SQLite Forum

A crash bug in function isLikeOrGlob()
Well, it's really hard to estimate the cost of CPU-hours.

Our fuzzer is running on a single CPU core, and it took about 1-10 hours from start to when we first found the testcase (I didn't monitor the fuzzing progress during that time so I don't know the exact cost).

In fact, I think the initial seed matters a lot. When we use another input seed (it looks completely different from this testcase, which triggers another crash, while we have not yet found a testcase suitable for reporting), a testcase that could cause this bug was generated within less than an hour.