source: Deliverables/D4.1/ITP-Paper/itp-2011.tex @ 578

\documentclass{llncs}

\usepackage{amsfonts}
\usepackage{amsmath}
\usepackage{amssymb} 
\usepackage[english]{babel}
\usepackage{color}
\usepackage{fancybox}
\usepackage{graphicx}
\usepackage[colorlinks]{hyperref}
\usepackage[utf8x]{inputenc}
\usepackage{listings}
\usepackage{mdwlist}
\usepackage{microtype}
\usepackage{stmaryrd}
\usepackage{url}

\newlength{\mylength} 
\newenvironment{frametxt}%
        {\setlength{\fboxsep}{5pt}
                \setlength{\mylength}{\linewidth}%
                \addtolength{\mylength}{-2\fboxsep}%
                \addtolength{\mylength}{-2\fboxrule}%
                \Sbox
                \minipage{\mylength}%
                        \setlength{\abovedisplayskip}{0pt}%
                        \setlength{\belowdisplayskip}{0pt}%
                }%
                {\endminipage\endSbox
                        \[\fbox{\TheSbox}\]}

\lstdefinelanguage{matita-ocaml}
  {keywords={definition,coercion,lemma,theorem,remark,inductive,record,qed,let,in,rec,match,return,with,Type,try,on,to},
   morekeywords={[2]whd,normalize,elim,cases,destruct},
   morekeywords={[3]type,of,val,assert,let,function},
   mathescape=true,
  }
\lstset{language=matita-ocaml,basicstyle=\small\tt,columns=flexible,breaklines=false,
        keywordstyle=\color{red}\bfseries,
        keywordstyle=[2]\color{blue},
        keywordstyle=[3]\color{blue}\bfseries,
        commentstyle=\color{green},
        stringstyle=\color{blue},
        showspaces=false,showstringspaces=false}
\lstset{extendedchars=false}
\lstset{inputencoding=utf8x}
\DeclareUnicodeCharacter{8797}{:=}
\DeclareUnicodeCharacter{10746}{++}
\DeclareUnicodeCharacter{9001}{\ensuremath{\langle}}
\DeclareUnicodeCharacter{9002}{\ensuremath{\rangle}}

\author{Dominic P. Mulligan\thanks{The project CerCo acknowledges the financial support of the Future and
Emerging Technologies (FET) programme within the Seventh Framework
Programme for Research of the European Commission, under FET-Open grant
number: 243881} \and Claudio Sacerdoti Coen$^\star$}
\authorrunning{D. P. Mulligan and C. Sacerdoti Coen}
\title{An executable formalisation of the MCS-51 microprocessor in Matita}
\titlerunning{An executable formalisation of the MCS-51}
\institute{Dipartimento di Scienze dell'Informazione, Universit\`a di Bologna}

\bibliographystyle{plain}

\begin{document}

\maketitle

\begin{abstract}
We summarise the formalisation of an emulator for the MCS-51 microprocessor in the Matita proof assistant.
The MCS-51 is a widely used 8-bit microprocessor, especially popular in embedded devices.

The formalisation proceeded in two stages, first implementing an O'Caml prototype, for quickly `ironing out' bugs, and then porting the O'Caml emulator to Matita.
Though mostly straight-forward, this porting presented multiple problems.
Of particular interest is how the unorthoganality of the MSC-51's instruction set is handled.
In O'Caml, this was handled with polymorphic variants.
In Matita, we achieved the same effect with a non-standard use of dependent types.

Both the O'Caml and Matita emulators are `executable'.
Assembly programs may be animated within Matita, producing a trace of instructions executed.
The formalisation is a major component of the ongoing EU-funded CerCo project.
\end{abstract}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Introduction}
\label{sect.introduction}

Formal methods aim to increase our confidence in the design and implementation of software.
Ideally, all software should come equipped with a formal specification and a proof of correctness for the corresponding implementation.
The majority of programs are written in high level languages and then compiled into low level ones.
Specifications are therefore also given at a high level and correctness can be proved by reasoning on the program's source code.
The code that is actually run, however, is not the high level source code that we reason on, but low level code generated by the compiler.
A few questions now arise:
\begin{itemize*}
\item
What properties are preserved during compilation?
\item
What properties are affected by the compilation strategy?
\item
To what extent can you trust your compiler in preserving those properties?
\end{itemize*}
These questions, and others like them, motivate a current `hot topic' in computer science research: \emph{compiler verification} (for instance~\cite{chlipala:verified:2010,leroy:formal:2009}, and many others).
So far, the field has only been focused on the first and last questions.
Much attention has been placed on verifying compiler correctness with respect to extensional properties of programs.
These are `easily' preserved during compilation.

If we consider intensional properties of programs---space, time, and so forth---the situation is more complex.
To express these properties, and reason about them, we must adopt a cost model that assigns a cost to single, or blocks, of instructions.
A compositional cost model, assigning the same cost to all occurrences of one instruction, would be ideal.
However, compiler optimisations are inherently non-compositional: each occurrence of a high level instruction may be compiled in a different way depending on its context.
Therefore both the cost model and intensional specifications are affected by the compilation process.

In the CerCo project (`Certified Complexity')~\cite{cerco:2011} we approach the problem of reasoning about intensional properties of programs as follows.
We are currently developing a compiler that induces a cost model on high level source code.
Costs are assigned to each block of high level instructions by considering the costs of the corresponding blocks of compiled code.
The cost model is therefore inherently non-compositional, but has the potential to be extremely \emph{precise}, capturing a program's \emph{realistic} cost.
That is, the compilation process is taken into account, not ignored.
A prototype compiler, where no approximation of the cost is provided, has been developed.
(The technical details of the cost model is explained in~\cite{amadio:certifying:2010}.)

We believe that our approach is applicable to certifying real time programs.
A user can certify that `deadlines' are met whilst wringing as many clock cycles from the processor---using a cost model that does not over-estimate---as possible.

We also see our approach as being relevant to compiler verification (and construction) itself.
\emph{An optimisation specified only extensionally is only half specified}.
Though the optimisation may preserve the denotational semantics of a program, there is no guarantee that any intensional properties of the program will be improved.

Another potential application is toward completeness and correctness of the compilation process in the presence of space constraints.
A compiler could reject a source program targetting an embedded system when the size of the compiled code exceeds the available ROM size.
Preservation of a program's semantics may only be required for those programs that do not exhaust the stack or heap.
The statement of completeness of the compiler must therefore take in to account a realistic cost model.

With the CerCo methodology, we assume we can assign to object code exact and realistic costs for sequential blocks of instructions.
This is possible with modern processors (see~\cite{bate:wcet:2011,yan:wcet:2008} for instance) but difficult, as the structure and execution of a program itself has an influence on the speed of processing.
Caching, memory effects, and advanced features such as branch prediction all have an effect on execution speed.
For this reason CerCo decided to focus on 8-bit microprocessors.
These are still used in embedded systems, with the advantage of a predictable cost model due to their relative paucity of features.

We have fully formalised an executable formal semantics of a family of 8-bit Freescale microprocessors~\cite{oliboni:matita:2008}, and provided a similar executable formal semantics for the MCS-51 microprocessor.
The latter is what we describe in this paper.
The focus of the formalisation has been on capturing the intensional behaviour of the processor.
However, the design of the MCS-51 itself has caused problems in the formalisation.
For example, the MCS-51 has a highly unorthogonal instruction set.
To cope with this unorthogonality, and to produce an executable specification, we rely on Matita's dependent types.

\paragraph{The MCS-51}\quad
The MCS-51 is an 8-bit microprocessor introduced by Intel in the late 1970s.
Commonly called the 8051, in the decades since its introduction the processor has become a popular component of embedded systems.
The processor, its successor the 8052, and derivatives are still manufactured \emph{en masse} by a host of vendors.

The 8051 is a well documented processor, and has the support of numerous open source and commercial tools, such as compilers and emulators.
For instance, the open source Small Device C Compiler (SDCC) recognises a dialect of C~\cite{sdcc:2010}, and other compilers for BASIC, Forth and Modula-2 are also extant.
An open source emulator for the processor, MCU 8051 IDE, is also available~\cite{mcu8051ide:2010}.
Both MCU 8051 IDE and SDCC were used in for validating the formalisation.

\begin{figure}[t]
\setlength{\unitlength}{0.87pt}
\begin{picture}(410,250)(-50,200)
%\put(-50,200){\framebox(410,250){}}
\put(12,410){\makebox(80,0)[b]{Internal (256B)}}
\put(13,242){\line(0,1){165}}
\put(93,242){\line(0,1){165}}
\put(13,407){\line(1,0){80}}
\put(12,400){\makebox(0,0)[r]{0h}}  \put(14,400){\makebox(0,0)[l]{Register bank 0}}
\put(13,393){\line(1,0){80}}
\put(12,386){\makebox(0,0)[r]{8h}}  \put(14,386){\makebox(0,0)[l]{Register bank 1}}
\put(13,379){\line(1,0){80}}
\put(12,372){\makebox(0,0)[r]{10h}}  \put(14,372){\makebox(0,0)[l]{Register bank 2}}
\put(13,365){\line(1,0){80}}
\put(12,358){\makebox(0,0)[r]{18h}} \put(14,358){\makebox(0,0)[l]{Register bank 3}}
\put(13,351){\line(1,0){80}}
\put(12,344){\makebox(0,0)[r]{20h}} \put(14,344){\makebox(0,0)[l]{Bit addressable}}
\put(13,323){\line(1,0){80}}
\put(12,316){\makebox(0,0)[r]{30h}}
  \put(14,309){\makebox(0,0)[l]{\quad \vdots}}
\put(13,291){\line(1,0){80}}
\put(12,284){\makebox(0,0)[r]{80h}}
  \put(14,263){\makebox(0,0)[l]{\quad \vdots}}
\put(12,249){\makebox(0,0)[r]{ffh}}
\put(13,242){\line(1,0){80}}

\qbezier(-2,407)(-6,407)(-6,393)
\qbezier(-6,393)(-6,324)(-10,324)
\put(-12,324){\makebox(0,0)[r]{Indirect/stack}}
\qbezier(-6,256)(-6,324)(-10,324)
\qbezier(-2,242)(-6,242)(-6,256)

\qbezier(94,407)(98,407)(98,393)
\qbezier(98,393)(98,349)(102,349)
\put(104,349){\makebox(0,0)[l]{Direct}}
\qbezier(98,305)(98,349)(102,349)
\qbezier(94,291)(98,291)(98,305)

\put(102,242){\framebox(20,49){SFR}}
% bit access to sfrs?

\qbezier(124,291)(128,291)(128,277)
\qbezier(128,277)(128,266)(132,266)
\put(134,266){\makebox(0,0)[l]{Direct}}
\qbezier(128,257)(128,266)(132,266)
\qbezier(124,242)(128,242)(128,256)

\put(164,410){\makebox(80,0)[b]{External (64kB)}}
\put(164,220){\line(0,1){187}}
\put(164,407){\line(1,0){80}}
\put(244,220){\line(0,1){187}}
\put(164,242){\line(1,0){80}}
\put(163,400){\makebox(0,0)[r]{0h}}
\put(164,324){\makebox(80,0){Paged access}}
  \put(164,310){\makebox(80,0){Direct/indirect}}
\put(163,235){\makebox(0,0)[r]{80h}}
  \put(164,228){\makebox(80,0){\vdots}}
  \put(164,210){\makebox(80,0){Direct/indirect}}

\put(264,410){\makebox(80,0)[b]{Code (64kB)}}
\put(264,220){\line(0,1){187}}
\put(264,407){\line(1,0){80}}
\put(344,220){\line(0,1){187}}
\put(263,400){\makebox(0,0)[r]{0h}}
  \put(264,228){\makebox(80,0){\vdots}}
  \put(264,324){\makebox(80,0){Direct}}
  \put(264,310){\makebox(80,0){PC relative}}
\end{picture}
\caption{The 8051 memory model}
\label{fig.memory.layout}
\end{figure}

The 8051 has a relatively straightforward architecture, unencumbered by advanced features of modern processors, making it an ideal target for formalisation.
A high-level overview of the processor's memory layout, along with the ways in which different memory spaces may be addressed, is provided in Figure~\ref{fig.memory.layout}.

