1
0

emualtor working

This commit is contained in:
Aiden
2026-05-25 21:00:25 +10:00
parent 3ab79648ff
commit 752148c585
22 changed files with 588 additions and 22 deletions

View File

@@ -186062,6 +186062,42 @@
}
}
],
"decompiler_consistency": {
"kind": "decompiler_pseudocode_consistency",
"summary": "3 byte-immediate-to-word destination case(s) require explicit zero-extension in pseudocode.",
"checks": [
{
"kind": "byte_immediate_to_word_destination",
"status": "requires_zero_extend8_to16_pseudocode",
"address": 4163,
"address_hex": "H'1043",
"instruction": "MOV:G.W #H'00, @FRT1_FRC_H",
"expected_pseudocode_hint": "zero_extend8_to16",
"zero_extended_value_hex": "0x0000",
"summary": "Word-sized MOV with an 8-bit immediate writes a zero-extended word. Pseudocode should not model this as a one-byte write or preserve the old low byte."
},
{
"kind": "byte_immediate_to_word_destination",
"status": "requires_zero_extend8_to16_pseudocode",
"address": 4184,
"address_hex": "H'1058",
"instruction": "MOV:G.W #H'00, @FRT2_FRC_H",
"expected_pseudocode_hint": "zero_extend8_to16",
"zero_extended_value_hex": "0x0000",
"summary": "Word-sized MOV with an 8-bit immediate writes a zero-extended word. Pseudocode should not model this as a one-byte write or preserve the old low byte."
},
{
"kind": "byte_immediate_to_word_destination",
"status": "requires_zero_extend8_to16_pseudocode",
"address": 16487,
"address_hex": "H'4067",
"instruction": "MOV:G.W #H'00, @(-H'0790,R2)",
"expected_pseudocode_hint": "zero_extend8_to16",
"zero_extended_value_hex": "0x0000",
"summary": "Word-sized MOV with an 8-bit immediate writes a zero-extended word. Pseudocode should not model this as a one-byte write or preserve the old low byte."
}
]
},
"serial_semantics": {
"kind": "serial_semantics",
"protocol_semantics": [
@@ -196427,7 +196463,7 @@
"entry_label": "loc_4046",
"target_label": "loc_4067",
"condition_candidate": "F9C4 == 0 && ((FAA5.bit7 == 0) || (F9C3 == 0)) && F9B0 == F9B5",
"summary": "Idle/default report gate; when the FRT2 countdown clears and the queue is empty, loc_4046 can enqueue H'00FF for the later loc_BAF2 -> loc_BA26 send path.",
"summary": "Idle/default report gate; when the FRT2 countdown clears and the queue is empty, loc_4046 can enqueue H'0000 for the later loc_BAF2 -> loc_BA26 send path.",
"state_addresses_hex": [
"H'F9C4",
"H'FAA5",
@@ -196435,7 +196471,26 @@
"H'F9B0",
"H'F9B5"
],
"enqueued_report_candidate_hex": "H'00FF",
"enqueued_report_candidate_hex": "H'0000",
"write_semantics_candidate": "loc_4067 is MOV:G.W #H'00, @(-H'0790,R2): the byte immediate is zero-extended by the word destination, so the queue slot becomes H'0000.",
"runtime_trace_confirmation": {
"source": "h8536_emulator_probe target-frame run",
"report_id_hex": "H'0000",
"queue_write_address_hex": "H'4067",
"queue_write_semantics": "H'FFFF -> H'0000, not H'00FF",
"dequeue_path": [
"loc_4046",
"loc_BAF2",
"loc_BB08",
"loc_BB1C",
"loc_BB20",
"loc_BB2B",
"loc_BA26"
],
"emitted_frame_hex": "00 00 00 00 80 DA",
"checksum_seed_hex": "H'5A",
"checksum_hex": "H'DA"
},
"evidence_addresses": [
16454,
16458,
@@ -196847,6 +196902,32 @@
]
}
],
"runtime_confirmed_paths": [
{
"name": "idle_heartbeat_report_runtime_confirmation",
"report_id_hex": "H'0000",
"queue_write_address_hex": "H'4067",
"queue_write_semantics": "MOV:G.W #H'00 writes H'0000 to the queue slot",
