RGFuzz: Rule-Guided Fuzzer for WebAssembly Runtimes

Abstract

WebAssembly runtimes embed compilers that translate WebAssembly code into machine code for execution. These compilers use many compiler rules to define how the WebAssembly code is optimized and lowered. However, existing testing tools struggle to explore these rules effectively because of their complexity. Moreover, the limitations of their generation strategies keep them from producing diverse test cases, which can leave bugs undetected.

This paper presents RGFuzz, a differential fuzzer for WebAssembly runtimes that addresses these limitations through two novel techniques. First, RGFuzz uses rule-guided fuzzing: it extracts compiler rules from the WebAssembly runtime wasmtime and uses them to guide test case generation, thereby exploring complex rules effectively. Second, RGFuzz uses reverse stack-based generation to produce diverse test cases. Together, these techniques enable RGFuzz to find bugs effectively in WebAssembly runtimes. We implemented RGFuzz and evaluated it on six engines: wasmtime, Wasmer, WasmEdge, V8, SpiderMonkey, and JavaScriptCore. RGFuzz found 20 new bugs in these engines, including one that was assigned a CVE ID. Our evaluation demonstrates that RGFuzz outperforms existing fuzzers by utilizing the extracted rules and generating diverse test cases.
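The abstract names reverse stack-based generation but does not describe the algorithm, so the following is an added illustration of the general idea as I would sketch it, not RGFuzz's code or the paper's method: a generator that starts from the result type a function must leave on the WebAssembly operand stack, picks an instruction that produces that type, and recursively generates the operands that instruction consumes, so every emitted sequence is well-typed by construction. The instruction table, the "interesting" constant values, and all function names (`generate`, `stack_types`, `gen_func`) are my own assumptions; the forward type simulator in `stack_types` is a self-check that the generated body really type-checks before it is handed to a runtime.

```python
import random

# Constructed table of a small subset of WebAssembly numeric instructions:
# opcode -> (operand types consumed from the stack, result type pushed).
INSTRS = {
    "i32.add": (("i32", "i32"), "i32"),
    "i32.sub": (("i32", "i32"), "i32"),
    "i32.mul": (("i32", "i32"), "i32"),
    "i32.and": (("i32", "i32"), "i32"),
    "i32.eqz": (("i32",), "i32"),
    "i32.clz": (("i32",), "i32"),
    "i32.wrap_i64": (("i64",), "i32"),
    "i64.add": (("i64", "i64"), "i64"),
    "i64.mul": (("i64", "i64"), "i64"),
    "i64.extend_i32_s": (("i32",), "i64"),
}
CONSTS = {"i32": "i32.const", "i64": "i64.const"}

# Constructed boundary values that tend to exercise constant folding and
# lowering rules (zero, one, all-ones, and the signed extremes).
INTERESTING = {
    "i32": [0, 1, -1, 2147483647, -2147483648],
    "i64": [0, 1, -1, 9223372036854775807, -9223372036854775808],
}


def _gen_reverse(result_type, depth, rng):
    """Return instructions (in execution order) that leave result_type on the stack.

    The producer of the final value is chosen first; its operands are then
    generated recursively, which is what 'reverse' means here.
    """
    if depth == 0:
        return [f"{CONSTS[result_type]} {rng.choice(INTERESTING[result_type])}"]
    candidates = [op for op, (_, out) in INSTRS.items() if out == result_type]
    op = rng.choice(candidates)
    operand_types, _ = INSTRS[op]
    code = []
    for t in operand_types:          # operands are pushed left to right
        code += _gen_reverse(t, depth - 1, rng)
    code.append(op)                  # consumer comes last in execution order
    return code


def generate(result_type, depth, seed):
    """Deterministic wrapper: same seed, same test case (useful for reproducing bugs)."""
    return _gen_reverse(result_type, depth, random.Random(seed))


def stack_types(code):
    """Forward-simulate the operand stack types; raise TypeError on ill-typed code."""
    stack = []
    for instr in code:
        op = instr.split()[0]
        if op in ("i32.const", "i64.const"):
            stack.append(op[:3])
            continue
        operand_types, out = INSTRS[op]
        n = len(operand_types)
        if len(stack) < n or tuple(stack[len(stack) - n:]) != operand_types:
            raise TypeError(f"{op} expects {operand_types}, stack is {stack}")
        del stack[len(stack) - n:]
        stack.append(out)
    return stack


def gen_func(result_type, depth, seed):
    """Wrap a generated body in a WAT module exporting a single nullary function."""
    body = generate(result_type, depth, seed)
    if stack_types(body) != [result_type]:
        raise AssertionError("generator produced an ill-typed body")
    lines = "\n    ".join(body)
    return f'(module\n  (func (export "f") (result {result_type})\n    {lines}))'


if __name__ == "__main__":
    print(gen_func("i32", 3, seed=42))
```

The emitted text module is the kind of input a differential harness would feed to several runtimes, comparing the exported function's return value across engines and flagging any disagreement; because the body type-checks by construction, a disagreement points at a miscompilation rather than at a validation error. Real rule-guided generation would additionally bias the choice of opcodes and constants toward the patterns an extracted compiler rule matches on, which this sketch does not model.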

Publication
Proceedings of the 46th IEEE Symposium on Security and Privacy (Oakland)