Figure 12 — mLoad Validation Pipeline

Five sequential checks. Any failure at any stage routes to the single FAULT handler. No partial state, no silent fallback, no recovery. Every namespace access in the entire machine passes through this pipeline.

mLoad: THE SINGLE TRUSTED PATH FOR ALL NAMESPACE ACCESS

Church instructions that trigger mLoad:
  CAP.LOAD | CAP.SAVE | CALL | CHANGE | GC scan | Boot phases 3-4

Input:  GT from CR (index, version, permissions)
Target: namespace entry (Location, Limit, Seals)

VALIDATION PIPELINE (strictly sequential)

1. PERMISSION CHECK
   Read the GT's 6-bit permission field: R W X L S E
   Compare the requested operation against the GT permissions:
     CAP.LOAD → R
     CAP.SAVE → W
     CALL     → E
     LAMBDA   → X
   M is elevated on the CR by microcode, never checked from the GT itself.
   FAULT: permission denied. PASS: continue to 2.

2. BOUNDS CHECK
   Read the namespace entry's Location (base address) and Limit (length).
   Verify: access offset < Limit
     if (GT.index >= namespace_size || offset >= entry.Limit) → FAULT
   FAULT: out of bounds. PASS: continue to 3.

3. MAC VALIDATION (FNV hash)
   Recompute the MAC from the namespace entry fields using the hardware secret key:
     MAC = FNV_hash(secret, index, Location, Limit, version)
   Compare: computed MAC == stored MAC in the Seals word.
   Also verifies GT.version == entry.version (a version mismatch means forged or revoked).
   FNV (Fowler-Noll-Vo) hash: fast, non-cryptographic, hardware-friendly.
   FAULT: forged / revoked (version mismatch). PASS: continue to 4.

4. G-BIT RESET
   Reset the G (Garbage) bit on the namespace entry to 0.
   This marks the entry as "reachable": it was accessed, so GC won't collect it.
   GC integration: the mark phase sets G=1 on all entries; every mLoad resets G=0; the sweep collects G=1 entries.
   Always succeeds. PASS: continue to 5.

5. THREAD SHADOW UPDATE
   Update the thread table's shadow copy of CR0-CR7.
   The shadow tracks only the instruction-addressable capability registers.
   Required for context switch: the thread table must reflect the current CR state at all times.
   Always succeeds. PASS.

SINGLE FAULT HANDLER
   Execution stops. No recovery. No retry.

VALIDATED: Capability Loaded
   GT placed into the destination CR. Operation proceeds.

PIPELINE PROPERTIES
   No Partial State: if any check fails, no CR is modified. The machine state before mLoad is unchanged.
   No Silent Fallback: a failed check does not return NULL or a default value. It FAULTs. Period.
   No Recovery: FAULT is unrecoverable. Execution stops. The thread is terminated.
   Strictly Sequential: each check depends on the previous one passing. No out-of-order execution of validation.
   Single Code Path: every namespace access (LOAD, SAVE, CALL, CHANGE, GC, Boot) goes through this path.
   Hardware-Enforced: implemented in microcode / HDL. Software cannot bypass or intercept it.

KEY INSIGHTS
   mLoad is the Golden Rule of CTMM: every capability register write in the entire machine passes through mLoad. No exception: not the Nucleus, not Boot (except CR15, which is hardwired), not GC, not any abstraction. One gate, five checks, zero bypass.
   GC is built into the pipeline, not bolted on: stage 4 (G-bit reset) means every successful access automatically marks the entry as reachable. GC's scan phase is just "access everything reachable"; mLoad does the marking. No separate reachability graph.
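The five stages as a software model, added here as an illustration and not CTMM's own microcode or HDL. The FNV-1a 64-bit variant, the way the secret and fields are serialized into the hash, and the bit order of the permission field are assumptions the figure does not fix; the point it demonstrates is that every FAULT path exits before the CR, the shadow or the G bit is touched.

```python
# Added example: a software model of the mLoad pipeline, not CTMM's microcode/HDL.
# Assumed, since the figure does not fix them: FNV-1a 64-bit keyed by prepending the
# secret, 8-byte big-endian field encoding, permission bits R W X L S E from MSB to LSB.
from dataclasses import dataclass

class Fault(Exception):
    """The single FAULT handler: no retry, no fallback, no partial state."""

PERM = {"R": 0b100000, "W": 0b010000, "X": 0b001000, "L": 0b000100, "S": 0b000010, "E": 0b000001}
OP_NEEDS = {"CAP.LOAD": "R", "CAP.SAVE": "W", "CALL": "E", "LAMBDA": "X"}

def fnv1a64(data: bytes) -> int:
    h = 0xcbf29ce484222325
    for b in data:
        h = ((h ^ b) * 0x100000001b3) & 0xFFFFFFFFFFFFFFFF
    return h

def seal_mac(secret: bytes, index: int, location: int, limit: int, version: int) -> int:
    """MAC = FNV_hash(secret, index, Location, Limit, version); stored in the Seals word."""
    return fnv1a64(secret + b"".join(v.to_bytes(8, "big") for v in (index, location, limit, version)))

@dataclass
class Entry:            # namespace entry: Location, Limit, Seals (version + MAC), G bit
    location: int
    limit: int
    version: int
    mac: int
    g: int = 1          # GC mark phase sets G=1; every successful mLoad resets it to 0

@dataclass
class GT:               # capability held in a CR: namespace index, version, 6-bit permissions
    index: int
    version: int
    perms: int

def mload(op, gt, offset, namespace, secret, cr, shadow, dst):
    """Stages 1-5 in order. Any failure raises Fault before cr/shadow/G are touched."""
    if not gt.perms & PERM[OP_NEEDS[op]]:                                   # 1 PERMISSION CHECK
        raise Fault("permission denied")
    if gt.index >= len(namespace) or offset >= namespace[gt.index].limit:  # 2 BOUNDS CHECK
        raise Fault("out of bounds")
    e = namespace[gt.index]                                                 # 3 MAC VALIDATION
    if gt.version != e.version or seal_mac(secret, gt.index, e.location, e.limit, e.version) != e.mac:
        raise Fault("forged / revoked")
    e.g = 0                                                                 # 4 G-BIT RESET
    if dst < 8:                                                             # 5 THREAD SHADOW UPDATE
        shadow[dst] = gt                                                    #   (CR0-CR7 only)
    cr[dst] = gt                                                            # VALIDATED: GT into CR
```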