Ecosyste.ms: Awesome

https://github.com/langston-barrett/tree-crasher

Easy-to-use grammar-based black-box fuzzer. Has found dozens of bugs in important targets like Clang, Deno, and rustc.

black-box-testing fuzzer fuzzing grammar-based grammar-based-fuzzing

README

# tree-crasher

tree-crasher is an easy-to-use grammar-based black-box fuzzer. It parses a
number of input files using [tree-sitter][tree-sitter] grammars, and produces
new files formed by splicing together their ASTs.

tree-crasher aims to occupy a different niche from more advanced grammar-based
fuzzers like Gramatron, Nautilus, and Grammarinator. Rather than achieve
maximal coverage and bug-finding through complete, hand-written grammars and
complex techniques like coverage-based feedback, tree-crasher aims to achieve
maximal ease-of-use by using off-the-shelf tree-sitter grammars and not
requiring any instrumentation (nor even source code) for the target. In short,
tree-crasher wants to be the [Radamsa][radamsa] of grammar-based fuzzing.

tree-crasher uses [treereduce][treereduce] to automatically minimize generated
test-cases.

For more information, see [the documentation][doc].

## Examples

When reading these examples, keep in mind that fuzzing can cause unpredictable
behaviors. Always fuzz in a VM or Docker container with a memory limit, no
network access, and no important files.
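A resource-limiting wrapper you can put in front of any target, added here as an example (it is not part of tree-crasher). It assumes Linux with coreutils `timeout` and a shell whose `ulimit -v` works; the file name `sandbox.sh`, the `FUZZ_*` variables and the `run_limited`/`classify_status` helpers are this example's own. It relies only on the `--` target syntax and the stdin and `@@` conventions shown in the examples that follow, and it forwards stdin and arguments untouched, so `tree-crasher-javascript corpus/ -- ./sandbox.sh jerry` behaves like the unwrapped command except that a hung or memory-hungry input is killed instead of taking the machine down.

```sh
#!/bin/sh
# sandbox.sh (hypothetical name): resource-limiting wrapper for a fuzz target.
# Added example, not part of tree-crasher. Assumes Linux with coreutils
# `timeout` and a shell whose `ulimit -v` works.
#
#   tree-crasher-javascript corpus/ -- ./sandbox.sh jerry
#   tree-crasher-rust corpus -- ./sandbox.sh rustc +nightly --crate-type=lib @@.rs
#
# Limits come from the environment so one script serves every target.
FUZZ_TIMEOUT_SECS="${FUZZ_TIMEOUT_SECS:-10}"   # wall-clock budget per input
FUZZ_MEM_KB="${FUZZ_MEM_KB:-1048576}"          # address-space cap, 1 GiB

# run_limited SECS MEM_KB CMD [ARGS...]
# Runs CMD in a subshell under the limits and returns its exit status: the
# target's own code on normal exit, 128+signal if a signal killed it, 124 if
# `timeout` had to stop it (137 if TERM was ignored and the follow-up KILL
# was needed). stdin is inherited, so stdin-fed targets work unchanged.
run_limited() {
    secs="$1"; mem_kb="$2"; shift 2
    (
        ulimit -v "$mem_kb" || exit 125   # never run without a memory cap
        exec timeout -k 2 "$secs" "$@"
    )
}

# classify_status STATUS
# Prints a one-word triage label for a status returned by run_limited.
# 137 is ambiguous: it is both "KILLed by timeout" and "KILLed by the OOM
# killer", hence the combined label.
classify_status() {
    case "$1" in
        0)       echo "ok" ;;
        124|137) echo "timeout-or-killed" ;;
        125)     echo "wrapper-error" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash:signal$(( $1 - 128 ))"
            else
                echo "error:exit$1"
            fi ;;
    esac
}

# When given a command line, act as the wrapper itself. `exec` is used here
# instead of run_limited so that the process tree-crasher waits on *is*
# `timeout`, which re-raises the target's fatal signal on itself; the fuzzer
# therefore observes the same termination status the target produced.
if [ "$#" -gt 0 ]; then
    ulimit -v "$FUZZ_MEM_KB" || exit 125
    exec timeout -k 2 "$FUZZ_TIMEOUT_SECS" "$@"
fi
```

Two caveats. `ulimit -v` caps address space, which breaks AddressSanitizer builds (they reserve a very large shadow mapping at start-up); for sanitizer builds drop the cap and rely on the container's memory limit (`docker run --memory ...`) instead. The script also does nothing about network access; that still belongs to the VM or container (`--network none`) the note above asks for.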

### JavaScript interpreters

Obtain a collection of JavaScript files and put them in `corpus/` (for
example, using [this script](./scripts/corpora/js.sh)). Then here's how to fuzz
[JerryScript][jerryscript] and [Boa][boa]:

```sh
tree-crasher-javascript corpus/ jerry
tree-crasher-javascript corpus/ boa
```

(By default, tree-crasher passes input to the target on stdin.)

[boa]: https://github.com/boa-dev/boa
[jerryscript]: https://github.com/jerryscript-project/jerryscript

### Python's regex engine

Write `rx.py` like so:
```python
import re
import sys
try:
s = sys.stdin.read()
r = re.compile(s)
print(r.match(s))
except:
pass
```

Put some sample regular expressions in `corpus/`. Then:
```sh
tree-crasher-regex corpus/ -- python3 $PWD/rx.py
```

### rustc

tree-crasher has found many bugs in rustc. Here's how it was done! The special
`@@` symbol on the target command line is replaced by the path of the file
generated by tree-crasher, so targets that need a file argument rather than
stdin (like rustc) can be fuzzed too. `--interesting-stderr` marks a run as
interesting whenever the target's stderr matches the given regex, which is what
lets it catch internal compiler errors, which rustc reports as a message on
stderr rather than by crashing.

```sh
tree-crasher-rust \
--interesting-stderr "(?m)^error: internal compiler error:" \
corpus \
-- \
rustc +nightly --crate-type=lib --emit=mir -Zmir-opt-level=4 @@.rs
```

(The regex syntax is that of the
[regex crate](https://docs.rs/regex/latest/regex/).)

### More examples

See [the documentation][doc] for more examples.

## Bugs found

tree-crasher uses [tree-splicer][tree-splicer] to generate test cases; see the
list of bugs found in that project's README.

If you find a bug with tree-crasher, please let me know! One great way to do so
would be to submit a PR to tree-splicer to add it to the README.

## Supported languages

tree-crasher supports 9+ languages, see [the documentation][doc] for details.

## Documentation

Documentation is available [online][doc] or in `./doc`.

[doc]: https://langston-barrett.github.io/tree-crasher/
[radamsa]: https://gitlab.com/akihe/radamsa
[tree-sitter]: https://tree-sitter.github.io/tree-sitter/
[tree-splicer]: https://github.com/langston-barrett/tree-splicer
[treereduce]: https://github.com/langston-barrett/treereduce