fibers B1.3b-1: x86_64 / Win64 swap_context sibling, validated on a Win7 x64 VM

The context switch is now proven on a second arch/ABI pair. A Win64 swap_context
saves the complete Win64 callee-saved set: 8 GP (rbx,rbp,rdi,rsi,r12-r15) + rsp
AND xmm6-xmm15 (10 XMM, 128-bit via movups -- Win64 has callee-saved XMM, unlike
SysV/aarch64), plus a Win64 scribble_verify (264-byte frame, 32-byte shadow +
16-align at each call, COFF symbols, rsp-carried return address) driving the
2-fiber mutual scribble.

Built --target x86_64-windows-gnu --self-contained (PE32+, output via the Win32
WriteFile boundary -- the 1660 pattern) and run on a Windows 7 x64 VM (UTM):
printed '0 0 P' -- every GP + XMM callee-saved register survived the switch.
Adversarially reviewed before the VM run (worker emitted the real .s and
verified every call alignment, the frame offsets, the rsp/return-address
round-trip, swap ordering, and COFF naming against the Win64 ABI -- no
critical/minor bugs).

Locked by examples/1810-concurrency-fiber-switch-win64.sx (pinned
x86_64-windows-gnu, ir-only on this non-Windows host; the VM run is the
runtime-correctness provenance). Good-swap-only mutual scribble (self-validating
by construction; the in-process negative control was dropped to avoid an sx
fn-ptr-convention issue -- detection of this exact logic was negative-controlled
on aarch64 in 1808).

Suite green 736/0. The B1.3 switch is proven on aarch64 + x86_64/Win64. Next:
B1.4 (Io impls / M:1 scheduler).

current/CHECKPOINT-FIBERS.md

@@ -4,8 +4,26 @@ Companion to [PLAN-FIBERS.md](PLAN-FIBERS.md). Update after every step (one step
 per the cadence rule). New corpus category: `18xx` concurrency.
 
 ## Last completed step
-**B1.3b (mmap guard-page stacks) — DONE. x86_64 switch sibling DEFERRED (not runnable on this
-host).** Fiber stacks are now `mmap`'d with a `PROT_NONE` GUARD PAGE at the low end (§8.1.1: a
+**B1.3b-1 — the x86_64 / Win64 `swap_context` sibling — VALIDATED on real hardware.** The
+context switch is now proven on a SECOND architecture + ABI. A Win64 `swap_context` saves the
+COMPLETE Win64 callee-saved set — 8 GP (rbx, rbp, rdi, rsi, r12-r15) + rsp **and xmm6-xmm15**
+(10 XMM, 128-bit via `movups` — Win64 has callee-saved XMM, unlike SysV/aarch64) — plus a Win64
+`scribble_verify` (32-byte shadow + 16-align at each `call`, COFF symbols, rsp-carried return
+addr). Locked by `examples/1810-concurrency-fiber-switch-win64.sx` (pinned `x86_64-windows-gnu`,
+ir-only here): the 2-fiber mutual scribble printed **`0 0 P`** when built `--target
+x86_64-windows-gnu --self-contained` and **run on a Windows 7 x64 VM (UTM)** — every GP + XMM
+callee-saved survived. **Adversarially reviewed before the VM run** (worker emitted the real `.s`
+and verified every `call` alignment, the 264-byte frame offsets, the rsp/return-addr round-trip,
+swap ordering, and COFF naming against the Win64 ABI — no critical/minor bugs). The build→VM→run
+loop was set up this session (cross-build needs `--self-contained`; output via the Win32
+`WriteFile` boundary, the 1660 pattern). Suite green. Note: this is the GOOD-swap-only mutual
+scribble (self-validating by construction; the in-process negative control was dropped to avoid an
+sx fn-ptr-convention rabbit hole — the detection of this exact logic was negative-controlled on
+aarch64 in 1808). The SysV/Linux x86_64 sibling (different reg set: no callee-saved XMM, args
+rdi/rsi) remains for a Linux x86_64 host.
+
+### Earlier — B1.3b-2 — mmap guard-page stacks (commit `dd532ab`)
+Fiber stacks are `mmap`'d with a `PROT_NONE` GUARD PAGE at the low end (§8.1.1: a
 fixed stack without a guard silently corrupts neighbors on overflow). `mmap` the `[guard |
 usable]` region, `mprotect` the low 16KB page `PROT_NONE`; SP descends into the guard and faults
 loudly at the boundary instead of corrupting a neighbor. Locked by
@@ -14,13 +32,8 @@ loudly at the boundary instead of corrupting a neighbor. Locked by
 - **Guard FIRING validated** (manually, not corpus-pinned — a deliberate overflow crash is
   host-fragile): a fiber recursing past its 128KB stack faults with `Bus error` at the guard page
   (`region+GUARD`); the sx crash handler turns it into exit 134. Documented in the example header.
-- **x86_64 `swap_context` sibling DEFERRED:** `sx build --target x86_64-macos` mislinks on this
-  arm64 host (object is x86_64 but the link step targets arm64), and `--target x86_64-linux` can't
-  run here either — so the x86_64 switch could only ship IR-only, UNRUN. For the single
-  highest-corruption-risk asm, shipping un-run/un-negative-controlled asm violates the §10.7
-  "correctness not existence" rule. Deferred until an x86_64 host (or working cross-run) is
-  available. The aarch64 switch + its §10.7 gate are complete and reviewed; portability is the
-  only gap. SysV target notes recorded in Next step.
+- **x86_64 sibling:** was deferred here (couldn't run x86_64 on this arm64 host), then DONE as
+  Win64 once a Windows 7 x64 VM became available — see B1.3b-1 above (`examples/1810`, `0 0 P`).
 
