Fix all memory leaks, vendor sqlite3, add Docker test infrastructure

Leak fixes (13 sources, 1.4MB → 0 bytes):
- Cypher: free col_names after rb_set_columns, free rejected inline
  prop nodes, store WITH aliases in qualified_name for auto-cleanup
- Store: add cbm_project_free_fields, fix find_node_ids_by_qns leak
- Graph buffer: free strdup'd hash keys during delete operations
- SQL scanner: free old start_tag before reassignment in deserialize

Platform independence:
- Vendor sqlite3 amalgamation (3.49.1) — eliminates system libsqlite3
  dependency, enables full ASan/LeakSanitizer instrumentation
- Add -I for vendored tree-sitter unicode headers — eliminates hidden
  dependency on system libicu-dev
- Add test-infrastructure/ with Docker Compose for local GCC+ASan
  testing that mirrors CI exactly

Author: DeusData

Makefile.cbm

@@ -21,6 +21,9 @@
 #   internal/cbm/vendored/ts_runtime/include — tree-sitter API
 CBM_DIR = internal/cbm
 TS_INCLUDE = $(CBM_DIR)/vendored/ts_runtime/include
+# Vendored tree-sitter src/ contains unicode/ headers (umachine.h, utf.h, utf8.h).
+# This ensures we use our vendored copies instead of requiring system libicu-dev.
+TS_SRC = $(CBM_DIR)/vendored/ts_runtime/src
 
 # ── Optional libgit2 (faster git history parsing) ────────────────
 # Auto-detected via pkg-config. Falls back to popen("git log ...") if absent.
@@ -71,9 +74,9 @@ CFLAGS_TSAN = $(CFLAGS_COMMON) -g -O1 \
 CXXFLAGS_TSAN = $(CXXFLAGS_COMMON) -g -O1 \
                 -fsanitize=thread -fno-omit-frame-pointer
 
-LDFLAGS = -lm -lstdc++ -lpthread -lsqlite3 -lz $(LIBGIT2_LIBS)
-LDFLAGS_TEST = -lm -lstdc++ -lpthread -lsqlite3 -lz -fsanitize=address,undefined $(LIBGIT2_LIBS)
-LDFLAGS_TSAN = -lm -lstdc++ -lpthread -lsqlite3 -lz -fsanitize=thread $(LIBGIT2_LIBS)
+LDFLAGS = -lm -lstdc++ -lpthread -lz $(LIBGIT2_LIBS)
+LDFLAGS_TEST = -lm -lstdc++ -lpthread -lz -fsanitize=address,undefined $(LIBGIT2_LIBS)
+LDFLAGS_TSAN = -lm -lstdc++ -lpthread -lz -fsanitize=thread $(LIBGIT2_LIBS)
 
 # ── Source files ─────────────────────────────────────────────────
 
@@ -200,6 +203,11 @@ MIMALLOC_CFLAGS_TEST = -std=c11 -g -O1 -w \
                        -Ivendored/mimalloc/src \
                        -DMI_OVERRIDE=0
 
+# sqlite3 (vendored amalgamation — compiled ourselves for ASan instrumentation)
+SQLITE3_SRC = vendored/sqlite3/sqlite3.c
+SQLITE3_CFLAGS = -std=c11 -O2 -w -DSQLITE_DQS=0 -DSQLITE_THREADSAFE=1
+SQLITE3_CFLAGS_TEST = -std=c11 -g -O1 -w -DSQLITE_DQS=0 -DSQLITE_THREADSAFE=1
+
 # yyjson (vendored)
 YYJSON_SRC = vendored/yyjson/yyjson.c
 
@@ -276,10 +284,10 @@ BUILD_DIR = build/c
 # ── Object file compilation (grammars need relaxed warnings) ─────
 
