Disabling custom function lookups in merge functions

[FTRobbin]

Merge functions are currently allowed to do arbitrary lookups. This is dangerous because these reads happening on the right-hand side or during rebuilding can observe inconsistent database states.

An example of custom function lookup in merge functions merge_read.egg:

(function foo () i64)
(function bar () i64 :merge (foo))
(set (bar) 0)
(fail (set (bar) 1)) ; fails because foo is undefined

An example of a merge function being called in rebuilding merge-during-rebuild.egg:

(datatype N (Node i64))
(function distance (N N) i64 :merge (min old new))

(let a (Node 0))
(let b (Node 1))
(let x (Node 2))
(let y (Node 3))
(set (distance x y) 1)
(set (distance a b) 2)

(union a x)
(union b y)

(run 1)
(check (= (distance x y) 1)) ; 1 and 2 are merged due to congruence

A weirder behavior is merge-saturates.egg, where calls to merge functions create new terms and prevent saturation.

We want to forbid the merge functions from calling custom functions.

A tentative plan is to apply the same restriction as #420. However, the details regarding treatments of relations in merge functions and allowing merge functions to panic are still up for discussion.