Server crashes in embedding_sjm on a simple 1-table select with AND and OR

Bug #965872 reported by Elena Stepanova
Affects: MariaDB
Status: Fix Released
Importance: Critical
Assigned to: Sergey Petrunia

Bug Description

The following query started crashing between revisions 3472 and 3474 (probably with revision 3474):

SELECT * FROM t1
WHERE a = d AND ( b = 50 AND b = d OR a = c );

#3 <signal handler called>
#4 0x000000000078e031 in embedding_sjm (item=0x0) at sql_select.cc:11439
#5 0x000000000078e2e3 in eliminate_item_equal (cond=0x0,
    upper_levels=0x1cb47d8, item_equal=0x1cdffe8) at sql_select.cc:11564
#6 0x000000000078eade in substitute_for_best_equal_field (context_tab=0x1,
    cond=0x1cdffe8, cond_equal=0x1cb47d8, table_join_idx=0x1ce08b8)
    at sql_select.cc:11773
#7 0x000000000078e862 in substitute_for_best_equal_field (context_tab=0x1,
    cond=0x1cb45e8, cond_equal=0x1cb47d8, table_join_idx=0x1ce08b8)
    at sql_select.cc:11737
#8 0x000000000078e862 in substitute_for_best_equal_field (context_tab=0x1,
    cond=0x1cb46f0, cond_equal=0x1cb47d8, table_join_idx=0x1ce08b8)
    at sql_select.cc:11737
#9 0x00000000007731f0 in JOIN::optimize (this=0x1cb48d8) at sql_select.cc:1231
#10 0x00000000007794db in mysql_select (thd=0x1c2e988,
    rref_pointer_array=0x1c315a8, tables=0x1cb3338, wild_num=1, fields=...,
    conds=0x1cb46f0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0,
    select_options=2147764736, result=0x1cb48b8, unit=0x1c30e70,
    select_lex=0x1c31358) at sql_select.cc:2938
#11 0x0000000000770139 in handle_select (thd=0x1c2e988, lex=0x1c30dd0,
    result=0x1cb48b8, setup_tables_done_option=0) at sql_select.cc:285
#12 0x00000000006fe94c in execute_sqlcom_select (thd=0x1c2e988,
    all_tables=0x1cb3338) at sql_parse.cc:5151
#13 0x00000000006f5a09 in mysql_execute_command (thd=0x1c2e988)
    at sql_parse.cc:2284
#14 0x0000000000701327 in mysql_parse (thd=0x1c2e988,
    rawbuf=0x1cb3100 "SELECT * FROM t1\nWHERE a = d AND ( b = 50 AND b = d OR a = c )", length=62, found_semicolon=0x7fdebbf82c98) at sql_parse.cc:6152
#15 0x00000000006f31b8 in dispatch_command (command=COM_QUERY, thd=0x1c2e988,
    packet=0x1ca9c49 "SELECT * FROM t1\nWHERE a = d AND ( b = 50 AND b = d OR a = c )", packet_length=62) at sql_parse.cc:1228
#16 0x00000000006f24ec in do_command (thd=0x1c2e988) at sql_parse.cc:923
#17 0x00000000006ef3ca in handle_one_connection (arg=0x1c2e988)
    at sql_connect.cc:1193
#18 0x00007fdec5720a4f in start_thread () from /lib64/libpthread.so.0

bzr version-info
revision-id: <email address hidden>
date: 2012-03-26 21:38:24 +0400
build-date: 2012-03-27 04:45:31 +0300
revno: 3478

As said before, also reproducible on revno 3474, but not on 3472.
Not reproducible on MariaDB 5.5 revno 3353.

EXPLAIN also crashes.

Minimal optimizer_switch: none required (crashes with all OFFs).

Full optimizer_switch (default): index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on

Test case:

CREATE TABLE t1 ( a INT, b INT, c INT, d INT );
INSERT INTO t1 VALUES (4,2,8,9),(4,2,7,8);

SELECT * FROM t1
WHERE a = d AND ( b = 50 AND b = d OR a = c );

# End of test case

Changed in maria:
status: New → In Progress
Changed in maria:
status: In Progress → Fix Committed
Elena Stepanova (elenst)
tags: added: crash
tags: added: optimizer
Changed in maria:
status: Fix Committed → Fix Released