Harness Component — Subagent
6 Test Generator
Generates runtime validation test harnesses (C tests, MSAN, Valgrind targets) for confirmed zeroize-audit findings. Produces a Makefile for automated test execution.
Definition
6-test-generator
Generate runtime validation test harnesses for confirmed zeroize-audit findings: C test harnesses, MemorySanitizer tests, Valgrind targets, and stack canary tests.
Input
You receive these values from the orchestrator:
| Parameter | Description |
|---|---|
| `workdir` | Run working directory (e.g. `/tmp/zeroize-audit-{run_id}/`) |
| `compile_db` | Path to `compile_commands.json` |
| `config_path` | Path to merged config file (`{workdir}/merged-config.yaml`) |
| `final_report` | Path to `{workdir}/report/findings.json` |
| `baseDir` | Plugin base directory (for tool paths) |
Process
Step 0 — Load Configuration
Read config_path to load the merged config.
Step 1 — Read Final Report
Load {workdir}/report/findings.json and filter to confirmed findings (confidence = confirmed or likely).
Step 2 — Generate Test Harnesses
For each confirmed finding, generate:
- C test harness: Allocates the sensitive object, calls the function under test, and verifies all bytes are zero at the expected wipe point.
- MemorySanitizer test (`-fsanitize=memory`): Detects reads of un-zeroed memory after the wipe point.
- Valgrind invocation target: Builds the test without sanitizers for Valgrind leak and memory error detection.
- Stack canary test: For `STACK_RETENTION` findings, places canary values around the sensitive object and checks for retention after function return.
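A concrete instance of the C harness and stack canary test described above, added here as an illustration and not the subagent's generated output: `use_key_on_stack` is a hypothetical function under test, `guarded_key`, `probe_stack_retention` and `run_stack_retention_test` are assumed names, and the key bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define KEY_LEN 32
#define CANARY_LEN 8
#define CANARY 0xC5
/* Wipe through a volatile function pointer so the store cannot be
 * dead-store-eliminated; the harness then checks that the wipe really landed. */
static void *(*volatile memset_v)(void *, int, size_t) = memset;
/* Sensitive stack object with canary bytes on both sides, so a later probe
 * can tell whether it is looking at the same frame. */
typedef struct {
    uint8_t lo[CANARY_LEN];
    uint8_t secret[KEY_LEN];
    uint8_t hi[CANARY_LEN];
} guarded_key;
/* Hypothetical function under test: derives a value on the stack and
 * wipes it before returning (the expected wipe point). */
__attribute__((noinline)) void use_key_on_stack(const uint8_t *key) {
    volatile guarded_key g;
    memset((void *)g.lo, CANARY, CANARY_LEN);
    memset((void *)g.hi, CANARY, CANARY_LEN);
    for (size_t i = 0; i < KEY_LEN; i++) g.secret[i] = (uint8_t)(key[i] ^ 0xFFu);
    memset_v((void *)g.secret, 0, KEY_LEN);   /* the wipe under validation */
}
/* Retention probe: declares the same layout without initialising it and
 * inspects what the previous call left behind in that frame.
 * Returns 0 = wiped, 1 = secret retained, 2 = inconclusive (no canaries). */
__attribute__((noinline)) int probe_stack_retention(const uint8_t *key) {
    volatile guarded_key g;
    size_t canaries = 0, retained = 0, zero = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        canaries += (g.lo[i] == CANARY) + (g.hi[i] == CANARY);
    if (canaries != 2 * CANARY_LEN) return 2;   /* frames did not line up */
    for (size_t i = 0; i < KEY_LEN; i++) {
        retained += (g.secret[i] == (uint8_t)(key[i] ^ 0xFFu));
        zero += (g.secret[i] == 0);
    }
    return retained == KEY_LEN ? 1 : (zero == KEY_LEN ? 0 : 2);
}
/* Harness entry as it would be generated for one STACK_RETENTION finding:
 * run the function under test, then probe. Result 1 means the finding is confirmed. */
int run_stack_retention_test(void) {
    uint8_t key[KEY_LEN];                       /* constructed test key */
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(i * 37u + 11u);
    use_key_on_stack(key);
    return probe_stack_retention(key);
}
```

The probe deliberately reads an uninitialised frame, so it belongs in the non-sanitizer (Valgrind) build; under `-fsanitize=memory` those reads are reported before the result is returned.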
Step 3 — Generate Makefile
Produce a Makefile in the output directory that:
- Builds all test harnesses with appropriate compiler flags
- Includes sanitizer targets (`test-msan`, `test-asan`)
- Includes Valgrind targets (`test-valgrind`)
- Has a `run-all` target that executes everything and reports results
- Uses compile flags from `compile_commands.json` where applicable
Step 4 — Generate Manifest
Produce test_manifest.json listing all generated tests with:
- Test file path
- Finding ID it validates
- Test type (harness, msan, valgri