detect/byte: cache byte values in tx state

[jlucovsky]

Continuation of #15195

Add per-transaction byte value caching so that variables produced by byte_extract and byte_math persist across buffer and direction boundaries.

Without this change, bidirectional (=>) rules that produce a byte variable in a toserver buffer and consume it in a toclient buffer fail when HTTP/1.1 pipelining creates multiple transactions. All TXs share the same det_ctx->byte_values, and a later TX's toserver inspection clobbers values before an earlier TX's toclient inspection runs.

The fix saves byte values to the per-TX DetectEngineState after extraction, restores them before each content inspection pass, clears them when resetting a TX, and frees the memory when DetectEngineState is destroyed, the transaction is reset, or the DetectEngineThreadCtx is uninitialized.

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7801

Describe changes:

• detect-engine-state.c/.h: Add byte_values array to DetectEngineState with save/restore functions, cleared/freed on reset, free on destroy
• detect-engine-content-inspection.c: Restore cached values at start of inspection, save after byte_extract/byte_math
• detect-engine.c, detect.h: Track byte_values_len in DetectEngineThreadCtx
• rust/sys/src/sys.rs: Add new fields to bindgen struct
• Documentation updates in differences-from-snort.rst, payload-keywords.rst, and devguide/transactions.rst

Updates:

• Moved from issue 1412 to 7801 as focus is on cross buffer-variable usage
• Adjust positioning of byte_value variables to reduce holes in struct (see scan-build in detect/byte: cache byte values in tx state #15027)
• Skip caching for unidirectional rules since all buffers are inspected in a single TX.
• Clear on engine reload
• Removed dynamic growth with a single alloc as the size is static.
• Address review comments (see detect/byte: cache byte values in tx state #15084)
• Eliminated byte values swap and use make a memory copy of the values to avoid ownership issues. Added @catenacyber's test case that validates this to s-v PR
• Created Redmine issue 8458 to handle rules that try to use byte values before they are created.
• Fix formatting issue

Provide values to any of the below to override the defaults.

• To use a Suricata-Verify or Suricata-Update pull request,
  link to the pull request in the respective _BRANCH variable.
• Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=OISF/suricata-verify#2968
SU_REPO=
SU_BRANCH=

[codecov]

Codecov Report

❌ Patch coverage is 82.75862% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.68%. Comparing base (336b50a) to head (a49d229).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #15196      +/-   ##
==========================================
- Coverage   82.71%   82.68%   -0.03%     
==========================================
  Files         993      993              
  Lines      271737   271809      +72     
==========================================
- Hits       224772   224751      -21     
- Misses      46965    47058      +93     

Flag	Coverage Δ
fuzzcorpus	61.06% <32.75%> (-0.06%)	⬇️
livemode	18.33% <6.89%> (-0.04%)	⬇️
netns	22.59% <8.62%> (-0.02%)	⬇️
pcap	45.25% <10.34%> (-0.07%)	⬇️
suricata-verify	66.25% <81.03%> (-0.02%)	⬇️
unittests	58.84% <13.79%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPR1_stats_chk
.app_layer.flow.ftp-data	697	664	95.27%

Pipeline = 30908

[catenacyber]

optimization detail : I think we can do the swap instead of memcpy, if we care to swap back at the right time

[jlucovsky]

Yes -- the swap could be reintroduced but note that the amount of the data copied is bounded -- in practice, it's just a few uint64_t's.

[catenacyber]

Still questions about tickets and scope :

• does this PR solve 1412 as well ?
• can it also solve https://redmine.openinfosecfoundation.org/issues/7197 ?

For the latter, you said

similar problem with a different variable type.

Is it a simple fixup to add ? Or a more complete one

[jlucovsky]

Still questions about tickets and scope :

• does this PR solve 1412 as well ?

Test case 09 uses the rule/pcap from the issue 1412.

• can it also solve https://redmine.openinfosecfoundation.org/issues/7197 ?

For the latter, you said

similar problem with a different variable type.

Is it a simple fixup to add ? Or a more complete one

The fix for 7197 is more involved and better handled by a follow-on PR.

[catenacyber]

The fix for 7197 is more involved and better handled by a follow-on PR.

OK thanks

• does this PR solve 1412 as well ?

Test case 09 uses the rule/pcap from the issue 1412.

But the ticket do not mention ticket 1412, is this solved by this PR of is there more to do ?

[jlucovsky]

The fix for 7197 is more involved and better handled by a follow-on PR.

OK thanks

• does this PR solve 1412 as well ?

Test case 09 uses the rule/pcap from the issue 1412.

But the ticket do not mention ticket 1412, is this solved by this PR of is there more to do ?

1412 is partially solved -- for bidirectional rules, it's completely solved. For unidirectional rules, if the producing buffer is at a higher progress than the consuming buffer, the issue from 1412 still occurs.

I'll make sure that the PR states this -- i'm rebasing and putting a replacement pr together.

[jlucovsky]

Continued in #15333