src/HOL/Library/RBT_Impl.thy
author Andreas Lochbihler
Thu Sep 20 17:17:20 2012 +0200 (2012-09-20)
changeset 49480 4632b867fba7
parent 48621 877df57629e3
child 49770 cf6a78acf445
permissions -rw-r--r--
more efficient code setup
     1 (*  Title:      HOL/Library/RBT_Impl.thy
     2     Author:     Markus Reiter, TU Muenchen
     3     Author:     Alexander Krauss, TU Muenchen
     4 *)
     5 
     6 header {* Implementation of Red-Black Trees *}
     7 
     8 theory RBT_Impl
     9 imports Main
    10 begin
    11 
    12 text {*
    13   For applications, you should use theory @{text RBT} which defines
    14   an abstract type of red-black tree obeying the invariant.
    15 *}
    16 
    17 subsection {* Datatype of RB trees *}
    18 
    19 datatype color = R | B
    20 datatype ('a, 'b) rbt = Empty | Branch color "('a, 'b) rbt" 'a 'b "('a, 'b) rbt"
    21 
    22 lemma rbt_cases:
    23   obtains (Empty) "t = Empty" 
    24   | (Red) l k v r where "t = Branch R l k v r" 
    25   | (Black) l k v r where "t = Branch B l k v r"
    26 proof (cases t)
    27   case Empty with that show thesis by blast
    28 next
    29   case (Branch c) with that show thesis by (cases c) blast+
    30 qed
    31 
    32 subsection {* Tree properties *}
    33 
    34 subsubsection {* Content of a tree *}
    35 
    36 primrec entries :: "('a, 'b) rbt \<Rightarrow> ('a \<times> 'b) list"
    37 where 
    38   "entries Empty = []"
    39 | "entries (Branch _ l k v r) = entries l @ (k,v) # entries r"
    40 
    41 abbreviation (input) entry_in_tree :: "'a \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
    42 where
    43   "entry_in_tree k v t \<equiv> (k, v) \<in> set (entries t)"
    44 
    45 definition keys :: "('a, 'b) rbt \<Rightarrow> 'a list" where
    46   "keys t = map fst (entries t)"
    47 
    48 lemma keys_simps [simp, code]:
    49   "keys Empty = []"
    50   "keys (Branch c l k v r) = keys l @ k # keys r"
    51   by (simp_all add: keys_def)
    52 
    53 lemma entry_in_tree_keys:
    54   assumes "(k, v) \<in> set (entries t)"
    55   shows "k \<in> set (keys t)"
    56 proof -
    57   from assms have "fst (k, v) \<in> fst ` set (entries t)" by (rule imageI)
    58   then show ?thesis by (simp add: keys_def)
    59 qed
    60 
    61 lemma keys_entries:
    62   "k \<in> set (keys t) \<longleftrightarrow> (\<exists>v. (k, v) \<in> set (entries t))"
    63   by (auto intro: entry_in_tree_keys) (auto simp add: keys_def)
    64 
    65 lemma non_empty_rbt_keys: 
    66   "t \<noteq> rbt.Empty \<Longrightarrow> keys t \<noteq> []"
    67   by (cases t) simp_all
    68 
    69 subsubsection {* Search tree properties *}
    70 
    71 context ord begin
    72 
    73 definition rbt_less :: "'a \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
    74 where
    75   rbt_less_prop: "rbt_less k t \<longleftrightarrow> (\<forall>x\<in>set (keys t). x < k)"
    76 
    77 abbreviation rbt_less_symbol (infix "|\<guillemotleft>" 50)
    78 where "t |\<guillemotleft> x \<equiv> rbt_less x t"
    79 
    80 definition rbt_greater :: "'a \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool" (infix "\<guillemotleft>|" 50) 
    81 where
    82   rbt_greater_prop: "rbt_greater k t = (\<forall>x\<in>set (keys t). k < x)"
    83 
    84 lemma rbt_less_simps [simp]:
    85   "Empty |\<guillemotleft> k = True"
    86   "Branch c lt kt v rt |\<guillemotleft> k \<longleftrightarrow> kt < k \<and> lt |\<guillemotleft> k \<and> rt |\<guillemotleft> k"
    87   by (auto simp add: rbt_less_prop)
    88 
    89 lemma rbt_greater_simps [simp]:
    90   "k \<guillemotleft>| Empty = True"
    91   "k \<guillemotleft>| (Branch c lt kt v rt) \<longleftrightarrow> k < kt \<and> k \<guillemotleft>| lt \<and> k \<guillemotleft>| rt"
    92   by (auto simp add: rbt_greater_prop)
    93 
    94 lemmas rbt_ord_props = rbt_less_prop rbt_greater_prop
    95 
    96 lemmas rbt_greater_nit = rbt_greater_prop entry_in_tree_keys
    97 lemmas rbt_less_nit = rbt_less_prop entry_in_tree_keys
    98 
    99 lemma (in order)
   100   shows rbt_less_eq_trans: "l |\<guillemotleft> u \<Longrightarrow> u \<le> v \<Longrightarrow> l |\<guillemotleft> v"
   101   and rbt_less_trans: "t |\<guillemotleft> x \<Longrightarrow> x < y \<Longrightarrow> t |\<guillemotleft> y"
   102   and rbt_greater_eq_trans: "u \<le> v \<Longrightarrow> v \<guillemotleft>| r \<Longrightarrow> u \<guillemotleft>| r"
   103   and rbt_greater_trans: "x < y \<Longrightarrow> y \<guillemotleft>| t \<Longrightarrow> x \<guillemotleft>| t"
   104   by (auto simp: rbt_ord_props)
   105 
   106 primrec rbt_sorted :: "('a, 'b) rbt \<Rightarrow> bool"
   107 where
   108   "rbt_sorted Empty = True"
   109 | "rbt_sorted (Branch c l k v r) = (l |\<guillemotleft> k \<and> k \<guillemotleft>| r \<and> rbt_sorted l \<and> rbt_sorted r)"
   110 
   111 end
   112 
   113 context linorder begin
   114 
   115 lemma rbt_sorted_entries:
   116   "rbt_sorted t \<Longrightarrow> List.sorted (List.map fst (entries t))"
   117 by (induct t) 
   118   (force simp: sorted_append sorted_Cons rbt_ord_props 
   119       dest!: entry_in_tree_keys)+
   120 
   121 lemma distinct_entries:
   122   "rbt_sorted t \<Longrightarrow> distinct (List.map fst (entries t))"
   123 by (induct t) 
   124   (force simp: sorted_append sorted_Cons rbt_ord_props 
   125       dest!: entry_in_tree_keys)+
   126 
   127 lemma distinct_keys:
   128   "rbt_sorted t \<Longrightarrow> distinct (keys t)"
   129   by (simp add: distinct_entries keys_def)
   130 
   131 
   132 subsubsection {* Tree lookup *}
   133 
   134 primrec (in ord) rbt_lookup :: "('a, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"
   135 where
   136   "rbt_lookup Empty k = None"
   137 | "rbt_lookup (Branch _ l x y r) k = 
   138    (if k < x then rbt_lookup l k else if x < k then rbt_lookup r k else Some y)"
   139 
   140 lemma rbt_lookup_keys: "rbt_sorted t \<Longrightarrow> dom (rbt_lookup t) = set (keys t)"
   141   by (induct t) (auto simp: dom_def rbt_greater_prop rbt_less_prop)
   142 
   143 lemma dom_rbt_lookup_Branch: 
   144   "rbt_sorted (Branch c t1 k v t2) \<Longrightarrow> 
   145     dom (rbt_lookup (Branch c t1 k v t2)) 
   146     = Set.insert k (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2))"
   147 proof -
   148   assume "rbt_sorted (Branch c t1 k v t2)"
   149   moreover from this have "rbt_sorted t1" "rbt_sorted t2" by simp_all
   150   ultimately show ?thesis by (simp add: rbt_lookup_keys)
   151 qed
   152 
   153 lemma finite_dom_rbt_lookup [simp, intro!]: "finite (dom (rbt_lookup t))"
   154 proof (induct t)
   155   case Empty then show ?case by simp
   156 next
   157   case (Branch color t1 a b t2)
   158   let ?A = "Set.insert a (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2))"
   159   have "dom (rbt_lookup (Branch color t1 a b t2)) \<subseteq> ?A" by (auto split: split_if_asm)
   160   moreover from Branch have "finite (insert a (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2)))" by simp
   161   ultimately show ?case by (rule finite_subset)
   162 qed 
   163 
   164 end
   165 
   166 context ord begin
   167 
   168 lemma rbt_lookup_rbt_less[simp]: "t |\<guillemotleft> k \<Longrightarrow> rbt_lookup t k = None" 
   169 by (induct t) auto
   170 
   171 lemma rbt_lookup_rbt_greater[simp]: "k \<guillemotleft>| t \<Longrightarrow> rbt_lookup t k = None"
   172 by (induct t) auto
   173 
   174 lemma rbt_lookup_Empty: "rbt_lookup Empty = empty"
   175 by (rule ext) simp
   176 
   177 end
   178 
   179 context linorder begin
   180 
   181 lemma map_of_entries:
   182   "rbt_sorted t \<Longrightarrow> map_of (entries t) = rbt_lookup t"
   183 proof (induct t)
   184   case Empty thus ?case by (simp add: rbt_lookup_Empty)
   185 next
   186   case (Branch c t1 k v t2)
   187   have "rbt_lookup (Branch c t1 k v t2) = rbt_lookup t2 ++ [k\<mapsto>v] ++ rbt_lookup t1"
   188   proof (rule ext)
   189     fix x
