src/HOL/Probability/Probability_Mass_Function.thy
author Andreas Lochbihler
Fri Nov 21 12:24:59 2014 +0100 (2014-11-21)
changeset 59024 5fcfeae84b96
parent 59023 4999a616336c
child 59048 7dc8ac6f0895
permissions -rw-r--r--
add lemma
     1 (*  Title:      HOL/Probability/Probability_Mass_Function.thy
     2     Author:     Johannes Hölzl, TU München 
     3     Author:     Andreas Lochbihler, ETH Zurich
     4 *)
     5 
     6 section \<open> Probability mass function \<close>
     7 
     8 theory Probability_Mass_Function
     9 imports
    10   Giry_Monad
    11   "~~/src/HOL/Library/Multiset"
    12 begin
    13 
    14 lemma (in finite_measure) countable_support: (* replace version in pmf *)
    15   "countable {x. measure M {x} \<noteq> 0}"
    16 proof cases
    17   assume "measure M (space M) = 0"
    18   with bounded_measure measure_le_0_iff have "{x. measure M {x} \<noteq> 0} = {}"
    19     by auto
    20   then show ?thesis
    21     by simp
    22 next
    23   let ?M = "measure M (space M)" and ?m = "\<lambda>x. measure M {x}"
    24   assume "?M \<noteq> 0"
    25   then have *: "{x. ?m x \<noteq> 0} = (\<Union>n. {x. ?M / Suc n < ?m x})"
    26     using reals_Archimedean[of "?m x / ?M" for x]
    27     by (auto simp: field_simps not_le[symmetric] measure_nonneg divide_le_0_iff measure_le_0_iff)
    28   have **: "\<And>n. finite {x. ?M / Suc n < ?m x}"
    29   proof (rule ccontr)
    30     fix n assume "infinite {x. ?M / Suc n < ?m x}" (is "infinite ?X")
    31     then obtain X where "finite X" "card X = Suc (Suc n)" "X \<subseteq> ?X"
    32       by (metis infinite_arbitrarily_large)
    33     from this(3) have *: "\<And>x. x \<in> X \<Longrightarrow> ?M / Suc n \<le> ?m x" 
    34       by auto
    35     { fix x assume "x \<in> X"
    36       from `?M \<noteq> 0` *[OF this] have "?m x \<noteq> 0" by (auto simp: field_simps measure_le_0_iff)
    37       then have "{x} \<in> sets M" by (auto dest: measure_notin_sets) }
    38     note singleton_sets = this
    39     have "?M < (\<Sum>x\<in>X. ?M / Suc n)"
    40       using `?M \<noteq> 0` 
    41       by (simp add: `card X = Suc (Suc n)` real_eq_of_nat[symmetric] real_of_nat_Suc field_simps less_le measure_nonneg)
    42     also have "\<dots> \<le> (\<Sum>x\<in>X. ?m x)"
    43       by (rule setsum_mono) fact
    44     also have "\<dots> = measure M (\<Union>x\<in>X. {x})"
    45       using singleton_sets `finite X`
    46       by (intro finite_measure_finite_Union[symmetric]) (auto simp: disjoint_family_on_def)
    47     finally have "?M < measure M (\<Union>x\<in>X. {x})" .
    48     moreover have "measure M (\<Union>x\<in>X. {x}) \<le> ?M"
    49       using singleton_sets[THEN sets.sets_into_space] by (intro finite_measure_mono) auto
    50     ultimately show False by simp
    51   qed
    52   show ?thesis
    53     unfolding * by (intro countable_UN countableI_type countable_finite[OF **])
    54 qed
    55 
    56 lemma (in finite_measure) AE_support_countable:
    57   assumes [simp]: "sets M = UNIV"
    58   shows "(AE x in M. measure M {x} \<noteq> 0) \<longleftrightarrow> (\<exists>S. countable S \<and> (AE x in M. x \<in> S))"
    59 proof
    60   assume "\<exists>S. countable S \<and> (AE x in M. x \<in> S)"
    61   then obtain S where S[intro]: "countable S" and ae: "AE x in M. x \<in> S"
    62     by auto
    63   then have "emeasure M (\<Union>x\<in>{x\<in>S. emeasure M {x} \<noteq> 0}. {x}) = 
    64     (\<integral>\<^sup>+ x. emeasure M {x} * indicator {x\<in>S. emeasure M {x} \<noteq> 0} x \<partial>count_space UNIV)"
    65     by (subst emeasure_UN_countable)
    66        (auto simp: disjoint_family_on_def nn_integral_restrict_space[symmetric] restrict_count_space)
    67   also have "\<dots> = (\<integral>\<^sup>+ x. emeasure M {x} * indicator S x \<partial>count_space UNIV)"
    68     by (auto intro!: nn_integral_cong split: split_indicator)
    69   also have "\<dots> = emeasure M (\<Union>x\<in>S. {x})"
    70     by (subst emeasure_UN_countable)
    71        (auto simp: disjoint_family_on_def nn_integral_restrict_space[symmetric] restrict_count_space)
    72   also have "\<dots> = emeasure M (space M)"
    73     using ae by (intro emeasure_eq_AE) auto
    74   finally have "emeasure M {x \<in> space M. x\<in>S \<and> emeasure M {x} \<noteq> 0} = emeasure M (space M)"
    75     by (simp add: emeasure_single_in_space cong: rev_conj_cong)
    76   with finite_measure_compl[of "{x \<in> space M. x\<in>S \<and> emeasure M {x} \<noteq> 0}"]
    77   have "AE x in M. x \<in> S \<and> emeasure M {x} \<noteq> 0"
    78     by (intro AE_I[OF order_refl]) (auto simp: emeasure_eq_measure set_diff_eq cong: conj_cong)
    79   then show "AE x in M. measure M {x} \<noteq> 0"
    80     by (auto simp: emeasure_eq_measure)
    81 qed (auto intro!: exI[of _ "{x. measure M {x} \<noteq> 0}"] countable_support)
    82 
    83 subsection {* PMF as measure *}
    84 
    85 typedef 'a pmf = "{M :: 'a measure. prob_space M \<and> sets M = UNIV \<and> (AE x in M. measure M {x} \<noteq> 0)}"
    86   morphisms measure_pmf Abs_pmf
    87   by (intro exI[of _ "uniform_measure (count_space UNIV) {undefined}"])
    88      (auto intro!: prob_space_uniform_measure AE_uniform_measureI)
    89 
    90 declare [[coercion measure_pmf]]
    91 
    92 lemma prob_space_measure_pmf: "prob_space (measure_pmf p)"
    93   using pmf.measure_pmf[of p] by auto
    94 
    95 interpretation measure_pmf!: prob_space "measure_pmf M" for M
    96   by (rule prob_space_measure_pmf)
    97 
    98 interpretation measure_pmf!: subprob_space "measure_pmf M" for M
    99   by (rule prob_space_imp_subprob_space) unfold_locales
   100 
   101 locale pmf_as_measure
   102 begin
   103 
   104 setup_lifting type_definition_pmf
   105 
   106 end
   107 
   108 context
   109 begin
   110 
   111 interpretation pmf_as_measure .
   112 
   113 lift_definition pmf :: "'a pmf \<Rightarrow> 'a \<Rightarrow> real" is "\<lambda>M x. measure M {x}" .
   114 
   115 lift_definition set_pmf :: "'a pmf \<Rightarrow> 'a set" is "\<lambda>M. {x. measure M {x} \<noteq> 0}" .
   116 
   117 lift_definition map_pmf :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a pmf \<Rightarrow> 'b pmf" is
   118   "\<lambda>f M. distr M (count_space UNIV) f"
   119 proof safe
   120   fix M and f :: "'a \<Rightarrow> 'b"
   121   let ?D = "distr M (count_space UNIV) f"
   122   assume "prob_space M" and [simp]: "sets M = UNIV" and ae: "AE x in M. measure M {x} \<noteq> 0"
   123   interpret prob_space M by fact
   124   from ae have "AE x in M. measure M (f -` {f x}) \<noteq> 0"
   125   proof eventually_elim
   126     fix x
   127     have "measure M {x} \<le> measure M (f -` {f x})"
   128       by (intro finite_measure_mono) auto
   129     then show "measure M {x} \<noteq> 0 \<Longrightarrow> measure M (f -` {f x}) \<noteq> 0"
   130       using measure_nonneg[of M "{x}"] by auto
   131   qed
   132   then show "AE x in ?D. measure ?D {x} \<noteq> 0"
   133     by (simp add: AE_distr_iff measure_distr measurable_def)
   134 qed (auto simp: measurable_def prob_space.prob_space_distr)
   135 
   136 declare [[coercion set_pmf]]
   137 
   138 lemma countable_set_pmf [simp]: "countable (set_pmf p)"
   139   by transfer (metis prob_space.finite_measure finite_measure.countable_support)
   140 
   141 lemma sets_measure_pmf[simp]: "sets (measure_pmf p) = UNIV"
   142   by transfer metis
   143 
   144 lemma sets_measure_pmf_count_space: "sets (measure_pmf M) = sets (count_space UNIV)"
   145   by simp
   146 
   147 lemma space_measure_pmf[simp]: "space (measure_pmf p) = UNIV"
   148   using sets_eq_imp_space_eq[of "measure_pmf p" "count_space UNIV"] by simp
   149 
   150 lemma measurable_pmf_measure1[simp]: "measurable (M :: 'a pmf) N = UNIV \<rightarrow> space N"
   151   by (auto simp: measurable_def)
   152 
   153 lemma measurable_pmf_measure2[simp]: "measurable N (M :: 'a pmf) = measurable N (count_space UNIV)"
   154   by (intro measurable_cong_sets) simp_all
   155 
   156 lemma pmf_positive: "x \<in> set_pmf p \<Longrightarrow> 0 < pmf p x"
   157   by transfer (simp add: less_le measure_nonneg)
   158 
   159 lemma pmf_nonneg: "0 \<le> pmf p x"
   160   by transfer (simp add: measure_nonneg)
   161 
   162 lemma pmf_le_1: "pmf p x \<le> 1"
   163   by (simp add: pmf.rep_eq)
   164 
   165 lemma emeasure_pmf_single:
   166   fixes M :: "'a pmf"
   167   shows "emeasure M {x} = pmf M x"
   168   by transfer (simp add: finite_measure.emeasure_eq_measure[OF prob_space.finite_measure])
   169 
   170 lemma AE_measure_pmf: "AE x in (M::'a pmf). x \<in> M"
   171   by transfer simp
   172 
   173 lemma emeasure_pmf_single_eq_zero_iff:
   174   fixes M :: "'a pmf"
   175   shows "emeasure M {y} = 0 \<longleftrightarrow> y \<notin> M"
   176   by transfer (simp add: finite_measure.emeasure_eq_measure[OF prob_space.finite_measure])
   177 
   178 lemma AE_measure_pmf_iff: "(AE x in measure_pmf M. P x) \<longleftrightarrow> (\<forall>y\<in>M. P y)"
   179 proof -
   180   { fix y assume y: "y \<in> M" and P: "AE x in M. P x" "\<not> P y"
   181     with P have "AE x in M. x \<noteq> y"
   182       by auto
   183     with y have False
   184       by (simp add: emeasure_pmf_single_eq_zero_iff AE_iff_measurable[OF _ refl]) }
   185   then show ?thesis
   186     using AE_measure_pmf[of M] by auto
   187 qed
   188 
   189 lemma set_pmf_not_empty: "set_pmf M \<noteq> {}"
   190   using AE_measure_pmf[of M] by (intro notI) simp
   191 
   192 lemma set_pmf_iff: "x \<in> set_pmf M \<longleftrightarrow> pmf M x \<noteq> 0"
   193   by transfer simp
   194 
   195 lemma emeasure_measure_pmf_finite: "finite S \<Longrightarrow> emeasure (measure_pmf M) S = (\<Sum>s\<in>S. pmf M s)"
   196   by (subst emeasure_eq_setsum_singleton) (auto simp: emeasure_pmf_single)
   197 
   198 lemma measure_measure_pmf_finite: "finite S \<Longrightarrow> measure (measure_pmf M) S = setsum (pmf M) S"
   199 using emeasure_measure_pmf_finite[of S M]
   200 by(simp add: measure_pmf.emeasure_eq_measure)
   201 
   202 lemma nn_integral_measure_pmf_support:
   203   fixes f :: "'a \<Rightarrow> ereal"
   204   assumes f: "finite A" and nn: "\<And>x. x \<in> A \<Longrightarrow> 0 \<le> f x" "\<And>x. x \<in> set_pmf M \<Longrightarrow> x \<notin> A \<Longrightarrow> f x = 0"
   205   shows "(\<integral>\<^sup>+x. f x \<partial>measure_pmf M) = (\<Sum>x\<in>A. f x * pmf M x)"
   206 proof -
   207   have "(\<integral>\<^sup>+x. f x \<partial>M) = (\<integral>\<^sup>+x. f x * indicator A x \<partial>M)"
   208     using nn by (intro nn_integral_cong_AE) (auto simp: AE_measure_pmf_iff split: split_indicator)
   209   also have "\<dots> = (\<Sum>x\<in>A. f x * emeasure M {x})"
   210     using assms by (intro nn_integral_indicator_finite) auto
   211   finally show ?thesis
   212     by (simp add: emeasure_measure_pmf_finite)
   213 qed
   214 
   215 lemma nn_integral_measure_pmf_finite:
   216   fixes f :: "'a \<Rightarrow> ereal"
   217   assumes f: "finite (set_pmf M)" and nn: "\<And>x. x \<in> set_pmf M \<Longrightarrow> 0 \<le> f x"
   218   shows "(\<integral>\<^sup>+x. f x \<partial>measure_pmf M) = (\<Sum>x\<in>set_pmf M. f x * pmf M x)"
   219   using assms by (intro nn_integral_measure_pmf_support) auto
   220 lemma integrable_measure_pmf_finite:
   221   fixes f :: "'a \<Rightarrow> 'b::{banach, second_countable_topology}"
   222   shows "finite (set_pmf M) \<Longrightarrow> integrable M f"
   223   by (auto intro!: integrableI_bounded simp: nn_integral_measure_pmf_finite)
   224 
   225 lemma integral_measure_pmf:
   226   assumes [simp]: "finite A" and "\<And>a. a \<in> set_pmf M \<Longrightarrow> f a \<noteq> 0 \<Longrightarrow> a \<in> A"
   227   shows "(\<integral>x. f x \<partial>measure_pmf M) = (\<Sum>a\<in>A. f a * pmf M a)"
   228 proof -
   229   have "(\<integral>x. f x \<partial>measure_pmf M) = (\<integral>x. f x * indicator A x \<partial>measure_pmf M)"
   230     using assms(2) by (intro integral_cong_AE) (auto split: split_indicator simp: AE_measure_pmf_iff)
   231   also have "\<dots> = (\<Sum>a\<in>A. f a * pmf M a)"
   232     by (subst integral_indicator_finite_real) (auto simp: measure_def emeasure_measure_pmf_finite)
   233   finally show ?thesis .
