(* Title: HOL/Library/RBT_Impl.thy
Author: Markus Reiter, TU Muenchen
Author: Alexander Krauss, TU Muenchen
*)
header {* Implementation of Red-Black Trees *}
theory RBT_Impl
imports Main
begin
text {*
For applications, you should use theory @{text RBT} which defines
an abstract type of red-black tree obeying the invariant.
*}
subsection {* Datatype of RB trees *}
datatype color = R | B
datatype ('a, 'b) rbt = Empty | Branch color "('a, 'b) rbt" 'a 'b "('a, 'b) rbt"
lemma rbt_cases:
obtains (Empty) "t = Empty"
| (Red) l k v r where "t = Branch R l k v r"
| (Black) l k v r where "t = Branch B l k v r"
proof (cases t)
case Empty with that show thesis by blast
next
case (Branch c) with that show thesis by (cases c) blast+
qed
subsection {* Tree properties *}
subsubsection {* Content of a tree *}
primrec entries :: "('a, 'b) rbt \ ('a \ 'b) list"
where
"entries Empty = []"
| "entries (Branch _ l k v r) = entries l @ (k,v) # entries r"
abbreviation (input) entry_in_tree :: "'a \ 'b \ ('a, 'b) rbt \ bool"
where
"entry_in_tree k v t \ (k, v) \ set (entries t)"
definition keys :: "('a, 'b) rbt \ 'a list" where
"keys t = map fst (entries t)"
lemma keys_simps [simp, code]:
"keys Empty = []"
"keys (Branch c l k v r) = keys l @ k # keys r"
by (simp_all add: keys_def)
lemma entry_in_tree_keys:
assumes "(k, v) \ set (entries t)"
shows "k \ set (keys t)"
proof -
from assms have "fst (k, v) \ fst ` set (entries t)" by (rule imageI)
then show ?thesis by (simp add: keys_def)
qed
lemma keys_entries:
"k \ set (keys t) \ (\v. (k, v) \ set (entries t))"
by (auto intro: entry_in_tree_keys) (auto simp add: keys_def)
subsubsection {* Search tree properties *}
definition tree_less :: "'a\order \ ('a, 'b) rbt \ bool"
where
tree_less_prop: "tree_less k t \ (\x\set (keys t). x < k)"
abbreviation tree_less_symbol (infix "|\" 50)
where "t |\ x \ tree_less x t"
definition tree_greater :: "'a\order \ ('a, 'b) rbt \ bool" (infix "\|" 50)
where
tree_greater_prop: "tree_greater k t = (\x\set (keys t). k < x)"
lemma tree_less_simps [simp]:
"tree_less k Empty = True"
"tree_less k (Branch c lt kt v rt) \ kt < k \ tree_less k lt \ tree_less k rt"
by (auto simp add: tree_less_prop)
lemma tree_greater_simps [simp]:
"tree_greater k Empty = True"
"tree_greater k (Branch c lt kt v rt) \ k < kt \ tree_greater k lt \ tree_greater k rt"
by (auto simp add: tree_greater_prop)
lemmas tree_ord_props = tree_less_prop tree_greater_prop
lemmas tree_greater_nit = tree_greater_prop entry_in_tree_keys
lemmas tree_less_nit = tree_less_prop entry_in_tree_keys
lemma tree_less_eq_trans: "l |\ u \ u \ v \ l |\ v"
and tree_less_trans: "t |\ x \ x < y \ t |\ y"
and tree_greater_eq_trans: "u \ v \ v \| r \ u \| r"
and tree_greater_trans: "x < y \ y \| t \ x \| t"
by (auto simp: tree_ord_props)
primrec sorted :: "('a::linorder, 'b) rbt \ bool"
where
"sorted Empty = True"
| "sorted (Branch c l k v r) = (l |\ k \ k \| r \ sorted l \ sorted r)"
lemma sorted_entries:
"sorted t \ List.sorted (List.map fst (entries t))"
by (induct t)
(force simp: sorted_append sorted_Cons tree_ord_props
dest!: entry_in_tree_keys)+
lemma distinct_entries:
"sorted t \ distinct (List.map fst (entries t))"
by (induct t)
(force simp: sorted_append sorted_Cons tree_ord_props
dest!: entry_in_tree_keys)+
subsubsection {* Tree lookup *}
primrec lookup :: "('a\linorder, 'b) rbt \ 'a \ 'b"
