alt.hn

7/1/2026 at 5:05:29 PM

Show HN: Salt – a systems language with Z3 theorem proving in the compiler

https://salt-lang.dev

by bneb-dev

7/1/2026 at 6:33:11 PM

This looks pretty impressive but it’s all AI-generated (or written in a similar style) and therefore the documentation is lacking.

There is a language specification [1][2] but it lacks coherence.

I think the way to improve it would be to try to teach this language to people and get feedback from them. That is, it needs beta testers. It looks like there’s no community of users yet?

[1] https://github.com/bneb/lattice/blob/main/docs/SPEC.md

[2] https://github.com/bneb/lattice/blob/main/SYNTAX.md

by skybrian

7/1/2026 at 7:09:36 PM

For complete transparency: AI augmented engineering is the core workflow for this project.

I have been pretty diligent about trying to de-slop the project after long RALPH loops and `/goal` prompts, and I review and edit documentation. Based on your feedback, I just made another pass.

Please feel free to let me know if there is anything specific lacking from the docs, and I will update them in the future.

by bneb-dev

7/1/2026 at 8:11:16 PM

If you compare say, the Go language specification for an assignment statement [1] to Salt's explanation of its let statement, there is a big difference. Salt's docs lean heavily on "it works like you would expect from other languages" so you have to reason by analogy. A specification shouldn't work that way; it should actually explain the rules for each language construct, without assuming knowledge of other languages.

[1] https://go.dev/ref/spec#Assignment_statements

by skybrian

7/1/2026 at 11:25:16 PM

Thanks, I restructured that doc and will work on it moving forward.

by bneb-dev

7/2/2026 at 6:02:31 PM

I was confused by the matrix multiply example since it doesn't show requires clauses. So I looked at what is presumably the source I'm supposed to look at: https://github.com/bneb/lattice/blob/main/basalt/src/kernels...

There's a comment saying every function in that file has requires clauses, but... They don't?

Also, the actual implementation of matrix multiply is manually tiled, while the website boasts about automatic loop tiling. It's hard to know what to trust here.

by derdi

7/2/2026 at 6:17:33 PM

Looking. I did a huge purge/rewrite of the benchmarks and this might have regressed. Happy to track here or GitHub.

by bneb-dev

7/1/2026 at 7:13:25 PM

For people looking for other languages with statically checked contracts, you might want to check out SPARK, which has been around in some form since the late 1980s. It is a subset of the Ada language and had been used for safety critical code in aerospace and defense projects, as well as for some Nvidia firmware.

It also uses Z3 to discharge proof obligations generated by the contract annotations, and it lets you use swap out different theorem provers as backends.

The GNAT Ada compiler (which is part of GCC) allows you to turn off the dynamic safety checks that are usually inserted into Ada programs at build time so you can optionally remove them if they are proven unnecessary.

Here are some resources for comparison:

- https://www.adacore.com/languages/spark

- https://learn.adacore.com/courses/intro-to-spark/chapters/01...

by csb6

7/1/2026 at 7:22:16 PM

SPARK seems interesting. Any ideas how it compares to Salt?

- C performance? - Generics? - Syntax ergonomics?

Thanks for sharing!

by bneb-dev

7/1/2026 at 7:34:22 PM

Yes, it has generics. The syntax is Pascal-like, which some people used to C-family languages dislike but I personally find nice. Performance can definitely match performant C code. (intended use cases include real-time systems and embedded devices)

The language overview can be found here: https://docs.adacore.com/spark2014-docs/html/ug/en/spark_201...

by csb6

7/2/2026 at 11:03:31 AM

It is a way to formally verify Ada, it meets all those criterias.

by pjmlp

7/1/2026 at 6:33:16 PM

> [int overflows, etc.] No runtime cost when Z3 can prove it. Otherwise, the compiler emits a safe runtime check as fallback.

Super interesting approach. I see this eventually be integrated into future mainstream languages, though that may take a while. I suspect that the game programming crowd will try to use it first, due to the possibility to prove certain edge cases at compile time and skip the runtime cost. But perhaps this optimization drive is no longer the case because we've got bazillions of cores nowadays. I may be too old for these predictions. Cool nonetheless.

by luckystarr

7/2/2026 at 7:57:15 AM

> I suspect that the game programming crowd will try to use it first

> perhaps this optimization drive is no longer the case because we've got bazillions of cores nowadays

gaming is one of the industries where developers have to care about performance. you can see it with all the backlash on unreal engine, players just dont want slow games even if you ignore the fps chasing pcmr crowd. and getting to 60 or even 30 fps with complex game logic and high res graphics is not easy.

one of the ways you can see this is actually language choice. almost all engines are written in c++ (or sometimes rust). vm languages like java are rare because you dont want gc and extra allocations on the hot path. even for scripting theres a lot of focus on fast and low overhead interpreters, thats why lua is way more popular for games than python or js.

by tancop

7/1/2026 at 7:10:23 PM

Thanks for reading and sharing your thoughts!

by bneb-dev

7/2/2026 at 2:06:47 AM

You should also look at Liquid Haskell.

by throwaway81523

7/2/2026 at 12:16:19 PM

Bounds and div-by-zero are the easy wins; the real tax with contract systems is the loop invariant Z3 can't infer on its own, where you end up hand-writing an `ensures` longer than the function body. What's the gnarliest invariant you had to spell out by hand to get one of those kernels to verify?

by valentynkit

7/2/2026 at 5:18:47 PM

For loops already worked but might not have been documented correctly. I just shipped the functionality for `while` loops now, auto-infer works for common cases of invariants:

  let mut i = 0;
  while i < 5 {
    arr[i] = val;
    i += 1;
  }
So in that case, the compiler detects `i < N` with monotonic increment and synthesizes `i >= 0 && i < N` automatically.

