Hello I post a code that illustrate something I don't understand.
See explanations bellow.

class A
{
public:
A(){ ptr[0] = (char **) calloc(100, sizeof(char*)); } // reserve 100 slots

~A(){
printf("destructor\n");
for ( int idx = 0; idx < 100; ++idx )
printf("ptr[0][%d] = %x\n", idx, ptr[0][idx] );
ptr[0][0] = 0;
ptr[0][1] = 0;
for ( int idx = 0; idx < 100; ++idx )
printf("ptr[0][%d] = %x\n", idx, ptr[0][idx] );
free( ptr[0] ); // core dump !
}

char empty[300];
char** ptr[10];
int empty2[320];
};

int main() {

char * string1 = (char *) malloc( 6 * sizeof(char) );
char * string2 = (char *) malloc( 6 * sizeof(char) );

{
A a;

// some string
memcpy ( string1, "Hello", 6 );
memcpy ( string2, "World", 6 );
a.ptr[0][0]= &string1[3];
a.ptr[0][1]= &string2[1];

printf("<%s>\n", a.ptr[0][0] );
printf("<%s>\n", a.ptr[0][1] );

// here we overlap string1, but volontary over sized too
memcpy(a.ptr[0][0], "tes laitues sechent-elles ?", 28 );

printf("<%s>\n", string1 );
printf("<%s>\n", a.ptr[0][0] );

} // here core dump after destructor call

// free(string1);
// free(string2);

// exit(0);
}

A memory overdump is generated here :
memcpy(a.ptr[0][0], "tes laitues sechent-elles ?", 28 );
If this line is commented out the program runs well.

As you can see in the destructor, pointers ptr[0][0] and ptr[0][1] are forced to zero. So I would like to understand why the program crash on the free() in the destructor ! It's like if it's trying to free the ressource of string1 that can't be adressed anymore.
This is the backtrack :
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7d19770 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7d1aef3 in abort () from /lib/tls/i686/cmov/libc.so.6
#3 0xb7d4ed0b in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#4 0xb7d568bd in mallopt () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7d56a44 in free () from /lib/tls/i686/cmov/libc.so.6
#6 0x080489c0 in ~A (this=0xbfa020e8) at test2.cpp:21
#7 0x08048878 in main () at test2.cpp:52

Thank you.
-Sebastien.F