Deploy CPAchecker to Europe — Dirk Beyer 🇩🇪 (LMU Munich), the Configurable Program Analysis Framework that Wins SV-COMP, on EU Infrastructure in 2026

Every year since 2012, the international software verification community gathers at SV-COMP — the Competition on Software Verification, organized as part of ETAPS/TACAS — to measure which verification tools can correctly decide safety properties of C programs drawn from Linux device drivers, automotive control systems, heap-manipulating programs, and concurrency benchmarks. The scoring is unforgiving: correct SAFE answers earn points, correct UNSAFE answers earn points, incorrect answers lose more points than they were worth. Year after year, one tool appears at the top of multiple category leaderboards: CPAchecker.

CPAchecker is not a single algorithm. It is a framework for software verification — a common infrastructure in which different verification algorithms, called Configurable Program Analyses (CPAs), can be combined, composed, and switched at the command line. The same tool that uses predicate abstraction and CEGAR (CounterExample-Guided Abstraction Refinement) to verify Linux kernel drivers can be reconfigured to use k-induction to prove loop properties, BDD-based model checking for small programs, or interval analysis for numerical properties — without rewriting a line of the framework code. The CPA framework is the contribution that made CPAchecker both theoretically principled and practically dominant.

The tool was designed and built by Dirk Beyer 🇩🇪 at LMU Munich 🇩🇪 (Ludwig-Maximilians-Universität München).

Dirk Beyer and the LMU Munich Verification Group

Dirk Beyer 🇩🇪 grew up in Germany, studied computer science, and completed his doctoral work in the area of model checking and software verification. He worked at the University of Passau 🇩🇪 before a period at Simon Fraser University in Canada, then returned to Europe as a Full Professor at LMU Munich 🇩🇪, where he leads the Software and Computational Systems (SoSy) Lab.

LMU Munich is one of Germany's premier research universities — founded in 1472, with eleven Nobel laureates affiliated with the faculty. It is a founding member of the TUM-LMU Munich School of Robotics and Machine Intelligence and the Munich Center for Machine Learning (MCML) — the EU excellence hub for machine learning. The SoSy Lab sits within this broader Munich research ecosystem, and CPAchecker is developed and maintained there.

Beyer also founded and organizes SV-COMP (Competition on Software Verification), the annual competition held at TACAS (Tools and Algorithms for the Construction and Analysis of Systems), which is itself part of ETAPS — the European Joint Conferences on Theory and Practice of Software. Beyer is, in a real sense, both a principal competitor and the competition organizer — a uniquely EU academic structure made possible by the open-benchmarking ethos of the European formal methods community.

The foundational paper — Configurable Software Verification — was published at TACAS 2007 by Dirk Beyer and M. Erkan Keremoglu. The 2011 CAV (Computer-Aided Verification) tool paper CPAchecker: A Tool for Configurable Software Verification established CPAchecker's international reputation.

The CPA Framework: Verification as Composition

The central insight of CPAchecker is that all major software verification algorithms can be expressed as instances of a single mathematical framework: a Configurable Program Analysis (CPA).

A CPA is a tuple (D, ⊤, ⊑, merge, stop, transfer) where:

• D is the abstract domain — the set of abstract states the analysis uses to represent program states
• ⊤ (top) is the initial abstract element — the "know nothing" starting state
• ⊑ is the partial order over abstract elements — defines when one abstract state is "more precise" than another
• merge(e, e') is the join operator — how to combine two abstract states when control flow merges
• stop(e, R) is the termination criterion — whether an abstract state e is already "covered" by the set R of previously computed states (prevents infinite loops)
• transfer(e, op) is the transfer function — how each program operation changes the abstract state

The verification algorithm is always the same: maintain a waitlist of abstract states to process and a reached set of states already computed. Pick a state from the waitlist, apply the transfer function for each outgoing operation, merge with any existing state at the target location, check stop, and add to the waitlist if not covered. The CPA framework determines which of these states are computed by plugging in different implementations of (D, ⊑, merge, stop, transfer).

This means:

# Run predicate abstraction with CEGAR refinement
cpachecker -predicateAnalysis program.c

# Run explicit-state model checking with BDD
cpachecker -explicitAnalysis program.c

# Run k-induction for loop property proofs
cpachecker -kInduction program.c

# Run symbolic execution
cpachecker -symbolicExecution program.c

# Combine: predicate abstraction + termination analysis
cpachecker -predicateAnalysis-kInduction program.c

Each configuration activates a different CPA implementation while reusing the identical traversal engine, the identical property automaton infrastructure, the identical GOTO-program input format, and the identical counterexample output.

