Hi,
I tried llvm (clang's scan-build) after reading your post.
It is very easy to run scan-build, and it seems good at finding unused statements.
However, for finding errors, the false positives disappointed me.
I analyzed 4 'API' errors, but only one seems to be a real error:
at color_filter.c:173, variable "filter" might be NULL in 'strstr'.
I randomly chose 28 'logic error' results, such as 'null dereference' and 'use of uninitialized value', but all of them are false positives.
Some common reasons for false positives are:
1. Assertions are not respected; scan-build usually assumes ptr is NULL in "DISSECTOR_ASSERT(ptr)".
2. The goto statement is not handled correctly. For example, at dumpcap.c:988, variable "magic" is considered uninitialized if read() returns a negative integer, but in this case switch(magic) will not be executed.
3. TRY is not handled correctly. For example, at packet-dcerpc.c:4204, "pdu_len" is considered uninitialized.
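The three constructs listed above, as an added reproduction in C. This is not code from the message or from Wireshark's sources: DISSECTOR_ASSERT, the in-memory byte source standing in for read(), the setjmp-based TRY/THROW and the function names (filter_mentions, classify_magic, parse_pdu_len) are all written for this example. The only real pieces are clang's analyzer_noreturn and the GCC/clang noreturn attribute, which tell the analyzer that a handler never returns, and the pcap/pcapng magic values.

```c
/* Added example, not from the original message or from Wireshark's sources: small C
 * reproductions of the three constructs the message says scan-build mishandles, in the
 * shape one would hand back to the analyzer. Macros and helpers are stand-ins, not Wireshark's. */
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The analyzer drops the failing path of an assertion or throw only when it knows the
 * handler never returns; clang's analyzer_noreturn covers handlers that longjmp instead. */
#ifdef __has_attribute
#  if __has_attribute(analyzer_noreturn)
#    define NORETURN_HANDLER __attribute__((noreturn, analyzer_noreturn))
#  endif
#endif
#ifndef NORETURN_HANDLER
#  define NORETURN_HANDLER __attribute__((noreturn))
#endif

/* 1. Assertions: without the attribute on the handler, the "ptr may be NULL" path
 *    survives DISSECTOR_ASSERT(ptr) and is reported at the strstr() call. */
static void assert_failed(const char *expr, int line) NORETURN_HANDLER;
static void assert_failed(const char *expr, int line)
{ fprintf(stderr, "assertion \"%s\" failed at line %d\n", expr, line); abort(); }
#define DISSECTOR_ASSERT(expr) do { if (!(expr)) assert_failed(#expr, __LINE__); } while (0)

int filter_mentions(const char *filter, const char *proto)
{
    DISSECTOR_ASSERT(filter != NULL);
    return strstr(filter, proto) != NULL;
}

/* 2. goto past the use: magic is only switched on after a successful read, so an
 *    "uninitialized" report on the error path is spurious. Rejecting a short read too is
 *    still worth it here: a partial read would leave part of magic unset. */
enum magic_kind { MAGIC_READ_ERROR = -1, MAGIC_UNKNOWN, MAGIC_PCAP, MAGIC_PCAPNG };
/* Constructed in-memory stand-in for read(); fail != 0 returns -1 like a failed read. */
struct byte_src { const unsigned char *data; size_t len; int fail; };
static long src_read(struct byte_src *s, void *buf, size_t want)
{
    if (s->fail) return -1;
    if (want > s->len) want = s->len;
    memcpy(buf, s->data, want);
    return (long)want;
}

enum magic_kind classify_magic(struct byte_src *src)
{
    uint32_t magic;                          /* uninitialized on purpose, as in the report */
    long n = src_read(src, &magic, sizeof magic);
    if (n != (long)sizeof magic)
        goto error;                          /* the switch is unreachable from here */
    switch (magic) {
    case 0xa1b2c3d4u: return MAGIC_PCAP;     /* pcap magic, host byte order */
    case 0x0a0d0d0au: return MAGIC_PCAPNG;   /* pcapng Section Header Block type */
    default:          return MAGIC_UNKNOWN;
    }
error:
    return MAGIC_READ_ERROR;
}

/* Convenience wrapper: host-order value in; avail < 4 simulates a short read. */
enum magic_kind classify_host_u32(uint32_t magic, size_t avail, int fail)
{
    unsigned char buf[sizeof magic];
    struct byte_src src = { buf, avail < sizeof buf ? avail : sizeof buf, fail };
    memcpy(buf, &magic, sizeof buf);
    return classify_magic(&src);
}

/* 3. TRY/CATCH over setjmp/longjmp: pdu_len is assigned inside TRY and read only when
 *    nothing was thrown, but the analyzer does not model longjmp, so the throw path looks
 *    like one where pdu_len is read uninitialized. The throw helper carries the attribute. */
static jmp_buf try_env;
static int     try_active;
static void do_throw(int code) NORETURN_HANDLER;
static void do_throw(int code)
{ if (try_active) longjmp(try_env, code); abort(); /* THROW outside any TRY */ }
#define TRY        try_active = 1; if (setjmp(try_env) == 0)
#define CATCH_ALL  else
#define ENDTRY     try_active = 0
#define THROW(c)   do_throw(c)

int parse_pdu_len(const unsigned char *buf, size_t len)
{
    int pdu_len;                             /* set only inside TRY */
    int caught = 0;
    TRY {
        if (len < 2) THROW(1);               /* stand-in for a BoundsError */
        pdu_len = buf[0] | (buf[1] << 8);
    } CATCH_ALL {
        caught = 1;
    }
    ENDTRY;
    return caught ? -1 : pdu_len;            /* never read on the throw path */
}

int main(void)
{
    const unsigned char pdu[] = { 0x34, 0x12 };  /* constructed: little-endian 0x1234 */
    printf("tcp in filter: %d\n", filter_mentions("ip.addr == 10.0.0.1 && tcp", "tcp"));
    printf("pcap: %d  short read: %d\n", classify_host_u32(0xa1b2c3d4u, 4, 0), classify_host_u32(0xa1b2c3d4u, 2, 0));
    printf("pdu_len: %d  too short: %d\n", parse_pdu_len(pdu, 2), parse_pdu_len(pdu, 1));
    return 0;
}
```

Running `scan-build clang -c repro.c` on the file shows which of the three shapes the analyzer still reports; removing NORETURN_HANDLER from the two handlers is the quickest way to see the assertion and TRY cases come back. Annotating the non-returning helper is the usual fix for those two; the goto case depends only on the analyzer's path exploration, and the short-read check is a real robustness improvement regardless of what the analyzer says.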