The concept of class invariant in object-oriented programming
arXiv - CS - Software Engineering, Pub Date: 2021-09-14, DOI: arxiv-2109.06557
Bertrand Meyer, Alisa Arkadova, Alexander Kogtenkov, Alexandr Naumchev

Class invariants -- consistency constraints preserved by every operation on objects of a given type -- are fundamental to building and understanding object-oriented programs. They should also be a key help in verifying them, but turn out instead to raise major verification challenges, which have prompted a significant literature with, until now, no widely accepted solution. The present work introduces a general proof rule meant to address invariant-related issues and allow verification tools to benefit from invariants. It first clarifies the notion of invariant and identifies the three problems: callbacks, furtive access and reference leak. As an example, the 2016 Ethereum DAO bug, in which $50 million were stolen, resulted from a callback invalidating an invariant. The discussion starts with a "Simple Model" and an associated proof rule, demonstrating its soundness. It then removes one by one the three assumptions of the Simple Model, each removal bringing up one of the three issues, and introduces the corresponding adaptation to the proof rule. The final version of the rule can tackle tricky examples, including "challenge problems" listed in the literature.
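The callback problem named in the abstract, as an added Python example that is not part of the paper: a constructed `Account` class carries an invariant (`balance == sum(history)`), and the two `withdraw` variants differ only in whether the object hands control to a callback before or after the invariant is re-established. A callback that reaches the object while the invariant is broken cannot rely on it, which is the unsoundness a proof rule has to account for; the `Account` class, its invariant and the callback hook are assumptions of this example.

```python
from typing import Callable, List

Callback = Callable[["Account"], None]

class Account:
    """Toy account (constructed example). Class invariant:
    balance == sum(history) and balance >= 0."""

    def __init__(self, opening: int) -> None:
        self.balance = opening
        self.history: List[int] = [opening]

    def invariant(self) -> bool:
        return self.balance == sum(self.history) and self.balance >= 0

    def withdraw_unsafe(self, amount: int, notify: Callback) -> None:
        """Hands control to the callback while the invariant is broken."""
        assert self.invariant() and 0 < amount <= self.balance
        self.balance -= amount
        notify(self)                   # callback sees balance != sum(history)
        self.history.append(-amount)   # invariant only restored afterwards
        assert self.invariant()

    def withdraw_safe(self, amount: int, notify: Callback) -> None:
        """Restores the invariant before any callback can observe the object."""
        assert self.invariant() and 0 < amount <= self.balance
        self.balance -= amount
        self.history.append(-amount)   # invariant holds again from here on
        notify(self)                   # callback sees a consistent object
        assert self.invariant()

def invariant_seen_by_callback(safe: bool) -> bool:
    """Run a 30-unit withdrawal on a 100-unit account and report whether the
    notified callback found the object's invariant satisfied."""
    acct = Account(100)
    seen: List[bool] = []

    def on_withdraw(a: Account) -> None:
        seen.append(a.invariant())     # what a callee relying on the invariant would assume

    if safe:
        acct.withdraw_safe(30, on_withdraw)
    else:
        acct.withdraw_unsafe(30, on_withdraw)
    return seen[0]

if __name__ == "__main__":
    print("unsafe ordering, invariant seen by callback:", invariant_seen_by_callback(False))
    print("safe ordering,   invariant seen by callback:", invariant_seen_by_callback(True))
```

The same ordering discipline (finish the object's own state change before calling out) is what removes the window the abstract's DAO example describes.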

Updated: 2021-09-15