Merge bitcoin/bitcoin#34375: doc: mempool: fix removeUnchecked incorrect comment

1137debb85 doc: mempool: fix  `removeUnchecked` incorrect comment (ismaelsadeeq)

Pull request description:

  `CTxMemPool::removeUnchecked` description comment is stale and incorrect; the behaviour being described no longer applies in the post-cluster world.  This PR is a simple fix that attempts to correctly describe what is being done in removeUnchecked.

ACKs for top commit:
  instagibbs:
    ACK 1137debb85
  sipa:
    ACK 1137debb85

Tree-SHA512: e410be57a83df50df01fcd6d7b07d08f0fe5a2abd229974f1ad269bb2e301608fd0d3912af349e2971f9a8abdbaa8e90c46d4832ec7b6858639642742b31a618

.cirrus.yml

@@ -1,214 +0,0 @@
-env:  # Global defaults
-  CIRRUS_CLONE_DEPTH: 1
-  CIRRUS_LOG_TIMESTAMP: true
-  MAKEJOBS: "-j10"
-  TEST_RUNNER_PORT_MIN: "14000"  # Must be larger than 12321, which is used for the http cache. See https://cirrus-ci.org/guide/writing-tasks/#http-cache
-  CI_FAILFAST_TEST_LEAVE_DANGLING: "1"  # Cirrus CI does not care about dangling processes and setting this variable avoids killing the CI script itself on error
-
-# A self-hosted machine(s) can be used via Cirrus CI. It can be configured with
-# multiple users to run tasks in parallel. No sudo permission is required.
-#
-# https://cirrus-ci.org/guide/persistent-workers/
-#
-# Generally, a persistent worker must run Ubuntu 23.04+ or Debian 12+.
-#
-# The following specific types should exist, with the following requirements:
-# - small: For an x86_64 machine, with at least 2 vCPUs and 8 GB of memory.
-# - medium: For an x86_64 machine, with at least 4 vCPUs and 16 GB of memory.
-# - arm64: For an aarch64 machine, with at least 2 vCPUs and 8 GB of memory.
-#
-# CI jobs for the latter configuration can be run on x86_64 hardware
-# by installing qemu-user-static, which works out of the box with
-# podman or docker. Background: https://stackoverflow.com/a/72890225/313633
-#
-# The above machine types are matched to each task by their label. Refer to the
-# Cirrus CI docs for more details.
-#
-# When a contributor maintains a fork of the repo, any pull request they make
-# to their own fork, or to the main repository, will trigger two CI runs:
-# one for the branch push and one for the pull request.
-# This can be avoided by setting SKIP_BRANCH_PUSH=true as a custom env variable
-# in Cirrus repository settings, accessible from
-# https://cirrus-ci.com/github/my-organization/my-repository
-#
-# On machines that are persisted between CI jobs, RESTART_CI_DOCKER_BEFORE_RUN=1
-# ensures that previous containers and artifacts are cleared before each run.
-# This requires installing Podman instead of Docker.
-#
-# Futhermore:
-# - podman-docker-4.1+ is required due to the bugfix in 4.1
-#   (https://github.com/bitcoin/bitcoin/pull/21652#issuecomment-1657098200)
-# - The ./ci/ dependencies (with cirrus-cli) should be installed. One-liner example
-#   for a single user setup with sudo permission:
-#
-#   ```
-#   apt update && apt install git screen python3 bash podman-docker uidmap slirp4netns curl -y && curl -L -o cirrus "https://github.com/cirruslabs/cirrus-cli/releases/latest/download/cirrus-linux-$(dpkg --print-architecture)" && mv cirrus /usr/local/bin/cirrus && chmod +x /usr/local/bin/cirrus
-#   ```
-#
-# - There are no strict requirements on the hardware. Having fewer CPU threads
-#   than recommended merely causes the CI script to run slower.
-#   To avoid rare and intermittent OOM due to short memory usage spikes,
-#   it is recommended to add (and persist) swap:
-#
-#   ```
-#   fallocate -l 16G /swapfile_ci && chmod 600 /swapfile_ci && mkswap /swapfile_ci && swapon /swapfile_ci && ( echo '/swapfile_ci none swap sw 0 0' | tee -a /etc/fstab )
-#   ```
-#
-# - To register the persistent worker, open a `screen` session and run:
-#
-#   ```
-#   RESTART_CI_DOCKER_BEFORE_RUN=1 screen cirrus worker run --labels type=todo_fill_in_type --token todo_fill_in_token
-#   ```
-
-# https://cirrus-ci.org/guide/tips-and-tricks/#sharing-configuration-between-tasks
-filter_template: &FILTER_TEMPLATE
-  # Allow forks to specify SKIP_BRANCH_PUSH=true and skip CI runs when a branch is pushed,
-  # but still run CI when a PR is created.
-  # https://cirrus-ci.org/guide/writing-tasks/#conditional-task-execution
-  skip: $SKIP_BRANCH_PUSH == "true" && $CIRRUS_PR == ""
-  stateful: false  # https://cirrus-ci.org/guide/writing-tasks/#stateful-tasks
-
-base_template: &BASE_TEMPLATE
-  << : *FILTER_TEMPLATE
-  merge_base_script:
-    # Require git (used in fingerprint_script).
-    - git --version || ( apt-get update && apt-get install -y git )
-    - if [ "$CIRRUS_PR" = "" ]; then exit 0; fi
-    - git fetch --depth=1 $CIRRUS_REPO_CLONE_URL "pull/${CIRRUS_PR}/merge"
-    - git checkout FETCH_HEAD  # Use merged changes to detect silent merge conflicts
-                               # Also, the merge commit is used to lint COMMIT_RANGE="HEAD~..HEAD"
-
-main_template: &MAIN_TEMPLATE
-  timeout_in: 120m  # https://cirrus-ci.org/faq/#instance-timed-out
-  ci_script:
-    - ./ci/test_run_all.sh
-
-global_task_template: &GLOBAL_TASK_TEMPLATE
-  << : *BASE_TEMPLATE
-  << : *MAIN_TEMPLATE
-
-compute_credits_template: &CREDITS_TEMPLATE
-  # https://cirrus-ci.org/pricing/#compute-credits
-  # Only use credits for pull requests to the main repo
-  use_compute_credits: $CIRRUS_REPO_FULL_NAME == 'bitcoin/bitcoin' && $CIRRUS_PR != ""
-
-task:
-  name: 'lint'
-  << : *BASE_TEMPLATE
-  container:
-    image: debian:bookworm
-    cpu: 1
-    memory: 1G
-  # For faster CI feedback, immediately schedule the linters
-  << : *CREDITS_TEMPLATE
-  test_runner_cache:
-    folder: "/lint_test_runner"
-    fingerprint_script: echo $CIRRUS_TASK_NAME $(git rev-parse HEAD:test/lint/test_runner)
-  python_cache:
-    folder: "/python_build"
-    fingerprint_script: cat .python-version /etc/os-release
-  unshallow_script:
-    - git fetch --unshallow --no-tags
-  lint_script:
-    - ./ci/lint_run_all.sh
-
-task:
-  name: 'tidy'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: medium
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_native_tidy.sh"
-
-task:
-  name: 'ARM, unit tests, no functional tests'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: arm64  # Use arm64 worker to sidestep qemu and avoid a slow CI: https://github.com/bitcoin/bitcoin/pull/28087#issuecomment-1649399453
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_arm.sh"
-
-task:
-  name: 'Win64-cross'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: small
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_win64.sh"
-
-task:
-  name: 'CentOS, depends, gui'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: small
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_native_centos.sh"
-
-task:
-  name: 'previous releases, depends DEBUG'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: small
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_native_previous_releases.sh"
-
-task:
-  name: 'TSan, depends, gui'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: medium
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_native_tsan.sh"
-
-task:
-  name: 'MSan, depends'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: small
-  timeout_in: 300m  # Use longer timeout for the *rare* case where a full build (llvm + msan + depends + ...) needs to be done.
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_native_msan.sh"
-
-task:
-  name: 'fuzzer,address,undefined,integer, no depends'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: medium
-  timeout_in: 240m  # larger timeout, due to the high CPU demand
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_native_fuzz.sh"
-
-task:
-  name: 'multiprocess, i686, DEBUG'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: medium
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_i686_multiprocess.sh"
-
-task:
-  name: 'no wallet, libbitcoinkernel'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: small
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_native_nowallet_libbitcoinkernel.sh"
-
-task:
-  name: 'macOS-cross, gui, no tests'
-  << : *GLOBAL_TASK_TEMPLATE
-  persistent_worker:
-    labels:
-      type: small
-  env:
-    FILE_ENV: "./ci/test/00_setup_env_mac_cross.sh"

.github/ISSUE_TEMPLATE/bug.yml

@@ -78,7 +78,7 @@ body:
     id: os
     attributes:
       label: Operating system and version
-      placeholder: e.g. "MacOS Ventura 13.2" or "Ubuntu 22.04 LTS"
+      placeholder: e.g. "MacOS 26.0" or "Ubuntu 26.04 LTS"
     validations:
       required: true
   - type: textarea
@@ -90,4 +90,3 @@ body:
         e.g. OS/CPU and disk type, network connectivity
     validations:
       required: false
-

.github/ISSUE_TEMPLATE/good_first_issue.yml

@@ -28,7 +28,7 @@ body:
     id: useful-skills
     attributes:
       label: Useful Skills
-      description: For example, “`std::thread`”, “Qt5 GUI and async GUI design” or “basic understanding of Bitcoin mining and the Bitcoin Core RPC interface”.
+      description: For example, “`std::thread`”, “Qt6 GUI and async GUI design” or “basic understanding of Bitcoin mining and the Bitcoin Core RPC interface”.
       value: |
         * Compiling Bitcoin Core from source
         * Running the C++ unit tests and the Python functional tests

.github/actions/clear-files/action.yml

@@ -0,0 +1,12 @@
+name: 'Clear unnecessary files'
+description: 'Clear out unnecessary files to make space on the VM'
+runs:
+  using: 'composite'
+  steps:
+    - name: Clear unnecessary files
+      shell: bash
+      env:
+        DEBIAN_FRONTEND: noninteractive
+      run: |
+        set +o errexit
+        sudo bash -c '(ionice -c 3 nice -n 19 rm -rf /usr/share/dotnet/ /usr/local/graalvm/ /usr/local/.ghcup/ /usr/local/share/powershell /usr/local/share/chromium /usr/local/lib/android /usr/local/lib/node_modules)&'

.github/actions/configure-docker/action.yml

@@ -0,0 +1,63 @@
+name: 'Configure Docker'
+description: 'Set up Docker build driver and configure build cache args'
+inputs:
+  cache-provider:
+    description: 'gha or cirrus cache provider'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - name: Check inputs
+      shell: python
+      run: |
+        # We expect only gha or cirrus as inputs to cache-provider
+        if "${{ inputs.cache-provider }}" not in ("gha", "cirrus"):
+          print("::warning title=Unknown input to configure docker action::Provided value was ${{ inputs.cache-provider }}")
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+      with:
+        # Use host network to allow access to cirrus gha cache running on the host
+        driver-opts: |
+          network=host
+
+    # This is required to allow buildkit to access the actions cache
+    - name: Expose actions cache variables
+      uses: actions/github-script@v6
+      with:
+        script: |
+          Object.keys(process.env).forEach(function (key) {
+            if (key.startsWith('ACTIONS_')) {
+              core.info(`Exporting ${key}`);
+              core.exportVariable(key, process.env[key]);
+            }
+          });
+
+    - name: Construct docker build cache args
+      shell: bash
+      run: |
+        # Configure docker build cache backend
+        #
+        # On forks the gha cache will work but will use Github's cache backend.
+        # Docker will check for variables $ACTIONS_CACHE_URL, $ACTIONS_RESULTS_URL and $ACTIONS_RUNTIME_TOKEN
+        # which are set automatically when running on GitHub infra: https://docs.docker.com/build/cache/backends/gha/#synopsis
+
+        # Use cirrus cache host
+        if [[ ${{ inputs.cache-provider }} == 'cirrus' ]]; then
+          url_args="url=${CIRRUS_CACHE_HOST},url_v2=${CIRRUS_CACHE_HOST}"
+        else
+          url_args=""
+        fi
+
+        # Always optimistically --cache‑from in case a cache blob exists
+        args=(--cache-from "type=gha${url_args:+,${url_args}},scope=${CONTAINER_NAME}")
+
+        # Only add --cache-to when using the Cirrus cache provider and pushing to the default branch.
+        if [[ ${{ inputs.cache-provider }} == 'cirrus' && ${{ github.event_name }} == "push" && ${{ github.ref_name }} == ${{ github.event.repository.default_branch }} ]]; then
+          args+=(--cache-to "type=gha${url_args:+,${url_args}},mode=max,ignore-error=true,scope=${CONTAINER_NAME}")
+        fi
+
+        # Always `--load` into docker images (needed when using the `docker-container` build driver).
+        args+=(--load)
+
+        echo "DOCKER_BUILD_CACHE_ARG=${args[*]}" >> $GITHUB_ENV

.github/actions/configure-environment/action.yml

@@ -0,0 +1,27 @@
+name: 'Configure environment'
+description: 'Configure CI, cache and container name environment variables'
+runs:
+  using: 'composite'
+  steps:
+    - name: Set CI and cache directories
+      shell: bash
+      run: |
+        echo "BASE_ROOT_DIR=${{ runner.temp }}" >> "$GITHUB_ENV"
+        echo "BASE_BUILD_DIR=${{ runner.temp }}/build" >> "$GITHUB_ENV"
+        echo "CCACHE_DIR=${{ runner.temp }}/ccache_dir" >> $GITHUB_ENV
+        echo "DEPENDS_DIR=${{ runner.temp }}/depends" >> "$GITHUB_ENV"
+        echo "BASE_CACHE=${{ runner.temp }}/depends/built" >> $GITHUB_ENV
+        echo "SOURCES_PATH=${{ runner.temp }}/depends/sources" >> $GITHUB_ENV
+        echo "PREVIOUS_RELEASES_DIR=${{ runner.temp }}/previous_releases" >> $GITHUB_ENV
+
+    - name: Set cache hashes
+      shell: bash
+      run: |
+        echo "DEPENDS_HASH=$(git ls-tree HEAD depends "$FILE_ENV" | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
+        echo "PREVIOUS_RELEASES_HASH=$(git ls-tree HEAD test/get_previous_releases.py | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
+
+    - name: Get container name
+      shell: bash
+      run: |
+        source $FILE_ENV
+        echo "CONTAINER_NAME=$CONTAINER_NAME" >> "$GITHUB_ENV"

.github/actions/restore-caches/action.yml

@@ -0,0 +1,47 @@
+name: 'Restore Caches'
+description: 'Restore ccache, depends sources, and built depends caches'
+runs:
+  using: 'composite'
+  steps:
+    - name: Restore Ccache cache
+      id: ccache-cache
+      uses: cirruslabs/cache/restore@v4
+      with:
+        path: ${{ env.CCACHE_DIR }}
+        key: ccache-${{ env.CONTAINER_NAME }}-${{ github.run_id }}
+        restore-keys: |
+          ccache-${{ env.CONTAINER_NAME }}-
+
+    - name: Restore depends sources cache
+      id: depends-sources
+      uses: cirruslabs/cache/restore@v4
+      with:
+        path: ${{ env.SOURCES_PATH }}
+        key: depends-sources-${{ env.CONTAINER_NAME }}-${{ env.DEPENDS_HASH }}
+        restore-keys: |
+          depends-sources-${{ env.CONTAINER_NAME }}-
+
+    - name: Restore built depends cache
+      id: depends-built
+      uses: cirruslabs/cache/restore@v4
+      with:
+        path: ${{ env.BASE_CACHE }}
+        key: depends-built-${{ env.CONTAINER_NAME }}-${{ env.DEPENDS_HASH }}
+        restore-keys: |
+          depends-built-${{ env.CONTAINER_NAME }}-
+
+    - name: Restore previous releases cache
+      id: previous-releases
+      uses: cirruslabs/cache/restore@v4
+      with:
+        path: ${{ env.PREVIOUS_RELEASES_DIR }}
+        key: previous-releases-${{ env.CONTAINER_NAME }}-${{ env.PREVIOUS_RELEASES_HASH }}
+        restore-keys: |
+          previous-releases-${{ env.CONTAINER_NAME }}-
+
+    - name: export cache hits
+      shell: bash
+      run: |
+        echo "depends-sources-cache-hit=${{ steps.depends-sources.outputs.cache-hit }}" >> $GITHUB_ENV
+        echo "depends-built-cache-hit=${{ steps.depends-built.outputs.cache-hit }}" >> $GITHUB_ENV
+        echo "previous-releases-cache-hit=${{ steps.previous-releases.outputs.cache-hit }}" >> $GITHUB_ENV

.github/actions/save-caches/action.yml

@@ -0,0 +1,39 @@
+name: 'Save Caches'
+description: 'Save ccache, depends sources, and built depends caches'
+runs:
+  using: 'composite'
+  steps:
+    - name: debug cache hit inputs
+      shell: bash
+      run: |
+        echo "depends sources direct cache hit to primary key: ${{ env.depends-sources-cache-hit }}"
+        echo "depends built direct cache hit to primary key: ${{ env.depends-built-cache-hit }}"
+        echo "previous releases direct cache hit to primary key: ${{ env.previous-releases-cache-hit }}"
+
+    - name: Save Ccache cache
+      uses: cirruslabs/cache/save@v4
+      if: ${{ (github.event_name == 'push') && (github.ref_name == github.event.repository.default_branch) }}
+      with:
+        path: ${{ env.CCACHE_DIR }}
+        key: ccache-${{ env.CONTAINER_NAME }}-${{ github.run_id }}
+
+    - name: Save depends sources cache
+      uses: cirruslabs/cache/save@v4
+      if: ${{ (github.event_name == 'push') && (github.ref_name == github.event.repository.default_branch) && (env.depends-sources-cache-hit != 'true') }}
+      with:
+        path: ${{ env.SOURCES_PATH }}
+        key: depends-sources-${{ env.CONTAINER_NAME }}-${{ env.DEPENDS_HASH }}
+
+    - name: Save built depends cache
+      uses: cirruslabs/cache/save@v4
+      if: ${{ (github.event_name == 'push') && (github.ref_name == github.event.repository.default_branch) && (env.depends-built-cache-hit != 'true' )}}
+      with:
+        path: ${{ env.BASE_CACHE }}
+        key: depends-built-${{ env.CONTAINER_NAME }}-${{ env.DEPENDS_HASH }}
+
+    - name: Save previous releases cache
+      uses: cirruslabs/cache/save@v4
+      if: ${{ (github.event_name == 'push') && (github.ref_name == github.event.repository.default_branch) && (env.previous-releases-cache-hit != 'true' )}}
+      with:
+        path: ${{ env.PREVIOUS_RELEASES_DIR }}
+        key: previous-releases-${{ env.CONTAINER_NAME }}-${{ env.PREVIOUS_RELEASES_HASH }}

.github/ci-lint-exec.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+# Copyright (c) The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or https://opensource.org/license/mit.
+
+import os
+import shlex
+import subprocess
+import sys
+import time
+
+
+def run(cmd, **kwargs):
+    print("+ " + shlex.join(cmd), flush=True)
+    kwargs.setdefault("check", True)
+    try:
+        return subprocess.run(cmd, **kwargs)
+    except Exception as e:
+        sys.exit(e)
+
+
+def main():
+    CONTAINER_NAME = os.environ["CONTAINER_NAME"]
+
+    build_cmd = [
+        "docker", "buildx", "build",
+        f"--tag={CONTAINER_NAME}",
+        *shlex.split(os.getenv("DOCKER_BUILD_CACHE_ARG", "")),
+        "--file=./ci/lint_imagefile",
+        "."
+    ]
+
+    if run(build_cmd, check=False).returncode != 0:
+        print("Retry building image tag after failure")
+        time.sleep(3)
+        run(build_cmd)
+
+    extra_env = []
+    if os.environ["GITHUB_EVENT_NAME"] == "pull_request":
+        extra_env = ["--env", "LINT_CI_IS_PR=1"]
+    if os.environ["GITHUB_EVENT_NAME"] != "pull_request" and os.environ["GITHUB_REPOSITORY"] == "bitcoin/bitcoin":
+        extra_env = ["--env", "LINT_CI_SANITY_CHECK_COMMIT_SIG=1"]
+
+    run([
+        "docker",
+        "run",
+        "--rm",
+        *extra_env,
+        f"--volume={os.getcwd()}:/bitcoin",
+        CONTAINER_NAME,
+    ])
+
+
+if __name__ == "__main__":
+    main()

.github/ci-test-each-commit-exec.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+# Copyright (c) The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or https://opensource.org/license/mit/.
+
+import subprocess
+import sys
+import shlex
+
+
+def run(cmd, **kwargs):
+    print("+ " + shlex.join(cmd), flush=True)
+    try:
+        return subprocess.run(cmd, check=True, **kwargs)
+    except Exception as e:
+        sys.exit(e)
+
+
+def main():
+    print("Running tests on commit ...")
+    run(["git", "log", "-1"])
+
+    num_procs = int(run(["nproc"], stdout=subprocess.PIPE).stdout)
+    build_dir = "ci_build"
+
+    run([
+        "cmake",
+        "-B",
+        build_dir,
+        "-Werror=dev",
+        # Use clang++, because it is a bit faster and uses less memory than g++
+        "-DCMAKE_C_COMPILER=clang",
+        "-DCMAKE_CXX_COMPILER=clang++",
+        # Use mold, because it is faster than the default linker
+        "-DCMAKE_EXE_LINKER_FLAGS=-fuse-ld=mold",
+        # Use Debug build type for more debug checks, but enable optimizations
+        "-DAPPEND_CXXFLAGS='-O3 -g2'",
+        "-DAPPEND_CFLAGS='-O3 -g2'",
+        "-DCMAKE_BUILD_TYPE=Debug",
+        "-DWERROR=ON",
+        "--preset=dev-mode",
+        # Tolerate unused member functions in intermediate commits in a pull request
+        "-DCMAKE_CXX_FLAGS=-Wno-error=unused-member-function",
+    ])
+    run(["cmake", "--build", build_dir, "-j", str(num_procs)])
+    run([
+        "ctest",
+        "--output-on-failure",
+        "--stop-on-failure",
+        "--test-dir",
+        build_dir,
+        "-j",
+        str(num_procs),
+    ])
+    run([
+        sys.executable,
+        f"./{build_dir}/test/functional/test_runner.py",
+        "-j",
+        str(num_procs * 2),
+        "--combinedlogslen=99999999",
+    ])
+
+
+if __name__ == "__main__":
+    main()

.github/workflows/ci.yml

@@ -1,6 +1,6 @@
 # Copyright (c) 2023-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+# file COPYING or https://opensource.org/license/mit.
 
 name: CI
 on:
@@ -19,20 +19,54 @@ concurrency:
 
 env:
   CI_FAILFAST_TEST_LEAVE_DANGLING: 1  # GHA does not care about dangling processes and setting this variable avoids killing the CI script itself on error
-  MAKEJOBS: '-j10'
+  CIRRUS_CACHE_HOST: http://127.0.0.1:12321/ # When using Cirrus Runners this host can be used by the docker `gha` build cache type.
+  REPO_USE_CIRRUS_RUNNERS: 'bitcoin/bitcoin' # Use cirrus runners and cache for this repo, instead of falling back to the slow GHA runners
+
+defaults:
+  run:
+    # Enforce fail-fast behavior for all platforms.
+    # See: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+    shell: bash
 
 jobs:
+  runners:
+    name: '[meta] determine runners'
+    runs-on: ubuntu-latest
+    outputs:
+      provider: ${{ steps.runners.outputs.provider }}
+    steps:
+      - &ANNOTATION_PR_NUMBER
+        name: Annotate with pull request number
+        # This annotation is machine-readable and can be used to assign a check
+        # run to its corresponding pull request. Running in all check runs is
+        # required, because check re-runs discard the annotations of other
+        # tasks in the test suite.
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo "::notice title=debug_pull_request_number_str::${{ github.event.number }}"
+          fi
+      - id: runners
+        run: |
+          if [[ "${REPO_USE_CIRRUS_RUNNERS}" == "${{ github.repository }}" ]]; then
+            echo "provider=cirrus" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Runner Selection::Using Cirrus Runners"
+          else
+            echo "provider=gha" >> "$GITHUB_OUTPUT"
+            echo "::notice title=Runner Selection::Using GitHub-hosted runners"
+          fi
+
   test-each-commit:
-    name: 'test each commit'
+    name: 'test max 6 ancestor commits'
     runs-on: ubuntu-24.04
     if: github.event_name == 'pull_request' && github.event.pull_request.commits != 1
     timeout-minutes: 360  # Use maximum time, see https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes. Assuming a worst case time of 1 hour per commit, this leads to a --max-count=6 below.
     env:
-      MAX_COUNT: 6
+      MAX_COUNT: 6  # Keep in sync with name above
     steps:
       - name: Determine fetch depth
         run: echo "FETCH_DEPTH=$((${{ github.event.pull_request.commits }} + 2))" >> "$GITHUB_ENV"
-      - uses: actions/checkout@v4
+      - *ANNOTATION_PR_NUMBER
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: ${{ env.FETCH_DEPTH }}
@@ -65,20 +99,24 @@ jobs:
             EXCLUDE_MERGE_BASE_ANCESTORS=^${MERGE_BASE}^@
           fi
           echo "TEST_BASE=$(git rev-list -n$((${{ env.MAX_COUNT }} + 1)) --reverse HEAD $EXCLUDE_MERGE_BASE_ANCESTORS | head -1)" >> "$GITHUB_ENV"
+      - run: |
+          git fetch origin "${GITHUB_BASE_REF}"
+          git config user.email "ci@example.com"
+          git config user.name "CI"
       - run: |
           sudo apt-get update
-          sudo apt-get install clang ccache build-essential cmake pkgconf python3-zmq libevent-dev libboost-dev libsqlite3-dev libdb++-dev systemtap-sdt-dev libzmq3-dev qtbase5-dev qttools5-dev qttools5-dev-tools qtwayland5 libqrencode-dev -y
+          sudo apt-get install clang mold ccache build-essential cmake ninja-build pkgconf python3-zmq libevent-dev libboost-dev libsqlite3-dev systemtap-sdt-dev libzmq3-dev qt6-base-dev qt6-tools-dev qt6-l10n-tools libqrencode-dev capnproto libcapnp-dev -y
+          sudo pip3 install --break-system-packages pycapnp
       - name: Compile and run tests
         run: |
           # Run tests on commits after the last merge commit and before the PR head commit
-          # Use clang++, because it is a bit faster and uses less memory than g++
-          git rebase --exec "echo Running test-one-commit on \$( git log -1 ) && CC=clang CXX=clang++ cmake -B build -DWERROR=ON -DWITH_ZMQ=ON -DBUILD_GUI=ON -DBUILD_BENCH=ON -DBUILD_FUZZ_BINARY=ON -DWITH_BDB=ON -DWITH_USDT=ON -DCMAKE_CXX_FLAGS='-Wno-error=unused-member-function' && cmake --build build -j $(nproc) && ctest --output-on-failure --stop-on-failure --test-dir build -j $(nproc) && ./build/test/functional/test_runner.py -j $(( $(nproc) * 2 )) --combinedlogslen=99999999" ${{ env.TEST_BASE }}
+          git rebase --exec "git merge --no-commit origin/${GITHUB_BASE_REF} && python3 ./.github/ci-test-each-commit-exec.py && git reset --hard" ${{ env.TEST_BASE }}
 
   macos-native-arm64:
     name: ${{ matrix.job-name }}
     # Use any image to support the xcode-select below, but hardcode version to avoid silent upgrades (and breaks).
     # See: https://github.com/actions/runner-images#available-images.
-    runs-on: macos-14
+    runs-on: macos-15
 
     # When a contributor maintains a fork of the repo, any pull request they make
     # to their own fork, or to the main repository, will trigger two CI runs:
@@ -96,26 +134,32 @@ jobs:
         include:
           - job-type: standard
             file-env: './ci/test/00_setup_env_mac_native.sh'
-            job-name: 'macOS 14 native, arm64, no depends, sqlite only, gui'
+            job-name: 'macOS native'
           - job-type: fuzz
             file-env: './ci/test/00_setup_env_mac_native_fuzz.sh'
-            job-name: 'macOS 14 native, arm64, fuzz'
+            job-name: 'macOS native, fuzz'
 
     env:
       DANGER_RUN_CI_ON_HOST: 1
-      BASE_ROOT_DIR: ${{ github.workspace }}
+      BASE_ROOT_DIR: ${{ github.workspace }}/repo_archive
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - *ANNOTATION_PR_NUMBER
+
+      - &CHECKOUT
+        name: Checkout
+        uses: actions/checkout@v6
+        with:
+          # Ensure the latest merged pull request state is used, even on re-runs.
+          ref: &CHECKOUT_REF_TMPL ${{ github.event_name == 'pull_request' && github.ref || '' }}
 
       - name: Clang version
         run: |
-          # Use the earliest Xcode supported by the version of macOS denoted in
+          # Use the latest Xcode supported by the version of macOS denoted in
           # doc/release-notes-empty-template.md and providing at least the
           # minimum clang version denoted in doc/dependencies.md.
-          # See: https://developer.apple.com/documentation/xcode-release-notes/xcode-15-release-notes
-          sudo xcode-select --switch /Applications/Xcode_15.0.app
+          # See: https://developer.apple.com/documentation/xcode-release-notes/xcode-16_2-release-notes
+          sudo xcode-select --switch /Applications/Xcode_16.2.app
           clang --version
 
       - name: Install Homebrew packages
@@ -124,7 +168,7 @@ jobs:
         run: |
           # A workaround for "The `brew link` step did not complete successfully" error.
           brew install --quiet python@3 || brew link --overwrite python@3
-          brew install --quiet coreutils ninja pkgconf gnu-getopt ccache boost libevent zeromq qt@5 qrencode
+          brew install --quiet coreutils ninja pkgconf gnu-getopt ccache boost libevent zeromq qt@6 qrencode capnp
 
       - name: Set Ccache directory
         run: echo "CCACHE_DIR=${RUNNER_TEMP}/ccache_dir" >> "$GITHUB_ENV"
@@ -137,23 +181,29 @@ jobs:
           key: ${{ github.job }}-${{ matrix.job-type }}-ccache-${{ github.run_id }}
           restore-keys: ${{ github.job }}-${{ matrix.job-type }}-ccache-
 
+      - name: Create git archive
+        run: |
+          git log -1
+          git archive --format=tar --prefix=repo_archive/ --output=repo.tar HEAD
+          tar -xf repo.tar
+
       - name: CI script
-        run: ./ci/test_run_all.sh
+        run: |
+          cd repo_archive
+          ./ci/test_run_all.sh
         env:
           FILE_ENV: ${{ matrix.file-env }}
 
       - name: Save Ccache cache
         uses: actions/cache/save@v4
-        if: github.event_name != 'pull_request' && steps.ccache-cache.outputs.cache-hit != 'true'
+        if: github.event_name != 'pull_request' && github.ref_name == github.event.repository.default_branch && steps.ccache-cache.outputs.cache-hit != 'true'
         with:
           path: ${{ env.CCACHE_DIR }}
           # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache
           key: ${{ github.job }}-${{ matrix.job-type }}-ccache-${{ github.run_id }}
 
-  win64-native:
+  windows-native-dll:
     name: ${{ matrix.job-name }}
-    # Use latest image, but hardcode version to avoid silent upgrades (and breaks).
-    # See: https://github.com/actions/runner-images#available-images.
     runs-on: windows-2022
 
     if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
@@ -168,23 +218,30 @@ jobs:
         job-type: [standard, fuzz]
         include:
           - job-type: standard
-            generate-options: '-DBUILD_GUI=ON -DWITH_BDB=ON -DWITH_ZMQ=ON -DBUILD_BENCH=ON -DWERROR=ON'
-            job-name: 'Win64 native, VS 2022'
+            generate-options: '-DBUILD_BENCH=ON -DBUILD_KERNEL_LIB=ON -DBUILD_UTIL_CHAINSTATE=ON -DWERROR=ON'
+            job-name: 'Windows native, VS 2022'
           - job-type: fuzz
-            generate-options: '-DVCPKG_MANIFEST_NO_DEFAULT_FEATURES=ON -DVCPKG_MANIFEST_FEATURES="sqlite" -DBUILD_GUI=OFF -DBUILD_FOR_FUZZING=ON -DWERROR=ON'
-            job-name: 'Win64 native fuzz, VS 2022'
+            generate-options: '-DVCPKG_MANIFEST_NO_DEFAULT_FEATURES=ON -DVCPKG_MANIFEST_FEATURES="wallet" -DBUILD_GUI=OFF -DWITH_ZMQ=OFF -DBUILD_FOR_FUZZING=ON -DWERROR=ON'
+            job-name: 'Windows native, fuzz, VS 2022'
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - *ANNOTATION_PR_NUMBER
 
-      - name: Configure Developer Command Prompt for Microsoft Visual C++
-        # Using microsoft/setup-msbuild is not enough.
-        uses: ilammy/msvc-dev-cmd@v1
-        with:
-          arch: x64
+      - *CHECKOUT
+
+      - &SET_UP_VS
+        name: Set up VS Developer Prompt
+        shell: pwsh -Command "$PSVersionTable; $PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'Stop'; & '{0}'"
+        run: |
+          $vswherePath = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
+          $installationPath = & $vswherePath -latest -property installationPath
+          & "${env:COMSPEC}" /s /c "`"$installationPath\Common7\Tools\vsdevcmd.bat`" -arch=x64 -no_logo && set" | foreach-object {
+            $name, $value = $_ -split '=', 2
+            echo "$name=$value" >> $env:GITHUB_ENV
+          }
 
       - name: Get tool information
+        shell: pwsh
         run: |
           cmake -version | Tee-Object -FilePath "cmake_version"
           Write-Output "---"
@@ -192,15 +249,16 @@ jobs:
           $env:VCToolsVersion | Tee-Object -FilePath "toolset_version"
           py -3 --version
           Write-Host "PowerShell version $($PSVersionTable.PSVersion.ToString())"
+          bash --version
 
       - name: Using vcpkg with MSBuild
         run: |
-          Set-Location "$env:VCPKG_INSTALLATION_ROOT"
-          Add-Content -Path "triplets\x64-windows.cmake" -Value "set(VCPKG_BUILD_TYPE release)"
-          Add-Content -Path "triplets\x64-windows-static.cmake" -Value "set(VCPKG_BUILD_TYPE release)"
+          echo "set(VCPKG_BUILD_TYPE release)" >> "${VCPKG_INSTALLATION_ROOT}/triplets/x64-windows.cmake"
+          # Workaround for libevent, which requires CMake 3.1 but is incompatible with CMake >= 4.0.
+          sed -i '1s/^/set(ENV{CMAKE_POLICY_VERSION_MINIMUM} 3.5)\n/' "${VCPKG_INSTALLATION_ROOT}/scripts/ports.cmake"
 
       - name: vcpkg tools cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: C:/vcpkg/downloads/tools
           key: ${{ github.job }}-vcpkg-tools
@@ -214,11 +272,11 @@ jobs:
 
       - name: Generate build system
         run: |
-          cmake -B build --preset vs2022-static -DCMAKE_TOOLCHAIN_FILE="$env:VCPKG_INSTALLATION_ROOT\scripts\buildsystems\vcpkg.cmake" ${{ matrix.generate-options }}
+          cmake -B build -Werror=dev --preset vs2022 -DCMAKE_TOOLCHAIN_FILE="${VCPKG_INSTALLATION_ROOT}/scripts/buildsystems/vcpkg.cmake" ${{ matrix.generate-options }}
 
       - name: Save vcpkg binary cache
         uses: actions/cache/save@v4
-        if: github.event_name != 'pull_request' && steps.vcpkg-binary-cache.outputs.cache-hit != 'true' && matrix.job-type == 'standard'
+        if: github.event_name != 'pull_request' && github.ref_name == github.event.repository.default_branch && steps.vcpkg-binary-cache.outputs.cache-hit != 'true' && matrix.job-type == 'standard'
         with:
           path: ~/AppData/Local/vcpkg/archives
           key: ${{ github.job }}-vcpkg-binary-${{ hashFiles('cmake_version', 'msbuild_version', 'toolset_version', 'vcpkg.json') }}
@@ -226,32 +284,58 @@ jobs:
       - name: Build
         working-directory: build
         run: |
-          cmake --build . -j $env:NUMBER_OF_PROCESSORS --config Release
+          cmake --build . -j $NUMBER_OF_PROCESSORS --config Release
+
+      - name: Check executable manifests
+        if: matrix.job-type == 'standard'
+        working-directory: build
+        shell: pwsh -Command "$PSVersionTable; $PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'Stop'; & '{0}'"
+        run: |
+          mt.exe -nologo -inputresource:bin\Release\bitcoind.exe -out:bitcoind.manifest
+          Get-Content bitcoind.manifest
+
+          Get-ChildItem -Filter "bin\Release\*.exe" | ForEach-Object {
+            $exeName = $_.Name
+
+            # Skip as they currently do not have manifests
+            if ($exeName -eq "fuzz.exe" -or $exeName -eq "bench_bitcoin.exe" -or $exeName -eq "test_bitcoin-qt.exe" -or $exeName -eq "test_kernel.exe" -or $exeName -eq "bitcoin-chainstate.exe") {
+              Write-Host "Skipping $exeName (no manifest present)"
+              return
+            }
+
+            Write-Host "Checking $exeName"
+            & mt.exe -nologo -inputresource:$_.FullName -validate_manifest
+          }
 
       - name: Run test suite
         if: matrix.job-type == 'standard'
         working-directory: build
         run: |
-          ctest --output-on-failure --stop-on-failure -j $env:NUMBER_OF_PROCESSORS -C Release
+          ctest --output-on-failure --stop-on-failure -j $NUMBER_OF_PROCESSORS -C Release
 
       - name: Run functional tests
         if: matrix.job-type == 'standard'
         working-directory: build
         env:
+          BITCOIN_BIN: '${{ github.workspace }}\build\bin\Release\bitcoin.exe'
           BITCOIND: '${{ github.workspace }}\build\bin\Release\bitcoind.exe'
           BITCOINCLI: '${{ github.workspace }}\build\bin\Release\bitcoin-cli.exe'
+          BITCOIN_BENCH: '${{ github.workspace }}\build\bin\Release\bench_bitcoin.exe'
+          BITCOINTX: '${{ github.workspace }}\build\bin\Release\bitcoin-tx.exe'
           BITCOINUTIL: '${{ github.workspace }}\build\bin\Release\bitcoin-util.exe'
           BITCOINWALLET: '${{ github.workspace }}\build\bin\Release\bitcoin-wallet.exe'
+          BITCOINCHAINSTATE: '${{ github.workspace }}\build\bin\Release\bitcoin-chainstate.exe'
           TEST_RUNNER_EXTRA: ${{ github.event_name != 'pull_request' && '--extended' || '' }}
-        shell: cmd
-        run: py -3 test\functional\test_runner.py --jobs %NUMBER_OF_PROCESSORS% --ci --quiet --tmpdirprefix=%RUNNER_TEMP% --combinedlogslen=99999999 --timeout-factor=%TEST_RUNNER_TIMEOUT_FACTOR% %TEST_RUNNER_EXTRA%
+        run: |
+          py -3 -m pip install pyzmq
+          py -3 test/functional/test_runner.py --jobs $NUMBER_OF_PROCESSORS --quiet --tmpdirprefix="${RUNNER_TEMP}" --combinedlogslen=99999999 --timeout-factor=${TEST_RUNNER_TIMEOUT_FACTOR} ${TEST_RUNNER_EXTRA}
 
       - name: Clone corpora
         if: matrix.job-type == 'fuzz'
         run: |
-          git clone --depth=1 https://github.com/bitcoin-core/qa-assets "$env:RUNNER_TEMP\qa-assets"
-          Set-Location "$env:RUNNER_TEMP\qa-assets"
-          Write-Host "Using qa-assets repo from commit ..."
+          git clone --depth=1 https://github.com/bitcoin-core/qa-assets "${RUNNER_TEMP}/qa-assets"
+          cd "${RUNNER_TEMP}/qa-assets"
+          echo "Using qa-assets repo from commit ..."
           git log -1
 
       - name: Run fuzz tests
@@ -259,48 +343,342 @@ jobs:
         working-directory: build
         env:
           BITCOINFUZZ: '${{ github.workspace }}\build\bin\Release\fuzz.exe'
-        shell: cmd
         run: |
-          py -3 test\fuzz\test_runner.py --par %NUMBER_OF_PROCESSORS% --loglevel DEBUG %RUNNER_TEMP%\qa-assets\fuzz_corpora
+          py -3 test/fuzz/test_runner.py --par $NUMBER_OF_PROCESSORS --loglevel DEBUG "${RUNNER_TEMP}/qa-assets/fuzz_corpora"
 
