sig=11 in add_identifier [major crashing bug, seen in many different tests]

$ cd /percona-server/5.5 # Containing bzr branch of 5.5.25a or 5.5.27 (trunk)
$ ./build/build-binary.sh ..
$ cd ..; tar -xf Percona-Server-5.5.25a-rel27.1-285.Linux.x86_64.tar.xf
$ cat /dev/shm/e.yy
query: ALTER TABLE _table PARTITION BY KEY() PARTITIONS 10;
$ cat /dev/shm/e.zz
$tables = { rows => [ 10000 ] };
$fields = { types => [ 'int' ] };
$data = { strings => [ 'int' ] };
$ rm -R /dev/shm/e
$ mkdir /dev/shm/e
$ cd /randgen
$ perl runall.pl --duration=120 --queries=30000 --threads=30 --reporter=Backtrace,Shutdown --basedir=/percona-server/Percona-Server-5.5.25a-rel27.1-285.Linux.x86_64 --mysqld=--log-output=none --grammar=/dev/shm/e.yy --gendata=/dev/shm/e.zz --vardir=/dev/shm/e --mtr-build-thread=950 --seed=27705 --sqltrace >/dev/shm/e.log 2>&1
$ tail -n1 /dev/shm/e.log
2012-08-14T14:29:26 [8314] runall.pl will exit with exit status STATUS_SERVER_CRASHED (101)
$ gdb /percona-server/Percona-Server-5.5.25a-rel27.1-285.Linux.x86_64/bin/mysqld /dev/shm/e/master-data/core.<your_pid>

(gdb) bt
#0 0x000000307260c60c in pthread_kill () from /lib64/libpthread.so.0
#1 0x00000000006929cf in handle_fatal_signal (sig=11) at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/sql/signal_handler.cc:249
#2 <signal handler called>
#3 add_identifier (thd=thd@entry=0x202d720, to_p=0x7f6d5c5cc3fb "*/", end_p=end_p@entry=0x7f6d5c5cc4d0 "", name=name@entry=0x7f6d5c5cc30f "p0", name_len=name_len@entry=4294967293)
at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/sql/sql_table.cc:104
#4 0x00000000005fbabd in explain_filename (thd=0x202d720, from=<optimized out>, to=0x7f6d5c5cc3d0 "`#sql-1979_11#P#p0` /* Temporary Partition */", to_length=256, explain_mode=EXPLAIN_PARTITIONS_AS_COMMENT)
at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/sql/sql_table.cc:356
#5 0x0000000000808244 in innobase_convert_identifier (buf=0x7f6d5c5cc507 "`table10000_int_autoinc` /* Partition `p0` */", buflen=569, id=<optimized out>, idlen=17, thd=0x202d720, file_id=1)
at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/storage/innobase/handler/ha_innodb.cc:2261
#6 0x000000000086c73a in ut_print_namel (f=f@entry=0x1b6ed70, trx=<optimized out>, table_id=table_id@entry=1, name=<optimized out>,
namelen=<optimized out>) at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/storage/innobase/ut/ut0ut.c:552
#7 0x000000000086c7c1 in ut_print_name (f=f@entry=0x1b6ed70, trx=<optimized out>, table_id=table_id@entry=1, name=<optimized out>)
at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/storage/innobase/ut/ut0ut.c:528
#8 0x000000000090c991 in lock_table_print (file=0x1b6ed70, lock=0x7f6d1c02c108) at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/storage/innobase/lock/lock0lock.c:4319
#9 0x000000000090d50f in lock_print_info_all_transactions (file=file@entry=0x1b6ed70) at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/storage/innobase/lock/lock0lock.c:4680
#10 0x00000000008449e4 in srv_printf_innodb_monitor (file=0x1b6ed70, nowait=1, trx_start=trx_start@entry=0x0, trx_end=trx_end@entry=0x0)
at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/storage/innobase/srv/srv0srv.c:2243
#11 0x00000000008457c0 in srv_monitor_thread (arg=<optimized out>)
at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/storage/innobase/srv/srv0srv.c:2560
#12 0x0000003072607d14 in start_thread () from /lib64/libpthread.so.0
#13 0x00000030722f197d in clone () from /lib64/libc.so.6
(gdb) f 3
#3 add_identifier (thd=thd@entry=0x202d720, to_p=0x7f6d5c5cc3fb "*/", end_p=end_p@entry=0x7f6d5c5cc4d0 "", name=name@entry=0x7f6d5c5cc30f "p0", name_len=name_len@entry=4294967293)
at /percona-server/5.5/Percona-Server-5.5.25a-rel27.1/sql/sql_table.cc:104
104 if (!name[name_len])
(gdb) list
99 char tmp_name[FN_REFLEN];
100 char conv_string[FN_REFLEN];
101 int quote;
102
103 DBUG_ENTER("add_identifier");
104 if (!name[name_len])
105 conv_name= name;
106 else
107 {
108 strnmov(tmp_name, name, name_len);
(gdb) p name_len
$1 = 4294967293
(gdb) p name[name_len]
Cannot access memory at address 0x7f6e5c5cc30c