This is similar to the problems in CLJ-2066, but through a different code path. Basically, the reflector can find a method instance that is available via reflection, but not module-accessible and invoking that can produce an IllegalAccessException.

To reproduce:

Then:

In this case, the reflector is finding the method DeepNodeListImpl.getLength(), which is not module accessible, rather than the public interface method NodeList.getLength().

Proposed: The reflector already does one check for whether the method is publicly invokable and knows how to find an invokable super-class method instead. Here we need to add an additional check on Method#canAccess() (new as of Java 9).

Patch: clj-2454-2.patch - checks canAccess() when deciding whether matched method is invokable. Also, added new methods getAsMethodOfAccessibleBase and isAccessibleMatch that are copies of the (now unused) getAsMethodOfPublicBase and isMatch methods that check accessibility before selecting a super method. Old ones left in case anyone was invoking them directly (no callers in Clojure itself).