-  asan-lsan-ubsan-integer-no-depends-usdt:
-    name: 'ASan + LSan + UBSan + integer, no depends, USDT'
-    runs-on: ubuntu-24.04 # has to match container in ci/test/00_setup_env_native_asan.sh for tracing tools
-    if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
-    timeout-minutes: 120
-    env:
-      FILE_ENV: "./ci/test/00_setup_env_native_asan.sh"
-      DANGER_CI_ON_HOST_FOLDERS: 1
+  record-frozen-commit:
+    # Record frozen commit, so that the native tests on cross-builds can run on
+    # the exact same commit id of the build.
+    name: '[meta] record frozen commit'
+    runs-on: ubuntu-latest
+    outputs:
+      commit: ${{ steps.record-commit.outputs.commit }}
     steps:
+      - *ANNOTATION_PR_NUMBER
+      - *CHECKOUT
+      - name: Record commit
+        id: record-commit
+        run: echo "commit=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+  windows-cross:
+    name: 'Windows-cross to x86_64, ${{ matrix.crt }}'
+    needs: [runners, record-frozen-commit]
+    runs-on: ${{ needs.runners.outputs.provider == 'cirrus' && 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm' || 'ubuntu-24.04' }}
+    if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        crt: [msvcrt, ucrt]
+        include:
+          - crt: msvcrt
+            file-env: './ci/test/00_setup_env_win64_msvcrt.sh'
+            artifact-name: 'x86_64-w64-mingw32-executables'
+          - crt: ucrt
+            file-env: './ci/test/00_setup_env_win64.sh'
+            artifact-name: 'x86_64-w64-mingw32ucrt-executables'
+
+    env:
+      FILE_ENV: ${{ matrix.file-env }}
+      DANGER_CI_ON_HOST_FOLDERS: 1
+
+    steps:
+      - *ANNOTATION_PR_NUMBER
+
       - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set CI directories
-        run: |
-          echo "CCACHE_DIR=${{ runner.temp }}/ccache_dir" >> "$GITHUB_ENV"
-          echo "BASE_ROOT_DIR=${{ runner.temp }}" >> "$GITHUB_ENV"
-          echo "BASE_BUILD_DIR=${{ runner.temp }}/build-asan" >> "$GITHUB_ENV"
-
-      - name: Restore Ccache cache
-        id: ccache-cache
-        uses: actions/cache/restore@v4
+        uses: actions/checkout@v6
         with:
-          path: ${{ env.CCACHE_DIR }}
-          key: ${{ github.job }}-ccache-${{ github.run_id }}
-          restore-keys: ${{ github.job }}-ccache-
+          ref: ${{ needs.record-frozen-commit.outputs.commit }}
 
-      - name: Enable bpfcc script
-        # In the image build step, no external environment variables are available,
-        # so any settings will need to be written to the settings env file:
-        run: sed -i "s|\${INSTALL_BCC_TRACING_TOOLS}|true|g" ./ci/test/00_setup_env_native_asan.sh
+      - name: Configure environment
+        uses: ./.github/actions/configure-environment
+
+      - name: Restore caches
+        id: restore-cache
+        uses: ./.github/actions/restore-caches
+
+      - name: Configure Docker
+        uses: ./.github/actions/configure-docker
+        with:
+          cache-provider: ${{ needs.runners.outputs.provider }}
 
       - name: CI script
         run: ./ci/test_run_all.sh
 
-      - name: Save Ccache cache
-        uses: actions/cache/save@v4
-        if: github.event_name != 'pull_request' && steps.ccache-cache.outputs.cache-hit != 'true'
+      - name: Save caches
+        uses: ./.github/actions/save-caches
+
+      - name: Upload built executables
+        uses: actions/upload-artifact@v6
         with:
-          path: ${{ env.CCACHE_DIR }}
-          # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache
-          key: ${{ github.job }}-ccache-${{ github.run_id }}
+          name: ${{ matrix.artifact-name }}-${{ github.run_id }}
+          path: |
+            ${{ env.BASE_BUILD_DIR }}/bin/*.dll
+            ${{ env.BASE_BUILD_DIR }}/bin/*.exe
+            ${{ env.BASE_BUILD_DIR }}/src/secp256k1/bin/*.exe
+            ${{ env.BASE_BUILD_DIR }}/src/univalue/*.exe
+            ${{ env.BASE_BUILD_DIR }}/test/config.ini
+
+  windows-native-test:
+    name: 'Windows, ${{ matrix.crt }}, test cross-built'
+    runs-on: windows-2022
+    needs: [windows-cross, record-frozen-commit]
+
+    strategy:
+      fail-fast: false
+      matrix:
+        crt: [msvcrt, ucrt]
+        include:
+          - crt: msvcrt
+            artifact-name: 'x86_64-w64-mingw32-executables'
+          - crt: ucrt
+            artifact-name: 'x86_64-w64-mingw32ucrt-executables'
+
+    env:
+      PYTHONUTF8: 1
+      TEST_RUNNER_TIMEOUT_FACTOR: 40
+
+    steps:
+      - *ANNOTATION_PR_NUMBER
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.record-frozen-commit.outputs.commit }}
+
+      - name: Download built executables
+        uses: actions/download-artifact@v7
+        with:
+          name: ${{ matrix.artifact-name }}-${{ github.run_id }}
+
+      - name: Run bitcoind.exe
+        run: ./bin/bitcoind.exe -version
+
+      - *SET_UP_VS
+
+      - name: Check executable manifests
+        shell: pwsh -Command "$PSVersionTable; $PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'Stop'; & '{0}'"
+        run: |
+          mt.exe -nologo -inputresource:bin\bitcoind.exe -out:bitcoind.manifest
+          Get-Content bitcoind.manifest
+
+          Get-ChildItem -Filter "bin\*.exe" | ForEach-Object {
+            $exeName = $_.Name
+
+            # Skip as they currently do not have manifests
+            if ($exeName -eq "fuzz.exe" -or $exeName -eq "bench_bitcoin.exe" -or $exeName -eq "test_kernel.exe") {
+              Write-Host "Skipping $exeName (no manifest present)"
+              return
+            }
+
+            Write-Host "Checking $exeName"
+            & mt.exe -nologo -inputresource:$_.FullName -validate_manifest
+          }
+
+      - name: Run unit tests
+        # Can't use ctest here like other jobs as we don't have a CMake build tree.
+        run: |
+          ./bin/test_bitcoin-qt.exe
+          ./bin/test_bitcoin.exe -l test_suite  # Intentionally run sequentially here, to catch test case failures caused by dirty global state from prior test cases.
+          ./src/secp256k1/bin/exhaustive_tests.exe
+          ./src/secp256k1/bin/noverify_tests.exe
+          ./src/secp256k1/bin/tests.exe
+          ./src/univalue/object.exe
+          ./src/univalue/unitester.exe
+
+      - name: Adjust paths in test/config.ini
+        shell: pwsh
+        run: |
+          (Get-Content "test/config.ini") -replace '(?<=^SRCDIR=).*', '${{ github.workspace }}' -replace '(?<=^BUILDDIR=).*', '${{ github.workspace }}' -replace '(?<=^RPCAUTH=).*', '${{ github.workspace }}/share/rpcauth/rpcauth.py' | Set-Content "test/config.ini"
+          Get-Content "test/config.ini"
+
+      - name: Set previous release directory
+        run: |
+          echo "PREVIOUS_RELEASES_DIR=${{ runner.temp }}/previous_releases" >> "$GITHUB_ENV"
+
+      - name: Get previous releases
+        run: ./test/get_previous_releases.py --target-dir $PREVIOUS_RELEASES_DIR
+
+      - name: Run functional tests
+        env:
+          TEST_RUNNER_EXTRA: ${{ github.event_name != 'pull_request' && '--extended' || '' }}
+        run: |
+          py -3 -m pip install pyzmq
+          py -3 test/functional/test_runner.py --jobs $NUMBER_OF_PROCESSORS --quiet --tmpdirprefix="$RUNNER_TEMP" --combinedlogslen=99999999 --timeout-factor=$TEST_RUNNER_TIMEOUT_FACTOR $TEST_RUNNER_EXTRA \
+            `# feature_unsupported_utxo_db.py fails on Windows because of emojis in the test data directory.` \
+            --exclude feature_unsupported_utxo_db.py \
+            `# See https://github.com/bitcoin/bitcoin/issues/31409.` \
+            --exclude wallet_multiwallet.py
+          # Run feature_unsupported_utxo_db sequentially in ASCII-only tmp dir,
+          # because it is excluded above due to lack of UTF-8 support in the
+          # ancient release.
+          py -3 test/functional/feature_unsupported_utxo_db.py --previous-releases --tmpdir="${RUNNER_TEMP}/test_feature_unsupported_utxo_db"
+
+  ci-matrix:
+    name: ${{ matrix.name }}
+    needs: runners
+    runs-on: ${{ needs.runners.outputs.provider == 'cirrus' && matrix.cirrus-runner || matrix.fallback-runner }}
+    if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
+    timeout-minutes: ${{ matrix.timeout-minutes }}
+
+    env:
+      DANGER_CI_ON_HOST_FOLDERS: 1
+      FILE_ENV: ${{ matrix.file-env }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: 'iwyu'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_iwyu.sh'
+
+          - name: '32 bit ARM'
+            cirrus-runner: 'ubuntu-24.04-arm' # Cirrus' Arm runners are Apple (with virtual Linux aarch64), which doesn't support 32-bit mode
+            fallback-runner: 'ubuntu-24.04-arm'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_arm.sh'
+            provider: 'gha'
+
+          - name: 'ASan + LSan + UBSan + integer'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md' # has to match container in ci/test/00_setup_env_native_asan.sh for tracing tools
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_asan.sh'
+
+          - name: 'macOS-cross to arm64'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_mac_cross.sh'
+
+          - name: 'macOS-cross to x86_64'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_mac_cross_intel.sh'
+
+          - name: 'No wallet'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-sm'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_nowallet.sh'
+
+          - name: 'i686, no IPC'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_i686_no_ipc.sh'
+
+          - name: 'fuzzer,address,undefined,integer'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-lg'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 240
+            file-env: './ci/test/00_setup_env_native_fuzz.sh'
+
+          - name: 'Valgrind, fuzz'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 240
+            file-env: './ci/test/00_setup_env_native_fuzz_with_valgrind.sh'
+
+          - name: 'previous releases'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_previous_releases.sh'
+
+          - name: 'Alpine (musl)'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_alpine_musl.sh'
+
+          - name: 'tidy'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_tidy.sh'
+
+          - name: 'TSan'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_tsan.sh'
+
+          - name: 'MSan, fuzz'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 150
+            file-env: './ci/test/00_setup_env_native_fuzz_with_msan.sh'
+
+          - name: 'MSan'
+            cirrus-runner: 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-lg'
+            fallback-runner: 'ubuntu-24.04'
+            timeout-minutes: 120
+            file-env: './ci/test/00_setup_env_native_msan.sh'
+
+    steps:
+      - *ANNOTATION_PR_NUMBER
+
+      - *CHECKOUT
+
+      - name: Configure environment
+        uses: ./.github/actions/configure-environment
+
+      - name: Restore caches
+        id: restore-cache
+        uses: ./.github/actions/restore-caches
+
+      - name: Configure Docker
+        uses: ./.github/actions/configure-docker
+        with:
+          cache-provider: ${{ matrix.provider || needs.runners.outputs.provider }}
+
+      - name: Clear unnecessary files
+        if: ${{ needs.runners.outputs.provider == 'gha' && true || false }} # Only needed on GHA runners
+        uses: ./.github/actions/clear-files
+
+      - name: Enable bpfcc script
+        if: ${{ env.CONTAINER_NAME == 'ci_native_asan' }}
+        # In the image build step, no external environment variables are available,
+        # so any settings will need to be written to the settings env file:
+        run: sed -i "s|\${INSTALL_BCC_TRACING_TOOLS}|true|g" ./ci/test/00_setup_env_native_asan.sh
+
+      - name: Set mmap_rnd_bits
+        if: ${{ env.CONTAINER_NAME == 'ci_native_tsan' || env.CONTAINER_NAME == 'ci_native_msan' || env.CONTAINER_NAME == 'ci_native_fuzz_msan' }}
+        # Prevents crashes due to high ASLR entropy
+        run: sudo sysctl -w vm.mmap_rnd_bits=28
+
+      - name: CI script
+        run: ./ci/test_run_all.sh
+
+      - name: Save caches
+        uses: ./.github/actions/save-caches
+
+  lint:
+    name: 'lint'
+    needs: runners
+    runs-on: ${{ needs.runners.outputs.provider == 'cirrus' && 'ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-xs' || 'ubuntu-24.04' }}
+    if: ${{ vars.SKIP_BRANCH_PUSH != 'true' || github.event_name == 'pull_request' }}
+    timeout-minutes: 20
+    env:
+      CONTAINER_NAME: "bitcoin-linter"
+    steps:
+      - *ANNOTATION_PR_NUMBER
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: *CHECKOUT_REF_TMPL
+          fetch-depth: 0
+
+      - name: Configure Docker
+        uses: ./.github/actions/configure-docker
+        with:
+          cache-provider: ${{ needs.runners.outputs.provider }}
+
+      - name: CI script
+        run: python .github/ci-lint-exec.py

.gitignore

@@ -1,3 +1,8 @@
+# Patterns that are specific to a text editor, IDE, operating system, or user
+# environment are not added here. They should be added to your local gitignore
+# file instead:
+# https://docs.github.com/en/get-started/git-basics/ignoring-files#configuring-ignored-files-for-all-repositories-on-your-computer
+
 # Build subdirectories.
 /*build*
 !/build-aux
@@ -7,6 +12,7 @@
 
 # Only ignore unexpected patches
 *.patch
+!ci/test/*.patch
 !contrib/guix/patches/*.patch
 !depends/patches/**/*.patch
 
@@ -15,8 +21,8 @@
 # Previous releases
 /releases
 
-#build tests
-test/lint/test_runner/target/
+# cargo default target dir
+target/
 
 /guix-build-*
 

.tx/config

@@ -1,7 +1,7 @@
 [main]
 host = https://www.transifex.com
 
-[o:bitcoin:p:bitcoin:r:qt-translation-029x]
+[o:bitcoin:p:bitcoin:r:qt-translation-030x]
 file_filter = src/qt/locale/bitcoin_<lang>.xlf
 source_file = src/qt/locale/bitcoin_en.xlf
 source_lang = en

CMakeLists.txt

@@ -19,16 +19,20 @@ if(POLICY CMP0171)
   cmake_policy(SET CMP0171 NEW)
 endif()
 
+# When adjusting CMake flag variables, we must not override those explicitly
+# set by the user. These are a subset of the CACHE_VARIABLES property.
+get_directory_property(precious_variables CACHE_VARIABLES)
+
 #=============================
 # Project / Package metadata
 #=============================
 set(CLIENT_NAME "Bitcoin Core")
-set(CLIENT_VERSION_MAJOR 28)
+set(CLIENT_VERSION_MAJOR 30)
 set(CLIENT_VERSION_MINOR 99)
 set(CLIENT_VERSION_BUILD 0)
 set(CLIENT_VERSION_RC 0)
 set(CLIENT_VERSION_IS_RELEASE "false")
-set(COPYRIGHT_YEAR "2025")
+set(COPYRIGHT_YEAR "2026")
 
 # During the enabling of the CXX and CXXOBJ languages, we modify
 # CMake's compiler/linker invocation strings by appending the content
@@ -90,47 +94,30 @@ endif()
 #=============================
 include(CMakeDependentOption)
 # When adding a new option, end the <help_text> with a full stop for consistency.
+option(BUILD_BITCOIN_BIN "Build bitcoin executable." ON)
 option(BUILD_DAEMON "Build bitcoind executable." ON)
 option(BUILD_GUI "Build bitcoin-qt executable." OFF)
 option(BUILD_CLI "Build bitcoin-cli executable." ON)
 
-option(BUILD_TESTS "Build test_bitcoin executable." ON)
+option(BUILD_TESTS "Build test_bitcoin and other unit test executables." ON)
 option(BUILD_TX "Build bitcoin-tx executable." ${BUILD_TESTS})
 option(BUILD_UTIL "Build bitcoin-util executable." ${BUILD_TESTS})
 
 option(BUILD_UTIL_CHAINSTATE "Build experimental bitcoin-chainstate executable." OFF)
 option(BUILD_KERNEL_LIB "Build experimental bitcoinkernel library." ${BUILD_UTIL_CHAINSTATE})
+cmake_dependent_option(BUILD_KERNEL_TEST "Build tests for the experimental bitcoinkernel library." ON "BUILD_KERNEL_LIB" OFF)
 
 option(ENABLE_WALLET "Enable wallet." ON)
-option(WITH_SQLITE "Enable SQLite wallet support." ${ENABLE_WALLET})
-if(WITH_SQLITE)
+if(ENABLE_WALLET)
   if(VCPKG_TARGET_TRIPLET)
     # Use of the `unofficial::` namespace is a vcpkg package manager convention.
     find_package(unofficial-sqlite3 CONFIG REQUIRED)
   else()
     find_package(SQLite3 3.7.17 REQUIRED)
   endif()
-  set(USE_SQLITE ON)
-endif()
-option(WITH_BDB "Enable Berkeley DB (BDB) wallet support." OFF)
-cmake_dependent_option(WARN_INCOMPATIBLE_BDB "Warn when using a Berkeley DB (BDB) version other than 4.8." ON "WITH_BDB" OFF)
-if(WITH_BDB)
-  find_package(BerkeleyDB 4.8 MODULE REQUIRED)
-  set(USE_BDB ON)
-  if(NOT BerkeleyDB_VERSION VERSION_EQUAL 4.8)
-    message(WARNING "Found Berkeley DB (BDB) other than 4.8.\n"
-                    "BDB (legacy) wallets opened by this build will not be portable!"
-    )
-    if(WARN_INCOMPATIBLE_BDB)
-      message(WARNING "If this is intended, pass \"-DWARN_INCOMPATIBLE_BDB=OFF\".\n"
-                      "Passing \"-DWITH_BDB=OFF\" will suppress this warning."
-      )
-    endif()
-  endif()
 endif()
 cmake_dependent_option(BUILD_WALLET_TOOL "Build bitcoin-wallet tool." ${BUILD_TESTS} "ENABLE_WALLET" OFF)
 
-option(ENABLE_HARDENING "Attempt to harden the resulting executables." ON)
 option(REDUCE_EXPORTS "Attempt to reduce exported symbols in the resulting executables." OFF)
 option(WERROR "Treat compiler warnings as errors." OFF)
 option(WITH_CCACHE "Attempt to use ccache for compiling." ON)
@@ -145,7 +132,7 @@ if(WITH_USDT)
   find_package(USDT MODULE REQUIRED)
 endif()
 
-cmake_dependent_option(ENABLE_EXTERNAL_SIGNER "Enable external signer support." ON "NOT WIN32" OFF)
+option(ENABLE_EXTERNAL_SIGNER "Enable external signer support." ON)
 
 cmake_dependent_option(WITH_QRENCODE "Enable QR code support." ON "BUILD_GUI" OFF)
 if(WITH_QRENCODE)
@@ -153,10 +140,11 @@ if(WITH_QRENCODE)
   set(USE_QRCODE TRUE)
 endif()
 
-cmake_dependent_option(WITH_DBUS "Enable DBus support." ON "CMAKE_SYSTEM_NAME STREQUAL \"Linux\" AND BUILD_GUI" OFF)
+cmake_dependent_option(WITH_DBUS "Enable DBus support." ON "NOT CMAKE_SYSTEM_NAME MATCHES \"(Windows|Darwin)\" AND BUILD_GUI" OFF)
 
-option(WITH_MULTIPROCESS "Build multiprocess bitcoin-node and bitcoin-gui executables in addition to monolithic bitcoind and bitcoin-qt executables. Requires libmultiprocess library. Experimental." OFF)
-if(WITH_MULTIPROCESS)
+cmake_dependent_option(ENABLE_IPC "Build multiprocess bitcoin-node and bitcoin-gui executables in addition to monolithic bitcoind and bitcoin-qt executables." ON "NOT WIN32" OFF)
+cmake_dependent_option(WITH_EXTERNAL_LIBMULTIPROCESS "Build with external libmultiprocess library instead of with local git subtree when ENABLE_IPC is enabled. This is not normally recommended, but can be useful for developing libmultiprocess itself." OFF "ENABLE_IPC" OFF)
+if(ENABLE_IPC AND WITH_EXTERNAL_LIBMULTIPROCESS)
   find_package(Libmultiprocess REQUIRED COMPONENTS Lib)
   find_package(LibmultiprocessNative REQUIRED COMPONENTS Bin
     NAMES Libmultiprocess
@@ -176,7 +164,7 @@ if(BUILD_GUI)
   if(BUILD_GUI_TESTS)
     list(APPEND qt_components Test)
   endif()
-  find_package(Qt 5.11.3 MODULE REQUIRED
+  find_package(Qt 6.2 MODULE REQUIRED
     COMPONENTS ${qt_components}
   )
   unset(qt_components)
@@ -216,12 +204,14 @@ target_link_libraries(core_interface INTERFACE
 
 if(BUILD_FOR_FUZZING)
   message(WARNING "BUILD_FOR_FUZZING=ON will disable all other targets and force BUILD_FUZZ_BINARY=ON.")
+  set(BUILD_BITCOIN_BIN OFF)
   set(BUILD_DAEMON OFF)
   set(BUILD_CLI OFF)
   set(BUILD_TX OFF)
   set(BUILD_UTIL OFF)
   set(BUILD_UTIL_CHAINSTATE OFF)
   set(BUILD_KERNEL_LIB OFF)
+  set(BUILD_KERNEL_TEST OFF)
   set(BUILD_WALLET_TOOL OFF)
   set(BUILD_GUI OFF)
   set(ENABLE_EXTERNAL_SIGNER OFF)
@@ -229,6 +219,7 @@ if(BUILD_FOR_FUZZING)
   set(BUILD_TESTS OFF)
   set(BUILD_GUI_TESTS OFF)
   set(BUILD_BENCH OFF)
+  set(ENABLE_IPC OFF)
   set(BUILD_FUZZ_BINARY ON)
 
   target_compile_definitions(core_interface INTERFACE
@@ -290,6 +281,10 @@ if(WIN32)
       /Zc:__cplusplus
       /sdl
     )
+    target_link_options(core_interface INTERFACE
+      # We embed our own manifests.
+      /MANIFEST:NO
+    )
     # Improve parallelism in MSBuild.
     # See: https://devblogs.microsoft.com/cppblog/improved-parallelism-in-msbuild/.
     list(APPEND CMAKE_VS_GLOBALS "UseMultiToolTask=true")
@@ -348,13 +343,28 @@ target_link_libraries(core_interface INTERFACE
   Threads::Threads
 )
 
+# Define sanitize_interface with -fsanitize flags intended to apply to all
+# libraries and executables.
 add_library(sanitize_interface INTERFACE)
 target_link_libraries(core_interface INTERFACE sanitize_interface)
 if(SANITIZERS)
+  # Transform list of sanitizers into -fsanitize flags, replacing "fuzzer" with
+  # "fuzzer-no-link" in sanitize_interface flags, and moving "fuzzer" to
+  # fuzzer_interface flags. If -DSANITIZERS=fuzzer is specified, the fuzz test
+  # binary should be built with -fsanitize=fuzzer (so it can use libFuzzer's
+  # main function), but libraries should be built with -fsanitize=fuzzer-no-link
+  # (so they can be linked into other executables that have their own main
+  # functions).
+  string(REGEX REPLACE "(^|,)fuzzer($|,)" "\\1fuzzer-no-link\\2" sanitize_opts "${SANITIZERS}")
+  set(fuzz_flag "")
+  if(NOT sanitize_opts STREQUAL SANITIZERS)
+    set(fuzz_flag "-fsanitize=fuzzer")
+  endif()
+
   # First check if the compiler accepts flags. If an incompatible pair like
   # -fsanitize=address,thread is used here, this check will fail. This will also
   # fail if a bad argument is passed, e.g. -fsanitize=undfeined
-  try_append_cxx_flags("-fsanitize=${SANITIZERS}" TARGET sanitize_interface
+  try_append_cxx_flags("-fsanitize=${sanitize_opts}" TARGET sanitize_interface
     RESULT_VAR cxx_supports_sanitizers
     SKIP_LINK
   )
@@ -367,15 +377,15 @@ if(SANITIZERS)
   # flag. This is a separate check so we can give a better error message when
   # the sanitize flags are supported by the compiler but the actual sanitizer
   # libs are missing.
-  try_append_linker_flag("-fsanitize=${SANITIZERS}" VAR SANITIZER_LDFLAGS
+  try_append_linker_flag("-fsanitize=${sanitize_opts}" VAR SANITIZER_LDFLAGS
     SOURCE "
       #include <cstdint>
       #include <cstddef>
       extern \"C\" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { return 0; }
-      __attribute__((weak)) // allow for libFuzzer linking
       int main() { return 0; }
     "
     RESULT_VAR linker_supports_sanitizers
+    NO_CACHE_IF_FAILED
   )
   if(NOT linker_supports_sanitizers)
     message(FATAL_ERROR "Linker did not accept requested flags, you are missing required libraries.")
@@ -383,8 +393,10 @@ if(SANITIZERS)
 endif()
 target_link_options(sanitize_interface INTERFACE ${SANITIZER_LDFLAGS})
 
+# Define fuzzer_interface with flags intended to apply to the fuzz test binary,
+# and perform a test compilation to determine correct value of
+# FUZZ_BINARY_LINKS_WITHOUT_MAIN_FUNCTION.
 if(BUILD_FUZZ_BINARY)
-  target_link_libraries(core_interface INTERFACE ${FUZZ_LIBS})
   include(CheckSourceCompilesWithFlags)
   check_cxx_source_compiles_with_flags("
       #include <cstdint>
@@ -392,9 +404,12 @@ if(BUILD_FUZZ_BINARY)
       extern \"C\" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { return 0; }
       // No main() function.
     " FUZZ_BINARY_LINKS_WITHOUT_MAIN_FUNCTION
-    LDFLAGS ${SANITIZER_LDFLAGS}
+    LDFLAGS ${SANITIZER_LDFLAGS} ${fuzz_flag}
     LINK_LIBRARIES ${FUZZ_LIBS}
   )
+  add_library(fuzzer_interface INTERFACE)
+  target_link_options(fuzzer_interface INTERFACE ${fuzz_flag})
+  target_link_libraries(fuzzer_interface INTERFACE ${FUZZ_LIBS})
 endif()
 
 include(AddBoostIfNeeded)
@@ -431,6 +446,7 @@ else()
   try_append_cxx_flags("-Wvla" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wshadow-field" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wthread-safety" TARGET warn_interface SKIP_LINK)
+  try_append_cxx_flags("-Wthread-safety-pointer" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wloop-analysis" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wredundant-decls" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wunused-member-function" TARGET warn_interface SKIP_LINK)
@@ -447,6 +463,8 @@ else()
   try_append_cxx_flags("-Wself-assign" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wbidi-chars=any" TARGET warn_interface SKIP_LINK)
   try_append_cxx_flags("-Wundef" TARGET warn_interface SKIP_LINK)
+  try_append_cxx_flags("-Wleading-whitespace=spaces" TARGET warn_interface SKIP_LINK)
+  try_append_cxx_flags("-Wtrailing-whitespace=any" TARGET warn_interface SKIP_LINK)
 
   # Some compilers (gcc) ignore unknown -Wno-* options, but warn about all
   # unknown options if any other warning is produced. Test the -Wfoo case, and
@@ -477,69 +495,77 @@ try_append_cxx_flags("-fmacro-prefix-map=A=B" TARGET core_interface SKIP_LINK
   IF_CHECK_PASSED "-fmacro-prefix-map=${PROJECT_SOURCE_DIR}/src=."
 )
 
-# Currently all versions of gcc are subject to a class of bugs, see the
-# gccbug_90348 test case (only reproduces on GCC 11 and earlier) and
+# GCC versions 13.2 (and earlier) are subject to a class of bugs, see
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90348 and the meta bug
 # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111843. To work around that, set
 # -fstack-reuse=none for all gcc builds. (Only gcc understands this flag).
 try_append_cxx_flags("-fstack-reuse=none" TARGET core_interface)
 
-if(ENABLE_HARDENING)
-  add_library(hardening_interface INTERFACE)
-  target_link_libraries(core_interface INTERFACE hardening_interface)
-  if(MSVC)
-    try_append_linker_flag("/DYNAMICBASE" TARGET hardening_interface)
-    try_append_linker_flag("/HIGHENTROPYVA" TARGET hardening_interface)
-    try_append_linker_flag("/NXCOMPAT" TARGET hardening_interface)
-  else()
+if(MSVC)
+  try_append_linker_flag("/DYNAMICBASE" TARGET core_interface)
+  try_append_linker_flag("/HIGHENTROPYVA" TARGET core_interface)
+  try_append_linker_flag("/NXCOMPAT" TARGET core_interface)
+else()
 
-    # _FORTIFY_SOURCE requires that there is some level of optimization,
-    # otherwise it does nothing and just creates a compiler warning.
-    try_append_cxx_flags("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
-      RESULT_VAR cxx_supports_fortify_source
-      SOURCE "int main() {
-              # if !defined __OPTIMIZE__ || __OPTIMIZE__ <= 0
-                #error
-              #endif
-              }"
+  # _FORTIFY_SOURCE requires that there is some level of optimization,
+  # otherwise it does nothing and just creates a compiler warning.
+  try_append_cxx_flags("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
+    RESULT_VAR cxx_supports_fortify_source
+    SOURCE "int main() {
+            # if !defined __OPTIMIZE__ || __OPTIMIZE__ <= 0
+              #error
+            #endif
+            }"
+  )
+  if(cxx_supports_fortify_source)
+    target_compile_options(core_interface INTERFACE
+      -U_FORTIFY_SOURCE
+      -D_FORTIFY_SOURCE=3
     )
-    if(cxx_supports_fortify_source)
-      target_compile_options(hardening_interface INTERFACE
-        -U_FORTIFY_SOURCE
-        -D_FORTIFY_SOURCE=3
-      )
-    endif()
-    unset(cxx_supports_fortify_source)
+  endif()
+  unset(cxx_supports_fortify_source)
 
-    try_append_cxx_flags("-Wstack-protector" TARGET hardening_interface SKIP_LINK)
-    try_append_cxx_flags("-fstack-protector-all" TARGET hardening_interface)
-    try_append_cxx_flags("-fcf-protection=full" TARGET hardening_interface)
+  try_append_cxx_flags("-Wstack-protector" TARGET core_interface SKIP_LINK)
+  try_append_cxx_flags("-fstack-protector-all" TARGET core_interface)
+  try_append_cxx_flags("-fcf-protection=full" TARGET core_interface)
 
-    if(MINGW)
-      # stack-clash-protection is a no-op for Windows.
-      # See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458 for more details.
-    else()
-      try_append_cxx_flags("-fstack-clash-protection" TARGET hardening_interface)
-    endif()
+  if(MINGW)
+    # stack-clash-protection is a no-op for Windows.
+    # See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458 for more details.
+  else()
+    try_append_cxx_flags("-fstack-clash-protection" TARGET core_interface)
+  endif()
 
-    if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
-      if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
-        try_append_cxx_flags("-mbranch-protection=bti" TARGET hardening_interface SKIP_LINK)
-      else()
-        try_append_cxx_flags("-mbranch-protection=standard" TARGET hardening_interface SKIP_LINK)
-      endif()
-    endif()
-
-    try_append_linker_flag("-Wl,--enable-reloc-section" TARGET hardening_interface)
-    try_append_linker_flag("-Wl,--dynamicbase" TARGET hardening_interface)
-    try_append_linker_flag("-Wl,--nxcompat" TARGET hardening_interface)
-    try_append_linker_flag("-Wl,--high-entropy-va" TARGET hardening_interface)
-    try_append_linker_flag("-Wl,-z,relro" TARGET hardening_interface)
-    try_append_linker_flag("-Wl,-z,now" TARGET hardening_interface)
-    try_append_linker_flag("-Wl,-z,separate-code" TARGET hardening_interface)
+  if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
     if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
-      try_append_linker_flag("-Wl,-fixup_chains" TARGET hardening_interface)
+      try_append_cxx_flags("-mbranch-protection=bti" TARGET core_interface SKIP_LINK)
+    else()
+      try_append_cxx_flags("-mbranch-protection=standard" TARGET core_interface SKIP_LINK)
     endif()
   endif()
+
+  try_append_linker_flag("-Wl,--enable-reloc-section" TARGET core_interface)
+  try_append_linker_flag("-Wl,--dynamicbase" TARGET core_interface)
+  try_append_linker_flag("-Wl,--nxcompat" TARGET core_interface)
+  try_append_linker_flag("-Wl,--high-entropy-va" TARGET core_interface)
+  try_append_linker_flag("-Wl,-z,relro" TARGET core_interface)
+  try_append_linker_flag("-Wl,-z,now" TARGET core_interface)
+  # TODO: This can be dropped once Bitcoin Core no longer supports
+  #       NetBSD 10.0 or if upstream fix is backported.
+  # NetBSD's dynamic linker ld.elf_so < 11.0 supports exactly 2
+  # `PT_LOAD` segments and binaries linked with `-z separate-code`
+  # have 4 `PT_LOAD` segments.
+  # Relevant discussions:
+  # - https://github.com/bitcoin/bitcoin/pull/28724#issuecomment-2589347934
+  # - https://mail-index.netbsd.org/tech-userlevel/2023/01/05/msg013666.html
+  if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD" AND CMAKE_SYSTEM_VERSION VERSION_LESS 11.0)
+    try_append_linker_flag("-Wl,-z,noseparate-code" TARGET core_interface)
+  else()
+    try_append_linker_flag("-Wl,-z,separate-code" TARGET core_interface)
+  endif()
+  if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+    try_append_linker_flag("-Wl,-fixup_chains" TARGET core_interface)
+  endif()
 endif()
 
 if(REDUCE_EXPORTS)
@@ -569,11 +595,9 @@ set(Python3_FIND_FRAMEWORK LAST CACHE STRING "")
 set(Python3_FIND_UNVERSIONED_NAMES FIRST CACHE STRING "")
 mark_as_advanced(Python3_FIND_FRAMEWORK Python3_FIND_UNVERSIONED_NAMES)
 find_package(Python3 3.10 COMPONENTS Interpreter)
-if(Python3_EXECUTABLE)
-  set(PYTHON_COMMAND ${Python3_EXECUTABLE})
-else()
+if(NOT TARGET Python3::Interpreter)
   list(APPEND configure_warnings
-    "Minimum required Python not found. Utils and rpcauth tests are disabled."
+    "Minimum required Python not found."
   )
 endif()
 
@@ -599,29 +623,13 @@ if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.29)
   set(CMAKE_SKIP_TEST_ALL_DEPENDENCY FALSE)
 endif()
 
-# TODO: The `CMAKE_SKIP_BUILD_RPATH` variable setting can be deleted
-#       in the future after reordering Guix script commands to
-#       perform binary checks after the installation step.
-# Relevant discussions:
-# - https://github.com/hebasto/bitcoin/pull/236#issuecomment-2183120953
-# - https://github.com/bitcoin/bitcoin/pull/30312#issuecomment-2191235833
-# NetBSD always requires runtime paths to be set for executables.
-if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD")
-  set(CMAKE_INSTALL_RPATH_USE_LINK_PATH TRUE)
-else()
-  set(CMAKE_SKIP_BUILD_RPATH TRUE)
-  set(CMAKE_SKIP_INSTALL_RPATH TRUE)
-endif()
 add_subdirectory(test)
 add_subdirectory(doc)
 
 add_subdirectory(src)
 
-include(cmake/tests.cmake)
-
 include(Maintenance)
 setup_split_debug_script()
-add_maintenance_targets()
 add_windows_deploy_target()
 add_macos_deploy_target()
 
@@ -629,15 +637,16 @@ message("\n")
 message("Configure summary")
 message("=================")
 message("Executables:")
+message("  bitcoin ............................. ${BUILD_BITCOIN_BIN}")
 message("  bitcoind ............................ ${BUILD_DAEMON}")
-if(BUILD_DAEMON AND WITH_MULTIPROCESS)
+if(BUILD_DAEMON AND ENABLE_IPC)
   set(bitcoin_daemon_status ON)
 else()
   set(bitcoin_daemon_status OFF)
 endif()
 message("  bitcoin-node (multiprocess) ......... ${bitcoin_daemon_status}")
 message("  bitcoin-qt (GUI) .................... ${BUILD_GUI}")
-if(BUILD_GUI AND WITH_MULTIPROCESS)
+if(BUILD_GUI AND ENABLE_IPC)
   set(bitcoin_gui_status ON)
 else()
   set(bitcoin_gui_status OFF)
@@ -649,17 +658,24 @@ message("  bitcoin-util ........................ ${BUILD_UTIL}")
 message("  bitcoin-wallet ...................... ${BUILD_WALLET_TOOL}")
 message("  bitcoin-chainstate (experimental) ... ${BUILD_UTIL_CHAINSTATE}")
 message("  libbitcoinkernel (experimental) ..... ${BUILD_KERNEL_LIB}")
+message("  kernel-test (experimental) .......... ${BUILD_KERNEL_TEST}")
 message("Optional features:")
 message("  wallet support ...................... ${ENABLE_WALLET}")
-if(ENABLE_WALLET)
-  message("   - descriptor wallets (SQLite) ...... ${WITH_SQLITE}")
-  message("   - legacy wallets (Berkeley DB) ..... ${WITH_BDB}")
-endif()
 message("  external signer ..................... ${ENABLE_EXTERNAL_SIGNER}")
 message("  ZeroMQ .............................. ${WITH_ZMQ}")
+if(ENABLE_IPC)
+  if (WITH_EXTERNAL_LIBMULTIPROCESS)
+    set(ipc_status "ON (with external libmultiprocess)")
+  else()
+    set(ipc_status ON)
+  endif()
+else()
+  set(ipc_status OFF)
+endif()
+message("  IPC ................................. ${ipc_status}")
 message("  USDT tracing ........................ ${WITH_USDT}")
 message("  QR code (GUI) ....................... ${WITH_QRENCODE}")
-message("  DBus (GUI, Linux only) .............. ${WITH_DBUS}")
+message("  DBus (GUI) .......................... ${WITH_DBUS}")
 message("Tests:")
 message("  test_bitcoin ........................ ${BUILD_TESTS}")
 message("  test_bitcoin-qt ..................... ${BUILD_GUI_TESTS}")
@@ -675,7 +691,6 @@ message("Cross compiling ....................... ${cross_status}")
 message("C++ compiler .......................... ${CMAKE_CXX_COMPILER_ID} ${CMAKE_CXX_COMPILER_VERSION}, ${CMAKE_CXX_COMPILER}")
 include(FlagsSummary)
 flags_summary()
-message("Attempt to harden executables ......... ${ENABLE_HARDENING}")
 message("Treat compiler warnings as errors ..... ${WERROR}")
 message("Use ccache for compiling .............. ${WITH_CCACHE}")
 message("\n")

CMakePresets.json

@@ -1,6 +1,5 @@
 {
   "version": 3,
-  "cmakeMinimumRequired": {"major": 3, "minor": 21, "patch": 0},
   "configurePresets": [
     {
       "name": "vs2022",
@@ -15,7 +14,8 @@
       "toolchainFile": "$env{VCPKG_ROOT}\\scripts\\buildsystems\\vcpkg.cmake",
       "cacheVariables": {
         "VCPKG_TARGET_TRIPLET": "x64-windows",
-        "BUILD_GUI": "ON"
+        "BUILD_GUI": "ON",
+        "WITH_ZMQ": "ON"
       }
     },
     {
@@ -31,7 +31,8 @@
       "toolchainFile": "$env{VCPKG_ROOT}\\scripts\\buildsystems\\vcpkg.cmake",
       "cacheVariables": {
         "VCPKG_TARGET_TRIPLET": "x64-windows-static",
-        "BUILD_GUI": "ON"
+        "BUILD_GUI": "ON",
+        "WITH_ZMQ": "ON"
       }
     },
     {
@@ -62,6 +63,7 @@
       "name": "dev-mode",
       "displayName": "Developer mode, with all features/dependencies enabled",
       "binaryDir": "${sourceDir}/build_dev_mode",
+      "errors": {"dev": true},
       "cacheVariables": {
         "BUILD_BENCH": "ON",
         "BUILD_CLI": "ON",
@@ -77,13 +79,9 @@
         "BUILD_UTIL_CHAINSTATE": "ON",
         "BUILD_WALLET_TOOL": "ON",
         "ENABLE_EXTERNAL_SIGNER": "ON",
-        "ENABLE_HARDENING": "ON",
         "ENABLE_WALLET": "ON",
-        "WARN_INCOMPATIBLE_BDB": "OFF",
-        "WITH_BDB": "ON",
-        "WITH_MULTIPROCESS": "ON",
+        "ENABLE_IPC": "ON",
         "WITH_QRENCODE": "ON",
-        "WITH_SQLITE": "ON",
         "WITH_USDT": "ON",
         "WITH_ZMQ": "ON"
       }

CONTRIBUTING.md

@@ -80,7 +80,7 @@ facilitates social contribution, easy testing and peer review.
 
 To contribute a patch, the workflow is as follows:
 
-  1. Fork repository ([only for the first time](https://docs.github.com/en/get-started/quickstart/fork-a-repo))
+  1. Fork repository ([only for the first time](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo))
   1. Create topic branch
   1. Commit patches
 
@@ -115,13 +115,14 @@ fixes or code moves with actual code changes.
 
 Make sure each individual commit is hygienic: that it builds successfully on its
 own without warnings, errors, regressions, or test failures.
+This means tests must be updated in the same commit that changes the behavior.
 
 Commit messages should be verbose by default consisting of a short subject line
 (50 chars max), a blank line and detailed explanatory text as separate
 paragraph(s), unless the title alone is self-explanatory (like "Correct typo
 in init.cpp") in which case a single title line is sufficient. Commit messages should be
 helpful to people reading your code in the future, so explain the reasoning for
-your decisions. Further explanation [here](https://chris.beams.io/posts/git-commit/).
+your decisions. Further explanation [here](https://cbea.ms/git-commit/).
 
