z3/.github/skills/memory-safety/SKILL.md

---
name: memory-safety
description: Run AddressSanitizer and UndefinedBehaviorSanitizer on the Z3 test suite to detect memory errors, undefined behavior, and leaks. Logs each finding to z3agent.db.
---

Build Z3 with compiler-based sanitizer instrumentation, execute the test suite, and parse the runtime output for memory safety violations. Supported sanitizers are AddressSanitizer (heap and stack buffer overflows, use-after-free, double-free, memory leaks) and UndefinedBehaviorSanitizer (signed integer overflow, null pointer dereference, misaligned access, shift errors). Findings are deduplicated and stored in z3agent.db for triage and longitudinal tracking.

# Step 1: Configure and build

Action:
    Invoke the script with the desired sanitizer flag. The script calls
    cmake with the appropriate `-fsanitize` flags and builds the `test-z3`
    target. Each sanitizer uses a separate build directory to avoid flag
    conflicts.

Expectation:
    cmake configures successfully and make compiles the instrumented binary.
    If a prior build exists with matching flags, only incremental compilation
    runs.

Result:
    On success: an instrumented `test-z3` binary is ready in the build
    directory. Proceed to Step 2.
    On failure: verify compiler support for the requested sanitizer flags
    and review cmake output.

```bash
python3 scripts/memory_safety.py --sanitizer asan
python3 scripts/memory_safety.py --sanitizer ubsan
python3 scripts/memory_safety.py --sanitizer both
```

To reuse an existing build:
```bash
python3 scripts/memory_safety.py --sanitizer asan --skip-build --build-dir build/sanitizer-asan
```

# Step 2: Run and collect

Action:
    Execute the instrumented test binary with halt_on_error=0 so all
    violations are reported rather than aborting on the first.

Expectation:
    The script parses AddressSanitizer, UndefinedBehaviorSanitizer, and
    LeakSanitizer patterns from combined output, extracts source locations,
    and deduplicates by category/file/line.

Result:
    On `clean`: no violations detected.
    On `findings`: one or more violations found, each printed with severity,
    category, message, and source location.
    On `timeout`: test suite did not finish; increase timeout or investigate.
    On `error`: build or execution failed before sanitizer output.

```bash
python3 scripts/memory_safety.py --sanitizer asan --timeout 900 --debug
```

# Step 3: Interpret results

Action:
    Review printed findings and query z3agent.db for historical comparison.

Expectation:
    Each finding includes severity, category, message, and source location.
    The database query returns prior runs for trend analysis.

Result:
    On `clean`: no action required; proceed.
    On `findings`: triage by severity and category. Compare against prior
    runs to distinguish new regressions from known issues.
    On `timeout`: increase the deadline or investigate a possible infinite
    loop.
    On `error`: inspect build logs before re-running.

Query past runs:
```bash
python3 ../../shared/z3db.py runs --skill memory-safety --last 10
python3 ../../shared/z3db.py query "SELECT category, severity, file, line, message FROM findings WHERE run_id IN (SELECT run_id FROM runs WHERE skill='memory-safety') ORDER BY run_id DESC LIMIT 20"
```

# Parameters

| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| sanitizer | choice | no | asan | which sanitizer to enable: asan, ubsan, or both |
| build-dir | path | no | build/sanitizer-{name} | path to the build directory |
| timeout | int | no | 600 | seconds before killing the test run |
| skip-build | flag | no | off | reuse an existing instrumented build |
| debug | flag | no | off | verbose cmake, make, and test output |
| db | path | no | .z3-agent/z3agent.db | path to the logging database |