Leaving this here in case anyone needs to pick this up while I am out next week. During the SELECT, something is not parsing and setting up the item values for the JOIN comparison correctly. With this simple query and a debug build: DROP DATABASE IF EXISTS test; CREATE DATABASE test; USE test; CREATE TABLE t1(a INT KEY,b text) ENGINE=InnoDB; select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3)); The crash happens when an attempt is made to copy a string from a bogus memory address. That address is taken from an Item_field's Field_blob and is copied into a String from within Field_blob::val_str. The Field_blob itself is bad, and I'm still trying to figure out where it is being set up. The call stack at the point where the bogus address is read from that object (the frame where the crash actually occurs) is: #0 0x0000000000666350 in String::set (this=0x7fffa80058a0, str=0x7fffa8011b9000 , arg_length=127, cs=0x16b76e0 ) at /data/percona/ST-48128/5.6/sql/sql_string.h:258 #1 0x000000000091408f in Field_blob::val_str (this=0x7fffa8011c68, val_buffer=0x7fffa8006c90, val_ptr=0x7fffa80058a0) at /data/percona/ST-48128/5.6/sql/field.cc:7899 #2 0x00000000006520ce in Item_field::val_str (this=0x7fffa8005890, str=0x7fffa8006c90) at /data/percona/ST-48128/5.6/sql/item.cc:2676 #3 0x00000000006864de in cmp_item_sort_string::store_value (this=0x7fffa8006c28, item=0x7fffa8005890) at /data/percona/ST-48128/5.6/sql/item_cmpfunc.h:1166 #4 0x000000000067bef0 in cmp_item_row::store_value (this=0x7fffa8006b78, item=0x7fffa80059d0) at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4190 #5 0x000000000067d297 in Item_func_in::fix_length_and_dec (this=0x7fffa80061c0) at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4590 #6 0x000000000069ff2e in Item_func::fix_fields (this=0x7fffa80061c0, thd=0x209a950, ref=0x7fffa8006708) at /data/percona/ST-48128/5.6/sql/item_func.cc:231 #7 0x000000000067c6b9 in Item_func_in::fix_fields (this=0x7fffa80061c0, thd=0x209a950, 
ref=0x7fffa8006708) at /data/percona/ST-48128/5.6/sql/item_cmpfunc.cc:4362 #8 0x000000000076f8e3 in setup_conds (thd=0x209a950, tables=0x7fffa8005200, leaves=0x7fffa8005200, conds=0x7fffa8006708) at /data/percona/ST-48128/5.6/sql/sql_base.cc:9003 #9 0x00000000007fe8cc in setup_without_group (thd=0x209a950, ref_pointer_array=..., tables=0x7fffa8005200, leaves=0x7fffa8005200, fields=..., all_fields=..., conds=0x7fffa8006708, order=0x0, group=0x0, hidden_group_field_count=0x7fffa80065ec, hidden_order_field_count=0x7ffff04086c0) at /data/percona/ST-48128/5.6/sql/sql_resolver.cc:952 #10 0x00000000007fc1c1 in JOIN::prepare (this=0x7fffa80063c8, tables_init=0x7fffa8005200, wild_num=1, conds_init=0x7fffa80061c0, og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, select_lex_arg=0x209d5b0, unit_arg=0x209cf68) at /data/percona/ST-48128/5.6/sql/sql_resolver.cc:177 #11 0x0000000000803d3c in mysql_prepare_select (thd=0x209a950, tables=0x7fffa8005200, wild_num=1, fields=..., conds=0x7fffa80061c0, og_num=0, order=0x0, group=0x0, having=0x0, select_options=2147748608, result=0x7fffa80063a0, unit=0x209cf68, select_lex=0x209d5b0, free_join=0x7ffff040894b) at /data/percona/ST-48128/5.6/sql/sql_select.cc:1054 #12 0x0000000000803ff7 in mysql_select (thd=0x209a950, tables=0x7fffa8005200, wild_num=1, fields=..., conds=0x7fffa80061c0, order=0x209d778, group=0x209d6b0, having=0x0, select_options=2147748608, result=0x7fffa80063a0, unit=0x209cf68, select_lex=0x209d5b0) at /data/percona/ST-48128/5.6/sql/sql_select.cc:1177 #13 0x00000000008020ae in handle_select (thd=0x209a950, result=0x7fffa80063a0, setup_tables_done_option=0) ---Type to continue, or q to quit--- at /data/percona/ST-48128/5.6/sql/sql_select.cc:110 #14 0x00000000007da906 in execute_sqlcom_select (thd=0x209a950, all_tables=0x7fffa8005200) at /data/percona/ST-48128/5.6/sql/sql_parse.cc:5616 #15 0x00000000007d2e85 in mysql_execute_command (thd=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_parse.cc:2974 #16 