 If a particular commit references another issue, please add the reference. For
 example: `refs #1234` or `fixes #4321`. Using the `fixes` or `closes` keywords
@@ -182,7 +183,7 @@ for more information on helping with translations.
 ### Work in Progress Changes and Requests for Comments
 
 If a pull request is not to be considered for merging (yet), please
-prefix the title with [WIP] or use [Tasks Lists](https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#task-lists)
+prefix the title with [WIP] or use [Tasks Lists](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#task-lists)
 in the body of the pull request to indicate tasks are pending.
 
 ### Address Feedback
@@ -401,7 +402,7 @@ about:
   - It may be because your code is too complex for all but a few people, and those people
     may not have realized your pull request even exists. A great way to find people who
     are qualified and care about the code you are touching is the
-    [Git Blame feature](https://docs.github.com/en/github/managing-files-in-a-repository/managing-files-on-github/tracking-changes-in-a-file). Simply
+    [Git Blame feature](https://docs.github.com/en/repositories/working-with-files/using-files/viewing-and-understanding-files). Simply
     look up who last modified the code you are changing and see if you can find
     them and give them a nudge. Don't be incessant about the nudging, though.
   - Finally, if all else fails, ask on IRC or elsewhere for someone to give your pull request

COPYING

@@ -1,7 +1,7 @@
 The MIT License (MIT)
 
-Copyright (c) 2009-2025 The Bitcoin Core developers
-Copyright (c) 2009-2025 Bitcoin Developers
+Copyright (c) 2009-2026 The Bitcoin Core developers
+Copyright (c) 2009-2026 Bitcoin Developers
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

INSTALL.md

@@ -1 +1 @@
-See [doc/build-\*.md](/doc)
+See [doc/build-\*.md](/doc)

README.md

@@ -19,7 +19,7 @@ License
 -------
 
 Bitcoin Core is released under the terms of the MIT license. See [COPYING](COPYING) for more
-information or see https://opensource.org/licenses/MIT.
+information or see https://opensource.org/license/MIT.
 
 Development Process
 -------------------
@@ -56,8 +56,8 @@ in Python.
 These tests can be run (if the [test dependencies](/test) are installed) with: `build/test/functional/test_runner.py`
 (assuming `build` is your build directory).
 
-The CI (Continuous Integration) systems make sure that every pull request is built for Windows, Linux, and macOS,
-and that unit/sanity tests are run automatically.
+The CI (Continuous Integration) systems make sure that every pull request is tested on Windows, Linux, and macOS.
+The CI must pass on all commits before merge to avoid unrelated CI failures on new pull requests.
 
 ### Manual Quality Assurance (QA) Testing
 
@@ -70,7 +70,7 @@ Translations
 ------------
 
 Changes to translations as well as new translations can be submitted to
-[Bitcoin Core's Transifex page](https://www.transifex.com/bitcoin/bitcoin/).
+[Bitcoin Core's Transifex page](https://explore.transifex.com/bitcoin/bitcoin/).
 
 Translations are periodically pulled from Transifex and merged into the git repository. See the
 [translation process](doc/translation_process.md) for details on how this works.

ci/README.md

@@ -1,8 +1,8 @@
-## CI Scripts
+# CI Scripts
 
 This directory contains scripts for each build step in each build stage.
 
-### Running a Stage Locally
+## Running a Stage Locally
 
 Be aware that the tests will be built and run in-place, so please run at your own risk.
 If the repository is not a fresh git clone, you might have to clean files from previous builds or test runs first.
@@ -20,14 +20,33 @@ requires `bash`, `docker`, and `python3` to be installed. To run on different ar
 sudo apt install bash docker.io python3 qemu-user-static
 ```
 
-It is recommended to run the ci system in a clean env. To run the test stage
-with a specific configuration,
+For some sanitizer builds, the kernel's address-space layout randomization
+(ASLR) entropy can cause sanitizer shadow memory mappings to fail. When running
+the CI locally you may need to reduce that entropy by running:
 
 ```
-env -i HOME="$HOME" PATH="$PATH" USER="$USER" bash -c 'FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh'
+sudo sysctl -w vm.mmap_rnd_bits=28
 ```
 
-### Configurations
+To run a test that requires emulating a CPU architecture different from the
+host, we may rely on the container environment recognizing foreign executables
+and automatically running them using `qemu`. The following sets us up to do so
+(also works for `podman`):
+
+```
+docker run --rm --privileged docker.io/multiarch/qemu-user-static --reset -p yes
+```
+
+It is recommended to run the CI system in a clean environment. The `env -i`
+command below ensures that *only* specified environment variables are propagated
+into the local CI.
+To run the test stage with a specific configuration:
+
+```
+env -i HOME="$HOME" PATH="$PATH" USER="$USER" FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh
+```
+
+## Configurations
 
 The test files (`FILE_ENV`) are constructed to test a wide range of
 configurations, rather than a single pass/fail. This helps to catch build
@@ -43,14 +62,38 @@ It is also possible to force a specific configuration without modifying the
 file. For example,
 
