Cppcheck VS American Fuzzy Lop

I dedicated Sunday morning to going over the documentation of the linters we use in the project. The goal was to understand all options and use them in the best way for our project. Seeing their manuals side by side was nice because even very similar things are solved differently. Cppcheck is the most configurable and best documented; JSON Lint lies at the other end.

Using infer, someone else exploited null-dereference checks to introduce simple affine types in C++. Cppcheck also checks for null-dereferences. Unfortunately, that approach means that borrow-counting references have a larger sizeof than non-borrow counting references, so optimizing the count away potentially changes the semantics of a program which introduces a whole new way of writing subtly wrong code.

Also check out (cppcheck)[https://github.com/danmar/cppcheck] if you want more static analysis

My browser refuses to open that link. This is better: https://github.com/danmar/cppcheck

cppcheck - Extensible C/C++ static analyzer focused on finding bugs.

and five C/C++ static code analyzers: * clang-tidy * oclint * cppcheck * cpplint (recently added!) * include-what-you-use (recently added!)

Start by feeding your codebase to a static analysis tool like cppcheck, to rule out obvious bound-checking mistakes in it.

Cppcheck is free. I've previously used it with a C++ project.

There's some efforts to guide test generation for property based testing to make the instruction pointer explore as large a space as possible.

This effort is more mature in the fuzzing community. See eg American Fuzzy Lop https://github.com/google/AFL

What you're describing, just generating random input to test a program, is sometimes called "blind fuzzing" but the state-of-the-art is far beyond that. Maybe try reading through the documentation of e.g. https://github.com/google/AFL to see what a fuzzer does and why just producing random input isn't even scratching the surface.

for general riscv I used to use this https://github.com/google/AFL I dont know if it supports x64 tho.

Ex ( AFL, WinAFL, HonggFuzz, LibFuzzer, Jazzer )

I wrote this little fuzz test target in order to fuzz it with afl (under ASan and UBSan):

afl, which is trivial to apply to this program:

I made my own version of a TCL interpreter (well, a very TCL like langauge) derived from "picol" available at https://github.com/howerj/pickle. There are many different re-implementations and derivatives of this interpreter but they all seem very "crashy", this one has been significantly hardened by using a fuzzer on it which ran for months called American Fuzzy Lop https://lcamtuf.coredump.cx/afl/ . It is also more suitable for embedded use whilst still not having arbitrary restrictions like many other implementations.

On Linux afl is a very powerful bug-finding tool, and it's a great companion when doing code review. Composes well with ASan and UBSan.

b-, https://lcamtuf.coredump.cx/afl/