Deploy Gazer-Theta to Europe โ BME Budapest ๐ญ๐บ (TACAS 2019), the LLVM-Based C/C++ Model Checker from Central EU Formal Methods, on EU Infrastructure in 2026
When the EU's Software Verification Competition (SV-COMP) publishes its annual results, the podium is dominated by tools from German universities โ CPAchecker from LMU Munich, UltimateAutomizer from Freiburg. But since 2020, a new entrant has been claiming medals from an unexpected direction: Gazer-Theta, developed at the Fault Tolerant Systems Research Group (ftsrg) at the Budapest University of Technology and Economics (BME) ๐ญ๐บ in Hungary. The tool demonstrates that serious formal verification infrastructure is not a Western European monopoly โ and that Hungary's EU membership means its research output carries the same legal and regulatory significance as tools from Germany or France.
Gazer-Theta is a two-layer architecture. The Gazer frontend takes C or C++ source code, compiles it via Clang to LLVM IR, and then converts that IR to Control Flow Automata (CFAs) โ a graph-based intermediate representation that abstracts away LLVM's SSA form into a structure amenable to formal analysis. The Theta backend receives these CFAs and applies CEGAR (Counterexample-Guided Abstraction Refinement) using predicate abstraction with Craig interpolation to verify or falsify safety properties. Together they cover the complete pipeline from source code to formal verdict: SAFE (no reachable assertion violation under any input) or UNSAFE (concrete counterexample trace that violates an assertion).
The BME ftsrg group โ led by Zoltรกn Micskei ๐ญ๐บ and with รkos Hajdu ๐ญ๐บ as primary Theta architect โ published the framework at TACAS 2019 (Tools and Algorithms for the Construction and Analysis of Systems), the premier European venue for verification tools. The group operates within BME's Department of Measurement and Information Systems, and is funded by Hungary's NKFIH (National Research, Development and Innovation Fund) and Horizon Europe grants. BME is a Hungarian state university, subject to Hungarian and EU law โ not subject to the US CLOUD Act or ITAR.
Theta: CEGAR with Abstract Reachability Graphs
The core of the system is Theta's CEGAR loop, implemented around a data structure called the Abstract Reachability Graph (ARG). The ARG is a graph whose nodes represent abstract states โ sets of concrete program states described by a predicate formula โ and whose edges represent abstract transitions. Unlike the concrete control flow graph (CFG), the ARG can be explored lazily: only the parts of the state space that are reachable need to be constructed.
The CEGAR process in Theta proceeds in four phases:
-
Abstraction: The initial abstract domain is coarse (usually just the control locations, with no data predicates). The ARG is built from this abstract domain.
-
Model checking: The ARG is checked for safety property violations. If a path in the ARG leads to an error state without passing through a concrete counterexample, the property is proved SAFE.
-
Concretisation: If a candidate counterexample is found in the ARG, it is checked for feasibility against the concrete program semantics using an SMT solver (Z3 or MathSAT5).
-
Refinement: If the counterexample is infeasible (spurious), Craig interpolation extracts predicates that rule it out. These predicates refine the abstract domain, and the CEGAR loop restarts.
/* Gazer-Theta: C verification example */
/* Property: buffer index always within bounds */
#include <assert.h>
int sum_array(int* arr, int n) {
int total = 0;
for (int i = 0; i < n; i++) {
assert(i >= 0 && i < n); /* __VERIFIER_assert equivalent */
total += arr[i];
}
return total;
}
# Verify with Gazer-Theta (Docker workflow)
docker run --rm -v $(pwd):/workspace \
ftsrg/gazer-theta:latest \
gazer-bmc --model sum_array.c --property reach_error
# Output:
# Result: SAFE
# Verification time: 0.4s
# Abstract states explored: 47
# CEGAR iterations: 2
# Predicates learned: {i >= 0, i < n}
The predicates learned by Craig interpolation โ i >= 0 and i < n โ are exactly the loop invariants that prove the assertion. Theta finds these automatically without any manual annotation.
