Nitpick Formal Verification & Design by Contract

Nitpick’s fundamental philosophy is the rejection of unsafe behavior. To achieve this, it deeply integrates with the Z3 SMT solver to mathematically prove the correctness of the code before it is allowed to execute.

1. Static Assertions

The assert_static builtin allows developers to encode compile-time logic checks. If the expression evaluates to false, compilation immediately halts.

assert_static(1i32 == 1i32);

2. Formal Proofs (`prove`)

The prove keyword interacts directly with the Z3 verification backend (when the --verify compiler flag is set). It forces the SMT solver to construct a mathematical proof that the subsequent expression holds true across all possible control flows and variable states.

If the solver finds a path where the expression is false, compilation fails.

int32:x = get_val();
if (x > 0) {
    prove(x != 0); // Mathematically verified at compile time.
}

3. Limit Rulesets

The limit<Rules> keyword allows developers to bind strict structural constraints to types. These constraints are heavily analyzed by the verifier to ensure physics boundaries or contract bounds are not breached during runtime execution.

(See contracts_limits_specs.txt for extensive examples on Rules limits and Design by Contract features like requires and ensures).

Nitpick Specs

Core Specs

operators

types

Nitpick Formal Verification & Design by Contract

1. Static Assertions

2. Formal Proofs (`prove`)

3. Limit Rulesets

Nitpick Specs

Core Specs

operators

types

Nitpick Formal Verification & Design by Contract

1. Static Assertions

2. Formal Proofs (prove)

3. Limit Rulesets

2. Formal Proofs (`prove`)