awfixers-stuff/rust-sanitizers-miri

Rust Sanitizers and Miri

Purpose

Guide agents through runtime safety validation for Rust: ASan/TSan/MSan/UBSan via RUSTFLAGS, Miri for compile-time UB detection in unsafe code, and interpreting sanitizer reports.

Triggers

• "How do I run AddressSanitizer on Rust code?"
• "How do I use Miri to check my unsafe Rust?"
• "How do I run ThreadSanitizer on a Rust program?"
• "My unsafe Rust might have UB — how do I detect it?"
• "How do I interpret a Rust ASan report?"
• "Can I run Rust sanitizers on stable?"

Workflow

1. Sanitizers in Rust (nightly required)

Rust sanitizers require nightly and a compatible platform:

# Install nightly
rustup toolchain install nightly
rustup component add rust-src --toolchain nightly

# AddressSanitizer (Linux, macOS)
RUSTFLAGS="-Z sanitizer=address" \
    cargo +nightly test -Zbuild-std \
    --target x86_64-unknown-linux-gnu

# ThreadSanitizer (Linux)
RUSTFLAGS="-Z sanitizer=thread" \
    cargo +nightly test -Zbuild-std \
    --target x86_64-unknown-linux-gnu

# MemorySanitizer (Linux, requires all-instrumented build)
RUSTFLAGS="-Z sanitizer=memory -Zsanitizer-memory-track-origins" \
    cargo +nightly test -Zbuild-std \
    --target x86_64-unknown-linux-gnu

# UndefinedBehaviorSanitizer
RUSTFLAGS="-Z sanitizer=undefined" \
    cargo +nightly test -Zbuild-std \
    --target x86_64-unknown-linux-gnu

-Zbuild-std rebuilds the standard library with the sanitizer, which is necessary for accurate results.

2. Stable sanitizer workaround

For stable Rust, use the cross tool with a Docker image that has sanitizers pre-configured, or run cargo test inside a Docker container with a nightly image.

Alternatively, for simpler UB checking without nightly:

# cargo-sanitize (wrapper)
cargo install cargo-sanitize
cargo sanitize address

3. Interpreting ASan output in Rust

==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000050
READ of size 4 at 0x602000000050 thread T0
    #0 0x401234 in myapp::module::function /src/main.rs:15
    #1 0x401567 in myapp::main /src/main.rs:42

0x602000000050 is located 0 bytes after a 40-byte region allocated at:
    #0 0x... in alloc::alloc::alloc ...
    #1 0x... in myapp::create_buffer /src/main.rs:10

Rust-specific patterns: | ASan error | Likely Rust cause | |------------|------------------| | heap-buffer-overflow | unsafe slice access past bounds | | use-after-free | unsafe pointer use after Vec realloc | | stack-use-after-return | Returning reference to local | | heap-use-after-free | Use after drop() or Box::from_raw |

4. Miri — interpreter for undefined behaviour

Miri interprets Rust MIR and detects UB that sanitizers might miss:

# Install Miri (requires nightly)
rustup +nightly component add miri

# Run tests under Miri
cargo +nightly miri test

# Run specific test
cargo +nightly miri test test_name

# Run a binary under Miri
cargo +nightly miri run

# Run with Stacked Borrows model (strict aliasing)
MIRIFLAGS="-Zmiri-strict-provenance" cargo +nightly miri test

# Disable isolation (allow file I/O, randomness)
MIRIFLAGS="-Zmiri-disable-isolation" cargo +nightly miri test

5. What Miri detects

// 1. Dangling pointer use
unsafe {
    let x = Box::new(42);
    let ptr = Box::into_raw(x);
    let _ = Box::from_raw(ptr);  // drop
    let _val = *ptr;  // Miri: use of dangling pointer
}

// 2. Invalid enum discriminant
let x: u8 = 3;
let e = unsafe { std::mem::transmute::<u8, MyEnum>(x) };
// Miri: enum value has invalid tag

// 3. Uninitialized memory read
let uninit: MaybeUninit<u32> = MaybeUninit::uninit();
let val = unsafe { uninit.assume_init() };  // Miri: reading uninitialized bytes

// 4. Stacked borrows violation
let mut x = 5u32;
let ptr = &mut x as *mut u32;
let _ref = &x;  // shared reference
unsafe { *ptr = 10; }  // Miri: mutable access while shared borrow exists

// 5. Data races (with threads)
// Miri simulates sequential execution and detects races via Stacked Borrows

6. ThreadSanitizer for Rust

RUSTFLAGS="-Z sanitizer=thread" \
    RUST_TEST_THREADS=8 \
    cargo +nightly test -Zbuild-std \
    --target x86_64-unknown-linux-gnu 2>&1 | head -50

TSan output:

WARNING: ThreadSanitizer: data race (pid=12345)
  Write of size 4 at 0x7f... by thread T2 (mutexes: write M1):
    #0 myapp::counter::increment src/counter.rs:10
  Previous read of size 4 at 0x7f... by thread T1:
    #0 myapp::counter::get src/counter.rs:5

7. Miri configuration via MIRIFLAGS

| Flag | Effect | |------|--------| | -Zmiri-disable-isolation | Allow I/O, clock, randomness | | -Zmiri-strict-provenance | Strict pointer provenance (stricter than LLVM) | | -Zmiri-symbolic-alignment-check | Stricter alignment checking | | -Zmiri-check-number-validity | Check float/int validity | | -Zmiri-num-cpus=N | Simulate N CPUs (for concurrency) | | -Zmiri-seed=N | Seed for random scheduling | | -Zmiri-ignore-leaks | Suppress memory leak errors | | -Zmiri-tag-raw-pointers | Track raw pointer provenance |

8. CI integration

# GitHub Actions
- name: Miri
  run: |
    rustup toolchain install nightly
    rustup +nightly component add miri
    cargo +nightly miri test
  env:
    MIRIFLAGS: "-Zmiri-disable-isolation"

- name: ASan (nightly)
  run: |
    rustup component add rust-src --toolchain nightly
    RUSTFLAGS="-Z sanitizer=address" \
    cargo +nightly test -Zbuild-std \
    --target x86_64-unknown-linux-gnu

Related skills

• Use skills/rust/rust-debugging for GDB/LLDB debugging of Rust panics
• Use skills/runtimes/sanitizers for C/C++ sanitizer usage and comparison
• Use skills/rust/rust-unsafe for unsafe Rust patterns and review checklist
• Use skills/runtimes/fuzzing to generate inputs that trigger sanitizer errors