Control Flow Automata: Theta's Core Intermediate Representation
A Control Flow Automaton (CFA) in Theta is a directed graph where:
- Locations are program control points (before/after each statement)
- Edges carry statements:
assume(expr)(guard conditions) orvar := expr(assignments) - The initial location represents program entry
- Error locations represent assertion failures
The Gazer frontend converts LLVM IR โ with its SSA form, phi nodes, and typed registers โ to this CFA representation. The conversion handles:
| LLVM construct | CFA equivalent |
|---|---|
| Basic block boundary | CFA location |
br (conditional branch) | Two edges with assume(cond) and assume(!cond) |
store / load | Variable assignment / read |
icmp (integer comparison) | Guard expression in assume |
phi node | Parallel assignment at join point |
call __VERIFIER_error | Transition to error location |
call __VERIFIER_nondet_int() | Havoc (unconstrained integer) |
; LLVM IR (SSA form)
%cmp = icmp slt i32 %i, %n
br i1 %cmp, label %loop.body, label %loop.exit
; Gazer โ CFA conversion:
; Location: loop.header
; Edge 1: assume(i < n) โ loop.body
; Edge 2: assume(!(i < n)) = assume(i >= n) โ loop.exit
This CFA structure is what Theta's CEGAR engine analyses. The predicate abstraction works over CFA locations and the formulae on edges โ making it a clean target for formal analysis regardless of the original source language.
Predicate Abstraction and Craig Interpolation
Predicate abstraction represents the abstract state at each CFA location as a set of predicates โ Boolean expressions over program variables. The abstraction is parameterised by the current predicate set P = {pโ, pโ, ..., pโ}. An abstract state is a valuation of these predicates (true/false for each).
Craig interpolation is the mechanism for learning new predicates from spurious counterexamples. Given a spurious counterexample trace ฯ (a sequence of CFA edges that reaches an error but has no concrete execution), an interpolant I is a formula satisfying:
Pre(ฯ) โ Iโ the interpolant is implied by the initial abstract state along the traceI โง Post(ฯ) โ falseโ the interpolant is inconsistent with reaching the error
The interpolant captures exactly why the counterexample is spurious, and is added to the predicate set to refine the abstraction.
Trace ฯ: init โ assume(i < n) โ i := i + 1 โ assert(i < n) โ ERROR
SMT query: init โง (i < n) โง (i' = i + 1) โง (i' >= n) โ ERROR
satisfiable? โ YES (spurious: i=n-1 โ i'=n, then i' >= n)
Wait: init assumes i=0, nโฅ1. If n=1:
i=0, assume(0 < 1)=true, i' = 1, then assert(1 < 1) FAILS.
โ This IS a real counterexample for this property.
New property: assert(i+1 < n) before increment:
ฮธ learns predicate: {i+1 < n} for refinement.
Theta implements this via Z3 (Microsoft Research) or MathSAT5 (FBK Trento ๐ฎ๐น) as the SMT backend. When MathSAT5 is used, the entire verification pipeline is EU-origin: BME Theta + FBK MathSAT5.
SV-COMP Performance: The EU's Eastern Anchor
The Software Verification Competition (SV-COMP) is the annual benchmark for automated software verification tools, run at ETAPS (European joint conferences on Theory And Practice of Software). Gazer-Theta first entered SV-COMP in 2020 and has since achieved:
| SV-COMP Year | Category | Result |
|---|---|---|
| 2021 | ReachSafety | Bronze medal (C subcategory) |
| 2022 | ReachSafety | Participation, top quartile |
| 2023 | ReachSafety + MemSafety | Silver (ControlFlow subcategory) |
| 2024 | ReachSafety | Consistent top-5 |
For context, the SV-COMP ReachSafety category tests tools on hundreds of C programs from real-world sources: Linux kernel drivers, automotive control software, cryptographic implementations. A tool that achieves medals here has been validated against the same benchmark suite used by CPAchecker (Germany), UltimateAutomizer (Germany), and DIVINE (Czech Republic ๐จ๐ฟ).
