|
1
|
/* C code generated by main_lustre_compiler.native
|
|
2
|
SVN version number 355
|
|
3
|
Code is C99 compliant */
|
|
4
|
|
|
5
|
#ifndef _ALT_2_LUSTREC
|
|
6
|
#define _ALT_2_LUSTREC
|
|
7
|
|
|
8
|
/* Imports standard library */
|
|
9
|
#include "/home/davyg/local_proofcompilation//include/lustrec/arrow.h"
|
|
10
|
|
|
11
|
|
|
12
|
/* Types definitions */
|
|
13
|
|
|
14
|
/*@ lemma missing: \forall _Bool x; (x != 0) <==> (((int) x) != 0);*/
|
|
15
|
/* Global constant (declarations, definitions are in C file) */
|
|
16
|
|
|
17
|
/* Struct declarations */
|
|
18
|
struct integrator_reset_mem {struct integrator_reset_reg {double __integrator_reset_2;} _reg; struct _arrow_mem ni_4; };
|
|
19
|
struct VariableRateLimit_mem {struct VariableRateLimit_reg {double __VariableRateLimit_3;} _reg; struct _arrow_mem ni_3; struct integrator_reset_mem ni_2; };
|
|
20
|
struct AltitudeControl_mem {struct AltitudeControl_reg {int dummy;} _reg; struct VariableRateLimit_mem ni_1; };
|
|
21
|
struct top_mem {struct top_reg {int dummy;} _reg; struct AltitudeControl_mem ni_0; };
|
|
22
|
|
|
23
|
/* Nodes declarations */
|
|
24
|
/*@ predicate trans_VariableLimitSaturation(real up_lim,
|
|
25
|
real Signal,
|
|
26
|
real lo_lim,
|
|
27
|
real out,
|
|
28
|
_Bool __VariableLimitSaturation_1,
|
|
29
|
_Bool __VariableLimitSaturation_2,
|
|
30
|
real enforce_lo_lim) =
|
|
31
|
\let __VariableLimitSaturation_1 = (Signal >= lo_lim);
|
|
32
|
\let enforce_lo_lim = (__VariableLimitSaturation_1?(Signal):(lo_lim));
|
|
33
|
\let __VariableLimitSaturation_2 = (enforce_lo_lim <= up_lim);
|
|
34
|
(out == (__VariableLimitSaturation_2?(enforce_lo_lim):(up_lim)));
|
|
35
|
*/
|
|
36
|
/*@ predicate Ctrans_VariableLimitSaturation(real up_lim,
|
|
37
|
real Signal,
|
|
38
|
real lo_lim,
|
|
39
|
real out) =
|
|
40
|
\exists _Bool __VariableLimitSaturation_1;
|
|
41
|
\exists _Bool __VariableLimitSaturation_2;
|
|
42
|
\exists real enforce_lo_lim;
|
|
43
|
trans_VariableLimitSaturation(up_lim,
|
|
44
|
Signal,
|
|
45
|
lo_lim,
|
|
46
|
out,
|
|
47
|
__VariableLimitSaturation_1,
|
|
48
|
__VariableLimitSaturation_2,
|
|
49
|
enforce_lo_lim);
|
|
50
|
*/
|
|
51
|
/*@ requires \valid(out);
|
|
52
|
ensures Ctrans_VariableLimitSaturation(up_lim,
|
|
53
|
Signal,
|
|
54
|
lo_lim,
|
|
55
|
*out);
|
|
56
|
assigns *out;
|
|
57
|
*/
|
|
58
|
extern void VariableLimitSaturation_step (double up_lim, double Signal,
|
|
59
|
double lo_lim,
|
|
60
|
double (*out)
|
|
61
|
);
|
|
62
|
|
|
63
|
/*@ predicate trans_integrator_reset(real Fx,
|
|
64
|
_Bool ResetLevel,
|
|
65
|
real x0,
|
|
66
|
real ir_out,
|
|
67
|
struct integrator_reset_mem self1,
|
|
68
|
struct integrator_reset_mem self2,
|
|
69
|
_Bool __integrator_reset_1) =
|
|
70
|
\let __integrator_reset_1 = self1.ni_4._reg._first?1:0; (self2.ni_4._reg._first==0) &&
|
|
71
|
(self2._reg.__integrator_reset_2 == ir_out) &&
|
|
72
|
(ir_out == (__integrator_reset_1?(x0):((ResetLevel?(x0):(((Fx * 1.) + self1._reg.__integrator_reset_2))))));
|
|
73
|
*/
|
|
74
|
/*@ predicate Ctrans_integrator_reset(real Fx,
|
|
75
|
_Bool ResetLevel,
|
|
76
|
real x0,
|
|
77
|
real ir_out,
|
|
78
|
struct integrator_reset_mem self1,
|
|
79
|
struct integrator_reset_mem self2) =
|
|
80
|
\exists _Bool __integrator_reset_1;
|
|
81
|
trans_integrator_reset(Fx,
|
|
82
|
ResetLevel,
|
|
83
|
x0,
|
|
84
|
ir_out,
|
|
85
|
self1,
|
|
86
|
self2,
|
|
87
|
__integrator_reset_1);
|
|
