dependabot[bot] [Sun, 1 Mar 2026 14:58:16 +0000 (14:58 +0000)]
GHA: bump actions and pip dependencies
- update action `actions/cache` from 5.0.1 to 5.0.3
- update action `github/codeql-action` from 4.31.9 to 4.32.4
- update pip `filelock` from 3.20.3 to 3.24.3
- update pip `ruff` from 0.14.14 to 0.15.2
Florian Imdahl [Thu, 26 Feb 2026 18:48:57 +0000 (19:48 +0100)]
docs: some nitpicks
- replaced double spaces with single space where applicable
- replaced "favourite" with "favorite"
- added language identifiers to code blocks in markdown files
- added extra line after code blocks and after headings in markdown
files
Viktor Szakats [Thu, 26 Feb 2026 23:38:07 +0000 (00:38 +0100)]
mprintf: use `_snprintf()` when compiled with VS2013 and older
To support floats and doubles when using these old compilers.
Before this patch, these tests most likely failed with them:
```
FAIL 557: 'curl_mprintf() testing' printf, unittest
FAIL 566: 'HTTP GET with CURLINFO_CONTENT_LENGTH_DOWNLOAD and 0 bytes transfer' HTTP, HTTP GET
FAIL 599: 'HTTP GET with progress callback and redirects changing content sizes' HTTP, HTTP POST, chunked Transfer-Encoding
FAIL 1148: 'progress-bar' HTTP, progressbar
```
Also:
- mention `_snprintf()` in the `_CRT_SECURE_NO_WARNINGS` comment.
Viktor Szakats [Fri, 27 Feb 2026 12:43:51 +0000 (13:43 +0100)]
cmake: convert `curl_add_clang_tidy_test_target()` macro to function
I thought a macro is necessary to have `get_directory_property()` and
`CMAKE_CURRENT_SOURCE_DIR` work on the correct directory, but it turns
out they do work the same when used in a function.
Viktor Szakats [Fri, 27 Feb 2026 00:09:14 +0000 (01:09 +0100)]
GHA/linux: replace scan-build with clang-tidy
`scan-build` is a (Perl) wrapper around clang's built-in `--analyze`
option. Which look similar or identical to clang-tidy checkers under
the `clang-analyzer-*` namespace:
https://clang.llvm.org/docs/ClangStaticAnalyzer.html
Unless somebody has other information, it appears redundant to run
scan-build in parallel with clang-tidy in CI, now that the latter is
working reliably and with good performance for all curl components.
Another scan-build issue is the lack of a markup to suppress false
positives. It ignores `NOLINT`, yet finds the same false positives as
clang-tidy. This happens with scan-build v20+. v18 is silent, but it's
a blocker to upgrade to a newer version.
scan-build may still be a useful when combined with autotools, where
clang-tidy support is incomplete, slow (no parallelism), and uses
a distinct make target, which does not build binaries in the same pass.
But, scan-build also lacks extra checkers that are now enabled for
clang-tidy.
The clang-tidy job is also 30-40s faster than the one it replaced.
Also:
- drop scan-build job configured the same way as a clang-tidy one.
CI time saved: 6m30s
- bump to clang-20 (from 18) in the replacement job.
- build tests in the replacement job.
To verify a cmake command-line reconstruction issue only hit in this
job in CI.
CI time cost: 1m40s
- replacement job caught a minor, new, issue.
Ref: b2076d3c2f5386068d9b0199f25a81147784d8ac #20752
- drop unused scan-build logic.
Viktor Szakats [Fri, 27 Feb 2026 03:08:06 +0000 (04:08 +0100)]
cmake: fix system include directory position for clang-tidy in tests
To avoid a system include masking a custom directory, and e.g. picking
up system OpenSSL headers from `/usr/include` on Linux, instead of the
correct ones from a custom header directory, move system include
directories to the back of the header path list. Also to match what
CMake seems to be doing for the C compiler command-lines it generates.
CMake seems to use `-I`, while for these invocations we stick with
`-isystem` just in case.
This area remains fragile and likely not the final issue.
Fixing (seen in GHA/linux H3 c-ares):
```
Error while processing bld/tests/libtest/lib1521.c.
/usr/include/openssl/macros.h:147:4: error: "OPENSSL_API_COMPAT expresses an impossible API compatibility level" [clang-diagnostic-error]
Found compiler error(s).
