How to properly write "unit" tests for analyzers?

[fmagin]

I have been tackling Objective-C analysis for a while, and this is currently culminating in a dedicated plugin for anything related to it.

One problem I'm currently facing is that I don't know how to properly write tests for our analyzers.
We have some simple unit tests, but I'd like to write tests for a workflow like:

1. Import Program from a file
2. Run Auto analysis (with the option to activate analyzers that might not be activated by default)
3. Check that the resulting program has various information available.

My jury-rigged method would be to call the headless analyzer with a preScript for configuring the analysis and a postScript for checking the results, but this sounds like something common enough that there is a proper way to integrate this into the Junit tests?

At the core I want tests for specific analyzers, that they return the right result after being run on a specific program that is in a certain state already. The specific state could either come from a stored project, or previous analyzer tests. But this sounds a lot more complicated, so I'm fine with just automating the workflow described above, and paying for it with test latency and compute.

The AbstractGhidraHeadlessIntegrationTest sounds like it would do this, but it also inherits from AbstractGuiTest which is specifically "for tests that need swing support methods", which seems inconsistent with that assumption.

What is the canonical way to achieve the workflow described above? Or is there another way to achieve something similar which should be used instead?

(I am also curious how to write all other kinds of more sophisticated tests for Ghidra like proper integration tests so if the answer involves a digression into the overall testing approach in Ghidra I'm interested, but the most pressing problem is that I want to refactor code without worrying about accidentally breaking my analyzers because I forgot a corner case)

[dragonmacher]

Oof.

I have very strong opinions on this subject. Rather than waste time expressing those fully here, I will try to give concise answers and only hint at my disdain.

We have never established a good framework for testing analyzers. All previous tests that I have seen have been 'tripwire' tests that check results in a course grained fashion, such as 'assert that there are 5215 symbols' after the test runs. I'm sure you can imagine the uselessness of such a test.

All analyzer tests that I have seen have been full integration tests that use the GUI environment.

The AbstractGhidraHeadlessIntegrationTest sounds like it would do this, but it also inherits from AbstractGuiTest which is specifically "for tests that need swing support methods", which seems inconsistent with that assumption.

Yes, this is quite silly, although, I think it works as you would expect. The abstract tests each configure an environment that makes sense for them. The headless test will configure a headless environment when it runs. The only oddness that I see here is what you mention, that there are Swing related methods in the hierarchy. Ideally, we could refactor the design in such a way to remove this. This hierarchy has changed countless times over the years. It is better than ever, but still not correct from a clean OO perspective.

I think that using a real headless environment, as you described above, with pre and post scripts, sounds like extra complication that you should not need. Of course, you should probably do whatever is the easiest for you to build and maintain.

---

For analyzer testing and full integration testing, this the state of the art for Ghidra:

• Use a ProgramBuilder (or one of its subclasses) to create an in-memory test program that is configured exactly as you would like
• Use one of the abstract integration base classes depending on whether you would like a GUI or not. (I'd say always use a GUI, since it makes debugging easier)
• Perform full program analysis or just call your analyzer's methods directly (integration vs unit-y)

It looks like we have not good examples in the repo of full integration analysis tests. The basic setup has code that looks like this:

---

This shows how to toggle some analyzers and then run analysis in the tool.

	private void analyze() {
		// turn off some analyzers
		setAnalysisOptions("Stack");
		setAnalysisOptions("Embedded Media");
		setAnalysisOptions("DWARF");
		setAnalysisOptions("Create Address Tables");

		AutoAnalysisManager analysisMgr = AutoAnalysisManager.getAnalysisManager(program);
		analysisMgr.reAnalyzeAll(null);

		Command cmd = new AnalysisBackgroundCommand(analysisMgr, false);
		tool.execute(cmd, program);
		waitForBusyTool(tool);
	}

	protected void setAnalysisOptions(String optionName) {
		int txId = program.startTransaction("Analyze");
		Options analysisOptions = program.getOptions(Program.ANALYSIS_PROPERTIES);
		analysisOptions.setBoolean(optionName, false);
		program.endTransaction(txId, true);
	}

OR

This shows how to use the builder to perform analysis, which is not really full integration:

	private void setupFooProgram() throws Exception {

		builder = new ProgramBuilder("noExit", ProgramBuilder._X64);

		builder.setBytes("0x100001c70",
			"55 48 89 e5 48 83 ec 10 89 7d fc 8b 7d fc e8 c5 00 00 00 66 90 66 90 66 67 67 c3 00 00 00 00 00");
		builder.disassemble("0x100001c70", 27, false);
		builder.createEmptyFunction("noReturn", "0x100001c70", 1, DataType.DEFAULT);

		builder.setBytes("100001d48", "ff 25 c2 02 00 00");
		builder.disassemble("100001d48", 6, false);
		Function exit = builder.createEmptyFunction("exit", "100001d48", 1, DataType.DEFAULT);

		builder.analyze();

		program = builder.getProgram();
	}

---

For a more unit-y style test that just calls the analyzer directly, you can look at the StringsAnalyzerTest in the Base module.

