build: update and shrink build images, migrate to clang 19 (#3771)

* build: migrate clang 17 -> 19

This matches Rust 1.84, but libdatadog recently introduced a flag
which was introduced in this version. Although this should not cause
a hard failure and libdatadog should be patched, it's also a good
idea to upgrade.

* ci: avoid interactive mode for docker login

* ci: -u must come before --pasword-stdin

* build: drop LLVM components that need python, drop protobuf

* build: shrink centos-7 base image by ~2.4 GB

- Exclude kernel-core, kernel-modules, linux-firmware globally via yum.conf
  (~183 MB; these are useless in containers)
- Move devtoolset-9 into the LLVM RUN layer and remove it afterward (~196 MB)
- Build LLVM with CLANG_BUILD_TOOLS=OFF and LLVM_INSTALL_TOOLCHAIN_ONLY=ON
  to skip building unused tools (~1.3 GB)
- Remove LLVM internal C++ headers and cmake config dirs post-install (~54 MB)
- Add --disable-static to libxml2, libffi, oniguruma, curl, sqlite3 configure
- Remove .a static archives from openssl and zlib after install
- Fix catch2 build/source cleanup (cd - && rm -fr build was a no-op)
- Remove cmake Help docs and man pages post-install (~10 MB)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* build: bump PHP versions across CI images

- PHP 8.5: RC3 -> 8.5.4 (stable) across centos-7, bookworm
- PHP 8.4: 8.4.1/8.4.16 -> 8.4.19 across centos-7, bookworm
- PHP 8.3: 8.3.14/8.3.29 -> 8.3.30 across centos-7, bookworm
- PHP 8.2: 8.2.26/8.2.28 -> 8.2.30 across centos-7, bookworm
- PHP 8.1: 8.1.8/8.1.31 -> 8.1.32 across centos-6, centos-7
- PHP 8.0: 8.0.15/8.0.21/8.0.27 -> 8.0.30 across centos-6, centos-7, alpine
- PHP 7.4: 7.4.30 -> 7.4.33 on centos-6

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: drop ccmake, cpack, ctest

* build: pin sqlsrv and grpc PECL versions for PHP compatibility

- sqlsrv 5.13.0 raised minimum to PHP 8.3; pin PHP 8.1-8.2 to 5.12.0
- grpc 1.80.0 uses EG(max_allowed_stack_size) gated on PHP_VERSION_ID>=80300
  but the field is absent in ASan builds because the ZEND_CHECK_STACK_LIMIT
  autoconf test cannot execute sanitized binaries during configure; pin to
  1.78.0 which predates that change

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* build: patch PHP 8.5 to disable preserve_none under ASan

preserve_none + -fsanitize=address crashes clang 19+ on x86-64
(llvm/llvm-project#95928). Apply a patch at source-tree build time
that guards ZEND_PRESERVE_NONE with __has_feature(address_sanitizer),
following the fix pattern from llvm-project commit 996157c.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* build: silence make recipe output in bookworm PHP builds

Adds -s (silent) to all make invocations in build-php.sh and to
MAKEFLAGS in build-extensions.sh (which covers pecl installs too).
Compiler errors still print via stderr; only the cc/ld recipe lines
are suppressed. Reduces log volume significantly given parallel stages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* build: bump CI images from bookworm-6/5 to bookworm-7

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* build: update clang/llvm references from 17 to 19

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(centos-7): restore ctest, update clang/llvm/clang-tidy 17 → 19

ctest is required by the appsec C components ASAN job (make test calls
ctest internally). cpack remains removed as it is genuinely unused.

