<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/90498>90498</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [clang][static analyzer] false positive cplusplus.NewDelete ("use after free") w/ reference counting
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            clang
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          sharkautarch
      </td>
    </tr>
</table>

<pre>
    version of clang: `17.0.6`

(see also: this closed issue thread w/ more details about the false positive: https://github.com/ValveSoftware/gamescope/issues/1275)
After Joshua-Ashton did a refactor of a reference counting class, I started seeing a new use-after-free warning from scan-build:
```
[419/450] Compiling C++ object src/gamescope.p/commit.cpp.o
../../../src/commit.cpp:116:12: warning: Use of memory after it is freed [cplusplus.NewDelete]
  116 | close( m_nCommitFence );
      |            ^~~~~~~~~~~~~~
1 warning generated.
```

as detailed under the last comment I made in the issue thread here: https://github.com/ValveSoftware/gamescope/issues/1275#issuecomment-2081667870
I found that, in this situation, the static analyzer is:
1) making a conclusion on use-after-free with incomplete information (only looking at local translation unit it seems)
2) just assuming that if it can't *definitively prove*, with its incomplete information, that `if (<condition>) { delete this }` won't be taken, then it'll evaluate both the branch-taken path and the branch-not-taken path.

**what should happen instead:**
Whenever the static analyzer sees `free` or `delete` inside something like an `if`, wherein it currently doesn't know if the branching condition will always evaluate to true or false, it should check beyond the local translation unit to try to figure out if said condition would always turn out to be true or always turn out to be false.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJysVU1v67gO_TXKhohhK3GcLLJI2hvgvsXbPLyZ5YCW6Vi3smRIdIPMYn77gHJu2_s1qzFSJSpp6vDwiMSU7NUTHVV9VvXzCmceQjymAeMLzozRDKs2dPfjK8Vkg4fQg3Hor2pzArUrq6Yoi53alap8VuXpsep9IgJ0KYgbDzaBcSFRBzalmYCHSNjBTekLjCESdMRoXQJsw8zAA0GPLhFMIVm2ryRhBuYpqc1J6YvSl6vlYW4LE0alL7-he6X_hZ5vGEmMOFIyYZLf-cSk9KXSTa30YYF46pki_CekYcb1KQ0cPHS2A4RIPRoOUTLNO4rkDYEJs2frr5J-Sko_wWdIjJGpg0QkFgRPN5gTrVHCr_tIBDeMXox9DCMkg37dztZ1kshC1q58fJZtfd5WB6Uv27pU9TM8hXGyTgI8KX1W-gyh_UKGIUXzMdNiUvpiwjhaLsw0FWEJVxRKX96X5aV3N7U5VdVOVi0UP7DKz_8nEgZGGkO8Q84HLINNIFl1oOqzmdyc5K_4L92eyRGTqp-XcwGqageqeVoKr_Qexj_8Uz74kvmUUmzOX73lEe8Pj6o__fXxWVyrN0Kv5CkiU1f8nMi8YnpoizqYfUcxi8thYhAWyDN8hhE7Auuz6RuBDhT_Relt8v5x7FqX-2q3a_bNA-9n6MPsO-ABWdSV8dgEyfKMbIOXfwrCxMjWAHp09z-lKulNS5XSBxjxZRGjCd64ebm1_gdZWh7AehPGSQoH1vchjvkgUHofvLuDC2EJxeCCQQcc0Se3OM1e5MCi_TG93SstCL7MiQFTmkd5WxIC24uvQa90w6D0qaPe-ny33R2mGF5J6ZOkuADj9AtwCwvI0nxsL1DV5skE39ls3XwSAKo5Q5cFuXComme1K-EWluNbAsYX-sqoB8tKN84BvaKbkQnawEMmu43ozbDO7jAhD4C5Rm8WH_iDtfi2DcrnJmDTEGbXwYDTJMf5xIS5BWSXxf33gTy9PhT6fZETUZKUpXaSSoiyW3KUvfXJdgQpjMSDsO7sCwH6hSa5FEKt6Nn6XIk5RvLs7tAFSgstLz7cpFDv2eV295VbuFnnAN0N7-mdKQ7AcSYBlFt2lu5bwmYg8wIt3cODtV_oKEe5y1dvr3MkkDFge0hou48IctAHBJ6jz34cckUfKH5uzdiKVXfcdIfNAVd0rJpqu62qatOshiM1LZrq0BrdVW27RY3mUJvdHnd12-Ner-xRl3pbbvWhaqp93RSIu31d6ZqaqtuVXae2JY1oXeHc61iEeF3l2348lNvDfuWwJZfykNV6mZ9ay7yNR_Fft_M1qW3pbOL0HoEtuzyZlzfqZ1WfvxOGjIhvRyX8pC3na6L1nOjRybOMdL6seQj_OOZWc3THf-h7AvLxtZ5ikJH0sePltP8OAAD__wSrwgw">