Description:
One of our instances on production environment was crashed while executing a SELECT statement with subquery. This happened only once and hard to reproduce. i've searched bug system and change logs after 5.6.16 but can't find anything related.   So i decide to file a bug here. 

backtrace:

 1 pthread_kill(libpthread.so.0),handle_fatal_signal(signal_handler.cc:258),<signal(signal_handler.cc:258),Item_func::fix_fields(item_func.cc:203),Item_cond::fix_fields(item_cmpfunc.cc:4853),setup_conds(sql_base.cc:8776),setup_without_group(sql_resolver.cc:952),JOIN::prepare(sql_resolver.cc:952),subselect_single_select_engine::prepare(item_subselect.cc:2630),Item_subselect::fix_fields(item_subselect.cc:380),Item_func::fix_fields(item_func.cc:203),Item_cond::fix_fields(item_cmpfunc.cc:4853),setup_conds(sql_base.cc:8776),setup_without_group(sql_resolver.cc:952),JOIN::prepare(sql_resolver.cc:952),mysql_prepare_select(sql_select.cc:1054),mysql_select(sql_select.cc:1054),handle_select(sql_select.cc:110),execute_sqlcom_select(sql_parse.cc:5406),mysql_execute_command(sql_parse.cc:2865),sp_instr_stmt::exec_core(sp_instr.cc:906),sp_lex_instr::reset_lex_and_exec_core(sp_instr.cc:395),sp_lex_instr::validate_lex_and_execute_core(sp_instr.cc:631),sp_instr_stmt::execute(sp_instr.cc:811),sp_head::execute(sp_head.cc:645),sp_head::execute_procedure(sp_head.cc:1315),mysql_execute_command(sql_parse.cc:4850),mysql_parse(sql_parse.cc:6598),dispatch_command(sql_parse.cc:1428),do_handle_one_connection(sql_connect.cc:1000),handle_one_connection(sql_connect.cc:916),start_thread(libpthread.so.0),clone(libc.so.6)

31 0x0000003987a07851 in start_thread () from /lib64/libpthread.so.0
#32 0x00000039876e767d in clone () from /lib64/libc.so.6
(gdb) f 3
#3  0x00000000005ede4c in Item_func::fix_fields (this=0x2ab85966d460, thd=0x2ab85968d000, ref=<value optimized out>)
    at /home/ads/build23_6u0_x64/workspace/t-mysql-rds-5616/label/build23_6u0_x64/origin/sql/item_func.cc:203
203	/home/ads/build23_6u0_x64/workspace/t-mysql-rds-5616/label/build23_6u0_x64/origin/sql/item_func.cc: No such file or directory.
	in /home/ads/build23_6u0_x64/workspace/t-mysql-rds-5616/label/build23_6u0_x64/origin/sql/item_func.cc
(gdb) p *arg
$1 = (Item *) 0x2ab85e87dcf0
(gdb) p **arg
$2 = {_vptr.Item = 0x0, is_expensive_cache = 0 '\000', rsize = 0, str_value = {Ptr = 0x0, str_length = 0, Alloced_length = 0, alloced = false, str_charset = 0x0},
  item_name = {<Name_string> = {<Simple_cstring> = {m_str = 0x0, m_length = 0}, <No data fields>}, m_is_autogenerated = false}, orig_name = {<Name_string> = {<Simple_cstring> = {m_str = 0x0,
        m_length = 0}, <No data fields>}, m_is_autogenerated = false}, next = 0x0, max_length = 0, marker = 0, decimals = 0 '\000', maybe_null = 0 '\000', null_value = 0 '\000',
  unsigned_flag = 0 '\000', with_sum_func = 0 '\000', fixed = 0 '\000', collation = {collation = 0x0, derivation = DERIVATION_EXPLICIT, repertoire = 0}, cmp_context = STRING_RESULT,
  with_subselect = 0 '\000', with_stored_program = 0 '\000', tables_locked_cache = false}
(gdb) f 18
#18 0x00000000006d522d in execute_sqlcom_select (thd=0x2ab85968d000, all_tables=<value optimized out>)
    at /home/ads/build23_6u0_x64/workspace/t-mysql-rds-5616/label/build23_6u0_x64/origin/sql/sql_parse.cc:5406
5406	/home/ads/build23_6u0_x64/workspace/t-mysql-rds-5616/label/build23_6u0_x64/origin/sql/sql_parse.cc: No such file or directory.
	in /home/ads/build23_6u0_x64/workspace/t-mysql-rds-5616/label/build23_6u0_x64/origin/sql/sql_parse.cc
(gdb) set print element 0
(gdb)p thd->query_string
$3 = {string = {
    str = 0x2ab85e87c010 "select a.id,a.title,a.msg,a.pindex,a.kindid,a.classid from kmb01 a where 6 > (select count(*) from kmb01 where classid = a.classid and pindex < a.pindex  and classid in(select id from view_selecttopclassbypid)) and a.classid in (select id from view_selecttopclassbypid) order by a.classid,a.pindex", length = 297}, cs = 0x134c760}