Also updates clang-tidy, llvm-cov, llvm-profdata, clang-format, and
libc++ references from version 17 to 19 in appsec CI and cmake config.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: put bookworm next down to 7 in case I need to rebuild

* fix: update remaining llvm17/clang17 references to 19

- Alpine compile extension image: llvm17-libs/clang17-dev/llvm17 → 19
- build-profiler.sh, generate-profiler.php, build-debug-artifact:
  Alpine aarch64 clang symlink llvm17 → llvm19
- appsec/cmake/clang-format.cmake: llvm@17 → llvm@19
- centos-7 base.Dockerfile: remove -DCLANG_BUILD_TOOLS=OFF which
  prevented the clang binary itself from being built/installed,
  leaving broken symlinks and breaking bindgen

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(appsec): find fuzzer runtime lib in Debian's linux/ layout

Newer clang versions return a per-target path from -print-runtime-dir
(e.g. .../lib/x86_64-pc-linux-gnu) but Debian/Ubuntu packages install
compiler-rt runtime libs in a sibling "linux/" directory. Add that as a
fallback search path for both find_library and target_link_directories.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(appsec): pass __VA_ARGS__ through CONFIG to SYSCFG to avoid empty variadic

clang 19 with -Werror,-Wc23-extensions rejects calling a variadic macro
with no argument for '...'. CONFIG's body called SYSCFG(type, name) with
only 2 args. Pass CONFIG's own __VA_ARGS__ through instead — CONFIG is
always called with at least a default value, so the variadic arg is never
empty. SYSCFG ignores the extra args in this context anyway.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* style(appsec): clang-format-19 helper sources

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: bump bookworm NEXT version to 8

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: revert CentOS 6 changes to avoid appearing that it's maintained

* fix(appsec): address clang-tidy 19 new checks

- acceptor.cpp: use designated initializer for timeval (layout is
  system-dependent, so positional init is unsafe)
- extension/.clang-tidy: suppress checks new in clang-tidy 19 that fire
  on pre-existing C code (math-missing-parentheses, macro-to-enum,
  multi-level-implicit-pointer-conversion, redundant-casting)
- helper/.clang-tidy: suppress modernize-use-designated-initializers for
  internal structs where positional init is unambiguous

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(appsec): separate void return from call expression in waf.cpp

clang-tidy 19 readability-avoid-return-with-void-value rejects
returning the result of a void function call.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci(appsec): revert clang-19 migration, keep clang-17, bump to bookworm-7

Reverts all appsec source/config changes that were made to accommodate
clang-19 warnings and formatting. Appsec jobs stay on clang-17 for now.
Bumps appsec CI image from bookworm-6 to bookworm-7.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci(appsec): revert bookworm-7, keep bookworm-6

bookworm-7 only ships clang-19 in its apt repo; appsec jobs still
need clang-17 so stay on bookworm-6 for now.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: xfail ext/sockets/tests/gh21161.phpt on PHP 8.4 and 8.5

The test lacks a SKIPIF guard for IPv6 availability. In CI (Kubernetes
pods), IPv6 is unavailable so socket_create() returns false, causing a
TypeError instead of the expected warnings.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: suppress ASAN stack-use-after-return in sandbox observer bailout

zai_reset_observed_frame_post_bailout (PHP 8.0/8.1) calls
zend_observer_fcall_end_all after a sandbox bailout. At that point
current_observed_frame may point to a dummy_execute_data that was
stack-allocated inside zend_call_function and already freed by the
unwind. PHP 8.2+ is safe via zai_set_observed_frame(NULL).

Suppress for the "multiple observers" ASAN job while Bob investigates
a proper fix in zai_reset_observed_frame_post_bailout.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: suppress sandbox observer ASAN error in ZAI tests too

Same stack-use-after-return in zai_reset_observed_frame_post_bailout
seen in Zend Abstract Interface Tests with debug-zts-asan.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: use detect_stack_use_after_return=0 to suppress sandbox observer ASAN error

ASAN suppression files don't support fun: entries; that's TSan/LSan format.
Use detect_stack_use_after_return=0 in the affected jobs instead.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: morrisonlevi

.github/workflows/prof_asan.yml

@@ -16,7 +16,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       RUST_TOOLCHAIN: nightly-2025-06-13
     container:
-      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-6
+      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-7
       # https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
       options: --user root --privileged
 
