Rust is gaining popularity for its well-known memory safety guarantees and high performance, distinguishing it from C/C++ and JVM-based languages. Its compiler, rustc, enforces these guarantees through specialized mechanisms such as trait solving, borrow checking, and specific optimizations. However, Rust's unique language mechanisms introduce complexity to its compiler, leading to Rust-specific compiler bugs that are less common in traditional compilers. With Rust's increasing adoption in safety-critical domains, understanding these language mechanisms and their impact on compiler bugs is essential for improving the reliability of both rustc and Rust programs. Yet, we still lack a large-scale, detailed, and in-depth study of Rust-specific bugs in rustc. To bridge this gap, this work conducts a comprehensive and systematic study of Rust-specific bugs in rustc, with a particular focus on the components that support its unique language features. Our analysis examines issues and fixes reported between 2022 and 2024, with a manual review of 301 valid issues. We categorize these bugs based on their causes, symptoms, affected compilation stages, and test case characteristics. Additionall
Rust is gaining popularity for its well-known memory safety guarantees and high performance, distinguishing it from C/C++ and JVM-based languages. Its compiler, rustc, enforces these guarantees through specialized mechanisms such as trait solving, borrow checking, and specific optimizations. However, Rust's unique language mechanisms introduce complexity to its compiler, resulting in bugs that are uncommon in traditional compilers. With Rust's increasing adoption in safety-critical domains, understanding these language mechanisms and their impact on compiler bugs is essential for improving the reliability of both rustc and Rust programs. Such understanding could provide the foundation for developing more effective testing strategies tailored to rustc. Improving the quality of rustc testing is essential for enhancing compiler reliability, which in turn strengthens the safety and correctness of all Rust programs, as compiler bugs can silently propagate into every compiled program. Yet, we still lack a large-scale, detailed, and in-depth study of rustc bugs. To bridge this gap, this work presents a comprehensive and systematic study of rustc bugs, specifically those originating in semantic analysis and intermediate representation (IR) processing, which are stages that implement essential Rust language features such as ownership and lifetimes. Our analysis examines issues and fixes reported between 2022 and 2024, with a manual review of 301 valid issues. We categorize these bugs based on their causes, symptoms, affected compilation stages, and test case characteristics. Additionally, we evaluate existing rustc testing tools to assess their effectiveness and limitations. 
Our key findings include: (1) rustc bugs primarily arise from Rust's type system and lifetime model, with frequent errors in the High-Level Intermediate Representation (HIR) and Mid-Level Intermediate Representation (MIR) modules due to complex checkers and optimizations; (2) bug-revealing test cases often involve unstable features, advanced trait usages, lifetime annotations, standard APIs, and specific optimization levels; (3) while both valid and invalid programs can trigger bugs, existing testing tools struggle to detect non-crash errors, underscoring the need for further advancements in rustc testing.
Maintaining consistency between source code and its associated comments is essential for software reliability, maintainability, and user experience, particularly in the Rust programming ecosystem where comments serve as both developer guidance and an authoritative API contract. However, existing automated inconsistency detection approaches are largely tailored for object-oriented languages and fall short of addressing Rust’s unique features, such as explicit panic semantics, trait-based abstraction, and idiomatic use of option and finiteness constraints. In this paper, we introduce RustC 4 ++ , a novel hybrid framework that integrates large language model (LLM)-driven constraint extraction, static program analysis, and SMT-based bidirectional verification to detect and diagnose code-comment inconsistencies in Rust. RustC 4 ++ extends previous solutions by supporting a richer taxonomy of constraints, including interval, boundary, existence, option, and finiteness constraints, and pioneers a systematic method for propagating comment constraints across trait and implementation boundaries. Leveraging chain-of-thought prompt engineering, RustC 4 ++ robustly interprets natural language comments, maps them to formal specifications, and checks their alignment with code logic through precise static analysis and formal reasoning. We conduct extensive experiments on 17 diverse, real-world Rust projects, demonstrating that RustC 4 ++ substantially outperforms prior tools in both precision and recall, and is capable of uncovering subtle, actionable inconsistencies that have led to confirmed fixes in upstream repositories. By elevating comments to enforceable, verifiable contracts, RustC 4 ++ not only enhances code quality and comment reliability in the Rust ecosystem, but also offers generalizable techniques and insights for automated code comment analysis in other modern programming languages.
