psort-studentpc1-services end-to-end test failing with QueueFull

[joachimmetz]

2020-06-04 09:30:46,985 [INFO] (MainProcess) PID:4370 <data_location> Determined data location: /tmp/workspace/psort-linux-services/data
Traceback (most recent call last):
  File "./tools/psort.py", line 95, in <module>
    if not Main():
  File "./tools/psort.py", line 72, in Main
    tool.ProcessStorage()
  File "/tmp/workspace/psort-linux-services/plaso/cli/psort_tool.py", line 554, in ProcessStorage
    worker_memory_limit=self._worker_memory_limit)
  File "/tmp/workspace/psort-linux-services/plaso/multi_processing/psort.py", line 909, in AnalyzeEvents
    storage_writer, analysis_plugins, event_filter=event_filter)
  File "/tmp/workspace/psort-linux-services/plaso/multi_processing/psort.py", line 281, in _AnalyzeEvents
    event_queue.PushItem((event, event_data))
  File "/tmp/workspace/psort-linux-services/plaso/engine/zeromq_queue.py", line 457, in PushItem
    raise errors.QueueFull
plaso.lib.errors.QueueFull

[Onager]

This seems to be due to the windows_service plugin exit prematurely. Looking into why this is.

[Onager]

It looks like this is failing because it's being fed an WindowsRegistryServiceEventData that has no service_dll attribute.

I don't understand what could be removing the attribute from the EventData, I'd expect it to be set to None.

[Onager]

It's actually not a WindowsRegistryServiceEventData, it's just a regular EventData.

I assume there's something in the storage implementation or serializer that's deleting the attribute from the eventdata. The unittests are OK, and they use the FakeStorageWriter.

[Onager]

This is because GetAttributes in the attribute container interface skips all attributes that have a None value.

[joachimmetz]

It's actually not a WindowsRegistryServiceEventData, it's just a regular EventData.

WindowsRegistryServiceEventData is the only event data that defines service_dll

[joachimmetz]

End to end tests started passing again on Jun 22, but failed on Jun 28. Created #3145