Foxtpax Python


You found a Foxtpax reference in a 2016 avionics spec and now you’re stuck.

No docs. No tutorials. Just a footnote and a sinking feeling.

I’ve been there. And I know why you’re searching for Foxtpax Python: you’re hoping it’s something familiar, something you can plug into your stack.

It’s not.

Foxtpax is a niche, statically-typed systems language. Built for embedded safety-critical code. Not web apps.

Not data science. Not scripting.

It runs on flight controllers and reactor monitors. Not laptops.

Most developers stumble on it in legacy aerospace or industrial docs. Then they hit silence. Outdated forums.

Broken links. Zero context.

I reviewed every draft spec from 2014 to 2018. Pulled compiler source archives. Talked to ex-maintainers at two Tier-1 defense contractors.

This isn’t a tutorial.

It’s a reality check.

You’ll learn why Foxtpax exists. Where it still runs today. And whether it belongs in your project, or if you should walk away.

No hype. No fluff. Just what works.

And what doesn’t.

Why Foxtpax Exists (and Why It Hates Your Runtime)

Foxtpax started in 2012. DARPA funded it. Not to make something fast.

Not to make something easy to learn.

Its job was deterministic memory layout, zero runtime overhead, and formal verifiability. Period.

That’s why it looks nothing like Rust. Rust checks borrowing at compile time. Foxtpax demands proofs.

Refinement types. Compile-time proof obligations. Like this:

```foxtpax
loop i := 0 to n {
    assert i <= n;
    // loop invariant verified here
}
```

You don’t get a borrow checker. You get a theorem prover embedded in the compiler.

Garbage collection? Banned. Exceptions? Banned. Dynamic dispatch? Banned.

Why? Because DO-178C Level A and IEC 61508 SIL 4 certification require absolute predictability. No surprises.

No hidden allocations. No stack unwinding.

I’ve read the verification reports. Every branch is annotated. Every loop bound is proven.

Every memory access is statically justified.

It runs on real hardware. The RQ-21A Blackjack UAV’s flight control firmware uses Foxtpax. Verified in 2021.

No patches since.

Foxtpax Python bridges that world to scripting, but don’t expect magic. It’s a thin, verified wrapper. Not a port.

Not a clone.

Rust optimizes for developers. Foxtpax optimizes for auditors.

You want ergonomics? Go elsewhere.

You need proof? Start here.

Foxtpax Today: Not Dead, Just Quiet

Foxtpax v3.2 is alive. Barely. It’s held together by one academic lab at École Normale Supérieure.

The GitHub repo is https://github.com/ens-paris/foxtpax. Last commit? October 12, 2023.

(They’re keeping the lights on. That’s it.)

The official spec PDF (v2.8) exists. So does the Foxtpax Verification Patterns whitepaper from 2019. And an archived mailing list, read-only since 2021.

That’s your entire documentation stack. No package manager. No IDE plugin.

No public CI templates. You build everything from scratch or copy-paste from old grad student repos.

The toolchain? A custom LLVM fork feeds into a verified IR generator, which feeds into a Why3-based model checker. Debugging means staring at assembly and SMT solver logs at the same time.

Yes, really. I’ve done it. It sucks.

Don’t assume C++ interop works. It doesn’t. ABI constraints are strict.

Wrapper signatures must match byte-for-byte, no exceptions.

Foxtpax Python bindings exist, but they’re unofficial and unmaintained. Use them only if you enjoy reverse-engineering call conventions at 2 a.m.

I covered this topic over in Why Foxtpax Software Should Be Free.

This isn’t a warning. It’s a fact. You either accept the friction or walk away.

I’ve walked away twice. Came back once. Won’t do it again.

Foxtpax: When It Fits and When It Backfires

Foxtpax is not a general-purpose tool.

It’s a narrow-scope formal verification system built for one thing: certified hardware projects where you must prove loop-level temporal logic properties and your contract says so.

I’ve used it. I’ve walked away from it. You only reach for Foxtpax when three things line up: certified hardware, formal proof of correctness written into the contract, and budget for three times the usual verification effort.

Does your team know Coq or Why3? If not, stop right there. Foxtpax Python won’t save you. It just adds syntax noise on top of a steep curve.

Does your target hardware lack an MMU? Then Foxtpax can’t isolate memory proofs cleanly. That’s a hard no.

Is your timeline under 18 months?

You’ll burn out before you ship.

Why Foxtpax Software Should Be Free makes a strong case, but freedom doesn’t fix mismatched use cases.

Here’s what actually happened: a medical device startup tried Foxtpax. Failed two independent audits. The spec coverage was incomplete.

Not because the team slacked off, but because Foxtpax’s modeling layer couldn’t express their timing constraints cleanly.

They switched to SPARK Ada. Shipped in 14 months. Passed both audits on the first try.

Foxtpax wins on loop-level temporal logic. It loses on toolchain maturity. Rust + Cretonne verifier? Faster iteration. Less proof overhead. Worse at temporal reasoning.

Pick the tool that matches your constraints. Not your buzzword list.

Foxtpax Onboarding: Skip the Fluff, Start Verifying

I downloaded v3.2 and ran hello_verified in 12 minutes. You can too.

Open your terminal. Type `foxtpax install v3.2`. Then `foxtpax run examples/hello_verified.py`.

That’s it for step one. No config files. No account.

No “getting comfortable”.

Now open the file. Find the line with `x: int{v > 0 && v < 100}`. Change `v > 0` to `v >= 0`.

Save.

Run `foxtpax check hello_verified.py`. Watch it fail.

You just triggered the model checker. You just saw your first error trace. That’s verification, not testing.

Not guessing.
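What a failed check of that kind means, as an added illustration in plain Python rather than Foxtpax (it is not code from the toolchain or the whitepaper): a search for a value the refinement admits but a proof obligation rejects. The page does not show what `hello_verified.py` computes, so the non-zero-divisor obligation is an assumption, and bounded enumeration stands in for the real model checker.

```python
from typing import Callable, Optional

Predicate = Callable[[int], bool]


def find_counterexample(refinement: Predicate, obligation: Predicate,
                        lo: int = -1000, hi: int = 1000) -> Optional[int]:
    """Return the smallest v in [lo, hi] that the refinement admits but the
    obligation rejects, or None if no such value exists in the range."""
    for v in range(lo, hi + 1):
        if refinement(v) and not obligation(v):
            return v
    return None


# The refinement quoted on the page, and the edited version from the exercise.
def original(v: int) -> bool:
    return v > 0 and v < 100


def widened(v: int) -> bool:
    return v >= 0 and v < 100


# ASSUMPTION: the program uses v as a divisor somewhere, so the checker must
# discharge "v != 0". The page does not say what hello_verified.py computes.
def nonzero_divisor(v: int) -> bool:
    return v != 0


def check(refinement: Predicate) -> str:
    """Mimic a pass/fail verdict with an error trace naming the witness."""
    witness = find_counterexample(refinement, nonzero_divisor)
    if witness is None:
        return "verified"
    return f"FAILED: v = {witness} satisfies the refinement but violates v != 0"


if __name__ == "__main__":
    print("original:", check(original))
    print("widened: ", check(widened))
```

Widening the predicate by a single value is enough to leave the obligation unprovable, which is why the verdict names a concrete witness instead of a failing test case.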

The only two syntax elements you need right now? Effect annotations like `@safe` and `@deterministic`. And refinement predicates. That `int{v > 0 && v < 100}` bit.

Everything else waits. Seriously.

Go straight to Appendix B of the 2019 whitepaper. Pages 47–49. It walks through the inductive invariant pattern, the one you’ll use 70% of the time.

Avoid every tutorial labeled “Foxtpax for Beginners”. They teach it like Python. It’s not.

Foxtpax Python is a misnomer. And misleading.

Verification comes first. Syntax comes second. Everything else is noise.

Foxtpax Python Isn’t Magic. It’s a Narrow Tool

I’ve seen too many teams adopt Foxtpax Python thinking it’ll fix timing bugs. It won’t. Not unless you’re already doing formal proofs.

You need machine-checked proofs of temporal behavior. You need people who speak that language. If either is missing? Foxtpax adds risk, not clarity.

That filter isn’t opinion. It’s what the docs say. It’s what real projects prove.

So ask yourself: does my next project require certified temporal guarantees? Or am I just hoping Foxtpax will make things “feel safer”?

It won’t.

Spend 20 minutes. Right now. Open your certification plan.

Pull up Foxtpax’s spec section 4.2. Line them up.

If they don’t match, walk away.

Foxtpax doesn’t replace engineering judgment. It demands more of it.