This is the artifact for the paper "Rust's Type Checker is Unsound: An Empirical Study on Soundness Bugs in rustc" submitted to ISSTA'26. In the paper, we study 30 soundness issues collected from the rustc GitHub issue tracker, each representing a case where a developer reported that the compiler accepted code that should not pass type checking. We analyze each issue in depth to characterize the following: the affected feature, the symptom (i.e., how the feature is erroneously handled), the consequence (i.e., the specific undesirable behavior enabled by the issue), the features that trigger the issue, the consensus of the community regarding whether it is indeed a bug, and the lifecycle of the issue, encompassing its introduction, discovery, and fix. We collected rustc's soundness issues reported between January 1, 2022, and September 1, 2025, focusing on issues pertinent to recent compiler releases. We initially collected issues related to type checking by utilizing the area labels (prefixed with "A-"), which indicate the issue-relevant compiler area, component, or language feature. This automatic crawling yielded 969 issues. We then refined the dataset using two label-based criteria: we kept only issues marked with either C-bug or I-unsound (signifying a bug report or a type-soundness issue), and we filtered out issues marked with labels indicating irrelevance to soundness. This filtering left 320 issues. Finally, we manually investigated each remaining issue (and removed duplicates) to determine whether it is a soundness issue, identifying 23 soundness issues. After the collection, we compared our dataset with that of Liu et al. [1]. Among the 18 issues unique to the previous study, we found that 7 satisfy our manual inspection criteria. Therefore, we complemented our dataset with these 7 issues, resulting in the final dataset of 30 issues. 
The artifact contains: the three issue datasets (crawled, label-filtered, and manually identified), the Python script that performs the crawling and the label-based filtering, the analysis sheets that answer the paper's research questions (RQ1–RQ4), and the Python script that generates Figure 1 (the issue-lifecycle figure) of the paper. [1] Zixi Liu, Yang Feng, Yunbo Ni, Shaohua Li, Xizhe Yin, Qingkai Shi, Baowen Xu, and Zhendong Su. 2025. An Empirical Study of Bugs in the rustc Compiler. Proc. ACM Program. Lang 9, OOPSLA2 (Oct. 2025). doi:10.1145/3763800
This is the artifact for the paper "Rust's Type Checker Implementation is Unsound: An Empirical Study on Soundness Bugs in rustc" submitted to ISSTA'26. In the paper, we study 30 soundness issues collected from the rustc GitHub issue tracker, each representing a case where a developer reported that the compiler accepted code that should not pass type checking. We analyze each issue in depth to characterize the following: the affected feature, the symptom (i.e., how the feature is erroneously handled), the consequence (i.e., the specific undesirable behavior enabled by the issue), the features that trigger the issue, the consensus of the community regarding whether it is indeed a bug, and the lifecycle of the issue, encompassing its introduction, discovery, and fix. We collected rustc's soundness issues reported between January 1, 2022, and September 1, 2025, focusing on issues pertinent to recent compiler releases. We initially collected issues related to type checking by utilizing the area labels (prefixed with "A-"), which indicate the issue-relevant compiler area, component, or language feature. This automatic crawling yielded 969 issues. We then refined the dataset using two label-based criteria: we kept only issues marked with either C-bug or I-unsound (signifying a bug report or a type-soundness issue), and we filtered out issues marked with labels indicating irrelevance to soundness. This filtering left 320 issues. Finally, we manually investigated each remaining issue (and removed duplicates) to determine whether it is a soundness issue, identifying 23 soundness issues. After the collection, we compared our dataset with that of Liu et al. [1]. Among the 18 issues unique to the previous study, we found that 7 satisfy our manual inspection criteria. Therefore, we complemented our dataset with these 7 issues, resulting in the final dataset of 30 issues. 
The artifact contains: the three issue datasets (crawled, label-filtered, and manually identified), the Python script that performs the crawling and the label-based filtering, the analysis sheets that answer the paper's research questions (RQ1–RQ4), and the Python script that generates Figure 1 (the issue-lifecycle figure) of the paper. [1] Zixi Liu, Yang Feng, Yunbo Ni, Shaohua Li, Xizhe Yin, Qingkai Shi, Baowen Xu, and Zhendong Su. 2025. An Empirical Study of Bugs in the rustc Compiler. Proc. ACM Program. Lang 9, OOPSLA2 (Oct. 2025). doi:10.1145/3763800
This artifact supports the paper "Can Existing Compiler Auto-tuning Experience Transfer to Rust? An Empirical Study." It contains the summarized data, figures, and experiment scripts used in the paper. The artifact is organized for inspecting the main results and rerunning selected experiments. The associated anonymous GitHub repository is available at: https://github.com/ICSE2027/rustc-autotuning-study
This paper explores the architecture of the Rust compiler's (rustc) frontend, focusing on the crucial role of intermediate representations (IRs) of source code in the compilation process. Phases from lexical analysis and parsing to the generation of the Abstract Syntax Tree (AST), through the High-Level Intermediate Representation (HIR), Typed HIR (THIR), to the Mid-Level Intermediate Representation (MIR) are analyzed. The paper explains how each of these representations enables key features of the Rust language, including type checking, error diagnostics, incremental compilation, borrow checking, and preparation for further optimization and code generation in LLVM. The aim is to demonstrate how generation of compiler infrastructure contributes to Rust's guarantees of memory safety and high performance.