 # Grammar + tree-sitter runtime: compiled without -Werror (upstream code has warnings)
-GRAMMAR_CFLAGS = -std=c11 -D_DEFAULT_SOURCE -O2 -w -I$(CBM_DIR) -I$(TS_INCLUDE)
-GRAMMAR_CFLAGS_TEST = -std=c11 -D_DEFAULT_SOURCE -g -O1 -w -I$(CBM_DIR) -I$(TS_INCLUDE) \
+GRAMMAR_CFLAGS = -std=c11 -D_DEFAULT_SOURCE -O2 -w -I$(CBM_DIR) -I$(TS_INCLUDE) -I$(TS_SRC)
+GRAMMAR_CFLAGS_TEST = -std=c11 -D_DEFAULT_SOURCE -g -O1 -w -I$(CBM_DIR) -I$(TS_INCLUDE) -I$(TS_SRC) \
                       -fsanitize=address,undefined -fno-omit-frame-pointer
-GRAMMAR_CFLAGS_TSAN = -std=c11 -D_DEFAULT_SOURCE -g -O1 -w -I$(CBM_DIR) -I$(TS_INCLUDE) \
+GRAMMAR_CFLAGS_TSAN = -std=c11 -D_DEFAULT_SOURCE -g -O1 -w -I$(CBM_DIR) -I$(TS_INCLUDE) -I$(TS_SRC) \
                       -fsanitize=thread -fno-omit-frame-pointer
 
 # Object files for grammars + ts_runtime + lsp_all + preprocessor
@@ -339,7 +347,17 @@ $(BUILD_DIR)/mimalloc.o: $(MIMALLOC_SRC) | $(BUILD_DIR)
 $(BUILD_DIR)/prod_mimalloc.o: $(MIMALLOC_SRC) | $(BUILD_DIR)
 	$(CC) $(MIMALLOC_CFLAGS) -c -o $@ $<
 
-OBJS_VENDORED_TEST = $(MIMALLOC_OBJ_TEST) $(GRAMMAR_OBJS_TEST) $(TS_RUNTIME_OBJ_TEST) $(LSP_OBJ_TEST) $(PP_OBJ_TEST) $(MONGOOSE_OBJ_TEST)
+# sqlite3 object files (vendored amalgamation)
+SQLITE3_OBJ_TEST = $(BUILD_DIR)/sqlite3.o
+SQLITE3_OBJ_PROD = $(BUILD_DIR)/prod_sqlite3.o
+
+$(BUILD_DIR)/sqlite3.o: $(SQLITE3_SRC) | $(BUILD_DIR)
+	$(CC) $(SQLITE3_CFLAGS_TEST) -fsanitize=address,undefined -fno-omit-frame-pointer -c -o $@ $<
+
+$(BUILD_DIR)/prod_sqlite3.o: $(SQLITE3_SRC) | $(BUILD_DIR)
+	$(CC) $(SQLITE3_CFLAGS) -c -o $@ $<
+
+OBJS_VENDORED_TEST = $(MIMALLOC_OBJ_TEST) $(SQLITE3_OBJ_TEST) $(GRAMMAR_OBJS_TEST) $(TS_RUNTIME_OBJ_TEST) $(LSP_OBJ_TEST) $(PP_OBJ_TEST) $(MONGOOSE_OBJ_TEST)
 
 $(BUILD_DIR)/test-runner: $(ALL_TEST_SRCS) $(PROD_SRCS) $(EXTRACTION_SRCS) $(AC_LZ4_SRCS) $(SQLITE_WRITER_SRC) $(OBJS_VENDORED_TEST) | $(BUILD_DIR)
 	$(CC) $(CFLAGS_TEST) -o $@ \
@@ -376,7 +394,7 @@ $(BUILD_DIR)/prod_lsp_all.o: $(CBM_DIR)/lsp_all.c | $(BUILD_DIR)
 $(BUILD_DIR)/prod_preprocessor.o: $(CBM_DIR)/preprocessor.cpp | $(BUILD_DIR)
 	$(CXX) $(CXXFLAGS_PROD) -w -I$(CBM_DIR)/vendored -c -o $@ $<
 
-OBJS_VENDORED_PROD = $(MIMALLOC_OBJ_PROD) $(GRAMMAR_OBJS_PROD) $(TS_RUNTIME_OBJ_PROD) $(LSP_OBJ_PROD) $(PP_OBJ_PROD) $(MONGOOSE_OBJ_PROD)
+OBJS_VENDORED_PROD = $(MIMALLOC_OBJ_PROD) $(SQLITE3_OBJ_PROD) $(GRAMMAR_OBJS_PROD) $(TS_RUNTIME_OBJ_PROD) $(LSP_OBJ_PROD) $(PP_OBJ_PROD) $(MONGOOSE_OBJ_PROD)
 
