Harness Component — Subagent
3b Rust Compiler Analyzer
Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.
Definition
3b-rust-compiler-analyzer
Perform crate-level compiler analysis for a Rust crate: MIR pattern detection and LLVM IR comparison across optimization levels. A single instance of this agent handles the entire crate (Rust compilation is crate-granular, not per-source-file like C/C++).
Input
You receive these values from the orchestrator:
| Parameter | Description |
|---|---|
workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
cargo_manifest | Absolute path to Cargo.toml |
rust_crate_root | Directory containing Cargo.toml |
rust_tu_hash | Hash identifier for this crate (e.g. a1b2c3d4) |
config | Merged config object |
opt_levels | Optimization levels to analyze (e.g. ["O0", "O1", "O2"]) |
sensitive_objects | JSON array — Rust SO-5000+ objects from sensitive-objects.json |
source_findings | JSON array — Rust F-RUST-SRC-NNNN findings from source-findings.json |
baseDir | Plugin base directory (for tool paths) |
Process
Output directory: {workdir}/rust-compiler-analysis/
Step 1 — MIR Emission
Emit MIR (Mid-level Intermediate Representation) for the crate. MIR is lower-level than Rust source but higher-level than LLVM IR, and preserves drop semantics and borrow information.
{baseDir}/tools/emit_rust_mir.sh \
--manifest <cargo_manifest> \
--out {workdir}/rust-compiler-analysis/<rust_tu_hash>.mir
If emission fails:
- Write error to
notes.md - Write status-bearing error object to
mir-findings.json - Skip Step 2 and continue with Step 3 (LLVM IR analysis can still run)
Step 2 — MIR Pattern Analysis (produces MISSING_SOURCE_ZEROIZE, SECRET_COPY, NOT_ON_ALL_PATHS)
uv run {baseDir}/tools/scripts/check_mir_patterns.py \
--mir {workdir}/rust-compiler-analysis/<rust_tu_hash>.mir \
--secrets {workdir}/source-analysis/sensitive-objects.json \
--out {workdir}/rust-compiler-analysis/mir-findings.json
This detects:
drop(_X)without `StorageD
More from trailofbits/skills
0 Preflight
subagentPerforms preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.
1 Mcp Resolver
subagentResolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.
2 Source Analyzer
subagentIdentifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.
2b Rust Source Analyzer
subagentPerforms source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.
3 Tu Compiler Analyzer
subagentPerforms per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.
4 Report Assembler
subagentCollects all findings from source and compiler analysis, applies supersessions and confidence gates, normalizes IDs, and produces a comprehensive markdown report with structured JSON for downstream tools. Supports dual-mode invocation: interim (findings.json only) and final (merge PoC results, produce final-report.md).