Processor RAM is divided into numerous segments, with the most prominent division being between internal and (optional) external memory.
Internal memory, commonly provided on the die itself with fast access, is composed of 256 bytes, but, in direct addressing mode, half of them are overloaded with 128 bytes of memory-mapped Special Function Registers (SFRs).
SFRs control the operation of the processor.
Internal RAM (IRAM) is divided again into 8 general purpose bit-addressable registers (R0--R7).
These sit in the first 8 bytes of IRAM, though can be programmatically `shifted up' as needed.
Bit memory, followed by a small amount of stack space, resides in the memory space immediately following the register banks.
What remains of IRAM may be treated as general purpose memory.
A schematic view of IRAM layout is also provided in Figure~\ref{fig.memory.layout}.

External RAM (XRAM), limited to a maximum size of 64 kilobytes, is optional, and may be provided on or off chip, depending on the vendor.
XRAM is accessed using a dedicated instruction, and requires 16 bits to address fully.
External code memory (XCODE) is often stored as an EPROM, and limited to 64 kilobytes in size.
However, depending on the particular processor model, a dedicated on-die read-only memory area for program code (ICODE) may be supplied.

Memory may be addressed in numerous ways: immediate, direct, indirect, external direct and code indirect.
As the latter two addressing modes hint, there are some restrictions enforced by the 8051, and its derivatives, on which addressing modes may be used with specific types of memory.
For instance, the extra 128 bytes of IRAM of the 8052 cannot be addressed using indirect addressing; rather, external (in)direct addressing must be used. Moreover, some memory segments are addressed using 8-bit pointers while others require 16-bits.

The 8051 possesses an 8-bit Arithmetic and Logic Unit (ALU), with a variety of instructions for performing arithmetic and logical operations on bits and integers.
Two 8-bit general purpose accumulators, A and B, are provided.

Communication with the device is handled by an inbuilt UART serial port and controller.
This can operate in numerous modes.
Serial baud rate is determined by one of two 16-bit timers included with the 8051, which can be set to multiple modes of operation.
(The 8052 provides an additional 16-bit timer.)
The 8051 also provides a 4 byte bit-addressable I/O port.

The programmer may take advantage of an interrupt mechanism.
This is especially useful when dealing with I/O involving the serial device, as an interrupt can be set when a whole character is sent or received via the UART.

Interrupts immediately halt the flow of execution of the processor, and cause the program counter to jump to a fixed address, where the requisite interrupt handler is stored.
However, interrupts may be set to one of two priorities: low and high.
The interrupt handler of an interrupt with high priority is executed ahead of the interrupt handler of an interrupt of lower priority, interrupting a currently executing handler of lower priority, if necessary.

The 8051 has interrupts disabled by default.
The programmer is free to handle serial input and output manually, by poking serial flags in the SFRs.
`Exceptional circumstances' that would otherwise trigger an interrupt on more modern processors, (e.g. division by zero) are also signalled by setting flags.

%\begin{figure}[t]
%\begin{center}
%\includegraphics[scale=0.5]{iramlayout.png}
%\end{center}
%\caption{Schematic view of 8051 IRAM layout}
%\label{fig.iram.layout}
%\end{figure}

\paragraph{Overview of paper}\quad
In Section~\ref{sect.design.issues.formalisation} we discuss design issues in the development of the formalisation.
In Section~\ref{sect.validation} we discuss how we validated the design and implementation of the emulator to ensure that what we formalised was an accurate model of an MCS-51 series microprocessor.
In Section~\ref{sect.related.work} we describe previous work, with an eye toward describing its relation with the work described herein.
In Section~\ref{sect.conclusions} we conclude.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Design issues in the formalisation}
\label{sect.design.issues.formalisation}

From hereonin, we typeset O'Caml source with \texttt{\color{blue}{blue}} and Matita source with \texttt{\color{red}{red}}.
Matita's syntax is straightforward if familiar with Coq or O'Caml.
One subtlety is the use of `\texttt{?}' or `\texttt{$\ldots$}' in an argument position denoting an argument or arguments to be inferred, respectively.

A full account of the formalisation can be found in~\cite{cerco-report:2011}.

\subsection{Development strategy}
\label{subsect.development.strategy}

The implementation progressed in two stages.
We began with an emulator written in O'Caml to `iron out' any bugs in the design and implementation.
O'Caml's ability to perform file I/O also eased debugging and validation.
Once we were happy with the design of the O'Caml emulator, we moved to Matita.

