123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668(**************************************************************************)(* *)(* OCaml *)(* *)(* Gabriel Scherer, projet Parsifal, INRIA Saclay *)(* Rodolphe Lepigre, projet Deducteam, INRIA Saclay *)(* *)(* Copyright 2018 Institut National de Recherche en Informatique et *)(* en Automatique. *)(* *)(* All rights reserved. This file is distributed under the terms of *)(* the GNU Lesser General Public License version 2.1, with the *)(* special exception on linking described in the file LICENSE. *)(* *)(**************************************************************************)openTypestypetype_definition=type_declaration(* We should use 'declaration' for interfaces, and 'definition' for
implementations. The name type_declaration in types.ml is improper
for our usage -- although for OCaml types the declaration and
definition languages are the same. *)(** assuming that a datatype has a single constructor/label with
a single argument, [argument_to_unbox] represents the
information we need to check the argument for separability. *)typeargument_to_unbox={argument_type:type_expr;result_type_parameter_instances:type_exprlist;(** result_type_parameter_instances represents the domain of the
constructor; usually it is just a list of the datatype parameter
('a, 'b, ...), but when using GADTs or constraints it could
contain arbitrary type expressions.
For example, [type 'a t = 'b constraint 'a = 'b * int] has
[['b * int]] as [result_type_parameter_instances], and so does
[type _ t = T : 'b -> ('b * int) t]. *)}(** Summarize the right-hand-side of a type declaration,
for separability-checking purposes. See {!structure} below. *)typetype_structure=|Synonymoftype_expr|Abstract|Open|Algebraic|Unboxedofargument_to_unboxletstructure:type_definition->type_structure=fundef->matchdef.type_kindwith|Type_open->Open|Type_abstract->beginmatchdef.type_manifestwith|None->Abstract|Sometype_expr->Synonymtype_exprend|(Type_record([{ld_type=ty;_}],Record_unboxed_)|Type_variant([{cd_args=Cstr_tuple[ty];_}],Variant_unboxed)|Type_variant([{cd_args=Cstr_record[{ld_type=ty;_}];_}],Variant_unboxed))->letparams=matchdef.type_kindwith|Type_variant([{cd_res=Someret_type}],_)->beginmatchget_descret_typewith|Tconstr(_,tyl,_)->tyl|_->assertfalseend|_->def.type_paramsinUnboxed{argument_type=ty;result_type_parameter_instances=params}|Type_record_|Type_variant_->Algebraictypeerror=|Non_separable_evarofstringoptionexceptionErrorofLocation.t*error(* see the .mli file for explanations on the modes *)moduleSep=Types.Separabilitytypemode=Sep.t=Ind|Sep|Deepsepletrank=Sep.rankletmax_mode=Sep.max(** If the type context [e(_)] imposes the mode [m] on its hole [_],
and the type context [e'(_)] imposes the mode [m'] on its hole [_],
then the mode on [_] imposed by the context composition [e(e'(_))]
is [compose m m'].
This operation differs from [max_mode]: [max_mode Ind Sep] is [Sep],
but [compose Ind Sep] is [Ind]. *)letcompose:mode->mode->mode=funm1m2->matchm1with|Deepsep->Deepsep|Sep->m2|Ind->Indtypetype_var={text:stringoption;(** the user name of the type variable, None for '_' *)id:int;(** the identifier of the type node (type_expr.id) of the variable *)}moduleTVarMap=Map.Make(structtypet=type_varletcomparev1v2=comparev1.idv2.idend)typecontext=modeTVarMap.tlet(++)=TVarMap.union(fun_m1m2->Some(max_modem1m2))letempty=TVarMap.empty(** [immediate_subtypes ty] returns the list of all the
immediate sub-type-expressions of [ty]. They represent the biggest
sub-components that may be extracted using a constraint. For
example, the immediate sub-type-expressions of [int * (bool * 'a)]
are [int] and [bool * 'a].
