Understanding and Analyzing Java Reflection 7:13 one of its subtypes assuming that the cast operation does not throw any exceptions.This approach has been implemented in many analysis tools such as WALA,BDDBDDB and ELF. However,as shown in Figure 7,exploiting casts this way does not always work.On average,28% of newInstance()call sites (obtained by manually inspecting all the related reflective code)have no such intra-procedural post-dominating casts.As newInstance()is the most widely used reflective- action method(see Q6),its unresolved call sites may significantly affect the soundness of the analysis,as discussed in Section 7.5.1.Hence,we need a better solution to handle newInstance(). ■Unresolved ■Resolved 100% 80% 409 20% Fig.7.newInstance()resolution by leveraging intra-procedural post-dominating casts. Remark 4.Resolving newInstance()calls by leveraging their intra-procedural post-dominating cast operations fails to work for 28%of the newInstance()call sites found.As newInstance() affects critically the soundness of reflection analysis(Remark 6),a more effective approach for its resolution is required. O5.Class-Retrieving Methods.Figure 8 shows the percentage frequency distribution of eight class-retrieving methods."Unknown"is included since we failed to find the class-retrieving methods for some reflective-action calls (e.g.,invoke())even by using Eclipse's Open Call Hierarchy tool.For the first 12 programs,the six class-retrieving methods as shown (excluding "Unknown" and "Others")are the only ones leading to reflective-action calls.For the last two,Jetty and Tomcat,"Others"stands for defineclass()in ClassLoader and getParameterTypes()in Method. Finally,getComponentType()is usually used in the form of getclass().getComponentType() for creating a Class object argument for Array.newInstance(). On average,Class.forName(),.class,getclass()and loadclass()are the top four most frequently used(48.1%,18.0%,17.0%and 9.7%,respectively).A class loading strategy can be con- figured in forName()and loadclass().In practice,forName()is often used by the system class loader and loadclass()is usually overwritten in customer class loaders,especially in framework applications such as Tomcat and Jetty. Remark 5.Reflection analysis should handle Class.forName(),getclass(),.class,and loadclass(),which are the four major class-retrieving methods for creating Class objects. ACM Trans.Softw.Eng.Methodol.,Vol.28,No.2,Article 7.Publication date:February 2019.Understanding and Analyzing Java Reflection 7:13 one of its subtypes assuming that the cast operation does not throw any exceptions. This approach has been implemented in many analysis tools such as Wala, Bddbddb and Elf. However, as shown in Figure 7, exploiting casts this way does not always work. On average, 28% of newInstance() call sites (obtained by manually inspecting all the related reflective code) have no such intra-procedural post-dominating casts. As newInstance() is the most widely used reflective￾action method (see Q6), its unresolved call sites may significantly affect the soundness of the analysis, as discussed in Section 7.5.1. Hence, we need a better solution to handle newInstance(). 0% 20% 40% 60% 80% 100% antlr chart eclipse fop hsqldb jython lucene pmd xalan eclipse4 javac jedit jetty tomcat average Unresolved Resolved Fig. 7. newInstance() resolution by leveraging intra-procedural post-dominating casts. Remark 4. Resolving newInstance() calls by leveraging their intra-procedural post-dominating cast operations fails to work for 28% of the newInstance() call sites found. As newInstance() affects critically the soundness of reflection analysis (Remark 6), a more effective approach for its resolution is required. Q5. Class-Retrieving Methods. Figure 8 shows the percentage frequency distribution of eight class-retrieving methods. “Unknown” is included since we failed to find the class-retrieving methods for some reflective-action calls (e.g., invoke()) even by using Eclipse’s Open Call Hierarchy tool. For the first 12 programs, the six class-retrieving methods as shown (excluding “Unknown” and “Others”) are the only ones leading to reflective-action calls. For the last two, Jetty and Tomcat, “Others” stands for defineClass() in ClassLoader and getParameterTypes() in Method. Finally, getComponentType() is usually used in the form of getClass().getComponentType() for creating a Class object argument for Array.newInstance(). On average, Class.forName(), .class, getClass() and loadClass() are the top four most frequently used (48.1%, 18.0%, 17.0% and 9.7%, respectively). A class loading strategy can be con￾figured in forName() and loadClass(). In practice, forName() is often used by the system class loader and loadClass() is usually overwritten in customer class loaders, especially in framework applications such as Tomcat and Jetty. Remark 5. Reflection analysis should handle Class.forName(), getClass(), .class, and loadClass(), which are the four major class-retrieving methods for creating Class objects. ACM Trans. Softw. Eng. Methodol., Vol. 28, No. 2, Article 7. Publication date: February 2019