IllegalAccessException possible invoking matching reflective call


  • Type: Defect Defect
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Completed
  • Affects Version/s: Release 1.10
  • Fix Version/s: Release 1.10
  • Component/s: None
  • Labels:
  • Patch:
  • Approval:


This is similar to the problems in CLJ-2066, but through a different code path. Basically, the reflector can find a method instance that is available via reflection, but not module-accessible and invoking that can produce an IllegalAccessException.

To reproduce:

clj -J--illegal-access=deny -Sdeps '{:deps {org.clojure/clojure {:mvn/version "1.10.0-RC4"}}}}'


(def el
      ( "<a><b>1</b><b>2</b></a>"))

(.getLength el)  ;; expect: 2

;; Execution error (IllegalAccessException) at jdk.internal.reflect.Reflection/newIllegalAccessException (
;; class clojure.lang.Reflector cannot access class (in module java.xml) because module java.xml does not export to unnamed module @3af356f

In this case, the reflector is finding the method DeepNodeListImpl.getLength(), which is not module accessible, rather than the public interface method NodeList.getLength().

Proposed: The reflector already does one check for whether the method is publicly invokable and knows how to find an invokable super-class method instead. Here we need to add an additional check on Method#canAccess() (new as of Java 9).

Patch: clj-2454-2.patch - checks canAccess() when deciding whether matched method is invokable. Also, added new methods getAsMethodOfAccessibleBase and isAccessibleMatch that are copies of the (now unused) getAsMethodOfPublicBase and isMatch methods that check accessibility before selecting a super method. Old ones left in case anyone was invoking them directly (no callers in Clojure itself).

  1. clj-2454.patch
    11/Dec/18 11:41 AM
    1 kB
    Alex Miller
  2. clj-2454-2.patch
    11/Dec/18 12:03 PM
    3 kB
    Alex Miller


There are no comments yet on this issue.


Vote (0)
Watch (1)


  • Created: