D.Instrumented Execution ing class.newInstance ()Method.invoke()and For each path-based slice generated for a du-chain group Constructor.newInstance ()the three widely used XR,we will create an executable program by adding some Java reflection API in the application code of a program. missing declaration statements to the slice.In addition,we will synthesize a pseudo main (method to call all the source TABLE I:Program characteristics methods (with no predecessors)in GR.By construction,for Program #Classes #Methods #Statements every du-chain in XR,its path-based slice always contains a batikl.7 5148 32347 581106 findbugs-1.2.1 4692 28857 472647 source method that can make a sequence of method calls so freecs1.3 3714 24000 418731 that the du-chain holds (Section III-A). gruntspud-0.4.6-beta 4945 31684 527433 In Figure 9,the pseudo main()synthesized will call d(), h2-1.3.172 4139 30208 518189 since d()reaches the other three methods a().c()and b().so Edit-5.1.0 5135 34402 586647 ifreechart-1.0.19 451I 30596 534615 that the du-chain s1→s2→s3→s4 will be established. ip-1.6 5208 35739 659927 Example 6.For the four path-based slices in Figure 6.the pmd-4.2.3 3936 25068 422054 xalan-2.4.1 3483 21755 37300R pseudo main (is simply set as the original main ()which Total 4491I 294656 5094357 happens to be the only source node in GA2 (Figure 3).The declaration statements such as the ones for className and c)Computing Platform:Our plaform is an Intel i5- getM will be added in the final executables generated. O 4570 3.20 GHz machine(running Windows 7)with 16GB of IV.EVALUATION RAM.The analysis time of a program is the average of 5 runs. Our evaluation addresses three research questions: A.RO1:Refection Analysis RQ1.Can MIRROR assist TAMIFLEX [17],a state-of-the- Table II contains our main results.MIRROR can assist art dynamic reflection analysis tool,to resolve more (true) a state-of-the-art dynamic reflection analysis tool,TAMI- reflective targets in real-world applications efficiently and precisely while maintaining a good degree of soundness? FLEX [17],to find significantly more reflective calls and (true) RQ2.Is MIRROR's reflection-oriented slicing capable of reflective targets in real-world applications efficiently.For the 10 programs evaluated,MIRROR reports no false reflective avoiding many irrelevant methods (statements)introduced targets,demonstrating also the validity of Observation 1. by traditional slicing and including only the relevant reflection-related methods (statements)? TABLE II:Comparing MIRROR and TAMIFLEX in terms of RO3.Can MIRROR's reflection resolution solve path con- reflective calls and (true)refective targets found. ditions effectively during automatic test case generation? TAMIFLEX MIRROR TAMIFLEX n MIRROR a)Implementation:We have implemented MIRROR in #Ref Calls #Targets#Ref Calls #Targets #Ref Calls #Targets SOoT [27],a static analysis framework for Java,in 10 KLOC bauik 4 6 of Java code.Our analysis operates on the ICFG of the ndbugs program expressed in the Jimple IR constructed by SooT with freecs 6 59 gruntspud its demand-driven context-sensitive pointer analysis.We make 19 10 12 use of the program's call graph and def-use chains built this Edit 40 way.For each sliced program,we transform it into a jar file ifreechart 4 6 13 and report the reflective targets detected under the test inputs ftp 4 10 16 28 pmd 10 2 automatically generated by MIRROR xalan 56 b)Benchmarks:We consider a set of 10 large,widely- Total 48 154 67 165 7 30 used open-source Java applications evaluated under a large Java library.JDK 1.6.0_45,and test each with 8GB heap space. When running TAMIFLEX on a program,some test cases are As shown in Table I,our 10 open-source programs are needed.For the six GUI programs,findbugs,gruntspud, selected from a wide range of application areas:batik1.7 h2,jEdit,jfreechart and jftp,we exercise their GUI (a SVG toolkit).findbugs-1.2.1 (a bug detector), to invoke their main functionalities just like a user does,in 5 freecs1.3 (a chat server),gruntspud-0.4.6-beta minutes each.Take jfreechart as an example.We exercise (a graphical CVS client),h2-1.3.172 (a database man- its GUI by designing different charts and exporting them to agement system),jEdit-5.1.0 (a software text editor), files.There are four non-GUI programs.For batik,pmd and jfreechart-1.0.19 (a chart library),jftp-1.6 (a net- xalan,we have designed 10 test cases each guided by their work browser),pmd-4.2.5 (a source code analyzer),and user tutorials in order to exercise their main functionalities xalan-2.4.1 (a XSLT processor). When applying MIRROR to a program,we focus on the For each program,we list the number of classes, reflective calls that are identified by Soor and analyzed methods and Jimple statements reported by Soor that scalably under a budget (discussed below).For freecs,a are reachable from its main()in both the appli- chat server,we start it up for it to read several configuration cation and library code.We will focus on analyz- files (without providing any explicit input from us). 