147 | # error "OPENSSL_API_COMPAT expresses an impossible API compatibility level"
| ^
FAILED: [code=1] tests/libtest/CMakeFiles/libtests-clang-tidy
```
Ref: https://github.com/curl/curl/actions/runs/22468472670/job/65079885471?pr=20751
Bug: https://github.com/curl/curl/pull/20751#issuecomment-3970180687
Cherry-picked from #20751
Viktor Szakats [Thu, 26 Feb 2026 11:35:51 +0000 (12:35 +0100)]
cmake: fix confusing error when a dependency is undetected in `curl-config.cmake`
Fixing:
```
CMake Error at /path/to/CURL/CURLConfig.cmake:190 (get_target_property):
get_target_property() called with non-existent target "CURL::libssh2".
```
and replacing it with the clearer message:
```
CMake Error at /path/to/CURL/CURLTargets.cmake:61 (set_target_properties):
The link interface of target "CURL::libcurl_static" contains:
CURL::libssh2
but the target was not found. Possible reasons include:
[...]
```
Viktor Szakats [Wed, 25 Feb 2026 14:51:59 +0000 (15:51 +0100)]
GHA/linux: switch clang-tidy job to cmake for 2x speed, bump to v20, enable for tests
Checking lib and src under 3m15s versus 7m15s.
Downside: autotools clang-tidy support is no longer CI-tested.
The reason for the slowness is invoking a single clang-tidy command with
all source files, and clang-tidy checking them in a single thread,
sequentially. clang-tidy offers a `run-clang-tidy` Python script for
parallel processing, which may help with this. However at this point
it's more practical to use cmake, which also supports verifying the
whole codebase, not only lib and src.
Also:
- bump clang-tidy to the latest available, v20 (from v18).
- enable running clang-tidy on tests. Takes under 2 minutes.
Also tried `_CURL_TESTS_CONCAT=ON`, it brings down the build tests step
from 1m47s to 54s, saving 1 minute. Skipped using it for now.
Viktor Szakats [Thu, 26 Feb 2026 02:28:17 +0000 (03:28 +0100)]
tests/server: fix to clear the complete `srvr_sockaddr_union_t` variable
Reported by clang-tidy (seen on Linux with v18, v19, v20, not on macOS):
```
tests/server/dnsd.c:552:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/dnsd.c:556:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/rtspd.c:1183:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/rtspd.c:1187:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/sws.c:2235:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/sws.c:2239:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/tftpd.c:1188:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/tftpd.c:1192:14: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/util.c:860:21: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
tests/server/util.c:864:21: error: 1st function call argument is an uninitialized value [clang-analyzer-core.CallAndMessage]
```
Ref: https://github.com/curl/curl/actions/runs/22424827575/job/64930560425?pr=20725
Viktor Szakats [Wed, 25 Feb 2026 19:55:03 +0000 (20:55 +0100)]
build: do not include wolfSSL header in `curl_setup.h`
To fix building tests/server with cmake and both wolfSSL and OpenSSL
enabled (MultiSSL).
tests/server do not have libcurl dependency header paths setup because
it does not use libcurl. The code however includes `curl_setup.h`, which
tried including `wolfssl/version.h` before this patch to verify if the
wolfSSL coexist feature is available. Without a header path, it failed:
```
In file included from bld/tests/server/servers.c:3:
In file included from tests/server/first.h:40:
lib/curl_setup.h:737:12: fatal error: 'wolfssl/version.h' file not found
737 | # include <wolfssl/version.h>
| ^~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/22410066319/job/64880787424#step:46:76
Fix by moving the include and version check to `vtls/wolfssl.c`.
Viktor Szakats [Tue, 24 Feb 2026 00:35:02 +0000 (01:35 +0100)]
cmake: replace internal option with a new `testbins` target
To allow building test binaries without test certs, replacing
`_CURL_SKIP_BUILD_CERTS` internal option with a build target that is
similar to `testdeps`, but without building the test certificates.
To make building test binaries a little bit faster, with less noisy
output, and without having to reconfigure the build.
Viktor Szakats [Wed, 25 Feb 2026 17:18:02 +0000 (18:18 +0100)]
cmake: fix passing system header directories to clang-tidy for tests
Pass system directories with `-isystem` to avoid clang-tidy parsing
3rd-party and system headers with `HeaderFilterRegex: '.*' enabled.
Also:
- drop rule exception no longer necessary.
- sync normal vs. system header path order with compiler invocation.
- tidy up `set()` syntax.
- clear a temporary variable.
Viktor Szakats [Sat, 21 Feb 2026 01:44:42 +0000 (02:44 +0100)]
cmake: add native clang-tidy support for tests, with concatenated sources
Tests are build in "unity"-style, by including sources into an umbrella
C files (similar to how CMake unity works). This does not play well with
clang-tidy, which seems to unconditionally ignore C sources included
like this. To fix it, curl's CMake implements a manual clang-tidy
support for tests, which compiles sources one-by-one, while also making
sure sources compile cleanly standalone (e.g. all sources need to
include `first.h`). The manual clang-tidy implementation is fragile, and
performance, in particular when targeting Windows, is abysmal.
