new theory of red-black trees, an efficient implementation of finite maps.
authorkrauss
Mon Mar 03 14:03:19 2008 +0100 (2008-03-03)
changeset 2619252617dca8386
parent 26191 ae537f315b34
child 26193 37a7eb7fd5f7
new theory of red-black trees, an efficient implementation of finite maps.
src/HOL/IsaMakefile
src/HOL/Library/Library.thy
src/HOL/Library/RBT.thy
     1.1 --- a/src/HOL/IsaMakefile	Sun Mar 02 15:02:06 2008 +0100
     1.2 +++ b/src/HOL/IsaMakefile	Mon Mar 03 14:03:19 2008 +0100
     1.3 @@ -235,7 +235,7 @@
     1.4    Library/Abstract_Rat.thy Library/Univ_Poly.thy\
     1.5    Library/Numeral_Type.thy Library/Boolean_Algebra.thy Library/Countable.thy \
     1.6    Library/RType.thy Library/Heap.thy Library/Heap_Monad.thy Library/Array.thy \
     1.7 -  Library/Ref.thy Library/Imperative_HOL.thy
     1.8 +  Library/Ref.thy Library/Imperative_HOL.thy Library/RBT.thy
     1.9  	@cd Library; $(ISATOOL) usedir $(OUT)/HOL Library
    1.10  
    1.11  
     2.1 --- a/src/HOL/Library/Library.thy	Sun Mar 02 15:02:06 2008 +0100
     2.2 +++ b/src/HOL/Library/Library.thy	Mon Mar 03 14:03:19 2008 +0100
     2.3 @@ -38,6 +38,7 @@
     2.4    Quicksort
     2.5    Quotient
     2.6    Ramsey
     2.7 +  RBT
     2.8    State_Monad
     2.9    Univ_Poly
    2.10    While_Combinator
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/src/HOL/Library/RBT.thy	Mon Mar 03 14:03:19 2008 +0100
     3.3 @@ -0,0 +1,1041 @@
     3.4 +(*  Title:      RBT.thy
     3.5 +    ID:         $Id$
     3.6 +    Author:     Markus Reiter, TU Muenchen
     3.7 +    Author:     Alexander Krauss, TU Muenchen
     3.8 +*)
     3.9 +
    3.10 +header {* Red-Black Trees *}
    3.11 +
    3.12 +(*<*)
    3.13 +theory RBT
    3.14 +imports Main AssocList
    3.15 +begin
    3.16 +
    3.17 +datatype color = R | B
    3.18 +datatype ('a,'b)"rbt" = Empty | Tr color "('a,'b)rbt" 'a 'b "('a,'b)rbt"
    3.19 +
    3.20 +(* Suchbaum-Eigenschaften *)
    3.21 +
    3.22 +primrec
    3.23 +  pin_tree :: "'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> bool"
    3.24 +where
    3.25 +  "pin_tree k v Empty = False"
    3.26 +| "pin_tree k v (Tr c l x y r) = (k = x \<and> v = y \<or> pin_tree k v l \<or> pin_tree k v r)"
    3.27 +
    3.28 +primrec
    3.29 +  keys :: "('k,'v) rbt \<Rightarrow> 'k set"
    3.30 +where
    3.31 +  "keys Empty = {}"
    3.32 +| "keys (Tr _ l k _ r) = { k } \<union> keys l \<union> keys r"
    3.33 +
    3.34 +lemma pint_keys: "pin_tree k v t \<Longrightarrow> k \<in> keys t" by (induct t) auto
    3.35 +
    3.36 +primrec tlt :: "'a\<Colon>order \<Rightarrow> ('a,'b) rbt \<Rightarrow> bool"
    3.37 +where
    3.38 +  "tlt k Empty = True"
    3.39 +| "tlt k (Tr c lt kt v rt) = (kt < k \<and> tlt k lt \<and> tlt k rt)"
    3.40 +
    3.41 +abbreviation tllt (infix "|\<guillemotleft>" 50)
    3.42 +where "t |\<guillemotleft> x == tlt x t"
    3.43 +
    3.44 +primrec tgt :: "'a\<Colon>order \<Rightarrow> ('a,'b) rbt \<Rightarrow> bool" (infix "\<guillemotleft>|" 50) 
    3.45 +where
    3.46 +  "tgt k Empty = True"
    3.47 +| "tgt k (Tr c lt kt v rt) = (k < kt \<and> tgt k lt \<and> tgt k rt)"
    3.48 +
    3.49 +lemma tlt_prop: "(t |\<guillemotleft> k) = (\<forall>x\<in>keys t. x < k)" by (induct t) auto
    3.50 +lemma tgt_prop: "(k \<guillemotleft>| t) = (\<forall>x\<in>keys t. k < x)" by (induct t) auto
    3.51 +lemmas tlgt_props = tlt_prop tgt_prop
    3.52 +
    3.53 +lemmas tgt_nit = tgt_prop pint_keys
    3.54 +lemmas tlt_nit = tlt_prop pint_keys
    3.55 +
    3.56 +lemma tlt_trans: "\<lbrakk> t |\<guillemotleft> x; x < y \<rbrakk> \<Longrightarrow> t |\<guillemotleft> y"
    3.57 +  and tgt_trans: "\<lbrakk> x < y; y \<guillemotleft>| t\<rbrakk> \<Longrightarrow> x \<guillemotleft>| t"
    3.58 +by (auto simp: tlgt_props)
    3.59 +
    3.60 +
    3.61 +primrec st :: "('a::linorder, 'b) rbt \<Rightarrow> bool"
    3.62 +where
    3.63 +  "st Empty = True"
    3.64 +| "st (Tr c l k v r) = (l |\<guillemotleft> k \<and> k \<guillemotleft>| r \<and> st l \<and> st r)"
    3.65 +
    3.66 +primrec map_of :: "('a\<Colon>linorder, 'b) rbt \<Rightarrow> 'a \<rightharpoonup> 'b"
    3.67 +where
    3.68 +  "map_of Empty k = None"
    3.69 +| "map_of (Tr _ l x y r) k = (if k < x then map_of l k else if x < k then map_of r k else Some y)"
    3.70 +
    3.71 +lemma map_of_tlt[simp]: "t |\<guillemotleft> k \<Longrightarrow> map_of t k = None" 
    3.72 +by (induct t) auto
    3.73 +
    3.74 +lemma map_of_tgt[simp]: "k \<guillemotleft>| t \<Longrightarrow> map_of t k = None"
    3.75 +by (induct t) auto
    3.76 +
    3.77 +lemma mapof_keys: "st t \<Longrightarrow> dom (map_of t) = keys t"
    3.78 +by (induct t) (auto simp: dom_def tgt_prop tlt_prop)
    3.79 +
    3.80 +lemma mapof_pit: "st t \<Longrightarrow> (map_of t k = Some v) = pin_tree k v t"
    3.81 +by (induct t) (auto simp: tlt_prop tgt_prop pint_keys)
    3.82 +
    3.83 +lemma map_of_Empty: "map_of Empty = empty"
    3.84 +by (rule ext) simp
    3.85 +
    3.86 +(* a kind of extensionality *)
    3.87 +lemma mapof_from_pit: 
    3.88 +  assumes st: "st t1" "st t2" 
    3.89 +  and eq: "\<And>v. pin_tree (k\<Colon>'a\<Colon>linorder) v t1 = pin_tree k v t2" 
    3.90 +  shows "map_of t1 k = map_of t2 k"
    3.91 +proof (cases "map_of t1 k")
    3.92 +  case None
    3.93 +  then have "\<And>v. \<not> pin_tree k v t1"
    3.94 +    by (simp add: mapof_pit[symmetric] st)
    3.95 +  with None show ?thesis
    3.96 +    by (cases "map_of t2 k") (auto simp: mapof_pit st eq)
    3.97 +next
    3.98 +  case (Some a)
    3.99 +  then show ?thesis
   3.100 +    apply (cases "map_of t2 k")
   3.101 +    apply (auto simp: mapof_pit st eq)
   3.102 +    by (auto simp add: mapof_pit[symmetric] st Some)
   3.103 +qed
   3.104 +
   3.105 +subsection {* Red-black properties *}
   3.106 +
   3.107 +primrec treec :: "('a,'b) rbt \<Rightarrow> color"
   3.108 +where
   3.109 +  "treec Empty = B"
   3.110 +| "treec (Tr c _ _ _ _) = c"
   3.111 +
   3.112 +primrec inv1 :: "('a,'b) rbt \<Rightarrow> bool"
   3.113 +where
   3.114 +  "inv1 Empty = True"
   3.115 +| "inv1 (Tr c lt k v rt) = (inv1 lt \<and> inv1 rt \<and> (c = B \<or> treec lt = B \<and> treec rt = B))"
   3.116 +
   3.117 +(* Weaker version *)
   3.118 +primrec inv1l :: "('a,'b) rbt \<Rightarrow> bool"
   3.119 +where
   3.120 +  "inv1l Empty = True"
   3.121 +| "inv1l (Tr c l k v r) = (inv1 l \<and> inv1 r)"
   3.122 +lemma [simp]: "inv1 t \<Longrightarrow> inv1l t" by (cases t) simp+
   3.123 +
   3.124 +primrec bh :: "('a,'b) rbt \<Rightarrow> nat"
   3.125 +where
