Bound scenario fixup trigger-kind retags
This commit is contained in:
parent
e57b07c9bc
commit
76396ee12e
4 changed files with 30 additions and 1 deletions
|
|
@ -740,7 +740,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
|
|||
0x00442ad3,14,locomotive_policy_map_primary_issue_id_to_engine_family_index,simulation,cdecl,inferred,objdump + caller xrefs + local disassembly + stream-save correlation,3,"Inverse sibling of `0x00442a85` in the same locomotive-policy strip. The helper subtracts base issue id `0x0f0`, and when the resulting compact index rises above `0x6f` it removes the inserted gap `0x69` to recover the original primary engine-family or policy index. Current grounded caller is the stream-save path `0x00430ff2`, which uses this inverse map when serializing the primary issue band back into the compact save-side index space. This is the safest current read for the primary issue-id-to-index inverse rather than a free-standing subtractive helper.","objdump + caller xrefs + local disassembly + stream-save correlation + locomotive-policy correlation"
|
||||
0x00442ae1,14,locomotive_policy_map_secondary_issue_id_to_engine_family_index,simulation,cdecl,inferred,objdump + caller xrefs + local disassembly + stream-save correlation,3,"Inverse sibling of `0x00442aac` in the same locomotive-policy strip. The helper subtracts base issue id `0x15f`, and when the resulting compact index rises above `0x65` it removes the inserted gap `0x16` to recover the original secondary engine-family or policy index. Current grounded caller is the stream-save path `0x00431007`, which uses this inverse map when serializing the secondary issue band back into the compact save-side index space. This is the safest current read for the secondary issue-id-to-index inverse rather than another subtractive arithmetic stub.","objdump + caller xrefs + local disassembly + stream-save correlation + locomotive-policy correlation"
|
||||
0x00442ba0,143,shell_export_live_setup_preview_payload_record_and_normalize_pixel_block_0x100x0x100,shell,thiscall,inferred,objdump + caller inspection + local disassembly + payload-export correlation,3,"Concrete live-payload export helper in the setup and map-bundle strip. The helper copies one `0x403c2`-byte live payload record from `[this+0x66be]` into the caller buffer, forces the leading validity byte to `1`, patches the exported world dimensions from `[0x0062c120+0x2155/+0x2159]` into offsets `+0x01/+0x05`, mirrors two live shell-controlled sidecar dwords from `[0x006d4024+0x11471a]` and `[0x006d4024+0x11471e]` into offsets `+0x09/+0x0a`, mirrors the low byte of shared dword `0x0062bec4` into offset `+0x0b`, and then normalizes the embedded pixel block at `+0x03c2` through `0x0047a120` with fixed dimensions `0x100 x 0x100`. That sidecar-byte trio is tighter now too: the later package-save tail reads `[world+0x66c8]` and `[world+0x66c9]` as the companion-image and companion-payload sidecar gates, so the exported payload bytes `+0x0a` and `+0x0b` are the same two save-side gate lanes inside the copied `0x66be` block. Current local save-side evidence also shows `0x0062bec4` being reseeded by `shell_map_file_world_bundle_coordinator` `0x00445de0` from the shell-owned selector pair `[0x006d4024+0x11472a/+0x11472e]` before this exporter runs, while the broader settings owner `shell_settings_window_handle_message_dispatch_and_persist_display_runtime_sidecar_family` `0x00464c80` toggles the same shell dwords `0x11471a/0x11471e/0x11472a/0x11472e` and enforces the grounded implication rules `!0x11471e -> clear 0x11472a` and `(0x11472a || 0x11472e) -> set 0x11471e`. The two current save-side callers now split cleanly: package-save branch `0x00444f42` calls `0x00442ba0` and then immediately re-enters `0x00441ec0`, while the `.smp` serializer branch at `0x00446312` calls `0x00442ba0` and then emits `0x2ee0`, writes the full `0x403c2` payload through `0x00531030`, and closes `0x2ee1` directly. This is the safest current read for the live setup-preview payload exporter rather than a generic memcpy wrapper.","objdump + caller inspection + local disassembly + payload-export correlation + companion-image correlation + bundle-tag correlation + payload-size correlation + sidecar-gate correlation + save-coordinator correlation + shell-sidecar-selector correlation + save-branch-split correlation"
|
||||
