decaf-project / DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.

find_shadow_arg in tcg_taint.c

XMUsuny opened this issue · comments

Hi, I use the taint analysis of DECAF these days. During testing, I find that no new instructions are inserted. After I check, I see that the find_shadow_arg function in tcg_taint.c always returns 0 because of the check on temp in TCGContext:
```c
TCGv find_shadow_arg(TCGv arg)
{
    if (arg < tcg_ctx.nb_globals)
        return shadow_arg[arg];

    /* Check if this temp is allocated in the context */
    if (!tcg_ctx.temps[arg].temp_allocated)
        return 0;
```

However, in QEMU, most instructions are handled in tcg-op.h and do not allocate a new TCGTemp, such as qemu_ld and qemu_st (in fact, one is allocated but then freed). Therefore, no new instructions can be added because no shadow args are found:
```c
case INDEX_op_qemu_ld32:
    arg0 = find_shadow_arg(gen_opparam_ptr[-3]);
    if (arg0) {
        /* Patch qemu_ld* opcode into taint_qemu_ld* */
        gen_opc_ptr[-1] += (INDEX_op_taint_qemu_ld8u - INDEX_op_qemu_ld8u);
```

Could you provide some advice to help me use DECAF?
Thanks~

Oh, the tcg_temp_free_internal function returns early if taint is enabled. Now I close this issue.
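The following is an added, self-contained model of the behaviour discussed in this issue; it is not DECAF's or QEMU's code. It reduces TCGContext to a `temp_allocated` flag per slot, keeps the same `find_shadow_arg` lookup logic as the excerpt above, and adds a `model_temp_free` that mirrors the early return in `tcg_temp_free_internal` when taint tracking is on. `NB_GLOBALS`, `NB_TEMPS`, the shadow-id convention (`arg + NB_TEMPS`) and all `model_*` helpers are constructed for illustration. It shows why a tcg-op.h-style helper that allocates and frees a temp leaves no shadow for the taint pass to find unless the free is skipped.

```c
/* Added model (not DECAF's code): why a shadow lookup can return 0 for a
 * temp that a tcg-op.h helper allocates and frees before the taint pass
 * inspects the op, and what the early return in tcg_temp_free_internal
 * changes. Sizes, names and the shadow-id convention are constructed. */
#include <stdbool.h>
#include <stdio.h>

#define NB_GLOBALS 4   /* constructed: the first 4 TCGv slots are globals */
#define NB_TEMPS   16  /* constructed: total TCGv slots in the context    */

typedef int TCGv;

typedef struct {
    bool temp_allocated;
} TCGTemp;

typedef struct {
    int nb_globals;
    TCGTemp temps[NB_TEMPS];
} TCGContext;

static TCGContext tcg_ctx;
static TCGv shadow_arg[NB_TEMPS];  /* arg -> shadow arg id, 0 = none */
static bool taint_tracking_enabled;

/* Constructed convention: shadow id = arg + NB_TEMPS, so it is never 0. */
static TCGv shadow_id(TCGv arg) { return arg + NB_TEMPS; }

/* Same lookup logic as the tcg_taint.c excerpt quoted in the issue. */
TCGv find_shadow_arg(TCGv arg)
{
    if (arg < tcg_ctx.nb_globals)
        return shadow_arg[arg];

    /* Check if this temp is allocated in the context */
    if (!tcg_ctx.temps[arg].temp_allocated)
        return 0;

    return shadow_arg[arg];
}

/* Reset the model context: globals are always allocated and shadowed. */
void model_reset(bool taint_on)
{
    taint_tracking_enabled = taint_on;
    tcg_ctx.nb_globals = NB_GLOBALS;
    for (int i = 0; i < NB_TEMPS; i++) {
        tcg_ctx.temps[i].temp_allocated = (i < NB_GLOBALS);
        shadow_arg[i] = (i < NB_GLOBALS) ? shadow_id(i) : 0;
    }
}

/* Allocate the first free temp slot and register a shadow for it. */
TCGv model_temp_new(void)
{
    for (int i = tcg_ctx.nb_globals; i < NB_TEMPS; i++) {
        if (!tcg_ctx.temps[i].temp_allocated) {
            tcg_ctx.temps[i].temp_allocated = true;
            shadow_arg[i] = shadow_id(i);
            return i;
        }
    }
    return -1;  /* model exhausted; never reached in the calls below */
}

/* Mirrors what the issue ends on: with taint tracking enabled the free
 * returns early, so the temp stays allocated and visible to the pass. */
void model_temp_free(TCGv arg)
{
    if (taint_tracking_enabled)
        return;
    tcg_ctx.temps[arg].temp_allocated = false;
    shadow_arg[arg] = 0;
}

/* A tcg-op.h-style helper: allocate a temp for the load result, emit the
 * op (elided here), then free the temp before returning. */
static TCGv model_gen_qemu_ld(void)
{
    TCGv tmp = model_temp_new();
    /* ... qemu_ld would be emitted here with tmp as its destination ... */
    model_temp_free(tmp);
    return tmp;
}

/* What the taint pass finds for the load's operand afterwards:
 * 0 means no shadow, so no taint_qemu_ld* patch would be applied. */
TCGv taint_pass_result_for_ld(bool taint_on)
{
    model_reset(taint_on);
    TCGv operand = model_gen_qemu_ld();
    return find_shadow_arg(operand);
}

int main(void)
{
    printf("taint off: shadow=%d\n", taint_pass_result_for_ld(false));
    printf("taint on : shadow=%d\n", taint_pass_result_for_ld(true));
    return 0;
}
```

With the free honoured, the operand's slot is no longer `temp_allocated` when the pass runs and the lookup yields 0; with the early return active, the slot survives and its shadow is found. Globals are unaffected either way, since the lookup returns their shadow before the allocation check.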