I hesitate a bit to step into this, but agree with the notion that static analysis tools must be used with great care by people who really understand programming. I've seen Coverity get run over a large codebase. Some of the issues found were false alarms, and many were real. Often it was "this variable could be used uninitialized". In some cases where one could make an argument Coverity was wrong (due to a bunch of complicated ifs), we decided to just initialize to a safe value at the beginning. Basically, if it takes longer than 30 seconds to explain why the code is right, it's better off being fixed. A number of the issues found were dead on, though. I've also seen people change code to pacify Coverity and introduce bugs; the tools definitely must be used with care.
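The "could be used uninitialized" pattern the post describes, as an added, constructed C example that is not code from the post or from Coverity. The function, its modes and its return codes are invented for illustration. It shows the same if-chain three times: as originally written (exhaustive for the modes callers actually pass, so arguably correct, yet flagged because the checker cannot see the caller's contract), "pacified" by initializing to 0 (which silences the warning but makes an unexpected mode succeed, the kind of bug the post warns about), and fixed the way the post suggests, by initializing to a safe failing value at the top.

```c
#include <errno.h>
#include <string.h>

/* Constructed example. Callers are supposed to pass only MODE_READ,
 * MODE_WRITE or MODE_DELETE; everything about this API is hypothetical. */
enum mode { MODE_READ = 0, MODE_WRITE = 1, MODE_DELETE = 2 };

/* 1. As written. For modes 0..2 every path assigns rc, so in practice the
 *    code is right, but a flow-sensitive checker reports "rc may be used
 *    uninitialized". Reading rc for any other mode really is undefined
 *    behaviour, so the warning is not entirely baseless. */
int handle_request_original(int mode, const char *path)
{
    int rc;                                   /* flagged by the analyzer */

    if (mode == MODE_READ)
        rc = (path[0] == '/') ? 0 : -ENOENT;
    else if (mode == MODE_WRITE)
        rc = (strlen(path) < 4096) ? 0 : -ENAMETOOLONG;
    else if (mode == MODE_DELETE)
        rc = (strcmp(path, "/") != 0) ? 0 : -EPERM;
    /* no final else */
    return rc;
}

/* 2. "Pacified" the wrong way. rc = 0 makes the warning go away, but 0 is
 *    the success code, so an unexpected mode now passes the check. The
 *    tool is happy and the code is worse (fail-open). */
int handle_request_pacified(int mode, const char *path)
{
    int rc = 0;                               /* silences the tool, wrong value */

    if (mode == MODE_READ)
        rc = (path[0] == '/') ? 0 : -ENOENT;
    else if (mode == MODE_WRITE)
        rc = (strlen(path) < 4096) ? 0 : -ENAMETOOLONG;
    else if (mode == MODE_DELETE)
        rc = (strcmp(path, "/") != 0) ? 0 : -EPERM;
    return rc;
}

/* 3. Fixed as the post describes: initialized to a safe value at the
 *    beginning. The warning goes away, the valid modes behave exactly as
 *    before, and an unexpected mode is rejected (fail-closed). Nobody has
 *    to spend 30 seconds explaining why the if-chain is exhaustive. */
int handle_request_fixed(int mode, const char *path)
{
    int rc = -EINVAL;                         /* safe default: reject */

    if (mode == MODE_READ)
        rc = (path[0] == '/') ? 0 : -ENOENT;
    else if (mode == MODE_WRITE)
        rc = (strlen(path) < 4096) ? 0 : -ENAMETOOLONG;
    else if (mode == MODE_DELETE)
        rc = (strcmp(path, "/") != 0) ? 0 : -EPERM;
    return rc;
}
```

Compiling the first variant with `gcc -O2 -Wall` typically produces a "may be used uninitialized" warning, which is the same class of report the post describes; the choice of default in the fix is the security-relevant decision, since the default is what runs on every path the author did not think about.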