Mlw_expr: fix potentially unsound pattern matching in programs

split the ppat_ghost field in program patterns into two distinct
conditions:
- ppat_ghost, indicating that the pattern starts as ghost,
  meaning that all variables in it are ghost, too;
- ppat_fail, meaning that the pattern contains a refutable
  ghost subpattern, which makes the match in the extracted code
  impossible, which makes the whole match expression ghost.

Until now, the two conditions were disjunctively combined, making
admissible the invalid pattern matching in bench/p/b-d/ghost4.mlw.