Matita's syntax is lexically similar to O'Caml's.
This eased the translation, as swathes of code were copied with minor modifications.
However, several major issues had to be addressed when moving to Matita.
These are now discussed.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Representation of bytes, words, etc.}
\label{subsect.representation.integers}

\begin{figure}[t]
\begin{minipage}[t]{0.45\textwidth}
\vspace{0pt}
\begin{lstlisting}
type 'a vect = bit list
type nibble = [`Sixteen] vect
type byte = [`Eight] vect
$\color{blue}{\mathtt{let}}$ split_word w = split_nth 4 w
$\color{blue}{\mathtt{let}}$ split_byte b = split_nth 2 b
\end{lstlisting}
\end{minipage}
%
\begin{minipage}[t]{0.55\textwidth}
\vspace{0pt}
\begin{lstlisting}
type 'a vect
type word = [`Sixteen] vect
type byte = [`Eight] vect
val split_word: word -> byte * word
val split_byte: byte -> nibble * nibble
\end{lstlisting}
\end{minipage}
\caption{Sample of O'Caml implementation and interface for bitvectors module}
\label{fig.ocaml.implementation.bitvectors}
\end{figure}

The formalization of MCS-51 must deal with bytes (8-bits), words (16-bits), and also more exoteric quantities (7, 3 and 9-bits).
To avoid difficult-to-trace size mismatch bugs, we represented all quantities using bitvectors, i.e. fixed length vectors of booleans.
In the O'Caml emulator, we `faked' bitvectors using phantom types~\cite{leijen:domain:1999} implemented with polymorphic variants~\cite{garrigue:programming:1998}, as in Figure~\ref{fig.ocaml.implementation.bitvectors}.
From within the bitvector module (left column) bitvectors are just lists of bits and no guarantee is provided on sizes.
However, the module's interface (right column) enforces size invariants in the rest of the code.

In Matita, we are able to use the full power of dependent types to always work with vectors of a known size:
\begin{lstlisting}
inductive Vector (A: Type[0]): nat $\rightarrow$ Type[0] ≝
  VEmpty: Vector A O
| VCons: $\forall$n: nat. A $\rightarrow$ Vector A n $\rightarrow$ Vector A (S n).
\end{lstlisting}
We define \texttt{BitVector} as a specialization of \texttt{Vector} to \texttt{bool}.
We may use Matita's type system to provide precise typings for functions that are polymorphic in the size without code duplication:
\begin{lstlisting}
let rec split (A: Type[0]) (m,n: nat) on m:
   Vector A (plus m n) $\rightarrow$ (Vector A m) $\times$ (Vector A n) := ...
\end{lstlisting}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Representing memory}
\label{subsect.representing.memory}

The MCS-51 has numerous disjoint memory spaces addressed by differently sized pointers.
In the O'Caml implementation, we use a map data structure (from the standard library) for each space.
Matita's standard library is small, and does not contain a generic map data structure.
We had the opportunity of crafting a dependently typed special-purpose data structure for the job to enforce the correspondence between the size of pointer and the size of the memory space.
Further, we assumed that large swathes of memory would often be uninitialized.

We picked a modified form of trie of fixed height $h$.
Paths are represented by bitvectors (already used in the implementation for addresses and registers) of length $h$:
\begin{lstlisting}
inductive BitVectorTrie (A: Type[0]): nat $\rightarrow$ Type[0] ≝
  Leaf: A $\rightarrow$ BitVectorTrie A 0
| Node: ∀n. BitVectorTrie A n $\rightarrow$ BitVectorTrie A n $\rightarrow$ BitVectorTrie A (S n)
| Stub: ∀n. BitVectorTrie A n.
\end{lstlisting}
\texttt{Stub} is a constructor that can appear at any point in a trie.
It represents `uninitialized data'.
Performing a lookup in memory is now straight-forward.
The only subtlety over normal trie lookup is how we handle \texttt{Stub}.
We traverse a path, and upon encountering \texttt{Stub}, we return a default value\footnote{All manufacturer data sheets that we consulted were silent on the subject of what should be returned if we attempt to access uninitialized memory.  We defaulted to simply returning zero, though our \texttt{lookup} function is parametric in this choice.  We do not believe that this is an outrageous decision, as SDCC for instance generates code which first `zeroes out' all memory in a preamble before executing the program proper.  This is in line with the C standard, which guarantees that all global variables will be zero initialized piecewise.}.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Labels and pseudoinstructions}
\label{subsect.labels.pseudoinstructions}

Aside from implementing the core MCS-51 instruction set, we also provided \emph{pseudoinstructions}, \emph{labels} and \emph{cost labels}.
The purpose of \emph{cost labels} will be explained in Subsection~\ref{subsect.computation.cost.traces}.

Introducing pseudoinstructions had the effect of simplifying a C compiler---another component of the CerCo project---that was being implemented in parallel with our implementation.
To see why, consider the fact that the MCS-51's instruction set has numerous instructions for unconditional and conditional jumps to memory locations.
For instance, the instructions \texttt{AJMP}, \texttt{JMP} and \texttt{LJMP} all perform unconditional jumps.
However, these instructions differ in how large the maximum size of the offset of the jump to be performed can be.
Further, all jump instructions require a concrete memory address---to jump to---to be specified.
Compilers that support separate compilation cannot directly compute these offsets and select the appropriate jump instructions.
These operations are also burdensome for compilers that do not do separate compilation and are handled by assemblers.
We followed suit.

While introducing pseudoinstructions, we also introduced labels for locations to jump to, and for global data.
To specify global data via labels, we introduced a preamble before the program where labels and the size of reserved space for data is stored.
A pseudoinstruction \texttt{Mov} moves (16-bit) data stored at a label into the MCS-51's one 16-bit register, \texttt{DPTR}.

The pseudoinstructions and labels induce an assembly language similar to that of SDCC's.
All pseudoinstructions and labels are `assembled away' prior to program execution.
Jumps are computed in two stages.
A map associating memory addresses to labels is built, before replacing pseudojumps with concrete jumps to the correct address.
The algorithm currently implemented does not try to minimize object code size by picking the shortest possible jump instruction.
A better algorithm is left for future work.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Anatomy of the (Matita) emulator}
\label{subsect.anatomy.matita.emulator}

The internal state of the Matita emulator is represented as a record:
\begin{lstlisting}
record Status: Type[0] ≝ {
  code_memory: BitVectorTrie Byte 16;
  low_internal_ram: BitVectorTrie Byte 7;
  high_internal_ram: BitVectorTrie Byte 7;
  external_ram: BitVectorTrie Byte 16;
  program_counter: Word;
  special_function_registers_8051: Vector Byte 19;
  special_function_registers_8052: Vector Byte 5;
  ...  }.
\end{lstlisting}
This record encapsulates the current memory contents, the program counter, the state of the current SFRs, and so on.

