Products / HOL Proof System

Compile-time HOL Proof System

Mathematical proof that your code is correct — before it ever runs. Not testing. Not linting. Proof.

Available Now
Distributed via Cargo
Free & Paid Tiers

The Problem

Testing finds bugs. Code review catches some more. But testing can only cover the inputs you think to try, and review is limited by human attention. In safety-critical, financial, cryptographic, and defense systems, “probably correct” isn’t good enough.

One missed edge case in a medical device, a cryptographic library, or a trading engine can mean patient safety incidents, security breaches, or millions in losses. Traditional development tools leave a gap between “tested” and “proven.”

The Solution

The GDS Compile-time HOL Proof System closes that gap. It uses higher-order logic (HOL) to mathematically prove that your Rust code is correct at compile time. If the code compiles, it is correct — not by assertion, but by mathematical demonstration from foundational axioms. Zero runtime cost. The original code is emitted unchanged.

Testing finds bugs. Proofs eliminate them. Every function annotated with #[proven] has its correctness mathematically verified at compile time. Entire categories of defects — memory safety violations, concurrency errors, logic bugs, security vulnerabilities — are eliminated before the code ever executes.

Who Benefits

Safety-Critical Systems

Aerospace, automotive, medical devices, and industrial control systems where failures can endanger lives. Formal proof replaces expensive certification testing cycles.

Financial Infrastructure

Trading systems, settlement engines, payment processors, and risk engines where a single logic error can mean regulatory penalties or catastrophic financial losses.

Cryptography & Security

Prove cryptographic implementations correct. Verify protocol properties, information flow guarantees, and access control invariants with mathematical certainty.

Operating Systems & Hypervisors

Kernel development, hypervisors, and systems software where a single bug can compromise an entire platform. Verify memory safety, scheduling, and isolation properties.

Defense & Government

Mission-critical systems requiring the highest assurance levels. Formal verification provides evidence that satisfies DO-178C, Common Criteria, and similar standards.

Blockchain & Distributed Systems

Smart contracts, consensus protocols, and distributed algorithms where bugs are irrevocable and every node must agree on correctness.

Quick Start

Add pathways-prove to your Cargo.toml and annotate functions with #[proven]:

# Cargo.toml
[dependencies]
pathways-prove = "0.1"
use pathways_prove::proven;

#[proven(pre = "x: nat, y: nat", post = "result = x + y")]
fn add(x: u64, y: u64) -> u64 {
    x + y
}

The proof runs at compile time. If the code compiles, its correctness has been mathematically verified. Zero runtime cost — the original function is emitted unchanged.

Mathematical Foundations

The proof system is built on a minimal, auditable foundation: 4 axioms, 10 foundational concepts, and 10 primitive inference rules. Every theorem in the library — over 1,400 proofs spanning 77 mathematical domains — is derived from this foundation through legitimate inference alone. After bootstrap, the definition context is permanently sealed. No shortcuts. No unverified assumptions. No back doors.

The 4 Foundational Axioms

After these four axioms are admitted, the entire definition context is permanently sealed. No new axioms, constants, type constructors, or definitions can ever be introduced through any mechanism. There is no unlock. There is no back door. All subsequent mathematics must be derived through inference from these axioms and the 10 primitive rules alone.

Extensionality (ETA)
⊢ (λx. f(x)) = f
A function that applies f to every argument is just f. This establishes that functions are determined entirely by their input-output behavior — two functions that produce the same outputs for every input are equal.
Selection (Choice)
⊢ P(x) ⇒ P(@ P)
If any witness x satisfies a property P, then the Hilbert choice operator @ selects such a witness. This enables classical reasoning and the axiom of choice in one compact statement.
Successor Injectivity
⊢ (SUC(x) = SUC(y)) = (x = y)
Different numbers have different successors. Combined with the next axiom, this establishes that the natural numbers form an infinite, well-ordered sequence — the foundation for all arithmetic.
Successor Non-Zero
⊢ SUC(n) ≠ 0
No natural number’s successor is zero. This prevents circular counting and, together with injectivity, guarantees the natural numbers are infinite, enabling mathematical induction.

The 10 Foundational Concepts

Everything in the proof system — from basic arithmetic to concurrency proofs to cryptographic verification — is constructed from these 10 concepts:

1
Type System Booleans, functions, and the primitive infinite type. The structural foundation that gives meaning to all other terms.
2
Equality The only primitive constant: = : α → α → bool. Every logical connective and all reasoning ultimately flows from equality.
3
Lambda Abstraction Function construction: λx. t creates new functions. The mechanism that makes higher-order logic “higher-order.”
4
Boolean Algebra True, False, AND, OR, IMPLIES, NOT — all defined from equality, not axiomatized. Even logic itself is derived, not assumed.
5
Quantification Universal (∀) and existential (∃) quantifiers, defined in terms of equality and lambda abstraction. Captures logical scope and variable binding.
6
Selection / Choice The Hilbert epsilon operator: given any non-empty set, it selects a member. Enables classical reasoning and constructive witness extraction.
7
Natural Numbers Zero and successor, derived from the primitive infinite type. The Peano axioms emerge as theorems, not assumptions — induction is proven, not postulated.
8
Arithmetic Addition, multiplication, subtraction, comparison, division, modulo, GCD — all defined recursively on natural numbers and proven correct by induction.
9
Primitive Inference 10 inference rules that are the only way to construct theorems. The Rust type system enforces this boundary — there is no back door.
10
Definition Context Conservative extensions for defining new constants, types, and type constructors during bootstrap. Once bootstrap completes, the context is permanently sealed — no new axioms, constants, type constructors, or definitions can ever be introduced. There is no unlock.

The 10 Primitive Inference Rules

Theorems are opaque values — constructable only through these 10 rules. Rust’s module privacy system enforces this boundary at the language level. There is no way to forge a theorem, no escape hatch, no unsafe bypass. If a Thm value exists, it was proven.