Smaller components are extracted recursively in [check_type]. *)letrecimmediate_subtypes:type_expr->type_exprlist=funty->(* Note: Btype.fold_type_expr is not suitable here:
- it does not do the right thing on Tpoly, iterating on type
parameters as well as the subtype
- it performs a shallow traversal of object types,
while our implementation collects all method types *)matchget_desctywith(* these are the important cases,
on which immediate_subtypes is called from [check_type] *)|Tarrow(_,ty1,ty2,_)->[ty1;ty2]|Ttuple(tys)->tys|Tpackage(_,fl)->(snd(List.splitfl))|Tobject(row,class_ty)->letclass_subtys=match!class_tywith|None->[]|Some(_,tys)->tysinimmediate_subtypes_object_rowclass_subtysrow|Tvariant(row)->immediate_subtypes_variant_row[]row(* the cases below are not called from [check_type],
they are here for completeness *)|Tnil|Tfield_->(* these should only occur under Tobject and not at the toplevel,
but "better safe than sorry" *)immediate_subtypes_object_row[]ty|Tlink_|Tsubst_->assertfalse(* impossible due to Ctype.repr *)|Tvar_|Tunivar_->[]|Tpoly(pty,_)->[pty]|Tconstr(_path,tys,_)->tysandimmediate_subtypes_object_rowaccty=matchget_desctywith|Tnil->acc|Tfield(_label,_kind,ty,rest)->letacc=ty::accinimmediate_subtypes_object_rowaccrest|_->ty::accandimmediate_subtypes_variant_rowaccdesc=letadd_subtypesacc=letadd_subtypeacc(_l,rf)=immediate_subtypes_variant_row_fieldaccrfinList.fold_leftadd_subtypeacc(row_fieldsdesc)inletadd_rowacc=letrow=row_moredescinmatchget_descrowwith|Tvariantmore->immediate_subtypes_variant_rowaccmore|_->row::accinadd_row(add_subtypesacc)andimmediate_subtypes_variant_row_fieldaccf=matchrow_field_reprfwith|Rpresent(None)|Rabsent->acc|Rpresent(Some(ty))->ty::acc|Reither(_,field_types,_)->List.rev_appendfield_typesaccletfree_variablesty=Ctype.free_variablesty|>List.map(funty->matchget_desctywithTvartext->{text;id=get_idty}|_->(* Ctype.free_variables only returns Tvar nodes *)assertfalse)(** Coinductive hypotheses to handle equi-recursive types
OCaml allows infinite/cyclic types, such as
(int * 'a) as 'a
whose infinite unfolding is (int * (int * (int * (int * ...)))).
Remark: this specific type is only accepted if the -rectypes option
is passed, but such "equi-recursive types" are accepted by
default if the cycle goes through an object type or polymorphic
variant type:
[ `int | `other of 'a ] as 'a
< head : int; rest : 'a > as 'a
We have to take those infinite types in account in our
separability-checking program: a naive implementation would loop
infinitely when trying to prove that one of them is Deepsep.
After type-checking, the cycle-introducing form (... as 'a) does
not appear explicitly in the syntax of types: types are graphs/trees
with cycles in them, and we have to use the type_expr.id field,
an identifier for each node in the graph/tree, to detect cycles.
We avoid looping by remembering the set of separability queries
that we have already asked ourselves (in the current
search branch). For example, if we are asked to check
(int * 'a) : Deepsep
our algorithm will check both (int : Deepsep) and ('a : Deepsep),
but it will remember in these sub-checks that it is in the process
of checking (int * 'a) : Deepsep, adding it to a list of "active
goals", or "coinductive hypotheses".
Each new sub-query will start by checking whether the query
already appears as a coinductive hypothesis; in our example, this
can happen if 'a and (int * 'a) are in fact the same node in the
cyclic tree. In that case, we return immediately (instead of looping):
we reason that, assuming that 'a is indeed Deepsep, then it is
the case that (int * 'a) is also Deepsep.
This kind of cyclic reasoning can be dangerous: it would be wrong
to argue that an arbitrary 'a type is Deepsep by saying:
"assuming that 'a is Deepsep, then it is the case that 'a is
also Deepsep". In the first case, we made an assumption on 'a,
and used it on a type (int * 'a) which has 'a as a strict sub-component;
in the second, we use it on the same type 'a directly, which is invalid.
