# Changeset 2083 for src/ASM/CPP2012-asm

Ignore:
Timestamp:
Jun 14, 2012, 5:32:04 PM (8 years ago)
Message:

More work on paper from today.

Location:
src/ASM/CPP2012-asm
Files:
2 edited

### Legend:

Unmodified
 r2069 $\fbox{\TheSbox}$} \title{On the correctness of an assembler for the Intel MCS-51 microprocessor\thanks{The project CerCo acknowledges the financial support of the Future and Emerging Technologies (FET) programme within the Seventh Framework Programme for Research of the European Commission, under FET-Open grant number: 243881}} \title{On the correctness of an optimising assembler for the Intel MCS-51 microprocessor\thanks{The project CerCo acknowledges the financial support of the Future and Emerging Technologies (FET) programme within the Seventh Framework Programme for Research of the European Commission, under FET-Open grant number: 243881}} \author{Dominic P. Mulligan \and Claudio Sacerdoti Coen} \institute{Dipartimento di Scienze dell'Informazione, Universit\'a di Bologna} \begin{abstract} We present a proof of correctness, in the Matita proof assistant, for an optimising assembler for the MCS-51 8-bit microcontroller. This assembler constitutes a major component of the EU's CerCo (Certified Complexity') project. We present a proof of correctness, in Matita, for an optimising assembler for the MCS-51 microcontroller. This assembler constitutes a major component of the EU's CerCo project. The efficient expansion of pseudoinstructions---particularly jumps---into MCS-51 machine instructions is complex. We observe that it is impossible for an optimising assembler to preserve the semantics of every assembly program. Assembly language programs can manipulate concrete addresses in arbitrary ways. Our proof strategy contains a notion of good addresses' and only assembly programs that use good addresses have their semantics preserved under assembly. Our proof strategy contains a tracking facility for good addresses' and only programs that use good addresses have their semantics preserved under assembly. Our strategy offers increased flexibility over the traditional approach of keeping addresses in assembly opaque. In particular, we may experiment with allowing the benign manipulation of addresses. The MCS-51 dates from the early 1980s and is commonly called the 8051/8052. Despite the microprocessor's age, derivatives are still widely manufactured by a number of semiconductor foundries. As a result the processor is widely used, especially in embedded systems development, where well-tested, cheap, predictable microprocessors find their niche. The MCS-51 has a relative paucity of features compared to its more modern brethren, with the lack of any caching or pipelining features means that timing of execution is predictable, making the MCS-51 very attractive for CerCo's ends. Yet, as in most things, what one hand giveth the other taketh away, and the MCS-51's paucity of features---though an advantage in many respects---also quickly becomes a hindrance. Despite the microprocessor's age, derivatives are still widely manufactured by a number of semiconductor foundries, with the processor being used especially in embedded systems development, where well-tested, cheap, predictable microprocessors find their niche. The MCS-51 has a relative paucity of features compared to its more modern brethren, with the lack of any caching or pipelining features meaning that timing of execution is predictable, making the MCS-51 very attractive for CerCo's ends. Yet---as with many things---what one hand giveth, the other taketh away, and the MCS-51's paucity of features---though an advantage in many respects---also quickly becomes a hindrance. In particular, the MCS-51 features a relatively minuscule series of memory spaces by modern standards. As a result our C compiler, to have any sort of hope of successfully compiling realistic programs for embedded devices, ought to produce tight' machine code. In order to do this, we must solve the branch displacement' problem---deciding how best to expand jumps to labels in assembly language to machine code jumps. Clearly a correct but efficient strategy would be to expand all unconditional jumps to the MCS-51's \texttt{LJMP} instruction, and all conditional