CristalCaveGem » LustreC

/* C code generated by main_lustre_compiler.native

   SVN version number 393

   Code is C99 compliant */

#ifndef _ALT_2_LUSTREC

#define _ALT_2_LUSTREC

/* Imports standard library */

#include "/home/davyg/local_proofcompilation//include/lustrec/arrow.h"

/* Types definitions */

/*@ lemma missing: \forall _Bool x; (x != 0) <==> (((int) x) != 0);*/

/* Global constant (declarations, definitions are in C file) */

/* Struct declarations */

struct integrator_reset_mem {struct integrator_reset_reg {double __integrator_reset_2;} _reg; struct _arrow_mem ni_3; };

struct VariableRateLimit_mem {struct VariableRateLimit_reg {double __VariableRateLimit_3;} _reg; struct _arrow_mem ni_2; struct integrator_reset_mem ni_1; };

struct AltitudeControl_mem {struct AltitudeControl_reg {int dummy;} _reg; struct VariableRateLimit_mem ni_0; };

/* Nodes declarations */

/*@ predicate trans_VariableLimitSaturation(real up_lim,

                                            real Signal,

                                            real lo_lim,

                                            real out,

                                            boolean __VariableLimitSaturation_1,

                                            boolean __VariableLimitSaturation_2,

                                            real enforce_lo_lim) =

       ((__VariableLimitSaturation_1?\true:\false) == ((Signal) >= (lo_lim))) &&

       ((enforce_lo_lim) == ((__VariableLimitSaturation_1?\true:\false)?((Signal)):((lo_lim)))) &&

       ((__VariableLimitSaturation_2?\true:\false) == ((enforce_lo_lim) <= (up_lim))) &&

       ((out) == ((__VariableLimitSaturation_2?\true:\false)?((enforce_lo_lim)):((up_lim))));

*/

/*@ predicate Ctrans_VariableLimitSaturation(real up_lim,

                                             real Signal,

                                             real lo_lim,

                                             real out) =

       \exists boolean __VariableLimitSaturation_1;

       \exists boolean __VariableLimitSaturation_2;

       \exists real enforce_lo_lim;

       trans_VariableLimitSaturation((up_lim),

                                     (Signal),

                                     (lo_lim),

                                     (out),

                                     (__VariableLimitSaturation_1?\true:\false),

                                     (__VariableLimitSaturation_2?\true:\false),

                                     (enforce_lo_lim));

*/

/*@ requires \valid(out);

  ensures Ctrans_VariableLimitSaturation((up_lim),

                                         (Signal),

                                         (lo_lim),

                                         (*out));

  assigns *out;

  */

extern void VariableLimitSaturation_step (double up_lim, double Signal,

                                          double lo_lim, 

                                          double (*out)

                                          );

/*@ predicate trans_integrator_reset(real Fx,

                                     boolean ResetLevel,

                                     real x0,

                                     real ir_out,

                                     struct integrator_reset_mem self1,

                                     struct integrator_reset_mem self2,

                                     boolean __integrator_reset_1) =

       ((__integrator_reset_1?\true:\false)==(self1.ni_3._reg._first?(1):(0))) && (self2.ni_3._reg._first==0) &&

       ((ir_out) == ((__integrator_reset_1?\true:\false)?((x0)):(((ResetLevel?\true:\false)?((x0)):((((Fx) * 1.) + self1._reg.__integrator_reset_2)))))) &&

       (self2._reg.__integrator_reset_2 == (ir_out));

*/

/*@ predicate Ctrans_integrator_reset(real Fx,

                                      boolean ResetLevel,

                                      real x0,

                                      real ir_out,

                                      struct integrator_reset_mem self1,

                                      struct integrator_reset_mem self2) =

       \exists boolean __integrator_reset_1;

       trans_integrator_reset((Fx),

                              (ResetLevel?\true:\false),

                              (x0),

                              (ir_out),

                              self1,

                              self2,

                              (__integrator_reset_1?\true:\false));

*/

/*@ predicate init_integrator_reset(struct integrator_reset_mem self) =

       (self.ni_3._reg._first==1);

*/

#define integrator_reset_DECLARE(attr, inst)\

  attr struct integrator_reset_mem inst;\

  _arrow_DECLARE(attr, inst ## _ni_3);

#define integrator_reset_ALLOC(attr,inst)\

  integrator_reset_DECLARE(attr,inst);

