<html>
<h1>Requirements</h1>

<p>
  In this help section we give a BNF grammar for the requirement
  specification language used in the verifier of UPPAAL2k.
</p>

<p>
  As in the grammar for system descriptions, we use names with
  capital initial letters to denote non-terminals, <tt>NAT</tt> to
  denote a natural number (including 0), <tt>ID</tt> to denote a valid
  <a href="@System Descriptions/Identifiers">identifier name</a>, and
  <tt>NULL</tt> to denote the empty string.
</p>

<pre>
Prop ::= A[] SP | E&lt;&gt; SP
  | E[] SP | A&lt;&gt; SP | SP --&gt; SP
SP ::= AP | not SP | ( SP ) | SP or SP 
  | SP and SP | SP imply SP | deadlock

AP ::= ID.ID | CGuard | IGuard
CGuard ::= ID REL NAT | ID REL ID 
  | ID REL ID + NAT | ID REL ID - NAT
IGuard ::= IExpr REL IExpr 
  | IExpr != IExpr

IExpr ::= ID | ID[IExpr] | NAT | -IExpr
  | (IExpr) | IExpr OP IExpr

REL ::= &lt; | &lt;= | &gt;= | &gt; | ==
OP ::= + | - | * | /
</pre>

<p>
  <tt>ID.ID</tt> should be in the form "process name.location name".
  <tt>CGuard</tt> and <tt>IGuard</tt> are the guards over clocks and
  integer variables, also described in the help section for the <a
  href="@System Descriptions/Introduction">system description</a>
  language.
</p>

<p>
  Notice that at the moment the <tt>deadlock</tt> state predicate is
  only allowed with <tt>E&lt;&gt;</tt> and <tt>A[]</tt> properties.
</p>

<h2>Examples:</h2>

<ul>
<li><tt>A[]( 1&lt;2 )</tt> - invariantly 1&lt;2.</li>
<li><tt>E&lt;&gt;( p1.cs and p2.cs)</tt> - 
  true if the system can reach a 
  state where both process <tt>p1</tt> and <tt>p2</tt> 
  are in their locations <tt>cs</tt>.</li>
<li><tt>A[]( p1.cs imply not p2.cs )</tt> - invariantly process
  <tt>p1</tt> in location <tt>cs</tt> implies that process <tt>p2</tt> 
  is <b>not</b> in location <tt>cs</tt>.</li>
<li><tt>A[] not deadlock</tt> - invariantly the process is not
deadlocked.</li>
</ul>
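
<p>
  The following Python recogniser is an added example, not part of the
  original help text or of UPPAAL itself. It checks a property against the
  <tt>Prop</tt> and <tt>SP</tt> rules and enforces the <tt>deadlock</tt>
  restriction stated above. It assumes flat atomic propositions
  (<tt>ID.ID</tt>, or operand <tt>REL</tt> operand with an optional
  <tt>+</tt>/<tt>-</tt> <tt>NAT</tt>); nested <tt>IExpr</tt> and
  <tt>!=</tt> are left out, and the names <tt>check</tt>, <tt>TOKEN</tt>,
  <tt>ATOM</tt>, <tt>QUANT</tt> and <tt>NOT_ATOM</tt> are this example's own.
</p>

```python
import re

# Terminals follow the grammar above; the tokenizer and all names are this example's own.
ID, NAT, REL = r"[A-Za-z_]\w*", r"\d+", r"(?:<=|>=|==|<|>)"
ATOM = rf"{ID}\s*\.\s*{ID}|(?:{ID}|{NAT})\s*{REL}\s*(?:{ID}|{NAT})(?:\s*[+-]\s*{NAT})?"
TOKEN = re.compile(rf"A\[\]|E\[\]|A<>|E<>|-->|[()]|\b(?:not|and|or|imply|deadlock)\b|{ATOM}")
QUANT = ("A[]", "E<>", "E[]", "A<>")
NOT_ATOM = set(QUANT) | {"-->", ")", "and", "or", "imply"}

def check(text):
    """Return (property kind, uses_deadlock); raise SyntaxError or ValueError otherwise."""
    toks = TOKEN.findall(text) + [""]          # "" marks end of input
    if "".join("".join(toks).split()) != "".join(text.split()):
        raise SyntaxError("text outside the supported grammar subset")
    pos = 0

    def eat(want=None):
        nonlocal pos
        tok = toks[pos]
        if tok == "" or (want and tok != want):
            raise SyntaxError(f"expected {want or 'a state predicate'}, got {tok!r}")
        pos += 1
        return tok

    def sp():                                  # SP; precedence is irrelevant for accept/reject
        tok = eat()
        if tok == "not":
            return sp()
        if tok == "(":
            sp()
            eat(")")
        elif tok in NOT_ATOM:                  # anything else is "deadlock" or an atom
            raise SyntaxError(f"state predicate expected, got {tok!r}")
        if toks[pos] in ("and", "or", "imply"):
            eat()
            sp()

    kind = toks[0] if toks[0] in QUANT else "-->"
    if kind == "-->":                          # SP --> SP: left-hand side comes first
        sp()
    eat(kind)                                  # the quantifier, or the "-->" arrow
    sp()
    if toks[pos]:
        raise SyntaxError(f"trailing input at {toks[pos]!r}")
    if "deadlock" in toks and kind not in ("E<>", "A[]"):
        raise ValueError("deadlock is only allowed with E<> and A[] properties")
    return kind, "deadlock" in toks
```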

</html>