REFLt = t — reflexivity of equality
TRANSa = b, b = c ⇒ a = c — transitivity
MK_COMBf = g, x = y ⇒ f(x) = g(y) — congruence
ABSt = u ⇒ (λx. t) = (λx. u) — abstraction
BETA(λx. t)(x) = t — beta reduction
ASSUME{p} ⊢ p — assumption introduction
EQ_MPp = q, p ⇒ q — equality modus ponens
DEDUCTMutual deduction: if p proves q and q proves p, then p = q
INSTSubstitute terms for free variables in theorems
INST_TYPESubstitute types for type variables in theorems

Architecture: Trust by Construction

The proof system enforces correctness through three architectural layers, each of which is load-bearing. Remove any one and the guarantees collapse.

LCF-Style Trusted Kernel
The Thm type is opaque — constructable only through the 10 primitive inference rules. Rust’s module privacy system enforces this at the language level. There is no unsafe bypass, no escape hatch, no way to forge a theorem. If a Thm value exists, it was proven.
Permanent Context Seal
After the foundational bootstrap completes (4 axioms, Peano arithmetic, and all 77 domain theories), the definition context is permanently sealed. Every mutation path is blocked: new_axiom(), define_constant(), register_constant(), and define_type_constructor() all return errors. There is no unlock method. There is no second tier. There is no back door. All subsequent mathematics must be derived purely through the 10 primitive inference rules.
Stack-Safe Queue-Based Bootstrap
The foundation loads 77 theorem domains containing 1,400+ individually proven theorems. Rather than deep call chains that would exhaust the stack, each theory module is dispatched via a flat loop over function pointer queues. Each loader call fully returns — unwinding its stack frames — before the next begins. Stack depth is bounded by the deepest single proof, not by the total number of theories. This architecture is safe on platforms with small default thread stacks (1 MB on Windows).

Available Macros

#[proven]

Verify Rust function pre/postconditions at compile time. Supports trait contracts, generic functions, closures, recursive functions, and full control flow analysis. The core macro for proving function correctness.

asm_proven!

Verify inline assembly register state, clobber sets, flag transitions, cycle bounds, memory layout, and stack balance. Supports x86_64, AArch64, RISC-V, and WebAssembly.

#[invariant]

Verify loop invariants inductively with ghost variables and monotonic predicates. Proves that loop bodies preserve stated invariant conditions across all iterations.

#[hol_spec]

Register an axiomatic specification for trusted external interfaces without verifying the body. Makes contracts available to callers for compositional reasoning.

What You Can Prove

  • Functional Correctness: Functions produce the correct output for all possible inputs, proven by induction, case analysis, and structural reasoning.
  • Memory Safety: No use-after-free, buffer overflows, null dereferences, or dangling pointers — mathematically proven, not just borrow-checked.
  • Heap Verification: Allocation tracking for Box, Vec, and raw allocations. Proves freedom from use-after-free, double-free, and memory leaks across all exit paths.
  • Resource Tracking: File descriptors, MMIO mappings, DMA buffers, and IRQ handlers tracked from acquisition to release. Proves no resource leaks, no use-after-release, and no double-release.
  • Panic Freedom: Proves unreachable panics for unwrap(), expect(), split_at(), remove(), and all library calls with implicit panic conditions. Tracks guard facts and transitive panic risk through call chains.
  • Obligation Tracking: 50 violation classes across 5 phases — arithmetic overflow, cast truncation, division by zero, shift bounds, pointer validity, aliasing, array bounds, lock ordering, information leaks, MIR divergence, and more. Every obligation must be discharged or the build fails.
  • Concurrency Correctness: Freedom from data races, deadlocks, priority inversions, and livelock. Verified mutex semantics, lock-free progress, and memory ordering guarantees.
  • Deadlock Detection: Lock ordering validation, ABBA cycle detection across function boundaries, guard scope enforcement, bare condvar wait detection, and mutex invariant tracking.
  • Taint Analysis: Secret-tainted variable propagation through all operations. Detects secret-dependent branches (timing leaks), secret-dependent memory accesses (cache leaks), and secret-dependent variable-time instructions. Enforces declassification at public boundaries.
  • Security Properties: Information flow non-interference, access control invariants, capability confinement, constant-time execution, and side-channel resistance.
  • Cryptographic Correctness: Hash function collision resistance, signature unforgeability, encryption semantic security, key exchange safety, and protocol composition.
  • Container Proofs: 10 verified container families (bitmap, buffer, deque, heap, list, map, pool, queue, set, tree) with 30+ concrete types, each with formally proven capacity invariants, ordering, and lock-free correctness.
  • Real-time Bounds: Worst-case execution time bounds proven for safety-critical scheduling. Instruction-level cycle counting with architecture-specific latency models.
  • Assembly Verification: Register state, flag transitions, clobber sets, stack balance, and memory effects verified for inline assembly across all supported architectures.
  • Termination: Well-founded recursion and loop termination with formally verified ranking functions and decreasing measures.
  • Ownership & Separation: Linear types, move semantics, heap separation (frame rule), and resource allocation/deallocation correctness.
  • Tactic System: 10+ tactics (conj_tac, disch_tac, gen_tac, spec_tac, case_split_tac, induction_tac, arith_tac, subst_tac, rewrite_once_tac, mp_tac) plus 28 derived inference rules for building proofs compositionally.
  • Term Normalization: Automatic canonicalization, constant folding, commutativity/associativity normalization, and proof-driven rewriting from the theorem library.

Obligation Tracking: 50 Violation Classes

Every #[proven] function generates proof obligations that must be discharged or the build fails. The system tracks 50 distinct violation classes across 5 phases, from arithmetic overflow to MIR divergence. Obligations are classified by severity: hard-reject (build fails), heuristic discharge (auto-provable), and informational (logged for audit).

Phase 1: Structural (Hard-Reject)

Fatal violations that prevent proof construction. No HOL terms are generated.

