src/HOL/Probability/Probability_Mass_Function.thy
author haftmann
Thu Feb 19 11:53:36 2015 +0100 (2015-02-19)
changeset 59557 ebd8ecacfba6
parent 59527 edaabc1ab1ed
child 59664 224741ede5ae
permissions -rw-r--r--
establish unique preferred fact names
     1 (*  Title:      HOL/Probability/Probability_Mass_Function.thy
     2     Author:     Johannes Hölzl, TU München 
     3     Author:     Andreas Lochbihler, ETH Zurich
     4 *)
     5 
     6 section \<open> Probability mass function \<close>
     7 
     8 theory Probability_Mass_Function
     9 imports
    10   Giry_Monad
    11   "~~/src/HOL/Number_Theory/Binomial"
    12   "~~/src/HOL/Library/Multiset"
    13 begin
    14 
    15 lemma ereal_divide': "b \<noteq> 0 \<Longrightarrow> ereal (a / b) = ereal a / ereal b"
    16   using ereal_divide[of a b] by simp
    17 
    18 lemma (in finite_measure) countable_support:
    19   "countable {x. measure M {x} \<noteq> 0}"
    20 proof cases
    21   assume "measure M (space M) = 0"
    22   with bounded_measure measure_le_0_iff have "{x. measure M {x} \<noteq> 0} = {}"
    23     by auto
    24   then show ?thesis
    25     by simp
    26 next
    27   let ?M = "measure M (space M)" and ?m = "\<lambda>x. measure M {x}"
    28   assume "?M \<noteq> 0"
    29   then have *: "{x. ?m x \<noteq> 0} = (\<Union>n. {x. ?M / Suc n < ?m x})"
    30     using reals_Archimedean[of "?m x / ?M" for x]
    31     by (auto simp: field_simps not_le[symmetric] measure_nonneg divide_le_0_iff measure_le_0_iff)
    32   have **: "\<And>n. finite {x. ?M / Suc n < ?m x}"
    33   proof (rule ccontr)
    34     fix n assume "infinite {x. ?M / Suc n < ?m x}" (is "infinite ?X")
    35     then obtain X where "finite X" "card X = Suc (Suc n)" "X \<subseteq> ?X"
    36       by (metis infinite_arbitrarily_large)
    37     from this(3) have *: "\<And>x. x \<in> X \<Longrightarrow> ?M / Suc n \<le> ?m x" 
    38       by auto
    39     { fix x assume "x \<in> X"
    40       from `?M \<noteq> 0` *[OF this] have "?m x \<noteq> 0" by (auto simp: field_simps measure_le_0_iff)
    41       then have "{x} \<in> sets M" by (auto dest: measure_notin_sets) }
    42     note singleton_sets = this
    43     have "?M < (\<Sum>x\<in>X. ?M / Suc n)"
    44       using `?M \<noteq> 0` 
    45       by (simp add: `card X = Suc (Suc n)` real_eq_of_nat[symmetric] real_of_nat_Suc field_simps less_le measure_nonneg)
    46     also have "\<dots> \<le> (\<Sum>x\<in>X. ?m x)"
    47       by (rule setsum_mono) fact
    48     also have "\<dots> = measure M (\<Union>x\<in>X. {x})"
    49       using singleton_sets `finite X`
    50       by (intro finite_measure_finite_Union[symmetric]) (auto simp: disjoint_family_on_def)
    51     finally have "?M < measure M (\<Union>x\<in>X. {x})" .
    52     moreover have "measure M (\<Union>x\<in>X. {x}) \<le> ?M"
    53       using singleton_sets[THEN sets.sets_into_space] by (intro finite_measure_mono) auto
    54     ultimately show False by simp
    55   qed
    56   show ?thesis
    57     unfolding * by (intro countable_UN countableI_type countable_finite[OF **])
    58 qed
    59 
    60 lemma (in finite_measure) AE_support_countable:
    61   assumes [simp]: "sets M = UNIV"
    62   shows "(AE x in M. measure M {x} \<noteq> 0) \<longleftrightarrow> (\<exists>S. countable S \<and> (AE x in M. x \<in> S))"
    63 proof
    64   assume "\<exists>S. countable S \<and> (AE x in M. x \<in> S)"
    65   then obtain S where S[intro]: "countable S" and ae: "AE x in M. x \<in> S"
    66     by auto
    67   then have "emeasure M (\<Union>x\<in>{x\<in>S. emeasure M {x} \<noteq> 0}. {x}) = 
    68     (\<integral>\<^sup>+ x. emeasure M {x} * indicator {x\<in>S. emeasure M {x} \<noteq> 0} x \<partial>count_space UNIV)"
    69     by (subst emeasure_UN_countable)
    70        (auto simp: disjoint_family_on_def nn_integral_restrict_space[symmetric] restrict_count_space)
    71   also have "\<dots> = (\<integral>\<^sup>+ x. emeasure M {x} * indicator S x \<partial>count_space UNIV)"
    72     by (auto intro!: nn_integral_cong split: split_indicator)
    73   also have "\<dots> = emeasure M (\<Union>x\<in>S. {x})"
    74     by (subst emeasure_UN_countable)
    75        (auto simp: disjoint_family_on_def nn_integral_restrict_space[symmetric] restrict_count_space)
    76   also have "\<dots> = emeasure M (space M)"
    77     using ae by (intro emeasure_eq_AE) auto
    78   finally have "emeasure M {x \<in> space M. x\<in>S \<and> emeasure M {x} \<noteq> 0} = emeasure M (space M)"
    79     by (simp add: emeasure_single_in_space cong: rev_conj_cong)
    80   with finite_measure_compl[of "{x \<in> space M. x\<in>S \<and> emeasure M {x} \<noteq> 0}"]
    81   have "AE x in M. x \<in> S \<and> emeasure M {x} \<noteq> 0"
    82     by (intro AE_I[OF order_refl]) (auto simp: emeasure_eq_measure set_diff_eq cong: conj_cong)
    83   then show "AE x in M. measure M {x} \<noteq> 0"
    84     by (auto simp: emeasure_eq_measure)
    85 qed (auto intro!: exI[of _ "{x. measure M {x} \<noteq> 0}"] countable_support)
    86 
    87 subsection {* PMF as measure *}
    88 
    89 typedef 'a pmf = "{M :: 'a measure. prob_space M \<and> sets M = UNIV \<and> (AE x in M. measure M {x} \<noteq> 0)}"
    90   morphisms measure_pmf Abs_pmf
    91   by (intro exI[of _ "uniform_measure (count_space UNIV) {undefined}"])
    92      (auto intro!: prob_space_uniform_measure AE_uniform_measureI)
    93 
    94 declare [[coercion measure_pmf]]
    95 
    96 lemma prob_space_measure_pmf: "prob_space (measure_pmf p)"
    97   using pmf.measure_pmf[of p] by auto
    98 
    99 interpretation measure_pmf!: prob_space "measure_pmf M" for M
   100   by (rule prob_space_measure_pmf)
   101 
   102 interpretation measure_pmf!: subprob_space "measure_pmf M" for M
   103   by (rule prob_space_imp_subprob_space) unfold_locales
   104 
   105 lemma subprob_space_measure_pmf: "subprob_space (measure_pmf x)"
   106   by unfold_locales
   107 
   108 locale pmf_as_measure
   109 begin
   110 
   111 setup_lifting type_definition_pmf
   112 
   113 end
   114 
   115 context
   116 begin
   117 
   118 interpretation pmf_as_measure .
   119 
   120 lift_definition pmf :: "'a pmf \<Rightarrow> 'a \<Rightarrow> real" is "\<lambda>M x. measure M {x}" .
   121 
   122 lift_definition set_pmf :: "'a pmf \<Rightarrow> 'a set" is "\<lambda>M. {x. measure M {x} \<noteq> 0}" .
   123 
   124 lift_definition map_pmf :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a pmf \<Rightarrow> 'b pmf" is
   125   "\<lambda>f M. distr M (count_space UNIV) f"
   126 proof safe
   127   fix M and f :: "'a \<Rightarrow> 'b"
   128   let ?D = "distr M (count_space UNIV) f"
   129   assume "prob_space M" and [simp]: "sets M = UNIV" and ae: "AE x in M. measure M {x} \<noteq> 0"
   130   interpret prob_space M by fact
   131   from ae have "AE x in M. measure M (f -` {f x}) \<noteq> 0"
   132   proof eventually_elim
   133     fix x
   134     have "measure M {x} \<le> measure M (f -` {f x})"
   135       by (intro finite_measure_mono) auto
   136     then show "measure M {x} \<noteq> 0 \<Longrightarrow> measure M (f -` {f x}) \<noteq> 0"
   137       using measure_nonneg[of M "{x}"] by auto
   138   qed
   139   then show "AE x in ?D. measure ?D {x} \<noteq> 0"
   140     by (simp add: AE_distr_iff measure_distr measurable_def)
   141 qed (auto simp: measurable_def prob_space.prob_space_distr)
   142 
   143 declare [[coercion set_pmf]]
   144 
   145 lemma countable_set_pmf [simp]: "countable (set_pmf p)"
   146   by transfer (metis prob_space.finite_measure finite_measure.countable_support)
   147 
   148 lemma sets_measure_pmf[simp]: "sets (measure_pmf p) = UNIV"
   149   by transfer metis
   150 
   151 lemma sets_measure_pmf_count_space[measurable_cong]:
   152   "sets (measure_pmf M) = sets (count_space UNIV)"
   153   by simp
   154 
   155 lemma space_measure_pmf[simp]: "space (measure_pmf p) = UNIV"
   156   using sets_eq_imp_space_eq[of "measure_pmf p" "count_space UNIV"] by simp
   157 
   158 lemma measure_pmf_in_subprob_algebra[measurable (raw)]: "measure_pmf x \<in> space (subprob_algebra (count_space UNIV))"
   159   by (simp add: space_subprob_algebra subprob_space_measure_pmf)
   160 
   161 lemma measurable_pmf_measure1[simp]: "measurable (M :: 'a pmf) N = UNIV \<rightarrow> space N"
   162   by (auto simp: measurable_def)
   163 
   164 lemma measurable_pmf_measure2[simp]: "measurable N (M :: 'a pmf) = measurable N (count_space UNIV)"
   165   by (intro measurable_cong_sets) simp_all
   166 
   167 lemma pmf_positive: "x \<in> set_pmf p \<Longrightarrow> 0 < pmf p x"
   168   by transfer (simp add: less_le measure_nonneg)
   169 
   170 lemma pmf_nonneg: "0 \<le> pmf p x"
   171   by transfer (simp add: measure_nonneg)
   172 
   173 lemma pmf_le_1: "pmf p x \<le> 1"
   174   by (simp add: pmf.rep_eq)
   175 
   176 lemma emeasure_pmf_single:
   177   fixes M :: "'a pmf"
   178   shows "emeasure M {x} = pmf M x"
   179   by transfer (simp add: finite_measure.emeasure_eq_measure[OF prob_space.finite_measure])
   180 
   181 lemma AE_measure_pmf: "AE x in (M::'a pmf). x \<in> M"
   182   by transfer simp
   183 
   184 lemma emeasure_pmf_single_eq_zero_iff:
   185   fixes M :: "'a pmf"
   186   shows "emeasure M {y} = 0 \<longleftrightarrow> y \<notin> M"
   187   by transfer (simp add: finite_measure.emeasure_eq_measure[OF prob_space.finite_measure])
   188 
   189 lemma AE_measure_pmf_iff: "(AE x in measure_pmf M. P x) \<longleftrightarrow> (\<forall>y\<in>M. P y)"
   190 proof -
   191   { fix y assume y: "y \<in> M" and P: "AE x in M. P x" "\<not> P y"
   192     with P have "AE x in M. x \<noteq> y"
   193       by auto
   194     with y have False
   195       by (simp add: emeasure_pmf_single_eq_zero_iff AE_iff_measurable[OF _ refl]) }
   196   then show ?thesis
   197     using AE_measure_pmf[of M] by auto
   198 qed
   199 
   200 lemma set_pmf_not_empty: "set_pmf M \<noteq> {}"
   201   using AE_measure_pmf[of M] by (intro notI) simp
   202 
   203 lemma set_pmf_iff: "x \<in> set_pmf M \<longleftrightarrow> pmf M x \<noteq> 0"
   204   by transfer simp
   205 
   206 lemma emeasure_measure_pmf_finite: "finite S \<Longrightarrow> emeasure (measure_pmf M) S = (\<Sum>s\<in>S. pmf M s)"
   207   by (subst emeasure_eq_setsum_singleton) (auto simp: emeasure_pmf_single)
   208 
   209 lemma measure_measure_pmf_finite: "finite S \<Longrightarrow> measure (measure_pmf M) S = setsum (pmf M) S"
   210   using emeasure_measure_pmf_finite[of S M] by(simp add: measure_pmf.emeasure_eq_measure)
   211 
   212 lemma nn_integral_measure_pmf_support:
   213   fixes f :: "'a \<Rightarrow> ereal"
   214   assumes f: "finite A" and nn: "\<And>x. x \<in> A \<Longrightarrow> 0 \<le> f x" "\<And>x. x \<in> set_pmf M \<Longrightarrow> x \<notin> A \<Longrightarrow> f x = 0"
   215   shows "(\<integral>\<^sup>+x. f x \<partial>measure_pmf M) = (\<Sum>x\<in>A. f x * pmf M x)"
   216 proof -
   217   have "(\<integral>\<^sup>+x. f x \<partial>M) = (\<integral>\<^sup>+x. f x * indicator A x \<partial>M)"
   218     using nn by (intro nn_integral_cong_AE) (auto simp: AE_measure_pmf_iff split: split_indicator)
   219   also have "\<dots> = (\<Sum>x\<in>A. f x * emeasure M {x})"
   220     using assms by (intro nn_integral_indicator_finite) auto
   221   finally show ?thesis
   222     by (simp add: emeasure_measure_pmf_finite)
   223 qed
   224 
   225 lemma nn_integral_measure_pmf_finite:
   226   fixes f :: "'a \<Rightarrow> ereal"
   227   assumes f: "finite (set_pmf M)" and nn: "\<And>x. x \<in> set_pmf M \<Longrightarrow> 0 \<le> f x"
   228   shows "(\<integral>\<^sup>+x. f x \<partial>measure_pmf M) = (\<Sum>x\<in>set_pmf M. f x * pmf M x)"
   229   using assms by (intro nn_integral_measure_pmf_support) auto
   230 lemma integrable_measure_pmf_finite:
   231   fixes f :: "'a \<Rightarrow> 'b::{banach, second_countable_topology}"
   232   shows "finite (set_pmf M) \<Longrightarrow> integrable M f"
   233   by (auto intro!: integrableI_bounded simp: nn_integral_measure_pmf_finite)
   234 
   235 lemma integral_measure_pmf:
   236   assumes [simp]: "finite A" and "\<And>a. a \<in> set_pmf M \<Longrightarrow> f a \<noteq> 0 \<Longrightarrow> a \<in> A"
   237   shows "(\<integral>x. f x \<partial>measure_pmf M) = (\<Sum>a\<in>A. f a * pmf M a)"
   238 proof -
   239   have "(\<integral>x. f x \<partial>measure_pmf M) = (\<integral>x. f x * indicator A x \<partial>measure_pmf M)"
   240     using assms(2) by (intro integral_cong_AE) (auto split: split_indicator simp: AE_measure_pmf_iff)
   241   also have "\<dots> = (\<Sum>a\<in>A. f a * pmf M a)"
   242     by (subst integral_indicator_finite_real) (auto simp: measure_def emeasure_measure_pmf_finite)
   243   finally show ?thesis .
   244 qed
   245 
   246 lemma integrable_pmf: "integrable (count_space X) (pmf M)"
   247 proof -
   248   have " (\<integral>\<^sup>+ x. pmf M x \<partial>count_space X) = (\<integral>\<^sup>+ x. pmf M x \<partial>count_space (M \<inter> X))"
   249     by (auto simp add: nn_integral_count_space_indicator set_pmf_iff intro!: nn_integral_cong split: split_indicator)
   250   then have "integrable (count_space X) (pmf M) = integrable (count_space (M \<inter> X)) (pmf M)"
   251     by (simp add: integrable_iff_bounded pmf_nonneg)
   252   then show ?thesis
   253     by (simp add: pmf.rep_eq measure_pmf.integrable_measure disjoint_family_on_def)
   254 qed
   255 
   256 lemma integral_pmf: "(\<integral>x. pmf M x \<partial>count_space X) = measure M X"
   257 proof -
   258   have "(\<integral>x. pmf M x \<partial>count_space X) = (\<integral>\<^sup>+x. pmf M x \<partial>count_space X)"
   259     by (simp add: pmf_nonneg integrable_pmf nn_integral_eq_integral)
   260   also have "\<dots> = (\<integral>\<^sup>+x. emeasure M {x} \<partial>count_space (X \<inter> M))"
   261     by (auto intro!: nn_integral_cong_AE split: split_indicator
   262              simp: pmf.rep_eq measure_pmf.emeasure_eq_measure nn_integral_count_space_indicator
   263                    AE_count_space set_pmf_iff)
   264   also have "\<dots> = emeasure M (X \<inter> M)"
   265     by (rule emeasure_countable_singleton[symmetric]) (auto intro: countable_set_pmf)
   266   also have "\<dots> = emeasure M X"
   267     by (auto intro!: emeasure_eq_AE simp: AE_measure_pmf_iff)
   268   finally show ?thesis
   269     by (simp add: measure_pmf.emeasure_eq_measure)
   270 qed
   271 
   272 lemma integral_pmf_restrict:
   273   "(f::'a \<Rightarrow> 'b::{banach, second_countable_topology}) \<in> borel_measurable (count_space UNIV) \<Longrightarrow>
   274     (\<integral>x. f x \<partial>measure_pmf M) = (\<integral>x. f x \<partial>restrict_space M M)"
   275   by (auto intro!: integral_cong_AE simp add: integral_restrict_space AE_measure_pmf_iff)
   276 
   277 lemma emeasure_pmf: "emeasure (M::'a pmf) M = 1"
   278 proof -
   279   have "emeasure (M::'a pmf) M = emeasure (M::'a pmf) (space M)"
   280     by (intro emeasure_eq_AE) (simp_all add: AE_measure_pmf)
   281   then show ?thesis
   282     using measure_pmf.emeasure_space_1 by simp
   283 qed
   284 
   285 lemma emeasure_pmf_UNIV [simp]: "emeasure (measure_pmf M) UNIV = 1"
   286 using measure_pmf.emeasure_space_1[of M] by simp
   287 
   288 lemma in_null_sets_measure_pmfI:
   289   "A \<inter> set_pmf p = {} \<Longrightarrow> A \<in> null_sets (measure_pmf p)"
   290 using emeasure_eq_0_AE[where ?P="\<lambda>x. x \<in> A" and M="measure_pmf p"]
   291 by(auto simp add: null_sets_def AE_measure_pmf_iff)
   292 
   293 lemma map_pmf_id[simp]: "map_pmf id = id"
   294   by (rule, transfer) (auto simp: emeasure_distr measurable_def intro!: measure_eqI)
   295 
   296 lemma map_pmf_ident[simp]: "map_pmf (\<lambda>x. x) = (\<lambda>x. x)"
   297   using map_pmf_id unfolding id_def .
   298 
   299 lemma map_pmf_compose: "map_pmf (f \<circ> g) = map_pmf f \<circ> map_pmf g"
   300   by (rule, transfer) (simp add: distr_distr[symmetric, where N="count_space UNIV"] measurable_def) 
   301 
   302 lemma map_pmf_comp: "map_pmf f (map_pmf g M) = map_pmf (\<lambda>x. f (g x)) M"
   303   using map_pmf_compose[of f g] by (simp add: comp_def)
   304 
   305 lemma map_pmf_cong:
   306   assumes "p = q"
   307   shows "(\<And>x. x \<in> set_pmf q \<Longrightarrow> f x = g x) \<Longrightarrow> map_pmf f p = map_pmf g q"
   308   unfolding `p = q`[symmetric] measure_pmf_inject[symmetric] map_pmf.rep_eq
   309   by (auto simp add: emeasure_distr AE_measure_pmf_iff intro!: emeasure_eq_AE measure_eqI)
   310 
   311 lemma emeasure_map_pmf[simp]: "emeasure (map_pmf f M) X = emeasure M (f -` X)"
   312   unfolding map_pmf.rep_eq by (subst emeasure_distr) auto
   313 
   314 lemma nn_integral_map_pmf[simp]: "(\<integral>\<^sup>+x. f x \<partial>map_pmf g M) = (\<integral>\<^sup>+x. f (g x) \<partial>M)"
   315   unfolding map_pmf.rep_eq by (intro nn_integral_distr) auto
   316 
   317 lemma ereal_pmf_map: "pmf (map_pmf f p) x = (\<integral>\<^sup>+ y. indicator (f -` {x}) y \<partial>measure_pmf p)"
   318 proof(transfer fixing: f x)
   319   fix p :: "'b measure"
   320   presume "prob_space p"
   321   then interpret prob_space p .
   322   presume "sets p = UNIV"
   323   then show "ereal (measure (distr p (count_space UNIV) f) {x}) = integral\<^sup>N p (indicator (f -` {x}))"
   324     by(simp add: measure_distr measurable_def emeasure_eq_measure)
   325 qed simp_all
   326 
   327 lemma pmf_set_map: 
   328   fixes f :: "'a \<Rightarrow> 'b"
   329   shows "set_pmf \<circ> map_pmf f = op ` f \<circ> set_pmf"
   330 proof (rule, transfer, clarsimp simp add: measure_distr measurable_def)
   331   fix f :: "'a \<Rightarrow> 'b" and M :: "'a measure"
   332   assume "prob_space M" and ae: "AE x in M. measure M {x} \<noteq> 0" and [simp]: "sets M = UNIV"
   333   interpret prob_space M by fact
   334   show "{x. measure M (f -` {x}) \<noteq> 0} = f ` {x. measure M {x} \<noteq> 0}"
   335   proof safe
   336     fix x assume "measure M (f -` {x}) \<noteq> 0"
   337     moreover have "measure M (f -` {x}) = measure M {y. f y = x \<and> measure M {y} \<noteq> 0}"
   338       using ae by (intro finite_measure_eq_AE) auto
   339     ultimately have "{y. f y = x \<and> measure M {y} \<noteq> 0} \<noteq> {}"
   340       by (metis measure_empty)
   341     then show "x \<in> f ` {x. measure M {x} \<noteq> 0}"
   342       by auto
   343   next
   344     fix x assume "measure M {x} \<noteq> 0"
   345     then have "0 < measure M {x}"
   346       using measure_nonneg[of M "{x}"] by auto
   347     also have "measure M {x} \<le> measure M (f -` {f x})"
   348       by (intro finite_measure_mono) auto
   349     finally show "measure M (f -` {f x}) = 0 \<Longrightarrow> False"
   350       by simp
   351   qed
   352 qed
   353 
   354 lemma set_map_pmf: "set_pmf (map_pmf f M) = f`set_pmf M"
   355   using pmf_set_map[of f] by (auto simp: comp_def fun_eq_iff)
   356 
   357 lemma nn_integral_pmf: "(\<integral>\<^sup>+ x. pmf p x \<partial>count_space A) = emeasure (measure_pmf p) A"
   358 proof -
   359   have "(\<integral>\<^sup>+ x. pmf p x \<partial>count_space A) = (\<integral>\<^sup>+ x. pmf p x \<partial>count_space (A \<inter> set_pmf p))"
   360     by(auto simp add: nn_integral_count_space_indicator indicator_def set_pmf_iff intro: nn_integral_cong)
   361   also have "\<dots> = emeasure (measure_pmf p) (\<Union>x\<in>A \<inter> set_pmf p. {x})"
   362     by(subst emeasure_UN_countable)(auto simp add: emeasure_pmf_single disjoint_family_on_def)
   363   also have "\<dots> = emeasure (measure_pmf p) ((\<Union>x\<in>A \<inter> set_pmf p. {x}) \<union> {x. x \<in> A \<and> x \<notin> set_pmf p})"
   364     by(rule emeasure_Un_null_set[symmetric])(auto intro: in_null_sets_measure_pmfI)
   365   also have "\<dots> = emeasure (measure_pmf p) A"
   366     by(auto intro: arg_cong2[where f=emeasure])
   367   finally show ?thesis .
   368 qed
   369 
   370 subsection {* PMFs as function *}
   371 
   372 context
   373   fixes f :: "'a \<Rightarrow> real"
   374   assumes nonneg: "\<And>x. 0 \<le> f x"
   375   assumes prob: "(\<integral>\<^sup>+x. f x \<partial>count_space UNIV) = 1"
   376 begin
   377 
   378 lift_definition embed_pmf :: "'a pmf" is "density (count_space UNIV) (ereal \<circ> f)"
   379 proof (intro conjI)
   380   have *[simp]: "\<And>x y. ereal (f y) * indicator {x} y = ereal (f x) * indicator {x} y"
   381     by (simp split: split_indicator)
   382   show "AE x in density (count_space UNIV) (ereal \<circ> f).
   383     measure (density (count_space UNIV) (ereal \<circ> f)) {x} \<noteq> 0"
   384     by (simp add: AE_density nonneg measure_def emeasure_density max_def)
   385   show "prob_space (density (count_space UNIV) (ereal \<circ> f))"
   386     by default (simp add: emeasure_density prob)
   387 qed simp
   388 
   389 lemma pmf_embed_pmf: "pmf embed_pmf x = f x"
   390 proof transfer
   391   have *[simp]: "\<And>x y. ereal (f y) * indicator {x} y = ereal (f x) * indicator {x} y"
   392     by (simp split: split_indicator)
   393   fix x show "measure (density (count_space UNIV) (ereal \<circ> f)) {x} = f x"
   394     by transfer (simp add: measure_def emeasure_density nonneg max_def)
   395 qed
   396 
   397 end
   398 
   399 lemma embed_pmf_transfer:
   400   "rel_fun (eq_onp (\<lambda>f. (\<forall>x. 0 \<le> f x) \<and> (\<integral>\<^sup>+x. ereal (f x) \<partial>count_space UNIV) = 1)) pmf_as_measure.cr_pmf (\<lambda>f. density (count_space UNIV) (ereal \<circ> f)) embed_pmf"
   401   by (auto simp: rel_fun_def eq_onp_def embed_pmf.transfer)
   402 
   403 lemma measure_pmf_eq_density: "measure_pmf p = density (count_space UNIV) (pmf p)"
   404 proof (transfer, elim conjE)
   405   fix M :: "'a measure" assume [simp]: "sets M = UNIV" and ae: "AE x in M. measure M {x} \<noteq> 0"
   406   assume "prob_space M" then interpret prob_space M .
   407   show "M = density (count_space UNIV) (\<lambda>x. ereal (measure M {x}))"
   408   proof (rule measure_eqI)
   409     fix A :: "'a set"
   410     have "(\<integral>\<^sup>+ x. ereal (measure M {x}) * indicator A x \<partial>count_space UNIV) = 
   411       (\<integral>\<^sup>+ x. emeasure M {x} * indicator (A \<inter> {x. measure M {x} \<noteq> 0}) x \<partial>count_space UNIV)"
   412       by (auto intro!: nn_integral_cong simp: emeasure_eq_measure split: split_indicator)
   413     also have "\<dots> = (\<integral>\<^sup>+ x. emeasure M {x} \<partial>count_space (A \<inter> {x. measure M {x} \<noteq> 0}))"
   414       by (subst nn_integral_restrict_space[symmetric]) (auto simp: restrict_count_space)
   415     also have "\<dots> = emeasure M (\<Union>x\<in>(A \<inter> {x. measure M {x} \<noteq> 0}). {x})"
   416       by (intro emeasure_UN_countable[symmetric] countable_Int2 countable_support)
   417          (auto simp: disjoint_family_on_def)
   418     also have "\<dots> = emeasure M A"
   419       using ae by (intro emeasure_eq_AE) auto
   420     finally show " emeasure M A = emeasure (density (count_space UNIV) (\<lambda>x. ereal (measure M {x}))) A"
   421       using emeasure_space_1 by (simp add: emeasure_density)
   422   qed simp
   423 qed
   424 
   425 lemma td_pmf_embed_pmf:
   426   "type_definition pmf embed_pmf {f::'a \<Rightarrow> real. (\<forall>x. 0 \<le> f x) \<and> (\<integral>\<^sup>+x. ereal (f x) \<partial>count_space UNIV) = 1}"
   427   unfolding type_definition_def
   428 proof safe
   429   fix p :: "'a pmf"
   430   have "(\<integral>\<^sup>+ x. 1 \<partial>measure_pmf p) = 1"
   431     using measure_pmf.emeasure_space_1[of p] by simp
   432   then show *: "(\<integral>\<^sup>+ x. ereal (pmf p x) \<partial>count_space UNIV) = 1"
   433     by (simp add: measure_pmf_eq_density nn_integral_density pmf_nonneg del: nn_integral_const)
   434 
   435   show "embed_pmf (pmf p) = p"
   436     by (intro measure_pmf_inject[THEN iffD1])
   437        (simp add: * embed_pmf.rep_eq pmf_nonneg measure_pmf_eq_density[of p] comp_def)
   438 next
   439   fix f :: "'a \<Rightarrow> real" assume "\<forall>x. 0 \<le> f x" "(\<integral>\<^sup>+x. f x \<partial>count_space UNIV) = 1"
   440   then show "pmf (embed_pmf f) = f"
   441     by (auto intro!: pmf_embed_pmf)
   442 qed (rule pmf_nonneg)
   443 
   444 end
   445 
   446 locale pmf_as_function
   447 begin
   448 
   449 setup_lifting td_pmf_embed_pmf
   450 
   451 lemma set_pmf_transfer[transfer_rule]: 
   452   assumes "bi_total A"
   453   shows "rel_fun (pcr_pmf A) (rel_set A) (\<lambda>f. {x. f x \<noteq> 0}) set_pmf"  
   454   using `bi_total A`
   455   by (auto simp: pcr_pmf_def cr_pmf_def rel_fun_def rel_set_def bi_total_def Bex_def set_pmf_iff)
   456      metis+
   457 
   458 end
   459 
   460 context
   461 begin
   462 
   463 interpretation pmf_as_function .
   464 
   465 lemma pmf_eqI: "(\<And>i. pmf M i = pmf N i) \<Longrightarrow> M = N"
   466   by transfer auto
   467 
   468 lemma pmf_eq_iff: "M = N \<longleftrightarrow> (\<forall>i. pmf M i = pmf N i)"
   469   by (auto intro: pmf_eqI)
   470 
   471 end
   472 
   473 context
   474 begin
   475 
   476 interpretation pmf_as_function .
   477 
   478 subsubsection \<open> Bernoulli Distribution \<close>
   479 
   480 lift_definition bernoulli_pmf :: "real \<Rightarrow> bool pmf" is
   481   "\<lambda>p b. ((\<lambda>p. if b then p else 1 - p) \<circ> min 1 \<circ> max 0) p"
   482   by (auto simp: nn_integral_count_space_finite[where A="{False, True}"] UNIV_bool
   483            split: split_max split_min)
   484 
   485 lemma pmf_bernoulli_True[simp]: "0 \<le> p \<Longrightarrow> p \<le> 1 \<Longrightarrow> pmf (bernoulli_pmf p) True = p"
   486   by transfer simp
   487 
   488 lemma pmf_bernoulli_False[simp]: "0 \<le> p \<Longrightarrow> p \<le> 1 \<Longrightarrow> pmf (bernoulli_pmf p) False = 1 - p"
   489   by transfer simp
   490 
   491 lemma set_pmf_bernoulli: "0 < p \<Longrightarrow> p < 1 \<Longrightarrow> set_pmf (bernoulli_pmf p) = UNIV"
   492   by (auto simp add: set_pmf_iff UNIV_bool)
   493 
   494 lemma nn_integral_bernoulli_pmf[simp]: 
   495   assumes [simp]: "0 \<le> p" "p \<le> 1" "\<And>x. 0 \<le> f x"
   496   shows "(\<integral>\<^sup>+x. f x \<partial>bernoulli_pmf p) = f True * p + f False * (1 - p)"
   497   by (subst nn_integral_measure_pmf_support[of UNIV])
   498      (auto simp: UNIV_bool field_simps)
   499 
   500 lemma integral_bernoulli_pmf[simp]: 
   501   assumes [simp]: "0 \<le> p" "p \<le> 1"
   502   shows "(\<integral>x. f x \<partial>bernoulli_pmf p) = f True * p + f False * (1 - p)"
   503   by (subst integral_measure_pmf[of UNIV]) (auto simp: UNIV_bool)
   504 
   505 lemma pmf_bernoulli_half [simp]: "pmf (bernoulli_pmf (1 / 2)) x = 1 / 2"
   506 by(cases x) simp_all
   507 
   508 lemma measure_pmf_bernoulli_half: "measure_pmf (bernoulli_pmf (1 / 2)) = uniform_count_measure UNIV"
   509 by(rule measure_eqI)(simp_all add: nn_integral_pmf[symmetric] emeasure_uniform_count_measure nn_integral_count_space_finite sets_uniform_count_measure)
   510 
   511 subsubsection \<open> Geometric Distribution \<close>
   512 
   513 lift_definition geometric_pmf :: "nat pmf" is "\<lambda>n. 1 / 2^Suc n"
   514 proof
   515   note geometric_sums[of "1 / 2"]
   516   note sums_mult[OF this, of "1 / 2"]
   517   from sums_suminf_ereal[OF this]
   518   show "(\<integral>\<^sup>+ x. ereal (1 / 2 ^ Suc x) \<partial>count_space UNIV) = 1"
   519     by (simp add: nn_integral_count_space_nat field_simps)
   520 qed simp
   521 
   522 lemma pmf_geometric[simp]: "pmf geometric_pmf n = 1 / 2^Suc n"
   523   by transfer rule
   524 
   525 lemma set_pmf_geometric[simp]: "set_pmf geometric_pmf = UNIV"
   526   by (auto simp: set_pmf_iff)
   527 
   528 subsubsection \<open> Uniform Multiset Distribution \<close>
   529 
   530 context
   531   fixes M :: "'a multiset" assumes M_not_empty: "M \<noteq> {#}"
   532 begin
   533 
   534 lift_definition pmf_of_multiset :: "'a pmf" is "\<lambda>x. count M x / size M"
   535 proof
   536   show "(\<integral>\<^sup>+ x. ereal (real (count M x) / real (size M)) \<partial>count_space UNIV) = 1"  
   537     using M_not_empty
   538     by (simp add: zero_less_divide_iff nn_integral_count_space nonempty_has_size
   539                   setsum_divide_distrib[symmetric])
   540        (auto simp: size_multiset_overloaded_eq intro!: setsum.cong)
   541 qed simp
   542 
   543 lemma pmf_of_multiset[simp]: "pmf pmf_of_multiset x = count M x / size M"
   544   by transfer rule
   545 
   546 lemma set_pmf_of_multiset[simp]: "set_pmf pmf_of_multiset = set_of M"
   547   by (auto simp: set_pmf_iff)
   548 
   549 end
   550 
   551 subsubsection \<open> Uniform Distribution \<close>
   552 
   553 context
   554   fixes S :: "'a set" assumes S_not_empty: "S \<noteq> {}" and S_finite: "finite S"
   555 begin
   556 
   557 lift_definition pmf_of_set :: "'a pmf" is "\<lambda>x. indicator S x / card S"
   558 proof
   559   show "(\<integral>\<^sup>+ x. ereal (indicator S x / real (card S)) \<partial>count_space UNIV) = 1"  
   560     using S_not_empty S_finite by (subst nn_integral_count_space'[of S]) auto
   561 qed simp
   562 
   563 lemma pmf_of_set[simp]: "pmf pmf_of_set x = indicator S x / card S"
   564   by transfer rule
   565 
   566 lemma set_pmf_of_set[simp]: "set_pmf pmf_of_set = S"
   567   using S_finite S_not_empty by (auto simp: set_pmf_iff)
   568 
   569 lemma emeasure_pmf_of_set[simp]: "emeasure pmf_of_set S = 1"
   570   by (rule measure_pmf.emeasure_eq_1_AE) (auto simp: AE_measure_pmf_iff)
   571 
   572 end
   573 
   574 subsubsection \<open> Poisson Distribution \<close>
   575 
   576 context
   577   fixes rate :: real assumes rate_pos: "0 < rate"
   578 begin
   579 
   580 lift_definition poisson_pmf :: "nat pmf" is "\<lambda>k. rate ^ k / fact k * exp (-rate)"
   581 proof
   582   (* Proof by Manuel Eberl *)
   583 
   584   have summable: "summable (\<lambda>x::nat. rate ^ x / fact x)" using summable_exp
   585     by (simp add: field_simps divide_inverse [symmetric])
   586   have "(\<integral>\<^sup>+(x::nat). rate ^ x / fact x * exp (-rate) \<partial>count_space UNIV) =
   587           exp (-rate) * (\<integral>\<^sup>+(x::nat). rate ^ x / fact x \<partial>count_space UNIV)"
   588     by (simp add: field_simps nn_integral_cmult[symmetric])
   589   also from rate_pos have "(\<integral>\<^sup>+(x::nat). rate ^ x / fact x \<partial>count_space UNIV) = (\<Sum>x. rate ^ x / fact x)"
   590     by (simp_all add: nn_integral_count_space_nat suminf_ereal summable suminf_ereal_finite)
   591   also have "... = exp rate" unfolding exp_def
   592     by (simp add: field_simps divide_inverse [symmetric] transfer_int_nat_factorial)
   593   also have "ereal (exp (-rate)) * ereal (exp rate) = 1"
   594     by (simp add: mult_exp_exp)
   595   finally show "(\<integral>\<^sup>+ x. ereal (rate ^ x / real (fact x) * exp (- rate)) \<partial>count_space UNIV) = 1" .
   596 qed (simp add: rate_pos[THEN less_imp_le])
   597 
   598 lemma pmf_poisson[simp]: "pmf poisson_pmf k = rate ^ k / fact k * exp (-rate)"
   599   by transfer rule
   600 
   601 lemma set_pmf_poisson[simp]: "set_pmf poisson_pmf = UNIV"
   602   using rate_pos by (auto simp: set_pmf_iff)
   603 
   604 end
   605 
   606 subsubsection \<open> Binomial Distribution \<close>
   607 
   608 context
   609   fixes n :: nat and p :: real assumes p_nonneg: "0 \<le> p" and p_le_1: "p \<le> 1"
   610 begin
   611 
   612 lift_definition binomial_pmf :: "nat pmf" is "\<lambda>k. (n choose k) * p^k * (1 - p)^(n - k)"
   613 proof
   614   have "(\<integral>\<^sup>+k. ereal (real (n choose k) * p ^ k * (1 - p) ^ (n - k)) \<partial>count_space UNIV) =
   615     ereal (\<Sum>k\<le>n. real (n choose k) * p ^ k * (1 - p) ^ (n - k))"
   616     using p_le_1 p_nonneg by (subst nn_integral_count_space') auto
   617   also have "(\<Sum>k\<le>n. real (n choose k) * p ^ k * (1 - p) ^ (n - k)) = (p + (1 - p)) ^ n"
   618     by (subst binomial_ring) (simp add: atLeast0AtMost real_of_nat_def)
   619   finally show "(\<integral>\<^sup>+ x. ereal (real (n choose x) * p ^ x * (1 - p) ^ (n - x)) \<partial>count_space UNIV) = 1"
   620     by simp
   621 qed (insert p_nonneg p_le_1, simp)
   622 
   623 lemma pmf_binomial[simp]: "pmf binomial_pmf k = (n choose k) * p^k * (1 - p)^(n - k)"
   624   by transfer rule
   625 
   626 lemma set_pmf_binomial_eq: "set_pmf binomial_pmf = (if p = 0 then {0} else if p = 1 then {n} else {.. n})"
   627   using p_nonneg p_le_1 unfolding set_eq_iff set_pmf_iff pmf_binomial by (auto simp: set_pmf_iff)
   628 
   629 end
   630 
   631 end
   632 
   633 lemma set_pmf_binomial_0[simp]: "set_pmf (binomial_pmf n 0) = {0}"
   634   by (simp add: set_pmf_binomial_eq)
   635 
   636 lemma set_pmf_binomial_1[simp]: "set_pmf (binomial_pmf n 1) = {n}"
   637   by (simp add: set_pmf_binomial_eq)
   638 
   639 lemma set_pmf_binomial[simp]: "0 < p \<Longrightarrow> p < 1 \<Longrightarrow> set_pmf (binomial_pmf n p) = {..n}"
   640   by (simp add: set_pmf_binomial_eq)
   641 
   642 subsection \<open> Monad Interpretation \<close>
   643 
   644 lemma measurable_measure_pmf[measurable]:
   645   "(\<lambda>x. measure_pmf (M x)) \<in> measurable (count_space UNIV) (subprob_algebra (count_space UNIV))"
   646   by (auto simp: space_subprob_algebra intro!: prob_space_imp_subprob_space) unfold_locales
   647 
   648 lemma bind_measure_pmf_cong:
   649   assumes "\<And>x. A x \<in> space (subprob_algebra N)" "\<And>x. B x \<in> space (subprob_algebra N)"
   650   assumes "\<And>i. i \<in> set_pmf x \<Longrightarrow> A i = B i"
   651   shows "bind (measure_pmf x) A = bind (measure_pmf x) B"
   652 proof (rule measure_eqI)
   653   show "sets (measure_pmf x \<guillemotright>= A) = sets (measure_pmf x \<guillemotright>= B)"
   654     using assms by (subst (1 2) sets_bind) (auto simp: space_subprob_algebra)
   655 next
   656   fix X assume "X \<in> sets (measure_pmf x \<guillemotright>= A)"
   657   then have X: "X \<in> sets N"
   658     using assms by (subst (asm) sets_bind) (auto simp: space_subprob_algebra)
   659   show "emeasure (measure_pmf x \<guillemotright>= A) X = emeasure (measure_pmf x \<guillemotright>= B) X"
   660     using assms
   661     by (subst (1 2) emeasure_bind[where N=N, OF _ _ X])
   662        (auto intro!: nn_integral_cong_AE simp: AE_measure_pmf_iff)
   663 qed
   664 
   665 context
   666 begin
   667 
   668 interpretation pmf_as_measure .
   669 
   670 lift_definition join_pmf :: "'a pmf pmf \<Rightarrow> 'a pmf" is "\<lambda>M. measure_pmf M \<guillemotright>= measure_pmf"
   671 proof (intro conjI)
   672   fix M :: "'a pmf pmf"
   673 
   674   interpret bind: prob_space "measure_pmf M \<guillemotright>= measure_pmf"
   675     apply (intro measure_pmf.prob_space_bind[where S="count_space UNIV"] AE_I2)
   676     apply (auto intro!: subprob_space_measure_pmf simp: space_subprob_algebra)
   677     apply unfold_locales
   678     done
   679   show "prob_space (measure_pmf M \<guillemotright>= measure_pmf)"
   680     by intro_locales
   681   show "sets (measure_pmf M \<guillemotright>= measure_pmf) = UNIV"
   682     by (subst sets_bind) auto
   683   have "AE x in measure_pmf M \<guillemotright>= measure_pmf. emeasure (measure_pmf M \<guillemotright>= measure_pmf) {x} \<noteq> 0"
   684     by (auto simp: AE_bind[where B="count_space UNIV"] measure_pmf_in_subprob_algebra
   685                    emeasure_bind[where N="count_space UNIV"] AE_measure_pmf_iff nn_integral_0_iff_AE
   686                    measure_pmf.emeasure_eq_measure measure_le_0_iff set_pmf_iff pmf.rep_eq)
   687   then show "AE x in measure_pmf M \<guillemotright>= measure_pmf. measure (measure_pmf M \<guillemotright>= measure_pmf) {x} \<noteq> 0"
   688     unfolding bind.emeasure_eq_measure by simp
   689 qed
   690 
   691 lemma pmf_join: "pmf (join_pmf N) i = (\<integral>M. pmf M i \<partial>measure_pmf N)"
   692 proof (transfer fixing: N i)
   693   have N: "subprob_space (measure_pmf N)"
   694     by (rule prob_space_imp_subprob_space) intro_locales
   695   show "measure (measure_pmf N \<guillemotright>= measure_pmf) {i} = integral\<^sup>L (measure_pmf N) (\<lambda>M. measure M {i})"
   696     using measurable_measure_pmf[of "\<lambda>x. x"]
   697     by (intro subprob_space.measure_bind[where N="count_space UNIV", OF N]) auto
   698 qed (auto simp: Transfer.Rel_def rel_fun_def cr_pmf_def)
   699 
   700 lemma ereal_pmf_join: "ereal (pmf (join_pmf N) i) = (\<integral>\<^sup>+M. pmf M i \<partial>measure_pmf N)"
   701   unfolding pmf_join
   702   by (intro nn_integral_eq_integral[symmetric] measure_pmf.integrable_const_bound[where B=1])
   703      (auto simp: pmf_le_1 pmf_nonneg)
   704 
   705 lemma set_pmf_join_pmf: "set_pmf (join_pmf f) = (\<Union>p\<in>set_pmf f. set_pmf p)"
   706 apply(simp add: set_eq_iff set_pmf_iff pmf_join)
   707 apply(subst integral_nonneg_eq_0_iff_AE)
   708 apply(auto simp add: pmf_le_1 pmf_nonneg AE_measure_pmf_iff intro!: measure_pmf.integrable_const_bound[where B=1])
   709 done
   710 
   711 lift_definition return_pmf :: "'a \<Rightarrow> 'a pmf" is "return (count_space UNIV)"
   712   by (auto intro!: prob_space_return simp: AE_return measure_return)
   713 
   714 lemma join_return_pmf: "join_pmf (return_pmf M) = M"
   715   by (simp add: integral_return pmf_eq_iff pmf_join return_pmf.rep_eq)
   716 
   717 lemma map_return_pmf: "map_pmf f (return_pmf x) = return_pmf (f x)"
   718   by transfer (simp add: distr_return)
   719 
   720 lemma map_pmf_const[simp]: "map_pmf (\<lambda>_. c) M = return_pmf c"
   721   by transfer (auto simp: prob_space.distr_const)
   722 
   723 lemma set_return_pmf: "set_pmf (return_pmf x) = {x}"
   724   by transfer (auto simp add: measure_return split: split_indicator)
   725 
   726 lemma pmf_return: "pmf (return_pmf x) y = indicator {y} x"
   727   by transfer (simp add: measure_return)
   728 
   729 lemma nn_integral_return_pmf[simp]: "0 \<le> f x \<Longrightarrow> (\<integral>\<^sup>+x. f x \<partial>return_pmf x) = f x"
   730   unfolding return_pmf.rep_eq by (intro nn_integral_return) auto
   731 
   732 lemma emeasure_return_pmf[simp]: "emeasure (return_pmf x) X = indicator X x"
   733   unfolding return_pmf.rep_eq by (intro emeasure_return) auto
   734 
   735 end
   736 
   737 lemma return_pmf_inj[simp]: "return_pmf x = return_pmf y \<longleftrightarrow> x = y"
   738   by (metis insertI1 set_return_pmf singletonD)
   739 
   740 definition "bind_pmf M f = join_pmf (map_pmf f M)"
   741 
   742 lemma (in pmf_as_measure) bind_transfer[transfer_rule]:
   743   "rel_fun pmf_as_measure.cr_pmf (rel_fun (rel_fun op = pmf_as_measure.cr_pmf) pmf_as_measure.cr_pmf) op \<guillemotright>= bind_pmf"
   744 proof (auto simp: pmf_as_measure.cr_pmf_def rel_fun_def bind_pmf_def join_pmf.rep_eq map_pmf.rep_eq)
   745   fix M f and g :: "'a \<Rightarrow> 'b pmf" assume "\<forall>x. f x = measure_pmf (g x)"
   746   then have f: "f = (\<lambda>x. measure_pmf (g x))"
   747     by auto
   748   show "measure_pmf M \<guillemotright>= f = distr (measure_pmf M) (count_space UNIV) g \<guillemotright>= measure_pmf"
   749     unfolding f by (subst bind_distr[OF _ measurable_measure_pmf]) auto
   750 qed
   751 
   752 lemma ereal_pmf_bind: "pmf (bind_pmf N f) i = (\<integral>\<^sup>+x. pmf (f x) i \<partial>measure_pmf N)"
   753   by (auto intro!: nn_integral_distr simp: bind_pmf_def ereal_pmf_join map_pmf.rep_eq)
   754 
   755 lemma pmf_bind: "pmf (bind_pmf N f) i = (\<integral>x. pmf (f x) i \<partial>measure_pmf N)"
   756   by (auto intro!: integral_distr simp: bind_pmf_def pmf_join map_pmf.rep_eq)
   757 
   758 lemma bind_return_pmf: "bind_pmf (return_pmf x) f = f x"
   759   unfolding bind_pmf_def map_return_pmf join_return_pmf ..
   760 
   761 lemma join_eq_bind_pmf: "join_pmf M = bind_pmf M id"
   762   by (simp add: bind_pmf_def)
   763 
   764 lemma bind_pmf_const[simp]: "bind_pmf M (\<lambda>x. c) = c"
   765   unfolding bind_pmf_def map_pmf_const join_return_pmf ..
   766 
   767 lemma set_bind_pmf: "set_pmf (bind_pmf M N) = (\<Union>M\<in>set_pmf M. set_pmf (N M))"
   768   apply (simp add: set_eq_iff set_pmf_iff pmf_bind)
   769   apply (subst integral_nonneg_eq_0_iff_AE)
   770   apply (auto simp: pmf_nonneg pmf_le_1 AE_measure_pmf_iff
   771               intro!: measure_pmf.integrable_const_bound[where B=1])
   772   done
   773 
   774 
   775 lemma measurable_pair_restrict_pmf2:
   776   assumes "countable A"
   777   assumes [measurable]: "\<And>y. y \<in> A \<Longrightarrow> (\<lambda>x. f (x, y)) \<in> measurable M L"
   778   shows "f \<in> measurable (M \<Otimes>\<^sub>M restrict_space (measure_pmf N) A) L" (is "f \<in> measurable ?M _")
   779 proof -
   780   have [measurable_cong]: "sets (restrict_space (count_space UNIV) A) = sets (count_space A)"
   781     by (simp add: restrict_count_space)
   782 
   783   show ?thesis
   784     by (intro measurable_compose_countable'[where f="\<lambda>a b. f (fst b, a)" and g=snd and I=A,
   785                                             unfolded pair_collapse] assms)
   786         measurable
   787 qed
   788 
   789 lemma measurable_pair_restrict_pmf1:
   790   assumes "countable A"
   791   assumes [measurable]: "\<And>x. x \<in> A \<Longrightarrow> (\<lambda>y. f (x, y)) \<in> measurable N L"
   792   shows "f \<in> measurable (restrict_space (measure_pmf M) A \<Otimes>\<^sub>M N) L"
   793 proof -
   794   have [measurable_cong]: "sets (restrict_space (count_space UNIV) A) = sets (count_space A)"
   795     by (simp add: restrict_count_space)
   796 
   797   show ?thesis
   798     by (intro measurable_compose_countable'[where f="\<lambda>a b. f (a, snd b)" and g=fst and I=A,
   799                                             unfolded pair_collapse] assms)
   800         measurable
   801 qed
   802                                 
   803 lemma bind_commute_pmf: "bind_pmf A (\<lambda>x. bind_pmf B (C x)) = bind_pmf B (\<lambda>y. bind_pmf A (\<lambda>x. C x y))"
   804   unfolding pmf_eq_iff pmf_bind
   805 proof
   806   fix i
   807   interpret B: prob_space "restrict_space B B"
   808     by (intro prob_space_restrict_space measure_pmf.emeasure_eq_1_AE)
   809        (auto simp: AE_measure_pmf_iff)
   810   interpret A: prob_space "restrict_space A A"
   811     by (intro prob_space_restrict_space measure_pmf.emeasure_eq_1_AE)
   812        (auto simp: AE_measure_pmf_iff)
   813 
   814   interpret AB: pair_prob_space "restrict_space A A" "restrict_space B B"
   815     by unfold_locales
   816 
   817   have "(\<integral> x. \<integral> y. pmf (C x y) i \<partial>B \<partial>A) = (\<integral> x. (\<integral> y. pmf (C x y) i \<partial>restrict_space B B) \<partial>A)"
   818     by (rule integral_cong) (auto intro!: integral_pmf_restrict)
   819   also have "\<dots> = (\<integral> x. (\<integral> y. pmf (C x y) i \<partial>restrict_space B B) \<partial>restrict_space A A)"
   820     by (intro integral_pmf_restrict B.borel_measurable_lebesgue_integral measurable_pair_restrict_pmf2
   821               countable_set_pmf borel_measurable_count_space)
   822   also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>restrict_space A A \<partial>restrict_space B B)"
   823     by (rule AB.Fubini_integral[symmetric])
   824        (auto intro!: AB.integrable_const_bound[where B=1] measurable_pair_restrict_pmf2
   825              simp: pmf_nonneg pmf_le_1 measurable_restrict_space1)
   826   also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>restrict_space A A \<partial>B)"
   827     by (intro integral_pmf_restrict[symmetric] A.borel_measurable_lebesgue_integral measurable_pair_restrict_pmf2
   828               countable_set_pmf borel_measurable_count_space)
   829   also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>A \<partial>B)"
   830     by (rule integral_cong) (auto intro!: integral_pmf_restrict[symmetric])
   831   finally show "(\<integral> x. \<integral> y. pmf (C x y) i \<partial>B \<partial>A) = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>A \<partial>B)" .
   832 qed
   833 
   834 
   835 context
   836 begin
   837 
   838 interpretation pmf_as_measure .
   839 
   840 lemma measure_pmf_bind: "measure_pmf (bind_pmf M f) = (measure_pmf M \<guillemotright>= (\<lambda>x. measure_pmf (f x)))"
   841   by transfer simp
   842 
   843 lemma nn_integral_bind_pmf[simp]: "(\<integral>\<^sup>+x. f x \<partial>bind_pmf M N) = (\<integral>\<^sup>+x. \<integral>\<^sup>+y. f y \<partial>N x \<partial>M)"
   844   using measurable_measure_pmf[of N]
   845   unfolding measure_pmf_bind
   846   apply (subst (1 3) nn_integral_max_0[symmetric])
   847   apply (intro nn_integral_bind[where B="count_space UNIV"])
   848   apply auto
   849   done
   850 
   851 lemma emeasure_bind_pmf[simp]: "emeasure (bind_pmf M N) X = (\<integral>\<^sup>+x. emeasure (N x) X \<partial>M)"
   852   using measurable_measure_pmf[of N]
   853   unfolding measure_pmf_bind
   854   by (subst emeasure_bind[where N="count_space UNIV"]) auto
   855 
   856 lemma bind_return_pmf': "bind_pmf N return_pmf = N"
   857 proof (transfer, clarify)
   858   fix N :: "'a measure" assume "sets N = UNIV" then show "N \<guillemotright>= return (count_space UNIV) = N"
   859     by (subst return_sets_cong[where N=N]) (simp_all add: bind_return')
   860 qed
   861 
   862 lemma bind_return_pmf'': "bind_pmf N (\<lambda>x. return_pmf (f x)) = map_pmf f N"
   863 proof (transfer, clarify)
   864   fix N :: "'b measure" and f :: "'b \<Rightarrow> 'a" assume "prob_space N" "sets N = UNIV"
   865   then show "N \<guillemotright>= (\<lambda>x. return (count_space UNIV) (f x)) = distr N (count_space UNIV) f"
   866     by (subst bind_return_distr[symmetric])
   867        (auto simp: prob_space.not_empty measurable_def comp_def)
   868 qed
   869 
   870 lemma bind_assoc_pmf: "bind_pmf (bind_pmf A B) C = bind_pmf A (\<lambda>x. bind_pmf (B x) C)"
   871   by transfer
   872      (auto intro!: bind_assoc[where N="count_space UNIV" and R="count_space UNIV"]
   873            simp: measurable_def space_subprob_algebra prob_space_imp_subprob_space)
   874 
   875 end
   876 
   877 lemma map_bind_pmf: "map_pmf f (bind_pmf M g) = bind_pmf M (\<lambda>x. map_pmf f (g x))"
   878   unfolding bind_return_pmf''[symmetric] bind_assoc_pmf[of M] ..
   879 
   880 lemma bind_map_pmf: "bind_pmf (map_pmf f M) g = bind_pmf M (\<lambda>x. g (f x))"
   881   unfolding bind_return_pmf''[symmetric] bind_assoc_pmf bind_return_pmf ..
   882 
   883 lemma map_join_pmf: "map_pmf f (join_pmf AA) = join_pmf (map_pmf (map_pmf f) AA)"
   884   unfolding bind_pmf_def[symmetric]
   885   unfolding bind_return_pmf''[symmetric] join_eq_bind_pmf bind_assoc_pmf
   886   by (simp add: bind_return_pmf'')
   887 
   888 lemma bind_pmf_cong:
   889   "\<lbrakk> p = q; \<And>x. x \<in> set_pmf q \<Longrightarrow> f x = g x \<rbrakk>
   890   \<Longrightarrow> bind_pmf p f = bind_pmf q g"
   891 by(simp add: bind_pmf_def cong: map_pmf_cong)
   892 
   893 lemma bind_pmf_cong_simp:
   894   "\<lbrakk> p = q; \<And>x. x \<in> set_pmf q =simp=> f x = g x \<rbrakk>
   895   \<Longrightarrow> bind_pmf p f = bind_pmf q g"
   896 by(simp add: simp_implies_def cong: bind_pmf_cong)
   897 
   898 definition "pair_pmf A B = bind_pmf A (\<lambda>x. bind_pmf B (\<lambda>y. return_pmf (x, y)))"
   899 
   900 lemma pmf_pair: "pmf (pair_pmf M N) (a, b) = pmf M a * pmf N b"
   901   unfolding pair_pmf_def pmf_bind pmf_return
   902   apply (subst integral_measure_pmf[where A="{b}"])
   903   apply (auto simp: indicator_eq_0_iff)
   904   apply (subst integral_measure_pmf[where A="{a}"])
   905   apply (auto simp: indicator_eq_0_iff setsum_nonneg_eq_0_iff pmf_nonneg)
   906   done
   907 
   908 lemma set_pair_pmf: "set_pmf (pair_pmf A B) = set_pmf A \<times> set_pmf B"
   909   unfolding pair_pmf_def set_bind_pmf set_return_pmf by auto
   910 
   911 lemma measure_pmf_in_subprob_space[measurable (raw)]:
   912   "measure_pmf M \<in> space (subprob_algebra (count_space UNIV))"
   913   by (simp add: space_subprob_algebra) intro_locales
   914 
   915 lemma nn_integral_pair_pmf': "(\<integral>\<^sup>+x. f x \<partial>pair_pmf A B) = (\<integral>\<^sup>+a. \<integral>\<^sup>+b. f (a, b) \<partial>B \<partial>A)"
   916 proof -
   917   have "(\<integral>\<^sup>+x. f x \<partial>pair_pmf A B) = (\<integral>\<^sup>+x. max 0 (f x) * indicator (A \<times> B) x \<partial>pair_pmf A B)"
   918     by (subst nn_integral_max_0[symmetric])
   919        (auto simp: AE_measure_pmf_iff set_pair_pmf intro!: nn_integral_cong_AE)
   920   also have "\<dots> = (\<integral>\<^sup>+a. \<integral>\<^sup>+b. max 0 (f (a, b)) * indicator (A \<times> B) (a, b) \<partial>B \<partial>A)"
   921     by (simp add: pair_pmf_def)
   922   also have "\<dots> = (\<integral>\<^sup>+a. \<integral>\<^sup>+b. max 0 (f (a, b)) \<partial>B \<partial>A)"
   923     by (auto intro!: nn_integral_cong_AE simp: AE_measure_pmf_iff)
   924   finally show ?thesis
   925     unfolding nn_integral_max_0 .
   926 qed
   927 
   928 lemma pair_map_pmf1: "pair_pmf (map_pmf f A) B = map_pmf (apfst f) (pair_pmf A B)"
   929 proof (safe intro!: pmf_eqI)
   930   fix a :: "'a" and b :: "'b"
   931   have [simp]: "\<And>c d. indicator (apfst f -` {(a, b)}) (c, d) = indicator (f -` {a}) c * (indicator {b} d::ereal)"
   932     by (auto split: split_indicator)
   933 
   934   have "ereal (pmf (pair_pmf (map_pmf f A) B) (a, b)) =
   935          ereal (pmf (map_pmf (apfst f) (pair_pmf A B)) (a, b))"
   936     unfolding pmf_pair ereal_pmf_map
   937     by (simp add: nn_integral_pair_pmf' max_def emeasure_pmf_single nn_integral_multc pmf_nonneg
   938                   emeasure_map_pmf[symmetric] del: emeasure_map_pmf)
   939   then show "pmf (pair_pmf (map_pmf f A) B) (a, b) = pmf (map_pmf (apfst f) (pair_pmf A B)) (a, b)"
   940     by simp
   941 qed
   942 
   943 lemma pair_map_pmf2: "pair_pmf A (map_pmf f B) = map_pmf (apsnd f) (pair_pmf A B)"
   944 proof (safe intro!: pmf_eqI)
   945   fix a :: "'a" and b :: "'b"
   946   have [simp]: "\<And>c d. indicator (apsnd f -` {(a, b)}) (c, d) = indicator {a} c * (indicator (f -` {b}) d::ereal)"
   947     by (auto split: split_indicator)
   948 
   949   have "ereal (pmf (pair_pmf A (map_pmf f B)) (a, b)) =
   950          ereal (pmf (map_pmf (apsnd f) (pair_pmf A B)) (a, b))"
   951     unfolding pmf_pair ereal_pmf_map
   952     by (simp add: nn_integral_pair_pmf' max_def emeasure_pmf_single nn_integral_cmult nn_integral_multc pmf_nonneg
   953                   emeasure_map_pmf[symmetric] del: emeasure_map_pmf)
   954   then show "pmf (pair_pmf A (map_pmf f B)) (a, b) = pmf (map_pmf (apsnd f) (pair_pmf A B)) (a, b)"
   955     by simp
   956 qed
   957 
   958 lemma map_pair: "map_pmf (\<lambda>(a, b). (f a, g b)) (pair_pmf A B) = pair_pmf (map_pmf f A) (map_pmf g B)"
   959   by (simp add: pair_map_pmf2 pair_map_pmf1 map_pmf_comp split_beta')
   960 
   961 lemma bind_pair_pmf:
   962   assumes M[measurable]: "M \<in> measurable (count_space UNIV \<Otimes>\<^sub>M count_space UNIV) (subprob_algebra N)"
   963   shows "measure_pmf (pair_pmf A B) \<guillemotright>= M = (measure_pmf A \<guillemotright>= (\<lambda>x. measure_pmf B \<guillemotright>= (\<lambda>y. M (x, y))))"
   964     (is "?L = ?R")
   965 proof (rule measure_eqI)
   966   have M'[measurable]: "M \<in> measurable (pair_pmf A B) (subprob_algebra N)"
   967     using M[THEN measurable_space] by (simp_all add: space_pair_measure)
   968 
   969   note measurable_bind[where N="count_space UNIV", measurable]
   970   note measure_pmf_in_subprob_space[simp]
   971 
   972   have sets_eq_N: "sets ?L = N"
   973     by (subst sets_bind[OF sets_kernel[OF M']]) auto
   974   show "sets ?L = sets ?R"
   975     using measurable_space[OF M]
   976     by (simp add: sets_eq_N space_pair_measure space_subprob_algebra)
   977   fix X assume "X \<in> sets ?L"
   978   then have X[measurable]: "X \<in> sets N"
   979     unfolding sets_eq_N .
   980   then show "emeasure ?L X = emeasure ?R X"
   981     apply (simp add: emeasure_bind[OF _ M' X])
   982     apply (simp add: nn_integral_bind[where B="count_space UNIV"] pair_pmf_def measure_pmf_bind[of A]
   983       nn_integral_measure_pmf_finite set_return_pmf emeasure_nonneg pmf_return one_ereal_def[symmetric])
   984     apply (subst emeasure_bind[OF _ _ X])
   985     apply measurable
   986     apply (subst emeasure_bind[OF _ _ X])
   987     apply measurable
   988     done
   989 qed
   990 
   991 lemma join_map_return_pmf: "join_pmf (map_pmf return_pmf A) = A"
   992   unfolding bind_pmf_def[symmetric] bind_return_pmf' ..
   993 
   994 lemma map_fst_pair_pmf: "map_pmf fst (pair_pmf A B) = A"
   995   by (simp add: pair_pmf_def bind_return_pmf''[symmetric] bind_assoc_pmf bind_return_pmf bind_return_pmf')
   996 
   997 lemma map_snd_pair_pmf: "map_pmf snd (pair_pmf A B) = B"
   998   by (simp add: pair_pmf_def bind_return_pmf''[symmetric] bind_assoc_pmf bind_return_pmf bind_return_pmf')
   999 
  1000 lemma nn_integral_pmf':
  1001   "inj_on f A \<Longrightarrow> (\<integral>\<^sup>+x. pmf p (f x) \<partial>count_space A) = emeasure p (f ` A)"
  1002   by (subst nn_integral_bij_count_space[where g=f and B="f`A"])
  1003      (auto simp: bij_betw_def nn_integral_pmf)
  1004 
  1005 lemma pmf_le_0_iff[simp]: "pmf M p \<le> 0 \<longleftrightarrow> pmf M p = 0"
  1006   using pmf_nonneg[of M p] by simp
  1007 
  1008 lemma min_pmf_0[simp]: "min (pmf M p) 0 = 0" "min 0 (pmf M p) = 0"
  1009   using pmf_nonneg[of M p] by simp_all
  1010 
  1011 lemma pmf_eq_0_set_pmf: "pmf M p = 0 \<longleftrightarrow> p \<notin> set_pmf M"
  1012   unfolding set_pmf_iff by simp
  1013 
  1014 lemma pmf_map_inj: "inj_on f (set_pmf M) \<Longrightarrow> x \<in> set_pmf M \<Longrightarrow> pmf (map_pmf f M) (f x) = pmf M x"
  1015   by (auto simp: pmf.rep_eq map_pmf.rep_eq measure_distr AE_measure_pmf_iff inj_onD
  1016            intro!: measure_pmf.finite_measure_eq_AE)
  1017 
  1018 subsection \<open> Conditional Probabilities \<close>
  1019 
  1020 context
  1021   fixes p :: "'a pmf" and s :: "'a set"
  1022   assumes not_empty: "set_pmf p \<inter> s \<noteq> {}"
  1023 begin
  1024 
  1025 interpretation pmf_as_measure .
  1026 
  1027 lemma emeasure_measure_pmf_not_zero: "emeasure (measure_pmf p) s \<noteq> 0"
  1028 proof
  1029   assume "emeasure (measure_pmf p) s = 0"
  1030   then have "AE x in measure_pmf p. x \<notin> s"
  1031     by (rule AE_I[rotated]) auto
  1032   with not_empty show False
  1033     by (auto simp: AE_measure_pmf_iff)
  1034 qed
  1035 
  1036 lemma measure_measure_pmf_not_zero: "measure (measure_pmf p) s \<noteq> 0"
  1037   using emeasure_measure_pmf_not_zero unfolding measure_pmf.emeasure_eq_measure by simp
  1038 
  1039 lift_definition cond_pmf :: "'a pmf" is
  1040   "uniform_measure (measure_pmf p) s"
  1041 proof (intro conjI)
  1042   show "prob_space (uniform_measure (measure_pmf p) s)"
  1043     by (intro prob_space_uniform_measure) (auto simp: emeasure_measure_pmf_not_zero)
  1044   show "AE x in uniform_measure (measure_pmf p) s. measure (uniform_measure (measure_pmf p) s) {x} \<noteq> 0"
  1045     by (simp add: emeasure_measure_pmf_not_zero measure_measure_pmf_not_zero AE_uniform_measure
  1046                   AE_measure_pmf_iff set_pmf.rep_eq)
  1047 qed simp
  1048 
  1049 lemma pmf_cond: "pmf cond_pmf x = (if x \<in> s then pmf p x / measure p s else 0)"
  1050   by transfer (simp add: emeasure_measure_pmf_not_zero pmf.rep_eq)
  1051 
  1052 lemma set_cond_pmf: "set_pmf cond_pmf = set_pmf p \<inter> s"
  1053   by (auto simp add: set_pmf_iff pmf_cond measure_measure_pmf_not_zero split: split_if_asm)
  1054 
  1055 end
  1056 
  1057 lemma cond_map_pmf:
  1058   assumes "set_pmf p \<inter> f -` s \<noteq> {}"
  1059   shows "cond_pmf (map_pmf f p) s = map_pmf f (cond_pmf p (f -` s))"
  1060 proof -
  1061   have *: "set_pmf (map_pmf f p) \<inter> s \<noteq> {}"
  1062     using assms by (simp add: set_map_pmf) auto
  1063   { fix x
  1064     have "ereal (pmf (map_pmf f (cond_pmf p (f -` s))) x) =
  1065       emeasure p (f -` s \<inter> f -` {x}) / emeasure p (f -` s)"
  1066       unfolding ereal_pmf_map cond_pmf.rep_eq[OF assms] by (simp add: nn_integral_uniform_measure)
  1067     also have "f -` s \<inter> f -` {x} = (if x \<in> s then f -` {x} else {})"
  1068       by auto
  1069     also have "emeasure p (if x \<in> s then f -` {x} else {}) / emeasure p (f -` s) =
  1070       ereal (pmf (cond_pmf (map_pmf f p) s) x)"
  1071       using measure_measure_pmf_not_zero[OF *]
  1072       by (simp add: pmf_cond[OF *] ereal_divide' ereal_pmf_map measure_pmf.emeasure_eq_measure[symmetric]
  1073                del: ereal_divide)
  1074     finally have "ereal (pmf (cond_pmf (map_pmf f p) s) x) = ereal (pmf (map_pmf f (cond_pmf p (f -` s))) x)"
  1075       by simp }
  1076   then show ?thesis
  1077     by (intro pmf_eqI) simp
  1078 qed
  1079 
  1080 lemma bind_cond_pmf_cancel:
  1081   assumes in_S: "\<And>x. x \<in> set_pmf p \<Longrightarrow> x \<in> S x" "\<And>x. x \<in> set_pmf q \<Longrightarrow> x \<in> S x"
  1082   assumes S_eq: "\<And>x y. x \<in> S y \<Longrightarrow> S x = S y"
  1083   and same: "\<And>x. measure (measure_pmf p) (S x) = measure (measure_pmf q) (S x)"
  1084   shows "bind_pmf p (\<lambda>x. cond_pmf q (S x)) = q" (is "?lhs = _")
  1085 proof (rule pmf_eqI)
  1086   { fix x
  1087     assume "x \<in> set_pmf p"
  1088     hence "set_pmf p \<inter> (S x) \<noteq> {}" using in_S by auto
  1089     hence "measure (measure_pmf p) (S x) \<noteq> 0"
  1090       by(auto simp add: measure_pmf.prob_eq_0 AE_measure_pmf_iff)
  1091     with same have "measure (measure_pmf q) (S x) \<noteq> 0" by simp
  1092     hence "set_pmf q \<inter> S x \<noteq> {}"
  1093       by(auto simp add: measure_pmf.prob_eq_0 AE_measure_pmf_iff) }
  1094   note [simp] = this
  1095 
  1096   fix z
  1097   have pmf_q_z: "z \<notin> S z \<Longrightarrow> pmf q z = 0"
  1098     by(erule contrapos_np)(simp add: pmf_eq_0_set_pmf in_S)
  1099 
  1100   have "ereal (pmf ?lhs z) = \<integral>\<^sup>+ x. ereal (pmf (cond_pmf q (S x)) z) \<partial>measure_pmf p"
  1101     by(simp add: ereal_pmf_bind)
  1102   also have "\<dots> = \<integral>\<^sup>+ x. ereal (pmf q z / measure p (S z)) * indicator (S z) x \<partial>measure_pmf p"
  1103     by(rule nn_integral_cong_AE)(auto simp add: AE_measure_pmf_iff pmf_cond same pmf_q_z in_S dest!: S_eq split: split_indicator)
  1104   also have "\<dots> = pmf q z" using pmf_nonneg[of q z]
  1105     by (subst nn_integral_cmult)(auto simp add: measure_nonneg measure_pmf.emeasure_eq_measure same measure_pmf.prob_eq_0 AE_measure_pmf_iff pmf_eq_0_set_pmf in_S)
  1106   finally show "pmf ?lhs z = pmf q z" by simp
  1107 qed
  1108 
  1109 inductive rel_pmf :: "('a \<Rightarrow> 'b \<Rightarrow> bool) \<Rightarrow> 'a pmf \<Rightarrow> 'b pmf \<Rightarrow> bool"
  1110 for R p q
  1111 where
  1112   "\<lbrakk> \<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> R x y; 
  1113      map_pmf fst pq = p; map_pmf snd pq = q \<rbrakk>
  1114   \<Longrightarrow> rel_pmf R p q"
  1115 
  1116 bnf pmf: "'a pmf" map: map_pmf sets: set_pmf bd : "natLeq" rel: rel_pmf
  1117 proof -
  1118   show "map_pmf id = id" by (rule map_pmf_id)
  1119   show "\<And>f g. map_pmf (f \<circ> g) = map_pmf f \<circ> map_pmf g" by (rule map_pmf_compose) 
  1120   show "\<And>f g::'a \<Rightarrow> 'b. \<And>p. (\<And>x. x \<in> set_pmf p \<Longrightarrow> f x = g x) \<Longrightarrow> map_pmf f p = map_pmf g p"
  1121     by (intro map_pmf_cong refl)
  1122 
  1123   show "\<And>f::'a \<Rightarrow> 'b. set_pmf \<circ> map_pmf f = op ` f \<circ> set_pmf"
  1124     by (rule pmf_set_map)
  1125 
  1126   { fix p :: "'s pmf"
  1127     have "(card_of (set_pmf p), card_of (UNIV :: nat set)) \<in> ordLeq"
  1128       by (rule card_of_ordLeqI[where f="to_nat_on (set_pmf p)"])
  1129          (auto intro: countable_set_pmf)
  1130     also have "(card_of (UNIV :: nat set), natLeq) \<in> ordLeq"
  1131       by (metis Field_natLeq card_of_least natLeq_Well_order)
  1132     finally show "(card_of (set_pmf p), natLeq) \<in> ordLeq" . }
  1133 
  1134   show "\<And>R. rel_pmf R =
  1135          (BNF_Def.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf fst))\<inverse>\<inverse> OO
  1136          BNF_Def.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf snd)"
  1137      by (auto simp add: fun_eq_iff BNF_Def.Grp_def OO_def rel_pmf.simps)
  1138 
  1139   { fix p :: "'a pmf" and f :: "'a \<Rightarrow> 'b" and g x
  1140     assume p: "\<And>z. z \<in> set_pmf p \<Longrightarrow> f z = g z"
  1141       and x: "x \<in> set_pmf p"
  1142     thus "f x = g x" by simp }
  1143 
  1144   fix R :: "'a => 'b \<Rightarrow> bool" and S :: "'b \<Rightarrow> 'c \<Rightarrow> bool"
  1145   { fix p q r
  1146     assume pq: "rel_pmf R p q"
  1147       and qr:"rel_pmf S q r"
  1148     from pq obtain pq where pq: "\<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> R x y"
  1149       and p: "p = map_pmf fst pq" and q: "q = map_pmf snd pq" by cases auto
  1150     from qr obtain qr where qr: "\<And>y z. (y, z) \<in> set_pmf qr \<Longrightarrow> S y z"
  1151       and q': "q = map_pmf fst qr" and r: "r = map_pmf snd qr" by cases auto
  1152 
  1153     def pr \<equiv> "bind_pmf pq (\<lambda>(x, y). bind_pmf (cond_pmf qr {(y', z). y' = y}) (\<lambda>(y', z). return_pmf (x, z)))"
  1154     have pr_welldefined: "\<And>y. y \<in> q \<Longrightarrow> qr \<inter> {(y', z). y' = y} \<noteq> {}"
  1155       by (force simp: q' set_map_pmf)
  1156 
  1157     have "rel_pmf (R OO S) p r"
  1158     proof (rule rel_pmf.intros)
  1159       fix x z assume "(x, z) \<in> pr"
  1160       then have "\<exists>y. (x, y) \<in> pq \<and> (y, z) \<in> qr"
  1161         by (auto simp: q pr_welldefined pr_def set_bind_pmf split_beta set_return_pmf set_cond_pmf set_map_pmf)
  1162       with pq qr show "(R OO S) x z"
  1163         by blast
  1164     next
  1165       have "map_pmf snd pr = map_pmf snd (bind_pmf q (\<lambda>y. cond_pmf qr {(y', z). y' = y}))"
  1166         by (simp add: pr_def q split_beta bind_map_pmf bind_return_pmf'' map_bind_pmf map_return_pmf)
  1167       then show "map_pmf snd pr = r"
  1168         unfolding r q' bind_map_pmf by (subst (asm) bind_cond_pmf_cancel) auto
  1169     qed (simp add: pr_def map_bind_pmf split_beta map_return_pmf bind_return_pmf'' p) }
  1170   then show "rel_pmf R OO rel_pmf S \<le> rel_pmf (R OO S)"
  1171     by(auto simp add: le_fun_def)
  1172 qed (fact natLeq_card_order natLeq_cinfinite)+
  1173 
  1174 lemma rel_pmf_return_pmf1: "rel_pmf R (return_pmf x) M \<longleftrightarrow> (\<forall>a\<in>M. R x a)"
  1175 proof safe
  1176   fix a assume "a \<in> M" "rel_pmf R (return_pmf x) M"
  1177   then obtain pq where *: "\<And>a b. (a, b) \<in> set_pmf pq \<Longrightarrow> R a b"
  1178     and eq: "return_pmf x = map_pmf fst pq" "M = map_pmf snd pq"
  1179     by (force elim: rel_pmf.cases)
  1180   moreover have "set_pmf (return_pmf x) = {x}"
  1181     by (simp add: set_return_pmf)
  1182   with `a \<in> M` have "(x, a) \<in> pq"
  1183     by (force simp: eq set_map_pmf)
  1184   with * show "R x a"
  1185     by auto
  1186 qed (auto intro!: rel_pmf.intros[where pq="pair_pmf (return_pmf x) M"]
  1187           simp: map_fst_pair_pmf map_snd_pair_pmf set_pair_pmf set_return_pmf)
  1188 
  1189 lemma rel_pmf_return_pmf2: "rel_pmf R M (return_pmf x) \<longleftrightarrow> (\<forall>a\<in>M. R a x)"
  1190   by (subst pmf.rel_flip[symmetric]) (simp add: rel_pmf_return_pmf1)
  1191 
  1192 lemma rel_return_pmf[simp]: "rel_pmf R (return_pmf x1) (return_pmf x2) = R x1 x2"
  1193   unfolding rel_pmf_return_pmf2 set_return_pmf by simp
  1194 
  1195 lemma rel_pmf_False[simp]: "rel_pmf (\<lambda>x y. False) x y = False"
  1196   unfolding pmf.in_rel fun_eq_iff using set_pmf_not_empty by fastforce
  1197 
  1198 lemma rel_pmf_rel_prod:
  1199   "rel_pmf (rel_prod R S) (pair_pmf A A') (pair_pmf B B') \<longleftrightarrow> rel_pmf R A B \<and> rel_pmf S A' B'"
  1200 proof safe
  1201   assume "rel_pmf (rel_prod R S) (pair_pmf A A') (pair_pmf B B')"
  1202   then obtain pq where pq: "\<And>a b c d. ((a, c), (b, d)) \<in> set_pmf pq \<Longrightarrow> R a b \<and> S c d"
  1203     and eq: "map_pmf fst pq = pair_pmf A A'" "map_pmf snd pq = pair_pmf B B'"
  1204     by (force elim: rel_pmf.cases)
  1205   show "rel_pmf R A B"
  1206   proof (rule rel_pmf.intros)
  1207     let ?f = "\<lambda>(a, b). (fst a, fst b)"
  1208     have [simp]: "(\<lambda>x. fst (?f x)) = fst o fst" "(\<lambda>x. snd (?f x)) = fst o snd"
  1209       by auto
  1210 
  1211     show "map_pmf fst (map_pmf ?f pq) = A"
  1212       by (simp add: map_pmf_comp pmf.map_comp[symmetric] eq map_fst_pair_pmf)
  1213     show "map_pmf snd (map_pmf ?f pq) = B"
  1214       by (simp add: map_pmf_comp pmf.map_comp[symmetric] eq map_fst_pair_pmf)
  1215 
  1216     fix a b assume "(a, b) \<in> set_pmf (map_pmf ?f pq)"
  1217     then obtain c d where "((a, c), (b, d)) \<in> set_pmf pq"
  1218       by (auto simp: set_map_pmf)
  1219     from pq[OF this] show "R a b" ..
  1220   qed
  1221   show "rel_pmf S A' B'"
  1222   proof (rule rel_pmf.intros)
  1223     let ?f = "\<lambda>(a, b). (snd a, snd b)"
  1224     have [simp]: "(\<lambda>x. fst (?f x)) = snd o fst" "(\<lambda>x. snd (?f x)) = snd o snd"
  1225       by auto
  1226 
  1227     show "map_pmf fst (map_pmf ?f pq) = A'"
  1228       by (simp add: map_pmf_comp pmf.map_comp[symmetric] eq map_snd_pair_pmf)
  1229     show "map_pmf snd (map_pmf ?f pq) = B'"
  1230       by (simp add: map_pmf_comp pmf.map_comp[symmetric] eq map_snd_pair_pmf)
  1231 
  1232     fix c d assume "(c, d) \<in> set_pmf (map_pmf ?f pq)"
  1233     then obtain a b where "((a, c), (b, d)) \<in> set_pmf pq"
  1234       by (auto simp: set_map_pmf)
  1235     from pq[OF this] show "S c d" ..
  1236   qed
  1237 next
  1238   assume "rel_pmf R A B" "rel_pmf S A' B'"
  1239   then obtain Rpq Spq
  1240     where Rpq: "\<And>a b. (a, b) \<in> set_pmf Rpq \<Longrightarrow> R a b"
  1241         "map_pmf fst Rpq = A" "map_pmf snd Rpq = B"
  1242       and Spq: "\<And>a b. (a, b) \<in> set_pmf Spq \<Longrightarrow> S a b"
  1243         "map_pmf fst Spq = A'" "map_pmf snd Spq = B'"
  1244     by (force elim: rel_pmf.cases)
  1245 
  1246   let ?f = "(\<lambda>((a, c), (b, d)). ((a, b), (c, d)))"
  1247   let ?pq = "map_pmf ?f (pair_pmf Rpq Spq)"
  1248   have [simp]: "(\<lambda>x. fst (?f x)) = (\<lambda>(a, b). (fst a, fst b))" "(\<lambda>x. snd (?f x)) = (\<lambda>(a, b). (snd a, snd b))"
  1249     by auto
  1250 
  1251   show "rel_pmf (rel_prod R S) (pair_pmf A A') (pair_pmf B B')"
  1252     by (rule rel_pmf.intros[where pq="?pq"])
  1253        (auto simp: map_snd_pair_pmf map_fst_pair_pmf set_pair_pmf set_map_pmf map_pmf_comp Rpq Spq
  1254                    map_pair)
  1255 qed
  1256 
  1257 lemma rel_pmf_reflI: 
  1258   assumes "\<And>x. x \<in> set_pmf p \<Longrightarrow> P x x"
  1259   shows "rel_pmf P p p"
  1260 by(rule rel_pmf.intros[where pq="map_pmf (\<lambda>x. (x, x)) p"])(auto simp add: pmf.map_comp o_def set_map_pmf assms)
  1261 
  1262 lemma rel_pmf_joinI:
  1263   assumes "rel_pmf (rel_pmf P) p q"
  1264   shows "rel_pmf P (join_pmf p) (join_pmf q)"
  1265 proof -
  1266   from assms obtain pq where p: "p = map_pmf fst pq"
  1267     and q: "q = map_pmf snd pq"
  1268     and P: "\<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> rel_pmf P x y"
  1269     by cases auto
  1270   from P obtain PQ 
  1271     where PQ: "\<And>x y a b. \<lbrakk> (x, y) \<in> set_pmf pq; (a, b) \<in> set_pmf (PQ x y) \<rbrakk> \<Longrightarrow> P a b"
  1272     and x: "\<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> map_pmf fst (PQ x y) = x"
  1273     and y: "\<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> map_pmf snd (PQ x y) = y"
  1274     by(metis rel_pmf.simps)
  1275 
  1276   let ?r = "bind_pmf pq (\<lambda>(x, y). PQ x y)"
  1277   have "\<And>a b. (a, b) \<in> set_pmf ?r \<Longrightarrow> P a b" by(auto simp add: set_bind_pmf intro: PQ)
  1278   moreover have "map_pmf fst ?r = join_pmf p" "map_pmf snd ?r = join_pmf q"
  1279     by(simp_all add: bind_pmf_def map_join_pmf pmf.map_comp o_def split_def p q x y cong: pmf.map_cong)
  1280   ultimately show ?thesis ..
  1281 qed
  1282 
  1283 lemma rel_pmf_bindI:
  1284   assumes pq: "rel_pmf R p q"
  1285   and fg: "\<And>x y. R x y \<Longrightarrow> rel_pmf P (f x) (g y)"
  1286   shows "rel_pmf P (bind_pmf p f) (bind_pmf q g)"
  1287 unfolding bind_pmf_def
  1288 by(rule rel_pmf_joinI)(auto simp add: pmf.rel_map intro: pmf.rel_mono[THEN le_funD, THEN le_funD, THEN le_boolD, THEN mp, OF _ pq] fg)
  1289 
  1290 text {*
  1291   Proof that @{const rel_pmf} preserves orders.
  1292   Antisymmetry proof follows Thm. 1 in N. Saheb-Djahromi, Cpo's of measures for nondeterminism, 
  1293   Theoretical Computer Science 12(1):19--37, 1980, 
  1294   @{url "http://dx.doi.org/10.1016/0304-3975(80)90003-1"}
  1295 *}
  1296 
  1297 lemma 
  1298   assumes *: "rel_pmf R p q"
  1299   and refl: "reflp R" and trans: "transp R"
  1300   shows measure_Ici: "measure p {y. R x y} \<le> measure q {y. R x y}" (is ?thesis1)
  1301   and measure_Ioi: "measure p {y. R x y \<and> \<not> R y x} \<le> measure q {y. R x y \<and> \<not> R y x}" (is ?thesis2)
  1302 proof -
  1303   from * obtain pq
  1304     where pq: "\<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> R x y"
  1305     and p: "p = map_pmf fst pq"
  1306     and q: "q = map_pmf snd pq"
  1307     by cases auto
  1308   show ?thesis1 ?thesis2 unfolding p q map_pmf.rep_eq using refl trans
  1309     by(auto 4 3 simp add: measure_distr reflpD AE_measure_pmf_iff intro!: measure_pmf.finite_measure_mono_AE dest!: pq elim: transpE)
  1310 qed
  1311 
  1312 lemma rel_pmf_inf:
  1313   fixes p q :: "'a pmf"
  1314   assumes 1: "rel_pmf R p q"
  1315   assumes 2: "rel_pmf R q p"
  1316   and refl: "reflp R" and trans: "transp R"
  1317   shows "rel_pmf (inf R R\<inverse>\<inverse>) p q"
  1318 proof
  1319   let ?E = "\<lambda>x. {y. R x y \<and> R y x}"
  1320   let ?\<mu>E = "\<lambda>x. measure q (?E x)"
  1321   { fix x
  1322     have "measure p (?E x) = measure p ({y. R x y} - {y. R x y \<and> \<not> R y x})"
  1323       by(auto intro!: arg_cong[where f="measure p"])
  1324     also have "\<dots> = measure p {y. R x y} - measure p {y. R x y \<and> \<not> R y x}"
  1325       by (rule measure_pmf.finite_measure_Diff) auto
  1326     also have "measure p {y. R x y \<and> \<not> R y x} = measure q {y. R x y \<and> \<not> R y x}"
  1327       using 1 2 refl trans by(auto intro!: Orderings.antisym measure_Ioi)
  1328     also have "measure p {y. R x y} = measure q {y. R x y}"
  1329       using 1 2 refl trans by(auto intro!: Orderings.antisym measure_Ici)
  1330     also have "measure q {y. R x y} - measure q {y. R x y \<and> ~ R y x} =
  1331       measure q ({y. R x y} - {y. R x y \<and> \<not> R y x})"
  1332       by(rule measure_pmf.finite_measure_Diff[symmetric]) auto
  1333     also have "\<dots> = ?\<mu>E x"
  1334       by(auto intro!: arg_cong[where f="measure q"])
  1335     also note calculation }
  1336   note eq = this
  1337 
  1338   def pq \<equiv> "bind_pmf p (\<lambda>x. bind_pmf (cond_pmf q (?E x)) (\<lambda>y. return_pmf (x, y)))"
  1339 
  1340   show "map_pmf fst pq = p"
  1341     by(simp add: pq_def map_bind_pmf map_return_pmf bind_return_pmf')
  1342 
  1343   show "map_pmf snd pq = q"
  1344     unfolding pq_def map_bind_pmf map_return_pmf bind_return_pmf' snd_conv
  1345     by(subst bind_cond_pmf_cancel)(auto simp add: reflpD[OF \<open>reflp R\<close>] eq  intro: transpD[OF \<open>transp R\<close>])
  1346 
  1347   fix x y
  1348   assume "(x, y) \<in> set_pmf pq"
  1349   moreover
  1350   { assume "x \<in> set_pmf p"
  1351     hence "measure (measure_pmf p) (?E x) \<noteq> 0"
  1352       by(auto simp add: measure_pmf.prob_eq_0 AE_measure_pmf_iff intro: reflpD[OF \<open>reflp R\<close>])
  1353     hence "measure (measure_pmf q) (?E x) \<noteq> 0" using eq by simp
  1354     hence "set_pmf q \<inter> {y. R x y \<and> R y x} \<noteq> {}" 
  1355       by(auto simp add: measure_pmf.prob_eq_0 AE_measure_pmf_iff) }
  1356   ultimately show "inf R R\<inverse>\<inverse> x y"
  1357     by(auto simp add: pq_def set_bind_pmf set_return_pmf set_cond_pmf)
  1358 qed
  1359 
  1360 lemma rel_pmf_antisym:
  1361   fixes p q :: "'a pmf"
  1362   assumes 1: "rel_pmf R p q"
  1363   assumes 2: "rel_pmf R q p"
  1364   and refl: "reflp R" and trans: "transp R" and antisym: "antisymP R"
  1365   shows "p = q"
  1366 proof -
  1367   from 1 2 refl trans have "rel_pmf (inf R R\<inverse>\<inverse>) p q" by(rule rel_pmf_inf)
  1368   also have "inf R R\<inverse>\<inverse> = op ="
  1369     using refl antisym by(auto intro!: ext simp add: reflpD dest: antisymD)
  1370   finally show ?thesis unfolding pmf.rel_eq .
  1371 qed
  1372 
  1373 lemma reflp_rel_pmf: "reflp R \<Longrightarrow> reflp (rel_pmf R)"
  1374 by(blast intro: reflpI rel_pmf_reflI reflpD)
  1375 
  1376 lemma antisymP_rel_pmf:
  1377   "\<lbrakk> reflp R; transp R; antisymP R \<rbrakk>
  1378   \<Longrightarrow> antisymP (rel_pmf R)"
  1379 by(rule antisymI)(blast intro: rel_pmf_antisym)
  1380 
  1381 lemma transp_rel_pmf:
  1382   assumes "transp R"
  1383   shows "transp (rel_pmf R)"
  1384 proof (rule transpI)
  1385   fix x y z
  1386   assume "rel_pmf R x y" and "rel_pmf R y z"
  1387   hence "rel_pmf (R OO R) x z" by (simp add: pmf.rel_compp relcompp.relcompI)
  1388   thus "rel_pmf R x z"
  1389     using assms by (metis (no_types) pmf.rel_mono rev_predicate2D transp_relcompp_less_eq)
  1390 qed
  1391 
  1392 end
  1393