Now consider a type of the form (('a t) as 'a): while 'a is a sub-component
of ('a t), it may still be wrong to reason coinductively about it,
as ('a t) may be defined as (type 'a t = 'a).
When moving from (int * 'a) to a subcomponent (int) or ('a), we
say that the coinductive hypothesis on (int * 'a : m) is "safe":
it can be used immediately to prove the subcomponents, because we
made progress moving to a strict subcomponent (we are guarded
under a computational type constructor). On the other hand, when
moving from ('a t) to ('a), we say that the coinductive hypothesis
('a t : m) is "unsafe" for the subgoal, as we don't know whether
we have made strict progress. In the general case, we keep track
of a set of safe and unsafe hypotheses made in the past, and we
use them to terminate checking if we encounter them again,
ensuring termination.
If we encounter a (ty : m) goal that is exactly a safe hypothesis,
we terminate with a success. In fact, we can use mode subtyping here:
if (ty : m') appears as a hypothesis with (m' >= m), then we would
succeed for (ty : m'), so (ty : m) should succeed as well.
On the other hand, if we encounter a (ty : m) goal that is an
*unsafe* hypothesis, we terminate the check with a failure. In this case,
we cannot work modulo mode subtyping: if (ty : m') appears with
(m' >= m), then the check (ty : m') would have failed, but it is still
possible that the weaker current query (ty : m) would succeed.
In usual coinductive-reasoning systems, unsafe hypotheses are turned
into safe hypotheses each time strict progress is made (for each
guarded sub-goal). Consider ((int * 'a) t as 'a : deepsep) for example:
the idea is that the ((int * 'a) t : deepsep) hypothesis would be
unsafe when checking ((int * 'a) : deepsep), but that the progress
step from (int * 'a : deepsep) to ('a : deepsep) would turn all
past unsafe hypotheses into safe hypotheses. There is a problem
with this, though, due to constraints: what if (_ t) is defined as
type 'b t = 'a constraint 'b = (int * 'a)
?
In that case, then 'a is precisely the one-step unfolding
of the ((int * 'a) t) definition, and it would be an invalid,
cyclic reasoning to prove ('a : deepsep) from the now-safe
hypothesis ((int * 'a) t : deepsep).
Surprisingly-fortunately, we have exactly the information we need
to know whether (_ t) may or may not pull a constraint trick of
this nature: we can look at its mode signature, where constraints
are marked by a Deepsep mode. If we see Deepsep, we know that a
constraint exists, but we don't know what the constraint is:
we cannot tell at which point, when decomposing the parameter type,
a sub-component can be considered safe again. To model this,
we add a third category of co-inductive hypotheses: to "safe" and
"unsafe" we add the category of "poison" hypotheses, which remain
poisonous during the remaining of the type decomposition,
even in presence of safe, computational types constructors:
- when going under a computational constructor,
"unsafe" hypotheses become "safe"
- when going under a constraining type (more precisely, under
a type parameter that is marked Deepsep in the mode signature),
"unsafe" hypotheses become "poison"
The mode signature tells us even a bit more: if a parameter
is marked "Ind", we know that the type constructor cannot unfold
to this parameter (otherwise it would be Sep), so going under
this parameter can be considered a safe/guarded move: if
we have to check (foo t : m) with ((_ : Ind) t) in the signature,
we can recursively check (foo : Ind) with (foo t : m) marked
as "safe", rather than "unsafe".
