Usage
The inputs to tree-crasher are a corpus of files and a command to run. By
default, tree-crasher passes inputs to the command on stdin, but will replace
the special symbol @@
with a filename as seen in the examples above.
tree-crasher saves inputs that match a set of conditions. By default the only
condition is that the target receives an unhandled signal (e.g., a segfault).
Extra conditions may be added with the --interesting*
flags, see --help
.
tree-crasher does not exit gracefully at the moment; just send SIGINT (ctrl-c) when you're done fuzzing.
Examples
When reading these examples, keep in mind that fuzzing can cause unpredictable behaviors. Always fuzz in a VM or Docker container with a memory limit, no network access, and no important files.
JavaScript interpreters
Obtain a collection of JavaScript files and put them in corpus/
(for example,
using this script). Then here's how to fuzz
JerryScript and Boa:
tree-crasher-javascript corpus/ jerry
tree-crasher-javascript corpus/ boa
(By default, tree-crasher passes input to the target on stdin.)
Python's regex engine
Write rx.py
like so:
import re
import sys
try:
s = sys.stdin.read()
r = re.compile(s)
print(r.match(s))
except:
pass
Put some sample regular expressions in corpus/
. Then:
tree-crasher-regex corpus/ -- python3 $PWD/rx.py
rustc
tree-crasher has found many bugs in rustc. Here's how it was done! The special
@@
symbol on the command line gets replaced by the file generated by
tree-crasher.
tree-crasher-rust \
--interesting-stderr "(?m)^error: internal compiler error:" \
corpus \
-- \
rustc +nightly --crate-type=lib --emit=mir -Zmir-opt-level=4 @@.rs
(The regex syntax is that of the regex crate.)
Here's how to limit the amount of memory taken by tree-crasher and rustc using
systemd-run
, and drop network access using unshare
:
systemd-run --scope -p MemoryMax=16G -p MemorySwapMax=0B --user \
unshare -Umn \
tree-crasher-rust \
--interesting-stderr "(?m)^error: internal compiler error:" \
corpus \
-- \
rustc +nightly --crate-type=lib --emit=mir -Zmir-opt-level=4 @@.rs
SQL databases
Obtain a collection of SQL files (for example, using this script). Then here's how to fuzz DuckDB:
tree-crasher-sql --interesting-stderr "INTERNAL Error" corpus/ -- duckdb
Sometimes, you keep running into the same bug and would like to stop reporting
it. For that, you can use --uninteresting-stderr
:
tree-crasher-sql \
--interesting-stderr "INTERNAL Error" \
--uninteresting-stderr "INTERNAL Error.+HyperLogLog::ComputeHashes" \
corpus \
-- \
duckdb
Even more examples
Clang (frontend) (see also this script):
tree-crasher-c corpus/ --interesting-stderr "(?m)^PLEASE " -- clang -c -O0 -o /dev/null -emit-llvm -Xclang -disable-llvm-passes @@.c
tree-crasher-javascript corpus/ -- deno fmt @@.js
tree-crasher-sql corpus/ -- clickhouse local