I work at Red Hat on the GNU Compiler Collection (GCC). In GCC 10, I added the new `-fanalyzer` option, a static analysis pass for identifying various problems at compile time rather than at runtime. The initial implementation was aimed at early adopters, who found a few bugs, including a security vulnerability: CVE-2020-1967. Bernd Edlinger, who discovered the issue, had to wade through many false
![Static analysis updates in GCC 11 | Red Hat Developer](https://cdn-ak-scissors.b.st-hatena.com/image/square/3a2bbef31328ae9e049198c4c3de3735ab3ca9b7/height=288;version=1;width=512/https%3A%2F%2Fdevelopers.redhat.com%2Fsites%2Fdefault%2Ffiles%2Fstyles%2Fshare%2Fpublic%2Fblog%2F2021%2F01%2F2021_GCC_Static_Analysis_Updates_Featured_Article_A-2.png%3Fitok%3DePrY4-Tj)