riscv · arichardson · Feb 10, 2025 · Feb 10, 2025 · andresag01 · Feb 11, 2025
diff --git a/src/insns/addi16sp_16bit.adoc b/src/insns/addi16sp_16bit.adoc
@@ -26,6 +26,8 @@ include::wavedrom/c-int-reg-immed.adoc[]
 Add the non-zero sign-extended 6-bit immediate to the value in the stack pointer (`csp=c2`), where the immediate is scaled to represent multiples of 16 in the range (-512,496). Clear the tag if the resulting capability is
 unrepresentable or `csp` is sealed.
 
+include::malformed_clear_tag_csp.adoc[]
+
 {cheri_int_mode_name} Description::
 
 Add the non-zero sign-extended 6-bit immediate to the value in the stack pointer (`sp=x2`), where the immediate is scaled to represent multiples of 16 in the range (-512,496).

diff --git a/src/insns/addi4spn_16bit.adoc b/src/insns/addi4spn_16bit.adoc
@@ -25,6 +25,8 @@ include::wavedrom/c-ciw.adoc[]
 
 Add a zero-extended non-zero immediate, scaled by 4, to the stack pointer, `csp`, and writes the result to `cd'`. This instruction is used to generate pointers to stack-allocated variables. Clear the tag if the resulting capability is unrepresentable or `csp` is sealed.
 
+include::malformed_clear_tag_csp.adoc[]
+
 {cheri_int_mode_name} Description::
 
 Add a zero-extended non-zero immediate, scaled by 4, to the stack pointer, `sp`, and writes the result to `rd'`. This instruction is used to generate pointers to stack-allocated variables.

diff --git a/src/insns/malformed_clear_tag_csp.adoc b/src/insns/malformed_clear_tag_csp.adoc
@@ -0,0 +1,2 @@
+NOTE: This instruction sets `cd.tag=0` if `csp` 's bounds are <<section_cap_malformed,malformed>>,
+or if any of the reserved fields are set.
diff --git a/src/riscv-integration.adoc b/src/riscv-integration.adoc
@@ -26,14 +26,14 @@ privileged architecture specified in the RISC-V ISA.
 === Memory
 
 A hart supporting {cheri_base_ext_name} has a single byte-addressable address
-space of 2^XLEN^ bytes for all memory accesses. Each memory region capable of
+space of 2^MXLEN^ bytes for all memory accesses. Each memory region capable of
 holding a capability also stores a tag bit for each naturally aligned CLEN bits
 (e.g. 16 bytes in RV64), so that capabilities with their tag set can only be
 stored in naturally aligned addresses. Tags must be atomically bound to the
 data they protect.
 
 The memory address space is circular, so the byte at address
-2^XLEN^ - 1 is adjacent to the byte at address zero. A capability's
+2^MXLEN^ - 1 is adjacent to the byte at address zero. A capability's
 <<section_cap_representable_check>> described in xref:section_cap_encoding[xrefstyle=short] is
 also circular, so address 0 is within the <<section_cap_representable_check>> of a capability
 where address 2^MXLEN^ - 1 is within the bounds.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		NOTE: This instruction sets `cd.tag=0` if `csp` 's bounds are <<section_cap_malformed,malformed>>,
		or if any of the reserved fields are set.