MDEV-26806 Server crash in Charset::charset / Item_func_natural_sort_key::val_str

The reason for crash is that natural_sort_key(release_lock('a')) would
evaluate release_lock() twice, once in Item::is_null() and another time
in Item::val_str(). Second time it returns NULL, since lock was already
released.

Fixed to prevent double evaluation.

mysql-test/main/natural_sort_key.result

@@ -206,3 +206,9 @@ drop table t;
 select natural_sort_key(_utf16 0x0031),natural_sort_key(_ucs2 0x0031), natural_sort_key(_utf32 0x00000031);
 natural_sort_key(_utf16 0x0031)	natural_sort_key(_ucs2 0x0031)	natural_sort_key(_utf32 0x00000031)
 01	01	01
+select get_lock('a', 0);
+get_lock('a', 0)
+1
+select natural_sort_key(release_lock('a'));
+natural_sort_key(release_lock('a'))
+01

mysql-test/main/natural_sort_key.test

@@ -95,3 +95,8 @@ drop table t;
 
 # MDEV-26796 Natural sort does not work for utf32/utf16/ucs2
 select natural_sort_key(_utf16 0x0031),natural_sort_key(_ucs2 0x0031), natural_sort_key(_utf32 0x00000031);
+
+# MDEV-26806 Server crash in Charset::charset / Item_func_natural_sort_key::val_str
+select get_lock('a', 0);
+select natural_sort_key(release_lock('a'));
+

sql/item_strfunc.cc

@@ -5638,13 +5638,13 @@ static NATSORT_ERR to_natsort_key(const String *in, String *out,
 
 String *Item_func_natural_sort_key::val_str(String *out)
 {
-  if (args[0]->is_null())
+  String *in= args[0]->val_str();
+  if (args[0]->null_value || !in)
   {
     null_value= true;
     return nullptr;
   }
   NATSORT_ERR err= NATSORT_ERR::SUCCESS;
-  String *in= args[0]->val_str();
   CHARSET_INFO *cs= in->charset();
   ulong max_allowed_packet= current_thd->variables.max_allowed_packet;
   uint errs;