*)moduleTypeMap=Btype.TypeMapmoduleModeSet=Set.Make(Types.Separability)typecoinductive_hyps={safe:ModeSet.tTypeMap.t;unsafe:ModeSet.tTypeMap.t;poison:ModeSet.tTypeMap.t;}moduleHyps:sigtypet=coinductive_hypsvalempty:tvaladd:type_expr->mode->t->tvalguard:t->tvalpoison:t->tvalsafe:type_expr->mode->t->boolvalunsafe:type_expr->mode->t->boolend=structtypet=coinductive_hypsletempty={safe=TypeMap.empty;unsafe=TypeMap.empty;poison=TypeMap.empty;}letof_opt=function|Somems->ms|None->ModeSet.emptyletmergemap1map2=TypeMap.merge(fun_kms1ms2->Some(ModeSet.union(of_optms1)(of_optms2)))map1map2letguard{safe;unsafe;poison;}={safe=mergesafeunsafe;unsafe=TypeMap.empty;poison;}letpoison{safe;unsafe;poison;}={safe;unsafe=TypeMap.empty;poison=mergepoisonunsafe;}letaddtymhyps=letm_map=TypeMap.singletonty(ModeSet.singletonm)in{hypswithunsafe=mergem_maphyps.unsafe;}letfindtymap=tryTypeMap.findtymapwithNot_found->ModeSet.emptyletsafetymhyps=matchModeSet.max_elt_opt(findtyhyps.safe)with|None->false|Somebest_safe->rankbest_safe>=rankmletunsafetym{safe=_;unsafe;poison}=letin_maps=ModeSet.memm(findtys)inList.existsin_map[unsafe;poison]end(** For a type expression [ty] (without constraints and existentials),
any mode checking [ty : m] is satisfied in the "worse case" context
that maps all free variables of [ty] to the most demanding mode,
Deepsep. *)letworst_casety=letaddctxtvar=TVarMap.addtvarDeepsepctxinList.fold_leftaddTVarMap.empty(free_variablesty)(** [check_type env sigma ty m] returns the most permissive context [gamma]
such that [ty] is separable at mode [m] in [gamma], under
the signature [sigma]. *)letcheck_type:Env.t->type_expr->mode->context=funenvtym->letreccheck_typehypstym=ifHyps.safetymhypsthenemptyelseifHyps.unsafetymhypsthenworst_casetyelselethyps=Hyps.addtymhypsinmatch(get_descty,m)with(* Impossible case due to the call to [Ctype.repr]. *)|(Tlink_,_)->assertfalse(* Impossible case (according to comment in [typing/types.mli]. *)|(Tsubst(_),_)->assertfalse(* "Indifferent" case, the empty context is sufficient. *)|(_,Ind)->empty(* Variable case, add constraint. *)|(Tvar(alpha),m)->TVarMap.singleton{text=alpha;id=get_idty}m(* "Separable" case for constructors with known memory representation. *)|(Tarrow_,Sep)|(Ttuple_,Sep)|(Tvariant(_),Sep)|(Tobject(_,_),Sep)|((Tnil|Tfield_),Sep)|(Tpackage(_,_),Sep)->empty(* "Deeply separable" case for these same constructors. *)|(Tarrow_,Deepsep)|(Ttuple_,Deepsep)|(Tvariant(_),Deepsep)|(Tobject(_,_),Deepsep)|((Tnil|Tfield_),Deepsep)|(Tpackage(_,_),Deepsep)->lettys=immediate_subtypestyinleton_subtypecontextty=context++check_type(Hyps.guardhyps)tyDeepsepinList.fold_lefton_subtypeemptytys(* Polymorphic type, and corresponding polymorphic variable.
In theory, [Tpoly] (forall alpha. tau) would add a new variable
(alpha) in scope, check its body (tau) recursively, and then
remove the new variable from the resulting context. Because the
rule accepts any mode for this variable, the removal never
fails.
