source: Deliverables/D4.1/Report/report.tex @ 380

\documentclass[11pt, epsf, a4wide]{article}

\usepackage{../../style/cerco}

\usepackage{amsfonts}
\usepackage{amsmath}
\usepackage{amssymb} 
\usepackage[english]{babel}
\usepackage[utf8x]{inputenc}
\usepackage{listings}
\usepackage{stmaryrd}
\usepackage{url}

\title{
INFORMATION AND COMMUNICATION TECHNOLOGIES\\
(ICT)\\
PROGRAMME\\
\vspace*{1cm}Project FP7-ICT-2009-C-243881 \cerco{}}

\lstdefinelanguage{matita}
  {keywords={ndefinition,ncoercion,nlemma,ntheorem,nremark,ninductive,nrecord,nqed,nlet,let,in,rec,match,return,with,Type},
   morekeywords={[2]nwhd,nnormalize,nelim,ncases,ndestruct},
   mathescape=true,
  }

\lstset{language=matita,basicstyle=\small\tt,columns=flexible,breaklines=false,
        keywordstyle=\color{red}\bfseries,
        keywordstyle=[2]\color{blue},
        commentstyle=\color{green},
        stringstyle=\color{blue},
        showspaces=false,showstringspaces=false}

\lstset{extendedchars=false}
\lstset{inputencoding=utf8x}
\DeclareUnicodeCharacter{8797}{:=}
\DeclareUnicodeCharacter{10746}{++}
\DeclareUnicodeCharacter{9001}{\ensuremath{\langle}}
\DeclareUnicodeCharacter{9002}{\ensuremath{\rangle}}

\date{}
\author{}

\begin{document}

\thispagestyle{empty}

\vspace*{-1cm}
\begin{center}
\includegraphics[width=0.6\textwidth]{../../style/cerco_logo.png}
\end{center}

\begin{minipage}{\textwidth}
\maketitle
\end{minipage}

\vspace*{0.5cm}
\begin{center}
\begin{LARGE}
\textbf{
Report n. D4.1\\
Intel 8051/8052 emulator prototype, and formalisation in Matita}
\end{LARGE} 
\end{center}

\vspace*{2cm}
\begin{center}
\begin{large}
Version 1.0
\end{large}
\end{center}

\vspace*{0.5cm}
\begin{center}
\begin{large}
Main Authors:\\
Claudio Sacerdoti Coen and Dominic P. Mulligan
\end{large}
\end{center}

\vspace*{\fill}

\noindent
Project Acronym: \cerco{}\\
Project full title: Certified Complexity\\
Proposal/Contract no.: FP7-ICT-2009-C-243881 \cerco{}\\

\clearpage
\pagestyle{myheadings}
\markright{\cerco{}, FP7-ICT-2009-C-243881}

\newpage

\vspace*{7cm}
\paragraph{Abstract}
We discuss the design and implementation of an O'Caml emulator for the Intel 8051/8052 eight bit processor, and its subsequent formalisation in the dependently typed proof assistant Matita.

\newpage

\tableofcontents

\newpage

\section{Introduction}
\label{sect.introduction}

\subsection{Task}
\label{subsect.task}

The Grant Agreement states the D4.1/D4.2 deliverables consist of:

\begin{quotation}
\textbf{Executable Formal Semantics of Machine Code}: Formal definition of the semantics of the target language.
The semantics will be given in a functional (and hence executable) form, useful for testing, validation and project assessment.
\end{quotation}

\begin{quotation}
\textbf{CIC encoding: Back-end}: Functional Specification in the internal language of the Proof Assistant (the Calculus of Inductive Construction) of the back end of the compiler.
This unit is meant to be composable with the front-end of deliverable D3.2, to obtain a full working compiler for Milestone M2.
A first validation of the design principles and implementation choices for the Untrusted Cost-annotating OCaml Compiler D2.2 is achieved and reported in the deliverable, possibly triggering updates of the Untrusted Cost-annotating OCaml Compiler sources.
\end{quotation}
We now report on our implementation of these deliverables.

