source: src/ASM/CPP2011/cpp-2011.tex @ 957

\documentclass{llncs}

\usepackage{amsmath}
\usepackage[english]{babel}
\usepackage[colorlinks]{hyperref}
\usepackage[utf8x]{inputenc}
\usepackage{listings}

\newlength{\mylength}
\newenvironment{frametxt}%
        {\setlength{\fboxsep}{5pt}
                \setlength{\mylength}{\linewidth}%
                \addtolength{\mylength}{-2\fboxsep}%
                \addtolength{\mylength}{-2\fboxrule}%
                \Sbox
                \minipage{\mylength}%
                        \setlength{\abovedisplayskip}{0pt}%
                        \setlength{\belowdisplayskip}{0pt}%
                }%
                {\endminipage\endSbox
                        \[\fbox{\TheSbox}\]}

%\lstdefinelanguage{matita-ocaml}
%  {keywords={definition,coercion,lemma,theorem,remark,inductive,record,qed,let,in,rec,match,return,with,Type,try,on,to},
%   morekeywords={[2]whd,normalize,elim,cases,destruct},
%   morekeywords={[3]type,of,val,assert,let,function},
%   mathescape=true,
%  }
%\lstset{language=matita-ocaml,basicstyle=\footnotesize\tt,columns=flexible,breaklines=false,
%        keywordstyle=\bfseries, %\color{red}\bfseries,
%        keywordstyle=[2]\bfseries, %\color{blue},
%        keywordstyle=[3]\bfseries, %\color{blue}\bfseries,
%%        commentstyle=\color{green},
%%        stringstyle=\color{blue},
%        showspaces=false,showstringspaces=false}
%\DeclareUnicodeCharacter{8797}{:=}
%\DeclareUnicodeCharacter{8797}{:=}
%\DeclareUnicodeCharacter{10746}{++}
%\DeclareUnicodeCharacter{9001}{\ensuremath{\langle}}
%\DeclareUnicodeCharacter{9002}{\ensuremath{\rangle}}

%\lstset{
%  extendedchars=false,
%  inputencoding=utf8x,
%  tabsize=1
%}

\renewcommand{\verb}{\lstinline}
\def\lstlanguagefiles{lst-grafite.tex}
\lstset{language=Grafite}

\title{On the correctness of an assembler for the Intel MCS-51 microprocessor}
\author{Jaap Boender \and Dominic P. Mulligan \and Claudio Sacerdoti Coen}
\institute{Dipartimento di Scienze dell'Informazione, Universit\'a di Bologna}

\bibliographystyle{splncs03}

\begin{document}

\maketitle

\begin{abstract}
We consider the formalisation of an assembler for the Intel MCS-51 8-bit microprocessor in the Matita proof assistant.
This formalisation forms a major component of the EU-funded CerCo project, concering the construction and formalisation of a concrete complexity preserving compiler for a large subset of the C programming language.
...
\end{abstract}

% ---------------------------------------------------------------------------- %
% SECTION                                                                      %
% ---------------------------------------------------------------------------- %
\section{Introduction}
\label{sect.introduction}

We consider the formalisation of an assembler for the Intel MCS-51 8-bit microprocessor in the Matita proof assistant~\cite{asperti:user:2007}.
This formalisation forms a major component of the EU-funded CerCo project~\cite{cerco:2011}, concering the construction and formalisation of a concrete complexity preserving compiler for a large subset of the C programming language.

The MCS-51 dates from the early 1980s and commonly called the 8051/8052.
Despite the microprocessor's age, derivatives are still widely manufactured by a number of semiconductor foundries.
As a result the processor is widely used, especially in embedded systems development, where well-tested, cheap, predictable microprocessors find their niche.

The MCS-51 has a relative paucity of features compared to its more modern brethren.
In particular, the MCS-51 does not possess a cache or any instruction pipelining that would make predicting the concrete cost of executing a single instruction an involved process.
Instead, each semiconductor foundry that produces an MCS-51 derivative is able to provide accurate timing information in clock cycles for each instruction in their derivative's instruction set.
It is important to stress that this timing information, unlike in more sophisticated processors, is not an estimate, it is a definition.
For the MCS-51, if a manufacturer states that a particular opcode takes three clock cycles to execute, then that opcode \emph{always} takes three clock cycles to execute.

This predicability of timing information is especially attractive to the CerCo consortium.
We are in the process of constructing a certified, concrete complexity compiler for a realistic processor, and not for building and formalising the worst case execution time (WCET) tools that would be necessary to achieve the same result with, for example, a modern ARM or PowerPC microprocessor.

However, the MCS-51's paucity of features is a double edged sword.
In particular, the MCS-51 features relatively miniscule memory spaces (including read-only code memory, stack and internal/external random access memory) by modern standards.
As a result our compiler, to have any sort of hope of successfully compiling realistic C programs, ought to produce `tight' machine code.
This is not simple.

We here focus on a single issue in the MCS-51's instruction set: unconditional jumps.
The MCS-51 features three conditional jump instructions: \texttt{LJMP} and \texttt{SJMP}---`long jump' and `short jump' respectively---and an 11-bit oddity of the MCS-51, \texttt{AJMP}, that the prototype CerCo compiler~\cite{cerco-report-code:2011} ignores for simplicity's sake.\footnote{Ignoring \texttt{AJMP} and its analogue \texttt{ACALL} is not idiosyncratic.  The Small Device C Compiler (SDCC)~\cite{sdcc:2011}, the leading open source C compiler for the MCS-51, also seemingly does not produce \texttt{AJMP} and \texttt{ACALL} instructions.  Their utility in a modern context remains unclear.}
Each of these three instructions expects arguments in different sizes and behaves in different ways.
\texttt{SJMP} may only perform a `local jump' whereas \texttt{LJMP} may jump to any address in the MCS-51's memory space.
Consequently, the size of each opcode is different, and to squeeze as much code as possible into the MCS-51's limited code memory, the smallest possible opcode should be selected.

The prototype CerCo C compiler does not attempt to select the smallest jump opcode in this manner, as this was thought to unneccessarily complicate the compilation chain.
Instead, the compiler targets an assembly language, complete with pseudoinstructions including bespoke \texttt{Jmp} and \texttt{Call} instructions.
Labels, conditional jumps to labels, a program preamble containing global data and a \texttt{MOV} instruction for moving this global data into the MCS-51's one 16-bit register also feature.
This latter feature will ease any later consideration of separate compilation in the CerCo compiler.
An assembler is used to expand pseudoinstructions into MCS-51 machine code.

However, this assembly process is not trivial, for numerous reasons.
For example, our conditional jumps to labels behave differently from their machine code counterparts.
At the machine code level, conditional jumps may only jump to a relative offset, expressed in a byte, of the current program counter, limiting their range.
However, at the assembly level, conditional jumps may jump to a label that appears anywhere in the program, significantly liberalising the use of conditional jumps and further simplifying the design of the CerCo compiler.

Further, trying to na\"ively relate assembly programs with their machine code counterparts simply does not work.
Machine code programs that fetch from code memory and programs that combine the program counter with constant shifts do not make sense at the assembly level.
More generally, memory addresses can only be compared with other memory addresses.
However, checking that memory addresses are only compared against each other at the assembly level is in fact undecidable.
In short, the full preservation of the semantics of the two languages is impossible.

Yet more complications are added by the peculiarities of the CerCo project itself.
As mentioned, the CerCo consortium is in the business of constructing a verified compiler for the C programming language.
However, unlike CompCert~\cite{compcert:2011,leroy:formal:2009,leroy:formally:2009}---which currently represents the state of the art for `industrial grade' verified compilers---CerCo considers not just the \emph{intensional correctness} of the compiler, but also its \emph{extensional correctness}.
That is, CompCert focusses solely on the preservation of the \emph{meaning} of a program during the compilation process, guaranteeing that the program's meaning does not change as it is gradually transformed into assembly code.
However in any realistic compiler (even the CompCert compiler!) there is no guarantee that the program's time properties are preserved during the compilation process; a compiler's `optimisations' could, in theory, even conspire to degrade the concrete complexity of certain classes of programs.
CerCo aims to expand the current state of the art by producing a compiler where this temporal degradation is guaranteed not to happen.

In order to achieve this CerCo imposes a cost model on programs, or more specifically, on simple blocks of instructions.
This cost model is induced by the compilation process itself, and its non-compositional nature allows us to assign different costs to identical blocks of instructions depending on how they are compiled.
In short, we aim to obtain a very precise costing for a program by embracing the compilation process, not ignoring it.
This, however, complicates the proof of correctness for the compiler proper: for every translation pass from intermediate language to intermediate language, we must prove that not only has the meaning of a program been preserved, but also its complexity characteristics.
This also applies for the translation from assembly language to machine code.

How do we assign a cost to a pseudoinstruction?
As mentioned, conditional jumps at the assembly level can jump to a label appearing anywhere in the program.
However, at the machine code level, conditional jumps are limited to jumping `locally', using a measly byte offset.
To translate a jump to a label, a single conditional jump pseudoinstruction may be translated into a block of three real instructions, as follows (here, \texttt{JZ} is `jump if accumulator is zero'):
\begin{displaymath}
\begin{array}{r@{\quad}l@{\;\;}l@{\qquad}c@{\qquad}l@{\;\;}l}
       & \mathtt{JZ}  & label                      &                 & \mathtt{JZ}   & \text{size of \texttt{SJMP} instruction} \\
       & \ldots       &                            & \text{translates to}   & \mathtt{SJMP} & \text{size of \texttt{LJMP} instruction} \\
label: & \mathtt{MOV} & \mathtt{A}\;\;\mathtt{B}   & \Longrightarrow & \mathtt{LJMP} & \text{address of \textit{label}} \\
       &              &                            &                 & \ldots        & \\
       &              &                            &                 & \mathtt{MOV}  & \mathtt{A}\;\;\mathtt{B}
\end{array}
\end{displaymath}
In the translation, if \texttt{JZ} fails, we fall through to the \texttt{SJMP} which jumps over the \texttt{LJMP}.
Naturally, if \textit{label} is close enough, a conditional jump pseudoinstruction is mapped directly to a conditional jump machine instruction; the above translation only applies if \textit{label} is not sufficiently local.
This leaves the problem, addressed below, of calculating whether a label is indeed `close enough' for the simpler translation to be used.

Crucially, the above translation demonstrates the difficulty in predicting how many clock cycles a pseudoinstruction will take to execute.
A conditional jump may be mapped to a single machine instruction or a block of three.
Perhaps more insidious, the number of cycles needed to execute the instructions in the two branches of a translated conditional jump may be different.
Depending on the particular MCS-51 derivative at hand, an \texttt{SJMP} could in theory take a different number of clock cycles to execute than an \texttt{LJMP}.
These issues must also be dealt with in order to prove that the translation pass preserves the concrete complexity of the code.

The question remains: how do we decide whether to expand a jump into an \texttt{SJMP} or an \texttt{LJMP}?
To understand why this problem is not trivial, consider the following snippet of assembly code:
\begin{displaymath}
\text{dpm: finish me}
\end{displaymath}

As our example shows, given an occurence $l$ of an \texttt{LJMP} instruction, it may be possible to shrink $l$ to an occurence of an \texttt{SJMP} providing we can shrink any \texttt{LJMP}s that exist between $l$ and its target location.
However, shrinking these \texttt{LJMP}s may in turn depend on shrinking $l$ to an \texttt{SJMP}, as it is perfectly possible to jump backwards.
In short, unless we can somehow break this loop of circularity, and similar knotty configurations of jumps, we are stuck with a suboptimal solution to the expanding jumps problem.

How we went about resolving this problem affected the shape of our proof of correctness for the whole assembler in a rather profound way.
We first attempted to synthesize a solution bottom up: starting with no solution, we gradually refine a solution using the same functions that implement the jump expansion.
Using this technique, solutions can fail to exist, and the proof quickly descends into a diabolical quagmire.

Abandoning this attempt, we instead split the `policy'---the decision over how any particular jump should be expanded---from the implementation that actually expands assembly programs into machine code.
Assuming the existence of a correct policy, we proved the implementation of the assembler correct.
Further, we proved that the assembler fails to assemble an assembly program if and only if a correct policy does not exist.
Policies do not exist in only a limited number of circumstances: namely, if a pseudoinstruction attempts to jump to a label that does not exist, or the program is too large to fit in code memory.
The first case would constitute a serious compiler error, and hopefully certifying the rest of the compiler would rule this possibility out.
The second case is unavoidable---certified compiler or not, trying to load a huge program into a small code memory will break \emph{something}.

The rest of this paper is a detailed description of this proof.

