gcc 10 now has a static analysis built in (-fanalyzer) and here's how it works internally

https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/doc/analyzer.texi;h=67efa52953b860fe828ab49d01b28ba336329b19;hb=757bf1dff5e8cee34c0a75d06140ca972bfecfa7