Fuzzing

Wuffs has been fuzzed (on OSS-Fuzz) since February 2018.

As of November 2019, this has not yet found any memory-safety bugs in Wuffs. Compile-time safety checks seem to work.

However, it has found a few correctness bugs, based on generating random input. Wuffs' fuzzer programs will intentionally segfault if the Wuffs library returns an “internal” error message.

For example, Wuffs won't let you write x -= 1 unless you can prove that it won‘t underflow. The programmer might ‘know’ that x is always positive at some point in their program, but to satisfy Wuffs’ bounds checker, they have to explicitly write something like:

if x > 0 {
    x -= 1
} else {
    // Unreachable: x is always positive because blah blah blah.
    return "#internal error: etc"
}

Hitting the else branch means that there‘s a bug: what the programmer ‘knew’ was incorrect. These aren’t security bugs per se: decoding an image would produce the wrong pixels, or abort early, instead of leading to RCE (Remote Code Execution). But fuzzing Wuffs has still been useful.