This patch introduces an alternate solution, enabled by the
`_CURL_TESTS_CONCAT=ON` option. In this mode, umbrella sources include
the actual sources instead of `#including` them. Allowing to use CMake's
built-in clang-tidy support to compile them, with clang-tidy actually
checking the sources. Making the manual clang-tidy support unnecessary.
In the Windows CI job it results in a 4x performance improvement (4m ->
1m), making it practical to run clang-tidy on tests on Windows, in CI.
The main downside is that clang-tidy doesn't understand the `#line`
directive. Meaning issues found show the wrong filename and line number
next to them. It's not impossible to locate errors this way, but also
not convenient.
Minor/potential downside is that the concatenated source needs to be
reassembled each time an original source is updated. This may result in
more copying on the disk when used in local development. The largest
source is 1.4MB, so probably not a show-stopper on most machines.
Another is the complexity of maintaining two methods in parallel, which
may be necessary till clang-tidy understands `#line`:
https://github.com/llvm/llvm-project/issues/62405
This solution may in theory also enable adding clang-tidy support for
tests in autotools, though I haven't tried.
Targeted for curl CI for now, and used in a GHA/windows job. 100%
experimental, not recommended outside these.
Viktor Szakats [Fri, 13 Feb 2026 00:47:10 +0000 (01:47 +0100)]
tidy-up: miscellaneous
- vms/curlmsg_vms.h: delete unused/commented code.
- vtls/schannel_verify: sort includes.
- typecheck-gcc.h: fix indent and alignment.
- lib/config-win32.h: drop idle `#undef`.
- spacecheck: check for stray empty lines before after curly braces.
- make literals more readable: 1048576 -> 1024 * 1024
- scope variables.
- use ISO date in a comment.
- drop redundant parentheses.
- drop empty comments.
- unfold lines.
- duplicate/stray spaces in comments.
- fix indent, whitespace, minor typos.
Viktor Szakats [Thu, 19 Feb 2026 17:10:58 +0000 (18:10 +0100)]
openssl: fix potential NULL dereference when loading certs (Windows)
This could happen if the first cert to be loaded missed EKU (Enhanced
Key Usage) data, when using native CA on Windows.
Fix by skipping certs without Enhanced Key Usage data.
Detected by clang-tidy:
```
lib/vtls/openssl.c:2922:15: warning: Access to field 'cUsageIdentifier'
results in a dereference of a null pointer (loaded from variable
'enhkey_usage') [clang-analyzer-core.NullDereference]
2922 | if(!enhkey_usage->cUsageIdentifier) {
| ^
```
Daniel Stenberg [Tue, 24 Feb 2026 10:01:35 +0000 (11:01 +0100)]
setopt: refuse blobs with zero length
A blob must have a length or it will not be accepted. By enforcing the
check here, TLS backend code can rely on the fact that the length is
always non-zero from this point.
Viktor Szakats [Wed, 18 Feb 2026 23:44:43 +0000 (00:44 +0100)]
lib: use lib source directory as base include path
Backtrack on previous change that aimed to solve the wrong `share.h`
being included. It turns out it did not fix this issue. At the same time
it introduced relative header filenames and the need to include the same
headers differently depending on the source files' location, reducing
readability and editability.
Replace this method by re-adding curl's lib source directory to the
header path and addressing headers by the their full, relative name to
that base directory. Aligning with this method already used in src and
tests.
With these advantages:
- makes includes easier to read, recognize, grep, sort, write, and copy
between sources,
- syncs the way these headers are included across curl components,
- avoids the ambiguity between system `schannel.h`, `rustls.h` vs.
local headers using the same names in `lib/vtls`,
- silences clang-tidy `readability-duplicate-include` checker, which
detects the above issue,
Ref: https://clang.llvm.org/extra/clang-tidy/checks/readability/duplicate-include.html
- possibly silences TIOBE coding standard warnings:
`6.10.2.a: Don't use relative paths in #include statements.`
- long shot: it works well with concatenated test sources, for
clang-tidy-friendly custom unity builds. Ref: #20667
Slight downside: it's not enforced.
If there happens to be a collision between a local `lib/*.h` header and
a system one, the solution is to rename (possibly with its `.c`
counterpart) into the `curl_` namespace. This is also the method used by
curl in the past.
Also:
- curlx/inet_pton: reduce scope of an include.
- toolx/tool_time: apply this to an include, and update VS project
files accordingly. Also dropping unnecessary lib/curlx header path.
- clang-tidy: enable `readability-duplicate-include`.
Viktor Szakats [Mon, 23 Feb 2026 12:32:52 +0000 (13:32 +0100)]
cmake: add C++ integration test
Also:
- include code to verify a C++-specific public header regression
reported in 8.19.0-rc2.
