I've had another look at this. Here's what I think is going on.
The relevant output is:

    Event use_after_free: Using freed pointer "(ins)->next"
    Also see events: [alias][freed_arg]
    493 for (ins = unit->instructions; ins; ins = ins->next) {

    Event alias: aliasing "(ins)->next" with "ins2"
    Also see events: [freed_arg][use_after_free]
    512 for (ins2 = ins->next; ins2; ins2 = ins2->next) {

    Event freed_arg: Pointer "ins2" freed by function "subst_ins" [model]
    Also see events: [alias][use_after_free]
    536 subst_ins(unit, ins2, tmp, 1);

The key here is the "model." While Coverity's model captures the
C<free> quite correctly, I don't think it recognizes the pointer update
in the double linked list, which is done in C<subst_ins>, as important.
Coverity probably sees something like the following in the inspected code:

    Instruction *ins, *ins2;
    for (ins = unit->instructions; ins; ins = ins->next) {
        ins2 = ins->next;
        free(ins2);
    }

So, it's a false positive.
Ron
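
Added example, not part of the message above and not Parrot's code: a simplified doubly linked list with the same loop shape as lines 493-536, showing that when the substitution relinks both neighbours before freeing, `ins->next` never points at freed memory. The struct layouts, the body of `subst_ins`, the `ins2 = tmp` continuation and the odd-op replacement rule are assumptions made for illustration.

```c
#include <stdlib.h>

/* Hypothetical, simplified stand-ins; not Parrot's real definitions. */
typedef struct Instruction { int op; struct Instruction *prev, *next; } Instruction;
typedef struct { Instruction *instructions; } Unit;

static Instruction *new_ins(int op) {
    Instruction *i = calloc(1, sizeof *i);
    if (!i) abort();
    i->op = op;
    return i;
}

/* Splice tmp into old's place, relinking both neighbours, then free old. */
static void subst_ins(Unit *unit, Instruction *old, Instruction *tmp, int needs_freeing) {
    tmp->prev = old->prev;
    tmp->next = old->next;
    if (old->prev) old->prev->next = tmp; else unit->instructions = tmp;
    if (old->next) old->next->prev = tmp;
    if (needs_freeing) free(old);
}

/* Build ops 0..n-1, run the flagged loop shape, then verify the list.
 * Returns the node count, or -1 if any prev/next link is inconsistent. */
int rewrite_and_check(int n, int *sum_out) {
    Unit unit = { NULL };
    Instruction *ins, *ins2, *tail = NULL;
    for (int k = 0; k < n; k++) {               /* constructed sample list */
        ins = new_ins(k);
        ins->prev = tail;
        if (tail) tail->next = ins; else unit.instructions = ins;
        tail = ins;
    }
    for (ins = unit.instructions; ins; ins = ins->next) {
        for (ins2 = ins->next; ins2; ins2 = ins2->next) {
            if (ins2->op > 0 && ins2->op % 2 == 1) {
                Instruction *tmp = new_ins(-ins2->op);
                subst_ins(&unit, ins2, tmp, 1); /* frees the old ins2 ... */
                ins2 = tmp;                     /* ... so continue from its replacement */
            }
        }
    }
    int count = 0, ok = 1;
    *sum_out = 0;
    for (ins = unit.instructions; ins; ins = ins2) {
        ins2 = ins->next;                       /* read next before freeing ins */
        if (ins2 && ins2->prev != ins) ok = 0;
        *sum_out += ins->op;
        count++;
        free(ins);
    }
    return ok ? count : -1;
}
```

Building this with `-fsanitize=address` and calling `rewrite_and_check` gives a runtime check of the same property the static analyzer could not establish from its model of `subst_ins`.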