strat9_kernel/syscall/

dispatcher.rs

//! Strat9-OS syscall dispatcher.
//!
//! Routes syscall numbers to handler functions and converts results to RAX values.
//! Called from the naked `syscall_entry` assembly with a pointer to `SyscallFrame`.
//!
//! The main dispatch function is `__strat9_syscall_dispatch`, which matches on the syscall number and calls the appropriate handler. Each handler returns a `Result<u64, SyscallError>`, which is converted to a raw value in RAX (positive for success, negative for error).
//! The `dispatch` function is an alias for `__strat9_syscall_dispatch` used by the assembly entry point.
//! The syscall handlers are defined in this module and in submodules (e.g. `mmap`, `process`, `signal`, etc.) and cover a wide range of functionality including process management, memory management, IPC, file I/O, networking, and more.
//! The dispatcher also includes diagnostic logging with rate-limiting to avoid log spam under high syscall rates. For example, it logs the first 20 syscalls unconditionally, then every 10,000 syscalls thereafter. It also has budgeted logging for network send/recv errors and DHCP frame tracing.
//!
//!
use super::{
    error::SyscallError, exec::sys_execve, fork::sys_fork, numbers::*, process as proc_sys,
    SyscallFrame,
};
use crate::{
    arch::x86_64::pci,
    capability::{get_capability_manager, release_capability, CapId, CapPermissions, ResourceType},
    hardware::storage::{
        ahci,
        virtio_block::{self, BlockDevice, SECTOR_SIZE},
    },
    ipc::{
        channel::{self, ChanId},
        message::IpcMessage,
        port::{self, PortId},
        reply,
        semaphore::{self, SemId},
        shared_ring::{self, RingId},
    },
    memory::{UserSliceRead, UserSliceWrite},
    process::current_task_clone,
    silo,
};
use alloc::{sync::Arc, vec};
use core::sync::atomic::{AtomicU32, Ordering};

/// One-shot diagnostic flag to confirm syscalls reach the dispatcher.
static SYSCALL_DIAG_DONE: core::sync::atomic::AtomicBool =
    core::sync::atomic::AtomicBool::new(false);

/// Rate-limit counter for the per-syscall ENTER trace (avoid flooding FORCE_LOCK under SMP).
/// Prints first 20 dispatches unconditionally, then every 10 000.
static SYSCALL_TRACE_COUNT: core::sync::atomic::AtomicU64 = core::sync::atomic::AtomicU64::new(0);

/// Budget for logging network send errors to prevent log spam.
static NET_SEND_ERR_LOG_BUDGET: AtomicU32 = AtomicU32::new(32);
/// Budget for logging network receive errors to prevent log spam.
static NET_RECV_ERR_LOG_BUDGET: AtomicU32 = AtomicU32::new(32);
/// Budget for logging DHCP trace frames to prevent log spam.
static DHCP_TRACE_LOG_BUDGET: AtomicU32 = AtomicU32::new(64);

/// Performs the trace dhcp frame operation.
fn trace_dhcp_frame(tag: &str, frame: &[u8]) {
    if DHCP_TRACE_LOG_BUDGET.fetch_sub(1, Ordering::Relaxed) == 0 {
        return;
    }
    if frame.len() < 14 {
        return;
    }
    let ethertype = u16::from_be_bytes([frame[12], frame[13]]);
    if ethertype != 0x0800 {
        return;
    }
    if frame.len() < 34 {
        return;
    }
    let ip_hlen = ((frame[14] & 0x0f) as usize) * 4;
    if ip_hlen < 20 || frame.len() < 14 + ip_hlen + 8 {
        return;
    }
    if frame[23] != 17 {
        return;
    }
    let udp = 14 + ip_hlen;
    let src_port = u16::from_be_bytes([frame[udp], frame[udp + 1]]);
    let dst_port = u16::from_be_bytes([frame[udp + 2], frame[udp + 3]]);
    let is_dhcp = (src_port == 68 && dst_port == 67) || (src_port == 67 && dst_port == 68);
    if !is_dhcp {
        return;
    }
    let mut xid: u32 = 0;
    let bootp = udp + 8;
    if frame.len() >= bootp + 8 {
        xid = u32::from_be_bytes([
            frame[bootp + 4],
            frame[bootp + 5],
            frame[bootp + 6],
            frame[bootp + 7],
        ]);
    }
    crate::serial_println!(
        "[dhcp-trace] {} src_port={} dst_port={} len={} xid=0x{:08x}",
        tag,
        src_port,
        dst_port,
        frame.len(),
        xid
    );
}

/// Main dispatch function called from `syscall_entry` assembly.
///
/// # Arguments
/// * `frame` - Pointer to the SyscallFrame on the kernel stack.
///
/// # Returns
/// The value to place in RAX (positive = success, negative = error).
///
/// # Safety
/// Called from naked assembly. `frame` must be a valid pointer to a
/// `SyscallFrame` on the current kernel stack.
#[no_mangle]
pub extern "C" fn __strat9_syscall_dispatch(frame: &mut SyscallFrame) -> u64 {
    let syscall_num = frame.rax as usize;
    let arg1 = frame.rdi;
    let arg2 = frame.rsi;
    let arg3 = frame.rdx;

    // One-shot diagnostic: confirm first syscall reaches the dispatcher.
    if !SYSCALL_DIAG_DONE.swap(true, core::sync::atomic::Ordering::Relaxed) {
        crate::e9_println!(
            "[syscall-FIRST] nr={} rip={:#x} tid={:?}",
            syscall_num,
            frame.rcx,
            crate::process::current_task_id().map(|t| t.as_u64())
        );
    }
    let arg4 = frame.r10;
    let _arg5 = frame.r8;
    let _arg6 = frame.r9;

    // Rate-limited trace to avoid saturating FORCE_LOCK under SMP.
    // First 20 calls unconditional, then a sample every 10_000.
    {
        let n = SYSCALL_TRACE_COUNT.fetch_add(1, core::sync::atomic::Ordering::Relaxed);
        if n < 20 || n % 10_000 == 0 {
            if let Some(tid) = crate::process::current_task_id() {
                crate::e9_println!(
                    "[syscall] ENTER n={} tid={} nr={} arg1={:#x} arg2={:#x} rip={:#x} cpu={}",
                    n,
                    tid,
                    syscall_num,
                    arg1,
                    arg2,
                    frame.rcx,
                    crate::arch::x86_64::percpu::current_cpu_index()
                );
            }
        }
    }

    let result = match syscall_num {
        SYS_NULL => sys_null(),
        SYS_HANDLE_DUPLICATE => sys_handle_duplicate(arg1),
        SYS_HANDLE_CLOSE => sys_handle_close(arg1),
        SYS_HANDLE_WAIT => sys_handle_wait(arg1, arg2),
        SYS_HANDLE_GRANT => sys_handle_grant(arg1, arg2),
        SYS_HANDLE_REVOKE => sys_handle_revoke(arg1),
        SYS_HANDLE_INFO => sys_handle_info(arg1, arg2),

        // Memory management (block 100-199)
        SYS_MMAP => super::mmap::sys_mmap(arg1, arg2, arg3 as u32, arg4 as u32, frame.r8, frame.r9),
        SYS_MUNMAP => super::mmap::sys_munmap(arg1, arg2),
        SYS_BRK => super::mmap::sys_brk(arg1),
        SYS_MREMAP => super::mmap::sys_mremap(arg1, arg2, arg3, arg4),
        SYS_MPROTECT => super::mmap::sys_mprotect(arg1, arg2, arg3),
        SYS_MEM_REGION_EXPORT => super::mmap::sys_mem_region_export(arg1),
        SYS_MEM_REGION_MAP => super::mmap::sys_mem_region_map(arg1, arg2, arg3),
        SYS_MEM_REGION_INFO => super::mmap::sys_mem_region_info(arg1, arg2),

        // Process management (block 300-399)
        SYS_PROC_EXIT => sys_proc_exit(arg1),
        SYS_PROC_YIELD => sys_proc_yield(),
        SYS_PROC_FORK => sys_fork(frame).map(|result| result.child_pid as u64),
        SYS_PROC_GETPID | SYS_GETPID => proc_sys::sys_getpid(),
        SYS_PROC_GETPPID => proc_sys::sys_getppid(),
        SYS_GETTID => proc_sys::sys_gettid(),
        SYS_PROC_WAITPID => {
            super::wait::sys_waitpid(arg1 as i64, arg2, arg3 as u32).map(|pid| pid as u64)
        }
        SYS_PROC_WAIT => super::wait::sys_wait(arg1),
        SYS_PROC_EXECVE => sys_execve(frame, arg1, arg2, arg3),

        // File I/O (block 400-499)
        SYS_FCNTL => super::fcntl::sys_fcntl(arg1, arg2, arg3),
        SYS_SETPGID => proc_sys::sys_setpgid(arg1 as i64, arg2 as i64),
        SYS_GETPGID => proc_sys::sys_getpgid(arg1 as i64),
        SYS_SETSID => proc_sys::sys_setsid(),
        SYS_GETPGRP => proc_sys::sys_getpgrp(),
        SYS_GETSID => proc_sys::sys_getsid(arg1 as i64),

