sota.io
2026-04-05·11 min read·sota.io team

Deploy Rebeca to Europe — Marjan Sirjani 🇸🇪 (Mälardalen University → Reykjavik University 🇮🇸), the Actor-Based Reactive Objects Language for Formally Verified Concurrent Systems, on EU Infrastructure in 2026

Concurrent software is hard to reason about because shared mutable state creates an exponential space of possible thread interleavings. Traditional process algebras — CSP, CCS, mCRL2 — model concurrency at a low level: explicit processes, channels, synchronisation steps. They are powerful but verbose. Writing a 50-component distributed system in CCS requires painstaking encoding of every protocol step.

In 1999, Marjan Sirjani — then at the Institute for Research in Fundamental Sciences (IPM) in Tehran, later Professor at Reykjavik University 🇮🇸 and Mälardalen University 🇸🇪 — proposed a different approach: start not from processes and channels, but from actors. The actor model, introduced by Carl Hewitt at MIT in 1973, describes computation as a population of autonomous entities — each with private state, each communicating only through asynchronous message passing, each processing exactly one message at a time. No shared memory. No blocking synchronisation. No locks.

Sirjani's insight was that the actor model's structural constraints — private state, finite mailboxes, asynchronous single-threaded dispatch — are not just a programming convenience but a formal specification discipline that makes model checking decidable for a practically important class of systems. The result was Rebeca (Reactive Objects Language), published formally at the Workshop on Foundations of Software Engineering in 2001 and developed through a decade of EU-funded research at Reykjavik University and Mälardalen University's MDART (Mälardalen Real-Time Research Centre) in Västerås, Sweden.

The Actor Model: Formal Foundations

The actor model defines three primitives. An actor can, in response to a message: send a finite number of messages to known actors, create a finite number of new actors, and designate a new behaviour for the next message it receives. These three primitives, combined with the constraint that message delivery is eventually guaranteed but order between different senders is not, define a Turing-complete computational model.

Rebeca translates these primitives into a class-based syntax designed for engineers, not logicians:

reactiveclass Counter(3) {        // mailbox capacity: 3
    knownrebecs { }               // no known actors
    statevars {
        int value;
        boolean busy;
    }

    Counter() {                   // constructor
        value = 0;
        busy = false;
    }

    msgsrv increment() {          // message server (handler)
        value = value + 1;
    }

    msgsrv reset() {
        value = 0;
    }

    msgsrv get(int expected) {    // check invariant
        assert(value == expected);
    }
}

reactiveclass Controller(5) {
    knownrebecs {
        Counter c1, c2;
    }
    statevars {
        int step;
    }

    Controller() {
        step = 0;
        c1.increment();
        c2.increment();
    }

    msgsrv done() {
        step = step + 1;
        if (step < 10) {
            c1.increment();
            c2.increment();
        } else {
            c1.get(10);
            c2.get(10);
        }
    }
}

main {
    Counter c1(  ):(  );    // instance name, known actors, init params
    Counter c2(  ):(  );
    Controller ctrl(c1, c2):(  );
}

The msgsrv keyword — message server — is Rebeca's central construct. Each msgsrv is an atomic handler: it runs to completion before the next message in the mailbox is dispatched. This run-to-completion semantics eliminates re-entrancy bugs and makes the interleaving structure of a Rebeca program a well-defined labelled transition system: one global state = tuple of actor states + mailbox contents, one transition = one actor processes one message.

Why Actor Semantics Enable Formal Verification

The key property that makes Rebeca amenable to model checking is bounded asynchrony. Each reactiveclass declaration specifies a mailbox capacity. Combined with a bounded number of actor instances (declared in main), the total state space of the system is finite. The model checker can enumerate all possible interleavings — all possible orderings in which actors pick messages from their mailboxes — and verify temporal logic properties over this state space.

Compare this with threads-and-shared-memory: verifying a 10-thread program with shared memory requires reasoning about arbitrary interleaving of arbitrary memory accesses. The state space is the product of all thread stacks and the shared heap — combinatorially explosive and undecidable in general. Rebeca's actor model replaces this with the product of actor local states and finite mailboxes — still exponential, but finite and enumerable.

Symmetry reduction makes Rebeca model checking practical for industrial systems. When multiple actors are instances of the same reactiveclass and play symmetric roles in the protocol, their state spaces can be collapsed into equivalence classes. A 10-server, 10-client distributed system need not explore 20! interleaving orderings — symmetric actor configurations reduce to a fraction of the full state space. The Afra IDE implements symmetry reduction automatically, reading the main block to identify symmetric actor groups.

Timed Rebeca: Real-Time Formal Modeling

Standard Rebeca models logical concurrency — who-acts-before-whom — but not physical time. For embedded systems, real-time constraints are the essence of correctness: a control loop must respond within 5 milliseconds, a watchdog must fire before the hardware timeout, a communication protocol must deliver a message within a deadline.

