# Changeset 571

Ignore:
Timestamp:
Feb 18, 2011, 11:49:36 AM (6 years ago)
Message:

Finished tightening everything up. Just under 16 pages. Cannot add another sentence without it going over!

Location:
Deliverables/D4.1/ITP-Paper
Files:
2 edited

Unmodified
Removed
• ## Deliverables/D4.1/ITP-Paper/itp-2011.bib

 r568 { atkey:coqjvm:2007, author = {Robert Atkey}, title = {{CoqJVM}: An executable specification of the Java virtual machine using dependent types}, title = {{CoqJVM}: An executable specification of the {Java Virtual Machine} using dependent types}, booktitle = {Proceedings of the Conference of the {TYPES} Project}, pages = {18--32},
• ## Deliverables/D4.1/ITP-Paper/itp-2011.tex

 r570 \label{subsect.anatomy.matita.emulator} The internal state of our Matita emulator is represented as a record: The internal state of the Matita emulator is represented as a record: \begin{lstlisting} record Status: Type[0] ≝ { ...  }. \end{lstlisting} This record neatly encapsulates the current memory contents, the program counter, the state of the current SFRs, and so on. Here the MCS-51 memory model is implemented using four disjoint memory spaces plus the SFRs. From the programmer's point of view, what matters are addressing modes that are in a many-to-many relation with the spaces. \texttt{DIRECT} addressing can be used to address either low internal RAM (if the first bit is 0) or the SFRs (if the first bit is 1), for instance. That's why DIRECT uses 8-bit addresses but pointers to the low internal RAM only use 7 bits. The complexity of the memory model is captured in the \texttt{get\_arg\_XX} and \texttt{set\_arg\_XX} functions that get and set data of size \texttt{XX} from memory, considering all addressing modes This record encapsulates the current memory contents, the program counter, the state of the current SFRs, and so on. Here the MCS-51's memory model is implemented using four disjoint memory spaces, plus SFRs. From the programmer's point of view, what \emph{really} matters are the addressing modes that are in a many-to-many relationship with the spaces. \texttt{DIRECT} addressing can be used to address either lower IRAM (if the first bit is 0) or the SFRs (if the first bit is 1), for instance. That's why DIRECT uses 8-bit addresses but pointers to lower IRAM only use 7 bits. The complexity of the memory model is captured in a pair of functions, \texttt{get\_arg\_XX} and \texttt{set\_arg\_XX}, that get' and set' data of size \texttt{XX} from memory. %Overlapping, and checking which addressing modes can be used to address particular memory spaces, is handled through numerous \texttt{get\_arg\_XX} and \texttt{set\_arg\_XX} (for 1, 8 and 16 bits) functions. Both the Matita and O'Caml emulators follows the classic fetch-decode-execute' model of processor operation. Both the Matita and O'Caml emulators follow the classic fetch-decode-execute' model of processor operation. The next instruction to be processed, indexed by the program counter, is fetched from code memory with \texttt{fetch}. An updated program counter, along with the concrete cost, in processor cycles for executing this instruction, is also returned. These costs are taken from a Siemens Semiconductor Group data sheet for the MCS-51~\cite{siemens:2011}, and will likely vary across manufacturers and particular derivatives of the processor. An updated program counter, along with its concrete cost in processor cycles, is also returned. These costs are taken from a Siemens Semiconductor Group data sheet for the MCS-51~\cite{siemens:2011}, and will likely vary across manufacturers and derivatives of the processor. \begin{lstlisting} definition fetch: BitVectorTrie Byte 16 $\rightarrow$ Word $\rightarrow$ instruction $\times$ Word $\times$ nat A callback function was also accepted as an argument, which could witness' the execution as it happened, providing a print-out of the processor state. Due to Matita's termination requirement, \texttt{execute} cannot execute a program indefinitely. An alternative would be to produce an infinite stream of statuses representing an execution trace. An alternative approach would be to produce an infinite stream of statuses representing an execution trace. Matita supports infinite streams through co-inductive types. \label{subsect.instruction.set.unorthogonality} A peculiarity of the MCS-51 is the non-orthogonality of its instruction set. For instance, the \texttt{MOV} instruction, can be invoked using one of 16 combinations of addressing modes out of a possible 361. A peculiarity of the MCS-51 is its unorthogonal instruction set. For instance, the \texttt{MOV} instruction can be invoked using one of 16 combinations of addressing modes out of a possible 361. % Show example of pattern matching with polymorphic variants Such non-orthogonality in the instruction set was handled with the use of polymorphic variants in the O'Caml emulator. Such unorthogonality in the instruction set was handled with the use of polymorphic variants in O'Caml. For instance, we introduced types corresponding to each addressing mode: \begin{lstlisting} For our purposes, the types \texttt{union2}, \texttt{union3} and \texttt{union6} sufficed. This polymorphic variant machinery worked