% ---------------------------------------------------------------------------- %
% SECTION                                                                      %
% ---------------------------------------------------------------------------- %
\subsection{Overview of the paper}
\label{subsect.overview.of.the.paper}
In Section~\ref{sect.matita} we provide a brief overview of the Matita proof assistant for the unfamiliar reader.
In Section~\ref{sect.the.proof} we discuss the design and implementation of the proof proper.
In Section~\ref{sect.conclusions} we conclude.

% ---------------------------------------------------------------------------- %
% SECTION                                                                      %
% ---------------------------------------------------------------------------- %
\section{Matita}
\label{sect.matita}


% ---------------------------------------------------------------------------- %
% SECTION                                                                      %
% ---------------------------------------------------------------------------- %
\section{The proof}
\label{sect.the.proof}

  \begin{itemize}
   \item use of dependent types to throw away wrong programs that would made
    the statement for completeness complex. E.g. misuse of addressing modes,
    jumps to non existent labels, etc.
   \item try to go for small reflection; avoid inductive predicates that require
    tactics (inversion, etc.) that do not work well with dependent types; small
    reflection usually does
   \item use coercions to simulate Russell; mix together the proof styles
    a la Russell (for situations with heavy dependent types) and the standard
    one
  \end{itemize}

\begin{lstlisting}
 definition execute_1_pseudo_instruction: PseudoStatus → PseudoStatus
\end{lstlisting}

\begin{lstlisting}
 definition execute: nat → Status → Status
\end{lstlisting}

\begin{lstlisting}
inductive jump_length: Type[0] ≝
  | short_jump: jump_length
  | medium_jump: jump_length
  | long_jump: jump_length.

definition jump_expansion_policy ≝ BitVectorTrie jump_length 16.
\end{lstlisting}

\begin{lstlisting}
definition policy_ok := λpolicy.λp. sigma_safe policy p <> None ....
\end{lstlisting}

\begin{lstlisting}
definition sigma:
 ∀p:pseudo_assembly_program.
  ∀policy. policy_ok policy p. Word → Word
\end{lstlisting}

\begin{lstlisting}
axiom low_internal_ram_of_pseudo_low_internal_ram:
 ∀M:internal_pseudo_address_map.∀ram:BitVectorTrie Byte 7.BitVectorTrie Byte 7.
\end{lstlisting}

CSC: no option using policy 
\begin{lstlisting}
definition status_of_pseudo_status:
 internal_pseudo_address_map → PseudoStatus → option Status
\end{lstlisting}

\begin{lstlisting}
definition next_internal_pseudo_address_map0:
 internal_pseudo_address_map → PseudoStatus → option internal_pseudo_address_map
\end{lstlisting}

CSC: no 2nd, 3rd options using policy 
\begin{lstlisting}
 ∀M,M',ps,s,s''.
  next_internal_pseudo_address_map M ps = Some ... M' →
  status_of_pseudo_status M ps = Some ... s →
  status_of_pseudo_status M' (execute_1_pseudo_instruction (ticks_of (code_memory ... ps)) ps) = Some ... s'' →
   ∃n. execute n s = s''.
\end{lstlisting}

CSC: no options using policy 
\begin{lstlisting}
lemma fetch_assembly_pseudo2:
 ∀program,assembled,costs,labels.
  Some ... LANGLElabels,costsRANGLE = build_maps program →
  Some ... LANGLEassembled,costsRANGLE = assembly program →
   ∀ppc.
    let code_memory ≝ load_code_memory assembled in
    let preamble ≝ \fst program in
    let data_labels ≝ construct_datalabels preamble in
    let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
    let lookup_datalabels ≝ λx. lookup ? ? x data_labels (zero ?) in
    let expansion ≝ jump_expansion ppc program in
    let LANGLEpi,newppcRANGLE ≝ fetch_pseudo_instruction (\snd program) ppc in
     ∃instructions.
      Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (sigma program ppc) expansion pi ∧
       fetch_many code_memory (sigma program newppc) (sigma program ppc) instructions.
\end{lstlisting}

\begin{lstlisting}
 definition expand_pseudo_instruction:
  ∀lookup_labels.∀lookup_datalabels.∀pc.∀policy_decision. (sigma program ppc) expansion. pseudo_instruciton -> list instruction.
\end{lstlisting}