jumps to a set configuration of jumps using \texttt{LJMP} instructions; this is inefficient. Finding an efficient solution with this expansion process is not trivial, and is a well-known problem for those writing assemblers targetting RISC architectures. Branch displacement is not a simple problem to solve and requires the implementation of an optimising assembler. Labels, conditional jumps to labels, a program preamble containing global data and a \texttt{MOV} instruction for moving this global data into the MCS-51's one 16-bit register all feature in our assembly language. We simplify the process by assuming that all assembly programs are pre-linked (i.e. we do not formalise a linker). The assembler expands pseudoinstructions into MCS-51 machine code, but this assembly process is not trivial, for numerous reasons. For example, our conditional jumps to labels behave differently from their machine code counterparts. At the machine code level, all conditional jumps are short', limiting their range. However, at the assembly level, conditional jumps may jump to a label that appears anywhere in the program, significantly liberalising the use of conditional jumps. Yet, the situation is even more complex than having to expand pseudoinstructions correctly. In particular, when formalising the assembler, we must make sure that the assembly process does not change the timing characteristics of an assembly program for two reasons. We simplify the proof by assuming that all our assembly programs are pre-linked (i.e. we do not formalise a linker). Further, we must make sure that the assembly process does not change the timing characteristics of an assembly program for two reasons. First, the semantics of some functions of the MCS-51, notably I/O, depend on the microprocessor's clock. This cost model is induced by the compilation process itself, and its non-compositional nature allows us to assign different costs to identical blocks of instructions depending on how they are compiled. In short, we aim to obtain a very precise costing for a program by embracing the compilation process, not ignoring it. This, however, complicates the proof of correctness for the compiler proper. In each translation pass from intermediate language to intermediate language, we must prove that both the meaning and concrete complexity characteristics of the program are preserved. This also applies for the translation from assembly language to machine code. Yet one more question remains: how do we decide whether to expand a jump into an \texttt{SJMP} or an \texttt{LJMP}? To understand, again, why this problem is not trivial, consider the following snippet of assembly code: {\small{ \begin{displaymath} \begin{array}{r@{\qquad}r@{\quad}l@{\;\;}l@{\qquad}l} \text{1:} & \mathtt{(0x000)}  & \texttt{LJMP} & \texttt{0x100}  & \text{\texttt{;; Jump forward 256.}} \\ \text{2:} & \mathtt{...}    & \mathtt{...}  &                 &                                               \\ \text{3:} & \mathtt{(0x0FA)}  & \texttt{LJMP} & \texttt{0x100}  & \text{\texttt{;; Jump forward 256.}} \\ \text{4:} & \mathtt{...}    & \mathtt{...}  &                 &                                               \\ \text{5:} & \mathtt{(0x100)}  & \texttt{LJMP} & \texttt{-0x100}  & \text{\texttt{;; Jump backward 256.}} \\ \end{array} \end{displaymath}}} We observe that $100_{16} = 256_{10}$, and lies \emph{just} outside the range expressible in an 8-bit byte (0--255). As our example shows, given an occurrence $l$ of an \texttt{LJMP} instruction, it may be possible to shrink $l$ to an occurrence of an \texttt{SJMP}---consuming fewer bytes of code memory---provided we can shrink any \texttt{LJMP}s that exist between $l$ and its target location. In particular, if we wish to shrink the \texttt{LJMP} occurring at line 1, then we must shrink the \texttt{LJMP} occurring at line 3. However, to shrink the \texttt{LJMP} occurring at line 3 we must also shrink the \texttt{LJMP} occurring at line 5, and \emph{vice versa}. Further, consider what happens if, instead of appearing at memory address \texttt{0x100}, the instruction at line 5 appeared \emph{just} beyond the size of code memory, and all other memory addresses were shifted accordingly. Now, in order to be able to