 MAIN_SRC = src/main.c
 

internal/cbm/vendored/grammars/sql/scanner.c

@@ -2052,7 +2052,7 @@ static void scan_pattern_nodes(cbm_store_t *store, const char *project, int max_
         }
         cbm_store_search_free(&sout);
     }
-    /* Apply inline property filters */
+    /* Apply inline property filters — free rejected nodes' strings */
     if (first->prop_count > 0) {
         int kept = 0;
         for (int i = 0; i < *out_count; i++) {
@@ -2061,6 +2061,8 @@ static void scan_pattern_nodes(cbm_store_t *store, const char *project, int max_
                     (*out_nodes)[kept] = (*out_nodes)[i];
                 }
                 kept++;
+            } else {
+                node_fields_free(&(*out_nodes)[i]);
             }
         }
         *out_count = kept;
@@ -2646,17 +2648,20 @@ static int execute_single(cbm_store_t *store, cbm_query_t *q, const char *projec
                         } else {
                             snprintf(vbuf, sizeof(vbuf), "%d", aggs[a].counts[ci]);
                         }
-                        /* Store as a "virtual node" with the value in name */
-                        cbm_node_t vn = {.name = heap_strdup(vbuf)};
+                        /* Store as a "virtual node" with the value in name,
+                         * alias in qualified_name (freed by node_fields_free). */
+                        cbm_node_t vn = {.name = heap_strdup(vbuf),
+                                         .qualified_name = heap_strdup(alias)};
                         if (vb.var_count < 16) {
-                            vb.var_names[vb.var_count] = heap_strdup(alias);
+                            vb.var_names[vb.var_count] = vn.qualified_name;
                             vb.var_nodes[vb.var_count] = vn;
                             vb.var_count++;
                         }
                     } else {
-                        cbm_node_t vn = {.name = heap_strdup(aggs[a].group_vals[ci])};
+                        cbm_node_t vn = {.name = heap_strdup(aggs[a].group_vals[ci]),
+                                         .qualified_name = heap_strdup(alias)};
                         if (vb.var_count < 16) {
-                            vb.var_names[vb.var_count] = heap_strdup(alias);
+                            vb.var_names[vb.var_count] = vn.qualified_name;
                             vb.var_nodes[vb.var_count] = vn;
                             vb.var_count++;
                         }
@@ -2695,9 +2700,10 @@ static int execute_single(cbm_store_t *store, cbm_query_t *q, const char *projec
                     char func_buf[512];
                     const char *val =
                         project_item(&bindings[bi], &wc->items[ci], func_buf, sizeof(func_buf));
-                    cbm_node_t vn = {.name = heap_strdup(val)};
+                    cbm_node_t vn = {.name = heap_strdup(val),
+                                     .qualified_name = heap_strdup(alias)};
                     if (vb.var_count < 16) {
-                        vb.var_names[vb.var_count] = heap_strdup(alias);
+                        vb.var_names[vb.var_count] = vn.qualified_name;
                         vb.var_nodes[vb.var_count] = vn;
                         vb.var_count++;
                     }
@@ -2875,6 +2881,14 @@ static int execute_single(cbm_store_t *store, cbm_query_t *q, const char *projec
             }
         }
         rb_set_columns(rb, col_names, ret->count);
+        /* Free heap_strdup'd column names (rb_set_columns made its own copies).
+         * Only func/property branches heap-allocate; alias takes priority. */
+        for (int i = 0; i < ret->count && i < 32; i++) {
+            cbm_return_item_t *item = &ret->items[i];
+            if (!item->alias && (item->func || (!item->kase && item->property))) {
+                free((void *)col_names[i]);
+            }
+        }
 
         if (has_agg) {
             /* Generalized aggregation: COUNT, SUM, AVG, MIN, MAX, COLLECT */

src/cypher/cypher.c

@@ -422,8 +422,10 @@ int cbm_gbuf_delete_by_label(cbm_gbuf_t *gb, const char *label) {
 
         /* Remove from primary indexes */
         cbm_ht_delete(gb->node_by_qn, n->qualified_name);
-        void *removed_key = cbm_ht_delete(gb->node_by_id, id_buf);
-        (void)removed_key;
+        /* Free the strdup'd key stored in node_by_id (get before delete) */
+        const char *stored_key = cbm_ht_get_key(gb->node_by_id, id_buf);
+        cbm_ht_delete(gb->node_by_id, id_buf);
+        free((void *)stored_key);
     }
 