Here the MCS-51's memory model is implemented using four disjoint memory spaces, plus SFRs.
From the programmer's point of view, what \emph{really} matters are the addressing modes that are in a many-to-many relationship with the spaces.
\texttt{DIRECT} addressing can be used to address either lower IRAM (if the first bit is 0) or the SFRs (if the first bit is 1), for instance.
That's why DIRECT uses 8-bit addresses but pointers to lower IRAM only use 7 bits.
The complexity of the memory model is captured in a pair of functions, \texttt{get\_arg\_XX} and \texttt{set\_arg\_XX}, that `get' and `set' data of size \texttt{XX} from memory.

%Overlapping, and checking which addressing modes can be used to address particular memory spaces, is handled through numerous \texttt{get\_arg\_XX} and \texttt{set\_arg\_XX} (for 1, 8 and 16 bits) functions.

Both the Matita and O'Caml emulators follow the classic `fetch-decode-execute' model of processor operation.
The next instruction to be processed, indexed by the program counter, is fetched from code memory with \texttt{fetch}.
An updated program counter, along with its concrete cost in processor cycles, is also returned.
These costs are taken from a Siemens Semiconductor Group data sheet for the MCS-51~\cite{siemens:2011}, and will likely vary across manufacturers and derivatives of the processor.
\begin{lstlisting}
definition fetch: BitVectorTrie Byte 16 $\rightarrow$ Word $\rightarrow$ instruction $\times$ Word $\times$ nat
\end{lstlisting}
Instruction are assembled to bit encodings by \texttt{assembly1}:
\begin{lstlisting}
definition assembly1: instruction $\rightarrow$ list Byte
\end{lstlisting}
An assembly program---comprising a preamble containing global data and a list of pseudoinstructions---is assembled using \texttt{assembly}.
Pseudoinstructions and labels are eliminated in favour of instructions from the MCS-51 instruction set.
A map associating memory locations and cost labels (see Subsection~\ref{subsect.computation.cost.traces}) is produced.
\begin{lstlisting}
definition assembly:
  assembly_program $\rightarrow$ option (list Byte $\times$ (BitVectorTrie String 16))
\end{lstlisting}
A single fetch-decode-execute cycle is performed by \texttt{execute\_1}:
\begin{lstlisting}
definition execute_1: Status $\rightarrow$ Status
\end{lstlisting}
The \texttt{execute} functions performs a fixed number of cycles by iterating
\texttt{execute\_1}:
\begin{lstlisting}
let rec execute (n: nat) (s: Status) on n: Status := ...
\end{lstlisting}
This differs from the O'Caml emulator, which executed a program indefinitely.
A callback function was also accepted as an argument, which could `witness' the execution as it happened, providing a print-out of the processor state.
Due to Matita's termination requirement, \texttt{execute} cannot execute a program indefinitely.
An alternative approach would be to produce an infinite stream of statuses representing an execution trace.
Matita supports infinite streams through co-inductive types.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Instruction set unorthogonality}
\label{subsect.instruction.set.unorthogonality}

A peculiarity of the MCS-51 is its unorthogonal instruction set.
For instance, the \texttt{MOV} instruction can be invoked using one of 16 combinations of addressing modes out of a possible 361.

% Show example of pattern matching with polymorphic variants

Such unorthogonality in the instruction set was handled with the use of polymorphic variants in O'Caml.
For instance, we introduced types corresponding to each addressing mode:
\begin{lstlisting}
type direct = [ `DIRECT of byte ]
type indirect = [ `INDIRECT of bit ]
...
\end{lstlisting}
Which were then combined in the inductive datatype for assembly preinstructions using the union operator `$|$':
\begin{lstlisting}
type 'addr preinstruction =
 [ `ADD of acc * [ reg | direct | indirect | data ]
...
 | `MOV of 
    (acc * [ reg | direct | indirect | data ],
     [ reg | indirect ] * [ acc | direct | data ],
     direct * [ acc | reg | direct | indirect | data ],
     dptr * data16,
     carry * bit,
     bit * carry
     ) union6
...
\end{lstlisting}
Here, \texttt{union6} is a disjoint union type, defined as follows:
\begin{lstlisting}
type ('a,'b,'c,'d,'e,'f) union6 = [ `U1 of 'a | ... | `U6 of 'f ]
\end{lstlisting}
For our purposes, the types \texttt{union2}, \texttt{union3} and \texttt{union6} sufficed.

This polymorphic variant machinery worked well: it introduced a certain level of type safety (for instance, the type of \texttt{MOV} above guarantees it cannot be invoked with arguments in the \texttt{carry} and \texttt{data16} addressing modes, respectively), and also allowed us to pattern match against instructions, when necessary.
However, this polymorphic variant machinery is \emph{not} present in Matita.
We needed some way to produce the same effect, which Matita supported.
For this task, we used dependent types.

We first provided an inductive data type representing all possible addressing modes, a type that functions will pattern match against:
\begin{lstlisting}
inductive addressing_mode: Type[0] ≝
  DIRECT: Byte $\rightarrow$ addressing_mode
| INDIRECT: Bit $\rightarrow$ addressing_mode
...
\end{lstlisting}
We also wished to express in the type of functions the \emph{impossibility} of pattern matching against certain constructors.
In order to do this, we introduced an inductive type of addressing mode `tags'.
The constructors of \texttt{addressing\_mode\_tag} are in one-to-one correspondence with the constructors of \texttt{addressing\_mode}:
\begin{lstlisting}
inductive addressing_mode_tag : Type[0] ≝
  direct: addressing_mode_tag
| indirect: addressing_mode_tag
...
\end{lstlisting}
The \texttt{is\_a} function checks if an \texttt{addressing\_mode} matches an \texttt{addressing\_mode\_tag}:
\begin{lstlisting}
let rec is_a (d: addressing_mode_tag) (A: addressing_mode) on d :=
  match d with
   [ direct $\Rightarrow$ match A with [ DIRECT _ $\Rightarrow$ true | _ $\Rightarrow$ false ]
   | indirect $\Rightarrow$ match A with [ INDIRECT _ $\Rightarrow$ true | _ $\Rightarrow$ false ]
...
\end{lstlisting}
The \texttt{is\_in} function checks if an \texttt{addressing\_mode} matches a set of tags represented as a vector. It simply extends the \texttt{is\_a} function in the obvious manner.

