GitLab

1. Strong region updates can only work with direct assignments, e.g.
     r.contents <- something_completely_different
   but not with functions such as (:=) : ref 'a -> 'a -> unit
   Why3 requires 'a to be instantiated with one concrete type,
   not with a bunch of types that differ in their regions.

2. Strong region updates will restrict the updated regions to their
   covers. However, in the current implementation, Why3 does not know
   if the region corresponding to the field "contents" is the only
   cover for 'a in the type [ref 'a] or if there is a way to retrieve
   'a from [ref 'a] without going through "contents". Therefore, to
   ensure soundness, a strong update of r.contents will forbid to
   use r itself. A solution consists in writing an adhoc "reference"
   type, where the mutable contents (O.t in this case) is explicitly
   given in the type definition. Then the strong update of the field
   containing O.t will preserve the covering "reference".

   This problem is fixed in the "new system", where mutable types
   carry information about the access paths of the type variables.
   There, "r.contents <- something_different" preserves r.

http://linuxtesting.org/astraver)

A child process (e.g. CVC4) might catch SIGXCPU. If it gets stuck then, it
won't consume any additional cpu time, so the system won't forcibly kill
it. So why3-cpulimit has to kill it.

Note that, if the system is overloaded, why3-cpulimit might kill the child
process before it has even reached its cpu time limit. Hopefully, the 60'
additional time will suffice in practice.