successfully fit our program into the MCS-51's limited code memory, we are \emph{obliged} to shrink the \texttt{LJMP} occurring at line 5. That is, the shrinking process is not just related to the optimisation of generated machine code but also the completeness of the assembler itself. This, however, complicates the proof of correctness for the compiler proper, and we must prove that both the meaning and concrete complexity characteristics of the program are preserved for every translation pass in the compiler, including the assembler. How we went about resolving this problem affected the shape of our proof of correctness for the whole assembler in a rather profound way. The function \texttt{execute\_1} closely matches the operation of the MCS-51 hardware, as described by a Siemen's manufacturer's data sheet. We first fetch, using the program counter, from code memory the first byte of the instruction to be executed, decoding the resulting opcode, fetching more bytes as is necessary. Decoded instructions are represented as an inductive type: Decoded instructions are represented as an inductive type, where $\llbracket - \rrbracket$ denotes a vector: \begin{lstlisting} inductive preinstruction (A: Type[0]): Type[0] := | ADD: [[acc_a]] → [[ registr; direct; indirect; data ]] → preinstruction A | INC: [[ acc_a; registr; direct ; indirect ; dptr ]] → preinstruction A | JB: [[bit_addr]] → A → preinstruction A | ADD: $\llbracket$acc_a$\rrbracket$ → $\llbracket$registr; direct; indirect; data$\rrbracket$ $\rightarrow$ preinstruction A | INC: $\llbracket$ acc_a; registr; direct; indirect; dptr$\rrbracket$ $\rightarrow$ preinstruction A | JB: $\llbracket$bit_addr$\rrbracket$ $\rightarrow$ A $\rightarrow$ preinstruction A | ... inductive instruction: Type[0] ≝ | LCALL: [[addr16]] → instruction | AJMP: [[addr11]] → instruction | RealInstruction: preinstruction [[ relative ]] → instruction. inductive instruction: Type[0] := | LCALL: $\llbracket$addr16$\rrbracket$ $\rightarrow$ instruction | AJMP: $\llbracket$addr11$\rrbracket$ $\rightarrow$ instruction | RealInstruction: preinstruction $\llbracket$relative$\rrbracket$ $\rightarrow$ instruction. | ... \end{lstlisting} Here, we use dependent types to provide a precise typing for instructions, specifying in their type the permitted addressing modes that their arguments can belong to. \begin{lstlisting} | DEC addr $\Rightarrow$ let s := add_ticks1 s in let $\langle$result, flags$\rangle$ := sub_8_with_carry (get_arg_8 $\ldots$ s true addr) (bitvector_of_nat 8 1) false in set_arg_8 $\ldots$ s addr result | DEC addr $\Rightarrow$ let s := add_ticks1 s in let $\langle$result, flags$\rangle$ := sub_8_with_carry (get_arg_8 $\ldots$ s true addr) (bitvector_of_nat 8 1) false in set_arg_8 $\ldots$ s addr result \end{lstlisting} Pseudoinstructions are implemented as an inductive type: \begin{lstlisting} inductive pseudo_instruction: Type[0] ≝ | Instruction: preinstruction Identifier → pseudo_instruction inductive pseudo_instruction: Type[0] := | Instruction: preinstruction Identifier $\rightarrow$ pseudo_instruction ... | Jmp: Identifier → pseudo_instruction | Call: Identifier → pseudo_instruction | Mov: [[dptr]] → Identifier → pseudo_instruction. | Jmp: Identifier $\rightarrow$ pseudo_instruction | Call: Identifier $\rightarrow$ pseudo_instruction | Mov: $\llbracket$dptr$\rrbracket$ $\rightarrow$ Identifier $\rightarrow$ pseudo_instruction. \end{lstlisting} The pseudoinstructions \texttt{Jmp}, \texttt{Call} and \texttt{Mov} are generalisations of machine code unconditional jumps, calls and move instructions respectively, all of whom act on labels, as opposed to concrete memory addresses. \end{displaymath} The most complex of the two passes is the first, which expands pseudoinstructions and must perform the task of branch displacement~\cite{holmes:branch:2006}. The function \texttt{assembly\_1\_pseudo\_instruction} used in the body of the paper is essentially the composition of the two passes. The branch displacement problems consists of the problem of expanding pseudojumps into their concrete counterparts, preferably as efficiently as possible. \end{displaymath} Here, \texttt{current\_instruction\_size} is the size in bytes of the encoding of the expanded