crash in select_describe

Bug #1006231 reported by sbester
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
MariaDB | Fix Released | High | Timour Katchaounov |

Bug Description

I:\ade\build\bzr\maria-5.5>bzr revno
3418

mysqld --no-defaults --console --skip-gr --skip-na --core-file

Version: '5.5.24-MariaDB' socket: '' port: 3306 Source distribution
120530 7:41:32 [ERROR] mysqld got exception 0xc0000005 ;

mysqld.exe!select_describe()[sql_select.cc:21331]
mysqld.exe!JOIN::exec()[sql_select.cc:2319]
mysqld.exe!mysql_select()[sql_select.cc:3016]
mysqld.exe!mysql_explain_union()[sql_select.cc:21818]
mysqld.exe!select_describe()[sql_select.cc:21775]
mysqld.exe!JOIN::exec()[sql_select.cc:2319]
mysqld.exe!mysql_select()[sql_select.cc:3016]
mysqld.exe!mysql_explain_union()[sql_select.cc:21818]
mysqld.exe!select_describe()[sql_select.cc:21775]
mysqld.exe!JOIN::exec()[sql_select.cc:2319]
mysqld.exe!mysql_select()[sql_select.cc:3016]
mysqld.exe!mysql_explain_union()[sql_select.cc:21818]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4587]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2184]
mysqld.exe!mysql_parse()[sql_parse.cc:5731]
mysqld.exe!dispatch_command()[sql_parse.cc:1058]
mysqld.exe!do_command()[sql_parse.cc:794]
mysqld.exe!do_handle_one_connection()[sql_connect.cc:1253]
mysqld.exe!handle_one_connection()[sql_connect.cc:1168]
mysqld.exe!pthread_start()[my_winthread.c:60]
mysqld.exe!_callthreadstartex()[threadex.c:314]
mysqld.exe!_threadstartex()[threadex.c:292]

#How to repeat:

drop table if exists `t1`;
create table `t1`(`a1` int)engine=innodb;
insert into `t1` values (1);
explain select 1 from `t1` where 1 like
( select 1 from t1 where 1 <=>
 (select 1 from t1 group by `a1`)
);

Elena Stepanova (elenst) wrote :

Also reproducible on MariaDB 5.3 revno 3526.
Reproducible with the default optimizer_switch as well as all OFF values (except for in_to_exists which is required to run the query or, in this case, explain).
Not reproducible on MySQL trunk revno 3782, MariaDB 5.2.

Changed in maria:
importance: Undecided → High
assignee: nobody → Timour Katchaounov (timour)
milestone: none → 5.3
Timour Katchaounov (timour) wrote :

This bug is already fixed in the 5.5 branch for lp:944706, task MDEV-193.

The bug can be fixed in 5.3 by backporting the MySQL patch for
mysql bug #12330344.

Changed in maria:
status: New → In Progress
Timour Katchaounov (timour) wrote :

Correction to the previous comment. The bug is not a duplicate of lp:1001117.

Analysis:
When a subquery that needs a temp table is executed during the prepare or optimize
phase of the outer query, at the end of the subquery execution all the JOIN_TABs of
the subquery are replaced by a new JOIN_TAB that selects from the temp table.
However that temp table has no corresponding TABLE_LIST. Once EXPLAIN execution
reaches its last phase, it tries to print the names of the subquery tables through
its TABLE_LISTs, but in the case of this bug there is no such TABLE_LIST (it is NULL),
hence a crash.

This bug is not present in the 5.5 branch for lp:944706, task MDEV-193
because this patch takes care of the situation that causes the crash.

The fix in 5.3 is to block subquery evaluation inside Item_func_like::fix_fields
using the Item::is_expensive() test. When the fix is merged into 5.5 it will
interoperate correctly with the fix for lp:944706.

Changed in maria:
status: In Progress → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released
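
The failure mode and the guard described in the analysis above, as an added example that is not MariaDB source and not part of the original report. It is a reduced C++ model: the types, the function names other than is_expensive(), and the rule that any subquery reading a table counts as expensive are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

struct TableList { std::string alias; };            // stands in for TABLE_LIST
struct JoinTab   { const TableList *table_list; };  // stands in for JOIN_TAB

struct Subquery {
    TableList source;             // the table named in the query text
    std::vector<JoinTab> tabs;    // current plan, one entry per JOIN_TAB
    bool needs_temp_table;        // e.g. the GROUP BY in the reported query

    Subquery(const std::string &name, bool tmp)
        : source{name}, needs_temp_table(tmp) { tabs.push_back({&source}); }
    Subquery(const Subquery &) = delete;  // tabs point into this object

    // Assumption of this model: reading any table makes the subquery expensive.
    bool is_expensive() const { return !tabs.empty(); }

    // After execution through a temp table, the original JOIN_TABs are replaced
    // by a single one that has no TABLE_LIST behind it.
    void exec() {
        if (needs_temp_table) { tabs.clear(); tabs.push_back({nullptr}); }
    }
};

// Models evaluating a LIKE argument while the outer query is still in prepare.
void fix_fields_like(Subquery &arg, bool guard_expensive) {
    if (guard_expensive && arg.is_expensive()) return;  // defer to execution
    arg.exec();
}

// Models the last phase of EXPLAIN. Returns false at the point where the
// unpatched server dereferenced a NULL TABLE_LIST.
bool explain_table_names(const Subquery &sq, std::string &out) {
    out.clear();
    for (const JoinTab &tab : sq.tabs) {
        if (tab.table_list == nullptr) return false;
        out += tab.table_list->alias;
    }
    return true;
}

// Prepare followed by EXPLAIN; true means EXPLAIN could name every table.
bool explain_like_subquery(bool guard_expensive, std::string &names) {
    Subquery sq("t1", /*needs_temp_table=*/true);
    fix_fields_like(sq, guard_expensive);
    return explain_table_names(sq, names);
}

int main() {
    std::string n;
    std::cout << "unguarded ok=" << explain_like_subquery(false, n) << "\n";
    std::cout << "guarded ok=" << explain_like_subquery(true, n) << " " << n << "\n";
}
```
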
Jorge Silva (silvas91) wrote :

With my optimizer switch settings and MariaDB 5.3.7:

Thread pointer: 0x02BD73F8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
004D1D02 mysqld.exe!select_describe()[sql_select.cc:21198]
004E6FBC mysqld.exe!JOIN::exec()[sql_select.cc:2240]
004E7EE2 mysqld.exe!mysql_select()[sql_select.cc:2954]
004E80A8 mysqld.exe!mysql_explain_union()[sql_select.cc:21671]
004D32A6 mysqld.exe!select_describe()[sql_select.cc:21628]
004E6FBC mysqld.exe!JOIN::exec()[sql_select.cc:2240]
004E7EE2 mysqld.exe!mysql_select()[sql_select.cc:2954]
004E80A8 mysqld.exe!mysql_explain_union()[sql_select.cc:21671]
004D32A6 mysqld.exe!select_describe()[sql_select.cc:21628]
004E6FBC mysqld.exe!JOIN::exec()[sql_select.cc:2240]
004E7EE2 mysqld.exe!mysql_select()[sql_select.cc:2954]
004E80A8 mysqld.exe!mysql_explain_union()[sql_select.cc:21671]
00422732 mysqld.exe!execute_sqlcom_select()[sql_parse.cc:5130]
004252E1 mysqld.exe!mysql_execute_command()[sql_parse.cc:2284]
00429F35 mysqld.exe!mysql_parse()[sql_parse.cc:6156]
0042A844 mysqld.exe!dispatch_command()[sql_parse.cc:1230]
0042B40E mysqld.exe!do_command()[sql_parse.cc:927]
004536AC mysqld.exe!handle_one_connection()[sql_connect.cc:1218]
0076EBFD mysqld.exe!pthread_start()[my_winthread.c:90]
00741CB9 mysqld.exe!_callthreadstart()[thread.c:259]
00741D37 mysqld.exe!_threadstart()[thread.c:241]
75D8ED4C kernel32.dll!BaseThreadInitThunk()
777837E3 ntdll.dll!RtlInitializeExceptionChain()
777837B6 ntdll.dll!RtlInitializeExceptionChain()

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (02C2FE08): explain select 1 from `t1` where 1 like
( select 1 from t1 where 1 <=>
 (select 1 from t1 group by `a1`)
)
Connection ID (thread ID): 1
Status: NOT_KILLED
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=off,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=off,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on
