Upload & Verify

Upload your code. Declare your target. Prove.

Point VeriForm at any C or Rust file and state what must hold. The agent synthesizes contracts against your goal; the Frama-C kernel discharges every proof obligation — machine-checked, returned as a green diff above each function.

veriform · buffer_copy.c
0/9 proved
1
#include <string.h>
2
#include <stdint.h>
3
#include <stdlib.h>
4
 
5
// memory-safe primitives — auto-verified
6
 
14
void safe_copy(char *dst, const char *src, size_t n) {
15
//@ loop invariant 0 <= i <= n;
16
//@ loop invariant \forall integer j; 0 <= j < i ==> dst[j] == \at(src[j],Pre);
17
//@ loop assigns i, dst[0..i-1];
18
//@ loop variant n - i;
19
for (size_t i = 0; i < n; i++) dst[i] = src[i];
20
}
27
int validate_range(const int *arr, size_t len, int lo, int hi) {
28
//@ loop invariant 0 <= i <= len;
29
//@ loop invariant \forall integer j; 0 <= j < i ==> lo <= arr[j] <= hi;
30
//@ loop assigns i;
31
//@ loop variant len - i;
32
for (size_t i = 0; i < len; i++)
33
if (arr[i] < lo || arr[i] > hi) return 0;
34
return 1;
35
}
44
int32_t sum_bounded(const int32_t *arr, size_t n) {
45
int32_t s = 0;
46
//@ loop invariant 0 <= i <= n;
47
//@ loop invariant s == \sum(0, i-1, \lambda integer k; arr[k]);
48
//@ loop invariant 0 <= s <= INT32_MAX;
49
//@ loop assigns i, s;
50
//@ loop variant n - i;
51
for (size_t i = 0; i < n; i++) s += arr[i];
52
return s;
53
}
60
void bounded_memset(uint8_t *dst, uint8_t c, size_t n) {
61
//@ loop invariant 0 <= i <= n;
62
//@ loop invariant \forall integer j; 0 <= j < i ==> dst[j] == c;
63
//@ loop assigns i, dst[0..i-1];
64
//@ loop variant n - i;
65
for (size_t i = 0; i < n; i++) dst[i] = c;
66
}
scroll to reveal contracts

Massively Parallel

Thousands of sandboxes. One verdict.

Every function, every path, every invariant — dispatched across an ephemeral proof fleet. Failures bubble up in milliseconds.

Proofs verified
12,847,203
Active sandboxes
4,372
Throughput
284.1/s
Counter-examples
148
Idle Running Verified Counter-example (persistent)

How it works

A rigorous pipeline. Zero hand-waving.

Every verdict is backed by a proof certificate — no heuristics, no hallucinations, just discharged obligations.

Dispatch VCs to WP plugin, Alt-Ergo, Z3, CVC5 across sandbox fleet.

WP · Alt-Ergo · Z3 · CVC5
Generated 1,847 proof obligations
WP dispatched · 12 provers in parallel
1,812 discharged · 99.2% automatic
Refining 35 residual VCs

Languages

Systems languages, first.

VeriForm speaks ACSL fluently and Creusot-style Rust natively. Other languages coming via the common kernel.

ACSL · Frama-C kernel

C

Supported

Full ACSL contract surface: separation, termination, memory models, and Weakest Precondition proof.

c_contract.c formal
/*@ requires \valid(p + (0..n-1));
  @ assigns p[0..n-1];
  @ ensures \forall integer i;
  @   0 <= i < n ==> p[i] == 0;
  @*/
void zero(int *p, size_t n);
  • Inherent UB · OOB · UAF detection
  • Jessie + WP backend switchable
  • MISRA-C 2012 conformance checks

Creusot dialect · Prusti compatible

Rust

Supported

Annotate ownership, lifetimes, and pure predicates. Rust safety meets mechanical proof.

rust_contract.rs formal
#[ensures(result@.len() == v@.len())]
#[ensures(forall<i: Int>
  0 <= i && i + 1 < result@.len()
  ==> result@[i] <= result@[i + 1])]
fn sort(v: Vec<i32>) -> Vec<i32>;
  • Purity + termination inference
  • Lemma synthesis for generics
  • Cargo-aware workspace analysis
Coming next: ZigC++AdaSolidityVerilog

About

Formal methods, finally usable.

For forty years formal verification has been the gold standard for correctness — and the exclusive domain of PhDs with infinite patience. VeriForm changes that.

An agent layer drives a proven mechanical kernel (Frama-C + WP + SMT), so you get the assurance of a machine-checked proof without writing a single line of ACSL. Your code stays yours. Our sandbox fleet handles the rest.

Book a demo Request the whitepaper
Frama-C
Mechanical kernel
10,000×
Parallel sandboxes
C · Rust
Languages
99.2%
Auto-discharge rate
<200ms
Median VC latency
SARIF
CI-native output