well: it introduced a certain level of type safety (for instance, the type of our \texttt{MOV} instruction above guarantees it cannot be invoked with arguments in the \texttt{carry} and \texttt{data16} addressing modes, respectively), and also allowed us to pattern match against instructions, when necessary. This polymorphic variant machinery worked well: it introduced a certain level of type safety (for instance, the type of \texttt{MOV} above guarantees it cannot be invoked with arguments in the \texttt{carry} and \texttt{data16} addressing modes, respectively), and also allowed us to pattern match against instructions, when necessary. However, this polymorphic variant machinery is \emph{not} present in Matita. We needed some way to produce the same effect, which Matita supported. The \texttt{is\_in} function checks if an \texttt{addressing\_mode} matches a set of tags represented as a vector. It simply extends the \texttt{is\_a} function in the obvious manner. Finally, a \texttt{subaddressing\_mode} is an ad-hoc non empty $\Sigma$-type of addressing modes constrained to be in a given set of tags: A \texttt{subaddressing\_mode} is an \emph{ad hoc} non-empty $\Sigma$-type of \texttt{addressing\_mode}s constrained to be in a set of tags: \begin{lstlisting} record subaddressing_mode n (l: Vector addressing_mode_tag (S n)): Type[0] := subaddressing_modein: bool_to_Prop (is_in ? l subaddressing_modeel) }. \end{lstlisting} An implicit coercion is provided to promote vectors of tags (denoted with $\llbracket - \rrbracket$) to the corresponding \texttt{subaddressing\_mode} so that we can use a syntax close to the O'Caml one to specify preinstructions: An implicit coercion is provided to promote vectors of tags (denoted with $\llbracket - \rrbracket$) to the corresponding \texttt{subaddressing\_mode} so that we can use a syntax close to that of O'Caml to specify \texttt{preinstruction}s: \begin{lstlisting} inductive preinstruction (A: Type[0]): Type[0] ≝ % One of these coercions opens up a proof obligation which needs discussing % Have lemmas proving that if an element is a member of a sub, then it is a member of a superlist, and so on The final, missing component is a pair of type coercions from \texttt{addressing\_mode} to \texttt{subaddressing\_mode} and from \texttt{subaddressing\_mode} to \texttt{Type$\lbrack0\rbrack$}, respectively. The final component is a pair of type coercions from \texttt{addressing\_mode} to \texttt{subaddressing\_mode} and from \texttt{subaddressing\_mode} to \texttt{Type$\lbrack0\rbrack$}, respectively. The first is a forgetful coercion, while the second opens a proof obligation wherein we must prove that the provided value is in the admissible set. These coercions were first introduced by PVS to implement subset types~\cite{shankar:principles:1999}, and later in Coq as an addition~\cite{sozeau:subset:2006}. These coercions were first introduced by PVS to implement subset types~\cite{shankar:principles:1999}, and later in Coq as part of Russell~\cite{sozeau:subset:2006}. In Matita all coercions can open proof obligations. Proof obligations impels us to state and prove a few auxilliary lemmas related to transitivity of subtyping. For instance, an addressing mode that belongs to an allowed set also belongs to any one of its super-set. At the moment, Matita's automation exploits these lemmas to completely solve all the proof obligations opened in our formalization, comprising the 200 proof obligations related to the main \texttt{execute\_1} function. The machinery just described allows us to restrict the set of addressing modes expected by a function and use this information during pattern matching to skip impossible cases. Proof obligations require us to state and prove a few auxilliary lemmas related to the transitivity of subtyping. For instance, an \texttt{addressing\_mode} that belongs to an allowed set also belongs to any one of its supersets. At the moment, Matita's automation exploits these lemmas to completely solve all the proof obligations opened in our formalisation. The \texttt{execute\_1} function, for instance, opens over 200 proof obligations during type checking. The machinery just described allows us to restrict the set of \texttt{addressing\_mode}s expected by a function and use this information during pattern matching. This allows us to skip impossible cases. For instance, consider \texttt{set\_arg\_16}, which expects only a \texttt{DPTR}: \begin{lstlisting} | _ $\Rightarrow$ $\lambda$_: False. $\bot$ ] $~$(subaddressing_modein $\ldots$ a). \end{lstlisting} We give a proof (the expression \texttt{(subaddressing\_modein} $\ldots$ \texttt{a)}) that the argument $a$ is in the set $\llbracket$ \texttt{dptr} $\rrbracket$ to the match expression. We give a proof (the expression \texttt{(subaddressing\_modein} $\ldots$ \texttt{a)}) that the argument $a$ is in the set $\llbracket$ \texttt{dptr} $\rrbracket$ to the \texttt{match} expression. In every case but \texttt{DPTR}, the proof is a proof of \texttt{False}, and the system opens a proof obligation $\bot$ that can be discarded using \emph{ex falso}. Attempting to match against a disallowed addressing mode (replacing \texttt{False} with \texttt{True} in the