Looks like the core dump happens on connchan.c line 551.
Exactly [1]:
550: assert(cbPtr->connChanPtr->sockPtr != NULL);
551: servPtr = cbPtr->connChanPtr->sockPtr->servPtr;
one sees from your output that cbPtr has a reasonable value. Since you are compiling with assertions activated, i would expect a failing assertion.
It would be interesting to see the members of this structure in more detail. In gdb, go with "up" to level #12 and do there a "print *cbPtr".
It is unusual, that instantclient_21_1 is doing the top-level exception handling (we don't have these in our configurations). However, my first suspicion would be either a race condition (some other thread deletes the channel information while the crashing thread works on it), or that some other callback being processed together with the crashing one in SockCallbackThread() calls some code that frees it.
Probably, activating debug for "connchan" can provide more insights.
ns_logctl severity Debug(connchan) on
-gn
[1] https://bitbucket.org/naviserver/naviserver/src/4edd96403f7e6477f9271ecae2f62fe4be77db8a/nsd/connchan.c#lines-550