0x00442c30,3600,shell_apply_scenario_name_specific_post_load_world_and_object_fixups,shell,thiscall,inferred,objdump + caller inspection + local disassembly + scenario-string correlation,4,"Broad post-load fixup owner reached from `world_entry_transition_and_runtime_bringup` at `0x00444b50`. The helper compares the caller-supplied scenario title against many fixed `.rdata` names including `Go West!`, `Germany`, `France`, `State of Germany`, `New Beginnings`, `Dutchlantis`, `Britain`, `New Zealand`, `South East Australia`, `Tex-Mex`, `Germantown`, `The American`, `Central Pacific`, and `Orient Express`, with several branches further gated by campaign-scenario byte `[this+0x66de]`. The matched bodies are no longer just generic title-side edits. Current local disassembly now grounds several concrete examples: the non-campaign `Go West!` branch retags linked world-object row `7` named `Open Aus` by promoting byte `[obj+0x7f9]` from `1` to `2` when its nested opcode-`0x1b` payload is still in the expected starter state; the campaign-gated `Go West!`/`Germany`/`Orient Express` side nudges selected city float pairs `[city+0x25a/+0x25e]` upward when they remain below fixed thresholds; the `Central Pacific` branch injects repeated localized `Company Track Miles`-style text lines into the shell band `[this+0x4f30]` through `0x0051e5d0`; later branches copy paired ten-dword record blocks when specific object-name/class pairs match; patch secondary-raster bits through the fixed table `0x005ee508..0x005ee5cc`; mutate opcode payload dwords and bytes inside collections rooted at `0x0062be18`, `0x0062bae0`, and `0x006ada80`; and update one later collection at `0x0062b268`. This is the safest current read for the scenario-name-specific post-load fixup owner rather than a generic string-dispatch helper.","objdump + caller inspection + local disassembly + scenario-string correlation + live-world mutation correlation + post-load-fixup correlation + campaign-flag correlation"
|
||||
0x00442c30,3600,shell_apply_scenario_name_specific_post_load_world_and_object_fixups,shell,thiscall,inferred,objdump + caller inspection + local disassembly + scenario-string correlation,4,"Broad post-load fixup owner reached from `world_entry_transition_and_runtime_bringup` at `0x00444b50`. The helper compares the caller-supplied scenario title against many fixed `.rdata` names including `Go West!`, `Germany`, `France`, `State of Germany`, `New Beginnings`, `Dutchlantis`, `Britain`, `New Zealand`, `South East Australia`, `Tex-Mex`, `Germantown`, `The American`, `Central Pacific`, and `Orient Express`, with several branches further gated by campaign-scenario byte `[this+0x66de]`. The matched bodies are no longer just generic title-side edits. Current local disassembly now grounds several concrete examples: the non-campaign `Go West!` branch retags linked world-object row `7` named `Open Aus` by promoting byte `[obj+0x7f9]` from `1` to `2` when its nested opcode-`0x1b` payload is still in the expected starter state; the campaign-gated `Go West!`/`Germany`/`Orient Express` side nudges selected city float pairs `[city+0x25a/+0x25e]` upward when they remain below fixed thresholds; the `Central Pacific` branch injects repeated localized `Company Track Miles`-style text lines into the shell band `[this+0x4f30]` through `0x0051e5d0`; later branches copy paired ten-dword record blocks when specific object-name/class pairs match; patch secondary-raster bits through the fixed table `0x005ee508..0x005ee5cc`; mutate opcode payload dwords and bytes inside collections rooted at `0x0062be18`, `0x0062bae0`, and `0x006ada80`; and update one later collection at `0x0062b268`. The event-side trigger-kind boundary is tighter now too: the grounded `[event+0x7ef]` writes inside this helper are still only the `SP - GOLD` retag at `0x00443526` (`row 1`, `1 -> 5`) and the `Labor` retag at `0x00443601` (`row 0x0d`, `0 -> 2`), while the surrounding event-side branches at `0x004436ca`, `0x004438e8`, `0x00443948`, and `0x004439a8` only patch modifier bytes `[event+0x7f9/+0x7fa]` or nested payload dwords under already-existing trigger kinds `6`, `5`, `1`, `2`, `3`, or `9`. No grounded branch here seeds `[event+0x7ef] = 8`. This is the safest current read for the scenario-name-specific post-load fixup owner rather than a generic string-dispatch helper.","objdump + caller inspection + local disassembly + scenario-string correlation + live-world mutation correlation + post-load-fixup correlation + campaign-flag correlation + event-trigger-kind-retag correlation"
|
||||
