{#laziness}
============

<div class="hidden">
\begin{code}
module Laziness where

import Language.Haskell.Liquid.Prelude

{-@ LIQUID "--no-termination" @-}

safeDiv :: Int -> Int -> Int
foo     :: Int -> Int
-- zero    :: Int 
-- diverge :: a -> b
\end{code}
</div>


Lazy Evaluation?
----------------


Lazy Evaluation
===============

SMT based Verification
----------------------

Techniques developed for **strict** languages

<br>

<div class="fragment">

-----------------------   ---   ------------------------------------------
        **Floyd-Hoare**    :    `ESCJava`, `SpecSharp` ...
     **Model Checkers**    :    `Slam`, `Blast` ...
   **Refinement Types**    :    `DML`, `Stardust`, `Sage`, `F7`, `F*`, ...
-----------------------   ---   ------------------------------------------

</div>

<br>

<div class="fragment">
Surely soundness carries over to Haskell, right?
</div>


Back To the Beginning
---------------------

\begin{code}
{-@ safeDiv :: _ -> {v:_ |v /= 0} -> Int @-}
safeDiv n 0 = liquidError "div-by-zero!"
safeDiv n d = n `div` d
\end{code}

<br>

<div class="fragment">
Should only call `safeDiv` with **non-zero** values
</div>

An Innocent Function
--------------------

`foo` returns a value **strictly less than** input.

<br>

\begin{spec}
{-@ foo       :: n:Nat -> {v:Nat | v < n} @-}
foo n   
  | n > 0     = n - 1
  | otherwise = foo n
\end{spec}

LiquidHaskell Lies! 
-------------------

\begin{code}
{-@ foo       :: n:Nat -> {v:Nat | v < n} @-}
foo n   
  | n > 0     = n - 1
  | otherwise = foo n

explode = let z = 0    
              a = foo z
          in  
              (\x -> 2014 `safeDiv` z) a 
\end{code}

<br>

<div class="fragment">
Why is this program **deemed safe**?! 
</div>


*Is Safe* With Eager Eval
-------------------------

\begin{spec}
{-@ foo       :: n:Nat -> {v:Nat | v < n} @-}
foo n   
  | n > 0     = n - 1
  | otherwise = foo n

explode = let z = 0     -- :: {v:Int| v = 0}
              a = foo z -- :: {v:Nat| v < z}
          in  
              (\x -> 2014 `safeDiv` z) a 
\end{spec}

<br>

**Safe** in Java, ML: program **never hits** divide-by-zero 

*Unsafe* With Lazy Eval
-----------------------

\begin{spec} <div/>
{-@ foo       :: n:Nat -> {v:Nat | v < n} @-}
foo n   
  | n > 0     = n - 1
  | otherwise = foo n

explode = let z = 0     -- :: {v:Int| v = 0}
              a = foo z -- :: {v:Nat| v < z}
          in  
              (\x -> 2014 `safeDiv` z) a 
\end{spec}

<br>

**Unsafe** in Haskell: skips `foo z` **hits** divide-by-zero!

Problem: Divergence
-------------------

What is denoted by:

$$ e :: \reft{v}{\Int}{p}$$

<br>

<div class="fragment">
$e$ evaluates to $\Int$ that satisfies $p$  
</div>

<div class="fragment">
or

**diverges**! 
</div>

<div class="fragment">
<br>

Classical Floyd-Hoare notion of [partial correctness](http://en.wikipedia.org/wiki/Hoare_logic#Partial_and_total_correctness)

</div>



Problem: Divergence
-------------------

\begin{spec} **Consider** <div/> 
        {-@ e :: {v : Int | P} @-}

        let x = e in body 
\end{spec}

<br>

<div class="fragment">
**Eager Evaluation** 

*Can* assume `P(x)` when checking `body`
</div>

<br>

<div class="fragment">
**Lazy Evaluation** 

*Cannot* assume `P(x)` when checking `body`
</div>

Eager vs. Lazy Binders 
----------------------

\begin{spec} 
{-@ foo       :: n:Nat -> {v:Nat | v < n} @-}
foo n   
  | n > 0     = n - 1
  | otherwise = foo n

explode = let z = 0     -- :: {v:Int| v = 0}
              a = foo z -- :: {v:Nat| v < z}
          in  
              (\x -> 2014 `safeDiv` z) a 
\end{spec}

<br>

Inconsistent `a` is sound for **eager**, unsound for **lazy**


Panic! Now what?
---------------

<div class="fragment">
**Solution** 

Assign *non-trivial* refinements to *non-diverging* terms!
</div>

<br>

<div class="fragment">
**Harder Problem?**

Yikes, doesn't non-divergence mean tracking *permination?*
</div>

<br>

<div class="fragment">
**Relax**

Its *easy* ... since we have *refinements*! [[continue...]](10_Termination.lhs.slides.html)
</div>

<br>