Prior static analysis studies of C software have been limited to small-scale or manually sampled datasets, lacking representative, large-scale empirical evidence from real-world Linux distributions. Method: This work conducts the first large-scale empirical evaluation across 3,538 mainstream C packages in Gentoo—a full Linux distribution—using GCC’s built-in static analyzer. Contribution/Results: We systematically characterize defect distributions and code quality patterns: uninitialized variables and null pointer dereferences are the most prevalent issues; warnings follow a heavy-tailed distribution independent of application domain; 89% of packages emit zero warnings, while a small fraction accounts for the vast majority; memory management defects are surprisingly rare. This establishes the first reproducible, distribution-scale static analysis benchmark for open-source C ecosystems, providing quantitative baselines and empirically grounded insights for software quality assessment, static analysis tool improvement, and security governance.

Static analysis is a classical technique for improving software security and software quality in general. Fairly recently, a new static analyzer was implemented in the GNU Compiler Collection (GCC). The present paper uses the GCC’s analyzer to empirically examine popular Linux packages. The dataset used is based on those packages in the Gentoo Linux distribution that are either written in C or contain C code. In total, 3,538 such packages are covered. According to the results, uninitialized variables and NULL pointer dereference issues are the most common problems according to the analyzer. Classical memory management issues are relatively rare. The warnings also follow a long-tailed probability distribution across the packages; a few packages are highly warning-prone, whereas no warnings are present for as much as $89 %$ of the packages. Furthermore, the warnings do not vary across different application domains. With these results, the paper contributes to the domain of large-scale empirical research on software quality and security. In addition, a discussion is presented about practical implications of the results.