Introduces F_all2, which allows us to have
a proper stateless precondition in corres_mapM_list_all2
(has access to all introduced goal parameters).
With it comes the implicit assumption that the generated
condition can be phrased as a per-element property (although
it may talk about the list as a whole).
* rules for when the state relation is Id.
* rules for modify
* trivial return relations over units (i.e. = or dc) are now always weakened into a schematic
This removes corres_choice in favour of making corres_rv smarter.
Now corres_rv can propagate a stateless condition, and the new
corres_rv method (called from corres) tries to push the generated
obligation into the appropriate place (stateless, left or right
precondition) based on which variables it discusses.
This avoids most cases where the corres_rv_wp_left/right or
corres_rv_defer rules needed to be specified manually.
The new "corres_choice_true" and "corres_choice_false" constants
represent a deferred choice for how to propagate a generated
stateless precondition. If possible, we would prefer to do so
via the outermost stateless precondition, since it has access
to all green variables. Importantly, corres_rv_defer_left/right
are subsumed by the more general corres_rv_defer.
Also, we introduce alternative wp_comb rules which introduce
a corres_inst_eq goal, rather than a raw meta-implication. This
is to avoid cases where the existing wp_comb methods would incorrectly
introduce schematic assumptions, resulting in unprovable goals. This
allows for more carefully controlling unification in cases where
the precondition of a Hoare triple doesn't have access to all
necessary green variables.