test: Grep for failures in CI (#6339)

This change adjusts the CI tests to make it easier to spot errors, without needing to sift through the thousands of lines of output.

.clang-tidy

@@ -1,105 +1,143 @@
 ---
 Checks: "-*,
-  bugprone-argument-comment
+  bugprone-argument-comment,
+  bugprone-assert-side-effect,
+  bugprone-bad-signal-to-kill-thread,
+  bugprone-bool-pointer-implicit-conversion,
+  bugprone-casting-through-void,
+  bugprone-chained-comparison,
+  bugprone-compare-pointer-to-member-virtual-function,
+  bugprone-copy-constructor-init,
+  bugprone-dangling-handle,
+  bugprone-dynamic-static-initializers,
+  bugprone-fold-init-type,
+  bugprone-forward-declaration-namespace,
+  bugprone-inaccurate-erase,
+  bugprone-incorrect-enable-if,
+  bugprone-incorrect-roundings,
+  bugprone-infinite-loop,
+  bugprone-integer-division,
+  bugprone-lambda-function-name,
+  bugprone-macro-parentheses,
+  bugprone-macro-repeated-side-effects,
+  bugprone-misplaced-operator-in-strlen-in-alloc,
+  bugprone-misplaced-pointer-arithmetic-in-alloc,
+  bugprone-misplaced-widening-cast,
+  bugprone-multi-level-implicit-pointer-conversion,
+  bugprone-multiple-new-in-one-expression,
+  bugprone-multiple-statement-macro,
+  bugprone-no-escape,
+  bugprone-non-zero-enum-to-bool-conversion,
+  bugprone-parent-virtual-call,
+  bugprone-posix-return,
+  bugprone-redundant-branch-condition,
+  bugprone-shared-ptr-array-mismatch,
+  bugprone-signal-handler,
+  bugprone-signed-char-misuse,
+  bugprone-sizeof-container,
+  bugprone-spuriously-wake-up-functions,
+  bugprone-standalone-empty,
+  bugprone-string-constructor,
+  bugprone-string-integer-assignment,
+  bugprone-string-literal-with-embedded-nul,
+  bugprone-stringview-nullptr,
+  bugprone-suspicious-enum-usage,
+  bugprone-suspicious-include,
+  bugprone-suspicious-memory-comparison,
+  bugprone-suspicious-memset-usage,
+  bugprone-suspicious-realloc-usage,
+  bugprone-suspicious-semicolon,
+  bugprone-suspicious-string-compare,
+  bugprone-swapped-arguments,
+  bugprone-terminating-continue,
+  bugprone-throw-keyword-missing,
+  bugprone-undefined-memory-manipulation,
+  bugprone-undelegated-constructor,
+  bugprone-unhandled-exception-at-new,
+  bugprone-unique-ptr-array-mismatch,
+  bugprone-unsafe-functions,
+  bugprone-virtual-near-miss,
+  cppcoreguidelines-no-suspend-with-lock,
+  cppcoreguidelines-virtual-class-destructor,
+  hicpp-ignored-remove-result,
+  misc-definitions-in-headers,
+  misc-header-include-cycle,
+  misc-misplaced-const,
+  misc-static-assert,
+  misc-throw-by-value-catch-by-reference,
+  misc-unused-alias-decls,
+  misc-unused-using-decls,
+  readability-duplicate-include,
+  readability-enum-initial-value,
+  readability-misleading-indentation,
+  readability-non-const-parameter,
+  readability-redundant-declaration,
+  readability-reference-to-constructed-temporary,
+  modernize-deprecated-headers,
+  modernize-make-shared,
+  modernize-make-unique,
+  performance-implicit-conversion-in-loop,
+  performance-move-constructor-init,
+  performance-trivially-destructible
   "
-# bugprone-assert-side-effect,
-# bugprone-bad-signal-to-kill-thread,
-# bugprone-bool-pointer-implicit-conversion,
-# bugprone-casting-through-void,
-# bugprone-chained-comparison,
-# bugprone-compare-pointer-to-member-virtual-function,
-# bugprone-copy-constructor-init,
-# bugprone-crtp-constructor-accessibility,
-# bugprone-dangling-handle,
-# bugprone-dynamic-static-initializers,
+# ---
+# checks that have some issues that need to be resolved:
+#
 # bugprone-empty-catch,
-# bugprone-fold-init-type,
-# bugprone-forward-declaration-namespace,
-# bugprone-inaccurate-erase,
+# bugprone-crtp-constructor-accessibility,
 # bugprone-inc-dec-in-conditions,
-# bugprone-incorrect-enable-if,
-# bugprone-incorrect-roundings,
-# bugprone-infinite-loop,
-# bugprone-integer-division,
-# bugprone-lambda-function-name,
-# bugprone-macro-parentheses,
-# bugprone-macro-repeated-side-effects,
-# bugprone-misplaced-operator-in-strlen-in-alloc,
-# bugprone-misplaced-pointer-arithmetic-in-alloc,
-# bugprone-misplaced-widening-cast,
-# bugprone-move-forwarding-reference,
-# bugprone-multi-level-implicit-pointer-conversion,
-# bugprone-multiple-new-in-one-expression,
-# bugprone-multiple-statement-macro,
-# bugprone-no-escape,
-# bugprone-non-zero-enum-to-bool-conversion,
-# bugprone-optional-value-conversion,
-# bugprone-parent-virtual-call,
-# bugprone-pointer-arithmetic-on-polymorphic-object,
-# bugprone-posix-return,
-# bugprone-redundant-branch-condition,
 # bugprone-reserved-identifier,
-# bugprone-return-const-ref-from-parameter,
-# bugprone-shared-ptr-array-mismatch,
-# bugprone-signal-handler,
-# bugprone-signed-char-misuse,
-# bugprone-sizeof-container,
-# bugprone-sizeof-expression,
-# bugprone-spuriously-wake-up-functions,
-# bugprone-standalone-empty,
-# bugprone-string-constructor,
-# bugprone-string-integer-assignment,
-# bugprone-string-literal-with-embedded-nul,
-# bugprone-stringview-nullptr,
-# bugprone-suspicious-enum-usage,
-# bugprone-suspicious-include,
-# bugprone-suspicious-memory-comparison,
-# bugprone-suspicious-memset-usage,
-# bugprone-suspicious-missing-comma,
-# bugprone-suspicious-realloc-usage,
-# bugprone-suspicious-semicolon,
-# bugprone-suspicious-string-compare,
-# bugprone-suspicious-stringview-data-usage,
-# bugprone-swapped-arguments,
-# bugprone-switch-missing-default-case,
-# bugprone-terminating-continue,
-# bugprone-throw-keyword-missing,
-# bugprone-too-small-loop-variable,
-# bugprone-undefined-memory-manipulation,
-# bugprone-undelegated-constructor,
-# bugprone-unhandled-exception-at-new,
-# bugprone-unhandled-self-assignment,
-# bugprone-unique-ptr-array-mismatch,
-# bugprone-unsafe-functions,
+# bugprone-move-forwarding-reference,
 # bugprone-unused-local-non-trivial-variable,
-# bugprone-unused-raii,
+# bugprone-return-const-ref-from-parameter,
+# bugprone-switch-missing-default-case,
+# bugprone-sizeof-expression,
+# bugprone-suspicious-stringview-data-usage,
+# bugprone-suspicious-missing-comma,
+# bugprone-pointer-arithmetic-on-polymorphic-object,
+# bugprone-optional-value-conversion,
+# bugprone-too-small-loop-variable,
 # bugprone-unused-return-value,
 # bugprone-use-after-move,
-# bugprone-virtual-near-miss,
-# cppcoreguidelines-init-variables,
+# bugprone-unhandled-self-assignment,
+# bugprone-unused-raii,
+#
 # cppcoreguidelines-misleading-capture-default-by-value,
-# cppcoreguidelines-no-suspend-with-lock,
+# cppcoreguidelines-init-variables,
 # cppcoreguidelines-pro-type-member-init,
 # cppcoreguidelines-pro-type-static-cast-downcast,
-# cppcoreguidelines-rvalue-reference-param-not-moved,
 # cppcoreguidelines-use-default-member-init,
-# cppcoreguidelines-virtual-class-destructor,
-# hicpp-ignored-remove-result,
+# cppcoreguidelines-rvalue-reference-param-not-moved,
+#
 # llvm-namespace-comment,
 # misc-const-correctness,
-# misc-definitions-in-headers,
-# misc-header-include-cycle,
 # misc-include-cleaner,
-# misc-misplaced-const,
 # misc-redundant-expression,
-# misc-static-assert,
-# misc-throw-by-value-catch-by-reference,
-# misc-unused-alias-decls,
-# misc-unused-using-decls,
+#
+# readability-avoid-nested-conditional-operator,
+# readability-avoid-return-with-void-value,
+# readability-braces-around-statements,
+# readability-container-contains,
+# readability-container-size-empty,
+# readability-convert-member-functions-to-static,
+# readability-const-return-type,
+# readability-else-after-return,
+# readability-implicit-bool-conversion,
+# readability-inconsistent-declaration-parameter-name,
+# readability-identifier-naming,
+# readability-make-member-function-const,
+# readability-math-missing-parentheses,
+# readability-redundant-inline-specifier,
+# readability-redundant-member-init,
+# readability-redundant-casting,
+# readability-redundant-string-init,
+# readability-simplify-boolean-expr,
+# readability-static-definition-in-anonymous-namespace,
+# readability-suspicious-call-argument,
+# readability-use-std-min-max,
+# readability-static-accessed-through-instance,
+#
 # modernize-concat-nested-namespaces,
-# modernize-deprecated-headers,
-# modernize-make-shared,
-# modernize-make-unique,
 # modernize-pass-by-value,
 # modernize-type-traits,
 # modernize-use-designated-initializers,
@@ -111,79 +149,50 @@ Checks: "-*,
 # modernize-use-starts-ends-with,
 # modernize-use-std-numbers,
 # modernize-use-using,
+#
 # performance-faster-string-find,
 # performance-for-range-copy,
-# performance-implicit-conversion-in-loop,
 # performance-inefficient-vector-operation,
 # performance-move-const-arg,
-# performance-move-constructor-init,
 # performance-no-automatic-move,
-# performance-trivially-destructible,
-# readability-avoid-nested-conditional-operator,
-# readability-avoid-return-with-void-value,
-# readability-braces-around-statements,
-# readability-const-return-type,
-# readability-container-contains,
-# readability-container-size-empty,
-# readability-convert-member-functions-to-static,
-# readability-duplicate-include,
-# readability-else-after-return,
-# readability-enum-initial-value,
-# readability-implicit-bool-conversion,
-# readability-inconsistent-declaration-parameter-name,
-# readability-identifier-naming,
-# readability-make-member-function-const,
-# readability-math-missing-parentheses,
-# readability-misleading-indentation,
-# readability-non-const-parameter,
-# readability-redundant-casting,
-# readability-redundant-declaration,
-# readability-redundant-inline-specifier,
-# readability-redundant-member-init,
-# readability-redundant-string-init,
-# readability-reference-to-constructed-temporary,
-# readability-simplify-boolean-expr,
-# readability-static-accessed-through-instance,
-# readability-static-definition-in-anonymous-namespace,
-# readability-suspicious-call-argument,
-# readability-use-std-min-max
+# ---
 #
-# CheckOptions:
-#   readability-braces-around-statements.ShortStatementLines: 2
-#   readability-identifier-naming.MacroDefinitionCase: UPPER_CASE
-#   readability-identifier-naming.ClassCase: CamelCase
-#   readability-identifier-naming.StructCase: CamelCase
-#   readability-identifier-naming.UnionCase: CamelCase
-#   readability-identifier-naming.EnumCase: CamelCase
-#   readability-identifier-naming.EnumConstantCase: CamelCase
-#   readability-identifier-naming.ScopedEnumConstantCase: CamelCase
-#   readability-identifier-naming.GlobalConstantCase: UPPER_CASE
-#   readability-identifier-naming.GlobalConstantPrefix: "k"
-#   readability-identifier-naming.GlobalVariableCase: CamelCase
-#   readability-identifier-naming.GlobalVariablePrefix: "g"
-#   readability-identifier-naming.ConstexprFunctionCase: camelBack
-#   readability-identifier-naming.ConstexprMethodCase: camelBack
-#   readability-identifier-naming.ClassMethodCase: camelBack
-#   readability-identifier-naming.ClassMemberCase: camelBack
-#   readability-identifier-naming.ClassConstantCase: UPPER_CASE
-#   readability-identifier-naming.ClassConstantPrefix: "k"
-#   readability-identifier-naming.StaticConstantCase: UPPER_CASE
-#   readability-identifier-naming.StaticConstantPrefix: "k"
-#   readability-identifier-naming.StaticVariableCase: UPPER_CASE
-#   readability-identifier-naming.StaticVariablePrefix: "k"
-#   readability-identifier-naming.ConstexprVariableCase: UPPER_CASE
-#   readability-identifier-naming.ConstexprVariablePrefix: "k"
-#   readability-identifier-naming.LocalConstantCase: camelBack
-#   readability-identifier-naming.LocalVariableCase: camelBack
-#   readability-identifier-naming.TemplateParameterCase: CamelCase
-#   readability-identifier-naming.ParameterCase: camelBack
-#   readability-identifier-naming.FunctionCase: camelBack
-#   readability-identifier-naming.MemberCase: camelBack
-#   readability-identifier-naming.PrivateMemberSuffix: _
-#   readability-identifier-naming.ProtectedMemberSuffix: _
-#   readability-identifier-naming.PublicMemberSuffix: ""
-#   readability-identifier-naming.FunctionIgnoredRegexp: ".*tag_invoke.*"
-#   bugprone-unsafe-functions.ReportMoreUnsafeFunctions: true
+CheckOptions:
+  #   readability-braces-around-statements.ShortStatementLines: 2
+  #   readability-identifier-naming.MacroDefinitionCase: UPPER_CASE
+  #   readability-identifier-naming.ClassCase: CamelCase
+  #   readability-identifier-naming.StructCase: CamelCase
+  #   readability-identifier-naming.UnionCase: CamelCase
+  #   readability-identifier-naming.EnumCase: CamelCase
+  #   readability-identifier-naming.EnumConstantCase: CamelCase
+  #   readability-identifier-naming.ScopedEnumConstantCase: CamelCase
+  #   readability-identifier-naming.GlobalConstantCase: UPPER_CASE
+  #   readability-identifier-naming.GlobalConstantPrefix: "k"
+  #   readability-identifier-naming.GlobalVariableCase: CamelCase
+  #   readability-identifier-naming.GlobalVariablePrefix: "g"
+  #   readability-identifier-naming.ConstexprFunctionCase: camelBack
+  #   readability-identifier-naming.ConstexprMethodCase: camelBack
+  #   readability-identifier-naming.ClassMethodCase: camelBack
+  #   readability-identifier-naming.ClassMemberCase: camelBack
+  #   readability-identifier-naming.ClassConstantCase: UPPER_CASE
+  #   readability-identifier-naming.ClassConstantPrefix: "k"
+  #   readability-identifier-naming.StaticConstantCase: UPPER_CASE
+  #   readability-identifier-naming.StaticConstantPrefix: "k"
+  #   readability-identifier-naming.StaticVariableCase: UPPER_CASE
+  #   readability-identifier-naming.StaticVariablePrefix: "k"
+  #   readability-identifier-naming.ConstexprVariableCase: UPPER_CASE
+  #   readability-identifier-naming.ConstexprVariablePrefix: "k"
+  #   readability-identifier-naming.LocalConstantCase: camelBack
+  #   readability-identifier-naming.LocalVariableCase: camelBack
+  #   readability-identifier-naming.TemplateParameterCase: CamelCase
+  #   readability-identifier-naming.ParameterCase: camelBack
+  #   readability-identifier-naming.FunctionCase: camelBack
+  #   readability-identifier-naming.MemberCase: camelBack
+  #   readability-identifier-naming.PrivateMemberSuffix: _
+  #   readability-identifier-naming.ProtectedMemberSuffix: _
+  #   readability-identifier-naming.PublicMemberSuffix: ""
+  #   readability-identifier-naming.FunctionIgnoredRegexp: ".*tag_invoke.*"
+  bugprone-unsafe-functions.ReportMoreUnsafeFunctions: true
 #   bugprone-unused-return-value.CheckedReturnTypes: ::std::error_code;::std::error_condition;::std::errc
 #   misc-include-cleaner.IgnoreHeaders: '.*/(detail|impl)/.*;.*(expected|unexpected).*;.*ranges_lower_bound\.h;time.h;stdlib.h;__chrono/.*;fmt/chrono.h;boost/uuid/uuid_hash.hpp'
 #