pseudoinstruction found at \texttt{ppc}. Note that the entanglement we hinted at is only partially solved in this way: the assembler code can ignore the implementative details of the algorithm that finds a policy; however, the algorithm that finds a policy must know the exact behaviour of the assembly because it needs to predict the way the assembly will expand and encode pseudoinstructions, once feeded with a policy. The companion paper~\cite{jaap} certifies an algorithm that finds branch displacement policies for the assembler described in this paper. Note that the entanglement we hinted at is only partially solved in this way: the assembler code can ignore the implementation details of the algorithm that finds a policy; however, the algorithm that finds a policy must know the exact behaviour of the assembly program because it needs to predict the way the assembly will expand and encode pseudoinstructions, once fed with a policy. A companion paper to this one~\cite{boender:correctness:2012} certifies an algorithm that finds branch displacement policies for the assembler described in this paper. The \texttt{expand\_pseudo\_instruction} function uses the \texttt{sigma} map to determine the size of jump required when expanding pseudojumps, computing the jump size by examining the size of the differences between program counters. For instance, if at address $ppc$ in the assembly program we found $Jmp~l$ such that \texttt{lookup\_labels~l} $= a$, if the offset $d = \sigma(a) - \sigma(ppc+1)$ is such that $d < 128$ then $Jmp~l$ is normally translated to the best local solution, the short jump $SJMP~d$. A global best solution to the branch displacement problem, however, is not always made of locally best solutions. Therefore, in some circumstances, it is necessary to force the assembler to expand jumps into larger ones. This is achieved by the \texttt{policy} function: if \texttt{policy~ppc}$= true$ then a $Jmp~l$ at address $ppc$ is always translated to a long jump. The mechanism is essentially identical for calls. For instance, if at address \texttt{ppc} in the assembly program we found \texttt{Jmp l} such that \texttt{lookup\_labels l = a}, if the offset \texttt{d = sigma(a) - sigma(ppc + 1)} is such that \texttt{d} $< 128$ then \texttt{Jmp l} is normally translated to the best local solution, the short jump \texttt{SJMP d}. A global best solution to the branch displacement problem, however, is not always made of locally best solutions. Therefore, in some circumstances, it is necessary to force the assembler to expand jumps into larger ones. This is achieved by the \texttt{policy} function: if \texttt{policy ppc = true} then a \texttt{Jmp l} at address \texttt{ppc} is always translated to a long jump. An essentially identical mechanism exists for call instructions. % ---------------------------------------------------------------------------- % By total correctness', we mean that the assembly process never fails when provided with a correct policy and that the process does not change the semantics of a certain class of well behaved assembly programs. The aim of this section is to prove the following informal statement: when we fetch an assembly pseudoinstruction $I$ at address $ppc$, then we can fetch the expanded pseudoinstruction(s) $[J^1;\ldots;J^n] = fetch\_pseudo\_instruction \ldots I~ppc$ from $\sigma(ppc)$ in the code memory obtained loading the assembled object code. This constitutes the first major step in the proof of correctness of the assembler, the next one being the simulation of $I$ by $[J^1;\ldots;J^n]$ (see Section~\ref{???}). We can express the following lemma, expressing the correctness of the assembly function (slightly simplified): \begin{lstlisting} lemma assembly_ok: $\forall$program: pseudo_assembly_program. The aim of this section is to prove the following informal statement: when we fetch an assembly pseudoinstruction \texttt{I} at address \texttt{ppc}, then we can fetch the expanded pseudoinstruction(s) \texttt{[J1, \ldots, Jn] = fetch\_pseudo\_instruction \ldots\ I\ ppc} from \texttt{sigma(ppc)} in the code memory obtained loading the assembled object code. This constitutes the first major step in the proof of correctness of the assembler, the next one being the simulation of \texttt{I} by \texttt{[J1, \ldots, Jn]} (see Subsection~\ref{subsect.total.correctness.for.well.behaved.assembly.programs}). The \texttt{assembly} function is given a Russell type (slightly simplified here): \begin{lstlisting} definition assembly: $\forall$p: pseudo_assembly_program. $\forall$sigma: Word $\rightarrow$ Word. $\forall$policy: Word $\rightarrow$ bool. $\forall$sigma_policy_witness. $\forall$assembled. $\forall$costs': BitVectorTrie costlabel 16. let $\langle$preamble, instr_list$\rangle$ := program in let $\langle$labels, costs$\rangle$ := create_label_cost_map instr_list in $\langle$assembled,costs'$\rangle$ = assembly program sigma policy $\rightarrow$ let cmem := load_code_memory assembled in $\forall$ppc. let $\langle$pi, newppc$\rangle$ := fetch_pseudo_instruction instr_list ppc in let $\langle$len,assembled$\rangle$ := assembly_1_pseudoinstruction $\ldots$ ppc $\ldots$ pi in let pc := sigma ppc in let pc_plus_len := add $\ldots$ pc (bitvector_of_nat $\ldots$ len) in encoding_check cmem pc pc_plus_len assembled $\wedge$ sigma newppc = add $\ldots$ pc (bitvector_of_nat $\ldots$ len). \end{lstlisting} Here, \texttt{encoding\_check} is a recursive function that checks that assembled machine code is correctly stored in code memory. Suppose also we assemble our program \texttt{p} in accordance with a policy \texttt{sigma} to obtain \texttt{assembled}, loading the assembled program into code memory \texttt{cmem}. Then, for every pseudoinstruction \texttt{pi}, pseudo program counter \texttt{ppc} and new pseudo program counter \texttt{newppc}, such that we obtain \texttt{pi} and \texttt{newppc} from fetching a pseudoinstruction at \texttt{ppc}, we check that assembling this pseudoinstruction produces the correct number of machine code instructions, and that the new pseudo program counter \texttt{ppc} has the value expected of it. $\Sigma$res:list Byte $\times$ (BitVectorTrie costlabel 16). sigma_meets_specification p sigma policy $\rightarrow$ let $\langle$preamble, instr_list$\rangle$ := p in |instr_list| < 2^16 $\rightarrow$ let $\langle$assembled,costs$\rangle$ := res in $\forall$ppc. $\forall$ppc_ok:nat_of_bitvector $\ldots$ ppc < |instr_list|. let $\langle$pi,newppc$\rangle$ := fetch_pseudo_instruction instr_list ppc ppc_ok in let $\langle$l,a$\rangle$ := assembly_1_pseudoinstruction $\ldots$ sigma policy ppc $\ldots$ pi in $\forall$j:nat. j < |a| nth j a = nth (add $\ldots$ (sigma ppc) (bitvector_of_nat ? j))) assembled \end{lstlisting} In plain words, the type of assembly states the following. Suppose we are given a policy that is correct for the program we are assembling, and suppose the program to be assembled is fully addressable by a 16-bit word. Then if we fetch from the pseudo program counter \texttt{ppc} we get a pseudoinstruction \texttt{pi} and a new pseudo program counter \texttt{ppc}. Further, assembling the pseudoinstruction \texttt{pi} results in a list of bytes, \texttt{a}. Then, indexing into this list with any natural number \texttt{j} less than the length of \texttt{a} gives the same result as indexing into \texttt{assembled} with \texttt{sigma(ppc)} (the program counter pointing to the start of the expansion in \texttt{assembled}) plus \texttt{j}. Essentially the lemma above states that the \texttt{assembly} function correctly expands pseudoinstructions. This result is lifted from lists of bytes into a result on tries of bytes (i.e. code memories), using an additional lemma: \texttt{assembly\_ok}. Lemma \texttt{fetch\_assembly} establishes that the \texttt{fetch} and \texttt{assembly1} functions interact correctly. encoding_check code_memory pc pc_plus_len assembled $\rightarrow$ let $\langle$instr, pc', ticks$\rangle$ := fetch code_memory pc in (eq_instruction instr i $\wedge$ eqb ticks (ticks_of_instruction instr) $\wedge$ eq_bv $\ldots$ pc' pc_plus_len) = true. instr = i $\wedge$ ticks = (ticks_of_instruction instr) $\wedge$ pc' = pc_plus_len. \end{lstlisting} In particular, we read \texttt{fetch\_assembly} as follows. $\forall$sigma. $\forall$policy. $\forall$sigma_policy_specification_witness. $\forall$sigma_meets_specification. $\forall$ppc. let $\langle$preamble, instr_list$\rangle$ := program in We read \texttt{fetch\_assembly\_pseudo2} as