Understanding and Analyzing Java Reflection 7:7 Class::newInstance Class::getDeclaredConstructor Constructor object Class::getConstructor Constructor::newInstance Class::getDeclaredConstructors Class object class:getConstructors Class:forName Class:getDeclaredMethod Method object ClassLoader::loadClass Class:getMethod Object::getclass Class::getDeclaredMethods Method::invoke Others .class Class::getMethods Field object Class:getDeclaredField Class::getPield Field::get Class:getDeclaredFields Field::set Class::getFields Proxy:newProxyInstance Array::newInstance Class object flows to (as a receiver object) Class-Retrieving Methods Array object Member object flows to(as a receiver object)Member-Retrieving Methods Class/Array object flows to (as an argument)Reflective-Action Methods Array::get Array::set Fig.4.Overview of core Java reflection APl. In Figure 3,the metaobjects clz,mtd and fld are instances of the metaobject classes Class, Method and Field,respectively.Constructor can be seen as Method except that the method name "<init>"is implicit.Class allows an object to be created reflectively by calling newInstance(). As shown in line 4,the dynamic type of obj is the class(type)represented by clz(specified by cName).In addition,Class provides accessor methods such as getDeclaredMethod()in line 5 and getField()in line 7 to allow the member metaobjects (e.g.,of Method and Field)related to a Class object to be introspected.With dynamic invocation,a Method object can be commanded to invoke the method that it represents(line 6).Similarly,a Field object can be commanded to access or modify the field that it represents(lines 8 and 9). 2.2.2 Core Java Reflection APl.In reflection analysis,we are concerned with reasoning about how reflection affects the control and data flow information in the program.For example,if a target method(say m)that is reflectively invoked in line 6 in Figure 3 cannot be resolved statically,the call graph edge from this call site to method m(control flow)and the values passed interprocedurally from obj and a to this and the parameter of m(data flow),respectively,will be missing.Therefore,we should focus on the part of the Java reflection API that affects a pointer analysis,a fundamental analysis that statically resolves the control and data flow information in a Pr0gram[27,30-32,38,41,42,51,52,60-62]. It is thus sufficient to consider only the pointer-affecting methods in the Java reflection API.We can divide such reflective methods into three categories(Figure 4): We summarize and explain the core reflection API(25 methods)that is critical to static analysis.A more complete reflection API list(181 methods)is given in [26]without explanations though. ACM Trans.Softw.Eng.Methodol.,Vol.28,No.2,Article 7.Publication date:February 2019.Understanding and Analyzing Java Reflection 7:7 Class::forName Class object flows to (as a receiver object) Class-Retrieving Methods Member-Retrieving Methods Reflective-Action Methods .class Object::getClass ClassLoader::loadClass Class::getMethod Class::getDeclaredMethods Class::getMethods Class::getField Class::getDeclaredField Class::getDeclaredFields Class::getFields Class::getConstructor Class::getDeclaredConstructor Class::getDeclaredConstructors Class::getConstructors Constructor::newInstance Method::invoke Field::get Field::set Class::newInstance Proxy::newProxyInstance Array::newInstance Array::get Array::set Class Object Constructor Object Method Object Field Object Array Object Member object flows to (as a receiver object) Class/Array object flows to (as an argument) Others Class::getDeclaredMethod Fig. 4. Overview of core Java reflection API.1 In Figure 3, the metaobjects clz, mtd and fld are instances of the metaobject classes Class, Method and Field, respectively. Constructor can be seen as Method except that the method name “<init>” is implicit. Class allows an object to be created reflectively by calling newInstance(). As shown in line 4, the dynamic type of obj is the class (type) represented by clz (specified by cName). In addition, Class provides accessor methods such as getDeclaredMethod() in line 5 and getField() in line 7 to allow the member metaobjects (e.g., of Method and Field) related to a Class object to be introspected. With dynamic invocation, a Method object can be commanded to invoke the method that it represents (line 6). Similarly, a Field object can be commanded to access or modify the field that it represents (lines 8 and 9). 2.2.2 Core Java Reflection API. In reflection analysis, we are concerned with reasoning about how reflection affects the control and data flow information in the program. For example, if a target method (say m) that is reflectively invoked in line 6 in Figure 3 cannot be resolved statically, the call graph edge from this call site to method m (control flow) and the values passed interprocedurally from obj and a to this and the parameter of m (data flow), respectively, will be missing. Therefore, we should focus on the part of the Java reflection API that affects a pointer analysis, a fundamental analysis that statically resolves the control and data flow information in a program [27, 30–32, 38, 41, 42, 51, 52, 60–62]. It is thus sufficient to consider only the pointer-affecting methods in the Java reflection API. We can divide such reflective methods into three categories (Figure 4): 1We summarize and explain the core reflection API (25 methods) that is critical to static analysis. A more complete reflection API list (181 methods) is given in [26] without explanations though. ACM Trans. Softw. Eng. Methodol., Vol. 28, No. 2, Article 7. Publication date: February 2019