/*@requires \valid(self);

ensures init_integrator_reset(\at(*self, Here));

assigns *self;*/

extern void integrator_reset_reset (struct integrator_reset_mem *self);

/*@ requires \valid(ir_out);

  requires \valid(self);

  requires \separated(ir_out, self);

  ensures Ctrans_integrator_reset((Fx),

                                  (ResetLevel?\true:\false),

                                  (x0),

                                  (*ir_out),

                                  \at(*self, Pre),

                                  (*self));

  assigns *ir_out, *self;

  */

extern void integrator_reset_step (double Fx, _Bool ResetLevel, double x0, 

                                   double (*ir_out),

                                   struct integrator_reset_mem *self);

/*@ predicate trans_Saturation(real Signal,

                               real s_out,

                               boolean __Saturation_1,

                               boolean __Saturation_2,

                               real enforce_lo_lim) =

       ((__Saturation_1?\true:\false) == (0.0001 >= (Signal))) &&

       ((enforce_lo_lim) == ((__Saturation_1?\true:\false)?(0.0001):((Signal)))) &&

       ((__Saturation_2?\true:\false) == (1000. <= (enforce_lo_lim))) &&

       ((s_out) == ((__Saturation_2?\true:\false)?(1000.):((enforce_lo_lim))));

*/

/*@ predicate Ctrans_Saturation(real Signal,

                                real s_out) =

       \exists boolean __Saturation_1;

       \exists boolean __Saturation_2;

       \exists real enforce_lo_lim;

       trans_Saturation((Signal),

                        (s_out),

                        (__Saturation_1?\true:\false),

                        (__Saturation_2?\true:\false),

                        (enforce_lo_lim));

*/

/*@ requires \valid(s_out);

  ensures Ctrans_Saturation((Signal),

                            (*s_out));

  assigns *s_out;

  */

extern void Saturation_step (double Signal, 

                             double (*s_out)

                             );

/*@ predicate trans_VariableRateLimit(real ratelim_Out1_334,

                                      real input_Out1_344,

                                      boolean ICtrig_Out1_354,

                                      real IC_Out1_364,

                                      real output_In1_489,

                                      struct VariableRateLimit_mem self1,

                                      struct VariableRateLimit_mem self2,

                                      real Gain1_Out1_382,

                                      real Gain_Out1_373,

                                      real Integrator1_Out1_391,

                                      real Sum2_Out1_401,

                                      real Variable_Limit_Saturation_Out1_410,

                                      boolean __VariableRateLimit_1,

                                      real __VariableRateLimit_2) =

       ((__VariableRateLimit_1?\true:\false)==(self1.ni_2._reg._first?(1):(0))) && (self2.ni_2._reg._first==0) &&

       ((Integrator1_Out1_391) == ((__VariableRateLimit_1?\true:\false)?((IC_Out1_364)):(self1._reg.__VariableRateLimit_3))) &&

       ((output_In1_489) == (Integrator1_Out1_391)) &&

       ((Gain1_Out1_382) == (- (ratelim_Out1_334))) &&

       ((Sum2_Out1_401) == ((input_Out1_344) + (- (Integrator1_Out1_391)))) &&

       ((Gain_Out1_373) == (20. * (Sum2_Out1_401))) &&

       Ctrans_VariableLimitSaturation((ratelim_Out1_334),

                                      (Gain_Out1_373),

                                      (Gain1_Out1_382),

                                      (Variable_Limit_Saturation_Out1_410)) &&

       Ctrans_integrator_reset((Variable_Limit_Saturation_Out1_410),

                               (ICtrig_Out1_354?\true:\false),

                               (IC_Out1_364),

                               (__VariableRateLimit_2),

                               self1.ni_1,

                               self2.ni_1) &&

       (self2._reg.__VariableRateLimit_3 == (__VariableRateLimit_2));

*/

/*@ predicate Ctrans_VariableRateLimit(real ratelim_Out1_334,

                                       real input_Out1_344,

                                       boolean ICtrig_Out1_354,

                                       real IC_Out1_364,

                                       real output_In1_489,

                                       struct VariableRateLimit_mem self1,

                                       struct VariableRateLimit_mem self2) =

       \exists real Gain1_Out1_382;

       \exists real Gain_Out1_373;

       \exists real Integrator1_Out1_391;

