Wuffs has been fuzzed (on OSS-Fuzz) since February 2018.
As of November 2019, this has not yet found any memory-safety bugs in Wuffs. Compile-time safety checks seem to work.
However, it has found a few correctness bugs, based on generating random input. Wuffs' fuzzer programs will intentionally segfault if the Wuffs library returns an “internal” error message.
For example, Wuffs won't let you write x -= 1 unless you can prove that it won’t underflow. The programmer might ‘know’ that x is always positive at some point in their program, but to satisfy Wuffs’ bounds checker, they have to explicitly write something like:

    if x > 0 {
        x -= 1
    } else {
        // Unreachable: x is always positive because blah blah blah.
        return "#internal error: etc"
    }

Hitting the else branch means that there’s a bug: what the programmer ‘knew’ was incorrect. These aren’t security bugs per se: decoding an image would produce the wrong pixels, or abort early, instead of leading to RCE (Remote Code Execution). But fuzzing Wuffs has still been useful.
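
The harness behaviour described above, sketched as an added example (this is not Wuffs' own fuzzer code). It assumes a hypothetical toy_decode stand-in with a deliberately wrong "always positive" invariant, and a hypothetical fuzz_one_input that has the shape of a libFuzzer entry point and raises SIGSEGV only when the returned status contains "internal error".

```c
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Hypothetical toy decoder (not Wuffs code). Input: one count byte giving the
// total length including itself, then the payload bytes.
// Returns NULL on success or a status string; "#..." statuses are errors.
static const char* toy_decode(const uint8_t* data, size_t size) {
  if (size < 1) {
    return "#toy: truncated input";  // Ordinary error caused by bad input.
  }
  uint32_t x = data[0];
  // Deliberate bug: the author "knows" the count is never zero because it
  // includes the count byte, but nothing above validates that.
  if (x > 0) {
    x -= 1;  // x is now the payload length.
  } else {
    return "#internal error: toy: count underflow";
  }
  return (size - 1 < x) ? "#toy: truncated input" : NULL;
}

// An "internal" status means a broken invariant in the library, not bad input.
static int is_internal_error(const char* status) {
  return (status != NULL) && (strstr(status, "internal error") != NULL);
}

// Same shape as a libFuzzer entry point; crashes on purpose so that the
// fuzzing engine saves the input that exposed the broken invariant.
int fuzz_one_input(const uint8_t* data, size_t size) {
  if (is_internal_error(toy_decode(data, size))) {
    raise(SIGSEGV);
  }
  return 0;
}

int main(void) {
  const uint8_t ok[] = {3, 'a', 'b'};  // Constructed sample inputs.
  const uint8_t bad[] = {0};
  fuzz_one_input(ok, sizeof ok);  // Returns normally.
  const char* status = toy_decode(bad, sizeof bad);
  printf("%s -> internal=%d\n", status, is_internal_error(status));
  return 0;
}
```

Ordinary "#toy: truncated input" statuses are expected for malformed input and pass through silently; only the internal status, which signals a programmer assumption that turned out false, is turned into a crash the fuzzer will report.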