GitLab

For the previous behaviour (no import), write "use/clone T as T".

This shortens the most used "use/clone import" to simply "use/clone".

Type declarations for records (incuding the private records) can
now be followed by a "witness": a set of values for the record
fields that must satisfy the type invariant (if any). The fields
must be initialized with pure terminating program expressions.
The current syntax, proposed by Martin, is

    type t 'a = { f: ty1; g: ty2 }
      invariant { J[f,g] }
      by { f = e1; g = e2 }

The generated proof obligation is the VC for

    let g = e2 in let f = e1 in assert { J[f,g] }

In absence of an explicit witness, an existential proof obligation
"exists f,g. J[f,g]" is produced.

use "begin <spec> <expr_seq> end" instead. The word "abstract" is
now only used to declare a private type whose fields are all ghost.

The old syntax:   abstract expr [spec]...

The semicolon binds more loosely than "abstract" and
the specification clauses are optional, so that
"abstract e1; e2" is the same as "(abstract e1); e2"
and "abstract e1; e2; ensures {...}" is a syntax error.

The new syntax:   abstract [spec]... expr end

This allows to put sequences of expressions under "abstract"
without ambiguity and moves the specification clauses to the
beginning. In other words, "abstract" becomes a "begin" with
a specification attached. The spec-at-the-top is consistent
with the syntax of functions and the whole seems to be more
natural for the intented use of "abstract" (a logical cut).

also, require to list all write/read effects whenever
at least one is listed

fix hashtbl_impl, mergesort_queue, and unraveling_a_card_trick