Compiler optimization is a critical component for improving program performance. However, the Rustc optimization process may introduce vulnerabilities due to algorithmic flaws or issues arising from component interactions. Existing testing methods face several challenges, including high randomness in test cases, inadequate targeting of vulnerability-prone regions, and low-quality initial fuzzing seeds. This paper proposes a test case generation method based on large language models (LLMs), which utilizes prompt templates and optimization algorithms to generate code relevant to specific optimization passes, especially for real-time control logic and safety-critical modules unique to the industrial control field. A vulnerability screening approach based on static analysis and rule matching is designed to locate potential risk points in the optimization regions of both the MIR and LLVM IR layers, as well as in unsafe code sections. Furthermore, the targeted fuzzing strategy is enhanced by designing seed queues and selection algorithms that consider the correlation between optimization areas. The implemented system, RustOptFuzz, has been evaluated on both custom datasets and real-world programs. Compared with state-of-the-art tools, RustOptFuzz improves vulnerability discovery capabilities by 16%–50% and significantly reduces vulnerability reproduction time, thereby enhancing the overall efficiency of detecting optimization-related vulnerabilities in Rustc, providing key technical support for the reliability of industrial control systems.
Rust is a popular programming language with strong memory-safety guarantees, achieved through its ownership and borrowing model. Rust allows a programmer to escape memory safety using explicitly marked unsafe code in order to facilitate integration with existing C/C++ code. Such safe code is not immune to typical memory errors. To avoid such bugs researchers try to provide both static and dynamic analysis tools and incorporate C/C++ hardening techniques for unsafe Rust. However, such analysis is not always trivial as Rust uses multiple intermediate representations (IR), and when lowering a higher level IR to a lower level IR, all information that marks a specific block of code as unsafe is lost. Since the two worlds of Rust, safe and unsafe, are built on different assumptions many analysis tools and techniques can benefit from knowing where the safe context changes to unsafe and vice-versa.
Vectorization is a compiler optimization that replaces multiple operations on scalar values with a single operation on vector values. Although common in traditional compilers such as rustc, clang, and gcc, vectorization is not common in the Verilog ecosystem. This happens because, even though Verilog supports vector notation, the language provides no semantic guarantee that a vectorized signal behaves as a word-level entity: synthesis tools still resolve multiple individual assignments and a single vector assignment into the same set of parallel wire connections. However, vectorization brings important benefits in other domains. In particular, it reduces symbolic complexity even when the underlying hardware remains unchanged. Formal verification tools such as Cadence Jasper operate at the symbolic level: they reason about Boolean functions, state transitions, and equivalence classes, rather than about individual wires or gates. When these tools can treat a bus as a single symbolic entity, they scale more efficiently. This paper supports this observation by introducing a Verilog vectorizer. The vectorizer, built on top of the CIRCT compilation infrastructure, recognizes several vec
In modern SSDLC, program analysis and automated testing are essential for minimizing vulnerabilities before software release, with fuzzing being a fast and widely used dynamic testing method. However, traditional coverage-guided fuzzing may be less effective in specific tasks like verifying static analysis reports or reproducing crashes, while directed fuzzing, focusing on targeted program locations using proximity metrics, proves to be more effective. Some of the earliest directed fuzzers are, for example, AFLGo and BEACON, which use different proximity metric approaches. Although most automated testing tools focus on C/C++ code, the growing popularity of Rust and Go causes the need for precise and efficient testing solutions for these languages. This work expands the applicability of directed fuzzing beyond traditional analysis of C/C++ software. We present a novel approach to directed greybox fuzzing tailored specifically for Rust and Go applications. We introduce advanced preprocessing techniques, rustc compiler customizations, and elaborate graph construction and instrumentation methods to enable effective targeting of specific program locations. Our implemented fuzzing tools,
