src/HOL/Library/RBT_Impl.thy
 author haftmann Sun Oct 08 22:28:21 2017 +0200 (2017-10-08) changeset 66808 1907167b6038 parent 64246 15d1ee6e847b child 67408 4a4c14b24800 permissions -rw-r--r--
elementary definition of division on natural numbers
```     1 (*  Title:      HOL/Library/RBT_Impl.thy
```
```     2     Author:     Markus Reiter, TU Muenchen
```
```     3     Author:     Alexander Krauss, TU Muenchen
```
```     4 *)
```
```     5
```
```     6 section \<open>Implementation of Red-Black Trees\<close>
```
```     7
```
```     8 theory RBT_Impl
```
```     9 imports Main
```
```    10 begin
```
```    11
```
```    12 text \<open>
```
```    13   For applications, you should use theory \<open>RBT\<close> which defines
```
```    14   an abstract type of red-black tree obeying the invariant.
```
```    15 \<close>
```
```    16
```
```    17 subsection \<open>Datatype of RB trees\<close>
```
```    18
```
```    19 datatype color = R | B
```
```    20 datatype ('a, 'b) rbt = Empty | Branch color "('a, 'b) rbt" 'a 'b "('a, 'b) rbt"
```
```    21
```
```    22 lemma rbt_cases:
```
```    23   obtains (Empty) "t = Empty"
```
```    24   | (Red) l k v r where "t = Branch R l k v r"
```
```    25   | (Black) l k v r where "t = Branch B l k v r"
```
```    26 proof (cases t)
```
```    27   case Empty with that show thesis by blast
```
```    28 next
```
```    29   case (Branch c) with that show thesis by (cases c) blast+
```
```    30 qed
```
```    31
```
```    32 subsection \<open>Tree properties\<close>
```
```    33
```
```    34 subsubsection \<open>Content of a tree\<close>
```
```    35
```
```    36 primrec entries :: "('a, 'b) rbt \<Rightarrow> ('a \<times> 'b) list"
```
```    37 where
```
```    38   "entries Empty = []"
```
```    39 | "entries (Branch _ l k v r) = entries l @ (k,v) # entries r"
```
```    40
```
```    41 abbreviation (input) entry_in_tree :: "'a \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
```
```    42 where
```
```    43   "entry_in_tree k v t \<equiv> (k, v) \<in> set (entries t)"
```
```    44
```
```    45 definition keys :: "('a, 'b) rbt \<Rightarrow> 'a list" where
```
```    46   "keys t = map fst (entries t)"
```
```    47
```
```    48 lemma keys_simps [simp, code]:
```
```    49   "keys Empty = []"
```
```    50   "keys (Branch c l k v r) = keys l @ k # keys r"
```
```    51   by (simp_all add: keys_def)
```
```    52
```
```    53 lemma entry_in_tree_keys:
```
```    54   assumes "(k, v) \<in> set (entries t)"
```
```    55   shows "k \<in> set (keys t)"
```
```    56 proof -
```
```    57   from assms have "fst (k, v) \<in> fst ` set (entries t)" by (rule imageI)
```
```    58   then show ?thesis by (simp add: keys_def)
```
```    59 qed
```
```    60
```
```    61 lemma keys_entries:
```
```    62   "k \<in> set (keys t) \<longleftrightarrow> (\<exists>v. (k, v) \<in> set (entries t))"
```
```    63   by (auto intro: entry_in_tree_keys) (auto simp add: keys_def)
```
```    64
```
```    65 lemma non_empty_rbt_keys:
```
```    66   "t \<noteq> rbt.Empty \<Longrightarrow> keys t \<noteq> []"
```
```    67   by (cases t) simp_all
```
```    68
```
```    69 subsubsection \<open>Search tree properties\<close>
```
```    70
```
```    71 context ord begin
```
```    72
```
```    73 definition rbt_less :: "'a \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
```
```    74 where
```
```    75   rbt_less_prop: "rbt_less k t \<longleftrightarrow> (\<forall>x\<in>set (keys t). x < k)"
```
```    76
```
```    77 abbreviation rbt_less_symbol (infix "|\<guillemotleft>" 50)
```
```    78 where "t |\<guillemotleft> x \<equiv> rbt_less x t"
```
```    79
```
```    80 definition rbt_greater :: "'a \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool" (infix "\<guillemotleft>|" 50)
```
```    81 where
```
```    82   rbt_greater_prop: "rbt_greater k t = (\<forall>x\<in>set (keys t). k < x)"
```
```    83
```
```    84 lemma rbt_less_simps [simp]:
```
```    85   "Empty |\<guillemotleft> k = True"
```
```    86   "Branch c lt kt v rt |\<guillemotleft> k \<longleftrightarrow> kt < k \<and> lt |\<guillemotleft> k \<and> rt |\<guillemotleft> k"
```
```    87   by (auto simp add: rbt_less_prop)
```
```    88
```
```    89 lemma rbt_greater_simps [simp]:
```
```    90   "k \<guillemotleft>| Empty = True"
```
```    91   "k \<guillemotleft>| (Branch c lt kt v rt) \<longleftrightarrow> k < kt \<and> k \<guillemotleft>| lt \<and> k \<guillemotleft>| rt"
```
```    92   by (auto simp add: rbt_greater_prop)
```
```    93
```
```    94 lemmas rbt_ord_props = rbt_less_prop rbt_greater_prop
```
```    95
```
```    96 lemmas rbt_greater_nit = rbt_greater_prop entry_in_tree_keys
```
```    97 lemmas rbt_less_nit = rbt_less_prop entry_in_tree_keys
```
```    98
```
```    99 lemma (in order)
```
```   100   shows rbt_less_eq_trans: "l |\<guillemotleft> u \<Longrightarrow> u \<le> v \<Longrightarrow> l |\<guillemotleft> v"
```
```   101   and rbt_less_trans: "t |\<guillemotleft> x \<Longrightarrow> x < y \<Longrightarrow> t |\<guillemotleft> y"
```
```   102   and rbt_greater_eq_trans: "u \<le> v \<Longrightarrow> v \<guillemotleft>| r \<Longrightarrow> u \<guillemotleft>| r"
```
```   103   and rbt_greater_trans: "x < y \<Longrightarrow> y \<guillemotleft>| t \<Longrightarrow> x \<guillemotleft>| t"
```
```   104   by (auto simp: rbt_ord_props)
```
```   105
```
```   106 primrec rbt_sorted :: "('a, 'b) rbt \<Rightarrow> bool"
```
```   107 where
```
```   108   "rbt_sorted Empty = True"
```
```   109 | "rbt_sorted (Branch c l k v r) = (l |\<guillemotleft> k \<and> k \<guillemotleft>| r \<and> rbt_sorted l \<and> rbt_sorted r)"
```
```   110
```
```   111 end
```
```   112
```
```   113 context linorder begin
```
```   114
```
```   115 lemma rbt_sorted_entries:
```
```   116   "rbt_sorted t \<Longrightarrow> List.sorted (map fst (entries t))"
```
```   117 by (induct t)
```
```   118   (force simp: sorted_append sorted_Cons rbt_ord_props
```
```   119       dest!: entry_in_tree_keys)+
```
```   120
```
```   121 lemma distinct_entries:
```
```   122   "rbt_sorted t \<Longrightarrow> distinct (map fst (entries t))"
```
```   123 by (induct t)
```
```   124   (force simp: sorted_append sorted_Cons rbt_ord_props
```
```   125       dest!: entry_in_tree_keys)+
```
```   126
```
```   127 lemma distinct_keys:
```
```   128   "rbt_sorted t \<Longrightarrow> distinct (keys t)"
```
```   129   by (simp add: distinct_entries keys_def)
```
```   130
```
```   131
```
```   132 subsubsection \<open>Tree lookup\<close>
```
```   133
```
```   134 primrec (in ord) rbt_lookup :: "('a, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"
```
```   135 where
```
```   136   "rbt_lookup Empty k = None"
```
```   137 | "rbt_lookup (Branch _ l x y r) k =
```
```   138    (if k < x then rbt_lookup l k else if x < k then rbt_lookup r k else Some y)"
```
```   139
```
```   140 lemma rbt_lookup_keys: "rbt_sorted t \<Longrightarrow> dom (rbt_lookup t) = set (keys t)"
```
```   141   by (induct t) (auto simp: dom_def rbt_greater_prop rbt_less_prop)
```
```   142
```
```   143 lemma dom_rbt_lookup_Branch:
```
```   144   "rbt_sorted (Branch c t1 k v t2) \<Longrightarrow>
```
```   145     dom (rbt_lookup (Branch c t1 k v t2))
```
```   146     = Set.insert k (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2))"
```
```   147 proof -
```
```   148   assume "rbt_sorted (Branch c t1 k v t2)"
```
```   149   then show ?thesis by (simp add: rbt_lookup_keys)
```
```   150 qed
```
```   151
```
```   152 lemma finite_dom_rbt_lookup [simp, intro!]: "finite (dom (rbt_lookup t))"
```
```   153 proof (induct t)
```
```   154   case Empty then show ?case by simp
```
```   155 next
```
```   156   case (Branch color t1 a b t2)
```
```   157   let ?A = "Set.insert a (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2))"
```
```   158   have "dom (rbt_lookup (Branch color t1 a b t2)) \<subseteq> ?A" by (auto split: if_split_asm)
```
```   159   moreover from Branch have "finite (insert a (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2)))" by simp
```
```   160   ultimately show ?case by (rule finite_subset)
```
```   161 qed
```
```   162
```
```   163 end
```
```   164
```
```   165 context ord begin
```
```   166
```
```   167 lemma rbt_lookup_rbt_less[simp]: "t |\<guillemotleft> k \<Longrightarrow> rbt_lookup t k = None"
```
```   168 by (induct t) auto
```
```   169
```
```   170 lemma rbt_lookup_rbt_greater[simp]: "k \<guillemotleft>| t \<Longrightarrow> rbt_lookup t k = None"
```
```   171 by (induct t) auto
```
```   172
```
```   173 lemma rbt_lookup_Empty: "rbt_lookup Empty = empty"
```
```   174 by (rule ext) simp
```
```   175
```
```   176 end
```
```   177
```
```   178 context linorder begin
```
```   179
```
```   180 lemma map_of_entries:
```
```   181   "rbt_sorted t \<Longrightarrow> map_of (entries t) = rbt_lookup t"
```
```   182 proof (induct t)
```
```   183   case Empty thus ?case by (simp add: rbt_lookup_Empty)
```
```   184 next
```
```   185   case (Branch c t1 k v t2)
```
```   186   have "rbt_lookup (Branch c t1 k v t2) = rbt_lookup t2 ++ [k\<mapsto>v] ++ rbt_lookup t1"
```
```   187   proof (rule ext)
```
```   188     fix x
```
```   189     from Branch have RBT_SORTED: "rbt_sorted (Branch c t1 k v t2)" by simp
```
```   190     let ?thesis = "rbt_lookup (Branch c t1 k v t2) x = (rbt_lookup t2 ++ [k \<mapsto> v] ++ rbt_lookup t1) x"
```
```   191
```
```   192     have DOM_T1: "!!k'. k'\<in>dom (rbt_lookup t1) \<Longrightarrow> k>k'"
```
```   193     proof -
```
```   194       fix k'
```
```   195       from RBT_SORTED have "t1 |\<guillemotleft> k" by simp
```
```   196       with rbt_less_prop have "\<forall>k'\<in>set (keys t1). k>k'" by auto
```
```   197       moreover assume "k'\<in>dom (rbt_lookup t1)"
```
```   198       ultimately show "k>k'" using rbt_lookup_keys RBT_SORTED by auto
```
```   199     qed
```
```   200
```
```   201     have DOM_T2: "!!k'. k'\<in>dom (rbt_lookup t2) \<Longrightarrow> k<k'"
```
```   202     proof -
```
```   203       fix k'
```
```   204       from RBT_SORTED have "k \<guillemotleft>| t2" by simp
```
```   205       with rbt_greater_prop have "\<forall>k'\<in>set (keys t2). k<k'" by auto
```
```   206       moreover assume "k'\<in>dom (rbt_lookup t2)"
```
```   207       ultimately show "k<k'" using rbt_lookup_keys RBT_SORTED by auto
```
```   208     qed
```
```   209
```
```   210     {
```
```   211       assume C: "x<k"
```
```   212       hence "rbt_lookup (Branch c t1 k v t2) x = rbt_lookup t1 x" by simp
```
```   213       moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
```
```   214       moreover have "x \<notin> dom (rbt_lookup t2)"
```
```   215       proof
```
```   216         assume "x \<in> dom (rbt_lookup t2)"
```
```   217         with DOM_T2 have "k<x" by blast
```
```   218         with C show False by simp
```
```   219       qed
```
```   220       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
```
```   221     } moreover {
```
```   222       assume [simp]: "x=k"
```
```   223       hence "rbt_lookup (Branch c t1 k v t2) x = [k \<mapsto> v] x" by simp
```
```   224       moreover have "x \<notin> dom (rbt_lookup t1)"
```
```   225       proof
```
```   226         assume "x \<in> dom (rbt_lookup t1)"
```
```   227         with DOM_T1 have "k>x" by blast
```
```   228         thus False by simp
```
```   229       qed
```
```   230       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
```
```   231     } moreover {
```
```   232       assume C: "x>k"
```
```   233       hence "rbt_lookup (Branch c t1 k v t2) x = rbt_lookup t2 x" by (simp add: less_not_sym[of k x])
```
```   234       moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
```
```   235       moreover have "x\<notin>dom (rbt_lookup t1)" proof
```
```   236         assume "x\<in>dom (rbt_lookup t1)"
```
```   237         with DOM_T1 have "k>x" by simp
```
```   238         with C show False by simp
```
```   239       qed
```
```   240       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
```
```   241     } ultimately show ?thesis using less_linear by blast
```
```   242   qed
```
```   243   also from Branch
```
```   244   have "rbt_lookup t2 ++ [k \<mapsto> v] ++ rbt_lookup t1 = map_of (entries (Branch c t1 k v t2))" by simp
```
```   245   finally show ?case by simp
```
```   246 qed
```
```   247
```
```   248 lemma rbt_lookup_in_tree: "rbt_sorted t \<Longrightarrow> rbt_lookup t k = Some v \<longleftrightarrow> (k, v) \<in> set (entries t)"
```
```   249   by (simp add: map_of_entries [symmetric] distinct_entries)
```
```   250
```
```   251 lemma set_entries_inject:
```
```   252   assumes rbt_sorted: "rbt_sorted t1" "rbt_sorted t2"
```
```   253   shows "set (entries t1) = set (entries t2) \<longleftrightarrow> entries t1 = entries t2"
```
```   254 proof -
```
```   255   from rbt_sorted have "distinct (map fst (entries t1))"
```
```   256     "distinct (map fst (entries t2))"
```
```   257     by (auto intro: distinct_entries)
```
```   258   with rbt_sorted show ?thesis
```
```   259     by (auto intro: map_sorted_distinct_set_unique rbt_sorted_entries simp add: distinct_map)
```
```   260 qed
```
```   261
```
```   262 lemma entries_eqI:
```
```   263   assumes rbt_sorted: "rbt_sorted t1" "rbt_sorted t2"
```
```   264   assumes rbt_lookup: "rbt_lookup t1 = rbt_lookup t2"
```
```   265   shows "entries t1 = entries t2"
```
```   266 proof -
```
```   267   from rbt_sorted rbt_lookup have "map_of (entries t1) = map_of (entries t2)"
```
```   268     by (simp add: map_of_entries)
```
```   269   with rbt_sorted have "set (entries t1) = set (entries t2)"
```
```   270     by (simp add: map_of_inject_set distinct_entries)
```
```   271   with rbt_sorted show ?thesis by (simp add: set_entries_inject)
```
```   272 qed
```
```   273
```
```   274 lemma entries_rbt_lookup:
```
```   275   assumes "rbt_sorted t1" "rbt_sorted t2"
```
```   276   shows "entries t1 = entries t2 \<longleftrightarrow> rbt_lookup t1 = rbt_lookup t2"
```
```   277   using assms by (auto intro: entries_eqI simp add: map_of_entries [symmetric])
```
```   278
```
```   279 lemma rbt_lookup_from_in_tree:
```
```   280   assumes "rbt_sorted t1" "rbt_sorted t2"
```
```   281   and "\<And>v. (k, v) \<in> set (entries t1) \<longleftrightarrow> (k, v) \<in> set (entries t2)"
```
```   282   shows "rbt_lookup t1 k = rbt_lookup t2 k"
```
```   283 proof -
```
```   284   from assms have "k \<in> dom (rbt_lookup t1) \<longleftrightarrow> k \<in> dom (rbt_lookup t2)"
```
```   285     by (simp add: keys_entries rbt_lookup_keys)
```
```   286   with assms show ?thesis by (auto simp add: rbt_lookup_in_tree [symmetric])
```
```   287 qed
```
```   288
```
```   289 end
```
```   290
```
```   291 subsubsection \<open>Red-black properties\<close>
```
```   292
```
```   293 primrec color_of :: "('a, 'b) rbt \<Rightarrow> color"
```
```   294 where
```
```   295   "color_of Empty = B"
```