 ```
-env -i HOME="$HOME" PATH="$PATH" USER="$USER" bash -c 'MAKEJOBS="-j1" FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh'
+env -i HOME="$HOME" PATH="$PATH" USER="$USER" MAKEJOBS="-j1" FILE_ENV="./ci/test/00_setup_env_arm.sh" ./ci/test_run_all.sh
 ```
 
 The files starting with `0n` (`n` greater than 0) are the scripts that are run
 in order.
 
-### Cache
+## Cache
 
 In order to avoid rebuilding all dependencies for each build, the binaries are
 cached and reused when possible. Changes in the dependency-generator will
 trigger cache-invalidation and rebuilds as necessary.
+
+## Configuring a repository for CI
+
+### Primary repository
+
+To configure the primary repository, follow these steps:
+
+1. Register with [Cirrus Runners](https://cirrus-runners.app/) and purchase runners.
+2. Install the Cirrus Runners GitHub app against the GitHub organization.
+3. Enable organisation-level runners to be used in public repositories:
+   1. `Org settings -> Actions -> Runner Groups -> Default -> Allow public repos`
+4. Permit the following actions to run:
+   1. cirruslabs/cache/restore@\*
+   1. cirruslabs/cache/save@\*
+   1. docker/setup-buildx-action@\*
+   1. actions/github-script@\*
+
+### Forked repositories
+
+When used in a fork the CI will run on GitHub's free hosted runners by default.
+In this case, due to GitHub's 10GB-per-repo cache size limitations caches will be frequently evicted and missed, but the workflows will run (slowly).
+
+It is also possible to use your own Cirrus Runners in your own fork with an appropriate patch to the `REPO_USE_CIRRUS_RUNNERS` variable in ../.github/workflows/ci.yml
+NB that Cirrus Runners only work at an organisation level, therefore in order to use your own Cirrus Runners, *the fork must be within your own organisation*.

ci/lint/01_install.sh

@@ -6,16 +6,20 @@
 
 export LC_ALL=C
 
+set -o errexit -o pipefail -o xtrace
+
 export CI_RETRY_EXE="/ci_retry --"
 
 pushd "/"
 
 ${CI_RETRY_EXE} apt-get update
 # Lint dependencies:
+# - cargo (used to run the lint tests)
 # - curl/xz-utils (to install shellcheck)
 # - git (used in many lint scripts)
 # - gpg (used by verify-commits)
-${CI_RETRY_EXE} apt-get install -y curl xz-utils git gpg
+# - moreutils (used by scripted-diff)
+${CI_RETRY_EXE} apt-get install -y cargo curl xz-utils git gpg moreutils
 
 PYTHON_PATH="/python_build"
 if [ ! -d "${PYTHON_PATH}/bin" ]; then
@@ -35,31 +39,19 @@ export PATH="${PYTHON_PATH}/bin:${PATH}"
 command -v python3
 python3 --version
 
-export LINT_RUNNER_PATH="/lint_test_runner"
-if [ ! -d "${LINT_RUNNER_PATH}" ]; then
-  ${CI_RETRY_EXE} apt-get install -y cargo
-  (
-    cd "/test/lint/test_runner" || exit 1
-    cargo build
-    mkdir -p "${LINT_RUNNER_PATH}"
-    mv target/debug/test_runner "${LINT_RUNNER_PATH}"
-  )
-fi
-
 ${CI_RETRY_EXE} pip3 install \
-  codespell==2.2.6 \
-  lief==0.13.2 \
-  mypy==1.4.1 \
-  pyzmq==25.1.0 \
-  ruff==0.5.5 \
-  vulture==2.6
+  lief==0.16.6 \
+  mypy==1.18.2 \
+  pyzmq==27.1.0 \
+  ruff==0.13.2 \
+  vulture==2.14
 
-SHELLCHECK_VERSION=v0.8.0
+SHELLCHECK_VERSION=v0.11.0
 curl -sL "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | \
     tar --xz -xf - --directory /tmp/
 mv "/tmp/shellcheck-${SHELLCHECK_VERSION}/shellcheck" /usr/bin/
 
-MLC_VERSION=v0.19.0
+MLC_VERSION=v1
 MLC_BIN=mlc-x86_64-linux
 curl -sL "https://github.com/becheran/mlc/releases/download/${MLC_VERSION}/${MLC_BIN}" -o "/usr/bin/mlc"
 chmod +x /usr/bin/mlc

ci/lint/06_script.sh

@@ -6,19 +6,19 @@
 
 export LC_ALL=C
 
-set -ex
+set -o errexit -o pipefail -o xtrace
 
-if [ -n "$CIRRUS_PR" ]; then
+if [ -n "${LINT_CI_IS_PR}" ]; then
   export COMMIT_RANGE="HEAD~..HEAD"
   if [ "$(git rev-list -1 HEAD)" != "$(git rev-list -1 --merges HEAD)" ]; then
-    echo "Error: The top commit must be a merge commit, usually the remote 'pull/${PR_NUMBER}/merge' branch."
+    echo "Error: The top commit must be a merge commit, usually the remote 'pull/<PR_NUMBER>/merge' branch."
     false
   fi
 fi
 
-RUST_BACKTRACE=1 "${LINT_RUNNER_PATH}/test_runner"
+RUST_BACKTRACE=1 cargo run --manifest-path "./test/lint/test_runner/Cargo.toml"
 
-if [ "$CIRRUS_REPO_FULL_NAME" = "bitcoin/bitcoin" ] && [ "$CIRRUS_PR" = "" ] ; then
+if [ "${LINT_CI_SANITY_CHECK_COMMIT_SIG}" = "1" ] ; then
     # Sanity check only the last few commits to get notified of missing sigs,
     # missing keys, or expired keys. Usually there is only one new merge commit
     # per push on the master branch and a few commits on release branches, so

ci/lint/container-entrypoint.sh

@@ -11,7 +11,6 @@ export LC_ALL=C
 git config --global --add safe.directory /bitcoin
 
 export PATH="/python_build/bin:${PATH}"
-export LINT_RUNNER_PATH="/lint_test_runner"
 
 if [ -z "$1" ]; then
   bash -ic "./ci/lint/06_script.sh"

ci/lint_imagefile

@@ -4,7 +4,7 @@
 
 # See test/lint/README.md for usage.
 
-FROM mirror.gcr.io/debian:bookworm
+FROM mirror.gcr.io/ubuntu:24.04
 
 ENV DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL=C.UTF-8
@@ -12,8 +12,7 @@ ENV LC_ALL=C.UTF-8
 COPY ./ci/retry/retry /ci_retry
 COPY ./.python-version /.python-version
 COPY ./ci/lint/container-entrypoint.sh /entrypoint.sh
-COPY ./ci/lint/04_install.sh /install.sh
-COPY ./test/lint/test_runner /test/lint/test_runner
+COPY ./ci/lint/01_install.sh /install.sh
 
 RUN /install.sh && \
   echo 'alias lint="./ci/lint/06_script.sh"' >> ~/.bashrc && \

ci/lint_run_all.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2019-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-
-# Only used in .cirrus.yml. Refer to test/lint/README.md on how to run locally.
-
-cp "./ci/retry/retry" "/ci_retry"
-cp "./.python-version" "/.python-version"
-mkdir --parents "/test/lint"
-cp --recursive "./test/lint/test_runner" "/test/lint/"
-set -o errexit; source ./ci/lint/04_install.sh
-set -o errexit
-./ci/lint/06_script.sh

ci/test/00_setup_env.sh

@@ -6,7 +6,7 @@
 
 export LC_ALL=C.UTF-8
 
-set -ex
+set -o errexit -o pipefail -o xtrace
 
 # The source root dir, usually from git, usually read-only.
 # The ci system copies this folder.
@@ -22,9 +22,6 @@ export DEPENDS_DIR=${DEPENDS_DIR:-$BASE_ROOT_DIR/depends}
 # A folder for the ci system to put temporary files (build result, datadirs for tests, ...)
 # This folder only exists on the ci guest.
 export BASE_SCRATCH_DIR=${BASE_SCRATCH_DIR:-$BASE_ROOT_DIR/ci/scratch}
-# A folder for the ci system to put executables.
-# This folder only exists on the ci guest.
-export BINS_SCRATCH_DIR="${BASE_SCRATCH_DIR}/bins/"
 
 echo "Setting specific values in env"
 if [ -n "${FILE_ENV}" ]; then
@@ -35,9 +32,7 @@ fi
 
 echo "Fallback to default values in env (if not yet set)"
 # The number of parallel jobs to pass down to make and test_runner.py
-export MAKEJOBS=${MAKEJOBS:--j4}
-# Whether to prefer BusyBox over GNU utilities
-export USE_BUSY_BOX=${USE_BUSY_BOX:-false}
+export MAKEJOBS=${MAKEJOBS:--j$(if command -v nproc > /dev/null 2>&1; then nproc; else sysctl -n hw.logicalcpu; fi)}
 
 export RUN_UNIT_TESTS=${RUN_UNIT_TESTS:-true}
 export RUN_FUNCTIONAL_TESTS=${RUN_FUNCTIONAL_TESTS:-true}
@@ -64,7 +59,7 @@ export BASE_OUTDIR=${BASE_OUTDIR:-$BASE_SCRATCH_DIR/out}
 # The folder for previous release binaries.
 # This folder exists only on the ci guest, and on the ci host as a volume.
 export PREVIOUS_RELEASES_DIR=${PREVIOUS_RELEASES_DIR:-$BASE_ROOT_DIR/prev_releases}
-export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkgconf curl ca-certificates ccache python3 rsync git procps bison e2fsprogs cmake}
+export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkgconf curl ca-certificates ccache python3-dev rsync git procps bison e2fsprogs cmake ninja-build}
 export GOAL=${GOAL:-install}
 export DIR_QA_ASSETS=${DIR_QA_ASSETS:-${BASE_SCRATCH_DIR}/qa-assets}
 export CI_RETRY_EXE=${CI_RETRY_EXE:-"retry --"}

ci/test/00_setup_env_arm.sh

@@ -8,14 +8,16 @@ export LC_ALL=C.UTF-8
 
 export HOST=arm-linux-gnueabihf
 export DPKG_ADD_ARCH="armhf"
-export PACKAGES="python3-zmq g++-arm-linux-gnueabihf busybox libc6:armhf libstdc++6:armhf libfontconfig1:armhf libxcb1:armhf"
+export PACKAGES="python3-zmq g++-arm-linux-gnueabihf libc6:armhf libstdc++6:armhf libfontconfig1:armhf libxcb1:armhf"
 export CONTAINER_NAME=ci_arm_linux
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:noble"  # Check that https://packages.ubuntu.com/noble/g++-arm-linux-gnueabihf (version 13.3, similar to guix) can cross-compile
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # Check that https://packages.debian.org/trixie/g++-arm-linux-gnueabihf (version 14.x, similar to guix) can cross-compile
 export CI_IMAGE_PLATFORM="linux/arm64"
-export USE_BUSY_BOX=true
-export RUN_UNIT_TESTS=true
-export RUN_FUNCTIONAL_TESTS=false
 export GOAL="install"
+export CI_LIMIT_STACK_SIZE=1
 # -Wno-psabi is to disable ABI warnings: "note: parameter passing for argument of type ... changed in GCC 7.1"
 # This could be removed once the ABI change warning does not show up by default
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON -DCMAKE_CXX_FLAGS='-Wno-psabi -Wno-error=maybe-uninitialized'"
+export BITCOIN_CONFIG=" \
+  --preset=dev-mode \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_CXX_FLAGS='-Wno-psabi -Wno-error=maybe-uninitialized' \
+"

ci/test/00_setup_env_i686_no_ipc.sh

@@ -7,17 +7,19 @@
 export LC_ALL=C.UTF-8
 
 export HOST=i686-pc-linux-gnu
-export CONTAINER_NAME=ci_i686_multiprocess
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CONTAINER_NAME=ci_i686_no_multiprocess
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CI_IMAGE_PLATFORM="linux/amd64"
 export PACKAGES="llvm clang g++-multilib"
-export DEP_OPTS="DEBUG=1 MULTIPROCESS=1"
+export DEP_OPTS="DEBUG=1 NO_IPC=1"
 export GOAL="install"
-export TEST_RUNNER_EXTRA="--v2transport"
+export CI_LIMIT_STACK_SIZE=1
+export TEST_RUNNER_EXTRA="--v2transport --usecli"
 export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DENABLE_IPC=OFF \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_COMPILER='clang;-m32' \
  -DCMAKE_CXX_COMPILER='clang++;-m32' \
  -DAPPEND_CPPFLAGS='-DBOOST_MULTI_INDEX_ENABLE_SAFE_MODE' \
 "
-export BITCOIND=bitcoin-node  # Used in functional tests

ci/test/00_setup_env_mac_cross.sh

@@ -9,12 +9,16 @@ export LC_ALL=C.UTF-8
 export SDK_URL=${SDK_URL:-https://bitcoincore.org/depends-sources/sdks}
 
 export CONTAINER_NAME=ci_macos_cross
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
-export HOST=x86_64-apple-darwin
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie" # Check that https://packages.debian.org/trixie/clang (version 19, similar to guix) can cross-compile
+export HOST=arm64-apple-darwin
 export PACKAGES="clang lld llvm zip"
 export XCODE_VERSION=15.0
 export XCODE_BUILD_ID=15A240d
 export RUN_UNIT_TESTS=false
 export RUN_FUNCTIONAL_TESTS=false
 export GOAL="deploy"
-export BITCOIN_CONFIG="-DBUILD_GUI=ON -DREDUCE_EXPORTS=ON"
+export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DWITH_USDT=OFF \
+ -DREDUCE_EXPORTS=ON \
+"

ci/test/00_setup_env_mac_cross_intel.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export SDK_URL=${SDK_URL:-https://bitcoincore.org/depends-sources/sdks}
+
+export CONTAINER_NAME=ci_macos_cross_intel
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie" # Check that https://packages.debian.org/trixie/clang (version 19, similar to guix) can cross-compile
+export HOST=x86_64-apple-darwin
+export PACKAGES="clang lld llvm zip"
+export XCODE_VERSION=15.0
+export XCODE_BUILD_ID=15A240d
+export RUN_UNIT_TESTS=false
+export RUN_FUNCTIONAL_TESTS=false
+export GOAL="deploy"
+export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DWITH_USDT=OFF \
+ -DREDUCE_EXPORTS=ON \
+"

ci/test/00_setup_env_mac_native.sh

@@ -6,12 +6,17 @@
 
 export LC_ALL=C.UTF-8
 
-# Homebrew's python@3.12 is marked as externally managed (PEP 668).
-# Therefore, `--break-system-packages` is needed.
-export PIP_PACKAGES="--break-system-packages zmq"
-export GOAL="install"
+export CONTAINER_NAME="ci_mac_native"  # macos does not use a container, but the env var is needed for logging
+export PIP_PACKAGES="--break-system-packages pycapnp zmq"
+export GOAL="install deploy"
 export CMAKE_GENERATOR="Ninja"
-export BITCOIN_CONFIG="-DBUILD_GUI=ON -DWITH_ZMQ=ON -DREDUCE_EXPORTS=ON"
 export CI_OS_NAME="macos"
 export NO_DEPENDS=1
 export OSX_SDK=""
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DWITH_USDT=OFF \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_EXE_LINKER_FLAGS='-Wl,-stack_size -Wl,0x80000' \
+"
+export BITCOIN_CMD="bitcoin -m" # Used in functional tests

ci/test/00_setup_env_mac_native_fuzz.sh

@@ -6,8 +6,9 @@
 
 export LC_ALL=C.UTF-8
 
+export CONTAINER_NAME="ci_mac_native_fuzz"  # macos does not use a container, but the env var is needed for logging
 export CMAKE_GENERATOR="Ninja"
-export BITCOIN_CONFIG="-DBUILD_FOR_FUZZING=ON"
+export BITCOIN_CONFIG="-DBUILD_FOR_FUZZING=ON -DCMAKE_EXE_LINKER_FLAGS='-Wl,-stack_size -Wl,0x80000' -DAPPEND_CPPFLAGS='-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG'"
 export CI_OS_NAME="macos"
 export NO_DEPENDS=1
 export OSX_SDK=""

ci/test/00_setup_env_native_alpine_musl.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2020-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export CONTAINER_NAME=ci_native_alpine_musl
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/alpine:3.22"
+export CI_BASE_PACKAGES="build-base musl-dev pkgconf curl ccache make ninja git python3-dev py3-pip which patch xz procps rsync util-linux bison e2fsprogs cmake dash linux-headers"
+export PIP_PACKAGES="--break-system-packages pyzmq pycapnp"
+export DEP_OPTS="DEBUG=1"
+export GOAL="install"
+export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DREDUCE_EXPORTS=ON \
+ -DCMAKE_BUILD_TYPE=Debug \
+"
+export BITCOIN_CMD="bitcoin -m" # Used in functional tests

ci/test/00_setup_env_native_asan.sh

@@ -19,17 +19,20 @@ else
 fi
 
 export CONTAINER_NAME=ci_native_asan
-export APT_LLVM_V="20"
-export PACKAGES="systemtap-sdt-dev clang-${APT_LLVM_V} llvm-${APT_LLVM_V} libclang-rt-${APT_LLVM_V}-dev python3-zmq qtbase5-dev qttools5-dev qttools5-dev-tools libevent-dev libboost-dev libdb5.3++-dev libzmq3-dev libqrencode-dev libsqlite3-dev ${BPFCC_PACKAGE}"
+export APT_LLVM_V="21"
+export PACKAGES="systemtap-sdt-dev clang-${APT_LLVM_V} llvm-${APT_LLVM_V} libclang-rt-${APT_LLVM_V}-dev mold python3-zmq qt6-base-dev qt6-tools-dev qt6-l10n-tools libevent-dev libboost-dev libzmq3-dev libqrencode-dev libsqlite3-dev ${BPFCC_PACKAGE} libcapnp-dev capnproto python3-pip"
+export PIP_PACKAGES="--break-system-packages pycapnp"
 export NO_DEPENDS=1
 export GOAL="install"
+export CI_LIMIT_STACK_SIZE=1
 export BITCOIN_CONFIG="\
- -DWITH_USDT=ON -DWITH_ZMQ=ON -DWITH_BDB=ON -DWARN_INCOMPATIBLE_BDB=OFF -DBUILD_GUI=ON \
+ --preset=dev-mode \
  -DSANITIZERS=address,float-divide-by-zero,integer,undefined \
- -DCMAKE_C_COMPILER=clang-${APT_LLVM_V} \
- -DCMAKE_CXX_COMPILER=clang++-${APT_LLVM_V} \
+ -DCMAKE_C_COMPILER=clang \
+ -DCMAKE_CXX_COMPILER=clang++ \
  -DCMAKE_C_FLAGS='-ftrivial-auto-var-init=pattern' \
- -DCMAKE_CXX_FLAGS='-ftrivial-auto-var-init=pattern -Wno-error=deprecated-declarations' \
+ -DCMAKE_CXX_FLAGS='-ftrivial-auto-var-init=pattern' \
+ -DCMAKE_EXE_LINKER_FLAGS='-fuse-ld=mold' \
  -DAPPEND_CXXFLAGS='-std=c++23' \
  -DAPPEND_CPPFLAGS='-DARENA_DEBUG -DDEBUG_LOCKORDER' \
 "

ci/test/00_setup_env_native_centos.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2020-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-
-export CONTAINER_NAME=ci_native_centos
-export CI_IMAGE_NAME_TAG="quay.io/centos/centos:stream10"
-export CI_BASE_PACKAGES="gcc-c++ glibc-devel libstdc++-devel ccache make git python3 python3-pip which patch xz procps-ng ksh rsync coreutils bison e2fsprogs cmake"
-export PIP_PACKAGES="pyzmq"
-export DEP_OPTS="DEBUG=1"  # Temporarily enable a DEBUG=1 build to check for GCC-bug-117966 regressions. This can be removed once the minimum GCC version is bumped to 12 in the previous releases task, see https://github.com/bitcoin/bitcoin/issues/31436#issuecomment-2530717875
-export GOAL="install"
-export BITCOIN_CONFIG="-DWITH_ZMQ=ON -DBUILD_GUI=ON -DREDUCE_EXPORTS=ON -DCMAKE_BUILD_TYPE=Debug"

ci/test/00_setup_env_native_fuzz.sh

@@ -8,8 +8,8 @@ export LC_ALL=C.UTF-8
 
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
 export CONTAINER_NAME=ci_native_fuzz
-export APT_LLVM_V="20"
-export PACKAGES="clang-${APT_LLVM_V} llvm-${APT_LLVM_V} libclang-rt-${APT_LLVM_V}-dev libevent-dev libboost-dev libsqlite3-dev"
+export APT_LLVM_V="21"
+export PACKAGES="clang-${APT_LLVM_V} llvm-${APT_LLVM_V} libclang-rt-${APT_LLVM_V}-dev libevent-dev libboost-dev libsqlite3-dev libcapnp-dev capnproto"
 export NO_DEPENDS=1
 export RUN_UNIT_TESTS=false
 export RUN_FUNCTIONAL_TESTS=false
@@ -19,9 +19,8 @@ export CI_CONTAINER_CAP="--cap-add SYS_PTRACE"  # If run with (ASan + LSan), the
 export BITCOIN_CONFIG="\
  -DBUILD_FOR_FUZZING=ON \
  -DSANITIZERS=fuzzer,address,undefined,float-divide-by-zero,integer \
- -DCMAKE_C_COMPILER=clang-${APT_LLVM_V} \
- -DCMAKE_CXX_COMPILER=clang++-${APT_LLVM_V} \
+ -DCMAKE_C_COMPILER=clang \
+ -DCMAKE_CXX_COMPILER=clang++ \
  -DCMAKE_C_FLAGS='-ftrivial-auto-var-init=pattern' \
  -DCMAKE_CXX_FLAGS='-ftrivial-auto-var-init=pattern' \
 "
-export LLVM_SYMBOLIZER_PATH="/usr/bin/llvm-symbolizer-${APT_LLVM_V}"

ci/test/00_setup_env_native_fuzz_with_msan.sh

@@ -7,15 +7,16 @@
 export LC_ALL=C.UTF-8
 
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
-LIBCXX_DIR="/msan/cxx_build/"
+export APT_LLVM_V="21"
+LIBCXX_DIR="/cxx_build/"
 export MSAN_FLAGS="-fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O1 -fno-optimize-sibling-calls"
-LIBCXX_FLAGS="-nostdinc++ -nostdlib++ -isystem ${LIBCXX_DIR}include/c++/v1 -L${LIBCXX_DIR}lib -Wl,-rpath,${LIBCXX_DIR}lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument"
+# -lstdc++ to resolve link issues due to upstream packaging
+LIBCXX_FLAGS="-nostdinc++ -nostdlib++ -isystem ${LIBCXX_DIR}include/c++/v1 -L${LIBCXX_DIR}lib -Wl,-rpath,${LIBCXX_DIR}lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument -lstdc++"
 export MSAN_AND_LIBCXX_FLAGS="${MSAN_FLAGS} ${LIBCXX_FLAGS}"
 
 export CONTAINER_NAME="ci_native_fuzz_msan"
-export PACKAGES="ninja-build"
-# BDB generates false-positives and will be removed in future
-export DEP_OPTS="DEBUG=1 NO_BDB=1 NO_QT=1 CC=clang CXX=clang++ CFLAGS='${MSAN_FLAGS}' CXXFLAGS='${MSAN_AND_LIBCXX_FLAGS}'"
+export PACKAGES="clang-${APT_LLVM_V} llvm-${APT_LLVM_V} llvm-${APT_LLVM_V}-dev libclang-${APT_LLVM_V}-dev libclang-rt-${APT_LLVM_V}-dev"
+export DEP_OPTS="DEBUG=1 NO_QT=1 CC=clang CXX=clang++ CFLAGS='${MSAN_FLAGS}' CXXFLAGS='${MSAN_AND_LIBCXX_FLAGS}'"
 export GOAL="all"
 # Setting CMAKE_{C,CXX}_FLAGS_DEBUG flags to an empty string ensures that the flags set in MSAN_FLAGS remain unaltered.
 # _FORTIFY_SOURCE is not compatible with MSAN.
@@ -24,10 +25,10 @@ export BITCOIN_CONFIG="\
  -DCMAKE_C_FLAGS_DEBUG='' \
  -DCMAKE_CXX_FLAGS_DEBUG='' \
  -DBUILD_FOR_FUZZING=ON \
- -DSANITIZERS=fuzzer,memory \
+ -DSANITIZERS=memory \
  -DAPPEND_CPPFLAGS='-DBOOST_MULTI_INDEX_ENABLE_SAFE_MODE -U_FORTIFY_SOURCE' \
 "
-export USE_MEMORY_SANITIZER="true"
+export USE_INSTRUMENTED_LIBCPP="MemoryWithOrigins"
 export RUN_UNIT_TESTS="false"
 export RUN_FUNCTIONAL_TESTS="false"
 export RUN_FUZZ_TESTS=true

ci/test/00_setup_env_native_fuzz_with_valgrind.sh

@@ -6,9 +6,9 @@
 
 export LC_ALL=C.UTF-8
 
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CONTAINER_NAME=ci_native_fuzz_valgrind
-export PACKAGES="clang-16 llvm-16 libclang-rt-16-dev libevent-dev libboost-dev libsqlite3-dev valgrind"
+export PACKAGES="libevent-dev libboost-dev libsqlite3-dev valgrind libcapnp-dev capnproto"
 export NO_DEPENDS=1
 export RUN_UNIT_TESTS=false
 export RUN_FUNCTIONAL_TESTS=false
@@ -17,8 +17,5 @@ export FUZZ_TESTS_CONFIG="--valgrind"
 export GOAL="all"
 export BITCOIN_CONFIG="\
  -DBUILD_FOR_FUZZING=ON \
- -DSANITIZERS=fuzzer \
- -DCMAKE_C_COMPILER=clang-16 \
- -DCMAKE_CXX_COMPILER=clang++-16 \
+ -DCMAKE_CXX_FLAGS='-Wno-error=array-bounds' \
 "
-export LLVM_SYMBOLIZER_PATH="/usr/bin/llvm-symbolizer-16"

ci/test/00_setup_env_native_iwyu.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2023-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # To build codegen, CMake must be 3.31 or newer.
+export CONTAINER_NAME=ci_native_iwyu
+export TIDY_LLVM_V="21"
+export APT_LLVM_V="${TIDY_LLVM_V}"
+export PACKAGES="clang-${TIDY_LLVM_V} clang-format-${TIDY_LLVM_V} libclang-${TIDY_LLVM_V}-dev llvm-${TIDY_LLVM_V}-dev jq libevent-dev libboost-dev libzmq3-dev systemtap-sdt-dev qt6-base-dev qt6-tools-dev qt6-l10n-tools libqrencode-dev libsqlite3-dev libcapnp-dev capnproto"
+export NO_DEPENDS=1
+export RUN_UNIT_TESTS=false
+export RUN_FUNCTIONAL_TESTS=false
+export RUN_FUZZ_TESTS=false
+export RUN_CHECK_DEPS=false
+export RUN_IWYU=true
+export GOAL="codegen"
+export BITCOIN_CONFIG="\
+ --preset dev-mode -DBUILD_GUI=OFF \
+ -DCMAKE_C_COMPILER=clang-${TIDY_LLVM_V} \
+ -DCMAKE_CXX_COMPILER=clang++-${TIDY_LLVM_V} \
+"

ci/test/00_setup_env_native_msan.sh

@@ -7,23 +7,27 @@
 export LC_ALL=C.UTF-8
 
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
-LIBCXX_DIR="/msan/cxx_build/"
+export APT_LLVM_V="21"
+LIBCXX_DIR="/cxx_build/"
 export MSAN_FLAGS="-fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O1 -fno-optimize-sibling-calls"
 LIBCXX_FLAGS="-nostdinc++ -nostdlib++ -isystem ${LIBCXX_DIR}include/c++/v1 -L${LIBCXX_DIR}lib -Wl,-rpath,${LIBCXX_DIR}lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument"
 export MSAN_AND_LIBCXX_FLAGS="${MSAN_FLAGS} ${LIBCXX_FLAGS}"
 
 export CONTAINER_NAME="ci_native_msan"
-export PACKAGES="ninja-build"
-# BDB generates false-positives and will be removed in future
-export DEP_OPTS="DEBUG=1 NO_BDB=1 NO_QT=1 CC=clang CXX=clang++ CFLAGS='${MSAN_FLAGS}' CXXFLAGS='${MSAN_AND_LIBCXX_FLAGS}'"
+export PACKAGES="clang-${APT_LLVM_V} llvm-${APT_LLVM_V} llvm-${APT_LLVM_V}-dev libclang-${APT_LLVM_V}-dev libclang-rt-${APT_LLVM_V}-dev python3-pip"
+export PIP_PACKAGES="--break-system-packages pycapnp"
+export DEP_OPTS="DEBUG=1 NO_QT=1 CC=clang CXX=clang++ CFLAGS='${MSAN_FLAGS}' CXXFLAGS='${MSAN_AND_LIBCXX_FLAGS}'"
 export GOAL="install"
+export CI_LIMIT_STACK_SIZE=1
 # Setting CMAKE_{C,CXX}_FLAGS_DEBUG flags to an empty string ensures that the flags set in MSAN_FLAGS remain unaltered.
 # _FORTIFY_SOURCE is not compatible with MSAN.
 export BITCOIN_CONFIG="\
+ --preset=dev-mode \
+ -DBUILD_GUI=OFF \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_FLAGS_DEBUG='' \
  -DCMAKE_CXX_FLAGS_DEBUG='' \
  -DSANITIZERS=memory \
  -DAPPEND_CPPFLAGS='-U_FORTIFY_SOURCE' \
 "
-export USE_MEMORY_SANITIZER="true"
+export USE_INSTRUMENTED_LIBCPP="MemoryWithOrigins"

ci/test/00_setup_env_native_nowallet.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export CONTAINER_NAME=ci_native_nowallet
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+# Use minimum supported python3.10 (or best-effort 3.12) and clang-17, see doc/dependencies.md
+export PACKAGES="python3-zmq python3-pip clang-17 llvm-17 libc++abi-17-dev libc++-17-dev"
+export PIP_PACKAGES="--break-system-packages pycapnp"
+export DEP_OPTS="NO_WALLET=1 CC=clang-17 CXX='clang++-17 -stdlib=libc++'"
+export GOAL="install"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DREDUCE_EXPORTS=ON \
+  -DENABLE_WALLET=OFF \
+"

ci/test/00_setup_env_native_nowallet_libbitcoinkernel.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2019-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-
-export CONTAINER_NAME=ci_native_nowallet_libbitcoinkernel
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:bookworm"
-# Use minimum supported python3.10 (or best-effort 3.11) and clang-16, see doc/dependencies.md
-export PACKAGES="python3-zmq clang-16 llvm-16 libc++abi-16-dev libc++-16-dev"
-export DEP_OPTS="NO_WALLET=1 CC=clang-16 CXX='clang++-16 -stdlib=libc++'"
-export GOAL="install"
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON -DBUILD_UTIL_CHAINSTATE=ON -DBUILD_KERNEL_LIB=ON -DBUILD_SHARED_LIBS=ON"

ci/test/00_setup_env_native_previous_releases.sh

@@ -8,20 +8,20 @@ export LC_ALL=C.UTF-8
 
 export CONTAINER_NAME=ci_native_previous_releases
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:22.04"
-# Use minimum supported python3.10 and gcc-11, see doc/dependencies.md
-export PACKAGES="gcc-11 g++-11 python3-zmq"
-export DEP_OPTS="DEBUG=1 CC=gcc-11 CXX=g++-11"
+# Use minimum supported python3.10 and gcc-12, see doc/dependencies.md
+export PACKAGES="gcc-12 g++-12 python3-zmq"
+export DEP_OPTS="CC=gcc-12 CXX=g++-12"
 export TEST_RUNNER_EXTRA="--previous-releases --coverage --extended --exclude feature_dbcrash"  # Run extended tests so that coverage does not fail, but exclude the very slow dbcrash
-export RUN_UNIT_TESTS_SEQUENTIAL="true"
-export RUN_UNIT_TESTS="false"
 export GOAL="install"
+export CI_LIMIT_STACK_SIZE=1
 export DOWNLOAD_PREVIOUS_RELEASES="true"
 export BITCOIN_CONFIG="\
- -DWITH_ZMQ=ON -DBUILD_GUI=ON -DREDUCE_EXPORTS=ON \
+ --preset=dev-mode \
+ -DREDUCE_EXPORTS=ON \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_FLAGS='-funsigned-char' \
- -DCMAKE_C_FLAGS_DEBUG='-g0 -O2' \
+ -DCMAKE_C_FLAGS_DEBUG='-g2 -O2' \
  -DCMAKE_CXX_FLAGS='-funsigned-char' \
- -DCMAKE_CXX_FLAGS_DEBUG='-g0 -O2' \
+ -DCMAKE_CXX_FLAGS_DEBUG='-g2 -O2' \
  -DAPPEND_CPPFLAGS='-DBOOST_MULTI_INDEX_ENABLE_SAFE_MODE' \
 "

ci/test/00_setup_env_native_tidy.sh

@@ -8,9 +8,9 @@ export LC_ALL=C.UTF-8
 
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
 export CONTAINER_NAME=ci_native_tidy
-export TIDY_LLVM_V="19"
+export TIDY_LLVM_V="21"
 export APT_LLVM_V="${TIDY_LLVM_V}"
-export PACKAGES="clang-${TIDY_LLVM_V} libclang-${TIDY_LLVM_V}-dev llvm-${TIDY_LLVM_V}-dev libomp-${TIDY_LLVM_V}-dev clang-tidy-${TIDY_LLVM_V} jq libevent-dev libboost-dev libzmq3-dev systemtap-sdt-dev qtbase5-dev qttools5-dev qttools5-dev-tools libqrencode-dev libsqlite3-dev libdb++-dev"
+export PACKAGES="clang-${TIDY_LLVM_V} libclang-${TIDY_LLVM_V}-dev llvm-${TIDY_LLVM_V}-dev libomp-${TIDY_LLVM_V}-dev clang-tidy-${TIDY_LLVM_V} jq libevent-dev libboost-dev libzmq3-dev systemtap-sdt-dev qt6-base-dev qt6-tools-dev qt6-l10n-tools libqrencode-dev libsqlite3-dev libcapnp-dev capnproto"
 export NO_DEPENDS=1
 export RUN_UNIT_TESTS=false
 export RUN_FUNCTIONAL_TESTS=false
@@ -19,8 +19,7 @@ export RUN_CHECK_DEPS=true
 export RUN_TIDY=true
 export GOAL="install"
 export BITCOIN_CONFIG="\
- -DWITH_ZMQ=ON -DBUILD_GUI=ON -DBUILD_BENCH=ON -DWITH_USDT=ON -DWITH_BDB=ON -DWARN_INCOMPATIBLE_BDB=OFF \
- -DENABLE_HARDENING=OFF \
+ --preset dev-mode \
  -DCMAKE_C_COMPILER=clang-${TIDY_LLVM_V} \
  -DCMAKE_CXX_COMPILER=clang++-${TIDY_LLVM_V} \
  -DCMAKE_C_FLAGS_RELWITHDEBINFO='-O0 -g0' \

ci/test/00_setup_env_native_tsan.sh

@@ -8,9 +8,18 @@ export LC_ALL=C.UTF-8
 
 export CONTAINER_NAME=ci_native_tsan
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
-export APT_LLVM_V="20"
-export PACKAGES="clang-${APT_LLVM_V} llvm-${APT_LLVM_V} libclang-rt-${APT_LLVM_V}-dev libc++abi-${APT_LLVM_V}-dev libc++-${APT_LLVM_V}-dev python3-zmq"
-export DEP_OPTS="CC=clang-${APT_LLVM_V} CXX='clang++-${APT_LLVM_V} -stdlib=libc++'"
+export APT_LLVM_V="21"
+LIBCXX_DIR="/cxx_build/"
+LIBCXX_FLAGS="-fsanitize=thread -nostdinc++ -nostdlib++ -isystem ${LIBCXX_DIR}include/c++/v1 -L${LIBCXX_DIR}lib -Wl,-rpath,${LIBCXX_DIR}lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument"
+export PACKAGES="clang-${APT_LLVM_V} llvm-${APT_LLVM_V} llvm-${APT_LLVM_V}-dev libclang-${APT_LLVM_V}-dev libclang-rt-${APT_LLVM_V}-dev python3-zmq python3-pip"
+export PIP_PACKAGES="--break-system-packages pycapnp"
+export DEP_OPTS="CC=clang CXX=clang++ CXXFLAGS='${LIBCXX_FLAGS}' NO_QT=1"
 export GOAL="install"
-export BITCOIN_CONFIG="-DWITH_ZMQ=ON -DSANITIZERS=thread \
--DAPPEND_CPPFLAGS='-DARENA_DEBUG -DDEBUG_LOCKORDER -DDEBUG_LOCKCONTENTION -D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES'"
+export CI_LIMIT_STACK_SIZE=1
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DBUILD_GUI=OFF \
+  -DSANITIZERS=thread \
+  -DAPPEND_CPPFLAGS='-DARENA_DEBUG -DDEBUG_LOCKCONTENTION -D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES' \
+"
+export USE_INSTRUMENTED_LIBCPP="Thread"

ci/test/00_setup_env_native_valgrind.sh

@@ -6,16 +6,18 @@
 
 export LC_ALL=C.UTF-8
 
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CONTAINER_NAME=ci_native_valgrind
-export PACKAGES="valgrind clang-16 llvm-16 libclang-rt-16-dev python3-zmq libevent-dev libboost-dev libdb5.3++-dev libzmq3-dev libsqlite3-dev"
+export PACKAGES="valgrind python3-zmq libevent-dev libboost-dev libzmq3-dev libsqlite3-dev libcapnp-dev capnproto python3-pip"
+export PIP_PACKAGES="--break-system-packages pycapnp"
 export USE_VALGRIND=1
 export NO_DEPENDS=1
-export TEST_RUNNER_EXTRA="--exclude feature_init,rpc_bind,feature_bind_extra"  # feature_init excluded for now, see https://github.com/bitcoin/bitcoin/issues/30011 ; bind tests excluded for now, see https://github.com/bitcoin/bitcoin/issues/17765#issuecomment-602068547
+# bind tests excluded for now, see https://github.com/bitcoin/bitcoin/issues/17765#issuecomment-602068547
+export TEST_RUNNER_EXTRA="--exclude rpc_bind --exclude feature_bind_extra"
 export GOAL="install"
 # TODO enable GUI
 export BITCOIN_CONFIG="\
- -DWITH_ZMQ=ON -DWITH_BDB=ON -DWARN_INCOMPATIBLE_BDB=OFF -DBUILD_GUI=OFF \
- -DCMAKE_C_COMPILER=clang-16 \
- -DCMAKE_CXX_COMPILER=clang++-16 \
+  --preset=dev-mode \
+ -DBUILD_GUI=OFF \
+ -DWITH_USDT=OFF \
 "

ci/test/00_setup_env_s390x.sh

@@ -9,9 +9,13 @@ export LC_ALL=C.UTF-8
 export HOST=s390x-linux-gnu
 export PACKAGES="python3-zmq"
 export CONTAINER_NAME=ci_s390x
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:24.04"
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CI_IMAGE_PLATFORM="linux/s390x"
-export TEST_RUNNER_EXTRA="--exclude rpc_bind,feature_bind_extra"  # Excluded for now, see https://github.com/bitcoin/bitcoin/issues/17765#issuecomment-602068547
+# bind tests excluded for now, see https://github.com/bitcoin/bitcoin/issues/17765#issuecomment-602068547
+export TEST_RUNNER_EXTRA="--exclude rpc_bind --exclude feature_bind_extra"
 export RUN_FUNCTIONAL_TESTS=true
 export GOAL="install"
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DREDUCE_EXPORTS=ON \
+"

ci/test/00_setup_env_win64.sh

@@ -1,21 +1,22 @@
 #!/usr/bin/env bash
 #
-# Copyright (c) 2019-present The Bitcoin Core developers
+# Copyright (c) 2025-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 export LC_ALL=C.UTF-8
 
 export CONTAINER_NAME=ci_win64
-export CI_IMAGE_NAME_TAG="mirror.gcr.io/ubuntu:noble"  # Check that g++-mingw-w64-x86-64-posix (version 13.2, similar to guix) can cross-compile
-export CI_IMAGE_PLATFORM="linux/amd64"
-export HOST=x86_64-w64-mingw32
-export DPKG_ADD_ARCH="i386"
-export PACKAGES="nsis g++-mingw-w64-x86-64-posix wine-binfmt wine64 wine32 file"
-# Install wine, but do not run unit tests, as they surface frequent
-# false-positives.
-export RUN_UNIT_TESTS=${RUN_UNIT_TESTS:-false}
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # Check that https://packages.debian.org/trixie/g++-mingw-w64-ucrt64 can cross-compile
+export HOST=x86_64-w64-mingw32ucrt
+export PACKAGES="g++-mingw-w64-ucrt64 nsis"
+export RUN_UNIT_TESTS=false
 export RUN_FUNCTIONAL_TESTS=false
 export GOAL="deploy"
-export BITCOIN_CONFIG="-DREDUCE_EXPORTS=ON -DBUILD_GUI_TESTS=OFF \
--DCMAKE_CXX_FLAGS='-Wno-error=maybe-uninitialized -Wno-error=array-bounds'"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DENABLE_IPC=OFF \
+  -DWITH_USDT=OFF \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_CXX_FLAGS='-Wno-error=maybe-uninitialized' \
+"

ci/test/00_setup_env_win64_msvcrt.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+export LC_ALL=C.UTF-8
+
+export CONTAINER_NAME=ci_win64_msvcrt
+export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"  # Check that https://packages.debian.org/trixie/g++-mingw-w64-x86-64-posix (version 14.x, similar to guix) can cross-compile
+export HOST=x86_64-w64-mingw32
+export PACKAGES="g++-mingw-w64-x86-64-posix nsis"
+export RUN_UNIT_TESTS=false
+export RUN_FUNCTIONAL_TESTS=false
+export GOAL="deploy"
+export BITCOIN_CONFIG="\
+  --preset=dev-mode \
+  -DENABLE_IPC=OFF \
+  -DWITH_USDT=OFF \
+  -DREDUCE_EXPORTS=ON \
+  -DCMAKE_CXX_FLAGS='-Wno-error=maybe-uninitialized' \
+"

ci/test/01_base_install.sh

@@ -6,11 +6,11 @@
 
 export LC_ALL=C.UTF-8
 
-set -ex
+set -o errexit -o pipefail -o xtrace
 
-CFG_DONE="ci.base-install-done"  # Use a global git setting to remember whether this script ran to avoid running it twice
+CFG_DONE="${BASE_ROOT_DIR}/ci.base-install-done"  # Use a global setting to remember whether this script ran to avoid running it twice
 
-if [ "$(git config --global ${CFG_DONE})" == "true" ]; then
+if [ "$( cat "${CFG_DONE}" || true )" == "done" ]; then
   echo "Skip base install"
   exit 0
 fi
@@ -32,15 +32,23 @@ if [ -n "${APT_LLVM_V}" ]; then
   )
 fi
 
-if [[ $CI_IMAGE_NAME_TAG == *centos* ]]; then
-  bash -c "dnf -y install epel-release"
-  bash -c "dnf -y --allowerasing install $CI_BASE_PACKAGES $PACKAGES"
+if [[ $CI_IMAGE_NAME_TAG == *alpine* ]]; then
+  ${CI_RETRY_EXE} apk update
+  # shellcheck disable=SC2086
+  ${CI_RETRY_EXE} apk add --no-cache $CI_BASE_PACKAGES $PACKAGES
 elif [ "$CI_OS_NAME" != "macos" ]; then
   if [[ -n "${APPEND_APT_SOURCES_LIST}" ]]; then
     echo "${APPEND_APT_SOURCES_LIST}" >> /etc/apt/sources.list
   fi
   ${CI_RETRY_EXE} apt-get update
-  ${CI_RETRY_EXE} bash -c "apt-get install --no-install-recommends --no-upgrade -y $PACKAGES $CI_BASE_PACKAGES"
+  # shellcheck disable=SC2086
+  ${CI_RETRY_EXE} apt-get install --no-install-recommends --no-upgrade -y $PACKAGES $CI_BASE_PACKAGES
+fi
+
+if [ -n "${APT_LLVM_V}" ]; then
+  update-alternatives --install /usr/bin/clang++ clang++ "/usr/bin/clang++-${APT_LLVM_V}" 100
+  update-alternatives --install /usr/bin/clang clang "/usr/bin/clang-${APT_LLVM_V}" 100
+  update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer "/usr/bin/llvm-symbolizer-${APT_LLVM_V}" 100
 fi
 
 if [ -n "$PIP_PACKAGES" ]; then
@@ -48,27 +56,13 @@ if [ -n "$PIP_PACKAGES" ]; then
   ${CI_RETRY_EXE} pip3 install --user $PIP_PACKAGES
 fi
 
-if [[ ${USE_MEMORY_SANITIZER} == "true" ]]; then
-  ${CI_RETRY_EXE} git clone --depth=1 https://github.com/llvm/llvm-project -b "llvmorg-20.1.0" /msan/llvm-project
+if [[ -n "${USE_INSTRUMENTED_LIBCPP}" ]]; then
+  ${CI_RETRY_EXE} git clone --depth=1 https://github.com/llvm/llvm-project -b "llvmorg-21.1.5" /llvm-project
 
-  cmake -G Ninja -B /msan/clang_build/ \
-    -DLLVM_ENABLE_PROJECTS="clang" \
-    -DCMAKE_BUILD_TYPE=Release \
-    -DLLVM_TARGETS_TO_BUILD=Native \
-    -DLLVM_ENABLE_RUNTIMES="compiler-rt;libcxx;libcxxabi;libunwind" \
-    -S /msan/llvm-project/llvm
-
-  ninja -C /msan/clang_build/ "$MAKEJOBS"
-  ninja -C /msan/clang_build/ install-runtimes
-
-  update-alternatives --install /usr/bin/clang++ clang++ /msan/clang_build/bin/clang++ 100
-  update-alternatives --install /usr/bin/clang clang /msan/clang_build/bin/clang 100
-  update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer /msan/clang_build/bin/llvm-symbolizer 100
-
-  cmake -G Ninja -B /msan/cxx_build/ \
+  cmake -G Ninja -B /cxx_build/ \
     -DLLVM_ENABLE_RUNTIMES="libcxx;libcxxabi;libunwind" \
     -DCMAKE_BUILD_TYPE=Release \
-    -DLLVM_USE_SANITIZER=MemoryWithOrigins \
+    -DLLVM_USE_SANITIZER="${USE_INSTRUMENTED_LIBCPP}" \
     -DCMAKE_C_COMPILER=clang \
     -DCMAKE_CXX_COMPILER=clang++ \
     -DLLVM_TARGETS_TO_BUILD=Native \
@@ -76,17 +70,18 @@ if [[ ${USE_MEMORY_SANITIZER} == "true" ]]; then
     -DLIBCXXABI_USE_LLVM_UNWINDER=OFF \
     -DLIBCXX_ABI_DEFINES="_LIBCPP_ABI_BOUNDED_ITERATORS;_LIBCPP_ABI_BOUNDED_ITERATORS_IN_STD_ARRAY;_LIBCPP_ABI_BOUNDED_ITERATORS_IN_STRING;_LIBCPP_ABI_BOUNDED_ITERATORS_IN_VECTOR;_LIBCPP_ABI_BOUNDED_UNIQUE_PTR" \
     -DLIBCXX_HARDENING_MODE=debug \
-    -S /msan/llvm-project/runtimes
+    -S /llvm-project/runtimes
 
-  ninja -C /msan/cxx_build/ "$MAKEJOBS"
+  ninja -C /cxx_build/ "$MAKEJOBS"
 
   # Clear no longer needed source folder
-  du -sh /msan/llvm-project
-  rm -rf /msan/llvm-project
+  du -sh /llvm-project
+  rm -rf /llvm-project
 fi
 
-if [[ "${RUN_TIDY}" == "true" ]]; then
+if [[ "${RUN_IWYU}" == true ]]; then
   ${CI_RETRY_EXE} git clone --depth=1 https://github.com/include-what-you-use/include-what-you-use -b clang_"${TIDY_LLVM_V}" /include-what-you-use
+  (cd /include-what-you-use && patch -p1 < /ci_container_base/ci/test/01_iwyu.patch)
   cmake -B /iwyu-build/ -G 'Unix Makefiles' -DCMAKE_PREFIX_PATH=/usr/lib/llvm-"${TIDY_LLVM_V}" -S /include-what-you-use
   make -C /iwyu-build/ install "$MAKEJOBS"
 fi
@@ -96,7 +91,7 @@ mkdir -p "${DEPENDS_DIR}/SDKs" "${DEPENDS_DIR}/sdk-sources"
 OSX_SDK_BASENAME="Xcode-${XCODE_VERSION}-${XCODE_BUILD_ID}-extracted-SDK-with-libcxx-headers"
 
 if [ -n "$XCODE_VERSION" ] && [ ! -d "${DEPENDS_DIR}/SDKs/${OSX_SDK_BASENAME}" ]; then
-  OSX_SDK_FILENAME="${OSX_SDK_BASENAME}.tar.gz"
+  OSX_SDK_FILENAME="${OSX_SDK_BASENAME}.tar"
   OSX_SDK_PATH="${DEPENDS_DIR}/sdk-sources/${OSX_SDK_FILENAME}"
   if [ ! -f "$OSX_SDK_PATH" ]; then
     ${CI_RETRY_EXE} curl --location --fail "${SDK_URL}/${OSX_SDK_FILENAME}" -o "$OSX_SDK_PATH"
@@ -104,4 +99,4 @@ if [ -n "$XCODE_VERSION" ] && [ ! -d "${DEPENDS_DIR}/SDKs/${OSX_SDK_BASENAME}" ]
   tar -C "${DEPENDS_DIR}/SDKs" -xf "$OSX_SDK_PATH"
 fi
 
-git config --global ${CFG_DONE} "true"
+echo -n "done" > "${CFG_DONE}"

ci/test/01_iwyu.patch

@@ -0,0 +1,600 @@
+Prefer angled brackets over quotes for include directives.
+See: https://en.cppreference.com/w/cpp/preprocessor/include.html.
+
+--- a/iwyu_path_util.cc
++++ b/iwyu_path_util.cc
+@@ -211,7 +211,7 @@ bool IsQuotedInclude(const string& s) {
+ }
+
+ string AddQuotes(string include_name, bool angled) {
+-  if (angled) {
++  if (true) {
+       return "<" + include_name + ">";
+   }
+   return "\"" + include_name + "\"";
+
+
+Prefer C++ headers over C counterparts.
+See: https://github.com/include-what-you-use/include-what-you-use/blob/clang_21/iwyu_include_picker.cc#L587-L629.
+
+--- a/iwyu_include_picker.cc
++++ b/iwyu_include_picker.cc
+@@ -100,20 +100,20 @@ const IncludeMapEntry libc_symbol_map[] = {
+   // equal.  The visibility on the symbol-name is ignored; by convention
+   // we always set it to kPrivate.
+   { "_POSIX_VDISABLE", kPrivate, "<unistd.h>", kPublic },
+-  { "abort", kPrivate, "<stdlib.h>", kPublic },
++  { "abort", kPrivate, "<stdlib.h>", kPrivate },
+   { "aiocb", kPrivate, "<aio.h>", kPublic },
+   { "blkcnt_t", kPrivate, "<sys/types.h>", kPublic },
+   { "blksize_t", kPrivate, "<sys/types.h>", kPublic },
+   { "cc_t", kPrivate, "<termios.h>", kPublic },
+-  { "clock_t", kPrivate, "<time.h>", kPublic },
++  { "clock_t", kPrivate, "<time.h>", kPrivate },
+   { "clock_t", kPrivate, "<sys/types.h>", kPublic },
+   { "clockid_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "ctermid", kPrivate, "<stdio.h>", kPublic },
++  { "ctermid", kPrivate, "<stdio.h>", kPrivate },
+   { "daddr_t", kPrivate, "<sys/types.h>", kPublic },
+   { "dev_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "div_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "double_t", kPrivate, "<math.h>", kPublic },
+-  { "error_t", kPrivate, "<errno.h>", kPublic },
++  { "div_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "double_t", kPrivate, "<math.h>", kPrivate },
++  { "error_t", kPrivate, "<errno.h>", kPrivate },
+   { "error_t", kPrivate, "<argp.h>", kPublic },
+   { "error_t", kPrivate, "<argz.h>", kPublic },
+   { "FD_CLR", kPrivate, "<sys/select.h>", kPublic },
+@@ -122,10 +122,10 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "fd_set", kPrivate, "<sys/select.h>", kPublic },
+   { "FD_SETSIZE", kPrivate, "<sys/select.h>", kPublic },
+   { "FD_ZERO", kPrivate, "<sys/select.h>", kPublic },
+-  { "fenv_t", kPrivate, "<fenv.h>", kPublic },
+-  { "fexcept_t", kPrivate, "<fenv.h>", kPublic },
+-  { "FILE", kPrivate, "<stdio.h>", kPublic },
+-  { "float_t", kPrivate, "<math.h>", kPublic },
++  { "fenv_t", kPrivate, "<fenv.h>", kPrivate },
++  { "fexcept_t", kPrivate, "<fenv.h>", kPrivate },
++  { "FILE", kPrivate, "<stdio.h>", kPrivate },
++  { "float_t", kPrivate, "<math.h>", kPrivate },
+   { "fsblkcnt_t", kPrivate, "<sys/types.h>", kPublic },
+   { "fsfilcnt_t", kPrivate, "<sys/types.h>", kPublic },
+   { "getopt", kPrivate, "<unistd.h>", kPublic },
+@@ -135,31 +135,31 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "in_addr_t", kPrivate, "<netinet/in.h>", kPublic },
+   { "in_port_t", kPrivate, "<netinet/in.h>", kPublic },
+   { "id_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "imaxdiv_t", kPrivate, "<inttypes.h>", kPublic },
+-  { "intmax_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uintmax_t", kPrivate, "<stdint.h>", kPublic },
++  { "imaxdiv_t", kPrivate, "<inttypes.h>", kPrivate },
++  { "intmax_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uintmax_t", kPrivate, "<stdint.h>", kPrivate },
+   { "ino64_t", kPrivate, "<sys/types.h>", kPublic },
+   { "ino_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "int8_t", kPrivate, "<stdint.h>", kPublic },
+-  { "int16_t", kPrivate, "<stdint.h>", kPublic },
+-  { "int32_t", kPrivate, "<stdint.h>", kPublic },
+-  { "int64_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint8_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint16_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint32_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uint64_t", kPrivate, "<stdint.h>", kPublic },
+-  { "intptr_t", kPrivate, "<stdint.h>", kPublic },
+-  { "uintptr_t", kPrivate, "<stdint.h>", kPublic },
++  { "int8_t", kPrivate, "<stdint.h>", kPrivate },
++  { "int16_t", kPrivate, "<stdint.h>", kPrivate },
++  { "int32_t", kPrivate, "<stdint.h>", kPrivate },
++  { "int64_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint8_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint16_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint32_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uint64_t", kPrivate, "<stdint.h>", kPrivate },
++  { "intptr_t", kPrivate, "<stdint.h>", kPrivate },
++  { "uintptr_t", kPrivate, "<stdint.h>", kPrivate },
+   { "iovec", kPrivate, "<sys/uio.h>", kPublic },
+-  { "itimerspec", kPrivate, "<time.h>", kPublic },
++  { "itimerspec", kPrivate, "<time.h>", kPrivate },
+   { "key_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "L_ctermid", kPrivate, "<stdio.h>", kPublic },
+-  { "lconv", kPrivate, "<locale.h>", kPublic },
+-  { "ldiv_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "lldiv_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "locale_t", kPrivate, "<locale.h>", kPublic },
+-  { "max_align_t", kPrivate, "<stddef.h>", kPublic },
+-  { "mbstate_t", kPrivate, "<wchar.h>", kPublic },
++  { "L_ctermid", kPrivate, "<stdio.h>", kPrivate },
++  { "lconv", kPrivate, "<locale.h>", kPrivate },
++  { "ldiv_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "lldiv_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "locale_t", kPrivate, "<locale.h>", kPrivate },
++  { "max_align_t", kPrivate, "<stddef.h>", kPrivate },
++  { "mbstate_t", kPrivate, "<wchar.h>", kPrivate },
+   { "mcontext_t", kPrivate, "<ucontext.h>", kPublic },
+   { "mode_t", kPrivate, "<sys/types.h>", kPublic },
+   { "nl_item", kPrivate, "<nl_types.h>", kPublic },
+@@ -175,8 +175,8 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "optind", kPrivate, "<unistd.h>", kPublic },
+   { "optopt", kPrivate, "<unistd.h>", kPublic },
+   { "pid_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "posix_memalign", kPrivate, "<stdlib.h>", kPublic },
+-  { "printf", kPrivate, "<stdio.h>", kPublic },
++  { "posix_memalign", kPrivate, "<stdlib.h>", kPrivate },
++  { "printf", kPrivate, "<stdio.h>", kPrivate },
+   { "pthread_attr_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_cond_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_condattr_t", kPrivate, "<pthread.h>", kPublic },
+@@ -187,7 +187,7 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "pthread_rwlock_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_rwlockattr_t", kPrivate, "<pthread.h>", kPublic },
+   { "pthread_t", kPrivate, "<pthread.h>", kPublic },
+-  { "ptrdiff_t", kPrivate, "<stddef.h>", kPublic },
++  { "ptrdiff_t", kPrivate, "<stddef.h>", kPrivate },
+   { "regex_t", kPrivate, "<regex.h>", kPublic },
+   { "regmatch_t", kPrivate, "<regex.h>", kPublic },
+   { "regoff_t", kPrivate, "<regex.h>", kPublic },
+@@ -218,51 +218,51 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "SCHED_FIFO", kPrivate, "<sched.h>", kPublic },
+   { "SCHED_OTHER", kPrivate, "<sched.h>", kPublic },
+   { "SCHED_RR", kPrivate, "<sched.h>", kPublic },
+-  { "SEEK_CUR", kPrivate, "<stdio.h>", kPublic },
+-  { "SEEK_END", kPrivate, "<stdio.h>", kPublic },
+-  { "SEEK_SET", kPrivate, "<stdio.h>", kPublic },
+-  { "sig_atomic_t", kPrivate, "<signal.h>", kPublic },
+-  { "sigevent", kPrivate, "<signal.h>", kPublic },
+-  { "siginfo_t", kPrivate, "<signal.h>", kPublic },
+-  { "sigset_t", kPrivate, "<signal.h>", kPublic },
+-  { "sigval", kPrivate, "<signal.h>", kPublic },
++  { "SEEK_CUR", kPrivate, "<stdio.h>", kPrivate },
++  { "SEEK_END", kPrivate, "<stdio.h>", kPrivate },
++  { "SEEK_SET", kPrivate, "<stdio.h>", kPrivate },
++  { "sig_atomic_t", kPrivate, "<signal.h>", kPrivate },
++  { "sigevent", kPrivate, "<signal.h>", kPrivate },
++  { "siginfo_t", kPrivate, "<signal.h>", kPrivate },
++  { "sigset_t", kPrivate, "<signal.h>", kPrivate },
++  { "sigval", kPrivate, "<signal.h>", kPrivate },
+   { "sockaddr", kPrivate, "<sys/socket.h>", kPublic },
+   { "socklen_t", kPrivate, "<sys/socket.h>", kPublic },
