source: src/ASM/CPP2011/cpp-2011.tex @ 973

Last change on this file since 973 was 973, checked in by mulligan, 9 years ago

work from yesterday that could not be committed

File size: 30.1 KB
25        {\setlength{\fboxsep}{5pt}
26                \setlength{\mylength}{\linewidth}%
27                \addtolength{\mylength}{-2\fboxsep}%
28                \addtolength{\mylength}{-2\fboxrule}%
29                \Sbox
30                \minipage{\mylength}%
31                        \setlength{\abovedisplayskip}{0pt}%
32                        \setlength{\belowdisplayskip}{0pt}%
33                }%
34                {\endminipage\endSbox
35                        \[\fbox{\TheSbox}\]}
37\title{On the correctness of an assembler for the Intel MCS-51 microprocessor}
38\author{Jaap Boender \and Dominic P. Mulligan \and Claudio Sacerdoti Coen}
39\institute{Dipartimento di Scienze dell'Informazione, Universit\'a di Bologna}
48We consider the formalisation of an assembler for the Intel MCS-51 8-bit microprocessor in the Matita proof assistant.
49This formalisation forms a major component of the EU-funded CerCo project, concering the construction and formalisation of a concrete complexity preserving compiler for a large subset of the C programming language.
53% ---------------------------------------------------------------------------- %
54% SECTION                                                                      %
55% ---------------------------------------------------------------------------- %
59We consider the formalisation of an assembler for the Intel MCS-51 8-bit microprocessor in the Matita proof assistant~\cite{asperti:user:2007}.
60This formalisation forms a major component of the EU-funded CerCo project~\cite{cerco:2011}, concering the construction and formalisation of a concrete complexity preserving compiler for a large subset of the C programming language.
62The MCS-51 dates from the early 1980s and commonly called the 8051/8052.
63Despite the microprocessor's age, derivatives are still widely manufactured by a number of semiconductor foundries.
64As a result the processor is widely used, especially in embedded systems development, where well-tested, cheap, predictable microprocessors find their niche.
66The MCS-51 has a relative paucity of features compared to its more modern brethren.
67In particular, the MCS-51 does not possess a cache or any instruction pipelining that would make predicting the concrete cost of executing a single instruction an involved process.
68Instead, each semiconductor foundry that produces an MCS-51 derivative is able to provide accurate timing information in clock cycles for each instruction in their derivative's instruction set.
69It is important to stress that this timing information, unlike in more sophisticated processors, is not an estimate, it is a definition.
70For the MCS-51, if a manufacturer states that a particular opcode takes three clock cycles to execute, then that opcode \emph{always} takes three clock cycles to execute.
72This predicability of timing information is especially attractive to the CerCo consortium.
73We are in the process of constructing a certified, concrete complexity compiler for a realistic processor, and not for building and formalising the worst case execution time (WCET) tools that would be necessary to achieve the same result with, for example, a modern ARM or PowerPC microprocessor.
75However, the MCS-51's paucity of features is a double edged sword.
76In particular, the MCS-51 features relatively miniscule memory spaces (including read-only code memory, stack and internal/external random access memory) by modern standards.
77As a result our compiler, to have any sort of hope of successfully compiling realistic C programs, ought to produce `tight' machine code.
78This is not simple.
80We here focus on a single issue in the MCS-51's instruction set: unconditional jumps.
81The MCS-51 features three conditional jump instructions: \texttt{LJMP} and \texttt{SJMP}---`long jump' and `short jump' respectively---and an 11-bit oddity of the MCS-51, \texttt{AJMP}, that the prototype CerCo compiler~\cite{cerco-report-code:2011} ignores for simplicity's sake.\footnote{Ignoring \texttt{AJMP} and its analogue \texttt{ACALL} is not idiosyncratic.  The Small Device C Compiler (SDCC)~\cite{sdcc:2011}, the leading open source C compiler for the MCS-51, also seemingly does not produce \texttt{AJMP} and \texttt{ACALL} instructions.  Their utility in a modern context remains unclear.}
82Each of these three instructions expects arguments in different sizes and behaves in different ways.
83\texttt{SJMP} may only perform a `local jump' whereas \texttt{LJMP} may jump to any address in the MCS-51's memory space.
84Consequently, the size of each opcode is different, and to squeeze as much code as possible into the MCS-51's limited code memory, the smallest possible opcode should be selected.
86The prototype CerCo C compiler does not attempt to select the smallest jump opcode in this manner, as this was thought to unneccessarily complicate the compilation chain.
