Crash in clear_tables() with subqueries

MySQL Bug#52347 is still present in MariaDB 5.3 (and possibly all earlier versions). It seems that whatever fix they had did not make it into MariaDB.

backtrace:

#4 <signal handler called>
#5 0x0832bdd5 in copy_fields (param=0xae666ccc) at sql_select.cc:17305
#6 0x0832455a in end_send_group (join=0xae662038, join_tab=0x0, end_of_records=false) at sql_select.cc:14287
#7 0x08320d41 in do_select (join=0xae662038, fields=0xae666dd8, table=0x0, procedure=0x0) at sql_select.cc:12658
#8 0x083071f5 in JOIN::exec (this=0xae662038) at sql_select.cc:2340
#9 0x08237f14 in subselect_single_select_engine::exec (this=0xae62e670) at item_subselect.cc:2749
#10 0x0823243b in Item_subselect::exec (this=0xae62e5a8) at item_subselect.cc:552
#11 0x08233393 in Item_singlerow_subselect::val_int (this=0xae62e5a8) at item_subselect.cc:995
#12 0x081d1612 in Item::val_int_result (this=0xae62e5a8) at item.h:779
#13 0x081cd450 in Item_cache_int::cache_value (this=0xae66e068) at item.cc:7733
#14 0x081d52bc in Item_cache_wrapper::cache (this=0xae66e008) at item.cc:6738
#15 0x081caa60 in Item_cache_wrapper::val_int (this=0xae66e008) at item.cc:6792
#16 0x081c822a in Item::send (this=0xae66e008, protocol=0xb1f73f8, buffer=0xae7fe0c4) at item.cc:5755
#17 0x081d385d in Item_cache_wrapper::send (this=0xae66e008, protocol=0xb1f73f8, buffer=0xae7fe0c4) at item.h:2643
#18 0x0826a8c8 in select_send::send_data (this=0xae62f860, items=...) at sql_class.cc:1876
#19 0x0831717f in return_zero_rows (join=0xae65d1b8, result=0xae62f860, tables=0xae62e6e0, fields=..., send_row=true, select_options=2147764736,
    info=0x88a2b1c "Impossible WHERE noticed after reading const tables", having=0x0) at sql_select.cc:8359
#20 0x083050a6 in JOIN::exec (this=0xae65d1b8) at sql_select.cc:1838
#21 0x08307961 in mysql_select (thd=0xb1f70e8, rref_pointer_array=0xb1f8b64, tables=0xae62e6e0, wild_num=0, fields=..., conds=0xae62f600, og_num=1,
    order=0x0, group=0xae62f7c0, having=0x0, proc_param=0x0, select_options=2147764736, result=0xae62f860, unit=0xb1f87c4, select_lex=0xb1f8a60)
    at sql_select.cc:2550
#22 0x0830004d in handle_select (thd=0xb1f70e8, lex=0xb1f8768, result=0xae62f860, setup_tables_done_option=0) at sql_select.cc:281
#23 0x0829d91b in execute_sqlcom_select (thd=0xb1f70e8, all_tables=0xae62e6e0) at sql_parse.cc:5102
#24 0x08294423 in mysql_execute_command (thd=0xb1f70e8) at sql_parse.cc:2281
#25 0x0829feac in mysql_parse (thd=0xb1f70e8,
    rawbuf=0xae62d9b8 "SELECT\nCOUNT( alias1.f3 ),\n( SELECT COUNT( f1 ) FROM t2 WHERE alias1.f1 ) AS field9\nFROM t2 AS alias1 JOIN t1 AS alias2 ON alias2.f3\nWHERE ( 'v' ) IN ( SELECT f4 FROM t2 )\nGROUP BY field9", length=188, found_semicolon=0xae7ff228) at sql_parse.cc:6109
#26 0x08291f0c in dispatch_command (command=COM_QUERY, thd=0xb1f70e8, packet=0xb20f789 "", packet_length=188) at sql_parse.cc:1209
#27 0x08291376 in do_command (thd=0xb1f70e8) at sql_parse.cc:902
#28 0x0828e454 in handle_one_connection (arg=0xb1f70e8) at sql_connect.cc:1154
#29 0x00bea919 in start_thread () from /lib/libpthread.so.0
#30 0x00b2ccbe in clone () from /lib/libc.so.6

test case:

CREATE TABLE t1 (f3 int) ;
INSERT IGNORE INTO t1 VALUES (0),(0);

CREATE TABLE t2 (f1 int,f3 int,f4 varchar(32)) ;
INSERT IGNORE INTO t2 VALUES (1,0,'f');
SELECT
        COUNT( alias1.f3 ),
        ( SELECT COUNT( f1 ) FROM t2 WHERE alias1.f1 ) AS field9
FROM t2 AS alias1 JOIN t1 AS alias2 ON alias2.f3
WHERE ( 'v' ) IN ( SELECT f4 FROM t2 )
GROUP BY field9;