| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/PVS/fault_tolerance/ (Beweissystem der NASA Version 6.0.9©) Datei vom 28.9.2014 mit Größe 10 kB |
|
Quelle AA_Set.thy Sprache: Isabelle |
|||||||||
|
(*
Author: Tobias Nipkow, Daniel Stüwe *) section \<open>AA Tree Implementation of Sets\<close> theory AA_Set imports Isin2 Cmp begin type_synonym 'a aa_tree = "('a*nat) tree" definition empty :: "'a aa_tree" where "empty = Leaf" fun lvl :: "'a aa_tree \ "lvl Leaf = 0" | "lvl (Node _ (_, lv) _) = lv" fun invar :: "'a aa_tree \ "invar Leaf = True" | "invar (Node l (a, h) r) = (invar l \<and> invar r \<and> h = lvl l + 1 \<and> (h = lvl r + 1 \<or> (\<exists>lr b rr. r = Node lr (b,h) rr \<and> h = lvl rr + 1)))" fun skew :: "'a aa_tree \ "skew (Node (Node t1 (b, lvb) t2) (a, lva) t3) = (if lva = lvb then Node t1 (b, lvb) (Node t2 (a, lva) t3) else Node (Node t1 (b, lvb) t2) (a, lva) t3)" "skew t = t" fun split :: "'a aa_tree \ "split (Node t1 (a, lva) (Node t2 (b, lvb) (Node t3 (c, lvc) t4))) = (if lva = lvb \<and> lvb = lvc \<comment> \<open>\<open>lva = lvc\<close> suffices\<close> then Node (Node t1 (a,lva) t2) (b,lva+1) (Node t3 (c, lva) t4) else Node t1 (a,lva) (Node t2 (b,lvb) (Node t3 (c,lvc) t4)))" | "split t = t" hide_const (open) insert fun insert :: "'a::linorder \ "insert x Leaf = Node Leaf (x, 1) Leaf" | "insert x (Node t1 (a,lv) t2) = (case cmp x a of LT \<Rightarrow> split (skew (Node (insert x t1) (a,lv) t2)) | GT \<Rightarrow> split (skew (Node t1 (a,lv) (insert x t2))) | EQ \<Rightarrow> Node t1 (x, lv) t2)" fun sngl :: "'a aa_tree \ "sngl Leaf = False" | "sngl (Node _ _ Leaf) = True" | "sngl (Node _ (_, lva) (Node _ (_, lvb) _)) = (lva > lvb)" definition adjust :: "'a aa_tree \ "adjust t = (case t of Node l (x,lv) r \<Rightarrow> (if lvl l >= lv-1 \<and> lvl r >= lv-1 then t else if lvl r < lv-1 \<and> sngl l then skew (Node l (x,lv-1) r) else if lvl r < lv-1 then case l of Node t1 (a,lva) (Node t2 (b,lvb) t3) \<Rightarrow> Node (Node t1 (a,lva) t2) (b,lvb+1) (Node t3 (x,lv-1) r) else if lvl r < lv then split (Node l (x,lv-1) r) else case r of Node t1 (b,lvb) t4 \<Rightarrow> (case t1 of Node t2 (a,lva) t3 \<Rightarrow> Node (Node l (x,lv-1) t2) (a,lva+1) (split (Node t3 (b, if sngl t1 then lva else lva+1) t4)))))" text\<open>In the paper, the last case of \<^const>\<open>adjust\<close> is expressed with the help o incorrect auxiliary function \texttt{nlvl}. Function \<open>split_max\<close> below is called \texttt{dellrg} in the paper. The latter is incorrect for two reasons: \texttt{dellrg} is meant to delete the largest element but recurses on the left instead of the right subtree; the invariant is not restored.