‹ 首页

abstract-state-analyzer

@arabelatso · 收录于 1 周前

Performs abstract interpretation over source code to infer possible program states, variable ranges, and data properties without executing the program. Reports potential runtime errors including out-of-bounds accesses, null dereferences, type inconsistencies, division by zero, and integer overflows. Use when analyzing code for potential runtime errors, performing static analysis, checking safety properties, or verifying program behavior without execution.

适合你,如果需要在运行前发现代码中的潜在缺陷

/ 下载安装
abstract-state-analyzer.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add arabelatso/skills-4-se/abstract-state-analyzer
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- arabelatso/skills-4-se/abstract-state-analyzer
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify arabelatso/skills-4-se/abstract-state-analyzer
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
137GitHub stars
~1.6K最小装载
~7K含声明引用
~7K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · Apache-2.0 · 0f00a4f

Abstract State Analyzer

Overview

This skill performs abstract interpretation to statically analyze source code and infer possible program states, variable ranges, and data properties. It identifies potential runtime errors without executing the program.

Analysis Workflow
Step 1: Parse and Understand Code Structure

Analyze the code to identify:

  • Functions and their control flow
  • Variable declarations and types
  • Loops and conditionals
  • Array/buffer operations
  • Pointer/reference operations
  • Function calls and parameter passing
Step 2: Select Abstract Domains

Choose appropriate abstract domains based on the analysis goals:

Interval Domain: Track numeric variable ranges

  • Example: x ∈ [0, 100] means x is between 0 and 100
  • Good for: Array bounds checking, overflow detection

Sign Domain: Track whether values are positive, negative, or zero

  • Values: {+, -, 0, ⊤}
  • Good for: Division by zero, sign-dependent operations

Null Domain: Track whether pointers/references can be null

  • Values: {null, not-null, maybe-null, ⊤}
  • Good for: Null dereference detection

Type Domain: Track possible types of variables

  • Good for: Type consistency checking, dynamic language analysis

Combination: Use multiple domains together for more precise analysis

Step 3: Initialize Abstract States

Set initial abstract values for:

  • Function parameters (based on preconditions or ⊤ for unknown)
  • Global variables
  • Constants and literals

Example:

def process(arr, index):
    # Initial state:
    # arr: not-null (assumed)
    # index: ⊤ (unknown integer)
Step 4: Perform Forward Analysis

Propagate abstract states through the program:

Assignment: Update abstract value

x = 5
# x: [5, 5]

y = x + 3
# y: [8, 8]

Conditionals: Split into branches

if x > 10:
    # Branch 1: x ∈ [11, ∞]
else:
    # Branch 2: x ∈ [-∞, 10]

Loops: Iterate until fixpoint

i = 0
while i < n:
    # Iteration 1: i ∈ [0, 0]
    # Iteration 2: i ∈ [0, 1]
    # ...
    # Fixpoint: i ∈ [0, n-1]
    i += 1

Join Points: Merge states from multiple paths

if condition:
    x = 5  # x: [5, 5]
else:
    x = 10  # x: [10, 10]
# After join: x ∈ [5, 10]
Step 5: Detect Potential Errors

Check for violations at each operation:

Array Bounds:

arr[index]
# Check: index ∈ [0, len(arr)-1]?
# If index: ⊤ → Potential out-of-bounds
# If index: [0, 5] and len(arr) = 10 → Safe

Null Dereference:

ptr.field
# Check: ptr is not-null?
# If ptr: maybe-null → Potential null dereference

Division by Zero:

x / y
# Check: 0 ∉ y?
# If y: [1, 10] → Safe
# If y: [-5, 5] → Potential division by zero

Integer Overflow:

x = a * b
# Check: a * b within type bounds?
# If a: [1000, 2000], b: [1000, 2000] → Potential overflow for int32

Type Inconsistency:

result = func(arg)
# Check: arg type matches parameter type?
Step 6: Report Findings

For each potential error, report:

  1. Location: File, line number, function
  2. Error Type: Out-of-bounds, null dereference, etc.
  3. Abstract State: Variable values at the error point
  4. Severity: Definite error vs. potential error
  5. Explanation: Why the error might occur
  6. Suggestion: How to fix (add check, change bounds, etc.)
Complete Example
def find_max(arr, n):
    if n <= 0:
        return None

    max_val = arr[0]
    i = 1
    while i < n:
        if arr[i] > max_val:
            max_val = arr[i]
        i += 1
    return max_val

Analysis:

Initial State:

  • arr: not-null (assumed)
  • n: ⊤ (unknown integer)

Line 2: if n <= 0

  • Branch 1 (n ≤ 0): n ∈ [-∞, 0]
  • Branch 2 (n > 0): n ∈ [1, ∞]

Line 3: return None (Branch 1)

  • Safe return

Line 5: max_val = arr[0] (Branch 2)

  • Access: arr[0]
  • Check: 0 < len(arr)?
  • POTENTIAL ERROR: arr length unknown, might be empty
  • State: max_val = arr[0], n ∈ [1, ∞]

Line 6: i = 1

  • State: i = [1, 1]

Line 7: while i < n

  • Loop invariant: i ∈ [1, n]
  • Fixpoint: i ∈ [1, n-1] inside loop

Line 8: if arr[i] > max_val

  • Access: arr[i] where i ∈ [1, n-1]
  • Check: i < len(arr)?
  • POTENTIAL ERROR: If n > len(arr), out-of-bounds access
  • State: max_val updated if arr[i] > max_val

Line 10: i += 1

  • State: i ∈ [2, n]

Report:

POTENTIAL ERRORS FOUND:

1. Out-of-Bounds Access
   Location: line 5, arr[0]
   State: n ∈ [1, ∞], arr length unknown
   Severity: Potential
   Explanation: Array 'arr' might be empty when n > 0
   Suggestion: Add check: if len(arr) == 0 or add precondition

2. Out-of-Bounds Access
   Location: line 8, arr[i]
   State: i ∈ [1, n-1], arr length unknown
   Severity: Potential
   Explanation: If n > len(arr), accessing beyond array bounds
   Suggestion: Add precondition: n <= len(arr) or check i < len(arr)
Language-Specific Considerations
C/C++
  • Track pointer arithmetic carefully
  • Consider undefined behavior (signed overflow, null dereference)
  • Analyze memory allocation/deallocation
  • Check buffer sizes for string operations
Python
  • Dynamic typing requires type domain
  • List/dict operations need bounds checking
  • None values require null domain
  • Consider duck typing and attribute access
Java
  • Null pointer exceptions
  • Array bounds (ArrayIndexOutOfBoundsException)
  • Integer overflow (silent wraparound)
  • Type casting (ClassCastException)
JavaScript
  • Undefined and null values
  • Type coercion issues
  • Array bounds (returns undefined, not error)
  • Property access on null/undefined
Handling Complexity
Widening for Loops

When loops don't converge quickly, apply widening:

# Instead of: [0, 0] → [0, 1] → [0, 2] → ...
# Widen to: [0, ∞]
Function Summaries

For called functions, use summaries instead of full analysis:

def helper(x):
    # Summary: returns x + 1, no errors
    return x + 1

# Use summary instead of analyzing helper body
Path Sensitivity

For complex conditionals, track path conditions:

if x > 0 and x < 10:
    # x ∈ [1, 9] (path-sensitive)
    # vs x ∈ [-∞, ∞] (path-insensitive)
References

For detailed information on abstract interpretation techniques and domains:

  • references/abstract_domains.md: Detailed abstract domain definitions and operations
  • references/analysis_patterns.md: Common analysis patterns for different error types
  • references/language_specifics.md: Language-specific analysis considerations
按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。