
Proto/Michelson: remove mutez underflow possibility in SUB

Context

Mutez underflow in the SUB instruction is one of the very few runtime exceptions of Michelson. Usually in Michelson runtime exceptions are avoided and the instructions that could have failed (for example EDIV on null divisor, CONTRACT on non-existing contract, UNPACK on ill-formed data) return None instead of failing, so the Michelson developer can recover in these cases.

This MR adds a new instruction called SUB_MUTEZ that is the same as SUB on mutez but returns option mutez instead of mutez. It also deprecates the mutez case of the SUB instruction (it is now restricted to legacy typechecking mode).
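As an added example (not part of this MR or the Tezos code base), the contract below shows the pattern the new instruction enables: it subtracts the two mutez amounts passed as parameter with SUB_MUTEZ and handles the None case explicitly instead of letting the operation fail at runtime. The saturating-to-zero recovery and the storage layout are this example's own choices.

```michelson
# Constructed example: saturating mutez subtraction using SUB_MUTEZ.
# Parameter: a pair (a, b) of mutez amounts.
# Storage:   the last computed result (a - b, or 0 mutez on underflow).
parameter (pair mutez mutez) ;
storage mutez ;
code { CAR ;                      # drop the old storage: stack is (pair a b)
       UNPAIR ;                   # stack is a : b
       SUB_MUTEZ ;                # option mutez: None when b > a, Some (a - b) otherwise
       IF_NONE
         { PUSH mutez 0 }         # underflow: recover with 0 instead of failing
         { } ;                    # Some case: keep the computed difference
       NIL operation ;
       PAIR }
```

With the legacy `SUB` instruction in place of `SUB_MUTEZ ; IF_NONE { PUSH mutez 0 } { }`, the same contract typechecks only in legacy mode and fails the whole operation whenever `b > a`; with `SUB_MUTEZ` the underflow becomes an ordinary `None` branch that the contract decides how to handle.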

Manually testing the MR

The important part to test is the backward-compatibility. To test it:

  • using the predecessor of Alpha originate two contracts that contain calls to the SUB instruction respectively in the mutez case and in another case,
  • migrate to Alpha,
  • check that interacting with the contract is still possible after the migration.

I think that a mockup migration is enough for this test.

Checklist

  • Document the interface of any function added or modified (see the coding guidelines)
  • Document any change to the user interface, including configuration parameters (see node configuration)
  • Provide automatic testing (see the testing guide).
  • For new features and bug fixes, add an item in the appropriate changelog (docs/protocols/alpha.rst for the protocol and the environment, the Development Version section of CHANGES.md for everything else).
  • Select suitable reviewers using the Reviewers field below.

Depends on !3078 (merged).

Edited by Raphaël Cauderlier
