Operational Semantics for Model Checking Circus

Jim Woodcock, Ana Cavalcanti, and Leonardo Freitas
Department of Computer Science, University of York, UK
{jim,alcc,leo}@cs.york.ac.uk

Abstract. Circus is a combination of Z, CSP, and the refinement calculus, and is based on Hoare & He’s Unifying Theories of Programming. A model checker is being constructed for the language to conduct refinement checking in the style of FDR, but supported by theorem proving for reasoning about the complex states and data types that arise from the use of Z. FDR deals with bounded labelled transition systems (LTSs), but the Circus model checker manipulates LTSs with possibly infinite inscriptions on arcs and in nodes, and so, in general, the success or failure of a refinement check depends on interaction with a theorem prover. An LTS is generated from a source text using an operational interpretation of Circus; we present a Structured Operational Semantics for Circus, including both its process-algebraic and state-rich features.

1 Introduction

Circus [31, 32, 1, 23, 2, 3] is a state-rich process algebra based on Z [11, 33] and CSP [21], with a refinement calculus for deriving implementations from their specifications. Current work involves constructing a tool-set for supporting the language, including a theorem prover and a model checker. The development of the model checker is inspired by FDR, the model checker for CSP [19, 5]; however, a significant and novel aspect of the Circus model checker is the need to address the state-rich aspects of the language. The resulting procedure is refinement checking supported by theorem proving. In its internal computations, FDR uses finite, labelled transition systems that are derived from source texts using the operational semantics of CSP. In order to construct the Circus model checker, we first need to explore the operational semantics of the language, including those state-based features not found in CSP.
This leads to transition systems where the diagram is finite, but where the arcs and nodes may carry inscriptions involving infinite data types. This operational semantics must be proved congruent to the denotational semantics of Circus, which is different from the set-based presentation of the failures-divergences model used for CSP: it uses the unifying theories of programming (UTP) [10]. We present a Plotkin-style Structured Operational Semantics [17] for Circus, also based on UTP and using Z as a metalanguage [33], hence knowledge of Z is assumed. The operational semantics is inspired by the implementation of