#ifndef VGPU_PERCEPTION_H #define VGPU_PERCEPTION_H /* vgpu_perception.h — host-side, read-only perception over the vgpu region. * * A pure functional core that builds vgpu semantics ON TOP OF a guest * address-space root handed in by the caller. It only PERCEIVES: it discovers * the region by structural invariants, samples frames and reads cursor / * geometry / lifecycle, and returns SNAPSHOTS (POD values). It never owns * coherence, never opens RW guest memory, never decides control or behavioural * timing, never emits events upward. * * Where the region lives (the correction that shapes this API): the region is a * RW shared mapping projected into the USER address space of a producer PROCESS, * NOT a kernel VA in the System address space. So the core is handed a RO win32 * context (which the caller opened with the System kcr3), enumerates processes * with proc_list, and finds the region in a process user-AS under that process's * own cr3 (process.cr3). The System kcr3 is needed ONLY to open the context and * walk processes; once the region is found, it is always read under the * producer's process.cr3 (cached in the handle). The handle carries proc_cr3. * * What this core does NOT do (by design — those belong to the caller): * - It does NOT own the vmie_win32 context / vmie_mem: both are BORROWED. The * caller opens the RO win32 context (its lifetime is tied to the guest * address-space mapping epoch) and closes it when that mapping goes stale. * The core never opens or closes either. * - It does NOT sleep / poll / spawn threads / arm timers: the two-phase * liveness handshake is two calls; the WAIT between them is the caller's. * - It does NOT transport frames. Frame transport is the caller's concern; * the core is a PULL source — the caller takes desc+bytes from * vgpup_sample_frame and routes them. No sink callback here. * - It does NOT write control. vgpup_build_control_write only BUILDS the * desired frame + offsets; the actual write is performed elsewhere, by a * component that holds read-write access to the region. * * Two epochs + producer restart (the caller owns the policy; the core only * reports facts — this is a flat pull model, no polling from below): * - Address-space invalidation (new kcr3 / new epoch): the caller closes the * win32 context, drops the old vgpup_region, opens a fresh context on the * new epoch and re-discovers (vgpup_open). The old handle is invalid (a * different address space entirely). * - vgpu run_epoch advance while the context stays live (session break, same * process): vgpup_read_status records r->run_epoch; vgpup_run_epoch reports * it. The caller compares and decides whether to reset vgpu state — the * region/process are unchanged. The core holds no reset policy. * - Producer process restart (new pid/cr3 under the same live kcr3): the win32 * context is still valid (kernel alive), but the old handle's proc_cr3 / * region_gva point at a dead process address space. Symptom: a read under * r->proc_cr3 returns <0 (the process pages are gone). The core only REPORTS * this (<0 from a read); the DECISION to re-discover is the caller's — it * calls vgpup_close(old) + vgpup_open(v) so a fresh proc_list finds the * restarted producer with its new cr3. * * Ownership convention: * - vmie_win32* v, vmie_mem* m — BORROWED. The caller owns their lifecycle * (tied to the address-space mapping). The core only reads through them. * - vgpup_region* — heap-owned by the core (small private state). Create with * vgpup_open, release with vgpup_close. Closing it does NOT touch v / m. * * Conventions (mirror memmodel.h): * - The System kcr3 opens the RO win32 context; the REGION lives in the USER * address space of the producer process and is read under its process.cr3 * (cached in the handle as proc_cr3). A "GVA" is a 64-bit guest VA in that * process address space. * - All guest reads go through gva_read into a local copy; no borrowed * pointer into guest memory ever escapes a seqlock window or this API. * - Integer returns: 0 success / negative failure for deterministic calls. * Lossy read calls (sample/cursor/geometry) are tristate: 1 = consistent * snapshot produced, 0 = no fresh data / writer kept it busy past the retry * limit / would not fit (a SKIP, never an error — do not block), <0 = a * hard memory-read error (page gone / process restarted — the caller * re-discovers; see "Two epochs + producer restart" above). * * Example (the caller drives the two-phase liveness and the read loop): * * // caller already opened a RO win32 context with the System kcr3: * vmie_win32* v = caller_ctx; // BORROWED by the core * vmie_mem* m = vmie_win32_mem(v); // BORROWED; for the generic gva_* * * vgpup_region* r = vgpup_open(v); // phase 1: find producer + candidate * if (!r) { return; } // no region in any process * * // phase 2 is the caller's: it waits >= VGPU_HEARTBEAT_PERIOD_MS, then * uint64_t proc_cr3, region_gva, hb0; * vgpup_discover_candidate(v, &proc_cr3, ®ion_gva, &hb0); // (or reuse open's) * // ... the caller sleeps here, NOT the core ... * int alive = vgpup_confirm_alive(m, proc_cr3, region_gva, hb0); * * // sampling (lossy pull): * static uint8_t buf[VGPU_SLOT_STRIDE]; * vgpup_frame_info fi; * if (vgpup_sample_frame(r, m, buf, sizeof buf, &fi) == 1) { * // route fi.desc + buf[0..fi.bytes) to the chosen transport * } * * vgpup_close(r); // frees core state only; v / m stay with the caller */ #include #include #include "vgpu_stream.h" /* region ABI: producer/control types, slot geometry */ #include "win32.h" /* vmie_win32*, proc_list, process, vmie_win32_mem; * pulls in memmodel.h for vmie_mem / gva_* — the * producer is found via proc_list under the System * kcr3, then the region is read under process.cr3 */ /* Opaque found vgpu region in a producer's user address space. Heap-owned by the * core; holds only small private state (proc_cr3, region/ctrl/ring GVA, last * frame_id, last run_epoch). It does NOT own v / m — those are passed back in on * every read. */ typedef struct vgpup_region vgpup_region; /* ---- handle / lifecycle (the core does NOT own the win32 context) --------- */ /* Phase-1 discover + bind: enumerate processes (proc_list) over the BORROWED RO * win32 context v, scan each process user-AS by structural invariants, snapshot * hb0, and build a handle carrying the producer's proc_cr3 + region/ctrl/ring * GVA. v is BORROWED — the core reads through it but never closes it (its * lifetime is the caller's, tied to the address-space mapping epoch). Returns a * heap-owned vgpup_region*, or NULL if no region is found in any process. * Liveness is NOT * yet proven: the caller must call vgpup_confirm_alive after waiting * >= VGPU_HEARTBEAT_PERIOD_MS. Sampling before confirmation is allowed (lossy); * "producer alive" is true only after a positive confirm. * * If a later read returns <0, the producer process may have restarted (its * pages are gone): the caller re-discovers via vgpup_close(r) + vgpup_open(v). */ vgpup_region* vgpup_open(vmie_win32* v); /* Release ONLY the core state. Does NOT touch v / m — the caller closes those * (their lifetime is the caller's). Safe on NULL. */ void vgpup_close(vgpup_region* r); /* ---- two-phase discovery (the WAIT belongs to the caller) ----------------- */ /* Phase 1: find a producer and a candidate region in its user-AS (no liveness). * Walks proc_list over v and, for each process, scans its user-AS under * process.cr3 by structural invariants. On the first hit writes the producer's * cr3 to *out_proc_cr3, the region base GVA to *out_region_gva and the heartbeat * snapshot to *out_hb0, and returns 0. Returns <0 if no candidate is found in * any process or a read fails. Pure; does NOT wait. Needs v for proc_list. */ int vgpup_discover_candidate(vmie_win32* v, uint64_t* out_proc_cr3, uint64_t* out_region_gva, uint64_t* out_hb0); /* Phase 2: confirm liveness. The caller calls this >= VGPU_HEARTBEAT_PERIOD_MS * after phase 1. Re-reads heartbeat at region_gva under proc_cr3 and returns 1 * if it advanced (alive producer), 0 if it did not tick (dead / not the region), * <0 on a read error. Takes vmie_mem* m (== vmie_win32_mem(v)) and proc_cr3 — * the win32 surface is no longer needed here, only gva_read. Pure; does NOT * wait — the inter-phase delay is the caller's. */ int vgpup_confirm_alive(vmie_mem* m, uint64_t proc_cr3, uint64_t region_gva, uint64_t hb0); /* ---- snapshots (POD values; read under their seqlock discipline) ---------- */ /* Snapshot of the last published frame's descriptor (read under seq[slot]). */ typedef struct { uint32_t width, height, stride, format; uint64_t frame_id; uint64_t timestamp_ns; } vgpup_frame_desc; /* Result of a frame sample: the descriptor plus the count of bytes copied into * the caller's buffer (== height*stride, tight). */ typedef struct { vgpup_frame_desc desc; size_t bytes; } vgpup_frame_info; /* Cursor snapshot (read under the cursor_seq acquire gate). seq lets the caller * tell "cursor idle" from "producer stopped reporting". */ typedef struct { uint32_t seq; /* cursor_seq observed for this snapshot */ uint32_t visible; /* 1 = shown, 0 = hidden */ int32_t x, y; /* unpacked from cursor_pos (signed) */ uint16_t hot_x, hot_y; /* unpacked from cursor_hotspot */ uint16_t glyph_w, glyph_h; /* unpacked from cursor_glyph */ uint32_t id; /* VGPU_CURSOR_ID_* */ } vgpup_cursor; /* Display-geometry snapshot (read under the geom_seq seqlock). */ typedef struct { int32_t virt_x, virt_y; uint32_t virt_w, virt_h; int32_t cap_x, cap_y; uint32_t dpi, refresh_mhz; } vgpup_geometry; /* Lifecycle / status snapshot (cold line; single naturally-aligned atomic * fields, no seqlock — "fresh enough" by the lossy contract). */ typedef struct { uint64_t heartbeat; uint32_t run_epoch; uint32_t status; /* VGPU_ST_* */ uint32_t backend; /* VGPU_BK_* */ uint32_t error_code; uint32_t applied_fps; uint32_t supported_formats; uint32_t ctrl_ack; uint32_t full_frame_ack; uint64_t content_change_ns; } vgpup_status; /* ---- read API (lossy; seqlock discipline lives inside) -------------------- * * All read functions read under r->proc_cr3 (the producer's cr3, cached in the * handle at discovery). m is a BORROWED vmie_mem* (== vmie_win32_mem(v)); the * cr3 is NOT in the signature — it travels in the handle. A <0 return is a hard * memory-read error: the producer process may have restarted, so the caller * re-discovers (see "Two epochs + producer restart" in the file header). */ /* Sample the latest frame. Seqlock-reads latest/seq[slot]/desc, copies the slot * bytes out of the RING via gva_read, then re-checks seq[slot] in one window. * dst is the caller's buffer, cap its capacity. Returns 1 = a fresh frame was * copied (info filled), 0 = no new frame / writer busy past the retry limit / * frame would not fit cap (lossy SKIP, not an error), <0 = a memory-read error. * "Fresh" dedups by frame_id: a frame_id <= the last sampled one returns 0. */ int vgpup_sample_frame(vgpup_region* r, vmie_mem* m, uint8_t* dst, size_t cap, vgpup_frame_info* info); /* Read the cursor under the cursor_seq acquire gate. 1 = consistent snapshot, * 0 = writer busy past the retry limit, <0 = read error. */ int vgpup_read_cursor(vgpup_region* r, vmie_mem* m, vgpup_cursor* out); /* Read display geometry under the geom_seq seqlock. Returns as read_cursor. */ int vgpup_read_geometry(vgpup_region* r, vmie_mem* m, vgpup_geometry* out); /* Read the cold-line status/lifecycle. 0 = success, <0 = read error. The single * atomic fields carry no seqlock; the snapshot is "fresh enough" (lossy). */ int vgpup_read_status(vgpup_region* r, vmie_mem* m, vgpup_status* out); /* The run_epoch from the last vgpup_read_status — a session-break detector for * the caller while the address space stays live. The core only reports the raw * value; it holds no reset policy (what to reset is the caller's decision). */ uint32_t vgpup_run_epoch(const vgpup_region* r); /* ---- control-write — SEAM ONLY (this never writes) ------------------------ */ /* Desired control-block value (host-RW fields). The caller builds it and later * forwards it to the writer; the actual gva_write is performed elsewhere, by the * component that holds read-write access to the region. */ typedef struct { uint32_t desired_state; /* VGPU_CMD_* */ uint32_t target_fps; /* 0 = producer default */ uint32_t draw_cursor; /* 0/1 */ uint32_t full_frame_req; /* edge counter (caller bumps vs the previous) */ } vgpup_control_intent; /* Build a control frame WITHOUT writing: fill a vgpu_control_t image from `in`, * and report the control-block GVA plus the offset/length of the significant * field range, so an external read-write writer can perform an atomic write * under the ctrl_gen seqlock. This NEVER touches guest memory (the RO fd would * not allow it anyway). ctrl_gen is left zero here: the writer owns it under the * seqlock. The significant range is desired_state .. full_frame_req; * consumer_tick/attached carry separate heartbeat/intent semantics and are NOT * part of this intent. * out_frame — filled vgpu_control_t (significant fields from `in`) * out_ctrl_gva — control-block GVA (region base + VGPU_CONTROL_OFFSET). This * GVA is valid in the PRODUCER's user address space: the * external write MUST be performed under r->proc_cr3, NOT the * System kcr3. * out_off — offset of the first significant field (offsetof desired_state) * out_len — length of the significant range (through full_frame_req) * Returns 0 on success, <0 if r is NULL. The write itself is performed * elsewhere; there is no live gva_write here and there must not be. */ int vgpup_build_control_write(vgpup_region* r, const vgpup_control_intent* in, vgpu_control_t* out_frame, uint64_t* out_ctrl_gva, uint32_t* out_off, uint32_t* out_len); #endif /* VGPU_PERCEPTION_H */