From 9bac9c3b08b6e7b2c869a38719bb2184dc6717d3 Mon Sep 17 00:00:00 2001 From: Jan Petykiewicz Date: Sat, 18 Apr 2026 23:01:36 -0700 Subject: [PATCH] Rule down remaining direct acquisition owner stores --- crates/rrt-runtime/src/smp.rs | 61 +++++++++++++++++++++++++++++++++-- docs/rehost-queue.md | 10 ++++-- 2 files changed, 67 insertions(+), 4 deletions(-) diff --git a/crates/rrt-runtime/src/smp.rs b/crates/rrt-runtime/src/smp.rs index 992366a..5770519 100644 --- a/crates/rrt-runtime/src/smp.rs +++ b/crates/rrt-runtime/src/smp.rs @@ -4651,6 +4651,8 @@ fn build_periodic_company_service_trace_report( .to_string(), "0x00473c20 is a separate live queue-drain family over scratch band 0x006ce808..0x006ce988: it iterates queued site ids and coordinate pairs, re-enters 0x0040eba0 at 0x00473c98, then clears each queued id, so it is a local post-create refresh path rather than a persisted replay owner" .to_string(), + "the remaining direct [site+0x276] store census is bounded away from persisted replay too: 0x0042128d is broad zero-init in the 0x00421430 constructor neighborhood, 0x00422305 computes a live score/category lane before publishing 0x7, 0x004269c9/0x00426a2a are acquisition commit and clear helpers, and 0x004282a9/0x004300d6 are bulk owner-transfer writes" + .to_string(), "station-detail mutation path 0x0040dc40 already consumes [site+0x276], company stat-family 0x2329/0x0d, and candidate field [candidate+0x22], then commits linked-site side-state rebuild through 0x0040d1f0 / 0x00480710 / 0x0045b160 / 0x0045b9b0 / 0x00418be0 / 0x0040cd70" .to_string(), "city-connection direct-placement family 0x00402cb0 -> 0x00403ed5/0x0040446b -> 0x004134d0 -> 0x0040ef10 already grounds the shared allocator/finalize path for newly created site rows" @@ -4751,6 +4753,7 @@ fn build_periodic_company_service_trace_report( "another surviving 0x004134d0 caller is bounded away from persisted restore too: 0x00422bb4 pushes one live 0x0062b2fc record plus local args and literal flags 1/0 into 0x004134d0, then returns the created row id through an out-param rather than re-entering the tuple-backed finalize path".to_string(), "the remaining 0x00508fd1 / 0x005098eb strip is bounded away from persisted restore too: 0x00508fd1 stores the new row id in [this+0x7c], immediately configures the live row through vtable slot +0x58 plus 0x00507cf0, and 0x005098eb later re-enters 0x0040ef10 with arg3 forced to zero, so this family is another live controller path rather than the missing persisted owner seam".to_string(), "the adjacent 0x00473c20 family is bounded away too: it drains queued site ids and coordinate pairs from scratch band 0x006ce808..0x006ce988, re-enters 0x0040eba0 at 0x00473c98 for each live row, and then clears the queued id slot, so it is a local post-create refresh path rather than the missing persisted owner seam".to_string(), + "the remaining direct [site+0x276] store census is bounded away too: 0x0042128d is broad zero-init in the 0x00421430 constructor neighborhood, 0x00422305 computes a live score/category lane before publishing event 0x7, 0x004269c9/0x00426a2a are acquisition commit and clear helpers, and 0x004282a9 / 0x004300d6 are bulk owner-transfer writes rather than ordinary restored-row replay".to_string(), "inside 0x0040ef10 the [site+0x276] write at 0x0040f047 only clears owner-company under a world-flag branch, while the paired [site+0x276]/[site+0x27a] write at 0x0040f5d4 follows a 0x00436590 event/scalar path and is not the generic post-load republisher".to_string(), "direct local writer census now shows the grounded [site+0x276] write side clustering under live mutation families such as 0x004269b0 / 0x00426a10, the create-side 0x0040ef10 / 0x0040f6d0 strip, and the bulk reassignment families 0x00426dce..0x00426ea1 and 0x00430040..0x004300d6 rather than under the known replay strip".to_string(), "direct local control-flow reconstruction now shows those same writer families hanging under the 0x00431b20 opcode dispatcher over 0x0061039c: opcodes 0x04..0x07 dispatch to 0x00430040, opcodes 0x08/0x10..0x13 dispatch to 0x00426d60, and opcodes 0x0d/0x16 dispatch to 0x0042fc90".to_string(), @@ -4758,6 +4761,7 @@ fn build_periodic_company_service_trace_report( ], blockers: vec![ "current atlas evidence now grounds one tuple-backed owner path too: loader tuple field [+0x0c] reaches [site+0x276] through 0x0046f073 / 0x004707ff -> 0x0040ef10, but the classified 0x004707ff caller belongs to multiplayer transport selector-0x13 rather than ordinary save-load restore, so a non-transport persisted source family is still needed for shellless acquisition".to_string(), + "the explicit store census now also rules down the remaining obvious non-transport writes, so the missing ordinary restored-row owner seam likely sits outside the currently bounded direct allocator/finalize/store families".to_string(), ], }, SmpServiceConsumerHypothesis { @@ -4918,6 +4922,10 @@ fn build_periodic_company_service_trace_report( "0x00422bb4 direct non-tuple allocator caller pushing one 0x0062b2fc record plus local args and literal flags 1/0 into 0x004134d0, then returning the