[rwmj]

Really? I tried to use it but I got a lot of false positives - in fact, every one of the errors in my medium-sized codebase was I believe a false positive. I spent a few hours last night looking at all of them and while I found a missing free, it was not one picked up by this analysis, but it happened to be in the same code that the analyzer flagged. Also the error messages are enormous in some cases.

It does show potential, and I hope it improves in future. Be nice to have a libre version of coverity one day.

Edit: Output from compiling nbdkit upstream with -fanalyzer: https://paste.centos.org/view/8381f926

[asveikau]

Looking at the categories of warnings it produces, I'm not surprised. When I've used similar tools trying to detect the same things, I also saw false positives. It's probably not an easy set of problems, otherwise we'd have it built-in to more tools and enabled by default.

[rwmj]

We routinely run nbdkit through Coverity and it finds bugs, although it too has false positives. Also the reports produced by Coverity are really nice - long enough to tell you where the bug is, but not too long to be overwhelming.

I've been meaning to formally prove one of our internal "mini libraries" using Frama-C. If we did that then no one would be able to complain about bugs in it :-)

[google234123]

Sadly, that's typical with static analyzers todays...

[flukus]

I like valgrind for this, combined with automated tests it gets decent coverage and finds actual (or at least probable) errors.

[unmole]

Valgrind is also prone to throwing up false positives. I find ASan much better.