I've had another look at this. Here's what I think is going on. The relevant output is:

    Event use_after_free: Using freed pointer "(ins)->next"
    Also see events: [alias][freed_arg]

    493     for (ins = unit->instructions; ins; ins = ins->next) {

    Event alias: aliasing "(ins)->next" with "ins2"
    Also see events: [freed_arg][use_after_free]

    512     for (ins2 = ins->next; ins2; ins2 = ins2->next) {

    Event freed_arg: Pointer "ins2" freed by function "subst_ins" [model]
    Also see events: [alias][use_after_free]

    536     subst_ins(unit, ins2, tmp, 1);

The key here is the "model." While Coverity's model captures the C<free> quite correctly, I don't think it recognizes the pointer update in the double linked list, which is done in C<subst_ins>, as important. Coverity probably sees something like the following in the inspected code:

    Instruction *ins, *ins2;

    for (ins = unit->instructions; ins; ins = ins->next) {
        ins2 = ins->next;
        free(ins2);
    }

So, it's a false positive.

Ron
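
The following is an added example, not part of the original message and not the project's code. It runs the flagged loop shape once with the neighbour relinking and once without it (the view the message attributes to the checker's model). Assumptions: `replace_ins` is a hypothetical stand-in for `subst_ins`, whose body is not shown on the page; the `ins2 = tmp` step is assumed; and the free is simulated with a `dead` flag so the stale-link check stays well-defined.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the page's Instruction list and subst_ins(). */
typedef struct Ins { struct Ins *prev, *next, *all; int op, dead; } Ins;
static Ins *all_nodes;  /* every allocation, so "freed" nodes stay inspectable */

static Ins *new_ins(int op) {
    Ins *i = calloc(1, sizeof *i);
    if (!i) abort();
    i->op = op; i->all = all_nodes; all_nodes = i;
    return i;
}

/* Put repl in old's slot and retire old. relink=0 mimics a model that
 * records only the free and ignores the neighbour updates. */
static void replace_ins(Ins **head, Ins *old, Ins *repl, int relink) {
    repl->prev = old->prev;
    repl->next = old->next;
    if (relink) {
        if (old->prev) old->prev->next = repl; else *head = repl;
        if (old->next) old->next->prev = repl;
    }
    old->dead = 1;  /* stands in for free(old); real release happens at the end */
}

/* Flagged loop shape on a constructed list 1,2,3,4. Returns 1 if the outer
 * loop is about to follow a link to a retired node, else 0; ops[] gets the
 * opcodes the outer loop visited. */
int run_loops(int relink, int ops[4]) {
    Ins *head = NULL, *tail = NULL, *ins, *ins2, *tmp;
    int stale = 0, n = 0;
    for (int op = 1; op <= 4; op++) {
        tmp = new_ins(op);
        tmp->prev = tail;
        if (tail) tail->next = tmp; else head = tmp;
        tail = tmp;
    }
    for (ins = head; ins && !stale; ins = ins->next) {
        ops[n++] = ins->op;
        for (ins2 = ins->next; ins2; ins2 = ins2->next) {
            tmp = new_ins(ins2->op + 10);
            replace_ins(&head, ins2, tmp, relink);
            ins2 = tmp;  /* assumption: caller resumes from the replacement */
        }
        stale = ins->next && ins->next->dead;
    }
    while ((tmp = all_nodes)) { all_nodes = tmp->all; free(tmp); }
    return stale;
}
```

With relinking, the outer loop's `ins->next` always points at the live replacement; without it, the first outer iteration already ends on a link to a retired node, which is the trace the checker reported.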