Out-of-memory in pdf_fm2js_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5443593342025728
Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State: pdf_fm2js_fuzzer
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=470859:470917
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5443593342025728

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Oct 30 2017

Nov 7 2017
This is rooted in the fact that assignment expressions are currently implemented as binary expressions, which are a type of simple expression in the grammar, instead of as a top-level expression. Thus statements like a=b=1 are being accepted. Such expressions are not valid FormCalc, so they should be rejected. The specific example has a large number of assignments being chained, which are either causing the parser to misbehave or generating very large JS.
Nov 8 2017

Nov 8 2017

Feb 1 2018
FormCalc things
Feb 15 2018
The CF file has 20 assignments, which seems really small for us to be running out of memory on, even if the statement isn't valid FormCalc.
Feb 15 2018
(That being said, we generate > 20k lines of JS for this statement.)
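The grammar problem described in the Nov 7 comment (assignment parsed as a binary operator inside simple expressions, so a=b=1 and parenthesised assignments get through) and the 20-assignments-to-tens-of-thousands-of-lines observation above, as an added example that is not PDFium code: a toy FormCalc-to-JS front end with a switch between the grammar before the fix and the grammar after it. The is_obj/asgn_val_op lowering, the exact line counts and all identifiers are assumptions for illustration; the real emitter's output is not on this page. The point the toy makes is structural: once the right-hand side of an assignment is emitted more than once, a chain of n assignments produces output that doubles with every link, so a short input is enough to exhaust memory, and the fix is to make the grammar reject the chain rather than to make the emitter cope with it.

```cpp
#include <algorithm>
#include <cctype>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

struct Node {
  explicit Node(std::string t) : text(std::move(t)) {}
  Node(std::unique_ptr<Node> l, std::unique_ptr<Node> r) : lhs(std::move(l)), rhs(std::move(r)) {}
  std::string text;                // identifier or number literal (leaf)
  std::unique_ptr<Node> lhs, rhs;  // set only for assignment nodes
  // ASSUMPTION for illustration (not PDFium's real output): an assignment is lowered to
  // a runtime type check whose two branches each repeat the operands.
  std::string ToJS() const {
    if (!lhs) return text;
    const std::string l = lhs->ToJS(), r = rhs->ToJS();
    return "if (is_obj(" + l + ")) {\n  asgn_val_op(" + l + ", " + r + ");\n} else {\n  " +
           l + " = " + r + ";\n}\n";
  }
};

class Parser {
 public:
  // assign_is_binary_op=true models the grammar before the fix, false the grammar after.
  Parser(const std::string& src, bool assign_is_binary_op) : buggy_(assign_is_binary_op) {
    for (size_t i = 0, j = 0; i < src.size(); i = j) {  // tokens: identifiers, numbers, = ( )
      unsigned char c = src[i];
      if (std::isalnum(c)) { for (j = i; j < src.size() && std::isalnum(static_cast<unsigned char>(src[j])); ++j) {} }
      else if (c == '=' || c == '(' || c == ')' || std::isspace(c)) j = i + 1;
      else throw std::runtime_error(std::string("bad character: ") + src[i]);
      if (!std::isspace(c)) toks_.push_back(src.substr(i, j - i));
    }
  }
  std::unique_ptr<Node> ParseStatement() {
    std::unique_ptr<Node> n = buggy_ ? ParseBuggySimple() : ParseFixedStatement();
    if (!Peek().empty()) throw std::runtime_error("trailing input: " + Peek());
    return n;
  }

 private:
  // Before: simple := primary { '=' simple }. The loop lets '=' chain, and ParsePrimary
  // re-enters it inside parentheses, so "(a = 1)" is accepted as well.
  std::unique_ptr<Node> ParseBuggySimple() {
    std::unique_ptr<Node> left = ParsePrimary();
    while (Peek() == "=") {
      Next();
      left = std::make_unique<Node>(std::move(left), ParseBuggySimple());
    }
    return left;
  }
  // After: statement := ident '=' expression | expression. At most one '=', and
  // ParseExpression never consumes one, so "a = b = 1" and "(a = 1)" are rejected.
  std::unique_ptr<Node> ParseFixedStatement() {
    if (pos_ + 1 < toks_.size() && IsIdent(toks_[pos_]) && toks_[pos_ + 1] == "=") {
      auto lhs = std::make_unique<Node>(Next());
      Next();  // the single '='
      return std::make_unique<Node>(std::move(lhs), ParseExpression());
    }
    return ParseExpression();
  }
  // Other operators are left out; expression := primary is enough to show where '=' may go.
  std::unique_ptr<Node> ParseExpression() { return ParsePrimary(); }
  std::unique_ptr<Node> ParsePrimary() {
    std::string t = Next();
    if (t == "(") {
      std::unique_ptr<Node> inner = buggy_ ? ParseBuggySimple() : ParseExpression();
      Expect(")");
      return inner;
    }
    if (t == "=" || t == ")") throw std::runtime_error("unexpected " + t);
    return std::make_unique<Node>(t);
  }
  static bool IsIdent(const std::string& t) { return std::isalpha(static_cast<unsigned char>(t[0])) != 0; }
  std::string Peek() const { return pos_ < toks_.size() ? toks_[pos_] : ""; }
  std::string Next() { return pos_ < toks_.size() ? toks_[pos_++] : throw std::runtime_error("unexpected end"); }
  void Expect(const std::string& t) { if (Next() != t) throw std::runtime_error("expected " + t); }

  bool buggy_;
  std::vector<std::string> toks_;
  size_t pos_ = 0;
};

struct Result { bool ok; std::string js; std::string error; };
// Parse one statement under the chosen grammar and lower it to JS, or report why it was rejected.
Result Translate(const std::string& formcalc, bool assign_is_binary_op) {
  try {
    Parser p(formcalc, assign_is_binary_op);
    return {true, p.ParseStatement()->ToJS(), ""};
  } catch (const std::runtime_error& e) {
    return {false, "", e.what()};
  }
}
size_t LineCount(const std::string& js) { return std::count(js.begin(), js.end(), '\n'); }
// Constructed input in the shape of the fuzzer testcase: "v0 = v1 = ... = 1" with n '='.
std::string ChainedAssignment(int n) {
  std::string s;
  for (int i = 0; i < n; ++i) s += "v" + std::to_string(i) + " = ";
  return s + "1";
}
```

With this lowering, one assignment is 5 JS lines and a chain of n is 5·(2^n − 1), so ChainedAssignment(20) under the pre-fix grammar is over five million lines from a 100-byte input; the post-fix grammar returns "trailing input: =" for the same string, and "expected )" for "(a = 1)". The same two checks are what a regression test for the fix should assert: the parser rejects chained and parenthesised assignments, and the emitted JS stays bounded by a small multiple of the input size.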
Feb 20 2018
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/dd019e9e8144636c75111565af5b120cf9c0ef9b

commit dd019e9e8144636c75111565af5b120cf9c0ef9b
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Tue Feb 20 15:52:31 2018

Tighten up assignment instructions in formcalc.

The assignment operator can not be chained. This CL removes the while loop for assignments and changes it to an if(). We also can not have an assignment inside ()'s so remove that option.

Bug: chromium:779349
Change-Id: I6934e18815f843ae8241023df6c03d8bbcd8168d
Reviewed-on: https://pdfium-review.googlesource.com/27350
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/dd019e9e8144636c75111565af5b120cf9c0ef9b/xfa/fxfa/fm2js/cxfa_fmexpression.cpp
[modify] https://crrev.com/dd019e9e8144636c75111565af5b120cf9c0ef9b/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
[modify] https://crrev.com/dd019e9e8144636c75111565af5b120cf9c0ef9b/xfa/fxfa/fm2js/cxfa_fmexpression.h
[modify] https://crrev.com/dd019e9e8144636c75111565af5b120cf9c0ef9b/xfa/fxfa/fm2js/cxfa_fmparser.cpp
Feb 20 2018

Feb 21 2018
ClusterFuzz has detected this issue as fixed in range 537796:537806.

Detailed report: https://clusterfuzz.com/testcase?key=5443593342025728
Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State: pdf_fm2js_fuzzer
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=470859:470917
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=537796:537806
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5443593342025728

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 21 2018
ClusterFuzz testcase 5443593342025728 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 23 2018

Feb 27 2018
ClusterFuzz testcase 4712766297079808 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Feb 27 2018

Apr 28 2018

May 9 2018
Unduped the bug as this one is fixed but the dup'd bug wasn't.
Comment 1 by kkaluri@chromium.org, Oct 30 2017
Components: Internals>Plugins>PDF
Labels: M-63 CF-NeedsTriage Test-Predator-Wrong