Deploy Frama-C to Europe — CEA LIST 🇫🇷 + INRIA 🇫🇷 (2008), the EU-Native C Code Formal Verifier Behind Airbus Avionics and French Nuclear Safety, on EU Infrastructure in 2026

In the safety-critical software engineering community, there is a question that separates production-grade formal verification from academic exercises: can you formally verify C? C is the language in which flight control software is written. It is the language of nuclear reactor instrumentation and control systems, of railway interlocking computers, of AUTOSAR automotive stacks. C is the language of embedded Europe.

Frama-C answers that question. Developed by CEA LIST 🇫🇷 (Laboratoire d'Intégration des Systèmes et des Technologies, part of the Commissariat à l'Énergie Atomique et aux Energies Alternatives — the French national atomic energy commission) in collaboration with INRIA 🇫🇷 (the French national research institute for digital science and technology), Frama-C is a platform for static analysis and formal verification of ISO C source code. Its first public release appeared in 2008. Since then it has become the standard EU tool for proving correctness of safety-critical C software.

Frama-C is not a single analysis technique but a plugin architecture: each analysis method is implemented as a plugin operating on the same AST (Abstract Syntax Tree) representation of C source. The two flagship plugins are WP (Weakest Preconditions) for deductive formal verification and Eva (Evolved Value Analysis) for abstract interpretation. Both operate on code annotated with ACSL — the ANSI/ISO C Specification Language — which expresses function contracts, loop invariants, and memory safety properties in formal notation embedded in C comments.

The institutional pedigree is unambiguous: CEA LIST is a French public research institution funded by the French state. INRIA is a French public research institution funded by the French Ministry of Higher Education. Frama-C is 100% EU-origin, no US Cloud Act jurisdiction, no ITAR encumbrance.

ACSL — The Specification Language for C

Before Frama-C can verify anything, the programmer must express what must be verified. ACSL (ANSI/ISO C Specification Language) is the annotation language: formal specifications embedded in C comments starting with /*@ and //@ . It is standardised by INRIA and CEA.

/*@ requires \valid(arr + (0..n-1));
  @ requires n >= 0;
  @ assigns \nothing;
  @ ensures \result >= 0 && \result < n;
  @ ensures \forall integer i; 0 <= i < n ==> arr[\result] >= arr[i];
  @ behavior empty:
  @   assumes n == 0;
  @   ensures \result == 0;
  @ complete behaviors;
  @ disjoint behaviors;
  @*/
int find_max_index(int *arr, int n) {
  int max_idx = 0;
  /*@ loop invariant 0 <= i <= n;
    @ loop invariant 0 <= max_idx < n;
    @ loop invariant \forall integer k; 0 <= k < i ==> arr[max_idx] >= arr[k];
    @ loop assigns i, max_idx;
    @ loop variant n - i;
    @*/
  for (int i = 1; i < n; i++) {
    if (arr[i] > arr[max_idx]) max_idx = i;
  }
  return max_idx;
}

The ACSL annotations express:

• requires — preconditions: what must be true before calling the function
• assigns — the frame condition: which memory locations may be modified
• ensures — postconditions: what must be true when the function returns
• loop invariant — inductive properties maintained at every loop iteration
• loop variant — a decreasing term proving the loop terminates
• \valid(ptr) — memory safety: the pointer is dereferenceable
• \forall integer i; ... — universal quantification over integers

ACSL supports arithmetic overflow specifications, pointer aliasing constraints, separation logic-style memory region assertions, and ghost code (specification-only variables). It is expressive enough to specify the contracts that IEC 61508, DO-178C, and EN 50128 demand.

The WP Plugin — Deductive Verification via Weakest Preconditions

The WP plugin implements deductive program verification: given a C function annotated with an ACSL contract, it computes the Weakest Precondition of each statement and reduces the verification obligation to a set of proof obligations — logical formulas that must be true for the code to satisfy its contract. These proof obligations are dispatched to SMT solvers and/or interactive proof assistants.

The WP pipeline:

1. Frama-C parses C + ACSL annotations → normalised AST
2. WP computes proof obligations using Hoare logic (assignment axiom, sequence rule, conditional rule, loop rule using provided invariants)
3. Proof obligations translated to Why3 IL (intermediate language) via the Why3 platform (Jean-Christophe Filliâtre 🇫🇷, INRIA Saclay / LRI Paris)
4. Why3 dispatches to SMT solvers:
   • Alt-Ergo 🇫🇷 (OCaml-based SMT, developed at INRIA Saclay / LRI Paris, now maintained by OCamlPro 🇫🇷 Paris) — the EU-native solver
   • Z3 (Microsoft, US) — for harder arithmetic lemmas
   • CVC5 (Stanford/Iowa, US) — for additional arithmetic theories
5. Interactive proofs: Isabelle/HOL 🇬🇧🇩🇪, Coq/Rocq 🇫🇷 (INRIA), for obligations that automated solvers cannot discharge

The result is a complete EU-native verification stack from specification language to SMT solver: Frama-C (CEA LIST 🇫🇷) → ACSL (INRIA+CEA 🇫🇷) → WP plugin → Why3 (INRIA Saclay 🇫🇷) → Alt-Ergo (INRIA/OCamlPro 🇫🇷).