0x00000000007dd137 in mysql_parse (thd=0x209a950, rawbuf=0x7fffa8004fd0 "select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3))", length=51, parser_state=0x7ffff040a1d0) at /data/percona/ST-48128/5.6/sql/sql_parse.cc:6792 #17 0x00000000007cf6bf in dispatch_command (command=COM_QUERY, thd=0x209a950, packet=0x216ffb1 "select * FROM t1 where (a,b) in ((0,0),(5,0),(4,3))", packet_length=51) at /data/percona/ST-48128/5.6/sql/sql_parse.cc:1434 #18 0x00000000007ce615 in do_command (thd=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_parse.cc:1051 #19 0x0000000000797fbe in do_handle_one_connection (thd_arg=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_connect.cc:1532 #20 0x0000000000797ad5 in handle_one_connection (arg=0x209a950) at /data/percona/ST-48128/5.6/sql/sql_connect.cc:1443 #21 0x0000000000da9f7f in pfs_spawn_thread (arg=0x2112900) at /data/percona/ST-48128/5.6/storage/perfschema/pfs.cc:1860 #22 0x00007ffff757f182 in start_thread (arg=0x7ffff040b700) at pthread_create.c:312 #23 0x00007ffff6a8bfbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 The Field_blob in frame 1 at this point looks like: (gdb) p *this $148 = { = { = { = { _vptr.Field = 0x10351b0 , ptr = 0x7fffa8011bb5 "\177", null_ptr = 0x7fffa8011bb0 "\220\033\001\250\377\177", table = 0x7fffa8010dd0, orig_table = 0x7fffa8010dd0, table_name = 0x7fffa8010ea8, field_name = 0x7fffa805c503 "b", comment = { str = 0xfcc3f0 "", length = 0 }, key_start = { map = 0 }, part_of_key = { map = 0 }, part_of_key_not_clustered = { map = 0 }, part_of_sortkey = { map = 0 }, unireg_check = Field::BLOB_FIELD, field_length = 65535, flags = 16, field_index = 1, null_bit = 1 '\001', is_created_from_null_item = false }, members of Field_str: field_charset = 0x16b76e0 , field_derivation = DERIVATION_IMPLICIT }, }, members of Field_blob: packlength = 2, value = { Ptr = 0x0, str_length = 0, Alloced_length = 0, alloced = false, str_charset = 0x1561360 } } (gdb) x/64bx ptr 0x7fffa8011bb5: 0x7f 0x00 0x00 0x90 0x1b 0x01 
0xa8 0xff 0x7fffa8011bbd: 0x7f 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffa8011bc5: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffa8011bcd: 0x00 0x00 0x00 0xe8 0x1b 0x01 0xa8 0xff 0x7fffa8011bd5: 0x7f 0x00 0x00 0x68 0x1c 0x01 0xa8 0xff 0x7fffa8011bdd: 0x7f 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffa8011be5: 0x00 0x00 0x00 0x50 0x90 0x03 0x01 0x00 0x7fffa8011bed: 0x00 0x00 0x00 0xb1 0x1b 0x01 0xa8 0xff As I understand the layout here, the first 2 bytes of ptr (packlength = 2) are supposed to hold the size of the blob, followed by the pointer to the blob data. In this particular debugging session, most memory addresses are of the form 0x007fffa8nnnn, so it is curious that the first byte at ptr is 0x7f; read as the 2-byte length it gives 127, which is exactly the arg_length=127 seen in frame #0. Looking further at this dump of Field_blob::ptr, it looks like Field_blob::ptr is actually not the correct value: everything would make sense if it began one byte later, leaving the size at 0 and the address of the blob data at 0x7fffa8011b90, which looks like a plausible address within this session. Instead, with the pointer bytes shifted by one, the address is calculated as 0x7fffa8011b9000 (the same value shifted left by one byte), which is completely out of range for this process, and the copy from that address is what crashes the server. 
A dump of the owning Item from frame 2: (gdb) p * this $152 = { = { = { _vptr.Item = 0xefbe70 , is_expensive_cache = -1 '\377', rsize = 0, str_value = { Ptr = 0x7fffa8011b9000 , str_length = 0, Alloced_length = 0, alloced = false, str_charset = 0x1561360 }, item_name = { = { = { m_str = 0x7fffa8005888 "b", m_length = 1 }, }, members of Item_name_string: m_is_autogenerated = true }, orig_name = { = { = { m_str = 0x0, m_length = 0 }, }, members of Item_name_string: m_is_autogenerated = true }, next = 0x7fffa8005780, max_length = 65535, marker = 0, decimals = 31 '\037', maybe_null = 1 '\001', null_value = 0 '\000', unsigned_flag = 0 '\000', with_sum_func = 0 '\000', fixed = 1 '\001', collation = { collation = 0x16b76e0 , derivation = DERIVATION_IMPLICIT, repertoire = 3 }, cmp_context = 4294967295, runtime_item = false, with_subselect = 0 '\000', with_stored_program = 0 '\000', tables_locked_cache = false }, members of Item_ident: orig_db_name = 0x0, orig_table_name = 0x0, orig_field_name = 0x7fffa8005888 "b", context = 0x209d600, db_name = 0x7fffa805c470 "test", table_name = 0x7fffa80142a0 "t1", field_name = 0x7fffa805c503 "b", alias_name_used = false, cached_field_index = 1, cached_table = 0x7fffa8005200, depended_from = 0x0 }, members of Item_field: field = 0x7fffa8011c68, result_field = 0x7fffa8011c68, item_equal = 0x0, no_const_subst = false, have_privileges = 0, any_privileges = false } Note that the Item's str_value.Ptr already holds the same bogus address, 0x7fffa8011b9000, and that its field and result_field both point at the Field_blob at 0x7fffa8011c68 from frame 1. We need to figure out where this Field_blob is parsed and created, and see if we can spot the error there.