2026-06-23·9 min read·sota.io team

Deploy Why3 to Europe — Jean-Christophe Filliâtre 🇫🇷 + INRIA Saclay (2010), the EU-Native Multi-Prover Deductive Verification Platform Behind Frama-C and SPARK Ada, on EU Infrastructure in 2026

In formal verification, proof obligations do not verify themselves. A formal verifier — whether it is Frama-C's WP plugin proving a C function against its ACSL contract, or SPARK Ada's GNATprove discharging proof obligations for Ada subprograms — must ultimately dispatch logical formulas to automated theorem provers. The question is: which prover, in which format, orchestrated by what infrastructure?

Why3 answers that question. Developed by Jean-Christophe Filliâtre 🇫🇷 and Claude Marché 🇫🇷 at the LRI (Laboratoire de Recherche en Informatique, CNRS UMR 8623, Université Paris-Sud) and INRIA Saclay — Île-de-France — the Toccata research team — Why3 is both a deductive program verification platform and the intermediate verification language (IVL) of choice for EU formal methods toolchains. Its first publication appeared in 2010 under the title "Why3: Shepherd Your Herd of Provers."

Why3 operates at two levels simultaneously. As a verification platform, it accepts programs written in WhyML — a purely functional and mutable imperative language with built-in specification constructs — and reduces them to logical proof obligations. As an IVL, it accepts proof obligations generated by upstream tools (Frama-C, GNATprove, Krakatoa, Jessie) and shepherds them to whichever automated prover can discharge each obligation fastest.

The institutional pedigree is unambiguous: LRI is a joint research unit of CNRS (French National Centre for Scientific Research) and Université Paris-Sud (now Université Paris-Saclay), funded by the French Ministry of Higher Education and Research. INRIA Saclay is a French public research institute. Why3 is 100% EU-origin — no US Cloud Act jurisdiction, no ITAR encumbrance.

WhyML — The Specification and Implementation Language

Why3's input language is WhyML: a first-order functional programming language augmented with mutable references, loops, exceptions, and algebraic data types, unified with a specification sublanguage. WhyML programs are simultaneously implementations (executable after extraction) and specifications (annotated with formal contracts that Why3 verifies).

module BinarySearch
  use int.Int
  use array.Array

  (* Binary search: find element in sorted array *)
  let binary_search (a: array int) (v: int) : int
    requires { forall i j. 0 <= i <= j < length a -> a[i] <= a[j] }  (* sorted *)
    ensures  { result = -1 \/ (0 <= result < length a /\ a[result] = v) }
    ensures  { result = -1 -> forall i. 0 <= i < length a -> a[i] <> v }
  =
    let lo = ref 0 in
    let hi = ref (length a - 1) in
    let result = ref (-1) in
    while !lo <= !hi && !result = -1 do
      invariant { 0 <= !lo /\ !hi < length a }
      invariant { forall i. 0 <= i < !lo -> a[i] < v }
      invariant { forall i. !hi < i < length a -> a[i] > v }
      invariant { !result = -1 \/ a[!result] = v }
      variant   { !hi - !lo }
      let mid = !lo + (!hi - !lo) / 2 in
      if a[mid] = v then result := mid
      else if a[mid] < v then lo := mid + 1
      else hi := mid - 1
    done;
    !result

end

The WhyML specification constructs express:

requires — precondition: what must be true before the function is called
ensures — postcondition: what must be true when the function returns (result is the return value)
invariant — loop invariant: inductive property maintained at every iteration
variant — loop variant: a decreasing expression proving termination
\/ — logical or; -> — logical implication; forall — universal quantification

Why3 reduces the binary search to a set of proof obligations: mathematical formulas that must be true for the code to satisfy its contract. These are dispatched to automated provers. For the binary search above, Why3 typically discharges all obligations in under one second using Alt-Ergo — no human interaction required.

The Multi-Prover Architecture

Why3's central insight is that no single automated prover dominates all obligation types. Integer arithmetic obligations are solved instantly by Alt-Ergo. Array theory obligations may require Z3. Obligations involving complex induction require Isabelle or Coq. The developer should not need to know which prover handles which obligation — Why3's driver system handles the routing.

