When the TcpTransportFactory::pingServers method is executed, we iterate the servers vector and do:
1. borrow object
2. ping
3. return object

When the ping gets new server list, this immediately updates the iterated collection. Not only that the iterator can be broken with non-robust implementations, but as the collection is cleared, the inet address is deallocated and then the return object gets some rubbish.

ConnectionPool::removeObject method (and the other method accessing busy and idle maps) is not very safe for bad wrong input - on the maps it uses operator[] which always returns NULL for unknown keys. I recommend changing this to find method and checking the iterator before use.

Next problem is that when the new topology does not contain the address we are connecting to (such as when we're using DNS name and servers respond with IP address list), the ConnectionPool::idle[address] is removed and when trying to return the object we get another SIGSEGV.