switcher: ensure that MTCC is really NULL on fault

As @davidchisnall points out, just because sp's address is zero doesn't
mean that the rest of the cap is too.  So, if it looks like we're dead
in the water, make sure we're actually dead by zeroing mtcc completely.

While here, slightly tidy the code by flipping the condition and moving
the wedging operation out of line.  Add an instruction guaranteed to
trap after nulling MTCC.
diff --git a/sdk/core/switcher/entry.S b/sdk/core/switcher/entry.S
index 1d6ae64..98085d6 100644
--- a/sdk/core/switcher/entry.S
+++ b/sdk/core/switcher/entry.S
@@ -450,9 +450,7 @@
 	// slightly preferable to clearing mtdc, which would also ensure that we
 	// looped, because the architectural loop is tighter and involves no
 	// program text, making it easier for microarchitecture to detect.
-	bnez               sp, .Lexception_entry_still_alive
-	cspecialw          mtcc, csp
-.Lexception_entry_still_alive:
+	beqz               sp, .Lexception_reentered
 
 	// csp now points to the save reg frame that we can use.
 	// The guest csp (c2) is now in mtdc. Will be spilled later, but we
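Review bot: The `beqz sp, .Lexception_reentered` check tests only the address of the stack capability, and nothing at the branch says this is deliberate or where the wedging now happens. The block comment above it (which starts outside the hunk) still argues for the architectural loop, but the instructions that set that loop up have moved to the end of exception_entry_asm. I would add one line directly before the branch, such as `// Address-only check; .Lexception_reentered nulls MTCC completely and wedges.`, so a reader auditing the fault path can follow it from here.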
@@ -874,6 +872,11 @@
 	csc                ca1, TrustedStack_offset_ca1(csp)
 	j                  .Linstall_context
 
+.Lexception_reentered:
+	cmove              csp, cnull
+	cspecialw          mtcc, csp
+	clc                csp, 0(csp)
+	j                  .Lexception_reentered
 
 .size exception_entry_asm, . - exception_entry_asm
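Review bot: The new `.Lexception_reentered` block is a fail-stop path with no comments, so the purpose of its four instructions has to be reconstructed from the commit message. I would give the label a short header comment saying that it is reached only from the `beqz sp` check at exception entry, that `cmove csp, cnull` is there so MTCC receives a fully null capability rather than one whose address alone is zero, and that the `clc` through the null csp is the instruction expected to trap. The trailing jump deserves its own line, for example `// Backstop: not expected to be reached, the load above traps.` The preceding `j .Linstall_context` prevents fall-through into the label, and the rest of exception_entry_asm lies outside the hunk.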