        SYS_GETUID => proc_sys::sys_getuid(),
        SYS_GETEUID => proc_sys::sys_geteuid(),
        SYS_GETGID => proc_sys::sys_getgid(),
        SYS_GETEGID => proc_sys::sys_getegid(),
        SYS_SETUID => proc_sys::sys_setuid(arg1),
        SYS_SETGID => proc_sys::sys_setgid(arg1),
        SYS_THREAD_CREATE => proc_sys::sys_thread_create(frame, arg1, arg2, arg3, arg4, frame.r8),
        SYS_THREAD_JOIN => proc_sys::sys_thread_join(arg1, arg2, arg3),
        SYS_THREAD_EXIT => proc_sys::sys_thread_exit(arg1),
        SYS_UNAME => sys_uname(arg1),
        //  Thread lifecycle (333-334) ===========================================
        SYS_SET_TID_ADDRESS => proc_sys::sys_set_tid_address(arg1),
        SYS_EXIT_GROUP => proc_sys::sys_exit_group(arg1),
        //  Architecture-specific (350) ==========================================
        SYS_ARCH_PRCTL => proc_sys::sys_arch_prctl(arg1, arg2),

        //  tgkill (352) =========================================
        SYS_TGKILL => proc_sys::sys_tgkill(arg1, arg2, arg3),
        SYS_RT_SIGRETURN => super::signal::sys_rt_sigreturn(frame),
        // Futex syscalls (400-409) ========================================
        SYS_FUTEX_WAIT => super::futex::sys_futex_wait(arg1, arg2 as u32, arg3),
        SYS_FUTEX_WAKE => super::futex::sys_futex_wake(arg1, arg2 as u32),
        SYS_FUTEX_REQUEUE => super::futex::sys_futex_requeue(arg1, arg2 as u32, arg3 as u32, arg4),
        SYS_FUTEX_CMP_REQUEUE => super::futex::sys_futex_cmp_requeue(
            arg1,
            arg2 as u32,
            arg3 as u32,
            arg4,
            frame.r8 as u32,
        ),
        SYS_FUTEX_WAKE_OP => {
            super::futex::sys_futex_wake_op(arg1, arg2 as u32, arg3 as u32, arg4, frame.r8 as u32)
        }
        SYS_KILL => super::signal::sys_kill(arg1 as i64, arg2 as u32),
        SYS_SIGPROCMASK => sys_sigprocmask(arg1 as i32, arg2, arg3),
        SYS_SIGACTION => super::signal::sys_sigaction(arg1, arg2, arg3),
        SYS_SIGALTSTACK => super::signal::sys_sigaltstack(arg1, arg2),
        SYS_SIGPENDING => super::signal::sys_sigpending(arg1),
        SYS_SIGSUSPEND => super::signal::sys_sigsuspend(arg1),
        SYS_SIGTIMEDWAIT => super::signal::sys_sigtimedwait(arg1, arg2, arg3),
        SYS_SIGQUEUE => super::signal::sys_sigqueue(arg1 as i64, arg2 as u32, arg3),
        SYS_KILLPG => super::signal::sys_killpg(arg1, arg2 as u32),
        SYS_GETITIMER => super::signal::sys_getitimer(arg1 as u32, arg2),
        SYS_SETITIMER => super::signal::sys_setitimer(arg1 as u32, arg2, arg3),

        // IPC syscalls (600-699) ========================================
        SYS_IPC_CREATE_PORT => sys_ipc_create_port(arg1),
        SYS_IPC_SEND => sys_ipc_send(arg1, arg2),
        SYS_IPC_RECV => sys_ipc_recv(arg1, arg2),
        SYS_IPC_TRY_RECV => sys_ipc_try_recv(arg1, arg2),
        SYS_IPC_CONNECT => sys_ipc_connect(arg1, arg2),
        SYS_IPC_CALL => sys_ipc_call(arg1, arg2),
        SYS_IPC_REPLY => sys_ipc_reply(arg1),
        SYS_IPC_BIND_PORT => sys_ipc_bind_port(arg1, arg2, arg3),
        SYS_IPC_UNBIND_PORT => sys_ipc_unbind_port(arg1, arg2),
        SYS_IPC_RING_CREATE => sys_ipc_ring_create(arg1),
        SYS_IPC_RING_MAP => sys_ipc_ring_map(arg1, arg2),
        SYS_SEM_CREATE => sys_sem_create(arg1),
        SYS_SEM_WAIT => sys_sem_wait(arg1),
        SYS_SEM_TRYWAIT => sys_sem_trywait(arg1),
        SYS_SEM_POST => sys_sem_post(arg1),
        SYS_SEM_CLOSE => sys_sem_close(arg1),
        SYS_PCI_ENUM => sys_pci_enum(arg1, arg2, arg3),
        SYS_PCI_CFG_READ => sys_pci_cfg_read(arg1, arg2, arg3),
        SYS_PCI_CFG_WRITE => sys_pci_cfg_write(arg1, arg2, arg3, arg4),

        // Typed MPMC sync-channel (IPC-02) ========================================
        SYS_CHAN_CREATE => sys_chan_create(arg1),
        SYS_CHAN_SEND => sys_chan_send(arg1, arg2),
        SYS_CHAN_RECV => sys_chan_recv(arg1, arg2),
        SYS_CHAN_TRY_RECV => sys_chan_try_recv(arg1, arg2),
        SYS_CHAN_CLOSE => sys_chan_close(arg1),
        SYS_MODULE_LOAD => silo::sys_module_load(arg1, arg2),
        SYS_MODULE_UNLOAD => silo::sys_module_unload(arg1),
        SYS_MODULE_GET_SYMBOL => silo::sys_module_get_symbol(arg1, arg2),
        SYS_MODULE_QUERY => silo::sys_module_query(arg1, arg2),
        SYS_OPEN => sys_open(arg1, arg2, arg3),
        SYS_WRITE => sys_write(arg1, arg2, arg3),
        SYS_READ => sys_read(arg1, arg2, arg3),
        SYS_CLOSE => sys_close(arg1),
        SYS_LSEEK => sys_lseek(arg1, arg2, arg3),
        SYS_FSTAT => sys_fstat(arg1, arg2),
        SYS_STAT => sys_stat(arg1, arg2, arg3),
        SYS_GETDENTS => sys_getdents(arg1, arg2, arg3),
        SYS_PIPE => sys_pipe(arg1),
        SYS_DUP => sys_dup(arg1),
        SYS_DUP2 => sys_dup2(arg1, arg2),

        // VFS syscalls (440-455)  ========================================
        SYS_CHDIR => crate::vfs::sys_chdir(arg1, arg2),
        SYS_FCHDIR => crate::vfs::sys_fchdir(arg1 as u32),
        SYS_GETCWD => crate::vfs::sys_getcwd(arg1, arg2),
        SYS_IOCTL => crate::vfs::sys_ioctl(arg1 as u32, arg2, arg3),
        SYS_UMASK => crate::vfs::sys_umask(arg1),
        SYS_UNLINK => crate::vfs::sys_unlink(arg1, arg2),
        SYS_RMDIR => crate::vfs::sys_rmdir(arg1, arg2),
        SYS_MKDIR => crate::vfs::sys_mkdir(arg1, arg2, arg3),
        SYS_RENAME => crate::vfs::sys_rename(arg1, arg2, arg3, arg4),
        SYS_LINK => crate::vfs::sys_link(arg1, arg2, arg3, arg4),
        SYS_SYMLINK => crate::vfs::sys_symlink(arg1, arg2, arg3, arg4),
        SYS_READLINK => crate::vfs::sys_readlink(arg1, arg2, arg3, arg4),
        SYS_CHMOD => crate::vfs::sys_chmod(arg1, arg2, arg3),
        SYS_FCHMOD => crate::vfs::sys_fchmod(arg1 as u32, arg2),
        SYS_TRUNCATE => crate::vfs::sys_truncate(arg1, arg2, arg3),
        SYS_FTRUNCATE => crate::vfs::sys_ftruncate(arg1 as u32, arg2),
        SYS_PREAD => crate::vfs::sys_pread(arg1 as u32, arg2, arg3, arg4),
        SYS_PWRITE => crate::vfs::sys_pwrite(arg1 as u32, arg2, arg3, arg4),
        SYS_POLL => super::poll::sys_poll(arg1, arg2, arg3),
        SYS_PPOLL => super::poll::sys_poll(arg1, arg2, 0),

        // *at() syscalls : FD-relative path resolution ======================
        SYS_OPENAT => crate::vfs::sys_openat(arg1, arg2, arg3, arg4),
        SYS_FSTATAT => crate::vfs::sys_fstatat(arg1, arg2, arg3, arg4),

        // Network syscalls (500-599) ========================================
        SYS_NET_RECV => sys_net_recv(arg1, arg2),
        SYS_NET_SEND => sys_net_send(arg1, arg2),
        SYS_NET_INFO => sys_net_info(arg1, arg2),

        // Storage syscalls (600-699) ========================================
        SYS_VOLUME_READ => sys_volume_read(arg1, arg2, arg3, arg4),
        SYS_VOLUME_WRITE => sys_volume_write(arg1, arg2, arg3, arg4),
        SYS_VOLUME_INFO => sys_volume_info(arg1),
        SYS_CLOCK_GETTIME => super::time::sys_clock_gettime(arg1 as u32, arg2),
        SYS_NANOSLEEP => super::time::sys_nanosleep(arg1, arg2),
        SYS_DEBUG_LOG => sys_debug_log(arg1, arg2),