10GlobalStaticAccessGlobal or static mutation via multi-segment path
11LoopTerminationLoop or recursion missing termination proof
12AssertPanicpanic!(), unreachable!(), assert!(), todo!() reachability
15FloatParamf32 / f64 parameters (allowed via HOL floating_point theory)
16ContradictoryPreconditionsContradictory bound constraints in preconditions
33MissingTerminationMeasureMissing explicit loop variant or recursive decreases measure
34NonDecreasingMeasureVariant or decreases expression not proven to decrease
35OptionUnwrapWithoutProofOption::unwrap() / expect() without proof value is Some
36ResultUnwrapWithoutProofResult::unwrap() / expect() without proof value is Ok
37ImplicitPanicCallWithoutProofLibrary call with implicit panic precondition left unproven
38TransitivePanicRiskCall to function lacking panic-freedom summary
39TraitContractViolationImpl method postcondition diverges from declared trait contract
40MissingTraitContractDynamic dispatch call without declared trait contract

Phase 2: Arithmetic & Memory Safety (Heuristic Discharge)

Auto-dischargeable by the arithmetic solver or precondition analysis.

1ArithOverflowArithmetic overflow or underflow on +, -, *
2CastTruncationNarrowing cast truncation (u64 as u32, etc.)
3DivByZeroDivision or modulo by zero (/ or %)
4ShiftBoundsShift amount exceeds type width (<< or >>)
5SignedParamSigned integer param without non-negativity precondition
6PointerValidityPointer dereference without validity precondition
7AliasingMutTwo &mut params without DISJOINT precondition
8ArrayBoundsArray/vector/matrix/tensor index without bounds proof

Phase 3: Frame & Coverage (Informational)

Informational obligations logged for audit. Always discharged.

9MutableParamFrame&mut [T] param not fully covered by effects clause
13ReturnTypeCoverageOption<T> / Result<T,E> return without full branch coverage

Phase 4: Aliasing, Ownership & Synchronization

Heap safety, resource lifecycle, lock ordering, and ownership tracking.

14ReadAfterWriteWrite to arr[i] then read arr[j], i ≠ j unproven
19UseAfterMoveUse-after-move on tracked non-Copy binding
20UseAfterDropUse-after-drop or use-after-free on tracked binding
21DoubleDropDouble-drop or double-free on tracked binding
22DanglingBorrowBorrow outlives owner or exclusive-borrow conflict
23HeapDoubleFreeHeap region freed more than once
24MemoryLeakHeap allocation reaches exit without free or return
25HeapUseAfterFreeHeap region used after free
28LockOrderViolationAcquire lower-ranked lock while holding higher-ranked
29PotentialDeadlockCycleTwo functions acquire same locks in opposite order (ABBA)
30SyncGuardScopeProtected data or guard state escapes lock scope
31BareCondvarWaitCondition-variable wait outside retry loop
32MissingMutexInvariantMutex-protected mutation without restating invariant

Phase 5: I/O, Hardware & Security

Hardware effects, information flow, taint analysis, and MIR soundness.

17IoMmioWriteMMIO write not covered by effects clause or postcondition
18DmaAliasingDMA-writable range overlaps software buffer without DISJOINT
26InformationLeakSECRET/TOP_SECRET data reaches public sink (logging, network)
27MissingDeclassificationTainted data in public context without explicit declassification
41InsufficientMemoryBarrierInsufficient barrier/acquire/release for target ISA
42UnsafePathViolationExecution path through unsafe block violates safety
43UnsafeExplorationBoundExceededUnsafe explorer exceeded configured bound
44ResourceLeakAcquired resource not released on some exit path
45ResourceUseAfterReleaseResource handle used after release or close
46ResourceDoubleReleaseResource handle released more than once
47SecretDependentBranchControl flow depends on secret-tainted data (timing leak)
48SecretDependentMemoryAccessMemory access on secret-tainted index (cache timing leak)
49SecretDependentVariableTimeInsnVariable-latency instruction (DIV/SQRT) on secret data
50MirDivergenceCompiled MIR diverges from source proof model

Verified Container Library: 10 Families, 30+ Types

The pwos-containers crate provides 10 container families with 30+ concrete types, each with formally proven capacity invariants, ordering properties, and lock-free correctness. All container operations are modeled as HOL terms for compositional reasoning via #[proven].

Buffer

  • RingBuffer — SPSC circular buffer
  • BipBuffer — two-region contiguous writes
  • TraceRing — static ring with slot metadata
  • DynamicRing — heap-allocated dynamic ring

Queue

  • SPSC Queue — single producer, single consumer
  • MPMC RingQueue — multi producer, multi consumer
  • SPSC Priority Queue — priority-ordered SPSC
  • MPMC Priority Queue — priority-ordered MPMC
  • MPSC Queue — multi producer, single consumer
  • SPMC Queue — single producer, multi consumer

Heap

  • BoundedBinaryHeap<T, N> — const-capacity max-heap
  • AllocBinaryHeap<T> — heap-allocated max-heap

List

  • IntrusiveList<T> — zero-alloc doubly-linked
  • LinkedList<T> — heap-allocated doubly-linked

Map

  • BoundedHashMap<K, V, N> — open-addressing, const capacity
  • AllocHashMap<K, V> — dynamic resizing
  • OrderedMap<K, V> — BTree-ordered iteration

Set

  • BoundedHashSet<K, N> — open-addressing, const capacity
  • AllocHashSet<K> — dynamic resizing
  • OrderedSet<K> — BTree-ordered iteration

Deque

  • ArrayDeque<T, N> — circular buffer, const capacity
  • AllocDeque<T> — heap-allocated VecDeque
  • IntrusiveDeque<T> — zero-alloc intrusive deque

Tree

  • RadixTree<V, N> — sorted u64-keyed tree
  • IntervalTree<T, N> — interval storage with overlap queries
  • AllocRadixTree<V> — heap-allocated radix tree
  • AllocIntervalTree<T> — heap-allocated interval tree

