feat: LLVM 16 + New Pass Manager + C++17 migration + TestComp 2026 checkpoint

.clang-tidy

@@ -0,0 +1,36 @@
+# ============================================================
+# clang-tidy configuration for Map2Check
+#
+# Focus on security-relevant checks for C/C++ code:
+# - clang-analyzer-*: deep static analysis (null deref, buffer overflow, etc.)
+# - bugprone-*: common bug patterns
+# - performance-*: performance anti-patterns
+# - modernize-*: C++17 modernization
+#
+# Phase 1.5 — OpenSSF Best Practices Badge
+# ============================================================
+
+Checks: >
+  -*,
+  clang-analyzer-*,
+  -clang-analyzer-cplusplus.NewDeleteLeaks,
+  -clang-analyzer-optin.cplusplus.UninitializedObject,
+  bugprone-*,
+  -bugprone-easily-swappable-parameters,
+  -bugprone-narrowing-conversions,
+  performance-*,
+  -performance-avoid-endl,
+  modernize-use-override
+
+WarningsAsErrors: >
+  clang-analyzer-core.*,
+  clang-analyzer-security.*,
+  bugprone-use-after-move
+
+HeaderFilterRegex: 'modules/.*'
+
+CheckOptions:
+  - key: bugprone-assert-side-effect.AssertMacros
+    value: 'assert,BOOST_ASSERT'
+  - key: bugprone-dangling-handle.HandleClasses
+    value: 'std::string_view;std::experimental::string_view'

.cppcheck-suppressions.txt

@@ -0,0 +1,8 @@
+unmatchedSuppression
+missingIncludeSystem
+*:modules/backend/library/lib/json11/*
+unknownMacro
+unusedFunction:modules/backend/pass/*
+unusedFunction:modules/backend/library/*
+uninitMemberVar
+missingReturn:modules/frontend/counter_example/*