"staging_path": [
"loc_4046",
"loc_BAF2",
"loc_BB08",
"loc_BB1C",
"loc_BB20",
"loc_BB2B",
"loc_BA26"
],
"emitted_frame_hex": "00 00 00 00 80 DA",
"checksum_hex": "H'DA"
}
],
"consistency_checks": [
{
"name": "idle_heartbeat_report_id_width",
"status": "pass",
"summary": "Decompiler mnemonic MOV:G.W and emulator execution now agree that the H'00 immediate at loc_4067 is zero-extended to report H'0000."
}
],
"observed_autonomous_output_caveat": "Real captures supplied so far show only heartbeat/idle, call, and camera-power autonomous TX frames. Other panel controls may require a host/device request or state transition before the firmware reports them.",
"confidence": "candidate-medium",
"caveat": "This is a TX/report model for the BB43 -> BA26 path, separate from RX command dispatch. Observed report names are a capture overlay candidate only, not hard-coded source truth.",
@@ -206677,7 +206758,7 @@
"entry_label": "loc_4046",
"target_label": "loc_4067",
"condition_candidate": "F9C4 == 0 && ((FAA5.bit7 == 0) || (F9C3 == 0)) && F9B0 == F9B5",
"summary": "Idle/default report gate; when the FRT2 countdown clears and the queue is empty, loc_4046 can enqueue H'00FF for the later loc_BAF2 -> loc_BA26 send path.",
"summary": "Idle/default report gate; when the FRT2 countdown clears and the queue is empty, loc_4046 can enqueue H'0000 for the later loc_BAF2 -> loc_BA26 send path.",
"state_addresses_hex": [
"H'F9C4",
"H'FAA5",
@@ -206685,7 +206766,26 @@
"H'F9B0",
"H'F9B5"
],
"enqueued_report_candidate_hex": "H'00FF",
"enqueued_report_candidate_hex": "H'0000",
"write_semantics_candidate": "loc_4067 is MOV:G.W #H'00, @(-H'0790,R2): the byte immediate is zero-extended by the word destination, so the queue slot becomes H'0000.",
"runtime_trace_confirmation": {
"source": "h8536_emulator_probe target-frame run",
"report_id_hex": "H'0000",
"queue_write_address_hex": "H'4067",
"queue_write_semantics": "H'FFFF -> H'0000, not H'00FF",
"dequeue_path": [
"loc_4046",
"loc_BAF2",
"loc_BB08",
"loc_BB1C",
"loc_BB20",
"loc_BB2B",
"loc_BA26"
],
"emitted_frame_hex": "00 00 00 00 80 DA",
"checksum_seed_hex": "H'5A",
"checksum_hex": "H'DA"
},
"evidence_addresses": [
16454,
16458,
@@ -207097,6 +207197,32 @@
]
}
],
"runtime_confirmed_paths": [
{
"name": "idle_heartbeat_report_runtime_confirmation",
"report_id_hex": "H'0000",
"queue_write_address_hex": "H'4067",
"queue_write_semantics": "MOV:G.W #H'00 writes H'0000 to the queue slot",
"staging_path": [
"loc_4046",
"loc_BAF2",
"loc_BB08",
"loc_BB1C",
"loc_BB20",
"loc_BB2B",
"loc_BA26"
],
"emitted_frame_hex": "00 00 00 00 80 DA",
"checksum_hex": "H'DA"
}
],
"consistency_checks": [
{
"name": "idle_heartbeat_report_id_width",
"status": "pass",
"summary": "Decompiler mnemonic MOV:G.W and emulator execution now agree that the H'00 immediate at loc_4067 is zero-extended to report H'0000."
}
],
"observed_autonomous_output_caveat": "Real captures supplied so far show only heartbeat/idle, call, and camera-power autonomous TX frames. Other panel controls may require a host/device request or state transition before the firmware reports them.",
"confidence": "candidate-medium",
"caveat": "This is a TX/report model for the BB43 -> BA26 path, separate from RX command dispatch. Observed report names are a capture overlay candidate only, not hard-coded source truth.",