Bug #41363 crash of mysqld on windows with aggregate in case
Submitted: 10 Dec 2008 17:14 Modified: 29 Jan 2009 4:35
Reporter: Shane Harrelson
Status: Closed
Category: MySQL Server: General Severity: S1 (Critical)
Version: 5.1/6.0 OS: Windows (XP SP 2, Linux)
Assigned to: Gleb Shchepa CPU Architecture: Any
Tags: aggregate, case, crash, mysqld, regression

[10 Dec 2008 17:14] Shane Harrelson
Description:
mysqld service crashes when running certain queries from CLI, where the query contains aggregates in case statements (or at least this seems to be the common scenario.)  I've included a contrived example simplified from a more complex query.

How to repeat:
CREATE TABLE tab0(col0 INTEGER, col1 INTEGER, col2 INTEGER);
INSERT INTO tab0 VALUES(1,17,65);
INSERT INTO tab0 VALUES(21,44,76);
SELECT CASE AVG ( col0 ) WHEN col1 * col2 THEN 1 END FROM tab0;
[10 Dec 2008 17:30] Valeriy Kravchuk
Crash confirmed on Windows. Stack trace is:

 	mysqld.exe!Item_func_case::find_item(String * str=0x0566e1a8)  Line 2550 + 0x14 bytes	C++
 	mysqld.exe!Item_func_case::val_int()  Line 2587 + 0xc bytes	C++
 	mysqld.exe!Item::send(Protocol * protocol=0x02359820, String * buffer=0x0566e210)  Line 5278	C++
 	mysqld.exe!select_send::send_data(List<Item> & items={...})  Line 1559 + 0xd bytes	C++
 	mysqld.exe!end_send_group(JOIN * join=0x023a64c0, st_join_table * join_tab=0x04d96158, bool end_of_records=true)  Line 12019 + 0x14 bytes	C++
 	mysqld.exe!sub_select(JOIN * join=0x023a64c0, st_join_table * join_tab=0x04d95fc8, bool end_of_records=true)  Line 11020 + 0x12 bytes	C++
 	mysqld.exe!do_select(JOIN * join=0x00000000, List<Item> * fields=0x023a7630, st_table * table=0x00000000, Procedure * procedure=0x00000000)  Line 10813 + 0x9 bytes	C++
 	mysqld.exe!JOIN::exec()  Line 2182 + 0x11 bytes	C++
 	mysqld.exe!mysql_select(THD * thd=0x02359518, Item * * * rref_pointer_array=0x0235a93c, TABLE_LIST * tables=0x023a6258, unsigned int wild_num=0, List<Item> & fields={...}, Item * conds=0x00000000, unsigned int og_num=0, st_order * order=0x00000000, st_order * group=0x00000000, Item * having=0x00000000, st_order * proc_param=0x00000000, unsigned __int64 select_options=2147764736, select_result * result=0x023a64a8, st_select_lex_unit * unit=0x0235a5c0, st_select_lex * select_lex=0x0235a840)  Line 2363	C++
 	mysqld.exe!handle_select(THD * thd=0x02359518, st_lex * lex=0x0235a560, select_result * result=0x023a64a8, unsigned long setup_tables_done_option=0)  Line 269 + 0x75 bytes	C++
 	mysqld.exe!execute_sqlcom_select(THD * thd=0x00000000, TABLE_LIST * all_tables=0x00000000)  Line 4888 + 0xa bytes	C++
 	mysqld.exe!mysql_execute_command(THD * thd=0x02359518)  Line 2184 + 0xb bytes	C++
 	mysqld.exe!opt_look_for_col_in_cond_before(unsigned long cmp_type=2089881702, unsigned long col_no=2089877947, func_node_struct * search_cond=0x000007e4, sel_node_struct * sel_node=0x00000000, unsigned long nth_table=9378296, unsigned long * op=0x00000000)  Line 273 + 0x18 bytes	C
 	ntdll.dll!7c911d45() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for ntdll.dll]	
 	mysqld.exe!mem_pool_fill_free_list(unsigned long i=34758252, mem_pool_struct * pool=0x00708684)  Line 314	C
 	mysqld.exe!rec_get_1byte_offs_flag(unsigned char * rec=0x00000000)  Line 702 + 0x10 bytes	C
 	mysqld.exe!mutex_enter_func(mutex_struct * mutex=0x01fa9680, const char * file_name=0x006cadcf, unsigned long line=37593630)  Line 251 + 0xa bytes	C
 	mysqld.exe!btr_pcur_open(dict_index_struct * index=0x00000000, dtuple_struct * tuple=0x0000000c, unsigned long mode=1376256, unsigned long latch_mode=2089878018, btr_pcur_struct * cursor=0x04e53738, mtr_struct * mtr=0x00151378)  Line 494 + 0x35 bytes	C
 	mysqld.exe!mutex_enter_func(mutex_struct * mutex=0x006b8311, const char * file_name=0x00340178, unsigned long line=7045947)  Line 251 + 0xa bytes	C
 	mysqld.exe!mutex_enter_func(mutex_struct * mutex=0x00eb157c, const char * file_name=0x00eb1580, unsigned long line=33241136)  Line 251 + 0xa bytes	C
 	mysqld.exe!mutex_exit(mutex_struct * mutex=0x04e1ea50)  Line 219 + 0x6 bytes	C
 	mysqld.exe!strmake_root(st_mem_root * root=0x023597fc, const char * str=0x0566ed90, unsigned int len=226)  Line 407 + 0xc bytes	C
 	mysqld.exe!strdup_root(st_mem_root * root=0x023597fc, const char * str=0x00000002)  Line 398 + 0x27 bytes	C
 	mysqld.exe!MYSQL_ERROR::set_msg(THD * thd=0x023597fc, const char * msg_arg=0x00000008)  Line 56 + 0x18 bytes	C++
 	mysqld.exe!List<MYSQL_ERROR>::push_back(MYSQL_ERROR * a=0x04e1ea40, st_mem_root * mem_root=0x023597fc)  Line 386 + 0xf bytes	C++
 	mysqld.exe!push_warning(THD * thd=0x02359518, MYSQL_ERROR::enum_warning_level level=WARN_LEVEL_ERROR, unsigned int code=1064, const char * msg=0x0566ed90)  Line 155 + 0xd bytes	C++
 	mysqld.exe!my_message_sql(unsigned int error=1064, const char * str=0x0566ed90, int MyFlags=0)  Line 2869 + 0x11 bytes	C++
 	mysqld.exe!my_printf_error(unsigned int error=8, const char * format=0x81e184a2, int MyFlags=6175978, ...)  Line 124	C
 	mysqld.exe!st_select_lex::add_joined_table(TABLE_LIST * table=0x008cf7d8)  Line 6322 + 0xd bytes	C++
 	mysqld.exe!MYSQLparse(void * yythd=0x0235a560)  Line 32273 + 0x12 bytes	C++
 	mysqld.exe!mysql_parse(THD * thd=0x02359518, const char * inBuf=0x023a5c28, unsigned int length=62, const char * * found_semicolon=0x0566f7fc)  Line 5752	C++
 	mysqld.exe!dispatch_command(enum_server_command command=COM_QUERY, THD * thd=0x02359518, char * packet=0x04d89009, unsigned int packet_length=62)  Line 1202	C++
 	mysqld.exe!do_command(THD * thd=0x00000003)  Line 861	C++
 	mysqld.exe!handle_one_connection(void * arg=0x02359518)  Line 1115 + 0xa bytes	C++
 	mysqld.exe!pthread_start(void * param=0x0239fba0)  Line 85 + 0x3 bytes	C
>	mysqld.exe!_callthreadstart()  Line 293 + 0x6 bytes	C
 	mysqld.exe!_threadstart(void * ptd=0x04d88560)  Line 275 + 0x5 bytes	C
 	kernel32.dll!7c80b713()
[10 Dec 2008 17:33] MySQL Verification Team
Crash happens with latest bzr source:

081210 14:36:02 [Note] c:\dbs\5.1\bin\mysqld: ready for connections.
Version: '5.1.31-nt-debug-log'  socket: ''  port: 3510  Source distribution
Assertion failed: cmp_items[(uint)cmp_type], file .\item_cmpfunc.cc, line 2552
081210 15:31:12 - mysqld got exception 0x80000003 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388572
read_buffer_size=131072
max_used_connections=1
max_threads=151
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 337709 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x1f70c60
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
009C5284    mysqld.exe!_NMSG_WRITE()[crt0msg.c:195]
009B380A    mysqld.exe!abort()[abort.c:44]
009B0F72    mysqld.exe!_assert()[assert.c:306]
004A1D61    mysqld.exe!Item_func_case::find_item()[item_cmpfunc.cc:2552]
004A200B    mysqld.exe!Item_func_case::val_int()[item_cmpfunc.cc:2592]
0048941B    mysqld.exe!Item::send()[item.cc:5290]
00636AA7    mysqld.exe!select_send::send_data()[sql_class.cc:1584]
006D015E    mysqld.exe!end_send_group()[sql_select.cc:12041]
006CDCAA    mysqld.exe!sub_select()[sql_select.cc:11042]
006CD8EF    mysqld.exe!do_select()[sql_select.cc:10835]
006B9027    mysqld.exe!JOIN::exec()[sql_select.cc:2192]
006B96F9    mysqld.exe!mysql_select()[sql_select.cc:2373]
006B3219    mysqld.exe!handle_select()[sql_select.cc:269]
00679B49    mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4890]
00672578    mysqld.exe!mysql_execute_command()[sql_parse.cc:2184]
0067BBF1    mysqld.exe!mysql_parse()[sql_parse.cc:5789]
006706CE    mysqld.exe!dispatch_command()[sql_parse.cc:1200]
0066FDB7    mysqld.exe!do_command()[sql_parse.cc:857]
00780AF4    mysqld.exe!handle_one_connection()[sql_connect.cc:1115]
008498A6    mysqld.exe!pthread_start()[my_winthread.c:85]
009B93B7    mysqld.exe!_threadstart()[thread.c:196]
7C80B713    kernel32.dll!GetModuleFileNameA()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 01F24050=SELECT CASE AVG ( col0 ) WHEN col1 * col2 THEN 1 END FROM tab0
thd->thread_id=2
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
[10 Dec 2008 17:36] Valeriy Kravchuk
Verified with recent 5.1.31-debug from bzr also.
[10 Dec 2008 17:40] Valeriy Kravchuk
5.1.26 also crashes, so this is not a recent regression.
[10 Dec 2008 17:42] Valeriy Kravchuk
Does not crash on 5.0.67, so this is a regression bug.
[10 Dec 2008 17:47] MySQL Verification Team
Thank you for the bug report. Repeatable on 5.1/6.0 bzr source server and with the older released version 5.1.22. Not repeatable with today's 5.0 source server:

c:\dbs>c:\dbs\5.0\bin\mysql -uroot --port=3500 --prompt="mysql 5.0 > "
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.76-nt-debug-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql 5.0 > use test
Database changed
mysql 5.0 > CREATE TABLE tab0(col0 INTEGER, col1 INTEGER, col2 INTEGER);
Query OK, 0 rows affected (0.16 sec)

mysql 5.0 > INSERT INTO tab0 VALUES(1,17,65);
Query OK, 1 row affected (0.02 sec)

mysql 5.0 > INSERT INTO tab0 VALUES(21,44,76);
Query OK, 1 row affected (0.00 sec)

mysql 5.0 > SELECT CASE AVG ( col0 ) WHEN col1 * col2 THEN 1 END FROM tab0;
+-----------------------------------------------+
| CASE AVG ( col0 ) WHEN col1 * col2 THEN 1 END |
+-----------------------------------------------+
|                                          NULL |
+-----------------------------------------------+
1 row in set (0.08 sec)
[24 Dec 2008 22:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/62315

2739 Gleb Shchepa	2008-12-25
      Bug #41363: crash of mysqld on windows with aggregate in case
      
      Execution of queries containing the CASE function of an
      aggregate function like in "SELECT ... CASE ARGV(...) WHEN ..."
      crashed the server.
      
      The CASE function caches pointers to concrete comparison
      functions for each pair of types of CASE-WHERE clause
      parameters, i.e. for the "CASE INT_RESULT WHERE REAL_RESULT
      THEN ... WHERE DECIMAL_RESULT ... END" function call it
      caches comparisons for INT_RESULT with REAL_RESULT and
      for INT_RESULT with DECIMAL_RESULT. Usually a result
      type is known after a call to the fix_fields function,
      however, the setup_copy_fields function call may
      wrap aggregate items with Item_copy_string that has
      STRING_RESULT result type, so setup_copy_fields may
      change argument result types of the CASE function after
      the call to Item_func_case::fix_fields/fix_length_and_dec.
      Then the Item_func_case::find_item function tries to
      use a comparison function for an unexpected pair of
      STRING_RESULT and some other type - that caused
      an assertion failure or server crash.
      
      The Item_func_case::fix_length_and_dec function has
      been modified to take into account possible STRING_RESULT
      result type in the presence of aggregate arguments of
      the CASE function.
[30 Dec 2008 21:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/62453

2739 Gleb Shchepa	2008-12-31
      Bug #41363: crash of mysqld on windows with aggregate in case
      
      Execution of queries containing the CASE function of an
      aggregate function like in "SELECT ... CASE ARGV(...) WHEN ..."
      crashed the server.
      
      The CASE function caches pointers to concrete comparison
      functions for each pair of types of CASE-WHERE clause
      parameters, i.e. for the "CASE INT_RESULT WHERE REAL_RESULT
      THEN ... WHERE DECIMAL_RESULT ... END" function call it
      caches comparisons for INT_RESULT with REAL_RESULT and
      for INT_RESULT with DECIMAL_RESULT. Usually a result
      type is known after a call to the fix_fields function,
      however, the setup_copy_fields function call may
      wrap aggregate items with Item_copy_string that has
      STRING_RESULT result type, so setup_copy_fields may
      change argument result types of the CASE function after
      the call to Item_func_case::fix_fields/fix_length_and_dec.
      Then the Item_func_case::find_item function tries to
      use a comparison function for an unexpected pair of
      STRING_RESULT and some other type - that caused
      an assertion failure or server crash.
      
      The Item_func_case::fix_length_and_dec function has
      been modified to take into account possible STRING_RESULT
      result type in the presence of aggregate arguments of
      the CASE function.
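To illustrate the mechanism the commit message describes, here is a small C++ model added for this page (not MySQL's code): a CASE item that caches one comparator per comparison type at fix time, then looks the comparator up again at evaluation time after the aggregate operand has been re-typed to STRING_RESULT. The item_cmp_type rule, the has_aggregate_arg flag and the fixed switch are assumptions of the model; the fix is modelled only as far as the commit message states it.

```cpp
#include <cstdlib>
#include <string>
#include <vector>
// Result-type names are the ones used on the page; their order here is this model's own.
enum Result { STRING_RESULT, REAL_RESULT, INT_RESULT, DECIMAL_RESULT, N_RESULT };
typedef bool (*cmp_fn)(const std::string&, const std::string&);
static bool cmp_int(const std::string& a, const std::string& b)  { return std::atoll(a.c_str()) == std::atoll(b.c_str()); }
static bool cmp_real(const std::string& a, const std::string& b) { return std::atof(a.c_str()) == std::atof(b.c_str()); }
static bool cmp_str(const std::string& a, const std::string& b)  { return a == b; }

// Comparison type for a (CASE operand, WHEN operand) pair; that a string on either
// side forces a string comparison is an assumption of this model.
static Result item_cmp_type(Result a, Result b) {
  if (a == STRING_RESULT || b == STRING_RESULT) return STRING_RESULT;
  return a == b ? a : REAL_RESULT;
}

struct CaseModel {
  cmp_fn cmp_items[N_RESULT];      // one cached comparator per comparison type
  std::vector<Result> when_types;  // WHEN operand types recorded at fix time
  // Stands in for Item_func_case::fix_length_and_dec. fixed=false caches only the
  // types visible now (the buggy behaviour); fixed=true also caches a STRING_RESULT
  // comparator when an aggregate argument may later be wrapped in Item_copy_string.
  void fix_length_and_dec(Result first, const std::vector<Result>& whens, bool has_aggregate_arg, bool fixed) {
    for (int i = 0; i < N_RESULT; i++) cmp_items[i] = 0;
    when_types = whens;
    for (size_t i = 0; i < whens.size(); i++) {
      Result t = item_cmp_type(first, whens[i]);
      cmp_items[t] = (t == INT_RESULT) ? cmp_int : (t == STRING_RESULT) ? cmp_str : cmp_real;
    }
    if (fixed && has_aggregate_arg) cmp_items[STRING_RESULT] = cmp_str;
  }
  // Stands in for Item_func_case::find_item: index of the matching WHEN, -1 for no
  // match, -2 where the server hit "Assertion failed: cmp_items[(uint)cmp_type]".
  int find_item(Result first_now, const std::string& first_val, const std::vector<std::string>& when_vals) {
    for (size_t i = 0; i < when_vals.size(); i++) {
      Result t = item_cmp_type(first_now, when_types[i]);
      if (!cmp_items[t]) return -2;   // the comparator was never cached for this pair
      if (cmp_items[t](first_val, when_vals[i])) return (int)i;
    }
    return -1;
  }
};

// The page's query on its data: AVG(col0) = 11 is REAL_RESULT at fix time but reaches
// find_item wrapped as STRING_RESULT, while the WHEN operand col1 * col2 stays INT_RESULT.
static int run_case(bool fixed) {
  CaseModel c;
  c.fix_length_and_dec(REAL_RESULT, std::vector<Result>(1, INT_RESULT), true, fixed);
  return c.find_item(STRING_RESULT, "11", std::vector<std::string>(1, "1105"));  // 17 * 65 for row 1
}
```

With the pre-fix caching the lookup misses (the assertion on the page); with the STRING_RESULT comparator cached the CASE simply finds no matching WHEN, which is the NULL result the 5.0 server printed.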
[15 Jan 2009 6:35] Bugs System
Pushed into 5.1.31 (revid:joro@sun.com-20090115053147-tx1oapthnzgvs1ro) (version source revid:gshchepa@mysql.com-20081231115504-fgml7gt7bzs53qjv) (merge vers: 5.1.31) (pib:6)
[19 Jan 2009 11:30] Bugs System
Pushed into 5.1.31-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090119095303-uwwvxiibtr38djii) (version source revid:tomas.ulin@sun.com-20090115073240-1wanl85vlvw2she1) (merge vers: 5.1.31-ndb-6.2.17) (pib:6)
[19 Jan 2009 13:07] Bugs System
Pushed into 5.1.31-ndb-6.3.21 (revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (version source revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (merge vers: 5.1.31-ndb-6.3.21) (pib:6)
[19 Jan 2009 16:13] Bugs System
Pushed into 5.1.31-ndb-6.4.1 (revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (version source revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (merge vers: 5.1.31-ndb-6.4.1) (pib:6)
[20 Jan 2009 18:59] Bugs System
Pushed into 6.0.10-alpha (revid:joro@sun.com-20090119171328-2hemf2ndc1dxl0et) (version source revid:gshchepa@mysql.com-20081231115801-qgbwd2fy5aib72n1) (merge vers: 6.0.9-alpha) (pib:6)
[29 Jan 2009 4:35] Paul DuBois
Noted in 5.1.31, 6.0.10 changelogs.

Queries such as SELECT ... CASE AVG(...) WHEN ... that used aggregate
functions in a CASE expression crashed the server.