0. define Map.map 'a 'b as an alias 'a -> 'b
1. define Set.set as an alias for 'a -> bool
2. rename HighOrd.func to (->)
3. remove HighOrd.pred
4. update drivers

except for modules/impset.mlw (because of Fset) and modules/mach/*
(because of program cloning), the standard library now typechecks.

This is still very much the work in progress. Many functions and
predicates have still to be converted to "let function" and
"let predicate". Here are some TODOs:
- do not require the return type for "val predicate", "val lemma", etc.
- do not require explicit variant for "let rec" if the code passes
  the termination check in Decl (see list.why)
- what should become "val ghost function" and what should stay just
  "function" (see array.mlw, matrix.mlw, string.mlw, etc)?
- some defined functions in algebra.why and relations.why had to be
  removed, so that they can be implemented with "let function" in
  int.mlw (since they are defined, they cannot be instantiated with
  let-functions). This seems too restrictive. One way out would be
  to authorise instantiation of defined functions (with a VC).
- should we keep the keyword "model"? reuse of "abstract" in types
  breaks syntax coloring ("abstract" requires closing "end" in
  programs but not in types; maybe we can drop that "end" again?).

In programs, we do not really care about unnamed typed variables,
and it is convenient to write ((fun s _ -> s) : int -> bool -> int)
in logical terms.

the previous commit loses information when the target type symbol
is an existing type alias. This commit preserves symbol-to-symbol
instances.

this removes the ugly hack of creating an ad-hoc type alias symbol
for substitutions like "clone T with type t 'a = list (int, 'a)".

If a type symbol "t1 'a 'b 'c" is instantiated into a type of the
form "t2 'a 'b 'c", then the metas that mention the type symbol "t1"
are preserved, and "t1" is replaced with "t2". Otherwise, all such
metas disappear in the cloned theory.

This is a one-call function that exports add_clone_unsafe to Pmodule,
allowing it to add Clone declarations to underlying theories without
additional checks.

up to this point, we used Clone declarations with an empty substitution
to represent use of theories in tasks. The intention was to stress the
fact that the imported declarations are physically present in the task
and thus are followed by a "witness" Clone declaration (whereas a Use
inside a theory acts rather as a pointer to follow).

However, this encoding requires the clone substitution to cover every
locally defined symbol: otherwise we might not be able to distinguish
a use from a clone. Therefore, we had to clone even Pgoal propositions
as Pskip, in order to keep the substitutions complete.

This commit restricts the Clone declarations in tasks to actual
theory cloning, and represents theory use with Use declarations.
This hopefully makes the API more clear, and will allow us to
abolish Pskip.

in this version, we reconstruct and scan the mutable fields of all
regions that occur in an assignment, independently on whether the
region is modified. This avoids a bug in the previous version where
the "left" and "right" subregion lists could have different length.
This also avoids a bug in the version before that, where an upper
region could have a shorter subregion list than one of its subregions.
It is possible to fix those issues in a more efficient manner, but this
seems to make code quite more complex for a non-existent practical gain.

This allows us to compute correctly the list of region arguments
in create_itysymbol_rich and create_itysymbol_alias, and also to
simplify definitions of eff_assign and eff_reset_overwritten.

Both ity_app and ity_pur produce Ityapp(s,tl,[]) when s
is a pure type such as int or list.

The effects now must satisfy the following invariants:

1. Every region in eff_writes, eff_taints, and eff_covers
   must occur in the type of some variable in eff_reads.

2. Both eff_taints and eff_covers are subsets of eff_writes.

3. eff_covers and eff_resets are disjoint.

4. Every region in eff_writes is either in eff_covers or
   is stale (according to Ity.reg_r_stale) and forbidden
   for the later use.

Also, this commit rewrites Ity.eff_assign and Ity.eff_strong
(renamed now to eff_reset_overwritten) to handle correctly
parallel assignments.

We need to be able to put quantifiers directly over the arguments
and the external reads, without having to reconstruct their values
with aliases.

Translate a chain of equivalences A <-> B <-> C into a conjunction
(A <-> B) /\ (B <-> C). Implication is weaker than equivalence when
it occurs to the left of it, and is forbidden at the right hand side.
In other words, A -> B <-> C <-> D is allowed and translated into
A -> ((B <-> C) /\ (C <-> D)), and A <-> B -> C is not allowed,
and requires explicit parentheses.

All infix operations in the weakest priority group (those containing
at least one of the characters '=', '<', '>', or '~') are considered
non-associative and the chains (t1 OP t2 OP t3) are translated into
conjunctions (t1 OP t2 /\ t2 OP t3).

This does not concern implication '->' and equivalence '<->'
which are right-associative. like the rest of propositional
connectives.

we are not going to use exceptions as first-class values any time soon