In practice the implementation is simplified by ignoring the
new variable, and always returning the [empty] context
(instead of (alpha : m) in the [Tunivar] case: the constraint
on the variable is removed/ignored at the variable occurrence
site, rather than at the variable-introduction site. *)(* Note: that we are semantically incomplete in the Deepsep case
(following the syntactic typing rules): the semantics only
requires that *closed* sub-type-expressions be (deeply)
separable; sub-type-expressions containing the quantified
variable cannot be extracted by constraints (this would be
a scope violation), so they could be ignored if they occur
under a separating type constructor. *)|(Tpoly(pty,_),m)->check_typehypsptym|(Tunivar(_),_)->empty(* Type constructor case. *)|(Tconstr(path,tys,_),m)->letmsig=(Env.find_typepathenv).type_separabilityinleton_paramcontext(ty,m_param)=lethyps=matchm_paramwith|Ind->Hyps.guardhyps|Sep->hyps|Deepsep->Hyps.poisonhypsincontext++check_typehypsty(composemm_param)inList.fold_lefton_paramempty(List.combinetysmsig)incheck_typeHyps.emptytymletbest_msigdecl=List.map(fun_->Ind)decl.type_paramsletworst_msigdecl=List.map(fun_->Deepsep)decl.type_params(** [msig_of_external_type decl] infers the mode signature of an
abstract/external type. We must assume the worst, namely that this
type may be defined as an unboxed algebraic datatype imposing deep
separability of its parameters.
One exception is when the type is marked "immediate", which
guarantees that its representation is only integers. Immediate
types are always separable, so [Ind] suffices for their
parameters.
Note: this differs from {!Types.Separability.default_signature},
which does not have access to the declaration and its immediacy. *)letmsig_of_external_typedecl=matchdecl.type_immediatewith|Always|Always_on_64bits->best_msigdecl|Unknown->worst_msigdecl(** [msig_of_context ~decl_loc constructor context] returns the
separability signature of a single-constructor type whose
definition is valid in the mode context [context].
Note: A GADT constructor introduces existential type variables, and
may also introduce some equalities between its return type
parameters and type expressions containing universal and
existential variables. In other words, it introduces new type
variables in scope, and restricts existing variables by adding
equality constraints.
[msig_of_context] performs the reverse transformation: the context
[ctx] computed from the argument of the constructor mentions
existential variables, and the function returns a context over the
(universal) type parameters only. (Type constraints do not
introduce existential variables, but they do introduce equalities;
they are handled as GADTs equalities by this function.)
The transformation is separability-preserving in the following
sense: for any valid instance of the result mode signature
(replacing the universal type parameters with ground types
respecting the variable's separability mode), any possible
extension of this context instance with ground instances for the
existential variables of [parameter] that respects the equation
constraints will validate the separability requirements of the
modes in the input context [ctx].
Sometimes no such universal context exists, as an existential type
cannot be safely introduced, then this function raises an [Error]
exception with a [Non_separable_evar] payload. *)letmsig_of_context:decl_loc:Location.t->parameters:type_exprlist->context->Sep.signature=fun~decl_loc~parameterscontext->lethandle_equation(acc,context)param_instance=(* In the theory, GADT equations are of the form
('a = <ty>)
for each type parameter 'a of the type constructor. For each
such equation, we should "strengthen" the current context in
the following way:
- if <ty> is another variable 'b,
the mode of 'a is set to the mode of 'b,
and 'b is set to Ind
- if <ty> is a type expression whose variables are all Ind,
set 'a to Ind and discard the equation
- otherwise (one of the variable of 'b is not Ind),
set 'a to Deepsep and set all variables of <ty> to Ind
In practice, type parameters are determined by their position
in a list, they do not necessarily have a corresponding type variable.
Instead of "setting 'a" in the context as in the description above,
we build a list of modes by repeated consing into
an accumulator variable [acc], setting existential variables
to Ind as we go. *)letgetcontextvar=tryTVarMap.findvarcontextwithNot_found->Indinletset_indcontextvar=TVarMap.addvarIndcontextinletis_indcontextvar=matchgetcontextvarwith|Ind->true|Sep|Deepsep->falseinmatchget_descparam_instancewith|Tvartext->letvar={text;id=get_idparam_instance}in(getcontextvar)::acc,(set_indcontextvar)|_->letinstance_exis=free_variablesparam_instanceinifList.for_all(is_indcontext)instance_existhenInd::acc,contextelseDeepsep::acc,List.fold_leftset_indcontextinstance_exisinletmode_signature,context=let(mode_signature_rev,ctx)=List.fold_lefthandle_equation([],context)parametersin(* Note: our inference system is not principal, because the
inference result depends on the order in which those
equations are processed. (To our knowledge this is the only
source of non-principality.) If two parameters ('a, 'b) are
forced to be equal to each other, and also separable, then
either modes (Sep, Ind) and (Ind, Sep) are correct, allow
more declarations than (Sep, Sep), but (Ind, Ind) would be
unsound.
