Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this needs an “if the tag of the capability being stored to memory is set” somewhere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could add that to be extra clear but I since this is a note underneath "what happens when you don't have "C+W" I think it's probably fine to omit this clarification.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see nothing that states this any of this isn't for SC as a whole. The paragraph above just says the tag is cleared. C says "Allow reading capability data from memory if the authorizing capability also grants R-permission. Allow writing capability data to memory if the authorizing capability also grants W-permission." We don't define capability data anywhere, so a completely reasonable, if false, interpretation would be that any LC/SC counts as a load/store of capability data. 3.2.1 Tag talks about valid and invalid capabilities. I would in fact argue that capability data is both valid and invalid capabilities. Similarly, we have "Missing LM-permission does not affect untagged values since this could result in surprising bit patterns when copying non-capability data. Similarly, sealed capabilities are not modified as they are not directly dereferenceable." in various places, which is assuming a definition that only encompasses valid capabilities. This is all quite loose, making implicit assumptions and, I would argue, using the wrong definition.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I imagine a future extension could have at least two options: 1) trap for tagged data missing W|C, 2) trap for any cap store missing W|C (even if that is less useful.
I do agree that we should make sure to be explicit about anything defined in the spec but since this is about some hypothetical future thing being vague until that extension actually exists seems ok?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well my point is the latter is something that should not be permitted, because it breaks memcpy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair, would you be willing to fix this note?