CristalCaveGem » LustreC

/* C code generated by main_lustre_compiler.native

   SVN version number 355

   Code is C99 compliant */

#ifndef _ALT_2_LUSTREC

#define _ALT_2_LUSTREC

/* Imports standard library */

#include "/home/davyg/local_proofcompilation//include/lustrec/arrow.h"

/* Types definitions */

/*@ lemma missing: \forall _Bool x; (x != 0) <==> (((int) x) != 0);*/

/* Global constant (declarations, definitions are in C file) */

/* Struct declarations */

struct integrator_reset_mem {struct integrator_reset_reg {double __integrator_reset_2;} _reg; struct _arrow_mem ni_4; };

struct VariableRateLimit_mem {struct VariableRateLimit_reg {double __VariableRateLimit_3;} _reg; struct _arrow_mem ni_3; struct integrator_reset_mem ni_2; };

struct AltitudeControl_mem {struct AltitudeControl_reg {int dummy;} _reg; struct VariableRateLimit_mem ni_1; };

struct top_mem {struct top_reg {int dummy;} _reg; struct AltitudeControl_mem ni_0; };

/* Nodes declarations */

/*@ predicate trans_VariableLimitSaturation(real up_lim,

                                            real Signal,

                                            real lo_lim,

                                            real out,

                                            integer __VariableLimitSaturation_1,

                                            integer __VariableLimitSaturation_2,

                                            real enforce_lo_lim) =

       (__VariableLimitSaturation_1 == (Signal >= lo_lim)) &&

       (enforce_lo_lim == (__VariableLimitSaturation_1?(Signal):(lo_lim))) &&

       (__VariableLimitSaturation_2 == (enforce_lo_lim <= up_lim)) &&

       (out == (__VariableLimitSaturation_2?(enforce_lo_lim):(up_lim)));

*/

/*@ predicate Ctrans_VariableLimitSaturation(real up_lim,

                                             real Signal,

                                             real lo_lim,

                                             real out) =

       \exists integer __VariableLimitSaturation_1;

       \exists integer __VariableLimitSaturation_2;

       \exists real enforce_lo_lim;

       trans_VariableLimitSaturation(up_lim,

                                     Signal,

                                     lo_lim,

                                     out,

                                     __VariableLimitSaturation_1,

                                     __VariableLimitSaturation_2,

                                     enforce_lo_lim);

*/

/*@ requires \valid(out);

  ensures Ctrans_VariableLimitSaturation(up_lim,

                                         Signal,

                                         lo_lim,

                                         *out);

  assigns *out;

  */

extern void VariableLimitSaturation_step (double up_lim, double Signal,

                                          double lo_lim, 

                                          double (*out)

                                          );

/*@ predicate trans_integrator_reset(real Fx,

                                     integer ResetLevel,

                                     real x0,

                                     real ir_out,

                                     struct integrator_reset_mem self1,

                                     struct integrator_reset_mem self2,

                                     integer __integrator_reset_1) =

       (__integrator_reset_1==(self1.ni_4._reg._first?(1):(0))) && (self2.ni_4._reg._first==0) &&

       (ir_out == (__integrator_reset_1?(x0):((ResetLevel?(x0):(((Fx * 1.) + self1._reg.__integrator_reset_2)))))) &&

       (self2._reg.__integrator_reset_2 == ir_out);

*/

/*@ predicate Ctrans_integrator_reset(real Fx,

                                      integer ResetLevel,

                                      real x0,

                                      real ir_out,

                                      struct integrator_reset_mem self1,

                                      struct integrator_reset_mem self2) =

       \exists integer __integrator_reset_1;

       trans_integrator_reset(Fx,

                              ResetLevel,

                              x0,

                              ir_out,

                              self1,

                              self2,

                              __integrator_reset_1);

*/

/*@ predicate init_integrator_reset(struct integrator_reset_mem self) =

       (self.ni_4._reg._first==1);

