BorrowSanitizer
| Metadata | |
|---|---|
| Point of contact | Ian McCormack |
| Status | Proposed |
| Tracking issue | |
| Zulip channel | N/A |
| compiler champion | Ralf Jung |
| opsem champion | Ralf Jung |
| lang champion | Tyler Mandry |
| Teams | compiler, infra, lang, opsem |
| Task owners | (none) |
Summary
We are building BorrowSanitizer: an LLVM-based instrumentation tool for finding violations of Rust’s aliasing model. In 2026, we want to make it feature-complete and useful in practice.
Motivation
The status quo
Developers rely on Miri to validate their programs against Rust’s latest Tree Borrows aliasing model. However, Miri cannot find these Rust-specific aliasing bugs when they are caused by foreign function calls. Miri is also several orders of magnitude slower than native execution. As Rust is increasingly being used in security-critical C and C++ applications, like Android and Chromium, developers will need a method for finding aliasing errors that can scale across language boundaries.
What we propose to do about it
We are developing BorrowSanitizer to fix this tooling gap. Much like AddressSanitizer, MemorySanitizer, and other LLVM-based tools, BorrowSanitizer inserts checks during compilation to detect errors at run-time. Its purpose is to find violations of Rust’s newest Tree Borrows aliasing model, as well as out-of-bounds accesses and use-after-free errors.
BorrowSanitizer relies on changes to the Rust compiler, an LLVM instrumentation pass, and a runtime library. We modified the compiler to emit special “retag” intrinsics that indicate when references are created and updated. Our LLVM pass lowers these intrinsics into runtime calls that associate each pointer with “provenance” metadata (see [RFC #3559](https://rust-lang.github.io/rfcs/3559-rust-has-provenance.html)). We validate provenance before memory accesses to detect undefined behavior.
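The following is an added illustration, not BorrowSanitizer's code: a simplified model of a runtime that attaches provenance to pointers at each retag and validates it before a write. The names `Runtime`, `Prov`, `retag` and `check_write` are hypothetical, and the model assumes tags are tracked per allocation and that every reference is mutable, so it omits the read-only states and protectors of the full Tree Borrows model.

```rust
#[derive(Debug, PartialEq)]
pub enum Violation { OutOfBounds, UseAfterFree, Aliasing }

/// Provenance attached to a pointer: its allocation and its borrow tag.
#[derive(Clone, Copy)]
pub struct Prov { alloc: usize, tag: usize }
struct Alloc { size: usize, freed: bool }
struct Tag { alloc: usize, parent: Option<usize>, disabled: bool }

#[derive(Default)]
pub struct Runtime { allocs: Vec<Alloc>, tags: Vec<Tag> }

impl Runtime {
    fn new_tag(&mut self, alloc: usize, parent: Option<usize>) -> Prov {
        self.tags.push(Tag { alloc, parent, disabled: false });
        Prov { alloc, tag: self.tags.len() - 1 }
    }
    pub fn alloc(&mut self, size: usize) -> Prov {
        self.allocs.push(Alloc { size, freed: false });
        self.new_tag(self.allocs.len() - 1, None)
    }
    /// Stand-in for a lowered retag: a reborrow receives a fresh child tag.
    pub fn retag(&mut self, from: Prov) -> Prov { self.new_tag(from.alloc, Some(from.tag)) }
    pub fn free(&mut self, p: Prov) { self.allocs[p.alloc].freed = true; }
    /// Check run before a write of `len` bytes at `offset` through `p`.
    pub fn check_write(&mut self, p: Prov, offset: usize, len: usize) -> Result<(), Violation> {
        let a = &self.allocs[p.alloc];
        if a.freed { return Err(Violation::UseAfterFree); }
        if offset.checked_add(len).map_or(true, |end| end > a.size) { return Err(Violation::OutOfBounds); }
        // The accessed tag and all of its ancestors must still be usable.
        let (mut chain, mut cur) = (vec![], Some(p.tag));
        while let Some(t) = cur { chain.push(t); cur = self.tags[t].parent; }
        if chain.iter().any(|&t| self.tags[t].disabled) { return Err(Violation::Aliasing); }
        // For every other tag of this allocation the write is foreign: disable it.
        for (i, t) in self.tags.iter_mut().enumerate() {
            if t.alloc == p.alloc && !chain.contains(&i) { t.disabled = true; }
        }
        Ok(())
    }
}

fn main() {
    let mut rt = Runtime::default();
    let x = rt.alloc(4);                       // models: let mut x = 0u32;
    let r = rt.retag(x);                       // models: let r = &mut x;
    rt.check_write(x, 0, 4).unwrap();          // models: a write to x that bypasses r
    println!("{:?}", rt.check_write(r, 0, 4)); // models: *r = 2;
}
```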
Our primary goal is for BorrowSanitizer to be useful in practice. This will require broad support for Rust, C, and C++ language features. We want to achieve better performance than Miri while fully supporting the different features of Tree Borrows.
Work items over the next year
Throughout 2026, we will complete the remaining features needed for BorrowSanitizer to have parity with Miri for detecting aliasing violations. We will finish contributing the retag intrinsics described in our previous project goal and evaluate when and how the rest of BorrowSanitizer should be integrated with the compiler.
One topic for discussion is whether BorrowSanitizer itself should live in a subtree of rust-lang/rust, in a new GitHub repo under rust-lang, or as an independent project.
| Task | Owner(s) | Notes |
|---|---|---|
| Complete MCP and implementation for retag intrinsics | Ian McCormack | |
| Feature-parity with Miri | Ian McCormack, BorSan Team | Garbage collection, error reporting, atomics, interception, and more! |
| Automated Evaluation | Ian McCormack, BorSan Team | Self-hosted crater instance, benchmarking. |
| Full compiler integration | Ian McCormack | Have the runtime, instrumentation pass, and other components available upstream in nightly. |
BorrowSanitizer is open source and available on GitHub, and we welcome any contributions. We will post monthly status updates on our website throughout 2026. We are available at any point for Q&A on Zulip. Ian McCormack will be the primary point of contact for the BorrowSanitizer Team.
Team asks
| Team | Support level | Notes |
|---|---|---|
| compiler | Medium | Champion: Ralf Jung. Design discussions, PR review, and upstream integration. |
| opsem | Medium | Champion: Ralf Jung. |
| lang | Vibes | Champion: Tyler Mandry. General support and guidance. |
| infra | Small | Upstream integration. |