[Bro-Dev] Intermittent bro crashes

McMullan, Tim Tim.McMullan at sig.com
Wed Oct 17 05:44:00 PDT 2018

Hi Jon,

Our scripts do make extensive use of &read_expire and &create_expire, but we don't have expire_func anywhere.

I'll check against the latest master and see how it goes!


-----Original Message-----
From: Jon Siwek [mailto:jsiwek at corelight.com]
Sent: Tuesday, October 16, 2018 12:02 PM
To: McMullan, Tim <Tim.McMullan at msx.bala.susq.com>
Cc: <bro-dev at bro.org> <bro-dev at bro.org>; Wallior, Julien <Julien.Wallior at msx.bala.susq.com>
Subject: Re: [Bro-Dev] Intermittent bro crashes

On Tue, Oct 16, 2018 at 9:38 AM McMullan, Tim <Tim.McMullan at sig.com> wrote:

> We have been seeing occasional core dumps from bro, currently running on 2.5-870.

May be nice to try most recent master version to see if it still pops up.

>  We’ve tried a few things to reproduce it on-demand but haven’t been successful.  We were wondering if you might have some insight into the crash.  This is the backtrace we get:
> #0  TableEntryVal::ExpireAccessTime (this=0x9b349bd32ebb5614) at /hostname/bro-devel-src/src/Val.h:741
> #1  TableVal::DoExpire (this=0x3955a40, t=1539447574.1403711) at /hostname/bro-devel-src/src/Val.cc:2353

I don't see an immediate culprit there -- it's the table entry
expiration algorithm that I guess is well-traveled by most people
running Bro, so maybe need to work on narrowing down a way to
reproduce or what specific script is triggering it.  Do you have any
custom scripts that make use of &expire_func or &{read, write,
create}_expire table attributes?  That could be a first place to
inspect.  I also fixed a bug [1] in related code just last week, but
I'd expect that to give a different stack trace if it was the same
problem here (still doesn't hurt to try to rule that out as a
contributing factor by testing w/ latest git/master).

- Jon

[1] https://github.com/bro/bro/commit/8792f5545cd5b7de433d0eee510fde94371fdee3


IMPORTANT: The information contained in this email and/or its attachments is confidential. If you are not the intended recipient, please notify the sender immediately by reply and immediately delete this message and all its attachments. Any review, use, reproduction, disclosure or dissemination of this message or any attachment by an unintended recipient is strictly prohibited. Neither this message nor any attachment is intended as or should be construed as an offer, solicitation or recommendation to buy or sell any security or other financial instrument. Neither the sender, his or her employer nor any of their respective affiliates makes any warranties as to the completeness or accuracy of any of the information contained herein or that this message or any of its attachments is free of viruses.

More information about the bro-dev mailing list