How to repeat:
Hard to reproduce

Suggested fix:
I don't know.. I am not familiar with this area..

(gdb) bt
#0  0x0000003987a0c69c in pthread_kill () from /lib64/libpthread.so.0
#1  0x0000000000655b52 in handle_fatal_signal (sig=11) at origin/sql/signal_handler.cc:258
#2  <signal handler called>
#3  0x00000000005ede4c in Item_func::fix_fields (this=0x2ab85966d460, thd=0x2ab85968d000, ref=<value optimized out>)
    at origin/sql/item_func.cc:203
#4  0x00000000005c587a in Item_cond::fix_fields (this=0x2ab85e87c430, thd=0x2ab85968d000, ref=<value optimized out>)
    at origin/sql/item_cmpfunc.cc:4853
#5  0x0000000000685eff in setup_conds (thd=0x2ab85968d000, tables=<value optimized out>, leaves=0x2ab85e880d10, conds=0x2ab85e87cf58)
    at origin/sql/sql_base.cc:8776
#6  0x00000000006f72ac in setup_without_group (this=0x2ab85e87cc18, tables_init=<value optimized out>, wild_num=<value optimized out>, conds_init=<value optimized out>, og_num=<value optimized out>,
    order_init=<value optimized out>, group_init=0x0, having_init=0x0, select_lex_arg=0x2ab85e914b90, unit_arg=0x2ab85e880580)
    at origin/sql/sql_resolver.cc:952
#7  JOIN::prepare (this=0x2ab85e87cc18, tables_init=<value optimized out>, wild_num=<value optimized out>, conds_init=<value optimized out>, og_num=<value optimized out>,
    order_init=<value optimized out>, group_init=0x0, having_init=0x0, select_lex_arg=0x2ab85e914b90, unit_arg=0x2ab85e880580)
    at origin/sql/sql_resolver.cc:173
#8  0x00000000007da723 in subselect_single_select_engine::prepare (this=0x2ab85e903f90) at origin/sql/item_subselect.cc:2630
#9  0x00000000007daebd in Item_subselect::fix_fields (this=0x2ab85e903e70, thd=0x2ab85968d000, ref=0x2ab85e904070)
    at origin/sql/item_subselect.cc:380
#10 0x00000000005ede4f in Item_func::fix_fields (this=0x2ab85e903fc8, thd=0x2ab85968d000, ref=<value optimized out>)
    at origin/sql/item_func.cc:203
#11 0x00000000005c587a in Item_cond::fix_fields (this=0x2ab85e87c5a8, thd=0x2ab85968d000, ref=<value optimized out>)
    at origin/sql/item_cmpfunc.cc:4853
#12 0x0000000000685eff in setup_conds (thd=0x2ab85968d000, tables=<value optimized out>, leaves=0x2ab85e880010, conds=0x2ab85e87cb18)
    at origin/sql/sql_base.cc:8776
#13 0x00000000006f72ac in setup_without_group (this=0x2ab85e87c7d8, tables_init=<value optimized out>, wild_num=<value optimized out>, conds_init=<value optimized out>, og_num=<value optimized out>,
    order_init=<value optimized out>, group_init=0x0, having_init=0x0, select_lex_arg=0x2ab85e913858, unit_arg=0x2ab85e913200)
    at origin/sql/sql_resolver.cc:952
#14 JOIN::prepare (this=0x2ab85e87c7d8, tables_init=<value optimized out>, wild_num=<value optimized out>, conds_init=<value optimized out>, og_num=<value optimized out>,
    order_init=<value optimized out>, group_init=0x0, having_init=0x0, select_lex_arg=0x2ab85e913858, unit_arg=0x2ab85e913200)
    at origin/sql/sql_resolver.cc:173
#15 0x00000000006ff123 in mysql_prepare_select (thd=0x2ab85968d000, tables=0x2ab85e880010, wild_num=0, fields=<value optimized out>, conds=<value optimized out>, order=<value optimized out>,
