From 2714e860f498c128d531175b59d8e2e12ee4b629 Mon Sep 17 00:00:00 2001 From: Jan Petykiewicz Date: Tue, 21 Apr 2026 18:59:04 -0700 Subject: [PATCH] Tighten runtime-effect kind-8 writer census --- .../runtime-effect-kind8-late-bringup-note.md | 12 ++++++++++++ docs/rehost-queue.md | 1 + .../periodic-company-control-lane-2026-04-21.md | 12 ++++++++++++ 3 files changed, 25 insertions(+) diff --git a/artifacts/exports/rt3-1.06/runtime-effect-kind8-late-bringup-note.md b/artifacts/exports/rt3-1.06/runtime-effect-kind8-late-bringup-note.md index aa56751..14603ed 100644 --- a/artifacts/exports/rt3-1.06/runtime-effect-kind8-late-bringup-note.md +++ b/artifacts/exports/rt3-1.06/runtime-effect-kind8-late-bringup-note.md @@ -131,6 +131,18 @@ So the active periodic-company/control-lane question narrows again: - and the currently grounded nonzero seed outside the scenario-name retags is the follow-on builder reached from the service/dispatch family rather than from the reload loop itself +The direct-write census is tighter than that summary alone: + +- current whole-binary `objdump` search for `mov BYTE PTR [...+0x7ef], imm/reg` grounds only: + - zero-init `0x0042d5a0` + - copy helper `0x0042e11a` + - follow-on builder `0x00430b50` + - late retags `0x00443526` and `0x00443601` + - shell editor selector table `0x004d8ea0` +- the only grounded explicit `kind 8` write is `0x004d91b3`, inside the shell-side selector table + for controls `0x4e98..0x4ea2` +- no grounded shellless runtime-side direct writer currently seeds `8` into `[event+0x7ef]` + ## Ruled-Out Shell Seed Table The large remaining direct writer table is bounded now too: diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index 53e7fc4..c63eec6 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md 
@@ -13,6 +13,7 @@ This file is the short active queue for the current runtime and reverse-engineer - Keep the periodic-company trace as the main shellless simulation frontier, with the next concrete control-lane pass focused on the ordinary loaded runtime-effect strip `0x00444d92 -> 0x00432f40(kind 8) -> 0x004323a0 -> 0x00431b20`. The checked `rt3_105/maps` compact-dispatch corpus is now exported directly and partially mirrored into the periodic-company trace: `41` maps scanned, `38` with dispatch-strip rows, `318` nondirect rows total, the add-building subset is only `10` grouped occurrences across `7` descriptor keys, and the strongest broader nondirect families are now bounded too at `36` grouped occurrences across `18` maps for `nondirect-ge1e-h0001-0360-0004-0100-0200-p0000-0000-0000-ffff :: [864:4]` plus `27` across `14` maps for the mixed `[-1:4]` cluster. All of those checked rows still lack recovered trigger kind. The packed-state bridge is narrower than that queue head used to allow too: `0x0042db20/0x00430d70` rebuild and serialize only the fixed text bands plus the standalone and grouped row lists, while the metadata band `+0x7ee..+0x80e` is only mirrored by deep-copy helper `0x0042e050`. The active open question is therefore which ordinary loaded rows acquire or bypass the missing trigger-kind control lane before they can reach placed-structure mutation opcodes. The largest direct writer table is ruled out now too: `0x004d8ea0` is the shell-side `EventConditions.win` commit helper, where controls `0x4e98..0x4ea2` write `[event+0x7ef] = 0..10` on the currently selected live event, so that seed family does not explain shellless post-load bringup. + The direct write census is tighter in the same direction: the only grounded explicit write of value `8` into `[event+0x7ef]` is `0x004d91b3` inside that same shell helper, while the runtime-side grounded writers still only cover zero-init, copy, `2/3` follow-on seeds, and the later `5` / `2` retags. 
Preserved checked control-lane detail now lives in [Periodic company control lane](rehost-queue/periodic-company-control-lane-2026-04-21.md). - Keep the next static Tier-2 building pass focused on the earlier seed/projection seam into `0x00412d70`, not another broad `BuildingTypes` sweep. The grounded owner strip is `0x004196c0 -> 0x00414490 -> 0x00416ce0 -> 0x00419230`, and the checked candidate-table exports now keep the concrete scenario-side families explicit too: among the `37` probe-bearing maps, `Port00/Warehouse00` stay at `35/43` on `30` maps and shift earlier to `10/18` on `7`, while `Port01..11` / `Warehouse01..11` stay fixed at `45..55` / `56..66` and the numbered trailer family splits independently at `0x00000001 -> 28 maps` versus `0x00000000 -> 9 maps`. The new crossover matrix stays mixed rather than collapsing to one side too: `35/43 :: 0x00000001 -> 25 maps`, `35/43 :: 0x00000000 -> 5 maps`, `10/18 :: 0x00000000 -> 4 maps`, and `10/18 :: 0x00000001 -> 3 maps`. The checked header-cluster export keeps the same root scan bounded to only `3` families: `0x00000000 / 0x00000000 -> 27 maps`, `0xcdcdcdcd / 0xcdcdcdcd -> 9 maps`, and `0x10000000 / 0x00009000 -> 1 map` (`Alternate USA.gmp`). The stock `BuildingTypes` side is narrower too: across `77` checked `.bca` files only `MachineShop.bca` carries nonzero selector bytes at `0xb8..0xbb`, while the broader nonzero stock signal lives in the `22`-file `.bty` alias-root family with `dword_0xbb = 0x000001f4`, especially the `TextileMill` branch that already covers `Port.bty` and `Warehouse.bty`. The active open question is therefore which earlier seed/projection path lifts that narrow stock-side signal and the fixed numbered cluster into nonzero live `[candidate+0xba/+0xbb]` before `0x00412d70` and `0x00419230` consume it. diff --git a/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md b/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md index e0f3d44..4b44d26 100644 
--- a/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md +++ b/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md @@ -185,6 +185,18 @@ So the remaining control-lane question is narrower again: - and the currently grounded nonzero seed outside the scenario-name retags is the follow-on builder reached from the service/dispatch family rather than from the reload loop itself +The direct-write census is narrower than that bullet list alone suggests: + +- current whole-binary `objdump` search for `mov BYTE PTR [...+0x7ef], imm/reg` grounds only: + - zero-init `0x0042d5a0` + - copy helper `0x0042e11a` + - follow-on builder `0x00430b50` + - late retags `0x00443526` and `0x00443601` + - shell editor selector table `0x004d8ea0` +- the only grounded explicit `kind 8` write is `0x004d91b3`, inside the shell-side selector table + for controls `0x4e98..0x4ea2` +- no grounded shellless runtime-side direct writer currently seeds `8` into `[event+0x7ef]` + ## Ruled-Out Shell Seed Table The largest remaining direct writer family is no longer ambiguous either:
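Review bot: In the `runtime-effect-kind8-late-bringup-note.md` hunk, the closing bullet `no grounded shellless runtime-side direct writer currently seeds 8 into [event+0x7ef]` reads more broadly than the search behind it supports. The first bullet scopes the census to `mov BYTE PTR [...+0x7ef], imm/reg`, which does not match wider stores that cover `+0x7ef` (the neighbouring queue text places it inside the `+0x7ee..+0x80e` metadata band), block copies, or stores through a computed pointer. Suggest stating that limit in the last bullet, and recording the exact `objdump` invocation and the identity of the binary searched so the census can be rerun.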
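Review bot: In the `docs/rehost-queue.md` hunk, the added sentence identifies the runtime-side writers by value (`2/3` follow-on seeds, the later `5` / `2` retags), while the bullet lists added to the other two files identify them by address only, so the two forms cannot be matched without reopening the binary. Suggest adding the addresses here or the stored values to the bullets. The copy writer also needs a qualifier in this sentence: it is listed among the grounded writers and, as a copy, presumably stores whatever its source record holds, so "the only grounded explicit write of value `8`" should say that a copied `8` is outside what this census rules out.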
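Review bot: In the `periodic-company-control-lane-2026-04-21.md` hunk, the added block repeats the bullet list from `runtime-effect-kind8-late-bringup-note.md` word for word apart from its lead sentence, so the two copies can drift on the next census update. Suggest keeping the list in one file and linking to it from the other, the way `docs/rehost-queue.md` already links to the control-lane note. The list also mixes address granularity without saying so: `0x004d8ea0` is given as the selector table while `0x004d91b3` is a store inside it, and the copy helper appears here as `0x0042e11a` where `docs/rehost-queue.md` names the deep-copy helper `0x0042e050`. Marking each entry as a function entry or a store site would remove the ambiguity.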