\mathtt{absolute\_jump},\mathtt{long\_jump}\}$; a function that associates a
pseudoaddress with a memory address and a jump length. We do this to be able
+to ease the comparison of jump lengths between iterations. In the algorithm,
we use the notation $sigma_1(x)$ to denote the memory address corresponding to
$x$, and $sigma_2(x)$ to denote the jump length corresponding to $x$.
@misc{DC2012,
+ title={{On the correctness of an optimising assembler for the Intel MCS51 microprocessor}},
author = {Dominic P. Mulligan and Claudio {Sacerdoti Coen}},
year = {2012},
where it is important to have as small solution as possible.
+In itself the algorithm is already useful, as it results in a smaller solution
+than the simple `every branch instruction is long' used up until now. It also
+results in a smaller solution than the greatest fixed point algorithm that
+{\tt gcc} uses. It does this without sacrificing speed or correctness.
+
This algorithm is part of a greater whole, the CerCo project, which aims to
+completely formalise and verify a concrete cost preserving compiler for a large
subset of the C programming language. More information
on the formalisation of the assembler, of which the present work is a part,
In this section, we present the correctness proof for the algorithm in more
detail. The main correctness statement is as follows (slightly simplified, here):

\begin{lstlisting}
@@ 114,5 +112,4 @@
\begin{lstlisting}
definition sigma_compact_unsafe :=
@@ 200,5 +197,5 @@
We need to use two different formulations, because the fact that $added$ is 0
does not guarantee that no branch instructions have changed. For instance,
+it is possible that we have replaced a short jump with an absolute jump, which
does not change the size of the branch instruction.
If an iteration returns {\tt None}, we have the following invariant:
\begin{lstlisting}
definition nec_plus_ultra :=