- curl/curl.h: mention C++ global namespace in comment.
- GHA/dist: add CI job for C++. Runtime: 15 seconds.
Viktor Szakats [Mon, 23 Feb 2026 11:00:18 +0000 (12:00 +0100)]
curl/curl.h: revert to recursive macros to keep supporting C++ use-case
To avoid breaking 3rd-party code reusing these symbols as C++ methods,
e.g. in CMake sources:
```
cmake/src/v4.0.0-b30653ae0c.clean/Source/cmCurl.cxx:119:24: error: expected unqualified-id
119 | ::CURLcode res = ::curl_easy_setopt(curl, CURLOPT_CAINFO, cafile.c_str());
| ^
```
Viktor Szakats [Sun, 22 Feb 2026 01:18:49 +0000 (02:18 +0100)]
tests/server: silence clang-tidy warning
It looks like a case that can never happen in practice.
Seen on mingw-w64 with experimental concatenated (vs. #included) test
sources:
```
tests/server/util.c:662:16: error: Null pointer passed as 1st
argument to string length function [clang-analyzer-unix.cstring.NullArg]
662 | size_t len = strlen(unix_socket);
| ^
```
Ref: https://github.com/curl/curl/actions/runs/22267482855/job/64416261156#step:10:273
Viktor Szakats [Sun, 22 Feb 2026 10:41:49 +0000 (11:41 +0100)]
cmake: force-disable unity for clang-tidied build targets only
Instead of globally disabling unity for all targets when clang-tidy is
enabled.
After this patch `CMAKE_UNITY_BUILD=ON` is honored for:
- static libcurl when building both static and shared separately.
- libcurlu and libcurltool internal libraries when building the test
target.
While keeping unity disabled for the libcurl build pass running
clang-tidy, and the curl tool, also running clang-tidy.
To make clang-tidy-enabled builds finish faster when unity mode is
enabled, yet performs the same clang-tidy checks as before this patch.
Effect on:
- GHA/macos: core build: same, buils tests 5-12 seconds faster,
with steps going down from 259 to 25.
- GHA/windows (not enabled): it'd save about 1 minute, bringing total
time barely below 10m, still one of the slowest jobs overall.
(#20667 is trying a way for 4x speed-up (with a drawback)).
Viktor Szakats [Sun, 22 Feb 2026 13:13:21 +0000 (14:13 +0100)]
cmake: limit clang-tidy to the shared libcurl if static is also built
On platforms that require building static and shared libcurl separately,
after this change clang-tidy is only run on one of them, to reduce build
time by avoiding the double-work. From a clang-tidy standpoint, static
and shared libs are identical.
Except `dllmain.c` on Windows, which is only present in shared. To keep
running it through clang-tidy, prefer the shared library for clang-tidy.
Daniel Stenberg [Sat, 21 Feb 2026 22:16:39 +0000 (23:16 +0100)]
tool: improve config error messaging
- make sure that errors for specific options in config files identify
the file, line number and shows the error about the correct option
- improve some error message wording
- add warning for leading single quote of arguments in config files
(verified in test 1712)
- adjust test error outputs accordingly
test1712 introduces mode=warn
Use the mode="warn" attribute if the output curl warning output, as it
then makes the check without newlines and the prefix to better handle
that the lines may wrap at different points depending on the lengths of
the lines and terminal width.
Also:
- lib/parsedate: avoid relying on side-effect of missing parentheses.
- lib/http: drop redundant parentheses.
- fix cases in headers missed by clang-tidy.
Viktor Szakats [Wed, 18 Feb 2026 14:14:06 +0000 (15:14 +0100)]
clang-tidy: check `misc-header-include-cycle`, fix in internal headers
Also opt-out `curl/curl.h` because it includes `curl/mprintf.h`, which
in turn includes `curl/curl.h` for `CURL_EXTERN`. Not changeable in
public headers to remain compatible. (Somehow only triggered for
examples.)
Viktor Szakats [Wed, 18 Feb 2026 16:46:36 +0000 (17:46 +0100)]
libtests: drop two redundant `memset()`s
Reported by clang-tidy `bugprone-sizeof-expression`.
Silencing:
```
tests/libtest/cli_h2_pausing.c:164:23: warning: suspicious usage of 'sizeof()' on an expression of pointer type [bugprone-sizeof-expression]
164 | memset(&resolve, 0, sizeof(resolve));
| ^
tests/libtest/cli_upload_pausing.c:158:23: warning: suspicious usage of 'sizeof()' on an expression of pointer type [bugprone-sizeof-expression]
158 | memset(&resolve, 0, sizeof(resolve));
| ^
```
projects / thirdparty / curl.git / log
