src/HOL/Library/RBT_Impl.thy
changeset 36147 b43b22f63665
parent 35618 b7bfd4cbcfc0
child 36176 3fe7e97ccca8
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/src/HOL/Library/RBT_Impl.thy	Thu Apr 15 12:27:14 2010 +0200
     1.3 @@ -0,0 +1,1084 @@
     1.4 +(*  Title:      RBT_Impl.thy
     1.5 +    Author:     Markus Reiter, TU Muenchen
     1.6 +    Author:     Alexander Krauss, TU Muenchen
     1.7 +*)
     1.8 +
     1.9 +header {* Implementation of Red-Black Trees *}
    1.10 +
    1.11 +theory RBT_Impl
    1.12 +imports Main
    1.13 +begin
    1.14 +
    1.15 +text {*
    1.16 +  For applications, you should use theory @{text RBT} which defines
    1.17 +  an abstract type of red-black tree obeying the invariant.
    1.18 +*}
    1.19 +
    1.20 +subsection {* Datatype of RB trees *}
    1.21 +
    1.22 +datatype color = R | B
    1.23 +datatype ('a, 'b) rbt = Empty | Branch color "('a, 'b) rbt" 'a 'b "('a, 'b) rbt"
    1.24 +
    1.25 +lemma rbt_cases:
    1.26 +  obtains (Empty) "t = Empty" 
    1.27 +  | (Red) l k v r where "t = Branch R l k v r" 
    1.28 +  | (Black) l k v r where "t = Branch B l k v r"
    1.29 +proof (cases t)
    1.30 +  case Empty with that show thesis by blast
    1.31 +next
    1.32 +  case (Branch c) with that show thesis by (cases c) blast+
    1.33 +qed
    1.34 +
    1.35 +subsection {* Tree properties *}
    1.36 +
    1.37 +subsubsection {* Content of a tree *}
    1.38 +
    1.39 +primrec entries :: "('a, 'b) rbt \<Rightarrow> ('a \<times> 'b) list"
    1.40 +where 
    1.41 +  "entries Empty = []"
    1.42 +| "entries (Branch _ l k v r) = entries l @ (k,v) # entries r"
    1.43 +
    1.44 +abbreviation (input) entry_in_tree :: "'a \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
    1.45 +where
    1.46 +  "entry_in_tree k v t \<equiv> (k, v) \<in> set (entries t)"
    1.47 +
    1.48 +definition keys :: "('a, 'b) rbt \<Rightarrow> 'a list" where
    1.49 +  "keys t = map fst (entries t)"
    1.50 +
    1.51 +lemma keys_simps [simp, code]:
    1.52 +  "keys Empty = []"
    1.53 +  "keys (Branch c l k v r) = keys l @ k # keys r"
    1.54 +  by (simp_all add: keys_def)
    1.55 +
    1.56 +lemma entry_in_tree_keys:
    1.57 +  assumes "(k, v) \<in> set (entries t)"
    1.58 +  shows "k \<in> set (keys t)"
    1.59 +proof -
    1.60 +  from assms have "fst (k, v) \<in> fst ` set (entries t)" by (rule imageI)
    1.61 +  then show ?thesis by (simp add: keys_def)
    1.62 +qed
    1.63 +
    1.64 +lemma keys_entries:
    1.65 +  "k \<in> set (keys t) \<longleftrightarrow> (\<exists>v. (k, v) \<in> set (entries t))"
    1.66 +  by (auto intro: entry_in_tree_keys) (auto simp add: keys_def)
    1.67 +
    1.68 +
    1.69 +subsubsection {* Search tree properties *}
    1.70 +
    1.71 +definition tree_less :: "'a\<Colon>order \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
    1.72 +where
    1.73 +  tree_less_prop: "tree_less k t \<longleftrightarrow> (\<forall>x\<in>set (keys t). x < k)"
    1.74 +
    1.75 +abbreviation tree_less_symbol (infix "|\<guillemotleft>" 50)
    1.76 +where "t |\<guillemotleft> x \<equiv> tree_less x t"
    1.77 +
    1.78 +definition tree_greater :: "'a\<Colon>order \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool" (infix "\<guillemotleft>|" 50) 
    1.79 +where
    1.80 +  tree_greater_prop: "tree_greater k t = (\<forall>x\<in>set (keys t). k < x)"
    1.81 +
    1.82 +lemma tree_less_simps [simp]:
    1.83 +  "tree_less k Empty = True"
    1.84 +  "tree_less k (Branch c lt kt v rt) \<longleftrightarrow> kt < k \<and> tree_less k lt \<and> tree_less k rt"
    1.85 +  by (auto simp add: tree_less_prop)
    1.86 +
    1.87 +lemma tree_greater_simps [simp]:
    1.88 +  "tree_greater k Empty = True"
    1.89 +  "tree_greater k (Branch c lt kt v rt) \<longleftrightarrow> k < kt \<and> tree_greater k lt \<and> tree_greater k rt"
    1.90 +  by (auto simp add: tree_greater_prop)
    1.91 +
    1.92 +lemmas tree_ord_props = tree_less_prop tree_greater_prop
    1.93 +
    1.94 +lemmas tree_greater_nit = tree_greater_prop entry_in_tree_keys
    1.95 +lemmas tree_less_nit = tree_less_prop entry_in_tree_keys
    1.96 +
    1.97 +lemma tree_less_eq_trans: "l |\<guillemotleft> u \<Longrightarrow> u \<le> v \<Longrightarrow> l |\<guillemotleft> v"
    1.98 +  and tree_less_trans: "t |\<guillemotleft> x \<Longrightarrow> x < y \<Longrightarrow> t |\<guillemotleft> y"
    1.99 +  and tree_greater_eq_trans: "u \<le> v \<Longrightarrow> v \<guillemotleft>| r \<Longrightarrow> u \<guillemotleft>| r"
   1.100 +  and tree_greater_trans: "x < y \<Longrightarrow> y \<guillemotleft>| t \<Longrightarrow> x \<guillemotleft>| t"
   1.101 +  by (auto simp: tree_ord_props)
   1.102 +
   1.103 +primrec sorted :: "('a::linorder, 'b) rbt \<Rightarrow> bool"
   1.104 +where
   1.105 +  "sorted Empty = True"
   1.106 +| "sorted (Branch c l k v r) = (l |\<guillemotleft> k \<and> k \<guillemotleft>| r \<and> sorted l \<and> sorted r)"
   1.107 +
   1.108 +lemma sorted_entries:
   1.109 +  "sorted t \<Longrightarrow> List.sorted (List.map fst (entries t))"
   1.110 +by (induct t) 
   1.111 +  (force simp: sorted_append sorted_Cons tree_ord_props 
   1.112 +      dest!: entry_in_tree_keys)+
   1.113 +
   1.114 +lemma distinct_entries:
   1.115 +  "sorted t \<Longrightarrow> distinct (List.map fst (entries t))"
   1.116 +by (induct t) 
   1.117 +  (force simp: sorted_append sorted_Cons tree_ord_props 
   1.118 +      dest!: entry_in_tree_keys)+
   1.119 +
   1.120 +
   1.121 +subsubsection {* Tree lookup *}
   1.122 +
   1.123 +primrec lookup :: "('a\<Colon>linorder, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"
   1.124 +where
   1.125 +  "lookup Empty k = None"
   1.126 +| "lookup (Branch _ l x y r) k = (if k < x then lookup l k else if x < k then lookup r k else Some y)"
   1.127 +
   1.128 +lemma lookup_keys: "sorted t \<Longrightarrow> dom (lookup t) = set (keys t)"
   1.129 +  by (induct t) (auto simp: dom_def tree_greater_prop tree_less_prop)
   1.130 +
   1.131 +lemma dom_lookup_Branch: 
   1.132 +  "sorted (Branch c t1 k v t2) \<Longrightarrow> 
   1.133 +    dom (lookup (Branch c t1 k v t2)) 
   1.134 +    = Set.insert k (dom (lookup t1) \<union> dom (lookup t2))"
   1.135 +proof -
   1.136 +  assume "sorted (Branch c t1 k v t2)"
   1.137 +  moreover from this have "sorted t1" "sorted t2" by simp_all
   1.138 +  ultimately show ?thesis by (simp add: lookup_keys)
   1.139 +qed
   1.140 +
   1.141 +lemma finite_dom_lookup [simp, intro!]: "finite (dom (lookup t))"
   1.142 +proof (induct t)
   1.143 +  case Empty then show ?case by simp
   1.144 +next
   1.145 +  case (Branch color t1 a b t2)
   1.146 +  let ?A = "Set.insert a (dom (lookup t1) \<union> dom (lookup t2))"
   1.147 +  have "dom (lookup (Branch color t1 a b t2)) \<subseteq> ?A" by (auto split: split_if_asm)
   1.148 +  moreover from Branch have "finite (insert a (dom (lookup t1) \<union> dom (lookup t2)))" by simp
   1.149 +  ultimately show ?case by (rule finite_subset)
   1.150 +qed 
   1.151 +
   1.152 +lemma lookup_tree_less[simp]: "t |\<guillemotleft> k \<Longrightarrow> lookup t k = None" 
   1.153 +by (induct t) auto
   1.154 +
   1.155 +lemma lookup_tree_greater[simp]: "k \<guillemotleft>| t \<Longrightarrow> lookup t k = None"
   1.156 +by (induct t) auto
   1.157 +
   1.158 +lemma lookup_Empty: "lookup Empty = empty"
