The Concept of Class Invariant in Object-oriented Programming
Formal Aspects of Computing (IF 1), Pub Date: 2024-03-20, DOI: 10.1145/3626201
Bertrand Meyer, Alisa Arkadova, Alexander Kogtenkov
Class invariants—consistency constraints preserved by every operation on objects of a given type—are fundamental to building, understanding, and verifying object-oriented programs. For verification, however, they raise difficulties, which have not yet received a generally accepted solution. The present work introduces a proof rule meant to address these issues and allow verification tools to benefit from invariants.

It clarifies the notion of invariant and identifies the three associated problems: callbacks, furtive access, and reference leak. As an example, the 2016 Ethereum DAO bug, in which $50 million was stolen, resulted from a callback invalidating an invariant.

The discussion starts with a simplified model of computation and an associated proof rule, demonstrating its soundness. It then removes one by one the three simplifying assumptions, each removal raising one of the three issues and leading to a corresponding adaptation to the proof rule. The final version of the rule can tackle tricky examples, including “challenge problems” listed in the literature.
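The abstract names the callback problem and cites the DAO incident as a case of a callback invalidating an invariant. The following added example (written for this page, not code from the paper or its authors) makes the mechanism concrete with a constructed `Vault` class whose invariant is "every balance is non-negative and the sum of balances equals the cash held". One withdrawal method hands control to a client callback while the invariant is temporarily false; the other re-establishes the invariant before any call leaves the class. The `run` driver, the method names and the sample amounts are all assumptions made for the example.

```python
from typing import Callable, Dict, List, Tuple


class InvariantViolation(Exception):
    """Raised when a public operation finishes with the class invariant false."""


class Vault:
    """Constructed example class (not from the paper).

    Class invariant: every balance is non-negative and the sum of all
    balances equals `cash`, the amount the vault actually holds.
    """

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self.cash = 0

    def invariant(self) -> bool:
        """The consistency constraint every public operation must preserve."""
        return (self.cash == sum(self.balances.values())
                and all(b >= 0 for b in self.balances.values()))

    def _check(self) -> None:
        if not self.invariant():
            raise InvariantViolation(f"cash={self.cash} balances={self.balances}")

    def deposit(self, owner: str, amount: int) -> None:
        self.balances[owner] = self.balances.get(owner, 0) + amount
        self.cash += amount
        self._check()

    def withdraw_callback_first(self, owner: str,
                                on_payout: Callable[["Vault", str, int], None]) -> None:
        """Pays out (the callback) before recording the withdrawal.

        Between `cash -= amount` and `balances[owner] = 0` the invariant is
        false, and the client callback runs inside that window: a callback
        that re-enters the vault observes, and can act on, an inconsistent
        object. This is the pattern the abstract attributes to the DAO bug.
        """
        amount = self.balances.get(owner, 0)
        if amount == 0:
            return
        self.cash -= amount
        on_payout(self, owner, amount)     # control leaves the class here
        self.balances[owner] = 0
        self._check()

    def withdraw_update_first(self, owner: str,
                              on_payout: Callable[["Vault", str, int], None]) -> None:
        """Records the withdrawal first, so the invariant is re-established
        before control leaves the class; any callback sees a consistent
        object, and a re-entrant withdrawal finds a zero balance."""
        amount = self.balances.get(owner, 0)
        if amount == 0:
            return
        self.balances[owner] = 0
        self.cash -= amount
        self._check()
        on_payout(self, owner, amount)


def run(withdraw_name: str, reenter: bool) -> Tuple[List[bool], str, int]:
    """Deposit 100 for 'alice', then withdraw through the named method.

    The callback logs whether the invariant holds at the moment it is
    invoked and, if `reenter` is set, calls the same withdrawal method once
    more from inside the callback. Returns (invariant observations, outcome,
    final cash).
    """
    vault = Vault()
    vault.deposit("alice", 100)
    seen: List[bool] = []
    depth = [0]

    def on_payout(v: Vault, owner: str, amount: int) -> None:
        seen.append(v.invariant())
        depth[0] += 1
        if reenter and depth[0] == 1:
            getattr(v, withdraw_name)(owner, on_payout)

    try:
        getattr(vault, withdraw_name)("alice", on_payout)
        outcome = "ok"
    except InvariantViolation:
        outcome = "violation"
    return seen, outcome, vault.cash


if __name__ == "__main__":
    for name in ("withdraw_callback_first", "withdraw_update_first"):
        for reenter in (False, True):
            print(name, "reenter" if reenter else "plain", run(name, reenter))
```

Running the driver shows the difference the abstract is pointing at: with `withdraw_callback_first` the callback always observes the invariant as false, and a single re-entrant call drives `cash` to -100 and ends in an `InvariantViolation`; with `withdraw_update_first` the callback observes a consistent object and the re-entrant call is a no-op. The runtime check here is only a diagnostic for the example; the paper's concern is a proof rule under which a verifier can establish statically that no callback can ever run in such a window. The example covers only the callback problem, not the furtive-access and reference-leak problems the abstract also lists.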



Chinese translation (rendered into English):

The Concept of Class Invariants in Object-Oriented Programming

Class invariants, consistency constraints preserved by every operation on objects of a given type, are fundamental to building, understanding and verifying object-oriented programs. For verification, however, they raise difficulties for which no generally accepted solution yet exists. The present work introduces a proof rule intended to address these problems and allow verification tools to benefit from invariants.

It clarifies the notion of invariant and identifies the three associated problems: callbacks, furtive access and reference leaks. For example, the 2016 Ethereum DAO bug, in which 50 million dollars were stolen, was caused by a callback invalidating an invariant.

The discussion starts from a simplified model of computation and an associated proof rule, and proves its soundness. It then removes the three simplifying assumptions one by one; each removal raises one of the three problems and leads to a corresponding adjustment of the proof rule. The final version of the rule can handle tricky examples, including the "challenge problems" listed in the literature.

Updated: 2024-03-20