       \exists real Sum2_Out1_401;

       \exists real Variable_Limit_Saturation_Out1_410;

       \exists boolean __VariableRateLimit_1;

       \exists real __VariableRateLimit_2;

       trans_VariableRateLimit((ratelim_Out1_334),

                               (input_Out1_344),

                               (ICtrig_Out1_354?\true:\false),

                               (IC_Out1_364),

                               (output_In1_489),

                               self1,

                               self2,

                               (Gain1_Out1_382),

                               (Gain_Out1_373),

                               (Integrator1_Out1_391),

                               (Sum2_Out1_401),

                               (Variable_Limit_Saturation_Out1_410),

                               (__VariableRateLimit_1?\true:\false),

                               (__VariableRateLimit_2));

*/

/*@ predicate init_VariableRateLimit(struct VariableRateLimit_mem self) =

       (self.ni_2._reg._first==1) &&

       init_integrator_reset(self.ni_1);

*/

#define VariableRateLimit_DECLARE(attr, inst)\

  attr struct VariableRateLimit_mem inst;\

  _arrow_DECLARE(attr, inst ## _ni_2);\

  integrator_reset_DECLARE(attr, inst ## _ni_1);

#define VariableRateLimit_ALLOC(attr,inst)\

  VariableRateLimit_DECLARE(attr,inst);

/*@requires \valid(self);

ensures init_VariableRateLimit(\at(*self, Here));

assigns *self;*/

extern void VariableRateLimit_reset (struct VariableRateLimit_mem *self);

/*@ requires \valid(output_In1_489);

  requires \valid(self);

  requires \separated(output_In1_489, self);

  ensures Ctrans_VariableRateLimit((ratelim_Out1_334),

                                   (input_Out1_344),

                                   (ICtrig_Out1_354?\true:\false),

                                   (IC_Out1_364),

                                   (*output_In1_489),

                                   \at(*self, Pre),

                                   (*self));

  assigns *output_In1_489, *self;

  */

extern void VariableRateLimit_step (double ratelim_Out1_334,

                                    double input_Out1_344,

                                    _Bool ICtrig_Out1_354,

                                    double IC_Out1_364, 

                                    double (*output_In1_489),

                                    struct VariableRateLimit_mem *self);

/*@ predicate spec_85(real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661, struct AltitudeControl_mem self) =

       (AntEng_Out1_19 == 0.);

*/

/*@ predicate spec_90(real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661, struct AltitudeControl_mem self) =

       (altgammacmd_In1_661 == 0.);

*/

/*@ predicate trans_AltitudeControl(real AntEng_Out1_19,

                                    real AltCmd_Out1_29,

                                    real Alt_Out1_39,

                                    real GsKts_Out1_49,

                                    real hdot_Out1_59,

                                    real hdotChgRate_Out1_69,

                                    real altgammacmd_In1_661,

                                    struct AltitudeControl_mem self1,

                                    struct AltitudeControl_mem self2,

                                    real Abs_Out1_144,

                                    real Kh_Out1_193,

                                    boolean Logical_Operator_In1_197,

                                    boolean Logical_Operator_Out1_198,

                                    real Saturation1_Out1_213,

                                    real Sum3_Out1_296,

                                    real Sum_Out1_286,

                                    boolean Switch1_In2_312,

                                    real Switch1_Out1_314,

                                    boolean Switch_In2_303,

                                    real Switch_Out1_305,

                                    real Variable_Limit_Saturation_0_Out1_509,

                                    real Variable__Rate_Limit_Out1_324,

                                    boolean __AltitudeControl_1,

                                    boolean __AltitudeControl_2,

                                    real k_Out1_585,

                                    real kts2fps_Out1_594,

                                    real r2d_Out1_603) =

       ((__AltitudeControl_1?\true:\false) == ((hdot_Out1_59) < 0.)) &&

       ((Abs_Out1_144) == ((__AltitudeControl_1?\true:\false)?((- (hdot_Out1_59))):((hdot_Out1_59)))) &&

       ((Sum3_Out1_296) == ((Abs_Out1_144) + 10.)) &&

       ((k_Out1_585) == (- (Sum3_Out1_296))) &&

       ((__AltitudeControl_2?\true:\false) == ((AntEng_Out1_19) == 0.)) &&

       ((!(Logical_Operator_In1_197?\true:\false)) == (!((__AltitudeControl_2?\true:\false)?(0):(1)))) &&

