While scan-build wasn't what I was looking for, it has proven useful anyway: many of the sizeof errors were just noise, but a few were actual bugs (allocating too much or too little memory).