   190     from Branch have RBT_SORTED: "rbt_sorted (Branch c t1 k v t2)" by simp
   191     let ?thesis = "rbt_lookup (Branch c t1 k v t2) x = (rbt_lookup t2 ++ [k \<mapsto> v] ++ rbt_lookup t1) x"
   192 
   193     have DOM_T1: "!!k'. k'\<in>dom (rbt_lookup t1) \<Longrightarrow> k>k'"
   194     proof -
   195       fix k'
   196       from RBT_SORTED have "t1 |\<guillemotleft> k" by simp
   197       with rbt_less_prop have "\<forall>k'\<in>set (keys t1). k>k'" by auto
   198       moreover assume "k'\<in>dom (rbt_lookup t1)"
   199       ultimately show "k>k'" using rbt_lookup_keys RBT_SORTED by auto
   200     qed
   201     
   202     have DOM_T2: "!!k'. k'\<in>dom (rbt_lookup t2) \<Longrightarrow> k<k'"
   203     proof -
   204       fix k'
   205       from RBT_SORTED have "k \<guillemotleft>| t2" by simp
   206       with rbt_greater_prop have "\<forall>k'\<in>set (keys t2). k<k'" by auto
   207       moreover assume "k'\<in>dom (rbt_lookup t2)"
   208       ultimately show "k<k'" using rbt_lookup_keys RBT_SORTED by auto
   209     qed
   210     
   211     {
   212       assume C: "x<k"
   213       hence "rbt_lookup (Branch c t1 k v t2) x = rbt_lookup t1 x" by simp
   214       moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
   215       moreover have "x \<notin> dom (rbt_lookup t2)"
   216       proof
   217         assume "x \<in> dom (rbt_lookup t2)"
   218         with DOM_T2 have "k<x" by blast
   219         with C show False by simp
   220       qed
   221       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   222     } moreover {
   223       assume [simp]: "x=k"
   224       hence "rbt_lookup (Branch c t1 k v t2) x = [k \<mapsto> v] x" by simp
   225       moreover have "x \<notin> dom (rbt_lookup t1)" 
   226       proof
   227         assume "x \<in> dom (rbt_lookup t1)"
   228         with DOM_T1 have "k>x" by blast
   229         thus False by simp
   230       qed
   231       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   232     } moreover {
   233       assume C: "x>k"
   234       hence "rbt_lookup (Branch c t1 k v t2) x = rbt_lookup t2 x" by (simp add: less_not_sym[of k x])
   235       moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
   236       moreover have "x\<notin>dom (rbt_lookup t1)" proof
   237         assume "x\<in>dom (rbt_lookup t1)"
   238         with DOM_T1 have "k>x" by simp
   239         with C show False by simp
   240       qed
   241       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   242     } ultimately show ?thesis using less_linear by blast
   243   qed
   244   also from Branch 
   245   have "rbt_lookup t2 ++ [k \<mapsto> v] ++ rbt_lookup t1 = map_of (entries (Branch c t1 k v t2))" by simp
   246   finally show ?case by simp
   247 qed
   248 
   249 lemma rbt_lookup_in_tree: "rbt_sorted t \<Longrightarrow> rbt_lookup t k = Some v \<longleftrightarrow> (k, v) \<in> set (entries t)"
   250   by (simp add: map_of_entries [symmetric] distinct_entries)
   251 
   252 lemma set_entries_inject:
   253   assumes rbt_sorted: "rbt_sorted t1" "rbt_sorted t2" 
   254   shows "set (entries t1) = set (entries t2) \<longleftrightarrow> entries t1 = entries t2"
   255 proof -
   256   from rbt_sorted have "distinct (map fst (entries t1))"
   257     "distinct (map fst (entries t2))"
   258     by (auto intro: distinct_entries)
   259   with rbt_sorted show ?thesis
   260     by (auto intro: map_sorted_distinct_set_unique rbt_sorted_entries simp add: distinct_map)
   261 qed
   262 
   263 lemma entries_eqI:
   264   assumes rbt_sorted: "rbt_sorted t1" "rbt_sorted t2" 
   265   assumes rbt_lookup: "rbt_lookup t1 = rbt_lookup t2"
   266   shows "entries t1 = entries t2"
   267 proof -
   268   from rbt_sorted rbt_lookup have "map_of (entries t1) = map_of (entries t2)"
   269     by (simp add: map_of_entries)
   270   with rbt_sorted have "set (entries t1) = set (entries t2)"
   271     by (simp add: map_of_inject_set distinct_entries)
   272   with rbt_sorted show ?thesis by (simp add: set_entries_inject)
   273 qed
   274 
   275 lemma entries_rbt_lookup:
   276   assumes "rbt_sorted t1" "rbt_sorted t2" 
   277   shows "entries t1 = entries t2 \<longleftrightarrow> rbt_lookup t1 = rbt_lookup t2"
   278   using assms by (auto intro: entries_eqI simp add: map_of_entries [symmetric])
   279 
   280 lemma rbt_lookup_from_in_tree: 
   281   assumes "rbt_sorted t1" "rbt_sorted t2" 
   282   and "\<And>v. (k, v) \<in> set (entries t1) \<longleftrightarrow> (k, v) \<in> set (entries t2)" 
   283   shows "rbt_lookup t1 k = rbt_lookup t2 k"
   284 proof -
   285   from assms have "k \<in> dom (rbt_lookup t1) \<longleftrightarrow> k \<in> dom (rbt_lookup t2)"
   286     by (simp add: keys_entries rbt_lookup_keys)
   287   with assms show ?thesis by (auto simp add: rbt_lookup_in_tree [symmetric])
   288 qed
   289 
   290 end
   291 
   292 subsubsection {* Red-black properties *}
   293 
   294 primrec color_of :: "('a, 'b) rbt \<Rightarrow> color"
   295 where
   296   "color_of Empty = B"
   297 | "color_of (Branch c _ _ _ _) = c"
   298 
   299 primrec bheight :: "('a,'b) rbt \<Rightarrow> nat"
   300 where
   301   "bheight Empty = 0"
   302 | "bheight (Branch c lt k v rt) = (if c = B then Suc (bheight lt) else bheight lt)"
   303 
   304 primrec inv1 :: "('a, 'b) rbt \<Rightarrow> bool"
   305 where
   306   "inv1 Empty = True"
   307 | "inv1 (Branch c lt k v rt) \<longleftrightarrow> inv1 lt \<and> inv1 rt \<and> (c = B \<or> color_of lt = B \<and> color_of rt = B)"
   308 
   309 primrec inv1l :: "('a, 'b) rbt \<Rightarrow> bool" -- {* Weaker version *}
   310 where
   311   "inv1l Empty = True"
   312 | "inv1l (Branch c l k v r) = (inv1 l \<and> inv1 r)"
   313 lemma [simp]: "inv1 t \<Longrightarrow> inv1l t" by (cases t) simp+
   314 
   315 primrec inv2 :: "('a, 'b) rbt \<Rightarrow> bool"
   316 where
   317   "inv2 Empty = True"
   318 | "inv2 (Branch c lt k v rt) = (inv2 lt \<and> inv2 rt \<and> bheight lt = bheight rt)"
   319 
   320 context ord begin
   321 
   322 definition is_rbt :: "('a, 'b) rbt \<Rightarrow> bool" where
   323   "is_rbt t \<longleftrightarrow> inv1 t \<and> inv2 t \<and> color_of t = B \<and> rbt_sorted t"
   324 
   325 lemma is_rbt_rbt_sorted [simp]:
   326   "is_rbt t \<Longrightarrow> rbt_sorted t" by (simp add: is_rbt_def)
   327 
   328 theorem Empty_is_rbt [simp]:
   329   "is_rbt Empty" by (simp add: is_rbt_def)
   330 
   331 end
   332 
   333 subsection {* Insertion *}
   334 
   335 fun (* slow, due to massive case splitting *)
   336   balance :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   337 where
   338   "balance (Branch R a w x b) s t (Branch R c y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   339   "balance (Branch R (Branch R a w x b) s t c) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   340   "balance (Branch R a w x (Branch R b s t c)) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   341   "balance a w x (Branch R b s t (Branch R c y z d)) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   342   "balance a w x (Branch R (Branch R b s t c) y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   343   "balance a s t b = Branch B a s t b"
   344 
   345 lemma balance_inv1: "\<lbrakk>inv1l l; inv1l r\<rbrakk> \<Longrightarrow> inv1 (balance l k v r)" 
   346   by (induct l k v r rule: balance.induct) auto
   347 
   348 lemma balance_bheight: "bheight l = bheight r \<Longrightarrow> bheight (balance l k v r) = Suc (bheight l)"
   349   by (induct l k v r rule: balance.induct) auto
   350 
   351 lemma balance_inv2: 
   352   assumes "inv2 l" "inv2 r" "bheight l = bheight r"
   353   shows "inv2 (balance l k v r)"
   354   using assms
   355   by (induct l k v r rule: balance.induct) auto
   356 
   357 context ord begin
   358 
   359 lemma balance_rbt_greater[simp]: "(v \<guillemotleft>| balance a k x b) = (v \<guillemotleft>| a \<and> v \<guillemotleft>| b \<and> v < k)" 