```   296 | "color_of (Branch c _ _ _ _) = c"
```
```   297
```
```   298 primrec bheight :: "('a,'b) rbt \<Rightarrow> nat"
```
```   299 where
```
```   300   "bheight Empty = 0"
```
```   301 | "bheight (Branch c lt k v rt) = (if c = B then Suc (bheight lt) else bheight lt)"
```
```   302
```
```   303 primrec inv1 :: "('a, 'b) rbt \<Rightarrow> bool"
```
```   304 where
```
```   305   "inv1 Empty = True"
```
```   306 | "inv1 (Branch c lt k v rt) \<longleftrightarrow> inv1 lt \<and> inv1 rt \<and> (c = B \<or> color_of lt = B \<and> color_of rt = B)"
```
```   307
```
```   308 primrec inv1l :: "('a, 'b) rbt \<Rightarrow> bool" \<comment> \<open>Weaker version\<close>
```
```   309 where
```
```   310   "inv1l Empty = True"
```
```   311 | "inv1l (Branch c l k v r) = (inv1 l \<and> inv1 r)"
```
```   312 lemma [simp]: "inv1 t \<Longrightarrow> inv1l t" by (cases t) simp+
```
```   313
```
```   314 primrec inv2 :: "('a, 'b) rbt \<Rightarrow> bool"
```
```   315 where
```
```   316   "inv2 Empty = True"
```
```   317 | "inv2 (Branch c lt k v rt) = (inv2 lt \<and> inv2 rt \<and> bheight lt = bheight rt)"
```
```   318
```
```   319 context ord begin
```
```   320
```
```   321 definition is_rbt :: "('a, 'b) rbt \<Rightarrow> bool" where
```
```   322   "is_rbt t \<longleftrightarrow> inv1 t \<and> inv2 t \<and> color_of t = B \<and> rbt_sorted t"
```
```   323
```
```   324 lemma is_rbt_rbt_sorted [simp]:
```
```   325   "is_rbt t \<Longrightarrow> rbt_sorted t" by (simp add: is_rbt_def)
```
```   326
```
```   327 theorem Empty_is_rbt [simp]:
```
```   328   "is_rbt Empty" by (simp add: is_rbt_def)
```
```   329
```
```   330 end
```
```   331
```
```   332 subsection \<open>Insertion\<close>
```
```   333
```
```   334 text \<open>The function definitions are based on the book by Okasaki.\<close>
```
```   335
```
```   336 fun (* slow, due to massive case splitting *)
```
```   337   balance :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   338 where
```
```   339   "balance (Branch R a w x b) s t (Branch R c y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
```
```   340   "balance (Branch R (Branch R a w x b) s t c) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
```
```   341   "balance (Branch R a w x (Branch R b s t c)) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
```
```   342   "balance a w x (Branch R b s t (Branch R c y z d)) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
```
```   343   "balance a w x (Branch R (Branch R b s t c) y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
```
```   344   "balance a s t b = Branch B a s t b"
```
```   345
```
```   346 lemma balance_inv1: "\<lbrakk>inv1l l; inv1l r\<rbrakk> \<Longrightarrow> inv1 (balance l k v r)"
```
```   347   by (induct l k v r rule: balance.induct) auto
```
```   348
```
```   349 lemma balance_bheight: "bheight l = bheight r \<Longrightarrow> bheight (balance l k v r) = Suc (bheight l)"
```
```   350   by (induct l k v r rule: balance.induct) auto
```
```   351
```
```   352 lemma balance_inv2:
```
```   353   assumes "inv2 l" "inv2 r" "bheight l = bheight r"
```
```   354   shows "inv2 (balance l k v r)"
```
```   355   using assms
```
```   356   by (induct l k v r rule: balance.induct) auto
```
```   357
```
```   358 context ord begin
```
```   359
```
```   360 lemma balance_rbt_greater[simp]: "(v \<guillemotleft>| balance a k x b) = (v \<guillemotleft>| a \<and> v \<guillemotleft>| b \<and> v < k)"
```
```   361   by (induct a k x b rule: balance.induct) auto
```
```   362
```
```   363 lemma balance_rbt_less[simp]: "(balance a k x b |\<guillemotleft> v) = (a |\<guillemotleft> v \<and> b |\<guillemotleft> v \<and> k < v)"
```
```   364   by (induct a k x b rule: balance.induct) auto
```
```   365
```
```   366 end
```
```   367
```
```   368 lemma (in linorder) balance_rbt_sorted:
```
```   369   fixes k :: "'a"
```
```   370   assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
```
```   371   shows "rbt_sorted (balance l k v r)"
```
```   372 using assms proof (induct l k v r rule: balance.induct)
```
```   373   case ("2_2" a x w b y t c z s va vb vd vc)
```
```   374   hence "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc"
```
```   375     by (auto simp add: rbt_ord_props)
```
```   376   hence "y \<guillemotleft>| (Branch B va vb vd vc)" by (blast dest: rbt_greater_trans)
```
```   377   with "2_2" show ?case by simp
```
```   378 next
```
```   379   case ("3_2" va vb vd vc x w b y s c z)
```
```   380   from "3_2" have "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x"
```
```   381     by simp
```
```   382   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
```
```   383   with "3_2" show ?case by simp
```
```   384 next
```
```   385   case ("3_3" x w b y s c z t va vb vd vc)
```
```   386   from "3_3" have "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" by simp
```
```   387   hence "y \<guillemotleft>| Branch B va vb vd vc" by (blast dest: rbt_greater_trans)
```
```   388   with "3_3" show ?case by simp
```
```   389 next
```
```   390   case ("3_4" vd ve vg vf x w b y s c z t va vb vii vc)
```
```   391   hence "x < y \<and> Branch B vd ve vg vf |\<guillemotleft> x" by simp
```
```   392   hence 1: "Branch B vd ve vg vf |\<guillemotleft> y" by (blast dest: rbt_less_trans)
```
```   393   from "3_4" have "y < z \<and> z \<guillemotleft>| Branch B va vb vii vc" by simp
```
```   394   hence "y \<guillemotleft>| Branch B va vb vii vc" by (blast dest: rbt_greater_trans)
```
```   395   with 1 "3_4" show ?case by simp
```
```   396 next
```
```   397   case ("4_2" va vb vd vc x w b y s c z t dd)
```
```   398   hence "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" by simp
```
```   399   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
```
```   400   with "4_2" show ?case by simp
```
```   401 next
```
```   402   case ("5_2" x w b y s c z t va vb vd vc)
```
```   403   hence "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" by simp
```
```   404   hence "y \<guillemotleft>| Branch B va vb vd vc" by (blast dest: rbt_greater_trans)
```
```   405   with "5_2" show ?case by simp
```
```   406 next
```
```   407   case ("5_3" va vb vd vc x w b y s c z t)
```
```   408   hence "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" by simp
```
```   409   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
```
```   410   with "5_3" show ?case by simp
```
```   411 next
```
```   412   case ("5_4" va vb vg vc x w b y s c z t vd ve vii vf)
```
```   413   hence "x < y \<and> Branch B va vb vg vc |\<guillemotleft> x" by simp
```
```   414   hence 1: "Branch B va vb vg vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
```
```   415   from "5_4" have "y < z \<and> z \<guillemotleft>| Branch B vd ve vii vf" by simp
```
```   416   hence "y \<guillemotleft>| Branch B vd ve vii vf" by (blast dest: rbt_greater_trans)
```
```   417   with 1 "5_4" show ?case by simp
```
```   418 qed simp+
```
```   419
```
```   420 lemma entries_balance [simp]:
```
```   421   "entries (balance l k v r) = entries l @ (k, v) # entries r"
```
```   422   by (induct l k v r rule: balance.induct) auto
```
```   423
```
```   424 lemma keys_balance [simp]:
```
```   425   "keys (balance l k v r) = keys l @ k # keys r"
```
```   426   by (simp add: keys_def)
```
```   427
```
```   428 lemma balance_in_tree:
```
```   429   "entry_in_tree k x (balance l v y r) \<longleftrightarrow> entry_in_tree k x l \<or> k = v \<and> x = y \<or> entry_in_tree k x r"
```
```   430   by (auto simp add: keys_def)
```
```   431
```
```   432 lemma (in linorder) rbt_lookup_balance[simp]:
```
```   433 fixes k :: "'a"
```
```   434 assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
```
```   435 shows "rbt_lookup (balance l k v r) x = rbt_lookup (Branch B l k v r) x"
```
```   436 by (rule rbt_lookup_from_in_tree) (auto simp:assms balance_in_tree balance_rbt_sorted)
```
```   437
```
```   438 primrec paint :: "color \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   439 where
```
```   440   "paint c Empty = Empty"
```
```   441 | "paint c (Branch _ l k v r) = Branch c l k v r"
```
```   442
```
```   443 lemma paint_inv1l[simp]: "inv1l t \<Longrightarrow> inv1l (paint c t)" by (cases t) auto
```
```   444 lemma paint_inv1[simp]: "inv1l t \<Longrightarrow> inv1 (paint B t)" by (cases t) auto
```
```   445 lemma paint_inv2[simp]: "inv2 t \<Longrightarrow> inv2 (paint c t)" by (cases t) auto
```
```   446 lemma paint_color_of[simp]: "color_of (paint B t) = B" by (cases t) auto
```
```   447 lemma paint_in_tree[simp]: "entry_in_tree k x (paint c t) = entry_in_tree k x t" by (cases t) auto
```
```   448
```
```   449 context ord begin
```
```   450
```
```   451 lemma paint_rbt_sorted[simp]: "rbt_sorted t \<Longrightarrow> rbt_sorted (paint c t)" by (cases t) auto
```
```   452 lemma paint_rbt_lookup[simp]: "rbt_lookup (paint c t) = rbt_lookup t" by (rule ext) (cases t, auto)
```
```   453 lemma paint_rbt_greater[simp]: "(v \<guillemotleft>| paint c t) = (v \<guillemotleft>| t)" by (cases t) auto
```
```   454 lemma paint_rbt_less[simp]: "(paint c t |\<guillemotleft> v) = (t |\<guillemotleft> v)" by (cases t) auto
```
```   455
```
```   456 fun
```
```   457   rbt_ins :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   458 where
```
```   459   "rbt_ins f k v Empty = Branch R Empty k v Empty" |
```
```   460   "rbt_ins f k v (Branch B l x y r) = (if k < x then balance (rbt_ins f k v l) x y r
```
```   461                                        else if k > x then balance l x y (rbt_ins f k v r)
```
```   462                                        else Branch B l x (f k y v) r)" |
```
```   463   "rbt_ins f k v (Branch R l x y r) = (if k < x then Branch R (rbt_ins f k v l) x y r
```
```   464                                        else if k > x then Branch R l x y (rbt_ins f k v r)
```
```   465                                        else Branch R l x (f k y v) r)"
```
```   466
```
```   467 lemma ins_inv1_inv2:
```
```   468   assumes "inv1 t" "inv2 t"
```
```   469   shows "inv2 (rbt_ins f k x t)" "bheight (rbt_ins f k x t) = bheight t"
```
```   470   "color_of t = B \<Longrightarrow> inv1 (rbt_ins f k x t)" "inv1l (rbt_ins f k x t)"
```
```   471   using assms
```
```   472   by (induct f k x t rule: rbt_ins.induct) (auto simp: balance_inv1 balance_inv2 balance_bheight)
```
```   473
```
```   474 end
```
```   475
```
```   476 context linorder begin
```
```   477
```
```   478 lemma ins_rbt_greater[simp]: "(v \<guillemotleft>| rbt_ins f (k :: 'a) x t) = (v \<guillemotleft>| t \<and> k > v)"
```
```   479   by (induct f k x t rule: rbt_ins.induct) auto
```
```   480 lemma ins_rbt_less[simp]: "(rbt_ins f k x t |\<guillemotleft> v) = (t |\<guillemotleft> v \<and> k < v)"
```
```   481   by (induct f k x t rule: rbt_ins.induct) auto
```
```   482 lemma ins_rbt_sorted[simp]: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_ins f k x t)"
```
```   483   by (induct f k x t rule: rbt_ins.induct) (auto simp: balance_rbt_sorted)
```
```   484
```
```   485 lemma keys_ins: "set (keys (rbt_ins f k v t)) = { k } \<union> set (keys t)"
```
```   486   by (induct f k v t rule: rbt_ins.induct) auto
```
```   487
```
```   488 lemma rbt_lookup_ins:
```
```   489   fixes k :: "'a"
```
```   490   assumes "rbt_sorted t"
```
```   491   shows "rbt_lookup (rbt_ins f k v t) x = ((rbt_lookup t)(k |-> case rbt_lookup t k of None \<Rightarrow> v
```
```   492                                                                 | Some w \<Rightarrow> f k w v)) x"
```
```   493 using assms by (induct f k v t rule: rbt_ins.induct) auto
```
```   494
```
```   495 end
```
```   496
```
```   497 context ord begin
```
```   498
```
```   499 definition rbt_insert_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   500 where "rbt_insert_with_key f k v t = paint B (rbt_ins f k v t)"
```
```   501
```
```   502 definition rbt_insertw_def: "rbt_insert_with f = rbt_insert_with_key (\<lambda>_. f)"
```
```   503
```
```   504 definition rbt_insert :: "'a \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt" where
```
```   505   "rbt_insert = rbt_insert_with_key (\<lambda>_ _ nv. nv)"
```
```   506
```
```   507 end
```
```   508
```
```   509 context linorder begin
```
```   510
```
```   511 lemma rbt_insertwk_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert_with_key f (k :: 'a) x t)"
```
```   512   by (auto simp: rbt_insert_with_key_def)
```
```   513
```
```   514 theorem rbt_insertwk_is_rbt:
```
```   515   assumes inv: "is_rbt t"
```
```   516   shows "is_rbt (rbt_insert_with_key f k x t)"
```
```   517 using assms
```
```   518 unfolding rbt_insert_with_key_def is_rbt_def
```
```   519 by (auto simp: ins_inv1_inv2)
```
```   520
```
```   521 lemma rbt_lookup_rbt_insertwk:
```
```   522   assumes "rbt_sorted t"
```
```   523   shows "rbt_lookup (rbt_insert_with_key f k v t) x = ((rbt_lookup t)(k |-> case rbt_lookup t k of None \<Rightarrow> v
```
```   524                                                        | Some w \<Rightarrow> f k w v)) x"
```
```   525 unfolding rbt_insert_with_key_def using assms
```
```   526 by (simp add:rbt_lookup_ins)
```
```   527
```
```   528 lemma rbt_insertw_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert_with f k v t)"
```
```   529   by (simp add: rbt_insertwk_rbt_sorted rbt_insertw_def)
```
```   530 theorem rbt_insertw_is_rbt: "is_rbt t \<Longrightarrow> is_rbt (rbt_insert_with f k v t)"
```
```   531   by (simp add: rbt_insertwk_is_rbt rbt_insertw_def)
```
```   532
```
```   533 lemma rbt_lookup_rbt_insertw:
```
```   534   "is_rbt t \<Longrightarrow>
```
```   535     rbt_lookup (rbt_insert_with f k v t) =
```
```   536       (rbt_lookup t)(k \<mapsto> (if k \<in> dom (rbt_lookup t) then f (the (rbt_lookup t k)) v else v))"
```
```   537   by (rule ext, cases "rbt_lookup t k") (auto simp: rbt_lookup_rbt_insertwk dom_def rbt_insertw_def)
```
```   538
```
```   539 lemma rbt_insert_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert k v t)"
```
```   540   by (simp add: rbt_insertwk_rbt_sorted rbt_insert_def)
```
```   541 theorem rbt_insert_is_rbt [simp]: "is_rbt t \<Longrightarrow> is_rbt (rbt_insert k v t)"
```
```   542   by (simp add: rbt_insertwk_is_rbt rbt_insert_def)
```
```   543
```
```   544 lemma rbt_lookup_rbt_insert: "is_rbt t \<Longrightarrow> rbt_lookup (rbt_insert k v t) = (rbt_lookup t)(k\<mapsto>v)"
```
```   545   by (rule ext) (simp add: rbt_insert_def rbt_lookup_rbt_insertwk split: option.split)
```
```   546
```
```   547 end
```
```   548
```
```   549 subsection \<open>Deletion\<close>
```
```   550
```
```   551 lemma bheight_paintR'[simp]: "color_of t = B \<Longrightarrow> bheight (paint R t) = bheight t - 1"
```
```   552 by (cases t rule: rbt_cases) auto
```
```   553
```
```   554 text \<open>
```
```   555   The function definitions are based on the Haskell code by Stefan Kahrs
```
```   556   at \<^url>\<open>http://www.cs.ukc.ac.uk/people/staff/smk/redblack/rb.html\<close>.