88
|
*/
|
|
89
|
/*@ predicate init_integrator_reset(struct integrator_reset_mem self) =
|
|
90
|
|
|
91
|
(self.ni_4._reg._first==1);
|
|
92
|
*/
|
|
93
|
#define integrator_reset_DECLARE(attr, inst)\
|
|
94
|
attr struct integrator_reset_mem inst;\
|
|
95
|
_arrow_DECLARE(attr, inst ## _ni_4);
|
|
96
|
|
|
97
|
|
|
98
|
#define integrator_reset_ALLOC(attr,inst)\
|
|
99
|
integrator_reset_DECLARE(attr,inst);
|
|
100
|
|
|
101
|
|
|
102
|
/*@requires \valid(self);
|
|
103
|
ensures init_integrator_reset(\at(*self, Here));
|
|
104
|
assigns *self;*/
|
|
105
|
extern void integrator_reset_reset (struct integrator_reset_mem *self);
|
|
106
|
|
|
107
|
/*@ requires \valid(ir_out);
|
|
108
|
requires \valid(self);
|
|
109
|
requires \separated(ir_out, self);
|
|
110
|
ensures Ctrans_integrator_reset(Fx,
|
|
111
|
ResetLevel,
|
|
112
|
x0,
|
|
113
|
*ir_out,
|
|
114
|
\at(*self, Pre),
|
|
115
|
\at(*self, Here));
|
|
116
|
assigns *ir_out, *self;
|
|
117
|
*/
|
|
118
|
extern void integrator_reset_step (double Fx, _Bool ResetLevel, double x0,
|
|
119
|
double (*ir_out),
|
|
120
|
struct integrator_reset_mem *self);
|
|
121
|
|
|
122
|
/*@ predicate trans_Saturation(real Signal,
|
|
123
|
real s_out,
|
|
124
|
_Bool __Saturation_1,
|
|
125
|
_Bool __Saturation_2,
|
|
126
|
real enforce_lo_lim) =
|
|
127
|
\let __Saturation_1 = (0.0001 >= Signal);
|
|
128
|
\let enforce_lo_lim = (__Saturation_1?(0.0001):(Signal));
|
|
129
|
\let __Saturation_2 = (1000. <= enforce_lo_lim);
|
|
130
|
(s_out == (__Saturation_2?(1000.):(enforce_lo_lim)));
|
|
131
|
*/
|
|
132
|
/*@ predicate Ctrans_Saturation(real Signal,
|
|
133
|
real s_out) =
|
|
134
|
\exists _Bool __Saturation_1;
|
|
135
|
\exists _Bool __Saturation_2;
|
|
136
|
\exists real enforce_lo_lim;
|
|
137
|
trans_Saturation(Signal,
|
|
138
|
s_out,
|
|
139
|
__Saturation_1,
|
|
140
|
__Saturation_2,
|
|
141
|
enforce_lo_lim);
|
|
142
|
*/
|
|
143
|
/*@ requires \valid(s_out);
|
|
144
|
ensures Ctrans_Saturation(Signal,
|
|
145
|
*s_out);
|
|
146
|
assigns *s_out;
|
|
147
|
*/
|
|
148
|
extern void Saturation_step (double Signal,
|
|
149
|
double (*s_out)
|
|
150
|
);
|
|
151
|
|
|
152
|
/*@ predicate trans_VariableRateLimit(real ratelim_Out1_334,
|
|
153
|
real input_Out1_344,
|
|
154
|
_Bool ICtrig_Out1_354,
|
|
155
|
real IC_Out1_364,
|
|
156
|
real output_In1_489,
|
|
157
|
struct VariableRateLimit_mem self1,
|
|
158
|
struct VariableRateLimit_mem self2,
|
|
159
|
real Gain1_Out1_382,
|
|
160
|
real Gain_Out1_373,
|
|
161
|
real Integrator1_Out1_391,
|
|
162
|
real Sum2_Out1_401,
|
|
163
|
real Variable_Limit_Saturation_Out1_410,
|
|
164
|
_Bool __VariableRateLimit_1,
|
|
165
|
real __VariableRateLimit_2) =
|
|
166
|
\let __VariableRateLimit_1 = self1.ni_3._reg._first?1:0; (self2.ni_3._reg._first==0) &&
|
|
167
|
\let Integrator1_Out1_391 = (__VariableRateLimit_1?(IC_Out1_364):(self1._reg.__VariableRateLimit_3));
|
|
168
|
\let Gain1_Out1_382 = (- ratelim_Out1_334);
|
|
169
|
\let Sum2_Out1_401 = (input_Out1_344 + (- Integrator1_Out1_391));
|
|
170
|
\let Gain_Out1_373 = (20. * Sum2_Out1_401);
|
|
171
|
(self2._reg.__VariableRateLimit_3 == __VariableRateLimit_2) &&
|
|
172
|
Ctrans_integrator_reset((double) Variable_Limit_Saturation_Out1_410,
|
|
173
|
(_Bool) ((ICtrig_Out1_354)?1:0),
|
|
174
|
(double) IC_Out1_364,
|
|
175
|
__VariableRateLimit_2,
|
|
176
|
self1.ni_2,
|
|
177
|
self2.ni_2) &&
|
|
178
|