Ensuring the reliability of the Rust compiler is of paramount importance, given increasing adoption of Rust for critical systems development, due to its emphasis on memory and thread safety. However, generating valid test programs for the Rust compiler poses significant challenges, given Rust's complex syntax and strict requirements. With the growing popularity of large language models (LLMs), much research in software testing has explored using LLMs to generate test cases. Still, directly using LLMs to generate Rust programs often results in a large number of invalid test cases. Existing studies have indicated that test cases triggering historical compiler bugs can assist in software testing. Our investigation into Rust compiler bug issues supports this observation. Inspired by existing work and our empirical research, we introduce a bracket-based masking and filling strategy called clozeMask. The clozeMask strategy involves extracting test code from historical issue reports, identifying and masking code snippets with specific structures, and using an LLM to fill in the masked portions for synthesizing new test programs. This approach harnesses the generative capabilities of LLMs
Coverage-guided kernel fuzzers such as syzkaller rely on edge coverage (trace-pc) as their sole feedback signal. This context-blind approach cannot distinguish execution paths that differ only in argument values -- for example, two invocations of copy_from_user() with different size parameters hit identical basic blocks yet have vastly different security implications. I present TOOLNAME, an LLVM-based instrumentation framework that extends Linux KCOV with data-flow extraction of function arguments and return values. A compiler pass emits lightweight callbacks capturing structured tuples of program counter, argument metadata, and field values at function entry and return. Composite types are automatically decomposed via DWARF DICompositeType metadata with zero source annotation. A lock-free per-task ring buffer delivers records to user space with no interference to existing KCOV or syzkaller infrastructure. I demonstrate dual utility: (1) fuzzers gain state-aware feedback for mutation guidance into value-dependent state transitions, and (2) security analysts obtain deterministic argument records for root-cause analysis without printk or kprobe overhead. Two Rust instrumentation path
Rust is a modern systems programming language that ensures memory safety through unique mechanisms, including ownership, borrowing, and lifetime annotations. These features prevent critical vulnerabilities but also impose strict constraints that many developers find difficult to understand. To mitigate this challenge, the Rust compiler, rustc, provides rich diagnostics and fix suggestions. However, recent studies reveal that diagnostic issues account for about 20% of all reported rustc bugs. Our analysis of rustc's suggestion bugs fixed over the past three years shows that most of them originated from errors in Rust-specific core modules, such as the type checker and borrow checker, rather than from simple mistakes in the general diagnostic logic, like suggesting an incorrect variable name or mismatched parentheses. The impact of diagnostic issues, especially bugs in rustc's fix suggestion, should not be underestimated, as they can mislead developers and reduce rustc's usability, and in severe cases may even lead to rustc crashes. Existing testing tools, however, provide little support for systematically evaluating the correctness and reliability of these suggestions. To address this gap, in this paper, we present SugBreaker, an automated testing framework specifically designed to validate rustc's suggestions. We propose a constraint-violation-guided mutation approach that injects type-related, borrow-related, and lifetime-related errors into valid Rust programs to trigger compiler diagnostics and iteratively verify the correctness of suggested fixes. SugBreaker has already detected 12 bugs, and 11 of them have been confirmed or fixed; all of them are triggered by different rustc error messages. Compared with a series of rustc testing baseline tools, SugBreaker achieves broader coverage of rustc's core checking modules and a higher suggestion trigger rate, which further confirms the effectiveness and efficiency of SugBreaker for testing rustc's fix suggestions.
The Rust programming language has garnered significant attention due to its robust safety features and memory management capabilities. Despite its guaranteed memory safety, Rust programs suffer from runtime errors that are unmanageable, i.e., panic errors. Notably, traditional memory issues such as null pointer dereferences, which are prevalent in other languages, are less likely to be triggered in Rust due to its strict ownership rules. However, the unique nature of Rust's panic bugs, which arise from the language's stringent safety and ownership paradigms, presents a distinct challenge. Over half of the bugs in rustc, Rust's own compiler, are attributable to crashes stemming from panic errors. However, addressing Rust panic bugs is challenging and requires significant effort, as existing fix patterns are not directly applicable due to the design and features of the Rust language. Therefore, developing foundational infrastructure, including datasets, fixing patterns, and automated repair tools, is both critical and urgent. This paper introduces a comprehensive infrastructure, namely PanicFI, aimed at providing support for understanding Rust panic bugs and developing automated techniques.