\<close> fun split_max :: "'a aa_tree \ "split_max (Node l (a,lv) Leaf) = (l,a)" | "split_max (Node l (a,lv) r) = (let (r',b) = split_max r in (adjust(Node l (a,lv fun delete :: "'a::linorder \ "delete _ Leaf = Leaf" | "delete x (Node l (a,lv) r) = (case cmp x a of LT \<Rightarrow> adjust (Node (delete x l) (a,lv) r) | GT \<Rightarrow> adjust (Node l (a,lv) (delete x r)) | EQ \<Rightarrow> (if l = Leaf then r else let (l',b) = split_max l in adjust (Node l' (b,lv) r)))" fun pre_adjust where "pre_adjust (Node l (a,lv) r) = (invar l \ ((lv = lvl l + 1 \<and> (lv = lvl r + 1 \<or> lv = lvl r + 2 \<or> lv = lvl r \<and> sngl r)) \<or> (lv = lvl l + 2 \<and> (lv = lvl r + 1 \<or> lv = lvl r \<and> sngl r))))" declare pre_adjust.simps [simp del] subsection "Auxiliary Proofs" lemma split_case: "split t = (case t of Node t1 (x,lvx) (Node t2 (y,lvy) (Node t3 (z,lvz) t4)) \<Rightarrow> (if lvx = lvy \<and> lvy = lvz then Node (Node t1 (x,lvx) t2) (y,lvx+1) (Node t3 (z,lvx) t4) else t) | t \<Rightarrow> t)" by(auto split: tree.split) lemma skew_case: "skew t = (case t of Node (Node t1 (y,lvy) t2) (x,lvx) t3 \<Rightarrow> (if lvx = lvy then Node t1 (y, lvx) (Node t2 (x,lvx) t3) else t) | t \<Rightarrow> t)" by(auto split: tree.split) lemma lvl_0_iff: "invar t \ by(cases t) auto lemma lvl_Suc_iff: "lvl t = Suc n \ by(cases t) auto lemma lvl_skew: "lvl (skew t) = lvl t" by(cases t rule: skew.cases) auto lemma lvl_split: "lvl (split t) = lvl t \ by(cases t rule: split.cases) auto lemma invar_2Nodes:"invar (Node l (x,lv) (Node rl (rx, rlv) rr)) = (invar l \<and> invar \<langle>rl, (rx, rlv), rr\<rangle> \<and> lv = Suc (lvl l) \<and> (lv = Suc rlv \<or> rlv = lv \<and> lv = Suc (lvl rr)))" by simp lemma invar_NodeLeaf[simp]: "invar (Node l (x,lv) Leaf) = (invar l \ by simp lemma sngl_if_invar: "invar (Node l (a, n) r) \ by(cases r rule: sngl.cases) clarsimp+ subsection "Invariance" subsubsection "Proofs for insert" lemma lvl_insert_aux: "lvl (insert x t) = lvl t \ apply(induction t) apply (auto simp: lvl_skew) apply (metis Suc_eq_plus1 lvl.simps(2) lvl_split lvl_skew)+ done lemma lvl_insert: obtains (Same) "lvl (insert x t) = lvl t" | (Incr) "lvl (insert x t) = lvl t + 1" "sngl (insert x t)" using lvl_insert_aux by blast lemma lvl_insert_sngl: "invar t \ proof (induction t rule: insert.induct) case (2 x t1 a lv t2) consider (LT) "x < a" | (GT) "x > a" | (EQ) "x = a" using less_linear by blast thus ?case proof cases case LT thus ?thesis using 2 by (auto simp add: skew_case split_case split: tree.splits) next case GT thus ?thesis using 2 proof (cases t1 rule: tree2_cases) case Node thus ?thesis using 2 GT apply (auto simp add: skew_case split_case split: tree.splits) by (metis less_not_refl2 lvl.simps(2) lvl_insert_aux n_not_Suc_n sngl.simps(3))+ qed (auto simp add: lvl_0_iff) qed simp qed simp lemma skew_invar: "invar t \ by(cases t rule: skew.cases) auto lemma split_invar: "invar t \ by(cases t rule: split.cases) clarsimp+ lemma invar_NodeL: "\ by(auto) lemma invar_NodeR: "\ by(auto) lemma invar_NodeR2: "\ by(cases r' rule: sngl.cases) clarsimp+ lemma lvl_insert_incr_iff: "(lvl(insert a t) = lvl t + 1) \ (\<exists>l x r. insert a t = Node l (x, lvl t + 1) r \<and> lvl l = lvl r)" apply(cases t rule: tree2_cases) apply(auto simp add: skew_case split_case split: if_splits) apply(auto split: tree.splits if_splits) done lemma invar_insert: "invar t \ proof(induction t rule: tree2_induct) case N: (Node l x n r) hence il: "invar l" and ir: "invar r" by auto note iil = N.IH(1)[OF il] note iir = N.IH(2)[OF ir] let ?t = "Node l (x, n) r" have "a < x \ moreover have ?case if "a < x" proof (cases rule: lvl_insert[of a l]) case (Same) thus ?thesis using \<open>a<x\<close> invar_NodeL[OF N.prems iil Same] by (simp add: skew_invar split_invar del: invar.simps) next case (Incr) then obtain t1 w t2 where ial[simp]: "insert a l = Node t1 (w, n) t2" using N.prems by (auto simp: lvl_Suc_iff) have l12: "lvl t1 = lvl t2" by (metis Incr(1) ial lvl_insert_incr_iff tree.inject) have "insert a ?t = split(skew(Node (insert a l) (x,n) r))" by(simp add: \<open>a<x\<close>) also have "skew(Node (insert a l) (x,n) r) = Node t1 (w,n) (Node t2 (x,n) r)" by(simp) also have "invar(split \ proof (cases r rule: tree2_cases) case Leaf hence "l = Leaf" using N.prems by(auto simp: lvl_0_iff) thus ?thesis using Leaf ial by simp next case [simp]: (Node t3 y m t4) show ?thesis (*using N(3) iil l12 by(auto)*) proof cases assume "m = n" thus ?thesis using N(3) iil by(auto) next assume "m \ qed qed finally show ?thesis . qed moreover have ?case if "x < a" proof - from \<open>invar ?t\<close> have "n = lvl r \<or> n = lvl r + 1" by auto thus ?case proof assume 0: "n = lvl r" have "insert a ?t = split(skew(Node l (x, n) (insert a r)))" using \<open>a>x\<close> by(auto) also have "skew(Node l (x,n) (insert a r)) = Node l (x,n) (insert a r)" using N.prems by(simp add: skew_case split: tree.split) also have "invar(split \ proof - from lvl_insert_sngl[OF ir sngl_if_invar[OF \<open>invar ?t\<close> 0], of a] obtain t1 y t2 where iar: "insert a r = Node t1 (y,n) t2" using N.prems 0 by (auto simp: lvl_Suc_iff) from N.prems iar 0 iir show ?thesis by (auto simp: split_case split: tree.splits) qed finally show ?thesis . next assume 1: "n = lvl r + 1" hence "sngl ?t" by(cases r) auto show ?thesis proof (cases rule: lvl_insert[of a r]) case (Same) show ?thesis using \<open>x<a\<close> il ir invar_NodeR[OF N.prems 1 iir Same] by (auto simp add: skew_invar split_invar) next case (Incr) thus ?thesis using invar_NodeR2[OF \<open>invar ?t\<close> Incr(2) 1 iir] 1 \<open>x < a\<close> by (auto simp add: skew_invar split_invar split: if_splits) qed qed qed moreover have "a = x \ ultimately show ?case by blast qed simp subsubsection "Proofs for delete" lemma invarL: "ASSUMPTION(invar \ by(simp add: ASSUMPTION_def) lemma invarR: "ASSUMPTION(invar \ by(simp add: ASSUMPTION_def) lemma sngl_NodeI: "sngl (Node l (a,lv) r) \ by(cases r rule: tree2_cases) (simp_all) declare invarL[simp] invarR[simp] lemma pre_cases: assumes "pre_adjust (Node l (x,lv) r)" obtains (tSngl) "invar l \ lv = Suc (lvl r) \<and> lvl l = lvl r" | (tDouble) "invar l \ lv = lvl r \<and> Suc (lvl l) = lvl r \<and> sngl r " | (rDown) "invar l \ lv = Suc (Suc (lvl r)) \<and> lv = Suc (lvl l)" | (lDown_tSngl) "invar l \ lv = Suc (lvl r) \<and> lv = Suc (Suc (lvl l))" | (lDown_tDouble) "invar l \ lv = lvl r \<and> lv = Suc (Suc (lvl l)) \<and> sngl r" using assms unfolding pre_adjust.simps by auto declare invar.simps(2)[simp del] invar_2Nodes[simp add] lemma invar_adjust: assumes pre: "pre_adjust (Node l (a,lv) r)" shows "invar(adjust (Node l (a,lv) r))" using pre proof (cases rule: pre_cases) case (tDouble) thus ?thesis unfolding adjust_def by (cases r) (auto simp: invar.simps(2)) next case (rDown) from rDown obtain llv ll la lr where l: "l = Node ll (la, llv) lr" by (cases l) auto from rDown show ?thesis unfolding adjust_def by (auto simp: l invar.simps(2) split: tree.spl next case (lDown_tDouble) from lDown_tDouble obtain rlv rr ra rl where r: "r = Node rl (ra, rlv) rr" by (cases r) auto from lDown_tDouble and r obtain rrlv rrr rra rrl where rr :"rr = Node rrr (rra, rrlv) rrl" by (cases rr) auto from lDown_tDouble show ?thesis unfolding adjust_def r rr apply (cases rl rule: tree2_cases) apply (auto simp add: invar.simps(2) split!: if_split) using lDown_tDouble by (auto simp: split_case lvl_0_iff elim:lvl.elims split: tree.split) qed (auto simp: split_case invar.simps(2) adjust_def split: tree.splits) lemma lvl_adjust: assumes "pre_adjust (Node l (a,lv) r)" shows "lv = lvl (adjust(Node l (a,lv) r)) \ using assms(1) proof(cases rule: pre_cases) case lDown_tSngl thus ?thesis using lvl_split[of "\ next case lDown_tDouble thus ?thesis by (auto simp: adjust_def invar.simps(2) split: tree.split) qed (auto simp: adjust_def split: tree.splits) lemma sngl_adjust: assumes "pre_adjust (Node l (a,lv) r)" "sngl \ shows "sngl (adjust \ using assms proof (cases rule: pre_cases) case rDown thus ?thesis using assms(2,3) unfolding adjust_def by (auto simp add: skew_case) (auto split: tree.split) qed (auto simp: adjust_def skew_case split_case split: tree.split) definition "post_del t t' == invar t' \ (lvl t' = lvl t \ (lvl t' = lvl t \ lemma pre_adj_if_postR: "invar\ by(cases "sngl r") (auto simp: pre_adjust.simps post_del_def invar.simps(2) elim: sngl.elims) lemma pre_adj_if_postL: "invar\ by(cases "sngl r") (auto simp: pre_adjust.simps post_del_def invar.simps(2) elim: sngl.elims) lemma post_del_adjL: "\ \<Longrightarrow> post_del \<langle>l, (a, lv), r\<rangle> (adjust \<langle>l', (b, lv), r\<rangle>) unfolding post_del_def by (metis invar_adjust lvl_adjust sngl_NodeI sngl_adjust lvl.simps(2)) lemma post_del_adjR: assumes "invar\ shows "post_del \ proof(unfold post_del_def, safe del: disjCI) let ?t = "\ let ?t' = "adjust \ show "invar ?t'" by(rule invar_adjust[OF assms(2)]) show "lvl ?t' = lvl ?t \ using lvl_adjust[OF assms(2)] by auto show "sngl ?t'" if as: "lvl ?t' = lvl ?t" "sngl ?t" proof - have s: "sngl \ proof(cases r' rule: tree2_cases) case Leaf thus ?thesis by simp next case Node thus ?thesis using as(2) assms(1,3) by (cases r rule: tree2_cases) (auto simp: post_del_def) qed show ?thesis using as(1) sngl_adjust[OF assms(2) s] by simp qed qed declare prod.splits[split] theorem post_split_max: "\ proof (induction t arbitrary: t' rule: split_max.induct) case (2 l a lv rl bl rr) let ?r = "\ let ?t = "\ from "2.prems"(2) obtain r' where r': "(r', x) = split_max ?r" and [simp]: "t' = adjust \ from "2.IH"[OF _ r'] \ note preR = pre_adj_if_postR[OF \<open>invar ?t\<close> post] show ?case by (simp add: post_del_adjR[OF "2.prems"(1) preR post]) qed (auto simp: post_del_def) theorem post_delete: "invar t \ proof (induction t rule: tree2_induct) case (Node l a lv r) let ?l' = "delete x l" and ?r' = "delete x r" let ?t = "Node l (a,lv) r" let ?t' = "delete x ?t" from Node.prems have inv_l: "invar l" and inv_r: "invar r" by (auto) note post_l' = Node.IH(1)[OF inv_l] note preL = pre_adj_if_postL[OF Node.prems post_l'] note post_r' = Node.IH(2)[OF inv_r] note preR = pre_adj_if_postR[OF Node.prems post_r'] show ?case proof (cases rule: linorder_cases[of x a]) case less thus ?thesis using Node.prems by (simp add: post_del_adjL preL) next case greater thus ?thesis using Node.prems by (simp add: post_del_adjR preR post_r') next case equal show ?thesis proof cases assume "l = Leaf" thus ?thesis using equal Node.prems by(auto simp: post_del_def invar.simps(2)) next assume "l \ by simp (metis Node.prems inv_l post_del_adjL post_split_max pre_adj_if_postL) qed qed qed (simp add: post_del_def) declare invar_2Nodes[simp del] subsection "Functional Correctness" subsubsection "Proofs for insert" lemma inorder_split: "inorder(split t) = inorder t" by(cases t rule: split.cases) (auto) lemma inorder_skew: "inorder(skew t) = inorder t" by(cases t rule: skew.cases) (auto) lemma inorder_insert: "sorted(inorder t) \ by(induction t) (auto simp: ins_list_simps inorder_split inorder_skew) subsubsection "Proofs for delete" lemma inorder_adjust: "t \ by(cases t) (auto simp: adjust_def inorder_skew inorder_split invar.simps(2) pre_adjust.simps split: tree.splits) lemma split_maxD: "\ by(induction t arbitrary: t' rule: split_max.induct) (auto simp: sorted_lems inorder_adjust pre_adj_if_postR post_split_max split: prod.spli lemma inorder_delete: "invar t \ by(induction t) (auto simp: del_list_simps inorder_adjust pre_adj_if_postL pre_adj_if_postR post_split_max post_delete split_maxD split: prod.splits) interpretation S: Set_by_Ordered where empty = empty and isin = isin and insert = insert and delete = delete and inorder = inorder and inv = invar proof (standard, goal_cases) case 1 show ?case by (simp add: empty_def) next case 2 thus ?case by(simp add: isin_set_inorder) next case 3 thus ?case by(simp add: inorder_insert) next case 4 thus ?case by(simp add: inorder_delete) next case 5 thus ?case by(simp add: empty_def) next case 6 thus ?case by(simp add: invar_insert) next case 7 thus ?case using post_delete by(auto simp: post_del_def) qed end ¤ Dauer der Verarbeitung: 0.2 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28