Bug #14356 BUG:Partitions: crash if range((select))
Submitted: 26 Oct 2005 20:18 Modified: 2 Nov 2007 15:36
Reporter: Peter Gulutzan
Status: Closed
Category:MySQL Server: Partitions Severity:S1 (Critical)
Version:5.1.2-alpha-debug OS:Linux (SUSE 10.0)
Assigned to: Reggie Burnett CPU Architecture:Any

[26 Oct 2005 20:18] Peter Gulutzan
Description:
If I put a SELECT statement inside "PARTITION BY RANGE (...)", the server crashes.
The database may also become corrupt.

How to repeat:
mysql> create table t1 (s1 int) partition by range (s1 + (select count(*) from t1)) (partition p1 values less than (1));
ERROR 2013 (HY000): Lost connection to MySQL server during query
[26 Jan 2006 19:04] Jonathan Miller
Sorry, but this one seemed serious to me.
[4 Mar 2006 15:30] Andrey Hristov
0x81cd987 handle_segfault + 437
0xffffe420 _end + -142437200
0x912ea80 _end + 9804560
0x822ae9e JOIN::prepare(Item***, st_table_list*, unsigned int, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) + 442
0x81934a3 subselect_single_select_engine::prepare() + 403
0x818f8a3 Item_subselect::fix_fields(THD*, Item**) + 159
0x8152966 Item_func::fix_fields(THD*, Item**) + 250
0x81269a2 fix_fields_part_func(THD*, st_table_list*, Item*, partition_info*, bool) + 294
0x812792b fix_partition_func(THD*, char const*, st_table*, bool) + 1547
0x8225925 open_table_from_share(THD*, st_table_share*, char const*, unsigned int, unsigned int, unsigned int, st_table*, bool) + 1613
0x82c09cd ha_create_table(THD*, char const*, char const*, char const*, st_ha_create_information*, bool) + 269
0x82995d9 rea_create_table(THD*, char const*, char const*, char const*, st_ha_create_information*, List<create_field>&, unsigned int, st_key*, handler*) + 369
0x82d4717 mysql_create_table_internal(THD*, char const*, char const*, st_ha_create_information*, List<create_field>&, List<Key>&, bool, unsigned int) + 2523
0x82d4a4e mysql_create_table(THD*, char const*, char const*, st_ha_create_information*, List<create_field>&, List<Key>&, bool, unsigned int) + 388
0x81e9943 mysql_execute_command(THD*) + 5415
0x81f2288 mysql_parse(THD*, char*, unsigned int) + 570
0x81e6a19 dispatch_command(enum_server_command, THD*, char*, unsigned int) + 2097
0x81e61dd do_command(THD*) + 573
0x81e523c handle_one_connection + 828
[4 Mar 2006 15:37] Andrey Hristov
Reggie, check that you open the tables with subqueries (see open_and_lock_tables(thd, all_tables) in sql_parse.cc for SQLCOM_DO and SQLCOM_SELECT). The problem you see is that in the last frame `table` is 0x0, i.e. it wasn't opened prior to calling fix_fields() on the Item_subselect you get from parsing.

The backtrace:
(gdb) bt
#0  0x08221d47 in setup_table_map (table=0x0, table_list=0x912e578, tablenr=0) at mysql_priv.h:1719
#1  0x0821efab in setup_tables (thd=0x9115ab0, context=0x912e0d8, from_clause=0x912e180, tables=0x912e578, conds=0x9131a34, leaves=0x912e194, select_insert=false) at sql_base.cc:5208
#2  0x0822ae9e in JOIN::prepare (this=0x9130c88, rref_pointer_array=0x912e1cc, tables_init=0x912e578, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x912e0a8, unit_arg=0x912e208) at sql_select.cc:339
#3  0x081934a3 in subselect_single_select_engine::prepare (this=0x912e7a8) at item_subselect.cc:1466
#4  0x0818f8a3 in Item_subselect::fix_fields (this=0x912e720, thd_param=0x9115ab0, ref=0x912e814) at item_subselect.cc:145
#5  0x08152966 in Item_func::fix_fields (this=0x912e7c8, thd=0x9115ab0, ref=0x0) at item_func.cc:163
#6  0x081269a2 in fix_fields_part_func (thd=0x9115ab0, tables=0x4244a8b0, func_expr=0x912e7c8, part_info=0x912df10, is_sub_part=false) at sql_partition.cc:1209
#7  0x0812792b in fix_partition_func (thd=0x9115ab0, name=0x4244b7c0 "./test/t122", table=0x4244af80, is_create_table_ind=true) at sql_partition.cc:1810
#8  0x08225925 in open_table_from_share (thd=0x9115ab0, share=0x4244ab40, alias=0x8652ea4 "", db_stat=0, prgflag=1, ha_open_flags=0, outparam=0x4244af80, is_create_table=true) at table.cc:1485
#9  0x082c09cd in ha_create_table (thd=0x9115ab0, path=0x4244b7c0 "./test/t122", db=0x91152b8 "test", table_name=0x912dcd8 "t122", create_info=0x9116058, update_create_info=false) at handler.cc:2340
#10 0x082995d9 in rea_create_table (thd=0x9115ab0, path=0x4244b7c0 "./test/t122", db=0x91152b8 "test", table_name=0x912dcd8 "t122", create_info=0x9116058, create_fields=@0x9115f70, keys=0, key_info=0x912ecd8, file=0x912ea60) at unireg.cc:335
#11 0x082d4717 in mysql_create_table_internal (thd=0x9115ab0, db=0x91152b8 "test", table_name=0x912dcd8 "t122", create_info=0x9116058, fields=@0x9115f70, keys=@0x9115f64, internal_tmp_table=false, select_field_count=0) at sql_table.cc:2236
#12 0x082d4a4e in mysql_create_table (thd=0x9115ab0, db=0x91152b8 "test", table_name=0x912dcd8 "t122", create_info=0x9116058, fields=@0x9115f70, keys=@0x9115f64, internal_tmp_table=false, select_field_count=0) at sql_table.cc:2313
#13 0x081e9943 in mysql_execute_command (thd=0x9115ab0) at sql_parse.cc:2901
#14 0x081f2288 in mysql_parse (thd=0x9115ab0, inBuf=0x912dc28 "create table t122 (s1 int) partition by range (s1 + (select count(*) from t1)) (partition p1 values less than (1))", length=114) at sql_parse.cc:5779
#15 0x081e6a19 in dispatch_command (command=COM_QUERY, thd=0x9115ab0, packet=0x9106e31 "create table t122 (s1 int) partition by range (s1 + (select count(*) from t1)) (partition p1 values less than (1))", packet_length=115) at sql_parse.cc:1740
#16 0x081e61dd in do_command (thd=0x9115ab0) at sql_parse.cc:1536
#17 0x081e523c in handle_one_connection (arg=0x9115ab0) at sql_parse.cc:1178
#18 0x40173aa7 in start_thread () from /lib/tls/libpthread.so.0
#19 0x402a4c2e in clone () from /lib/tls/libc.so.6
[10 Mar 2006 17:11] Andrey Hristov
When this is fixed, close #18139: SELECT * FROM information_schema.tables crashes server
[13 Mar 2006 18:19] Reggie Burnett
This and all other bugs related to allowing expressions as partition functions are being closed as "won't fix" and replaced with Bug #18198 (Expressions are allowed as partition functions).
[2 Nov 2007 15:36] Mattias Jonsson
Closing. After the patch for bug#18198, this is not allowed and the crash does not occur.