        // Silo management (700-799) ========================================
        SYS_SILO_CREATE => silo::sys_silo_create(arg1),
        SYS_SILO_CONFIG => silo::sys_silo_config(arg1, arg2),
        SYS_SILO_ATTACH_MODULE => silo::sys_silo_attach_module(arg1, arg2),
        SYS_SILO_START => silo::sys_silo_start(arg1),
        SYS_SILO_STOP => silo::sys_silo_stop(arg1),
        SYS_SILO_KILL => silo::sys_silo_kill(arg1),
        SYS_SILO_EVENT_NEXT => silo::sys_silo_event_next(arg1),
        SYS_SILO_SUSPEND => silo::sys_silo_suspend(arg1),
        SYS_SILO_RESUME => silo::sys_silo_resume(arg1),
        SYS_SILO_PLEDGE => silo::sys_silo_pledge(arg1),
        SYS_SILO_UNVEIL => silo::sys_silo_unveil(arg1, arg2, arg3),
        SYS_SILO_ENTER_SANDBOX => silo::sys_silo_enter_sandbox(),

        // Architecture-specific (900-999) =========================================
        SYS_ABI_VERSION => {
            Ok(((strat9_abi::ABI_VERSION_MAJOR as u64) << 16)
                | (strat9_abi::ABI_VERSION_MINOR as u64))
        }
        _ => {
            log::warn!("Unknown syscall: {} (0x{:x})", syscall_num, syscall_num);
            Err(SyscallError::NotImplemented)
        }
    };

    match result {
        Ok(val) => {
            if syscall_num == SYS_PROC_FORK {
                crate::serial_println!("[syscall] FORK returning Ok({})", val);
            }
            frame.rax = val;
        }
        Err(e) => {
            if syscall_num == SYS_PROC_FORK {
                crate::serial_println!("[syscall] FORK returning err");
            }
            frame.rax = e.to_raw();
        }
    }

    crate::process::signal::deliver_pending_signal(frame);

    frame.rax
}

/// Alias used by the `call {dispatch}` in syscall_entry.
/// Re-exports `__strat9_syscall_dispatch` under the symbol the assembly expects.
#[no_mangle]
pub extern "C" fn dispatch(frame: &mut SyscallFrame) -> u64 {
    __strat9_syscall_dispatch(frame)
}

// ============================================================
// Syscall handlers
// ============================================================

/// SYS_NULL (0): Ping/test syscall. Returns magic value 0x57A79 ("STRAT9").
fn sys_null() -> Result<u64, SyscallError> {
    Ok(0x57A79)
}

/// SYS_HANDLE_CLOSE (2): Close a handle. Stub : always succeeds.
fn sys_handle_close(_handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(_handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    if let Some(cap) = caps.remove(CapId::from_raw(_handle)) {
        release_capability(&cap, Some(task.id));
        log::trace!("syscall: HANDLE_CLOSE({})", _handle);
        Ok(0)
    } else {
        Err(SyscallError::BadHandle)
    }
}

fn insert_capability_with_retention(
    caps: &mut crate::capability::CapabilityTable,
    cap: crate::capability::Capability,
) -> Result<CapId, SyscallError> {
    let id = caps.insert(cap);
    if let Some(inserted) = caps.get(id) {
        if inserted.resource_type == ResourceType::MemoryRegion {
            if let Err(error) =
                crate::memory::memory_region_registry().retain_handle(inserted.resource as u64, id)
            {
                let _ = caps.remove(id);
                return Err(match error {
                    crate::memory::RegionCapError::NotFound => SyscallError::BadHandle,
                    crate::memory::RegionCapError::InvalidRegion
                    | crate::memory::RegionCapError::IncompleteRegion
                    | crate::memory::RegionCapError::InvalidAddress => {
                        SyscallError::InvalidArgument
                    }
                    crate::memory::RegionCapError::PermissionDenied => {
                        SyscallError::PermissionDenied
                    }
                    crate::memory::RegionCapError::OutOfMemory => SyscallError::OutOfMemory,
                    crate::memory::RegionCapError::InconsistentState => SyscallError::IoError,
                });
            }
        }
    }
    Ok(id)
}

/// SYS_HANDLE_DUPLICATE (1): duplicate a handle (grant required).
fn sys_handle_duplicate(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let dup = caps
        .duplicate(CapId::from_raw(handle))
        .ok_or(SyscallError::PermissionDenied)?;
    let id = insert_capability_with_retention(caps, dup)?;
    Ok(id.as_u64())
}

const HANDLE_EVENT_READABLE: u64 = 1 << 0;
const HANDLE_EVENT_WRITABLE: u64 = 1 << 1;

/// Performs the poll handle events operation.
fn poll_handle_events(handle: u64) -> Result<u64, SyscallError> {
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;

    match cap.resource_type {
        ResourceType::Semaphore => {
            if !cap.permissions.read {
                return Err(SyscallError::PermissionDenied);
            }
            let sem = semaphore::get_semaphore(SemId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            if sem.is_destroyed() {
                return Err(SyscallError::Pipe);
            }
            if sem.count() > 0 {
                Ok(HANDLE_EVENT_READABLE)
            } else {
                Ok(0)
            }
        }
        ResourceType::IpcPort => {
            let port = port::get_port(PortId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            if port.is_destroyed() {
                return Err(SyscallError::Pipe);
            }
            let mut events = 0u64;
            if cap.permissions.read && port.has_messages() {
                events |= HANDLE_EVENT_READABLE;
            }
            if cap.permissions.write && port.can_send() {
                events |= HANDLE_EVENT_WRITABLE;
            }
            if events == 0 && !cap.permissions.read && !cap.permissions.write {
                return Err(SyscallError::PermissionDenied);
            }
            Ok(events)
        }
        ResourceType::Channel => {
            let chan = channel::get_channel(ChanId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            if chan.is_destroyed() {
                return Err(SyscallError::Pipe);
            }
            let mut events = 0u64;
            if cap.permissions.read && !chan.is_empty() {
                events |= HANDLE_EVENT_READABLE;
            }
            if cap.permissions.write && chan.can_send() {
                events |= HANDLE_EVENT_WRITABLE;
            }
            if events == 0 && !cap.permissions.read && !cap.permissions.write {
                return Err(SyscallError::PermissionDenied);
            }
            Ok(events)
        }
        ResourceType::SharedRing => {
            let _ = shared_ring::get_ring(RingId::from_u64(cap.resource as u64))
                .ok_or(SyscallError::BadHandle)?;
            let mut events = 0u64;
            if cap.permissions.read {
                events |= HANDLE_EVENT_READABLE;
            }
            if cap.permissions.write {
                events |= HANDLE_EVENT_WRITABLE;
            }
            if events == 0 {
                return Err(SyscallError::PermissionDenied);
            }
            Ok(events)
        }
        _ => Err(SyscallError::NotSupported),
    }
}

/// Performs the sys handle wait operation.
fn sys_handle_wait(handle: u64, timeout_ns: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let check_ready = || -> Result<u64, SyscallError> {
        let events = poll_handle_events(handle)?;
        if events != 0 {
            Ok(events)
        } else {
            Err(SyscallError::Again)
        }
    };

    if timeout_ns == 0 {
        return check_ready();
    }

    let deadline = if timeout_ns == u64::MAX {
        None
    } else {
        Some(crate::syscall::time::current_time_ns().saturating_add(timeout_ns))
    };

    loop {
        if let Ok(events) = check_ready() {
            return Ok(events);
        }

        if crate::process::has_pending_signals() {
            return Err(SyscallError::Interrupted);
        }

        let now = crate::syscall::time::current_time_ns();
        let wake_ns = if let Some(deadline_ns) = deadline {
            if now >= deadline_ns {
                return Err(SyscallError::TimedOut);
            }
            core::cmp::min(deadline_ns, now.saturating_add(10_000_000))
        } else {
            now.saturating_add(10_000_000)
        };

        if let Some(task) = current_task_clone() {
            task.wake_deadline_ns.store(wake_ns, Ordering::Relaxed);
        }
        crate::process::block_current_task();
        if let Some(task) = current_task_clone() {
            task.wake_deadline_ns.store(0, Ordering::Relaxed);
        }
    }
}

/// Performs the sys handle grant operation.
fn sys_handle_grant(handle: u64, target_pid: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    crate::silo::enforce_silo_may_grant()?;
    let pid = u32::try_from(target_pid).map_err(|_| SyscallError::InvalidArgument)?;

    let source = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let granted = {
        let source_caps = unsafe { &*source.process.capabilities.get() };
        let cap = source_caps
            .get(CapId::from_raw(handle))
            .ok_or(SyscallError::BadHandle)?;
        if !cap.permissions.grant {
            return Err(SyscallError::PermissionDenied);
        }
        let mut dup = cap.clone();
        dup.id = CapId::new();
        dup
    };

    let target = crate::process::get_task_by_pid(pid).ok_or(SyscallError::NotFound)?;
    let target_caps = unsafe { &mut *target.process.capabilities.get() };
    let new_id = insert_capability_with_retention(target_caps, granted)?;
    Ok(new_id.as_u64())
}

/// Performs the sys handle revoke operation.
fn sys_handle_revoke(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };

    {
        let cap = caps
            .get(CapId::from_raw(handle))
            .ok_or(SyscallError::BadHandle)?;
        if !cap.permissions.revoke {
            return Err(SyscallError::PermissionDenied);
        }
    }

    let cap = caps
        .remove(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    release_capability(&cap, Some(task.id));
    Ok(0)
}

use strat9_abi::data::HandleInfo as HandleInfoAbi;

/// Performs the cap perm bits operation.
fn cap_perm_bits(p: CapPermissions) -> u32 {
    (if p.read { 1 } else { 0 })
        | (if p.write { 1 << 1 } else { 0 })
        | (if p.execute { 1 << 2 } else { 0 })
        | (if p.grant { 1 << 3 } else { 0 })
        | (if p.revoke { 1 << 4 } else { 0 })
}