A \texttt{subaddressing\_mode} is an \emph{ad hoc} non-empty $\Sigma$-type of \texttt{addressing\_mode}s constrained to be in a set of tags:
\begin{lstlisting}
record subaddressing_mode n (l: Vector addressing_mode_tag (S n)): Type[0] :=
 { subaddressing_modeel :> addressing_mode;
   subaddressing_modein: bool_to_Prop (is_in ? l subaddressing_modeel) }.
\end{lstlisting}
An implicit coercion is provided to promote vectors of tags (denoted with $\llbracket - \rrbracket$) to the corresponding \texttt{subaddressing\_mode} so that we can use a syntax close to that of O'Caml to specify \texttt{preinstruction}s:
\begin{lstlisting}
inductive preinstruction (A: Type[0]): Type[0] ≝
   ADD: $\llbracket$ acc_a $\rrbracket$ $\rightarrow$ $\llbracket$ register; direct; indirect; data $\rrbracket$ $\rightarrow$ preinstruction A
 | ADDC: $\llbracket$ acc_a $\rrbracket$ $\rightarrow$ $\llbracket$ register; direct; indirect; data $\rrbracket$ $\rightarrow$ preinstruction A
...
\end{lstlisting}
The constructor \texttt{ADD} expects two parameters, the first being the accumulator A (\texttt{acc\_a}), the second being a register, direct, indirect or data addressing mode.

% One of these coercions opens up a proof obligation which needs discussing
% Have lemmas proving that if an element is a member of a sub, then it is a member of a superlist, and so on
The final component is a pair of type coercions from \texttt{addressing\_mode} to \texttt{subaddressing\_mode} and from \texttt{subaddressing\_mode} to \texttt{Type$\lbrack0\rbrack$}, respectively.
The first is a forgetful coercion, while the second opens a proof obligation wherein we must prove that the provided value is in the admissible set.
These coercions were first introduced by PVS to implement subset types~\cite{shankar:principles:1999}, and later in Coq as part of Russell~\cite{sozeau:subset:2006}.
In Matita all coercions can open proof obligations.

Proof obligations require us to state and prove a few auxilliary lemmas related to the transitivity of subtyping.
For instance, an \texttt{addressing\_mode} that belongs to an allowed set also belongs to any one of its supersets.
At the moment, Matita's automation exploits these lemmas to completely solve all the proof obligations opened in the formalisation.
The \texttt{execute\_1} function, for instance, opens over 200 proof obligations during type checking.

The machinery just described allows us to restrict the set of \texttt{addressing\_mode}s expected by a function and use this information during pattern matching.
This allows us to skip impossible cases.
For instance, consider \texttt{set\_arg\_16}, which expects only a \texttt{DPTR}:
\begin{lstlisting}
definition set_arg_16: Status $\rightarrow$ Word $\rightarrow$ $\llbracket$ dptr $\rrbracket$ $\rightarrow$ Status ≝ $~\lambda$s, v, a.
   match a return $\lambda$x. bool_to_Prop (is_in ? $\llbracket$ dptr $\rrbracket$ x) $\rightarrow$ ? with
     [ DPTR $\Rightarrow$ $\lambda$_: True.
       let 〈 bu, bl 〉 := split $\ldots$ eight eight v in
       let status := set_8051_sfr s SFR_DPH bu in
       let status := set_8051_sfr status SFR_DPL bl in
         status
     | _ $\Rightarrow$ $\lambda$_: False. $\bot$ ] $~$(subaddressing_modein $\ldots$ a).
\end{lstlisting}
We give a proof (the expression \texttt{(subaddressing\_modein} $\ldots$ \texttt{a)}) that the argument $a$ is in the set $\llbracket$ \texttt{dptr} $\rrbracket$ to the \texttt{match} expression.
In every case but \texttt{DPTR}, the proof is a proof of \texttt{False}, and the system opens a proof obligation $\bot$ that can be discarded using \emph{ex falso}.
Attempting to match against a disallowed addressing mode (replacing \texttt{False} with \texttt{True} in the branch) produces a type error.

We tried other dependently and non-dependently typed solutions before settling on this approach.
As we need a large number of different combinations of addressing modes to describe the whole instruction set, it is infeasible to declare a datatype for each one of these combinations.
The current solution is closest to the corresponding O'Caml code, to the point that the translation from O'Caml to Matita is almost syntactical.
We would like to investigate the possibility of changing the code extraction procedure of Matita so that it recognises this programming pattern and outputs O'Caml code using polymorphic variants.

% Talk about extraction to O'Caml code, which hopefully will allow us to extract back to using polymorphic variants, or when extracting vectors we could extract using phantom types
% Discuss alternative approaches, i.e. Sigma types to piece together smaller types into larger ones, as opposed to using a predicate to `cut out' pieces of a larger type, which is what we did

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{I/O and timers}
\label{subsect.i/o.timers}

% `Real clock' for I/O and timers
The O'Caml emulator has code for handling timers, asynchronous I/O and interrupts (these are not yet ported to the Matita emulator).
All three of these features interact with each other in subtle ways.
Interrupts can `fire' when an input is detected on the processor's UART port, and, in certain modes, timers reset when a high signal is detected on one of the MCS-51's communication pins.