Pool

  • Slab<T, N> — index-based object slab allocator
  • Arena<T, N> — linear bump allocator
  • ObjectPool<T, N> — reusable object pool
  • SlotMap<T, N> — versioned slot storage with generations

Bitmap

  • Bitmap<’a> — mutable bit array view
  • AtomicBitmap<’a> — lock-free atomic bitmap
  • IdAllocator<’a> — bitmap-backed ID allocator

Heap Verification

The heap verifier tracks every allocation from creation to deallocation across all exit paths, proving freedom from the three critical heap safety violations:

Box Allocation Tracking
Every Box::new() allocation is tracked as a live heap region. Drop is verified to occur exactly once before scope exit.
Vec Allocation Tracking
Vec::new() and Vec::with_capacity() allocations tracked through push, pop, resize, and drop operations.
Raw Allocation Tracking
alloc::alloc() and alloc::dealloc() pairs verified for balance across all paths including early returns and error branches.
Use-After-Free Detection (Class 25)
Any access to a heap region after it transitions to Freed state generates a hard obligation.
Double-Free Detection (Class 23)
Attempting to free a region already in Freed state is caught and rejected.
Memory Leak Detection (Class 24)
Any Live region that reaches function exit without being freed or returned to the caller is flagged.
Scope-Aware Tracking
Nested scopes inherit parent allocations. Regions returned from inner scopes are promoted to the outer scope rather than flagged as leaks.

Resource Tracking

Beyond heap memory, the system tracks four categories of system resources from acquisition through release, proving that every resource is properly cleaned up on all exit paths:

File Descriptors
Open/close pairing verified. Every open() or File::create() must have a matching close() or drop() on all paths.
MMIO Mappings
Memory-mapped I/O regions tracked from map_mmio() to unmap_mmio(). Unmapped regions cannot be accessed.
DMA Buffers
DMA-capable memory tracked from allocation to free_dma(). Aliasing with software buffers generates a DISJOINT obligation.
IRQ Handlers
Interrupt handlers tracked from register_irq() to unregister_irq(). Double-registration and orphaned handlers are caught.
Resource Leak (Class 44)
Any acquired resource not released or returned on some exit path generates an obligation.
Use-After-Release (Class 45)
Using a resource handle after it has been released generates a hard obligation.
Double-Release (Class 46)
Releasing a resource handle more than once is caught and rejected.

Deadlock Detection

The verifier performs static deadlock analysis by tracking lock acquisition ordering within and across function boundaries:

Lock Ordering Declaration
Declare ordering constraints with lock_order = "a < b < c". The verifier enforces that locks are always acquired in declared order.
Local Order Violation (Class 28)
Acquiring a lower-ranked lock while holding a higher-ranked lock within the same function is immediately rejected.
Cross-Function ABBA Detection (Class 29)
If function A acquires lock a then b, and function B acquires b then a, the cycle is detected and reported.
Mutex/RwLock Tracking
All Mutex::lock(), RwLock::read(), and RwLock::write() calls are tracked with acquisition sequences.
Guard Scope Enforcement (Class 30)
Protected data or guard state escaping the lock scope is caught and reported.
Bare Condvar Wait (Class 31)
Condition-variable wait() outside a retry loop (spurious wakeup vulnerability) is flagged.
Mutex Invariant Enforcement (Class 32)
Mutation under a mutex guard without restating the declared invariant is caught.
Callee Expansion
Lock acquisition sequences from verified callees are inlined into the caller’s analysis for cross-function cycle detection.

Tactic System & Derived Rules

Beyond the 10 primitive inference rules, the proof system provides 10+ high-level tactics and 28 derived inference rules for building proofs compositionally:

Tactics

conj_tac
Prove conjunction by proving each conjunct independently
disch_tac
Discharge assumption into implication (Γ ⊢ q → Γ ⊢ p ⇒ q)
undisch_tac
Reintroduce antecedent of implication as hypothesis
mp_tac
Modus ponens: given p ⇒ q and p, derive q
gen_tac
Generalize over bound variable (∀-introduction)
spec_tac
Specialize universally quantified theorem with concrete term
case_split_tac
Join boolean branches back into target goal
subst_tac
Substitute equality into first matching subterm
rewrite_once_tac
Apply single equality rewrite from theorem
induction_tac
Instantiate induction theorem to match universal goal
arith_tac
Prove arithmetic goals using registered theorems and normalization

Derived Inference Rules (28 Beyond the 10 Primitives)

SYMa = b ⇒ b = a — symmetry
AP_THMf = g ⇒ f(x) = g(x) — apply to argument
AP_TERMx = y ⇒ f(x) = f(y) — apply function
ADD_ASSUMΓ ⊢ p ⇒ Γ ∪ {q} ⊢ p — weakening
PROVE_HYPEliminate hypothesis by proving it from another theorem
DISJ_CASESp ∨ q, (p ⊢ r), (q ⊢ r) ⇒ r — disjunction elimination
DISCHΓ ⊢ q ⇒ Γ - {p} ⊢ p ⇒ q — discharge
UNDISCHΓ ⊢ p ⇒ q ⇒ Γ ∪ {p} ⊢ q — undischarge
MP(p ⇒ q), p ⇒ q — modus ponens
IMP_ANTISYM(p ⇒ q) ∧ (q ⇒ p) ⇒ p = q — equivalence
CONJth1, th2 ⇒ th1 ∧ th2 — conjunction
CONJUNCT1/2Extract left or right conjunct
GENΓ ⊢ t ⇒ Γ ⊢ ∀x. t — generalization
SPECΓ ⊢ ∀x. t ⇒ Γ ⊢ t[x/a] — specialization
NOT_INTRO/ELIMNegation introduction and elimination
EQT_INTRO/ELIMTruth equivalence: p ⇒ (p = T)
EQF_INTRO/ELIMFalsity equivalence: ¬p ⇒ (p = F)
BOOL_CASESCase split on boolean variable
BETA_CONVBeta-reduction conversion
UNFOLD_DEFUnfold constant definitions
EXTRACT_CONJExtract n-th conjunct from nested conjunction

Hardware Verification Support

The asm_proven! macro verifies inline assembly across 4 architectures with full register models, flag tracking, cycle counting, memory ordering, and peripheral device state machines. Every instruction effect is modeled as a HOL term.

