Server crashes in in base_list_iterator::next_fast with AND/OR and impossible condition inside IN SQ

CREATE TABLE t1 (a INT, b INT, c VARCHAR(3)) ENGINE=MyISAM;

INSERT INTO t1 VALUES (1,1,'CAN'),(2,2,'AUS');

CREATE TABLE t2 (f INT) ENGINE=MyISAM;

INSERT INTO t2 VALUES (3);

SELECT * FROM t2 WHERE f NOT IN ( 

  SELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b 

);

#3  <signal handler called>

#4  0x000000000058a8bd in base_list_iterator::next_fast (this=0x7f06c9076f50) at sql_list.h:449

#5  0x000000000058cab5 in List_iterator_fast<Item>::operator++ (this=0x7f06c9076f50) at sql_list.h:561

#6  0x0000000000602d7c in Item_equal_iterator<List_iterator_fast, Item>::operator++ (this=0x7f06c9076f50) at item_cmpfunc.h:1824

#7  0x00000000005fe7a7 in Item_equal::contains (this=0x29c4370, field=0x29b5a90) at item_cmpfunc.cc:5603

#8  0x00000000005abe9f in Item_field::find_item_equal (this=0x298ded8, cond_equal=0x29bf8e8) at item.cc:4970

#9  0x0000000000745053 in eliminate_item_equal (cond=0x0, upper_levels=0x29bf8e8, item_equal=0x29c2198) at sql_select.cc:11945

#10 0x00000000007459b2 in substitute_for_best_equal_field (context_tab=0x1, cond=0x29c2198, cond_equal=0x29bf8e8, table_join_idx=0x29c2718) at sql_select.cc:12236

#11 0x0000000000745699 in substitute_for_best_equal_field (context_tab=0x1, cond=0x298e510, cond_equal=0x29c4758, table_join_idx=0x29c2718) at sql_select.cc:12163

#12 0x0000000000745699 in substitute_for_best_equal_field (context_tab=0x1, cond=0x29c4670, cond_equal=0x29c4758, table_join_idx=0x29c2718) at sql_select.cc:12163

#13 0x0000000000728878 in JOIN::optimize (this=0x29c04a0) at sql_select.cc:1253

#14 0x0000000000588e9b in st_select_lex::optimize_unflattened_subqueries (this=0x290b620) at sql_lex.cc:3166

#15 0x00000000008182bb in JOIN::optimize_unflattened_subqueries (this=0x29bfd08) at opt_subselect.cc:4903

#16 0x0000000000729b71 in JOIN::optimize (this=0x29bfd08) at sql_select.cc:1575

#17 0x000000000072ec11 in mysql_select (thd=0x2908b88, rref_pointer_array=0x290b878, tables=0x298cb60, wild_num=1, fields=..., conds=0x29bfbb8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x298e8a0, unit=0x290b118, select_lex=0x290b620) at sql_select.cc:2993

#18 0x000000000072570d in handle_select (thd=0x2908b88, lex=0x290b078, result=0x298e8a0, setup_tables_done_option=0) at sql_select.cc:288

#19 0x00000000006b4444 in execute_sqlcom_select (thd=0x2908b88, all_tables=0x298cb60) at sql_parse.cc:5172

#20 0x00000000006ab5e0 in mysql_execute_command (thd=0x2908b88) at sql_parse.cc:2305

#21 0x00000000006b6dab in mysql_parse (thd=0x2908b88, rawbuf=0x298c8c0 "SELECT * FROM t2 WHERE f NOT IN ( \nSELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b \n)", length=112, found_semicolon=0x7f06c9078cb8) at sql_parse.cc:6173

#22 0x00000000006a8dc0 in dispatch_command (command=COM_QUERY, thd=0x2908b88, packet=0x2983459 "SELECT * FROM t2 WHERE f NOT IN ( \nSELECT b FROM t1 WHERE 0 OR ( c IN ('USA') OR c NOT IN ('USA') ) AND a = b \n)", packet_length=112) at sql_parse.cc:1243

#23 0x00000000006a80ac in do_command (thd=0x2908b88) at sql_parse.cc:923

#24 0x00000000006a4f3d in handle_one_connection (arg=0x2908b88) at sql_connect.cc:1231

#25 0x00007f06d2867b50 in start_thread (arg=<optimized out>) at pthread_create.c:304

#26 0x00007f06d1c0aa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

revision-id: psergey@askmonty.org-20140214212653-cjbm9hqh0gpxapba

revno: 3758

branch-nick: 5.3

BUILD/compile-pentium-debug-max-no-ndb

revno: 3627

revision-id: igor@askmonty.org-20130222011312-0n7i0ki83efkz17e

parent: igor@askmonty.org-20130221032202-ed2p8w1a984bxa2p

committer: Igor Babaev <igor@askmonty.org>

branch nick: maria-5.3-mdev4172

timestamp: Thu 2013-02-21 17:13:12 -0800

message:

  Fixed bug mdev-4172.

  This bug in the legacy code could manifest itself in queries with

  semi-join materialized subqueries.

  ...