detect: remove STATE_MATCH flag use at runtime

Instead, use it only at init time and use Signature::app_inspect
directly at runtime.

src/detect-engine-analyzer.c

@@ -516,7 +516,7 @@ void EngineAnalysisRules2(const DetectEngineCtx *de_ctx, const Signature *s)
         json_object_set_new(js, "requirements", js_flags);
     }
 
-    if (s->flags & SIG_FLAG_STATE_MATCH) {
+    if (s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) {
         json_t *js_array = json_array();
         const DetectEngineAppInspectionEngine *app = s->app_inspect;
         for ( ; app != NULL; app = app->next) {

src/detect-engine.c

@@ -469,12 +469,14 @@ int DetectEngineAppInspectionEngine2Signature(DetectEngineCtx *de_ctx, Signature
 
         SCLogDebug("sid %u: engine %p/%u added", s->id, new_engine, new_engine->id);
 
-        s->flags |= SIG_FLAG_STATE_MATCH;
+        s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
 next:
         t = t->next;
     }
 
-    if ((s->flags & SIG_FLAG_STATE_MATCH) && s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL) {
+    if ((s->init_data->init_flags & SIG_FLAG_INIT_STATE_MATCH) &&
+            s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL)
+    {
         /* if engine is added multiple times, we pass it the same list */
         SigMatchData *stream = SigMatchList2DataArray(s->init_data->smlists[DETECT_SM_LIST_PMATCH]);
         BUG_ON(stream == NULL);

src/detect-flowbits.c

@@ -507,7 +507,7 @@ void DetectFlowbitsAnalyze(DetectEngineCtx *de_ctx)
             SCLogDebug("GET flowbit %s/%u: SID %u", varname, i, s->id);
 
             if (to_state) {
-                s->flags |= SIG_FLAG_STATE_MATCH;
+                s->init_data->init_flags |= SIG_FLAG_INIT_STATE_MATCH;
                 SCLogDebug("made SID %u stateful because it depends on "
                         "stateful rules that set flowbit %s", s->id, varname);
             }

src/detect.c

@@ -802,8 +802,8 @@ static inline void DetectRulePacketRules(
 
         SCLogDebug("inspecting signature id %"PRIu32"", s->id);
 
-        if (sflags & SIG_FLAG_STATE_MATCH) {
-            goto next; // TODO skip and handle in DetectRunTx
+        if (s->app_inspect != NULL) {
+            goto next; // handle sig in DetectRunTx
         }
 
         /* don't run mask check for stateful rules.
@@ -1420,7 +1420,7 @@ static void DetectRunTx(ThreadVars *tv,
         uint32_t x = array_idx;
         for (uint32_t i = 0; i < det_ctx->match_array_cnt; i++) {
             const Signature *s = det_ctx->match_array[i];
-            if (s->flags & SIG_FLAG_STATE_MATCH) {
+            if (s->app_inspect != NULL) {
                 const SigIntId id = s->num;
                 det_ctx->tx_candidates[array_idx].s = s;
                 det_ctx->tx_candidates[array_idx].id = id;

src/detect.h

@@ -222,7 +222,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_APPLAYER               (1<<6)  /**< signature applies to app layer instead of packets */
 #define SIG_FLAG_IPONLY                 (1<<7) /**< ip only signature */
 
-#define SIG_FLAG_STATE_MATCH            (1<<8) /**< signature has matches that require stateful inspection */
+// vacancy
 
 #define SIG_FLAG_REQUIRE_PACKET         (1<<9) /**< signature is requiring packet match */
 #define SIG_FLAG_REQUIRE_STREAM         (1<<10) /**< signature is requiring stream match */
@@ -259,6 +259,7 @@ typedef struct DetectPort_ {
 #define SIG_FLAG_INIT_BIDIREC               (1<<3)  /**< signature has bidirectional operator */
 #define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN    (1<<4)  /** < signature has seen the first ip_proto keyword */
 #define SIG_FLAG_INIT_HAS_TRANSFORM         (1<<5)
+#define SIG_FLAG_INIT_STATE_MATCH           (1<<6)  /**< signature has matches that require stateful inspection */
 
 /* signature mask flags */
 #define SIG_MASK_REQUIRE_PAYLOAD            (1<<0)