[borrow v2] Alternative design sketch using a checked reference types

[wrwg]

This sketches an alternative design to #835 based on new types global::Ref<T> and global::RefMut<T>. Those types are considered to be known to the compiler, but some checking is defererred to runtime.

I'm not sure yet whether this design is correct, but I think it points at least in the right direction.

[wrwg]

@chen-robert

[chen-robert]

Minor typo nit, I think ref_mut has an extra reference on rc right?

public native fun ref_mut<T>(rc: &RefMut<T>): &mut T /* acquires T */;

should be public native fun ref_mut(rc: RefMut): &mut T / acquires T /;

I also wonder if it would make more sense to have these as bytecode instructions instead of native functions (keeping in mind that it would be a far more invasive change). It seems like, in order to add this functionality, there need to be large changes in the bytecode verifier. For example, the acquires semantics in the borrow checker and link-time checks for T ownership.

Also, I think T cannot be a runtime type generic right?