jan/rrt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rule out shellless event metadata clone path

Browse source
This commit is contained in:
Jan Petykiewicz 2026-04-21 19:07:07 -07:00
commit 2b57690c1d
4 changed files with 33 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
artifacts/exports/rt3-1.06/function-map.csv
View file

@ -291,7 +291,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
0x0042df70,63,scenario_event_condition_row_list_has_class_bit1_or_flag7fa_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Companion predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as `0x0042df30`, tests each nonnegative row id against class-bit `0x02` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to event-record byte `[event+0x7fa]`. Current grounded caller is the `EventConditions.win` refresh path at `0x004da1de`, so this now reads as the class-bit-1 condition-summary gate rather than another anonymous list helper.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-flag correlation" 0x0042df70,63,scenario_event_condition_row_list_has_class_bit1_or_flag7fa_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Companion predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as `0x0042df30`, tests each nonnegative row id against class-bit `0x02` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to event-record byte `[event+0x7fa]`. Current grounded caller is the `EventConditions.win` refresh path at `0x004da1de`, so this now reads as the class-bit-1 condition-summary gate rather than another anonymous list helper.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-flag correlation"
0x0042dfb0,62,scenario_event_condition_row_list_has_class_bit2_or_type63_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Companion predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as `0x0042df30`, tests each nonnegative row id against class-bit `0x04` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to the event-record dword check `[event+0x7f0] == 0x63`. Current grounded caller is the `EventConditions.win` refresh path at `0x004da2be`, so this now reads as the class-bit-2 condition-summary gate rather than another generic scan.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-type correlation" 0x0042dfb0,62,scenario_event_condition_row_list_has_class_bit2_or_type63_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Companion predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as `0x0042df30`, tests each nonnegative row id against class-bit `0x04` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to the event-record dword check `[event+0x7f0] == 0x63`. Current grounded caller is the `EventConditions.win` refresh path at `0x004da2be`, so this now reads as the class-bit-2 condition-summary gate rather than another generic scan.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-type correlation"
0x0042dff0,82,scenario_event_condition_row_list_has_any_class_bit012_or_special_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Broad predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as the smaller `0x0042df30/0x0042df70/0x0042dfb0` family, tests each nonnegative row id against any of class bits `0x01|0x02|0x04` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to any of the three special event-record checks `[event+0x7f9]`, `[event+0x7fa]`, or `[event+0x7f0] == 0x63`. Current grounded caller is the early `EventConditions.win` refresh gate at `0x004da17d`, so this now reads as the broad condition-summary eligibility probe rather than a generic linked-list walk.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-flag correlation" 0x0042dff0,82,scenario_event_condition_row_list_has_any_class_bit012_or_special_fallback,scenario,thiscall,inferred,objdump + EventConditions.win refresh correlation + static-bit-table inspection,2,"Broad predicate over the standalone `0x1e`-row event-condition list. The helper walks the same linked list as the smaller `0x0042df30/0x0042df70/0x0042dfb0` family, tests each nonnegative row id against any of class bits `0x01|0x02|0x04` in the static condition table at `0x005f3e04 + id*0x81`, and returns true on the first match. Rows with id `-1` instead fall back to any of the three special event-record checks `[event+0x7f9]`, `[event+0x7fa]`, or `[event+0x7f0] == 0x63`. Current grounded caller is the early `EventConditions.win` refresh gate at `0x004da17d`, so this now reads as the broad condition-summary eligibility probe rather than a generic linked-list walk.","objdump + EventConditions.win refresh correlation + static-bit-table inspection + fallback-flag correlation"
