-- Predicates (candidate state invariants) to be proved for the QLOCK specification.
-- mod* declares a module with loose semantics; inc(QLOCK) imports QLOCK in
-- including mode. QLOCK is not shown here and is assumed to supply the sorts
-- Sys and Pid and the operators pc, cs, queue and top -- TODO confirm.
mod* PRED-QLOCK {
  inc(QLOCK)
  -- inv1: the mutual exclusion (safety) property over a state and two process ids.
  op inv1 : Sys Pid Pid -> Bool
  -- inv2: auxiliary invariant tying the critical section to the queue.
  op inv2 : Sys Pid -> Bool
  var S : Sys
  vars I J : Pid
  -- If I and J are both at cs in state S, they are the same process; cs is
  -- presumably the critical-section label defined in QLOCK.
  -- Intended reading: ((pc(S,I) = cs) and (pc(S,J) = cs)) implies (I = J).
  eq inv1(S,I,J) = (pc(S,I) = cs and pc(S,J) = cs implies I = J) .
  -- A process at cs in state S is the top element of the queue of S.
  eq inv2(S,I) = (pc(S,I) = cs implies top(queue(S)) = I) .
}
--
-- Fresh constants are declared.
--
-- s and s' stand for arbitrary states and i, j, k for arbitrary process ids.
-- Because no equation constrains them, a result reduced for these constants
-- holds for every state and process id.
-- NOTE(review): k is not used in the modules shown here; presumably the proof
-- passages that import this module need it -- confirm.
mod* BASE-QLOCK {
  inc(PRED-QLOCK)
  ops s s' : -> Sys
  ops i j k : -> Pid
}
-- Induction-step formulas: each istepN states that the invariant at s implies
-- the same invariant at s'. The relation between s and s' is not fixed here;
-- proof passages are expected to define s' as a successor of s -- confirm.
mod* ISTEP-QLOCK {
  inc(BASE-QLOCK)
  op istep1 : -> Bool
  op istep2 : -> Bool
  eq istep1 = inv1(s,i,j) implies inv1(s',i,j) .
  eq istep2 = inv2(s,i) implies inv2(s',i) .
  -- NOTE(review): the double-quote delimited region below holds the induction
  -- hypotheses as equations over s for all process ids. It looks as if it was
  -- meant to be disabled. The line layout was reconstructed from a collapsed
  -- source, so check against the original file whether your CafeOBJ reader
  -- treats these two equations as live. If they are live, the premises of
  -- istep1 and istep2 reduce to true, and the hypotheses are then assumed for
  -- every Pid rather than only for i and j.
  -- "
  -- I.H.
  eq inv1(s,I:Pid,J:Pid) = true .
  eq inv2(s,I:Pid) = true .
  "
}