I've proved that the central XMonad StackSet module is safe on several occasions, as the code keeps evolving. Each time I take the source code, run Catch on it, and send an email back to the XMonad list giving the results. So far only one other person (Spencer Janssen) has taken the time to download and install Catch and run the tests to validate my result. The reason for this is that building Catch is slightly tricky, due to the Yhc and Yhc.Core dependencies. I'm working on putting together a proper release for Hackage; expect that within a month. All the code works, it's just the packaging and user interface that's lacking.

The other day dons asked me how he could "get an idea" of what Catch is doing. If you blindly accept a formal proof, it's hard to get a feel for whether it's correct, or whether you are proving what you expect. The detailed answer is going to appear in my thesis (and hopefully as a paper beforehand), but I thought it may help to give a very light overview of what thoughts go through Catch.

The concept behind Catch is that each function has a precondition that must hold in order for the function to execute without error. If a function f calls a function g which has a precondition, then the precondition for f must guarantee that the precondition to g holds. If you set this up so that error has the precondition False, then you have a pattern match checker.

The second concept is that given a postcondition on a function, you can transform that to a precondition on the arguments to the function. If there is a requirement that the result of f x y meets a certain condition, then this can be expressed as conditions on the variables x and y.

Before all this machinery can be put into action, it is first necessary to perform many transformations on the source code: filling in default pattern matches, doing simplifications, removing higher-order functions and abstracting some library functions. All these transformations are performed automatically, and are intended to set up the Catch machinery to do the best job it can.

As it happens, most of the pattern matches that are checked in XMonad are relatively trivial, and do not push the power of Catch to its full potential. A few are slightly more complex, and one of these is focusLeft (XMonad code evolves very fast, so this may not be the current darcs version!):

    {- ICFP referees look away now -}
    focusLeft = modify Empty $ \c -> case c of
        Node _ _ [] [] -> c
        Node m t (l:ls) rs -> Node m l ls (t:rs)
        Node m t [] rs -> Node m x xs [t] where (x:xs) = reverse rs -- wrap

Catch identifies two separate potential pattern match errors in this statement. Firstly, the lambda expression passed as the second argument to modify is potentially unsafe, as it does not mention the Empty constructor. A quick look at the modify function shows that by this stage the value must be a Node. The way Catch solves this is by transforming the code, bringing the two pieces of code together. Once the case expression within modify is merged with the one in the lambda, pattern match safety is a simple transformation of eliminating redundant alternatives.

The second potential error is in the where statement. If reverse rs is empty then the pattern will not match. This is a perfect example of the postconditions in action: the generated postcondition is that reverse rs must be a (:) constructed value. Using the machinery in Catch, this condition is transformed into the condition that rs must be a (:) value. Looking at the alternatives, Catch can see this is always the case (the first alternative has already taken Node _ _ [] [], so rs is non-empty by the time the third alternative is reached), and declares the pattern safe.

In order to prove the entire module, Catch requires 23 properties and 12 preconditions. The process takes 1.16 seconds and requires 1521.05 Kb of memory.

Catch is an automated tool - no user annotations are required - which means that some people may feel excluded from its computational thoughts. If a user does wish to gain confidence in the Catch checking process, a full log is produced of all the preconditions and postconditions required, but it isn't bedtime reading. Hopefully this post will let people get an idea of how Catch works at a higher level.

I am very glad that Catch is an automated tool. XMonad is a fast changing code base, with many contributors. In a manual system, requiring proofs to remain in lockstep with the code, the pace of progress would be slowed dramatically. Hopefully Catch can give cheap verification, and therefore verification which can be of practical use to non-experts.
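An added example, not code from the post or from the XMonad source: a cut-down model of the StackSet zipper with the post's focusLeft beside a rewrite whose wrap case contains no partial pattern, and an exhaustive check that the two agree on all small stacks. Stack, modify, focusLeftTotal, stacksUpTo and agreeUpTo are names assumed for this example; the four-field Node mirrors the shape used in the post's code.

```haskell
module Main where

-- Assumed model of the StackSet zipper: master m, focused element t,
-- elements to the left (nearest first), elements to the right (nearest first).
data Stack a = Empty | Node a a [a] [a]
  deriving (Eq, Show)

-- Run f on a non-empty stack; d is returned for Empty (mirrors the post's modify).
modify :: Stack a -> (Stack a -> Stack a) -> Stack a -> Stack a
modify d _ Empty = d
modify _ f c     = f c

-- The function from the post. The "where" pattern is partial, but safe:
-- the first alternative already took Node _ _ [] [], so rs /= [] in the
-- third alternative and reverse rs is a (:) value.
focusLeft :: Stack a -> Stack a
focusLeft = modify Empty $ \c -> case c of
    Node _ _ [] []     -> c
    Node m t (l:ls) rs -> Node m l ls (t:rs)
    Node m t [] rs     -> Node m x xs [t] where (x:xs) = reverse rs -- wrap

-- Same behaviour with no partial pattern: the wrap case inspects reverse rs
-- directly, so a checker (or a reviewer) has nothing left to prove.
focusLeftTotal :: Stack a -> Stack a
focusLeftTotal Empty = Empty
focusLeftTotal c@(Node m t ls rs) = case ls of
    (l:ls') -> Node m l ls' (t:rs)
    []      -> case reverse rs of
        (x:xs) -> Node m x xs [t]
        []     -> c                 -- singleton stack: nothing to wrap to

-- Constructed inputs: every Node whose left and right lists together hold
-- at most n elements, plus Empty.
stacksUpTo :: Int -> [Stack Int]
stacksUpTo n = Empty : [ Node 0 0 (take i xs) (take j (drop i xs))
                       | i <- [0 .. n], j <- [0 .. n - i] ]
  where xs = [1 ..]

-- True iff the partial and total versions agree on every constructed stack
-- (evaluating focusLeft fully also exercises its where pattern on each one).
agreeUpTo :: Int -> Bool
agreeUpTo n = all (\s -> focusLeft s == focusLeftTotal s) (stacksUpTo n)

main :: IO ()
main = print (agreeUpTo 6)
```

Compiling with warnings enabled still flags the lambda's missing Empty alternative, which is exactly the first of the two reports the post says Catch discharges by merging it with modify.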