.github/scripts/strategy-matrix/generate.py

@@ -236,23 +236,21 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
         # names get truncated.
         # Add Address and Thread (both coupled with UB) sanitizers for specific bookworm distros.
         # GCC-Asan rippled-embedded tests are failing because of https://github.com/google/sanitizers/issues/856
-        if os[
-            "distro_version"
-        ] == "bookworm" and f"{os['compiler_name']}-{os['compiler_version']}" in [
-            "clang-20",
-            "gcc-13",
-        ]:
+        if (
+            os["distro_version"] == "bookworm"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "clang-20"
+        ):
             # Add ASAN + UBSAN configuration.
             configurations.append(
                 {
-                    "config_name": config_name + "-asan",
+                    "config_name": config_name + "-asan-ubsan",
                     "cmake_args": cmake_args,
                     "cmake_target": cmake_target,
                     "build_only": build_only,
                     "build_type": build_type,
                     "os": os,
                     "architecture": architecture,
-                    "sanitizers": "address",
+                    "sanitizers": "address,undefinedbehavior",
                 }
             )
             # TSAN is deactivated due to seg faults with latest compilers.

.github/workflows/on-pr.yml

@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Determine changed files
         # This step checks whether any files have changed that should
         # cause the next jobs to run. We do it this way rather than
@@ -46,7 +46,7 @@ jobs:
         # that Github considers any skipped jobs to have passed, and in
         # turn the required checks as well.
         id: changes
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             # These paths are unique to `on-pr.yml`.

.github/workflows/pre-commit.yml

@@ -14,4 +14,4 @@ jobs:
     uses: XRPLF/actions/.github/workflows/pre-commit.yml@320be44621ca2a080f05aeb15817c44b84518108
     with:
       runs_on: ubuntu-latest
-      container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit:sha-ab4d1f0" }'
+      container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit:sha-41ec7c1" }'

.github/workflows/publish-docs.yml

@@ -4,6 +4,18 @@ name: Build and publish documentation
 
 on:
   push:
+    branches:
+      - "develop"
+      - "release*"
+    paths:
+      - ".github/workflows/publish-docs.yml"
+      - "*.md"
+      - "**/*.md"
+      - "docs/**"
+      - "include/**"
+      - "src/libxrpl/**"
+      - "src/xrpld/**"
+  pull_request:
     paths:
       - ".github/workflows/publish-docs.yml"
       - "*.md"
@@ -23,7 +35,9 @@ defaults:
 
 env:
   BUILD_DIR: build
-  NPROC_SUBTRACT: 2
+  # ubuntu-latest has only 2 CPUs for private repositories
+  # https://docs.github.com/en/actions/reference/runners/github-hosted-runners#standard-github-hosted-runners-for--private-repositories
+  NPROC_SUBTRACT: ${{ github.event.repository.private && '1' || '2' }}
 
 jobs:
   publish:
@@ -33,7 +47,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Get number of processors
         uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
@@ -65,7 +79,7 @@ jobs:
           cmake --build . --target docs --parallel ${BUILD_NPROC}
 
       - name: Publish documentation
-        if: ${{ github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch }}
+        if: ${{ github.event_name == 'push' }}
         uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/reusable-build-test-config.yml

@@ -76,8 +76,7 @@ jobs:
     name: ${{ inputs.config_name }}
     runs-on: ${{ fromJSON(inputs.runs_on) }}
     container: ${{ inputs.image != '' && inputs.image || null }}
-    # Sanitizer builds on GCC are taking longer than 60mins. Hence increasing the timeout to 90mins.
-    timeout-minutes: ${{ inputs.sanitizers != '' && 360 || 60 }}
+    timeout-minutes: 60
     env:
       # Use a namespace to keep the objects separate for each configuration.
       CCACHE_NAMESPACE: ${{ inputs.config_name }}
@@ -102,10 +101,10 @@ jobs:
     steps:
       - name: Cleanup workspace (macOS and Windows)
         if: ${{ runner.os == 'macOS' || runner.os == 'Windows' }}
-        uses: XRPLF/actions/cleanup-workspace@cf0433aa74563aead044a1e395610c96d65a37cf
+        uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4
 
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Prepare runner
         uses: XRPLF/actions/prepare-runner@2cbf481018d930656e9276fcc20dc0e3a0be5b6d
@@ -178,7 +177,7 @@ jobs:
 
       - name: Upload the binary (Linux)
         if: ${{ github.repository_owner == 'XRPLF' && runner.os == 'Linux' }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: xrpld-${{ inputs.config_name }}
           path: ${{ env.BUILD_DIR }}/xrpld
@@ -206,22 +205,14 @@ jobs:
       - name: Set sanitizer options
         if: ${{ !inputs.build_only && env.SANITIZERS_ENABLED == 'true' }}
         run: |
-          ASAN_OPTS="include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-asan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/asan.supp"
-          if [[ "${{ inputs.config_name }}" == *gcc* ]]; then
-            ASAN_OPTS="${ASAN_OPTS}:alloc_dealloc_mismatch=0"
-          fi
-          echo "ASAN_OPTIONS=${ASAN_OPTS}" >> ${GITHUB_ENV}
-          echo "TSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-tsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/tsan.supp" >> ${GITHUB_ENV}
-          echo "UBSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-ubsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/ubsan.supp" >> ${GITHUB_ENV}
-          echo "LSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-lsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/lsan.supp" >> ${GITHUB_ENV}
+          echo "ASAN_OPTIONS=print_stacktrace=1:detect_container_overflow=0:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/asan.supp" >> ${GITHUB_ENV}
+          echo "TSAN_OPTIONS=second_deadlock_stack=1:halt_on_error=0:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/tsan.supp" >> ${GITHUB_ENV}
+          echo "UBSAN_OPTIONS=suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/ubsan.supp" >> ${GITHUB_ENV}
+          echo "LSAN_OPTIONS=suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/lsan.supp" >> ${GITHUB_ENV}
 
       - name: Run the separate tests
-        # We continue on error here because we want to try the Embedded tests before
-        # failing. This will give us details on all the failures at once.
-        continue-on-error: true
         if: ${{ !inputs.build_only }}
         working-directory: ${{ env.BUILD_DIR }}
-        id: separate_tests
         # Windows locks some of the build files while running tests, and parallel jobs can collide
         env:
           BUILD_TYPE: ${{ inputs.build_type }}
@@ -237,15 +228,22 @@ jobs:
         working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
         env:
           BUILD_NPROC: ${{ steps.nproc.outputs.nproc }}
-          PARALLELISM: ${{ env.SANITIZERS_ENABLED == 'true' && steps.nproc.outputs.nproc || steps.nproc.outputs.nproc }}
         run: |
-          ./xrpld --unittest --unittest-jobs "${PARALLELISM}"
+          set -o pipefail
+          ./xrpld --unittest --unittest-jobs "${BUILD_NPROC}" 2>&1 | tee unittest.log
 
-        # Pipeline should fail if the separate tests failed.
-      - name: Check results of the SeparateTests
-        if: ${{ !inputs.build_only && steps.separate_tests.outcome == 'failure' }}
-        run: exit 1
+      - name: Show test failure summary
+        if: ${{ failure() && !inputs.build_only }}
+        working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
+        run: |
+          if [ ! -f unittest.log ]; then
+            echo "unittest.log not found; embedded tests may not have run."
+            exit 0
+          fi
 
+          if ! grep -E "failed" unittest.log; then
+            echo "Log present but no failure lines found in unittest.log."
+          fi
       - name: Debug failure (Linux)
         if: ${{ failure() && runner.os == 'Linux' && !inputs.build_only }}
         run: |
@@ -269,7 +267,7 @@ jobs:
 
       - name: Upload coverage report
         if: ${{ github.repository_owner == 'XRPLF' && !inputs.build_only && env.COVERAGE_ENABLED == 'true' }}
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           disable_search: true
           disable_telem: true

.github/workflows/reusable-check-levelization.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check levelization
         run: .github/scripts/levelization/generate.sh
       - name: Check for differences

.github/workflows/reusable-check-rename.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check definitions
         run: .github/scripts/rename/definitions.sh .
       - name: Check copyright notices

.github/workflows/reusable-clang-tidy-files.yml

@@ -32,7 +32,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Prepare runner
         uses: XRPLF/actions/prepare-runner@2cbf481018d930656e9276fcc20dc0e3a0be5b6d
@@ -78,13 +78,13 @@ jobs:
         id: run_clang_tidy
         continue-on-error: true
         env:
-          FILES: ${{ inputs.files }}
+          TARGETS: ${{ inputs.files != '' && inputs.files || 'src tests' }}
         run: |
-          run-clang-tidy -j ${{ steps.nproc.outputs.nproc }} -p "$BUILD_DIR" $FILES 2>&1 | tee clang-tidy-output.txt
+          run-clang-tidy -j ${{ steps.nproc.outputs.nproc }} -p "${BUILD_DIR}" ${TARGETS} 2>&1 | tee clang-tidy-output.txt
 
       - name: Upload clang-tidy output
         if: steps.run_clang_tidy.outcome != 'success'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: clang-tidy-results
           path: clang-tidy-output.txt

.github/workflows/reusable-clang-tidy.yml

@@ -22,7 +22,8 @@ jobs:
     if: ${{ inputs.check_only_changed }}
     runs-on: ubuntu-latest
     outputs:
-      any_changed: ${{ steps.changed_files.outputs.any_changed }}
+      clang_tidy_config_changed: ${{ steps.changed_clang_tidy.outputs.any_changed }}
+      any_cpp_changed: ${{ steps.changed_files.outputs.any_changed }}
       all_changed_files: ${{ steps.changed_files.outputs.all_changed_files }}
     steps:
       - name: Checkout repository
@@ -30,7 +31,7 @@ jobs:
 
       - name: Get changed C++ files
         id: changed_files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files: |
             **/*.cpp
@@ -38,10 +39,17 @@ jobs:
             **/*.ipp
           separator: " "
 