follows. Suppose we are able to successfully assemble an assembly program using \texttt{assembly} and produce a code memory, \texttt{cmem}. Then, fetching a pseudoinstruction from the pseudo code memory at address \texttt{ppc} corresponds to fetching a sequence of instructions from the real code memory using $\sigma$ to expand pseudoinstructions. Then, fetching a pseudoinstruction from the pseudo-code memory at address \texttt{ppc} corresponds to fetching a sequence of instructions from the real code memory using $\sigma$ to expand pseudoinstructions. The fetched sequence corresponds to the expansion, according to \texttt{sigma}, of the pseudoinstruction. At first, the lemmas appears to immediately imply the correctness of the assembler. However, this property is \emph{not} strong enough to establish that the semantics of an assembly program has been preserved by the assembly process since it does not establish the correspondence between the semantics of a pseudo-instruction and that of its expansion. However, this property is \emph{not} strong enough to establish that the semantics of an assembly program has been preserved by the assembly process since it does not establish the correspondence between the semantics of a pseudoinstruction and that of its expansion. In particular, the two semantics differ on instructions that \emph{could} directly manipulate program addresses. The traditional approach to verifying the correctness of an assembler is to treat memory addresses as opaque structures that cannot be modified. This prevents assembly programs from performing any dangerous', semantics breaking manipulations of memory addresses by making these programs simply unrepresentable in the source language. Here, we take a different approach to this problem: we trace memory locations (and, potentially, registers) that contain memory addresses. We then prove that only those assembly programs that use addresses in safe' ways have their semantics preserved by the assembly process. Memory is represented as a map from opaque addresses to the disjoint union of data and opaque addresses---addresses are kept opaque to prevent their possible semantics breaking' manipulation by assembly programs: \begin{displaymath} \mathtt{Mem} : \mathtt{Addr} \rightarrow \mathtt{Bytes} + \mathtt{Addr} \qquad \llbracket - \rrbracket : \mathtt{Instr} \rightarrow \mathtt{Mem} \rightarrow \mathtt{option\ Mem} \end{displaymath} The semantics of a pseudoinstruction, $\llbracket - \rrbracket$, is given as a possibly failing function from pseudoinstructions and memory spaces to new memory spaces. The semantic function proceeds by case analysis over the operands of a given instruction, failing if either operand is an opaque address, or otherwise succeeding, updating memory. \begin{gather*} \llbracket \mathtt{ADD\ @A1\ @A2} \rrbracket^\mathtt{M} = \begin{cases} \mathtt{Byte\ b1},\ \mathtt{Byte\ b2} & \rightarrow \mathtt{Some}(\mathtt{M}\ \text{with}\ \mathtt{b1} + \mathtt{b2}) \\ -,\ \mathtt{Addr\ a} & \rightarrow \mathtt{None} \\ \mathtt{Addr\ a},\ - & \rightarrow \mathtt{None} \end{cases} \end{gather*} In contrast, in this paper we take a different approach. We trace memory locations (and, potentially, registers) that contain memory addresses. We then prove that only those assembly programs that use addresses in safe' ways have their semantics preserved by the assembly process---a sort of type system sitting atop memory. We believe that this approach is more flexible when compared to the traditional approach, as in principle it allows us to introduce some permitted \emph{benign} manipulations of addresses that the traditional approach, using opaque addresses, cannot handle, therefore expanding the set of input programs that can be assembled correctly. This approach, of using real addresses coupled with a weak, dynamic typing system sitting atop of memory, is similar to one taken by Huth \emph{et al}~\cite{tuch:types:2007}, for reasoning about low-level C code. Our analogue of the semantic function above is then merely a wrapper around the function that implements the semantics of machine code, paired with a function that keeps track of addresses. This permits a large amount of code reuse, as the semantics of pseudo- and