[Bro-Dev] serialization problems

Jonathan Siwek jsiwek at ncsa.illinois.edu
Wed Jun 22 13:36:21 PDT 2011


I've been having a heck of a time porting the istate.events unit test to the policy-scripts-new branch.  I understand the script changes that need to be done and everything, but the way the test compares the serialized events from each bro instance has started to fail: they are reporting differing values of arguments in some places that I'm trying to understand.

I think the difference isn't a result of the new policy scripts themselves, but probably just that they're exercising some part of the serialization code that wasn't before.  Here's a simpler example script I wrote that (I think) shows the same kind of thing I was running into with the new http scripts:

---------------- event_serialize_test.bro ----------------

type I: record {
    method: string;
    cnt: string &default="";
};

type S: record {
    pending: table[count] of I;
};

type C: record {
    somefield: string &default="blah";
    state: S;
};

global E: event(c: C);

event E(c: C)
    {
    print c;
    c$state$pending[1]$method = "after event";
    c$state$pending[1]$cnt += "*";
    }

event bro_init()
    {
    capture_events("events.bst");
    local c: C;
    local i: I;
    c$state$pending[1] = i;
    c$state$pending[1]$method = "by init";
    event E(c);
    event E(c);
    }

---------------- event_serialize_test.bro ----------------

Here's some output that looks ok:

$ ./src/bro event_serialize_test.bro 
[somefield=blah, state=[pending={
[1] = [method=by init, cnt=]
}]]
[somefield=blah, state=[pending={
[1] = [method=after event, cnt=*]
}]]

But here are the serialized events:

$ ./src/bro -x events.bst event_serialize_test.bro 
Date: Wed Jun 22 14:55:52 2011
Event [1308772552.798098] E([somefield="blah", state=[pending={[1] = [method="by init", cnt=""]}]])
Event [1308772552.798098] E([somefield="blah", state=[pending={[1] = [method="by init", cnt=""]}]])

So the value of the 'pending' table doesn't seem right to me for the second serialization of event E.

After enabling the serialization debug logs, I think what I'm seeing is that the first event is serialized with the full table value, but the second event is serialized with just a reference to the first's even though that value has changed.

Does this seem like a problem or am I not really on the right track?

- Jon
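
The behaviour hypothesized in the message above, as an added example that is not part of the original post and is not Bro's serializer code: a toy serializer that caches objects by identity and emits only a reference on the second sighting, so a value mutated in between comes out stale. The `Rec`, `Serializer` and `replay` names, the `ref:`/`full:` stream format and the version-counter variant are all assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for the mutable record stored in the 'pending' table.
struct Rec {
    std::string method, cnt;
    unsigned version = 0;  // assumed write counter, used only by the checked variant
    void set(std::string m, std::string c) { method = m; cnt = c; ++version; }
};

// Toy serializer with an identity-keyed cache; a model of the hypothesis only.
class Serializer {
    struct Entry { unsigned id, version; };
    bool check_version_;
    unsigned next_id_ = 1;
    std::map<const Rec*, Entry> cache_;     // object address -> id assigned on first write
    std::map<unsigned, std::string> full_;  // id -> value a reader of the stream would hold
public:
    explicit Serializer(bool check_version) : check_version_(check_version) {}
    // First sighting emits the full value; later sightings emit only "ref:<id>".
    std::string serialize(const Rec& r) {
        auto it = cache_.find(&r);
        if (it != cache_.end() && (!check_version_ || it->second.version == r.version))
            return "ref:" + std::to_string(it->second.id);
        unsigned id = next_id_++;
        cache_[&r] = Entry{id, r.version};
        full_[id] = "[method=" + r.method + ", cnt=" + r.cnt + "]";
        return "full:" + std::to_string(id) + ":" + full_[id];
    }
    // What the reader reconstructs for one emitted item.
    std::string resolve(const std::string& item) const {
        if (item.rfind("ref:", 0) == 0) return full_.at(std::stoul(item.substr(4)));
        return item.substr(item.find(':', 5) + 1);
    }
};

// Mirrors the script: serialize, mutate as the handler does, serialize again.
std::vector<std::string> replay(bool check_version) {
    Serializer s(check_version);
    Rec r;
    r.set("by init", "");
    std::string first = s.resolve(s.serialize(r));
    r.set("after event", "*");
    return {first, s.resolve(s.serialize(r))};
}

int main() {
    for (bool c : {false, true}) std::cout << replay(c)[0] << " | " << replay(c)[1] << "\n";
}
```

With the identity-only cache both reconstructed values read `method=by init`, matching the `-x events.bst` output in the message; with the assumed version check the second one reflects the handler's writes.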

