# tree-crasher

tree-crasher is an easy-to-use grammar-based black-box fuzzer. It parses a number of input files using [tree-sitter][tree-sitter] grammars, and produces new files formed by splicing together their ASTs.

tree-crasher aims to occupy a different niche from more advanced grammar-based fuzzers like Gramatron, Nautilus, and Grammarinator. Rather than achieve maximal coverage and bug-finding through complete, hand-written grammars and complex techniques like coverage-based feedback, tree-crasher aims to achieve maximal ease-of-use by using off-the-shelf tree-sitter grammars and not requiring any instrumentation (nor even source code) for the target. In short, tree-crasher wants to be the [Radamsa][radamsa] of grammar-based fuzzing.

tree-crasher uses [treereduce][treereduce] to automatically minimize generated test-cases.

For more information, see [the documentation][doc].

## Examples

When reading these examples, keep in mind that fuzzing can cause unpredictable behaviors. Always fuzz in a VM or Docker container with a memory limit, no network access, and no important files.

### JavaScript interpreters

Obtain a collection of JavaScript files and put them in `corpus/` (for example, using [this script](./scripts/corpora/js.sh)). Then here's how to fuzz [JerryScript][jerryscript] and [Boa][boa]:

```sh
tree-crasher-javascript corpus/ jerry
tree-crasher-javascript corpus/ boa
```

(By default, tree-crasher passes input to the target on stdin.)

[boa]: https://github.com/boa-dev/boa
[jerryscript]: https://github.com/jerryscript-project/jerryscript

### Python's regex engine

Write `rx.py` like so:

```python
import re
import sys

try:
    # tree-crasher feeds each generated regex on stdin; use it both as the
    # pattern and as the subject string.
    s = sys.stdin.read()
    r = re.compile(s)
    print(r.match(s))
except Exception:
    # Invalid patterns raise re.error; that is expected and not interesting.
    # Only a crash of the interpreter itself should surface to the fuzzer.
    pass
```

Put some sample regular expressions in `corpus/`. Then:

```sh
tree-crasher-regex corpus/ -- python3 $PWD/rx.py
```

### rustc

tree-crasher has found many bugs in rustc. Here's how it was done!

The special `@@` symbol on the command line gets replaced by the file generated by tree-crasher.

```sh
tree-crasher-rust \
  --interesting-stderr "(?m)^error: internal compiler error:" \
  corpus \
  -- \
  rustc +nightly --crate-type=lib --emit=mir -Zmir-opt-level=4 @@.rs
```

(The regex syntax is that of the [regex crate](https://docs.rs/regex/latest/regex/).)

### More examples

See [the documentation][doc] for more examples.

## Bugs found

tree-crasher uses [tree-splicer][tree-splicer] to generate test cases; see the list of bugs found in that project's README.

If you find a bug with tree-crasher, please let me know! One great way to do so would be to submit a PR to tree-splicer to add it to the README.

## Supported languages

tree-crasher supports 9+ languages; see [the documentation][doc] for details.

## Documentation

Documentation is available [online][doc] or in `./doc`.

[doc]: https://langston-barrett.github.io/tree-crasher/
[radamsa]: https://gitlab.com/akihe/radamsa
[tree-sitter]: https://tree-sitter.github.io/tree-sitter/
[tree-splicer]: https://github.com/langston-barrett/tree-splicer
[treereduce]: https://github.com/langston-barrett/treereduce
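To make the two target-invocation conventions from the examples above concrete (input on stdin by default, or a generated file substituted for `@@`, with a run judged interesting by a regex over stderr as in the rustc example), here is an added Python illustration. It is not tree-crasher's own code: the names `RunResult`, `substitute_input`, `stderr_is_interesting`, `run_target` and `demo` are my own, the "target" is a constructed stand-in (this same Python interpreter printing a fake ICE line, not rustc), and tree-crasher's real handling of `@@`, timeouts and crash detection may differ from what is assumed here.

```python
"""Added illustration of classifying one target run by an stderr regex, in the
spirit of tree-crasher's --interesting-stderr flag. Not tree-crasher's code."""
import re
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# The pattern from the README's rustc example. Python's re, like the regex
# crate, accepts the inline (?m) flag so that ^ matches at every line start.
ICE_PATTERN = r"(?m)^error: internal compiler error:"


@dataclass
class RunResult:
    returncode: Optional[int]  # None on timeout; negative on POSIX = killed by signal
    stderr: str
    interesting: bool          # True when stderr matched the pattern


def substitute_input(argv_template: List[str], path) -> List[str]:
    """Replace every `@@` placeholder with the generated file's path.

    Assumption: plain textual substitution, so `@@.rs` becomes `<path>.rs`
    and the caller must have written the file under that name.
    """
    return [arg.replace("@@", str(path)) for arg in argv_template]


def stderr_is_interesting(stderr: str, pattern: str = ICE_PATTERN) -> bool:
    """True if the regex matches anywhere in the captured stderr."""
    return re.search(pattern, stderr) is not None


def run_target(argv_template, path, pattern=ICE_PATTERN, timeout=30) -> RunResult:
    """Run the target once on one generated file and classify the run.

    If the template contains `@@`, the file path is substituted in; otherwise
    the file's contents are passed on stdin (the README's default).
    """
    path = Path(path)
    uses_file = any("@@" in arg for arg in argv_template)
    argv = substitute_input(argv_template, path)
    io = {"stdin": subprocess.DEVNULL} if uses_file else {"input": path.read_text()}
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, **io)
    except subprocess.TimeoutExpired:
        # A hang is worth recording on its own; it is not an stderr match.
        return RunResult(returncode=None, stderr="", interesting=False)
    return RunResult(
        returncode=proc.returncode,
        stderr=proc.stderr,
        interesting=stderr_is_interesting(proc.stderr, pattern),
    )


def demo(via_file: bool = True) -> RunResult:
    """Run a constructed stand-in target that fakes an ICE message.

    The stand-in is this Python interpreter, not rustc: it reads the generated
    input (from the `@@` file or from stdin), writes a constructed
    "internal compiler error" line, and exits 101, the code Rust programs use
    when they panic. All data here is constructed for the illustration.
    """
    reader = "open(sys.argv[1]).read()" if via_file else "sys.stdin.read()"
    fake_rustc = (
        "import sys\n"
        f"src = {reader}.strip()\n"
        "sys.stderr.write('error: internal compiler error: ' + src + '\\n')\n"
        "sys.exit(101)\n"
    )
    template = [sys.executable, "-c", fake_rustc] + (["@@"] if via_file else [])
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "case.rs"
        case.write_text("fn main() {}\n")  # constructed "generated" input
        return run_target(template, case)


if __name__ == "__main__":
    for via_file in (True, False):
        result = demo(via_file)
        print(f"via_file={via_file} exit={result.returncode} "
              f"interesting={result.interesting}")
```

Running the file exercises both conventions against the stand-in; with a real target you would replace `template` by the command line after `--` in the examples above and loop over the generated files, saving any run whose `interesting` flag is set (or whose `returncode` is negative) for minimization.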