/// Performs the resource type code operation.
fn resource_type_code(rt: ResourceType) -> u32 {
    match rt {
        ResourceType::MemoryRegion => 1,
        ResourceType::IoPortRange => 2,
        ResourceType::InterruptLine => 3,
        ResourceType::IpcPort => 4,
        ResourceType::Channel => 5,
        ResourceType::SharedRing => 6,
        ResourceType::Semaphore => 7,
        ResourceType::Device => 8,
        ResourceType::AddressSpace => 9,
        ResourceType::Silo => 10,
        ResourceType::Module => 11,
        ResourceType::File => 12,
        ResourceType::Nic => 13,
        ResourceType::FileSystem => 14,
        ResourceType::Console => 15,
        ResourceType::Keyboard => 16,
        ResourceType::Volume => 17,
        ResourceType::Namespace => 18,
    }
}

/// Performs the sys handle info operation.
fn sys_handle_info(handle: u64, out_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    if out_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;

    let info = HandleInfoAbi {
        resource_type: resource_type_code(cap.resource_type),
        permissions: cap_perm_bits(cap.permissions),
        resource: cap.resource as u64,
    };
    let user = UserSliceWrite::new(out_ptr, core::mem::size_of::<HandleInfoAbi>())?;
    let bytes = unsafe {
        core::slice::from_raw_parts(
            &info as *const HandleInfoAbi as *const u8,
            core::mem::size_of::<HandleInfoAbi>(),
        )
    };
    user.copy_from(bytes);
    Ok(0)
}

/// SYS_PROC_EXIT (300): Exit the current task.
///
/// Marks the task as Dead and yields. This function never returns to the caller.
fn sys_proc_exit(exit_code: u64) -> Result<u64, SyscallError> {
    log::info!("syscall: PROC_EXIT(code={})", exit_code);

    // Mark current task as Dead and yield. The scheduler won't re-queue dead tasks.
    // exit_current_task() diverges (-> !), so this function never returns.
    crate::process::scheduler::exit_current_task(exit_code as i32)
}

/// SYS_PROC_YIELD (301): Yield the current time slice.
fn sys_proc_yield() -> Result<u64, SyscallError> {
    crate::process::yield_task();
    Ok(0)
}

/// SYS_SIGPROCMASK (321): Examine and change blocked signals.
///
/// arg1 = how (0=BLOCK, 1=UNBLOCK, 2=SETMASK), arg2 = set_ptr (new mask), arg3 = oldset_ptr (old mask out)
fn sys_sigprocmask(how: i32, set_ptr: u64, oldset_ptr: u64) -> Result<u64, SyscallError> {
    use crate::process::current_task_clone;

    const SIG_BLOCK: i32 = 0;
    const SIG_UNBLOCK: i32 = 1;
    const SIG_SETMASK: i32 = 2;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;

    let blocked = &task.blocked_signals;

    if oldset_ptr != 0 {
        let old_mask = blocked.get_mask();
        let user = UserSliceWrite::new(oldset_ptr, 8)?;
        user.copy_from(&old_mask.to_ne_bytes());
    }

    if set_ptr != 0 {
        let user = UserSliceRead::new(set_ptr, 8)?;
        let mut buf = [0u8; 8];
        user.copy_to(&mut buf);
        let new_mask = u64::from_ne_bytes(buf);

        let old_mask = blocked.get_mask();
        let updated_mask = match how {
            SIG_BLOCK => old_mask | new_mask,
            SIG_UNBLOCK => old_mask & !new_mask,
            SIG_SETMASK => new_mask,
            _ => return Err(SyscallError::InvalidArgument),
        };

        blocked.set_mask(updated_mask);
    }

    Ok(0)
}

/// Performs the sys uname operation.
fn sys_uname(uts_ptr: u64) -> Result<u64, SyscallError> {
    const UTS_FIELD_LEN: usize = 65;
    const UTS_TOTAL_LEN: usize = UTS_FIELD_LEN * 6;

    if uts_ptr == 0 {
        return Err(SyscallError::Fault);
    }

    /// Writes field.
    fn write_field(dst: &mut [u8], src: &[u8]) {
        let n = core::cmp::min(src.len(), dst.len().saturating_sub(1));
        if n > 0 {
            dst[..n].copy_from_slice(&src[..n]);
        }
        dst[n] = 0;
    }

    let mut uts = [0u8; UTS_TOTAL_LEN];
    write_field(&mut uts[0 * UTS_FIELD_LEN..1 * UTS_FIELD_LEN], b"Strat9");
    write_field(&mut uts[1 * UTS_FIELD_LEN..2 * UTS_FIELD_LEN], b"localhost");
    write_field(&mut uts[2 * UTS_FIELD_LEN..3 * UTS_FIELD_LEN], b"0.1.0");
    write_field(&mut uts[3 * UTS_FIELD_LEN..4 * UTS_FIELD_LEN], b"Strat9-OS");
    write_field(&mut uts[4 * UTS_FIELD_LEN..5 * UTS_FIELD_LEN], b"x86_64");
    write_field(
        &mut uts[5 * UTS_FIELD_LEN..6 * UTS_FIELD_LEN],
        b"localdomain",
    );

    let user = UserSliceWrite::new(uts_ptr, UTS_TOTAL_LEN)?;
    user.copy_from(&uts);
    Ok(0)
}

/// SYS_WRITE (404): Write bytes to a file descriptor.
fn sys_write(fd: u64, buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_write(fd as u32, buf_ptr, buf_len)
}

/// SYS_OPEN (403): Open a path from the minimal in-kernel namespace.
fn sys_open(path_ptr: u64, path_len: u64, flags: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_open(path_ptr, path_len, flags)
}

/// SYS_READ (405): Read bytes from a handle.
fn sys_read(fd: u64, buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_read(fd as u32, buf_ptr, buf_len)
}

/// SYS_CLOSE (406): Close a handle (fd).
fn sys_close(fd: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_close(fd as u32)
}

/// SYS_LSEEK (407): Seek in a file.
fn sys_lseek(fd: u64, offset: u64, whence: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_lseek(fd as u32, offset as i64, whence as u32)
}

/// SYS_FSTAT (408): Get metadata of an open file.
fn sys_fstat(fd: u64, stat_ptr: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_fstat(fd as u32, stat_ptr)
}

/// SYS_STAT (409): Get metadata by path.
fn sys_stat(path_ptr: u64, path_len: u64, stat_ptr: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_stat(path_ptr, path_len, stat_ptr)
}

/// SYS_GETDENTS (430): Read directory entries.
fn sys_getdents(fd: u64, buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_getdents(fd as u32, buf_ptr, buf_len)
}

/// SYS_PIPE (431): Create a pipe pair.
fn sys_pipe(fds_ptr: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_pipe(fds_ptr)
}

/// SYS_DUP (432): Duplicate a file descriptor.
fn sys_dup(old_fd: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_dup(old_fd as u32)
}

/// SYS_DUP2 (433): Duplicate fd to a specific number.
fn sys_dup2(old_fd: u64, new_fd: u64) -> Result<u64, SyscallError> {
    crate::vfs::sys_dup2(old_fd as u32, new_fd as u32)
}

// ============================================================
// Volume / Block device syscalls
// ============================================================

const MAX_SECTORS_PER_CALL: u64 = 256;

enum VolumeDeviceRef {
    Virtio(&'static virtio_block::VirtioBlockDevice),
    Ahci(&'static ahci::AhciController),
}

impl VolumeDeviceRef {
    /// Performs the sector count operation.
    fn sector_count(&self) -> u64 {
        match self {
            VolumeDeviceRef::Virtio(dev) => BlockDevice::sector_count(*dev),
            VolumeDeviceRef::Ahci(dev) => BlockDevice::sector_count(*dev),
        }
    }

    /// Reads sector.
    fn read_sector(&self, sector: u64, buf: &mut [u8]) -> Result<(), SyscallError> {
        match self {
            VolumeDeviceRef::Virtio(dev) => {
                BlockDevice::read_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
            VolumeDeviceRef::Ahci(dev) => {
                BlockDevice::read_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
        }
    }

    /// Writes sector.
    fn write_sector(&self, sector: u64, buf: &[u8]) -> Result<(), SyscallError> {
        match self {
            VolumeDeviceRef::Virtio(dev) => {
                BlockDevice::write_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
            VolumeDeviceRef::Ahci(dev) => {
                BlockDevice::write_sector(*dev, sector, buf).map_err(SyscallError::from)
            }
        }
    }
}

/// Performs the resolve volume device operation.
fn resolve_volume_device(
    handle: u64,
    required: CapPermissions,
) -> Result<VolumeDeviceRef, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get_with_permissions(CapId::from_raw(handle), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::Volume {
        return Err(SyscallError::BadHandle);
    }

    if let Some(device) = virtio_block::get_device() {
        let device_ptr = device as *const virtio_block::VirtioBlockDevice as usize;
        if cap.resource == device_ptr {
            return Ok(VolumeDeviceRef::Virtio(device));
        }
    }
    if let Some(device) = ahci::get_device() {
        let device_ptr = device as *const ahci::AhciController as usize;
        if cap.resource == device_ptr {
            return Ok(VolumeDeviceRef::Ahci(device));
        }
    }
    Err(SyscallError::BadHandle)
}

/// Performs the sys volume read operation.
fn sys_volume_read(
    handle: u64,
    sector: u64,
    buf_ptr: u64,
    sector_count: u64,
) -> Result<u64, SyscallError> {
    if sector_count == 0 {
        return Ok(0);
    }
    if sector_count > MAX_SECTORS_PER_CALL {
        return Err(SyscallError::InvalidArgument);
    }