   3.126 +  "bh Empty = 0"
   3.127 +| "bh (Tr c lt k v rt) = (if c = B then Suc (bh lt) else bh lt)"
   3.128 +
   3.129 +primrec inv2 :: "('a,'b) rbt \<Rightarrow> bool"
   3.130 +where
   3.131 +  "inv2 Empty = True"
   3.132 +| "inv2 (Tr c lt k v rt) = (inv2 lt \<and> inv2 rt \<and> bh lt = bh rt)"
   3.133 +
   3.134 +definition
   3.135 +  "isrbt t = (inv1 t \<and> inv2 t \<and> treec t = B \<and> st t)"
   3.136 +
   3.137 +lemma isrbt_st[simp]: "isrbt t \<Longrightarrow> st t" by (simp add: isrbt_def)
   3.138 +
   3.139 +lemma rbt_cases:
   3.140 +  obtains (Empty) "t = Empty" 
   3.141 +  | (Red) l k v r where "t = Tr R l k v r" 
   3.142 +  | (Black) l k v r where "t = Tr B l k v r" 
   3.143 +by (cases t, simp) (case_tac "color", auto)
   3.144 +
   3.145 +theorem Empty_isrbt[simp]: "isrbt Empty"
   3.146 +unfolding isrbt_def by simp
   3.147 +
   3.148 +
   3.149 +subsection {* Insertion *}
   3.150 +
   3.151 +fun (* slow, due to massive case splitting *)
   3.152 +  balance :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.153 +where
   3.154 +  "balance (Tr R a w x b) s t (Tr R c y z d) = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   3.155 +  "balance (Tr R (Tr R a w x b) s t c) y z d = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   3.156 +  "balance (Tr R a w x (Tr R b s t c)) y z d = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   3.157 +  "balance a w x (Tr R b s t (Tr R c y z d)) = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   3.158 +  "balance a w x (Tr R (Tr R b s t c) y z d) = Tr R (Tr B a w x b) s t (Tr B c y z d)" |
   3.159 +  "balance a s t b = Tr B a s t b"
   3.160 +
   3.161 +lemma balance_inv1: "\<lbrakk>inv1l l; inv1l r\<rbrakk> \<Longrightarrow> inv1 (balance l k v r)" 
   3.162 +  by (induct l k v r rule: balance.induct) auto
   3.163 +
   3.164 +lemma balance_bh: "bh l = bh r \<Longrightarrow> bh (balance l k v r) = Suc (bh l)"
   3.165 +  by (induct l k v r rule: balance.induct) auto
   3.166 +
   3.167 +lemma balance_inv2: 
   3.168 +  assumes "inv2 l" "inv2 r" "bh l = bh r"
   3.169 +  shows "inv2 (balance l k v r)"
   3.170 +  using assms
   3.171 +  by (induct l k v r rule: balance.induct) auto
   3.172 +
   3.173 +lemma balance_tgt[simp]: "(v \<guillemotleft>| balance a k x b) = (v \<guillemotleft>| a \<and> v \<guillemotleft>| b \<and> v < k)" 
   3.174 +  by (induct a k x b rule: balance.induct) auto
   3.175 +
   3.176 +lemma balance_tlt[simp]: "(balance a k x b |\<guillemotleft> v) = (a |\<guillemotleft> v \<and> b |\<guillemotleft> v \<and> k < v)"
   3.177 +  by (induct a k x b rule: balance.induct) auto
   3.178 +
   3.179 +lemma balance_st: 
   3.180 +  fixes k :: "'a::linorder"
   3.181 +  assumes "st l" "st r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   3.182 +  shows "st (balance l k v r)"
   3.183 +using assms proof (induct l k v r rule: balance.induct)
   3.184 +  case ("2_2" a x w b y t c z s va vb vd vc)
   3.185 +  hence "y < z \<and> z \<guillemotleft>| Tr B va vb vd vc" 
   3.186 +    by (auto simp add: tlgt_props)
   3.187 +  hence "tgt y (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   3.188 +  with "2_2" show ?case by simp
   3.189 +next
   3.190 +  case ("3_2" va vb vd vc x w b y s c z)
   3.191 +  from "3_2" have "x < y \<and> tlt x (Tr B va vb vd vc)" 
   3.192 +    by (simp add: tlt.simps tgt.simps)
   3.193 +  hence "tlt y (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   3.194 +  with "3_2" show ?case by simp
   3.195 +next
   3.196 +  case ("3_3" x w b y s c z t va vb vd vc)
   3.197 +  from "3_3" have "y < z \<and> tgt z (Tr B va vb vd vc)" by simp
   3.198 +  hence "tgt y (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   3.199 +  with "3_3" show ?case by simp
   3.200 +next
   3.201 +  case ("3_4" vd ve vg vf x w b y s c z t va vb vii vc)
   3.202 +  hence "x < y \<and> tlt x (Tr B vd ve vg vf)" by simp
   3.203 +  hence 1: "tlt y (Tr B vd ve vg vf)" by (blast dest: tlt_trans)
   3.204 +  from "3_4" have "y < z \<and> tgt z (Tr B va vb vii vc)" by simp
   3.205 +  hence "tgt y (Tr B va vb vii vc)" by (blast dest: tgt_trans)
   3.206 +  with 1 "3_4" show ?case by simp
   3.207 +next
   3.208 +  case ("4_2" va vb vd vc x w b y s c z t dd)
   3.209 +  hence "x < y \<and> tlt x (Tr B va vb vd vc)" by simp
   3.210 +  hence "tlt y (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   3.211 +  with "4_2" show ?case by simp
   3.212 +next
   3.213 +  case ("5_2" x w b y s c z t va vb vd vc)
   3.214 +  hence "y < z \<and> tgt z (Tr B va vb vd vc)" by simp
   3.215 +  hence "tgt y (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   3.216 +  with "5_2" show ?case by simp
   3.217 +next
   3.218 +  case ("5_3" va vb vd vc x w b y s c z t)
   3.219 +  hence "x < y \<and> tlt x (Tr B va vb vd vc)" by simp
   3.220 +  hence "tlt y (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   3.221 +  with "5_3" show ?case by simp
   3.222 +next
   3.223 +  case ("5_4" va vb vg vc x w b y s c z t vd ve vii vf)
   3.224 +  hence "x < y \<and> tlt x (Tr B va vb vg vc)" by simp
   3.225 +  hence 1: "tlt y (Tr B va vb vg vc)" by (blast dest: tlt_trans)
   3.226 +  from "5_4" have "y < z \<and> tgt z (Tr B vd ve vii vf)" by simp
   3.227 +  hence "tgt y (Tr B vd ve vii vf)" by (blast dest: tgt_trans)
   3.228 +  with 1 "5_4" show ?case by simp
   3.229 +qed simp+
   3.230 +
   3.231 +lemma keys_balance[simp]: 
   3.232 +  "keys (balance l k v r) = { k } \<union> keys l \<union> keys r"
   3.233 +by (induct l k v r rule: balance.induct) auto
   3.234 +
   3.235 +lemma balance_pit:  
   3.236 +  "pin_tree k x (balance l v y r) = (pin_tree k x l \<or> k = v \<and> x = y \<or> pin_tree k x r)" 
   3.237 +by (induct l v y r rule: balance.induct) auto
   3.238 +
   3.239 +lemma map_of_balance[simp]: 
   3.240 +fixes k :: "'a::linorder"
   3.241 +assumes "st l" "st r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   3.242 +shows "map_of (balance l k v r) x = map_of (Tr B l k v r) x"
   3.243 +by (rule mapof_from_pit) (auto simp:assms balance_pit balance_st)
   3.244 +
   3.245 +primrec paint :: "color \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.246 +where
   3.247 +  "paint c Empty = Empty"
   3.248 +| "paint c (Tr _ l k v r) = Tr c l k v r"
   3.249 +
   3.250 +lemma paint_inv1l[simp]: "inv1l t \<Longrightarrow> inv1l (paint c t)" by (cases t) auto
   3.251 +lemma paint_inv1[simp]: "inv1l t \<Longrightarrow> inv1 (paint B t)" by (cases t) auto
   3.252 +lemma paint_inv2[simp]: "inv2 t \<Longrightarrow> inv2 (paint c t)" by (cases t) auto
   3.253 +lemma paint_treec[simp]: "treec (paint B t) = B" by (cases t) auto
   3.254 +lemma paint_st[simp]: "st t \<Longrightarrow> st (paint c t)" by (cases t) auto
   3.255 +lemma paint_pit[simp]: "pin_tree k x (paint c t) = pin_tree k x t" by (cases t) auto
   3.256 +lemma paint_mapof[simp]: "map_of (paint c t) = map_of t" by (rule ext) (cases t, auto)
   3.257 +lemma paint_tgt[simp]: "(v \<guillemotleft>| paint c t) = (v \<guillemotleft>| t)" by (cases t) auto
   3.258 +lemma paint_tlt[simp]: "(paint c t |\<guillemotleft> v) = (t |\<guillemotleft> v)" by (cases t) auto
   3.259 +
   3.260 +fun
   3.261 +  ins :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.262 +where
   3.263 +  "ins f k v Empty = Tr R Empty k v Empty" |
   3.264 +  "ins f k v (Tr B l x y r) = (if k < x then balance (ins f k v l) x y r
   3.265 +                               else if k > x then balance l x y (ins f k v r)
   3.266 +                               else Tr B l x (f k y v) r)" |
   3.267 +  "ins f k v (Tr R l x y r) = (if k < x then Tr R (ins f k v l) x y r
   3.268 +                               else if k > x then Tr R l x y (ins f k v r)
   3.269 +                               else Tr R l x (f k y v) r)"
   3.270 +
   3.271 +lemma ins_inv1_inv2: 
   3.272 +  assumes "inv1 t" "inv2 t"
   3.273 +  shows "inv2 (ins f k x t)" "bh (ins f k x t) = bh t" 
   3.274 +  "treec t = B \<Longrightarrow> inv1 (ins f k x t)" "inv1l (ins f k x t)"
   3.275 +  using assms
   3.276 +  by (induct f k x t rule: ins.induct) (auto simp: balance_inv1 balance_inv2 balance_bh)
   3.277 +
   3.278 +lemma ins_tgt[simp]: "(v \<guillemotleft>| ins f k x t) = (v \<guillemotleft>| t \<and> k > v)"
   3.279 +  by (induct f k x t rule: ins.induct) auto
   3.280 +lemma ins_tlt[simp]: "(ins f k x t |\<guillemotleft> v) = (t |\<guillemotleft> v \<and> k < v)"
   3.281 +  by (induct f k x t rule: ins.induct) auto
   3.282 +lemma ins_st[simp]: "st t \<Longrightarrow> st (ins f k x t)"
   3.283 +  by (induct f k x t rule: ins.induct) (auto simp: balance_st)
   3.284 +
   3.285 +lemma keys_ins: "keys (ins f k v t) = { k } \<union> keys t"
   3.286 +by (induct f k v t rule: ins.induct) auto
   3.287 +
   3.288 +lemma map_of_ins: 
   3.289 +  fixes k :: "'a::linorder"
   3.290 +  assumes "st t"
   3.291 +  shows "map_of (ins f k v t) x = ((map_of t)(k |-> case map_of t k of None \<Rightarrow> v 
   3.292 +                                                       | Some w \<Rightarrow> f k w v)) x"
   3.293 +using assms by (induct f k v t rule: ins.induct) auto
   3.294 +
   3.295 +definition
   3.296 +  insertwithkey :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.297 +where
   3.298 +  "insertwithkey f k v t = paint B (ins f k v t)"
   3.299 +
   3.300 +lemma insertwk_st: "st t \<Longrightarrow> st (insertwithkey f k x t)"
   3.301 +  by (auto simp: insertwithkey_def)
   3.302 +
   3.303 +theorem insertwk_isrbt: 
   3.304 +  assumes inv: "isrbt t" 
   3.305 +  shows "isrbt (insertwithkey f k x t)"
   3.306 +using assms
   3.307 +unfolding insertwithkey_def isrbt_def
   3.308 +by (auto simp: ins_inv1_inv2)
   3.309 +
   3.310 +lemma map_of_insertwk: 
   3.311 +  assumes "st t"
   3.312 +  shows "map_of (insertwithkey f k v t) x = ((map_of t)(k |-> case map_of t k of None \<Rightarrow> v 
   3.313 +                                                       | Some w \<Rightarrow> f k w v)) x"
   3.314 +unfolding insertwithkey_def using assms
   3.315 +by (simp add:map_of_ins)
   3.316 +
   3.317 +definition
   3.318 +  insertw_def: "insertwith f = insertwithkey (\<lambda>_. f)"
   3.319 +
   3.320 +lemma insertw_st: "st t \<Longrightarrow> st (insertwith f k v t)" by (simp add: insertwk_st insertw_def)
   3.321 +theorem insertw_isrbt: "isrbt t \<Longrightarrow> isrbt (insertwith f k v t)" by (simp add: insertwk_isrbt insertw_def)
   3.322 +
   3.323 +lemma map_of_insertw:
   3.324 +  assumes "isrbt t"
   3.325 +  shows "map_of (insertwith f k v t) = (map_of t)(k \<mapsto> (if k:dom (map_of t) then f (the (map_of t k)) v else v))"
   3.326 +using assms
   3.327 +unfolding insertw_def
   3.328 +by (rule_tac ext) (cases "map_of t k", auto simp:map_of_insertwk dom_def)
   3.329 +
   3.330 +
   3.331 +definition
   3.332 +  "insrt k v t = insertwithkey (\<lambda>_ _ nv. nv) k v t"
   3.333 +
   3.334 +lemma insrt_st: "st t \<Longrightarrow> st (insrt k v t)" by (simp add: insertwk_st insrt_def)
   3.335 +theorem insrt_isrbt: "isrbt t \<Longrightarrow> isrbt (insrt k v t)" by (simp add: insertwk_isrbt insrt_def)
   3.336 +
   3.337 +lemma map_of_insert: 
   3.338 +  assumes "isrbt t"
   3.339 +  shows "map_of (insrt k v t) = (map_of t)(k\<mapsto>v)"
   3.340 +unfolding insrt_def
   3.341 +using assms
   3.342 +by (rule_tac ext) (simp add: map_of_insertwk split:option.split)
   3.343 +
   3.344 +
   3.345 +subsection {* Deletion *}
   3.346 +
   3.347 +(*definition
   3.348 +  [simp]: "ibn t = (bh t > 0 \<and> treec t = B)"
   3.349 +*)
   3.350 +lemma bh_paintR'[simp]: "treec t = B \<Longrightarrow> bh (paint R t) = bh t - 1"
   3.351 +by (cases t rule: rbt_cases) auto
   3.352 +
   3.353 +fun
   3.354 +  balleft :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.355 +where
   3.356 +  "balleft (Tr R a k x b) s y c = Tr R (Tr B a k x b) s y c" |
   3.357 +  "balleft bl k x (Tr B a s y b) = balance bl k x (Tr R a s y b)" |
   3.358 +  "balleft bl k x (Tr R (Tr B a s y b) t z c) = Tr R (Tr B bl k x a) s y (balance b t z (paint R c))" |
   3.359 +  "balleft t k x s = Empty"
   3.360 +
   3.361 +lemma balleft_inv2_with_inv1:
   3.362 +  assumes "inv2 lt" "inv2 rt" "bh lt + 1 = bh rt" "inv1 rt"
   3.363 +  shows "bh (balleft lt k v rt) = bh lt + 1"
   3.364 +  and   "inv2 (balleft lt k v rt)"
   3.365 +using assms 
   3.366 +by (induct lt k v rt rule: balleft.induct) (auto simp: balance_inv2 balance_bh)
   3.367 +
   3.368 +lemma balleft_inv2_app: 
   3.369 +  assumes "inv2 lt" "inv2 rt" "bh lt + 1 = bh rt" "treec rt = B"
   3.370 +  shows "inv2 (balleft lt k v rt)" 
   3.371 +        "bh (balleft lt k v rt) = bh rt"
   3.372 +using assms 
   3.373 +by (induct lt k v rt rule: balleft.induct) (auto simp add: balance_inv2 balance_bh)+ 
   3.374 +
   3.375 +lemma balleft_inv1: "\<lbrakk>inv1l a; inv1 b; treec b = B\<rbrakk> \<Longrightarrow> inv1 (balleft a k x b)"
   3.376 +  by (induct a k x b rule: balleft.induct) (simp add: balance_inv1)+
   3.377 +
   3.378 +lemma balleft_inv1l: "\<lbrakk> inv1l lt; inv1 rt \<rbrakk> \<Longrightarrow> inv1l (balleft lt k x rt)"
   3.379 +by (induct lt k x rt rule: balleft.induct) (auto simp: balance_inv1)
   3.380 +
   3.381 +lemma balleft_st: "\<lbrakk> st l; st r; tlt k l; tgt k r \<rbrakk> \<Longrightarrow> st (balleft l k v r)"
   3.382 +apply (induct l k v r rule: balleft.induct)
   3.383 +apply (auto simp: balance_st)
   3.384 +apply (unfold tgt_prop tlt_prop)
   3.385 +by force+
   3.386 +
   3.387 +lemma balleft_tgt: 
   3.388 +  fixes k :: "'a::order"
   3.389 +  assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   3.390 +  shows "k \<guillemotleft>| balleft a x t b"
   3.391 +using assms 
   3.392 +by (induct a x t b rule: balleft.induct) auto
   3.393 +
   3.394 +lemma balleft_tlt: 
   3.395 +  fixes k :: "'a::order"
   3.396 +  assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   3.397 +  shows "balleft a x t b |\<guillemotleft> k"
   3.398 +using assms
   3.399 +by (induct a x t b rule: balleft.induct) auto
   3.400 +
   3.401 +lemma balleft_pit: 
   3.402 +  assumes "inv1l l" "inv1 r" "bh l + 1 = bh r"
   3.403 +  shows "pin_tree k v (balleft l a b r) = (pin_tree k v l \<or> k = a \<and> v = b \<or> pin_tree k v r)"
   3.404 +using assms 
   3.405 +by (induct l k v r rule: balleft.induct) (auto simp: balance_pit)
   3.406 +
   3.407 +fun
   3.408 +  balright :: "('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.409 +where
   3.410 +  "balright a k x (Tr R b s y c) = Tr R a k x (Tr B b s y c)" |
   3.411 +  "balright (Tr B a k x b) s y bl = balance (Tr R a k x b) s y bl" |
   3.412 +  "balright (Tr R a k x (Tr B b s y c)) t z bl = Tr R (balance (paint R a) k x b) s y (Tr B c t z bl)" |
   3.413 +  "balright t k x s = Empty"
   3.414 +
   3.415 +lemma balright_inv2_with_inv1:
   3.416 +  assumes "inv2 lt" "inv2 rt" "bh lt = bh rt + 1" "inv1 lt"
   3.417 +  shows "inv2 (balright lt k v rt) \<and> bh (balright lt k v rt) = bh lt"
   3.418 +using assms
   3.419 +by (induct lt k v rt rule: balright.induct) (auto simp: balance_inv2 balance_bh)
   3.420 +
   3.421 +lemma balright_inv1: "\<lbrakk>inv1 a; inv1l b; treec a = B\<rbrakk> \<Longrightarrow> inv1 (balright a k x b)"
   3.422 +by (induct a k x b rule: balright.induct) (simp add: balance_inv1)+
   3.423 +
   3.424 +lemma balright_inv1l: "\<lbrakk> inv1 lt; inv1l rt \<rbrakk> \<Longrightarrow>inv1l (balright lt k x rt)"
   3.425 +by (induct lt k x rt rule: balright.induct) (auto simp: balance_inv1)
   3.426 +
   3.427 +lemma balright_st: "\<lbrakk> st l; st r; tlt k l; tgt k r \<rbrakk> \<Longrightarrow> st (balright l k v r)"
   3.428 +apply (induct l k v r rule: balright.induct)
   3.429 +apply (auto simp:balance_st)
   3.430 +apply (unfold tlt_prop tgt_prop)
   3.431 +by force+
   3.432 +
   3.433 +lemma balright_tgt: 
   3.434 +  fixes k :: "'a::order"
   3.435 +  assumes "k \<guillemotleft>| a" "k \<guillemotleft>| b" "k < x" 
   3.436 +  shows "k \<guillemotleft>| balright a x t b"
   3.437 +using assms by (induct a x t b rule: balright.induct) auto
   3.438 +
   3.439 +lemma balright_tlt: 
   3.440 +  fixes k :: "'a::order"
   3.441 +  assumes "a |\<guillemotleft> k" "b |\<guillemotleft> k" "x < k" 
   3.442 +  shows "balright a x t b |\<guillemotleft> k"
   3.443 +using assms by (induct a x t b rule: balright.induct) auto
   3.444 +
   3.445 +lemma balright_pit:
   3.446 +  assumes "inv1 l" "inv1l r" "bh l = bh r + 1" "inv2 l" "inv2 r"
   3.447 +  shows "pin_tree x y (balright l k v r) = (pin_tree x y l \<or> x = k \<and> y = v \<or> pin_tree x y r)"
   3.448 +using assms by (induct l k v r rule: balright.induct) (auto simp: balance_pit)
   3.449 +
   3.450 +
   3.451 +text {* app *}
   3.452 +
   3.453 +fun
   3.454 +  app :: "('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.455 +where
   3.456 +  "app Empty x = x" 
   3.457 +| "app x Empty = x" 
   3.458 +| "app (Tr R a k x b) (Tr R c s y d) = (case (app b c) of
   3.459 +                                      Tr R b2 t z c2 \<Rightarrow> (Tr R (Tr R a k x b2) t z (Tr R c2 s y d)) |
   3.460 +                                      bc \<Rightarrow> Tr R a k x (Tr R bc s y d))" 
   3.461 +| "app (Tr B a k x b) (Tr B c s y d) = (case (app b c) of
   3.462 +                                      Tr R b2 t z c2 \<Rightarrow> Tr R (Tr B a k x b2) t z (Tr B c2 s y d) |
   3.463 +                                      bc \<Rightarrow> balleft a k x (Tr B bc s y d))" 
   3.464 +| "app a (Tr R b k x c) = Tr R (app a b) k x c" 
   3.465 +| "app (Tr R a k x b) c = Tr R a k x (app b c)" 
   3.466 +
   3.467 +lemma app_inv2:
   3.468 +  assumes "inv2 lt" "inv2 rt" "bh lt = bh rt"
   3.469 +  shows "bh (app lt rt) = bh lt" "inv2 (app lt rt)"
   3.470 +using assms 
   3.471 +by (induct lt rt rule: app.induct) 
   3.472 +   (auto simp: balleft_inv2_app split: rbt.splits color.splits)
   3.473 +
   3.474 +lemma app_inv1: 
   3.475 +  assumes "inv1 lt" "inv1 rt"
   3.476 +  shows "treec lt = B \<Longrightarrow> treec rt = B \<Longrightarrow> inv1 (app lt rt)"
   3.477 +         "inv1l (app lt rt)"
   3.478 +using assms 
   3.479 +by (induct lt rt rule: app.induct)
   3.480 +   (auto simp: balleft_inv1 split: rbt.splits color.splits)
   3.481 +
   3.482 +lemma app_tgt[simp]: 
   3.483 +  fixes k :: "'a::linorder"
   3.484 +  assumes "k \<guillemotleft>| l" "k \<guillemotleft>| r" 
   3.485 +  shows "k \<guillemotleft>| app l r"
   3.486 +using assms 
   3.487 +by (induct l r rule: app.induct)
   3.488 +   (auto simp: balleft_tgt split:rbt.splits color.splits)
   3.489 +
   3.490 +lemma app_tlt[simp]: 
   3.491 +  fixes k :: "'a::linorder"
   3.492 +  assumes "l |\<guillemotleft> k" "r |\<guillemotleft> k" 
   3.493 +  shows "app l r |\<guillemotleft> k"
   3.494 +using assms 
   3.495 +by (induct l r rule: app.induct)
   3.496 +   (auto simp: balleft_tlt split:rbt.splits color.splits)
   3.497 +
   3.498 +lemma app_st: 
   3.499 +  fixes k :: "'a::linorder"
   3.500 +  assumes "st l" "st r" "l |\<guillemotleft> k" "k \<guillemotleft>| r"
   3.501 +  shows "st (app l r)"
   3.502 +using assms proof (induct l r rule: app.induct)
   3.503 +  case (3 a x v b c y w d)
   3.504 +  hence ineqs: "a |\<guillemotleft> x" "x \<guillemotleft>| b" "b |\<guillemotleft> k" "k \<guillemotleft>| c" "c |\<guillemotleft> y" "y \<guillemotleft>| d"
   3.505 +    by auto
   3.506 +  with 3
   3.507 +  show ?case
   3.508 +    apply (cases "app b c" rule: rbt_cases)
   3.509 +    apply auto
   3.510 +    by (metis app_tgt app_tlt ineqs ineqs tlt.simps(2) tgt.simps(2) tgt_trans tlt_trans)+
   3.511 +next
   3.512 +  case (4 a x v b c y w d)
   3.513 +  hence "x < k \<and> tgt k c" by simp
   3.514 +  hence "tgt x c" by (blast dest: tgt_trans)
   3.515 +  with 4 have 2: "tgt x (app b c)" by (simp add: app_tgt)
   3.516 +  from 4 have "k < y \<and> tlt k b" by simp
   3.517 +  hence "tlt y b" by (blast dest: tlt_trans)
   3.518 +  with 4 have 3: "tlt y (app b c)" by (simp add: app_tlt)
   3.519 +  show ?case
   3.520 +  proof (cases "app b c" rule: rbt_cases)
   3.521 +    case Empty
   3.522 +    from 4 have "x < y \<and> tgt y d" by auto
   3.523 +    hence "tgt x d" by (blast dest: tgt_trans)
   3.524 +    with 4 Empty have "st a" and "st (Tr B Empty y w d)" and "tlt x a" and "tgt x (Tr B Empty y w d)" by auto
   3.525 +    with Empty show ?thesis by (simp add: balleft_st)
   3.526 +  next
   3.527 +    case (Red lta va ka rta)
   3.528 +    with 2 4 have "x < va \<and> tlt x a" by simp
   3.529 +    hence 5: "tlt va a" by (blast dest: tlt_trans)
   3.530 +    from Red 3 4 have "va < y \<and> tgt y d" by simp
   3.531 +    hence "tgt va d" by (blast dest: tgt_trans)
   3.532 +    with Red 2 3 4 5 show ?thesis by simp
   3.533 +  next
   3.534 +    case (Black lta va ka rta)
   3.535 +    from 4 have "x < y \<and> tgt y d" by auto
   3.536 +    hence "tgt x d" by (blast dest: tgt_trans)
   3.537 +    with Black 2 3 4 have "st a" and "st (Tr B (app b c) y w d)" and "tlt x a" and "tgt x (Tr B (app b c) y w d)" by auto
   3.538 +    with Black show ?thesis by (simp add: balleft_st)
   3.539 +  qed
   3.540 +next
   3.541 +  case (5 va vb vd vc b x w c)
   3.542 +  hence "k < x \<and> tlt k (Tr B va vb vd vc)" by simp
   3.543 +  hence "tlt x (Tr B va vb vd vc)" by (blast dest: tlt_trans)
   3.544 +  with 5 show ?case by (simp add: app_tlt)
   3.545 +next
   3.546 +  case (6 a x v b va vb vd vc)
   3.547 +  hence "x < k \<and> tgt k (Tr B va vb vd vc)" by simp
   3.548 +  hence "tgt x (Tr B va vb vd vc)" by (blast dest: tgt_trans)
   3.549 +  with 6 show ?case by (simp add: app_tgt)
   3.550 +qed simp+
   3.551 +
   3.552 +lemma app_pit: 
   3.553 +  assumes "inv2 l" "inv2 r" "bh l = bh r" "inv1 l" "inv1 r"
   3.554 +  shows "pin_tree k v (app l r) = (pin_tree k v l \<or> pin_tree k v r)"
   3.555 +using assms 
   3.556 +proof (induct l r rule: app.induct)
   3.557 +  case (4 _ _ _ b c)
   3.558 +  hence a: "bh (app b c) = bh b" by (simp add: app_inv2)
   3.559 +  from 4 have b: "inv1l (app b c)" by (simp add: app_inv1)
   3.560 +
   3.561 +  show ?case
   3.562 +  proof (cases "app b c" rule: rbt_cases)
   3.563 +    case Empty
   3.564 +    with 4 a show ?thesis by (auto simp: balleft_pit)
   3.565 +  next
   3.566 +    case (Red lta ka va rta)
   3.567 +    with 4 show ?thesis by auto
   3.568 +  next
   3.569 +    case (Black lta ka va rta)
   3.570 +    with a b 4  show ?thesis by (auto simp: balleft_pit)
   3.571 +  qed 
   3.572 +qed (auto split: rbt.splits color.splits)
   3.573 +
   3.574 +fun
   3.575 +  delformLeft :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   3.576 +  delformRight :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt" and
   3.577 +  del :: "('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.578 +where
   3.579 +  "del x Empty = Empty" |
   3.580 +  "del x (Tr c a y s b) = (if x < y then delformLeft x a y s b else (if x > y then delformRight x a y s b else app a b))" |
   3.581 +  "delformLeft x (Tr B lt z v rt) y s b = balleft (del x (Tr B lt z v rt)) y s b" |
   3.582 +  "delformLeft x a y s b = Tr R (del x a) y s b" |
   3.583 +  "delformRight x a y s (Tr B lt z v rt) = balright a y s (del x (Tr B lt z v rt))" | 
   3.584 +  "delformRight x a y s b = Tr R a y s (del x b)"
   3.585 +
   3.586 +lemma 
   3.587 +  assumes "inv2 lt" "inv1 lt"
   3.588 +  shows
   3.589 +  "\<lbrakk>inv2 rt; bh lt = bh rt; inv1 rt\<rbrakk> \<Longrightarrow>
   3.590 +  inv2 (delformLeft x lt k v rt) \<and> bh (delformLeft x lt k v rt) = bh lt \<and> (treec lt = B \<and> treec rt = B \<and> inv1 (delformLeft x lt k v rt) \<or> (treec lt \<noteq> B \<or> treec rt \<noteq> B) \<and> inv1l (delformLeft x lt k v rt))"
   3.591 +  and "\<lbrakk>inv2 rt; bh lt = bh rt; inv1 rt\<rbrakk> \<Longrightarrow>
   3.592 +  inv2 (delformRight x lt k v rt) \<and> bh (delformRight x lt k v rt) = bh lt \<and> (treec lt = B \<and> treec rt = B \<and> inv1 (delformRight x lt k v rt) \<or> (treec lt \<noteq> B \<or> treec rt \<noteq> B) \<and> inv1l (delformRight x lt k v rt))"
   3.593 +  and del_inv1_inv2: "inv2 (del x lt) \<and> (treec lt = R \<and> bh (del x lt) = bh lt \<and> inv1 (del x lt) 
   3.594 +  \<or> treec lt = B \<and> bh (del x lt) = bh lt - 1 \<and> inv1l (del x lt))"
   3.595 +using assms
   3.596 +proof (induct x lt k v rt and x lt k v rt and x lt rule: delformLeft_delformRight_del.induct)
   3.597 +case (2 y c _ y')
   3.598 +  have "y = y' \<or> y < y' \<or> y > y'" by auto
   3.599 +  thus ?case proof (elim disjE)
   3.600 +    assume "y = y'"
   3.601 +    with 2 show ?thesis by (cases c) (simp add: app_inv2 app_inv1)+
   3.602 +  next
   3.603 +    assume "y < y'"
   3.604 +    with 2 show ?thesis by (cases c) auto
   3.605 +  next
   3.606 +    assume "y' < y"
   3.607 +    with 2 show ?thesis by (cases c) auto
   3.608 +  qed
   3.609 +next
   3.610 +  case (3 y lt z v rta y' ss bb) 
   3.611 +  thus ?case by (cases "treec (Tr B lt z v rta) = B \<and> treec bb = B") (simp add: balleft_inv2_with_inv1 balleft_inv1 balleft_inv1l)+
   3.612 +next
   3.613 +  case (5 y a y' ss lt z v rta)
   3.614 +  thus ?case by (cases "treec a = B \<and> treec (Tr B lt z v rta) = B") (simp add: balright_inv2_with_inv1 balright_inv1 balright_inv1l)+
   3.615 +next
   3.616 +  case ("6_1" y a y' ss) thus ?case by (cases "treec a = B \<and> treec Empty = B") simp+
   3.617 +qed auto
   3.618 +
   3.619 +lemma 
   3.620 +  delformLeft_tlt: "\<lbrakk>tlt v lt; tlt v rt; k < v\<rbrakk> \<Longrightarrow> tlt v (delformLeft x lt k y rt)"
   3.621 +  and delformRight_tlt: "\<lbrakk>tlt v lt; tlt v rt; k < v\<rbrakk> \<Longrightarrow> tlt v (delformRight x lt k y rt)"
   3.622 +  and del_tlt: "tlt v lt \<Longrightarrow> tlt v (del x lt)"
   3.623 +by (induct x lt k y rt and x lt k y rt and x lt rule: delformLeft_delformRight_del.induct) 
   3.624 +   (auto simp: balleft_tlt balright_tlt)
   3.625 +
   3.626 +lemma delformLeft_tgt: "\<lbrakk>tgt v lt; tgt v rt; k > v\<rbrakk> \<Longrightarrow> tgt v (delformLeft x lt k y rt)"
   3.627 +  and delformRight_tgt: "\<lbrakk>tgt v lt; tgt v rt; k > v\<rbrakk> \<Longrightarrow> tgt v (delformRight x lt k y rt)"
   3.628 +  and del_tgt: "tgt v lt \<Longrightarrow> tgt v (del x lt)"
   3.629 +by (induct x lt k y rt and x lt k y rt and x lt rule: delformLeft_delformRight_del.induct)
   3.630 +   (auto simp: balleft_tgt balright_tgt)
   3.631 +
   3.632 +lemma "\<lbrakk>st lt; st rt; tlt k lt; tgt k rt\<rbrakk> \<Longrightarrow> st (delformLeft x lt k y rt)"
   3.633 +  and "\<lbrakk>st lt; st rt; tlt k lt; tgt k rt\<rbrakk> \<Longrightarrow> st (delformRight x lt k y rt)"
   3.634 +  and del_st: "st lt \<Longrightarrow> st (del x lt)"
   3.635 +proof (induct x lt k y rt and x lt k y rt and x lt rule: delformLeft_delformRight_del.induct)
   3.636 +  case (3 x lta zz v rta yy ss bb)
   3.637 +  from 3 have "tlt yy (Tr B lta zz v rta)" by simp
   3.638 +  hence "tlt yy (del x (Tr B lta zz v rta))" by (rule del_tlt)
   3.639 +  with 3 show ?case by (simp add: balleft_st)
   3.640 +next
   3.641 +  case ("4_2" x vaa vbb vdd vc yy ss bb)
   3.642 +  hence "tlt yy (Tr R vaa vbb vdd vc)" by simp
   3.643 +  hence "tlt yy (del x (Tr R vaa vbb vdd vc))" by (rule del_tlt)
   3.644 +  with "4_2" show ?case by simp
   3.645 +next
   3.646 +  case (5 x aa yy ss lta zz v rta) 
   3.647 +  hence "tgt yy (Tr B lta zz v rta)" by simp
   3.648 +  hence "tgt yy (del x (Tr B lta zz v rta))" by (rule del_tgt)
   3.649 +  with 5 show ?case by (simp add: balright_st)
   3.650 +next
   3.651 +  case ("6_2" x aa yy ss vaa vbb vdd vc)
   3.652 +  hence "tgt yy (Tr R vaa vbb vdd vc)" by simp
   3.653 +  hence "tgt yy (del x (Tr R vaa vbb vdd vc))" by (rule del_tgt)
   3.654 +  with "6_2" show ?case by simp
   3.655 +qed (auto simp: app_st)
   3.656 +
   3.657 +lemma "\<lbrakk>st lt; st rt; tlt kt lt; tgt kt rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bh lt = bh rt; x < kt\<rbrakk> \<Longrightarrow> pin_tree k v (delformLeft x lt kt y rt) = (False \<or> (x \<noteq> k \<and> pin_tree k v (Tr c lt kt y rt)))"
   3.658 +  and "\<lbrakk>st lt; st rt; tlt kt lt; tgt kt rt; inv1 lt; inv1 rt; inv2 lt; inv2 rt; bh lt = bh rt; x > kt\<rbrakk> \<Longrightarrow> pin_tree k v (delformRight x lt kt y rt) = (False \<or> (x \<noteq> k \<and> pin_tree k v (Tr c lt kt y rt)))"
   3.659 +  and del_pit: "\<lbrakk>st t; inv1 t; inv2 t\<rbrakk> \<Longrightarrow> pin_tree k v (del x t) = (False \<or> (x \<noteq> k \<and> pin_tree k v t))"
   3.660 +proof (induct x lt kt y rt and x lt kt y rt and x t rule: delformLeft_delformRight_del.induct)
   3.661 +  case (2 xx c aa yy ss bb)
   3.662 +  have "xx = yy \<or> xx < yy \<or> xx > yy" by auto
   3.663 +  from this 2 show ?case proof (elim disjE)
   3.664 +    assume "xx = yy"
   3.665 +    with 2 show ?thesis proof (cases "xx = k")
   3.666 +      case True
   3.667 +      from 2 `xx = yy` `xx = k` have "st (Tr c aa yy ss bb) \<and> k = yy" by simp
   3.668 +      hence "\<not> pin_tree k v aa" "\<not> pin_tree k v bb" by (auto simp: tlt_nit tgt_prop)
   3.669 +      with `xx = yy` 2 `xx = k` show ?thesis by (simp add: app_pit)
   3.670 +    qed (simp add: app_pit)
   3.671 +  qed simp+
   3.672 +next    
   3.673 +  case (3 xx lta zz vv rta yy ss bb)
   3.674 +  def mt[simp]: mt == "Tr B lta zz vv rta"
   3.675 +  from 3 have "inv2 mt \<and> inv1 mt" by simp
   3.676 +  hence "inv2 (del xx mt) \<and> (treec mt = R \<and> bh (del xx mt) = bh mt \<and> inv1 (del xx mt) \<or> treec mt = B \<and> bh (del xx mt) = bh mt - 1 \<and> inv1l (del xx mt))" by (blast dest: del_inv1_inv2)
   3.677 +  with 3 have 4: "pin_tree k v (delformLeft xx mt yy ss bb) = (False \<or> xx \<noteq> k \<and> pin_tree k v mt \<or> (k = yy \<and> v = ss) \<or> pin_tree k v bb)" by (simp add: balleft_pit)
   3.678 +  thus ?case proof (cases "xx = k")
   3.679 +    case True
   3.680 +    from 3 True have "tgt yy bb \<and> yy > k" by simp
   3.681 +    hence "tgt k bb" by (blast dest: tgt_trans)
   3.682 +    with 3 4 True show ?thesis by (auto simp: tgt_nit)
   3.683 +  qed auto
   3.684 +next
   3.685 +  case ("4_1" xx yy ss bb)
   3.686 +  show ?case proof (cases "xx = k")
   3.687 +    case True
   3.688 +    with "4_1" have "tgt yy bb \<and> k < yy" by simp
   3.689 +    hence "tgt k bb" by (blast dest: tgt_trans)
   3.690 +    with "4_1" `xx = k` 
   3.691 +   have "pin_tree k v (Tr R Empty yy ss bb) = pin_tree k v Empty" by (auto simp: tgt_nit)
   3.692 +    thus ?thesis by auto
   3.693 +  qed simp+
   3.694 +next
   3.695 +  case ("4_2" xx vaa vbb vdd vc yy ss bb)
   3.696 +  thus ?case proof (cases "xx = k")
   3.697 +    case True
   3.698 +    with "4_2" have "k < yy \<and> tgt yy bb" by simp
   3.699 +    hence "tgt k bb" by (blast dest: tgt_trans)
   3.700 +    with True "4_2" show ?thesis by (auto simp: tgt_nit)
   3.701 +  qed simp
   3.702 +next
   3.703 +  case (5 xx aa yy ss lta zz vv rta)
   3.704 +  def mt[simp]: mt == "Tr B lta zz vv rta"
   3.705 +  from 5 have "inv2 mt \<and> inv1 mt" by simp
   3.706 +  hence "inv2 (del xx mt) \<and> (treec mt = R \<and> bh (del xx mt) = bh mt \<and> inv1 (del xx mt) \<or> treec mt = B \<and> bh (del xx mt) = bh mt - 1 \<and> inv1l (del xx mt))" by (blast dest: del_inv1_inv2)
   3.707 +  with 5 have 3: "pin_tree k v (delformRight xx aa yy ss mt) = (pin_tree k v aa \<or> (k = yy \<and> v = ss) \<or> False \<or> xx \<noteq> k \<and> pin_tree k v mt)" by (simp add: balright_pit)
   3.708 +  thus ?case proof (cases "xx = k")
   3.709 +    case True
   3.710 +    from 5 True have "tlt yy aa \<and> yy < k" by simp
   3.711 +    hence "tlt k aa" by (blast dest: tlt_trans)
   3.712 +    with 3 5 True show ?thesis by (auto simp: tlt_nit)
   3.713 +  qed auto
   3.714 +next
   3.715 +  case ("6_1" xx aa yy ss)
   3.716 +  show ?case proof (cases "xx = k")
   3.717 +    case True
   3.718 +    with "6_1" have "tlt yy aa \<and> k > yy" by simp
   3.719 +    hence "tlt k aa" by (blast dest: tlt_trans)
   3.720 +    with "6_1" `xx = k` show ?thesis by (auto simp: tlt_nit)
   3.721 +  qed simp
   3.722 +next
   3.723 +  case ("6_2" xx aa yy ss vaa vbb vdd vc)
   3.724 +  thus ?case proof (cases "xx = k")
   3.725 +    case True
   3.726 +    with "6_2" have "k > yy \<and> tlt yy aa" by simp
   3.727 +    hence "tlt k aa" by (blast dest: tlt_trans)
   3.728 +    with True "6_2" show ?thesis by (auto simp: tlt_nit)
   3.729 +  qed simp
   3.730 +qed simp
   3.731 +
   3.732 +
   3.733 +definition delete where
   3.734 +  delete_def: "delete k t = paint B (del k t)"
   3.735 +
   3.736 +theorem delete_isrbt[simp]: assumes "isrbt t" shows "isrbt (delete k t)"
   3.737 +proof -
   3.738 +  from assms have "inv2 t" and "inv1 t" unfolding isrbt_def by auto 
   3.739 +  hence "inv2 (del k t) \<and> (treec t = R \<and> bh (del k t) = bh t \<and> inv1 (del k t) \<or> treec t = B \<and> bh (del k t) = bh t - 1 \<and> inv1l (del k t))" by (rule del_inv1_inv2)
   3.740 +  hence "inv2 (del k t) \<and> inv1l (del k t)" by (cases "treec t") auto
   3.741 +  with assms show ?thesis
   3.742 +    unfolding isrbt_def delete_def
   3.743 +    by (auto intro: paint_st del_st)
   3.744 +qed
   3.745 +
   3.746 +lemma delete_pit: 
   3.747 +  assumes "isrbt t" 
   3.748 +  shows "pin_tree k v (delete x t) = (x \<noteq> k \<and> pin_tree k v t)"
   3.749 +  using assms unfolding isrbt_def delete_def
   3.750 +  by (auto simp: del_pit)
   3.751 +
   3.752 +lemma map_of_delete:
   3.753 +  assumes isrbt: "isrbt t"
   3.754 +  shows "map_of (delete k t) = (map_of t)|`(-{k})"
   3.755 +proof
   3.756 +  fix x
   3.757 +  show "map_of (delete k t) x = (map_of t |` (-{k})) x" 
   3.758 +  proof (cases "x = k")
   3.759 +    assume "x = k" 
   3.760 +    with isrbt show ?thesis
   3.761 +      by (cases "map_of (delete k t) k") (auto simp: mapof_pit delete_pit)
   3.762 +  next
   3.763 +    assume "x \<noteq> k"
   3.764 +    thus ?thesis
   3.765 +      by auto (metis isrbt delete_isrbt delete_pit isrbt_st mapof_from_pit)
   3.766 +  qed
   3.767 +qed
   3.768 +
   3.769 +subsection {* Union *}
   3.770 +
   3.771 +primrec
   3.772 +  unionwithkey :: "('a\<Colon>linorder \<Rightarrow> 'b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.773 +where
   3.774 +  "unionwithkey f t Empty = t"
   3.775 +| "unionwithkey f t (Tr c lt k v rt) = unionwithkey f (unionwithkey f (insertwithkey f k v t) lt) rt"
   3.776 +
   3.777 +lemma unionwk_st: "st lt \<Longrightarrow> st (unionwithkey f lt rt)" 
   3.778 +  by (induct rt arbitrary: lt) (auto simp: insertwk_st)
   3.779 +theorem unionwk_isrbt[simp]: "isrbt lt \<Longrightarrow> isrbt (unionwithkey f lt rt)" 
   3.780 +  by (induct rt arbitrary: lt) (simp add: insertwk_isrbt)+
   3.781 +
   3.782 +definition
   3.783 +  unionwith where
   3.784 +  "unionwith f = unionwithkey (\<lambda>_. f)"
   3.785 +
   3.786 +theorem unionw_isrbt: "isrbt lt \<Longrightarrow> isrbt (unionwith f lt rt)" unfolding unionwith_def by simp
   3.787 +
   3.788 +definition union where
   3.789 +  "union = unionwithkey (%_ _ rv. rv)"
   3.790 +
   3.791 +theorem union_isrbt: "isrbt lt \<Longrightarrow> isrbt (union lt rt)" unfolding union_def by simp
   3.792 +
   3.793 +lemma union_Tr[simp]:
   3.794 +  "union t (Tr c lt k v rt) = union (union (insrt k v t) lt) rt"
   3.795 +  unfolding union_def insrt_def
   3.796 +  by simp
   3.797 +
   3.798 +lemma map_of_union:
   3.799 +  assumes "isrbt s" "st t"
   3.800 +  shows "map_of (union s t) = map_of s ++ map_of t"
   3.801 +using assms
   3.802 +proof (induct t arbitrary: s)
   3.803 +  case Empty thus ?case by (auto simp: union_def)
   3.804 +next
   3.805 +  case (Tr c l k v r s)
   3.806 +  hence strl: "st r" "st l" "l |\<guillemotleft> k" "k \<guillemotleft>| r" by auto
   3.807 +
   3.808 +  have meq: "map_of s(k \<mapsto> v) ++ map_of l ++ map_of r =
   3.809 +    map_of s ++
   3.810 +    (\<lambda>a. if a < k then map_of l a
   3.811 +    else if k < a then map_of r a else Some v)" (is "?m1 = ?m2")
   3.812 +  proof (rule ext)
   3.813 +    fix a
   3.814 +
   3.815 +   have "k < a \<or> k = a \<or> k > a" by auto
   3.816 +    thus "?m1 a = ?m2 a"
   3.817 +    proof (elim disjE)
   3.818 +      assume "k < a"
   3.819 +      with `l |\<guillemotleft> k` have "l |\<guillemotleft> a" by (rule tlt_trans)
   3.820 +      with `k < a` show ?thesis
   3.821 +        by (auto simp: map_add_def split: option.splits)
   3.822 +    next
   3.823 +      assume "k = a"
   3.824 +      with `l |\<guillemotleft> k` `k \<guillemotleft>| r` 
   3.825 +      show ?thesis by (auto simp: map_add_def)
   3.826 +    next
   3.827 +      assume "a < k"
   3.828 +      from this `k \<guillemotleft>| r` have "a \<guillemotleft>| r" by (rule tgt_trans)
   3.829 +      with `a < k` show ?thesis
   3.830 +        by (auto simp: map_add_def split: option.splits)
   3.831 +    qed
   3.832 +  qed
   3.833 +
   3.834 +  from Tr
   3.835 +  have IHs:
   3.836 +    "map_of (union (union (insrt k v s) l) r) = map_of (union (insrt k v s) l) ++ map_of r"
   3.837 +    "map_of (union (insrt k v s) l) = map_of (insrt k v s) ++ map_of l"
   3.838 +    by (auto intro: union_isrbt insrt_isrbt)
   3.839 +  
   3.840 +  with meq show ?case
   3.841 +    by (auto simp: map_of_insert[OF Tr(3)])
   3.842 +qed
   3.843 +
   3.844 +subsection {* Adjust *}
   3.845 +
   3.846 +primrec
   3.847 +  adjustwithkey :: "('a \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a\<Colon>linorder) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'b) rbt"
   3.848 +where
   3.849 +  "adjustwithkey f k Empty = Empty"
   3.850 +| "adjustwithkey f k (Tr c lt x v rt) = (if k < x then (Tr c (adjustwithkey f k lt) x v rt) else if k > x then (Tr c lt x v (adjustwithkey f k rt)) else (Tr c lt x (f x v) rt))"
   3.851 +
   3.852 +lemma adjustwk_treec: "treec (adjustwithkey f k t) = treec t" by (induct t) simp+
   3.853 +lemma adjustwk_inv1: "inv1 (adjustwithkey f k t) = inv1 t" by (induct t) (simp add: adjustwk_treec)+
   3.854 +lemma adjustwk_inv2: "inv2 (adjustwithkey f k t) = inv2 t" "bh (adjustwithkey f k t) = bh t" by (induct t) simp+
   3.855 +lemma adjustwk_tgt: "tgt k (adjustwithkey f kk t) = tgt k t" by (induct t) simp+
   3.856 +lemma adjustwk_tlt: "tlt k (adjustwithkey f kk t) = tlt k t" by (induct t) simp+
   3.857 +lemma adjustwk_st: "st (adjustwithkey f k t) = st t" by (induct t) (simp add: adjustwk_tlt adjustwk_tgt)+
   3.858 +
   3.859 +theorem adjustwk_isrbt[simp]: "isrbt (adjustwithkey f k t) = isrbt t" 
   3.860 +unfolding isrbt_def by (simp add: adjustwk_inv2 adjustwk_treec adjustwk_st adjustwk_inv1 )
   3.861 +
   3.862 +theorem adjustwithkey_map[simp]:
   3.863 +  "map_of (adjustwithkey f k t) x = 
   3.864 +  (if x = k then case map_of t x of None \<Rightarrow> None | Some y \<Rightarrow> Some (f k y)
   3.865 +            else map_of t x)"
   3.866 +by (induct t arbitrary: x) (auto split:option.splits)
   3.867 +
   3.868 +definition adjust where
   3.869 +  "adjust f = adjustwithkey (\<lambda>_. f)"
   3.870 +
   3.871 +theorem adjust_isrbt[simp]: "isrbt (adjust f k t) = isrbt t" unfolding adjust_def by simp
   3.872 +
   3.873 +theorem adjust_map[simp]:
   3.874 +  "map_of (adjust f k t) x = 
   3.875 +  (if x = k then case map_of t x of None \<Rightarrow> None | Some y \<Rightarrow> Some (f y)
   3.876 +            else map_of t x)"
   3.877 +unfolding adjust_def by simp
   3.878 +
   3.879 +subsection {* Map *}
   3.880 +
   3.881 +primrec
   3.882 +  mapwithkey :: "('a::linorder \<Rightarrow> 'b \<Rightarrow> 'c) \<Rightarrow> ('a,'b) rbt \<Rightarrow> ('a,'c) rbt"
   3.883 +where
   3.884 +  "mapwithkey f Empty = Empty"
   3.885 +| "mapwithkey f (Tr c lt k v rt) = Tr c (mapwithkey f lt) k (f k v) (mapwithkey f rt)"
   3.886 +
   3.887 +theorem mapwk_keys[simp]: "keys (mapwithkey f t) = keys t" by (induct t) auto
   3.888 +lemma mapwk_tgt: "tgt k (mapwithkey f t) = tgt k t" by (induct t) simp+
   3.889 +lemma mapwk_tlt: "tlt k (mapwithkey f t) = tlt k t" by (induct t) simp+
   3.890 +lemma mapwk_st: "st (mapwithkey f t) = st t"  by (induct t) (simp add: mapwk_tlt mapwk_tgt)+
   3.891 +lemma mapwk_treec: "treec (mapwithkey f t) = treec t" by (induct t) simp+
   3.892 +lemma mapwk_inv1: "inv1 (mapwithkey f t) = inv1 t" by (induct t) (simp add: mapwk_treec)+
   3.893 +lemma mapwk_inv2: "inv2 (mapwithkey f t) = inv2 t" "bh (mapwithkey f t) = bh t" by (induct t) simp+
   3.894 +theorem mapwk_isrbt[simp]: "isrbt (mapwithkey f t) = isrbt t" 
   3.895 +unfolding isrbt_def by (simp add: mapwk_inv1 mapwk_inv2 mapwk_st mapwk_treec)
   3.896 +
   3.897 +theorem map_of_mapwk[simp]: "map_of (mapwithkey f t) x = option_map (f x) (map_of t x)"
   3.898 +by (induct t) auto
   3.899 +
   3.900 +definition map
   3.901 +where map_def: "map f == mapwithkey (\<lambda>_. f)"
   3.902 +
   3.903 +theorem map_keys[simp]: "keys (map f t) = keys t" unfolding map_def by simp
   3.904 +theorem map_isrbt[simp]: "isrbt (map f t) = isrbt t" unfolding map_def by simp
   3.905 +theorem map_of_map[simp]: "map_of (map f t) = option_map f o map_of t"
   3.906 +  by (rule ext) (simp add:map_def)
   3.907 +
   3.908 +subsection {* Fold *}
   3.909 +
   3.910 +text {* The following is still incomplete... *}
   3.911 +
   3.912 +primrec
   3.913 +  foldwithkey :: "('a::linorder \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'c) \<Rightarrow> ('a,'b) rbt \<Rightarrow> 'c \<Rightarrow> 'c"
   3.914 +where
   3.915 +  "foldwithkey f Empty v = v"
   3.916 +| "foldwithkey f (Tr c lt k x rt) v = foldwithkey f rt (f k x (foldwithkey f lt v))"
   3.917 +
   3.918 +primrec alist_of
   3.919 +where 
   3.920 +  "alist_of Empty = []"
   3.921 +| "alist_of (Tr _ l k v r) = alist_of l @ (k,v) # alist_of r"
   3.922 +
   3.923 +lemma map_of_alist_of:
   3.924 +  shows "st t \<Longrightarrow> Map.map_of (alist_of t) = map_of t"
   3.925 +  oops
   3.926 +
   3.927 +lemma fold_alist_fold:
   3.928 +  "foldwithkey f t x = foldl (\<lambda>x (k,v). f k v x) x (alist_of t)"
   3.929 +by (induct t arbitrary: x) auto
   3.930 +
   3.931 +lemma alist_pit[simp]: "(k, v) \<in> set (alist_of t) = pin_tree k v t"
   3.932 +by (induct t) auto
   3.933 +
   3.934 +lemma sorted_alist:
   3.935 +  "st t \<Longrightarrow> sorted (List.map fst (alist_of t))"
   3.936 +by (induct t) 
   3.937 +  (force simp: sorted_append sorted_Cons tlgt_props 
   3.938 +      dest!:pint_keys)+
   3.939 +
   3.940 +lemma distinct_alist:
   3.941 +  "st t \<Longrightarrow> distinct (List.map fst (alist_of t))"
   3.942 +by (induct t) 
   3.943 +  (force simp: sorted_append sorted_Cons tlgt_props 
   3.944 +      dest!:pint_keys)+
   3.945 +(*>*)
   3.946 +
   3.947 +text {* 
   3.948 +  This theory defines purely functional red-black trees which can be
   3.949 +  used as an efficient representation of finite maps.
   3.950 +*}
   3.951 +
   3.952 +subsection {* Data type and invariant *}
   3.953 +
   3.954 +text {*
   3.955 +  The type @{typ "('k, 'v) rbt"} denotes red-black trees with keys of
   3.956 +  type @{typ "'k"} and values of type @{typ "'v"}. To function
   3.957 +  properly, the key type must belong to the @{text "linorder"} class.
   3.958 +
   3.959 +  A value @{term t} of this type is a valid red-black tree if it
   3.960 +  satisfies the invariant @{text "isrbt t"}.
   3.961 +  This theory provides lemmas to prove that the invariant is
   3.962 +  satisfied throughout the computation.
   3.963 +
   3.964 +  The interpretation function @{const "map_of"} returns the partial
   3.965 +  map represented by a red-black tree:
   3.966 +  @{term_type[display] "map_of"}
   3.967 +
   3.968 +  This function should be used for reasoning about the semantics of the RBT
   3.969 +  operations. Furthermore, it implements the lookup functionality for
   3.970 +  the data structure: It is executable and the lookup is performed in
   3.971 +  $O(\log n)$.  
   3.972 +*}
   3.973 +
   3.974 +subsection {* Operations *}
   3.975 +
   3.976 +text {*
   3.977 +  Currently, the following operations are supported:
   3.978 +
   3.979 +  @{term_type[display] "Empty"}
   3.980 +  Returns the empty tree. $O(1)$
   3.981 +
   3.982 +  @{term_type[display] "insrt"}
   3.983 +  Updates the map at a given position. $O(\log n)$
   3.984 +
   3.985 +  @{term_type[display] "delete"}
   3.986 +  Deletes a map entry at a given position. $O(\log n)$
   3.987 +
   3.988 +  @{term_type[display] "union"}
   3.989 +  Forms the union of two trees, preferring entries from the first one.
   3.990 +
   3.991 +  @{term_type[display] "map"}
   3.992 +  Maps a function over the values of a map. $O(n)$
   3.993 +*}
   3.994 +
   3.995 +
   3.996 +subsection {* Invariant preservation *}
   3.997 +
   3.998 +text {*
   3.999 +  \noindent
  3.1000 +  @{thm Empty_isrbt}\hfill(@{text "Empty_isrbt"})
  3.1001 +
  3.1002 +  \noindent
  3.1003 +  @{thm insrt_isrbt}\hfill(@{text "insrt_isrbt"})
  3.1004 +
  3.1005 +  \noindent
  3.1006 +  @{thm delete_isrbt}\hfill(@{text "delete_isrbt"})
  3.1007 +
  3.1008 +  \noindent
  3.1009 +  @{thm union_isrbt}\hfill(@{text "union_isrbt"})
  3.1010 +
  3.1011 +  \noindent
  3.1012 +  @{thm map_isrbt}\hfill(@{text "map_isrbt"})
  3.1013 +*}
  3.1014 +
  3.1015 +subsection {* Map Semantics *}
  3.1016 +
  3.1017 +text {*
  3.1018 +  \noindent
  3.1019 +  \underline{@{text "map_of_Empty"}}
  3.1020 +  @{thm[display] map_of_Empty}
  3.1021 +  \vspace{1ex}
  3.1022 +
  3.1023 +  \noindent
  3.1024 +  \underline{@{text "map_of_insert"}}
  3.1025 +  @{thm[display] map_of_insert}
  3.1026 +  \vspace{1ex}
  3.1027 +
  3.1028 +  \noindent
  3.1029 +  \underline{@{text "map_of_delete"}}
  3.1030 +  @{thm[display] map_of_delete}
  3.1031 +  \vspace{1ex}
  3.1032 +
  3.1033 +  \noindent
  3.1034 +  \underline{@{text "map_of_union"}}
  3.1035 +  @{thm[display] map_of_union}
  3.1036 +  \vspace{1ex}
  3.1037 +
  3.1038 +  \noindent
  3.1039 +  \underline{@{text "map_of_map"}}
  3.1040 +  @{thm[display] map_of_map}
  3.1041 +  \vspace{1ex}
  3.1042 +*}
  3.1043 +
  3.1044 +end