       ((!(Logical_Operator_Out1_198?\true:\false)) == (!(!(Logical_Operator_In1_197?\true:\false)))) &&

       ((!(Switch_In2_303?\true:\false)) == (!((__AltitudeControl_2?\true:\false)?(0):(1)))) &&

       ((Sum_Out1_286) == ((AltCmd_Out1_29) + (- (Alt_Out1_39)))) &&

       ((Kh_Out1_193) == (0.08 * (Sum_Out1_286))) &&

       ((Switch_Out1_305) == ((Switch_In2_303?\true:\false)?((Kh_Out1_193)):(0.))) &&

       Ctrans_VariableLimitSaturation((Sum3_Out1_296),

                                      (Switch_Out1_305),

                                      (k_Out1_585),

                                      (Variable_Limit_Saturation_0_Out1_509)) &&

       Ctrans_VariableRateLimit((hdotChgRate_Out1_69),

                                (Variable_Limit_Saturation_0_Out1_509),

                                (Logical_Operator_Out1_198?\true:\false),

                                (hdot_Out1_59),

                                (Variable__Rate_Limit_Out1_324),

                                self1.ni_0,

                                self2.ni_0) &&

       ((r2d_Out1_603) == (57.2958 * (Variable__Rate_Limit_Out1_324))) &&

       ((kts2fps_Out1_594) == (1.6878 * (GsKts_Out1_49))) &&

       ((!(Switch1_In2_312?\true:\false)) == (!((__AltitudeControl_2?\true:\false)?(0):(1)))) &&

       ((Switch1_Out1_314) == ((Switch1_In2_312?\true:\false)?((r2d_Out1_603)):(0.))) &&

       ((altgammacmd_In1_661) == (Switch1_Out1_314)) &&

       Ctrans_Saturation((kts2fps_Out1_594),

                         (Saturation1_Out1_213));

*/

/*@ predicate Ctrans_AltitudeControl(real AntEng_Out1_19,

                                     real AltCmd_Out1_29,

                                     real Alt_Out1_39,

                                     real GsKts_Out1_49,

                                     real hdot_Out1_59,

                                     real hdotChgRate_Out1_69,

                                     real altgammacmd_In1_661,

                                     struct AltitudeControl_mem self1,

                                     struct AltitudeControl_mem self2) =

       \exists real Abs_Out1_144;

       \exists real Kh_Out1_193;

       \exists boolean Logical_Operator_In1_197;

       \exists boolean Logical_Operator_Out1_198;

       \exists real Saturation1_Out1_213;

       \exists real Sum3_Out1_296;

       \exists real Sum_Out1_286;

       \exists boolean Switch1_In2_312;

       \exists real Switch1_Out1_314;

       \exists boolean Switch_In2_303;

       \exists real Switch_Out1_305;

       \exists real Variable_Limit_Saturation_0_Out1_509;

       \exists real Variable__Rate_Limit_Out1_324;

       \exists boolean __AltitudeControl_1;

       \exists boolean __AltitudeControl_2;

       \exists real k_Out1_585;

       \exists real kts2fps_Out1_594;

       \exists real r2d_Out1_603;

       trans_AltitudeControl((AntEng_Out1_19),

                             (AltCmd_Out1_29),

                             (Alt_Out1_39),

                             (GsKts_Out1_49),

                             (hdot_Out1_59),

                             (hdotChgRate_Out1_69),

                             (altgammacmd_In1_661),

                             self1,

                             self2,

                             (Abs_Out1_144),

                             (Kh_Out1_193),

                             (Logical_Operator_In1_197?\true:\false),

                             (Logical_Operator_Out1_198?\true:\false),

                             (Saturation1_Out1_213),

                             (Sum3_Out1_296),

                             (Sum_Out1_286),

                             (Switch1_In2_312?\true:\false),

                             (Switch1_Out1_314),

                             (Switch_In2_303?\true:\false),

                             (Switch_Out1_305),

                             (Variable_Limit_Saturation_0_Out1_509),

                             (Variable__Rate_Limit_Out1_324),

                             (__AltitudeControl_1?\true:\false),

                             (__AltitudeControl_2?\true:\false),

                             (k_Out1_585),

                             (kts2fps_Out1_594),

                             (r2d_Out1_603));