    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let device = resolve_volume_device(handle, required)?;
    let total_sectors = device.sector_count();
    if sector >= total_sectors || sector.saturating_add(sector_count) > total_sectors {
        return Err(SyscallError::InvalidArgument);
    }

    let probe_trace = sector == 0 && sector_count == 1;
    if probe_trace {
        crate::serial_println!(
            "[volume-read] start handle={} sector={} total_sectors={} buf_ptr={:#x}",
            handle,
            sector,
            total_sectors,
            buf_ptr
        );
    }

    let mut kbuf = [0u8; SECTOR_SIZE];
    for i in 0..sector_count {
        let cur_sector = sector.checked_add(i).ok_or(SyscallError::InvalidArgument)?;
        if probe_trace {
            crate::serial_println!(
                "[volume-read] before read_sector handle={} sector={}",
                handle,
                cur_sector
            );
        }
        match device.read_sector(cur_sector, &mut kbuf) {
            Ok(()) => {
                if probe_trace {
                    crate::serial_println!(
                        "[volume-read] after read_sector handle={} sector={} magic={:02x}{:02x}{:02x}{:02x}",
                        handle,
                        cur_sector,
                        kbuf[0],
                        kbuf[1],
                        kbuf[2],
                        kbuf[3]
                    );
                }
            }
            Err(err) => {
                if probe_trace {
                    crate::serial_println!(
                        "[volume-read] read_sector failed handle={} sector={} err={:?}",
                        handle,
                        cur_sector,
                        err
                    );
                }
                return Err(err);
            }
        }
        let offset = (i as usize)
            .checked_mul(SECTOR_SIZE)
            .ok_or(SyscallError::InvalidArgument)?;
        let ptr = buf_ptr
            .checked_add(offset as u64)
            .ok_or(SyscallError::Fault)?;
        let user = match UserSliceWrite::new(ptr, SECTOR_SIZE) {
            Ok(user) => user,
            Err(err) => {
                if probe_trace {
                    crate::serial_println!(
                        "[volume-read] user slice failed handle={} sector={} ptr={:#x} err={:?}",
                        handle,
                        cur_sector,
                        ptr,
                        err
                    );
                }
                return Err(SyscallError::from(err));
            }
        };
        user.copy_from(&kbuf);
        if probe_trace {
            crate::serial_println!(
                "[volume-read] copied to user handle={} sector={} ptr={:#x}",
                handle,
                cur_sector,
                ptr
            );
        }
    }

    Ok(sector_count)
}

/// Performs the sys volume write operation.
fn sys_volume_write(
    handle: u64,
    sector: u64,
    buf_ptr: u64,
    sector_count: u64,
) -> Result<u64, SyscallError> {
    if sector_count == 0 {
        return Ok(0);
    }
    if sector_count > MAX_SECTORS_PER_CALL {
        return Err(SyscallError::InvalidArgument);
    }

    let required = CapPermissions {
        read: false,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let device = resolve_volume_device(handle, required)?;
    let total_sectors = device.sector_count();
    if sector >= total_sectors || sector.saturating_add(sector_count) > total_sectors {
        return Err(SyscallError::InvalidArgument);
    }

    let mut kbuf = [0u8; SECTOR_SIZE];
    for i in 0..sector_count {
        let cur_sector = sector.checked_add(i).ok_or(SyscallError::InvalidArgument)?;
        let offset = (i as usize)
            .checked_mul(SECTOR_SIZE)
            .ok_or(SyscallError::InvalidArgument)?;
        let ptr = buf_ptr
            .checked_add(offset as u64)
            .ok_or(SyscallError::Fault)?;
        let user = UserSliceRead::new(ptr, SECTOR_SIZE)?;
        let data = user.read_to_vec();
        if data.len() != SECTOR_SIZE {
            return Err(SyscallError::InvalidArgument);
        }
        kbuf.copy_from_slice(&data);
        device.write_sector(cur_sector, &kbuf)?;
    }

    Ok(sector_count)
}

/// Performs the sys volume info operation.
fn sys_volume_info(handle: u64) -> Result<u64, SyscallError> {
    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let device = resolve_volume_device(handle, required)?;
    Ok(device.sector_count())
}

/// SYS_DEBUG_LOG (600): Write a debug message to serial output.
///
/// arg1 = buffer pointer, arg2 = buffer length.
fn sys_debug_log(buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    if buf_len == 0 {
        return Ok(0);
    }

    // Restrict debug logging to admin or console-capable tasks.
    crate::silo::enforce_console_access()?;

    let len = core::cmp::min(buf_len as usize, 4096);

    // Validate the user buffer via UserSlice
    let user_buf = UserSliceRead::new(buf_ptr, len)?;

    // Copy into kernel buffer
    let mut kbuf = [0u8; 4096];
    let copied = user_buf.copy_to(&mut kbuf);

    let msg = core::str::from_utf8(&kbuf[..copied]).unwrap_or("<invalid utf8>");

    // Write to E9 (lock-free) to prevent deadlocks
    crate::e9_println!("[user-debug] {}", msg);

    // Mirror critical boot/network userspace logs to the serial console so
    // early silo failures are visible without attaching to per-silo output.
    if msg.starts_with("[init]")
        || msg.starts_with("[strate-net]")
        || msg.starts_with("[dhcp-client]")
    {
        crate::serial_print!("{}", msg);
    }

    if let Some(task) = crate::process::current_task_clone() {
        if let Some(silo_id) = crate::silo::task_silo_id(task.id) {
            crate::silo::silo_output_write(silo_id, &kbuf[..copied]);
        }
    }

    Ok(copied as u64)
}

// ============================================================
// Network syscalls
// ============================================================

/// Performs the sys net recv operation.
pub fn sys_net_recv(buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    let device = crate::hardware::nic::get_default_device().ok_or(SyscallError::Again)?;
    let mut kbuf = vec![0u8; buf_len as usize];

    let n = match device.receive(&mut kbuf) {
        Ok(n) => n,
        Err(e) => {
            let se = SyscallError::from(e);
            if se != SyscallError::Again
                && NET_RECV_ERR_LOG_BUDGET.fetch_sub(1, Ordering::Relaxed) > 0
            {
                crate::serial_println!("[net-sys] recv error: {:?} -> {}", e, se.name());
            }
            return Err(se);
        }
    };
    trace_dhcp_frame("rx", &kbuf[..n]);

    let user = UserSliceWrite::new(buf_ptr, n)?;
    user.copy_from(&kbuf[..n]);
    Ok(n as u64)
}

/// Performs the sys net send operation.
pub fn sys_net_send(buf_ptr: u64, buf_len: u64) -> Result<u64, SyscallError> {
    let device = crate::hardware::nic::get_default_device().ok_or(SyscallError::Again)?;
    let user = UserSliceRead::new(buf_ptr, buf_len as usize)?;
    let kbuf = user.read_to_vec();
    trace_dhcp_frame("tx", &kbuf);

    if let Err(e) = device.transmit(&kbuf) {
        let se = SyscallError::from(e);
        if NET_SEND_ERR_LOG_BUDGET.fetch_sub(1, Ordering::Relaxed) > 0 {
            crate::serial_println!("[net-sys] send error: {:?} -> {}", e, se.name());
        }
        return Err(se);
    }

    Ok(buf_len)
}

/// Performs the sys net info operation.
pub fn sys_net_info(info_type: u64, buf_ptr: u64) -> Result<u64, SyscallError> {
    let device = crate::hardware::nic::get_default_device().ok_or(SyscallError::Again)?;

    match info_type {
        0 => {
            let mac = device.mac_address();
            let user = UserSliceWrite::new(buf_ptr, 6)?;
            user.copy_from(&mac);
            Ok(6)
        }
        _ => Err(SyscallError::InvalidArgument),
    }
}

// ============================================================
// IPC syscalls (with capability enforcement)
// ============================================================

/// Performs the sys ipc create port operation.
fn sys_ipc_create_port(_flags: u64) -> Result<u64, SyscallError> {
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let port_id = port::create_port(task.id);
    let cap = get_capability_manager().create_capability(
        ResourceType::IpcPort,
        port_id.as_u64() as usize,
        CapPermissions::all(),
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the sys ipc send operation.
fn sys_ipc_send(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: false,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let user = UserSliceRead::new(_msg_ptr, MSG_SIZE)?;
    let mut buf = [0u8; MSG_SIZE];
    user.copy_to(&mut buf);
    let mut msg = crate::ipc::message::ipc_message_from_raw(&buf);

    // Stamp identity
    msg.sender = task.id.as_u64();

    if msg.flags == 0 {
        if let Some((sid, _label, _mem_used, _mem_min, _mem_max)) =
            crate::silo::silo_info_for_task(task.id)
        {
            if let Some(snapshot) = crate::silo::list_silos_snapshot()
                .into_iter()
                .find(|s| s.id == sid)
            {
                let structured_label = crate::ipc::message::IpcLabel {
                    tier: snapshot.tier as u8,
                    family: 5,
                    compartment: sid as u16,
                };
                msg.flags = unsafe { core::mem::transmute(structured_label) };
            }
        }
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    port.send(msg).map_err(SyscallError::from)?;
    Ok(0)
}

/// Performs the sys ipc recv operation.
fn sys_ipc_recv(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    let mut msg = port.recv().map_err(SyscallError::from)?;

