This is neat. Turns out JS JIT engines have all the tools needed for fine-grained differential fuzzing already built-in.

https://www.ndss-symposium.org/ndss-paper/dumpling-fine-grained-differential-javascript-engine-fuzzing/