\begin{code}
module Laziness where
import Language.Haskell.Liquid.Prelude
{-@ LIQUID "--no-termination" @-}
safeDiv :: Int -> Int -> Int
foo :: Int -> Int
-- zero :: Int
-- diverge :: a -> b
\end{code}
Lazy Evaluation?
----------------
Lazy Evaluation
===============
SMT based Verification
----------------------
Techniques developed for **strict** languages
Back To the Beginning
---------------------
\begin{code}
{-@ safeDiv :: _ -> {v:_ |v /= 0} -> Int @-}
safeDiv n 0 = liquidError "div-by-zero!"
safeDiv n d = n `div` d
\end{code}
Should only call `safeDiv` with **non-zero** values
An Innocent Function
--------------------
`foo` returns a value **strictly less than** input.
\begin{spec}
{-@ foo :: n:Nat -> {v:Nat | v < n} @-}
foo n
| n > 0 = n - 1
| otherwise = foo n
\end{spec}
LiquidHaskell Lies!
-------------------
\begin{code}
{-@ foo :: n:Nat -> {v:Nat | v < n} @-}
foo n
| n > 0 = n - 1
| otherwise = foo n
explode = let z = 0
a = foo z
in
(\x -> 2014 `safeDiv` z) a
\end{code}
Why is this program **deemed safe**?!
*Is Safe* With Eager Eval
-------------------------
\begin{spec}
{-@ foo :: n:Nat -> {v:Nat | v < n} @-}
foo n
| n > 0 = n - 1
| otherwise = foo n
explode = let z = 0 -- :: {v:Int| v = 0}
a = foo z -- :: {v:Nat| v < z}
in
(\x -> 2014 `safeDiv` z) a
\end{spec}
**Safe** in Java, ML: program **never hits** divide-by-zero
*Unsafe* With Lazy Eval
-----------------------
\begin{spec}
{-@ foo :: n:Nat -> {v:Nat | v < n} @-}
foo n
| n > 0 = n - 1
| otherwise = foo n
explode = let z = 0 -- :: {v:Int| v = 0}
a = foo z -- :: {v:Nat| v < z}
in
(\x -> 2014 `safeDiv` z) a
\end{spec}
**Unsafe** in Haskell: skips `foo z` **hits** divide-by-zero!
Problem: Divergence
-------------------
What is denoted by:
$$ e :: \reft{v}{\Int}{p}$$
$e$ evaluates to $\Int$ that satisfies $p$
or
**diverges**!
Classical Floyd-Hoare notion of [partial correctness](http://en.wikipedia.org/wiki/Hoare_logic#Partial_and_total_correctness)
Problem: Divergence
-------------------
\begin{spec} **Consider**
{-@ e :: {v : Int | P} @-}
let x = e in body
\end{spec}
**Eager Evaluation**
*Can* assume `P(x)` when checking `body`
**Lazy Evaluation**
*Cannot* assume `P(x)` when checking `body`
Eager vs. Lazy Binders
----------------------
\begin{spec}
{-@ foo :: n:Nat -> {v:Nat | v < n} @-}
foo n
| n > 0 = n - 1
| otherwise = foo n
explode = let z = 0 -- :: {v:Int| v = 0}
a = foo z -- :: {v:Nat| v < z}
in
(\x -> 2014 `safeDiv` z) a
\end{spec}
Inconsistent `a` is sound for **eager**, unsound for **lazy**
Panic! Now what?
---------------
**Solution**
Assign *non-trivial* refinements to *non-diverging* terms!
**Harder Problem?**
Yikes, doesn't non-divergence mean tracking *permination?*
**Relax**
Its *easy* ... since we have *refinements*! [[continue...]](10_Termination.lhs.slides.html)