Timed Rebeca, introduced in 2012 by Sirjani and colleagues at Reykjavik University, extends Rebeca with two timing primitives:

reactiveclass Sensor(2) {
    knownrebecs { Controller ctrl; }
    statevars { int reading; }

    msgsrv sample() {
        reading = readHardware();
        ctrl.report(reading);
        delay(5);            // execution takes 5 time units
        self.sample() after(10);  // reschedule sampling 10 units from now
    }
}

reactiveclass Controller(4) {
    knownrebecs { Actuator act; }

    msgsrv report(int v) {
        if (v > THRESHOLD) {
            act.brake() after(2);   // send with 2-unit delay
        }
    }
}

The delay(t) annotation specifies execution time — how long a message handler takes to process. The after(t) annotation specifies message delivery delay — when a sent message will arrive in the recipient's mailbox. Together, they allow modeling of compute time, communication latency, hardware response time, and scheduling jitter.

Timed Rebeca's semantics uses dense time (real-valued clocks), but the model checker exploits a region-based abstraction — identical to the zones and difference bound matrices used in timed automata (UPPAAL). The key insight is that for Timed Rebeca models with bounded clocks, the reachable zone graph is finite, making decidable model checking of TCTL (Timed CTL) and timed reachability properties achievable.

TRebeca, the Timed Rebeca model checker within Afra, verifies:

Afra: The Rebeca Verification IDE

Afra is the integrated development environment for Rebeca, developed at Reykjavik University and maintained by Sirjani's research group. It provides a graphical model editor, simulation engine, and model checking integration in a single Eclipse-based tool.

Afra's model checking pipeline translates Rebeca/Timed Rebeca models into mCRL2 for LTL verification, leveraging the TU Eindhoven 🇳🇱 process algebra toolset's powerful verification backend. This gives Afra access to mCRL2's BDD-based symbolic model checking, partial-order reduction, and counterexample generation — all implemented in EU-native software maintained by the Eindhoven Formal Methods group.

Rebeca model
     │
     ▼ Afra translator
mCRL2 process specification
     │
     ▼ mCRL2 lps2lts
Labelled Transition System (LTS)
     │
     ▼ mCRL2 lts2pbes
Parameterised Boolean Equation System (PBES)
     │
     ▼ mCRL2 pbessolve / pbessolvesymbolic
Verification result: TRUE / FALSE + counterexample

For probabilistic systems — wireless protocols with packet loss, randomised algorithms, stochastic schedulers — Afra supports Probabilistic Rebeca verification via a translation to PRISM (University of Birmingham 🇬🇧) or Storm (RWTH Aachen 🇩🇪), enabling PCTL (Probabilistic CTL) and steady-state analysis of actor systems.

EU Research Lineage: Mälardalen and Reykjavik

Rebeca's development has been driven by two European research institutions that make it a 100% EU-originated tool:

Mälardalen University 🇸🇪 in Västerås, Sweden hosts the MDART (Mälardalen Real-Time Research Centre) — Sweden's leading embedded systems research group. MDART produced WCET analysis (Worst-Case Execution Time, tools: aiT from AbsInt DE, Chronos from NUS), component-based embedded software (ProCom), and real-time middleware for automotive and avionics. Sirjani joined Mälardalen in 2016, embedding Rebeca directly in the real-time embedded systems engineering context where it has maximum industrial impact.

Reykjavik University 🇮🇸 (Iceland, EEA) hosted the Software Engineering Laboratory where Timed Rebeca, Probabilistic Rebeca, and Hybrid Rebeca were developed under EU Horizon and Icelandic Research Fund grants. Iceland's EEA membership gives Reykjavik University full access to EU Horizon Europe funding and EU-EFTA research collaboration, while maintaining complete GDPR alignment and no US Cloud Act exposure.

EU funding: Rebeca's development has been supported by Vetenskapsrådet (Swedish Research Council), Icelandic Research Fund, and EU Horizon projects including DESTINE (Dependable Software Tight-loop Innovation for Network Edge systems) — a €3.2M Horizon Europe project for actor-based formal modeling of edge computing infrastructure. The Mälardalen MDART group also participates in ECSEL JU (Electronic Components and Systems for European Leadership), funding automotive-grade Rebeca applications under ISO 26262.

Rebeca and the Actor Model Ecosystem

Rebeca sits at the intersection of formal methods and modern distributed programming paradigms. The actor model — Rebeca's computational foundation — is the design model underlying Erlang/OTP (Ericsson 🇸🇪, 1987), the Go concurrency model (goroutines + channels), Akka (Lightbend, Scala/Java), and Microsoft Orleans (.NET virtual actors). Formally verifying actor-based systems in Rebeca gives direct assurance about properties of software written in these frameworks:

Erlang/OTP 🇸🇪 (Ericsson): Erlang processes are actors. A Rebeca model of an OTP supervision tree — supervisor, gen_server, gen_fsm processes communicating via ! message send — directly captures the fault-tolerance protocol. Afra verification confirms that the supervision restart strategy maintains the safety invariant even under specified failure patterns.

