
tree-splicer

tree-splicer is a simple grammar-based test case generator (black-box fuzzer). It uses tree-sitter grammars to parse a number of input files, and produces new files formed by splicing together parts of the input files.

tree-splicer aims to occupy a different niche from more advanced grammar-based fuzzers like Gramatron, Nautilus, and Grammarinator. Rather than achieve maximal coverage and bug-finding through complete, hand-written grammars and complex techniques like coverage-based feedback, tree-splicer aims to achieve maximal ease-of-use by using off-the-shelf tree-sitter grammars and not requiring any instrumentation (nor even source code) for the target. In short, tree-splicer wants to be the Radamsa of grammar-based fuzzing.

tree-sitter parsers are tolerant of syntax errors, so tree-splicer can even mutate syntactically-invalid inputs. You can also use tree-splicer with an incomplete grammar.

Example

Given this simple Rust program:

use std::env;

fn even(x: usize) -> bool {
    if x % 2 == 0 {
        return true;
    } else {
        return false;
    }
}

fn main() -> () {
    let argc = env::args().len();
    println!("Hello, world!");
    if even(argc) {
        println!("Even!");
    } else {
        println!("Odd!");
    }
    return ();
}

Here are a few candidates created by tree-splicer-rust:

use even::env;

fn even() -> bool {
    if even(argc) {
        println!("Even!");
    } else {
        println!("Odd!");
    }
}

fn std() -> () {
    return true;
}

use args::env;

fn argc(main: usize) -> bool {
    return true;
}

fn even(x: usize) -> bool {
    if x % 2 == 0 {
        return true;
    } else {
        return false;
    }
}

use std::env;

fn x(x: usize) -> bool {
    return true;
}

fn x(x: usize) -> () {
    return false;
}
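
The splicing idea described above, reduced to a small self-contained Rust program, as an added example that is not tree-splicer's own code. It does not use tree-sitter (assumed unavailable here): the "parsed" inputs are trees constructed by hand, and the Node type, the node kind names, the xorshift generator and every function in it are assumptions made for this example, not the project's API. Inputs are indexed by node kind into a donor pool, and each candidate is produced by replacing one randomly chosen subtree of a randomly chosen input with a donor subtree of the same kind, which is why the candidates above still look like Rust even when they make no sense.

```rust
// Added example, not tree-splicer's own code: tree-sitter is replaced by
// hand-built trees, and all names below are assumptions for this demo.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct Node {
    pub kind: &'static str,  // grammar node type, e.g. "fn_item" or "block"
    pub text: String,        // source text; only leaves carry any
    pub children: Vec<Node>,
}

impl Node {
    pub fn leaf(kind: &'static str, text: &str) -> Node {
        Node { kind, text: text.to_string(), children: Vec::new() }
    }
    pub fn inner(kind: &'static str, children: Vec<Node>) -> Node {
        Node { kind, text: String::new(), children }
    }
    /// Serialise a tree back to text: leaves print their text, inner nodes
    /// join their non-empty children with single spaces.
    pub fn render(&self) -> String {
        if self.children.is_empty() {
            return self.text.clone();
        }
        let parts: Vec<String> =
            self.children.iter().map(Node::render).filter(|s| !s.is_empty()).collect();
        parts.join(" ")
    }
}

/// Tiny xorshift64 so that one seed reproduces the same candidates.
pub struct Rng(u64);
impl Rng {
    pub fn new(seed: u64) -> Rng { Rng(seed.max(1)) }
    pub fn pick(&mut self, n: usize) -> usize {
        let mut x = self.0;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.0 = x;
        (x % n as u64) as usize
    }
}

/// The donor pool: every subtree of every input file, indexed by node kind.
pub fn build_pool(inputs: &[Node]) -> HashMap<&'static str, Vec<Node>> {
    fn walk(n: &Node, pool: &mut HashMap<&'static str, Vec<Node>>) {
        pool.entry(n.kind).or_default().push(n.clone());
        for c in &n.children { walk(c, pool); }
    }
    let mut pool = HashMap::new();
    for t in inputs { walk(t, &mut pool); }
    pool
}

/// Paths (sequences of child indices) to every non-root node of a tree.
fn paths(n: &Node, prefix: &mut Vec<usize>, out: &mut Vec<Vec<usize>>) {
    for (i, child) in n.children.iter().enumerate() {
        prefix.push(i);
        out.push(prefix.clone());
        paths(child, prefix, out);
        prefix.pop();
    }
}

/// One splice: replace a random node of `target` with a random donor subtree
/// of the same kind, so the result keeps the grammar's shape.
pub fn splice_once(target: &Node, pool: &HashMap<&'static str, Vec<Node>>, rng: &mut Rng) -> Node {
    let mut out = target.clone();
    let mut ps = Vec::new();
    paths(&out, &mut Vec::new(), &mut ps);
    let path = &ps[rng.pick(ps.len())];
    let mut slot = &mut out;
    for &i in path { slot = &mut slot.children[i]; }
    if let Some(donors) = pool.get(slot.kind) {
        *slot = donors[rng.pick(donors.len())].clone();
    }
    out
}

/// Produce `count` candidates, each one splice away from a random input file.
pub fn generate(inputs: &[Node], count: usize, seed: u64) -> Vec<String> {
    let pool = build_pool(inputs);
    let mut rng = Rng::new(seed);
    (0..count).map(|_| {
        let target = &inputs[rng.pick(inputs.len())];
        splice_once(target, &pool, &mut rng).render()
    }).collect()
}

/// Two constructed "parsed" inputs standing in for what a parser would give
/// for `fn even(x: usize) -> bool { return true; }` and `fn main() { println!("Hello"); }`.
pub fn sample_inputs() -> Vec<Node> {
    let fn_item = |name: &str, params: &str, ret: &str, body: Node| Node::inner("fn_item", vec![
        Node::leaf("kw", "fn"), Node::leaf("identifier", name),
        Node::leaf("parameters", params), Node::leaf("return_type", ret),
        Node::inner("block", vec![Node::leaf("punct", "{"), body, Node::leaf("punct", "}")]),
    ]);
    let ret_true = Node::inner("return_expression",
        vec![Node::leaf("kw", "return"), Node::leaf("literal", "true"), Node::leaf("punct", ";")]);
    let call = Node::inner("macro_invocation",
        vec![Node::leaf("identifier", "println!"), Node::leaf("arguments", "(\"Hello\")"), Node::leaf("punct", ";")]);
    vec![
        Node::inner("source_file", vec![fn_item("even", "(x: usize)", "-> bool", ret_true)]),
        Node::inner("source_file", vec![fn_item("main", "()", "", call)]),
    ]
}

fn main() {
    for (i, c) in generate(&sample_inputs(), 5, 42).iter().enumerate() {
        println!("candidate {i}: {c}");
    }
}
```

Because donors are only ever substituted for nodes of the same kind, every candidate still has a source_file root whose function item has the same five-part shape as the inputs; what changes is which identifier, block or keyword lands where. With real tree-sitter output the pool is built the same way from the parser's node types, including the error-tolerant nodes it emits for malformed input.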

Supported languages

Languages are easy to add; see PR #3 for an example.

  • JavaScript
  • Rust
  • TypeScript

Bugs found

rustc

#109066 #109071 #109072 #109078 #109079 #109090 #109129 #109141 #109143 #109144 #109146 #109147 #109148 #109152 #109178 #109188 #109191 #109204 #109232 #109239 #109296 #109297 #109298 #109299 #109300 #109304 #109305

rustfmt

#5716

Installation

From a release

Statically-linked Linux binaries are available on the releases page.

From crates.io

You can build a released version from crates.io. You'll need the Rust compiler and the Cargo build tool. rustup makes it very easy to obtain these. Then, to install the generator for the language <LANG>, run:

cargo install tree-splicer-<LANG>

This will install binaries in ~/.cargo/bin by default.

Build

To build from source, you'll need the Rust compiler and the Cargo build tool. rustup makes it very easy to obtain these. Then, get the source:

git clone https://github.com/langston-barrett/tree-splicer
cd tree-splicer

Finally, build everything:

cargo build --release

You can find binaries in target/release. Run tests with cargo test.