Static analysis is a technique for finding bugs just by looking at source code without actually running it. That's great, because it can find bugs that are really hard to trigger.
Coverity is a commercial static analysis service that runs continuous scans of many open source apps, including Wine. A summary of results is online at http://scan.coverity.com/rung1.html; it shows Wine has 0.2 defects per thousand lines of code, which compares favorably with other projects.
For the detailed results, see http://scan.coverity.com/devfaq.html, which says "Locate your project on the Full List of the Scan ladder, and click the Log In link. Account requests must be approved by the project's official contacts." Our official contacts are Paul Vriens and Jan Zerebecki. Contact them or scan-admin at coverity for access.
When posting patches to fix bugs found by Coverity, please include "Coverity" in the subject line.
Here are two ways to look for Coverity-related Wine patches:
PVS-Studio is a static analysis tool that integrates into Visual Studio. See http://www.viva64.com/en/a/0076/ for a report of the errors found when analyzing ReactOS code with PVS-Studio. According to http://www.winehq.org/pipermail/wine-devel/2011-December/093599.html, many but not all of the warnings it raised have already been fixed in Wine.
Smatch is an open source static analysis tool. The old and obsolete version is based on a hacked gcc-3.1.1 with some Perl modules and scripts, but it is still useful for Wine and "low cost" to run.
When posting patches to fix bugs found by Smatch, please include "Smatch" in the subject line.
Michael Stefaniuc says that one of these days he's going to stop using the old Smatch and switch to Coccinelle [IRC 15 Jan 2010]. It is way easier to prototype new ideas in Coccinelle.
Here are three ways to look for Smatch-related Wine patches:
in git (1 in month ending Jan 15 2010, 3 in previous month)
Smatch is an open source static analysis tool. The new Smatch is based on sparse, the checker used by the Linux kernel.
Smatch has some built-in Wine checks.
Coccinelle is yet another open source static analysis tool.
Students at Aalborg University say they found a number of bugs with it in 2008. Paul Vriens and Michael Stefaniuc have been using it since 2009.
When posting patches to fix bugs found by Coccinelle, please include "Coccinelle" in the subject line.
Here are two ways to look for Coccinelle-related Wine patches:
Clang Static Analyzer
Henri Verbeet has started submitting patches to fix these warnings; the first is http://winehq.org/pipermail/wine-patches/2008-October/062650.html
When posting patches to fix bugs found by Clang, please include "LLVM/Clang" in the subject line.
Here are two ways to look for Clang-related Wine patches:
See also: the Clang page in this Wiki.
Saturn is the second static analysis tool out of Stanford (the first was MC aka the Stanford Checker, which became Coverity). Their tool can be downloaded for free, and there is a mailing list for discussing it.
The first patch from somebody using Saturn was posted on 26 Jan 2009.
When posting patches to fix bugs found by Saturn, please include "(Saturn)" in the subject line.
Here are two ways to look for Saturn-related Wine patches:
There was a discussion about adding Flawfinder to PatchWatcher (which went a bit off-topic due to mailman sending out duplicate messages), but there were too many false positives for it to be of much use.