Closed nwf closed 1 week ago
Interesting. Are there other examples of architecture features that have such an effect explicitly delayed until control transfers? It seems a little arbitrary. RISC-V does have fence instructions for explicit uarch synchronisation, so we could alternatively use one of those? I've seen complaints that 'hidden state' makes life difficult for DV, which is one reason to prefer an explicit CSR. On the other hand, maybe we should reconsider the pseudo-local return sentry thing altogether, as it's getting rather difficult to articulate the threat model...
FWIW, Intel X86, not that it should be used as an example for much of anything, nominally requires "far jump"s for certain changes (protection, paging, long mode) to take effect, and the official recommendation is to make those changes one at a time. In practice, the chips tolerate a lot more.
Yes, this probably should also be triggered on fence instructions.
I agree that hidden state isn't stellar and am not hugely enamored of this approach.
Also open to revisiting/reverting the whole thing, as cute as "return addresses are confined to the stack" might seem.
Closing; #82
A different take on #80, that might be more amenable to convenient microarchitectural implementation? This stab uses a latch register that's read during CSC instructions and updated on control transfers.