boot2

demo.M1 (11645B)

---

 ## P1 broader-ISA demo — portable across aarch64, amd64, riscv64.
 ##
 ## Exercises the P1 ISA in tranches (see P1.md §"Instruction set").
 ## Each op is applied with non-identity operands so a mis-encoded op
 ## produces a detectably-wrong final r1. If every op in every tranche
 ## is correct, r1 ends at 5, stdout is "P1 = 5\n", exit is 5.
 ##
 ## Tranche 1: reg-reg-reg arith (11 ops). Each step's result is
 ##   unique vs. neighbor ops on the same operands, e.g.
 ##     ADD(5,3)=8  SUB(8,3)=5  XOR(5,3)=6  OR(6,3)=7  AND(7,5)=5
 ##     MUL(5,3)=15 DIV(15,3)=5 REM(5,7)=5  SHL(5,3)=40 SHR(40,3)=5.
 ##   SAR vs SHR agree on positive values; SAR is separately tested
 ##   on a negative value in r4 (SAR(-1,3)=-1, SHR would give huge).
 ## Tranche 2: immediate forms. ADDI tested with BOTH positive and
 ##   negative imm12 (proves signed-immediate encoding). SHLI/SHRI
 ##   with non-zero shift amount. ANDI/ORI with overlapping-bit
 ##   masks so the result is distinguishable from ADDI/XORI. SARI
 ##   tested on negative value via r4.
 ##   (No SUBI/XORI/MULI in P1 — see PLAN.md §"Feature floor".)
 ## Tranche 3: LA + memory round-trip. LD/ST (64-bit) and LB/SB
 ##   (8-bit zero-extended). 32-bit LW/SW dropped from the ISA —
 ##   synthesize from LD + mask/shift if needed. Signed imm12 on
 ##   LD/ST is exercised via a NEG8-offset round-trip through
 ##   scratch_mid, mirroring the ADDI NEG1/NEG3 signed-imm test.
 ## Tranche 4: LI_BR-indirect branches. B, BEQ, BNE, BLT each tested
 ##   in BOTH taken and fall-through directions so an inverted
 ##   condition encoding doesn't pass. BLT additionally tested with
 ##   a negative operand (-1 < 0 signed) to prove signed semantics.
 ##   BLTU/BGEU/BGE dropped from the ISA — see P1.md.
 ## Tranche 5: CALL / RET / TAIL / PROLOGUE / EPILOGUE. Nested CALL
 ##   stresses PROLOGUE lr-save; TAIL unwinds the frame. Stack
 ##   balance is additionally verified by snapshotting sp via
 ##   MOV_R6_SP before tranche 5 and comparing after — a TAIL that
 ##   omits its epilogue (or whose epilogue clobbers the branch
 ##   target) leaks fn_parent_tail's 16-byte frame and the delta
 ##   folds into the accumulator. All three arches now run real
 ##   sp-moving PROLOGUE/EPILOGUE, so the check bites everywhere.
 ##
 ## Run-and-verify:
 ##   make PROG=demo ARCH=<arch> run && echo "exit=$?"
 ## expected stdout: "P1 = 5\n"   expected exit: 5
 
 :_start
     ## Setup: r1 is the running accumulator; r2/r5 are arith partners.
     ## r1 is seeded via the LI_R6 → MOV_R1_R6 roundtrip so the LI_R6
     ## encoding gets exercised — otherwise r6 is only written by
     ## MOV_R6_R1 in the exit path. Clobbering r1 to 0 between the two
     ## ops means a broken MOV_R1_R6 (wrong source reg) leaves r1=0 and
     ## poisons the chain; a broken LI_R6 (wrong dest reg or wrong
     ## literal-slot offset) puts the wrong value in r6 and MOV
     ## propagates it.
     li_r6 '05000000'  # r6 = 5 via LI_R6 (discriminator)
     li_r1 '00000000'  # clobber r1 before the MOV
     mov_r1,r6                # r1 = r6 = 5
     li_r2 '03000000'  # r2 = 3  (arith partner & shift amount)
     li_r5 '05000000'  # r5 = 5  (AND partner)
 
     ## Tranche 1: reg-reg-reg arith.
     add_r1,r1,r2             # 5 + 3 = 8
     sub_r1,r1,r2             # 8 - 3 = 5
     xor_r1,r1,r2             # 5 ^ 3 = 6
     or_r1,r1,r2              # 6 | 3 = 7
     and_r1,r1,r5             # 7 & 5 = 5
     mul_r1,r1,r2             # 5 * 3 = 15
     div_r1,r1,r2             # 15 / 3 = 5
     li_r5 '07000000'  # r5 = 7 for REM
     rem_r1,r1,r5             # 5 % 7 = 5
     shl_r1,r1,r2             # 5 << 3 = 40
     shr_r1,r1,r2             # 40 >> 3 = 5
 
