Bug #45092 crash with Using index condition(BKA)
Submitted: 26 May 2009 8:10 Modified: 20 Nov 2010 23:22
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Optimizer
Severity: S1 (Critical)
Version: 6.0.12, 6.0.9, 6.0-bzr, 5.4
OS: Any (32-bit fc8, winXP)
Assigned to: Guilhem Bichot
CPU Architecture: Any
Tags: BKA, crash, join_cache_level, valgrind

[26 May 2009 8:10] Shane Bester
Description:
crash and/or invalid memory reads:

1 errors in context 1 of 3:
Invalid read of size 4
at: JOIN_CACHE::write_record_data(unsigned char*, bool*) (sql_join_cache.cc:964)
by: JOIN_CACHE_BKA_UNIQUE::put_record() (sql_join_cache.cc:2669)
by: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:16096)
by: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:16548)
by: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:16285)
by: do_select(JOIN*, List<Item>*, TABLE*, Procedure*) (sql_select.cc:15844)
by: JOIN::exec() (sql_select.cc:2886)
by: mysql_select (sql_select.cc:3067)
by: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:310)
by: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4964)
by: mysql_execute_command(THD*) (sql_parse.cc:2172)
by: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5979)
 Address 0x8 is not stack'd, malloc'd or (recently) free'd

1 errors in context 2 of 3:
Use of uninitialised value of size 4
at: JOIN_CACHE::write_record_data(unsigned char*, bool*) (sql_join_cache.cc:964)
by: JOIN_CACHE_BKA_UNIQUE::put_record() (sql_join_cache.cc:2669)
by: sub_select_cache(JOIN*, st_join_table*, bool) (sql_select.cc:16096)
by: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:16548)
by: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:16285)
by: do_select(JOIN*, List<Item>*, TABLE*, Procedure*) (sql_select.cc:15844)
by: JOIN::exec() (sql_select.cc:2886)
by: mysql_select (sql_select.cc:3067)
by: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:310)
by: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:4964)
by: mysql_execute_command(THD*) (sql_parse.cc:2172)
by: mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5979)

The explain for the crashing query is:

mysql> explain select 1 from t1 natural join t2 limit 1\G
*************************** 1. row ***************************
           id: 1
  select_type: SIMPLE
        table: t2
         type: ALL
possible_keys: NULL
          key: NULL
      key_len: NULL
          ref: NULL
         rows: 2
        Extra:
*************************** 2. row ***************************
           id: 1
  select_type: SIMPLE
        table: t1
         type: ref
possible_keys: c2
          key: c2
      key_len: 5
          ref: test.t2.c2
         rows: 1
        Extra: Using index condition(BKA); Using where; Using join buffer
2 rows in set (0.08 sec)

How to repeat:
drop table if exists t1,t2;
create table `t1` (`c1` int,`c2` int,`c3` int,`c4` int,`c5` int,key (`c2`)) engine=myisam;
insert into `t1` values (1,1,1,1,1);
insert into `t1` values (2,2,2,2,2);
create table `t2`(`c0` int,`c1` tinytext,`c2` text) engine=myisam default charset=latin1;
insert into `t2` values (3,null,'s');
insert into `t2` values (4,'z',null);
analyze table t1,t2;
set session join_cache_level=7;
select 1 from t1 natural join t2 limit 1;
[26 May 2009 8:33] Sveta Smirnova
Thank you for the report.

Verified as described.
[2 Jun 2009 21:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/75488

2740 Igor Babaev	2009-06-02
      Fixed bug #45092.
      When the descriptors of the data fields stored in a join buffer 
      are created, first the descriptors of the fields used in
      building access keys are constructed. The construction is done
      with a call of the function add_table_data_fields_to_join_cache.
      One of the parameters of this function, namely field_set, specifies
      for what fields the descriptors are to be constructed. This function
      is called once again for the remaining fields.
      As the function adds new elements to the array of the field
      descriptors, it has to save the number of the descriptors that
      have already been built in order to be able to continue adding them
      later. The same is true for the array of pointers to the field
      descriptors that is created for blob fields.
      However, the length of this array had not been saved. As a result,
      when the remaining blob fields were processed, the pointers to
      their field descriptors overwrote the pointers to the descriptors
      of the blob fields used to build the access keys.
      modified:
        mysql-test/r/join_cache.result
        mysql-test/t/join_cache.test
        sql/sql_join_cache.cc
        sql/sql_select.h
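The overwrite described in the commit message, reduced to a constructed model (added here as an illustration; this is not code from sql_join_cache.cc, and the struct and function names are invented). The descriptor array is populated in two calls, first for the key fields and then for the remaining ones; when the blob-pointer count is not carried over between the calls, the second call reuses slot 0 and the pointer to the key blob's descriptor is lost, which is the state that the later invalid read in write_record_data stems from.

```cpp
#include <cstddef>

// Constructed simplification of the defect in bug #45092; not MySQL's code.
struct FieldDesc { const char *name; bool is_blob; };

struct JoinCacheModel {
  enum { MAX_FIELDS = 8 };
  FieldDesc fields[MAX_FIELDS];      // descriptors of the data fields in the buffer
  size_t field_count;                // descriptors built so far (always carried over)
  FieldDesc *blob_ptrs[MAX_FIELDS];  // pointers to the blob descriptors
  size_t blob_count;                 // blob pointers built so far
};

// Adds descriptors for the fields of `all` selected by `mask` (bit i => field i),
// mirroring add_table_data_fields_to_join_cache being called twice.  With
// keep_blob_count == false the blob-pointer index restarts at 0 on every call,
// which is the defect: the second call overwrites pointers recorded by the first.
static void add_fields(JoinCacheModel &jc, const FieldDesc *all, size_t n,
                       unsigned mask, bool keep_blob_count) {
  size_t blobs = keep_blob_count ? jc.blob_count : 0;
  for (size_t i = 0; i < n; ++i) {
    if (!(mask & (1u << i))) continue;
    FieldDesc *d = &jc.fields[jc.field_count++];
    *d = all[i];
    if (d->is_blob) jc.blob_ptrs[blobs++] = d;
  }
  jc.blob_count = blobs;
}

// Builds the layout for table t2 from the repro (c0 INT, c1 TINYTEXT, c2 TEXT)
// with c2 used as the access key (ref: test.t2.c2 in the EXPLAIN), then counts
// how many blob descriptors are still reachable through blob_ptrs.
// Returns 2 when the count is carried over (fixed) and 1 when it is not
// (the pointer to c2's descriptor was overwritten by c1's).
size_t reachable_blob_count(bool keep_blob_count) {
  const FieldDesc t2[] = { {"c0", false}, {"c1", true}, {"c2", true} };
  const unsigned key_mask = 1u << 2;          // key built from t2.c2
  const unsigned rest_mask = ~key_mask & 7u;  // remaining fields: c0, c1
  JoinCacheModel jc = {};
  add_fields(jc, t2, 3, key_mask, keep_blob_count);
  add_fields(jc, t2, 3, rest_mask, keep_blob_count);
  size_t reachable = 0;
  for (size_t i = 0; i < jc.field_count; ++i) {
    if (!jc.fields[i].is_blob) continue;
    for (size_t j = 0; j < jc.blob_count; ++j)
      if (jc.blob_ptrs[j] == &jc.fields[i]) { ++reachable; break; }
  }
  return reachable;
}
```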
[1 Oct 2009 14:17] Guilhem Bichot
this is in mysql-6.0-opt but never reached main trees (not in 6.0-codebase-bugfixing); this is the only such unmerged revision. I'll merge it.
[1 Oct 2009 18:13] Guilhem Bichot
queued to 6.0-codebase-bugfixing
[2 Oct 2009 14:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/85553

3635 Guilhem Bichot	2009-10-01 [merge]
      merge of Igor's fix for BUG#45092, fix which had been forgotten in mysql-6.0-opt and never merged to main trees.
[9 Oct 2009 8:48] Bugs System
Pushed into 6.0.14-alpha (revid:alik@ibmvm-20091009083208-0o0f0i9w1sq3c1kn) (version source revid:guilhem@mysql.com-20091001161223-jilbw8rvgm5fsbnc) (merge vers: 6.0.14-alpha) (pib:12)
[19 Oct 2009 13:40] Paul DuBois
Hi Guilhem. Right, 6.0.x is now something of a special case, but I'm adding changelog entries in case we need them later. So, could I have a bug description, please. :-)
[19 Oct 2009 14:10] Guilhem Bichot
Not easy as I didn't write the fix, but here is a try:
"Joins involving BLOB columns caused crashes when using the Batched Key Access method."
[19 Oct 2009 14:35] Paul DuBois
Noted in 6.0.14 changelog.

Joins involving BLOB columns caused crashes when using the Batched
Key Access method.
[16 Aug 2010 6:41] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100816062819-bluwgdq8q4xysmlg) (version source revid:alik@sun.com-20100816062612-enatdwnv809iw3s9) (pib:20)
[13 Nov 2010 16:15] Bugs System
Pushed into mysql-trunk 5.6.99-m5 (revid:alexander.nozdrin@oracle.com-20101113155825-czmva9kg4n31anmu) (version source revid:vasil.dimov@oracle.com-20100629074804-359l9m9gniauxr94) (merge vers: 5.6.99-m4) (pib:21)
[20 Nov 2010 23:22] Paul DuBois
Noted in 5.6.1 changelog.
[23 Nov 2010 2:12] Paul DuBois
Correction: No 5.6.1 changelog entry. Bug does not appear in any released 5.6.x version.