Such a non-principal example is the following:
type ('a, 'b) almost_eq =
| Almost_refl : 'c -> ('c, 'c) almost_eq
(This example looks strange: GADT equations are typically
either on only one parameter, or on two parameters that are
not used to classify constructor arguments. Indeed, we have
not found non-principal declarations in real-world code.)
In a non-principal system, it is important the our choice of
non-unique solution be at least predictable. We find it more
natural, when either ('a : Sep, 'b : Ind) and ('a : Ind,
'b : Sep) are correct because 'a = 'b, to choose to make the
first/leftmost parameter more constrained. We read this as
saying that 'a must be Sep, and 'b = 'a so 'b can be
Ind. (We define the second parameter as equal of the first,
already-seen parameter; instead of saying that the first
parameter is equal to the not-yet-seen second one.)
This is achieved by processing the equations from left to
right with List.fold_left, instead of using
List.fold_right. The code is slightly more awkward as it
needs a List.rev on the accumulated modes, but it gives
a more predictable/natural (non-principal) behavior.
*)(List.revmode_signature_rev,ctx)in(* After all variables determined by the parameters have been set to Ind
by [handle_equation], all variables remaining in the context are
purely existential and should not require a stronger mode than Ind. *)letcheck_existentialevarmode=ifrankmode>rankIndthenraise(Error(decl_loc,Non_separable_evarevar.text))inTVarMap.itercheck_existentialcontext;mode_signature(** [check_def env def] returns the signature required
for the type definition [def] in the typing environment [env].
The exception [Error] is raised if we discover that
no such signature exists -- the definition will always be invalid.
This only happens when the definition is marked to be unboxed. *)letcheck_def:Env.t->type_definition->Sep.signature=funenvdef->matchstructuredefwith|Abstract->msig_of_external_typedef|Synonymtype_expr->check_typeenvtype_exprSep|>msig_of_context~decl_loc:def.type_loc~parameters:def.type_params|Open|Algebraic->best_msigdef|Unboxedconstructor->check_typeenvconstructor.argument_typeSep|>msig_of_context~decl_loc:def.type_loc~parameters:constructor.result_type_parameter_instancesletcompute_declenvdecl=ifConfig.flat_float_arraythencheck_defenvdeclelse(* Hack: in -no-flat-float-array mode, instead of always returning
[best_msig], we first compute the separability signature --
falling back to [best_msig] if it fails.
This discipline is conservative: it never
rejects -no-flat-float-array programs. At the same time it
guarantees that, for any program that is also accepted
in -flat-float-array mode, the same separability will be
inferred in the two modes. In particular, the same .cmi files
and digests will be produced.
Before we introduced this hack, the production of different
.cmi files would break the build system of the compiler itself,
when trying to build a -no-flat-float-array system from
a bootstrap compiler itself using -flat-float-array. See #9291.
*)trycheck_defenvdeclwith|Error_->(* It could be nice to emit a warning here, so that users know
that their definition would be rejected in -flat-float-array mode *)best_msigdecl(** Separability as a generic property *)typeprop=Types.Separability.signatureletproperty:(prop,unit)Typedecl_properties.property=letopenTypedecl_propertiesinleteqts1ts2=List.lengthts1=List.lengthts2&&List.for_all2Sep.eqts1ts2inletmerge~prop:_~new_prop=(* the update function is monotonous: ~new_prop is always
more informative than ~prop, which can be ignored *)new_propinletdefaultdecl=best_msigdeclinletcomputeenvdecl()=compute_declenvdeclinletupdate_decldecltype_separability={declwithtype_separability}inletcheck_env_id_decl()=()in(* FIXME run final check? *){eq;merge;default;compute;update_decl;check;}(* Definition using the fixpoint infrastructure. *)letupdate_declsenvdecls=Typedecl_properties.compute_property_noreqpropertyenvdecls