#include #include #define NULL 0 // A task is represented by a unique unsigned interger typedef unsigned taskID; /* Following structure defines the type for the object to be returned from the function 'vTaskDelayUntil'. */ typedef struct taskAndpWT{ _( ghost taskID running ) _( ghost \natural pWT ) unsigned dummy; }runningAndPWTZ2; /* Following structure models the set of tasks in the system */ _(dynamic_owns) typedef struct task{ /* Following map models the set of tasks in the system, given the ID of a task, the value under this map tells whether the given task is present in the system (value 'true') or not (value 'false'). */ _( ghost \bool member[ taskID ] ) /* Following is a dummy field to satisfy the requirement that "every structure must contain at least one physical field". */ unsigned dummy; /* Let 0 be the task ID for 'idle' task and UINT_MAX be the task ID for 'null' task */ /*INV-1: 'idle' and 'null' tasks are present in the system at any valid state. */ _( invariant ( ( member[ 0 ] == \true ) && ( member[ UINT_MAX ] == \true ) ) ) } Task; /* Following structure models the sequence 'iseq TASK' in the Z models. */ _(dynamic_owns) typedef struct iseq{ /* Following map models a sequence of task IDs, the value for a given natural number 'i' gives the ID of the ith task in the sequence. */ _( ghost taskID list[ \natural ] ) /* Following map gives the index ( between '0' and 'length - 1' )of the given taskID in the above sequence. This field allows easy specification of some properties like membership. */ _( ghost \natural index[ taskID ] ) /* Following field gives the number of valid tasks in the sequence */ _( ghost \natural length ) /* Following is a dummy field to satisfy the requirement that "every structure must contain at least one physical field". */ unsigned dummy; /*INV-1: The Task IDs in the sequence are distinct. */ _( invariant \forall \natural i,j; ( ( ( i < length ) && ( j < length ) && ( i != j ) ) ==> ( list[ i ] != list[ j ] ) ) ) /*INV-2: The sequence 'list' contains valid taskIDs ( '0' to 'UINT_MAX - 1') from '0' to 'length - 1'. 'UINT_MAX' is the ID for the task 'null'. */ _( invariant \forall \natural i; ( i < length ) ==> ( list[ i ] < UINT_MAX ) ) /*INV-3: The sequence 'list' contains 'null' task beyond 'length - 1'. This allows easy and consistent update on this map. */ _( invariant \forall \natural i; ( i >= length ) ==> ( list[ i ] == UINT_MAX ) ) /*INV-4: The maps 'index' and 'list' are in sync up to the position 'lngth - 1'. */ _( invariant \forall \natural i; ( i < length ) ==> ( index[ list[ i ] ] == i ) ) /*INV-5: If the index value for a task is valid then the task is present in the list at the concerned position. */ _( invariant \forall taskID t; ( index[ t ] < length ) ==> ( list[ index[ t ] ] == t ) ) } iSeq; /* Following structure models different task lists in the system */ _(dynamic_owns) typedef struct lists{ /* Following field models the set of ready tasks in the system. There is one sequence of tasks for each priority ( from 1 to maximum priority value ). The order of the tasks in each sequence is decided by the time of insertion into the sequence. */ _( ghost iSeq ready[ UINT_MAX ] ) /* Following map models whether a given task ( ID ) is present in ready lists, and is ensured by an invariant in the structure 'system'. */ _( ghost \bool isInReady[ taskID ] ) /* Following field models the sequence of blocked tasks in the system. The order of the tasks in this sequence is decided by the priority of the tasks present. This order is ensured by an invariant in the structure 'system'. */ _( ghost iSeq blocked ) /* Following map models the sequence of delayed tasks in the system Z2. The order of the tasks in this sequence is decided by the time to awake for each task and which is modelled by the field/map 'timeToAwakeZ2'. */ _( ghost taskID delayedZ2[ \natural ] ) /* Following field models the length of the sequence 'delayedZ2' (same as the length of the sequence 'timeToAwakeZ2'). */ _( ghost \natural delayedLengthZ2 ) /* Following map gives the index ( between '0' and 'delayedLengthZ2 - 1' )of the given taskID in the above sequence. This field allows easy specification of some properties like membership. */ _( ghost \natural indexDelayedZ2[ taskID ] ) /* Following map models the sequence of values representing the time to awake for the tasks present in the list 'delayedZ2'. */ _( ghost \natural timeToAwakeZ2[ \natural ] ) /* Following map models the sequence of delayed tasks in the model Z2 for which the value of time to awake is greater than than the maximum possible value for 'tickCount'. The order of the tasks in this sequence is decided by the time to awake for each task and which is modelled by the field/map 'timeToAwakeOD'. */ _( ghost taskID oDelayed[ \natural ] ) /* Following field models the length of the sequence 'oDelayed' (same as the length of the sequence 'timeToAwakeOD') */ _( ghost \natural oDelayedLength ) /* Following map gives the index ( between '0' and 'oDelayedLength - 1' )of the given taskID in the above list. This field allows easy specification of some properties like membership. */ _( ghost \natural indexODelayed[ taskID ] ) /* Following map models the sequence of values representing the time to awake for the tasks present in the list 'oDelayed'. */ _( ghost \natural timeToAwakeOD[ \natural ] ) /* Following map models the set of suspended tasks in the system, given the ID of a task, the value under this map represents whether the given task is present in the list 'suspended'(value 'true') or not (value 'false'). */ _( ghost \bool suspended[ taskID ] ) /* Following map models the sequence of suspended tasks in the system. This is required for bounding the cardinality of the set 'suspended'. */ _( ghost taskID suspendedTasks[ \natural ] ) /* Following field models the cardinality of the set 'suspended', defined/constrained in terms of the sequence and index corresponding to the set if suspended tasks. */ _( ghost \natural suspendedLength ) /* Following map gives the index ( between '0' and 'suspendedLength - 1' )of the given taskID in the above sequence. . This is also required for bounding the cardinality of the set 'suspended'. */ _( ghost \natural indexSuspended[ taskID ] ) /* Following is a dummy field to satisfy the requirement that "every structure must contain at least one physical field". */ unsigned dummy; /*INV-1: If a task is in ready then it cannot be present in any other list. Moved to the structure 'system'. */ /*INV-2: If a task is in ready[ i ] then it cannot be present in ready[ j ] if i != j. Moved to the structure 'system'. */ /*INV-3: If a task is in 'delayedZ2' or 'oDelayed' list then it cannot be present in 'suspended' list. */ _( invariant \forall taskID t; ( ( indexODelayed[ t ] < oDelayedLength ) || ( indexDelayedZ2[ t ] < delayedLengthZ2 ) ) ==> !( suspended[ t ] ) ) /*INV-4: A task cannot be in both 'delayedZ2' and 'oDelayed'. */ _( invariant \forall taskID t; !( ( indexDelayedZ2[ t ] < delayedLengthZ2 ) && ( indexODelayed[ t ] < oDelayedLength ) ) ) /*INV-5: List of delayed task is sorted in the nondecreasing order of time to awake. The value of time to awake for the ith task in the list 'delayedZ2' is the value for 'i' under the map 'timeToAwakeZ2'. */ _( invariant \forall \natural i,j; ( ( i < delayedLengthZ2 ) && ( j < delayedLengthZ2 ) && ( i < j ) ) ==> ( timeToAwakeZ2[ i ] <= timeToAwakeZ2[ j ] ) ) /*INV-6: List of overflow delayed task is sorted in the nondecreasing order of time to awake. The value of time to awake for the ith task in the list 'oDelayed' is the value for 'i' under the map 'timeToAwakeOD'. */ _( invariant \forall \natural i,j; ( ( i < oDelayedLength ) && ( j < oDelayedLength ) && ( i < j ) ) ==> ( timeToAwakeOD[ i ] <= timeToAwakeOD[ j ] ) ) /*INV-7: The list 'delayedZ2' contains distinct Task IDs */ _( invariant \forall \natural i,j; ( ( ( i < delayedLengthZ2 ) && ( j < delayedLengthZ2 ) && ( i != j ) ) ==> ( delayedZ2[ i ] != delayedZ2[ j ] ) ) ) /*INV-8: The list 'oDelayed' contains distinct Task IDs */ _( invariant \forall \natural i,j; ( ( ( i < oDelayedLength ) && ( j < oDelayedLength ) && ( i != j ) ) ==> ( oDelayed[ i ] != oDelayed[ j ] ) ) ) /*INV-9: ready list contains valid task lists only for the indices in the interval [ 1, maxPrio ]. Moved to the structure 'system'. */ /////////////////////////// /*INV-10: The list 'delayedZ2' contains valid task IDs at a valid index ( from '0' to 'delayedLengthZ2 - 1' ) */ _( invariant \forall \natural i; ( i < delayedLengthZ2 ) ==> ( delayedZ2[ i ] < UINT_MAX ) ) /*INV-11: The list 'oDelayed' contains valid task IDs at a valid index ( from '0' to 'oDelayedLength - 1' ) */ _( invariant \forall \natural i; ( i < oDelayedLength ) ==> ( oDelayed[ i ] < UINT_MAX ) ) /*INV-12: The list 'delayedZ2' contains 'null' task beyond index 'delayedLengthZ2 - 1' */ _( invariant \forall \natural i; ( i >= delayedLengthZ2 ) ==> ( delayedZ2[ i ] == UINT_MAX ) ) /*INV-13: The list 'oDelayed' contains 'null' task beyond index 'oDelayedLength - 1' */ _( invariant \forall \natural i; ( i >= oDelayedLength ) ==> ( oDelayed[ i ] == UINT_MAX ) ) /*INV-14: 'indexDelayedZ2' and 'delayedZ2' are in sync up to the position 'delayedLengthZ2 - 1'*/ _( invariant \forall \natural i; ( i < delayedLengthZ2 ) ==> ( indexDelayedZ2[ delayedZ2[ i ] ] == i ) ) /*INV-15: 'indexODelayed' and 'oDelayed' are in sync up to the position 'oDelayedLength - 1'*/ _( invariant \forall \natural i; ( i < oDelayedLength ) ==> ( indexODelayed[ oDelayed[ i ] ] == i ) ) /*INV-16: If the index value ( in 'delayedZ2' ) for a task is valid then the task is present in 'delayedZ2' at the concerned position. */ _( invariant \forall taskID t; ( indexDelayedZ2[ t ] < delayedLengthZ2 ) ==> ( delayedZ2[ indexDelayedZ2[ t ] ] == t ) ) /*INV-17: If the index value ( in 'oDelayed' ) for a task is valid then the task is present in 'oDelayed' at the concerned position. */ _( invariant \forall taskID t; ( indexODelayed[ t ] < oDelayedLength ) ==> ( oDelayed[ indexODelayed[ t ] ] == t ) ) /*INV-18: The sequence 'suspendedTasks' contains valid task IDs at a valid index ( from '0' to 'suspendedLength - 1' ) */ _( invariant \forall \natural i; ( i < suspendedLength ) ==> ( suspendedTasks[ i ] < UINT_MAX ) ) /*INV-19: The list 'suspendedTasks' contains 'null' task beyond index 'suspendedLength - 1' */ _( invariant \forall \natural i; ( i >= suspendedLength ) ==> ( suspendedTasks[ i ] == UINT_MAX ) ) /*INV-20: 'indexSuspended' and 'suspendedTasks' are in sync up to the position 'suspendedLength - 1'*/ _( invariant \forall \natural i; ( i < suspendedLength ) ==> ( indexSuspended[ suspendedTasks[ i ] ] == i ) ) /*INV-21: If the index value ( in 'delayed' ) for a task is valid then the task is present in 'delayed' at the concerned position. */ _( invariant \forall taskID t; ( indexSuspended[ t ] < suspendedLength ) ==> ( suspendedTasks[ indexSuspended[ t ] ] == t ) ) /*INV-22: Relatioship between the set 'suspended' and the sequence 'suspendedTasks'. */ _( invariant \forall taskID t; ( suspended[ t ] ) <==> ( indexSuspended[ t ] < suspendedLength ) ) } Lists; /* Following structure models the priorities of tasks in the system */ _(dynamic_owns) typedef struct prio{ /* Following map models the priorities of tasks in the system. The value for a given task ID is the priotiy. */ _( ghost unsigned value[ taskID ] ) /* Following is a dummy field to satisfy the requirement that "every structure must contain at least one physical field". */ unsigned dummy; } Prio; //////////////////////////////// //Global data strucures//////////////////////////////// /* Following variable represents the global variable 'maxPrio', can be initialised by the user. (for parameterized verification) */ _(ghost unsigned maxPrio ) /* Following variable represents the global variable 'maxNumVal', can be initialised by the user. (for parameterized verification) */ _(ghost \natural maxNumVal ) /* Following variable represents the global variable 'preemption', can be initialised by the user. (for parameterized verification) */ _(ghost \bool preemption ) /* Following pointer variable models the set of tasks in the system */ _(ghost Task *tasks ) /* Following pointer variable models the priorities of tasks in the system */ _(ghost Prio *priority ) /* Following pointer variable models the task lists in the system */ _(ghost Lists *lsts ) //Global data strucures//////////////////////////////// //////////////////////////////// /* Following structure models the system state */ _(dynamic_owns) typedef struct system{ /* Following field models the highest index nonempty ready list */ _( ghost unsigned topReadyPriority ) /* Following field models the status of the scheduler - running or not. */ _( ghost \bool schedulerRunning ) /* Following is a dummy field to satisfy the requirement that "every structure must contain at least one physical field". */ unsigned dummy; // Following variable models the system clock in Z2 _( ghost \natural tickCount ) /* Following variable models the currently running task */ _(ghost taskID currentTask ) /*INV-1: Idle task ( ID = 0 ) is always ready to run */ _( invariant lsts->isInReady[ 0 ] ) /*INV-2: 'topReadyPriority' is a valid index to the array of ready task lists. */ _( invariant ( ( topReadyPriority >= 1 ) && ( topReadyPriority <= maxPrio ) ) ) /*INV-3: The sequence of tasks at index 'topReadyPriority' in the array 'ready' is nonempty. */ _( invariant ( \mine( &( lsts->ready[topReadyPriority] ) )&& ( lsts->ready[ topReadyPriority ].length > 0 ) ) ) /*INV-4: Every non empty sequence of ready tasks is at an index less than or equal to 'topReadyPriority'. */ _( invariant ( \forall unsigned i; ( \mine( &( lsts->ready[ i ] ) ) && ( lsts->ready[ i ].length > 0 ) ) ==> ( i <= topReadyPriority ) ) ) /*INV-5: Running task is at the head of the ready list at index 'topReadyPriority' when the scheduler is active. */ _( invariant schedulerRunning ==> ( //\mine( &( lsts->ready[ topReadyPriority ] ) ) && ( lsts->ready[ topReadyPriority ].list[ 0 ] == currentTask ) ) ) /*INV-6: Running task is the null task ( ID = UINT_MAX ) when the scheduler is not active */ _( invariant !schedulerRunning ==> ( currentTask == UINT_MAX ) ) /*INV-7: The set of tasks in the system is the union of the tasks present in different task lists in the system. There is a special task called null (ID = UINT_MAX) which is not present in any of the task lists. */ _( invariant ( \forall taskID t; ( tasks->member[t] ) <==> ( ( lsts->isInReady[ t ] ) || ( lsts->indexDelayedZ2[ t ] < lsts->delayedLengthZ2 ) || ( lsts->indexODelayed[ t ] < lsts->oDelayedLength ) || ( lsts->blocked.index[ t ] < lsts->blocked.length ) || ( lsts->suspended[ t ] ) || ( t == UINT_MAX ) ) ) ) /*INV-8: The special task in the system - 'null' ( ID = UINT_MAX) is not present in any task lists in the system.. */ _( invariant !( ( lsts->isInReady[ UINT_MAX ] ) || ( lsts->indexDelayedZ2[ UINT_MAX ] < lsts->delayedLengthZ2 ) || ( lsts->indexODelayed[ UINT_MAX ] < lsts->oDelayedLength ) || ( lsts->blocked.index[ UINT_MAX ] < lsts->blocked.length ) || ( lsts->suspended[ UINT_MAX ] ) ) ) /*INV-9a: Prioriy is defined for all valid tasks in the system. A valid task will have a priority value in the interval [ 1,maxPrio ]. */ _( invariant ( \forall taskID t; ( ( tasks->member[ t ] ) && ( t != UINT_MAX ) ) <==> ( ( priority->value[ t ] >= 1 ) && ( priority->value[ t ] <= maxPrio ) ) ) ) /*INV-9b: Null task will have the priority value zero. */ _( invariant ( priority->value[ UINT_MAX ] == 0 ) ) /*INV-10: The value of time to awake for each delayedZ2 task is greater than the value of 'tickCount' */ _( invariant ( \forall \natural i; ( i < lsts->delayedLengthZ2 ) ==> ( lsts->timeToAwakeZ2[ i ] > tickCount ) ) ) /*INV-11: The value of time to awake for each task in the sequence 'oDelayed' is less than or equal to 'tickCount'. */ _( invariant ( \forall \natural i; ( i < lsts->oDelayedLength ) ==> ( lsts->timeToAwakeOD[ i ] <= tickCount ) ) ) /*INV-12: The value of time to awake for each task in the sequence 'delayedZ2' is less than or equal to 'maxNumVal'. */ _( invariant ( \forall \natural i; ( i < lsts->delayedLengthZ2 ) ==> ( lsts->timeToAwakeZ2[ i ] <= maxNumVal ) ) ) /*INV-13: The value of time to awake for each task in the sequence 'oDelayed' is less than or equal to 'maxNumVal'. */ _( invariant ( \forall \natural i; ( i < lsts->oDelayedLength ) ==> ( lsts->timeToAwakeOD[ i ] <= maxNumVal ) ) ) /*INV-14: The priority of tasks present in the ready sequence at index say 'i' is 'i' */ _( invariant ( \forall taskID t; ( \forall unsigned i; ( ( i >= 1 ) && ( i <= maxPrio ) && \mine( &( lsts->ready[ i ] ) ) && ( lsts->ready[ i ].index[ t ] < lsts->ready[ i ].length ) ) ==> ( priority->value[ t ] == i ) ) ) ) /*INV-15: The task list 'blocked' is