Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1

[gripedthumbtacks]

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (guice.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

affecting oracle java9 with maven

[davido]

I'm seeing this too on Gerrit Code Review, and further warnings:

WARNING: Illegal reflective access by com.google.inject.assistedinject.FactoryProvider2$MethodHandleWrapper (file:/home/davido/.gerritcodereview/tmp/gerrit_13189476373589339762_app/guice-assistedinject-4.1.0.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)

[IliasKar]

Also shown when running hadoop 3.0.0 with JDK9
pplication application_1522866364341_0002 failed 2 times due to AM Container for appattempt_1522866364341_0002_000002 exited with exitCode: 1
Failing this attempt.Diagnostics: [2018-04-04 21:42:23.732]Exception from container-launch.
Container id: container_1522866364341_0002_02_000001
Exit code: 1
[2018-04-04 21:42:23.738]Container exited with a non-zero exit code 1. Error file: prelaunch.err.
Last 4096 bytes of prelaunch.err :
Last 4096 bytes of stderr :
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/home/karalis/hadoop/hadoop-3.0.0/share/hadoop/yarn/lib/guice-4.0.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

[te21wals]

Has this been resolved?

[kibertoad]

Should this be fixed within Guice or within the cglib?

[Maia-Everett]

Still happening for me with 4.2.0, even though its release notes list it as Java 9 compatible.

[swankjesse]

Switching from cglib to ByteBuddy would be a nice fix.

[Hronom]

What progress with this? Got it on Spring Boot projects on Java 10. Is ByteBuddy will fix that?
I think this is actual nowadays since there comes Java 11 and Spring will start to support it oficially, It's big thing in Java world.

Also maven-compiler-plugin is somehow depends on this library
https://maven.apache.org/plugins/maven-compiler-plugin/dependencies.html

So this affects all projects with maven.

[GedMarc]

Very easy to fix...
System.setProperty("com.google.inject.internal.cglib.$experimental_asm7", "true");

Then
--add-opens java.base/java.lang=com.google.guice,javassist

[ToxicMushroom]

this warning is really anoying pls fix

[mkurz]

Did you try latest release 4.2.2?

[GedMarc]

Without add-opens

Caused by: com.google.inject.internal.cglib.core.$CodeGenerationException: java.lang.reflect.InaccessibleObjectException-->Unable to make protected final java.lang.Class java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain) throws java.lang.ClassFormatError accessible: module java.base does not "opens java.lang" to module com.google.guice
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$ReflectUtils.defineClass(ReflectUtils.java:464)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$AbstractClassGenerator.generate(AbstractClassGenerator.java:336)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:93)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:91)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.internal.$LoadingCache$2.call(LoadingCache.java:54)
	at java.base/java.util.concurrent.FutureTask.run$$$capture(FutureTask.java:264)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.internal.$LoadingCache.createEntry(LoadingCache.java:61)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.internal.$LoadingCache.get(LoadingCache.java:34)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:116)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$AbstractClassGenerator.create(AbstractClassGenerator.java:291)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$KeyFactory$Generator.create(KeyFactory.java:221)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$KeyFactory.create(KeyFactory.java:174)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.core.$KeyFactory.create(KeyFactory.java:153)
	at com.google.guice@4.2.2/com.google.inject.internal.cglib.proxy.$Enhancer.<clinit>(Enhancer.java:73)
	... 28 more
Caused by: java.lang.reflect.InaccessibleObjectException: Unable to make protected final java.lang.Class java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain) throws java.lang.ClassFormatError accessible: module java.base does not "opens java.lang" to module com.google.guice
Caused by: java.lang.ExceptionInInitializerError
	at com.google.guice@4.2.2/com.google.inject.internal.ProxyFactory.<init>(ProxyFactory.java:87)
	at com.google.guice@4.2.2/com.google.inject.internal.ConstructorInjectorStore.createConstructor(ConstructorInjectorStore.java:82)
	at com.google.guice@4.2.2/com.google.inject.internal.ConstructorInjectorStore.access$000(ConstructorInjectorStore.java:29)
	at com.google.guice@4.2.2/com.google.inject.internal.ConstructorInjectorStore$1.create(ConstructorInjectorStore.java:37)
	at com.google.guice@4.2.2/com.google.inject.internal.ConstructorInjectorStore$1.create(ConstructorInjectorStore.java:33)
	at com.google.guice@4.2.2/com.google.inject.internal.FailableCache$1.load(FailableCache.java:40)
	at com.google.common@26.0-jre/com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
	at com.google.common@26.0-jre/com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2277)
	at com.google.common@26.0-jre/com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2154)
	at com.google.common@26.0-jre/com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2044)
	... 18 more

[GedMarc]

Should I remove the system property?

[cplerch]

Sadly, the same issue here:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/C:/_/dev/repos/m2/com/google/inject/guice/4.2.2/guice-4.2.2.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

My setup:

• Windows 10
• Gradle 4.10
• OpenJDK 11+28
• Guice 4.2.2

Looks to me that no progress has been made on this issue by just updating guice to the newest cglib & asm versions.

[cplerch]

Some findings:

Adding VM option --add-opens java.base/java.lang=com.google.guice,javassist as suggested above gives another warning:

WARNING: Unknown module: com.google.guice specified to --add-opens
WARNING: Unknown module: javassist specified to --add-opens

However, after adding VM option --add-opens java.base/java.lang=ALL-UNNAMED all warnings disapear.

System.setProperty("com.google.inject.internal.cglib.$experimental_asm7", "true"); is obviously not needed anymore.

[GedMarc]

That looks like you aren't running in modular mode, plus opening all-unnamed you mine-as-well not use modules at all

Are you starting your app using the modular system?
java -m modulename/my.package.publicvoidmainclass

e.g. mine is

java.exe --add-opens java.base/java.lang=com.google.guice,javassist -Dfile.encoding=UTF-8 -m com.jwebmp.examples.demos.homepage/com.jwebmp.examples.demos.homepage.HomePageStartup

[Yanson]

Above fix does remove warnings.
For Gradle application plugin:

applicationDefaultJvmArgs = ['--add-opens', 'java.base/java.lang=ALL-UNNAMED']

[mcculls]

Note there are 2 different issues when using Java9+

• first was the introduction of new bytecode - this has been handled by upgrading ASM, and also CGLIB because it in turn needs to tell ASM to process the new bytecode level
• second the introduction of JPMS has brought in new access checks when running applications on the module path - this can lead to warnings for code that uses reflection, like Guice's use of AOP

The second issue will require more changes to CGLIB to use the new lookup API when running on JPMS, rather than reflection. (Either that or switch to use ByteBuddy)

Until then running applications using the classic classpath shouldn't trigger warnings, because the new module access checks don't kick in. Similarly using --add-opens java.base/java.lang=<module-name> to grant access to modules on the module path that use reflection should also remove the warnings.

If you don't need AOP then you could also consider using the no-AOP build which doesn't use ASM or CGLIB, and shouldn't trigger these warnings.

[GedMarc]

Also found when using Guice - it's better to have an open module for your running app rather than opens/exports package to com.google.guice (for AOP) - especially for larger projects, the module-info gets bloated and it becomes a little messy.

open module running.app{
        requires com.google.guice;
	requires javax.inject;
	requires aopalliance;
}

[ToxicMushroom]

Did you try latest release 4.2.2?

yes
edit: I'm just gonna ignore the warning by adding --add-opens java.base/java.lang=ALL-UNNAMED as jvm argument

[gjvoosten]

No news about a final release?

Probably in the next few weeks. The final release will be pretty close to the BETA release so in the meantime you can probably depend on the BETA version.

@markmarch So, three weeks on and no new bug reports about BETA 5[*]. The release must be imminent, no? 😉

[*] There is #1451 but that's been there for a while and I can't tell how serious it is.

[TIBCOeddie]

Awaiting a final release to address this bug

[apflieger]

I use guice:5.0.0-BETA-1 in production for months now. Try it out!

[gjvoosten]

I use guice:5.0.0-BETA-1 in production for months now. Try it out!

I have, but some of us depend on other packages that depend on Guice, and whose maintainers won't release with a dependency on a beta version of something or other (and rightly so).
And so another week passes without any response from @markmarch or @sameb … Only some 5 weeks to go and we will be celebrating a whole year without any new (non-beta that is) release. 🍾

[Bas83]

Just FYI, Guice 5.0.1 that was released in February 2021 seems to have resolved this issue. I had to find out it was released by going to mvn repository.