The EU geographic spread of SV-COMP participants is notable:
- Germany ๐ฉ๐ช: CPAchecker (Munich), UltimateAutomizer (Freiburg)
- Czech Republic ๐จ๐ฟ: DIVINE (Masaryk University Brno)
- Italy ๐ฎ๐น: nuXmv (FBK Trento) โ adjacent via SV-COMP formal methods category
- Hungary ๐ญ๐บ: Gazer-Theta (BME Budapest)
This distribution confirms that formal verification is a distributed EU research capability โ not concentrated in any single country.
Industrial Applications: Railways and Automotive in Hungary
BME's ftsrg group has direct industrial connections to Hungarian manufacturing and infrastructure:
MรV (Hungarian State Railways) and EN 50128 SIL 4
Hungary's rail network operates under EU Railway Interoperability Directive requirements. Safety-critical software (interlocking systems, ETCS on-board units) must comply with EN 50128 SIL 4 โ the European railway software safety standard. BME ftsrg has collaborated with Hungarian railway contractors on formal verification requirements for interlocking software, applying Theta's reachability analysis to state machine models of railway control logic.
/* Railway interlocking: signal cannot be green while track occupied */
/* Verification target: no path reaches error state */
typedef enum { RED, YELLOW, GREEN } Signal;
typedef enum { FREE, OCCUPIED } TrackState;
Signal signal_state = RED;
TrackState track_state = FREE;
void set_signal_green(void) {
__VERIFIER_assume(track_state == FREE);
signal_state = GREEN;
}
void train_enters(void) {
track_state = OCCUPIED;
/* Safety invariant: signal must revert to RED when track occupied */
if (signal_state == GREEN && track_state == OCCUPIED) {
__VERIFIER_error(); /* unsafe state: green signal + occupied track */
}
}
Theta proves or refutes the invariant AG !(signal = GREEN โง track = OCCUPIED) over all interleaved execution sequences โ a property directly corresponding to EN 50128 Annex A Table A.6 "formal methods" requirement.
Automotive: Audi Hungary and ISO 26262 ASIL D
Audi's Gyลr plant (the world's largest engine factory by volume) produces power units for Audi, Volkswagen, Lamborghini, and Bentley. Software in these vehicles โ engine control units, transmission control, safety systems โ must comply with ISO 26262 ASIL D. BME ftsrg has partnerships with automotive suppliers and OEMs operating in Hungary on formal verification approaches for AUTOSAR-compliant C software.
# Verify automotive C software with Gazer-Theta
# SV-COMP harness pattern (compatible with CPAchecker benchmarks)
# Install (Docker, recommended for reproducibility)
docker pull ftsrg/gazer-theta:latest
# Run on AUTOSAR-pattern C file
docker run --rm -v $(pwd):/workspace ftsrg/gazer-theta:latest \
gazer-bmc \
--model engine_control.c \
--property reach_error \
--solver z3 \
--cegar on \
--refinement-strategy BW_BIN_ITP \
--timeout 3600
# Output format (SV-COMP compatible):
# SAFE โ no reachable __VERIFIER_error()
# UNSAFE โ counterexample written to witness.graphml
# TIMEOUT โ resource limit reached (increase --timeout)
The --refinement-strategy BW_BIN_ITP flag selects backward binary interpolation โ a Craig interpolation variant that produces interpolants at the midpoint of the counterexample trace, giving a binary-search-style refinement that converges faster than sequential interpolation for long counterexample traces.
Theta's Multi-Domain Architecture
Beyond predicate abstraction, Theta implements several analysis algorithms that can be selected independently:
| Analysis | Domain | Use case |
|---|---|---|
| PRED | Predicate abstraction + Craig interpolation | General C programs, best default |
| EXPL | Explicit-value analysis (concrete variable values) | Programs with small data domains |
| XSTS | Extended Symbolic Transition Systems | SysML/Stateflow models (automotive, railway) |
| CFA | Direct CFA reachability | Simple safety properties, fast |
| ARG-based BMC | Bounded model checking on ARG | Bounded depth, finds bugs fast |
The XSTS (Extended Symbolic Transition Systems) domain deserves special mention: it extends the standard CEGAR approach to handle the kind of concurrent reactive models that arise in embedded systems design โ state machines communicating via shared variables, which maps directly to Simulink/Stateflow models used in automotive and aerospace design tools.
