We should add a simple target to js/src/fuzz-tests that takes the libFuzzer-provided input and feeds it directly to JS::Evaluate. This will probably not find many runtime bugs, but it will stress the parser a lot, in particular error paths in the parser that our normal JS fuzzers try to avoid. Especially with some new syntax being added to JS (BigInts, Nullish Coalescing, etc), this target should be able to provide additional value whenever we make parser changes. Historically, we have found such bugs before (mostly by accident through LangFuzz because the grammar is not perfect). Implementation should be trivial, I'll make a patch.

Marking this s-s because we need to do some testing first before landing this code to m-c to ensure we don't 0-day ourselves.

I had this backed out (https://hg.mozilla.org/integration/autoland/rev/cfc3b847727f6a9a284433db34ebfee7f5bb1882) because of linter failures. Apparently the linter considers all JS shell functions as undefined.

I will push a fixed patch next week.

https://hg.mozilla.org/integration/autoland/rev/a049b02d8c985f78da32fef1979d7e4e72636b43
https://hg.mozilla.org/mozilla-central/rev/a049b02d8c98