Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/awelzel/event-trace-mgr-destructor-fclose'

Browse source 
* origin/topic/awelzel/event-trace-mgr-destructor-fclose:
  btest/core: Add event-trace test
  zeek-setup: Free event_trace_mgr after generating trace
  EventTraceMgr: Rename etm to event_trace_mgr
  EventTraceMgr: Move fclose() to destructor
This commit is contained in:
Arne Welzel 2025-05-19 20:01:30 +02:00
commit eb15997cc3
10 changed files with 65 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

12
CHANGES
View file

@ -1,3 +1,15 @@
8.0.0-dev.136 | 2025-05-19 20:01:30 +0200
* btest/core: Add event-trace test (Arne Welzel, Corelight)
* zeek-setup: Free event_trace_mgr after generating trace (Arne Welzel, Corelight)
* EventTraceMgr: Rename etm to event_trace_mgr (Arne Welzel, Corelight)
* EventTraceMgr: Move fclose() to destructor (Arne Welzel, Corelight)
* Update cmake submodule (Tim Wojtulewicz, Corelight)
8.0.0-dev.130 | 2025-05-19 10:25:34 -0700 8.0.0-dev.130 | 2025-05-19 10:25:34 -0700
* Remove unnecessary #includes across the repo (Tim Wojtulewicz, Corelight) * Remove unnecessary #includes across the repo (Tim Wojtulewicz, Corelight)

2
VERSION
View file

@ -1 +1 @@
8.0.0-dev.130 8.0.0-dev.136

16
src/EventTrace.cc
View file

@ -13,7 +13,7 @@
namespace zeek::detail { namespace zeek::detail {
std::unique_ptr<EventTraceMgr> etm; std::unique_ptr<EventTraceMgr> event_trace_mgr;
// Helper function for generating a correct script-level representation // Helper function for generating a correct script-level representation
// of a string constant. // of a string constant.
@ -955,7 +955,17 @@ bool ValTraceMgr::IsUnsupported(const Val* v) const {
EventTraceMgr::EventTraceMgr(const std::string& trace_file) { EventTraceMgr::EventTraceMgr(const std::string& trace_file) {
f = fopen(trace_file.c_str(), "w"); f = fopen(trace_file.c_str(), "w");
if ( ! f ) if ( ! f )
reporter->FatalError("can't open event trace file %s", trace_file.c_str()); reporter->FatalError("can't open event trace file %s: %s", trace_file.c_str(), strerror(errno));
}
EventTraceMgr::~EventTraceMgr() {
if ( f ) {
if ( fclose(f) )
// Not fatal, won't do anything with it anymore anyhow.
reporter->Error("failed to close event trace file: %s", strerror(errno));
f = nullptr;
}
} }
void EventTraceMgr::Generate() { void EventTraceMgr::Generate() {
@ -999,8 +1009,6 @@ void EventTraceMgr::Generate() {
for ( auto& c : c_t ) for ( auto& c : c_t )
fprintf(f, "#\t%s\n", c.c_str()); fprintf(f, "#\t%s\n", c.c_str());
} }
fclose(f);
} }
void EventTraceMgr::StartEvent(const ScriptFunc* ev, const zeek::Args* args) { void EventTraceMgr::StartEvent(const ScriptFunc* ev, const zeek::Args* args) {

4
src/EventTrace.h
View file

@ -441,6 +441,8 @@ class EventTraceMgr {
public: public:
EventTraceMgr(const std::string& trace_file); EventTraceMgr(const std::string& trace_file);
~EventTraceMgr();
// Generates the trace upon exit. // Generates the trace upon exit.
void Generate(); void Generate();
@ -465,6 +467,6 @@ private:
}; };
// If non-nil then we're doing event tracing. // If non-nil then we're doing event tracing.
extern std::unique_ptr<EventTraceMgr> etm; extern std::unique_ptr<EventTraceMgr> event_trace_mgr;
} // namespace zeek::detail } // namespace zeek::detail

8
src/Expr.cc
View file

@ -3865,8 +3865,8 @@ ValPtr ScheduleExpr::Eval(Frame* f) const {
if ( args ) { if ( args ) {
auto handler = event->Handler(); auto handler = event->Handler();
if ( etm ) if ( event_trace_mgr )
etm->ScriptEventQueued(handler); event_trace_mgr->ScriptEventQueued(handler);
timer_mgr->Add(new ScheduleTimer(handler, std::move(*args), dt)); timer_mgr->Add(new ScheduleTimer(handler, std::move(*args), dt));
} }
@ -4471,8 +4471,8 @@ ValPtr EventExpr::Eval(Frame* f) const {
auto v = eval_list(f, args.get()); auto v = eval_list(f, args.get());
if ( handler ) { if ( handler ) {
if ( etm ) if ( event_trace_mgr )
etm->ScriptEventQueued(handler); event_trace_mgr->ScriptEventQueued(handler);
event_mgr.Enqueue(handler, std::move(*v)); event_mgr.Enqueue(handler, std::move(*v));
} }