sorted in the non increasing order of priority values */ _( invariant ( \forall taskID t1,t2; ( ( ( lsts->blocked.index[ t1 ] < lsts->blocked.index[ t2 ] ) && ( lsts->blocked.index[ t1 ] < lsts->blocked.length ) && ( lsts->blocked.index[ t2 ] < lsts->blocked.length ) ) ==> ( ( maxPrio - priority->value[ t1 ] ) <= ( maxPrio - priority->value[ t2 ] ) ) ) ) ) /*INV-16: The value of tickCount is bounded by 'maxNumVal". */ _( invariant ( tickCount <= maxNumVal ) ) /*INV-17: Length of each ready list is bounded by 'maxNumVal". */ _( invariant \forall unsigned i; ( ( i >= 1 ) && ( i <= maxPrio ) ) ==> ( \mine( &( lsts->ready[ i ] ) ) && ( lsts->ready[ i ].length <= maxNumVal ) ) ) /*INV-18: Length of blocked list is bounded by 'maxNumVal". */ _( invariant ( lsts->blocked.length <= maxNumVal ) ) /*INV-19: Length of the sequence 'delayedZ2' is bounded by 'maxNumVal". */ _( invariant ( lsts->delayedLengthZ2 <= maxNumVal ) ) /*INV-20: Length of the sequence 'oDelayed' is bounded by 'maxNumVal". */ _( invariant ( lsts->oDelayedLength <= maxNumVal ) ) /*INV-20: Length of the task set suspended is bounded by 'maxNumVal". */ _( invariant ( lsts->suspendedLength <= maxNumVal ) ) /////Moved from the structure 'lists' to handle ownership issues /* Following are the invariants on 'lists'. These required to be specified in a structure owning these lists. For writing into the compund fields in nested structures, one need to own such compund fields in a single strcuture and hence every such object is owned by this structure. */ /*INV-lists-auxiliary: membership in ready */ _( invariant \forall taskID t; lsts->isInReady[t] <==> ( \exists unsigned i; ( ( i >= 1 ) && ( i <= maxPrio ) && \mine( &( lsts->ready[ i ] ) ) && ( lsts->ready[ i ].index[ t ] < lsts->ready[ i ].length ) ) ) ) /*INV-lists-1: If a task is in ready[ i ] then it cannot be present in 'delayed', 'delayedZ2', 'oDelayed', 'blocked' or 'suspended'. */ _( invariant \forall taskID t; lsts->isInReady[ t ] ==> !( ( lsts->indexDelayedZ2[ t ] < lsts->delayedLengthZ2 ) || ( lsts->indexODelayed[ t ] < lsts->oDelayedLength ) || ( \mine( &( lsts->blocked ) ) && ( lsts->blocked.index[ t ] < lsts->blocked.length ) ) || ( lsts->suspended[ t ] ) ) ) /*INV-lists-2: If a task is in ready[ i ] then it cannot be present in ready[ j ] when i != j. */ _( invariant \forall taskID t; ( \forall unsigned i,j; ( ( i >= 1 ) && ( i <= maxPrio ) && ( j >= 1 ) && ( j <= maxPrio ) && ( i != j ) ) ==> !( ( \mine( &( lsts->ready[ i ] ) ) && ( lsts->ready[ i ].index[ t ] < lsts->ready[ i ].length ) ) && ( \mine( &( lsts->ready[ j ] ) ) && ( lsts->ready[ j ].index[ t ] < lsts->ready[ j ].length ) ) ) ) ) /*INV-lsts-9a: This structure owns the sequences of ready tasks for all valid index ( 1 -> maxPrio ). To support INV-12 etc.. */ _( invariant \forall unsigned i; ( ( i >= 1 ) && ( i <= maxPrio ) ) ==> \mine( &( lsts->ready[ i ] ) ) ) /*INV-lsts-9b: This structure does not own the sequences of ready tasks at invalid indices. */ _( invariant \forall unsigned i; ( ( i == 0 ) || ( i > maxPrio ) ) ==> !\mine( &( lsts->ready[ i ] ) ) ) /*INV-lsts-auxiliary: This structure owns the sequence of blocked tasks - 'blocked' */ _( invariant \mine( &( lsts->blocked ) ) ) /////Moved from the structure 'lists' to handle ownership issues /*INV-21: System owns the global varaible 'maxPrio' */ _( invariant \mine( \embedding( &maxPrio ) ) ) /*INV-22: System owns the global varaible 'maxNumVal' */ _( invariant \mine(\embedding(&maxNumVal)) ) /*INV-23: System owns the global varaible 'preemption' */ _( invariant \mine( \embedding( &preemption ) ) ) /*INV-24: System owns the global pointer varaible 'tasks'. */ _( invariant \mine( \embedding( &tasks ) ) ) _( invariant \mine( tasks ) ) /*INV-25: System owns the global pointer varaible 'priority'. */ _( invariant \mine( \embedding( &priority ) ) ) _( invariant \mine( priority ) ) /*INV-26: System owns the global pointer varaible 'lsts'. */ _( invariant \mine( \embedding( &lsts ) ) ) _( invariant \mine( lsts ) ) } System; System sstm; taskID startScheduler() _( requires ( sstm.schedulerRunning == \false ) ) _( requires ( lsts->ready[sstm.topReadyPriority].length > 0 ) ) _( requires \wrapped( &sstm ) ) _( requires ( lsts->blocked.length == 0 ) ) _( requires ( lsts->delayedLengthZ2 == 0 ) ) _( requires ( lsts->oDelayedLength == 0 ) ) _( requires ( lsts->suspendedLength == 0 ) ) _( writes &( sstm ) ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) _( ensures \forall unsigned i; \natural j; ( lsts->ready[ i ].list[ j ] == \old( lsts->ready[ i ].list[ j ] ) ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == 0 ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \true ) ) _( ensures ( \result == sstm.currentTask ) ) //_(ensures \false ) ; runningAndPWTZ2 taskDelayUntil1( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= maxNumVal ) ) _( requires ( pWT <= sstm.tickCount ) ) _( requires ( ( delay + pWT ) <= sstm.tickCount ) ) _( requires \wrapped( &sstm ) ) _( writes &( sstm ) ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( sstm.currentTask ) ) ) _( ensures \forall unsigned i; \natural j; ( lsts->ready[ i ].list[ j ] == \old( lsts->ready[ i ].list[ j ] ) ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay ) ) // _(ensures \false ) ; runningAndPWTZ2 taskDelayUntil2 ( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= maxNumVal ) ) _( requires ( pWT > sstm.tickCount ) ) _( requires ( ( delay + pWT ) <= maxNumVal ) ) _( requires \wrapped( &sstm ) ) _( writes &( sstm ) ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( sstm.currentTask ) ) ) _( ensures \forall