+   { "ssize_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "stack_t", kPrivate, "<signal.h>", kPublic },
++  { "stack_t", kPrivate, "<signal.h>", kPrivate },
+   { "stat", kPrivate, "<sys/stat.h>", kPublic },
+   { "suseconds_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "time_t", kPrivate, "<time.h>", kPublic },
++  { "time_t", kPrivate, "<time.h>", kPrivate },
+   { "time_t", kPrivate, "<sys/types.h>", kPublic },
+   { "timer_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "timespec", kPrivate, "<time.h>", kPublic },
++  { "timespec", kPrivate, "<time.h>", kPrivate },
+   { "timeval", kPrivate, "<sys/time.h>", kPublic },
+-  { "tm", kPrivate, "<time.h>", kPublic },
++  { "tm", kPrivate, "<time.h>", kPrivate },
+   { "u_char", kPrivate, "<sys/types.h>", kPublic },
+   { "ucontext_t", kPrivate, "<ucontext.h>", kPublic },
+   { "uid_t", kPrivate, "<sys/types.h>", kPublic },
+   { "useconds_t", kPrivate, "<sys/types.h>", kPublic },
+-  { "wchar_t", kPrivate, "<stddef.h>", kPublic },
+-  { "wctrans_t", kPrivate, "<wctype.h>", kPublic },
+-  { "wctype_t", kPrivate, "<wctype.h>", kPublic },
++  { "wchar_t", kPrivate, "<stddef.h>", kPrivate },
++  { "wctrans_t", kPrivate, "<wctype.h>", kPrivate },
++  { "wctype_t", kPrivate, "<wctype.h>", kPrivate },
+   { "winsize", kPrivate, "<termios.h>", kPublic },
+-  { "wint_t", kPrivate, "<wchar.h>", kPublic },
++  { "wint_t", kPrivate, "<wchar.h>", kPrivate },
+   // It is unspecified if the cname headers provide ::size_t.
+   // <locale.h> is the one header which defines NULL but not size_t.
+-  { "size_t", kPrivate, "<stddef.h>", kPublic },  // 'canonical' location for size_t
+-  { "size_t", kPrivate, "<signal.h>", kPublic },
+-  { "size_t", kPrivate, "<stdio.h>", kPublic },
+-  { "size_t", kPrivate, "<stdlib.h>", kPublic },
+-  { "size_t", kPrivate, "<string.h>", kPublic },
+-  { "size_t", kPrivate, "<time.h>", kPublic },
+-  { "size_t", kPrivate, "<uchar.h>", kPublic },
+-  { "size_t", kPrivate, "<wchar.h>", kPublic },
++  { "size_t", kPrivate, "<stddef.h>", kPrivate },  // 'canonical' location for size_t
++  { "size_t", kPrivate, "<signal.h>", kPrivate },
++  { "size_t", kPrivate, "<stdio.h>", kPrivate },
++  { "size_t", kPrivate, "<stdlib.h>", kPrivate },
++  { "size_t", kPrivate, "<string.h>", kPrivate },
++  { "size_t", kPrivate, "<time.h>", kPrivate },
++  { "size_t", kPrivate, "<uchar.h>", kPrivate },
++  { "size_t", kPrivate, "<wchar.h>", kPrivate },
+   // Macros that can be defined in more than one file, don't have the
+   // same __foo_defined guard that other types do, so the grep above
+   // doesn't discover them.  Until I figure out a better way, I just
+   // add them in by hand as I discover them.
+-  { "EOF", kPrivate, "<stdio.h>", kPublic },
+-  { "FILE", kPrivate, "<stdio.h>", kPublic },
++  { "EOF", kPrivate, "<stdio.h>", kPrivate },
++  { "FILE", kPrivate, "<stdio.h>", kPrivate },
+   { "IBSHIFT", kPrivate, "<asm/termbits.h>", kPublic },
+   { "MAP_POPULATE", kPrivate, "<sys/mman.h>", kPublic },
+   { "MAP_POPULATE", kPrivate, "<linux/mman.h>", kPublic },
+@@ -270,22 +270,22 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "MAP_STACK", kPrivate, "<linux/mman.h>", kPublic },
+   { "MAXHOSTNAMELEN", kPrivate, "<sys/param.h>", kPublic },
+   { "MAXHOSTNAMELEN", kPrivate, "<protocols/timed.h>", kPublic },
+-  { "SIGABRT", kPrivate, "<signal.h>", kPublic },
+-  { "SIGCHLD", kPrivate, "<signal.h>", kPublic },
+-  { "va_arg", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_copy", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_end", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_list", kPrivate, "<stdarg.h>", kPublic },
+-  { "va_start", kPrivate, "<stdarg.h>", kPublic },
+-  { "WEOF", kPrivate, "<wchar.h>", kPublic },
++  { "SIGABRT", kPrivate, "<signal.h>", kPrivate },
++  { "SIGCHLD", kPrivate, "<signal.h>", kPrivate },
++  { "va_arg", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_copy", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_end", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_list", kPrivate, "<stdarg.h>", kPrivate },
++  { "va_start", kPrivate, "<stdarg.h>", kPrivate },
++  { "WEOF", kPrivate, "<wchar.h>", kPrivate },
+   // These are symbols that could be defined in either stdlib.h or
+   // malloc.h, but we always want the stdlib location.
+-  { "malloc", kPrivate, "<stdlib.h>", kPublic },
+-  { "calloc", kPrivate, "<stdlib.h>", kPublic },
+-  { "realloc", kPrivate, "<stdlib.h>", kPublic },
+-  { "free", kPrivate, "<stdlib.h>", kPublic },
++  { "malloc", kPrivate, "<stdlib.h>", kPrivate },
++  { "calloc", kPrivate, "<stdlib.h>", kPrivate },
++  { "realloc", kPrivate, "<stdlib.h>", kPrivate },
++  { "free", kPrivate, "<stdlib.h>", kPrivate },
+   // Entries for NULL
+-  { "NULL", kPrivate, "<stddef.h>", kPublic },  // 'canonical' location for NULL
++  { "NULL", kPrivate, "<stddef.h>", kPrivate },  // 'canonical' location for NULL
+   { "NULL", kPrivate, "<clocale>", kPublic },
+   { "NULL", kPrivate, "<cstddef>", kPublic },
+   { "NULL", kPrivate, "<cstdio>", kPublic },
+@@ -293,13 +293,13 @@ const IncludeMapEntry libc_symbol_map[] = {
+   { "NULL", kPrivate, "<cstring>", kPublic },
+   { "NULL", kPrivate, "<ctime>", kPublic },
+   { "NULL", kPrivate, "<cwchar>", kPublic },
+-  { "NULL", kPrivate, "<locale.h>", kPublic },
+-  { "NULL", kPrivate, "<stdio.h>", kPublic },
+-  { "NULL", kPrivate, "<stdlib.h>", kPublic },
+-  { "NULL", kPrivate, "<string.h>", kPublic },
+-  { "NULL", kPrivate, "<time.h>", kPublic },
+-  { "NULL", kPrivate, "<wchar.h>", kPublic },
+-  { "offsetof", kPrivate, "<stddef.h>", kPublic },
++  { "NULL", kPrivate, "<locale.h>", kPrivate },
++  { "NULL", kPrivate, "<stdio.h>", kPrivate },
++  { "NULL", kPrivate, "<stdlib.h>", kPrivate },
++  { "NULL", kPrivate, "<string.h>", kPrivate },
++  { "NULL", kPrivate, "<time.h>", kPrivate },
++  { "NULL", kPrivate, "<wchar.h>", kPrivate },
++  { "offsetof", kPrivate, "<stddef.h>", kPrivate },
+ };
+ 
+ // Common kludges for C++ standard libraries
+@@ -355,7 +355,7 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/a.out.h>", kPrivate, "<a.out.h>", kPublic },
+   { "<bits/auxv.h>", kPrivate, "<sys/auxv.h>", kPublic },
+   { "<bits/byteswap.h>", kPrivate, "<byteswap.h>", kPublic },
+-  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPublic },
++  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPrivate },
+   { "<bits/confname.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/dirent.h>", kPrivate, "<dirent.h>", kPublic },
+   { "<bits/dlfcn.h>", kPrivate, "<dlfcn.h>", kPublic },
+@@ -363,18 +363,18 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/endian.h>", kPrivate, "<endian.h>", kPublic },
+   { "<bits/environments.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/epoll.h>", kPrivate, "<sys/epoll.h>", kPublic },
+-  { "<bits/errno.h>", kPrivate, "<errno.h>", kPublic },
++  { "<bits/errno.h>", kPrivate, "<errno.h>", kPrivate },
+   { "<bits/error.h>", kPrivate, "<error.h>", kPublic },
+   { "<bits/eventfd.h>", kPrivate, "<sys/eventfd.h>", kPublic },
+   { "<bits/fcntl.h>", kPrivate, "<fcntl.h>", kPublic },
+   { "<bits/fcntl2.h>", kPrivate, "<fcntl.h>", kPublic },
+-  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPublic },
+-  { "<bits/fenvinline.h>", kPrivate, "<fenv.h>", kPublic },
+-  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPrivate },
++  { "<bits/fenvinline.h>", kPrivate, "<fenv.h>", kPrivate },
++  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/hwcap.h>", kPrivate, "<sys/auxv.h>", kPublic },
+-  { "<bits/inf.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/inf.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/inotify.h>", kPrivate, "<sys/inotify.h>", kPublic },
+   { "<bits/ioctl-types.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<bits/ioctls.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+@@ -382,24 +382,24 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/ipctypes.h>", kPrivate, "<sys/ipc.h>", kPublic },
+   { "<bits/libio-ldbl.h>", kPrivate, "<libio.h>", kPublic },
+   { "<bits/link.h>", kPrivate, "<link.h>", kPublic },
+-  { "<bits/locale.h>", kPrivate, "<locale.h>", kPublic },
+-  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathcalls.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/locale.h>", kPrivate, "<locale.h>", kPrivate },
++  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathcalls.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/mman.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/mman-shared.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/monetary-ldbl.h>", kPrivate, "<monetary.h>", kPublic },
+   { "<bits/mqueue.h>", kPrivate, "<mqueue.h>", kPublic },
+   { "<bits/mqueue2.h>", kPrivate, "<mqueue.h>", kPublic },
+   { "<bits/msq.h>", kPrivate, "<sys/msg.h>", kPublic },
+-  { "<bits/nan.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/nan.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/netdb.h>", kPrivate, "<netdb.h>", kPublic },
+   { "<bits/param.h>", kPrivate, "<sys/param.h>", kPublic },
+   { "<bits/poll.h>", kPrivate, "<sys/poll.h>", kPrivate },
+   { "<bits/poll2.h>", kPrivate, "<sys/poll.h>", kPrivate },
+-  { "<bits/posix1_lim.h>", kPrivate, "<limits.h>", kPublic },
+-  { "<bits/posix2_lim.h>", kPrivate, "<limits.h>", kPublic },
++  { "<bits/posix1_lim.h>", kPrivate, "<limits.h>", kPrivate },
++  { "<bits/posix2_lim.h>", kPrivate, "<limits.h>", kPrivate },
+   { "<bits/posix_opt.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/printf-ldbl.h>", kPrivate, "<printf.h>", kPublic },
+   { "<bits/pthreadtypes.h>", kPrivate, "<pthread.h>", kPublic },
+@@ -409,17 +409,17 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/select2.h>", kPrivate, "<sys/select.h>", kPublic },
+   { "<bits/sem.h>", kPrivate, "<sys/sem.h>", kPublic },
+   { "<bits/semaphore.h>", kPrivate, "<semaphore.h>", kPublic },
+-  { "<bits/setjmp.h>", kPrivate, "<setjmp.h>", kPublic },
+-  { "<bits/setjmp2.h>", kPrivate, "<setjmp.h>", kPublic },
++  { "<bits/setjmp.h>", kPrivate, "<setjmp.h>", kPrivate },
++  { "<bits/setjmp2.h>", kPrivate, "<setjmp.h>", kPrivate },
+   { "<bits/shm.h>", kPrivate, "<sys/shm.h>", kPublic },
+-  { "<bits/sigaction.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/siginfo.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/signum.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/signum-arch.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigset.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigstack.h>", kPrivate, "<signal.h>", kPublic },
+-  { "<bits/sigthread.h>", kPrivate, "<signal.h>", kPublic },
++  { "<bits/sigaction.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/siginfo.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/signum.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/signum-arch.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigset.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigstack.h>", kPrivate, "<signal.h>", kPrivate },
++  { "<bits/sigthread.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<bits/sockaddr.h>", kPrivate, "<sys/un.h>", kPublic },
+   { "<bits/socket.h>", kPrivate, "<sys/socket.h>", kPublic },
+   { "<bits/socket2.h>", kPrivate, "<sys/socket.h>", kPublic },
+@@ -429,22 +429,22 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/statfs.h>", kPrivate, "<sys/statfs.h>", kPublic },
+   { "<bits/statvfs.h>", kPrivate, "<sys/statvfs.h>", kPublic },
+   { "<bits/statx-generic.h>", kPrivate, "<sys/stat.h>", kPublic },
+-  { "<bits/stdio-ldbl.h>", kPrivate, "<stdio.h>", kPublic },
++  { "<bits/stdio-ldbl.h>", kPrivate, "<stdio.h>", kPrivate },
+   { "<bits/stdio-lock.h>", kPrivate, "<libio.h>", kPublic },
+-  { "<bits/stdio.h>", kPrivate, "<stdio.h>", kPublic },
+-  { "<bits/stdio2.h>", kPrivate, "<stdio.h>", kPublic },
+-  { "<bits/stdio_lim.h>", kPrivate, "<stdio.h>", kPublic },
+-  { "<bits/stdlib-bsearch.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/stdlib-ldbl.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/stdlib.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/string.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string2.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string3.h>", kPrivate, "<string.h>", kPublic },
++  { "<bits/stdio.h>", kPrivate, "<stdio.h>", kPrivate },
++  { "<bits/stdio2.h>", kPrivate, "<stdio.h>", kPrivate },
++  { "<bits/stdio_lim.h>", kPrivate, "<stdio.h>", kPrivate },
++  { "<bits/stdlib-bsearch.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/stdlib-ldbl.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/stdlib.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/string.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string2.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string3.h>", kPrivate, "<string.h>", kPrivate },
+   { "<bits/stropts.h>", kPrivate, "<stropts.h>", kPublic },
+   { "<bits/struct_stat.h>", kPrivate, "<sys/stat.h>", kPublic },
+   { "<bits/struct_stat.h>", kPrivate, "<ftw.h>", kPublic },
+-  { "<bits/sys_errlist.h>", kPrivate, "<stdio.h>", kPublic },
++  { "<bits/sys_errlist.h>", kPrivate, "<stdio.h>", kPrivate },
+   { "<bits/syscall.h>", kPrivate, "<sys/syscall.h>", kPublic },
+   { "<bits/sysctl.h>", kPrivate, "<sys/sysctl.h>", kPublic },
+   { "<bits/syslog-ldbl.h>", kPrivate, "<sys/syslog.h>", kPrivate },
+@@ -459,12 +459,12 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/termios-struct.h>", kPrivate, "<termios.h>", kPublic },
+   { "<bits/termios-tcflow.h>", kPrivate, "<termios.h>", kPublic },
+   { "<bits/termios.h>", kPrivate, "<termios.h>", kPublic },
+-  { "<bits/time.h>", kPrivate, "<time.h>", kPublic },
++  { "<bits/time.h>", kPrivate, "<time.h>", kPrivate },
+   { "<bits/time.h>", kPrivate, "<sys/time.h>", kPublic },
+   { "<bits/timerfd.h>", kPrivate, "<sys/timerfd.h>", kPublic },
+   { "<bits/timex.h>", kPrivate, "<sys/timex.h>", kPublic },
+   { "<bits/types.h>", kPrivate, "<sys/types.h>", kPublic },
+-  { "<bits/types/siginfo_t.h>", kPrivate, "<signal.h>", kPublic },
++  { "<bits/types/siginfo_t.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<bits/types/siginfo_t.h>", kPrivate, "<sys/wait.h>", kPublic },
+   { "<bits/uio.h>", kPrivate, "<sys/uio.h>", kPublic },
+   { "<bits/unistd.h>", kPrivate, "<unistd.h>", kPublic },
+@@ -474,11 +474,11 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/utsname.h>", kPrivate, "<sys/utsname.h>", kPublic },
+   { "<bits/waitflags.h>", kPrivate, "<sys/wait.h>", kPublic },
+   { "<bits/waitstatus.h>", kPrivate, "<sys/wait.h>", kPublic },
+-  { "<bits/wchar-ldbl.h>", kPrivate, "<wchar.h>", kPublic },
+-  { "<bits/wchar.h>", kPrivate, "<wchar.h>", kPublic },
+-  { "<bits/wchar2.h>", kPrivate, "<wchar.h>", kPublic },
+-  { "<bits/wordsize.h>", kPrivate, "<limits.h>", kPublic },
+-  { "<bits/xopen_lim.h>", kPrivate, "<limits.h>", kPublic },
++  { "<bits/wchar-ldbl.h>", kPrivate, "<wchar.h>", kPrivate },
++  { "<bits/wchar.h>", kPrivate, "<wchar.h>", kPrivate },
++  { "<bits/wchar2.h>", kPrivate, "<wchar.h>", kPrivate },
++  { "<bits/wordsize.h>", kPrivate, "<limits.h>", kPrivate },
++  { "<bits/xopen_lim.h>", kPrivate, "<limits.h>", kPrivate },
+   { "<bits/xtitypes.h>", kPrivate, "<stropts.h>", kPublic },
+   // Sometimes libc tells you what mapping to do via an '#error':
+   // # error "Never use <bits/dlfcn.h> directly; include <dlfcn.h> instead."
+@@ -488,7 +488,7 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/a.out.h>", kPrivate, "<a.out.h>", kPublic },
+   { "<bits/byteswap-16.h>", kPrivate, "<byteswap.h>", kPublic },
+   { "<bits/byteswap.h>", kPrivate, "<byteswap.h>", kPublic },
+-  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPublic },
++  { "<bits/cmathcalls.h>", kPrivate, "<complex.h>", kPrivate },
+   { "<bits/confname.h>", kPrivate, "<unistd.h>", kPublic },
+   { "<bits/dirent.h>", kPrivate, "<dirent.h>", kPublic },
+   { "<bits/dlfcn.h>", kPrivate, "<dlfcn.h>", kPublic },
+@@ -498,38 +498,38 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<bits/eventfd.h>", kPrivate, "<sys/eventfd.h>", kPublic },
+   { "<bits/fcntl-linux.h>", kPrivate, "<fcntl.h>", kPublic },
+   { "<bits/fcntl.h>", kPrivate, "<fcntl.h>", kPublic },
+-  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPublic },
+-  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/fenv.h>", kPrivate, "<fenv.h>", kPrivate },
++  { "<bits/huge_val.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_valf.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/huge_vall.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/in.h>", kPrivate, "<netinet/in.h>", kPublic },
+-  { "<bits/inf.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/inf.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/inotify.h>", kPrivate, "<sys/inotify.h>", kPublic },
+   { "<bits/ioctl-types.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<bits/ioctls.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<bits/ipc.h>", kPrivate, "<sys/ipc.h>", kPublic },
+   { "<bits/ipctypes.h>", kPrivate, "<sys/ipc.h>", kPublic },
+-  { "<bits/locale.h>", kPrivate, "<locale.h>", kPublic },
+-  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPublic },
+-  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/locale.h>", kPrivate, "<locale.h>", kPrivate },
++  { "<bits/math-finite.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathdef.h>", kPrivate, "<math.h>", kPrivate },
++  { "<bits/mathinline.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/mman-linux.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/mman.h>", kPrivate, "<sys/mman.h>", kPublic },
+   { "<bits/mqueue.h>", kPrivate, "<mqueue.h>", kPublic },
+   { "<bits/msq.h>", kPrivate, "<sys/msg.h>", kPublic },
+-  { "<bits/nan.h>", kPrivate, "<math.h>", kPublic },
++  { "<bits/nan.h>", kPrivate, "<math.h>", kPrivate },
+   { "<bits/param.h>", kPrivate, "<sys/param.h>", kPublic },
+   { "<bits/poll.h>", kPrivate, "<sys/poll.h>", kPrivate },
+   { "<bits/predefs.h>", kPrivate, "<features.h>", kPublic },
+   { "<bits/resource.h>", kPrivate, "<sys/resource.h>", kPublic },
+   { "<bits/select.h>", kPrivate, "<sys/select.h>", kPublic },
+   { "<bits/semaphore.h>", kPrivate, "<semaphore.h>", kPublic },
+-  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPublic },
++  { "<bits/sigcontext.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<bits/signalfd.h>", kPrivate, "<sys/signalfd.h>", kPublic },
+-  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPublic },
+-  { "<bits/string.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string2.h>", kPrivate, "<string.h>", kPublic },
+-  { "<bits/string3.h>", kPrivate, "<string.h>", kPublic },
++  { "<bits/stdlib-float.h>", kPrivate, "<stdlib.h>", kPrivate },
++  { "<bits/string.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string2.h>", kPrivate, "<string.h>", kPrivate },
++  { "<bits/string3.h>", kPrivate, "<string.h>", kPrivate },
+   { "<bits/timerfd.h>", kPrivate, "<sys/timerfd.h>", kPublic },
+   { "<bits/typesizes.h>", kPrivate, "<sys/types.h>", kPublic },
+   // Top-level #includes that just forward to another file:
+@@ -541,13 +541,13 @@ const IncludeMapEntry libc_include_map[] = {
+   // on the POSIX.1-2024 list, I just choose the top-level one.
+   { "<sys/aio.h>", kPrivate, "<aio.h>", kPublic },
+   { "<sys/dirent.h>", kPrivate, "<dirent.h>", kPublic },
+-  { "<sys/errno.h>", kPrivate, "<errno.h>", kPublic },
++  { "<sys/errno.h>", kPrivate, "<errno.h>", kPrivate },
+   { "<sys/fcntl.h>", kPrivate, "<fcntl.h>", kPublic },
+   { "<sys/poll.h>", kPrivate, "<poll.h>", kPublic },
+   { "<sys/semaphore.h>", kPrivate, "<semaphore.h>", kPublic },
+-  { "<sys/signal.h>", kPrivate, "<signal.h>", kPublic },
++  { "<sys/signal.h>", kPrivate, "<signal.h>", kPrivate },
+   { "<sys/spawn.h>", kPrivate, "<spawn.h>", kPublic },
+-  { "<sys/stdio.h>", kPrivate, "<stdio.h>", kPublic },
++  { "<sys/stdio.h>", kPrivate, "<stdio.h>", kPrivate },
+   { "<sys/syslog.h>", kPrivate, "<syslog.h>", kPublic },
+   { "<sys/termios.h>", kPrivate, "<termios.h>", kPublic },
+   { "<sys/unistd.h>", kPrivate, "<unistd.h>", kPublic },
+@@ -567,21 +567,21 @@ const IncludeMapEntry libc_include_map[] = {
+   { "<asm/unistd_64.h>", kPrivate, "<asm/unistd.h>", kPrivate },
+   // I don't know what grep would have found these.  I found them
+   // via user report.
+-  { "<asm/errno.h>", kPrivate, "<errno.h>", kPublic },
+-  { "<asm/errno-base.h>", kPrivate, "<errno.h>", kPublic },
++  { "<asm/errno.h>", kPrivate, "<errno.h>", kPrivate },
++  { "<asm/errno-base.h>", kPrivate, "<errno.h>", kPrivate },
+   { "<asm/ptrace-abi.h>", kPrivate, "<asm/ptrace.h>", kPublic },
+   { "<asm/unistd.h>", kPrivate, "<sys/syscall.h>", kPublic },
+-  { "<linux/limits.h>", kPrivate, "<limits.h>", kPublic },   // PATH_MAX
++  { "<linux/limits.h>", kPrivate, "<limits.h>", kPrivate },   // PATH_MAX
+   { "<linux/prctl.h>", kPrivate, "<sys/prctl.h>", kPublic },
+   { "<sys/ucontext.h>", kPrivate, "<ucontext.h>", kPublic },
+   // System headers available on AIX, BSD, Solaris and other Unix systems
+   { "<sys/dtrace.h>", kPrivate, "<dtrace.h>", kPublic },
+   { "<sys/paths.h>", kPrivate, "<paths.h>", kPublic },
+-  { "<sys/syslimits.h>", kPrivate, "<limits.h>", kPublic },
++  { "<sys/syslimits.h>", kPrivate, "<limits.h>", kPrivate },
+   { "<sys/ttycom.h>", kPrivate, "<sys/ioctl.h>", kPublic },
+   { "<sys/ustat.h>", kPrivate, "<ustat.h>", kPublic },
+   // Exports guaranteed by the C standard
+-  { "<stdint.h>", kPublic, "<inttypes.h>", kPublic },
++  { "<stdint.h>", kPrivate, "<inttypes.h>", kPrivate },
+ };
+ 
+ const IncludeMapEntry stdlib_c_include_map[] = {
+@@ -600,32 +600,32 @@ const IncludeMapEntry stdlib_c_include_map[] = {
+   // https://github.com/cplusplus/draft/blob/c+%2B20/source/lib-intro.tex
+   //
+   // $ curl -s -N https://raw.githubusercontent.com/cplusplus/draft/c%2B%2B20/source/lib-intro.tex | sed -n '/begin{multicolfloattable}.*{headers.cpp.c}/,/end{multicolfloattable}/p' | grep tcode | perl -nle 'm/tcode{<c(.*)>}/ && print qq@  { "<$1.h>", kPublic, "<c$1>", kPublic },@' | sort
+-  { "<assert.h>", kPublic, "<cassert>", kPublic },
+-  { "<complex.h>", kPublic, "<ccomplex>", kPublic },
+-  { "<ctype.h>", kPublic, "<cctype>", kPublic },
+-  { "<errno.h>", kPublic, "<cerrno>", kPublic },
+-  { "<fenv.h>", kPublic, "<cfenv>", kPublic },
+-  { "<float.h>", kPublic, "<cfloat>", kPublic },
+-  { "<inttypes.h>", kPublic, "<cinttypes>", kPublic },
+-  { "<iso646.h>", kPublic, "<ciso646>", kPublic },
+-  { "<limits.h>", kPublic, "<climits>", kPublic },
+-  { "<locale.h>", kPublic, "<clocale>", kPublic },
+-  { "<math.h>", kPublic, "<cmath>", kPublic },
+-  { "<setjmp.h>", kPublic, "<csetjmp>", kPublic },
+-  { "<signal.h>", kPublic, "<csignal>", kPublic },
+-  { "<stdalign.h>", kPublic, "<cstdalign>", kPublic },
+-  { "<stdarg.h>", kPublic, "<cstdarg>", kPublic },
+-  { "<stdbool.h>", kPublic, "<cstdbool>", kPublic },
+-  { "<stddef.h>", kPublic, "<cstddef>", kPublic },
+-  { "<stdint.h>", kPublic, "<cstdint>", kPublic },
+-  { "<stdio.h>", kPublic, "<cstdio>", kPublic },
+-  { "<stdlib.h>", kPublic, "<cstdlib>", kPublic },
+-  { "<string.h>", kPublic, "<cstring>", kPublic },
+-  { "<tgmath.h>", kPublic, "<ctgmath>", kPublic },
+-  { "<time.h>", kPublic, "<ctime>", kPublic },
+-  { "<uchar.h>", kPublic, "<cuchar>", kPublic },
+-  { "<wchar.h>", kPublic, "<cwchar>", kPublic },
+-  { "<wctype.h>", kPublic, "<cwctype>", kPublic },
++  { "<assert.h>", kPrivate, "<cassert>", kPublic },
++  { "<complex.h>", kPrivate, "<ccomplex>", kPublic },
++  { "<ctype.h>", kPrivate, "<cctype>", kPublic },
++  { "<errno.h>", kPrivate, "<cerrno>", kPublic },
++  { "<fenv.h>", kPrivate, "<cfenv>", kPublic },
++  { "<float.h>", kPrivate, "<cfloat>", kPublic },
++  { "<inttypes.h>", kPrivate, "<cinttypes>", kPublic },
++  { "<iso646.h>", kPrivate, "<ciso646>", kPublic },
++  { "<limits.h>", kPrivate, "<climits>", kPublic },
++  { "<locale.h>", kPrivate, "<clocale>", kPublic },
++  { "<math.h>", kPrivate, "<cmath>", kPublic },
++  { "<setjmp.h>", kPrivate, "<csetjmp>", kPublic },
++  { "<signal.h>", kPrivate, "<csignal>", kPublic },
++  { "<stdalign.h>", kPrivate, "<cstdalign>", kPublic },
++  { "<stdarg.h>", kPrivate, "<cstdarg>", kPublic },
++  { "<stdbool.h>", kPrivate, "<cstdbool>", kPublic },
++  { "<stddef.h>", kPrivate, "<cstddef>", kPublic },
++  { "<stdint.h>", kPrivate, "<cstdint>", kPublic },
++  { "<stdio.h>", kPrivate, "<cstdio>", kPublic },
++  { "<stdlib.h>", kPrivate, "<cstdlib>", kPublic },
++  { "<string.h>", kPrivate, "<cstring>", kPublic },
++  { "<tgmath.h>", kPrivate, "<ctgmath>", kPublic },
++  { "<time.h>", kPrivate, "<ctime>", kPublic },
++  { "<uchar.h>", kPrivate, "<cuchar>", kPublic },
++  { "<wchar.h>", kPrivate, "<cwchar>", kPublic },
++  { "<wctype.h>", kPrivate, "<cwctype>", kPublic },
+ };
+ 
+ const char* stdlib_cpp_public_headers[] = {

ci/test/02_run_container.py

@@ -0,0 +1,192 @@
+#!/usr/bin/env python3
+# Copyright (c) The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or https://opensource.org/license/mit/.
+
+from pathlib import Path
+import os
+import shlex
+import subprocess
+import sys
+import time
+
+
+def run(cmd, **kwargs):
+    print("+ " + shlex.join(cmd), flush=True)
+    kwargs.setdefault("check", True)
+    try:
+        return subprocess.run(cmd, **kwargs)
+    except Exception as e:
+        sys.exit(e)
+
+
+def main():
+    print("Export only allowed settings:")
+    settings = run(
+        ["bash", "-c", "grep export ./ci/test/00_setup_env*.sh"],
+        stdout=subprocess.PIPE,
+        text=True,
+    ).stdout.splitlines()
+    settings = set(l.split("=")[0].split("export ")[1] for l in settings)
+    # Add "hidden" settings, which are never exported, manually. Otherwise,
+    # they will not be passed on.
+    settings.update([
+        "BASE_BUILD_DIR",
+        "CI_FAILFAST_TEST_LEAVE_DANGLING",
+    ])
+
+    # Append $USER to /tmp/env to support multi-user systems and $CONTAINER_NAME
+    # to allow support starting multiple runs simultaneously by the same user.
+    env_file = "/tmp/env-{u}-{c}".format(
+        u=os.environ["USER"],
+        c=os.environ["CONTAINER_NAME"],
+    )
+    with open(env_file, "w") as file:
+        for k, v in os.environ.items():
+            if k in settings:
+                file.write(f"{k}={v}\n")
+    run(["cat", env_file])
+
+    if os.getenv("DANGER_RUN_CI_ON_HOST"):
+        print("Running on host system without docker wrapper")
+        print("Create missing folders")
+        for create_dir in [
+                os.environ["CCACHE_DIR"],
+                os.environ["PREVIOUS_RELEASES_DIR"],
+        ]:
+            Path(create_dir).mkdir(parents=True, exist_ok=True)
+
+        # Modify PATH to prepend the retry script, needed for CI_RETRY_EXE
+        os.environ["PATH"] = f"{os.environ['BASE_ROOT_DIR']}/ci/retry:{os.environ['PATH']}"
+        # GNU getopt is required for the CI_RETRY_EXE script
+        if os.getenv("CI_OS_NAME") == "macos":
+            prefix = run(
+                ["brew", "--prefix", "gnu-getopt"],
+                stdout=subprocess.PIPE,
+                text=True,
+            ).stdout.strip()
+            os.environ["IN_GETOPT_BIN"] = f"{prefix}/bin/getopt"
+    else:
+        CI_IMAGE_LABEL = "bitcoin-ci-test"
+
+        # Use buildx unconditionally
+        # Using buildx is required to properly load the correct driver, for use with registry caching. Neither build, nor BUILDKIT=1 currently do this properly
+        cmd_build = ["docker", "buildx", "build"]
+        cmd_build += [
+            f"--file={os.environ['BASE_READ_ONLY_DIR']}/ci/test_imagefile",
+            f"--build-arg=CI_IMAGE_NAME_TAG={os.environ['CI_IMAGE_NAME_TAG']}",
+            f"--build-arg=FILE_ENV={os.environ['FILE_ENV']}",
+            f"--build-arg=BASE_ROOT_DIR={os.environ['BASE_ROOT_DIR']}",
+            f"--platform={os.environ['CI_IMAGE_PLATFORM']}",
+            f"--label={CI_IMAGE_LABEL}",
+            f"--tag={os.environ['CONTAINER_NAME']}",
+        ]
+        cmd_build += shlex.split(os.getenv("DOCKER_BUILD_CACHE_ARG", ""))
+        cmd_build += [os.environ["BASE_READ_ONLY_DIR"]]
+
+        print(f"Building {os.environ['CONTAINER_NAME']} image tag to run in")
+        if run(cmd_build, check=False).returncode != 0:
+            print(f"Retry building {os.environ['CONTAINER_NAME']} image tag after failure")
+            time.sleep(3)
+            run(cmd_build)
+
+        for suffix in ["ccache", "depends", "depends_sources", "previous_releases"]:
+            run(["docker", "volume", "create", f"{os.environ['CONTAINER_NAME']}_{suffix}"], check=False)
+
+        CI_CCACHE_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_ccache,dst={os.environ['CCACHE_DIR']}"
+        CI_DEPENDS_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_depends,dst={os.environ['DEPENDS_DIR']}/built"
+        CI_DEPENDS_SOURCES_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_depends_sources,dst={os.environ['DEPENDS_DIR']}/sources"
+        CI_PREVIOUS_RELEASES_MOUNT = f"type=volume,src={os.environ['CONTAINER_NAME']}_previous_releases,dst={os.environ['PREVIOUS_RELEASES_DIR']}"
+        CI_BUILD_MOUNT = []
+
+        if os.getenv("DANGER_CI_ON_HOST_FOLDERS"):
+            # ensure the directories exist
+            for create_dir in [
+                    os.environ["CCACHE_DIR"],
+                    f"{os.environ['DEPENDS_DIR']}/built",
+                    f"{os.environ['DEPENDS_DIR']}/sources",
+                    os.environ["PREVIOUS_RELEASES_DIR"],
+                    os.environ["BASE_BUILD_DIR"],  # Unset by default, must be defined externally
+            ]:
+                Path(create_dir).mkdir(parents=True, exist_ok=True)
+
+            CI_CCACHE_MOUNT = f"type=bind,src={os.environ['CCACHE_DIR']},dst={os.environ['CCACHE_DIR']}"
+            CI_DEPENDS_MOUNT = f"type=bind,src={os.environ['DEPENDS_DIR']}/built,dst={os.environ['DEPENDS_DIR']}/built"
+            CI_DEPENDS_SOURCES_MOUNT = f"type=bind,src={os.environ['DEPENDS_DIR']}/sources,dst={os.environ['DEPENDS_DIR']}/sources"
+            CI_PREVIOUS_RELEASES_MOUNT = f"type=bind,src={os.environ['PREVIOUS_RELEASES_DIR']},dst={os.environ['PREVIOUS_RELEASES_DIR']}"
+            CI_BUILD_MOUNT = [f"--mount=type=bind,src={os.environ['BASE_BUILD_DIR']},dst={os.environ['BASE_BUILD_DIR']}"]
+
+        if os.getenv("DANGER_CI_ON_HOST_CCACHE_FOLDER"):
+            if not os.path.isdir(os.environ["CCACHE_DIR"]):
+                print(f"Error: Directory '{os.environ['CCACHE_DIR']}' must be created in advance.")
+                sys.exit(1)
+            CI_CCACHE_MOUNT = f"type=bind,src={os.environ['CCACHE_DIR']},dst={os.environ['CCACHE_DIR']}"
+
+        run(["docker", "network", "create", "--ipv6", "--subnet", "1111:1111::/112", "ci-ip6net"], check=False)
+
+        if os.getenv("RESTART_CI_DOCKER_BEFORE_RUN"):
+            print("Restart docker before run to stop and clear all containers started with --rm")
+            run(["podman", "container", "rm", "--force", "--all"])  # Similar to "systemctl restart docker"
+
+            # Still prune everything in case the filtered pruning doesn't work, or if labels were not set
+            # on a previous run. Belt and suspenders approach, should be fine to remove in the future.
+            # Prune images used by --external containers (e.g. build containers) when
+            # using podman.
+            print("Prune all dangling images")
+            run(["podman", "image", "prune", "--force", "--external"])
+
+        print(f"Prune all dangling {CI_IMAGE_LABEL} images")
+        # When detecting podman-docker, `--external` should be added.
+        run(["docker", "image", "prune", "--force", "--filter", f"label={CI_IMAGE_LABEL}"])
+
+        cmd_run = ["docker", "run", "--rm", "--interactive", "--detach", "--tty"]
+        cmd_run += [
+            "--cap-add=LINUX_IMMUTABLE",
+            *shlex.split(os.getenv("CI_CONTAINER_CAP", "")),
+            f"--mount=type=bind,src={os.environ['BASE_READ_ONLY_DIR']},dst={os.environ['BASE_READ_ONLY_DIR']},readonly",
+            f"--mount={CI_CCACHE_MOUNT}",
+            f"--mount={CI_DEPENDS_MOUNT}",
+            f"--mount={CI_DEPENDS_SOURCES_MOUNT}",
+            f"--mount={CI_PREVIOUS_RELEASES_MOUNT}",
+            *CI_BUILD_MOUNT,
+            f"--env-file={env_file}",
+            f"--name={os.environ['CONTAINER_NAME']}",
+            "--network=ci-ip6net",
+            f"--platform={os.environ['CI_IMAGE_PLATFORM']}",
+            os.environ["CONTAINER_NAME"],
+        ]
+
+        container_id = run(
+            cmd_run,
+            stdout=subprocess.PIPE,
+            text=True,
+        ).stdout.strip()
+
+    def ci_exec(cmd_inner, **kwargs):
+        if os.getenv("DANGER_RUN_CI_ON_HOST"):
+            prefix = []
+        else:
+            prefix = ["docker", "exec", container_id]
+
+        return run([*prefix, *cmd_inner], **kwargs)
+
+    # Normalize all folders to BASE_ROOT_DIR
+    ci_exec([
+        "rsync",
+        "--recursive",
+        "--perms",
+        "--stats",
+        "--human-readable",
+        f"{os.environ['BASE_READ_ONLY_DIR']}/",
+        f"{os.environ['BASE_ROOT_DIR']}",
+    ])
+    ci_exec([f"{os.environ['BASE_ROOT_DIR']}/ci/test/01_base_install.sh"])
+    ci_exec([f"{os.environ['BASE_ROOT_DIR']}/ci/test/03_test_script.sh"])
+
+    if not os.getenv("DANGER_RUN_CI_ON_HOST"):
+        print("Stop and remove CI container by ID")
+        run(["docker", "container", "kill", container_id])
+
+
+if __name__ == "__main__":
+    main()

ci/test/02_run_container.sh

@@ -1,175 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2018-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-export CI_IMAGE_LABEL="bitcoin-ci-test"
-
-set -o errexit -o pipefail -o xtrace
-
-if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
-  # Export all env vars to avoid missing some.
-  # Though, exclude those with newlines to avoid parsing problems.
-  python3 -c 'import os; [print(f"{key}={value}") for key, value in os.environ.items() if "\n" not in value and "HOME" != key and "PATH" != key and "USER" != key]' | tee "/tmp/env-$USER-$CONTAINER_NAME"
-
-  # Env vars during the build can not be changed. For example, a modified
-  # $MAKEJOBS is ignored in the build process. Use --cpuset-cpus as an
-  # approximation to respect $MAKEJOBS somewhat, if cpuset is available.
-  MAYBE_CPUSET=""
-  if [ "$HAVE_CGROUP_CPUSET" ]; then
-    MAYBE_CPUSET="--cpuset-cpus=$( python3 -c "import random;P=$( nproc );M=min(P,int('$MAKEJOBS'.lstrip('-j')));print(','.join(map(str,sorted(random.sample(range(P),M)))))" )"
-  fi
-  echo "Creating $CI_IMAGE_NAME_TAG container to run in"
-
-  DOCKER_BUILD_CACHE_ARG=""
-  DOCKER_BUILD_CACHE_TEMPDIR=""
-  DOCKER_BUILD_CACHE_OLD_DIR=""
-  DOCKER_BUILD_CACHE_NEW_DIR=""
-  # If set, use an `docker build` cache directory on the CI host
-  # to cache docker image layers for the CI container image.
-  # This cache can be multiple GB in size. Prefixed with DANGER
-  # as setting it removes (old cache) files from the host.
-  if [ "$DANGER_DOCKER_BUILD_CACHE_HOST_DIR" ]; then
-    # Directory where the current cache for this run could be. If not existing
-    # or empty, "docker build" will warn, but treat it as cache-miss and continue.
-    DOCKER_BUILD_CACHE_OLD_DIR="${DANGER_DOCKER_BUILD_CACHE_HOST_DIR}/${CONTAINER_NAME}"
-    # Temporary directory for a newly created cache. We can't write the new
-    # cache into OLD_DIR directly, as old cache layers would not be removed.
-    # The NEW_DIR contents are moved to OLD_DIR after OLD_DIR has been cleared.
-    # This happens after `docker build`. If a task fails or is aborted, the
-    # DOCKER_BUILD_CACHE_TEMPDIR might be retained on the host. If the host isn't
-    # ephemeral, it has to take care of cleaning old TEMPDIR's up.
-    DOCKER_BUILD_CACHE_TEMPDIR="$(mktemp --directory ci-docker-build-cache-XXXXXXXXXX)"
-    DOCKER_BUILD_CACHE_NEW_DIR="${DOCKER_BUILD_CACHE_TEMPDIR}/${CONTAINER_NAME}"
-    DOCKER_BUILD_CACHE_ARG="--cache-from type=local,src=${DOCKER_BUILD_CACHE_OLD_DIR} --cache-to type=local,dest=${DOCKER_BUILD_CACHE_NEW_DIR},mode=max"
-  fi
-
-  # shellcheck disable=SC2086
-  DOCKER_BUILDKIT=1 docker build \
-      --file "${BASE_READ_ONLY_DIR}/ci/test_imagefile" \
-      --build-arg "CI_IMAGE_NAME_TAG=${CI_IMAGE_NAME_TAG}" \
-      --build-arg "FILE_ENV=${FILE_ENV}" \
-      $MAYBE_CPUSET \
-      --platform="${CI_IMAGE_PLATFORM}" \
-      --label="${CI_IMAGE_LABEL}" \
-      --tag="${CONTAINER_NAME}" \
-      $DOCKER_BUILD_CACHE_ARG \
-      "${BASE_READ_ONLY_DIR}"
-
-  if [ "$DANGER_DOCKER_BUILD_CACHE_HOST_DIR" ]; then
-    if [ -e "${DOCKER_BUILD_CACHE_NEW_DIR}/index.json" ]; then
-      echo "Removing the existing docker build cache in ${DOCKER_BUILD_CACHE_OLD_DIR}"
-      rm -rf "${DOCKER_BUILD_CACHE_OLD_DIR}"
-      echo "Moving the contents of ${DOCKER_BUILD_CACHE_NEW_DIR} to ${DOCKER_BUILD_CACHE_OLD_DIR}"
-      mv "${DOCKER_BUILD_CACHE_NEW_DIR}" "${DOCKER_BUILD_CACHE_OLD_DIR}"
-    fi
-  fi
-
-  docker volume create "${CONTAINER_NAME}_ccache" || true
-  docker volume create "${CONTAINER_NAME}_depends" || true
-  docker volume create "${CONTAINER_NAME}_depends_sources" || true
-  docker volume create "${CONTAINER_NAME}_previous_releases" || true
-
-  CI_CCACHE_MOUNT="type=volume,src=${CONTAINER_NAME}_ccache,dst=$CCACHE_DIR"
-  CI_DEPENDS_MOUNT="type=volume,src=${CONTAINER_NAME}_depends,dst=$DEPENDS_DIR/built"
-  CI_DEPENDS_SOURCES_MOUNT="type=volume,src=${CONTAINER_NAME}_depends_sources,dst=$DEPENDS_DIR/sources"
-  CI_PREVIOUS_RELEASES_MOUNT="type=volume,src=${CONTAINER_NAME}_previous_releases,dst=$PREVIOUS_RELEASES_DIR"
-  CI_BUILD_MOUNT=""
-
-  if [ "$DANGER_CI_ON_HOST_FOLDERS" ]; then
-    # ensure the directories exist
-    mkdir -p "${CCACHE_DIR}"
-    mkdir -p "${DEPENDS_DIR}/built"
-    mkdir -p "${DEPENDS_DIR}/sources"
-    mkdir -p "${PREVIOUS_RELEASES_DIR}"
-    mkdir -p "${BASE_BUILD_DIR}"  # Unset by default, must be defined externally
-
-    CI_CCACHE_MOUNT="type=bind,src=${CCACHE_DIR},dst=$CCACHE_DIR"
-    CI_DEPENDS_MOUNT="type=bind,src=${DEPENDS_DIR}/built,dst=$DEPENDS_DIR/built"
-    CI_DEPENDS_SOURCES_MOUNT="type=bind,src=${DEPENDS_DIR}/sources,dst=$DEPENDS_DIR/sources"
-    CI_PREVIOUS_RELEASES_MOUNT="type=bind,src=${PREVIOUS_RELEASES_DIR},dst=$PREVIOUS_RELEASES_DIR"
-    CI_BUILD_MOUNT="--mount type=bind,src=${BASE_BUILD_DIR},dst=${BASE_BUILD_DIR}"
-  fi
-
-  if [ "$DANGER_CI_ON_HOST_CCACHE_FOLDER" ]; then
-   # Temporary exclusion for https://github.com/bitcoin/bitcoin/issues/31108
-   # to allow CI configs and envs generated in the past to work for a bit longer.
-   # Can be removed in March 2025.
-   if [ "${CCACHE_DIR}" != "/tmp/ccache_dir" ]; then
-    if [ ! -d "${CCACHE_DIR}" ]; then
-      echo "Error: Directory '${CCACHE_DIR}' must be created in advance."
-      exit 1
-    fi
-    CI_CCACHE_MOUNT="type=bind,src=${CCACHE_DIR},dst=${CCACHE_DIR}"
-   fi # End temporary exclusion
-  fi
-
-  docker network create --ipv6 --subnet 1111:1111::/112 ci-ip6net || true
-
-  if [ -n "${RESTART_CI_DOCKER_BEFORE_RUN}" ] ; then
-    echo "Restart docker before run to stop and clear all containers started with --rm"
-    podman container rm --force --all  # Similar to "systemctl restart docker"
-
-    # Still prune everything in case the filtered pruning doesn't work, or if labels were not set
-    # on a previous run. Belt and suspenders approach, should be fine to remove in the future.
-    # Prune images used by --external containers (e.g. build containers) when
-    # using podman.
-    echo "Prune all dangling images"
-    podman image prune --force --external
-  fi
-  echo "Prune all dangling $CI_IMAGE_LABEL images"
-  # When detecting podman-docker, `--external` should be added.
-  docker image prune --force --filter "label=$CI_IMAGE_LABEL"
-
-  # Append $USER to /tmp/env to support multi-user systems and $CONTAINER_NAME
-  # to allow support starting multiple runs simultaneously by the same user.
-  # shellcheck disable=SC2086
-  CI_CONTAINER_ID=$(docker run --cap-add LINUX_IMMUTABLE $CI_CONTAINER_CAP --rm --interactive --detach --tty \
-                  --mount "type=bind,src=$BASE_READ_ONLY_DIR,dst=$BASE_READ_ONLY_DIR,readonly" \
-                  --mount "${CI_CCACHE_MOUNT}" \
-                  --mount "${CI_DEPENDS_MOUNT}" \
-                  --mount "${CI_DEPENDS_SOURCES_MOUNT}" \
-                  --mount "${CI_PREVIOUS_RELEASES_MOUNT}" \
-                  ${CI_BUILD_MOUNT} \
-                  --env-file /tmp/env-$USER-$CONTAINER_NAME \
-                  --name "$CONTAINER_NAME" \
-                  --network ci-ip6net \
-                  --platform="${CI_IMAGE_PLATFORM}" \
-                  "$CONTAINER_NAME")
-  export CI_CONTAINER_ID
-  export CI_EXEC_CMD_PREFIX="docker exec ${CI_CONTAINER_ID}"
-else
-  echo "Running on host system without docker wrapper"
-  echo "Create missing folders"
-  mkdir -p "${CCACHE_DIR}"
-  mkdir -p "${PREVIOUS_RELEASES_DIR}"
-fi
-
-if [ "$CI_OS_NAME" == "macos" ]; then
-  IN_GETOPT_BIN="$(brew --prefix gnu-getopt)/bin/getopt"
-  export IN_GETOPT_BIN
-fi
-
-CI_EXEC () {
-  $CI_EXEC_CMD_PREFIX bash -c "export PATH=\"/path_with space:${BINS_SCRATCH_DIR}:${BASE_ROOT_DIR}/ci/retry:\$PATH\" && cd \"${BASE_ROOT_DIR}\" && $*"
-}
-export -f CI_EXEC
-
-# Normalize all folders to BASE_ROOT_DIR
-CI_EXEC rsync --archive --stats --human-readable "${BASE_READ_ONLY_DIR}/" "${BASE_ROOT_DIR}" || echo "Nothing to copy from ${BASE_READ_ONLY_DIR}/"
-CI_EXEC "${BASE_ROOT_DIR}/ci/test/01_base_install.sh"
-
-# Fixes permission issues when there is a container UID/GID mismatch with the owner
-# of the git source code directory.
-CI_EXEC git config --global --add safe.directory \"*\"
-
-CI_EXEC mkdir -p "${BINS_SCRATCH_DIR}"
-
-CI_EXEC "${BASE_ROOT_DIR}/ci/test/03_test_script.sh"
-
-if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
-  echo "Stop and remove CI container by ID"
-  docker container kill "${CI_CONTAINER_ID}"
-fi

ci/test/03_test_script.sh

@@ -8,6 +8,9 @@ export LC_ALL=C.UTF-8
 
 set -ex
 
+cd "${BASE_ROOT_DIR}"
+
+export PATH="/path_with space:${PATH}"
 export ASAN_OPTIONS="detect_leaks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1"
 export LSAN_OPTIONS="suppressions=${BASE_ROOT_DIR}/test/sanitizer_suppressions/lsan"
 export TSAN_OPTIONS="suppressions=${BASE_ROOT_DIR}/test/sanitizer_suppressions/tsan:halt_on_error=1:second_deadlock_stack=1"
@@ -24,6 +27,14 @@ fi
 echo "Free disk space:"
 df -h
 
+# We force an install of linux-headers again here via $PACKAGES to fix any
+# kernel mismatch between a cached docker image and the underlying host.
+# This can happen occasionally on hosted runners if the runner image is updated.
+if [[ "$CONTAINER_NAME" == "ci_native_asan" ]]; then
+  $CI_RETRY_EXE apt-get update
+  ${CI_RETRY_EXE} bash -c "apt-get install --no-install-recommends --no-upgrade -y $PACKAGES"
+fi
+
 # What host to compile for. See also ./depends/README.md
 # Tests that need cross-compilation export the appropriate HOST.
 # Tests that run natively guess the host
@@ -33,7 +44,10 @@ echo "=== BEGIN env ==="
 env
 echo "=== END env ==="
 
-(
+# Don't apply patches in the iwyu job, because it relies on the `git diff`
+# command to detect IWYU errors. It is safe to skip this patch in the iwyu job
+# because it doesn't run a UB detector.
+if [[ "${RUN_IWYU}" != true ]]; then
   # compact->outputs[i].file_size is uninitialized memory, so reading it is UB.
   # The statistic bytes_written is only used for logging, which is disabled in
   # CI, so as a temporary minimal fix to work around UB and CI failures, leave
@@ -54,7 +68,7 @@ echo "=== END env ==="
    mutex_.Lock();
    stats_[compact->compaction->level() + 1].Add(stats);
 EOF
-)
+fi
 
 if [ "$RUN_FUZZ_TESTS" = "true" ]; then
   export DIR_FUZZ_IN=${DIR_QA_ASSETS}/fuzz_corpora/
@@ -66,7 +80,7 @@ if [ "$RUN_FUZZ_TESTS" = "true" ]; then
     echo "Using qa-assets repo from commit ..."
     git log -1
   )
-elif [ "$RUN_UNIT_TESTS" = "true" ] || [ "$RUN_UNIT_TESTS_SEQUENTIAL" = "true" ]; then
+elif [ "$RUN_UNIT_TESTS" = "true" ]; then
   export DIR_UNIT_TEST_DATA=${DIR_QA_ASSETS}/unit_test_data/
   if [ ! -d "$DIR_UNIT_TEST_DATA" ]; then
     mkdir -p "$DIR_UNIT_TEST_DATA"
@@ -74,15 +88,6 @@ elif [ "$RUN_UNIT_TESTS" = "true" ] || [ "$RUN_UNIT_TESTS_SEQUENTIAL" = "true" ]
   fi
 fi
 
-if [ "$USE_BUSY_BOX" = "true" ]; then
-  echo "Setup to use BusyBox utils"
-  # tar excluded for now because it requires passing in the exact archive type in ./depends (fixed in later BusyBox version)
-  # ar excluded for now because it does not recognize the -q option in ./depends (unknown if fixed)
-  for util in $(busybox --list | grep -v "^ar$" | grep -v "^tar$" ); do ln -s "$(command -v busybox)" "${BINS_SCRATCH_DIR}/$util"; done
-  # Print BusyBox version
-  patch --help
-fi
-
 # Make sure default datadir does not exist and is never read by creating a dummy file
 if [ "$CI_OS_NAME" == "macos" ]; then
   echo > "${HOME}/Library/Application Support/Bitcoin"
@@ -91,15 +96,15 @@ else
 fi
 
 if [ -z "$NO_DEPENDS" ]; then
-  if [[ $CI_IMAGE_NAME_TAG == *centos* ]]; then
-    SHELL_OPTS="CONFIG_SHELL=/bin/ksh"  # Temporarily use ksh instead of dash, until https://bugzilla.redhat.com/show_bug.cgi?id=2335416 is fixed.
+  if [[ $CI_IMAGE_NAME_TAG == *alpine* ]]; then
+    SHELL_OPTS="CONFIG_SHELL=/usr/bin/dash"
   else
     SHELL_OPTS="CONFIG_SHELL="
   fi
   bash -c "$SHELL_OPTS make $MAKEJOBS -C depends HOST=$HOST $DEP_OPTS LOG=1"
 fi
 if [ "$DOWNLOAD_PREVIOUS_RELEASES" = "true" ]; then
