Description:
5.1.53:
mysqld.exe!Item_func_group_concat::print()[item_sum.cc:3411]
mysqld.exe!st_select_lex::print()[sql_select.cc:17162]
mysqld.exe!Item_subselect::print()[item_subselect.cc:337]
mysqld.exe!st_select_lex::print_order()[sql_lex.cc:2046]
mysqld.exe!st_select_lex::print()[sql_select.cc:17237]
mysqld.exe!st_select_lex_unit::print()[sql_lex.cc:2015]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:5129]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2294]
mysqld.exe!mysql_parse()[sql_parse.cc:6072]
mysqld.exe!dispatch_command()[sql_parse.cc:1263]
mysqld.exe!do_command()[sql_parse.cc:889]
mysqld.exe!handle_one_connection()[sql_connect.cc:1136]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:295]
mysqld.exe!_threadstart()[thread.c:275]

5.6.1 [mysql-trunk] was not affected

How to repeat:
drop table if exists `t1`;
create table `t1`(`a` int)engine=myisam;
explain extended select updatexml('1',`a`,'1')
from `t1` order by(select group_concat(1) from `t1`);

Verified just as described with current mysql-5.5-security tree:

macbook-pro:5.5-sec openxs$ bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.5.8-rc-debug Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop table if exists `t1`;
Query OK, 0 rows affected (0.00 sec)

mysql> create table `t1`(`a` int)engine=myisam;
Query OK, 0 rows affected (0.19 sec)

mysql> explain extended select updatexml('1',`a`,'1')
    -> from `t1` order by(select group_concat(1) from `t1`);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> 101122 19:48:25 mysqld_safe mysqld restarted

mysql> exit
Bye
macbook-pro:5.5-sec openxs$ tail -80 var/macbook-pro.err 
InnoDB: Creating foreign key constraint system tables
InnoDB: Foreign key constraint system tables created
101119 18:45:37  InnoDB: 1.1.3 started; log sequence number 0
101119 18:45:37 [Note] Event Scheduler: Loaded 0 events
101119 18:45:37 [Note] /Users/openxs/dbs/5.5-sec/libexec/mysqld: ready for connections.
Version: '5.5.8-rc-debug'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution
101122 19:48:25 - mysqld got signal 10 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=2
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337959 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x18ad800
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xb077ef34 thread_stack 0x30000
0   mysqld                              0x005cb7d9 my_print_stacktrace + 44
1   mysqld                              0x0010638a handle_segfault + 884
2   libSystem.B.dylib                   0x940472bb _sigtramp + 43
3   ???                                 0xffffffff 0x0 + 4294967295
4   mysqld                              0x0018855a _ZN13st_select_lex5printEP3THDP6String15enum_query_type + 722
5   mysqld                              0x000ace7e _ZN30subselect_single_select_engine5printEP6String15enum_query_type + 44
6   mysqld                              0x000acb93 _ZN14Item_subselect5printEP6String15enum_query_type + 79
7   mysqld                              0x00005d13 _ZN13st_select_lex11print_orderEP6StringP8st_order15enum_query_type + 141
8   mysqld                              0x00188859 _ZN13st_select_lex5printEP3THDP6String15enum_query_type + 1489
9   mysqld                              0x00005e52 _ZN18st_select_lex_unit5printEP6String15enum_query_type + 224
10  mysqld                              0x00116718 _Z15update_precheckP3THDP10TABLE_LIST + 736
11  mysqld                              0x0011902e _Z21mysql_execute_commandP3THD + 3058
12  mysqld                              0x00120cf1 _Z11mysql_parseP3THDPcjP12Parser_state + 627
13  mysqld                              0x00121601 _Z16dispatch_command19enum_server_commandP3THDPcj + 1991
14  mysqld                              0x00122a0f _Z10do_commandP3THD + 621
15  mysqld                              0x0010ffa3 _Z24do_handle_one_connectionP3THD + 515
16  mysqld                              0x00110095 handle_one_connection + 37
17  libSystem.B.dylib                   0x9400c095 _pthread_start + 321
18  libSystem.B.dylib                   0x9400bf52 thread_start + 34
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x183c810 = explain extended select updatexml('1',`a`,'1')
from `t1` order by(select group_concat(1) from `t1`)
thd->thread_id=15
thd->killed=NOT_KILLED
...

this is a very recent regression.
5.1.50 = no crash
5.1.51 = no crash
5.1.52 = no crash
5.1.53 = crash

DROP TABLE IF EXISTS `a`; CREATE TABLE `a` (`z` int);
EXPLAIN EXTENDED SELECT 1 FROM `a` GROUP BY (SELECT GROUP_CONCAT(y) from a);