*/

/*@ predicate init_AltitudeControl(struct AltitudeControl_mem self) =

       init_VariableRateLimit(self.ni_0);

*/

/*@ predicate inv_AltitudeControl(struct AltitudeControl_mem self3) =

       (init_AltitudeControl(self3))||

       (\exists struct AltitudeControl_mem self2, real AntEng_Out1_193, real AltCmd_Out1_293, real Alt_Out1_393, real GsKts_Out1_493, real hdot_Out1_593, real hdotChgRate_Out1_693, real altgammacmd_In1_6613;

       Ctrans_AltitudeControl((AntEng_Out1_193),

                              (AltCmd_Out1_293),

                              (Alt_Out1_393),

                              (GsKts_Out1_493),

                              (hdot_Out1_593),

                              (hdotChgRate_Out1_693),

                              (altgammacmd_In1_6613),

                              self2,

                              self3)&&

       (spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self2)) &&

       init_AltitudeControl(self2))||

       (\exists struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, real AntEng_Out1_193, real AntEng_Out1_192, real AltCmd_Out1_293, real AltCmd_Out1_292, real Alt_Out1_393, real Alt_Out1_392, real GsKts_Out1_493, real GsKts_Out1_492, real hdot_Out1_593, real hdot_Out1_592, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real altgammacmd_In1_6613, real altgammacmd_In1_6612;

       Ctrans_AltitudeControl((AntEng_Out1_193),

                              (AltCmd_Out1_293),

                              (Alt_Out1_393),

                              (GsKts_Out1_493),

                              (hdot_Out1_593),

                              (hdotChgRate_Out1_693),

                              (altgammacmd_In1_6613),

                              self2,

                              self3)&&

       Ctrans_AltitudeControl((AntEng_Out1_192),

                              (AltCmd_Out1_292),

                              (Alt_Out1_392),

                              (GsKts_Out1_492),

                              (hdot_Out1_592),

                              (hdotChgRate_Out1_692),

                              (altgammacmd_In1_6612),

                              self1,

                              self2)&&

       (spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self2)) &&

       (spec_85((AntEng_Out1_192), (AltCmd_Out1_292), (Alt_Out1_392), (GsKts_Out1_492), (hdot_Out1_592), (hdotChgRate_Out1_692), (altgammacmd_In1_6612), self1)) &&

       init_AltitudeControl(self1))||

       (\exists struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, struct AltitudeControl_mem self0, real AntEng_Out1_193, real AntEng_Out1_192, real AntEng_Out1_191, real AltCmd_Out1_293, real AltCmd_Out1_292, real AltCmd_Out1_291, real Alt_Out1_393, real Alt_Out1_392, real Alt_Out1_391, real GsKts_Out1_493, real GsKts_Out1_492, real GsKts_Out1_491, real hdot_Out1_593, real hdot_Out1_592, real hdot_Out1_591, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real hdotChgRate_Out1_691, real altgammacmd_In1_6613, real altgammacmd_In1_6612, real altgammacmd_In1_6611;

       Ctrans_AltitudeControl((AntEng_Out1_193),

                              (AltCmd_Out1_293),

                              (Alt_Out1_393),

                              (GsKts_Out1_493),

                              (hdot_Out1_593),

                              (hdotChgRate_Out1_693),

                              (altgammacmd_In1_6613),

                              self2,

                              self3)&&

       Ctrans_AltitudeControl((AntEng_Out1_192),

                              (AltCmd_Out1_292),

                              (Alt_Out1_392),

                              (GsKts_Out1_492),

                              (hdot_Out1_592),

                              (hdotChgRate_Out1_692),

                              (altgammacmd_In1_6612),

                              self1,

                              self2)&&

       Ctrans_AltitudeControl((AntEng_Out1_191),

                              (AltCmd_Out1_291),

                              (Alt_Out1_391),

                              (GsKts_Out1_491),

                              (hdot_Out1_591),

                              (hdotChgRate_Out1_691),

                              (altgammacmd_In1_6611),

                              self0,

                              self1)&&

       (spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self2)) &&

       (spec_85((AntEng_Out1_192), (AltCmd_Out1_292), (Alt_Out1_392), (GsKts_Out1_492), (hdot_Out1_592), (hdotChgRate_Out1_692), (altgammacmd_In1_6612), self1)) &&