\subsection{A brief overview of the target processor}
\label{subsect.brief.overview.target.processor}

\begin{figure}
\caption{High level overview of the 8051 memory layout}
\label{fig.memory.layout}
\end{figure}

The MCS-51 is an eight bit microprocessor introduced by Intel in the late 1970s.
Commonly called the 8051, in the three decades since its introduction the processor has become a highly popular target for embedded systems engineers.
Further, the processor and its immediate successor, the 8052, is still manufactured by a host of semiconductor suppliers---many of them European---including Atmel, Siemens Semiconductor, NXP (formerly Phillips Semiconductor), Texas Instruments, and Maxim (formerly Dallas Semiconductor).

The 8051 is a well documented processor, and has the additional support of numerous open source and commercial tools, such as compilers for high-level languages and emulators.
For instance, the open source Small Device C Compiler (SDCC) recognises a dialect of C, and other compilers targeting the 8051 for BASIC, Forth and Modula-2 are also extant.
An open source emulator for the processor, MCU8051 IDE, is also available.

The 8051 has a relatively straightforward architecture, unencumbered by advanced features of modern processors, making it an ideal target for formalisation.
A high-level overview of the processor's memory layout is provided in Figure~\ref{fig.memory.layout}.

Processor RAM is divided into numerous segments, with the most prominent division being between internal and (optional) external memory.
Internal memory, commonly provided on the die itself with fast access, is further divided into 128 bytes of internal RAM and numerous Special Function Registers (SFRs) which control the operation of the processor.
Internal RAM (IRAM) is further divided into a eight general purpose bit-addressable registers (R0--R7).
These sit in the first eight bytes of IRAM, though can be programmatically `shifted up' as needed.
Bit memory, followed by a small amount of stack space resides in the memory space immediately after the register banks.
What remains of the IRAM may be treated as general purpose memory.

External RAM (XRAM), limited to 64 kilobytes, is optional, and may be provided on or off chip, depending on the manufacturer.
XRAM is accessed using a dedicated instruction.
External code memory is often stored in the form of an EPROM, and limited to 64 kilobytes in size.
However, depending on the particular manufacturer and processor model, a dedicated on-die read-only memory area for program code may also be supplied (the processor has a Harvard architecture, where program code and data are separated).

Memory may be addressed in numerous ways: immediate, direct, indirect, external direct and code indirect.
As the latter two addressing modes hint, there are some restrictions enforced by the 8051 and its derivatives on which addressing modes may be used with specific types of memory.
For instance, the 128 bytes of extra internal RAM that the 8052 features cannot be addressed using indirect addressing; rather, external (in)direct addressing must be used.

The 8051 series possesses an eight bit Arithmetic and Logic Unit (ALU), with a wide variety of instructions for performing arithmetic and logical operations on bits and integers.
Further, the processor possesses two eight bit general purpose accumulators, A and B.

Communication with the device is facilitated by an onboard UART serial port, and associated serial controller, which can operate in numerous modes.
Serial baud rate is determined by one of two sixteen bit timers included with the 8051, which can be set to multiple modes of operation.
(The 8052 provides an additional sixteen bit timer.)
As an additional method of communication, the 8051 also provides a four byte bit-addressable input-output port.

The programmer may take advantage of the interrupt mechanism that the processor provides.
This is especially useful when dealing with input or output involving the serial device, as an interrupt can be set when a whole character is sent or received via the serial port.

Interrupts immediately halt the flow of execution of the processor, and cause the program counter to jump to a fixed address, where the requisite interrupt handler is stored.
However, interrupts may be set to one of two priorities: low and high.
The interrupt handler of an interrupt with high priority is executed ahead of the interrupt handler of an interrupt of lower priority, interrupting a currently executing handler of lower priority, if necessary.

The 8051 has interrupts disabled by default.
The programmer is free to handle serial input and output manually, by poking serial flags in the SFRs.
Similarly, `exceptional circumstances' that would otherwise trigger an interrupt on more modern processors, for example, division by zero, are also signalled by setting flags.

\section{The emulator in O'Caml}
\label{sect.emulator.in.ocaml}

\subsection{Anatomy of the emulator}
\label{subsect.anatomy.emulator}

\subsection{Lack of orthogonality in instruction set}
\label{subsect.lack.orthogonality.instruction.set}

The instruction set of 8051 assembly is highly irregular.
For instance, consider the MOV instruction, which implements a data transfer between two memory locations, which takes eighteen possible combinations of addressing modes.

\subsection{Pseudo-instructions}
\label{subsect.pseudo-instructions}

In validating the design and implementation of the O'Caml emulator we used two tactics:
\begin{enumerate}
\item
Use of multiple manufacturer's data sheets (both the Siemens Semiconductor and Phillips Semiconductor specifications for the 8051, as well as online sources such as the Keil website).
We found typographic errors in manufacturer's data sheets which were resolved by consulting an alternative sheet.
\item
Use of reference compilers and emulators.
The operation of the emulator was manually tested by reference to \textsc{mcu 8051 ide}, an emulator for the 8051 series processor.
A number of small C programs were compiled in SDCC\footnote{See the \texttt{GCC} directory for a selection of them.}, and the resulting IHX files were disassembled by \textsc{mcu 8051 ide}.
The status changes in both emulators were then compared.

For further validation, the output of the compiled C programs from SDCC was compared with the output of the same programs in GCC, in order to pre-empt the introduction of bugs in the emulator inherited from a faulty C compiler.
\end{enumerate}

As a further check, the design and operation of the emulator was compared with the textual description of online tutorials on 8051 programming, such as those found at \url{http://www.8052.com}.

\subsection{Validation}
\label{subsect.validation}

\section{The emulator in Matita}
\label{sect.emulator.in.matita}

\subsection{What we do not implement}
\label{subsect.what.we.do.not.implement}

Our O'Caml 8051 emulator provides functions for reading and parsing Intel IHX format files.
We do not implement these functions in the Matita emulator, as Matita provides no means of input or output.

\subsection{Auxilliary data structures and libraries}
\label{subsect.auxilliary.data.structures.and.libraries}

A small library of data structures was written, along with basic functions operating over them.
Implemented data structures include: Booleans, option types, lists, Cartesian products, Natural numbers, fixed-length vectors, and sparse tries.

Our type of vectors, in particular, makes heavy use of dependent types.
Probing vectors is `type safe' for instance: we cannot index into a vector beyond the vector's length.

We represent bits as Boolean values.
Nibbles, bytes, words, and so on, are represented as fixed length (bit)vectors of the requisite length.

\subsection{The emulator state}
\label{subsect.emulator.state}

We represent all processor memory in the Matita emulator as a sparse (bitvector)trie:

\begin{quote}
\begin{lstlisting}
ninductive BitVectorTrie (A: Type[0]): Nat $\rightarrow$ Type[0] ≝
  Leaf: A $\rightarrow$ BitVectorTrie A Z
| Node: ∀n: Nat. BitVectorTrie A n $\rightarrow$ BitVectorTrie A n $\rightarrow$ BitVectorTrie A (S n)
| Stub: ∀n: Nat. BitVectorTrie A n.
\end{lstlisting}
\end{quote}

Nodes are addressed by a bitvector index, representing a path through the tree.
At any point in the tree, a \texttt{Stub} may be inserted, representing a `hole' in the tree.
All functions operating on tries use dependent types to enforce the invariant that the height of the tree and the length of the bitvector representing a path through the tree are the same.

We probe a trie with the \texttt{lookup} function.
This takes an additional argument representing the value to be returned should a stub, representing uninitialised data, be encountered during traversal.

