David Chisnall (*Now with 50% more sarcasm!*) on Nostr: The thing I wish someone would build, which I suspect would find bugs a lot more ...
The thing I wish someone would build, which I suspect would find bugs a lot more cheaply than Claude Mythos:
Integrate a static analyser with a fuzzer.
Static analysers will find paths and variable values that, if they occur, reach unhappy states in the program. But they can’t tell you that it is possible for the preconditions to occur.
Fuzzers can explore the state space of code rapidly by throwing random values at it and then refining the input to try to explore specific places in the state space.
I would love to see someone wire up clang’s analyser with libFuzzer, for example, so that you can throw the analyser at a big project and have it spit out the hooks for guided fuzzing, then try to generate the inputs that will trigger the possible bug. Bonus points if it then tries to minimise the test case (some existing fuzzers do this).
This would then give you a fully automated way of triaging static analysis reports, by providing something you can use as a test case for the ones that are easy to trigger.
Published at 2026-04-18 08:19:14 UTC

Event JSON
{
"id": "cb9e50da020cf8fed3bd4255b60ee1a4372f7d2a21fa0cb0634c7e789c6de036",
"pubkey": "8a30e1f5176e1c530ac88aec455539e3fe2b5d7f5d3ce0b674392bbaac83281b",
"created_at": 1776500354,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/@david_chisnall/116424727248780061",
"web"
],
[
"proxy",
"https://infosec.exchange/users/david_chisnall/statuses/116424727248780061",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/david_chisnall/statuses/116424727248780061",
"pink.momostr"
],
[
"-"
]
],
"content": "The thing I wish someone would build, which I suspect would find bugs a lot more cheaply than Claude Mythos:\n\nIntegrate a static analyser with a fuzzer.\n\nStatic analysers will find paths and variable values that, if they occur, reach unhappy states in the program. But they can’t tell you that it is possible for the preconditions to occur.\n\nFuzzers can explore the state space of code rapidly by throwing random values at it and then refining the input to try to explore specific places in the state space.\n\nI would love to see someone wire up clang’s analyser with libFuzzer, for example, so that you can throw the analyser at a big project and have it spit out the hooks for guided fuzzing, then try to generate the inputs that will trigger the possible bug. Bonus points if it then tries to minimise the test case (some existing fuzzers do this).\n\nThis would then give you a fully automated way of triaging static analysis reports, by providing something you can use as a test case for the ones that are easy to trigger.",
"sig": "36243f881f6043b9aed976c4a34b6521a2f04e932f5872bd2d3f8f105846ec3703801050d2c28641dde8bfcb0dc79dd1fae6b43f1496eca7d0a07d28bb05c39a"
}
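The pipeline described in the post, as an added example that is not part of the original post and is my code, not David Chisnall's: a hypothetical parser with an analyser-flagged `memcpy`, a hook at the flagged site that fires when the report's precondition (`reclen > 32`) actually holds, the libFuzzer entry point that exercises it, and a greedy chunk-deletion minimiser for the inputs the fuzzer finds. The record format, the "analyser finding", the hook and all function names are assumptions for illustration.

```c
/* Added example (not David Chisnall's code): a libFuzzer-style harness whose
 * oracle is the precondition from a hypothetical static-analysis report, plus
 * a greedy test-case minimiser.  The record format, the "finding" and every
 * name below are assumptions.  Stand-alone:  cc -Wall -g example.c && ./a.out
 * Under libFuzzer (its own main, ASan as oracle):
 *   clang -fsanitize=fuzzer,address -DUSE_LIBFUZZER example.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORD 32

/* Hit counter for the generated hook.  A real pipeline would __builtin_trap()
 * here so libFuzzer saves the input; this example counts and bails out before
 * the overflow so it runs without sanitizers. */
static int g_flagged_hits;

/* Hypothetical target: 'R' <count> then <count> records of <len><payload>.
 * Assumed analyser report: the memcpy into rec overflows when reclen > 32,
 * a path the analyser can see but cannot show to be reachable from input. */
int record_payload_sum(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint8_t rec[MAX_RECORD];
    uint32_t sum = 0;
    size_t pos = 2;
    if (len < 2 || buf[0] != 'R') return -1;                    /* bad magic */
    for (uint8_t r = 0; r < buf[1]; r++) {
        if (pos >= len) return -2;                              /* truncated */
        size_t reclen = buf[pos++];
        if (reclen > len - pos) return -2;                      /* truncated */
        if (reclen > MAX_RECORD) { g_flagged_hits++; return -3; } /* generated hook */
        memcpy(rec, buf + pos, reclen);
        for (size_t i = 0; i < reclen; i++) sum += rec[i];
        pos += reclen;
    }
    *out = sum;
    return 0;
}

/* libFuzzer entry point: hand the raw input to the flagged function. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint32_t sum;
    (void)record_payload_sum(data, size, &sum);
    return 0;
}

/* 1 if this input drives execution into the analyser-flagged state. */
int reaches_flagged_state(const uint8_t *data, size_t size)
{
    g_flagged_hits = 0;
    LLVMFuzzerTestOneInput(data, size);
    return g_flagged_hits > 0;
}

/* Greedy reducer: delete chunks of 8, 4, 2, 1 bytes for as long as the hook
 * still fires.  Modifies buf in place and returns the new length. */
size_t minimise_trigger(uint8_t *buf, size_t len)
{
    uint8_t saved[8];
    int progress;
    if (!reaches_flagged_state(buf, len)) return len;
    do {
        progress = 0;
        for (size_t chunk = 8; chunk >= 1; chunk /= 2)
            for (size_t i = 0; i + chunk <= len;) {
                memcpy(saved, buf + i, chunk);
                memmove(buf + i, buf + i + chunk, len - i - chunk);
                if (reaches_flagged_state(buf, len - chunk)) {
                    len -= chunk; progress = 1;                 /* keep the cut */
                } else {                                        /* undo, move on */
                    memmove(buf + i + chunk, buf + i, len - i - chunk);
                    memcpy(buf + i, saved, chunk);
                    i++;
                }
            }
    } while (progress);
    return len;
}

/* Constructed sample (42 bytes): a 3-byte record, a 33-byte record that trips
 * the hook, two junk bytes.  Returns the minimised length; the length byte and
 * its 33 payload bytes are the part no deletion can remove. */
static uint8_t g_sample[64];
size_t demo_minimise_sample(void)
{
    static const uint8_t head[7] = { 'R', 2, 3, 'a', 'b', 'c', 33 };
    memset(g_sample, 0, sizeof g_sample);
    memcpy(g_sample, head, sizeof head);
    g_sample[40] = 'X'; g_sample[41] = 'Y';
    return minimise_trigger(g_sample, 42);
}

/* Benign constructed input 'R' 1 3 "abc": never reaches the hook, sums to 294. */
uint32_t demo_benign_sum(void)
{
    const uint8_t ok[6] = { 'R', 1, 3, 'a', 'b', 'c' };
    uint32_t sum = 0;
    return record_payload_sum(ok, sizeof ok, &sum) == 0 ? sum : 0;
}

#ifndef USE_LIBFUZZER                       /* libFuzzer supplies its own main */
int main(void)
{
    size_t n = demo_minimise_sample();
    printf("hook reached; 42-byte sample minimised to %zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", g_sample[i]);
    printf("\n");
    return 0;
}
#endif
```

The harness only ever calls the flagged function; the analyser's precondition becomes the oracle, so a hit is a concrete input for the report rather than a guess about reachability. Under a real libFuzzer build the hook would trap instead of returning, ASan would catch the overflow itself, and `-minimize_crash=1` would do the reduction that `minimise_trigger` sketches here. Byte deletion alone cannot shrink the 33-byte payload, because the length prefix must still be covered by the remaining input, so the 42-byte sample bottoms out at 36 bytes; a format-aware reducer would also be able to lower the length byte.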