.github/workflows/ci.yml

@@ -0,0 +1,191 @@
+############################################################
+# Map2Check CI — Build, Test, Static & Dynamic Analysis
+#
+# Runs on every push and pull request.
+# Installs LLVM 16 directly on ubuntu-22.04 runner.
+# Unit tests use -DSKIP_KLEE=ON -DSKIP_LIB_FUZZER=ON,
+# so the full Dockerfile.dev dependencies are not needed.
+#
+# Phase 1.5 — OpenSSF Best Practices Badge (Analysis section)
+############################################################
+name: CI
+
+on:
+  push:
+    branches: [develop, main, master, 'feat-*']
+  pull_request:
+    branches: [develop, main, master]
+
+jobs:
+  # ===========================================================
+  # Job 1: Build + Unit Tests
+  # ===========================================================
+  build-and-test:
+    name: Build & Unit Tests
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install LLVM 16
+        run: |
+          wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
+          echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-16 main" | sudo tee /etc/apt/sources.list.d/llvm-16.list
+          sudo apt-get update
+          sudo apt-get install -y \
+            clang-16 llvm-16 llvm-16-dev libclang-16-dev \
+            cmake ninja-build libboost-all-dev zlib1g-dev
+
+      - name: Configure CMake
+        run: |
+          mkdir -p build && cd build
+          cmake .. -G Ninja \
+            -DLLVM_DIR=/usr/lib/llvm-16/lib/cmake/llvm \
+            -DSKIP_LIB_FUZZER=ON \
+            -DSKIP_KLEE=ON \
+            -DENABLE_TEST=ON
+        env:
+          CC: /usr/bin/clang-16
+          CXX: /usr/bin/clang++-16
+
+      - name: Build
+        run: cd build && ninja
+
+      - name: Run Unit Tests
+        run: cd build && ctest --output-on-failure
+
+  # ===========================================================
+  # Job 2: Static Analysis (cppcheck + clang-tidy)
+  # ===========================================================
+  static-analysis:
+    name: Static Analysis
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install LLVM 16 + cppcheck
+        run: |
+          wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
+          echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-16 main" | sudo tee /etc/apt/sources.list.d/llvm-16.list
+          sudo apt-get update
+          sudo apt-get install -y \
+            clang-16 clang-tidy-16 llvm-16 llvm-16-dev libclang-16-dev \
+            cmake ninja-build libboost-all-dev zlib1g-dev \
+            cppcheck
+
+      - name: Generate compile_commands.json
+        run: |
+          mkdir -p build && cd build
+          cmake .. -G Ninja \
+            -DLLVM_DIR=/usr/lib/llvm-16/lib/cmake/llvm \
+            -DSKIP_LIB_FUZZER=ON \
+            -DSKIP_KLEE=ON \
+            -DENABLE_TEST=ON \
+            -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
+        env:
+          CC: /usr/bin/clang-16
+          CXX: /usr/bin/clang++-16
+
+      - name: Run cppcheck (C++)
+        run: |
+          cppcheck \
+            --enable=warning,portability \
+            --suppress=missingIncludeSystem \
+            --suppress=unknownMacro \
+            --suppress=unusedFunction \
+            --suppress=passedByValue \
+            --suppressions-list=.cppcheck-suppressions.txt \
+            --inline-suppr \
+            --error-exitcode=1 \
+            --std=c++17 \
+            --language=c++ \
+            -I modules/ \
+            modules/frontend/ \
+            tests/unit/
+
+      - name: Run cppcheck (C backend — informational)
+        run: |
+          echo "::warning::C backend library has pre-existing issues — scan is informational only"
+          cppcheck \
+            --enable=warning,portability \
+            --suppress=missingIncludeSystem \
+            --suppress=unknownMacro \
+            --suppress=unusedFunction \
+            --suppressions-list=.cppcheck-suppressions.txt \
+            --inline-suppr \
+            --std=c11 \
+            --language=c \
+            -I modules/ \
+            modules/backend/library/ || true
+
+      - name: Build (for clang-tidy)
+        run: cd build && ninja
+        env:
+          CC: /usr/bin/clang-16
+          CXX: /usr/bin/clang++-16
+
+      - name: Run clang-tidy
+        run: |
+          find modules/frontend -name '*.cpp' | \
+            xargs -I{} clang-tidy-16 -p build/ \
+              --config-file=.clang-tidy \
+              --warnings-as-errors='clang-analyzer-core.*,clang-analyzer-security.*,bugprone-use-after-move' \
+              {} 2>&1 || true
+
+  # ===========================================================
+  # Job 3: Dynamic Analysis (ASan + UBSan)
+  # ===========================================================
+  sanitizer-tests:
+    name: Sanitizer Tests (ASan + UBSan)
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install LLVM 16
+        run: |
+          wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
+          echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-16 main" | sudo tee /etc/apt/sources.list.d/llvm-16.list
+          sudo apt-get update
+          sudo apt-get install -y \
+            clang-16 llvm-16 llvm-16-dev libclang-16-dev \
+            cmake ninja-build libboost-all-dev zlib1g-dev
+
+      - name: Configure CMake with Sanitizers
+        run: |
+          mkdir -p build && cd build
+          cmake .. -G Ninja \
+            -DLLVM_DIR=/usr/lib/llvm-16/lib/cmake/llvm \
+            -DSKIP_LIB_FUZZER=ON \
+            -DSKIP_KLEE=ON \
+            -DENABLE_TEST=ON \
+            -DMAP2CHECK_ENABLE_SANITIZERS=ON
+        env:
+          CC: /usr/bin/clang-16
+          CXX: /usr/bin/clang++-16
+
+      - name: Build with Sanitizers
+        run: cd build && ninja
+        env:
+          CC: /usr/bin/clang-16
+          CXX: /usr/bin/clang++-16
+
+      - name: Run Tests with ASan + UBSan
+        env:
+          # detect_leaks=0: test code intentionally allocates without freeing
+          # (tests allocation tracking, not ownership)
+          ASAN_OPTIONS: "detect_leaks=0:halt_on_error=1:abort_on_error=1"
+          # halt_on_error=0: report pre-existing UB issues without blocking CI
+          # Known: BTree.c:276 off-by-one (tracked for fix in Phase 2)
+          UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=0"
+        run: cd build && ctest --output-on-failure