-  test/get_previous_releases.py -b -t "$PREVIOUS_RELEASES_DIR"
+  test/get_previous_releases.py --target-dir "$PREVIOUS_RELEASES_DIR"
 fi
 
 BITCOIN_CONFIG_ALL="-DBUILD_BENCH=ON -DBUILD_FUZZ_BINARY=ON"
@@ -115,25 +120,45 @@ PRINT_CCACHE_STATISTICS="ccache --version | head -n 1 && ccache --show-stats"
 
 # Folder where the build is done.
 BASE_BUILD_DIR=${BASE_BUILD_DIR:-$BASE_SCRATCH_DIR/build-$HOST}
-mkdir -p "${BASE_BUILD_DIR}"
-cd "${BASE_BUILD_DIR}"
 
-BITCOIN_CONFIG_ALL="$BITCOIN_CONFIG_ALL -DENABLE_EXTERNAL_SIGNER=ON -DCMAKE_INSTALL_PREFIX=$BASE_OUTDIR"
+BITCOIN_CONFIG_ALL="$BITCOIN_CONFIG_ALL -DCMAKE_INSTALL_PREFIX=$BASE_OUTDIR -Werror=dev"
 
-if [[ "${RUN_TIDY}" == "true" ]]; then
+if [[ "${RUN_IWYU}" == true || "${RUN_TIDY}" == true ]]; then
   BITCOIN_CONFIG_ALL="$BITCOIN_CONFIG_ALL -DCMAKE_EXPORT_COMPILE_COMMANDS=ON"
 fi
 
-bash -c "cmake -S $BASE_ROOT_DIR $BITCOIN_CONFIG_ALL $BITCOIN_CONFIG || ( (cat $(cmake -P "${BASE_ROOT_DIR}/ci/test/GetCMakeLogFiles.cmake")) && false)"
+eval "CMAKE_ARGS=($BITCOIN_CONFIG_ALL $BITCOIN_CONFIG)"
+cmake -S "$BASE_ROOT_DIR" -B "$BASE_BUILD_DIR" "${CMAKE_ARGS[@]}" || (
+  cd "${BASE_BUILD_DIR}"
+  # shellcheck disable=SC2046
+  cat $(cmake -P "${BASE_ROOT_DIR}/ci/test/GetCMakeLogFiles.cmake")
+  false
+)
 
-bash -c "cmake --build . $MAKEJOBS --target all $GOAL" || ( echo "Build failure. Verbose build follows." && cmake --build . --target all "$GOAL" --verbose ; false )
+if [[ "${GOAL}" != all && "${GOAL}" != codegen ]]; then
+  GOAL="all ${GOAL}"
+fi
+
+# shellcheck disable=SC2086
+cmake --build "${BASE_BUILD_DIR}" "$MAKEJOBS" --target $GOAL || (
+  echo "Build failure. Verbose build follows."
+  # shellcheck disable=SC2086
+  cmake --build "${BASE_BUILD_DIR}" -j1 --target $GOAL --verbose
+  false
+)
 
 bash -c "${PRINT_CCACHE_STATISTICS}"
+if [ "$CI" = "true" ]; then
+  hit_rate=$(ccache -s | grep "Hits:" | head -1 | sed 's/.*(\(.*\)%).*/\1/')
+  if [ "${hit_rate%.*}" -lt 75 ]; then
+      echo "::notice title=low ccache hitrate::Ccache hit-rate in $CONTAINER_NAME was $hit_rate%"
+  fi
+fi
 du -sh "${DEPENDS_DIR}"/*/
 du -sh "${PREVIOUS_RELEASES_DIR}"
 
-if [[ $HOST = *-mingw32 ]]; then
-  "${BASE_ROOT_DIR}/ci/test/wrap-wine.sh"
+if [ -n "${CI_LIMIT_STACK_SIZE}" ]; then
+  ulimit -s 512
 fi
 
 if [ -n "$USE_VALGRIND" ]; then
@@ -141,21 +166,32 @@ if [ -n "$USE_VALGRIND" ]; then
 fi
 
 if [ "$RUN_CHECK_DEPS" = "true" ]; then
-  "${BASE_ROOT_DIR}/contrib/devtools/check-deps.sh" .
+  "${BASE_ROOT_DIR}/contrib/devtools/check-deps.sh" "${BASE_BUILD_DIR}"
 fi
 
 if [ "$RUN_UNIT_TESTS" = "true" ]; then
-  DIR_UNIT_TEST_DATA="${DIR_UNIT_TEST_DATA}" LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" CTEST_OUTPUT_ON_FAILURE=ON ctest --stop-on-failure "${MAKEJOBS}" --timeout $(( TEST_RUNNER_TIMEOUT_FACTOR * 60 ))
-fi
-
-if [ "$RUN_UNIT_TESTS_SEQUENTIAL" = "true" ]; then
-  DIR_UNIT_TEST_DATA="${DIR_UNIT_TEST_DATA}" LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" "${BASE_OUTDIR}"/bin/test_bitcoin --catch_system_errors=no -l test_suite
+  DIR_UNIT_TEST_DATA="${DIR_UNIT_TEST_DATA}" \
+  LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" \
+  CTEST_OUTPUT_ON_FAILURE=ON \
+  ctest --test-dir "${BASE_BUILD_DIR}" \
+    --stop-on-failure \
+    "${MAKEJOBS}" \
+    --timeout $(( TEST_RUNNER_TIMEOUT_FACTOR * 60 ))
 fi
 
 if [ "$RUN_FUNCTIONAL_TESTS" = "true" ]; then
   # parses TEST_RUNNER_EXTRA as an array which allows for multiple arguments such as TEST_RUNNER_EXTRA='--exclude "rpc_bind.py --ipv6"'
   eval "TEST_RUNNER_EXTRA=($TEST_RUNNER_EXTRA)"
-  LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" test/functional/test_runner.py --ci "${MAKEJOBS}" --tmpdirprefix "${BASE_SCRATCH_DIR}"/test_runner/ --ansi --combinedlogslen=99999999 --timeout-factor="${TEST_RUNNER_TIMEOUT_FACTOR}" "${TEST_RUNNER_EXTRA[@]}" --quiet --failfast
+  LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" \
+  "${BASE_BUILD_DIR}/test/functional/test_runner.py" \
+    "${MAKEJOBS}" \
+    --tmpdirprefix "${BASE_SCRATCH_DIR}/test_runner/" \
+    --ansi \
+    --combinedlogslen=99999999 \
+    --timeout-factor="${TEST_RUNNER_TIMEOUT_FACTOR}" \
+    "${TEST_RUNNER_EXTRA[@]}" \
+    --quiet \
+    --failfast
 fi
 
 if [ "${RUN_TIDY}" = "true" ]; then
@@ -175,19 +211,44 @@ if [ "${RUN_TIDY}" = "true" ]; then
     echo "^^^ ⚠️ Failure generated from clang-tidy"
     false
   fi
+fi
+
+if [[ "${RUN_IWYU}" == true ]]; then
+  # TODO: Consider enforcing IWYU across the entire codebase.
+  FILES_WITH_ENFORCED_IWYU="/src/((crypto|index|kernel)/.*\\.cpp|node/blockstorage.cpp|node/utxo_snapshot.cpp|core_io.cpp|signet.cpp)"
+  jq --arg patterns "$FILES_WITH_ENFORCED_IWYU" 'map(select(.file | test($patterns)))' "${BASE_BUILD_DIR}/compile_commands.json" > "${BASE_BUILD_DIR}/compile_commands_iwyu_errors.json"
+  jq --arg patterns "$FILES_WITH_ENFORCED_IWYU" 'map(select(.file | test($patterns) | not))' "${BASE_BUILD_DIR}/compile_commands.json" > "${BASE_BUILD_DIR}/compile_commands_iwyu_warnings.json"
 
   cd "${BASE_ROOT_DIR}"
-  python3 "/include-what-you-use/iwyu_tool.py" \
-           -p "${BASE_BUILD_DIR}" "${MAKEJOBS}" \
-           -- -Xiwyu --cxx17ns -Xiwyu --mapping_file="${BASE_ROOT_DIR}/contrib/devtools/iwyu/bitcoin.core.imp" \
-           -Xiwyu --max_line_length=160 \
-           2>&1 | tee /tmp/iwyu_ci.out
-  cd "${BASE_ROOT_DIR}/src"
-  python3 "/include-what-you-use/fix_includes.py" --nosafe_headers < /tmp/iwyu_ci.out
+
+  run_iwyu() {
+    mv "${BASE_BUILD_DIR}/$1" "${BASE_BUILD_DIR}/compile_commands.json"
+    python3 "/include-what-you-use/iwyu_tool.py" \
+             -p "${BASE_BUILD_DIR}" "${MAKEJOBS}" \
+             -- -Xiwyu --cxx17ns -Xiwyu --mapping_file="${BASE_ROOT_DIR}/contrib/devtools/iwyu/bitcoin.core.imp" \
+             -Xiwyu --max_line_length=160 \
+             2>&1 | tee /tmp/iwyu_ci.out
+    python3 "/include-what-you-use/fix_includes.py" --nosafe_headers < /tmp/iwyu_ci.out
+    git diff -U0 | ./contrib/devtools/clang-format-diff.py -binary="clang-format-${TIDY_LLVM_V}" -p1 -i -v
+  }
+
+  run_iwyu "compile_commands_iwyu_errors.json"
+  if ! ( git --no-pager diff --exit-code ); then
+    echo "^^^ ⚠️ Failure generated from IWYU"
+    false
+  fi
+
+  run_iwyu "compile_commands_iwyu_warnings.json"
   git --no-pager diff
 fi
 
 if [ "$RUN_FUZZ_TESTS" = "true" ]; then
   # shellcheck disable=SC2086
-  LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" test/fuzz/test_runner.py ${FUZZ_TESTS_CONFIG} "${MAKEJOBS}" -l DEBUG "${DIR_FUZZ_IN}" --empty_min_time=60
+  LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" \
+  "${BASE_BUILD_DIR}/test/fuzz/test_runner.py" \
+    ${FUZZ_TESTS_CONFIG} \
+    "${MAKEJOBS}" \
+    -l DEBUG \
+    "${DIR_FUZZ_IN}" \
+    --empty_min_time=60
 fi

ci/test/wrap-valgrind.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright (c) 2018-2021 The Bitcoin Core developers
+# Copyright (c) 2018-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
@@ -12,7 +12,7 @@ for b_name in "${BASE_OUTDIR}/bin"/*; do
       echo "Wrap $b ..."
       mv "$b" "${b}_orig"
       echo '#!/usr/bin/env bash' > "$b"
-      echo "valgrind --gen-suppressions=all --quiet --error-exitcode=1 --suppressions=${BASE_ROOT_DIR}/contrib/valgrind.supp \"${b}_orig\" \"\$@\"" >> "$b"
+      echo "exec valgrind --gen-suppressions=all --quiet --error-exitcode=1 --suppressions=${BASE_ROOT_DIR}/contrib/valgrind.supp \"${b}_orig\" \"\$@\"" >> "$b"
       chmod +x "$b"
     done
 done

ci/test/wrap-wine.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2020-2022 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-
-for b_name in {"${BASE_OUTDIR}/bin"/*,src/univalue/{test_json,unitester,object}}.exe; do
-    # shellcheck disable=SC2044
-    for b in $(find "${BASE_ROOT_DIR}" -executable -type f -name "$(basename "$b_name")"); do
-      if (file "$b" | grep "Windows"); then
-        echo "Wrap $b ..."
-        mv "$b" "${b}_orig"
-        echo '#!/usr/bin/env bash' > "$b"
-        echo "( wine \"${b}_orig\" \"\$@\" ) || ( sleep 1 && wine \"${b}_orig\" \"\$@\" )" >> "$b"
-        chmod +x "$b"
-      fi
-    done
-done

ci/test_imagefile

@@ -4,13 +4,21 @@
 
 # See ci/README.md for usage.
 
-ARG CI_IMAGE_NAME_TAG
+# We never want scratch, but default arg silences a Warning
+ARG CI_IMAGE_NAME_TAG=scratch
 FROM ${CI_IMAGE_NAME_TAG}
 
 ARG FILE_ENV
 ENV FILE_ENV=${FILE_ENV}
 
+ARG BASE_ROOT_DIR
+ENV BASE_ROOT_DIR=${BASE_ROOT_DIR}
+
+# Make retry available in PATH, needed for CI_RETRY_EXE
 COPY ./ci/retry/retry /usr/bin/retry
-COPY ./ci/test/00_setup_env.sh ./${FILE_ENV} ./ci/test/01_base_install.sh /ci_container_base/ci/test/
+COPY ./ci/test/00_setup_env.sh ./${FILE_ENV} ./ci/test/01_base_install.sh ./ci/test/01_iwyu.patch /ci_container_base/ci/test/
+
+# Bash is required, so install it when missing
+RUN sh -c "bash -c 'true' || ( apk update && apk add --no-cache bash )"
 
 RUN ["bash", "-c", "cd /ci_container_base/ && set -o errexit && source ./ci/test/00_setup_env.sh && ./ci/test/01_base_install.sh"]

ci/test_run_all.sh

@@ -8,4 +8,4 @@ export LC_ALL=C.UTF-8
 
 set -o errexit; source ./ci/test/00_setup_env.sh
 set -o errexit
-"./ci/test/02_run_container.sh"
+"./ci/test/02_run_container.py"

cmake/bitcoin-build-config.h.in

@@ -29,18 +29,9 @@
 /* Copyright year */
 #define COPYRIGHT_YEAR @COPYRIGHT_YEAR@
 
-/* Define this symbol to build code that uses ARMv8 SHA-NI intrinsics */
-#cmakedefine ENABLE_ARM_SHANI 1
-
-/* Define this symbol to build code that uses AVX2 intrinsics */
-#cmakedefine ENABLE_AVX2 1
-
 /* Define if external signer support is enabled */
 #cmakedefine ENABLE_EXTERNAL_SIGNER 1
 
-/* Define this symbol to build code that uses SSE4.1 intrinsics */
-#cmakedefine ENABLE_SSE41 1
-
 /* Define to 1 to enable tracepoints for Userspace, Statically Defined Tracing
    */
 #cmakedefine ENABLE_TRACING 1
@@ -48,20 +39,12 @@
 /* Define to 1 to enable wallet functions. */
 #cmakedefine ENABLE_WALLET 1
 
-/* Define this symbol to build code that uses x86 SHA-NI intrinsics */
-#cmakedefine ENABLE_X86_SHANI 1
-
 /* Define to 1 if you have the declaration of `fork', and to 0 if you don't.
    */
 #cmakedefine01 HAVE_DECL_FORK
 
-/* Define to 1 if you have the declaration of `freeifaddrs', and to 0 if you
-   don't. */
-#cmakedefine01 HAVE_DECL_FREEIFADDRS
-
-/* Define to 1 if you have the declaration of `getifaddrs', and to 0 if you
-   don't. */
-#cmakedefine01 HAVE_DECL_GETIFADDRS
+/* Define to 1 if '*ifaddrs' are available. */
+#cmakedefine HAVE_IFADDRS 1
 
 /* Define to 1 if you have the declaration of `pipe2', and to 0 if you don't.
    */
@@ -108,18 +91,6 @@
 /* Define to 1 if std::system or ::wsystem is available. */
 #cmakedefine HAVE_SYSTEM 1
 
-/* Define to 1 if you have the <sys/prctl.h> header file. */
-#cmakedefine HAVE_SYS_PRCTL_H 1
-
-/* Define to 1 if you have the <sys/resources.h> header file. */
-#cmakedefine HAVE_SYS_RESOURCES_H 1
-
-/* Define to 1 if you have the <sys/vmmeter.h> header file. */
-#cmakedefine HAVE_SYS_VMMETER_H 1
-
-/* Define to 1 if you have the <vm/vm_param.h> header file. */
-#cmakedefine HAVE_VM_VM_PARAM_H 1
-
 /* Define to the address where bug reports for this package should be sent. */
 #define CLIENT_BUGREPORT "@CLIENT_BUGREPORT@"
 
@@ -135,16 +106,10 @@
 /* Define to 1 if strerror_r returns char *. */
 #cmakedefine STRERROR_R_CHAR_P 1
 
-/* Define if BDB support should be compiled in */
-#cmakedefine USE_BDB 1
-
 /* Define if dbus support should be compiled in */
 #cmakedefine USE_DBUS 1
 
 /* Define if QR support should be compiled in */
 #cmakedefine USE_QRCODE 1
 
-/* Define if sqlite support should be compiled in */
-#cmakedefine USE_SQLITE 1
-
 #endif //BITCOIN_CONFIG_H

cmake/introspection.cmake

@@ -4,13 +4,6 @@
 
 include(CheckCXXSourceCompiles)
 include(CheckCXXSymbolExists)
-include(CheckIncludeFileCXX)
-
-# The following HAVE_{HEADER}_H variables go to the bitcoin-build-config.h header.
-check_include_file_cxx(sys/prctl.h HAVE_SYS_PRCTL_H)
-check_include_file_cxx(sys/resources.h HAVE_SYS_RESOURCES_H)
-check_include_file_cxx(sys/vmmeter.h HAVE_SYS_VMMETER_H)
-check_include_file_cxx(vm/vm_param.h HAVE_VM_VM_PARAM_H)
 
 check_cxx_symbol_exists(O_CLOEXEC "fcntl.h" HAVE_O_CLOEXEC)
 check_cxx_symbol_exists(fdatasync "unistd.h" HAVE_FDATASYNC)
@@ -18,9 +11,7 @@ check_cxx_symbol_exists(fork "unistd.h" HAVE_DECL_FORK)
 check_cxx_symbol_exists(pipe2 "unistd.h" HAVE_DECL_PIPE2)
 check_cxx_symbol_exists(setsid "unistd.h" HAVE_DECL_SETSID)
 
-check_include_file_cxx(sys/types.h HAVE_SYS_TYPES_H)
-check_include_file_cxx(ifaddrs.h HAVE_IFADDRS_H)
-if(HAVE_SYS_TYPES_H AND HAVE_IFADDRS_H)
+if(NOT WIN32)
   include(TestAppendRequiredLibraries)
   test_append_socket_library(core_interface)
 endif()
@@ -28,6 +19,8 @@ endif()
 include(TestAppendRequiredLibraries)
 test_append_atomic_library(core_interface)
 
+# Even though ::system is part of the standard library, we still check
+# for it, to support building targets that don't have it, such as iOS.
 check_cxx_symbol_exists(std::system "cstdlib" HAVE_STD_SYSTEM)
 check_cxx_symbol_exists(::_wsystem "stdlib.h" HAVE__WSYSTEM)
 if(HAVE_STD_SYSTEM OR HAVE__WSYSTEM)
@@ -62,13 +55,6 @@ check_cxx_source_compiles("
 
 # Check for posix_fallocate().
 check_cxx_source_compiles("
-  // same as in src/util/fs_helpers.cpp
-  #ifdef __linux__
-  #ifdef _POSIX_C_SOURCE
-  #undef _POSIX_C_SOURCE
-  #endif
-  #define _POSIX_C_SOURCE 200112L
-  #endif // __linux__
   #include <fcntl.h>
 
   int main()
@@ -177,7 +163,6 @@ if(NOT MSVC)
     " HAVE_SSE41
     CXXFLAGS ${SSE41_CXXFLAGS}
   )
-  set(ENABLE_SSE41 ${HAVE_SSE41})
 
   # Check for AVX2 intrinsics.
   set(AVX2_CXXFLAGS -mavx -mavx2)
@@ -192,7 +177,6 @@ if(NOT MSVC)
     " HAVE_AVX2
     CXXFLAGS ${AVX2_CXXFLAGS}
   )
-  set(ENABLE_AVX2 ${HAVE_AVX2})
 
   # Check for x86 SHA-NI intrinsics.
   set(X86_SHANI_CXXFLAGS -msse4 -msha)
@@ -209,7 +193,6 @@ if(NOT MSVC)
     " HAVE_X86_SHANI
     CXXFLAGS ${X86_SHANI_CXXFLAGS}
   )
-  set(ENABLE_X86_SHANI ${HAVE_X86_SHANI})
 
   # Check for ARMv8 SHA-NI intrinsics.
   set(ARM_SHANI_CXXFLAGS -march=armv8-a+crypto)
@@ -227,5 +210,4 @@ if(NOT MSVC)
     " HAVE_ARM_SHANI
     CXXFLAGS ${ARM_SHANI_CXXFLAGS}
   )
-  set(ENABLE_ARM_SHANI ${HAVE_ARM_SHANI})
 endif()

cmake/leveldb.cmake

@@ -90,9 +90,6 @@ else()
   try_append_cxx_flags("-Wconditional-uninitialized" TARGET nowarn_leveldb_interface SKIP_LINK
     IF_CHECK_PASSED "-Wno-conditional-uninitialized"
   )
-  try_append_cxx_flags("-Wsuggest-override" TARGET nowarn_leveldb_interface SKIP_LINK
-    IF_CHECK_PASSED "-Wno-suggest-override"
-  )
 endif()
 
 target_link_libraries(leveldb PRIVATE

cmake/libmultiprocess.cmake

@@ -0,0 +1,38 @@
+# Copyright (c) 2025-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or https://opensource.org/license/mit/.
+
+function(add_libmultiprocess subdir)
+  # Set BUILD_TESTING to match BUILD_TESTS. BUILD_TESTING is a standard cmake
+  # option that controls whether enable_testing() is called, but in the bitcoin
+  # build a BUILD_TESTS option is used instead.
+  set(BUILD_TESTING "${BUILD_TESTS}")
+  add_subdirectory(${subdir} EXCLUDE_FROM_ALL)
+  # Apply core_interface compile options to libmultiprocess runtime library.
+  target_link_libraries(multiprocess PUBLIC $<BUILD_INTERFACE:core_interface>)
+  target_link_libraries(mputil PUBLIC $<BUILD_INTERFACE:core_interface>)
+  target_link_libraries(mpgen PUBLIC $<BUILD_INTERFACE:core_interface>)
+  # Mark capproto options as advanced to hide by default from cmake UI
+  mark_as_advanced(CapnProto_DIR)
+  mark_as_advanced(CapnProto_capnpc_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_capnp_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_capnp-json_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_capnp-rpc_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_capnp-websocket_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_kj-async_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_kj-gzip_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_kj-http_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_kj_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_kj-test_IMPORTED_LOCATION)
+  mark_as_advanced(CapnProto_kj-tls_IMPORTED_LOCATION)
+  if(BUILD_TESTS)
+    # Add tests to "all" target so ctest can run them
+    set_target_properties(mptest PROPERTIES EXCLUDE_FROM_ALL OFF)
+  endif()
+  # Exclude examples from compilation database, because the examples are not
+  # built by default, and they contain generated c++ code. Without this
+  # exclusion, tools like clang-tidy and IWYU that make use of compilation
+  # database would complain that the generated c++ source files do not exist. An
+  # alternate fix could build "mpexamples" by default like "mptests" above.
+  set_target_properties(mpcalculator mpprinter mpexample PROPERTIES EXPORT_COMPILE_COMMANDS OFF)
+endfunction()

cmake/module/AddBoostIfNeeded.cmake

@@ -17,17 +17,29 @@ function(add_boost_if_needed)
   directory and other added INTERFACE properties.
   ]=]
 
-  # We cannot rely on find_package(Boost ...) to work properly without
-  # Boost_NO_BOOST_CMAKE set until we require a more recent Boost because
-  # upstream did not ship proper CMake files until 1.82.0.
-  # Until then, we rely on CMake's FindBoost module.
-  # See: https://cmake.org/cmake/help/latest/policy/CMP0167.html
-  if(POLICY CMP0167)
-    cmake_policy(SET CMP0167 OLD)
+  if(CMAKE_HOST_APPLE)
+    find_program(HOMEBREW_EXECUTABLE brew)
+    if(HOMEBREW_EXECUTABLE)
+      execute_process(
+        COMMAND ${HOMEBREW_EXECUTABLE} --prefix boost
+        OUTPUT_VARIABLE Boost_ROOT
+        ERROR_QUIET
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+      )
+    endif()
+  endif()
+
+  find_package(Boost 1.74.0 REQUIRED CONFIG)
+  mark_as_advanced(Boost_INCLUDE_DIR boost_headers_DIR)
+  # Workaround for a bug in NetBSD pkgsrc.
+  # See: https://github.com/NetBSD/pkgsrc/issues/167.
+  if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD")
+    get_filename_component(_boost_include_dir "${boost_headers_DIR}/../../../include/" ABSOLUTE)
+    set_target_properties(Boost::headers PROPERTIES
+      INTERFACE_INCLUDE_DIRECTORIES ${_boost_include_dir}
+    )
+    unset(_boost_include_dir)
   endif()
-  set(Boost_NO_BOOST_CMAKE ON)
-  find_package(Boost 1.73.0 REQUIRED)
-  mark_as_advanced(Boost_INCLUDE_DIR)
   set_target_properties(Boost::headers PROPERTIES IMPORTED_GLOBAL TRUE)
   target_compile_definitions(Boost::headers INTERFACE
     # We don't use multi_index serialization.
@@ -45,34 +57,24 @@ function(add_boost_if_needed)
   # older than 1.80.
   # See: https://github.com/boostorg/config/pull/430.
   set(CMAKE_REQUIRED_DEFINITIONS -DBOOST_NO_CXX98_FUNCTION_BASE)
-  set(CMAKE_REQUIRED_INCLUDES ${Boost_INCLUDE_DIR})
-  include(CMakePushCheckState)
-  cmake_push_check_state()
-  include(TryAppendCXXFlags)
+  get_target_property(CMAKE_REQUIRED_INCLUDES Boost::headers INTERFACE_INCLUDE_DIRECTORIES)
   set(CMAKE_REQUIRED_FLAGS ${working_compiler_werror_flag})
   set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY)
+  include(CheckCXXSourceCompiles)
   check_cxx_source_compiles("
     #include <boost/config.hpp>
     " NO_DIAGNOSTICS_BOOST_NO_CXX98_FUNCTION_BASE
   )
-  cmake_pop_check_state()
   if(NO_DIAGNOSTICS_BOOST_NO_CXX98_FUNCTION_BASE)
     target_compile_definitions(Boost::headers INTERFACE
       BOOST_NO_CXX98_FUNCTION_BASE
     )
-  else()
-    set(CMAKE_REQUIRED_DEFINITIONS)
   endif()
 
   # Some package managers, such as vcpkg, vendor Boost.Test separately
   # from the rest of the headers, so we have to check for it individually.
   if(BUILD_TESTS AND DEFINED VCPKG_TARGET_TRIPLET)
-    list(APPEND CMAKE_REQUIRED_DEFINITIONS -DBOOST_TEST_NO_MAIN)
-    include(CheckIncludeFileCXX)
-    check_include_file_cxx(boost/test/included/unit_test.hpp HAVE_BOOST_INCLUDED_UNIT_TEST_H)
-    if(NOT HAVE_BOOST_INCLUDED_UNIT_TEST_H)
-      message(FATAL_ERROR "Building test_bitcoin executable requested but boost/test/included/unit_test.hpp header not available.")
-    endif()
+    find_package(boost_included_unit_test_framework ${Boost_VERSION} EXACT REQUIRED CONFIG)
   endif()
 
 endfunction()

cmake/module/AddWindowsResources.cmake

@@ -4,11 +4,21 @@
 
 include_guard(GLOBAL)
 
-macro(add_windows_resources target rc_file)
+function(add_windows_resources target rc_file)
   if(WIN32)
     target_sources(${target} PRIVATE ${rc_file})
-    set_property(SOURCE ${rc_file}
-      APPEND PROPERTY COMPILE_DEFINITIONS WINDRES_PREPROC
-    )
   endif()
-endmacro()
+endfunction()
+
+# Add a fusion manifest to Windows executables.
+# See: https://learn.microsoft.com/en-us/windows/win32/sbscs/application-manifests
+function(add_windows_application_manifest target)
+  if(WIN32)
+    configure_file(${PROJECT_SOURCE_DIR}/cmake/windows-app.manifest.in ${target}.manifest USE_SOURCE_PERMISSIONS)
+    file(CONFIGURE
+      OUTPUT ${target}-manifest.rc
+      CONTENT "1 /* CREATEPROCESS_MANIFEST_RESOURCE_ID */ 24 /* RT_MANIFEST */ \"${target}.manifest\""
+    )
+    add_windows_resources(${target} ${CMAKE_CURRENT_BINARY_DIR}/${target}-manifest.rc)
+  endif()
+endfunction()

cmake/module/FindBerkeleyDB.cmake

@@ -1,133 +0,0 @@
-# Copyright (c) 2023-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or https://opensource.org/license/mit/.
-
-#[=======================================================================[
-FindBerkeleyDB
---------------
-
-Finds the Berkeley DB headers and library.
-
-Imported Targets
-^^^^^^^^^^^^^^^^
-
-This module provides imported target ``BerkeleyDB::BerkeleyDB``, if
-Berkeley DB has been found.
-
-Result Variables
-^^^^^^^^^^^^^^^^
-
-This module defines the following variables:
-
-``BerkeleyDB_FOUND``
-  "True" if Berkeley DB found.
-
-``BerkeleyDB_VERSION``
-  The MAJOR.MINOR version of Berkeley DB found.
-
-#]=======================================================================]
-
-set(_BerkeleyDB_homebrew_prefix)
-if(CMAKE_HOST_APPLE)
-  find_program(HOMEBREW_EXECUTABLE brew)
-  if(HOMEBREW_EXECUTABLE)
-    # The Homebrew package manager installs the berkeley-db* packages as
-    # "keg-only", which means they are not symlinked into the default prefix.
-    # To find such a package, the find_path() and find_library() commands
-    # need additional path hints that are computed by Homebrew itself.
-    execute_process(
-      COMMAND ${HOMEBREW_EXECUTABLE} --prefix berkeley-db@4
-      OUTPUT_VARIABLE _BerkeleyDB_homebrew_prefix
-      ERROR_QUIET
-      OUTPUT_STRIP_TRAILING_WHITESPACE
-    )
-  endif()
-endif()
-
-find_path(BerkeleyDB_INCLUDE_DIR
-  NAMES db_cxx.h
-  HINTS ${_BerkeleyDB_homebrew_prefix}/include
-  PATH_SUFFIXES 4.8 48 db4.8 4 db4 5.3 db5.3 5 db5
-)
-mark_as_advanced(BerkeleyDB_INCLUDE_DIR)
-unset(_BerkeleyDB_homebrew_prefix)
-
-if(NOT BerkeleyDB_LIBRARY)
-  if(VCPKG_TARGET_TRIPLET)
-    # The vcpkg package manager installs the berkeleydb package with the same name
-    # of release and debug libraries. Therefore, the default search paths set by
-    # vcpkg's toolchain file cannot be used to search libraries as the debug one
-    # will always be found.
-    set(CMAKE_FIND_USE_CMAKE_PATH FALSE)
-  endif()
-
-  get_filename_component(_BerkeleyDB_lib_hint "${BerkeleyDB_INCLUDE_DIR}" DIRECTORY)
-
-  find_library(BerkeleyDB_LIBRARY_RELEASE
-    NAMES db_cxx-4.8 db4_cxx db48 db_cxx-5.3 db_cxx-5 db_cxx libdb48
-    NAMES_PER_DIR
-    HINTS ${_BerkeleyDB_lib_hint}
-    PATH_SUFFIXES lib
-  )
-  mark_as_advanced(BerkeleyDB_LIBRARY_RELEASE)
-
-  find_library(BerkeleyDB_LIBRARY_DEBUG
-    NAMES db_cxx-4.8 db4_cxx db48 db_cxx-5.3 db_cxx-5 db_cxx libdb48
-    NAMES_PER_DIR
-    HINTS ${_BerkeleyDB_lib_hint}
-    PATH_SUFFIXES debug/lib
-  )
-  mark_as_advanced(BerkeleyDB_LIBRARY_DEBUG)
-
-  unset(_BerkeleyDB_lib_hint)
-  unset(CMAKE_FIND_USE_CMAKE_PATH)
-
-  include(SelectLibraryConfigurations)
-  select_library_configurations(BerkeleyDB)
-  # The select_library_configurations() command sets BerkeleyDB_FOUND, but we
-  # want the one from the find_package_handle_standard_args() command below.
-  unset(BerkeleyDB_FOUND)
-endif()
-
-if(BerkeleyDB_INCLUDE_DIR)
-  file(STRINGS "${BerkeleyDB_INCLUDE_DIR}/db.h" _BerkeleyDB_version_strings REGEX "^#define[\t ]+DB_VERSION_(MAJOR|MINOR|PATCH)[ \t]+[0-9]+.*")
-  string(REGEX REPLACE ".*#define[\t ]+DB_VERSION_MAJOR[ \t]+([0-9]+).*" "\\1" _BerkeleyDB_version_major "${_BerkeleyDB_version_strings}")
-  string(REGEX REPLACE ".*#define[\t ]+DB_VERSION_MINOR[ \t]+([0-9]+).*" "\\1" _BerkeleyDB_version_minor "${_BerkeleyDB_version_strings}")
-  string(REGEX REPLACE ".*#define[\t ]+DB_VERSION_PATCH[ \t]+([0-9]+).*" "\\1" _BerkeleyDB_version_patch "${_BerkeleyDB_version_strings}")
-  unset(_BerkeleyDB_version_strings)
-  # The MAJOR.MINOR.PATCH version will be logged in the following find_package_handle_standard_args() command.
-  set(_BerkeleyDB_full_version ${_BerkeleyDB_version_major}.${_BerkeleyDB_version_minor}.${_BerkeleyDB_version_patch})
-  set(BerkeleyDB_VERSION ${_BerkeleyDB_version_major}.${_BerkeleyDB_version_minor})
-  unset(_BerkeleyDB_version_major)
-  unset(_BerkeleyDB_version_minor)
-  unset(_BerkeleyDB_version_patch)
-endif()
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(BerkeleyDB
-  REQUIRED_VARS BerkeleyDB_LIBRARY BerkeleyDB_INCLUDE_DIR
-  VERSION_VAR _BerkeleyDB_full_version
-)
-unset(_BerkeleyDB_full_version)
-
-if(BerkeleyDB_FOUND AND NOT TARGET BerkeleyDB::BerkeleyDB)
-  add_library(BerkeleyDB::BerkeleyDB UNKNOWN IMPORTED)
-  set_target_properties(BerkeleyDB::BerkeleyDB PROPERTIES
-    INTERFACE_INCLUDE_DIRECTORIES "${BerkeleyDB_INCLUDE_DIR}"
-  )
-  if(BerkeleyDB_LIBRARY_RELEASE)
-    set_property(TARGET BerkeleyDB::BerkeleyDB APPEND PROPERTY
-      IMPORTED_CONFIGURATIONS RELEASE
-    )
-    set_target_properties(BerkeleyDB::BerkeleyDB PROPERTIES
-      IMPORTED_LOCATION_RELEASE "${BerkeleyDB_LIBRARY_RELEASE}"
-    )
-  endif()
-  if(BerkeleyDB_LIBRARY_DEBUG)
-    set_property(TARGET BerkeleyDB::BerkeleyDB APPEND PROPERTY
-      IMPORTED_CONFIGURATIONS DEBUG)
-    set_target_properties(BerkeleyDB::BerkeleyDB PROPERTIES
-      IMPORTED_LOCATION_DEBUG "${BerkeleyDB_LIBRARY_DEBUG}"
-    )
-  endif()
-endif()

cmake/module/FindQRencode.cmake

@@ -21,16 +21,16 @@ endif()
 
 find_path(QRencode_INCLUDE_DIR
   NAMES qrencode.h
-  PATHS ${PC_QRencode_INCLUDE_DIRS}
+  HINTS ${PC_QRencode_INCLUDE_DIRS}
 )
 
 find_library(QRencode_LIBRARY_RELEASE
   NAMES qrencode
-  PATHS ${PC_QRencode_LIBRARY_DIRS}
+  HINTS ${PC_QRencode_LIBRARY_DIRS}
 )
 find_library(QRencode_LIBRARY_DEBUG
   NAMES qrencoded qrencode
-  PATHS ${PC_QRencode_LIBRARY_DIRS}
+  HINTS ${PC_QRencode_LIBRARY_DIRS}
 )
 include(SelectLibraryConfigurations)
 select_library_configurations(QRencode)

cmake/module/FindQt.cmake

@@ -27,19 +27,6 @@ if(CMAKE_HOST_APPLE)
   endif()
 endif()
 
-# Save CMAKE_FIND_ROOT_PATH_MODE_LIBRARY state.
-unset(_qt_find_root_path_mode_library_saved)
-if(DEFINED CMAKE_FIND_ROOT_PATH_MODE_LIBRARY)
-  set(_qt_find_root_path_mode_library_saved ${CMAKE_FIND_ROOT_PATH_MODE_LIBRARY})
-endif()
-
-# The Qt config files internally use find_library() calls for all
-# dependencies to ensure their availability. In turn, the find_library()
-# inspects the well-known locations on the file system; therefore, it must
-# be able to find platform-specific system libraries, for example:
-# /usr/x86_64-w64-mingw32/lib/libm.a or /usr/arm-linux-gnueabihf/lib/libm.a.
-set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY BOTH)
-
 find_package(Qt${Qt_FIND_VERSION_MAJOR} ${Qt_FIND_VERSION}
   COMPONENTS ${Qt_FIND_COMPONENTS}
   HINTS ${_qt_homebrew_prefix}
@@ -47,14 +34,6 @@ find_package(Qt${Qt_FIND_VERSION_MAJOR} ${Qt_FIND_VERSION}
 )
 unset(_qt_homebrew_prefix)
 
-# Restore CMAKE_FIND_ROOT_PATH_MODE_LIBRARY state.
-if(DEFINED _qt_find_root_path_mode_library_saved)
-  set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ${_qt_find_root_path_mode_library_saved})
-  unset(_qt_find_root_path_mode_library_saved)
-else()
-  unset(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY)
-endif()
-
 include(FindPackageHandleStandardArgs)
 find_package_handle_standard_args(Qt
   REQUIRED_VARS Qt${Qt_FIND_VERSION_MAJOR}_DIR

cmake/module/FindUSDT.cmake

@@ -36,6 +36,10 @@ if(USDT_INCLUDE_DIR)
   include(CheckCXXSourceCompiles)
   set(CMAKE_REQUIRED_INCLUDES ${USDT_INCLUDE_DIR})
   check_cxx_source_compiles("
+    #if defined(__arm__)
+    #  define STAP_SDT_ARG_CONSTRAINT g
+    #endif
+
     // Setting SDT_USE_VARIADIC lets systemtap (sys/sdt.h) know that we want to use
     // the optional variadic macros to define tracepoints.
     #define SDT_USE_VARIADIC 1

cmake/module/GenerateSetupNsi.cmake

@@ -7,6 +7,7 @@ function(generate_setup_nsi)
   set(abs_top_builddir ${PROJECT_BINARY_DIR})
   set(CLIENT_URL ${PROJECT_HOMEPAGE_URL})
   set(CLIENT_TARNAME "bitcoin")
+  set(BITCOIN_WRAPPER_NAME "bitcoin")
   set(BITCOIN_GUI_NAME "bitcoin-qt")
   set(BITCOIN_DAEMON_NAME "bitcoind")
   set(BITCOIN_CLI_NAME "bitcoin-cli")

cmake/module/InstallBinaryComponent.cmake

@@ -7,14 +7,19 @@ include(GNUInstallDirs)
 
 function(install_binary_component component)
   cmake_parse_arguments(PARSE_ARGV 1
-    IC                # prefix
-    "HAS_MANPAGE"     # options
-    ""                # one_value_keywords
-    ""                # multi_value_keywords
+    IC                          # prefix
+    "HAS_MANPAGE;INTERNAL"      # options
+    ""                          # one_value_keywords
+    ""                          # multi_value_keywords
   )
   set(target_name ${component})
+  if(IC_INTERNAL)
+    set(runtime_dest ${CMAKE_INSTALL_LIBEXECDIR})
+  else()
+    set(runtime_dest ${CMAKE_INSTALL_BINDIR})
+  endif()
   install(TARGETS ${target_name}
-    RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
+    RUNTIME DESTINATION ${runtime_dest}
     COMPONENT ${component}
   )
   if(INSTALL_MAN AND IC_HAS_MANPAGE)

cmake/module/Maintenance.cmake

@@ -18,32 +18,16 @@ function(setup_split_debug_script)
   endif()
 endfunction()
 
-function(add_maintenance_targets)
-  if(NOT PYTHON_COMMAND)
-    return()
-  endif()
-
-  foreach(target IN ITEMS bitcoind bitcoin-qt bitcoin-cli bitcoin-tx bitcoin-util bitcoin-wallet test_bitcoin bench_bitcoin)
-    if(TARGET ${target})
-      list(APPEND executables $<TARGET_FILE:${target}>)
-    endif()
-  endforeach()
-
-  add_custom_target(check-symbols
-    COMMAND ${CMAKE_COMMAND} -E echo "Running symbol and dynamic library checks..."
-    COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/devtools/symbol-check.py ${executables}
-    VERBATIM
-  )
-
-  add_custom_target(check-security
-    COMMAND ${CMAKE_COMMAND} -E echo "Checking binary security..."
-    COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/devtools/security-check.py ${executables}
-    VERBATIM
-  )
-endfunction()
-
 function(add_windows_deploy_target)
-  if(MINGW AND TARGET bitcoin-qt AND TARGET bitcoind AND TARGET bitcoin-cli AND TARGET bitcoin-tx AND TARGET bitcoin-wallet AND TARGET bitcoin-util AND TARGET test_bitcoin)
+  if(MINGW AND TARGET bitcoin AND TARGET bitcoin-qt AND TARGET bitcoind AND TARGET bitcoin-cli AND TARGET bitcoin-tx AND TARGET bitcoin-wallet AND TARGET bitcoin-util AND TARGET test_bitcoin)
+    find_program(MAKENSIS_EXECUTABLE makensis)
+    if(NOT MAKENSIS_EXECUTABLE)
+      add_custom_target(deploy
+        COMMAND ${CMAKE_COMMAND} -E echo "Error: NSIS not found"
+      )
+      return()
+    endif()
+
     # TODO: Consider replacing this code with the CPack NSIS Generator.
     #       See https://cmake.org/cmake/help/latest/cpack_gen/nsis.html
     include(GenerateSetupNsi)
@@ -51,6 +35,7 @@ function(add_windows_deploy_target)
     add_custom_command(
       OUTPUT ${PROJECT_BINARY_DIR}/bitcoin-win64-setup.exe
       COMMAND ${CMAKE_COMMAND} -E make_directory ${PROJECT_BINARY_DIR}/release
+      COMMAND ${CMAKE_STRIP} $<TARGET_FILE:bitcoin> -o ${PROJECT_BINARY_DIR}/release/$<TARGET_FILE_NAME:bitcoin>
       COMMAND ${CMAKE_STRIP} $<TARGET_FILE:bitcoin-qt> -o ${PROJECT_BINARY_DIR}/release/$<TARGET_FILE_NAME:bitcoin-qt>
       COMMAND ${CMAKE_STRIP} $<TARGET_FILE:bitcoind> -o ${PROJECT_BINARY_DIR}/release/$<TARGET_FILE_NAME:bitcoind>
       COMMAND ${CMAKE_STRIP} $<TARGET_FILE:bitcoin-cli> -o ${PROJECT_BINARY_DIR}/release/$<TARGET_FILE_NAME:bitcoin-cli>
@@ -58,7 +43,7 @@ function(add_windows_deploy_target)
       COMMAND ${CMAKE_STRIP} $<TARGET_FILE:bitcoin-wallet> -o ${PROJECT_BINARY_DIR}/release/$<TARGET_FILE_NAME:bitcoin-wallet>
       COMMAND ${CMAKE_STRIP} $<TARGET_FILE:bitcoin-util> -o ${PROJECT_BINARY_DIR}/release/$<TARGET_FILE_NAME:bitcoin-util>
       COMMAND ${CMAKE_STRIP} $<TARGET_FILE:test_bitcoin> -o ${PROJECT_BINARY_DIR}/release/$<TARGET_FILE_NAME:test_bitcoin>
-      COMMAND makensis -V2 ${PROJECT_BINARY_DIR}/bitcoin-win64-setup.nsi
+      COMMAND ${MAKENSIS_EXECUTABLE} -V2 ${PROJECT_BINARY_DIR}/bitcoin-win64-setup.nsi
       VERBATIM
     )
     add_custom_target(deploy DEPENDS ${PROJECT_BINARY_DIR}/bitcoin-win64-setup.exe)
@@ -83,27 +68,28 @@ function(add_macos_deploy_target)
       COMMAND ${CMAKE_COMMAND} --install ${PROJECT_BINARY_DIR} --config $<CONFIG> --component bitcoin-qt --prefix ${macos_app}/Contents/MacOS --strip
       COMMAND ${CMAKE_COMMAND} -E rename ${macos_app}/Contents/MacOS/bin/$<TARGET_FILE_NAME:bitcoin-qt> ${macos_app}/Contents/MacOS/Bitcoin-Qt
       COMMAND ${CMAKE_COMMAND} -E rm -rf ${macos_app}/Contents/MacOS/bin
+      COMMAND ${CMAKE_COMMAND} -E rm -rf ${macos_app}/Contents/MacOS/share
       VERBATIM
     )
 
-    string(REPLACE " " "-" osx_volname ${CLIENT_NAME})
+    set(macos_zip "bitcoin-macos-app")
     if(CMAKE_HOST_APPLE)
       add_custom_command(
-        OUTPUT ${PROJECT_BINARY_DIR}/${osx_volname}.zip
-        COMMAND ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} ${osx_volname} -translations-dir=${QT_TRANSLATIONS_DIR} -zip
+        OUTPUT ${PROJECT_BINARY_DIR}/${macos_zip}.zip
+        COMMAND Python3::Interpreter ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} -translations-dir=${QT_TRANSLATIONS_DIR} -zip=${macos_zip}
         DEPENDS ${PROJECT_BINARY_DIR}/${macos_app}/Contents/MacOS/Bitcoin-Qt
         VERBATIM
       )
       add_custom_target(deploydir
-        DEPENDS ${PROJECT_BINARY_DIR}/${osx_volname}.zip
+        DEPENDS ${PROJECT_BINARY_DIR}/${macos_zip}.zip
       )
       add_custom_target(deploy
-        DEPENDS ${PROJECT_BINARY_DIR}/${osx_volname}.zip
+        DEPENDS ${PROJECT_BINARY_DIR}/${macos_zip}.zip
       )
     else()
       add_custom_command(
         OUTPUT ${PROJECT_BINARY_DIR}/dist/${macos_app}/Contents/MacOS/Bitcoin-Qt
-        COMMAND OBJDUMP=${CMAKE_OBJDUMP} ${PYTHON_COMMAND} ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} ${osx_volname} -translations-dir=${QT_TRANSLATIONS_DIR}
+        COMMAND ${CMAKE_COMMAND} -E env OBJDUMP=${CMAKE_OBJDUMP} $<TARGET_FILE:Python3::Interpreter> ${PROJECT_SOURCE_DIR}/contrib/macdeploy/macdeployqtplus ${macos_app} -translations-dir=${QT_TRANSLATIONS_DIR}
         DEPENDS ${PROJECT_BINARY_DIR}/${macos_app}/Contents/MacOS/Bitcoin-Qt
         VERBATIM
       )
@@ -111,16 +97,22 @@ function(add_macos_deploy_target)
         DEPENDS ${PROJECT_BINARY_DIR}/dist/${macos_app}/Contents/MacOS/Bitcoin-Qt
       )
 
-      find_program(ZIP_COMMAND zip REQUIRED)
-      add_custom_command(
-        OUTPUT ${PROJECT_BINARY_DIR}/dist/${osx_volname}.zip
-        WORKING_DIRECTORY dist
-        COMMAND ${PROJECT_SOURCE_DIR}/cmake/script/macos_zip.sh ${ZIP_COMMAND} ${osx_volname}.zip
-        VERBATIM
-      )
-      add_custom_target(deploy
-        DEPENDS ${PROJECT_BINARY_DIR}/dist/${osx_volname}.zip
-      )
+      find_program(ZIP_EXECUTABLE zip)
+      if(NOT ZIP_EXECUTABLE)
+        add_custom_target(deploy
+          COMMAND ${CMAKE_COMMAND} -E echo "Error: ZIP not found"
+        )
+      else()
+        add_custom_command(
+          OUTPUT ${PROJECT_BINARY_DIR}/dist/${macos_zip}.zip
+          WORKING_DIRECTORY dist
+          COMMAND ${PROJECT_SOURCE_DIR}/cmake/script/macos_zip.sh ${ZIP_EXECUTABLE} ${macos_zip}.zip
+          VERBATIM
+        )
+        add_custom_target(deploy
+          DEPENDS ${PROJECT_BINARY_DIR}/dist/${macos_zip}.zip
+        )
+      endif()
     endif()
     add_dependencies(deploydir bitcoin-qt)
     add_dependencies(deploy deploydir)

cmake/module/ProcessConfigurations.cmake

@@ -105,14 +105,13 @@ function(remove_cxx_flag_from_all_configs flag)
 endfunction()
 
 function(replace_cxx_flag_in_config config old_flag new_flag)
-  string(TOUPPER "${config}" config_uppercase)
-  string(REGEX REPLACE "(^| )${old_flag}( |$)" "\\1${new_flag}\\2" new_flags "${CMAKE_CXX_FLAGS_${config_uppercase}}")
-  set(CMAKE_CXX_FLAGS_${config_uppercase} "${new_flags}" PARENT_SCOPE)
-  set(CMAKE_CXX_FLAGS_${config_uppercase} "${new_flags}"
-    CACHE STRING
-    "Flags used by the CXX compiler during ${config_uppercase} builds."
-    FORCE
-  )
+  string(TOUPPER "CMAKE_CXX_FLAGS_${config}" var_name)
+  if("${var_name}" IN_LIST precious_variables)
+    return()
+  endif()
+  string(REGEX REPLACE "(^| )${old_flag}( |$)" "\\1${new_flag}\\2" ${var_name} "${${var_name}}")
+  set(${var_name} "${${var_name}}" PARENT_SCOPE)
+  set_property(CACHE ${var_name} PROPERTY VALUE "${${var_name}}")
 endfunction()
 
 set_default_config(RelWithDebInfo)

cmake/module/TestAppendRequiredLibraries.cmake

@@ -38,8 +38,7 @@ function(test_append_socket_library target)
       message(FATAL_ERROR "Cannot figure out how to use getifaddrs/freeifaddrs.")
     endif()
   endif()
-  set(HAVE_DECL_GETIFADDRS TRUE PARENT_SCOPE)
-  set(HAVE_DECL_FREEIFADDRS TRUE PARENT_SCOPE)
+  set(HAVE_IFADDRS TRUE PARENT_SCOPE)
 endfunction()
 
 # Clang, when building for 32-bit,

cmake/module/TryAppendLinkerFlag.cmake

@@ -20,7 +20,7 @@ In configuration output, this function prints a string by the following pattern:
 function(try_append_linker_flag flag)
   cmake_parse_arguments(PARSE_ARGV 1
     TALF                              # prefix
-    ""                                # options
+    "NO_CACHE_IF_FAILED"              # options
     "TARGET;VAR;SOURCE;RESULT_VAR"    # one_value_keywords
     "IF_CHECK_PASSED"                 # multi_value_keywords
   )
@@ -68,6 +68,10 @@ function(try_append_linker_flag flag)
   if(DEFINED TALF_RESULT_VAR)
     set(${TALF_RESULT_VAR} "${${result}}" PARENT_SCOPE)
   endif()
+
+  if(NOT ${result} AND TALF_NO_CACHE_IF_FAILED)
+    unset(${result} CACHE)
+  endif()
 endfunction()
 
 if(MSVC)

cmake/secp256k1.cmake

@@ -0,0 +1,52 @@
+# Copyright (c) 2023-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or https://opensource.org/license/mit/.
+
+enable_language(C)
+
+function(add_secp256k1 subdir)
+  message("")
+  message("Configuring secp256k1 subtree...")
+  set(BUILD_SHARED_LIBS OFF)
+  set(CMAKE_EXPORT_COMPILE_COMMANDS OFF)
+  set(SECP256K1_ENABLE_MODULE_ECDH OFF CACHE BOOL "" FORCE)
+  set(SECP256K1_ENABLE_MODULE_RECOVERY ON CACHE BOOL "" FORCE)
+  set(SECP256K1_ENABLE_MODULE_MUSIG ON CACHE BOOL "" FORCE)
+  set(SECP256K1_BUILD_BENCHMARK OFF CACHE BOOL "" FORCE)
+  set(SECP256K1_BUILD_TESTS ${BUILD_TESTS} CACHE BOOL "" FORCE)
+  set(SECP256K1_BUILD_EXHAUSTIVE_TESTS ${BUILD_TESTS} CACHE BOOL "" FORCE)
+  if(NOT BUILD_TESTS)
+    # Always skip the ctime tests, if we are building no other tests.
+    # Otherwise, they are built if Valgrind is available. See SECP256K1_VALGRIND.
+    set(SECP256K1_BUILD_CTIME_TESTS ${BUILD_TESTS} CACHE BOOL "" FORCE)
+  endif()
+  set(SECP256K1_BUILD_EXAMPLES OFF CACHE BOOL "" FORCE)
+  include(GetTargetInterface)
+  # -fsanitize and related flags apply to both C++ and C,
+  # so we can pass them down to libsecp256k1 as CFLAGS and LDFLAGS.
+  get_target_interface(SECP256K1_APPEND_CFLAGS "" sanitize_interface COMPILE_OPTIONS)
+  string(STRIP "${SECP256K1_APPEND_CFLAGS} ${APPEND_CPPFLAGS}" SECP256K1_APPEND_CFLAGS)
+  string(STRIP "${SECP256K1_APPEND_CFLAGS} ${APPEND_CFLAGS}" SECP256K1_APPEND_CFLAGS)
+  set(SECP256K1_APPEND_CFLAGS ${SECP256K1_APPEND_CFLAGS} CACHE STRING "" FORCE)
+  get_target_interface(SECP256K1_APPEND_LDFLAGS "" sanitize_interface LINK_OPTIONS)
+  string(STRIP "${SECP256K1_APPEND_LDFLAGS} ${APPEND_LDFLAGS}" SECP256K1_APPEND_LDFLAGS)
+  set(SECP256K1_APPEND_LDFLAGS ${SECP256K1_APPEND_LDFLAGS} CACHE STRING "" FORCE)
+  # We want to build libsecp256k1 with the most tested RelWithDebInfo configuration.
+  foreach(config IN LISTS CMAKE_BUILD_TYPE CMAKE_CONFIGURATION_TYPES)
+    if(config STREQUAL "")
+      continue()
+    endif()
+    string(TOUPPER "${config}" config)
+    set(CMAKE_C_FLAGS_${config} "${CMAKE_C_FLAGS_RELWITHDEBINFO}")
+  endforeach()
+  # If the CFLAGS environment variable is defined during building depends
+  # and configuring this build system, its content might be duplicated.
+  if(DEFINED ENV{CFLAGS})
+    deduplicate_flags(CMAKE_C_FLAGS)
+  endif()
+
+  add_subdirectory(${subdir})
+  set_target_properties(secp256k1 PROPERTIES
+    EXCLUDE_FROM_ALL TRUE
+  )
+endfunction()

cmake/tests.cmake

@@ -1,15 +0,0 @@
-# Copyright (c) 2023-present The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or https://opensource.org/license/mit/.
-
-if(TARGET bitcoin-util AND TARGET bitcoin-tx AND PYTHON_COMMAND)
-  add_test(NAME util_test_runner
-    COMMAND ${CMAKE_COMMAND} -E env BITCOINUTIL=$<TARGET_FILE:bitcoin-util> BITCOINTX=$<TARGET_FILE:bitcoin-tx> ${PYTHON_COMMAND} ${PROJECT_BINARY_DIR}/test/util/test_runner.py
-  )
-endif()
-
-if(PYTHON_COMMAND)
-  add_test(NAME util_rpcauth_test
-    COMMAND ${PYTHON_COMMAND} ${PROJECT_BINARY_DIR}/test/util/rpcauth-test.py
-  )
-endif()

cmake/windows-app.manifest.in

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
+  <assemblyIdentity
+      type="win32"
+      name="org.bitcoincore.${target}"
+      version="${CLIENT_VERSION_MAJOR}.${CLIENT_VERSION_MINOR}.${CLIENT_VERSION_BUILD}.0"
+  />
+  <asmv3:application>
+    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2019/WindowsSettings">
+      <activeCodePage>UTF-8</activeCodePage>
+    </asmv3:windowsSettings>
+  </asmv3:application>
+  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+    <security>
+      <requestedPrivileges>
+        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
+      </requestedPrivileges>
+    </security>
+  </trustInfo>
+</assembly>

contrib/asmap/README.md

@@ -9,4 +9,75 @@ Example usage:
 python3 asmap-tool.py encode /path/to/input.file /path/to/output.file
 python3 asmap-tool.py decode /path/to/input.file /path/to/output.file
 python3 asmap-tool.py diff /path/to/first.file /path/to/second.file
+python3 asmap-tool.py diff_addrs /path/to/first.file /path/to/second.file addrs.file
+```
+These commands may take a few minutes to run with `python3`,
+depending on the amount of data involved and your machine specs.
+Consider using `pypy3` for a faster run time.
+
+### Encoding and Decoding
+
+ASmap files are somewhat large in text form, and need to be encoded
+to binary before being used with Bitcoin Core.
+
+The `encode` command takes an ASmap and an output file.
+
+The `--fill`/`-f` flag further reduces the size of the output file
+by assuming an AS assignment for an unmapped network if an adjacent network is assigned.
+This procedure is lossy, in the sense that it loses information
+about which ranges were unassigned.
+However, if the input ASmap is incomplete,
+this procedure will also reassign ranges that should have an AS assignment,
+resulting in an ASmap that may diverge from reality significantly.
+Finally, another consequence is that the resulting encoded file
+will no longer be meaningful for diffs.
+Therefore only use `--fill` if
+you want to optimise space, you have a reasonably complete ASmap,
+and do not intend to diff the file at a later time.
+
+The `decode` command takes an encoded ASmap and an output file.
+As with `encode`, the `--fill`/`-f` flag reduces the output file size
+by reassigning subnets. Conversely, the `--non-overlapping`/`-n` flag
+increases output size by outputting strictly non-overlapping network ranges.
+
+### Comparing ASmaps
+
+AS control of IP networks changes frequently, therefore it can be useful to get
+the changes between two ASmaps via the `diff` and `diff_addrs` commands.
+
+`diff` takes two ASmap files, and returns a file detailing the changes
+in the state of a network's AS assignment between the first and the second file.
+This command may take a few minutes to run, depending on your machine.
+
+The example below shows the three possible output states:
+- reassigned to a new AS (`AS26496 # was AS20738`),
+- present in the first but not the second (`# 220.157.65.0/24 was AS9723`),
+- or present in the second but not the first (`# was unassigned`).
+
+```
+217.199.160.0/19 AS26496 # was AS20738
+# 220.157.65.0/24 was AS9723
+216.151.172.0/23 AS400080 # was unassigned
+2001:470:49::/48 AS20205 # was AS6939
+# 2001:678:bd0::/48 was AS207631
+2001:67c:308::/48 AS26496 # was unassigned
+```
+`diff` accepts a `--ignore-unassigned`/`-i` flag
+which ignores networks present in the second but not the first.
+
+`diff_addrs` is intended to provide changes between two ASmaps and
+a node's known peers.
+The command takes two ASmap files, and a file of IP addresses as output by
+the `bitcoin-cli getnodeaddresses` command.
+It returns the changes between the two ASmaps for the peer IPs provided in
+the `getnodeaddresses` output.
+The resulting file is in the same format as the `diff` command shown above.
+
+You can output address data to a file:
+```
+bitcoin-cli getnodeaddresses 0 > addrs.json
+```
+and pass in the address file as the third argument:
+```
+python3 asmap-tool.py diff_addrs path/to/first.file path/to/second.file addrs.json
 ```

contrib/asmap/asmap-tool.py

@@ -131,6 +131,8 @@ def main():
     if args.subcommand is None:
         parser.print_help()
     elif args.subcommand == "encode":
+        if args.outfile.isatty():
+            sys.exit("Not much use in writing binary to a TTY. Please specify an output file or pipe output to another process.")
         state = load_file(args.infile)
         save_binary(args.outfile, state, fill=args.fill)
     elif args.subcommand == "decode":
@@ -140,15 +142,19 @@ def main():
         state1 = load_file(args.infile1)
         state2 = load_file(args.infile2)
         ipv4_changed = 0
+        ipv4_entries_changed = 0
         ipv6_changed = 0
+        ipv6_entries_changed = 0
         for prefix, old_asn, new_asn in state1.diff(state2):
             if args.ignore_unassigned and old_asn == 0:
                 continue
             net = asmap.prefix_to_net(prefix)
             if isinstance(net, ipaddress.IPv4Network):
-                ipv4_changed += 1 << (32 - net.prefixlen)
+                ipv4_changed += net.num_addresses
+                ipv4_entries_changed += 1
             elif isinstance(net, ipaddress.IPv6Network):
-                ipv6_changed += 1 << (128 - net.prefixlen)
+                ipv6_changed += net.num_addresses
+                ipv6_entries_changed += 1
             if new_asn == 0:
                 print(f"# {net} was AS{old_asn}")
             elif old_asn == 0:
@@ -159,8 +165,9 @@ def main():
         ipv6_change_str = "" if ipv6_changed == 0 else f" (2^{math.log2(ipv6_changed):.2f})"
 
         print(
-            f"# {ipv4_changed}{ipv4_change_str} IPv4 addresses changed; "
-            f"{ipv6_changed}{ipv6_change_str} IPv6 addresses changed"
+f"""# Summary
+IPv4: {ipv4_entries_changed} entries with {ipv4_changed}{ipv4_change_str} addresses changed
+IPv6: {ipv6_entries_changed} entries with {ipv6_changed}{ipv6_change_str} addresses changed"""
         )
     elif args.subcommand == "diff_addrs":
         state1 = load_file(args.infile1)

contrib/completions/bash/bitcoin-cli.bash

@@ -1,5 +1,5 @@
 # bash programmable completion for bitcoin-cli(1)
-# Copyright (c) 2012-2022 The Bitcoin Core developers
+# Copyright (c) 2012-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
@@ -39,7 +39,7 @@ _bitcoin_cli() {
 
     if ((cword > 4)); then
         case ${words[cword-4]} in
-            importaddress|listtransactions|setban)
+            listtransactions|setban)
                 COMPREPLY=( $( compgen -W "true false" -- "$cur" ) )
                 return 0
                 ;;
@@ -52,10 +52,7 @@ _bitcoin_cli() {
 
     if ((cword > 3)); then
         case ${words[cword-3]} in
-            addmultisigaddress)
-                return 0
-                ;;
-            getbalance|gettxout|importaddress|importpubkey|importprivkey|listreceivedbyaddress|listsinceblock)
+            getbalance|gettxout|listreceivedbyaddress|listsinceblock)
                 COMPREPLY=( $( compgen -W "true false" -- "$cur" ) )
                 return 0
                 ;;
@@ -80,7 +77,7 @@ _bitcoin_cli() {
     fi
 
     case "$prev" in
-        backupwallet|dumpwallet|importwallet)
+        backupwallet)
             _filedir
             return 0
             ;;

contrib/completions/bash/bitcoin-tx.bash

@@ -1,5 +1,5 @@
 # bash programmable completion for bitcoin-tx(1)
-# Copyright (c) 2016-2022 The Bitcoin Core developers
+# Copyright (c) 2016-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/completions/bash/bitcoind.bash

@@ -1,5 +1,5 @@
 # bash programmable completion for bitcoind(1) and bitcoin-qt(1)
-# Copyright (c) 2012-2022 The Bitcoin Core developers
+# Copyright (c) 2012-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 

contrib/debian/copyright

@@ -5,7 +5,7 @@ Upstream-Contact: Satoshi Nakamoto <satoshin@gmx.com>
 Source: https://github.com/bitcoin/bitcoin
 
 Files: *
-Copyright: 2009-2025, Bitcoin Core Developers
+Copyright: 2009-2026, Bitcoin Core Developers
 License: Expat
 Comment: The Bitcoin Core Developers encompasses all contributors to the
          project, listed in the release notes or the git log.
@@ -121,17 +121,6 @@ Comment:
  You should have received a copy of the GNU General Public License along
  with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-License: GPL-3+
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the GNU General Public License, Version 3 or any
- later version published by the Free Software Foundation.
-Comment:
- On Debian systems the GNU General Public License (GPL) version 3 is
- located in '/usr/share/common-licenses/GPL-3'.
- .
- You should have received a copy of the GNU General Public License along
- with this program.  If not, see <http://www.gnu.org/licenses/>.
-
 License: public-domain
  This work is in the public domain.
 

contrib/devtools/README.md

@@ -8,18 +8,42 @@ deterministic-fuzz-coverage
 A tool to check for non-determinism in fuzz coverage. To get the help, run:
 
 ```
-RUST_BACKTRACE=1 cargo run --manifest-path ./contrib/devtools/deterministic-fuzz-coverage/Cargo.toml -- --help
+cargo run --manifest-path ./contrib/devtools/deterministic-fuzz-coverage/Cargo.toml -- --help
 ```
 
-To execute the tool, compilation has to be done with the build options
-`-DCMAKE_C_COMPILER='clang' -DCMAKE_CXX_COMPILER='clang++'
--DBUILD_FOR_FUZZING=ON -DCMAKE_CXX_FLAGS='-fPIC -fprofile-instr-generate
--fcoverage-mapping'`. Both llvm-profdata and llvm-cov must be installed. Also,
-the qa-assets repository must have been cloned. Finally, a fuzz target has to
-be picked before running the tool:
+To execute the tool, compilation has to be done with the build options:
 
 ```
-RUST_BACKTRACE=1 cargo run --manifest-path ./contrib/devtools/deterministic-fuzz-coverage/Cargo.toml -- $PWD/build_dir $PWD/qa-assets/corpora-dir fuzz_target_name
+-DCMAKE_C_COMPILER='clang' -DCMAKE_CXX_COMPILER='clang++' -DBUILD_FOR_FUZZING=ON -DCMAKE_CXX_FLAGS='-fprofile-instr-generate -fcoverage-mapping'
+```
+
+Both llvm-profdata and llvm-cov must be installed. Also, the qa-assets
+repository must have been cloned. Finally, a fuzz target has to be picked
+before running the tool:
+
+```
+cargo run --manifest-path ./contrib/devtools/deterministic-fuzz-coverage/Cargo.toml -- $PWD/build_dir $PWD/qa-assets/fuzz_corpora fuzz_target_name
+```
+
+deterministic-unittest-coverage
+===========================
+
+A tool to check for non-determinism in unit-test coverage. To get the help, run:
+
+```
+cargo run --manifest-path ./contrib/devtools/deterministic-unittest-coverage/Cargo.toml -- --help
+```
+
+To execute the tool, compilation has to be done with the build options:
+
+```
+-DCMAKE_C_COMPILER='clang' -DCMAKE_CXX_COMPILER='clang++' -DCMAKE_CXX_FLAGS='-fprofile-instr-generate -fcoverage-mapping'
+```
+
+Both llvm-profdata and llvm-cov must be installed.
+
+```
+cargo run --manifest-path ./contrib/devtools/deterministic-unittest-coverage/Cargo.toml -- $PWD/build_dir <boost unittest filter>
 ```
 
 clang-format-diff.py
@@ -37,65 +61,6 @@ the script should be called from the git root folder as follows.
 git diff -U0 HEAD~1.. | ./contrib/devtools/clang-format-diff.py -p1 -i -v
 ```
 
-copyright\_header.py
-====================
-
-Provides utilities for managing copyright headers of `The Bitcoin Core
-developers` in repository source files. It has three subcommands:
-
-```
-$ ./copyright_header.py report <base_directory> [verbose]
-$ ./copyright_header.py update <base_directory>
-$ ./copyright_header.py insert <file>
-```
-Running these subcommands without arguments displays a usage string.
-
-copyright\_header.py report \<base\_directory\> [verbose]
----------------------------------------------------------
-
-Produces a report of all copyright header notices found inside the source files
-of a repository. Useful to quickly visualize the state of the headers.
-Specifying `verbose` will list the full filenames of files of each category.
-
-copyright\_header.py update \<base\_directory\> [verbose]
----------------------------------------------------------
-Updates all the copyright headers of `The Bitcoin Core developers` which were
-changed in a year more recent than is listed. For example:
-```
-// Copyright (c) <firstYear>-<lastYear> The Bitcoin Core developers
-```
-will be updated to:
-```
-// Copyright (c) <firstYear>-<lastModifiedYear> The Bitcoin Core developers
-```
-where `<lastModifiedYear>` is obtained from the `git log` history.
-
-This subcommand also handles copyright headers that have only a single year. In
-those cases:
-```
-// Copyright (c) <year> The Bitcoin Core developers
-```
-will be updated to:
-```
-// Copyright (c) <year>-<lastModifiedYear> The Bitcoin Core developers
-```
-where the update is appropriate.
-
-copyright\_header.py insert \<file\>
-------------------------------------
-Inserts a copyright header for `The Bitcoin Core developers` at the top of the
-file in either Python or C++ style as determined by the file extension. If the
-file is a Python file and it has  `#!` starting the first line, the header is
-inserted in the line below it.
-
-The copyright dates will be set to be `<year_introduced>-<current_year>` where
-`<year_introduced>` is according to the `git log` history. If
-`<year_introduced>` is equal to `<current_year>`, it will be set as a single
-year rather than two hyphenated years.
-
-If the file already has a copyright for `The Bitcoin Core developers`, the
-script will exit.
-
 gen-manpages.py
 ===============
 
@@ -113,7 +78,7 @@ BUILDDIR=$PWD/my-build-dir contrib/devtools/gen-manpages.py
 headerssync-params.py
 =====================
 
-A script to generate optimal parameters for the headerssync module (src/headerssync.cpp). It takes no command-line
+A script to generate optimal parameters for the headerssync module (stored in src/kernel/chainparams.cpp). It takes no command-line
 options, as all its configuration is set at the top of the file. It runs many times faster inside PyPy. Invocation:
 
