That flow is not correct. When you call yr_rules_load() you get a new
YR_RULES struct, so the threads are not sharing the same rules; each thread
has its own copy (although they are identical because they were loaded from
the same file). What you should do is something like:

main thread:
yr_initialize()
yr_compiler_create()
yr_compiler_add_string/file/fd()
yr_compiler_get_rules()
yr_compiler_destroy()

* spawn threads and pass them the YR_RULES* pointer you got from
yr_compiler_get_rules(). Notice that you can't spawn more than MAX_THREADS
(defined in libyara/include/yara/limits.h)
* wait for all threads to finish

yr_finalize()


scan threads:

yr_scan_mem()
yr_finalize_thread()

You can take a look at yara.c which uses a multithreaded approach while
scanning directories.

Regards,
Víctor



On Thu, Sep 28, 2017 at 8:41 PM, Igor Polevoy <[email protected]>
wrote:

> Hi
> I need to port some old code from the YARA C API for v1.7 to 3.6.
> The usage model is multi-threaded, with each thread using the same rules
> to scan different files.
> So I just want to understand if the relevant YARA code is reentrant and
> what should be the correct flow?
>
> Let's say I have in the main thread:
>   yr_initialize()
>   yr_compiler_create()
>   ....
>   yr_rules_save(file)
>   yr_compiler_destroy()
> ...
> /* spawn the threads here */
>
> And in each one of the thread functions:
>   yr_rules_load(file)
>   yr_scan_mem()
>   yr_finalize_thread()
>
> Is it the correct flow or am I missing anything?
>
> Many thanks
> Igor
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
