Description
Hi all. I'm seeing some unexpected behavior, and I can't explain it - perhaps I'm misunderstanding C, or perhaps I've found a bug in CodeQL.
I create a project comprising two source files. The first, a.c:
#include <stdio.h>
void __attribute__((weak)) foo() { printf("The weak func"); } /* weak definition: may be overridden at link time */
int main(void) { return 0; }
And the second, b.c:
#include <stdio.h>
void foo() { printf("The strong func"); } /* strong definition: wins over the weak one */
I build these with the Makefile (supplied for completeness, excuse my verbosity):
a:
	gcc -o a a.c b.c
As you can see, foo is defined twice - once as weak.
I then run the following CodeQL query to list all functions, and an attribute of each.
import cpp
from Function f select f, f.getAnAttribute().toString()
Via the following commands:
./codeql database create a --language=c --overwrite --source-root /home/aliz/a/
./codeql database analyze --format=csv --output=results a foo --rerun
This results in the following unexpected output:
"foo","foo","error","weak","/a.c","2","28","2","30"
"foo","foo","error","weak","/b.c","2","6","2","8"
As you can see, the two functions have been identified, but have both been marked with the weak attribute. I expected only the first to be marked as weak.
I initially thought this was due to some subtle C behavior beyond my understanding, but if we look a little closer, it does indeed appear that CodeQL has 'mixed up' the two functions. I run the following query, intended to list the string literals for each function:
import cpp
from
  StringLiteral str,
  Function f
where
  str.getEnclosingFunction() = f
select f, str.getValue()
This results in the following:
"foo","foo","error","The weak func
The strong func","/a.c","2","28","2","30"
"foo","foo","error","The weak func
The strong func","/b.c","2","6","2","8"
Here, the two functions have been reported, but each is reported as referencing both strings, which appears incorrect to me - I would have expected something akin to the following to be returned:
"foo","foo","error","The weak func","/a.c","2","28","2","30"
"foo","foo","error","The strong func","/b.c","2","6","2","8"
Can anyone shed some light on the issue here? Have I really stumbled into a CodeQL bug, or is this due to some wizard-level C behavior? Thanks for any help!
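As an added example (not part of the original issue or of CodeQL's own documentation): a query that reports string literals per definition site rather than per Function. It assumes the standard CodeQL cpp library, where each definition that appears in the source is its own FunctionDeclarationEntry with its own getBlock(), even when the definitions are modelled by one shared Function; the per-file split in the select clause is what the original query could not produce.

```ql
import cpp

// One row per definition site (FunctionDeclarationEntry), not per merged Function.
// Assumption: the cpp library keeps a FunctionDeclarationEntry, with its own body via
// getBlock(), for every definition of `foo`, while attributes and callers are on the
// shared Function. Attributes are therefore read from the Function and may still show
// on both rows; the literals, however, are attributed to the right file.
from FunctionDeclarationEntry fde, StringLiteral str
where
  fde.isDefinition() and
  str.getEnclosingFunction() = fde.getFunction() and
  // keep only literals whose enclosing statement sits inside this definition's body
  str.getEnclosingStmt().getParentStmt*() = fde.getBlock()
select fde, fde.getFile().getBaseName(), str.getValue(),
  concat(Attribute a | a = fde.getFunction().getAnAttribute() | a.getName(), ", ")
```

Comparing the file column of each row with the literal it carries shows whether the extractor really mixed the bodies up or only merged the two definitions into one Function element.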