*/

#define integrator_reset_DECLARE(attr, inst)\

  attr struct integrator_reset_mem inst;\

  _arrow_DECLARE(attr, inst ## _ni_4);

#define integrator_reset_ALLOC(attr,inst)\

  integrator_reset_DECLARE(attr,inst);

/*@requires \valid(self);

ensures init_integrator_reset(\at(*self, Here));

assigns *self;*/

extern void integrator_reset_reset (struct integrator_reset_mem *self);

/*@ requires \valid(ir_out);

  requires \valid(self);

  requires \separated(ir_out, self);

  ensures Ctrans_integrator_reset(Fx,

                                  ResetLevel,

                                  x0,

                                  *ir_out,

                                  \at(*self, Pre),

                                  (*self));

  assigns *ir_out, *self;

  */

extern void integrator_reset_step (double Fx, _Bool ResetLevel, double x0, 

                                   double (*ir_out),

                                   struct integrator_reset_mem *self);

/*@ predicate trans_Saturation(real Signal,

                               real s_out,

                               integer __Saturation_1,

                               integer __Saturation_2,

                               real enforce_lo_lim) =

       (__Saturation_1 == (0.0001 >= Signal)) &&

       (enforce_lo_lim == (__Saturation_1?(0.0001):(Signal))) &&

       (__Saturation_2 == (1000. <= enforce_lo_lim)) &&

       (s_out == (__Saturation_2?(1000.):(enforce_lo_lim)));

*/

/*@ predicate Ctrans_Saturation(real Signal,

                                real s_out) =

       \exists integer __Saturation_1;

       \exists integer __Saturation_2;

       \exists real enforce_lo_lim;

       trans_Saturation(Signal,

                        s_out,

                        __Saturation_1,

                        __Saturation_2,

                        enforce_lo_lim);

*/

/*@ requires \valid(s_out);

  ensures Ctrans_Saturation(Signal,

                            *s_out);

  assigns *s_out;

  */

extern void Saturation_step (double Signal, 

                             double (*s_out)

                             );

/*@ predicate trans_VariableRateLimit(real ratelim_Out1_334,

                                      real input_Out1_344,

                                      integer ICtrig_Out1_354,

                                      real IC_Out1_364,

                                      real output_In1_489,

                                      struct VariableRateLimit_mem self1,

                                      struct VariableRateLimit_mem self2,

                                      real Gain1_Out1_382,

                                      real Gain_Out1_373,

                                      real Integrator1_Out1_391,

                                      real Sum2_Out1_401,

                                      real Variable_Limit_Saturation_Out1_410,

                                      integer __VariableRateLimit_1,

                                      real __VariableRateLimit_2) =

       (__VariableRateLimit_1==(self1.ni_3._reg._first?(1):(0))) && (self2.ni_3._reg._first==0) &&

       (Integrator1_Out1_391 == (__VariableRateLimit_1?(IC_Out1_364):(self1._reg.__VariableRateLimit_3))) &&

       (output_In1_489 == Integrator1_Out1_391) &&

       (Gain1_Out1_382 == (- ratelim_Out1_334)) &&

       (Sum2_Out1_401 == (input_Out1_344 + (- Integrator1_Out1_391))) &&

       (Gain_Out1_373 == (20. * Sum2_Out1_401)) &&

       Ctrans_VariableLimitSaturation((double) ratelim_Out1_334,

                                      (double) Gain_Out1_373,

                                      (double) Gain1_Out1_382,

                                      Variable_Limit_Saturation_Out1_410) &&

       Ctrans_integrator_reset((double) Variable_Limit_Saturation_Out1_410,

                               ICtrig_Out1_354,

                               (double) IC_Out1_364,

                               __VariableRateLimit_2,

                               self1.ni_2,

                               self2.ni_2) &&

       (self2._reg.__VariableRateLimit_3 == __VariableRateLimit_2);

