register pmf as BNF
authorAndreas Lochbihler
Fri Nov 21 12:11:44 2014 +0100 (2014-11-21)
changeset 590234999a616336c
parent 59022 fa7c419f04b4
child 59024 5fcfeae84b96
register pmf as BNF
src/HOL/Library/Extended_Real.thy
src/HOL/Probability/Nonnegative_Lebesgue_Integration.thy
src/HOL/Probability/Probability_Mass_Function.thy
     1.1 --- a/src/HOL/Library/Extended_Real.thy	Thu Nov 20 17:29:18 2014 +0100
     1.2 +++ b/src/HOL/Library/Extended_Real.thy	Fri Nov 21 12:11:44 2014 +0100
     1.3 @@ -1178,6 +1178,11 @@
     1.4      a \<le> b \<or> c = \<infinity> \<or> (c = -\<infinity> \<and> a \<noteq> \<infinity> \<and> b \<noteq> \<infinity>)"
     1.5    by (cases rule: ereal3_cases[of a b c]) (simp_all add: field_simps)
     1.6  
     1.7 +lemma ereal_add_le_add_iff2:
     1.8 +  fixes a b c :: ereal
     1.9 +  shows "a + c \<le> b + c \<longleftrightarrow> a \<le> b \<or> c = \<infinity> \<or> (c = -\<infinity> \<and> a \<noteq> \<infinity> \<and> b \<noteq> \<infinity>)"
    1.10 +by(cases rule: ereal3_cases[of a b c])(simp_all add: field_simps)
    1.11 +
    1.12  lemma ereal_mult_le_mult_iff:
    1.13    fixes a b c :: ereal
    1.14    shows "\<bar>c\<bar> \<noteq> \<infinity> \<Longrightarrow> c * a \<le> c * b \<longleftrightarrow> (0 < c \<longrightarrow> a \<le> b) \<and> (c < 0 \<longrightarrow> b \<le> a)"
     2.1 --- a/src/HOL/Probability/Nonnegative_Lebesgue_Integration.thy	Thu Nov 20 17:29:18 2014 +0100
     2.2 +++ b/src/HOL/Probability/Nonnegative_Lebesgue_Integration.thy	Fri Nov 21 12:11:44 2014 +0100
     2.3 @@ -1951,6 +1951,20 @@
     2.4    shows "(\<integral>\<^sup>+x. f x \<partial>count_space X) = (\<integral>\<^sup>+x. f x * indicator X x \<partial>count_space UNIV)"
     2.5    by (simp add: nn_integral_restrict_space[symmetric] restrict_count_space)
     2.6  
     2.7 +lemma nn_integral_ge_point:
     2.8 +  assumes "x \<in> A"
     2.9 +  shows "p x \<le> \<integral>\<^sup>+ x. p x \<partial>count_space A"
    2.10 +proof -
    2.11 +  from assms have "p x \<le> \<integral>\<^sup>+ x. p x \<partial>count_space {x}"
    2.12 +    by(auto simp add: nn_integral_count_space_finite max_def)
    2.13 +  also have "\<dots> = \<integral>\<^sup>+ x'. p x' * indicator {x} x' \<partial>count_space A"
    2.14 +    using assms by(auto simp add: nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
    2.15 +  also have "\<dots> \<le> \<integral>\<^sup>+ x. max 0 (p x) \<partial>count_space A"
    2.16 +    by(rule nn_integral_mono)(simp add: indicator_def)
    2.17 +  also have "\<dots> = \<integral>\<^sup>+ x. p x \<partial>count_space A" by(simp add: nn_integral_def o_def)
    2.18 +  finally show ?thesis .
    2.19 +qed
    2.20 +
    2.21  subsubsection {* Measure spaces with an associated density *}
    2.22  
    2.23  definition density :: "'a measure \<Rightarrow> ('a \<Rightarrow> ereal) \<Rightarrow> 'a measure" where
     3.1 --- a/src/HOL/Probability/Probability_Mass_Function.thy	Thu Nov 20 17:29:18 2014 +0100
     3.2 +++ b/src/HOL/Probability/Probability_Mass_Function.thy	Fri Nov 21 12:11:44 2014 +0100
     3.3 @@ -1,5 +1,7 @@
     3.4  (*  Title:      HOL/Probability/Probability_Mass_Function.thy
     3.5 -    Author:     Johannes Hölzl, TU München *)
     3.6 +    Author:     Johannes Hölzl, TU München 
     3.7 +    Author:     Andreas Lochbihler, ETH Zurich
     3.8 +*)
     3.9  
    3.10  section \<open> Probability mass function \<close>
    3.11  
    3.12 @@ -133,7 +135,7 @@
    3.13  
    3.14  declare [[coercion set_pmf]]
    3.15  
    3.16 -lemma countable_set_pmf: "countable (set_pmf p)"
    3.17 +lemma countable_set_pmf [simp]: "countable (set_pmf p)"
    3.18    by transfer (metis prob_space.finite_measure finite_measure.countable_support)
    3.19  
    3.20  lemma sets_measure_pmf[simp]: "sets (measure_pmf p) = UNIV"
    3.21 @@ -193,6 +195,10 @@
    3.22  lemma emeasure_measure_pmf_finite: "finite S \<Longrightarrow> emeasure (measure_pmf M) S = (\<Sum>s\<in>S. pmf M s)"
    3.23    by (subst emeasure_eq_setsum_singleton) (auto simp: emeasure_pmf_single)
    3.24  
    3.25 +lemma measure_measure_pmf_finite: "finite S \<Longrightarrow> measure (measure_pmf M) S = setsum (pmf M) S"
    3.26 +using emeasure_measure_pmf_finite[of S M]
    3.27 +by(simp add: measure_pmf.emeasure_eq_measure)
    3.28 +
    3.29  lemma nn_integral_measure_pmf_support:
    3.30    fixes f :: "'a \<Rightarrow> ereal"
    3.31    assumes f: "finite A" and nn: "\<And>x. x \<in> A \<Longrightarrow> 0 \<le> f x" "\<And>x. x \<in> set_pmf M \<Longrightarrow> x \<notin> A \<Longrightarrow> f x = 0"
    3.32 @@ -234,7 +240,7 @@
    3.33    then have "integrable (count_space X) (pmf M) = integrable (count_space (M \<inter> X)) (pmf M)"
    3.34      by (simp add: integrable_iff_bounded pmf_nonneg)
    3.35    then show ?thesis
    3.36 -    by (simp add: pmf.rep_eq measure_pmf.integrable_measure countable_set_pmf disjoint_family_on_def)
    3.37 +    by (simp add: pmf.rep_eq measure_pmf.integrable_measure disjoint_family_on_def)
    3.38  qed
    3.39  
    3.40  lemma integral_pmf: "(\<integral>x. pmf M x \<partial>count_space X) = measure M X"
    3.41 @@ -266,6 +272,11 @@
    3.42      using measure_pmf.emeasure_space_1 by simp
    3.43  qed
    3.44  
    3.45 +lemma in_null_sets_measure_pmfI:
    3.46 +  "A \<inter> set_pmf p = {} \<Longrightarrow> A \<in> null_sets (measure_pmf p)"
    3.47 +using emeasure_eq_0_AE[where ?P="\<lambda>x. x \<in> A" and M="measure_pmf p"]
    3.48 +by(auto simp add: null_sets_def AE_measure_pmf_iff)
    3.49 +
    3.50  lemma map_pmf_id[simp]: "map_pmf id = id"
    3.51    by (rule, transfer) (auto simp: emeasure_distr measurable_def intro!: measure_eqI)
    3.52  
    3.53 @@ -287,6 +298,16 @@
    3.54  lemma nn_integral_map_pmf[simp]: "(\<integral>\<^sup>+x. f x \<partial>map_pmf g M) = (\<integral>\<^sup>+x. f (g x) \<partial>M)"
    3.55    unfolding map_pmf.rep_eq by (intro nn_integral_distr) auto
    3.56  
    3.57 +lemma ereal_pmf_map: "pmf (map_pmf f p) x = (\<integral>\<^sup>+ y. indicator (f -` {x}) y \<partial>measure_pmf p)"
    3.58 +proof(transfer fixing: f x)
    3.59 +  fix p :: "'b measure"
    3.60 +  presume "prob_space p"
    3.61 +  then interpret prob_space p .
    3.62 +  presume "sets p = UNIV"
    3.63 +  then show "ereal (measure (distr p (count_space UNIV) f) {x}) = integral\<^sup>N p (indicator (f -` {x}))"
    3.64 +    by(simp add: measure_distr measurable_def emeasure_eq_measure)
    3.65 +qed simp_all
    3.66 +
    3.67  lemma pmf_set_map: 
    3.68    fixes f :: "'a \<Rightarrow> 'b"
    3.69    shows "set_pmf \<circ> map_pmf f = op ` f \<circ> set_pmf"
    3.70 @@ -317,6 +338,19 @@
    3.71  lemma set_map_pmf: "set_pmf (map_pmf f M) = f`set_pmf M"
    3.72    using pmf_set_map[of f] by (auto simp: comp_def fun_eq_iff)
    3.73  
    3.74 +lemma nn_integral_pmf: "(\<integral>\<^sup>+ x. pmf p x \<partial>count_space A) = emeasure (measure_pmf p) A"
    3.75 +proof -
    3.76 +  have "(\<integral>\<^sup>+ x. pmf p x \<partial>count_space A) = (\<integral>\<^sup>+ x. pmf p x \<partial>count_space (A \<inter> set_pmf p))"
    3.77 +    by(auto simp add: nn_integral_count_space_indicator indicator_def set_pmf_iff intro: nn_integral_cong)
    3.78 +  also have "\<dots> = emeasure (measure_pmf p) (\<Union>x\<in>A \<inter> set_pmf p. {x})"
    3.79 +    by(subst emeasure_UN_countable)(auto simp add: emeasure_pmf_single disjoint_family_on_def)
    3.80 +  also have "\<dots> = emeasure (measure_pmf p) ((\<Union>x\<in>A \<inter> set_pmf p. {x}) \<union> {x. x \<in> A \<and> x \<notin> set_pmf p})"
    3.81 +    by(rule emeasure_Un_null_set[symmetric])(auto intro: in_null_sets_measure_pmfI)
    3.82 +  also have "\<dots> = emeasure (measure_pmf p) A"
    3.83 +    by(auto intro: arg_cong2[where f=emeasure])
    3.84 +  finally show ?thesis .
    3.85 +qed
    3.86 +
    3.87  subsection {* PMFs as function *}
    3.88  
    3.89  context
    3.90 @@ -667,7 +701,7 @@
    3.91    also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>restrict_space A A \<partial>restrict_space B B)"
    3.92      by (rule AB.Fubini_integral[symmetric])
    3.93         (auto intro!: AB.integrable_const_bound[where B=1] measurable_pair_restrict_pmf2
    3.94 -             simp: pmf_nonneg pmf_le_1 countable_set_pmf measurable_restrict_space1)
    3.95 +             simp: pmf_nonneg pmf_le_1 measurable_restrict_space1)
    3.96    also have "\<dots> = (\<integral> y. \<integral> x. pmf (C x y) i \<partial>restrict_space A A \<partial>B)"
    3.97      by (intro integral_pmf_restrict[symmetric] A.borel_measurable_lebesgue_integral measurable_pair_restrict_pmf2
    3.98                countable_set_pmf borel_measurable_count_space)
    3.99 @@ -783,18 +817,19 @@
   3.100      done
   3.101  qed
   3.102  
   3.103 -
   3.104 -(*
   3.105 +inductive rel_pmf :: "('a \<Rightarrow> 'b \<Rightarrow> bool) \<Rightarrow> 'a pmf \<Rightarrow> 'b pmf \<Rightarrow> bool"
   3.106 +for R p q
   3.107 +where
   3.108 +  "\<lbrakk> \<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> R x y; 
   3.109 +     map_pmf fst pq = p; map_pmf snd pq = q \<rbrakk>
   3.110 +  \<Longrightarrow> rel_pmf R p q"
   3.111  
   3.112 -definition
   3.113 -  "rel_pmf P d1 d2 \<longleftrightarrow> (\<exists>p3. (\<forall>(x, y) \<in> set_pmf p3. P x y) \<and> map_pmf fst p3 = d1 \<and> map_pmf snd p3 = d2)"
   3.114 -
   3.115 -bnf pmf: "'a pmf" map: map_pmf sets: set_pmf bd : "natLeq" rel: pmf_rel
   3.116 +bnf pmf: "'a pmf" map: map_pmf sets: set_pmf bd : "natLeq" rel: rel_pmf
   3.117  proof -
   3.118    show "map_pmf id = id" by (rule map_pmf_id)
   3.119    show "\<And>f g. map_pmf (f \<circ> g) = map_pmf f \<circ> map_pmf g" by (rule map_pmf_compose) 
   3.120    show "\<And>f g::'a \<Rightarrow> 'b. \<And>p. (\<And>x. x \<in> set_pmf p \<Longrightarrow> f x = g x) \<Longrightarrow> map_pmf f p = map_pmf g p"
   3.121 -    by (intro map_pmg_cong refl)
   3.122 +    by (intro map_pmf_cong refl)
   3.123  
   3.124    show "\<And>f::'a \<Rightarrow> 'b. set_pmf \<circ> map_pmf f = op ` f \<circ> set_pmf"
   3.125      by (rule pmf_set_map)
   3.126 @@ -807,46 +842,595 @@
   3.127        by (metis Field_natLeq card_of_least natLeq_Well_order)
   3.128      finally show "(card_of (set_pmf p), natLeq) \<in> ordLeq" . }
   3.129  
   3.130 -  show "\<And>R. pmf_rel R =
   3.131 -         (BNF_Util.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf fst))\<inverse>\<inverse> OO
   3.132 -         BNF_Util.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf snd)"
   3.133 -     by (auto simp add: fun_eq_iff pmf_rel_def BNF_Util.Grp_def OO_def)
   3.134 +  show "\<And>R. rel_pmf R =
   3.135 +         (BNF_Def.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf fst))\<inverse>\<inverse> OO
   3.136 +         BNF_Def.Grp {x. set_pmf x \<subseteq> {(x, y). R x y}} (map_pmf snd)"
   3.137 +     by (auto simp add: fun_eq_iff BNF_Def.Grp_def OO_def rel_pmf.simps)
   3.138 +
   3.139 +  { fix p :: "'a pmf" and f :: "'a \<Rightarrow> 'b" and g x
   3.140 +    assume p: "\<And>z. z \<in> set_pmf p \<Longrightarrow> f z = g z"
   3.141 +      and x: "x \<in> set_pmf p"
   3.142 +    thus "f x = g x" by simp }
   3.143 +
   3.144 +  fix R :: "'a => 'b \<Rightarrow> bool" and S :: "'b \<Rightarrow> 'c \<Rightarrow> bool"
   3.145 +  { fix p q r
   3.146 +    assume pq: "rel_pmf R p q"
   3.147 +      and qr:"rel_pmf S q r"
   3.148 +    from pq obtain pq where pq: "\<And>x y. (x, y) \<in> set_pmf pq \<Longrightarrow> R x y"
   3.149 +      and p: "p = map_pmf fst pq" and q: "q = map_pmf snd pq" by cases auto
   3.150 +    from qr obtain qr where qr: "\<And>y z. (y, z) \<in> set_pmf qr \<Longrightarrow> S y z"
   3.151 +      and q': "q = map_pmf fst qr" and r: "r = map_pmf snd qr" by cases auto
   3.152 +
   3.153 +    have support_subset: "set_pmf pq O set_pmf qr \<subseteq> set_pmf p \<times> set_pmf r"
   3.154 +      by(auto simp add: p r set_map_pmf intro: rev_image_eqI)
   3.155 +
   3.156 +    let ?A = "\<lambda>y. {x. (x, y) \<in> set_pmf pq}"
   3.157 +      and ?B = "\<lambda>y. {z. (y, z) \<in> set_pmf qr}"
   3.158 +
   3.159 +
   3.160 +    def ppp \<equiv> "\<lambda>A. \<lambda>f :: 'a \<Rightarrow> real. \<lambda>n. if n \<in> to_nat_on A ` A then f (from_nat_into A n) else 0"
   3.161 +    have [simp]: "\<And>A f n. (\<And>x. x \<in> A \<Longrightarrow> 0 \<le> f x) \<Longrightarrow> 0 \<le> ppp A f n"
   3.162 +                 "\<And>A f n x. \<lbrakk> x \<in> A; countable A \<rbrakk> \<Longrightarrow> ppp A f (to_nat_on A x) = f x"
   3.163 +                 "\<And>A f n. n \<notin> to_nat_on A ` A \<Longrightarrow> ppp A f n = 0"
   3.164 +      by(auto simp add: ppp_def intro: from_nat_into)
   3.165 +    def rrr \<equiv> "\<lambda>A. \<lambda>f :: 'c \<Rightarrow> real. \<lambda>n. if n \<in> to_nat_on A ` A then f (from_nat_into A n) else 0"
   3.166 +    have [simp]: "\<And>A f n. (\<And>x. x \<in> A \<Longrightarrow> 0 \<le> f x) \<Longrightarrow> 0 \<le> rrr A f n"
   3.167 +                 "\<And>A f n x. \<lbrakk> x \<in> A; countable A \<rbrakk> \<Longrightarrow> rrr A f (to_nat_on A x) = f x"
   3.168 +                 "\<And>A f n. n \<notin> to_nat_on A ` A \<Longrightarrow> rrr A f n = 0"
   3.169 +      by(auto simp add: rrr_def intro: from_nat_into)
   3.170 +
   3.171 +    def pp \<equiv> "\<lambda>y. ppp (?A y) (\<lambda>x. pmf pq (x, y))"
   3.172 +     and rr \<equiv> "\<lambda>y. rrr (?B y) (\<lambda>z. pmf qr (y, z))"
   3.173 +
   3.174 +    have pos_p [simp]: "\<And>y n. 0 \<le> pp y n"
   3.175 +      and pos_r [simp]: "\<And>y n. 0 \<le> rr y n"
   3.176 +      by(simp_all add: pmf_nonneg pp_def rr_def)
   3.177 +    { fix y n
   3.178 +      have "pp y n \<le> 0 \<longleftrightarrow> pp y n = 0" "\<not> 0 < pp y n \<longleftrightarrow> pp y n = 0"
   3.179 +        and "min (pp y n) 0 = 0" "min 0 (pp y n) = 0"
   3.180 +        using pos_p[of y n] by(auto simp del: pos_p) }
   3.181 +    note pp_convs [simp] = this
   3.182 +    { fix y n
   3.183 +      have "rr y n \<le> 0 \<longleftrightarrow> rr y n = 0" "\<not> 0 < rr y n \<longleftrightarrow> rr y n = 0"
   3.184 +        and "min (rr y n) 0 = 0" "min 0 (rr y n) = 0"
   3.185 +        using pos_r[of y n] by(auto simp del: pos_r) }
   3.186 +    note r_convs [simp] = this
   3.187 +
   3.188 +    have "\<And>y. ?A y \<subseteq> set_pmf p" by(auto simp add: p set_map_pmf intro: rev_image_eqI)
   3.189 +    then have [simp]: "\<And>y. countable (?A y)" by(rule countable_subset) simp
   3.190 +
   3.191 +    have "\<And>y. ?B y \<subseteq> set_pmf r" by(auto simp add: r set_map_pmf intro: rev_image_eqI)
   3.192 +    then have [simp]: "\<And>y. countable (?B y)" by(rule countable_subset) simp
   3.193 +
   3.194 +    let ?P = "\<lambda>y. to_nat_on (?A y)"
   3.195 +      and ?R = "\<lambda>y. to_nat_on (?B y)"
   3.196 +
   3.197 +    have eq: "\<And>y. (\<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV) = \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
   3.198 +    proof -
   3.199 +      fix y
   3.200 +      have "(\<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV) = (\<integral>\<^sup>+ x. pp y x \<partial>count_space (?P y ` ?A y))"
   3.201 +        by(auto simp add: pp_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
   3.202 +      also have "\<dots> = (\<integral>\<^sup>+ x. pp y (?P y x) \<partial>count_space (?A y))"
   3.203 +        by(intro nn_integral_bij_count_space[symmetric] inj_on_imp_bij_betw inj_on_to_nat_on) simp
   3.204 +      also have "\<dots> = (\<integral>\<^sup>+ x. pmf pq (x, y) \<partial>count_space (?A y))"
   3.205 +        by(rule nn_integral_cong)(simp add: pp_def)
   3.206 +      also have "\<dots> = \<integral>\<^sup>+ x. emeasure (measure_pmf pq) {(x, y)} \<partial>count_space (?A y)"
   3.207 +        by(simp add: emeasure_pmf_single)
   3.208 +      also have "\<dots> = emeasure (measure_pmf pq) (\<Union>x\<in>?A y. {(x, y)})"
   3.209 +        by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
   3.210 +      also have "\<dots> = emeasure (measure_pmf pq) ((\<Union>x\<in>?A y. {(x, y)}) \<union> {(x, y'). x \<notin> ?A y \<and> y' = y})"
   3.211 +        by(rule emeasure_Un_null_set[symmetric])+
   3.212 +          (auto simp add: q set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
   3.213 +      also have "\<dots> = emeasure (measure_pmf pq) (snd -` {y})"
   3.214 +        by(rule arg_cong2[where f=emeasure])+auto
   3.215 +      also have "\<dots> = pmf q y" by(simp add: q ereal_pmf_map)
   3.216 +      also have "\<dots> = emeasure (measure_pmf qr) (fst -` {y})"
   3.217 +        by(simp add: q' ereal_pmf_map)
   3.218 +      also have "\<dots> = emeasure (measure_pmf qr) ((\<Union>z\<in>?B y. {(y, z)}) \<union> {(y', z). z \<notin> ?B y \<and> y' = y})"
   3.219 +        by(rule arg_cong2[where f=emeasure])+auto
   3.220 +      also have "\<dots> = emeasure (measure_pmf qr) (\<Union>z\<in>?B y. {(y, z)})"
   3.221 +        by(rule emeasure_Un_null_set)
   3.222 +          (auto simp add: q' set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
   3.223 +      also have "\<dots> = \<integral>\<^sup>+ z. emeasure (measure_pmf qr) {(y, z)} \<partial>count_space (?B y)"
   3.224 +        by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
   3.225 +      also have "\<dots> = (\<integral>\<^sup>+ z. pmf qr (y, z) \<partial>count_space (?B y))"
   3.226 +        by(simp add: emeasure_pmf_single)
   3.227 +      also have "\<dots> = (\<integral>\<^sup>+ z. rr y (?R y z) \<partial>count_space (?B y))"
   3.228 +        by(rule nn_integral_cong)(simp add: rr_def)
   3.229 +      also have "\<dots> = (\<integral>\<^sup>+ z. rr y z \<partial>count_space (?R y ` ?B y))"
   3.230 +        by(intro nn_integral_bij_count_space inj_on_imp_bij_betw inj_on_to_nat_on) simp
   3.231 +      also have "\<dots> = \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
   3.232 +        by(auto simp add: rr_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
   3.233 +      finally show "?thesis y" .
   3.234 +    qed
   3.235  
   3.236 -  { let ?f = "map_pmf fst" and ?s = "map_pmf snd"
   3.237 -    fix R :: "'a \<Rightarrow> 'b \<Rightarrow> bool" and A assume "\<And>x y. (x, y) \<in> set_pmf A \<Longrightarrow> R x y"
   3.238 -    fix S :: "'b \<Rightarrow> 'c \<Rightarrow> bool" and B assume "\<And>y z. (y, z) \<in> set_pmf B \<Longrightarrow> S y z"
   3.239 -    assume "?f B = ?s A"
   3.240 -    have "\<exists>C. (\<forall>(x, z)\<in>set_pmf C. \<exists>y. R x y \<and> S y z) \<and> ?f C = ?f A \<and> ?s C = ?s B"
   3.241 -      sorry }
   3.242 -oops
   3.243 -  then show "\<And>R::'a \<Rightarrow> 'b \<Rightarrow> bool. \<And>S::'b \<Rightarrow> 'c \<Rightarrow> bool. pmf_rel R OO pmf_rel S \<le> pmf_rel (R OO S)"
   3.244 -      by (auto simp add: subset_eq pmf_rel_def fun_eq_iff OO_def Ball_def)
   3.245 -qed (fact natLeq_card_order natLeq_cinfinite)+
   3.246 +    def assign_aux \<equiv> "\<lambda>y remainder start weight z.
   3.247 +       if z < start then 0
   3.248 +       else if z = start then min weight remainder
   3.249 +       else if remainder + setsum (rr y) {Suc start ..<z} < weight then min (weight - remainder - setsum (rr y) {Suc start..<z}) (rr y z) else 0"
   3.250 +    hence assign_aux_alt_def: "\<And>y remainder start weight z. assign_aux y remainder start weight z = 
   3.251 +       (if z < start then 0
   3.252 +        else if z = start then min weight remainder
   3.253 +        else if remainder + setsum (rr y) {Suc start ..<z} < weight then min (weight - remainder - setsum (rr y) {Suc start..<z}) (rr y z) else 0)"
   3.254 +       by simp
   3.255 +    { fix y and remainder :: real and start and weight :: real
   3.256 +      assume weight_nonneg: "0 \<le> weight"
   3.257 +      let ?assign_aux = "assign_aux y remainder start weight"
   3.258 +      { fix z
   3.259 +        have "setsum ?assign_aux {..<z} =
   3.260 +           (if z \<le> start then 0 else if remainder + setsum (rr y) {Suc start..<z} < weight then remainder + setsum (rr y) {Suc start..<z} else weight)"
   3.261 +        proof(induction z)
   3.262 +          case (Suc z) show ?case
   3.263 +            by(auto simp add: Suc.IH assign_aux_alt_def[where z=z] not_less)(metis add.commute add.left_commute add_increasing pos_r)
   3.264 +        qed(auto simp add: assign_aux_def) }
   3.265 +      note setsum_start_assign_aux = this
   3.266 +      moreover {
   3.267 +        assume remainder_nonneg: "0 \<le> remainder"
   3.268 +        have [simp]: "\<And>z. 0 \<le> ?assign_aux z"
   3.269 +          by(simp add: assign_aux_def weight_nonneg remainder_nonneg)
   3.270 +        moreover have "\<And>z. \<lbrakk> rr y z = 0; remainder \<le> rr y start \<rbrakk> \<Longrightarrow> ?assign_aux z = 0"
   3.271 +          using remainder_nonneg weight_nonneg
   3.272 +          by(auto simp add: assign_aux_def min_def)
   3.273 +        moreover have "(\<integral>\<^sup>+ z. ?assign_aux z \<partial>count_space UNIV) = 
   3.274 +          min weight (\<integral>\<^sup>+ z. (if z < start then 0 else if z = start then remainder else rr y z) \<partial>count_space UNIV)"
   3.275 +          (is "?lhs = ?rhs" is "_ = min _ (\<integral>\<^sup>+ y. ?f y \<partial>_)")
   3.276 +        proof -
   3.277 +          have "?lhs = (SUP n. \<Sum>z<n. ereal (?assign_aux z))"
   3.278 +            by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
   3.279 +          also have "\<dots> = (SUP n. min weight (\<Sum>z<n. ?f z))"
   3.280 +          proof(rule arg_cong2[where f=SUPREMUM] ext refl)+
   3.281 +            fix n
   3.282 +            have "(\<Sum>z<n. ereal (?assign_aux z)) = min weight ((if n > start then remainder else 0) + setsum ?f {Suc start..<n})"
   3.283 +              using weight_nonneg remainder_nonneg by(simp add: setsum_start_assign_aux min_def)
   3.284 +            also have "\<dots> = min weight (setsum ?f {start..<n})"
   3.285 +              by(simp add: setsum_head_upt_Suc)
   3.286 +            also have "\<dots> = min weight (setsum ?f {..<n})"
   3.287 +              by(intro arg_cong2[where f=min] setsum.mono_neutral_left) auto
   3.288 +            finally show "(\<Sum>z<n. ereal (?assign_aux z)) = \<dots>" .
   3.289 +          qed
   3.290 +          also have "\<dots> = min weight (SUP n. setsum ?f {..<n})"
   3.291 +            unfolding inf_min[symmetric] by(subst inf_SUP) simp
   3.292 +          also have "\<dots> = ?rhs"
   3.293 +            by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP remainder_nonneg)
   3.294 +          finally show ?thesis .
   3.295 +        qed
   3.296 +        moreover note calculation }
   3.297 +      moreover note calculation }
   3.298 +    note setsum_start_assign_aux = this(1)
   3.299 +      and assign_aux_nonneg [simp] = this(2)
   3.300 +      and assign_aux_eq_0_outside = this(3)
   3.301 +      and nn_integral_assign_aux = this(4)
   3.302 +    { fix y and remainder :: real and start target
   3.303 +      have "setsum (rr y) {Suc start..<target} \<ge> 0" by(simp add: setsum_nonneg)
   3.304 +      moreover assume "0 \<le> remainder"
   3.305 +      ultimately have "assign_aux y remainder start 0 target = 0"
   3.306 +        by(auto simp add: assign_aux_def min_def) }
   3.307 +    note assign_aux_weight_0 [simp] = this
   3.308 +
   3.309 +    def find_start \<equiv> "\<lambda>y weight. if \<exists>n. weight \<le> setsum (rr y)  {..n} then Some (LEAST n. weight \<le> setsum (rr y) {..n}) else None"
   3.310 +    have find_start_eq_Some_above:
   3.311 +      "\<And>y weight n. find_start y weight = Some n \<Longrightarrow> weight \<le> setsum (rr y) {..n}"
   3.312 +      by(drule sym)(auto simp add: find_start_def split: split_if_asm intro: LeastI)
   3.313 +    { fix y weight n
   3.314 +      assume find_start: "find_start y weight = Some n"
   3.315 +      and weight: "0 \<le> weight"
   3.316 +      have "setsum (rr y) {..n} \<le> rr y n + weight"
   3.317 +      proof(rule ccontr)
   3.318 +        assume "\<not> ?thesis"
   3.319 +        hence "rr y n + weight < setsum (rr y) {..n}" by simp
   3.320 +        moreover with weight obtain n' where "n = Suc n'" by(cases n) auto
   3.321 +        ultimately have "weight \<le> setsum (rr y) {..n'}" by simp
   3.322 +        hence "(LEAST n. weight \<le> setsum (rr y) {..n}) \<le> n'" by(rule Least_le)
   3.323 +        moreover from find_start have "n = (LEAST n. weight \<le> setsum (rr y) {..n})"
   3.324 +          by(auto simp add: find_start_def split: split_if_asm)
   3.325 +        ultimately show False using \<open>n = Suc n'\<close> by auto
   3.326 +      qed }
   3.327 +    note find_start_eq_Some_least = this
   3.328 +    have find_start_0 [simp]: "\<And>y. find_start y 0 = Some 0"
   3.329 +      by(auto simp add: find_start_def intro!: exI[where x=0])
   3.330 +    { fix y and weight :: real
   3.331 +      assume "weight < \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
   3.332 +      also have "(\<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV) = (SUP n. \<Sum>z<n. ereal (rr y z))"
   3.333 +        by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
   3.334 +      finally obtain n where "weight < (\<Sum>z<n. rr y z)" by(auto simp add: less_SUP_iff)
   3.335 +      hence "weight \<in> dom (find_start y)"
   3.336 +        by(auto simp add: find_start_def)(meson atMost_iff finite_atMost lessThan_iff less_imp_le order_trans pos_r setsum_mono3 subsetI) }
   3.337 +    note in_dom_find_startI = this
   3.338 +    { fix y and w w' :: real and m
   3.339 +      let ?m' = "LEAST m. w' \<le> setsum (rr y) {..m}"
   3.340 +      assume "w' \<le> w"
   3.341 +      also  assume "find_start y w = Some m"
   3.342 +      hence "w \<le> setsum (rr y) {..m}" by(rule find_start_eq_Some_above)
   3.343 +      finally have "find_start y w' = Some ?m'" by(auto simp add: find_start_def)
   3.344 +      moreover from \<open>w' \<le> setsum (rr y) {..m}\<close> have "?m' \<le> m" by(rule Least_le)
   3.345 +      ultimately have "\<exists>m'. find_start y w' = Some m' \<and> m' \<le> m" by blast }
   3.346 +    note find_start_mono = this[rotated]
   3.347 +
   3.348 +    def assign \<equiv> "\<lambda>y x z. let used = setsum (pp y) {..<x}
   3.349 +      in case find_start y used of None \<Rightarrow> 0
   3.350 +         | Some start \<Rightarrow> assign_aux y (setsum (rr y) {..start} - used) start (pp y x) z"
   3.351 +    hence assign_alt_def: "\<And>y x z. assign y x z = 
   3.352 +      (let used = setsum (pp y) {..<x}
   3.353 +       in case find_start y used of None \<Rightarrow> 0
   3.354 +          | Some start \<Rightarrow> assign_aux y (setsum (rr y) {..start} - used) start (pp y x) z)"
   3.355 +      by simp
   3.356 +    have assign_nonneg [simp]: "\<And>y x z. 0 \<le> assign y x z"
   3.357 +      by(simp add: assign_def diff_le_iff find_start_eq_Some_above split: option.split)
   3.358 +    have assign_eq_0_outside: "\<And>y x z. \<lbrakk> pp y x = 0 \<or> rr y z = 0 \<rbrakk> \<Longrightarrow> assign y x z = 0"
   3.359 +      by(auto simp add: assign_def assign_aux_eq_0_outside diff_le_iff find_start_eq_Some_above find_start_eq_Some_least setsum_nonneg split: option.split)
   3.360 +
   3.361 +    { fix y x z
   3.362 +      have "(\<Sum>n<Suc x. assign y n z) =
   3.363 +            (case find_start y (setsum (pp y) {..<x}) of None \<Rightarrow> rr y z
   3.364 +             | Some m \<Rightarrow> if z < m then rr y z 
   3.365 +                         else min (rr y z) (max 0 (setsum (pp y) {..<x} + pp y x - setsum (rr y) {..<z})))"
   3.366 +        (is "?lhs x = ?rhs x")
   3.367 +      proof(induction x)
   3.368 +        case 0 thus ?case 
   3.369 +          by(auto simp add: assign_def assign_aux_def setsum_head_upt_Suc atLeast0LessThan[symmetric] not_less field_simps max_def)
   3.370 +      next
   3.371 +        case (Suc x)
   3.372 +        have "?lhs (Suc x) = ?lhs x + assign y (Suc x) z" by simp
   3.373 +        also have "?lhs x = ?rhs x" by(rule Suc.IH)
   3.374 +        also have "?rhs x + assign y (Suc x) z = ?rhs (Suc x)"
   3.375 +        proof(cases "find_start y (setsum (pp y) {..<Suc x})")
   3.376 +          case None
   3.377 +          thus ?thesis
   3.378 +            by(auto split: option.split simp add: assign_def min_def max_def diff_le_iff setsum_nonneg not_le field_simps)
   3.379 +              (metis add.commute add_increasing find_start_def lessThan_Suc_atMost less_imp_le option.distinct(1) setsum_lessThan_Suc)+
   3.380 +        next
   3.381 +          case (Some m)
   3.382 +          have [simp]: "setsum (rr y) {..m} = rr y m + setsum (rr y) {..<m}"
   3.383 +            by(simp add: ivl_disj_un(2)[symmetric])
   3.384 +          from Some obtain m' where m': "find_start y (setsum (pp y) {..<x}) = Some m'" "m' \<le> m"
   3.385 +            by(auto dest: find_start_mono[where w'2="setsum (pp y) {..<x}"])
   3.386 +          moreover {
   3.387 +            assume "z < m"
   3.388 +            then have "setsum (rr y) {..z} \<le> setsum (rr y) {..<m}"
   3.389 +              by(auto intro: setsum_mono3)
   3.390 +            also have "\<dots> \<le> setsum (pp y) {..<Suc x}" using find_start_eq_Some_least[OF Some]
   3.391 +              by(simp add: ivl_disj_un(2)[symmetric] setsum_nonneg)
   3.392 +            finally have "rr y z \<le> max 0 (setsum (pp y) {..<x} + pp y x - setsum (rr y) {..<z})"
   3.393 +              by(auto simp add: ivl_disj_un(2)[symmetric] max_def diff_le_iff simp del: r_convs)
   3.394 +          } moreover {
   3.395 +            assume "m \<le> z"
   3.396 +            have "setsum (pp y) {..<Suc x} \<le> setsum (rr y) {..m}"
   3.397 +              using Some by(rule find_start_eq_Some_above)
   3.398 +            also have "\<dots> \<le> setsum (rr y) {..<Suc z}" using \<open>m \<le> z\<close> by(intro setsum_mono3) auto
   3.399 +            finally have "max 0 (setsum (pp y) {..<x} + pp y x - setsum (rr y) {..<z}) \<le> rr y z" by simp
   3.400 +            moreover have "z \<noteq> m \<Longrightarrow> setsum (rr y) {..m} + setsum (rr y) {Suc m..<z} = setsum (rr y) {..<z}"
   3.401 +              using \<open>m \<le> z\<close>
   3.402 +              by(subst ivl_disj_un(8)[where l="Suc m", symmetric])
   3.403 +                (simp_all add: setsum_Un ivl_disj_un(2)[symmetric] setsum.neutral)
   3.404 +            moreover note calculation
   3.405 +          } moreover {
   3.406 +            assume "m < z"
   3.407 +            have "setsum (pp y) {..<Suc x} \<le> setsum (rr y) {..m}"
   3.408 +              using Some by(rule find_start_eq_Some_above)
   3.409 +            also have "\<dots> \<le> setsum (rr y) {..<z}" using \<open>m < z\<close> by(intro setsum_mono3) auto
   3.410 +            finally have "max 0 (setsum (pp y) {..<Suc x} - setsum (rr y) {..<z}) = 0" by simp }
   3.411 +          moreover have "setsum (pp y) {..<Suc x} \<ge> setsum (rr y) {..<m}"
   3.412 +            using find_start_eq_Some_least[OF Some]
   3.413 +            by(simp add: setsum_nonneg ivl_disj_un(2)[symmetric])
   3.414 +          moreover hence "setsum (pp y) {..<Suc (Suc x)} \<ge> setsum (rr y) {..<m}"
   3.415 +            by(fastforce intro: order_trans)
   3.416 +          ultimately show ?thesis using Some
   3.417 +            by(auto simp add: assign_def assign_aux_def Let_def field_simps max_def)
   3.418 +        qed
   3.419 +        finally show ?case .
   3.420 +      qed }
   3.421 +    note setsum_assign = this
   3.422  
   3.423 -notepad
   3.424 -begin
   3.425 -  fix x y :: "nat \<Rightarrow> real"
   3.426 -  def IJz \<equiv> "rec_nat ((0, 0), \<lambda>_. 0) (\<lambda>n ((I, J), z).
   3.427 -    let a = x I - (\<Sum>j<J. z (I, j)) ; b = y J - (\<Sum>i<I. z (i, J)) in
   3.428 -      ((if a \<le> b then I + 1 else I, if b \<le> a then J + 1 else J), z((I, J) := min a b)))"
   3.429 -  def I == "fst \<circ> fst \<circ> IJz" def J == "snd \<circ> fst \<circ> IJz" def z == "snd \<circ> IJz"
   3.430 -  let ?a = "\<lambda>n. x (I n) - (\<Sum>j<J n. z n (I n, j))" and ?b = "\<lambda>n. y (J n) - (\<Sum>i<I n. z n (i, J n))"
   3.431 -  have IJz_0[simp]: "\<And>p. z 0 p = 0" "I 0 = 0" "J 0 = 0"
   3.432 -    by (simp_all add: I_def J_def z_def IJz_def)
   3.433 -  have z_Suc[simp]: "\<And>n. z (Suc n) = (z n)((I n, J n) := min (?a n) (?b n))"
   3.434 -    by (simp add: z_def I_def J_def IJz_def Let_def split_beta)
   3.435 -  have I_Suc[simp]: "\<And>n. I (Suc n) = (if ?a n \<le> ?b n then I n + 1 else I n)"
   3.436 -    by (simp add: z_def I_def J_def IJz_def Let_def split_beta)
   3.437 -  have J_Suc[simp]: "\<And>n. J (Suc n) = (if ?b n \<le> ?a n then J n + 1 else J n)"
   3.438 -    by (simp add: z_def I_def J_def IJz_def Let_def split_beta)
   3.439 -  
   3.440 -  { fix N have "\<And>p. z N p \<noteq> 0 \<Longrightarrow> \<exists>n<N. p = (I n, J n)"
   3.441 -      by (induct N) (auto simp add: less_Suc_eq split: split_if_asm) }
   3.442 -  
   3.443 -  { fix i n assume "i < I n"
   3.444 -    then have "(\<Sum>j. z n (i, j)) = x i" 
   3.445 -    oops
   3.446 -*)
   3.447 +    have nn_integral_assign1: "\<And>y z. (\<integral>\<^sup>+ x. assign y x z \<partial>count_space UNIV) = rr y z"
   3.448 +    proof -
   3.449 +      fix y z
   3.450 +      have "(\<integral>\<^sup>+ x. assign y x z \<partial>count_space UNIV) = (SUP n. ereal (\<Sum>x<n. assign y x z))"
   3.451 +        by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
   3.452 +      also have "\<dots> = rr y z"
   3.453 +      proof(rule antisym)
   3.454 +        show "(SUP n. ereal (\<Sum>x<n. assign y x z)) \<le> rr y z"
   3.455 +        proof(rule SUP_least)
   3.456 +          fix n
   3.457 +          show "ereal (\<Sum>x<n. (assign y x z)) \<le> rr y z"
   3.458 +            using setsum_assign[of y z "n - 1"]
   3.459 +            by(cases n)(simp_all split: option.split)
   3.460 +        qed
   3.461 +        show "rr y z \<le> (SUP n. ereal (\<Sum>x<n. assign y x z))"
   3.462 +        proof(cases "setsum (rr y) {..z} < \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV")
   3.463 +          case True
   3.464 +          then obtain n where "setsum (rr y) {..z} < setsum (pp y) {..<n}"
   3.465 +            by(auto simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP less_SUP_iff)
   3.466 +          moreover have "\<And>k. k < z \<Longrightarrow> setsum (rr y) {..k} \<le> setsum (rr y) {..<z}"
   3.467 +            by(auto intro: setsum_mono3)
   3.468 +          ultimately have "rr y z \<le> (\<Sum>x<Suc n. assign y x z)"
   3.469 +            by(subst setsum_assign)(auto split: option.split dest!: find_start_eq_Some_above simp add: ivl_disj_un(2)[symmetric] add.commute add_increasing le_diff_eq le_max_iff_disj)
   3.470 +          also have "\<dots> \<le> (SUP n. ereal (\<Sum>x<n. assign y x z))" 
   3.471 +            by(rule SUP_upper) simp
   3.472 +          finally show ?thesis by simp
   3.473 +        next
   3.474 +          case False
   3.475 +          have "setsum (rr y) {..z} = \<integral>\<^sup>+ z. rr y z \<partial>count_space {..z}"
   3.476 +            by(simp add: nn_integral_count_space_finite max_def)
   3.477 +          also have "\<dots> \<le> \<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV"
   3.478 +            by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_mono)
   3.479 +          also have "\<dots> = \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV" by(simp add: eq)
   3.480 +          finally have *: "setsum (rr y) {..z} = \<dots>" using False by simp
   3.481 +          also have "\<dots> = (SUP n. ereal (\<Sum>x<n. pp y x))"
   3.482 +            by(simp add: nn_integral_count_space_nat suminf_ereal_eq_SUP)
   3.483 +          also have "\<dots> \<le> (SUP n. ereal (\<Sum>x<n. assign y x z)) + setsum (rr y) {..<z}"
   3.484 +          proof(rule SUP_least)
   3.485 +            fix n
   3.486 +            have "setsum (pp y) {..<n} = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..<n}"
   3.487 +              by(simp add: nn_integral_count_space_finite max_def)
   3.488 +            also have "\<dots> \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
   3.489 +              by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_mono)
   3.490 +            also have "\<dots> = setsum (rr y) {..z}" using * by simp
   3.491 +            finally obtain k where k: "find_start y (setsum (pp y) {..<n}) = Some k"
   3.492 +              by(fastforce simp add: find_start_def)
   3.493 +            with \<open>ereal (setsum (pp y) {..<n}) \<le> setsum (rr y) {..z}\<close>
   3.494 +            have "k \<le> z" by(auto simp add: find_start_def split: split_if_asm intro: Least_le)
   3.495 +            then have "setsum (pp y) {..<n} - setsum (rr y) {..<z} \<le> ereal (\<Sum>x<Suc n. assign y x z)"
   3.496 +              using \<open>ereal (setsum (pp y) {..<n}) \<le> setsum (rr y) {..z}\<close>
   3.497 +              by(subst setsum_assign)(auto simp add: field_simps max_def k ivl_disj_un(2)[symmetric], metis le_add_same_cancel2 max.bounded_iff max_def pos_p)
   3.498 +            also have "\<dots> \<le> (SUP n. ereal (\<Sum>x<n. assign y x z))"
   3.499 +              by(rule SUP_upper) simp
   3.500 +            finally show "ereal (\<Sum>x<n. pp y x) \<le> \<dots> + setsum (rr y) {..<z}" 
   3.501 +              by(simp add: ereal_minus(1)[symmetric] ereal_minus_le del: ereal_minus(1))
   3.502 +          qed
   3.503 +          finally show ?thesis
   3.504 +            by(simp add: ivl_disj_un(2)[symmetric] plus_ereal.simps(1)[symmetric] ereal_add_le_add_iff2 del: plus_ereal.simps(1))
   3.505 +        qed
   3.506 +      qed
   3.507 +      finally show "?thesis y z" .
   3.508 +    qed
   3.509 +
   3.510 +    { fix y x
   3.511 +      have "(\<integral>\<^sup>+ z. assign y x z \<partial>count_space UNIV) = pp y x"
   3.512 +      proof(cases "setsum (pp y) {..<x} = \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV")
   3.513 +        case False
   3.514 +        let ?used = "setsum (pp y) {..<x}"
   3.515 +        have "?used = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..<x}"
   3.516 +          by(simp add: nn_integral_count_space_finite max_def)
   3.517 +        also have "\<dots> \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
   3.518 +          by(auto simp add: nn_integral_count_space_indicator indicator_def intro!: nn_integral_mono)
   3.519 +        finally have "?used < \<dots>" using False by auto
   3.520 +        also note eq finally have "?used \<in> dom (find_start y)" by(rule in_dom_find_startI)
   3.521 +        then obtain k where k: "find_start y ?used = Some k" by auto
   3.522 +        let ?f = "\<lambda>z. if z < k then 0 else if z = k then setsum (rr y) {..k} - ?used else rr y z"
   3.523 +        let ?g = "\<lambda>x'. if x' < x then 0 else pp y x'"
   3.524 +        have "pp y x = ?g x" by simp
   3.525 +        also have "?g x \<le> \<integral>\<^sup>+ x'. ?g x' \<partial>count_space UNIV" by(rule nn_integral_ge_point) simp
   3.526 +        also {
   3.527 +          have "?used = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..<x}"
   3.528 +            by(simp add: nn_integral_count_space_finite max_def)
   3.529 +          also have "\<dots> = \<integral>\<^sup>+ x'. (if x' < x then pp y x' else 0) \<partial>count_space UNIV"
   3.530 +            by(simp add: nn_integral_count_space_indicator indicator_def if_distrib zero_ereal_def cong: if_cong)
   3.531 +          also have "(\<integral>\<^sup>+ x'. ?g x' \<partial>count_space UNIV) + \<dots> = \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
   3.532 +            by(subst nn_integral_add[symmetric])(auto intro: nn_integral_cong)
   3.533 +          also note calculation }
   3.534 +        ultimately have "ereal (pp y x) + ?used \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
   3.535 +          by (metis (no_types, lifting) ereal_add_mono order_refl)
   3.536 +        also note eq
   3.537 +        also have "(\<integral>\<^sup>+ z. rr y z \<partial>count_space UNIV) = (\<integral>\<^sup>+ z. ?f z \<partial>count_space UNIV) + (\<integral>\<^sup>+ z. (if z < k then rr y z else if z = k then ?used - setsum (rr y) {..<k} else 0) \<partial>count_space UNIV)"
   3.538 +          using k by(subst nn_integral_add[symmetric])(auto intro!: nn_integral_cong simp add: ivl_disj_un(2)[symmetric] setsum_nonneg dest: find_start_eq_Some_least find_start_eq_Some_above)
   3.539 +        also have "(\<integral>\<^sup>+ z. (if z < k then rr y z else if z = k then ?used - setsum (rr y) {..<k} else 0) \<partial>count_space UNIV) =
   3.540 +          (\<integral>\<^sup>+ z. (if z < k then rr y z else if z = k then ?used - setsum (rr y) {..<k} else 0) \<partial>count_space {..k})"
   3.541 +          by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_cong)
   3.542 +        also have "\<dots> = ?used" 
   3.543 +          using k by(auto simp add: nn_integral_count_space_finite max_def ivl_disj_un(2)[symmetric] diff_le_iff setsum_nonneg dest: find_start_eq_Some_least)
   3.544 +        finally have "pp y x \<le> (\<integral>\<^sup>+ z. ?f z \<partial>count_space UNIV)"
   3.545 +          by(cases "\<integral>\<^sup>+ z. ?f z \<partial>count_space UNIV") simp_all
   3.546 +        then show ?thesis using k
   3.547 +          by(simp add: assign_def nn_integral_assign_aux diff_le_iff find_start_eq_Some_above min_def)
   3.548 +      next
   3.549 +        case True
   3.550 +        have "setsum (pp y) {..x} = \<integral>\<^sup>+ x. pp y x \<partial>count_space {..x}"
   3.551 +          by(simp add: nn_integral_count_space_finite max_def)
   3.552 +        also have "\<dots> \<le> \<integral>\<^sup>+ x. pp y x \<partial>count_space UNIV"
   3.553 +          by(auto simp add: nn_integral_count_space_indicator indicator_def intro: nn_integral_mono)
   3.554 +        also have "\<dots> = setsum (pp y) {..<x}" by(simp add: True)
   3.555 +        finally have "pp y x = 0" by(simp add: ivl_disj_un(2)[symmetric] eq_iff del: pp_convs)
   3.556 +        thus ?thesis
   3.557 +          by(cases "find_start y (setsum (pp y) {..<x})")(simp_all add: assign_def diff_le_iff find_start_eq_Some_above)
   3.558 +      qed }
   3.559 +    note nn_integral_assign2 = this
   3.560 +
   3.561 +    let ?f = "\<lambda>y x z. if x \<in> ?A y \<and> z \<in> ?B y then assign y (?P y x) (?R y z) else 0"
   3.562 +    def f \<equiv> "\<lambda>y x z. ereal (?f y x z)"
   3.563 +
   3.564 +    have pos: "\<And>y x z. 0 \<le> f y x z" by(simp add: f_def)
   3.565 +    { fix y x z
   3.566 +      have "f y x z \<le> 0 \<longleftrightarrow> f y x z = 0" using pos[of y x z] by simp }
   3.567 +    note f [simp] = this
   3.568 +    have support:
   3.569 +      "\<And>x y z. (x, y) \<notin> set_pmf pq \<Longrightarrow> f y x z = 0"
   3.570 +      "\<And>x y z. (y, z) \<notin> set_pmf qr \<Longrightarrow> f y x z = 0"
   3.571 +      by(auto simp add: f_def)
   3.572 +
   3.573 +    from pos support have support':
   3.574 +      "\<And>x z. x \<notin> set_pmf p \<Longrightarrow> (\<integral>\<^sup>+ y. f y x z \<partial>count_space UNIV) = 0"
   3.575 +      "\<And>x z. z \<notin> set_pmf r \<Longrightarrow> (\<integral>\<^sup>+ y. f y x z \<partial>count_space UNIV) = 0"
   3.576 +    and support'':
   3.577 +      "\<And>x y z. x \<notin> set_pmf p \<Longrightarrow> f y x z = 0"
   3.578 +      "\<And>x y z. y \<notin> set_pmf q \<Longrightarrow> f y x z = 0"
   3.579 +      "\<And>x y z. z \<notin> set_pmf r \<Longrightarrow> f y x z = 0"
   3.580 +      by(auto simp add: nn_integral_0_iff_AE AE_count_space p q r set_map_pmf image_iff)(metis fst_conv snd_conv)+
   3.581 +
   3.582 +    have f_x: "\<And>y z. (\<integral>\<^sup>+ x. f y x z \<partial>count_space (set_pmf p)) = pmf qr (y, z)"
   3.583 +    proof(case_tac "z \<in> ?B y")
   3.584 +      fix y z
   3.585 +      assume z: "z \<in> ?B y"
   3.586 +      have "(\<integral>\<^sup>+ x. f y x z \<partial>count_space (set_pmf p)) = (\<integral>\<^sup>+ x. ?f y x z \<partial>count_space (?A y))"
   3.587 +        using support''(1)[of _ y z]
   3.588 +        by(fastforce simp add: f_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
   3.589 +      also have "\<dots> = \<integral>\<^sup>+ x. assign y (?P y x) (?R y z) \<partial>count_space (?A y)"
   3.590 +        using z by(intro nn_integral_cong) simp
   3.591 +      also have "\<dots> = \<integral>\<^sup>+ x. assign y x (?R y z) \<partial>count_space (?P y ` ?A y)"
   3.592 +        by(intro nn_integral_bij_count_space inj_on_imp_bij_betw inj_on_to_nat_on) simp
   3.593 +      also have "\<dots> = \<integral>\<^sup>+ x. assign y x (?R y z) \<partial>count_space UNIV"
   3.594 +        by(auto simp add: nn_integral_count_space_indicator indicator_def assign_eq_0_outside pp_def intro!: nn_integral_cong)
   3.595 +      also have "\<dots> = rr y (?R y z)" by(rule nn_integral_assign1)
   3.596 +      also have "\<dots> = pmf qr (y, z)" using z by(simp add: rr_def)
   3.597 +      finally show "?thesis y z" .
   3.598 +    qed(auto simp add: f_def zero_ereal_def[symmetric] set_pmf_iff)
   3.599 +
   3.600 +    have f_z: "\<And>x y. (\<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r)) = pmf pq (x, y)"
   3.601 +    proof(case_tac "x \<in> ?A y")
   3.602 +      fix x y
   3.603 +      assume x: "x \<in> ?A y"
   3.604 +      have "(\<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r)) = (\<integral>\<^sup>+ z. ?f y x z \<partial>count_space (?B y))"
   3.605 +        using support''(3)[of _ y x]
   3.606 +        by(fastforce simp add: f_def nn_integral_count_space_indicator indicator_def intro!: nn_integral_cong)
   3.607 +      also have "\<dots> = \<integral>\<^sup>+ z. assign y (?P y x) (?R y z) \<partial>count_space (?B y)"
   3.608 +        using x by(intro nn_integral_cong) simp
   3.609 +      also have "\<dots> = \<integral>\<^sup>+ z. assign y (?P y x) z \<partial>count_space (?R y ` ?B y)"
   3.610 +        by(intro nn_integral_bij_count_space inj_on_imp_bij_betw inj_on_to_nat_on) simp
   3.611 +      also have "\<dots> = \<integral>\<^sup>+ z. assign y (?P y x) z \<partial>count_space UNIV"
   3.612 +        by(auto simp add: nn_integral_count_space_indicator indicator_def assign_eq_0_outside rr_def intro!: nn_integral_cong)
   3.613 +      also have "\<dots> = pp y (?P y x)" by(rule nn_integral_assign2)
   3.614 +      also have "\<dots> = pmf pq (x, y)" using x by(simp add: pp_def)
   3.615 +      finally show "?thesis x y" .
   3.616 +    qed(auto simp add: f_def zero_ereal_def[symmetric] set_pmf_iff)
   3.617 +
   3.618 +    let ?pr = "\<lambda>(x, z). \<integral>\<^sup>+ y. f y x z \<partial>count_space UNIV"
   3.619 +
   3.620 +    have pr_pos: "\<And>xz. 0 \<le> ?pr xz"
   3.621 +      by(auto simp add: nn_integral_nonneg)
   3.622 +
   3.623 +    have pr': "?pr = (\<lambda>(x, z). \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q))"
   3.624 +      by(auto simp add: fun_eq_iff nn_integral_count_space_indicator indicator_def support'' intro: nn_integral_cong)
   3.625 +    
   3.626 +    have "(\<integral>\<^sup>+ xz. ?pr xz \<partial>count_space UNIV) = (\<integral>\<^sup>+ xz. ?pr xz * indicator (set_pmf p \<times> set_pmf r) xz \<partial>count_space UNIV)"
   3.627 +      by(rule nn_integral_cong)(auto simp add: indicator_def support' intro: ccontr)
   3.628 +    also have "\<dots> = (\<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (set_pmf p \<times> set_pmf r))"
   3.629 +      by(simp add: nn_integral_count_space_indicator)
   3.630 +    also have "\<dots> = (\<integral>\<^sup>+ xz. ?pr xz \<partial>(count_space (set_pmf p) \<Otimes>\<^sub>M count_space (set_pmf r)))"
   3.631 +      by(simp add: pair_measure_countable)
   3.632 +    also have "\<dots> = (\<integral>\<^sup>+ (x, z). \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>(count_space (set_pmf p) \<Otimes>\<^sub>M count_space (set_pmf r)))"
   3.633 +      by(simp add: pr')
   3.634 +    also have "\<dots> = (\<integral>\<^sup>+ x. \<integral>\<^sup>+ z. \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf r) \<partial>count_space (set_pmf p))"
   3.635 +      by(subst sigma_finite_measure.nn_integral_fst[symmetric, OF sigma_finite_measure_count_space_countable])(simp_all add: pair_measure_countable)
   3.636 +    also have "\<dots> = (\<integral>\<^sup>+ x. \<integral>\<^sup>+ y. \<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r) \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf p))"
   3.637 +      by(subst (2) pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
   3.638 +    also have "\<dots> = (\<integral>\<^sup>+ x. \<integral>\<^sup>+ y. pmf pq (x, y) \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf p))"
   3.639 +      by(simp add: f_z)
   3.640 +    also have "\<dots> = (\<integral>\<^sup>+ y. \<integral>\<^sup>+ x. pmf pq (x, y) \<partial>count_space (set_pmf p) \<partial>count_space (set_pmf q))"
   3.641 +      by(subst pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
   3.642 +    also have "\<dots> = (\<integral>\<^sup>+ y. \<integral>\<^sup>+ x. emeasure (measure_pmf pq) {(x, y)} \<partial>count_space (set_pmf p) \<partial>count_space (set_pmf q))"
   3.643 +      by(simp add: emeasure_pmf_single)
   3.644 +    also have "\<dots> = (\<integral>\<^sup>+ y. emeasure (measure_pmf pq) (\<Union>x\<in>set_pmf p. {(x, y)}) \<partial>count_space (set_pmf q))"
   3.645 +      by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
   3.646 +    also have "\<dots> = (\<integral>\<^sup>+ y. emeasure (measure_pmf pq) ((\<Union>x\<in>set_pmf p. {(x, y)}) \<union> {(x, y'). x \<notin> set_pmf p \<and> y' = y}) \<partial>count_space (set_pmf q))"
   3.647 +      by(rule nn_integral_cong emeasure_Un_null_set[symmetric])+
   3.648 +        (auto simp add: p set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
   3.649 +    also have "\<dots> = (\<integral>\<^sup>+ y. emeasure (measure_pmf pq) (snd -` {y}) \<partial>count_space (set_pmf q))"
   3.650 +      by(rule nn_integral_cong arg_cong2[where f=emeasure])+auto
   3.651 +    also have "\<dots> = (\<integral>\<^sup>+ y. pmf q y \<partial>count_space (set_pmf q))"
   3.652 +      by(simp add: ereal_pmf_map q)
   3.653 +    also have "\<dots> = (\<integral>\<^sup>+ y. pmf q y \<partial>count_space UNIV)"
   3.654 +      by(auto simp add: nn_integral_count_space_indicator indicator_def set_pmf_iff intro: nn_integral_cong)
   3.655 +    also have "\<dots> = 1"
   3.656 +      by(subst nn_integral_pmf)(simp add: measure_pmf.emeasure_eq_1_AE)
   3.657 +    finally have pr_prob: "(\<integral>\<^sup>+ xz. ?pr xz \<partial>count_space UNIV) = 1" .
   3.658 +
   3.659 +    have pr_bounded: "\<And>xz. ?pr xz \<noteq> \<infinity>"
   3.660 +    proof -
   3.661 +      fix xz
   3.662 +      have "?pr xz \<le> \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space UNIV"
   3.663 +        by(rule nn_integral_ge_point) simp
   3.664 +      also have "\<dots> = 1" by(fact pr_prob)
   3.665 +      finally show "?thesis xz" by auto
   3.666 +    qed
   3.667 +
   3.668 +    def pr \<equiv> "embed_pmf (real \<circ> ?pr)"
   3.669 +    have pmf_pr: "\<And>xz. pmf pr xz = real (?pr xz)" using pr_pos pr_prob
   3.670 +      unfolding pr_def by(subst pmf_embed_pmf)(auto simp add: real_of_ereal_pos ereal_real pr_bounded)
   3.671 +
   3.672 +    have set_pmf_pr_subset: "set_pmf pr \<subseteq> set_pmf pq O set_pmf qr"
   3.673 +    proof
   3.674 +      fix xz :: "'a \<times> 'c"
   3.675 +      obtain x z where xz: "xz = (x, z)" by(cases xz)
   3.676 +      assume "xz \<in> set_pmf pr"
   3.677 +      with xz have "pmf pr (x, z) \<noteq> 0" by(simp add: set_pmf_iff)
   3.678 +      hence "\<exists>y. f y x z \<noteq> 0" by(rule contrapos_np)(simp add: pmf_pr)
   3.679 +      then obtain y where y: "f y x z \<noteq> 0" ..
   3.680 +      then have "(x, y) \<in> set_pmf pq" "(y, z) \<in> set_pmf qr" 
   3.681 +        using support by fastforce+
   3.682 +      then show "xz \<in> set_pmf pq O set_pmf qr" using xz by auto
   3.683 +    qed
   3.684 +    hence "\<And>x z. (x, z) \<in> set_pmf pr \<Longrightarrow> (R OO S) x z" using pq qr by blast
   3.685 +    moreover
   3.686 +    have "map_pmf fst pr = p"
   3.687 +    proof(rule pmf_eqI)
   3.688 +      fix x
   3.689 +      have "pmf (map_pmf fst pr) x = emeasure (measure_pmf pr) (fst -` {x})"
   3.690 +        by(simp add: ereal_pmf_map)
   3.691 +      also have "\<dots> = \<integral>\<^sup>+ xz. pmf pr xz \<partial>count_space (fst -` {x})"
   3.692 +        by(simp add: nn_integral_pmf)
   3.693 +      also have "\<dots> = \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (fst -` {x})"
   3.694 +        by(simp add: pmf_pr ereal_real pr_bounded pr_pos)
   3.695 +      also have "\<dots> =  \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space {x} \<Otimes>\<^sub>M count_space (set_pmf r)"
   3.696 +        by(auto simp add: nn_integral_count_space_indicator indicator_def support' pair_measure_countable intro!: nn_integral_cong)
   3.697 +      also have "\<dots> = \<integral>\<^sup>+ z. \<integral>\<^sup>+ x. ?pr (x, z) \<partial>count_space {x} \<partial>count_space (set_pmf r)"
   3.698 +        by(subst pair_sigma_finite.nn_integral_snd[symmetric])(simp_all add: pair_measure_countable pair_sigma_finite.intro sigma_finite_measure_count_space_countable)
   3.699 +      also have "\<dots> = \<integral>\<^sup>+ z. ?pr (x, z) \<partial>count_space (set_pmf r)"
   3.700 +        using pr_pos by(clarsimp simp add: nn_integral_count_space_finite max_def)
   3.701 +      also have "\<dots> = \<integral>\<^sup>+ z. \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf r)"
   3.702 +        by(simp add: pr')
   3.703 +      also have "\<dots> =  \<integral>\<^sup>+ y. \<integral>\<^sup>+ z. f y x z \<partial>count_space (set_pmf r) \<partial>count_space (set_pmf q)"
   3.704 +        by(subst pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
   3.705 +      also have "\<dots> = \<integral>\<^sup>+ y. pmf pq (x, y) \<partial>count_space (set_pmf q)"
   3.706 +        by(simp add: f_z)
   3.707 +      also have "\<dots> = \<integral>\<^sup>+ y. emeasure (measure_pmf pq) {(x, y)} \<partial>count_space (set_pmf q)"
   3.708 +        by(simp add: emeasure_pmf_single)
   3.709 +      also have "\<dots> = emeasure (measure_pmf pq) (\<Union>y\<in>set_pmf q. {(x, y)})"
   3.710 +        by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
   3.711 +      also have "\<dots> = emeasure (measure_pmf pq) ((\<Union>y\<in>set_pmf q. {(x, y)}) \<union> {(x', y). y \<notin> set_pmf q \<and> x' = x})"
   3.712 +        by(rule emeasure_Un_null_set[symmetric])+
   3.713 +          (auto simp add: q set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
   3.714 +      also have "\<dots> = emeasure (measure_pmf pq) (fst -` {x})"
   3.715 +        by(rule arg_cong2[where f=emeasure])+auto
   3.716 +      also have "\<dots> = pmf p x" by(simp add: ereal_pmf_map p)
   3.717 +      finally show "pmf (map_pmf fst pr) x = pmf p x" by simp
   3.718 +    qed
   3.719 +    moreover
   3.720 +    have "map_pmf snd pr = r"
   3.721 +    proof(rule pmf_eqI)
   3.722 +      fix z
   3.723 +      have "pmf (map_pmf snd pr) z = emeasure (measure_pmf pr) (snd -` {z})"
   3.724 +        by(simp add: ereal_pmf_map)
   3.725 +      also have "\<dots> = \<integral>\<^sup>+ xz. pmf pr xz \<partial>count_space (snd -` {z})"
   3.726 +        by(simp add: nn_integral_pmf)
   3.727 +      also have "\<dots> = \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (snd -` {z})"
   3.728 +        by(simp add: pmf_pr ereal_real pr_bounded pr_pos)
   3.729 +      also have "\<dots> =  \<integral>\<^sup>+ xz. ?pr xz \<partial>count_space (set_pmf p) \<Otimes>\<^sub>M count_space {z}"
   3.730 +        by(auto simp add: nn_integral_count_space_indicator indicator_def support' pair_measure_countable intro!: nn_integral_cong)
   3.731 +      also have "\<dots> = \<integral>\<^sup>+ x. \<integral>\<^sup>+ z. ?pr (x, z) \<partial>count_space {z} \<partial>count_space (set_pmf p)"
   3.732 +        by(subst sigma_finite_measure.nn_integral_fst[symmetric])(simp_all add: pair_measure_countable sigma_finite_measure_count_space_countable)
   3.733 +      also have "\<dots> = \<integral>\<^sup>+ x. ?pr (x, z) \<partial>count_space (set_pmf p)"
   3.734 +        using pr_pos by(clarsimp simp add: nn_integral_count_space_finite max_def)
   3.735 +      also have "\<dots> = \<integral>\<^sup>+ x. \<integral>\<^sup>+ y. f y x z \<partial>count_space (set_pmf q) \<partial>count_space (set_pmf p)"
   3.736 +        by(simp add: pr')
   3.737 +      also have "\<dots> =  \<integral>\<^sup>+ y. \<integral>\<^sup>+ x. f y x z \<partial>count_space (set_pmf p) \<partial>count_space (set_pmf q)"
   3.738 +        by(subst pair_sigma_finite.Fubini')(simp_all add: pair_sigma_finite.intro sigma_finite_measure_count_space_countable pair_measure_countable)
   3.739 +      also have "\<dots> = \<integral>\<^sup>+ y. pmf qr (y, z) \<partial>count_space (set_pmf q)"
   3.740 +        by(simp add: f_x)
   3.741 +      also have "\<dots> = \<integral>\<^sup>+ y. emeasure (measure_pmf qr) {(y, z)} \<partial>count_space (set_pmf q)"
   3.742 +        by(simp add: emeasure_pmf_single)
   3.743 +      also have "\<dots> = emeasure (measure_pmf qr) (\<Union>y\<in>set_pmf q. {(y, z)})"
   3.744 +        by(subst emeasure_UN_countable)(simp_all add: disjoint_family_on_def)
   3.745 +      also have "\<dots> = emeasure (measure_pmf qr) ((\<Union>y\<in>set_pmf q. {(y, z)}) \<union> {(y, z'). y \<notin> set_pmf q \<and> z' = z})"
   3.746 +        by(rule emeasure_Un_null_set[symmetric])+
   3.747 +          (auto simp add: q' set_map_pmf split_beta intro!: in_null_sets_measure_pmfI intro: rev_image_eqI)
   3.748 +      also have "\<dots> = emeasure (measure_pmf qr) (snd -` {z})"
   3.749 +        by(rule arg_cong2[where f=emeasure])+auto
   3.750 +      also have "\<dots> = pmf r z" by(simp add: ereal_pmf_map r)
   3.751 +      finally show "pmf (map_pmf snd pr) z = pmf r z" by simp
   3.752 +    qed
   3.753 +    ultimately have "rel_pmf (R OO S) p r" .. }
   3.754 +  then show "rel_pmf R OO rel_pmf S \<le> rel_pmf (R OO S)"
   3.755 +    by(auto simp add: le_fun_def)
   3.756 +qed (fact natLeq_card_order natLeq_cinfinite)+
   3.757  
   3.758  end
   3.759