zeek / spicy-plugin Goto Github PK

Spicy plugin for Zeek

Home Page: https://docs.zeek.org/projects/spicy/en/latest/zeek.html

License: Other

CMake 9.14% Dockerfile 0.32% Makefile 0.16% C++ 70.97% Zeek 17.89% Shell 0.98% C 0.54%

spicy zeek

spicy-plugin's Introduction

Note: This plugin is no longer needed with Zeek >= 6.0, which comes with Spicy support built in. All new development now happens in Zeek directly. This repository will still be receiving important bugfixes for the time being, but will eventually be shut down.

Spicy Plugin for Zeek

This repository provides a Zeek package that adds Spicy support to Zeek through a plugin. Once installed, your Zeek will be able to load Spicy-based protocol and file analyzers, such as those coming with the Spicy Analyzers package.

Both this plugin and Spicy itself now ship with Zeek by default, so chances are that you already have Spicy support in place if you are using Zeek >= 5.0.

Prerequisites

If not using Zeek's built-in version of the plugin, you will first need to install Spicy. Please follow its instructions. Ensure that the Spicy toolchain is in your PATH. For example, with Spicy installed to /opt/spicy and using bash:

export PATH=/opt/spicy/bin:$PATH

Now which should be able to find spicy-config:

# which spicy-config
/opt/spicy/bin/spicy-config

Please also install and configure the Zeek package manager.

Installation

Use Zeek's built-in version

Zeek includes both Spicy and this plugin by default since version 5.0. To confirm that you have it available, run zeek -N Zeek::Spicy, it should show output like this:

# zeek -N Zeek::Spicy
Zeek::Spicy - Support for Spicy parsers (*.hlto) (built-in)

Assuming that's the case, you should also find the plugin's compilation tool spicyz at the same place as the Zeek executable:

# which spicyz
/usr/local/zeek/bin/spicyz

If you do not want to use the Spicy plugin that's built into Zeek for some reason (e.g., because you'd like to try a new version of the plugin or Spicy), you can build Zeek with --disable-spicy and then follow the instructions below for installation through the package manager or from source.

Install through package manager

If not using Zeek's built-in Spicy support, the recommended way to install the Spicy plugin is through the Zeek package manager:

# zkg install zeek/spicy-plugin

This will pull down the package, compile and test the plugin, and then install and activate it. To check that the plugin has become available, run zeek -N Zeek::Spicy afterwards, it should show output like this:

# zeek -N Zeek::Spicy
Zeek::Spicy - Support for Spicy parsers (*.hlto) (dynamic, version x.y.z)

The compilation tool spicyz comes with the package as well, and should show up in your PATH after installation. If that's not the case, please see the Spicy manual on how to locate it (you might be using an older version of zkg still).

Install manually

You can also install the plugin through normal CMake means. After cloning this repository, make sure that the Spicy tools are in your PATH, per above. Then build the plugin like this:

# (mkdir build && cd build && cmake -DCMAKE_INSTALL_PREFIX=/opt/spicy .. && make -j)

The tests should now pass:

# make -C tests

You can then install the plugin (which you may need to do as root so that you can write to the Zeek plugin directory):

# make -C build install

Zeek should now show it:

# zeek -N Zeek::Spicy
Zeek::Spicy - Support for Spicy parsers (*.hlto) (dynamic, version x.y.z)

You will also find spicyz in ${prefix}/bin now.

By default, the plugin will search for precompiled *.hlto files in <prefix>/lib/zeek-spicy/modules. You change that path by setting ZEEK_SPICY_MODULE_DIR through CMake.

Documentation

The plugin's documentation is part of the Spicy manual.

License

Just like Spicy, the plugin is open source and released under a BSD license.

spicy-plugin's People

Contributors

Stargazers

Watchers

Forkers

bbannier hecg119 fox-ds luxanna91 awelzel nabbi rsmmr simeonmiteff seanpm2001

spicy-plugin's Issues

protocol_confirmation not being called as of f8fde8d3

I've got a spicy-based analyzer which worked with zeek/spicy-plugin v1.3.9 but does not with v1.3.10. It appears that what's happening is that protocol_confirmation is no longer being called.

There is this warning:

**warning in /opt/zeek/share/zeek/site/packages/./icsnpp-genisys/./main.zeek, line 77:
deprecated (protocol_confirmation): Remove in v5.1. Use analyzer_confirmation.**

However we're not at v5.1 yet.

I did a git-bisect and found that f8fde8d was the first bad commit:

f8fde8d3635a191aac2769b708af694a50a8ba32 is the first bad commit
commit f8fde8d3635a191aac2769b708af694a50a8ba32
Author: Robin Sommer <[email protected]>
Date:   Thu Apr 7 10:29:59 2022 +0200

    Avoid deprecation warnings with Zeek >= 4.2.
    
    Also includes a bug fix triggering an internal error when no
    `{protocol,analyzer}_confirmation` event handler is defined.
    
    Also add Zeek 4.2 to CI.

 .cirrus.yml                |  3 +++
 ci/Dockerfile              |  9 ++++-----
 include/zeek-compat.h      | 20 ++++++++++++++++++++
 src/runtime-support.cc     |  9 ++++++---
 tests/zeek/replaces.zeek   |  4 ++++
 tests/zeek/ssh-banner.zeek | 12 ++++++++++--
 6 files changed, 47 insertions(+), 10 deletions(-)

Here's the broken scenario vs. the working scenario:

Broken at f8fde8d:

root@034b7646397d logs › zkg install --skiptests --version f8fde8d3635a191aac2769b708af694a50a8ba32 https://github.com/zeek/spicy-pluginin
The following packages will be INSTALLED:
  https://github.com/zeek/spicy-plugin (f8fde8d3635a191aac2769b708af694a50a8ba32)

Proceed? [Y/n] y
Installing "https://github.com/zeek/spicy-plugin"................................................................................
Installed "https://github.com/zeek/spicy-plugin" (f8fde8d3635a191aac2769b708af694a50a8ba32)
Loaded "https://github.com/zeek/spicy-plugin"

root@034b7646397d logs › zkg install --skiptests --nodeps --version ebf059a1c3d31de7dbb20d43e251aa8209bf507d https://github.com/cisagov/icsnpp-genisys
The following packages will be INSTALLED:
  https://github.com/cisagov/icsnpp-genisys (ebf059a1c3d31de7dbb20d43e251aa8209bf507d)

Proceed? [Y/n] y
Installing "https://github.com/cisagov/icsnpp-genisys"...........
Installed "https://github.com/cisagov/icsnpp-genisys" (ebf059a1c3d31de7dbb20d43e251aa8209bf507d)
Loaded "https://github.com/cisagov/icsnpp-genisys"

› zeek -C -r /opt/zeek/var/lib/zkg/clones/package/icsnpp-genisys/tests/traces/genisys.pcap local
warning in /opt/zeek/share/zeek/site/packages/./icsnpp-genisys/./main.zeek, line 77: deprecated (protocol_confirmation): Remove in v5.1. Use analyzer_confirmation.
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
1645544569.483546 expression error in /opt/zeek/share/zeek/site/packages/./icsnpp-genisys/./main.zeek, line 98: field value missing (genisys::c$genisys_proto)
... (repeats many times) ...
root@034b7646397d logs ›

Working at c9ca2d9:

root@034b7646397d logs › zkg install --skiptests --version c9ca2d93aaf7bfb75fb282eaa7214a9057d4666e https://github.com/zeek/spicy-plugin
The following packages will be INSTALLED:
  https://github.com/zeek/spicy-plugin (c9ca2d93aaf7bfb75fb282eaa7214a9057d4666e)

Proceed? [Y/n] y
Installing "https://github.com/zeek/spicy-plugin"................................................................................
Installed "https://github.com/zeek/spicy-plugin" (c9ca2d93aaf7bfb75fb282eaa7214a9057d4666e)
Loaded "https://github.com/zeek/spicy-plugin"
root@034b7646397d logs › zkg install --skiptests --nodeps --version ebf059a1c3d31de7dbb20d43e251aa8209bf507d https://github.com/cisagov/icsnpp-genisys
The following packages will be INSTALLED:
  https://github.com/cisagov/icsnpp-genisys (ebf059a1c3d31de7dbb20d43e251aa8209bf507d)

Proceed? [Y/n] y
Installing "https://github.com/cisagov/icsnpp-genisys"...........
Installed "https://github.com/cisagov/icsnpp-genisys" (ebf059a1c3d31de7dbb20d43e251aa8209bf507d)
Loaded "https://github.com/cisagov/icsnpp-genisys"

root@034b7646397d logs › zeek -C-C -r /opt/zeek/var/lib/zkg/clones/package/icsnpp-genisys/tests/traces/genisys.pcap local
warning in /opt/zeek/share/zeek/site/packages/./icsnpp-genisys/./main.zeek, line 77: deprecated (protocol_confirmation): Remove in v5.1. Use analyzer_confirmation.
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
root@034b7646397d logs › wc -l genisys.log 
697 genisys.log

With my plugin the actual expression error comes from the fact that one of my variables didn't get set, as it was being set in protocol_confirmation which is no longer called, which triggers the error when it's used later in my genisys::msg event.

Allow analyzer to start analyzing partial connections

Zeek might be started after a connection was established; this leads to partial connections. We should allow attaching Spicy analyzers to such a connection. Ideally we'd start the analyzer in recovery mode so it can find a synchronization point.

Standalone installation of downstream packages broken

It looks like the recent commit to install Zeek d68cea0 broke the downstream spicy-analyzers standalone ci, see https://cirrus-ci.com/task/5544656852221952.

There already the start of test execution fails reports the following fatal errors:

/tmp/cirrus-ci-build/tests/Scripts/get-path: 31: cd: can't cd to /opt/spicy-plugin/lib/spicy/zeek/modules/../_Zeek_Spicy
/tmp/cirrus-ci-build/tests/Scripts/get-path: 55: /bin/spicyz: not found
/tmp/cirrus-ci-build/tests/Scripts/get-path: 67: --prefix: not found
/tmp/cirrus-ci-build/tests/Scripts/get-path: 31: cd: can't cd to /opt/spicy-plugin/lib/spicy/zeek/modules/../_Zeek_Spicy

Consider encoding Spicy version requirement in CMake setup

We might at features which depend on a specific minimum Spicy version (e.g., we currently require >=spicy-1.3.0). We should add a version check to the CMake setup so we can reject builds before the cause confusing issues.

Export namespaced events

Spicy should probably automatically export namespaced events in evt files.