+      - name: Get changed clang-tidy configuration
+        id: changed_clang_tidy
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        with:
+          files: |
+            .clang-tidy
+
   run-clang-tidy:
     needs: [determine-files]
-    if: ${{ always() && !cancelled() && (!inputs.check_only_changed || needs.determine-files.outputs.any_changed == 'true') }}
+    if: ${{ always() && !cancelled() && (!inputs.check_only_changed || needs.determine-files.outputs.any_cpp_changed == 'true' || needs.determine-files.outputs.clang_tidy_config_changed == 'true') }}
     uses: ./.github/workflows/reusable-clang-tidy-files.yml
     with:
-      files: ${{ inputs.check_only_changed && needs.determine-files.outputs.all_changed_files || '' }}
+      files: ${{ (needs.determine-files.outputs.clang_tidy_config_changed == 'true' && '') || (inputs.check_only_changed && needs.determine-files.outputs.all_changed_files || '') }}
       create_issue_on_failure: ${{ inputs.create_issue_on_failure }}

.github/workflows/reusable-strategy-matrix.yml

@@ -29,10 +29,10 @@ jobs:
       matrix: ${{ steps.generate.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.13
 

.github/workflows/reusable-upload-recipe.yml

@@ -43,7 +43,7 @@ jobs:
     container: ghcr.io/xrplf/ci/ubuntu-noble:gcc-13-sha-5dd7158
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Generate build version number
         id: version

.github/workflows/upload-conan-deps.yml

@@ -64,10 +64,10 @@ jobs:
     steps:
       - name: Cleanup workspace (macOS and Windows)
         if: ${{ runner.os == 'macOS' || runner.os == 'Windows' }}
-        uses: XRPLF/actions/cleanup-workspace@cf0433aa74563aead044a1e395610c96d65a37cf
+        uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4
 
       - name: Checkout repository
-        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Prepare runner
         uses: XRPLF/actions/prepare-runner@2cbf481018d930656e9276fcc20dc0e3a0be5b6d

.gitignore

@@ -42,6 +42,9 @@ gmon.out
 # Locally patched Conan recipes
 external/conan-center-index/
 
+# Local conan directory
+.conan
+
 # XCode IDE.
 *.pbxuser
 !default.pbxuser
@@ -72,5 +75,8 @@ DerivedData
 /.claude
 /CLAUDE.md
 
+# Direnv's directory
+/.direnv
+
 # clangd cache
 /.cache

.pre-commit-config.yaml

@@ -57,6 +57,16 @@ repos:
           - .git/COMMIT_EDITMSG
         stages: [commit-msg]
 
+  - repo: local
+    hooks:
+      - id: nix-fmt
+        name: Format Nix files
+        entry: nix --extra-experimental-features 'nix-command flakes' fmt
+        language: system
+        types:
+          - nix
+        pass_filenames: true
+
 exclude: |
   (?x)^(
       external/.*|

CONTRIBUTING.md

@@ -251,6 +251,29 @@ pip3 install pre-commit
 pre-commit install
 ```
 
+## Clang-tidy
+
+All code must pass `clang-tidy` checks according to the settings in [`.clang-tidy`](./.clang-tidy).
+
+There is a Continuous Integration job that runs clang-tidy on pull requests. The CI will check:
+
+- All changed C++ files (`.cpp`, `.h`, `.ipp`) when only code files are modified
+- **All files in the repository** when the `.clang-tidy` configuration file is changed
+
+This ensures that configuration changes don't introduce new warnings across the codebase.
+
+### Running clang-tidy locally
+
+Before running clang-tidy, you must build the project to generate required files (particularly protobuf headers). Refer to [`BUILD.md`](./BUILD.md) for build instructions.
+
+Then run clang-tidy on your local changes:
+
+```
+run-clang-tidy -p build src tests
+```
+
+This will check all source files in the `src` and `tests` directories using the compile commands from your `build` directory.
+
 ## Contracts and instrumentation
 
 We are using [Antithesis](https://antithesis.com/) for continuous fuzzing,

cmake/XrplConfig.cmake

@@ -17,10 +17,12 @@ find_dependency(Boost
                 chrono
                 container
                 context
+                coroutine
                 date_time
                 filesystem
                 program_options
                 regex
+                system
                 thread)
 #[=========================================================[
   OpenSSL

cmake/XrplInterface.cmake

@@ -22,7 +22,7 @@ target_compile_definitions(
               BOOST_FILESYSTEM_NO_DEPRECATED
               >
               $<$<NOT:$<BOOL:${boost_show_deprecated}>>:
-              BOOST_COROUTINES2_NO_DEPRECATION_WARNING
+              BOOST_COROUTINES_NO_DEPRECATION_WARNING
               BOOST_BEAST_ALLOW_DEPRECATED
               BOOST_FILESYSTEM_DEPRECATED
               >

cmake/deps/Boost.cmake

@@ -4,12 +4,13 @@ include(XrplSanitizers)
 find_package(Boost REQUIRED
              COMPONENTS chrono
                         container
-                        context
+                        coroutine
                         date_time
                         filesystem
                         json
                         program_options
                         regex
+                        system
                         thread)
 
 add_library(xrpl_boost INTERFACE)
@@ -20,7 +21,7 @@ target_link_libraries(
     INTERFACE Boost::headers
               Boost::chrono
               Boost::container
-              Boost::context
+              Boost::coroutine
               Boost::date_time
               Boost::filesystem
               Boost::json
@@ -31,26 +32,6 @@ target_link_libraries(
 if (Boost_COMPILER)
     target_link_libraries(xrpl_boost INTERFACE Boost::disable_autolinking)
 endif ()
-
-# GCC 14+ has a false positive -Wuninitialized warning in Boost.Coroutine2's
-# state.hpp when compiled with -O3. This is due to GCC's intentional behavior
-# change (Bug #98871, #119388) where warnings from inlined system header code
-# are no longer suppressed by -isystem. The warning occurs in operator|= in
-# boost/coroutine2/detail/state.hpp when inlined from push_control_block::destroy().
-# See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119388
-if (is_gcc AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 14)
-    target_compile_options(xrpl_boost INTERFACE -Wno-uninitialized)
-endif ()
-
-# Boost.Context's ucontext backend has ASAN fiber-switching annotations
-# (start/finish_switch_fiber) that are compiled in when BOOST_USE_ASAN is defined.
-# This tells ASAN about coroutine stack switches, preventing false positive
-# stack-use-after-scope errors. BOOST_USE_UCONTEXT ensures the ucontext backend
-# is selected (fcontext does not support ASAN annotations).
-# These defines must match what Boost was compiled with (see conan/profiles/sanitizers).
-if (enable_asan)
-    target_compile_definitions(xrpl_boost INTERFACE BOOST_USE_ASAN BOOST_USE_UCONTEXT)
-endif ()
 if (SANITIZERS_ENABLED AND is_clang)
     # TODO: gcc does not support -fsanitize-blacklist...can we do something else for gcc ?
     if (NOT Boost_INCLUDE_DIRS AND TARGET Boost::headers)

conan/profiles/sanitizers

@@ -7,21 +7,16 @@ include(default)
     {% if compiler == "gcc" %}
         {% if "address" in sanitizers or "thread" in sanitizers or "undefinedbehavior" in sanitizers %}
             {% set sanitizer_list = [] %}
-            {% set defines = [] %}
             {% set model_code = "" %}
             {% set extra_cxxflags = ["-fno-omit-frame-pointer", "-O1", "-Wno-stringop-overflow"] %}
 
             {% if "address" in sanitizers %}
                 {% set _ = sanitizer_list.append("address") %}
                 {% set model_code = "-mcmodel=large" %}
-                {% set _ = defines.append("BOOST_USE_ASAN")%}
-                {% set _ = defines.append("BOOST_USE_UCONTEXT")%}
             {% elif "thread" in sanitizers %}
                 {% set _ = sanitizer_list.append("thread") %}
                 {% set model_code = "-mcmodel=medium" %}
                 {% set _ = extra_cxxflags.append("-Wno-tsan") %}
-                {% set _ = defines.append("BOOST_USE_TSAN")%}
-                {% set _ = defines.append("BOOST_USE_UCONTEXT")%}
             {% endif %}
 
             {% if "undefinedbehavior" in sanitizers %}
@@ -34,22 +29,16 @@ include(default)
             tools.build:cxxflags+=['{{sanitizer_flags}} {{" ".join(extra_cxxflags)}}']
             tools.build:sharedlinkflags+=['{{sanitizer_flags}}']
             tools.build:exelinkflags+=['{{sanitizer_flags}}']
-            tools.build:defines+={{defines}}
         {% endif %}
     {% elif compiler == "apple-clang" or compiler == "clang" %}
         {% if "address" in sanitizers or "thread" in sanitizers or "undefinedbehavior" in sanitizers %}
             {% set sanitizer_list = [] %}
-            {% set defines = [] %}
             {% set extra_cxxflags = ["-fno-omit-frame-pointer", "-O1"] %}
 
             {% if "address" in sanitizers %}
                 {% set _ = sanitizer_list.append("address") %}
-                {% set _ = defines.append("BOOST_USE_ASAN")%}
-                {% set _ = defines.append("BOOST_USE_UCONTEXT")%}
             {% elif "thread" in sanitizers %}
                 {% set _ = sanitizer_list.append("thread") %}
-                {% set _ = defines.append("BOOST_USE_TSAN")%}
-                {% set _ = defines.append("BOOST_USE_UCONTEXT")%}
             {% endif %}
 
             {% if "undefinedbehavior" in sanitizers %}
@@ -63,24 +52,8 @@ include(default)
             tools.build:cxxflags+=['{{sanitizer_flags}} {{" ".join(extra_cxxflags)}}']
             tools.build:sharedlinkflags+=['{{sanitizer_flags}}']
             tools.build:exelinkflags+=['{{sanitizer_flags}}']
-            tools.build:defines+={{defines}}
         {% endif %}
     {% endif %}
 {% endif %}
 
-tools.info.package_id:confs+=["tools.build:cxxflags", "tools.build:exelinkflags", "tools.build:sharedlinkflags", "tools.build:defines"]
-
-[options]
-{% if sanitizers %}
-    {% if "address" in sanitizers %}
-        # Build Boost.Context with ucontext backend (not fcontext) so that
-        # ASAN fiber-switching annotations (__sanitizer_start/finish_switch_fiber)
-        # are compiled into the library. fcontext (assembly) has no ASAN support.
-        # define=BOOST_USE_ASAN=1 is critical: it must be defined when building
-        # Boost.Context itself so the ucontext backend compiles in the ASAN annotations.
-        boost/*:extra_b2_flags=context-impl=ucontext address-sanitizer=on define=BOOST_USE_ASAN=1
-        boost/*:without_context=False
-        # Boost stacktrace fails to build with some sanitizers
-        boost/*:without_stacktrace=True
-    {% endif %}
-{% endif %}
+tools.info.package_id:confs+=["tools.build:cxxflags", "tools.build:exelinkflags", "tools.build:sharedlinkflags"]

conanfile.py

@@ -1,5 +1,4 @@
 import re
-import os
 
 from conan.tools.cmake import CMake, CMakeToolchain, cmake_layout
 
@@ -58,9 +57,6 @@ class Xrpl(ConanFile):
         "tests": False,
         "unity": False,
         "xrpld": False,
-        "boost/*:without_context": False,
-        "boost/*:without_coroutine": True,
-        "boost/*:without_coroutine2": False,
         "date/*:header_only": True,
         "ed25519/*:shared": False,
         "grpc/*:shared": False,
@@ -129,14 +125,6 @@ class Xrpl(ConanFile):
             self.options["boost"].visibility = "global"
         if self.settings.compiler in ["clang", "gcc"]:
             self.options["boost"].without_cobalt = True
-        self.options["boost"].without_context = False
-        self.options["boost"].without_coroutine = True
-        self.options["boost"].without_coroutine2 = False
-        # Check if environment variable exists
-        if "SANITIZERS" in os.environ:
-            sanitizers = os.environ["SANITIZERS"]
-            if "address" in sanitizers.lower():
-                self.default_options["fPIC"] = False
 
     def requirements(self):
         # Conan 2 requires transitive headers to be specified
@@ -208,8 +196,7 @@ class Xrpl(ConanFile):
             "boost::headers",
             "boost::chrono",
             "boost::container",
-            "boost::context",
-            "boost::coroutine2",
+            "boost::coroutine",
             "boost::date_time",
             "boost::filesystem",
             "boost::json",

cspell.config.yaml

@@ -99,10 +99,8 @@ words:
   - endmacro
   - exceptioned
   - Falco
-  - fcontext
   - finalizers
   - firewalled
-  - flackiness
   - fmtdur
   - fsanitize
   - funclets
@@ -113,7 +111,6 @@ words:
   - gpgcheck
   - gpgkey
   - hotwallet
-  - hwaddress
   - hwrap
   - ifndef
   - inequation
@@ -176,8 +173,10 @@ words:
   - nftokens
   - nftpage
   - nikb
+  - nixfmt
+  - nixos
+  - nixpkgs
   - nonxrp
-  - norecover
   - noripple
   - nudb
   - nullptr
@@ -237,7 +236,6 @@ words:
   - soci
   - socidb
   - sslws
-  - stackful
   - statsd
   - STATSDCOLLECTOR
   - stissue

docs/build/environment.md

@@ -3,6 +3,8 @@ environment complete with Git, Python, Conan, CMake, and a C++ compiler.
 This document exists to help readers set one up on any of the Big Three
 platforms: Linux, macOS, or Windows.
 
+As an alternative to system packages, the Nix development shell can be used to provide a development environment. See [using nix development shell](./nix.md) for more details.
+
 [BUILD.md]: ../../BUILD.md
 
 ## Linux

docs/build/nix.md

@@ -0,0 +1,95 @@
+# Using Nix Development Shell for xrpld Development
+
+This guide explains how to use Nix to set up a reproducible development environment for xrpld. Using Nix eliminates the need to manually install utilities and ensures consistent tooling across different machines.
+
+## Benefits of Using Nix
+
+- **Reproducible environment**: Everyone gets the same versions of tools and compilers
+- **No system pollution**: Dependencies are isolated and don't affect your system packages
+- **Multiple compiler versions**: Easily switch between different GCC and Clang versions
+- **Quick setup**: Get started with a single command
+- **Works on Linux and macOS**: Consistent experience across platforms
+
+## Install Nix
+
+Please follow [the official installation instructions of nix package manager](https://nixos.org/download/) for your system.
+
+## Entering the Development Shell
+
+### Basic Usage
+
+From the root of the xrpld repository, enter the default development shell:
+
+```bash
+nix --experimental-features 'nix-command flakes' develop
+```
+
+This will:
+
+- Download and set up all required development tools (CMake, Ninja, Conan, etc.)
+- Configure the appropriate compiler for your platform:
+  - **macOS**: Apple Clang (default system compiler)
+  - **Linux**: GCC 15
+
+The first time you run this command, it will take a few minutes to download and build the environment. Subsequent runs will be much faster.
+
+> [!TIP]
+> To avoid typing `--experimental-features 'nix-command flakes'` every time, you can permanently enable flakes by creating `~/.config/nix/nix.conf`:
+>
+> ```bash
+> mkdir -p ~/.config/nix
+> echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+> ```
+>
+> After this, you can simply use `nix develop` instead.
+
+> [!NOTE]
+> The examples below assume you've enabled flakes in your config. If you haven't, add `--experimental-features 'nix-command flakes'` after each `nix` command.
+
+### Choosing a different compiler
+
+A compiler can be chosen by providing its name with the `.#` prefix, e.g. `nix develop .#gcc15`.
+Use `nix flake show` to see all the available development shells.
+
+Use `nix develop .#no_compiler` to use the compiler from your system.
+
+### Example Usage
+
+```bash
+# Use GCC 14
+nix develop .#gcc14
+
+# Use Clang 19
+nix develop .#clang19
+
+# Use default for your platform
+nix develop
+```
+
+### Using a different shell
+
+`nix develop` opens bash by default. If you want to use another shell this could be done by adding `-c` flag. For example:
+
+```bash
+nix develop -c zsh
+```
+
+## Building xrpld with Nix
+
+Once inside the Nix development shell, follow the standard [build instructions](../../BUILD.md#steps). The Nix shell provides all necessary tools (CMake, Ninja, Conan, etc.).
+
+## Automatic Activation with direnv
+
+[direnv](https://direnv.net/) or [nix-direnv](https://github.com/nix-community/nix-direnv) can automatically activate the Nix development shell when you enter the repository directory.
+
+## Conan and Prebuilt Packages
+
+Please note that there is no guarantee that binaries from conan cache will work when using nix. If you encounter any errors, please use `--build '*'` to force conan to compile everything from source:
+
+```bash
+conan install .. --output-folder . --build '*' --settings build_type=Release
+```
+
+## Updating `flake.lock` file
+
+To update `flake.lock` to the latest revision use `nix flake update` command.

docs/build/sanitizers.md

@@ -89,8 +89,8 @@ cmake --build . --parallel 4
 **IMPORTANT**: ASAN with Boost produces many false positives. Use these options:
 
