Internal.Ensures and Internal.MayReturn #
Internal.Ensures p x characterizes the postconditions of a monadic action x: it
holds iff every value returned by x satisfies p. The witness is a Subtype-refined
action y : m {a // p a} that is bind-faithful w.r.t. x.
Internal.MayReturn x a is the strongest postcondition of x evaluated at a:
a is in every postcondition of x ↔ a is reachable as a value of x.