machine code is essentially shared. The only thing that changes as the assembly level is the presence of the new tracking function. However, with this approach we must detect (at run time) programs that manipulate addresses in well behaved ways, according to some approximation of well-behavedness. Second, we must compute statuses that correspond to pseudo-statuses. The contents of the program counter must be translated, as well as the contents of all traced locations, by applying the \texttt{sigma} map. Remaining memory cells are copied \emph{verbatim}. For instance, after a function call, the two bytes that form the return pseudo address are pushed on top of the stack, i.e. in internal RAM. This pseudo internal RAM corresponds to an internal RAM where the stack holds the real addresses after optimisation, and all the other values remain untouched. We use an \texttt{internal\_pseudo\_address\_map} to trace addresses of code memory addresses in internal RAM: \begin{lstlisting} internal_pseudo_address_map$\rightarrow$BitVectorTrie Byte 7$\rightarrow$BitVectorTrie Byte 7. \end{lstlisting} Another pair of axioms precisely describes the supposed behaviour of \texttt{low\_internal\_ram\_of\_pseudo\_low\_internal\_ram} and its high internal ram counterpart. Next, we are able to translate \texttt{PseudoStatus} records into \texttt{Status} records using \texttt{status\_of\_pseudo\_status}. Note, if we wished to allow benign manipulations' of addresses, it would be this function that needs to be changed. The function \texttt{ticks\_of} computes how long---in clock cycles---a pseudoinstruction will take to execute when expanded in accordance with a given policy. The function \texttt{ticks\_of0} computes how long---in clock cycles---a pseudoinstruction will take to execute when expanded in accordance with a given policy. The function returns a pair of natural numbers, needed for recording the execution times of each branch of a conditional jump. \begin{lstlisting} axiom ticks_of: $\forall$p:pseudo_assembly_program. policy p $\rightarrow$ Word $\rightarrow$ nat $\times$ nat := $\ldots$ \end{lstlisting} definition ticks_of0: pseudo_assembly_program $\rightarrow$ (Word $\rightarrow$ Word) $\rightarrow$ (Word $\rightarrow$ bool) $\rightarrow$ Word $\rightarrow$ pseudo_instruction $\rightarrow$ nat $\times$ nat := $\ldots$ \end{lstlisting} An additional function, \texttt{ticks\_of}, is merely a wrapper around this function. Finally, we are able to state and prove our main theorem. $\forall$sigma: Word $\rightarrow$ Word. $\forall$policy: Word $\rightarrow$ bool. $\forall$sigma_policy_specification_witness. $\forall$sigma_meets_specification. $\forall$ps: PseudoStatus program. $\forall$program_counter_in_bounds. We believe some other verified assemblers exist in the literature. However, what sets our work apart from that above is our attempt to optimise the machine code generated by our assembler. This complicates any formalisation effort, as an attempt at the best possible selection of machine instructions must be made, especially important on a device such as the MCS-51 with a miniscule code memory. This complicates any formalisation effort, as an attempt at the best possible selection of machine instructions must be made, especially important on a device such as the MCS-51 with a minuscule code memory. Further, care must be taken to ensure that the time properties of an assembly program are not modified by the assembly process lest we affect the semantics of any program employing the MCS-51's I/O facilities. This is only possible by inducing a cost model on the source code from the optimisation strategy and input program. All files relating to our formalisation effort can be found online at~\url{http://cerco.cs.unibo.it}. The code of the compiler has been completed, and the proof of correctness described here is still in progress. In particular, we have assumed several properties of library functions'' related in particular to modular arithmetic and datastructure manipulation. Moreover, we have axiomatised various ancillary functions needed to complete the main theorems, as well as some `routine' proof obligations of the theorems themselves, preferring instead to focus on the main meat of the theorems.