@@ -49,7 +49,7 @@ jobs:
           set -eux
           switch-php nts-asan
           cd profiling
-          export CC=clang-17
+          export CC=clang-19
           export CFLAGS='-fsanitize=address  -fno-omit-frame-pointer'
           export LDFLAGS='-fsanitize=address -shared-libasan'
           export RUSTC_LINKER=lld-17

.gitlab/build-profiler.sh

@@ -17,7 +17,7 @@ fi
 #  /usr/lib/llvm20/lib/clang/20/include/arm_neon.h:6374:25: error: incompatible constant for this __builtin_neon function
 # etc.
 if [ -f /sbin/apk ] && [ $(uname -m) = "aarch64" ]; then
-    ln -sf ../lib/llvm17/bin/clang /usr/bin/clang
+    ln -sf ../lib/llvm19/bin/clang /usr/bin/clang
 fi
 
 set -u

.gitlab/ci-images.yml

@@ -34,7 +34,7 @@ CentOS:
         - php-7.0
   script:
     - cd dockerfiles/ci/centos/7
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_TOKEN" $CI_REGISTRY
+    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
     - docker buildx bake --no-cache --pull --push $PHP_VERSION
 
 Alpine:
@@ -63,7 +63,7 @@ Alpine:
         - 7.0-alpine
   script:
     - cd dockerfiles/ci/alpine_compile_extension
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_TOKEN" $CI_REGISTRY
+    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
     - docker buildx bake --no-cache --pull --push $PHP_VERSION
 
 Bookworm:
@@ -94,7 +94,7 @@ Bookworm:
         - php-7.0
   script:
     - cd dockerfiles/ci/bookworm
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_TOKEN" $CI_REGISTRY
+    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
     - docker buildx bake --no-cache --pull --push $PHP_VERSION
 
 Buster:
@@ -125,5 +125,5 @@ Buster:
         - php-7.0
   script:
     - cd dockerfiles/ci/buster
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_TOKEN" $CI_REGISTRY
+    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
     - docker buildx bake --no-cache --pull --push $PHP_VERSION

.gitlab/generate-package.php

@@ -48,13 +48,13 @@
 $asan_build_platforms = [
     [
         "triplet" => "x86_64-unknown-linux-gnu",
-        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-6",
+        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-7",
         "arch" => "amd64",
         "host_os" => "linux-gnu",
     ],
     [
         "triplet" => "aarch64-unknown-linux-gnu",
-        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-6",
+        "image_template" => "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-%s_bookworm-7",
         "arch" => "arm64",
         "host_os" => "linux-gnu",
     ]
@@ -319,7 +319,7 @@
 
 "pecl build":
   stage: tracing
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-6"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-7"
   tags: [ "arch:amd64" ]
   needs: [ "prepare code" ]
   script:
@@ -369,7 +369,7 @@
 <?php foreach ($arch_targets as $arch): ?>
 "aggregate tracing extension: [<?= $arch ?>]":
   stage: tracing
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-6"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-7.4_bookworm-7"
   tags: [ "arch:amd64" ]
   script: ls ./
   variables:
@@ -1136,7 +1136,7 @@
 
 "pecl tests":
   stage: verify
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_VERSION}_bookworm-6"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_VERSION}_bookworm-7"
   tags: [ "arch:amd64" ]
   services:
     - !reference [.services, request-replayer]
@@ -1307,7 +1307,7 @@
   variables:
     VALGRIND: false
     ARCH: "<?= $arch ?>"
-    CONTAINER_SUFFIX: bookworm-6
+    CONTAINER_SUFFIX: bookworm-7
   needs:
     - job: "package loader: [<?= $arch ?>]"
       artifacts: true