To accurately model timers and I/O, we add an unbounded integral field \texttt{clock} to the central \texttt{status} record.
This field is only logical, since it does not represent any quantity stored in the physical processor, and is used to keep track of the current `processor time'.
Before every execution step, \texttt{clock} is incremented by the number of processor cycles that the instruction just fetched will take to execute.
The emulator then executes the instruction, followed by the code implementing the timers and I/O\footnote{Though it isn't fully specified by the manufacturer's data sheets if I/O is handled at the beginning or the end of each cycle.}.
In order to model I/O, we also store in \texttt{status} a \emph{continuation} which is a description of the behaviour of the environment:
\begin{lstlisting}
type line =
  [ `P1 of byte | `P3 of byte
  | `SerialBuff of [ `Eight of byte | `Nine of BitVectors.bit * byte ]]
type continuation =
  [`In of time * line * epsilon * continuation] option *
  [`Out of (time -> line -> time * continuation)]
\end{lstlisting}
At each moment, the second projection of the continuation $k$ describes how the environment will react to an output event performed in the future by the processor.
Suppose $\pi_2(k)(\tau,o) = \langle \tau',k' \rangle$.
If the emulator at time $\tau$ starts an asynchronous output $o$ either on the P1 or P3 output lines, or on the UART, then the environment will receive the output at time $\tau'$.
Moreover \texttt{status} is immediately updated with the continuation $k'$.

Further, if $\pi_1(k) = \mathtt{Some}~\langle \tau',i,\epsilon,k'\rangle$, then at time $\tau'$ the environment will send the asynchronous input $i$ to the emulator and \texttt{status} is updated with the continuation $k'$.
This input is visible to the emulator only at time $\tau' + \epsilon$.

The time required to perform an I/O operation is partially specified in the data sheets of the UART module.
This computation is complex so we prefer to abstract over it.
We leave the computation of the delay time to the environment.

We use only the P1 and P3 lines despite the MCS-51 having 4 output lines, P0--P3.
This is because P0 and P2 become inoperable if the processor is equipped with XRAM (we assume it is).

The UART port can work in several modes, depending on the how the SFRs are set.
In an asyncrhonous mode, the UART transmits 8 bits at a time, using a ninth line for synchronisation.
In a synchronous mode the ninth line is used to transmit an additional bit.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Computation of cost traces}
\label{subsect.computation.cost.traces}

As mentioned in Subsection~\ref{subsect.labels.pseudoinstructions} we introduced a notion of \emph{cost label}.
Cost labels are inserted by the prototype C compiler at specific locations in the object code.
Roughly, for those familiar with control flow graphs, they are inserted at the start of every basic block.

Cost labels are used to calculate a precise costing for a program by marking the location of basic blocks.
During the assembly phase, where labels and pseudoinstructions are eliminated, a map is generated associating cost labels with memory locations.
This map is later used in a separate analysis which computes the cost of a program by traversing through a program, fetching one instruction at a time, and computing the cost of blocks.
These block costings are stored in another map, and will later be passed back to the prototype compiler.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Validation}
\label{sect.validation}

We spent considerable effort attempting to ensure that what we have formalised is an accurate model of the MCS-51 microprocessor.

We made use of multiple data sheets, each from a different semiconductor manufacturer.
This helped us triangulate errors in the specification of the processor's instruction set, and its behaviour, for instance, in a data sheet from Philips Semiconductor.

The O'Caml prototype was especially useful for validation purposes.
We wrote a module for parsing and loading Intel HEX format files.
Intel HEX is a standard format that all compilers targetting the MCS-51, and similar processors, produce.
It is essentially a snapshot of the processor's code memory in compressed form.
Using this we were able to compile C programs with SDCC and load the resulting program directly into the emulator's code memory, ready for execution.
Further, we can produce a HEX file from the emulator's code memory for loading into third party tools.
After each step of execution, we can print out both the instruction that had been executed and a snapshot of the processor's state, including all flags and register contents.
For example:
\begin{frametxt}
\begin{small}
\begin{verbatim}
...
08: mov 81 #07

 Processor status:                               

   ACC: 0   B: 0   PSW: 0
    with flags set as:
     CY: false  AC: false  FO: false  RS1: false
     RS0: false  OV: false UD: false  P: false
   SP: 7  IP: 0  PC: 8  DPL: 0  DPH: 0  SCON: 0
   SBUF: 0  TMOD: 0  TCON: 0
   Registers:                                    
    R0: 0  R1: 0  R2: 0  R3: 0  R4: 0  R5: 0  R6: 0  R7: 0
...
\end{verbatim}
\end{small}
\end{frametxt}
Here, the trace indicates that the instruction \texttt{mov 81 \#07} has just been executed by the processor, which is now in the state indicated.
These traces were useful in spotting anything that was `obviously' wrong with the execution of the program.

We further used MCU 8051 IDE as a reference, which allows a user to step through an assembly program one instruction at a time.
Using these execution traces, we were able to step through a compiled program in MCU 8051 IDE and compare the resulting execution trace with the trace produced by our emulator.

The Matita formalisation was largely copied from the O'Caml source code, apart from the changes already mentioned.
However, as the Matita emulator is executable, we could perform further validation by comparing the trace of a program's execution in the Matita emulator with the trace of the same program in the O'Caml emulator.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Related work}
\label{sect.related.work}
A large body of literature on the formalisation of microprocessors exists.
The majority of it deals with proving correctness of implementations of microprocessors at the microcode or gate level.
We are interested in providing a precise specification of the behaviour of the microprocessor in order to prove the correctness of a compiler which will target the processor.
In particular, we are interested in intensional properties of the processor; precise timings of instruction execution in clock cycles.
Moreover, in addition to formalising the interface of an MCS-51 processor, we have also built a complete MCS-51 ecosystem: UART, I/O lines, and hardware timers, complete with an assembler.