 ```bash
-export ASAN_OPTIONS="include=sanitizers/suppressions/runtime-asan-options.txt:suppressions=sanitizers/suppressions/asan.supp"
-export LSAN_OPTIONS="include=sanitizers/suppressions/runtime-lsan-options.txt:suppressions=sanitizers/suppressions/lsan.supp"
+export ASAN_OPTIONS="print_stacktrace=1:detect_container_overflow=0:suppressions=path/to/asan.supp:halt_on_error=0:log_path=asan.log"
+export LSAN_OPTIONS="suppressions=path/to/lsan.supp:halt_on_error=0:log_path=lsan.log"
 
 # Run tests
 ./xrpld --unittest --unittest-jobs=5
@@ -108,7 +108,7 @@ export LSAN_OPTIONS="include=sanitizers/suppressions/runtime-lsan-options.txt:su
 ### ThreadSanitizer (TSan)
 
 ```bash
-export TSAN_OPTIONS="include=sanitizers/suppressions/runtime-tsan-options.txt:suppressions=sanitizers/suppressions/tsan.supp"
+export TSAN_OPTIONS="suppressions=path/to/tsan.supp halt_on_error=0 log_path=tsan.log"
 
 # Run tests
 ./xrpld --unittest --unittest-jobs=5
@@ -129,7 +129,7 @@ More details [here](https://github.com/google/sanitizers/wiki/AddressSanitizerLe
 ### UndefinedBehaviorSanitizer (UBSan)
 
 ```bash
-export UBSAN_OPTIONS="include=sanitizers/suppressions/runtime-ubsan-options.txt:suppressions=sanitizers/suppressions/ubsan.supp"
+export UBSAN_OPTIONS="suppressions=path/to/ubsan.supp:print_stacktrace=1:halt_on_error=0:log_path=ubsan.log"
 
 # Run tests
 ./xrpld --unittest --unittest-jobs=5

flake.lock

@@ -0,0 +1,26 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1769461804,
+        "narHash": "sha256-6h5sROT/3CTHvzPy9koKBmoCa2eJKh4fzQK8eYFEgl8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b579d443b37c9c5373044201ea77604e37e748c8",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,16 @@
+{
+  description = "Nix related things for xrpld";
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+  };
+
+  outputs =
+    { nixpkgs, ... }:
+    let
+      forEachSystem = (import ./nix/utils.nix { inherit nixpkgs; }).forEachSystem;
+    in
+    {
+      devShells = forEachSystem (import ./nix/devshell.nix);
+      formatter = forEachSystem ({ pkgs, ... }: pkgs.nixfmt);
+    };
+}

include/xrpl/basics/MallocTrim.h

@@ -0,0 +1,73 @@
+#pragma once
+
+#include <xrpl/beast/utility/Journal.h>
+
+#include <chrono>
+#include <cstdint>
+#include <string_view>
+
+namespace xrpl {
+
+// cSpell:ignore ptmalloc
+
+// -----------------------------------------------------------------------------
+// Allocator interaction note:
+// - This facility invokes glibc's malloc_trim(0) on Linux/glibc to request that
+//   ptmalloc return free heap pages to the OS.
+// - If an alternative allocator (e.g. jemalloc or tcmalloc) is linked or
+//   preloaded (LD_PRELOAD), calling glibc's malloc_trim typically has no effect
+//   on the *active* heap. The call is harmless but may not reclaim memory
+//   because those allocators manage their own arenas.
+// - Only glibc sbrk/arena space is eligible for trimming; large mmap-backed
+//   allocations are usually returned to the OS on free regardless of trimming.
+// - Call at known reclamation points (e.g., after cache sweeps / online delete)
+//   and consider rate limiting to avoid churn.
+// -----------------------------------------------------------------------------
+
+struct MallocTrimReport
+{
+    bool supported{false};
+    int trimResult{-1};
+    std::int64_t rssBeforeKB{-1};
+    std::int64_t rssAfterKB{-1};
+    std::chrono::microseconds durationUs{-1};
+    std::int64_t minfltDelta{-1};
+    std::int64_t majfltDelta{-1};
+
+    [[nodiscard]] std::int64_t
+    deltaKB() const noexcept
+    {
+        if (rssBeforeKB < 0 || rssAfterKB < 0)
+            return 0;
+        return rssAfterKB - rssBeforeKB;
+    }
+};
+
+/**
+ * @brief Attempt to return freed memory to the operating system.
+ *
+ * On Linux with glibc malloc, this issues ::malloc_trim(0), which may release
+ * free space from ptmalloc arenas back to the kernel. On other platforms, or if
+ * a different allocator is in use, this function is a no-op and the report will
+ * indicate that trimming is unsupported or had no effect.
+ *
+ * @param tag     Identifier for logging/debugging purposes.
+ * @param journal Journal for diagnostic logging.
+ * @return Report containing before/after metrics and the trim result.
+ *
+ * @note If an alternative allocator (jemalloc/tcmalloc) is linked or preloaded,
+ *       calling glibc's malloc_trim may have no effect on the active heap. The
+ *       call is harmless but typically does not reclaim memory under those
+ *       allocators.
+ *
+ * @note Only memory served from glibc's sbrk/arena heaps is eligible for trim.
+ *       Large allocations satisfied via mmap are usually returned on free
+ *       independently of trimming.
+ *
+ * @note Intended for use after operations that free significant memory (e.g.,
+ *       cache sweeps, ledger cleanup, online delete). Consider rate limiting.
+ */
+MallocTrimReport
+mallocTrim(std::string_view tag, beast::Journal journal);
+
+}  // namespace xrpl

include/xrpl/basics/base_uint.h

@@ -359,7 +359,6 @@ public:
     base_uint&
     operator&=(base_uint const& b)
     {
-        XRPL_ASSERT(WIDTH == b.WIDTH, "input size mismatch");
         for (int i = 0; i < WIDTH; i++)
             data_[i] &= b.data_[i];
 

include/xrpl/basics/contract.h

@@ -1,6 +1,5 @@
 #pragma once
 
-#include <xrpl/basics/sanitizers.h>
 #include <xrpl/beast/type_name.h>
 
 #include <exception>
@@ -25,7 +24,7 @@ LogThrow(std::string const& title);
     control to the next matching exception handler, if any.
     Otherwise, std::terminate will be called.
 */
-[[noreturn]] XRPL_NO_SANITIZE_ADDRESS inline void
+[[noreturn]] inline void
 Rethrow()
 {
     LogThrow("Re-throwing exception");
@@ -33,7 +32,7 @@ Rethrow()
 }
 
 template <class E, class... Args>
-[[noreturn]] XRPL_NO_SANITIZE_ADDRESS inline void
+[[noreturn]] inline void
 Throw(Args&&... args)
 {
     static_assert(

include/xrpl/basics/sanitizers.h

@@ -1,6 +0,0 @@
-// Helper to disable ASan/HwASan for specific functions
-#if defined(__GNUC__) || defined(__clang__)
-#define XRPL_NO_SANITIZE_ADDRESS __attribute__((no_sanitize("address", "hwaddress")))
-#else
-#define XRPL_NO_SANITIZE_ADDRESS
-#endif

include/xrpl/core/Coro.ipp

@@ -1,5 +1,7 @@
 #pragma once
 
+#include <xrpl/basics/ByteUtilities.h>
+
 namespace xrpl {
 
 template <class F>
@@ -8,15 +10,17 @@ JobQueue::Coro::Coro(Coro_create_t, JobQueue& jq, JobType type, std::string cons
     , type_(type)
     , name_(name)
     , running_(false)
-    , coro_([this, fn = std::forward<F>(f)](
-                boost::coroutines2::asymmetric_coroutine<void>::push_type& do_yield) {
-        yield_ = &do_yield;
-        yield();
-        fn(shared_from_this());
+    , coro_(
+          [this, fn = std::forward<F>(f)](
+              boost::coroutines::asymmetric_coroutine<void>::push_type& do_yield) {
+              yield_ = &do_yield;
+              yield();
+              fn(shared_from_this());
 #ifndef NDEBUG
-        finished_ = true;
+              finished_ = true;
 #endif
-    })
+          },
+          boost::coroutines::attributes(megabytes(1)))
 {
 }
 
@@ -76,7 +80,6 @@ JobQueue::Coro::resume()
     coro_();
     detail::getLocalValues().release();
     detail::getLocalValues().reset(saved);
-
     std::lock_guard lk(mutex_run_);
     running_ = false;
     cv_.notify_all();

include/xrpl/core/JobQueue.h

@@ -7,7 +7,7 @@
 #include <xrpl/core/detail/Workers.h>
 #include <xrpl/json/json_value.h>
 
-#include <boost/coroutine2/all.hpp>
+#include <boost/coroutine/all.hpp>
 
 #include <set>
 
@@ -48,8 +48,8 @@ public:
         std::mutex mutex_;
         std::mutex mutex_run_;
         std::condition_variable cv_;
-        boost::coroutines2::coroutine<void>::pull_type coro_;
-        boost::coroutines2::coroutine<void>::push_type* yield_;
+        boost::coroutines::asymmetric_coroutine<void>::pull_type coro_;
+        boost::coroutines::asymmetric_coroutine<void>::push_type* yield_;
 #ifndef NDEBUG
         bool finished_ = false;
 #endif

include/xrpl/ledger/detail/ApplyStateTable.h

@@ -64,11 +64,6 @@ public:
     std::shared_ptr<SLE const>
     read(ReadView const& base, Keylet const& k) const;
 
-    /** Check only local items without delegating to base.
-        Returns std::nullopt if key not found locally. */
-    std::optional<std::shared_ptr<SLE const>>
-    readLocal(Keylet const& k) const;
-
     std::shared_ptr<SLE>
     peek(ReadView const& base, Keylet const& k);
 

include/xrpl/net/HTTPClient.h

@@ -29,9 +29,6 @@ public:
         bool sslVerify,
         beast::Journal j);
 
-    static void
-    cleanupSSLContext();
-
     static void
     get(bool bSSL,
         boost::asio::io_context& io_context,

include/xrpl/nodestore/Backend.h

@@ -77,16 +77,16 @@ public:
         If the object is not found or an error is encountered, the
         result will indicate the condition.
         @note This will be called concurrently.
-        @param key A pointer to the key data.
+        @param hash The hash of the object.
         @param pObject [out] The created object if successful.
         @return The result of the operation.
     */
     virtual Status
-    fetch(void const* key, std::shared_ptr<NodeObject>* pObject) = 0;
+    fetch(uint256 const& hash, std::shared_ptr<NodeObject>* pObject) = 0;
 
     /** Fetch a batch synchronously. */
     virtual std::pair<std::vector<std::shared_ptr<NodeObject>>, Status>
-    fetchBatch(std::vector<uint256 const*> const& hashes) = 0;
+    fetchBatch(std::vector<uint256> const& hashes) = 0;
 
     /** Store a single object.
         Depending on the implementation this may happen immediately

include/xrpl/protocol/ErrorCodes.h

@@ -234,7 +234,7 @@ missing_field_error(std::string const& name)
 }
 
 inline Json::Value
-missing_field_error(Json::StaticString const& name)
+missing_field_error(Json::StaticString name)
 {
     return missing_field_error(std::string(name));
 }
@@ -252,7 +252,7 @@ object_field_error(std::string const& name)
 }
 
 inline Json::Value
-object_field_error(Json::StaticString const& name)
+object_field_error(Json::StaticString name)
 {
     return object_field_error(std::string(name));
 }
@@ -264,7 +264,7 @@ invalid_field_message(std::string const& name)
 }
 
 inline std::string
-invalid_field_message(Json::StaticString const& name)
+invalid_field_message(Json::StaticString name)
 {
     return invalid_field_message(std::string(name));
 }
@@ -276,7 +276,7 @@ invalid_field_error(std::string const& name)
 }
 
 inline Json::Value
-invalid_field_error(Json::StaticString const& name)
+invalid_field_error(Json::StaticString name)
 {
     return invalid_field_error(std::string(name));
 }
@@ -288,7 +288,7 @@ expected_field_message(std::string const& name, std::string const& type)
 }
 
 inline std::string
-expected_field_message(Json::StaticString const& name, std::string const& type)
+expected_field_message(Json::StaticString name, std::string const& type)
 {
     return expected_field_message(std::string(name), type);
 }
@@ -300,7 +300,7 @@ expected_field_error(std::string const& name, std::string const& type)
 }
 
 inline Json::Value
-expected_field_error(Json::StaticString const& name, std::string const& type)
+expected_field_error(Json::StaticString name, std::string const& type)
 {
     return expected_field_error(std::string(name), type);
 }

include/xrpl/protocol/detail/features.macro

@@ -15,9 +15,10 @@
 
 // Add new amendments to the top of this list.
 // Keep it sorted in reverse chronological order.
+
 XRPL_FIX   (PermissionedDomainInvariant, Supported::yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (ExpiredNFTokenOfferRemoval, Supported::yes, VoteBehavior::DefaultNo)
-XRPL_FIX    (BatchInnerSigs,             Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FIX    (BatchInnerSigs,             Supported::no, VoteBehavior::DefaultNo)
 XRPL_FEATURE(LendingProtocol,            Supported::yes, VoteBehavior::DefaultNo)
 XRPL_FEATURE(PermissionDelegationV1_1,   Supported::no,  VoteBehavior::DefaultNo)
 XRPL_FIX    (DirectoryLimit,             Supported::yes, VoteBehavior::DefaultNo)
@@ -31,7 +32,7 @@ XRPL_FEATURE(TokenEscrow,                Supported::yes, VoteBehavior::DefaultNo
 XRPL_FIX    (EnforceNFTokenTrustlineV2,  Supported::yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (AMMv1_3,                    Supported::yes, VoteBehavior::DefaultNo)
 XRPL_FEATURE(PermissionedDEX,            Supported::yes, VoteBehavior::DefaultNo)
-XRPL_FEATURE(Batch,                      Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(Batch,                      Supported::no,  VoteBehavior::DefaultNo)
 XRPL_FEATURE(SingleAssetVault,           Supported::yes,  VoteBehavior::DefaultNo)
 XRPL_FIX    (PayChanCancelAfter,         Supported::yes, VoteBehavior::DefaultNo)
 // Check flags in Credential transactions

include/xrpl/shamap/SHAMapNodeID.h

@@ -46,17 +46,6 @@ public:
         return id_;
     }
 
-    /**
-     * Get the SHAMapNodeID of a child node at the specified branch.
-     *
-     * @param m  The branch number (0-15) indicating which child to descend to.
-     *           In the SHAMap's 16-way radix tree, each inner node has up to
-     *           16 children, indexed by the corresponding nibble (4 bits) of
-     *           the key at the current depth.
-     * @return SHAMapNodeID of the child node at branch m.
-     * @throws std::logic_error if this node is at the maximum leaf depth (64)
-     *         or if the node's id doesn't match its depth mask.
-     */
     SHAMapNodeID
     getChildNodeID(unsigned int m) const;
 

nix/devshell.nix

@@ -0,0 +1,140 @@
+{ pkgs, ... }:
+let
+  commonPackages = with pkgs; [
+    ccache
+    cmake
+    conan
+    gcovr
+    git
+    gnumake
+    llvmPackages_21.clang-tools
+    ninja
+    perl # needed for openssl
+    pkg-config
+    pre-commit
+    python314
+  ];
+
+  # Supported compiler versions
+  gccVersion = pkgs.lib.range 13 15;
+  clangVersions = pkgs.lib.range 18 21;
+
+  defaultCompiler = if pkgs.stdenv.isDarwin then "apple-clang" else "gcc";
+  defaultGccVersion = pkgs.lib.last gccVersion;
+  defaultClangVersion = pkgs.lib.last clangVersions;
+
+  strToCompilerEnv =
+    compiler: version:
+    (
+      if compiler == "gcc" then
+        let
+          gccPkg = pkgs."gcc${toString version}Stdenv" or null;
+        in
+        if gccPkg != null && builtins.elem version gccVersion then
+          gccPkg
+        else
+          throw "Invalid GCC version: ${toString version}. Must be one of: ${toString gccVersion}"
+      else if compiler == "clang" then
+        let
+          clangPkg = pkgs."llvmPackages_${toString version}".stdenv or null;
+        in
+        if clangPkg != null && builtins.elem version clangVersions then
+          clangPkg
+        else
+          throw "Invalid Clang version: ${toString version}. Must be one of: ${toString clangVersions}"
+      else if compiler == "apple-clang" || compiler == "none" then
+        pkgs.stdenvNoCC
+      else
+        throw "Invalid compiler: ${compiler}. Must be one of: gcc, clang, apple-clang, none"
+    );
+
+  # Helper function to create a shell with a specific compiler
+  makeShell =
+    {
+      compiler ? defaultCompiler,
+      version ? (
+        if compiler == "gcc" then
+          defaultGccVersion
+        else if compiler == "clang" then
+          defaultClangVersion
+        else
+          null
+      ),
+    }:
+    let
+      compilerStdEnv = strToCompilerEnv compiler version;
+
+      compilerName =
+        if compiler == "apple-clang" then
+          "clang"
+        else if compiler == "none" then
+          null
+        else
+          compiler;
+
+      gccOnMacWarning =
+        if pkgs.stdenv.isDarwin && compiler == "gcc" then
+          ''
+            echo "WARNING: Using GCC on macOS with Conan may not work."
+            echo "         Consider using 'nix develop .#clang' or the default shell instead."
+            echo ""
+          ''
+        else
+          "";
+
+      compilerVersion =
+        if compilerName != null then
+          ''
+            echo "Compiler: "
+            ${compilerName} --version
+          ''
+        else
+          ''
+            echo "No compiler specified - using system compiler"
+          '';
+
+      shellAttrs = {
+        packages = commonPackages;
+
+        shellHook = ''
+          echo "Welcome to xrpld development shell";
+          ${gccOnMacWarning}${compilerVersion}
+        '';
+      };
+    in
+    pkgs.mkShell.override { stdenv = compilerStdEnv; } shellAttrs;
+
+  # Generate shells for each compiler version
+  gccShells = builtins.listToAttrs (
+    map (version: {
+      name = "gcc${toString version}";
+      value = makeShell {
+        compiler = "gcc";
+        version = version;
+      };
+    }) gccVersion
+  );
+
+  clangShells = builtins.listToAttrs (
+    map (version: {
+      name = "clang${toString version}";
+      value = makeShell {
+        compiler = "clang";
+        version = version;
+      };
+    }) clangVersions
+  );
+
+in
+gccShells
+// clangShells
+// {
+  # Default shells
+  default = makeShell { };
+  gcc = makeShell { compiler = "gcc"; };
+  clang = makeShell { compiler = "clang"; };
+
+  # No compiler
+  no-compiler = makeShell { compiler = "none"; };
+  apple-clang = makeShell { compiler = "apple-clang"; };
+}

nix/utils.nix

@@ -0,0 +1,19 @@
+{ nixpkgs }:
+{
+  forEachSystem =
+    function:
+    nixpkgs.lib.genAttrs
+      [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ]
+      (
+        system:
+        function {
+          inherit system;
+          pkgs = import nixpkgs { inherit system; };
+        }
+      );
+}

sanitizers/suppressions/asan.supp

@@ -1,29 +1,29 @@
-# The idea is to empty this file gradually by fixing the underlying issues and removing suppresions.
+# The idea is to empty this file gradually by fixing the underlying issues and removing suppressions.
 #
-# ASAN_OPTIONS="suppressions=sanitizers/suppressions/asan.supp:include=sanitizers/suppressions/runtime-asan-options.txt"
+# ASAN_OPTIONS="print_stacktrace=1:detect_container_overflow=0:suppressions=sanitizers/suppressions/asan.supp:halt_on_error=0"
 #
-# Boost coroutines cause multiple ASAN false positives due to swapcontext/fiber stack switching.
-# ASAN cannot correctly track stack memory across coroutine context switches, leading to:
-# - stack-use-after-return errors
-# - stack-use-after-scope errors
-# - stack-buffer-overflow errors in seemingly unrelated code (e.g., std::chrono::steady_clock::now())
-# - stack-buffer-underflow errors in seemingly unrelated code (e.g., xxhasher::retrieveHash(), clock_gettime)
-# - bad-free errors in boost::context::basic_fixedsize_stack::deallocate (ASan loses track of
-#   malloc allocations after fiber/context switches, reporting "free on address not malloc()-ed")
+# The detect_container_overflow=0 option disables false positives from:
+# - Boost intrusive containers (slist_iterator.hpp, hashtable.hpp, aged_unordered_container.h)
+# - Boost context/coroutine stack switching (Workers.cpp, thread.h)
 #
-# These are now handled by:
-# 1. Using Boost.Coroutine2 with the ucontext backend (BOOST_USE_ASAN + BOOST_USE_UCONTEXT)
-# 2. Runtime options in runtime-asan-options.txt:
-#    - alloc_dealloc_mismatch=0: Suppresses false "bad-free" errors from fiber stack deallocation, on GCC. For Clang we don't instrument boost
-#    - detect_stack_use_after_return=0: Prevents false positives from fake stack tracking
-#    - use_sigaltstack=0: Avoids conflicts with coroutine stack switching
-interceptor_via_fun:swapcontext
-interceptor_via_fun:makecontext
-interceptor_via_fun:boost::context::fiber::~fiber
-interceptor_name:boost/context/fiber_ucontext.hpp
-interceptor_name:boost/context/fixedsize_stack.hpp
-interceptor_name:Coro.ipp
+# See: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow
 
-interceptor_name:clock_gettime
+# Boost
+interceptor_name:boost/asio
+
+# Leaks in Doctest tests: xrpl.test.*
+interceptor_name:src/libxrpl/net/HTTPClient.cpp
+interceptor_name:src/libxrpl/net/RegisterSSLCerts.cpp
+interceptor_name:src/tests/libxrpl/net/HTTPClient.cpp
+interceptor_name:xrpl/net/AutoSocket.h
+interceptor_name:xrpl/net/HTTPClient.h
+interceptor_name:xrpl/net/HTTPClientSSLContext.h
+interceptor_name:xrpl/net/RegisterSSLCerts.h
+
+# Suppress false positive stack-buffer errors in thread stack allocation
+# Related to ASan's __asan_handle_no_return warnings (github.com/google/sanitizers/issues/189)
+# These occur during multi-threaded test initialization on macOS
+interceptor_name:memcpy
 interceptor_name:__bzero
-interceptor_name:nudb
+interceptor_name:__asan_memset
+interceptor_name:__asan_memcpy

sanitizers/suppressions/lsan.supp

@@ -1,13 +1,16 @@
 # The idea is to empty this file gradually by fixing the underlying issues and removing suppresions.
 