19D. Instrumented Execution For each path-based slice generated for a du-chain group XR, we will create an executable program by adding some missing declaration statements to the slice. In addition, we will synthesize a pseudo main() method to call all the source methods (with no predecessors) in GR. By construction, for every du-chain in XR, its path-based slice always contains a source method that can make a sequence of method calls so that the du-chain holds (Section III-A). In Figure 9, the pseudo main() synthesized will call d(), since d() reaches the other three methods a(), c() and b(), so that the du-chain s1 ⇒ s2 ⇒ s3 ⇒ s4 will be established. Example 6. For the four path-based slices in Figure 6, the pseudo main() is simply set as the original main(), which happens to be the only source node in G42 (Figure 3). The declaration statements such as the ones for className and getM will be added in the final executables generated. IV. EVALUATION Our evaluation addresses three research questions: • RQ1. Can MIRROR assist TAMIFLEX [17], a state-of-the￾art dynamic reflection analysis tool, to resolve more (true) reflective targets in real-world applications efficiently and precisely while maintaining a good degree of soundness? • RQ2. Is MIRROR’s reflection-oriented slicing capable of avoiding many irrelevant methods (statements) introduced by traditional slicing and including only the relevant reflection-related methods (statements)? • RQ3. Can MIRROR’s reflection resolution solve path con￾ditions effectively during automatic test case generation? a) Implementation: We have implemented MIRROR in SOOT [27], a static analysis framework for Java, in 10 KLOC of Java code. Our analysis operates on the ICFG of the program expressed in the Jimple IR constructed by SOOT with its demand-driven context-sensitive pointer analysis. We make use of the program’s call graph and def-use chains built this way. For each sliced program, we transform it into a jar file and report the reflective targets detected under the test inputs automatically generated by MIRROR. b) Benchmarks: We consider a set of 10 large, widely￾used open-source Java applications evaluated under a large Java library, JDK 1.6.0 45, and test each with 8GB heap space. As shown in Table I, our 10 open-source programs are selected from a wide range of application areas: batik1.7 (a SVG toolkit), findbugs-1.2.1 (a bug detector), freecs1.3 (a chat server), gruntspud-0.4.6-beta (a graphical CVS client), h2-1.3.172 (a database man￾agement system), jEdit-5.1.0 (a software text editor), jfreechart-1.0.19 (a chart library), jftp-1.6 (a net￾work browser), pmd-4.2.5 (a source code analyzer), and xalan-2.4.1 (a XSLT processor). For each program, we list the number of classes, methods and Jimple statements reported by SOOT that are reachable from its main() in both the appli￾cation and library code. We will focus on analyz￾ing Class.newInstance(), Method.invoke() and Constructor.newInstance(), the three widely used Java reflection API in the application code of a program. TABLE I: Program characteristics Program #Classes #Methods #Statements batik1.7 5148 32347 581106 findbugs-1.2.1 4692 28857 472647 freecs1.3 3714 24000 418731 gruntspud-0.4.6-beta 4945 31684 527433 h2-1.3.172 4139 30208 518189 jEdit-5.1.0 5135 34402 586647 jfreechart-1.0.19 4511 30596 534615 jftp-1.6 5208 35739 659927 pmd-4.2.5 3936 25068 422054 xalan-2.4.1 3483 21755 373008 Total 44911 294656 5094357 c) Computing Platform: Our plaform is an Intel i5- 4570 3.20 GHz machine (running Windows 7) with 16GB of RAM. The analysis time of a program is the average of 5 runs. A. RQ1: Reflection Analysis Table II contains our main results. MIRROR can assist a state-of-the-art dynamic reflection analysis tool, TAMI￾FLEX [17], to find significantly more reflective calls and (true) reflective targets in real-world applications efficiently. For the 10 programs evaluated, MIRROR reports no false reflective targets, demonstrating also the validity of Observation 1. TABLE II: Comparing MIRROR and TAMIFLEX in terms of reflective calls and (true) reflective targets found. Program TAMIFLEX MIRROR TAMIFLEX ∩ MIRROR #Ref Calls #Targets #Ref Calls #Targets #Ref Calls #Targets batik 3 4 1 6 1 1 findbugs 3 3 3 4 2 2 freecs 6 6 6 59 3 3 gruntspud 5 8 7 7 2 2 h2 7 19 10 18 4 12 jEdit 4 40 6 12 1 1 jfreechart 4 6 13 13 1 1 jftp 4 10 16 28 1 5 pmd 1 2 2 10 1 2 xalan 11 56 3 8 1 1 Total 48 154 67 165 17 30 When running TAMIFLEX on a program, some test cases are needed. For the six GUI programs, findbugs, gruntspud, h2, jEdit, jfreechart and jftp, we exercise their GUI to invoke their main functionalities just like a user does, in 5 minutes each. Take jfreechart as an example. We exercise its GUI by designing different charts and exporting them to files. There are four non-GUI programs. For batik, pmd and xalan, we have designed 10 test cases each guided by their user tutorials in order to exercise their main functionalities. When applying MIRROR to a program, we focus on the reflective calls that are identified by SOOT and analyzed scalably under a budget (discussed below). For freecs, a chat server, we start it up for it to read several configuration files (without providing any explicit input from us). 19