
Harness Component — Subagent

3b Rust Compiler Analyzer

Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.

Runtime: universal
Stack: rust
Intent: research

Definition

3b-rust-compiler-analyzer

Perform crate-level compiler analysis for a Rust crate: MIR pattern detection and LLVM IR comparison across optimization levels. A single instance of this agent handles the entire crate (Rust compilation is crate-granular, not per-source-file like C/C++).
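The cross-level comparison described above, as an added sketch that is not zeroize-audit's own tooling: it counts zeroing writes per function in textual LLVM IR and reports functions whose wipes disappear at a higher optimization level. The IR is constructed for illustration, and the function names, the `load_key` callee and the regex heuristics are assumptions.

```python
import re

# Constructed IR (assumption): a 32-byte stack key wiped with memset before return.
MEMSET = "  call void @llvm.memset.p0.i64(ptr align 1 %key, i8 0, i64 32, i1 {vol})\n"

def sample_fn(name, wipe=""):
    """Build one constructed function body; `wipe` is the optional zeroing call."""
    return (f"define void @{name}() {{\nstart:\n  %key = alloca [32 x i8], align 1\n"
            f"  call void @load_key(ptr %key)\n{wipe}  ret void\n}}\n")

VOLATILE = MEMSET.format(vol="true")    # isvolatile=true: optimizer must keep it
PLAIN = MEMSET.format(vol="false")      # ordinary memset: a dead store before ret

IR_BY_LEVEL = {
    "O0": sample_fn("sign_plain", PLAIN) + sample_fn("sign_volatile", VOLATILE),
    # At O2 the non-volatile wipe of the dying alloca has been eliminated.
    "O2": sample_fn("sign_plain") + sample_fn("sign_volatile", VOLATILE),
}

# Heuristics (assumptions): a function is "define ... @name(...) {" up to a "}"
# in column 0; a wipe is a zero-valued memset or a volatile store of 0.
FUNC_RE = re.compile(r"^define\b[^@]*@([\w.$]+)\(.*?\{\n(.*?)^\}", re.M | re.S)
WIPE_RE = re.compile(r"call void @llvm\.memset\.[\w.]+\([^,]+, i8 0,"
                     r"|store volatile i\d+ 0,")

def wipes_per_function(ir_text):
    """Map each defined function name to its number of zeroing writes."""
    return {name: len(WIPE_RE.findall(body)) for name, body in FUNC_RE.findall(ir_text)}

def eliminated_wipes(ir_by_level, baseline="O0"):
    """Return (function, level, baseline_count, optimized_count) for lost wipes."""
    base = wipes_per_function(ir_by_level[baseline])
    findings = []
    for level, ir_text in ir_by_level.items():
        if level == baseline:
            continue
        optimized = wipes_per_function(ir_text)
        for fn, count in base.items():
            if fn not in optimized:
                continue  # inlined or removed: not comparable, needs manual review
            if count > 0 and optimized[fn] < count:
                findings.append((fn, level, count, optimized[fn]))
    return findings

if __name__ == "__main__":
    for finding in eliminated_wipes(IR_BY_LEVEL):
        print("wipe eliminated: %s at %s (%d -> %d)" % finding)
```
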

Input

You receive these values from the orchestrator:

| Parameter | Description |
|---|---|
| workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
| cargo_manifest | Absolute path to Cargo.toml |
| rust_crate_root | Directory containing Cargo.toml |
| rust_tu_hash | Hash identifier for this crate (e.g. a1b2c3d4) |
| config | Merged config object |
| opt_levels | Optimization levels to analyze (e.g. ["O0", "O1", "O2"]) |
| sensitive_objects | JSON array — Rust SO-5000+ objects from sensitive-objects.json |
| source_findings | JSON array — Rust F-RUST-SRC-NNNN findings from source-findings.json |
| baseDir | Plugin base directory (for tool paths) |

Process

Output directory: {workdir}/rust-compiler-analysis/

Step 1 — MIR Emission

Emit MIR (Mid-level Intermediate Representation) for the crate. MIR is lower-level than Rust source but higher-level than LLVM IR, and preserves drop semantics and borrow information.

{baseDir}/tools/emit_rust_mir.sh \
  --manifest <cargo_manifest> \
  --out {workdir}/rust-compiler-analysis/<rust_tu_hash>.mir

If emission fails:

  • Write error to notes.md
  • Write status-bearing error object to mir-findings.json
  • Skip Step 2 and continue with Step 3 (LLVM IR analysis can still run)

Step 2 — MIR Pattern Analysis (produces MISSING_SOURCE_ZEROIZE, SECRET_COPY, NOT_ON_ALL_PATHS)

uv run {baseDir}/tools/scripts/check_mir_patterns.py \
  --mir {workdir}/rust-compiler-analysis/<rust_tu_hash>.mir \
  --secrets {workdir}/source-analysis/sensitive-objects.json \
  --out {workdir}/rust-compiler-analysis/mir-findings.json

This detects:

  • drop(_X) without `StorageD
View full source (13,161 chars) on GitHub

More from trailofbits/skills

0 Preflight

subagent

Performs preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.


1 Mcp Resolver

subagent

Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.


2 Source Analyzer

subagent

Identifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.


2b Rust Source Analyzer

subagent

Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.


3 Tu Compiler Analyzer

subagent

Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.


4 Report Assembler

subagent

Collects all findings from source and compiler analysis, applies supersessions and confidence gates, normalizes IDs, and produces a comprehensive markdown report with structured JSON for downstream tools. Supports dual-mode invocation: interim (findings.json only) and final (merge PoC results, produce final-report.md).