       (spec_85((AntEng_Out1_191), (AltCmd_Out1_291), (Alt_Out1_391), (GsKts_Out1_491), (hdot_Out1_591), (hdotChgRate_Out1_691), (altgammacmd_In1_6611), self0)) &&

       (spec_90((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self3))&&

       (spec_90((AntEng_Out1_192), (AltCmd_Out1_292), (Alt_Out1_392), (GsKts_Out1_492), (hdot_Out1_592), (hdotChgRate_Out1_692), (altgammacmd_In1_6612), self2))&&

       (spec_90((AntEng_Out1_191), (AltCmd_Out1_291), (Alt_Out1_391), (GsKts_Out1_491), (hdot_Out1_591), (hdotChgRate_Out1_691), (altgammacmd_In1_6611), self1)));

*/

/*@ lemma inv_init_3_AltitudeControl : 

       \forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, struct AltitudeControl_mem self0, real AntEng_Out1_193, real AntEng_Out1_192, real AntEng_Out1_191, real AltCmd_Out1_293, real AltCmd_Out1_292, real AltCmd_Out1_291, real Alt_Out1_393, real Alt_Out1_392, real Alt_Out1_391, real GsKts_Out1_493, real GsKts_Out1_492, real GsKts_Out1_491, real hdot_Out1_593, real hdot_Out1_592, real hdot_Out1_591, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real hdotChgRate_Out1_691, real altgammacmd_In1_6613, real altgammacmd_In1_6612, real altgammacmd_In1_6611;

       Ctrans_AltitudeControl((AntEng_Out1_193),

                              (AltCmd_Out1_293),

                              (Alt_Out1_393),

                              (GsKts_Out1_493),

                              (hdot_Out1_593),

                              (hdotChgRate_Out1_693),

                              (altgammacmd_In1_6613),

                              self2,

                              self3)==>

       Ctrans_AltitudeControl((AntEng_Out1_192),

                              (AltCmd_Out1_292),

                              (Alt_Out1_392),

                              (GsKts_Out1_492),

                              (hdot_Out1_592),

                              (hdotChgRate_Out1_692),

                              (altgammacmd_In1_6612),

                              self1,

                              self2)==>

       Ctrans_AltitudeControl((AntEng_Out1_191),

                              (AltCmd_Out1_291),

                              (Alt_Out1_391),

                              (GsKts_Out1_491),

                              (hdot_Out1_591),

                              (hdotChgRate_Out1_691),

                              (altgammacmd_In1_6611),

                              self0,

                              self1)==>

       init_AltitudeControl(self0) ==> spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self2)==>

       spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self1)==>

       spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self0)==>

       (spec_90((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self3));

*/

/*@ lemma inv_init_2_AltitudeControl : 

       \forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, real AntEng_Out1_193, real AntEng_Out1_192, real AltCmd_Out1_293, real AltCmd_Out1_292, real Alt_Out1_393, real Alt_Out1_392, real GsKts_Out1_493, real GsKts_Out1_492, real hdot_Out1_593, real hdot_Out1_592, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real altgammacmd_In1_6613, real altgammacmd_In1_6612;

       Ctrans_AltitudeControl((AntEng_Out1_193),

                              (AltCmd_Out1_293),

                              (Alt_Out1_393),

                              (GsKts_Out1_493),

                              (hdot_Out1_593),

                              (hdotChgRate_Out1_693),

                              (altgammacmd_In1_6613),

                              self2,

                              self3)==>

       Ctrans_AltitudeControl((AntEng_Out1_192),

                              (AltCmd_Out1_292),

                              (Alt_Out1_392),

                              (GsKts_Out1_492),

                              (hdot_Out1_592),

                              (hdotChgRate_Out1_692),

                              (altgammacmd_In1_6612),

                              self1,

                              self2)==>

       init_AltitudeControl(self1) ==> spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self2)==>

       spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self1)==>

       (spec_90((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self3));

*/

/*@ lemma inv_init_1_AltitudeControl : 

       \forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, real AntEng_Out1_193, real AltCmd_Out1_293, real Alt_Out1_393, real GsKts_Out1_493, real hdot_Out1_593, real hdotChgRate_Out1_693, real altgammacmd_In1_6613;