   1.159 +by (rule ext) simp
   1.160 +
   1.161 +lemma map_of_entries:
   1.162 +  "sorted t \<Longrightarrow> map_of (entries t) = lookup t"
   1.163 +proof (induct t)
   1.164 +  case Empty thus ?case by (simp add: lookup_Empty)
   1.165 +next
   1.166 +  case (Branch c t1 k v t2)
   1.167 +  have "lookup (Branch c t1 k v t2) = lookup t2 ++ [k\<mapsto>v] ++ lookup t1"
   1.168 +  proof (rule ext)
   1.169 +    fix x
   1.170 +    from Branch have SORTED: "sorted (Branch c t1 k v t2)" by simp
   1.171 +    let ?thesis = "lookup (Branch c t1 k v t2) x = (lookup t2 ++ [k \<mapsto> v] ++ lookup t1) x"
   1.172 +
   1.173 +    have DOM_T1: "!!k'. k'\<in>dom (lookup t1) \<Longrightarrow> k>k'"
   1.174 +    proof -
   1.175 +      fix k'
   1.176 +      from SORTED have "t1 |\<guillemotleft> k" by simp
   1.177 +      with tree_less_prop have "\<forall>k'\<in>set (keys t1). k>k'" by auto
   1.178 +      moreover assume "k'\<in>dom (lookup t1)"
   1.179 +      ultimately show "k>k'" using lookup_keys SORTED by auto
   1.180 +    qed
   1.181 +    
   1.182 +    have DOM_T2: "!!k'. k'\<in>dom (lookup t2) \<Longrightarrow> k<k'"
   1.183 +    proof -
   1.184 +      fix k'
   1.185 +      from SORTED have "k \<guillemotleft>| t2" by simp
   1.186 +      with tree_greater_prop have "\<forall>k'\<in>set (keys t2). k<k'" by auto
   1.187 +      moreover assume "k'\<in>dom (lookup t2)"
   1.188 +      ultimately show "k<k'" using lookup_keys SORTED by auto
   1.189 +    qed
   1.190 +    
   1.191 +    {
   1.192 +      assume C: "x<k"
   1.193 +      hence "lookup (Branch c t1 k v t2) x = lookup t1 x" by simp
   1.194 +      moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
   1.195 +      moreover have "x\<notin>dom (lookup t2)" proof
   1.196 +        assume "x\<in>dom (lookup t2)"
   1.197 +        with DOM_T2 have "k<x" by blast
   1.198 +        with C show False by simp
   1.199 +      qed
   1.200 +      ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   1.201 +    } moreover {
   1.202 +      assume [simp]: "x=k"
   1.203 +      hence "lookup (Branch c t1 k v t2) x = [k \<mapsto> v] x" by simp
   1.204 +      moreover have "x\<notin>dom (lookup t1)" proof
   1.205 +        assume "x\<in>dom (lookup t1)"
   1.206 +        with DOM_T1 have "k>x" by blast
   1.207 +        thus False by simp
   1.208 +      qed
   1.209 +      ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   1.210 +    } moreover {
   1.211 +      assume C: "x>k"
   1.212 +      hence "lookup (Branch c t1 k v t2) x = lookup t2 x" by (simp add: less_not_sym[of k x])
   1.213 +      moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
   1.214 +      moreover have "x\<notin>dom (lookup t1)" proof
   1.215 +        assume "x\<in>dom (lookup t1)"
   1.216 +        with DOM_T1 have "k>x" by simp
   1.217 +        with C show False by simp
   1.218 +      qed
   1.219 +      ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   1.220 +    } ultimately show ?thesis using less_linear by blast
   1.221 +  qed
   1.222 +  also from Branch have "lookup t2 ++ [k \<mapsto> v] ++ lookup t1 = map_of (entries (Branch c t1 k v t2))" by simp
   1.223 +  finally show ?case by simp
   1.224 +qed
   1.225 +
   1.226 +lemma lookup_in_tree: "sorted t \<Longrightarrow> lookup t k = Some v \<longleftrightarrow> (k, v) \<in> set (entries t)"
   1.227 +  by (simp add: map_of_entries [symmetric] distinct_entries)
   1.228 +
   1.229 +lemma set_entries_inject:
   1.230 +  assumes sorted: "sorted t1" "sorted t2" 
   1.231 +  shows "set (entries t1) = set (entries t2) \<longleftrightarrow> entries t1 = entries t2"
   1.232 +proof -
   1.233 +  from sorted have "distinct (map fst (entries t1))"
   1.234 +    "distinct (map fst (entries t2))"
   1.235 +    by (auto intro: distinct_entries)
   1.236 +  with sorted show ?thesis
   1.237 +    by (auto intro: map_sorted_distinct_set_unique sorted_entries simp add: distinct_map)
   1.238 +qed
   1.239 +
   1.240 +lemma entries_eqI:
   1.241 +  assumes sorted: "sorted t1" "sorted t2" 
   1.242 +  assumes lookup: "lookup t1 = lookup t2"
   1.243 +  shows "entries t1 = entries t2"
   1.244 +proof -
   1.245 +  from sorted lookup have "map_of (entries t1) = map_of (entries t2)"
   1.246 +    by (simp add: map_of_entries)
   1.247 +  with sorted have "set (entries t1) = set (entries t2)"
   1.248 +    by (simp add: map_of_inject_set distinct_entries)
   1.249 +  with sorted show ?thesis by (simp add: set_entries_inject)
   1.250 +qed
   1.251 +
   1.252 +lemma entries_lookup:
   1.253 +  assumes "sorted t1" "sorted t2" 
   1.254 +  shows "entries t1 = entries t2 \<longleftrightarrow> lookup t1 = lookup t2"
   1.255 +  using assms by (auto intro: entries_eqI simp add: map_of_entries [symmetric])
   1.256 +
   1.257 +lemma lookup_from_in_tree: 
   1.258 +  assumes "sorted t1" "sorted t2" 
   1.259 +  and "\<And>v. (k\<Colon>'a\<Colon>linorder, v) \<in> set (entries t1) \<longleftrightarrow> (k, v) \<in> set (entries t2)" 
   1.260 +  shows "lookup t1 k = lookup t2 k"
   1.261 +proof -
   1.262 +  from assms have "k \<in> dom (lookup t1) \<longleftrightarrow> k \<in> dom (lookup t2)"
   1.263 +    by (simp add: keys_entries lookup_keys)
   1.264 +  with assms show ?thesis by (auto simp add: lookup_in_tree [symmetric])
   1.265 +qed
   1.266 +
   1.267 +
   1.268 +subsubsection {* Red-black properties *}
   1.269 +
   1.270 +primrec color_of :: "('a, 'b) rbt \<Rightarrow> color"
   1.271 +where
   1.272 +  "color_of Empty = B"
   1.273 +| "color_of (Branch c _ _ _ _) = c"
   1.274 +
   1.275 +primrec bheight :: "('a,'b) rbt \<Rightarrow> nat"
   1.276 +where
   1.277 +  "bheight Empty = 0"
   1.278 +| "bheight (Branch c lt k v rt) = (if c = B then Suc (bheight lt) else bheight lt)"
   1.279 +
   1.280 +primrec inv1 :: "('a, 'b) rbt \<Rightarrow> bool"
   1.281 +where
   1.282 +  "inv1 Empty = True"
   1.283 +| "inv1 (Branch c lt k v rt) \<longleftrightarrow> inv1 lt \<and> inv1 rt \<and> (c = B \<or> color_of lt = B \<and> color_of rt = B)"
   1.284 +
   1.285 +primrec inv1l :: "('a, 'b) rbt \<Rightarrow> bool" -- {* Weaker version *}
   1.286 +where
   1.287 +  "inv1l Empty = True"
   1.288 +| "inv1l (Branch c l k v r) = (inv1 l \<and> inv1 r)"
   1.289 +lemma [simp]: "inv1 t \<Longrightarrow> inv1l t" by (cases t) simp+
   1.290 +
   1.291 +primrec inv2 :: "('a, 'b) rbt \<Rightarrow> bool"
   1.292 +where
   1.293 +  "inv2 Empty = True"
   1.294 +| "inv2 (Branch c lt k v rt) = (inv2 lt \<and> inv2 rt \<and> bheight lt = bheight rt)"
   1.295 +
   1.296 +definition is_rbt :: "('a\<Colon>linorder, 'b) rbt \<Rightarrow> bool" where
   1.297 +  "is_rbt t \<longleftrightarrow> inv1 t \<and> inv2 t \<and> color_of t = B \<and> sorted t"
   1.298 +
   1.299 +lemma is_rbt_sorted [simp]:
   1.300 +  "is_rbt t \<Longrightarrow> sorted t" by (simp add: is_rbt_def)
   1.301 +
   1.302 +theorem Empty_is_rbt [simp]:
   1.303 +  "is_rbt Empty" by (simp add: is_rbt_def)
   1.304 +
   1.305 +
   1.306 +subsection {* Insertion *}
   1.307 +
   1.308 +fun (* slow, due to massive case splitting *)
   1.309 +  balance :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.310 +where