where
"lookup Empty k = None"
| "lookup (Branch _ l x y r) k = (if k < x then lookup l k else if x < k then lookup r k else Some y)"
lemma lookup_keys: "sorted t \ dom (lookup t) = set (keys t)"
by (induct t) (auto simp: dom_def tree_greater_prop tree_less_prop)
lemma dom_lookup_Branch:
"sorted (Branch c t1 k v t2) \
dom (lookup (Branch c t1 k v t2))
= Set.insert k (dom (lookup t1) \ dom (lookup t2))"
proof -
assume "sorted (Branch c t1 k v t2)"
moreover from this have "sorted t1" "sorted t2" by simp_all
ultimately show ?thesis by (simp add: lookup_keys)
qed
lemma finite_dom_lookup [simp, intro!]: "finite (dom (lookup t))"
proof (induct t)
case Empty then show ?case by simp
next
case (Branch color t1 a b t2)
let ?A = "Set.insert a (dom (lookup t1) \ dom (lookup t2))"
have "dom (lookup (Branch color t1 a b t2)) \ ?A" by (auto split: split_if_asm)
moreover from Branch have "finite (insert a (dom (lookup t1) \ dom (lookup t2)))" by simp
ultimately show ?case by (rule finite_subset)
qed
lemma lookup_tree_less[simp]: "t |\ k \ lookup t k = None"
by (induct t) auto
lemma lookup_tree_greater[simp]: "k \| t \ lookup t k = None"
by (induct t) auto
lemma lookup_Empty: "lookup Empty = empty"
by (rule ext) simp
lemma map_of_entries:
"sorted t \ map_of (entries t) = lookup t"
proof (induct t)
case Empty thus ?case by (simp add: lookup_Empty)
next
case (Branch c t1 k v t2)
have "lookup (Branch c t1 k v t2) = lookup t2 ++ [k\v] ++ lookup t1"
proof (rule ext)
fix x
from Branch have SORTED: "sorted (Branch c t1 k v t2)" by simp
let ?thesis = "lookup (Branch c t1 k v t2) x = (lookup t2 ++ [k \ v] ++ lookup t1) x"
have DOM_T1: "!!k'. k'\dom (lookup t1) \ k>k'"
proof -
fix k'
from SORTED have "t1 |\ k" by simp
with tree_less_prop have "\k'\set (keys t1). k>k'" by auto
moreover assume "k'\dom (lookup t1)"
ultimately show "k>k'" using lookup_keys SORTED by auto
qed
have DOM_T2: "!!k'. k'\dom (lookup t2) \ k| t2" by simp
with tree_greater_prop have "\k'\set (keys t2). kdom (lookup t2)"
ultimately show "kdom [k\v]" by simp
moreover have "x\dom (lookup t2)" proof
assume "x\dom (lookup t2)"
with DOM_T2 have "k v] x" by simp
moreover have "x\dom (lookup t1)" proof
assume "x\dom (lookup t1)"
with DOM_T1 have "k>x" by blast
thus False by simp
qed
ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
} moreover {
assume C: "x>k"
hence "lookup (Branch c t1 k v t2) x = lookup t2 x" by (simp add: less_not_sym[of k x])
moreover from C have "x\dom [k\v]" by simp
moreover have "x\dom (lookup t1)" proof
assume "x\dom (lookup t1)"
with DOM_T1 have "k>x" by simp
with C show False by simp
qed
ultimately have ?thesis by (simp add: map_add_upd_left map_add_dom_app_simps)
} ultimately show ?thesis using less_linear by blast
qed
also from Branch have "lookup t2 ++ [k \ v] ++ lookup t1 = map_of (entries (Branch c t1 k v t2))" by simp
finally show ?case by simp
qed
lemma lookup_in_tree: "sorted t \ lookup t k = Some v \ (k, v) \ set (entries t)"
by (simp add: map_of_entries [symmetric] distinct_entries)
lemma set_entries_inject:
assumes sorted: "sorted t1" "sorted t2"
shows "set (entries t1) = set (entries t2) \ entries t1 = entries t2"
proof -
from sorted have "distinct (map fst (entries t1))"
"distinct (map fst (entries t2))"
by (auto intro: distinct_entries)
with sorted show ?thesis