Architectures & Register Models

x86_64

  • 16 GPR (rax–r15) with 32/16/8-bit sub-registers
  • 8-bit high registers (ah, bh, ch, dh)
  • SIMD: xmm0–15, ymm0–15, zmm0–15
  • AVX-512 mask registers k0–k7
  • RFLAGS: CF, PF, AF, ZF, SF, OF
  • RIP (instruction pointer), EFLAGS
  • ADCX/ADOX independent carry/overflow chains
  • MULX (BMI2), widening MUL/IMUL, DIV/IDIV
  • CMPXCHG, CMPXCHG8B, CMPXCHG16B (atomic CAS)
  • BSF, BSR, POPCNT, LZCNT, TZCNT (bit ops)
  • CMOV conditional moves, SETCC conditional sets
  • Memory barriers: LFENCE, SFENCE, MFENCE

AArch64

  • 31 GPR (x0–x30) with w-register aliases
  • xzr/wzr (zero register), sp, lr, fp
  • NEON: v0–v31 (q/d/s/h/b scalar views)
  • NZCV condition code register
  • ADDS/SUBS with flag update
  • UMULH, SMULH (upper-half multiply)
  • CSET, CINC (conditional set/increment)
  • Load/store exclusive: LDXR, STXR, LDAXR, STLXR
  • Load/store pair: LDP, STP
  • DMB, DSB memory barriers

RISC-V 64-bit

  • 32 GPR (zero, ra, sp, gp, tp, t0–t6, s0–s11, a0–a7)
  • 32 FP registers (fa0–fa7, fs0–fs11, ft0–ft11)
  • Machine CSRs: mstatus, mtvec, mepc, mcause, mtval, mie, mip, mhartid, misa
  • Supervisor CSRs: sstatus, stvec, sepc, scause, satp
  • User CSRs: ustatus, utvec, uepc, ucause
  • Counter CSRs: cycle, time, instret
  • FP CSRs: fflags, frm, fcsr
  • Vector CSRs: vstart, vxsat, vxrm, vl, vtype, vlenb
  • A-extension atomics: AMOSWAP, AMOADD, AMOAND, AMOOR, AMOXOR, AMOMAX, AMOMIN
  • Acquire/release suffixes: .aq, .rl, .aqrl
  • FENCE, FENCE.I memory ordering

WebAssembly

  • Typed local slots: i32, i64, f32, f64
  • v128 SIMD proposal (i8x16 through f64x2)
  • Global slots with type annotations
  • Stack machine semantics
  • Structured control flow (block, loop, if/else)
  • atomic.fence memory barrier

Peripheral Device State Machines

Hardware peripherals are modeled as state machines with typed MMIO registers, port I/O, and DMA effects. Every device interaction generates HOL terms for verification:

Local APIC Timer
One-shot, periodic, and TSC-deadline modes. LVT timer register, initial/current count, divide configuration.
I/O APIC
Interrupt redirection with delivery modes (Fixed, Lowest Priority, SMI, NMI, INIT, SIPI) and trigger modes (Edge, Level).
PIC (8259A)
Legacy interrupt controller with ICW/OCW command sequences and masking.
AES Accelerator
Hardware encryption state machine (Idle → Processing → Done). Encrypt, Decrypt, and KeySchedule operations.
TPM
Trusted Platform Module with PCR extend operations and attestation quote generation.
Timer Devices
HPET and PIT compatible timers with countdown, periodic modes, and interrupt generation.
Display / GPU
Framebuffer output with pixel format verification (RGB565, BGR888, XRGB8888). VirtIO GPU 2D/3D commands.
Network (RTL8126)
TX/RX descriptor rings, DMA operations, interrupt status/mask register tracking.
VirtIO Block
VirtIO block device read/write sector operations with descriptor chain verification.
VirtIO Network
VirtIO network TX/RX queue operations with buffer lifecycle tracking.

Virtualization (Intel VT-x / VMX)

VMX Lifecycle
VMXON, VMXOFF, VMCLEAR, VMPTRLD, VMPTRST — full VMX operation lifecycle verification.
VM Entry/Exit
VMLAUNCH and VMRESUME with 15-GPR guest state load/save verification. Error flag tracking (CF, ZF).
VMCS Field Access
VMREAD and VMWRITE for guest/host state fields. Field encoding validation.
EPT / VPID
Extended Page Table invalidation (INVEPT) and Virtual Processor ID invalidation (INVVPID).
Hypercalls
VMCALL verification for guest-to-hypervisor transitions.

Instruction Cycle Cost Accounting

Per-instruction latency and throughput models for WCET (worst-case execution time) analysis. Conditional branches split the context; both paths are tracked independently with min/max cycle bounds merged at join points:

Arithmetic
ADD/SUB: 1 cycle (0.33 throughput), IMUL/MUL: 3 cycles, DIV/IDIV: 10 cycles, MULX: 3 cycles, ADCX/ADOX: 2 cycles
Data Movement
MOV: 1 cycle, LEA: 3 cycles, PUSH/POP: 1 cycle (0.5 throughput), CMOV: 1 cycle
Control Flow
Branch: 1 cycle (0.25 throughput), CALL: 1 cycle, NOP/ENDBR64: 1 cycle
Bit Operations
POPCNT/LZCNT/TZCNT: 3 cycles, BSF/BSR: 3 cycles
Path Merging
min = min(path_a, path_b), max = max(path_a, path_b). Recursion guard at depth 32.

