Add short message buffer to IPC fastpath

[jserv]

This extends IPC fastpath capacity from 32 bytes (MR0-MR7 register only) to 160 bytes by adding a 128-byte buffer in TCB structure.

• Add msg_buffer[32] to TCB (maps to MR8-MR39)
• Update ipc_read_mr/ipc_write_mr for three-tier MR access
• Extend fastpath eligibility from n_untyped<=7 to n_untyped<=39
• Add ipc-fastpath.h with optimized copy logic
• Preserve R4-R11 across SVC handler for message register integrity
• Add pointer validation in user_log for safety

Memory layout:

• MR0-MR7: ctx.regs[0-7] (32 bytes, R4-R11 registers)
• MR8-MR39: msg_buffer[0-31] (128 bytes, TCB buffer)
• MR40-MR47: utcb->mr[0-7] (32 bytes, UTCB overflow)

Inspired by QNX Neutrino short message optimization.

---

Summary by cubic

Expand IPC fastpath to 160 bytes using a per-thread short message buffer and a register-safe SVC path. Most short sends now skip the slowpath.

• New Features

  • Map MR8–MR39 to a new TCB msg_buffer[32]; MR40–47 stay in UTCB; IPC_MR_COUNT=48.
  • Add ipc-fastpath.h and SVC changes to save R4–R11, read the PSP frame, and copy MRs from regs/buffer when receiver is ready and no typed items.
  • Update ipc_read_mr/ipc_write_mr for three-tier MR access (regs, buffer, UTCB).
  • Add qemu-gdb and gdb-attach make targets.

• Bug Fixes

  • Prevent MR corruption by preserving R4–R11 in SVC and marking them clobbered in user L4_Ipc.
  • Validate pointers in user_log to avoid kernel faults from bad user inputs.

^{Written for commit 3a31f91. Summary will update on new commits.}

[cubic-dev-ai]

5 issues found across 11 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="mk/generic.mk">

<violation number="1" location="mk/generic.mk:120">
P3: `gdb-attach` uses the ELF binary but doesn’t depend on it, so `make gdb-attach` can fail if the project isn’t built. Add `$(out)/$(PROJECT).elf` as a prerequisite.</violation>
</file>

<file name="kernel/syscall.c">

<violation number="1" location="kernel/syscall.c:85">
P0: Function always returns 0, but the assembly checks for return value 1. This makes `fastpath_schedule` dead code and the immediate context switch via `do_fastpath_schedule()` never happens. Based on the function contract, this should return 1 when fastpath succeeds.</violation>
</file>

<file name="include/platform/ipc-fastpath.h">

<violation number="1" location="include/platform/ipc-fastpath.h:193">
P2: Documentation is outdated: comment says `n_untyped <= 7` but the code actually supports `n_untyped <= 39`. This mismatch could mislead developers about fastpath capacity.</violation>

<violation number="2" location="include/platform/ipc-fastpath.h:202">
P1: Casting away `volatile` from `__irq_saved_regs` is unsafe. This shared memory between interrupt context (SVC handler) and C code requires volatile semantics to prevent the compiler from caching stale values or reordering accesses. Either keep the volatile in the cast or update `ipc_fastpath_helper` to accept `volatile uint32_t*`.</violation>
</file>

<file name="kernel/user-log.c">

<violation number="1" location="kernel/user-log.c:35">
P1: Security: Format pointer validation is missing permission check. The code validates that `format` is in a valid memory pool but doesn't verify user read permissions (unlike the `va` validation which checks `MP_UR | MP_UW`). A malicious user could point `format` to kernel-only memory, causing `dbg_vprintf` to leak kernel data. Add a permission check after getting the pool.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}