   234 qed
   235 
   236 lemma integrable_pmf: "integrable (count_space X) (pmf M)"
   237 proof -
   238   have " (\<integral>\<^sup>+ x. pmf M x \<partial>count_space X) = (\<integral>\<^sup>+ x. pmf M x \<partial>count_space (M \<inter> X))"
   239     by (auto simp add: nn_integral_count_space_indicator set_pmf_iff intro!: nn_integral_cong split: split_indicator)
   240   then have "integrable (count_space X) (pmf M) = integrable (count_space (M \<inter> X)) (pmf M)"
   241     by (simp add: integrable_iff_bounded pmf_nonneg)
   242   then show ?thesis
   243     by (simp add: pmf.rep_eq measure_pmf.integrable_measure disjoint_family_on_def)
   244 qed
   245 
   246 lemma integral_pmf: "(\<integral>x. pmf M x \<partial>count_space X) = measure M X"
   247 proof -
   248   have "(\<integral>x. pmf M x \<partial>count_space X) = (\<integral>\<^sup>+x. pmf M x \<partial>count_space X)"
   249     by (simp add: pmf_nonneg integrable_pmf nn_integral_eq_integral)
   250   also have "\<dots> = (\<integral>\<^sup>+x. emeasure M {x} \<partial>count_space (X \<inter> M))"
   251     by (auto intro!: nn_integral_cong_AE split: split_indicator
   252              simp: pmf.rep_eq measure_pmf.emeasure_eq_measure nn_integral_count_space_indicator
   253                    AE_count_space set_pmf_iff)
   254   also have "\<dots> = emeasure M (X \<inter> M)"
   255     by (rule emeasure_countable_singleton[symmetric]) (auto intro: countable_set_pmf)
   256   also have "\<dots> = emeasure M X"
   257     by (auto intro!: emeasure_eq_AE simp: AE_measure_pmf_iff)
   258   finally show ?thesis
   259     by (simp add: measure_pmf.emeasure_eq_measure)
   260 qed
   261 
   262 lemma integral_pmf_restrict:
   263   "(f::'a \<Rightarrow> 'b::{banach, second_countable_topology}) \<in> borel_measurable (count_space UNIV) \<Longrightarrow>
   264     (\<integral>x. f x \<partial>measure_pmf M) = (\<integral>x. f x \<partial>restrict_space M M)"
   265   by (auto intro!: integral_cong_AE simp add: integral_restrict_space AE_measure_pmf_iff)
   266 
   267 lemma emeasure_pmf: "emeasure (M::'a pmf) M = 1"
   268 proof -
   269   have "emeasure (M::'a pmf) M = emeasure (M::'a pmf) (space M)"
   270     by (intro emeasure_eq_AE) (simp_all add: AE_measure_pmf)
   271   then show ?thesis
   272     using measure_pmf.emeasure_space_1 by simp
   273 qed
   274 
   275 lemma in_null_sets_measure_pmfI:
   276   "A \<inter> set_pmf p = {} \<Longrightarrow> A \<in> null_sets (measure_pmf p)"
   277 using emeasure_eq_0_AE[where ?P="\<lambda>x. x \<in> A" and M="measure_pmf p"]
   278 by(auto simp add: null_sets_def AE_measure_pmf_iff)
   279 
   280 lemma map_pmf_id[simp]: "map_pmf id = id"
   281   by (rule, transfer) (auto simp: emeasure_distr measurable_def intro!: measure_eqI)
   282 
   283 lemma map_pmf_compose: "map_pmf (f \<circ> g) = map_pmf f \<circ> map_pmf g"
   284   by (rule, transfer) (simp add: distr_distr[symmetric, where N="count_space UNIV"] measurable_def) 
   285 
   286 lemma map_pmf_comp: "map_pmf f (map_pmf g M) = map_pmf (\<lambda>x. f (g x)) M"
   287   using map_pmf_compose[of f g] by (simp add: comp_def)
   288 
   289 lemma map_pmf_cong:
   290   assumes "p = q"
   291   shows "(\<And>x. x \<in> set_pmf q \<Longrightarrow> f x = g x) \<Longrightarrow> map_pmf f p = map_pmf g q"
   292   unfolding `p = q`[symmetric] measure_pmf_inject[symmetric] map_pmf.rep_eq
   293   by (auto simp add: emeasure_distr AE_measure_pmf_iff intro!: emeasure_eq_AE measure_eqI)
   294 
   295 lemma emeasure_map_pmf[simp]: "emeasure (map_pmf f M) X = emeasure M (f -` X)"
   296   unfolding map_pmf.rep_eq by (subst emeasure_distr) auto
   297 
   298 lemma nn_integral_map_pmf[simp]: "(\<integral>\<^sup>+x. f x \<partial>map_pmf g M) = (\<integral>\<^sup>+x. f (g x) \<partial>M)"
   299   unfolding map_pmf.rep_eq by (intro nn_integral_distr) auto
   300 
   301 lemma ereal_pmf_map: "pmf (map_pmf f p) x = (\<integral>\<^sup>+ y. indicator (f -` {x}) y \<partial>measure_pmf p)"
   302 proof(transfer fixing: f x)
   303   fix p :: "'b measure"
   304   presume "prob_space p"
   305   then interpret prob_space p .
   306   presume "sets p = UNIV"
   307   then show "ereal (measure (distr p (count_space UNIV) f) {x}) = integral\<^sup>N p (indicator (f -` {x}))"
   308     by(simp add: measure_distr measurable_def emeasure_eq_measure)
   309 qed simp_all
   310 
   311 lemma pmf_set_map: 
   312   fixes f :: "'a \<Rightarrow> 'b"
   313   shows "set_pmf \<circ> map_pmf f = op ` f \<circ> set_pmf"
   314 proof (rule, transfer, clarsimp simp add: measure_distr measurable_def)
   315   fix f :: "'a \<Rightarrow> 'b" and M :: "'a measure"
   316   assume "prob_space M" and ae: "AE x in M. measure M {x} \<noteq> 0" and [simp]: "sets M = UNIV"
   317   interpret prob_space M by fact
   318   show "{x. measure M (f -` {x}) \<noteq> 0} = f ` {x. measure M {x} \<noteq> 0}"
   319   proof safe
   320     fix x assume "measure M (f -` {x}) \<noteq> 0"
   321     moreover have "measure M (f -` {x}) = measure M {y. f y = x \<and> measure M {y} \<noteq> 0}"
   322       using ae by (intro finite_measure_eq_AE) auto
   323     ultimately have "{y. f y = x \<and> measure M {y} \<noteq> 0} \<noteq> {}"
   324       by (metis measure_empty)
   325     then show "x \<in> f ` {x. measure M {x} \<noteq> 0}"
   326       by auto
   327   next
   328     fix x assume "measure M {x} \<noteq> 0"
   329     then have "0 < measure M {x}"
   330       using measure_nonneg[of M "{x}"] by auto
   331     also have "measure M {x} \<le> measure M (f -` {f x})"
   332       by (intro finite_measure_mono) auto
   333     finally show "measure M (f -` {f x}) = 0 \<Longrightarrow> False"
   334       by simp
   335   qed
   336 qed
   337 
   338 lemma set_map_pmf: "set_pmf (map_pmf f M) = f`set_pmf M"
   339   using pmf_set_map[of f] by (auto simp: comp_def fun_eq_iff)
   340 
   341 lemma nn_integral_pmf: "(\<integral>\<^sup>+ x. pmf p x \<partial>count_space A) = emeasure (measure_pmf p) A"
   342 proof -
   343   have "(\<integral>\<^sup>+ x. pmf p x \<partial>count_space A) = (\<integral>\<^sup>+ x. pmf p x \<partial>count_space (A \<inter> set_pmf p))"
   344     by(auto simp add: nn_integral_count_space_indicator indicator_def set_pmf_iff intro: nn_integral_cong)
   345   also have "\<dots> = emeasure (measure_pmf p) (\<Union>x\<in>A \<inter> set_pmf p. {x})"
   346     by(subst emeasure_UN_countable)(auto simp add: emeasure_pmf_single disjoint_family_on_def)
   347   also have "\<dots> = emeasure (measure_pmf p) ((\<Union>x\<in>A \<inter> set_pmf p. {x}) \<union> {x. x \<in> A \<and> x \<notin> set_pmf p})"
   348     by(rule emeasure_Un_null_set[symmetric])(auto intro: in_null_sets_measure_pmfI)
   349   also have "\<dots> = emeasure (measure_pmf p) A"
   350     by(auto intro: arg_cong2[where f=emeasure])
   351   finally show ?thesis .
   352 qed
   353 
   354 subsection {* PMFs as function *}
   355 
   356 context
   357   fixes f :: "'a \<Rightarrow> real"
   358   assumes nonneg: "\<And>x. 0 \<le> f x"
   359   assumes prob: "(\<integral>\<^sup>+x. f x \<partial>count_space UNIV) = 1"
   360 begin
   361 
   362 lift_definition embed_pmf :: "'a pmf" is "density (count_space UNIV) (ereal \<circ> f)"
   363 proof (intro conjI)
   364   have *[simp]: "\<And>x y. ereal (f y) * indicator {x} y = ereal (f x) * indicator {x} y"
   365     by (simp split: split_indicator)
   366   show "AE x in density (count_space UNIV) (ereal \<circ> f).
   367     measure (density (count_space UNIV) (ereal \<circ> f)) {x} \<noteq> 0"
   368     by (simp add: AE_density nonneg emeasure_density measure_def nn_integral_cmult_indicator)
   369   show "prob_space (density (count_space UNIV) (ereal \<circ> f))"
   370     by default (simp add: emeasure_density prob)
   371 qed simp
   372 
   373 lemma pmf_embed_pmf: "pmf embed_pmf x = f x"
   374 proof transfer
   375   have *[simp]: "\<And>x y. ereal (f y) * indicator {x} y = ereal (f x) * indicator {x} y"
   376     by (simp split: split_indicator)
   377   fix x show "measure (density (count_space UNIV) (ereal \<circ> f)) {x} = f x"
   378     by transfer (simp add: measure_def emeasure_density nn_integral_cmult_indicator nonneg)
   379 qed
   380 
   381 end
   382 
   383 lemma embed_pmf_transfer:
   384   "rel_fun (eq_onp (\<lambda>f. (\<forall>x. 0 \<le> f x) \<and> (\<integral>\<^sup>+x. ereal (f x) \<partial>count_space UNIV) = 1)) pmf_as_measure.cr_pmf (\<lambda>f. density (count_space UNIV) (ereal \<circ> f)) embed_pmf"
   385   by (auto simp: rel_fun_def eq_onp_def embed_pmf.transfer)
   386 
   387 lemma measure_pmf_eq_density: "measure_pmf p = density (count_space UNIV) (pmf p)"
   388 proof (transfer, elim conjE)
   389   fix M :: "'a measure" assume [simp]: "sets M = UNIV" and ae: "AE x in M. measure M {x} \<noteq> 0"
   390   assume "prob_space M" then interpret prob_space M .
