In parse_param_blr() function in jrd/met.epp pointers to requests of all parameters (one after one) are placed into same place - procedure->prc_request. Later request of procedure itself is placed to the same place. I see the following problems with it:

1. Looks like that requests will never be released.
2. In case of error in parse_procedure_blr() prc_request is explicitly released and NULLed, with parse_param_blr() - not.
3. That request is kept is prc_request field in case of any failure compiling procedure. Later it can be attempted to be released when parse_procedure_blr() fails. And looks like this can be a cause of segfault:

Program terminated with signal 11, Segmentation fault.
#0  LCK_release (tdbb=0x7fb1770490d0, lock=0x7fb16d5d18f0) at ../src/jrd/lck.cpp:1401
   in ../src/jrd/lck.cpp

#0  LCK_release (tdbb=0x7fb1770490d0, lock=0x7fb16d5d18f0) at ../src/jrd/lck.cpp:1401
#1  0x00007fb179611d29 in CMP_release (tdbb=0x7fb1770490d0, request=0x7fb16d572010) at ../src/jrd/cmp.cpp:2440
#2  0x00007fb1795adb96 in MET_procedure (tdbb=0x7fb1770490d0, id=<value optimized out>, noscan=false, flags=8)
   at ../temp/std/jrd/met.cpp:5001
#3  0x00007fb1795ae730 in MET_lookup_procedure (tdbb=0x7fb1770490d0, name=<value optimized out>, noscan=false)
   at ../temp/std/jrd/met.cpp:3972