Currently events are not exported by default, which leads to error messages like:

error in /Users/johanna/spicy/spicy-analyzers/tests/.tmp/protocol.tftp.rrq/rrq.zeek, line 9: identifier is not exported: tftp::read_request

when trying to consume the event in a different module.

Better support parallel Spicy installations

Right now, when Spicy is installed through Homebrew, it's tricky to teach a source build of the plugin to not use that Homebrew version, but pick up Spicy in some other location. I'm seeing trouble mixing up includes and libraries, even when the right spicy-config is being found. Haven't fully tracked it down yet what's going on.

We should tweak the CMake config to make it straight-forward to point to a specific Spicy version to use. Best would be indeed to derive everything from spicy-config (which is happening already) and then prioritize that over paths found differently (which doesn't seem to happen yet).

Uses of `Tag`s incompatible with Zeek `master` branch

This commit on Zeek's master branch reorganized the different Tag types and their header files. We cannot build against this commit or any newer version.

The following issues need to be fixed:

fix includes so we always pull in headers declaring a specific used (now deprecated) Tag variant.
rewrite our toggleAnalyzer functions. Since all different Tag types now are just aliases to a single ::zeek::Tag we cannot use overloads here anymore. We also need to adjust the logic in the "frontend" toggleAnalyzer function so it branches to the correct concrete functions (alternatively: could we just get rid of this function?).

Tagged version does not contain zkg.meta

The current tagged version does not contain zkg.meta. Thus this is not picked up by the package manager for metadata aggregation.

Use of `protocol_*` functions in corelight/zeek-spicy-openvpn triggers sigabort

As of corelight/zeek-spicy-openvpn@6bcb4ec the test suite of that analyzer fails on their Linux CI. The logs mention that many tests failed due to SIGABRT. This seems to coincide with them starting to use protocol_* functions from this package.

We should look into this and depending on what we find either fix our implementation, or reject incorrect usage patterns.

This is also tracked in corelight/zeek-spicy-openvpn#3.

CMake function `spicy_add_analyzer` should support installing additional scripts

We provide spicy_add_analyzer to compile and install analyzers. We should add support to that script so accompanying Zeek scripts can be installed.

See e.g., zeek/spicy-analyzers#77 for a related issue.

Fix bro_int_t deprecation added in Zeek 5.1

bro_int_t and bro_uint_t are both marked as deprecated in the current Zeek master branch, replaced by zeek_int_t and zeek_uint_t. These deprecations need to be handled in the spicy-plugin to not return warnings during builds:

[770/937] Building CXX object src/builtin-plugins/spi...akeFiles/plugin-Zeek-Spicy.dir/src/file-analyzer.cc.o
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/file-analyzer.cc:8:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:5: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
    ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/file-analyzer.cc:8:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:58: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
                                                         ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
2 warnings generated.
[773/937] Building CXX object src/builtin-plugins/spi...eFiles/plugin-Zeek-Spicy.dir/src/packet-analyzer.cc.o
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/packet-analyzer.cc:6:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:5: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
    ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/packet-analyzer.cc:6:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:58: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
                                                         ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
2 warnings generated.
[774/937] Building CXX object src/builtin-plugins/spi...iles/plugin-Zeek-Spicy.dir/src/protocol-analyzer.cc.o
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/protocol-analyzer.cc:6:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:5: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
    ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/protocol-analyzer.cc:6:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:58: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
                                                         ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
2 warnings generated.
[775/937] Building CXX object src/builtin-plugins/spi...eFiles/plugin-Zeek-Spicy.dir/src/runtime-support.cc.o
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/runtime-support.cc:12:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:5: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
    ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
In file included from /Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/runtime-support.cc:12:
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/include/zeek-spicy/runtime-support.h:712:58: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
    bro_int_t bt = (it >= 0 ? it : std::numeric_limits<::bro_int_t>::max());
                                                         ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
2 warnings generated.
[777/937] Building CXX object src/builtin-plugins/spi...ugin/CMakeFiles/plugin-Zeek-Spicy.dir/src/plugin.cc.o
/Users/tim/Desktop/projects/zeek/auxil/spicy-plugin/src/plugin.cc:245:42: warning: 'bro_int_t' is deprecated: Remove in v6.1. Use zeek_int_t. [-Wdeprecated-declarations]
            lval = std::numeric_limits<::bro_int_t>::max();
                                         ^
/Users/tim/Desktop/projects/zeek/src/zeek/util.h:82:19: note: 'bro_int_t' has been explicitly marked deprecated here
using bro_int_t [[deprecated("Remove in v6.1. Use zeek_int_t.")]] = zeek_int_t;
                  ^
1 warning generated.

Segfault handling packet analyzer parse error

It looks like packet-analyzer.cc line 60 calls spicy::zeek::compat::Analyzer_AnalyzerViolation with a zeek::Packet argument that has a null/uninitialized session pointer, and later on SetAnalyzerState() gets called on the null session which then triggers a segfault.

This happens with packet analyzers but not with protocol analyzers - I made a variant of the analyzer below and added in IP/UDP and it works OK. Perhaps this is because there is no session for packet analyzers?... if this is true, then I imagine we need a check somewhere to skip updating the session.

To reproduce analyzer.spicy:

module test;

public type Foo = unit {
  data: bytes &until=b"\xbe";
};

and analyzer.evt:

import test;

packet analyzer spicy::TEST:
    parse with test::Foo;

and main.zeek:

module TEST;

event zeek_init()
	{
	if ( ! PacketAnalyzer::try_register_packet_analyzer_by_name("Ethernet", 0x6666,
	    "spicy::TEST") )
		print "cannot register spicy analyzer";
	}

Built with:

$ spicyz -d -o zeek_test.hlto analyzer.spicy analyzer.evt

This python program generates two PCAP files, one that parses OK, and another that triggers the parse error:

#!/usr/bin/env python3
from scapy.all import *

eth = Ether(src='00:01:02:ff:fe:fd', dst='00:01:02:ff:fe:fd', type=0x6666)
wrpcap('deadbeef.pcap', eth / Raw(load=b'\xde\xad\xbe\xef'))
wrpcap('badcodes.pcap', eth / Raw(load=b'\xba\xdc\x0d\xe5'))

This is the good input:

$ HILTI_DEBUG=spicy zeek -r deadbeef.pcap zeek_test.hlto main.zeek 
[spicy] test::Foo
[spicy]   data = \\xde\\xad

and this is the bad input:

$ HILTI_DEBUG=spicy zeek -r badcodes.pcap zeek_test.hlto main.zeek
[spicy] test::Foo
Segmentation fault (core dumped)

A stack trace:

Thread 1 "zeek" received signal SIGSEGV, Segmentation fault.
0x00005555577f6eaa in std::_Rb_tree<zeek::Tag, std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState>, std::_Select1st<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> >, std::less<zeek::Tag>, std::allocator<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> > >::_M_mbegin (this=0x60) at /usr/include/c++/11/bits/stl_tree.h:735
735           { return static_cast<_Link_type>(this->_M_impl._M_header._M_parent); }
(gdb) bt
#0  0x00005555577f6eaa in std::_Rb_tree<zeek::Tag, std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState>, std::_Select1st<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> >, std::less<zeek::Tag>, std::allocator<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> > >::_M_mbegin (this=0x60) at /usr/include/c++/11/bits/stl_tree.h:735
#1  0x00005555577f68ae in std::_Rb_tree<zeek::Tag, std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState>, std::_Select1st<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> >, std::less<zeek::Tag>, std::allocator<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> > >::_M_begin (this=0x60) at /usr/include/c++/11/bits/stl_tree.h:739
#2  0x0000555557cf2a6e in std::_Rb_tree<zeek::Tag, std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState>, std::_Select1st<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> >, std::less<zeek::Tag>, std::allocator<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> > >::lower_bound (this=0x60, __k=...)
    at /usr/include/c++/11/bits/stl_tree.h:1270
#3  0x0000555557cf267f in std::map<zeek::Tag, zeek::session::AnalyzerConfirmationState, std::less<zeek::Tag>, std::allocator<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> > >::lower_bound (this=0x60, __x=...) at /usr/include/c++/11/bits/stl_map.h:1259
#4  0x0000555557cf211b in std::map<zeek::Tag, zeek::session::AnalyzerConfirmationState, std::less<zeek::Tag>, std::allocator<std::pair<zeek::Tag const, zeek::session::AnalyzerConfirmationState> > >::insert_or_assign<zeek::session::AnalyzerConfirmationState&> (this=0x60, __k=..., __obj=@0x7fffffffd17c: zeek::session::AnalyzerConfirmationState::VIOLATED)
    at /usr/include/c++/11/bits/stl_map.h:920
#5  0x0000555557cf1940 in zeek::session::Session::SetAnalyzerState (this=0x0, tag=..., value=zeek::session::AnalyzerConfirmationState::VIOLATED)
    at /zeek/src/session/Session.cc:214
#6  0x0000555557de76e8 in zeek::packet_analysis::Analyzer::AnalyzerViolation (this=0x55555bb36320,
    reason=0x55555eb788b8 "end-of-data reached before &until expression found (analyzer.spicy:4:22)", session=0x0, data=0x0, len=0,
    arg_tag=...) at /zeek/src/packet_analysis/Analyzer.cc:189
#7  0x00005555583af6d7 in spicy::zeek::compat::Analyzer_AnalyzerViolation (packet=..., analyzer=0x55555bb36320,
    reason=0x55555eb788b8 "end-of-data reached before &until expression found (analyzer.spicy:4:22)", data=0x0, len=0, tag=...)
    at /zeek/auxil/spicy-plugin/include/zeek-spicy/zeek-compat.h:132
#8  0x00005555583aebc2 in spicy::zeek::rt::PacketAnalyzer::AnalyzePacket (this=0x55555bb36320, len=4, data=0x55555e46f46e "\272\334\r\345F^UU", packet=0x55555e9bbb48)
    at /zeek/auxil/spicy-plugin/src/packet-analyzer.cc:60
#9  0x0000555557de7058 in zeek::packet_analysis::Analyzer::ForwardPacket (this=0x55555b02ba50, len=4, data=0x55555e46f46e "\272\334\r\345F^UU", packet=0x55555e9bbb48, identifier=26214)
    at /zeek/src/packet_analysis/Analyzer.cc:112
#10 0x00005555582cb11e in zeek::packet_analysis::Ethernet::EthernetAnalyzer::AnalyzePacket (this=0x55555b02ba50, len=18, data=0x55555e46f460 "", packet=0x55555e9bbb48)
    at /zeek/src/packet_analysis/protocol/ethernet/Ethernet.cc:54
#11 0x0000555557de7058 in zeek::packet_analysis::Analyzer::ForwardPacket (this=0x55555e44dec0, len=18, data=0x55555e46f460 "", packet=0x55555e9bbb48, identifier=1)
    at /zeek/src/packet_analysis/Analyzer.cc:112
#12 0x0000555557dec54f in zeek::packet_analysis::Manager::ProcessPacket (this=0x55555b029160, packet=0x55555e9bbb48) at /zeek/src/packet_analysis/Manager.cc:112
#13 0x00005555579cd743 in zeek::run_state::detail::dispatch_packet (pkt=0x55555e9bbb48, pkt_src=0x55555e9bbb00) at /zeek/src/RunState.cc:257
#14 0x0000555557d350f9 in zeek::iosource::PktSrc::Process (this=0x55555e9bbb00) at /zeek/src/iosource/PktSrc.cc:154
#15 0x00005555579cdb39 in zeek::run_state::detail::run_loop () at /zeek/src/RunState.cc:316
#16 0x000055555762f2f5 in main (argc=5, argv=0x7fffffffdcc8) at /zeek/src/main.cc:59