branch) produces a type-error. Other dependently and non-dependently typed solutions we tried were clumsy in practice. As we need a large number of different combinations of addressing modes to describe the whole instruction set, it is unfeasible to declare a data type for each one of these combinations. The current solution is the one that best matches the corresponding O'Caml code, to the point that the translation from O'Caml to Matita is almost syntactical. We would like to investigate the possibility of changing the code extraction procedure of Matita to recognise this programming pattern and output O'Caml code using polymorphic variants. Attempting to match against a disallowed addressing mode (replacing \texttt{False} with \texttt{True} in the branch) produces a type error. We tried other dependently and non-dependently typed solutions before settling on this approach. As we need a large number of different combinations of addressing modes to describe the whole instruction set, it is infeasible to declare a datatype for each one of these combinations. The current solution is closest to the corresponding O'Caml code, to the point that the translation from O'Caml to Matita is almost syntactical. We would like to investigate the possibility of changing the code extraction procedure of Matita so that it recognises this programming pattern and outputs O'Caml code using polymorphic variants. % Talk about extraction to O'Caml code, which hopefully will allow us to extract back to using polymorphic variants, or when extracting vectors we could extract using phantom types To accurately model timers and I/O, we add an unbounded integral field \texttt{clock} to the central \texttt{status} record. This field is only logical, since it does not represent any quantity stored in the actual processor, and is used to keep track of the current processor time. This field is only logical, since it does not represent any quantity stored in the physical processor, and is used to keep track of the current processor time'. Before every execution step, \texttt{clock} is incremented by the number of processor cycles that the instruction just fetched will take to execute. The processor then executes the instruction, followed by the code implementing the timers and I/O\footnote{Though it isn't fully specified by the manufacturer's data sheets if I/O is handled at the beginning or the end of each cycle.}. In order to model I/O, we also store in the status a \emph{continuation} which is a description of the behaviour of the environment: The emulator then executes the instruction, followed by the code implementing the timers and I/O\footnote{Though it isn't fully specified by the manufacturer's data sheets if I/O is handled at the beginning or the end of each cycle.}. In order to model I/O, we also store in \texttt{status} a \emph{continuation} which is a description of the behaviour of the environment: \begin{lstlisting} type line = [Out of (time -> line -> time * continuation)] \end{lstlisting} At each moment, the second projection of the continuation $k$ describes how the environment will react to an output event performed in the future by the processor. Let $\pi_2(k)(\tau,o) = \langle \tau',k' \rangle$. If the processor at time $\tau$ starts an asynchronous output $o$ either on the P1 or P3 output lines, or on the UART, then the environment will receive the output at time $\tau'$. Moreover the status is immediately updated with the continuation $k'$. Further, if $\pi_1(k) = \mathtt{Some}~\langle \tau',i,\epsilon,k'\rangle$, then at time $\tau'$ the environment will send the asynchronous input $i$ to the processor and the status will be updated with the continuation $k'$. This input is visible to the processor only at time $\tau' + \epsilon$. At each moment, the second projection of the continuation $k$ describes how the environment will react to an output event performed in the future by the processor. Suppose $\pi_2(k)(\tau,o) = \langle \tau',k' \rangle$. If the emulator at time $\tau$ starts an asynchronous output $o$ either on the P1 or P3 output lines, or on the UART, then the environment will receive the output at time $\tau'$. Moreover \texttt{status} is immediately updated with the continuation $k'$. Further, if $\pi_1(k) = \mathtt{Some}~\langle \tau',i,\epsilon,k'\rangle$, then at time $\tau'$ the environment will send the asynchronous input $i$ to the emulator and \texttt{status} is updated with the continuation $k'$. This input is visible to the emulator only at time $\tau' + \epsilon$. The time required to perform an I/O operation is partially specified in the data sheets of the UART module. We use only the P1 and P3 lines despite the MCS-51 having four output lines, P0--P3. This is because P0 and P2 become inoperable if the processor is equipped with XRAM (which we assume it is). This is because P0 and P2 become inoperable if the processor is equipped with XRAM (we assume it is). The UART port can work in several modes, depending on the how the SFRs are set. In an asyncrhonous mode, the UART transmits 8 bits at a time, using a ninth line for syncrhonization. In a syncrhonous mode the ninth line is used to transmit an additional bit. In an asyncrhonous mode, the UART transmits 8 bits at a time, using a ninth line for synchronisation. In a synchronous mode the ninth line is used to transmit an additional bit. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% As mentioned in Subsection~\ref{subsect.labels.pseudoinstructions} we introduced a notion of \emph{cost label}. Cost labels are inserted by the prototype C compiler in specific locations in the object code. Cost labels are inserted by the prototype C compiler at specific locations in the object code. Roughly, for those familiar with control flow graphs, they are inserted at the start of every basic block. We spent considerable effort attempting to ensure that what we have formalised is an accurate model of the MCS-51 microprocessor. First, we made use of multiple data sheets, each from a different semiconductor manufacturer.  This helped us spot errors in the specification of the processor's instruction set, and its behaviour, for instance, in a datasheet from Philips. We made use of multiple data sheets, each from a different semiconductor manufacturer. This helped us triangulate errors in the specification of the processor's instruction set, and its behaviour, for instance, in a data sheet from Philips Semiconductor. The O'Caml prototype was especially useful for validation purposes. This is because we wrote a module for parsing and loading the Intel HEX file format. HEX is a standard format that all compilers targetting the MCS-51, and similar processors, produce. We wrote a module for parsing and loading Intel HEX format files. Intel HEX is a standard format that all compilers targetting the MCS-51, and similar processors, produce. It is essentially a snapshot of the processor's code memory in compressed form. Using this, we were able to compile C programs with SDCC, an open source compiler, and load the resulting program directly into our emulator's code memory, ready for execution. Further, we are able to produce a HEX file from our emulator's code memory, for loading into third party tools. After each step of execution, we can print out both the instruction that had been executed, along with its arguments, and a snapshot of the processor's state, including all flags and register contents. Using this we were able to compile C programs with SDCC and load the resulting program directly into our emulator's code memory, ready for execution. Further, we can produce a HEX file from our emulator's code memory for loading into third party tools. After each step of execution, we can print out both the instruction that had been executed and a snapshot of the processor's state, including all flags and register contents. For example: \begin{frametxt} \end{small} \end{frametxt} Here, the traces indicates that the instruction \texttt{mov 81 \#07} has just been executed by the processor, which is now in the state indicated. Here, the trace indicates that the instruction \texttt{mov 81 \#07} has just been executed by the processor, which is now in the state indicated. These traces were useful in spotting anything that was obviously' wrong with the execution of the program. Further, we used MCU 8051 IDE as a reference. Using our execution traces, we were able to step through a compiled program, one instruction at a time, in MCU 8051 IDE, and compare the resulting execution trace with the trace produced by our emulator. Our Matita formalisation was largely copied from the O'Caml source code, apart from changes related to addressing modes already mentioned. We further used MCU 8051 IDE as a reference, which allows a user to step through an assembly program one instruction at a time. Using our execution traces, we were able to step through a compiled program in MCU 8051 IDE and compare the resulting execution trace with the trace produced by our emulator. Our Matita formalisation was largely copied from the O'Caml source code, apart from the changes already mentioned. However, as the Matita emulator is executable, we could perform further validation by comparing the trace of a program's execution in the Matita emulator with the trace of the same program in the O'Caml emulator. \section{Related work} \label{sect.related.work} There exists a large body of literature on the formalisation of microprocessors. The majority of it aims to prove correctness of the implementation of the microprocessor at the microcode or gate level. We are interested in providing a precise specification of the behaviour of the microprocessor in order to prove the correctness of a compiler which will target the processor. A large body of literature on the formalisation of microprocessors exists. The majority of it deals with proving correctness of implementations of microprocessors at the microcode or gate level. We are interested in providing a precise specification of the behaviour of the microprocessor in order to prove the correctness of a compiler which will target the processor. In particular, we are interested in intensional properties of the processor; precise timings of instruction execution in clock cycles. Moreover, in addition to formalising the interface of an MCS-51 processor, we have also built a complete MCS-51 ecosystem: the UART, the I/O lines, and hardware timers, along with