unsigned i; \natural j; ( lsts->ready[ i ].list[ j ] == \old( lsts->ready[ i ].list[ j ] ) ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay ) ) // _(ensures \false ) ; runningAndPWTZ2 taskDelayUntil3( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= maxNumVal ) ) _( requires ( pWT > sstm.tickCount ) ) _( requires ( ( delay + pWT ) > maxNumVal ) ) _( requires ( ( delay + pWT ) < ( sstm.tickCount + ( maxNumVal + 1 ) ) ) ) _( requires \wrapped( &sstm ) ) _( writes &( sstm ) ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( sstm.currentTask ) ) ) _( ensures \forall unsigned i; \natural j; ( lsts->ready[ i ].list[ j ] == \old( lsts->ready[ i ].list[ j ] ) ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay - ( maxNumVal + 1 ) ) ) // _(ensures \false ) ; runningAndPWTZ2 taskDelayUntil4 ( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= sstm.tickCount ) ) _( requires ( sstm.tickCount < ( delay + pWT ) ) ) _( requires ( ( delay + pWT ) <= maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length > 1 ) ) _( requires ( lsts->delayedLengthZ2 < maxNumVal ) ) _( requires \wrapped(&sstm) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( lsts->ready[ sstm.topReadyPriority ].list[ 1 ] ) ) ) _( ensures \forall unsigned i; \natural j; ( ( i != sstm.topReadyPriority ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length == ( \old( lsts->ready[ sstm.topReadyPriority ].length ) - 1 ) ) ) _( ensures \forall taskID t; ( ( t != \old( lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) && ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) < \old( lsts->ready[ sstm.topReadyPriority ].length ) ) ) ==> ( lsts->ready[ sstm.topReadyPriority ].index[ t ] == ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) - 1 ) ) ) _( ensures \forall taskID t; ( ( t == \old( lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) || ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) >= \old( lsts->ready[ sstm.topReadyPriority ].length ) ) ) ==> ( lsts->ready[ sstm.topReadyPriority ].index[ t ] == lsts->ready[ sstm.topReadyPriority ].length ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < ( \old( lsts->delayedLengthZ2 ) - 1 ) ) ==> ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] + 1 ] > ( pWT + delay ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeZ2[ i ] ) <= ( pWT + delay ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < lsts->delayedLengthZ2 ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _(ensures ( lsts->delayedLengthZ2 == ( \old( lsts->delayedLengthZ2 ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) _( ensures ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ] == ( pWT + delay ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay ) ) //_(ensures \false ) ; runningAndPWTZ2 taskDelayUntil5( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= sstm.tickCount ) ) _( requires ( sstm.tickCount < ( delay + pWT ) ) ) _( requires ( ( delay + pWT ) <= maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length == 1 ) ) _( requires ( lsts->delayedLengthZ2 < maxNumVal ) ) _( requires \exists unsigned i; ( ( i >= 1 ) && ( i < sstm.topReadyPriority ) && ( lsts->ready[ i ].length > 0 ) ) ) _( requires \wrapped( &sstm ) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) _( ensures \forall unsigned i; \natural j; ( ( i != \old( sstm.topReadyPriority ) ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures \forall \natural i; ( lsts->ready[ \old( sstm.topReadyPriority ) ].list[ i ] == UINT_MAX ) ) _( ensures ( lsts->ready[ \old( sstm.topReadyPriority ) ].length == 0 ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < ( \old( lsts->delayedLengthZ2 ) - 1 ) ) ==> ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] + 1 ] > ( pWT + delay ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeZ2[ i ] ) <= ( pWT + delay ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < lsts->delayedLengthZ2 ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _(ensures ( lsts->delayedLengthZ2 == ( \old( lsts->delayedLengthZ2 ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) _( ensures ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ] == ( pWT + delay ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( ( sstm.topReadyPriority >= 1 ) && ( sstm.topReadyPriority < \old( sstm.topReadyPriority ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length > 0 ) ) _( ensures \forall unsigned j; ( ( j >= 1 ) && ( j <= maxPrio ) && ( j != \old( sstm.topReadyPriority ) ) && ( lsts->ready[ j ].length > 0 ) ) ==> ( j <= sstm.topReadyPriority ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay ) ) //_(ensures \false ) ; runningAndPWTZ2 taskDelayUntil6 ( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= sstm.tickCount ) ) _( requires ( sstm.tickCount < ( delay + pWT ) ) ) _( requires ( ( delay + pWT ) > maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length > 1 ) ) _( requires ( lsts->oDelayedLength < maxNumVal ) ) _( requires \wrapped(&sstm) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( lsts->ready[ sstm.topReadyPriority ].list[ 1 ] ) ) ) _( ensures \forall unsigned i; \natural j; ( ( i != sstm.topReadyPriority ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length == ( \old( lsts->ready[ sstm.topReadyPriority ].length ) - 1 ) ) ) _( ensures \forall taskID t; ( ( t != \old( lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) && ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) < \old( lsts->ready[ sstm.topReadyPriority ].length ) ) ) ==> ( lsts->ready[ sstm.topReadyPriority ].index[ t ] == ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) - 