Make Zeek's `conn_id` available in Spicy

My current use case requires acquiring templates from traffic and then using those templates to perform some post-processing parsing based on the provided template(s). The templates come with a unique identifier, but it's only guaranteed to be unique for a given device, i.e., at a given time the way to identify a unique template is by the tuple (template_id, device_ip). If the equivalent of a conn_id was available at Spicy unit parse time, it would allow me to uniquely identify templates. This is key functionality for my parser, because in most production deployments I expect to receive data from multiple devices. Happy to provide more details if needed.

I am not sure the best way to implement this. Optional parameter to all (a subset?) of units? Some global that's dumped into something under the spicy:: namespace?

Slack conversation below for additional context:

[Yacin Nadji] is there a way to access transport protocol information (like the src/dst IP address) from within spicy if i’m already parsing it over UDP?
[Robin Sommer] Currently not, but it would be pretty easy to add. Feel free to file a ticket for the plugin with the information you’re looking for. We could for example provide an equivalent of Zeek’s conn_id?
[Yacin Nadji] ooh yeah that would address my use case. i’ll go ahead and make a ticket.

referencing _Undef value for spicy enum in zeek code results in Aborted (core dumped)

The Spicy documentation section on Zeek Integration - Enum Types describes how Spicy enums are translated into code accessible on the Zeek side.

However, referencing the _Undef value on the zeek side results in a core dump:

Test.spicy

module Test;

public type MyEnum = enum {
    A = 83,
    B = 84,
    C = 85
};

Test.zeek

module Test;

event Test::message(c: connection) {
  local whatever: Test::MyEnum = Test::MyEnum_A;
  whatever = Test::MyEnum_Undef;
}

Output:

# zeek -NN /tmp/Test.hlto /host/Test.zeek 
internal error in /host/Test.zeek, line 5: enum value not found for Test::MyEnum_Undef
Aborted (core dumped)

Output commenting out the _Undef line results in no error.

Add script-land API to disable Spicy analyzers

Functions in spicy/zeek.spicy are not present in any rendered documentation

Allow multiple calls to `protocol_begin()`

Currently we abort if protocol_begin() gets called twice without any protocol_end() in between. While that's reasonable in principle, it can make it hard to call protocol_begin() at the right time when both originator and responder side may want to trigger it. In that case, currently one gets an obscure error message of Zeek not being able to add DPD analyzer.

I believe it should be fine to just ignore the 2nd call silently in these cases.

(Note, I believe protocol_end() is already safe against calling multiple times, but should double check).

Compilation trouble on macOS

There's a file naming conflict: system headers contain #include <version>, which can end up picking up our VERSION file on the Mac's case-insensitive file system.

I've started seeing that only recently, not sure what changed; but now I'm actually also getting it when doing zkg install spicy-plugin:

In file included from /Users/robin/.zkg/testing/spicy-plugin/clones/spicy-plugin/compiler/driver.cc:3:
In file included from /Users/robin/.zkg/testing/spicy-plugin/clones/spicy-plugin/compiler/driver.h:5:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/usr/include/c++/v1/map:481:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/usr/include/c++/v1/__tree:14:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/usr/include/c++/v1/iterator:419:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/usr/include/c++/v1/__functional_base:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/usr/include/c++/v1/type_traits:417:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/usr/include/c++/v1/cstddef:37:
/Users/robin/.zkg/testing/spicy-plugin/clones/spicy-plugin/version:1:1: error: expected unqualified-id
0.99.4

undefined reference to `dlopen' on ubuntu 20.04 with default gcc 9.4.0

git clone --recursive https://github.com/zeek/zeek

configure and make and make install finished.

But zkg install zeek/spicy-plugin with such faield

Running unit tests for "zeek/zeek/spicy-plugin"

error: failed to run tests for zeek/zeek/spicy-plugin: package build_command failed, see log in /home/jiamo/opt/var/lib/zkg/logs/spicy-plugin-build.log

The error is :

/usr/bin/ld: /home/jiamo/opt/lib/libhilti.a(driver.cc.o): in function `hilti::Driver::_symbol(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)':
/home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/toolchain/src/compiler/driver.cc:470: undefined reference to `dlerror'
/usr/bin/ld: /home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/toolchain/src/compiler/driver.cc:472: undefined reference to `dlsym'
/usr/bin/ld: /home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/toolchain/src/compiler/driver.cc:476: undefined reference to `dlerror'
/usr/bin/ld: /home/jiamo/opt/lib/libhilti.a(library.cc.o): in function `hilti::rt::Library::symbol(std::basic_string_view<char, std::char_traits<char> >) const':
/home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:98: undefined reference to `dlerror'
/usr/bin/ld: /home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:100: undefined reference to `dlsym'
/usr/bin/ld: /home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:102: undefined reference to `dlerror'
/usr/bin/ld: /home/jiamo/opt/lib/libhilti.a(library.cc.o): in function `hilti::rt::Library::~Library()':
/home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:57: undefined reference to `dlclose'
/usr/bin/ld: /home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:59: undefined reference to `dlerror'
/usr/bin/ld: /home/jiamo/opt/lib/libhilti.a(library.cc.o): in function `hilti::rt::Library::open() const':
/home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:75: undefined reference to `dlsym'
/usr/bin/ld: /home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:67: undefined reference to `dlopen'
/usr/bin/ld: /home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/runtime/src/library.cc:70: undefined reference to `dlerror'
collect2: error: ld returned 1 exit status
make[2]: *** [src/compiler/CMakeFiles/spicyz.dir/build.make:88: bin/spicyz] Error 1
make[1]: *** [CMakeFiles/Makefile2:362: src/compiler/CMakeFiles/spicyz.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:141: all] Error 2

std::__cxx11::basic_string. But we build zeek with c++14 ?

The plugin make VERBOSE=1 got

/usr/bin/c++  -O3 -g -DNDEBUG  -Wl,--export-dynamic -rdynamic CMakeFiles/spicyz.dir/bin/spicyz.cc.o CMakeFiles/zeek-compiler.dir/driver.cc.o CMakeFiles/zeek-compiler.dir/glue-compiler.cc.o  -o ../../bin/spicyz   -L/home/jiamo/opt/lib  -Wl,-rpath,/home/jiamo/opt/lib: -lhilti -lspicy 
/usr/bin/ld: /home/jiamo/opt/lib/libhilti.a(driver.cc.o): in function `hilti::Driver::_symbol(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)':
/home/jiamo/engine/zeek/auxil/spicy/spicy/hilti/toolchain/src/compiler/driver.cc:470: undefined reference to `dlerror'

