In hardware design, stateless signals change instantaneously with underlying register updates, introducing timing hazards—particularly metastability-induced glitches—yet existing HDLs lack static guarantees of signal value stability, forcing designers to rely on error-prone manual reasoning. This paper introduces Anvil, a novel general-purpose hardware description language featuring a type system that explicitly distinguishes registers from stable signals and enforces precise timing constraints between signal usage and register updates. Its key contributions are: (1) the first general-purpose HDL supporting static verification of timing safety while preserving cycle-accurate control; (2) parameterized dynamic timing contracts enabling modular composition and cross-module stability reasoning; and (3) end-to-end verification on the critical path of an open-source RISC-V CPU, demonstrating expressive power, formal timing safety, and practical engineering viability.

Hardware designs routinely use stateless signals which change with their underlying registers. Unintended behaviours arise when a register is mutated even when its dependent signals are expected to remain stable (unchanged). Such timing hazards are common because, with a few exceptions, existing HDLs lack the abstraction for stable values and delegate this responsibility to hardware designers, who then have to carefully decide whether a value remains unchanged, sometimes even across hardware modules. This paper proposes Anvil, an HDL which statically prevents timing hazards with a novel type system. Anvil is the only HDL we know of that guarantees timing safety without sacrificing expressiveness for cycle-level timing control or dynamic timing behaviours. Instead of abstracting away differences between registers and signals, Anvil's type system exposes them fully but captures timing relationships between register mutations and signal usages for enforcing timing safety. This, in turn, enables safe composition of communicating hardware modules by static enforcement of timing contracts that encode timing constraints on shared signals. Such timing contracts can be specified parametric on abstract time points that can vary during run-time, allowing the type system to statically express dynamic timing behaviour. We have implemented Anvil and successfully used it for implementing key timing-sensitive modules in an open-source RISC-V CPU, which demonstrates its expressiveness and practicality.