   360   by (induct a k x b rule: balance.induct) auto
   361 
   362 lemma balance_rbt_less[simp]: "(balance a k x b |\<guillemotleft> v) = (a |\<guillemotleft> v \<and> b |\<guillemotleft> v \<and> k < v)"
   363   by (induct a k x b rule: balance.induct) auto
   364 
   365 end
   366 
   367 lemma (in linorder) balance_rbt_sorted: 
   368   fixes k :: "'a"
   369   assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   370   shows "rbt_sorted (balance l k v r)"
   371 using assms proof (induct l k v r rule: balance.induct)
   372   case ("2_2" a x w b y t c z s va vb vd vc)
   373   hence "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" 
   374     by (auto simp add: rbt_ord_props)
   375   hence "y \<guillemotleft>| (Branch B va vb vd vc)" by (blast dest: rbt_greater_trans)
   376   with "2_2" show ?case by simp
   377 next
   378   case ("3_2" va vb vd vc x w b y s c z)
   379   from "3_2" have "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" 
   380     by simp
   381   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   382   with "3_2" show ?case by simp
   383 next
   384   case ("3_3" x w b y s c z t va vb vd vc)
   385   from "3_3" have "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" by simp
   386   hence "y \<guillemotleft>| Branch B va vb vd vc" by (blast dest: rbt_greater_trans)
   387   with "3_3" show ?case by simp
   388 next
   389   case ("3_4" vd ve vg vf x w b y s c z t va vb vii vc)
   390   hence "x < y \<and> Branch B vd ve vg vf |\<guillemotleft> x" by simp
   391   hence 1: "Branch B vd ve vg vf |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   392   from "3_4" have "y < z \<and> z \<guillemotleft>| Branch B va vb vii vc" by simp
   393   hence "y \<guillemotleft>| Branch B va vb vii vc" by (blast dest: rbt_greater_trans)
   394   with 1 "3_4" show ?case by simp
   395 next
   396   case ("4_2" va vb vd vc x w b y s c z t dd)
   397   hence "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" by simp
   398   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   399   with "4_2" show ?case by simp
   400 next
   401   case ("5_2" x w b y s c z t va vb vd vc)
   402   hence "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" by simp
   403   hence "y \<guillemotleft>| Branch B va vb vd vc" by (blast dest: rbt_greater_trans)
   404   with "5_2" show ?case by simp
   405 next
   406   case ("5_3" va vb vd vc x w b y s c z t)
   407   hence "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" by simp
   408   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   409   with "5_3" show ?case by simp
   410 next
   411   case ("5_4" va vb vg vc x w b y s c z t vd ve vii vf)
   412   hence "x < y \<and> Branch B va vb vg vc |\<guillemotleft> x" by simp
   413   hence 1: "Branch B va vb vg vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   414   from "5_4" have "y < z \<and> z \<guillemotleft>| Branch B vd ve vii vf" by simp
   415   hence "y \<guillemotleft>| Branch B vd ve vii vf" by (blast dest: rbt_greater_trans)
   416   with 1 "5_4" show ?case by simp
   417 qed simp+
   418 
   419 lemma entries_balance [simp]:
   420   "entries (balance l k v r) = entries l @ (k, v) # entries r"
   421   by (induct l k v r rule: balance.induct) auto
   422 
   423 lemma keys_balance [simp]: 
   424   "keys (balance l k v r) = keys l @ k # keys r"
   425   by (simp add: keys_def)
   426 
   427 lemma balance_in_tree:  
   428   "entry_in_tree k x (balance l v y r) \<longleftrightarrow> entry_in_tree k x l \<or> k = v \<and> x = y \<or> entry_in_tree k x r"
   429   by (auto simp add: keys_def)
   430 
   431 lemma (in linorder) rbt_lookup_balance[simp]: 
   432 fixes k :: "'a"
   433 assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   434 shows "rbt_lookup (balance l k v r) x = rbt_lookup (Branch B l k v r) x"
   435 by (rule rbt_lookup_from_in_tree) (auto simp:assms balance_in_tree balance_rbt_sorted)
   436 
   437 primrec paint :: "color \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   438 where
   439   "paint c Empty = Empty"
   440 | "paint c (Branch _ l k v r) = Branch c l k v r"
   441 
   442 lemma paint_inv1l[simp]: "inv1l t \<Longrightarrow> inv1l (paint c t)" by (cases t) auto
   443 lemma paint_inv1[simp]: "inv1l t \<Longrightarrow> inv1 (paint B t)" by (cases t) auto
   444 lemma paint_inv2[simp]: "inv2 t \<Longrightarrow> inv2 (paint c t)" by (cases t) auto
   445 lemma paint_color_of[simp]: "color_of (paint B t) = B" by (cases t) auto
   446 lemma paint_in_tree[simp]: "entry_in_tree k x (paint c t) = entry_in_tree k x t" by (cases t) auto
   447 
   448 context ord begin
   449 
   450 lemma paint_rbt_sorted[simp]: "rbt_sorted t \<Longrightarrow> rbt_sorted (paint c t)" by (cases t) auto
   451 lemma paint_rbt_lookup[simp]: "rbt_lookup (paint c t) = rbt_lookup t" by (rule ext) (cases t, auto)
   452 lemma paint_rbt_greater[simp]: "(v \<guillemotleft>| paint c t) = (v \<guillemotleft>| t)" by (cases t) auto
   453 lemma paint_rbt_less[simp]: "(paint c t |\<guillemotleft> v) = (t |\<guillemotleft> v)" by (cases t) auto
   454 
   455 fun
   456   rbt_ins :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   457 where
   458   "rbt_ins f k v Empty = Branch R Empty k v Empty" |
   459   "rbt_ins f k v (Branch B l x y r) = (if k < x then balance (rbt_ins f k v l) x y r
   460                                        else if k > x then balance l x y (rbt_ins f k v r)
   461                                        else Branch B l x (f k y v) r)" |
   462   "rbt_ins f k v (Branch R l x y r) = (if k < x then Branch R (rbt_ins f k v l) x y r
   463                                        else if k > x then Branch R l x y (rbt_ins f k v r)
   464                                        else Branch R l x (f k y v) r)"
   465 
   466 lemma ins_inv1_inv2: 
   467   assumes "inv1 t" "inv2 t"
   468   shows "inv2 (rbt_ins f k x t)" "bheight (rbt_ins f k x t) = bheight t" 
   469   "color_of t = B \<Longrightarrow> inv1 (rbt_ins f k x t)" "inv1l (rbt_ins f k x t)"
   470   using assms
   471   by (induct f k x t rule: rbt_ins.induct) (auto simp: balance_inv1 balance_inv2 balance_bheight)
   472 
   473 end
   474 
   475 context linorder begin
   476 
   477 lemma ins_rbt_greater[simp]: "(v \<guillemotleft>| rbt_ins f (k :: 'a) x t) = (v \<guillemotleft>| t \<and> k > v)"
   478   by (induct f k x t rule: rbt_ins.induct) auto
   479 lemma ins_rbt_less[simp]: "(rbt_ins f k x t |\<guillemotleft> v) = (t |\<guillemotleft> v \<and> k < v)"
   480   by (induct f k x t rule: rbt_ins.induct) auto
   481 lemma ins_rbt_sorted[simp]: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_ins f k x t)"
   482   by (induct f k x t rule: rbt_ins.induct) (auto simp: balance_rbt_sorted)
   483 
   484 lemma keys_ins: "set (keys (rbt_ins f k v t)) = { k } \<union> set (keys t)"
   485   by (induct f k v t rule: rbt_ins.induct) auto
   486 
   487 lemma rbt_lookup_ins: 
   488   fixes k :: "'a"
   489   assumes "rbt_sorted t"
   490   shows "rbt_lookup (rbt_ins f k v t) x = ((rbt_lookup t)(k |-> case rbt_lookup t k of None \<Rightarrow> v 
   491                                                                 | Some w \<Rightarrow> f k w v)) x"
   492 using assms by (induct f k v t rule: rbt_ins.induct) auto
   493 
   494 end
   495 
   496 context ord begin
   497 
   498 definition rbt_insert_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   499 where "rbt_insert_with_key f k v t = paint B (rbt_ins f k v t)"
   500 
   501 definition rbt_insertw_def: "rbt_insert_with f = rbt_insert_with_key (\<lambda>_. f)"
   502 
   503 definition rbt_insert :: "'a \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt" where
   504   "rbt_insert = rbt_insert_with_key (\<lambda>_ _ nv. nv)"
   505 
   506 end
   507 
   508 context linorder begin
   509 
   510 lemma rbt_insertwk_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert_with_key f (k :: 'a) x t)"
   511   by (auto simp: rbt_insert_with_key_def)
   512 