by (auto intro: map_sorted_distinct_set_unique sorted_entries simp add: distinct_map)
qed
lemma entries_eqI:
assumes sorted: "sorted t1" "sorted t2"
assumes lookup: "lookup t1 = lookup t2"
shows "entries t1 = entries t2"
proof -
from sorted lookup have "map_of (entries t1) = map_of (entries t2)"
by (simp add: map_of_entries)
with sorted have "set (entries t1) = set (entries t2)"
by (simp add: map_of_inject_set distinct_entries)
with sorted show ?thesis by (simp add: set_entries_inject)
qed
lemma entries_lookup:
assumes "sorted t1" "sorted t2"
shows "entries t1 = entries t2 \ lookup t1 = lookup t2"
using assms by (auto intro: entries_eqI simp add: map_of_entries [symmetric])
lemma lookup_from_in_tree:
assumes "sorted t1" "sorted t2"
and "\v. (k\'a\linorder, v) \ set (entries t1) \ (k, v) \ set (entries t2)"
shows "lookup t1 k = lookup t2 k"
proof -
from assms have "k \ dom (lookup t1) \ k \ dom (lookup t2)"
by (simp add: keys_entries lookup_keys)
with assms show ?thesis by (auto simp add: lookup_in_tree [symmetric])
qed
subsubsection {* Red-black properties *}
primrec color_of :: "('a, 'b) rbt \ color"
where
"color_of Empty = B"
| "color_of (Branch c _ _ _ _) = c"
primrec bheight :: "('a,'b) rbt \ nat"
where
"bheight Empty = 0"
| "bheight (Branch c lt k v rt) = (if c = B then Suc (bheight lt) else bheight lt)"
primrec inv1 :: "('a, 'b) rbt \ bool"
where
"inv1 Empty = True"
| "inv1 (Branch c lt k v rt) \ inv1 lt \ inv1 rt \ (c = B \ color_of lt = B \ color_of rt = B)"
primrec inv1l :: "('a, 'b) rbt \ bool" -- {* Weaker version *}
where
"inv1l Empty = True"
| "inv1l (Branch c l k v r) = (inv1 l \ inv1 r)"
lemma [simp]: "inv1 t \ inv1l t" by (cases t) simp+
primrec inv2 :: "('a, 'b) rbt \ bool"
where
"inv2 Empty = True"
| "inv2 (Branch c lt k v rt) = (inv2 lt \ inv2 rt \ bheight lt = bheight rt)"
definition is_rbt :: "('a\linorder, 'b) rbt \ bool" where
"is_rbt t \ inv1 t \ inv2 t \ color_of t = B \ sorted t"
lemma is_rbt_sorted [simp]:
"is_rbt t \ sorted t" by (simp add: is_rbt_def)
theorem Empty_is_rbt [simp]:
"is_rbt Empty" by (simp add: is_rbt_def)
subsection {* Insertion *}
fun (* slow, due to massive case splitting *)
balance :: "('a,'b) rbt \ 'a \ 'b \ ('a,'b) rbt \ ('a,'b) rbt"
where
"balance (Branch R a w x b) s t (Branch R c y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
"balance (Branch R (Branch R a w x b) s t c) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
"balance (Branch R a w x (Branch R b s t c)) y z d = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
"balance a w x (Branch R b s t (Branch R c y z d)) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
"balance a w x (Branch R (Branch R b s t c) y z d) = Branch R (Branch B a w x b) s t (Branch B c y z d)" |
"balance a s t b = Branch B a s t b"
lemma balance_inv1: "\inv1l l; inv1l r\ \ inv1 (balance l k v r)"
by (induct l k v r rule: balance.induct) auto
lemma balance_bheight: "bheight l = bheight r \ bheight (balance l k v r) = Suc (bheight l)"
by (induct l k v r rule: balance.induct) auto
lemma balance_inv2:
assumes "inv2 l" "inv2 r" "bheight l = bheight r"
shows "inv2 (balance l k v r)"
using assms
by (induct l k v r rule: balance.induct) auto
lemma balance_tree_greater[simp]: "(v \| balance a k x b) = (v \| a \ v \| b \ v < k)"
by (induct a k x b rule: balance.induct) auto
lemma balance_tree_less[simp]: "(balance a k x b |\ v) = (a |\ v \ b |\ v \ k < v)"
by (induct a k x b rule: balance.induct) auto
lemma balance_sorted:
fixes k :: "'a::linorder"
assumes "sorted l" "sorted r" "l |\ k" "k \| r"
shows "sorted (balance l k v r)"
using assms proof (induct l k v r rule: balance.induct)
case ("2_2" a x w b y t c z s va vb vd vc)
hence "y < z \ z \| Branch B va vb vd vc"
by (auto simp add: tree_ord_props)
hence "tree_greater y (Branch B va vb vd vc)" by (blast dest: tree_greater_trans)
with "2_2" show ?case by simp
next
case ("3_2" va vb vd vc x w b y s c z)
from "3_2" have "x < y \ tree_less x (Branch B va vb vd vc)"
by simp
hence "tree_less y (Branch B va vb vd vc)" by (blast dest: tree_less_trans)
with "3_2" show ?case by simp
next
case ("3_3" x w b y s c z t va vb vd vc)
from "3_3" have "y < z \ tree_greater z (Branch B va vb vd vc)" by simp
hence "tree_greater y (Branch B va vb vd vc)" by (blast dest: tree_greater_trans)
with "3_3" show ?case by simp
next
case ("3_4" vd ve vg vf x w b y s c z t va vb vii vc)
hence "x < y \ tree_less x (Branch B vd ve vg vf)" by simp
hence 1: "tree_less y (Branch B vd ve vg vf)" by (blast dest: tree_less_trans)
from "3_4" have "y < z \ tree_greater z (Branch B va vb vii vc)" by simp
hence "tree_greater y (Branch B va vb vii vc)" by (blast dest: tree_greater_trans)
with 1 "3_4" show ?case by simp
next
case ("4_2" va vb vd vc x w b y s c z t dd)
hence "x < y \ tree_less x (Branch B va vb vd vc)" by simp
hence "tree_less y (Branch B va vb vd vc)" by (blast dest: tree_less_trans)
with "4_2" show ?case by simp
next
case ("5_2" x w b y s c z t va vb vd vc)
hence "y < z \ tree_greater z (Branch B va vb vd vc)" by simp
hence "tree_greater y (Branch B va vb vd vc)" by (blast dest: tree_greater_trans)
with "5_2" show ?case by simp
next
case ("5_3" va vb vd vc x w b y s c z t)
hence "x < y \ tree_less x (Branch B va vb vd vc)" by simp
hence "tree_less y (Branch B va vb vd vc)" by (blast dest: tree_less_trans)
with "5_3" show ?case by simp
next
case ("5_4" va vb vg vc x w b y s c z t vd ve vii vf)
hence "x < y \ tree_less x (Branch B va vb vg vc)" by simp
hence 1: "tree_less y (Branch B va vb vg vc)" by (blast dest: tree_less_trans)
from "5_4" have "y < z \ tree_greater z (Branch B vd ve vii vf)" by simp
hence "tree_greater y (Branch B vd ve vii vf)" by (blast dest: tree_greater_trans)
with 1 "5_4" show ?case by simp
qed simp+
lemma entries_balance [simp]:
"entries (balance l k v r) = entries l @ (k, v) # entries r"
by (induct l k v r rule: balance.induct) auto
lemma keys_balance [simp]:
"keys (balance l k v r) = keys l @ k # keys r"
by (simp add: keys_def)
lemma balance_in_tree:
"entry_in_tree k x (balance l v y r) \ entry_in_tree k x l \ k = v \ x = y \ entry_in_tree k x r"
by (auto simp add: keys_def)
lemma lookup_balance[simp]:
fixes k :: "'a::linorder"
assumes "sorted l" "sorted r" "l |\ k" "k \| r"
shows "lookup (balance l k v r) x = lookup (Branch B l k v r) x"
by (rule lookup_from_in_tree) (auto simp:assms balance_in_tree balance_sorted)
primrec paint :: "color \ ('a,'b) rbt \ ('a,'b) rbt"
where
"paint c Empty = Empty"
| "paint c (Branch _ l k v r) = Branch c l k v r"
lemma paint_inv1l[simp]: "inv1l t \ inv1l (paint c t)" by (cases t) auto
lemma paint_inv1[simp]: "inv1l t \ inv1 (paint B t)" by (cases t) auto
lemma paint_inv2[simp]: "inv2 t \ inv2 (paint c t)" by (cases t) auto
lemma paint_color_of[simp]: "color_of (paint B t) = B" by (cases t) auto
lemma paint_sorted[simp]: "sorted t \ sorted (paint c t)" by (cases t) auto
lemma paint_in_tree[simp]: "entry_in_tree k x (paint c t) = entry_in_tree k x t" by (cases t) auto
lemma paint_lookup[simp]: "lookup (paint c t) = lookup t" by (rule ext) (cases t, auto)
lemma paint_tree_greater[simp]: "(v \| paint c t) = (v \| t)" by (cases t) auto
lemma paint_tree_less[simp]: "(paint c t |\ v) = (t |\ v)" by (cases t) auto
fun
ins :: "('a\linorder \ 'b \ 'b \ 'b) \ 'a \ 'b \ ('a,'b) rbt \ ('a,'b) rbt"
where
"ins f k v Empty = Branch R Empty k v Empty" |
"ins f k v (Branch B l x y r) = (if k < x then balance (ins f k v l) x y r
else if k > x then balance l x y (ins f k v r)
else Branch B l x (f k y v) r)" |
"ins f k v (Branch R l x y r) = (if k < x then Branch R (ins f k v l) x y r
else if k > x then Branch R l x y (ins f k v r)
else Branch R l x (f k y v) r)"
lemma ins_inv1_inv2:
assumes "inv1 t" "inv2 t"
shows "inv2 (ins f k x t)" "bheight (ins f k x t) = bheight t"
"color_of t = B \ inv1 (ins f k x t)" "inv1l (ins f k x t)"
using assms
by (induct f k x t rule: ins.induct) (auto simp: balance_inv1 balance_inv2 balance_bheight)
lemma ins_tree_greater[simp]: "(v \| ins f k x t) = (v \| t \ k > v)"
by (induct f k x t rule: ins.induct) auto
lemma ins_tree_less[simp]: "(ins f k x t |\ v) = (t |\ v \ k < v)"
by (induct f k x t rule: ins.induct) auto
lemma ins_sorted[simp]: "sorted t \ sorted (ins f k x t)"
by (induct f k x t rule: ins.induct) (auto simp: balance_sorted)
lemma keys_ins: "set (keys (ins f k v t)) = { k } \ set (keys t)"
by (induct f k v t rule: ins.induct) auto
lemma lookup_ins:
fixes k :: "'a::linorder"
assumes "sorted t"
shows "lookup (ins f k v t) x = ((lookup t)(k |-> case lookup t k of None \ v
| Some w \ f k w v)) x"
using assms by (induct f k v t rule: ins.induct) auto
definition
insert_with_key :: "('a\linorder \ 'b \ 'b \ 'b) \ 'a \ 'b \ ('a,'b) rbt \ ('a,'b) rbt"
where
"insert_with_key f k v t = paint B (ins f k v t)"
lemma insertwk_sorted: "sorted t \ sorted (insert_with_key f k x t)"
by (auto simp: insert_with_key_def)
theorem insertwk_is_rbt:
assumes inv: "is_rbt t"
shows "is_rbt (insert_with_key f k x t)"
using assms
unfolding insert_with_key_def is_rbt_def
by (auto simp: ins_inv1_inv2)
lemma lookup_insertwk:
assumes "sorted t"
shows "lookup (insert_with_key f k v t) x = ((lookup t)(k |-> case lookup t k of None \ v
| Some w \ f k w v)) x"
unfolding insert_with_key_def using assms
by (simp add:lookup_ins)
definition
insertw_def: "insert_with f = insert_with_key (\_. f)"
lemma insertw_sorted: "sorted t \ sorted (insert_with f k v t)" by (simp add: insertwk_sorted insertw_def)
theorem insertw_is_rbt: "is_rbt t \ is_rbt (insert_with f k v t)" by (simp add: insertwk_is_rbt insertw_def)
lemma lookup_insertw:
assumes "is_rbt t"
shows "lookup (insert_with f k v t) = (lookup t)(k \ (if k:dom (lookup t) then f (the (lookup t k)) v else v))"
using assms
unfolding insertw_def
by (rule_tac ext) (cases "lookup t k", auto simp:lookup_insertwk dom_def)
definition insert :: "'a\linorder \ 'b \ ('a, 'b) rbt \ ('a, 'b) rbt" where
"insert = insert_with_key (\_ _ nv. nv)"
lemma insert_sorted: "sorted t \ sorted (insert k v t)" by (simp add: insertwk_sorted insert_def)
theorem insert_is_rbt [simp]: "is_rbt t \ is_rbt (insert k v t)" by (simp add: insertwk_is_rbt insert_def)
lemma lookup_insert:
assumes "is_rbt t"
shows "lookup (insert k v t) = (lookup t)(k\v)"
unfolding insert_def
using assms
by (rule_tac ext) (simp add: lookup_insertwk split:option.split)
subsection {* Deletion *}
lemma bheight_paintR'[simp]: "color_of t = B \ bheight (paint R t) = bheight t - 1"
by (cases t rule: rbt_cases) auto
fun
balance_left :: "('a,'b) rbt \ 'a \ 'b \ ('a,'b) rbt \ ('a,'b) rbt"
where
"balance_left (Branch R a k x b) s y c = Branch R (Branch B a k x b) s y c" |
"balance_left bl k x (Branch B a s y b) = balance bl k x (Branch R a s y b)" |
"balance_left bl k x (Branch R (Branch B a s y b) t z c) = Branch R (Branch B bl k x a) s y (balance b t z (paint R c))" |
"balance_left t k x s = Empty"
lemma balance_left_inv2_with_inv1:
assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "inv1 rt"
shows "bheight (balance_left lt k v rt) = bheight lt + 1"
and "inv2 (balance_left lt k v rt)"
using assms
by (induct lt k v rt rule: balance_left.induct) (auto simp: balance_inv2 balance_bheight)
lemma balance_left_inv2_app:
assumes "inv2 lt" "inv2 rt" "bheight lt + 1 = bheight rt" "color_of rt = B"
shows "inv2 (balance_left lt k v rt)"
"bheight (balance_left lt k v rt) = bheight rt"
using assms
by (induct lt k v rt rule: balance_left.induct) (auto simp add: balance_inv2 balance_bheight)+
lemma balance_left_inv1: "\inv1l a; inv1 b; color_of b = B\ \ inv1 (balance_left a k x b)"
by (induct a k x b rule: balance_left.induct) (simp add: balance_inv1)+
lemma balance_left_inv1l: "\ inv1l lt; inv1 rt \ \ inv1l (balance_left lt k x rt)"
by (induct lt k x rt rule: balance_left.induct) (auto simp: balance_inv1)
lemma balance_left_sorted: "\ sorted l; sorted r; tree_less k l; tree_greater k r \ \ sorted (balance_left l k v r)"
apply (induct l k v r rule: balance_left.induct)
apply (auto simp: balance_sorted)
apply (unfold tree_greater_prop tree_less_prop)
by force+
lemma balance_left_tree_greater:
fixes k :: "'a::order"
assumes "k \| a" "k \| b" "k < x"
shows "k \| balance_left a x t b"
using assms
by (induct a x t b rule: balance_left.induct) auto
lemma balance_left_tree_less:
fixes k :: "'a::order"
assumes "a |\ k" "b |\ k" "x < k"
shows "balance_left a x t b |\ k"
using assms
by (induct a x t b rule: balance_left.induct) auto
lemma balance_left_in_tree:
assumes "inv1l l" "inv1 r" "bheight l + 1 = bheight r"
shows "entry_in_tree k v (balance_left l a b r) = (entry_in_tree k v l \ k = a \ v = b \ entry_in_tree k v r)"
using assms
by (induct l k v r rule: balance_left.induct) (auto simp: balance_in_tree)
fun
balance_right :: "('a,'b) rbt \ 'a \ 'b \ ('a,'b) rbt \ ('a,'b) rbt"
where
"balance_right a k x (Branch R b s y c) = Branch R a k x (Branch B b s y c)" |
"balance_right (Branch B a k x b) s y bl = balance (Branch R a k x b) s y bl" |
"balance_right (Branch R a k x (Branch B b s y c)) t z bl = Branch R (balance (paint R a) k x b) s y (Branch B c t z bl)" |
"balance_right t k x s = Empty"
lemma balance_right_inv2_with_inv1:
assumes "inv2 lt" "inv2 rt" "bheight lt = bheight rt + 1" "inv1 lt"
shows "inv2 (balance_right lt k v rt) \ bheight (balance_right lt k v rt) = bheight lt"
using assms
by (induct lt k v rt rule: balance_right.induct) (auto simp: balance_inv2 balance_bheight)
lemma balance_right_inv1: "\inv1 a; inv1l b; color_of a = B\