From 5bc7b3090e5e8f358fc0483212c59d2ba7943bf5 Mon Sep 17 00:00:00 2001 From: Jan Petykiewicz Date: Sat, 18 Apr 2026 19:20:53 -0700 Subject: [PATCH] Tighten region payload callback semantics --- crates/rrt-runtime/src/smp.rs | 2 +- docs/rehost-queue.md | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/crates/rrt-runtime/src/smp.rs b/crates/rrt-runtime/src/smp.rs index 550a0c1..a171940 100644 --- a/crates/rrt-runtime/src/smp.rs +++ b/crates/rrt-runtime/src/smp.rs @@ -4536,7 +4536,7 @@ fn build_region_service_trace_report( "the checked-in function map already grounds 0x0041f5c0 as the per-record load slot that reloads the tagged payload through 0x00455fc0 and then rebuilds profile collection [region+0x37f]".to_string(), "constructor-side evidence now proves the latches are initialized locally, so the remaining gap can legitimately be framed as post-construction restore or rebuild".to_string(), "direct disassembly of 0x0041f590/0x0041f5b0 now proves the world-region vtable root is 0x005c9a28, so the 0x00455fc0 dispatch at slot +0x48 lands on 0x00455870 and the serializer sibling at +0x4c lands on 0x00455930".to_string(), - "direct disassembly of 0x00455870/0x00455930 now shows that callback pair only restores and serializes two triplet-like three-lane scalar bands through 0x531150/0x531030 plus 0x530720/0x52e8b0, not [region+0x276/+0x302/+0x316]".to_string(), + "direct disassembly of 0x00455870/0x00455930 now shows that callback pair only restores and serializes two helper-local three-lane scalar bands: 0x00455870 reads six dwords through 0x531150 and forwards them to 0x530720 -> [helper+0x1e2/+0x1e6/+0x1ea] and 0x52e8b0 -> [helper+0x4b/+0x4f/+0x53], while 0x00455930 writes that same pair back through 0x531030; it still does not touch acquisition-side lanes [region+0x2a4] or [region+0x310/+0x338/+0x360]".to_string(), "direct disassembly now tightens the rest of 0x00455fc0 too: after the +0x48 callback it only runs 0x0052ebd0 to read two one-byte generic flags through 0x531150 into base object bytes [this+0x20], [this+0x8d], [this+0x5c..+0x61], [this+0x1ee], [this+0x1fa], and [this+0x3e], then opens 0x55f3 only for span accounting before returning, so the missing region latches are not hiding in the remainder of 0x00455fc0 either".to_string(), "direct disassembly of 0x00421510 now also shows the exact tagged loop shape: it opens 0x5209, reads 0x520a, iterates live entry ordinals through 0x518380/0x518140, seeds a stack-local world-region vtable helper through 0x0041f590/0x0041f5b0, dispatches each loaded record through slot +0x40, and only then closes 0x520b".to_string(), "direct disassembly of 0x0041f5c0 now also shows its post-0x00455fc0 work is local to the profile collection path: it clamps [region+0x31b] back to 1.0f when needed, zeroes [region+0x317], allocates one 0x88-sized helper through 0x53b070/0x518b90, stores it at [region+0x37f], loads that helper through 0x518680, and clears [region+0x385] before returning".to_string(), diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index 60adc4b..b2a7677 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md @@ -537,8 +537,11 @@ Working rule: - Direct disassembly now closes that callback identity too: `0x0041f590/0x0041f5b0` prove the world-region vtable root is `0x005c9a28`, so the `0x00455fc0` dispatch at slot `+0x48` lands on `0x00455870` and the serializer sibling at `+0x4c` lands on `0x00455930`. Those two callbacks - only restore and serialize two triplet-like three-lane scalar bands through - `0x00531150/0x00531030` plus `0x00530720/0x0052e8b0`; they still do not touch + only restore and serialize two helper-local three-lane scalar bands: `0x00455870` reads six + dwords through `0x00531150` and forwards them to `0x00530720 -> [helper+0x1e2/+0x1e6/+0x1ea]` + and `0x0052e8b0 -> [helper+0x4b/+0x4f/+0x53]`, while `0x00455930` writes that same pair back + through `0x00531030`; they still do not touch acquisition-side lanes + `[region+0x2a4]` or `[region+0x310/+0x338/+0x360]`, and they still do not touch `[region+0x276/+0x302/+0x316]`. That means the remaining region restore target is now the later owner that rebuilds those latches or the separate tagged body seam that persists them. - The rest of `0x00455fc0` is ruled down further now too: after the `+0x48` callback it only runs