Work closely related to our own can be found in~\cite{fox:trustworthy:2010}.
Here, the authors describe the formalisation, in HOL4, of the ARMv7 instruction set architecture.
They further point to an excellent list of references to related work in the literature for the interested reader.
This formalisation also considers the machine code level, opposed to their formalisation, which only considering an abstract assembly language.
In particular, instruction decoding is explicitly modeled inside HOL4's logic.
We go further in also providing an assembly language, complete with assembler, to translate instructions and pseudoinstruction into machine code.

Further, in~\cite{fox:trustworthy:2010} the authors validated their formalisation by using development boards and random testing.
We currently rely on non-exhaustive testing against a third party emulator.
We recognise the importance of this exhaustive testing, but currently leave it for future work.

Executability is another key difference between our work and that of~\cite{fox:trustworthy:2010}.
Our formalisation is executable: applying the emulation function to an input state eventually reduces to an output state.
This is because Matita is based on a logic, CIC, which internalizes conversion.
In~\cite{fox:trustworthy:2010} the authors provide an automation layer to derive single step theorems: if the processor is in a particular state that satisfies some preconditions, then after execution of an instruction it will reside in another state satisfying some postconditions.
We do not need single step theorems of this form.

Our main difficulties resided in the non-uniformity of an old 8-bit architecture, in terms of the instruction set, addressing modes and memory models.
In contrast, the ARM instruction set and memory model is relatively uniform, simplifying any formalisation considerably.

Perhaps the closest project to CerCo is CompCert~\cite{leroy:formally:2009}.
CompCert concerns the certification of a C compiler and includes a formalisation in Coq of a subset of PowerPC.
(Coq and Matita essentially share the same logic.)

Despite this similarity, the two formalisations do not have much in common.
First, CompCert provides a formalisation at the assembly level (no instruction decoding).
This impels them to trust an unformalised assembler and linker, whereas we provide our own.
Our formalisation is \emph{directly} executable, while the one in CompCert only provides a relation that describes execution.
I/O is also not considered at all in CompCert.
Moreover an idealized abstract and uniform memory model is assumed, while we take into account the complicated overlapping memory model of the MCS-51 architecture.
Finally, 82 instructions of the more than 200 offered by the processor are formalised in CompCert, and the assembly language is augmented with macro instructions that are turned into `real' instructions only during communication with the external assembler.
Even from a technical level the two formalisations differ: we tried to exploit dependent types whilst CompCert largely sticks to a non-dependent fragment of Coq.

In~\cite{atkey:coqjvm:2007} an executable specification of the Java Virtual Machine, using dependent types, is presented.
As we do, dependent types there are used to remove spurious partiality from the model.
They also lower the need for over-specifying the behaviour of the processor in impossible cases.
Our use of dependent types will also help to maintain invariants when we prove the correctness of the CerCo prototype C compiler.

Finally~\cite{sarkar:semantics:2009} provides an executable semantics for x86-CC multiprocessor machine code.
This machine code exhibits a high degree of non-uniformity similar to the MCS-51.
However, only a small subset of the instruction set is considered, and they over-approximate the possibilities of unorthogonality of the instruction set, largely dodging the problems we had to face.

Further, it seems that the definition of the decode function is potentially error prone.
A small domain specific language of patterns is formalised in HOL4.
This is similar to the specification language of the x86 instruction set found in manufacturer's data sheets.
A decode function is implemented by copying lines from data sheets into the proof script, which are then interpreted.

We are currently considering implementing a similar domain specific language in Matita.
However, we would prefer to certify in Matita the compiler for this language.
Data sheets could then be compiled down to the efficient code that we currently provide, instead of inefficiently interpreting the data sheets every time an instruction is executed.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SECTION                                                                      %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Conclusions}
\label{sect.conclusions}

In CerCo, we are interested in the certification of a compiler for C that induces a precise cost model on the source code.
Our cost model assigns costs to blocks of instructions by tracing the way that blocks are compiled, and by computing exact costs on generated machine language.
To perform this accurately, we have provided an executable semantics for the MCS-51 family of processors.
The formalisation was done twice, first in O'Caml and then in Matita, and captures the exact timings of the processor (according to a Siemen's data sheet).
Moreover, the O'Caml formalisation also considers timers and I/O.
Adding support for I/O and timers in Matita is on-going work that will not present any major problem, and was delayed only because the addition is not immediately useful for the formalisation of the CerCo compiler.

The formalisation is done at machine level and not at assembly level; we also formalise fetching and decoding.
We separately provide an assembly language, enhanched with labels and pseudoinstructions, and an assembler from this language to machine code.
This assembly language is similar to those found in `industrial strength' compilers, such as SDCC.
We introduce cost labels in the machine language to relate the data flow of the assembly program to that of the C source language, in order to associate costs to the C program.
For the O'Caml version, we provide a parser and pretty printer from code memory to Intel HEX format.
Hence we can perform testing on programs compiled using any free or commercial compiler.

Our main difficulty in formalising the MCS-51 was the unorthogonality of its memory model and instruction set.
These problems are easily handled in O'Caml by using advanced language features like polymorphic variants and phantom types, simulating Generalized Abstract Data Types.
In Matita, we use dependent types to recover the same flexibility, to reduce spurious partiality, and to grant invariants that will be later useful in other formalisations in the CerCo project.

The formalisation has been partially verified by computing execution traces on selected programs and comparing them with an existing emulator.
All instructions have been tested at least once, but we have not yet pushed testing further, for example with random testing or by using development boards.
I/O in particular has not been tested yet, and it is currently unclear how to provide exhaustive testing in the presence of I/O.
Finally, we are aware of having over-specified the processor in several places, by fixing a behaviour hopefully consistent with the real machine, where manufacturer data sheets are ambiguous or under-specified.

\bibliography{itp-2011.bib}

\end{document}