Stack-overflow in CXFA_FMDotAccessorExpression::ToJavaScript
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6078368541048832

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe11398fa8
Crash State:
  CXFA_FMDotAccessorExpression::ToJavaScript

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6078368541048832

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 14 2017
Predator and CL could not provide any possible suspects. Using Code Search for the file "cxfa_fmsimpleexpression.cpp", assigning to the concerned owner who might be related to or have worked on a similar file. rharrison@ -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Sep 18 2017
XFA bug which is not enabled in any Chrome branch. Removing M-60 label.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid. (bulk edit)
Oct 25 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb

commit 1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb
Author: Ryan Harrison <rharrison@chromium.org>
Date: Wed Oct 25 18:50:23 2017

Add in depth check for ToJavascript and related methods

There exists a similar check for the parser, but it doesn't catch all cases of excessive memory usage, since a single parse step can generate multiple expressions that need to be converted, or other cases where the parse depth doesn't match the emission depth later.

Due to the expressions appearing in two different inheritance hierarchies, the depth information needs to be stored outside of the classes, thus the new depth class. Another way to handle this would be to change the method calls to take in a visitor object that tracks depth. This would require significant reworking of some of the code, so I am going to file a bug about doing that conversion as a cleanup.

BUG= chromium:752495
Change-Id: Ica7c9b60ecf1e17530ea88b7bfb01582c63043be
Reviewed-on: https://pdfium-review.googlesource.com/16752
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>

[modify] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
[modify] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/xfa/fxfa/fm2js/cxfa_fmexpression.cpp
[modify] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/xfa/fxfa/fm2js/cxfa_fmsimpleexpression_unittest.cpp
[modify] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/BUILD.gn
[modify] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/xfa/fxfa/fm2js/cxfa_fmsimpleexpression.cpp
[modify] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
[add] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/xfa/fxfa/fm2js/cxfa_fmtojavascriptdepth.h
[add] https://crrev.com/1e19e25cd10c24f25beddff56b7c4b5fdc5adbcb/xfa/fxfa/fm2js/cxfa_fmtojavascriptdepth.cpp
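The mitigation pattern the commit message describes, as an added example that is not pdfium's code: the recursion budget lives in a stand-alone RAII class rather than in either expression hierarchy, and each ToJavaScript step returns false when the budget is exhausted instead of recursing until the stack overflows. EmitDepth, Expr, Identifier, DotAccessor, Emit and the limit of 32 are hypothetical names and values chosen for this illustration.

```cpp
#include <memory>
#include <string>
#include <utility>
// RAII recursion budget: a static counter kept outside the node classes, so
// nodes from unrelated hierarchies draw on one limit (hypothetical, not pdfium's).
class EmitDepth {
 public:
  static constexpr int kMaxDepth = 32;  // hypothetical limit
  EmitDepth() { ++depth_; }
  ~EmitDepth() { --depth_; }
  bool TooDeep() const { return depth_ > kMaxDepth; }
  static int Current() { return depth_; }
 private:
  static int depth_;
};
int EmitDepth::depth_ = 0;
struct Expr {
  virtual ~Expr() = default;
  virtual bool ToJavaScript(std::string* out) const = 0;  // false: budget hit
};
struct Identifier : Expr {  // leaf: no recursion, so no budget needed
  std::string name;
  explicit Identifier(std::string n) : name(std::move(n)) {}
  bool ToJavaScript(std::string* out) const override { *out += name; return true; }
};
// Models "a.b": the object operand is itself an expression, so root.m0.m1...
// recurses once per accessor while emitting.
struct DotAccessor : Expr {
  std::unique_ptr<Expr> object;
  std::string member;
  DotAccessor(std::unique_ptr<Expr> o, std::string m) : object(std::move(o)), member(std::move(m)) {}
  bool ToJavaScript(std::string* out) const override {
    EmitDepth guard;  // every nested emission step consumes one unit of budget
    if (guard.TooDeep()) return false;  // stop before recursing any deeper
    if (!object->ToJavaScript(out)) return false;
    *out += "." + member;
    return true;
  }
};
// Constructed input: build root.m0...m(depth-1) and emit it; false means the
// guard ended the recursion rather than the stack running out.
bool Emit(int depth, std::string* out) {
  std::unique_ptr<Expr> e = std::make_unique<Identifier>("root");
  for (int i = 0; i < depth; ++i)
    e = std::make_unique<DotAccessor>(std::move(e), "m" + std::to_string(i));
  out->clear();
  return e->ToJavaScript(out);
}
```

Because the counter is decremented in the guard's destructor, an early return on any level leaves the budget at zero again, so a rejected expression does not poison later emissions.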
Oct 25 2017
Oct 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2c831a14c07c91e327c2a27d46de9e41b134afe8

commit 2c831a14c07c91e327c2a27d46de9e41b134afe8
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Wed Oct 25 23:40:17 2017

Roll src/third_party/pdfium/ 5daf07afe..06673ede2 (10 commits)

https://pdfium.googlesource.com/pdfium.git/+log/5daf07afe5b7..06673ede2dda

$ git log 5daf07afe..06673ede2 --date=short --no-merges --format='%ad %ae %s'
2017-10-25 hnakashima Add --regenerate_expected option to test_runner.py.
2017-10-25 npm Enforce end of data in CJBig2_ArithDecoder
2017-10-25 dsinclair Remove unused CJS_Object methods
2017-10-25 dsinclair Remove CJS_Date
2017-10-25 dsinclair Remove methods from CJS_Date
2017-10-25 dsinclair Remove CJS_Value
2017-10-25 rharrison Fixing the prefix on IsTooBig
2017-10-25 rharrison Add in depth check for ToJavascript and related methods
2017-10-25 dsinclair Refactor JS method parameters and return values.
2017-10-24 dsinclair Only set return value if one provided

Created with:
  roll-dep src/third_party/pdfium

BUG= 752495

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see: http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

TBR=dsinclair@chromium.org
Change-Id: I6e41c5fa2771c5db9f9f87d2ff4a0ad075b773dd
Reviewed-on: https://chromium-review.googlesource.com/738820
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#511646}

[modify] https://crrev.com/2c831a14c07c91e327c2a27d46de9e41b134afe8/DEPS
Oct 26 2017
ClusterFuzz has detected this issue as fixed in range 511619:511648.

Detailed report: https://clusterfuzz.com/testcase?key=6078368541048832

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe11398fa8
Crash State:
  CXFA_FMDotAccessorExpression::ToJavaScript

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=511619:511648

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6078368541048832

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 26 2017
ClusterFuzz testcase 6078368541048832 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 7 2017
Comment 1 by manoranj...@chromium.org, Aug 17 2017