platform: posix: ipc: expose fuzz-case staging-state hooks

The libFuzzer entry point in fuzz.c stages each testcase by writing
posix_fuzz_buf/sz and raising the fuzz IRQ; fuzz_isr() then drains
those bytes into the static fuzz_in[] queue and feeds them into the
IPC layer one message at a time. Two pieces of state therefore
survive across LLVMFuzzerTestOneInput() calls:

  * `posix_fuzz_sz`     - the raw input length still to consume,
  * `fuzz_in[] / _sz`   - the per-call staging queue.

The fuzzer harness has no way to inspect either of them today, which
makes it impossible to tell whether a previous testcase fully
drained before the next one begins. That is the root cause of the
"not reproducible" crashes.

Introduce three small helpers, kept in the module that owns the
state, with no callers yet:

  posix_fuzz_case_begin()   - drop the staging queue at the start of
                              a new testcase,
  posix_fuzz_case_pending() - true while either buffer still has
                              bytes to deliver,
  posix_fuzz_case_abort()   - wipe both buffers (used when a case
                              exceeds the simulator tick budget).

A follow-up commit wires these into LLVMFuzzerTestOneInput(). This
commit is a pure code-addition refactor: no callers, no behaviour
change, the build still emits the same object code for the existing
entry points.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>

Author: tmleman

src/platform/posix/include/platform/fuzz.h

@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+/* Copyright(c) 2026 Intel Corporation. All rights reserved. */
+
+#ifndef PLATFORM_POSIX_FUZZ_H
+#define PLATFORM_POSIX_FUZZ_H
+
+#include <stdbool.h>
+
+/**
+ * @brief Reset IPC staging state at the start of a new fuzz testcase.
+ *
+ * Must be called before staging new fuzz input so that any leftover
+ * state from a previous testcase that failed to drain within the tick
+ * budget cannot influence the new one.
+ */
+void posix_fuzz_case_begin(void);
+
+/**
+ * @brief Query whether any staged IPC fuzz input is still pending.
+ *
+ * @return true if the raw input buffer or the IPC staging queue is
+ *         non-empty, false when fully drained.
+ */
+bool posix_fuzz_case_pending(void);
+
+/**
+ * @brief Hard-reset all staged IPC fuzz state.
+ *
+ * Called when the simulator tick budget is exhausted before the input
+ * has been fully drained, ensuring the next testcase starts clean.
+ */
+void posix_fuzz_case_abort(void);
+
+#endif /* PLATFORM_POSIX_FUZZ_H */

src/platform/posix/ipc.c

@@ -1,13 +1,16 @@
 // SPDX-License-Identifier: BSD-3-Clause
 // Copyright(c) 2022 Google LLC.  All rights reserved.
 // Author: Andy Ross <andyross@google.com>
+#include <platform/fuzz.h>
 #include <sof/lib/uuid.h>
 #include <sof/ipc/msg.h>
 #include <sof/lib/mailbox.h>
 #include <sof/ipc/common.h>
 #include <sof/ipc/schedule.h>
 #include <sof/schedule/edf_schedule.h>
 #include <sof/audio/component_ext.h>
+#include <stdbool.h>
+#include <stddef.h>
 
 // 6c8f0d53-ff77-4ca1-b825-c0c4e1b0d322
 SOF_DEFINE_REG_UUID(ipc_task_posix);
@@ -33,6 +36,28 @@ extern size_t posix_fuzz_sz;
 static uint8_t fuzz_in[65536];
 static size_t fuzz_in_sz;
 
+/*
+ * Testcase-isolation helpers used by the libFuzzer entry point in
+ * fuzz.c. They keep ownership of the cross-call state in one module
+ * so a new testcase never observes leftovers from a previous one that
+ * failed to drain inside the simulator tick budget.
+ */
+void posix_fuzz_case_begin(void)
+{
+	fuzz_in_sz = 0;
+}
+
+bool posix_fuzz_case_pending(void)
+{
+	return posix_fuzz_sz != 0 || fuzz_in_sz != 0;
+}
+
+void posix_fuzz_case_abort(void)
+{
+	posix_fuzz_sz = 0;
+	fuzz_in_sz = 0;
+}
+
 // The protocol here is super simple: the first byte is a message size
 // in units of 16 bits (the buffer maximum defaults to 384 bytes, and
 // I didn't want to waste space early in the buffer lest I confuse the