created row id through an out-param".to_string(), "0x00508fd1 / 0x005098eb live controller family caching a created site id in [this+0x7c], re-entering 0x0040eba0 with immediate coords, and later calling 0x0040ef10 with arg3 forced to zero".to_string(), "0x00473c20 live queued-site refresh draining scratch band 0x006ce808..0x006ce988 and re-entering 0x0040eba0 at 0x00473c98 before clearing each queued id slot".to_string(), + "0x0042128d broad zero-init in the 0x00421430 constructor neighborhood clearing [site+0x276] with the surrounding site reset band".to_string(), + "0x00422305 live score/category publisher writing [site+0x276] before event 0x7 dispatch, not ordinary restore".to_string(), + "0x004269c9 / 0x00426a2a acquisition commit and clear helpers mutating [site+0x276]/[site+0x27a] on chosen live rows".to_string(), + "0x004282a9 / 0x004300d6 bulk owner-transfer writes over existing live placed-structure rows".to_string(), "0x004134d0 / 0x0040ef10 shared placed-structure allocator and finalize-or-rebuild lane for newly created or tuple-loaded site rows" .to_string(), "0x00481430 / 0x0047d8e0 dynamic side-buffer stream-load owner repopulating route-entry lists, three byte arrays, five proximity buckets, and trailing scratch band" @@ -28154,7 +28162,7 @@ mod tests { let trace = build_periodic_company_service_trace_report(&analysis); assert_eq!(trace.selected_company_id, Some(7)); assert_eq!(trace.atlas_candidate_consumers.len(), 9); - assert_eq!(trace.known_bridge_helpers.len(), 79); + assert_eq!(trace.known_bridge_helpers.len(), 83); assert_eq!(trace.next_owner_questions.len(), 5); assert_eq!(trace.companies.len(), 1); assert_eq!( @@ -28437,6 +28445,15 @@ mod tests { && line.contains("0x00473c98") && line.contains("queued id slot")) ); + assert!( + trace.near_city_acquisition_projection_hypotheses[0] + .evidence + .iter() + .any(|line| line.contains("0x0042128d") + && line.contains("0x00422305") + && line.contains("0x004269c9/0x00426a2a") + && line.contains("0x004282a9 / 0x004300d6")) + ); assert!( trace.near_city_acquisition_projection_hypotheses[0] .evidence @@ -28532,7 +28549,7 @@ mod tests { trace .near_city_acquisition_runtime_backed_input_families .len(), - 23 + 24 ); assert_eq!(trace.near_city_acquisition_remaining_owner_gaps.len(), 2); assert_eq!(trace.near_city_acquisition_region_lane_statuses.len(), 4); @@ -28664,6 +28681,15 @@ mod tests { && line.contains("0x00473c98") && line.contains("post-create refresh path")) ); + assert!( + trace + .near_city_acquisition_runtime_backed_input_families + .iter() + .any(|line| line.contains("0x0042128d") + && line.contains("0x00422305") + && line.contains("0x004269c9/0x00426a2a") + && line.contains("0x004282a9/0x004300d6")) + ); assert!( trace .near_city_acquisition_runtime_backed_input_families @@ -29154,6 +29180,37 @@ mod tests { && line.contains("0x006ce808..0x006ce988") && line.contains("0x00473c98")) ); + assert!( + trace + .known_bridge_helpers + .iter() + .any(|line| line.contains("0x0042128d") + && line.contains("0x00421430") + && line.contains("[site+0x276]")) + ); + assert!( + trace + .known_bridge_helpers + .iter() + .any(|line| line.contains("0x00422305") + && line.contains("event 0x7") + && line.contains("[site+0x276]")) + ); + assert!( + trace + .known_bridge_helpers + .iter() + .any(|line| line.contains("0x004269c9 / 0x00426a2a") + && line.contains("[site+0x276]/[site+0x27a]")) + ); + assert!( + trace + .known_bridge_helpers + .iter() + .any(|line| line.contains("0x004282a9 / 0x004300d6") + && line.contains("owner-transfer") + && line.contains("placed-structure")) + ); assert!( trace .known_bridge_helpers diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index 128cdde..ac4d809 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md @@ -147,9 +147,15 @@ Working rule: it drains queued site ids and coordinate pairs from scratch band `0x006ce808..0x006ce988`, re-enters `0x0040eba0` at `0x00473c98`, and clears each queued id slot, so it is a local post-create refresh path rather than a persisted replay owner + - the remaining direct `[site+0x276]` store census is bounded away too: + `0x0042128d` is broad zero-init in the `0x00421430` constructor neighborhood, + `0x00422305` computes a live score/category lane before publishing event `0x7`, + `0x004269c9/0x00426a2a` are acquisition commit/clear helpers, and + `0x004282a9/0x004300d6` are bulk owner-transfer writes - the remaining owner-company question is therefore narrower than “find any replay seam”: - identify which non-transport persisted source family feeds that tuple and which companion - restore/finalize calls are sufficient to repopulate `[site+0x276]` for shellless acquisition + identify which non-transport persisted source family outside the currently bounded direct + allocator/finalize/store families feeds that tuple and which companion restore/finalize calls + are sufficient to repopulate `[site+0x276]` for shellless acquisition - the second is narrower in the same way: the checked-in `0x36b1/0x36b2/0x36b3` triplet seam and the `0x4a9d/0x4a3a/0x4a3b` side-buffer seam still do not serialize `[site+0x310/+0x338/+0x360]`