+# Suppress leaks detected by asan in rippled code.
+leak:src/libxrpl/net/HTTPClient.cpp
+leak:src/libxrpl/net/RegisterSSLCerts.cpp
+leak:src/tests/libxrpl/net/HTTPClient.cpp
+leak:xrpl/net/AutoSocket.h
+leak:xrpl/net/HTTPClient.h
+leak:xrpl/net/HTTPClientSSLContext.h
+leak:xrpl/net/RegisterSSLCerts.h
+leak:ripple::HTTPClient
+leak:ripple::HTTPClientImp
+
 # Suppress leaks detected by asan in boost code.
-# These are false positives from Boost.Asio SSL internals that use OpenSSL BIO structures.
-# The BIO structures are managed by OpenSSL's internal reference counting and freed at process exit.
-
-#leak:boost::asio
-#leak:boost/asio
-
-# OpenSSL BIO memory is managed internally and freed at process exit
-leak:CRYPTO_malloc
-leak:bio_make_pair
-leak:BIO_new_bio_pair
+leak:boost::asio
+leak:boost/asio

sanitizers/suppressions/runtime-asan-options.txt

@@ -1,5 +0,0 @@
-detect_container_overflow=0
-detect_stack_use_after_return=0
-halt_on_error=0
-print_summary=true
-use_sigaltstack=0

sanitizers/suppressions/runtime-lsan-options.txt

@@ -1 +0,0 @@
-halt_on_error=0

sanitizers/suppressions/runtime-tsan-options.txt

@@ -1,2 +0,0 @@
-halt_on_error=0
-second_deadlock_stack=1

sanitizers/suppressions/runtime-ubsan-options.txt

@@ -1 +0,0 @@
-halt_on_error=0

sanitizers/suppressions/sanitizer-ignorelist.txt

@@ -20,15 +20,10 @@ signal:test/beast/beast_PropertyStream_test.cpp
 signal:xrpld/core/detail/Workers.cpp
 signal:xrpld/core/JobQueue.cpp
 
-# src:beast/utility/beast_Journal.cpp
-# src:beast/utility/beast_PropertyStream.cpp
-# src:core/detail/Workers.cpp
-# src:core/JobQueue.cpp
-# src:libxrpl/beast/utility/beast_Journal.cpp
-# src:test/beast/beast_PropertyStream_test.cpp
-# src:src/test/app/Invariants_test.cpp
-
-# Boost coroutines cause false positive stack-buffer-underflow in xxhasher
-# This is a known ASAN limitation with stackful coroutines
-# See: https://github.com/google/sanitizers/issues/189
-src:beast/hash/xxhasher.h
+src:beast/utility/beast_Journal.cpp
+src:beast/utility/beast_PropertyStream.cpp
+src:core/detail/Workers.cpp
+src:core/JobQueue.cpp
+src:libxrpl/beast/utility/beast_Journal.cpp
+src:test/beast/beast_PropertyStream_test.cpp
+src:src/test/app/Invariants_test.cpp

sanitizers/suppressions/ubsan.supp

@@ -140,7 +140,6 @@ unsigned-integer-overflow:src/libxrpl/protocol/tokens.cpp
 unsigned-integer-overflow:src/libxrpl/shamap/SHAMap.cpp
 unsigned-integer-overflow:src/test/app/Batch_test.cpp
 unsigned-integer-overflow:src/test/app/Invariants_test.cpp
-unsigned-integer-overflow:src/test/app/Loan_test.cpp
 unsigned-integer-overflow:src/test/app/NFToken_test.cpp
 unsigned-integer-overflow:src/test/app/Offer_test.cpp
 unsigned-integer-overflow:src/test/app/Path_test.cpp

src/libxrpl/basics/LocalValue.cpp

@@ -1,7 +0,0 @@
-#include <xrpl/basics/LocalValue.h>
-
-namespace xrpl {
-namespace detail {
-
-}  // namespace detail
-}  // namespace xrpl

src/libxrpl/basics/MallocTrim.cpp

@@ -0,0 +1,157 @@
+#include <xrpl/basics/Log.h>
+#include <xrpl/basics/MallocTrim.h>
+
+#include <boost/predef.h>
+
+#include <chrono>
+#include <cstdint>
+#include <cstdio>
+#include <fstream>
+#include <sstream>
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+#include <sys/resource.h>
+
+#include <malloc.h>
+#include <unistd.h>
+
+// Require RUSAGE_THREAD for thread-scoped page fault tracking
+#ifndef RUSAGE_THREAD
+#error "MallocTrim rusage instrumentation requires RUSAGE_THREAD on Linux/glibc"
+#endif
+
+namespace {
+
+bool
+getRusageThread(struct rusage& ru)
+{
+    return ::getrusage(RUSAGE_THREAD, &ru) == 0;  // LCOV_EXCL_LINE
+}
+
+}  // namespace
+#endif
+
+namespace xrpl {
+
+namespace detail {
+
+// cSpell:ignore statm
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+
+inline int
+mallocTrimWithPad(std::size_t padBytes)
+{
+    return ::malloc_trim(padBytes);
+}
+
+long
+parseStatmRSSkB(std::string const& statm)
+{
+    // /proc/self/statm format: size resident shared text lib data dt
+    // We want the second field (resident) which is in pages
+    std::istringstream iss(statm);
+    long size, resident;
+    if (!(iss >> size >> resident))
+        return -1;
+
+    // Convert pages to KB
+    long const pageSize = ::sysconf(_SC_PAGESIZE);
+    if (pageSize <= 0)
+        return -1;
+
+    return (resident * pageSize) / 1024;
+}
+
+#endif  // __GLIBC__ && BOOST_OS_LINUX
+
+}  // namespace detail
+
+MallocTrimReport
+mallocTrim(std::string_view tag, beast::Journal journal)
+{
+    // LCOV_EXCL_START
+
+    MallocTrimReport report;
+
+#if !(defined(__GLIBC__) && BOOST_OS_LINUX)
+    JLOG(journal.debug()) << "malloc_trim not supported on this platform (tag=" << tag << ")";
+#else
+    // Keep glibc malloc_trim padding at 0 (default): 12h Mainnet tests across 0/256KB/1MB/16MB
+    // showed no clear, consistent benefit from custom padding—0 provided the best overall balance
+    // of RSS reduction and trim-latency stability without adding a tuning surface.
+    constexpr std::size_t TRIM_PAD = 0;
+
+    report.supported = true;
+
+    if (journal.debug())
+    {
+        auto readFile = [](std::string const& path) -> std::string {
+            std::ifstream ifs(path, std::ios::in | std::ios::binary);
+            if (!ifs.is_open())
+                return {};
+
+            // /proc files are often not seekable; read as a stream.
+            std::ostringstream oss;
+            oss << ifs.rdbuf();
+            return oss.str();
+        };
+
+        std::string const tagStr{tag};
+        std::string const statmPath = "/proc/self/statm";
+
+        auto const statmBefore = readFile(statmPath);
+        long const rssBeforeKB = detail::parseStatmRSSkB(statmBefore);
+
+        struct rusage ru0{};
+        bool const have_ru0 = getRusageThread(ru0);
+
+        auto const t0 = std::chrono::steady_clock::now();
+
+        report.trimResult = detail::mallocTrimWithPad(TRIM_PAD);
+
+        auto const t1 = std::chrono::steady_clock::now();
+
+        struct rusage ru1{};
+        bool const have_ru1 = getRusageThread(ru1);
+
+        auto const statmAfter = readFile(statmPath);
+        long const rssAfterKB = detail::parseStatmRSSkB(statmAfter);
+
+        // Populate report fields
+        report.rssBeforeKB = rssBeforeKB;
+        report.rssAfterKB = rssAfterKB;
+        report.durationUs = std::chrono::duration_cast<std::chrono::microseconds>(t1 - t0);
+
+        if (have_ru0 && have_ru1)
+        {
+            report.minfltDelta = ru1.ru_minflt - ru0.ru_minflt;
+            report.majfltDelta = ru1.ru_majflt - ru0.ru_majflt;
+        }
+
+        std::int64_t const deltaKB = (rssBeforeKB < 0 || rssAfterKB < 0)
+            ? 0
+            : (static_cast<std::int64_t>(rssAfterKB) - static_cast<std::int64_t>(rssBeforeKB));
+
+        JLOG(journal.debug()) << "malloc_trim tag=" << tagStr << " result=" << report.trimResult
+                              << " pad=" << TRIM_PAD << " bytes"
+                              << " rss_before=" << rssBeforeKB << "kB"
+                              << " rss_after=" << rssAfterKB << "kB"
+                              << " delta=" << deltaKB << "kB"
+                              << " duration_us=" << report.durationUs.count()
+                              << " minflt_delta=" << report.minfltDelta
+                              << " majflt_delta=" << report.majfltDelta;
+    }
+    else
+    {
+        report.trimResult = detail::mallocTrimWithPad(TRIM_PAD);
+    }
+
+#endif
+
+    return report;
+
+    // LCOV_EXCL_STOP
+}
+
+}  // namespace xrpl

src/libxrpl/basics/Number.cpp

@@ -11,7 +11,6 @@
 #include <numeric>
 #include <stdexcept>
 #include <string>
-#include <string_view>
 #include <type_traits>
 #include <utility>
 
@@ -108,7 +107,7 @@ public:
         int& exponent,
         internalrep const& minMantissa,
         internalrep const& maxMantissa,
-        std::string_view location);
+        std::string location);
 
     // Modify the result to the correctly rounded value
     template <UnsignedMantissa T>
@@ -117,7 +116,7 @@ public:
 
     // Modify the result to the correctly rounded value
     void
-    doRound(rep& drops, std::string_view location);
+    doRound(rep& drops, std::string location);
 
 private:
     void
@@ -243,7 +242,7 @@ Number::Guard::doRoundUp(
     int& exponent,
     internalrep const& minMantissa,
     internalrep const& maxMantissa,
-    std::string_view location)
+    std::string location)
 {
     auto r = round();
     if (r == 1 || (r == 0 && (mantissa & 1) == 1))
@@ -259,7 +258,7 @@ Number::Guard::doRoundUp(
     }
     bringIntoRange(negative, mantissa, exponent, minMantissa);
     if (exponent > maxExponent)
-        Throw<std::overflow_error>(std::string(location));
+        throw std::overflow_error(location);
 }
 
 template <UnsignedMantissa T>
@@ -285,7 +284,7 @@ Number::Guard::doRoundDown(
 
 // Modify the result to the correctly rounded value
 void
-Number::Guard::doRound(rep& drops, std::string_view location)
+Number::Guard::doRound(rep& drops, std::string location)
 {
     auto r = round();
     if (r == 1 || (r == 0 && (drops & 1) == 1))
@@ -299,7 +298,7 @@ Number::Guard::doRound(rep& drops, std::string_view location)
             // or "(maxRep + 1) / 10", neither of which will round up when
             // converting to rep, though the latter might overflow _before_
             // rounding.
-            throw std::overflow_error(std::string(location));  // LCOV_EXCL_LINE
+            throw std::overflow_error(location);  // LCOV_EXCL_LINE
         }
         ++drops;
     }

src/libxrpl/json/json_value.cpp

@@ -193,17 +193,17 @@ Value::Value(ValueType type) : type_(type), allocated_(0)
     }
 }
 
-Value::Value(Int value) : type_(intValue), allocated_(0)
+Value::Value(Int value) : type_(intValue)
 {
     value_.int_ = value;
 }
 
-Value::Value(UInt value) : type_(uintValue), allocated_(0)
+Value::Value(UInt value) : type_(uintValue)
 {
     value_.uint_ = value;
 }
 
-Value::Value(double value) : type_(realValue), allocated_(0)
+Value::Value(double value) : type_(realValue)
 {
     value_.real_ = value;
 }
@@ -230,7 +230,7 @@ Value::Value(StaticString const& value) : type_(stringValue), allocated_(false)
     value_.string_ = const_cast<char*>(value.c_str());
 }
 
-Value::Value(bool value) : type_(booleanValue), allocated_(0)
+Value::Value(bool value) : type_(booleanValue)
 {
     value_.bool_ = value;
 }

src/libxrpl/ledger/ApplyStateTable.cpp

@@ -335,28 +335,6 @@ ApplyStateTable::read(ReadView const& base, Keylet const& k) const
     return sle;
 }
 
-std::optional<std::shared_ptr<SLE const>>
-ApplyStateTable::readLocal(Keylet const& k) const
-{
-    auto const iter = items_.find(k.key);
-    if (iter == items_.end())
-        return std::nullopt;
-    auto const& item = iter->second;
-    auto const& sle = item.second;
-    switch (item.first)
-    {
-        case Action::erase:
-            return nullptr;
-        case Action::cache:
-        case Action::insert:
-        case Action::modify:
-            break;
-    };
-    if (!k.check(*sle))
-        return nullptr;
-    return sle;
-}
-
 std::shared_ptr<SLE>
 ApplyStateTable::peek(ReadView const& base, Keylet const& k)
 {

src/libxrpl/ledger/ApplyViewBase.cpp

@@ -49,24 +49,7 @@ ApplyViewBase::succ(key_type const& key, std::optional<key_type> const& last) co
 std::shared_ptr<SLE const>
 ApplyViewBase::read(Keylet const& k) const
 {
-    // Iteratively walk up the chain of ApplyViewBase layers
-    // instead of recursing through items_.read(*base_, k).
-    auto const* current = this;
-    while (current)
-    {
-        if (auto result = current->items_.readLocal(k))
-            return *result;
-
-        // Check if the base is another ApplyViewBase layer
-        auto const* next = dynamic_cast<ApplyViewBase const*>(current->base_);
-        if (!next)
-            return current->base_->read(k);
-        current = next;
-    }
-    // Unreachable: current starts as `this` (non-null) and the loop
-    // always returns before current could become null.
-    UNREACHABLE("xrpl::ApplyViewBase::read : unreachable");
-    return nullptr;
+    return items_.read(*base_, k);
 }
 
 auto

src/libxrpl/net/HTTPClient.cpp

@@ -26,12 +26,6 @@ HTTPClient::initializeSSLContext(
     httpClientSSLContext.emplace(sslVerifyDir, sslVerifyFile, sslVerify, j);
 }
 