```
```   557 \<close>
```
```   558
```
```   559 fun
```
```   560   balance_left :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   561 where
```
```   562   "balance_left (Branch R a k x b) s y c = Branch R (Branch B a k x b) s y c" |
```
```   563   "balance_left bl k x (Branch B a s y b) = balance bl k x (Branch R a s y b)" |
```
```   564   "balance_left bl k x (Branch R (Branch B a s y b) t z c) = Branch R (Branch B bl k x a) s y (balance b t z (paint R c))" |
```
```   565   "balance_left t k x s = Empty"
```
```   566
```
```   567 lemma balance_left_inv2_with_inv1:
```
```   568   assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "inv1 rt"
```
```   569   shows "bheight (balance_left lt k v rt) = bheight lt + 1"
```
```   570   and   "inv2 (balance_left lt k v rt)"
```
```   571 using assms
```
```   572 by (induct lt k v rt rule: balance_left.induct) (auto simp: balance_inv2 balance_bheight)
```
```   573
```
```   574 lemma balance_left_inv2_app:
```
```   575   assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "color_of rt = B"
```
```   576   shows "inv2 (balance_left lt k v rt)"
```
```   577         "bheight (balance_left lt k v rt) = bheight rt"
```
```   578 using assms
```
```   579 by (induct lt k v rt rule: balance_left.induct) (auto simp add: balance_inv2 balance_bheight)+
```
```   580
```
```   581 lemma balance_left_inv1: "\<lbrakk>inv1l a; inv1 b; color_of b = B\<rbrakk> \<Longrightarrow> inv1 (balance_left a k x b)"
```
```   582   by (induct a k x b rule: balance_left.induct) (simp add: balance_inv1)+
```
```   583
```
```   584 lemma balance_left_inv1l: "\<lbrakk> inv1l lt; inv1 rt \<rbrakk> \<Longrightarrow> inv1l (balance_left lt k x rt)"
```
```   585 by (induct lt k x rt rule: balance_left.induct) (auto simp: balance_inv1)
```
```   586
```
```   587 lemma (in linorder) balance_left_rbt_sorted:
```
```   588   "\<lbrakk> rbt_sorted l; rbt_sorted r; rbt_less k l; k \<guillemotleft>| r \<rbrakk> \<Longrightarrow> rbt_sorted (balance_left l k v r)"
```
```   589 apply (induct l k v r rule: balance_left.induct)
```
```   590 apply (auto simp: balance_rbt_sorted)
```
```   591 apply (unfold rbt_greater_prop rbt_less_prop)
```
```   592 by force+
```
```   593
```
```   594 context order begin
```
```   595
```
```   596 lemma balance_left_rbt_greater:
```
```   597   fixes k :: "'a"
```
```   598   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x"
```
```   599   shows "k \<guillemotleft>| balance_left a x t b"
```
```   600 using assms
```
```   601 by (induct a x t b rule: balance_left.induct) auto
```
```   602
```
```   603 lemma balance_left_rbt_less:
```
```   604   fixes k :: "'a"
```
```   605   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k"
```
```   606   shows "balance_left a x t b |\<guillemotleft> k"
```
```   607 using assms
```
```   608 by (induct a x t b rule: balance_left.induct) auto
```
```   609
```
```   610 end
```
```   611
```
```   612 lemma balance_left_in_tree:
```
```   613   assumes "inv1l l" "inv1 r" "bheight l + 1 = bheight r"
```
```   614   shows "entry_in_tree k v (balance_left l a b r) = (entry_in_tree k v l \<or> k = a \<and> v = b \<or> entry_in_tree k v r)"
```
```   615 using assms
```
```   616 by (induct l k v r rule: balance_left.induct) (auto simp: balance_in_tree)
```
```   617
```
```   618 fun
```
```   619   balance_right :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   620 where
```
```   621   "balance_right a k x (Branch R b s y c) = Branch R a k x (Branch B b s y c)" |
```
```   622   "balance_right (Branch B a k x b) s y bl = balance (Branch R a k x b) s y bl" |
```
```   623   "balance_right (Branch R a k x (Branch B b s y c)) t z bl = Branch R (balance (paint R a) k x b) s y (Branch B c t z bl)" |
```
```   624   "balance_right t k x s = Empty"
```
```   625
```
```   626 lemma balance_right_inv2_with_inv1:
```
```   627   assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt + 1" "inv1 lt"
```
```   628   shows "inv2 (balance_right lt k v rt) \<and> bheight (balance_right lt k v rt) = bheight lt"
```
```   629 using assms
```
```   630 by (induct lt k v rt rule: balance_right.induct) (auto simp: balance_inv2 balance_bheight)
```
```   631
```
```   632 lemma balance_right_inv1: "\<lbrakk>inv1 a; inv1l b; color_of a = B\<rbrakk> \<Longrightarrow> inv1 (balance_right a k x b)"
```
```   633 by (induct a k x b rule: balance_right.induct) (simp add: balance_inv1)+
```
```   634
```
```   635 lemma balance_right_inv1l: "\<lbrakk> inv1 lt; inv1l rt \<rbrakk> \<Longrightarrow>inv1l (balance_right lt k x rt)"
```
```   636 by (induct lt k x rt rule: balance_right.induct) (auto simp: balance_inv1)
```
```   637
```
```   638 lemma (in linorder) balance_right_rbt_sorted:
```
```   639   "\<lbrakk> rbt_sorted l; rbt_sorted r; rbt_less k l; k \<guillemotleft>| r \<rbrakk> \<Longrightarrow> rbt_sorted (balance_right l k v r)"
```
```   640 apply (induct l k v r rule: balance_right.induct)
```
```   641 apply (auto simp:balance_rbt_sorted)
```
```   642 apply (unfold rbt_less_prop rbt_greater_prop)
```
```   643 by force+
```
```   644
```
```   645 context order begin
```
```   646
```
```   647 lemma balance_right_rbt_greater:
```
```   648   fixes k :: "'a"
```
```   649   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x"
```
```   650   shows "k \<guillemotleft>| balance_right a x t b"
```
```   651 using assms by (induct a x t b rule: balance_right.induct) auto
```
```   652
```
```   653 lemma balance_right_rbt_less:
```
```   654   fixes k :: "'a"
```
```   655   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k"
```
```   656   shows "balance_right a x t b |\<guillemotleft> k"
```
```   657 using assms by (induct a x t b rule: balance_right.induct) auto
```
```   658
```
```   659 end
```
```   660
```
```   661 lemma balance_right_in_tree:
```
```   662   assumes "inv1 l" "inv1l r" "bheight l = bheight r + 1" "inv2 l" "inv2 r"
```
```   663   shows "entry_in_tree x y (balance_right l k v r) = (entry_in_tree x y l \<or> x = k \<and> y = v \<or> entry_in_tree x y r)"
```
```   664 using assms by (induct l k v r rule: balance_right.induct) (auto simp: balance_in_tree)
```
```   665
```
```   666 fun
```
```   667   combine :: "('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   668 where
```
```   669   "combine Empty x = x"
```
```   670 | "combine x Empty = x"
```
```   671 | "combine (Branch R a k x b) (Branch R c s y d) = (case (combine b c) of
```
```   672                                     Branch R b2 t z c2 \<Rightarrow> (Branch R (Branch R a k x b2) t z (Branch R c2 s y d)) |
```
```   673                                     bc \<Rightarrow> Branch R a k x (Branch R bc s y d))"
```
```   674 | "combine (Branch B a k x b) (Branch B c s y d) = (case (combine b c) of
```
```   675                                     Branch R b2 t z c2 \<Rightarrow> Branch R (Branch B a k x b2) t z (Branch B c2 s y d) |
```
```   676                                     bc \<Rightarrow> balance_left a k x (Branch B bc s y d))"
```
```   677 | "combine a (Branch R b k x c) = Branch R (combine a b) k x c"
```
```   678 | "combine (Branch R a k x b) c = Branch R a k x (combine b c)"
```
```   679
```
```   680 lemma combine_inv2:
```
```   681   assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt"
```
```   682   shows "bheight (combine lt rt) = bheight lt" "inv2 (combine lt rt)"
```
```   683 using assms
```
```   684 by (induct lt rt rule: combine.induct)
```
```   685    (auto simp: balance_left_inv2_app split: rbt.splits color.splits)
```
```   686
```
```   687 lemma combine_inv1:
```
```   688   assumes "inv1 lt" "inv1 rt"
```
```   689   shows "color_of lt = B \<Longrightarrow> color_of rt = B \<Longrightarrow> inv1 (combine lt rt)"
```
```   690          "inv1l (combine lt rt)"
```
```   691 using assms
```
```   692 by (induct lt rt rule: combine.induct)
```
```   693    (auto simp: balance_left_inv1 split: rbt.splits color.splits)
```
```   694
```
```   695 context linorder begin
```
```   696
```
```   697 lemma combine_rbt_greater[simp]:
```
```   698   fixes k :: "'a"
```
```   699   assumes "k \<guillemotleft>| l" "k \<guillemotleft>| r"
```
```   700   shows "k \<guillemotleft>| combine l r"
```
```   701 using assms
```
```   702 by (induct l r rule: combine.induct)
```
```   703    (auto simp: balance_left_rbt_greater split:rbt.splits color.splits)
```
```   704
```
```   705 lemma combine_rbt_less[simp]:
```
```   706   fixes k :: "'a"
```
```   707   assumes "l |\<guillemotleft> k" "r |\<guillemotleft> k"
```
```   708   shows "combine l r |\<guillemotleft> k"
```
```   709 using assms
```
```   710 by (induct l r rule: combine.induct)
```
```   711    (auto simp: balance_left_rbt_less split:rbt.splits color.splits)
```
```   712
```
```   713 lemma combine_rbt_sorted:
```
```   714   fixes k :: "'a"
```
```   715   assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
```
```   716   shows "rbt_sorted (combine l r)"
```
```   717 using assms proof (induct l r rule: combine.induct)
```
```   718   case (3 a x v b c y w d)
```
```   719   hence ineqs: "a |\<guillemotleft> x" "x \<guillemotleft>| b" "b |\<guillemotleft> k" "k \<guillemotleft>| c" "c |\<guillemotleft> y" "y \<guillemotleft>| d"
```
```   720     by auto
```
```   721   with 3
```
```   722   show ?case
```
```   723     by (cases "combine b c" rule: rbt_cases)
```
```   724       (auto, (metis combine_rbt_greater combine_rbt_less ineqs ineqs rbt_less_simps(2) rbt_greater_simps(2) rbt_greater_trans rbt_less_trans)+)
```
```   725 next
```
```   726   case (4 a x v b c y w d)
```
```   727   hence "x < k \<and> rbt_greater k c" by simp
```
```   728   hence "rbt_greater x c" by (blast dest: rbt_greater_trans)
```
```   729   with 4 have 2: "rbt_greater x (combine b c)" by (simp add: combine_rbt_greater)
```
```   730   from 4 have "k < y \<and> rbt_less k b" by simp
```
```   731   hence "rbt_less y b" by (blast dest: rbt_less_trans)
```
```   732   with 4 have 3: "rbt_less y (combine b c)" by (simp add: combine_rbt_less)
```
```   733   show ?case
```
```   734   proof (cases "combine b c" rule: rbt_cases)
```
```   735     case Empty
```
```   736     from 4 have "x < y \<and> rbt_greater y d" by auto
```
```   737     hence "rbt_greater x d" by (blast dest: rbt_greater_trans)
```
```   738     with 4 Empty have "rbt_sorted a" and "rbt_sorted (Branch B Empty y w d)"
```
```   739       and "rbt_less x a" and "rbt_greater x (Branch B Empty y w d)" by auto
```
```   740     with Empty show ?thesis by (simp add: balance_left_rbt_sorted)
```
```   741   next
```
```   742     case (Red lta va ka rta)
```
```   743     with 2 4 have "x < va \<and> rbt_less x a" by simp
```
```   744     hence 5: "rbt_less va a" by (blast dest: rbt_less_trans)
```
```   745     from Red 3 4 have "va < y \<and> rbt_greater y d" by simp
```
```   746     hence "rbt_greater va d" by (blast dest: rbt_greater_trans)
```
```   747     with Red 2 3 4 5 show ?thesis by simp
```
```   748   next
```
```   749     case (Black lta va ka rta)
```
```   750     from 4 have "x < y \<and> rbt_greater y d" by auto
```
```   751     hence "rbt_greater x d" by (blast dest: rbt_greater_trans)
```
```   752     with Black 2 3 4 have "rbt_sorted a" and "rbt_sorted (Branch B (combine b c) y w d)"
```
```   753       and "rbt_less x a" and "rbt_greater x (Branch B (combine b c) y w d)" by auto
```
```   754     with Black show ?thesis by (simp add: balance_left_rbt_sorted)
```
```   755   qed
```
```   756 next
```
```   757   case (5 va vb vd vc b x w c)
```
```   758   hence "k < x \<and> rbt_less k (Branch B va vb vd vc)" by simp
```
```   759   hence "rbt_less x (Branch B va vb vd vc)" by (blast dest: rbt_less_trans)
```
```   760   with 5 show ?case by (simp add: combine_rbt_less)
```
```   761 next
```
```   762   case (6 a x v b va vb vd vc)
```
```   763   hence "x < k \<and> rbt_greater k (Branch B va vb vd vc)" by simp
```
```   764   hence "rbt_greater x (Branch B va vb vd vc)" by (blast dest: rbt_greater_trans)
```
```   765   with 6 show ?case by (simp add: combine_rbt_greater)
```
```   766 qed simp+
```
```   767
```
```   768 end
```
```   769
```
```   770 lemma combine_in_tree:
```
```   771   assumes "inv2 l" "inv2 r" "bheight l = bheight r" "inv1 l" "inv1 r"
```
```   772   shows "entry_in_tree k v (combine l r) = (entry_in_tree k v l \<or> entry_in_tree k v r)"
```
```   773 using assms
```
```   774 proof (induct l r rule: combine.induct)
```
```   775   case (4 _ _ _ b c)
```
```   776   hence a: "bheight (combine b c) = bheight b" by (simp add: combine_inv2)
```
```   777   from 4 have b: "inv1l (combine b c)" by (simp add: combine_inv1)
```
```   778
```
```   779   show ?case
```
```   780   proof (cases "combine b c" rule: rbt_cases)
```
```   781     case Empty
```
```   782     with 4 a show ?thesis by (auto simp: balance_left_in_tree)
```
```   783   next
```
```   784     case (Red lta ka va rta)
```
```   785     with 4 show ?thesis by auto
```
```   786   next
```
```   787     case (Black lta ka va rta)
```
```   788     with a b 4  show ?thesis by (auto simp: balance_left_in_tree)
```
```   789   qed
```
```   790 qed (auto split: rbt.splits color.splits)
```
```   791
```
```   792 context ord begin
```
```   793
```
```   794 fun
```
```   795   rbt_del_from_left :: "'a \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
```
```   796   rbt_del_from_right :: "'a \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
```
```   797   rbt_del :: "'a\<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
```
```   798 where
```
```   799   "rbt_del x Empty = Empty" |
```
```   800   "rbt_del x (Branch c a y s b) =
```
```   801    (if x < y then rbt_del_from_left x a y s b
```
```   802     else (if x > y then rbt_del_from_right x a y s b else combine a b))" |
```
```   803   "rbt_del_from_left x (Branch B lt z v rt) y s b = balance_left (rbt_del x (Branch B lt z v rt)) y s b" |
```
```   804   "rbt_del_from_left x a y s b = Branch R (rbt_del x a) y s b" |
```
```   805   "rbt_del_from_right x a y s (Branch B lt z v rt) = balance_right a y s (rbt_del x (Branch B lt z v rt))" |
```
```   806   "rbt_del_from_right x a y s b = Branch R a y s (rbt_del x b)"
```
```   807
```
```   808 end
```
```   809
```
```   810 context linorder begin
```
```   811
```
```   812 lemma
```
```   813   assumes "inv2 lt" "inv1 lt"
```
```   814   shows
```
```   815   "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
```
```   816    inv2 (rbt_del_from_left x lt k v rt) \<and>
```
```   817    bheight (rbt_del_from_left x lt k v rt) = bheight lt \<and>
```
```   818    (color_of lt = B \<and> color_of rt = B \<and> inv1 (rbt_del_from_left x lt k v rt) \<or>
```
```   819     (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (rbt_del_from_left x lt k v rt))"
```
```   820   and "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
```
```   821   inv2 (rbt_del_from_right x lt k v rt) \<and>
```
```   822   bheight (rbt_del_from_right x lt k v rt) = bheight lt \<and>
```
```   823   (color_of lt = B \<and> color_of rt = B \<and> inv1 (rbt_del_from_right x lt k v rt) \<or>
```
```   824    (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (rbt_del_from_right x lt k v rt))"
```
```   825   and rbt_del_inv1_inv2: "inv2 (rbt_del x lt) \<and> (color_of lt = R \<and> bheight (rbt_del x lt) = bheight lt \<and> inv1 (rbt_del x lt)
```
```   826   \<or> color_of lt = B \<and> bheight (rbt_del x lt) = bheight lt - 1 \<and> inv1l (rbt_del x lt))"
