spicy docker image - type parsing oddity

Zeek
1

Hello,

I'm uncertain if I've run into an issue peculiar to the spicy docker
image (which should be the latest - 247ea5070b15), or if this is syntax
problem.

In a basic modbus parser (attached : .pac2, .evt, .bro and modbus trace
file) , the Message definition throws an error when executing as:

root# bro -r modbus_part1.3.pcap modbus.evt modbus.bro

struct.set __self "data" ref<MODBUS::DinputsPdu>()

<no location>:: error, operand type ref<MODBUS::DinputsPdu> is not
compatible with type ref<MODBUS::CoilsPdu> [pass::hilti::Validator]

However, ALT Message definition works fine. In fact, if I parse the
data field with the same type (ie both with type CoilsPdu or both with
type DinputsPdu) it works, which is puzzling.

The idea is to parse different modbus function codes as different types
to enable raising type-specific events.

Any insights appreciated.

- Troy

modbus-parse-fail.tar (10 KB)

2

So, this is easy to fix. I figured out that once a field name gets
typed, it can only appear again with the same type. Makes perfect sense.

So this snippet would work:

switch ( self.fcode ) {
    b"0x01" -> data1: CoilPDU;
    b"0x03" -> data2: HregisterPDU;
    }

and so would this:

switch ( self.fcode ) {
    b"0x01" -> data1: CoilPDU;
    b"0x03" -> data1: CoilPDU;
    }

but not this one which reuses the 'data' fieldname but with different types:

switch ( self.fcode ) {
    b"0x01" -> data: CoilPDU;
    b"0x03" -> data: HregisterPDU;
    }

- Troy

3

Yeah, exactly. That's something the compiler should catch and give you
a decent error message for but validation is still a weak spot of
Spicy.

Robin