an assembler. Similar work to ours can be found in~\cite{fox:trustworthy:2010}. Here, the authors describe the formalisation, in HOL4, of the ARMv7 instruction set architecture, and point to a good list of references to related work in the literature. This formalisation also considers the machine code level, as opposed to only considering an abstract assembly language. In particular, instruction decoding is explicitly modelled inside HOL4's logic. We go further in also providing an assembly language, complete with assembler, to translate instructions and pseudoinstruction to machine code. Moreover, in addition to formalising the interface of an MCS-51 processor, we have also built a complete MCS-51 ecosystem: UART, I/O lines, and hardware timers, complete with an assembler. Work closely related to our own can be found in~\cite{fox:trustworthy:2010}. Here, the authors describe the formalisation, in HOL4, of the ARMv7 instruction set architecture. They further point to an excellent list of references to related work in the literature for the interested reader. This formalisation also considers the machine code level, opposed to their formalisation, which only considering an abstract assembly language. In particular, instruction decoding is explicitly modeled inside HOL4's logic. We go further in also providing an assembly language, complete with assembler, to translate instructions and pseudoinstruction into machine code. Further, in~\cite{fox:trustworthy:2010} the authors validated their formalisation by using development boards and random testing. We currently rely on non-exhaustive testing against a third party emulator. We leave exhaustive testing for future work. Executability is another key difference between our work and~\cite{fox:trustworthy:2010}. Our formalisation is executable: applying the emulation function to an input state eventually reduces to an output state that already satisfies the appropriate conditions. This is because Matita is based on a logic that internalizes conversion. We recognise the importance of this exhaustive testing, but currently leave it for future work. Executability is another key difference between our work and that of~\cite{fox:trustworthy:2010}. Our formalisation is executable: applying the emulation function to an input state eventually reduces to an output state. This is because Matita is based on a logic, CIC, which internalizes conversion. In~\cite{fox:trustworthy:2010} the authors provide an automation layer to derive single step theorems: if the processor is in a particular state that satisfies some preconditions, then after execution of an instruction it will reside in another state satisfying some postconditions. We do not need single step theorems of this form. Perhaps the closest project to CerCo is CompCert~\cite{leroy:formally:2009}. CompCert concerns the certification of a C compiler and includes a formalisation in Coq of a subset of PowerPC. Coq and Matita essentially share the same logic. (Coq and Matita essentially share the same logic.) Despite this similarity, the two formalisations do not have much in common. First, CompCert provides a formalisation at the assembly level (no instruction decoding), and this impels them to trust an unformalised assembler and linker, whereas we provide our own. Our formalization is directly executable, while the one in CompCert only provides a relation that describes execution. First, CompCert provides a formalisation at the assembly level (no instruction decoding). This impels them to trust an unformalised assembler and linker, whereas we provide our own. Our formalisation is \emph{directly} executable, while the one in CompCert only provides a relation that describes execution. I/O is also not considered at all in CompCert. Moreover an idealized abstract and uniform memory model is assumed, while we take into account the complicated overlapping memory model of the MCS-51 architecture. Finally, 82 instructions of the 200+ offered by the processor are formalised in CompCert, and the assembly language is augmented with macro instructions that are turned into real' instructions only during communication with the external assembler. Even from a technical level the two formalisations differ: while we tried to exploit dependent types as often as possible, CompCert largely sticks to the non-dependent fragment of Coq. In~\cite{atkey:coqjvm:2007} Atkey presents an executable specification of the Java virtual machine which uses dependent types. As we do, dependent types are used to remove spurious partiality from the model, and to lower the need for over-specifying the behaviour of the processor in impossible cases. Our use of dependent types will also help to maintain invariants when we prove the correctness of the CerCo prototype compiler. Finally, Sarkar et al~\cite{sarkar:semantics:2009} provide an executable semantics for x86-CC multiprocessor machine code. Finally, 82 instructions of the more than 200 offered by the processor are formalised in CompCert, and the assembly language is augmented with macro instructions that are turned into real' instructions only during communication with the external assembler. Even from a technical level the two formalisations