[FEATURE] Better IPC Fuzzer #10823

@tmleman

Description

Problem Description

The SOF IPC fuzzer (native_sim + libFuzzer, driven by sof/scripts/fuzz.sh) is useful, but a non-trivial share of the crashes it reports do not reproduce when the saved artifact is replayed, large parts of the IPC4 surface are effectively unreachable, libFuzzer runs without dictionaries or a curated seed corpus, there is no structured mutator, and heap errors in sys_heap are invisible to ASan. SOF #9742 is a concrete example of the cost: most of the debugging time went into ruling out the harness itself before the firmware bug could be analysed.

Planned improvements

  • Full per-testcase isolation (staging state, execution loop, IPC topology) so saved artifacts always reproduce.
  • Re-tune the per-testcase execution budget; add an optional "deep mode" for large inputs.
  • Open up the IPC4 surface: widen harness framing, size the POSIX hostbox from the real IPC limit, mirror payload into the hostbox.
  • Fix latent POSIX harness bugs surfaced by the above.
  • Introduce libFuzzer dictionaries for IPC3 and IPC4 (with a generator to keep them in sync with the headers).
  • Commit a curated smoke corpus for both IPC majors.
  • Add a structured LLVMFuzzerCustomMutator for IPC4 envelopes (and evaluate one for IPC3).
  • Enable heap-level memory error detection via zephyr#101479 (or a SOF-local shim if upstream stalls).
  • Update the GitHub Actions fuzz workflow to consume the new dictionaries / corpus and re-baseline its time budget.
  • Refresh the fuzzer developer documentation.

Out of scope

  • Cross-architecture (xtensa) fuzzing.
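Added illustration (editor's example, not code from the issue, from SOF or from Zephyr) of the structured mutator the list above asks for: a libFuzzer LLVMFuzzerCustomMutator that treats an IPC4-style message as header plus byte-counted payload, mutates the two parts separately, and always rewrites the length field so the output still passes the harness framing check. Everything here is an assumption made for the example: the three-dword envelope layout, the names ipc4_mutate_envelope, ipc4_env_is_consistent, fallback_mutate, MAX_PAYLOAD and the USE_LIBFUZZER build switch. The real SOF IPC4 header differs, and the point is only the technique: a byte-level mutator desynchronises the length field most of the time, and such inputs are rejected before they reach the IPC handlers.

```c
/* Assumed IPC4-style envelope for this example: two header dwords followed
 * by a byte-counted payload. Not the real SOF IPC4 header. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

struct ipc4_env {
    uint32_t primary;     /* header dword 0 */
    uint32_t extension;   /* header dword 1 */
    uint32_t payload_len; /* bytes of payload following the header */
};

#define ENV_HDR     (sizeof(struct ipc4_env))
#define MAX_PAYLOAD 4096u /* assumed harness framing limit */

/* Same shape as libFuzzer's LLVMFuzzerMutate(Data, Size, MaxSize). */
typedef size_t (*byte_mutator_fn)(uint8_t *data, size_t size, size_t max_size);

/* xorshift32: every choice derives from the seed libFuzzer hands us, so an
 * artifact plus its seed replays the same mutation. */
static uint32_t xs32(uint32_t *s)
{
    uint32_t x = *s ? *s : 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    *s = x;
    return x;
}

/* Stand-in for LLVMFuzzerMutate when built without libFuzzer: appends a
 * byte if there is room, otherwise flips one bit in place. */
static size_t fallback_mutate(uint8_t *data, size_t size, size_t max_size)
{
    uint32_t s = (uint32_t)size * 2654435761u + 7u;
    if (size < max_size && (xs32(&s) & 1u)) {
        data[size] = (uint8_t)xs32(&s);
        return size + 1;
    }
    if (size == 0)
        return 0;
    data[xs32(&s) % size] ^= (uint8_t)(1u << (xs32(&s) % 8u));
    return size;
}

/* Mutate header and payload as separate fields, then rewrite payload_len so
 * the result still passes framing. Returns the new total size; 0 tells
 * libFuzzer to fall back to its default mutator. */
size_t ipc4_mutate_envelope(uint8_t *data, size_t size, size_t max_size,
                            unsigned int seed, byte_mutator_fn mutate_bytes)
{
    uint32_t rng = seed;
    struct ipc4_env e;
    size_t payload, payload_cap;

    if (max_size < ENV_HDR)
        return 0;
    if (size < ENV_HDR) { /* no header: emit an empty, well-formed envelope */
        e.primary = xs32(&rng);
        e.extension = xs32(&rng);
        e.payload_len = 0;
        memcpy(data, &e, ENV_HDR);
        return ENV_HDR;
    }

    memcpy(&e, data, ENV_HDR);
    payload = size - ENV_HDR;
    payload_cap = max_size - ENV_HDR;
    if (payload_cap > MAX_PAYLOAD)
        payload_cap = MAX_PAYLOAD;
    if (payload > payload_cap)
        payload = payload_cap;

    switch (xs32(&rng) % 4u) {
    case 0: /* single-bit flip in the primary header dword */
        e.primary ^= 1u << (xs32(&rng) % 32u);
        break;
    case 1: /* single-bit flip in the extension header dword */
        e.extension ^= 1u << (xs32(&rng) % 32u);
        break;
    case 2: /* byte-level mutation confined to the payload */
        payload = mutate_bytes(data + ENV_HDR, payload, payload_cap);
        break;
    default: { /* resize: zero-fill on growth, truncate on shrink */
        size_t newlen = xs32(&rng) % (payload_cap + 1);
        if (newlen > payload)
            memset(data + ENV_HDR + payload, 0, newlen - payload);
        payload = newlen;
        break;
    }
    }

    e.payload_len = (uint32_t)payload; /* keep the length field truthful */
    memcpy(data, &e, ENV_HDR);
    return ENV_HDR + payload;
}

/* Framing check a harness applies before dispatch: header present and the
 * length field matches the bytes actually delivered. */
bool ipc4_env_is_consistent(const uint8_t *data, size_t size)
{
    struct ipc4_env e;

    if (size < ENV_HDR)
        return false;
    memcpy(&e, data, ENV_HDR);
    return e.payload_len == size - ENV_HDR && e.payload_len <= MAX_PAYLOAD;
}

#ifdef USE_LIBFUZZER
size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
/* libFuzzer entry point: clang -fsanitize=fuzzer -DUSE_LIBFUZZER ... */
size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize,
                               unsigned int Seed)
{
    return ipc4_mutate_envelope(Data, Size, MaxSize, Seed, LLVMFuzzerMutate);
}
#endif
```

Two design points carry over to a real harness. Every random choice is derived from the Seed argument libFuzzer passes in, which is what makes a saved artifact reproducible from the mutator's side; and the byte-level mutator is only ever pointed at the payload, so libFuzzer's dictionary entries land inside the payload rather than corrupting the header dwords.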

Metadata

Labels: enhancement (New feature or request)