Implementing a custom analysis in the clang static analyzer


I've been looking for C/C++ static analysis tools lately, particularly tools capable of data flow analysis and came by clang.
Poking around the docs and examples - the type state example from the slides was nice :) - I still can't figure out if the following is possible:

Say I want to implement a taint analysis for some private helper method in a library I want to analyze, i.e. I want to know if a certain parameter of this method can be modified somehow by using only public API calls. The library is HUGE and the helper method is used in various places. But only the cases where the user would be able to modify the parameter and also get hold of the returned result are of interest. If such a path exists, I want to report it.

What would be the general strategy for implementing an analysis like this in clang? When implementing a custom checker, do I need to re-compile clang in order to run my analysis? Is there something like a client API in clang to hand over my implemented analysis to clang and run it without re-compilation? In particular, extending clang itself makes little sense, as this check is really specific to this library.

Hi David,
I am pretty sure you would want to have a look at which gives a good starting point for the development of clang based tools.