.gitlab/generate-profiler.php

@@ -43,7 +43,7 @@
         IMAGE_SUFFIX: _centos-7
   script:
     - if [ -d '/opt/rh/devtoolset-7' ]; then set +eo pipefail; source scl_source enable devtoolset-7; set -eo pipefail; fi
-    - if [ -f /sbin/apk ] && [ $(uname -m) = "aarch64" ]; then ln -sf ../lib/llvm17/bin/clang /usr/bin/clang; fi
+    - if [ -f /sbin/apk ] && [ $(uname -m) = "aarch64" ]; then ln -sf ../lib/llvm19/bin/clang /usr/bin/clang; fi
 
     - cd profiling
     - 'echo "nproc: $(nproc)"'
@@ -82,7 +82,7 @@
 "clippy NTS":
   stage: test
   tags: [ "arch:amd64" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-6
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7
   variables:
     KUBERNETES_CPU_REQUEST: 5
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -101,7 +101,7 @@
 "Cargo test":
   stage: test
   tags: [ "arch:amd64" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.5_bookworm-5
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.5_bookworm-7
   variables:
     KUBERNETES_CPU_REQUEST: 5
     KUBERNETES_MEMORY_REQUEST: 3Gi

.gitlab/generate-shared.php

@@ -21,7 +21,7 @@
       - IMAGE:
         - "datadog/dd-trace-ci:centos-7"
         - "datadog/dd-trace-ci:php-compile-extension-alpine"
-        - "datadog/dd-trace-ci:bookworm-6"
+        - "datadog/dd-trace-ci:bookworm-7"
   script:
     - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi
     - if [ -d "/opt/catch2" ]; then export CMAKE_PREFIX_PATH=/opt/catch2; fi
@@ -45,7 +45,7 @@
 "C components UBSAN":
   tags: [ "arch:amd64" ]
   stage: test
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-6"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-7"
   needs: []
   script:
     - if [ -f "/opt/libuv/lib/pkgconfig/libuv.pc" ]; then export PKG_CONFIG_PATH="/opt/libuv/lib/pkgconfig:$PKG_CONFIG_PATH"; fi
@@ -69,7 +69,7 @@
 "Build & Test Tea":
   tags: [ "arch:amd64" ]
   stage: build
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-6"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7"
   parallel:
     matrix:
       - PHP_MAJOR_MINOR: *no_asan_minor_major_targets
@@ -98,7 +98,7 @@
 .tea_test:
   tags: [ "arch:amd64" ]
   stage: test
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-6"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7"
   interruptible: true
   rules:
     - if: $CI_COMMIT_BRANCH == "master"
@@ -122,7 +122,7 @@
   needs: []
   variables:
     PHP_MAJOR_MINOR: "<?= $all_minor_major_targets[count($all_minor_major_targets) - 1] ?>"
-  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-6"
+  image: "registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7"
   script:
     - |
       if ! command -v cc >/dev/null 2>&1 && ! command -v clang >/dev/null 2>&1 && ! command -v gcc >/dev/null 2>&1; then
@@ -157,6 +157,9 @@
   extends: .tea_test
   variables:
     PHP_MAJOR_MINOR: "<?= $major_minor ?>"
+<?php if ($switch_php_version == "debug-zts-asan"): ?>
+    ASAN_OPTIONS: "detect_stack_use_after_return=0"
+<?php endif; ?>
   needs:
     - job: "Build & Test Tea"
       parallel:

.gitlab/generate-tracer.php

@@ -67,7 +67,7 @@ function before_script_steps($with_docker_auth = false) {
 "compile extension: debug":
   stage: compile
   tags: [ "arch:${ARCH}" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-6
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7
   parallel:
     matrix:
       - PHP_MAJOR_MINOR: *all_minor_major_targets
@@ -187,7 +187,7 @@ function before_script_steps($with_docker_auth = false) {
 .base_test:
   stage: test
   tags: [ "arch:${ARCH}" ]
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-6
+  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-7
   timeout: 60m
   interruptible: true
   rules:
@@ -311,6 +311,7 @@ function before_script_steps($with_docker_auth = false) {
     PHP_MAJOR_MINOR: "<?= $major_minor ?>"
     ARCH: "amd64"
     TEST_PHP_JUNIT: "${CI_PROJECT_DIR}/tmp/build_extension/artifacts/tests/php-tests.xml"
+    ASAN_OPTIONS: "abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1:detect_stack_use_after_return=0"
   script:
     - mkdir -p "${CI_PROJECT_DIR}/tmp/build_extension/artifacts/tests"
     - make test_c_observer

