Swift: Xcode 16.2 - could not build module

[stefanrenne]

ADO pipelines using codeql bundle 2.21.0 with Xcode 16.2 and the following task configuration block me to compile a swift project. It fails on could not build module related errors.

Pipeline:

 - task: AdvancedSecurity-Codeql-Init@1
  inputs:
    enableAutomaticCodeQLInstall: true
    languages: swift
    querysuite: security-and-quality
- task: Xcode@5
  displayName: 'Build and archive'
  inputs:
    configuration: 'ANONYMISED'
    sdk: iphoneos
    xcWorkspacePath: ANONYMISED.xcodeproj
    scheme: 'ANONYMISED'
    xcodeVersion: specifyPath
    xcodeDeveloperDir: '/Applications/Xcode_$(xcodeVersion).app/Contents/Developer'
    packageApp: true
    archivePath: 'output/release'
    exportPath: 'output/release'
    exportOptions: plist
    exportOptionsPlist: 'Signing/$(buildType)/exportOptions.plist'
    signingOption: default

Output:
logging.txt

[aibaars]

This line in the logs looks worrying:

2025-04-07T09:45:08.3797660Z   fatalError
2025-04-07T09:45:08.3798290Z   Cyclic dependency in module 'DarwinFoundation': DarwinFoundation -> _stddef -> DarwinFoundation

Have you tried running the same build commands in ADO, but without CodeQL? If the same build command runs fine without CodeQL then CodeQL's analyzer is somehow interfering and causing a failure.

[stefanrenne]

@aibaars of course, without the AdvancedSecurity-Codeql-Init@1 task everything works fine :)

[aibaars]

@aibaars of course, without the AdvancedSecurity-Codeql-Init@1 task everything works fine :)

Thanks for confirming.

[aibaars]

It would be very helpful if you could attach the detailed CodeQL log file, in particular the build-tracer.log file. I'm afraid I'm not familiar with ADO pipelines, and do not know how to obtain such log file from an ADO run. For GitHub Actions the github/codeql-action/init step has a debug: true property to enable debug mode, which uploads a debug artifact with logs and much more. I'm not sure if the ADO task has a similar feature.

I could not find many other reports of Cyclic dependency in module 'DarwinFoundation': DarwinFoundation -> _stddef -> DarwinFoundation. I found the following, but no suggestions on how to fix the problem other than running a clean build:
https://www.reddit.com/r/flutterhelp/comments/1i7h270/vs_code_template_flutter_project_cycling/

[aibaars]

Here are some instructions to obtain debug artifacts. Note that the debug artifacts contain sensitive information such as the contents of analyzed files. If your repository is private then it is probably best to create an enterprise support ticket and move this conversation there.

[stefanrenne]

@aibaars I have been trying this but I keep on getting a error

Artifact name input: codeql-artifact
##[error]Path does not exist: /Users/runner/work/_temp\advancedsecurity.codeql\d\swift

Which is probably because the whole compiling is broken?

[aibaars]

##[error]Path does not exist: /Users/runner/work/_temp\advancedsecurity.codeql\d\swift

That looks really strange indeed. It looks like a mixup of Windows and Unix paths. Do you have any idea where the \advancedsecurity.codeql\d\ part comes from?

[stefanrenne]

@aibaars oke my bad, used the slash in the wrong direction. Attached the build tracer log, I will provide all other logging to our GitHub person of contact.

build-tracer.log

[redsun82]

The Error: Environment variable SEMMLE_PRELOAD_libtrace is not set (or empty), but it should be set messages indeed look quite suspicious. However in the worst case that should impede analysis, not the build itself.

By the way, on Github actions that environment variable is set by github/codeql-action/init in case of a traced language. Shouldn't that variable be set by AdvancedSecurity-Codeql-Init@1 then?

[stefanrenne]

@redsun82 @aibaars Any update on this bug?

[ramon-hub]

@redsun82 @aibaars an update would be appreciated.

[redsun82]

Hi @stefanrenne @ramon-hub Thanks for the detailed logs provided in the internal escalation.

