--- a/ChangeLog	Thu Jan 05 22:08:15 2017 +0900
+++ b/ChangeLog	Sat Jan 07 11:57:22 2017 +0900
@@ -1,3 +1,7 @@
+2017-01-07  Yasumasa Suenaga <yasuenag@gmail.com>
+
+	* Bug 3279: Fix not to reference freed TChildCounter when SnapShot merges
+
 2017-01-05  Yasumasa Suenaga <yasuenag@gmail.com>
 
 	* Bug 3265: Many WARN and CRIT messages are shown when DumpRequest is sent

--- a/agent/src/heapstats-engines/snapShotContainer.cpp	Thu Jan 05 22:08:15 2017 +0900
+++ b/agent/src/heapstats-engines/snapShotContainer.cpp	Sat Jan 07 11:57:22 2017 +0900
@@ -1,7 +1,7 @@
 /*!
  * \file snapshotContainer.cpp
  * \brief This file is used to add up using size every class.
- * Copyright (C) 2011-2015 Nippon Telegraph and Telephone Corporation
+ * Copyright (C) 2011-2017 Nippon Telegraph and Telephone Corporation
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -477,15 +477,19 @@
            * reference to it from child object data.
            */
           if (objData->isRemoved) {
+            TChildClassCounter *nextCounter = counter->next;
+
             if (prevCounter == NULL) {
-              srcClsCounter->child = counter->next;
+              srcClsCounter->child = nextCounter;
             } else {
-              prevCounter->next = counter->next;
+              prevCounter->next = nextCounter;
             }
 
             /* Deallocate TChildClassCounter. */
             free(counter->counter);
             free(counter);
+
+            counter = nextCounter;
           } else {
             /* Search child class. */
             TChildClassCounter *childClsData =
@@ -502,9 +506,8 @@
             }
 
             prevCounter = counter;
+            counter = counter->next;
           }
-
-          counter = counter->next;
         }
       }
     }