Timeout in pdf_fm2js_fuzzer
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4710966582050816

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State:
  pdf_fm2js_fuzzer

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=583285:583294

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4710966582050816

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Oct 1
Since this is XFA, I can take a look.
Oct 3
Oct 4
The following revision refers to this bug:
https://pdfium.googlesource.com/pdfium/+/d86d6a737e2b7f51a6ac245b611e32bf0fc25d29

commit d86d6a737e2b7f51a6ac245b611e32bf0fc25d29
Author: Ryan Harrison <rharrison@chromium.org>
Date: Thu Oct 04 17:28:17 2018

Reject argument lists that are not comma separated

The FormCalc grammar explicitly calls out that argument lists must have commas separating the simple expressions that make up the elements. The current implementation will accept the invalid string !a!b!c, which is 3 variables; !a, !b, and !c.

BUG= chromium:890407

Change-Id: I3e2da4abce9989e9e9b929ce2da030e0f8dfd371
Reviewed-on: https://pdfium-review.googlesource.com/c/43430
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

[modify] https://crrev.com/d86d6a737e2b7f51a6ac245b611e32bf0fc25d29/xfa/fxfa/fm2js/cxfa_fmparser.h
[modify] https://crrev.com/d86d6a737e2b7f51a6ac245b611e32bf0fc25d29/xfa/fxfa/fm2js/cxfa_fmparser_unittest.cpp
[modify] https://crrev.com/d86d6a737e2b7f51a6ac245b611e32bf0fc25d29/xfa/fxfa/fm2js/cxfa_fmparser.cpp
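
The grammar rule named in the commit message above, as an added C++ example that is not PDFium's parser code. `ParseArgList` and its `require_commas` flag are hypothetical, and the sketch assumes arguments are bare identifiers under a simplified identifier rule rather than full FormCalc simple expressions.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Simplified identifier rule (assumption): first char is a letter, '_', '$'
// or '!'; later chars are letters, digits, '_' or '$'.
static bool IsIdentStart(char c) {
  return std::isalpha(static_cast<unsigned char>(c)) || c == '_' ||
         c == '$' || c == '!';
}
static bool IsIdentPart(char c) {
  return std::isalnum(static_cast<unsigned char>(c)) || c == '_' || c == '$';
}
static void SkipSpaces(const std::string& s, std::size_t* i) {
  while (*i < s.size() && s[*i] == ' ') ++*i;
}

// Parses the text between a call's parentheses into |out|; false on error.
// require_commas == false accepts adjacent arguments (the lenient behaviour).
bool ParseArgList(const std::string& s, bool require_commas,
                  std::vector<std::string>* out) {
  out->clear();
  std::size_t i = 0;
  SkipSpaces(s, &i);
  if (i == s.size()) return true;  // Empty argument list.
  while (true) {
    if (i >= s.size() || !IsIdentStart(s[i]))
      return false;  // Expected an argument (also catches a trailing comma).
    std::size_t start = i++;
    while (i < s.size() && IsIdentPart(s[i])) ++i;
    out->push_back(s.substr(start, i - start));
    SkipSpaces(s, &i);
    if (i == s.size()) return true;
    if (s[i] == ',') {
      ++i;
      SkipSpaces(s, &i);
    } else if (require_commas) {
      return false;  // Two arguments with no ',' between them.
    }
  }
}

int main() {
  std::vector<std::string> args;
  bool lenient = ParseArgList("!a!b!c", false, &args);  // string from the commit message
  bool strict = ParseArgList("!a!b!c", true, &args);
  return (lenient && !strict) ? 0 : 1;
}
```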
Oct 4
Oct 4
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1ac104a8a47a9abdf4281e44f709dc912af797e6

commit 1ac104a8a47a9abdf4281e44f709dc912af797e6
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Thu Oct 04 18:52:06 2018

Roll src/third_party/pdfium 912f2d154162..d86d6a737e2b (1 commits)

https://pdfium.googlesource.com/pdfium.git/+log/912f2d154162..d86d6a737e2b

git log 912f2d154162..d86d6a737e2b --date=short --no-merges --format='%ad %ae %s'
2018-10-04 rharrison@chromium.org Reject argument lists that are not comma separated

Created with:
  gclient setdep -r src/third_party/pdfium@d86d6a737e2b

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:890407
TBR=dsinclair@chromium.org

Change-Id: I80343ba8ffb196423e69eb7fe94daf7349a6dd15
Reviewed-on: https://chromium-review.googlesource.com/c/1262355
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#596784}

[modify] https://crrev.com/1ac104a8a47a9abdf4281e44f709dc912af797e6/DEPS
Oct 5
ClusterFuzz has detected this issue as fixed in range 596767:596785.

Detailed report: https://clusterfuzz.com/testcase?key=4710966582050816

Fuzzer: libFuzzer_pdf_fm2js_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State:
  pdf_fm2js_fuzzer

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=583285:583294
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=596767:596785

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4710966582050816

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 5
ClusterFuzz testcase 4710966582050816 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by kkaluri@chromium.org, Oct 1
Components: Internals>Plugins>PDF
Labels: M-70 CF-NeedsTriage Test-Predator-Wrong