```
```   827 using assms
```
```   828 proof (induct x lt k v rt and x lt k v rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
```
```   829 case (2 y c _ y')
```
```   830   have "y = y' \<or> y < y' \<or> y > y'" by auto
```
```   831   thus ?case proof (elim disjE)
```
```   832     assume "y = y'"
```
```   833     with 2 show ?thesis by (cases c) (simp add: combine_inv2 combine_inv1)+
```
```   834   next
```
```   835     assume "y < y'"
```
```   836     with 2 show ?thesis by (cases c) auto
```
```   837   next
```
```   838     assume "y' < y"
```
```   839     with 2 show ?thesis by (cases c) auto
```
```   840   qed
```
```   841 next
```
```   842   case (3 y lt z v rta y' ss bb)
```
```   843   thus ?case by (cases "color_of (Branch B lt z v rta) = B \<and> color_of bb = B") (simp add: balance_left_inv2_with_inv1 balance_left_inv1 balance_left_inv1l)+
```
```   844 next
```
```   845   case (5 y a y' ss lt z v rta)
```
```   846   thus ?case by (cases "color_of a = B \<and> color_of (Branch B lt z v rta) = B") (simp add: balance_right_inv2_with_inv1 balance_right_inv1 balance_right_inv1l)+
```
```   847 next
```
```   848   case ("6_1" y a y' ss) thus ?case by (cases "color_of a = B \<and> color_of Empty = B") simp+
```
```   849 qed auto
```
```   850
```
```   851 lemma
```
```   852   rbt_del_from_left_rbt_less: "\<lbrakk> lt |\<guillemotleft> v; rt |\<guillemotleft> v; k < v\<rbrakk> \<Longrightarrow> rbt_del_from_left x lt k y rt |\<guillemotleft> v"
```
```   853   and rbt_del_from_right_rbt_less: "\<lbrakk>lt |\<guillemotleft> v; rt |\<guillemotleft> v; k < v\<rbrakk> \<Longrightarrow> rbt_del_from_right x lt k y rt |\<guillemotleft> v"
```
```   854   and rbt_del_rbt_less: "lt |\<guillemotleft> v \<Longrightarrow> rbt_del x lt |\<guillemotleft> v"
```
```   855 by (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
```
```   856    (auto simp: balance_left_rbt_less balance_right_rbt_less)
```
```   857
```
```   858 lemma rbt_del_from_left_rbt_greater: "\<lbrakk>v \<guillemotleft>| lt; v \<guillemotleft>| rt; k > v\<rbrakk> \<Longrightarrow> v \<guillemotleft>| rbt_del_from_left x lt k y rt"
```
```   859   and rbt_del_from_right_rbt_greater: "\<lbrakk>v \<guillemotleft>| lt; v \<guillemotleft>| rt; k > v\<rbrakk> \<Longrightarrow> v \<guillemotleft>| rbt_del_from_right x lt k y rt"
```
```   860   and rbt_del_rbt_greater: "v \<guillemotleft>| lt \<Longrightarrow> v \<guillemotleft>| rbt_del x lt"
```
```   861 by (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
```
```   862    (auto simp: balance_left_rbt_greater balance_right_rbt_greater)
```
```   863
```
```   864 lemma "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> k; k \<guillemotleft>| rt\<rbrakk> \<Longrightarrow> rbt_sorted (rbt_del_from_left x lt k y rt)"
```
```   865   and "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> k; k \<guillemotleft>| rt\<rbrakk> \<Longrightarrow> rbt_sorted (rbt_del_from_right x lt k y rt)"
```
```   866   and rbt_del_rbt_sorted: "rbt_sorted lt \<Longrightarrow> rbt_sorted (rbt_del x lt)"
```
```   867 proof (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
```
```   868   case (3 x lta zz v rta yy ss bb)
```
```   869   from 3 have "Branch B lta zz v rta |\<guillemotleft> yy" by simp
```
```   870   hence "rbt_del x (Branch B lta zz v rta) |\<guillemotleft> yy" by (rule rbt_del_rbt_less)
```
```   871   with 3 show ?case by (simp add: balance_left_rbt_sorted)
```
```   872 next
```
```   873   case ("4_2" x vaa vbb vdd vc yy ss bb)
```
```   874   hence "Branch R vaa vbb vdd vc |\<guillemotleft> yy" by simp
```
```   875   hence "rbt_del x (Branch R vaa vbb vdd vc) |\<guillemotleft> yy" by (rule rbt_del_rbt_less)
```
```   876   with "4_2" show ?case by simp
```
```   877 next
```
```   878   case (5 x aa yy ss lta zz v rta)
```
```   879   hence "yy \<guillemotleft>| Branch B lta zz v rta" by simp
```
```   880   hence "yy \<guillemotleft>| rbt_del x (Branch B lta zz v rta)" by (rule rbt_del_rbt_greater)
```
```   881   with 5 show ?case by (simp add: balance_right_rbt_sorted)
```
```   882 next
```
```   883   case ("6_2" x aa yy ss vaa vbb vdd vc)
```
```   884   hence "yy \<guillemotleft>| Branch R vaa vbb vdd vc" by simp
```
```   885   hence "yy \<guillemotleft>| rbt_del x (Branch R vaa vbb vdd vc)" by (rule rbt_del_rbt_greater)
```
```   886   with "6_2" show ?case by simp
```
```   887 qed (auto simp: combine_rbt_sorted)
```
```   888
```
```   889 lemma "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> kt; kt \<guillemotleft>| rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x < kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del_from_left x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
```
```   890   and "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> kt; kt \<guillemotleft>| rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x > kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del_from_right x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
```
```   891   and rbt_del_in_tree: "\<lbrakk>rbt_sorted t; inv1 t; inv2 t\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del x t) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v t))"
```
```   892 proof (induct x lt kt y rt and x lt kt y rt and x t rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
```
```   893   case (2 xx c aa yy ss bb)
```
```   894   have "xx = yy \<or> xx < yy \<or> xx > yy" by auto
```
```   895   from this 2 show ?case proof (elim disjE)
```
```   896     assume "xx = yy"
```
```   897     with 2 show ?thesis proof (cases "xx = k")
```
```   898       case True
```
```   899       from 2 \<open>xx = yy\<close> \<open>xx = k\<close> have "rbt_sorted (Branch c aa yy ss bb) \<and> k = yy" by simp
```
```   900       hence "\<not> entry_in_tree k v aa" "\<not> entry_in_tree k v bb" by (auto simp: rbt_less_nit rbt_greater_prop)
```
```   901       with \<open>xx = yy\<close> 2 \<open>xx = k\<close> show ?thesis by (simp add: combine_in_tree)
```
```   902     qed (simp add: combine_in_tree)
```
```   903   qed simp+
```
```   904 next
```
```   905   case (3 xx lta zz vv rta yy ss bb)
```
```   906   define mt where [simp]: "mt = Branch B lta zz vv rta"
```
```   907   from 3 have "inv2 mt \<and> inv1 mt" by simp
```
```   908   hence "inv2 (rbt_del xx mt) \<and> (color_of mt = R \<and> bheight (rbt_del xx mt) = bheight mt \<and> inv1 (rbt_del xx mt) \<or> color_of mt = B \<and> bheight (rbt_del xx mt) = bheight mt - 1 \<and> inv1l (rbt_del xx mt))" by (blast dest: rbt_del_inv1_inv2)
```
```   909   with 3 have 4: "entry_in_tree k v (rbt_del_from_left xx mt yy ss bb) = (False \<or> xx \<noteq> k \<and> entry_in_tree k v mt \<or> (k = yy \<and> v = ss) \<or> entry_in_tree k v bb)" by (simp add: balance_left_in_tree)
```
```   910   thus ?case proof (cases "xx = k")
```
```   911     case True
```
```   912     from 3 True have "yy \<guillemotleft>| bb \<and> yy > k" by simp
```
```   913     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
```
```   914     with 3 4 True show ?thesis by (auto simp: rbt_greater_nit)
```
```   915   qed auto
```
```   916 next
```
```   917   case ("4_1" xx yy ss bb)
```
```   918   show ?case proof (cases "xx = k")
```
```   919     case True
```
```   920     with "4_1" have "yy \<guillemotleft>| bb \<and> k < yy" by simp
```
```   921     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
```
```   922     with "4_1" \<open>xx = k\<close>
```
```   923    have "entry_in_tree k v (Branch R Empty yy ss bb) = entry_in_tree k v Empty" by (auto simp: rbt_greater_nit)
```
```   924     thus ?thesis by auto
```
```   925   qed simp+
```
```   926 next
```
```   927   case ("4_2" xx vaa vbb vdd vc yy ss bb)
```
```   928   thus ?case proof (cases "xx = k")
```
```   929     case True
```
```   930     with "4_2" have "k < yy \<and> yy \<guillemotleft>| bb" by simp
```
```   931     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
```
```   932     with True "4_2" show ?thesis by (auto simp: rbt_greater_nit)
```
```   933   qed auto
```
```   934 next
```
```   935   case (5 xx aa yy ss lta zz vv rta)
```
```   936   define mt where [simp]: "mt = Branch B lta zz vv rta"
```
```   937   from 5 have "inv2 mt \<and> inv1 mt" by simp
```
```   938   hence "inv2 (rbt_del xx mt) \<and> (color_of mt = R \<and> bheight (rbt_del xx mt) = bheight mt \<and> inv1 (rbt_del xx mt) \<or> color_of mt = B \<and> bheight (rbt_del xx mt) = bheight mt - 1 \<and> inv1l (rbt_del xx mt))" by (blast dest: rbt_del_inv1_inv2)
```
```   939   with 5 have 3: "entry_in_tree k v (rbt_del_from_right xx aa yy ss mt) = (entry_in_tree k v aa \<or> (k = yy \<and> v = ss) \<or> False \<or> xx \<noteq> k \<and> entry_in_tree k v mt)" by (simp add: balance_right_in_tree)
```
```   940   thus ?case proof (cases "xx = k")
```
```   941     case True
```
```   942     from 5 True have "aa |\<guillemotleft> yy \<and> yy < k" by simp
```
```   943     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
```
```   944     with 3 5 True show ?thesis by (auto simp: rbt_less_nit)
```
```   945   qed auto
```
```   946 next
```
```   947   case ("6_1" xx aa yy ss)
```
```   948   show ?case proof (cases "xx = k")
```
```   949     case True
```
```   950     with "6_1" have "aa |\<guillemotleft> yy \<and> k > yy" by simp
```
```   951     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
```
```   952     with "6_1" \<open>xx = k\<close> show ?thesis by (auto simp: rbt_less_nit)
```
```   953   qed simp
```
```   954 next
```
```   955   case ("6_2" xx aa yy ss vaa vbb vdd vc)
```
```   956   thus ?case proof (cases "xx = k")
```
```   957     case True
```
```   958     with "6_2" have "k > yy \<and> aa |\<guillemotleft> yy" by simp
```
```   959     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
```
```   960     with True "6_2" show ?thesis by (auto simp: rbt_less_nit)
```
```   961   qed auto
```
```   962 qed simp
```
```   963
```
```   964 definition (in ord) rbt_delete where
```
```   965   "rbt_delete k t = paint B (rbt_del k t)"
```
```   966
```
```   967 theorem rbt_delete_is_rbt [simp]: assumes "is_rbt t" shows "is_rbt (rbt_delete k t)"
```
```   968 proof -
```
```   969   from assms have "inv2 t" and "inv1 t" unfolding is_rbt_def by auto
```
```   970   hence "inv2 (rbt_del k t) \<and> (color_of t = R \<and> bheight (rbt_del k t) = bheight t \<and> inv1 (rbt_del k t) \<or> color_of t = B \<and> bheight (rbt_del k t) = bheight t - 1 \<and> inv1l (rbt_del k t))" by (rule rbt_del_inv1_inv2)
```
```   971   hence "inv2 (rbt_del k t) \<and> inv1l (rbt_del k t)" by (cases "color_of t") auto
```
```   972   with assms show ?thesis
```
```   973     unfolding is_rbt_def rbt_delete_def
```
```   974     by (auto intro: paint_rbt_sorted rbt_del_rbt_sorted)
```
```   975 qed
```
```   976
```
```   977 lemma rbt_delete_in_tree:
```
```   978   assumes "is_rbt t"
```
```   979   shows "entry_in_tree k v (rbt_delete x t) = (x \<noteq> k \<and> entry_in_tree k v t)"
```
```   980   using assms unfolding is_rbt_def rbt_delete_def
```
```   981   by (auto simp: rbt_del_in_tree)
```
```   982
```
```   983 lemma rbt_lookup_rbt_delete:
```
```   984   assumes is_rbt: "is_rbt t"
```
```   985   shows "rbt_lookup (rbt_delete k t) = (rbt_lookup t)|`(-{k})"
```
```   986 proof
```
```   987   fix x
```
```   988   show "rbt_lookup (rbt_delete k t) x = (rbt_lookup t |` (-{k})) x"
```
```   989   proof (cases "x = k")
```
```   990     assume "x = k"
```
```   991     with is_rbt show ?thesis
```
```   992       by (cases "rbt_lookup (rbt_delete k t) k") (auto simp: rbt_lookup_in_tree rbt_delete_in_tree)
```
```   993   next
```
```   994     assume "x \<noteq> k"
```
```   995     thus ?thesis
```
```   996       by auto (metis is_rbt rbt_delete_is_rbt rbt_delete_in_tree is_rbt_rbt_sorted rbt_lookup_from_in_tree)
```
```   997   qed
```
```   998 qed
```
```   999
```
```  1000 end
```
```  1001
```
```  1002 subsection \<open>Modifying existing entries\<close>
```
```  1003
```
```  1004 context ord begin
```
```  1005
```
```  1006 primrec
```
```  1007   rbt_map_entry :: "'a \<Rightarrow> ('b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
```
```  1008 where
```
```  1009   "rbt_map_entry k f Empty = Empty"
```
```  1010 | "rbt_map_entry k f (Branch c lt x v rt) =
```
```  1011     (if k < x then Branch c (rbt_map_entry k f lt) x v rt
```
```  1012     else if k > x then (Branch c lt x v (rbt_map_entry k f rt))
```
```  1013     else Branch c lt x (f v) rt)"
```
```  1014
```
```  1015
```
```  1016 lemma rbt_map_entry_color_of: "color_of (rbt_map_entry k f t) = color_of t" by (induct t) simp+
```
```  1017 lemma rbt_map_entry_inv1: "inv1 (rbt_map_entry k f t) = inv1 t" by (induct t) (simp add: rbt_map_entry_color_of)+
```
```  1018 lemma rbt_map_entry_inv2: "inv2 (rbt_map_entry k f t) = inv2 t" "bheight (rbt_map_entry k f t) = bheight t" by (induct t) simp+
```
```  1019 lemma rbt_map_entry_rbt_greater: "rbt_greater a (rbt_map_entry k f t) = rbt_greater a t" by (induct t) simp+
```
```  1020 lemma rbt_map_entry_rbt_less: "rbt_less a (rbt_map_entry k f t) = rbt_less a t" by (induct t) simp+
```
```  1021 lemma rbt_map_entry_rbt_sorted: "rbt_sorted (rbt_map_entry k f t) = rbt_sorted t"
```
```  1022   by (induct t) (simp_all add: rbt_map_entry_rbt_less rbt_map_entry_rbt_greater)
```
```  1023
```
```  1024 theorem rbt_map_entry_is_rbt [simp]: "is_rbt (rbt_map_entry k f t) = is_rbt t"
```
```  1025 unfolding is_rbt_def by (simp add: rbt_map_entry_inv2 rbt_map_entry_color_of rbt_map_entry_rbt_sorted rbt_map_entry_inv1 )
```
```  1026
```
```  1027 end
```
```  1028
```
```  1029 theorem (in linorder) rbt_lookup_rbt_map_entry:
```
```  1030   "rbt_lookup (rbt_map_entry k f t) = (rbt_lookup t)(k := map_option f (rbt_lookup t k))"
```
```  1031   by (induct t) (auto split: option.splits simp add: fun_eq_iff)
```
```  1032
```
```  1033 subsection \<open>Mapping all entries\<close>
```
```  1034
```
```  1035 primrec
```
```  1036   map :: "('a \<Rightarrow> 'b \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'c) rbt"
```
```  1037 where
```
```  1038   "map f Empty = Empty"
```
```  1039 | "map f (Branch c lt k v rt) = Branch c (map f lt) k (f k v) (map f rt)"
```
```  1040
```
```  1041 lemma map_entries [simp]: "entries (map f t) = List.map (\<lambda>(k, v). (k, f k v)) (entries t)"
```
```  1042   by (induct t) auto
```
```  1043 lemma map_keys [simp]: "keys (map f t) = keys t" by (simp add: keys_def split_def)
```
```  1044 lemma map_color_of: "color_of (map f t) = color_of t" by (induct t) simp+
```
```  1045 lemma map_inv1: "inv1 (map f t) = inv1 t" by (induct t) (simp add: map_color_of)+
```
```  1046 lemma map_inv2: "inv2 (map f t) = inv2 t" "bheight (map f t) = bheight t" by (induct t) simp+
```
```  1047
```
```  1048 context ord begin
```
```  1049
```
```  1050 lemma map_rbt_greater: "rbt_greater k (map f t) = rbt_greater k t" by (induct t) simp+
```
```  1051 lemma map_rbt_less: "rbt_less k (map f t) = rbt_less k t" by (induct t) simp+
```
```  1052 lemma map_rbt_sorted: "rbt_sorted (map f t) = rbt_sorted t"  by (induct t) (simp add: map_rbt_less map_rbt_greater)+
```
```  1053 theorem map_is_rbt [simp]: "is_rbt (map f t) = is_rbt t"
```
```  1054 unfolding is_rbt_def by (simp add: map_inv1 map_inv2 map_rbt_sorted map_color_of)
```
```  1055
```
```  1056 end
```
```  1057
```
```  1058 theorem (in linorder) rbt_lookup_map: "rbt_lookup (map f t) x = map_option (f x) (rbt_lookup t x)"