------- Backtrace
00000000`0528d9d0 00000001`40172023 : 00000001`403c3a00 00000000`0528db80 00000000`044caff8 00000000`00000000 : mysqld!Item_func_group_concat::print+0xa9 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\item_sum.cc @ 3411]
00000000`0528da10 00000001`4014a217 : 00000000`0528db80 00000001`403c3a8c 00000000`00000000 00000000`044cb398 : mysqld!st_select_lex::print+0x1e3 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_select.cc @ 17162]
00000000`0528da50 00000001`400c2980 : 00000000`0528db80 00000000`00000000 00000000`0528db80 00000001`403c3a8c : mysqld!Item_subselect::print+0x67 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\item_subselect.cc @ 337]
00000000`0528da80 00000001`4017213d : 00000000`0528db80 00000000`0528db80 00000000`00000000 00000000`00000000 : mysqld!st_select_lex::print_order+0x70 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_lex.cc @ 2046]
00000000`0528dae0 00000001`400c3d76 : 00000000`0528db80 00000000`044e1801 00000000`044e2e68 00000000`044e3270 : mysqld!st_select_lex::print+0x2fd [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_select.cc @ 17203]
00000000`0528db20 00000001`40069e47 : 00000000`044e1890 00000000`00000000 00000000`044c9e00 00000000`00000000 : mysqld!st_select_lex_unit::print+0xd6 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_lex.cc @ 2015]
00000000`0528db60 00000001`4006cefc : 00000000`044ca0b8 00000000`00000000 00000000`044c9e00 00000000`00000000 : mysqld!execute_sqlcom_select+0x177 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_parse.cc @ 5129]
00000000`0528dfe0 00000001`40071910 : 00000000`044e1890 00000000`044e1890 00000000`044e2dd0 00000000`00000000 : mysqld!mysql_execute_command+0x46c [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_parse.cc @ 2294]
00000000`0528f3d0 00000001`400725e8 : 00000000`0000004b 00000000`01cae101 00000000`044e1890 00000000`00000003 : mysqld!mysql_parse+0x1b0 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_parse.cc @ 6072]
00000000`0528f500 00000001`40073077 : 00000000`00000000 00000000`00000010 00000000`044e2e68 00000000`00000000 : mysqld!dispatch_command+0x798 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_parse.cc @ 1263]
00000000`0528fe60 00000001`4009a147 : 00000000`00000000 00000000`044e1890 00000000`00000000 00000000`00000000 : mysqld!do_command+0xf7 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_parse.cc @ 889]
00000000`0528fea0 00000001`4031faa5 : 00000000`044e1890 00000000`044e1890 00000001`4009a020 00000000`00000000 : mysqld!handle_one_connection+0x127 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\sql\sql_connect.cc @ 1136]
00000000`0528fed0 00000001`402ea477 : 00000000`030736d0 00000000`00000000 00000000`00000000 00000000`00000000 : mysqld!pthread_start+0x55 [g:\mysql-5.1.53-winbuild\mysql-community-nt-5.1.53-build\mysys\my_winthread.c @ 85]
00000000`0528ff00 00000001`402ea545 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : mysqld!_callthreadstart+0x17 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\thread.c @ 295]
00000000`0528ff30 00000000`76ddf56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : mysqld!_threadstart+0x95 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\thread.c @ 275]
00000000`0528ff60 00000000`77013021 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0528ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

------- Code
void Item_func_group_concat::print(String *str, enum_query_type query_type)
{
  str->append(STRING_WITH_LEN("group_concat("));
  if (distinct)
    str->append(STRING_WITH_LEN("distinct "));
  for (uint i= 0; i < arg_count_field; i++)
  {
    if (i)
      str->append(',');
    orig_args[i]->print(str, query_type);     <------ item_sum.cc @ 3411
  }

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/126123

3513 Sergey Glukhov	2010-12-06
      Bug#58396 group_concat and explain extended are still crashy
      Explain fails at fix_fields stage and some items are left unfixed,
      particulary Item_group_concat. Item_group_concat::orig_args field
      is uninitialized in this case and Item_group_concat::print call 
      leads to crash.
      The fix:
      move the initialization of Item_group_concat::orig_args
      into constructor.
     @ mysql-test/r/func_gconcat.result
        test case
     @ mysql-test/t/func_gconcat.test
        test case
     @ sql/item_sum.cc
        move the initialization of Item_group_concat::orig_args
        into constructor.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/126611

3517 Sergey Glukhov	2010-12-13
      Bug#58396 group_concat and explain extended are still crashy
      Explain fails at fix_fields stage and some items are left unfixed,
      particulary Item_group_concat. Item_group_concat::orig_args field
      is uninitialized in this case and Item_group_concat::print call 
      leads to crash.
      The fix:
      move the initialization of Item_group_concat::orig_args
      into constructor.
     @ mysql-test/r/func_gconcat.result
        test case
     @ mysql-test/t/func_gconcat.test
        test case
     @ sql/item_sum.cc
        move the initialization of Item_group_concat::orig_args
        into constructor.

Pushed into mysql-5.1 5.1.55 (revid:georgi.kodinov@oracle.com-20101217124435-9imm43geck5u55qw) (version source revid:sergey.glukhov@oracle.com-20101213103926-okypkn10adeeyns8) (merge vers: 5.1.55) (pib:24)

Pushed into mysql-5.5 5.5.9 (revid:georgi.kodinov@oracle.com-20101217124733-p1ivu6higouawv8l) (version source revid:sergey.glukhov@oracle.com-20101213104816-v543drnj8ve4hdk1) (merge vers: 5.5.8) (pib:24)

Pushed into mysql-trunk 5.6.1 (revid:georgi.kodinov@oracle.com-20101217125013-y8pb3az32rtbplc9) (version source revid:sergey.glukhov@oracle.com-20101213110556-brvnmqklz5be7fx6) (merge vers: 5.6.1) (pib:24)

Noted in 5.1.55, 5.5.9 changelogs.

EXPLAIN could crash for queries that used GROUP_CONCAT().