Theorem Library: 1,400+ Theorems Across 77 Domains

Over 1,400 pre-verified theorems organized across 77 mathematical domains, all derived from the 4 foundational axioms through legitimate inference. Every theorem has tracked dependencies and has passed mandatory quality gates (unconditional, non-tautological). All theorems are loaded via stack-safe queue dispatch during the sealed bootstrap phase.

Core Mathematics

  • Logic & propositional calculus
  • Set theory & set extensions
  • Order theory (partial/total orders, lattices)
  • Number theory (primes, GCD, CRT, Fermat)
  • Integer & rational arithmetic
  • Algebra (rings, fields, groups, modules)
  • Algebraic structures
  • Combinatorics (permutations, partitions)
  • Category theory (functors, natural transformations)

Analysis & Topology

  • Real analysis (limits, continuity, derivatives, integrals)
  • Complex analysis (holomorphic functions, residues)
  • Functional analysis (Banach/Hilbert spaces, operators)
  • Topology (compactness, connectedness)
  • Metric spaces (completeness, distance)
  • Measure theory (Lebesgue integral)
  • Differential equations (existence, uniqueness, stability)
  • Numerical analysis (error bounds, stability)

Concurrency & Synchronization

  • Mutex mutual exclusion & deadlock freedom
  • CAS atomicity & linearizability
  • Lock-free & wait-free progress guarantees
  • Acquire-release & sequential consistency ordering
  • MPMC/SPSC queue correctness
  • RCU, seqlock, & barrier semantics
  • Hazard pointers & epoch-based reclamation
  • Deadlock detection (cycle, resource graphs)
  • MVCC snapshot consistency

Cryptography & Security

  • Hash functions (SHA-256, SHA-3, BLAKE2/3)
  • Symmetric encryption (AES, ChaCha20, modes)
  • Asymmetric encryption (RSA, ECDSA, Ed25519, X25519)
  • Key derivation (PBKDF2, HKDF, Argon2, Scrypt)
  • AEAD constructions (AES-GCM, ChaCha20-Poly1305)
  • Post-quantum cryptography (lattice, code-based)
  • Security proofs (IND-CPA/CCA2, UF-CMA, hybrid arguments)
  • Zero-knowledge proofs (completeness, soundness)
  • Protocol verification (authentication, key establishment)
  • Side-channel analysis (timing, cache, power)
  • Information flow non-interference

Memory & Systems

  • Ownership & linear types (move semantics, borrows)
  • Separation logic (heap separation, frame rule)
  • Resource management (allocation/deallocation)
  • Termination (well-founded recursion, ranking functions)
  • Bitwise operations (popcount, reversal, masks)
  • Floating-point arithmetic (IEEE 754 error analysis)
  • Conservative approximation (safe bounds)

Algorithms & Data Structures

  • Sorting, searching, graph traversal correctness
  • Complexity theory (P, NP, PSPACE)
  • Automata & state machines (DFA, NFA, regular expressions)
  • Compiler theory (parsing, type checking, codegen)
  • B-trees (balancing, insertion, deletion)
  • Graph theory (paths, cycles, DAGs, coloring)
  • Relational algebra & SQL logic
  • Coding theory (error-correcting codes)

Distributed Systems & Databases

  • ACID properties & transaction semantics
  • Consensus & eventual consistency
  • Blockchain & merkle tree correctness
  • Message passing & network topology
  • Crash recovery & durability

Specialized Domains

  • Machine learning theory (PAC learning, VC dimension)
  • Probability & probabilistic reasoning
  • Information theory (entropy, channel capacity)
  • Signal processing (Fourier, convolution)
  • Optimization (convex, gradient descent, convergence)
  • Control theory (stability, feedback)
  • Game theory (Nash equilibria)
  • Quantum computing

Feature Breakdown by Target

Every capability across Rust code, inline assembly for all supported architectures, and WebAssembly:

Capability Rust x86_64 ASM AArch64 ASM RISC-V ASM WASM
Core Verification
Pre/postcondition contracts
Loop invariants with induction
Trait method contracts n/a n/a n/a n/a
Generic / polymorphic verification n/a n/a n/a n/a
Closure verification (λ abstraction) n/a n/a n/a n/a
Recursive function well-foundedness n/a n/a n/a n/a
Axiomatic spec registration n/a n/a n/a n/a
Dead code detection
Control Flow
If/else branch verification
Match expression exhaustiveness n/a n/a n/a n/a
For / while loop verification
Break / continue with invariants n/a n/a n/a n/a
Conditional branch splitting after CMP/TEST n/a n/a
Data Types & Containers
Struct / enum / tuple construction & access n/a n/a n/a n/a
Vec<T> (len, push, pop, remove, extend, retain, contains, indexing) n/a n/a n/a n/a
HashMap / BTreeMap (get, insert, remove, contains_key, entry, iter) n/a n/a n/a n/a
String operations (chars, trim, starts_with, contains, concat) n/a n/a n/a n/a
Option<T> / Result<T, E> case analysis n/a n/a n/a n/a
Array / slice indexing with bounds proof n/a n/a n/a n/a
Concurrency & Atomics
Atomic load / store / CAS / CAS-weak / swap n/a n/a n/a n/a
Atomic fetch_add / fetch_sub / fetch_or / fetch_and n/a n/a n/a n/a
Memory ordering verification (Relaxed through SeqCst) n/a n/a n/a n/a
Memory fences n/a n/a n/a n/a
Lock ordering declaration & inversion detection n/a n/a n/a n/a
All 13 atomic types (Bool, U8–U64, I8–I64, Usize, Isize) n/a n/a n/a n/a
CachePadded<T> support n/a n/a n/a n/a
Unsafe & Low-Level
Pointer read / write with validity proofs n/a n/a n/a n/a
Pointer dereference with alignment proof n/a n/a n/a n/a
slice::from_raw_parts with range validity n/a n/a n/a n/a
Transmute with size-match proof n/a n/a n/a n/a
UnsafeCell::get with exclusive access proof n/a n/a n/a n/a
MaybeUninit assume_init with initialization proof n/a n/a n/a n/a
Assembly-Specific Features
Register state pre/postconditions n/a
Flag state tracking (CF, ZF, OF, SF, NZCV) n/a n/a n/a
Carry-aware arithmetic (ADC, SBB, ADCX, ADOX) n/a n/a n/a n/a
Extended multiply (MULX / BMI2) n/a n/a n/a n/a
SIMD register tracking (XMM/YMM/ZMM) n/a n/a n/a n/a
Load/store exclusive (LDXR, STXR, LDAXR, STLXR) n/a n/a n/a n/a
Sub-register aliasing (EAX–RAX, W0–X0) n/a n/a n/a
Stack shadow / push-pop balance verification n/a n/a
Memory layout / struct field offset mapping n/a n/a
Cycle counting (min/max WCET bounds) n/a n/a
Ghost variables for induction n/a n/a
Memory corruption resilience mode n/a n/a
Secret input / side-channel annotation n/a n/a
Security & Analysis
Taint analysis (secret value propagation)
Constant-time verification
Panic condition analysis n/a n/a n/a n/a
Mutation tracking & inductive state proofs
Secret-dependent branch detection (timing leak)
Secret-dependent memory access (cache leak)
Secret-dependent variable-time instruction detection
Information flow (SECRET → public sink detection) n/a n/a n/a n/a
Declassification enforcement n/a n/a n/a n/a
MIR divergence detection n/a n/a n/a n/a
Obligation Tracking (50 Violation Classes)
Arithmetic overflow / underflow (Class 1) n/a n/a n/a n/a
Cast truncation (Class 2) n/a n/a n/a n/a
Division by zero (Class 3) n/a n/a n/a n/a
Shift bounds (Class 4) n/a n/a n/a n/a
Pointer validity (Class 6) n/a n/a n/a n/a
Mutable aliasing without DISJOINT (Class 7) n/a n/a n/a n/a
Array / tensor bounds (Class 8) n/a n/a n/a n/a
Global / static access (Class 10) n/a n/a n/a n/a
Trait contract violation / missing (Classes 39–40) n/a n/a n/a n/a
Contradictory preconditions (Class 16) n/a n/a n/a n/a
Unsafe path exploration (Classes 42–43) n/a n/a n/a n/a
MIR divergence from proof model (Class 50) n/a n/a n/a n/a
Panic Freedom
Option::unwrap / expect without proof (Class 35) n/a n/a n/a n/a
Result::unwrap / expect without proof (Class 36) n/a n/a n/a n/a
Implicit panic call detection (Class 37) n/a n/a n/a n/a
Transitive panic risk analysis (Class 38) n/a n/a n/a n/a
Guard fact tracking (is_some, is_ok, bounds) n/a n/a n/a n/a
catch_unwind boundary recognition n/a n/a n/a n/a
Termination measure / decreases (Classes 33–34) n/a n/a n/a n/a
Heap Verification
Box allocation tracking n/a n/a n/a n/a
Vec allocation tracking n/a n/a n/a n/a
Raw allocation tracking (alloc / dealloc) n/a n/a n/a n/a
Use-after-free detection (Class 25) n/a n/a n/a n/a
Double-free detection (Class 23) n/a n/a n/a n/a
Memory leak detection (Class 24) n/a n/a n/a n/a
Scope-aware region promotion n/a n/a n/a n/a
Resource Tracking
File descriptor lifecycle (open / close) n/a n/a n/a n/a
MMIO mapping lifecycle (map / unmap) n/a n/a n/a n/a
DMA buffer lifecycle (alloc / free) n/a n/a n/a n/a
IRQ handler lifecycle (register / unregister) n/a n/a n/a n/a
Resource leak detection (Class 44) n/a n/a n/a n/a
Use-after-release detection (Class 45) n/a n/a n/a n/a
Double-release detection (Class 46) n/a n/a n/a n/a
Deadlock Detection & Synchronization
Lock ordering declaration & enforcement n/a n/a n/a n/a
Local lock order violation (Class 28) n/a n/a n/a n/a
Cross-function ABBA cycle detection (Class 29) n/a n/a n/a n/a
Guard scope enforcement (Class 30) n/a n/a n/a n/a
Bare condvar wait detection (Class 31) n/a n/a n/a n/a
Mutex invariant enforcement (Class 32) n/a n/a n/a n/a
Memory barrier sufficiency (Class 41)
Callee lock acquisition expansion n/a n/a n/a n/a
Ownership & Lifetime
Use-after-move detection (Class 19) n/a n/a n/a n/a
Use-after-drop detection (Class 20) n/a n/a n/a n/a
Double-drop detection (Class 21) n/a n/a n/a n/a
Dangling borrow detection (Class 22) n/a n/a n/a n/a
Read-after-write aliasing (Class 14) n/a n/a n/a n/a
Hardware & I/O Effects
MMIO write verification (Class 17) n/a n/a
DMA aliasing detection (Class 18) n/a n/a
Peripheral device state machine verification n/a n/a
Interrupt controller models (APIC, I/O APIC, PIC) n/a n/a n/a n/a
VT-x / VMX instruction verification n/a n/a n/a n/a
VMCS field read / write n/a n/a n/a n/a
EPT / VPID invalidation verification n/a n/a n/a n/a
PCI configuration space modeling n/a n/a
VirtIO device verification (Block, Net, GPU) n/a n/a
Container Proofs
Ring buffer capacity invariants (SPSC) n/a n/a n/a n/a
MPMC slot sequence management n/a n/a n/a n/a
Bounded queue count correctness n/a n/a n/a n/a
Index wrapping proofs n/a n/a n/a n/a
Free + available = capacity - 1 invariant n/a n/a n/a n/a
Vec → HOL model (LEN, NTH, PUSH, POP, FILTER) n/a n/a n/a n/a
HashMap / BTreeMap → HOL model (GET, INSERT, REMOVE, KEYS) n/a n/a n/a n/a
String → HOL model (CHARS, TRIM, STARTS_WITH, CONTAINS) n/a n/a n/a n/a
Proof Infrastructure
11 tactics (conj, disch, gen, spec, case_split, induction, arith, …) n/a n/a n/a n/a
28 derived inference rules n/a n/a n/a n/a
Term normalization (canonicalization, constant folding) n/a n/a n/a n/a
Commutativity / associativity normalization n/a n/a n/a n/a
Proof-driven rewriting from theorem library n/a n/a n/a n/a
Pattern matching with free variable instantiation n/a n/a n/a n/a
Anticheat / tautological conclusion rejection n/a n/a n/a n/a

