[analyzer] Fix crash in GenericTaintChecker when propagatig taint to …

…AllocaRegion

The `GenericTaintChecker` checker was crashing, when the taint
was propagated to `AllocaRegion` region in following code:
```
  int x;
  void* p = alloca(10);
  mempcy(p, &x, sizeof(x));
```
This crash was caused by the fact that determining type of
`AllocaRegion` returns a null `QualType`.

This patch makes `AllocaRegion` expose its type as `void`,
making them consistent with results of `malloc` or `new`
that produce `SymRegion` with `void*` symbol.

Reviewed By: steakhal, xazax.hun

Differential Revision: https://reviews.llvm.org/D155847

clang/lib/StaticAnalyzer/Core/SVals.cpp

@@ -174,6 +174,9 @@ class TypeRetrievingVisitor
   QualType VisitSymbolicRegion(const SymbolicRegion *SR) {
     return Visit(SR->getSymbol());
   }
+  QualType VisitAllocaRegion(const AllocaRegion *) {
+    return QualType{Context.VoidPtrTy};
+  }
   QualType VisitTypedRegion(const TypedRegion *TR) {
     return TR->getLocationType();
   }

clang/test/Analysis/taint-generic.c

@@ -359,6 +359,25 @@ void testTaintedVLASize(void) {
   int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted size}}
 }
 
+int testTaintedAllocaMem() {
+  char x;
+  void * p;
+  scanf("%c", &x);
+  p = __builtin_alloca(1);
+  __builtin_memcpy(p, &x, 1);
+  return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
+}
+
+int testTaintedMallocMem() {
+  char x;
+  void * p;
+  scanf("%c", &x);
+  p = malloc(1);
+  __builtin_memcpy(p, &x, 1);
+  return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}}
+}
+
+
 // This computation used to take a very long time.
 #define longcmp(a,b,c) { \
   a -= c;  a ^= c;  c += b; b -= a;  b ^= (a<<6) | (a >> (32-b));  a += c; c -= b;  c ^= b;  b += a; \