-void
-HTTPClient::cleanupSSLContext()
-{
-    httpClientSSLContext.reset();
-}
-
 //------------------------------------------------------------------------------
 //
 // Fetch a web page via http or https.

src/libxrpl/nodestore/DatabaseNodeImp.cpp

@@ -33,7 +33,7 @@ DatabaseNodeImp::fetchNodeObject(
 
     try
     {
-        status = backend_->fetch(hash.data(), &nodeObject);
+        status = backend_->fetch(hash, &nodeObject);
     }
     catch (std::exception const& e)
     {
@@ -68,18 +68,10 @@ DatabaseNodeImp::fetchBatch(std::vector<uint256> const& hashes)
     using namespace std::chrono;
     auto const before = steady_clock::now();
 
-    std::vector<uint256 const*> batch{};
-    batch.reserve(hashes.size());
-    for (size_t i = 0; i < hashes.size(); ++i)
-    {
-        auto const& hash = hashes[i];
-        batch.push_back(&hash);
-    }
-
     // Get the node objects that match the hashes from the backend. To protect
     // against the backends returning fewer or more results than expected, the
     // container is resized to the number of hashes.
-    auto results = backend_->fetchBatch(batch).first;
+    auto results = backend_->fetchBatch(hashes).first;
     XRPL_ASSERT(
         results.size() == hashes.size() || results.empty(),
         "number of output objects either matches number of input hashes or is empty");

src/libxrpl/nodestore/DatabaseRotatingImp.cpp

@@ -105,7 +105,7 @@ DatabaseRotatingImp::fetchNodeObject(
         std::shared_ptr<NodeObject> nodeObject;
         try
         {
-            status = backend->fetch(hash.data(), &nodeObject);
+            status = backend->fetch(hash, &nodeObject);
         }
         catch (std::exception const& e)
         {

src/libxrpl/nodestore/backend/MemoryFactory.cpp

@@ -116,10 +116,9 @@ public:
     //--------------------------------------------------------------------------
 
     Status
-    fetch(void const* key, std::shared_ptr<NodeObject>* pObject) override
+    fetch(uint256 const& hash, std::shared_ptr<NodeObject>* pObject) override
     {
         XRPL_ASSERT(db_, "xrpl::NodeStore::MemoryBackend::fetch : non-null database");
-        uint256 const hash(uint256::fromVoid(key));
 
         std::lock_guard _(db_->mutex);
 
@@ -134,14 +133,14 @@ public:
     }
 
     std::pair<std::vector<std::shared_ptr<NodeObject>>, Status>
-    fetchBatch(std::vector<uint256 const*> const& hashes) override
+    fetchBatch(std::vector<uint256> const& hashes) override
     {
         std::vector<std::shared_ptr<NodeObject>> results;
         results.reserve(hashes.size());
         for (auto const& h : hashes)
         {
             std::shared_ptr<NodeObject> nObj;
-            Status status = fetch(h->begin(), &nObj);
+            Status status = fetch(h, &nObj);
             if (status != ok)
                 results.push_back({});
             else

src/libxrpl/nodestore/backend/NuDBFactory.cpp

@@ -179,17 +179,17 @@ public:
     }
 
     Status
-    fetch(void const* key, std::shared_ptr<NodeObject>* pno) override
+    fetch(uint256 const& hash, std::shared_ptr<NodeObject>* pno) override
     {
         Status status;
         pno->reset();
         nudb::error_code ec;
         db_.fetch(
-            key,
-            [key, pno, &status](void const* data, std::size_t size) {
+            hash.data(),
+            [&hash, pno, &status](void const* data, std::size_t size) {
                 nudb::detail::buffer bf;
                 auto const result = nodeobject_decompress(data, size, bf);
-                DecodedBlob decoded(key, result.first, result.second);
+                DecodedBlob decoded(hash.data(), result.first, result.second);
                 if (!decoded.wasOk())
                 {
                     status = dataCorrupt;
@@ -207,14 +207,14 @@ public:
     }
 
     std::pair<std::vector<std::shared_ptr<NodeObject>>, Status>
-    fetchBatch(std::vector<uint256 const*> const& hashes) override
+    fetchBatch(std::vector<uint256> const& hashes) override
     {
         std::vector<std::shared_ptr<NodeObject>> results;
         results.reserve(hashes.size());
         for (auto const& h : hashes)
         {
             std::shared_ptr<NodeObject> nObj;
-            Status status = fetch(h->begin(), &nObj);
+            Status status = fetch(h, &nObj);
             if (status != ok)
                 results.push_back({});
             else

src/libxrpl/nodestore/backend/NullFactory.cpp

@@ -36,13 +36,13 @@ public:
     }
 
     Status
-    fetch(void const*, std::shared_ptr<NodeObject>*) override
+    fetch(uint256 const&, std::shared_ptr<NodeObject>*) override
     {
         return notFound;
     }
 
     std::pair<std::vector<std::shared_ptr<NodeObject>>, Status>
-    fetchBatch(std::vector<uint256 const*> const& hashes) override
+    fetchBatch(std::vector<uint256> const& hashes) override
     {
         return {};
     }

src/libxrpl/nodestore/backend/RocksDBFactory.cpp

@@ -244,7 +244,7 @@ public:
     //--------------------------------------------------------------------------
 
     Status
-    fetch(void const* key, std::shared_ptr<NodeObject>* pObject) override
+    fetch(uint256 const& hash, std::shared_ptr<NodeObject>* pObject) override
     {
         XRPL_ASSERT(m_db, "xrpl::NodeStore::RocksDBBackend::fetch : non-null database");
         pObject->reset();
@@ -252,7 +252,7 @@ public:
         Status status(ok);
 
         rocksdb::ReadOptions const options;
-        rocksdb::Slice const slice(static_cast<char const*>(key), m_keyBytes);
+        rocksdb::Slice const slice(std::bit_cast<char const*>(hash.data()), m_keyBytes);
 
         std::string string;
 
@@ -260,7 +260,7 @@ public:
 
         if (getStatus.ok())
         {
-            DecodedBlob decoded(key, string.data(), string.size());
+            DecodedBlob decoded(hash.data(), string.data(), string.size());
 
             if (decoded.wasOk())
             {
@@ -295,14 +295,14 @@ public:
     }
 
     std::pair<std::vector<std::shared_ptr<NodeObject>>, Status>
-    fetchBatch(std::vector<uint256 const*> const& hashes) override
+    fetchBatch(std::vector<uint256> const& hashes) override
     {
         std::vector<std::shared_ptr<NodeObject>> results;
         results.reserve(hashes.size());
         for (auto const& h : hashes)
         {
             std::shared_ptr<NodeObject> nObj;
-            Status status = fetch(h->begin(), &nObj);
+            Status status = fetch(h, &nObj);
             if (status != ok)
                 results.push_back({});
             else
@@ -332,9 +332,8 @@ public:
             EncodedBlob encoded(e);
 
             wb.Put(
-                rocksdb::Slice(reinterpret_cast<char const*>(encoded.getKey()), m_keyBytes),
-                rocksdb::Slice(
-                    reinterpret_cast<char const*>(encoded.getData()), encoded.getSize()));
+                rocksdb::Slice(std::bit_cast<char const*>(encoded.getKey()), m_keyBytes),
+                rocksdb::Slice(std::bit_cast<char const*>(encoded.getData()), encoded.getSize()));
         }
 
         rocksdb::WriteOptions const options;

src/libxrpl/protocol/STAmount.cpp

@@ -1003,12 +1003,7 @@ amountFromJson(SField const& name, Json::Value const& v)
     else if (v.isString())
     {
         std::string val = v.asString();
-        // Pre-allocate to avoid reallocation during split. This function is often
-        // called deep in the RPC stack (via JSON parsing) where stack space is
-        // limited. ASAN detected stack-buffer-overflow here at ~95% coroutine
-        // stack usage (1001376/1048576 bytes). Coroutine stack increased to 2MB.
         std::vector<std::string> elements;
-        elements.reserve(3);
         boost::split(elements, val, boost::is_any_of("\t\n\r ,/"));
 
         if (elements.size() > 3)

src/libxrpl/protocol/STParsedJSON.cpp

@@ -69,7 +69,7 @@ make_name(std::string const& object, std::string const& field)
     if (field.empty())
         return object;
 
-    return {object + "." + field};
+    return object + "." + field;
 }
 
 static inline Json::Value

src/libxrpl/shamap/SHAMapNodeID.cpp

@@ -6,11 +6,7 @@
 
 namespace xrpl {
 
-// Returns a depth mask by value to avoid potential lifetime issues in
-// multi-threaded contexts. Returning by const reference to a static member
-// could trigger stack-use-after-scope errors when the reference is used in
-// temporary expressions with operator& in concurrent coroutine scenarios.
-static uint256 const
+static uint256 const&
 depthMask(unsigned int depth)
 {
     enum { mask_size = 65 };
@@ -76,8 +72,7 @@ SHAMapNodeID::getChildNodeID(unsigned int m) const
     if (depth_ >= SHAMap::leafDepth)
         Throw<std::logic_error>("Request for child node ID of " + to_string(*this));
 
-    auto const idAtDepth = id_ & depthMask(depth_);
-    if (id_ != idAtDepth)
+    if (id_ != (id_ & depthMask(depth_)))
         Throw<std::logic_error>("Incorrect mask for " + to_string(*this));
 
     SHAMapNodeID node{depth_ + 1, id_};

src/test/app/ValidatorSite_test.cpp

@@ -148,7 +148,7 @@ private:
         std::vector<std::string> emptyCfgKeys;
         struct publisher
         {
-            publisher(FetchListConfig const& c) : cfg{c}, isRetry{false}
+            publisher(FetchListConfig const& c) : cfg{c}
             {
             }
             std::shared_ptr<TrustedPublisherServer> server;

src/test/app/Vault_test.cpp

@@ -5340,20 +5340,20 @@ class Vault_test : public beast::unit_test::suite
             env.close();
 
             // 2. Mantissa larger than uint64 max
+            env.set_parse_failure_expected(true);
             try
             {
                 tx[sfAssetsMaximum] = "18446744073709551617e5";  // uint64 max + 1
                 env(tx, THISLINE);
-                BEAST_EXPECT(false);
+                BEAST_EXPECTS(false, "Expected parse_error for mantissa larger than uint64 max");
             }
             catch (parse_error const& e)
             {
                 using namespace std::string_literals;
                 BEAST_EXPECT(
-                    e.what() ==
-                    "invalidParamsField 'tx_json.AssetsMaximum' has invalid "
-                    "data."s);
+                    e.what() == "invalidParamsField 'tx_json.AssetsMaximum' has invalid data."s);
             }
+            env.set_parse_failure_expected(false);
         }
     }
 

src/test/nodestore/TestBase.h

@@ -138,7 +138,7 @@ public:
         {
             std::shared_ptr<NodeObject> object;
 
-            Status const status = backend.fetch(batch[i]->getHash().cbegin(), &object);
+            Status const status = backend.fetch(batch[i]->getHash(), &object);
 
             BEAST_EXPECT(status == ok);
 
@@ -158,7 +158,7 @@ public:
         {
             std::shared_ptr<NodeObject> object;
 
-            Status const status = backend.fetch(batch[i]->getHash().cbegin(), &object);
+            Status const status = backend.fetch(batch[i]->getHash(), &object);
 