   391   show "M = density (count_space UNIV) (\<lambda>x. ereal (measure M {x}))"
   392   proof (rule measure_eqI)
   393     fix A :: "'a set"
   394     have "(\<integral>\<^sup>+ x. ereal (measure M {x}) * indicator A x \<partial>count_space UNIV) = 
   395       (\<integral>\<^sup>+ x. emeasure M {x} * indicator (A \<inter> {x. measure M {x} \<noteq> 0}) x \<partial>count_space UNIV)"
   396       by (auto intro!: nn_integral_cong simp: emeasure_eq_measure split: split_indicator)
   397     also have "\<dots> = (\<integral>\<^sup>+ x. emeasure M {x} \<partial>count_space (A \<inter> {x. measure M {x} \<noteq> 0}))"
   398       by (subst nn_integral_restrict_space[symmetric]) (auto simp: restrict_count_space)
   399     also have "\<dots> = emeasure M (\<Union>x\<in>(A \<inter> {x. measure M {x} \<noteq> 0}). {x})"
   400       by (intro emeasure_UN_countable[symmetric] countable_Int2 countable_support)
   401          (auto simp: disjoint_family_on_def)
   402     also have "\<dots> = emeasure M A"
   403       using ae by (intro emeasure_eq_AE) auto
   404     finally show " emeasure M A = emeasure (density (count_space UNIV) (\<lambda>x. ereal (measure M {x}))) A"
   405       using emeasure_space_1 by (simp add: emeasure_density)
   406   qed simp
   407 qed
   408 
   409 lemma td_pmf_embed_pmf:
   410   "type_definition pmf embed_pmf {f::'a \<Rightarrow> real. (\<forall>x. 0 \<le> f x) \<and> (\<integral>\<^sup>+x. ereal (f x) \<partial>count_space UNIV) = 1}"
   411   unfolding type_definition_def
   412 proof safe
   413   fix p :: "'a pmf"
   414   have "(\<integral>\<^sup>+ x. 1 \<partial>measure_pmf p) = 1"
   415     using measure_pmf.emeasure_space_1[of p] by simp
   416   then show *: "(\<integral>\<^sup>+ x. ereal (pmf p x) \<partial>count_space UNIV) = 1"
   417     by (simp add: measure_pmf_eq_density nn_integral_density pmf_nonneg del: nn_integral_const)
   418 
   419   show "embed_pmf (pmf p) = p"
   420     by (intro measure_pmf_inject[THEN iffD1])
   421        (simp add: * embed_pmf.rep_eq pmf_nonneg measure_pmf_eq_density[of p] comp_def)
   422 next
   423   fix f :: "'a \<Rightarrow> real" assume "\<forall>x. 0 \<le> f x" "(\<integral>\<^sup>+x. f x \<partial>count_space UNIV) = 1"
   424   then show "pmf (embed_pmf f) = f"
   425     by (auto intro!: pmf_embed_pmf)
   426 qed (rule pmf_nonneg)
   427 
   428 end
   429 
   430 locale pmf_as_function
   431 begin
   432 
   433 setup_lifting td_pmf_embed_pmf
   434 
   435 lemma set_pmf_transfer[transfer_rule]: 
   436   assumes "bi_total A"
   437   shows "rel_fun (pcr_pmf A) (rel_set A) (\<lambda>f. {x. f x \<noteq> 0}) set_pmf"  
   438   using `bi_total A`
   439   by (auto simp: pcr_pmf_def cr_pmf_def rel_fun_def rel_set_def bi_total_def Bex_def set_pmf_iff)
   440      metis+
   441 
   442 end
   443 
   444 context
   445 begin
   446 
   447 interpretation pmf_as_function .
   448 
   449 lemma pmf_eqI: "(\<And>i. pmf M i = pmf N i) \<Longrightarrow> M = N"
   450   by transfer auto
   451 
   452 lemma pmf_eq_iff: "M = N \<longleftrightarrow> (\<forall>i. pmf M i = pmf N i)"
   453   by (auto intro: pmf_eqI)
   454 
   455 end
   456 
   457 context
   458 begin
   459 
   460 interpretation pmf_as_function .
   461 
   462 lift_definition bernoulli_pmf :: "real \<Rightarrow> bool pmf" is
   463   "\<lambda>p b. ((\<lambda>p. if b then p else 1 - p) \<circ> min 1 \<circ> max 0) p"
   464   by (auto simp: nn_integral_count_space_finite[where A="{False, True}"] UNIV_bool
   465            split: split_max split_min)
   466 
   467 lemma pmf_bernoulli_True[simp]: "0 \<le> p \<Longrightarrow> p \<le> 1 \<Longrightarrow> pmf (bernoulli_pmf p) True = p"
   468   by transfer simp
   469 
   470 lemma pmf_bernoulli_False[simp]: "0 \<le> p \<Longrightarrow> p \<le> 1 \<Longrightarrow> pmf (bernoulli_pmf p) False = 1 - p"
   471   by transfer simp
   472 
   473 lemma set_pmf_bernoulli: "0 < p \<Longrightarrow> p < 1 \<Longrightarrow> set_pmf (bernoulli_pmf p) = UNIV"
   474   by (auto simp add: set_pmf_iff UNIV_bool)
   475 
   476 lemma nn_integral_bernoulli_pmf[simp]: 
   477   assumes [simp]: "0 \<le> p" "p \<le> 1" "\<And>x. 0 \<le> f x"
   478   shows "(\<integral>\<^sup>+x. f x \<partial>bernoulli_pmf p) = f True * p + f False * (1 - p)"
   479   by (subst nn_integral_measure_pmf_support[of UNIV])
   480      (auto simp: UNIV_bool field_simps)
   481 
   482 lemma integral_bernoulli_pmf[simp]: 
   483   assumes [simp]: "0 \<le> p" "p \<le> 1"
   484   shows "(\<integral>x. f x \<partial>bernoulli_pmf p) = f True * p + f False * (1 - p)"
   485   by (subst integral_measure_pmf[of UNIV]) (auto simp: UNIV_bool)
   486 
   487 lift_definition geometric_pmf :: "nat pmf" is "\<lambda>n. 1 / 2^Suc n"
   488 proof
   489   note geometric_sums[of "1 / 2"]
   490   note sums_mult[OF this, of "1 / 2"]
   491   from sums_suminf_ereal[OF this]
   492   show "(\<integral>\<^sup>+ x. ereal (1 / 2 ^ Suc x) \<partial>count_space UNIV) = 1"
   493     by (simp add: nn_integral_count_space_nat field_simps)
   494 qed simp
   495 
   496 lemma pmf_geometric[simp]: "pmf geometric_pmf n = 1 / 2^Suc n"
   497   by transfer rule
   498 
   499 lemma set_pmf_geometric[simp]: "set_pmf geometric_pmf = UNIV"
   500   by (auto simp: set_pmf_iff)
   501 
   502 context
   503   fixes M :: "'a multiset" assumes M_not_empty: "M \<noteq> {#}"
   504 begin
   505 
   506 lift_definition pmf_of_multiset :: "'a pmf" is "\<lambda>x. count M x / size M"
   507 proof
   508   show "(\<integral>\<^sup>+ x. ereal (real (count M x) / real (size M)) \<partial>count_space UNIV) = 1"  
   509     using M_not_empty
   510     by (simp add: zero_less_divide_iff nn_integral_count_space nonempty_has_size
   511                   setsum_divide_distrib[symmetric])
   512        (auto simp: size_multiset_overloaded_eq intro!: setsum.cong)
   513 qed simp
   514 
   515 lemma pmf_of_multiset[simp]: "pmf pmf_of_multiset x = count M x / size M"
   516   by transfer rule
   517 
   518 lemma set_pmf_of_multiset[simp]: "set_pmf pmf_of_multiset = set_of M"
   519   by (auto simp: set_pmf_iff)
   520 
   521 end
   522 
   523 context
   524   fixes S :: "'a set" assumes S_not_empty: "S \<noteq> {}" and S_finite: "finite S"
   525 begin
   526 
   527 lift_definition pmf_of_set :: "'a pmf" is "\<lambda>x. indicator S x / card S"
   528 proof
   529   show "(\<integral>\<^sup>+ x. ereal (indicator S x / real (card S)) \<partial>count_space UNIV) = 1"  
   530     using S_not_empty S_finite by (subst nn_integral_count_space'[of S]) auto
   531 qed simp
   532 
   533 lemma pmf_of_set[simp]: "pmf pmf_of_set x = indicator S x / card S"
   534   by transfer rule
   535 
   536 lemma set_pmf_of_set[simp]: "set_pmf pmf_of_set = S"
   537   using S_finite S_not_empty by (auto simp: set_pmf_iff)
   538 
   539 lemma emeasure_pmf_of_set[simp]: "emeasure pmf_of_set S = 1"
   540   by (rule measure_pmf.emeasure_eq_1_AE) (auto simp: AE_measure_pmf_iff)
   541 
   542 end
   543 
   544 end
   545 
   546 subsection {* Monad interpretation *}
   547 
   548 lemma measurable_measure_pmf[measurable]:
   549   "(\<lambda>x. measure_pmf (M x)) \<in> measurable (count_space UNIV) (subprob_algebra (count_space UNIV))"
   550   by (auto simp: space_subprob_algebra intro!: prob_space_imp_subprob_space) unfold_locales
   551 
   552 lemma bind_pmf_cong:
   553   assumes "\<And>x. A x \<in> space (subprob_algebra N)" "\<And>x. B x \<in> space (subprob_algebra N)"
   554   assumes "\<And>i. i \<in> set_pmf x \<Longrightarrow> A i = B i"
   555   shows "bind (measure_pmf x) A = bind (measure_pmf x) B"
   556 proof (rule measure_eqI)
   557   show "sets (measure_pmf x \<guillemotright>= A) = sets (measure_pmf x \<guillemotright>= B)"
   558     using assms by (subst (1 2) sets_bind) auto
   559 next
   560   fix X assume "X \<in> sets (measure_pmf x \<guillemotright>= A)"
   561   then have X: "X \<in> sets N"
   562     using assms by (subst (asm) sets_bind) auto
   563   show "emeasure (measure_pmf x \<guillemotright>= A) X = emeasure (measure_pmf x \<guillemotright>= B) X"
   564     using assms
   565     by (subst (1 2) emeasure_bind[where N=N, OF _ _ X])
   566        (auto intro!: nn_integral_cong_AE simp: AE_measure_pmf_iff)
   567 qed
   568 
   569 context
   570 begin
   571 
   572 interpretation pmf_as_measure .