Predicate Abstraction and CEGAR

CPAchecker's most celebrated algorithm is predicate abstraction with CEGAR — the combination that drove early formal verification of Linux device drivers:

1. Start with a coarse abstraction (few predicates — "know nothing about heap contents")
2. Run the abstract reachability computation; if the property holds, done
3. If a counterexample trace is found, check if it is real (concrete execution) or spurious (artefact of abstraction)
4. If spurious: compute a Craig interpolant from the infeasible execution — a logical formula that separates the prefix of the path from the suffix
5. Add the interpolant as a new predicate, refining the abstraction
6. Goto 2

CEGAR is a fixed point in the precision-refinement loop. It converges when the predicate set is precise enough to exclude all spurious counterexamples. The key insight from the BLAST model checker (Thomas Henzinger 🇦🇹, EPFL Lausanne 🇨🇭 + UC Berkeley, 2002) was that lazy predicate abstraction — computing the abstraction on demand rather than upfront — made the approach tractable for real C programs. CPAchecker inherited this idea and made it composable.

k-Induction

For programs with loops and recursion, predicate abstraction alone is not always sufficient. CPAchecker implements k-induction — the standard technique for proving safety properties of transition systems with unbounded iteration:

1. Base case: verify that the property holds for all executions of length ≤ k (bounded model checking, like CBMC up to bound k)
2. Inductive step: assume the property holds for all executions of length ≤ k+1; prove it holds for step k+2

If both checks pass, the property holds for all executions — regardless of how many loop iterations occur. The connection to CBMC is direct: CPAchecker can invoke CBMC (or any SAT solver) as an oracle for the base case check, while the inductive step uses SMT-based interpolation.

CPAchecker's k-induction configuration won the Overall SV-COMP category in multiple years when combined with invariant generation.

BDD-Based Analysis

For programs with small integer domains — control flags, enumeration types, bounded counters — CPAchecker's BDD-based explicit-state analysis is often faster than predicate abstraction. It maintains the full set of reachable abstract states as a Binary Decision Diagram (BDD), using the Sylvan library (TU Eindhoven 🇳🇱, Tom van Dijk) or JavaBDD.

The BDD approach is essentially the symbolic model checking of Clarke/Burch/Emerson (1990) applied to the CPA framework — another EU lineage connection, since the foundational BDD model checking paper came from Randy Bryant at CMU (who developed BDDs as the data structure), and the BDD package Sylvan was built at TU Eindhoven in the Netherlands.

SV-COMP: The EU Verification Championship

SV-COMP (Competition on Software Verification) is the defining benchmark of the software verification research community. Organized annually by Dirk Beyer at TACAS/ETAPS, it currently includes:

• ReachSafety: Can this C program reach a __VERIFIER_error() call? (the primary category — safety properties)
• MemSafety: Does this C program have valid memory accesses? (no buffer overflows, no use-after-free, no null dereference)
• Overflow: Can integer overflow occur?
• Termination: Does this program always terminate?
• ConcurrencySafety: Is this multi-threaded C program race-free?
• SoftwareSystemsVerification: Real-world programs (Linux kernel modules, BusyBox, SQLite)

CPAchecker has won or placed top-three in multiple SV-COMP categories across multiple years. The ReachSafety category — the broadest, most directly applicable to real software — is the most contested. Top consistent performers:

Every top SV-COMP tool either originates from a EU institution or has EU collaborators. The competition demonstrates EU academic leadership in software verification at the highest level.

