integrate with OSS-Fuzz

Open firewave opened this issue 1 year ago • 2 comments

The main downstream user Cppcheck is already integrated with OSS-Fuzz. As that is supposed to be used as a CLI application in the first place (although it also could be used as a library) and it also offers to perform the analysis in separate threads (albeit not on Windows - yet), fixing the fuzzing findings is not that crucial as they will mostly just be invalid code.

This is much different for this project though as it is supposed to be used as a library or inside another application by design. That makes stability and security a high priority. We have not encountered much in this regard in the past but that doesn't mean there are no actual things to find.

firewave avatar Feb 22 '24 18:02 firewave

I already have a fuzzing client locally which I will publish in a PR soon. I have no permissions into the OSS-Fuzz integration (or this project) so somebody else needs to prepare the upstream integration.

The preliminary results also show that there are several issues in the code which can manifest in any possible way (crashes, leaks, hangs, out-of-memory).

firewave avatar Feb 22 '24 18:02 firewave

Preliminary client published as #351.

Before integrating it with OSS-Fuzz we should fix all known issues which were encountered during local fuzzing. Maybe even fix some of the known hot spots to improve the performance.

firewave avatar May 06 '24 11:05 firewave
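Local fuzzing of the kind described in this thread produces a pile of reproducer files that have to be sorted into the categories listed above (crashes, leaks, hangs, out-of-memory) and de-duplicated before anyone can "fix all known issues". The triage script below is an added example written for this page; it is not part of simplecpp, Cppcheck or the fuzzing client in #351. It assumes a libFuzzer-built target binary (so the `-timeout`/`-rss_limit_mb` flags and the report formats are LLVM's own), and the sample reports embedded in it are constructed for the self-check, with made-up frame names rather than real findings.

```python
"""Triage helper for local fuzzing findings.

Added example, not code from simplecpp, Cppcheck or the fuzzing client in #351.
classify() maps one run's stderr onto the kinds of finding listed in the issue
(crash, leak, hang, out-of-memory), top_frame() picks the first stack frame
outside the sanitizer runtime so reproducers of one bug share a bucket, and
replay() runs a directory of reproducers through a libFuzzer-built target.
Marker strings are the ones LLVM's libFuzzer and sanitizers print; the sample
reports at the bottom are constructed for the self-check (made-up frame names).
"""
import re
import subprocess
import sys
from collections import defaultdict
from pathlib import Path

# Checked in this order: a leak report ends with an "AddressSanitizer:" summary
# line and an out-of-memory report is also an "ERROR", so the more specific
# markers have to win.
_PATTERNS = (
    ("hang", re.compile(r"libFuzzer: timeout")),
    ("out-of-memory", re.compile(r"libFuzzer: out-of-memory"
                                 r"|AddressSanitizer: (?:allocation-size-too-big|requested allocation size)")),
    ("leak", re.compile(r"LeakSanitizer: detected memory leaks")),
    ("crash", re.compile(r"(?:AddressSanitizer|UndefinedBehaviorSanitizer|MemorySanitizer): "
                         r"|libFuzzer: deadly signal|runtime error:")),
)
# Stack lines look like "    #3 0x55d0 in func(args) file.cpp:12:5".
_FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-fA-F]+ in (.+)$", re.MULTILINE)
# Frames owned by the sanitizer runtime or the allocator say nothing about the bug.
_RUNTIME_FRAMES = ("__interceptor_", "__asan_", "__sanitizer", "__lsan", "__ubsan",
                   "malloc", "calloc", "realloc", "operator new")


def classify(stderr: str) -> str:
    """Return 'hang', 'out-of-memory', 'leak', 'crash' or 'clean' for one run's stderr."""
    for label, pattern in _PATTERNS:
        if pattern.search(stderr):
            return label
    return "clean"


def top_frame(stderr: str) -> str:
    """First frame of the first stack trace that is not in the sanitizer runtime."""
    for rest in _FRAME.findall(stderr):
        func, _, _loc = rest.rpartition(" ")   # drop the trailing file:line:col token
        func = func or rest                     # frame printed without a location
        if not func.startswith(_RUNTIME_FRAMES):
            return func
    return "<no stack>"


def signature(stderr: str):
    """Bucket key: reproducers with the same (kind, frame) are most likely one bug."""
    return classify(stderr), top_frame(stderr)


def replay(target, reproducers, timeout_s=30, rss_limit_mb=2048):
    """Run each reproducer once through the target and group results by signature.
    A libFuzzer binary executes a file given as argument exactly once;
    -timeout and -rss_limit_mb are libFuzzer's own flags."""
    groups = defaultdict(list)
    for repro in reproducers:
        cmd = [str(target), f"-timeout={timeout_s}", f"-rss_limit_mb={rss_limit_mb}", str(repro)]
        try:
            stderr = subprocess.run(cmd, capture_output=True, text=True,
                                    timeout=timeout_s + 10).stderr
        except subprocess.TimeoutExpired:
            stderr = "libFuzzer: timeout (process killed by replay())"  # alarm never fired
        groups[signature(stderr)].append(Path(repro))
    return dict(groups)


# Constructed sample reports (not real findings); frame names are made up.
ASAN_REPORT = """==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000015
READ of size 1 at 0x602000000015 thread T0
    #0 0x55d0 in simplecpp::TokenList::readfile(std::istream&, std::string const&) simplecpp.cpp:100:5
    #1 0x55d1 in LLVMFuzzerTestOneInput fuzz.cpp:12:5
SUMMARY: AddressSanitizer: heap-buffer-overflow simplecpp.cpp:100:5
"""
LEAK_REPORT = """==4243==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x4f00 in operator new(unsigned long) /src/llvm/asan_new_delete.cpp:95:3
    #1 0x5e00 in simplecpp::preprocess(simplecpp::TokenList&) simplecpp.cpp:200:9
SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).
"""
TIMEOUT_REPORT = """==4244== ERROR: libFuzzer: timeout after 30 seconds
    #0 0x7f00 in __sanitizer_print_stack_trace /src/llvm/asan_stack.cpp:86:3
    #1 0x5f00 in simplecpp::TokenList::constFold() simplecpp.cpp:300:1
SUMMARY: libFuzzer: timeout
"""
OOM_REPORT = """==4245== ERROR: libFuzzer: out-of-memory (malloc(4294967296))
    #0 0x4f10 in __interceptor_malloc /src/llvm/asan_malloc_linux.cpp:69:3
    #1 0x5f10 in simplecpp::TokenList::readfile(std::istream&, std::string const&) simplecpp.cpp:120:7
SUMMARY: libFuzzer: out-of-memory
"""

if __name__ == "__main__":
    # usage: python triage.py ./simplecpp_fuzzer ./crashes/
    target, corpus = Path(sys.argv[1]), Path(sys.argv[2])
    for (kind, frame), files in sorted(replay(target, sorted(corpus.iterdir())).items()):
        print(f"{kind:14} {len(files):4}  {frame}")
```

Grouping by the first non-runtime frame is deliberately coarse: it folds dozens of crash files from one bug into a single line, which is what you want before starting to fix them, but two distinct bugs that share an entry point will also land in one bucket, so re-run the replay after each fix rather than trusting the bucket count.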