This project has been submitted to Coverity Scan, a static analyzer. It has found many bugs, most of which have already been fixed. The remaining ones should be fixed as well.

https://scan.coverity.com/projects/4743

If you need access to that site, contact @rillig.