   573 
   574 lift_definition join_pmf :: "'a pmf pmf \<Rightarrow> 'a pmf" is "\<lambda>M. measure_pmf M \<guillemotright>= measure_pmf"
   575 proof (intro conjI)
   576   fix M :: "'a pmf pmf"
   577 
   578   have *: "measure_pmf \<in> measurable (measure_pmf M) (subprob_algebra (count_space UNIV))"
   579     using measurable_measure_pmf[of "\<lambda>x. x"] by simp
   580   
   581   interpret bind: prob_space "measure_pmf M \<guillemotright>= measure_pmf"
   582     apply (rule measure_pmf.prob_space_bind[OF _ *])
   583     apply (auto intro!: AE_I2)
   584     apply unfold_locales
   585     done
   586   show "prob_space (measure_pmf M \<guillemotright>= measure_pmf)"
   587     by intro_locales
   588   show "sets (measure_pmf M \<guillemotright>= measure_pmf) = UNIV"
   589     by (subst sets_bind[OF *]) auto
   590   have "AE x in measure_pmf M \<guillemotright>= measure_pmf. emeasure (measure_pmf M \<guillemotright>= measure_pmf) {x} \<noteq> 0"
   591     by (auto simp add: AE_bind[OF _ *] AE_measure_pmf_iff emeasure_bind[OF _ *]
   592         nn_integral_0_iff_AE measure_pmf.emeasure_eq_measure measure_le_0_iff set_pmf_iff pmf.rep_eq)
   593   then show "AE x in measure_pmf M \<guillemotright>= measure_pmf. measure (measure_pmf M \<guillemotright>= measure_pmf) {x} \<noteq> 0"
   594     unfolding bind.emeasure_eq_measure by simp
   595 qed
   596 
   597 lemma pmf_join: "pmf (join_pmf N) i = (\<integral>M. pmf M i \<partial>measure_pmf N)"
   598 proof (transfer fixing: N i)
   599   have N: "subprob_space (measure_pmf N)"
   600     by (rule prob_space_imp_subprob_space) intro_locales
   601   show "measure (measure_pmf N \<guillemotright>= measure_pmf) {i} = integral\<^sup>L (measure_pmf N) (\<lambda>M. measure M {i})"
   602     using measurable_measure_pmf[of "\<lambda>x. x"]
   603     by (intro subprob_space.measure_bind[where N="count_space UNIV", OF N]) auto
   604 qed (auto simp: Transfer.Rel_def rel_fun_def cr_pmf_def)
   605 
   606 lemma set_pmf_join_pmf: "set_pmf (join_pmf f) = (\<Union>p\<in>set_pmf f. set_pmf p)"
   607 apply(simp add: set_eq_iff set_pmf_iff pmf_join)
   608 apply(subst integral_nonneg_eq_0_iff_AE)
   609 apply(auto simp add: pmf_le_1 pmf_nonneg AE_measure_pmf_iff intro!: measure_pmf.integrable_const_bound[where B=1])
   610 done
   611 
   612 lift_definition return_pmf :: "'a \<Rightarrow> 'a pmf" is "return (count_space UNIV)"
   613   by (auto intro!: prob_space_return simp: AE_return measure_return)
   614 
   615 lemma join_return_pmf: "join_pmf (return_pmf M) = M"
   616   by (simp add: integral_return pmf_eq_iff pmf_join return_pmf.rep_eq)
   617 
   618 lemma map_return_pmf: "map_pmf f (return_pmf x) = return_pmf (f x)"
   619   by transfer (simp add: distr_return)
   620 
   621 lemma set_return_pmf: "set_pmf (return_pmf x) = {x}"
   622   by transfer (auto simp add: measure_return split: split_indicator)
   623 
   624 lemma pmf_return: "pmf (return_pmf x) y = indicator {y} x"
   625   by transfer (simp add: measure_return)
   626 
   627 lemma nn_integral_return_pmf[simp]: "0 \<le> f x \<Longrightarrow> (\<integral>\<^sup>+x. f x \<partial>return_pmf x) = f x"
   628   unfolding return_pmf.rep_eq by (intro nn_integral_return) auto
   629 
   630 lemma emeasure_return_pmf[simp]: "emeasure (return_pmf x) X = indicator X x"
   631   unfolding return_pmf.rep_eq by (intro emeasure_return) auto
   632 
   633 end
   634 
   635 definition "bind_pmf M f = join_pmf (map_pmf f M)"
   636 
   637 lemma (in pmf_as_measure) bind_transfer[transfer_rule]:
   638   "rel_fun pmf_as_measure.cr_pmf (rel_fun (rel_fun op = pmf_as_measure.cr_pmf) pmf_as_measure.cr_pmf) op \<guillemotright>= bind_pmf"
   639 proof (auto simp: pmf_as_measure.cr_pmf_def rel_fun_def bind_pmf_def join_pmf.rep_eq map_pmf.rep_eq)
   640   fix M f and g :: "'a \<Rightarrow> 'b pmf" assume "\<forall>x. f x = measure_pmf (g x)"
   641   then have f: "f = (\<lambda>x. measure_pmf (g x))"
   642     by auto
   643   show "measure_pmf M \<guillemotright>= f = distr (measure_pmf M) (count_space UNIV) g \<guillemotright>= measure_pmf"
   644     unfolding f by (subst bind_distr[OF _ measurable_measure_pmf]) auto
   645 qed
   646 
   647 lemma pmf_bind: "pmf (bind_pmf N f) i = (\<integral>x. pmf (f x) i \<partial>measure_pmf N)"
   648   by (auto intro!: integral_distr simp: bind_pmf_def pmf_join map_pmf.rep_eq)
   649 
   650 lemma bind_return_pmf: "bind_pmf (return_pmf x) f = f x"
   651   unfolding bind_pmf_def map_return_pmf join_return_pmf ..
   652 
   653 lemma set_bind_pmf: "set_pmf (bind_pmf M N) = (\<Union>M\<in>set_pmf M. set_pmf (N M))"
   654   apply (simp add: set_eq_iff set_pmf_iff pmf_bind)
   655   apply (subst integral_nonneg_eq_0_iff_AE)
   656   apply (auto simp: pmf_nonneg pmf_le_1 AE_measure_pmf_iff
   657               intro!: measure_pmf.integrable_const_bound[where B=1])
   658   done
   659 
   660 lemma measurable_pair_restrict_pmf2:
   661   assumes "countable A"
   662   assumes "\<And>y. y \<in> A \<Longrightarrow> (\<lambda>x. f (x, y)) \<in> measurable M L"
   663   shows "f \<in> measurable (M \<Otimes>\<^sub>M restrict_space (measure_pmf N) A) L"
   664   apply (subst measurable_cong_sets)
   665   apply (rule sets_pair_measure_cong sets_restrict_space_cong sets_measure_pmf_count_space refl)+
   666   apply (simp_all add: restrict_count_space)
   667   apply (subst split_eta[symmetric])
   668   unfolding measurable_split_conv
   669   apply (rule measurable_compose_countable'[OF _ measurable_snd `countable A`])
   670   apply (rule measurable_compose[OF measurable_fst])
   671   apply fact
   672   done
   673 
   674 lemma measurable_pair_restrict_pmf1:
   675   assumes "countable A"
   676   assumes "\<And>x. x \<in> A \<Longrightarrow> (\<lambda>y. f (x, y)) \<in> measurable N L"
   677   shows "f \<in> measurable (restrict_space (measure_pmf M) A \<Otimes>\<^sub>M N) L"
   678   apply (subst measurable_cong_sets)
   679   apply (rule sets_pair_measure_cong sets_restrict_space_cong sets_measure_pmf_count_space refl)+
   680   apply (simp_all add: restrict_count_space)
   681   apply (subst split_eta[symmetric])
   682   unfolding measurable_split_conv
   683   apply (rule measurable_compose_countable'[OF _ measurable_fst `countable A`])
   684   apply (rule measurable_compose[OF measurable_snd])
   685   apply fact
   686   done
   687                                 
   688 lemma bind_commute_pmf: "bind_pmf A (\<lambda>x. bind_pmf B (C x)) = bind_pmf B (\<lambda>y. bind_pmf A (\<lambda>x. C x y))"
   689   unfolding pmf_eq_iff pmf_bind
   690 proof
   691   fix i
   692   interpret B: prob_space "restrict_space B B"
   693     by (intro prob_space_restrict_space measure_pmf.emeasure_eq_1_AE)
   694        (auto simp: AE_measure_pmf_iff)
   695   interpret A: prob_space "restrict_space A A"
   696     by (intro prob_space_restrict_space measure_pmf.emeasure_eq_1_AE)
   697        (auto simp: AE_measure_pmf_iff)
   698 
   699   interpret AB: pair_prob_space "restrict_space A A" "restrict_space B B"
   700     by unfold_locales
   701 
   702   have "(\<integral> x. \<integral> y. pmf (C x y) i \<partial>B \<partial>A) = (\<integral> x. (\<integral> y. pmf (C x y) i \<partial>restrict_space B B) \<partial>A)"
   703     by (rule integral_cong) (auto intro!: integral_pmf_restrict)
   704   also have "\<dots> = (\<integral> x. (\<integral> y. pmf (C x y) i \<partial>restrict_space B B) \<partial>restrict_space A A)"
   705     by (intro integral_pmf_restrict B.borel_measurable_lebesgue_integral measurable_pair_restrict_pmf2
   706               countable_set_pmf borel_measurable_count_space)
   707   also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>restrict_space A A \<partial>restrict_space B B)"
   708     by (rule AB.Fubini_integral[symmetric])
   709        (auto intro!: AB.integrable_const_bound[where B=1] measurable_pair_restrict_pmf2
   710              simp: pmf_nonneg pmf_le_1 measurable_restrict_space1)
   711   also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>restrict_space A A \<partial>B)"
   712     by (intro integral_pmf_restrict[symmetric] A.borel_measurable_lebesgue_integral measurable_pair_restrict_pmf2
   713               countable_set_pmf borel_measurable_count_space)
   714   also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>A \<partial>B)"
   715     by (rule integral_cong) (auto intro!: integral_pmf_restrict[symmetric])
   716   finally show "(\<integral> x. \<integral> y. pmf (C x y) i \<partial>B \<partial>A) = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>A \<partial>B)" .
   717 qed
   718 
   719 
   720 context
   721 begin
   722 
   723 interpretation pmf_as_measure .
   724 
   725 lemma measure_pmf_bind: "measure_pmf (bind_pmf M f) = (measure_pmf M \<guillemotright>= (\<lambda>x. measure_pmf (f x)))"
   726   by transfer simp
   727 
   728 lemma nn_integral_bind_pmf[simp]: "(\<integral>\<^sup>+x. f x \<partial>bind_pmf M N) = (\<integral>\<^sup>+x. \<integral>\<^sup>+y. f y \<partial>N x \<partial>M)"
   729   using measurable_measure_pmf[of N]
   730   unfolding measure_pmf_bind
   731   apply (subst (1 3) nn_integral_max_0[symmetric])
   732   apply (intro nn_integral_bind[where B="count_space UNIV"])
   733   apply auto
   734   done
   735 
   736 lemma emeasure_bind_pmf[simp]: "emeasure (bind_pmf M N) X = (\<integral>\<^sup>+x. emeasure (N x) X \<partial>M)"
   737   using measurable_measure_pmf[of N]
   738   unfolding measure_pmf_bind
   739   by (subst emeasure_bind[where N="count_space UNIV"]) auto
   740 
   741 lemma bind_return_pmf': "bind_pmf N return_pmf = N"
   742 proof (transfer, clarify)
   743   fix N :: "'a measure" assume "sets N = UNIV" then show "N \<guillemotright>= return (count_space UNIV) = N"
   744     by (subst return_sets_cong[where N=N]) (simp_all add: bind_return')
   745 qed
   746 
   747 lemma bind_return_pmf'': "bind_pmf N (\<lambda>x. return_pmf (f x)) = map_pmf f N"
   748 proof (transfer, clarify)
   749   fix N :: "'b measure" and f :: "'b \<Rightarrow> 'a" assume "prob_space N" "sets N = UNIV"
   750   then show "N \<guillemotright>= (\<lambda>x. return (count_space UNIV) (f x)) = distr N (count_space UNIV) f"
   751     by (subst bind_return_distr[symmetric])
   752        (auto simp: prob_space.not_empty measurable_def comp_def)
   753 qed
   754 
   755 lemma bind_assoc_pmf: "bind_pmf (bind_pmf A B) C = bind_pmf A (\<lambda>x. bind_pmf (B x) C)"
   756   by transfer
   757      (auto intro!: bind_assoc[where N="count_space UNIV" and R="count_space UNIV"]
   758            simp: measurable_def space_subprob_algebra prob_space_imp_subprob_space)
   759 
   760 end
   761 
   762 definition "pair_pmf A B = bind_pmf A (\<lambda>x. bind_pmf B (\<lambda>y. return_pmf (x, y)))"
   763 
   764 lemma pmf_pair: "pmf (pair_pmf M N) (a, b) = pmf M a * pmf N b"
   765   unfolding pair_pmf_def pmf_bind pmf_return
   766   apply (subst integral_measure_pmf[where A="{b}"])
   767   apply (auto simp: indicator_eq_0_iff)
   768   apply (subst integral_measure_pmf[where A="{a}"])
   769   apply (auto simp: indicator_eq_0_iff setsum_nonneg_eq_0_iff pmf_nonneg)
   770   done
   771 
   772 lemma set_pair_pmf: "set_pmf (pair_pmf A B) = set_pmf A \<times> set_pmf B"
   773   unfolding pair_pmf_def set_bind_pmf set_return_pmf by auto
   774 
   775 lemma bind_pair_pmf:
   776   assumes M[measurable]: "M \<in> measurable (count_space UNIV \<Otimes>\<^sub>M count_space UNIV) (subprob_algebra N)"
   777   shows "measure_pmf (pair_pmf A B) \<guillemotright>= M = (measure_pmf A \<guillemotright>= (\<lambda>x. measure_pmf B \<guillemotright>= (\<lambda>y. M (x, y))))"
   778     (is "?L = ?R")
   779 proof (rule measure_eqI)
   780   have M'[measurable]: "M \<in> measurable (pair_pmf A B) (subprob_algebra N)"
   781     using M[THEN measurable_space] by (simp_all add: space_pair_measure)
   782 
   783   have sets_eq_N: "sets ?L = N"
   784     by (simp add: sets_bind[OF M'])
   785   show "sets ?L = sets ?R"
   786     unfolding sets_eq_N
   787     apply (subst sets_bind[where N=N])
   788     apply (rule measurable_bind)
   789     apply (rule measurable_compose[OF _ measurable_measure_pmf])
   790     apply measurable
   791     apply (auto intro!: sets_pair_measure_cong sets_measure_pmf_count_space)
   792     done
   793   fix X assume "X \<in> sets ?L"
   794   then have X[measurable]: "X \<in> sets N"
   795     unfolding sets_eq_N .
