src/HOL/Library/RBT.thy
author haftmann
Wed Apr 22 19:09:21 2009 +0200 (2009-04-22)
changeset 30960 fec1a04b7220
parent 30738 0842e906300c
child 32237 cdc76a42fed4
permissions -rw-r--r--
power operation defined generic
     1 (*  Title:      RBT.thy
     2     Author:     Markus Reiter, TU Muenchen
     3     Author:     Alexander Krauss, TU Muenchen
     4 *)
     5 
     6 header {* Red-Black Trees *}
     7 
     8 (*<*)
     9 theory RBT
    10 imports Main AssocList
    11 begin
    12 
    13 datatype color = R | B
    14 datatype ('a,'b)"rbt" = Empty | Tr color "('a,'b)rbt" 'a 'b "('a,'b)rbt"
    15 
    16 (* Suchbaum-Eigenschaften *)
    17 
    18 primrec
    19   pin_tree :: "'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> bool"
    20 where
    21   "pin_tree k v Empty = False"
    22 | "pin_tree k v (Tr c l x y r) = (k = x \<and> v = y \<or> pin_tree k v l \<or> pin_tree k v r)"
    23 
    24 primrec
    25   keys :: "('k,'v) rbt \<Rightarrow> 'k set"
    26 where
    27   "keys Empty = {}"
    28 | "keys (Tr _ l k _ r) = { k } \<union> keys l \<union> keys r"
    29 
    30 lemma pint_keys: "pin_tree k v t \<Longrightarrow> k \<in> keys t" by (induct t) auto
    31 
    32 primrec tlt :: "'a\<Colon>order \<Rightarrow> ('a,'b) rbt \<Rightarrow> bool"
    33 where
    34   "tlt k Empty = True"
    35 | "tlt k (Tr c lt kt v rt) = (kt < k \<and> tlt k lt \<and> tlt k rt)"
    36 
    37 abbreviation tllt (infix "|\<guillemotleft>" 50)
    38 where "t |\<guillemotleft> x == tlt x t"
    39 
    40 primrec tgt :: "'a\<Colon>order \<Rightarrow> ('a,'b) rbt \<Rightarrow> bool" (infix "\<guillemotleft>|" 50) 
    41 where
    42   "tgt k Empty = True"
    43 | "tgt k (Tr c lt kt v rt) = (k < kt \<and> tgt k lt \<and> tgt k rt)"
    44 
    45 lemma tlt_prop: "(t |\<guillemotleft> k) = (\<forall>x\<in>keys t. x < k)" by (induct t) auto
    46 lemma tgt_prop: "(k \<guillemotleft>| t) = (\<forall>x\<in>keys t. k < x)" by (induct t) auto
    47 lemmas tlgt_props = tlt_prop tgt_prop
    48 
    49 lemmas tgt_nit = tgt_prop pint_keys
    50 lemmas tlt_nit = tlt_prop pint_keys
    51 
    52 lemma tlt_trans: "\<lbrakk> t |\<guillemotleft> x; x < y \<rbrakk> \<Longrightarrow> t |\<guillemotleft> y"
    53   and tgt_trans: "\<lbrakk> x < y; y \<guillemotleft>| t\<rbrakk> \<Longrightarrow> x \<guillemotleft>| t"
    54 by (auto simp: tlgt_props)
    55 
    56 
    57 primrec st :: "('a::linorder, 'b) rbt \<Rightarrow> bool"
    58 where
    59   "st Empty = True"
    60 | "st (Tr c l k v r) = (l |\<guillemotleft> k \<and> k \<guillemotleft>| r \<and> st l \<and> st r)"
    61 
    62 primrec map_of :: "('a\<Colon>linorder, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"
    63 where
    64   "map_of Empty k = None"
    65 | "map_of (Tr _ l x y r) k = (if k < x then map_of l k else if x < k then map_of r k else Some y)"
    66 
    67 lemma map_of_tlt[simp]: "t |\<guillemotleft> k \<Longrightarrow> map_of t k = None" 
    68 by (induct t) auto
    69 
    70 lemma map_of_tgt[simp]: "k \<guillemotleft>| t \<Longrightarrow> map_of t k = None"
    71 by (induct t) auto
    72 
    73 lemma mapof_keys: "st t \<Longrightarrow> dom (map_of t) = keys t"
    74 by (induct t) (auto simp: dom_def tgt_prop tlt_prop)
    75 
    76 lemma mapof_pit: "st t \<Longrightarrow> (map_of t k = Some v) = pin_tree k v t"
    77 by (induct t) (auto simp: tlt_prop tgt_prop pint_keys)
    78 
    79 lemma map_of_Empty: "map_of Empty = empty"
    80 by (rule ext) simp
    81 
    82 (* a kind of extensionality *)
    83 lemma mapof_from_pit: 
    84   assumes st: "st t1" "st t2" 
    85   and eq: "\<And>v. pin_tree (k\<Colon>'a\<Colon>linorder) v t1 = pin_tree k v t2" 
    86   shows "map_of t1 k = map_of t2 k"
    87 proof (cases "map_of t1 k")
    88   case None
    89   then have "\<And>v. \<not> pin_tree k v t1"
    90     by (simp add: mapof_pit[symmetric] st)
    91   with None show ?thesis
    92     by (cases "map_of t2 k") (auto simp: mapof_pit st eq)
    93 next
    94   case (Some a)
    95   then show ?thesis
    96     apply (cases "map_of t2 k")
    97     apply (auto simp: mapof_pit st eq)
    98     by (auto simp add: mapof_pit[symmetric] st Some)
    99 qed
   100 
   101 subsection {* Red-black properties *}
   102 
   103 primrec treec :: "('a,'b) rbt \<Rightarrow> color"
   104 where
   105   "treec Empty = B"
   106 | "treec (Tr c _ _ _ _) = c"
   107 
   108 primrec inv1 :: "('a,'b) rbt \<Rightarrow> bool"
   109 where
   110   "inv1 Empty = True"
   111 | "inv1 (Tr c lt k v rt) = (inv1 lt \<and> inv1 rt \<and> (c = B \<or> treec lt = B \<and> treec rt = B))"
   112 
   113 (* Weaker version *)
   114 primrec inv1l :: "('a,'b) rbt \<Rightarrow> bool"
   115 where
   116   "inv1l Empty = True"
   117 | "inv1l (Tr c l k v r) = (inv1 l \<and> inv1 r)"
   118 lemma [simp]: "inv1 t \<Longrightarrow> inv1l t" by (cases t) simp+
   119 
   120 primrec bh :: "('a,'b) rbt \<Rightarrow> nat"
   121 where
   122   "bh Empty = 0"
   123 | "bh (Tr c lt k v rt) = (if c = B then Suc (bh lt) else bh lt)"
   124 
   125 primrec inv2 :: "('a,'b) rbt \<Rightarrow> bool"
   126 where
   127   "inv2 Empty = True"
   128 | "inv2 (Tr c lt k v rt) = (inv2 lt \<and> inv2 rt \<and> bh lt = bh rt)"
   129 
   130 definition
   131   "isrbt t = (inv1 t \<and> inv2 t \<and> treec t = B \<and> st t)"
   132 
   133 lemma isrbt_st[simp]: "isrbt t \<Longrightarrow> st t" by (simp add: isrbt_def)
   134 
   135 lemma rbt_cases:
   136   obtains (Empty) "t = Empty" 
   137   | (Red) l k v r where "t = Tr R l k v r" 
   138   | (Black) l k v r where "t = Tr B l k v r" 
   139 by (cases t, simp) (case_tac "color", auto)
   140 
   141 theorem Empty_isrbt[simp]: "isrbt Empty"
   142 unfolding isrbt_def by simp
   143 
   144 
   145 subsection {* Insertion *}
   146 
   147 fun (* slow, due to massive case splitting *)
   148   balance :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   149 where
   150   "balance (Tr R a w x b) s t (Tr R c y z d) = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   151   "balance (Tr R (Tr R a w x b) s t c) y z d = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   152   "balance (Tr R a w x (Tr R b s t c)) y z d = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   153   "balance a w x (Tr R b s t (Tr R c y z d)) = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   154   "balance a w x (Tr R (Tr R b s t c) y z d) = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   155   "balance a s t b = Tr B a s t b"
   156 
   157 lemma balance_inv1: "\<lbrakk>inv1l l; inv1l r\<rbrakk> \<Longrightarrow> inv1 (balance l k v r)" 
   158   by (induct l k v r rule: balance.induct) auto
   159 
   160 lemma balance_bh: "bh l = bh r \<Longrightarrow> bh (balance l k v r) = Suc (bh l)"
   161   by (induct l k v r rule: balance.induct) auto
   162 
   163 lemma balance_inv2: 
   164   assumes "inv2 l" "inv2 r" "bh l = bh r"
   165   shows "inv2 (balance l k v r)"
   166   using assms
   167   by (induct l k v r rule: balance.induct) auto
   168 
   169 lemma balance_tgt[simp]: "(v \<guillemotleft>| balance a k x b) = (v \<guillemotleft>| a \<and> v \<guillemotleft>| b \<and> v < k)" 
   170   by (induct a k x b rule: balance.induct) auto
   171 
   172 lemma balance_tlt[simp]: "(balance a k x b |\<guillemotleft> v) = (a |\<guillemotleft> v \<and> b |\<guillemotleft> v \<and> k < v)"
   173   by (induct a k x b rule: balance.induct) auto
   174 
   175 lemma balance_st: 
   176   fixes k :: "'a::linorder"
   177   assumes "st l" "st r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   178   shows "st (balance l k v r)"
   179 using assms proof (induct l k v r rule: balance.induct)
   180   case ("2_2" a x w b y t c z s va vb vd vc)
   181   hence "y < z \<and> z \<guillemotleft>| Tr B va vb vd vc" 
   182     by (auto simp add: tlgt_props)
   183   hence "tgt y (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   184   with "2_2" show ?case by simp
   185 next
   186   case ("3_2" va vb vd vc x w b y s c z)
   187   from "3_2" have "x < y \<and> tlt x (Tr B va vb vd vc)" 
   188     by (simp add: tlt.simps tgt.simps)
   189   hence "tlt y (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   190   with "3_2" show ?case by simp
   191 next
   192   case ("3_3" x w b y s c z t va vb vd vc)
   193   from "3_3" have "y < z \<and> tgt z (Tr B va vb vd vc)" by simp
   194   hence "tgt y (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   195   with "3_3" show ?case by simp
   196 next
   197   case ("3_4" vd ve vg vf x w b y s c z t va vb vii vc)
   198   hence "x < y \<and> tlt x (Tr B vd ve vg vf)" by simp
   199   hence 1: "tlt y (Tr B vd ve vg vf)" by (blast dest: tlt_trans)
   200   from "3_4" have "y < z \<and> tgt z (Tr B va vb vii vc)" by simp
   201   hence "tgt y (Tr B va vb vii vc)" by (blast dest: tgt_trans)
   202   with 1 "3_4" show ?case by simp
   203 next
   204   case ("4_2" va vb vd vc x w b y s c z t dd)
   205   hence "x < y \<and> tlt x (Tr B va vb vd vc)" by simp
   206   hence "tlt y (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   207   with "4_2" show ?case by simp
   208 next
   209   case ("5_2" x w b y s c z t va vb vd vc)
   210   hence "y < z \<and> tgt z (Tr B va vb vd vc)" by simp
   211   hence "tgt y (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   212   with "5_2" show ?case by simp
   213 next
   214   case ("5_3" va vb vd vc x w b y s c z t)
   215   hence "x < y \<and> tlt x (Tr B va vb vd vc)" by simp
   216   hence "tlt y (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   217   with "5_3" show ?case by simp
   218 next
   219   case ("5_4" va vb vg vc x w b y s c z t vd ve vii vf)
   220   hence "x < y \<and> tlt x (Tr B va vb vg vc)" by simp
   221   hence 1: "tlt y (Tr B va vb vg vc)" by (blast dest: tlt_trans)
   222   from "5_4" have "y < z \<and> tgt z (Tr B vd ve vii vf)" by simp
   223   hence "tgt y (Tr B vd ve vii vf)" by (blast dest: tgt_trans)
   224   with 1 "5_4" show ?case by simp
   225 qed simp+
   226 
   227 lemma keys_balance[simp]: 
   228   "keys (balance l k v r) = { k } \<union> keys l \<union> keys r"
   229 by (induct l k v r rule: balance.induct) auto
   230 
   231 lemma balance_pit:  
   232   "pin_tree k x (balance l v y r) = (pin_tree k x l \<or> k = v \<and> x = y \<or> pin_tree k x r)" 
   233 by (induct l v y r rule: balance.induct) auto
   234 
   235 lemma map_of_balance[simp]: 
   236 fixes k :: "'a::linorder"
   237 assumes "st l" "st r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   238 shows "map_of (balance l k v r) x = map_of (Tr B l k v r) x"
   239 by (rule mapof_from_pit) (auto simp:assms balance_pit balance_st)
   240 
   241 primrec paint :: "color \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   242 where
   243   "paint c Empty = Empty"
   244 | "paint c (Tr _ l k v r) = Tr c l k v r"
   245 
   246 lemma paint_inv1l[simp]: "inv1l t \<Longrightarrow> inv1l (paint c t)" by (cases t) auto
   247 lemma paint_inv1[simp]: "inv1l t \<Longrightarrow> inv1 (paint B t)" by (cases t) auto
   248 lemma paint_inv2[simp]: "inv2 t \<Longrightarrow> inv2 (paint c t)" by (cases t) auto
   249 lemma paint_treec[simp]: "treec (paint B t) = B" by (cases t) auto
   250 lemma paint_st[simp]: "st t \<Longrightarrow> st (paint c t)" by (cases t) auto
   251 lemma paint_pit[simp]: "pin_tree k x (paint c t) = pin_tree k x t" by (cases t) auto
   252 lemma paint_mapof[simp]: "map_of (paint c t) = map_of t" by (rule ext) (cases t, auto)
   253 lemma paint_tgt[simp]: "(v \<guillemotleft>| paint c t) = (v \<guillemotleft>| t)" by (cases t) auto
   254 lemma paint_tlt[simp]: "(paint c t |\<guillemotleft> v) = (t |\<guillemotleft> v)" by (cases t) auto
   255 
   256 fun
   257   ins :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   258 where
   259   "ins f k v Empty = Tr R Empty k v Empty" |
   260   "ins f k v (Tr B l x y r) = (if k < x then balance (ins f k v l) x y r
   261                                else if k > x then balance l x y (ins f k v r)
   262                                else Tr B l x (f k y v) r)" |
   263   "ins f k v (Tr R l x y r) = (if k < x then Tr R (ins f k v l) x y r
   264                                else if k > x then Tr R l x y (ins f k v r)
   265                                else Tr R l x (f k y v) r)"
   266 
   267 lemma ins_inv1_inv2: 
   268   assumes "inv1 t" "inv2 t"
   269   shows "inv2 (ins f k x t)" "bh (ins f k x t) = bh t" 
   270   "treec t = B \<Longrightarrow> inv1 (ins f k x t)" "inv1l (ins f k x t)"
   271   using assms
   272   by (induct f k x t rule: ins.induct) (auto simp: balance_inv1 balance_inv2 balance_bh)
   273 
   274 lemma ins_tgt[simp]: "(v \<guillemotleft>| ins f k x t) = (v \<guillemotleft>| t \<and> k > v)"
   275   by (induct f k x t rule: ins.induct) auto
   276 lemma ins_tlt[simp]: "(ins f k x t |\<guillemotleft> v) = (t |\<guillemotleft> v \<and> k < v)"
   277   by (induct f k x t rule: ins.induct) auto
   278 lemma ins_st[simp]: "st t \<Longrightarrow> st (ins f k x t)"
   279   by (induct f k x t rule: ins.induct) (auto simp: balance_st)
   280 
   281 lemma keys_ins: "keys (ins f k v t) = { k } \<union> keys t"
   282 by (induct f k v t rule: ins.induct) auto
   283 
   284 lemma map_of_ins: 
   285   fixes k :: "'a::linorder"
   286   assumes "st t"
   287   shows "map_of (ins f k v t) x = ((map_of t)(k |-> case map_of t k of None \<Rightarrow> v 
   288                                                        | Some w \<Rightarrow> f k w v)) x"
   289 using assms by (induct f k v t rule: ins.induct) auto
   290 
   291 definition
   292   insertwithkey :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   293 where
   294   "insertwithkey f k v t = paint B (ins f k v t)"
   295 
   296 lemma insertwk_st: "st t \<Longrightarrow> st (insertwithkey f k x t)"
   297   by (auto simp: insertwithkey_def)
   298 
   299 theorem insertwk_isrbt: 
   300   assumes inv: "isrbt t" 
   301   shows "isrbt (insertwithkey f k x t)"
   302 using assms
   303 unfolding insertwithkey_def isrbt_def
   304 by (auto simp: ins_inv1_inv2)
   305 
   306 lemma map_of_insertwk: 
   307   assumes "st t"
   308   shows "map_of (insertwithkey f k v t) x = ((map_of t)(k |-> case map_of t k of None \<Rightarrow> v 
   309                                                        | Some w \<Rightarrow> f k w v)) x"
   310 unfolding insertwithkey_def using assms
   311 by (simp add:map_of_ins)
   312 
   313 definition
   314   insertw_def: "insertwith f = insertwithkey (\<lambda>_. f)"
   315 
   316 lemma insertw_st: "st t \<Longrightarrow> st (insertwith f k v t)" by (simp add: insertwk_st insertw_def)
   317 theorem insertw_isrbt: "isrbt t \<Longrightarrow> isrbt (insertwith f k v t)" by (simp add: insertwk_isrbt insertw_def)
   318 
   319 lemma map_of_insertw:
   320   assumes "isrbt t"
   321   shows "map_of (insertwith f k v t) = (map_of t)(k \<mapsto> (if k:dom (map_of t) then f (the (map_of t k)) v else v))"
   322 using assms
   323 unfolding insertw_def
   324 by (rule_tac ext) (cases "map_of t k", auto simp:map_of_insertwk dom_def)
   325 
   326 
   327 definition
   328   "insrt k v t = insertwithkey (\<lambda>_ _ nv. nv) k v t"
   329 
   330 lemma insrt_st: "st t \<Longrightarrow> st (insrt k v t)" by (simp add: insertwk_st insrt_def)
   331 theorem insrt_isrbt: "isrbt t \<Longrightarrow> isrbt (insrt k v t)" by (simp add: insertwk_isrbt insrt_def)
   332 
   333 lemma map_of_insert: 
   334   assumes "isrbt t"
   335   shows "map_of (insrt k v t) = (map_of t)(k\<mapsto>v)"
   336 unfolding insrt_def
   337 using assms
   338 by (rule_tac ext) (simp add: map_of_insertwk split:option.split)
   339 
   340 
   341 subsection {* Deletion *}
   342 
   343 (*definition
   344   [simp]: "ibn t = (bh t > 0 \<and> treec t = B)"
   345 *)
   346 lemma bh_paintR'[simp]: "treec t = B \<Longrightarrow> bh (paint R t) = bh t - 1"
   347 by (cases t rule: rbt_cases) auto
   348 
   349 fun
   350   balleft :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   351 where
   352   "balleft (Tr R a k x b) s y c = Tr R (Tr B a k x b) s y c" |
   353   "balleft bl k x (Tr B a s y b) = balance bl k x (Tr R a s y b)" |
   354   "balleft bl k x (Tr R (Tr B a s y b) t z c) = Tr R (Tr B bl k x a) s y (balance b t z (paint R c))" |
   355   "balleft t k x s = Empty"
   356 
   357 lemma balleft_inv2_with_inv1:
   358   assumes "inv2 lt" "inv2 rt" "bh lt + 1 = bh rt" "inv1 rt"
   359   shows "bh (balleft lt k v rt) = bh lt + 1"
   360   and   "inv2 (balleft lt k v rt)"
   361 using assms 
   362 by (induct lt k v rt rule: balleft.induct) (auto simp: balance_inv2 balance_bh)
   363 
   364 lemma balleft_inv2_app: 
   365   assumes "inv2 lt" "inv2 rt" "bh lt + 1 = bh rt" "treec rt = B"
   366   shows "inv2 (balleft lt k v rt)" 
   367         "bh (balleft lt k v rt) = bh rt"
   368 using assms 
   369 by (induct lt k v rt rule: balleft.induct) (auto simp add: balance_inv2 balance_bh)+ 
   370 
   371 lemma balleft_inv1: "\<lbrakk>inv1l a; inv1 b; treec b = B\<rbrakk> \<Longrightarrow> inv1 (balleft a k x b)"
   372   by (induct a k x b rule: balleft.induct) (simp add: balance_inv1)+
   373 
   374 lemma balleft_inv1l: "\<lbrakk> inv1l lt; inv1 rt \<rbrakk> \<Longrightarrow> inv1l (balleft lt k x rt)"
   375 by (induct lt k x rt rule: balleft.induct) (auto simp: balance_inv1)
   376 
   377 lemma balleft_st: "\<lbrakk> st l; st r; tlt k l; tgt k r \<rbrakk> \<Longrightarrow> st (balleft l k v r)"
   378 apply (induct l k v r rule: balleft.induct)
   379 apply (auto simp: balance_st)
   380 apply (unfold tgt_prop tlt_prop)
   381 by force+
   382 
   383 lemma balleft_tgt: 
   384   fixes k :: "'a::order"
   385   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   386   shows "k \<guillemotleft>| balleft a x t b"
   387 using assms 
   388 by (induct a x t b rule: balleft.induct) auto
   389 
   390 lemma balleft_tlt: 
   391   fixes k :: "'a::order"
   392   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   393   shows "balleft a x t b |\<guillemotleft> k"
   394 using assms
   395 by (induct a x t b rule: balleft.induct) auto
   396 
   397 lemma balleft_pit: 
   398   assumes "inv1l l" "inv1 r" "bh l + 1 = bh r"
   399   shows "pin_tree k v (balleft l a b r) = (pin_tree k v l \<or> k = a \<and> v = b \<or> pin_tree k v r)"
   400 using assms 
   401 by (induct l k v r rule: balleft.induct) (auto simp: balance_pit)
   402 
   403 fun
   404   balright :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   405 where
   406   "balright a k x (Tr R b s y c) = Tr R a k x (Tr B b s y c)" |
   407   "balright (Tr B a k x b) s y bl = balance (Tr R a k x b) s y bl" |
   408   "balright (Tr R a k x (Tr B b s y c)) t z bl = Tr R (balance (paint R a) k x b) s y (Tr B c t z bl)" |
   409   "balright t k x s = Empty"
   410 
   411 lemma balright_inv2_with_inv1:
   412   assumes "inv2 lt" "inv2 rt" "bh lt = bh rt + 1" "inv1 lt"
   413   shows "inv2 (balright lt k v rt) \<and> bh (balright lt k v rt) = bh lt"
   414 using assms
   415 by (induct lt k v rt rule: balright.induct) (auto simp: balance_inv2 balance_bh)
   416 
   417 lemma balright_inv1: "\<lbrakk>inv1 a; inv1l b; treec a = B\<rbrakk> \<Longrightarrow> inv1 (balright a k x b)"
   418 by (induct a k x b rule: balright.induct) (simp add: balance_inv1)+
   419 
   420 lemma balright_inv1l: "\<lbrakk> inv1 lt; inv1l rt \<rbrakk> \<Longrightarrow>inv1l (balright lt k x rt)"
   421 by (induct lt k x rt rule: balright.induct) (auto simp: balance_inv1)
   422 
   423 lemma balright_st: "\<lbrakk> st l; st r; tlt k l; tgt k r \<rbrakk> \<Longrightarrow> st (balright l k v r)"
   424 apply (induct l k v r rule: balright.induct)
   425 apply (auto simp:balance_st)
   426 apply (unfold tlt_prop tgt_prop)
   427 by force+
   428 
   429 lemma balright_tgt: 
   430   fixes k :: "'a::order"
   431   assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   432   shows "k \<guillemotleft>| balright a x t b"
   433 using assms by (induct a x t b rule: balright.induct) auto
   434 
   435 lemma balright_tlt: 
   436   fixes k :: "'a::order"
   437   assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   438   shows "balright a x t b |\<guillemotleft> k"
   439 using assms by (induct a x t b rule: balright.induct) auto
   440 
   441 lemma balright_pit:
   442   assumes "inv1 l" "inv1l r" "bh l = bh r + 1" "inv2 l" "inv2 r"
   443   shows "pin_tree x y (balright l k v r) = (pin_tree x y l \<or> x = k \<and> y = v \<or> pin_tree x y r)"
   444 using assms by (induct l k v r rule: balright.induct) (auto simp: balance_pit)
   445 
   446 
   447 text {* app *}
   448 
   449 fun
   450   app :: "('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   451 where
   452   "app Empty x = x" 
   453 | "app x Empty = x" 
   454 | "app (Tr R a k x b) (Tr R c s y d) = (case (app b c) of
   455                                       Tr R b2 t z c2 \<Rightarrow> (Tr R (Tr R a k x b2) t z (Tr R c2 s y d)) |
   456                                       bc \<Rightarrow> Tr R a k x (Tr R bc s y d))" 
   457 | "app (Tr B a k x b) (Tr B c s y d) = (case (app b c) of
   458                                       Tr R b2 t z c2 \<Rightarrow> Tr R (Tr B a k x b2) t z (Tr B c2 s y d) |
   459                                       bc \<Rightarrow> balleft a k x (Tr B bc s y d))" 
   460 | "app a (Tr R b k x c) = Tr R (app a b) k x c" 
   461 | "app (Tr R a k x b) c = Tr R a k x (app b c)" 
   462 
   463 lemma app_inv2:
   464   assumes "inv2 lt" "inv2 rt" "bh lt = bh rt"
   465   shows "bh (app lt rt) = bh lt" "inv2 (app lt rt)"
   466 using assms 
   467 by (induct lt rt rule: app.induct) 
   468    (auto simp: balleft_inv2_app split: rbt.splits color.splits)
   469 
   470 lemma app_inv1: 
   471   assumes "inv1 lt" "inv1 rt"
   472   shows "treec lt = B \<Longrightarrow> treec rt = B \<Longrightarrow> inv1 (app lt rt)"
   473          "inv1l (app lt rt)"
   474 using assms 
   475 by (induct lt rt rule: app.induct)
   476    (auto simp: balleft_inv1 split: rbt.splits color.splits)
   477 
   478 lemma app_tgt[simp]: 
   479   fixes k :: "'a::linorder"
   480   assumes "k \<guillemotleft>| l" "k \<guillemotleft>| r" 
   481   shows "k \<guillemotleft>| app l r"
   482 using assms 
   483 by (induct l r rule: app.induct)
   484    (auto simp: balleft_tgt split:rbt.splits color.splits)
   485 
   486 lemma app_tlt[simp]: 
   487   fixes k :: "'a::linorder"
   488   assumes "l |\<guillemotleft> k" "r |\<guillemotleft> k" 
   489   shows "app l r |\<guillemotleft> k"
   490 using assms 
   491 by (induct l r rule: app.induct)
   492    (auto simp: balleft_tlt split:rbt.splits color.splits)
   493 
   494 lemma app_st: 
   495   fixes k :: "'a::linorder"
   496   assumes "st l" "st r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   497   shows "st (app l r)"
   498 using assms proof (induct l r rule: app.induct)
   499   case (3 a x v b c y w d)
   500   hence ineqs: "a |\<guillemotleft> x" "x \<guillemotleft>| b" "b |\<guillemotleft> k" "k \<guillemotleft>| c" "c |\<guillemotleft> y" "y \<guillemotleft>| d"
   501     by auto
   502   with 3
   503   show ?case
   504     apply (cases "app b c" rule: rbt_cases)
   505     apply auto
   506     by (metis app_tgt app_tlt ineqs ineqs tlt.simps(2) tgt.simps(2) tgt_trans tlt_trans)+
   507 next
   508   case (4 a x v b c y w d)
   509   hence "x < k \<and> tgt k c" by simp
   510   hence "tgt x c" by (blast dest: tgt_trans)
   511   with 4 have 2: "tgt x (app b c)" by (simp add: app_tgt)
   512   from 4 have "k < y \<and> tlt k b" by simp
   513   hence "tlt y b" by (blast dest: tlt_trans)
   514   with 4 have 3: "tlt y (app b c)" by (simp add: app_tlt)
   515   show ?case
   516   proof (cases "app b c" rule: rbt_cases)
   517     case Empty
   518     from 4 have "x < y \<and> tgt y d" by auto
   519     hence "tgt x d" by (blast dest: tgt_trans)
   520     with 4 Empty have "st a" and "st (Tr B Empty y w d)" and "tlt x a" and "tgt x (Tr B Empty y w d)" by auto
   521     with Empty show ?thesis by (simp add: balleft_st)
   522   next
   523     case (Red lta va ka rta)
   524     with 2 4 have "x < va \<and> tlt x a" by simp
   525     hence 5: "tlt va a" by (blast dest: tlt_trans)
   526     from Red 3 4 have "va < y \<and> tgt y d" by simp
   527     hence "tgt va d" by (blast dest: tgt_trans)
   528     with Red 2 3 4 5 show ?thesis by simp
   529   next
   530     case (Black lta va ka rta)
   531     from 4 have "x < y \<and> tgt y d" by auto
   532     hence "tgt x d" by (blast dest: tgt_trans)
   533     with Black 2 3 4 have "st a" and "st (Tr B (app b c) y w d)" and "tlt x a" and "tgt x (Tr B (app b c) y w d)" by auto
   534     with Black show ?thesis by (simp add: balleft_st)
   535   qed
   536 next
   537   case (5 va vb vd vc b x w c)
   538   hence "k < x \<and> tlt k (Tr B va vb vd vc)" by simp
   539   hence "tlt x (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   540   with 5 show ?case by (simp add: app_tlt)
   541 next
   542   case (6 a x v b va vb vd vc)
   543   hence "x < k \<and> tgt k (Tr B va vb vd vc)" by simp
   544   hence "tgt x (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   545   with 6 show ?case by (simp add: app_tgt)
   546 qed simp+
   547 
   548 lemma app_pit: 
   549   assumes "inv2 l" "inv2 r" "bh l = bh r" "inv1 l" "inv1 r"
   550   shows "pin_tree k v (app l r) = (pin_tree k v l \<or> pin_tree k v r)"
   551 using assms 
   552 proof (induct l r rule: app.induct)
   553   case (4 _ _ _ b c)
   554   hence a: "bh (app b c) = bh b" by (simp add: app_inv2)
   555   from 4 have b: "inv1l (app b c)" by (simp add: app_inv1)
   556 
   557   show ?case
   558   proof (cases "app b c" rule: rbt_cases)
   559     case Empty
   560     with 4 a show ?thesis by (auto simp: balleft_pit)
   561   next
   562     case (Red lta ka va rta)
   563     with 4 show ?thesis by auto
   564   next
   565     case (Black lta ka va rta)
   566     with a b 4  show ?thesis by (auto simp: balleft_pit)
   567   qed 
   568 qed (auto split: rbt.splits color.splits)
   569 
   570 fun
   571   delformLeft :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   572   delformRight :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   573   del :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   574 where
   575   "del x Empty = Empty" |
   576   "del x (Tr c a y s b) = (if x < y then delformLeft x a y s b else (if x > y then delformRight x a y s b else app a b))" |
   577   "delformLeft x (Tr B lt z v rt) y s b = balleft (del x (Tr B lt z v rt)) y s b" |
   578   "delformLeft x a y s b = Tr R (del x a) y s b" |
   579   "delformRight x a y s (Tr B lt z v rt) = balright a y s (del x (Tr B lt z v rt))" | 
   580   "delformRight x a y s b = Tr R a y s (del x b)"
   581 
   582 lemma 
   583   assumes "inv2 lt" "inv1 lt"
   584   shows
   585   "\<lbrakk>inv2 rt; bh lt = bh rt; inv1 rt\<rbrakk> \<Longrightarrow>
   586   inv2 (delformLeft x lt k v rt) \<and> bh (delformLeft x lt k v rt) = bh lt \<and> (treec lt = B \<and> treec rt = B \<and> inv1 (delformLeft x lt k v rt) \<or> (treec lt \<noteq> B \<or> treec rt \<noteq> B) \<and> inv1l (delformLeft x lt k v rt))"
   587   and "\<lbrakk>inv2 rt; bh lt = bh rt; inv1 rt\<rbrakk> \<Longrightarrow>
   588   inv2 (delformRight x lt k v rt) \<and> bh (delformRight x lt k v rt) = bh lt \<and> (treec lt = B \<and> treec rt = B \<and> inv1 (delformRight x lt k v rt) \<or> (treec lt \<noteq> B \<or> treec rt \<noteq> B) \<and> inv1l (delformRight x lt k v rt))"
   589   and del_inv1_inv2: "inv2 (del x lt) \<and> (treec lt = R \<and> bh (del x lt) = bh lt \<and> inv1 (del x lt) 
   590   \<or> treec lt = B \<and> bh (del x lt) = bh lt - 1 \<and> inv1l (del x lt))"
   591 using assms
   592 proof (induct x lt k v rt and x lt k v rt and x lt rule: delformLeft_delformRight_del.induct)
   593 case (2 y c _ y')
   594   have "y = y' \<or> y < y' \<or> y > y'" by auto
   595   thus ?case proof (elim disjE)
   596     assume "y = y'"
   597     with 2 show ?thesis by (cases c) (simp add: app_inv2 app_inv1)+
   598   next
   599     assume "y < y'"
   600     with 2 show ?thesis by (cases c) auto
   601   next
   602     assume "y' < y"
   603     with 2 show ?thesis by (cases c) auto
   604   qed
   605 next
   606   case (3 y lt z v rta y' ss bb) 
   607   thus ?case by (cases "treec (Tr B lt z v rta) = B \<and> treec bb = B") (simp add: balleft_inv2_with_inv1 balleft_inv1 balleft_inv1l)+
   608 next
   609   case (5 y a y' ss lt z v rta)
   610   thus ?case by (cases "treec a = B \<and> treec (Tr B lt z v rta) = B") (simp add: balright_inv2_with_inv1 balright_inv1 balright_inv1l)+
   611 next
   612   case ("6_1" y a y' ss) thus ?case by (cases "treec a = B \<and> treec Empty = B") simp+
   613 qed auto
   614 
   615 lemma 
   616   delformLeft_tlt: "\<lbrakk>tlt v lt; tlt v rt; k < v\<rbrakk> \<Longrightarrow> tlt v (delformLeft x lt k y rt)"
   617   and delformRight_tlt: "\<lbrakk>tlt v lt; tlt v rt; k < v\<rbrakk> \<Longrightarrow> tlt v (delformRight x lt k y rt)"
   618   and del_tlt: "tlt v lt \<Longrightarrow> tlt v (del x lt)"
   619 by (induct x lt k y rt and x lt k y rt and x lt rule: delformLeft_delformRight_del.induct) 
   620    (auto simp: balleft_tlt balright_tlt)
   621 
   622 lemma delformLeft_tgt: "\<lbrakk>tgt v lt; tgt v rt; k > v\<rbrakk> \<Longrightarrow> tgt v (delformLeft x lt k y rt)"
   623   and delformRight_tgt: "\<lbrakk>tgt v lt; tgt v rt; k > v\<rbrakk> \<Longrightarrow> tgt v (delformRight x lt k y rt)"
   624   and del_tgt: "tgt v lt \<Longrightarrow> tgt v (del x lt)"
   625 by (induct x lt k y rt and x lt k y rt and x lt rule: delformLeft_delformRight_del.induct)
   626    (auto simp: balleft_tgt balright_tgt)
   627 
   628 lemma "\<lbrakk>st lt; st rt; tlt k lt; tgt k rt\<rbrakk> \<Longrightarrow> st (delformLeft x lt k y rt)"
   629   and "\<lbrakk>st lt; st rt; tlt k lt; tgt k rt\<rbrakk> \<Longrightarrow> st (delformRight x lt k y rt)"
   630   and del_st: "st lt \<Longrightarrow> st (del x lt)"
   631 proof (induct x lt k y rt and x lt k y rt and x lt rule: delformLeft_delformRight_del.induct)
   632   case (3 x lta zz v rta yy ss bb)
   633   from 3 have "tlt yy (Tr B lta zz v rta)" by simp
   634   hence "tlt yy (del x (Tr B lta zz v rta))" by (rule del_tlt)
   635   with 3 show ?case by (simp add: balleft_st)
   636 next
   637   case ("4_2" x vaa vbb vdd vc yy ss bb)
   638   hence "tlt yy (Tr R vaa vbb vdd vc)" by simp
   639   hence "tlt yy (del x (Tr R vaa vbb vdd vc))" by (rule del_tlt)
   640   with "4_2" show ?case by simp
   641 next
   642   case (5 x aa yy ss lta zz v rta) 
   643   hence "tgt yy (Tr B lta zz v rta)" by simp
   644   hence "tgt yy (del x (Tr B lta zz v rta))" by (rule del_tgt)
   645   with 5 show ?case by (simp add: balright_st)
   646 next
   647   case ("6_2" x aa yy ss vaa vbb vdd vc)
   648   hence "tgt yy (Tr R vaa vbb vdd vc)" by simp
   649   hence "tgt yy (del x (Tr R vaa vbb vdd vc))" by (rule del_tgt)
   650   with "6_2" show ?case by simp
   651 qed (auto simp: app_st)
   652 
   653 lemma "\<lbrakk>st lt; st rt; tlt kt lt; tgt kt rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bh lt = bh rt; x < kt\<rbrakk> \<Longrightarrow> pin_tree k v (delformLeft x lt kt y rt) = (False \<or> (x \<noteq> k \<and> pin_tree k v (Tr c lt kt y rt)))"
   654   and "\<lbrakk>st lt; st rt; tlt kt lt; tgt kt rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bh lt = bh rt; x > kt\<rbrakk> \<Longrightarrow> pin_tree k v (delformRight x lt kt y rt) = (False \<or> (x \<noteq> k \<and> pin_tree k v (Tr c lt kt y rt)))"
   655   and del_pit: "\<lbrakk>st t; inv1 t; inv2 t\<rbrakk> \<Longrightarrow> pin_tree k v (del x t) = (False \<or> (x \<noteq> k \<and> pin_tree k v t))"
   656 proof (induct x lt kt y rt and x lt kt y rt and x t rule: delformLeft_delformRight_del.induct)
   657   case (2 xx c aa yy ss bb)
   658   have "xx = yy \<or> xx < yy \<or> xx > yy" by auto
   659   from this 2 show ?case proof (elim disjE)
   660     assume "xx = yy"
   661     with 2 show ?thesis proof (cases "xx = k")
   662       case True
   663       from 2 `xx = yy` `xx = k` have "st (Tr c aa yy ss bb) \<and> k = yy" by simp
   664       hence "\<not> pin_tree k v aa" "\<not> pin_tree k v bb" by (auto simp: tlt_nit tgt_prop)
   665       with `xx = yy` 2 `xx = k` show ?thesis by (simp add: app_pit)
   666     qed (simp add: app_pit)
   667   qed simp+
   668 next    
   669   case (3 xx lta zz vv rta yy ss bb)
   670   def mt[simp]: mt == "Tr B lta zz vv rta"
   671   from 3 have "inv2 mt \<and> inv1 mt" by simp
   672   hence "inv2 (del xx mt) \<and> (treec mt = R \<and> bh (del xx mt) = bh mt \<and> inv1 (del xx mt) \<or> treec mt = B \<and> bh (del xx mt) = bh mt - 1 \<and> inv1l (del xx mt))" by (blast dest: del_inv1_inv2)
   673   with 3 have 4: "pin_tree k v (delformLeft xx mt yy ss bb) = (False \<or> xx \<noteq> k \<and> pin_tree k v mt \<or> (k = yy \<and> v = ss) \<or> pin_tree k v bb)" by (simp add: balleft_pit)
   674   thus ?case proof (cases "xx = k")
   675     case True
   676     from 3 True have "tgt yy bb \<and> yy > k" by simp
   677     hence "tgt k bb" by (blast dest: tgt_trans)
   678     with 3 4 True show ?thesis by (auto simp: tgt_nit)
   679   qed auto
   680 next
   681   case ("4_1" xx yy ss bb)
   682   show ?case proof (cases "xx = k")
   683     case True
   684     with "4_1" have "tgt yy bb \<and> k < yy" by simp
   685     hence "tgt k bb" by (blast dest: tgt_trans)
   686     with "4_1" `xx = k` 
   687    have "pin_tree k v (Tr R Empty yy ss bb) = pin_tree k v Empty" by (auto simp: tgt_nit)
   688     thus ?thesis by auto
   689   qed simp+
   690 next
   691   case ("4_2" xx vaa vbb vdd vc yy ss bb)
   692   thus ?case proof (cases "xx = k")
   693     case True
   694     with "4_2" have "k < yy \<and> tgt yy bb" by simp
   695     hence "tgt k bb" by (blast dest: tgt_trans)
   696     with True "4_2" show ?thesis by (auto simp: tgt_nit)
   697   qed simp
   698 next
   699   case (5 xx aa yy ss lta zz vv rta)
   700   def mt[simp]: mt == "Tr B lta zz vv rta"
   701   from 5 have "inv2 mt \<and> inv1 mt" by simp
   702   hence "inv2 (del xx mt) \<and> (treec mt = R \<and> bh (del xx mt) = bh mt \<and> inv1 (del xx mt) \<or> treec mt = B \<and> bh (del xx mt) = bh mt - 1 \<and> inv1l (del xx mt))" by (blast dest: del_inv1_inv2)
   703   with 5 have 3: "pin_tree k v (delformRight xx aa yy ss mt) = (pin_tree k v aa \<or> (k = yy \<and> v = ss) \<or> False \<or> xx \<noteq> k \<and> pin_tree k v mt)" by (simp add: balright_pit)
   704   thus ?case proof (cases "xx = k")
   705     case True
   706     from 5 True have "tlt yy aa \<and> yy < k" by simp
   707     hence "tlt k aa" by (blast dest: tlt_trans)
   708     with 3 5 True show ?thesis by (auto simp: tlt_nit)
   709   qed auto
   710 next
   711   case ("6_1" xx aa yy ss)
   712   show ?case proof (cases "xx = k")
   713     case True
   714     with "6_1" have "tlt yy aa \<and> k > yy" by simp
   715     hence "tlt k aa" by (blast dest: tlt_trans)
   716     with "6_1" `xx = k` show ?thesis by (auto simp: tlt_nit)
   717   qed simp
   718 next
   719   case ("6_2" xx aa yy ss vaa vbb vdd vc)
   720   thus ?case proof (cases "xx = k")
   721     case True
   722     with "6_2" have "k > yy \<and> tlt yy aa" by simp
   723     hence "tlt k aa" by (blast dest: tlt_trans)
   724     with True "6_2" show ?thesis by (auto simp: tlt_nit)
   725   qed simp
   726 qed simp
   727 
   728 
   729 definition delete where
   730   delete_def: "delete k t = paint B (del k t)"
   731 
   732 theorem delete_isrbt[simp]: assumes "isrbt t" shows "isrbt (delete k t)"
   733 proof -
   734   from assms have "inv2 t" and "inv1 t" unfolding isrbt_def by auto 
   735   hence "inv2 (del k t) \<and> (treec t = R \<and> bh (del k t) = bh t \<and> inv1 (del k t) \<or> treec t = B \<and> bh (del k t) = bh t - 1 \<and> inv1l (del k t))" by (rule del_inv1_inv2)
   736   hence "inv2 (del k t) \<and> inv1l (del k t)" by (cases "treec t") auto
   737   with assms show ?thesis
   738     unfolding isrbt_def delete_def
   739     by (auto intro: paint_st del_st)
   740 qed
   741 
   742 lemma delete_pit: 
   743   assumes "isrbt t" 
   744   shows "pin_tree k v (delete x t) = (x \<noteq> k \<and> pin_tree k v t)"
   745   using assms unfolding isrbt_def delete_def
   746   by (auto simp: del_pit)
   747 
   748 lemma map_of_delete:
   749   assumes isrbt: "isrbt t"
   750   shows "map_of (delete k t) = (map_of t)|`(-{k})"
   751 proof
   752   fix x
   753   show "map_of (delete k t) x = (map_of t |` (-{k})) x" 
   754   proof (cases "x = k")
   755     assume "x = k" 
   756     with isrbt show ?thesis
   757       by (cases "map_of (delete k t) k") (auto simp: mapof_pit delete_pit)
   758   next
   759     assume "x \<noteq> k"
   760     thus ?thesis
   761       by auto (metis isrbt delete_isrbt delete_pit isrbt_st mapof_from_pit)
   762   qed
   763 qed
   764 
   765 subsection {* Union *}
   766 
   767 primrec
   768   unionwithkey :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   769 where
   770   "unionwithkey f t Empty = t"
   771 | "unionwithkey f t (Tr c lt k v rt) = unionwithkey f (unionwithkey f (insertwithkey f k v t) lt) rt"
   772 
   773 lemma unionwk_st: "st lt \<Longrightarrow> st (unionwithkey f lt rt)" 
   774   by (induct rt arbitrary: lt) (auto simp: insertwk_st)
   775 theorem unionwk_isrbt[simp]: "isrbt lt \<Longrightarrow> isrbt (unionwithkey f lt rt)" 
   776   by (induct rt arbitrary: lt) (simp add: insertwk_isrbt)+
   777 
   778 definition
   779   unionwith where
   780   "unionwith f = unionwithkey (\<lambda>_. f)"
   781 
   782 theorem unionw_isrbt: "isrbt lt \<Longrightarrow> isrbt (unionwith f lt rt)" unfolding unionwith_def by simp
   783 
   784 definition union where
   785   "union = unionwithkey (%_ _ rv. rv)"
   786 
   787 theorem union_isrbt: "isrbt lt \<Longrightarrow> isrbt (union lt rt)" unfolding union_def by simp
   788 
   789 lemma union_Tr[simp]:
   790   "union t (Tr c lt k v rt) = union (union (insrt k v t) lt) rt"
   791   unfolding union_def insrt_def
   792   by simp
   793 
   794 lemma map_of_union:
   795   assumes "isrbt s" "st t"
   796   shows "map_of (union s t) = map_of s ++ map_of t"
   797 using assms
   798 proof (induct t arbitrary: s)
   799   case Empty thus ?case by (auto simp: union_def)
   800 next
   801   case (Tr c l k v r s)
   802   hence strl: "st r" "st l" "l |\<guillemotleft> k" "k \<guillemotleft>| r" by auto
   803 
   804   have meq: "map_of s(k \<mapsto> v) ++ map_of l ++ map_of r =
   805     map_of s ++
   806     (\<lambda>a. if a < k then map_of l a
   807     else if k < a then map_of r a else Some v)" (is "?m1 = ?m2")
   808   proof (rule ext)
   809     fix a
   810 
   811    have "k < a \<or> k = a \<or> k > a" by auto
   812     thus "?m1 a = ?m2 a"
   813     proof (elim disjE)
   814       assume "k < a"
   815       with `l |\<guillemotleft> k` have "l |\<guillemotleft> a" by (rule tlt_trans)
   816       with `k < a` show ?thesis
   817         by (auto simp: map_add_def split: option.splits)
   818     next
   819       assume "k = a"
   820       with `l |\<guillemotleft> k` `k \<guillemotleft>| r` 
   821       show ?thesis by (auto simp: map_add_def)
   822     next
   823       assume "a < k"
   824       from this `k \<guillemotleft>| r` have "a \<guillemotleft>| r" by (rule tgt_trans)
   825       with `a < k` show ?thesis
   826         by (auto simp: map_add_def split: option.splits)
   827     qed
   828   qed
   829 
   830   from Tr
   831   have IHs:
   832     "map_of (union (union (insrt k v s) l) r) = map_of (union (insrt k v s) l) ++ map_of r"
   833     "map_of (union (insrt k v s) l) = map_of (insrt k v s) ++ map_of l"
   834     by (auto intro: union_isrbt insrt_isrbt)
   835   
   836   with meq show ?case
   837     by (auto simp: map_of_insert[OF Tr(3)])
   838 qed
   839 
   840 subsection {* Adjust *}
   841 
   842 primrec
   843   adjustwithkey :: "('a \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   844 where
   845   "adjustwithkey f k Empty = Empty"
   846 | "adjustwithkey f k (Tr c lt x v rt) = (if k < x then (Tr c (adjustwithkey f k lt) x v rt) else if k > x then (Tr c lt x v (adjustwithkey f k rt)) else (Tr c lt x (f x v) rt))"
   847 
   848 lemma adjustwk_treec: "treec (adjustwithkey f k t) = treec t" by (induct t) simp+
   849 lemma adjustwk_inv1: "inv1 (adjustwithkey f k t) = inv1 t" by (induct t) (simp add: adjustwk_treec)+
   850 lemma adjustwk_inv2: "inv2 (adjustwithkey f k t) = inv2 t" "bh (adjustwithkey f k t) = bh t" by (induct t) simp+
   851 lemma adjustwk_tgt: "tgt k (adjustwithkey f kk t) = tgt k t" by (induct t) simp+
   852 lemma adjustwk_tlt: "tlt k (adjustwithkey f kk t) = tlt k t" by (induct t) simp+
   853 lemma adjustwk_st: "st (adjustwithkey f k t) = st t" by (induct t) (simp add: adjustwk_tlt adjustwk_tgt)+
   854 
   855 theorem adjustwk_isrbt[simp]: "isrbt (adjustwithkey f k t) = isrbt t" 
   856 unfolding isrbt_def by (simp add: adjustwk_inv2 adjustwk_treec adjustwk_st adjustwk_inv1 )
   857 
   858 theorem adjustwithkey_map[simp]:
   859   "map_of (adjustwithkey f k t) x = 
   860   (if x = k then case map_of t x of None \<Rightarrow> None | Some y \<Rightarrow> Some (f k y)
   861             else map_of t x)"
   862 by (induct t arbitrary: x) (auto split:option.splits)
   863 
   864 definition adjust where
   865   "adjust f = adjustwithkey (\<lambda>_. f)"
   866 
   867 theorem adjust_isrbt[simp]: "isrbt (adjust f k t) = isrbt t" unfolding adjust_def by simp
   868 
   869 theorem adjust_map[simp]:
   870   "map_of (adjust f k t) x = 
   871   (if x = k then case map_of t x of None \<Rightarrow> None | Some y \<Rightarrow> Some (f y)
   872             else map_of t x)"
   873 unfolding adjust_def by simp
   874 
   875 subsection {* Map *}
   876 
   877 primrec
   878   mapwithkey :: "('a::linorder \<Rightarrow> 'b \<Rightarrow> 'c) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'c) rbt"
   879 where
   880   "mapwithkey f Empty = Empty"
   881 | "mapwithkey f (Tr c lt k v rt) = Tr c (mapwithkey f lt) k (f k v) (mapwithkey f rt)"
   882 
   883 theorem mapwk_keys[simp]: "keys (mapwithkey f t) = keys t" by (induct t) auto
   884 lemma mapwk_tgt: "tgt k (mapwithkey f t) = tgt k t" by (induct t) simp+
   885 lemma mapwk_tlt: "tlt k (mapwithkey f t) = tlt k t" by (induct t) simp+
   886 lemma mapwk_st: "st (mapwithkey f t) = st t"  by (induct t) (simp add: mapwk_tlt mapwk_tgt)+
   887 lemma mapwk_treec: "treec (mapwithkey f t) = treec t" by (induct t) simp+
   888 lemma mapwk_inv1: "inv1 (mapwithkey f t) = inv1 t" by (induct t) (simp add: mapwk_treec)+
   889 lemma mapwk_inv2: "inv2 (mapwithkey f t) = inv2 t" "bh (mapwithkey f t) = bh t" by (induct t) simp+
   890 theorem mapwk_isrbt[simp]: "isrbt (mapwithkey f t) = isrbt t" 
   891 unfolding isrbt_def by (simp add: mapwk_inv1 mapwk_inv2 mapwk_st mapwk_treec)
   892 
   893 theorem map_of_mapwk[simp]: "map_of (mapwithkey f t) x = Option.map (f x) (map_of t x)"
   894 by (induct t) auto
   895 
   896 definition map
   897 where map_def: "map f == mapwithkey (\<lambda>_. f)"
   898 
   899 theorem map_keys[simp]: "keys (map f t) = keys t" unfolding map_def by simp
   900 theorem map_isrbt[simp]: "isrbt (map f t) = isrbt t" unfolding map_def by simp
   901 theorem map_of_map[simp]: "map_of (map f t) = Option.map f o map_of t"
   902   by (rule ext) (simp add:map_def)
   903 
   904 subsection {* Fold *}
   905 
   906 text {* The following is still incomplete... *}
   907 
   908 primrec
   909   foldwithkey :: "('a::linorder \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c"
   910 where
   911   "foldwithkey f Empty v = v"
   912 | "foldwithkey f (Tr c lt k x rt) v = foldwithkey f rt (f k x (foldwithkey f lt v))"
   913 
   914 primrec alist_of
   915 where 
   916   "alist_of Empty = []"
   917 | "alist_of (Tr _ l k v r) = alist_of l @ (k,v) # alist_of r"
   918 
   919 lemma map_of_alist_of:
   920   shows "st t \<Longrightarrow> Map.map_of (alist_of t) = map_of t"
   921   oops
   922 
   923 lemma fold_alist_fold:
   924   "foldwithkey f t x = foldl (\<lambda>x (k,v). f k v x) x (alist_of t)"
   925 by (induct t arbitrary: x) auto
   926 
   927 lemma alist_pit[simp]: "(k, v) \<in> set (alist_of t) = pin_tree k v t"
   928 by (induct t) auto
   929 
   930 lemma sorted_alist:
   931   "st t \<Longrightarrow> sorted (List.map fst (alist_of t))"
   932 by (induct t) 
   933   (force simp: sorted_append sorted_Cons tlgt_props 
   934       dest!:pint_keys)+
   935 
   936 lemma distinct_alist:
   937   "st t \<Longrightarrow> distinct (List.map fst (alist_of t))"
   938 by (induct t) 
   939   (force simp: sorted_append sorted_Cons tlgt_props 
   940       dest!:pint_keys)+
   941 (*>*)
   942 
   943 text {* 
   944   This theory defines purely functional red-black trees which can be
   945   used as an efficient representation of finite maps.
   946 *}
   947 
   948 subsection {* Data type and invariant *}
   949 
   950 text {*
   951   The type @{typ "('k, 'v) rbt"} denotes red-black trees with keys of
   952   type @{typ "'k"} and values of type @{typ "'v"}. To function
   953   properly, the key type must belong to the @{text "linorder"} class.
   954 
   955   A value @{term t} of this type is a valid red-black tree if it
   956   satisfies the invariant @{text "isrbt t"}.
   957   This theory provides lemmas to prove that the invariant is
   958   satisfied throughout the computation.
   959 
   960   The interpretation function @{const "map_of"} returns the partial
   961   map represented by a red-black tree:
   962   @{term_type[display] "map_of"}
   963 
   964   This function should be used for reasoning about the semantics of the RBT
   965   operations. Furthermore, it implements the lookup functionality for
   966   the data structure: It is executable and the lookup is performed in
   967   $O(\log n)$.  
   968 *}
   969 
   970 subsection {* Operations *}
   971 
   972 text {*
   973   Currently, the following operations are supported:
   974 
   975   @{term_type[display] "Empty"}
   976   Returns the empty tree. $O(1)$
   977 
   978   @{term_type[display] "insrt"}
   979   Updates the map at a given position. $O(\log n)$
   980 
   981   @{term_type[display] "delete"}
   982   Deletes a map entry at a given position. $O(\log n)$
   983 
   984   @{term_type[display] "union"}
   985   Forms the union of two trees, preferring entries from the first one.
   986 
   987   @{term_type[display] "map"}
   988   Maps a function over the values of a map. $O(n)$
   989 *}
   990 
   991 
   992 subsection {* Invariant preservation *}
   993 
   994 text {*
   995   \noindent
   996   @{thm Empty_isrbt}\hfill(@{text "Empty_isrbt"})
   997 
   998   \noindent
   999   @{thm insrt_isrbt}\hfill(@{text "insrt_isrbt"})
  1000 
  1001   \noindent
  1002   @{thm delete_isrbt}\hfill(@{text "delete_isrbt"})
  1003 
  1004   \noindent
  1005   @{thm union_isrbt}\hfill(@{text "union_isrbt"})
  1006 
  1007   \noindent
  1008   @{thm map_isrbt}\hfill(@{text "map_isrbt"})
  1009 *}
  1010 
  1011 subsection {* Map Semantics *}
  1012 
  1013 text {*
  1014   \noindent
  1015   \underline{@{text "map_of_Empty"}}
  1016   @{thm[display] map_of_Empty}
  1017   \vspace{1ex}
  1018 
  1019   \noindent
  1020   \underline{@{text "map_of_insert"}}
  1021   @{thm[display] map_of_insert}
  1022   \vspace{1ex}
  1023 
  1024   \noindent
  1025   \underline{@{text "map_of_delete"}}
  1026   @{thm[display] map_of_delete}
  1027   \vspace{1ex}
  1028 
  1029   \noindent
  1030   \underline{@{text "map_of_union"}}
  1031   @{thm[display] map_of_union}
  1032   \vspace{1ex}
  1033 
  1034   \noindent
  1035   \underline{@{text "map_of_map"}}
  1036   @{thm[display] map_of_map}
  1037   \vspace{1ex}
  1038 *}
  1039 
  1040 end