*/

/*@ predicate Ctrans_VariableRateLimit(real ratelim_Out1_334,

                                       real input_Out1_344,

                                       integer ICtrig_Out1_354,

                                       real IC_Out1_364,

                                       real output_In1_489,

                                       struct VariableRateLimit_mem self1,

                                       struct VariableRateLimit_mem self2) =

       \exists real Gain1_Out1_382;

       \exists real Gain_Out1_373;

       \exists real Integrator1_Out1_391;

       \exists real Sum2_Out1_401;

       \exists real Variable_Limit_Saturation_Out1_410;

       \exists integer __VariableRateLimit_1;

       \exists real __VariableRateLimit_2;

       trans_VariableRateLimit(ratelim_Out1_334,

                               input_Out1_344,

                               ICtrig_Out1_354,

                               IC_Out1_364,

                               output_In1_489,

                               self1,

                               self2,

                               Gain1_Out1_382,

                               Gain_Out1_373,

                               Integrator1_Out1_391,

                               Sum2_Out1_401,

                               Variable_Limit_Saturation_Out1_410,

                               __VariableRateLimit_1,

                               __VariableRateLimit_2);

*/

/*@ predicate init_VariableRateLimit(struct VariableRateLimit_mem self) =

       (self.ni_3._reg._first==1) &&

       init_integrator_reset(self.ni_2);

*/

#define VariableRateLimit_DECLARE(attr, inst)\

  attr struct VariableRateLimit_mem inst;\

  _arrow_DECLARE(attr, inst ## _ni_3);\

  integrator_reset_DECLARE(attr, inst ## _ni_2);

#define VariableRateLimit_ALLOC(attr,inst)\

  VariableRateLimit_DECLARE(attr,inst);

/*@requires \valid(self);

ensures init_VariableRateLimit(\at(*self, Here));

assigns *self;*/

extern void VariableRateLimit_reset (struct VariableRateLimit_mem *self);

/*@ requires \valid(output_In1_489);

  requires \valid(self);

  requires \separated(output_In1_489, self);

  ensures Ctrans_VariableRateLimit(ratelim_Out1_334,

                                   input_Out1_344,

                                   ICtrig_Out1_354,

                                   IC_Out1_364,

                                   *output_In1_489,

                                   \at(*self, Pre),

                                   (*self));

  assigns *output_In1_489, *self;

  */

extern void VariableRateLimit_step (double ratelim_Out1_334,

                                    double input_Out1_344,

                                    _Bool ICtrig_Out1_354,

                                    double IC_Out1_364, 

                                    double (*output_In1_489),

                                    struct VariableRateLimit_mem *self);

/*@ predicate spec_85(real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661, struct AltitudeControl_mem self) =

       (AntEng_Out1_19 == 0.);

*/

/*@ predicate spec_90(real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661, struct AltitudeControl_mem self) =

       (altgammacmd_In1_661 == 0.);