```
```  1059   apply(induct t)
```
```  1060   apply auto
```
```  1061   apply(rename_tac a b c, subgoal_tac "x = a")
```
```  1062   apply auto
```
```  1063   done
```
```  1064  (* FIXME: simproc "antisym less" does not work for linorder context, only for linorder type class
```
```  1065     by (induct t) auto *)
```
```  1066
```
```  1067 hide_const (open) map
```
```  1068
```
```  1069 subsection \<open>Folding over entries\<close>
```
```  1070
```
```  1071 definition fold :: "('a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c" where
```
```  1072   "fold f t = List.fold (case_prod f) (entries t)"
```
```  1073
```
```  1074 lemma fold_simps [simp]:
```
```  1075   "fold f Empty = id"
```
```  1076   "fold f (Branch c lt k v rt) = fold f rt \<circ> f k v \<circ> fold f lt"
```
```  1077   by (simp_all add: fold_def fun_eq_iff)
```
```  1078
```
```  1079 lemma fold_code [code]:
```
```  1080   "fold f Empty x = x"
```
```  1081   "fold f (Branch c lt k v rt) x = fold f rt (f k v (fold f lt x))"
```
```  1082 by(simp_all)
```
```  1083
```
```  1084 (* fold with continuation predicate *)
```
```  1085
```
```  1086 fun foldi :: "('c \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a :: linorder, 'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c"
```
```  1087   where
```
```  1088   "foldi c f Empty s = s" |
```
```  1089   "foldi c f (Branch col l k v r) s = (
```
```  1090     if (c s) then
```
```  1091       let s' = foldi c f l s in
```
```  1092         if (c s') then
```
```  1093           foldi c f r (f k v s')
```
```  1094         else s'
```
```  1095     else
```
```  1096       s
```
```  1097   )"
```
```  1098
```
```  1099 subsection \<open>Bulkloading a tree\<close>
```
```  1100
```
```  1101 definition (in ord) rbt_bulkload :: "('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt" where
```
```  1102   "rbt_bulkload xs = foldr (\<lambda>(k, v). rbt_insert k v) xs Empty"
```
```  1103
```
```  1104 context linorder begin
```
```  1105
```
```  1106 lemma rbt_bulkload_is_rbt [simp, intro]:
```
```  1107   "is_rbt (rbt_bulkload xs)"
```
```  1108   unfolding rbt_bulkload_def by (induct xs) auto
```
```  1109
```
```  1110 lemma rbt_lookup_rbt_bulkload:
```
```  1111   "rbt_lookup (rbt_bulkload xs) = map_of xs"
```
```  1112 proof -
```
```  1113   obtain ys where "ys = rev xs" by simp
```
```  1114   have "\<And>t. is_rbt t \<Longrightarrow>
```
```  1115     rbt_lookup (List.fold (case_prod rbt_insert) ys t) = rbt_lookup t ++ map_of (rev ys)"
```
```  1116       by (induct ys) (simp_all add: rbt_bulkload_def rbt_lookup_rbt_insert case_prod_beta)
```
```  1117   from this Empty_is_rbt have
```
```  1118     "rbt_lookup (List.fold (case_prod rbt_insert) (rev xs) Empty) = rbt_lookup Empty ++ map_of xs"
```
```  1119      by (simp add: \<open>ys = rev xs\<close>)
```
```  1120   then show ?thesis by (simp add: rbt_bulkload_def rbt_lookup_Empty foldr_conv_fold)
```
```  1121 qed
```
```  1122
```
```  1123 end
```
```  1124
```
```  1125
```
```  1126
```
```  1127 subsection \<open>Building a RBT from a sorted list\<close>
```
```  1128
```
```  1129 text \<open>
```
```  1130   These functions have been adapted from
```
```  1131   Andrew W. Appel, Efficient Verified Red-Black Trees (September 2011)
```
```  1132 \<close>
```
```  1133
```
```  1134 fun rbtreeify_f :: "nat \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt \<times> ('a \<times> 'b) list"
```
```  1135   and rbtreeify_g :: "nat \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt \<times> ('a \<times> 'b) list"
```
```  1136 where
```
```  1137   "rbtreeify_f n kvs =
```
```  1138    (if n = 0 then (Empty, kvs)
```
```  1139     else if n = 1 then
```
```  1140       case kvs of (k, v) # kvs' \<Rightarrow> (Branch R Empty k v Empty, kvs')
```
```  1141     else if (n mod 2 = 0) then
```
```  1142       case rbtreeify_f (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1143         apfst (Branch B t1 k v) (rbtreeify_g (n div 2) kvs')
```
```  1144     else case rbtreeify_f (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1145         apfst (Branch B t1 k v) (rbtreeify_f (n div 2) kvs'))"
```
```  1146
```
```  1147 | "rbtreeify_g n kvs =
```
```  1148    (if n = 0 \<or> n = 1 then (Empty, kvs)
```
```  1149     else if n mod 2 = 0 then
```
```  1150       case rbtreeify_g (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1151         apfst (Branch B t1 k v) (rbtreeify_g (n div 2) kvs')
```
```  1152     else case rbtreeify_f (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1153         apfst (Branch B t1 k v) (rbtreeify_g (n div 2) kvs'))"
```
```  1154
```
```  1155 definition rbtreeify :: "('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt"
```
```  1156 where "rbtreeify kvs = fst (rbtreeify_g (Suc (length kvs)) kvs)"
```
```  1157
```
```  1158 declare rbtreeify_f.simps [simp del] rbtreeify_g.simps [simp del]
```
```  1159
```
```  1160 lemma rbtreeify_f_code [code]:
```
```  1161   "rbtreeify_f n kvs =
```
```  1162    (if n = 0 then (Empty, kvs)
```
```  1163     else if n = 1 then
```
```  1164       case kvs of (k, v) # kvs' \<Rightarrow>
```
```  1165         (Branch R Empty k v Empty, kvs')
```
```  1166     else let (n', r) = Divides.divmod_nat n 2 in
```
```  1167       if r = 0 then
```
```  1168         case rbtreeify_f n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1169           apfst (Branch B t1 k v) (rbtreeify_g n' kvs')
```
```  1170       else case rbtreeify_f n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1171           apfst (Branch B t1 k v) (rbtreeify_f n' kvs'))"
```
```  1172 by (subst rbtreeify_f.simps) (simp only: Let_def divmod_nat_def prod.case)
```
```  1173
```
```  1174 lemma rbtreeify_g_code [code]:
```
```  1175   "rbtreeify_g n kvs =
```
```  1176    (if n = 0 \<or> n = 1 then (Empty, kvs)
```
```  1177     else let (n', r) = Divides.divmod_nat n 2 in
```
```  1178       if r = 0 then
```
```  1179         case rbtreeify_g n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1180           apfst (Branch B t1 k v) (rbtreeify_g n' kvs')
```
```  1181       else case rbtreeify_f n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1182           apfst (Branch B t1 k v) (rbtreeify_g n' kvs'))"
```
```  1183 by(subst rbtreeify_g.simps)(simp only: Let_def divmod_nat_def prod.case)
```
```  1184
```
```  1185 lemma Suc_double_half: "Suc (2 * n) div 2 = n"
```
```  1186 by simp
```
```  1187
```
```  1188 lemma div2_plus_div2: "n div 2 + n div 2 = (n :: nat) - n mod 2"
```
```  1189 by arith
```
```  1190
```
```  1191 lemma rbtreeify_f_rec_aux_lemma:
```
```  1192   "\<lbrakk>k - n div 2 = Suc k'; n \<le> k; n mod 2 = Suc 0\<rbrakk>
```
```  1193   \<Longrightarrow> k' - n div 2 = k - n"
```
```  1194 apply(rule add_right_imp_eq[where a = "n - n div 2"])
```
```  1195 apply(subst add_diff_assoc2, arith)
```
```  1196 apply(simp add: div2_plus_div2)
```
```  1197 done
```
```  1198
```
```  1199 lemma rbtreeify_f_simps:
```
```  1200   "rbtreeify_f 0 kvs = (Empty, kvs)"
```
```  1201   "rbtreeify_f (Suc 0) ((k, v) # kvs) =
```
```  1202   (Branch R Empty k v Empty, kvs)"
```
```  1203   "0 < n \<Longrightarrow> rbtreeify_f (2 * n) kvs =
```
```  1204    (case rbtreeify_f n kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1205      apfst (Branch B t1 k v) (rbtreeify_g n kvs'))"
```
```  1206   "0 < n \<Longrightarrow> rbtreeify_f (Suc (2 * n)) kvs =
```
```  1207    (case rbtreeify_f n kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1208      apfst (Branch B t1 k v) (rbtreeify_f n kvs'))"
```
```  1209 by(subst (1) rbtreeify_f.simps, simp add: Suc_double_half)+
```
```  1210
```
```  1211 lemma rbtreeify_g_simps:
```
```  1212   "rbtreeify_g 0 kvs = (Empty, kvs)"
```
```  1213   "rbtreeify_g (Suc 0) kvs = (Empty, kvs)"
```
```  1214   "0 < n \<Longrightarrow> rbtreeify_g (2 * n) kvs =
```
```  1215    (case rbtreeify_g n kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1216      apfst (Branch B t1 k v) (rbtreeify_g n kvs'))"
```
```  1217   "0 < n \<Longrightarrow> rbtreeify_g (Suc (2 * n)) kvs =
```
```  1218    (case rbtreeify_f n kvs of (t1, (k, v) # kvs') \<Rightarrow>
```
```  1219      apfst (Branch B t1 k v) (rbtreeify_g n kvs'))"
```
```  1220 by(subst (1) rbtreeify_g.simps, simp add: Suc_double_half)+
```
```  1221
```
```  1222 declare rbtreeify_f_simps[simp] rbtreeify_g_simps[simp]
```
```  1223
```
```  1224 lemma length_rbtreeify_f: "n \<le> length kvs
```
```  1225   \<Longrightarrow> length (snd (rbtreeify_f n kvs)) = length kvs - n"
```
```  1226   and length_rbtreeify_g:"\<lbrakk> 0 < n; n \<le> Suc (length kvs) \<rbrakk>
```
```  1227   \<Longrightarrow> length (snd (rbtreeify_g n kvs)) = Suc (length kvs) - n"
```
```  1228 proof(induction n kvs and n kvs rule: rbtreeify_f_rbtreeify_g.induct)
```
```  1229   case (1 n kvs)
```
```  1230   show ?case
```
```  1231   proof(cases "n \<le> 1")
```
```  1232     case True thus ?thesis using "1.prems"
```
```  1233       by(cases n kvs rule: nat.exhaust[case_product list.exhaust]) auto
```
```  1234   next
```
```  1235     case False
```
```  1236     hence "n \<noteq> 0" "n \<noteq> 1" by simp_all
```
```  1237     note IH = "1.IH"[OF this]
```
```  1238     show ?thesis
```
```  1239     proof(cases "n mod 2 = 0")
```
```  1240       case True
```
```  1241       hence "length (snd (rbtreeify_f n kvs)) =
```
```  1242         length (snd (rbtreeify_f (2 * (n div 2)) kvs))"
```
```  1243         by(metis minus_nat.diff_0 minus_mod_eq_mult_div [symmetric])
```
```  1244       also from "1.prems" False obtain k v kvs'
```
```  1245         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
```
```  1246       also have "0 < n div 2" using False by(simp)
```
```  1247       note rbtreeify_f_simps(3)[OF this]
```
```  1248       also note kvs[symmetric]
```
```  1249       also let ?rest1 = "snd (rbtreeify_f (n div 2) kvs)"
```
```  1250       from "1.prems" have "n div 2 \<le> length kvs" by simp
```
```  1251       with True have len: "length ?rest1 = length kvs - n div 2" by(rule IH)
```
```  1252       with "1.prems" False obtain t1 k' v' kvs''
```
```  1253         where kvs'': "rbtreeify_f (n div 2) kvs = (t1, (k', v') # kvs'')"
```
```  1254          by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm)
```
```  1255       note this also note prod.case also note list.simps(5)
```
```  1256       also note prod.case also note snd_apfst
```
```  1257       also have "0 < n div 2" "n div 2 \<le> Suc (length kvs'')"
```
```  1258         using len "1.prems" False unfolding kvs'' by simp_all
```
```  1259       with True kvs''[symmetric] refl refl
```
```  1260       have "length (snd (rbtreeify_g (n div 2) kvs'')) =
```
```  1261         Suc (length kvs'') - n div 2" by(rule IH)
```
```  1262       finally show ?thesis using len[unfolded kvs''] "1.prems" True
```
```  1263         by(simp add: Suc_diff_le[symmetric] mult_2[symmetric] minus_mod_eq_mult_div [symmetric])
```
```  1264     next
```
```  1265       case False
```
```  1266       hence "length (snd (rbtreeify_f n kvs)) =
```
```  1267         length (snd (rbtreeify_f (Suc (2 * (n div 2))) kvs))"
```
```  1268         by (simp add: mod_eq_0_iff_dvd)
```
```  1269       also from "1.prems" \<open>\<not> n \<le> 1\<close> obtain k v kvs'
```
```  1270         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
```
```  1271       also have "0 < n div 2" using \<open>\<not> n \<le> 1\<close> by(simp)
```
```  1272       note rbtreeify_f_simps(4)[OF this]
```
```  1273       also note kvs[symmetric]
```
```  1274       also let ?rest1 = "snd (rbtreeify_f (n div 2) kvs)"
```
```  1275       from "1.prems" have "n div 2 \<le> length kvs" by simp
```
```  1276       with False have len: "length ?rest1 = length kvs - n div 2" by(rule IH)
```
```  1277       with "1.prems" \<open>\<not> n \<le> 1\<close> obtain t1 k' v' kvs''
```
```  1278         where kvs'': "rbtreeify_f (n div 2) kvs = (t1, (k', v') # kvs'')"
```
```  1279         by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm)
```
```  1280       note this also note prod.case also note list.simps(5)
```
```  1281       also note prod.case also note snd_apfst
```
```  1282       also have "n div 2 \<le> length kvs''"
```
```  1283         using len "1.prems" False unfolding kvs'' by simp arith
```
```  1284       with False kvs''[symmetric] refl refl
```
```  1285       have "length (snd (rbtreeify_f (n div 2) kvs'')) = length kvs'' - n div 2"
```
```  1286         by(rule IH)
```
```  1287       finally show ?thesis using len[unfolded kvs''] "1.prems" False
```
```  1288         by simp(rule rbtreeify_f_rec_aux_lemma[OF sym])
```
```  1289     qed
```
```  1290   qed
```
```  1291 next
```
```  1292   case (2 n kvs)
```
```  1293   show ?case
```
```  1294   proof(cases "n > 1")
```
```  1295     case False with \<open>0 < n\<close> show ?thesis
```
```  1296       by(cases n kvs rule: nat.exhaust[case_product list.exhaust]) simp_all
```
```  1297   next
```
```  1298     case True
```
```  1299     hence "\<not> (n = 0 \<or> n = 1)" by simp
```
```  1300     note IH = "2.IH"[OF this]
```
```  1301     show ?thesis
```
```  1302     proof(cases "n mod 2 = 0")
```
```  1303       case True
```
```  1304       hence "length (snd (rbtreeify_g n kvs)) =
```
```  1305         length (snd (rbtreeify_g (2 * (n div 2)) kvs))"
```
```  1306         by(metis minus_nat.diff_0 minus_mod_eq_mult_div [symmetric])
```
```  1307       also from "2.prems" True obtain k v kvs'
```
```  1308         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
```
```  1309       also have "0 < n div 2" using \<open>1 < n\<close> by(simp)
```
```  1310       note rbtreeify_g_simps(3)[OF this]
```
```  1311       also note kvs[symmetric]
```
```  1312       also let ?rest1 = "snd (rbtreeify_g (n div 2) kvs)"
```
```  1313       from "2.prems" \<open>1 < n\<close>
```
```  1314       have "0 < n div 2" "n div 2 \<le> Suc (length kvs)" by simp_all
```
```  1315       with True have len: "length ?rest1 = Suc (length kvs) - n div 2" by(rule IH)
```
```  1316       with "2.prems" obtain t1 k' v' kvs''
```
```  1317         where kvs'': "rbtreeify_g (n div 2) kvs = (t1, (k', v') # kvs'')"
```
```  1318         by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm)
```
```  1319       note this also note prod.case also note list.simps(5)
```
```  1320       also note prod.case also note snd_apfst
```
```  1321       also have "n div 2 \<le> Suc (length kvs'')"
```
```  1322         using len "2.prems" unfolding kvs'' by simp
```
```  1323       with True kvs''[symmetric] refl refl \<open>0 < n div 2\<close>
```
```  1324       have "length (snd (rbtreeify_g (n div 2) kvs'')) = Suc (length kvs'') - n div 2"
```
```  1325         by(rule IH)
```
```  1326       finally show ?thesis using len[unfolded kvs''] "2.prems" True
```
```  1327         by(simp add: Suc_diff_le[symmetric] mult_2[symmetric] minus_mod_eq_mult_div [symmetric])
```
```  1328     next
```
```  1329       case False
```
```  1330       hence "length (snd (rbtreeify_g n kvs)) =
```
```  1331         length (snd (rbtreeify_g (Suc (2 * (n div 2))) kvs))"
```
```  1332         by (simp add: mod_eq_0_iff_dvd)
```
```  1333       also from "2.prems" \<open>1 < n\<close> obtain k v kvs'
```
```  1334         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
```
```  1335       also have "0 < n div 2" using \<open>1 < n\<close> by(simp)
```
