fuzz: add differential_spec fuzzing target

This new target compares the outputs of executing the first exported
function of a Wasm module in Wasmtime and in the official Wasm spec
interpreter (using the `wasm-spec-interpreter` crate). This is an
initial step towards more fully-featured fuzzing (e.g. compare memories,
add `v128`, add references, add other proposals, etc.)

fuzz/Cargo.toml

@@ -52,6 +52,12 @@ path = "fuzz_targets/differential.rs"
 test = false
 doc = false
 
+[[bin]]
+name = "differential_spec"
+path = "fuzz_targets/differential_spec.rs"
+test = false
+doc = false
+
 [[bin]]
 name = "differential_wasmi"
 path = "fuzz_targets/differential_wasmi.rs"

fuzz/fuzz_targets/differential_spec.rs

@@ -0,0 +1,13 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use wasmtime_fuzzing::{generators, oracles};
+
+fuzz_target!(|data: (
+    generators::Config,
+    wasm_smith::ConfiguredModule<oracles::SingleFunctionModuleConfig>
+)| {
+    let (config, mut wasm) = data;
+    wasm.ensure_termination(1000);
+    oracles::differential_spec_execution(&wasm.to_bytes(), &config);
+});