   1.311 +  "balance (Branch R a w x b) s t (Branch R c y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   1.312 +  "balance (Branch R (Branch R a w x b) s t c) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   1.313 +  "balance (Branch R a w x (Branch R b s t c)) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   1.314 +  "balance a w x (Branch R b s t (Branch R c y z d)) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   1.315 +  "balance a w x (Branch R (Branch R b s t c) y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   1.316 +  "balance a s t b = Branch B a s t b"
   1.317 +
   1.318 +lemma balance_inv1: "\<lbrakk>inv1l l; inv1l r\<rbrakk> \<Longrightarrow> inv1 (balance l k v r)" 
   1.319 +  by (induct l k v r rule: balance.induct) auto
   1.320 +
   1.321 +lemma balance_bheight: "bheight l = bheight r \<Longrightarrow> bheight (balance l k v r) = Suc (bheight l)"
   1.322 +  by (induct l k v r rule: balance.induct) auto
   1.323 +
   1.324 +lemma balance_inv2: 
   1.325 +  assumes "inv2 l" "inv2 r" "bheight l = bheight r"
   1.326 +  shows "inv2 (balance l k v r)"
   1.327 +  using assms
   1.328 +  by (induct l k v r rule: balance.induct) auto
   1.329 +
   1.330 +lemma balance_tree_greater[simp]: "(v \<guillemotleft>| balance a k x b) = (v \<guillemotleft>| a \<and> v \<guillemotleft>| b \<and> v < k)" 
   1.331 +  by (induct a k x b rule: balance.induct) auto
   1.332 +
   1.333 +lemma balance_tree_less[simp]: "(balance a k x b |\<guillemotleft> v) = (a |\<guillemotleft> v \<and> b |\<guillemotleft> v \<and> k < v)"
   1.334 +  by (induct a k x b rule: balance.induct) auto
   1.335 +
   1.336 +lemma balance_sorted: 
   1.337 +  fixes k :: "'a::linorder"
   1.338 +  assumes "sorted l" "sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   1.339 +  shows "sorted (balance l k v r)"
   1.340 +using assms proof (induct l k v r rule: balance.induct)
   1.341 +  case ("2_2" a x w b y t c z s va vb vd vc)
   1.342 +  hence "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" 
   1.343 +    by (auto simp add: tree_ord_props)
   1.344 +  hence "tree_greater y (Branch B va vb vd vc)" by (blast dest: tree_greater_trans)
   1.345 +  with "2_2" show ?case by simp
   1.346 +next
   1.347 +  case ("3_2" va vb vd vc x w b y s c z)
   1.348 +  from "3_2" have "x < y \<and> tree_less x (Branch B va vb vd vc)" 
   1.349 +    by simp
   1.350 +  hence "tree_less y (Branch B va vb vd vc)" by (blast dest: tree_less_trans)
   1.351 +  with "3_2" show ?case by simp
   1.352 +next
   1.353 +  case ("3_3" x w b y s c z t va vb vd vc)
   1.354 +  from "3_3" have "y < z \<and> tree_greater z (Branch B va vb vd vc)" by simp
   1.355 +  hence "tree_greater y (Branch B va vb vd vc)" by (blast dest: tree_greater_trans)
   1.356 +  with "3_3" show ?case by simp
   1.357 +next
   1.358 +  case ("3_4" vd ve vg vf x w b y s c z t va vb vii vc)
   1.359 +  hence "x < y \<and> tree_less x (Branch B vd ve vg vf)" by simp
   1.360 +  hence 1: "tree_less y (Branch B vd ve vg vf)" by (blast dest: tree_less_trans)
   1.361 +  from "3_4" have "y < z \<and> tree_greater z (Branch B va vb vii vc)" by simp
   1.362 +  hence "tree_greater y (Branch B va vb vii vc)" by (blast dest: tree_greater_trans)
   1.363 +  with 1 "3_4" show ?case by simp
   1.364 +next
   1.365 +  case ("4_2" va vb vd vc x w b y s c z t dd)
   1.366 +  hence "x < y \<and> tree_less x (Branch B va vb vd vc)" by simp
   1.367 +  hence "tree_less y (Branch B va vb vd vc)" by (blast dest: tree_less_trans)
   1.368 +  with "4_2" show ?case by simp
   1.369 +next
   1.370 +  case ("5_2" x w b y s c z t va vb vd vc)
   1.371 +  hence "y < z \<and> tree_greater z (Branch B va vb vd vc)" by simp
   1.372 +  hence "tree_greater y (Branch B va vb vd vc)" by (blast dest: tree_greater_trans)
   1.373 +  with "5_2" show ?case by simp
   1.374 +next
   1.375 +  case ("5_3" va vb vd vc x w b y s c z t)
   1.376 +  hence "x < y \<and> tree_less x (Branch B va vb vd vc)" by simp
   1.377 +  hence "tree_less y (Branch B va vb vd vc)" by (blast dest: tree_less_trans)
   1.378 +  with "5_3" show ?case by simp
   1.379 +next
   1.380 +  case ("5_4" va vb vg vc x w b y s c z t vd ve vii vf)
   1.381 +  hence "x < y \<and> tree_less x (Branch B va vb vg vc)" by simp
   1.382 +  hence 1: "tree_less y (Branch B va vb vg vc)" by (blast dest: tree_less_trans)
   1.383 +  from "5_4" have "y < z \<and> tree_greater z (Branch B vd ve vii vf)" by simp
   1.384 +  hence "tree_greater y (Branch B vd ve vii vf)" by (blast dest: tree_greater_trans)
   1.385 +  with 1 "5_4" show ?case by simp
   1.386 +qed simp+
   1.387 +
   1.388 +lemma entries_balance [simp]:
   1.389 +  "entries (balance l k v r) = entries l @ (k, v) # entries r"
   1.390 +  by (induct l k v r rule: balance.induct) auto
   1.391 +
   1.392 +lemma keys_balance [simp]: 
   1.393 +  "keys (balance l k v r) = keys l @ k # keys r"
   1.394 +  by (simp add: keys_def)
   1.395 +
   1.396 +lemma balance_in_tree:  
   1.397 +  "entry_in_tree k x (balance l v y r) \<longleftrightarrow> entry_in_tree k x l \<or> k = v \<and> x = y \<or> entry_in_tree k x r"
   1.398 +  by (auto simp add: keys_def)
   1.399 +
   1.400 +lemma lookup_balance[simp]: 
   1.401 +fixes k :: "'a::linorder"
   1.402 +assumes "sorted l" "sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   1.403 +shows "lookup (balance l k v r) x = lookup (Branch B l k v r) x"
   1.404 +by (rule lookup_from_in_tree) (auto simp:assms balance_in_tree balance_sorted)
   1.405 +
   1.406 +primrec paint :: "color \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.407 +where
   1.408 +  "paint c Empty = Empty"
   1.409 +| "paint c (Branch _ l k v r) = Branch c l k v r"
   1.410 +
   1.411 +lemma paint_inv1l[simp]: "inv1l t \<Longrightarrow> inv1l (paint c t)" by (cases t) auto
   1.412 +lemma paint_inv1[simp]: "inv1l t \<Longrightarrow> inv1 (paint B t)" by (cases t) auto
   1.413 +lemma paint_inv2[simp]: "inv2 t \<Longrightarrow> inv2 (paint c t)" by (cases t) auto
   1.414 +lemma paint_color_of[simp]: "color_of (paint B t) = B" by (cases t) auto
   1.415 +lemma paint_sorted[simp]: "sorted t \<Longrightarrow> sorted (paint c t)" by (cases t) auto
   1.416 +lemma paint_in_tree[simp]: "entry_in_tree k x (paint c t) = entry_in_tree k x t" by (cases t) auto
   1.417 +lemma paint_lookup[simp]: "lookup (paint c t) = lookup t" by (rule ext) (cases t, auto)
   1.418 +lemma paint_tree_greater[simp]: "(v \<guillemotleft>| paint c t) = (v \<guillemotleft>| t)" by (cases t) auto
   1.419 +lemma paint_tree_less[simp]: "(paint c t |\<guillemotleft> v) = (t |\<guillemotleft> v)" by (cases t) auto
   1.420 +
   1.421 +fun
   1.422 +  ins :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.423 +where
   1.424 +  "ins f k v Empty = Branch R Empty k v Empty" |
   1.425 +  "ins f k v (Branch B l x y r) = (if k < x then balance (ins f k v l) x y r
   1.426 +                               else if k > x then balance l x y (ins f k v r)
   1.427 +                               else Branch B l x (f k y v) r)" |
   1.428 +  "ins f k v (Branch R l x y r) = (if k < x then Branch R (ins f k v l) x y r
   1.429 +                               else if k > x then Branch R l x y (ins f k v r)
   1.430 +                               else Branch R l x (f k y v) r)"
   1.431 +
   1.432 +lemma ins_inv1_inv2: 
   1.433 +  assumes "inv1 t" "inv2 t"
   1.434 +  shows "inv2 (ins f k x t)" "bheight (ins f k x t) = bheight t" 
   1.435 +  "color_of t = B \<Longrightarrow> inv1 (ins f k x t)" "inv1l (ins f k x t)"
