
Realtime Function Static Analysis

Using a four-pass system, call graph information (virtual method dispatch included) is extracted from C/C++ programs compiled to LLVM IR. This information is used in conjunction with external whitelist files to find calls to blacklisted or graylisted functions which could result in realtime-unsafe behavior.


Requirements

  • A recent LLVM (3.3+)

  • A version of clang which dumps valid LLVM IR files

  • c++filt for demangling

  • ruby for doing the actual deduction logic

  • graphviz gem for callgraph graph rendering

How To Build

git clone && cd stoat
mkdir build && cd build
cmake .. && make && make test
make install #or just run in place

How To Use

  1. Compile all files of a given project using the -emit-llvm option

  2. Annotate a function with __attribute__((annotate("realtime")))

  3. Run stoat on the resulting LLVM IR files using the --recursive option

  4. View the contradictions and either update your code or update a whitelist

  5. ???

  6. Profit

For a more explicit guide please see the tutorial at

General LLVM Interacting Design

  • Pass 1

    • Dump CallGraph information including stubs for virtual calls

  • Pass 2

    • Dump inline annotations on functions/methods for safety

  • Pass 3

    • Extract the class hierarchy using typecast information preserved within class constructors

  • Pass 4

    • Dump vtables, which can be combined with the call graph from Pass 1 and the hierarchy from Pass 3
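
The deduction step that consumes the output of the four passes can be sketched as follows. This is an added example, not stoat's own code: the data layout, every function name, and the list contents are constructed assumptions, and it only covers blacklist and whitelist handling. It expands virtual call stubs to their overrides, walks the call graph from each realtime-annotated function, and reports the call path to every blacklisted function it reaches.

```ruby
require 'set'

# Constructed sample data standing in for what the four passes dump.
# All function names and the data layout are assumptions for illustration.
CALLGRAPH = {
  'audio_callback'  => ['Effect::process', 'mix'],
  'mix'             => ['memcpy'],
  'Reverb::process' => ['resize_buffer'],
  'Delay::process'  => ['mix'],
  'resize_buffer'   => ['malloc'],
  'load_preset'     => ['fopen', 'malloc'] # not annotated realtime
}.freeze
# Virtual call stubs (Pass 1) mapped to the overrides recovered from the
# class hierarchy and vtables (Passes 3 and 4).
VIRTUAL_TARGETS = { 'Effect::process' => ['Reverb::process', 'Delay::process'] }.freeze
REALTIME  = ['audio_callback'].freeze # Pass 2 annotations
WHITELIST = Set['memcpy'].freeze
BLACKLIST = Set['malloc', 'fopen', 'pthread_mutex_lock'].freeze

# Direct callees of fn, with virtual stubs expanded to every override.
def callees(fn, graph, virtuals)
  graph.fetch(fn, []).flat_map { |c| virtuals.fetch(c, [c]) }
end

# Breadth-first walk from each realtime root. Returns one shortest call path
# per (root, blacklisted function) pair. Whitelisted functions are trusted
# and not descended into.
def contradictions(roots, graph, virtuals, whitelist, blacklist)
  found = []
  roots.each do |root|
    seen = Set[root]
    queue = [[root]]
    until queue.empty?
      path = queue.shift
      callees(path.last, graph, virtuals).each do |callee|
        next if whitelist.include?(callee) || !seen.add?(callee)
        # Blacklisted callees end the path; everything else is explored.
        (blacklist.include?(callee) ? found : queue) << (path + [callee])
      end
    end
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  contradictions(REALTIME, CALLGRAPH, VIRTUAL_TARGETS, WHITELIST, BLACKLIST)
    .each { |p| puts "realtime contradiction: #{p.join(' -> ')}" }
end
```

The malloc call is only reachable through one override of the virtual stub, which is why the class hierarchy and vtable passes matter: without them the path through Reverb::process would not be visible from audio_callback.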