 ### Earlier — B1.3a-2 — the context-switch STRESS GATE (design §10.7) — DONE + adversarially reviewed
 The explicit every-callee-saved-register scribble that B1.3a-1 owed. `swap_context` now saves the
@@ -239,24 +252,19 @@ fibers/Io/scheduler code yet. Grounded floor facts:
   boundary; a sharper sx diagnostic for it is a candidate polish, not a blocker.
 
 ## Next step
-Two open threads — pick by host availability:
+**→ B1.4 — `Io` impls / the scheduler.** The switch substrate is proven on TWO arch/ABI pairs
+(aarch64 native + x86_64/Win64 on the VM), with the §10.7 stress gate, guarded mmap stacks, and
+adversarial review. That's enough to build the scheduler on. B1.4 builds the deterministic-sim
+`Io` (calibrated against blocking `Io` before trusting it — §8.1.3), then **B1.5** (M:1 scheduler)
+replaces the hand-bootstrapped ping-pong with real `spawn`/`yield`/`resume` over the switch. The
+§10.7 gate (1808) + guarded-stack path (1809) + the Win64 sibling (1810) must keep passing as the
+switch is wrapped into the scheduler.
 
-**(A) x86_64 `swap_context` sibling — needs an x86_64 host (or a working cross-run).** The per-arch
-switch. SysV-AMD64 callee-saved = rbx, rbp, r12, r13, r14, r15 + rsp (6 GP + sp; **no** callee-saved
-XMM on SysV, unlike Win64) — so a 7-slot ctx and a different `scribble_verify` reg set. No link
-register: the return address rides each fiber's stack, so the switch is `mov [from],regs… ;
-mov rsp,[to+48] ; ret` (the final `ret` pops `to`'s saved return addr). Bootstrap: push
-`&_fib_tramp` onto the new stack and set saved rsp to it (16-align: at the trampoline's `call`,
-rsp must be ≡0 mod 16). Args rdi/rsi/rdx; result rax. Carry the SAME 2-fiber mutual-scribble gate
-+ negative-control discipline + adversarial review. **Must be RUN + negative-controlled on a
-matching host** — do NOT ship it ir-only/unrun (§10.7). (1802 is the x86_64 naked-asm template.)
-
-**(B) B1.4 — `Io` impls (blocking ✅ → deterministic-sim KEYSTONE → event-loop).** The aarch64
-substrate (switch + §10.7 gate + guarded stacks) is enough to build the scheduler on. B1.4 builds
-the deterministic-sim `Io` (calibrated against blocking `Io` before trusting it — §8.1.3), then
-**B1.5** (M:1 scheduler) replaces the hand-bootstrapped ping-pong with real `spawn`/`yield`/
-`resume` over the switch. The §10.7 gate (1808) + the guarded-stack path (1809) must keep passing
-as the switch is wrapped into the scheduler.
+**Side thread (optional, low priority): the SysV/Linux x86_64 sibling.** A THIRD switch variant
+for `x86_64-linux`: SysV callee-saved = rbx, rbp, r12-r15 + rsp (6 GP + sp; **no** callee-saved
+XMM, unlike Win64) — a 7-slot ctx, args rdi/rsi/rdx, the rsp-carried return addr. Needs a Linux
+x86_64 host (or a working cross-run) to RUN + the mutual-scribble gate. Not blocking — the switch
+is already validated on two arch/ABI pairs.
 
 **Deferred (do NOT block on these):** issue **0150** (`void` struct field SIGTRAP) — only
 `Future(void)`/`timeout` (B1.4). The **`::` callable-parameter feature** (named-fn async workers
@@ -452,3 +460,19 @@ incomplete); a dedicated effort; lambda workers are the idiom meanwhile.
   highest-risk asm. SysV target notes (rbx/rbp/r12-r15/rsp, no callee-saved XMM, rsp-carried return
   addr) recorded in Next step. Suite green **735/0**. Next: x86_64 sibling (needs an x86_64 host)
   OR B1.4 (`Io` impls / scheduler) on the proven aarch64 substrate.
+- **B1.3b-1 — x86_64 / Win64 switch sibling VALIDATED on real hardware.** The user provided a
+  Windows 7 x64 VM (UTM), so the x86_64 switch became RUNNABLE (as Win64). Validated the
+  cross-build→VM→run loop (`--target x86_64-windows-gnu --self-contained` → PE32+; output via the
+  Win32 `WriteFile` boundary, the 1660 pattern). Wrote a Win64 `swap_context` (8 GP rbx/rbp/rdi/
+  rsi/r12-r15 + rsp + **xmm6-xmm15** via `movups` — Win64 has callee-saved XMM) + a Win64
+  `scribble_verify` (264-byte frame, 32-byte shadow + 16-align at each `call`, COFF symbols,
+  rsp-carried return addr) driving the 2-fiber mutual scribble. **Adversarially reviewed (worker
+  emitted the real `.s`, verified every alignment/offset/round-trip against the Win64 ABI — no
+  critical/minor bugs), THEN run on the VM → `0 0 P`** (all 8 GP + 10 XMM callee-saved survived).
+  Locked by `examples/1810-concurrency-fiber-switch-win64.sx` (pinned `x86_64-windows-gnu`,
+  ir-only on this host; the VM run is the runtime-correctness provenance). Good-swap-only (the
+  in-process negative control was dropped to avoid an sx fn-ptr-convention rabbit hole; the
+  detection of this exact logic was negative-controlled on aarch64 in 1808). Suite green **736/0**.
+  The B1.3 context switch is now proven on TWO arch/ABI pairs. Next: **B1.4** (Io impls / M:1
+  scheduler) on the proven substrate. (Side thread: the SysV/Linux x86_64 sibling, when a Linux
+  x86_64 host is available.)