ABS (Abstract Behavioral Specification): Developed jointly by University of Oslo 🇳🇴, University of Kaiserslautern-Landau 🇩🇪, CWI Amsterdam 🇳🇱, and Chalmers University 🇸🇪 — ABS is a closely related EU-native actor-based formal modeling language with deductive verification (KeY ABS) and resource analysis. The ABS/Rebeca cluster represents EU-native actor formal methods with no US intellectual provenance.

Regulatory Compliance Angles

ISO 26262 ASIL D (automotive functional safety): Automotive electronic control units — engine management, brake-by-wire, ADAS perception pipelines — implement reactive concurrent software responding to sensor events. Timed Rebeca models capture the timing constraints (CAN bus latency, sensor sampling periods, actuator response deadlines) and the Afra model checker verifies ASIL D safety requirements: absence of deadlock in the control loop, bounded response time from sensor event to actuator command, absence of priority inversion. EU OEMs — Volvo Cars 🇸🇪, Stellantis FR/IT, BMW DE, Volkswagen DE — all operate under ISO 26262 and EU UNECE WP.29/ALKS regulation for automated lane keeping.

IEC 62304 Class C (medical device software): Multi-threaded medical device control — infusion pump state machines, patient monitoring alert propagation, diagnostic imaging acquisition — can be modeled as Rebeca actor systems where each device subsystem is a reactive object responding to sensor messages. IEC 62304 Class C requires documented systematic verification; Afra counterexample output serves as evidence for the safety case.

NIS2 Art. 21 (network and information security): Concurrent network protocol state machines — TLS session negotiation, BGP route update processing, SNMP agent handlers — are natural Rebeca models. Actor semantics ensures no shared state between protocol handlers; Afra LTL verification checks protocol properties (authentication, session integrity, absence of confused deputy) required under NIS2 for critical infrastructure operators.

EU AI Act Art. 9 (high-risk AI risk management): Concurrent AI inference services built on actor frameworks (Akka, Erlang) for distributed ML inference can be modeled in Rebeca to verify absence of deadlock, bounded inference latency, and correct concurrent model parameter access. For high-risk AI systems under EU AI Act Annex III — autonomous vehicles, medical diagnosis, infrastructure management — machine-checked absence of concurrency bugs provides auditable evidence under Art. 9(1)(b) systematic risk management.

IEC 61508 SIL 3/4 (functional safety of E/E/PE systems): Industrial control systems — PLC networks, SCADA distributed control, safety instrumented systems — implement reactive distributed architectures. Rebeca models of PLC message passing protocols enable IEC 61508 SIL 3/4 formal verification evidence.

Deploy Rebeca on sota.io — EU-Native Infrastructure

Rebeca is developed entirely within the European Economic Area — Mälardalen University 🇸🇪, Reykjavik University 🇮🇸, CWI Amsterdam 🇳🇱, TU Eindhoven 🇳🇱 (mCRL2 backend) — funded by Vetenskapsrådet, Icelandic Research Fund, and EU Horizon Europe. Running Rebeca on European infrastructure preserves the EU intellectual and legal provenance of verification results: no US Cloud Act exposure, no GDPR Art. 46 transfer restrictions, no third-country jurisdiction over formal verification evidence used in EU certification processes.

Deploy to sota.io — EU-native PaaS, GDPR-compliant, free tier →

sota.io runs on German infrastructure 🇩🇪 — Deutsche Telekom backbone, Frankfurt data centers, GDPR Art. 25 privacy by design. Managed PostgreSQL 17 for storing Rebeca model verification results, counterexample traces, and timing analysis reports. Zero DevOps: push your Dockerfile, get a running Rebeca/Afra verification service in minutes.

FROM eclipse-temurin:17-jdk-jammy

# Install Afra dependencies: mCRL2, Java
RUN apt-get update && apt-get install -y \
    mcrl2 \
    wget \
    && rm -rf /var/lib/apt/lists/*

# Download Afra IDE (headless verification mode)
RUN wget -q https://github.com/rebeca-lang/rebeca-lang.github.io/raw/main/assets/afra/Afra-headless.jar \
    -O /opt/afra-headless.jar

WORKDIR /workspace

COPY models/ ./models/

# Run Rebeca model checking in headless mode
CMD ["java", "-jar", "/opt/afra-headless.jar", \
     "--model", "models/system.rebeca", \
     "--formula", "models/properties.mcf", \
     "--output", "results/report.json"]

See Also