Map infrastructure constructor argument bundles
This commit is contained in:
parent
834fb04f00
commit
9051966276
3 changed files with 39 additions and 14 deletions
|
|
@ -4474,7 +4474,7 @@ fn build_infrastructure_asset_trace_report(
|
|||
"direct disassembly now also shows 0x00490960 copying selector fields into the child object ([this+0x219], [this+0x251], bit 0x20 in [this+0x24c], and [this+0x226]), allocating a fresh 0x23a Infrastructure child, seeding it through 0x00455b70 with caller-supplied stem input plus fixed literal Infrastructure at 0x005cfd74, attaching it through 0x005395d0, seeding position lanes through 0x00539530/0x0053a5b0, and optionally caching it as primary child in [this+0x248]".to_string(),
|
||||
"the currently grounded direct-constructor chooser branches are narrower now too: the repeated calls at 0x004a2eba/0x004a30f9/0x004a339c feed 0x00490960 with mode arg 0x0a and stem arg 0x005cb138 = BallastCapDT_Cap.3dp, so they bypass the selector-copy block at 0x004909e2 and go straight into fresh child allocation/seeding".to_string(),
|
||||
"the wider direct-calls sweep now also grounds stable 0x00490960 mode families: mode 0x0b pairs with fixed TrackCapDT/ST_Cap literals at 0x0048ed01/0x0048ed20, mode 0x03 with OverpassST_section at 0x00495a44, mode 0x02 with the decoded TunnelST/TunnelDT tables and zero-stem fallbacks across 0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d/0x004a1b95, and mode 0x01 with the decoded BridgeDT/BridgeST tables plus bridge zero-stem fallbacks across 0x004a1dae/0x004a2043/0x004a2082/0x004a221e/0x004a22a5/0x004a23aa/0x004a23eb/0x004a2409/0x004a24f6".to_string(),
|
||||
"objdump on 0x00490960 now also sharpens the source-side comparison for the remaining mixed exact-prefix classes: mode lives at [esp+0x10], the selector-copy block at 0x004909e2..0x00490a32 reads bytes from [esp+0x28]/[esp+0x2c]/[esp+0x30] into [this+0x219]/[this+0x251]/bit0x20 in [this+0x24c], the fixed TrackCap mode-0x0b branches at 0x0048ed01/0x0048ed20 push literals 0x005cb198/0x005cb1ac after the same pre-seeded 1,-1,-1,0,0 flag bundle and bypass that selector-copy block because mode >= 4, while the tunnel mode-0x02 family at 0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d plus zero-stem fallback 0x004a1b95 necessarily flows through the selector-copy block because mode < 4".to_string(),
|
||||
"objdump on 0x00490960 now also sharpens the source-side comparison for the remaining mixed exact-prefix classes: mode lives at [esp+0x10], stem at [esp+0x14], args 3/4 at [esp+0x18]/[esp+0x1c] feed 0x539530, arg 5 at [esp+0x20] feeds 0x53a5b0, arg 10 at [esp+0x34] gates whether the new child is cached into [this+0x248], and the selector-copy block at 0x004909e2..0x00490a32 reads bytes from [esp+0x28]/[esp+0x2c]/[esp+0x30] into [this+0x219]/[this+0x251]/bit0x20 in [this+0x24c]. The fixed TrackCap mode-0x0b branches at 0x0048ed01/0x0048ed20 push literals 0x005cb198/0x005cb1ac after the same pre-seeded 1,-1,-1,0,0 flag bundle, so they reach 0x490960 with arg7/arg8/arg9 = -1/-1/0 and bypass that selector-copy block because mode >= 4. The tunnel mode-0x02 family at 0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d plus zero-stem fallback 0x004a1b95 necessarily flows through the selector-copy block because mode < 4, and the objdump caller bundles show those branches reaching 0x490960 with arg8 fixed at 1, arg9 fixed at 0, and only arg7 varying through the branch-local register (ebx/ebp) before the table or fallback stem is pushed".to_string(),
|
||||
"the current grounded q.gms side-buffer name corpus now maps directly onto those constructor families too: BridgeSTWood_Section.3dp aligns with mode 0x01 Bridge, TunnelSTBrick_Cap/Section.3dp with mode 0x02 Tunnel, BallastCapST_Cap.3dp with mode 0x0a BallastCap, and TrackCapST_Cap.3dp with mode 0x0b TrackCap; only the Overpass mode-0x03 family remains static-only in the current save corpus".to_string(),
|
||||
"direct disassembly now also shows 0x00490200 reading the seeded lanes [this+0x206/+0x20a/+0x20e] back through the live route collection at 0x006cfca8, classifying peer relationships with [this+0x216/+0x218/+0x201/+0x202], and therefore acting as a route/link comparator above the same child payload fields that 0x004559d0 later serializes".to_string(),
|
||||
"the chooser tables now decode to concrete asset families too: 0x621a44/0x621a54 feed BridgeST caps/sections, 0x621a64 feeds TunnelST cap/section variants, 0x621a74/0x621a84 feed BridgeDT caps/sections, and 0x621a94 feeds TunnelDT variants; fixed literals 0x5cb138/0x5cb150 are BallastCapDT/ST and 0x5cb168/0x5cb180 are OverpassDT/ST".to_string(),
|
||||
|
|
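Review bot: the replacement evidence string for `0x00490960` writes addresses in two widths: `0x539530`, `0x53a5b0` and `0x490960` appear in the new text, while the start of the same string and the neighbouring evidence lines use `0x00490960` and `0x00539530/0x0053a5b0`. These strings are matched by substring in the tests, so use the zero-padded eight-digit form throughout. The entry also now holds three sentences (argument map, TrackCap bundle, tunnel bundle); one evidence entry per sentence would let each be asserted on its own.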
@ -25828,22 +25828,19 @@ mod tests {
|
|||
.evidence
|
||||
.iter()
|
||||
.any(|line| line.contains("objdump on 0x00490960")
|
||||
&& line.contains("stem at [esp+0x14]")
|
||||
&& line.contains("[esp+0x18]/[esp+0x1c] feed 0x539530")
|
||||
&& line.contains("[esp+0x20] feeds 0x53a5b0")
|
||||
&& line.contains("[esp+0x34] gates whether the new child is cached")
|
||||
&& line.contains("selector-copy block")
|
||||
&& line.contains("[esp+0x28]/[esp+0x2c]/[esp+0x30]")
|
||||
&& line.contains("0x0048ed01/0x0048ed20")
|
||||
&& line.contains("bypass")
|
||||
&& line.contains("0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d")
|
||||
&& line.contains("0x004a1b95"))
|
||||
);
|
||||
assert!(
|
||||
trace.candidate_consumer_hypotheses[0]
|
||||
.evidence
|
||||
.iter()
|
||||
.any(|line| line.contains("fixed TrackCap mode-0x0b branches")
|
||||
&& line.contains("0x0048ed01/0x0048ed20")
|
||||
&& line.contains("0x005cb198/0x005cb1ac")
|
||||
&& line.contains("0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d")
|
||||
&& line.contains("0x004a1b95"))
|
||||
&& line.contains("0x004a1b95")
|
||||
&& line.contains("arg7/arg8/arg9 = -1/-1/0")
|
||||
&& line.contains("arg8 fixed at 1")
|
||||
&& line.contains("arg9 fixed at 0"))
|
||||
);
|
||||
assert!(
|
||||
trace.candidate_consumer_hypotheses[0]
|
||||
|
|
|
|||
|
|
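Review bot: folding the second `assert!` into the first `.any(...)` closure drops two checks the old test made. By the hunk counts (22 old lines, 19 new), the lines matching `"fixed TrackCap mode-0x0b branches"` and `"0x005cb198/0x005cb1ac"` are removed and none of the added lines replaces them, although the new evidence string still contains both. Add `&& line.contains("0x005cb198/0x005cb1ac")` to the merged closure. With fourteen `contains` clauses in one closure, a failure will not say which fragment went missing, so consider binding the matched line first and asserting on the fragments individually.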
@ -2996,9 +2996,21 @@ The low helper strip beneath that shared family is tighter now too: `0x0052ecd0`
|
|||
The current `0x000055f3 / 0x0001 / 0xff` class is tunnel-dominant and stays entirely on prior
|
||||
profile span `0x03`, while the current `0xff0000ff / 0x0001 / 0xff` class is `TrackCap`-
|
||||
dominant but still carries `4` tunnel rows spread across many spans.
|
||||
Source-side constructor analysis is narrower now too. `0x00490960` takes mode at stack arg 1,
|
||||
stem at stack arg 2, forwards args 3/4 into `0x539530`, arg 5 into `0x53a5b0`, arg 10 into the
|
||||
primary-child cache gate for `[this+0x248]`, and only uses args 7/8/9 for the selector-copy
|
||||
block when `mode < 4`.
|
||||
That already separates the remaining mixed classes:
|
||||
fixed `TrackCap` mode `0x0b` callers at `0x0048ed01/0x0048ed20` push arg7/arg8/arg9 as
|
||||
`-1 / -1 / 0` and bypass selector-copy entirely because `mode >= 4`,
|
||||
while tunnel mode `0x02` callers at
|
||||
`0x004a17eb / 0x004a1995 / 0x004a1b44 / 0x004a1b7d / 0x004a1b95`
|
||||
necessarily flow through selector-copy because `mode < 4`, with arg8 fixed at `1`, arg9 fixed
|
||||
at `0`, and only arg7 varying through a branch-local one-bit register.
|
||||
So the next infrastructure pass should stop treating the remaining frontier as a generic
|
||||
“mixed 0x06/outlier” problem and instead target the owning constructor/restore semantics for
|
||||
those two exact mixed compact-prefix classes.
|
||||
those two exact mixed compact-prefix classes, especially how tunnel arg7 and the fixed
|
||||
`TrackCap` no-selector bundle both still collapse into the observed mixed save-side prefixes.
|
||||
The candidate-pattern classes are explicit now too: `0x0055 / 0x00` is a pure
|
||||
`BallastCapST_Cap.3dp / Infrastructure` class across `18` rows, always preceded by a zero-length
|
||||
prior profile span, while `0x0002 / 0xff` is a pure
|
||||
|
|
|
|||
|
|
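Review bot: "only arg7 varying through a branch-local one-bit register" in the added paragraph claims more than the evidence string in this commit, which records only a "branch-local register (ebx/ebp)". Either cite what shows the value is limited to one bit or reuse the evidence wording. The paragraph also lists `0x004a1b95` as a fifth tunnel caller, whereas the evidence string keeps it apart as the zero-stem fallback; keep that distinction here.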
@ -197,9 +197,25 @@ Working rule:
|
|||
`TunnelSTBrick_Cap.3dp / Infrastructure:2`,
|
||||
`TunnelSTBrick_Section.3dp / Infrastructure:2`.
|
||||
Its rows are spread across many spans rather than one dominant restore span.
|
||||
- Source-side constructor analysis is narrower now too. `0x00490960` takes:
|
||||
- mode at stack arg 1
|
||||
- stem at stack arg 2
|
||||
- args 3/4 into `0x539530`
|
||||
- arg 5 into `0x53a5b0`
|
||||
- arg 10 as the primary-child cache gate for `[this+0x248]`
|
||||
- args 7/8/9 into the selector-copy block for `[this+0x219]`, `[this+0x251]`, and bit `0x20`
|
||||
in `[this+0x24c]` when `mode < 4`
|
||||
- That already separates the remaining mixed classes:
|
||||
- fixed `TrackCap` mode `0x0b` callers at `0x0048ed01/0x0048ed20` push arg7/arg8/arg9 as
|
||||
`-1 / -1 / 0` and bypass selector-copy entirely because `mode >= 4`
|
||||
- tunnel mode `0x02` callers at
|
||||
`0x004a17eb / 0x004a1995 / 0x004a1b44 / 0x004a1b7d / 0x004a1b95`
|
||||
necessarily flow through selector-copy because `mode < 4`, with arg8 fixed at `1`, arg9
|
||||
fixed at `0`, and only arg7 varying through a branch-local one-bit register
|
||||
- So the next infrastructure slice should stop treating the remaining frontier as a generic
|
||||
“mixed 0x06/outlier” problem and instead target the owning constructor/restore semantics for
|
||||
those two exact mixed compact-prefix classes.
|
||||
those two exact mixed compact-prefix classes, especially how tunnel arg7 and the fixed
|
||||
`TrackCap` no-selector bundle both still collapse into the observed mixed save-side prefixes.
|
||||
- The candidate-pattern classes are now explicit across the whole stream too: `0x0055 / 0x00`
|
||||
is a pure `BallastCapST_Cap.3dp / Infrastructure` class across `18` rows, always preceded by a
|
||||
zero-length prior profile span, while `0x0002 / 0xff` is a pure
|
||||
|
|
|
|||
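Review bot: the argument list added under `0x00490960` covers args 1 to 5 and 7 to 10 but is silent on arg 6, which by the same stack layout sits at `[esp+0x24]`. The earlier evidence line in this commit also names `[this+0x226]` among the copied selector fields, and no bullet here maps an argument to it. Add a bullet stating whether arg 6 is unused or still unmapped, and where `[this+0x226]` gets its value.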