We have investigated the issue and found that the crash is due to an application bug. It crashes upon calling glDrawElementsInstanced() because it has incorrectly set the vertex attribute pointers to NULL.
Below is a trace of the OpenGL command stream that leads to the crash. You will note that no VBO is bound, and the application gives a NULL pointer to attribute 6, which by itself is enough to trigger the crash. The application also gets GL_INVALID_OPERATION for the next attributes because of this part of the OpenGL specification:
An INVALID_OPERATION error is generated if a non-zero vertex array object is bound, no buffer is bound to ARRAY_BUFFER, and pointer is not NULL.
Looking at the command stream, it’s likely that the call that unbinds the VBO should simply not be there: experiments on our side show that ignoring this call prevents the crash and doesn’t appear to yield rendering artifacts. Of course, such experiments are not spec conformant and cannot be integrated into the NVIDIA driver. An end-user might want to try intercepting glBindBuffer(GL_ARRAY_BUFFER, 0) with LD_PRELOAD, and ignoring this call, to work around the issue until the application is fixed.
glBindBuffer(GL_ARRAY_BUFFER, 0);
glVertexAttribPointer(6, 3, GL_FLOAT, 0, 76, (nil));
glVertexAttribDivisor(6, 1);
glVertexAttribPointer(7, 3, GL_FLOAT, 0, 76, 0xc);
// **********
// ERROR: 1282 = 0x502 (GL_INVALID_OPERATION)
// **********
glVertexAttribDivisor(7, 1);
glEnableVertexAttribArray(8);
glVertexAttribPointer(8, 3, GL_FLOAT, 0, 76, 0x18);
// **********
// ERROR: 1282 = 0x502 (GL_INVALID_OPERATION)
// **********
glVertexAttribDivisor(8, 1);
glEnableVertexAttribArray(9);
glVertexAttribPointer(9, 3, GL_FLOAT, 0, 76, 0x24);
// **********
// ERROR: 1282 = 0x502 (GL_INVALID_OPERATION)
// **********
glVertexAttribDivisor(9, 1);
glEnableVertexAttribArray(10);
glVertexAttribPointer(10, 3, GL_FLOAT, 0, 76, 0x30);
// **********
// ERROR: 1282 = 0x502 (GL_INVALID_OPERATION)
// **********
glVertexAttribDivisor(10, 1);
glDrawElementsInstanced(GL_TRIANGLES, 84, GL_UNSIGNED_SHORT, (nil), 1);
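The LD_PRELOAD workaround suggested in the post could look like the following shim. This is an added example, not code from NVIDIA or from the application. The helper names `is_vbo_unbind` and `dropped_bind_count` and the file names in the comment are hypothetical, and it assumes the application resolves glBindBuffer through the dynamic linker rather than through glXGetProcAddress, which a preloaded symbol would not intercept.

```c
/* Build: gcc -shared -fPIC -o libskipunbind.so skipunbind.c -ldl
 * Run:   LD_PRELOAD=./libskipunbind.so ./application
 * (file names are placeholders) */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* exposes RTLD_NEXT in <dlfcn.h> */
#endif
#include <dlfcn.h>
#include <stdio.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1L)   /* glibc value, if _GNU_SOURCE came too late */
#endif

/* Minimal GL declarations so the shim builds without GL headers. */
typedef unsigned int GLenum;
typedef unsigned int GLuint;
#ifndef GL_ARRAY_BUFFER
#define GL_ARRAY_BUFFER 0x8892
#endif

static unsigned long dropped_binds;

/* True only for the exact call seen in the trace: glBindBuffer(GL_ARRAY_BUFFER, 0). */
int is_vbo_unbind(GLenum target, GLuint buffer)
{
    return target == GL_ARRAY_BUFFER && buffer == 0;
}

/* Number of unbind calls swallowed so far, useful when confirming the shim is active. */
unsigned long dropped_bind_count(void) { return dropped_binds; }

/* Interposed entry point: drop the VBO unbind, forward every other bind. */
void glBindBuffer(GLenum target, GLuint buffer)
{
    static void (*real_bind)(GLenum, GLuint);

    if (is_vbo_unbind(target, buffer)) {
        dropped_binds++;
        return;                   /* previous VBO stays bound */
    }
    if (!real_bind)               /* look up the driver's implementation once */
        real_bind = (void (*)(GLenum, GLuint))dlsym(RTLD_NEXT, "glBindBuffer");
    if (real_bind)
        real_bind(target, buffer);
    else
        fprintf(stderr, "skipunbind: real glBindBuffer not found\n");
}
```

The shim drops every GL_ARRAY_BUFFER unbind in the process, not only the one before attribute 6, so it changes behaviour for any code path that relies on an unbound array buffer.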