     ## SAR discriminator: on positive values SAR and SHR agree, so
     ## put a negative value in r4 and check that SAR preserves the
     ## sign bits. Then fold r4 into r1 so a misbehaving SAR poisons
     ## the accumulator.
     li_r4 '00000000'  # r4 = 0
     addi_r4,r4,neg1          # r4 = 0 + (-1) = -1  (sign-extended 64-bit)
     sar_r4,r4,r2             # r4 = -1 >> 3 = -1   (SHR would be 0x1FFF...FFFF)
     add_r1,r1,r4             # r1 = 5 + (-1) = 4
     addi_r1,r1,1             # r1 = 4 + 1 = 5
 
     ## Tranche 2: immediate forms. Chain 5 → 8 → 5 → 10 → 5 → 4 → 5
     ## plus a SARI discriminator via r4.
     addi_r1,r1,3             # 5 + 3 = 8
     addi_r1,r1,neg3          # 8 + (-3) = 5      (signed imm12)
     shli_r1,r1,1             # 5 << 1 = 10       (non-zero shift)
     shri_r1,r1,1             # 10 >> 1 = 5
     andi_r1,r1,6             # 5 & 6 = 4         (0b101 & 0b110 = 0b100)
     ori_r1,r1,1              # 4 | 1 = 5         (aarch64 bitmask-immediate
                                 #   requires valid-mask imm; 5 is invalid, 1 is
                                 #   valid. Tranche 1 OR_R1_R1_R2 (6|3=7) already
                                 #   discriminates OR from ADD/XOR on overlapping
                                 #   bits; ORI here just tests the imm-ORR encoding
                                 #   exists and doesn't crash, plus distinguishes
                                 #   from AND (4&1=0 would fail the chain).)
 
     li_r4 '00000000'
     addi_r4,r4,neg1          # r4 = -1
     sari_r4,r4,1             # r4 = -1 >> 1 = -1 (SHRI would be 0x7FFF...FFFF)
     add_r1,r1,r4             # r1 = 5 + (-1) = 4
     addi_r1,r1,1             # r1 = 5
 
     ## Tranche 3: memory round-trip. For each width, store r1,
     ## clobber r1 to 0, then reload. A broken ST/LD leaves r1 != 5.
     la_r4 &scratch
 
     st_r1,r4,0               # [scratch+0..8] = r1 (= 5)
     li_r1 '00000000'
     ld_r1,r4,0               # r1 = [scratch+0..8]         -> 5
 
     ## Non-zero imm12 on the 64-bit forms. Distinct value 8 at +8 so
     ## an LD_R4_8 that silently aliased to +0 would read 5 and fail the
     ## SUB step; a broken ST_R4_8 leaves [+8]=0 (scratch init) which the
     ## LD observes. The +0 round-trip above anchors the imm12=0 case.
     li_r1 '08000000'  # distinct from 5
     st_r1,r4,8               # [scratch+8..16] = 8
     li_r1 '00000000'
     ld_r1,r4,8               # r1 = [scratch+8..16]        -> 8
     sub_r1,r1,r2             # r1 = 8 - 3 = 5   (r2 still 3 from setup)
 
     sb_r1,r4,16              # [scratch+16] = r1 (low byte)
     li_r1 '00000000'
     lb_r1,r4,16              # r1 = zext [scratch+16]      -> 5
 
     ## Negative imm12 on the memory forms. LA to scratch_mid (= scratch+16)
     ## then round-trip a distinct sentinel (13) via [r4 + -8] = scratch+8.
     ## Proves the signed offset encoding sign-extends on LD/ST the same
     ## way ADDI NEG1/NEG3 proves it on arith. A symmetric "both sides
     ## miscompiled to the same wrong offset" bug could still false-pass,
     ## but the common cases (sign bit dropped, imm zero-extended) blow
     ## up via segfault or a mismatched round-trip value.
     la_r4 &scratch_mid
     li_r1 '0D000000'  # r1 = 13 (distinct sentinel)
     st_r1,r4,neg8            # [scratch+8] = 13 (overwrites +8 slot's old 8)
     li_r1 '00000000'
     ld_r1,r4,neg8            # r1 = [scratch+8]            -> 13
     addi_r1,r1,neg3          # r1 = 13 - 3 = 10
     shri_r1,r1,1             # r1 = 10 >> 1 = 5
 
     ## Tranche 4: branches. r2=0, r3=1 to start; each subtest resets
     ## as needed. Taken-path subtests clobber r1 on fall-through;
     ## fall-through subtests clobber r1 on incorrect branch.
     li_r2 '00000000'  # r2 = 0
     li_r3 '01000000'  # r3 = 1
 
     ## B — unconditional. Correct: jump to b4_1_ok, skipping clobber.
     li_br &b4_1_ok
     b
     li_r1 '00000000'
 :b4_1_ok
 
     ## BEQ taken: r3=0 so r2==r3.
     li_r3 '00000000'
     li_br &b4_2_ok
     beq_r2,r3             # 0 == 0, taken
     li_r1 '00000000'
 :b4_2_ok
     li_r3 '01000000'  # restore r3 = 1
 
