Crash server using ROW_NUMBER()

The following query crashes mariadb. This query is just part of procedure. If I execute this procedure twice, it doesn't have any problem. But on the 3rd time, the server crashed.
And if I execute the query directly, it doesn't have any problem. We encountered this on 10.2.18. We think the problem is ROW_NUMBER() function. Because if I execute LIMIT instead of ROW_NUMBER(), it works fine.

SELECT * FROM (
SELECT *, ROW_NUMBER() OVER (ORDER BY USE_TF DESC, ALLODEDU_CD ASC
) AS ROWNUMBER
.......)
WHERE ROWNUMBER BETWEEN $V_SROW AND $V_EROW
ORDER BY T2.ROWNUMBER;

The next thing is the part of log about error when DB crashed.

*************************************************************************************************
190419 16:08:20 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.2.18-MariaDB-log
key_buffer_size=134217728
read_buffer_size=1048576
max_used_connections=8
max_threads=501
thread_count=32
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 1167828 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f4a40428008
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f4af64cbc68 thread_stack 0x49000

• • • buffer overflow detected ***: /usr/sbin/mysqld terminated
      ======= Backtrace: =========
      /lib64/libc.so.6(__fortify_fail+0x37)[0x7f4b07271d87]
      /lib64/libc.so.6(+0x10df40)[0x7f4b0726ff40]
      /lib64/libc.so.6(+0x10fcf7)[0x7f4b07271cf7]
      /usr/sbin/mysqld(my_addr_resolve+0xda)[0x55c386a1076a]
      /usr/sbin/mysqld(my_print_stacktrace+0x1c2)[0x55c3869f9e32]
      /usr/sbin/mysqld(handle_fatal_signal+0x355)[0x55c38647ec95]
      /lib64/libpthread.so.0(+0xf5e0)[0x7f4b08c8a5e0]
      /usr/sbin/mysqld(_Z20find_field_in_tablesP3THDP10Item_identP10TABLE_LISTS4_PP4Item27find_item_error_report_typebb+0x5d8)[0x55c3862a5228]
      /usr/sbin/mysqld(+0x508c38)[0x55c386313c38]
      /usr/sbin/mysqld(_Z11setup_orderP3THD20Bounds_checked_arrayIP4ItemEP10TABLE_LISTR4ListIS2_ES9_P8st_orderb+0xee)[0x55c38632cc2e]
      /usr/sbin/mysqld(_Z13setup_windowsP3THD20Bounds_checked_arrayIP4ItemEP10TABLE_LISTR4ListIS2_ES9_RS7_I11Window_specERS7_I16Item_window_funcE+0x1e5)[0x55c386406ae5]
      /usr/sbin/mysqld(_ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit+0x857)[0x55c38632f1e7]
      /usr/sbin/mysqld(_ZN18st_select_lex_unit7prepareEP3THDP13select_resultm+0xa54)[0x55c38637f654]
      /usr/sbin/mysqld(_Z21mysql_derived_prepareP3THDP3LEXP10TABLE_LIST+0x271)[0x55c3862c4171]
      /usr/sbin/mysqld(_Z27mysql_handle_single_derivedP3LEXP10TABLE_LISTj+0xe4)[0x55c3862c4ed4]
      /usr/sbin/mysqld(_ZN13st_select_lex14handle_derivedEP3LEXj+0x47)[0x55c3862dafe7]
      /usr/sbin/mysqld(_ZN4JOIN7prepareEP10TABLE_LISTjP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit+0xc5)[0x55c38632ea55]
      /usr/sbin/mysqld(_Z12mysql_selectP3THDP10TABLE_LISTjR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x90c)[0x55c38633dffc]
      /usr/sbin/mysqld(_Z13handle_selectP3THDP3LEXP13select_resultm+0x254)[0x55c38633e364]
      /usr/sbin/mysqld(+0x4151d2)[0x55c3862201d2]
      /usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x1b71)[0x55c3862e6c21]
      /usr/sbin/mysqld(_ZN13sp_instr_stmt9exec_coreEP3THDPj+0x36)[0x55c3865a7856]
      /usr/sbin/mysqld(_ZN13sp_lex_keeper23reset_lex_and_exec_coreEP3THDPjbP8sp_instr+0x99)[0x55c3865ad9e9]
      /usr/sbin/mysqld(_ZN13sp_instr_stmt7executeEP3THDPj+0x205)[0x55c3865adfd5]
      /usr/sbin/mysqld(_ZN7sp_head7executeEP3THDb+0x7a0)[0x55c3865aa810]
      /usr/sbin/mysqld(_ZN7sp_head17execute_procedureEP3THDP4ListI4ItemE+0x5ef)[0x55c3865abf9f]