I would like to understand whether it's an interaction between CodeQL ADO's integration and the CodeQL tracer. I was wondering if the Xcode step could be replaced by a command step, and if we could then wrap it in a direct CodeQL invocation via codeql database trace-command /Users/runner/work/_temp/advancedsecurity.codeql/d/swift <the-build-command>". If that works, it means something is off in the CodeQL ADO integration in case of an indirectly traced macOS build like this one (indirect meaning you add a CodeQL init step and then do your usual build steps, direct would be the invocation under database trace-command, or one done via codeql database create). If that doesn't work, then something's really off in the macOS tracer per se.

[stefanrenne]

@redsun82 the result is definitely different
This is the build task I'm now executing

- task: Bash@3
  displayName: "Build and archive"
  inputs:
    targetType: 'inline'
    script: |
      codeql database trace-command /Users/runner/work/_temp/advancedsecurity.codeql/d/swift "/usr/bin/xcodebuild -sdk iphoneos -configuration \"ACC(debug)\" -project /Users/runner/work/1/s/ANONYMIZED.xcodeproj -scheme \"ANONYMIZED - ACC\" build -clonedSourcePackagesDirPath SourcePackages;/usr/bin/xcodebuild -project /Users/runner/work/1/s/ANONYMIZED.xcodeproj -scheme "ANONYMIZED - ACC" archive -sdk iphoneos -configuration \"ACC(debug)\" -archivePath "/Users/runner/work/1/s/output/release/ANONYMIZED - ACC" -clonedSourcePackagesDirPath SourcePackages;/usr/bin/xcodebuild -exportArchive -archivePath "/Users/runner/work/1/s/output/release/ANONYMIZED - ACC.xcarchive" -exportPath /Users/runner/work/1/s/output/release -exportOptionsPlist /Users/runner/work/1/s/Signing/debug/exportOptions.plist"

But the logs are indicating an unexpected token `(' see attachment

logging.txt

[redsun82]

Interesting, the Environment variable SEMMLE_PRELOAD_libtrace is not set (or empty) seems to be gone, which could indicate something's off with the ADO codeQL integration in your case. Though it might still not be the root cause of your problem. I'm still investigating this, but in the meantime, one more question: is it possible for you to run this build locally? I can understand if it's not possible (maybe you don't have macOS machines or the build takes too long), but if yes running codeql database create -lswift -c "<your-build-command>" ../codeql-database might be helpful pinpointing the problem. If that succeeds, we can start looking at things like differences in installed tooling versions between your local setup and the ADO hosts.

[redsun82]

ah, before trying that, one more thing that sprang to my mind @stefanrenne: could you try adding explicit ARCHS=arm64 to all your xcodebuild invocations? CodeQL runs things under rosetta, so it actually switches to x86 executables. As your target is iPhone, we might need to make the target architecture explcit.

[stefanrenne]

@redsun82 lets see I tried building locally under rosetta, no problem there then I downloaded the latest codeql bundle 2.21.3, I should mention that this is a newer version then the latest one I tried on ado.
And I'm running this command:
./codeql database create -lswift -c "/usr/bin/xcodebuild -sdk iphoneos -configuration \"ACC(debug)\" -project /Users/stefan/git/ANONYMIZED/ANONYMIZED.xcodeproj -scheme \"ANONYMIZED - ACC\" build" ../codeql-database

And it gives this output Successfully created database at /Users/stefan/Documents/codeql-database.
I have just mailed you the logging

[redsun82]

Good to hear that! I will compare the logs now.

In CodeQL version 2.21.2 we updated the swift compiler library our swift solution is built upon to version 6.1, so I wonder if that is what has helped in your local run. I see the latest failure logs we have come from a 2.21.1 CLI.

The other point might be the different Xcode version you're using, but I would definitely try first if you can update the codeQL version, maybe trying both an indirect tracing run (i.e. the initial pipeline you had with the Xcode action) and a direct one (the database trace-command bash action).

If that fails, is using a newwer Xcode version in your CI an option maybe?