   1.436 +  using assms
   1.437 +  by (induct f k x t rule: ins.induct) (auto simp: balance_inv1 balance_inv2 balance_bheight)
   1.438 +
   1.439 +lemma ins_tree_greater[simp]: "(v \<guillemotleft>| ins f k x t) = (v \<guillemotleft>| t \<and> k > v)"
   1.440 +  by (induct f k x t rule: ins.induct) auto
   1.441 +lemma ins_tree_less[simp]: "(ins f k x t |\<guillemotleft> v) = (t |\<guillemotleft> v \<and> k < v)"
   1.442 +  by (induct f k x t rule: ins.induct) auto
   1.443 +lemma ins_sorted[simp]: "sorted t \<Longrightarrow> sorted (ins f k x t)"
   1.444 +  by (induct f k x t rule: ins.induct) (auto simp: balance_sorted)
   1.445 +
   1.446 +lemma keys_ins: "set (keys (ins f k v t)) = { k } \<union> set (keys t)"
   1.447 +  by (induct f k v t rule: ins.induct) auto
   1.448 +
   1.449 +lemma lookup_ins: 
   1.450 +  fixes k :: "'a::linorder"
   1.451 +  assumes "sorted t"
   1.452 +  shows "lookup (ins f k v t) x = ((lookup t)(k |-> case lookup t k of None \<Rightarrow> v 
   1.453 +                                                       | Some w \<Rightarrow> f k w v)) x"
   1.454 +using assms by (induct f k v t rule: ins.induct) auto
   1.455 +
   1.456 +definition
   1.457 +  insert_with_key :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.458 +where
   1.459 +  "insert_with_key f k v t = paint B (ins f k v t)"
   1.460 +
   1.461 +lemma insertwk_sorted: "sorted t \<Longrightarrow> sorted (insert_with_key f k x t)"
   1.462 +  by (auto simp: insert_with_key_def)
   1.463 +
   1.464 +theorem insertwk_is_rbt: 
   1.465 +  assumes inv: "is_rbt t" 
   1.466 +  shows "is_rbt (insert_with_key f k x t)"
   1.467 +using assms
   1.468 +unfolding insert_with_key_def is_rbt_def
   1.469 +by (auto simp: ins_inv1_inv2)
   1.470 +
   1.471 +lemma lookup_insertwk: 
   1.472 +  assumes "sorted t"
   1.473 +  shows "lookup (insert_with_key f k v t) x = ((lookup t)(k |-> case lookup t k of None \<Rightarrow> v 
   1.474 +                                                       | Some w \<Rightarrow> f k w v)) x"
   1.475 +unfolding insert_with_key_def using assms
   1.476 +by (simp add:lookup_ins)
   1.477 +
   1.478 +definition
   1.479 +  insertw_def: "insert_with f = insert_with_key (\<lambda>_. f)"
   1.480 +
   1.481 +lemma insertw_sorted: "sorted t \<Longrightarrow> sorted (insert_with f k v t)" by (simp add: insertwk_sorted insertw_def)
   1.482 +theorem insertw_is_rbt: "is_rbt t \<Longrightarrow> is_rbt (insert_with f k v t)" by (simp add: insertwk_is_rbt insertw_def)
   1.483 +
   1.484 +lemma lookup_insertw:
   1.485 +  assumes "is_rbt t"
   1.486 +  shows "lookup (insert_with f k v t) = (lookup t)(k \<mapsto> (if k:dom (lookup t) then f (the (lookup t k)) v else v))"
   1.487 +using assms
   1.488 +unfolding insertw_def
   1.489 +by (rule_tac ext) (cases "lookup t k", auto simp:lookup_insertwk dom_def)
   1.490 +
   1.491 +definition insert :: "'a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt" where
   1.492 +  "insert = insert_with_key (\<lambda>_ _ nv. nv)"
   1.493 +
   1.494 +lemma insert_sorted: "sorted t \<Longrightarrow> sorted (insert k v t)" by (simp add: insertwk_sorted insert_def)
   1.495 +theorem insert_is_rbt [simp]: "is_rbt t \<Longrightarrow> is_rbt (insert k v t)" by (simp add: insertwk_is_rbt insert_def)
   1.496 +
   1.497 +lemma lookup_insert: 
   1.498 +  assumes "is_rbt t"
   1.499 +  shows "lookup (insert k v t) = (lookup t)(k\<mapsto>v)"
   1.500 +unfolding insert_def
   1.501 +using assms
   1.502 +by (rule_tac ext) (simp add: lookup_insertwk split:option.split)
   1.503 +
   1.504 +
   1.505 +subsection {* Deletion *}
   1.506 +
   1.507 +lemma bheight_paintR'[simp]: "color_of t = B \<Longrightarrow> bheight (paint R t) = bheight t - 1"
   1.508 +by (cases t rule: rbt_cases) auto
   1.509 +
   1.510 +fun
   1.511 +  balance_left :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.512 +where
   1.513 +  "balance_left (Branch R a k x b) s y c = Branch R (Branch B a k x b) s y c" |
   1.514 +  "balance_left bl k x (Branch B a s y b) = balance bl k x (Branch R a s y b)" |
   1.515 +  "balance_left bl k x (Branch R (Branch B a s y b) t z c) = Branch R (Branch B bl k x a) s y (balance b t z (paint R c))" |
   1.516 +  "balance_left t k x s = Empty"
   1.517 +
   1.518 +lemma balance_left_inv2_with_inv1:
   1.519 +  assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "inv1 rt"
   1.520 +  shows "bheight (balance_left lt k v rt) = bheight lt + 1"
   1.521 +  and   "inv2 (balance_left lt k v rt)"
   1.522 +using assms 
   1.523 +by (induct lt k v rt rule: balance_left.induct) (auto simp: balance_inv2 balance_bheight)
   1.524 +
   1.525 +lemma balance_left_inv2_app: 
   1.526 +  assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "color_of rt = B"
   1.527 +  shows "inv2 (balance_left lt k v rt)" 
   1.528 +        "bheight (balance_left lt k v rt) = bheight rt"
   1.529 +using assms 
   1.530 +by (induct lt k v rt rule: balance_left.induct) (auto simp add: balance_inv2 balance_bheight)+ 
   1.531 +
   1.532 +lemma balance_left_inv1: "\<lbrakk>inv1l a; inv1 b; color_of b = B\<rbrakk> \<Longrightarrow> inv1 (balance_left a k x b)"
   1.533 +  by (induct a k x b rule: balance_left.induct) (simp add: balance_inv1)+
   1.534 +
   1.535 +lemma balance_left_inv1l: "\<lbrakk> inv1l lt; inv1 rt \<rbrakk> \<Longrightarrow> inv1l (balance_left lt k x rt)"
   1.536 +by (induct lt k x rt rule: balance_left.induct) (auto simp: balance_inv1)
   1.537 +
   1.538 +lemma balance_left_sorted: "\<lbrakk> sorted l; sorted r; tree_less k l; tree_greater k r \<rbrakk> \<Longrightarrow> sorted (balance_left l k v r)"
   1.539 +apply (induct l k v r rule: balance_left.induct)
   1.540 +apply (auto simp: balance_sorted)
   1.541 +apply (unfold tree_greater_prop tree_less_prop)
   1.542 +by force+
   1.543 +
   1.544 +lemma balance_left_tree_greater: 
   1.545 +  fixes k :: "'a::order"
   1.546 +  assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   1.547 +  shows "k \<guillemotleft>| balance_left a x t b"
   1.548 +using assms 
   1.549 +by (induct a x t b rule: balance_left.induct) auto
   1.550 +
   1.551 +lemma balance_left_tree_less: 
   1.552 +  fixes k :: "'a::order"
   1.553 +  assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   1.554 +  shows "balance_left a x t b |\<guillemotleft> k"
   1.555 +using assms
   1.556 +by (induct a x t b rule: balance_left.induct) auto
   1.557 +
   1.558 +lemma balance_left_in_tree: 
   1.559 +  assumes "inv1l l" "inv1 r" "bheight l + 1 = bheight r"
   1.560 +  shows "entry_in_tree k v (balance_left l a b r) = (entry_in_tree k v l \<or> k = a \<and> v = b \<or> entry_in_tree k v r)"
   1.561 +using assms 
   1.562 +by (induct l k v r rule: balance_left.induct) (auto simp: balance_in_tree)
   1.563 +
   1.564 +fun
   1.565 +  balance_right :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.566 +where
   1.567 +  "balance_right a k x (Branch R b s y c) = Branch R a k x (Branch B b s y c)" |
   1.568 +  "balance_right (Branch B a k x b) s y bl = balance (Branch R a k x b) s y bl" |
   1.569 +  "balance_right (Branch R a k x (Branch B b s y c)) t z bl = Branch R (balance (paint R a) k x b) s y (Branch B c t z bl)" |
   1.570 +  "balance_right t k x s = Empty"
   1.571 +
   1.572 +lemma balance_right_inv2_with_inv1:
