Static analysis on TCP/IP stack


I hope this is the right mailing list to ask some questions related to LLVM. I am new to LLVM and I decided to use LLVM to conduct static analysis of the Linux kernel (mostly the TCP/IP stack). One thing is whether LLVM supports static taint analysis. Could you please give me some examples if you have any, or do I have to implement it myself? If so, are any suggestions available?

My requirement is to do some model checking and pattern checking on the Linux source code, and static taint analysis might solve it. Thanks


To the best of my knowledge, there is no static information flow analysis for LLVM IR. There might be a taint analysis for Clang ASTs, but someone else will need to comment on that. For LLVM IR, you’ll need to write your own. Taint analysis through SSA values should be relatively straightforward to implement; the in-memory LLVM IR provides iterators that allow you to iterate through all uses of a value. Taint analysis through values stored in memory (e.g., loads, stores) will require alias analysis or points-to analysis. For that, you might try Type-Based Alias Analysis (TBAA) or DSA. TBAA is included with LLVM. DSA is in a sub-project; an updated version can be found at .

Regards,
John Criswell
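The reply makes two points: taint follows SSA def-use chains almost for free, while taint that passes through memory needs an alias or points-to oracle. The following is an added, self-contained C++ illustration of both (it is not LLVM code and uses no LLVM headers): the toy SSA IR, the opcode names such as `call_recv` and `call_memcpy`, the seed/sink sets and the two alias oracles are all constructed here. The same propagation is run once with a trivial identity oracle, which misses the store/load path, and once with an oracle that follows `bitcast` back to its base pointer, which catches it.

```cpp
// Toy forward taint propagation over an SSA-style IR, following the
// use-chain approach from the reply above. Constructed example: no LLVM
// headers; the IR, the source/sink opcode names and the alias oracles are
// all assumptions made up here.
#include <functional>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// One SSA instruction: result name (empty when it produces no value, e.g. a
// store), an opcode and the names of its operand values.
struct Inst {
    std::string result;
    std::string opcode;
    std::vector<std::string> operands;
};
using Function = std::vector<Inst>;

// May-alias oracle: true when pointers a and b may refer to the same memory.
// This is the hook where a real alias/points-to analysis (TBAA, DSA) plugs in.
using AliasOracle = std::function<bool(const std::string&, const std::string&)>;

// Weakest oracle: only the identical SSA pointer value aliases itself.
inline bool identityAlias(const std::string& a, const std::string& b) { return a == b; }

// Constructed oracle: follows "bitcast" results back to the pointer they were
// derived from and treats pointers with the same base as may-alias.
AliasOracle makeDerivedPointerOracle(const Function& fn) {
    std::map<std::string, std::string> base;
    for (const Inst& i : fn)
        if (i.opcode == "bitcast") base[i.result] = i.operands[0];
    auto root = [base](std::string p) {
        while (base.count(p)) p = base.at(p);
        return p;
    };
    return [root](const std::string& a, const std::string& b) { return root(a) == root(b); };
}

// Returns the set of tainted SSA value names. Results of instructions whose
// opcode is in `sources` are the seeds. Taint flows along def-use chains to
// every instruction consuming a tainted operand; through memory it flows from
// "store v, p" to "load q" only when the oracle says p and q may alias.
std::set<std::string> propagateTaint(const Function& fn,
                                     const std::set<std::string>& sources,
                                     const AliasOracle& mayAlias) {
    std::set<std::string> tainted;
    std::set<std::string> taintedPtrs;  // pointers that received a tainted store
    for (const Inst& i : fn)
        if (!i.result.empty() && sources.count(i.opcode)) tainted.insert(i.result);

    // Iterate to a fixed point (a worklist over use lists is the efficient form).
    bool changed = true;
    while (changed) {
        changed = false;
        for (const Inst& i : fn) {
            if (i.opcode == "store") {  // operands: value, pointer
                if (tainted.count(i.operands[0]) && taintedPtrs.insert(i.operands[1]).second)
                    changed = true;
                continue;
            }
            if (i.result.empty() || tainted.count(i.result)) continue;
            bool t = false;
            if (i.opcode == "load") {   // operand: pointer
                for (const std::string& p : taintedPtrs)
                    if (mayAlias(p, i.operands[0])) t = true;
            } else {                    // pure SSA data flow
                for (const std::string& o : i.operands)
                    if (tainted.count(o)) t = true;
            }
            if (t) { tainted.insert(i.result); changed = true; }
        }
    }
    return tainted;
}

// Lists "opcode:operand" for every sink call that receives a tainted value.
std::vector<std::string> taintedSinkArgs(const Function& fn,
                                         const std::set<std::string>& tainted,
                                         const std::set<std::string>& sinks) {
    std::vector<std::string> hits;
    for (const Inst& i : fn)
        if (sinks.count(i.opcode))
            for (const std::string& o : i.operands)
                if (tainted.count(o)) hits.push_back(i.opcode + ":" + o);
    return hits;
}

// Constructed sample: a length read from the network flows through an add,
// is stored to memory, read back through a bitcast alias and passed to memcpy.
const Function kSample = {
    {"%len",  "call_recv",   {"%sock"}},                // source
    {"%len2", "add",         {"%len", "%four"}},        // SSA use of %len
    {"%p",    "alloca",      {}},
    {"",      "store",       {"%len2", "%p"}},          // taint enters memory
    {"%q",    "bitcast",     {"%p"}},                   // %q aliases %p
    {"%l",    "load",        {"%q"}},                   // read through the alias
    {"",      "call_memcpy", {"%dst", "%src", "%l"}},   // sink: length argument
};
const std::set<std::string> kSources = {"call_recv"};
const std::set<std::string> kSinks   = {"call_memcpy"};

int main() {
    auto weak   = propagateTaint(kSample, kSources, identityAlias);
    auto strong = propagateTaint(kSample, kSources, makeDerivedPointerOracle(kSample));
    std::cout << "identity oracle: " << taintedSinkArgs(kSample, weak, kSinks).size()
              << " tainted sink args\n";   // 0: the flow through memory is missed
    std::cout << "derived-pointer oracle: " << taintedSinkArgs(kSample, strong, kSinks).size()
              << " tainted sink args\n";   // 1: call_memcpy:%l
    return 0;
}
```

The SSA half of the analysis never changes between the two runs; only the `load` rule consults the oracle, which is exactly the seam where the reply says TBAA or DSA would be needed on real LLVM IR.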