    group=0x2ab85e913958, having=0x0, select_options=2147749632, result=0x2ab85e87c7b0, unit=0x2ab85e913200, select_lex=0x2ab85e913858)
    at origin/sql/sql_select.cc:1054
#16 mysql_select (thd=0x2ab85968d000, tables=0x2ab85e880010, wild_num=0, fields=<value optimized out>, conds=<value optimized out>, order=<value optimized out>, group=0x2ab85e913958, having=0x0,
    select_options=2147749632, result=0x2ab85e87c7b0, unit=0x2ab85e913200, select_lex=0x2ab85e913858)
    at origin/sql/sql_select.cc:1177
#17 0x00000000006ff2af in handle_select (thd=0x2ab85968d000, result=0x2ab85e87c7b0, setup_tables_done_option=0)
    at origin/sql/sql_select.cc:110
#18 0x00000000006d522d in execute_sqlcom_select (thd=0x2ab85968d000, all_tables=<value optimized out>)
    at origin/sql/sql_parse.cc:5406
#19 0x00000000006dbc5d in mysql_execute_command (thd=0x2ab85968d000) at origin/sql/sql_parse.cc:2865
#20 0x000000000081b4fb in sp_instr_stmt::exec_core (this=0x2ab85e8e94c0, thd=0x2ab85968d000, nextp=0x2ab85e07f5e8)
    at origin/sql/sp_instr.cc:906
#21 0x000000000081b7c0 in sp_lex_instr::reset_lex_and_exec_core (this=0x2ab85e8e94c0, thd=0x2ab85968d000, nextp=0x2ab85e07f5e8, open_tables=false)
    at origin/sql/sp_instr.cc:395
#22 0x000000000081d0cc in sp_lex_instr::validate_lex_and_execute_core (this=0x2ab85e8e94c0, thd=0x2ab85968d000, nextp=0x2ab85e07f5e8, open_tables=false)
    at origin/sql/sp_instr.cc:631
---Type <return> to continue, or q <return> to quit---
#23 0x000000000081da50 in sp_instr_stmt::execute (this=0x2ab85e8e94c0, thd=0x2ab85968d000, nextp=0x2ab85e07f5e8)
    at origin/sql/sp_instr.cc:811
#24 0x000000000065bfa6 in sp_head::execute (this=0x2ab85e906010, thd=0x2ab85968d000, merge_da_on_success=true)
    at origin/sql/sp_head.cc:645
#25 0x000000000065e40c in sp_head::execute_procedure (this=0x2ab85e906010, thd=<value optimized out>, args=0x2ab85968fe00)
    at origin/sql/sp_head.cc:1315
#26 0x00000000006df313 in mysql_execute_command (thd=0x2ab85968d000) at origin/sql/sql_parse.cc:4850
#27 0x00000000006dfed7 in mysql_parse (thd=0x2ab85968d000, rawbuf=<value optimized out>, length=<value optimized out>, parser_state=<value optimized out>)
    at origin/sql/sql_parse.cc:6598
#28 0x00000000006e2ad1 in dispatch_command (command=<value optimized out>, thd=0x2ab85968d000, packet=0x2ab80000001b <Address 0x2ab80000001b out of bounds>, packet_length=27)
    at origin/sql/sql_parse.cc:1428
#29 0x00000000006a901d in do_handle_one_connection (thd_arg=<value optimized out>) at origin/sql/sql_connect.cc:1000
#30 0x00000000006a9152 in handle_one_connection (arg=0x2ab859e9a000) at origin/sql/sql_connect.cc:916
#31 0x0000003987a07851 in start_thread () from /lib64/libpthread.so.0
#32 0x00000039876e767d in clone () from /lib64/libc.so.6

Probably a duplicate of my internal
Bug 19897405 - CRASH WHILE ACCESSING VIEWS IN STORED ROUTINE AND TABLES ARE FLUSHED

Please check again on current version,  I filed the same bug internally before, should be fixed by now.

Shane,
Thank you very much !!! 
I'll port the related changes to our internal branch.