> Further research revealed my misunderstanding; it turned out OpenBSD
> system call stab tries to save 9-11th args in r10-12 storing system
> call number in r13.

Hmm...  I'm not sure that this is unreasonable.  What system calls use
that many registers or have that many arguments?
I don't have a running DG/UX system that I can check with (this
will change soon, but I currently only have a B2 secure installation
that I haven't had time to crack--it foiled my first couple of
half-hearted attempts).

> r0 is hardwired zero, r1 for return address, and calling convention
> defines r[2-9] for the first 8 arguments (double adjusts even/odd
> pairs).  So, either follows pass-args-on-regs scheme, with a glitch.

I think we should use the convention outlined on page 2-9 of
MC88100UM/AD:
	r0        : constant 0 (hardware)
	r1        : return address (set by jbsr)
	r2  - r9  : called procedure parameter registers
	r10 - r13 : called procedure temporary registers (scratch)
	r14 - r25 : calling procedure reserved registers (preserved by
		    callee, if used)
	r26 - r29 : reserved by linker
	r30       : frame pointer
	r31       : stack pointer

Except for r0 and r1, these are all software conventions and subject to
change.  It looks like OpenBSD chose to use r10-r13 for extra parameter
registers for system calls (13 for the system call number, as you say).
As I remarked above, I don't think this is unreasonable, and I can't
think of any reason why we should not do the same (unless we want to use
one of those registers for anything within the system call stub).

-allen