.github/workflows/docker-publish.yml

@@ -0,0 +1,58 @@
+############################################################
+# Publish map2check-dev Docker image to GitHub Container Registry
+#
+# Triggers:
+#   - Push to develop (Dockerfile.dev changes)
+#   - Manual dispatch (workflow_dispatch)
+#
+# Phase 1.5 — OpenSSF Best Practices Badge
+############################################################
+name: Publish Docker Image
+
+on:
+  push:
+    branches: [develop]
+    paths:
+      - 'Dockerfile.dev'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository_owner }}/map2check-dev
+
+jobs:
+  build-and-push:
+    name: Build & Push to GHCR
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest
+            type=sha,prefix=
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile.dev
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -74,3 +74,4 @@ target_wrapper.*
 
 # QtCreator CMake
 CMakeLists.txt.user*
+test-comp2026/simulation/release/*

CMakeLists.txt

@@ -1,27 +1,35 @@
-cmake_minimum_required(VERSION 3.5)
-project(Map2Check)
+cmake_minimum_required(VERSION 3.20)
+project(Map2Check VERSION 8.0.0 LANGUAGES C CXX)
 
-set(Map2Check_VERSION_MAJOR 7)
-set(Map2Check_VERSION_MINOR 0)
-
-option(USE_PREBUILT_CLANG "Download and Install pre-built clang" ON)
 option(BUILD_DOC "Build documentation" OFF)
-option(SKIP_LIB_FUZZER "Don't build libFuzzer" OFF)
-option(SKIP_KLEE "Don't build KLEE" OFF)
+option(SKIP_LIB_FUZZER "Don't use libFuzzer" OFF)
+option(SKIP_KLEE "Don't use KLEE" OFF)
 option(REGRESSION "Prepare Regression Tests" OFF)
 option(ENABLE_TEST "Build all tests" OFF)
+option(MAP2CHECK_ENABLE_SANITIZERS "Enable AddressSanitizer + UndefinedBehaviorSanitizer for testing" OFF)
 
-set (CMAKE_CXX_STANDARD 11)
-
-# set(CMAKE_FIND_LIBRARY_SUFFIXES ".a")
-# set(CMAKE_EXE_LINKER_FLAGS "-Bstatic -static-libgcc -static-libstdc++")
-# include(cmake/ExternalDeps.cmake)
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
+# --- Sanitizer configuration (Phase 1.5 — OpenSSF Best Practices) ---
+if(MAP2CHECK_ENABLE_SANITIZERS)
+  message(STATUS "Sanitizers enabled: ASan + UBSan (dynamic linking)")
+  add_compile_options(-fsanitize=address,undefined -fno-omit-frame-pointer -g)
+  add_link_options(-fsanitize=address,undefined)
+  # Ensure all targets (including OBJECT libraries) are compiled with -fPIC,
+  # required for LLVM pass shared libraries (.so)
+  set(CMAKE_POSITION_INDEPENDENT_CODE ON)
+  # ASan requires dynamic linking — skip static config
+  set(Map2Check_MODE "SHARED")
+else()
+  # --- Static linking configuration ---
+  set(Map2Check_MODE "STATIC")
+  set(CMAKE_FIND_LIBRARY_SUFFIXES ".a")
+  set(CMAKE_EXE_LINKER_FLAGS "-Bstatic -static-libgcc -static-libstdc++")
+endif()
 
-set(Map2Check_MODE "STATIC")
-set(CMAKE_FIND_LIBRARY_SUFFIXES ".a")
-set(CMAKE_EXE_LINKER_FLAGS "-Bstatic -static-libgcc -static-libstdc++")
-
+# --- Core dependencies ---
 include(cmake/FindClang.cmake)
 include(cmake/FindBoost.cmake)
 
@@ -46,7 +54,7 @@ include_directories(${PROJECT_SOURCE_DIR})
 if(ENABLE_TEST)
   enable_testing()
   include(cmake/FindGTest.cmake)
-  message("Adding tests")
+  message(STATUS "Adding tests")
   add_subdirectory(tests)
 endif()