/*@ requires \valid(a) && \valid(b);
  @ requires *a >= 0 && *b >= 0;
  @ assigns *a, *b;
  @ ensures *a == \old(*b) && *b == \old(*a);
  @*/
void swap(int *a, int *b) {
  int tmp = *a;
  *a = *b;
  *b = tmp;
}

Running frama-c -wp -wp-rte swap.c verifies:

• No runtime errors (integer overflow, null pointer dereference, out-of-bounds access)
• Postcondition *a == \old(*b) && *b == \old(*a) holds
• Frame condition assigns *a, *b correctly bounds the memory footprint

The Eva Plugin — Abstract Interpretation for Runtime Error Detection

The Eva plugin (Evolved Value Analysis) implements abstract interpretation: rather than exhaustively exploring all concrete execution paths, it over-approximates the set of all possible values at each program point using abstract domains. Eva computes, for every variable at every instruction, a conservative approximation of all values that variable can take across all possible inputs. Any concrete execution is contained in the abstract over-approximation: if Eva proves a property on the abstract values, it holds for all concrete executions.

Eva detects runtime errors without user-provided contracts:

• Integer overflow (signed: undefined behaviour in C; unsigned: well-defined wrapping)
• Division by zero
• Null pointer dereference
• Out-of-bounds array access
• Invalid pointer arithmetic
• Uninitialized variable reads
• Unchecked cast overflow

# Run Eva: propagate abstract values, report all possible alarms
frama-c -eva -eva-precision 7 controller.c

# Output:
# [eva] Analyzing a complete application...
# [eva:alarm] controller.c:47: Warning: index 8 >= 8 in buf[8]. (out-of-bounds)
# [eva] Analysis complete in 2.3s. 1 alarm remaining.

Eva's power is whole-program analysis: it models the abstract state of the entire program simultaneously, tracking pointer aliases, global state, and inter-procedural value flow. The precision parameter (-eva-precision 0..11) controls the time/precision trade-off — precision 7 is the industrial default for safety-critical code.

Eva is used in safety assessment workflows for MISRA C violation detection, DO-178C MC/DC coverage analysis groundwork, and IEC 61508 runtime-error-freedom arguments.

Industrial EU Users — Airbus, EDF, Thales

The three flagship EU industrial users of Frama-C represent the three pillars of EU safety-critical C software:

Airbus 🇫🇷 (Toulouse): The A350 and A380 flight control computers contain hundreds of thousands of lines of safety-critical C code certified to DO-178C DAL A (Design Assurance Level A — the highest, meaning a software failure could cause an aircraft loss). Frama-C WP is used at Airbus to generate formal correctness certificates for numeric computations in the flight control law (FCL) software: aerodynamic model computations, flight envelope protection, auto-pilot control law implementations. The Airbus formal methods team published their use of Frama-C + ACSL + Alt-Ergo at multiple ERTS (Embedded Real Time Software) and FM (Formal Methods) conferences. Frama-C is part of the evidence package that demonstrates the software meets its safety objectives under DO-178C.

EDF 🇫🇷 (Électricité de France): French nuclear power plants' I&C systems (Instrumentation and Control) are certified to IEC 61508 SIL4 — the highest safety integrity level for industrial systems. The reactor protection systems, emergency shutdown sequences, and cooling system control software are written in C and must be verified to near-zero probability of dangerous failure on demand. EDF uses Frama-C Eva for runtime error freedom proofs — demonstrating that C code in safety functions can never exhibit undefined behaviour under any input condition. The ACSL + WP approach provides mathematical proof certificates that are included in the safety case documentation submitted to ASN (Autorité de Sûreté Nucléaire, the French nuclear safety regulator).

Thales 🇫🇷 (Paris): Railway signalling systems certified to EN 50128 SIL4 (European standard for railway control and protection software). Thales TAS (Transport Automation Systems) uses Frama-C for formal safety proofs of interlocking C code — the software that prevents train collisions by enforcing that no two trains can be authorized on conflicting route segments simultaneously. The same group uses Frama-C for SESAR (Single European Sky ATM Research, EU air traffic management modernization) protocol verification.

