Marc Nieper-Wißkirchen wrote:
> Coverity seems to be a good tool.

Yes, it has found a number of mistakes in Gnulib code (handle leaks, memory leaks, use-after-free bugs, invalid free()), partially in really complex code that a human cannot easily review.
> I haven't yet tested GCC's new static analyzer.

In GCC 10, the static analyzer has so many false positives that, on a codebase as mature as gnulib, it was a waste of time to use it. Let's see how it evolves in future GCC versions. It may be reasonable on first-year students' code, though — I haven't tried that.

Bruno
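The four bug classes Bruno lists (handle leak, memory leak, use-after-free, invalid free) are the kind of thing a reviewer wants to see concretely. The following is an added, constructed example, not Gnulib code and not from this thread: each buggy pattern sits beside a corrected version, so the file can be fed to `gcc -fanalyzer -c` (available from GCC 10 on) or to another analyzer to compare what gets reported. The function names, the in-memory sample input via `fmemopen`, and the use of `strdup` are this example's own assumptions.

```c
/* Constructed example, not Gnulib code: each bug class named in the
   thread beside its corrected form.  Compile with
     gcc -fanalyzer -c analyzer_demo.c
   to see which of the *_buggy / *_leaky variants the analyzer reports.  */
#define _POSIX_C_SOURCE 200809L   /* for strdup and fmemopen */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 4096

/* Handle leak: takes ownership of FP, but the malloc-failure path
   returns without closing it.  */
int count_lines_leaky (FILE *fp)
{
  char *buf = malloc (LINE_MAX_LEN);
  if (buf == NULL)
    return -1;                  /* BUG: fp is never closed.  */
  int n = 0;
  while (fgets (buf, LINE_MAX_LEN, fp) != NULL)
    n++;
  free (buf);
  fclose (fp);
  return n;
}

/* Fixed: every exit path releases what the function acquired or owns.  */
int count_lines (FILE *fp)
{
  int n = -1;
  char *buf = malloc (LINE_MAX_LEN);
  if (buf != NULL)
    {
      n = 0;
      while (fgets (buf, LINE_MAX_LEN, fp) != NULL)
        n++;
      free (buf);
    }
  fclose (fp);
  return n;
}

/* Use-after-free and invalid free: hands the caller a pointer into the
   middle of a malloc'd block (so the caller's free() is invalid), and on
   the all-whitespace path returns a pointer into already freed memory.  */
char *trim_buggy (const char *s)
{
  char *copy = strdup (s);
  if (copy == NULL)
    return NULL;
  char *start = copy;
  while (isspace ((unsigned char) *start))
    start++;
  if (*start == '\0')
    {
      free (copy);
      return start;             /* BUG: points into freed memory.  */
    }
  return start;                 /* BUG: not the pointer malloc returned.  */
}

/* Fixed: allocate exactly the trimmed text, so what the caller frees is
   what malloc returned and nothing is read after free.  */
char *trim (const char *s)
{
  while (isspace ((unsigned char) *s))
    s++;
  size_t len = strlen (s);
  while (len > 0 && isspace ((unsigned char) s[len - 1]))
    len--;
  char *out = malloc (len + 1);
  if (out == NULL)
    return NULL;
  memcpy (out, s, len);
  out[len] = '\0';
  return out;
}

/* Check helper: 1 if trim (IN) equals EXPECTED; releases the result.  */
int trim_matches (const char *in, const char *expected)
{
  char *t = trim (in);
  int ok = t != NULL && strcmp (t, expected) == 0;
  free (t);
  return ok;
}

/* Constructed input: three lines served from memory via fmemopen, so the
   example runs without touching the file system.  */
FILE *sample_stream (void)
{
  static const char text[] = "first\nsecond\nthird\n";
  return fmemopen ((void *) text, sizeof text - 1, "r");
}

int main (void)
{
  int n = count_lines (sample_stream ());
  char *t = trim ("  hello world \n");
  printf ("%d lines; trimmed: \"%s\"\n", n, t ? t : "(null)");
  free (t);
  return 0;
}
```

The buggy variants are never called at run time; they exist only so the analyzer has something to diagnose. Whether a given analyzer version flags all four without noise is exactly the kind of thing Bruno's remark about false positives is about, and is best checked on the tool at hand rather than assumed.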