   1.573 +  assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt + 1" "inv1 lt"
   1.574 +  shows "inv2 (balance_right lt k v rt) \<and> bheight (balance_right lt k v rt) = bheight lt"
   1.575 +using assms
   1.576 +by (induct lt k v rt rule: balance_right.induct) (auto simp: balance_inv2 balance_bheight)
   1.577 +
   1.578 +lemma balance_right_inv1: "\<lbrakk>inv1 a; inv1l b; color_of a = B\<rbrakk> \<Longrightarrow> inv1 (balance_right a k x b)"
   1.579 +by (induct a k x b rule: balance_right.induct) (simp add: balance_inv1)+
   1.580 +
   1.581 +lemma balance_right_inv1l: "\<lbrakk> inv1 lt; inv1l rt \<rbrakk> \<Longrightarrow>inv1l (balance_right lt k x rt)"
   1.582 +by (induct lt k x rt rule: balance_right.induct) (auto simp: balance_inv1)
   1.583 +
   1.584 +lemma balance_right_sorted: "\<lbrakk> sorted l; sorted r; tree_less k l; tree_greater k r \<rbrakk> \<Longrightarrow> sorted (balance_right l k v r)"
   1.585 +apply (induct l k v r rule: balance_right.induct)
   1.586 +apply (auto simp:balance_sorted)
   1.587 +apply (unfold tree_less_prop tree_greater_prop)
   1.588 +by force+
   1.589 +
   1.590 +lemma balance_right_tree_greater: 
   1.591 +  fixes k :: "'a::order"
   1.592 +  assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   1.593 +  shows "k \<guillemotleft>| balance_right a x t b"
   1.594 +using assms by (induct a x t b rule: balance_right.induct) auto
   1.595 +
   1.596 +lemma balance_right_tree_less: 
   1.597 +  fixes k :: "'a::order"
   1.598 +  assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   1.599 +  shows "balance_right a x t b |\<guillemotleft> k"
   1.600 +using assms by (induct a x t b rule: balance_right.induct) auto
   1.601 +
   1.602 +lemma balance_right_in_tree:
   1.603 +  assumes "inv1 l" "inv1l r" "bheight l = bheight r + 1" "inv2 l" "inv2 r"
   1.604 +  shows "entry_in_tree x y (balance_right l k v r) = (entry_in_tree x y l \<or> x = k \<and> y = v \<or> entry_in_tree x y r)"
   1.605 +using assms by (induct l k v r rule: balance_right.induct) (auto simp: balance_in_tree)
   1.606 +
   1.607 +fun
   1.608 +  combine :: "('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.609 +where
   1.610 +  "combine Empty x = x" 
   1.611 +| "combine x Empty = x" 
   1.612 +| "combine (Branch R a k x b) (Branch R c s y d) = (case (combine b c) of
   1.613 +                                      Branch R b2 t z c2 \<Rightarrow> (Branch R (Branch R a k x b2) t z (Branch R c2 s y d)) |
   1.614 +                                      bc \<Rightarrow> Branch R a k x (Branch R bc s y d))" 
   1.615 +| "combine (Branch B a k x b) (Branch B c s y d) = (case (combine b c) of
   1.616 +                                      Branch R b2 t z c2 \<Rightarrow> Branch R (Branch B a k x b2) t z (Branch B c2 s y d) |
   1.617 +                                      bc \<Rightarrow> balance_left a k x (Branch B bc s y d))" 
   1.618 +| "combine a (Branch R b k x c) = Branch R (combine a b) k x c" 
   1.619 +| "combine (Branch R a k x b) c = Branch R a k x (combine b c)" 
   1.620 +
   1.621 +lemma combine_inv2:
   1.622 +  assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt"
   1.623 +  shows "bheight (combine lt rt) = bheight lt" "inv2 (combine lt rt)"
   1.624 +using assms 
   1.625 +by (induct lt rt rule: combine.induct) 
   1.626 +   (auto simp: balance_left_inv2_app split: rbt.splits color.splits)
   1.627 +
   1.628 +lemma combine_inv1: 
   1.629 +  assumes "inv1 lt" "inv1 rt"
   1.630 +  shows "color_of lt = B \<Longrightarrow> color_of rt = B \<Longrightarrow> inv1 (combine lt rt)"
   1.631 +         "inv1l (combine lt rt)"
   1.632 +using assms 
   1.633 +by (induct lt rt rule: combine.induct)
   1.634 +   (auto simp: balance_left_inv1 split: rbt.splits color.splits)
   1.635 +
   1.636 +lemma combine_tree_greater[simp]: 
   1.637 +  fixes k :: "'a::linorder"
   1.638 +  assumes "k \<guillemotleft>| l" "k \<guillemotleft>| r" 
   1.639 +  shows "k \<guillemotleft>| combine l r"
   1.640 +using assms 
   1.641 +by (induct l r rule: combine.induct)
   1.642 +   (auto simp: balance_left_tree_greater split:rbt.splits color.splits)
   1.643 +
   1.644 +lemma combine_tree_less[simp]: 
   1.645 +  fixes k :: "'a::linorder"
   1.646 +  assumes "l |\<guillemotleft> k" "r |\<guillemotleft> k" 
   1.647 +  shows "combine l r |\<guillemotleft> k"
   1.648 +using assms 
   1.649 +by (induct l r rule: combine.induct)
   1.650 +   (auto simp: balance_left_tree_less split:rbt.splits color.splits)
   1.651 +
   1.652 +lemma combine_sorted: 
   1.653 +  fixes k :: "'a::linorder"
   1.654 +  assumes "sorted l" "sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   1.655 +  shows "sorted (combine l r)"
   1.656 +using assms proof (induct l r rule: combine.induct)
   1.657 +  case (3 a x v b c y w d)
   1.658 +  hence ineqs: "a |\<guillemotleft> x" "x \<guillemotleft>| b" "b |\<guillemotleft> k" "k \<guillemotleft>| c" "c |\<guillemotleft> y" "y \<guillemotleft>| d"
   1.659 +    by auto
   1.660 +  with 3
   1.661 +  show ?case
   1.662 +    by (cases "combine b c" rule: rbt_cases)
   1.663 +      (auto, (metis combine_tree_greater combine_tree_less ineqs ineqs tree_less_simps(2) tree_greater_simps(2) tree_greater_trans tree_less_trans)+)
   1.664 +next
   1.665 +  case (4 a x v b c y w d)
   1.666 +  hence "x < k \<and> tree_greater k c" by simp
   1.667 +  hence "tree_greater x c" by (blast dest: tree_greater_trans)
   1.668 +  with 4 have 2: "tree_greater x (combine b c)" by (simp add: combine_tree_greater)
   1.669 +  from 4 have "k < y \<and> tree_less k b" by simp
   1.670 +  hence "tree_less y b" by (blast dest: tree_less_trans)
   1.671 +  with 4 have 3: "tree_less y (combine b c)" by (simp add: combine_tree_less)
   1.672 +  show ?case
   1.673 +  proof (cases "combine b c" rule: rbt_cases)
   1.674 +    case Empty
   1.675 +    from 4 have "x < y \<and> tree_greater y d" by auto
   1.676 +    hence "tree_greater x d" by (blast dest: tree_greater_trans)
   1.677 +    with 4 Empty have "sorted a" and "sorted (Branch B Empty y w d)" and "tree_less x a" and "tree_greater x (Branch B Empty y w d)" by auto
   1.678 +    with Empty show ?thesis by (simp add: balance_left_sorted)
   1.679 +  next
   1.680 +    case (Red lta va ka rta)
   1.681 +    with 2 4 have "x < va \<and> tree_less x a" by simp
   1.682 +    hence 5: "tree_less va a" by (blast dest: tree_less_trans)
   1.683 +    from Red 3 4 have "va < y \<and> tree_greater y d" by simp
   1.684 +    hence "tree_greater va d" by (blast dest: tree_greater_trans)
   1.685 +    with Red 2 3 4 5 show ?thesis by simp
   1.686 +  next
   1.687 +    case (Black lta va ka rta)
   1.688 +    from 4 have "x < y \<and> tree_greater y d" by auto
   1.689 +    hence "tree_greater x d" by (blast dest: tree_greater_trans)
   1.690 +    with Black 2 3 4 have "sorted a" and "sorted (Branch B (combine b c) y w d)" and "tree_less x a" and "tree_greater x (Branch B (combine b c) y w d)" by auto
   1.691 +    with Black show ?thesis by (simp add: balance_left_sorted)
   1.692 +  qed
   1.693 +next
   1.694 +  case (5 va vb vd vc b x w c)
   1.695 +  hence "k < x \<and> tree_less k (Branch B va vb vd vc)" by simp
   1.696 +  hence "tree_less x (Branch B va vb vd vc)" by (blast dest: tree_less_trans)
   1.697 +  with 5 show ?case by (simp add: combine_tree_less)
   1.698 +next
   1.699 +  case (6 a x v b va vb vd vc)
