xenia-rs/audit-runs/phase-c6half-sister-sweep/sister-fixes.md

# Phase 1+2+3 — sister-bug + hallucination fixes (Phase C+6½)

All fixes land in `crates/xenia-kernel/src/exports.rs`. No
`state.rs` changes (re-uses the `register_unimplemented_export` API
introduced in C+6).

## Phase 1 — Class-E sister sweep (8 ords)

For each, behavior verification per CLI directive:

| ord | name | reg-kind change | body verified | severity | notes |
|---|---|---|---|---|---|
| 0x003 | DbgPrint | `register_export` → `register_unimplemented_export` | reads cstring at gpr[3], logs, sets gpr[3]=0 — harmless side effect | LOW (rename only, body kept) | Body retains `tracing::info!` for diagnostics; only Phase A emitter goes silent. |
| 0x119 | RtlCaptureContext | `register_export` → `register_unimplemented_export` | writes ctx.gpr[0..32] to guest mem at *gpr[3] — guest-visible side effect retained | LOW | Body kept; Phase A emitter silent. |
| 0x13B | sprintf | `register_export` → `register_unimplemented_export` | naïve fmt→dest copy (no varargs interpretation); harmless | LOW | Body kept; Phase A emitter silent. |
| 0x147 | RtlUnwind | `register_export` → `register_unimplemented_export` | `tracing::warn!` only — no-op | LOW | Body kept; Phase A emitter silent. |
| 0x14D | _vsnprintf | `register_export` → `register_unimplemented_export` | naïve fmt→dest copy; harmless | LOW | Body kept; Phase A emitter silent. |
| 0x1A5 | __C_specific_handler | `register_export` → `register_unimplemented_export` | logs + returns ExceptionContinueSearch (1) | LOW | Body kept; Phase A emitter silent. |
| 0x257 | XeKeysConsoleSignatureVerification | `register_export` → `register_unimplemented_export` | `stub_success` (gpr[3]=0) — no-op | LOW | Body kept; Phase A emitter silent. |
| 0x259 | StfsCreateDevice | `register_export` → `register_unimplemented_export` | `stub_success` | LOW — **drives tid=7→tid=2 advance** | C+6 noted this specifically. Verified +11 advance in Phase 4 diff. |
| 0x25A | StfsControlDevice | `register_export` → `register_unimplemented_export` | `stub_success` | LOW | Body kept; Phase A emitter silent. |

**Total Phase 1: 9 LOW-severity rename-only fixes** (all bodies kept
intact; only emitter coverage suppressed to match canary's
syscall-thunk silence).

## Phase 2 — Hallucinated import behavior fixes (2 ords)

### ord 0x82 — `KeQueryInterruptTime` (CRITICAL)

| step | action |
|---|---|
| 1. Verified ours's pre-fix body | `ke_query_ideal_processor`: returned `thread.ideal_processor` u8 via `gpr[3]`. |
| 2. Verified canary's body | `KeQueryInterruptTime_entry` (xboxkrnl_misc.cc:119-127): returns `bundle->interrupt_time` u64 via gpr[3]. |
| 3. Verified canary's shim status | DECLARED (`xboxkrnl_misc.cc:127`) — both engines emit Phase A events. NOT class E. |
| 4. Body fix | New `fn ke_query_interrupt_time` returns synthetic `0x0000_0001_0000_0000` (monotonic u64, matches `ke_query_system_time` static-fake pattern). |
| 5. Registration fix | `register_export(0x82, "KeQueryInterruptTime", ke_query_interrupt_time)`. |
| 6. Old body | `fn ke_query_ideal_processor` DELETED. Scheduler's `ideal_ref` method retained (used by `NtSetInformationThread::ThreadIdealProcessor`). |
| 7. Test | New unit test `ke_query_interrupt_time_returns_synthetic_u64` asserts non-zero u64 (> u32::MAX), guarding against regression to a byte-sized return. |

### ord 0x98 — `KeSetBackgroundProcessors` (CRITICAL)

| step | action |
|---|---|
| 1. Verified ours's pre-fix body | `ke_set_ideal_processor`: set `thread.ideal_processor = ctx.gpr[4] as u8`, returned prev. **Active wrong state mutation.** |
| 2. Verified canary's body | NOT DECLARED. Canary routes through syscall thunk → no state mutation. Effective semantics: no-op. |
| 3. Verified canary's shim status | Class E (table-entry-only). Phase A emits NOTHING for this ord. |
| 4. Body fix | Body replaced with `stub_success` (no state mutation, matches canary's no-op semantics). |
| 5. Registration fix | `register_unimplemented_export(0x98, "KeSetBackgroundProcessors", stub_success)`. Suppresses Phase A emitter (matches canary). |
| 6. Old body | `fn ke_set_ideal_processor` DELETED. Scheduler's `set_ideal_ref` method retained (used by `NtSetInformationThread::ThreadIdealProcessor`). |
| 7. Test | Renamed `ke_set_ideal_processor_round_trips` → `scheduler_ideal_processor_round_trips`, exercises the scheduler methods directly (still validating the round-trip relied on by `nt_set_information_thread`). |

## Phase 3 — Additional findings

**None.** Phase 0's full ord scan surfaced exactly 2 hallucinations
(both already flagged by C+6) and 11 class-E candidates (10 new + 1
C+6 already fixed). No ghost ords. No other name mismatches.

## LOC footprint

| section | LOC delta |
|---|---|
| Registration calls (10 lines changed + 30 lines of comment context) | +35 net |
| `fn ke_query_interrupt_time` (12 lines including doc) | +12 |
| Removed `fn ke_set_ideal_processor` body | -10 |
| Removed `fn ke_query_ideal_processor` body | -12 |
| Doc-block replacing both above | +35 |
| Unit test rename + new `ke_query_interrupt_time` test | +20 |
| **Total** | **~80 net additive** |

All changes in `crates/xenia-kernel/src/exports.rs`. State.rs untouched
(reused C+6's `register_unimplemented_export` API). Diff tool untouched.
Canary untouched.

## Behavior verification summary

Per the CLI directive "DO NOT JUST RENAME": every fix in this session
had a body-level verification step. Specifically:

* **Phase 1 (9 ords)**: bodies retained as-is. Verified each body is
  harmless side-effect-only OR `stub_success`. No behavior change;
  only emitter coverage adjusted.
* **Phase 2 (2 ords)**: bodies replaced. ord 0x82's new body returns
  semantically-correct u64 (vs. wrong u8 ideal-processor). ord 0x98's
  body removed (no state mutation, matches canary's no-op syscall
  thunk).

Both Phase 2 hallucinated ords are LATENT in the current 50M run (0
hits in event log) — fix prevents future divergence when boot
progresses past current matched-prefix horizon.