This work addresses previously underexplored security risks at the interaction boundary between JavaScript and WebAssembly (Wasm). The authors propose Weaver, the first gray-box fuzzing framework specifically designed for this cross-language interface. Weaver introduces a novel generation strategy based on dual-type representations and an intelligent mutation scheduling mechanism grounded in the UCB-1 multi-armed bandit algorithm, enabling type-aware testing across language boundaries. Experimental evaluation on three major JavaScript engines demonstrates that Weaver substantially improves code coverage and successfully uncovers two previously unknown vulnerabilities, one of which has been classified as high-severity and assigned the highest priority by vendors.

The security of modern JavaScript (JS) engines is critical since they provide the primary defense mechanism for executing untrusted code on the web. The recent integration of WebAssembly (Wasm) has transformed these engines into complex polyglot environments, creating a novel attack surface at the JS-Wasm interaction boundary due to the distinct type systems and memory models of two languages. This boundary remains largely underexplored, as previous works mainly focus on testing JS and Wasm as two isolated entities rather than investigating the security implications of their cross-language interactions. This paper proposes Weaver, an effective greybox fuzzing framework specifically tailored to uncover vulnerabilities at the JS-Wasm boundary. To comply with the language constraints, Weaver uses a type-aware generation strategy, meticulously maintaining the dual-type representation for every generated variables. This allows fuzzer to validly utilize variables across the language boundary. Besides, Weaver leverages the UCB-1 algorithm to intelligently schedule mutators and generators to maximize the discovery of new code paths. We have implemented and evaluated Weaver on three JS engines. The results indicate that Weaver achieves superior code coverage compared to state-of-the-art fuzzers. Moreover, Weaver has uncovered two new bugs in the latest versions of these engines, one of which is considered high severity and set to highest priority, demonstrating the practicality of Weaver.