Why not just use a verifiable subset of C? https://compcert.org/compcert-C.html

aeneasmackenzie · 2025-02-14T14:42:16 1739544136

Compcert guarantees that the executable that comes out does what the code that went in said, it doesn’t guarantee much about the code that went in.

LiamPowell · 2025-02-14T14:51:09 1739544669

There's also Frama-C, but having used both Frama-C and SPARK I can say I'd pick SPARK any day. Having a rich type system and not having to work with pointers makes proving a program so much easier.

MaxBarraclough · 2025-02-15T10:19:34 1739614774

Right, Frama-C can formally prove properties of C code.

There are also proprietary solutions that do something similar:

• https://www.eschertech.com/products/ecv.php

• https://www.trust-in-soft.com/