WhyML program / external verification conditions
              ↓
        Why3 VCgen (verification condition generation)
              ↓
        Proof obligations (first-order logic + theories)
              ↓
    ┌─────────────────────────────────────────────────────┐
    │  Alt-Ergo 🇫🇷 (OCamlPro, Paris)  — EU-native SMT    │
    │  Z3 (Microsoft Research)          — arithmetic heavy │
    │  CVC5 (Stanford/NYU)             — bit-vectors, UF   │
    │  Eprover (TU Munich 🇩🇪)          — pure first-order  │
    │  SPASS (MPI Saarbrücken 🇩🇪)      — first-order logic │
    │  Isabelle/HOL (TU Munich 🇩🇪 + Cambridge 🇬🇧) — complex induction │
    │  Coq/Rocq (INRIA 🇫🇷)            — interactive proof │
    └─────────────────────────────────────────────────────┘
              ↓
    Proof session (why3 session): remembers which prover
    discharged each obligation, enables incremental re-verification

The proof session mechanism is crucial for industrial use: Why3 records which prover discharged each proof obligation in a session file (.why3session). When the program is modified, only changed obligations are re-dispatched. A 10,000-line module that was fully verified does not re-verify unchanged functions — only the delta. This makes iterative development with formal verification practical.

Why3 as the EU Formal Methods Backbone

Why3's significance extends far beyond standalone use. It functions as the intermediate verification language for the two most important EU formal methods toolchains.

Frama-C WP → Why3

Frama-C's WP plugin computes weakest preconditions of C functions annotated with ACSL contracts, then encodes the resulting proof obligations into Why3 format and dispatches them via Why3's prover drivers. The complete EU C verification stack is:

C source with ACSL contracts
         ↓ Frama-C WP plugin (CEA LIST 🇫🇷)
Weakest Precondition computation
         ↓ Why3 encoding
First-order proof obligations
         ↓ Alt-Ergo 🇫🇷 + Z3 + CVC5
         Discharged / Unproved

Every formal proof of a C function at Airbus 🇫🇷, EDF 🇫🇷, or Thales 🇫🇷 that uses Frama-C WP passes through Why3. The three tools — Frama-C (CEA LIST + INRIA), Why3 (LRI + INRIA Saclay), Alt-Ergo (OCamlPro Paris) — form a 100% EU-origin deductive verification stack for C with no US dependency.

SPARK Ada GNATprove → Why3

AdaCore 🇫🇷 (Paris), the French company that develops GNAT and SPARK Ada, uses Why3 as the intermediate verification language for GNATprove — the formal verification backend for SPARK Ada. GNATprove encodes SPARK subprogram contracts and loop invariants as Why3 proof obligations:

Ada source with SPARK contracts
         ↓ GNATprove (AdaCore 🇫🇷 Paris)
SPARK flow analysis + proof generation
         ↓ Why3 encoding
First-order proof obligations
         ↓ Alt-Ergo 🇫🇷 + Z3 + CVC5
         Discharged / Unproved

Why3's role as GNATprove's IVL means that every SPARK Ada proof in Airbus 🇫🇷 A350 DO-178C Level A avionics, EUROCONTROL 🇧🇪 SESAR ATM, and Rolls-Royce FADEC 🇬🇧 passes through Why3 on French public infrastructure. The Why3 team and AdaCore collaborate directly — the Toccata team (INRIA Saclay) and AdaCore's verification team share publications and tool development.

Alt-Ergo — The EU-Native SMT Solver

Why3's primary EU-native prover is Alt-Ergo: an SMT (Satisfiability Modulo Theories) solver developed by Sylvain Conchon 🇫🇷 and Evelyne Contejean 🇫🇷 (LRI Paris-Sud, 2006), now maintained and developed commercially by OCamlPro 🇫🇷 (Paris).

Alt-Ergo supports:

Linear arithmetic over integers and rationals
Uninterpreted functions (congruence closure + Shostak combination)
Array theory (McCarthy arrays, extensional)
Bitvectors (for hardware/AUTOSAR C code)
Algebraic data types
Quantifiers with pattern-based instantiation (E-matching)

Alt-Ergo is optimised for the shapes of proof obligations that arise from C and Ada programs annotated with function contracts — precisely the obligations generated by Frama-C WP and GNATprove. This gives it a structural performance advantage over general-purpose SMT solvers on this specific problem class.

