Update the gh workflow to pin clang-format to version 21.
Mention the version we use in CONTRIBUTING.md.
And hint to the workflow file if we want to change it.
Move the `make doublecheck` functionality into a build system agnostic
script.
`scripts/quality-check.sh` can now be used to check for spelling via
codespell, formatting clang-format and run the unit tests.
`make doublecheck` and `meson compile doublecheck` will call this
script.
Sometimes we have issues with different versions of clang-format locally
vs our CI. In this case SKIP_FORMAT env variable can be set.
Use a behavior-driven naming convention for unit tests.
Functions are now named using the pattern: [unit]__[verb]__[scenario]
The __ works as a semantic separator.
Examples:
* jid_create__returns__null_from_null()
* cmd_connect__shows__usage_when_no_server_value
Benefits:
* Easy to find all tests associated with a specific function using the
mandatory prefix.
* Test output in CI now explicitly describes the unit, the expected
outcome, and the scenario being tested.
Also disabled keyhandlers tests due to missing code in src/ui.
For example cmd_account() is located in src/command/cmd_funcs.c.
The unit test was located in tests/unittests/test_cmd_account.c.
Let's move it to a subdirectory like tests/unittests/command/test_cmd_account.c
to correpsond to the same structure.
Let's build with -fanalyzer in debug mode.
These commits are related to issues found by gccs static analyzer.
Also bulid with -fstack-protector-strong compiler flag.
This flag adds a canary to stack frames, causing the program to terminate immediately if stack corruption is detected.
This helps identify memory safety bugs earlier during development by
turning silent corruption into an immediate crash.
* _rotate_log_file(): guard against NULL mainlogfile before g_strdup/strlen
* log_stderr_init(): move dup2 after malloc checks to avoid fd leak on
allocation failure.
Also remove explicit close(STDERR_FILENO) before dup2
since dup2 closes the target atomically. Close the fd returned by
dup2 immediately.
We were sequentially checking for errors from 'curl_easy_perform',
'ftell', and 'fclose'. Each time overwriting the last one, resulting in
a leak. This commit ensures that 'err' is only set if it is currently
NULL, preserving the first and most specific error encountered.
`userdata` was not freed if a handler could not be registered.
This occurs when the 'id' parameter is NULL. In such cases, the
handler cannot be stored in the 'id_handlers' table, but ownership
of 'userdata' has already been transferred to this function. This
commit ensures 'free_func' is called if 'id' is NULL since we always
need to have an ID.
recp elements were accessed without verifying the success of
_ox_key_lookup().
Also fix several memory leaks.
gpgme_data_new() followed 'gpgme_data_new_from_mem' was redundant.
Usually we use `/help command`. Additionally there is a shortcut
`/comamnd?`. 54fea4afcf tried to introduce
to have `/command help`. Which doesn't really work since most commands
get this as parameters. So it never worked. Additionally it introduced
at segfault because it tried to set *question_mark to NULL even we can
also get there without the `?` but by having the `help` as parameter.
Modernize the /export command implementation by adopting GLib-based
patterns for string manipulation and file handling.
* Replace _writecsv with _append_csv_escaped to efficiently handle CSV
quote doubling directly within a GString buffer
* Refactor cmd_export to build the CSV content in memory using GString,
minimizing system calls
* Use g_file_set_contents for atomic writing
* Cache strlen() result
* Check for malloc() failure to prevent null pointer dereference
* Ensure the output buffer is null-terminated for safe use with cons_show()
* Simplify the quote escaping logic for better readability.
Make get_random_string() return a gchar*.
This is part of the effort to migrate string declarations and
allocations from char to gchar, replacing standard C allocators
(malloc/calloc/strdup) with their glib equivalents
(g_malloc/g_new0/g_strdup).
The primary goal is to prevent mismatched allocator bugs. While char and
gchar are binary compatible, mixing their respective deallocators is
dangerous:
* Freeing malloc'd memory with g_free() (or vice versa) can lead to
memory corruption, double-frees, or crashes.
* This is seems to be the case especiall on non Linux platforms or when
using hardened memory allocators where the GLib slice allocator or
wrappers may differ from the system heap.
By standardizing on gchar, we ensure that our automatic cleanup macros
(like auto_gchar) always invoke the correct deallocator (g_free).
Migrate structure allocations from calloc to glibs g_new0 macro to
improve type safety and memory robustness.
* Type Safety: The macro takes the type name directly, ensuring the
allocated size always matches the pointer type.
* Static Analysis: It guarantees a non-NULL return by aborting on
failure, which silences -fanalyzer warnings regarding potential NULL
pointer dereferences.
* Readability: Removes redundant sizeof() calls and is the glib way
Enable gccs static analyzer to detect memory bugs at compile-time. This
validates our __attribute__((__cleanup__)) macros and improves security
when parsing external XMPP data with zero runtime overhead.
Add security hardening via _FORTIFY_SOURCE=2 and switch to -Og to
provide the necessary optimization for these checks while remaining
debugger friendly.
The goal is to catch many buffer overflows and format string errors
at compile-time or runtime.
-Og may occasionally optimize out very short-lived
local variables, making them invisible in the debugger.
So i'm not sure this is a very good idea. But I hope that we will find
bugs earlier and don't even need to debug that often. We might revert
this change later though in case we run into problems too often.
I'm not aware of any other downsides.