Ctrans_VariableLimitSaturation((double) ratelim_Out1_334,
|
|
179
|
(double) Gain_Out1_373,
|
|
180
|
(double) Gain1_Out1_382,
|
|
181
|
Variable_Limit_Saturation_Out1_410) &&
|
|
182
|
(output_In1_489 == Integrator1_Out1_391);
|
|
183
|
*/
|
|
184
|
/*@ predicate Ctrans_VariableRateLimit(real ratelim_Out1_334,
|
|
185
|
real input_Out1_344,
|
|
186
|
_Bool ICtrig_Out1_354,
|
|
187
|
real IC_Out1_364,
|
|
188
|
real output_In1_489,
|
|
189
|
struct VariableRateLimit_mem self1,
|
|
190
|
struct VariableRateLimit_mem self2) =
|
|
191
|
\exists real Gain1_Out1_382;
|
|
192
|
\exists real Gain_Out1_373;
|
|
193
|
\exists real Integrator1_Out1_391;
|
|
194
|
\exists real Sum2_Out1_401;
|
|
195
|
\exists real Variable_Limit_Saturation_Out1_410;
|
|
196
|
\exists _Bool __VariableRateLimit_1;
|
|
197
|
\exists real __VariableRateLimit_2;
|
|
198
|
trans_VariableRateLimit(ratelim_Out1_334,
|
|
199
|
input_Out1_344,
|
|
200
|
ICtrig_Out1_354,
|
|
201
|
IC_Out1_364,
|
|
202
|
output_In1_489,
|
|
203
|
self1,
|
|
204
|
self2,
|
|
205
|
Gain1_Out1_382,
|
|
206
|
Gain_Out1_373,
|
|
207
|
Integrator1_Out1_391,
|
|
208
|
Sum2_Out1_401,
|
|
209
|
Variable_Limit_Saturation_Out1_410,
|
|
210
|
__VariableRateLimit_1,
|
|
211
|
__VariableRateLimit_2);
|
|
212
|
*/
|
|
213
|
/*@ predicate init_VariableRateLimit(struct VariableRateLimit_mem self) =
|
|
214
|
|
|
215
|
init_integrator_reset(self.ni_2) &&
|
|
216
|
(self.ni_3._reg._first==1);
|
|
217
|
*/
|
|
218
|
#define VariableRateLimit_DECLARE(attr, inst)\
|
|
219
|
attr struct VariableRateLimit_mem inst;\
|
|
220
|
_arrow_DECLARE(attr, inst ## _ni_3);\
|
|
221
|
integrator_reset_DECLARE(attr, inst ## _ni_2);
|
|
222
|
|
|
223
|
|
|
224
|
#define VariableRateLimit_ALLOC(attr,inst)\
|
|
225
|
VariableRateLimit_DECLARE(attr,inst);
|
|
226
|
|
|
227
|
|
|
228
|
/*@requires \valid(self);
|
|
229
|
ensures init_VariableRateLimit(\at(*self, Here));
|
|
230
|
assigns *self;*/
|
|
231
|
extern void VariableRateLimit_reset (struct VariableRateLimit_mem *self);
|
|
232
|
|
|
233
|
/*@ requires \valid(output_In1_489);
|
|
234
|
requires \valid(self);
|
|
235
|
requires \separated(output_In1_489, self);
|
|
236
|
ensures Ctrans_VariableRateLimit(ratelim_Out1_334,
|
|
237
|
input_Out1_344,
|
|
238
|
ICtrig_Out1_354,
|
|
239
|
IC_Out1_364,
|
|
240
|
*output_In1_489,
|
|
241
|
\at(*self, Pre),
|
|
242
|
\at(*self, Here));
|
|
243
|
assigns *output_In1_489, *self;
|
|
244
|
*/
|
|
245
|
extern void VariableRateLimit_step (double ratelim_Out1_334,
|
|
246
|
double input_Out1_344,
|
|
247
|
_Bool ICtrig_Out1_354,
|
|
248
|
double IC_Out1_364,
|
|
249
|
double (*output_In1_489),
|
|
250
|
struct VariableRateLimit_mem *self);
|
|
251
|
|
|
252
|
/*@ predicate spec_85(real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661, struct AltitudeControl_mem self) =
|
|
253
|
(AntEng_Out1_19 == 0.);
|
|
254
|
*/
|
|
255
|
/*@ predicate spec_90(real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661, struct AltitudeControl_mem self) =
|
|
256
|
(altgammacmd_In1_661 == 0.);
|
|
257
|
*/
|
|
258
|
/*@ predicate trans_AltitudeControl(real AntEng_Out1_19,
|
|
259
|
real AltCmd_Out1_29,
|
|
260
|
real Alt_Out1_39,
|
|
261
|
real GsKts_Out1_49,
|
|
262
|
real hdot_Out1_59,
|
|
263
|
real hdotChgRate_Out1_69,
|
|
264
|
real altgammacmd_In1_661,
|
|
265
|
struct AltitudeControl_mem self1,
|
|
266
|
struct AltitudeControl_mem self2,
|
|
267
|
real Abs_Out1_144,
|
|
268
|
real Kh_Out1_193,
|
|