   513 theorem rbt_insertwk_is_rbt: 
   514   assumes inv: "is_rbt t" 
   515   shows "is_rbt (rbt_insert_with_key f k x t)"
   516 using assms
   517 unfolding rbt_insert_with_key_def is_rbt_def
   518 by (auto simp: ins_inv1_inv2)
   519 
   520 lemma rbt_lookup_rbt_insertwk: 
   521   assumes "rbt_sorted t"
   522   shows "rbt_lookup (rbt_insert_with_key f k v t) x = ((rbt_lookup t)(k |-> case rbt_lookup t k of None \<Rightarrow> v 
   523                                                        | Some w \<Rightarrow> f k w v)) x"
   524 unfolding rbt_insert_with_key_def using assms
   525 by (simp add:rbt_lookup_ins)
   526 
   527 lemma rbt_insertw_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert_with f k v t)" 
   528   by (simp add: rbt_insertwk_rbt_sorted rbt_insertw_def)
   529 theorem rbt_insertw_is_rbt: "is_rbt t \<Longrightarrow> is_rbt (rbt_insert_with f k v t)"
   530   by (simp add: rbt_insertwk_is_rbt rbt_insertw_def)
   531 
   532 lemma rbt_lookup_rbt_insertw:
   533   assumes "is_rbt t"
   534   shows "rbt_lookup (rbt_insert_with f k v t) = (rbt_lookup t)(k \<mapsto> (if k:dom (rbt_lookup t) then f (the (rbt_lookup t k)) v else v))"
   535 using assms
   536 unfolding rbt_insertw_def
   537 by (rule_tac ext) (cases "rbt_lookup t k", auto simp:rbt_lookup_rbt_insertwk dom_def)
   538 
   539 lemma rbt_insert_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert k v t)"
   540   by (simp add: rbt_insertwk_rbt_sorted rbt_insert_def)
   541 theorem rbt_insert_is_rbt [simp]: "is_rbt t \<Longrightarrow> is_rbt (rbt_insert k v t)"
   542   by (simp add: rbt_insertwk_is_rbt rbt_insert_def)
   543 
   544 lemma rbt_lookup_rbt_insert: 
   545   assumes "is_rbt t"
   546   shows "rbt_lookup (rbt_insert k v t) = (rbt_lookup t)(k\<mapsto>v)"
   547 unfolding rbt_insert_def
   548 using assms
   549 by (rule_tac ext) (simp add: rbt_lookup_rbt_insertwk split:option.split)
   550 
   551 end
   552 
   553 subsection {* Deletion *}
   554 
   555 lemma bheight_paintR'[simp]: "color_of t = B \<Longrightarrow> bheight (paint R t) = bheight t - 1"
   556 by (cases t rule: rbt_cases) auto
   557 
   558 fun
   559   balance_left :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   560 where
   561   "balance_left (Branch R a k x b) s y c = Branch R (Branch B a k x b) s y c" |
   562   "balance_left bl k x (Branch B a s y b) = balance bl k x (Branch R a s y b)" |
   563   "balance_left bl k x (Branch R (Branch B a s y b) t z c) = Branch R (Branch B bl k x a) s y (balance b t z (paint R c))" |
   564   "balance_left t k x s = Empty"
   565 
   566 lemma balance_left_inv2_with_inv1:
   567   assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "inv1 rt"
   568   shows "bheight (balance_left lt k v rt) = bheight lt + 1"
   569   and   "inv2 (balance_left lt k v rt)"
   570 using assms 
   571 by (induct lt k v rt rule: balance_left.induct) (auto simp: balance_inv2 balance_bheight)
   572 
   573 lemma balance_left_inv2_app: 
   574   assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "color_of rt = B"
   575   shows "inv2 (balance_left lt k v rt)" 
   576         "bheight (balance_left lt k v rt) = bheight rt"
   577 using assms 
   578 by (induct lt k v rt rule: balance_left.induct) (auto simp add: balance_inv2 balance_bheight)+ 
   579 
   580 lemma balance_left_inv1: "\<lbrakk>inv1l a; inv1 b; color_of b = B\<rbrakk> \<Longrightarrow> inv1 (balance_left a k x b)"
   581   by (induct a k x b rule: balance_left.induct) (simp add: balance_inv1)+
   582 
   583 lemma balance_left_inv1l: "\<lbrakk> inv1l lt; inv1 rt \<rbrakk> \<Longrightarrow> inv1l (balance_left lt k x rt)"
   584 by (induct lt k x rt rule: balance_left.induct) (auto simp: balance_inv1)
   585 
   586 lemma (in linorder) balance_left_rbt_sorted: 
   587   "\<lbrakk> rbt_sorted l; rbt_sorted r; rbt_less k l; k \<guillemotleft>| r \<rbrakk> \<Longrightarrow> rbt_sorted (balance_left l k v r)"
   588 apply (induct l k v r rule: balance_left.induct)
   589 apply (auto simp: balance_rbt_sorted)
   590 apply (unfold rbt_greater_prop rbt_less_prop)
   591 by force+
   592 
   593 context order begin
   594 
   595 lemma balance_left_rbt_greater: 
   596   fixes k :: "'a"
   597   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   598   shows "k \<guillemotleft>| balance_left a x t b"
   599 using assms 
   600 by (induct a x t b rule: balance_left.induct) auto
   601 
   602 lemma balance_left_rbt_less: 
   603   fixes k :: "'a"
   604   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   605   shows "balance_left a x t b |\<guillemotleft> k"
   606 using assms
   607 by (induct a x t b rule: balance_left.induct) auto
   608 
   609 end
   610 
   611 lemma balance_left_in_tree: 
   612   assumes "inv1l l" "inv1 r" "bheight l + 1 = bheight r"
   613   shows "entry_in_tree k v (balance_left l a b r) = (entry_in_tree k v l \<or> k = a \<and> v = b \<or> entry_in_tree k v r)"
   614 using assms 
   615 by (induct l k v r rule: balance_left.induct) (auto simp: balance_in_tree)
   616 
   617 fun
   618   balance_right :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   619 where
   620   "balance_right a k x (Branch R b s y c) = Branch R a k x (Branch B b s y c)" |
   621   "balance_right (Branch B a k x b) s y bl = balance (Branch R a k x b) s y bl" |
   622   "balance_right (Branch R a k x (Branch B b s y c)) t z bl = Branch R (balance (paint R a) k x b) s y (Branch B c t z bl)" |
   623   "balance_right t k x s = Empty"
   624 
   625 lemma balance_right_inv2_with_inv1:
   626   assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt + 1" "inv1 lt"
   627   shows "inv2 (balance_right lt k v rt) \<and> bheight (balance_right lt k v rt) = bheight lt"
   628 using assms
   629 by (induct lt k v rt rule: balance_right.induct) (auto simp: balance_inv2 balance_bheight)
   630 
   631 lemma balance_right_inv1: "\<lbrakk>inv1 a; inv1l b; color_of a = B\<rbrakk> \<Longrightarrow> inv1 (balance_right a k x b)"
   632 by (induct a k x b rule: balance_right.induct) (simp add: balance_inv1)+
   633 
   634 lemma balance_right_inv1l: "\<lbrakk> inv1 lt; inv1l rt \<rbrakk> \<Longrightarrow>inv1l (balance_right lt k x rt)"
   635 by (induct lt k x rt rule: balance_right.induct) (auto simp: balance_inv1)
   636 
   637 lemma (in linorder) balance_right_rbt_sorted:
   638   "\<lbrakk> rbt_sorted l; rbt_sorted r; rbt_less k l; k \<guillemotleft>| r \<rbrakk> \<Longrightarrow> rbt_sorted (balance_right l k v r)"
   639 apply (induct l k v r rule: balance_right.induct)
   640 apply (auto simp:balance_rbt_sorted)
   641 apply (unfold rbt_less_prop rbt_greater_prop)
   642 by force+
   643 
   644 context order begin
   645 
   646 lemma balance_right_rbt_greater: 
   647   fixes k :: "'a"
   648   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   649   shows "k \<guillemotleft>| balance_right a x t b"
   650 using assms by (induct a x t b rule: balance_right.induct) auto
   651 
   652 lemma balance_right_rbt_less: 
   653   fixes k :: "'a"
   654   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   655   shows "balance_right a x t b |\<guillemotleft> k"
   656 using assms by (induct a x t b rule: balance_right.induct) auto
   657 
   658 end
   659 
   660 lemma balance_right_in_tree:
   661   assumes "inv1 l" "inv1l r" "bheight l = bheight r + 1" "inv2 l" "inv2 r"
   662   shows "entry_in_tree x y (balance_right l k v r) = (entry_in_tree x y l \<or> x = k \<and> y = v \<or> entry_in_tree x y r)"
   663 using assms by (induct l k v r rule: balance_right.induct) (auto simp: balance_in_tree)
   664 
   665 fun
   666   combine :: "('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   667 where
   668   "combine Empty x = x" 
   669 | "combine x Empty = x" 
   670 | "combine (Branch R a k x b) (Branch R c s y d) = (case (combine b c) of
   671                                     Branch R b2 t z c2 \<Rightarrow> (Branch R (Branch R a k x b2) t z (Branch R c2 s y d)) |
