tree-splicer is a simple grammar-based test case generator (black-box fuzzer). It uses tree-sitter grammars to parse a number of input files, and produces new files formed by splicing together parts of the input files.
tree-splicer aims to occupy a different niche from more advanced grammar-based fuzzers like Gramatron, Nautilus, and Grammarinator. Rather than achieve maximal coverage and bug-finding through complete, hand-written grammars and complex techniques like coverage-based feedback, tree-splicer aims to achieve maximal ease-of-use by using off-the-shelf tree-sitter grammars and not requiring any instrumentation (nor even source code) for the target. In short, tree-splicer wants to be the Radamsa of grammar-based fuzzing.
tree-sitter grammars are resistant to syntax errors. Therefore, tree-splicer can even mutate syntactically-invalid inputs! You can also use tree-splicer with an incomplete grammar.
Given this simple Rust program:

```rust
use std::env;

fn even(x: usize) -> bool {
    if x % 2 == 0 {
        return true;
    } else {
        return false;
    }
}

fn main() -> () {
    let argc = env::args().len();
    println!("Hello, world!");
    if even(argc) {
        println!("Even!");
    } else {
        println!("Odd!");
    }
    return ();
}
```
Here are a few candidates created by tree-splicer-rust:

```rust
use even::env;

fn even() -> bool {
    if even(argc) {
        println!("Even!");
    } else {
        println!("Odd!");
    }
}

fn std() -> () {
    return true;
}
```

```rust
use args::env;

fn argc(main: usize) -> bool {
    return true;
}

fn even(x: usize) -> bool {
    if x % 2 == 0 {
        return true;
    } else {
        return false;
    }
}
```

```rust
use std::env;

fn x(x: usize) -> bool {
    return true;
}

fn x(x: usize) -> () {
    return false;
}
```
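The candidates above come from one operation: a node in the target's parse tree is replaced by a node of the same kind taken from another input, so the result still parses even though it may not type-check (note the two definitions of `fn x` and the `use even::env;` path). The following added example, which is not part of tree-splicer and not code from the project, shows that operation in miniature. It assumes a hand-written recursive-descent parser for a tiny arithmetic language with tree-sitter-style node kinds (`binary_expression`, `parenthesized_expression`, `identifier`, `number`) in place of a real tree-sitter grammar; unlike tree-sitter, this toy parser is not error-tolerant, so it cannot mutate syntactically invalid inputs.

```python
"""Toy subtree splicer in the spirit of tree-splicer (added example, not project code).

Programs are parsed into tree-sitter-style nodes; a subtree of the target is
replaced by a subtree of the *same kind* from a donor, so the output is always
syntactically valid for this toy grammar even when it is semantically nonsense.
"""
import copy
import random
import re
from dataclasses import dataclass, field

# number | identifier | any other single non-newline character (operators, parens)
TOKEN_RE = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(.))")


@dataclass
class Node:
    kind: str                        # tree-sitter-style node kind
    text: str = ""                   # leaf text (numbers, identifiers, operators)
    children: list = field(default_factory=list)

    def to_source(self) -> str:
        """Unparse the tree back into source text."""
        if not self.children:
            return self.text
        parts = [c.to_source() for c in self.children]
        if self.kind == "parenthesized_expression":
            return "".join(parts)    # "(" + inner + ")"
        return " ".join(parts)


def tokenize(src: str) -> list:
    toks = []
    for m in TOKEN_RE.finditer(src):
        num, ident, other = m.groups()
        if num:
            toks.append(("number", num))
        elif ident:
            toks.append(("identifier", ident))
        elif other and not other.isspace():
            toks.append(("op", other))
    return toks


class Parser:
    """expr := term (('+'|'-') term)*; term := factor (('*'|'/') factor)*;
    factor := number | identifier | '(' expr ')'"""

    def __init__(self, src: str):
        self.toks, self.i = tokenize(src), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self) -> Node:
        node = self.expr()
        if self.i != len(self.toks):
            raise SyntaxError(f"unexpected token {self.peek()[1]!r}")
        return node

    def expr(self) -> Node:
        node = self.term()
        while self.peek()[1] in ("+", "-"):
            op = Node("operator", self.take()[1])
            node = Node("binary_expression", children=[node, op, self.term()])
        return node

    def term(self) -> Node:
        node = self.factor()
        while self.peek()[1] in ("*", "/"):
            op = Node("operator", self.take()[1])
            node = Node("binary_expression", children=[node, op, self.factor()])
        return node

    def factor(self) -> Node:
        kind, text = self.peek()
        if kind in ("number", "identifier"):
            self.take()
            return Node(kind, text)
        if text == "(":
            self.take()
            inner = self.expr()
            if self.peek()[1] != ")":
                raise SyntaxError("expected ')'")
            self.take()
            return Node("parenthesized_expression",
                        children=[Node("punct", "("), inner, Node("punct", ")")])
        raise SyntaxError(f"unexpected token {text!r}")


def nodes_by_kind(root: Node) -> dict:
    """Pre-order index of every node, grouped by kind (like a tree-sitter query)."""
    index = {}

    def walk(n):
        index.setdefault(n.kind, []).append(n)
        for c in n.children:
            walk(c)

    walk(root)
    return index


def splice_at(target_src: str, donor_src: str, kind: str, target_index: int, donor_index: int) -> str:
    """Replace the target_index-th node of `kind` in target with the donor_index-th node of `kind` from donor."""
    target, donor = Parser(target_src).parse(), Parser(donor_src).parse()
    victim = nodes_by_kind(target)[kind][target_index]
    graft = copy.deepcopy(nodes_by_kind(donor)[kind][donor_index])
    victim.kind, victim.text, victim.children = graft.kind, graft.text, graft.children
    return target.to_source()


def splice_random(target_src: str, donor_src: str, seed: int = 0) -> str:
    """Pick a kind present in both inputs and splice one random subtree of that kind."""
    rng = random.Random(seed)
    target_kinds = nodes_by_kind(Parser(target_src).parse())
    donor_kinds = nodes_by_kind(Parser(donor_src).parse())
    shared = sorted(k for k in target_kinds if k in donor_kinds and k != "punct")
    kind = rng.choice(shared)
    return splice_at(target_src, donor_src, kind,
                     rng.randrange(len(target_kinds[kind])),
                     rng.randrange(len(donor_kinds[kind])))


def is_well_formed(src: str) -> bool:
    """Re-parse a candidate; a splicer that respects node kinds never produces a failure here."""
    try:
        Parser(src).parse()
        return True
    except (SyntaxError, IndexError):
        return False


if __name__ == "__main__":
    # Constructed sample inputs; a real run would read a corpus of files.
    for seed in range(5):
        print(splice_random("a * (b + 1) - c", "(x + y) / 2", seed))
```

Because a `binary_expression` is only ever replaced by another `binary_expression` (and so on for each kind), `is_well_formed` holds for every candidate; the mutations that matter downstream are the semantic ones, such as references to identifiers the target never defined, which is exactly what pushes a compiler's front end past the parser.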
Languages are easy to add, see PR #3 for an example.
- JavaScript
- Rust
- TypeScript
#109066 #109071 #109072 #109078 #109079 #109090 #109129 #109141 #109143 #109144 #109146 #109147 #109148 #109152 #109178 #109188 #109191 #109204 #109232 #109239 #109296 #109297 #109298 #109299 #109300 #109304 #109305
Statically-linked Linux binaries are available on the releases page.

You can build a released version from crates.io. You'll need the Rust compiler and the Cargo build tool. rustup makes it very easy to obtain these. Then, to install the generator for the language `<LANG>`, run:

```sh
cargo install tree-splicer-<LANG>
```

This will install binaries in `~/.cargo/bin` by default.
To build from source, you'll need the Rust compiler and the Cargo build tool. rustup makes it very easy to obtain these. Then, get the source:

```sh
git clone https://github.com/langston-barrett/tree-splicer
cd tree-splicer
```

Finally, build everything:

```sh
cargo build --release
```

You can find binaries in `target/release`. Run tests with `cargo test`.