269
|
_Bool Logical_Operator_In1_197,
|
|
270
|
_Bool Logical_Operator_Out1_198,
|
|
271
|
real Saturation1_Out1_213,
|
|
272
|
real Sum3_Out1_296,
|
|
273
|
real Sum_Out1_286,
|
|
274
|
_Bool Switch1_In2_312,
|
|
275
|
real Switch1_Out1_314,
|
|
276
|
_Bool Switch_In2_303,
|
|
277
|
real Switch_Out1_305,
|
|
278
|
real Variable_Limit_Saturation_0_Out1_509,
|
|
279
|
real Variable__Rate_Limit_Out1_324,
|
|
280
|
_Bool __AltitudeControl_1,
|
|
281
|
_Bool __AltitudeControl_2,
|
|
282
|
real k_Out1_585,
|
|
283
|
real kts2fps_Out1_594,
|
|
284
|
real r2d_Out1_603) =
|
|
285
|
\let __AltitudeControl_1 = (hdot_Out1_59 < 0.);
|
|
286
|
\let Abs_Out1_144 = (__AltitudeControl_1?((- hdot_Out1_59)):(hdot_Out1_59));
|
|
287
|
\let Sum3_Out1_296 = (Abs_Out1_144 + 10.);
|
|
288
|
\let k_Out1_585 = (- Sum3_Out1_296);
|
|
289
|
\let __AltitudeControl_2 = (AntEng_Out1_19 == 0.);
|
|
290
|
\let Logical_Operator_In1_197 = (__AltitudeControl_2?(0):(1));
|
|
291
|
\let Logical_Operator_Out1_198 = (!Logical_Operator_In1_197);
|
|
292
|
\let Switch_In2_303 = (__AltitudeControl_2?(0):(1));
|
|
293
|
\let Sum_Out1_286 = (AltCmd_Out1_29 + (- Alt_Out1_39));
|
|
294
|
\let Kh_Out1_193 = (0.08 * Sum_Out1_286);
|
|
295
|
\let Switch_Out1_305 = (Switch_In2_303?(Kh_Out1_193):(0.));
|
|
296
|
\let r2d_Out1_603 = (57.2958 * Variable__Rate_Limit_Out1_324);
|
|
297
|
\let kts2fps_Out1_594 = (1.6878 * GsKts_Out1_49);
|
|
298
|
\let Switch1_In2_312 = (__AltitudeControl_2?(0):(1));
|
|
299
|
\let Switch1_Out1_314 = (Switch1_In2_312?(r2d_Out1_603):(0.));
|
|
300
|
Ctrans_Saturation((double) kts2fps_Out1_594,
|
|
301
|
Saturation1_Out1_213) &&
|
|
302
|
(altgammacmd_In1_661 == Switch1_Out1_314) &&
|
|
303
|
Ctrans_VariableRateLimit((double) hdotChgRate_Out1_69,
|
|
304
|
(double) Variable_Limit_Saturation_0_Out1_509,
|
|
305
|
(_Bool) ((Logical_Operator_Out1_198)?1:0),
|
|
306
|
(double) hdot_Out1_59,
|
|
307
|
Variable__Rate_Limit_Out1_324,
|
|
308
|
self1.ni_1,
|
|
309
|
self2.ni_1) &&
|
|
310
|
Ctrans_VariableLimitSaturation((double) Sum3_Out1_296,
|
|
311
|
(double) Switch_Out1_305,
|
|
312
|
(double) k_Out1_585,
|
|
313
|
Variable_Limit_Saturation_0_Out1_509);
|
|
314
|
*/
|
|
315
|
/*@ predicate Ctrans_AltitudeControl(real AntEng_Out1_19,
|
|
316
|
real AltCmd_Out1_29,
|
|
317
|
real Alt_Out1_39,
|
|
318
|
real GsKts_Out1_49,
|
|
319
|
real hdot_Out1_59,
|
|
320
|
real hdotChgRate_Out1_69,
|
|
321
|
real altgammacmd_In1_661,
|
|
322
|
struct AltitudeControl_mem self1,
|
|
323
|
struct AltitudeControl_mem self2) =
|
|
324
|
\exists real Abs_Out1_144;
|
|
325
|
\exists real Kh_Out1_193;
|
|
326
|
\exists _Bool Logical_Operator_In1_197;
|
|
327
|
\exists _Bool Logical_Operator_Out1_198;
|
|
328
|
\exists real Saturation1_Out1_213;
|
|
329
|
\exists real Sum3_Out1_296;
|
|
330
|
\exists real Sum_Out1_286;
|
|
331
|
\exists _Bool Switch1_In2_312;
|
|
332
|
\exists real Switch1_Out1_314;
|
|
333
|
\exists _Bool Switch_In2_303;
|
|
334
|
\exists real Switch_Out1_305;
|
|
335
|
\exists real Variable_Limit_Saturation_0_Out1_509;
|
|
336
|
\exists real Variable__Rate_Limit_Out1_324;
|
|
337
|
\exists _Bool __AltitudeControl_1;
|
|
338
|
\exists _Bool __AltitudeControl_2;
|
|
339
|
\exists real k_Out1_585;
|
|
340
|
\exists real kts2fps_Out1_594;
|
|
341
|
\exists real r2d_Out1_603;
|
|
342
|
trans_AltitudeControl(AntEng_Out1_19,
|
|
343
|
AltCmd_Out1_29,
|
|
344
|
Alt_Out1_39,
|
|
345
|
GsKts_Out1_49,
|
|
346
|