Like the O'Caml emulator, we use a record to represent processor state:

\begin{quote}
\begin{lstlisting}
nrecord Status: Type[0] ≝
{
  code_memory: BitVectorTrie Byte sixteen;
  low_internal_ram: BitVectorTrie Byte seven;
  high_internal_ram: BitVectorTrie Byte seven;
  external_ram: BitVectorTrie Byte sixteen;
 
  program_counter: Word;
  
  special_function_registers_8051: Vector Byte nineteen;
  special_function_registers_8052: Vector Byte five;
  
  ...
}.
\end{lstlisting}
\end{quote}

However, we `squash' the \texttt{Status} record in the Matita emulator by grouping all 8051 SFRs (respectively, 8052 SFRs) into a single vector of bytes, as opposed to representing them as explicit fields in the record itself.
We then provide functions that index into the respective vector to `get' and `set' the respective SFRs.
This is due to record typechecking in Matita being slow for large records.

\subsection{Dealing with partiality}
\label{subsect.dealing.with.partiality}

The O'Caml 8051 emulator makes use of a number of partial functions.
These functions either \texttt{assert false}\footnote{O'Caml idiom: immediately halts execution of the running program.} or do not perform a comprehensive pattern analysis over their inputs.
There are a number of possible reasons for this:
\begin{enumerate}
\item
\textbf{Incomplete pattern analyses} are used where we are confident that the particular pattern match in question should never occur, for instance if the calling function performs a test beforehand, or where the emulator should fail anyway if a particular unchecked pattern is used as input.
An example of a function which exhibits the latter behaviour is \texttt{set\_arg\_16} from \texttt{ASMInterpret.ml}, which fails with a pattern match exception if called on an input representing an eight bit argument.
\item
\textbf{Assert false} may be called if the emulator finds itself in an `impossible situation', such as encountering an empty list where a list containing one element is expected.
In this respect, we used \texttt{assert false} in a similar way to the previously described use of incomplete pattern analysis.
\item
\textbf{Assert false} may be called is some feature of the physical 8051 processor is not implemented in the O'Caml emulator and an executing program is attempting to use it.
\end{enumerate}

The three manifestations of partiality above can be split into two types: partiality that manifests itself due to O'Caml's type system not being strong enough to rule the cause out, and partiality that signals a `real' crash in the processor due to the user attempting to use an unimplemented feature.
Items 1 and 2 belong to the former class, Item 3 to the latter.

Clearly Items 1 and 2 above must be addressed in the Matita formalisation.
Item 2 is solved through extensive use of dependent types.
Indexing into lists and vectors, for instance, is always `type safe', as we provide probing functions with strong dependent types.

Item 1 is perhaps the most problematic of the three problems, as we either have to provide an exhaustive case analysis, use pattern wildcards, or find a clever way of encoding the possible patterns that are expected as input in the type of a function.
We employ a technique that implements the latter idea.
This is discussed in Subsection~\ref{subsect.addressing.modes.use.of.dependent.types}.

To solve Item 3 above in the Matita formalisation of the emulator, we introduce an axiom \texttt{not\_implemented} of type \texttt{False}.
When the emulator attempts to use an unimplemented feature, we introduce a metavariable, corresponding to an open proof obligation.
These obligations are closed by performing a case analysis over \texttt{not\_implemented}.

\subsection{Addressing modes: use of dependent types}
\label{subsect.addressing.modes.use.of.dependent.types}

We provide an inductive data type representing all possible addressing modes of 8051 assembly.
This is the type that functions will pattern match against.

