Sceptre is an LLVM Utility pass to check a program at the IR level for Spectre variant 1 (bounds check bypass) vulnerabilities. The pass currently must be enabled with -mllvm -enable-sceptre. When it finds a vulnerability it outputs a diagnostic of the form:
warning: spectre.c:10:10: in function array1_load: found vulnerable load
note: inlined into function foo at: spectre.c:19:24
note: bounds check with index "index" is at: spectre.c:6:16: in function is_valid_idx
note: inlined into function foo at: spectre.c:18:6
As it runs after inlining, it must be run at "-O1" or above (recommendation is to run it at "-O2").
Note, as the pass is still under development I'm putting this up merely as an RFC (an email will be sent to llvm-dev linking to this). The pass has proved useful internally and I wanted to share it as soon as possible with the community.
Thanks,
Rob.
Robert Lougher
Sony Interactive Entertainment
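An added illustration, not part of the patch or of the post above: a constructed C file with the shape the sample diagnostic describes (a bounds check in is_valid_idx and a load in array1_load, both called from foo), next to a variant that clamps the index with a branch-free mask. The function names follow the diagnostic; the array sizes and contents, foo_masked and index_mask are assumptions made for this example, and no claim is made about what the pass reports for this file.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY1_SIZE 16u /* assumed size */

static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8};
/* Second array indexed by the loaded value; one constructed non-zero entry. */
static uint8_t array2[256 * 64] = { [4 * 64] = 0xAA };

/* Bounds check on a caller-controlled index. */
static inline int is_valid_idx(size_t index) { return index < ARRAY1_SIZE; }

/* The load that depends on the bounds check having been honoured. */
static inline uint8_t array1_load(size_t index) { return array1[index]; }

/* Bounds check bypass shape (CVE-2017-5753): if the branch is mispredicted,
 * array1_load can execute speculatively with an out-of-range index, and the
 * dependent array2 access leaves a value-dependent footprint in the cache. */
uint8_t foo(size_t index) {
    if (is_valid_idx(index))
        return array2[array1_load(index) * 64];
    return 0;
}

/* Hypothetical helper: all ones when index < size, zero otherwise, computed
 * without a branch. Assumes 0 < size <= SIZE_MAX / 2 + 1. Same idea as the
 * Linux kernel's array_index_nospec(), which additionally hides the value
 * from the optimizer. */
static inline size_t index_mask(size_t index, size_t size) {
    size_t x = index | (size - 1 - index); /* top bit set iff index >= size */
    return (size_t)0 - (~x >> (sizeof(size_t) * 8 - 1));
}

/* Hardened form: the index used by the load is data-dependent on the mask,
 * so a mispredicted branch can only reach array1[0]. */
uint8_t foo_masked(size_t index) {
    if (is_valid_idx(index)) {
        index &= index_mask(index, ARRAY1_SIZE);
        return array2[array1_load(index) * 64];
    }
    return 0;
}
```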
Please reference CVE-2017-5753 in important comments along with "Spectre variant 1"