   1.700 +  hence "x < k \<and> tree_greater k (Branch B va vb vd vc)" by simp
   1.701 +  hence "tree_greater x (Branch B va vb vd vc)" by (blast dest: tree_greater_trans)
   1.702 +  with 6 show ?case by (simp add: combine_tree_greater)
   1.703 +qed simp+
   1.704 +
   1.705 +lemma combine_in_tree: 
   1.706 +  assumes "inv2 l" "inv2 r" "bheight l = bheight r" "inv1 l" "inv1 r"
   1.707 +  shows "entry_in_tree k v (combine l r) = (entry_in_tree k v l \<or> entry_in_tree k v r)"
   1.708 +using assms 
   1.709 +proof (induct l r rule: combine.induct)
   1.710 +  case (4 _ _ _ b c)
   1.711 +  hence a: "bheight (combine b c) = bheight b" by (simp add: combine_inv2)
   1.712 +  from 4 have b: "inv1l (combine b c)" by (simp add: combine_inv1)
   1.713 +
   1.714 +  show ?case
   1.715 +  proof (cases "combine b c" rule: rbt_cases)
   1.716 +    case Empty
   1.717 +    with 4 a show ?thesis by (auto simp: balance_left_in_tree)
   1.718 +  next
   1.719 +    case (Red lta ka va rta)
   1.720 +    with 4 show ?thesis by auto
   1.721 +  next
   1.722 +    case (Black lta ka va rta)
   1.723 +    with a b 4  show ?thesis by (auto simp: balance_left_in_tree)
   1.724 +  qed 
   1.725 +qed (auto split: rbt.splits color.splits)
   1.726 +
   1.727 +fun
   1.728 +  del_from_left :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   1.729 +  del_from_right :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   1.730 +  del :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.731 +where
   1.732 +  "del x Empty = Empty" |
   1.733 +  "del x (Branch c a y s b) = (if x < y then del_from_left x a y s b else (if x > y then del_from_right x a y s b else combine a b))" |
   1.734 +  "del_from_left x (Branch B lt z v rt) y s b = balance_left (del x (Branch B lt z v rt)) y s b" |
   1.735 +  "del_from_left x a y s b = Branch R (del x a) y s b" |
   1.736 +  "del_from_right x a y s (Branch B lt z v rt) = balance_right a y s (del x (Branch B lt z v rt))" | 
   1.737 +  "del_from_right x a y s b = Branch R a y s (del x b)"
   1.738 +
   1.739 +lemma 
   1.740 +  assumes "inv2 lt" "inv1 lt"
   1.741 +  shows
   1.742 +  "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
   1.743 +  inv2 (del_from_left x lt k v rt) \<and> bheight (del_from_left x lt k v rt) = bheight lt \<and> (color_of lt = B \<and> color_of rt = B \<and> inv1 (del_from_left x lt k v rt) \<or> (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (del_from_left x lt k v rt))"
   1.744 +  and "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
   1.745 +  inv2 (del_from_right x lt k v rt) \<and> bheight (del_from_right x lt k v rt) = bheight lt \<and> (color_of lt = B \<and> color_of rt = B \<and> inv1 (del_from_right x lt k v rt) \<or> (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (del_from_right x lt k v rt))"
   1.746 +  and del_inv1_inv2: "inv2 (del x lt) \<and> (color_of lt = R \<and> bheight (del x lt) = bheight lt \<and> inv1 (del x lt) 
   1.747 +  \<or> color_of lt = B \<and> bheight (del x lt) = bheight lt - 1 \<and> inv1l (del x lt))"
   1.748 +using assms
   1.749 +proof (induct x lt k v rt and x lt k v rt and x lt rule: del_from_left_del_from_right_del.induct)
   1.750 +case (2 y c _ y')
   1.751 +  have "y = y' \<or> y < y' \<or> y > y'" by auto
   1.752 +  thus ?case proof (elim disjE)
   1.753 +    assume "y = y'"
   1.754 +    with 2 show ?thesis by (cases c) (simp add: combine_inv2 combine_inv1)+
   1.755 +  next
   1.756 +    assume "y < y'"
   1.757 +    with 2 show ?thesis by (cases c) auto
   1.758 +  next
   1.759 +    assume "y' < y"
   1.760 +    with 2 show ?thesis by (cases c) auto
   1.761 +  qed
   1.762 +next
   1.763 +  case (3 y lt z v rta y' ss bb) 
   1.764 +  thus ?case by (cases "color_of (Branch B lt z v rta) = B \<and> color_of bb = B") (simp add: balance_left_inv2_with_inv1 balance_left_inv1 balance_left_inv1l)+
   1.765 +next
   1.766 +  case (5 y a y' ss lt z v rta)
   1.767 +  thus ?case by (cases "color_of a = B \<and> color_of (Branch B lt z v rta) = B") (simp add: balance_right_inv2_with_inv1 balance_right_inv1 balance_right_inv1l)+
   1.768 +next
   1.769 +  case ("6_1" y a y' ss) thus ?case by (cases "color_of a = B \<and> color_of Empty = B") simp+
   1.770 +qed auto
   1.771 +
   1.772 +lemma 
   1.773 +  del_from_left_tree_less: "\<lbrakk>tree_less v lt; tree_less v rt; k < v\<rbrakk> \<Longrightarrow> tree_less v (del_from_left x lt k y rt)"
   1.774 +  and del_from_right_tree_less: "\<lbrakk>tree_less v lt; tree_less v rt; k < v\<rbrakk> \<Longrightarrow> tree_less v (del_from_right x lt k y rt)"
   1.775 +  and del_tree_less: "tree_less v lt \<Longrightarrow> tree_less v (del x lt)"
   1.776 +by (induct x lt k y rt and x lt k y rt and x lt rule: del_from_left_del_from_right_del.induct) 
   1.777 +   (auto simp: balance_left_tree_less balance_right_tree_less)
   1.778 +
   1.779 +lemma del_from_left_tree_greater: "\<lbrakk>tree_greater v lt; tree_greater v rt; k > v\<rbrakk> \<Longrightarrow> tree_greater v (del_from_left x lt k y rt)"
   1.780 +  and del_from_right_tree_greater: "\<lbrakk>tree_greater v lt; tree_greater v rt; k > v\<rbrakk> \<Longrightarrow> tree_greater v (del_from_right x lt k y rt)"
   1.781 +  and del_tree_greater: "tree_greater v lt \<Longrightarrow> tree_greater v (del x lt)"
   1.782 +by (induct x lt k y rt and x lt k y rt and x lt rule: del_from_left_del_from_right_del.induct)
   1.783 +   (auto simp: balance_left_tree_greater balance_right_tree_greater)
   1.784 +
   1.785 +lemma "\<lbrakk>sorted lt; sorted rt; tree_less k lt; tree_greater k rt\<rbrakk> \<Longrightarrow> sorted (del_from_left x lt k y rt)"
   1.786 +  and "\<lbrakk>sorted lt; sorted rt; tree_less k lt; tree_greater k rt\<rbrakk> \<Longrightarrow> sorted (del_from_right x lt k y rt)"
   1.787 +  and del_sorted: "sorted lt \<Longrightarrow> sorted (del x lt)"
   1.788 +proof (induct x lt k y rt and x lt k y rt and x lt rule: del_from_left_del_from_right_del.induct)
   1.789 +  case (3 x lta zz v rta yy ss bb)
   1.790 +  from 3 have "tree_less yy (Branch B lta zz v rta)" by simp
   1.791 +  hence "tree_less yy (del x (Branch B lta zz v rta))" by (rule del_tree_less)
   1.792 +  with 3 show ?case by (simp add: balance_left_sorted)
   1.793 +next
   1.794 +  case ("4_2" x vaa vbb vdd vc yy ss bb)
   1.795 +  hence "tree_less yy (Branch R vaa vbb vdd vc)" by simp
   1.796 +  hence "tree_less yy (del x (Branch R vaa vbb vdd vc))" by (rule del_tree_less)
   1.797 +  with "4_2" show ?case by simp
   1.798 +next
   1.799 +  case (5 x aa yy ss lta zz v rta) 
   1.800 +  hence "tree_greater yy (Branch B lta zz v rta)" by simp
   1.801 +  hence "tree_greater yy (del x (Branch B lta zz v rta))" by (rule del_tree_greater)
   1.802 +  with 5 show ?case by (simp add: balance_right_sorted)
   1.803 +next
   1.804 +  case ("6_2" x aa yy ss vaa vbb vdd vc)
   1.805 +  hence "tree_greater yy (Branch R vaa vbb vdd vc)" by simp
   1.806 +  hence "tree_greater yy (del x (Branch R vaa vbb vdd vc))" by (rule del_tree_greater)
   1.807 +  with "6_2" show ?case by simp
   1.808 +qed (auto simp: combine_sorted)
   1.809 +
   1.810 +lemma "\<lbrakk>sorted lt; sorted rt; tree_less kt lt; tree_greater kt rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x < kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (del_from_left x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