     /* Clear the label array */
@@ -442,11 +444,12 @@ int cbm_gbuf_delete_by_label(cbm_gbuf_t *gb, const char *label) {
         make_id_key(tgt_id, sizeof(tgt_id), e->target_id);
 
         if (cbm_ht_get(deleted_set, src_id) || cbm_ht_get(deleted_set, tgt_id)) {
-            /* Remove from edge dedup index */
+            /* Remove from edge dedup index (free the strdup'd key) */
             char key[EDGE_KEY_BUF];
             make_edge_key(key, sizeof(key), e->source_id, e->target_id, e->type);
-            void *k = cbm_ht_delete(gb->edge_by_key, key);
-            (void)k;
+            const char *ekey = cbm_ht_get_key(gb->edge_by_key, key);
+            cbm_ht_delete(gb->edge_by_key, key);
+            free((void *)ekey);
 
             /* Remove from secondary indexes incrementally */
             make_src_type_key(key, sizeof(key), e->source_id, e->type);
@@ -490,6 +493,7 @@ int cbm_gbuf_delete_by_label(cbm_gbuf_t *gb, const char *label) {
     }
     gb->edges.count = write_idx;
 
+    cbm_ht_foreach(deleted_set, free_key_only, NULL);
     cbm_ht_free(deleted_set);
     return 0;
 }
@@ -636,8 +640,9 @@ int cbm_gbuf_delete_edges_by_type(cbm_gbuf_t *gb, const char *type) {
         if (strcmp(e->type, type) == 0) {
             char key[EDGE_KEY_BUF];
             make_edge_key(key, sizeof(key), e->source_id, e->target_id, e->type);
-            void *k = cbm_ht_delete(gb->edge_by_key, key);
-            (void)k;
+            const char *ekey = cbm_ht_get_key(gb->edge_by_key, key);
+            cbm_ht_delete(gb->edge_by_key, key);
+            free((void *)ekey);
             free_edge_strings(e);
             free(e);
         } else {

src/graph_buffer/graph_buffer.c

@@ -731,7 +731,7 @@ int cbm_store_find_node_ids_by_qns(cbm_store_t *s, const char *project, const ch
     memset(out_ids, 0, (size_t)qn_count * sizeof(int64_t));
 
     int found = 0;
-    cbm_node_t node;
+    cbm_node_t node = {0};
     for (int i = 0; i < qn_count; i++) {
         if (!qns[i]) {
             continue;
@@ -740,9 +740,10 @@ int cbm_store_find_node_ids_by_qns(cbm_store_t *s, const char *project, const ch
         if (rc == CBM_STORE_OK) {
             out_ids[i] = node.id;
             found++;
+            cbm_node_free_fields(&node);
+            memset(&node, 0, sizeof(node));
         }
     }
-    // NOLINTNEXTLINE(clang-analyzer-unix.Malloc)
     return found;
 }
 
@@ -4278,14 +4279,18 @@ void cbm_store_free_edges(cbm_edge_t *edges, int count) {
     free(edges);
 }
 
+void cbm_project_free_fields(cbm_project_t *p) {
+    free((void *)p->name);
+    free((void *)p->indexed_at);
+    free((void *)p->root_path);
+}
+
 void cbm_store_free_projects(cbm_project_t *projects, int count) {
     if (!projects) {
         return;
     }
     for (int i = 0; i < count; i++) {
-        free((void *)projects[i].name);
-        free((void *)projects[i].indexed_at);
-        free((void *)projects[i].root_path);
+        cbm_project_free_fields(&projects[i]);
     }
     free(projects);
 }

src/store/store.c

@@ -567,6 +567,9 @@ int cbm_louvain(const int64_t *nodes, int node_count, const cbm_louvain_edge_t *
 /* Free heap-allocated strings in a stack-allocated node (does NOT free the node itself). */
 void cbm_node_free_fields(cbm_node_t *n);
 
+/* Free heap-allocated strings in a stack-allocated project (does NOT free the project itself). */
+void cbm_project_free_fields(cbm_project_t *p);
+
 /* Free an array of nodes returned by find_nodes_by_* functions. */
 void cbm_store_free_nodes(cbm_node_t *nodes, int count);
 

src/store/store.h

@@ -0,0 +1,22 @@
+# Mirrors the Ubuntu CI environment exactly:
+#   - Ubuntu 24.04 (same as GitHub Actions ubuntu-latest / ubuntu-24.04-arm)
+#   - GCC (system default) with ASan + UBSan + LeakSanitizer
+#   - libsqlite3-dev + zlib1g-dev (same as CI "Install deps" step)
+#
+# Build:  docker build -t cbm-test test-infrastructure/
+# Run:    docker run --rm -v $(pwd):/src cbm-test
+
+FROM ubuntu:noble
+
+# Minimal: gcc + zlib only. sqlite3 is vendored (compiled from source with ASan).
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc g++ make \
+    zlib1g-dev \
+    pkg-config \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /src
+
+# Default: run test.sh with GCC (mirrors CI exactly)
+ENTRYPOINT ["scripts/test.sh"]
+CMD ["CC=gcc", "CXX=g++"]

