Future small tweaks to switcher?

[nwf]

While writing (and trying to actually finish) #320, follow-up work has sprung to mind. Just jotting down so I don't forget. This list might grow with time.

• [ ] Since #326 (specifically b9d2191fa34a25c15d72eab50e7c2007de1ad4d7) landed, we now do a cincoffset and cmove. We should instead convert the SPILL_SLOT_c* offsets to be negative relative to an unmoved csp and then do the cincoffset instead of the cmove. This is easy, barely worth mentioning, but I'd rather do it after rather than before #320, because rebasing is getting old.
• [ ] @davidchisnall's "assume MSHWM now" comment; it's been a long time since we've driven without it (though @rmn30 notes that it could be useful to keep configurable for benchmarking)
  • [ ] After that, it would be nice to permute the fields of TrustedStackGeneric to make its tuple-like nature (spill frame, stack, miscellaneous state) more obvious; and some more commentary here couldn't hurt.
• [ ] .Lswitch_trusted_stack_exhausted looks an awful lot like a subset of switcher_skip_compartment_call. Can we readily shuffle the latter so that the former can be made to look like .Lswitch_stack_too_small?
• [ ] .Lhandle_error_try_stackful and .Lhandle_error_try_stackless both want the value 0xffff in s1; can we shuffle things around so that that's live-in to both rather than being li-d separately in each?
• [ ] The CSetBoundsExact in .Lswitch_stack_chop could fail if stacks are large and the current cursor is not sufficiently aligned. We could, in decreasing order of preference,...
  • use CSetBoundsRoundDown (https://github.com/CHERIoT-Platform/cheriot-sail/pull/74) once it exists
  • decide that's OK, and just unwind back into the caller when we try to zero the stack, as now (because we're after the update to the TrustedStack::frameoffset at the end of .Ltrusted_stack_push) but with more documentation
  • manually test (I'd rather not stick more instructions on the fast path, but it is an option)
• [ ] .Lcommon_thread_exit clobbers mcause with a constant value, but mtval is also exposed to the scheduler and is not, at present, reset on the exit path. This allows the scheduler to see mtval values that it perhaps should not.

[davidchisnall]

One more for the list:

• [ ] Use MScratch as the temporary home of CSP so MTDC is always a trusted stack or null.