Yuga: Automatically Detecting Lifetime Annotation Bugs in the Rust Language

Published: 2023-10-12
Venue: IEEE Transactions on Software Engineering
Citations: 4 (influential: 0)
AI Summary
Rust's borrow checker rejects unsafe lifetime annotations only during type checking, leaving potential memory-safety vulnerabilities undetected earlier in the compilation pipeline. Method: We present the first static analyzer specifically designed to detect erroneous lifetime annotations as memory-safety defects. We formally model incorrect lifetime annotations as sources of memory unsafety and propose a multi-stage static analysis framework. It integrates lightweight syntactic pattern matching with flow-sensitive, field-sensitive alias analysis, all grounded in precise context modeling derived from Rust's abstract syntax tree. Contribution/Results: Evaluated on a novel, manually curated dataset of real-world lifetime-related bugs, our tool achieves high precision (>92%) and recall (>87%). To foster reproducibility and further research, both the implementation and the benchmark dataset are publicly released as open-source resources.
๐Ÿ“ Abstract
The Rust programming language is becoming increasingly popular among systems programmers due to its efficient performance and robust memory safety guarantees. Rust employs an ownership model to ensure these guarantees by allowing each value to be owned by only one identifier at a time. It uses the concept of borrowing and lifetimes to enable other variables to temporarily borrow values. Despite its benefits, security vulnerabilities have been reported in Rust projects, often attributed to the use of "unsafe" Rust code. These vulnerabilities, in part, arise from incorrect lifetime annotations on function signatures. However, existing tools fail to detect these bugs, primarily because such bugs are rare, challenging to detect through dynamic analysis, and require explicit memory models. To overcome these limitations, we characterize incorrect lifetime annotations as a source of memory safety bugs and leverage this understanding to devise a novel static analysis tool, Yuga, to detect potential lifetime annotation bugs. Yuga uses a multi-phase analysis approach, starting with a quick pattern-matching algorithm to identify potential buggy components and then conducting a flow and field-sensitive alias analysis to confirm the bugs. We also curate new datasets of lifetime annotation bugs. Yuga successfully detects bugs with good precision on these datasets, and we make the code and datasets publicly available.
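As an added illustration (my own constructed code, not from the paper or the Yuga project), here is the kind of lifetime-annotation defect the abstract describes: an accessor whose returned reference is given a lifetime that the signature never ties to the borrow of `self`, with `unsafe` code in the body, so the annotation is the only thing standing between a caller and a use-after-free. The `Holder` type, its methods, and the `'out` lifetime name are assumptions made for this example; the fixed accessor beside the buggy one carries the annotation the borrow checker can actually enforce.

```rust
/// Constructed example: a heap value owned through a raw pointer, so that the
/// lifetime of references handed out must be written by hand rather than
/// inferred from a safe field type.
pub struct Holder {
    ptr: *mut u64,
}

impl Holder {
    pub fn new(value: u64) -> Self {
        Holder { ptr: Box::into_raw(Box::new(value)) }
    }

    /// BUGGY annotation: the result gets the free lifetime `'out`, which the
    /// signature never relates to `'s`, the borrow of `self`. Dereferencing a
    /// raw pointer yields a place with an unbounded lifetime, so the body
    /// type-checks, and the borrow checker lets a caller pick `'out = 'static`
    /// and keep the reference after the Holder has been dropped.
    pub fn get_buggy<'s, 'out>(&'s self) -> &'out u64 {
        // The usual SAFETY argument ("self owns ptr, so it is valid") only
        // covers 's; nothing in the signature ties 'out to it.
        unsafe { &*self.ptr }
    }

    /// FIXED annotation: with the elided lifetime the result is bound to the
    /// borrow of `self`, so the compiler rejects any use that outlives it.
    pub fn get(&self) -> &u64 {
        // SAFETY: ptr came from Box::into_raw in `new` and is freed only in
        // Drop, so it stays valid for the whole borrow of self.
        unsafe { &*self.ptr }
    }
}

impl Drop for Holder {
    fn drop(&mut self) {
        // SAFETY: ptr was produced by Box::into_raw and is reclaimed exactly once.
        drop(unsafe { Box::from_raw(self.ptr) });
    }
}

/// Compiles only because of the unconstrained lifetime on `get_buggy`: the
/// caller names `'static` and the checker accepts it. The same body written
/// against `get` does not compile, which is exactly what the correct
/// annotation buys.
pub fn escapes_to_static(h: &Holder) -> &'static u64 {
    h.get_buggy()
}

// What the buggy signature makes the compiler accept (deliberately not
// executed here, since it would read freed memory):
//
//     let dangling: &'static u64 = { let h = Holder::new(7); h.get_buggy() };
//     println!("{dangling}");

/// Sound use of both accessors while the Holder is alive. No dangling
/// reference is created; the hazard is only that `get_buggy` would permit one.
pub fn read_while_alive(value: u64) -> (u64, u64) {
    let h = Holder::new(value);
    let via_fixed = *h.get();
    let via_buggy = *escapes_to_static(&h);
    (via_fixed, via_buggy)
}

fn main() {
    let (fixed, buggy) = read_while_alive(42);
    println!("fixed accessor: {fixed}, buggy accessor used while alive: {buggy}");
}
```

The syntactic signal a first, pattern-matching phase could key on here (my reading of the abstract, not a description of Yuga's actual rules) is a function that returns a reference whose lifetime is constrained by none of its input lifetimes and whose body contains an `unsafe` block; whether the returned pointer really derives from `self` is what a flow- and field-sensitive alias analysis would then have to confirm.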
Problem

Research questions and friction points this paper is trying to address.

Rust
Lifetime Annotation Errors
Memory Safety
Innovation

Methods, ideas, or system contributions that make the work stand out.

Yuga
multi-phase analysis approach
lifetime annotation bugs