A plugin system variable with the following definition can cause a double free:
The relevant points are the PLUGIN_VAR_MEMALLOC flag combined with the default update function (no plugin-supplied update callback).
With this pattern, the following SQL causes a double free:
When a variable uses PLUGIN_VAR_MEMALLOC and the default update function, the following code in sql/sql_plugin.cc is used:
If value is NULL, tgt still refers to the freed memory. That memory is then freed again in sql/sql_plugin.cc:plugin_vars_free_values(), which causes the double free.
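To make the sequence concrete, here is an added C example; it is not the code from sql/sql_plugin.cc or from mroonga. It models the two shapes of a MEMALLOC string update (the buggy one that leaves tgt dangling when the new value is NULL, and the fixed one that stores NULL) next to a stand-in for the unload-time cleanup. The PLUGIN_VAR_MEMALLOC value, the stripped-down sys_var struct, the function names, and the assign-then-NULL-then-unload sequence are assumptions made for the illustration. A tracking release is used instead of free() so the second release of the same buffer is counted rather than aborting the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed flag value and a stripped-down variable descriptor; the real
 * st_mysql_sys_var and PLUGIN_VAR_MEMALLOC value are not reproduced here. */
#define PLUGIN_VAR_MEMALLOC 0x8000
struct sys_var { int flags; };

/* Tracking release: remembers every pointer handed to it and counts repeat
 * releases.  Memory is deliberately not returned to the allocator so that an
 * address is never reused and a second release is unambiguous; a real double
 * free would abort under glibc, which is what this stand-in avoids. */
#define MAX_TRACKED 64
static void *freed_ptrs[MAX_TRACKED];
static int   freed_counts[MAX_TRACKED];
static int   freed_n;

/* Returns how many times `p` has now been released (0 for NULL). */
static int tracked_free(void *p)
{
    if (!p)
        return 0;
    for (int i = 0; i < freed_n; i++)
        if (freed_ptrs[i] == p)
            return ++freed_counts[i];        /* 2 or more: double free */
    if (freed_n < MAX_TRACKED) {
        freed_ptrs[freed_n] = p;
        freed_counts[freed_n] = 1;
        freed_n++;
    }
    return 1;
}

/* Heap copy of a C string (stands in for the server's string duplication). */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Buggy shape of a MEMALLOC string update: the old buffer is released, but
 * when the new value is NULL nothing overwrites *tgt, so it keeps pointing
 * at the released buffer. */
static void update_str_buggy(struct sys_var *var, char **tgt, const char *value)
{
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        char *old = *tgt;
        if (value)
            *tgt = dup_str(value);
        tracked_free(old);
    } else {
        *tgt = (char *) value;
    }
}

/* Fixed shape: NULL is stored explicitly, so the cleanup path sees NULL. */
static void update_str_fixed(struct sys_var *var, char **tgt, const char *value)
{
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        char *old = *tgt;
        *tgt = value ? dup_str(value) : NULL;
        tracked_free(old);
    } else {
        *tgt = (char *) value;
    }
}

/* Stand-in for the plugin-unload cleanup that releases MEMALLOC values. */
static int free_values(struct sys_var *var, char **tgt)
{
    int n = 0;
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        n = tracked_free(*tgt);
        *tgt = NULL;
    }
    return n;
}

/* Assigns a string, then NULL, then runs cleanup.  Returns how many times the
 * final release hit the same buffer: 2 means double free, 0 means there was
 * nothing left to free. */
static int scenario(void (*update)(struct sys_var *, char **, const char *))
{
    struct sys_var var = { PLUGIN_VAR_MEMALLOC };
    char *value = NULL;
    update(&var, &value, "first");   /* SET var = 'first' */
    update(&var, &value, NULL);      /* SET var = NULL */
    return free_values(&var, &value);
}

int main(void)
{
    printf("buggy update: final free count = %d\n", scenario(update_str_buggy));
    printf("fixed update: final free count = %d\n", scenario(update_str_fixed));
    return 0;
}
```

The fix is the same in both the model and the real code path: whichever branch releases the old buffer must also overwrite the target pointer, so that the later cleanup either frees a fresh copy or sees NULL.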
This pattern is not used by all of the bundled storage engines. It is used in the mroonga storage engine: https://github.com/mroonga/mroonga/blob/3156280442792c1446175044ba666428690b9c55/ha_mroonga.cpp#L699
(I'm a mroonga storage engine developer.)
I will attach a patch to fix the problem.