Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The concept of class invariant in object-oriented programming

Bertrand Meyer, Alisa Arkadova, Alexander Kogtenkov

TL;DR

The paper formalizes class invariants as core consistency properties preserved by all object methods and introduces the Invariant Hypothesis to enable modular verification without relying on programmer-annotated wrap/unwrap constructs. It identifies three practical threats—callbacks, furtive access, and reference leaks—through concrete examples and progressively relaxes a Simple Model's restrictions to address them. The Final rule set combines a Callback Model with a Slicing Model, using selective exports and invariant slicing to handle furtive access and aliasing, culminating in strong and weak variants that balance soundness and modular reasoning. The work advances automated OO verification by embedding invariants into a rigorous axiomatic framework, achieving soundness under increasingly realistic language features, and highlighting practical considerations and limitations such as inheritance and mechanization.

Abstract

Class invariants -- consistency constraints preserved by every operation on objects of a given type -- are fundamental to building, understanding and verifying object-oriented programs. For verification, however, they raise difficulties, which have not yet received a generally accepted solution. The present work introduces a proof rule meant to address these issues and allow verification tools to benefit from invariants. It clarifies the notion of invariant and identifies the three associated problems: callbacks, furtive access and reference leak. As an example, the 2016 Ethereum DAO bug, in which $50 million were stolen, resulted from a callback invalidating an invariant. The discussion starts with a simplified model of computation and an associated proof rule, demonstrating its soundness. It then removes one by one the three simplifying assumptions, each removal raising one of the three issues, and leading to a corresponding adaptation to the proof rule. The final version of the rule can tackle tricky examples, including "challenge problems" listed in the literature.

The concept of class invariant in object-oriented programming

TL;DR

The paper formalizes class invariants as core consistency properties preserved by all object methods and introduces the Invariant Hypothesis to enable modular verification without relying on programmer-annotated wrap/unwrap constructs. It identifies three practical threats—callbacks, furtive access, and reference leaks—through concrete examples and progressively relaxes a Simple Model's restrictions to address them. The Final rule set combines a Callback Model with a Slicing Model, using selective exports and invariant slicing to handle furtive access and aliasing, culminating in strong and weak variants that balance soundness and modular reasoning. The work advances automated OO verification by embedding invariants into a rigorous axiomatic framework, achieving soundness under increasingly realistic language features, and highlighting practical considerations and limitations such as inheritance and mechanization.

Abstract

Class invariants -- consistency constraints preserved by every operation on objects of a given type -- are fundamental to building, understanding and verifying object-oriented programs. For verification, however, they raise difficulties, which have not yet received a generally accepted solution. The present work introduces a proof rule meant to address these issues and allow verification tools to benefit from invariants. It clarifies the notion of invariant and identifies the three associated problems: callbacks, furtive access and reference leak. As an example, the 2016 Ethereum DAO bug, in which $50 million were stolen, resulted from a callback invalidating an invariant. The discussion starts with a simplified model of computation and an associated proof rule, demonstrating its soundness. It then removes one by one the three simplifying assumptions, each removal raising one of the three issues, and leading to a corresponding adaptation to the proof rule. The final version of the rule can tackle tricky examples, including "challenge problems" listed in the literature.

Paper Structure

This paper contains 55 sections, 20 figures, 2 tables.

Table of Contents

  1. Class Invariants
  2. Basics
  3. Contributions and limitations
  4. Progression and preview
  5. Terminology
  6. Working with invariants
  7. Working with heaps
  8. The Invariant Hypothesis and the Scandalous Obligation
  9. Background: a classical proof rule for routine calls
  10. Notation
  11. Sound but useless invariant integration
  12. The Invariant Preservation Property
  13. The ideal rule
  14. The run-time model
  15. Current object, active objects, active routines
  16. ...and 40 more sections

Figures (20)

  • Figure 1: Some objects in a heap
  • Figure 2: Object lifecycle
  • Figure 3: OO computation model
  • Figure 4: Run-time snapshot: root, current, active and inactive objects
  • Figure 5: Incomplete remarriage
  • ...and 15 more figures