0x0042e050,603,scenario_event_clone_runtime_record_deep_copy,scenario,cdecl,inferred,objdump + caller xrefs + local disassembly + shell-event-window correlation,2,"Deep-copy helper for one already-materialized live event runtime record. The helper copies the six fixed text bands at destination offsets `+0x0e0`, `+0x401`, `+0x4ca`, `+0x593`, `+0x65c`, and `+0x725`, mirrors the compact event metadata band at `+0x7ee..+0x80e`, then deep-copies the standalone `0x1e`-row linked list and the four grouped `0x28`-row linked lists from one live event-runtime record into the caller-supplied destination record. Current grounded caller is `shell_event_conditions_window_append_blank_or_clone_selected_event_via_name_modal` `0x004db8b0`, where it clones the currently selected live event into a newly created event record before selector refresh. This is therefore the safest current owner for deep-copy of an already-materialized event runtime record rather than another packed-state loader or an effects-only staging helper.","objdump + caller xrefs + local disassembly + shell-event-window correlation + deep-copy correlation" 0x0042e050,603,scenario_event_clone_runtime_record_deep_copy,scenario,cdecl,inferred,objdump + caller xrefs + local disassembly + shell-event-window correlation,2,"Deep-copy helper for one already-materialized live event runtime record. The helper copies the six fixed text bands at destination offsets `+0x0e0`, `+0x401`, `+0x4ca`, `+0x593`, `+0x65c`, and `+0x725`, mirrors the compact event metadata band at `+0x7ee..+0x80e`, then deep-copies the standalone `0x1e`-row linked list and the four grouped `0x28`-row linked lists from one live event-runtime record into the caller-supplied destination record. The negative boundary is tighter now too: the current whole-binary caller search still grounds only one caller, `shell_event_conditions_window_append_blank_or_clone_selected_event_via_name_modal` `0x004db8b0`, where it clones the currently selected live event into a newly created event record before selector refresh; no grounded post-load, world-entry, or periodic-service caller currently re-enters this helper. This is therefore the safest current owner for deep-copy of an already-materialized event runtime record rather than another packed-state loader or an effects-only staging helper.","objdump + caller xrefs + local disassembly + shell-event-window correlation + deep-copy correlation + caller-boundary correlation"
0x0042c1b0,886,placed_structure_redistribute_local_service_pressure_from_neighbors,map,thiscall,inferred,objdump + caller xrefs + neighborhood sweep inspection,3,"Neighbor-aware local-service post-pass for one placed-structure or site record. The helper first builds a bounded set of nearby site references by scanning offset patterns from `0x00624b28` and `0x00624b48` against the world-grid tables rooted at `[0x0062c120+0x2129]`, keeping only neighbors whose state byte at `+0x0e6` is compatible with the current site and recording per-neighbor weights derived from the local word tables near `[site+0x00]` and `[site+0x0f3]`. It then walks the live candidate collection and, for each live non-remapped candidate, chooses the strongest positive neighbor deficit after scaling through the candidate-side weight at `[candidate+0x52]`; when a positive deficit remains it commits the redistribution through `0x0042bf80`. Current grounded caller is the composite local refresh `0x0042d580`, so this looks like the neighboring-site redistribution pass beneath the local service-score bundle rather than an independent outer loop.","objdump + caller xrefs + neighborhood sweep inspection + candidate-weight correlation" 0x0042c1b0,886,placed_structure_redistribute_local_service_pressure_from_neighbors,map,thiscall,inferred,objdump + caller xrefs + neighborhood sweep inspection,3,"Neighbor-aware local-service post-pass for one placed-structure or site record. The helper first builds a bounded set of nearby site references by scanning offset patterns from `0x00624b28` and `0x00624b48` against the world-grid tables rooted at `[0x0062c120+0x2129]`, keeping only neighbors whose state byte at `+0x0e6` is compatible with the current site and recording per-neighbor weights derived from the local word tables near `[site+0x00]` and `[site+0x0f3]`. It then walks the live candidate collection and, for each live non-remapped candidate, chooses the strongest positive neighbor deficit after scaling through the candidate-side weight at `[candidate+0x52]`; when a positive deficit remains it commits the redistribution through `0x0042bf80`. Current grounded caller is the composite local refresh `0x0042d580`, so this looks like the neighboring-site redistribution pass beneath the local service-score bundle rather than an independent outer loop.","objdump + caller xrefs + neighborhood sweep inspection + candidate-weight correlation"
