Learning inductive invariants by sampling from frequency distributions
Formal Methods in System Design (IF 0.8), Pub Date: 2020-11-16, DOI: 10.1007/s10703-020-00349-x
Grigory Fedyukovich , Samuel J. Kaufman , Rastislav Bodík

Automated verification of program safety is reduced to the discovery of safe inductive invariants, i.e., formulas that over-approximate the sets of reachable program states but are precise enough to prove unreachability of the error state. We present a framework, called FreqHorn, that follows the Syntax-Guided Synthesis paradigm to iteratively sample candidate invariants from a formal grammar and check them with an SMT solver. FreqHorn automatically constructs grammars based on either source code or bounded proofs. After each (un-)successful candidate, FreqHorn adjusts the grammars to ensure the candidate is not sampled again. The process continues either until the conjunction of successful candidates (called lemmas) is sufficient, or until the search space is exhausted. Additionally, FreqHorn keeps a history of counterexamples-to-induction (CTIs) which block learning a lemma. With some periodicity, it checks whether there is a CTI that is invalidated by the currently learned lemmas and rechecks the failed lemma if needed. FreqHorn is able to check several candidates at the same time to filter them effectively using the well-known Houdini algorithm.
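As an added illustration (not FreqHorn's own code), the learning loop the abstract describes in miniature: each sampled candidate is checked for inductiveness relative to the lemmas learned so far, a blocked candidate leaves its counterexample-to-induction in a history, and a blocked candidate is rechecked once later lemmas invalidate that CTI. The loop program, the candidate lemmas, and the exhaustive finite-state check standing in for the SMT solver are constructed assumptions.

```python
from itertools import product
# Constructed loop under verification: x = 0; y = 0; while x < 10: x += 1; y += 2
# Assumption: a small finite box of states is enumerated in place of SMT queries.
INIT = (0, 0)
STATES = list(product(range(25), range(25)))   # candidate (x, y) pre-states

def step(s):
    """Successor under one loop iteration, or None once the loop exits."""
    return (s[0] + 1, s[1] + 2) if s[0] < 10 else None

def check(cand, lemmas):
    """None if cand is preserved by every step from cand and lemmas, else a CTI."""
    for s in STATES:
        if cand(s) and all(l(s) for l in lemmas):
            t = step(s)
            if t is not None and not cand(t):
                return s                          # counterexample-to-induction
    return None

def learn(candidates):
    """Keep inductive candidates as lemmas, record a CTI per blocked one, and
    (here after every candidate) recheck blocked ones whose CTI is now invalid."""
    lemmas, ctis = {}, {}
    for name, cand in candidates.items():
        if not cand(INIT):
            continue                              # fails initiation: drop for good
        cti = check(cand, lemmas.values())
        if cti is None:
            lemmas[name] = cand
        else:
            ctis[name] = cti
        stale = [n for n, s in ctis.items() if not all(l(s) for l in lemmas.values())]
        for n in stale:
            cti = check(candidates[n], lemmas.values())
            if cti is None:
                lemmas[n] = candidates[n]
                del ctis[n]
            else:
                ctis[n] = cti                     # still blocked, by a fresh CTI
    return lemmas, ctis

def safe(lemmas, bad):
    """True when the conjunction of lemmas rules out every error state."""
    return not any(bad(s) and all(l(s) for l in lemmas) for s in STATES)

# Candidate lemmas in the order a grammar might sample them (constructed)
CANDIDATES = {
    "y <= 20":  lambda s: s[1] <= 20,             # blocked first, rescued later
    "x < 5":    lambda s: s[0] < 5,               # never inductive
    "y == 2*x": lambda s: s[1] == 2 * s[0],
    "x <= 10":  lambda s: s[0] <= 10,
}
```

With the error state "the loop exits with y != 20", `learn(CANDIDATES)` keeps `y == 2*x`, `y <= 20` and `x <= 10`, leaves `x < 5` blocked by the CTI (4, 8), and `safe` confirms the three lemmas exclude the error state.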

Updated: 2020-11-16