   672                                     bc \<Rightarrow> Branch R a k x (Branch R bc s y d))" 
   673 | "combine (Branch B a k x b) (Branch B c s y d) = (case (combine b c) of
   674                                     Branch R b2 t z c2 \<Rightarrow> Branch R (Branch B a k x b2) t z (Branch B c2 s y d) |
   675                                     bc \<Rightarrow> balance_left a k x (Branch B bc s y d))" 
   676 | "combine a (Branch R b k x c) = Branch R (combine a b) k x c" 
   677 | "combine (Branch R a k x b) c = Branch R a k x (combine b c)" 
   678 
   679 lemma combine_inv2:
   680   assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt"
   681   shows "bheight (combine lt rt) = bheight lt" "inv2 (combine lt rt)"
   682 using assms 
   683 by (induct lt rt rule: combine.induct) 
   684    (auto simp: balance_left_inv2_app split: rbt.splits color.splits)
   685 
   686 lemma combine_inv1: 
   687   assumes "inv1 lt" "inv1 rt"
   688   shows "color_of lt = B \<Longrightarrow> color_of rt = B \<Longrightarrow> inv1 (combine lt rt)"
   689          "inv1l (combine lt rt)"
   690 using assms 
   691 by (induct lt rt rule: combine.induct)
   692    (auto simp: balance_left_inv1 split: rbt.splits color.splits)
   693 
   694 context linorder begin
   695 
   696 lemma combine_rbt_greater[simp]: 
   697   fixes k :: "'a"
   698   assumes "k \<guillemotleft>| l" "k \<guillemotleft>| r" 
   699   shows "k \<guillemotleft>| combine l r"
   700 using assms 
   701 by (induct l r rule: combine.induct)
   702    (auto simp: balance_left_rbt_greater split:rbt.splits color.splits)
   703 
   704 lemma combine_rbt_less[simp]: 
   705   fixes k :: "'a"
   706   assumes "l |\<guillemotleft> k" "r |\<guillemotleft> k" 
   707   shows "combine l r |\<guillemotleft> k"
   708 using assms 
   709 by (induct l r rule: combine.induct)
   710    (auto simp: balance_left_rbt_less split:rbt.splits color.splits)
   711 
   712 lemma combine_rbt_sorted: 
   713   fixes k :: "'a"
   714   assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   715   shows "rbt_sorted (combine l r)"
   716 using assms proof (induct l r rule: combine.induct)
   717   case (3 a x v b c y w d)
   718   hence ineqs: "a |\<guillemotleft> x" "x \<guillemotleft>| b" "b |\<guillemotleft> k" "k \<guillemotleft>| c" "c |\<guillemotleft> y" "y \<guillemotleft>| d"
   719     by auto
   720   with 3
   721   show ?case
   722     by (cases "combine b c" rule: rbt_cases)
   723       (auto, (metis combine_rbt_greater combine_rbt_less ineqs ineqs rbt_less_simps(2) rbt_greater_simps(2) rbt_greater_trans rbt_less_trans)+)
   724 next
   725   case (4 a x v b c y w d)
   726   hence "x < k \<and> rbt_greater k c" by simp
   727   hence "rbt_greater x c" by (blast dest: rbt_greater_trans)
   728   with 4 have 2: "rbt_greater x (combine b c)" by (simp add: combine_rbt_greater)
   729   from 4 have "k < y \<and> rbt_less k b" by simp
   730   hence "rbt_less y b" by (blast dest: rbt_less_trans)
   731   with 4 have 3: "rbt_less y (combine b c)" by (simp add: combine_rbt_less)
   732   show ?case
   733   proof (cases "combine b c" rule: rbt_cases)
   734     case Empty
   735     from 4 have "x < y \<and> rbt_greater y d" by auto
   736     hence "rbt_greater x d" by (blast dest: rbt_greater_trans)
   737     with 4 Empty have "rbt_sorted a" and "rbt_sorted (Branch B Empty y w d)"
   738       and "rbt_less x a" and "rbt_greater x (Branch B Empty y w d)" by auto
   739     with Empty show ?thesis by (simp add: balance_left_rbt_sorted)
   740   next
   741     case (Red lta va ka rta)
   742     with 2 4 have "x < va \<and> rbt_less x a" by simp
   743     hence 5: "rbt_less va a" by (blast dest: rbt_less_trans)
   744     from Red 3 4 have "va < y \<and> rbt_greater y d" by simp
   745     hence "rbt_greater va d" by (blast dest: rbt_greater_trans)
   746     with Red 2 3 4 5 show ?thesis by simp
   747   next
   748     case (Black lta va ka rta)
   749     from 4 have "x < y \<and> rbt_greater y d" by auto
   750     hence "rbt_greater x d" by (blast dest: rbt_greater_trans)
   751     with Black 2 3 4 have "rbt_sorted a" and "rbt_sorted (Branch B (combine b c) y w d)" 
   752       and "rbt_less x a" and "rbt_greater x (Branch B (combine b c) y w d)" by auto
   753     with Black show ?thesis by (simp add: balance_left_rbt_sorted)
   754   qed
   755 next
   756   case (5 va vb vd vc b x w c)
   757   hence "k < x \<and> rbt_less k (Branch B va vb vd vc)" by simp
   758   hence "rbt_less x (Branch B va vb vd vc)" by (blast dest: rbt_less_trans)
   759   with 5 show ?case by (simp add: combine_rbt_less)
   760 next
   761   case (6 a x v b va vb vd vc)
   762   hence "x < k \<and> rbt_greater k (Branch B va vb vd vc)" by simp
   763   hence "rbt_greater x (Branch B va vb vd vc)" by (blast dest: rbt_greater_trans)
   764   with 6 show ?case by (simp add: combine_rbt_greater)
   765 qed simp+
   766 
   767 end
   768 
   769 lemma combine_in_tree: 
   770   assumes "inv2 l" "inv2 r" "bheight l = bheight r" "inv1 l" "inv1 r"
   771   shows "entry_in_tree k v (combine l r) = (entry_in_tree k v l \<or> entry_in_tree k v r)"
   772 using assms 
   773 proof (induct l r rule: combine.induct)
   774   case (4 _ _ _ b c)
   775   hence a: "bheight (combine b c) = bheight b" by (simp add: combine_inv2)
   776   from 4 have b: "inv1l (combine b c)" by (simp add: combine_inv1)
   777 
   778   show ?case
   779   proof (cases "combine b c" rule: rbt_cases)
   780     case Empty
   781     with 4 a show ?thesis by (auto simp: balance_left_in_tree)
   782   next
   783     case (Red lta ka va rta)
   784     with 4 show ?thesis by auto
   785   next
   786     case (Black lta ka va rta)
   787     with a b 4  show ?thesis by (auto simp: balance_left_in_tree)
   788   qed 
   789 qed (auto split: rbt.splits color.splits)
   790 
   791 context ord begin
   792 
   793 fun
   794   rbt_del_from_left :: "'a \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   795   rbt_del_from_right :: "'a \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   796   rbt_del :: "'a\<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   797 where
   798   "rbt_del x Empty = Empty" |
   799   "rbt_del x (Branch c a y s b) = 
   800    (if x < y then rbt_del_from_left x a y s b 
   801     else (if x > y then rbt_del_from_right x a y s b else combine a b))" |
   802   "rbt_del_from_left x (Branch B lt z v rt) y s b = balance_left (rbt_del x (Branch B lt z v rt)) y s b" |
   803   "rbt_del_from_left x a y s b = Branch R (rbt_del x a) y s b" |
   804   "rbt_del_from_right x a y s (Branch B lt z v rt) = balance_right a y s (rbt_del x (Branch B lt z v rt))" | 
   805   "rbt_del_from_right x a y s b = Branch R a y s (rbt_del x b)"
   806 
   807 end
   808 
   809 context linorder begin
   810 
   811 lemma 
   812   assumes "inv2 lt" "inv1 lt"
   813   shows
   814   "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
   815    inv2 (rbt_del_from_left x lt k v rt) \<and> 
   816    bheight (rbt_del_from_left x lt k v rt) = bheight lt \<and> 
   817    (color_of lt = B \<and> color_of rt = B \<and> inv1 (rbt_del_from_left x lt k v rt) \<or> 
   818     (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (rbt_del_from_left x lt k v rt))"
   819   and "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
   820   inv2 (rbt_del_from_right x lt k v rt) \<and> 
   821   bheight (rbt_del_from_right x lt k v rt) = bheight lt \<and> 
   822   (color_of lt = B \<and> color_of rt = B \<and> inv1 (rbt_del_from_right x lt k v rt) \<or> 
   823    (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (rbt_del_from_right x lt k v rt))"
   824   and rbt_del_inv1_inv2: "inv2 (rbt_del x lt) \<and> (color_of lt = R \<and> bheight (rbt_del x lt) = bheight lt \<and> inv1 (rbt_del x lt) 
   825   \<or> color_of lt = B \<and> bheight (rbt_del x lt) = bheight lt - 1 \<and> inv1l (rbt_del x lt))"
   826 using assms
   827 proof (induct x lt k v rt and x lt k v rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   828 case (2 y c _ y')
   829   have "y = y' \<or> y < y' \<or> y > y'" by auto
   830   thus ?case proof (elim disjE)
   831     assume "y = y'"
   832     with 2 show ?thesis by (cases c) (simp add: combine_inv2 combine_inv1)+
   833   next
   834     assume "y < y'"
   835     with 2 show ?thesis by (cases c) auto
   836   next
   837     assume "y' < y"
   838     with 2 show ?thesis by (cases c) auto
   839   qed
   840 next
   841   case (3 y lt z v rta y' ss bb) 
   842   thus ?case by (cases "color_of (Branch B lt z v rta) = B \<and> color_of bb = B") (simp add: balance_left_inv2_with_inv1 balance_left_inv1 balance_left_inv1l)+
   843 next
   844   case (5 y a y' ss lt z v rta)
   845   thus ?case by (cases "color_of a = B \<and> color_of (Branch B lt z v rta) = B") (simp add: balance_right_inv2_with_inv1 balance_right_inv1 balance_right_inv1l)+
   846 next
   847   case ("6_1" y a y' ss) thus ?case by (cases "color_of a = B \<and> color_of Empty = B") simp+
   848 qed auto
   849 
   850 lemma 
   851   rbt_del_from_left_rbt_less: "\<lbrakk> lt |\<guillemotleft> v; rt |\<guillemotleft> v; k < v\<rbrakk> \<Longrightarrow> rbt_del_from_left x lt k y rt |\<guillemotleft> v"
   852   and rbt_del_from_right_rbt_less: "\<lbrakk>lt |\<guillemotleft> v; rt |\<guillemotleft> v; k < v\<rbrakk> \<Longrightarrow> rbt_del_from_right x lt k y rt |\<guillemotleft> v"
   853   and rbt_del_rbt_less: "lt |\<guillemotleft> v \<Longrightarrow> rbt_del x lt |\<guillemotleft> v"
   854 by (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct) 
   855    (auto simp: balance_left_rbt_less balance_right_rbt_less)
   856 
   857 lemma rbt_del_from_left_rbt_greater: "\<lbrakk>v \<guillemotleft>| lt; v \<guillemotleft>| rt; k > v\<rbrakk> \<Longrightarrow> v \<guillemotleft>| rbt_del_from_left x lt k y rt"
   858   and rbt_del_from_right_rbt_greater: "\<lbrakk>v \<guillemotleft>| lt; v \<guillemotleft>| rt; k > v\<rbrakk> \<Longrightarrow> v \<guillemotleft>| rbt_del_from_right x lt k y rt"
   859   and rbt_del_rbt_greater: "v \<guillemotleft>| lt \<Longrightarrow> v \<guillemotleft>| rbt_del x lt"
   860 by (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   861    (auto simp: balance_left_rbt_greater balance_right_rbt_greater)
   862 
   863 lemma "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> k; k \<guillemotleft>| rt\<rbrakk> \<Longrightarrow> rbt_sorted (rbt_del_from_left x lt k y rt)"
   864   and "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> k; k \<guillemotleft>| rt\<rbrakk> \<Longrightarrow> rbt_sorted (rbt_del_from_right x lt k y rt)"
   865   and rbt_del_rbt_sorted: "rbt_sorted lt \<Longrightarrow> rbt_sorted (rbt_del x lt)"
   866 proof (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   867   case (3 x lta zz v rta yy ss bb)
   868   from 3 have "Branch B lta zz v rta |\<guillemotleft> yy" by simp
   869   hence "rbt_del x (Branch B lta zz v rta) |\<guillemotleft> yy" by (rule rbt_del_rbt_less)
   870   with 3 show ?case by (simp add: balance_left_rbt_sorted)
   871 next
   872   case ("4_2" x vaa vbb vdd vc yy ss bb)
   873   hence "Branch R vaa vbb vdd vc |\<guillemotleft> yy" by simp
   874   hence "rbt_del x (Branch R vaa vbb vdd vc) |\<guillemotleft> yy" by (rule rbt_del_rbt_less)
   875   with "4_2" show ?case by simp
   876 next
   877   case (5 x aa yy ss lta zz v rta) 
   878   hence "yy \<guillemotleft>| Branch B lta zz v rta" by simp
   879   hence "yy \<guillemotleft>| rbt_del x (Branch B lta zz v rta)" by (rule rbt_del_rbt_greater)
   880   with 5 show ?case by (simp add: balance_right_rbt_sorted)
   881 next
   882   case ("6_2" x aa yy ss vaa vbb vdd vc)
   883   hence "yy \<guillemotleft>| Branch R vaa vbb vdd vc" by simp
   884   hence "yy \<guillemotleft>| rbt_del x (Branch R vaa vbb vdd vc)" by (rule rbt_del_rbt_greater)
   885   with "6_2" show ?case by simp
   886 qed (auto simp: combine_rbt_sorted)
   887 
   888 lemma "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> kt; kt \<guillemotleft>| rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x < kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del_from_left x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
   889   and "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> kt; kt \<guillemotleft>| rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x > kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del_from_right x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
   890   and rbt_del_in_tree: "\<lbrakk>rbt_sorted t; inv1 t; inv2 t\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del x t) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v t))"
   891 proof (induct x lt kt y rt and x lt kt y rt and x t rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   892   case (2 xx c aa yy ss bb)
   893   have "xx = yy \<or> xx < yy \<or> xx > yy" by auto
   894   from this 2 show ?case proof (elim disjE)
   895     assume "xx = yy"
   896     with 2 show ?thesis proof (cases "xx = k")
   897       case True
   898       from 2 `xx = yy` `xx = k` have "rbt_sorted (Branch c aa yy ss bb) \<and> k = yy" by simp
   899       hence "\<not> entry_in_tree k v aa" "\<not> entry_in_tree k v bb" by (auto simp: rbt_less_nit rbt_greater_prop)
   900       with `xx = yy` 2 `xx = k` show ?thesis by (simp add: combine_in_tree)
   901     qed (simp add: combine_in_tree)
   902   qed simp+
   903 next    
   904   case (3 xx lta zz vv rta yy ss bb)
   905   def mt[simp]: mt == "Branch B lta zz vv rta"
   906   from 3 have "inv2 mt \<and> inv1 mt" by simp
   907   hence "inv2 (rbt_del xx mt) \<and> (color_of mt = R \<and> bheight (rbt_del xx mt) = bheight mt \<and> inv1 (rbt_del xx mt) \<or> color_of mt = B \<and> bheight (rbt_del xx mt) = bheight mt - 1 \<and> inv1l (rbt_del xx mt))" by (blast dest: rbt_del_inv1_inv2)
   908   with 3 have 4: "entry_in_tree k v (rbt_del_from_left xx mt yy ss bb) = (False \<or> xx \<noteq> k \<and> entry_in_tree k v mt \<or> (k = yy \<and> v = ss) \<or> entry_in_tree k v bb)" by (simp add: balance_left_in_tree)
   909   thus ?case proof (cases "xx = k")
   910     case True
   911     from 3 True have "yy \<guillemotleft>| bb \<and> yy > k" by simp
   912     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
   913     with 3 4 True show ?thesis by (auto simp: rbt_greater_nit)
   914   qed auto
   915 next
   916   case ("4_1" xx yy ss bb)
   917   show ?case proof (cases "xx = k")
   918     case True
   919     with "4_1" have "yy \<guillemotleft>| bb \<and> k < yy" by simp
   920     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
   921     with "4_1" `xx = k` 
   922    have "entry_in_tree k v (Branch R Empty yy ss bb) = entry_in_tree k v Empty" by (auto simp: rbt_greater_nit)
   923     thus ?thesis by auto
   924   qed simp+
   925 next
   926   case ("4_2" xx vaa vbb vdd vc yy ss bb)
   927   thus ?case proof (cases "xx = k")
   928     case True
   929     with "4_2" have "k < yy \<and> yy \<guillemotleft>| bb" by simp
   930     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
   931     with True "4_2" show ?thesis by (auto simp: rbt_greater_nit)
   932   qed auto
   933 next
   934   case (5 xx aa yy ss lta zz vv rta)
   935   def mt[simp]: mt == "Branch B lta zz vv rta"
   936   from 5 have "inv2 mt \<and> inv1 mt" by simp
   937   hence "inv2 (rbt_del xx mt) \<and> (color_of mt = R \<and> bheight (rbt_del xx mt) = bheight mt \<and> inv1 (rbt_del xx mt) \<or> color_of mt = B \<and> bheight (rbt_del xx mt) = bheight mt - 1 \<and> inv1l (rbt_del xx mt))" by (blast dest: rbt_del_inv1_inv2)
   938   with 5 have 3: "entry_in_tree k v (rbt_del_from_right xx aa yy ss mt) = (entry_in_tree k v aa \<or> (k = yy \<and> v = ss) \<or> False \<or> xx \<noteq> k \<and> entry_in_tree k v mt)" by (simp add: balance_right_in_tree)
   939   thus ?case proof (cases "xx = k")
   940     case True
   941     from 5 True have "aa |\<guillemotleft> yy \<and> yy < k" by simp