      /usr/sbin/mysqld(_Z21mysql_execute_commandP3THD+0x6a03)[0x55c3862ebab3]
      /usr/sbin/mysqld(_Z11mysql_parseP3THDPcjP12Parser_statebb+0x2de)[0x55c3862eeb9e]
      /usr/sbin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcjbb+0x29a6)[0x55c3862f27f6]
      /usr/sbin/mysqld(_Z10do_commandP3THD+0x165)[0x55c3862f3505]
      /usr/sbin/mysqld(_Z11tp_callbackP13TP_connection+0xbf)[0x55c3863f72bf]
      /usr/sbin/mysqld(+0x64d1e8)[0x55c3864581e8]
      /lib64/libpthread.so.0(+0x7e25)[0x7f4b08c82e25]
      /lib64/libc.so.6(clone+0x6d)[0x7f4b0725a34d]
      ======= Memory map: ========
      55c385e0b000-55c386f2f000 r-xp 00000000 fd:00 134347243 /usr/sbin/mysqld
      55c38712f000-55c387208000 r--p 01124000 fd:00 134347243 /usr/sbin/mysqld
      55c387208000-55c3872bf000 rw-p 011fd000 fd:00 134347243 /usr/sbin/mysqld
      55c3872bf000-55c387b53000 rw-p 00000000 00:00 0
      7f4a34fff000-7f4a35000000 ---p 00000000 00:00 0
      7f4a35000000-7f4a36c00000 rw-p 00000000 00:00 0
      7f4a36ff3000-7f4a36ff4000 ---p 00000000 00:00 0
      7f4a36ff4000-7f4a377f4000 rw-p 00000000 00:00 0
      7f4a377f4000-7f4a377f5000 ---p 00000000 00:00 0
      7f4a377f5000-7f4a37ff5000 rw-p 00000000 00:00 0
      7f4a37ff5000-7f4a37ff6000 ---p 00000000 00:00 0
      7f4a37ff6000-7f4a387f6000 rw-p 00000000 00:00 0
      7f4a387f6000-7f4a387f7000 ---p 00000000 00:00 0
      7f4a387f7000-7f4a38ff7000 rw-p 00000000 00:00 0
      7f4a38ff7000-7f4a38ff8000 ---p 00000000 00:00 0
      7f4a38ff8000-7f4a397f8000 rw-p 00000000 00:00 0
      7f4a397f8000-7f4a397f9000 ---p 00000000 00:00 0
      7f4a397f9000-7f4a39ff9000 rw-p 00000000 00:00 0
      7f4a39ff9000-7f4a39ffa000 ---p 00000000 00:00 0
      7f4a39ffa000-7f4a3a7fa000 rw-p 00000000 00:00 0
      7f4a3a7fa000-7f4a3a7fb000 ---p 00000000 00:00 0
      7f4a3a7fb000-7f4a3affb000 rw-p 00000000 00:00 0
      7f4a3affb000-7f4a3affc000 ---p 00000000 00:00 0
      7f4a3affc000-7f4a3b7fc000 rw-p 00000000 00:00 0
      7f4a3b7fc000-7f4a3b7fd000 ---p 00000000 00:00 0
      7f4a3b7fd000-7f4a3bffd000 rw-p 00000000 00:00 0
      7f4a3bffd000-7f4a3bffe000 ---p 00000000 00:00 0
      7f4a3bffe000-7f4a3c7fe000 rw-p 00000000 00:00 0
      7f4a3c7fe000-7f4a3c7ff000 ---p 00000000 00:00 0
      7f4a3c7ff000-7f4a3cfff000 rw-p 00000000 00:00 0
      7f4a3cfff000-7f4a3d000000 ---p 00000000 00:00 0
      7f4a3d000000-7f4a3ec00000 rw-p 00000000 00:00 0
      7f4a3efff000-7f4a3f000000 ---p 00000000 00:00 0
      7f4a3f000000-7f4a40c00000 rw-p 00000000 00:00 0
      7f4a40ff2000-7f4a40ff3000 ---p 00000000 00:00 0
      7f4a40ff3000-7f4a417f3000 rw-p 00000000 00:00 0
      7f4a41bf3000-7f4a41bf4000 ---p 00000000 00:00 0
      7f4a41bf4000-7f4a423f4000 rw-p 00000000 00:00 0
      7f4a423f4000-7f4a423f5000 ---p 00000000 00:00 0
      7f4a423f5000-7f4a42bf5000 rw-p 00000000 00:00 0
      7f4a42bf5000-7f4a42bf6000 ---p 00000000 00:00 0
      7f4a42bf6000-7f4a433f6000 rw-p 00000000 00:00 0
      7f4a433f6000-7f4a433f7000 ---p 00000000 00:00 0
      7f4a433f7000-7f4a43bf7000 rw-p 00000000 00:00 0
      7f4a43bf7000-7f4a43bf8000 ---p 00000000 00:00 0
      7f4a43bf8000-7f4a443f8000 rw-p 00000000 00:00 0
      7f4a443f8000-7f4a443f9000 ---p 00000000 00:00 0
      7f4a443f9000-7f4a44bf9000 rw-p 00000000 00:00 0
      7f4a44bf9000-7f4a44bfa000 ---p 00000000 00:00 0
      7f4a44bfa000-7f4a453fa000 rw-p 00000000 00:00 0
      7f4a453fa000-7f4a453fb000 ---p 00000000 00:00 0
      .
      .
      .
      *******************************************************************************************

Is this result caused by MariaDB bug?

Or Is there any solution for this result?