Protocol Analyzer: when to Unref a variable

By looking at some analyzers (e.g., SIP, TCP) I noticed that here
and there (usually after the content of a variable is assigned to
another structure with Append) a call to Unref() is made.

Are there any general principles or guidelines regarding when to
explicitly Unref a variable when writing a Bro Analyzer with BinPAC?


Hi Valerio,

the answer to this is more or less that it is a bit complicated. Usually
when raising events, the values are "consumed" by the Bro core (so you
won't have to call Unref or anything on them). I expect most of the times
that you see an Unref directly in analyzer code is when a data
structure is first constructed and then not directly passed to the core,
but instead deleted again (e.g. because some precondition was not met).
Another case might be when it is replaced with a different structure.

When using more complex data structures, things get more complicated and
you basically have to resort to reading the code of the data structure you
are using, to determine if you have to call Unref afterwards (or you have
to use memory leak checks). An example where I think you see explicit
unrefs is when using a TableVal; the index is not consumed.

I hope this helps a bit,
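
The three cases from the reply above (a value consumed by an event, a value built and then dropped, a table index that is not consumed), as an added example that is not part of the original thread and is not Bro's code. It is a toy reference-counting model: `Val`, `queue_event`, `Table` and the `live` counter are hypothetical stand-ins, and `live` plays the role of the memory leak check.

```cpp
// Toy model of intrusive reference counting; NOT Bro's classes or API.
#include <map>
#include <string>
#include <utility>

static int live = 0;  // number of Val objects currently allocated

struct Val {
    std::string s;
    int refs = 1;  // the creator holds the first reference
    explicit Val(std::string v) : s(std::move(v)) { ++live; }
    ~Val() { --live; }
};
inline void Unref(Val* v) { if (v && --v->refs == 0) delete v; }

// Models an event queue: it takes over the caller's reference ("consumes").
void queue_event(Val* arg) {
    // ... handlers would run here ...
    Unref(arg);
}

// Models a table whose Assign consumes the value but only reads the index.
struct Table {
    std::map<std::string, Val*> m;
    void Assign(Val* index, Val* value) {
        auto it = m.find(index->s);
        if (it != m.end()) Unref(it->second);  // replaced entry is released
        m[index->s] = value;                   // value's reference is now ours
    }
    ~Table() { for (auto& kv : m) Unref(kv.second); }
};

// Case 1: value handed to an event. Case 2: built, then precondition fails.
int run_event_path(bool precondition_ok) {
    Val* v = new Val("INVITE");
    if (precondition_ok) queue_event(v);  // consumed, no Unref here
    else Unref(v);                        // never handed over, release it
    return live;
}

// Case 3: the index is not consumed, so the caller must release it.
int run_table_path(bool unref_index) {
    {
        Table t;
        Val* idx = new Val("Via");
        t.Assign(idx, new Val("SIP/2.0/UDP"));
        if (unref_index) Unref(idx);
    }
    return live;  // objects still allocated after the table is gone
}
```

A nonzero return from `run_table_path(false)` is the leaked index; calling `Unref` after `queue_event` instead would be the opposite bug, a double release.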

Hi Johanna,

thanks for your reply, it does help a lot!
Especially the confirmation that values that are passed to events are
"consumed" by the Bro core.