(Works with `<`, `<=`, `i += 1`, and `i = i + 1` via the same mechanism as for-loop induction variables.)

Complex loops (`while i + j < n`, `while p.addr() != 0`) require syntax that I have slopped together an explicit `invariant` keyword that I am not 100% happy with, but will refine later. Z3 checks base case + inductive step via Hoare logic and reports counterexamples on failure.

---

RE: "gnarliest invariant"

`ensures(result != 0)` on the SYN cookie in the kernel contract for the OS project in the monorepo.

by bneb-dev

7/2/2026 at 6:05:48 PM

The more interesting loop invariants aren't the ones about the loop counter but about the contents of the array. If you require `forall i, array[i] == value` after that loop, will the system come up with the loop invariant about the prefix of the array for any given `i`? What about something like bubblesort or insertion sort?

by derdi

7/2/2026 at 3:01:37 AM

Moving theorem proving upstream into compilers, sandboxes, and the browser seems like the future when we're dealing with increasingly sophisticated AIs. I'm working on similar formal methods but applied to agent sandboxing; do you see Z3 as a better fit than lean? https://github.com/coproduct-opensource/nucleus

by difc

7/2/2026 at 1:36:17 PM

> Moving theorem proving upstream into compilers, sandboxes, and the browser seems like the future

The way I saw this proposed, back in the 2000s: "proof-carrying code."[0]

The idea is: the compiler compiles the program, and simultaneously generates a proof that the program doesn't violate X, Y, or Z safety rules.

Later, the end-user downloads the program and the proof together, and the local execution environment (the browser, the OS itself, etc) verifies that proof.

The idea being: constructing proofs is hard and sometimes involves manual steps. But verifying a proof is easy and automatic. So do the slow, manual thing once, and the fast thing each time the program is downloaded.

[0]: https://en.wikipedia.org/wiki/Proof-carrying_code

by Taikonerd

7/2/2026 at 3:14:51 PM

Sounds a bit like Microsoft's Singularity project, though I don't know if they even used a proof system to ensure a program couldn't do bad stuff(TM). After verification they just let the program run in Ring 0 (kernel space) of the CPU to skip even the performance hit of the cpu's isolation.

by luckystarr

7/2/2026 at 3:16:07 PM

I thought Singularity was just building an OS on a memory-safe language and runtime, C# and .NET.

The same thing Java tried to do with applets at the browser level.

by pocksuppet

7/2/2026 at 5:21:08 PM

I listened to an interview with one of the researchers. They had a component to verify "this binary will never allocate mem outside it's allowed area" and by statically verifying that they could enable high performance IPC. Also, that was the source for the decision to allow it to run on Ring 0. That's what stuck in my mind.

by luckystarr

7/2/2026 at 11:27:51 AM

Salt chose Z3 because it felt right for a compiler. The 100ms timeout means it's not sound, but it's useful. Lean could be the right choice when a proof is a hard requirement?

by bneb-dev

7/2/2026 at 5:02:53 AM

Why no GC? Guaranteed memory safety would be nice

by rurban

7/2/2026 at 11:26:26 AM

It was a design decision. I chose Arenas instead.

The designed arena allocation is both faster and more predictable than GC. The trade-off is that you have to think about memory regions, but you never pay a GC pause.

by bneb-dev

7/2/2026 at 3:49:28 AM

Why not use Verus?

It augments Rust with Z3 and is not a pile of unverified slop.

by Eridrus

7/2/2026 at 4:25:43 AM

Haven't heard of Venus (the programming language), but it sounds interesting. I'm curious to know what you mean by verified?

Do you happen to know if Venus has a Result type with canonical error codes, pipes, and other ergonomics?

Does it have C parity performance?

by bneb-dev

7/2/2026 at 5:21:25 AM

Verus, not Venus: https://verus-lang.github.io/verus/guide/

by Eridrus

7/2/2026 at 9:16:13 AM

Ah, the issue is that I don't like that syntax: Salt is macro free, and doesn't need assert statements, etc... These are stylistic but I am assuming that under the hood things look quite similar.

I put an effort in to de-slop the project wherever I can. If you've noticed anything specific, I'd kindly request that you open an issue on Github or respond here with your findings so that I might correct them in the future.

