From 9051966276e4a539c6471b58310ae6c0fcc28094 Mon Sep 17 00:00:00 2001 From: Jan Petykiewicz Date: Sat, 18 Apr 2026 16:34:58 -0700 Subject: [PATCH] Map infrastructure constructor argument bundles --- crates/rrt-runtime/src/smp.rs | 21 ++++++++----------- ...ntime-roots-camera-and-support-families.md | 14 ++++++++++++- docs/rehost-queue.md | 18 +++++++++++++++- 3 files changed, 39 insertions(+), 14 deletions(-) diff --git a/crates/rrt-runtime/src/smp.rs b/crates/rrt-runtime/src/smp.rs index d44a0eb..5dbb4d9 100644 --- a/crates/rrt-runtime/src/smp.rs +++ b/crates/rrt-runtime/src/smp.rs @@ -4474,7 +4474,7 @@ fn build_infrastructure_asset_trace_report( "direct disassembly now also shows 0x00490960 copying selector fields into the child object ([this+0x219], [this+0x251], bit 0x20 in [this+0x24c], and [this+0x226]), allocating a fresh 0x23a Infrastructure child, seeding it through 0x00455b70 with caller-supplied stem input plus fixed literal Infrastructure at 0x005cfd74, attaching it through 0x005395d0, seeding position lanes through 0x00539530/0x0053a5b0, and optionally caching it as primary child in [this+0x248]".to_string(), "the currently grounded direct-constructor chooser branches are narrower now too: the repeated calls at 0x004a2eba/0x004a30f9/0x004a339c feed 0x00490960 with mode arg 0x0a and stem arg 0x005cb138 = BallastCapDT_Cap.3dp, so they bypass the selector-copy block at 0x004909e2 and go straight into fresh child allocation/seeding".to_string(), "the wider direct-calls sweep now also grounds stable 0x00490960 mode families: mode 0x0b pairs with fixed TrackCapDT/ST_Cap literals at 0x0048ed01/0x0048ed20, mode 0x03 with OverpassST_section at 0x00495a44, mode 0x02 with the decoded TunnelST/TunnelDT tables and zero-stem fallbacks across 0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d/0x004a1b95, and mode 0x01 with the decoded BridgeDT/BridgeST tables plus bridge zero-stem fallbacks across 0x004a1dae/0x004a2043/0x004a2082/0x004a221e/0x004a22a5/0x004a23aa/0x004a23eb/0x004a2409/0x004a24f6".to_string(), - "objdump on 0x00490960 now also sharpens the source-side comparison for the remaining mixed exact-prefix classes: mode lives at [esp+0x10], the selector-copy block at 0x004909e2..0x00490a32 reads bytes from [esp+0x28]/[esp+0x2c]/[esp+0x30] into [this+0x219]/[this+0x251]/bit0x20 in [this+0x24c], the fixed TrackCap mode-0x0b branches at 0x0048ed01/0x0048ed20 push literals 0x005cb198/0x005cb1ac after the same pre-seeded 1,-1,-1,0,0 flag bundle and bypass that selector-copy block because mode >= 4, while the tunnel mode-0x02 family at 0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d plus zero-stem fallback 0x004a1b95 necessarily flows through the selector-copy block because mode < 4".to_string(), + "objdump on 0x00490960 now also sharpens the source-side comparison for the remaining mixed exact-prefix classes: mode lives at [esp+0x10], stem at [esp+0x14], args 3/4 at [esp+0x18]/[esp+0x1c] feed 0x539530, arg 5 at [esp+0x20] feeds 0x53a5b0, arg 10 at [esp+0x34] gates whether the new child is cached into [this+0x248], and the selector-copy block at 0x004909e2..0x00490a32 reads bytes from [esp+0x28]/[esp+0x2c]/[esp+0x30] into [this+0x219]/[this+0x251]/bit0x20 in [this+0x24c]. The fixed TrackCap mode-0x0b branches at 0x0048ed01/0x0048ed20 push literals 0x005cb198/0x005cb1ac after the same pre-seeded 1,-1,-1,0,0 flag bundle, so they reach 0x490960 with arg7/arg8/arg9 = -1/-1/0 and bypass that selector-copy block because mode >= 4. The tunnel mode-0x02 family at 0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d plus zero-stem fallback 0x004a1b95 necessarily flows through the selector-copy block because mode < 4, and the objdump caller bundles show those branches reaching 0x490960 with arg8 fixed at 1, arg9 fixed at 0, and only arg7 varying through the branch-local register (ebx/ebp) before the table or fallback stem is pushed".to_string(), "the current grounded q.gms side-buffer name corpus now maps directly onto those constructor families too: BridgeSTWood_Section.3dp aligns with mode 0x01 Bridge, TunnelSTBrick_Cap/Section.3dp with mode 0x02 Tunnel, BallastCapST_Cap.3dp with mode 0x0a BallastCap, and TrackCapST_Cap.3dp with mode 0x0b TrackCap; only the Overpass mode-0x03 family remains static-only in the current save corpus".to_string(), "direct disassembly now also shows 0x00490200 reading the seeded lanes [this+0x206/+0x20a/+0x20e] back through the live route collection at 0x006cfca8, classifying peer relationships with [this+0x216/+0x218/+0x201/+0x202], and therefore acting as a route/link comparator above the same child payload fields that 0x004559d0 later serializes".to_string(), "the chooser tables now decode to concrete asset families too: 0x621a44/0x621a54 feed BridgeST caps/sections, 0x621a64 feeds TunnelST cap/section variants, 0x621a74/0x621a84 feed BridgeDT caps/sections, and 0x621a94 feeds TunnelDT variants; fixed literals 0x5cb138/0x5cb150 are BallastCapDT/ST and 0x5cb168/0x5cb180 are OverpassDT/ST".to_string(), @@ -25828,22 +25828,19 @@ mod tests { .evidence .iter() .any(|line| line.contains("objdump on 0x00490960") + && line.contains("stem at [esp+0x14]") + && line.contains("[esp+0x18]/[esp+0x1c] feed 0x539530") + && line.contains("[esp+0x20] feeds 0x53a5b0") + && line.contains("[esp+0x34] gates whether the new child is cached") && line.contains("selector-copy block") && line.contains("[esp+0x28]/[esp+0x2c]/[esp+0x30]") && line.contains("0x0048ed01/0x0048ed20") && line.contains("bypass") && line.contains("0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d") - && line.contains("0x004a1b95")) - ); - assert!