Raku / problem-solving

🦋 Problem Solving, a repo for handling problems that require review, deliberation and possibly debate
Artistic License 2.0

Check MoarVM out using OSS-fuzz #121

Open JJ opened 4 years ago

JJ commented 4 years ago

Theoretically, OSS-Fuzz is able to detect possible problems and vulnerabilities. Apparently it's not straightforward to use, but maybe we could keep it in mind to run it some time in the future. Google organizes workshops during some events (for instance, one during this Google Summer of Code Mentor Summit), so maybe at FOSDEM or some other event like that you can catch up with some Google people who can help you set this up.

Kaiepi commented 4 years ago

OpenBSD's potentially another option in the meantime. With it, libc can be configured so malloc can detect certain types of vulnerabilities, and W^X detected there may be potential for ROP vulnerabilities in the JIT. I'll see if anything comes up when configuring malloc for auditing.