test-infrastructure/Dockerfile

@@ -0,0 +1,32 @@
+# Lint environment — mirrors CI lint job exactly:
+#   - clang-format-20 (from LLVM apt repo)
+#   - cppcheck 2.20.0 (built from source, same as CI)
+#
+# Build:  docker build -t cbm-lint -f test-infrastructure/Dockerfile.lint test-infrastructure/
+# Run:    docker run --rm -v $(pwd):/src cbm-lint
+
+FROM ubuntu:noble
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc g++ make cmake \
+    libsqlite3-dev zlib1g-dev \
+    pkg-config wget gnupg git ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# clang-format-20 (same version as CI)
+RUN wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc \
+    && echo "deb http://apt.llvm.org/noble/ llvm-toolchain-noble-20 main" > /etc/apt/sources.list.d/llvm-20.list \
+    && apt-get update && apt-get install -y --no-install-recommends clang-format-20 \
+    && rm -rf /var/lib/apt/lists/*
+
+# cppcheck 2.20.0 (same version as CI)
+RUN git clone --depth 1 --branch 2.20.0 https://github.com/danmar/cppcheck.git /tmp/cppcheck \
+    && cmake -S /tmp/cppcheck -B /tmp/cppcheck/build -DCMAKE_BUILD_TYPE=Release -DHAVE_RULES=OFF -DCMAKE_INSTALL_PREFIX=/usr/local \
+    && cmake --build /tmp/cppcheck/build -j$(nproc) \
+    && cmake --install /tmp/cppcheck/build \
+    && rm -rf /tmp/cppcheck
+
+WORKDIR /src
+
+ENTRYPOINT ["scripts/lint.sh"]
+CMD ["CLANG_FORMAT=clang-format-20"]

test-infrastructure/Dockerfile.lint

@@ -0,0 +1,26 @@
+# Local Ubuntu test environment — mirrors GitHub Actions CI exactly.
+#
+# Usage:
+#   docker compose -f test-infrastructure/docker-compose.yml run --rm test
+#   docker compose -f test-infrastructure/docker-compose.yml run --rm lint
+#
+# Shortcut (from repo root):
+#   ./test-infrastructure/run.sh          # test
+#   ./test-infrastructure/run.sh lint     # lint only
+
+services:
+  test:
+    build:
+      context: ..
+      dockerfile: test-infrastructure/Dockerfile
+    volumes:
+      - ..:/src
+    # GCC + ASan + UBSan + LeakSanitizer (exactly what CI runs)
+    command: ["CC=gcc", "CXX=g++"]
+
+  lint:
+    build:
+      context: ..
+      dockerfile: test-infrastructure/Dockerfile.lint
+    volumes:
+      - ..:/src

test-infrastructure/docker-compose.yml

@@ -0,0 +1,38 @@
+#!/bin/bash
+# Quick runner for local Docker-based CI testing.
+#
+# Usage:
+#   ./test-infrastructure/run.sh           # Run GCC tests (ASan + LeakSanitizer)
+#   ./test-infrastructure/run.sh lint      # Run linters (clang-format + cppcheck)
+#   ./test-infrastructure/run.sh both      # Lint then test
+#   ./test-infrastructure/run.sh shell     # Drop into container shell for debugging
+
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+COMPOSE="docker compose -f $ROOT/test-infrastructure/docker-compose.yml"
+
+case "${1:-test}" in
+    test)
+        echo "=== Running GCC + ASan + LeakSanitizer tests (mirrors Ubuntu CI) ==="
+        $COMPOSE run --rm test
+        ;;
+    lint)
+        echo "=== Running linters (clang-format-20 + cppcheck 2.20.0) ==="
+        $COMPOSE run --rm lint
+        ;;
+    both)
+        echo "=== Running linters ==="
+        $COMPOSE run --rm lint
+        echo "=== Running tests ==="
+        $COMPOSE run --rm test
+        ;;
+    shell)
+        echo "=== Dropping into test container shell ==="
+        $COMPOSE run --rm --entrypoint bash test
+        ;;
+    *)
+        echo "Usage: $0 {test|lint|both|shell}"
+        exit 1
+        ;;
+esac