benchmark/: three-way RE-tool comparison + first real C-lift

Three small functions extracted from the v1.19 conservative blob with
ground-truth C and per-tool (Ghidra / retdec / decomp.me) docs:
  01_memset        — byte memset, 28 B
  02_memcpy32      — word-aligned memcpy, 36 B
  03_magic_memset  — magic check + tail-call to memset, 40 B
  04_train_phy_block — first real poll-site function (104 B, 26 insts),
                       contains poll sites 12-15

Results in RESULTS.md:
  - Ghidra: A on all four. Auto-decompile is close to final.
  - retdec: A on #3, F on #1 and #2 (no register-arg inference on raw),
    C on #4 (mistakes & 0xF0000000 for < 0x10000000).

GRIND_LOG.md (in 04_train_phy_block/) records the matching-decomp
iteration: 116-byte candidate.c at -Os vs vendor 104 bytes = 89.7%
size match on first real iteration. Remaining gap is GCC's choice of
`cmp w, w_const; b.ls` over vendor's `tst w, #imm; b.eq` for the
mask tests.

gdb_debug/ holds a native-aarch64 GDB single-stepper for the three
benchmark functions — boltzmann smoke test passed (memset:
buf[10] 0x00→0xab).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

benchmark/03_magic_memset/func.s

@@ -0,0 +1,17 @@
+
+03_magic_memset/func.bin:     file format binary
+
+
+Disassembly of section .data:
+
+0000000000000da4 <.data>:
+ da4:	b2731fe0 	mov	x0, #0x1fe000              	// #2088960
+ da8:	52800021 	mov	w1, #0x1                   	// #1
+ dac:	72aa8821 	movk	w1, #0x5441, lsl #16
+ db0:	b9400402 	ldr	w2, [x0, #4]
+ db4:	6b01005f 	cmp	w2, w1
+ db8:	54000081 	b.ne	0xdc8  // b.any
+ dbc:	d2806582 	mov	x2, #0x32c                 	// #812
+ dc0:	52800001 	mov	w1, #0x0                   	// #0
+ dc4:	17ffff3a 	b	0xaac
+ dc8:	d65f03c0 	ret

benchmark/03_magic_memset/reference.c

@@ -0,0 +1,44 @@
+/* Ground-truth C for FUN_00000da4 @ blob offset 0xda4 (40 bytes / 9 insts).
+ *
+ * Pattern:  magic-number check at absolute address, then tail-call to memset.
+ * Signature:  void check_and_zero(void);
+ *
+ * AArch64 ABI:  no args, no return value
+ * Scratch:      X0..X2, W1, W2
+ *
+ * Behaviour:
+ *   uint32_t *magic = (uint32_t *)0x1fe000;
+ *   if (magic[1] == 0x54410001)           // 'TA'\x01 — Trusted App header?
+ *       memset(magic, 0, 0x32c);          // tail-call to FUN_00000aac
+ *   // else: fall through, return
+ *
+ * Notes the decompiler should ideally recover:
+ *   - `orr x0, xzr, #0x1fe000` is an immediate-load idiom for `x0 = 0x1fe000`;
+ *     encoded as OR-with-zero so ARM assemblers can pack it.
+ *     Tools that don't know the ORR-imm trick may render this as
+ *     `x0 = 0 | 0x1fe000` or worse `x0 = 0 | 0x1FE000UL` with weird types.
+ *   - `MOV w1, #0x1 ; MOVK w1, #0x5441, LSL #16` composes a 32-bit literal
+ *     0x54410001. A good tool collapses both into `w1 = 0x54410001`.
+ *   - `LDR w2, [X0, #0x4]` reads `magic[1]`, i.e. the second word at the
+ *     magic region. Comparing against 0x54410001 = 'TA'\x01 is the
+ *     ARMv8 "Trusted Application" header signature convention.
+ *   - `B 0xaac` is a tail-call: control transfers to memset with X0, W1, X2
+ *     already set up; no BL / return path. Tools should emit this as
+ *     `return memset(x0, w1, x2);` or at least a clear call — not an
+ *     inlined body.
+ *
+ * Address 0x1fe000 lies in RK3588 SRAM (PMU-SRAM region 0x1fe0_0000–…).
+ * Not MMIO in the strict sense — it's memory — but tools may flag it as
+ * special because of the large constant.
+ */
+#include <stddef.h>
+#include <stdint.h>
+
+extern void memset_byte(void *buf, uint8_t val, size_t len); /* FUN_00000aac */
+
+void check_and_zero(void) {
+    uint32_t *magic = (uint32_t *)0x1fe000UL;
+    if (magic[1] == 0x54410001U) {
+        memset_byte(magic, 0, 0x32c);
+    }
+}

benchmark/03_magic_memset/retdec.c

@@ -0,0 +1,30 @@
+//
+// This file was generated by the Retargetable Decompiler
+// Website: https://retdec.com
+//
+
+#include <stdint.h>
+
+// ------------------- Function Prototypes --------------------
+
+int64_t entry_point(void);
+int64_t unknown_aac(int64_t a1, int64_t a2, int64_t a3);
+
+// ------------------------ Functions -------------------------
+
+// Address range: 0xda4 - 0xdcc
+int64_t entry_point(void) {
+    // 0xda4
+    if (*(int32_t *)0x1fe004 == 0x54410001) {
+        // 0xdbc
+        return unknown_aac(0x1fe000, 0, 812);
+    }
+    // 0xdc8
+    return 0x1fe000;
+}
+
+// --------------------- Meta-Information ---------------------
+
+// Detected compiler/packer: molebox (2.0)
+// Detected functions: 1
+