```  1336       note rbtreeify_g_simps(4)[OF this]
```
```  1337       also note kvs[symmetric]
```
```  1338       also let ?rest1 = "snd (rbtreeify_f (n div 2) kvs)"
```
```  1339       from "2.prems" have "n div 2 \<le> length kvs" by simp
```
```  1340       with False have len: "length ?rest1 = length kvs - n div 2" by(rule IH)
```
```  1341       with "2.prems" \<open>1 < n\<close> False obtain t1 k' v' kvs''
```
```  1342         where kvs'': "rbtreeify_f (n div 2) kvs = (t1, (k', v') # kvs'')"
```
```  1343         by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm, arith)
```
```  1344       note this also note prod.case also note list.simps(5)
```
```  1345       also note prod.case also note snd_apfst
```
```  1346       also have "n div 2 \<le> Suc (length kvs'')"
```
```  1347         using len "2.prems" False unfolding kvs'' by simp arith
```
```  1348       with False kvs''[symmetric] refl refl \<open>0 < n div 2\<close>
```
```  1349       have "length (snd (rbtreeify_g (n div 2) kvs'')) = Suc (length kvs'') - n div 2"
```
```  1350         by(rule IH)
```
```  1351       finally show ?thesis using len[unfolded kvs''] "2.prems" False
```
```  1352         by(simp add: div2_plus_div2)
```
```  1353     qed
```
```  1354   qed
```
```  1355 qed
```
```  1356
```
```  1357 lemma rbtreeify_induct [consumes 1, case_names f_0 f_1 f_even f_odd g_0 g_1 g_even g_odd]:
```
```  1358   fixes P Q
```
```  1359   defines "f0 == (\<And>kvs. P 0 kvs)"
```
```  1360   and "f1 == (\<And>k v kvs. P (Suc 0) ((k, v) # kvs))"
```
```  1361   and "feven ==
```
```  1362     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> length kvs; P n kvs;
```
```  1363        rbtreeify_f n kvs = (t, (k, v) # kvs'); n \<le> Suc (length kvs'); Q n kvs' \<rbrakk>
```
```  1364      \<Longrightarrow> P (2 * n) kvs)"
```
```  1365   and "fodd ==
```
```  1366     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> length kvs; P n kvs;
```
```  1367        rbtreeify_f n kvs = (t, (k, v) # kvs'); n \<le> length kvs'; P n kvs' \<rbrakk>
```
```  1368     \<Longrightarrow> P (Suc (2 * n)) kvs)"
```
```  1369   and "g0 == (\<And>kvs. Q 0 kvs)"
```
```  1370   and "g1 == (\<And>kvs. Q (Suc 0) kvs)"
```
```  1371   and "geven ==
```
```  1372     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> Suc (length kvs); Q n kvs;
```
```  1373        rbtreeify_g n kvs = (t, (k, v) # kvs'); n \<le> Suc (length kvs'); Q n kvs' \<rbrakk>
```
```  1374     \<Longrightarrow> Q (2 * n) kvs)"
```
```  1375   and "godd ==
```
```  1376     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> length kvs; P n kvs;
```
```  1377        rbtreeify_f n kvs = (t, (k, v) # kvs'); n \<le> Suc (length kvs'); Q n kvs' \<rbrakk>
```
```  1378     \<Longrightarrow> Q (Suc (2 * n)) kvs)"
```
```  1379   shows "\<lbrakk> n \<le> length kvs;
```
```  1380            PROP f0; PROP f1; PROP feven; PROP fodd;
```
```  1381            PROP g0; PROP g1; PROP geven; PROP godd \<rbrakk>
```
```  1382          \<Longrightarrow> P n kvs"
```
```  1383   and "\<lbrakk> n \<le> Suc (length kvs);
```
```  1384           PROP f0; PROP f1; PROP feven; PROP fodd;
```
```  1385           PROP g0; PROP g1; PROP geven; PROP godd \<rbrakk>
```
```  1386        \<Longrightarrow> Q n kvs"
```
```  1387 proof -
```
```  1388   assume f0: "PROP f0" and f1: "PROP f1" and feven: "PROP feven" and fodd: "PROP fodd"
```
```  1389     and g0: "PROP g0" and g1: "PROP g1" and geven: "PROP geven" and godd: "PROP godd"
```
```  1390   show "n \<le> length kvs \<Longrightarrow> P n kvs" and "n \<le> Suc (length kvs) \<Longrightarrow> Q n kvs"
```
```  1391   proof(induction rule: rbtreeify_f_rbtreeify_g.induct)
```
```  1392     case (1 n kvs)
```
```  1393     show ?case
```
```  1394     proof(cases "n \<le> 1")
```
```  1395       case True thus ?thesis using "1.prems"
```
```  1396         by(cases n kvs rule: nat.exhaust[case_product list.exhaust])
```
```  1397           (auto simp add: f0[unfolded f0_def] f1[unfolded f1_def])
```
```  1398     next
```
```  1399       case False
```
```  1400       hence ns: "n \<noteq> 0" "n \<noteq> 1" by simp_all
```
```  1401       hence ge0: "n div 2 > 0" by simp
```
```  1402       note IH = "1.IH"[OF ns]
```
```  1403       show ?thesis
```
```  1404       proof(cases "n mod 2 = 0")
```
```  1405         case True note ge0
```
```  1406         moreover from "1.prems" have n2: "n div 2 \<le> length kvs" by simp
```
```  1407         moreover from True n2 have "P (n div 2) kvs" by(rule IH)
```
```  1408         moreover from length_rbtreeify_f[OF n2] ge0 "1.prems" obtain t k v kvs'
```
```  1409           where kvs': "rbtreeify_f (n div 2) kvs = (t, (k, v) # kvs')"
```
```  1410           by(cases "snd (rbtreeify_f (n div 2) kvs)")
```
```  1411             (auto simp add: snd_def split: prod.split_asm)
```
```  1412         moreover from "1.prems" length_rbtreeify_f[OF n2] ge0
```
```  1413         have n2': "n div 2 \<le> Suc (length kvs')" by(simp add: kvs')
```
```  1414         moreover from True kvs'[symmetric] refl refl n2'
```
```  1415         have "Q (n div 2) kvs'" by(rule IH)
```
```  1416         moreover note feven[unfolded feven_def]
```
```  1417           (* FIXME: why does by(rule feven[unfolded feven_def]) not work? *)
```
```  1418         ultimately have "P (2 * (n div 2)) kvs" by -
```
```  1419         thus ?thesis using True by (metis minus_mod_eq_div_mult [symmetric] minus_nat.diff_0 mult.commute)
```
```  1420       next
```
```  1421         case False note ge0
```
```  1422         moreover from "1.prems" have n2: "n div 2 \<le> length kvs" by simp
```
```  1423         moreover from False n2 have "P (n div 2) kvs" by(rule IH)
```
```  1424         moreover from length_rbtreeify_f[OF n2] ge0 "1.prems" obtain t k v kvs'
```
```  1425           where kvs': "rbtreeify_f (n div 2) kvs = (t, (k, v) # kvs')"
```
```  1426           by(cases "snd (rbtreeify_f (n div 2) kvs)")
```
```  1427             (auto simp add: snd_def split: prod.split_asm)
```
```  1428         moreover from "1.prems" length_rbtreeify_f[OF n2] ge0 False
```
```  1429         have n2': "n div 2 \<le> length kvs'" by(simp add: kvs') arith
```
```  1430         moreover from False kvs'[symmetric] refl refl n2' have "P (n div 2) kvs'" by(rule IH)
```
```  1431         moreover note fodd[unfolded fodd_def]
```
```  1432         ultimately have "P (Suc (2 * (n div 2))) kvs" by -
```
```  1433         thus ?thesis using False
```
```  1434           by simp (metis One_nat_def Suc_eq_plus1_left le_add_diff_inverse mod_less_eq_dividend minus_mod_eq_mult_div [symmetric])
```
```  1435       qed
```
```  1436     qed
```
```  1437   next
```
```  1438     case (2 n kvs)
```
```  1439     show ?case
```
```  1440     proof(cases "n \<le> 1")
```
```  1441       case True thus ?thesis using "2.prems"
```
```  1442         by(cases n kvs rule: nat.exhaust[case_product list.exhaust])
```
```  1443           (auto simp add: g0[unfolded g0_def] g1[unfolded g1_def])
```
```  1444     next
```
```  1445       case False
```
```  1446       hence ns: "\<not> (n = 0 \<or> n = 1)" by simp
```
```  1447       hence ge0: "n div 2 > 0" by simp
```
```  1448       note IH = "2.IH"[OF ns]
```
```  1449       show ?thesis
```
```  1450       proof(cases "n mod 2 = 0")
```
```  1451         case True note ge0
```
```  1452         moreover from "2.prems" have n2: "n div 2 \<le> Suc (length kvs)" by simp
```
```  1453         moreover from True n2 have "Q (n div 2) kvs" by(rule IH)
```
```  1454         moreover from length_rbtreeify_g[OF ge0 n2] ge0 "2.prems" obtain t k v kvs'
```
```  1455           where kvs': "rbtreeify_g (n div 2) kvs = (t, (k, v) # kvs')"
```
```  1456           by(cases "snd (rbtreeify_g (n div 2) kvs)")
```
```  1457             (auto simp add: snd_def split: prod.split_asm)
```
```  1458         moreover from "2.prems" length_rbtreeify_g[OF ge0 n2] ge0
```
```  1459         have n2': "n div 2 \<le> Suc (length kvs')" by(simp add: kvs')
```
```  1460         moreover from True kvs'[symmetric] refl refl  n2'
```
```  1461         have "Q (n div 2) kvs'" by(rule IH)
```
```  1462         moreover note geven[unfolded geven_def]
```
```  1463         ultimately have "Q (2 * (n div 2)) kvs" by -
```
```  1464         thus ?thesis using True
```
```  1465           by(metis minus_mod_eq_div_mult [symmetric] minus_nat.diff_0 mult.commute)
```
```  1466       next
```
```  1467         case False note ge0
```
```  1468         moreover from "2.prems" have n2: "n div 2 \<le> length kvs" by simp
```
```  1469         moreover from False n2 have "P (n div 2) kvs" by(rule IH)
```
```  1470         moreover from length_rbtreeify_f[OF n2] ge0 "2.prems" False obtain t k v kvs'
```
```  1471           where kvs': "rbtreeify_f (n div 2) kvs = (t, (k, v) # kvs')"
```
```  1472           by(cases "snd (rbtreeify_f (n div 2) kvs)")
```
```  1473             (auto simp add: snd_def split: prod.split_asm, arith)
```
```  1474         moreover from "2.prems" length_rbtreeify_f[OF n2] ge0 False
```
```  1475         have n2': "n div 2 \<le> Suc (length kvs')" by(simp add: kvs') arith
```
```  1476         moreover from False kvs'[symmetric] refl refl n2'
```
```  1477         have "Q (n div 2) kvs'" by(rule IH)
```
```  1478         moreover note godd[unfolded godd_def]
```
```  1479         ultimately have "Q (Suc (2 * (n div 2))) kvs" by -
```
```  1480         thus ?thesis using False
```
```  1481           by simp (metis One_nat_def Suc_eq_plus1_left le_add_diff_inverse mod_less_eq_dividend minus_mod_eq_mult_div [symmetric])
```
```  1482       qed
```
```  1483     qed
```
```  1484   qed
```
```  1485 qed
```
```  1486
```
```  1487 lemma inv1_rbtreeify_f: "n \<le> length kvs
```
```  1488   \<Longrightarrow> inv1 (fst (rbtreeify_f n kvs))"
```
```  1489   and inv1_rbtreeify_g: "n \<le> Suc (length kvs)
```
```  1490   \<Longrightarrow> inv1 (fst (rbtreeify_g n kvs))"
```
```  1491 by(induct n kvs and n kvs rule: rbtreeify_induct) simp_all
```
```  1492
```
```  1493 fun plog2 :: "nat \<Rightarrow> nat"
```
```  1494 where "plog2 n = (if n \<le> 1 then 0 else plog2 (n div 2) + 1)"
```
```  1495
```
```  1496 declare plog2.simps [simp del]
```
```  1497
```
```  1498 lemma plog2_simps [simp]:
```
```  1499   "plog2 0 = 0" "plog2 (Suc 0) = 0"
```
```  1500   "0 < n \<Longrightarrow> plog2 (2 * n) = 1 + plog2 n"
```
```  1501   "0 < n \<Longrightarrow> plog2 (Suc (2 * n)) = 1 + plog2 n"
```
```  1502 by(subst plog2.simps, simp add: Suc_double_half)+
```
```  1503
```
```  1504 lemma bheight_rbtreeify_f: "n \<le> length kvs
```
```  1505   \<Longrightarrow> bheight (fst (rbtreeify_f n kvs)) = plog2 n"
```
```  1506   and bheight_rbtreeify_g: "n \<le> Suc (length kvs)
```
```  1507   \<Longrightarrow> bheight (fst (rbtreeify_g n kvs)) = plog2 n"
```
```  1508 by(induct n kvs and n kvs rule: rbtreeify_induct) simp_all
```
```  1509
```
```  1510 lemma bheight_rbtreeify_f_eq_plog2I:
```
```  1511   "\<lbrakk> rbtreeify_f n kvs = (t, kvs'); n \<le> length kvs \<rbrakk>
```
```  1512   \<Longrightarrow> bheight t = plog2 n"
```
```  1513 using bheight_rbtreeify_f[of n kvs] by simp
```
```  1514
```
```  1515 lemma bheight_rbtreeify_g_eq_plog2I:
```
```  1516   "\<lbrakk> rbtreeify_g n kvs = (t, kvs'); n \<le> Suc (length kvs) \<rbrakk>
```
```  1517   \<Longrightarrow> bheight t = plog2 n"
```
```  1518 using bheight_rbtreeify_g[of n kvs] by simp
```
```  1519
```
```  1520 hide_const (open) plog2
```
```  1521
```
```  1522 lemma inv2_rbtreeify_f: "n \<le> length kvs
```
```  1523   \<Longrightarrow> inv2 (fst (rbtreeify_f n kvs))"
```
```  1524   and inv2_rbtreeify_g: "n \<le> Suc (length kvs)
```
```  1525   \<Longrightarrow> inv2 (fst (rbtreeify_g n kvs))"
```
```  1526 by(induct n kvs and n kvs rule: rbtreeify_induct)
```
```  1527   (auto simp add: bheight_rbtreeify_f bheight_rbtreeify_g
```
```  1528         intro: bheight_rbtreeify_f_eq_plog2I bheight_rbtreeify_g_eq_plog2I)
```
```  1529
```
```  1530 lemma "n \<le> length kvs \<Longrightarrow> True"
```
```  1531   and color_of_rbtreeify_g:
```
```  1532   "\<lbrakk> n \<le> Suc (length kvs); 0 < n \<rbrakk>
```
```  1533   \<Longrightarrow> color_of (fst (rbtreeify_g n kvs)) = B"
```
```  1534 by(induct n kvs and n kvs rule: rbtreeify_induct) simp_all
```
```  1535
```
```  1536 lemma entries_rbtreeify_f_append:
```
```  1537   "n \<le> length kvs
```
```  1538   \<Longrightarrow> entries (fst (rbtreeify_f n kvs)) @ snd (rbtreeify_f n kvs) = kvs"
```
```  1539   and entries_rbtreeify_g_append:
```
```  1540   "n \<le> Suc (length kvs)
```
```  1541   \<Longrightarrow> entries (fst (rbtreeify_g n kvs)) @ snd (rbtreeify_g n kvs) = kvs"
```
```  1542 by(induction rule: rbtreeify_induct) simp_all
```
```  1543
```
```  1544 lemma length_entries_rbtreeify_f:
```
```  1545   "n \<le> length kvs \<Longrightarrow> length (entries (fst (rbtreeify_f n kvs))) = n"
```
```  1546   and length_entries_rbtreeify_g:
```
```  1547   "n \<le> Suc (length kvs) \<Longrightarrow> length (entries (fst (rbtreeify_g n kvs))) = n - 1"
```
```  1548 by(induct rule: rbtreeify_induct) simp_all
```
```  1549
```
```  1550 lemma rbtreeify_f_conv_drop:
```
```  1551   "n \<le> length kvs \<Longrightarrow> snd (rbtreeify_f n kvs) = drop n kvs"
```
```  1552 using entries_rbtreeify_f_append[of n kvs]
```
```  1553 by(simp add: append_eq_conv_conj length_entries_rbtreeify_f)
```
```  1554
```
```  1555 lemma rbtreeify_g_conv_drop:
```
```  1556   "n \<le> Suc (length kvs) \<Longrightarrow> snd (rbtreeify_g n kvs) = drop (n - 1) kvs"
```
```  1557 using entries_rbtreeify_g_append[of n kvs]
```
```  1558 by(simp add: append_eq_conv_conj length_entries_rbtreeify_g)
```
```  1559
```
```  1560 lemma entries_rbtreeify_f [simp]:
```
```  1561   "n \<le> length kvs \<Longrightarrow> entries (fst (rbtreeify_f n kvs)) = take n kvs"
```
```  1562 using entries_rbtreeify_f_append[of n kvs]
```
```  1563 by(simp add: append_eq_conv_conj length_entries_rbtreeify_f)
```
```  1564
```
```  1565 lemma entries_rbtreeify_g [simp]:
```
```  1566   "n \<le> Suc (length kvs) \<Longrightarrow>
```
```  1567   entries (fst (rbtreeify_g n kvs)) = take (n - 1) kvs"
```
```  1568 using entries_rbtreeify_g_append[of n kvs]
```
```  1569 by(simp add: append_eq_conv_conj length_entries_rbtreeify_g)
```
```  1570
```
```  1571 lemma keys_rbtreeify_f [simp]: "n \<le> length kvs
```
```  1572   \<Longrightarrow> keys (fst (rbtreeify_f n kvs)) = take n (map fst kvs)"
```
```  1573 by(simp add: keys_def take_map)
```
```  1574
```
```  1575 lemma keys_rbtreeify_g [simp]: "n \<le> Suc (length kvs)
```
```  1576   \<Longrightarrow> keys (fst (rbtreeify_g n kvs)) = take (n - 1) (map fst kvs)"
```
```  1577 by(simp add: keys_def take_map)
```
```  1578
```
```  1579 lemma rbtreeify_fD:
```
```  1580   "\<lbrakk> rbtreeify_f n kvs = (t, kvs'); n \<le> length kvs \<rbrakk>
```
```  1581   \<Longrightarrow> entries t = take n kvs \<and> kvs' = drop n kvs"
```
```  1582 using rbtreeify_f_conv_drop[of n kvs] entries_rbtreeify_f[of n kvs] by simp
```
```  1583
```
```  1584 lemma rbtreeify_gD:
```
```  1585   "\<lbrakk> rbtreeify_g n kvs = (t, kvs'); n \<le> Suc (length kvs) \<rbrakk>
```
```  1586   \<Longrightarrow> entries t = take (n - 1) kvs \<and> kvs' = drop (n - 1) kvs"
```
```  1587 using rbtreeify_g_conv_drop[of n kvs] entries_rbtreeify_g[of n kvs] by simp
```
```  1588
```
```  1589 lemma entries_rbtreeify [simp]: "entries (rbtreeify kvs) = kvs"
```
```  1590 by(simp add: rbtreeify_def entries_rbtreeify_g)
```
```  1591
```
```  1592 context linorder begin
```
```  1593
```
```  1594 lemma rbt_sorted_rbtreeify_f:
```
```  1595   "\<lbrakk> n \<le> length kvs; sorted (map fst kvs); distinct (map fst kvs) \<rbrakk>
```
```  1596   \<Longrightarrow> rbt_sorted (fst (rbtreeify_f n kvs))"
```
```  1597   and rbt_sorted_rbtreeify_g:
```
```  1598   "\<lbrakk> n \<le> Suc (length kvs); sorted (map fst kvs); distinct (map fst kvs) \<rbrakk>
```
```  1599   \<Longrightarrow> rbt_sorted (fst (rbtreeify_g n kvs))"
```
```  1600 proof(induction n kvs and n kvs rule: rbtreeify_induct)
```
```  1601   case (f_even n kvs t k v kvs')
```
```  1602   from rbtreeify_fD[OF \<open>rbtreeify_f n kvs = (t, (k, v) # kvs')\<close> \<open>n \<le> length kvs\<close>]
```
```  1603   have "entries t = take n kvs"
```
```  1604     and kvs': "drop n kvs = (k, v) # kvs'" by simp_all
```
```  1605   hence unfold: "kvs = take n kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
```
```  1606   from \<open>sorted (map fst kvs)\<close> kvs'
```
```  1607   have "(\<forall>(x, y) \<in> set (take n kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
```
```  1608     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
```
```  1609   moreover from \<open>distinct (map fst kvs)\<close> kvs'
```
```  1610   have "(\<forall>(x, y) \<in> set (take n kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
```
```  1611     by(subst (asm) unfold)(auto intro: rev_image_eqI)
```
```  1612   ultimately have "(\<forall>(x, y) \<in> set (take n kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
```
```  1613     by fastforce
```
```  1614   hence "fst (rbtreeify_f n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_g n kvs')"
```
```  1615     using \<open>n \<le> Suc (length kvs')\<close> \<open>n \<le> length kvs\<close> set_take_subset[of "n - 1" kvs']
```
```  1616     by(auto simp add: ord.rbt_greater_prop ord.rbt_less_prop take_map split_def)
```
```  1617   moreover from \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1618   have "rbt_sorted (fst (rbtreeify_f n kvs))" by(rule f_even.IH)
```
```  1619   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
```
```  1620     using \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1621     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
```
```  1622   hence "rbt_sorted (fst (rbtreeify_g n kvs'))" by(rule f_even.IH)
```
```  1623   ultimately show ?case
```
```  1624     using \<open>0 < n\<close> \<open>rbtreeify_f n kvs = (t, (k, v) # kvs')\<close> by simp
```
```  1625 next
```
```  1626   case (f_odd n kvs t k v kvs')
```
```  1627   from rbtreeify_fD[OF \<open>rbtreeify_f n kvs = (t, (k, v) # kvs')\<close> \<open>n \<le> length kvs\<close>]
```
```  1628   have "entries t = take n kvs"
```
```  1629     and kvs': "drop n kvs = (k, v) # kvs'" by simp_all
```
```  1630   hence unfold: "kvs = take n kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
```
```  1631   from \<open>sorted (map fst kvs)\<close> kvs'
```
```  1632   have "(\<forall>(x, y) \<in> set (take n kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
```
```  1633     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
```
```  1634   moreover from \<open>distinct (map fst kvs)\<close> kvs'
```
```  1635   have "(\<forall>(x, y) \<in> set (take n kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
```
```  1636     by(subst (asm) unfold)(auto intro: rev_image_eqI)
```
```  1637   ultimately have "(\<forall>(x, y) \<in> set (take n kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
```
```  1638     by fastforce
```
```  1639   hence "fst (rbtreeify_f n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_f n kvs')"
```
```  1640     using \<open>n \<le> length kvs'\<close> \<open>n \<le> length kvs\<close> set_take_subset[of n kvs']
```
```  1641     by(auto simp add: rbt_greater_prop rbt_less_prop take_map split_def)
```
```  1642   moreover from \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1643   have "rbt_sorted (fst (rbtreeify_f n kvs))" by(rule f_odd.IH)
```
```  1644   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
```
```  1645     using \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1646     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
```
```  1647   hence "rbt_sorted (fst (rbtreeify_f n kvs'))" by(rule f_odd.IH)
```
```  1648   ultimately show ?case
```
```  1649     using \<open>0 < n\<close> \<open>rbtreeify_f n kvs = (t, (k, v) # kvs')\<close> by simp
```
```  1650 next
```
```  1651   case (g_even n kvs t k v kvs')
```
```  1652   from rbtreeify_gD[OF \<open>rbtreeify_g n kvs = (t, (k, v) # kvs')\<close> \<open>n \<le> Suc (length kvs)\<close>]
```
```  1653   have t: "entries t = take (n - 1) kvs"
```
```  1654     and kvs': "drop (n - 1) kvs = (k, v) # kvs'" by simp_all
```
```  1655   hence unfold: "kvs = take (n - 1) kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
```
```  1656   from \<open>sorted (map fst kvs)\<close> kvs'
```
```  1657   have "(\<forall>(x, y) \<in> set (take (n - 1) kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
```
```  1658     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
```
```  1659   moreover from \<open>distinct (map fst kvs)\<close> kvs'
```
```  1660   have "(\<forall>(x, y) \<in> set (take (n - 1) kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
```
```  1661     by(subst (asm) unfold)(auto intro: rev_image_eqI)
```
```  1662   ultimately have "(\<forall>(x, y) \<in> set (take (n - 1) kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
```
```  1663     by fastforce
```
```  1664   hence "fst (rbtreeify_g n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_g n kvs')"
```
```  1665     using \<open>n \<le> Suc (length kvs')\<close> \<open>n \<le> Suc (length kvs)\<close> set_take_subset[of "n - 1" kvs']
```
```  1666     by(auto simp add: rbt_greater_prop rbt_less_prop take_map split_def)
```
```  1667   moreover from \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1668   have "rbt_sorted (fst (rbtreeify_g n kvs))" by(rule g_even.IH)
```
```  1669   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
```
```  1670     using \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1671     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
```
```  1672   hence "rbt_sorted (fst (rbtreeify_g n kvs'))" by(rule g_even.IH)
```
```  1673   ultimately show ?case using \<open>0 < n\<close> \<open>rbtreeify_g n kvs = (t, (k, v) # kvs')\<close> by simp
```
```  1674 next
```
```  1675   case (g_odd n kvs t k v kvs')
```
```  1676   from rbtreeify_fD[OF \<open>rbtreeify_f n kvs = (t, (k, v) # kvs')\<close> \<open>n \<le> length kvs\<close>]
```
```  1677   have "entries t = take n kvs"
```
```  1678     and kvs': "drop n kvs = (k, v) # kvs'" by simp_all
```
```  1679   hence unfold: "kvs = take n kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
```
```  1680   from \<open>sorted (map fst kvs)\<close> kvs'
```
```  1681   have "(\<forall>(x, y) \<in> set (take n kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
```
```  1682     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
```
```  1683   moreover from \<open>distinct (map fst kvs)\<close> kvs'
```
```  1684   have "(\<forall>(x, y) \<in> set (take n kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
```
```  1685     by(subst (asm) unfold)(auto intro: rev_image_eqI)
```
```  1686   ultimately have "(\<forall>(x, y) \<in> set (take n kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
```
```  1687     by fastforce
```
```  1688   hence "fst (rbtreeify_f n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_g n kvs')"
```
```  1689     using \<open>n \<le> Suc (length kvs')\<close> \<open>n \<le> length kvs\<close> set_take_subset[of "n - 1" kvs']
```
```  1690     by(auto simp add: rbt_greater_prop rbt_less_prop take_map split_def)
```
```  1691   moreover from \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1692   have "rbt_sorted (fst (rbtreeify_f n kvs))" by(rule g_odd.IH)
```
```  1693   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
```
```  1694     using \<open>sorted (map fst kvs)\<close> \<open>distinct (map fst kvs)\<close>
```
```  1695     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
```
```  1696   hence "rbt_sorted (fst (rbtreeify_g n kvs'))" by(rule g_odd.IH)
```
```  1697   ultimately show ?case
```
```  1698     using \<open>0 < n\<close> \<open>rbtreeify_f n kvs = (t, (k, v) # kvs')\<close> by simp
```
```  1699 qed simp_all
```
```  1700
```
```  1701 lemma rbt_sorted_rbtreeify:
```
```  1702   "\<lbrakk> sorted (map fst kvs); distinct (map fst kvs) \<rbrakk> \<Longrightarrow> rbt_sorted (rbtreeify kvs)"
```
```  1703 by(simp add: rbtreeify_def rbt_sorted_rbtreeify_g)
```
```  1704
```
```  1705 lemma is_rbt_rbtreeify:
```
```  1706   "\<lbrakk> sorted (map fst kvs); distinct (map fst kvs) \<rbrakk>
```
```  1707   \<Longrightarrow> is_rbt (rbtreeify kvs)"
```
```  1708 by(simp add: is_rbt_def rbtreeify_def inv1_rbtreeify_g inv2_rbtreeify_g rbt_sorted_rbtreeify_g color_of_rbtreeify_g)
```
```  1709
```
```  1710 lemma rbt_lookup_rbtreeify:
```
```  1711   "\<lbrakk> sorted (map fst kvs); distinct (map fst kvs) \<rbrakk> \<Longrightarrow>
```
```  1712   rbt_lookup (rbtreeify kvs) = map_of kvs"
```
```  1713 by(simp add: map_of_entries[symmetric] rbt_sorted_rbtreeify)
```
```  1714
```
```  1715 end
```
```  1716
```
```  1717 text \<open>
```
```  1718   Functions to compare the height of two rbt trees, taken from
```
```  1719   Andrew W. Appel, Efficient Verified Red-Black Trees (September 2011)
```
```  1720 \<close>
```
```  1721
```
```  1722 fun skip_red :: "('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
```
```  1723 where
```
```  1724   "skip_red (Branch color.R l k v r) = l"
```
```  1725 | "skip_red t = t"
```
```  1726
```
```  1727 definition skip_black :: "('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
```
```  1728 where
```
```  1729   "skip_black t = (let t' = skip_red t in case t' of Branch color.B l k v r \<Rightarrow> l | _ \<Rightarrow> t')"
```
```  1730
```
```  1731 datatype compare = LT | GT | EQ
```
```  1732
```
```  1733 partial_function (tailrec) compare_height :: "('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> compare"
```
```  1734 where
```
```  1735   "compare_height sx s t tx =
```
```  1736   (case (skip_red sx, skip_red s, skip_red t, skip_red tx) of
```
```  1737      (Branch _ sx' _ _ _, Branch _ s' _ _ _, Branch _ t' _ _ _, Branch _ tx' _ _ _) \<Rightarrow>
```
```  1738        compare_height (skip_black sx') s' t' (skip_black tx')
```
```  1739    | (_, rbt.Empty, _, Branch _ _ _ _ _) \<Rightarrow> LT
```
```  1740    | (Branch _ _ _ _ _, _, rbt.Empty, _) \<Rightarrow> GT
```
```  1741    | (Branch _ sx' _ _ _, Branch _ s' _ _ _, Branch _ t' _ _ _, rbt.Empty) \<Rightarrow>
```
```  1742        compare_height (skip_black sx') s' t' rbt.Empty
```
```  1743    | (rbt.Empty, Branch _ s' _ _ _, Branch _ t' _ _ _, Branch _ tx' _ _ _) \<Rightarrow>
```
```  1744        compare_height rbt.Empty s' t' (skip_black tx')
```
```  1745    | _ \<Rightarrow> EQ)"
```
```  1746
```
```  1747 declare compare_height.simps [code]
```
```  1748
```
```  1749 hide_type (open) compare
```
```  1750 hide_const (open)
```
```  1751   compare_height skip_black skip_red LT GT EQ case_compare rec_compare
```
```  1752   Abs_compare Rep_compare
```
```  1753 hide_fact (open)
```
```  1754   Abs_compare_cases Abs_compare_induct Abs_compare_inject Abs_compare_inverse
```
```  1755   Rep_compare Rep_compare_cases Rep_compare_induct Rep_compare_inject Rep_compare_inverse
```
```  1756   compare.simps compare.exhaust compare.induct compare.rec compare.simps
```
```  1757   compare.size compare.case_cong compare.case_cong_weak compare.case
```
```  1758   compare.nchotomy compare.split compare.split_asm compare.eq.refl compare.eq.simps
```
```  1759   equal_compare_def
```
```  1760   skip_red.simps skip_red.cases skip_red.induct
```
```  1761   skip_black_def
```
```  1762   compare_height.simps
```
```  1763
```
```  1764 subsection \<open>union and intersection of sorted associative lists\<close>
```
```  1765
```
```  1766 context ord begin
```
```  1767
```
```  1768 function sunion_with :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list"
```
```  1769 where
```
```  1770   "sunion_with f ((k, v) # as) ((k', v') # bs) =
```
```  1771    (if k > k' then (k', v') # sunion_with f ((k, v) # as) bs
```
```  1772     else if k < k' then (k, v) # sunion_with f as ((k', v') # bs)
```
```  1773     else (k, f k v v') # sunion_with f as bs)"
```
```  1774 | "sunion_with f [] bs = bs"
```
```  1775 | "sunion_with f as [] = as"
```
```  1776 by pat_completeness auto
```
```  1777 termination by lexicographic_order
```
```  1778
```
```  1779 function sinter_with :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list"
```
```  1780 where
```
```  1781   "sinter_with f ((k, v) # as) ((k', v') # bs) =
```
```  1782   (if k > k' then sinter_with f ((k, v) # as) bs
```
```  1783    else if k < k' then sinter_with f as ((k', v') # bs)
```
```  1784    else (k, f k v v') # sinter_with f as bs)"
```
```  1785 | "sinter_with f [] _ = []"
```
```  1786 | "sinter_with f _ [] = []"
```
```  1787 by pat_completeness auto
```
```  1788 termination by lexicographic_order
```
```  1789
```
```  1790 end
```
```  1791
```
```  1792 declare ord.sunion_with.simps [code] ord.sinter_with.simps[code]
```
```  1793
```
```  1794 context linorder begin
```
```  1795
```
```  1796 lemma set_fst_sunion_with:
```
```  1797   "set (map fst (sunion_with f xs ys)) = set (map fst xs) \<union> set (map fst ys)"
```
```  1798 by(induct f xs ys rule: sunion_with.induct) auto
```
```  1799
```
```  1800 lemma sorted_sunion_with [simp]:
```
```  1801   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
```
```  1802   \<Longrightarrow> sorted (map fst (sunion_with f xs ys))"
```
```  1803 by(induct f xs ys rule: sunion_with.induct)
```
```  1804   (auto simp add: sorted_Cons set_fst_sunion_with simp del: set_map)
```
```  1805
```
```  1806 lemma distinct_sunion_with [simp]:
```
```  1807   "\<lbrakk> distinct (map fst xs); distinct (map fst ys); sorted (map fst xs); sorted (map fst ys) \<rbrakk>
```
```  1808   \<Longrightarrow> distinct (map fst (sunion_with f xs ys))"
```
```  1809 proof(induct f xs ys rule: sunion_with.induct)
```
```  1810   case (1 f k v xs k' v' ys)
```
```  1811   have "\<lbrakk> \<not> k < k'; \<not> k' < k \<rbrakk> \<Longrightarrow> k = k'" by simp
```
```  1812   thus ?case using "1"
```
```  1813     by(auto simp add: set_fst_sunion_with sorted_Cons simp del: set_map)
```
```  1814 qed simp_all
```
```  1815
```
```  1816 lemma map_of_sunion_with:
```
```  1817   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
```
```  1818   \<Longrightarrow> map_of (sunion_with f xs ys) k =
```
```  1819   (case map_of xs k of None \<Rightarrow> map_of ys k
```
```  1820   | Some v \<Rightarrow> case map_of ys k of None \<Rightarrow> Some v
```
```  1821               | Some w \<Rightarrow> Some (f k v w))"
```
```  1822 by(induct f xs ys rule: sunion_with.induct)(auto simp add: sorted_Cons split: option.split dest: map_of_SomeD bspec)
```
```  1823
```
```  1824 lemma set_fst_sinter_with [simp]:
```
```  1825   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
```
```  1826   \<Longrightarrow> set (map fst (sinter_with f xs ys)) = set (map fst xs) \<inter> set (map fst ys)"
```
