Important changes in the core semantics:
* Types extended with function types. Since function types are a special kind
  of pointer types, types now have an additional mutual part called "ptr_type".
* Pointers extended with function pointers. Theses are just names that refer
  to an actual function in the function environment.
* Typing environments extended to assign argument and return types to function
  names. Before we used a separate environment for these, but since the
  argument and return types are already needed to type function pointers, this
  environment would appear in pretty much every typing judgment.

As a side-effect, the frontend has been rewritten entirely. The important
changes are:

* Type checking of expressions is more involved: there is a special kind of
  expression type corresponding to a function designator.
* To handle things like block scoped extern function, more state-fullness was
  needed. To prepare for future extensions, the entire frontend now uses a
  state monad.

Type environments now describe alignment, this allows to:
* Prove properties about alignment, for example that bit offsets
  of addresses are always aligned.
* Support align_of expressions in the frontend.

addresses.

The operation "mem_force Γ m a" used to apply the identify function to
pricisely the object "a", even in case "a" is an "unsigned char" address
refering to an individual byte. This caused the ctree substructure of the
entire subobject to disappear and had the undesired effect that:

  mem_force Γ a m ⊑{Γ,true@Γm} m

failed to hold (i.e. unused reads cannot be removed).

* This behavior is "implementation defined" and can be turned on and off
  using the Boolean field "alloc_can_fail" of the class "Env".
* The expression "EAlloc" is now an r-value of pointer type instead of an
  l-value.
* The executable semantics for expressions is now non-deterministic. Hence,
  some proofs had to be revised.

Pointer equality is now defined using absolute object offsets. The treatment
is similar to CompCert:

* Equality of pointers in the same object is defined provided the object has
  not been deallocated.
* Equality of pointers in different objects is defined provided both pointers
  have not been deallocated and both are strict (i.e. not end-of-array).

Thus, pointer equality is defined for all pointers that are not-end-of-array
and have not been deallocated. The following examples have defined behavior:

  int x, y;
  printf("%d\n", &x == &y);
  int *p = malloc(sizeof(int)), *q = malloc(sizeof(int));
  printf("%d\n", p == q);
  struct S { int a; int b; } s, *r = &s;
  printf("%d\n", &s.a + 1 == &(r->b));

The following not:

  int x, y;
  printf("%d\n", &x + 1 == &y);

The refinement relation on addresses allows union references to be refined:

  (β2 → β1) → RUnion i s β1 ⊆ RUnion i s β2

The result is that frozen values are below their unfrozen variant, which made
it possible to prove that constant propagation (see constant_propagation.v) can
be performed on the level of the memory model.

Integers with the same size, are no longer supposed to have the same rank. As a
result, the C integer types (char, short, int, long, long long) are different
(and thus cannot alias) even if they have the same size. We now have to use a
more involved definition of integer promotions and usual arithmetic conversions.
However, this new definition follows the C standard literally.

The proof now uses the stronger notion of memory permutation instead of a more
general memory refinement. We have also proven that memory permutations are
symmetric.

Memory refinements now carry a boolean parameter that has the following
meaning:

[false] : Behave like a simple renaming of memories that merely allows to
          permute object identifiers. It does not allow to refine memories
          into a more defined version.
[true]  : Behave like before. Objects can be injected, and memory contents can
          be refined into a more defined variant.

We make refinements parametric in these two variant to avoid code duplication,
and because the [false] variant is a special case of the [true] variant.

For completeness of the executable semantics, we now use the [false] variant.

Also better error messages if a constant expression is expected.

Now it only performs injection on hypotheses of the shape f .. = f ..

memory instead of the whole memory itself.

This has the following advantages:
* Avoid parametrization in {addresses,pointers,pointer_bits,bits}.v
* Make {base_values,values}.v independent of the memory, this makes better
  parallelized compilation possible.
* Allow small memories (e.g. singletons as used in separation logic) with
  addresses to objects in another part to be typed.
* Some proofs become easier, because the memory environments are preserved
  under many operations (insert, force, lock, unlock).

It also as the following disadvantages:
* At all kinds of places we now have explicit casts from memories to memory
  environments. This is kind of ugly. Note, we cannot declare memenv_of as a
  Coercion because it is non-uniform.
* It is a bit inefficient with respect to the interpreter, because memory
  environments are finite functions instead of proper functions, so calling
  memenv_of often (which we do) is not too good.

It is still rather slow, though.