Found while fuzzing 20201230-0c1bddfacedd (--enable-debug --enable-fuzzing)

Hit MOZ_CRASH(attempt to add with overflow) at gfx/wr/webrender/src/atlas_allocator.rs:186

#0 0x7f26692b8325 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f26692b8325 in RustMozCrash src/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7f26692b82d4 in mozglue_static::panic_hook::ha757622518ce090b src/mozglue/static/rust/lib.rs:89:9
#3 0x7f26692b7bfb in core::ops::function::Fn::call::h2f0433a5b64f4daf /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
#4 0x7f266a28f465 in std::panicking::rust_panic_with_hook::h2bdec87b60580584 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/panicking.rs:581:17
#5 0x7f266a28efe8 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h101ca09d9df5db47 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/panicking.rs:484:9
#6 0x7f266a28a2db in std::sys_common::backtrace::__rust_end_short_backtrace::h3bb85654c20113ca /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/sys_common/backtrace.rs:153:18
#7 0x7f266a28efa8 in rust_begin_unwind /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/panicking.rs:483:5
#8 0x7f266a2f4cb0 in core::panicking::panic_fmt::h48c31e1e3d550146 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/core/src/panicking.rs:85:14
#9 0x7f266a2f4bfc in core::panicking::panic::h184ede6dd822ffb4 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/core/src/panicking.rs:50:5
#10 0x7f2668ccdae6 in webrender::texture_cache::TextureCache::end_frame::h5ee46621a89ef369 src/gfx/wr/webrender/src/texture_cache.rs
#11 0x7f2668c50314 in webrender::resource_cache::ResourceCache::end_frame::h1a82ccb619bbdcd7 src/gfx/wr/webrender/src/resource_cache.rs:1475:9
#12 0x7f2668b4b2d3 in webrender::frame_builder::FrameBuilder::build::h6ec0e1ff8d576e93 src/gfx/wr/webrender/src/frame_builder.rs:616:9
#13 0x7f2668bcd79e in webrender::render_backend::Document::build_frame::hf749c0b504b95746 src/gfx/wr/webrender/src/render_backend.rs:622:25
#14 0x7f2668bde3cd in webrender::render_backend::RenderBackend::update_document::h8c51c808d439f7cf src/gfx/wr/webrender/src/render_backend.rs:1507:41
#15 0x7f2668bd4e21 in webrender::render_backend::RenderBackend::prepare_transactions::h3c8024283bfb4c7b src/gfx/wr/webrender/src/render_backend.rs:1357:28
#16 0x7f2668bd4e21 in webrender::render_backend::RenderBackend::process_api_msg::h3c9d3b4f0a1dfc6b src/gfx/wr/webrender/src/render_backend.rs:1217:17
#17 0x7f26689c87ed in webrender::render_backend::RenderBackend::run::h8506c0ad20f763a5 src/gfx/wr/webrender/src/render_backend.rs:892:21
#18 0x7f26689c87ed in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h14fd868c2decd410 src/gfx/wr/webrender/src/renderer.rs:2564:13
#19 0x7f26689c87ed in std::sys_common::backtrace::__rust_begin_short_backtrace::hb923b58588469b20 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:137:18
#20 0x7f26689e723f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h25acfb4e93949b50 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:464:17
#21 0x7f26689e723f in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h423d6549a48bcb44 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:308:9
#22 0x7f26689e723f in std::panicking::try::do_call::hdd29b4f4c23911e6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
#23 0x7f26689e723f in std::panicking::try::h59406bcb282efed2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
#24 0x7f26689e723f in std::panic::catch_unwind::h85822dd2828a4422 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:382:14
#25 0x7f26689e723f in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h4f8874e6220b3410 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:463:30
#26 0x7f26689e723f in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h9b31292093927ac9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
#27 0x7f266a29df09 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::hbb39a3e615f69ef9 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/alloc/src/boxed.rs:1042:9
#28 0x7f266a29df09 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::h79630a683aed732c /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/alloc/src/boxed.rs:1042:9
#29 0x7f266a29df09 in std::sys::unix::thread::Thread::new::thread_start::h4afaeade0da13617 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/sys/unix/thread.rs:87:17
#30 0x7f267dda46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#31 0x7f267cd82a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Got crash from the testcase :
https://crash-stats.mozilla.org/report/index/688a77f0-06ce-4589-9d10-9420a0201223#tab-details
https://crash-stats.mozilla.org/report/index/bbd86ca9-e3f4-4636-8e34-4c0490201223

A Pernosco session is available here: https://pernos.co/debug/GLMN2ipafoL-3iR0TqtFIQ/index.html

The old testcase reproduced the crash for me. The new testcase+pref.js doesnt repro.

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210406152948-b85e871f6a8d.
Failed to bisect testcase (Unable to launch the start build!):

Start: b7d4ff29805ddabfebebb34b1e5beee07fcad45b (20200407035309)
End: 0c1bddfaceddf99e5bfacf89d8c08c2aa9ec85db (20201230092946)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 95d93c007301f5a90edf1e8f79641f7c7569ba68 (20210512174859)
End: 60a413f472fd505322e3ffbbb2b17592ef2b1c25 (20210512143049)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=95d93c007301f5a90edf1e8f79641f7c7569ba68&tochange=60a413f472fd505322e3ffbbb2b17592ef2b1c25
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Bugmon Analysis
Unable to reproduce bug 1683970 using build mozilla-central 20210604102111-f3aa64653924. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Not sure why bugmon failed here. Running it locally now.

:tsmith, the testcase you added in comment 8 appears to be for a different bug. It produces the following assertion for me locally:
Hit MOZ_CRASH(attempt to add with overflow) at gfx/wr/webrender/src/texture_pack/mod.rs:207

The testcase does not reproduce on the oldest build available (20210604102111) but does on tip. I'm bisecting it now to determine when it was introduced.

:jrmuizel, is it possible that the original testcase was fixed via bug 1710695?

The bug triggered by the testcase in comment 8 appears to have been introduced in the following range:
Reduced build range to:

Start: ec65d50a86cfa0f1f2bc705064aa6879f788c8cc (20210912234018)
End: e8a29c8f1e095884077d52166404a854fba86280 (20210913050506)
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ec65d50a86cfa0f1f2bc705064aa6879f788c8cc&tochange=e8a29c8f1e095884077d52166404a854fba86280