src/HOL/Library/RBT_Impl.thy
author blanchet
Fri Feb 21 00:09:56 2014 +0100 (2014-02-21)
changeset 55642 63beb38e9258
parent 55466 786edc984c98
child 57512 cc97b347b301
permissions -rw-r--r--
adapted to renaming of datatype 'cases' and 'recs' to 'case' and 'rec'
     1 (*  Title:      HOL/Library/RBT_Impl.thy
     2     Author:     Markus Reiter, TU Muenchen
     3     Author:     Alexander Krauss, TU Muenchen
     4 *)
     5 
     6 header {* Implementation of Red-Black Trees *}
     7 
     8 theory RBT_Impl
     9 imports Main
    10 begin
    11 
    12 text {*
    13   For applications, you should use theory @{text RBT} which defines
    14   an abstract type of red-black tree obeying the invariant.
    15 *}
    16 
    17 subsection {* Datatype of RB trees *}
    18 
    19 datatype color = R | B
    20 datatype ('a, 'b) rbt = Empty | Branch color "('a, 'b) rbt" 'a 'b "('a, 'b) rbt"
    21 
    22 lemma rbt_cases:
    23   obtains (Empty) "t = Empty" 
    24   | (Red) l k v r where "t = Branch R l k v r" 
    25   | (Black) l k v r where "t = Branch B l k v r"
    26 proof (cases t)
    27   case Empty with that show thesis by blast
    28 next
    29   case (Branch c) with that show thesis by (cases c) blast+
    30 qed
    31 
    32 subsection {* Tree properties *}
    33 
    34 subsubsection {* Content of a tree *}
    35 
    36 primrec entries :: "('a, 'b) rbt \<Rightarrow> ('a \<times> 'b) list"
    37 where 
    38   "entries Empty = []"
    39 | "entries (Branch _ l k v r) = entries l @ (k,v) # entries r"
    40 
    41 abbreviation (input) entry_in_tree :: "'a \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
    42 where
    43   "entry_in_tree k v t \<equiv> (k, v) \<in> set (entries t)"
    44 
    45 definition keys :: "('a, 'b) rbt \<Rightarrow> 'a list" where
    46   "keys t = map fst (entries t)"
    47 
    48 lemma keys_simps [simp, code]:
    49   "keys Empty = []"
    50   "keys (Branch c l k v r) = keys l @ k # keys r"
    51   by (simp_all add: keys_def)
    52 
    53 lemma entry_in_tree_keys:
    54   assumes "(k, v) \<in> set (entries t)"
    55   shows "k \<in> set (keys t)"
    56 proof -
    57   from assms have "fst (k, v) \<in> fst ` set (entries t)" by (rule imageI)
    58   then show ?thesis by (simp add: keys_def)
    59 qed
    60 
    61 lemma keys_entries:
    62   "k \<in> set (keys t) \<longleftrightarrow> (\<exists>v. (k, v) \<in> set (entries t))"
    63   by (auto intro: entry_in_tree_keys) (auto simp add: keys_def)
    64 
    65 lemma non_empty_rbt_keys: 
    66   "t \<noteq> rbt.Empty \<Longrightarrow> keys t \<noteq> []"
    67   by (cases t) simp_all
    68 
    69 subsubsection {* Search tree properties *}
    70 
    71 context ord begin
    72 
    73 definition rbt_less :: "'a \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"
    74 where
    75   rbt_less_prop: "rbt_less k t \<longleftrightarrow> (\<forall>x\<in>set (keys t). x < k)"
    76 
    77 abbreviation rbt_less_symbol (infix "|\<guillemotleft>" 50)
    78 where "t |\<guillemotleft> x \<equiv> rbt_less x t"
    79 
    80 definition rbt_greater :: "'a \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool" (infix "\<guillemotleft>|" 50) 
    81 where
    82   rbt_greater_prop: "rbt_greater k t = (\<forall>x\<in>set (keys t). k < x)"
    83 
    84 lemma rbt_less_simps [simp]:
    85   "Empty |\<guillemotleft> k = True"
    86   "Branch c lt kt v rt |\<guillemotleft> k \<longleftrightarrow> kt < k \<and> lt |\<guillemotleft> k \<and> rt |\<guillemotleft> k"
    87   by (auto simp add: rbt_less_prop)
    88 
    89 lemma rbt_greater_simps [simp]:
    90   "k \<guillemotleft>| Empty = True"
    91   "k \<guillemotleft>| (Branch c lt kt v rt) \<longleftrightarrow> k < kt \<and> k \<guillemotleft>| lt \<and> k \<guillemotleft>| rt"
    92   by (auto simp add: rbt_greater_prop)
    93 
    94 lemmas rbt_ord_props = rbt_less_prop rbt_greater_prop
    95 
    96 lemmas rbt_greater_nit = rbt_greater_prop entry_in_tree_keys
    97 lemmas rbt_less_nit = rbt_less_prop entry_in_tree_keys
    98 
    99 lemma (in order)
   100   shows rbt_less_eq_trans: "l |\<guillemotleft> u \<Longrightarrow> u \<le> v \<Longrightarrow> l |\<guillemotleft> v"
   101   and rbt_less_trans: "t |\<guillemotleft> x \<Longrightarrow> x < y \<Longrightarrow> t |\<guillemotleft> y"
   102   and rbt_greater_eq_trans: "u \<le> v \<Longrightarrow> v \<guillemotleft>| r \<Longrightarrow> u \<guillemotleft>| r"
   103   and rbt_greater_trans: "x < y \<Longrightarrow> y \<guillemotleft>| t \<Longrightarrow> x \<guillemotleft>| t"
   104   by (auto simp: rbt_ord_props)
   105 
   106 primrec rbt_sorted :: "('a, 'b) rbt \<Rightarrow> bool"
   107 where
   108   "rbt_sorted Empty = True"
   109 | "rbt_sorted (Branch c l k v r) = (l |\<guillemotleft> k \<and> k \<guillemotleft>| r \<and> rbt_sorted l \<and> rbt_sorted r)"
   110 
   111 end
   112 
   113 context linorder begin
   114 
   115 lemma rbt_sorted_entries:
   116   "rbt_sorted t \<Longrightarrow> List.sorted (map fst (entries t))"
   117 by (induct t) 
   118   (force simp: sorted_append sorted_Cons rbt_ord_props 
   119       dest!: entry_in_tree_keys)+
   120 
   121 lemma distinct_entries:
   122   "rbt_sorted t \<Longrightarrow> distinct (map fst (entries t))"
   123 by (induct t) 
   124   (force simp: sorted_append sorted_Cons rbt_ord_props 
   125       dest!: entry_in_tree_keys)+
   126 
   127 lemma distinct_keys:
   128   "rbt_sorted t \<Longrightarrow> distinct (keys t)"
   129   by (simp add: distinct_entries keys_def)
   130 
   131 
   132 subsubsection {* Tree lookup *}
   133 
   134 primrec (in ord) rbt_lookup :: "('a, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"
   135 where
   136   "rbt_lookup Empty k = None"
   137 | "rbt_lookup (Branch _ l x y r) k = 
   138    (if k < x then rbt_lookup l k else if x < k then rbt_lookup r k else Some y)"
   139 
   140 lemma rbt_lookup_keys: "rbt_sorted t \<Longrightarrow> dom (rbt_lookup t) = set (keys t)"
   141   by (induct t) (auto simp: dom_def rbt_greater_prop rbt_less_prop)
   142 
   143 lemma dom_rbt_lookup_Branch: 
   144   "rbt_sorted (Branch c t1 k v t2) \<Longrightarrow> 
   145     dom (rbt_lookup (Branch c t1 k v t2)) 
   146     = Set.insert k (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2))"
   147 proof -
   148   assume "rbt_sorted (Branch c t1 k v t2)"
   149   then show ?thesis by (simp add: rbt_lookup_keys)
   150 qed
   151 
   152 lemma finite_dom_rbt_lookup [simp, intro!]: "finite (dom (rbt_lookup t))"
   153 proof (induct t)
   154   case Empty then show ?case by simp
   155 next
   156   case (Branch color t1 a b t2)
   157   let ?A = "Set.insert a (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2))"
   158   have "dom (rbt_lookup (Branch color t1 a b t2)) \<subseteq> ?A" by (auto split: split_if_asm)
   159   moreover from Branch have "finite (insert a (dom (rbt_lookup t1) \<union> dom (rbt_lookup t2)))" by simp
   160   ultimately show ?case by (rule finite_subset)
   161 qed 
   162 
   163 end
   164 
   165 context ord begin
   166 
   167 lemma rbt_lookup_rbt_less[simp]: "t |\<guillemotleft> k \<Longrightarrow> rbt_lookup t k = None" 
   168 by (induct t) auto
   169 
   170 lemma rbt_lookup_rbt_greater[simp]: "k \<guillemotleft>| t \<Longrightarrow> rbt_lookup t k = None"
   171 by (induct t) auto
   172 
   173 lemma rbt_lookup_Empty: "rbt_lookup Empty = empty"
   174 by (rule ext) simp
   175 
   176 end
   177 
   178 context linorder begin
   179 
   180 lemma map_of_entries:
   181   "rbt_sorted t \<Longrightarrow> map_of (entries t) = rbt_lookup t"
   182 proof (induct t)
   183   case Empty thus ?case by (simp add: rbt_lookup_Empty)
   184 next
   185   case (Branch c t1 k v t2)
   186   have "rbt_lookup (Branch c t1 k v t2) = rbt_lookup t2 ++ [k\<mapsto>v] ++ rbt_lookup t1"
   187   proof (rule ext)
   188     fix x
   189     from Branch have RBT_SORTED: "rbt_sorted (Branch c t1 k v t2)" by simp
   190     let ?thesis = "rbt_lookup (Branch c t1 k v t2) x = (rbt_lookup t2 ++ [k \<mapsto> v] ++ rbt_lookup t1) x"
   191 
   192     have DOM_T1: "!!k'. k'\<in>dom (rbt_lookup t1) \<Longrightarrow> k>k'"
   193     proof -
   194       fix k'
   195       from RBT_SORTED have "t1 |\<guillemotleft> k" by simp
   196       with rbt_less_prop have "\<forall>k'\<in>set (keys t1). k>k'" by auto
   197       moreover assume "k'\<in>dom (rbt_lookup t1)"
   198       ultimately show "k>k'" using rbt_lookup_keys RBT_SORTED by auto
   199     qed
   200     
   201     have DOM_T2: "!!k'. k'\<in>dom (rbt_lookup t2) \<Longrightarrow> k<k'"
   202     proof -
   203       fix k'
   204       from RBT_SORTED have "k \<guillemotleft>| t2" by simp
   205       with rbt_greater_prop have "\<forall>k'\<in>set (keys t2). k<k'" by auto
   206       moreover assume "k'\<in>dom (rbt_lookup t2)"
   207       ultimately show "k<k'" using rbt_lookup_keys RBT_SORTED by auto
   208     qed
   209     
   210     {
   211       assume C: "x<k"
   212       hence "rbt_lookup (Branch c t1 k v t2) x = rbt_lookup t1 x" by simp
   213       moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
   214       moreover have "x \<notin> dom (rbt_lookup t2)"
   215       proof
   216         assume "x \<in> dom (rbt_lookup t2)"
   217         with DOM_T2 have "k<x" by blast
   218         with C show False by simp
   219       qed
   220       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   221     } moreover {
   222       assume [simp]: "x=k"
   223       hence "rbt_lookup (Branch c t1 k v t2) x = [k \<mapsto> v] x" by simp
   224       moreover have "x \<notin> dom (rbt_lookup t1)" 
   225       proof
   226         assume "x \<in> dom (rbt_lookup t1)"
   227         with DOM_T1 have "k>x" by blast
   228         thus False by simp
   229       qed
   230       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   231     } moreover {
   232       assume C: "x>k"
   233       hence "rbt_lookup (Branch c t1 k v t2) x = rbt_lookup t2 x" by (simp add: less_not_sym[of k x])
   234       moreover from C have "x\<notin>dom [k\<mapsto>v]" by simp
   235       moreover have "x\<notin>dom (rbt_lookup t1)" proof
   236         assume "x\<in>dom (rbt_lookup t1)"
   237         with DOM_T1 have "k>x" by simp
   238         with C show False by simp
   239       qed
   240       ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
   241     } ultimately show ?thesis using less_linear by blast
   242   qed
   243   also from Branch 
   244   have "rbt_lookup t2 ++ [k \<mapsto> v] ++ rbt_lookup t1 = map_of (entries (Branch c t1 k v t2))" by simp
   245   finally show ?case by simp
   246 qed
   247 
   248 lemma rbt_lookup_in_tree: "rbt_sorted t \<Longrightarrow> rbt_lookup t k = Some v \<longleftrightarrow> (k, v) \<in> set (entries t)"
   249   by (simp add: map_of_entries [symmetric] distinct_entries)
   250 
   251 lemma set_entries_inject:
   252   assumes rbt_sorted: "rbt_sorted t1" "rbt_sorted t2" 
   253   shows "set (entries t1) = set (entries t2) \<longleftrightarrow> entries t1 = entries t2"
   254 proof -
   255   from rbt_sorted have "distinct (map fst (entries t1))"
   256     "distinct (map fst (entries t2))"
   257     by (auto intro: distinct_entries)
   258   with rbt_sorted show ?thesis
   259     by (auto intro: map_sorted_distinct_set_unique rbt_sorted_entries simp add: distinct_map)
   260 qed
   261 
   262 lemma entries_eqI:
   263   assumes rbt_sorted: "rbt_sorted t1" "rbt_sorted t2" 
   264   assumes rbt_lookup: "rbt_lookup t1 = rbt_lookup t2"
   265   shows "entries t1 = entries t2"
   266 proof -
   267   from rbt_sorted rbt_lookup have "map_of (entries t1) = map_of (entries t2)"
   268     by (simp add: map_of_entries)
   269   with rbt_sorted have "set (entries t1) = set (entries t2)"
   270     by (simp add: map_of_inject_set distinct_entries)
   271   with rbt_sorted show ?thesis by (simp add: set_entries_inject)
   272 qed
   273 
   274 lemma entries_rbt_lookup:
   275   assumes "rbt_sorted t1" "rbt_sorted t2" 
   276   shows "entries t1 = entries t2 \<longleftrightarrow> rbt_lookup t1 = rbt_lookup t2"
   277   using assms by (auto intro: entries_eqI simp add: map_of_entries [symmetric])
   278 
   279 lemma rbt_lookup_from_in_tree: 
   280   assumes "rbt_sorted t1" "rbt_sorted t2" 
   281   and "\<And>v. (k, v) \<in> set (entries t1) \<longleftrightarrow> (k, v) \<in> set (entries t2)" 
   282   shows "rbt_lookup t1 k = rbt_lookup t2 k"
   283 proof -
   284   from assms have "k \<in> dom (rbt_lookup t1) \<longleftrightarrow> k \<in> dom (rbt_lookup t2)"
   285     by (simp add: keys_entries rbt_lookup_keys)
   286   with assms show ?thesis by (auto simp add: rbt_lookup_in_tree [symmetric])
   287 qed
   288 
   289 end
   290 
   291 subsubsection {* Red-black properties *}
   292 
   293 primrec color_of :: "('a, 'b) rbt \<Rightarrow> color"
   294 where
   295   "color_of Empty = B"
   296 | "color_of (Branch c _ _ _ _) = c"
   297 
   298 primrec bheight :: "('a,'b) rbt \<Rightarrow> nat"
   299 where
   300   "bheight Empty = 0"
   301 | "bheight (Branch c lt k v rt) = (if c = B then Suc (bheight lt) else bheight lt)"
   302 
   303 primrec inv1 :: "('a, 'b) rbt \<Rightarrow> bool"
   304 where
   305   "inv1 Empty = True"
   306 | "inv1 (Branch c lt k v rt) \<longleftrightarrow> inv1 lt \<and> inv1 rt \<and> (c = B \<or> color_of lt = B \<and> color_of rt = B)"
   307 
   308 primrec inv1l :: "('a, 'b) rbt \<Rightarrow> bool" -- {* Weaker version *}
   309 where
   310   "inv1l Empty = True"
   311 | "inv1l (Branch c l k v r) = (inv1 l \<and> inv1 r)"
   312 lemma [simp]: "inv1 t \<Longrightarrow> inv1l t" by (cases t) simp+
   313 
   314 primrec inv2 :: "('a, 'b) rbt \<Rightarrow> bool"
   315 where
   316   "inv2 Empty = True"
   317 | "inv2 (Branch c lt k v rt) = (inv2 lt \<and> inv2 rt \<and> bheight lt = bheight rt)"
   318 
   319 context ord begin
   320 
   321 definition is_rbt :: "('a, 'b) rbt \<Rightarrow> bool" where
   322   "is_rbt t \<longleftrightarrow> inv1 t \<and> inv2 t \<and> color_of t = B \<and> rbt_sorted t"
   323 
   324 lemma is_rbt_rbt_sorted [simp]:
   325   "is_rbt t \<Longrightarrow> rbt_sorted t" by (simp add: is_rbt_def)
   326 
   327 theorem Empty_is_rbt [simp]:
   328   "is_rbt Empty" by (simp add: is_rbt_def)
   329 
   330 end
   331 
   332 subsection {* Insertion *}
   333 
   334 fun (* slow, due to massive case splitting *)
   335   balance :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   336 where
   337   "balance (Branch R a w x b) s t (Branch R c y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   338   "balance (Branch R (Branch R a w x b) s t c) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   339   "balance (Branch R a w x (Branch R b s t c)) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   340   "balance a w x (Branch R b s t (Branch R c y z d)) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   341   "balance a w x (Branch R (Branch R b s t c) y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
   342   "balance a s t b = Branch B a s t b"
   343 
   344 lemma balance_inv1: "\<lbrakk>inv1l l; inv1l r\<rbrakk> \<Longrightarrow> inv1 (balance l k v r)" 
   345   by (induct l k v r rule: balance.induct) auto
   346 
   347 lemma balance_bheight: "bheight l = bheight r \<Longrightarrow> bheight (balance l k v r) = Suc (bheight l)"
   348   by (induct l k v r rule: balance.induct) auto
   349 
   350 lemma balance_inv2: 
   351   assumes "inv2 l" "inv2 r" "bheight l = bheight r"
   352   shows "inv2 (balance l k v r)"
   353   using assms
   354   by (induct l k v r rule: balance.induct) auto
   355 
   356 context ord begin
   357 
   358 lemma balance_rbt_greater[simp]: "(v \<guillemotleft>| balance a k x b) = (v \<guillemotleft>| a \<and> v \<guillemotleft>| b \<and> v < k)" 
   359   by (induct a k x b rule: balance.induct) auto
   360 
   361 lemma balance_rbt_less[simp]: "(balance a k x b |\<guillemotleft> v) = (a |\<guillemotleft> v \<and> b |\<guillemotleft> v \<and> k < v)"
   362   by (induct a k x b rule: balance.induct) auto
   363 
   364 end
   365 
   366 lemma (in linorder) balance_rbt_sorted: 
   367   fixes k :: "'a"
   368   assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   369   shows "rbt_sorted (balance l k v r)"
   370 using assms proof (induct l k v r rule: balance.induct)
   371   case ("2_2" a x w b y t c z s va vb vd vc)
   372   hence "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" 
   373     by (auto simp add: rbt_ord_props)
   374   hence "y \<guillemotleft>| (Branch B va vb vd vc)" by (blast dest: rbt_greater_trans)
   375   with "2_2" show ?case by simp
   376 next
   377   case ("3_2" va vb vd vc x w b y s c z)
   378   from "3_2" have "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" 
   379     by simp
   380   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   381   with "3_2" show ?case by simp
   382 next
   383   case ("3_3" x w b y s c z t va vb vd vc)
   384   from "3_3" have "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" by simp
   385   hence "y \<guillemotleft>| Branch B va vb vd vc" by (blast dest: rbt_greater_trans)
   386   with "3_3" show ?case by simp
   387 next
   388   case ("3_4" vd ve vg vf x w b y s c z t va vb vii vc)
   389   hence "x < y \<and> Branch B vd ve vg vf |\<guillemotleft> x" by simp
   390   hence 1: "Branch B vd ve vg vf |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   391   from "3_4" have "y < z \<and> z \<guillemotleft>| Branch B va vb vii vc" by simp
   392   hence "y \<guillemotleft>| Branch B va vb vii vc" by (blast dest: rbt_greater_trans)
   393   with 1 "3_4" show ?case by simp
   394 next
   395   case ("4_2" va vb vd vc x w b y s c z t dd)
   396   hence "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" by simp
   397   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   398   with "4_2" show ?case by simp
   399 next
   400   case ("5_2" x w b y s c z t va vb vd vc)
   401   hence "y < z \<and> z \<guillemotleft>| Branch B va vb vd vc" by simp
   402   hence "y \<guillemotleft>| Branch B va vb vd vc" by (blast dest: rbt_greater_trans)
   403   with "5_2" show ?case by simp
   404 next
   405   case ("5_3" va vb vd vc x w b y s c z t)
   406   hence "x < y \<and> Branch B va vb vd vc |\<guillemotleft> x" by simp
   407   hence "Branch B va vb vd vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   408   with "5_3" show ?case by simp
   409 next
   410   case ("5_4" va vb vg vc x w b y s c z t vd ve vii vf)
   411   hence "x < y \<and> Branch B va vb vg vc |\<guillemotleft> x" by simp
   412   hence 1: "Branch B va vb vg vc |\<guillemotleft> y" by (blast dest: rbt_less_trans)
   413   from "5_4" have "y < z \<and> z \<guillemotleft>| Branch B vd ve vii vf" by simp
   414   hence "y \<guillemotleft>| Branch B vd ve vii vf" by (blast dest: rbt_greater_trans)
   415   with 1 "5_4" show ?case by simp
   416 qed simp+
   417 
   418 lemma entries_balance [simp]:
   419   "entries (balance l k v r) = entries l @ (k, v) # entries r"
   420   by (induct l k v r rule: balance.induct) auto
   421 
   422 lemma keys_balance [simp]: 
   423   "keys (balance l k v r) = keys l @ k # keys r"
   424   by (simp add: keys_def)
   425 
   426 lemma balance_in_tree:  
   427   "entry_in_tree k x (balance l v y r) \<longleftrightarrow> entry_in_tree k x l \<or> k = v \<and> x = y \<or> entry_in_tree k x r"
   428   by (auto simp add: keys_def)
   429 
   430 lemma (in linorder) rbt_lookup_balance[simp]: 
   431 fixes k :: "'a"
   432 assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   433 shows "rbt_lookup (balance l k v r) x = rbt_lookup (Branch B l k v r) x"
   434 by (rule rbt_lookup_from_in_tree) (auto simp:assms balance_in_tree balance_rbt_sorted)
   435 
   436 primrec paint :: "color \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   437 where
   438   "paint c Empty = Empty"
   439 | "paint c (Branch _ l k v r) = Branch c l k v r"
   440 
   441 lemma paint_inv1l[simp]: "inv1l t \<Longrightarrow> inv1l (paint c t)" by (cases t) auto
   442 lemma paint_inv1[simp]: "inv1l t \<Longrightarrow> inv1 (paint B t)" by (cases t) auto
   443 lemma paint_inv2[simp]: "inv2 t \<Longrightarrow> inv2 (paint c t)" by (cases t) auto
   444 lemma paint_color_of[simp]: "color_of (paint B t) = B" by (cases t) auto
   445 lemma paint_in_tree[simp]: "entry_in_tree k x (paint c t) = entry_in_tree k x t" by (cases t) auto
   446 
   447 context ord begin
   448 
   449 lemma paint_rbt_sorted[simp]: "rbt_sorted t \<Longrightarrow> rbt_sorted (paint c t)" by (cases t) auto
   450 lemma paint_rbt_lookup[simp]: "rbt_lookup (paint c t) = rbt_lookup t" by (rule ext) (cases t, auto)
   451 lemma paint_rbt_greater[simp]: "(v \<guillemotleft>| paint c t) = (v \<guillemotleft>| t)" by (cases t) auto
   452 lemma paint_rbt_less[simp]: "(paint c t |\<guillemotleft> v) = (t |\<guillemotleft> v)" by (cases t) auto
   453 
   454 fun
   455   rbt_ins :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   456 where
   457   "rbt_ins f k v Empty = Branch R Empty k v Empty" |
   458   "rbt_ins f k v (Branch B l x y r) = (if k < x then balance (rbt_ins f k v l) x y r
   459                                        else if k > x then balance l x y (rbt_ins f k v r)
   460                                        else Branch B l x (f k y v) r)" |
   461   "rbt_ins f k v (Branch R l x y r) = (if k < x then Branch R (rbt_ins f k v l) x y r
   462                                        else if k > x then Branch R l x y (rbt_ins f k v r)
   463                                        else Branch R l x (f k y v) r)"
   464 
   465 lemma ins_inv1_inv2: 
   466   assumes "inv1 t" "inv2 t"
   467   shows "inv2 (rbt_ins f k x t)" "bheight (rbt_ins f k x t) = bheight t" 
   468   "color_of t = B \<Longrightarrow> inv1 (rbt_ins f k x t)" "inv1l (rbt_ins f k x t)"
   469   using assms
   470   by (induct f k x t rule: rbt_ins.induct) (auto simp: balance_inv1 balance_inv2 balance_bheight)
   471 
   472 end
   473 
   474 context linorder begin
   475 
   476 lemma ins_rbt_greater[simp]: "(v \<guillemotleft>| rbt_ins f (k :: 'a) x t) = (v \<guillemotleft>| t \<and> k > v)"
   477   by (induct f k x t rule: rbt_ins.induct) auto
   478 lemma ins_rbt_less[simp]: "(rbt_ins f k x t |\<guillemotleft> v) = (t |\<guillemotleft> v \<and> k < v)"
   479   by (induct f k x t rule: rbt_ins.induct) auto
   480 lemma ins_rbt_sorted[simp]: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_ins f k x t)"
   481   by (induct f k x t rule: rbt_ins.induct) (auto simp: balance_rbt_sorted)
   482 
   483 lemma keys_ins: "set (keys (rbt_ins f k v t)) = { k } \<union> set (keys t)"
   484   by (induct f k v t rule: rbt_ins.induct) auto
   485 
   486 lemma rbt_lookup_ins: 
   487   fixes k :: "'a"
   488   assumes "rbt_sorted t"
   489   shows "rbt_lookup (rbt_ins f k v t) x = ((rbt_lookup t)(k |-> case rbt_lookup t k of None \<Rightarrow> v 
   490                                                                 | Some w \<Rightarrow> f k w v)) x"
   491 using assms by (induct f k v t rule: rbt_ins.induct) auto
   492 
   493 end
   494 
   495 context ord begin
   496 
   497 definition rbt_insert_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   498 where "rbt_insert_with_key f k v t = paint B (rbt_ins f k v t)"
   499 
   500 definition rbt_insertw_def: "rbt_insert_with f = rbt_insert_with_key (\<lambda>_. f)"
   501 
   502 definition rbt_insert :: "'a \<Rightarrow> 'b \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt" where
   503   "rbt_insert = rbt_insert_with_key (\<lambda>_ _ nv. nv)"
   504 
   505 end
   506 
   507 context linorder begin
   508 
   509 lemma rbt_insertwk_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert_with_key f (k :: 'a) x t)"
   510   by (auto simp: rbt_insert_with_key_def)
   511 
   512 theorem rbt_insertwk_is_rbt: 
   513   assumes inv: "is_rbt t" 
   514   shows "is_rbt (rbt_insert_with_key f k x t)"
   515 using assms
   516 unfolding rbt_insert_with_key_def is_rbt_def
   517 by (auto simp: ins_inv1_inv2)
   518 
   519 lemma rbt_lookup_rbt_insertwk: 
   520   assumes "rbt_sorted t"
   521   shows "rbt_lookup (rbt_insert_with_key f k v t) x = ((rbt_lookup t)(k |-> case rbt_lookup t k of None \<Rightarrow> v 
   522                                                        | Some w \<Rightarrow> f k w v)) x"
   523 unfolding rbt_insert_with_key_def using assms
   524 by (simp add:rbt_lookup_ins)
   525 
   526 lemma rbt_insertw_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert_with f k v t)" 
   527   by (simp add: rbt_insertwk_rbt_sorted rbt_insertw_def)
   528 theorem rbt_insertw_is_rbt: "is_rbt t \<Longrightarrow> is_rbt (rbt_insert_with f k v t)"
   529   by (simp add: rbt_insertwk_is_rbt rbt_insertw_def)
   530 
   531 lemma rbt_lookup_rbt_insertw:
   532   assumes "is_rbt t"
   533   shows "rbt_lookup (rbt_insert_with f k v t) = (rbt_lookup t)(k \<mapsto> (if k:dom (rbt_lookup t) then f (the (rbt_lookup t k)) v else v))"
   534 using assms
   535 unfolding rbt_insertw_def
   536 by (rule_tac ext) (cases "rbt_lookup t k", auto simp:rbt_lookup_rbt_insertwk dom_def)
   537 
   538 lemma rbt_insert_rbt_sorted: "rbt_sorted t \<Longrightarrow> rbt_sorted (rbt_insert k v t)"
   539   by (simp add: rbt_insertwk_rbt_sorted rbt_insert_def)
   540 theorem rbt_insert_is_rbt [simp]: "is_rbt t \<Longrightarrow> is_rbt (rbt_insert k v t)"
   541   by (simp add: rbt_insertwk_is_rbt rbt_insert_def)
   542 
   543 lemma rbt_lookup_rbt_insert: 
   544   assumes "is_rbt t"
   545   shows "rbt_lookup (rbt_insert k v t) = (rbt_lookup t)(k\<mapsto>v)"
   546 unfolding rbt_insert_def
   547 using assms
   548 by (rule_tac ext) (simp add: rbt_lookup_rbt_insertwk split:option.split)
   549 
   550 end
   551 
   552 subsection {* Deletion *}
   553 
   554 lemma bheight_paintR'[simp]: "color_of t = B \<Longrightarrow> bheight (paint R t) = bheight t - 1"
   555 by (cases t rule: rbt_cases) auto
   556 
   557 fun
   558   balance_left :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   559 where
   560   "balance_left (Branch R a k x b) s y c = Branch R (Branch B a k x b) s y c" |
   561   "balance_left bl k x (Branch B a s y b) = balance bl k x (Branch R a s y b)" |
   562   "balance_left bl k x (Branch R (Branch B a s y b) t z c) = Branch R (Branch B bl k x a) s y (balance b t z (paint R c))" |
   563   "balance_left t k x s = Empty"
   564 
   565 lemma balance_left_inv2_with_inv1:
   566   assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "inv1 rt"
   567   shows "bheight (balance_left lt k v rt) = bheight lt + 1"
   568   and   "inv2 (balance_left lt k v rt)"
   569 using assms 
   570 by (induct lt k v rt rule: balance_left.induct) (auto simp: balance_inv2 balance_bheight)
   571 
   572 lemma balance_left_inv2_app: 
   573   assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "color_of rt = B"
   574   shows "inv2 (balance_left lt k v rt)" 
   575         "bheight (balance_left lt k v rt) = bheight rt"
   576 using assms 
   577 by (induct lt k v rt rule: balance_left.induct) (auto simp add: balance_inv2 balance_bheight)+ 
   578 
   579 lemma balance_left_inv1: "\<lbrakk>inv1l a; inv1 b; color_of b = B\<rbrakk> \<Longrightarrow> inv1 (balance_left a k x b)"
   580   by (induct a k x b rule: balance_left.induct) (simp add: balance_inv1)+
   581 
   582 lemma balance_left_inv1l: "\<lbrakk> inv1l lt; inv1 rt \<rbrakk> \<Longrightarrow> inv1l (balance_left lt k x rt)"
   583 by (induct lt k x rt rule: balance_left.induct) (auto simp: balance_inv1)
   584 
   585 lemma (in linorder) balance_left_rbt_sorted: 
   586   "\<lbrakk> rbt_sorted l; rbt_sorted r; rbt_less k l; k \<guillemotleft>| r \<rbrakk> \<Longrightarrow> rbt_sorted (balance_left l k v r)"
   587 apply (induct l k v r rule: balance_left.induct)
   588 apply (auto simp: balance_rbt_sorted)
   589 apply (unfold rbt_greater_prop rbt_less_prop)
   590 by force+
   591 
   592 context order begin
   593 
   594 lemma balance_left_rbt_greater: 
   595   fixes k :: "'a"
   596   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   597   shows "k \<guillemotleft>| balance_left a x t b"
   598 using assms 
   599 by (induct a x t b rule: balance_left.induct) auto
   600 
   601 lemma balance_left_rbt_less: 
   602   fixes k :: "'a"
   603   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   604   shows "balance_left a x t b |\<guillemotleft> k"
   605 using assms
   606 by (induct a x t b rule: balance_left.induct) auto
   607 
   608 end
   609 
   610 lemma balance_left_in_tree: 
   611   assumes "inv1l l" "inv1 r" "bheight l + 1 = bheight r"
   612   shows "entry_in_tree k v (balance_left l a b r) = (entry_in_tree k v l \<or> k = a \<and> v = b \<or> entry_in_tree k v r)"
   613 using assms 
   614 by (induct l k v r rule: balance_left.induct) (auto simp: balance_in_tree)
   615 
   616 fun
   617   balance_right :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   618 where
   619   "balance_right a k x (Branch R b s y c) = Branch R a k x (Branch B b s y c)" |
   620   "balance_right (Branch B a k x b) s y bl = balance (Branch R a k x b) s y bl" |
   621   "balance_right (Branch R a k x (Branch B b s y c)) t z bl = Branch R (balance (paint R a) k x b) s y (Branch B c t z bl)" |
   622   "balance_right t k x s = Empty"
   623 
   624 lemma balance_right_inv2_with_inv1:
   625   assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt + 1" "inv1 lt"
   626   shows "inv2 (balance_right lt k v rt) \<and> bheight (balance_right lt k v rt) = bheight lt"
   627 using assms
   628 by (induct lt k v rt rule: balance_right.induct) (auto simp: balance_inv2 balance_bheight)
   629 
   630 lemma balance_right_inv1: "\<lbrakk>inv1 a; inv1l b; color_of a = B\<rbrakk> \<Longrightarrow> inv1 (balance_right a k x b)"
   631 by (induct a k x b rule: balance_right.induct) (simp add: balance_inv1)+
   632 
   633 lemma balance_right_inv1l: "\<lbrakk> inv1 lt; inv1l rt \<rbrakk> \<Longrightarrow>inv1l (balance_right lt k x rt)"
   634 by (induct lt k x rt rule: balance_right.induct) (auto simp: balance_inv1)
   635 
   636 lemma (in linorder) balance_right_rbt_sorted:
   637   "\<lbrakk> rbt_sorted l; rbt_sorted r; rbt_less k l; k \<guillemotleft>| r \<rbrakk> \<Longrightarrow> rbt_sorted (balance_right l k v r)"
   638 apply (induct l k v r rule: balance_right.induct)
   639 apply (auto simp:balance_rbt_sorted)
   640 apply (unfold rbt_less_prop rbt_greater_prop)
   641 by force+
   642 
   643 context order begin
   644 
   645 lemma balance_right_rbt_greater: 
   646   fixes k :: "'a"
   647   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   648   shows "k \<guillemotleft>| balance_right a x t b"
   649 using assms by (induct a x t b rule: balance_right.induct) auto
   650 
   651 lemma balance_right_rbt_less: 
   652   fixes k :: "'a"
   653   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   654   shows "balance_right a x t b |\<guillemotleft> k"
   655 using assms by (induct a x t b rule: balance_right.induct) auto
   656 
   657 end
   658 
   659 lemma balance_right_in_tree:
   660   assumes "inv1 l" "inv1l r" "bheight l = bheight r + 1" "inv2 l" "inv2 r"
   661   shows "entry_in_tree x y (balance_right l k v r) = (entry_in_tree x y l \<or> x = k \<and> y = v \<or> entry_in_tree x y r)"
   662 using assms by (induct l k v r rule: balance_right.induct) (auto simp: balance_in_tree)
   663 
   664 fun
   665   combine :: "('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   666 where
   667   "combine Empty x = x" 
   668 | "combine x Empty = x" 
   669 | "combine (Branch R a k x b) (Branch R c s y d) = (case (combine b c) of
   670                                     Branch R b2 t z c2 \<Rightarrow> (Branch R (Branch R a k x b2) t z (Branch R c2 s y d)) |
   671                                     bc \<Rightarrow> Branch R a k x (Branch R bc s y d))" 
   672 | "combine (Branch B a k x b) (Branch B c s y d) = (case (combine b c) of
   673                                     Branch R b2 t z c2 \<Rightarrow> Branch R (Branch B a k x b2) t z (Branch B c2 s y d) |
   674                                     bc \<Rightarrow> balance_left a k x (Branch B bc s y d))" 
   675 | "combine a (Branch R b k x c) = Branch R (combine a b) k x c" 
   676 | "combine (Branch R a k x b) c = Branch R a k x (combine b c)" 
   677 
   678 lemma combine_inv2:
   679   assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt"
   680   shows "bheight (combine lt rt) = bheight lt" "inv2 (combine lt rt)"
   681 using assms 
   682 by (induct lt rt rule: combine.induct) 
   683    (auto simp: balance_left_inv2_app split: rbt.splits color.splits)
   684 
   685 lemma combine_inv1: 
   686   assumes "inv1 lt" "inv1 rt"
   687   shows "color_of lt = B \<Longrightarrow> color_of rt = B \<Longrightarrow> inv1 (combine lt rt)"
   688          "inv1l (combine lt rt)"
   689 using assms 
   690 by (induct lt rt rule: combine.induct)
   691    (auto simp: balance_left_inv1 split: rbt.splits color.splits)
   692 
   693 context linorder begin
   694 
   695 lemma combine_rbt_greater[simp]: 
   696   fixes k :: "'a"
   697   assumes "k \<guillemotleft>| l" "k \<guillemotleft>| r" 
   698   shows "k \<guillemotleft>| combine l r"
   699 using assms 
   700 by (induct l r rule: combine.induct)
   701    (auto simp: balance_left_rbt_greater split:rbt.splits color.splits)
   702 
   703 lemma combine_rbt_less[simp]: 
   704   fixes k :: "'a"
   705   assumes "l |\<guillemotleft> k" "r |\<guillemotleft> k" 
   706   shows "combine l r |\<guillemotleft> k"
   707 using assms 
   708 by (induct l r rule: combine.induct)
   709    (auto simp: balance_left_rbt_less split:rbt.splits color.splits)
   710 
   711 lemma combine_rbt_sorted: 
   712   fixes k :: "'a"
   713   assumes "rbt_sorted l" "rbt_sorted r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   714   shows "rbt_sorted (combine l r)"
   715 using assms proof (induct l r rule: combine.induct)
   716   case (3 a x v b c y w d)
   717   hence ineqs: "a |\<guillemotleft> x" "x \<guillemotleft>| b" "b |\<guillemotleft> k" "k \<guillemotleft>| c" "c |\<guillemotleft> y" "y \<guillemotleft>| d"
   718     by auto
   719   with 3
   720   show ?case
   721     by (cases "combine b c" rule: rbt_cases)
   722       (auto, (metis combine_rbt_greater combine_rbt_less ineqs ineqs rbt_less_simps(2) rbt_greater_simps(2) rbt_greater_trans rbt_less_trans)+)
   723 next
   724   case (4 a x v b c y w d)
   725   hence "x < k \<and> rbt_greater k c" by simp
   726   hence "rbt_greater x c" by (blast dest: rbt_greater_trans)
   727   with 4 have 2: "rbt_greater x (combine b c)" by (simp add: combine_rbt_greater)
   728   from 4 have "k < y \<and> rbt_less k b" by simp
   729   hence "rbt_less y b" by (blast dest: rbt_less_trans)
   730   with 4 have 3: "rbt_less y (combine b c)" by (simp add: combine_rbt_less)
   731   show ?case
   732   proof (cases "combine b c" rule: rbt_cases)
   733     case Empty
   734     from 4 have "x < y \<and> rbt_greater y d" by auto
   735     hence "rbt_greater x d" by (blast dest: rbt_greater_trans)
   736     with 4 Empty have "rbt_sorted a" and "rbt_sorted (Branch B Empty y w d)"
   737       and "rbt_less x a" and "rbt_greater x (Branch B Empty y w d)" by auto
   738     with Empty show ?thesis by (simp add: balance_left_rbt_sorted)
   739   next
   740     case (Red lta va ka rta)
   741     with 2 4 have "x < va \<and> rbt_less x a" by simp
   742     hence 5: "rbt_less va a" by (blast dest: rbt_less_trans)
   743     from Red 3 4 have "va < y \<and> rbt_greater y d" by simp
   744     hence "rbt_greater va d" by (blast dest: rbt_greater_trans)
   745     with Red 2 3 4 5 show ?thesis by simp
   746   next
   747     case (Black lta va ka rta)
   748     from 4 have "x < y \<and> rbt_greater y d" by auto
   749     hence "rbt_greater x d" by (blast dest: rbt_greater_trans)
   750     with Black 2 3 4 have "rbt_sorted a" and "rbt_sorted (Branch B (combine b c) y w d)" 
   751       and "rbt_less x a" and "rbt_greater x (Branch B (combine b c) y w d)" by auto
   752     with Black show ?thesis by (simp add: balance_left_rbt_sorted)
   753   qed
   754 next
   755   case (5 va vb vd vc b x w c)
   756   hence "k < x \<and> rbt_less k (Branch B va vb vd vc)" by simp
   757   hence "rbt_less x (Branch B va vb vd vc)" by (blast dest: rbt_less_trans)
   758   with 5 show ?case by (simp add: combine_rbt_less)
   759 next
   760   case (6 a x v b va vb vd vc)
   761   hence "x < k \<and> rbt_greater k (Branch B va vb vd vc)" by simp
   762   hence "rbt_greater x (Branch B va vb vd vc)" by (blast dest: rbt_greater_trans)
   763   with 6 show ?case by (simp add: combine_rbt_greater)
   764 qed simp+
   765 
   766 end
   767 
   768 lemma combine_in_tree: 
   769   assumes "inv2 l" "inv2 r" "bheight l = bheight r" "inv1 l" "inv1 r"
   770   shows "entry_in_tree k v (combine l r) = (entry_in_tree k v l \<or> entry_in_tree k v r)"
   771 using assms 
   772 proof (induct l r rule: combine.induct)
   773   case (4 _ _ _ b c)
   774   hence a: "bheight (combine b c) = bheight b" by (simp add: combine_inv2)
   775   from 4 have b: "inv1l (combine b c)" by (simp add: combine_inv1)
   776 
   777   show ?case
   778   proof (cases "combine b c" rule: rbt_cases)
   779     case Empty
   780     with 4 a show ?thesis by (auto simp: balance_left_in_tree)
   781   next
   782     case (Red lta ka va rta)
   783     with 4 show ?thesis by auto
   784   next
   785     case (Black lta ka va rta)
   786     with a b 4  show ?thesis by (auto simp: balance_left_in_tree)
   787   qed 
   788 qed (auto split: rbt.splits color.splits)
   789 
   790 context ord begin
   791 
   792 fun
   793   rbt_del_from_left :: "'a \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   794   rbt_del_from_right :: "'a \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   795   rbt_del :: "'a\<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   796 where
   797   "rbt_del x Empty = Empty" |
   798   "rbt_del x (Branch c a y s b) = 
   799    (if x < y then rbt_del_from_left x a y s b 
   800     else (if x > y then rbt_del_from_right x a y s b else combine a b))" |
   801   "rbt_del_from_left x (Branch B lt z v rt) y s b = balance_left (rbt_del x (Branch B lt z v rt)) y s b" |
   802   "rbt_del_from_left x a y s b = Branch R (rbt_del x a) y s b" |
   803   "rbt_del_from_right x a y s (Branch B lt z v rt) = balance_right a y s (rbt_del x (Branch B lt z v rt))" | 
   804   "rbt_del_from_right x a y s b = Branch R a y s (rbt_del x b)"
   805 
   806 end
   807 
   808 context linorder begin
   809 
   810 lemma 
   811   assumes "inv2 lt" "inv1 lt"
   812   shows
   813   "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
   814    inv2 (rbt_del_from_left x lt k v rt) \<and> 
   815    bheight (rbt_del_from_left x lt k v rt) = bheight lt \<and> 
   816    (color_of lt = B \<and> color_of rt = B \<and> inv1 (rbt_del_from_left x lt k v rt) \<or> 
   817     (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (rbt_del_from_left x lt k v rt))"
   818   and "\<lbrakk>inv2 rt; bheight lt = bheight rt; inv1 rt\<rbrakk> \<Longrightarrow>
   819   inv2 (rbt_del_from_right x lt k v rt) \<and> 
   820   bheight (rbt_del_from_right x lt k v rt) = bheight lt \<and> 
   821   (color_of lt = B \<and> color_of rt = B \<and> inv1 (rbt_del_from_right x lt k v rt) \<or> 
   822    (color_of lt \<noteq> B \<or> color_of rt \<noteq> B) \<and> inv1l (rbt_del_from_right x lt k v rt))"
   823   and rbt_del_inv1_inv2: "inv2 (rbt_del x lt) \<and> (color_of lt = R \<and> bheight (rbt_del x lt) = bheight lt \<and> inv1 (rbt_del x lt) 
   824   \<or> color_of lt = B \<and> bheight (rbt_del x lt) = bheight lt - 1 \<and> inv1l (rbt_del x lt))"
   825 using assms
   826 proof (induct x lt k v rt and x lt k v rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   827 case (2 y c _ y')
   828   have "y = y' \<or> y < y' \<or> y > y'" by auto
   829   thus ?case proof (elim disjE)
   830     assume "y = y'"
   831     with 2 show ?thesis by (cases c) (simp add: combine_inv2 combine_inv1)+
   832   next
   833     assume "y < y'"
   834     with 2 show ?thesis by (cases c) auto
   835   next
   836     assume "y' < y"
   837     with 2 show ?thesis by (cases c) auto
   838   qed
   839 next
   840   case (3 y lt z v rta y' ss bb) 
   841   thus ?case by (cases "color_of (Branch B lt z v rta) = B \<and> color_of bb = B") (simp add: balance_left_inv2_with_inv1 balance_left_inv1 balance_left_inv1l)+
   842 next
   843   case (5 y a y' ss lt z v rta)
   844   thus ?case by (cases "color_of a = B \<and> color_of (Branch B lt z v rta) = B") (simp add: balance_right_inv2_with_inv1 balance_right_inv1 balance_right_inv1l)+
   845 next
   846   case ("6_1" y a y' ss) thus ?case by (cases "color_of a = B \<and> color_of Empty = B") simp+
   847 qed auto
   848 
   849 lemma 
   850   rbt_del_from_left_rbt_less: "\<lbrakk> lt |\<guillemotleft> v; rt |\<guillemotleft> v; k < v\<rbrakk> \<Longrightarrow> rbt_del_from_left x lt k y rt |\<guillemotleft> v"
   851   and rbt_del_from_right_rbt_less: "\<lbrakk>lt |\<guillemotleft> v; rt |\<guillemotleft> v; k < v\<rbrakk> \<Longrightarrow> rbt_del_from_right x lt k y rt |\<guillemotleft> v"
   852   and rbt_del_rbt_less: "lt |\<guillemotleft> v \<Longrightarrow> rbt_del x lt |\<guillemotleft> v"
   853 by (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct) 
   854    (auto simp: balance_left_rbt_less balance_right_rbt_less)
   855 
   856 lemma rbt_del_from_left_rbt_greater: "\<lbrakk>v \<guillemotleft>| lt; v \<guillemotleft>| rt; k > v\<rbrakk> \<Longrightarrow> v \<guillemotleft>| rbt_del_from_left x lt k y rt"
   857   and rbt_del_from_right_rbt_greater: "\<lbrakk>v \<guillemotleft>| lt; v \<guillemotleft>| rt; k > v\<rbrakk> \<Longrightarrow> v \<guillemotleft>| rbt_del_from_right x lt k y rt"
   858   and rbt_del_rbt_greater: "v \<guillemotleft>| lt \<Longrightarrow> v \<guillemotleft>| rbt_del x lt"
   859 by (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   860    (auto simp: balance_left_rbt_greater balance_right_rbt_greater)
   861 
   862 lemma "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> k; k \<guillemotleft>| rt\<rbrakk> \<Longrightarrow> rbt_sorted (rbt_del_from_left x lt k y rt)"
   863   and "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> k; k \<guillemotleft>| rt\<rbrakk> \<Longrightarrow> rbt_sorted (rbt_del_from_right x lt k y rt)"
   864   and rbt_del_rbt_sorted: "rbt_sorted lt \<Longrightarrow> rbt_sorted (rbt_del x lt)"
   865 proof (induct x lt k y rt and x lt k y rt and x lt rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   866   case (3 x lta zz v rta yy ss bb)
   867   from 3 have "Branch B lta zz v rta |\<guillemotleft> yy" by simp
   868   hence "rbt_del x (Branch B lta zz v rta) |\<guillemotleft> yy" by (rule rbt_del_rbt_less)
   869   with 3 show ?case by (simp add: balance_left_rbt_sorted)
   870 next
   871   case ("4_2" x vaa vbb vdd vc yy ss bb)
   872   hence "Branch R vaa vbb vdd vc |\<guillemotleft> yy" by simp
   873   hence "rbt_del x (Branch R vaa vbb vdd vc) |\<guillemotleft> yy" by (rule rbt_del_rbt_less)
   874   with "4_2" show ?case by simp
   875 next
   876   case (5 x aa yy ss lta zz v rta) 
   877   hence "yy \<guillemotleft>| Branch B lta zz v rta" by simp
   878   hence "yy \<guillemotleft>| rbt_del x (Branch B lta zz v rta)" by (rule rbt_del_rbt_greater)
   879   with 5 show ?case by (simp add: balance_right_rbt_sorted)
   880 next
   881   case ("6_2" x aa yy ss vaa vbb vdd vc)
   882   hence "yy \<guillemotleft>| Branch R vaa vbb vdd vc" by simp
   883   hence "yy \<guillemotleft>| rbt_del x (Branch R vaa vbb vdd vc)" by (rule rbt_del_rbt_greater)
   884   with "6_2" show ?case by simp
   885 qed (auto simp: combine_rbt_sorted)
   886 
   887 lemma "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> kt; kt \<guillemotleft>| rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x < kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del_from_left x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
   888   and "\<lbrakk>rbt_sorted lt; rbt_sorted rt; lt |\<guillemotleft> kt; kt \<guillemotleft>| rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bheight lt = bheight rt; x > kt\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del_from_right x lt kt y rt) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v (Branch c lt kt y rt)))"
   889   and rbt_del_in_tree: "\<lbrakk>rbt_sorted t; inv1 t; inv2 t\<rbrakk> \<Longrightarrow> entry_in_tree k v (rbt_del x t) = (False \<or> (x \<noteq> k \<and> entry_in_tree k v t))"
   890 proof (induct x lt kt y rt and x lt kt y rt and x t rule: rbt_del_from_left_rbt_del_from_right_rbt_del.induct)
   891   case (2 xx c aa yy ss bb)
   892   have "xx = yy \<or> xx < yy \<or> xx > yy" by auto
   893   from this 2 show ?case proof (elim disjE)
   894     assume "xx = yy"
   895     with 2 show ?thesis proof (cases "xx = k")
   896       case True
   897       from 2 `xx = yy` `xx = k` have "rbt_sorted (Branch c aa yy ss bb) \<and> k = yy" by simp
   898       hence "\<not> entry_in_tree k v aa" "\<not> entry_in_tree k v bb" by (auto simp: rbt_less_nit rbt_greater_prop)
   899       with `xx = yy` 2 `xx = k` show ?thesis by (simp add: combine_in_tree)
   900     qed (simp add: combine_in_tree)
   901   qed simp+
   902 next    
   903   case (3 xx lta zz vv rta yy ss bb)
   904   def mt[simp]: mt == "Branch B lta zz vv rta"
   905   from 3 have "inv2 mt \<and> inv1 mt" by simp
   906   hence "inv2 (rbt_del xx mt) \<and> (color_of mt = R \<and> bheight (rbt_del xx mt) = bheight mt \<and> inv1 (rbt_del xx mt) \<or> color_of mt = B \<and> bheight (rbt_del xx mt) = bheight mt - 1 \<and> inv1l (rbt_del xx mt))" by (blast dest: rbt_del_inv1_inv2)
   907   with 3 have 4: "entry_in_tree k v (rbt_del_from_left xx mt yy ss bb) = (False \<or> xx \<noteq> k \<and> entry_in_tree k v mt \<or> (k = yy \<and> v = ss) \<or> entry_in_tree k v bb)" by (simp add: balance_left_in_tree)
   908   thus ?case proof (cases "xx = k")
   909     case True
   910     from 3 True have "yy \<guillemotleft>| bb \<and> yy > k" by simp
   911     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
   912     with 3 4 True show ?thesis by (auto simp: rbt_greater_nit)
   913   qed auto
   914 next
   915   case ("4_1" xx yy ss bb)
   916   show ?case proof (cases "xx = k")
   917     case True
   918     with "4_1" have "yy \<guillemotleft>| bb \<and> k < yy" by simp
   919     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
   920     with "4_1" `xx = k` 
   921    have "entry_in_tree k v (Branch R Empty yy ss bb) = entry_in_tree k v Empty" by (auto simp: rbt_greater_nit)
   922     thus ?thesis by auto
   923   qed simp+
   924 next
   925   case ("4_2" xx vaa vbb vdd vc yy ss bb)
   926   thus ?case proof (cases "xx = k")
   927     case True
   928     with "4_2" have "k < yy \<and> yy \<guillemotleft>| bb" by simp
   929     hence "k \<guillemotleft>| bb" by (blast dest: rbt_greater_trans)
   930     with True "4_2" show ?thesis by (auto simp: rbt_greater_nit)
   931   qed auto
   932 next
   933   case (5 xx aa yy ss lta zz vv rta)
   934   def mt[simp]: mt == "Branch B lta zz vv rta"
   935   from 5 have "inv2 mt \<and> inv1 mt" by simp
   936   hence "inv2 (rbt_del xx mt) \<and> (color_of mt = R \<and> bheight (rbt_del xx mt) = bheight mt \<and> inv1 (rbt_del xx mt) \<or> color_of mt = B \<and> bheight (rbt_del xx mt) = bheight mt - 1 \<and> inv1l (rbt_del xx mt))" by (blast dest: rbt_del_inv1_inv2)
   937   with 5 have 3: "entry_in_tree k v (rbt_del_from_right xx aa yy ss mt) = (entry_in_tree k v aa \<or> (k = yy \<and> v = ss) \<or> False \<or> xx \<noteq> k \<and> entry_in_tree k v mt)" by (simp add: balance_right_in_tree)
   938   thus ?case proof (cases "xx = k")
   939     case True
   940     from 5 True have "aa |\<guillemotleft> yy \<and> yy < k" by simp
   941     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
   942     with 3 5 True show ?thesis by (auto simp: rbt_less_nit)
   943   qed auto
   944 next
   945   case ("6_1" xx aa yy ss)
   946   show ?case proof (cases "xx = k")
   947     case True
   948     with "6_1" have "aa |\<guillemotleft> yy \<and> k > yy" by simp
   949     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
   950     with "6_1" `xx = k` show ?thesis by (auto simp: rbt_less_nit)
   951   qed simp
   952 next
   953   case ("6_2" xx aa yy ss vaa vbb vdd vc)
   954   thus ?case proof (cases "xx = k")
   955     case True
   956     with "6_2" have "k > yy \<and> aa |\<guillemotleft> yy" by simp
   957     hence "aa |\<guillemotleft> k" by (blast dest: rbt_less_trans)
   958     with True "6_2" show ?thesis by (auto simp: rbt_less_nit)
   959   qed auto
   960 qed simp
   961 
   962 definition (in ord) rbt_delete where
   963   "rbt_delete k t = paint B (rbt_del k t)"
   964 
   965 theorem rbt_delete_is_rbt [simp]: assumes "is_rbt t" shows "is_rbt (rbt_delete k t)"
   966 proof -
   967   from assms have "inv2 t" and "inv1 t" unfolding is_rbt_def by auto 
   968   hence "inv2 (rbt_del k t) \<and> (color_of t = R \<and> bheight (rbt_del k t) = bheight t \<and> inv1 (rbt_del k t) \<or> color_of t = B \<and> bheight (rbt_del k t) = bheight t - 1 \<and> inv1l (rbt_del k t))" by (rule rbt_del_inv1_inv2)
   969   hence "inv2 (rbt_del k t) \<and> inv1l (rbt_del k t)" by (cases "color_of t") auto
   970   with assms show ?thesis
   971     unfolding is_rbt_def rbt_delete_def
   972     by (auto intro: paint_rbt_sorted rbt_del_rbt_sorted)
   973 qed
   974 
   975 lemma rbt_delete_in_tree: 
   976   assumes "is_rbt t" 
   977   shows "entry_in_tree k v (rbt_delete x t) = (x \<noteq> k \<and> entry_in_tree k v t)"
   978   using assms unfolding is_rbt_def rbt_delete_def
   979   by (auto simp: rbt_del_in_tree)
   980 
   981 lemma rbt_lookup_rbt_delete:
   982   assumes is_rbt: "is_rbt t"
   983   shows "rbt_lookup (rbt_delete k t) = (rbt_lookup t)|`(-{k})"
   984 proof
   985   fix x
   986   show "rbt_lookup (rbt_delete k t) x = (rbt_lookup t |` (-{k})) x" 
   987   proof (cases "x = k")
   988     assume "x = k" 
   989     with is_rbt show ?thesis
   990       by (cases "rbt_lookup (rbt_delete k t) k") (auto simp: rbt_lookup_in_tree rbt_delete_in_tree)
   991   next
   992     assume "x \<noteq> k"
   993     thus ?thesis
   994       by auto (metis is_rbt rbt_delete_is_rbt rbt_delete_in_tree is_rbt_rbt_sorted rbt_lookup_from_in_tree)
   995   qed
   996 qed
   997 
   998 end
   999 
  1000 subsection {* Modifying existing entries *}
  1001 
  1002 context ord begin
  1003 
  1004 primrec
  1005   rbt_map_entry :: "'a \<Rightarrow> ('b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
  1006 where
  1007   "rbt_map_entry k f Empty = Empty"
  1008 | "rbt_map_entry k f (Branch c lt x v rt) =
  1009     (if k < x then Branch c (rbt_map_entry k f lt) x v rt
  1010     else if k > x then (Branch c lt x v (rbt_map_entry k f rt))
  1011     else Branch c lt x (f v) rt)"
  1012 
  1013 
  1014 lemma rbt_map_entry_color_of: "color_of (rbt_map_entry k f t) = color_of t" by (induct t) simp+
  1015 lemma rbt_map_entry_inv1: "inv1 (rbt_map_entry k f t) = inv1 t" by (induct t) (simp add: rbt_map_entry_color_of)+
  1016 lemma rbt_map_entry_inv2: "inv2 (rbt_map_entry k f t) = inv2 t" "bheight (rbt_map_entry k f t) = bheight t" by (induct t) simp+
  1017 lemma rbt_map_entry_rbt_greater: "rbt_greater a (rbt_map_entry k f t) = rbt_greater a t" by (induct t) simp+
  1018 lemma rbt_map_entry_rbt_less: "rbt_less a (rbt_map_entry k f t) = rbt_less a t" by (induct t) simp+
  1019 lemma rbt_map_entry_rbt_sorted: "rbt_sorted (rbt_map_entry k f t) = rbt_sorted t"
  1020   by (induct t) (simp_all add: rbt_map_entry_rbt_less rbt_map_entry_rbt_greater)
  1021 
  1022 theorem rbt_map_entry_is_rbt [simp]: "is_rbt (rbt_map_entry k f t) = is_rbt t" 
  1023 unfolding is_rbt_def by (simp add: rbt_map_entry_inv2 rbt_map_entry_color_of rbt_map_entry_rbt_sorted rbt_map_entry_inv1 )
  1024 
  1025 end
  1026 
  1027 theorem (in linorder) rbt_lookup_rbt_map_entry:
  1028   "rbt_lookup (rbt_map_entry k f t) = (rbt_lookup t)(k := map_option f (rbt_lookup t k))"
  1029   by (induct t) (auto split: option.splits simp add: fun_eq_iff)
  1030 
  1031 subsection {* Mapping all entries *}
  1032 
  1033 primrec
  1034   map :: "('a \<Rightarrow> 'b \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'c) rbt"
  1035 where
  1036   "map f Empty = Empty"
  1037 | "map f (Branch c lt k v rt) = Branch c (map f lt) k (f k v) (map f rt)"
  1038 
  1039 lemma map_entries [simp]: "entries (map f t) = List.map (\<lambda>(k, v). (k, f k v)) (entries t)"
  1040   by (induct t) auto
  1041 lemma map_keys [simp]: "keys (map f t) = keys t" by (simp add: keys_def split_def)
  1042 lemma map_color_of: "color_of (map f t) = color_of t" by (induct t) simp+
  1043 lemma map_inv1: "inv1 (map f t) = inv1 t" by (induct t) (simp add: map_color_of)+
  1044 lemma map_inv2: "inv2 (map f t) = inv2 t" "bheight (map f t) = bheight t" by (induct t) simp+
  1045 
  1046 context ord begin
  1047 
  1048 lemma map_rbt_greater: "rbt_greater k (map f t) = rbt_greater k t" by (induct t) simp+
  1049 lemma map_rbt_less: "rbt_less k (map f t) = rbt_less k t" by (induct t) simp+
  1050 lemma map_rbt_sorted: "rbt_sorted (map f t) = rbt_sorted t"  by (induct t) (simp add: map_rbt_less map_rbt_greater)+
  1051 theorem map_is_rbt [simp]: "is_rbt (map f t) = is_rbt t" 
  1052 unfolding is_rbt_def by (simp add: map_inv1 map_inv2 map_rbt_sorted map_color_of)
  1053 
  1054 end
  1055 
  1056 theorem (in linorder) rbt_lookup_map: "rbt_lookup (map f t) x = map_option (f x) (rbt_lookup t x)"
  1057   apply(induct t)
  1058   apply auto
  1059   apply(subgoal_tac "x = a")
  1060   apply auto
  1061   done
  1062  (* FIXME: simproc "antisym less" does not work for linorder context, only for linorder type class
  1063     by (induct t) auto *)
  1064 
  1065 hide_const (open) map
  1066 
  1067 subsection {* Folding over entries *}
  1068 
  1069 definition fold :: "('a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c" where
  1070   "fold f t = List.fold (case_prod f) (entries t)"
  1071 
  1072 lemma fold_simps [simp]:
  1073   "fold f Empty = id"
  1074   "fold f (Branch c lt k v rt) = fold f rt \<circ> f k v \<circ> fold f lt"
  1075   by (simp_all add: fold_def fun_eq_iff)
  1076 
  1077 lemma fold_code [code]:
  1078   "fold f Empty x = x"
  1079   "fold f (Branch c lt k v rt) x = fold f rt (f k v (fold f lt x))"
  1080 by(simp_all)
  1081 
  1082 (* fold with continuation predicate *)
  1083 
  1084 fun foldi :: "('c \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a :: linorder, 'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c" 
  1085   where
  1086   "foldi c f Empty s = s" |
  1087   "foldi c f (Branch col l k v r) s = (
  1088     if (c s) then
  1089       let s' = foldi c f l s in
  1090         if (c s') then
  1091           foldi c f r (f k v s')
  1092         else s'
  1093     else 
  1094       s
  1095   )"
  1096 
  1097 subsection {* Bulkloading a tree *}
  1098 
  1099 definition (in ord) rbt_bulkload :: "('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt" where
  1100   "rbt_bulkload xs = foldr (\<lambda>(k, v). rbt_insert k v) xs Empty"
  1101 
  1102 context linorder begin
  1103 
  1104 lemma rbt_bulkload_is_rbt [simp, intro]:
  1105   "is_rbt (rbt_bulkload xs)"
  1106   unfolding rbt_bulkload_def by (induct xs) auto
  1107 
  1108 lemma rbt_lookup_rbt_bulkload:
  1109   "rbt_lookup (rbt_bulkload xs) = map_of xs"
  1110 proof -
  1111   obtain ys where "ys = rev xs" by simp
  1112   have "\<And>t. is_rbt t \<Longrightarrow>
  1113     rbt_lookup (List.fold (case_prod rbt_insert) ys t) = rbt_lookup t ++ map_of (rev ys)"
  1114       by (induct ys) (simp_all add: rbt_bulkload_def rbt_lookup_rbt_insert case_prod_beta)
  1115   from this Empty_is_rbt have
  1116     "rbt_lookup (List.fold (case_prod rbt_insert) (rev xs) Empty) = rbt_lookup Empty ++ map_of xs"
  1117      by (simp add: `ys = rev xs`)
  1118   then show ?thesis by (simp add: rbt_bulkload_def rbt_lookup_Empty foldr_conv_fold)
  1119 qed
  1120 
  1121 end
  1122 
  1123 
  1124 
  1125 subsection {* Building a RBT from a sorted list *}
  1126 
  1127 text {* 
  1128   These functions have been adapted from 
  1129   Andrew W. Appel, Efficient Verified Red-Black Trees (September 2011) 
  1130 *}
  1131 
  1132 fun rbtreeify_f :: "nat \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt \<times> ('a \<times> 'b) list"
  1133   and rbtreeify_g :: "nat \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt \<times> ('a \<times> 'b) list"
  1134 where
  1135   "rbtreeify_f n kvs =
  1136    (if n = 0 then (Empty, kvs)
  1137     else if n = 1 then
  1138       case kvs of (k, v) # kvs' \<Rightarrow> (Branch R Empty k v Empty, kvs')
  1139     else if (n mod 2 = 0) then
  1140       case rbtreeify_f (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1141         apfst (Branch B t1 k v) (rbtreeify_g (n div 2) kvs')
  1142     else case rbtreeify_f (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1143         apfst (Branch B t1 k v) (rbtreeify_f (n div 2) kvs'))"
  1144 
  1145 | "rbtreeify_g n kvs =
  1146    (if n = 0 \<or> n = 1 then (Empty, kvs)
  1147     else if n mod 2 = 0 then
  1148       case rbtreeify_g (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1149         apfst (Branch B t1 k v) (rbtreeify_g (n div 2) kvs')
  1150     else case rbtreeify_f (n div 2) kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1151         apfst (Branch B t1 k v) (rbtreeify_g (n div 2) kvs'))"
  1152 
  1153 definition rbtreeify :: "('a \<times> 'b) list \<Rightarrow> ('a, 'b) rbt"
  1154 where "rbtreeify kvs = fst (rbtreeify_g (Suc (length kvs)) kvs)"
  1155 
  1156 declare rbtreeify_f.simps [simp del] rbtreeify_g.simps [simp del]
  1157 
  1158 lemma rbtreeify_f_code [code]:
  1159   "rbtreeify_f n kvs =
  1160    (if n = 0 then (Empty, kvs)
  1161     else if n = 1 then
  1162       case kvs of (k, v) # kvs' \<Rightarrow> 
  1163         (Branch R Empty k v Empty, kvs')
  1164     else let (n', r) = divmod_nat n 2 in
  1165       if r = 0 then
  1166         case rbtreeify_f n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1167           apfst (Branch B t1 k v) (rbtreeify_g n' kvs')
  1168       else case rbtreeify_f n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1169           apfst (Branch B t1 k v) (rbtreeify_f n' kvs'))"
  1170 by (subst rbtreeify_f.simps) (simp only: Let_def divmod_nat_div_mod prod.case)
  1171 
  1172 lemma rbtreeify_g_code [code]:
  1173   "rbtreeify_g n kvs =
  1174    (if n = 0 \<or> n = 1 then (Empty, kvs)
  1175     else let (n', r) = divmod_nat n 2 in
  1176       if r = 0 then
  1177         case rbtreeify_g n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1178           apfst (Branch B t1 k v) (rbtreeify_g n' kvs')
  1179       else case rbtreeify_f n' kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1180           apfst (Branch B t1 k v) (rbtreeify_g n' kvs'))"
  1181 by(subst rbtreeify_g.simps)(simp only: Let_def divmod_nat_div_mod prod.case)
  1182 
  1183 lemma Suc_double_half: "Suc (2 * n) div 2 = n"
  1184 by simp
  1185 
  1186 lemma div2_plus_div2: "n div 2 + n div 2 = (n :: nat) - n mod 2"
  1187 by arith
  1188 
  1189 lemma rbtreeify_f_rec_aux_lemma:
  1190   "\<lbrakk>k - n div 2 = Suc k'; n \<le> k; n mod 2 = Suc 0\<rbrakk>
  1191   \<Longrightarrow> k' - n div 2 = k - n"
  1192 apply(rule add_right_imp_eq[where a = "n - n div 2"])
  1193 apply(subst add_diff_assoc2, arith)
  1194 apply(simp add: div2_plus_div2)
  1195 done
  1196 
  1197 lemma rbtreeify_f_simps:
  1198   "rbtreeify_f 0 kvs = (RBT_Impl.Empty, kvs)"
  1199   "rbtreeify_f (Suc 0) ((k, v) # kvs) = 
  1200   (Branch R Empty k v Empty, kvs)"
  1201   "0 < n \<Longrightarrow> rbtreeify_f (2 * n) kvs =
  1202    (case rbtreeify_f n kvs of (t1, (k, v) # kvs') \<Rightarrow>
  1203      apfst (Branch B t1 k v) (rbtreeify_g n kvs'))"
  1204   "0 < n \<Longrightarrow> rbtreeify_f (Suc (2 * n)) kvs =
  1205    (case rbtreeify_f n kvs of (t1, (k, v) # kvs') \<Rightarrow> 
  1206      apfst (Branch B t1 k v) (rbtreeify_f n kvs'))"
  1207 by(subst (1) rbtreeify_f.simps, simp add: Suc_double_half)+
  1208 
  1209 lemma rbtreeify_g_simps:
  1210   "rbtreeify_g 0 kvs = (Empty, kvs)"
  1211   "rbtreeify_g (Suc 0) kvs = (Empty, kvs)"
  1212   "0 < n \<Longrightarrow> rbtreeify_g (2 * n) kvs =
  1213    (case rbtreeify_g n kvs of (t1, (k, v) # kvs') \<Rightarrow> 
  1214      apfst (Branch B t1 k v) (rbtreeify_g n kvs'))"
  1215   "0 < n \<Longrightarrow> rbtreeify_g (Suc (2 * n)) kvs =
  1216    (case rbtreeify_f n kvs of (t1, (k, v) # kvs') \<Rightarrow> 
  1217      apfst (Branch B t1 k v) (rbtreeify_g n kvs'))"
  1218 by(subst (1) rbtreeify_g.simps, simp add: Suc_double_half)+
  1219 
  1220 declare rbtreeify_f_simps[simp] rbtreeify_g_simps[simp]
  1221 
  1222 lemma length_rbtreeify_f: "n \<le> length kvs
  1223   \<Longrightarrow> length (snd (rbtreeify_f n kvs)) = length kvs - n"
  1224   and length_rbtreeify_g:"\<lbrakk> 0 < n; n \<le> Suc (length kvs) \<rbrakk>
  1225   \<Longrightarrow> length (snd (rbtreeify_g n kvs)) = Suc (length kvs) - n"
  1226 proof(induction n kvs and n kvs rule: rbtreeify_f_rbtreeify_g.induct)
  1227   case (1 n kvs)
  1228   show ?case
  1229   proof(cases "n \<le> 1")
  1230     case True thus ?thesis using "1.prems"
  1231       by(cases n kvs rule: nat.exhaust[case_product list.exhaust]) auto
  1232   next
  1233     case False
  1234     hence "n \<noteq> 0" "n \<noteq> 1" by simp_all
  1235     note IH = "1.IH"[OF this]
  1236     show ?thesis
  1237     proof(cases "n mod 2 = 0")
  1238       case True
  1239       hence "length (snd (rbtreeify_f n kvs)) = 
  1240         length (snd (rbtreeify_f (2 * (n div 2)) kvs))"
  1241         by(metis minus_nat.diff_0 mult_div_cancel)
  1242       also from "1.prems" False obtain k v kvs' 
  1243         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
  1244       also have "0 < n div 2" using False by(simp) 
  1245       note rbtreeify_f_simps(3)[OF this]
  1246       also note kvs[symmetric] 
  1247       also let ?rest1 = "snd (rbtreeify_f (n div 2) kvs)"
  1248       from "1.prems" have "n div 2 \<le> length kvs" by simp
  1249       with True have len: "length ?rest1 = length kvs - n div 2" by(rule IH)
  1250       with "1.prems" False obtain t1 k' v' kvs''
  1251         where kvs'': "rbtreeify_f (n div 2) kvs = (t1, (k', v') # kvs'')"
  1252          by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm)
  1253       note this also note prod.case also note list.simps(5) 
  1254       also note prod.case also note snd_apfst
  1255       also have "0 < n div 2" "n div 2 \<le> Suc (length kvs'')" 
  1256         using len "1.prems" False unfolding kvs'' by simp_all
  1257       with True kvs''[symmetric] refl refl
  1258       have "length (snd (rbtreeify_g (n div 2) kvs'')) = 
  1259         Suc (length kvs'') - n div 2" by(rule IH)
  1260       finally show ?thesis using len[unfolded kvs''] "1.prems" True
  1261         by(simp add: Suc_diff_le[symmetric] mult_2[symmetric] mult_div_cancel)
  1262     next
  1263       case False
  1264       hence "length (snd (rbtreeify_f n kvs)) = 
  1265         length (snd (rbtreeify_f (Suc (2 * (n div 2))) kvs))"
  1266         by(metis Suc_eq_plus1_left comm_semiring_1_class.normalizing_semiring_rules(7)
  1267              mod_2_not_eq_zero_eq_one_nat semiring_div_class.mod_div_equality')
  1268       also from "1.prems" `\<not> n \<le> 1` obtain k v kvs' 
  1269         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
  1270       also have "0 < n div 2" using `\<not> n \<le> 1` by(simp) 
  1271       note rbtreeify_f_simps(4)[OF this]
  1272       also note kvs[symmetric] 
  1273       also let ?rest1 = "snd (rbtreeify_f (n div 2) kvs)"
  1274       from "1.prems" have "n div 2 \<le> length kvs" by simp
  1275       with False have len: "length ?rest1 = length kvs - n div 2" by(rule IH)
  1276       with "1.prems" `\<not> n \<le> 1` obtain t1 k' v' kvs''
  1277         where kvs'': "rbtreeify_f (n div 2) kvs = (t1, (k', v') # kvs'')"
  1278         by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm)
  1279       note this also note prod.case also note list.simps(5)
  1280       also note prod.case also note snd_apfst
  1281       also have "n div 2 \<le> length kvs''" 
  1282         using len "1.prems" False unfolding kvs'' by simp arith
  1283       with False kvs''[symmetric] refl refl
  1284       have "length (snd (rbtreeify_f (n div 2) kvs'')) = length kvs'' - n div 2"
  1285         by(rule IH)
  1286       finally show ?thesis using len[unfolded kvs''] "1.prems" False
  1287         by simp(rule rbtreeify_f_rec_aux_lemma[OF sym])
  1288     qed
  1289   qed
  1290 next
  1291   case (2 n kvs)
  1292   show ?case
  1293   proof(cases "n > 1")
  1294     case False with `0 < n` show ?thesis
  1295       by(cases n kvs rule: nat.exhaust[case_product list.exhaust]) simp_all
  1296   next
  1297     case True
  1298     hence "\<not> (n = 0 \<or> n = 1)" by simp
  1299     note IH = "2.IH"[OF this]
  1300     show ?thesis
  1301     proof(cases "n mod 2 = 0")
  1302       case True
  1303       hence "length (snd (rbtreeify_g n kvs)) =
  1304         length (snd (rbtreeify_g (2 * (n div 2)) kvs))"
  1305         by(metis minus_nat.diff_0 mult_div_cancel)
  1306       also from "2.prems" True obtain k v kvs' 
  1307         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
  1308       also have "0 < n div 2" using `1 < n` by(simp) 
  1309       note rbtreeify_g_simps(3)[OF this]
  1310       also note kvs[symmetric] 
  1311       also let ?rest1 = "snd (rbtreeify_g (n div 2) kvs)"
  1312       from "2.prems" `1 < n`
  1313       have "0 < n div 2" "n div 2 \<le> Suc (length kvs)" by simp_all
  1314       with True have len: "length ?rest1 = Suc (length kvs) - n div 2" by(rule IH)
  1315       with "2.prems" obtain t1 k' v' kvs''
  1316         where kvs'': "rbtreeify_g (n div 2) kvs = (t1, (k', v') # kvs'')"
  1317         by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm)
  1318       note this also note prod.case also note list.simps(5) 
  1319       also note prod.case also note snd_apfst
  1320       also have "n div 2 \<le> Suc (length kvs'')" 
  1321         using len "2.prems" unfolding kvs'' by simp
  1322       with True kvs''[symmetric] refl refl `0 < n div 2`
  1323       have "length (snd (rbtreeify_g (n div 2) kvs'')) = Suc (length kvs'') - n div 2"
  1324         by(rule IH)
  1325       finally show ?thesis using len[unfolded kvs''] "2.prems" True
  1326         by(simp add: Suc_diff_le[symmetric] mult_2[symmetric] mult_div_cancel)
  1327     next
  1328       case False
  1329       hence "length (snd (rbtreeify_g n kvs)) = 
  1330         length (snd (rbtreeify_g (Suc (2 * (n div 2))) kvs))"
  1331         by(metis Suc_eq_plus1_left comm_semiring_1_class.normalizing_semiring_rules(7) 
  1332             mod_2_not_eq_zero_eq_one_nat semiring_div_class.mod_div_equality')
  1333       also from "2.prems" `1 < n` obtain k v kvs'
  1334         where kvs: "kvs = (k, v) # kvs'" by(cases kvs) auto
  1335       also have "0 < n div 2" using `1 < n` by(simp)
  1336       note rbtreeify_g_simps(4)[OF this]
  1337       also note kvs[symmetric] 
  1338       also let ?rest1 = "snd (rbtreeify_f (n div 2) kvs)"
  1339       from "2.prems" have "n div 2 \<le> length kvs" by simp
  1340       with False have len: "length ?rest1 = length kvs - n div 2" by(rule IH)
  1341       with "2.prems" `1 < n` False obtain t1 k' v' kvs'' 
  1342         where kvs'': "rbtreeify_f (n div 2) kvs = (t1, (k', v') # kvs'')"
  1343         by(cases ?rest1)(auto simp add: snd_def split: prod.split_asm, arith)
  1344       note this also note prod.case also note list.simps(5) 
  1345       also note prod.case also note snd_apfst
  1346       also have "n div 2 \<le> Suc (length kvs'')" 
  1347         using len "2.prems" False unfolding kvs'' by simp arith
  1348       with False kvs''[symmetric] refl refl `0 < n div 2`
  1349       have "length (snd (rbtreeify_g (n div 2) kvs'')) = Suc (length kvs'') - n div 2"
  1350         by(rule IH)
  1351       finally show ?thesis using len[unfolded kvs''] "2.prems" False
  1352         by(simp add: div2_plus_div2)
  1353     qed
  1354   qed
  1355 qed
  1356 
  1357 lemma rbtreeify_induct [consumes 1, case_names f_0 f_1 f_even f_odd g_0 g_1 g_even g_odd]:
  1358   fixes P Q
  1359   defines "f0 == (\<And>kvs. P 0 kvs)"
  1360   and "f1 == (\<And>k v kvs. P (Suc 0) ((k, v) # kvs))"
  1361   and "feven ==
  1362     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> length kvs; P n kvs; 
  1363        rbtreeify_f n kvs = (t, (k, v) # kvs'); n \<le> Suc (length kvs'); Q n kvs' \<rbrakk> 
  1364      \<Longrightarrow> P (2 * n) kvs)"
  1365   and "fodd == 
  1366     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> length kvs; P n kvs;
  1367        rbtreeify_f n kvs = (t, (k, v) # kvs'); n \<le> length kvs'; P n kvs' \<rbrakk> 
  1368     \<Longrightarrow> P (Suc (2 * n)) kvs)"
  1369   and "g0 == (\<And>kvs. Q 0 kvs)"
  1370   and "g1 == (\<And>kvs. Q (Suc 0) kvs)"
  1371   and "geven == 
  1372     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> Suc (length kvs); Q n kvs; 
  1373        rbtreeify_g n kvs = (t, (k, v) # kvs'); n \<le> Suc (length kvs'); Q n kvs' \<rbrakk>
  1374     \<Longrightarrow> Q (2 * n) kvs)"
  1375   and "godd == 
  1376     (\<And>n kvs t k v kvs'. \<lbrakk> n > 0; n \<le> length kvs; P n kvs;
  1377        rbtreeify_f n kvs = (t, (k, v) # kvs'); n \<le> Suc (length kvs'); Q n kvs' \<rbrakk>
  1378     \<Longrightarrow> Q (Suc (2 * n)) kvs)"
  1379   shows "\<lbrakk> n \<le> length kvs; 
  1380            PROP f0; PROP f1; PROP feven; PROP fodd; 
  1381            PROP g0; PROP g1; PROP geven; PROP godd \<rbrakk>
  1382          \<Longrightarrow> P n kvs"
  1383   and "\<lbrakk> n \<le> Suc (length kvs);
  1384           PROP f0; PROP f1; PROP feven; PROP fodd; 
  1385           PROP g0; PROP g1; PROP geven; PROP godd \<rbrakk>
  1386        \<Longrightarrow> Q n kvs"
  1387 proof -
  1388   assume f0: "PROP f0" and f1: "PROP f1" and feven: "PROP feven" and fodd: "PROP fodd"
  1389     and g0: "PROP g0" and g1: "PROP g1" and geven: "PROP geven" and godd: "PROP godd"
  1390   show "n \<le> length kvs \<Longrightarrow> P n kvs" and "n \<le> Suc (length kvs) \<Longrightarrow> Q n kvs"
  1391   proof(induction rule: rbtreeify_f_rbtreeify_g.induct)
  1392     case (1 n kvs)
  1393     show ?case
  1394     proof(cases "n \<le> 1")
  1395       case True thus ?thesis using "1.prems"
  1396         by(cases n kvs rule: nat.exhaust[case_product list.exhaust])
  1397           (auto simp add: f0[unfolded f0_def] f1[unfolded f1_def])
  1398     next
  1399       case False 
  1400       hence ns: "n \<noteq> 0" "n \<noteq> 1" by simp_all
  1401       hence ge0: "n div 2 > 0" by simp
  1402       note IH = "1.IH"[OF ns]
  1403       show ?thesis
  1404       proof(cases "n mod 2 = 0")
  1405         case True note ge0 
  1406         moreover from "1.prems" have n2: "n div 2 \<le> length kvs" by simp
  1407         moreover from True n2 have "P (n div 2) kvs" by(rule IH)
  1408         moreover from length_rbtreeify_f[OF n2] ge0 "1.prems" obtain t k v kvs' 
  1409           where kvs': "rbtreeify_f (n div 2) kvs = (t, (k, v) # kvs')"
  1410           by(cases "snd (rbtreeify_f (n div 2) kvs)")
  1411             (auto simp add: snd_def split: prod.split_asm)
  1412         moreover from "1.prems" length_rbtreeify_f[OF n2] ge0
  1413         have n2': "n div 2 \<le> Suc (length kvs')" by(simp add: kvs')
  1414         moreover from True kvs'[symmetric] refl refl n2'
  1415         have "Q (n div 2) kvs'" by(rule IH)
  1416         moreover note feven[unfolded feven_def]
  1417           (* FIXME: why does by(rule feven[unfolded feven_def]) not work? *)
  1418         ultimately have "P (2 * (n div 2)) kvs" by -
  1419         thus ?thesis using True by (metis div_mod_equality' minus_nat.diff_0 nat_mult_commute)
  1420       next
  1421         case False note ge0
  1422         moreover from "1.prems" have n2: "n div 2 \<le> length kvs" by simp
  1423         moreover from False n2 have "P (n div 2) kvs" by(rule IH)
  1424         moreover from length_rbtreeify_f[OF n2] ge0 "1.prems" obtain t k v kvs' 
  1425           where kvs': "rbtreeify_f (n div 2) kvs = (t, (k, v) # kvs')"
  1426           by(cases "snd (rbtreeify_f (n div 2) kvs)")
  1427             (auto simp add: snd_def split: prod.split_asm)
  1428         moreover from "1.prems" length_rbtreeify_f[OF n2] ge0 False
  1429         have n2': "n div 2 \<le> length kvs'" by(simp add: kvs') arith
  1430         moreover from False kvs'[symmetric] refl refl n2' have "P (n div 2) kvs'" by(rule IH)
  1431         moreover note fodd[unfolded fodd_def]
  1432         ultimately have "P (Suc (2 * (n div 2))) kvs" by -
  1433         thus ?thesis using False 
  1434           by simp (metis One_nat_def Suc_eq_plus1_left le_add_diff_inverse mod_less_eq_dividend mult_div_cancel)
  1435       qed
  1436     qed
  1437   next
  1438     case (2 n kvs)
  1439     show ?case
  1440     proof(cases "n \<le> 1")
  1441       case True thus ?thesis using "2.prems"
  1442         by(cases n kvs rule: nat.exhaust[case_product list.exhaust])
  1443           (auto simp add: g0[unfolded g0_def] g1[unfolded g1_def])
  1444     next
  1445       case False 
  1446       hence ns: "\<not> (n = 0 \<or> n = 1)" by simp
  1447       hence ge0: "n div 2 > 0" by simp
  1448       note IH = "2.IH"[OF ns]
  1449       show ?thesis
  1450       proof(cases "n mod 2 = 0")
  1451         case True note ge0
  1452         moreover from "2.prems" have n2: "n div 2 \<le> Suc (length kvs)" by simp
  1453         moreover from True n2 have "Q (n div 2) kvs" by(rule IH)
  1454         moreover from length_rbtreeify_g[OF ge0 n2] ge0 "2.prems" obtain t k v kvs' 
  1455           where kvs': "rbtreeify_g (n div 2) kvs = (t, (k, v) # kvs')"
  1456           by(cases "snd (rbtreeify_g (n div 2) kvs)")
  1457             (auto simp add: snd_def split: prod.split_asm)
  1458         moreover from "2.prems" length_rbtreeify_g[OF ge0 n2] ge0
  1459         have n2': "n div 2 \<le> Suc (length kvs')" by(simp add: kvs')
  1460         moreover from True kvs'[symmetric] refl refl  n2'
  1461         have "Q (n div 2) kvs'" by(rule IH)
  1462         moreover note geven[unfolded geven_def]
  1463         ultimately have "Q (2 * (n div 2)) kvs" by -
  1464         thus ?thesis using True 
  1465           by(metis div_mod_equality' minus_nat.diff_0 nat_mult_commute)
  1466       next
  1467         case False note ge0
  1468         moreover from "2.prems" have n2: "n div 2 \<le> length kvs" by simp
  1469         moreover from False n2 have "P (n div 2) kvs" by(rule IH)
  1470         moreover from length_rbtreeify_f[OF n2] ge0 "2.prems" False obtain t k v kvs' 
  1471           where kvs': "rbtreeify_f (n div 2) kvs = (t, (k, v) # kvs')"
  1472           by(cases "snd (rbtreeify_f (n div 2) kvs)")
  1473             (auto simp add: snd_def split: prod.split_asm, arith)
  1474         moreover from "2.prems" length_rbtreeify_f[OF n2] ge0 False
  1475         have n2': "n div 2 \<le> Suc (length kvs')" by(simp add: kvs') arith
  1476         moreover from False kvs'[symmetric] refl refl n2'
  1477         have "Q (n div 2) kvs'" by(rule IH)
  1478         moreover note godd[unfolded godd_def]
  1479         ultimately have "Q (Suc (2 * (n div 2))) kvs" by -
  1480         thus ?thesis using False 
  1481           by simp (metis One_nat_def Suc_eq_plus1_left le_add_diff_inverse mod_less_eq_dividend mult_div_cancel)
  1482       qed
  1483     qed
  1484   qed
  1485 qed
  1486 
  1487 lemma inv1_rbtreeify_f: "n \<le> length kvs 
  1488   \<Longrightarrow> inv1 (fst (rbtreeify_f n kvs))"
  1489   and inv1_rbtreeify_g: "n \<le> Suc (length kvs)
  1490   \<Longrightarrow> inv1 (fst (rbtreeify_g n kvs))"
  1491 by(induct n kvs and n kvs rule: rbtreeify_induct) simp_all
  1492 
  1493 fun plog2 :: "nat \<Rightarrow> nat" 
  1494 where "plog2 n = (if n \<le> 1 then 0 else plog2 (n div 2) + 1)"
  1495 
  1496 declare plog2.simps [simp del]
  1497 
  1498 lemma plog2_simps [simp]:
  1499   "plog2 0 = 0" "plog2 (Suc 0) = 0"
  1500   "0 < n \<Longrightarrow> plog2 (2 * n) = 1 + plog2 n"
  1501   "0 < n \<Longrightarrow> plog2 (Suc (2 * n)) = 1 + plog2 n"
  1502 by(subst plog2.simps, simp add: Suc_double_half)+
  1503 
  1504 lemma bheight_rbtreeify_f: "n \<le> length kvs
  1505   \<Longrightarrow> bheight (fst (rbtreeify_f n kvs)) = plog2 n"
  1506   and bheight_rbtreeify_g: "n \<le> Suc (length kvs)
  1507   \<Longrightarrow> bheight (fst (rbtreeify_g n kvs)) = plog2 n"
  1508 by(induct n kvs and n kvs rule: rbtreeify_induct) simp_all
  1509 
  1510 lemma bheight_rbtreeify_f_eq_plog2I:
  1511   "\<lbrakk> rbtreeify_f n kvs = (t, kvs'); n \<le> length kvs \<rbrakk> 
  1512   \<Longrightarrow> bheight t = plog2 n"
  1513 using bheight_rbtreeify_f[of n kvs] by simp
  1514 
  1515 lemma bheight_rbtreeify_g_eq_plog2I: 
  1516   "\<lbrakk> rbtreeify_g n kvs = (t, kvs'); n \<le> Suc (length kvs) \<rbrakk>
  1517   \<Longrightarrow> bheight t = plog2 n"
  1518 using bheight_rbtreeify_g[of n kvs] by simp
  1519 
  1520 hide_const (open) plog2
  1521 
  1522 lemma inv2_rbtreeify_f: "n \<le> length kvs
  1523   \<Longrightarrow> inv2 (fst (rbtreeify_f n kvs))"
  1524   and inv2_rbtreeify_g: "n \<le> Suc (length kvs)
  1525   \<Longrightarrow> inv2 (fst (rbtreeify_g n kvs))"
  1526 by(induct n kvs and n kvs rule: rbtreeify_induct)
  1527   (auto simp add: bheight_rbtreeify_f bheight_rbtreeify_g 
  1528         intro: bheight_rbtreeify_f_eq_plog2I bheight_rbtreeify_g_eq_plog2I)
  1529 
  1530 lemma "n \<le> length kvs \<Longrightarrow> True"
  1531   and color_of_rbtreeify_g:
  1532   "\<lbrakk> n \<le> Suc (length kvs); 0 < n \<rbrakk> 
  1533   \<Longrightarrow> color_of (fst (rbtreeify_g n kvs)) = B"
  1534 by(induct n kvs and n kvs rule: rbtreeify_induct) simp_all
  1535 
  1536 lemma entries_rbtreeify_f_append:
  1537   "n \<le> length kvs 
  1538   \<Longrightarrow> entries (fst (rbtreeify_f n kvs)) @ snd (rbtreeify_f n kvs) = kvs"
  1539   and entries_rbtreeify_g_append: 
  1540   "n \<le> Suc (length kvs) 
  1541   \<Longrightarrow> entries (fst (rbtreeify_g n kvs)) @ snd (rbtreeify_g n kvs) = kvs"
  1542 by(induction rule: rbtreeify_induct) simp_all
  1543 
  1544 lemma length_entries_rbtreeify_f:
  1545   "n \<le> length kvs \<Longrightarrow> length (entries (fst (rbtreeify_f n kvs))) = n"
  1546   and length_entries_rbtreeify_g: 
  1547   "n \<le> Suc (length kvs) \<Longrightarrow> length (entries (fst (rbtreeify_g n kvs))) = n - 1"
  1548 by(induct rule: rbtreeify_induct) simp_all
  1549 
  1550 lemma rbtreeify_f_conv_drop: 
  1551   "n \<le> length kvs \<Longrightarrow> snd (rbtreeify_f n kvs) = drop n kvs"
  1552 using entries_rbtreeify_f_append[of n kvs]
  1553 by(simp add: append_eq_conv_conj length_entries_rbtreeify_f)
  1554 
  1555 lemma rbtreeify_g_conv_drop: 
  1556   "n \<le> Suc (length kvs) \<Longrightarrow> snd (rbtreeify_g n kvs) = drop (n - 1) kvs"
  1557 using entries_rbtreeify_g_append[of n kvs]
  1558 by(simp add: append_eq_conv_conj length_entries_rbtreeify_g)
  1559 
  1560 lemma entries_rbtreeify_f [simp]:
  1561   "n \<le> length kvs \<Longrightarrow> entries (fst (rbtreeify_f n kvs)) = take n kvs"
  1562 using entries_rbtreeify_f_append[of n kvs]
  1563 by(simp add: append_eq_conv_conj length_entries_rbtreeify_f)
  1564 
  1565 lemma entries_rbtreeify_g [simp]:
  1566   "n \<le> Suc (length kvs) \<Longrightarrow> 
  1567   entries (fst (rbtreeify_g n kvs)) = take (n - 1) kvs"
  1568 using entries_rbtreeify_g_append[of n kvs]
  1569 by(simp add: append_eq_conv_conj length_entries_rbtreeify_g)
  1570 
  1571 lemma keys_rbtreeify_f [simp]: "n \<le> length kvs
  1572   \<Longrightarrow> keys (fst (rbtreeify_f n kvs)) = take n (map fst kvs)"
  1573 by(simp add: keys_def take_map)
  1574 
  1575 lemma keys_rbtreeify_g [simp]: "n \<le> Suc (length kvs)
  1576   \<Longrightarrow> keys (fst (rbtreeify_g n kvs)) = take (n - 1) (map fst kvs)"
  1577 by(simp add: keys_def take_map)
  1578 
  1579 lemma rbtreeify_fD: 
  1580   "\<lbrakk> rbtreeify_f n kvs = (t, kvs'); n \<le> length kvs \<rbrakk> 
  1581   \<Longrightarrow> entries t = take n kvs \<and> kvs' = drop n kvs"
  1582 using rbtreeify_f_conv_drop[of n kvs] entries_rbtreeify_f[of n kvs] by simp
  1583 
  1584 lemma rbtreeify_gD: 
  1585   "\<lbrakk> rbtreeify_g n kvs = (t, kvs'); n \<le> Suc (length kvs) \<rbrakk>
  1586   \<Longrightarrow> entries t = take (n - 1) kvs \<and> kvs' = drop (n - 1) kvs"
  1587 using rbtreeify_g_conv_drop[of n kvs] entries_rbtreeify_g[of n kvs] by simp
  1588 
  1589 lemma entries_rbtreeify [simp]: "entries (rbtreeify kvs) = kvs"
  1590 by(simp add: rbtreeify_def entries_rbtreeify_g)
  1591 
  1592 context linorder begin
  1593 
  1594 lemma rbt_sorted_rbtreeify_f: 
  1595   "\<lbrakk> n \<le> length kvs; sorted (map fst kvs); distinct (map fst kvs) \<rbrakk> 
  1596   \<Longrightarrow> rbt_sorted (fst (rbtreeify_f n kvs))"
  1597   and rbt_sorted_rbtreeify_g: 
  1598   "\<lbrakk> n \<le> Suc (length kvs); sorted (map fst kvs); distinct (map fst kvs) \<rbrakk>
  1599   \<Longrightarrow> rbt_sorted (fst (rbtreeify_g n kvs))"
  1600 proof(induction n kvs and n kvs rule: rbtreeify_induct)
  1601   case (f_even n kvs t k v kvs')
  1602   from rbtreeify_fD[OF `rbtreeify_f n kvs = (t, (k, v) # kvs')` `n \<le> length kvs`]
  1603   have "entries t = take n kvs"
  1604     and kvs': "drop n kvs = (k, v) # kvs'" by simp_all
  1605   hence unfold: "kvs = take n kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
  1606   from `sorted (map fst kvs)` kvs'
  1607   have "(\<forall>(x, y) \<in> set (take n kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
  1608     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
  1609   moreover from `distinct (map fst kvs)` kvs'
  1610   have "(\<forall>(x, y) \<in> set (take n kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
  1611     by(subst (asm) unfold)(auto intro: rev_image_eqI)
  1612   ultimately have "(\<forall>(x, y) \<in> set (take n kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
  1613     by fastforce
  1614   hence "fst (rbtreeify_f n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_g n kvs')"
  1615     using `n \<le> Suc (length kvs')` `n \<le> length kvs` set_take_subset[of "n - 1" kvs']
  1616     by(auto simp add: ord.rbt_greater_prop ord.rbt_less_prop take_map split_def)
  1617   moreover from `sorted (map fst kvs)` `distinct (map fst kvs)`
  1618   have "rbt_sorted (fst (rbtreeify_f n kvs))" by(rule f_even.IH)
  1619   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
  1620     using `sorted (map fst kvs)` `distinct (map fst kvs)`
  1621     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
  1622   hence "rbt_sorted (fst (rbtreeify_g n kvs'))" by(rule f_even.IH)
  1623   ultimately show ?case
  1624     using `0 < n` `rbtreeify_f n kvs = (t, (k, v) # kvs')` by simp
  1625 next
  1626   case (f_odd n kvs t k v kvs')
  1627   from rbtreeify_fD[OF `rbtreeify_f n kvs = (t, (k, v) # kvs')` `n \<le> length kvs`]
  1628   have "entries t = take n kvs" 
  1629     and kvs': "drop n kvs = (k, v) # kvs'" by simp_all
  1630   hence unfold: "kvs = take n kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
  1631   from `sorted (map fst kvs)` kvs'
  1632   have "(\<forall>(x, y) \<in> set (take n kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
  1633     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
  1634   moreover from `distinct (map fst kvs)` kvs'
  1635   have "(\<forall>(x, y) \<in> set (take n kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
  1636     by(subst (asm) unfold)(auto intro: rev_image_eqI)
  1637   ultimately have "(\<forall>(x, y) \<in> set (take n kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
  1638     by fastforce
  1639   hence "fst (rbtreeify_f n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_f n kvs')"
  1640     using `n \<le> length kvs'` `n \<le> length kvs` set_take_subset[of n kvs']
  1641     by(auto simp add: rbt_greater_prop rbt_less_prop take_map split_def)
  1642   moreover from `sorted (map fst kvs)` `distinct (map fst kvs)`
  1643   have "rbt_sorted (fst (rbtreeify_f n kvs))" by(rule f_odd.IH)
  1644   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
  1645     using `sorted (map fst kvs)` `distinct (map fst kvs)`
  1646     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
  1647   hence "rbt_sorted (fst (rbtreeify_f n kvs'))" by(rule f_odd.IH)
  1648   ultimately show ?case 
  1649     using `0 < n` `rbtreeify_f n kvs = (t, (k, v) # kvs')` by simp
  1650 next
  1651   case (g_even n kvs t k v kvs')
  1652   from rbtreeify_gD[OF `rbtreeify_g n kvs = (t, (k, v) # kvs')` `n \<le> Suc (length kvs)`]
  1653   have t: "entries t = take (n - 1) kvs" 
  1654     and kvs': "drop (n - 1) kvs = (k, v) # kvs'" by simp_all
  1655   hence unfold: "kvs = take (n - 1) kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
  1656   from `sorted (map fst kvs)` kvs'
  1657   have "(\<forall>(x, y) \<in> set (take (n - 1) kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
  1658     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
  1659   moreover from `distinct (map fst kvs)` kvs'
  1660   have "(\<forall>(x, y) \<in> set (take (n - 1) kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
  1661     by(subst (asm) unfold)(auto intro: rev_image_eqI)
  1662   ultimately have "(\<forall>(x, y) \<in> set (take (n - 1) kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
  1663     by fastforce
  1664   hence "fst (rbtreeify_g n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_g n kvs')"
  1665     using `n \<le> Suc (length kvs')` `n \<le> Suc (length kvs)` set_take_subset[of "n - 1" kvs']
  1666     by(auto simp add: rbt_greater_prop rbt_less_prop take_map split_def)
  1667   moreover from `sorted (map fst kvs)` `distinct (map fst kvs)`
  1668   have "rbt_sorted (fst (rbtreeify_g n kvs))" by(rule g_even.IH)
  1669   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
  1670     using `sorted (map fst kvs)` `distinct (map fst kvs)`
  1671     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
  1672   hence "rbt_sorted (fst (rbtreeify_g n kvs'))" by(rule g_even.IH)
  1673   ultimately show ?case using `0 < n` `rbtreeify_g n kvs = (t, (k, v) # kvs')` by simp
  1674 next
  1675   case (g_odd n kvs t k v kvs')
  1676   from rbtreeify_fD[OF `rbtreeify_f n kvs = (t, (k, v) # kvs')` `n \<le> length kvs`]
  1677   have "entries t = take n kvs"
  1678     and kvs': "drop n kvs = (k, v) # kvs'" by simp_all
  1679   hence unfold: "kvs = take n kvs @ (k, v) # kvs'" by(metis append_take_drop_id)
  1680   from `sorted (map fst kvs)` kvs'
  1681   have "(\<forall>(x, y) \<in> set (take n kvs). x \<le> k) \<and> (\<forall>(x, y) \<in> set kvs'. k \<le> x)"
  1682     by(subst (asm) unfold)(auto simp add: sorted_append sorted_Cons)
  1683   moreover from `distinct (map fst kvs)` kvs'
  1684   have "(\<forall>(x, y) \<in> set (take n kvs). x \<noteq> k) \<and> (\<forall>(x, y) \<in> set kvs'. x \<noteq> k)"
  1685     by(subst (asm) unfold)(auto intro: rev_image_eqI)
  1686   ultimately have "(\<forall>(x, y) \<in> set (take n kvs). x < k) \<and> (\<forall>(x, y) \<in> set kvs'. k < x)"
  1687     by fastforce
  1688   hence "fst (rbtreeify_f n kvs) |\<guillemotleft> k" "k \<guillemotleft>| fst (rbtreeify_g n kvs')"
  1689     using `n \<le> Suc (length kvs')` `n \<le> length kvs` set_take_subset[of "n - 1" kvs']
  1690     by(auto simp add: rbt_greater_prop rbt_less_prop take_map split_def)
  1691   moreover from `sorted (map fst kvs)` `distinct (map fst kvs)`
  1692   have "rbt_sorted (fst (rbtreeify_f n kvs))" by(rule g_odd.IH)
  1693   moreover have "sorted (map fst kvs')" "distinct (map fst kvs')"
  1694     using `sorted (map fst kvs)` `distinct (map fst kvs)`
  1695     by(subst (asm) (1 2) unfold, simp add: sorted_append sorted_Cons)+
  1696   hence "rbt_sorted (fst (rbtreeify_g n kvs'))" by(rule g_odd.IH)
  1697   ultimately show ?case
  1698     using `0 < n` `rbtreeify_f n kvs = (t, (k, v) # kvs')` by simp
  1699 qed simp_all
  1700 
  1701 lemma rbt_sorted_rbtreeify: 
  1702   "\<lbrakk> sorted (map fst kvs); distinct (map fst kvs) \<rbrakk> \<Longrightarrow> rbt_sorted (rbtreeify kvs)"
  1703 by(simp add: rbtreeify_def rbt_sorted_rbtreeify_g)
  1704 
  1705 lemma is_rbt_rbtreeify: 
  1706   "\<lbrakk> sorted (map fst kvs); distinct (map fst kvs) \<rbrakk>
  1707   \<Longrightarrow> is_rbt (rbtreeify kvs)"
  1708 by(simp add: is_rbt_def rbtreeify_def inv1_rbtreeify_g inv2_rbtreeify_g rbt_sorted_rbtreeify_g color_of_rbtreeify_g)
  1709 
  1710 lemma rbt_lookup_rbtreeify:
  1711   "\<lbrakk> sorted (map fst kvs); distinct (map fst kvs) \<rbrakk> \<Longrightarrow> 
  1712   rbt_lookup (rbtreeify kvs) = map_of kvs"
  1713 by(simp add: map_of_entries[symmetric] rbt_sorted_rbtreeify)
  1714 
  1715 end
  1716 
  1717 text {* 
  1718   Functions to compare the height of two rbt trees, taken from 
  1719   Andrew W. Appel, Efficient Verified Red-Black Trees (September 2011)
  1720 *}
  1721 
  1722 fun skip_red :: "('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
  1723 where
  1724   "skip_red (Branch color.R l k v r) = l"
  1725 | "skip_red t = t"
  1726 
  1727 definition skip_black :: "('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
  1728 where
  1729   "skip_black t = (let t' = skip_red t in case t' of Branch color.B l k v r \<Rightarrow> l | _ \<Rightarrow> t')"
  1730 
  1731 datatype compare = LT | GT | EQ
  1732 
  1733 partial_function (tailrec) compare_height :: "('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> compare"
  1734 where
  1735   "compare_height sx s t tx =
  1736   (case (skip_red sx, skip_red s, skip_red t, skip_red tx) of
  1737      (Branch _ sx' _ _ _, Branch _ s' _ _ _, Branch _ t' _ _ _, Branch _ tx' _ _ _) \<Rightarrow> 
  1738        compare_height (skip_black sx') s' t' (skip_black tx')
  1739    | (_, rbt.Empty, _, Branch _ _ _ _ _) \<Rightarrow> LT
  1740    | (Branch _ _ _ _ _, _, rbt.Empty, _) \<Rightarrow> GT
  1741    | (Branch _ sx' _ _ _, Branch _ s' _ _ _, Branch _ t' _ _ _, rbt.Empty) \<Rightarrow>
  1742        compare_height (skip_black sx') s' t' rbt.Empty
  1743    | (rbt.Empty, Branch _ s' _ _ _, Branch _ t' _ _ _, Branch _ tx' _ _ _) \<Rightarrow>
  1744        compare_height rbt.Empty s' t' (skip_black tx')
  1745    | _ \<Rightarrow> EQ)"
  1746 
  1747 declare compare_height.simps [code]
  1748 
  1749 hide_type (open) compare
  1750 hide_const (open)
  1751   compare_height skip_black skip_red LT GT EQ case_compare rec_compare
  1752   Abs_compare Rep_compare rep_set_compare
  1753 hide_fact (open)
  1754   Abs_compare_cases Abs_compare_induct Abs_compare_inject Abs_compare_inverse
  1755   Rep_compare Rep_compare_cases Rep_compare_induct Rep_compare_inject Rep_compare_inverse
  1756   compare.simps compare.exhaust compare.induct compare.rec compare.simps
  1757   compare.size compare.case_cong compare.weak_case_cong compare.case
  1758   compare.nchotomy compare.split compare.split_asm rec_compare_def
  1759   compare.eq.refl compare.eq.simps
  1760   compare.EQ_def compare.GT_def compare.LT_def
  1761   equal_compare_def
  1762   skip_red_def skip_red.simps skip_red.cases skip_red.induct 
  1763   skip_black_def
  1764   compare_height_def compare_height.simps
  1765 
  1766 subsection {* union and intersection of sorted associative lists *}
  1767 
  1768 context ord begin
  1769 
  1770 function sunion_with :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list" 
  1771 where
  1772   "sunion_with f ((k, v) # as) ((k', v') # bs) =
  1773    (if k > k' then (k', v') # sunion_with f ((k, v) # as) bs
  1774     else if k < k' then (k, v) # sunion_with f as ((k', v') # bs)
  1775     else (k, f k v v') # sunion_with f as bs)"
  1776 | "sunion_with f [] bs = bs"
  1777 | "sunion_with f as [] = as"
  1778 by pat_completeness auto
  1779 termination by lexicographic_order
  1780 
  1781 function sinter_with :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list \<Rightarrow> ('a \<times> 'b) list"
  1782 where
  1783   "sinter_with f ((k, v) # as) ((k', v') # bs) =
  1784   (if k > k' then sinter_with f ((k, v) # as) bs
  1785    else if k < k' then sinter_with f as ((k', v') # bs)
  1786    else (k, f k v v') # sinter_with f as bs)"
  1787 | "sinter_with f [] _ = []"
  1788 | "sinter_with f _ [] = []"
  1789 by pat_completeness auto
  1790 termination by lexicographic_order
  1791 
  1792 end
  1793 
  1794 declare ord.sunion_with.simps [code] ord.sinter_with.simps[code]
  1795 
  1796 context linorder begin
  1797 
  1798 lemma set_fst_sunion_with: 
  1799   "set (map fst (sunion_with f xs ys)) = set (map fst xs) \<union> set (map fst ys)"
  1800 by(induct f xs ys rule: sunion_with.induct) auto
  1801 
  1802 lemma sorted_sunion_with [simp]:
  1803   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk> 
  1804   \<Longrightarrow> sorted (map fst (sunion_with f xs ys))"
  1805 by(induct f xs ys rule: sunion_with.induct)
  1806   (auto simp add: sorted_Cons set_fst_sunion_with simp del: set_map)
  1807 
  1808 lemma distinct_sunion_with [simp]:
  1809   "\<lbrakk> distinct (map fst xs); distinct (map fst ys); sorted (map fst xs); sorted (map fst ys) \<rbrakk>
  1810   \<Longrightarrow> distinct (map fst (sunion_with f xs ys))"
  1811 proof(induct f xs ys rule: sunion_with.induct)
  1812   case (1 f k v xs k' v' ys)
  1813   have "\<lbrakk> \<not> k < k'; \<not> k' < k \<rbrakk> \<Longrightarrow> k = k'" by simp
  1814   thus ?case using "1"
  1815     by(auto simp add: set_fst_sunion_with sorted_Cons simp del: set_map)
  1816 qed simp_all
  1817 
  1818 lemma map_of_sunion_with: 
  1819   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
  1820   \<Longrightarrow> map_of (sunion_with f xs ys) k = 
  1821   (case map_of xs k of None \<Rightarrow> map_of ys k 
  1822   | Some v \<Rightarrow> case map_of ys k of None \<Rightarrow> Some v 
  1823               | Some w \<Rightarrow> Some (f k v w))"
  1824 by(induct f xs ys rule: sunion_with.induct)(auto simp add: sorted_Cons split: option.split dest: map_of_SomeD bspec)
  1825 
  1826 lemma set_fst_sinter_with [simp]:
  1827   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
  1828   \<Longrightarrow> set (map fst (sinter_with f xs ys)) = set (map fst xs) \<inter> set (map fst ys)"
  1829 by(induct f xs ys rule: sinter_with.induct)(auto simp add: sorted_Cons simp del: set_map)
  1830 
  1831 lemma set_fst_sinter_with_subset1:
  1832   "set (map fst (sinter_with f xs ys)) \<subseteq> set (map fst xs)"
  1833 by(induct f xs ys rule: sinter_with.induct) auto
  1834 
  1835 lemma set_fst_sinter_with_subset2:
  1836   "set (map fst (sinter_with f xs ys)) \<subseteq> set (map fst ys)"
  1837 by(induct f xs ys rule: sinter_with.induct)(auto simp del: set_map)
  1838 
  1839 lemma sorted_sinter_with [simp]:
  1840   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
  1841   \<Longrightarrow> sorted (map fst (sinter_with f xs ys))"
  1842 by(induct f xs ys rule: sinter_with.induct)(auto simp add: sorted_Cons simp del: set_map)
  1843 
  1844 lemma distinct_sinter_with [simp]:
  1845   "\<lbrakk> distinct (map fst xs); distinct (map fst ys) \<rbrakk>
  1846   \<Longrightarrow> distinct (map fst (sinter_with f xs ys))"
  1847 proof(induct f xs ys rule: sinter_with.induct)
  1848   case (1 f k v as k' v' bs)
  1849   have "\<lbrakk> \<not> k < k'; \<not> k' < k \<rbrakk> \<Longrightarrow> k = k'" by simp
  1850   thus ?case using "1" set_fst_sinter_with_subset1[of f as bs]
  1851     set_fst_sinter_with_subset2[of f as bs]
  1852     by(auto simp del: set_map)
  1853 qed simp_all
  1854 
  1855 lemma map_of_sinter_with:
  1856   "\<lbrakk> sorted (map fst xs); sorted (map fst ys) \<rbrakk>
  1857   \<Longrightarrow> map_of (sinter_with f xs ys) k = 
  1858   (case map_of xs k of None \<Rightarrow> None | Some v \<Rightarrow> map_option (f k v) (map_of ys k))"
  1859 apply(induct f xs ys rule: sinter_with.induct)
  1860 apply(auto simp add: sorted_Cons map_option_case split: option.splits dest: map_of_SomeD bspec)
  1861 done
  1862 
  1863 end
  1864 
  1865 lemma distinct_map_of_rev: "distinct (map fst xs) \<Longrightarrow> map_of (rev xs) = map_of xs"
  1866 by(induct xs)(auto 4 3 simp add: map_add_def intro!: ext split: option.split intro: rev_image_eqI)
  1867 
  1868 lemma map_map_filter: 
  1869   "map f (List.map_filter g xs) = List.map_filter (map_option f \<circ> g) xs"
  1870 by(auto simp add: List.map_filter_def)
  1871 
  1872 lemma map_filter_map_option_const: 
  1873   "List.map_filter (\<lambda>x. map_option (\<lambda>y. f x) (g (f x))) xs = filter (\<lambda>x. g x \<noteq> None) (map f xs)"
  1874 by(auto simp add: map_filter_def filter_map o_def)
  1875 
  1876 lemma set_map_filter: "set (List.map_filter P xs) = the ` (P ` set xs - {None})"
  1877 by(auto simp add: List.map_filter_def intro: rev_image_eqI)
  1878 
  1879 context ord begin
  1880 
  1881 definition rbt_union_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
  1882 where
  1883   "rbt_union_with_key f t1 t2 =
  1884   (case RBT_Impl.compare_height t1 t1 t2 t2
  1885    of compare.EQ \<Rightarrow> rbtreeify (sunion_with f (entries t1) (entries t2))
  1886     | compare.LT \<Rightarrow> fold (rbt_insert_with_key (\<lambda>k v w. f k w v)) t1 t2
  1887     | compare.GT \<Rightarrow> fold (rbt_insert_with_key f) t2 t1)"
  1888 
  1889 definition rbt_union_with where
  1890   "rbt_union_with f = rbt_union_with_key (\<lambda>_. f)"
  1891 
  1892 definition rbt_union where
  1893   "rbt_union = rbt_union_with_key (%_ _ rv. rv)"
  1894 
  1895 definition rbt_inter_with_key :: "('a \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a, 'b) rbt"
  1896 where
  1897   "rbt_inter_with_key f t1 t2 =
  1898   (case RBT_Impl.compare_height t1 t1 t2 t2 
  1899    of compare.EQ \<Rightarrow> rbtreeify (sinter_with f (entries t1) (entries t2))
  1900     | compare.LT \<Rightarrow> rbtreeify (List.map_filter (\<lambda>(k, v). map_option (\<lambda>w. (k, f k v w)) (rbt_lookup t2 k)) (entries t1))
  1901     | compare.GT \<Rightarrow> rbtreeify (List.map_filter (\<lambda>(k, v). map_option (\<lambda>w. (k, f k w v)) (rbt_lookup t1 k)) (entries t2)))"
  1902 
  1903 definition rbt_inter_with where
  1904   "rbt_inter_with f = rbt_inter_with_key (\<lambda>_. f)"
  1905 
  1906 definition rbt_inter where
  1907   "rbt_inter = rbt_inter_with_key (\<lambda>_ _ rv. rv)"
  1908 
  1909 end
  1910 
  1911 context linorder begin
  1912 
  1913 lemma rbt_sorted_entries_right_unique:
  1914   "\<lbrakk> (k, v) \<in> set (entries t); (k, v') \<in> set (entries t); 
  1915      rbt_sorted t \<rbrakk> \<Longrightarrow> v = v'"
  1916 by(auto dest!: distinct_entries inj_onD[where x="(k, v)" and y="(k, v')"] simp add: distinct_map)
  1917 
  1918 lemma rbt_sorted_fold_rbt_insertwk:
  1919   "rbt_sorted t \<Longrightarrow> rbt_sorted (List.fold (\<lambda>(k, v). rbt_insert_with_key f k v) xs t)"
  1920 by(induct xs rule: rev_induct)(auto simp add: rbt_insertwk_rbt_sorted)
  1921 
  1922 lemma is_rbt_fold_rbt_insertwk:
  1923   assumes "is_rbt t1"
  1924   shows "is_rbt (fold (rbt_insert_with_key f) t2 t1)"
  1925 proof -
  1926   def xs \<equiv> "entries t2"
  1927   from assms show ?thesis unfolding fold_def xs_def[symmetric]
  1928     by(induct xs rule: rev_induct)(auto simp add: rbt_insertwk_is_rbt)
  1929 qed
  1930 
  1931 lemma rbt_lookup_fold_rbt_insertwk:
  1932   assumes t1: "rbt_sorted t1" and t2: "rbt_sorted t2"
  1933   shows "rbt_lookup (fold (rbt_insert_with_key f) t1 t2) k =
  1934   (case rbt_lookup t1 k of None \<Rightarrow> rbt_lookup t2 k
  1935    | Some v \<Rightarrow> case rbt_lookup t2 k of None \<Rightarrow> Some v
  1936                | Some w \<Rightarrow> Some (f k w v))"
  1937 proof -
  1938   def xs \<equiv> "entries t1"
  1939   hence dt1: "distinct (map fst xs)" using t1 by(simp add: distinct_entries)
  1940   with t2 show ?thesis
  1941     unfolding fold_def map_of_entries[OF t1, symmetric]
  1942       xs_def[symmetric] distinct_map_of_rev[OF dt1, symmetric]
  1943     apply(induct xs rule: rev_induct)
  1944     apply(auto simp add: rbt_lookup_rbt_insertwk rbt_sorted_fold_rbt_insertwk split: option.splits)
  1945     apply(auto simp add: distinct_map_of_rev intro: rev_image_eqI)
  1946     done
  1947 qed
  1948 
  1949 lemma is_rbt_rbt_unionwk [simp]:
  1950   "\<lbrakk> is_rbt t1; is_rbt t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_union_with_key f t1 t2)"
  1951 by(simp add: rbt_union_with_key_def Let_def is_rbt_fold_rbt_insertwk is_rbt_rbtreeify rbt_sorted_entries distinct_entries split: compare.split)
  1952 
  1953 lemma rbt_lookup_rbt_unionwk:
  1954   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk> 
  1955   \<Longrightarrow> rbt_lookup (rbt_union_with_key f t1 t2) k = 
  1956   (case rbt_lookup t1 k of None \<Rightarrow> rbt_lookup t2 k 
  1957    | Some v \<Rightarrow> case rbt_lookup t2 k of None \<Rightarrow> Some v 
  1958               | Some w \<Rightarrow> Some (f k v w))"
  1959 by(auto simp add: rbt_union_with_key_def Let_def rbt_lookup_fold_rbt_insertwk rbt_sorted_entries distinct_entries map_of_sunion_with map_of_entries rbt_lookup_rbtreeify split: option.split compare.split)
  1960 
  1961 lemma rbt_unionw_is_rbt: "\<lbrakk> is_rbt lt; is_rbt rt \<rbrakk> \<Longrightarrow> is_rbt (rbt_union_with f lt rt)"
  1962 by(simp add: rbt_union_with_def)
  1963 
  1964 lemma rbt_union_is_rbt: "\<lbrakk> is_rbt lt; is_rbt rt \<rbrakk> \<Longrightarrow> is_rbt (rbt_union lt rt)"
  1965 by(simp add: rbt_union_def)
  1966 
  1967 lemma rbt_lookup_rbt_union:
  1968   "\<lbrakk> rbt_sorted s; rbt_sorted t \<rbrakk> \<Longrightarrow>
  1969   rbt_lookup (rbt_union s t) = rbt_lookup s ++ rbt_lookup t"
  1970 by(rule ext)(simp add: rbt_lookup_rbt_unionwk rbt_union_def map_add_def split: option.split)
  1971 
  1972 lemma rbt_interwk_is_rbt [simp]:
  1973   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_inter_with_key f t1 t2)"
  1974 by(auto simp add: rbt_inter_with_key_def Let_def map_map_filter split_def o_def option.map_comp map_filter_map_option_const sorted_filter[where f=id, simplified] rbt_sorted_entries distinct_entries intro: is_rbt_rbtreeify split: compare.split)
  1975 
  1976 lemma rbt_interw_is_rbt:
  1977   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_inter_with f t1 t2)"
  1978 by(simp add: rbt_inter_with_def)
  1979 
  1980 lemma rbt_inter_is_rbt:
  1981   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk> \<Longrightarrow> is_rbt (rbt_inter t1 t2)"
  1982 by(simp add: rbt_inter_def)
  1983 
  1984 lemma rbt_lookup_rbt_interwk:
  1985   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk>
  1986   \<Longrightarrow> rbt_lookup (rbt_inter_with_key f t1 t2) k =
  1987   (case rbt_lookup t1 k of None \<Rightarrow> None 
  1988    | Some v \<Rightarrow> case rbt_lookup t2 k of None \<Rightarrow> None
  1989                | Some w \<Rightarrow> Some (f k v w))"
  1990 by(auto 4 3 simp add: rbt_inter_with_key_def Let_def map_of_entries[symmetric] rbt_lookup_rbtreeify map_map_filter split_def o_def option.map_comp map_filter_map_option_const sorted_filter[where f=id, simplified] rbt_sorted_entries distinct_entries map_of_sinter_with map_of_eq_None_iff set_map_filter split: option.split compare.split intro: rev_image_eqI dest: rbt_sorted_entries_right_unique)
  1991 
  1992 lemma rbt_lookup_rbt_inter:
  1993   "\<lbrakk> rbt_sorted t1; rbt_sorted t2 \<rbrakk>
  1994   \<Longrightarrow> rbt_lookup (rbt_inter t1 t2) = rbt_lookup t2 |` dom (rbt_lookup t1)"
  1995 by(auto simp add: rbt_inter_def rbt_lookup_rbt_interwk restrict_map_def split: option.split)
  1996 
  1997 end
  1998 
  1999 
  2000 subsection {* Code generator setup *}
  2001 
  2002 lemmas [code] =
  2003   ord.rbt_less_prop
  2004   ord.rbt_greater_prop
  2005   ord.rbt_sorted.simps
  2006   ord.rbt_lookup.simps
  2007   ord.is_rbt_def
  2008   ord.rbt_ins.simps
  2009   ord.rbt_insert_with_key_def
  2010   ord.rbt_insertw_def
  2011   ord.rbt_insert_def
  2012   ord.rbt_del_from_left.simps
  2013   ord.rbt_del_from_right.simps
  2014   ord.rbt_del.simps
  2015   ord.rbt_delete_def
  2016   ord.sunion_with.simps
  2017   ord.sinter_with.simps
  2018   ord.rbt_union_with_key_def
  2019   ord.rbt_union_with_def
  2020   ord.rbt_union_def
  2021   ord.rbt_inter_with_key_def
  2022   ord.rbt_inter_with_def
  2023   ord.rbt_inter_def
  2024   ord.rbt_map_entry.simps
  2025   ord.rbt_bulkload_def
  2026 
  2027 text {* More efficient implementations for @{term entries} and @{term keys} *}
  2028 
  2029 definition gen_entries :: 
  2030   "(('a \<times> 'b) \<times> ('a, 'b) rbt) list \<Rightarrow> ('a, 'b) rbt \<Rightarrow> ('a \<times> 'b) list"
  2031 where
  2032   "gen_entries kvts t = entries t @ concat (map (\<lambda>(kv, t). kv # entries t) kvts)"
  2033 
  2034 lemma gen_entries_simps [simp, code]:
  2035   "gen_entries [] Empty = []"
  2036   "gen_entries ((kv, t) # kvts) Empty = kv # gen_entries kvts t"
  2037   "gen_entries kvts (Branch c l k v r) = gen_entries (((k, v), r) # kvts) l"
  2038 by(simp_all add: gen_entries_def)
  2039 
  2040 lemma entries_code [code]:
  2041   "entries = gen_entries []"
  2042 by(simp add: gen_entries_def fun_eq_iff)
  2043 
  2044 definition gen_keys :: "('a \<times> ('a, 'b) rbt) list \<Rightarrow> ('a, 'b) rbt \<Rightarrow> 'a list"
  2045 where "gen_keys kts t = RBT_Impl.keys t @ concat (List.map (\<lambda>(k, t). k # keys t) kts)"
  2046 
  2047 lemma gen_keys_simps [simp, code]:
  2048   "gen_keys [] Empty = []"
  2049   "gen_keys ((k, t) # kts) Empty = k # gen_keys kts t"
  2050   "gen_keys kts (Branch c l k v r) = gen_keys ((k, r) # kts) l"
  2051 by(simp_all add: gen_keys_def)
  2052 
  2053 lemma keys_code [code]:
  2054   "keys = gen_keys []"
  2055 by(simp add: gen_keys_def fun_eq_iff)
  2056 
  2057 text {* Restore original type constraints for constants *}
  2058 setup {*
  2059   fold Sign.add_const_constraint
  2060     [(@{const_name rbt_less}, SOME @{typ "('a :: order) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"}),
  2061      (@{const_name rbt_greater}, SOME @{typ "('a :: order) \<Rightarrow> ('a, 'b) rbt \<Rightarrow> bool"}),
  2062      (@{const_name rbt_sorted}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> bool"}),
  2063      (@{const_name rbt_lookup}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"}),
  2064      (@{const_name is_rbt}, SOME @{typ "('a :: linorder, 'b) rbt \<Rightarrow> bool"}),
  2065      (@{const_name rbt_ins}, SOME @{typ "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2066      (@{const_name rbt_insert_with_key}, SOME @{typ "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2067      (@{const_name rbt_insert_with}, SOME @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a :: linorder) \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2068      (@{const_name rbt_insert}, SOME @{typ "('a :: linorder) \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2069      (@{const_name rbt_del_from_left}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2070      (@{const_name rbt_del_from_right}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2071      (@{const_name rbt_del}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2072      (@{const_name rbt_delete}, SOME @{typ "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2073      (@{const_name rbt_union_with_key}, SOME @{typ "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2074      (@{const_name rbt_union_with}, SOME @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a\<Colon>linorder,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2075      (@{const_name rbt_union}, SOME @{typ "('a\<Colon>linorder,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2076      (@{const_name rbt_map_entry}, SOME @{typ "'a\<Colon>linorder \<Rightarrow> ('b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"}),
  2077      (@{const_name rbt_bulkload}, SOME @{typ "('a \<times> 'b) list \<Rightarrow> ('a\<Colon>linorder,'b) rbt"})]
  2078 *}
  2079 
  2080 hide_const (open) R B Empty entries keys fold gen_keys gen_entries
  2081 
  2082 end