ec82764bef
RTL (GS rasterizer, EE core stub, platform bridge, LPDDR4B path), sim regression (272 TBs), docs, and tooling. Copyrighted PS2 content (BIOS, game code, GS dumps, and all dump-derived textures/traces) is excluded via .gitignore and stays local. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
122 lines
4.7 KiB
Markdown
122 lines
4.7 KiB
Markdown
# Ch302 closeout — syscall 0x13 HLE; channel-5 syscall sequence emerging
|
|
|
|
**Status:** Closed. **Verdict from re-running qbert.elf:**
|
|
`elf_first_unhandled_syscall (pc=0x00111D64 $v1=0x6B (=107))` —
|
|
qbert advanced 28,726 → **28,813 retires (+87)** through the paired
|
|
0x13 and into a THIRD syscall sharing the same channel-5 args.
|
|
|
|
## What landed
|
|
|
|
10th narrow $v0=0 case in the Ch273 dispatcher + 7th runner
|
|
observer (distinct-tuple tracking, paralleling 0x17). All
|
|
mechanical. Regression 177/177 (no new TB).
|
|
|
|
## The channel-5 syscall sequence (NEW structural finding)
|
|
|
|
The runner observers now show qbert running a **repeating
|
|
per-channel sequence**, not just isolated paired calls:
|
|
|
|
```
|
|
syscall_0x17 = count=2 args=(5, 0, -1, 0x00137568) distinct_tuples=1
|
|
syscall_0x13 = count=2 args=(5, 0, -1, 0x00137568) distinct_tuples=1
|
|
(next blocker) $v1=0x6B args=(5, 0, -1, 0x00137568)
|
|
```
|
|
|
|
Three observations:
|
|
|
|
1. **0x17 and 0x13 are each now called TWICE** (count=2, up from
|
|
count=1 in Ch301). When Ch301 HLE'd 0x17, qbert was blocked
|
|
before its second 0x17 call. With 0x13 now HLE'd too, qbert
|
|
loops back and makes both calls a second time — then hits 0x6B.
|
|
|
|
2. **All three syscalls (0x17, 0x13, 0x6B) share identical args**:
|
|
`$a0=5` (channel id), `$a1=0`, `$a2=0xFFFFFFFF` (-1 sentinel),
|
|
`$a3=0x00137568` (the per-channel ctx).
|
|
|
|
3. **This is a per-channel-resource sequence**, not a one-shot
|
|
pair. qbert appears to be iterating: for each channel resource,
|
|
it calls a sequence of kernel functions (0x17, 0x13, 0x6B, …)
|
|
with the same channel id and context.
|
|
|
|
## Codex's pause-for-autopsy condition — assessment
|
|
|
|
Codex said: "if this clears and the next thing is a wait loop or
|
|
channel-5 event, pause for autopsy rather than adding more blind
|
|
success cases."
|
|
|
|
**The next blocker IS a channel-5 event** (0x6B with $a0=5). But
|
|
it is **not a wait loop** — it's a concrete unhandled syscall
|
|
(`elf_first_unhandled_syscall`, not `elf_timeout_with_hot_pc`).
|
|
qbert is making forward progress (+87 retires), not spinning.
|
|
|
|
**My read:** this is the boundary Codex flagged. The pattern has
|
|
shifted from "isolated syscall blockers" to "a repeating
|
|
channel-init sequence." Two paths for Ch303:
|
|
|
|
### Path A — continue mechanical (one more $v0=0 for 0x6B)
|
|
|
|
If 0x6B is just the third call in a finite per-channel init
|
|
sequence (e.g., the SDK does `SetX(ch); RegisterY(ch); EnableZ(ch)`
|
|
for each channel), then a few more mechanical $v0=0 cases will
|
|
clear the whole sequence and qbert moves on. Cheap to try; the
|
|
runner observers will show whether the sequence is finite.
|
|
|
|
### Path B — autopsy the sequence now
|
|
|
|
Disassemble the code region around PC 0x00111D64..0x00111DA0 (the
|
|
caller of these syscall wrappers) to understand the loop
|
|
structure. If it's `for (ch = 0..N) { syscall_0x17(ch); ... }`,
|
|
we learn N and the full syscall set up front, instead of
|
|
discovering them one trap at a time.
|
|
|
|
**Recommendation: Path B (brief autopsy) before Ch303.** The
|
|
triplet + count=2 pattern is strong evidence of a bounded loop.
|
|
A 20-minute disassembly of the caller would reveal:
|
|
- the loop bound (how many channels),
|
|
- the full syscall sequence per channel,
|
|
- whether any of these syscalls' return values are checked
|
|
(which would make a blind $v0=0 wrong).
|
|
|
|
This matches Codex's instinct: stop adding blind success cases
|
|
once a *structured sequence* (not isolated calls) emerges. The
|
|
autopsy is cheap and prevents a string of one-trap-at-a-time
|
|
chapters.
|
|
|
|
## qbert progression
|
|
|
|
| Chapter | Blocker | retire_count |
|
|
|---|---|---|
|
|
| Post-Ch301 (0x17) | syscall $v1=0x13 | 28,726 |
|
|
| **Post-Ch302 (0x13)** | **syscall $v1=0x6B at 0x00111D64 (channel-5 args)** | **28,813 (+87)** |
|
|
|
|
## Files changed
|
|
|
|
- `rtl/ee/ee_core_stub.sv` — 1 new HLE case.
|
|
- `sim/tb/integration/tb_ee_core_syscall_hle.sv` — 0x13 subcase.
|
|
- `sim/tb/integration/tb_ee_core_elf_runner.sv` — 0x13 observer
|
|
(distinct-tuple) + SUMMARY.
|
|
|
|
No new TB; regression unchanged at **177/177**.
|
|
|
|
## Ch303 framing — autopsy the channel-init sequence
|
|
|
|
Concrete first step for Codex/next chapter:
|
|
|
|
1. Disassemble 0x00111D40..0x00111DC0 (the wrappers + their
|
|
caller). The syscall wrappers are likely 4-instruction stubs
|
|
like 0x00110990 (the 0x7A wrapper from Ch294); the *caller* is
|
|
what loops.
|
|
2. Identify the loop: is it `for each channel` or `for each
|
|
resource`? What's the bound?
|
|
3. Enumerate the full syscall sequence per iteration (0x17, 0x13,
|
|
0x6B, and whatever follows).
|
|
4. Decide: mechanical batch (add all the sequence's syscalls as
|
|
$v0=0 at once) vs. modeling actual per-channel state.
|
|
|
|
The runner observer infrastructure (distinct-tuple tracking) is
|
|
already in place to validate whatever Ch303 decides.
|
|
|
|
## Regression
|
|
|
|
**177/177 PASS** (unchanged from Ch301; no new TB).
|