From ee3f0e9b4900d00095984bd742dd230a1dfe9491 Mon Sep 17 00:00:00 2001 From: Jan Petykiewicz Date: Sat, 18 Apr 2026 22:56:07 -0700 Subject: [PATCH] Rule down remaining acquisition live controller callers --- crates/rrt-runtime/src/smp.rs | 35 +++++++++++++++++++++++++++++++++-- docs/rehost-queue.md | 4 ++++ 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/crates/rrt-runtime/src/smp.rs b/crates/rrt-runtime/src/smp.rs index cfc23af..d2f4450 100644 --- a/crates/rrt-runtime/src/smp.rs +++ b/crates/rrt-runtime/src/smp.rs @@ -4645,6 +4645,8 @@ fn build_periodic_company_service_trace_report( .to_string(), "non-transport caller 0x00422bb4 also reaches 0x004134d0, but it pushes live args plus literal flags 1/0 and returns the created row id through an out-param instead of feeding the tuple-backed finalize path" .to_string(), + "the surviving 0x00508fd1 / 0x005098eb family is bounded away from persisted restore too: it caches the created site id in [this+0x7c], re-enters 0x0040eba0 with immediate coords, and later calls 0x0040ef10 with a hard zero third arg" + .to_string(), "station-detail mutation path 0x0040dc40 already consumes [site+0x276], company stat-family 0x2329/0x0d, and candidate field [candidate+0x22], then commits linked-site side-state rebuild through 0x0040d1f0 / 0x00480710 / 0x0045b160 / 0x0045b9b0 / 0x00418be0 / 0x0040cd70" .to_string(), "city-connection direct-placement family 0x00402cb0 -> 0x00403ed5/0x0040446b -> 0x004134d0 -> 0x0040ef10 already grounds the shared allocator/finalize path for newly created site rows" @@ -4742,6 +4744,7 @@ fn build_periodic_company_service_trace_report( "the loader-side dataflow is narrower now too: 0x0046f073 / 0x004707ff push tuple fields [+0x00/+0x04/+0x0c] into 0x0040ef10, that helper reads arg3 into ebx at 0x0040ef1c, and the paired write at 0x0040f5d4 stores ebx into [site+0x276] while 0x0040f5da stores the computed companion word into [site+0x27a]".to_string(), "the outer owner above 0x004707ff is now classified too: atlas-backed recovery ties that caller to multiplayer transport selector-0x13 body 0x004706b0, which attempts the placed-structure apply path through 0x004197e0 / 0x004134d0 / 0x0040eba0 / 0x0052eb90 / 0x0040ef10 rather than ordinary save-load restore".to_string(), "another surviving 0x004134d0 caller is bounded away from persisted restore too: 0x00422bb4 pushes one live 0x0062b2fc record plus local args and literal flags 1/0 into 0x004134d0, then returns the created row id through an out-param rather than re-entering the tuple-backed finalize path".to_string(), + "the remaining 0x00508fd1 / 0x005098eb strip is bounded away from persisted restore too: 0x00508fd1 stores the new row id in [this+0x7c], immediately configures the live row through vtable slot +0x58 plus 0x00507cf0, and 0x005098eb later re-enters 0x0040ef10 with arg3 forced to zero, so this family is another live controller path rather than the missing persisted owner seam".to_string(), "inside 0x0040ef10 the [site+0x276] write at 0x0040f047 only clears owner-company under a world-flag branch, while the paired [site+0x276]/[site+0x27a] write at 0x0040f5d4 follows a 0x00436590 event/scalar path and is not the generic post-load republisher".to_string(), "direct local writer census now shows the grounded [site+0x276] write side clustering under live mutation families such as 0x004269b0 / 0x00426a10, the create-side 0x0040ef10 / 0x0040f6d0 strip, and the bulk reassignment families 0x00426dce..0x00426ea1 and 0x00430040..0x004300d6 rather than under the known replay strip".to_string(), "direct local control-flow reconstruction now shows those same writer families hanging under the 0x00431b20 opcode dispatcher over 0x0061039c: opcodes 0x04..0x07 dispatch to 0x00430040, opcodes 0x08/0x10..0x13 dispatch to 0x00426d60, and opcodes 0x0d/0x16 dispatch to 0x0042fc90".to_string(), @@ -4906,6 +4909,7 @@ fn