cmake: add CURL_GCC_ANALYZER option, enable in CI, fix/silence

Enable in one existing Linux, macOS and Windows job.

Cost:
- Linux: +1.3 minutes.
- macOS: +1.5 minutes.
- Windows: +2.5 minutes.

Fix or silence issues found:
- conncache: silence NULL deref warning.
  ```
  lib/conncache.c:564:18: warning: dereference of NULL '*data.multi' [CWE-476] [-Wanalyzer-null-dereference]
  ```
  Ref: ede6a8e087 #19378
- http2: check pointer for NULL.
  ```
  lib/http2.c:388:7: error: dereference of NULL ‘data’ [CWE-476] [-Wanalyzer-null-dereference]
  ```
- http2: silence potential NULL deref in `cf_h2_recv`.
  ```
  lib/http2.c: In function 'cf_h2_recv':
  lib/curl_trc.h:62:15: warning: dereference of NULL 'data' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- openldap: silence deref before NULL check.
  Seen in GHA/Linux.
  ```
  lib/openldap.c: In function ‘oldap_state_mechs_resp’:
  lib/curl_trc.h:140:7: warning: check of ‘data’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
  ```
- sendf: silence NULL deref false positive in `Curl_creader_set_fread`.
  It looks impossible to happen.
  ```
  lib/sendf.c:1133:7: warning: dereference of NULL 'r' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- ws: silence deref before NULL check.
  ```
  lib/ws.c: In function 'ws_send_raw_blocking':
  lib/curl_trc.h:205:7: warning: check of 'data' for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
  ```
- var: fix potential NULL deref
  ```
  src/var.c:216:29: warning: dereference of NULL 'envp' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- cli_hx_upload.c: fix NULL check after dereference.
  ```
  tests/libtest/cli_hx_upload.c:170:7: warning: check of '*t.method' for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
  ```
- unit1607, unit1609: fix theoretical NULL ptr dereference.
  ```
  tests/unit/unit1607.c:211:12: warning: dereference of NULL 'addr' [CWE-476] [-Wanalyzer-null-dereference]
  tests/unit/unit1609.c:193:12: warning: dereference of NULL 'addr' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- globally disable checks triggering false positives only:
  ```
  docs/examples/externalsocket.c:135:8: warning: 'connect' on possibly invalid file descriptor 'sockfd' [-Wanalyzer-fd-use-without-check]
  lib/bufq.c:465:16: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop] (gcc-15 Windows)
  lib/doh.c:1035:34: warning: stack-based buffer over-read [CWE-126] [-Wanalyzer-out-of-bounds] (gcc-15 macOS)
  lib/ftp.c:4022:20: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop] (gcc-15 macOS)
  lib/http2.c:689:28: warning: buffer over-read [CWE-126] [-Wanalyzer-out-of-bounds] (gcc-15 macOS)
  lib/socketpair.c:195:5: warning: leak of file descriptor 'curl_dbg_socket(2, 1, 0, 192, "D:/a/curl/curl/lib/socketpair.c")' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_doswin.c:810:7: warning: leak of file descriptor '*tdata.socket_l' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_doswin.c:816:9: warning: leak of file descriptor '*tdata.socket_l' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_main.c:96:1: warning: leak of file descriptor 'fd[0]' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_main.c:96:1: warning: leak of file descriptor 'fd[1]' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_urlglob.c:48:17: warning: leak of 'malloc(8)' [CWE-401] [-Wanalyzer-malloc-leak]
  src/tool_writeout.c:870:3: warning: leak of FILE 'stream2' [CWE-775] [-Wanalyzer-file-leak]
  tests/libtest/lib518.c:90:1: warning: leak of FILE [CWE-775] [-Wanalyzer-file-leak]
  tests/libtest/lib537.c:87:1: warning: leak of FILE [CWE-775] [-Wanalyzer-file-leak]
  tests/server/tftpd.c:1147:10: warning: 'bind' on possibly invalid file descriptor 'sock' [-Wanalyzer-fd-use-without-check]
  tests/server/tftpd.c:1155:10: warning: 'bind' on possibly invalid file descriptor 'sock' [-Wanalyzer-fd-use-without-check]
  tests/server/tftpd.c:1259:10: warning: 'connect' on possibly invalid file descriptor '4294967295' [-Wanalyzer-fd-use-without-check]
  ```

Also:
- cmake: update clang-tidy typecheck comment.

Ref: https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html

Closes #20921

.github/workflows/linux.yml

@@ -174,11 +174,11 @@ jobs:
             install_steps: pytest
             configure: --with-openssl --enable-debug --disable-unity
 
-          - name: 'openssl libssh2 sync-resolver valgrind 1'
+          - name: 'openssl libssh2 sync-resolver valgrind 1 +analyzer'
             image: ubuntu-24.04-arm
             install_packages: libidn2-dev libssh2-1-dev libnghttp2-dev libldap-dev valgrind
             tflags: '--min=920 1 to 950'
-            generate: -DENABLE_DEBUG=ON -DENABLE_THREADED_RESOLVER=OFF
+            generate: -DENABLE_DEBUG=ON -DENABLE_THREADED_RESOLVER=OFF -DCURL_GCC_ANALYZER=ON
 
           - name: 'openssl libssh2 sync-resolver valgrind 2'
             image: ubuntu-24.04-arm

.github/workflows/macos.yml

@@ -314,10 +314,10 @@ jobs:
             compiler: clang
             install: gnutls nettle krb5
             generate: -DENABLE_DEBUG=ON -DCURL_USE_GNUTLS=ON -DCURL_USE_OPENSSL=OFF -DCURL_USE_GSSAPI=ON -DGSS_ROOT_DIR=/opt/homebrew/opt/krb5 -DCURL_DISABLE_LDAP=ON -DUSE_SSLS_EXPORT=ON
-          - name: 'aws-lc'
-            compiler: gcc-13
+          - name: 'aws-lc +analyzer'
+            compiler: gcc-15
             install: aws-lc
-            generate: -DENABLE_DEBUG=ON -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/aws-lc -DUSE_ECH=ON -DCURL_DISABLE_LDAP=ON -DUSE_SSLS_EXPORT=ON
+            generate: -DENABLE_DEBUG=ON -DCURL_USE_OPENSSL=ON -DOPENSSL_ROOT_DIR=/opt/homebrew/opt/aws-lc -DUSE_ECH=ON -DCURL_DISABLE_LDAP=ON -DUSE_SSLS_EXPORT=ON -DCURL_GCC_ANALYZER=ON
           - name: 'Rustls'
             compiler: clang
             install: rustls-ffi

.github/workflows/windows.yml

@@ -474,14 +474,14 @@ jobs:
     strategy:
       matrix:
         include:
-          - name: 'schannel'  # mingw-w64 12.0
+          - name: 'schannel +analyzer'  # mingw-w64 12.0
             sys: 'mingw64'
             dir: 'w64devkit'
             env: 'x86_64'
             ver: '15.1.0'
             url: 'https://github.com/skeeto/w64devkit/releases/download/v2.2.0/w64devkit-x64-2.2.0.7z.exe'
             SHA256: e02de30b97196329662007d64bc4509fbd7f5e14339d344075c7f1223dead4a2
-            config: '-DENABLE_DEBUG=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_SCHANNEL=ON -DENABLE_UNICODE=OFF -DENABLE_UNIX_SOCKETS=OFF'
+            config: '-DENABLE_DEBUG=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_SCHANNEL=ON -DENABLE_UNICODE=OFF -DENABLE_UNIX_SOCKETS=OFF -DCURL_GCC_ANALYZER=ON'
             type: 'Release'
           - name: 'schannel'  # mingw-w64 10.0
             sys: 'mingw64'