0x0041eac0,794,structure_candidate_collection_refresh_cargo_economy_filter_flags,map,thiscall,inferred,objdump + caller xrefs + callsite inspection + rdata strings,3,"Collection-wide refresh of one cargo-economy-sensitive candidate flag in the live structure collection at `0x0062ba8c`. The helper first walks the global candidate pool at `0x0062b268`, filters category-`2` entries through the paired availability bytes `[candidate+0xba]` and `[candidate+0xbb]` plus the recipe-runtime latch `[candidate+0x7ac]`, and builds one temporary per-cargo mask keyed by cargo names such as `Clothing`, `Cheese`, `Meat`, `Ammunition`, `Weapons`, `Diesel`, `Troops`, and `Passengers`; one special-case branch also uses structure labels such as `Barracks` and `Recycling Plant` while consulting the region collection at `0x0062bae0`. It then iterates the live structure collection itself, combines that temporary cargo mask with the candidate-local bytes `[entry+0x47]`, `[entry+0x48]`, and `[entry+0x49]`, the runtime cargo-economy latch at `[0x006cec74+0x25f]`, and the live copy of special-condition slot `31` `Use Wartime Cargos` at `[0x006cec78+0x4afb]`; when that slot is set the branch at `0x0041ed37` further tests the wartime cargo family `Clothing`, `Cheese`, `Meat`, `Ammunition`, `Weapons`, and `Diesel` before writing the resulting enabled-or-filtered state into `[entry+0x56]` and re-entering `0x0041e970` to rebuild the derived visible counts. Current grounded callers are the collection-side setup path around `0x0041f4cb` and the runtime toggle branch at `0x0046577c`, where the same `0x006cec74+0x25f` bit is flipped directly; that makes this the strongest current bridge from the editor's `Disable Cargo Economy` rule plus the `Use Wartime Cargos` scenario rule into live structure-candidate filtering rather than a purely editor-side helper.","objdump + caller xrefs + callsite inspection + rdata strings + special-condition correlation" 0x0041eac0,794,structure_candidate_collection_refresh_cargo_economy_filter_flags,map,thiscall,inferred,objdump + caller xrefs + callsite inspection + rdata strings,3,"Collection-wide refresh of one cargo-economy-sensitive candidate flag in the live structure collection at `0x0062ba8c`. The helper first walks the global candidate pool at `0x0062b268`, filters category-`2` entries through the paired availability bytes `[candidate+0xba]` and `[candidate+0xbb]` plus the recipe-runtime latch `[candidate+0x7ac]`, and builds one temporary per-cargo mask keyed by cargo names such as `Clothing`, `Cheese`, `Meat`, `Ammunition`, `Weapons`, `Diesel`, `Troops`, and `Passengers`; one special-case branch also uses structure labels such as `Barracks` and `Recycling Plant` while consulting the region collection at `0x0062bae0`. It then iterates the live structure collection itself, combines that temporary cargo mask with the candidate-local bytes `[entry+0x47]`, `[entry+0x48]`, and `[entry+0x49]`, the runtime cargo-economy latch at `[0x006cec74+0x25f]`, and the live copy of special-condition slot `31` `Use Wartime Cargos` at `[0x006cec78+0x4afb]`; when that slot is set the branch at `0x0041ed37` further tests the wartime cargo family `Clothing`, `Cheese`, `Meat`, `Ammunition`, `Weapons`, and `Diesel` before writing the resulting enabled-or-filtered state into `[entry+0x56]` and re-entering `0x0041e970` to rebuild the derived visible counts. Current grounded callers are the collection-side setup path around `0x0041f4cb` and the runtime toggle branch at `0x0046577c`, where the same `0x006cec74+0x25f` bit is flipped directly; that makes this the strongest current bridge from the editor's `Disable Cargo Economy` rule plus the `Use Wartime Cargos` scenario rule into live structure-candidate filtering rather than a purely editor-side helper.","objdump + caller xrefs + callsite inspection + rdata strings + special-condition correlation"
0x00421b60,180,world_region_collection_seed_default_regions,map,thiscall,inferred,objdump + strings + callsite inspection,4,"Seeds the default numbered region family on the manager collection at `0x0062bae0`. The helper pumps shell progress through `0x004834e0`, repeatedly creates collection entries through `0x00421660`, formats their labels from localized string id `2908` `Region %1` plus the `%02d` pattern at `0x005c9aec`, marks the created records live through `[entry+0x23e]`, and then finalizes the region set through `0x00421730` against the active world root at `0x0062c120`. Current grounded callsites are the post-load generation pipeline at `0x004384d0` and the broader world-build path around `0x004476ec`, so this now looks like region-set seeding rather than generic player or company setup.","objdump + RT3.lng strings + caller xrefs + callsite inspection" 0x00421b60,180,world_region_collection_seed_default_regions,map,thiscall,inferred,objdump + strings + callsite inspection,4,"Seeds the default numbered region family on the manager collection at `0x0062bae0`. The helper pumps shell progress through `0x004834e0`, repeatedly creates collection entries through `0x00421660`, formats their labels from localized string id `2908` `Region %1` plus the `%02d` pattern at `0x005c9aec`, marks the created records live through `[entry+0x23e]`, and then finalizes the region set through `0x00421730` against the active world root at `0x0062c120`. Current grounded callsites are the post-load generation pipeline at `0x004384d0` and the broader world-build path around `0x004476ec`, so this now looks like region-set seeding rather than generic player or company setup.","objdump + RT3.lng strings + caller xrefs + callsite inspection"