In zeek source rm ./auxil/spicy/spicy/lib/libhilti.a and make VERBOSE=1 got

make -f auxil/spicy/spicy/hilti/toolchain/CMakeFiles/hilti.dir/build.make auxil/spicy/spicy/hilti/toolchain/CMakeFiles/hilti.dir/build
make[2]: Entering directory '/home/jiamo/engine/zeek/build'
[ 35%] Linking CXX static library ../../lib/libhilti.a
cd /home/jiamo/engine/zeek/build/auxil/spicy/spicy/hilti/toolchain && /usr/bin/cmake -P CMakeFiles/hilti.dir/cmake_clean_target.cmake
cd /home/jiamo/engine/zeek/build/auxil/spicy/spicy/hilti/toolchain && /usr/bin/cmake -E cmake_link_script CMakeFiles/hilti.dir/link.txt --verbose=1
/usr/bin/ar qc ../../lib/libhilti.a  ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/clock.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/drain.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/error.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/handle.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/init.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/options.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/pipe.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/process.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/redirect.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/redirect.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/reproc.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/run.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/strv.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/utf.posix.c.o CMakeFiles/hilti-objects.dir/src/ast/builder/builder.cc.o CMakeFiles/hilti-objects.dir/src/ast/builder/type.cc.o CMakeFiles/hilti-objects.dir/src/ast/declarations/imported-module.cc.o CMakeFiles/hilti-objects.dir/src/ast/expression.cc.o CMakeFiles/hilti-objects.dir/src/ast/expressions/id.cc.o CMakeFiles/hilti-objects.dir/src/ast/location.cc.o CMakeFiles/hilti-objects.dir/src/ast/meta.cc.o CMakeFiles/hilti-objects.dir/src/ast/module.cc.o CMakeFiles/hilti-objects.dir/src/ast/node.cc.o CMakeFiles/hilti-objects.dir/src/ast/node_ref.cc.o CMakeFiles/hilti-objects.dir/src/ast/scope.cc.o CMakeFiles/hilti-objects.dir/src/ast/scope-lookup.cc.o CMakeFiles/hilti-objects.dir/src/ast/type.cc.o CMakeFiles/hilti-objects.dir/src/ast/types/enum.cc.o CMakeFiles/hilti-objects.dir/src/ast/types/integer.cc.o CMakeFiles/hilti-objects.dir/src/ast/types/tuple.cc.o CMakeFiles/hilti-objects.dir/src/base/code-formatter.cc.o CMakeFiles/hilti-objects.dir/src/base/logger.cc.o CMakeFiles/hilti-objects.dir/src/base/preprocessor.cc.o CMakeFiles/hilti-objects.dir/src/base/timing.cc.o CMakeFiles/hilti-objects.dir/src/base/type_erase.cc.o CMakeFiles/hilti-objects.dir/src/base/util.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/codegen.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/coercions.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/ctors.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/expressions.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/operators.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/statements.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/types.cc.o CMakeFiles/hilti-objects.dir/src/compiler/codegen/unpack.cc.o CMakeFiles/hilti-objects.dir/src/compiler/coercion.cc.o CMakeFiles/hilti-objects.dir/src/compiler/context.cc.o CMakeFiles/hilti-objects.dir/src/compiler/cxx/elements.cc.o CMakeFiles/hilti-objects.dir/src/compiler/cxx/formatter.cc.o CMakeFiles/hilti-objects.dir/src/compiler/cxx/linker.cc.o CMakeFiles/hilti-objects.dir/src/compiler/cxx/unit.cc.o CMakeFiles/hilti-objects.dir/src/compiler/driver.cc.o CMakeFiles/hilti-objects.dir/src/compiler/init.cc.o CMakeFiles/hilti-objects.dir/src/compiler/jit.cc.o CMakeFiles/hilti-objects.dir/src/compiler/optimizer.cc.o CMakeFiles/hilti-objects.dir/src/compiler/parser/driver.cc.o CMakeFiles/hilti-objects.dir/src/compiler/plugin.cc.o CMakeFiles/hilti-objects.dir/src/compiler/unit.cc.o CMakeFiles/hilti-objects.dir/src/compiler/visitors/coercer.cc.o CMakeFiles/hilti-objects.dir/src/compiler/visitors/normalizer.cc.o CMakeFiles/hilti-objects.dir/src/compiler/visitors/printer.cc.o CMakeFiles/hilti-objects.dir/src/compiler/visitors/renderer.cc.o CMakeFiles/hilti-objects.dir/src/compiler/visitors/resolver.cc.o CMakeFiles/hilti-objects.dir/src/compiler/visitors/scope-builder.cc.o CMakeFiles/hilti-objects.dir/src/compiler/visitors/validator.cc.o CMakeFiles/hilti-objects.dir/src/global.cc.o CMakeFiles/hilti-objects.dir/__/src/autogen/operators-implementations.cc.o CMakeFiles/hilti-objects.dir/__/src/autogen/config.cc.o CMakeFiles/hilti-objects.dir/__/src/autogen/__parser.cc.o CMakeFiles/hilti-objects.dir/__/src/autogen/__scanner.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/backtrace.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/configuration.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/context.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/debug-logger.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/exception.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/fiber.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/global-state.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/init.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/library.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/logging.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/main.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/type-info.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/address.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/bytes.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/integer.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/port.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/real.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/regexp.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/stream.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/string.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/types/time.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/src/util.cc.o ../runtime/CMakeFiles/hilti-rt-objects.dir/__/__/3rdparty/utf8proc/utf8proc.c.o ../../3rdparty/reproc/reproc++/CMakeFiles/reproc++.dir/src/reproc.cpp.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/ccl.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/dfa.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/dfa-interpreter-std.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/dfa-interpreter-min.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/jlocale.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/jrx.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/nfa.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/util.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/justrx/autogen/re-parse.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/justrx/autogen/re-scan.c.o ../../3rdparty/fiber/CMakeFiles/fiber.dir/src/fiber_asm_amd64_sysv.S.o ../../3rdparty/fiber/CMakeFiles/fiber.dir/src/fiber.c.o
/usr/bin/ranlib ../../lib/libhilti.a

I also see build the spicy-config with -ldl. So the libhilti is somthing internal lib don't need -ldl but plugin build need it ?

[ 40%] Linking CXX executable ../../bin/spicy-config
cd /home/jiamo/engine/zeek/build/auxil/spicy/spicy/spicy/toolchain && /usr/bin/cmake -E cmake_link_script CMakeFiles/spicy-config.dir/link.txt --verbose=1
/usr/bin/c++   -Wall -Wno-unused -Wno-register -Werror=vla -Wno-vla -O3 -g -DNDEBUG   -fuse-ld=gold -Wl,--export-dynamic -rdynamic CMakeFiles/spicy-config.dir/bin/spicy-config.cc.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/clock.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/drain.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/error.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/handle.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/init.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/options.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/pipe.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/process.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/redirect.posix.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/redirect.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/reproc.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/run.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/strv.c.o ../../3rdparty/reproc/reproc/CMakeFiles/reproc.dir/src/utf.posix.c.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/builder/builder.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/builder/type.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/declarations/imported-module.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/expression.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/expressions/id.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/location.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/meta.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/module.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/node.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/node_ref.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/scope.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/scope-lookup.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/type.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/types/enum.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/types/integer.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/ast/types/tuple.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/base/code-formatter.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/base/logger.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/base/preprocessor.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/base/timing.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/base/type_erase.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/base/util.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/codegen.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/coercions.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/ctors.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/expressions.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/operators.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/statements.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/types.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/codegen/unpack.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/coercion.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/context.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/cxx/elements.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/cxx/formatter.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/cxx/linker.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/cxx/unit.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/driver.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/init.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/jit.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/optimizer.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/parser/driver.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/plugin.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/unit.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/visitors/coercer.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/visitors/normalizer.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/visitors/printer.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/visitors/renderer.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/visitors/resolver.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/visitors/scope-builder.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/compiler/visitors/validator.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/src/global.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/__/src/autogen/operators-implementations.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/__/src/autogen/config.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/__/src/autogen/__parser.cc.o ../../hilti/toolchain/CMakeFiles/hilti-objects.dir/__/src/autogen/__scanner.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/backtrace.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/configuration.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/context.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/debug-logger.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/exception.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/fiber.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/global-state.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/init.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/library.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/logging.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/main.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/type-info.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/address.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/bytes.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/integer.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/port.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/real.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/regexp.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/stream.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/string.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/types/time.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/src/util.cc.o ../../hilti/runtime/CMakeFiles/hilti-rt-objects.dir/__/__/3rdparty/utf8proc/utf8proc.c.o ../../3rdparty/reproc/reproc++/CMakeFiles/reproc++.dir/src/reproc.cpp.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/ccl.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/dfa.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/dfa-interpreter-std.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/dfa-interpreter-min.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/jlocale.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/jrx.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/nfa.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/src/util.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/justrx/autogen/re-parse.c.o ../../3rdparty/justrx/CMakeFiles/jrx-objects.dir/justrx/autogen/re-scan.c.o ../../3rdparty/fiber/CMakeFiles/fiber.dir/src/fiber_asm_amd64_sysv.S.o ../../3rdparty/fiber/CMakeFiles/fiber.dir/src/fiber.c.o CMakeFiles/spicy-objects.dir/src/ast/hook.cc.o CMakeFiles/spicy-objects.dir/src/ast/types.cc.o CMakeFiles/spicy-objects.dir/src/ast/types/bitfield.cc.o CMakeFiles/spicy-objects.dir/src/ast/types/unit.cc.o CMakeFiles/spicy-objects.dir/src/ast/types/unit-items/field.cc.o CMakeFiles/spicy-objects.dir/src/ast/types/unit-items/switch.cc.o CMakeFiles/spicy-objects.dir/src/compiler/coercion.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/codegen.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/grammar.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/grammar-builder.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/parser-builder.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/parsers/literals.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/parsers/types.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/production.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/productions/look-ahead.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/productions/switch.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/productions/while.cc.o CMakeFiles/spicy-objects.dir/src/compiler/codegen/unit-builder.cc.o CMakeFiles/spicy-objects.dir/src/compiler/driver.cc.o CMakeFiles/spicy-objects.dir/src/compiler/init.cc.o CMakeFiles/spicy-objects.dir/src/compiler/parser/driver.cc.o CMakeFiles/spicy-objects.dir/src/compiler/plugin.cc.o CMakeFiles/spicy-objects.dir/src/compiler/visitors/normalizer.cc.o CMakeFiles/spicy-objects.dir/src/compiler/visitors/resolver.cc.o CMakeFiles/spicy-objects.dir/src/compiler/visitors/printer.cc.o CMakeFiles/spicy-objects.dir/src/compiler/visitors/scope-builder.cc.o CMakeFiles/spicy-objects.dir/src/compiler/visitors/validator.cc.o CMakeFiles/spicy-objects.dir/__/src/autogen/operators-implementations.cc.o CMakeFiles/spicy-objects.dir/__/src/autogen/config.cc.o CMakeFiles/spicy-objects.dir/__/src/autogen/__parser.cc.o CMakeFiles/spicy-objects.dir/__/src/autogen/__scanner.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/base64.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/driver.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/global-state.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/init.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/mime.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/parser.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/sink.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/unit-context.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/util.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/src/zlib.cc.o ../runtime/CMakeFiles/spicy-rt-objects.dir/__/__/3rdparty/libb64/src/cdecode.c.o ../runtime/CMakeFiles/spicy-rt-objects.dir/__/__/3rdparty/libb64/src/cencode.c.o  -o ../../bin/spicy-config  -Wl,-rpath,:::::::::::::::::::::: /usr/lib/x86_64-linux-gnu/libz.so ../../lib/libhilti.a -pthread -ldl -lrt

And I also find ./../bin/hilti-config was linked by '-ldl' too.

Glue `replaces` statement should activate DPD rules of replaced analyzer for replacement

We can currently specify in the evt glue that an analyzer replaces an existing analyzer. In that case we deactivate the old analyzer before registering the replacement.

If the old analyzer had associated DPD rules they will still only enable the old analyzer and not the replacement. We should figure out a way to obtain rules matching a replacement, rewrite them to enable the new analyzer, and then add them the Zeek's RuleMatcher. This seems tricky as e.g., RuleMatcher does not seem to have an API to iterate or obtain previously added rules.

This is related to zeek/spicy-analyzers#88.

Zip analyzer event/notice on recursion limit

Feature Request. It would be interesting to get a notice when the zip analyzer hits it's recursion limit.

Remove symlink in build tree when built as builtin plugin

If built as a builtin plugin we currently create a link in into the build/source directory and it is not clear anymore exactly why that link was needed. We added a workaround for binary packages when fixing #119, but should probably just get rid of the link.

Analyzers report weird before protocol has been confirmed

Currently we often emit weird log entries if we see parse errors during explorative processing in PacketAnalyzer::AnalyzePacket and ProtocolAnalyzer::[Process|Finish]] (we also report weirds from FileAnalyer which might be different). If such reporting happens during DPD before confirmation parse errors are to be expected. Reporting them to the weird log on the other hand makes it look like there is a problem which needs to be investigated; we also make it hard to distinguish genuine parse errors (after DPD confirmation) from ones during DPD.

We should look into how we can reduce weirds during DPD. We could e.g., track whether an analyzer has confirmed a protocol and suppress or redirect during DPD.