\begin{quote}
\begin{lstlisting}
ninductive addressing_mode: Type[0] ≝
  DIRECT: Byte $\rightarrow$ addressing_mode
| INDIRECT: Bit $\rightarrow$ addressing_mode
...
\end{lstlisting}
\end{quote}
However, we also wish to express in the type of our functions the \emph{impossibility} of pattern matching against certain constructors.
In order to do this, we introduce an inductive type of addressing mode `tags'.
The constructors of \texttt{addressing\_mode\_tag} are in one-one correspondence with the constructors of \texttt{addressing\_mode}:
\begin{quote}
\begin{lstlisting}
ninductive addressing_mode_tag : Type[0] ≝
  direct: addressing_mode_tag
| indirect: addressing_mode_tag
...
\end{lstlisting}
\end{quote}
We then provide a function that checks whether an \texttt{addressing\_mode} is `morally' an \texttt{addressing\_mode\_tag}, as follows:
\begin{quote}
\begin{lstlisting}
nlet rec is_a (d:addressing_mode_tag) (A:addressing_mode) on d ≝
  match d with
   [ direct $\Rightarrow$ match A with [ DIRECT _ $\Rightarrow$ true | _ $\Rightarrow$ false ]
   | indirect $\Rightarrow$ match A with [ INDIRECT _ $\Rightarrow$ true | _ $\Rightarrow$ false ]
...
\end{lstlisting}
\end{quote}
We also extend this check to vectors of \texttt{addressing\_mode\_tag}'s in the obvious manner:
\begin{quote}
\begin{lstlisting}
nlet rec is_in (n: Nat) (l: Vector addressing_mode_tag n) (A:addressing_mode) on l ≝
 match l return $\lambda$m.$\lambda$_ :Vector addressing_mode_tag m.Bool with
  [ VEmpty $\Rightarrow$ false
  | VCons m he (tl: Vector addressing_mode_tag m) $\Rightarrow$
     is_a he A $\vee$ is_in ? tl A ].
\end{lstlisting}
\end{quote}
Here \texttt{VEmpty} and \texttt{VCons} are the two constructors of the \texttt{Vector} data type, and $\mathtt{\vee}$ is inclusive disjunction on Booleans.
\begin{quote}
\begin{lstlisting}
nrecord subaddressing_mode (n: Nat) (l: Vector addressing_mode_tag (S n)) : Type[0] ≝
{
  subaddressing_modeel :> addressing_mode;
  subaddressing_modein: bool_to_Prop (is_in ? l subaddressing_modeel)
}.
\end{lstlisting}
\end{quote}
We can now provide an inductive type of preinstructions with precise typings:
\begin{quote}
\begin{lstlisting}
ninductive preinstruction (A: Type[0]): Type[0] ≝
   ADD: $\llbracket$ acc_a $\rrbracket$ $\rightarrow$ $\llbracket$ register; direct; indirect; data $\rrbracket$ $\rightarrow$ preinstruction A
 | ADDC: $\llbracket$ acc_a $\rrbracket$ $\rightarrow$ $\llbracket$ register; direct; indirect; data $\rrbracket$ $\rightarrow$ preinstruction A
...
\end{lstlisting}
\end{quote}
Here $\llbracket - \rrbracket$ is syntax denoting a vector.
We see that the constructor \texttt{ADD} expects two parameters, the first being the accumulator A (\texttt{acc\_a}), and the second being one of a register, direct, indirect or data addressing mode.

The final, missing component is a pair of type coercions from \texttt{addressing\_mode} to \texttt{subaddressing\_mode} and from \texttt{subaddressing\_mode} to \texttt{Type$\lbrack0\rbrack$}, respectively.
The previous machinery allows us to state in the type of a function what addressing modes that function expects.
For instance, consider \texttt{set\_arg\_16}, which expects only a \texttt{DPTR}:
\begin{quote}
\begin{lstlisting}
ndefinition set_arg_16: Status $\rightarrow$ Word $\rightarrow$ $\llbracket$ dptr $\rrbracket$ $\rightarrow$ Status ≝
  $\lambda$s, v, a.
   match a return $\lambda$x. bool_to_Prop (is_in ? $\llbracket$ dptr $\rrbracket$ x) $\rightarrow$ ? with
     [ DPTR $\Rightarrow$ $\lambda$_: True.
       let 〈 bu, bl 〉 := split $\ldots$ eight eight v in
       let status := set_8051_sfr s SFR_DPH bu in
       let status := set_8051_sfr status SFR_DPL bl in
         status
     | _ $\Rightarrow$ $\lambda$_: False.
       match K in False with
       [
       ]
     ] (subaddressing_modein $\ldots$ a).
\end{lstlisting}
\end{quote}
All other cases are discharged by the catch-all at the bottom of the match expression.
Attempting to match against another addressing mode not indicated in the type (for example, \texttt{REGISTER}) will produce a type-error.

\end{document}