4.4 RQ2:Automatically Identifying "Problematic"Reflective Calls SOLAR is unscalable for hsqldb,xalan and checkstyle (under 3 hours).PROBE is then run to identify their "problematic"reflective calls,reporting 13 poten- tially unsound calls:1 hsqldb,12 in xalan and 0 in checkstyle.Their handling is all unsound by code inspection,highlighting the effectiveness of SoLAR in pin- pointing a small number of right parts of the program to improve unsoundness. In addition,we presently adopt a simple approach to alerting users for poten- tially imprecisely resolved reflective calls.PROBE sorts all the newInstance() call sites according to the number of objects lazily created at the cast operations operating on the result of a newInstance()call(by [L-CAsT])in non-increasing order.In addition,PROBE ranks the remaining reflective call sites according to the number of reflective targets resolved,also in non-increasing order. By focusing on unsoundly and imprecisely resolved reflective calls(as opposed to input strings),only lightweight annotations are needed as shown in Fig.10, with 2 in hsqldb,2 in xalan and 3 in checkstyle,as explained below. 4.4.1 hsqldb Fig.11 shows the unsound and imprecise lists automatically generated by PROBE,together with the suggested annotation points (found by tracing value flow).All the call sites to the same method are numbered from 0. sound List: ass om hsdldb Functon The unsound list contains one etvabe(..)( invoke(),with its relevant code con- org.hsqldb.Function:<init>/forName/0 unction(-)( tained in class org.hsqldb.Function =Class forName(cn) as shown.After PROBE has finished. 一ao. a.0 mtd in line 352 points to a Method o java.io.Senalizable:1391 metaobject m"that is initially created ..10 ttems in toeal 182 o Sido-EMect Methods in line 179 and later flows into line Targets:244 mid ='m 182,indicating that the class type of m"is unknown since cn in line 169 is Fig.11.Probing hsqldb unknown.By inspecting the code,we find that cn can only be java.lang.Math or org.hsqldb.Library,read from some hash maps or obtained by string manipulations.So it has been annotated this way afterwards.The imprecise list for hsqldb is divided into two sections.In "newInstance(Type Casting)",there are 10 listed cast operations(T)reached by an o object such that the number of types inferred from T is larger than 10.The top cast java.io.Serializable has 1391 subtypes and is marked to be reached by a newInstance()call site in java.io.ObjectStreamClass.However,this is a false positive for the harness used due to imprecision in pointer analysis.Thus,we have annotated its corresponding forName()call site in method resolveClass of class java.io.ObjectInputStream to return nothing.With the two annota- tions,SoLAR terminates in 45 minutes with its unsound list being empty. 4.4.2 xalan PROBE reports 12 unsoundly resolved invoke()calls.All Method objects flowing into these call sites are created at two getMethods()call sites in class extensions.MethodResolver.By inspecting the code,we find that the string arguments for the two getMethods()calls and their corresponding entry4.4 RQ2: Automatically Identifying “Problematic” Reflective Calls Solar is unscalable for hsqldb, xalan and checkstyle (under 3 hours). Probe is then run to identify their “problematic” reflective calls, reporting 13 poten￾tially unsound calls: 1 hsqldb, 12 in xalan and 0 in checkstyle. Their handling is all unsound by code inspection, highlighting the effectiveness of Solar in pin￾pointing a small number of right parts of the program to improve unsoundness. In addition, we presently adopt a simple approach to alerting users for poten￾tially imprecisely resolved reflective calls. Probe sorts all the newInstance() call sites according to the number of objects lazily created at the cast operations operating on the result of a newInstance() call (by [L-Cast]) in non-increasing order. In addition, Probe ranks the remaining reflective call sites according to the number of reflective targets resolved, also in non-increasing order. By focusing on unsoundly and imprecisely resolved reflective calls (as opposed to input strings), only lightweight annotations are needed as shown in Fig. 10, with 2 in hsqldb, 2 in xalan and 3 in checkstyle, as explained below. 4.4.1 hsqldb Fig. 11 shows the unsound and imprecise lists automatically generated by Probe, together with the suggested annotation points (found by tracing value flow). All the call sites to the same method are numbered from 0. Unsound List: org.hsqldb.Function:getValue/invoke/1 org.hsqldb.Function:<init>/getMethods/0 org.hsqldb.Function:<init>/forName/0 org.hsqldb.Function:getValue/invoke/1 org.hsqldb.Function:<init>/getMethods/0 Targets: 244 java.io.ObjectStreamClass.newInstance /Constructor.newInstance/0 java.io.ObjectInputStream.resolveClass java.io.Serializable: 1391 10 items in total /forName/0 … … … … Imprecise List: newInstance (Type Casting) Other Side-Effect Methods 147 Function ( ) { 343 Objecct getValue(…) { mtd.invoke(null, arg); } … … c = Class.forName(cn); … … Method[] mtds = c.getMethods(); for(;i<mtds.length;i++) { … Method m = mtds[i]; if(m.getName(). mtd = m; … Class: org.hsqldb.Function 185 352 … 169 179 181 182 184 equals(mn) && …) 186 Fig. 11. Probing hsqldb. The unsound list contains one invoke(), with its relevant code con￾tained in class org.hsqldb.Function as shown. After Probe has finished, mtd in line 352 points to a Method metaobject m u u that is initially created in line 179 and later flows into line 182, indicating that the class type of m u u is unknown since cn in line 169 is unknown. By inspecting the code, we find that cn can only be java.lang.Math or org.hsqldb.Library, read from some hash maps or obtained by string manipulations. So it has been annotated this way afterwards. The imprecise list for hsqldb is divided into two sections. In “newInstance (Type Casting)”, there are 10 listed cast operations pTq reached by an o u i object such that the number of types inferred from T is larger than 10. The top cast java.io.Serializable has 1391 subtypes and is marked to be reached by a newInstance() call site in java.io.ObjectStreamClass. However, this is a false positive for the harness used due to imprecision in pointer analysis. Thus, we have annotated its corresponding forName() call site in method resolveClass of class java.io.ObjectInputStream to return nothing. With the two annota￾tions, Solar terminates in 45 minutes with its unsound list being empty. 4.4.2 xalan Probe reports 12 unsoundly resolved invoke() calls. All Method objects flowing into these call sites are created at two getMethods() call sites in class extensions.MethodResolver. By inspecting the code, we find that the string arguments for the two getMethods() calls and their corresponding entry