Honor the server's Content-Range when resuming a partial download (#198 ) (#428 )

* Honor the server's Content-Range when resuming a partial download (#198) A resumed download (Range: bytes=N-) may be answered with a 206 whose range starts before N: block-aligned caches and CDNs routinely round the start down to a block boundary, and RFC 7233 lets the server pick the range it returns. httrack ignored the returned Content-Range and blindly appended the 206 body to the bytes already on disk, so the overlapping bytes were duplicated and the file grew by the overlap. With timing deciding which files get interrupted (and thus resumed), this surfaced as a random subset of files corrupted on each run, each a few bytes too large. Resume at the server's crange_start instead: ftruncate the partial to that offset and write the 206 body there (the in-memory branch keeps only that prefix). When the returned range is unusable (a forward gap, no/garbage Content-Range, or one that doesn't reach EOF) drop the partial and refetch the whole file rather than stitch a corrupt one. Reading the existing crange_start/crange_end/crange fields only, no ABI change. Driven by tests/24_local-resume-overlap.test: pass 1 interrupts a download mid-body, pass 2 resumes against a 206 that backs up 8 bytes, and the result must be byte-identical to the same content fetched whole. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> * Harden #198 fix: verify the truncate, assert the test hit the resume path Two follow-ups from review of the resume fix. If HTS_FTRUNCATE fails the partial could keep a stale tail (only when the resource shrank between runs, sz > full, so the body write no longer covers the old end). Check its return and, on failure, drop the partial and refetch the whole file instead of writing a possibly-corrupt one. The resume test only compared the resumed bytes against the whole file, which also passes if httrack silently re-downloads the file with no Range (the bug never fires). Mark when the server actually serves a resume 206 and assert pass 2 hit that path, so a full re-download fails the test instead of passing it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> * tests: run 24_local-resume-overlap under set -e Follow the golden rule for shell scripts: start with set -e so a non-last failure can't be masked. Guard the backgrounded-crawl kill/wait spots with || true so the expected SIGTERM exit doesn't abort the run. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> --------- Signed-off-by: Xavier Roche <roche@httrack.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Replace single-letter -# self-tests with a named -#test=NAME registry (#427 )
2026-06-26 20:17:05 +03:00 · 2026-06-26 17:42:26 +02:00 · 2026-06-26 08:05:59 +02:00 · 2026-06-26 06:46:59 +02:00 · 2026-06-25 18:02:28 +02:00 · 2026-06-25 17:18:06 +02:00
36 changed files with 1798 additions and 1082 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -33,8 +33,9 @@ the operational checklist: toolchain, invariants, and how to ship a change.
 - Be terse. Comment the why, in English; translate French comments you touch.
 - Strip AI tells from prose (em-dash overuse, rule-of-three, filler, vague
  attributions). Ref: Wikipedia "Signs of AI writing". Claude Code: `/humanizer`.
- Behavior change → add a test. Fast path: a hidden `httrack -#N` debug
-  subcommand (`htscoremain.c`) driven by a `tests/NN_*.test`, over a slow crawl.
+- Behavior change → add a test. Fast path: a hidden `httrack -#test=NAME` engine
+  self-test (registry in `htsselftest.c`; `-#test` lists them) driven by a
+  `tests/NN_*.test`, over a slow crawl.

 ## Review your change adversarially (strongly suggested)
 Before pushing, and when reviewing others, don't skim for bugs:
--- a/man/httrack.1
+++ b/man/httrack.1
@@ -3,7 +3,7 @@
 .\"
 .\" This file is generated by man/makeman.sh; do not edit by hand.
 .\" SPDX-License-Identifier: GPL-3.0-or-later
-.TH httrack 1 "13 June 2026" "httrack website copier"
+.TH httrack 1 "26 June 2026" "httrack website copier"
 .SH NAME
 httrack \- offline browser : copy websites to a local directory
 .SH SYNOPSIS
@@ -313,12 +313,8 @@ debug HTTP headers in logfile (\-\-debug\-headers)
 .SS Guru options: (do NOT use if possible)
 .IP \-#X
 *use optimized engine (limited memory boundary checks) (\-\-fast\-engine)
-.IP \-#0
-filter test (\-#0 '*.gif' 'www.bar.com/foo.gif') (\-\-debug\-testfilters <param>)
-.IP \-#1
-simplify test (\-#1 ./foo/bar/../foobar)
-.IP \-#2
-type test (\-#2 /foo/bar.php)
+.IP \-#test
+list engine self\-tests (run one with \-#test=NAME [args])
 .IP \-#C
 cache list (\-#C '*.com/spider*.gif' (\-\-debug\-cache <param>)
 .IP \-#R
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -56,7 +56,7 @@ whttrackrundir = $(bindir)
 whttrackrun_SCRIPTS = webhttrack

 libhttrack_la_SOURCES =  htscore.c htsparse.c htsback.c htscache.c \
-	htscache_selftest.c htsdns_selftest.c \
+	htscache_selftest.c htsdns_selftest.c htsselftest.c \
 	htscatchurl.c htsfilters.c htsftp.c htshash.c coucal/coucal.c \
 	htshelp.c htslib.c htscoremain.c \
 	htsname.c htsrobots.c htstools.c htswizard.c \
@@ -66,7 +66,7 @@ libhttrack_la_SOURCES =  htscore.c htsparse.c htsback.c htscache.c \
 	md5.c \
 	minizip/ioapi.c minizip/mztools.c minizip/unzip.c minizip/zip.c \
 	hts-indextmpl.h htsalias.h htsback.h htsbase.h htssafe.h \
-	htsbasenet.h htsbauth.h htscache.h htscache_selftest.h htsdns_selftest.h htscatchurl.h  \
+	htsbasenet.h htsbauth.h htscache.h htscache_selftest.h htsdns_selftest.h htsselftest.h htscatchurl.h  \
 	htsconfig.h htscore.h htsparse.h htscoremain.h htsdefines.h  \
 	htsfilters.h htsftp.h htsglobal.h htshash.h coucal/coucal.h \
 	htshelp.h htsindex.h htslib.h htsmd5.h \
--- a/src/htsback.c
+++ b/src/htsback.c
@@ -57,7 +57,10 @@ Please visit our Website: http://www.httrack.com
 // DOS
 #include <process.h>            /* _beginthread, _endthread */
 #endif
+#include <io.h> /* _chsize_s */
+#define HTS_FTRUNCATE(fp, sz) _chsize_s(_fileno(fp), (sz))
 #else
+#define HTS_FTRUNCATE(fp, sz) ftruncate(fileno(fp), (sz))
 #endif

 #define VT_CLREOL       "\33[K"
@@ -3774,35 +3777,70 @@ void back_wait(struct_back * sback, httrackp * opt, cache_back * cache,
                    // xxc SI CHUNK VERIFIER QUE CA MARCHE??
                    if (back[i].r.statuscode == 206) {  // on nous envoie un morceau (la fin) coz une partie sur disque!
                      off_t sz = fsize_utf8(back[i].url_sav);
+                      /* RFC 7233: resume at the server's Content-Range start,
+                         not the offset we requested; a server may resume
+                         earlier and appending the overlap duplicates bytes
+                         (#198). */
+                      const LLint resume = back[i].r.crange_start;
+                      const hts_boolean range_ok =
+                          back[i].r.crange > 0 && resume >= 0 &&
+                          resume <= (LLint) sz &&
+                          back[i].r.crange_end + 1 == back[i].r.crange &&
+                          (back[i].r.totalsize < 0 ||
+                           back[i].r.totalsize ==
+                               back[i].r.crange_end - resume + 1);

 #if HDEBUG
                      printf("partial content: " LLintP " on disk..\n",
                             (LLint) sz);
 #endif
-                      if (sz >= 0) {
+                      if (sz >= 0 && range_ok) {
                        if (!is_hypertext_mime(opt, back[i].r.contenttype, back[i].url_sav)) {  // pas HTML
                          if (opt->getmode & HTS_GETMODE_NONHTML) {
                            filenote(&opt->state.strc, back[i].url_sav, NULL);  // noter fichier comme connu
                            file_notify(opt, back[i].url_adr, back[i].url_fil,
                                        back[i].url_sav, 0, 1,
                                        back[i].r.notmodified);
-                            back[i].r.out = FOPEN(fconv(catbuff, sizeof(catbuff), back[i].url_sav), "ab");       // append
+                            back[i].r.out =
+                                FOPEN(fconv(catbuff, sizeof(catbuff),
+                                            back[i].url_sav),
+                                      "r+b"); // resume in place
                            if (back[i].r.out && opt->cache != 0) {
-                              back[i].r.is_write = 1;   // écrire
-                              back[i].r.size = sz;      // déja écrit
-                              back[i].r.statuscode = HTTP_OK;   // Forcer 'OK'
+                              back[i].r.is_write = 1;
+                              back[i].r.size = resume; // bytes already on disk
+                              back[i].r.statuscode = HTTP_OK; // force 'OK'
                              if (back[i].r.totalsize >= 0)
-                                back[i].r.totalsize += sz;      // plus en fait
-                              fseek(back[i].r.out, 0, SEEK_END);        // à la fin
-                              /* create a temporary reference file in case of broken mirror */
-                              if (back_serialize_ref(opt, &back[i]) != 0) {
-                                hts_log_print(opt, LOG_WARNING,
-                                              "Could not create temporary reference file for %s%s",
-                                              back[i].url_adr, back[i].url_fil);
-                              }
+                                back[i].r.totalsize += resume; // -> full size
+                              // drop bytes past the resume point; a silent
+                              // failure could leave a stale tail, so on error
+                              // drop the partial and refetch the whole file
+                              if (HTS_FTRUNCATE(back[i].r.out,
+                                                (off_t) resume) != 0) {
+                                fclose(back[i].r.out);
+                                back[i].r.out = NULL;
+                                url_savename_refname_remove(
+                                    opt, back[i].url_adr, back[i].url_fil);
+                                UNLINK(back[i].url_sav);
+                                back[i].status = STATUS_READY;
+                                back_set_finished(sback, i);
+                                strcpybuff(back[i].r.msg,
+                                           "Can not truncate partial file, "
+                                           "restarting");
+                              } else {
+                                fseeko(back[i].r.out, (off_t) resume, SEEK_SET);
+                                /* create a temporary reference file in case of
+                                 * broken mirror */
+                                if (back_serialize_ref(opt, &back[i]) != 0) {
+                                  hts_log_print(opt, LOG_WARNING,
+                                                "Could not create temporary "
+                                                "reference file for %s%s",
+                                                back[i].url_adr,
+                                                back[i].url_fil);
+                                }
 #if HDEBUG
-                              printf("continue interrupted file\n");
+                                printf("continue interrupted file\n");
 #endif
+                              }
                            } else {    // On est dans la m**
                              back[i].status = STATUS_READY;    // terminé (voir plus loin)
                              back_set_finished(sback, i);
@@ -3814,17 +3852,18 @@ void back_wait(struct_back * sback, httrackp * opt, cache_back * cache,
                          FILE *fp =
                            FOPEN(fconv(catbuff, sizeof(catbuff), back[i].url_sav), "rb");
                          if (fp) {
-                            LLint alloc_mem = sz + 1;
+                            LLint alloc_mem = resume + 1;

                            if (back[i].r.totalsize >= 0)
                              alloc_mem += back[i].r.totalsize; // AJOUTER RESTANT!
                            if (deleteaddr(&back[i].r)
                                && (back[i].r.adr =
                                    (char *) malloct((size_t) alloc_mem))) {
-                              back[i].r.size = sz;
+                              back[i].r.size = resume;
                              if (back[i].r.totalsize >= 0)
-                                back[i].r.totalsize += sz;      // plus en fait
-                              if ((fread(back[i].r.adr, 1, sz, fp)) != sz) {
+                                back[i].r.totalsize += resume; // -> full size
+                              if ((fread(back[i].r.adr, 1, (size_t) resume,
+                                         fp)) != (size_t) resume) {
                                back[i].status = STATUS_READY;  // terminé (voir plus loin)
                                back_set_finished(sback, i);
                                strcpybuff(back[i].r.msg,
@@ -3842,14 +3881,30 @@ void back_wait(struct_back * sback, httrackp * opt, cache_back * cache,
                                         "No memory for partial file");
                            }
                            fclose(fp);
-                          } else {      // Argh.. 
+                          } else {                              // open failed
                            back[i].status = STATUS_READY;      // terminé (voir plus loin)
                            back_set_finished(sback, i);
                            strcpybuff(back[i].r.msg,
                                       "Can not open partial file");
                          }
                        }
-                      } else {  // Non trouvé??
+                      } else if (sz >=
+                                 0) { // unusable range -> restart whole file
+                        hts_log_print(opt, LOG_WARNING,
+                                      "Unusable partial-content range for %s%s "
+                                      "(have " LLintP " bytes, got " LLintP
+                                      "-" LLintP "/" LLintP "), restarting",
+                                      back[i].url_adr, back[i].url_fil,
+                                      (LLint) sz, back[i].r.crange_start,
+                                      back[i].r.crange_end, back[i].r.crange);
+                        url_savename_refname_remove(opt, back[i].url_adr,
+                                                    back[i].url_fil);
+                        UNLINK(back[i].url_sav);
+                        back[i].status = STATUS_READY;
+                        back_set_finished(sback, i);
+                        strcpybuff(back[i].r.msg,
+                                   "Unusable partial content, restarting");
+                      } else {                          // partial not found
                        back[i].status = STATUS_READY;  // terminé (voir plus loin)
                        back_set_finished(sback, i);
                        strcpybuff(back[i].r.msg, "Can not find partial file");
--- a/src/htscache.c
+++ b/src/htscache.c
@@ -220,6 +220,25 @@ struct cache_back_zip_entry {
 	} \
 } while(0)

+/* A cache (new.zip) write failed: storage is gone (disk full / dropped share),
+   so the mirror is doomed too. Abort it via exit_xh, don't crash as assertf
+   did. */
+static void cache_zip_write_failed(httrackp *opt, cache_back *cache,
+                                   const char *what, int zErr) {
+  if (!cache->zipWriteFailed) {
+    cache->zipWriteFailed = HTS_TRUE;
+    if (check_fatal_io_errno()) {
+      hts_log_print(opt, LOG_ERROR,
+                    "Mirror aborted: disk full or filesystem problems");
+    } else {
+      hts_log_print(opt, LOG_ERROR,
+                    "Mirror aborted: cache write failed (%s): %s", what,
+                    hts_get_zerror(zErr));
+    }
+  }
+  opt->state.exit_xh = -1; /* fatal: stop the mirror, exit non-zero */
+}
+
 /* Ajout d'un fichier en cache */
 void cache_add(httrackp * opt, cache_back * cache, const htsblk * r,
               const char *url_adr, const char *url_fil, const char *url_save,
@@ -236,6 +255,10 @@ void cache_add(httrackp * opt, cache_back * cache, const htsblk * r,
  const char *url_save_suffix = url_save;
  int zErr;

+  /* already failed and aborting; don't touch the broken stream again */
+  if (cache->zipWriteFailed)
+    return;
+
  // robots.txt hack
  if (url_save == NULL) {
    dataincache = 0;            // testing links
@@ -346,9 +369,8 @@ void cache_add(httrackp * opt, cache_back * cache, const htsblk * r,
                                   */
                                  headers, (uInt) strlen(headers), NULL, 0, NULL,       /* comment */
                                  Z_DEFLATED, Z_DEFAULT_COMPRESSION)) != Z_OK) {
-    int zip_zipOpenNewFileInZip_failed = 0;
-
-    assertf(zip_zipOpenNewFileInZip_failed);
+    cache_zip_write_failed(opt, cache, "opening a cache entry", zErr);
+    return;
  }

  /* Write data in cache */
@@ -358,9 +380,8 @@ void cache_add(httrackp * opt, cache_back * cache, const htsblk * r,
        if ((zErr =
             zipWriteInFileInZip((zipFile) cache->zipOutput, r->adr,
                                 (int) r->size)) != Z_OK) {
-          int zip_zipWriteInFileInZip_failed = 0;
-
-          assertf(zip_zipWriteInFileInZip_failed);
+          cache_zip_write_failed(opt, cache, "writing to the cache", zErr);
+          return;
        }
      }
    } else {
@@ -381,9 +402,10 @@ void cache_add(httrackp * opt, cache_back * cache, const htsblk * r,
              if ((zErr =
                   zipWriteInFileInZip((zipFile) cache->zipOutput, buff,
                                       (int) nl)) != Z_OK) {
-                int zip_zipWriteInFileInZip_failed = 0;
-
-                assertf(zip_zipWriteInFileInZip_failed);
+                cache_zip_write_failed(opt, cache, "writing to the cache",
+                                       zErr);
+                fclose(fp);
+                return;
              }
            }
          } while(nl > 0);
@@ -397,16 +419,14 @@ void cache_add(httrackp * opt, cache_back * cache, const htsblk * r,

  /* Close */
  if ((zErr = zipCloseFileInZip((zipFile) cache->zipOutput)) != Z_OK) {
-    int zip_zipCloseFileInZip_failed = 0;
-
-    assertf(zip_zipCloseFileInZip_failed);
+    cache_zip_write_failed(opt, cache, "closing a cache entry", zErr);
+    return;
  }

  /* Flush */
  if ((zErr = zipFlush((zipFile) cache->zipOutput)) != 0) {
-    int zip_zipFlush_failed = 0;
-
-    assertf(zip_zipFlush_failed);
+    cache_zip_write_failed(opt, cache, "flushing the cache", zErr);
+    return;
  }
 }