    // Handle transfer (optional): msg.flags contains a handle in the sender table.
    if msg.flags != 0 {
        let sender_id = crate::process::TaskId::from_u64(msg.sender);
        let sender = crate::process::get_task_by_id(sender_id).ok_or(SyscallError::BadHandle)?;
        let sender_caps = unsafe { &mut *sender.process.capabilities.get() };
        let dup = sender_caps
            .duplicate(CapId::from_raw(msg.flags as u64))
            .ok_or(SyscallError::PermissionDenied)?;

        let receiver = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
        let receiver_caps = unsafe { &mut *receiver.process.capabilities.get() };
        let new_id = insert_capability_with_retention(receiver_caps, dup)?;
        if new_id.as_u64() > u32::MAX as u64 {
            return Err(SyscallError::InvalidArgument);
        }
        msg.flags = new_id.as_u64() as u32;
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let mut buf = [0u8; MSG_SIZE];
    crate::ipc::message::ipc_message_to_raw(&msg, &mut buf);
    let user = UserSliceWrite::new(_msg_ptr, MSG_SIZE)?;
    user.copy_from(&buf);
    Ok(0)
}

/// Performs the sys ipc try recv operation.
fn sys_ipc_try_recv(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: true,
        write: false,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    let msg_opt = port.try_recv().map_err(SyscallError::from)?;

    let mut msg = match msg_opt {
        Some(m) => m,
        None => return Err(SyscallError::Again),
    };

    // Handle transfer (optional): msg.flags contains a handle in the sender table.
    if msg.flags != 0 {
        let sender_id = crate::process::TaskId::from_u64(msg.sender);
        let sender = crate::process::get_task_by_id(sender_id).ok_or(SyscallError::BadHandle)?;
        let sender_caps = unsafe { &mut *sender.process.capabilities.get() };
        let dup = sender_caps
            .duplicate(CapId::from_raw(msg.flags as u64))
            .ok_or(SyscallError::PermissionDenied)?;

        let receiver = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
        let receiver_caps = unsafe { &mut *receiver.process.capabilities.get() };
        let new_id = insert_capability_with_retention(receiver_caps, dup)?;
        if new_id.as_u64() > u32::MAX as u64 {
            return Err(SyscallError::InvalidArgument);
        }
        msg.flags = new_id.as_u64() as u32;
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let mut buf = [0u8; MSG_SIZE];
    crate::ipc::message::ipc_message_to_raw(&msg, &mut buf);
    let user = UserSliceWrite::new(_msg_ptr, MSG_SIZE)?;
    user.copy_from(&buf);
    Ok(0)
}

/// Performs the sys ipc connect operation.
fn sys_ipc_connect(path_ptr: u64, path_len: u64) -> Result<u64, SyscallError> {
    if path_ptr == 0 || path_len == 0 {
        return Err(SyscallError::Fault);
    }
    const MAX_PATH_LEN: usize = 4096;
    if path_len as usize > MAX_PATH_LEN {
        return Err(SyscallError::InvalidArgument);
    }
    let user = UserSliceRead::new(path_ptr, path_len as usize)?;
    let bytes = user.read_to_vec();
    let path = core::str::from_utf8(&bytes).map_err(SyscallError::from)?;

    let (port_raw, _remaining) = crate::namespace::resolve(path).ok_or(SyscallError::NotFound)?;
    let port_id = PortId::from_u64(port_raw);
    if port::get_port(port_id).is_none() {
        return Err(SyscallError::BadHandle);
    }

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let cap = get_capability_manager().create_capability(
        ResourceType::IpcPort,
        port_raw as usize,
        CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: false,
            revoke: false,
        },
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the sys ipc call operation.
fn sys_ipc_call(port: u64, _msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(port)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: false,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(port), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let user = UserSliceRead::new(_msg_ptr, MSG_SIZE)?;
    let mut buf = [0u8; MSG_SIZE];
    user.copy_to(&mut buf);
    let mut msg = crate::ipc::message::ipc_message_from_raw(&buf);
    msg.sender = task.id.as_u64();
    if msg.flags != 0 {
        let transfer_required = CapPermissions {
            read: false,
            write: false,
            execute: false,
            grant: true,
            revoke: false,
        };
        if caps
            .get_with_permissions(CapId::from_raw(msg.flags as u64), transfer_required)
            .is_none()
        {
            return Err(SyscallError::PermissionDenied);
        }
    }

    let port_id = PortId::from_u64(cap.resource as u64);
    let port = port::get_port(port_id).ok_or(SyscallError::BadHandle)?;
    let port_owner = port.owner;
    port.send(msg).map_err(SyscallError::from)?;

    let reply_msg = reply::wait_for_reply(task.id, port_owner);
    let mut out_buf = [0u8; MSG_SIZE];
    crate::ipc::message::ipc_message_to_raw(&reply_msg, &mut out_buf);
    let user = UserSliceWrite::new(_msg_ptr, MSG_SIZE)?;
    user.copy_from(&out_buf);
    Ok(0)
}

/// Performs the sys ipc reply operation.
fn sys_ipc_reply(_msg_ptr: u64) -> Result<u64, SyscallError> {
    if _msg_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    const MSG_SIZE: usize = core::mem::size_of::<IpcMessage>();
    let user = UserSliceRead::new(_msg_ptr, MSG_SIZE)?;
    let mut buf = [0u8; MSG_SIZE];
    user.copy_to(&mut buf);
    let msg = crate::ipc::message::ipc_message_from_raw(&buf);

    let target = crate::process::TaskId::from_u64(msg.sender);
    let mut msg = msg;
    if msg.flags != 0 {
        let sender = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
        let sender_caps = unsafe { &mut *sender.process.capabilities.get() };
        let dup = sender_caps
            .duplicate(CapId::from_raw(msg.flags as u64))
            .ok_or(SyscallError::PermissionDenied)?;

        let receiver = crate::process::get_task_by_id(target).ok_or(SyscallError::BadHandle)?;
        let receiver_caps = unsafe { &mut *receiver.process.capabilities.get() };
        let new_id = insert_capability_with_retention(receiver_caps, dup)?;
        if new_id.as_u64() > u32::MAX as u64 {
            return Err(SyscallError::InvalidArgument);
        }
        msg.flags = new_id.as_u64() as u32;
    }

    reply::deliver_reply(target, msg).map_err(|_| SyscallError::BadHandle)?;
    Ok(0)
}

/// Performs the sys ipc bind port operation.
fn sys_ipc_bind_port(port: u64, _path_ptr: u64, _path_len: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_registry_bind_for_current_task()?;
    crate::silo::enforce_cap_for_current_task(port)?;
    if _path_ptr == 0 || _path_len == 0 {
        return Err(SyscallError::Fault);
    }
    const MAX_PATH_LEN: usize = 4096;
    if _path_len as usize > MAX_PATH_LEN {
        return Err(SyscallError::InvalidArgument);
    }
    let user = UserSliceRead::new(_path_ptr, _path_len as usize)?;
    let bytes = user.read_to_vec();
    let path = core::str::from_utf8(&bytes).map_err(SyscallError::from)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get_with_permissions(
            CapId::from_raw(port),
            CapPermissions {
                read: true,
                write: true,
                execute: false,
                grant: true,
                revoke: false,
            },
        )
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::IpcPort {
        return Err(SyscallError::BadHandle);
    }

    crate::vfs::mount(
        path,
        Arc::new(crate::vfs::IpcScheme::new(PortId::from_u64(
            cap.resource as u64,
        ))),
    )?;
    let _ = crate::namespace::bind(path, cap.resource as u64);
    let _ = crate::silo::set_current_silo_label_from_path(path);

    // Bootstrap convenience: if a privileged userspace server binds root `/`
    // or a strate mountpoint, queue a bootstrap message.
    //
    // Volume capability seeding is optional (depends on a block device), but
    // bootstrap delivery must still happen so strate servers can bind their
    // label alias (`/srv/strate-fs-*/<label>`).
    let should_bootstrap = path == "/" || path.starts_with("/srv/strate-fs-");
    if should_bootstrap {
        let mut seeded_handle: u32 = 0;
        if let Some(device) = crate::hardware::storage::virtio_block::get_device() {
            let volume_resource = device as *const _ as usize;
            let volume_perms = CapPermissions {
                read: true,
                write: true,
                execute: false,
                grant: true,
                revoke: true,
            };
            let volume_cap = crate::capability::get_capability_manager().create_capability(
                ResourceType::Volume,
                volume_resource,
                volume_perms,
            );
            let task_caps = unsafe { &mut *task.process.capabilities.get() };
            let id = task_caps.insert(volume_cap);
            let _ = crate::silo::register_current_task_granted_resource(
                ResourceType::Volume,
                volume_resource,
                volume_perms,
            );
            if id.as_u64() <= u32::MAX as u64 {
                seeded_handle = id.as_u64() as u32;
            }
            log::info!(
                "ipc_bind_port('/'): seeded volume capability handle={} for task {:?}",
                id.as_u64(),
                task.id
            );
        }