       Ctrans_AltitudeControl((AntEng_Out1_193),

                              (AltCmd_Out1_293),

                              (Alt_Out1_393),

                              (GsKts_Out1_493),

                              (hdot_Out1_593),

                              (hdotChgRate_Out1_693),

                              (altgammacmd_In1_6613),

                              self2,

                              self3)==>

       init_AltitudeControl(self2) ==> spec_85((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self2)==>

       (spec_90((AntEng_Out1_193), (AltCmd_Out1_293), (Alt_Out1_393), (GsKts_Out1_493), (hdot_Out1_593), (hdotChgRate_Out1_693), (altgammacmd_In1_6613), self3));

*/

/*@ lemma inv_spec_AltitudeControl : 

       \forall struct AltitudeControl_mem self1, self2, real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661;

       inv_AltitudeControl(self1)==>

       Ctrans_AltitudeControl((AntEng_Out1_19),

                              (AltCmd_Out1_29),

                              (Alt_Out1_39),

                              (GsKts_Out1_49),

                              (hdot_Out1_59),

                              (hdotChgRate_Out1_69),

                              (altgammacmd_In1_661),

                              self1,

                              self2)==>

       spec_85((AntEng_Out1_19), (AltCmd_Out1_29), (Alt_Out1_39), (GsKts_Out1_49), (hdot_Out1_59), (hdotChgRate_Out1_69), (altgammacmd_In1_661), self1)==>

       spec_90((AntEng_Out1_19), (AltCmd_Out1_29), (Alt_Out1_39), (GsKts_Out1_49), (hdot_Out1_59), (hdotChgRate_Out1_69), (altgammacmd_In1_661), self2);

*/

/*@ lemma inv_inv_AltitudeControl : 

       \forall struct AltitudeControl_mem self1, self2, real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661;

       inv_AltitudeControl(self1)==>

       Ctrans_AltitudeControl((AntEng_Out1_19),

                              (AltCmd_Out1_29),

                              (Alt_Out1_39),

                              (GsKts_Out1_49),

                              (hdot_Out1_59),

                              (hdotChgRate_Out1_69),

                              (altgammacmd_In1_661),

                              self1,

                              self2)==>

       spec_85((AntEng_Out1_19), (AltCmd_Out1_29), (Alt_Out1_39), (GsKts_Out1_49), (hdot_Out1_59), (hdotChgRate_Out1_69), (altgammacmd_In1_661), self1)==>

       inv_AltitudeControl(self2);

*/

#define AltitudeControl_DECLARE(attr, inst)\

  attr struct AltitudeControl_mem inst;\

  VariableRateLimit_DECLARE(attr, inst ## _ni_0);

#define AltitudeControl_ALLOC(attr,inst)\

  AltitudeControl_DECLARE(attr,inst);

/*@requires \valid(self);

ensures init_AltitudeControl(\at(*self, Here));

ensures inv_AltitudeControl(*self);

assigns *self;*/

extern void AltitudeControl_reset (struct AltitudeControl_mem *self);

/*@ requires \valid(altgammacmd_In1_661);

  requires \valid(self);

  requires \separated(altgammacmd_In1_661, self);

  requires spec_85((AntEng_Out1_19), (AltCmd_Out1_29), (Alt_Out1_39), (GsKts_Out1_49), (hdot_Out1_59), (hdotChgRate_Out1_69), (*altgammacmd_In1_661), *self);

  requires inv_AltitudeControl(*self);

  ensures spec_90((AntEng_Out1_19), (AltCmd_Out1_29), (Alt_Out1_39), (GsKts_Out1_49), (hdot_Out1_59), (hdotChgRate_Out1_69), (*altgammacmd_In1_661), *self);

  ensures inv_AltitudeControl(*self);

  ensures Ctrans_AltitudeControl((AntEng_Out1_19),

                                 (AltCmd_Out1_29),

                                 (Alt_Out1_39),

                                 (GsKts_Out1_49),

                                 (hdot_Out1_59),

                                 (hdotChgRate_Out1_69),

                                 (*altgammacmd_In1_661),

                                 \at(*self, Pre),

                                 (*self));

  assigns *altgammacmd_In1_661, *self;

*/

extern void AltitudeControl_step (double AntEng_Out1_19,

                                  double AltCmd_Out1_29, double Alt_Out1_39,

                                  double GsKts_Out1_49, double hdot_Out1_59,

                                  double hdotChgRate_Out1_69, 

                                  double (*altgammacmd_In1_661),

                                  struct AltitudeControl_mem *self);

#endif