--- a/src/htscache_selftest.c
+++ b/src/htscache_selftest.c
@@ -47,6 +47,7 @@ Please visit our Website: http://www.httrack.com
 #include "htslib.h"
 #include "htszlib.h"

+#include <errno.h>
 #include <stdio.h>
 #include <string.h>

@@ -316,6 +317,136 @@ static int disk_fallback_selftest(httrackp *opt) {
  return fail;
 }

+typedef struct {
+  size_t budget;  /**< bytes allowed through before writes start failing */
+  int fail_errno; /**< errno set on the failing write (ENOSPC, EIO, ...) */
+  int writes;     /**< zwrite call count, to detect re-entry into the stream */
+} writefail_inject;
+
+/* zwrite that copies until the budget runs out, then fails with inj->fail_errno
+   (the #174/#219 condition). Counts calls so the test can prove a flagged cache
+   never re-enters the stream. */
+static uLong selftest_failing_zwrite(voidpf opaque, voidpf stream,
+                                     const void *buf, uLong size) {
+  writefail_inject *inj = (writefail_inject *) opaque;
+
+  inj->writes++;
+  if (inj->budget >= (size_t) size) {
+    inj->budget -= (size_t) size;
+    return (uLong) fwrite(buf, 1, (size_t) size, (FILE *) stream);
+  }
+  errno = inj->fail_errno;
+  return 0; /* short write -> the minizip op returns an error */
+}
+
+/* Open a ZIP whose writes fail past inj->budget, so cache_add() hits an error.
+ */
+static zipFile selftest_open_failing_zip(const char *path,
+                                         writefail_inject *inj) {
+  zlib_filefunc_def ff;
+
+  fill_fopen_filefunc(&ff); /* real fopen/read/seek/close; ignores opaque */
+  ff.zwrite_file = selftest_failing_zwrite;
+  ff.opaque = inj;
+  return zipOpen2(path, APPEND_STATUS_CREATE, NULL, &ff);
+}
+
+/* Store one octet-stream body into `cache` (all-in-cache, body in the ZIP). */
+static void writefail_store(httrackp *opt, cache_back *cache, const char *fil,
+                            const char *body, size_t body_len) {
+  htsblk r;
+  char locbuf[4];
+  char *bodycopy = malloct(body_len);
+
+  hts_init_htsblk(&r);
+  r.statuscode = 200;
+  r.size = (LLint) body_len;
+  strcpybuff(r.msg, "OK");
+  strcpybuff(r.contenttype, "application/octet-stream");
+  locbuf[0] = '\0';
+  r.location = locbuf;
+  r.is_write = 0;
+  memcpy(bodycopy, body, body_len);
+  r.adr = bodycopy;
+  cache_add(opt, cache, &r, "example.com", fil, "example.com/blob.bin", 1,
+            NULL);
+  freet(bodycopy);
+}
+
+/* #174/#219: a failing cache write used to crash via assertf(); it must instead
+   stop the mirror (exit_xh = -1) without crashing. Assert that, plus the cache
+   is flagged and a sibling write doesn't re-enter the broken stream. */
+int cache_write_failure_selftest(httrackp *opt, const char *dir) {
+  int fail = 0;
+  char path[HTS_URLMAXSIZE];
+  /* incompressible + big, so deflate flushes (and fails) mid-write, before
+   * close */
+  static const size_t body_len = 256 * 1024;
+  char *body = malloct(body_len);
+  int phase;
+
+  gen_body(body, body_len, 1 /* incompressible */);
+  fconcat(path, sizeof(path), dir, "/wfail.zip");
+
+  /* phase 0: fail on the body write, fatal errno (ENOSPC, the disk-full
+     branch). phase 1: fail on the open, non-fatal errno (EIO, dropped-share
+     branch). Both must abort the mirror. */
+  for (phase = 0; phase < 2; phase++) {
+    cache_back cache;
+    writefail_inject inj;
+    int writes_after_fail;
+
+    inj.budget = (phase == 0) ? 4096 : 0;
+    inj.fail_errno = (phase == 0) ? ENOSPC : EIO;
+    inj.writes = 0;
+    memset(&cache, 0, sizeof(cache));
+    cache.type = 1;
+    cache.log = stderr;
+    cache.errlog = stderr;
+    cache.hashtable = coucal_new(0);
+    cache.zipOutput = selftest_open_failing_zip(path, &inj);
+    if (cache.zipOutput == NULL) {
+      fprintf(stderr, "cache-writefail: could not open injected ZIP\n");
+      fail++;
+      continue;
+    }
+
+    opt->state.exit_xh = 0; /* clear; the failing write must set it to -1 */
+    writefail_store(opt, &cache, "/blob.bin", body, body_len);
+    if (!cache.zipWriteFailed) {
+      fprintf(stderr, "cache-writefail: phase %d: write error not caught\n",
+              phase);
+      fail++;
+    }
+    if (opt->state.exit_xh != -1) {
+      fprintf(stderr,
+              "cache-writefail: phase %d: mirror not aborted (exit_xh=%d)\n",
+              phase, opt->state.exit_xh);
+      fail++;
+    }
+
+    /* a flagged cache must no-op a sibling write: no further backend write */
+    writes_after_fail = inj.writes;
+    writefail_store(opt, &cache, "/blob2.bin", body, 16);
+    if (inj.writes != writes_after_fail) {
+      fprintf(stderr,
+              "cache-writefail: phase %d: sibling write re-entered the broken "
+              "stream (%d extra backend writes)\n",
+              phase, inj.writes - writes_after_fail);
+      fail++;
+    }
+
+    if (cache.zipOutput != NULL) {
+      zipClose(cache.zipOutput,
+               NULL); /* best-effort; may fail on the backend */
+      cache.zipOutput = NULL;
+    }
+  }
+
+  freet(body);
+  return fail;
+}
+
 int cache_selftests(httrackp *opt, const char *dir) {
  int failures = 0;
  cache_back cache;
--- a/src/htscache_selftest.h
+++ b/src/htscache_selftest.h
@@ -52,6 +52,10 @@ int cache_selftests(httrackp *opt, const char *dir);
   committed file, never by the test). Returns the failed-check count. */
 int cache_golden_selftest(httrackp *opt, const char *dir, int regen);

+/* #174/#219: assert a failing cache write aborts the mirror cleanly instead of
+   crashing. Returns the failed-check count. */
+int cache_write_failure_selftest(httrackp *opt, const char *dir);
+
 #endif

 #endif
--- a/src/htscore.h
+++ b/src/htscore.h
@@ -214,6 +214,8 @@ struct cache_back {
  cache_back_zip_entry *zipEntries;
  int zipEntriesOffs;
  int zipEntriesCapa;
+  hts_boolean
+      zipWriteFailed; /**< a cache write failed; stop touching the stream */
 };

 #ifndef HTS_DEF_FWSTRUCT_hash_struct
--- a/src/htscoremain.c
+++ b/src/htscoremain.c
--- a/src/htshelp.c
+++ b/src/htshelp.c
@@ -646,9 +646,7 @@ void help(const char *app, int more) {
  infomsg("");
  infomsg("Guru options: (do NOT use if possible)");
  infomsg(" #X *use optimized engine (limited memory boundary checks)");
-  infomsg(" #0  filter test (-#0 '*.gif' 'www.bar.com/foo.gif')");
-  infomsg(" #1  simplify test (-#1 ./foo/bar/../foobar)");
-  infomsg(" #2  type test (-#2 /foo/bar.php)");
+  infomsg(" #test  list engine self-tests (run one with -#test=NAME [args])");
  infomsg(" #C  cache list (-#C '*.com/spider*.gif'");
  infomsg(" #R  cache repair (damaged cache)");
  infomsg(" #d  debug parser");
--- a/src/htslib.c
+++ b/src/htslib.c
@@ -4177,9 +4177,10 @@ HTSEXT_API hts_boolean get_httptype_sized(httrackp *opt, char *s, size_t ssize,
    /* Check html -> text/html */
    const char *a = fil + strlen(fil) - 1;

-    while((*a != '.') && (*a != '/') && (a > fil))
+    /* a < fil when fil is empty: bound before dereferencing */
+    while ((a > fil) && (*a != '.') && (*a != '/'))
      a--;
-    if (*a == '.' && strlen(a) < 32) {
+    if (a >= fil && *a == '.' && strlen(a) < 32) {
      int j = 0;

      a++;
--- a/src/htsselftest.c
+++ b/src/htsselftest.c
--- a/src/htsselftest.h
+++ b/src/htsselftest.h
@@ -0,0 +1,52 @@
+/* ------------------------------------------------------------ */
+/*
+HTTrack Website Copier, Offline Browser for Windows and Unix
+Copyright (C) 2026 Xavier Roche and other contributors
+
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+Ethical use: we kindly ask that you NOT use this software to harvest email
+addresses or to collect any other private information about people. Doing so
+would dishonor our work and waste the many hours we have spent on it.
+
+Please visit our Website: http://www.httrack.com
+*/
+
+/* ------------------------------------------------------------ */
+/* File: htsselftest.h                                          */
+/*       named dispatch for the hidden engine self-tests        */
+/* Author: Xavier Roche                                         */
+/* ------------------------------------------------------------ */
+
+#ifndef HTSSELFTEST_DEFH
+#define HTSSELFTEST_DEFH
+
+#ifdef HTS_INTERNAL_BYTECODE
+
+#ifndef HTS_DEF_FWSTRUCT_httrackp
+#define HTS_DEF_FWSTRUCT_httrackp
+typedef struct httrackp httrackp;
+#endif
+
+/* Run engine self-test `name` over the positional args argv[0..argc-1], or list
+   the available tests when name is NULL, empty, or "list". Prints the result;
+   returns the process exit code (0 == success). The caller owns option cleanup.
+   Reached through the hidden `httrack -#test[=NAME ...]` subcommand. */
+int hts_selftest(httrackp *opt, const char *name, int argc, char **argv);
+
+#endif
+
+#endif
--- a/tests/01_engine-cache-golden.test
+++ b/tests/01_engine-cache-golden.test
@@ -4,7 +4,7 @@
 # POSIX /bin/sh on some platforms (e.g. macOS), so avoid bashisms and GNU-only
 # tool flags despite the #!/bin/bash above.

-# Golden cache-format regression test (driven by 'httrack -#B <dir>').
+# Golden cache-format regression test (driven by 'httrack -#test=cache-golden <dir>').
 #
 # 01_engine-cache.test writes the cache with the same build it reads back (a
 # round-trip), so it cannot catch a read-path or ZIP-format regression where
@@ -13,7 +13,7 @@
 # byte-exact.
 #
 # Regenerate the fixture after a deliberate format change with
-# 'httrack -#B <dir> regen', then copy <dir>/hts-cache/new.zip over the
+# 'httrack -#test=cache-golden <dir> regen', then copy <dir>/hts-cache/new.zip over the
 # committed file.

 set -eu
@@ -37,11 +37,11 @@ trap 'rm -rf "$dir"' EXIT
 mkdir -p "$dir/hts-cache"
 cp "$fixture/hts-cache/new.zip" "$dir/hts-cache/new.zip"

-out=$(httrack -#B "$dir")
+out=$(httrack -#test=cache-golden "$dir")

 # Match the exact success line: the read must have found and verified every
-# entry, not merely failed to enter the mode (a bad -#B falls through to the
-# usage screen, which also exits non-zero but never prints this).
+# entry, not merely failed to enter the mode (a renamed/removed test prints the
+# registry to stderr, which also exits non-zero but never prints this).
 test "$out" = "cache-golden: OK" || {
    echo "expected 'cache-golden: OK', got: $out" >&2
    exit 1
--- a/tests/01_engine-cache-writefail.test
+++ b/tests/01_engine-cache-writefail.test
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Keep this POSIX-portable: the harness runs it via $(BASH), which is a plain
+# POSIX /bin/sh on some platforms (e.g. macOS), so avoid bashisms and GNU-only
+# tool flags despite the #!/bin/bash above.
+
+# Cache write-failure handling (httrack -#test=cache-writefail <dir>). #174/#219.
+# A failing new.zip write (disk full) used to crash the process via assertf; it
+# must instead stop the mirror with a fatal error (exit_xh=-1), no crash. The
+# self-test asserts that; reverting the fix makes -#test=cache-writefail abort (SIGABRT) and fail.
+
+set -eu
+
+dir=$(mktemp -d)
+trap 'rm -rf "$dir"' EXIT
+
+out=$(httrack -#test=cache-writefail "$dir")
+
+# Match the exact success line (error logs also go to stdout); a renamed/removed
+# test prints the registry to stderr, which exits non-zero but never prints this.
+printf '%s\n' "$out" | grep -qx "cache-writefail: OK" || {
+    echo "expected 'cache-writefail: OK', got: $out" >&2
+    exit 1
+}
--- a/tests/01_engine-cache.test
+++ b/tests/01_engine-cache.test
@@ -4,7 +4,7 @@
 # POSIX /bin/sh on some platforms (e.g. macOS), so avoid bashisms and GNU-only
 # tool flags despite the #!/bin/bash above.

-# Cache create/read/update logic (driven by 'httrack -#A <dir>').
+# Cache create/read/update logic (driven by 'httrack -#test=cache <dir>').
 #
 # The in-process self-test stores several hand-crafted edge entries (normal
 # HTML, an empty redirect with a near-limit location, a non-HTML body kept via
@@ -20,13 +20,13 @@ set -eu
 dir=$(mktemp -d)
 trap 'rm -rf "$dir"' EXIT

-# Like the other -# debug modes, a trailing token (the working directory) is
-# required; a bare '-#A' falls through to the usage screen.
-out=$(httrack -#A "$dir")
+# The working directory is a required argument; without it the test prints a
+# usage line to stderr and returns non-zero.
+out=$(httrack -#test=cache "$dir")

 # Match the exact success line, so the test cannot pass for an unrelated reason
-# (e.g. the -#A mode being gone and falling through to the usage screen, which
-# also exits non-zero but never prints this).
+# (e.g. the cache test being gone, which prints the registry to stderr but
+# never prints this line).
 test "$out" = "cache-selftest: OK" || {
    echo "expected 'cache-selftest: OK', got: $out" >&2
    exit 1
--- a/tests/01_engine-charset.test
+++ b/tests/01_engine-charset.test
@@ -4,13 +4,13 @@
 set -euo pipefail

 # charset -> UTF-8 conversion (hts_convertStringToUTF8).
-# -#3 <charset> <string> prints the string re-decoded from <charset> as UTF-8.
+# -#test=charset <charset> <string> prints the string re-decoded from <charset> as UTF-8.
 conv() {
-    test "$(httrack -O /dev/null -#3 "$1" "$2")" == "$3" || exit 1
+    test "$(httrack -O /dev/null -#test=charset "$1" "$2")" == "$3" || exit 1
 }
 # crash probe: malformed input must exit cleanly, not abort.
 runs() {
-    httrack -O /dev/null -#3 "$1" "$2" >/dev/null 2>&1 || exit 1
+    httrack -O /dev/null -#test=charset "$1" "$2" >/dev/null 2>&1 || exit 1
 }

 # the source bytes below are UTF-8 (this file is UTF-8); "café" is 0x63 61 66 C3 A9.
@@ -31,7 +31,7 @@ conv 'us-ascii' 'hello' 'hello'
 # unknown charset: ASCII passes through unchanged, but non-ASCII input cannot be
 # decoded and yields empty output (an error is printed to stderr).
 conv 'no-such-charset-xyz' 'abc' 'abc'
-test "$(httrack -O /dev/null -#3 'no-such-charset-xyz' 'café' 2>/dev/null)" == "" || exit 1
+test "$(httrack -O /dev/null -#test=charset 'no-such-charset-xyz' 'café' 2>/dev/null)" == "" || exit 1

 # malformed UTF-8 (lone continuation byte, truncated lead byte) must not crash
 runs 'utf-8' $'\x80'
--- a/tests/01_engine-cookies.test
+++ b/tests/01_engine-cookies.test
@@ -1,14 +1,15 @@
 #!/bin/bash
 #
 # Issue #151 guard: the request Cookie header must be bare RFC 6265 name=value
-# pairs, no $Version/$Path attributes. Driven by the 'httrack -#Q' selftest.
+# pairs, no $Version/$Path attributes. Driven by the 'httrack -#test=cookies' selftest.

 set -eu

-# A trailing token is required; a bare '-#Q' falls through to the usage screen.
-out=$(httrack -#Q run)
+# 'run' is an ignored placeholder argument.
+out=$(httrack -#test=cookies run)

-# Exact-match the success line so a fall-through to usage can't pass the test.
+# Exact-match the success line so a renamed/removed test (it prints the registry
+# to stderr) can't pass.
 test "$out" = "cookie-header: OK" || {
    echo "expected 'cookie-header: OK', got: $out" >&2
    exit 1
--- a/tests/01_engine-copyopt.test
+++ b/tests/01_engine-copyopt.test
@@ -2,15 +2,16 @@
 #
 # Regression guard for the unsigned-enum sentinel trap: copy_htsopt's
 # `if (from->X > -1)` guard is always false for unsigned hts_boolean fields, so
-# they silently stop being copied. Driven by the in-process 'httrack -#9' test.
+# they silently stop being copied. Driven by the in-process 'httrack -#test=copyopt' test.
 # Keep POSIX-portable (harness runs it via $(BASH), a plain /bin/sh on macOS).

 set -eu

-# A trailing token is required; a bare '-#9' falls through to the usage screen.
-out=$(httrack -#9 run)
+# 'run' is an ignored placeholder argument.
+out=$(httrack -#test=copyopt run)

-# Exact-match the success line so a fall-through to usage can't pass the test.
+# Exact-match the success line so a renamed/removed test (it prints the registry
+# to stderr) can't pass.
 test "$out" = "copy-htsopt: OK" || {
    echo "expected 'copy-htsopt: OK', got: $out" >&2
    exit 1
--- a/tests/01_engine-dns.test
+++ b/tests/01_engine-dns.test
@@ -5,9 +5,8 @@ set -euo pipefail

 # DNS resolver/cache self-test: a mock getaddrinfo (no network) checks address
 # family, single-address selection, the -@i4/-@i6 family filter, and cache reuse.
-# The trailing token is required, like the other -# selftests, so a bare command
-# line isn't treated as "no arguments" and routed to the usage screen.
-out=$(httrack -#D run)
+# 'run' is an ignored placeholder argument.
+out=$(httrack -#test=dns run)

 test "$out" = "dns-selftest: OK" || {
    echo "expected 'dns-selftest: OK', got: $out" >&2
--- a/tests/01_engine-entities.test
+++ b/tests/01_engine-entities.test
@@ -4,13 +4,13 @@
 set -euo pipefail

 # HTML entity unescaping (hts_unescapeEntitiesWithCharset).
-# -#6 <string> prints the string with entities decoded (UTF-8 output).
+# -#test=entities <string> prints the string with entities decoded (UTF-8 output).
 ent() {
-    test "$(httrack -O /dev/null -#6 "$1")" == "$2" || exit 1
+    test "$(httrack -O /dev/null -#test=entities "$1")" == "$2" || exit 1
 }
 # crash probe: malformed input must exit cleanly, not abort.
 runs() {
-    httrack -O /dev/null -#6 "$1" >/dev/null 2>&1 || exit 1
+    httrack -O /dev/null -#test=entities "$1" >/dev/null 2>&1 || exit 1
 }

 # named entities
--- a/tests/01_engine-filter.test
+++ b/tests/01_engine-filter.test
@@ -4,13 +4,13 @@
 set -euo pipefail

 # wildcard filter engine (strjoker), the core of +/- include/exclude rules.
-# -#0 <filter> <string> prints "<string> does match <filter>" or "... does NOT match ...".
+# -#test=filter <filter> <string> prints "<string> does match <filter>" or "... does NOT match ...".

 match() {
-    test "$(httrack -O /dev/null -#0 "$1" "$2")" == "$2 does match $1" || exit 1
+    test "$(httrack -O /dev/null -#test=filter "$1" "$2")" == "$2 does match $1" || exit 1
 }
 nomatch() {
-    test "$(httrack -O /dev/null -#0 "$1" "$2")" == "$2 does NOT match $1" || exit 1
+    test "$(httrack -O /dev/null -#test=filter "$1" "$2")" == "$2 does NOT match $1" || exit 1
 }

 # bare star matches everything
--- a/tests/01_engine-hashtable.test
+++ b/tests/01_engine-hashtable.test
@@ -3,5 +3,7 @@

 set -euo pipefail

-# httrack internal hashtable autotest on 100K keys
-httrack -#7 100000
+# httrack internal hashtable autotest on 100K keys. Assert the success line (on
+# stderr) so a misrouted registry entry can't pass on exit code alone.
+out=$(httrack -#test=hashtable 100000 2>&1)
+printf '%s\n' "$out" | grep -q "all hashtable tests were successful!" || exit 1
--- a/tests/01_engine-idna.test
+++ b/tests/01_engine-idna.test
@@ -3,13 +3,13 @@

 set -euo pipefail

-# IDNA / punycode encode (-#4) and decode (-#5). This code has a CVE history,
+# IDNA / punycode encode (-#test=idna-encode) and decode (-#test=idna-decode). This code has a CVE history,
 # so the edge cases below cover passthrough, round-trips, and malformed input.

-enc() { test "$(httrack -O /dev/null -#4 "$1")" == "$2" || exit 1; }
-dec() { test "$(httrack -O /dev/null -#5 "$1")" == "$2" || exit 1; }
+enc() { test "$(httrack -O /dev/null -#test=idna-encode "$1")" == "$2" || exit 1; }
+dec() { test "$(httrack -O /dev/null -#test=idna-decode "$1")" == "$2" || exit 1; }
 # crash probe: malformed ACE input must exit cleanly, not abort.
-runs() { httrack -O /dev/null -#5 "$1" >/dev/null 2>&1 || exit 1; }
+runs() { httrack -O /dev/null -#test=idna-decode "$1" >/dev/null 2>&1 || exit 1; }

 # encode
 enc 'www.café.com' 'www.xn--caf-dma.com'
--- a/tests/01_engine-mime.test
+++ b/tests/01_engine-mime.test
@@ -4,13 +4,13 @@
 set -euo pipefail

 # MIME type guessing from extension (get_httptype / give_mimext).
-# -#2 <path> prints "<path> is '<mime>'" then "and its local type is '.<ext>'".
+# -#test=mime <path> prints "<path> is '<mime>'" then "and its local type is '.<ext>'".

 mime() {
-    test "$(httrack -O /dev/null -#2 "$1" | head -1)" == "$1 is '$2'" || exit 1
+    test "$(httrack -O /dev/null -#test=mime "$1" | head -1)" == "$1 is '$2'" || exit 1
 }
 unknown() {
-    test "$(httrack -O /dev/null -#2 "$1" | head -1)" == "$1 is of an unknown MIME type" || exit 1
+    test "$(httrack -O /dev/null -#test=mime "$1" | head -1)" == "$1 is of an unknown MIME type" || exit 1
 }

 mime '/a/b.html' 'text/html'
--- a/tests/01_engine-relative.test
+++ b/tests/01_engine-relative.test
@@ -8,7 +8,7 @@ set -euo pipefail
 # relative path from <curr>'s directory to <link>
 rel() {
    local got
-    got=$(httrack -O /dev/null -#l "$1" "$2")
+    got=$(httrack -O /dev/null -#test=relative "$1" "$2")
    test "$got" == "relative=$3" ||
        {
            echo "FAIL rel($1, $2): got '$got' want 'relative=$3'"
@@ -19,7 +19,7 @@ rel() {
 # resolve <link> against origin <adr>/<fil> -> adr=.. fil=..
 ident() {
    local got
-    got=$(httrack -O /dev/null -#i "$1" "$2" "$3")
+    got=$(httrack -O /dev/null -#test=resolve "$1" "$2" "$3")
    test "$got" == "$4" ||
        {
            echo "FAIL ident($1, $2, $3): got '$got' want '$4'"
--- a/tests/01_engine-savename.test
+++ b/tests/01_engine-savename.test
@@ -3,11 +3,11 @@

 set -euo pipefail

-# Local save-name extension resolution (url_savename via -#N <fil> <content-type>).
+# Local save-name extension resolution (url_savename via -#test=savename <fil> <content-type>).
 # Asserts on the basename of "savename: <path>".

 name() {
-    out="$(httrack -O /dev/null -#N "$1" "$2" | sed -n 's/^savename: //p')"
+    out="$(httrack -O /dev/null -#test=savename "$1" "$2" | sed -n 's/^savename: //p')"
    test "${out##*/}" == "$3" || {
        echo "FAIL: '$1' '$2' -> '$out' (want '$3')"
        exit 1
--- a/tests/01_engine-selftest-dispatch.test
+++ b/tests/01_engine-selftest-dispatch.test
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# The -#test dispatch itself: a bare -#test lists the registry, and an unknown
+# name errors (non-zero, diagnostic) instead of silently passing.
+
+set -eu
+
+# Bare -#test lists known tests (printed to stderr).
+list=$(httrack -#test 2>&1)
+printf '%s\n' "$list" | grep -q "filter" || exit 1
+printf '%s\n' "$list" | grep -q "cache-writefail" || exit 1
+
+# Unknown name: non-zero exit + diagnostic, and no test result line.
+rc=0
+err=$(httrack -#test=bogus 2>&1) || rc=$?
+test "$rc" -ne 0 || exit 1
+printf '%s\n' "$err" | grep -q "Unknown self-test" || exit 1
--- a/tests/01_engine-simplify.test
+++ b/tests/01_engine-simplify.test
@@ -5,7 +5,7 @@ set -euo pipefail

 # path simplify engine (fil_simplifie): collapses ./ and ../ segments.
 simp() {
-    test "$(httrack -O /dev/null -#1 "$1")" == "simplified=$2" || exit 1
+    test "$(httrack -O /dev/null -#test=simplify "$1")" == "simplified=$2" || exit 1
 }

 simp './foo/bar/' 'foo/bar/'
--- a/tests/01_engine-strsafe.test
+++ b/tests/01_engine-strsafe.test
@@ -3,23 +3,22 @@

 set -euo pipefail

-# htssafe.h bounded string operations (driven by 'httrack -#8').
+# htssafe.h bounded string operations (driven by 'httrack -#test=strsafe').

 # Success path: every bounded op (strcpybuff/strcatbuff/strncatbuff/strlcpybuff)
-# must behave correctly. Like the other -# debug modes, a trailing token is
-# required (a bare '-#8' falls through to the usage screen).
+# must behave correctly. 'run' selects the success path (vs the overflow modes).
 rc=0
-out=$(httrack -#8 run) || rc=$?
+out=$(httrack -#test=strsafe run) || rc=$?
 test "$rc" -eq 0 || exit 1
 test "$out" == "strsafe: OK" || exit 1

 # Overflow path: an over-capacity write into a sized buffer must be caught by
 # the bounded macro and abort the process, not be silently truncated/completed.
 # Assert the htssafe abort signature specifically, so the test cannot pass for
-# an unrelated reason (e.g. the -#8 mode being gone and falling through to the
-# usage screen, which also exits non-zero).
+# an unrelated reason (e.g. the strsafe test being gone, which prints the
+# registry to stderr and also exits non-zero).
 # the bounded macro aborts (non-zero exit), so don't let set -e trip on it
-err=$(httrack -#8 overflow "this string is far too long for the buffer" 2>&1) || true
+err=$(httrack -#test=strsafe overflow "this string is far too long for the buffer" 2>&1) || true
 case "$err" in
 *"strsafe: NOT aborted"*)
    echo "over-capacity write was NOT caught" >&2
@@ -36,7 +35,7 @@ esac
 # capacity (4 bytes into a 4-byte buffer), so this also pins the boundary: a
 # '<=' off-by-one in the capacity check would let it through (and print "NOT
 # aborted"). Match the specific htsbuff abort message, not just any assert.
-err=$(httrack -#8 overflow-buff "abcd" 2>&1) || true
+err=$(httrack -#test=strsafe overflow-buff "abcd" 2>&1) || true
 case "$err" in
 *"strsafe: NOT aborted"*)
    echo "htsbuff over-capacity write was NOT caught" >&2
--- a/tests/22_local-broken-size.test
+++ b/tests/22_local-broken-size.test
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Issues #32/#41: a Content-Length that disagrees with the body warns "bogus
+# state (broken size)" and skips the cache; -%B (tolerant) accepts it.
+
+: "${top_srcdir:=..}"
+
+# Default: warn, but the file is still written.
+bash "$top_srcdir/tests/local-crawl.sh" --errors 0 \
+    --found 'size/oversize.bin' \
+    --log-found 'bogus state \(broken size' \
+    httrack 'BASEURL/size/index.html'
+
+# -%B (tolerant): no warning, file written.
+bash "$top_srcdir/tests/local-crawl.sh" --errors 0 \
+    --found 'size/oversize.bin' \
+    --log-not-found 'bogus state' \
+    httrack 'BASEURL/size/index.html' '-%B'
--- a/tests/23_local-errpage.test
+++ b/tests/23_local-errpage.test
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Issue #17: with "no error pages" (-o0), 4xx/5xx bodies must not be written;
+# a genuine 0-byte 200 stays. Default (-o1) writes the error page. (#17's purge
+# half also does not reproduce; the purge path is not exercised here.)
+set -e
+
+: "${top_srcdir:=..}"
+
+# -o0: 404 suppressed, good page and the legit 0-byte 200 kept.
+bash "$top_srcdir/tests/local-crawl.sh" --errors 1 \
+    --found 'errpage/good.html' \
+    --found 'errpage/empty.html' \
+    --not-found 'errpage/missing.html' \
+    httrack 'BASEURL/errpage/index.html' '-o0'
+
+# Control -o1 (default): the 404 error page is written.
+bash "$top_srcdir/tests/local-crawl.sh" --errors 1 \
+    --found 'errpage/missing.html' \
+    httrack 'BASEURL/errpage/index.html' '-o1'
--- a/tests/24_local-resume-overlap.test
+++ b/tests/24_local-resume-overlap.test
@@ -0,0 +1,109 @@
+#!/bin/bash
+# Issue #198: on a resumed download the server may answer the Range with a 206
+# that starts *before* the offset we asked for (block-aligned ranges). httrack
+# must honor the returned Content-Range, not blindly append, or the overlap
+# bytes get duplicated and the file grows (corrupt PDFs). Pass 1 interrupts
+# flaky.bin mid-body (partial + temp-ref); pass 2 resumes against a 206 that
+# backs up 8 bytes. The result must equal the same bytes fetched whole (full.bin).
+set -eu
+
+: "${top_srcdir:=..}"
+testdir=$(cd "$(dirname "$0")" && pwd)
+server="${testdir}/local-server.py"
+
+command -v python3 >/dev/null || ! echo "python3 not found; skipping" || exit 77
+
+tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/httrack_198.XXXXXX") || exit 1
+serverpid=
+crawlpid=
+cleanup() {
+    if test -n "$crawlpid"; then kill -9 "$crawlpid" 2>/dev/null || true; fi
+    if test -n "$serverpid"; then
+        kill "$serverpid" 2>/dev/null || true
+        wait "$serverpid" 2>/dev/null || true
+    fi
+    rm -rf "$tmpdir"
+}
+trap cleanup EXIT HUP INT QUIT PIPE TERM
+
+# OVERLAP_COUNTER gets a byte per flaky.bin request so pass 1 knows when to interrupt.
+serverlog="${tmpdir}/server.log"
+counter="${tmpdir}/hits"
+resumed="${tmpdir}/resumed" # gets a byte when the server serves a resume 206
+OVERLAP_COUNTER="$counter" OVERLAP_RESUMED="$resumed" \
+    python3 "$server" --root "${testdir}/server-root" \
+    >"$serverlog" 2>&1 &
+serverpid=$!
+port=
+for _ in $(seq 1 50); do
+    line=$(head -n1 "$serverlog" 2>/dev/null)
+    if test "${line%% *}" == "PORT"; then
+        port="${line#PORT }"
+        break
+    fi
+    kill -0 "$serverpid" 2>/dev/null || {
+        echo "server exited early: $(cat "$serverlog")"
+        exit 1
+    }
+    sleep 0.1
+done
+test -n "$port" || {
+    echo "could not discover server port"
+    exit 1
+}
+base="http://127.0.0.1:${port}"
+
+which httrack >/dev/null || {
+    echo "could not find httrack"
+    exit 1
+}
+out="${tmpdir}/crawl"
+common=(-O "$out" --quiet --disable-security-limits --robots=0 --timeout=30 --retries=0 -c1)
+refdir="${out}/hts-cache/ref"
+
+# pass 1: interrupt once flaky.bin's prefix is streaming (partial + temp-ref).
+printf '[pass 1: interrupt flaky.bin] ..\t'
+httrack "${common[@]}" "${base}/overlap/index.html" >"${tmpdir}/log1" 2>&1 &
+crawlpid=$!
+for _ in $(seq 1 300); do
+    test -s "$counter" && break
+    kill -0 "$crawlpid" 2>/dev/null || break
+    sleep 0.1
+done
+sleep 0.5
+kill -TERM "$crawlpid" 2>/dev/null || true
+wait "$crawlpid" 2>/dev/null || true
+crawlpid=
+test -n "$(find "$refdir" -name '*.ref' 2>/dev/null)" || {
+    echo "FAIL: no temp-ref survived pass 1; cannot drive the resume"
+    exit 1
+}
+echo "OK (temp-ref present)"
+
+# pass 2: --continue -> resume Range -> 206 that starts 8 bytes early.
+printf '[pass 2: resume flaky.bin] ..\t'
+httrack "${common[@]}" --continue "${base}/overlap/index.html" >"${tmpdir}/log2" 2>&1 || true
+echo "OK"
+
+# Guard against a silent full re-download: the byte-compare below only tests the
+# fix if pass 2 actually went through the resume Range -> 206 path.
+printf '[resume path was exercised] ..\t'
+if ! test -s "$resumed"; then
+    echo "FAIL: pass 2 never triggered a resume 206; the overlap fix was not exercised"
+    exit 1
+fi
+echo "OK"
+
+printf '[resumed file is not corrupted] ..\t'
+dir=$(find "$out" -maxdepth 1 -type d -name '127.0.0.1*' | head -1)
+flaky="${dir}/overlap/flaky.bin"
+full="${dir}/overlap/full.bin"
+if ! test -f "$flaky" || ! test -f "$full"; then
+    echo "FAIL: flaky.bin or full.bin missing after pass 2"
+    exit 1
+fi
+if ! cmp -s "$flaky" "$full"; then
+    echo "FAIL: resumed flaky.bin ($(wc -c <"$flaky")) != full.bin ($(wc -c <"$full")); overlap duplicated"
+    exit 1
+fi
+echo "OK ($(wc -c <"$flaky") bytes, byte-identical)"
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -26,6 +26,7 @@ TESTS = \
 	00_runnable.test \
 	01_engine-cache.test \
 	01_engine-cache-golden.test \
+	01_engine-cache-writefail.test \
 	01_engine-charset.test \
 	01_engine-cmdline.test \
 	01_engine-cookies.test \
@@ -41,6 +42,7 @@ TESTS = \
 	01_engine-rcfile.test \
 	01_engine-relative.test \
 	01_engine-savename.test \
+	01_engine-selftest-dispatch.test \
 	01_engine-simplify.test \
 	01_engine-strsafe.test \
 	02_manpage-regen.test \
@@ -61,6 +63,9 @@ TESTS = \
 	18_local-update.test \
 	19_local-connect-fallback.test \
 	20_local-resume-loop.test \
-	21_local-intl-update.test
+	21_local-intl-update.test \
+	22_local-broken-size.test \
+	23_local-errpage.test \
+	24_local-resume-overlap.test

 CLEANFILES = check-network_sh.cache
--- a/tests/local-crawl.sh
+++ b/tests/local-crawl.sh
@@ -14,7 +14,9 @@
 # Usage:
 #   bash local-crawl.sh [--tls] [--root DIR] \
 #       --errors N --files N --found PATH ... --directory PATH ... \
+#       --log-found REGEX ... --log-not-found REGEX ... \
 #       httrack BASEURL/some/path [httrack-args...]
+# --log-found/--log-not-found grep (ERE) the crawl's hts-log.txt.

 set -u

@@ -107,7 +109,7 @@ while test "$pos" -lt "$nargs"; do
        audit+=("${args[$pos]}" "${args[$((pos + 1))]}")
        pos=$((pos + 1))
        ;;
-    --found | --not-found | --directory)
+    --found | --not-found | --directory | --log-found | --log-not-found)
        audit+=("${args[$pos]}" "${args[$((pos + 1))]}")
        pos=$((pos + 1))
        ;;
@@ -257,6 +259,22 @@ while test "$i" -lt "${#audit[@]}"; do
            exit 1
        fi
        ;;
+    --log-found)
+        i=$((i + 1))
+        info "checking log matches ${audit[$i]}"
+        if grep -aqE "${audit[$i]}" "${out}/hts-log.txt"; then result "OK"; else
+            result "not in log"
+            exit 1
+        fi
+        ;;
+    --log-not-found)
+        i=$((i + 1))
+        info "checking log lacks ${audit[$i]}"
+        if grep -aqE "${audit[$i]}" "${out}/hts-log.txt"; then
+            result "present in log"
+            exit 1
+        else result "OK"; fi
+        ;;
    esac
    i=$((i + 1))
 done
--- a/tests/local-server.py
+++ b/tests/local-server.py
@@ -225,6 +225,104 @@ class Handler(SimpleHTTPRequestHandler):
        self.send_header("Content-Length", "0")
        self.end_headers()

+    # 206 resume must honor the server's Content-Range, not the offset we asked
+    # for (#198): a server resuming a few bytes *before* the request must not
+    # leave httrack duplicating the overlap onto the partial. flaky.bin
+    # interrupts once then resumes OVERLAP_EARLY bytes early; full.bin serves
+    # the identical bytes in one shot, so the test can compare the two.
+    OVERLAP_BLOB = b"%PDF-1.4\n" + bytes((i * 37 + 11) % 256 for i in range(8000))
+    OVERLAP_EARLY = 8
+    OVERLAP_PREFIX_LEN = 4000  # flushed before the stall
+    _overlap_started = False
+
+    def route_overlap_index(self):
+        self.send_html('\t<a href="flaky.bin">flaky</a>\n\t<a href="full.bin">full</a>')
+
+    def route_overlap_full(self):
+        self.send_raw(self.OVERLAP_BLOB, "application/octet-stream")
+
+    def route_overlap(self):
+        counter = os.environ.get("OVERLAP_COUNTER")
+        if counter:
+            with open(counter, "a") as fp:
+                fp.write("x")
+        blob = self.OVERLAP_BLOB
+        rng = self.headers.get("Range")
+        # First GET: stream a prefix then stall, so the crawl can be interrupted
+        # mid-body (partial + temp-ref on disk).
+        if rng is None and not Handler._overlap_started:
+            Handler._overlap_started = True
+            self.send_response(200)
+            self.send_header("Content-Type", "application/octet-stream")
+            self.send_header("Content-Length", str(len(blob)))
+            self.send_header("Accept-Ranges", "bytes")
+            self.end_headers()
+            if self.command != "HEAD":
+                self.wfile.write(blob[: self.OVERLAP_PREFIX_LEN])
+                self.wfile.flush()
+                try:
+                    while True:
+                        time.sleep(3600)
+                except OSError:
+                    pass
+            return
+        if rng is None:  # no resume request: serve the whole file
+            return self.route_overlap_full()
+        # Resume: honor the Range, but back up OVERLAP_EARLY bytes.
+        start = (
+            int(rng[len("bytes=") :].split("-")[0]) if rng.startswith("bytes=") else 0
+        )
+        start = max(0, start - self.OVERLAP_EARLY)
+        # Signal that the resume Range -> 206 path actually fired, so the test
+        # can prove it was exercised (not a silent full re-download).
+        resumed = os.environ.get("OVERLAP_RESUMED")
+        if resumed:
+            with open(resumed, "a") as fp:
+                fp.write("x")
+        part = blob[start:]
+        self.send_response(206, "Partial Content")
+        self.send_header("Content-Type", "application/octet-stream")
+        self.send_header("Content-Length", str(len(part)))
+        self.send_header(
+            "Content-Range", "bytes %d-%d/%d" % (start, len(blob) - 1, len(blob))
+        )
+        self.end_headers()
+        if self.command != "HEAD":
+            self.wfile.write(part)
+
+    # error pages / 0-byte files (#17): -o0 ("no error pages") must keep 4xx/5xx
+    # bodies off disk; a genuine 0-byte 200 is a valid file and stays.
+    def route_errpage_index(self):
+        self.send_html(
+            '\t<a href="good.html">good</a>\n'
+            '\t<a href="missing.html">missing</a>\n'
+            '\t<a href="empty.html">empty</a>\n'
+        )
+
+    def route_errpage_good(self):
+        self.send_raw(b"<html><body>good page</body></html>\n", "text/html")
+
+    def route_errpage_missing(self):
+        self.send_html("\t404 error body", status=404, extra_status="Not Found")
+
+    def route_errpage_empty(self):
+        self.send_raw(b"", "text/html")
+
+    # broken Content-Length (#32/#41): declared size != bytes sent. httrack
+    # warns "bogus state (broken size)" and skips the cache unless -%B.
+    def route_size_index(self):
+        self.send_html('\t<a href="oversize.bin">over</a>\n')
+
+    def route_size_oversize(self):
+        body = b"A" * 100
+        self.send_response(200)
+        self.send_header("Content-Type", "application/octet-stream")
+        self.send_header("Content-Length", str(len(body) - 2))  # lie: too short
+        self.send_header("Connection", "close")
+        self.end_headers()
+        if self.command != "HEAD":
+            self.wfile.write(body)
+
    ROUTES = {
        "/cookies/entrance.php": route_entrance,
        "/cookies/second.php": route_second,
@@ -248,6 +346,15 @@ class Handler(SimpleHTTPRequestHandler):
        "/intl/" + INTL_NAME: route_intl_page,
        "/resume/index.html": route_resume_index,
        "/resume/blob.txt": route_resume,
+        "/overlap/index.html": route_overlap_index,
+        "/overlap/flaky.bin": route_overlap,
+        "/overlap/full.bin": route_overlap_full,
+        "/size/index.html": route_size_index,
+        "/size/oversize.bin": route_size_oversize,
+        "/errpage/index.html": route_errpage_index,
+        "/errpage/good.html": route_errpage_good,
+        "/errpage/missing.html": route_errpage_missing,
+        "/errpage/empty.html": route_errpage_empty,
    }

    # --- dispatch ----------------------------------------------------------
Author	SHA1	Message	Date
Xavier Roche	38882c0aee	Honor the server's Content-Range when resuming a partial download (#198 ) (#428 ) * Honor the server's Content-Range when resuming a partial download (#198) A resumed download (Range: bytes=N-) may be answered with a 206 whose range starts before N: block-aligned caches and CDNs routinely round the start down to a block boundary, and RFC 7233 lets the server pick the range it returns. httrack ignored the returned Content-Range and blindly appended the 206 body to the bytes already on disk, so the overlapping bytes were duplicated and the file grew by the overlap. With timing deciding which files get interrupted (and thus resumed), this surfaced as a random subset of files corrupted on each run, each a few bytes too large. Resume at the server's crange_start instead: ftruncate the partial to that offset and write the 206 body there (the in-memory branch keeps only that prefix). When the returned range is unusable (a forward gap, no/garbage Content-Range, or one that doesn't reach EOF) drop the partial and refetch the whole file rather than stitch a corrupt one. Reading the existing crange_start/crange_end/crange fields only, no ABI change. Driven by tests/24_local-resume-overlap.test: pass 1 interrupts a download mid-body, pass 2 resumes against a 206 that backs up 8 bytes, and the result must be byte-identical to the same content fetched whole. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> * Harden #198 fix: verify the truncate, assert the test hit the resume path Two follow-ups from review of the resume fix. If HTS_FTRUNCATE fails the partial could keep a stale tail (only when the resource shrank between runs, sz > full, so the body write no longer covers the old end). Check its return and, on failure, drop the partial and refetch the whole file instead of writing a possibly-corrupt one. The resume test only compared the resumed bytes against the whole file, which also passes if httrack silently re-downloads the file with no Range (the bug never fires). Mark when the server actually serves a resume 206 and assert pass 2 hit that path, so a full re-download fails the test instead of passing it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> * tests: run 24_local-resume-overlap under set -e Follow the golden rule for shell scripts: start with set -e so a non-last failure can't be masked. Guard the backgrounded-crawl kill/wait spots with \|\| true so the expected SIGTERM exit doesn't abort the run. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> --------- Signed-off-by: Xavier Roche <roche@httrack.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-26 17:42:26 +02:00
Xavier Roche	bfc4a016ab	Replace single-letter -# self-tests with a named -#test=NAME registry (#427 ) The hidden engine self-tests had accreted into a grab-bag of arbitrary single-letter/-digit -# arms (-#0, -#A, -#W, ...) buried in the htscoremain.c option switch, with no mnemonics and stale --help text. Collapse them into one registry: -#test lists every test with a usage hint and one-line description, and -#test=NAME [args] runs one. The handlers and the two helpers they used (basic_selftests, string_safety_selftests) move to a new htsselftest.c keyed by a {name, args, desc, fn} table; htscoremain.c keeps only a small dispatch that runs ahead of the no-URL usage gate, so a bare -#test (or an arg-less test like copyopt/dns/cookies) no longer needs a dummy URL token to be reached. The genuine debug knobs (-#L, -#C, -#R, -#h, ...) stay as letters in the switch; only the unit self-tests, whose sole callers are tests/01_engine-*.test, are renamed, so this is internal-only with no compatibility surface. Behavior is preserved: each test prints the same result line and exit code, which the existing assertions pin. Three now-unused includes (htscache_selftest.h, htsdns_selftest.h, htsencoding.h) drop out of htscoremain.c. Tests: the engine tests move to -#test=NAME; 01_engine-hashtable now asserts its success line (not just exit code) so a misrouted registry row can't pass, and a new 01_engine-selftest-dispatch covers the bare-list and unknown-name paths. The --help/man "guru options" list now points at -#test instead of enumerating a stale subset. The lone vestigial alias --debug-testfilters still resolves to the removed -#0 (it was already non-functional: param1 supplies one argument, -#0 required two); it is left untouched because editing that array forces clang-format to reflow the whole untouched table. Signed-off-by: Xavier Roche <roche@httrack.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-26 08:05:59 +02:00
Xavier Roche	756d8fb8bd	Stop the mirror with a fatal error on a cache write failure, don't crash (#174/#219) (#426 ) A failed write to the new.zip cache (zipOpenNewFileInZip / zipWriteInFileInZip / zipCloseFileInZip / zipFlush returning non-Z_OK) was a fatal assertf() that aborted the whole process and popped CRASH.TXT. The trigger is storage going away mid-crawl: a disk filling up overnight (#174) or a network share holding the mirror dropping (#219); WinHTTrack users commonly mirror to a NAS or mapped drive. The cache lives in the same output tree as the mirror, so a cache write failing means the mirror files can no longer be written either. Continuing would only produce a broken, incomplete mirror reported as success. So treat it the same way the engine already treats a failed mirror-file write (htscore.c:1961, htsback.c:2933): log the error and set opt->state.exit_xh = -1 to stop the mirror cleanly and exit non-zero. No crash, no CRASH.TXT. Route the cache_add() write sites through cache_zip_write_failed(), which logs once (the standard "disk full or filesystem problems" message when check_fatal_io_errno() confirms it) and flags the cache so sibling cache_add() calls don't re-enter the broken stream before the loop notices exit_xh. The flag is appended to the end of the engine-owned, non-installed struct cache_back, so the ABI is unchanged. Add an in-process self-test (httrack -#W) that drives cache_add() into a ZIP whose disk-full backend fails its writes; 01_engine-cache-writefail.test asserts httrack signals a fatal abort instead of crashing. Negative controls proven: reverting the fix makes -#W abort (SIGABRT); dropping the exit_xh assignment makes the test fail on the abort-signal check. Signed-off-by: Xavier Roche <roche@httrack.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-26 06:46:59 +02:00
Xavier Roche	5501faa7b1	tests: lock "no error pages" (-o0) write-suppression (#17 ) (#425 ) #17 (WinHTTrack 3.47-19, 2013) reported 404 error pages and 0-byte files kept and unpurged with "no error pages" set. It does not reproduce on current master/Linux: -o0 keeps 4xx/5xx bodies off disk and out of the purge list, a genuine 0-byte 200 is correctly saved, and purge removes stale files on update. The report's .html names were the extension-mangle bug (Defect A, fixed in #408 — the reporter switched to HTTP/1.0 because binaries were renamed .html); the settings-revert-on-update path is fixed by the hts_tristate option work (`4549ec3`, #413). Add an /errpage/ route group to local-server.py and 23_local-errpage.test locking -o0 suppression with an -o1 control. Negative-control verified: neutering the errpage gate (htsparse.c:3902) makes the test fail. Signed-off-by: Xavier Roche <roche@httrack.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-25 18:02:28 +02:00
Xavier Roche	6322b6fb1f	Lock --tolerant (-%B) on broken Content-Length, and fix an OOB it surfaced (#32/#41) (#424 ) * tests: lock --tolerant (-%B) behavior on broken Content-Length (#32/#41) A response whose Content-Length disagrees with the bytes actually sent warns "bogus state (broken size)" and is skipped from the cache, so it is re-fetched and re-warned on every run. --tolerant (-%B) already accepts such responses; either way the file reaches disk. Pin that contract with a local-server /size route (declares a length two bytes short of the body) and a test asserting the warning fires by default and is silenced under -%B, with the file present in both passes. Adds --log-found/--log-not-found ERE assertions on hts-log.txt to local-crawl.sh for the warning checks. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> * htslib: fix global-buffer-overflow in get_httptype_sized on empty filename get_httptype_sized() set a = fil + strlen(fil) - 1, then dereferenced *a in the extension scan before the a > fil bound was checked, so an empty fil ("") read one byte before the string. istoobig() passes a literal "" to is_hypertext_mime() whenever it classifies by mime alone (the quota check in back_checksize), so any octet-stream-ish download hit it. Bound the loop and the dot test before dereferencing. Latent (an OOB read of one .rodata byte); surfaced under ASan by the new 22_local-broken-size.test, whose oversize.bin is application/octet-stream. Adds a direct empty-fil case to the -#7 basic_selftests block as a fast, deterministic leaf-level regression (it aborts under ASan on the old code). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Xavier Roche <roche@httrack.com> --------- Signed-off-by: Xavier Roche <roche@httrack.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-25 17:18:06 +02:00
Xavier Roche	58f368a91a	tests: lock special-char URL naming across an update (#157 ) (#423 ) #157 reported accented URLs (pt-BR MediaWiki) losing their .html extension on an update pass, observed with 3.49-2 on Windows. It does not reproduce on current master: the update resolves the cached content-type and re-applies .html consistently, for UTF-8 and ISO-8859-1 sources, raw Latin-1 href bytes, either percent-encoding case, and dotted tails. The original symptom was a Windows codepage vs UTF-8 X-Save filename mismatch that cannot occur on a UTF-8 filesystem. Add a regression test that locks the invariant: a dotless, accented basename served as text/html, crawled then updated, must keep its .html name and not leave an extensionless sibling. Also assert in the --rerun harness that the update pass reported "files updated" (a fresh crawl never does), so a regression that bypasses the cache and silently re-crawls fresh can no longer pass the update tests. Closes #157 Signed-off-by: Xavier Roche <roche@httrack.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-24 22:35:55 +02:00