@loutr (Contributor) commented Sep 26, 2025

Right now, EasyCrypt refuses the definition

type 'a tree = [
  | Leaf of 'a
  | Children of 'a tree list
].

This is because the positivity checker refuses any occurrence of the datatype within the parameters of another type constructor (here, list). This PR changes the positivity check algorithm and allows such a definition. Please note that induction principle generation is left unchanged for now, and that the corresponding induction principles are not useful as-is (see note below).

Also, this PR includes some typo fixes. If the changes are considered too big, I can make them into a separate PR.


Note that there is some code duplication in the functions below because the current algorithm operates at two levels: first it evaluates, for a given path p (i.e. a type constructor in the AST), whether all its occurrences are positive. This requires, at a second level, evaluating whether all occurrences of type variables instantiated by p also appear strictly positively in the corresponding type constructor.

Future developments

Additionally, note that EasyCrypt allows declaring inductive types which change the order of their type parameters, e.g.:

type ('a, 'b) permlist = [
  | Nil
  | Cons of ('a * ('a, 'b) permlist)
  | Perm of ('b, 'a) permlist
].

These types may not be used right now in some positions, as doing so would make the check (potentially much) slower. In the future:

  • lift this restriction with a new implementation that uses some form of union find/constraint-solving structure in order to evaluate strict positivity for every type variable of the constructor, and store the resulting list/array in its definition. This would also make the check faster in general, as type declarations would only need to be traversed once, when they are being defined;
  • maybe remove the corresponding inductive principle for these types. Also, provide a correct induction principle for simpler types (e.g. tree defined above).
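The two-level check the description outlines, as an added example that is not EasyCrypt's code: a small strict-positivity checker over a constructed type-expression AST (TVar/TCon/TArrow and the DECLS table are assumptions made here). It accepts a recursive occurrence under another constructor's parameter only when that parameter is itself strictly positive in that constructor's declaration, and, matching the restriction noted above, rejects non-uniform self-occurrences conservatively.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TVar: name: str                     # type variable
@dataclass(frozen=True)
class TCon: name: str; args: tuple = ()   # type constructor applied to arguments
@dataclass(frozen=True)
class TArrow: dom: object; cod: object    # function type
A = TVar("a")
# Constructed declarations: name -> (parameter names, per-constructor argument types).
DECLS = {
    "list": (("a",), [[], [A, TCon("list", (A,))]]),
    "tree": (("a",), [[A], [TCon("list", (TCon("tree", (A,)),))]]),  # the PR's example
    "fn":   (("a",), [[TArrow(A, TCon("unit"))]]),                    # 'a left of an arrow
    "bad":  (("a",), [[TCon("fn", (TCon("bad", (A,)),))]]),          # bad sits under fn's 'a
    "neg":  (("a",), [[TArrow(TCon("neg", (A,)), A)]]),               # classic negative occurrence
}

def mentions(t, target):  # target is ("var", name) or ("con", name)
    if isinstance(t, TVar):
        return target == ("var", t.name)
    if isinstance(t, TArrow):
        return mentions(t.dom, target) or mentions(t.cod, target)
    return target == ("con", t.name) or any(mentions(a, target) for a in t.args)

def positive(t, target, owner, stack):
    """Every occurrence of target in t is strictly positive (owner: declaring datatype)."""
    if not mentions(t, target) or isinstance(t, TVar):
        return True
    if isinstance(t, TArrow):  # nothing may occur left of an arrow
        return not mentions(t.dom, target) and positive(t.cod, target, owner, stack)
    if t.name == owner:  # recursive occurrence of the datatype being declared
        if target[0] == "con":
            return not any(mentions(a, target) for a in t.args)
        return t.args == tuple(TVar(p) for p in DECLS[owner][0])  # uniform only, for now
    # Second level: an occurrence inside another constructor's parameter is fine only
    # if that parameter is strictly positive in that constructor's own declaration.
    return all(param_positive(t.name, i, stack) and positive(a, target, owner, stack)
               for i, a in enumerate(t.args) if mentions(a, target))

def param_positive(con, i, stack=frozenset()):
    """Is parameter i of datatype con strictly positive in con's own constructors?"""
    if con not in DECLS or (con, i) in stack:
        return False  # abstract type or cycle: reject conservatively
    params, ctors = DECLS[con]
    return all(positive(t, ("var", params[i]), con, stack | {(con, i)})
               for ctor in ctors for t in ctor)

def datatype_positive(name):  # the check run on a declaration
    return all(positive(t, ("con", name), name, frozenset())
               for ctor in DECLS[name][1] for t in ctor)
```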

@loutr force-pushed the positivity-check-in-type-constructors branch from c2a3f9b to 2756f6e on September 26, 2025 11:58
@loutr force-pushed the positivity-check-in-type-constructors branch from 2756f6e to d1f0eff on September 26, 2025 12:00