Packet analyzers misname the Zeek-side tag

Given a packet analyzer defined like this:

packet analyzer spicy::MyAnalyzer:
    parse with MyAnalyzer::MyPacket;

The plugin creates a Zeek-side tag for this that comes with an additional underscore for some reason:

# zeek -NN Zeek::Spicy
...
    [Packet Analyzer] spicy::MyAnalyzer (ANALYZER_SPICY__MYANALYZER)
...

It should be ANALYZER_SPICY_MYANALYZER instead. Other types of analyzers don't do this.

Revert `ZEEK_STATIC_BRANCH`

Our .cirrus.yml still has this:

    # Branch of Zeek to use for the static plugin build.
    # TODO: Revert to 'main' once Zeek's #1676 is merged.
    ZEEK_STATIC_BRANCH: topic/robin/fix-plugin-port-registration

Remove support for zeek-3

We currently still have some code for compatibility with zeek-3 which we should remove.

Remove Zeek 3.x support

With Zeek 3.x being out of support, we're going to remove Spicy-side support as well.

This involves:

Remove all the < 4.0 wrappers from zeek-compat.h
Rename the plugin from _Zeek_Spicy to Zeek_Spicy (and add cmake logic to explicitly remove the old _Zeek_Spicy.so to avoid conflicts when upgrading)

Add support for passing Spicy structs to Zeek as records.

This conversion is currently missing. It would work similarly to tuples.

Add clang-tidy to CI

Currently we check the code through Spicy's CI, but would be good to catch trouble earlier.

Add support for Zeek's `—include-plugins`

This will allow to compile Spicy statically into Zeek. It needs some restructuring of the plugin and probably some small code adjustments as well.

Add function to retrieve Zeek network time

That would be zeek::network_time() simply returning Zeek's network_time().

Provide primitives so that Spicy analyzers can forward data to other Zeek analyzers for follow-up analysis

We provide functions to pass data extracted by Spicy file analyzers back into Zeek with e.g.,

function zeek::file_begin(mime_type: optional<string> = Null) : string

Such functionality currently does not exist for Spicy protocol or packet analyzers. We should provide similar functions for such analyzers, ideally with some optional type so callers can opt into a specific analyzer to process the data (e.g., for HTTP with websockets can detect that the unparsed data is websockets) if they do not want Zeek to detect the format dynamically.

Give packet analyzers access to header data already parsed

Packet analyzers currently don't have a way to access any header fields that were already parsed by preceeding Zeek analyzers. For example, a Spicy analyzer for a new protocol on top of IP cannot get access to the packet's IP addresses. This applies primarily to creating Zeek-side events: we're essentially missing the equivalent of $conn or $file there.

Proposal: let's add support for $packet to EVT files, which on the Zeek-side will turn into a raw_pkt_hdr value for the current packet, with any fields filled in that have been parsed already.

One caveat: Using $packet could become expensive if raw_pkt_hdr instances needed to created for lots of packets. But I don't think that's much of an issue because: (1) using it would be optional, and (2) in practice the volume of packets going through this path should remain small.

The File Analysis Framework can't open more than one file at a time.

I was using the functions listed here: https://docs.zeek.org/projects/spicy/en/latest/zeek.html#controlling-zeek-from-spicy

I can start a file with:

function zeek::file_begin(mime_type: optional<string> = Null) : string

I can only add data to one file at a time because I can't index the fuid with this function:

function zeek::file_data_in_at_offset(data: bytes, offset: uint64)

With a protocol I'm working on, there could multiple files streaming amongst each other so I need a way to point the data I get to the right opened file. Thanks!

Add support for adding additional libraries to link

zeek/spicy#1244 adds a command line flag which can be used add additional libraries to the link. We should make that command line flag accessible in spicy_add_analyzer.

support port range rather than just a single port

Protocols with which I am familiar, such as BACnet in its clause J.1.2, specify a port range rather than a single port. B/IP devices shall also support a configurable UDP port number and shall support, at a minimum, values in the ranges 47808 - 47823 and 49152 - 65535. For B/IP devices that support multiple B/IP ports, the UDP port number for each B/IP port shall be settable across the above noted valid range.

And for Voice-over-IP, the Vonage FAQ states Your network must allow inbound and outbound traffic from RTP ports 10,000 - 30,000 to prevent one-way or no audio on phone calls. https://businesssupport.vonage.com/articles/answer/Port-Forwarding-807

Support for port range is here proposed, per zeek/spicy#547 (comment), as Feature Request.

Plugin is loading too many scripts in bare mode with Zeek 4.2 (but not 5.0)

Odd behavior difference between Zeek 4.2 and 5.0 (the latter with a separately compiled plugin, not built into Zeek).

Zeek 5.0:

# zeek -b -r Traces/ssh-single-conn.trace Zeek::Spicy misc/loaded-scripts
# grep scripts/Zeek/Spicy loaded_scripts.log
  /Users/robin/work/spicy/spicy-plugin/build/scripts/Zeek/Spicy/bare.zeek

Zeek 4.2:

# zeek -b -r Traces/ssh-single-conn.trace Zeek::Spicy misc/loaded-scripts
# grep scripts/Zeek/Spicy loaded_scripts.log
  /Users/robin/work/spicy/spicy-plugin/build-4.2/scripts/Zeek/Spicy/bare.zeek
  /Users/robin/work/spicy/spicy-plugin/build-4.2/scripts/Zeek/Spicy/default.zeek

5.0 is correct, but I'm wondering where that difference is coming from (and we should fix 4.x).

Installed Zeek has side-effects on testing in-tree

I'm not sure this is the right place to flag this, but here goes: when I install a specific version of Zeek into my system so that its bin folder is in PATH, this seems to affect Zeek's spicy-related testing, causing test failures.

Specifically, when I have a Zeek 5.1 build installed and test latest Zeek master, I see these:

[ 99%] spicy.spicyz-aot ... failed
[ 99%] spicy.spicyz-jit ... failed

There's a clue in the .stderr output of the first test:

/home/christian/devel/zeek/zeek/build/src/builtin-plugins/spicy-plugin/include/zeek-spicy/zeek-compat.h:21:2: error: #error "Mismatch in Zeek version numbers"
   21 | #error "Mismatch in Zeek version numbers"
      |  ^~~~~
/home/christian/devel/zeek/zeek/build/src/builtin-plugins/spicy-plugin/include/zeek-spicy/zeek-compat.h:20:96: note: '#pragma message: Zeek version 50200 vs 50100)'
   20 | #pragma message "Zeek version " STR(ZEEK_SPICY_VERSION_NUMBER) " vs " STR(ZEEK_VERSION_NUMBER) ")"

When I remove my installed tree and re-run the tests in my local build, they succeed.

ghc::filesystem::canonical throws exceptions which spicy-plugin doesn't catch

According to cppreference, filesystem::canonical used in the way referenced below throws exceptions. If you would like the version that doesn't throw exceptions you must pass a reference to a std::error_code object.
https://en.cppreference.com/w/cpp/filesystem/canonical

spicy-plugin/compiler/driver.cc

Line 83 in 906b38f

plugin_path = hilti::rt::filesystem::canonical(plugin_path);

Allow Zeek packet-analyzer replacement

Just recording that Spicy might theoretically allow packet-analyzer replacement like it does for protocols/files by using replaces in .evt files, but maybe less near-term need and also not sure it's as simple (e.g. care in syncing analyzer chaining/mapping).

linking error with spicyz

Output:

[ 75%] Building CXX object CMakeFiles/_Zeek-Spicy.linux-x86_64.dir/functions.bif.init.cc.o                               
[ 79%] Building CXX object CMakeFiles/_Zeek-Spicy.linux-x86_64.dir/functions.bif.register.cc.o                           
[ 82%] Linking CXX executable ../../bin/spicyz
/nix/store/sgrwh6jsrshrnicqi67fck336q6ldh2d-binutils-2.35.1/bin/ld: /nix/store/rf9hrg356ig7gpbh08cc6h8y4dlx3bzh-spicy-lat
est-f7b6454-dirty/lib/libhilti.a(driver.cc.o): in function `hilti::Driver::_symbol(std::__cxx11::basic_string<char, std::
char_traits<char>, std::allocator<char> > const&)':
(.text+0x71b6): undefined reference to `dlerror'
/nix/store/sgrwh6jsrshrnicqi67fck336q6ldh2d-binutils-2.35.1/bin/ld: (.text+0x71c0): undefined reference to `dlsym'
/nix/store/sgrwh6jsrshrnicqi67fck336q6ldh2d-binutils-2.35.1/bin/ld: (.text+0x71cd): undefined reference to `dlerror'
/nix/store/sgrwh6jsrshrnicqi67fck336q6ldh2d-binutils-2.35.1/bin/ld: /nix/store/rf9hrg356ig7gpbh08cc6h8y4dlx3bzh-spicy-lat
est-f7b6454-dirty/lib/libhilti.a(library.cc.o): in function `hilti::rt::Library::~Library()':
(.text+0x1012): undefined reference to `dlclose'
/nix/store/sgrwh6jsrshrnicqi67fck336q6ldh2d-binutils-2.35.1/bin/ld: (.text+0x101b): undefined reference to `dlerror'
/nix/store/sgrwh6jsrshrnicqi67fck336q6ldh2d-binutils-2.35.1/bin/ld: /nix/store/rf9hrg356ig7gpbh08cc6h8y4dlx3bzh-spicy-lat
est-f7b6454-dirty/lib/libhilti.a(library.cc.o): in function `hilti::rt::Library::open() const':
(.text+0x10fd): undefined reference to `dlsym'
/nix/store/sgrwh6jsrshrnicqi67fck336q6ldh2d-binutils-2.35.1/bin/ld: (.text+0x118a): undefined re

Platform: Nix

Errors with zkg install zeek/spicy-plugin

I'm currently trying to build Zeek with spicy and receiving errors below are some details.

Red Hat Enterprise Linux release 8.5 (Ootpa)
Spicy - spicyc v1.5.0-dev.12 (1b38a6dc)
zeek version 4.0.3

Used pip3 to installl zeek/spicy-plugin
spicy-plugin-build.log

Last line in evt file ignored if it does not end in newline

If an evt file does not end in a newline, its last line will be ignored. This can e.g., be reproduced if one configures an event on that line; the event will never be triggered.

