RHEL 6.4

I realized that I attached the mysql-error.log from a 5.5.32 server, but it also still affects a 5.5.33a server. Here is the log from that server
131015 13:51:28 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see http://kb.askmonty.org/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 5.5.33a-MariaDB-log
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=12
max_threads=502
thread_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 1232371 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x0x7ffa1c5be000
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7ffc5584dd58 thread_stack 0x48000
??:0(my_print_stacktrace)[0xa896be]
??:0(handle_fatal_signal)[0x6d00bb]
:0()[0x346a80f500]
??:0(find_field_in_table(THD*, TABLE*, char const*, unsigned int, bool, unsigned int*))[0x544bd2]
??:0(find_field_in_table_ref(THD*, TABLE_LIST*, char const*, unsigned int, char const*, char const*, char const*, Item*, bool, bool, unsigned int, bool, TABLE_LIST**))[0x54570f]
??:0(find_field_in_tables(THD*, Item_ident*, TABLE_LIST*, TABLE_LIST*, Item**, find_item_error_report_type, bool, bool))[0x545aa2]
??:0(Item_field::fix_fields(THD*, Item**))[0x6ef087]
??:0(setup_fields(THD*, Item*, List<Item>&, enum_mark_columns, List<Item>, bool))[0x5408d3]
??:0(JOIN::prepare(Item**, TABLE_LIST, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x5bee89]
??:0(st_select_lex_unit::prepare(THD*, select_result*, unsigned long))[0x60fbda]
??:0(mysql_derived_prepare(THD*, LEX*, TABLE_LIST*))[0x56930e]
??:0(mysql_handle_derived(LEX*, unsigned int))[0x56a332]
??:0(mysql_multi_update_prepare(THD*))[0x61212d]
??:0(mysql_execute_command(THD*))[0x58bb35]
??:0(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x58ee19]
??:0(dispatch_command(enum_server_command, THD*, char*, unsigned int))[0x590270]
??:0(do_handle_one_connection(THD*))[0x649caf]
??:0(handle_one_connection)[0x649d4c]
:0()[0x346a807851]
:0()[0x346a4e890d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7ffa0b01f018): is an invalid pointer
Connection ID (thread ID): 360719
Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=off

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.

Thank you for the good test case.

Note: this crash does not occur in MariaDB 5.5.28.

it is just wrong query which crashes before error is returned... So it should be fixed.

The problem is that mysql_derived_prepare do not check result of sl->handle_derived() call.

committed for review