appsec/cmake/clang-format.cmake

@@ -1,9 +1,9 @@
-set(_LLVM17_FORMAT /opt/homebrew/opt/llvm@17/bin/clang-format)
-if(EXISTS ${_LLVM17_FORMAT})
-    set(CLANG_FORMAT ${_LLVM17_FORMAT})
-    message(STATUS "Using Homebrew LLVM 17 clang-format: ${CLANG_FORMAT}")
+set(_LLVM19_FORMAT /opt/homebrew/opt/llvm@19/bin/clang-format)
+if(EXISTS ${_LLVM19_FORMAT})
+    set(CLANG_FORMAT ${_LLVM19_FORMAT})
+    message(STATUS "Using Homebrew LLVM 19 clang-format: ${CLANG_FORMAT}")
 else()
-    find_program(_CF_VERSIONED clang-format-17)
+    find_program(_CF_VERSIONED clang-format-19)
     if(NOT _CF_VERSIONED STREQUAL _CF_VERSIONED-NOTFOUND)
         set(CLANG_FORMAT ${_CF_VERSIONED})
     else()
@@ -14,15 +14,15 @@ else()
                 OUTPUT_VARIABLE _CF_VERSION
                 OUTPUT_STRIP_TRAILING_WHITESPACE
                 ERROR_QUIET)
-            if(_CF_VERSION MATCHES " 17\\.")
+            if(_CF_VERSION MATCHES " 19\\.")
                 set(CLANG_FORMAT ${_CF_UNVERSIONED})
             endif()
         endif()
     endif()
     if(NOT CLANG_FORMAT)
         set(CLANG_FORMAT ${CMAKE_CURRENT_LIST_DIR}/clang-tools/clang-format)
         if(NOT EXISTS ${CLANG_FORMAT})
-            message(STATUS "Cannot find clang-format version 17, either set CLANG_FORMAT or make it discoverable")
+            message(STATUS "Cannot find clang-format version 19, either set CLANG_FORMAT or make it discoverable")
             return()
         endif()
         message(STATUS "Using Docker-based clang-format wrapper: ${CLANG_FORMAT}")

appsec/cmake/clang-tidy.cmake

@@ -1,17 +1,17 @@
-# Prefer a locally installed LLVM 17 run-clang-tidy (e.g. via brew install llvm@17)
+# Prefer a locally installed LLVM 19 run-clang-tidy (e.g. via brew install llvm@19)
 # over the Docker-based wrapper, since native execution avoids SDK incompatibilities.
-set(_LLVM17_BIN /opt/homebrew/opt/llvm@17/bin)
-set(_LLVM17_TIDY ${_LLVM17_BIN}/run-clang-tidy)
+set(_LLVM19_BIN /opt/homebrew/opt/llvm@19/bin)
+set(_LLVM19_TIDY ${_LLVM19_BIN}/run-clang-tidy)
 set(CLANG_TIDY_BINARY_OPT "")
-if(EXISTS ${_LLVM17_TIDY})
-    set(CLANG_TIDY ${_LLVM17_TIDY})
-    set(CLANG_TIDY_BINARY_OPT -clang-tidy-binary ${_LLVM17_BIN}/clang-tidy)
-    message(STATUS "Using Homebrew LLVM 17 run-clang-tidy: ${CLANG_TIDY}")
+if(EXISTS ${_LLVM19_TIDY})
+    set(CLANG_TIDY ${_LLVM19_TIDY})
+    set(CLANG_TIDY_BINARY_OPT -clang-tidy-binary ${_LLVM19_BIN}/clang-tidy)
+    message(STATUS "Using Homebrew LLVM 19 run-clang-tidy: ${CLANG_TIDY}")
 else()
-    find_program(_RCT_VERSIONED run-clang-tidy-17)
+    find_program(_RCT_VERSIONED run-clang-tidy-19)
     if(NOT _RCT_VERSIONED STREQUAL _RCT_VERSIONED-NOTFOUND)
         set(CLANG_TIDY ${_RCT_VERSIONED})
-        find_program(_CT_VERSIONED clang-tidy-17)
+        find_program(_CT_VERSIONED clang-tidy-19)
         if(NOT _CT_VERSIONED STREQUAL _CT_VERSIONED-NOTFOUND)
             set(CLANG_TIDY_BINARY_OPT -clang-tidy-binary ${_CT_VERSIONED})
         endif()
@@ -37,7 +37,7 @@ else()
     if(NOT CLANG_TIDY)
         set(CLANG_TIDY ${CMAKE_CURRENT_LIST_DIR}/clang-tools/run-clang-tidy)
         if(NOT EXISTS ${CLANG_TIDY})
-            message(STATUS "Cannot find clang-tidy version 17, either set CLANG_TIDY or make it discoverable")
+            message(STATUS "Cannot find clang-tidy version 19, either set CLANG_TIDY or make it discoverable")
             return()
         endif()
         message(STATUS "Using Docker-based run-clang-tidy wrapper: ${CLANG_TIDY}")

