<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/100712>100712</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Segfault in clang with "-analyze -analyzer-checker=core"
</td>
</tr>
<tr>
<th>Labels</th>
<td>
clang
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
SebastianKonplan
</td>
</tr>
</table>
<pre>
Running the following script makes clang's static analyzer segfault while processing the C translation unit fed to it through the heredoc:
```
#!/bin/sh
# Minimal reproducer: drive the -cc1 static analyzer with only the core
# checkers enabled on the small C translation unit supplied via the heredoc.
# The heredoc delimiter is unquoted, so the C source below must not contain
# anything the shell would expand (dollar signs, backquotes, trailing backslash).
clang -cc1 -analyze -analyzer-checker=core - << __eof
extern int fun2(unsigned int bufsize, char *buf); /* declared only, no definition in this TU; note the non-const pointer parameter */
int fun1(unsigned int bufsize)
{
char *buf;
if(0 == (*(void **)&buf = __builtin_alloca(bufsize))) /* alloca result stored through a (void **) punning of the char * lvalue. NOTE(review): alloca does not report failure by returning 0 (an oversized request overflows the stack instead), so this check is not a real guard; it is kept verbatim because this exact shape is what triggers the crash */
return 0;
return fun2(bufsize, buf); /* hands the alloca buffer to the opaque callee; the dump shows the crash under evalCall -> processPointerEscapedOnBind -> getElementRegion, though which call expression is being evaluated is not pinned down by the dump */
}
__eof
```
The issue reproduces with clang-15.0.7 on Ubuntu 22.04 and with clang-16.0.6 (Debian package revision 27+b1) on Debian testing.
The following output is displayed (note that the `<stdin>:10:9` location in the dump does not map onto the 8-line input shown above, so the reporter's actual input presumably contained additional leading lines):
```
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: clang-15 -cc1 -analyze -analyzer-checker=core -
1. <eof> parser at end of file
2. While analyzing stack:
#0 Calling fun1
3. <stdin>:10:9: Error evaluating statement
4. <stdin>:10:9: Error evaluating statement
#0 0x00007d74df3043b1 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/usr/lib/llvm-15/bin/../lib/libLLVM-15.so.1+0xf043b1)
#1 0x00007d74df3020fe llvm::sys::RunSignalHandlers() (/usr/lib/llvm-15/bin/../lib/libLLVM-15.so.1+0xf020fe)
#2 0x00007d74df3048d6 (/usr/lib/llvm-15/bin/../lib/libLLVM-15.so.1+0xf048d6)
#3 0x00007d74ddc42520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
#4 0x00007d74e7dcefdf clang::ento::MemRegionManager::getElementRegion(clang::QualType, clang::ento::NonLoc, clang::ento::SubRegion const*, clang::ASTContext&) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x29cefdf)
#5 0x00007d74e7e094ad (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2a094ad)
#6 0x00007d74e7e0416d (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2a0416d)
#7 0x00007d74e7d993d1 clang::ento::ExprEngine::processPointerEscapedOnBind(llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>, llvm::ArrayRef<std::pair<clang::ento::SVal, clang::ento::SVal>>, clang::LocationContext const*, clang::ento::PointerEscapeKind, clang::ento::CallEvent const*) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x29993d1)
#8 0x00007d74e7db2e84 clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x29b2e84)
#9 0x00007d74e7db26b4 clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x29b26b4)
#10 0x00007d74e7d919c9 clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x29919c9)
#11 0x00007d74e7d8d7f5 clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x298d7f5)
#12 0x00007d74e7d8d4ce clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x298d4ce)
#13 0x00007d74e7d74c08 clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2974c08)
#14 0x00007d74e7d74758 clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2974758)
#15 0x00007d74e81d495f (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2dd495f)
#16 0x00007d74e81b20d8 (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2db20d8)
#17 0x00007d74e5e8ce9b clang::ParseAST(clang::Sema&, bool, bool) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0xa8ce9b)
#18 0x00007d74e7ab4ea7 clang::FrontendAction::Execute() (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x26b4ea7)
#19 0x00007d74e7a27fb6 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2627fb6)
#20 0x00007d74e7b32e4a clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/lib/llvm-15/bin/../lib/libclang-cpp.so.15+0x2732e4a)
#21 0x00005f546ba589e0 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/lib/llvm-15/bin/clang+0x139e0)
#22 0x00005f546ba56bab (/usr/lib/llvm-15/bin/clang+0x11bab)
#23 0x00005f546ba569fc clang_main(int, char**) (/usr/lib/llvm-15/bin/clang+0x119fc)
#24 0x00007d74ddc29d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x00007d74ddc29e40 call_init ./csu/../csu/libc-start.c:128:20
#26 0x00007d74ddc29e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#27 0x00005f546ba533b5 _start (/usr/lib/llvm-15/bin/clang+0xe3b5)
Segmentation fault (core dumped)
```
We hit this analyzer crash at three distinct places in our project's source code; each of them involves a call to `alloca()`.
</pre>