All classes that do not set a ProtectionDomain explicitly have a "default" ProtectionDomain. And
every ProtectionDomain has a CodeSource with a URL as its location.
If an application invokes
CodeSource.getLocation(), it can reasonably expect a non-null
URL. We use the executable image's name as the location, because that is the best value we can
provide.
But computing the URL for the location pulls in a lot of JDK dependencies. For a simple
application like "Hello World", that would significantly increase the image size. So we only add
code to compute the URL if the application explicitly invokes
CodeSource.getLocation().
This is done using a reachability handler registered in
ProtectionDomainFeature.beforeAnalysis(org.graalvm.nativeimage.hosted.Feature.BeforeAnalysisAccess).
Note that this still leads to observable differences in places where the location is used
implicitly, like
CodeSource.toString() and
CodeSource.implies(java.security.CodeSource). We accept that
difference in behavior.