pointer masking and executable memory #805
Description
We're concerned that pointer masking as defined means that a single pointer will mean different things to instruction memory and data memory.
The RISC-V pointer masking extensions apply to data memory only, not to instruction memory. Instruction fetch never masks the pointer.
The RVY spec currently says:
When bounds are encoded or decoded, a masked but _not_ sign extended address is used.
and
For the representable range check, both the original and new addresses are masked.
Bounds setting instructions also mask the address in the same way.
So - to my mind - this is troubling. If I have an RWX capability where the upper PMLEN bits are 1's, then they'll be interpreted as 1's for the PC bounds check and 0's for the load/store bounds check.
Therefore the same capability means more than one thing - surely this isn't correct?
It's got me thinking that if a capability has X permission then pointer masking should be disabled for all accesses using it. Note that setting MXR disables pointer masking in the same way.
But then.... do representable range checks for ADDY also need to check X permission? to decide whether to mask the pointer?
it seems to be that the spec isn't very clear.