Why3 and Alt-Ergo — The French Deductive Verification Stack

Why3 (Jean-Christophe Filliâtre 🇫🇷, INRIA Saclay / Université Paris-Saclay, LRI) is the intermediate platform that connects Frama-C WP to automated theorem provers. It provides:

• WhyML: a functional language with pre/post/invariants, transformed from Frama-C's proof obligations
• Multi-solver dispatch: sends the same obligation to Alt-Ergo, Z3, CVC5, Isabelle — first one to succeed wins
• Session management: records which obligations were proved by which solver at which version
• Interactive mode: for obligations that automated solvers cannot discharge

Alt-Ergo 🇫🇷 (INRIA Saclay / LRI → OCamlPro 🇫🇷, Paris): An SMT solver written in OCaml (itself an INRIA creation), designed specifically for Why3 proof obligations arising from deductive program verification. Alt-Ergo 2.x supports:

• Linear arithmetic (integers and reals)
• Non-linear arithmetic (with quantifier instantiation)
• Arrays (extensional + functional)
• Algebraic data types
• Bit-vectors
• Polymorphic first-order logic

The complete chain — Frama-C (CEA LIST 🇫🇷) + Why3 (INRIA Saclay 🇫🇷) + Alt-Ergo (OCamlPro 🇫🇷) — is a 100% French-origin, 100% EU-origin, open-source deductive verification stack. No US components required. No US Cloud Act jurisdiction. No ITAR exposure for aerospace/defence models.

sota.io — Deploy Frama-C in EU in Minutes

# Install Frama-C on sota.io (Ubuntu 22.04)
apt-get install -y frama-c

# Check version
frama-c -version
# Frama-C Silicon-26.1 (or later)

# Run WP on a simple function
cat > safe_div.c << 'EOF'
/*@ requires b != 0;
  @ assigns \nothing;
  @ ensures \result * b == a;
  @ ensures b > 0 ==> \result == a / b;
  @*/
int safe_div(int a, int b) {
  return a / b;
}
EOF

frama-c -wp -wp-rte safe_div.c
# [wp] Proved goals: 3/3

# Dockerfile: Frama-C formal verification pipeline on sota.io
FROM ubuntu:22.04
RUN apt-get update && \
    apt-get install -y frama-c why3 alt-ergo && \
    rm -rf /var/lib/apt/lists/*

# Configure Why3 with Alt-Ergo
RUN why3 config detect

WORKDIR /verification
COPY src/ ./src/
COPY specs/ ./specs/

# Run WP deductive verification — fail if any goal unproved
RUN frama-c -wp \
    -wp-rte \
    -wp-prover alt-ergo,z3 \
    -wp-timeout 30 \
    -wp-report verification_report.txt \
    src/*.c

# Run Eva abstract interpretation — fail if any alarm
RUN frama-c -eva \
    -eva-precision 7 \
    src/*.c \
    2>&1 | tee eva_report.txt | \
    grep -q "Warning:" && exit 1 || true

CMD ["bash", "-c", "frama-c -wp -wp-rte ${TARGET:-src/main.c}"]

# nuXmv + Frama-C combined pipeline (sota.io Standard tier, 2 GB RAM)
# Step 1: Eva — runtime error freedom proof
frama-c -eva -eva-precision 7 controller.c 2>&1 | grep "alarms\|Warning"

# Step 2: WP — functional correctness proof
frama-c -wp -wp-rte \
  -wp-prover alt-ergo,cvc5 \
  -wp-timeout 60 \
  controller.c

# Step 3: Generate HTML report
frama-c -wp \
  -wp-prover alt-ergo \
  -wp-fct find_max_index \
  -wp-report-json report.json \
  controller.c

sota.io free tier (512 MB RAM, 0.5 vCPU) handles Eva analysis of individual functions and WP verification of small modules (< 500 lines). Full-system analysis of industrial C modules (Airbus FCL functions, EDF safety functions) requires Standard tier (€9/month, 2 GB RAM, 1 vCPU) or higher for Why3 SMT solver dispatch with 30-60 second timeouts.

See Also

• Deploy NuSMV to Europe → — EU-native symbolic model checker (FBK Trento 🇮🇹, 2002)
• Deploy SMV to Europe → — Original BDD symbolic model verifier (CMU, ACM Turing Award 2007)
• Deploy SPARK Ada to Europe → — Formal verification for Ada (AdaCore 🇫🇷, 1993)
• Deploy Dafny to Europe → — Verification-aware language (Microsoft Research, 2009)
• Deploy Alloy to Europe → — SAT-based relational model finder (MIT CSAIL, 2002)
• Deploy CADP to Europe → — EU-native distributed systems verification toolbox (INRIA Grenoble 🇫🇷, 1989)
• Deploy Why3 to Europe → — EU-native multi-prover verification platform (LRI Paris-Sud / INRIA Saclay 🇫🇷, 2010) — Frama-C WP's backend
• All 144 languages on sota.io →