Understanding and Analyzing Java Reflection 7:15 ■Array:rset ■Array:get ■Field:set ■Field::get ■Method:invoke ■Array:newlnstance Proxy:newProxylnstance Constructor::newlnstance Class::newlnstance antir chart eclipse fop hsgldb jython lucene pmd xalan eclipse4 javac jedit jetty tomcat average 0% 20% 40% 60% 80% 100% Fig.9.Reflective-action methods. Q7.Self-Inferencing Property.As illustrated by the program given in Figure 3,the names of its reflective targets are specified by the string arguments(e.g.,cName,mName and fName)at the class- retrieving and member-retrieving reflective calls.Therefore,string analysis has been a popular approach for static reflection analysis in the last decade.However,if the value of a string is unknown statically (e.g.,read from external files or command lines),then the related reflective calls,includ- ing those to newInstance(),may have to be ignored,rendering the corresponding codebase or operations invisible to the analysis(note that conservatively estimating those unresolved reflective calls to have any effect would cause to invoke any methods,making the analysis too imprecise to be scalable).To improve precision,in this case,the last resort is to exploit the existence of some intra-procedurally post-dominating cast operations on a call to newInstance()in order to deduce the types of objects reflectively created (Q4). However,in our study,we find that there are many other rich hints about the behaviors of reflective calls at their usage sites.Such hints can be and should be exploited to make reflection analysis more effective,even when some string values are partially or fully unknown.In the following,we first look at three real example programs to examine what these hints are and expose a so-called self-inferencing property inherent in these hints.Finally,we explain why self-inferencing property is naturally inherent in most Java reflection code and discuss its potential in making reflection analysis more effective. Example 2.1(Reflective Method Invocation(Figure 10)).The method name (the first argument of getMethod()in line 174)is statically unknown as part of it is read from command line cmd. However,the target method(represented by method)can be deduced from the second argument (parameters)of the corresponding reflective-action call invoke()in line 175.Here,parameters is an array of objects,with only one element(line 155).By querying the pointer analysis and also leveraging the type information in the program,we know that the type of the object pointed to by this is FrameworkCommandInterpreter,which has no subtypes.As a result,we can infer that ACM Trans.Softw.Eng.Methodol.,Vol.28.No.2.Article 7.Publication date:February 2019.Understanding and Analyzing Java Reflection 7:15 0% 20% 40% 60% 80% 100% average tomcat jetty jedit javac eclipse4 xalan pmd lucene jython hsqldb fop eclipse chart antlr Array::set Array::get Field::set Field::get Method::invoke Array::newInstance Proxy::newProxyInstance Constructor::newInstance Class::newInstance Fig. 9. Reflective-action methods. Q7. Self-Inferencing Property. As illustrated by the program given in Figure 3, the names of its reflective targets are specified by the string arguments (e.g., cName, mName and fName) at the class￾retrieving and member-retrieving reflective calls. Therefore, string analysis has been a popular approach for static reflection analysis in the last decade. However, if the value of a string is unknown statically (e.g., read from external files or command lines), then the related reflective calls, includ￾ing those to newInstance(), may have to be ignored, rendering the corresponding codebase or operations invisible to the analysis (note that conservatively estimating those unresolved reflective calls to have any effect would cause to invoke any methods, making the analysis too imprecise to be scalable). To improve precision, in this case, the last resort is to exploit the existence of some intra-procedurally post-dominating cast operations on a call to newInstance() in order to deduce the types of objects reflectively created (Q4). However, in our study, we find that there are many other rich hints about the behaviors of reflective calls at their usage sites. Such hints can be and should be exploited to make reflection analysis more effective, even when some string values are partially or fully unknown. In the following, we first look at three real example programs to examine what these hints are and expose a so-called self-inferencing property inherent in these hints. Finally, we explain why self-inferencing property is naturally inherent in most Java reflection code and discuss its potential in making reflection analysis more effective. Example 2.1 (Reflective Method Invocation (Figure 10)). The method name (the first argument of getMethod() in line 174) is statically unknown as part of it is read from command line cmd. However, the target method (represented by method) can be deduced from the second argument (parameters) of the corresponding reflective-action call invoke() in line 175. Here, parameters is an array of objects, with only one element (line 155). By querying the pointer analysis and also leveraging the type information in the program, we know that the type of the object pointed to by this is FrameworkCommandInterpreter, which has no subtypes. As a result, we can infer that ACM Trans. Softw. Eng. Methodol., Vol. 28, No. 2, Article 7. Publication date: February 2019