`file_data_in_at_offset` is unusable

When using file_data_in_at_offset

# /tmp/foo.spicy
module foo;

import zeek;

public type X = unit {
    data: bytes &size=1;

    var fuid: string = "";

    on %done {
        self.fuid = zeek::file_begin();
        zeek::file_data_in_at_offset(self.data, 0);
        zeek::file_data_in(self.data);
        zeek::file_end();
    }
};

one runs into a linker error:

$ zeek foo.spicy
fatal error: error during compilation: failed to load library "/tmp/hilti.XXXELN36r/__library__.hlto": /tmp/hilti.XXXELN36r/__library__.hlto: undefined symbol: _ZN5spicy4zeek2rt17data_in_at_offsetERKN5hilti2rt5BytesERK7SafeIntImNS3_7integer6detail16SafeIntExceptionEE

Spicy-plugin creates dangling links (assuming binary installation)

An installation of spicy-plugin will leave the following dangling link in include/zeek/builtin-plugins/spicy-plugin/lib64:

[johanna@johanna-zeek-compile lib64]$ ls -lh
total 1.0K
lrwxrwxrwx 1 johanna johanna 57 Jun 15 09:57 zeek-spicy -> /home/johanna/zeek/build/src/builtin-plugins/spicy-plugin

Assuming a binary installation, this link will point into nothingness; having links to outside of the distribution directory also violates packaging guidelines on just about any system, and generally seems like a bad idea.

@bbannier pointed me to this as the cause

spicy-plugin/CMakeLists.txt

Lines 211 to 216 in 8cd9a0b

    
           if (ZEEK_SPICY_PLUGIN_INTERNAL_BUILD) 
        
               # The static build doesn't put the aux files into the build directory 
        
               # We create links to get the same effect. 
        
               file(MAKE_DIRECTORY "${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}") 
        
               file(CREATE_LINK "${PROJECT_BINARY_DIR}" 
        
                    "${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}/zeek-spicy" SYMBOLIC)

and mentioned that there might have been a discussion between @sethhall and @rsmmr about this.

I am not sure what the reason for this is - but in my opinion we should not have links back into the source folder in a finished installation.

Optimally this should be removed for the 5.0 release.

spicy-plugin can e.g., segfault if underlying Spicy breaks ABI

Currently spicy-plugin has a ABI dependency on the underlying Spicy installation so that e.g., upgrading Spicy without reinstalling spicy-plugin can lead to errors like segfaults.

It would be nice if it was clearer that the environment was broken. When debugging issues right now we often need to tell users to reinstall spicy-plugin to be sure which doesn't seem viable for the long term.

We should check whether we could either only use a "stable" Spicy ABI, or alternatively add a new layer in spicy-plugin which can catch ABI.

Compiler errors when building on macos

I am seeing compiler errors when installing the plugin on macos-10.15.7. This seems to have started around the time we moved spicy-plugin to build via Zeek's CMake setup.

Spicy and Zeek are installed via Homebrew and seem to point to a correct compiler:

$ zeek-config --version
4.0.0
$  zkg --version
zkg 2.7.1
$ spicy-config --version
0.4.0-1628 (master 723f3dfe)
$ spicy-config --cxx --cxxflags
/usr/bin/clang++ -I/usr/local/Cellar/spicy/HEAD-723f3df/include -fPIC -std=c++17 -g -O3 -DNDEBUG -fvisibility=hidden -I/usr/local/Cellar/spicy/HEAD-723f3df/include -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk

For

$ zkg install spicy-plugin

I get the following error:

=== STDERR ===

====================|  Spicy Installation Summary  |====================

Found Spicy:           yes

Version:               0.4.0-1628 (master 723f3dfe) (400)
Prefix:                /usr/local/Cellar/spicy/HEAD-723f3df
Build type:            release
Have toolchain:        yes
Spicy compiler:        /usr/local/Cellar/spicy/HEAD-723f3df/bin/spicyc

========================================================================


====================|  Zeek Installation Summary  |====================

Found Zeek:            yes

Version:          4.0.0 (40000)
Prefix:           /usr/local/Cellar/zeek/4.0.0_1
Build type:       release

========================================================================


====================|  Spicy Zeek Plugin  |====================

Version:               0.99.2 (9902)
Build type:            RelWithDebInfo
Zeek debug build:      no
spicy-config:          /usr/local/bin/spicy-config
zeek-config:           /usr/local/bin/zeek-config

