Static analysis is a technique for finding bugs just by looking at source code without actually running it. That's great, because it can find bugs that are really hard to trigger.
Coverity is a commercial static analysis service that runs continuous scans of many open source apps, including Wine. A summary of results is online at http://scan.coverity.com/rung1.html; it shows Wine has 0.2 defects per thousand lines of code, which compares favorably with other projects.
To see the detailed results, see http://scan.coverity.com/devfaq.html which says "Locate your project on the Full List of the Scan ladder, and click the Log In link. Account requests must be approved by the project's official contacts." Our official contacts are Paul Vriens and Jan Zerebecki. Contact them or scan-admin at coverity for access.
When posting patches to fix bugs found by Coverity, please include "Coverity" in the subject line.
Here are two ways to look for Coverity-related Wine patches:
PVS-Studio is a static analysis tool that integrates into Visual Studio. See http://www.viva64.com/en/a/0076/ for a report of errors analyzing ReactOS code with PVS-Studio. According to http://www.winehq.org/pipermail/wine-devel/2011-December/093599.html, many but not all of the warnings it raised have already been fixed in Wine.
Smatch is an open source static analysis tool based on sparse, the checker used by the Linux kernel. The obsolete version was based on a version of gcc-3.1.1 hacked to dump its intermediate representation of the code, along with some perl modules and scripts to analyze the dumped IR code.
MichaelStefaniuc adapted an existing script in the old Smatch to find code paths with missing LeaveCriticalSection's. Scripts to find some other useful things like fd, DC, and GDI object leaks should be easy to write. Michael also created a page with more info on using Smatch to test Wine. However, at least as of Jan 2010, he expressed some interest in switching over to Coccinelle because it seemed to make prototyping much easier.
You can also see all Smatch-related patches in the Wine git tree.
Coccinelle is yet another open source static analysis tool.
Students at Aalborg University say they found a number of bugs with it in 2008. Paul Vriens and Michael Stefaniuc are using it since 2009.
When posting patches to fix bugs found by Coccinelle, please include "Coccinelle" in the subject line.
Here are two ways to look for Coccinelle-related Wine patches:
Clang Static Analyzer
Henri Verbeet has started submitting patches to fix these warnings; the first is http://winehq.org/pipermail/wine-patches/2008-October/062650.html
When posting patches to fix bugs found by Clang, please include "LLVM/Clang" in the subject line.
Here are two ways to look for Clang-related Wine patches:
See also: the Clang page in this Wiki.
Saturn is the second static analysis tool out of Stanford (the first was MC aka the Stanford Checker, which became Coverity). Their tool can be downloaded for free, and there is a mailing list for discussing it.
The first patch from somebody using Saturn was posted on 26 Jan 2009.
When posting patches to fix bugs found by Saturn, please include "(Saturn)" in the subject line.
Here are two ways to look for Saturn-related Wine patches:
There was a discussion about adding Flawfinder to PatchWatcher (which went a bit off-topic due to mailman sending out duplicate messages), but there were too many false positives for it to be much use.