[Bro] Protocol Analyzer: when to Unref a variable

Valerio valerio.click at gmx.com
Thu Aug 10 07:23:37 PDT 2017


Hi Johanna,

thanks for your reply, it does help a lot!
Especially the confirmation that values that are passed to events are
"consumed" by Bro core.

best,
Valerio

On 10/08/2017 01:56, Johanna Amann wrote:
> Hi Valerio,
> 
> the answer to this is more or less that it is a bit complicated. Usually
> when raising events, the values are "consumed" by the Bro core (so you
> won't have to call Unref or anything on them). I expect most of the time
> that you see an Unref directly in analyzer code is when a data
> structure is first constructed and then not directly passed to the core,
> but instead deleted again (e.g. because some precondition was not met).
> Another case might be when it is replaced with a different structure.
> 
> When using more complex data structures, things get more complicated and
> you basically have to resort to reading the code of the data structure you
> are using, to determine if you have to call Unref afterwards (or you have
> to use memory leak checks). An example where I think you see explicit
> unrefs is when using a TableVal; the index is not consumed.
> 
> I hope this helps a bit,
>  Johanna
> 
> On Fri, Jul 28, 2017 at 08:47:08AM +0200, Valerio wrote:
>> By looking at some analyzers (e.g., sip, TCP) I noticed that some here
>> and there (usually after the content of a variable is assigned to
>> another structure with Append) a call to Unref() is made.
>>
>> Are there any general principles or guidelines regarding when to
>> explicitly Unref a variable when writing a Bro Analyzer with BinPAC?
>>
>> thanks,
>> Valerio
>>
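
The ownership rules discussed in this thread, as an added example that is not part of the original messages and is not Bro's code: a toy C++ model of a consuming sink (values passed to an event), a value that is built and then dropped, and a table whose index is not consumed. `Val` and `Unref` borrow the thread's vocabulary; `EventQueue`, `Table`, `live` and the three `*_path` functions are hypothetical, and the table taking over its value is an assumption of the model.

```cpp
// Toy model of the ownership rules in the thread; these are not Bro's classes.
#include <map>
#include <vector>
static int live = 0;                       // stand-in for a memory leak check

struct Val {                               // intrusively ref-counted value
    int refs = 1, n;                       // the creator holds the first reference
    explicit Val(int v) : n(v) { ++live; }
    ~Val() { --live; }
};
void Unref(Val* v) { if (v && --v->refs == 0) delete v; }

struct EventQueue {                        // consuming sink, like event arguments
    std::vector<Val*> args;
    void Enqueue(Val* v) { args.push_back(v); }   // takes over the caller's ref
    void Drain() { for (Val* v : args) Unref(v); args.clear(); }
};

struct Table {                             // index is only read, never owned
    std::map<int, Val*> rows;
    void Assign(Val* index, Val* value) {  // value is taken over (model assumption)
        Val*& slot = rows[index->n];
        Unref(slot);                       // drop any entry being replaced
        slot = value;
    }
    ~Table() { for (auto& r : rows) Unref(r.second); }
};
// Each function returns the number of objects still alive (0 = no leak).
int event_path() {
    EventQueue q;
    q.Enqueue(new Val(1));                 // no Unref here: the queue owns it now
    q.Drain();
    return live;
}
int dropped_path(bool unref) {
    Val* v = new Val(2);                   // built, but a precondition fails
    if (unref) Unref(v);                   // never handed over, so release it
    int leaked = live;
    if (!unref) Unref(v);                  // tidy up so the demo itself is clean
    return leaked;
}
int table_path(bool unref_index) {
    Val* idx = new Val(3);
    { Table t; t.Assign(idx, new Val(4)); }   // table and its value are gone here
    if (unref_index) Unref(idx);           // the index was not consumed
    int leaked = live;
    if (!unref_index) Unref(idx);          // tidy up so the demo itself is clean
    return leaked;
}
int main() { return event_path() + dropped_path(true) + table_path(true); }
```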

