Effective Soundness-Guided Reflection Analysis

Yue Li, Tian Tan, and Jingling Xue

Programming Languages and Compilers Group
School of Computer Science and Engineering, UNSW Australia

Abstract. We introduce Solar, the first reflection analysis that allows its soundness to be reasoned about when some assumptions are met and produces significantly improved under-approximations otherwise. In both settings, Solar has three novel aspects: (1) lazy heap modeling for reflective allocation sites, (2) collective inference for improving the inferences on related reflective calls, and (3) automatic identification of “problematic” reflective calls that may threaten its soundness, precision and scalability, thereby enabling their improvement via lightweight annotations. We evaluate Solar against two state-of-the-art solutions, Doop and Elf, with the three treated as under-approximate reflection analyses, using 11 large Java benchmarks and applications.
Solar is significantly more sound while achieving nearly the same precision and running only several-fold more slowly, subject to only 7 annotations in 3 programs.

1 Introduction

Reflection is increasingly used in a range of software and framework architectures, allowing a software system to choose and change implementations of services at run-time, but posing significant challenges to static program analysis. In the case of Java programs, reflection has always been an obstacle for pointer analysis [1–10], a fundamental static analysis on which virtually all others [11–16] are built. All pointer analysis tools for Java [2, 17–19] either ignore reflection or handle it partially since their underlying best-effort reflection analyses [5, 17, 18, 20–22] provide only under-approximated handling of reflection heuristically.

However, such unsoundness can render much of the codebase invisible for analysis. There is a recent community initiative [23] calling for the development of soundy analysis to handle “hard” language features (such as reflection). A soundy analysis is one that is as sound as possible without excessively compromising precision and/or scalability. Thus, improving or even achieving soundness in reflection analysis will provide significant benefits to many clients, such as program verifiers, optimizing compilers, bug detectors and security analyzers.

In this paper, we make the following contributions:

– We introduce Solar, the first reflection analysis that allows its soundness to be reasoned about when some reasonable assumptions are met and yields significantly improved under-approximations otherwise (Section 2). We have developed Solar by adopting three novel aspects in its design: (N1) lazy heap modeling for reflective allocation sites, (N2) collective inference for