It's a big step from "Static analyzers are usually wrong" to "They are not bugs." This particular static analyzer *may* be right in one or more of these cases, but proof requires more than some bold red text on a PNG. I believe this report wouldn't have been immediately disregarded and so would have received a less dismissive reply if the many problems in the original report were fixed: * We knew this "hyx" user by reputation, from prior posting. * He made the reports against the trunk version. * The line numbers were against the actual `src/*.c` files, not against the amalgamation. * The reports were in plain text — possibly with Markup formatting — rather than bitmapped-images-of-text. * Each flagged case was accompanied by separate prose descriptions of the reporter's hypothesis justifying the report. (Or, better, included proof-of-concept code showing how to exploit the claimed flaws.) I'm with drh on this one: this "hyx" user has shown little regard for what the developers need and care about when going after static analyzer reports. One more thing: knowing which tool gave this output might be helpful, too, particularly if it's available to drh, so he could just run it himself. If it's somehow proprietary, then we don't know what the tool is doing, so we can't evaluate how useful it is. Just because some bit of dumb anonymous software gave a report about some *other* bit of software doesn't justify work chasing the resulting output.