InnoDB: fulltext search with ` in(...)` crashed on specific combination

From the log :

191112 21:24:03 [ERROR] mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.4.10-MariaDB
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=1
max_threads=65537
thread_count=7
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 136385 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x1c938d5b018
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
mysqld.exe!row_sel_field_store_in_mysql_format_func()[row0sel.cc:2864]
mysqld.exe!row_sel_store_mysql_field()[row0sel.cc:3011]
mysqld.exe!row_search_idx_cond_check()[row0sel.cc:3921]
mysqld.exe!row_search_mvcc()[row0sel.cc:5257]
mysqld.exe!ha_innobase::ft_read()[ha_innodb.cc:10092]
mysqld.exe!FT_SELECT::get_next()[opt_range.h:1719]
mysqld.exe!find_all_keys()[filesort.cc:764]
mysqld.exe!filesort()[filesort.cc:262]
mysqld.exe!create_sort_index()[sql_select.cc:23413]
mysqld.exe!st_join_table::sort_table()[sql_select.cc:21173]
mysqld.exe!join_init_read_record()[sql_select.cc:21108]
mysqld.exe!sub_select()[sql_select.cc:20188]
mysqld.exe!do_select()[sql_select.cc:19729]
mysqld.exe!JOIN::exec_inner()[sql_select.cc:4386]
mysqld.exe!JOIN::exec()[sql_select.cc:4169]
mysqld.exe!mysql_select()[sql_select.cc:4602]
mysqld.exe!handle_select()[sql_select.cc:408]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:6357]
mysqld.exe!mysql_execute_command()[sql_parse.cc:3899]
mysqld.exe!mysql_parse()[sql_parse.cc:7903]
mysqld.exe!dispatch_command()[sql_parse.cc:1844]
mysqld.exe!do_command()[sql_parse.cc:1359]
mysqld.exe!threadpool_process_request()[threadpool_common.cc:366]
mysqld.exe!tp_callback()[threadpool_common.cc:193]
ntdll.dll!RtlInitializeCriticalSection()
ntdll.dll!RtlReleaseSRWLockExclusive()
KERNEL32.DLL!BaseThreadInitThunk()
ntdll.dll!RtlUserThreadStart()

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x1c938d68310): SELECT search_sites.id, search_sites.start_date, company company, name,x,y, city_name ,
CAST( ST_Distance(@hereami, a_point) * 111195 as integer) distance
FROM search_sites2 search_sites WHERE
id in (select st_site from search_sites3 where st_site_visible=1 and st_type in (2546 ))
and city =414
and match(`name`, `description`, `company`, `require`, `address`, `city_name`, `company_orig_name`) against ('טקסט כלשהו בעברית')
ORDER BY distance LIMIT 0 ,10
Connection ID (thread ID): 8
Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
Writing a core file at E:\MySQL\
InnoDB: using atomic writes.

What I tried to do:
create empty table with the same columnts - works
remove the fulltext search - works
remove the where ... in ... - works
remove the city or change the city= to city in (...) - not work
remove some of the fields from the SELECT - not work
remove thr ORDER BY and the computed column for it - not work
tested with a 20 rows - works
30 rows - works
50 rows - crashed
start again - works
touch the table (INSERT, DELETE row, etc) - crashed again

Tested on 10.3 - works

Scheme used for testing:

CREATE TABLE `search_sites2` (
`id` int(11) NOT NULL,
`name` varchar(75) NOT NULL,
`company` varchar(50) NOT NULL DEFAULT ' ',
`description` text DEFAULT NULL,
`require` text DEFAULT NULL,
`has_phone` tinyint(1) NOT NULL,
`has_mail` tinyint(1) NOT NULL,
`mail` varchar(70) NOT NULL,
`home` tinyint(3) unsigned NOT NULL,
`visible` tinyint(1) DEFAULT NULL,
`link` varchar(100) DEFAULT NULL,
`manpower` tinyint(3) unsigned NOT NULL,
`start_date` datetime NOT NULL,
`update_date` datetime NOT NULL,
`require_cv` tinyint(3) unsigned NOT NULL,
`parent` int(11) NOT NULL,
`code` varchar(25) NOT NULL,
`submit_url` varchar(250) NOT NULL,
`x` double NOT NULL,
`y` double NOT NULL,
`address` varchar(90) DEFAULT NULL,
`address_id` int(11) DEFAULT NULL,
`sa_id` int(11) NOT NULL,
`a_point` point NOT NULL,
`city` int(11) DEFAULT NULL,
`city_name` varchar(50) NOT NULL,
`area` int(10) unsigned DEFAULT NULL,
`parent_area` int(10) unsigned DEFAULT NULL,
`company_id` int(11) NOT NULL,
`company_orig_name` varchar(50) DEFAULT NULL,
`logo` int(11) DEFAULT NULL,
`parent_id` int(11) DEFAULT NULL,
`company_personal` tinyint(3) unsigned DEFAULT NULL,
PRIMARY KEY (`sa_id`),
KEY `site_id` (`id`),
SPATIAL KEY `point` (`a_point`),
KEY `city` (`city`),
KEY `update_date` (`update_date`),
KEY `home` (`home`),
KEY `company` (`company_id`),
FULLTEXT KEY `fts` (`name`,`description`,`company`,`require`,`address`,`city_name`,`company_orig_name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

CREATE TABLE `search_sites3` (
`st_id` int(11) NOT NULL DEFAULT 0,
`st_site` int(11) NOT NULL,
`st_type` int(11) NOT NULL,
`st_speciality` int(11) NOT NULL,
`st_site_visible` tinyint(1) NOT NULL DEFAULT 1
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

I can send the table content, but not in public place.