1 ) ) ) _( ensures \forall taskID t; ( ( t == \old( lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) || ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) >= \old( lsts->ready[ sstm.topReadyPriority ].length ) ) ) ==> ( lsts->ready[ sstm.topReadyPriority ].index[ t ] == lsts->ready[ sstm.topReadyPriority ].length ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < ( \old( lsts->oDelayedLength ) - 1 ) ) ==> ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] + 1 ] > ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeOD[ i ] ) <= ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < lsts->oDelayedLength ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _(ensures ( lsts->oDelayedLength == ( \old( lsts->oDelayedLength ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) _( ensures ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] ] == ( pWT + delay - ( maxNumVal + 1 ) ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i - 1 ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay - ( maxNumVal + 1 ) ) ) //_(ensures \false ) ; runningAndPWTZ2 taskDelayUntil7( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= sstm.tickCount ) ) _( requires ( ( delay + pWT ) > maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length == 1 ) ) _( requires ( lsts->oDelayedLength < maxNumVal ) ) _( requires \exists unsigned i; ( ( i >= 1 ) && ( i < sstm.topReadyPriority ) && ( lsts->ready[ i ].length > 0 ) ) ) _( requires \wrapped( &sstm ) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) _( ensures \forall unsigned i; \natural j; ( ( i != \old( sstm.topReadyPriority ) ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures \forall \natural i; ( lsts->ready[ \old( sstm.topReadyPriority ) ].list[ i ] == UINT_MAX ) ) _( ensures ( lsts->ready[ \old( sstm.topReadyPriority ) ].length == 0 ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < ( \old( lsts->oDelayedLength ) - 1 ) ) ==> ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] + 1 ] > ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeOD[ i ] ) <= ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < lsts->oDelayedLength ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _(ensures ( lsts->oDelayedLength == ( \old( lsts->oDelayedLength ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) _( ensures ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] ] == ( pWT + delay - ( maxNumVal + 1 ) ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i - 1 ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( ( sstm.topReadyPriority >= 1 ) && ( sstm.topReadyPriority < \old( sstm.topReadyPriority ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length > 0 ) ) _( ensures \forall unsigned j; ( ( j >= 1 ) && ( j <= maxPrio ) && ( j != \old( sstm.topReadyPriority ) ) && ( lsts->ready[ j ].length > 0 ) ) ==> ( j <= sstm.topReadyPriority ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay - ( maxNumVal + 1 ) ) ) //_(ensures \false ) ; runningAndPWTZ2 taskDelayUntil8 ( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= maxNumVal ) ) _( requires ( pWT > sstm.tickCount ) ) // tickCount overflowed after pWT _( requires ( ( sstm.tickCount + ( maxNumVal + 1 ) ) < ( delay + pWT ) ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length > 1 ) ) _( requires ( lsts->delayedLengthZ2 < maxNumVal ) ) _( requires \wrapped(&sstm) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( lsts->ready[ sstm.topReadyPriority ].list[ 1 ] ) ) ) _( ensures \forall unsigned i; \natural j; ( ( i != sstm.topReadyPriority ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length == ( \old( lsts->ready[ sstm.topReadyPriority ].length ) - 1 ) ) ) _( ensures \forall taskID t; ( ( t != \old( lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) && ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) < \old( lsts->ready[ sstm.topReadyPriority ].length ) ) ) ==> ( lsts->ready[ sstm.topReadyPriority ].index[ t ] == ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) - 1 ) ) ) _( ensures \forall taskID t; ( ( t == \old( lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) || ( \old( lsts->ready[ sstm.topReadyPriority ].index[ t ] ) >= \old( lsts->ready[ sstm.topReadyPriority ].length ) ) ) ==> ( lsts->ready[ sstm.topReadyPriority ].index[ t ] == lsts->ready[ sstm.topReadyPriority ].length ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < ( \old( lsts->delayedLengthZ2 ) - 1 ) ) ==> ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] + 1 ] > ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeZ2[ i ] ) <= ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < lsts->delayedLengthZ2 ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _(ensures ( lsts->delayedLengthZ2 == ( \old( lsts->delayedLengthZ2 ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) _( ensures ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ] == ( pWT + delay - ( maxNumVal + 1 ) ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay - ( maxNumVal + 1 ) ) ) //_(ensures \false ) ; runningAndPWTZ2 taskDelayUntil9( _( ghost \natural pWT ) _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( pWT <= maxNumVal ) ) _( requires ( pWT > sstm.tickCount ) ) _( requires ( ( sstm.tickCount + ( maxNumVal + 1 ) ) < ( delay + pWT ) ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length == 1 ) ) _( requires ( lsts->delayedLengthZ2 < maxNumVal ) ) _( requires \exists unsigned i; ( ( i >= 1 ) && ( i < sstm.topReadyPriority ) && ( lsts->ready[ i ].length > 0 ) ) ) _( requires \wrapped( &sstm ) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) _( ensures \forall unsigned i; \natural