   1.811 +  and "\<lbrakk>sorted lt; sorted rt; tree_less kt lt; tree_greater kt rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x > kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (del_from_right x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
   1.812 +  and del_in_tree: "\<lbrakk>sorted t; inv1 t; inv2 t\<rbrakk> \<Longrightarrow> entry_in_tree k v (del x t) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v t))"
   1.813 +proof (induct x lt kt y rt and x lt kt y rt and x t rule: del_from_left_del_from_right_del.induct)
   1.814 +  case (2 xx c aa yy ss bb)
   1.815 +  have "xx = yy \<or> xx < yy \<or> xx > yy" by auto
   1.816 +  from this 2 show ?case proof (elim disjE)
   1.817 +    assume "xx = yy"
   1.818 +    with 2 show ?thesis proof (cases "xx = k")
   1.819 +      case True
   1.820 +      from 2 `xx = yy` `xx = k` have "sorted (Branch c aa yy ss bb) \<and> k = yy" by simp
   1.821 +      hence "\<not> entry_in_tree k v aa" "\<not> entry_in_tree k v bb" by (auto simp: tree_less_nit tree_greater_prop)
   1.822 +      with `xx = yy` 2 `xx = k` show ?thesis by (simp add: combine_in_tree)
   1.823 +    qed (simp add: combine_in_tree)
   1.824 +  qed simp+
   1.825 +next    
   1.826 +  case (3 xx lta zz vv rta yy ss bb)
   1.827 +  def mt[simp]: mt == "Branch B lta zz vv rta"
   1.828 +  from 3 have "inv2 mt \<and> inv1 mt" by simp
   1.829 +  hence "inv2 (del xx mt) \<and> (color_of mt = R \<and> bheight (del xx mt) = bheight mt \<and> inv1 (del xx mt) \<or> color_of mt = B \<and> bheight (del xx mt) = bheight mt - 1 \<and> inv1l (del xx mt))" by (blast dest: del_inv1_inv2)
   1.830 +  with 3 have 4: "entry_in_tree k v (del_from_left xx mt yy ss bb) = (False \<or> xx \<noteq> k \<and> entry_in_tree k v mt \<or> (k = yy \<and> v = ss) \<or> entry_in_tree k v bb)" by (simp add: balance_left_in_tree)
   1.831 +  thus ?case proof (cases "xx = k")
   1.832 +    case True
   1.833 +    from 3 True have "tree_greater yy bb \<and> yy > k" by simp
   1.834 +    hence "tree_greater k bb" by (blast dest: tree_greater_trans)
   1.835 +    with 3 4 True show ?thesis by (auto simp: tree_greater_nit)
   1.836 +  qed auto
   1.837 +next
   1.838 +  case ("4_1" xx yy ss bb)
   1.839 +  show ?case proof (cases "xx = k")
   1.840 +    case True
   1.841 +    with "4_1" have "tree_greater yy bb \<and> k < yy" by simp
   1.842 +    hence "tree_greater k bb" by (blast dest: tree_greater_trans)
   1.843 +    with "4_1" `xx = k` 
   1.844 +   have "entry_in_tree k v (Branch R Empty yy ss bb) = entry_in_tree k v Empty" by (auto simp: tree_greater_nit)
   1.845 +    thus ?thesis by auto
   1.846 +  qed simp+
   1.847 +next
   1.848 +  case ("4_2" xx vaa vbb vdd vc yy ss bb)
   1.849 +  thus ?case proof (cases "xx = k")
   1.850 +    case True
   1.851 +    with "4_2" have "k < yy \<and> tree_greater yy bb" by simp
   1.852 +    hence "tree_greater k bb" by (blast dest: tree_greater_trans)
   1.853 +    with True "4_2" show ?thesis by (auto simp: tree_greater_nit)
   1.854 +  qed auto
   1.855 +next
   1.856 +  case (5 xx aa yy ss lta zz vv rta)
   1.857 +  def mt[simp]: mt == "Branch B lta zz vv rta"
   1.858 +  from 5 have "inv2 mt \<and> inv1 mt" by simp
   1.859 +  hence "inv2 (del xx mt) \<and> (color_of mt = R \<and> bheight (del xx mt) = bheight mt \<and> inv1 (del xx mt) \<or> color_of mt = B \<and> bheight (del xx mt) = bheight mt - 1 \<and> inv1l (del xx mt))" by (blast dest: del_inv1_inv2)
   1.860 +  with 5 have 3: "entry_in_tree k v (del_from_right xx aa yy ss mt) = (entry_in_tree k v aa \<or> (k = yy \<and> v = ss) \<or> False \<or> xx \<noteq> k \<and> entry_in_tree k v mt)" by (simp add: balance_right_in_tree)
   1.861 +  thus ?case proof (cases "xx = k")
   1.862 +    case True
   1.863 +    from 5 True have "tree_less yy aa \<and> yy < k" by simp
   1.864 +    hence "tree_less k aa" by (blast dest: tree_less_trans)
   1.865 +    with 3 5 True show ?thesis by (auto simp: tree_less_nit)
   1.866 +  qed auto
   1.867 +next
   1.868 +  case ("6_1" xx aa yy ss)
   1.869 +  show ?case proof (cases "xx = k")
   1.870 +    case True
   1.871 +    with "6_1" have "tree_less yy aa \<and> k > yy" by simp
   1.872 +    hence "tree_less k aa" by (blast dest: tree_less_trans)
   1.873 +    with "6_1" `xx = k` show ?thesis by (auto simp: tree_less_nit)
   1.874 +  qed simp
   1.875 +next
   1.876 +  case ("6_2" xx aa yy ss vaa vbb vdd vc)
   1.877 +  thus ?case proof (cases "xx = k")
   1.878 +    case True
   1.879 +    with "6_2" have "k > yy \<and> tree_less yy aa" by simp
   1.880 +    hence "tree_less k aa" by (blast dest: tree_less_trans)
   1.881 +    with True "6_2" show ?thesis by (auto simp: tree_less_nit)
   1.882 +  qed auto
   1.883 +qed simp
   1.884 +
   1.885 +
   1.886 +definition delete where
   1.887 +  delete_def: "delete k t = paint B (del k t)"
   1.888 +
   1.889 +theorem delete_is_rbt [simp]: assumes "is_rbt t" shows "is_rbt (delete k t)"
   1.890 +proof -
   1.891 +  from assms have "inv2 t" and "inv1 t" unfolding is_rbt_def by auto 
   1.892 +  hence "inv2 (del k t) \<and> (color_of t = R \<and> bheight (del k t) = bheight t \<and> inv1 (del k t) \<or> color_of t = B \<and> bheight (del k t) = bheight t - 1 \<and> inv1l (del k t))" by (rule del_inv1_inv2)
   1.893 +  hence "inv2 (del k t) \<and> inv1l (del k t)" by (cases "color_of t") auto
   1.894 +  with assms show ?thesis
   1.895 +    unfolding is_rbt_def delete_def
   1.896 +    by (auto intro: paint_sorted del_sorted)
   1.897 +qed
   1.898 +
   1.899 +lemma delete_in_tree: 
   1.900 +  assumes "is_rbt t" 
   1.901 +  shows "entry_in_tree k v (delete x t) = (x \<noteq> k \<and> entry_in_tree k v t)"
   1.902 +  using assms unfolding is_rbt_def delete_def
   1.903 +  by (auto simp: del_in_tree)
   1.904 +
   1.905 +lemma lookup_delete:
   1.906 +  assumes is_rbt: "is_rbt t"
   1.907 +  shows "lookup (delete k t) = (lookup t)|`(-{k})"
   1.908 +proof
   1.909 +  fix x
   1.910 +  show "lookup (delete k t) x = (lookup t |` (-{k})) x" 
   1.911 +  proof (cases "x = k")
   1.912 +    assume "x = k" 
   1.913 +    with is_rbt show ?thesis
   1.914 +      by (cases "lookup (delete k t) k") (auto simp: lookup_in_tree delete_in_tree)
   1.915 +  next
   1.916 +    assume "x \<noteq> k"
   1.917 +    thus ?thesis
   1.918 +      by auto (metis is_rbt delete_is_rbt delete_in_tree is_rbt_sorted lookup_from_in_tree)
   1.919 +  qed
   1.920 +qed
   1.921 +
   1.922 +
   1.923 +subsection {* Union *}
   1.924 +
   1.925 +primrec
   1.926 +  union_with_key :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   1.927 +where
   1.928 +  "union_with_key f t Empty = t"
   1.929 +| "union_with_key f t (Branch c lt k v rt) = union_with_key f (union_with_key f (insert_with_key f k v t) lt) rt"
   1.930 +
   1.931 +lemma unionwk_sorted: "sorted lt \<Longrightarrow> sorted (union_with_key f lt rt)" 
   1.932 +  by (induct rt arbitrary: lt) (auto simp: insertwk_sorted)
   1.933 +theorem unionwk_is_rbt[simp]: "is_rbt lt \<Longrightarrow> is_rbt (union_with_key f lt rt)" 
   1.934 +  by (induct rt arbitrary: lt) (simp add: insertwk_is_rbt)+
   1.935 +
   1.936 +definition
   1.937 +  union_with where
   1.938 +  "union_with f = union_with_key (\<lambda>_. f)"
   1.939 +
