Upload & Verify

Upload your code. Declare your target. Prove.

Point VeriForm at any C or Rust file and state what must hold. The agent synthesizes contracts against your goal; the Frama-C kernel discharges every proof obligation — machine-checked, returned as a green diff above each function.

veriform · buffer_copy.c · fn 1/4

Frama-C · WP · Alt-Ergo

0/9 proved

#include <string.h>

#include <stdint.h>

#include <stdlib.h>

// memory-safe primitives — auto-verified

void safe_copy(char *dst, const char *src, size_t n) {

for (size_t i = 0; i < n; i++) dst[i] = src[i];

}

int validate_range(const int *arr, size_t len, int lo, int hi) {

for (size_t i = 0; i < len; i++)

if (arr[i] < lo || arr[i] > hi) return 0;

return 1;

}

int32_t sum_bounded(const int32_t *arr, size_t n) {

int32_t s = 0;

for (size_t i = 0; i < n; i++) s += arr[i];

return s;

}

void bounded_memset(uint8_t *dst, uint8_t c, size_t n) {

for (size_t i = 0; i < n; i++) dst[i] = c;

}

scroll to reveal contracts

Massively Parallel

Thousands of sandboxes.
One verdict.

Every function, every path, every invariant — dispatched across an ephemeral proof fleet. Failures bubble up in milliseconds.

Proofs verified: 12,847,203
Active sandboxes: 4,372
Throughput: 284.1/s
Counter-examples: 148

Idle Running Verified Counter-example (persistent) fleet: us-east-1 · 48×16 shards shown

How it works

A rigorous pipeline. Zero hand-waving.

Every verdict is backed by a proof certificate — no heuristics, no hallucinations, just discharged obligations.

Dispatch VCs to WP plugin, Alt-Ergo, Z3, CVC5 across sandbox fleet.

WP · Alt-Ergo · Z3 · CVC5

Generated 1,847 proof obligations

WP dispatched · 12 provers in parallel

1,812 discharged · 99.2% automatic

Refining 35 residual VCs

Languages

Systems languages, first.

VeriForm speaks ACSL fluently and Creusot-style Rust natively. Other languages coming via the common kernel.

ACSL · Frama-C kernel

C

Supported

Full ACSL contract surface: separation, termination, memory models, and Weakest Precondition proof.

c_contract.c formal

/*@ requires \valid(p) && n > 0;
  @ assigns p[0..n-1];
  @ ensures \forall integer i;
  @   0 <= i < n ==> p[i] == 0;
  @*/
void zero(int *p, size_t n);

Inherent UB · OOB · UAF detection
Jessie + WP backend switchable
MISRA-C 2012 conformance checks

Creusot dialect · Prusti compatible

Rust

Supported

Annotate ownership, lifetimes, and pure predicates. Rust safety meets mechanical proof.

rust_contract.rs formal

#[requires(v.len() > 0)]
#[ensures(result.len() == v.len())]
#[ensures(forall |i: usize|
  i < result.len() - 1
  ==> result[i] <= result[i+1])]
fn sort(v: Vec<i32>) -> Vec<i32>;

Purity + termination inference
Lemma synthesis for generics
Cargo-aware workspace analysis

Coming next: ZigC++AdaSolidityVerilog

About

Formal methods, finally usable.

For forty years formal verification has been the gold standard for correctness — and the exclusive domain of PhDs with infinite patience. VeriForm changes that.

An agent layer drives a proven mechanical kernel (Frama-C + WP + SMT), so you get the assurance of a machine-checked proof without writing a single line of ACSL. Your code stays yours. Our sandbox fleet handles the rest.

Book a demo Request the whitepaper

Frama-C

Mechanical kernel

10,000×

Parallel sandboxes

C · Rust

Languages

99.2%

Auto-discharge rate

<200ms

Median VC latency

SARIF

CI-native output