zero-extended). r11 read
is 0x0100000000000000. Not equal, not zero → spin.
Memory dump at `r31=0x42510edc`:
```
+0x00: 82 00 6c f4 → VTABLE POINTER (code at .rdata 0x82006cf4)
+0x04: 00 00 00 02 → refcount or count
+0x08: 42 51 0e c0 → back-pointer
+0x40: 41 ea 0d 5c → matches XAudio register callback_arg
```
So `r31` is the XAudio voice object Sylpheed allocates and passes as the callback
argument. The vtable at `0x82006cf4` is `ANON_Class_*` per `sylpheed.db`. The
voice owns a linked list (head at +0x164) that tracks audio buffers / voice state.
### Why ours diverges from canary
Ours's tid=9 sees `[r31+356]` as `0x0100000000000000`; canary's tid=14 sees it as
`0x0000000000000000` (or `0x0000000001010000` matching r10). Both engines run
identical guest code starting from the same .data values. So the divergence
must be a **kernel-call return value** OR a **memory write** that happens
between thread spawn and the spin loop.
Per cross-trace of tid=9 events idx 0..76 vs canary tid=14 events 0..~80,
the **kernel return values match** (KeWaitForSingleObject→0, KeRaiseIrqlToDpcLevel
returns the same sequence 0,2,2,2 etc., KfLowerIrql→0). The setup chain emits
the same events. **But host_ns wall-clock diverges**: canary's KeWaitForSingleObject
blocks for ~85ms (1727→1813 ms); ours's wait returns in ~7 microseconds
(1603890→1603904 ns).
### The root cause class
This is **upstream scheduling divergence**, not host-bridge missing:
1. In **canary**: tid=11 (host AudioSystem WorkerThreadMain) starts FIRST and runs
the callback at 0x824D6640. The callback modifies the XAudio voice struct
(clearing byte at +0x164). Then tid=14 spawns, hits the spin, sees zero,
proceeds.
2. In **ours**: tid=9/10 are spawned by main and resumed via `KeResumeThread`.
They start running BEFORE the audio ticker (period 48,000 instructions) ever
fires. tid=9 hits the spin loop with the struct in its uninitialized state
(byte +0x164 = 0x01). Stuck forever.
The audio worker (tid=11) DOES eventually get injected and runs, but by then
tid=9/10 are stuck in the spin loop and the callback blocks on guest dispatchers
that only tid=9/10 can signal — circular deadlock.
## Why a host-side write is the wrong fix
The session brief hypothesizes a missing host-side write to clear `[r31+356]`.
This is not correct:
- Canary's host audio worker does NOT write to any guest VA in the +356 range.
It only calls `processor_->Execute(callback)` and waits on its host semaphore.
- The byte at offset 0x164 of the voice struct is touched only by GUEST code
(the callback or the worker functions). No host code in either engine reaches
into that field.
- The "missing write" framing came from assuming the host audio worker does
something analogous to SubmitFrame's buffer-complete bookkeeping. SubmitFrame
only acks the host SDL driver semaphore (line 199); it does not modify the
voice struct at +356.
Writing 0 to `[r31+356]` from host code would be a band-aid that crosses
reading-error #23 (matching divergent guest behavior) and risks corrupting
the voice struct's invariants.
## What the correct fix shape would be
To make ours converge to canary's behavior, the audio worker callback at
0x824D6640 needs to RUN AND COMPLETE before tid=9/10 reach the spin loop.
**Option A — Force-fire callback at register time**: Inside
`xaudio_register_render_driver`, after spawning tid=11, synchronously execute
the callback to completion (treat as a synchronous shim). Tricky because the
callback calls KeWaitForMultipleObjects which would block.
**Option B — Defer spawn of tid=9/10 in guest**: Not feasible — guest controls
spawn timing.
**Option C — Inject the callback eagerly + spin tid=11 forward**: Tick the
audio loop hundreds of times immediately at register. But tid=11 blocks on
guest objects that need tid=9/10 to be running already.
**Option D — Match canary's actual concurrency model**: Spawn tid=11 as a
native HOST thread that runs `processor_->Execute(callback)`-equivalent. This
is a significant rework of the threading model.
**Option E — Identify the specific guest write that clears +0x164 in canary**:
Disassemble sub_824D6640 (the callback) and find the store. Then ensure ours's
execution of the callback reaches that store before tid=9/10 spin. Requires
fixing the deeper scheduling-ordering issue.
None of these is a 30-150 LOC fix. All require either:
- Architectural threading-model changes
- Sub-cycle ordering control between guest threads
- Deep guest-code disassembly + emulation of the byte-clear path
## Recommendation
This session declines to land a fix. The session brief's hypothesis (missing
host-side write to clear [r31+356]) is empirically wrong: the byte is owned
by guest code in both engines. The deferred AUDIT-048 cascade C is correctly
deferred — the necessary work is **scheduling-ordering matching**, not
host-bridge wiring.
Next-session recommendation: probe-instrument the byte at `r31+0x164` for the
XAudio voice (around `0x42511040` ours, similar address canary) on FIRST guest
write. Identify in canary trace which PC writes the byte and on which tid.
That's the actual fix target.
## Per-chain delta (no change)
| chain | pre | post | delta |
|------:|----:|-----:|------:|
| main tid=6→1 | 105,046 | 105,046 | 0 |
| sister tid=14→9 | 41 | 41 | 0 |
| sister tid=15→10 | 16 | 16 | 0 |
| sister tid=4→4 | preserved | preserved | 0 |
| sister tid=11→11 | preserved | preserved | 0 |
| sister tid=16→16 | preserved | preserved | 0 |
| **swaps** | **1** | **1** | **0** |
| **draws** | **0** | **0** | **0** |
## Artifacts
- `investigation.md` (this file)
- Cold trace: `/tmp/ours-cold.jsonl` (121k events, halt-on-deadlock after 100M instr cap)
- Memory dumps captured via `--dump-addr 0x42511040` and `--dump-addr 0x42510edc`
- Phase B `image_canonical_sha256 = ea8d160e…` UNCHANGED (no engine modification)
Reference in New Issue View Git Blame Copy Permalink