Undefined behavior in JSC's tryConvertToInt52():

```
inline int64_t tryConvertToInt52(double number)
{
    if (number != number)
        return JSValue::notInt52;

#if OS(WINDOWS) && CPU(X86)
    // The VS Compiler for 32-bit builds generates a floating point error when attempting to cast
    // from an infinity to a 64-bit integer. We leave this routine with the floating point error
    // left in a register, causing undefined behavior in later floating point operations.
    //
    // To avoid this issue, we check for infinity here, and return false in that case.
    if (std::isinf(number))
        return JSValue::notInt52;
#endif

    int64_t asInt64 = static_cast<int64_t>(number);
```

UBSan says:

```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior runtime/CommonSlowPaths.cpp:495:57 in
/Volumes/Work/WebKit/OpenSource/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:636:44: runtime error: inf is outside the range of representable values of type 'long long'
```

Casting a number (which may be infinite) to an int64_t is Undefined Behavior and may in theory crash.
Looks like we correctly deal with the undefined behavior on Windows x86; we may want to extend this to all platforms.
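The platform-independent guard suggested above, written as an added example (not WebKit's code): every check runs before the double-to-int64_t cast, so the cast is never out of range on any platform. It goes slightly beyond the isinf() check, because the undefined behavior UBSan reports for inf applies to any double whose truncated value does not fit in int64_t (1e300, for instance), and a bounds check on the Int52 range covers both. The [-2^51, 2^51) bounds, the std::optional return type and the function name are assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>
#include <optional>

// Constructed example, not JSC's implementation: a tryConvertToInt52() that
// never performs an out-of-range double -> int64_t cast, on any platform.
// "Int52" is taken here to mean a signed 52-bit integer, i.e. a value in
// [-2^51, 2^51); the bounds are an assumption of this example.
constexpr double kInt52Max = 2251799813685248.0;  // 2^51, exclusive upper bound
constexpr double kInt52Min = -2251799813685248.0; // -2^51, inclusive lower bound

// Returns std::nullopt wherever the original returns JSValue::notInt52,
// and the converted integer otherwise.
inline std::optional<int64_t> tryConvertToInt52Safe(double number)
{
    // NaN compares unequal to itself (same test as the original).
    if (number != number)
        return std::nullopt;

    // Reject +/-infinity and every finite value outside the Int52 range
    // *before* casting. Comparing doubles is always well-defined, whereas
    // static_cast<int64_t> of any double whose truncated value does not fit
    // in int64_t is undefined behavior, so this range check, not an isinf()
    // test alone, is what makes the cast below legal for e.g. 1e300 too.
    if (!(number >= kInt52Min && number < kInt52Max))
        return std::nullopt;

    // Well-defined: |number| < 2^51 < 2^63.
    int64_t asInt64 = static_cast<int64_t>(number);

    // Non-integral values (truncation changed the value) are not Int52.
    if (static_cast<double>(asInt64) != number)
        return std::nullopt;

    // JavaScript distinguishes -0 from +0 and an integer cannot carry that
    // sign, so -0.0 is treated as not representable as Int52.
    if (asInt64 == 0 && std::signbit(number))
        return std::nullopt;

    return asInt64;
}
```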
<rdar://problem/111591919>