mirror of https://github.com/MariaDB/server.git synced 2025-08-31 22:22:30 +03:00

Fixed bug#17366: Unchecked Item_int results in server crash

When there is a conjunction of conds, substitute_for_best_equal_field()
will call the eliminate_item_equal() function in a loop to build the final
expression. But if eliminate_item_equal() finds that some cond will always
evaluate to 0, then that cond will be substituted by an Item_int with value ==
0. In this case, on the next iteration eliminate_item_equal() will get that
Item_int and treat it as an Item_cond. This leads to memory corruption and a
server crash in the cleanup phase.

A DBUG_ASSERT was added to the eliminate_item_equal() function to check
that all items treated as Item_cond are really Item_cond.
substitute_for_best_equal_field() now checks that if
eliminate_item_equal() returns an Item_int and its value is 0, then this
value is returned as the result of the whole conjunction.
This commit is contained in:
evgen@sunlight.local
2006-03-13 21:11:15 +03:00
parent f47ed62fb0
commit af660df0ef
3 changed files with 22 additions and 0 deletions

@@ -7066,7 +7066,10 @@ static Item *eliminate_item_equal(COND *cond, COND_EQUAL *upper_levels,
if (!cond)
cond= new Item_cond_and(eq_list);
else
{
DBUG_ASSERT(cond->type() == Item::COND_ITEM);
((Item_cond *) cond)->add_at_head(&eq_list);
}
cond->quick_fix_field();
cond->update_used_tables();
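Review bot: the new DBUG_ASSERT(cond->type() == Item::COND_ITEM) only fires in debug builds; in a release build the cast `((Item_cond *) cond)->add_at_head(&eq_list);` on the next line still runs unchecked against whatever was passed in, so this hunk documents the precondition rather than enforcing it, and the real protection has to come from the caller. Consider stating that precondition in a comment above the function (eliminate_item_equal() must never be handed the Item_int 0 it produced earlier) so that future callers other than substitute_for_best_equal_field() do not reintroduce the crash.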
@@ -7151,6 +7154,11 @@ static COND* substitute_for_best_equal_field(COND *cond,
while ((item_equal= it++))
{
cond= eliminate_item_equal(cond, cond_equal->upper_levels, item_equal);
// This occurs when eliminate_item_equal() founds that cond is
// always false and substitues it with Item_int 0.
// Due to this, value of item_equal will be 0, so just return it.
if (cond->type() != Item::ITEM_COND)
break;
}
}
}
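Review bot: the break condition `if (cond->type() != Item::ITEM_COND)` uses a different enumerator spelling than the assert in the previous hunk, which compares against `Item::COND_ITEM`; both sites must use the same Item::Type value, so check that this compiles and make them consistent. The check also tests only the item type, not the "Item_int with value 0" described in the commit message and the comment, so any non-cond result would end the loop; either narrow the condition to the documented case or reword the comment to say the loop stops on any non-Item_cond result. The comment text itself needs fixing as well: "founds" should be "finds", "substitues" should be "substitutes", and it is cond, not item_equal, whose value becomes 0 and is returned.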