```  1827 by(induct f xs ys rule: sinter_with.induct)(auto simp add: sorted_Cons simp del: set_map)
```
```  1828
```
```  1829 lemma set_fst_sinter_with_subset1:
```
```  1830   "set (map fst (sinter_with f xs ys)) \<subseteq> set (map fst xs)"
```
```  1831 by(induct f xs ys rule: sinter_with.induct) auto
```
```  1832
```
```  1833 lemma set_fst_sinter_with_subset2:
```
```  1834   "set (map fst (sinter_with f xs ys)) \<subseteq> set (map fst ys)"
```
```  1835 by(induct f xs ys rule: sinter_with.induct)(auto simp del: set_map)
```
```  1836
```
```  1837 lemma sorted_sinter_with [simp]:
```
```  1838   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
```
```  1839   \<Longrightarrow> sorted (map fst (sinter_with f xs ys))"
```
```  1840 by(induct f xs ys rule: sinter_with.induct)(auto simp add: sorted_Cons simp del: set_map)
```
```  1841
```
```  1842 lemma distinct_sinter_with [simp]:
```
```  1843   "\<lbrakk> distinct (map fst xs); distinct (map fst ys) \<rbrakk>
```
```  1844   \<Longrightarrow> distinct (map fst (sinter_with f xs ys))"
```
```  1845 proof(induct f xs ys rule: sinter_with.induct)
```
```  1846   case (1 f k v as k' v' bs)
```
```  1847   have "\<lbrakk> \<not> k < k'; \<not> k' < k \<rbrakk> \<Longrightarrow> k = k'" by simp
```
```  1848   thus ?case using "1" set_fst_sinter_with_subset1[of f as bs]
```
```  1849     set_fst_sinter_with_subset2[of f as bs]
```
```  1850     by(auto simp del: set_map)
```
```  1851 qed simp_all
```
```  1852
```
```  1853 lemma map_of_sinter_with:
```
```  1854   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
```
```  1855   \<Longrightarrow> map_of (sinter_with f xs ys) k =
```
```  1856   (case map_of xs k of None \<Rightarrow> None | Some v \<Rightarrow> map_option (f k v) (map_of ys k))"
```
```  1857 apply(induct f xs ys rule: sinter_with.induct)
```
```  1858 apply(auto simp add: sorted_Cons map_option_case split: option.splits dest: map_of_SomeD bspec)
```
```  1859 done
```
```  1860
```
```  1861 end
```
```  1862
```
```  1863 lemma distinct_map_of_rev: "distinct (map fst xs) \<Longrightarrow> map_of (rev xs) = map_of xs"
```
```  1864 by(induct xs)(auto 4 3 simp add: map_add_def intro!: ext split: option.split intro: rev_image_eqI)
```
```  1865
```
```  1866 lemma map_map_filter:
```
```  1867   "map f (List.map_filter g xs) = List.map_filter (map_option f \<circ> g) xs"
```
```  1868 by(auto simp add: List.map_filter_def)
```
```  1869
```
```  1870 lemma map_filter_map_option_const:
```
```  1871   "List.map_filter (\<lambda>x. map_option (\<lambda>y. f x) (g (f x))) xs = filter (\<lambda>x. g x \<noteq> None) (map f xs)"
```
```  1872 by(auto simp add: map_filter_def filter_map o_def)
```
```  1873
```
```  1874 lemma set_map_filter: "set (List.map_filter P xs) = the ` (P ` set xs - {None})"
```
```  1875 by(auto simp add: List.map_filter_def intro: rev_image_eqI)
```
```  1876
```
```  1877 context ord begin
```
```  1878
```
```  1879 definition rbt_union_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
```
```  1880 where
```
```  1881   "rbt_union_with_key f t1 t2 =
```
```  1882   (case RBT_Impl.compare_height t1 t1 t2 t2
```
```  1883    of compare.EQ \<Rightarrow> rbtreeify (sunion_with f (entries t1) (entries t2))
```
```  1884     | compare.LT \<Rightarrow> fold (rbt_insert_with_key (\<lambda>k v w. f k w v)) t1 t2
```
```  1885     | compare.GT \<Rightarrow> fold (rbt_insert_with_key f) t2 t1)"
```
```  1886
```
```  1887 definition rbt_union_with where
```
```  1888   "rbt_union_with f = rbt_union_with_key (\<lambda>_. f)"
```
```  1889
```
```  1890 definition rbt_union where
```
```  1891   "rbt_union = rbt_union_with_key (%_ _ rv. rv)"
```
```  1892
```
```  1893 definition rbt_inter_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
```
```  1894 where
```
```  1895   "rbt_inter_with_key f t1 t2 =
```
```  1896   (case RBT_Impl.compare_height t1 t1 t2 t2
```
```  1897    of compare.EQ \<Rightarrow> rbtreeify (sinter_with f (entries t1) (entries t2))
```
```  1898     | compare.LT \<Rightarrow> rbtreeify (List.map_filter (\<lambda>(k, v). map_option (\<lambda>w. (k, f k v w)) (rbt_lookup t2 k)) (entries t1))
```
```  1899     | compare.GT \<Rightarrow> rbtreeify (List.map_filter (\<lambda>(k, v). map_option (\<lambda>w. (k, f k w v)) (rbt_lookup t1 k)) (entries t2)))"
```
```  1900
```
```  1901 definition rbt_inter_with where
```
```  1902   "rbt_inter_with f = rbt_inter_with_key (\<lambda>_. f)"
```
```  1903
```
```  1904 definition rbt_inter where
```
```  1905   "rbt_inter = rbt_inter_with_key (\<lambda>_ _ rv. rv)"
```
```  1906
```
```  1907 end
```
```  1908
```
```  1909 context linorder begin
```
```  1910
```
```  1911 lemma rbt_sorted_entries_right_unique:
```
```  1912   "\<lbrakk> (k, v) \<in> set (entries t); (k, v') \<in> set (entries t);
```
```  1913      rbt_sorted t \<rbrakk> \<Longrightarrow> v = v'"
```
```  1914 by(auto dest!: distinct_entries inj_onD[where x="(k, v)" and y="(k, v')"] simp add: distinct_map)
```
```  1915
```
```  1916 lemma rbt_sorted_fold_rbt_insertwk:
```
```  1917   "rbt_sorted t \<Longrightarrow> rbt_sorted (List.fold (\<lambda>(k, v). rbt_insert_with_key f k v) xs t)"
```
```  1918 by(induct xs rule: rev_induct)(auto simp add: rbt_insertwk_rbt_sorted)
```
```  1919
```
```  1920 lemma is_rbt_fold_rbt_insertwk:
```
```  1921   assumes "is_rbt t1"
```
```  1922   shows "is_rbt (fold (rbt_insert_with_key f) t2 t1)"
```
```  1923 proof -
```
```  1924   define xs where "xs = entries t2"
```
```  1925   from assms show ?thesis unfolding fold_def xs_def[symmetric]
```
```  1926     by(induct xs rule: rev_induct)(auto simp add: rbt_insertwk_is_rbt)
```
```  1927 qed
```
```  1928
```
```  1929 lemma rbt_lookup_fold_rbt_insertwk:
```
```  1930   assumes t1: "rbt_sorted t1" and t2: "rbt_sorted t2"
```
```  1931   shows "rbt_lookup (fold (rbt_insert_with_key f) t1 t2) k =
```
```  1932   (case rbt_lookup t1 k of None \<Rightarrow> rbt_lookup t2 k
```
```  1933    | Some v \<Rightarrow> case rbt_lookup t2 k of None \<Rightarrow> Some v
```
```  1934                | Some w \<Rightarrow> Some (f k w v))"
```
```  1935 proof -
```
```  1936   define xs where "xs = entries t1"
```
```  1937   hence dt1: "distinct (map fst xs)" using t1 by(simp add: distinct_entries)
```
```  1938   with t2 show ?thesis
```
```  1939     unfolding fold_def map_of_entries[OF t1, symmetric]
```
```  1940       xs_def[symmetric] distinct_map_of_rev[OF dt1, symmetric]
```
```  1941     apply(induct xs rule: rev_induct)
```
```  1942     apply(auto simp add: rbt_lookup_rbt_insertwk rbt_sorted_fold_rbt_insertwk split: option.splits)
```
```  1943     apply(auto simp add: distinct_map_of_rev intro: rev_image_eqI)
```
```  1944     done
```
```  1945 qed
```
```  1946
```
```  1947 lemma is_rbt_rbt_unionwk [simp]:
```
```  1948   "\<lbrakk> is_rbt t1; is_rbt t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_union_with_key f t1 t2)"
```
```  1949 by(simp add: rbt_union_with_key_def Let_def is_rbt_fold_rbt_insertwk is_rbt_rbtreeify rbt_sorted_entries distinct_entries split: compare.split)
```
```  1950
```
```  1951 lemma rbt_lookup_rbt_unionwk:
```
```  1952   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk>
```
```  1953   \<Longrightarrow> rbt_lookup (rbt_union_with_key f t1 t2) k =
```
```  1954   (case rbt_lookup t1 k of None \<Rightarrow> rbt_lookup t2 k
```
```  1955    | Some v \<Rightarrow> case rbt_lookup t2 k of None \<Rightarrow> Some v
```
```  1956               | Some w \<Rightarrow> Some (f k v w))"
```
```  1957 by(auto simp add: rbt_union_with_key_def Let_def rbt_lookup_fold_rbt_insertwk rbt_sorted_entries distinct_entries map_of_sunion_with map_of_entries rbt_lookup_rbtreeify split: option.split compare.split)
```
```  1958
```
```  1959 lemma rbt_unionw_is_rbt: "\<lbrakk> is_rbt lt; is_rbt rt \<rbrakk> \<Longrightarrow> is_rbt (rbt_union_with f lt rt)"
```
```  1960 by(simp add: rbt_union_with_def)
```
```  1961
```
```  1962 lemma rbt_union_is_rbt: "\<lbrakk> is_rbt lt; is_rbt rt \<rbrakk> \<Longrightarrow> is_rbt (rbt_union lt rt)"
```
```  1963 by(simp add: rbt_union_def)
```
```  1964
```
```  1965 lemma rbt_lookup_rbt_union:
```
```  1966   "\<lbrakk> rbt_sorted s; rbt_sorted t \<rbrakk> \<Longrightarrow>
```
```  1967   rbt_lookup (rbt_union s t) = rbt_lookup s ++ rbt_lookup t"
```
```  1968 by(rule ext)(simp add: rbt_lookup_rbt_unionwk rbt_union_def map_add_def split: option.split)
```
```  1969
```
```  1970 lemma rbt_interwk_is_rbt [simp]:
```
```  1971   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_inter_with_key f t1 t2)"
```
```  1972 by(auto simp add: rbt_inter_with_key_def Let_def map_map_filter split_def o_def option.map_comp map_filter_map_option_const sorted_filter[where f=id, simplified] rbt_sorted_entries distinct_entries intro: is_rbt_rbtreeify split: compare.split)
```
```  1973
```
```  1974 lemma rbt_interw_is_rbt:
```
```  1975   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_inter_with f t1 t2)"
```
```  1976 by(simp add: rbt_inter_with_def)
```
```  1977
```
```  1978 lemma rbt_inter_is_rbt:
```
```  1979   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_inter t1 t2)"
```
```  1980 by(simp add: rbt_inter_def)
```
```  1981
```
```  1982 lemma rbt_lookup_rbt_interwk:
```
```  1983   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk>
```
```  1984   \<Longrightarrow> rbt_lookup (rbt_inter_with_key f t1 t2) k =
```
```  1985   (case rbt_lookup t1 k of None \<Rightarrow> None
```
```  1986    | Some v \<Rightarrow> case rbt_lookup t2 k of None \<Rightarrow> None
```
```  1987                | Some w \<Rightarrow> Some (f k v w))"
```
```  1988 by(auto 4 3 simp add: rbt_inter_with_key_def Let_def map_of_entries[symmetric] rbt_lookup_rbtreeify map_map_filter split_def o_def option.map_comp map_filter_map_option_const sorted_filter[where f=id, simplified] rbt_sorted_entries distinct_entries map_of_sinter_with map_of_eq_None_iff set_map_filter split: option.split compare.split intro: rev_image_eqI dest: rbt_sorted_entries_right_unique)
```
```  1989
```
```  1990 lemma rbt_lookup_rbt_inter:
```
```  1991   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk>
```
```  1992   \<Longrightarrow> rbt_lookup (rbt_inter t1 t2) = rbt_lookup t2 |` dom (rbt_lookup t1)"
```
```  1993 by(auto simp add: rbt_inter_def rbt_lookup_rbt_interwk restrict_map_def split: option.split)
```
```  1994
```
```  1995 end
```
```  1996
```
```  1997
```
```  1998 subsection \<open>Code generator setup\<close>
```
```  1999
```
```  2000 lemmas [code] =
```
```  2001   ord.rbt_less_prop
```
```  2002   ord.rbt_greater_prop
```
```  2003   ord.rbt_sorted.simps
```
```  2004   ord.rbt_lookup.simps
```
```  2005   ord.is_rbt_def
```
```  2006   ord.rbt_ins.simps
```
```  2007   ord.rbt_insert_with_key_def
```
```  2008   ord.rbt_insertw_def
```
```  2009   ord.rbt_insert_def
```
```  2010   ord.rbt_del_from_left.simps
```
```  2011   ord.rbt_del_from_right.simps
```
```  2012   ord.rbt_del.simps
```
```  2013   ord.rbt_delete_def
```
```  2014   ord.sunion_with.simps
```
```  2015   ord.sinter_with.simps
```
```  2016   ord.rbt_union_with_key_def
```
```  2017   ord.rbt_union_with_def
```
```  2018   ord.rbt_union_def
```
```  2019   ord.rbt_inter_with_key_def
```
```  2020   ord.rbt_inter_with_def
```
```  2021   ord.rbt_inter_def
```
```  2022   ord.rbt_map_entry.simps
```
```  2023   ord.rbt_bulkload_def
```
```  2024
```
```  2025 text \<open>More efficient implementations for @{term entries} and @{term keys}\<close>
```
```  2026
```
```  2027 definition gen_entries ::
```
```  2028   "(('a \<times> 'b) \<times> ('a, 'b) rbt) list \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a \<times> 'b) list"
```
```  2029 where
```
```  2030   "gen_entries kvts t = entries t @ concat (map (\<lambda>(kv, t). kv # entries t) kvts)"
```
```  2031
```
```  2032 lemma gen_entries_simps [simp, code]:
```
```  2033   "gen_entries [] Empty = []"
```
```  2034   "gen_entries ((kv, t) # kvts) Empty = kv # gen_entries kvts t"
```
```  2035   "gen_entries kvts (Branch c l k v r) = gen_entries (((k, v), r) # kvts) l"
```
```  2036 by(simp_all add: gen_entries_def)
```
```  2037
```
```  2038 lemma entries_code [code]:
```
```  2039   "entries = gen_entries []"
```
```  2040 by(simp add: gen_entries_def fun_eq_iff)
```
```  2041
```
```  2042 definition gen_keys :: "('a \<times> ('a, 'b) rbt) list \<Rightarrow> ('a, 'b) rbt \<Rightarrow> 'a list"
```
```  2043 where "gen_keys kts t = RBT_Impl.keys t @ concat (List.map (\<lambda>(k, t). k # keys t) kts)"
```
```  2044
```
```  2045 lemma gen_keys_simps [simp, code]:
```
```  2046   "gen_keys [] Empty = []"
```
```  2047   "gen_keys ((k, t) # kts) Empty = k # gen_keys kts t"
```
```  2048   "gen_keys kts (Branch c l k v r) = gen_keys ((k, r) # kts) l"
```
```  2049 by(simp_all add: gen_keys_def)
```
```  2050
```
```  2051 lemma keys_code [code]:
```
```  2052   "keys = gen_keys []"
```
```  2053 by(simp add: gen_keys_def fun_eq_iff)
```
```  2054
```
```  2055 text \<open>Restore original type constraints for constants\<close>
```
```  2056 setup \<open>
```
```  2057   fold Sign.add_const_constraint
```
```  2058     [(@{const_name rbt_less}, SOME @{typ "('a :: order) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"}),
```
```  2059      (@{const_name rbt_greater}, SOME @{typ "('a :: order) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"}),
```
```  2060      (@{const_name rbt_sorted}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> bool"}),
```
```  2061      (@{const_name rbt_lookup}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"}),
```
```  2062      (@{const_name is_rbt}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> bool"}),
```
```  2063      (@{const_name rbt_ins}, SOME @{typ "('a::linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2064      (@{const_name rbt_insert_with_key}, SOME @{typ "('a::linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2065      (@{const_name rbt_insert_with}, SOME @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a :: linorder) \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2066      (@{const_name rbt_insert}, SOME @{typ "('a :: linorder) \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2067      (@{const_name rbt_del_from_left}, SOME @{typ "('a::linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2068      (@{const_name rbt_del_from_right}, SOME @{typ "('a::linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2069      (@{const_name rbt_del}, SOME @{typ "('a::linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2070      (@{const_name rbt_delete}, SOME @{typ "('a::linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2071      (@{const_name rbt_union_with_key}, SOME @{typ "('a::linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2072      (@{const_name rbt_union_with}, SOME @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a::linorder,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2073      (@{const_name rbt_union}, SOME @{typ "('a::linorder,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2074      (@{const_name rbt_map_entry}, SOME @{typ "'a::linorder \<Rightarrow> ('b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
```
```  2075      (@{const_name rbt_bulkload}, SOME @{typ "('a \<times> 'b) list \<Rightarrow> ('a::linorder,'b) rbt"})]
```
```  2076 \<close>
```
```  2077
```
```  2078 hide_const (open) R B Empty entries keys fold gen_keys gen_entries
```
```  2079
```
```  2080 end
```