Zero-copy hot path, correctness hardening

gva_ptr: leaf-bounded zero-copy guest reads. gva_sweep redesigned to drive
on it — large-page leaves are lent to the callback while 4K runs stay
buffered, and the run loop is guarded against wrap at the top of the address
space. gva_gpa fetches PTEs zero-copy; optional W32MS_LTO build option folds
the per-fetch call boundary (shipped -O2 default unchanged).

Correctness: subtract-form bounds check (no add overflow), memcpy decode in
place of type-punned wide loads, zero-init PDB name before compare,
PCI-hole-crossing range rejection, single-sourced VA_CANON and USER bounds.
hot/cold attributes audited across the translation and scan path.

src/host.c

@@ -100,11 +100,9 @@ static int find_ntoskrnl(gva_ctx* ctx, uintptr_t cr3, uint64_t* base, uint8_t gu
                 }
 
                 uint64_t va = (uint64_t)p4<<39 | (uint64_t)p3<<30 | (uint64_t)p2<<21;
-                if (va & (1ull<<47)) {
-                    va |= 0xFFFF000000000000ull; /* canonical sign-extend */
-                }
+                va = VA_CANON(va);
 
-                uint16_t mz; char pdb[16];
+                uint16_t mz; char pdb[16] = {0};
                 if (gva_read(ctx, cr3, va, &mz, 2) || mz != MZ) {
                     continue;
                 }
@@ -132,10 +130,11 @@ static uint32_t ko_export_rva(gva_ctx* ctx, uintptr_t cr3, uint64_t kbase, const
     if (gva_read(ctx, cr3, kbase + exp_rva, ed, sizeof ed)) {
         return 0;
     }
-    const uint32_t nnames  = *(uint32_t*)(ed + 0x18);
-    const uint32_t a_funcs = *(uint32_t*)(ed + 0x1C);
-    const uint32_t a_names = *(uint32_t*)(ed + 0x20);
-    const uint32_t a_ords  = *(uint32_t*)(ed + 0x24);
+    uint32_t nnames, a_funcs, a_names, a_ords;
+    memcpy(&nnames,  ed + 0x18, 4);
+    memcpy(&a_funcs, ed + 0x1C, 4);
+    memcpy(&a_names, ed + 0x20, 4);
+    memcpy(&a_ords,  ed + 0x24, 4);
 
     for (uint32_t i = 0; i < nnames; i++) {
         uint32_t nrva; char nm[40];