How to Run CPAchecker

CPAchecker runs on any Linux system with Java 17+. The standard command for safety verification:

# Download CPAchecker
wget https://cpachecker.sosy-lab.org/CPAchecker-latest-unix.tar.bz2
tar -xjf CPAchecker-latest-unix.tar.bz2
cd CPAchecker-*

# Verify a C program for reachability safety
./scripts/cpa.sh \
  -predicateAnalysis \
  -spec config/specification/default.spc \
  program.c

# Run k-induction (for loop properties)
./scripts/cpa.sh \
  -kInduction \
  -spec config/specification/sv-comp-reachability.spc \
  program.c

The specification file defines what properties to check. CPAchecker uses property automata — finite automata over program labels — to encode verification properties:

// sv-comp-reachability.spc: check for __VERIFIER_error() calls
OBSERVER AUTOMATON ErrorFunctionCalls

INITIAL STATE Init;

STATE USEFIRST Init:
  MATCH {__VERIFIER_error()} -> ERROR("call to __VERIFIER_error()");

END AUTOMATON

This automaton watches for calls to __VERIFIER_error() — the SV-COMP encoding for a safety property violation. For custom properties, you write a different automaton:

// custom-no-null-deref.spc
OBSERVER AUTOMATON NullDeref

INITIAL STATE Init;

STATE USEFIRST Init:
  MATCH {$? = *NULL} -> ERROR("null pointer dereference");
  MATCH {*NULL = $?} -> ERROR("null pointer write");

END AUTOMATON

Verification of Linux Kernel Drivers

CPAchecker's original use case was verifying Linux kernel device drivers for memory safety and lock correctness. A typical kernel verification invocation:

# Verify a kernel module for lock correctness
./scripts/cpa.sh \
  -valueAnalysis \
  -spec config/specification/lock.spc \
  -64 \
  -preprocess \
  drivers/usb/class/cdc-acm.c

The -preprocess flag runs the C preprocessor to inline headers. The -64 flag sets pointer width to 64 bits. The lock.spc specification automaton tracks lock/unlock pairs and reports ERROR for double-lock or unlock-without-lock patterns.

CPAchecker has been applied to Linux kernel drivers by the BLAST → SATURN → CPAchecker lineage that began with Microsoft Research's SLAM project and was carried forward through EU research groups.

Integration with PropertySpecificationLanguage (PSL)

CPAchecker supports PSL (Property Specification Language, IEEE 1850) for formal property encoding — the same language used in hardware verification (SystemVerilog Assertions, VHDL PSL). This makes CPAchecker directly applicable to ISO 26262 ASIL D automotive software where the safety requirements are expressed in PSL as part of the requirements management chain.

Industrial Relevance: EU Safety-Critical Systems

ISO 26262 ASIL D (Automotive)

German Tier-1 automotive suppliers — Bosch 🇩🇪, Continental 🇩🇪, ZF 🇩🇪, Infineon 🇩🇪 — develop AUTOSAR-compliant C code for safety functions (electronic stability control, brake-by-wire, adaptive cruise control) under ISO 26262. At ASIL D — the highest level, required for functions where failure could cause death — Part 6 recommends formal methods as verification techniques.

CPAchecker provides:

• Absence of runtime errors in the AUTOSAR runtime itself (null dereference, buffer overflow, integer overflow)
• Lock-correctness for multi-core AUTOSAR scheduling (QM-ASIL partition boundary checks)
• Formal evidence of absence for specific AUTOSAR runnable interaction patterns

Siemens Mobility 🇩🇪 and Thales Rail 🇫🇷 have applied CPAchecker-based analysis in EN 50128 SIL 4 railway signalling software verification contexts.

IEC 61508 SIL 3/4 (Industrial Safety)

CPAchecker's predicate abstraction + CEGAR workflow satisfies IEC 61508's formal methods requirement at SIL 3 and SIL 4 when:

1. The CPA configuration is documented (algorithm, solver, specification automaton)
2. Verification results are archived with tool version and configuration
3. The program under analysis has been pre-processed to remove non-safety-critical code paths

ABB 🇨🇭🇸🇪, Schneider Electric 🇫🇷, and Phoenix Contact 🇩🇪 develop IEC 61508 SIL 3/4 safety PLCs in C. CPAchecker analysis of the C runtime provides formal evidence of the absence of undefined behavior — directly relevant to functional safety claims.

EU AI Act Article 9

The EU AI Act's Article 9 risk management requirements for high-risk AI systems (Annex III categories) include embedded C inference engines for automotive perception (Tier-1 ADAS), industrial robot control, and medical device classification. CPAchecker verification of the C runtime provides:

• Formal evidence that buffer access patterns in the neural network weight arrays cannot overflow
• Proof that the inference API entry points satisfy their input contracts (via predicate abstraction)
• K-induction proof that iterative inference loops terminate

CPAchecker's output — witness files in the SV-COMP witness format — are machine-readable, XML-based proof objects that can be archived, audited, and submitted as evidence to EU conformity assessment bodies.

Witness Validation

A key CPAchecker innovation is witness-based verification: when CPAchecker produces a correctness claim, it also outputs a correctness witness — an XML annotation of the program's control-flow graph that encodes the invariants the analysis discovered:

<!-- Correctness witness: invariants at loop head -->
<invariant>
  <location file="program.c" line="47"/>
  <formula>i &gt;= 0 &amp;&amp; i &lt;= n &amp;&amp; n &lt;= 4096</formula>
</invariant>

This witness can be independently validated by a different tool (a witness validator — CPAchecker itself, or the dedicated tool FShell-w2t). Independent validation separates the trust requirement: you do not need to trust CPAchecker's full implementation — only the much smaller witness validator. This architecture directly satisfies EU regulatory requirements for tool qualification under DO-178C (Tool Qualification Plan) and IEC 61508 (software tool confidence level).

Deploying CPAchecker on sota.io

CPAchecker runs as a Java command-line tool. The standard Dockerfile for a CPAchecker CI verification service on sota.io:

FROM debian:bookworm-slim

# Install Java and dependencies
RUN apt-get update && apt-get install -y \
    wget \
    openjdk-17-jre-headless \
    gcc \
    cpp \
    && apt-get clean

# Download and install CPAchecker
ARG CPACHECKER_VERSION=2.3
RUN wget -q https://cpachecker.sosy-lab.org/CPAchecker-${CPACHECKER_VERSION}-unix.tar.bz2 \
    && tar -xjf CPAchecker-${CPACHECKER_VERSION}-unix.tar.bz2 \
    && rm CPAchecker-${CPACHECKER_VERSION}-unix.tar.bz2 \
    && mv CPAchecker-${CPACHECKER_VERSION} /opt/cpachecker

ENV PATH="/opt/cpachecker/scripts:${PATH}"

# Copy sources and specifications
COPY src/ /workspace/src/
COPY specs/ /workspace/specs/

WORKDIR /workspace

# Run CPAchecker reachability analysis
CMD ["bash", "-c", \
     "for src in src/*.c; do \
        echo \"Verifying $src...\"; \
        cpa.sh \
          -predicateAnalysis \
          -spec specs/reachability.spc \
          \"$src\" \
          -outputpath results/$(basename $src .c)/; \
      done"]

For CI/CD integration with GitHub Actions, storing formal evidence in EU PostgreSQL:

# .github/workflows/cpachecker.yml
name: CPAchecker Formal Verification

on: [push, pull_request]

jobs:
  cpachecker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Set up Java 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      
      - name: Download CPAchecker
        run: |
          wget -q https://cpachecker.sosy-lab.org/CPAchecker-2.3-unix.tar.bz2
          tar -xjf CPAchecker-2.3-unix.tar.bz2
      
      - name: Run predicate abstraction analysis
        run: |
          for src in src/*.c; do
            echo "=== Verifying $(basename $src) ==="
            CPAchecker-2.3/scripts/cpa.sh \
              -predicateAnalysis \
              -spec config/specification/default.spc \
              "$src" \
              -outputpath results/$(basename $src .c)/
          done
      
      - name: Upload verification witnesses
        uses: actions/upload-artifact@v4
        with:
          name: cpachecker-witnesses
          path: results/

For k-induction on loops with complex invariants:

# K-induction with invariant generation
cpa.sh \
  -kInduction \
  -spec config/specification/sv-comp-reachability.spc \
  -setprop "cpa.loopstructure.loopHeads=true" \
  -setprop "bmc.inductionIterations=5" \
  program.c

CPAchecker Ecosystem: SoSy-Lab Tools

The SoSy-Lab at LMU Munich has built an ecosystem around CPAchecker:

• BenchExec — the benchmark execution framework used by SV-COMP. Runs tools in containers with precise CPU and memory limits, reproducible results. Used by every SV-COMP participant and published as a standalone Python library (pip install benchexec).
• FShell — a test-case generation tool that uses CPAchecker's CPA framework to generate test inputs achieving coverage criteria
• VerifierCloud — a cloud infrastructure for distributed CPAchecker runs (run on LMU Munich servers), accessible via the CPAchecker web interface

The EU Software Verification Ecosystem

CPAchecker sits at the intersection of three EU research traditions:

The German CS university system. LMU Munich, TU Munich, University of Freiburg, University of Stuttgart, TU Darmstadt — all have strong software verification groups. Beyer's SoSy-Lab at LMU Munich is funded by the German Research Foundation (DFG) and EU Horizon Europe. The German automotive industry (Bosch, Continental, ZF, BMW, Mercedes-Benz) funds applied research on ISO 26262 formal verification through bilateral university contracts.

