Server crashes in ha_maria::scan_time with derived_with_keys=on, GROUP_CONCAT in a view or FROM subquery, MyISAM or Aria

#4 <signal handler called>
#5 0x08596e47 in ha_maria::scan_time (this=0x9473f50) at ha_maria.cc:916
#6 0x084053b6 in SQL_SELECT::test_quick_select (this=0x947cff0, thd=0x93f04c8, keys_to_use=..., prev_tables=0, limit=18446744073709551615, force_quick_range=false,
    ordered_output=false) at opt_range.cc:2945
#7 0x083595c4 in get_quick_record_count (thd=0x93f04c8, select=0x947cff0, table=0x9473360, keys=0x947cd18, limit=18446744073709551615) at sql_select.cc:3001
#8 0x0835b1f6 in make_join_statistics (join=0x9475b28, tables_list=..., conds=0x947c8f8, keyuse_array=0x947bfd0) at sql_select.cc:3532
#9 0x08353469 in JOIN::optimize (this=0x9475b28) at sql_select.cc:1150
#10 0x083592e4 in mysql_select (thd=0x93f04c8, rref_pointer_array=0x93f2064, tables=0x945ed68, wild_num=0, fields=..., conds=0x945f380, og_num=0, order=0x0,
    group=0x0, having=0x0, proc_param=0x0, select_options=2147764736, result=0x9460978, unit=0x93f1c48, select_lex=0x93f1f28) at sql_select.cc:2938
#11 0x08350fe7 in handle_select (thd=0x93f04c8, lex=0x93f1bec, result=0x9460978, setup_tables_done_option=0) at sql_select.cc:285
#12 0x082ec085 in execute_sqlcom_select (thd=0x93f04c8, all_tables=0x945ed68) at sql_parse.cc:5151
#13 0x082e3461 in mysql_execute_command (thd=0x93f04c8) at sql_parse.cc:2284
#14 0x082ee6c0 in mysql_parse (thd=0x93f04c8, rawbuf=0x945ec00 "SELECT a FROM t1, v \nWHERE a = b", length=32, found_semicolon=0xae865234) at sql_parse.cc:6152
#15 0x082e10a1 in dispatch_command (command=COM_QUERY, thd=0x93f04c8, packet=0x9449311 "SELECT a FROM t1, v \nWHERE a = b", packet_length=32) at sql_parse.cc:1228
#16 0x082e054b in do_command (thd=0x93f04c8) at sql_parse.cc:923
#17 0x082dd4d1 in handle_one_connection (arg=0x93f04c8) at sql_connect.cc:1193
#18 0xb767ab25 in start_thread () from /lib/libpthread.so.0

bzr version-info
revision-id: <email address hidden>
date: 2012-03-12 18:21:14 +0400
build-date: 2012-03-13 06:07:23 +0400
revno: 3457

(Note: according to log, revno 3457 contains a bugfix for https://bugs.launchpad.net/maria/+bug/944782).

Also reproducible on MariaDB 5.5 revno 3319.

EXPLAIN also crashes.

Minimal optimizer_switch: derived_with_keys=on
Full optimizer_switch (default): index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on

Test case:

SET optimizer_switch = 'derived_with_keys=on';

CREATE TABLE t1 ( a INT ) ENGINE=MyISAM;
INSERT INTO t1 VALUES ( 132 );

CREATE TABLE t2 ( b INT, c VARCHAR(1024) ) ENGINE=MyISAM;
INSERT INTO t2 VALUES (120,'text1'),(132,'text2');

CREATE VIEW v AS
  SELECT b, GROUP_CONCAT(c) AS gc
  FROM t2
  GROUP BY b;

SELECT a FROM t1, v
WHERE a = b;