   942     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
   943     with 3 5 True show ?thesis by (auto simp: rbt_less_nit)
   944   qed auto
   945 next
   946   case ("6_1" xx aa yy ss)
   947   show ?case proof (cases "xx = k")
   948     case True
   949     with "6_1" have "aa |\<guillemotleft> yy \<and> k > yy" by simp
   950     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
   951     with "6_1" `xx = k` show ?thesis by (auto simp: rbt_less_nit)
   952   qed simp
   953 next
   954   case ("6_2" xx aa yy ss vaa vbb vdd vc)
   955   thus ?case proof (cases "xx = k")
   956     case True
   957     with "6_2" have "k > yy \<and> aa |\<guillemotleft> yy" by simp
   958     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
   959     with True "6_2" show ?thesis by (auto simp: rbt_less_nit)
   960   qed auto
   961 qed simp
   962 
   963 definition (in ord) rbt_delete where
   964   "rbt_delete k t = paint B (rbt_del k t)"
   965 
   966 theorem rbt_delete_is_rbt [simp]: assumes "is_rbt t" shows "is_rbt (rbt_delete k t)"
   967 proof -
   968   from assms have "inv2 t" and "inv1 t" unfolding is_rbt_def by auto 
   969   hence "inv2 (rbt_del k t) \<and> (color_of t = R \<and> bheight (rbt_del k t) = bheight t \<and> inv1 (rbt_del k t) \<or> color_of t = B \<and> bheight (rbt_del k t) = bheight t - 1 \<and> inv1l (rbt_del k t))" by (rule rbt_del_inv1_inv2)
   970   hence "inv2 (rbt_del k t) \<and> inv1l (rbt_del k t)" by (cases "color_of t") auto
   971   with assms show ?thesis
   972     unfolding is_rbt_def rbt_delete_def
   973     by (auto intro: paint_rbt_sorted rbt_del_rbt_sorted)
   974 qed
   975 
   976 lemma rbt_delete_in_tree: 
   977   assumes "is_rbt t" 
   978   shows "entry_in_tree k v (rbt_delete x t) = (x \<noteq> k \<and> entry_in_tree k v t)"
   979   using assms unfolding is_rbt_def rbt_delete_def
   980   by (auto simp: rbt_del_in_tree)
   981 
   982 lemma rbt_lookup_rbt_delete:
   983   assumes is_rbt: "is_rbt t"
   984   shows "rbt_lookup (rbt_delete k t) = (rbt_lookup t)|`(-{k})"
   985 proof
   986   fix x
   987   show "rbt_lookup (rbt_delete k t) x = (rbt_lookup t |` (-{k})) x" 
   988   proof (cases "x = k")
   989     assume "x = k" 
   990     with is_rbt show ?thesis
   991       by (cases "rbt_lookup (rbt_delete k t) k") (auto simp: rbt_lookup_in_tree rbt_delete_in_tree)
   992   next
   993     assume "x \<noteq> k"
   994     thus ?thesis
   995       by auto (metis is_rbt rbt_delete_is_rbt rbt_delete_in_tree is_rbt_rbt_sorted rbt_lookup_from_in_tree)
   996   qed
   997 qed
   998 
   999 end
  1000 
  1001 subsection {* Union *}
  1002 
  1003 context ord begin
  1004 
  1005 primrec rbt_union_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
  1006 where
  1007   "rbt_union_with_key f t Empty = t"
  1008 | "rbt_union_with_key f t (Branch c lt k v rt) = rbt_union_with_key f (rbt_union_with_key f (rbt_insert_with_key f k v t) lt) rt"
  1009 
  1010 definition rbt_union_with where
  1011   "rbt_union_with f = rbt_union_with_key (\<lambda>_. f)"
  1012 
  1013 definition rbt_union where
  1014   "rbt_union = rbt_union_with_key (%_ _ rv. rv)"
  1015 
  1016 end
  1017 
  1018 context linorder begin
  1019 
  1020 lemma rbt_unionwk_rbt_sorted: "rbt_sorted lt \<Longrightarrow> rbt_sorted (rbt_union_with_key f lt rt)" 
  1021   by (induct rt arbitrary: lt) (auto simp: rbt_insertwk_rbt_sorted)
  1022 theorem rbt_unionwk_is_rbt[simp]: "is_rbt lt \<Longrightarrow> is_rbt (rbt_union_with_key f lt rt)" 
  1023   by (induct rt arbitrary: lt) (simp add: rbt_insertwk_is_rbt)+
  1024 
  1025 theorem rbt_unionw_is_rbt: "is_rbt lt \<Longrightarrow> is_rbt (rbt_union_with f lt rt)" unfolding rbt_union_with_def by simp
  1026 
  1027 theorem rbt_union_is_rbt: "is_rbt lt \<Longrightarrow> is_rbt (rbt_union lt rt)" unfolding rbt_union_def by simp
  1028 
  1029 lemma (in ord) rbt_union_Branch[simp]:
  1030   "rbt_union t (Branch c lt k v rt) = rbt_union (rbt_union (rbt_insert k v t) lt) rt"
  1031   unfolding rbt_union_def rbt_insert_def
  1032   by simp
  1033 
  1034 lemma rbt_lookup_rbt_union:
  1035   assumes "is_rbt s" "rbt_sorted t"
  1036   shows "rbt_lookup (rbt_union s t) = rbt_lookup s ++ rbt_lookup t"
  1037 using assms
  1038 proof (induct t arbitrary: s)
  1039   case Empty thus ?case by (auto simp: rbt_union_def)
  1040 next
  1041   case (Branch c l k v r s)
  1042   then have "rbt_sorted r" "rbt_sorted l" "l |\<guillemotleft> k" "k \<guillemotleft>| r" by auto
  1043 
  1044   have meq: "rbt_lookup s(k \<mapsto> v) ++ rbt_lookup l ++ rbt_lookup r =
  1045     rbt_lookup s ++
  1046     (\<lambda>a. if a < k then rbt_lookup l a
  1047     else if k < a then rbt_lookup r a else Some v)" (is "?m1 = ?m2")
  1048   proof (rule ext)
  1049     fix a
  1050 
  1051    have "k < a \<or> k = a \<or> k > a" by auto
  1052     thus "?m1 a = ?m2 a"
  1053     proof (elim disjE)
  1054       assume "k < a"
  1055       with `l |\<guillemotleft> k` have "l |\<guillemotleft> a" by (rule rbt_less_trans)
  1056       with `k < a` show ?thesis
  1057         by (auto simp: map_add_def split: option.splits)
  1058     next
  1059       assume "k = a"
  1060       with `l |\<guillemotleft> k` `k \<guillemotleft>| r` 
  1061       show ?thesis by (auto simp: map_add_def)
  1062     next
  1063       assume "a < k"
  1064       from this `k \<guillemotleft>| r` have "a \<guillemotleft>| r" by (rule rbt_greater_trans)
  1065       with `a < k` show ?thesis
  1066         by (auto simp: map_add_def split: option.splits)
  1067     qed
  1068   qed
  1069 
  1070   from Branch have is_rbt: "is_rbt (rbt_union (rbt_insert k v s) l)"
  1071     by (auto intro: rbt_union_is_rbt rbt_insert_is_rbt)
  1072   with Branch have IHs:
  1073     "rbt_lookup (rbt_union (rbt_union (rbt_insert k v s) l) r) = rbt_lookup (rbt_union (rbt_insert k v s) l) ++ rbt_lookup r"
  1074     "rbt_lookup (rbt_union (rbt_insert k v s) l) = rbt_lookup (rbt_insert k v s) ++ rbt_lookup l"
  1075     by auto
  1076   
  1077   with meq show ?case
  1078     by (auto simp: rbt_lookup_rbt_insert[OF Branch(3)])
  1079 
  1080 qed
  1081 
  1082 end
  1083 
  1084 subsection {* Modifying existing entries *}
  1085 
  1086 context ord begin
  1087 
  1088 primrec
  1089   rbt_map_entry :: "'a \<Rightarrow> ('b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
  1090 where
  1091   "rbt_map_entry k f Empty = Empty"
  1092 | "rbt_map_entry k f (Branch c lt x v rt) =
  1093     (if k < x then Branch c (rbt_map_entry k f lt) x v rt
  1094     else if k > x then (Branch c lt x v (rbt_map_entry k f rt))
  1095     else Branch c lt x (f v) rt)"
  1096 
  1097 
  1098 lemma rbt_map_entry_color_of: "color_of (rbt_map_entry k f t) = color_of t" by (induct t) simp+
  1099 lemma rbt_map_entry_inv1: "inv1 (rbt_map_entry k f t) = inv1 t" by (induct t) (simp add: rbt_map_entry_color_of)+
  1100 lemma rbt_map_entry_inv2: "inv2 (rbt_map_entry k f t) = inv2 t" "bheight (rbt_map_entry k f t) = bheight t" by (induct t) simp+
  1101 lemma rbt_map_entry_rbt_greater: "rbt_greater a (rbt_map_entry k f t) = rbt_greater a t" by (induct t) simp+
  1102 lemma rbt_map_entry_rbt_less: "rbt_less a (rbt_map_entry k f t) = rbt_less a t" by (induct t) simp+
  1103 lemma rbt_map_entry_rbt_sorted: "rbt_sorted (rbt_map_entry k f t) = rbt_sorted t"
  1104   by (induct t) (simp_all add: rbt_map_entry_rbt_less rbt_map_entry_rbt_greater)
  1105 
  1106 theorem rbt_map_entry_is_rbt [simp]: "is_rbt (rbt_map_entry k f t) = is_rbt t" 
  1107 unfolding is_rbt_def by (simp add: rbt_map_entry_inv2 rbt_map_entry_color_of rbt_map_entry_rbt_sorted rbt_map_entry_inv1 )
  1108 
  1109 end
  1110 
  1111 theorem (in linorder) rbt_lookup_rbt_map_entry:
  1112   "rbt_lookup (rbt_map_entry k f t) = (rbt_lookup t)(k := Option.map f (rbt_lookup t k))"
  1113   by (induct t) (auto split: option.splits simp add: fun_eq_iff)
  1114 
  1115 subsection {* Mapping all entries *}
  1116 
  1117 primrec
  1118   map :: "('a \<Rightarrow> 'b \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'c) rbt"
  1119 where
  1120   "map f Empty = Empty"
  1121 | "map f (Branch c lt k v rt) = Branch c (map f lt) k (f k v) (map f rt)"
  1122 
  1123 lemma map_entries [simp]: "entries (map f t) = List.map (\<lambda>(k, v). (k, f k v)) (entries t)"
  1124   by (induct t) auto
  1125 lemma map_keys [simp]: "keys (map f t) = keys t" by (simp add: keys_def split_def)
  1126 lemma map_color_of: "color_of (map f t) = color_of t" by (induct t) simp+
  1127 lemma map_inv1: "inv1 (map f t) = inv1 t" by (induct t) (simp add: map_color_of)+
  1128 lemma map_inv2: "inv2 (map f t) = inv2 t" "bheight (map f t) = bheight t" by (induct t) simp+
  1129 
  1130 context ord begin
  1131 
  1132 lemma map_rbt_greater: "rbt_greater k (map f t) = rbt_greater k t" by (induct t) simp+
  1133 lemma map_rbt_less: "rbt_less k (map f t) = rbt_less k t" by (induct t) simp+
  1134 lemma map_rbt_sorted: "rbt_sorted (map f t) = rbt_sorted t"  by (induct t) (simp add: map_rbt_less map_rbt_greater)+
  1135 theorem map_is_rbt [simp]: "is_rbt (map f t) = is_rbt t" 
  1136 unfolding is_rbt_def by (simp add: map_inv1 map_inv2 map_rbt_sorted map_color_of)
  1137 
  1138 end
  1139 
  1140 theorem (in linorder) rbt_lookup_map: "rbt_lookup (map f t) x = Option.map (f x) (rbt_lookup t x)"
  1141   apply(induct t)
  1142   apply auto
  1143   apply(subgoal_tac "x = a")
  1144   apply auto
  1145   done
  1146  (* FIXME: simproc "antisym less" does not work for linorder context, only for linorder type class
  1147     by (induct t) auto *)
  1148 
  1149 subsection {* Folding over entries *}
  1150 
  1151 definition fold :: "('a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c" where
  1152   "fold f t = List.fold (prod_case f) (entries t)"
  1153 
  1154 lemma fold_simps [simp, code]:
  1155   "fold f Empty = id"
  1156   "fold f (Branch c lt k v rt) = fold f rt \<circ> f k v \<circ> fold f lt"
  1157   by (simp_all add: fold_def fun_eq_iff)
  1158 
  1159 (* fold with continuation predicate *)
  1160 
  1161 fun foldi :: "('c \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a :: linorder, 'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c" 
  1162   where
  1163   "foldi c f Empty s = s" |
  1164   "foldi c f (Branch col l k v r) s = (
  1165     if (c s) then
  1166       let s' = foldi c f l s in
  1167         if (c s') then
  1168           foldi c f r (f k v s')
  1169         else s'
  1170     else 
  1171       s
  1172   )"
  1173 
  1174 subsection {* Bulkloading a tree *}
  1175 
  1176 definition (in ord) rbt_bulkload :: "('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt" where
  1177   "rbt_bulkload xs = foldr (\<lambda>(k, v). rbt_insert k v) xs Empty"
  1178 
  1179 context linorder begin
  1180 
  1181 lemma rbt_bulkload_is_rbt [simp, intro]:
  1182   "is_rbt (rbt_bulkload xs)"
  1183   unfolding rbt_bulkload_def by (induct xs) auto
  1184 
  1185 lemma rbt_lookup_rbt_bulkload:
  1186   "rbt_lookup (rbt_bulkload xs) = map_of xs"
  1187 proof -
  1188   obtain ys where "ys = rev xs" by simp
  1189   have "\<And>t. is_rbt t \<Longrightarrow>
  1190     rbt_lookup (List.fold (prod_case rbt_insert) ys t) = rbt_lookup t ++ map_of (rev ys)"
  1191       by (induct ys) (simp_all add: rbt_bulkload_def rbt_lookup_rbt_insert prod_case_beta)
  1192   from this Empty_is_rbt have
  1193     "rbt_lookup (List.fold (prod_case rbt_insert) (rev xs) Empty) = rbt_lookup Empty ++ map_of xs"
  1194      by (simp add: `ys = rev xs`)
  1195   then show ?thesis by (simp add: rbt_bulkload_def rbt_lookup_Empty foldr_conv_fold)
  1196 qed
  1197 
  1198 end
  1199 
  1200 subsection {* Code generator setup *}
  1201 
  1202 lemmas [code] =
  1203   ord.rbt_less_prop
  1204   ord.rbt_greater_prop
  1205   ord.rbt_sorted.simps
  1206   ord.rbt_lookup.simps
  1207   ord.is_rbt_def
  1208   ord.rbt_ins.simps
  1209   ord.rbt_insert_with_key_def
  1210   ord.rbt_insertw_def
  1211   ord.rbt_insert_def
  1212   ord.rbt_del_from_left.simps
  1213   ord.rbt_del_from_right.simps
  1214   ord.rbt_del.simps
  1215   ord.rbt_delete_def
  1216   ord.rbt_union_with_key.simps
  1217   ord.rbt_union_with_def
  1218   ord.rbt_union_def
  1219   ord.rbt_map_entry.simps
  1220   ord.rbt_bulkload_def
  1221 
  1222 text {* More efficient implementations for @{term entries} and @{term keys} *}
  1223 
  1224 definition gen_entries :: 
  1225   "(('a \<times> 'b) \<times> ('a, 'b) rbt) list \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a \<times> 'b) list"
  1226 where
  1227   "gen_entries kvts t = entries t @ concat (List.map (\<lambda>(kv, t). kv # entries t) kvts)"
  1228 
  1229 lemma gen_entries_simps [simp, code]:
  1230   "gen_entries [] Empty = []"
  1231   "gen_entries ((kv, t) # kvts) Empty = kv # gen_entries kvts t"
  1232   "gen_entries kvts (Branch c l k v r) = gen_entries (((k, v), r) # kvts) l"
  1233 by(simp_all add: gen_entries_def)
  1234 
  1235 lemma entries_code [code]:
  1236   "entries = gen_entries []"
  1237 by(simp add: gen_entries_def fun_eq_iff)
  1238 
  1239 definition gen_keys :: "('a \<times> ('a, 'b) rbt) list \<Rightarrow> ('a, 'b) rbt \<Rightarrow> 'a list"
  1240 where "gen_keys kts t = RBT_Impl.keys t @ concat (List.map (\<lambda>(k, t). k # keys t) kts)"
  1241 
  1242 lemma gen_keys_simps [simp, code]:
  1243   "gen_keys [] Empty = []"
  1244   "gen_keys ((k, t) # kts) Empty = k # gen_keys kts t"
  1245   "gen_keys kts (Branch c l k v r) = gen_keys ((k, r) # kts) l"
  1246 by(simp_all add: gen_keys_def)
  1247 
  1248 lemma keys_code [code]:
  1249   "keys = gen_keys []"
  1250 by(simp add: gen_keys_def fun_eq_iff)
  1251 
  1252 text {* Restore original type constraints for constants *}
  1253 setup {*
  1254   fold Sign.add_const_constraint
  1255     [(@{const_name rbt_less}, SOME @{typ "('a :: order) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"}),
  1256      (@{const_name rbt_greater}, SOME @{typ "('a :: order) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"}),
  1257      (@{const_name rbt_sorted}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> bool"}),
  1258      (@{const_name rbt_lookup}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"}),
  1259      (@{const_name is_rbt}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> bool"}),
  1260      (@{const_name rbt_ins}, SOME @{typ "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1261      (@{const_name rbt_insert_with_key}, SOME @{typ "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1262      (@{const_name rbt_insert_with}, SOME @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a :: linorder) \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1263      (@{const_name rbt_insert}, SOME @{typ "('a :: linorder) \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1264      (@{const_name rbt_del_from_left}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1265      (@{const_name rbt_del_from_right}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1266      (@{const_name rbt_del}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1267      (@{const_name rbt_delete}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1268      (@{const_name rbt_union_with_key}, SOME @{typ "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1269      (@{const_name rbt_union_with}, SOME @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a\<Colon>linorder,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1270      (@{const_name rbt_union}, SOME @{typ "('a\<Colon>linorder,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1271      (@{const_name rbt_map_entry}, SOME @{typ "'a\<Colon>linorder \<Rightarrow> ('b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  1272      (@{const_name rbt_bulkload}, SOME @{typ "('a \<times> 'b) list \<Rightarrow> ('a\<Colon>linorder,'b) rbt"})]
  1273 *}
  1274 
  1275 hide_const (open) R B Empty entries keys map fold gen_keys gen_entries
  1276 
  1277 end