The ETAPS conference ecosystem. TACAS (co-organized by TU Berlin 🇩🇪, INRIA 🇫🇷, CWI 🇳🇱, KU Leuven 🇧🇪), FASE, FOSSACS, ESOP, FASE, FoSSaCS — all part of ETAPS (European Joint Conferences on Theory and Practice of Software). SV-COMP results are published and reproduced at TACAS each year. This is EU academic infrastructure for software verification tooling.

The SMT solver collaboration. CPAchecker integrates with:

• Z3 (from Microsoft Research Cambridge 🇬🇧 — EU-adjacent)
• MathSAT5 (FBK Trento 🇮🇹 — 100% EU, the same group that built nuXmv)
• Princess (Philipp Rümmer 🇩🇪, Uppsala University 🇸🇪 — EU-native SMT solver for integer arithmetic)
• SMTInterpol (Jochen Hoenicke 🇩🇪, University of Freiburg 🇩🇪 — EU-native, designed for Craig interpolation)

EU Regulatory Context

EU Cyber Resilience Act (CRA) 2027

The CRA requires manufacturers of products with digital elements to demonstrate absence of known exploitable vulnerabilities. CPAchecker analysis provides:

• Machine-readable correctness witnesses for buffer overflow absence
• Formal proof that input-parsing code has no integer overflow in path-sensitive analysis
• Reachability analysis results showing attack vectors cannot reach unsafe operations

GDPR Article 25: Privacy by Design

CPAchecker's predicate abstraction analysis can verify information-flow properties — checking that personal data does not flow from a restricted memory region to an output buffer without authorization. With a custom specification automaton tracking tagged taint from GDPR-regulated input sources, CPAchecker provides formal evidence of data minimization at the C code level.

EU AI Act Article 9: Risk Management

For high-risk AI systems with C runtimes (automotive ADAS, industrial robots, medical inference), CPAchecker verification satisfies the EU AI Act's requirement for "testing procedures, correction measures, and safety measures" with machine-checkable formal evidence — not just testing coverage metrics.

CPAchecker is free software (Apache License 2.0). The SoSy-Lab publishes it at github.com/sosy-lab/cpachecker. sota.io has a free tier — sign up, deploy your first CPAchecker verification service in minutes, and generate formal evidence that satisfies EU regulatory requirements for safety-critical C code.

# Deploy CPAchecker service on sota.io
# 1. Build
docker build -t cpachecker-verifier .
docker push registry.sota.io/your-project/cpachecker-verifier

# 2. Deploy to sota.io EU infrastructure
curl -X POST https://api.sota.io/v1/projects/YOUR_PROJECT_ID/deploy \
  -H "Authorization: Bearer $SOTA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"image": "registry.sota.io/your-project/cpachecker-verifier"}'

Formal verification evidence runs on German infrastructure, under EU jurisdiction, operated by an EU entity. Correctness witnesses and verification results stay in the EU — compliant with GDPR, CRA, and EU AI Act Art. 9 from day one.

See Also

• Deploy CBMC to Europe → — Daniel Kroening 🇩🇪 (Oxford 🇬🇧), C bounded model checker, SV-COMP competitor
• Deploy CompCert to Europe → — Xavier Leroy 🇫🇷 (INRIA Paris), the formally verified C compiler
• Deploy NuSMV to Europe → — Alessandro Cimatti 🇮🇹 (FBK Trento), symbolic model checker with MathSAT5
• Deploy UPPAAL to Europe → — Kim Larsen 🇩🇰 (Aalborg) + Wang Yi 🇸🇪 (Uppsala), timed automata model checker
• All 161 languages on sota.io →

sota.io is built in Europe, for Europe. Every workload you deploy on sota.io stays under EU jurisdiction — GDPR-compliant, Cloud Act-free, and operated by an EU entity. Deploy CPAchecker now →