hdot_Out1_59,
|
|
347
|
hdotChgRate_Out1_69,
|
|
348
|
altgammacmd_In1_661,
|
|
349
|
self1,
|
|
350
|
self2,
|
|
351
|
Abs_Out1_144,
|
|
352
|
Kh_Out1_193,
|
|
353
|
Logical_Operator_In1_197,
|
|
354
|
Logical_Operator_Out1_198,
|
|
355
|
Saturation1_Out1_213,
|
|
356
|
Sum3_Out1_296,
|
|
357
|
Sum_Out1_286,
|
|
358
|
Switch1_In2_312,
|
|
359
|
Switch1_Out1_314,
|
|
360
|
Switch_In2_303,
|
|
361
|
Switch_Out1_305,
|
|
362
|
Variable_Limit_Saturation_0_Out1_509,
|
|
363
|
Variable__Rate_Limit_Out1_324,
|
|
364
|
__AltitudeControl_1,
|
|
365
|
__AltitudeControl_2,
|
|
366
|
k_Out1_585,
|
|
367
|
kts2fps_Out1_594,
|
|
368
|
r2d_Out1_603);
|
|
369
|
*/
|
|
370
|
/*@ predicate init_AltitudeControl(struct AltitudeControl_mem self) =
|
|
371
|
|
|
372
|
init_VariableRateLimit(self.ni_1);
|
|
373
|
*/
|
|
374
|
/*@ predicate inv_AltitudeControl(struct AltitudeControl_mem self3) =
|
|
375
|
(init_AltitudeControl(self3))||
|
|
376
|
(\exists struct AltitudeControl_mem self2, real AntEng_Out1_193, real AltCmd_Out1_293, real Alt_Out1_393, real GsKts_Out1_493, real hdot_Out1_593, real hdotChgRate_Out1_693, real altgammacmd_In1_6613;
|
|
377
|
Ctrans_AltitudeControl(AntEng_Out1_193,
|
|
378
|
AltCmd_Out1_293,
|
|
379
|
Alt_Out1_393,
|
|
380
|
GsKts_Out1_493,
|
|
381
|
hdot_Out1_593,
|
|
382
|
hdotChgRate_Out1_693,
|
|
383
|
altgammacmd_In1_6613,
|
|
384
|
self2,
|
|
385
|
self3)&&
|
|
386
|
(spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2))&&
|
|
387
|
init_AltitudeControl(self2))||
|
|
388
|
(\exists struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, real AntEng_Out1_193, real AntEng_Out1_192, real AltCmd_Out1_293, real AltCmd_Out1_292, real Alt_Out1_393, real Alt_Out1_392, real GsKts_Out1_493, real GsKts_Out1_492, real hdot_Out1_593, real hdot_Out1_592, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real altgammacmd_In1_6613, real altgammacmd_In1_6612;
|
|
389
|
Ctrans_AltitudeControl(AntEng_Out1_193,
|
|
390
|
AltCmd_Out1_293,
|
|
391
|
Alt_Out1_393,
|
|
392
|
GsKts_Out1_493,
|
|
393
|
hdot_Out1_593,
|
|
394
|
hdotChgRate_Out1_693,
|
|
395
|
altgammacmd_In1_6613,
|
|
396
|
self2,
|
|
397
|
self3)&&
|
|
398
|
Ctrans_AltitudeControl(AntEng_Out1_192,
|
|
399
|
AltCmd_Out1_292,
|
|
400
|
Alt_Out1_392,
|
|
401
|
GsKts_Out1_492,
|
|
402
|
hdot_Out1_592,
|
|
403
|
hdotChgRate_Out1_692,
|
|
404
|
altgammacmd_In1_6612,
|
|
405
|
self1,
|
|
406
|
self2)&&
|
|
407
|
(spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2))&&
|
|
408
|
(spec_85(AntEng_Out1_192, AltCmd_Out1_292, Alt_Out1_392, GsKts_Out1_492, hdot_Out1_592, hdotChgRate_Out1_692, altgammacmd_In1_6612, self1))&&
|
|
409
|
init_AltitudeControl(self1))||
|
|
410
|
(\exists struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, struct AltitudeControl_mem self0, real AntEng_Out1_193, real AntEng_Out1_192, real AntEng_Out1_191, real AltCmd_Out1_293, real AltCmd_Out1_292, real AltCmd_Out1_291, real Alt_Out1_393, real Alt_Out1_392, real Alt_Out1_391, real GsKts_Out1_493, real GsKts_Out1_492, real GsKts_Out1_491, real hdot_Out1_593, real hdot_Out1_592, real hdot_Out1_591, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real hdotChgRate_Out1_691, real altgammacmd_In1_6613, real altgammacmd_In1_6612, real altgammacmd_In1_6611;
|
|
411
|
Ctrans_AltitudeControl(AntEng_Out1_193,
|
|
412
|
AltCmd_Out1_293,
|
|
413
|
Alt_Out1_393,
|
|
414
|
GsKts_Out1_493,
|
|
415
|
hdot_Out1_593,
|
|
416
|
hdotChgRate_Out1_693,