( - trace.candidate_consumer_hypotheses[0] - .evidence - .iter() - .any(|line| line.contains("fixed TrackCap mode-0x0b branches") - && line.contains("0x0048ed01/0x0048ed20") - && line.contains("0x005cb198/0x005cb1ac") - && line.contains("0x004a17eb/0x004a1995/0x004a1b44/0x004a1b7d") - && line.contains("0x004a1b95")) + && line.contains("0x004a1b95") + && line.contains("arg7/arg8/arg9 = -1/-1/0") + && line.contains("arg8 fixed at 1") + && line.contains("arg9 fixed at 0")) ); assert!( trace.candidate_consumer_hypotheses[0] diff --git a/docs/control-loop-atlas/runtime-roots-camera-and-support-families.md b/docs/control-loop-atlas/runtime-roots-camera-and-support-families.md index 8941671..a0d13a6 100644 --- a/docs/control-loop-atlas/runtime-roots-camera-and-support-families.md +++ b/docs/control-loop-atlas/runtime-roots-camera-and-support-families.md @@ -2996,9 +2996,21 @@ The low helper strip beneath that shared family is tighter now too: `0x0052ecd0` The current `0x000055f3 / 0x0001 / 0xff` class is tunnel-dominant and stays entirely on prior profile span `0x03`, while the current `0xff0000ff / 0x0001 / 0xff` class is `TrackCap`- dominant but still carries `4` tunnel rows spread across many spans. + Source-side constructor analysis is narrower now too. `0x00490960` takes mode at stack arg 1, + stem at stack arg 2, forwards args 3/4 into `0x539530`, arg 5 into `0x53a5b0`, arg 10 into the + primary-child cache gate for `[this+0x248]`, and only uses args 7/8/9 for the selector-copy + block when `mode < 4`. + That already separates the remaining mixed classes: + fixed `TrackCap` mode `0x0b` callers at `0x0048ed01/0x0048ed20` push arg7/arg8/arg9 as + `-1 / -1 / 0` and bypass selector-copy entirely because `mode >= 4`, + while tunnel mode `0x02` callers at + `0x004a17eb / 0x004a1995 / 0x004a1b44 / 0x004a1b7d / 0x004a1b95` + necessarily flow through selector-copy because `mode < 4`, with arg8 fixed at `1`, arg9 fixed + at `0`, and only arg7 varying through a branch-local one-bit register. So the next infrastructure pass should stop treating the remaining frontier as a generic “mixed 0x06/outlier” problem and instead target the owning constructor/restore semantics for - those two exact mixed compact-prefix classes. + those two exact mixed compact-prefix classes, especially how tunnel arg7 and the fixed + `TrackCap` no-selector bundle both still collapse into the observed mixed save-side prefixes. The candidate-pattern classes are explicit now too: `0x0055 / 0x00` is a pure `BallastCapST_Cap.3dp / Infrastructure` class across `18` rows, always preceded by a zero-length prior profile span, while `0x0002 / 0xff` is a pure diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index f736298..93d6637 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md @@ -197,9 +197,25 @@ Working rule: `TunnelSTBrick_Cap.3dp / Infrastructure:2`, `TunnelSTBrick_Section.3dp / Infrastructure:2`. Its rows are spread across many spans rather than one dominant restore span. +- Source-side constructor analysis is narrower now too. `0x00490960` takes: + - mode at stack arg 1 + - stem at stack arg 2 + - args 3/4 into `0x539530` + - arg 5 into `0x53a5b0` + - arg 10 as the primary-child cache gate for `[this+0x248]` + - args 7/8/9 into the selector-copy block for `[this+0x219]`, `[this+0x251]`, and bit `0x20` + in `[this+0x24c]` when `mode < 4` +- That already separates the remaining mixed classes: + - fixed `TrackCap` mode `0x0b` callers at `0x0048ed01/0x0048ed20` push arg7/arg8/arg9 as + `-1 / -1 / 0` and bypass selector-copy entirely because `mode >= 4` + - tunnel mode `0x02` callers at + `0x004a17eb / 0x004a1995 / 0x004a1b44 / 0x004a1b7d / 0x004a1b95` + necessarily flow through selector-copy because `mode < 4`, with arg8 fixed at `1`, arg9 + fixed at `0`, and only arg7 varying through a branch-local one-bit register - So the next infrastructure slice should stop treating the remaining frontier as a generic “mixed 0x06/outlier” problem and instead target the owning constructor/restore semantics for - those two exact mixed compact-prefix classes. + those two exact mixed compact-prefix classes, especially how tunnel arg7 and the fixed + `TrackCap` no-selector bundle both still collapse into the observed mixed save-side prefixes. - The candidate-pattern classes are now explicit across the whole stream too: `0x0055 / 0x00` is a pure `BallastCapST_Cap.3dp / Infrastructure` class across `18` rows, always preceded by a zero-length prior profile span, while `0x0002 / 0xff` is a pure