MariaDB crash triggered by recursive CTE with window aggregate and NULL/UNION predicates

~~~sql
SELECT LOWER ( ( WITH RECURSIVE x ( x ) AS ( SELECT 1 EXCEPT SELECT GET_LOCK ( NULL , 0 ) ) SELECT x FROM ( SELECT 1 AS x UNION SELECT 2 ) AS x WHERE x IN ( SELECT ROW_NUMBER ( ) OVER ( ORDER BY AVG ( x ) ) FROM ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT x + 1 FROM x ) SELECT * FROM x WHERE x = DATABASE ( ) AND x = 'BASE TABLE' AND x > 0 AND x = 'InnoDB' AND EXISTS ( SELECT 1 FROM x WHERE CONCAT ( 1 = 1.000000 ) IS NULL ) GROUP BY x HAVING x = ( SELECT x FROM x LIMIT 1 ) OR x IS NULL ) AS x ORDER BY ABS ( x ) , lower ( x ) , lower ( x ) , lower ( x ) ) ORDER BY x LIMIT 1 ) ) ;
~~~

1. 1. Expected result
      The server should either execute the query or return a normal SQL error without crashing.

1. 1. Actual result
      The fuzzing run observed a server crash. The deduplicated stack signature is:
      ~~~
      stack:_Z33execute_degenerate_jtbm_semi_joinP3THDP10TABLE_LISTP17Item_in_subselectR4ListI4ItemE|_Z21setup_jtbm_semi_joinsP4JOINP4ListI10TABLE_LISTERS1_I4ItemE|_ZN4JOIN14optimize_innerEv|_ZN4JOIN8optimizeEv|_ZN13st_select_lex31optimize_unflattened_subqueriesEb|_ZN4JOIN15optimize_stage2Ev|_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex|_Z13handle_selectP3THDP3LEXP13select_resulty
      ~~~

Top frames:
~~~
_Z33execute_degenerate_jtbm_semi_joinP3THDP10TABLE_LISTP17Item_in_subselectR4ListI4ItemE
_Z21setup_jtbm_semi_joinsP4JOINP4ListI10TABLE_LISTERS1_I4ItemE
_ZN4JOIN14optimize_innerEv
_ZN4JOIN8optimizeEv
_ZN13st_select_lex31optimize_unflattened_subqueriesEb
_ZN4JOIN15optimize_stage2Ev
_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex
_Z13handle_selectP3THDP3LEXP13select_resulty
~~~