appsec/tests/fuzzer/CMakeLists.txt

@@ -19,20 +19,24 @@ if (CMAKE_CXX_COMPILER_ID STREQUAL "Clang" AND CMAKE_CXX_COMPILER_VERSION VERSIO
         OUTPUT_VARIABLE LLVM_RUNTIME_DIR
         OUTPUT_STRIP_TRAILING_WHITESPACE
     )
+    # Newer clang versions return a per-target path (e.g. .../lib/x86_64-pc-linux-gnu) but
+    # Debian/Ubuntu packages install runtime libs in the sibling "linux" directory.
+    get_filename_component(LLVM_RUNTIME_PARENT "${LLVM_RUNTIME_DIR}" DIRECTORY)
+    set(LLVM_RUNTIME_LINUX_DIR "${LLVM_RUNTIME_PARENT}/linux")
 
     execute_process(COMMAND uname -m COMMAND tr -d '\n' OUTPUT_VARIABLE ARCHITECTURE)
     target_compile_definitions(ddappsec_helper_fuzzer PUBLIC ZLIB_CONST=1)
-    target_link_directories(ddappsec_helper_fuzzer PRIVATE ${LLVM_RUNTIME_DIR})
+    target_link_directories(ddappsec_helper_fuzzer PRIVATE ${LLVM_RUNTIME_DIR} ${LLVM_RUNTIME_LINUX_DIR})
     target_link_libraries(ddappsec_helper_fuzzer PRIVATE
         libddwaf_objects pthread spdlog cpp-base64 msgpack_c rapidjson_appsec
         boost_system zlibstatic)
 
     set(FUZZER_LIB_NAME "libclang_rt.fuzzer_no_main-${ARCHITECTURE}.a")
-    find_library(FUZZER_LIB ${FUZZER_LIB_NAME} PATHS ${LLVM_RUNTIME_DIR})
+    find_library(FUZZER_LIB ${FUZZER_LIB_NAME} PATHS ${LLVM_RUNTIME_DIR} ${LLVM_RUNTIME_LINUX_DIR})
 
     if(NOT FUZZER_LIB)
         set(FUZZER_LIB_NAME_FALLBACK "libclang_rt.fuzzer_no_main.a")
-        find_library(FUZZER_LIB ${FUZZER_LIB_NAME_FALLBACK} PATHS ${LLVM_RUNTIME_DIR})
+        find_library(FUZZER_LIB ${FUZZER_LIB_NAME_FALLBACK} PATHS ${LLVM_RUNTIME_DIR} ${LLVM_RUNTIME_LINUX_DIR})
     endif()
 
     if(NOT FUZZER_LIB)