87Instead, the compiler targets an assembly language, complete with pseudoinstructions including bespoke \texttt{Jmp} and \texttt{Call} instructions.
88Labels, conditional jumps to labels, a program preamble containing global data and a \texttt{MOV} instruction for moving this global data into the MCS-51's one 16-bit register also feature.
89This latter feature will ease any later consideration of separate compilation in the CerCo compiler.
90An assembler is used to expand pseudoinstructions into MCS-51 machine code.
92However, this assembly process is not trivial, for numerous reasons.
93For example, our conditional jumps to labels behave differently from their machine code counterparts.
94At the machine code level, conditional jumps may only jump to a relative offset, expressed in a byte, of the current program counter, limiting their range.
95However, at the assembly level, conditional jumps may jump to a label that appears anywhere in the program, significantly liberalising the use of conditional jumps and further simplifying the design of the CerCo compiler.
97Further, trying to na\"ively relate assembly programs with their machine code counterparts simply does not work.
98Machine code programs that fetch from code memory and programs that combine the program counter with constant shifts do not make sense at the assembly level.
99More generally, memory addresses can only be compared with other memory addresses.
100However, checking that memory addresses are only compared against each other at the assembly level is in fact undecidable.
101In short, the full preservation of the semantics of the two languages is impossible.
103Yet more complications are added by the peculiarities of the CerCo project itself.
104As mentioned, the CerCo consortium is in the business of constructing a verified compiler for the C programming language.
105However, unlike CompCert~\cite{compcert:2011,leroy:formal:2009,leroy:formally:2009}---which currently represents the state of the art for `industrial grade' verified compilers---CerCo considers not just the \emph{intensional correctness} of the compiler, but also its \emph{extensional correctness}.
106That is, CompCert focusses solely on the preservation of the \emph{meaning} of a program during the compilation process, guaranteeing that the program's meaning does not change as it is gradually transformed into assembly code.
107However in any realistic compiler (even the CompCert compiler!) there is no guarantee that the program's time properties are preserved during the compilation process; a compiler's `optimisations' could, in theory, even conspire to degrade the concrete complexity of certain classes of programs.
108CerCo aims to expand the current state of the art by producing a compiler where this temporal degradation is guaranteed not to happen.
110In order to achieve this CerCo imposes a cost model on programs, or more specifically, on simple blocks of instructions.
111This cost model is induced by the compilation process itself, and its non-compositional nature allows us to assign different costs to identical blocks of instructions depending on how they are compiled.
112In short, we aim to obtain a very precise costing for a program by embracing the compilation process, not ignoring it.
113This, however, complicates the proof of correctness for the compiler proper: for every translation pass from intermediate language to intermediate language, we must prove that not only has the meaning of a program been preserved, but also its complexity characteristics.
114This also applies for the translation from assembly language to machine code.
116How do we assign a cost to a pseudoinstruction?
117As mentioned, conditional jumps at the assembly level can jump to a label appearing anywhere in the program.
118However, at the machine code level, conditional jumps are limited to jumping `locally', using a measly byte offset.
119To translate a jump to a label, a single conditional jump pseudoinstruction may be translated into a block of three real instructions, as follows (here, \texttt{JZ} is `jump if accumulator is zero'):
122       & \mathtt{JZ}  & label                      &                 & \mathtt{JZ}   & \text{size of \texttt{SJMP} instruction} \\
123       & \ldots       &                            & \text{translates to}   & \mathtt{SJMP} & \text{size of \texttt{LJMP} instruction} \\
124label: & \mathtt{MOV} & \mathtt{A}\;\;\mathtt{B}   & \Longrightarrow & \mathtt{LJMP} & \text{address of \textit{label}} \\
125       &              &                            &                 & \ldots        & \\
126       &              &                            &                 & \mathtt{MOV}  & \mathtt{A}\;\;\mathtt{B}
129In the translation, if \texttt{JZ} fails, we fall through to the \texttt{SJMP} which jumps over the \texttt{LJMP}.
130Naturally, if \textit{label} is close enough, a conditional jump pseudoinstruction is mapped directly to a conditional jump machine instruction; the above translation only applies if \textit{label} is not sufficiently local.
131This leaves the problem, addressed below, of calculating whether a label is indeed `close enough' for the simpler translation to be used.
133Crucially, the above translation demonstrates the difficulty in predicting how many clock cycles a pseudoinstruction will take to execute.