     ## BEQ fall-through: 0 != 1, branch must NOT fire. If it
     ## (incorrectly) fires we jump to b4_3_bad and clobber r1.
     li_br &b4_3_bad
     beq_r2,r3             # 0 == 1? no, fall through
     li_br &b4_3_ok
     b
 :b4_3_bad
     li_r1 '00000000'
 :b4_3_ok
 
     ## BNE taken: 0 != 1.
     li_br &b4_4_ok
     bne_r2,r3             # 0 != 1, taken
     li_r1 '00000000'
 :b4_4_ok
 
     ## BNE fall-through: r3=0 so r2==r3; branch must NOT fire.
     li_r3 '00000000'
     li_br &b4_5_bad
     bne_r2,r3             # 0 != 0? no, fall through
     li_br &b4_5_ok
     b
 :b4_5_bad
     li_r1 '00000000'
 :b4_5_ok
     li_r3 '01000000'  # restore r3 = 1
 
     ## BLT taken: 0 < 1 (signed).
     li_br &b4_6_ok
     blt_r2,r3             # 0 < 1, taken
     li_r1 '00000000'
 :b4_6_ok
 
     ## BLT fall-through: 1 < 0 is false.
     li_r2 '01000000'  # r2 = 1
     li_r3 '00000000'  # r3 = 0
     li_br &b4_7_bad
     blt_r2,r3             # 1 < 0? no, fall through
     li_br &b4_7_ok
     b
 :b4_7_bad
     li_r1 '00000000'
 :b4_7_ok
 
     ## BLT signed discrimination: -1 < 0 must be taken. If BLT were
     ## accidentally unsigned, -1 as 0xFFFF...FFFF > 0 and the branch
     ## would not fire.
     li_r2 '00000000'  # r2 = 0
     li_r4 '00000000'
     addi_r4,r4,neg1          # r4 = -1 (sign-extended)
     li_br &b4_8_ok
     blt_r4,r2             # -1 < 0 (signed)? yes, taken
     li_r1 '00000000'
 :b4_8_ok
 
     ## Tranche 5: CALL / RET / PROLOGUE / EPILOGUE / TAIL.
     ## fn_identity does its own nested CALL to fn_inner — if PROLOGUE
     ## doesn't spill lr correctly, the inner CALL clobbers the
     ## return-to-_start address and we crash or hang. The function
     ## bodies live inline below the subtests, guarded by a b over
     ## them so we don't fall through after the last subtest.
     ##
     ## Stack-balance discriminator for TAIL: snapshot sp into r6
     ## (callee-saved) before any CALL. A correctly-paired call tree
     ## nets to sp_after == sp_before. A TAIL that skips its epilogue
     ## leaks fn_parent_tail's 16-byte frame — the delta is folded
     ## into the accumulator below via SUB r1, r1, delta.
     mov_r6,sp                # r6 = sp snapshot (pre-tranche)
 
     li_br &fn_identity
     call                     # nested-CALL test: returns r1 unchanged
 
     li_br &fn_parent_tail
     call                     # TAIL test: fn_identity RETs to here
 
     li_br &b5_end
     b                        # skip over the inlined function bodies
 
 :fn_inner
     prologue
     epilogue
     ret
 
 :fn_identity
     prologue
     li_br &fn_inner
     call
     epilogue
     ret
 
 :fn_parent_tail
     prologue
     li_br &fn_identity
     tail
 
 :b5_end
     mov_r2,sp                # r2 = sp snapshot (post-tranche)
     sub_r2,r2,r6             # r2 = sp_after - sp_before (0 if balanced)
     sub_r1,r1,r2             # r1 -= delta; unchanged (= 5) iff balanced
 
     mov_r6,r1                # r6 = 5 (callee-saved, survives syscalls)
 
     ## write(1, &prefix, 5)      — "P1 = "
     li_r0 sys_write
     li_r1 '01000000'
     li_r2 &prefix
     li_r3 '05000000'
     syscall
 
     ## write(1, &digits + r6, 1) — the computed digit ('5')
     li_r0 sys_write
     li_r1 '01000000'
     li_r2 &digits
     add_r2,r2,r6             # r2 = &digits + 5
     li_r3 '01000000'
     syscall
 
     ## write(1, &newline, 1)
     li_r0 sys_write
     li_r1 '01000000'
     li_r2 &newline
     li_r3 '01000000'
     syscall
 
     ## exit(r6)                  — exit status = computed result
     li_r0 sys_exit
     mov_r1,r6
     syscall
 
 :prefix
 "P1 = "
 :digits
 "0123456789"
 :newline
 "
 "
 
 ## 32 bytes reserved for tranche 3 memory round-trip. The LOAD segment
 ## is RWX (see ELF-<arch>.hex2 ph_flags=7) so we can store into this
 ## region at runtime. scratch_mid = scratch+16, the base address for
 ## the negative-imm12 LD/ST test ([scratch_mid + -8] = [scratch+8]).
 :scratch  '0000000000000000' '0000000000000000'
 :scratch_mid  '0000000000000000' '0000000000000000'
 
 :ELF_end