*/

/*@ predicate trans_AltitudeControl(real AntEng_Out1_19,

                                    real AltCmd_Out1_29,

                                    real Alt_Out1_39,

                                    real GsKts_Out1_49,

                                    real hdot_Out1_59,

                                    real hdotChgRate_Out1_69,

                                    real altgammacmd_In1_661,

                                    struct AltitudeControl_mem self1,

                                    struct AltitudeControl_mem self2,

                                    real Abs_Out1_144,

                                    real Kh_Out1_193,

                                    integer Logical_Operator_In1_197,

                                    integer Logical_Operator_Out1_198,

                                    real Saturation1_Out1_213,

                                    real Sum3_Out1_296,

                                    real Sum_Out1_286,

                                    integer Switch1_In2_312,

                                    real Switch1_Out1_314,

                                    integer Switch_In2_303,

                                    real Switch_Out1_305,

                                    real Variable_Limit_Saturation_0_Out1_509,

                                    real Variable__Rate_Limit_Out1_324,

                                    integer __AltitudeControl_1,

                                    integer __AltitudeControl_2,

                                    real k_Out1_585,

                                    real kts2fps_Out1_594,

                                    real r2d_Out1_603) =

       (__AltitudeControl_1 == (hdot_Out1_59 < 0.)) &&

       (Abs_Out1_144 == (__AltitudeControl_1?((- hdot_Out1_59)):(hdot_Out1_59))) &&

       (Sum3_Out1_296 == (Abs_Out1_144 + 10.)) &&

       (k_Out1_585 == (- Sum3_Out1_296)) &&

       (__AltitudeControl_2 == (AntEng_Out1_19 == 0.)) &&

       ((!Logical_Operator_In1_197) == (!(__AltitudeControl_2?(0):(1)))) &&

       ((!Logical_Operator_Out1_198) == (!(!Logical_Operator_In1_197))) &&

       ((!Switch_In2_303) == (!(__AltitudeControl_2?(0):(1)))) &&

       (Sum_Out1_286 == (AltCmd_Out1_29 + (- Alt_Out1_39))) &&

       (Kh_Out1_193 == (0.08 * Sum_Out1_286)) &&

       (Switch_Out1_305 == (Switch_In2_303?(Kh_Out1_193):(0.))) &&

       Ctrans_VariableLimitSaturation((double) Sum3_Out1_296,

                                      (double) Switch_Out1_305,

                                      (double) k_Out1_585,

                                      Variable_Limit_Saturation_0_Out1_509) &&

       Ctrans_VariableRateLimit((double) hdotChgRate_Out1_69,

                                (double) Variable_Limit_Saturation_0_Out1_509,

                                (_Bool) ((Logical_Operator_Out1_198)?1:0),

                                (double) hdot_Out1_59,

                                Variable__Rate_Limit_Out1_324,

                                self1.ni_1,

                                self2.ni_1) &&

       (r2d_Out1_603 == (57.2958 * Variable__Rate_Limit_Out1_324)) &&

       (kts2fps_Out1_594 == (1.6878 * GsKts_Out1_49)) &&

       ((!Switch1_In2_312) == (!(__AltitudeControl_2?(0):(1)))) &&

       (Switch1_Out1_314 == (Switch1_In2_312?(r2d_Out1_603):(0.))) &&

       (altgammacmd_In1_661 == Switch1_Out1_314) &&

       Ctrans_Saturation((double) kts2fps_Out1_594,

                         Saturation1_Out1_213);

*/

/*@ predicate Ctrans_AltitudeControl(real AntEng_Out1_19,

                                     real AltCmd_Out1_29,

                                     real Alt_Out1_39,

                                     real GsKts_Out1_49,

                                     real hdot_Out1_59,

                                     real hdotChgRate_Out1_69,

                                     real altgammacmd_In1_661,

                                     struct AltitudeControl_mem self1,

                                     struct AltitudeControl_mem self2) =

       \exists real Abs_Out1_144;

       \exists real Kh_Out1_193;

       \exists integer Logical_Operator_In1_197;

       \exists integer Logical_Operator_Out1_198;

       \exists real Saturation1_Out1_213;

       \exists real Sum3_Out1_296;

       \exists real Sum_Out1_286;

       \exists integer Switch1_In2_312;

       \exists real Switch1_Out1_314;

       \exists integer Switch_In2_303;

       \exists real Switch_Out1_305;

       \exists real Variable_Limit_Saturation_0_Out1_509;

       \exists real Variable__Rate_Limit_Out1_324;

       \exists integer __AltitudeControl_1;

       \exists integer __AltitudeControl_2;

       \exists real k_Out1_585;

       \exists real kts2fps_Out1_594;