0x0044c450,96,world_rebuild_all_grid_cell_candidate_cargo_service_bitsets,map,thiscall,inferred,objdump + local disassembly + caller inspection,3,"Late world-reactivation sweep inside `world_entry_transition_and_runtime_bringup` `0x00443a50`. The helper walks the full live world grid rooted at `[this+0x2129]` through dimensions `[this+0x2145/+0x2149]`, resolves each cell pointer, and re-enters `placed_structure_rebuild_candidate_cargo_service_bitsets` `0x0042c690` on every cell record. Current grounded caller is the later world-entry tail at `0x444b24`, immediately after `world_clear_and_reseed_region_center_world_grid_flag_bit` `0x0044c4b0` and before the route-style link rebuild at `0x468300`, so this is the current safest read for the world-wide grid-cell cargo-service-bitset refresh wrapper rather than another generic world-grid loop.","objdump + local disassembly + caller inspection + world-grid correlation + cargo-service correlation"
|
||||
0x0044c4b0,192,world_clear_and_reseed_region_center_world_grid_flag_bit,map,cdecl,inferred,objdump + local disassembly + caller inspection,3,"Late world-reactivation helper inside `world_entry_transition_and_runtime_bringup` `0x00443a50`. The first sweep walks the full live world grid rooted at `[0x0062c120+0x2129]` through dimensions `[+0x2145/+0x2149]` and clears bit `0x10` in each cell byte `[cell+0xe6]`. It then walks the live region collection at `0x0062bae0`, keeps only regions whose class byte `[region+0x23e]` is zero, resolves one representative center cell through `world_region_resolve_center_world_grid_cell` `0x00455f60`, and sets that same bit on the resolved cell. Current grounded caller is the later world-entry tail at `0x444b19`, between the post-bundle runtime refresh phase and the later shell or company-cache follow-ons, so this is the current safest read for the region-center world-grid flag reseed pass rather than another generic grid scrub.","objdump + local disassembly + caller inspection + region-grid correlation"
|
||||
0x0044c570,256,world_mark_secondary_raster_clear_cell_mask_0x3e_as_class_2_and_cache_bounds,map,thiscall,inferred,objdump + caller xrefs + local disassembly + secondary-raster correlation,3,"Small secondary-raster mutation helper beneath the later marked-cell scan and overlay-cache family. After clamping the caller cell coordinates against the current secondary-grid dimensions, the helper resolves the byte raster rooted at `[this+0x2135]` using row stride `[this+0x2155] + 1` and only proceeds when the target byte has no bits in mask `0x3e` and the parallel class predicate `world_secondary_raster_query_cell_class_in_set_1_3_4_5` `0x00534e10` also reports false. On the admit path it widens cached min/max bounds `[this+0x21c6..+0x21d2]`, increments the marked-cell count `[this+0x21d6]`, and then rewrites the target raster byte with `(byte & 0xc3) | 0x02`, i.e. it preserves the outer two bits and the low bit while forcing the masked class field to `0x02`. Current grounded caller is the later radial mutation branch at `0x0044e8e7`, and the written bounds/count fields are the same ones later scanned by `world_scan_secondary_grid_marked_cell_bounds` `0x0044ce60`, so this is the safest current read for the small secondary-raster cell-marker helper rather than another generic bounds updater.","objdump + caller xrefs + local disassembly + secondary-raster correlation + marked-cell-bound correlation"
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
|
|
@ -172,6 +172,13 @@ editor strip rather than to ordinary post-load simulation bringup.
|
|||
- `0x0062bae0`
|
||||
- `0x006ada80`
|
||||
- `0x0062b268`
|
||||
- The event-side trigger-kind boundary is narrower now too:
|
||||
- grounded `[event+0x7ef]` writes inside `0x00442c30` are still only:
|
||||
- `0x00443526`: event row `1`, `1 -> 5`
|
||||
- `0x00443601`: event row `0x0d`, `0 -> 2`
|
||||
- the surrounding surfaced event branches only patch modifier bytes `[event+0x7f9/+0x7fa]`
|
||||
or nested payload dwords under already-existing kinds `6`, `5`, `1`, `2`, `3`, or `9`
|
||||
- no grounded branch in `0x00442c30` seeds `[event+0x7ef] = 8`
|
||||
|
||||
## Explicit Trigger-Kind Retags Already Grounded
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ This file is the short active queue for the current runtime and reverse-engineer
|
|||
- Keep the periodic-company trace as the main shellless simulation frontier, with the next concrete control-lane pass focused on the ordinary loaded runtime-effect strip `0x00444d92 -> 0x00432f40(kind 8) -> 0x004323a0 -> 0x00431b20`.
