[cfe-dev] Implementing a custom analysis in the clang static analyzer

[David Gens]

Hi,

I've been looking for C/C++ static analysis tools lately, particularly  
tools capable of data flow analysis and came by clang.
Poking around the docs and examples - the type state example from the   
slides was nice :-) - I still can't figure out if the following is  
possible:

Say I want to implement a taint analysis for some private helper  
method in a library I want to analyze, i.e. I want to know if a  
certain parameter of this method can be modified somehow by using only  
public API calls. The library is HUGE and the helper method is used in  
various places. But only the cases where the user would be able to  
modify the parameter and also get hold of the returned result are of  
interest. If such a path exists, I want to report it.

What would be the general strategy for implementing an analysis like  
this in clang? Implementing a custom checker do I need to re-compile  
clang in order to run my analysis? Is there something like a client  
API in clang to hand over my implemented analysis to clang and running  
them without re-compilation? In particular extending clang makes  
little sense as this check is really specific to this library.

I apologize if these are stupid questions and I completely missed a  
point somewhere!

Kind regards,
David