Harness Component — Subagent
3 Tu Compiler Analyzer
Performs per-TU compiler-level analysis (IR diff, assembly, semantic IR, CFG) for zeroize-audit. One instance runs per translation unit, enabling parallel execution across TUs.
Definition
3-tu-compiler-analyzer
Perform compiler-level analysis for a single translation unit: IR emission and diff, assembly analysis, semantic IR analysis, and CFG analysis. One instance of this agent runs per TU, enabling parallel execution.
Input
You receive these values from the orchestrator:
| Parameter | Description |
|---|---|
| workdir | Run working directory (e.g. /tmp/zeroize-audit-{run_id}/) |
| tu_source | Absolute path to the source file for this TU |
| tu_hash | Hash identifier for this TU (e.g. a1b2c3d4) |
| compile_db | Path to compile_commands.json |
| config_path | Path to merged config file ({workdir}/merged-config.yaml) |
| input_file | Path to {workdir}/agent-inputs/tu-<tu_hash>.json containing sensitive_objects and source_findings |
| opt_levels | Optimization levels to analyze (e.g. ["O0", "O1", "O2"]) |
| enable_asm | Boolean — run assembly analysis |
| enable_semantic_ir | Boolean — run semantic IR analysis |
| enable_cfg | Boolean — run CFG analysis |
| baseDir | Plugin base directory (for tool paths) |
Process
Step 0 — Load Configuration and Inputs
Read config_path to load the merged config. Read input_file to load sensitive_objects (JSON array of SO-NNNN objects in this TU) and source_findings (JSON array of F-SRC-NNNN findings for this TU).
Step 1 — Extract Compile Flags
```sh
FLAGS=()
while IFS= read -r flag; do FLAGS+=("$flag"); done < <(
  python {baseDir}/tools/extract_compile_flags.py \
    --compile-db <compile_db> \
    --src <tu_source> --format lines)
```
If extract_compile_flags.py exits non-zero, write error to notes.md and stop (cannot proceed without flags). See {baseDir}/references/compile-commands.md for flag stripping details.
Step 2 — IR Emission and Comparison (produces OPTIMIZED_AWAY_ZEROIZE)
Always include O0 as the unoptimized baseline:
```sh
mkdir -p "{workdir}/compiler-analysis/{tu_hash}/"
{baseDir}/tools/emit_ir.sh --src <tu_so
```
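The two steps above (pulling a TU's flags out of compile_commands.json, then comparing the O0 baseline IR against an optimized level to catch a wipe the compiler dropped) are shown below as an added, self-contained example. It is not the plugin's own extract_compile_flags.py or emit_ir.sh; the compile database, the IR fragments standing in for emit_ir.sh output, the sensitive-object record fields (`function`, `variable`) and the finding dictionary shape are all constructed for illustration. It also assumes the -O0 IR keeps the C variable name on the alloca (clang does this unless value names are discarded), and it generalizes slightly beyond the page by handling both `command` and `arguments` entries in the database and both typed and opaque pointer syntax in the IR.

```python
"""Added example, not zeroize-audit code: stand-in for Step 1 (flag extraction)
and Step 2 (O0-vs-optimized IR comparison yielding OPTIMIZED_AWAY_ZEROIZE).
All data below is constructed for illustration."""
import json
import re
import shlex

# Constructed compile_commands.json for a hypothetical project.
SAMPLE_COMPILE_DB = json.dumps([
    {"directory": "/src/build", "file": "/src/crypto/kdf.c",
     "command": "cc -O2 -DNDEBUG -I/src/include -c /src/crypto/kdf.c -o kdf.o"},
    {"directory": "/src/build", "file": "/src/crypto/aead.c",
     "arguments": ["cc", "-O0", "-g", "-I/src/include", "-c",
                   "/src/crypto/aead.c", "-o", "aead.o"]},
])

# Dropped before re-invoking the compiler for IR emission: output/dependency
# options (take an argument), compile-mode switches, and the project's own -O
# level (the analyzer substitutes one -O level per run).
_DROP_WITH_ARG = {"-o", "-MF", "-MT", "-MQ"}
_DROP_BARE = {"-c", "-S", "-E", "-M", "-MM", "-MD", "-MMD"}
_OPT_RE = re.compile(r"^-O([0-3sz]|fast|g)?$")


def extract_compile_flags(compile_db_text, tu_source):
    """Flags recorded for tu_source minus output, dependency, -O and the source
    path itself. Raises KeyError when the TU is absent (the 'stop' case)."""
    for entry in json.loads(compile_db_text):
        if entry.get("file") != tu_source:
            continue
        argv = entry.get("arguments") or shlex.split(entry["command"])
        flags, skip_next = [], False
        for tok in argv[1:]:  # argv[0] is the compiler binary
            if skip_next:
                skip_next = False
            elif tok in _DROP_WITH_ARG:
                skip_next = True
            elif tok in _DROP_BARE or _OPT_RE.match(tok) or tok == tu_source:
                pass
            else:
                flags.append(tok)
        return flags
    raise KeyError(f"{tu_source} not present in compile database")


# Constructed IR: a stack key is expanded into an output, then zeroed.
IR_O0 = """\
define void @derive(i8* %out) {
  %key = alloca [32 x i8], align 16
  %p = getelementptr inbounds [32 x i8], [32 x i8]* %key, i64 0, i64 0
  call void @expand(i8* %p, i8* %out)
  call void @llvm.memset.p0i8.i64(i8* %p, i8 0, i64 32, i1 false)
  ret void
}
"""
# At -O2 the final memset is a dead store from the optimizer's view and is gone.
IR_O2 = """\
define void @derive(i8* %out) {
  %key = alloca [32 x i8], align 16
  %p = getelementptr inbounds [32 x i8], [32 x i8]* %key, i64 0, i64 0
  call void @expand(i8* %p, i8* %out)
  ret void
}
"""
# Constructed SO record; the field names are an assumption of this example.
SENSITIVE_OBJECTS = [{"id": "SO-0001", "function": "derive", "variable": "key"}]

_FUNC_RE = re.compile(r"^define .*?@([\w.]+)\(.*\{$")
# GEP/bitcast derive a new register from an old one: record the alias so a
# memset through %p is attributed back to the alloca %key.
_ALIAS_RE = re.compile(r"^\s*(%[\w.]+) = (?:getelementptr|bitcast)\b[^%]*(%[\w.]+)")
# Zero-fill memset, accepting typed (i8*) and opaque (ptr) pointer syntax.
_MEMSET_RE = re.compile(
    r"call void @llvm\.memset[\w.]*\((?:i8\*|ptr) (%[\w.]+),\s*i8 0,\s*i(?:32|64) \d+")


def zero_fills_per_function(ir_text):
    """Map function name -> set of registers (usually allocas) that receive a
    zero-fill memset in this IR."""
    result, func, alias = {}, None, {}
    for line in ir_text.splitlines():
        m = _FUNC_RE.match(line)
        if m:
            func, alias = m.group(1), {}
            result[func] = set()
        elif func is None:
            continue
        elif line.startswith("}"):
            func = None
        elif (m := _ALIAS_RE.match(line)):
            alias[m.group(1)] = alias.get(m.group(2), m.group(2))
        elif (m := _MEMSET_RE.search(line)):
            result[func].add(alias.get(m.group(1), m.group(1)))
    return result


def find_optimized_away_wipes(ir_baseline, ir_optimized, sensitive_objects, opt_level):
    """One finding per sensitive object whose wipe exists in the O0 baseline but
    not at opt_level. If SROA removed the alloca entirely, the wipe is still
    reported as missing, which is the right answer for the audit."""
    base = zero_fills_per_function(ir_baseline)
    opt = zero_fills_per_function(ir_optimized)
    findings = []
    for so in sensitive_objects:
        fn, reg = so["function"], "%" + so["variable"]
        if reg in base.get(fn, set()) and reg not in opt.get(fn, set()):
            findings.append({"type": "OPTIMIZED_AWAY_ZEROIZE", "so_id": so["id"],
                             "function": fn, "opt_level": opt_level})
    return findings
```

Calling `extract_compile_flags(SAMPLE_COMPILE_DB, "/src/crypto/kdf.c")` returns `["-DNDEBUG", "-I/src/include"]`, and `find_optimized_away_wipes(IR_O0, IR_O2, SENSITIVE_OBJECTS, "O2")` returns a single OPTIMIZED_AWAY_ZEROIZE finding for SO-0001. The flag extractor deliberately strips the project's own -O level so that the same flag list can be reused for every entry in opt_levels; the IR comparison keys on the alloca rather than on the memset line text, because optimized IR renumbers registers and the naive line diff would flag every function.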