Bug#20755389 SERVER CRASHES IN ITEM_FUNC_GROUP_CONCAT::FIX_FIELDS ON

               2ND EXECUTION OF PS

Description:
------------
When MySQL calls 'EXECUTE stmt' firstly to deal with ORDER BY clause which is
similar with 'ORDER BY 1,(t2a.f2+1)' in find_order_in_list(), it believes the
first expression is a position, the function replaces the pointer of the first
expression with Item_field object associated with a temporary table field,
then releases it after the end of the execution, that behavior destroys the
pointer of first expression.

After that, when MySQL calls 'EXECUTE stmt' once more, the first expression
points to an invalid pointer, so it crashed.

Fix:
----
If an item of ORDER clause is a location, reset 'args' with a original value.

sql/item_sum.cc

@@ -3184,7 +3184,9 @@ void Item_func_group_concat::cleanup()
   ORDER **order_ptr= order;
   for (uint i= 0; i < arg_count_order; i++)
   {
-    (*order_ptr)->item= &args[arg_count_field + i];
+
+    if ((*order_ptr)->counter_used)
+      args[arg_count_field + i]= (*order_ptr)->item_ptr;
     order_ptr++;
   }
   DBUG_VOID_RETURN;