2026-04-06 · 11 min read · sota.io team

Deploy nuXmv to Europe — FBK Trento 🇮🇹 (CAV 2014), the IC3/PDR Infinite-State Model Checker with MathSAT5, on EU Infrastructure in 2026

BDD-based symbolic model checking — the technique at the heart of NuSMV and the original CMU SMV — achieved something remarkable: it proved correctness of hardware circuits with 10¹²⁰ states by representing those states as compact Boolean formulae. But BDDs have a fundamental limitation. They can only represent finite-state systems. The moment a specification involves unbounded integers, real-valued sensor readings, or arrays of variable length, the BDD approach breaks down. The state space becomes infinite and no finite Boolean formula can capture it.

This is the problem nuXmv was built to solve.

Released in 2014 at the Computer Aided Verification (CAV) conference by the FBK Trento research group — the same Fondazione Bruno Kessler in northern Italy that produced NuSMV in 2002 — nuXmv extends its predecessor with two capabilities that together enable model checking of real software systems, not just hardware circuits. The first is the IC3/PDR algorithm (Incremental Construction of Inductive Clauses / Property Directed Reachability), Aaron Bradley's 2011 breakthrough method for finding inductive invariants without ever constructing a BDD. The second is MathSAT5, an industrial-strength SMT solver developed at the same FBK Trento lab, which can reason about infinite-state systems by encoding them in Satisfiability Modulo Theories — Boolean structure combined with arithmetic over integers, rationals, bit-vectors, and arrays.

The result is a verification toolchain where every component — the model checking engine, the SAT backend, the SMT backend, the research team — traces to a single public EU institution: Fondazione Bruno Kessler, funded by the Trentino regional government in northern Italy. This is the most complete EU provenance of any model checker in active industrial use.

IC3/PDR: A Different Way to Prove Safety

Classical model checking (NuSMV's BDD approach) works by computing the set of states reachable from the initial states and checking whether any reachable state violates the safety property. This works well when the reachable set is small enough to represent as a BDD. But for software systems — with counters, timers, or memory — the reachable set may be infinite.

IC3 (Incremental Construction of Inductive Clauses, Aaron Bradley, FMCAD 2011) sidesteps the reachability computation entirely. Instead of asking "what states are reachable?", IC3 asks: "can I find an inductive invariant that implies the property?"

An inductive invariant I is a formula over system variables satisfying three conditions:

  1. Initiation: I holds in every initial state — Init ⇒ I
  2. Consecution: if I holds now and the system takes one step, I holds next — (I ∧ T) ⇒ I'
  3. Safety: I implies the property — I ⇒ P

If such an I exists, the property P holds in every reachable state, for executions of every length — not just up to a bounded depth, which is all that SAT-based Bounded Model Checking checks. IC3 searches for I incrementally, using a SAT solver to block counterexample-to-induction (CTI) states and to generalise the blocking clauses into stronger inductive strengthenings.

-- nuXmv: counter with overflow invariant
-- Proves: AG (counter <= MAX) under all transitions
-- (the top-level module must be called main for nuXmv to load the file)
MODULE main
  VAR
    counter : 0..255;
  DEFINE
    MAX := 200;
  ASSIGN
    init(counter) := 0;
    next(counter) :=
      case
        counter < MAX : counter + 1;
        TRUE          : counter;  -- saturates at MAX
      esac;
  SPEC AG (counter <= MAX)
-- IC3 finds the inductive invariant: counter >= 0 & counter <= MAX
-- Proved in milliseconds for bounded integers via SAT
-- For unbounded integers: MathSAT5 LIA takes over
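To make the three conditions concrete, here is an added Python check (not nuXmv or FBK code) that enumerates the 256 states of the counter model above and tests initiation, consecution and safety for a candidate invariant, reporting the counterexample-to-induction (CTI) when consecution fails. nuXmv does the same symbolically with a SAT solver; the explicit enumeration only serves to make each condition visible.

```python
# Added example (not nuXmv/FBK code): explicit-state check of the three
# inductive-invariant conditions on the page's saturating counter model.
# IC3 performs these checks symbolically with a SAT solver; enumerating the
# 256 states makes each condition, and a CTI, directly visible.
from typing import Callable, Dict, Optional

MAX = 200
STATES = range(256)                 # counter : 0..255

def init(c: int) -> bool:           # init(counter) := 0
    return c == 0

def step(c: int) -> int:            # next(counter): count up, saturate at MAX
    return c + 1 if c < MAX else c

def prop(c: int) -> bool:           # SPEC AG (counter <= MAX)
    return c <= MAX

def check_inductive(inv: Callable[[int], bool]) -> Dict[str, object]:
    """Test Init => I, (I & T) => I', I => P for candidate invariant `inv`.
    'cti' is the first state satisfying I whose successor does not (None if inductive)."""
    initiation = all(inv(s) for s in STATES if init(s))
    safety = all(prop(s) for s in STATES if inv(s))
    cti: Optional[int] = next((s for s in STATES if inv(s) and not inv(step(s))), None)
    return {"initiation": initiation, "consecution": cti is None,
            "safety": safety, "cti": cti}

# The invariant IC3 reports for this model: 0 <= counter <= MAX. All three hold,
# which is why the proof needs no further strengthening.
ic3_invariant = lambda c: 0 <= c <= MAX
# 'counter < MAX' holds initially and implies P, but is not inductive:
# 199 satisfies it and steps to 200, which does not. 199 is a CTI.
not_inductive = lambda c: c < MAX
# 'counter <= 250' is inductive (saturation keeps it) but does not imply P,
# so it proves nothing about the property.
not_safe = lambda c: c <= 250

if __name__ == "__main__":
    for name, inv in [("0 <= counter <= MAX", ic3_invariant),
                      ("counter < MAX", not_inductive),
                      ("counter <= 250", not_safe)]:
        print(f"{name:20s} {check_inductive(inv)}")
```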

IC3/PDR (Bradley's 2011 name; the "PDR" variant by Hoder and Bjørner at Microsoft Research) became the dominant technique in hardware verification within two years of its publication. nuXmv brought it to software — the first publicly available model checker to implement IC3 for both finite-state and, via MathSAT5, infinite-state systems.

MathSAT5: SMT Verification from the Same EU Lab

MathSAT5 is an SMT solver developed at FBK Trento by Alberto Griggio 🇮🇹, Alessandro Cimatti 🇮🇹, Sergio Mover 🇮🇹, and colleagues. MathSAT5 supports the following theories:

| Theory | What it models | Example use |
|---|---|---|
| LIA (Linear Integer Arithmetic) | Unbounded integers, counters, array indices | Software loop counters, protocol sequence numbers |
| LRA (Linear Real Arithmetic) | Real-valued variables, continuous dynamics | Sensor readings, control system states |
| Bit-vectors | Fixed-width integers with overflow semantics | Embedded C code, hardware register logic |
| Arrays | Read/write over indexed collections | Memory models, data structures |
| Uninterpreted functions | Abstracted function behaviour | Cryptographic primitives, external APIs |
| Combination (Nelson-Oppen) | Mixed-theory formulae | Software that combines integers + arrays + functions |

When nuXmv encounters an SMV model with integer variables (not just bounded enumerated types), it invokes MathSAT5 as the theory-reasoning backend. IC3/PDR coordinates the high-level search; MathSAT5 solves the individual satisfiability queries over the chosen theory. The combination is called IC3 modulo theories โ€” IC3ia in the nuXmv literature.

# Install nuXmv (binary release, FBK Trento)
wget https://nuxmv.fbk.eu/downloads/nuXmv-2.0.0-linux64.tar.gz
tar xzf nuXmv-2.0.0-linux64.tar.gz
export PATH=$PWD/nuXmv-2.0.0/bin:$PATH

# Smoke-test the binary: start the interactive shell and quit immediately
nuXmv -int <<< "quit"

# Run IC3 on a finite-state system (SAT backend)
nuXmv -int <<EOF
read_model -i mutual_exclusion.smv
flatten_hierarchy
encode_variables
build_boolean_model
check_property -i -e ic3
EOF

# Run IC3ia on an infinite-state system (MathSAT5 LIA backend)
nuXmv -int <<EOF
read_model -i counter_unbounded.smv
flatten_hierarchy
go_msat
check_property
EOF

The NuSMV → nuXmv Migration Path

nuXmv is designed as a drop-in extension of NuSMV. Existing .smv models run unchanged; nuXmv adds new engines on top of the established NuSMV pipeline.

| Feature | NuSMV | nuXmv |
|---|---|---|
| BDD-based CTL model checking | ✅ | ✅ |
| SAT-based BMC (bounded) | ✅ | ✅ |
| IC3/PDR (unbounded, SAT) | ❌ | ✅ |
| IC3ia (unbounded, SMT) | ❌ | ✅ |
| Infinite-state (integers, reals) | ❌ | ✅ |
| Simulink model import | ❌ | ✅ |
| MathSAT5 as SMT backend | ❌ | ✅ (built-in) |
| SMV language compatibility | ✅ | ✅ (full superset) |
| Open-source license | LGPL | Free academic use |

-- nuXmv: infinite-state system — temperature controller
-- Variable temp : integer (unbounded) — impossible in NuSMV
-- Proves: INVARSPEC (temp < COLD_LIMIT -> heater_on)
MODULE main
  VAR
    temp      : integer;
    heater_on : boolean;
  DEFINE
    COLD_LIMIT := 15;
    HOT_LIMIT  := 25;
  ASSIGN
    init(temp)      := 20;
    init(heater_on) := FALSE;
    -- The controller switches on the temperature reached in this step.
    -- Guarding on the current temp instead lags one step and makes
    -- (temp = 14, heater_on = FALSE) reachable, which refutes the invariant.
    next(heater_on) :=
      case
        next(temp) < COLD_LIMIT : TRUE;
        next(temp) > HOT_LIMIT  : FALSE;
        TRUE                    : heater_on;
      esac;
    next(temp) :=
      case
        heater_on : temp + 1;
        TRUE      : temp - 1;
      esac;
-- IC3ia (LIA) proves this invariant in seconds for unbounded integers
INVARSPEC (temp < COLD_LIMIT -> heater_on = TRUE)

Industrial Applications: Automotive and Safety-Critical Systems

Toyota Prius Brake-by-Wire Verification

Toyota's hybrid vehicle control systems — including brake-by-wire in the Prius — are formally verified using model checking. The verification challenge: prove that under all possible sensor input sequences (including faulty sensors), the brake actuator responds within specification and the vehicle never enters an unsafe state. These systems have integer-valued timing counters (millisecond timestamps), real-valued force measurements, and control logic that spans hundreds of states — exactly the infinite-state territory where nuXmv's SMT backend is required.

FBK Trento published joint work with Toyota Research Institute Europe (Toyota Motor Europe's research division, based in Brussels 🇧🇪) on verifying powertrain control specifications using nuXmv.

Siemens PLC Verification (IEC 61508 SIL 3/4)

Siemens uses NuSMV and nuXmv for Safety Integrity Level 3 and 4 verification of programmable logic controllers. PLCs that control industrial processes (turbines, compressors, emergency shutdowns) must prove absence of forbidden states. The CTL/LTL specifications map directly to IEC 61508 safety requirements:

-- PLC safety property: emergency shutdown is always reachable
-- AG EF shutdown = "From any state, there exists a path to shutdown"
SPEC AG EF (system.state = emergency_shutdown)

-- Bounded response: when a fault is detected, the alarm is active within 100 ms
-- (100 ms modelled as 10 discrete steps at a 10 ms tick). INVARSPEC admits no
-- temporal operators, so this is a CTL SPEC using nuXmv's bounded "ABF m..n"
-- ("on all paths, within m..n steps").
SPEC AG (fault_detected -> ABF 0..10 alarm_active)

Bosch AUTOSAR Component Verification (ISO 26262 ASIL D)

Bosch verifies AUTOSAR software components — the standardised automotive software architecture — using formal methods for ASIL D (Automotive Safety Integrity Level D, the highest). nuXmv's Simulink import capability allows direct verification of MATLAB/Simulink models (the modelling tool of choice in automotive), without requiring translation through an intermediate format.

Deploying nuXmv Workloads to EU Infrastructure

nuXmv verification runs are computationally intensive — IC3 iterations can take hours on complex industrial models. Parallel verification campaigns (different properties, different abstraction settings) benefit directly from cloud compute on EU infrastructure.

# nuXmv on sota.io — EU infrastructure, GDPR-compliant
FROM ubuntu:24.04
# ca-certificates is required for the HTTPS download from nuxmv.fbk.eu
RUN apt-get update \
    && apt-get install -y --no-install-recommends wget tar ca-certificates \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /opt/nuxmv
RUN wget -q https://nuxmv.fbk.eu/downloads/nuXmv-2.0.0-linux64.tar.gz \
    && tar xzf nuXmv-2.0.0-linux64.tar.gz \
    && rm nuXmv-2.0.0-linux64.tar.gz
ENV PATH="/opt/nuxmv/nuXmv-2.0.0/bin:$PATH"

WORKDIR /workspace
COPY models/ ./models/
COPY scripts/ ./scripts/

# Parallel IC3 campaign: verify all properties in models/
CMD ["bash", "scripts/verify_all.sh"]

#!/bin/bash
# scripts/verify_all.sh — parallel nuXmv campaign: one IC3ia job per model,
# each writing its own log so results can be inspected per property
mkdir -p results
for model in models/*.smv; do
    property=$(basename "$model" .smv)
    nuXmv -int > "results/$property.log" 2>&1 <<EOF &
read_model -i $model
flatten_hierarchy
go_msat
check_property
EOF
done
wait
echo "All verification jobs complete (logs in results/)"

# GitHub Actions: nuXmv verification in CI
# Runs on every commit — proves safety properties automatically
name: nuXmv Safety Verification
on: [push, pull_request]
jobs:
  verify:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - name: Install nuXmv
        run: |
          wget -q https://nuxmv.fbk.eu/downloads/nuXmv-2.0.0-linux64.tar.gz
          tar xzf nuXmv-2.0.0-linux64.tar.gz
          echo "$PWD/nuXmv-2.0.0/bin" >> "$GITHUB_PATH"
      - name: Verify safety properties
        run: |
          mkdir -p results
          for model in models/*.smv; do
            echo "Verifying: $model"
            log="results/$(basename "$model").log"
            nuXmv "$model" | tee "$log"
            # a log that proves one property but refutes another must still fail the job
            if grep -q "is false" "$log" || ! grep -q "is true" "$log"; then
              exit 1
            fi
          done
      - name: Upload verification artefacts
        uses: actions/upload-artifact@v4
        with:
          name: nuXmv-verification-results
          path: results/
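Grepping a log for "is true" passes a run in which one property was proved and another refuted. As an added example (not part of the workflow above or of the nuXmv project), this Python helper parses nuXmv batch output per property and reports every refuted or missing verdict; the sample log is constructed in the shape of nuXmv's "-- specification ... is true/false" and "-- invariant ... is true/false" lines.

```python
# Added example (not nuXmv/FBK code): per-property verdict parsing for nuXmv
# batch logs, so a CI job fails on any refuted or missing property instead of
# relying on a single grep for "is true".
import re
from typing import Dict, List, Optional

# nuXmv prints one verdict line per SPEC / INVARSPEC in batch mode
RESULT_RE = re.compile(r"^-- (?:specification|invariant)\s+(.*?)\s+is (true|false)\s*$")

def parse_results(log: str) -> Dict[str, bool]:
    """Map each property text to its verdict; raise if the log has none."""
    results: Dict[str, bool] = {}
    for line in log.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results[m.group(1)] = (m.group(2) == "true")
    if not results:
        raise ValueError("no property verdicts found (did nuXmv fail to load the model?)")
    return results

def failed_properties(log: str, expected: Optional[int] = None) -> List[str]:
    """Refuted properties, plus a marker if fewer verdicts than expected appear."""
    results = parse_results(log)
    failed = [p for p, ok in results.items() if not ok]
    if expected is not None and len(results) != expected:
        failed.append(f"<expected {expected} verdicts, got {len(results)}>")
    return failed

# Constructed sample log: grep -q "is true" would pass it, yet one property is false.
SAMPLE_LOG = """\
*** This is nuXmv 2.0.0
-- specification AG counter <= MAX  is true
-- invariant (temp < COLD_LIMIT -> heater_on = TRUE)  is false
-- as demonstrated by the following execution sequence
Trace Type: Counterexample
  -> State: 1.1 <-
    temp = 20
    heater_on = FALSE
"""

if __name__ == "__main__":
    import sys
    bad = failed_properties(SAMPLE_LOG, expected=2)
    print("FAILED:" if bad else "all properties proved", bad)
    sys.exit(1 if bad else 0)
```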

EU Provenance: FBK Trento as a Complete EU Verification Stack

FBK Trento's contribution to formal verification is unique in the EU ecosystem:

| Tool | Role | Institution | Status |
|---|---|---|---|
| NuSMV | BDD + SAT model checker | FBK Trento 🇮🇹 | LGPL open source |
| nuXmv | IC3/PDR + SMT model checker | FBK Trento 🇮🇹 | Free academic use |
| MathSAT5 | SMT solver (LIA/LRA/BV/Arrays) | FBK Trento 🇮🇹 | Free academic use |
| nuSMV-OCRA | Contract-based design extension | FBK Trento 🇮🇹 + TOOOL 🇮🇹 | Research |
| IC3ia | IC3 modulo theories | FBK Trento 🇮🇹 | Integrated in nuXmv |

FBK Trento (Fondazione Bruno Kessler) is funded by the Trentino Autonomous Province and the Italian Ministry of Research (MIUR). It is a publicly accountable Italian institution under Italian and EU law — subject to GDPR, not subject to the US CLOUD Act, and not subject to ITAR export controls on civilian software tools.

The Alessandro Cimatti group at FBK Trento has been working on model checking since the late 1990s. The nuXmv team includes Roberto Cavada 🇮🇹, Alberto Griggio 🇮🇹, Michele Dorigatti 🇮🇹, Alessandro Mariotti 🇮🇹, Andrea Micheli 🇮🇹, Sergio Mover 🇮🇹, Marco Roveri 🇮🇹, Stefano Tonetta 🇮🇹 — the most concentrated Italian formal methods group in EU research.

CRA 2027, NIS2, EU AI Act

CRA 2027 (Cyber Resilience Act) Article 13: Products with digital elements must undergo systematic security testing before CE marking. nuXmv IC3 proofs constitute mathematical evidence — not probabilistic, not sampling-based — that safety and security properties hold for all possible inputs. For CRA compliance, nuXmv verification artefacts (model + property + proof trace) provide stronger evidence than any test suite.

NIS2 Article 21(2)(d): Essential entities must implement "appropriate and proportionate technical and organisational measures" for network security. Formal verification of network protocol state machines — absence of deadlock, guaranteed progress, secure state transitions — directly satisfies this obligation. nuXmv CTL/LTL specifications map NIS2 requirements to machine-checkable formulae.

EU AI Act Article 9(2)(e): High-risk AI systems require demonstration of "appropriate testing procedures to ensure the performance of the AI system." IC3ia proofs of AI decision logic invariants — "the classifier output is always within bounds", "the recommendation system never accesses unauthorised data categories" — constitute the strongest possible form of systematic testing evidence.

GDPR Article 25 (Privacy by Design): nuXmv can verify data lifecycle invariants over infinite-state systems: "personal data is always deleted after MAX_RETENTION days", expressed as an LTL formula over integer-valued time counters. Running verification on EU infrastructure keeps both the model (which may contain GDPR-sensitive data schemas) and the proofs under EU jurisdiction.

Deploying to sota.io

sota.io is an EU-native Platform-as-a-Service on German infrastructure — GDPR-compliant by default, with managed PostgreSQL, private networking, and zero DevOps overhead. Deploying nuXmv verification workloads to sota.io keeps the entire formal verification pipeline — models, properties, proof artefacts, verification logs — within EU jurisdiction.

# Deploy nuXmv verification service to sota.io
sota deploy --name nuxmv-verifier \
  --dockerfile ./Dockerfile \
  --env NUXMV_TIMEOUT=3600 \
  --env NUXMV_PARALLEL_JOBS=4

# Stream verification logs
sota logs --service nuxmv-verifier --follow

# Scale for large verification campaigns (IC3 is embarrassingly parallel per property)
sota scale --service nuxmv-verifier --replicas 8

The free tier covers development and small property campaigns. Scale horizontally for production-grade parallel IC3 verification.


nuXmv: "nuXmv: A New Symbolic Model Checker", Roberto Cavada, Alessandro Cimatti, Michele Dorigatti, Alberto Griggio, Alessandro Mariotti, Andrea Micheli, Sergio Mover, Marco Roveri, Stefano Tonetta. CAV 2014, LNCS 8559. FBK Trento 🇮🇹. Free for academic use: nuxmv.fbk.eu. MathSAT5: mathsat.fbk.eu.