        // Send a bootstrap message to the just-bound filesystem server.
        // Message format:
        // - msg_type = 0x10
        // - flags = optional volume capability handle (0 if none)
        // - payload[0] = label length (u8)
        // - payload[1..] = UTF-8 label bytes (truncated to fit)
        const BOOTSTRAP_MSG_TYPE: u32 = 0x10;
        let mut boot_msg = IpcMessage::new(BOOTSTRAP_MSG_TYPE);
        // Use the bound task as sender so capability transfer path can
        // duplicate `flags` from a valid capability table when present.
        boot_msg.sender = task.id.as_u64();
        boot_msg.flags = seeded_handle;
        let label_owned = crate::silo::current_task_silo_label().unwrap_or_else(|| {
            if path == "/" {
                alloc::string::String::from("root")
            } else {
                alloc::string::String::from(
                    path.rsplit('/')
                        .find(|part| !part.is_empty())
                        .unwrap_or("default"),
                )
            }
        });
        let label_bytes = label_owned.as_bytes();
        let max_len = boot_msg.payload.len().saturating_sub(1);
        let copy_len = core::cmp::min(label_bytes.len(), max_len);
        boot_msg.payload[0] = copy_len as u8;
        if copy_len > 0 {
            boot_msg.payload[1..1 + copy_len].copy_from_slice(&label_bytes[..copy_len]);
        }

        let port_id = PortId::from_u64(cap.resource as u64);
        if let Some(p) = port::get_port(port_id) {
            if p.send(boot_msg).is_ok() {
                log::info!(
                    "ipc_bind_port('{}'): queued bootstrap message (handle={}, label={})",
                    path,
                    seeded_handle,
                    label_owned
                );
            } else {
                log::warn!(
                    "ipc_bind_port('{}'): failed to queue bootstrap message",
                    path
                );
            }
        } else {
            log::warn!(
                "ipc_bind_port('{}'): bound port disappeared before bootstrap",
                path
            );
        }
    }
    Ok(0)
}

/// Performs the sys ipc unbind port operation.
fn sys_ipc_unbind_port(path_ptr: u64, path_len: u64) -> Result<u64, SyscallError> {
    crate::silo::require_silo_admin()?;
    if path_ptr == 0 || path_len == 0 {
        return Err(SyscallError::Fault);
    }
    const MAX_PATH_LEN: usize = 4096;
    if path_len as usize > MAX_PATH_LEN {
        return Err(SyscallError::InvalidArgument);
    }
    let user = UserSliceRead::new(path_ptr, path_len as usize)?;
    let bytes = user.read_to_vec();
    let path = core::str::from_utf8(&bytes).map_err(SyscallError::from)?;
    let _ = crate::namespace::unbind(path);
    crate::vfs::unmount(path)?;
    Ok(0)
}

/// Performs the sys ipc ring create operation.
fn sys_ipc_ring_create(_size: u64) -> Result<u64, SyscallError> {
    let size = usize::try_from(_size).map_err(|_| SyscallError::InvalidArgument)?;
    let ring_id = shared_ring::create_ring(size).map_err(|e| match e {
        shared_ring::RingError::InvalidSize => SyscallError::InvalidArgument,
        shared_ring::RingError::Alloc => SyscallError::OutOfMemory,
        shared_ring::RingError::NotFound => SyscallError::NotFound,
    })?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let cap = get_capability_manager().create_capability(
        ResourceType::SharedRing,
        ring_id.as_u64() as usize,
        CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: true,
            revoke: true,
        },
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the sys ipc ring map operation.
fn sys_ipc_ring_map(ring: u64, _out_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(ring)?;
    if _out_ptr == 0 {
        return Err(SyscallError::Fault);
    }

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let required = CapPermissions {
        read: true,
        write: true,
        execute: false,
        grant: false,
        revoke: false,
    };
    let cap = caps
        .get_with_permissions(CapId::from_raw(ring), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::SharedRing {
        return Err(SyscallError::BadHandle);
    }

    let ring_id = RingId::from_u64(cap.resource as u64);
    let ring_obj = shared_ring::get_ring(ring_id).ok_or(SyscallError::BadHandle)?;
    let frame_phys_addrs = ring_obj.frame_phys_addrs();
    let mapping_cap_ids = ring_obj.mapping_cap_ids().to_vec();
    let page_count = ring_obj.page_count();
    let map_size = page_count
        .checked_mul(4096)
        .ok_or(SyscallError::InvalidArgument)? as u64;

    let addr_space = task.process.address_space_arc();
    let base = addr_space
        .find_free_vma_range(
            super::mmap::MMAP_BASE,
            page_count,
            crate::memory::address_space::VmaPageSize::Small,
        )
        .ok_or(SyscallError::OutOfMemory)?;

    addr_space
        .map_shared_frames_with_cap_ids(
            base,
            &frame_phys_addrs,
            Some(&mapping_cap_ids),
            crate::memory::address_space::VmaFlags {
                readable: true,
                writable: true,
                executable: false,
                user_accessible: true,
            },
            crate::memory::address_space::VmaType::Anonymous,
        )
        .map_err(|_| SyscallError::OutOfMemory)?;

    let out = UserSliceWrite::new(_out_ptr, core::mem::size_of::<u64>())?;
    out.copy_from(&base.to_ne_bytes());
    Ok(map_size)
}

/// Performs the sys sem create operation.
fn sys_sem_create(initial: u64) -> Result<u64, SyscallError> {
    let initial = u32::try_from(initial).map_err(|_| SyscallError::InvalidArgument)?;
    let sem_id = semaphore::create_semaphore(initial).map_err(|e| match e {
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let cap = get_capability_manager().create_capability(
        ResourceType::Semaphore,
        sem_id.as_u64() as usize,
        CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: true,
            revoke: true,
        },
    );
    let cap_id = unsafe { (&mut *task.process.capabilities.get()).insert(cap) };
    Ok(cap_id.as_u64())
}

/// Performs the resolve sem operation.
fn resolve_sem(
    handle: u64,
    required: CapPermissions,
) -> Result<alloc::sync::Arc<semaphore::PosixSemaphore>, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get_with_permissions(CapId::from_raw(handle), required)
        .ok_or(SyscallError::PermissionDenied)?;
    if cap.resource_type != ResourceType::Semaphore {
        return Err(SyscallError::BadHandle);
    }
    let id = SemId::from_u64(cap.resource as u64);
    semaphore::get_semaphore(id).ok_or(SyscallError::BadHandle)
}

/// Performs the sys sem wait operation.
fn sys_sem_wait(handle: u64) -> Result<u64, SyscallError> {
    let sem = resolve_sem(
        handle,
        CapPermissions {
            read: true,
            write: false,
            execute: false,
            grant: false,
            revoke: false,
        },
    )?;
    sem.wait().map_err(|e| match e {
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;
    Ok(0)
}

/// Performs the sys sem trywait operation.
fn sys_sem_trywait(handle: u64) -> Result<u64, SyscallError> {
    let sem = resolve_sem(
        handle,
        CapPermissions {
            read: true,
            write: false,
            execute: false,
            grant: false,
            revoke: false,
        },
    )?;
    sem.try_wait().map_err(|e| match e {
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;
    Ok(0)
}

/// Performs the sys sem post operation.
fn sys_sem_post(handle: u64) -> Result<u64, SyscallError> {
    let sem = resolve_sem(
        handle,
        CapPermissions {
            read: false,
            write: true,
            execute: false,
            grant: false,
            revoke: false,
        },
    )?;
    sem.post().map_err(|e| match e {
        semaphore::SemaphoreError::WouldBlock => SyscallError::Again,
        semaphore::SemaphoreError::Destroyed => SyscallError::Pipe,
        semaphore::SemaphoreError::InvalidValue => SyscallError::InvalidArgument,
        semaphore::SemaphoreError::NotFound => SyscallError::NotFound,
    })?;
    Ok(0)
}

/// Performs the sys sem close operation.
fn sys_sem_close(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let cap = caps
        .get(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Semaphore {
        return Err(SyscallError::BadHandle);
    }
    let cap = caps
        .remove(CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    debug_assert_eq!(cap.resource_type, ResourceType::Semaphore);
    release_capability(&cap, Some(task.id));
    Ok(0)
}

use strat9_abi::data::{
    PciAddress as PciAddressAbi, PciDeviceInfo as PciDeviceInfoAbi,
    PciProbeCriteria as PciProbeCriteriaAbi, PCI_MATCH_CLASS_CODE, PCI_MATCH_DEVICE_ID,
    PCI_MATCH_PROG_IF, PCI_MATCH_SUBCLASS, PCI_MATCH_VENDOR_ID,
};

/// Reads pci address.
fn read_pci_address(addr_ptr: u64) -> Result<pci::PciAddress, SyscallError> {
    if addr_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    let user = UserSliceRead::new(addr_ptr, core::mem::size_of::<PciAddressAbi>())?;
    let mut raw = [0u8; core::mem::size_of::<PciAddressAbi>()];
    user.copy_to(&mut raw);
    let abi = unsafe { core::ptr::read_unaligned(raw.as_ptr() as *const PciAddressAbi) };
    if abi.device > 31 || abi.function > 7 {
        return Err(SyscallError::InvalidArgument);
    }
    Ok(pci::PciAddress::new(abi.bus, abi.device, abi.function))
}

