cheribsd
caprevoke should update aliasing mappings when marking a page capdirty
Suppose a page is mapped multiple times into an address space. During revocation scans, there is a window between visits to the aliasing mappings of that page. During that window, it is possible for capabilities to be written to an unvisited alias, and loaded from the visited alias. The loads may not trap if the LCLG has already been updated, in which case capabilities escape the revoker.
A rough solution would consist of broadcasting the transition to capdirty to all PTEs, i.e., increment the LCLGs of aliases upon this state transition, ensuring that a subsequent load will be noticed by the revoker.
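The interleaving described above, as an added toy model in C (not CheriBSD code; the struct and function names are illustrative). Assumptions: each PTE carries an integer LCLG compared against a single global generation counter, a capability load traps exactly when the two differ and the trap handler visits that mapping before the load completes, and the capability stored through the unvisited alias is one the revoker would have to clear (for example a stale pointer still held in a register). The proposed broadcast is modelled as stamping every alias of the page with a generation that mismatches the current one on the clean-to-capdirty transition; the exact encoding of that update is an assumption, only the resulting trap matters here.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only; names are not CheriBSD's. */
#define NALIAS 2

struct page {
    bool capdirty;      /* a capability has been stored since the last scan */
    bool unchecked_cap; /* the page holds a cap the revoker has not examined */
};

struct pte {
    struct page *pg;
    unsigned lclg;      /* per-PTE load-side capability load generation */
};

struct vm {
    unsigned gen;       /* generation of the revocation pass in progress */
    struct pte alias[NALIAS];
    bool broadcast_fix; /* apply the proposed capdirty broadcast */
};

/* Revoker visits mapping i: checks the physical page, then stamps the PTE
 * with the current generation so loads through it stop trapping. */
static void revoke_visit(struct vm *vm, int i)
{
    struct page *pg = vm->alias[i].pg;
    pg->unchecked_cap = false;
    pg->capdirty = false;
    vm->alias[i].lclg = vm->gen;
}

/* Capability store through mapping i. Assumption: the stored value is one
 * the revoker must catch, so the page now holds an unchecked capability. */
static void cap_store(struct vm *vm, int i)
{
    struct page *pg = vm->alias[i].pg;
    bool transition = !pg->capdirty;
    pg->capdirty = true;
    pg->unchecked_cap = true;
    if (vm->broadcast_fix && transition) {
        /* Proposed fix: on the clean -> capdirty transition, make every
         * alias of the page mismatch the current generation, so the next
         * load through any of them traps and rescans. */
        for (int j = 0; j < NALIAS; j++)
            if (vm->alias[j].pg == pg)
                vm->alias[j].lclg = vm->gen - 1;
    }
}

/* Capability load through mapping i. Traps (and visits the mapping) iff the
 * PTE's LCLG differs from the current generation. Returns true if an
 * unchecked capability reached the loader. */
static bool cap_load(struct vm *vm, int i)
{
    if (vm->alias[i].lclg != vm->gen)
        revoke_visit(vm, i);
    return vm->alias[i].pg->unchecked_cap;
}

/* The race from the report: revoker visits alias 0, a store lands through the
 * still-unvisited alias 1, then a load goes through alias 0. Returns true if
 * the capability escaped the revoker. */
bool aliased_store_escapes(bool broadcast_fix)
{
    struct page pg = { .capdirty = false, .unchecked_cap = false };
    struct vm vm = {
        .gen = 1,
        .alias = { { &pg, 0 }, { &pg, 0 } },
        .broadcast_fix = broadcast_fix,
    };

    revoke_visit(&vm, 0);            /* alias 0 visited; alias 1 not yet */
    cap_store(&vm, 1);               /* store via the unvisited alias */
    bool escaped = cap_load(&vm, 0); /* load via the visited alias */

    revoke_visit(&vm, 1);            /* revoker reaches alias 1 only now */
    return escaped;
}

int main(void)
{
    printf("without fix: escaped=%d\n", aliased_store_escapes(false));
    printf("with fix:    escaped=%d\n", aliased_store_escapes(true));
    return 0;
}
```

Without the broadcast, the load through alias 0 sees a matching LCLG, does not trap, and hands out a capability the revoker never examined; the later visit to alias 1 cleans the page but the value is already in a register. With the broadcast, the store through alias 1 invalidates alias 0's LCLG as well, so the same load traps, the page is rescanned first, and nothing escapes.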