Can't render this file because it is too large.

15
artifacts/exports/rt3-1.06/runtime-effect-kind8-late-bringup-note.md
View file

@ -105,6 +105,21 @@ The ordinary reload strip is bounded in the same negative way now:
So the remaining late-bringup/control-lane frontier stays between reload and service rather than So the remaining late-bringup/control-lane frontier stays between reload and service rather than
inside the already-bounded restore loop itself. inside the already-bounded restore loop itself.
## Deep-Copy Boundary
- `0x0042e050`
- remains the one grounded helper that mirrors metadata band `+0x7ee..+0x80e`, including
`[event+0x7ef]`
- but the current whole-binary caller search still grounds only the shell-side selected-event
clone path `0x004db8b0`
- no grounded post-load, world-entry, or periodic-service caller currently re-enters `0x0042e050`
So the late-bringup/control-lane question narrows again:
- shell event cloning can preserve trigger-kind metadata
- but there is still no grounded shellless duplication path between reload and the late kind-`8`
service
## Current Writer Census ## Current Writer Census
The direct writer set for `[event+0x7ef]` is narrower now too: The direct writer set for `[event+0x7ef]` is narrower now too:

1
docs/rehost-queue.md
View file

@ -14,6 +14,7 @@ This file is the short active queue for the current runtime and reverse-engineer
The checked `rt3_105/maps` compact-dispatch corpus is now exported directly and partially mirrored into the periodic-company trace: `41` maps scanned, `38` with dispatch-strip rows, `318` nondirect rows total, the add-building subset is only `10` grouped occurrences across `7` descriptor keys, and the strongest broader nondirect families are now bounded too at `36` grouped occurrences across `18` maps for `nondirect-ge1e-h0001-0360-0004-0100-0200-p0000-0000-0000-ffff :: [864:4]` plus `27` across `14` maps for the mixed `[-1:4]` cluster. All of those checked rows still lack recovered trigger kind. The packed-state bridge is narrower than that queue head used to allow too: `0x0042db20/0x00430d70` rebuild and serialize only the fixed text bands plus the standalone and grouped row lists, while the metadata band `+0x7ee..+0x80e` is only mirrored by deep-copy helper `0x0042e050`. The active open question is therefore which ordinary loaded rows acquire or bypass the missing trigger-kind control lane before they can reach placed-structure mutation opcodes. The checked `rt3_105/maps` compact-dispatch corpus is now exported directly and partially mirrored into the periodic-company trace: `41` maps scanned, `38` with dispatch-strip rows, `318` nondirect rows total, the add-building subset is only `10` grouped occurrences across `7` descriptor keys, and the strongest broader nondirect families are now bounded too at `36` grouped occurrences across `18` maps for `nondirect-ge1e-h0001-0360-0004-0100-0200-p0000-0000-0000-ffff :: [864:4]` plus `27` across `14` maps for the mixed `[-1:4]` cluster. All of those checked rows still lack recovered trigger kind. The packed-state bridge is narrower than that queue head used to allow too: `0x0042db20/0x00430d70` rebuild and serialize only the fixed text bands plus the standalone and grouped row lists, while the metadata band `+0x7ee..+0x80e` is only mirrored by deep-copy helper `0x0042e050`. The active open question is therefore which ordinary loaded rows acquire or bypass the missing trigger-kind control lane before they can reach placed-structure mutation opcodes.
The largest direct writer table is ruled out now too: `0x004d8ea0` is the shell-side `EventConditions.win` commit helper, where controls `0x4e98..0x4ea2` write `[event+0x7ef] = 0..10` on the currently selected live event, so that seed family does not explain shellless post-load bringup. The largest direct writer table is ruled out now too: `0x004d8ea0` is the shell-side `EventConditions.win` commit helper, where controls `0x4e98..0x4ea2` write `[event+0x7ef] = 0..10` on the currently selected live event, so that seed family does not explain shellless post-load bringup.
