MariaDB crash triggered by recursive CTE with JSON condition and ordinal ORDER BY

~~~sql
SELECT ALL RELEASE_LOCK ( 'test2' ) + RELEASE_LOCK ( 'test1' ) = 2 AS x FROM ( SELECT x FROM ( SELECT * FROM ( SELECT 1 AS x UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT -171126738 ) AS x GROUP BY x HAVING x = 'M' OR x IS NULL ) AS x EXCEPT SELECT x FROM ( SELECT LOWER ( ( WITH RECURSIVE x ( x ) AS ( SELECT 1 EXCEPT SELECT SUBTIME ( '916:40:00' , '416:40:00' ) ) SELECT x FROM x WHERE JSON_LENGTH ( '

' ) IN ( SELECT x FROM x ) ORDER BY ExtractValue ( '<a><b><node>test</node></b></a>' , ( SELECT UTC_TIMESTAMP ( ) , 6 AS x EXCEPT SELECT convert_tz ( '1970-01-01 01:00:00' , 'MET' , 'UTC' ) , 4 ORDER BY '/a/b/node' DESC ) IN ( SELECT 3 , 4 ) ) LIMIT 1 ) ) NOT BETWEEN inet_aton ( 6 ) AND CURRENT_TIME ( ) AS x FROM ( SELECT 1 AS x UNION SELECT 2 UNION SELECT 3 ) AS x ) AS x ) AS x WHERE x = DATABASE ( ) AND x = 'BASE TABLE' AND x NOT IN ( SELECT BIN ( 362793609 ) ) ORDER BY 1 ;
~~~

1. 1. Expected result
      The server should either execute the query or return a normal SQL error without crashing.

1. 1. Actual result
      The fuzzing run observed a server crash. The deduplicated stack signature is:
      ~~~
      stack:_ZN4JOIN36transform_in_predicates_into_in_subqEP3THD|_Z36convert_join_subqueries_to_semijoinsP4JOIN|_ZN4JOIN14optimize_innerEv|_ZN4JOIN8optimizeEv|_ZN30subselect_single_select_engine4execEv|_ZN14Item_subselect4execEv|_ZN24Item_singlerow_subselect7val_strEP6String|_ZN13Item_str_conv7val_strEP6String
      ~~~

Top frames:
~~~
_ZN4JOIN36transform_in_predicates_into_in_subqEP3THD
_Z36convert_join_subqueries_to_semijoinsP4JOIN
_ZN4JOIN14optimize_innerEv
_ZN4JOIN8optimizeEv
_ZN30subselect_single_select_engine4execEv
_ZN14Item_subselect4execEv
_ZN24Item_singlerow_subselect7val_strEP6String
_ZN13Item_str_conv7val_strEP6String
~~~