   1.940 +theorem unionw_is_rbt: "is_rbt lt \<Longrightarrow> is_rbt (union_with f lt rt)" unfolding union_with_def by simp
   1.941 +
   1.942 +definition union where
   1.943 +  "union = union_with_key (%_ _ rv. rv)"
   1.944 +
   1.945 +theorem union_is_rbt: "is_rbt lt \<Longrightarrow> is_rbt (union lt rt)" unfolding union_def by simp
   1.946 +
   1.947 +lemma union_Branch[simp]:
   1.948 +  "union t (Branch c lt k v rt) = union (union (insert k v t) lt) rt"
   1.949 +  unfolding union_def insert_def
   1.950 +  by simp
   1.951 +
   1.952 +lemma lookup_union:
   1.953 +  assumes "is_rbt s" "sorted t"
   1.954 +  shows "lookup (union s t) = lookup s ++ lookup t"
   1.955 +using assms
   1.956 +proof (induct t arbitrary: s)
   1.957 +  case Empty thus ?case by (auto simp: union_def)
   1.958 +next
   1.959 +  case (Branch c l k v r s)
   1.960 +  then have "sorted r" "sorted l" "l |\<guillemotleft> k" "k \<guillemotleft>| r" by auto
   1.961 +
   1.962 +  have meq: "lookup s(k \<mapsto> v) ++ lookup l ++ lookup r =
   1.963 +    lookup s ++
   1.964 +    (\<lambda>a. if a < k then lookup l a
   1.965 +    else if k < a then lookup r a else Some v)" (is "?m1 = ?m2")
   1.966 +  proof (rule ext)
   1.967 +    fix a
   1.968 +
   1.969 +   have "k < a \<or> k = a \<or> k > a" by auto
   1.970 +    thus "?m1 a = ?m2 a"
   1.971 +    proof (elim disjE)
   1.972 +      assume "k < a"
   1.973 +      with `l |\<guillemotleft> k` have "l |\<guillemotleft> a" by (rule tree_less_trans)
   1.974 +      with `k < a` show ?thesis
   1.975 +        by (auto simp: map_add_def split: option.splits)
   1.976 +    next
   1.977 +      assume "k = a"
   1.978 +      with `l |\<guillemotleft> k` `k \<guillemotleft>| r` 
   1.979 +      show ?thesis by (auto simp: map_add_def)
   1.980 +    next
   1.981 +      assume "a < k"
   1.982 +      from this `k \<guillemotleft>| r` have "a \<guillemotleft>| r" by (rule tree_greater_trans)
   1.983 +      with `a < k` show ?thesis
   1.984 +        by (auto simp: map_add_def split: option.splits)
   1.985 +    qed
   1.986 +  qed
   1.987 +
   1.988 +  from Branch have is_rbt: "is_rbt (RBT_Impl.union (RBT_Impl.insert k v s) l)"
   1.989 +    by (auto intro: union_is_rbt insert_is_rbt)
   1.990 +  with Branch have IHs:
   1.991 +    "lookup (union (union (insert k v s) l) r) = lookup (union (insert k v s) l) ++ lookup r"
   1.992 +    "lookup (union (insert k v s) l) = lookup (insert k v s) ++ lookup l"
   1.993 +    by auto
   1.994 +  
   1.995 +  with meq show ?case
   1.996 +    by (auto simp: lookup_insert[OF Branch(3)])
   1.997 +
   1.998 +qed
   1.999 +
  1.1000 +
  1.1001 +subsection {* Modifying existing entries *}
  1.1002 +
  1.1003 +primrec
  1.1004 +  map_entry :: "'a\<Colon>linorder \<Rightarrow> ('b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
  1.1005 +where
  1.1006 +  "map_entry k f Empty = Empty"
  1.1007 +| "map_entry k f (Branch c lt x v rt) =
  1.1008 +    (if k < x then Branch c (map_entry k f lt) x v rt
  1.1009 +    else if k > x then (Branch c lt x v (map_entry k f rt))
  1.1010 +    else Branch c lt x (f v) rt)"
  1.1011 +
  1.1012 +lemma map_entry_color_of: "color_of (map_entry k f t) = color_of t" by (induct t) simp+
  1.1013 +lemma map_entry_inv1: "inv1 (map_entry k f t) = inv1 t" by (induct t) (simp add: map_entry_color_of)+
  1.1014 +lemma map_entry_inv2: "inv2 (map_entry k f t) = inv2 t" "bheight (map_entry k f t) = bheight t" by (induct t) simp+
  1.1015 +lemma map_entry_tree_greater: "tree_greater a (map_entry k f t) = tree_greater a t" by (induct t) simp+
  1.1016 +lemma map_entry_tree_less: "tree_less a (map_entry k f t) = tree_less a t" by (induct t) simp+
  1.1017 +lemma map_entry_sorted: "sorted (map_entry k f t) = sorted t"
  1.1018 +  by (induct t) (simp_all add: map_entry_tree_less map_entry_tree_greater)
  1.1019 +
  1.1020 +theorem map_entry_is_rbt [simp]: "is_rbt (map_entry k f t) = is_rbt t" 
  1.1021 +unfolding is_rbt_def by (simp add: map_entry_inv2 map_entry_color_of map_entry_sorted map_entry_inv1 )
  1.1022 +
  1.1023 +theorem lookup_map_entry:
  1.1024 +  "lookup (map_entry k f t) = (lookup t)(k := Option.map f (lookup t k))"
  1.1025 +  by (induct t) (auto split: option.splits simp add: expand_fun_eq)
  1.1026 +
  1.1027 +
  1.1028 +subsection {* Mapping all entries *}
  1.1029 +
  1.1030 +primrec
  1.1031 +  map :: "('a \<Rightarrow> 'b \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'c) rbt"
  1.1032 +where
  1.1033 +  "map f Empty = Empty"
  1.1034 +| "map f (Branch c lt k v rt) = Branch c (map f lt) k (f k v) (map f rt)"
  1.1035 +
  1.1036 +lemma map_entries [simp]: "entries (map f t) = List.map (\<lambda>(k, v). (k, f k v)) (entries t)"
  1.1037 +  by (induct t) auto
  1.1038 +lemma map_keys [simp]: "keys (map f t) = keys t" by (simp add: keys_def split_def)
  1.1039 +lemma map_tree_greater: "tree_greater k (map f t) = tree_greater k t" by (induct t) simp+
  1.1040 +lemma map_tree_less: "tree_less k (map f t) = tree_less k t" by (induct t) simp+
  1.1041 +lemma map_sorted: "sorted (map f t) = sorted t"  by (induct t) (simp add: map_tree_less map_tree_greater)+
  1.1042 +lemma map_color_of: "color_of (map f t) = color_of t" by (induct t) simp+
  1.1043 +lemma map_inv1: "inv1 (map f t) = inv1 t" by (induct t) (simp add: map_color_of)+
  1.1044 +lemma map_inv2: "inv2 (map f t) = inv2 t" "bheight (map f t) = bheight t" by (induct t) simp+
  1.1045 +theorem map_is_rbt [simp]: "is_rbt (map f t) = is_rbt t" 
  1.1046 +unfolding is_rbt_def by (simp add: map_inv1 map_inv2 map_sorted map_color_of)
  1.1047 +
  1.1048 +theorem lookup_map: "lookup (map f t) x = Option.map (f x) (lookup t x)"
  1.1049 +  by (induct t) auto
  1.1050 +
  1.1051 +
  1.1052 +subsection {* Folding over entries *}
  1.1053 +
  1.1054 +definition fold :: "('a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c" where
  1.1055 +  "fold f t s = foldl (\<lambda>s (k, v). f k v s) s (entries t)"
  1.1056 +
  1.1057 +lemma fold_simps [simp, code]:
  1.1058 +  "fold f Empty = id"
  1.1059 +  "fold f (Branch c lt k v rt) = fold f rt \<circ> f k v \<circ> fold f lt"
  1.1060 +  by (simp_all add: fold_def expand_fun_eq)
  1.1061 +
  1.1062 +
  1.1063 +subsection {* Bulkloading a tree *}
  1.1064 +
  1.1065 +definition bulkload :: "('a \<times> 'b) list \<Rightarrow> ('a\<Colon>linorder, 'b) rbt" where
  1.1066 +  "bulkload xs = foldr (\<lambda>(k, v). insert k v) xs Empty"
  1.1067 +
  1.1068 +lemma bulkload_is_rbt [simp, intro]:
  1.1069 +  "is_rbt (bulkload xs)"
  1.1070 +  unfolding bulkload_def by (induct xs) auto
  1.1071 +
  1.1072 +lemma lookup_bulkload:
  1.1073 +  "lookup (bulkload xs) = map_of xs"
  1.1074 +proof -
  1.1075 +  obtain ys where "ys = rev xs" by simp
  1.1076 +  have "\<And>t. is_rbt t \<Longrightarrow>
  1.1077 +    lookup (foldl (\<lambda>t (k, v). insert k v t) t ys) = lookup t ++ map_of (rev ys)"
  1.1078 +      by (induct ys) (simp_all add: bulkload_def split_def lookup_insert)
  1.1079 +  from this Empty_is_rbt have
  1.1080 +    "lookup (foldl (\<lambda>t (k, v). insert k v t) Empty (rev xs)) = lookup Empty ++ map_of xs"
  1.1081 +     by (simp add: `ys = rev xs`)
  1.1082 +  then show ?thesis by (simp add: bulkload_def foldl_foldr lookup_Empty split_def)
  1.1083 +qed
  1.1084 +
  1.1085 +hide (open) const Empty insert delete entries keys bulkload lookup map_entry map fold union sorted
  1.1086 +
  1.1087 +end