========================================================================

In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:20:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:317:9: error: no member named 'signbit' in the global namespace
using ::signbit;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:318:9: error: no member named 'fpclassify' in the global namespace
using ::fpclassify;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:319:9: error: no member named 'isfinite' in the global namespace; did you mean 'finite'?
using ::isfinite;
      ~~^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:749:12: note: 'finite' declared here
extern int finite(double)
           ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:20:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:320:9: error: no member named 'isinf' in the global namespace
using ::isinf;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:321:9: error: no member named 'isnan' in the global namespace
using ::isnan;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:322:9: error: no member named 'isnormal' in the global namespace
using ::isnormal;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:323:7: error: no member named 'isgreater' in the global namespace; did you mean '::std::greater'?
using ::isgreater;
      ^~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/functional:738:29: note: '::std::greater' declared here
struct _LIBCPP_TEMPLATE_VIS greater : binary_function<_Tp, _Tp, bool>
                            ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:20:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:324:7: error: no member named 'isgreaterequal' in the global namespace; did you mean '::std::greater_equal'?
using ::isgreaterequal;
      ^~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/functional:767:29: note: '::std::greater_equal' declared here
struct _LIBCPP_TEMPLATE_VIS greater_equal : binary_function<_Tp, _Tp, bool>
                            ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:20:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:325:9: error: no member named 'isless' in the global namespace
using ::isless;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:326:9: error: no member named 'islessequal' in the global namespace
using ::islessequal;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:327:9: error: no member named 'islessgreater' in the global namespace
using ::islessgreater;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:328:9: error: no member named 'isunordered' in the global namespace
using ::isunordered;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:329:9: error: no member named 'isunordered' in the global namespace
using ::isunordered;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:20:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:311:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(float)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:20:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:312:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(double)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:20:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:313:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(long double)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:317:9: error: no member named 'signbit' in the global namespace
using ::signbit;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:318:9: error: no member named 'fpclassify' in the global namespace
using ::fpclassify;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:319:9: error: no member named 'isfinite' in the global namespace; did you mean 'finite'?
using ::isfinite;
      ~~^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:749:12: note: 'finite' declared here
extern int finite(double)
           ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:320:9: error: no member named 'isinf' in the global namespace
using ::isinf;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:321:9: error: no member named 'isnan' in the global namespace
using ::isnan;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:9:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:317:9: error: no member named 'signbit' in the global namespace
using ::signbit;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:322:9: error: no member named 'isnormal' in the global namespace
using ::isnormal;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:318:9: error: no member named 'fpclassify' in the global namespace
using ::fpclassify;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:323:7: error: no member named 'isgreater' in the global namespace; did you mean '::std::greater'?
using ::isgreater;
      ^~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/functional:738:29: note: '::std::greater' declared here
struct _LIBCPP_TEMPLATE_VIS greater : binary_function<_Tp, _Tp, bool>
                            ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:319:9: error: no member named 'isfinite' in the global namespace; did you mean 'finite'?
using ::isfinite;
      ~~^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:749:12: note: 'finite' declared here
extern int finite(double)
           ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:324:7: error: no member named 'isgreaterequal' in the global namespace; did you mean '::std::greater_equal'?
using ::isgreaterequal;
      ^~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/functional:767:29: note: '::std::greater_equal' declared here
struct _LIBCPP_TEMPLATE_VIS greater_equal : binary_function<_Tp, _Tp, bool>
                            ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:9:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:320:9: error: no member named 'isinf' in the global namespace
using ::isinf;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
In file included from /usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:147:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:325:9: error: no member named 'isless' in the global namespace
using ::isless;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:321:9: error: no member named 'isnan' in the global namespace
using ::isnan;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:326:9: error: no member named 'islessequal' in the global namespace
using ::islessequal;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:322:9: error: no member named 'isnormal' in the global namespace
using ::isnormal;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:327:9: error: no member named 'islessgreater' in the global namespace
using ::islessgreater;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:323:7: error: no member named 'isgreater' in the global namespace; did you mean '::std::greater'?
using ::isgreater;
      ^~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/functional:738:29: note: '::std::greater' declared here
struct _LIBCPP_TEMPLATE_VIS greater : binary_function<_Tp, _Tp, bool>
                            ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:328:9: error: no member named 'isunordered' in the global namespace
using ::isunordered;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:9:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:324:7: error: no member named 'isgreaterequal' in the global namespace; did you mean '::std::greater_equal'?
using ::isgreaterequal;
      ^~
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/functional:767:29: note: '::std::greater_equal' declared here
struct _LIBCPP_TEMPLATE_VIS greater_equal : binary_function<_Tp, _Tp, bool>
                            ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:329:9: error: no member named 'isunordered' in the global namespace
using ::isunordered;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:9:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:325:9: error: no member named 'isless' in the global namespace
using ::isless;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:311:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(float)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:312:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(double)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:313:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(long double)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:326:9: error: no member named 'islessequal' in the global namespace
using ::islessequal;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/file-analyzer.cc:4:
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/include/zeek-spicy/file-analyzer.h:9:
In file included from /usr/local/include/hilti/rt/types/stream.h:22:
In file included from /usr/local/include/hilti/rt/logging.h:8:
In file included from /usr/local/include/hilti/rt/debug-logger.h:12:
In file included from /usr/local/include/hilti/rt/util.h:23:
In file included from /usr/local/include/hilti/rt/types/time.h:12:
In file included from /usr/local/include/hilti/rt/types/interval.h:14:
In file included from /usr/local/include/hilti/rt/safe-int.h:6:
/usr/local/include/hilti/rt/3rdparty/SafeInt/SafeInt.hpp:1269:22: error: expected unqualified-id
        switch (std::fpclassify(d))
                     ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:127:5: note: expanded from macro 'fpclassify'
    ( sizeof(x) == sizeof(float)  ? __fpclassifyf((float)(x))            \
    ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:327:9: error: no member named 'islessgreater' in the global namespace
using ::islessgreater;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:328:9: error: no member named 'isunordered' in the global namespace
using ::isunordered;
      ~~^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/c++/v1/cmath:329:9: error: no member named 'isunordered' in the global namespace
using ::isunordered;
      ~~^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/plugin.cc:9:
In file included from /usr/local/include/hilti/rt/configuration.h:10:
In file included from /usr/local/include/hilti/rt/util.h:23:
In file included from /usr/local/include/hilti/rt/types/time.h:12:
In file included from /usr/local/include/hilti/rt/types/interval.h:14:
In file included from /usr/local/include/hilti/rt/safe-int.h:6:
/usr/local/include/hilti/rt/3rdparty/SafeInt/SafeInt.hpp:1269:22: error: expected unqualified-id
        switch (std::fpclassify(d))
                     ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:127:5: note: expanded from macro 'fpclassify'
    ( sizeof(x) == sizeof(float)  ? __fpclassifyf((float)(x))            \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:27:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:311:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(float)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:27:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:312:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(double)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:27:
In file included from /usr/local/include/hilti/rt/util.h:19:
In file included from /usr/local/include/hilti/rt/exception.h:13:
In file included from /usr/local/include/hilti/rt/fmt.h:7:
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:313:1: error: expected unqualified-id
TINYFORMAT_SETFILL_NOT_FINITE_FLOATING(long double)
^
/usr/local/include/hilti/rt/3rdparty/tinyformat/tinyformat.h:308:36: note: expanded from macro 'TINYFORMAT_SETFILL_NOT_FINITE_FLOATING'
    if (out.fill() == '0' && !std::isfinite(value))              \
                                   ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:155:5: note: expanded from macro 'isfinite'
    ( sizeof(x) == sizeof(float)  ? __inline_isfinitef((float)(x))       \
    ^
In file included from /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/plugin/src/driver.cc:3:
In file included from /usr/local/include/hilti/ast/types/enum.h:9:
In file included from /usr/local/include/hilti/ast/id.h:11:
In file included from /usr/local/include/hilti/ast/node.h:23:
In file included from /usr/local/include/hilti/ast/meta.h:10:
In file included from /usr/local/include/hilti/ast/location.h:10:
In file included from /usr/local/include/hilti/base/util.h:27:
In file included from /usr/local/include/hilti/rt/util.h:23:
In file included from /usr/local/include/hilti/rt/types/time.h:12:
In file included from /usr/local/include/hilti/rt/types/interval.h:14:
In file included from /usr/local/include/hilti/rt/safe-int.h:6:
/usr/local/include/hilti/rt/3rdparty/SafeInt/SafeInt.hpp:1269:22: error: expected unqualified-id
        switch (std::fpclassify(d))
                     ^
/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/usr/include/math.h:127:5: note: expanded from macro 'fpclassify'
    ( sizeof(x) == sizeof(float)  ? __fpclassifyf((float)(x))            \
    ^
17 errors generated.
make[2]: *** [plugin/CMakeFiles/_Zeek-Spicy.darwin-x86_64.dir/src/driver.cc.o] Error 1
make[2]: *** Waiting for unfinished jobs....
17 errors generated.
make[2]: *** [plugin/CMakeFiles/_Zeek-Spicy.darwin-x86_64.dir/src/file-analyzer.cc.o] Error 1
17 errors generated.
make[2]: *** [plugin/CMakeFiles/_Zeek-Spicy.darwin-x86_64.dir/src/plugin.cc.o] Error 1
make[1]: *** [plugin/CMakeFiles/_Zeek-Spicy.darwin-x86_64.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [all] Error 2
=== STDOUT ===
-- The CXX compiler identification is AppleClang 12.0.0.12000032
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found spicy-config: /usr/local/bin/spicy-config
-- Found Spicy: yes  
-- Found zeek-config: /usr/local/bin/zeek-config
-- Found Zeek: yes  
-- Performing Test cxx17_already_works
-- Performing Test cxx17_already_works - Success
-- Found BinPAC: /usr/local/include/binpac  
-- Found CAF: 0.18.1  found components: core io openssl 
-- Found Broker: /usr/local/lib/libbroker.dylib  
-- Zeek executable      : /usr/local/Cellar/zeek/4.0.0_1/bin/zeek
-- Zeek source          : 
-- Zeek build           : 
-- Zeek install prefix  : /usr/local/Cellar/zeek/4.0.0_1
-- Zeek plugin directory: /usr/local/Cellar/zeek/4.0.0_1/lib/zeek/plugins
-- Zeek debug mode      : 
-- Configuring done
-- Generating done
-- Build files have been written to: /Users/bbannier/.zkg/testing/spicy-plugin/clones/spicy-plugin/build
Scanning dependencies of target bif-plugin-_Zeek_Spicy-events.bif
Scanning dependencies of target bif-plugin-_Zeek_Spicy-functions.bif
Scanning dependencies of target bif-plugin-_Zeek_Spicy-consts.bif
[ 10%] [BIFCL] Processing src/functions.bif
[ 10%] [BIFCL] Processing src/consts.bif
[ 10%] [BIFCL] Processing src/events.bif
[ 10%] Built target bif-plugin-_Zeek_Spicy-functions.bif
[ 10%] Built target bif-plugin-_Zeek_Spicy-consts.bif
[ 10%] Built target bif-plugin-_Zeek_Spicy-events.bif
Scanning dependencies of target generate_outputs
Scanning dependencies of target copy-scripts-_Zeek_Spicy
Scanning dependencies of target copy-scripts
[ 10%] Built target generate_outputs
[ 10%] Built target copy-scripts-_Zeek_Spicy
Scanning dependencies of target bro-plugin-_Zeek_Spicy
Scanning dependencies of target bif-init-_Zeek_Spicy
[ 13%] Creating __bro_plugin__ for _Zeek::Spicy
[ 13%] Built target bro-plugin-_Zeek_Spicy
Scanning dependencies of target zeek-compiler
[ 13%] Built target copy-scripts
[ 13%] Built target bif-init-_Zeek_Spicy
[ 20%] Building CXX object compiler/CMakeFiles/zeek-compiler.dir/driver.cc.o
[ 20%] Building CXX object compiler/CMakeFiles/zeek-compiler.dir/glue-compiler.cc.o
[ 20%] Built target zeek-compiler
Scanning dependencies of target spicyz
[ 24%] Building CXX object compiler/CMakeFiles/spicyz.dir/bin/spicyz.cc.o
Scanning dependencies of target _Zeek-Spicy.darwin-x86_64
[ 34%] Building CXX object plugin/CMakeFiles/_Zeek-Spicy.darwin-x86_64.dir/src/file-analyzer.cc.o
[ 34%] Building CXX object plugin/CMakeFiles/_Zeek-Spicy.darwin-x86_64.dir/src/driver.cc.o
[ 34%] Building CXX object plugin/CMakeFiles/_Zeek-Spicy.darwin-x86_64.dir/src/plugin.cc.o
[ 37%] Linking CXX executable ../plugin/bin/spicyz
[ 37%] Built target spicyz

I am seeing a similar issue when building Spicy with --build-zeek-plugin=yes.

zeek::confirm_protocol on a file analyzer seems to disable other hooks and code following it

I am writing a file analyzer which has some default %done hook invoking zeek::confirm_protocol. When trying to invoke other analyzer %done hooks via the EVT file they do not seem to be triggered, but if I remove the protocol confirmation they are invoked.

If I invoke zeek::confirm_protocol in the default %done hook first, it seems no code following it even in the same function seems to be invoked (e.g., I see no results from print statements if executed after the confirmation, but see them if they are running before the confirmation).

I am attaching a sample plugin demonstrating the issue, see the places marked FIXME.

zeek/spicy: Built-in spicy modules cannot be replaced.

When Zeek is built with built-in spicy modules and a custom spicy module is loaded that uses the replaces keyword for an existing spicy module, the existing spicy module is not replaced -- it's left loaded along with the custom spicy module which requested the replacement.

Unsupported passing of user-defined types in event handler declaration not rejected

We currently do not support passing user-defined types in event handler declaration in the EVT file. If one does that, this fails at JIT time with intransparent C++ compiler errors. We should instead reject this explicitly.

# foo.spicy
module foo;

public type X = unit { y: Y; };

type Y = unit { y: uint8; };

# foo.evt
protocol analyzer spicy::foo over UDP:
    parse with foo::X;

import foo;

on foo::X -> event foo::X($conn, self.y);