\begin{lstlisting}
axiom assembly_ok_to_expand_pseudo_instruction_ok:
 ∀program,assembled,costs.
  Some ... LANGLEassembled,costsRANGLE = assembly program →
   ∀ppc.
    let code_memory ≝ load_code_memory assembled in
    let preamble ≝ \fst program in   
    let data_labels ≝ construct_datalabels preamble in
    let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
    let lookup_datalabels ≝ λx. lookup ? ? x data_labels (zero ?) in
    let expansion ≝ jump_expansion ppc program in
    let LANGLEpi,newppcRANGLE ≝ fetch_pseudo_instruction (\snd program) ppc in
     ∃instructions.
      Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (sigma program ppc) expansion pi.
\end{lstlisting}

\begin{lstlisting}
axiom assembly_ok:
 ∀program,assembled,costs,labels.
  Some ... LANGLElabels,costsRANGLE = build_maps program →
  Some ... LANGLEassembled,costsRANGLE = assembly program →
  let code_memory ≝ load_code_memory assembled in
  let preamble ≝ \fst program in
  let datalabels ≝ construct_datalabels preamble in
  let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
  let lookup_datalabels ≝ λx. lookup ?? x datalabels (zero ?) in
   ∀ppc,len,assembledi.
    let LANGLEpi,newppcRANGLE ≝ fetch_pseudo_instruction (\snd program) ppc in
     Some ... LANGLElen,assemblediRANGLE = assembly_1_pseudoinstruction program ppc (sigma program ppc) lookup_labels lookup_datalabels pi →
      encoding_check code_memory (sigma program ppc) (bitvector_of_nat ... (nat_of_bitvector ... (sigma program ppc) + len)) assembledi ∧
       sigma program newppc = bitvector_of_nat ... (nat_of_bitvector ... (sigma program ppc) + len).
\end{lstlisting}

\begin{lstlisting}
lemma fetch_assembly_pseudo:
 ∀program,ppc,lookup_labels,lookup_datalabels.
  ∀pi,code_memory,len,assembled,instructions,pc.
   let expansion ≝ jump_expansion ppc program in
   Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (bitvector_of_nat ? pc) expansion pi →
    Some ... LANGLElen,assembledRANGLE = assembly_1_pseudoinstruction program ppc (bitvector_of_nat ? pc) lookup_labels lookup_datalabels pi →
     encoding_check code_memory (bitvector_of_nat ... pc) (bitvector_of_nat ... (pc + len)) assembled →
      fetch_many code_memory (bitvector_of_nat ... (pc + len)) (bitvector_of_nat ... pc) instructions.
\end{lstlisting}

\begin{lstlisting}
theorem fetch_assembly:
  ∀pc,i,code_memory,assembled.
    assembled = assembly1 i →
      let len ≝ length ... assembled in
      encoding_check code_memory (bitvector_of_nat ... pc) (bitvector_of_nat ... (pc + len)) assembled →
      let fetched ≝ fetch code_memory (bitvector_of_nat ... pc) in
      let LANGLEinstr_pc, ticksRANGLE ≝ fetched in
      let LANGLEinstr,pc'RANGLE ≝ instr_pc in
       (eq_instruction instr i ∧ eqb ticks (ticks_of_instruction instr) ∧ eq_bv ... pc' (bitvector_of_nat ... (pc + len))) = true.
\end{lstlisting}

% ---------------------------------------------------------------------------- %
% SECTION                                                                      %
% ---------------------------------------------------------------------------- %
\section{Conclusions}
\label{sect.conclusions}

\subsection{Use of dependent types and Russell}
\label{subsect.use.of.dependent.types.and.Russell}

Our formalisation makes sparing use of dependent types.
In certain datastructures, such as tries and vectors, they are used to guarantee invariants.
However, we have currently shyed away from making extensive use of dependent types and inductive predicates in the proof of correctness for the assembler itself.
This is because complex dependent types and inductive predicates tend not to co\"operate particularly well with tactics such as inversion.

However, there are certain cases where the use of dependent types is unavoidable.
For instance, when proving that the \texttt{build\_maps} function is correct, a function that collates the cost and data labels of an assembly program into map datastructures.
In cases such as these we make use of Matita's implementation of Russell~\cite{}.

\subsection{Related work}
\label{subsect.related.work}

\bibliography{cpp-2011.bib}

\end{document}