cisely and quickly,making many previously missing call-graph 1 public class Server edges visible to a variety of analysis tools.This enables bug 2 Class clzObj; 3 boolean infoChanged; detectors and security analyzers,for example,to identify more 4 public static void main(String args[]){ bugs and vulnerabilities effectively. 5 String className "content.HTTPRequest"; In summary,this paper makes the following contributions: 6 if (args.length 0){ className args [0] We introduce MIRROR,the first automatic Java reflection 8 analysis framework that combines static and dynamic 9 if (args.length >5) analysis to resolve reflective calls in large codebases. 0 System.out.println("No config info"); We describe a reflection-oriented slicing technique that Server srv new Server(); 12 srv.changeInfo(className); improves the scalability of traditional slicing for object- 中 arv.readConfig(); oriented programs (w.r.t.a reflective call).This technique 14 8rW.1 nitServer《: is also potentially useful for supporting bug detection, 15 16 public void changeInfo(String cName){ program understanding,and verification. 17 this.clzObj Class.forName(cName); We describe a dynamic analysis technique for resolving 18 this.infoChanged false; reflective calls by combining automatic test case genera- 19 d 20 public void readConfig(){ tion and program execution on path-based slices 21 loadCommand(); We evaluate MIRROR (implemented in 10 KLOC of Java) 2 this.infoChanged true; by using 10 large real-world Java programs.MIRROR is 23 FileMonitor.getFileMonitor().addReloadable(this); 24 critical in enabling their reflective calls to be analyzed 25 public void initServer(){ efficiently and precisely with good soundness 26 created(); 27 II.A MOTIVATING EXAMPLE 28 public void created(){ 29 loadCommand(): Our motivating example is a Java program given in 30 Figure 1,which is abstracted from real-world applications 31 public void loadCommand(){ freecs-1.3 and pmd-4.2.5 (used in our evaluation in 32 String cmdStr null; 33 if (this.infoChanged ==false){ Section IV).We focus on resolving the reflective target meth- Method getM null; ods that may be called at getM.invoke(o,null)in line 35 Class clz this.clzObj; 42.While MIRROR works on the Jimple IR (Intermediate 36 if (pmd.cpd.Renderer.class.isAssignableFrom(clz)) 37 getM clz.getMethod("toString"); Representation)in SooT [27],we illustrate it by using the 38 else if (content.HTTPRequest.class.isAssignableFrom(clz)) high-level statements in Java in order to ease understanding. 39 getM clz.getMethod("getUrl"); In line 17,a class metaobject pointed to by this.clzobj 40 else throw new ErrorClassTypeException(...); 41 is created by calling class.forName (cName)to rep- Object o clz.nevInstance(); 42 cmdStr =(String)getM.invoke(o,null); resent the class named by cName.Here,cName is either 43 "content.HTTPRequest"(line 5)or a non-constant string read from the command line (line 7).In line 41,an object 45] o is created reflectively as an instance of this.clzobj. Fig.1:A Java program. Then a method object,pointed to by getM,is created by calling getMethod()in line 37 or 39 to repre- sent a method from this.clzobj with its name being “toString”or“getUr1”.In line42,this method is two potential targets in line 42.Finally,as o may also be called reflectively on the receiver object o with the ac- an instance of any unknown class (line 7),getUrl()or tual argument null.There are five potential reflective tar- tostring()in any class is also a possible target.Thus, gets:getUrl()in class content.HTTPRequest and a dilemma emerges.Including all these targets improves the the four tostring ()methods in the four subclasses, soundness of the analysis but introduces many false targets, SimpleRenderer.XMLRenderer.CSVRenderer and making the analysis imprecise or unscalable.Conversely.ig- VSRenderer,of interface pmd.cpd.Renderer. noring all these targets may cause some true targets to be missed.In MIRROR,we avoid this dilemma by reporting only A.Existing Approaches the reflective targets observed dynamically on the path-based Static analysis [6],[7],[11],[28][30]attempts to re- slices that are statically computed for a given reflective call. solve reflective targets of getM.invoke (o,null)in Dynamic analysis [16],[17]instruments and records the line 42 by conducting type inference.By keeping track reflective targets invoked by getM.invoke (o,null)in of string constants,we know that getM represents a line 42 during program execution.Unless all test inputs are method named tostring ((line 37)or geturl() exhausted,which is impractical for many applications,espe- (line 39).In addition,as o may be an instance of cially GUI applications,some reflective targets will be missed. class content.HTTPRequest (line 5),tostring (and For example,pmd-4.2.5,from which our example is partly getUrl()from class content.HTTPRequest are the abstracted,does not come with any test case for exercising 13cisely and quickly, making many previously missing call-graph edges visible