$ spicyz foo.spicy foo.evt -o foo.hlto
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc: In function ‘void __hlt::spicy_hooks_foo::__hook_X___on_0x25_done_6042(hilti::rt::ValueReference<__hlt::foo::X>&)’:
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:162:400: error: no matching function for call to ‘to_val(hilti::rt::ValueReference<__hlt::foo::Y>&, zeek::TypePtr, std::string)’
  162 |     args.emplace_back(spicy::zeek::rt::to_val(::hilti::rt::optional::value((*__self).y, "/workspaces/zeek-playground/re2/foo.evt:7:1"), spicy::zeek::rt::event_arg_type(spicy_hooks_foo::__globals()->__zeek_handler_foo_X_582c4c7796f6bd3c, ::hilti::rt::integer::safe<std::uint64_t>{1U}, std::string("/workspaces/zeek-playground/re2/foo.evt:7")), std::string("/workspaces/zeek-playground/re2/foo.evt:7")));
      |                                                                                                                                                                                                                                                                                                                                                                                                                ^
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:602:23: note: candidate: ‘template<class T, std::enable_if_t<hilti::rt::is_tuple< <template-parameter-1-1> >::value>* <anonymous> > zeek::ValPtr spicy::zeek::rt::to_val(const T&, zeek::TypePtr, const string&)’
  602 | inline ::zeek::ValPtr to_val(const T& t, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:602:23: note:   template argument deduction/substitution failed:
In file included from /usr/include/c++/10/bits/move.h:57,
                 from /usr/include/c++/10/bits/stl_pair.h:59,
                 from /usr/include/c++/10/bits/stl_algobase.h:64,
                 from /usr/include/c++/10/bits/char_traits.h:39,
                 from /usr/include/c++/10/string:40,
                 from /opt/zeek/include/hilti/rt/autogen/config.h:5,
                 from /opt/zeek/include/hilti/rt/libhilti.h:9,
                 from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:6:
/usr/include/c++/10/type_traits: In substitution of ‘template<bool _Cond, class _Tp> using enable_if_t = typename std::enable_if::type [with bool _Cond = false; _Tp = void]’:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:330:82:   required from here
/usr/include/c++/10/type_traits:2554:11: error: no type named ‘type’ in ‘struct std::enable_if<false, void>’
 2554 |     using enable_if_t = typename enable_if<_Cond, _Tp>::type;
      |           ^~~~~~~~~~~
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:644:23: note: candidate: ‘template<class T, std::enable_if_t<std::is_base_of<hilti::rt::trait::isStruct, T>::value>* <anonymous> > zeek::ValPtr spicy::zeek::rt::to_val(const T&, zeek::TypePtr, const string&)’
  644 | inline ::zeek::ValPtr to_val(const T& t, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:644:23: note:   template argument deduction/substitution failed:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:701:23: note: candidate: ‘template<class T, std::enable_if_t<std::is_enum<_Tp>::value>* <anonymous> > zeek::ValPtr spicy::zeek::rt::to_val(const T&, zeek::TypePtr, const string&)’
  701 | inline ::zeek::ValPtr to_val(const T& t, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:701:23: note:   template argument deduction/substitution failed:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:542:23: note: candidate: ‘template<class K, class V> zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Map<K, V>&, zeek::TypePtr, const string&)’
  542 | inline ::zeek::ValPtr to_val(const hilti::rt::Map<K, V>& m, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:542:23: note:   template argument deduction/substitution failed:
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:162:400: note:   ‘hilti::rt::ValueReference<__hlt::foo::Y>’ is not derived from ‘const hilti::rt::Map<K, V>’
  162 |     args.emplace_back(spicy::zeek::rt::to_val(::hilti::rt::optional::value((*__self).y, "/workspaces/zeek-playground/re2/foo.evt:7:1"), spicy::zeek::rt::event_arg_type(spicy_hooks_foo::__globals()->__zeek_handler_foo_X_582c4c7796f6bd3c, ::hilti::rt::integer::safe<std::uint64_t>{1U}, std::string("/workspaces/zeek-playground/re2/foo.evt:7")), std::string("/workspaces/zeek-playground/re2/foo.evt:7")));
      |                                                                                                                                                                                                                                                                                                                                                                                                                ^
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:572:23: note: candidate: ‘template<class T> zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Set<T>&, zeek::TypePtr, const string&)’
  572 | inline ::zeek::ValPtr to_val(const hilti::rt::Set<T>& s, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:572:23: note:   template argument deduction/substitution failed:
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:162:400: note:   ‘hilti::rt::ValueReference<__hlt::foo::Y>’ is not derived from ‘const hilti::rt::Set<T>’
  162 |     args.emplace_back(spicy::zeek::rt::to_val(::hilti::rt::optional::value((*__self).y, "/workspaces/zeek-playground/re2/foo.evt:7:1"), spicy::zeek::rt::event_arg_type(spicy_hooks_foo::__globals()->__zeek_handler_foo_X_582c4c7796f6bd3c, ::hilti::rt::integer::safe<std::uint64_t>{1U}, std::string("/workspaces/zeek-playground/re2/foo.evt:7")), std::string("/workspaces/zeek-playground/re2/foo.evt:7")));
      |                                                                                                                                                                                                                                                                                                                                                                                                                ^
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:525:23: note: candidate: ‘template<class T> zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Vector<T>&, zeek::TypePtr, const string&)’
  525 | inline ::zeek::ValPtr to_val(const hilti::rt::Vector<T>& v, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:525:23: note:   template argument deduction/substitution failed:
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:162:400: note:   ‘hilti::rt::ValueReference<__hlt::foo::Y>’ is not derived from ‘const hilti::rt::Vector<T>’
  162 |     args.emplace_back(spicy::zeek::rt::to_val(::hilti::rt::optional::value((*__self).y, "/workspaces/zeek-playground/re2/foo.evt:7:1"), spicy::zeek::rt::event_arg_type(spicy_hooks_foo::__globals()->__zeek_handler_foo_X_582c4c7796f6bd3c, ::hilti::rt::integer::safe<std::uint64_t>{1U}, std::string("/workspaces/zeek-playground/re2/foo.evt:7")), std::string("/workspaces/zeek-playground/re2/foo.evt:7")));
      |                                                                                                                                                                                                                                                                                                                                                                                                                ^
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:364:23: note: candidate: ‘template<class T> zeek::ValPtr spicy::zeek::rt::to_val(const std::optional<_Tp>&, zeek::TypePtr, const string&)’
  364 | inline ::zeek::ValPtr to_val(const std::optional<T>& t, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:364:23: note:   template argument deduction/substitution failed:
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:162:400: note:   ‘hilti::rt::ValueReference<__hlt::foo::Y>’ is not derived from ‘const std::optional<_Tp>’
  162 |     args.emplace_back(spicy::zeek::rt::to_val(::hilti::rt::optional::value((*__self).y, "/workspaces/zeek-playground/re2/foo.evt:7:1"), spicy::zeek::rt::event_arg_type(spicy_hooks_foo::__globals()->__zeek_handler_foo_X_582c4c7796f6bd3c, ::hilti::rt::integer::safe<std::uint64_t>{1U}, std::string("/workspaces/zeek-playground/re2/foo.evt:7")), std::string("/workspaces/zeek-playground/re2/foo.evt:7")));
      |                                                                                                                                                                                                                                                                                                                                                                                                                ^
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:378:23: note: candidate: ‘template<class T> zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::DeferredExpression<Result>&, zeek::TypePtr, const string&)’
  378 | inline ::zeek::ValPtr to_val(const hilti::rt::DeferredExpression<T>& t, ::zeek::TypePtr target,
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:378:23: note:   template argument deduction/substitution failed:
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:162:400: note:   ‘hilti::rt::ValueReference<__hlt::foo::Y>’ is not derived from ‘const hilti::rt::DeferredExpression<Result>’
  162 |     args.emplace_back(spicy::zeek::rt::to_val(::hilti::rt::optional::value((*__self).y, "/workspaces/zeek-playground/re2/foo.evt:7:1"), spicy::zeek::rt::event_arg_type(spicy_hooks_foo::__globals()->__zeek_handler_foo_X_582c4c7796f6bd3c, ::hilti::rt::integer::safe<std::uint64_t>{1U}, std::string("/workspaces/zeek-playground/re2/foo.evt:7")), std::string("/workspaces/zeek-playground/re2/foo.evt:7")));
      |                                                                                                                                                                                                                                                                                                                                                                                                                ^
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:414:23: note: candidate: ‘template<class T> zeek::ValPtr spicy::zeek::rt::to_val(hilti::rt::integer::safe<T>, zeek::TypePtr, const string&)’
  414 | inline ::zeek::ValPtr to_val(hilti::rt::integer::safe<T> i, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:414:23: note:   template argument deduction/substitution failed:
/tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:162:400: note:   ‘hilti::rt::ValueReference<__hlt::foo::Y>’ is not derived from ‘SafeInt<T, hilti::rt::integer::detail::SafeIntException>’
  162 |     args.emplace_back(spicy::zeek::rt::to_val(::hilti::rt::optional::value((*__self).y, "/workspaces/zeek-playground/re2/foo.evt:7:1"), spicy::zeek::rt::event_arg_type(spicy_hooks_foo::__globals()->__zeek_handler_foo_X_582c4c7796f6bd3c, ::hilti::rt::integer::safe<std::uint64_t>{1U}, std::string("/workspaces/zeek-playground/re2/foo.evt:7")), std::string("/workspaces/zeek-playground/re2/foo.evt:7")));
      |                                                                                                                                                                                                                                                                                                                                                                                                                ^
In file included from /tmp/spicy_hooks_foo_7c2b98512c2cb89c-48ee19717edfa961.cc:8:
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:444:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Bool&, zeek::TypePtr, const string&)’
  444 | inline ::zeek::ValPtr to_val(const hilti::rt::Bool& b, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:444:53: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘const hilti::rt::Bool&’
  444 | inline ::zeek::ValPtr to_val(const hilti::rt::Bool& b, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~~~~~~~~~~~~~~~~~^
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:466:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Address&, zeek::TypePtr, const string&)’
  466 | inline ::zeek::ValPtr to_val(const hilti::rt::Address& d, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:466:56: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘const hilti::rt::Address&’
  466 | inline ::zeek::ValPtr to_val(const hilti::rt::Address& d, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~~~~~~~~~~~~~~~~~~~~^
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:402:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Bytes&, zeek::TypePtr, const string&)’
  402 | inline ::zeek::ValPtr to_val(const hilti::rt::Bytes& b, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:402:54: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘const hilti::rt::Bytes&’
  402 | inline ::zeek::ValPtr to_val(const hilti::rt::Bytes& b, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~~~~~~~~~~~~~~~~~~^
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:502:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Interval&, zeek::TypePtr, const string&)’
  502 | inline ::zeek::ValPtr to_val(const hilti::rt::Interval& i, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:502:57: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘const hilti::rt::Interval&’
  502 | inline ::zeek::ValPtr to_val(const hilti::rt::Interval& i, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~^
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:483:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Port&, zeek::TypePtr, const string&)’
  483 | inline ::zeek::ValPtr to_val(const hilti::rt::Port& p, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:483:53: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘const hilti::rt::Port&’
  483 | inline ::zeek::ValPtr to_val(const hilti::rt::Port& p, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~~~~~~~~~~~~~~~~~^
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:513:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(const hilti::rt::Time&, zeek::TypePtr, const string&)’
  513 | inline ::zeek::ValPtr to_val(const hilti::rt::Time& t, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:513:53: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘const hilti::rt::Time&’
  513 | inline ::zeek::ValPtr to_val(const hilti::rt::Time& t, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~~~~~~~~~~~~~~~~~^
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:391:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(const string&, zeek::TypePtr, const string&)’
  391 | inline ::zeek::ValPtr to_val(const std::string& s, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:391:49: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘const string&’ {aka ‘const std::__cxx11::basic_string<char>&’}
  391 | inline ::zeek::ValPtr to_val(const std::string& s, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~~~~~~~~~~~~~^
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:455:23: note: candidate: ‘zeek::ValPtr spicy::zeek::rt::to_val(double, zeek::TypePtr, const string&)’
  455 | inline ::zeek::ValPtr to_val(double r, ::zeek::TypePtr target, const std::string& location) {
      |                       ^~~~~~
/opt/zeek/lib/zeek-spicy/include/zeek-spicy/runtime-support.h:455:37: note:   no known conversion for argument 1 from ‘hilti::rt::ValueReference<__hlt::foo::Y>’ to ‘double’
  455 | inline ::zeek::ValPtr to_val(double r, ::zeek::TypePtr target, const std::string& location) {
      |                              ~~~~~~~^
[error] <Spicy Plugin for Zeek>: JIT compilation failed

	if (ZEEK_SPICY_PLUGIN_INTERNAL_BUILD)
	# The static build doesn't put the aux files into the build directory
	# We create links to get the same effect.
	file(MAKE_DIRECTORY "${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}")
	file(CREATE_LINK "${PROJECT_BINARY_DIR}"
	"${PROJECT_BINARY_DIR}/${CMAKE_INSTALL_LIBDIR}/zeek-spicy" SYMBOLIC)