abort on loads from absolute addresses, just like saves

2 files changed, 28 insertions, 0 deletions

diff --git a/src/jsifier.js b/src/jsifier.js
index 53d23140..7066f8c5 100644
--- a/src/jsifier.js
+++ b/src/jsifier.js
@@ -1226,6 +1226,15 @@ function JSify(data, functionsOnly, givenFunctions) {
     var impl = item.ident ? getVarImpl(item.funcData, item.ident) : VAR_EMULATED;
     switch (impl) {
       case VAR_NATIVIZED: {
+        if (isNumber(item.ident)) {
+          item.assignTo = null;
+          // Direct read from a memory address; this may be an intentional segfault, if not, it is a bug in the source
+          if (ASM_JS) {
+            return 'abort(' + item.ident + ')';
+          } else {
+            return 'throw "fault on read from ' + item.ident + '";';
+          }
+        }
         return value; // We have the actual value here
       }
       case VAR_EMULATED: return makeGetValue(value, 0, item.type, 0, item.unsigned, 0, item.align);
diff --git a/tests/cases/inttoptrfloat.ll b/tests/cases/inttoptrfloat.ll
new file mode 100644
index 00000000..607539fe
--- /dev/null
+++ b/tests/cases/inttoptrfloat.ll
@@ -0,0 +1,19 @@
+; ModuleID = 'tests/hello_world.bc'
+target datalayout = "e-p:32:32:32-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:32:64-f32:32:32-f64:32:64-v64:64:64-v128:128:128-a0:0:64-f80:32:32-n8:16:32-S128"
+target triple = "i386-pc-linux-gnu"
+
+@.str = private unnamed_addr constant [15 x i8] c"hello, world!\0A\00", align 1 ; [#uses=1 type=[15 x i8]*]
+
+; [#uses=0]
+define i32 @main() {
+entry:
+  %call = call i32 (i8*, ...)* @printf(i8* getelementptr inbounds ([15 x i8]* @.str, i32 0, i32 0), float %b) ; [#uses=0 type=i32]
+  %ff = alloca float, align 4
+  %a = load float* inttoptr (i32 4 to float*), align 4
+  store float %a, float* %ff, align 4
+  %b = load float* %ff, align 4
+  ret i32 1
+}
+
+; [#uses=1]
+declare i32 @printf(i8*, ...)