Tainting adjacent variables


I’m new to LLVM and am trying to build a checker for clang. In a program like

void foo()
int a;
int b;
int c;
int d;

If doSomeThingWith(c) detects a problem with the value c, I want to taint variables beyond c (aka c, b and a) so that when calling doSomeThingWith(a), the function says “hey, this value is tainted but it shouldn’t”.

I did something like :

const StackLocalsSpaceRegion *stackFrame = R->getMemRegionManager()->getStackLocalsRegion(C.getStackFrame());


in checkLocation to say “hey, I want to taint the entire stack frame”. And then, I do the check in checkPreCall with :

if (State->isTainted(dyn_cast(stackFrame)))
// bad


if (R && State->isTainted(dyn_cast(R)))
std::cout << “Corrupted stack” << std::endl;



But when I test my checker on a buggy program, the taint checking doesn’t work. Stack frames are note the same. If I only taint MemRegions, I actually only taint a chunk of a variable. (like a byte of a buffer) I can’t taint adjacent data. I can’t say for example “I can overflow a buffer from up to 12 bytes so I will taint the 12 bytes that follow that buffer aka the 3 4-bytes integers that are above the buffer in the code”.

Could you please give me some help doing that? What is the proper way to taint / checker the taint of the stack frame? How can I find adjacent variables? (didn’t find anything that fits in the doxygene doc)

Thank you in advance!