Crash in JOIN_CACHE_BNLH::get_matching_chain_by_join_key with InnoDB and join-cache-level=3

#3 <signal handler called>
#4 0x00000000006bf5a8 in key_copy (to_key=0x2e58b23 "v",
    from_record=0x3134e78 "\375\001v", key_info=0x3134b50, key_length=2,
    with_zerofill=true) at key.cc:152
#5 0x0000000000742f06 in JOIN_CACHE_BNLH::get_matching_chain_by_join_key (
    this=0x2e584b8) at sql_join_cache.cc:3599
#6 0x0000000000742f9a in JOIN_CACHE_BNLH::prepare_look_for_matches (
    this=0x2e584b8, skip_last=false) at sql_join_cache.cc:3636
#7 0x0000000000740eeb in JOIN_CACHE::join_matching_records (this=0x2e584b8,
    skip_last=false) at sql_join_cache.cc:2248
#8 0x000000000074099c in JOIN_CACHE::join_records (this=0x2e584b8,
    skip_last=false) at sql_join_cache.cc:2062
#9 0x0000000000794329 in sub_select_cache (join=0x2e4e5d0,
    join_tab=0x2e57c18, end_of_records=true) at sql_select.cc:14936
#10 0x000000000079454b in sub_select (join=0x2e4e5d0, join_tab=0x2e578f8,
    end_of_records=true) at sql_select.cc:15098
#11 0x0000000000794014 in do_select (join=0x2e4e5d0, fields=0x7fe4f8060f78,
    table=0x0, procedure=0x0) at sql_select.cc:14820
#12 0x000000000077605c in JOIN::exec (this=0x2e4e5d0) at sql_select.cc:2685
#13 0x00000000007768ef in mysql_select (thd=0x7fe4f805e4e8,
    rref_pointer_array=0x7fe4f80610c0, tables=0x2e3cdb0, wild_num=1,
    fields=..., conds=0x2e3e160, og_num=0, order=0x0, group=0x0, having=0x0,
    proc_param=0x0, select_options=2147764736, result=0x2e3e3e8,
    unit=0x7fe4f8060988, select_lex=0x7fe4f8060e70) at sql_select.cc:2906
#14 0x000000000076d4c9 in handle_select (thd=0x7fe4f805e4e8,
    lex=0x7fe4f80608e8, result=0x2e3e3e8, setup_tables_done_option=0)
    at sql_select.cc:283
#15 0x00000000006fc648 in execute_sqlcom_select (thd=0x7fe4f805e4e8,
    all_tables=0x2e3cdb0) at sql_parse.cc:5112
#16 0x00000000006f371e in mysql_execute_command (thd=0x7fe4f805e4e8)
    at sql_parse.cc:2250
#17 0x00000000006ff028 in mysql_parse (thd=0x7fe4f805e4e8,
    rawbuf=0x2e3cb80 "SELECT * FROM t1 WHERE b IN ( SELECT a FROM t1 GROUP BY a )", length=59, found_semicolon=0x7fe515cebc98) at sql_parse.cc:6113
#18 0x00000000006f0f36 in dispatch_command (command=COM_QUERY,
    thd=0x7fe4f805e4e8, packet=0x7fe4f809bde9 "", packet_length=59)
    at sql_parse.cc:1221
#19 0x00000000006f026a in do_command (thd=0x7fe4f805e4e8) at sql_parse.cc:916
#20 0x00000000006ed1c0 in handle_one_connection (arg=0x7fe4f805e4e8)
    at sql_connect.cc:1191
#21 0x00007fe514fcaa4f in start_thread () from /lib64/libpthread.so.0
#22 0x00007fe5143b482d in clone () from /lib64/libc.so.6

5.3 main
revno: 3324
revision-id: <email address hidden>

Also reproducible on 3315.

No specific optimizer_switch required.

Full switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=off,semijoin_with_cache=off,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on

Reproducible with join-cache-level = 3, 4 (included into the test case).

Does not crash with Aria or MyISAM.

EXPLAIN SELECT * FROM t1 WHERE b IN ( SELECT a FROM t1 GROUP BY a );

id select_type table type possible_keys key key_len ref rows Extra
1 PRIMARY t1 ALL NULL NULL NULL NULL 1 Using where
1 PRIMARY <subquery2> hash_ALL distinct_key #hash#distinct_key 5 test.t1.b 1 Using join buffer (flat, BNLH join)
2 SUBQUERY t1 ALL NULL NULL NULL NULL 1 Using temporary

Test case:

--source include/have_innodb.inc

SET join_cache_level=3; # also crashes with 4

CREATE TABLE t1 ( a VARCHAR(1), b VARCHAR(1) ) ENGINE=InnoDB;
INSERT INTO t1 VALUES ('v','v');

SELECT * FROM t1 WHERE b IN ( SELECT a FROM t1 GROUP BY a );