diff --git a/CHANGES b/CHANGES index 54d9921f6e..153f0ae980 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +7.0.0-dev.200 | 2024-05-02 19:00:53 -0700 + + * refine Val "footprint" to equate long strings with multiple objects (Vern Paxson, Corelight) + 7.0.0-dev.198 | 2024-05-02 10:21:43 -0700 * Constify classes in RuleMatcher, fixes c++20 build failure (Tim Wojtulewicz, Corelight) diff --git a/NEWS b/NEWS index ed82e649c5..e726382b58 100644 --- a/NEWS +++ b/NEWS @@ -58,6 +58,12 @@ Changed Functionality ``frameworks/signatures/iso-9660`` which also increases the BOF buffer sufficiently. Note, doing so may increase memory and CPU usage significantly. +- The ``val_footprint()`` BiF now factors in the size of strings when reporting + footprints, roughly equating a string's size with the number of elements + comparable to that length. As before, footprints are not meant to be precise + but mainly for providing comparisons, which is why this is not a breaking + change. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index ab23c435b2..525f993b04 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.0.0-dev.198 +7.0.0-dev.200 diff --git a/doc b/doc index 9f9ebde623..5a9c406b74 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 9f9ebde62380a3012a1471d9ff1c1c91c7aa69da +Subproject commit 5a9c406b74d75373b22531cf296e3fb14646a9b3 diff --git a/src/Val.cc b/src/Val.cc index 10acd4b8ff..f97601236a 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -855,6 +855,10 @@ StringValPtr StringVal::Replace(RE_Matcher* re, const String& repl, bool do_all) return make_intrusive(new String(true, result, r - result)); } +unsigned int StringVal::ComputeFootprint(std::unordered_set* analyzed_vals) const { + return 1 /* this object */ + static_cast(Len()) / sizeof(Val); +} + static std::variant BuildVal(const rapidjson::Value& j, const TypePtr& t, const FuncPtr& key_func) { auto mismatch_err = [t, &j]() { 
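Review bot: The new `StringVal::ComputeFootprint` in src/Val.cc has no comment stating its unit, and the one-line expression hides two conversions. Dividing by `sizeof(Val)` promotes the sum to `size_t`, which is then narrowed implicitly to the `unsigned int` return type, and the integer division truncates, so any string shorter than `sizeof(Val)` bytes still reports 1. I would add a comment above the definition such as `// Heuristic: 1 for the object plus one unit per sizeof(Val) bytes of string data (truncating); platform-dependent.` and cast the whole quotient rather than only `Len()`, so the narrowing is explicit (the cast's target type is not visible in this rendering). `analyzed_vals` is unused in this override, so dropping the name from the definition or marking it `[[maybe_unused]]` keeps unused-parameter warnings quiet. Since NEWS describes footprints as mainly for comparisons, the truncation and the platform dependence are worth documenting where users of `val_footprint()` will read them.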
diff --git a/src/Val.h b/src/Val.h index d62f581d49..c8392bbcfd 100644 --- a/src/Val.h +++ b/src/Val.h @@ -564,6 +564,8 @@ public: StringValPtr Replace(RE_Matcher* re, const String& repl, bool do_all); protected: + unsigned int ComputeFootprint(std::unordered_set* analyzed_vals) const override; + void ValDescribe(ODesc* d) const override; ValPtr DoClone(CloneState* state) override; diff --git a/testing/btest/Baseline/bifs.footprint/out b/testing/btest/Baseline/bifs.footprint/out index bc43dfb6bc..5302bdd10a 100644 --- a/testing/btest/Baseline/bifs.footprint/out +++ b/testing/btest/Baseline/bifs.footprint/out @@ -12,6 +12,7 @@ l1, 3 l1b, 6 l2, 7 l2b, 9 +l2c, T v1, 8 v2, 18 v3, 11 diff --git a/testing/btest/bifs/footprint.zeek b/testing/btest/bifs/footprint.zeek index 1fe986588e..edeec51c33 100644 --- a/testing/btest/bifs/footprint.zeek +++ b/testing/btest/bifs/footprint.zeek @@ -54,6 +54,12 @@ event zeek_init() local l2b = r2($a=3, $b1=99.0, $c="I'm here"); print "l2b", val_footprint(l2b); + local l2c = r2($a=3, $b1=99e99, $c="I'm here and really very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long-winded"); + # In the following, we just print the comparison rather than the + # actual footprint value, since the latter will change depending + # on the size of C++ pointers and the like. + print "l2c", val_footprint(l2c) > val_footprint(l2b); + local v1 = vector(9, 7, 3, 1); print "v1", val_footprint(v1);
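Review bot: The `l2c` case in footprint.zeek changes two fields relative to `l2b` (`$b1=99e99` as well as the long `$c`), so the printed comparison does not isolate the string's contribution; keeping `$b1=99.0` would make `$c` the only difference. The check also only holds while the literal is longer than the C++ `sizeof(Val)`, which the existing comment hints at but does not state. I would extend that comment with `# The string must be longer than sizeof(Val) bytes for the footprint to grow.` A second comparison against an even longer string would additionally pin that the footprint grows with length rather than by a fixed step. `zeek_init` starts and ends outside this hunk.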