
Harness Component — Subagent

3 Tu Compiler Analyzer

Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.

Runtime: universal
Intent: research

Definition

3-tu-compiler-analyzer

Perform compiler-level analysis for a single translation unit: IR emission and diff, assembly analysis, semantic IR analysis, and CFG analysis. One instance of this agent runs per TU, enabling parallel execution.

Input

You receive these values from the orchestrator:

| Parameter | Description |
|---|---|
| workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
| tu_source | Absolute path to the source file for this TU |
| tu_hash | Hash identifier for this TU (e.g. a1b2c3d4) |
| compile_db | Path to compile_commands.json |
| config_path | Path to merged config file ({workdir}/merged-config.yaml) |
| input_file | Path to {workdir}/agent-inputs/tu-<tu_hash>.json containing sensitive_objects and source_findings |
| opt_levels | Optimization levels to analyze (e.g. ["O0", "O1", "O2"]) |
| enable_asm | Boolean — run assembly analysis |
| enable_semantic_ir | Boolean — run semantic IR analysis |
| enable_cfg | Boolean — run CFG analysis |
| baseDir | Plugin base directory (for tool paths) |

Process

Step 0 — Load Configuration and Inputs

Read config_path to load the merged config. Read input_file to load sensitive_objects (JSON array of SO-NNNN objects in this TU) and source_findings (JSON array of F-SRC-NNNN findings for this TU).

Step 1 — Extract Compile Flags

# Read the TU's compile flags one per line so that a flag containing
# spaces stays a single array element.
FLAGS=()
while IFS= read -r flag; do FLAGS+=("$flag"); done < <(
  python {baseDir}/tools/extract_compile_flags.py \
    --compile-db <compile_db> \
    --src <tu_source> --format lines)

If extract_compile_flags.py exits non-zero, write the error to notes.md and stop: none of the later steps can run without the TU's compile flags. See {baseDir}/references/compile-commands.md for flag stripping details.
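The flag extraction step above depends on what gets stripped from the compile_commands.json entry before the flags are reused for IR emission. The following Python is an added illustration written for this page, not the project's extract_compile_flags.py: it handles both the "command" and "arguments" entry forms, drops the compiler, the source file, output and dependency-file flags, rebases relative include paths onto the entry's "directory" (because the emitter runs from a different working directory), and drops the project's own -O level on the assumption that the analyzer appends its own per pass. The compile database content, the paths and the set of stripped flags are constructed for the example.

```python
import json
import os
import shlex

# Constructed compile_commands.json (not from any real project). The first
# entry uses the "command" form, the second the "arguments" form; both forms
# occur in the wild and must be handled.
SAMPLE_COMPILE_DB = json.dumps([
    {
        "directory": "/src/build",
        "command": "/usr/bin/clang -DNDEBUG -I../include -O2 -g -MD -MF crypto.o.d "
                   "-o crypto.o -c ../lib/crypto.c",
        "file": "../lib/crypto.c",
    },
    {
        "directory": "/src/build",
        "arguments": ["cc", "-I../include", "-std=c11", "-Wall",
                      "-o", "kdf.o", "-c", "/src/lib/kdf.c"],
        "file": "/src/lib/kdf.c",
    },
])

# Output and dependency-file flags carry no semantics; dropped with their argument.
DROP_WITH_ARG = {"-o", "-MF", "-MT", "-MQ"}
# Flags dropped on their own.
DROP_ALONE = {"-c", "-M", "-MM", "-MD", "-MMD", "-MP"}
# Include-path flags whose (possibly relative) argument is rebased onto the
# entry's "directory", since the IR emitter runs from elsewhere.
PATH_FLAGS = ("-I", "-isystem", "-iquote", "-include")


def _rebase(directory, path):
    """Make a path from compile_commands.json absolute relative to its entry."""
    if os.path.isabs(path):
        return os.path.normpath(path)
    return os.path.normpath(os.path.join(directory, path))


def find_entry(db, src):
    """Locate the entry whose resolved 'file' equals src (an absolute path)."""
    target = os.path.normpath(src)
    for entry in db:
        if _rebase(entry["directory"], entry["file"]) == target:
            return entry
    return None


def entry_argv(entry):
    """Return the command line as a list, whichever form the entry uses."""
    if "arguments" in entry:
        return list(entry["arguments"])
    return shlex.split(entry["command"])


def extract_flags(db, src):
    """Return the semantic flags for src: no compiler, source, output or -O flags."""
    entry = find_entry(db, src)
    if entry is None:
        raise LookupError("no compile_commands.json entry for %s" % src)
    directory = entry["directory"]
    argv = entry_argv(entry)
    source_spellings = {entry["file"], _rebase(directory, entry["file"])}
    flags = []
    i = 1  # argv[0] is the compiler driver
    while i < len(argv):
        arg = argv[i]
        if arg in DROP_WITH_ARG:
            i += 2
            continue
        # -O* is dropped on the assumption that the analyzer appends its own level.
        if arg in DROP_ALONE or arg in source_spellings or arg.startswith("-O"):
            i += 1
            continue
        # Path flag with a separate argument: "-I ../include"
        if arg in PATH_FLAGS and i + 1 < len(argv):
            flags.append(arg)
            flags.append(_rebase(directory, argv[i + 1]))
            i += 2
            continue
        # Path flag with a joined argument: "-I../include"
        joined = next((p for p in PATH_FLAGS if arg.startswith(p) and len(arg) > len(p)), None)
        if joined:
            flags.append(joined + _rebase(directory, arg[len(joined):]))
            i += 1
            continue
        flags.append(arg)
        i += 1
    return flags


def flags_for(db_text, src):
    """Parse the JSON text and return the flag list for src."""
    return extract_flags(json.loads(db_text), src)


if __name__ == "__main__":
    import sys
    # One flag per line (the shape the shell loop above reads), so a flag
    # containing spaces survives a line-by-line read intact.
    print("\n".join(flags_for(open(sys.argv[1]).read(), sys.argv[2])))
```

Matching the TU by its resolved absolute path matters because the same source can appear once with a relative "file" and once with an absolute one; comparing raw strings would miss the entry and the whole TU would be skipped.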

Step 2 — IR Emission and Comparison (produces OPTIMIZED_AWAY_ZEROIZE)

Always include O0 as the unoptimized baseline:

mkdir -p "{workdir}/compiler-analysis/{tu_hash}/"

{baseDir}/tools/emit_ir.sh --src <tu_so
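What the IR comparison in Step 2 has to decide is whether a wipe that is visible at O0 is still there after optimization, and "still there" cannot mean "the same memset call": the optimizer may lower a memset to zero stores (a wipe in a different shape) or dead-store-eliminate it outright (the OPTIMIZED_AWAY_ZEROIZE case). The Python below is an added example for this page, not the project's own analysis code. The three IR fragments are constructed by hand to stand in for emit_ir.sh output, the sensitive_objects records and the finding dictionary shape are assumptions, and wipes are matched by SSA name only.

```python
import re

# Constructed LLVM IR standing in for emit_ir.sh output at three levels (not
# real compiler output). At O0 the memset on %key is present; at O1 it has
# been lowered to a single vector zero store, which is still a wipe; at O2
# dead-store elimination has removed it because %key is never read again.
# The explicit_bzero call on %iv survives at every level: it is an opaque
# external call the optimizer cannot prove dead.
IR_O0 = """\
define void @derive_key(ptr %out) {
entry:
  %key = alloca [32 x i8], align 16
  %iv = alloca [16 x i8], align 16
  call void @kdf(ptr %key, ptr %iv)
  call void @llvm.memcpy.p0.p0.i64(ptr %out, ptr %key, i64 32, i1 false)
  call void @llvm.memset.p0.i64(ptr align 16 %key, i8 0, i64 32, i1 false)
  call void @explicit_bzero(ptr %iv, i64 16)
  ret void
}
"""
IR_O1 = """\
define void @derive_key(ptr %out) {
entry:
  %key = alloca [32 x i8], align 16
  %iv = alloca [16 x i8], align 16
  call void @kdf(ptr nonnull %key, ptr nonnull %iv)
  call void @llvm.memcpy.p0.p0.i64(ptr %out, ptr nonnull %key, i64 32, i1 false)
  store <4 x i64> zeroinitializer, ptr %key, align 16
  call void @explicit_bzero(ptr nonnull %iv, i64 16)
  ret void
}
"""
IR_O2 = """\
define void @derive_key(ptr %out) {
entry:
  %key = alloca [32 x i8], align 16
  %iv = alloca [16 x i8], align 16
  call void @kdf(ptr nonnull %key, ptr nonnull %iv)
  call void @llvm.memcpy.p0.p0.i64(ptr %out, ptr nonnull %key, i64 32, i1 false)
  call void @explicit_bzero(ptr nonnull %iv, i64 16)
  ret void
}
"""

# Assumed shape of the sensitive_objects records for this TU.
SENSITIVE_OBJECTS = [
    {"id": "SO-0001", "function": "derive_key", "name": "key", "size": 32},
    {"id": "SO-0002", "function": "derive_key", "name": "iv", "size": 16},
]

FUNC_RE = re.compile(r"define[^@]*@([\w.]+)\([^)]*\)[^{]*\{\n(.*?)\n\}", re.S)
# Zero-fill intrinsics and opaque wipe calls: capture the pointer and byte count.
MEMSET_RE = re.compile(r"@llvm\.memset[\w.]*\([^,]*?(%[\w.]+), i8 0, i64 (\d+)")
BZERO_RE = re.compile(r"@(?:explicit_bzero|OPENSSL_cleanse)\([^,]*?(%[\w.]+), i64 (\d+)")
# A zero store to the object, scalar or vector; byte count comes from the type.
ZERO_STORE_RE = re.compile(
    r"store (<(\d+) x i(\d+)>|i(\d+)) (?:zeroinitializer|0), ptr [^%]*(%[\w.]+)")


def function_bodies(ir):
    """Map each defined function name to the text of its body."""
    return {m.group(1): m.group(2) for m in FUNC_RE.finditer(ir)}


def wipe_bytes(ir, function, name):
    """Bytes of zeroization applied to %name inside function, in any surviving form."""
    body = function_bodies(ir).get(function, "")
    target = "%" + name
    total = 0
    for line in body.splitlines():
        for rx in (MEMSET_RE, BZERO_RE):
            m = rx.search(line)
            if m and m.group(1) == target:
                total += int(m.group(2))
        m = ZERO_STORE_RE.search(line)
        if m and m.group(5) == target:
            if m.group(2):  # vector store: lanes * lane width
                total += int(m.group(2)) * int(m.group(3)) // 8
            else:           # scalar store
                total += int(m.group(4)) // 8
    return total


def compare_wipes(baseline_ir, opt_ir, opt_level, sensitive_objects):
    """Flag objects whose O0 wipe shrank or vanished at opt_level.

    An object with no wipe at O0 is a source-level problem, not a compiler
    one, so it is left to the source findings and not reported here."""
    findings = []
    for so in sensitive_objects:
        before = wipe_bytes(baseline_ir, so["function"], so["name"])
        after = wipe_bytes(opt_ir, so["function"], so["name"])
        if before > 0 and after < before:
            findings.append({
                "type": "OPTIMIZED_AWAY_ZEROIZE",
                "object": so["id"],
                "function": so["function"],
                "opt_level": opt_level,
                "baseline_bytes": before,
                "optimized_bytes": after,
                "partial": after > 0,
            })
    return findings


def analyze_levels(ir_by_level, sensitive_objects):
    """Compare every requested level against the mandatory O0 baseline."""
    if "O0" not in ir_by_level:
        raise ValueError("O0 baseline IR is required")
    findings = []
    for level, ir in ir_by_level.items():
        if level != "O0":
            findings.extend(compare_wipes(ir_by_level["O0"], ir, level, sensitive_objects))
    return findings
```

Counting wipe bytes rather than wipe calls is what keeps the O1 case out of the findings: the memset is gone, but the 32-byte vector store that replaced it does the same job. Matching by SSA name is the main simplification here; real clang output at O0 often reaches the buffer through a getelementptr or a bitcast, so a production check has to follow those through to the alloca before comparing.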

More from trailofbits/skills

0 Preflight (subagent, runtime: universal)

Performs preflight validation, config merging, TU enumeration, and work directory setup for zeroize-audit. Produces merged-config.yaml, preflight.json, and orchestrator-state.json.

1 Mcp Resolver (subagent, runtime: universal)

Resolves symbol definitions, types, and cross-file references using Serena MCP for zeroize-audit. Runs before source analysis so enriched type data is available for wipe validation.

2 Source Analyzer (subagent, runtime: universal)

Identifies sensitive objects, detects wipe calls, validates correctness, and performs data-flow/heap analysis for zeroize-audit. Produces the sensitive object list and source-level findings consumed by compiler analysis and report assembly.

2b Rust Source Analyzer (subagent, runtime: universal)

Performs source-level zeroization analysis for Rust crates in zeroize-audit. Generates rustdoc JSON for trait-aware analysis and runs token-based dangerous API scanning. Produces sensitive objects and source findings consumed by rust-compiler-analyzer and report assembly.

3b Rust Compiler Analyzer (subagent, runtime: universal)

Performs crate-level MIR and LLVM IR analysis for Rust in zeroize-audit. A single instance runs per crate (unlike 3-tu-compiler-analyzer, which runs one per C/C++ TU). Detects dead-store elimination of wipes, stack retention, and other compiler-level zeroization failures.

4 Report Assembler (subagent, runtime: universal)

Collects all findings from source and compiler analysis, applies supersessions and confidence gates, normalizes IDs, and produces a comprehensive markdown report with structured JSON for downstream tools. Supports dual-mode invocation: interim (findings.json only) and final (merge PoC results, produce final-report.md).