             BEAST_EXPECT(status == notFound);
         }

src/test/nodestore/Timing_test.cpp

@@ -314,7 +314,7 @@ public:
                     std::shared_ptr<NodeObject> obj;
                     std::shared_ptr<NodeObject> result;
                     obj = seq1_.obj(dist_(gen_));
-                    backend_.fetch(obj->getHash().data(), &result);
+                    backend_.fetch(obj->getHash(), &result);
                     suite_.expect(result && isSame(result, obj));
                 }
                 catch (std::exception const& e)
@@ -377,9 +377,9 @@ public:
             {
                 try
                 {
-                    auto const key = seq2_.key(i);
+                    auto const hash = seq2_.key(i);
                     std::shared_ptr<NodeObject> result;
-                    backend_.fetch(key.data(), &result);
+                    backend_.fetch(hash, &result);
                     suite_.expect(!result);
                 }
                 catch (std::exception const& e)
@@ -449,9 +449,9 @@ public:
                 {
                     if (rand_(gen_) < missingNodePercent)
                     {
-                        auto const key = seq2_.key(dist_(gen_));
+                        auto const hash = seq2_.key(dist_(gen_));
                         std::shared_ptr<NodeObject> result;
-                        backend_.fetch(key.data(), &result);
+                        backend_.fetch(hash, &result);
                         suite_.expect(!result);
                     }
                     else
@@ -459,7 +459,7 @@ public:
                         std::shared_ptr<NodeObject> obj;
                         std::shared_ptr<NodeObject> result;
                         obj = seq1_.obj(dist_(gen_));
-                        backend_.fetch(obj->getHash().data(), &result);
+                        backend_.fetch(obj->getHash(), &result);
                         suite_.expect(result && isSame(result, obj));
                     }
                 }
@@ -540,8 +540,7 @@ public:
                         std::shared_ptr<NodeObject> result;
                         auto const j = older_(gen_);
                         obj = seq1_.obj(j);
-                        std::shared_ptr<NodeObject> result1;
-                        backend_.fetch(obj->getHash().data(), &result);
+                        backend_.fetch(obj->getHash(), &result);
                         suite_.expect(result != nullptr);
                         suite_.expect(isSame(result, obj));
                     }
@@ -559,7 +558,7 @@ public:
                                 std::shared_ptr<NodeObject> result;
                                 auto const j = recent_(gen_);
                                 obj = seq1_.obj(j);
-                                backend_.fetch(obj->getHash().data(), &result);
+                                backend_.fetch(obj->getHash(), &result);
                                 suite_.expect(!result || isSame(result, obj));
                                 break;
                             }

src/tests/libxrpl/basics/MallocTrim.cpp

@@ -0,0 +1,209 @@
+#include <xrpl/basics/MallocTrim.h>
+
+#include <boost/predef.h>
+
+#include <gtest/gtest.h>
+
+using namespace xrpl;
+
+// cSpell:ignore statm
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+namespace xrpl::detail {
+long
+parseStatmRSSkB(std::string const& statm);
+}  // namespace xrpl::detail
+#endif
+
+TEST(MallocTrimReport, structure)
+{
+    // Test default construction
+    MallocTrimReport report;
+    EXPECT_EQ(report.supported, false);
+    EXPECT_EQ(report.trimResult, -1);
+    EXPECT_EQ(report.rssBeforeKB, -1);
+    EXPECT_EQ(report.rssAfterKB, -1);
+    EXPECT_EQ(report.durationUs, std::chrono::microseconds{-1});
+    EXPECT_EQ(report.minfltDelta, -1);
+    EXPECT_EQ(report.majfltDelta, -1);
+    EXPECT_EQ(report.deltaKB(), 0);
+
+    // Test deltaKB calculation - memory freed
+    report.rssBeforeKB = 1000;
+    report.rssAfterKB = 800;
+    EXPECT_EQ(report.deltaKB(), -200);
+
+    // Test deltaKB calculation - memory increased
+    report.rssBeforeKB = 500;
+    report.rssAfterKB = 600;
+    EXPECT_EQ(report.deltaKB(), 100);
+
+    // Test deltaKB calculation - no change
+    report.rssBeforeKB = 1234;
+    report.rssAfterKB = 1234;
+    EXPECT_EQ(report.deltaKB(), 0);
+}
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+TEST(parseStatmRSSkB, standard_format)
+{
+    using xrpl::detail::parseStatmRSSkB;
+
+    // Test standard format: size resident shared text lib data dt
+    // Assuming 4KB page size: resident=1000 pages = 4000 KB
+    {
+        std::string statm = "25365 1000 2377 0 0 5623 0";
+        long result = parseStatmRSSkB(statm);
+        // Note: actual result depends on system page size
+        // On most systems it's 4KB, so 1000 pages = 4000 KB
+        EXPECT_GT(result, 0);
+    }
+
+    // Test with newline
+    {
+        std::string statm = "12345 2000 1234 0 0 3456 0\n";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_GT(result, 0);
+    }
+
+    // Test with tabs
+    {
+        std::string statm = "12345\t2000\t1234\t0\t0\t3456\t0";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_GT(result, 0);
+    }
+
+    // Test zero resident pages
+    {
+        std::string statm = "25365 0 2377 0 0 5623 0";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_EQ(result, 0);
+    }
+
+    // Test with extra whitespace
+    {
+        std::string statm = "  25365   1000   2377  ";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_GT(result, 0);
+    }
+
+    // Test empty string
+    {
+        std::string statm = "";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_EQ(result, -1);
+    }
+
+    // Test malformed data (only one field)
+    {
+        std::string statm = "25365";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_EQ(result, -1);
+    }
+
+    // Test malformed data (non-numeric)
+    {
+        std::string statm = "abc def ghi";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_EQ(result, -1);
+    }
+
+    // Test malformed data (second field non-numeric)
+    {
+        std::string statm = "25365 abc 2377";
+        long result = parseStatmRSSkB(statm);
+        EXPECT_EQ(result, -1);
+    }
+}
+#endif
+
+TEST(mallocTrim, without_debug_logging)
+{
+    beast::Journal journal{beast::Journal::getNullSink()};
+
+    MallocTrimReport report = mallocTrim("without_debug", journal);
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+    EXPECT_EQ(report.supported, true);
+    EXPECT_GE(report.trimResult, 0);
+    EXPECT_EQ(report.durationUs, std::chrono::microseconds{-1});
+    EXPECT_EQ(report.minfltDelta, -1);
+    EXPECT_EQ(report.majfltDelta, -1);
+#else
+    EXPECT_EQ(report.supported, false);
+    EXPECT_EQ(report.trimResult, -1);
+    EXPECT_EQ(report.rssBeforeKB, -1);
+    EXPECT_EQ(report.rssAfterKB, -1);
+    EXPECT_EQ(report.durationUs, std::chrono::microseconds{-1});
+    EXPECT_EQ(report.minfltDelta, -1);
+    EXPECT_EQ(report.majfltDelta, -1);
+#endif
+}
+
+TEST(mallocTrim, empty_tag)
+{
+    beast::Journal journal{beast::Journal::getNullSink()};
+    MallocTrimReport report = mallocTrim("", journal);
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+    EXPECT_EQ(report.supported, true);
+    EXPECT_GE(report.trimResult, 0);
+#else
+    EXPECT_EQ(report.supported, false);
+#endif
+}
+
+TEST(mallocTrim, with_debug_logging)
+{
+    struct DebugSink : public beast::Journal::Sink
+    {
+        DebugSink() : Sink(beast::severities::kDebug, false)
+        {
+        }
+        void
+        write(beast::severities::Severity, std::string const&) override
+        {
+        }
+        void
+        writeAlways(beast::severities::Severity, std::string const&) override
+        {
+        }
+    };
+
+    DebugSink sink;
+    beast::Journal journal{sink};
+
+    MallocTrimReport report = mallocTrim("debug_test", journal);
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+    EXPECT_EQ(report.supported, true);
+    EXPECT_GE(report.trimResult, 0);
+    EXPECT_GE(report.durationUs.count(), 0);
+    EXPECT_GE(report.minfltDelta, 0);
+    EXPECT_GE(report.majfltDelta, 0);
+#else
+    EXPECT_EQ(report.supported, false);
+    EXPECT_EQ(report.trimResult, -1);
+    EXPECT_EQ(report.durationUs, std::chrono::microseconds{-1});
+    EXPECT_EQ(report.minfltDelta, -1);
+    EXPECT_EQ(report.majfltDelta, -1);
+#endif
+}
+
+TEST(mallocTrim, repeated_calls)
+{
+    beast::Journal journal{beast::Journal::getNullSink()};
+
+    // Call malloc_trim multiple times to ensure it's safe
+    for (int i = 0; i < 5; ++i)
+    {
+        MallocTrimReport report = mallocTrim("iteration_" + std::to_string(i), journal);
+
+#if defined(__GLIBC__) && BOOST_OS_LINUX
+        EXPECT_EQ(report.supported, true);
+        EXPECT_GE(report.trimResult, 0);
+#else
+        EXPECT_EQ(report.supported, false);
+#endif
+    }
+}

src/tests/libxrpl/net/HTTPClient.cpp

@@ -184,9 +184,6 @@ private:
 };
 
 // Helper function to run HTTP client test
-// Note: Caller must ensure HTTPClient::initializeSSLContext has been called
-// before this function, and HTTPClient::cleanupSSLContext is called after
-// all tests are completed.
 bool
 runHTTPTest(
     TestHTTPServer& server,
@@ -194,9 +191,14 @@ runHTTPTest(
     bool& completed,
     int& resultStatus,
     std::string& resultData,
-    boost::system::error_code& resultError,
-    beast::Journal& j)
+    boost::system::error_code& resultError)
 {
+    // Create a null journal for testing
+    beast::Journal j{TestSink::instance()};
+
+    // Initialize HTTPClient SSL context
+    HTTPClient::initializeSSLContext("", "", false, j);
+
     HTTPClient::get(
         false,  // no SSL
         server.ioc(),
@@ -230,9 +232,6 @@ runHTTPTest(
         }
     }
 
-    // Drain any remaining handlers to ensure proper cleanup of HTTPClientImp
-    server.ioc().poll();
-
     return completed;
 }
 
@@ -261,28 +260,19 @@ TEST(HTTPClient, case_insensitive_content_length)
         std::string resultData;
         boost::system::error_code resultError;
 
-        beast::Journal j{TestSink::instance()};
-        HTTPClient::initializeSSLContext("", "", false, j);
-
         bool testCompleted =
-            runHTTPTest(server, "/test", completed, resultStatus, resultData, resultError, j);
+            runHTTPTest(server, "/test", completed, resultStatus, resultData, resultError);
+
         // Verify results
         EXPECT_TRUE(testCompleted);
         EXPECT_FALSE(resultError);
         EXPECT_EQ(resultStatus, 200);
         EXPECT_EQ(resultData, testBody);
     }
-
-    // Clean up SSL context to prevent memory leaks
-    HTTPClient::cleanupSSLContext();
 }
 
 TEST(HTTPClient, basic_http_request)
 {
-    // Initialize SSL context once for the entire test
-    beast::Journal j{TestSink::instance()};
-    HTTPClient::initializeSSLContext("", "", false, j);
-
     TestHTTPServer server;
     std::string testBody = "Test response body";
     server.setResponseBody(testBody);
@@ -294,23 +284,16 @@ TEST(HTTPClient, basic_http_request)
     boost::system::error_code resultError;
 
     bool testCompleted =
-        runHTTPTest(server, "/basic", completed, resultStatus, resultData, resultError, j);
+        runHTTPTest(server, "/basic", completed, resultStatus, resultData, resultError);
 
     EXPECT_TRUE(testCompleted);
     EXPECT_FALSE(resultError);
     EXPECT_EQ(resultStatus, 200);
     EXPECT_EQ(resultData, testBody);
-
-    // Clean up SSL context to prevent memory leaks
-    HTTPClient::cleanupSSLContext();
 }
 
 TEST(HTTPClient, empty_response)
 {
-    // Initialize SSL context once for the entire test
-    beast::Journal j{TestSink::instance()};
-    HTTPClient::initializeSSLContext("", "", false, j);
-
     TestHTTPServer server;
     server.setResponseBody("");  // Empty body
     server.setHeader("Content-Length", "0");
@@ -321,23 +304,16 @@ TEST(HTTPClient, empty_response)
     boost::system::error_code resultError;
 
     bool testCompleted =
-        runHTTPTest(server, "/empty", completed, resultStatus, resultData, resultError, j);
+        runHTTPTest(server, "/empty", completed, resultStatus, resultData, resultError);
 
     EXPECT_TRUE(testCompleted);
     EXPECT_FALSE(resultError);
     EXPECT_EQ(resultStatus, 200);
     EXPECT_TRUE(resultData.empty());
-
-    // Clean up SSL context to prevent memory leaks
-    HTTPClient::cleanupSSLContext();
 }
 
 TEST(HTTPClient, different_status_codes)
 {
-    // Initialize SSL context once for the entire test
-    beast::Journal j{TestSink::instance()};
-    HTTPClient::initializeSSLContext("", "", false, j);
-
     std::vector<unsigned int> statusCodes = {200, 404, 500};
 
     for (auto status : statusCodes)
@@ -352,13 +328,10 @@ TEST(HTTPClient, different_status_codes)
         boost::system::error_code resultError;
 
         bool testCompleted =
-            runHTTPTest(server, "/status", completed, resultStatus, resultData, resultError, j);
+            runHTTPTest(server, "/status", completed, resultStatus, resultData, resultError);
 
         EXPECT_TRUE(testCompleted);
         EXPECT_FALSE(resultError);
         EXPECT_EQ(resultStatus, static_cast<int>(status));
     }
-
-    // Clean up SSL context to prevent memory leaks
-    HTTPClient::cleanupSSLContext();
 }

src/xrpld/app/main/Application.cpp

@@ -31,6 +31,7 @@
 #include <xrpld/shamap/NodeFamily.h>
 
 #include <xrpl/basics/ByteUtilities.h>
+#include <xrpl/basics/MallocTrim.h>
 #include <xrpl/basics/ResolverAsio.h>
 #include <xrpl/basics/random.h>
 #include <xrpl/beast/asio/io_latency_probe.h>
@@ -1053,6 +1054,8 @@ public:
                                     << "; size after: " << cachedSLEs_.size();
         }
 
+        mallocTrim("doSweep", m_journal);
+
         // Set timer to do another sweep later.
         setSweepTimer();
     }