This state machine tracks threads residing on capabilities. Each thread can only reside on one capability, but can be migrated between them.

This state machine tracks threads running on capabilities, only one thread may run on a capability at a time.

Invariant for the (Map KernelThreadId Int, Map TaskId KernelThreadId) type: the second map is an injection (verified by the machine in insertTaskOS) and the following sets are equal: keys of the fist map and values of the second (follows from the construction of the maps by the machine).
The machine verifies as much as capabilityTaskPoolMachine and additionally the data invariant, and offers a richer verification profile.