- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Query Execution
- Fully Compatible
- ALL
- QE 2026-05-25, QE 2026-06-08
The following query can lead to an invariant failure in a debug build and can lead to a seg fault in a release build.
```js
assert.commandWorked(db.adminCommand({setParameter: 1, internalQueryFrameworkControl: "trySbeEngine"}));
const coll = db[jsTestName()];
coll.drop();
assert.commandWorked(coll.insert({s: ""}));
coll.aggregate([{$project: {r: {$regexFindAll: {input: "$s", regex: "a*"}}}}]);
```
This happens when the regex pattern matches at the end of the input string (https://github.com/10gen/mongo/blob/69bbbf7992cdaeb91a28e26d3d88ce0e40434d4f/src/mongo/db/exec/sbe/vm/vm_builtin_regex.cpp#L234).
So it would also reproduce with input being any string and regex pattern being "$".
In a debug build, StringData::operator[] checks the pos and trips an invariant. Since all string types in SBE are null-terminated, this won't lead to a crash in the release variant.
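The following is an added illustration, not MongoDB's code: a stand-alone find-all loop showing how a zero-length match at the end of the input produces an index equal to the string's size, and the guard that avoids it. It assumes the out-of-range index arises in the step that advances past a zero-length match; `CheckedView`, `codePointLength`, `findAllOffsets` and `tripsBoundsCheck` are hypothetical names, and `std::regex` stands in for the server's regex engine.

```cpp
#include <cstdio>
#include <regex>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for a bounds-checked string view: operator[] rejects pos >= size().
struct CheckedView {
    const std::string& s;
    unsigned char operator[](std::size_t pos) const {
        if (pos >= s.size()) throw std::out_of_range("pos >= size()");
        return static_cast<unsigned char>(s[pos]);
    }
};

// Byte length of the UTF-8 code point that starts with lead byte b.
static std::size_t codePointLength(unsigned char b) {
    return b < 0x80 ? 1 : (b >> 5) == 0x6 ? 2 : (b >> 4) == 0xE ? 3 : (b >> 3) == 0x1E ? 4 : 1;
}

// Byte offsets of all matches. guardEnd=false models the unguarded advance step (assumption).
std::vector<std::size_t> findAllOffsets(const std::string& input, const std::string& pattern, bool guardEnd) {
    const std::regex re(pattern);
    const CheckedView view{input};
    std::vector<std::size_t> offsets;
    std::size_t pos = 0;
    std::smatch m;
    while (pos <= input.size() && std::regex_search(input.begin() + pos, input.end(), m, re)) {
        const std::size_t start = pos + static_cast<std::size_t>(m.position(0));
        offsets.push_back(start);
        if (m.length(0) > 0) { pos = start + static_cast<std::size_t>(m.length(0)); continue; }
        // Zero-length match: step over one code point so the loop makes progress.
        if (guardEnd && start == input.size()) break;  // end of input: nothing to step over
        pos = start + codePointLength(view[start]);    // throws when start == size()
    }
    return offsets;
}

// True when the unguarded loop indexes one past the last byte (inputs are constructed samples).
bool tripsBoundsCheck(const std::string& input, const std::string& pattern) {
    try { findAllOffsets(input, pattern, false); }
    catch (const std::out_of_range&) { return true; }
    return false;
}

int main() {
    std::printf("%d %d\n", tripsBoundsCheck("", "a*"), tripsBoundsCheck("abc", "$"));
    std::printf("%zu\n", findAllOffsets("baa", "a*", true).size());
}
```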