differ: we tried to exploit dependent types whilst CompCert largely sticks to a non-dependent fragment of Coq. In~\cite{atkey:coqjvm:2007} an executable specification of the Java Virtual Machine, using dependent types, is presented. As we do, dependent types there are used to remove spurious partiality from the model. They also lower the need for over-specifying the behaviour of the processor in impossible cases. Our use of dependent types will also help to maintain invariants when we prove the correctness of the CerCo prototype C compiler. Finally~\cite{sarkar:semantics:2009} provides an executable semantics for x86-CC multiprocessor machine code. This machine code exhibits a high degree of non-uniformity similar to the MCS-51. However, only a small subset of the instruction set is considered, and they over-approximate the possibilities of unorthogonality of the instruction set, largely dodging the problems we had to face. A small domain specific language of patterns is formalised in HOL4. This is similar to the specification language of the x86 instruction set found in manufacturer's data sheets. A decode function is implemented by copying lines from data sheets into the proof script. A decode function is implemented by copying lines from data sheets into the proof script, which are then interpreted. We are currently considering implementing a similar domain specific language in Matita. \label{sect.conclusions} The CerCo project is interested in the certification of a compiler for C that induces a precise cost model on the source code. Our cost model assigns costs to blocks of instructions by tracing the way that blocks are compiled, and by computing exact costs on generated assembly code. To perform this accurately, we have provided an executable semantics for the MCS-51 family of processors, better known as 8051/8052. The formalisation was done twice, first in O'Caml and then in Matita, and captures the exact timings of the processor. In CerCo, we are interested in the certification of a compiler for C that induces a precise cost model on the source code. Our cost model assigns costs to blocks of instructions by tracing the way that blocks are compiled, and by computing exact costs on generated machine language. To perform this accurately, we have provided an executable semantics for the MCS-51 family of processors. The formalisation was done twice, first in O'Caml and then in Matita, and captures the exact timings of the processor (according to a Siemen's data sheet). Moreover, the O'Caml formalisation also considers timers and I/O. Adding support for I/O and timers in Matita is an on-going work that will not present any major problem, and was delayed only because the addition is not immediately useful for the formalisation of the CerCo compiler. Adding support for I/O and timers in Matita is on-going work that will not present any major problem, and was delayed only because the addition is not immediately useful for the formalisation of the CerCo compiler. The formalisation is done at machine level and not at assembly level; we also formalise fetching and decoding. We separately provide an assembly language, enhanched with labels and pseudoinstructions, and an assembler from this language to machine code. This assembly language is similar to those found in `industrial strength' compilers, such as SDCC. We introduce cost labels in the machine language to relate the data flow of the assembly program to that of the C source language, in order to associate costs to the C program. For the O'Caml version, we provide a parser and pretty printer from code memory to Intel HEX format. Our main difficulty in formalising the MCS-51 was the unorthogonality of its memory model and instruction set. These problems are easily handled in O'Caml by using advanced language features like polymorphic variants and phantom types, simulating Generalized Abstract Data Types. In Matita, we use dependent types to recover the same flexibility, to reduce spurious partiality, and to grant invariants that will be useful in the formalization of the CerCo compiler. In Matita, we use dependent types to recover the same flexibility, to reduce spurious partiality, and to grant invariants that will be later useful in other formalisations in the CerCo project. The formalisation has been partially verified by computing execution traces on selected programs and comparing them with an existing emulator. All instructions have been tested at least once, but we have not yet pushed testing further, for example with random testing or by using development boards. I/O in particular has not been tested yet, and it is currently unclear how to provide exhaustive testing in the presence of I/O. Finally, we are aware of having over-specified the processor in several places, by fixing a behaviour hopefully consistent with the real machine, where manufacturer data sheets are ambiguous or under specified. Finally, we are aware of having over-specified the processor in several places, by fixing a behaviour hopefully consistent with the real machine, where manufacturer data sheets are ambiguous or under-specified. \bibliography{itp-2011.bib}
Note: See TracChangeset for help on using the changeset viewer.