CONCEPT Cited by 1 source
Differential fuzzing
Differential fuzzing is the testing technique of feeding the same randomly/fuzz-generated input to two (or more) implementations of a specification and treating any divergence in their outputs, error/exception behaviour, or observable state as a bug: each implementation acts as the oracle for the other. It's a fuzzer-shaped cousin of parser-differential analysis — but used constructively during development (to find and remove divergences) rather than observed destructively during exploitation (to abuse them).
Canonical use cases
- Parallel rewrite of a well-specified library — run the new implementation alongside the old one and flag every divergence. The Meta WhatsApp wamedia C++→Rust rewrite is the wiki-canonical instance: "we developed the Rust version of wamedia in parallel with the original C++ version. We used differential fuzzing and extensive integration and unit tests to ensure compatibility between the two implementations."
- Cross-implementation conformance testing — fuzz a spec (JSON, regex, URL, MP4) across multiple parsers and surface divergences as bugs; deciding which parser is wrong still needs the spec, but the fuzzer has already done the hard part of finding the input. Related to (and a defense against) concepts/parser-differential when both parsers live inside the same security decision.
- Compiler / interpreter validation — compile and run the same generated program under the candidate and an oracle (a reference implementation, an interpreter, a simulator, or the same compiler at a different optimisation level) and compare the observable behaviour.
Why it works
Well-specified libraries have an oracle for correctness — the existing implementation. Differential fuzzing exploits that oracle without requiring the tester to articulate the specification in testable form. Every randomly-generated input is automatically paired with its "correct" output (the old implementation's) — no handwritten expectations needed. Two practical consequences: a crash or exception on one side only is as much a finding as a differing return value, so the harness must capture both; and where the spec legitimately permits several outputs (map ordering, error-message text), the comparison has to run over a canonical form, or the fuzzer drowns in false positives.
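As an added example (not code from this page or from the wamedia work it cites), a minimal differential harness in Python. The standard library's `urllib.parse.unquote_to_bytes` plays the trusted existing implementation; `unquote_rewrite` is a hypothetical rewrite written here to carry a realistic divergence (a lenient hex parse, exactly the kind of thing a parser-differential attacker looks for). Random inputs over a constructed alphabet go to both sides, any difference including one side raising is a finding, and a greedy minimizer shrinks the first hit to a reproducer. The alphabet, seed and iteration count are assumptions chosen for the example.

```python
"""Minimal differential fuzzing harness (added example, not project code).

Oracle:  urllib.parse.unquote_to_bytes  (stdlib; plays the trusted, existing implementation)
Subject: unquote_rewrite               (hypothetical rewrite carrying a realistic divergence)
Any difference in result, including one side raising, is reported as a bug.
"""
import random
from urllib.parse import unquote_to_bytes


def unquote_rewrite(s: str) -> bytes:
    """Hypothetical rewrite of percent-decoding.

    Looks correct, but int(x, 16) is more lenient than a two-hex-digit check:
    it accepts a leading '+' and surrounding whitespace, so "%+f" decodes to
    0x0f here while the oracle leaves the invalid escape as the literal "%+f".
    """
    data = s.encode("utf-8")
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x25 and i + 3 <= len(data):      # '%' with two bytes after it
            try:
                out.append(int(data[i + 1:i + 3], 16))  # BUG: lenient hex parse
                i += 3
                continue
            except ValueError:
                pass                                    # not an escape: keep it literal
        out.append(data[i])
        i += 1
    return bytes(out)


def observe(fn, inp):
    """Run one implementation and capture everything observable: the result on
    success, or the exception type on failure. A crash on one side only is a
    divergence too, so it must be part of what gets compared."""
    try:
        return ("ok", fn(inp))
    except Exception as e:  # noqa: BLE001 - recording any crash is the point
        return ("exc", type(e).__name__)


def diverges(inp: str) -> bool:
    """True when oracle and subject disagree on this input."""
    return observe(unquote_to_bytes, inp) != observe(unquote_rewrite, inp)


ALPHABET = "%+ 0aFxz"   # constructed: '%', sign/space, hex digits, non-hex letters


def fuzz(iterations: int, seed: int, max_len: int = 8):
    """Feed the same random input to both implementations; return the first
    diverging input, or None if none was found within the budget."""
    rng = random.Random(seed)
    for _ in range(iterations):
        inp = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, max_len)))
        if diverges(inp):
            return inp
    return None


def minimize(inp: str) -> str:
    """Greedy one-character delta reduction: drop any character whose removal
    keeps the divergence, until no single removal does."""
    changed = True
    while changed:
        changed = False
        for i in range(len(inp)):
            cand = inp[:i] + inp[i + 1:]
            if cand and diverges(cand):
                inp, changed = cand, True
                break
    return inp


if __name__ == "__main__":
    hit = fuzz(iterations=5000, seed=1234)
    if hit is None:
        print("no divergence found")
    else:
        small = minimize(hit)
        print(f"divergence on {hit!r}, minimized to {small!r}")
        print("  oracle :", observe(unquote_to_bytes, small))
        print("  rewrite:", observe(unquote_rewrite, small))
```

The harness never states what correct percent-decoding is; the oracle does that implicitly, which is the whole appeal. The flip side is visible too: had `unquote_rewrite` been a copy of the oracle's own lenient logic, the same run would report nothing.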
What it doesn't catch
- Shared bugs — if both implementations carry the same bug (common upstream, the rewrite ported the original's logic faithfully, the same incorrect reading of the spec), differential fuzzing reports no divergence; the oracle is only as correct as the old code.
- Spec deviations by both — if both implementations deviate from the spec in the same direction, differential fuzzing is silent; the spec itself has no fuzzer-checkable oracle unless a third, independent implementation is added.
- Non-functional regressions — memory use, performance, binary size don't produce output divergence; they need their own measurement.
Sibling disciplines
- concepts/parser-differential — the attack class that differential fuzzing defends against constructively (during rewrite) or detects destructively (during research).
- Mutation fuzzing — random-byte mutation of a real corpus; in practice this is where differential fuzzing gets its inputs, since a purely random generator rarely reaches deep into a parser.
- Coverage-guided fuzzing — AFL / libFuzzer / honggfuzz class tools; orthogonal to the differential oracle but typically stacked with it (the coverage feedback drives input generation, the second implementation supplies the bug oracle).
Seen in
- sources/2026-01-28-meta-rust-at-scale-an-added-layer-of-security-for-whatsapp — first instance in the wiki. wamedia C++→Rust parallel-rewrite compatibility was enforced via differential fuzzing plus extensive integration and unit tests. The patterns/parallel-rewrite-with-differential-testing pattern page carries the pattern-level canonicalisation.