UC Irvine

Starting from JDK 9, the Java Platform Module System (JPMS) was introduced to facilitate resolving the monolithic ball-of-mud architecture of the original JDK by offering architectural modules in the Java language that provide various benefits for Java projects, especially in terms of protecting its internals from dangerous static or dynamic usage. However, a recent study has shown evidence that many existing projects bypass Java module boundaries to access internal APIs which, in turn, break the strong encapsulation (BSE) of Java modules. BSE leads to exceptions, errors, and other maintenance issues for Java systems. To address BSE, we propose a detection tool, BEAD, that leverages static analysis to identify BSE abuse instances within Java projects and evaluate BEAD on open-source Java projects. Our analysis revealed that JDK modules are designed with strong encapsulation principles, but BEAD detected numerous abuse instances, predominantly at compile-time, indicating prevalent unauthorized access to internal packages. Besides, our analysis found evidence of a correlation between the detected abuse instances and reported GitHub issues, validating the ecosystem impact of those detected abuse instances. Our findings demonstrate BEAD's effectiveness of detection capabilities in terms of BSE problem.