134A conditional jump may be mapped to a single machine instruction or a block of three.
135Perhaps more insidious, the number of cycles needed to execute the instructions in the two branches of a translated conditional jump may be different.
136Depending on the particular MCS-51 derivative at hand, an \texttt{SJMP} could in theory take a different number of clock cycles to execute than an \texttt{LJMP}.
137These issues must also be dealt with in order to prove that the translation pass preserves the concrete complexity of the code.
139The question remains: how do we decide whether to expand a jump into an \texttt{SJMP} or an \texttt{LJMP}?
140To understand why this problem is not trivial, consider the following snippet of assembly code:
142\text{dpm: finish me}
145As our example shows, given an occurence $l$ of an \texttt{LJMP} instruction, it may be possible to shrink $l$ to an occurence of an \texttt{SJMP} providing we can shrink any \texttt{LJMP}s that exist between $l$ and its target location.
146However, shrinking these \texttt{LJMP}s may in turn depend on shrinking $l$ to an \texttt{SJMP}, as it is perfectly possible to jump backwards.
147In short, unless we can somehow break this loop of circularity, and similar knotty configurations of jumps, we are stuck with a suboptimal solution to the expanding jumps problem.
149How we went about resolving this problem affected the shape of our proof of correctness for the whole assembler in a rather profound way.
150We first attempted to synthesize a solution bottom up: starting with no solution, we gradually refine a solution using the same functions that implement the jump expansion.
151Using this technique, solutions can fail to exist, and the proof quickly descends into a diabolical quagmire.
153Abandoning this attempt, we instead split the `policy'---the decision over how any particular jump should be expanded---from the implementation that actually expands assembly programs into machine code.
154Assuming the existence of a correct policy, we proved the implementation of the assembler correct.
155Further, we proved that the assembler fails to assemble an assembly program if and only if a correct policy does not exist.
156Policies do not exist in only a limited number of circumstances: namely, if a pseudoinstruction attempts to jump to a label that does not exist, or the program is too large to fit in code memory.
157The first case would constitute a serious compiler error, and hopefully certifying the rest of the compiler would rule this possibility out.
158The second case is unavoidable---certified compiler or not, trying to load a huge program into a small code memory will break \emph{something}.
160The rest of this paper is a detailed description of this proof.
162% ---------------------------------------------------------------------------- %
163% SECTION                                                                      %
164% ---------------------------------------------------------------------------- %
165\subsection{Overview of the paper}
167In Section~\ref{sect.matita} we provide a brief overview of the Matita proof assistant for the unfamiliar reader.
168In Section~\ref{sect.the.proof} we discuss the design and implementation of the proof proper.
169In Section~\ref{sect.conclusions} we conclude.
171% ---------------------------------------------------------------------------- %
172% SECTION                                                                      %
173% ---------------------------------------------------------------------------- %
177Matita is a proof assistant based on the (Co)inductive Calculus of Constructions~\cite{asperti:user:2007}.
178For those familiar with Coq, Matita's syntax and mode of operation should be entirely familiar.
179We take time here to explain one of Matita's syntactic idiosyncracies, however.
180The use of `$\mathtt{\ldots}$' or `$\mathtt{?}$' in an argument position denotes a type to be inferred automatically by unification.
181The use of `$\mathtt{?}$' in the body of a definition, lemma or axiom denotes an incomplete term that is to be closed, by hand, using tactics.
183% ---------------------------------------------------------------------------- %
184% SECTION                                                                      %
185% ---------------------------------------------------------------------------- %
186\section{The proof}
189\subsection{The assembler and semantics of machine code}
192The formalisation in Matita of the semantics of MCS-51 machine code is described in~\cite{mulligan:executable:2011}.
193We merely describe enough here to understand the rest of the proof.
195At heart, the MCS-51 emulator centres around a \texttt{Status} record, describing the current state of the microprocessor.
196This record contains fields corresponding to the microprocessor's program counter, special function registers, and so on.
197At the machine code level, code memory is implemented as a trie of bytes, addressed by the program counter.
198Machine code programs are loaded into \texttt{Status} using the \texttt{load\_code\_memory} function.
200We may execut a single step of a machine code program using the \texttt{execute\_1} function, which returns an updated \texttt{Status}:
202definition execute_1: Status $\rightarrow$ Status := $\ldots$
204The function \texttt{execute} allows one to execute an arbitrary, but fixed (due to Matita's normalisation requirement!) number of steps of a program.
206Naturally, assembly programs have analogues.
207The counterpart of the \texttt{Status} record is \texttt{PseudoStatus}.
208Instead of code memory being implemented as tries of bytes, code memory is here implemented as lists of pseudoinstructions, and program counters are merely indices into this list.
209Our analogue of \texttt{execute\_1} is \texttt{execute\_1\_pseudo\_instruction}:
211definition execute_1_pseudo_instruction: (Word $\rightarrow$ nat $\times$ nat) $\rightarrow$
212                                         PseudoStatus $\rightarrow$ PseudoStatus := $\ldots$
214Notice, here, that the emulation function for pseudoprograms takes an additional argument.
215This is a function that maps program counters (for the pseudoprogram) to pairs of natural numbers representing the number of clock ticks that the pseudoinstruction needs to execute, post expansion.
216We call this function a \emph{costing}, and note that the costing is induced by the particular strategy we use to expand pseudoinstructions.
217If we change how we expand conditional jumps to labels, for instance, then the costing needs to change, hence \texttt{execute\_1\_pseudo\_instruction}'s parametricity in the costing.
219The costing returns \emph{pairs} of natural numbers because, in the case of expanding conditional jumps to labels, the expansion of the `true branch' and `false branch' may differ in the number of clock ticks needed for execution.
220This timing information is used inside \texttt{execute\_1\_pseudo\_instruction} to update the clock of the \texttt{PseudoStatus}.
221During the proof of correctness of the assembler we relate the clocks of \texttt{Status}es and \texttt{PseudoStatus}es.
223The assembler, mapping programs consisting of lists of pseudoinstructions to lists of bytes, operates in a mostly straightforward manner.
224To a degree of approximation, the assembler on an assembly program, consisting of $n$ pseudoinstructions $\mathtt{P_i}$ for $1 \leq i \leq n$, works as in the following diagram:
226[\mathtt{P_1}, \ldots \mathtt{P_n}] \xrightarrow{\left(\mathtt{P_i} \xrightarrow{\mbox{\fontsize{7}{9}\selectfont$\mathtt{expand}$}} \mathtt{[I_1^i, \ldots I^q_i]} \xrightarrow{\mbox{\fontsize{7}{9}\selectfont$\mathtt{assembly1}^*$}} \mathtt{[0110]}\right)^{*}} \mathtt{[010101]}
229Here $\mathtt{I^i_j}$ for $1 \leq j \leq q$ are the $q$ machine code instructions obtained by expanding, with \texttt{expand\_pseudo\_instruction}, a single pseudoinstruction.
230Each machine code instruction $\mathtt{I^i_j}$ is then assembled, using the \texttt{assembly1} function, into a list of bytes.
231This process is iterated for each pseudoinstruction, before the lists are flattened into a single bit list representation of the original assembly program.
233% ---------------------------------------------------------------------------- %
234% SECTION                                                                      %
235% ---------------------------------------------------------------------------- %
239Policies exist to dictate how conditional and unconditional jumps at the assembly level should be expanded into machine code instructions.
240Using policies, we are able to completely decouple the decision over how jumps are expanded with the act of expansion, simplifying our proofs.
241As mentioned, the MCS-51 instruction set includes three different jump instructions: \texttt{SJMP}, \texttt{AJMP} and \texttt{LJMP}; call these `short', `medium' and `long' jumps, respectively:
243inductive jump_length: Type[0] :=
244  | short_jump: jump_length
245  | medium_jump: jump_length
246  | long_jump: jump_length.
248A \texttt{jump\_expansion\_policy} is a map from \texttt{Word}s to \texttt{jump\_length}s, implemented as a trie.
249Intuitively, a policy maps positions in a program (indexed using program counters implemented as \texttt{Word}s) to a particular variety of jump.
251definition jump_expansion_policy := BitVectorTrie jump_length 16.
253Next, we require a series of `sigma' functions.
254These functions map assembly program counters to their machine code counterparts, establishing the correspondence between `positions' in an assembly program and `positions' in a machine code program.
255At the heart of this process is \texttt{sigma0} which traverses an assembly program building maps from program counter to program counter.
256This function fails if and only if an internal call to \texttt{assembly\_1\_pseudoinstruction} fails:
258definition sigma0:
259  pseudo_assembly_program $\rightarrow$ option (nat $\times$ (nat $\times$ (BitVectorTrie Word 16))) := $\ldots$
261We eventually lift this to functions from program counters to program counters:
263definition sigma_safe:
264  pseudo_assembly_program $\rightarrow$ option (Word $\rightarrow$ Word) := $\ldots$
266Now, it's possible to define what a `good policy' is i.e. one that does not cause \texttt{sigma\_safe} to fail.
267As mentioned, \texttt{sigma\_safe} can only fail if an assembly program fails to be assembled:
269definition policy_ok := $\lambda$p. sigma_safe p $\neq$ None $\ldots$.
271Finally, we obtain \texttt{sigma}, a map from program counters to program counters, which is guranteed not to fail as we internally provide a that
273definition sigma: pseudo_assembly_program $\rightarrow$ Word $\rightarrow$ Word := $\ldots$
275An \texttt{internal\_pseudo\_address\_map} positions in the memory of a \texttt{PseudoStatus} with a physical memory address.
277definition internal_pseudo_address_map := list (BitVector 8).
279We use \texttt{internal\_pseudo\_address\_map}s to convert the lower internal RAM of a \texttt{PseudoStatus} into the lower internal RAM of a \texttt{Status}.
280Notice, the MCS-51's internal RAM is addressed with a 7-bit `byte'.
281% dpm: ugly English, fix
282The whole of the internal RAM space is addressed with bytes: the first bit is used to distinguish between the programmer addressing low and high internal memory.
284axiom low_internal_ram_of_pseudo_low_internal_ram:
285  internal_pseudo_address_map $\rightarrow$ BitVectorTrie Byte 7 $\rightarrow$ BitVectorTrie Byte 7.
287A similar axiom exists for high internal RAM.
289Next, we are able to translate \texttt{PseudoStatus} records into \texttt{Status} records using \texttt{status\_of\_pseudo\_status}.
290Translating a \texttt{PseudoStatus}'s code memory requires we expand pseudoinstructions and then assemble to obtain a trie of bytes.
291This can fail, as mentioned, in a limited number of situations, related to improper use of labels in an assembly program.
292However, it is possible to `tighten' the type of \texttt{status\_of\_pseudo\_status}, removing the option type, by using the fact that if any `good policy' exists, assembly will never fail.
294definition status_of_pseudo_status:
295 internal_pseudo_address_map → PseudoStatus → option Status
297After fetching an assembly instruction we must update any \texttt{internal\_pseudo\hyp{}\_address\_map}s that may be laying around.
298This is done with the following function:
300definition next_internal_pseudo_address_map:
301 internal_pseudo_address_map $\rightarrow$ PseudoStatus $\rightarrow$ option internal_pseudo_address_map
303Finally, we are able to state and prove our main theorem relating the execution of a single assembly instruction and the execution of (possibly) many machine code instructions:
305lemma main_thm:
306  ∀M,M',ps,s,s''.
307    next_internal_pseudo_address_map M ps = Some ... M' $\rightarrow$
308      status_of_pseudo_status M ps = Some ... s $\rightarrow$
309        status_of_pseudo_status M'
310          (execute_1_pseudo_instruction
311            (ticks_of (code_memory ... ps)) ps) = Some ... s'' $\rightarrow$
312              $\exists$n. execute n s = s''.
314The statement can be given an intuitive reading as follows.
315Suppose our \texttt{PseudoStatus} $ps$ can be successfully converted into a \texttt{Status} $s$.
316Suppose further that, after executing a single assembly instruction and converting the resulting \texttt{PseudoStatus} into a \texttt{Status}, we obtain $s''$, being careful to track the number of ticks executed.
317Then, there exists some number $n$, so that executing $n$ machine code instructions in \texttt{Status} $s$ gives us \texttt{Status} $s''$.
319% ---------------------------------------------------------------------------- %
320% SECTION                                                                      %
321% ---------------------------------------------------------------------------- %
322\subsection{Proof of correctness}
325CSC: no options using policy
327lemma fetch_assembly_pseudo2:
328 ∀program,assembled,costs,labels.
329  Some ... LANGLElabels,costsRANGLE = build_maps program →
330  Some ... LANGLEassembled,costsRANGLE = assembly program →
331   ∀ppc.
332    let code_memory ≝ load_code_memory assembled in
333    let preamble ≝ \fst program in
334    let data_labels ≝ construct_datalabels preamble in
335    let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
336    let lookup_datalabels ≝ λx. lookup ? ? x data_labels (zero ?) in
337    let expansion ≝ jump_expansion ppc program in
338    let LANGLEpi,newppcRANGLE ≝ fetch_pseudo_instruction (\snd program) ppc in
339     ∃instructions.