   796   then show "emeasure ?L X = emeasure ?R X"
   797     apply (simp add: emeasure_bind[OF _ M' X])
   798     unfolding pair_pmf_def measure_pmf_bind[of A]
   799     apply (subst nn_integral_bind)
   800     apply (rule measurable_compose[OF M' measurable_emeasure_subprob_algebra, OF X])
   801     apply (subst measurable_cong_sets[OF sets_measure_pmf_count_space refl])
   802     apply (subst subprob_algebra_cong[OF sets_measure_pmf_count_space])
   803     apply measurable
   804     unfolding measure_pmf_bind
   805     apply (subst nn_integral_bind)
   806     apply (rule measurable_compose[OF M' measurable_emeasure_subprob_algebra, OF X])
   807     apply (subst measurable_cong_sets[OF sets_measure_pmf_count_space refl])
   808     apply (subst subprob_algebra_cong[OF sets_measure_pmf_count_space])
   809     apply measurable
   810     apply (simp add: nn_integral_measure_pmf_finite set_return_pmf emeasure_nonneg pmf_return one_ereal_def[symmetric])
   811     apply (subst emeasure_bind[OF _ _ X])
   812     apply simp
   813     apply (rule measurable_bind[where N="count_space UNIV"])
   814     apply (rule measurable_compose[OF _ measurable_measure_pmf])
   815     apply measurable
   816     apply (rule sets_pair_measure_cong sets_measure_pmf_count_space refl)+
   817     apply (subst measurable_cong_sets[OF sets_pair_measure_cong[OF sets_measure_pmf_count_space refl] refl])
   818     apply simp
   819     apply (subst emeasure_bind[OF _ _ X])
   820     apply simp
   821     apply (rule measurable_compose[OF _ M])
   822     apply (auto simp: space_pair_measure)
   823     done
   824 qed
   825 
   826 inductive rel_pmf :: "('a \<Rightarrow> 'b \<Rightarrow> bool) \<Rightarrow> 'a pmf \<Rightarrow> 'b pmf \<Rightarrow> bool"
   827 for R p q
   828 where
   829   "\<lbrakk> \<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> R x y; 
   830      map_pmf fst pq = p; map_pmf snd pq = q \<rbrakk>
   831   \<Longrightarrow> rel_pmf R p q"
   832 
   833 bnf pmf: "'a pmf" map: map_pmf sets: set_pmf bd : "natLeq" rel: rel_pmf
   834 proof -
   835   show "map_pmf id = id" by (rule map_pmf_id)
   836   show "\<And>f g. map_pmf (f \<circ> g) = map_pmf f \<circ> map_pmf g" by (rule map_pmf_compose) 
   837   show "\<And>f g::'a \<Rightarrow> 'b. \<And>p. (\<And>x. x \<in> set_pmf p \<Longrightarrow> f x = g x) \<Longrightarrow> map_pmf f p = map_pmf g p"
   838     by (intro map_pmf_cong refl)
   839 
   840   show "\<And>f::'a \<Rightarrow> 'b. set_pmf \<circ> map_pmf f = op ` f \<circ> set_pmf"
   841     by (rule pmf_set_map)
   842 
   843   { fix p :: "'s pmf"
   844     have "(card_of (set_pmf p), card_of (UNIV :: nat set)) \<in> ordLeq"
   845       by (rule card_of_ordLeqI[where f="to_nat_on (set_pmf p)"])
   846          (auto intro: countable_set_pmf inj_on_to_nat_on)
   847     also have "(card_of (UNIV :: nat set), natLeq) \<in> ordLeq"
   848       by (metis Field_natLeq card_of_least natLeq_Well_order)
   849     finally show "(card_of (set_pmf p), natLeq) \<in> ordLeq" . }
   850 
   851   show "\<And>R. rel_pmf R =
   852          (BNF_Def.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf fst))\<inverse>\<inverse> OO
   853          BNF_Def.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf snd)"
   854      by (auto simp add: fun_eq_iff BNF_Def.Grp_def OO_def rel_pmf.simps)
   855 
   856   { fix p :: "'a pmf" and f :: "'a \<Rightarrow> 'b" and g x
   857     assume p: "\<And>z. z \<in> set_pmf p \<Longrightarrow> f z = g z"
   858       and x: "x \<in> set_pmf p"
   859     thus "f x = g x" by simp }
   860 
   861   fix R :: "'a => 'b \<Rightarrow> bool" and S :: "'b \<Rightarrow> 'c \<Rightarrow> bool"
   862   { fix p q r
   863     assume pq: "rel_pmf R p q"
   864       and qr:"rel_pmf S q r"
   865     from pq obtain pq where pq: "\<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> R x y"
   866       and p: "p = map_pmf fst pq" and q: "q = map_pmf snd pq" by cases auto
   867     from qr obtain qr where qr: "\<And>y z. (y, z) \<in> set_pmf qr \<Longrightarrow> S y z"
   868       and q': "q = map_pmf fst qr" and r: "r = map_pmf snd qr" by cases auto
   869 
   870     have support_subset: "set_pmf pq O set_pmf qr \<subseteq> set_pmf p \<times> set_pmf r"
   871       by(auto simp add: p r set_map_pmf intro: rev_image_eqI)
   872 
   873     let ?A = "\<lambda>y. {x. (x, y) \<in> set_pmf pq}"
   874       and ?B = "\<lambda>y. {z. (y, z) \<in> set_pmf qr}"
   875 
   876 
   877     def ppp \<equiv> "\<lambda>A. \<lambda>f :: 'a \<Rightarrow> real. \<lambda>n. if n \<in> to_nat_on A ` A then f (from_nat_into A n) else 0"
   878     have [simp]: "\<And>A f n. (\<And>x. x \<in> A \<Longrightarrow> 0 \<le> f x) \<Longrightarrow> 0 \<le> ppp A f n"
   879                  "\<And>A f n x. \<lbrakk> x \<in> A; countable A \<rbrakk> \<Longrightarrow> ppp A f (to_nat_on A x) = f x"
   880                  "\<And>A f n. n \<notin> to_nat_on A ` A \<Longrightarrow> ppp A f n = 0"
   881       by(auto simp add: ppp_def intro: from_nat_into)
   882     def rrr \<equiv> "\<lambda>A. \<lambda>f :: 'c \<Rightarrow> real. \<lambda>n. if n \<in> to_nat_on A ` A then f (from_nat_into A n) else 0"
   883     have [simp]: "\<And>A f n. (\<And>x. x \<in> A \<Longrightarrow> 0 \<le> f x) \<Longrightarrow> 0 \<le> rrr A f n"
   884                  "\<And>A f n x. \<lbrakk> x \<in> A; countable A \<rbrakk> \<Longrightarrow> rrr A f (to_nat_on A x) = f x"
   885                  "\<And>A f n. n \<notin> to_nat_on A ` A \<Longrightarrow> rrr A f n = 0"
   886       by(auto simp add: rrr_def intro: from_nat_into)
   887 
   888     def pp \<equiv> "\<lambda>y. ppp (?A y) (\<lambda>x. pmf pq (x, y))"
   889      and rr \<equiv> "\<lambda>y. rrr (?B y) (\<lambda>z. pmf qr (y, z))"
   890 
   891     have pos_p [simp]: "\<And>y n. 0 \<le> pp y n"
   892       and pos_r [simp]: "\<And>y n. 0 \<le> rr y n"
   893       by(simp_all add: pmf_nonneg pp_def rr_def)
   894     { fix y n
   895       have "pp y n \<le> 0 \<longleftrightarrow> pp y n = 0" "\<not> 0 < pp y n \<longleftrightarrow> pp y n = 0"
   896         and "min (pp y n) 0 = 0" "min 0 (pp y n) = 0"
   897         using pos_p[of y n] by(auto simp del: pos_p) }
   898     note pp_convs [simp] = this
   899     { fix y n
   900       have "rr y n \<le> 0 \<longleftrightarrow> rr y n = 0" "\<not> 0 < rr y n \<longleftrightarrow> rr y n = 0"
   901         and "min (rr y n) 0 = 0" "min 0 (rr y n) = 0"
   902         using pos_r[of y n] by(auto simp del: pos_r) }
   903     note r_convs [simp] = this
   904 
   905     have "\<And>y. ?A y \<subseteq> set_pmf p" by(auto simp add: p set_map_pmf intro: rev_image_eqI)
   906     then have [simp]: "\<And>y. countable (?A y)" by(rule countable_subset) simp
   907 
   908     have "\<And>y. ?B y \<subseteq> set_pmf r" by(auto simp add: r set_map_pmf intro: rev_image_eqI)
   909     then have [simp]: "\<And>y. countable (?B y)" by(rule countable_subset) simp
   910 
   911     let ?P = "\<lambda>y. to_nat_on (?A y)"
   912       and ?R = "\<lambda>y. to_nat_on (?B y)"
   913 
   914     have eq: "\<And>y. (\<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV) = \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
   915     proof -
   916       fix y
   917       have "(\<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV) = (\<integral>\<^sup>+ x. pp y x \<partial>count_space (?P y ` ?A y))"
   918         by(auto simp add: pp_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
   919       also have "\<dots> = (\<integral>\<^sup>+ x. pp y (?P y x) \<partial>count_space (?A y))"
   920         by(intro nn_integral_bij_count_space[symmetric] inj_on_imp_bij_betw inj_on_to_nat_on) simp
   921       also have "\<dots> = (\<integral>\<^sup>+ x. pmf pq (x, y) \<partial>count_space (?A y))"
   922         by(rule nn_integral_cong)(simp add: pp_def)
   923       also have "\<dots> = \<integral>\<^sup>+ x. emeasure (measure_pmf pq) {(x, y)} \<partial>count_space (?A y)"
   924         by(simp add: emeasure_pmf_single)
   925       also have "\<dots> = emeasure (measure_pmf pq) (\<Union>x\<in>?A y. {(x, y)})"
   926         by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
   927       also have "\<dots> = emeasure (measure_pmf pq) ((\<Union>x\<in>?A y. {(x, y)}) \<union> {(x, y'). x \<notin> ?A y \<and> y' = y})"
   928         by(rule emeasure_Un_null_set[symmetric])+
   929           (auto simp add: q set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
   930       also have "\<dots> = emeasure (measure_pmf pq) (snd -` {y})"
   931         by(rule arg_cong2[where f=emeasure])+auto
   932       also have "\<dots> = pmf q y" by(simp add: q ereal_pmf_map)
   933       also have "\<dots> = emeasure (measure_pmf qr) (fst -` {y})"
   934         by(simp add: q' ereal_pmf_map)
   935       also have "\<dots> = emeasure (measure_pmf qr) ((\<Union>z\<in>?B y. {(y, z)}) \<union> {(y', z). z \<notin> ?B y \<and> y' = y})"
   936         by(rule arg_cong2[where f=emeasure])+auto
   937       also have "\<dots> = emeasure (measure_pmf qr) (\<Union>z\<in>?B y. {(y, z)})"
   938         by(rule emeasure_Un_null_set)
   939           (auto simp add: q' set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
   940       also have "\<dots> = \<integral>\<^sup>+ z. emeasure (measure_pmf qr) {(y, z)} \<partial>count_space (?B y)"
   941         by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
   942       also have "\<dots> = (\<integral>\<^sup>+ z. pmf qr (y, z) \<partial>count_space (?B y))"
   943         by(simp add: emeasure_pmf_single)
   944       also have "\<dots> = (\<integral>\<^sup>+ z. rr y (?R y z) \<partial>count_space (?B y))"
   945         by(rule nn_integral_cong)(simp add: rr_def)
   946       also have "\<dots> = (\<integral>\<^sup>+ z. rr y z \<partial>count_space (?R y ` ?B y))"
   947         by(intro nn_integral_bij_count_space inj_on_imp_bij_betw inj_on_to_nat_on) simp
   948       also have "\<dots> = \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
   949         by(auto simp add: rr_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
   950       finally show "?thesis y" .
   951     qed
   952 
   953     def assign_aux \<equiv> "\<lambda>y remainder start weight z.
   954        if z < start then 0
   955        else if z = start then min weight remainder
   956        else if remainder + setsum (rr y) {Suc start ..<z} < weight then min (weight - remainder - setsum (rr y) {Suc start..<z}) (rr y z) else 0"
   957     hence assign_aux_alt_def: "\<And>y remainder start weight z. assign_aux y remainder start weight z = 
   958        (if z < start then 0
   959         else if z = start then min weight remainder
   960         else if remainder + setsum (rr y) {Suc start ..<z} < weight then min (weight - remainder - setsum (rr y) {Suc start..<z}) (rr y z) else 0)"
   961        by simp
   962     { fix y and remainder :: real and start and weight :: real
   963       assume weight_nonneg: "0 \<le> weight"
   964       let ?assign_aux = "assign_aux y remainder start weight"
   965       { fix z
   966         have "setsum ?assign_aux {..<z} =
   967            (if z \<le> start then 0 else if remainder + setsum (rr y) {Suc start..<z} < weight then remainder + setsum (rr y) {Suc start..<z} else weight)"
   968         proof(induction z)
   969           case (Suc z) show ?case
   970             by(auto simp add: Suc.IH assign_aux_alt_def[where z=z] not_less)(metis add.commute add.left_commute add_increasing pos_r)
   971         qed(auto simp add: assign_aux_def) }
   972       note setsum_start_assign_aux = this
   973       moreover {
   974         assume remainder_nonneg: "0 \<le> remainder"
   975         have [simp]: "\<And>z. 0 \<le> ?assign_aux z"
   976           by(simp add: assign_aux_def weight_nonneg remainder_nonneg)
   977         moreover have "\<And>z. \<lbrakk> rr y z = 0; remainder \<le> rr y start \<rbrakk> \<Longrightarrow> ?assign_aux z = 0"
   978           using remainder_nonneg weight_nonneg
   979           by(auto simp add: assign_aux_def min_def)
   980         moreover have "(\<integral>\<^sup>+ z. ?assign_aux z \<partial>count_space UNIV) = 
   981           min weight (\<integral>\<^sup>+ z. (if z < start then 0 else if z = start then remainder else rr y z) \<partial>count_space UNIV)"
   982           (is "?lhs = ?rhs" is "_ = min _ (\<integral>\<^sup>+ y. ?f y \<partial>_)")
   983         proof -
   984           have "?lhs = (SUP n. \<Sum>z<n. ereal (?assign_aux z))"
   985             by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
   986           also have "\<dots> = (SUP n. min weight (\<Sum>z<n. ?f z))"
   987           proof(rule arg_cong2[where f=SUPREMUM] ext refl)+
   988             fix n
   989             have "(\<Sum>z<n. ereal (?assign_aux z)) = min weight ((if n > start then remainder else 0) + setsum ?f {Suc start..<n})"
   990               using weight_nonneg remainder_nonneg by(simp add: setsum_start_assign_aux min_def)
   991             also have "\<dots> = min weight (setsum ?f {start..<n})"
   992               by(simp add: setsum_head_upt_Suc)
   993             also have "\<dots> = min weight (setsum ?f {..<n})"
   994               by(intro arg_cong2[where f=min] setsum.mono_neutral_left) auto
   995             finally show "(\<Sum>z<n. ereal (?assign_aux z)) = \<dots>" .
   996           qed
   997           also have "\<dots> = min weight (SUP n. setsum ?f {..<n})"
   998             unfolding inf_min[symmetric] by(subst inf_SUP) simp
   999           also have "\<dots> = ?rhs"
  1000             by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP remainder_nonneg)
  1001           finally show ?thesis .
  1002         qed
  1003         moreover note calculation }
  1004       moreover note calculation }
  1005     note setsum_start_assign_aux = this(1)
  1006       and assign_aux_nonneg [simp] = this(2)
  1007       and assign_aux_eq_0_outside = this(3)
  1008       and nn_integral_assign_aux = this(4)
  1009     { fix y and remainder :: real and start target
  1010       have "setsum (rr y) {Suc start..<target} \<ge> 0" by(simp add: setsum_nonneg)
  1011       moreover assume "0 \<le> remainder"
  1012       ultimately have "assign_aux y remainder start 0 target = 0"
  1013         by(auto simp add: assign_aux_def min_def) }
  1014     note assign_aux_weight_0 [simp] = this
  1015 
  1016     def find_start \<equiv> "\<lambda>y weight. if \<exists>n. weight \<le> setsum (rr y)  {..n} then Some (LEAST n. weight \<le> setsum (rr y) {..n}) else None"
  1017     have find_start_eq_Some_above:
  1018       "\<And>y weight n. find_start y weight = Some n \<Longrightarrow> weight \<le> setsum (rr y) {..n}"
  1019       by(drule sym)(auto simp add: find_start_def split: split_if_asm intro: LeastI)
  1020     { fix y weight n
  1021       assume find_start: "find_start y weight = Some n"
  1022       and weight: "0 \<le> weight"
  1023       have "setsum (rr y) {..n} \<le> rr y n + weight"
  1024       proof(rule ccontr)
  1025         assume "\<not> ?thesis"
  1026         hence "rr y n + weight < setsum (rr y) {..n}" by simp
  1027         moreover with weight obtain n' where "n = Suc n'" by(cases n) auto
  1028         ultimately have "weight \<le> setsum (rr y) {..n'}" by simp
  1029         hence "(LEAST n. weight \<le> setsum (rr y) {..n}) \<le> n'" by(rule Least_le)
  1030         moreover from find_start have "n = (LEAST n. weight \<le> setsum (rr y) {..n})"
  1031           by(auto simp add: find_start_def split: split_if_asm)
  1032         ultimately show False using \<open>n = Suc n'\<close> by auto
  1033       qed }
  1034     note find_start_eq_Some_least = this
  1035     have find_start_0 [simp]: "\<And>y. find_start y 0 = Some 0"
  1036       by(auto simp add: find_start_def intro!: exI[where x=0])
  1037     { fix y and weight :: real
  1038       assume "weight < \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
  1039       also have "(\<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV) = (SUP n. \<Sum>z<n. ereal (rr y z))"
  1040         by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
  1041       finally obtain n where "weight < (\<Sum>z<n. rr y z)" by(auto simp add: less_SUP_iff)
  1042       hence "weight \<in> dom (find_start y)"
  1043         by(auto simp add: find_start_def)(meson atMost_iff finite_atMost lessThan_iff less_imp_le order_trans pos_r setsum_mono3 subsetI) }
  1044     note in_dom_find_startI = this
  1045     { fix y and w w' :: real and m
  1046       let ?m' = "LEAST m. w' \<le> setsum (rr y) {..m}"
  1047       assume "w' \<le> w"
  1048       also  assume "find_start y w = Some m"
  1049       hence "w \<le> setsum (rr y) {..m}" by(rule find_start_eq_Some_above)
  1050       finally have "find_start y w' = Some ?m'" by(auto simp add: find_start_def)
  1051       moreover from \<open>w' \<le> setsum (rr y) {..m}\<close> have "?m' \<le> m" by(rule Least_le)
  1052       ultimately have "\<exists>m'. find_start y w' = Some m' \<and> m' \<le> m" by blast }
  1053     note find_start_mono = this[rotated]
  1054 
  1055     def assign \<equiv> "\<lambda>y x z. let used = setsum (pp y) {..<x}
  1056       in case find_start y used of None \<Rightarrow> 0
  1057          | Some start \<Rightarrow> assign_aux y (setsum (rr y) {..start} - used) start (pp y x) z"
  1058     hence assign_alt_def: "\<And>y x z. assign y x z = 
  1059       (let used = setsum (pp y) {..<x}
  1060        in case find_start y used of None \<Rightarrow> 0
  1061           | Some start \<Rightarrow> assign_aux y (setsum (rr y) {..start} - used) start (pp y x) z)"
  1062       by simp
  1063     have assign_nonneg [simp]: "\<And>y x z. 0 \<le> assign y x z"
  1064       by(simp add: assign_def diff_le_iff find_start_eq_Some_above split: option.split)
  1065     have assign_eq_0_outside: "\<And>y x z. \<lbrakk> pp y x = 0 \<or> rr y z = 0 \<rbrakk> \<Longrightarrow> assign y x z = 0"
  1066       by(auto simp add: assign_def assign_aux_eq_0_outside diff_le_iff find_start_eq_Some_above find_start_eq_Some_least setsum_nonneg split: option.split)
  1067 
  1068     { fix y x z
  1069       have "(\<Sum>n<Suc x. assign y n z) =
  1070             (case find_start y (setsum (pp y) {..<x}) of None \<Rightarrow> rr y z
  1071              | Some m \<Rightarrow> if z < m then rr y z 
  1072                          else min (rr y z) (max 0 (setsum (pp y) {..<x} + pp y x - setsum (rr y) {..<z})))"
  1073         (is "?lhs x = ?rhs x")
  1074       proof(induction x)
  1075         case 0 thus ?case 
  1076           by(auto simp add: assign_def assign_aux_def setsum_head_upt_Suc atLeast0LessThan[symmetric] not_less field_simps max_def)
  1077       next
  1078         case (Suc x)
  1079         have "?lhs (Suc x) = ?lhs x + assign y (Suc x) z" by simp
  1080         also have "?lhs x = ?rhs x" by(rule Suc.IH)
  1081         also have "?rhs x + assign y (Suc x) z = ?rhs (Suc x)"
  1082         proof(cases "find_start y (setsum (pp y) {..<Suc x})")
  1083           case None
  1084           thus ?thesis
  1085             by(auto split: option.split simp add: assign_def min_def max_def diff_le_iff setsum_nonneg not_le field_simps)
  1086               (metis add.commute add_increasing find_start_def lessThan_Suc_atMost less_imp_le option.distinct(1) setsum_lessThan_Suc)+
  1087         next
  1088           case (Some m)
  1089           have [simp]: "setsum (rr y) {..m} = rr y m + setsum (rr y) {..<m}"
  1090             by(simp add: ivl_disj_un(2)[symmetric])
  1091           from Some obtain m' where m': "find_start y (setsum (pp y) {..<x}) = Some m'" "m' \<le> m"
  1092             by(auto dest: find_start_mono[where w'2="setsum (pp y) {..<x}"])
  1093           moreover {
  1094             assume "z < m"
  1095             then have "setsum (rr y) {..z} \<le> setsum (rr y) {..<m}"
  1096               by(auto intro: setsum_mono3)
  1097             also have "\<dots> \<le> setsum (pp y) {..<Suc x}" using find_start_eq_Some_least[OF Some]
  1098               by(simp add: ivl_disj_un(2)[symmetric] setsum_nonneg)
  1099             finally have "rr y z \<le> max 0 (setsum (pp y) {..<x} + pp y x - setsum (rr y) {..<z})"
  1100               by(auto simp add: ivl_disj_un(2)[symmetric] max_def diff_le_iff simp del: r_convs)
  1101           } moreover {
  1102             assume "m \<le> z"
  1103             have "setsum (pp y) {..<Suc x} \<le> setsum (rr y) {..m}"
  1104               using Some by(rule find_start_eq_Some_above)
  1105             also have "\<dots> \<le> setsum (rr y) {..<Suc z}" using \<open>m \<le> z\<close> by(intro setsum_mono3) auto
  1106             finally have "max 0 (setsum (pp y) {..<x} + pp y x - setsum (rr y) {..<z}) \<le> rr y z" by simp
  1107             moreover have "z \<noteq> m \<Longrightarrow> setsum (rr y) {..m} + setsum (rr y) {Suc m..<z} = setsum (rr y) {..<z}"
  1108               using \<open>m \<le> z\<close>
  1109               by(subst ivl_disj_un(8)[where l="Suc m", symmetric])
  1110                 (simp_all add: setsum_Un ivl_disj_un(2)[symmetric] setsum.neutral)
  1111             moreover note calculation
  1112           } moreover {
  1113             assume "m < z"
  1114             have "setsum (pp y) {..<Suc x} \<le> setsum (rr y) {..m}"
  1115               using Some by(rule find_start_eq_Some_above)
  1116             also have "\<dots> \<le> setsum (rr y) {..<z}" using \<open>m < z\<close> by(intro setsum_mono3) auto
  1117             finally have "max 0 (setsum (pp y) {..<Suc x} - setsum (rr y) {..<z}) = 0" by simp }
  1118           moreover have "setsum (pp y) {..<Suc x} \<ge> setsum (rr y) {..<m}"
  1119             using find_start_eq_Some_least[OF Some]
  1120             by(simp add: setsum_nonneg ivl_disj_un(2)[symmetric])
  1121           moreover hence "setsum (pp y) {..<Suc (Suc x)} \<ge> setsum (rr y) {..<m}"
  1122             by(fastforce intro: order_trans)
  1123           ultimately show ?thesis using Some
  1124             by(auto simp add: assign_def assign_aux_def Let_def field_simps max_def)
  1125         qed
  1126         finally show ?case .
  1127       qed }
  1128     note setsum_assign = this
  1129 
  1130     have nn_integral_assign1: "\<And>y z. (\<integral>\<^sup>+ x. assign y x z \<partial>count_space UNIV) = rr y z"
  1131     proof -
  1132       fix y z
  1133       have "(\<integral>\<^sup>+ x. assign y x z \<partial>count_space UNIV) = (SUP n. ereal (\<Sum>x<n. assign y x z))"
  1134         by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
  1135       also have "\<dots> = rr y z"
  1136       proof(rule antisym)
  1137         show "(SUP n. ereal (\<Sum>x<n. assign y x z)) \<le> rr y z"
  1138         proof(rule SUP_least)
  1139           fix n
  1140           show "ereal (\<Sum>x<n. (assign y x z)) \<le> rr y z"
  1141             using setsum_assign[of y z "n - 1"]
  1142             by(cases n)(simp_all split: option.split)
  1143         qed
  1144         show "rr y z \<le> (SUP n. ereal (\<Sum>x<n. assign y x z))"
  1145         proof(cases "setsum (rr y) {..z} < \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV")
  1146           case True
  1147           then obtain n where "setsum (rr y) {..z} < setsum (pp y) {..<n}"
  1148             by(auto simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP less_SUP_iff)
  1149           moreover have "\<And>k. k < z \<Longrightarrow> setsum (rr y) {..k} \<le> setsum (rr y) {..<z}"
  1150             by(auto intro: setsum_mono3)
  1151           ultimately have "rr y z \<le> (\<Sum>x<Suc n. assign y x z)"
  1152             by(subst setsum_assign)(auto split: option.split dest!: find_start_eq_Some_above simp add: ivl_disj_un(2)[symmetric] add.commute add_increasing le_diff_eq le_max_iff_disj)
  1153           also have "\<dots> \<le> (SUP n. ereal (\<Sum>x<n. assign y x z))" 
  1154             by(rule SUP_upper) simp
  1155           finally show ?thesis by simp
  1156         next
  1157           case False
  1158           have "setsum (rr y) {..z} = \<integral>\<^sup>+ z. rr y z \<partial>count_space {..z}"
  1159             by(simp add: nn_integral_count_space_finite max_def)
  1160           also have "\<dots> \<le> \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
  1161             by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_mono)
  1162           also have "\<dots> = \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV" by(simp add: eq)
  1163           finally have *: "setsum (rr y) {..z} = \<dots>" using False by simp
  1164           also have "\<dots> = (SUP n. ereal (\<Sum>x<n. pp y x))"
  1165             by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
  1166           also have "\<dots> \<le> (SUP n. ereal (\<Sum>x<n. assign y x z)) + setsum (rr y) {..<z}"
  1167           proof(rule SUP_least)
  1168             fix n
  1169             have "setsum (pp y) {..<n} = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..<n}"
  1170               by(simp add: nn_integral_count_space_finite max_def)
  1171             also have "\<dots> \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
  1172               by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_mono)
  1173             also have "\<dots> = setsum (rr y) {..z}" using * by simp
  1174             finally obtain k where k: "find_start y (setsum (pp y) {..<n}) = Some k"
  1175               by(fastforce simp add: find_start_def)
  1176             with \<open>ereal (setsum (pp y) {..<n}) \<le> setsum (rr y) {..z}\<close>
  1177             have "k \<le> z" by(auto simp add: find_start_def split: split_if_asm intro: Least_le)
  1178             then have "setsum (pp y) {..<n} - setsum (rr y) {..<z} \<le> ereal (\<Sum>x<Suc n. assign y x z)"
  1179               using \<open>ereal (setsum (pp y) {..<n}) \<le> setsum (rr y) {..z}\<close>
  1180               by(subst setsum_assign)(auto simp add: field_simps max_def k ivl_disj_un(2)[symmetric], metis le_add_same_cancel2 max.bounded_iff max_def pos_p)
  1181             also have "\<dots> \<le> (SUP n. ereal (\<Sum>x<n. assign y x z))"
  1182               by(rule SUP_upper) simp
  1183             finally show "ereal (\<Sum>x<n. pp y x) \<le> \<dots> + setsum (rr y) {..<z}" 
  1184               by(simp add: ereal_minus(1)[symmetric] ereal_minus_le del: ereal_minus(1))
  1185           qed
  1186           finally show ?thesis
  1187             by(simp add: ivl_disj_un(2)[symmetric] plus_ereal.simps(1)[symmetric] ereal_add_le_add_iff2 del: plus_ereal.simps(1))
  1188         qed
  1189       qed
  1190       finally show "?thesis y z" .
  1191     qed
  1192 
  1193     { fix y x
  1194       have "(\<integral>\<^sup>+ z. assign y x z \<partial>count_space UNIV) = pp y x"
  1195       proof(cases "setsum (pp y) {..<x} = \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV")
  1196         case False
  1197         let ?used = "setsum (pp y) {..<x}"
  1198         have "?used = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..<x}"
  1199           by(simp add: nn_integral_count_space_finite max_def)
  1200         also have "\<dots> \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
  1201           by(auto simp add: nn_integral_count_space_indicator indicator_def intro!: nn_integral_mono)
  1202         finally have "?used < \<dots>" using False by auto
  1203         also note eq finally have "?used \<in> dom (find_start y)" by(rule in_dom_find_startI)
  1204         then obtain k where k: "find_start y ?used = Some k" by auto
  1205         let ?f = "\<lambda>z. if z < k then 0 else if z = k then setsum (rr y) {..k} - ?used else rr y z"
  1206         let ?g = "\<lambda>x'. if x' < x then 0 else pp y x'"
  1207         have "pp y x = ?g x" by simp
  1208         also have "?g x \<le> \<integral>\<^sup>+ x'. ?g x' \<partial>count_space UNIV" by(rule nn_integral_ge_point) simp
  1209         also {
  1210           have "?used = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..<x}"
  1211             by(simp add: nn_integral_count_space_finite max_def)
  1212           also have "\<dots> = \<integral>\<^sup>+ x'. (if x' < x then pp y x' else 0) \<partial>count_space UNIV"
  1213             by(simp add: nn_integral_count_space_indicator indicator_def if_distrib zero_ereal_def cong: if_cong)
  1214           also have "(\<integral>\<^sup>+ x'. ?g x' \<partial>count_space UNIV) + \<dots> = \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
  1215             by(subst nn_integral_add[symmetric])(auto intro: nn_integral_cong)
  1216           also note calculation }
  1217         ultimately have "ereal (pp y x) + ?used \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
  1218           by (metis (no_types, lifting) ereal_add_mono order_refl)
  1219         also note eq
  1220         also have "(\<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV) = (\<integral>\<^sup>+ z. ?f z \<partial>count_space UNIV) + (\<integral>\<^sup>+ z. (if z < k then rr y z else if z = k then ?used - setsum (rr y) {..<k} else 0) \<partial>count_space UNIV)"
  1221           using k by(subst nn_integral_add[symmetric])(auto intro!: nn_integral_cong simp add: ivl_disj_un(2)[symmetric] setsum_nonneg dest: find_start_eq_Some_least find_start_eq_Some_above)
  1222         also have "(\<integral>\<^sup>+ z. (if z < k then rr y z else if z = k then ?used - setsum (rr y) {..<k} else 0) \<partial>count_space UNIV) =
  1223           (\<integral>\<^sup>+ z. (if z < k then rr y z else if z = k then ?used - setsum (rr y) {..<k} else 0) \<partial>count_space {..k})"
  1224           by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_cong)
  1225         also have "\<dots> = ?used" 
  1226           using k by(auto simp add: nn_integral_count_space_finite max_def ivl_disj_un(2)[symmetric] diff_le_iff setsum_nonneg dest: find_start_eq_Some_least)
  1227         finally have "pp y x \<le> (\<integral>\<^sup>+ z. ?f z \<partial>count_space UNIV)"
  1228           by(cases "\<integral>\<^sup>+ z. ?f z \<partial>count_space UNIV") simp_all
  1229         then show ?thesis using k
  1230           by(simp add: assign_def nn_integral_assign_aux diff_le_iff find_start_eq_Some_above min_def)
  1231       next
  1232         case True
  1233         have "setsum (pp y) {..x} = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..x}"
  1234           by(simp add: nn_integral_count_space_finite max_def)
  1235         also have "\<dots> \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
  1236           by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_mono)
  1237         also have "\<dots> = setsum (pp y) {..<x}" by(simp add: True)
  1238         finally have "pp y x = 0" by(simp add: ivl_disj_un(2)[symmetric] eq_iff del: pp_convs)
  1239         thus ?thesis
  1240           by(cases "find_start y (setsum (pp y) {..<x})")(simp_all add: assign_def diff_le_iff find_start_eq_Some_above)
  1241       qed }
  1242     note nn_integral_assign2 = this
  1243 
  1244     let ?f = "\<lambda>y x z. if x \<in> ?A y \<and> z \<in> ?B y then assign y (?P y x) (?R y z) else 0"
  1245     def f \<equiv> "\<lambda>y x z. ereal (?f y x z)"
  1246 
  1247     have pos: "\<And>y x z. 0 \<le> f y x z" by(simp add: f_def)
  1248     { fix y x z
  1249       have "f y x z \<le> 0 \<longleftrightarrow> f y x z = 0" using pos[of y x z] by simp }
  1250     note f [simp] = this
  1251     have support:
  1252       "\<And>x y z. (x, y) \<notin> set_pmf pq \<Longrightarrow> f y x z = 0"
  1253       "\<And>x y z. (y, z) \<notin> set_pmf qr \<Longrightarrow> f y x z = 0"
  1254       by(auto simp add: f_def)
  1255 
  1256     from pos support have support':
  1257       "\<And>x z. x \<notin> set_pmf p \<Longrightarrow> (\<integral>\<^sup>+ y. f y x z \<partial>count_space UNIV) = 0"
  1258       "\<And>x z. z \<notin> set_pmf r \<Longrightarrow> (\<integral>\<^sup>+ y. f y x z \<partial>count_space UNIV) = 0"
  1259     and support'':
  1260       "\<And>x y z. x \<notin> set_pmf p \<Longrightarrow> f y x z = 0"
  1261       "\<And>x y z. y \<notin> set_pmf q \<Longrightarrow> f y x z = 0"
  1262       "\<And>x y z. z \<notin> set_pmf r \<Longrightarrow> f y x z = 0"
  1263       by(auto simp add: nn_integral_0_iff_AE AE_count_space p q r set_map_pmf image_iff)(metis fst_conv snd_conv)+
  1264 
  1265     have f_x: "\<And>y z. (\<integral>\<^sup>+ x. f y x z \<partial>count_space (set_pmf p)) = pmf qr (y, z)"
  1266     proof(case_tac "z \<in> ?B y")
  1267       fix y z
  1268       assume z: "z \<in> ?B y"
  1269       have "(\<integral>\<^sup>+ x. f y x z \<partial>count_space (set_pmf p)) = (\<integral>\<^sup>+ x. ?f y x z \<partial>count_space (?A y))"
  1270         using support''(1)[of _ y z]
  1271         by(fastforce simp add: f_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
  1272       also have "\<dots> = \<integral>\<^sup>+ x. assign y (?P y x) (?R y z) \<partial>count_space (?A y)"
  1273         using z by(intro nn_integral_cong) simp
  1274       also have "\<dots> = \<integral>\<^sup>+ x. assign y x (?R y z) \<partial>count_space (?P y ` ?A y)"
  1275         by(intro nn_integral_bij_count_space inj_on_imp_bij_betw inj_on_to_nat_on) simp
  1276       also have "\<dots> = \<integral>\<^sup>+ x. assign y x (?R y z) \<partial>count_space UNIV"
  1277         by(auto simp add: nn_integral_count_space_indicator indicator_def assign_eq_0_outside pp_def intro!: nn_integral_cong)
  1278       also have "\<dots> = rr y (?R y z)" by(rule nn_integral_assign1)
  1279       also have "\<dots> = pmf qr (y, z)" using z by(simp add: rr_def)
  1280       finally show "?thesis y z" .
  1281     qed(auto simp add: f_def zero_ereal_def[symmetric] set_pmf_iff)
  1282 
  1283     have f_z: "\<And>x y. (\<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r)) = pmf pq (x, y)"
  1284     proof(case_tac "x \<in> ?A y")
  1285       fix x y
  1286       assume x: "x \<in> ?A y"
  1287       have "(\<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r)) = (\<integral>\<^sup>+ z. ?f y x z \<partial>count_space (?B y))"
  1288         using support''(3)[of _ y x]
  1289         by(fastforce simp add: f_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
  1290       also have "\<dots> = \<integral>\<^sup>+ z. assign y (?P y x) (?R y z) \<partial>count_space (?B y)"
  1291         using x by(intro nn_integral_cong) simp
  1292       also have "\<dots> = \<integral>\<^sup>+ z. assign y (?P y x) z \<partial>count_space (?R y ` ?B y)"
  1293         by(intro nn_integral_bij_count_space inj_on_imp_bij_betw inj_on_to_nat_on) simp
  1294       also have "\<dots> = \<integral>\<^sup>+ z. assign y (?P y x) z \<partial>count_space UNIV"
  1295         by(auto simp add: nn_integral_count_space_indicator indicator_def assign_eq_0_outside rr_def intro!: nn_integral_cong)
  1296       also have "\<dots> = pp y (?P y x)" by(rule nn_integral_assign2)
  1297       also have "\<dots> = pmf pq (x, y)" using x by(simp add: pp_def)
  1298       finally show "?thesis x y" .
  1299     qed(auto simp add: f_def zero_ereal_def[symmetric] set_pmf_iff)
  1300 
  1301     let ?pr = "\<lambda>(x, z). \<integral>\<^sup>+ y. f y x z \<partial>count_space UNIV"
  1302 
  1303     have pr_pos: "\<And>xz. 0 \<le> ?pr xz"
  1304       by(auto simp add: nn_integral_nonneg)
  1305 
  1306     have pr': "?pr = (\<lambda>(x, z). \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q))"
  1307       by(auto simp add: fun_eq_iff nn_integral_count_space_indicator indicator_def support'' intro: nn_integral_cong)
  1308     
  1309     have "(\<integral>\<^sup>+ xz. ?pr xz \<partial>count_space UNIV) = (\<integral>\<^sup>+ xz. ?pr xz * indicator (set_pmf p \<times> set_pmf r) xz \<partial>count_space UNIV)"
  1310       by(rule nn_integral_cong)(auto simp add: indicator_def support' intro: ccontr)
  1311     also have "\<dots> = (\<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (set_pmf p \<times> set_pmf r))"
  1312       by(simp add: nn_integral_count_space_indicator)
  1313     also have "\<dots> = (\<integral>\<^sup>+ xz. ?pr xz \<partial>(count_space (set_pmf p) \<Otimes>\<^sub>M count_space (set_pmf r)))"
  1314       by(simp add: pair_measure_countable)
  1315     also have "\<dots> = (\<integral>\<^sup>+ (x, z). \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>(count_space (set_pmf p) \<Otimes>\<^sub>M count_space (set_pmf r)))"
  1316       by(simp add: pr')
  1317     also have "\<dots> = (\<integral>\<^sup>+ x. \<integral>\<^sup>+ z. \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf r) \<partial>count_space (set_pmf p))"
  1318       by(subst sigma_finite_measure.nn_integral_fst[symmetric, OF sigma_finite_measure_count_space_countable])(simp_all add: pair_measure_countable)
  1319     also have "\<dots> = (\<integral>\<^sup>+ x. \<integral>\<^sup>+ y. \<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r) \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf p))"
  1320       by(subst (2) pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
  1321     also have "\<dots> = (\<integral>\<^sup>+ x. \<integral>\<^sup>+ y. pmf pq (x, y) \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf p))"
  1322       by(simp add: f_z)
  1323     also have "\<dots> = (\<integral>\<^sup>+ y. \<integral>\<^sup>+ x. pmf pq (x, y) \<partial>count_space (set_pmf p) \<partial>count_space (set_pmf q))"
  1324       by(subst pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
  1325     also have "\<dots> = (\<integral>\<^sup>+ y. \<integral>\<^sup>+ x. emeasure (measure_pmf pq) {(x, y)} \<partial>count_space (set_pmf p) \<partial>count_space (set_pmf q))"
  1326       by(simp add: emeasure_pmf_single)
  1327     also have "\<dots> = (\<integral>\<^sup>+ y. emeasure (measure_pmf pq) (\<Union>x\<in>set_pmf p. {(x, y)}) \<partial>count_space (set_pmf q))"
  1328       by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
  1329     also have "\<dots> = (\<integral>\<^sup>+ y. emeasure (measure_pmf pq) ((\<Union>x\<in>set_pmf p. {(x, y)}) \<union> {(x, y'). x \<notin> set_pmf p \<and> y' = y}) \<partial>count_space (set_pmf q))"
  1330       by(rule nn_integral_cong emeasure_Un_null_set[symmetric])+
  1331         (auto simp add: p set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
  1332     also have "\<dots> = (\<integral>\<^sup>+ y. emeasure (measure_pmf pq) (snd -` {y}) \<partial>count_space (set_pmf q))"
  1333       by(rule nn_integral_cong arg_cong2[where f=emeasure])+auto
  1334     also have "\<dots> = (\<integral>\<^sup>+ y. pmf q y \<partial>count_space (set_pmf q))"
  1335       by(simp add: ereal_pmf_map q)
  1336     also have "\<dots> = (\<integral>\<^sup>+ y. pmf q y \<partial>count_space UNIV)"
  1337       by(auto simp add: nn_integral_count_space_indicator indicator_def set_pmf_iff intro: nn_integral_cong)
  1338     also have "\<dots> = 1"
  1339       by(subst nn_integral_pmf)(simp add: measure_pmf.emeasure_eq_1_AE)
  1340     finally have pr_prob: "(\<integral>\<^sup>+ xz. ?pr xz \<partial>count_space UNIV) = 1" .
  1341 
  1342     have pr_bounded: "\<And>xz. ?pr xz \<noteq> \<infinity>"
  1343     proof -
  1344       fix xz
  1345       have "?pr xz \<le> \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space UNIV"
  1346         by(rule nn_integral_ge_point) simp
  1347       also have "\<dots> = 1" by(fact pr_prob)
  1348       finally show "?thesis xz" by auto
  1349     qed
  1350 
  1351     def pr \<equiv> "embed_pmf (real \<circ> ?pr)"
  1352     have pmf_pr: "\<And>xz. pmf pr xz = real (?pr xz)" using pr_pos pr_prob
  1353       unfolding pr_def by(subst pmf_embed_pmf)(auto simp add: real_of_ereal_pos ereal_real pr_bounded)
  1354 
  1355     have set_pmf_pr_subset: "set_pmf pr \<subseteq> set_pmf pq O set_pmf qr"
  1356     proof
  1357       fix xz :: "'a \<times> 'c"
  1358       obtain x z where xz: "xz = (x, z)" by(cases xz)
  1359       assume "xz \<in> set_pmf pr"
  1360       with xz have "pmf pr (x, z) \<noteq> 0" by(simp add: set_pmf_iff)
  1361       hence "\<exists>y. f y x z \<noteq> 0" by(rule contrapos_np)(simp add: pmf_pr)
  1362       then obtain y where y: "f y x z \<noteq> 0" ..
  1363       then have "(x, y) \<in> set_pmf pq" "(y, z) \<in> set_pmf qr" 
  1364         using support by fastforce+
  1365       then show "xz \<in> set_pmf pq O set_pmf qr" using xz by auto
  1366     qed
  1367     hence "\<And>x z. (x, z) \<in> set_pmf pr \<Longrightarrow> (R OO S) x z" using pq qr by blast
  1368     moreover
  1369     have "map_pmf fst pr = p"
  1370     proof(rule pmf_eqI)
  1371       fix x
  1372       have "pmf (map_pmf fst pr) x = emeasure (measure_pmf pr) (fst -` {x})"
  1373         by(simp add: ereal_pmf_map)
  1374       also have "\<dots> = \<integral>\<^sup>+ xz. pmf pr xz \<partial>count_space (fst -` {x})"
  1375         by(simp add: nn_integral_pmf)
  1376       also have "\<dots> = \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (fst -` {x})"
  1377         by(simp add: pmf_pr ereal_real pr_bounded pr_pos)
  1378       also have "\<dots> =  \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space {x} \<Otimes>\<^sub>M count_space (set_pmf r)"
  1379         by(auto simp add: nn_integral_count_space_indicator indicator_def support' pair_measure_countable intro!: nn_integral_cong)
  1380       also have "\<dots> = \<integral>\<^sup>+ z. \<integral>\<^sup>+ x. ?pr (x, z) \<partial>count_space {x} \<partial>count_space (set_pmf r)"
  1381         by(subst pair_sigma_finite.nn_integral_snd[symmetric])(simp_all add: pair_measure_countable pair_sigma_finite.intro sigma_finite_measure_count_space_countable)
  1382       also have "\<dots> = \<integral>\<^sup>+ z. ?pr (x, z) \<partial>count_space (set_pmf r)"
  1383         using pr_pos by(clarsimp simp add: nn_integral_count_space_finite max_def)
  1384       also have "\<dots> = \<integral>\<^sup>+ z. \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf r)"
  1385         by(simp add: pr')
  1386       also have "\<dots> =  \<integral>\<^sup>+ y. \<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r) \<partial>count_space (set_pmf q)"
  1387         by(subst pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
  1388       also have "\<dots> = \<integral>\<^sup>+ y. pmf pq (x, y) \<partial>count_space (set_pmf q)"
  1389         by(simp add: f_z)
  1390       also have "\<dots> = \<integral>\<^sup>+ y. emeasure (measure_pmf pq) {(x, y)} \<partial>count_space (set_pmf q)"
  1391         by(simp add: emeasure_pmf_single)
  1392       also have "\<dots> = emeasure (measure_pmf pq) (\<Union>y\<in>set_pmf q. {(x, y)})"
  1393         by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
  1394       also have "\<dots> = emeasure (measure_pmf pq) ((\<Union>y\<in>set_pmf q. {(x, y)}) \<union> {(x', y). y \<notin> set_pmf q \<and> x' = x})"
  1395         by(rule emeasure_Un_null_set[symmetric])+
  1396           (auto simp add: q set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
  1397       also have "\<dots> = emeasure (measure_pmf pq) (fst -` {x})"
  1398         by(rule arg_cong2[where f=emeasure])+auto
  1399       also have "\<dots> = pmf p x" by(simp add: ereal_pmf_map p)
  1400       finally show "pmf (map_pmf fst pr) x = pmf p x" by simp
  1401     qed
  1402     moreover
  1403     have "map_pmf snd pr = r"
  1404     proof(rule pmf_eqI)
  1405       fix z
  1406       have "pmf (map_pmf snd pr) z = emeasure (measure_pmf pr) (snd -` {z})"
  1407         by(simp add: ereal_pmf_map)
  1408       also have "\<dots> = \<integral>\<^sup>+ xz. pmf pr xz \<partial>count_space (snd -` {z})"
  1409         by(simp add: nn_integral_pmf)
  1410       also have "\<dots> = \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (snd -` {z})"
  1411         by(simp add: pmf_pr ereal_real pr_bounded pr_pos)
  1412       also have "\<dots> =  \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (set_pmf p) \<Otimes>\<^sub>M count_space {z}"
  1413         by(auto simp add: nn_integral_count_space_indicator indicator_def support' pair_measure_countable intro!: nn_integral_cong)
  1414       also have "\<dots> = \<integral>\<^sup>+ x. \<integral>\<^sup>+ z. ?pr (x, z) \<partial>count_space {z} \<partial>count_space (set_pmf p)"
  1415         by(subst sigma_finite_measure.nn_integral_fst[symmetric])(simp_all add: pair_measure_countable sigma_finite_measure_count_space_countable)
  1416       also have "\<dots> = \<integral>\<^sup>+ x. ?pr (x, z) \<partial>count_space (set_pmf p)"
  1417         using pr_pos by(clarsimp simp add: nn_integral_count_space_finite max_def)
  1418       also have "\<dots> = \<integral>\<^sup>+ x. \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf p)"
  1419         by(simp add: pr')
  1420       also have "\<dots> =  \<integral>\<^sup>+ y. \<integral>\<^sup>+ x. f y x z \<partial>count_space (set_pmf p) \<partial>count_space (set_pmf q)"
  1421         by(subst pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
  1422       also have "\<dots> = \<integral>\<^sup>+ y. pmf qr (y, z) \<partial>count_space (set_pmf q)"
  1423         by(simp add: f_x)
  1424       also have "\<dots> = \<integral>\<^sup>+ y. emeasure (measure_pmf qr) {(y, z)} \<partial>count_space (set_pmf q)"
  1425         by(simp add: emeasure_pmf_single)
  1426       also have "\<dots> = emeasure (measure_pmf qr) (\<Union>y\<in>set_pmf q. {(y, z)})"
  1427         by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
  1428       also have "\<dots> = emeasure (measure_pmf qr) ((\<Union>y\<in>set_pmf q. {(y, z)}) \<union> {(y, z'). y \<notin> set_pmf q \<and> z' = z})"
  1429         by(rule emeasure_Un_null_set[symmetric])+
  1430           (auto simp add: q' set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
  1431       also have "\<dots> = emeasure (measure_pmf qr) (snd -` {z})"
  1432         by(rule arg_cong2[where f=emeasure])+auto
  1433       also have "\<dots> = pmf r z" by(simp add: ereal_pmf_map r)
  1434       finally show "pmf (map_pmf snd pr) z = pmf r z" by simp
  1435     qed
  1436     ultimately have "rel_pmf (R OO S) p r" .. }
  1437   then show "rel_pmf R OO rel_pmf S \<le> rel_pmf (R OO S)"
  1438     by(auto simp add: le_fun_def)
  1439 qed (fact natLeq_card_order natLeq_cinfinite)+
  1440 
  1441 end
  1442