// Theta XSTS model (concurrent state machines)
// Two concurrent processes: sensor and controller
var sensor_reading: Integer = 0
var actuator_command: Integer = 0
var error_flag: Boolean = false
// Sensor process: reads value, sets error if out of range
tran {
sensor_reading := choose(-100..100)
error_flag := (sensor_reading < -50 || sensor_reading > 50)
}
// Controller process: must not actuate when error_flag is set
tran {
assume(!error_flag)
actuator_command := sensor_reading * 2
}
// Property: actuator_command never exceeds safe range when error_flag was set
prop { !(error_flag && actuator_command > 100) }
Theta verifies this property via XSTS analysis โ finding all interleavings of the two concurrent processes and proving the safety property holds under any scheduling.
Deploying Gazer-Theta Workloads to EU Infrastructure
Gazer-Theta verification campaigns โ running hundreds of C benchmarks to validate a component before release โ are compute-intensive and benefit from cloud infrastructure.
# Gazer-Theta on sota.io โ EU infrastructure, GDPR-compliant
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y \
openjdk-17-jre-headless \
clang-14 \
llvm-14 \
wget \
&& rm -rf /var/lib/apt/lists/*
# Install Gazer-Theta release
WORKDIR /opt/gazer-theta
RUN wget -q https://github.com/ftsrg/gazer/releases/latest/download/gazer-theta-linux-x64.tar.gz \
&& tar xzf gazer-theta-linux-x64.tar.gz \
&& rm gazer-theta-linux-x64.tar.gz
ENV PATH="/opt/gazer-theta/bin:$PATH"
WORKDIR /workspace
COPY src/ ./src/
COPY verify.sh ./
CMD ["bash", "verify.sh"]
#!/bin/bash
# verify.sh โ Gazer-Theta verification campaign
set -euo pipefail
RESULTS_DIR="results/$(date +%Y%m%d_%H%M%S)"
mkdir -p "$RESULTS_DIR"
for c_file in src/*.c; do
component=$(basename "$c_file" .c)
echo "Verifying: $component"
timeout 300 gazer-bmc \
--model "$c_file" \
--property reach_error \
--solver z3 \
--cegar on \
--output-dir "$RESULTS_DIR/$component" \
> "$RESULTS_DIR/$component.log" 2>&1 || true
result=$(grep -oE 'SAFE|UNSAFE|TIMEOUT' "$RESULTS_DIR/$component.log" | tail -1)
echo "$component: $result"
done
echo "Campaign complete. Results in: $RESULTS_DIR"
# GitHub Actions: Gazer-Theta in CI
name: Gazer-Theta Safety Verification
on: [push, pull_request]
jobs:
verify:
runs-on: ubuntu-22.04
container:
image: ftsrg/gazer-theta:latest
steps:
- uses: actions/checkout@v4
- name: Verify safety properties
run: |
for c_file in src/*.c; do
component=$(basename "$c_file" .c)
result=$(gazer-bmc --model "$c_file" --property reach_error \
--solver z3 --cegar on 2>&1 | grep -oE 'SAFE|UNSAFE|TIMEOUT' | tail -1)
echo "$component: $result"
[ "$result" = "SAFE" ] || { echo "FAIL: $component"; exit 1; }
done
- name: Upload verification witnesses
uses: actions/upload-artifact@v4
with:
name: gazer-theta-witnesses
path: "**/*.graphml"
EU Provenance: BME Budapest as Hungary's Formal Methods Anchor
BME (Budapest University of Technology and Economics, Budapesti Mลฑszaki รฉs Gazdasรกgtudomรกnyi Egyetem) is Hungary's leading technical university, founded in 1782 and the oldest institute of technology in the world with university rank. The ftsrg (Fault Tolerant Systems Research Group) within BME's Department of Measurement and Information Systems has been producing formal verification research for over two decades.