       \exists real r2d_Out1_603;

       trans_AltitudeControl(AntEng_Out1_19,

                             AltCmd_Out1_29,

                             Alt_Out1_39,

                             GsKts_Out1_49,

                             hdot_Out1_59,

                             hdotChgRate_Out1_69,

                             altgammacmd_In1_661,

                             self1,

                             self2,

                             Abs_Out1_144,

                             Kh_Out1_193,

                             Logical_Operator_In1_197,

                             Logical_Operator_Out1_198,

                             Saturation1_Out1_213,

                             Sum3_Out1_296,

                             Sum_Out1_286,

                             Switch1_In2_312,

                             Switch1_Out1_314,

                             Switch_In2_303,

                             Switch_Out1_305,

                             Variable_Limit_Saturation_0_Out1_509,

                             Variable__Rate_Limit_Out1_324,

                             __AltitudeControl_1,

                             __AltitudeControl_2,

                             k_Out1_585,

                             kts2fps_Out1_594,

                             r2d_Out1_603);

*/

/*@ predicate init_AltitudeControl(struct AltitudeControl_mem self) =

       init_VariableRateLimit(self.ni_1);

*/

/*@ predicate inv_AltitudeControl(struct AltitudeControl_mem self3) =

       (init_AltitudeControl(self3))||

       (\exists struct AltitudeControl_mem self2, real AntEng_Out1_193, real AltCmd_Out1_293, real Alt_Out1_393, real GsKts_Out1_493, real hdot_Out1_593, real hdotChgRate_Out1_693, real altgammacmd_In1_6613;

       Ctrans_AltitudeControl(AntEng_Out1_193,

                              AltCmd_Out1_293,

                              Alt_Out1_393,

                              GsKts_Out1_493,

                              hdot_Out1_593,

                              hdotChgRate_Out1_693,

                              altgammacmd_In1_6613,

                              self2,

                              self3)&&

       (spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2))&&

       init_AltitudeControl(self2))||

       (\exists struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, real AntEng_Out1_193, real AntEng_Out1_192, real AltCmd_Out1_293, real AltCmd_Out1_292, real Alt_Out1_393, real Alt_Out1_392, real GsKts_Out1_493, real GsKts_Out1_492, real hdot_Out1_593, real hdot_Out1_592, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real altgammacmd_In1_6613, real altgammacmd_In1_6612;

       Ctrans_AltitudeControl(AntEng_Out1_193,

                              AltCmd_Out1_293,

                              Alt_Out1_393,

                              GsKts_Out1_493,

                              hdot_Out1_593,

                              hdotChgRate_Out1_693,

                              altgammacmd_In1_6613,

                              self2,

                              self3)&&

       Ctrans_AltitudeControl(AntEng_Out1_192,

                              AltCmd_Out1_292,

                              Alt_Out1_392,

                              GsKts_Out1_492,

                              hdot_Out1_592,

                              hdotChgRate_Out1_692,

                              altgammacmd_In1_6612,

                              self1,

                              self2)&&

       (spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2))&&

       (spec_85(AntEng_Out1_192, AltCmd_Out1_292, Alt_Out1_392, GsKts_Out1_492, hdot_Out1_592, hdotChgRate_Out1_692, altgammacmd_In1_6612, self1))&&

       init_AltitudeControl(self1))||

       (\exists struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, struct AltitudeControl_mem self0, real AntEng_Out1_193, real AntEng_Out1_192, real AntEng_Out1_191, real AltCmd_Out1_293, real AltCmd_Out1_292, real AltCmd_Out1_291, real Alt_Out1_393, real Alt_Out1_392, real Alt_Out1_391, real GsKts_Out1_493, real GsKts_Out1_492, real GsKts_Out1_491, real hdot_Out1_593, real hdot_Out1_592, real hdot_Out1_591, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real hdotChgRate_Out1_691, real altgammacmd_In1_6613, real altgammacmd_In1_6612, real altgammacmd_In1_6611;

