[Bro] Protocol Analyzer: when to Unref a variable

Johanna Amann johanna at icir.org
Wed Aug 9 16:56:12 PDT 2017


Hi Valerio,

the answer to this is more or less that it is a bit complicated. Usually
when raising events, the values are "consumed" by the Bro core (so you
won't have to call Unref or anything on them). I expect most of the time
that you see an Unref directly in analyzer code is when a data
structure is first constructed and then not directly passed to the core,
but instead deleted again (e.g. because some precondition was not met).
Another case might be when it is replaced with a different structure.

When using more complex data structures, things get more complicated and
you basically have to resort to reading the code of the data structure you
are using, to determine if you have to call Unref afterwards (or you have
to use memory leak checks). An example where I think you see explicit
unrefs is when using a TableVal; the index is not consumed.

I hope this helps a bit,
 Johanna

On Fri, Jul 28, 2017 at 08:47:08AM +0200, Valerio wrote:
> By looking at some analyzers (e.g., sip, TCP) I noticed that some here
> and there (usually after the content of a variable is assigned to
> another structure with Append) a call to Unref() is made.
> 
> Are there any general principles or guidelines regarding when to
> explicitly Unref a variable when writing a Bro Analyzer with BinPAC?
> 
> thanks,
> Valerio


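The ownership rules discussed in this thread, as an added C++ model that is not Bro's code and not written by either poster. `Val`, `Table`, `raise_event` and `deliver_header` are simplified stand-ins assumed for illustration; `deliver_header` returns how many values are still allocated afterwards, which is the kind of result a memory leak check would report.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Simplified model of intrusive reference counting; these are NOT Bro's classes.
static int live_vals = 0;               // leak check: Val objects currently allocated

struct Val {
    std::string data;
    int refs = 1;                       // the creator holds the first reference
    explicit Val(std::string d) : data(std::move(d)) { ++live_vals; }
    ~Val() { --live_vals; }
};
inline void Unref(Val* v) { if (v && --v->refs == 0) delete v; }

// Models raising an event: the core takes over the caller's references.
void raise_event(std::vector<Val*> args) {
    for (Val* v : args) Unref(v);       // released by the core once handlers are done
}

// Models a table whose Assign consumes the value but only reads the index.
struct Table {
    std::map<std::string, Val*> rows;
    void Assign(const Val* index, Val* value) {
        auto it = rows.find(index->data);
        if (it != rows.end()) Unref(it->second);   // replaced entry is released
        rows[index->data] = value;                 // takes over the caller's reference
    }
    ~Table() { for (auto& r : rows) Unref(r.second); }
};

// Hypothetical analyzer callback; returns the number of leaked values (0 = clean).
int deliver_header(const std::string& name, const std::string& value, bool release_unused) {
    const int before = live_vals;
    {
        Table headers;
        Val* idx = new Val(name);
        Val* val = new Val(value);
        if (name.empty()) {             // precondition not met: nothing reaches the core
            if (release_unused) { Unref(idx); Unref(val); }
            return live_vals - before;
        }
        headers.Assign(idx, val);       // val is consumed, idx is not
        if (release_unused) Unref(idx); // so the caller still owns idx
        raise_event({new Val(name)});   // consumed by the core, no Unref here
    }
    return live_vals - before;
}
```

With `release_unused` set to false the model leaks one value on the normal path (the table index) and two on the early-return path, matching the two cases named in the reply.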