/// Performs the sys pci enum operation.
fn sys_pci_enum(criteria_ptr: u64, out_ptr: u64, max_entries: u64) -> Result<u64, SyscallError> {
    if criteria_ptr == 0 || out_ptr == 0 {
        return Err(SyscallError::Fault);
    }
    if max_entries == 0 {
        return Ok(0);
    }
    let max_entries = core::cmp::min(max_entries as usize, 4096);
    let user_criteria =
        UserSliceRead::new(criteria_ptr, core::mem::size_of::<PciProbeCriteriaAbi>())?;
    let mut criteria_bytes = [0u8; core::mem::size_of::<PciProbeCriteriaAbi>()];
    user_criteria.copy_to(&mut criteria_bytes);
    let criteria_abi =
        unsafe { core::ptr::read_unaligned(criteria_bytes.as_ptr() as *const PciProbeCriteriaAbi) };

    let criteria = pci::ProbeCriteria {
        vendor_id: if (criteria_abi.match_flags & PCI_MATCH_VENDOR_ID) != 0 {
            Some(criteria_abi.vendor_id)
        } else {
            None
        },
        device_id: if (criteria_abi.match_flags & PCI_MATCH_DEVICE_ID) != 0 {
            Some(criteria_abi.device_id)
        } else {
            None
        },
        class_code: if (criteria_abi.match_flags & PCI_MATCH_CLASS_CODE) != 0 {
            Some(criteria_abi.class_code)
        } else {
            None
        },
        subclass: if (criteria_abi.match_flags & PCI_MATCH_SUBCLASS) != 0 {
            Some(criteria_abi.subclass)
        } else {
            None
        },
        prog_if: if (criteria_abi.match_flags & PCI_MATCH_PROG_IF) != 0 {
            Some(criteria_abi.prog_if)
        } else {
            None
        },
    };

    let devices = pci::probe_all(criteria);
    let count = core::cmp::min(devices.len(), max_entries);
    let mut out = alloc::vec::Vec::<PciDeviceInfoAbi>::with_capacity(count);
    for dev in devices.into_iter().take(count) {
        out.push(PciDeviceInfoAbi {
            address: PciAddressAbi {
                bus: dev.address.bus,
                device: dev.address.device,
                function: dev.address.function,
                _reserved: 0,
            },
            vendor_id: dev.vendor_id,
            device_id: dev.device_id,
            class_code: dev.class_code,
            subclass: dev.subclass,
            prog_if: dev.prog_if,
            revision: dev.revision,
            header_type: dev.header_type,
            interrupt_line: dev.interrupt_line,
            interrupt_pin: dev.interrupt_pin,
            _reserved: 0,
        });
    }
    let out_bytes_len = out
        .len()
        .checked_mul(core::mem::size_of::<PciDeviceInfoAbi>())
        .ok_or(SyscallError::InvalidArgument)?;
    let user_out = UserSliceWrite::new(out_ptr, out_bytes_len)?;
    let out_bytes =
        unsafe { core::slice::from_raw_parts(out.as_ptr() as *const u8, out_bytes_len) };
    user_out.copy_from(out_bytes);
    Ok(out.len() as u64)
}

/// Performs the sys pci cfg read operation.
fn sys_pci_cfg_read(addr_ptr: u64, offset: u64, width: u64) -> Result<u64, SyscallError> {
    let dev_addr = read_pci_address(addr_ptr)?;
    let offset = u8::try_from(offset).map_err(|_| SyscallError::InvalidArgument)?;
    let width = u8::try_from(width).map_err(|_| SyscallError::InvalidArgument)?;
    if !matches!(width, 1 | 2 | 4) {
        return Err(SyscallError::InvalidArgument);
    }
    if offset > 0xFC || (offset as u16 + width as u16) > 0x100 {
        return Err(SyscallError::InvalidArgument);
    }
    if (width == 2 && (offset & 1) != 0) || (width == 4 && (offset & 3) != 0) {
        return Err(SyscallError::InvalidArgument);
    }
    let dev = pci::all_devices()
        .into_iter()
        .find(|d| d.address == dev_addr)
        .ok_or(SyscallError::NotFound)?;
    let value = match width {
        1 => dev.read_config_u8(offset) as u32,
        2 => dev.read_config_u16(offset) as u32,
        _ => dev.read_config_u32(offset),
    };
    Ok(value as u64)
}

/// Performs the sys pci cfg write operation.
fn sys_pci_cfg_write(
    addr_ptr: u64,
    offset: u64,
    width: u64,
    value: u64,
) -> Result<u64, SyscallError> {
    let dev_addr = read_pci_address(addr_ptr)?;
    let offset = u8::try_from(offset).map_err(|_| SyscallError::InvalidArgument)?;
    let width = u8::try_from(width).map_err(|_| SyscallError::InvalidArgument)?;
    if !matches!(width, 1 | 2 | 4) {
        return Err(SyscallError::InvalidArgument);
    }
    if offset > 0xFC || (offset as u16 + width as u16) > 0x100 {
        return Err(SyscallError::InvalidArgument);
    }
    if (width == 2 && (offset & 1) != 0) || (width == 4 && (offset & 3) != 0) {
        return Err(SyscallError::InvalidArgument);
    }
    let dev = pci::all_devices()
        .into_iter()
        .find(|d| d.address == dev_addr)
        .ok_or(SyscallError::NotFound)?;
    match width {
        1 => dev.write_config_u8(offset, value as u8),
        2 => dev.write_config_u16(offset, value as u16),
        _ => dev.write_config_u32(offset, value as u32),
    }
    Ok(0)
}

//  Typed MPMC sync-channel syscall handlers (IPC-02) ================================================================================

/// SYS_CHAN_CREATE (220): create a bounded sync-channel.
///
/// arg1 = capacity (clamped to [1, 1024]).
/// Returns a capability handle whose `resource` field encodes the `ChanId`.
fn sys_chan_create(capacity: u64) -> Result<u64, SyscallError> {
    let cap = capacity.clamp(1, 1024) as usize;
    let chan_id = channel::create_channel(cap);

    // Register a Channel capability in the current task's capability table.
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let cap_id = caps.insert(crate::capability::Capability {
        id: crate::capability::CapId::new(),
        permissions: crate::capability::CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: true,
            revoke: false,
        },
        resource_type: ResourceType::Channel,
        resource: chan_id.as_u64() as usize,
    });

    log::debug!(
        "syscall: CHAN_CREATE(cap={}) → chan={} handle={}",
        cap,
        chan_id,
        cap_id.as_u64()
    );
    Ok(cap_id.as_u64())
}

/// SYS_CHAN_SEND (221): send one `IpcMessage` to a channel, blocking if full.
///
/// arg1 = channel handle (CapId), arg2 = user pointer to 64-byte IpcMessage.
fn sys_chan_send(handle: u64, msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    // Validate and copy the message from userspace.
    let user_slice = UserSliceRead::new(msg_ptr, 64).map_err(SyscallError::from)?;
    let mut msg = IpcMessage::new(0);
    // SAFETY: IpcMessage is repr(C), 64 bytes, fully initialised above.
    let n = user_slice.copy_to(unsafe {
        core::slice::from_raw_parts_mut(&mut msg as *mut IpcMessage as *mut u8, 64)
    });
    if n != 64 {
        return Err(SyscallError::Fault);
    }

    // Fill in the sender task ID.
    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    msg.sender = task.id.as_u64();

    // Look up the channel capability.
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel || !cap.permissions.write {
        return Err(SyscallError::PermissionDenied);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);

    let chan = channel::get_channel(chan_id).ok_or(SyscallError::BadHandle)?;
    chan.send(msg).map_err(SyscallError::from)?;

    Ok(0)
}

/// SYS_CHAN_RECV (222): receive one `IpcMessage` from a channel, blocking if empty.
///
/// arg1 = channel handle (CapId), arg2 = user pointer to 64-byte output buffer.
fn sys_chan_recv(handle: u64, msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel || !cap.permissions.read {
        return Err(SyscallError::PermissionDenied);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);

    let chan = channel::get_channel(chan_id).ok_or(SyscallError::BadHandle)?;
    let msg = chan.recv().map_err(SyscallError::from)?;

    // Write the received message to userspace.
    let user_slice = UserSliceWrite::new(msg_ptr, 64).map_err(SyscallError::from)?;
    // SAFETY: IpcMessage is repr(C), 64 bytes.
    let n = user_slice.copy_from(unsafe {
        core::slice::from_raw_parts(&msg as *const IpcMessage as *const u8, 64)
    });
    if n != 64 {
        return Err(SyscallError::Fault);
    }

    Ok(0)
}

/// SYS_CHAN_TRY_RECV (223): non-blocking receive.
///
/// Returns 0 if a message was delivered, -EWOULDBLOCK if the channel is empty.
fn sys_chan_try_recv(handle: u64, msg_ptr: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &*task.process.capabilities.get() };
    let cap = caps
        .get(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel || !cap.permissions.read {
        return Err(SyscallError::PermissionDenied);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);

    let chan = channel::get_channel(chan_id).ok_or(SyscallError::BadHandle)?;
    match chan.try_recv() {
        Ok(msg) => {
            let user_slice = UserSliceWrite::new(msg_ptr, 64).map_err(SyscallError::from)?;
            // SAFETY: IpcMessage is repr(C), 64 bytes.
            let n = user_slice.copy_from(unsafe {
                core::slice::from_raw_parts(&msg as *const IpcMessage as *const u8, 64)
            });
            if n != 64 {
                return Err(SyscallError::Fault);
            }
            Ok(0)
        }
        Err(e) => Err(SyscallError::from(e)),
    }
}

/// SYS_CHAN_CLOSE (224): destroy a channel and remove it from the registry.
///
/// Wakes all tasks blocked on this channel with `Disconnected`.
fn sys_chan_close(handle: u64) -> Result<u64, SyscallError> {
    crate::silo::enforce_cap_for_current_task(handle)?;

    let task = current_task_clone().ok_or(SyscallError::PermissionDenied)?;
    let caps = unsafe { &mut *task.process.capabilities.get() };
    let cap = caps
        .get(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    if cap.resource_type != ResourceType::Channel {
        return Err(SyscallError::BadHandle);
    }
    let chan_id = ChanId::from_u64(cap.resource as u64);
    let cap = caps
        .remove(crate::capability::CapId::from_raw(handle))
        .ok_or(SyscallError::BadHandle)?;
    debug_assert_eq!(cap.resource_type, ResourceType::Channel);
    release_capability(&cap, Some(task.id));

    log::debug!("syscall: CHAN_CLOSE(handle={}) → chan={}", handle, chan_id);
    Ok(0)
}