       Ctrans_AltitudeControl(AntEng_Out1_193,

                              AltCmd_Out1_293,

                              Alt_Out1_393,

                              GsKts_Out1_493,

                              hdot_Out1_593,

                              hdotChgRate_Out1_693,

                              altgammacmd_In1_6613,

                              self2,

                              self3)&&

       Ctrans_AltitudeControl(AntEng_Out1_192,

                              AltCmd_Out1_292,

                              Alt_Out1_392,

                              GsKts_Out1_492,

                              hdot_Out1_592,

                              hdotChgRate_Out1_692,

                              altgammacmd_In1_6612,

                              self1,

                              self2)&&

       Ctrans_AltitudeControl(AntEng_Out1_191,

                              AltCmd_Out1_291,

                              Alt_Out1_391,

                              GsKts_Out1_491,

                              hdot_Out1_591,

                              hdotChgRate_Out1_691,

                              altgammacmd_In1_6611,

                              self0,

                              self1)&&

       (spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2))&&

       (spec_85(AntEng_Out1_192, AltCmd_Out1_292, Alt_Out1_392, GsKts_Out1_492, hdot_Out1_592, hdotChgRate_Out1_692, altgammacmd_In1_6612, self1))&&

       (spec_85(AntEng_Out1_191, AltCmd_Out1_291, Alt_Out1_391, GsKts_Out1_491, hdot_Out1_591, hdotChgRate_Out1_691, altgammacmd_In1_6611, self0))&&

       (spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3))&&

       (spec_90(AntEng_Out1_192, AltCmd_Out1_292, Alt_Out1_392, GsKts_Out1_492, hdot_Out1_592, hdotChgRate_Out1_692, altgammacmd_In1_6612, self2))&&

       (spec_90(AntEng_Out1_191, AltCmd_Out1_291, Alt_Out1_391, GsKts_Out1_491, hdot_Out1_591, hdotChgRate_Out1_691, altgammacmd_In1_6611, self1)));

*/

/*@ lemma inv_init_3_AltitudeControl : 

       \forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, struct AltitudeControl_mem self0, real AntEng_Out1_193, real AntEng_Out1_192, real AntEng_Out1_191, real AltCmd_Out1_293, real AltCmd_Out1_292, real AltCmd_Out1_291, real Alt_Out1_393, real Alt_Out1_392, real Alt_Out1_391, real GsKts_Out1_493, real GsKts_Out1_492, real GsKts_Out1_491, real hdot_Out1_593, real hdot_Out1_592, real hdot_Out1_591, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real hdotChgRate_Out1_691, real altgammacmd_In1_6613, real altgammacmd_In1_6612, real altgammacmd_In1_6611;

       Ctrans_AltitudeControl(AntEng_Out1_193,

                              AltCmd_Out1_293,

                              Alt_Out1_393,

                              GsKts_Out1_493,

                              hdot_Out1_593,

                              hdotChgRate_Out1_693,

                              altgammacmd_In1_6613,

                              self2,

                              self3)==>

       Ctrans_AltitudeControl(AntEng_Out1_192,

                              AltCmd_Out1_292,

                              Alt_Out1_392,

                              GsKts_Out1_492,

                              hdot_Out1_592,

                              hdotChgRate_Out1_692,

                              altgammacmd_In1_6612,

                              self1,

                              self2)==>

       Ctrans_AltitudeControl(AntEng_Out1_191,

                              AltCmd_Out1_291,

                              Alt_Out1_391,

                              GsKts_Out1_491,

                              hdot_Out1_591,

                              hdotChgRate_Out1_691,

                              altgammacmd_In1_6611,

                              self0,

                              self1)==>

       init_AltitudeControl(self0) ==> spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2)==>

       spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self1)==>

       spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self0)==>

       (spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3));

*/

/*@ lemma inv_init_2_AltitudeControl : 

       \forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, struct AltitudeControl_mem self1, real AntEng_Out1_193, real AntEng_Out1_192, real AltCmd_Out1_293, real AltCmd_Out1_292, real Alt_Out1_393, real Alt_Out1_392, real GsKts_Out1_493, real GsKts_Out1_492, real hdot_Out1_593, real hdot_Out1_592, real hdotChgRate_Out1_693, real hdotChgRate_Out1_692, real altgammacmd_In1_6613, real altgammacmd_In1_6612;

       Ctrans_AltitudeControl(AntEng_Out1_193,

                              AltCmd_Out1_293,

                              Alt_Out1_393,

                              GsKts_Out1_493,

                              hdot_Out1_593,

                              hdotChgRate_Out1_693,

                              altgammacmd_In1_6613,

                              self2,

                              self3)==>

       Ctrans_AltitudeControl(AntEng_Out1_192,

                              AltCmd_Out1_292,

                              Alt_Out1_392,

                              GsKts_Out1_492,

                              hdot_Out1_592,

                              hdotChgRate_Out1_692,

                              altgammacmd_In1_6612,

                              self1,

                              self2)==>

       init_AltitudeControl(self1) ==> spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2)==>

       spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self1)==>

       (spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3));

*/

/*@ lemma inv_init_1_AltitudeControl : 

       \forall struct AltitudeControl_mem self3, struct AltitudeControl_mem self2, real AntEng_Out1_193, real AltCmd_Out1_293, real Alt_Out1_393, real GsKts_Out1_493, real hdot_Out1_593, real hdotChgRate_Out1_693, real altgammacmd_In1_6613;

       Ctrans_AltitudeControl(AntEng_Out1_193,

                              AltCmd_Out1_293,

                              Alt_Out1_393,

                              GsKts_Out1_493,

                              hdot_Out1_593,

                              hdotChgRate_Out1_693,

                              altgammacmd_In1_6613,

                              self2,

                              self3)==>

       init_AltitudeControl(self2) ==> spec_85(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self2)==>

       (spec_90(AntEng_Out1_193, AltCmd_Out1_293, Alt_Out1_393, GsKts_Out1_493, hdot_Out1_593, hdotChgRate_Out1_693, altgammacmd_In1_6613, self3));

*/

/*@ lemma inv_spec_AltitudeControl : 

       \forall struct AltitudeControl_mem self1, self2, real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661;

       inv_AltitudeControl(self1)==>

       Ctrans_AltitudeControl(AntEng_Out1_19,

                              AltCmd_Out1_29,

                              Alt_Out1_39,

                              GsKts_Out1_49,

                              hdot_Out1_59,

                              hdotChgRate_Out1_69,

                              altgammacmd_In1_661,

                              self1,

                              self2)==>

       spec_85(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, altgammacmd_In1_661, self1)==>

       spec_90(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, altgammacmd_In1_661, self2);

*/

/*@ lemma inv_inv_AltitudeControl : 

       \forall struct AltitudeControl_mem self1, self2, real AntEng_Out1_19, real AltCmd_Out1_29, real Alt_Out1_39, real GsKts_Out1_49, real hdot_Out1_59, real hdotChgRate_Out1_69, real altgammacmd_In1_661;

       inv_AltitudeControl(self1)==>

       Ctrans_AltitudeControl(AntEng_Out1_19,

                              AltCmd_Out1_29,

                              Alt_Out1_39,

                              GsKts_Out1_49,

                              hdot_Out1_59,

                              hdotChgRate_Out1_69,

                              altgammacmd_In1_661,

                              self1,

                              self2)==>

       spec_85(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, altgammacmd_In1_661, self1)==>

       inv_AltitudeControl(self2);

*/

#define AltitudeControl_DECLARE(attr, inst)\

  attr struct AltitudeControl_mem inst;\

  VariableRateLimit_DECLARE(attr, inst ## _ni_1);

#define AltitudeControl_ALLOC(attr,inst)\

  AltitudeControl_DECLARE(attr,inst);

/*@requires \valid(self);

ensures init_AltitudeControl(\at(*self, Here));

ensures inv_AltitudeControl(*self);

assigns *self;*/

extern void AltitudeControl_reset (struct AltitudeControl_mem *self);

/*@ requires \valid(altgammacmd_In1_661);

  requires \valid(self);

  requires \separated(altgammacmd_In1_661, self);

  requires spec_85(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, *altgammacmd_In1_661, *self);

  requires inv_AltitudeControl(*self);

  ensures spec_90(AntEng_Out1_19, AltCmd_Out1_29, Alt_Out1_39, GsKts_Out1_49, hdot_Out1_59, hdotChgRate_Out1_69, *altgammacmd_In1_661, *self);

  ensures inv_AltitudeControl(*self);

  ensures Ctrans_AltitudeControl(AntEng_Out1_19,

                                 AltCmd_Out1_29,

                                 Alt_Out1_39,

                                 GsKts_Out1_49,

                                 hdot_Out1_59,

                                 hdotChgRate_Out1_69,

                                 *altgammacmd_In1_661,

                                 \at(*self, Pre),

                                 (*self));

  assigns *altgammacmd_In1_661, *self;

*/

extern void AltitudeControl_step (double AntEng_Out1_19,

                                  double AltCmd_Out1_29, double Alt_Out1_39,

                                  double GsKts_Out1_49, double hdot_Out1_59,

                                  double hdotChgRate_Out1_69, 

                                  double (*altgammacmd_In1_661),

                                  struct AltitudeControl_mem *self);

/*@ predicate trans_top(integer AltEng,

                        real AltCmd,

                        real Altitude,

                        real gskts,

                        real hdot,

                        real hdotChgRate,

                        integer obs,

                        struct top_mem self1,

                        struct top_mem self2,

                        real altgammaCmd,

                        real tempAlt) =

       (tempAlt == (AltEng?(1.):(0.))) &&

       Ctrans_AltitudeControl((double) tempAlt,

                              (double) AltCmd,

                              (double) Altitude,

                              (double) gskts,

                              (double) hdot,

                              (double) hdotChgRate,

                              altgammaCmd,

                              self1.ni_0,

                              self2.ni_0) &&

       ((!obs) == (!(altgammaCmd == 0.)));

*/

/*@ predicate Ctrans_top(integer AltEng,

                         real AltCmd,

                         real Altitude,

                         real gskts,

                         real hdot,

                         real hdotChgRate,

                         integer obs,

                         struct top_mem self1,

                         struct top_mem self2) =

       \exists real altgammaCmd;

       \exists real tempAlt;

       trans_top(AltEng,

                 AltCmd,

                 Altitude,

                 gskts,

                 hdot,

                 hdotChgRate,

                 obs,

                 self1,

                 self2,

                 altgammaCmd,

                 tempAlt);

*/

/*@ predicate init_top(struct top_mem self) =

       init_AltitudeControl(self.ni_0);

*/

#define top_DECLARE(attr, inst)\

  attr struct top_mem inst;\

  AltitudeControl_DECLARE(attr, inst ## _ni_0);

#define top_ALLOC(attr,inst)\

  top_DECLARE(attr,inst);

/*@requires \valid(self);

ensures init_top(\at(*self, Here));

assigns *self;*/

extern void top_reset (struct top_mem *self);

/*@ requires \valid(obs);

  requires \valid(self);

  requires \separated(obs, self);

  ensures Ctrans_top(AltEng,

                     AltCmd,

                     Altitude,

                     gskts,

                     hdot,

                     hdotChgRate,

                     *obs,

                     \at(*self, Pre),

                     (*self));

  assigns *obs, *self;

  */

extern void top_step (_Bool AltEng, double AltCmd, double Altitude,

                      double gskts, double hdot, double hdotChgRate, 

                      _Bool (*obs),

                      struct top_mem *self);

#endif