 ```bash
@@ -135,35 +100,6 @@ For example:
 BUILDDIR=$PWD/my-build-dir contrib/devtools/gen-bitcoin-conf.sh
 ```
 
-security-check.py
-=================
-
-Perform basic security checks on a series of executables.
-
-symbol-check.py
-===============
-
-A script to check that release executables only contain
-certain symbols and are only linked against allowed libraries.
-
-For Linux this means checking for allowed gcc, glibc and libstdc++ version symbols.
-This makes sure they are still compatible with the minimum supported distribution versions.
-
-For macOS and Windows we check that the executables are only linked against libraries we allow.
-
-Example usage:
-
-    find ../path/to/executables -type f -executable | xargs python3 contrib/devtools/symbol-check.py
-
-If no errors occur the return value will be 0 and the output will be empty.
-
-If there are any errors the return value will be 1 and output like this will be printed:
-
-    .../64/test_bitcoin: symbol memcpy from unsupported version GLIBC_2.14
-    .../64/test_bitcoin: symbol __fdelt_chk from unsupported version GLIBC_2.15
-    .../64/test_bitcoin: symbol std::out_of_range::~out_of_range() from unsupported version GLIBCXX_3.4.15
-    .../64/test_bitcoin: symbol _ZNSt8__detail15_List_nod from unsupported version GLIBCXX_3.4.15
-
 circular-dependencies.py
 ========================
 

contrib/devtools/check-deps.sh

@@ -41,9 +41,6 @@ ALLOWED_DEPENDENCIES+=(
 
 # Declare list of known errors that should be suppressed.
 declare -A SUPPRESS
-# init.cpp file currently calls Berkeley DB sanity check function on startup, so
-# there is an undocumented dependency of the node library on the wallet library.
-SUPPRESS["init.cpp.o bdb.cpp.o _ZN6wallet27BerkeleyDatabaseSanityCheckEv"]=1
 # init/common.cpp file calls InitError and InitWarning from interface_ui which
 # is currently part of the node library. interface_ui should just be part of the
 # common library instead, and is moved in

contrib/devtools/circular-dependencies.py

@@ -1,16 +1,11 @@
 #!/usr/bin/env python3
-# Copyright (c) 2018-2020 The Bitcoin Core developers
+# Copyright (c) 2018-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 import sys
 import re
 
-MAPPING = {
-    'core_read.cpp': 'core_io.cpp',
-    'core_write.cpp': 'core_io.cpp',
-}
-
 # Directories with header-based modules, where the assumption that .cpp files
 # define functions and variables declared in corresponding .h files is
 # incorrect.
@@ -19,8 +14,6 @@ HEADER_MODULE_PATHS = [
 ]
 
 def module_name(path):
-    if path in MAPPING:
-        path = MAPPING[path]
     if any(path.startswith(dirpath) for dirpath in HEADER_MODULE_PATHS):
         return path
     if path.endswith(".h"):
@@ -49,7 +42,7 @@ for arg in sys.argv[1:]:
 # TODO: implement support for multiple include directories
 for arg in sorted(files.keys()):
     module = files[arg]
-    with open(arg, 'r', encoding="utf8") as f:
+    with open(arg, 'r') as f:
         for line in f:
             match = RE.match(line)
             if match:

contrib/devtools/clang-format-diff.py

@@ -169,7 +169,7 @@ def main():
             sys.exit(p.returncode)
 
         if not args.i:
-            with open(filename, encoding="utf8") as f:
+            with open(filename) as f:
                 code = f.readlines()
             formatted_code = StringIO(stdout).readlines()
             diff = difflib.unified_diff(

contrib/devtools/copyright_header.py

@@ -1,603 +0,0 @@
-#!/usr/bin/env python3
-# Copyright (c) 2016-2022 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-import re
-import fnmatch
-import sys
-import subprocess
-import datetime
-import os
-
-################################################################################
-# file filtering
-################################################################################
-
-EXCLUDE = [
-    # auto generated:
-    'src/qt/bitcoinstrings.cpp',
-    'src/chainparamsseeds.h',
-    # other external copyrights:
-    'src/test/fuzz/FuzzedDataProvider.h',
-    'src/tinyformat.h',
-    'src/bench/nanobench.h',
-    'test/functional/test_framework/bignum.py',
-    # python init:
-    '*__init__.py',
-]
-EXCLUDE_COMPILED = re.compile('|'.join([fnmatch.translate(m) for m in EXCLUDE]))
-
-EXCLUDE_DIRS = [
-    # git subtrees
-    "src/crypto/ctaes/",
-    "src/leveldb/",
-    "src/minisketch",
-    "src/secp256k1/",
-    "src/crc32c/",
-]
-
-INCLUDE = ['*.h', '*.cpp', '*.cc', '*.c', '*.mm', '*.py', '*.sh', '*.bash-completion']
-INCLUDE_COMPILED = re.compile('|'.join([fnmatch.translate(m) for m in INCLUDE]))
-
-def applies_to_file(filename):
-    for excluded_dir in EXCLUDE_DIRS:
-        if filename.startswith(excluded_dir):
-            return False
-    return ((EXCLUDE_COMPILED.match(filename) is None) and
-            (INCLUDE_COMPILED.match(filename) is not None))
-
-################################################################################
-# obtain list of files in repo according to INCLUDE and EXCLUDE
-################################################################################
-
-GIT_LS_CMD = 'git ls-files --full-name'.split(' ')
-GIT_TOPLEVEL_CMD = 'git rev-parse --show-toplevel'.split(' ')
-
-def call_git_ls(base_directory):
-    out = subprocess.check_output([*GIT_LS_CMD, base_directory])
-    return [f for f in out.decode("utf-8").split('\n') if f != '']
-
-def call_git_toplevel():
-    "Returns the absolute path to the project root"
-    return subprocess.check_output(GIT_TOPLEVEL_CMD).strip().decode("utf-8")
-
-def get_filenames_to_examine(base_directory):
-    "Returns an array of absolute paths to any project files in the base_directory that pass the include/exclude filters"
-    root = call_git_toplevel()
-    filenames = call_git_ls(base_directory)
-    return sorted([os.path.join(root, filename) for filename in filenames if
-                   applies_to_file(filename)])
-
-################################################################################
-# define and compile regexes for the patterns we are looking for
-################################################################################
-
-
-COPYRIGHT_WITH_C = r'Copyright \(c\)'
-COPYRIGHT_WITHOUT_C = 'Copyright'
-ANY_COPYRIGHT_STYLE = '(%s|%s)' % (COPYRIGHT_WITH_C, COPYRIGHT_WITHOUT_C)
-
-YEAR = "20[0-9][0-9]"
-YEAR_RANGE = '(%s)(-%s)?' % (YEAR, YEAR)
-YEAR_LIST = '(%s)(, %s)+' % (YEAR, YEAR)
-ANY_YEAR_STYLE = '(%s|%s)' % (YEAR_RANGE, YEAR_LIST)
-ANY_COPYRIGHT_STYLE_OR_YEAR_STYLE = ("%s %s" % (ANY_COPYRIGHT_STYLE,
-                                                ANY_YEAR_STYLE))
-
-ANY_COPYRIGHT_COMPILED = re.compile(ANY_COPYRIGHT_STYLE_OR_YEAR_STYLE)
-
-def compile_copyright_regex(copyright_style, year_style, name):
-    return re.compile(r'%s %s,? %s( +\*)?\n' % (copyright_style, year_style, name))
-
-EXPECTED_HOLDER_NAMES = [
-    r"Satoshi Nakamoto",
-    r"The Bitcoin Core developers",
-    r"BitPay Inc\.",
-    r"University of Illinois at Urbana-Champaign\.",
-    r"Pieter Wuille",
-    r"Wladimir J\. van der Laan",
-    r"Jeff Garzik",
-    r"Jan-Klaas Kollhof",
-    r"ArtForz -- public domain half-a-node",
-    r"Intel Corporation ?",
-    r"The Zcash developers",
-    r"Jeremy Rubin",
-]
-
-DOMINANT_STYLE_COMPILED = {}
-YEAR_LIST_STYLE_COMPILED = {}
-WITHOUT_C_STYLE_COMPILED = {}
-
-for holder_name in EXPECTED_HOLDER_NAMES:
-    DOMINANT_STYLE_COMPILED[holder_name] = (
-        compile_copyright_regex(COPYRIGHT_WITH_C, YEAR_RANGE, holder_name))
-    YEAR_LIST_STYLE_COMPILED[holder_name] = (
-        compile_copyright_regex(COPYRIGHT_WITH_C, YEAR_LIST, holder_name))
-    WITHOUT_C_STYLE_COMPILED[holder_name] = (
-        compile_copyright_regex(COPYRIGHT_WITHOUT_C, ANY_YEAR_STYLE,
-                                holder_name))
-
-################################################################################
-# search file contents for copyright message of particular category
-################################################################################
-
-def get_count_of_copyrights_of_any_style_any_holder(contents):
-    return len(ANY_COPYRIGHT_COMPILED.findall(contents))
-
-def file_has_dominant_style_copyright_for_holder(contents, holder_name):
-    match = DOMINANT_STYLE_COMPILED[holder_name].search(contents)
-    return match is not None
-
-def file_has_year_list_style_copyright_for_holder(contents, holder_name):
-    match = YEAR_LIST_STYLE_COMPILED[holder_name].search(contents)
-    return match is not None
-
-def file_has_without_c_style_copyright_for_holder(contents, holder_name):
-    match = WITHOUT_C_STYLE_COMPILED[holder_name].search(contents)
-    return match is not None
-
-################################################################################
-# get file info
-################################################################################
-
-def read_file(filename):
-    return open(filename, 'r', encoding="utf8").read()
-
-def gather_file_info(filename):
-    info = {}
-    info['filename'] = filename
-    c = read_file(filename)
-    info['contents'] = c
-
-    info['all_copyrights'] = get_count_of_copyrights_of_any_style_any_holder(c)
-
-    info['classified_copyrights'] = 0
-    info['dominant_style'] = {}
-    info['year_list_style'] = {}
-    info['without_c_style'] = {}
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        has_dominant_style = (
-            file_has_dominant_style_copyright_for_holder(c, holder_name))
-        has_year_list_style = (
-            file_has_year_list_style_copyright_for_holder(c, holder_name))
-        has_without_c_style = (
-            file_has_without_c_style_copyright_for_holder(c, holder_name))
-        info['dominant_style'][holder_name] = has_dominant_style
-        info['year_list_style'][holder_name] = has_year_list_style
-        info['without_c_style'][holder_name] = has_without_c_style
-        if has_dominant_style or has_year_list_style or has_without_c_style:
-            info['classified_copyrights'] = info['classified_copyrights'] + 1
-    return info
-
-################################################################################
-# report execution
-################################################################################
-
-SEPARATOR = '-'.join(['' for _ in range(80)])
-
-def print_filenames(filenames, verbose):
-    if not verbose:
-        return
-    for filename in filenames:
-        print("\t%s" % filename)
-
-def print_report(file_infos, verbose):
-    print(SEPARATOR)
-    examined = [i['filename'] for i in file_infos]
-    print("%d files examined according to INCLUDE and EXCLUDE fnmatch rules" %
-          len(examined))
-    print_filenames(examined, verbose)
-
-    print(SEPARATOR)
-    print('')
-    zero_copyrights = [i['filename'] for i in file_infos if
-                       i['all_copyrights'] == 0]
-    print("%4d with zero copyrights" % len(zero_copyrights))
-    print_filenames(zero_copyrights, verbose)
-    one_copyright = [i['filename'] for i in file_infos if
-                     i['all_copyrights'] == 1]
-    print("%4d with one copyright" % len(one_copyright))
-    print_filenames(one_copyright, verbose)
-    two_copyrights = [i['filename'] for i in file_infos if
-                      i['all_copyrights'] == 2]
-    print("%4d with two copyrights" % len(two_copyrights))
-    print_filenames(two_copyrights, verbose)
-    three_copyrights = [i['filename'] for i in file_infos if
-                        i['all_copyrights'] == 3]
-    print("%4d with three copyrights" % len(three_copyrights))
-    print_filenames(three_copyrights, verbose)
-    four_or_more_copyrights = [i['filename'] for i in file_infos if
-                               i['all_copyrights'] >= 4]
-    print("%4d with four or more copyrights" % len(four_or_more_copyrights))
-    print_filenames(four_or_more_copyrights, verbose)
-    print('')
-    print(SEPARATOR)
-    print('Copyrights with dominant style:\ne.g. "Copyright (c)" and '
-          '"<year>" or "<startYear>-<endYear>":\n')
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        dominant_style = [i['filename'] for i in file_infos if
-                          i['dominant_style'][holder_name]]
-        if len(dominant_style) > 0:
-            print("%4d with '%s'" % (len(dominant_style),
-                                     holder_name.replace('\n', '\\n')))
-            print_filenames(dominant_style, verbose)
-    print('')
-    print(SEPARATOR)
-    print('Copyrights with year list style:\ne.g. "Copyright (c)" and '
-          '"<year1>, <year2>, ...":\n')
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        year_list_style = [i['filename'] for i in file_infos if
-                           i['year_list_style'][holder_name]]
-        if len(year_list_style) > 0:
-            print("%4d with '%s'" % (len(year_list_style),
-                                     holder_name.replace('\n', '\\n')))
-            print_filenames(year_list_style, verbose)
-    print('')
-    print(SEPARATOR)
-    print('Copyrights with no "(c)" style:\ne.g. "Copyright" and "<year>" or '
-          '"<startYear>-<endYear>":\n')
-    for holder_name in EXPECTED_HOLDER_NAMES:
-        without_c_style = [i['filename'] for i in file_infos if
-                           i['without_c_style'][holder_name]]
-        if len(without_c_style) > 0:
-            print("%4d with '%s'" % (len(without_c_style),
-                                     holder_name.replace('\n', '\\n')))
-            print_filenames(without_c_style, verbose)
-
-    print('')
-    print(SEPARATOR)
-
-    unclassified_copyrights = [i['filename'] for i in file_infos if
-                               i['classified_copyrights'] < i['all_copyrights']]
-    print("%d with unexpected copyright holder names" %
-          len(unclassified_copyrights))
-    print_filenames(unclassified_copyrights, verbose)
-    print(SEPARATOR)
-
-def exec_report(base_directory, verbose):
-    filenames = get_filenames_to_examine(base_directory)
-    file_infos = [gather_file_info(f) for f in filenames]
-    print_report(file_infos, verbose)
-
-################################################################################
-# report cmd
-################################################################################
-
-REPORT_USAGE = """
-Produces a report of all copyright header notices found inside the source files
-of a repository.
-
-Usage:
-    $ ./copyright_header.py report <base_directory> [verbose]
-
-Arguments:
-    <base_directory> - The base directory of a bitcoin source code repository.
-    [verbose] - Includes a list of every file of each subcategory in the report.
-"""
-
-def report_cmd(argv):
-    if len(argv) == 2:
-        sys.exit(REPORT_USAGE)
-
-    base_directory = argv[2]
-    if not os.path.exists(base_directory):
-        sys.exit("*** bad <base_directory>: %s" % base_directory)
-
-    if len(argv) == 3:
-        verbose = False
-    elif argv[3] == 'verbose':
-        verbose = True
-    else:
-        sys.exit("*** unknown argument: %s" % argv[2])
-
-    exec_report(base_directory, verbose)
-
-################################################################################
-# query git for year of last change
-################################################################################
-
-GIT_LOG_CMD = "git log --pretty=format:%%ai %s"
-
-def call_git_log(filename):
-    out = subprocess.check_output((GIT_LOG_CMD % filename).split(' '))
-    return out.decode("utf-8").split('\n')
-
-def get_git_change_years(filename):
-    git_log_lines = call_git_log(filename)
-    if len(git_log_lines) == 0:
-        return [datetime.date.today().year]
-    # timestamp is in ISO 8601 format. e.g. "2016-09-05 14:25:32 -0600"
-    return [line.split(' ')[0].split('-')[0] for line in git_log_lines]
-
-def get_most_recent_git_change_year(filename):
-    return max(get_git_change_years(filename))
-
-################################################################################
-# read and write to file
-################################################################################
-
-def read_file_lines(filename):
-    with open(filename, 'r', encoding="utf8") as f:
-        file_lines = f.readlines()
-    return file_lines
-
-def write_file_lines(filename, file_lines):
-    with open(filename, 'w', encoding="utf8") as f:
-        f.write(''.join(file_lines))
-
-################################################################################
-# update header years execution
-################################################################################
-
-COPYRIGHT = r'Copyright \(c\)'
-YEAR = "20[0-9][0-9]"
-YEAR_RANGE = '(%s)(-%s)?' % (YEAR, YEAR)
-HOLDER = 'The Bitcoin Core developers'
-UPDATEABLE_LINE_COMPILED = re.compile(' '.join([COPYRIGHT, YEAR_RANGE, HOLDER]))
-
-def get_updatable_copyright_line(file_lines):
-    index = 0
-    for line in file_lines:
-        if UPDATEABLE_LINE_COMPILED.search(line) is not None:
-            return index, line
-        index = index + 1
-    return None, None
-
-def parse_year_range(year_range):
-    year_split = year_range.split('-')
-    start_year = year_split[0]
-    if len(year_split) == 1:
-        return start_year, start_year
-    return start_year, year_split[1]
-
-def year_range_to_str(start_year, end_year):
-    if start_year == end_year:
-        return start_year
-    return "%s-%s" % (start_year, end_year)
-
-def create_updated_copyright_line(line, last_git_change_year):
-    copyright_splitter = 'Copyright (c) '
-    copyright_split = line.split(copyright_splitter)
-    # Preserve characters on line that are ahead of the start of the copyright
-    # notice - they are part of the comment block and vary from file-to-file.
-    before_copyright = copyright_split[0]
-    after_copyright = copyright_split[1]
-
-    space_split = after_copyright.split(' ')
-    year_range = space_split[0]
-    start_year, end_year = parse_year_range(year_range)
-    if end_year >= last_git_change_year:
-        return line
-    return (before_copyright + copyright_splitter +
-            year_range_to_str(start_year, last_git_change_year) + ' ' +
-            ' '.join(space_split[1:]))
-
-def update_updatable_copyright(filename):
-    file_lines = read_file_lines(filename)
-    index, line = get_updatable_copyright_line(file_lines)
-    if not line:
-        print_file_action_message(filename, "No updatable copyright.")
-        return
-    last_git_change_year = get_most_recent_git_change_year(filename)
-    new_line = create_updated_copyright_line(line, last_git_change_year)
-    if line == new_line:
-        print_file_action_message(filename, "Copyright up-to-date.")
-        return
-    file_lines[index] = new_line
-    write_file_lines(filename, file_lines)
-    print_file_action_message(filename,
-                              "Copyright updated! -> %s" % last_git_change_year)
-
-def exec_update_header_year(base_directory):
-    for filename in get_filenames_to_examine(base_directory):
-        update_updatable_copyright(filename)
-
-################################################################################
-# update cmd
-################################################################################
-
-UPDATE_USAGE = """
-Updates all the copyright headers of "The Bitcoin Core developers" which were
-changed in a year more recent than is listed. For example:
-
-// Copyright (c) <firstYear>-<lastYear> The Bitcoin Core developers
-
-will be updated to:
-
-// Copyright (c) <firstYear>-<lastModifiedYear> The Bitcoin Core developers
-
-where <lastModifiedYear> is obtained from the 'git log' history.
-
-This subcommand also handles copyright headers that have only a single year. In those cases:
-
-// Copyright (c) <year> The Bitcoin Core developers
-
-will be updated to:
-
-// Copyright (c) <year>-<lastModifiedYear> The Bitcoin Core developers
-
-where the update is appropriate.
-
-Usage:
-    $ ./copyright_header.py update <base_directory>
-
-Arguments:
-    <base_directory> - The base directory of a bitcoin source code repository.
-"""
-
-def print_file_action_message(filename, action):
-    print("%-52s %s" % (filename, action))
-
-def update_cmd(argv):
-    if len(argv) != 3:
-        sys.exit(UPDATE_USAGE)
-
-    base_directory = argv[2]
-    if not os.path.exists(base_directory):
-        sys.exit("*** bad base_directory: %s" % base_directory)
-    exec_update_header_year(base_directory)
-
-################################################################################
-# inserted copyright header format
-################################################################################
-
-def get_header_lines(header, start_year, end_year):
-    lines = header.split('\n')[1:-1]
-    lines[0] = lines[0] % year_range_to_str(start_year, end_year)
-    return [line + '\n' for line in lines]
-
-CPP_HEADER = '''
-// Copyright (c) %s The Bitcoin Core developers
-// Distributed under the MIT software license, see the accompanying
-// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-'''
-
-def get_cpp_header_lines_to_insert(start_year, end_year):
-    return reversed(get_header_lines(CPP_HEADER, start_year, end_year))
-
-SCRIPT_HEADER = '''
-# Copyright (c) %s The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-'''
-
-def get_script_header_lines_to_insert(start_year, end_year):
-    return reversed(get_header_lines(SCRIPT_HEADER, start_year, end_year))
-
-################################################################################
-# query git for year of last change
-################################################################################
-
-def get_git_change_year_range(filename):
-    years = get_git_change_years(filename)
-    return min(years), max(years)
-
-################################################################################
-# check for existing core copyright
-################################################################################
-
-def file_already_has_core_copyright(file_lines):
-    index, _ = get_updatable_copyright_line(file_lines)
-    return index is not None
-
-################################################################################
-# insert header execution
-################################################################################
-
-def file_has_hashbang(file_lines):
-    if len(file_lines) < 1:
-        return False
-    if len(file_lines[0]) <= 2:
-        return False
-    return file_lines[0][:2] == '#!'
-
-def insert_script_header(filename, file_lines, start_year, end_year):
-    if file_has_hashbang(file_lines):
-        insert_idx = 1
-    else:
-        insert_idx = 0
-    header_lines = get_script_header_lines_to_insert(start_year, end_year)
-    for line in header_lines:
-        file_lines.insert(insert_idx, line)
-    write_file_lines(filename, file_lines)
-
-def insert_cpp_header(filename, file_lines, start_year, end_year):
-    file_lines.insert(0, '\n')
-    header_lines = get_cpp_header_lines_to_insert(start_year, end_year)
-    for line in header_lines:
-        file_lines.insert(0, line)
-    write_file_lines(filename, file_lines)
-
-def exec_insert_header(filename, style):
-    file_lines = read_file_lines(filename)
-    if file_already_has_core_copyright(file_lines):
-        sys.exit('*** %s already has a copyright by The Bitcoin Core developers'
-                 % (filename))
-    start_year, end_year = get_git_change_year_range(filename)
-    if style in ['python', 'shell']:
-        insert_script_header(filename, file_lines, start_year, end_year)
-    else:
-        insert_cpp_header(filename, file_lines, start_year, end_year)
-
-################################################################################
-# insert cmd
-################################################################################
-
-INSERT_USAGE = """
-Inserts a copyright header for "The Bitcoin Core developers" at the top of the
-file in either Python or C++ style as determined by the file extension. If the
-file is a Python file and it has a '#!' starting the first line, the header is
-inserted in the line below it.
-
-The copyright dates will be set to be:
-
-"<year_introduced>-<current_year>"
-
-where <year_introduced> is according to the 'git log' history. If
-<year_introduced> is equal to <current_year>, the date will be set to be:
-
-"<current_year>"
-
-If the file already has a copyright for "The Bitcoin Core developers", the
-script will exit.
-
-Usage:
-    $ ./copyright_header.py insert <file>
-
-Arguments:
-    <file> - A source file in the bitcoin repository.
-"""
-
-def insert_cmd(argv):
-    if len(argv) != 3:
-        sys.exit(INSERT_USAGE)
-
-    filename = argv[2]
-    if not os.path.isfile(filename):
-        sys.exit("*** bad filename: %s" % filename)
-    _, extension = os.path.splitext(filename)
-    if extension not in ['.h', '.cpp', '.cc', '.c', '.py', '.sh']:
-        sys.exit("*** cannot insert for file extension %s" % extension)
-
-    if extension == '.py':
-        style = 'python'
-    elif extension == '.sh':
-        style = 'shell'
-    else:
-        style = 'cpp'
-    exec_insert_header(filename, style)
-
-################################################################################
-# UI
-################################################################################
-
-USAGE = """
-copyright_header.py - utilities for managing copyright headers of 'The Bitcoin
-Core developers' in repository source files.
-
-Usage:
-    $ ./copyright_header <subcommand>
-
-Subcommands:
-    report
-    update
-    insert
-
-To see subcommand usage, run them without arguments.
-"""
-
-SUBCOMMANDS = ['report', 'update', 'insert']
-
-if __name__ == "__main__":
-    if len(sys.argv) == 1:
-        sys.exit(USAGE)
-    subcommand = sys.argv[1]
-    if subcommand not in SUBCOMMANDS:
-        sys.exit(USAGE)
-    if subcommand == 'report':
-        report_cmd(sys.argv)
-    elif subcommand == 'update':
-        update_cmd(sys.argv)
-    elif subcommand == 'insert':
-        insert_cmd(sys.argv)

contrib/devtools/deterministic-fuzz-coverage/Cargo.lock

@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "deterministic-fuzz-coverage"
+version = "0.1.0"

contrib/devtools/deterministic-fuzz-coverage/src/main.rs

@@ -2,89 +2,102 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or https://opensource.org/license/mit/.
 
+use std::collections::VecDeque;
 use std::env;
-use std::fs::{read_dir, File};
-use std::path::Path;
-use std::process::{exit, Command, Stdio};
+use std::fs::{read_dir, DirEntry, File};
+use std::path::{Path, PathBuf};
+use std::process::{Command, ExitCode};
 use std::str;
+use std::thread;
+
+/// A type for a complete and readable error message.
+type AppError = String;
+type AppResult = Result<(), AppError>;
 
 const LLVM_PROFDATA: &str = "llvm-profdata";
 const LLVM_COV: &str = "llvm-cov";
-const DIFF: &str = "diff";
+const GIT: &str = "git";
 
-fn exit_help(err: &str) -> ! {
-    eprintln!("Error: {}", err);
-    eprintln!();
-    eprintln!("Usage: program ./build_dir ./qa-assets-corpora-dir fuzz_target");
-    eprintln!();
-    eprintln!("Refer to the devtools/README.md for more details.");
-    exit(1)
+const DEFAULT_PAR: usize = 1;
+
+fn exit_help(err: &str) -> AppError {
+    format!(
+        r#"
+Error: {err}
+
+Usage: program ./build_dir ./qa-assets/fuzz_corpora fuzz_target_name [parallelism={DEFAULT_PAR}]
+
+Refer to the devtools/README.md for more details."#
+    )
 }
 
-fn sanity_check(corpora_dir: &Path, fuzz_exe: &Path) {
-    for tool in [LLVM_PROFDATA, LLVM_COV, DIFF] {
-        let output = Command::new(tool).arg("--version").output();
+fn sanity_check(corpora_dir: &Path, fuzz_exe: &Path) -> AppResult {
+    for tool in [LLVM_PROFDATA, LLVM_COV, GIT] {
+        let output = Command::new(tool).arg("--help").output();
         match output {
             Ok(output) if output.status.success() => {}
-            _ => {
-                exit_help(&format!("The tool {} is not installed", tool));
-            }
+            _ => Err(exit_help(&format!("The tool {tool} is not installed")))?,
         }
     }
     if !corpora_dir.is_dir() {
-        exit_help(&format!(
+        Err(exit_help(&format!(
             "Fuzz corpora path ({}) must be a directory",
             corpora_dir.display()
-        ));
+        )))?;
     }
     if !fuzz_exe.exists() {
-        exit_help(&format!(
+        Err(exit_help(&format!(
             "Fuzz executable ({}) not found",
             fuzz_exe.display()
-        ));
+        )))?;
     }
+    Ok(())
 }
 
-fn main() {
+fn app() -> AppResult {
     // Parse args
     let args = env::args().collect::<Vec<_>>();
-    let build_dir = args
-        .get(1)
-        .unwrap_or_else(|| exit_help("Must set build dir"));
+    let build_dir = args.get(1).ok_or(exit_help("Must set build dir"))?;
     if build_dir == "--help" {
-        exit_help("--help requested")
+        Err(exit_help("--help requested"))?;
     }
-    let corpora_dir = args
-        .get(2)
-        .unwrap_or_else(|| exit_help("Must set fuzz corpora dir"));
+    let corpora_dir = args.get(2).ok_or(exit_help("Must set fuzz corpora dir"))?;
     let fuzz_target = args
         .get(3)
         // Require fuzz target for now. In the future it could be optional and the tool could
         // iterate over all compiled fuzz targets
-        .unwrap_or_else(|| exit_help("Must set fuzz target"));
-    if args.get(4).is_some() {
-        exit_help("Too many args")
+        .ok_or(exit_help("Must set fuzz target"))?;
+    let par = match args.get(4) {
+        Some(s) => s
+            .parse::<usize>()
+            .map_err(|e| exit_help(&format!("Could not parse parallelism as usize ({s}): {e}")))?,
+        None => DEFAULT_PAR,
+    }
+    .max(1);
+    if args.get(5).is_some() {
+        Err(exit_help("Too many args"))?;
     }
 
     let build_dir = Path::new(build_dir);
     let corpora_dir = Path::new(corpora_dir);
-    let fuzz_exe = build_dir.join("src/test/fuzz/fuzz");
+    let fuzz_exe = build_dir.join("bin/fuzz");
 
-    sanity_check(corpora_dir, &fuzz_exe);
+    sanity_check(corpora_dir, &fuzz_exe)?;
 
-    deterministic_coverage(build_dir, corpora_dir, &fuzz_exe, fuzz_target);
+    deterministic_coverage(build_dir, corpora_dir, &fuzz_exe, fuzz_target, par)
 }
 
-fn using_libfuzzer(fuzz_exe: &Path) -> bool {
+fn using_libfuzzer(fuzz_exe: &Path) -> Result<bool, AppError> {
     println!("Check if using libFuzzer ...");
     let stderr = Command::new(fuzz_exe)
         .arg("-help=1") // Will be interpreted as option (libfuzzer) or as input file
         .env("FUZZ", "addition_overflow") // Any valid target
         .output()
-        .expect("fuzz failed")
+        .map_err(|e| format!("fuzz failed with {e}"))?
         .stderr;
-    let help_output = str::from_utf8(&stderr).expect("The -help=1 output must be valid text");
-    help_output.contains("libFuzzer")
+    let help_output = str::from_utf8(&stderr)
+        .map_err(|e| format!("The libFuzzer -help=1 output must be valid text ({e})"))?;
+    Ok(help_output.contains("libFuzzer"))
 }
 
 fn deterministic_coverage(
@@ -92,115 +105,177 @@ fn deterministic_coverage(
     corpora_dir: &Path,
     fuzz_exe: &Path,
     fuzz_target: &str,
-) {
-    let using_libfuzzer = using_libfuzzer(fuzz_exe);
-    let profraw_file = build_dir.join("fuzz_det_cov.profraw");
-    let profdata_file = build_dir.join("fuzz_det_cov.profdata");
+    par: usize,
+) -> AppResult {
+    let using_libfuzzer = using_libfuzzer(fuzz_exe)?;
+    if using_libfuzzer {
+        println!("Warning: The fuzz executable was compiled with libFuzzer as sanitizer.");
+        println!("This tool may be tripped by libFuzzer misbehavior.");
+        println!("It is recommended to compile without libFuzzer.");
+    }
     let corpus_dir = corpora_dir.join(fuzz_target);
     let mut entries = read_dir(&corpus_dir)
-        .unwrap_or_else(|err| {
+        .map_err(|err| {
             exit_help(&format!(
                 "The fuzz target's input directory must exist! ({}; {})",
                 corpus_dir.display(),
                 err
             ))
-        })
+        })?
         .map(|entry| entry.expect("IO error"))
         .collect::<Vec<_>>();
     entries.sort_by_key(|entry| entry.file_name());
-    let run_single = |run_id: u8, entry: &Path| {
-        let cov_txt_path = build_dir.join(format!("fuzz_det_cov.show.{run_id}.txt"));
-        assert!({
-            {
+    let run_single = |run_id: char, entry: &Path, thread_id: usize| -> Result<PathBuf, AppError> {
+        let cov_txt_path = build_dir.join(format!("fuzz_det_cov.show.t{thread_id}.{run_id}.txt"));
+        let profraw_file = build_dir.join(format!("fuzz_det_cov.t{thread_id}.{run_id}.profraw"));
+        let profdata_file = build_dir.join(format!("fuzz_det_cov.t{thread_id}.{run_id}.profdata"));
+        {
+            let output = {
                 let mut cmd = Command::new(fuzz_exe);
                 if using_libfuzzer {
-                    cmd.arg("-runs=1");
+                    cmd.args(["-runs=1", "-shuffle=1", "-prefer_small=0"]);
                 }
                 cmd
             }
             .env("LLVM_PROFILE_FILE", &profraw_file)
             .env("FUZZ", fuzz_target)
             .arg(entry)
-            .status()
-            .expect("fuzz failed")
-            .success()
-        });
-        assert!(Command::new(LLVM_PROFDATA)
+            .output()
+            .map_err(|e| format!("fuzz failed: {e}"))?;
+            if !output.status.success() {
+                Err(format!(
+                    "fuzz failed!\nstdout:\n{}\nstderr:\n{}\n",
+                    String::from_utf8_lossy(&output.stdout),
+                    String::from_utf8_lossy(&output.stderr)
+                ))?;
+            }
+        }
+        if !Command::new(LLVM_PROFDATA)
             .arg("merge")
             .arg("--sparse")
             .arg(&profraw_file)
             .arg("-o")
             .arg(&profdata_file)
             .status()
-            .expect("merge failed")
-            .success());
-        let cov_file = File::create(&cov_txt_path).expect("Failed to create coverage txt file");
-        let passed = Command::new(LLVM_COV)
+            .map_err(|e| format!("{LLVM_PROFDATA} merge failed with {e}"))?
+            .success()
+        {
+            Err(format!("{LLVM_PROFDATA} merge failed. This can be a sign of compiling without code coverage support."))?;
+        }
+        let cov_file = File::create(&cov_txt_path)
+            .map_err(|e| format!("Failed to create coverage txt file ({e})"))?;
+        if !Command::new(LLVM_COV)
             .args([
                 "show",
                 "--show-line-counts-or-regions",
                 "--show-branches=count",
                 "--show-expansions",
+                "--show-instantiation-summary",
+                "-Xdemangler=llvm-cxxfilt",
                 &format!("--instr-profile={}", profdata_file.display()),
             ])
             .arg(fuzz_exe)
-            .stdout(Stdio::from(cov_file))
+            .stdout(cov_file)
             .spawn()
-            .expect("Failed to execute llvm-cov")
+            .map_err(|e| format!("{LLVM_COV} show failed with {e}"))?
             .wait()
-            .expect("Failed to execute llvm-cov")
-            .success();
-        if !passed {
-            panic!("Failed to execute llvm-profdata")
-        }
-        cov_txt_path
+            .map_err(|e| format!("{LLVM_COV} show failed with {e}"))?
+            .success()
+        {
+            Err(format!("{LLVM_COV} show failed"))?;
+        };
+        Ok(cov_txt_path)
     };
-    let check_diff = |a: &Path, b: &Path, err: &str| {
-        let same = Command::new(DIFF)
-            .arg("--unified")
+    let check_diff = |a: &Path, b: &Path, err: &str| -> AppResult {
+        let same = Command::new(GIT)
+            .args(["--no-pager", "diff", "--no-index"])
             .arg(a)
             .arg(b)
             .status()
-            .expect("Failed to execute diff command")
+            .map_err(|e| format!("{GIT} diff failed with {e}"))?
             .success();
         if !same {
-            eprintln!();
-            eprintln!("The coverage was not determinstic between runs.");
-            eprintln!("{}", err);
-            eprintln!("Exiting.");
-            exit(1);
+            Err(format!(
+                r#"
+The coverage was not deterministic between runs.
+{err}"#
+            ))?;
         }
+        Ok(())
     };
-    // First, check that each fuzz input is determinisic running by itself in a process.
+    // First, check that each fuzz input is deterministic running by itself in a process.
     //
     // This can catch issues and isolate where a single fuzz input triggers non-determinism, but
     // all other fuzz inputs are deterministic.
     //
     // Also, This can catch issues where several fuzz inputs are non-deterministic, but the sum of
     // their overall coverage trace remains the same across runs and thus remains undetected.
-    for entry in entries {
+    println!(
+        "Check each fuzz input individually ... ({} inputs with parallelism {par})",
+        entries.len()
+    );
+    let check_individual = |entry: &DirEntry, thread_id: usize| -> AppResult {
         let entry = entry.path();
-        assert!(entry.is_file());
-        let cov_txt_base = run_single(0, &entry);
-        let cov_txt_repeat = run_single(1, &entry);
+        if !entry.is_file() {
+            Err(format!("{} should be a file", entry.display()))?;
+        }
+        let cov_txt_base = run_single('a', &entry, thread_id)?;
+        let cov_txt_repeat = run_single('b', &entry, thread_id)?;
         check_diff(
             &cov_txt_base,
             &cov_txt_repeat,
             &format!("The fuzz target input was {}.", entry.display()),
-        );
-    }
+        )?;
+        Ok(())
+    };
+    thread::scope(|s| -> AppResult {
+        let mut handles = VecDeque::with_capacity(par);
+        let mut res = Ok(());
+        for (i, entry) in entries.iter().enumerate() {
+            println!("[{}/{}]", i + 1, entries.len());
+            handles.push_back(s.spawn(move || check_individual(entry, i % par)));
+            while handles.len() >= par || i == (entries.len() - 1) || res.is_err() {
+                if let Some(th) = handles.pop_front() {
+                    let thread_result = match th.join() {
+                        Err(_e) => Err("A scoped thread panicked".to_string()),
+                        Ok(r) => r,
+                    };
+                    if thread_result.is_err() {
+                        res = thread_result;
+                    }
+                } else {
+                    return res;
+                }
+            }
+        }
+        res
+    })?;
     // Finally, check that running over all fuzz inputs in one process is deterministic as well.
     // This can catch issues where mutable global state is leaked from one fuzz input execution to
     // the next.
+    println!("Check all fuzz inputs in one go ...");
     {
-        assert!(corpus_dir.is_dir());
-        let cov_txt_base = run_single(0, &corpus_dir);
-        let cov_txt_repeat = run_single(1, &corpus_dir);
+        if !corpus_dir.is_dir() {
+            Err(format!("{} should be a folder", corpus_dir.display()))?;
+        }
+        let cov_txt_base = run_single('a', &corpus_dir, 0)?;
+        let cov_txt_repeat = run_single('b', &corpus_dir, 0)?;
         check_diff(
             &cov_txt_base,
             &cov_txt_repeat,
             &format!("All fuzz inputs in {} were used.", corpus_dir.display()),
-        );
+        )?;
+    }
+    println!("✨ Coverage test passed for {fuzz_target}. ✨");
+    Ok(())
+}
+
+fn main() -> ExitCode {
+    match app() {
+        Ok(()) => ExitCode::SUCCESS,
+        Err(err) => {
+            eprintln!("⚠️\n{err}");
+            ExitCode::FAILURE
+        }
     }
-    println!("Coverage test passed for {fuzz_target}.");
 }

contrib/devtools/deterministic-unittest-coverage/Cargo.lock

@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "deterministic-unittest-coverage"
+version = "0.1.0"

contrib/devtools/deterministic-unittest-coverage/Cargo.toml

@@ -0,0 +1,6 @@
+[package]
+name = "deterministic-unittest-coverage"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]

contrib/devtools/deterministic-unittest-coverage/src/main.rs

@@ -0,0 +1,149 @@
+// Copyright (c) The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or https://opensource.org/license/mit/.
+
+use std::env;
+use std::fs::File;
+use std::path::{Path, PathBuf};
+use std::process::{Command, ExitCode};
+use std::str;
+
+/// A type for a complete and readable error message.
+type AppError = String;
+type AppResult = Result<(), AppError>;
+
+const LLVM_PROFDATA: &str = "llvm-profdata";
+const LLVM_COV: &str = "llvm-cov";
+const GIT: &str = "git";
+
+fn exit_help(err: &str) -> AppError {
+    format!(
+        r#"
+Error: {err}
+
+Usage: program ./build_dir boost_unittest_filter
+
+Refer to the devtools/README.md for more details."#
+    )
+}
+
+fn sanity_check(test_exe: &Path) -> AppResult {
+    for tool in [LLVM_PROFDATA, LLVM_COV, GIT] {
+        let output = Command::new(tool).arg("--help").output();
+        match output {
+            Ok(output) if output.status.success() => {}
+            _ => Err(exit_help(&format!("The tool {tool} is not installed")))?,
+        }
+    }
+    if !test_exe.exists() {
+        Err(exit_help(&format!(
+            "Test executable ({}) not found",
+            test_exe.display()
+        )))?;
+    }
+    Ok(())
+}
+
+fn app() -> AppResult {
+    // Parse args
+    let args = env::args().collect::<Vec<_>>();
+    let build_dir = args.get(1).ok_or(exit_help("Must set build dir"))?;
+    if build_dir == "--help" {
+        Err(exit_help("--help requested"))?;
+    }
+    let filter = args
+        .get(2)
+        // Require filter for now. In the future it could be optional and the tool could provide a
+        // default filter.
+        .ok_or(exit_help("Must set boost test filter"))?;
+    if args.get(3).is_some() {
+        Err(exit_help("Too many args"))?;
+    }
+
+    let build_dir = Path::new(build_dir);
+    let test_exe = build_dir.join("bin/test_bitcoin");
+
+    sanity_check(&test_exe)?;
+
+    deterministic_coverage(build_dir, &test_exe, filter)
+}
+
+fn deterministic_coverage(build_dir: &Path, test_exe: &Path, filter: &str) -> AppResult {
+    let profraw_file = build_dir.join("test_det_cov.profraw");
+    let profdata_file = build_dir.join("test_det_cov.profdata");
+    let run_single = |run_id: char| -> Result<PathBuf, AppError> {
+        println!("Run with id {run_id}");
+        let cov_txt_path = build_dir.join(format!("test_det_cov.show.{run_id}.txt"));
+        if !Command::new(test_exe)
+            .env("LLVM_PROFILE_FILE", &profraw_file)
+            .env("BOOST_TEST_RUN_FILTERS", filter)
+            .env("RANDOM_CTX_SEED", "21")
+            .status()
+            .map_err(|e| format!("test failed with {e}"))?
+            .success()
+        {
+            Err("test failed".to_string())?;
+        }
+        if !Command::new(LLVM_PROFDATA)
+            .arg("merge")
+            .arg("--sparse")
+            .arg(&profraw_file)
+            .arg("-o")
+            .arg(&profdata_file)
+            .status()
+            .map_err(|e| format!("{LLVM_PROFDATA} merge failed with {e}"))?
+            .success()
+        {
+            Err(format!("{LLVM_PROFDATA} merge failed. This can be a sign of compiling without code coverage support."))?;
+        }
+        let cov_file = File::create(&cov_txt_path)
+            .map_err(|e| format!("Failed to create coverage txt file ({e})"))?;
+        if !Command::new(LLVM_COV)
+            .args([
+                "show",
+                "--show-line-counts-or-regions",
+                "--show-branches=count",
+                "--show-expansions",
+                "--show-instantiation-summary",
+                "-Xdemangler=llvm-cxxfilt",
+                &format!("--instr-profile={}", profdata_file.display()),
+            ])
+            .arg(test_exe)
+            .stdout(cov_file)
+            .status()
+            .map_err(|e| format!("{LLVM_COV} show failed with {e}"))?
+            .success()
+        {
+            Err(format!("{LLVM_COV} show failed"))?;
+        }
+        Ok(cov_txt_path)
+    };
+    let check_diff = |a: &Path, b: &Path| -> AppResult {
+        let same = Command::new(GIT)
+            .args(["--no-pager", "diff", "--no-index"])
+            .arg(a)
+            .arg(b)
+            .status()
+            .map_err(|e| format!("{GIT} diff failed with {e}"))?
+            .success();
+        if !same {
+            Err("The coverage was not deterministic between runs.".to_string())?;
+        }
+        Ok(())
+    };
+    let r0 = run_single('a')?;
+    let r1 = run_single('b')?;
+    check_diff(&r0, &r1)?;
+    println!("✨ The coverage was deterministic across two runs. ✨");
+    Ok(())
+}
+
+fn main() -> ExitCode {
+    match app() {
+        Ok(()) => ExitCode::SUCCESS,
+        Err(err) => {
+            eprintln!("⚠️\n{err}");
+            ExitCode::FAILURE
+        }
+    }
+}

contrib/devtools/gen-bitcoin-conf.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) 2021 The Bitcoin Core developers
+# Copyright (c) 2021-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
@@ -50,7 +50,8 @@ EOF
 # adding newlines is a bit funky to ensure portability for BSD
 # see here for more details: https://stackoverflow.com/a/24575385
 ${BITCOIND} --help \
-    | sed '1,/Print this help message and exit/d' \
+    | sed '1,/Options:/d' \
+    | sed -E '/^[[:space:]]{2}-help/,/^[[:space:]]*$/d' \
     | sed -E 's/^[[:space:]]{2}\-/#/' \
     | sed -E 's/^[[:space:]]{7}/# /' \
     | sed -E '/[=[:space:]]/!s/#.*$/&=1/' \

contrib/devtools/gen-manpages.py

@@ -1,14 +1,16 @@
 #!/usr/bin/env python3
-# Copyright (c) 2022 The Bitcoin Core developers
+# Copyright (c) 2022-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 import os
+import re
 import subprocess
 import sys
 import tempfile
 import argparse
 
 BINARIES = [
+'bin/bitcoin',
 'bin/bitcoind',
 'bin/bitcoin-cli',
 'bin/bitcoin-tx',
@@ -58,10 +60,11 @@ for relpath in BINARIES:
             print(f'{abspath} not found or not an executable', file=sys.stderr)
             sys.exit(1)
     # take first line (which must contain version)
-    verstr = r.stdout.splitlines()[0]
-    # last word of line is the actual version e.g. v22.99.0-5c6b3d5b3508
-    verstr = verstr.split()[-1]
-    assert verstr.startswith('v')
+    output = r.stdout.splitlines()[0]
+    # find the version e.g. v30.99.0-ce771726f3e7
+    search = re.search(r"v[0-9]\S+", output)
+    assert search
+    verstr = search.group(0)
     # remaining lines are copyright
     copyright = r.stdout.split('\n')[1:]
     assert copyright[0].startswith('Copyright (C)')

contrib/devtools/headerssync-params.py

@@ -5,20 +5,20 @@
 
 """Script to find the optimal parameters for the headerssync module through simulation."""
 
-from math import log, exp, sqrt
 from datetime import datetime, timedelta
+from math import log, exp, sqrt
 import random
 
 # Parameters:
 
 # Aim for still working fine at some point in the future. [datetime]
-TIME = datetime(2027, 10, 6)
+TIME = datetime(2028, 4, 2)
 
 # Expected block interval. [timedelta]
 BLOCK_INTERVAL = timedelta(seconds=600)
 
 # The number of headers corresponding to the minchainwork parameter. [headers]
-MINCHAINWORK_HEADERS = 886157
+MINCHAINWORK_HEADERS = 912683
 
 # Combined processing bandwidth from all attackers to one victim. [bit/s]
 # 6 Gbit/s is approximately the speed at which a single thread of a Ryzen 5950X CPU thread can hash
@@ -337,15 +337,15 @@ def analyze(when):
     attack_volume = NET_HEADER_SIZE * MINCHAINWORK_HEADERS
     # And report them.
     print()
-    print("Optimal configuration:")
+    print(f"Given current min chainwork headers of {MINCHAINWORK_HEADERS}, the optimal parameters for low")
+    print(f"memory usage on mainchain for release until {TIME:%Y-%m-%d} is:")
     print()
-    print("//! Store one header commitment per HEADER_COMMITMENT_PERIOD blocks.")
-    print(f"constexpr size_t HEADER_COMMITMENT_PERIOD{{{period}}};")
-    print()
-    print("//! Only feed headers to validation once this many headers on top have been")
-    print("//! received and validated against commitments.")
-    print(f"constexpr size_t REDOWNLOAD_BUFFER_SIZE{{{bufsize}}};"
+    print(f"        // Generated by headerssync-params.py on {datetime.today():%Y-%m-%d}.")
+    print( "        m_headers_sync_params = HeadersSyncParams{")
+    print(f"            .commitment_period = {period},")
+    print(f"            .redownload_buffer_size = {bufsize},"
           f" // {bufsize}/{period} = ~{bufsize/period:.1f} commitments")
+    print( "        };")
     print()
     print("Properties:")
     print(f"- Per-peer memory for mainchain sync: {mem_mainchain / 8192:.3f} KiB")

contrib/devtools/iwyu/bitcoin.core.imp

@@ -1,3 +1,20 @@
-# Nothing for now.
 [
+  # Compiler intrinsics.
+  # See: https://github.com/include-what-you-use/include-what-you-use/issues/1764.
+  { "include": [ "<emmintrin.h>", "private", "<immintrin.h>", "public" ] },
+  { "include": [ "<smmintrin.h>", "private", "<immintrin.h>", "public" ] },
+  { "include": [ "<tmmintrin.h>", "private", "<immintrin.h>", "public" ] },
+
+  # libc symbols.
+  { "symbol": ["AT_HWCAP", "private", "<sys/auxv.h>", "public"] },
+  { "symbol": ["AT_HWCAP2", "private", "<sys/auxv.h>", "public"] },
+
+  # Fixed in https://github.com/include-what-you-use/include-what-you-use/pull/1706.
+  { "symbol": ["SEEK_CUR", "private", "<cstdio>", "public"] },
+  { "symbol": ["SEEK_END", "private", "<cstdio>", "public"] },
+  { "symbol": ["SEEK_SET", "private", "<cstdio>", "public"] },
+
+  # IWYU bug.
+  # See: https://github.com/include-what-you-use/include-what-you-use/issues/1863.
+  { "symbol": ["std::vector", "private", "<vector>", "public"] },
 ]

contrib/devtools/test_deterministic_coverage.sh

@@ -1,151 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2019-2020 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-#
-# Test for deterministic coverage across unit test runs.
-
-export LC_ALL=C
-
-# Use GCOV_EXECUTABLE="gcov" if compiling with gcc.
-# Use GCOV_EXECUTABLE="llvm-cov gcov" if compiling with clang.
-GCOV_EXECUTABLE="gcov"
-
-# Disable tests known to cause non-deterministic behaviour and document the source or point of non-determinism.
-NON_DETERMINISTIC_TESTS=(
-    "blockfilter_index_tests/blockfilter_index_initial_sync"  # src/checkqueue.h: In CCheckQueue::Loop(): while (queue.empty()) { ... }
-    "coinselector_tests/knapsack_solver_test"                 # coinselector_tests.cpp: if (equal_sets(setCoinsRet, setCoinsRet2))
-    "fs_tests/fsbridge_fstream"                               # deterministic test failure?
-    "miner_tests/CreateNewBlock_validity"                     # validation.cpp: if (signals.CallbacksPending() > 10)
-    "scheduler_tests/manythreads"                             # scheduler.cpp: CScheduler::serviceQueue()
-    "scheduler_tests/singlethreadedscheduler_ordered"         # scheduler.cpp: CScheduler::serviceQueue()
-    "txvalidationcache_tests/checkinputs_test"                # validation.cpp: if (signals.CallbacksPending() > 10)
-    "txvalidationcache_tests/tx_mempool_block_doublespend"    # validation.cpp: if (signals.CallbacksPending() > 10)
-    "txindex_tests/txindex_initial_sync"                      # validation.cpp: if (signals.CallbacksPending() > 10)
-    "txvalidation_tests/tx_mempool_reject_coinbase"           # validation.cpp: if (signals.CallbacksPending() > 10)
-    "validation_block_tests/processnewblock_signals_ordering" # validation.cpp: if (signals.CallbacksPending() > 10)
-    "wallet_tests/coin_mark_dirty_immature_credit"            # validation.cpp: if (signals.CallbacksPending() > 10)
-    "wallet_tests/dummy_input_size_test"                      # validation.cpp: if (signals.CallbacksPending() > 10)
-    "wallet_tests/importmulti_rescan"                         # validation.cpp: if (signals.CallbacksPending() > 10)
-    "wallet_tests/importwallet_rescan"                        # validation.cpp: if (signals.CallbacksPending() > 10)
-    "wallet_tests/ListCoins"                                  # validation.cpp: if (signals.CallbacksPending() > 10)
-    "wallet_tests/scan_for_wallet_transactions"               # validation.cpp: if (signals.CallbacksPending() > 10)
-    "wallet_tests/wallet_disableprivkeys"                     # validation.cpp: if (signals.CallbacksPending() > 10)
-)
-
-TEST_BITCOIN_BINARY="src/test/test_bitcoin"
-
-print_usage() {
-    echo "Usage: $0 [custom test filter (default: all but known non-deterministic tests)] [number of test runs (default: 2)]"
-}
-
-N_TEST_RUNS=2
-BOOST_TEST_RUN_FILTERS=""
-if [[ $# != 0 ]]; then
-    if [[ $1 == "--help" ]]; then
-        print_usage
-        exit
-    fi
-    PARSED_ARGUMENTS=0
-    if [[ $1 =~ [a-z] ]]; then
-        BOOST_TEST_RUN_FILTERS=$1
-        PARSED_ARGUMENTS=$((PARSED_ARGUMENTS + 1))
-        shift
-    fi
-    if [[ $1 =~ ^[0-9]+$ ]]; then
-        N_TEST_RUNS=$1
-        PARSED_ARGUMENTS=$((PARSED_ARGUMENTS + 1))
-        shift
-    fi
-    if [[ ${PARSED_ARGUMENTS} == 0 || $# -gt 2 || ${N_TEST_RUNS} -lt 2 ]]; then
-        print_usage
-        exit
-    fi
-fi
-if [[ ${BOOST_TEST_RUN_FILTERS} == "" ]]; then
-    BOOST_TEST_RUN_FILTERS="$(IFS=":"; echo "!${NON_DETERMINISTIC_TESTS[*]}" | sed 's/:/:!/g')"
-else
-    echo "Using Boost test filter: ${BOOST_TEST_RUN_FILTERS}"
-    echo
-fi
-
-if ! command -v gcov > /dev/null; then
-    echo "Error: gcov not installed. Exiting."
-    exit 1
-fi
-
-if ! command -v gcovr > /dev/null; then
-    echo "Error: gcovr not installed. Exiting."
-    exit 1
-fi
-
-if [[ ! -e ${TEST_BITCOIN_BINARY} ]]; then
-    echo "Error: Executable ${TEST_BITCOIN_BINARY} not found. Run \"cmake -B build -DCMAKE_BUILD_TYPE=Coverage\" and compile."
-    exit 1
-fi
-
-get_file_suffix_count() {
-    find src/ -type f -name "*.$1" | wc -l
-}
-
-if [[ $(get_file_suffix_count gcno) == 0 ]]; then
-    echo "Error: Could not find any *.gcno files. The *.gcno files are generated by the compiler. Run \"cmake -B build -DCMAKE_BUILD_TYPE=Coverage\" and re-compile."
-    exit 1
-fi
-
-get_covr_filename() {
-    echo "gcovr.run-$1.txt"
-}
-
-TEST_RUN_ID=0
-while [[ ${TEST_RUN_ID} -lt ${N_TEST_RUNS} ]]; do
-    TEST_RUN_ID=$((TEST_RUN_ID + 1))
-    echo "[$(date +"%Y-%m-%d %H:%M:%S")] Measuring coverage, run #${TEST_RUN_ID} of ${N_TEST_RUNS}"
-    find src/ -type f -name "*.gcda" -exec rm {} \;
-    if [[ $(get_file_suffix_count gcda) != 0 ]]; then
-        echo "Error: Stale *.gcda files found. Exiting."
-        exit 1
-    fi
-    TEST_OUTPUT_TEMPFILE=$(mktemp)
-    if ! BOOST_TEST_RUN_FILTERS="${BOOST_TEST_RUN_FILTERS}" ${TEST_BITCOIN_BINARY} > "${TEST_OUTPUT_TEMPFILE}" 2>&1; then
-        cat "${TEST_OUTPUT_TEMPFILE}"
-        rm "${TEST_OUTPUT_TEMPFILE}"
-        exit 1
-    fi
-    rm "${TEST_OUTPUT_TEMPFILE}"
-    if [[ $(get_file_suffix_count gcda) == 0 ]]; then
-        echo "Error: Running the test suite did not create any *.gcda files. The gcda files are generated when the instrumented test programs are executed. Run \"cmake -B build -DCMAKE_BUILD_TYPE=Coverage\" and re-compile."
-        exit 1
-    fi
-    GCOVR_TEMPFILE=$(mktemp)
-    if ! gcovr --gcov-executable "${GCOV_EXECUTABLE}" -r src/ > "${GCOVR_TEMPFILE}"; then
-        echo "Error: gcovr failed. Output written to ${GCOVR_TEMPFILE}. Exiting."
-        exit 1
-    fi
-    GCOVR_FILENAME=$(get_covr_filename ${TEST_RUN_ID})
-    mv "${GCOVR_TEMPFILE}" "${GCOVR_FILENAME}"
-    if grep -E "^TOTAL *0 *0 " "${GCOVR_FILENAME}"; then
-        echo "Error: Spurious gcovr output. Make sure the correct GCOV_EXECUTABLE variable is set in $0 (\"gcov\" for gcc, \"llvm-cov gcov\" for clang)."
-        exit 1
-    fi
-    if [[ ${TEST_RUN_ID} != 1 ]]; then
-        COVERAGE_DIFF=$(diff -u "$(get_covr_filename 1)" "${GCOVR_FILENAME}")
-        if [[ ${COVERAGE_DIFF} != "" ]]; then
-            echo
-            echo "The line coverage is non-deterministic between runs. Exiting."
-            echo
-            echo "The test suite must be deterministic in the sense that the set of lines executed at least"
-            echo "once must be identical between runs. This is a necessary condition for meaningful"
-            echo "coverage measuring."
-            echo
-            echo "${COVERAGE_DIFF}"
-            exit 1
-        fi
-        rm "${GCOVR_FILENAME}"
-    fi
-done
-
-echo
-echo "Coverage test passed: Deterministic coverage across ${N_TEST_RUNS} runs."
-exit

contrib/devtools/utils.py

@@ -1,21 +0,0 @@
-#!/usr/bin/env python3
-# Copyright (c) 2021 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-'''
-Common utility functions
-'''
-import shutil
-import sys
-import os
-
-
-def determine_wellknown_cmd(envvar, progname) -> list[str]:
-    maybe_env = os.getenv(envvar)
-    maybe_which = shutil.which(progname)
-    if maybe_env:
-        return maybe_env.split(' ')  # Well-known vars are often meant to be word-split
-    elif maybe_which:
-        return [ maybe_which ]
-    else:
-        sys.exit(f"{progname} not found")

contrib/filter-lcov.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2017-2020 The Bitcoin Core developers
+# Copyright (c) 2017-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
@@ -16,8 +16,8 @@ pattern = args.pattern
 outfile = args.outfile
 
 in_remove = False
-with open(tracefile, 'r', encoding="utf8") as f:
-    with open(outfile, 'w', encoding="utf8") as wf:
+with open(tracefile, 'r') as f:
+    with open(outfile, 'w') as wf:
         for line in f:
             for p in pattern:
                 if line.startswith("SF:") and p in line: