feat(callgraph): C call graph builder

[shivasurya]

Summary

Adds BuildCCallGraph — a four-pass algorithm that produces a *core.CallGraph for C projects, ready to merge into the unified graph alongside Python/Go.

Pass	Purpose
1	Index every C function_definition under \"<relpath>::<name>\" and ensure the FQN is also in registry.FunctionIndex
2	Register explicit return types (skipping void) and emit ParameterSymbol entries for every named parameter
3	Walk parser-emitted edges (function_definition → call_expression) to extract one CallSiteInternal per call — no second AST traversal
4	Resolve targets in a definition-preferring order, then emit edges and CallSite records

Resolution order (Pass 4)

1. Same-file definition — common case (helper in same .c); deterministic and independent of include state.
2. Global definition — scan registry.FunctionIndex[name] for an FQN whose call-graph entry is a definition. Handles cross-.c calls.
3. Same-file declaration — accept a forward declaration when no definition exists project-wide.
4. Declaration reachable through #include — last resort so externs handed off to another translation unit still surface as edges.

Calls that don't match any source produce a CallSite{Resolved: false, FailureReason: \"external_or_unresolved\"} — stdlib calls (printf, malloc) and unknown function pointers remain visible to rule writers without polluting the edge set.

Design notes

• Edges from the parser: every parseCCallExpression adds an edge from the enclosing function to the call node. The builder walks OutgoingEdges of each indexed function instead of doing byte-range containment, keeping Pass 3 deterministic and trivially testable.
• Definition vs declaration: the parser sets Metadata[\"is_declaration\"]=true on prototype/extern decls. isDeclaration() reads that key with a typed assertion so non-declaration nodes (no metadata) fall through correctly.
• Recursion: self-edges (process → process) are emitted as-is; the call graph already deduplicates via AddEdge.
• Static functions: same FQN-by-file mechanism — file-scope statics in different .c files map to disjoint FQNs.
• Unique FunctionIndex entries: Pass 1 dedupes against the registry's existing FunctionIndex so calling BuildCCallGraph after BuildCModuleRegistry is idempotent.

Test plan

• go build ./...
• go test ./... — full suite green
• go vet ./...
• golangci-lint run ./graph/callgraph/builder/ — 0 issues
• Coverage on c_builder.go lines: ~89.6%
• Spec scenarios covered:
  • Single-file main() → add() edge
  • Cross-file .c definition preferred over .h declaration
  • Header declaration via #include fallback
  • printf (stdlib) recorded as Resolved:false with failure reason
  • Recursive self-call
  • Same name in two .c files (file-scope statics)
  • Type engine populated; void returns dropped
  • Parameters indexed (anonymous params skipped)
  • Declarations skipped from Pass 2 type extraction
  • Merges cleanly into an empty unified graph
  • Non-C nodes ignored (mixed-language safety)
  • Anonymous / missing-file functions filtered
  • Empty-target call_expression produces no edge and no recorded site
  • Cross-.c global lookup works without an #include
  • Same-file forward declaration accepted when no definition exists

Stacked on

shiva/cpp-type-inference (#673)

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	2
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

❌ Patch coverage is 88.35616% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.28%. Comparing base (d3ea40b) to head (d55e6cc).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
sast-engine/graph/callgraph/builder/c_builder.go	88.35%	11 Missing and 6 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #674      +/-   ##
==========================================
- Coverage   85.28%   85.28%   -0.01%     
==========================================
  Files         182      183       +1     
  Lines       26399    26545     +146     
==========================================
+ Hits        22515    22639     +124     
- Misses       3023     3038      +15     
- Partials      861      868       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[shivasurya]

• feat(python-sdk): @c_rule / @cpp_rule decorators with language scoping #678
• feat(cfg+scan+output): wire C/C++ pipeline end-to-end #677
• feat(extraction): C/C++ statement extraction #676
• feat(callgraph): C++ call graph builder #675
• feat(callgraph): C call graph builder #674 👈 (View in Graphite)
• feat(callgraph): C/C++ explicit type inference engines #673
• feat(callgraph): C/C++ module registry and include resolution #672
• feat(graph): C++ parser — classes, namespaces, templates, exception flow #671
• feat(graph): C parser — function defs, types, decls, calls, includes #670
• feat(graph/clike): shared C/C++ AST extraction helpers #669
• feat(graph): C/C++ file detection and tree-sitter parsing foundation #668
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[shivasurya]

Merge activity

• May 3, 1:15 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 3, 1:27 PM UTC: Graphite rebased this pull request as part of a merge.
• May 3, 1:28 PM UTC: @shivasurya merged this pull request with Graphite.