The Alt-Ergo + Why3 combination represents a complete EU-origin deductive verification infrastructure:

LRI / INRIA Saclay (CNRS UMR 8623, Paris-Sud): Why3
OCamlPro (Paris): Alt-Ergo commercial development, Alt-Ergo Pro
No US toolchain dependency for discharging the majority of C/Ada proof obligations

Code Extraction — From WhyML to Production Languages

Why3 programs written in WhyML can be extracted to executable code in multiple target languages. The extraction preserves the algorithmic content while discarding the specification annotations (which have no runtime representation):

# Extract verified WhyML to OCaml
why3 extract -D ocaml64 -o binary_search.ml binary_search.mlw

# Extract to Python
why3 extract -D python -o binary_search.py binary_search.mlw

# Extract to C
why3 extract -D c -o binary_search.c binary_search.mlw

# Extract to Java
why3 extract -D java -o BinarySearch.java binary_search.mlw

This means a developer can write a WhyML algorithm once, prove it correct, then deploy the proven algorithm in the target language. The proof is a certificate: the extracted OCaml/Python/C is correct by construction, not by testing.

The primary extraction target is OCaml: Why3's reference implementation is written in OCaml (itself an INRIA 🇫🇷 language), and the OCaml extraction is the most mature and complete. Extracted OCaml code runs at native speed via the OCaml native compiler and can be deployed as a standard OCaml library or binary.

Deploy Why3 on sota.io

sota.io is the EU-native PaaS. Why3 runs on Linux (amd64/arm64) with standard OCaml runtime dependencies. The tool suite — why3, why3 prove, why3 ide — installs cleanly on Ubuntu 24.04 via apt or OPAM (OCaml package manager):

# Ubuntu/Debian
sudo apt-get install why3 alt-ergo

# OPAM (OCaml ecosystem)
opam install why3 alt-ergo

# Detect available provers
why3 config detect
# Output: Alt-Ergo, Z3 (if installed), CVC5, Isabelle, ...

sota.io deployment — Dockerfile for a Why3 verification service:

FROM sotaio/builder:ubuntu-24.04

# Install Why3 + Alt-Ergo (EU-native SMT solver)
RUN apt-get update && apt-get install -y \
    why3 \
    alt-ergo \
    z3 \
    ocaml \
    && rm -rf /var/lib/apt/lists/*

# Detect installed provers
RUN why3 config detect

WORKDIR /verification
COPY theories/ ./theories/
COPY programs/ ./programs/

# Run Why3 verification suite
RUN why3 prove \
    --prover alt-ergo \
    --timelimit 30 \
    programs/critical_module.mlw

# Run with multiple provers for maximum coverage
RUN why3 prove \
    --prover "alt-ergo,z3,cvc5" \
    --timelimit 30 \
    programs/critical_module.mlw

# Extract verified code to OCaml
RUN why3 extract \
    -D ocaml64 \
    -o extracted/critical_module.ml \
    programs/critical_module.mlw

CMD ["why3", "prove", "--prover", "alt-ergo", "${TARGET:-programs/main.mlw}"]

# Combined Frama-C → Why3 → Alt-Ergo pipeline (sota.io Standard tier)
# Step 1: WP deductive verification via Why3 backend
frama-c -wp \
  -wp-rte \
  -wp-prover why3:alt-ergo,why3:z3 \
  -wp-timeout 30 \
  controller.c

# Step 2: Standalone Why3 verification of WhyML modules
why3 prove \
  --prover alt-ergo \
  --timelimit 30 \
  safety_properties.mlw

# Step 3: Extract verified algorithms to OCaml for deployment
why3 extract \
  -D ocaml64 \
  -o lib/verified_algorithms.ml \
  algorithms.mlw

sota.io free tier (512 MB RAM, 0.5 vCPU) handles Why3 verification of individual WhyML modules with Alt-Ergo for typical proof obligations (arithmetic + array theory) in under 30 seconds. Industrial-scale verification of complete SPARK Ada subsystems or Frama-C-generated obligation sets requires Standard tier (€9/month, 2 GB RAM) or higher for multi-prover sessions with 60-second solver timeouts.