Rule out shellless event metadata clone path

Jan Petykiewicz 2026-04-21 19:07:07 -07:00
commit 2b57690c1d
4 changed files with 33 additions and 1 deletions


@ -291,7 +291,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
0x0042df70,63,scenario_event_condition_row_list_has_class_bit1_or_flag7fa_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Companion predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as `0x0042df30`, tests each nonnegative row id against class-bit `0x02` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to event-record byte `[event+0x7fa]`. Current grounded caller is the `EventConditions.win` refresh path at `0x004da1de`, so this now reads as the class-bit-1 condition-summary gate rather than another anonymous list helper.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-flag correlation"
0x0042dfb0,62,scenario_event_condition_row_list_has_class_bit2_or_type63_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Companion predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as `0x0042df30`, tests each nonnegative row id against class-bit `0x04` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to the event-record dword check `[event+0x7f0] == 0x63`. Current grounded caller is the `EventConditions.win` refresh path at `0x004da2be`, so this now reads as the class-bit-2 condition-summary gate rather than another generic scan.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-type correlation"
0x0042dff0,82,scenario_event_condition_row_list_has_any_class_bit012_or_special_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Broad predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as the smaller `0x0042df30/0x0042df70/0x0042dfb0` family, tests each nonnegative row id against any of class bits `0x01|0x02|0x04` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to any of the three special event-record checks `[event+0x7f9]`, `[event+0x7fa]`, or `[event+0x7f0] == 0x63`. Current grounded caller is the early `EventConditions.win` refresh gate at `0x004da17d`, so this now reads as the broad condition-summary eligibility probe rather than a generic linked-list walk.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-flag correlation"
0x0042e050,603,scenario_event_clone_runtime_record_deep_copy,scenario,cdecl,inferred,objdump + caller xrefs + local disassembly + shell-event-window correlation,2,"Deep-copy helper for one already-materialized live event runtime record. The helper copies the six fixed text bands at destination offsets `+0x0e0`, `+0x401`, `+0x4ca`, `+0x593`, `+0x65c`, and `+0x725`, mirrors the compact event metadata band at `+0x7ee..+0x80e`, then deep-copies the standalone `0x1e`-row linked list and the four grouped `0x28`-row linked lists from one live event-runtime record into the caller-supplied destination record. Current grounded caller is `shell_event_conditions_window_append_blank_or_clone_selected_event_via_name_modal` `0x004db8b0`, where it clones the currently selected live event into a newly created event record before selector refresh. This is therefore the safest current owner for deep-copy of an already-materialized event runtime record rather than another packed-state loader or an effects-only staging helper.","objdump + caller xrefs + local disassembly + shell-event-window correlation + deep-copy correlation"
0x0042e050,603,scenario_event_clone_runtime_record_deep_copy,scenario,cdecl,inferred,objdump + caller xrefs + local disassembly + shell-event-window correlation,2,"Deep-copy helper for one already-materialized live event runtime record. The helper copies the six fixed text bands at destination offsets `+0x0e0`, `+0x401`, `+0x4ca`, `+0x593`, `+0x65c`, and `+0x725`, mirrors the compact event metadata band at `+0x7ee..+0x80e`, then deep-copies the standalone `0x1e`-row linked list and the four grouped `0x28`-row linked lists from one live event-runtime record into the caller-supplied destination record. The negative boundary is tighter now too: the current whole-binary caller search still grounds only one caller, `shell_event_conditions_window_append_blank_or_clone_selected_event_via_name_modal` `0x004db8b0`, where it clones the currently selected live event into a newly created event record before selector refresh; no grounded post-load, world-entry, or periodic-service caller currently re-enters this helper. This is therefore the safest current owner for deep-copy of an already-materialized event runtime record rather than another packed-state loader or an effects-only staging helper.","objdump + caller xrefs + local disassembly + shell-event-window correlation + deep-copy correlation + caller-boundary correlation"
0x0042c1b0,886,placed_structure_redistribute_local_service_pressure_from_neighbors,map,thiscall,inferred,objdump + caller xrefs + neighborhood sweep inspection,3,"Neighbor-aware local-service post-pass for one placed-structure or site record. The helper first builds a bounded set of nearby site references by scanning offset patterns from `0x00624b28` and `0x00624b48` against the world-grid tables rooted at `[0x0062c120+0x2129]`, keeping only neighbors whose state byte at `+0x0e6` is compatible with the current site and recording per-neighbor weights derived from the local word tables near `[site+0x00]` and `[site+0x0f3]`. It then walks the live candidate collection and, for each live non-remapped candidate, chooses the strongest positive neighbor deficit after scaling through the candidate-side weight at `[candidate+0x52]`; when a positive deficit remains it commits the redistribution through `0x0042bf80`. Current grounded caller is the composite local refresh `0x0042d580`, so this looks like the neighboring-site redistribution pass beneath the local service-score bundle rather than an independent outer loop.","objdump + caller xrefs + neighborhood sweep inspection + candidate-weight correlation"
0x0041eac0,794,structure_candidate_collection_refresh_cargo_economy_filter_flags,map,thiscall,inferred,objdump + caller xrefs + callsite inspection + rdata strings,3,"Collection-wide refresh of one cargo-economy-sensitive candidate flag in the live structure collection at `0x0062ba8c`. The helper first walks the global candidate pool at `0x0062b268`, filters category-`2` entries through the paired availability bytes `[candidate+0xba]` and `[candidate+0xbb]` plus the recipe-runtime latch `[candidate+0x7ac]`, and builds one temporary per-cargo mask keyed by cargo names such as `Clothing`, `Cheese`, `Meat`, `Ammunition`, `Weapons`, `Diesel`, `Troops`, and `Passengers`; one special-case branch also uses structure labels such as `Barracks` and `Recycling Plant` while consulting the region collection at `0x0062bae0`. It then iterates the live structure collection itself, combines that temporary cargo mask with the candidate-local bytes `[entry+0x47]`, `[entry+0x48]`, and `[entry+0x49]`, the runtime cargo-economy latch at `[0x006cec74+0x25f]`, and the live copy of special-condition slot `31` `Use Wartime Cargos` at `[0x006cec78+0x4afb]`; when that slot is set the branch at `0x0041ed37` further tests the wartime cargo family `Clothing`, `Cheese`, `Meat`, `Ammunition`, `Weapons`, and `Diesel` before writing the resulting enabled-or-filtered state into `[entry+0x56]` and re-entering `0x0041e970` to rebuild the derived visible counts. Current grounded callers are the collection-side setup path around `0x0041f4cb` and the runtime toggle branch at `0x0046577c`, where the same `0x006cec74+0x25f` bit is flipped directly; that makes this the strongest current bridge from the editor's `Disable Cargo Economy` rule plus the `Use Wartime Cargos` scenario rule into live structure-candidate filtering rather than a purely editor-side helper.","objdump + caller xrefs + callsite inspection + rdata strings + special-condition correlation"
0x00421b60,180,world_region_collection_seed_default_regions,map,thiscall,inferred,objdump + strings + callsite inspection,4,"Seeds the default numbered region family on the manager collection at `0x0062bae0`. The helper pumps shell progress through `0x004834e0`, repeatedly creates collection entries through `0x00421660`, formats their labels from localized string id `2908` `Region %1` plus the `%02d` pattern at `0x005c9aec`, marks the created records live through `[entry+0x23e]`, and then finalizes the region set through `0x00421730` against the active world root at `0x0062c120`. Current grounded callsites are the post-load generation pipeline at `0x004384d0` and the broader world-build path around `0x004476ec`, so this now looks like region-set seeding rather than generic player or company setup.","objdump + RT3.lng strings + caller xrefs + callsite inspection"
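Review bot: The new negative claim in the `0x0042e050` row ("no grounded post-load, world-entry, or periodic-service caller currently re-enters this helper") rests on a "whole-binary caller search" whose scope is never stated, and the evidence column only gains the label "caller-boundary correlation". A search over direct `call` xrefs would not see a call made through a function pointer or table entry, so please say in the row whether the search covered only direct calls or also data references to the address `0x0042e050`. The wording "The negative boundary is tighter now too" also reads as a changelog entry inside a long-lived table row and will go stale; stating the boundary without "now too" would keep the row self-contained.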



@ -105,6 +105,21 @@ The ordinary reload strip is bounded in the same negative way now:
So the remaining late-bringup/control-lane frontier stays between reload and service rather than
inside the already-bounded restore loop itself.
## Deep-Copy Boundary
- `0x0042e050`
- remains the one grounded helper that mirrors metadata band `+0x7ee..+0x80e`, including
`[event+0x7ef]`
- but the current whole-binary caller search still grounds only the shell-side selected-event
clone path `0x004db8b0`
- no grounded post-load, world-entry, or periodic-service caller currently re-enters `0x0042e050`
So the late-bringup/control-lane question narrows again:
- shell event cloning can preserve trigger-kind metadata
- but there is still no grounded shellless duplication path between reload and the late kind-`8`
service
## Current Writer Census
The direct writer set for `[event+0x7ef]` is narrower now too:
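Review bot: The conclusion in the added "Deep-Copy Boundary" section ("there is still no grounded shellless duplication path between reload and the late kind-`8` service") follows only from the caller set of one helper, `0x0042e050`, so it bounds that helper rather than every routine that could copy `[event+0x7ef]`. Any other copy would have to show up as a writer of that byte, so the section should point at the "Current Writer Census" that follows it as the second half of the argument, or be worded as "no grounded caller of `0x0042e050`" instead of "no duplication path". The commit subject says "Rule out", which is stronger than the "still no grounded" wording used here; the two should agree. The "late kind-`8` service" is also named without an address, unlike `0x0042e050` and `0x004db8b0` in the same list, so adding its address would make the boundary checkable.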