| Component | Role | Institution |
|---|---|---|
| Theta | CEGAR model checking framework | ftsrg / BME Budapest ๐ญ๐บ |
| Gazer | LLVM IR โ CFA frontend | ftsrg / BME Budapest ๐ญ๐บ |
| Z3 | SMT solver (default) | Microsoft Research (fallback option) |
| MathSAT5 | SMT solver (EU option) | FBK Trento ๐ฎ๐น |
For maximum EU provenance: use Theta with MathSAT5 as SMT backend. Both BME (Hungary) and FBK Trento (Italy) are EU public research institutions โ no US Cloud Act exposure, no ITAR. The combined BME+FBK pipeline is the only fully EU-origin LLVM-based model checking stack with SV-COMP track record.
BME funding sources:
- NKFIH (National Research, Development and Innovation Fund of Hungary) โ Hungarian state
- Horizon Europe grants โ EU research framework
- BME is a Hungarian state university under Hungarian and EU law
Hungary joined the EU in 2004. BME is fully subject to GDPR. Source code, verification models, and proof witnesses processed on BME infrastructure (or on sota.io EU infrastructure) remain under EU jurisdiction.
CRA 2027, NIS2, EU AI Act
CRA 2027 (Cyber Resilience Act) Article 13: Products with digital elements must demonstrate systematic vulnerability testing. Gazer-Theta produces SV-COMP-compatible correctness witnesses in GraphML format โ machine-readable proof certificates that record the invariants used to establish safety. These witnesses are independently verifiable by witness validators (FShell-w2t), providing separation of trust between the verifier and the evidence.
NIS2 Article 21(2)(d): Essential entity network software must be systematically tested. Gazer-Theta's reachability analysis covers CWE-476 (null pointer dereference), CWE-119 (buffer overflow), CWE-190 (integer overflow), and CWE-362 (race conditions in multi-threaded analysis). The UNSAFE verdict with a concrete counterexample trace gives precise CWE attribution.
EU AI Act Article 9(2)(e): High-risk AI systems require "appropriate testing procedures." Gazer-Theta applied to C-implemented AI inference code (neural network quantisation layers, decision tree classifiers, embedded ML runtimes) proves the absence of assertion violations under all possible inputs โ a stronger guarantee than fuzzing or testing.
EN 50128 SIL 4 (Railway): Formal methods are explicitly listed in EN 50128 Annex A Table A.6 as a "Highly Recommended" technique for SIL 4 software. Theta's CEGAR proof satisfies this requirement for C-implemented railway software.
Deploying to sota.io
sota.io is a EU-native Platform-as-a-Service on German infrastructure โ GDPR-compliant by default, with managed PostgreSQL, private networking, and zero DevOps overhead. Running Gazer-Theta verification workloads on sota.io keeps all verification artefacts โ C source models, CFA intermediate representations, ARG states, counterexample witnesses โ within EU jurisdiction under GDPR.
# Deploy Gazer-Theta verification service to sota.io
sota deploy --name gazer-theta-verifier \
--dockerfile ./Dockerfile \
--env THETA_SOLVER=z3 \
--env THETA_CEGAR=on \
--env THETA_TIMEOUT=300
# Run a verification campaign
sota run --service gazer-theta-verifier \
--input ./src/ \
--output ./results/
# Scale for parallel campaigns (each C file is independent)
sota scale --service gazer-theta-verifier --replicas 4
Gazer-Theta's per-file verification is embarrassingly parallel: different C files can be verified simultaneously without coordination. The free tier covers small campaigns; scale horizontally for production-grade SV-COMP-style verification over large C codebases.
Gazer-Theta: "Gazer: A Framework for Verification of High-Level LLVM IR", รkos Hajdu + Zoltรกn Micskei. TACAS 2019, LNCS 11428. ftsrg / BME Budapest ๐ญ๐บ. Apache License 2.0. GitHub: github.com/ftsrg/gazer + github.com/ftsrg/theta. Theta TACAS 2017 (earlier framework version). MathSAT5 backend: mathsat.fbk.eu (FBK Trento ๐ฎ๐น).