340      Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (sigma program ppc) expansion pi ∧
341       fetch_many code_memory (sigma program newppc) (sigma program ppc) instructions.
345 definition expand_pseudo_instruction:
346  ∀lookup_labels.∀lookup_datalabels.∀pc.∀policy_decision. (sigma program ppc) expansion. pseudo_instruciton -> list instruction.
350axiom assembly_ok:
351 ∀program,assembled,costs,labels.
352  Some ... LANGLElabels,costsRANGLE = build_maps program →
353  Some ... LANGLEassembled,costsRANGLE = assembly program →
354  let code_memory ≝ load_code_memory assembled in
355  let preamble ≝ \fst program in
356  let datalabels ≝ construct_datalabels preamble in
357  let lookup_labels ≝ λx. sigma program (address_of_word_labels_code_mem (\snd program) x) in
358  let lookup_datalabels ≝ λx. lookup ?? x datalabels (zero ?) in
359   ∀ppc,len,assembledi.
360    let LANGLEpi,newppcRANGLE ≝ fetch_pseudo_instruction (\snd program) ppc in
361     Some ... LANGLElen,assemblediRANGLE = assembly_1_pseudoinstruction program ppc (sigma program ppc) lookup_labels lookup_datalabels pi →
362      encoding_check code_memory (sigma program ppc) (bitvector_of_nat ... (nat_of_bitvector ... (sigma program ppc) + len)) assembledi ∧
363       sigma program newppc = bitvector_of_nat ... (nat_of_bitvector ... (sigma program ppc) + len).
367lemma fetch_assembly_pseudo:
368 ∀program,ppc,lookup_labels,lookup_datalabels.
369  ∀pi,code_memory,len,assembled,instructions,pc.
370   let expansion ≝ jump_expansion ppc program in
371   Some ? instructions = expand_pseudo_instruction lookup_labels lookup_datalabels (bitvector_of_nat ? pc) expansion pi →
372    Some ... LANGLElen,assembledRANGLE = assembly_1_pseudoinstruction program ppc (bitvector_of_nat ? pc) lookup_labels lookup_datalabels pi →
373     encoding_check code_memory (bitvector_of_nat ... pc) (bitvector_of_nat ... (pc + len)) assembled →
374      fetch_many code_memory (bitvector_of_nat ... (pc + len)) (bitvector_of_nat ... pc) instructions.
378theorem fetch_assembly:
379  ∀pc,i,code_memory,assembled.
380    assembled = assembly1 i →
381      let len ≝ length ... assembled in
382      encoding_check code_memory (bitvector_of_nat ... pc) (bitvector_of_nat ... (pc + len)) assembled →
383      let fetched ≝ fetch code_memory (bitvector_of_nat ... pc) in
384      let LANGLEinstr_pc, ticksRANGLE ≝ fetched in
385      let LANGLEinstr,pc'RANGLE ≝ instr_pc in
386       (eq_instruction instr i ∧ eqb ticks (ticks_of_instruction instr) ∧ eq_bv ... pc' (bitvector_of_nat ... (pc + len))) = true.
389% ---------------------------------------------------------------------------- %
390% SECTION                                                                      %
391% ---------------------------------------------------------------------------- %
395  \begin{itemize}
396   \item use of dependent types to throw away wrong programs that would made
397    the statement for completeness complex. E.g. misuse of addressing modes,
398    jumps to non existent labels, etc.
399   \item try to go for small reflection; avoid inductive predicates that require
400    tactics (inversion, etc.) that do not work well with dependent types; small
401    reflection usually does
402   \item use coercions to simulate Russell; mix together the proof styles
403    a la Russell (for situations with heavy dependent types) and the standard
404    one
405  \end{itemize}
407\subsection{Use of dependent types and Russell}
410Our formalisation makes sparing use of dependent types.
411In certain datastructures, such as tries and vectors, they are used to guarantee invariants.
412However, we have currently shyed away from making extensive use of dependent types and inductive predicates in the proof of correctness for the assembler itself.
413This is because complex dependent types and inductive predicates tend not to co\"operate particularly well with tactics such as inversion.
415However, there are certain cases where the use of dependent types is unavoidable.
416For instance, when proving that the \texttt{build\_maps} function is correct, a function that collates the cost and data labels of an assembly program into map datastructures.
417In cases such as these we make use of Matita's implementation of Russell~\cite{}.
419\subsection{Related work}
Note: See TracBrowser for help on using the repository browser.