build_periodic_company_service_trace_report( "0x0046f073 / 0x004707ff tuple field [+0x0c] feeding 0x0040ef10 arg3 and then [site+0x276] at 0x0040f5d4".to_string(), "0x004706b0 multiplayer transport selector-0x13 body re-entering 0x004197e0 / 0x004134d0 / 0x0040eba0 / 0x0052eb90 / 0x0040ef10 before 0x004707ff".to_string(), "0x00422bb4 direct non-tuple allocator caller pushing one 0x0062b2fc record plus local args and literal flags 1/0 into 0x004134d0, then returning the created row id through an out-param".to_string(), + "0x00508fd1 / 0x005098eb live controller family caching a created site id in [this+0x7c], re-entering 0x0040eba0 with immediate coords, and later calling 0x0040ef10 with arg3 forced to zero".to_string(), "0x004134d0 / 0x0040ef10 shared placed-structure allocator and finalize-or-rebuild lane for newly created or tuple-loaded site rows" .to_string(), "0x00481430 / 0x0047d8e0 dynamic side-buffer stream-load owner repopulating route-entry lists, three byte arrays, five proximity buckets, and trailing scratch band" @@ -28142,7 +28146,7 @@ mod tests { let trace = build_periodic_company_service_trace_report(&analysis); assert_eq!(trace.selected_company_id, Some(7)); assert_eq!(trace.atlas_candidate_consumers.len(), 9); - assert_eq!(trace.known_bridge_helpers.len(), 76); + assert_eq!(trace.known_bridge_helpers.len(), 77); assert_eq!(trace.next_owner_questions.len(), 5); assert_eq!(trace.companies.len(), 1); assert_eq!( @@ -28399,6 +28403,15 @@ mod tests { && line.contains("literal flags 1/0") && line.contains("out-param")) ); + assert!( + trace.near_city_acquisition_projection_hypotheses[0] + .evidence + .iter() + .any(|line| line.contains("0x00508fd1 / 0x005098eb") + && line.contains("[this+0x7c]") + && line.contains("vtable slot +0x58 plus 0x00507cf0") + && line.contains("arg3 forced to zero")) + ); assert!( trace.near_city_acquisition_projection_hypotheses[0] .evidence @@ -28494,7 +28507,7 @@ mod tests { trace .near_city_acquisition_runtime_backed_input_families .len(), - 20 + 21 ); assert_eq!(trace.near_city_acquisition_remaining_owner_gaps.len(), 2); assert_eq!(trace.near_city_acquisition_region_lane_statuses.len(), 4); @@ -28600,6 +28613,15 @@ mod tests { && line.contains("literal flags 1/0") && line.contains("out-param")) ); + assert!( + trace + .near_city_acquisition_runtime_backed_input_families + .iter() + .any(|line| line.contains("0x00508fd1 / 0x005098eb") + && line.contains("[this+0x7c]") + && line.contains("0x0040eba0") + && line.contains("hard zero third arg")) + ); assert!( trace .near_city_acquisition_runtime_backed_input_families @@ -29065,6 +29087,15 @@ mod tests { && line.contains("literal flags 1/0") && line.contains("out-param")) ); + assert!( + trace + .known_bridge_helpers + .iter() + .any(|line| line.contains("0x00508fd1 / 0x005098eb") + && line.contains("[this+0x7c]") + && line.contains("0x0040eba0") + && line.contains("arg3 forced to zero")) + ); assert!( trace .known_bridge_helpers diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index 1b26bcf..b2b6e21 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md @@ -135,6 +135,10 @@ Working rule: `0x00422bb4` pushes one live `0x0062b2fc` record plus local args and literal flags `1/0` into `0x004134d0`, then returns the created row id through an out-param instead of feeding the tuple-backed finalize path + - the remaining `0x00508fd1 / 0x005098eb` family is bounded away too: + it caches the created site id in `[this+0x7c]`, re-enters `0x0040eba0` with immediate coords, + and later calls `0x0040ef10` with a hard zero third arg, so it reads as another live + controller path rather than the missing persisted owner seam - the remaining owner-company question is therefore narrower than “find any replay seam”: identify which non-transport persisted source family feeds that tuple and which companion restore/finalize calls are sufficient to repopulate `[site+0x276]` for shellless acquisition