Hm, after more careful review, I take back my comment about the scheme being
fragile. (I mean, it's still fragile, but not AS fragile as I thought. I don't
see a way for it to fail under normal circumstances.)

However one very simple explanation is that a call command is making it onto
the userspace-supplied pushbuf. Let's make sure that this is not the case --
Get valgrind-mmt going (http://nouveau.freedesktop.org/wiki/Valgrind-mmt/), and
run X inside of mmt, and run x11perf until it dies, e.g.

valgrind --tool=mmt --mmt-trace-file=/dev/dri/card0 --mmt-trace-nouveau-ioctls
xinit x11perf -putimage500 -- :1 >& xorg-mmt.log

or something along those lines. (And you can run it in a separate X server so
you don't have to kill your "real" session.)