to a variety of analysis tools. This enables bug detectors and security analyzers, for example, to identify more bugs and vulnerabilities effectively. In summary, this paper makes the following contributions: • We introduce MIRROR, the first automatic Java reflection analysis framework that combines static and dynamic analysis to resolve reflective calls in large codebases. • We describe a reflection-oriented slicing technique that improves the scalability of traditional slicing for object￾oriented programs (w.r.t. a reflective call). This technique is also potentially useful for supporting bug detection, program understanding, and verification. • We describe a dynamic analysis technique for resolving reflective calls by combining automatic test case genera￾tion and program execution on path-based slices. • We evaluate MIRROR (implemented in 10 KLOC of Java) by using 10 large real-world Java programs. MIRROR is critical in enabling their reflective calls to be analyzed efficiently and precisely with good soundness. II. A MOTIVATING EXAMPLE Our motivating example is a Java program given in Figure 1, which is abstracted from real-world applications freecs-1.3 and pmd-4.2.5 (used in our evaluation in Section IV). We focus on resolving the reflective target meth￾ods that may be called at getM.invoke(o, null) in line 42. While MIRROR works on the Jimple IR (Intermediate Representation) in SOOT [27], we illustrate it by using the high-level statements in Java in order to ease understanding. In line 17, a class metaobject pointed to by this.clzObj is created by calling Class.forName(cName) to rep￾resent the class named by cName. Here, cName is either “content.HTTPRequest” (line 5) or a non-constant string read from the command line (line 7). In line 41, an object o is created reflectively as an instance of this.clzObj. Then a method object, pointed to by getM, is created by calling getMethod() in line 37 or 39 to repre￾sent a method from this.clzObj with its name being “toString” or “getUrl”. In line 42, this method is called reflectively on the receiver object o with the ac￾tual argument null. There are five potential reflective tar￾gets: getUrl() in class content.HTTPRequest and the four toString() methods in the four subclasses, SimpleRenderer, XMLRenderer, CSVRenderer and VSRenderer, of interface pmd.cpd.Renderer. A. Existing Approaches Static analysis [6], [7], [11], [28]–[30] attempts to re￾solve reflective targets of getM.invoke(o, null) in line 42 by conducting type inference. By keeping track of string constants, we know that getM represents a method named toString() (line 37) or getUrl() (line 39). In addition, as o may be an instance of class content.HTTPRequest (line 5), toString() and getUrl() from class content.HTTPRequest are the 1 public class Server { 2 Class clzObj; 3 boolean infoChanged; 4 public static void main(String args[]) { 5 String className = "content.HTTPRequest"; 6 if (args.length > 0) { 7 className = args[0]; 8 } 9 if (args.length > 5) 10 System.out.println("No config info"); 11 Server srv = new Server(); 12 srv.changeInfo(className); 13 srv.readConfig(); 14 srv.initServer(); 15 } 16 public void changeInfo(String cName) { 17 this.clzObj = Class.forName(cName); 18 this.infoChanged = false; 19 } 20 public void readConfig() { 21 loadCommand(); 22 this.infoChanged = true; 23 FileMonitor.getFileMonitor().addReloadable(this); 24 } 25 public void initServer() { 26 created(); 27 } 28 public void created() { 29 loadCommand(); 30 } 31 public void loadCommand() { 32 String cmdStr = null; 33 if (this.infoChanged == false) { 34 Method getM = null; 35 Class clz = this.clzObj; 36 if (pmd.cpd.Renderer.class.isAssignableFrom(clz)) 37 getM = clz.getMethod("toString"); 38 else if (content.HTTPRequest.class.isAssignableFrom(clz)) 39 getM = clz.getMethod("getUrl"); 40 else throw new ErrorClassTypeException(...); 41 Object o = clz.newInstance(); 42 cmdStr = (String) getM.invoke(o, null); 43 } 44 } 45 } Fig. 1: A Java program. two potential targets in line 42. Finally, as o may also be an instance of any unknown class (line 7), getUrl() or toString() in any class is also a possible target. Thus, a dilemma emerges. Including all these targets improves the soundness of the analysis but introduces many false targets, making the analysis imprecise or unscalable. Conversely, ig￾noring all these targets may cause some true targets to be missed. In MIRROR, we avoid this dilemma by reporting only the reflective targets observed dynamically on the path-based slices that are statically computed for a given reflective call. Dynamic analysis [16], [17] instruments and records the reflective targets invoked by getM.invoke(o, null) in line 42 during program execution. Unless all test inputs are exhausted, which is impractical for many applications, espe￾cially GUI applications, some reflective targets will be missed. For example, pmd-4.2.5, from which our example is partly abstracted, does not come with any test case for exercising 13