|
||||
The checked `rt3_105/maps` compact-dispatch corpus is now exported directly and partially mirrored into the periodic-company trace: `41` maps scanned, `38` with dispatch-strip rows, `318` nondirect rows total, the add-building subset is only `10` grouped occurrences across `7` descriptor keys, and the strongest broader nondirect families are now bounded too at `36` grouped occurrences across `18` maps for `nondirect-ge1e-h0001-0360-0004-0100-0200-p0000-0000-0000-ffff :: [864:4]` plus `27` across `14` maps for the mixed `[-1:4]` cluster. All of those checked rows still lack recovered trigger kind. The packed-state bridge is narrower than that queue head used to allow too: `0x0042db20/0x00430d70` rebuild and serialize only the fixed text bands plus the standalone and grouped row lists, while the metadata band `+0x7ee..+0x80e` is only mirrored by deep-copy helper `0x0042e050`. The active open question is therefore which ordinary loaded rows acquire or bypass the missing trigger-kind control lane before they can reach placed-structure mutation opcodes.
|
||||
The largest direct writer table is ruled out now too: `0x004d8ea0` is the shell-side `EventConditions.win` commit helper, where controls `0x4e98..0x4ea2` write `[event+0x7ef] = 0..10` on the currently selected live event, so that seed family does not explain shellless post-load bringup.
|
||||
The broad scenario-name fixup owner is narrower in the same direction: `0x00442c30` really does mutate live event rows after reload, but its grounded trigger-kind writes still only retag `1 -> 5` and `0 -> 2`, while the surrounding event-side branches only patch modifier bytes or nested payload dwords under already-existing kinds. No grounded branch there seeds kind `8`.
|
||||
The direct write census is tighter in the same direction: the only grounded explicit write of value `8` into `[event+0x7ef]` is `0x004d91b3` inside that same shell helper, while the runtime-side grounded writers still only cover zero-init, copy, `2/3` follow-on seeds, and the later `5` / `2` retags.
|
||||
Preserved checked control-lane detail now lives in [Periodic company control lane](rehost-queue/periodic-company-control-lane-2026-04-21.md).
|
||||
- Keep the next static Tier-2 building pass focused on the earlier seed/projection seam into `0x00412d70`, not another broad `BuildingTypes` sweep.
|
||||
|
|
|
|||
|
|
@ -116,6 +116,27 @@ So the next non-hook question stays above those already-known title or scenario-
|
|||
- which late bringup branch between ordinary reload `0x00433130` and final kind-`8` service
|
||||
`0x00432f40` materializes the live mutation-capable ordinary rows
|
||||
|
||||
## Scenario-Name Fixup Bound
|
||||
|
||||
The broad scenario-name post-load fixer is narrower now too:
|
||||
|
||||
- `0x00442c30`
|
||||
- definitely mutates live event rows in collection `0x0062be18` before the late kind-`8`
|
||||
service
|
||||
- but the grounded event-side trigger-kind writes there are still only:
|
||||
- `0x00443526`: event row `1`, `1 -> 5`
|
||||
- `0x00443601`: event row `0x0d`, `0 -> 2`
|
||||
- the other surfaced event-side branches around `0x004436ca`, `0x004438e8`,
|
||||
`0x00443948`, and `0x004439a8` only patch modifier bytes or payload fields under already
|
||||
existing trigger kinds `6`, `5`, `1`, `1`, `2`, `3`, or `9`
|
||||
- no grounded branch inside `0x00442c30` seeds `[event+0x7ef] = 8`
|
||||
|
||||
So the active shellless control-lane question is narrower again:
|
||||
|
||||
- `0x00442c30` is a real event-side post-load mutator
|
||||
- but it still does not explain how ordinary loaded rows acquire the later world-entry kind `8`
|
||||
gate
|
||||
|
||||
## Direct Trigger-Kind Gate
|
||||
|
||||
Fresh `objdump` over the control-lane strip now keeps the missing trigger-kind boundary concrete:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue