GitLab

but forbid writing into these "confined" regions

this should not be problematic as long as these fields do not occur
in the invariants (actual or refined). In other words, a value of
a private type exists no matter what is stored in the field.

Also, admit non-private mutable types without actual mutable fields.
It is actually impossible to create a write effect for such types,
and the only consequence of being mutable is that they are assigned
a region, and so every value of such type can be tracked individually.
One use case for this is a non-private record with an invariant,
which either has fields with mutable types or has type parameters
that we wish to instantiate with mutable types. If we modify these
mutable components, this may break the record's invariant. Now, if
the record itself is immutable (and thus has no associated region),
then we must reestablish the invariant immediately, otherwise we
lose track of the value. Even if this extra flexibility does not
prove useful in the end, it seems to be harmless.

Also, admit type definitions of the form
  type t 'a = (private|abstract)? mutable? {} invariant*
which define private empty records (even if not declared private).

Also, "type t 'a" is now equivalent to "type t 'a = private {}".

[add_left] and [remove_left] are useful in left folds,
[contains] allows to use partial application in maps.

If we have a top-level total let-function definition and
no variants are supplied, then we expect the definition
to be terminating with respect to Decl.check_termination.

Conflicts:
	examples/schorr_waite.mlw

all operations on sequences are pure functions

pure functions are always ghost, accept mutable values,
and are required to produce pure results

This reverts commit b19660c9.
We prefer not having two syntaxes for the same thing.
(With the approval of Andrei, of course.)

The backslash symbol can be also used as a priority-3 infix operation.
The "fun .. -> .." syntax is also usable.

0. define Map.map 'a 'b as an alias 'a -> 'b
1. define Set.set as an alias for 'a -> bool
2. rename HighOrd.func to (->)
3. remove HighOrd.pred
4. update drivers

except for modules/impset.mlw (because of Fset) and modules/mach/*
(because of program cloning), the standard library now typechecks.

This is still very much the work in progress. Many functions and
predicates have still to be converted to "let function" and
"let predicate". Here are some TODOs:
- do not require the return type for "val predicate", "val lemma", etc.
- do not require explicit variant for "let rec" if the code passes
  the termination check in Decl (see list.why)
- what should become "val ghost function" and what should stay just
  "function" (see array.mlw, matrix.mlw, string.mlw, etc)?
- some defined functions in algebra.why and relations.why had to be
  removed, so that they can be implemented with "let function" in
  int.mlw (since they are defined, they cannot be instantiated with
  let-functions). This seems too restrictive. One way out would be
  to authorise instantiation of defined functions (with a VC).
- should we keep the keyword "model"? reuse of "abstract" in types
  breaks syntax coloring ("abstract" requires closing "end" in
  programs but not in types; maybe we can drop that "end" again?).