j; ( ( i != \old( sstm.topReadyPriority ) ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures \forall \natural i; ( lsts->ready[ \old( sstm.topReadyPriority ) ].list[ i ] == UINT_MAX ) ) _( ensures ( lsts->ready[ \old( sstm.topReadyPriority ) ].length == 0 ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < ( \old( lsts->delayedLengthZ2 ) - 1 ) ) ==> ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] + 1 ] > ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeZ2[ i ] ) <= ( pWT + delay - ( maxNumVal + 1 ) ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < lsts->delayedLengthZ2 ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _(ensures ( lsts->delayedLengthZ2 == ( \old( lsts->delayedLengthZ2 ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) _( ensures ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ] == ( pWT + delay - ( maxNumVal + 1 ) ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( ( sstm.topReadyPriority >= 1 ) && ( sstm.topReadyPriority < \old( sstm.topReadyPriority ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length > 0 ) ) _( ensures \forall unsigned j; ( ( j >= 1 ) && ( j <= maxPrio ) && ( j != \old( sstm.topReadyPriority ) ) && ( lsts->ready[ j ].length > 0 ) ) ==> ( j <= sstm.topReadyPriority ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result.pWT == pWT + delay - ( maxNumVal + 1 ) ) ) //_(ensures \false ) ; taskID taskDelay1( _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay == 0 ) ) _( requires \wrapped( &sstm ) ) _( writes &( sstm ) ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( sstm.currentTask ) ) ) _( ensures \forall unsigned i; \natural j; ( lsts->ready[ i ].list[ j ] == \old( lsts->ready[ i ].list[ j ] ) ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result == sstm.currentTask ) ) //_(ensures \false ) ; taskID taskDelay2A( _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay > 0 ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length > 1 ) ) _( requires ( lsts->delayedLengthZ2 < maxNumVal ) ) _( requires ( ( sstm.tickCount + delay ) <= maxNumVal ) ) // Other case is considered in taskDelay2B _( requires \wrapped(&sstm) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( lsts->ready[ sstm.topReadyPriority ].list[ 1 ] ) ) ) _( ensures \forall unsigned i; \natural j; ( ( i != sstm.topReadyPriority ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length == ( \old( lsts->ready[ sstm.topReadyPriority ].length ) - 1 ) ) ) _( ensures \forall \natural i; ( ( i < lsts->ready[ sstm.topReadyPriority ].length ) ==> ( ( lsts->ready[ sstm.topReadyPriority ].list[ i ] == \old( lsts->ready[ sstm.topReadyPriority ].list[ i + 1 ] ) ) ) ) ) _( ensures \forall \natural i; ( ( i >= lsts->ready[ sstm.topReadyPriority ].length ) ==> ( ( lsts->ready[ sstm.topReadyPriority ].list[ i ] == UINT_MAX ) ) ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < ( \old( lsts->delayedLengthZ2 ) - 1 ) ) ==> ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] + 1 ] > ( sstm.tickCount + delay ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeZ2[ i ] ) <= ( sstm.tickCount + delay ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < lsts->delayedLengthZ2 ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _(ensures ( lsts->delayedLengthZ2 == ( \old( lsts->delayedLengthZ2 ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) _( ensures ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ] == ( sstm.tickCount + delay ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result == sstm.currentTask ) ) //_(ensures \false ) ; taskID taskDelay2B( _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay > 0 ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length > 1 ) ) _( requires ( lsts->oDelayedLength < maxNumVal ) ) _( requires ( ( sstm.tickCount + delay ) > maxNumVal ) ) // Other case is considered in taskDelay2A _( requires \wrapped(&sstm) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == \old( lsts->ready[ sstm.topReadyPriority ].list[ 1 ] ) ) ) _( ensures \forall unsigned i; \natural j; ( ( i != sstm.topReadyPriority ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length == ( \old( lsts->ready[ sstm.topReadyPriority ].length ) - 1 ) ) ) _( ensures \forall \natural i; ( ( i < lsts->ready[ sstm.topReadyPriority ].length ) ==> ( ( lsts->ready[ sstm.topReadyPriority ].list[ i ] == \old( lsts->ready[ sstm.topReadyPriority ].list[ i + 1 ] ) ) ) ) ) _( ensures \forall \natural i; ( ( i >= lsts->ready[ sstm.topReadyPriority ].length ) ==> ( ( lsts->ready[ sstm.topReadyPriority ].list[ i ] == UINT_MAX ) ) ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < ( \old( lsts->oDelayedLength ) - 1 ) ) ==> ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] + 1 ] > ( sstm.tickCount + delay - ( maxNumVal + 1 ) ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeOD[ i ] ) <= ( sstm.tickCount + delay - ( maxNumVal + 1 ) ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < lsts->oDelayedLength ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _(ensures ( lsts->oDelayedLength == ( \old( lsts->oDelayedLength ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) _( ensures ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] ] == ( sstm.tickCount + delay - ( maxNumVal + 1 ) ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i - 1 ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( sstm.topReadyPriority == \old( sstm.topReadyPriority ) ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result == sstm.currentTask ) ) //_(ensures \false ) ; taskID taskDelay3A( _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay > 0 ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length == 1 ) ) _( requires ( lsts->delayedLengthZ2 < maxNumVal ) ) _( requires ( ( sstm.tickCount + delay ) <= maxNumVal ) ) // Other case is considered in taskDelay3B _( requires \exists unsigned i; ( ( i >= 1 ) && ( i < sstm.topReadyPriority ) && ( lsts->ready[ i ].length > 0 ) ) ) _( requires \wrapped( &sstm ) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) _( ensures \forall unsigned i; \natural j; ( ( i != \old( sstm.topReadyPriority ) ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures \forall \natural i; ( lsts->ready[ \old( sstm.topReadyPriority ) ].list[ i ] == UINT_MAX ) ) _( ensures ( lsts->ready[ \old( sstm.topReadyPriority ) ].length == 0 ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < ( \old( lsts->delayedLengthZ2 ) - 1 ) ) ==> ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] + 1 ] > ( sstm.tickCount + delay ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeZ2[ i ] ) <= ( sstm.tickCount + delay ) ) ) ///////////////////////////////delayedZ2PrefixAndDelayedZ2Suffix _( ensures ( lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] < lsts->delayedLengthZ2 ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _(ensures ( lsts->delayedLengthZ2 == ( \old( lsts->delayedLengthZ2 ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) _( ensures ( lsts->timeToAwakeZ2[ lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ] == ( sstm.tickCount + delay ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexDelayedZ2[ \old( sstm.currentTask ) ] ) && ( i < lsts->delayedLengthZ2 ) ) ==> ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( ( sstm.topReadyPriority >= 1 ) && ( sstm.topReadyPriority < \old( sstm.topReadyPriority ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length > 0 ) ) _( ensures \forall unsigned j; ( ( j >= 1 ) && ( j <= maxPrio ) && ( j != \old( sstm.topReadyPriority ) ) && ( lsts->ready[ j ].length > 0 ) ) ==> ( j <= sstm.topReadyPriority ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result == sstm.currentTask ) ) //_(ensures \false ) ; taskID taskDelay3B( _( ghost \natural delay ) ) _( requires ( sstm.schedulerRunning == \true ) ) _( requires ( delay > 0 ) ) _( requires ( delay <= maxNumVal ) ) _( requires ( sstm.currentTask != 0 ) )// ID zero means idle task _( requires ( lsts->ready[ sstm.topReadyPriority ].length == 1 ) ) _( requires ( lsts->oDelayedLength < maxNumVal ) ) _( requires ( ( sstm.tickCount + delay ) > maxNumVal ) ) // Other case is considered in taskDelay3A _( requires \exists unsigned i; ( ( i >= 1 ) && ( i < sstm.topReadyPriority ) && ( lsts->ready[ i ].length > 0 ) ) ) _( requires \wrapped( &sstm ) ) _( writes &sstm ) _( ensures \wrapped( &sstm ) ) _( ensures ( maxPrio == \old( maxPrio ) ) ) _( ensures ( preemption == \old( preemption ) ) ) _( ensures ( maxNumVal == \old( maxNumVal ) ) ) _( ensures \forall taskID t; tasks->member[ t ] == \old( tasks->member[ t ] ) ) _( ensures ( sstm.currentTask == lsts->ready[ sstm.topReadyPriority ].list[ 0 ] ) ) _( ensures \forall unsigned i; \natural j; ( ( i != \old( sstm.topReadyPriority ) ) ==> ( ( lsts->ready[ i ].list[ j ] ) == \old( lsts->ready[ i ].list[ j ] ) ) ) ) _( ensures \forall \natural i; ( lsts->ready[ \old( sstm.topReadyPriority ) ].list[ i ] == UINT_MAX ) ) _( ensures ( lsts->ready[ \old( sstm.topReadyPriority ) ].length == 0 ) ) _( ensures \forall \natural i; ( lsts->blocked.list[ i ] == \old( lsts->blocked.list[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->delayedZ2[ i ] == \old( lsts->delayedZ2[ i ] ) ) ) _( ensures \forall \natural i; ( lsts->timeToAwakeZ2[ i ] == \old( lsts->timeToAwakeZ2[ i ] ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < ( \old( lsts->oDelayedLength ) - 1 ) ) ==> ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] + 1 ] > ( sstm.tickCount + delay - ( maxNumVal + 1 ) ) ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( \old( lsts->timeToAwakeOD[ i ] ) <= ( sstm.tickCount + delay - ( maxNumVal + 1 ) ) ) ) ///////////////////////////////oDelayedPrefixAndODelayedSuffix _( ensures ( lsts->indexODelayed[ \old( sstm.currentTask ) ] < lsts->oDelayedLength ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i ] ) ) ) _(ensures ( lsts->oDelayedLength == ( \old( lsts->oDelayedLength ) + 1 ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->oDelayed[ i ] == \old( lsts->oDelayed[ i - 1 ] ) ) ) _( ensures \forall \natural i; ( i < lsts->indexODelayed[ \old( sstm.currentTask ) ] ) ==> lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i ] ) ) _( ensures ( lsts->timeToAwakeOD[ lsts->indexODelayed[ \old( sstm.currentTask ) ] ] == ( sstm.tickCount + delay - ( maxNumVal + 1 ) ) ) ) _( ensures \forall \natural i; ( ( i > lsts->indexODelayed[ \old( sstm.currentTask ) ] ) && ( i < lsts->oDelayedLength ) ) ==> ( lsts->timeToAwakeOD[ i ] == \old( lsts->timeToAwakeOD[ i - 1 ] ) ) ) _( ensures \forall taskID t; ( lsts->suspended[ t ] == \old( lsts->suspended[ t ] ) ) ) _( ensures \forall taskID t; ( priority->value[ t ] == \old( priority->value[ t ] ) ) ) _( ensures ( sstm.tickCount == \old( sstm.tickCount ) ) ) _( ensures ( ( sstm.topReadyPriority >= 1 ) && ( sstm.topReadyPriority < \old( sstm.topReadyPriority ) ) ) ) _( ensures ( lsts->ready[ sstm.topReadyPriority ].length > 0 ) ) _( ensures \forall unsigned j; ( ( j >= 1 ) && ( j <= maxPrio ) && ( j != \old( sstm.topReadyPriority ) ) && ( lsts->ready[ j ].length > 0 ) ) ==> ( j <= sstm.topReadyPriority ) ) _( ensures ( sstm.schedulerRunning == \old( sstm.schedulerRunning ) ) ) _( ensures ( \result == sstm.currentTask ) ) //_(ensures \false ) ;