|
|
417
|
altgammacmd_In1_6613,
|
|
418
|
self2,
|
|
419
|
self3)&&
|
|
420
|
Ctrans_AltitudeControl(AntEng_Out1_192,
|
|
421
|
AltCmd_Out1_292,
|
|
422
|
Alt_Out1_392,
|
|
423
|
GsKts_Out1_492,
|
|
424
|
hdot_Out1_592,
|
|
425
|
hdotChgRate_Out1_692,
|
|
426
|
altgammacmd_In1_6612,
|
|
427
|
self1,
|
|
428
|
self2)&&
|
|
429
|
Ctrans_AltitudeControl(AntEng_Out1_191,
|
|
430
|
AltCmd_Out1_291,
|
|
431
|
Alt_Out1_391,
|
|
432
|
GsKts_Out1_491,
|
|
433
|
hdot_Out1_591,
|
|
434
|
hdotChgRate_Out1_691,
|
|
435
|
altgammacmd_In1_6611,
|
|
436
|
self0,
|
|
437
|
self1)&&
|
|
438
|
(spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2))&&
|
|
439
|
(spec_85(AntEng_Out1_192, AltCmd_Out1_292, Alt_Out1_392, GsKts_Out1_492, hdot_Out1_592, hdotChgRate_Out1_692, altgammacmd_In1_6612, self1))&&
|
|
440
|
(spec_85(AntEng_Out1_191, AltCmd_Out1_291, Alt_Out1_391, GsKts_Out1_491, hdot_Out1_591, hdotChgRate_Out1_691, altgammacmd_In1_6611, self0))&&
|
|
441
|
(spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3))&&
|
|
442
|
(spec_90(AntEng_Out1_192, AltCmd_Out1_292, Alt_Out1_392, GsKts_Out1_492, hdot_Out1_592, hdotChgRate_Out1_692, altgammacmd_In1_6612, self2))&&
|
|
443
|
(spec_90(AntEng_Out1_191, AltCmd_Out1_291, Alt_Out1_391, GsKts_Out1_491, hdot_Out1_591, hdotChgRate_Out1_691, altgammacmd_In1_6611, self1)));
|
|
444
|
*/
|
|
445
|
/*@ lemma inv_init_3_AltitudeControl :
|
|
446
|
\forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, struct AltitudeControl_mem self0, real AntEng_Out1_193, real AntEng_Out1_192, real AntEng_Out1_191, real AltCmd_Out1_293, real AltCmd_Out1_292, real AltCmd_Out1_291, real Alt_Out1_393, real Alt_Out1_392, real Alt_Out1_391, real GsKts_Out1_493, real GsKts_Out1_492, real GsKts_Out1_491, real hdot_Out1_593, real hdot_Out1_592, real hdot_Out1_591, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real hdotChgRate_Out1_691, real altgammacmd_In1_6613, real altgammacmd_In1_6612, real altgammacmd_In1_6611;
|
|
447
|
Ctrans_AltitudeControl(AntEng_Out1_193,
|
|
448
|
AltCmd_Out1_293,
|
|
449
|
Alt_Out1_393,
|
|
450
|
GsKts_Out1_493,
|
|
451
|
hdot_Out1_593,
|
|
452
|
hdotChgRate_Out1_693,
|
|
453
|
altgammacmd_In1_6613,
|
|
454
|
self2,
|
|
455
|
self3)==>
|
|
456
|
Ctrans_AltitudeControl(AntEng_Out1_192,
|
|
457
|
AltCmd_Out1_292,
|
|
458
|
Alt_Out1_392,
|
|
459
|
GsKts_Out1_492,
|
|
460
|
hdot_Out1_592,
|
|
461
|
hdotChgRate_Out1_692,
|
|
462
|
altgammacmd_In1_6612,
|
|
463
|
self1,
|
|
464
|
self2)==>
|
|
465
|
Ctrans_AltitudeControl(AntEng_Out1_191,
|
|
466
|
AltCmd_Out1_291,
|
|
467
|
Alt_Out1_391,
|
|
468
|
GsKts_Out1_491,
|
|
469
|
hdot_Out1_591,
|
|
470
|
hdotChgRate_Out1_691,
|
|
471
|
altgammacmd_In1_6611,
|
|
472
|
self0,
|
|
473
|
self1)==>
|
|
474
|
init_AltitudeControl(self0) ==> spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2)==>
|
|
475
|
spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self1)==>
|
|
476
|
spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self0)==>
|
|
477
|
(spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3));
|
|
478
|
*/
|
|
479
|
/*@ lemma inv_init_2_AltitudeControl :
|
|
480
|
\forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, real AntEng_Out1_193, real AntEng_Out1_192, real AltCmd_Out1_293, real AltCmd_Out1_292, real Alt_Out1_393, real Alt_Out1_392, real GsKts_Out1_493, real GsKts_Out1_492, real hdot_Out1_593, real hdot_Out1_592, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real altgammacmd_In1_6613, real altgammacmd_In1_6612;
