firefox: src/gl.cc:388: int DepthCursor::skip_failed(uint16_t) [FUNC = 515]: Assertion `valid()' failed.

#0 0x7ff9f9370f47 in raise /build/glibc-2ORdQG/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51
#1 0x7ff9f93728b0 in abort /build/glibc-2ORdQG/glibc-2.27/stdlib/abort.c:79
#2 0x7ff9f9362429 in __assert_fail_base /build/glibc-2ORdQG/glibc-2.27/assert/assert.c:92
#3 0x7ff9f93624a1 in __assert_fail /build/glibc-2ORdQG/glibc-2.27/assert/assert.c:101
#4 0x7ff9e5748181 in draw_quad(int, Texture&, int, Texture&) (/home/twsmith/workspace/browsers/m-c-20201126212448-fuzzing-asan-opt/libxul.so+0x13e4d181)
#5 0x7ff9e5740221 in DrawElementsInstanced (/home/twsmith/workspace/browsers/m-c-20201126212448-fuzzing-asan-opt/libxul.so+0x13e45221)
#6 0x7ff9e52a7e2e in webrender::device::gl::Device::draw_indexed_triangles_instanced_u16::heff8285dbad34772 src/gfx/wr/webrender/src/device/gl.rs:3407:9
#7 0x7ff9e52a7e2e in webrender::renderer::Renderer::draw_instanced_batch::hec2f6afb99bbc029 src/gfx/wr/webrender/src/renderer.rs:4328:13
#8 0x7ff9e52a3f8d in webrender::renderer::Renderer::draw_alpha_batch_container::hf06ac38b11e641cb src/gfx/wr/webrender/src/renderer.rs:4780:17
#9 0x7ff9e5295b2b in webrender::renderer::Renderer::draw_picture_cache_target::h403f6db188df66d1 src/gfx/wr/webrender/src/renderer.rs:4597:9
#10 0x7ff9e5295b2b in webrender::renderer::Renderer::draw_frame::ha48e1a1bfdee5c82 src/gfx/wr/webrender/src/renderer.rs:6358:21
#11 0x7ff9e52b5dc8 in webrender::renderer::Renderer::render_impl::h58e3e2b148b51f6a src/gfx/wr/webrender/src/renderer.rs:3663:17
#12 0x7ff9e52c3297 in webrender::renderer::Renderer::render::h5cc5e23ee60b3143 src/gfx/wr/webrender/src/renderer.rs:3414:30
#13 0x7ff9e548f94b in wr_renderer_render src/gfx/webrender_bindings/src/bindings.rs:614:11
#14 0x7ff9d918f04d in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) src/gfx/webrender_bindings/RendererOGL.cpp:193:8
#15 0x7ff9d918d306 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) src/gfx/webrender_bindings/RenderThread.cpp:488:31
#16 0x7ff9d918c37f in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) src/gfx/webrender_bindings/RenderThread.cpp:325:3
#17 0x7ff9d91a4156 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1096:12
#18 0x7ff9d91a4156 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1102:12
#19 0x7ff9d91a4156 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:13
#20 0x7ff9d7235c2d in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) src/ipc/chromium/src/base/message_loop.cc:465:9
#21 0x7ff9d7236ace in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:473:5
#22 0x7ff9d723734b in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:548:13
#23 0x7ff9d72389c6 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_default.cc:35:31
#24 0x7ff9d72357f1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
#25 0x7ff9d72357f1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#26 0x7ff9d72357f1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#27 0x7ff9d7256228 in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:191:16
#28 0x7ff9d724813c in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#29 0x7ff9fa4756da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
#30 0x7ff9f9453a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

A Pernosco session is available here: https://pernos.co/debug/12ySjmec-cVRHn3EBnGduQ/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201127155321-c42696dc97c6.
The bug appears to have been introduced in the following build range:

Start: 6dd2f083cad49d9d745b80955bcc20b13333f19c (20201021012331)
End: c061dfcf1598aece0fe343783b351d0a280bf67d (20201021013257)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6dd2f083cad49d9d745b80955bcc20b13333f19c&tochange=c061dfcf1598aece0fe343783b351d0a280bf67d

Bugmon Analysis
The bug appears to have been fixed in the following build range:

Start: 0312654f27b415aa62bb90307371aebc0cd5fd77 (20210212090941)
End: 2d92a6ed94ec35dcdf80574f0d71255e67299a5a (20210212005017)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=0312654f27b415aa62bb90307371aebc0cd5fd77&tochange=2d92a6ed94ec35dcdf80574f0d71255e67299a5a
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

The attached testcase no longer reproduces the issue. It was last reported by fuzzers running m-c 20210212-1941f4130b28.

:glandium, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.