Thanks for taking an in-depth look at Salt.

by bneb-dev

7/2/2026 at 12:27:07 PM

Thanks for trying to de-slop an ai-created project.

by doc_ick

7/2/2026 at 4:14:00 PM

Not sure what tone you're going for, but can you expound on what you mean by 'ai-created'?

by bneb-dev

7/2/2026 at 4:55:39 PM

I'm not that commenter, but I feel like you wouldn't have to de-slop the project if it wasn't slop to begin with.

by Hugsbox

7/2/2026 at 6:04:23 PM

My workflow is to design, then use goal and loop prompts to RALPH a feature. At that point, usually there is a bunch of AI generated code that is generally correct but needs refinement, editing, testing, benchmarking, etc... That human-in-the-loop iterative step is the 'de-slop'. Would you prefer different phrasing, or is the trigger here the use of coding agents?

by bneb-dev

7/1/2026 at 5:05:29 PM

Salt is a systems programming language that embeds the Z3 SMT solver in the compiler.

You add `requires` and `ensures` clauses to functions, and the compiler proves them at compile time. When Z3 succeeds, the check is elided (zero instructions emitted).

When it fails, you get a counterexample. When it times out (100ms limit per obligation), the check is skipped and counted.

It compiles through MLIR to LLVM and targets KeuOS, a microkernel with an ECS (Entity Component System) architecture. Both are MIT-licensed.

---

How it works

Call `safe_div(x, 7)` and Z3 proves `7 != 0`. Check elided.

Call `safe_div(x, 0)` and the compiler stops.

The key difference from Rust/Zig/C: the compiler calls Z3 during normal compilation. No separate verification tool, no annotation language, no proof assistant. The contract syntax is part of the language.

---

What's real

- Compiler: 1,752 unit tests passing, clippy clean. Compiles through MLIR to LLVM IR. x86-64 and ARM64 backends. - Kernel: 14/14 QEMU e2e tests pass. TCP stack (connect/send/recv/close), ICMP, deterministic builds. NetD (network daemon) runs as a Ring 3 process on SPSC shared memory rings.

- ECS architecture: 13 entity syscalls (402-413). Entity lifecycle (spawn/exit/wait), memory regions as entities (map/brk/alloc), I/O routing via capabilities, socket entity tracking, performance counters, world persistence diagnostics.

- Shell: Inline `ecs`, `ps_ecs`, `free_ecs` commands query ECS World without spawning child processes.

- Benchmarks: Salt vs C (`clang -O3`) on 21 algorithm benchmarks. Salt at parity or faster on 19/21. Allocation-heavy workloads (hashmap, LRU, buffered writer) see 2-10x wins from arena allocation. Compute-bound (matmul, sieve, fib) at 0.9-1.0x of C.

- LSP: VS Code extension ships with semantic tokens, go-to-def, find-refs, Z3 hover.

---

What's not done (research-quality, not production)

- The standard library is incomplete. Many things you'd expect are missing.

- Z3 handles integer arithmetic, bit-vectors, and reals. String and quantifier support is partial. Contracts outside Z3's reach are compile-time checked where possible, silently skipped otherwise.

- Error messages from the Z3 pass can be opaque.

- The kernel targets QEMU (x86-64). Tested on AWS bare metal instances, not local 'bare metal' yet.

- One nights-and-weekends developer.

---

Why this exists

The goal was to find out whether formal verification could be a compiler feature rather than a separate toolchain. The benchmarks say the compiler is fast enough (Lettuce compiles in under a second with contracts enabled). The kernel contracts catch real bugs. But the language hasn't been used by anyone outside the project, and that's the test that matters.

---

Links

- Source: https://github.com/bneb/lattice)

- Tutorial: https://github.com/bneb/lattice/blob/main/docs/tutorial/your...

- Architecture: https://github.com/bneb/lattice/blob/main/docs/ARCH.md

- Benchmarks: https://github.com/bneb/lattice/blob/main/benchmarks/BENCHMA...

by bneb-dev

7/2/2026 at 11:53:06 AM

Next time curate what Claude/Codex tells you, this text seems targeted towards you, not a potential user

by ramon156

7/2/2026 at 3:30:07 PM

What gives you that impression?

by bneb-dev

7/2/2026 at 12:27:30 PM

100%

by doc_ick

7/2/2026 at 10:18:21 AM

>One nights-and-weekends developer.

What?

by left-struck

7/2/2026 at 11:22:44 AM

This is being made by one person as a side project (not done during core working hours)

by bneb-dev

7/2/2026 at 4:59:58 PM

Why is that a bullet point under "What's not done"? It's confusing in that context, almost as if an AI wrote it and then it wasn't looked over.

by Hugsbox

7/2/2026 at 5:28:23 PM

You could nitpick the subsection title, and from that perspective "What's not done" is a bit of a catch-all for caveats.

With that said, I think it's pretty easy to infer the meaning there.

I'm not really sure how else to be more transparent about things, but I am using an AI-augmented engineering as the core workflow for the project, and that includes drafting docs and this post.

I read and edit the work. For a side-project with no current community support or users, I need to make a judicious decision when to spend time and effort. IMO it is reasonable _not_ to try to trick anyone into thinking that AI is not used. My proof reading and editing will miss things from time-to-time. I'm OK with it at the current scale of the project.

by bneb-dev