How We Compare

No other tool combines compile-time theorem proving, native Rust integration, assembly verification, and a pre-built proof library. Here is how the Pathways HOL Proof System compares to the leading formal verification tools:

Capability Pathways HOL Verus Kani Creusot Prusti Dafny SPARK/Ada Coq/Rocq F* Lean 4
Language & Integration
Verifies Rust directly ~ ~ ~
Compile-time (in cargo build)
No separate spec language required ~ ~
Zero runtime overhead
Proof Capabilities
Full theorem proving (not bounded)
Pre-built proof library ~
Loop invariants ~
Termination proofs ~
Dependent types
Counterexample generation
Rust Feature Coverage
Closures & generics ~ ~ ~ ~
Trait / interface contracts ~ ~ ~
Container types (Vec, Map, etc.) ~ ~ ~
Option / Result verification ~ ~
Unsafe Rust verification ~ ~
Memory & Ownership
Memory safety proofs ~ ~ ~ ~
Ownership / borrow reasoning ~ ~
Separation logic ~ ~ ~ ~ ~ ~
Concurrency & Low-Level
Concurrency proofs ~ ~ ~
Assembly verification
Multi-architecture (x86, ARM, RISC-V, WASM) ~ ~
Security & Cryptography
Cryptographic verification ~ ~ ~
Side-channel / constant-time analysis ~ ~
Information flow analysis ~
Real-Time & Certification
WCET / real-time bounds ~ ~
Safety certification (DO-178C, CC) ~
Obligation & Panic Analysis
Proof obligation tracking (50 classes) ~ ~ ~
Panic freedom analysis ~ ~
Arithmetic overflow / div-by-zero detection ~ ~ ~
Heap & Resource Verification
Heap verification (use-after-free, double-free, leaks) ~ ~ ~ ~
Resource lifecycle tracking (FD, MMIO, DMA, IRQ) ~ ~ ~
Deadlock detection (ABBA cycles, lock ordering) ~ ~
Hardware & Device Verification
Peripheral device state machines ~
VT-x / VMX hypervisor verification ~
MMIO / DMA effect verification ~
Instruction cycle cost accounting (WCET) ~ ~
Verified container library (10 families, 30+ types) ~

= Full support    ~ = Partial / limited    = Not supported    Verus uses a verus! macro extending Rust syntax; Creusot uses Pearlite; Prusti uses proc-macro attributes with custom operators. Dafny is a standalone verified language (not Rust) with integrated verification. F* assembly support is via the Vale DSL (x86-64 and AArch64). Coq/Rocq assembly and crypto via CompCert, Bedrock, and FIAT-Crypto (deployed in BoringSSL, Go, Firefox). SPARK certification support covers DO-178C (Level A), Common Criteria (EAL 5+), EN 50128, ISO 26262, and IEC 61508.

Licensing & Pricing

The HOL proof system is distributed as a Rust crate via Cargo. License keys are cryptographically signed tokens validated at compile time. Each license is tied to a single user and can be activated on up to two unique machines.

Hobby / Student / Individual

$5/mo (billed yearly)
  • #[proven] macro for Rust functions
  • #[invariant] for loop proofs
  • Core HOL kernel & proof library
  • Core theorem domains (math, logic, algorithms, data structures)
  • Closures, generics, containers, Option/Result
  • Concurrency & atomics verification
  • Unsafe Rust verification
  • No ASM verification
  • No cryptography / security / financial / defense theorems
  • No support included
  • 1 user, up to 2 machines
Get Started

Business

$99/mo per seat
  • Everything in Hobby/Student/Individual
  • Full theorem library (all 77 domains)
  • Cryptography, security, financial & defense theorems
  • CI/CD license key support
  • No ASM verification
  • All Rust developers must be licensed *
  • 1 user per seat, up to 2 machines each
Contact Sales

Enterprise

$199/mo per seat
  • Everything in Business
  • asm_proven! for all architectures
  • x86_64, AArch64, RISC-V, & WASM verification
  • WCET / cycle counting
  • Side-channel & constant-time analysis
  • Memory corruption resilience mode
  • Priority bug fixes & feature requests
  • All Rust developers must be licensed *
  • 1 user per seat, up to 2 machines each
Contact Sales

Government

Custom
  • All Enterprise features
  • Custom quote per use case
  • Compliance documentation & audit support
  • Dedicated proof engineering engagement
  • Classified environment support
  • On-premise deployment options
Request Quote

* “Rust developers” includes anyone who writes, reviews, modifies, or interacts with Rust code in any capacity — including through AI-assisted development tools.

Support Contracts

Support is available as a separate annual contract for Business and Enterprise tiers:

Standard Premium Mission Critical
Business Support
Annual cost $10,000/yr $20,000/yr $36,000/yr
Coverage hours 8×5 10×7 24/7
Response SLA 2 business days 1 business day 4 hours
Enterprise Support
Annual cost $20,000/yr $36,000/yr $50,000/yr
Coverage hours 8×5 10×7 24/7
Response SLA 4 hours 2 hours 1 hour