mutated × unstructured — blows up live on input you didn't expect
NaN / Infinity Poisons a Consumer
Float math yields NaN or Infinity, which crashes the first consumer that needs a finite number.
01 the recipe
In the wild
compound of: Time, Money & Entropy (CWE-682 Incorrect Calculation) + Lack of Input Validation (CWE-20 Input Validation); the compound itself: CWE-754 Unchecked Condition
example.py
# SMELL: float math yields NaN/Infinity; a consumer assumes a finite number.
# (time / money / entropy x lack of input validation)
import math

# Values parsed from a data row. float() accepts "nan" and "inf" as literals,
# and arithmetic on finite floats can overflow to inf without raising.
spent = float("12.5")
hours = float("nan")          # blank cell upstream arrived as "nan"
buckets = [0] * 100

rate = spent / hours          # nan here; inf if spent is "inf" or the quotient overflows
# (plain Python raises ZeroDivisionError for hours == 0.0, but numpy/pandas
# float64 division by 0.0 returns inf or nan, which is how a real row with
# hours == 0 first triggered this)
buckets[int(rate)] += 1       # int(inf) -> OverflowError; int(nan) -> ValueError

# RIGHT: validate the numeric domain before you consume it.
if not math.isfinite(rate):
    raise ValueError("rate must be finite")
buckets[int(rate)] += 1

Float arithmetic produces inf or nan silently, and nothing flags the value until a consumer that needs a finite integer chokes: int(inf) raises OverflowError and int(nan) raises ValueError. The root cause is the unchecked numeric domain, and it is typically seen first on production data. Note the caveat for plain CPython: dividing by a literal 0.0 raises ZeroDivisionError rather than returning inf. The silent non-finite values come instead from overflow (1e308 * 10 is inf), from float() accepting the strings "inf" and "nan", from inf - inf, and from numpy or pandas float64 arithmetic, where division by zero returns inf or nan with at most a RuntimeWarning. Whichever path produced it, the value travels through further arithmetic and comparisons unflagged until the first consumer that requires a finite number fails.
// observed
bad: OverflowError / ValueError converting inf or nan to int
right: non-finite rate rejected at the boundary, with a clear error
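As an added example that is not part of the original page, the smell beside a hardened boundary check, run over constructed rows (ROWS, compute_rate, bucket_rows and naive_guard_accepts are assumed names, not the page's): it shows the ways a non-finite value reaches plain-Python code (float() accepting "nan" and "inf", finite operands overflowing, and, via numpy/pandas rather than plain floats, division by zero), the distinct exceptions int() raises for each, and one comparison trap a validation check must not rely on.

```python
import math

# Constructed sample rows (not from the original page), as strings the way a
# CSV or form field would deliver them. float() accepts "nan" and "inf"
# literally, and arithmetic on finite floats can overflow to inf silently.
ROWS = [
    {"id": 1, "spent": "120.0", "hours": "8"},      # healthy: rate 15.0
    {"id": 2, "spent": "12.5", "hours": "nan"},     # blank cell upstream became "nan"
    {"id": 3, "spent": "inf", "hours": "2"},        # parses as +infinity
    {"id": 4, "spent": "1e308", "hours": "1e-10"},  # finite operands, quotient overflows to inf
    {"id": 5, "spent": "1e308", "hours": "0"},      # plain Python raises ZeroDivisionError here
]

NUM_BUCKETS = 100


def compute_rate_unchecked(row):
    """The smell: whatever float math produces is handed straight to the consumer.
    (numpy/pandas float64 would return inf or nan for row 5 instead of raising.)"""
    return float(row["spent"]) / float(row["hours"])


def compute_rate(row):
    """Hardened: validate the numeric domain at the boundary, before and after
    the arithmetic, because finite operands can still overflow."""
    spent = float(row["spent"])
    hours = float(row["hours"])
    if not (math.isfinite(spent) and math.isfinite(hours)):
        raise ValueError(f"row {row['id']}: non-finite operand")
    if hours <= 0.0:
        raise ValueError(f"row {row['id']}: hours must be positive")
    rate = spent / hours
    if not math.isfinite(rate):
        raise ValueError(f"row {row['id']}: rate overflowed to a non-finite value")
    return rate


def naive_guard_accepts(rate, limit=1e6):
    """A 'reject if too big' guard written as `rate > limit` is bypassed by NaN:
    every comparison with NaN is False, so NaN is never 'too big'."""
    return not (rate > limit)


def bucket_rows(rows, convert):
    """Histogram the rates. Returns (buckets, {row_id: exception class name})
    so the failure mode of each row is visible to the caller."""
    buckets = [0] * NUM_BUCKETS
    errors = {}
    for row in rows:
        try:
            rate = convert(row)
            idx = min(max(int(rate), 0), NUM_BUCKETS - 1)  # int() is the consumer that chokes
            buckets[idx] += 1
        except (ValueError, OverflowError, ZeroDivisionError) as exc:
            errors[row["id"]] = type(exc).__name__
    return buckets, errors


if __name__ == "__main__":
    for name, fn in (("unchecked", compute_rate_unchecked), ("checked", compute_rate)):
        buckets, errors = bucket_rows(ROWS, fn)
        print(name, "bucketed:", sum(buckets), "errors:", errors)
    print("NaN passes a `rate > limit` guard:", naive_guard_accepts(float("nan")))
```

Run it directly to see the unchecked path fail in four different ways (ValueError, OverflowError twice, ZeroDivisionError) while the checked path rejects the same rows with one clear error each and never lets a non-finite value reach int(). Two design points: the finiteness check has to run after the division as well as before it, since row 4's operands are both finite; and the guard must be math.isfinite, not an upper-bound comparison, because NaN compares False against everything.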
02 weakness catalog
Mapped weaknesses (CWE)
On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.