[fmagin]

All previous tests that I have seen have been 'tripwire' tests that check results in a course grained fashion, such as 'assert that there are 5215 symbols' after the test runs. I'm sure you can imagine the uselessness of such a test.

Yikes.

My analyzers are currently written in a way that they at least produce easily testable results. E.g. I have an analysis that recovers the string argument for a specific function at all its callsites and puts them into a StringPropertyMap with the callsite as the key, and the value as the entry.

Your response provides some good pointers and context, but I think it will be too much effort to re-create the code and necessary data for testing with a ProgramBuilder. During development and testing on real data I expect that I will run into a lot of new edge cases that I quickly want to turn into a test.
I think I understand how to proceed after I have set up the Program, but how do I correctly create the Program from a specific executable file on disk and get a reference to it inside the test? TestEnv looks like it gives me a reference to a GhidraProject on which I can call importProgram. I'm not sure if I'm supposed to instantiate TestEnv() myself, or if there already is a reference to it somewhere when I'm using the AbstractGhidraHeadlessIntegrationTest?

Also, is there any reason against instantiating my analyzer inside the test and then calling Analyzer.added with the specific values so that only a specific function is analyzed (which exhibits the edge case)?

[fmagin]

Ah, instantiating TestEnv fails with an exception:

Cannot invoke "ghidra.framework.model.ToolTemplate.setName(String)" because "template" is null
java.lang.NullPointerException: Cannot invoke "ghidra.framework.model.ToolTemplate.setName(String)" because "template" is null
	at ghidra.test.TestEnv.installDefaultTool(TestEnv.java:413)
	at ghidra.test.TestEnv.createGhidraTestProject(TestEnv.java:384)
	at ghidra.test.TestEnv.<init>(TestEnv.java:133)
	at ghidra.test.TestEnv.<init>(TestEnv.java:98)
	at DispatchResolverTest.testDispatchResolver(DispatchResolverTest.kt:9)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:728)
	at org.junit.jupiter.engine.execution.MethodInvocation.proceed(MethodInvocation.java:60)
	at org.junit.jupiter.engine.execution.InvocationInterceptorChain$ValidatingInvocation.proceed(InvocationInterceptorChain.java:131)
	at org.junit.jupiter.engine.extension.TimeoutExtension.intercept(TimeoutExtension.java:156)
	at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestableMethod(TimeoutExtension.java:147)
	at org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestMethod(TimeoutExtension.java:86)
	at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker$ReflectiveInterceptorCall.lambda$ofVoidMethod$0(InterceptingExecutableInvoker.java:103)
	at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.lambda$invoke$0(InterceptingExecutableInvoker.java:93)
	at org.junit.jupiter.engine.execution.InvocationInterceptorChain$InterceptedInvocation.proceed(InvocationInterceptorChain.java:106)
	at org.junit.jupiter.engine.execution.InvocationInterceptorChain.proceed(InvocationInterceptorChain.java:64)
	at org.junit.jupiter.engine.execution.InvocationInterceptorChain.chainAndInvoke(InvocationInterceptorChain.java:45)
	at org.junit.jupiter.engine.execution.InvocationInterceptorChain.invoke(InvocationInterceptorChain.java:37)
	at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.invoke(InterceptingExecutableInvoker.java:92)
	at org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.invoke(InterceptingExecutableInvoker.java:86)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$7(TestMethodTestDescriptor.java:218)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:214)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:139)
	at org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:69)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:151)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
	at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:41)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:155)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
	at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.invokeAll(SameThreadHierarchicalTestExecutorService.java:41)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:155)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
	at org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
	at org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
	at org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
	at org.junit.platform.engine.support.hierarchical.SameThreadHierarchicalTestExecutorService.submit(SameThreadHierarchicalTestExecutorService.java:35)
	at org.junit.platform.engine.support.hierarchical.HierarchicalTestExecutor.execute(HierarchicalTestExecutor.java:57)
	at org.junit.platform.engine.support.hierarchical.HierarchicalTestEngine.execute(HierarchicalTestEngine.java:54)
	at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:107)
	at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:88)
	at org.junit.platform.launcher.core.EngineExecutionOrchestrator.lambda$execute$0(EngineExecutionOrchestrator.java:54)
	at org.junit.platform.launcher.core.EngineExecutionOrchestrator.withInterceptedStreams(EngineExecutionOrchestrator.java:67)
	at org.junit.platform.launcher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:52)
	at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:114)
	at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:86)
	at org.junit.platform.launcher.core.DefaultLauncherSession$DelegatingLauncher.execute(DefaultLauncherSession.java:86)
	at org.gradle.api.internal.tasks.testing.junitplatform.JUnitPlatformTestClassProcessor$CollectAllTestClassesExecutor.processAllTestClasses(JUnitPlatformTestClassProcessor.java:119)
	at org.gradle.api.internal.tasks.testing.junitplatform.JUnitPlatformTestClassProcessor$CollectAllTestClassesExecutor.access$000(JUnitPlatformTestClassProcessor.java:94)
	at org.gradle.api.internal.tasks.testing.junitplatform.JUnitPlatformTestClassProcessor.stop(JUnitPlatformTestClassProcessor.java:89)
	at org.gradle.api.internal.tasks.testing.SuiteTestClassProcessor.stop(SuiteTestClassProcessor.java:62)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at org.gradle.internal.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:36)
	at org.gradle.internal.dispatch.ReflectionDispatch.dispatch(ReflectionDispatch.java:24)
	at org.gradle.internal.dispatch.ContextClassLoaderDispatch.dispatch(ContextClassLoaderDispatch.java:33)
	at org.gradle.internal.dispatch.ProxyDispatchAdapter$DispatchingInvocationHandler.invoke(ProxyDispatchAdapter.java:94)
	at jdk.proxy1/jdk.proxy1.$Proxy2.stop(Unknown Source)
	at org.gradle.api.internal.tasks.testing.worker.TestWorker$3.run(TestWorker.java:193)
	at org.gradle.api.internal.tasks.testing.worker.TestWorker.executeAndMaintainThreadName(TestWorker.java:129)
	at org.gradle.api.internal.tasks.testing.worker.TestWorker.execute(TestWorker.java:100)
	at org.gradle.api.internal.tasks.testing.worker.TestWorker.execute(TestWorker.java:60)
	at org.gradle.process.internal.worker.child.ActionExecutionWorker.execute(ActionExecutionWorker.java:56)
	at org.gradle.process.internal.worker.child.SystemApplicationClassLoaderWorker.call(SystemApplicationClassLoaderWorker.java:113)
	at org.gradle.process.internal.worker.child.SystemApplicationClassLoaderWorker.call(SystemApplicationClassLoaderWorker.java:65)
	at worker.org.gradle.process.internal.worker.GradleWorkerMain.run(GradleWorkerMain.java:69)
	at worker.org.gradle.process.internal.worker.GradleWorkerMain.main(GradleWorkerMain.java:74)

Given that I want headless tests the default tool should be irrelevant, as I never actually want to use a tool.

[fmagin]

Seems like I can just do

class MyNewTest : AbstractGhidraHeadlessIntegrationTest() {
    @Test
    fun test() {
        val ghidraProject = GhidraProject.createProject("/tmp", this::class.simpleName, true)
        val program = ghidraProject.importProgram(File("/path/to/file"))
        println(program.name)
    }
}

and then proceed

[dragonmacher]

Also, is there any reason against instantiating my analyzer inside the test and then calling Analyzer.added with the specific values so that only a specific function is analyzed (which exhibits the edge case)?

This is probably the best way to do it. This is how the StringsAnalyzerTest is setup.

Your response provides some good pointers and context, but I think it will be too much effort to re-create the code and necessary data for testing with a ProgramBuilder.

This would indeed be a great deal of effort if you were seeking full coverage of edge cases.

I think I understand how to proceed after I have set up the Program, but how do I correctly create the Program from a specific executable file on disk and get a reference to it inside the test?

We do this by using a repository of programs that we have already imported by hand and saved as gzf files. We then use the TestEnv to open the programs by name.

I'm not sure if I'm supposed to instantiate TestEnv() myself, or if there already is a reference to it somewhere

You should be able to create this, for example:

	@Before
	public void setUp() throws Exception {
		env = new TestEnv();
		tool = env.getTool();
	}

The exception you listed above is because you do not have the default test tool TestCodeBrowser in your classpath. It lives at Ghidra/Features/Base/src/test/resources/defaultTools/TestCodeBrowser.tool Assuming your project dependencies are setup correctly, with your test depending on the Base project, then this should work. In gradle, you do not get dependent test resources without explicitly declaring a dependency, like this (from Base's build.gradle file):

	// These have abstract test classes and stubs needed by this module	
	testImplementation project(path: ':Docking', configuration: 'testArtifacts')
	testImplementation project(path: ':Generic', configuration: 'testArtifacts')
	testImplementation project(path: ':Project', configuration: 'testArtifacts')
	testImplementation project(path: ':SoftwareModeling', configuration: 'testArtifacts')
	testImplementation project(path: ':DB', configuration: 'testArtifacts')

[fmagin]

Assuming your project dependencies are setup correctly, with your test depending on the Base project, then this should work. In gradle, you do not get dependent test resources without explicitly declaring a dependency, like this (from Base's build.gradle file):

That's the likely culprit, I'm running this in IntelliJ with just the build.gradle for an extension. I'll work around this by directly setting up the project for now.