Christopher Wellons writes:

>> I'd be glad if you can give some advice: which fuzz-testing framework
>> to use, which introductory material is worth reading, etc.
>
> I'm partial to AFL++, and it's what I reach for first. It also works
> with GCC. It has two modes, with persistent mode preferred:

Thanks so much for the description!

I created a standalone version of my parser (I attached it), and used
"afl-clang-fast -o json json.c -fsanitize=address,undefined" and afl-fuzz
to test it. It's been running for an hour, and the tester hasn't found
any problems yet.

I discovered a funny clang bug: it incorrectly optimizes around setjmp in
do_test(): when json_parser_init runs, it stores the workspace pointer in
a register. And if there is an error during JSON parsing, it will always
free the pointer which is in that register. But in the meantime (I mean,
after json_parser_init, and before the error is thrown), the parser could
have updated it. So free() will be called on an already freed block. I had
to add a dummy printf("free!\n"); to circumvent this optimization.