8
src/Func.cc
View file

@ -355,8 +355,8 @@ ValPtr ScriptFunc::Invoke(zeek::Args* args, Frame* parent) const {
return nullptr; return nullptr;
} }
if ( etm && Flavor() == FUNC_FLAVOR_EVENT ) if ( event_trace_mgr && Flavor() == FUNC_FLAVOR_EVENT )
etm->StartEvent(this, args); event_trace_mgr->StartEvent(this, args);
if ( g_trace_state.DoTrace() ) { if ( g_trace_state.DoTrace() ) {
ODesc d; ODesc d;
@ -433,8 +433,8 @@ ValPtr ScriptFunc::Invoke(zeek::Args* args, Frame* parent) const {
result = val_mgr->True(); result = val_mgr->True();
} }
else if ( etm && Flavor() == FUNC_FLAVOR_EVENT ) else if ( event_trace_mgr && Flavor() == FUNC_FLAVOR_EVENT )
etm->EndEvent(this, args); event_trace_mgr->EndEvent(this, args);
// Warn if the function returns something, but we returned from // Warn if the function returns something, but we returned from
// the function without an explicit return, or without a value. // the function without an explicit return, or without a value.

4
src/Stmt.cc
View file

@ -902,8 +902,8 @@ ValPtr EventStmt::Exec(Frame* f, StmtFlowType& flow) {
auto h = event_expr->Handler(); auto h = event_expr->Handler();
if ( args && h ) { if ( args && h ) {
if ( etm ) if ( event_trace_mgr )
etm->ScriptEventQueued(h); event_trace_mgr->ScriptEventQueued(h);
event_mgr.Enqueue(h, std::move(*args)); event_mgr.Enqueue(h, std::move(*args));
} }

8
src/zeek-setup.cc
View file

@ -401,8 +401,10 @@ static void terminate_zeek() {
script_coverage_mgr.WriteStats(); script_coverage_mgr.WriteStats();
if ( etm ) if ( event_trace_mgr ) {
etm->Generate(); event_trace_mgr->Generate();
event_trace_mgr.reset();
}
delete zeekygen_mgr; delete zeekygen_mgr;
delete packet_mgr; delete packet_mgr;
@ -775,7 +777,7 @@ SetupResult setup(int argc, char** argv, Options* zopts) {
auto ipbb = make_intrusive<BuiltinFunc>(init_bifs, ipbid->Name(), false); auto ipbb = make_intrusive<BuiltinFunc>(init_bifs, ipbid->Name(), false);
if ( options.event_trace_file ) if ( options.event_trace_file )
etm = std::make_unique<EventTraceMgr>(*options.event_trace_file); event_trace_mgr = std::make_unique<EventTraceMgr>(*options.event_trace_file);
// Parsing involves reading input files, including any input // Parsing involves reading input files, including any input
// interactively provided by the user at the console. Temporarily // interactively provided by the user at the console. Temporarily

1
testing/btest/Baseline/core.event-trace/.stderr Normal file
View file

@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.

21
testing/btest/core/event-trace.zeek Normal file
View file

@ -0,0 +1,21 @@
# @TEST-DOC: Verify the --event-trace feature works and produces the same logs as when reading from a pcap.
#
# Trace files produced with ZAM don't work - issue #4478
#
# @TEST-REQUIRES: test "${ZEEK_ZAM}" != "1"
#
# @TEST-EXEC: zeek --event-trace trace.zeek -b -r $TRACES/http/get.trace %INPUT
# @TEST-EXEC: mkdir pcap-logs
# @TEST-EXEC: zeek-cut -m < http.log > pcap-logs/http.log
# @TEST-EXEC: rm -v *.log
#
# @TEST-EXEC: zeek -b --parse-only %INPUT trace.zeek
# @TEST-EXEC: zeek -b %INPUT trace.zeek
# @TEST-EXEC: mkdir trace-logs
# @TEST-EXEC: zeek-cut -m < http.log > trace-logs/http.log
# @TEST-EXEC: rm -v *.log
#
# @TEST-EXEC: diff pcap-logs/http.log trace-logs/http.log
# @TEST-EXEC: btest-diff .stderr
@load base/protocols/http