What is an invariant? (2023)

I’m not sure that I agree with the article.<p>In the course of my work, I think of an invariant as a state that must hold true at all points during the software’s execution.<p>For example, “port xxx must never accept inbound traffic”.<p>I don’t think of invariants as mindsets; I think of them as runtime requirements that are observable and testable at any point during execution, and whose violation is an indication that some assumption about state that the proper execution of the software depends on, no longer holds.<p>Maybe a good analogy would be “a runtime assert”.

I appreciate that the Ada language features baked-in pre- and post-condition invariants as a part of a function&#x27;s signature. It goes beyond just runtime assertions by becoming a part of the function&#x27;s contract with callers.<p><a href="https:&#x2F;&#x2F;learn.adacore.com&#x2F;courses&#x2F;intro-to-ada&#x2F;chapters&#x2F;contracts.html" rel="nofollow">https:&#x2F;&#x2F;learn.adacore.com&#x2F;courses&#x2F;intro-to-ada&#x2F;chapters&#x2F;cont...</a>

Perhaps a nice short summary would be &quot;facts you can rely on&quot;. Because the benefit comes from reducing the cognitive load juggled by the programmer. The more possibilities you can eliminate by identifying invariants, the quicker you&#x27;ll arrive at a working solution.

Another way to view such invariant is to see it as a generalization of both pre- as well as post-condition.<p>The pre-condition is a special case, then the invariant provides the &quot;guard rails&quot; along which the computation proceeds, and then the post-condition is again a special case which ultimately is the result of the computation.<p>In the search example of the computation, the pre-condition is &quot;the position is <i>somewhere</i> in the allowed indices&quot;, the post-condition is &quot;the return value is the position&quot;. The stated invariant is &quot;the value is between current min and max bounds&quot;. These bounds become tighter and tighter, so that eventually the pre-condition is transformed into the post-condition.

using a SMT solver like Z3 to define and test invariants is a really interesting application of an extremely powerful tool.<p>from z3 import *<p>def check_invariant(precondition, loop_body, invariant): &quot;&quot;&quot; Check if a loop invariant holds.<p><pre><code> Args: precondition (z3.ExprRef): The precondition of the loop. loop_body (Callable[[z3.ExprRef], z3.ExprRef]): A function representing the loop body. invariant (z3.ExprRef): The loop invariant to check. &quot;&quot;&quot; s = Solver() s.add(precondition) # Check if the invariant holds initially s.push() s.add(Not(invariant)) if s.check() == sat: print(&quot;Invariant does not hold initially.&quot;) return s.pop() # Check if the invariant is preserved by the loop body s.push() s.add(invariant) s.add(loop_body(invariant)) s.add(Not(invariant)) if s.check() == sat: print(&quot;Invariant is not preserved by the loop body.&quot;) return s.pop() print(&quot;Invariant holds.&quot;) </code></pre> # Example: Proving that the sum of the first n integers is n<i>(n+1)&#x2F;2 def example(): n = Int(&#x27;n&#x27;) i = Int(&#x27;i&#x27;) sum = Int(&#x27;sum&#x27;)<p><pre><code> precondition = And(n &gt;= 0, i == 0, sum == 0) loop_body = lambda inv: And(i &lt; n, sum == i * (i + 1) &#x2F; 2, i == i + 1, sum == sum + i) invariant = sum == i * (i + 1) &#x2F; 2 check_invariant(precondition, loop_body, invariant) </code></pre> if __name__ == &quot;__main__&quot;: example()</i>