|
|
481
|
Ctrans_AltitudeControl(AntEng_Out1_193,
|
|
482
|
AltCmd_Out1_293,
|
|
483
|
Alt_Out1_393,
|
|
484
|
GsKts_Out1_493,
|
|
485
|
hdot_Out1_593,
|
|
486
|
hdotChgRate_Out1_693,
|
|
487
|
altgammacmd_In1_6613,
|
|
488
|
self2,
|
|
489
|
self3)==>
|
|
490
|
Ctrans_AltitudeControl(AntEng_Out1_192,
|
|
491
|
AltCmd_Out1_292,
|
|
492
|
Alt_Out1_392,
|
|
493
|
GsKts_Out1_492,
|
|
494
|
hdot_Out1_592,
|
|
495
|
hdotChgRate_Out1_692,
|
|
496
|
altgammacmd_In1_6612,
|
|
497
|
self1,
|
|
498
|
self2)==>
|
|
499
|
init_AltitudeControl(self1) ==> spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2)==>
|
|
500
|
spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self1)==>
|
|
501
|
(spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3));
|
|
502
|
*/
|
|
503
|
/*@ lemma inv_init_1_AltitudeControl :
|
|
504
|
\forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, real AntEng_Out1_193, real AltCmd_Out1_293, real Alt_Out1_393, real GsKts_Out1_493, real hdot_Out1_593, real hdotChgRate_Out1_693, real altgammacmd_In1_6613;
|
|
505
|
Ctrans_AltitudeControl(AntEng_Out1_193,
|
|
506
|
AltCmd_Out1_293,
|
|
507
|
Alt_Out1_393,
|
|
508
|
GsKts_Out1_493,
|
|
509
|
hdot_Out1_593,
|
|
510
|
hdotChgRate_Out1_693,
|
|
511
|
altgammacmd_In1_6613,
|
|
512
|
self2,
|
|
513
|
self3)==>
|
|
514
|
init_AltitudeControl(self2) ==> spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2)==>
|
|
515
|
(spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3));
|
|
516
|
*/
|
|
517
|
/*@ lemma inv_spec_AltitudeControl :
|
|
518
|
\forall struct AltitudeControl_mem self1, self2, real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661;
|
|
519
|
inv_AltitudeControl(self1)==>
|
|
520
|
Ctrans_AltitudeControl(AntEng_Out1_19,
|
|
521
|
AltCmd_Out1_29,
|
|
522
|
Alt_Out1_39,
|
|
523
|
GsKts_Out1_49,
|
|
524
|
hdot_Out1_59,
|
|
525
|
hdotChgRate_Out1_69,
|
|
526
|
altgammacmd_In1_661,
|
|
527
|
self1,
|
|
528
|
self2)==>
|
|
529
|
spec_85(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, altgammacmd_In1_661, self1)==>
|
|
530
|
spec_90(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, altgammacmd_In1_661, self2);
|
|
531
|
*/
|
|
532
|
/*@ lemma inv_inv_AltitudeControl :
|
|
533
|
\forall struct AltitudeControl_mem self1, self2, real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661;
|
|
534
|
inv_AltitudeControl(self1)==>
|
|
535
|
Ctrans_AltitudeControl(AntEng_Out1_19,
|
|
536
|
AltCmd_Out1_29,
|
|
537
|
Alt_Out1_39,
|
|
538
|
GsKts_Out1_49,
|
|
539
|
hdot_Out1_59,
|
|
540
|
hdotChgRate_Out1_69,
|
|
541
|
altgammacmd_In1_661,
|
|
542
|
self1,
|
|
543
|
self2)==>
|
|
544
|
spec_85(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, altgammacmd_In1_661, self1)==>
|
|
545
|
inv_AltitudeControl(self2);
|
|
546
|
*/
|
|
547
|
#define AltitudeControl_DECLARE(attr, inst)\
|
|
548
|
attr struct AltitudeControl_mem inst;\
|
|
549
|
VariableRateLimit_DECLARE(attr, inst ## _ni_1);
|
|
550
|
|
|
551
|
|
|
552
|
#define AltitudeControl_ALLOC(attr,inst)\
|
|
553
|
AltitudeControl_DECLARE(attr,inst);
|
|
554
|
|
|
555
|
|
|
556
|
/*@requires \valid(self);
|
|
557
|
ensures init_AltitudeControl(\at(*self, Here));
|
|
558
|
ensures inv_AltitudeControl(*self);
|
|
559
|
assigns *self;*/
|
|
560
|
extern void AltitudeControl_reset (struct AltitudeControl_mem *self);
|
|
561
|
|
|
562
|
/*@ requires \valid(altgammacmd_In1_661);
|
|
563
|
requires \valid(self);
|
|
564
|
requires \separated(altgammacmd_In1_661, self);
|
|
565
|
requires spec_85(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, *altgammacmd_In1_661, *self);
|
|
566
|
requires inv_AltitudeControl(*self);
|
|
567
|
ensures spec_90(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, *altgammacmd_In1_661, *self);
|
|
568
|
ensures inv_AltitudeControl(*self);
|
|
569
|
ensures Ctrans_AltitudeControl(AntEng_Out1_19,
|
|
570
|
AltCmd_Out1_29,
|
|
571
|
Alt_Out1_39,
|
|
572
|
GsKts_Out1_49,
|
|
573
|
hdot_Out1_59,
|
|
574
|
hdotChgRate_Out1_69,
|
|
575
|
*altgammacmd_In1_661,
|
|
576
|
\at(*self, Pre),
|
|
577
|
\at(*self, Here));
|
|
578
|
|
|
579
|
assigns *altgammacmd_In1_661, *self;
|
|
580
|
|
|
581
|
*/
|
|
582
|
extern void AltitudeControl_step (double AntEng_Out1_19,
|
|
583
|
double AltCmd_Out1_29, double Alt_Out1_39,
|
|
584
|
double GsKts_Out1_49, double hdot_Out1_59,
|
|
585
|
double hdotChgRate_Out1_69,
|
|
586
|
double (*altgammacmd_In1_661),
|
|
587
|
struct AltitudeControl_mem *self);
|
|
588
|
|
|
589
|
/*@ predicate trans_top(_Bool AltEng,
|
|
590
|
real AltCmd,
|
|
591
|
real Altitude,
|
|
592
|
real gskts,
|
|
593
|
real hdot,
|
|
594
|
real hdotChgRate,
|
|
595
|
_Bool obs,
|
|
596
|
struct top_mem self1,
|
|
597
|
struct top_mem self2,
|
|
598
|
real altgammaCmd,
|
|
599
|
real tempAlt) =
|
|
600
|
\let tempAlt = (AltEng?(1.):(0.));
|
|
601
|
((!obs) == (!(altgammaCmd == 0.))) &&
|
|
602
|
Ctrans_AltitudeControl((double) tempAlt,
|
|
603
|
(double) AltCmd,
|
|
604
|
(double) Altitude,
|
|
605
|
(double) gskts,
|
|
606
|
(double) hdot,
|
|
607
|
(double) hdotChgRate,
|
|
608
|
altgammaCmd,
|
|
609
|
self1.ni_0,
|
|
610
|
self2.ni_0);
|
|
611
|
*/
|
|
612
|
/*@ predicate Ctrans_top(_Bool AltEng,
|
|
613
|
real AltCmd,
|
|
614
|
real Altitude,
|
|
615
|
real gskts,
|
|
616
|
real hdot,
|
|
617
|
real hdotChgRate,
|
|
618
|
_Bool obs,
|
|
619
|
struct top_mem self1,
|
|
620
|
struct top_mem self2) =
|
|
621
|
\exists real altgammaCmd;
|
|
622
|
\exists real tempAlt;
|
|
623
|
trans_top(AltEng,
|
|
624
|
AltCmd,
|
|
625
|
Altitude,
|
|
626
|
gskts,
|
|
627
|
hdot,
|
|
628
|
hdotChgRate,
|
|
629
|
obs,
|
|
630
|
self1,
|
|
631
|
self2,
|
|
632
|
altgammaCmd,
|
|
633
|
tempAlt);
|
|
634
|
*/
|
|
635
|
/*@ predicate init_top(struct top_mem self) =
|
|
636
|
|
|
637
|
init_AltitudeControl(self.ni_0);
|
|
638
|
*/
|
|
639
|
#define top_DECLARE(attr, inst)\
|
|
640
|
attr struct top_mem inst;\
|
|
641
|
AltitudeControl_DECLARE(attr, inst ## _ni_0);
|
|
642
|
|
|
643
|
|
|
644
|
#define top_ALLOC(attr,inst)\
|
|
645
|
top_DECLARE(attr,inst);
|
|
646
|
|
|
647
|
|
|
648
|
/*@requires \valid(self);
|
|
649
|
ensures init_top(\at(*self, Here));
|
|
650
|
assigns *self;*/
|
|
651
|
extern void top_reset (struct top_mem *self);
|
|
652
|
|
|
653
|
/*@ requires \valid(obs);
|
|
654
|
requires \valid(self);
|
|
655
|
requires \separated(obs, self);
|
|
656
|
ensures Ctrans_top(AltEng,
|
|
657
|
AltCmd,
|
|
658
|
Altitude,
|
|
659
|
gskts,
|
|
660
|
hdot,
|
|
661
|
hdotChgRate,
|
|
662
|
*obs,
|
|
663
|
\at(*self, Pre),
|
|
664
|
\at(*self, Here));
|
|
665
|
assigns *obs, *self;
|
|
666
|
*/
|
|
667
|
extern void top_step (_Bool AltEng, double AltCmd, double Altitude,
|
|
668
|
double gskts, double hdot, double hdotChgRate,
|
|
669
|
_Bool (*obs),
|
|
670
|
struct top_mem *self);
|
|
671
|
|
|
672
|
|
|
673
|
#endif
|
|
674
|
|