The broad scenario-name fixup owner is narrower in the same direction: `0x00442c30` really does mutate live event rows after reload, but its grounded trigger-kind writes still only retag `1 -> 5` and `0 -> 2`, while the surrounding event-side branches only patch modifier bytes or nested payload dwords under already-existing kinds. No grounded branch there seeds kind `8`. The broad scenario-name fixup owner is narrower in the same direction: `0x00442c30` really does mutate live event rows after reload, but its grounded trigger-kind writes still only retag `1 -> 5` and `0 -> 2`, while the surrounding event-side branches only patch modifier bytes or nested payload dwords under already-existing kinds. No grounded branch there seeds kind `8`.
The metadata-copy helper is ruled out in the same way: `0x0042e050` really does clone `[event+0x7ef]`, but the current whole-binary caller search still finds only the shell-side selected-event clone path `0x004db8b0`, not any shellless post-load or periodic caller.
The direct write census is tighter in the same direction: the only grounded explicit write of value `8` into `[event+0x7ef]` is `0x004d91b3` inside that same shell helper, while the runtime-side grounded writers still only cover zero-init, copy, `2/3` follow-on seeds, and the later `5` / `2` retags. The direct write census is tighter in the same direction: the only grounded explicit write of value `8` into `[event+0x7ef]` is `0x004d91b3` inside that same shell helper, while the runtime-side grounded writers still only cover zero-init, copy, `2/3` follow-on seeds, and the later `5` / `2` retags.
Preserved checked control-lane detail now lives in [Periodic company control lane](rehost-queue/periodic-company-control-lane-2026-04-21.md). Preserved checked control-lane detail now lives in [Periodic company control lane](rehost-queue/periodic-company-control-lane-2026-04-21.md).
- Keep the next static Tier-2 building pass focused on the earlier seed/projection seam into `0x00412d70`, not another broad `BuildingTypes` sweep. - Keep the next static Tier-2 building pass focused on the earlier seed/projection seam into `0x00412d70`, not another broad `BuildingTypes` sweep.

16
docs/rehost-queue/periodic-company-control-lane-2026-04-21.md
View file

@ -180,6 +180,22 @@ The ordinary reload path is narrower in the same negative way now too:
So the remaining periodic-company question stays between reload and service: the checked restore So the remaining periodic-company question stays between reload and service: the checked restore
path repopulates the rows, but the later trigger-kind gate lives only in the service strip. path repopulates the rows, but the later trigger-kind gate lives only in the service strip.
## Deep-Copy Boundary
The one remaining metadata-copy helper is narrower now too:
- `0x0042e050`
- really does mirror the omitted metadata band `+0x7ee..+0x80e`, including `[event+0x7ef]`
- but the current whole-binary caller search only grounds one caller:
`0x004db8b0`, the shell-side `EventConditions.win` clone-selected-event path
- no grounded post-load, world-entry, or periodic-service caller currently re-enters `0x0042e050`
So the control-lane frontier narrows again:
- shell event cloning can duplicate trigger-kind metadata intact
- but there is still no grounded shellless duplication path between reload `0x00433130` and the
late `kind 8` service
## Current Writer Census ## Current Writer Census
The direct writer set for `[event+0x7ef]` is narrower now too: The direct writer set for `[event+0x7ef]` is narrower now too: