RTree.thy
author Christian Urban <urbanc@in.tum.de>
Thu, 21 Sep 2017 14:33:13 +0100
changeset 196 704fd8749dad
parent 178 da27bece9575
child 197 ca4ddf26a7c7
permissions -rw-r--r--
updated

theory RTree
imports "~~/src/HOL/Library/Transitive_Closure_Table" 
begin

section {* A theory of relational trees *}

inductive_cases path_nilE [elim!]: "rtrancl_path r x [] y"
inductive_cases path_consE [elim!]: "rtrancl_path r x (z#zs) y"

subsection {* Definitions *}

text {*
  In this theory, we are going to give a notion of of `Relational Graph` and
  its derived notion `Relational Tree`. Given a binary relation @{text "r"},
  the `Relational Graph of @{text "r"}` is the graph, the edges of which
  are those in @{text "r"}. In this way, any binary relation can be viewed
  as a `Relational Graph`. Note, this notion of graph includes infinite graphs. 

  A `Relation Graph` @{text "r"} is said to be a `Relational Tree` if it is both
  {\em single valued} and {\em acyclic}. 
*}


locale forest = 
  fixes r
  assumes sgv: "single_valued r"
  assumes acl: "acyclic r"

text {* 
  The following two auxiliary functions @{text "rel_of"} and @{text "pred_of"} 
  transfer between the predicate and set representation of binary relations.
*}

definition "rel_of r = {(x, y) | x y. r x y}"

definition "pred_of r = (\<lambda> x y. (x, y) \<in> r)"

text {*

  To reason about {\em Relational Graph}, a notion of path is needed,
  which is given by the following @{text "rpath"} (short for
  `relational path`).  The path @{text "xs"} in proposition @{text
  "rpath r x xs y"} is a path leading from @{text "x"} to @{text "y"},
  which serves as a witness of the fact @{text "(x, y) \<in> r^*"}.

  @{text "rpath"} is simply a wrapper of the @{text "rtrancl_path"}
  defined in the imported theory @{text "Transitive_Closure_Table"},
  which defines a notion of path for the predicate form of binary
  relations.  *}

definition "rpath r x xs y = rtrancl_path (pred_of r) x xs y"

text {*

  Given a path @{text "ps"}, @{text "edges_on ps"} is the set of edges
  along the path, which is defined as follows: *}

definition "edges_on ps = {(a,b) | a b. \<exists> xs ys. ps = xs@[a,b]@ys}"

text {*

   The following @{text "indep"} defines a notion of independence.
   Two nodes @{text "x"} and @{text "y"} are said to be independent
   (expressed as @{text "indep x y"}), if neither one is reachable
   from the other in relational graph @{text "r"}.  *}

definition "indep r x y = (((x, y) \<notin> r^*) \<and> ((y, x) \<notin> r^*))"

text {*
 
 In relational tree @{text "r"}, the sub tree of node @{text "x"} is
  written @{text "subtree r x"}, which is defined to be the set of
  nodes (including itself) which can reach @{text "x"} by following
  some path in @{text "r"}: *}

definition "subtree r x = {y . (y, x) \<in> r^*}"

definition "ancestors r x = {y. (x, y) \<in> r^+}"

(* tmp *)
definition 
  "nancestors r x \<equiv> ancestors r x \<union> {x}"

lemma nancestors_def2:
  "nancestors r x \<equiv> {y. (x, y) \<in> r\<^sup>*}"
unfolding nancestors_def
apply(auto)
by (smt Collect_cong ancestors_def insert_compr mem_Collect_eq rtrancl_eq_or_trancl)

lemma nancestors2:
  "y \<in> ancestors r x \<Longrightarrow> y \<in> nancestors r x"
apply(auto simp add: nancestors_def)
done

lemma nancestors3:
  "\<lbrakk>y \<in> nancestors r x; x \<noteq> y\<rbrakk> \<Longrightarrow> y \<in> ancestors r x"
apply(auto simp add: nancestors_def)
done
(* end tmp *)

definition "root r x = (ancestors r x = {})"

lemma root_indep:
  assumes "root r x"
    and "root r y"
    and "y \<noteq> x"
  shows "indep r x y"
proof -
  { assume "(x, y) \<in> r^*"
    hence False using assms
      by (unfold root_def ancestors_def, auto dest:tranclD rtranclD)
  } moreover {
    assume "(y, x) \<in> r^*"
    hence False using assms
      by (unfold root_def ancestors_def, auto dest:tranclD rtranclD)
  } ultimately show ?thesis by (auto simp:indep_def)
qed

text {*
 
  The following @{text "edge_in r x"} is the set of edges contained in
  the sub-tree of @{text "x"}, with @{text "r"} as the underlying
  graph.  *}

definition "edges_in r x = {(a, b) | a b. (a, b) \<in> r \<and> b \<in> subtree r x}"

text {*

  The following lemma @{text "edges_in_meaning"} shows the intuitive
  meaning of `an edge @{text "(a, b)"} is in the sub-tree of @{text
  "x"}`, i.e., both @{text "a"} and @{text "b"} are in the sub-tree.
  *}

lemma edges_in_meaning: 
  "edges_in r x = {(a, b) | a b. (a, b) \<in> r \<and> a \<in> subtree r x \<and> b \<in> subtree r x}"
 by (auto simp:edges_in_def subtree_def)

text {*
  The following lemma shows the meaning of @{term "edges_in"} from the other side, 
  which says: for the edge @{text "(a,b)"} to be outside of the sub-tree of @{text "x"}, 
  it is sufficient to show that @{text "b"} is.
*}
lemma edges_in_refutation:
  assumes "b \<notin> subtree r x"
  shows "(a, b) \<notin> edges_in r x"
  using assms by (unfold edges_in_def subtree_def, auto)

definition "children r x = {y. (y, x) \<in> r}"

locale fforest = forest +
  assumes fb: "finite (children r x)"
  assumes wf: "wf r"
begin

lemma finite_children: "finite (children r x)"
  using fb by (cases "children r x = {}", auto simp:children_def)

end


subsection {* Auxiliary lemmas *}

lemma index_minimize:
  assumes "P (i::nat)"
  obtains j where "P j" and "\<forall> k < j. \<not> P k" 
  using assms
  by (induct i rule:less_induct, auto)

subsection {* Properties of Relational Graphs and Relational Trees *}

subsubsection {* Properties of @{text "rel_of"} and @{text "pred_of"} *}

text {* The following lemmas establish bijectivity of the two functions *}

lemma pred_rel_eq: "pred_of (rel_of r) = r" by (auto simp:rel_of_def pred_of_def)

lemma rel_pred_eq: "rel_of (pred_of r) = r" by (auto simp:rel_of_def pred_of_def)

lemma rel_of_star: "rel_of (r^**) = (rel_of r)^*"
  by (unfold rel_of_def rtranclp_rtrancl_eq, auto)

lemma pred_of_star: "pred_of (r^*) = (pred_of r)^**"
proof -
  { fix x y
    have "pred_of (r^*) x y = (pred_of r)^** x y"
    by (unfold pred_of_def rtranclp_rtrancl_eq, auto)
  } thus ?thesis by auto
qed

lemma star_2_pstar: "(x, y) \<in> r^* = (pred_of (r^*)) x y"
  by (simp add: pred_of_def)

subsubsection {* Properties of @{text "rpath"} *}

text {* Induction rule for @{text "rpath"}: *}

lemma rpath_induct [consumes 1, case_names rbase rstep, induct pred: rpath]:
  assumes "rpath r x1 x2 x3"
    and "\<And>x. P x [] x"
    and "\<And>x y ys z. (x, y) \<in> r \<Longrightarrow> rpath r y ys z \<Longrightarrow> P y ys z \<Longrightarrow> P x (y # ys) z"
  shows "P x1 x2 x3"
  using assms[unfolded rpath_def]
  by (induct, auto simp:pred_of_def rpath_def)

lemma rpathE [elim]: 
  assumes "rpath r x xs y"
  obtains (base) "y = x" "xs = []"
     | (step) z zs where "(x, z) \<in> r" "rpath r z zs y" "xs = z#zs"
  using assms
  by (induct, auto)

text {* Introduction rule for empty path *}
lemma rbaseI [intro!]: 
  assumes "x = y"
  shows "rpath r x [] y"
  by  (unfold rpath_def assms, 
         rule Transitive_Closure_Table.rtrancl_path.base)

text {* Introduction rule for non-empty path *}
lemma rstepI [intro!]: 
  assumes "(x, y) \<in> r"
    and "rpath r y ys z"
  shows "rpath r x (y#ys) z" 
proof(unfold rpath_def, rule Transitive_Closure_Table.rtrancl_path.step)
  from assms(1) show "pred_of r x y" by (auto simp:pred_of_def)
next
  from assms(2) show "rtrancl_path (pred_of r) y ys z"  
  by (auto simp:pred_of_def rpath_def)
qed

lemma rpath_stepI'[intro, simp]: 
  assumes "rpath r x xs y"
  and "(y, z) \<in> r"
  shows "rpath r x (xs@[z]) z"
  using assms
  by (induct, auto)

text {* Introduction rule for @{text "@"}-path *}
lemma rpath_appendI [intro,simp]: 
  assumes "rpath r x xs a" and "rpath r a ys y"
  shows "rpath r x (xs @ ys) y"
  using assms 
  by (unfold rpath_def, auto intro:rtrancl_path_trans)

text {* Elimination rule for empty path *}

lemma rpath_cases [cases pred:rpath,elim]:
  assumes "rpath r a1 a2 a3"
  obtains (rbase)  "a1 = a3" and "a2 = []"
    | (rstep)  y :: "'a" and ys :: "'a list"  
         where "(a1, y) \<in> r" and "a2 = y # ys" and "rpath r y ys a3"
  using assms [unfolded rpath_def]
  by (cases, auto simp:rpath_def pred_of_def)

lemma rpath_nilE [elim!, cases pred:rpath]: 
  assumes "rpath r x [] y"
  obtains "y = x"
  using assms[unfolded rpath_def] by auto

text {*
  Elimination rule for non-empty paths constructed with @{text "#"}.
*}

lemma rpath_ConsE [elim!, cases pred:rpath]:
  assumes "rpath r x (y # ys) x2"
  obtains (rstep) "(x, y) \<in> r" and "rpath r y ys x2"
  using assms[unfolded rpath_def]
  by (cases, auto simp:rpath_def pred_of_def)

text {*
  Elimination rule for non-empty path, where the destination node 
  @{text "y"} is shown to be at the end of the path.
*}
lemma rpath_nnl_lastE [elim]: 
  assumes "rpath r x xs y"
  and "xs \<noteq> []"
  obtains xs' where "xs = xs'@[y]"
  using assms
proof(induct)
    case (rstep x y ys z)
    thus ?case by (cases ys, auto)
qed auto

text {* Other elimination rules of @{text "rpath"} *}

lemma rpath_appendE [elim]:
  assumes "rpath r x (xs @ [a] @ ys) y"
  obtains "rpath r x (xs @ [a]) a" and "rpath r a ys y"
  using rtrancl_path_appendE[OF assms[unfolded rpath_def, simplified], folded rpath_def]
  by auto

lemma rpath_subE [elim]: 
  assumes "rpath r x (xs @ [a] @ ys @ [b] @ zs) y"
  obtains "rpath r x (xs @ [a]) a" and "rpath r a (ys @ [b]) b" and "rpath r b zs y" 
  using assms
 by (elim rpath_appendE, auto)

text {* Every path has a unique end point. *}
lemma rpath_dest_eq [simp]: 
  assumes "rpath r x xs x1"
  and "rpath r x xs x2"
  shows "x1 = x2"
  using assms
  by (induct, auto)

lemma rpath_dest_eq_simp[simp]: 
  assumes "rpath r x xs1 x1"
  and "rpath r x xs2 x2"
  and "xs1 = xs2"
  shows "x1 = x2"
  using assms
  by (induct, auto)

subsubsection {* Properites of @{text "edges_on"} *}

lemma edge_on_headI[simp, intro]: 
  assumes "(a, b) = (a', b')"
  shows "(a, b) \<in> edges_on (a' # b' # xs)"
  using assms
  by (unfold edges_on_def, auto)

lemma edges_on_ConsI[intro]:
  assumes "(a, b) \<in> edges_on xs" 
  shows "(a, b) \<in> edges_on (x#xs)"
  using assms
  apply (unfold edges_on_def, auto)
  by (meson Cons_eq_appendI)
  
lemma edges_on_appendI1[intro]:
  assumes "(a, b) \<in> edges_on xs" 
  shows "(a, b) \<in> edges_on (xs'@xs)"
  using assms 
  apply (unfold edges_on_def, auto simp:append_assoc)
  by (metis append_assoc)
  
lemma edges_on_appendI2[intro]:
  assumes "(a, b) \<in> edges_on xs" 
  shows "(a, b) \<in> edges_on (xs@xs')"
  using assms 
  apply (unfold edges_on_def, auto)
  by metis

lemma edges_onE [elim]:
  assumes "(a, b) \<in> edges_on xs"
  obtains a' b' xs' where "(a,b) = (a', b')" "xs = a'#b'#xs'"
        | a' b' xs' where "(a,b) \<noteq> (a', b')" "xs = a'#b'#xs'" "(a,b) \<in> edges_on (b'#xs')"
proof(cases xs)
  case Nil
  with assms show ?thesis
    by (unfold edges_on_def, auto)
next
  case cs1: (Cons a' xsa)
  show ?thesis
  proof(cases xsa)
    case Nil
    with cs1 and assms show ?thesis
      by (unfold edges_on_def, auto)
  next
    case (Cons b' xsb)
    show ?thesis
    proof(cases "(a,b) = (a', b')")
      case True
      with cs1 Cons show ?thesis using that by metis
    next
      case False
      from assms[unfolded cs1 Cons edges_on_def]
      obtain xs1 ys1 where "a' # b' # xsb = xs1 @ [a, b] @ ys1" by auto
      moreover with False obtain c xsc where "xs1 = Cons c xsc" by (cases xs1, auto)
      ultimately have h: "b' # xsb = xsc @ [a, b] @ ys1" by auto
      show ?thesis
        apply (rule that(2)[OF False], insert cs1 Cons, simp)
        using h by auto
    qed
  qed
qed

lemma edges_on_nil [simp]:
  "edges_on [] = {}" by auto

lemma edges_on_single [simp]:
  "edges_on [a] = {}" by auto

lemma edges_on_unfold [simp]:
  "edges_on (a # b # xs) = {(a, b)} \<union> edges_on (b # xs)" (is "?L = ?R")
by (auto)

lemma edges_on_len:
  assumes "x \<in> edges_on l"
  shows "2 \<le> length l" using assms by (cases x, auto)

text {* Elimination of @{text "edges_on"} for non-empty path *}

lemma edges_on_consE [elim!, cases set:edges_on]:
  assumes "(a,b) \<in> edges_on (x#xs)"
  obtains (head)  xs' where "x = a" and "xs = b#xs'"
      |  (tail)  "(a,b) \<in> edges_on xs"
      using assms
      by auto


text {*
  Every edges on the path is a graph edges:
*}

lemma rpath_edges_on [intro]: 
  assumes "rpath r x xs y"
  shows "edges_on (x#xs) \<subseteq> r"
  using assms 
 by (induct arbitrary:y, auto)

text {* @{text "edges_on"} is mono with respect to @{text "#"}-operation: *}
lemma edges_on_Cons_mono [intro,simp]: 
   shows "edges_on xs \<subseteq> edges_on (x#xs)"
   by auto

lemma edges_on_append_mono [intro,simp]:
   shows "edges_on xs \<subseteq> edges_on (xs'@xs)"
   by auto

lemma edges_on_append_mono' [intro,simp]:
   shows "edges_on xs \<subseteq> edges_on (xs@xs')"
   by auto

text {*
  The following rule @{text "rpath_transfer"} is used to show 
  that one path is intact as long as all the edges on it are intact
  with the change of graph.

  If @{text "x#xs"} is path in graph @{text "r1"} and 
  every edges along the path is also in @{text "r2"}, 
  then @{text "x#xs"} is also a edge in graph @{text "r2"}:
*}

lemma rpath_transfer[intro]:
  assumes "rpath r1 x xs y"
  and "edges_on (x#xs) \<subseteq> r2"
  shows "rpath r2 x xs y"
  using assms
 by (induct, auto)
  
lemma edges_on_rpathI[intro, simp]:
  assumes "edges_on (a#xs@[b]) \<subseteq> r"
  shows "rpath r a (xs@[b]) b"
  using assms
 by (induct xs arbitrary: a b, auto) 

lemma list_nnl_appendE [elim]:
  assumes "xs \<noteq> []"
  obtains x xs' where "xs = xs'@[x]"
  by (insert assms, rule rev_exhaust, fastforce)

lemma edges_on_rpathI' [intro]:
  assumes "edges_on (a#xs) \<subseteq> r"
  and "xs \<noteq> []"
  and "last xs = b"
  shows "rpath r a xs b"
proof -
  obtain xs' where "xs = xs'@[b]"
  using assms by fastforce
  with assms show ?thesis by fastforce
qed

text {*
  The following lemma extracts the path from @{text "x"} to @{text "y"}
  from proposition @{text "(x, y) \<in> r^*"}
*}

lemma star_rpath [elim]:
  assumes "(x, y) \<in> r^*"
  obtains xs where "rpath r x xs y"
  using assms
  by (induct, auto)


text {*
  The following lemma uses the path @{text "xs"} from @{text "x"} to @{text "y"}
  as a witness to show @{text "(x, y) \<in> r^*"}.
*}
lemma rpath_star [simp]: 
  assumes "rpath r x xs y"
  shows "(x, y) \<in> r^*"
proof -
  from iffD2[OF rtranclp_eq_rtrancl_path] and assms[unfolded rpath_def]
  have "(pred_of r)\<^sup>*\<^sup>* x y" by metis
  thus ?thesis by (simp add: pred_of_star star_2_pstar)
qed  

declare rpath_star[elim_format]

lemma rpath_transfer' [intro]: 
  assumes "rpath r1 x xs y"
  and "r1 \<subseteq> r2"
  shows "rpath r2 x xs y"
  using assms
  by (induct, auto)

lemma subtree_transfer[intro]:
  assumes "a \<in> subtree r1 a'"
  and "r1 \<subseteq> r2"
  shows "a \<in> subtree r2 a'"
  using assms 
proof -
  from assms(1) 
  obtain xs where h1: "rpath r1 a xs a'" by (auto simp:subtree_def)
  show ?thesis 
  proof -
    from rpath_star[OF h1]
    have "(a, a') \<in> r1\<^sup>*" .
    with assms(2) have  "(a, a') \<in> r2\<^sup>*"
        using rtrancl_mono subsetCE by blast
    thus ?thesis by (auto simp:subtree_def)
  qed
qed 

text {*
  @{text "subtree"} is mono with respect to the underlying graph.
*}
lemma subtree_mono[intro]:
  assumes "r1 \<subseteq> r2"
  shows "subtree r1 x \<subseteq> subtree r2 x"
  using assms by auto

lemma subtree_rev_transfer[intro]:
  assumes "a \<notin> subtree r2 a'"
  and "r1 \<subseteq> r2"
  shows "a \<notin> subtree r1 a'"
  using assms and subtree_transfer by metis

text {*
  The following lemmas establishes a relation from paths in @{text "r"}
  to @{text "r^+"} relation.
*}
lemma rpath_plus[simp]: 
  assumes "rpath r x xs y"
  and "xs \<noteq> []"
  shows "(x, y) \<in> r^+"
  using assms
  by (induct, simp) fastforce

lemma plus_rpath [elim]: 
  assumes "(x, y) \<in> r^+"
  obtains xs where "rpath r x xs y" and "xs \<noteq> []"
proof -
  from assms
  have "\<exists> xs. rpath r x xs y \<and> xs \<noteq> []" by (induct; auto)
  with that show ?thesis by metis
qed
  
subsubsection {* Properties of @{text "subtree"} and @{term "ancestors"}*}

lemma ancestors_subtreeI [intro, dest]:
  assumes "b \<in> ancestors r a"
  shows "a \<in> subtree r b"
  using assms by (auto simp:subtree_def ancestors_def)

lemma ancestors_Field[elim]:
  assumes "b \<in> ancestors r a"
  obtains "a \<in> Domain r" "b \<in> Range r"
  using assms 
  apply (unfold ancestors_def, simp)
  by (metis Domain.DomainI Range.intros trancl_domain trancl_range)

lemma subtreeE [elim]:
  assumes "a \<in> subtree r b"
  obtains "a = b"
      | "a \<noteq> b" and "b \<in> ancestors r a"
proof -
  from assms have "(a, b) \<in> r^*" by (auto simp:subtree_def)
  from rtranclD[OF this]
  have " a = b \<or> a \<noteq> b \<and> (a, b) \<in> r\<^sup>+" .
  with that[unfolded ancestors_def] show ?thesis by auto
qed


lemma subtree_Field [simp, iff]:
  "subtree r x \<subseteq> Field r \<union> {x}"
proof
  fix y
  assume "y \<in> subtree r x"
  thus "y \<in> Field r \<union> {x}"
  proof(cases rule:subtreeE)
    case 1
    thus ?thesis by auto
  next
    case 2
    thus ?thesis 
      by (unfold Field_def, fast)
  qed
qed

lemma subtree_ancestorsI:
  assumes "a \<in> subtree r b"
  and "a \<noteq> b"
  shows "b \<in> ancestors r a"
  using assms
  by auto

text {*
  The following lemma characterizes the change of sub-tree of @{text "x"}
  with the removal of an outside edge @{text "(a,b)"}. 

  Note that, according to lemma @{thm edges_in_refutation}, the assumption
  @{term "b \<notin> subtree r x"} amounts to saying @{text "(a, b)"} 
  is outside the sub-tree of @{text "x"}.
*}
lemma subtree_del_outside [simp,intro]: (* ddd *)
    assumes "b \<notin> subtree r x" 
    shows "subtree (r - {(a, b)}) x = (subtree r x)" (is "?L = ?R")
proof -
  { fix c
    assume "c \<in> ?R"
    hence "(c, x) \<in> r^*" by (auto simp:subtree_def)
    hence "c \<in> ?L"
    proof(rule star_rpath)
      fix xs
      assume rp: "rpath r c xs x"
      show ?thesis
      proof -
        from rp
        have "rpath  (r - {(a, b)}) c xs x"
        proof(rule rpath_transfer)
          from rp have "edges_on (c # xs) \<subseteq> r" ..
          moreover have "(a, b) \<notin> edges_on (c#xs)"
          proof
            assume "(a, b) \<in> edges_on (c # xs)"
            then obtain l1 l2 where h: "c#xs = l1@[a,b]@l2" by (auto simp:edges_on_def)
            hence "tl (c#xs) = tl (l1@[a,b]@l2)" by simp
            then obtain l1' where eq_xs_b: "xs = l1'@[b]@l2" by (cases l1, auto)
            from rp[unfolded this]
            show False
              by (rule rpath_appendE, insert assms(1), auto simp:subtree_def)
          qed
          ultimately show "edges_on (c # xs) \<subseteq> (r - {(a, b)})" 
            by (auto)
        qed
        thus ?thesis by (auto simp:subtree_def)
      qed
    qed
  } moreover {
    fix c
    assume "c \<in> ?L"
    moreover have "... \<subseteq> (subtree r x)" by auto
    ultimately have "c \<in> ?R" by auto
  } ultimately show ?thesis by auto
qed

(* ddd *)
lemma subset_del_subtree_outside [simp, intro]: (* ddd *)
    assumes "Range r' \<inter> subtree r x = {}" 
    shows "subtree (r - r') x = (subtree r x)" 
proof -
  { fix c
    assume "c \<in> (subtree r x)"
    hence "(c, x) \<in> r^*" by (auto simp:subtree_def)
    hence "c \<in> subtree (r - r') x"
    proof(rule star_rpath)
      fix xs
      assume rp: "rpath r c xs x"
      show ?thesis
      proof -
        from rp
        have "rpath  (r - r') c xs x"
        proof(rule rpath_transfer)
          from rp have "edges_on (c # xs) \<subseteq> r" ..
          moreover {
              fix a b
              assume h: "(a, b) \<in> r'"
              have "(a, b) \<notin> edges_on (c#xs)"
              proof
                assume "(a, b) \<in> edges_on (c # xs)"
                then obtain l1 l2 where "c#xs = (l1@[a])@[b]@l2" by (auto simp:edges_on_def)
                hence "tl (c#xs) = tl (l1@[a,b]@l2)" by simp
                then obtain l1' where eq_xs_b: "xs = l1'@[b]@l2" by (cases l1, auto)
                from rp[unfolded this]
                show False
                proof(rule rpath_appendE)
                  assume "rpath r b l2 x"
                  from rpath_star[OF this]
                  have "b \<in> subtree r x" by (auto simp:subtree_def)
                  with assms (1) and h show ?thesis by (auto)
                qed
             qed
         } ultimately show "edges_on (c # xs) \<subseteq> (r - r')" by (auto)
        qed
        thus ?thesis by (rule rpath_star[elim_format], auto simp:subtree_def)
      qed
    qed
  } moreover {
    fix c
    assume "c \<in> subtree (r - r') x"
    moreover have "... \<subseteq> (subtree r x)" by (rule subtree_mono, auto)
    ultimately have "c \<in> (subtree r x)" by auto
  } ultimately show ?thesis by auto
qed

lemma subset_insert_subtree_outside [simp, intro]: (* ddd *) 
    assumes "Range r' \<inter> subtree r x = {}" 
    shows "subtree (r \<union> r') x = (subtree r x)" (is "?L = ?R")
proof -
  { have "?L \<subseteq> ?R"
    proof
      fix y
      assume "y \<in> ?L"
      from this[unfolded subtree_def] have "(y, x) \<in> ( (r \<union> r')^*)" by simp
      thus "y \<in> ?R"
      proof(induct rule:converse_rtrancl_induct)
        case (base)
        show ?case unfolding subtree_def by auto
      next
        case (step x y)
        moreover have "(x, y) \<in> r"
        proof - 
          {  assume "(x, y) \<in> r'"
             with assms step(3)
             have False by auto
          } with step(1) show ?thesis by auto
        qed
        ultimately show ?case unfolding subtree_def by auto
      qed
    qed
  } moreover have "?R \<subseteq> ?L" by auto
  ultimately show ?thesis by auto
qed


lemma subtree_insert_ext [simp, intro]:
    assumes "b \<in> subtree r x"
    shows "subtree (r \<union> {(a, b)}) x = (subtree r x) \<union> (subtree r a)" 
    using assms by (auto simp:subtree_def rtrancl_insert)

lemma subtree_insert_next [simp, intro]:
    assumes "b \<notin> subtree r x"
    shows "subtree (r \<union> {(a, b)}) x = (subtree r x)" 
    using assms
    by (auto simp:subtree_def rtrancl_insert)

lemma set_add_rootI[simp, intro]:
  assumes "root r a"
  and "a \<notin> Domain r1"
  shows "root (r \<union> r1) a"
  using assms
proof -
  let ?r = "r \<union> r1"
  { fix a'
    assume "a' \<in> ancestors ?r a"
    hence "(a, a') \<in> ?r^+" by (auto simp:ancestors_def)
    from tranclD[OF this] obtain z where "(a, z) \<in> ?r" by auto
    moreover have "(a, z) \<notin> r"
    proof
      assume "(a, z) \<in> r"
      with assms(1) show False 
        by (auto simp:root_def ancestors_def)
    qed
    ultimately have "(a, z) \<in> r1" by auto
    with assms(2) 
    have False by (auto)
  } thus ?thesis by (auto simp:root_def)
qed

lemma ancestors_mono [simp]:
  assumes "r1 \<subseteq> r2"
  shows "ancestors r1 x \<subseteq> ancestors r2 x"
proof
 fix a
 assume "a \<in> ancestors r1 x"
 hence "(x, a) \<in> r1^+" by (auto simp:ancestors_def)
 from plus_rpath[OF this] obtain xs where 
    h: "rpath r1 x xs a" "xs \<noteq> []" .
 have "rpath r2 x xs a"
 proof(rule rpath_transfer[OF h(1)])
  from h(1) have "edges_on (x # xs) \<subseteq> r1" ..
  also note assms
  finally show "edges_on (x # xs) \<subseteq> r2" .
 qed
 from rpath_plus[OF this h(2)]
 show "a \<in> ancestors r2 x" by (auto simp:ancestors_def)
qed

lemma subtree_refute:
  assumes "x \<notin> ancestors r y"
  and "x \<noteq> y"
  shows "y \<notin> subtree r x"
proof
   assume "y \<in> subtree r x"
   thus False
     by(elim subtreeE, insert assms, auto)
qed

subsubsection {* Properties about relational trees *}

context forest 
begin

lemma ancestors_headE:
  assumes "c \<in> ancestors r a"
  assumes "(a, b) \<in> r"
  obtains "b = c"
     |   "c \<in> ancestors r b"
proof -
  from assms(1) 
  have "(a, c) \<in> r^+" by (auto simp:ancestors_def)
  hence "b = c \<or> c \<in> ancestors r b"
  proof(cases rule:converse_tranclE[consumes 1])
    case 1
    with assms(2) and sgv have "b = c" by (auto simp:single_valued_def)
    thus ?thesis by auto
  next
    case (2 y)
    from 2(1) and assms(2) and sgv have "y = b" by (auto simp:single_valued_def)
    from 2(2)[unfolded this] have "c \<in> ancestors r b" by (auto simp:ancestors_def)
    thus ?thesis by auto
  qed
  with that show ?thesis by metis
qed

lemma ancestors_accum:
  assumes "(a, b) \<in> r"
  shows "ancestors r a = ancestors r b \<union> {b}"
proof -
  { fix c
    assume "c \<in> ancestors r a"
    hence "(a, c) \<in> r^+" by (auto simp:ancestors_def)
    hence "c \<in> ancestors r b \<union> {b}"
    proof(cases rule:converse_tranclE[consumes 1])
      case 1
      with sgv assms have "c = b" by (unfold single_valued_def, auto)
      thus ?thesis by auto
    next
      case (2 c')
      with sgv assms have "c' = b" by (unfold single_valued_def, auto)
      from 2(2)[unfolded this]
      show ?thesis by (auto simp:ancestors_def)
    qed
  } moreover {
    fix c
    assume "c \<in> ancestors r b \<union> {b}"
    hence "c = b \<or> c \<in> ancestors r b" by auto
    hence "c \<in> ancestors r a"
    proof
      assume "c = b"
      from assms[folded this] 
      show ?thesis by (auto simp:ancestors_def)
    next
      assume "c \<in> ancestors r b"
      with assms show ?thesis by (auto simp:ancestors_def)
    qed
  } ultimately show ?thesis by auto
qed

lemma rootI [intro]:
  assumes h: "\<And> x'. x' \<noteq> x \<Longrightarrow> x \<notin> subtree r' x'"
  and "r' \<subseteq> r"
  shows "root r' x"
proof -
  from acyclic_subset[OF acl assms(2)]
  have acl': "acyclic r'" .
  { fix x'
    assume "x' \<in> ancestors r' x"
    hence h1: "(x, x') \<in> r'^+" by (auto simp:ancestors_def)
    have "x' \<noteq> x"
    proof
      assume eq_x: "x' = x"
      from h1[unfolded this] and acl'
      show False by (auto simp:acyclic_def)
    qed
    moreover from h1 have "x \<in> subtree r' x'" by (auto simp:subtree_def)
    ultimately have False using h by auto
  } thus ?thesis by (auto simp:root_def)
qed

lemma rpath_overlap_oneside [elim]: (* ddd *)
  assumes "rpath r x xs1 x1"
  and "rpath r x xs2 x2"
  and "length xs1 \<le> length xs2"
  obtains xs3 where "xs2 = xs1 @ xs3"
proof(cases "xs1 = []")
  case True
  with that show ?thesis by auto
next
  case False
  have "\<forall> i \<le> length xs1. take i xs1 = take i xs2"
  proof -
     { assume "\<not> (\<forall> i \<le> length xs1. take i xs1 = take i xs2)"
       then obtain i where "i \<le> length xs1 \<and> take i xs1 \<noteq> take i xs2" by auto
       from this(1) have "False"
       proof(rule index_minimize)
          fix j
          assume h1: "j \<le> length xs1 \<and> take j xs1 \<noteq> take j xs2"
          and h2: " \<forall>k<j. \<not> (k \<le> length xs1 \<and> take k xs1 \<noteq> take k xs2)"
          -- {* @{text "j - 1"} is the branch point between @{text "xs1"} and @{text "xs2"} *}
          let ?idx = "j - 1"
          -- {* A number of inequalities concerning @{text "j - 1"} are derived first *}
          have lt_i: "?idx < length xs1" using False h1 
            by (metis Suc_diff_1 le_neq_implies_less length_greater_0_conv lessI less_imp_diff_less)
          have lt_i': "?idx < length xs2" using lt_i and assms(3) by auto
          have lt_j: "?idx < j" using h1 by (cases j, auto)
          -- {* From thesis inequalities, a number of equations concerning @{text "xs1"}
                 and @{text "xs2"} are derived *}
          have eq_take: "take ?idx xs1 = take ?idx xs2"
            using h2[rule_format, OF lt_j] and h1 by linarith
          have eq_xs1: " xs1 = take ?idx xs1 @ xs1 ! (?idx) # drop (Suc (?idx)) xs1" 
            using id_take_nth_drop[OF lt_i] .
          have eq_xs2: "xs2 = take ?idx xs2 @ xs2 ! (?idx) # drop (Suc (?idx)) xs2" 
              using id_take_nth_drop[OF lt_i'] .
          -- {* The branch point along the path is finally pinpointed *}
          have neq_idx: "xs1!?idx \<noteq> xs2!?idx" 
          proof -
            have "take j xs1 = take ?idx xs1 @ [xs1 ! ?idx]"
                using eq_xs1 Suc_diff_1 lt_i lt_j take_Suc_conv_app_nth by fastforce 
            moreover have eq_tk2: "take j xs2 = take ?idx xs2 @ [xs2 ! ?idx]"
                using Suc_diff_1 lt_i' lt_j take_Suc_conv_app_nth by fastforce 
            ultimately show ?thesis using eq_take h1 by auto
          qed
          show ?thesis
          proof(cases " take (j - 1) xs1 = []")
            case True
            have "(x, xs1!?idx) \<in> r"
            proof -
                from eq_xs1[unfolded True, simplified, symmetric] assms(1) 
                have "rpath r x ( xs1 ! ?idx # drop (Suc ?idx) xs1) x1" by simp
                from this[unfolded rpath_def]
                show ?thesis by (auto simp:pred_of_def)
            qed
            moreover have "(x, xs2!?idx) \<in> r"
            proof -
              from eq_xs2[folded eq_take, unfolded True, simplified, symmetric] assms(2)
              have "rpath r x ( xs2 ! ?idx # drop (Suc ?idx) xs2) x2" by simp
              from this[unfolded rpath_def]
              show ?thesis by (auto simp:pred_of_def)
            qed
            ultimately show ?thesis using neq_idx sgv[unfolded single_valued_def] by metis
        next
           case False
           then obtain e es where eq_es: "take ?idx xs1 = es@[e]" by fast
           have "(e, xs1!?idx) \<in> r"
           proof -
            from eq_xs1[unfolded eq_es] 
            have "xs1 = es@[e, xs1!?idx]@drop (Suc ?idx) xs1" by simp
            hence "(e, xs1!?idx) \<in> edges_on xs1" by (simp add:edges_on_def, metis)
            with rpath_edges_on[OF assms(1)] edges_on_Cons_mono[of xs1 x]
            show ?thesis by (auto)
           qed moreover have "(e, xs2!?idx) \<in> r"
           proof -
            from eq_xs2[folded eq_take, unfolded eq_es]
            have "xs2 = es@[e, xs2!?idx]@drop (Suc ?idx) xs2" by simp
            hence "(e, xs2!?idx) \<in> edges_on xs2" by (simp add:edges_on_def, metis)
            with rpath_edges_on[OF assms(2)] edges_on_Cons_mono[of xs2 x]
            show ?thesis by (auto)
           qed
           ultimately show ?thesis 
              using sgv[unfolded single_valued_def] neq_idx by metis
        qed
       qed
     } thus ?thesis by auto
  qed
  from this[rule_format, of "length xs1"]
  have "take (length xs1) xs1 = take (length xs1) xs2" by simp
  moreover have "xs2 = take (length xs1) xs2 @ drop (length xs1) xs2" by simp
  ultimately have "xs2 = xs1 @ drop (length xs1) xs2" by auto
  from that[OF this] show ?thesis .
qed

lemma rpath_overlap_oneside':
  assumes "rpath r x xs1 x1" 
  and "rpath r x xs2 x2"
  and "length xs1 \<le> length xs2"
  obtains xs3 where 
    "xs2 = xs1 @ xs3" "rpath r x xs1 x1" "rpath r x1 xs3 x2"
proof -
  from rpath_overlap_oneside[OF assms]
  obtain xs3 where eq_xs: "xs2 = xs1 @ xs3" by auto
  show ?thesis
  proof(cases "xs1 = []")
    case True
    from rpath_nilE[OF assms(1)[unfolded this]]
    have eq_x1: "x1 = x" .
    have "xs2 = xs3" using True eq_xs by simp
    from that[OF eq_xs assms(1) assms(2)[folded eq_x1, unfolded this]]
    show ?thesis .
  next
    case False  
    from rpath_nnl_lastE[OF assms(1) False]
    obtain xs' where eq_xs1: "xs1 = xs'@[x1]" by auto
    from assms(2)[unfolded eq_xs this]
    have "rpath r x (xs' @ [x1] @ xs3) x2" by simp
    from rpath_appendE[OF this]
    have "rpath r x (xs' @ [x1]) x1" "rpath r x1 xs3 x2" by auto
    from that [OF eq_xs this(1)[folded eq_xs1] this(2)]
    show ?thesis .
  qed
qed


lemma rpath_overlap [consumes 2, cases pred:rpath]:
  assumes "rpath r x xs1 x1"
  and "rpath r x xs2 x2"
  obtains (less_1) xs3 where "xs2 = xs1 @ xs3"
     |    (less_2) xs3 where "xs1 = xs2 @ xs3"
proof -
  have "length xs1 \<le> length xs2 \<or> length xs2 \<le> length xs1" by auto
  with assms rpath_overlap_oneside that show ?thesis by metis
qed

lemma rpath_overlap' [consumes 2, cases pred:rpath]:
  assumes "rpath r x xs1 x1"
  and "rpath r x xs2 x2"
  obtains (less_1) xs3 where "xs2 = xs1 @ xs3" "rpath r x xs1 x1" "rpath r x1 xs3 x2"
     |    (less_2) xs3 where "xs1 = xs2 @ xs3" "rpath r x xs2 x2" "rpath r x2 xs3 x1"
proof -
  have "length xs1 \<le> length xs2 \<or> length xs2 \<le> length xs1" by auto
  with assms rpath_overlap_oneside' that show ?thesis by metis
qed

text {*
  As a corollary of @{thm "rpath_overlap_oneside"}, 
  the following two lemmas gives one important property of relation tree, 
  i.e. there is at most one path between any two nodes.
  Similar to the proof of @{thm rpath_overlap}, we starts with
  the one side version first.
*}

lemma rpath_unique_oneside:
  assumes "rpath r x xs1 y"
    and "rpath r x xs2 y"
    and "length xs1 \<le> length xs2"
  shows "xs1 = xs2"
proof -
  from rpath_overlap_oneside[OF assms] 
  obtain xs3 where less_1: "xs2 = xs1 @ xs3" by blast
  show ?thesis
  proof(cases "xs3 = []") 
    case True
    from less_1[unfolded this] show ?thesis by simp
  next
    case False
    note FalseH = this
    show ?thesis
    proof(cases "xs1 = []")
      case True
      have "(x, x) \<in> r^+"
      proof(rule rpath_plus)
        from assms(1)[unfolded True] 
        have "y = x" by (cases rule:rpath_nilE, simp)
        from assms(2)[unfolded this] show "rpath r x xs2 x" .
      next
        from less_1 and False show "xs2 \<noteq> []" by simp
      qed
      with acl show ?thesis by (unfold acyclic_def, auto)
    next 
      case False
      then obtain e es where eq_xs1: "xs1 = es@[e]" by fast
      from assms(2)[unfolded less_1 this]
      have "rpath r x (es @ [e] @ xs3) y" by simp
      thus ?thesis
      proof(cases rule:rpath_appendE)
        case 1
        from rpath_dest_eq [OF 1(1)[folded eq_xs1] assms(1)]
        have "e = y" .
        from rpath_plus [OF 1(2)[unfolded this] FalseH]
        have "(y, y) \<in> r^+" .
        with acl show ?thesis by (unfold acyclic_def, auto)
      qed
    qed
  qed
qed

text {*
  The following is the full version of path uniqueness.
*}
lemma rpath_unique:
  assumes "rpath r x xs1 y"
    and "rpath r x xs2 y"
  shows "xs1 = xs2"
proof(cases "length xs1 \<le> length xs2")
   case True
   from rpath_unique_oneside[OF assms this] show ?thesis .
next
  case False
  hence "length xs2 \<le> length xs1" by simp
  from rpath_unique_oneside[OF assms(2,1) this]
  show ?thesis by simp
qed

text {*
  The following lemma shows that the `independence` relation is symmetric.
  It is an obvious auxiliary lemma which will be used later. 
*}
lemma sym_indep: "indep r x y \<Longrightarrow> indep r y x"
  by (unfold indep_def, auto)

text {*
  This is another `obvious` lemma about trees, which says trees rooted at 
  independent nodes are disjoint.
*}
lemma subtree_disjoint:
  assumes "indep r x y"
  shows "subtree r x \<inter> subtree r y = {}"
proof -
  { fix z x y xs1 xs2 xs3
      assume ind: "indep r x y"
      and rp1: "rpath r z xs1 x"
      and rp2: "rpath r z xs2 y"
      and h: "xs2 = xs1 @ xs3"
      have False
      proof(cases "xs1 = []")
        case True
        from rp1[unfolded this] have "x = z" by auto
        from rp2[folded this] rpath_star ind[unfolded indep_def]
        show ?thesis by metis
      next
        case False
        then obtain e es where eq_xs1: "xs1 = es@[e]" by fast
        from rp2[unfolded h this]
        have "rpath r z (es @ [e] @ xs3) y" by simp
        thus ?thesis
        proof(cases rule:rpath_appendE)
          case 1
          have "e = x" using 1(1)[folded eq_xs1] rp1 rpath_dest_eq by metis
          from rpath_star[OF 1(2)[unfolded this]] ind[unfolded indep_def]
          show ?thesis by auto
        qed
      qed
  } note my_rule = this
  { fix z
    assume h: "z \<in> subtree r x" "z \<in> subtree r y"
    from h(1) have "(z, x) \<in> r^*" by (unfold subtree_def, auto)
    then obtain xs1 where rp1: "rpath r z xs1 x" using star_rpath by metis
    from h(2) have "(z, y) \<in> r^*" by (unfold subtree_def, auto)
    then obtain xs2 where rp2: "rpath r z xs2 y" using star_rpath by metis
    from rp1 rp2
    have False
    by (cases, insert my_rule[OF sym_indep[OF assms(1)] rp2 rp1] 
                  my_rule[OF assms(1) rp1 rp2], auto)
  } thus ?thesis by auto
qed

lemma root_unique:
   assumes "x \<in> subtree r y"
    and "x \<in> subtree r z"
    and "root r y"
    and "root r z"
    shows "y = z" 
proof -
  { assume "y \<noteq> z"
    from root_indep[OF assms(4,3) this]
    have "indep r z y" .
    from subtree_disjoint[OF this] and assms
    have False by auto
  } thus ?thesis by auto
qed

text {*
  The following lemma @{text "subtree_del"} characterizes the change of sub-tree of 
  @{text "x"} with the removal of an inside edge @{text "(a, b)"}. 
  Note that, the case for the removal of an outside edge has already been dealt with
  in lemma @{text "subtree_del_outside"}). 

  This lemma is underpinned by the following two `obvious` facts:
  \begin{enumearte}
  \item
  In graph @{text "r"}, for an inside edge @{text "(a,b) \<in> edges_in r x"},  
  every node @{text "c"} in the sub-tree of @{text "a"} has a path
  which goes first from @{text "c"} to @{text "a"}, then through edge @{text "(a, b)"}, and 
  finally reaches @{text "x"}. By the uniqueness of path in a tree,
  all paths from sub-tree of @{text "a"} to @{text "x"} are such constructed, therefore 
  must go through @{text "(a, b)"}. The consequence is: with the removal of @{text "(a,b)"},
  all such paths will be broken. 

  \item
  On the other hand, all paths not originate from within the sub-tree of @{text "a"}
  will not be affected by the removal of edge @{text "(a, b)"}. 
  The reason is simple: if the path is affected by the removal, it must 
  contain @{text "(a, b)"}, then it must originate from within the sub-tree of @{text "a"}.
  \end{enumearte}
*}

lemma subtree_del_inside: (* ddd *)
    assumes "(a,b) \<in> edges_in r x"
    shows "subtree (r - {(a, b)}) x = (subtree r x) - subtree r a"
proof -
  from assms have asm: "b \<in> subtree r x" "(a, b) \<in> r" by (auto simp:edges_in_def)
  -- {* The proof follows a common pattern to prove the equality of sets. *}
  { -- {* The `left to right` direction.
       *}
    fix c
    -- {* Assuming @{text "c"} is inside the sub-tree of @{text "x"} in the reduced graph *}
    assume h: "c \<in> subtree (r - {(a, b)}) x" 
    -- {* We are going to show that @{text "c"} can not be in the sub-tree of @{text "a"} in 
          the original graph. *}
    -- {* In other words, all nodes inside the sub-tree of @{text "a"} in the original 
          graph will be removed from the sub-tree of @{text "x"} in the reduced graph. *}
    -- {* The reason, as analyzed before, is that all paths from within the 
          sub-tree of @{text "a"} are broken with the removal of edge @{text "(a,b)"}.
       *}
    have "c \<in> (subtree r x) - subtree r a" 
    proof -
      let ?r' = "r - {(a, b)}" -- {* The reduced graph is abbreviated as @{text "?r'"} *}
      from h have "(c, x) \<in> ?r'^*" by (auto simp:subtree_def)
      -- {* Extract from the reduced graph the path @{text "xs"} from @{text "c"} to @{text "x"}. *}
      then obtain xs where rp0: "rpath ?r' c xs x" by (rule star_rpath, auto)
      -- {* It is easy to show @{text "xs"} is also a path in the original graph *}
      hence rp1: "rpath r c xs x" using rpath_edges_on[OF rp0]
        by auto
      -- {* @{text "xs"} is used as the witness to show that @{text "c"} 
                   in the sub-tree of @{text "x"} in the original graph. *}
      hence "c \<in> subtree r x"
         by (rule rpath_star[elim_format], auto simp:subtree_def)
      -- {* The next step is to show that @{text "c"} can not be in the sub-tree of @{text "a"}
            in the original graph. *}
      -- {* We need to use the fact that all paths originate from within sub-tree of @{text "a"}
             are broken. *}
      moreover have "c \<notin> subtree r a"
      proof
        -- {* Proof by contradiction, suppose otherwise *}
        assume otherwise: "c \<in> subtree r a"
        -- {* Then there is a path in original graph leading from @{text "c"} to @{text "a"} *}
        obtain xs1 where rp_c: "rpath r c xs1 a" 
        proof -
          from otherwise have "(c, a) \<in> r^*" by (auto simp:subtree_def)
          thus ?thesis by (rule star_rpath, auto intro!:that)
        qed
        -- {* Starting from this path, we are going to construct a fictional 
                  path from @{text "c"} to @{text "x"}, which, as explained before,
              is broken, so that contradiction can be derived. *}
        -- {* First, there is a path from @{text "b"} to @{text "x"} *}
        obtain ys where rp_b: "rpath r b ys x" 
        proof -
          from asm have "(b, x) \<in> r^*" by (auto simp:subtree_def)
          thus ?thesis by (rule star_rpath, auto intro!:that)
        qed
        -- {* The paths @{text "xs1"} and @{text "ys"} can be 
                 tied together using @{text "(a,b)"} to form a path 
               from @{text "c"} to @{text "x"}: *}
        have "rpath r c (xs1 @ b # ys) x"
        proof -
          from rstepI[OF asm(2) rp_b] have "rpath r a (b # ys) x" .
          from rpath_appendI[OF rp_c this]
          show ?thesis .
        qed
        -- {* By the uniqueness of path between two nodes of a tree, we have: *}
        from rpath_unique[OF rp1 this] have eq_xs: "xs = xs1 @ b # ys" .
        -- {* Contradiction can be derived from from this fictional path . *}
        show False
        proof -
          -- {* It can be shown that @{term "(a,b)"} is on this fictional path. *}
          have "(a, b) \<in> edges_on (c#xs)"
          proof(cases "xs1 = []")
            case True
            from rp_c[unfolded this] have "rpath r c [] a" .
            hence eq_c: "c = a" by fast
            hence "c#xs = a#xs" by simp
            from this and eq_xs have "c#xs = a # xs1 @ b # ys" by simp
            from this[unfolded True] have "c#xs = []@[a,b]@ys" by simp
            thus ?thesis by (auto simp:edges_on_def)
          next
            case False
            from rpath_nnl_lastE[OF rp_c this]
            obtain xs' where "xs1 = xs'@[a]" by auto
            from eq_xs[unfolded this] have "c#xs = (c#xs')@[a,b]@ys" by simp
            thus ?thesis by (unfold edges_on_def, blast)
          qed
          -- {* It can also be shown that @{term "(a,b)"} is not on this fictional path. *}
          moreover have "(a, b) \<notin> edges_on (c#xs)"
              using rpath_edges_on[OF rp0] by (auto)
          -- {* Contradiction is thus derived. *}
          ultimately show False by auto
        qed
      qed
      ultimately show ?thesis by auto
    qed
  } moreover {
    -- {* The `right to left` direction.
       *} 
     fix c
   -- {* Assuming that @{text "c"} is in the sub-tree of @{text "x"}, but
         outside of the sub-tree of @{text "a"} in the original graph, *}
   assume h: "c \<in> (subtree r x) - subtree r a"
   -- {* we need to show that in the reduced graph, @{text "c"} is still in 
         the sub-tree of @{text "x"}. *}
   have "c \<in> subtree (r - {(a, b)}) x"
   proof -
      -- {* The proof goes by showing that the path from @{text "c"} to @{text "x"}
            in the original graph is not affected by the removal of @{text "(a,b)"}.
         *}
      from h have "(c, x) \<in> r^*" by (unfold subtree_def, auto)
      -- {* Extract the path @{text "xs"} from @{text "c"} to @{text "x"} in the original graph. *}
      from star_rpath[OF this] obtain xs where rp: "rpath r c xs x" by auto
      -- {* Show that it is also a path in the reduced graph. *}
      hence "rpath (r - {(a, b)}) c xs x"
      -- {* The proof goes by using rule @{thm rpath_transfer} *} 
      proof(rule rpath_transfer)
        -- {* We need to show all edges on the path are still in the reduced graph. *}
        show "edges_on (c # xs) \<subseteq> r - {(a, b)}"
        proof -
          -- {* It is easy to show that all the edges are in the original graph. *}
          from rpath_edges_on [OF rp] have " edges_on (c # xs) \<subseteq> r" .
          -- {* The essential part is to show that @{text "(a, b)"} is not on the path. *}
          moreover have "(a,b) \<notin> edges_on (c#xs)"
          proof
            -- {* Proof by contradiction, suppose otherwise: *}
            assume otherwise: "(a, b) \<in> edges_on (c#xs)"
            -- {* Then @{text "(a, b)"} is in the middle of the path. 
                  with @{text "l1"} and @{text "l2"} be the nodes in 
                  the front and rear respectively. *}
              then obtain l1 l2 where eq_xs: 
                "c#xs = l1 @ [a, b] @ l2" by (unfold edges_on_def, blast)
            -- {* From this, it can be shown that @{text "c"} is 
                      in the sub-tree of @{text "a"} *}
            have "c \<in> subtree r a" 
            proof(cases "l1 = []")
              case True
              -- {* If @{text "l1"} is null, it can be derived that @{text "c = a"}. *}
              with eq_xs have "c = a" by auto
              -- {* So, @{text "c"} is obviously in the sub-tree of @{text "a"}. *}
              thus ?thesis by (unfold subtree_def, auto)
            next
              case False
              -- {* When @{text "l1"} is not null, it must have a tail @{text "es"}: *}
              then obtain e es where "l1 = e#es" by (cases l1, auto)
              -- {* The relation of this tail with @{text "xs"} is derived: *}
              with eq_xs have "xs = es@[a,b]@l2" by auto
              -- {* From this, a path from @{text "c"} to @{text "a"} is made visible: *}
              from rp[unfolded this] have "rpath r c (es @ [a] @ (b#l2)) x" by simp
              thus ?thesis
              proof(cases rule:rpath_appendE)
                -- {* The path from @{text "c"} to @{text "a"} is extraced 
                             using @{thm "rpath_appendE"}: *}
                case 1
                from rpath_star[OF this(1)] 
                -- {* The extracted path servers as a witness that @{text "c"} is 
                          in the sub-tree of @{text "a"}: *}
                show ?thesis by (simp add:subtree_def)
            qed
          qed with h show False by auto         
         qed ultimately show ?thesis by auto
       qed
     qed
     -- {* From , it is shown that @{text "c"} is in the sub-tree of @{text "x"}
           inthe reduced graph. *}
     from rpath_star[OF this] show ?thesis by (auto simp:subtree_def)
    qed
  } 
  -- {* The equality of sets is derived from the two directions just proved. *}
  ultimately show ?thesis by blast
qed 

lemma  set_del_rootI:
  assumes "r1 \<subseteq> r"
  and "a \<in> Domain r1"
  shows "root (r - r1) a"
proof -
   let ?r = "r - r1"
  { fix a' 
    assume neq: "a' \<noteq> a"
    have "a \<notin> subtree ?r a'"
    proof
      assume "a \<in> subtree ?r a'"
      hence "(a, a') \<in> ?r^*" by (auto simp:subtree_def)
      from star_rpath[OF this] obtain xs
      where rp: "rpath ?r a xs a'" by auto
      from rpathE[OF this] and neq
      obtain z zs where h: "(a, z) \<in> ?r" "rpath ?r z zs a'" "xs = z#zs" by auto
      from assms(2) obtain z' where z'_in: "(a, z') \<in> r1" by (auto simp:DomainE)
      with assms(1) have "(a, z') \<in> r" by auto
      moreover from h(1) have "(a, z) \<in> r" by simp 
      ultimately have "z' = z" using sgv by (auto simp:single_valued_def)
      from z'_in[unfolded this] and h(1) show False by auto
   qed
  } thus ?thesis by (intro rootI, auto)
qed

lemma edge_del_no_rootI:
  assumes "(a, b) \<in> r"
  shows "root (r - {(a, b)}) a"
  by (rule set_del_rootI, insert assms, auto)

lemma ancestors_children_unique:
  assumes "z1 \<in> ancestors r x \<inter> children r y"
  and "z2 \<in> ancestors r x \<inter> children r y"
  shows "z1 = z2"
proof -
  from assms have h:
     "(x, z1) \<in> r^+" "(z1, y) \<in> r" 
     "(x, z2) \<in> r^+" "(z2, y) \<in> r" 
  by (auto simp:ancestors_def children_def)

  -- {* From this, a path containing @{text "z1"} is obtained. *}
  from plus_rpath[OF h(1)] obtain xs1 
     where h1: "rpath r x xs1 z1" "xs1 \<noteq> []" by auto
  from rpath_nnl_lastE[OF this] obtain xs1' where eq_xs1: "xs1 = xs1' @ [z1]"
    by auto
  from h(2) have h2: "rpath r z1 [y] y" by auto
  from rpath_appendI[OF h1(1) h2, unfolded eq_xs1]
  have rp1: "rpath r x (xs1' @ [z1, y]) y" by simp

  -- {* Then, another path containing @{text "z2"} is obtained. *}
  from plus_rpath[OF h(3)] obtain xs2
     where h3: "rpath r x xs2 z2" "xs2 \<noteq> []" by auto
  from rpath_nnl_lastE[OF this] obtain xs2' where eq_xs2: "xs2 = xs2' @ [z2]"
    by auto
  from h(4) have h4: "rpath r z2 [y] y" by auto
  from rpath_appendI[OF h3(1) h4, unfolded eq_xs2]
     have "rpath r x (xs2' @ [z2, y]) y" by simp

  -- {* Finally @{text "z1 = z2"} is proved by uniqueness of path. *}
  from rpath_unique[OF rp1 this]
  have "xs1' @ [z1, y] = xs2' @ [z2, y]" .
  thus ?thesis by auto
qed

lemma ancestors_childrenE:
  assumes "y \<in> ancestors r x"
  obtains "x \<in> children r y"
      | z where "z \<in> ancestors r x \<inter> children r y"
proof -
  from assms(1) have "(x, y) \<in> r^+" by (auto simp:ancestors_def)
  from tranclD2[OF this] obtain z where 
     h: "(x, z) \<in> r\<^sup>*" "(z, y) \<in> r" by auto
  from h(1)
  show ?thesis
  proof(cases rule:rtranclE)
    case base
    from h(2)[folded this] have "x \<in> children r y" 
              by (auto simp:children_def)
    thus ?thesis by (intro that, auto)
  next
    case (step u)
    hence "z \<in> ancestors r x" by (auto simp:ancestors_def)
    moreover from h(2) have "z \<in> children r y" 
              by (auto simp:children_def)
    ultimately show ?thesis by (intro that, auto)
  qed
qed

end (* of forest *)

lemma subtree_trancl:
  "subtree r x = {x} \<union> {y. (y, x) \<in> r^+}" (is "?L = ?R")
proof -
  { fix z
    assume "z \<in> ?L"
    hence "z \<in> ?R"
    proof(cases rule:subtreeE)
      case 2
      thus ?thesis  
        by (unfold ancestors_def, auto)
    qed auto
  } moreover
  { fix z
    assume "z \<in> ?R"
    hence "z \<in> ?L" 
      by (unfold subtree_def, auto)
  } ultimately show ?thesis by auto
qed

lemma ancestor_children_subtreeI [intro]: 
  "x \<in> ancestors r z \<Longrightarrow> z \<in> \<Union>(subtree r ` children r x)"
  by (unfold ancestors_def children_def, auto simp:subtree_def dest:tranclD2)

lemma [iff]: "x \<in> subtree r x"
  by (auto simp:subtree_def)

lemma [intro]: "xa \<in> children r x \<Longrightarrow> z \<in> subtree r xa \<Longrightarrow> z \<in> subtree r x"
  by (unfold children_def subtree_def, auto)

lemma subtree_children:
  "subtree r x = ({x} \<union> (\<Union> (subtree r ` (children r x))))" (is "?L = ?R")
  by fast

context fforest
begin
  
lemma finite_subtree:
  shows "finite (subtree r x)"
proof(induct rule:wf_induct[OF wf])
  case (1 x)
  have "finite (\<Union>(subtree r ` children r x))"
  proof(rule finite_Union)
    show "finite (subtree r ` children r x)"
    proof(cases "children r x = {}")
      case True
      thus ?thesis by auto
    next
      case False
      hence "x \<in> Range r" by (auto simp:children_def)
      from fb 
      have "finite (children r x)" .
      thus ?thesis by (rule finite_imageI)
    qed
  next
    fix M 
    assume "M \<in> subtree r ` children r x"
    then obtain y where h: "y \<in> children r x" "M = subtree r y" by auto
    hence "(y, x) \<in> r" by (auto simp:children_def)
    from 1[rule_format, OF this, folded h(2)]
    show "finite M" .
  qed
  thus ?case
    by (unfold subtree_children finite_Un, auto)
qed

end

definition "pairself f = (\<lambda>(a, b). (f a, f b))"

definition "rel_map f r = (pairself f ` r)"

lemma rel_mapE: 
  assumes "(a, b) \<in> rel_map f r"
  obtains c d 
  where "(c, d) \<in> r" "(a, b) = (f c, f d)"
  using assms
  by (unfold rel_map_def pairself_def, auto)

lemma rel_mapI: 
  assumes "(a, b) \<in> r"
    and "c = f a"
    and "d = f b"
  shows "(c, d) \<in> rel_map f r"
  using assms
  by (unfold rel_map_def pairself_def, auto)

lemma map_appendE:
  assumes "map f zs = xs @ ys"
  obtains xs' ys' 
  where "zs = xs' @ ys'" "xs = map f xs'" "ys = map f ys'"
proof -
  have "\<exists> xs' ys'. zs = xs' @ ys' \<and> xs = map f xs' \<and> ys = map f ys'"
  using assms
  proof(induct xs arbitrary:zs ys)
    case (Nil zs ys)
    thus ?case by auto
  next
    case (Cons x xs zs ys)
    note h = this
    show ?case
    proof(cases zs)
      case (Cons e es)
      with h have eq_x: "map f es = xs @ ys" "x = f e" by auto
      from h(1)[OF this(1)]
      obtain xs' ys' where "es = xs' @ ys'" "xs = map f xs'" "ys = map f ys'"
        by blast
      with Cons eq_x
      have "zs = (e#xs') @ ys' \<and> x # xs = map f (e#xs') \<and> ys = map f ys'" by auto
      thus ?thesis by metis
    qed (insert h, auto)
  qed
  thus ?thesis by (auto intro!:that)
qed

lemma rel_map_mono:
  assumes "r1 \<subseteq> r2"
  shows "rel_map f r1 \<subseteq> rel_map f r2"
  using assms
  by (auto simp:rel_map_def pairself_def)

lemma rel_map_compose [simp]:
    shows "rel_map f1 (rel_map f2 r) = rel_map (f1 o f2) r"
    by (auto simp:rel_map_def pairself_def)

lemma edges_on_map: "edges_on (map f xs) = rel_map f (edges_on xs)"
proof -
  { fix a b
    assume "(a, b) \<in> edges_on (map f xs)"
    then obtain l1 l2 where eq_map: "map f xs = l1 @ [a, b] @ l2" 
      by (unfold edges_on_def, auto)
    hence "(a, b) \<in> rel_map f (edges_on xs)"
      by (auto elim!:map_appendE intro!:rel_mapI simp:edges_on_def)
  } moreover { 
    fix a b
    assume "(a, b) \<in> rel_map f (edges_on xs)"
    then obtain c d where 
        h: "(c, d) \<in> edges_on xs" "(a, b) = (f c, f d)" 
             by (elim rel_mapE, auto)
    then obtain l1 l2 where
        eq_xs: "xs = l1 @ [c, d] @ l2" 
             by (auto simp:edges_on_def)
    hence eq_map: "map f xs = map f l1 @ [f c, f d] @ map f l2" by auto
    have "(a, b) \<in> edges_on (map f xs)"
    proof -
      from h(2) have "[f c, f d] = [a, b]" by simp
      from eq_map[unfolded this] show ?thesis by (auto simp:edges_on_def)
    qed
  } ultimately show ?thesis by auto
qed

lemma image_id:
  assumes "\<And> x. x \<in> A \<Longrightarrow> f x = x"
  shows "f ` A = A"
  using assms by (auto simp:image_def)

lemma rel_map_inv_id:
  assumes "inj_on f ((Domain r) \<union> (Range r))"
  shows "(rel_map (inv_into ((Domain r) \<union> (Range r)) f \<circ> f) r) = r"
proof -
 let ?f = "(inv_into (Domain r \<union> Range r) f \<circ> f)"
 {
  fix a b
  assume h0: "(a, b) \<in> r"
  have "pairself ?f (a, b) = (a, b)"
  proof -
    from assms h0 have "?f a = a" by (auto intro:inv_into_f_f)
    moreover have "?f b = b"
      by (insert h0, simp, intro inv_into_f_f[OF assms], auto intro!:RangeI)
    ultimately show ?thesis by (auto simp:pairself_def)
  qed
 } thus ?thesis by (unfold rel_map_def, intro image_id, case_tac x, auto)
qed 

lemma rel_map_acyclic:
  assumes "acyclic r"
  and "inj_on f ((Domain r) \<union> (Range r))"
  shows "acyclic (rel_map f r)"
proof -
  let ?D = "Domain r \<union> Range r"
  { fix a 
    assume "(a, a) \<in> (rel_map f r)^+" 
    from plus_rpath[OF this]
    obtain xs where rp: "rpath (rel_map f r) a xs a" "xs \<noteq> []" by auto
    from rpath_nnl_lastE[OF this] obtain xs' where eq_xs: "xs = xs'@[a]" by auto
    from rpath_edges_on[OF rp(1)]
    have h: "edges_on (a # xs) \<subseteq> rel_map f r" .
    from edges_on_map[of "inv_into ?D f" "a#xs"]
    have "edges_on (map (inv_into ?D f) (a # xs)) = rel_map (inv_into ?D f) (edges_on (a # xs))" .
    with rel_map_mono[OF h, of "inv_into ?D f"]
    have "edges_on (map (inv_into ?D f) (a # xs)) \<subseteq> rel_map ((inv_into ?D f) o f) r" by simp
    from this[unfolded eq_xs]
    have subr: "edges_on (map (inv_into ?D f) (a # xs' @ [a])) \<subseteq> rel_map (inv_into ?D f \<circ> f) r" .
    have "(map (inv_into ?D f) (a # xs' @ [a])) = (inv_into ?D f a) # map (inv_into ?D f) xs' @ [inv_into ?D f a]"
      by simp
    from edges_on_rpathI[OF subr[unfolded this]]
    have "rpath (rel_map (inv_into ?D f \<circ> f) r) 
                      (inv_into ?D f a) (map (inv_into ?D f) xs' @ [inv_into ?D f a]) (inv_into ?D f a)" .
    hence "(inv_into ?D f a, inv_into ?D f a) \<in> (rel_map (inv_into ?D f \<circ> f) r)^+"
        by (rule rpath_plus, simp)
    moreover have "(rel_map (inv_into ?D f \<circ> f) r) = r" by (rule rel_map_inv_id[OF assms(2)])
    moreover note assms(1) 
    ultimately have False by (unfold acyclic_def, auto)
  } thus ?thesis by (auto simp:acyclic_def)
qed

lemma compose_relpow_2 [intro, simp]:
  assumes "r1 \<subseteq> r"
  and "r2 \<subseteq> r"
  shows "r1 O r2 \<subseteq> r ^^ (2::nat)"
proof -
  { fix a b
    assume "(a, b) \<in> r1 O r2"
    then obtain e where "(a, e) \<in> r1" "(e, b) \<in> r2"
      by auto
    with assms have "(a, e) \<in> r" "(e, b) \<in> r" by auto
    hence "(a, b) \<in> r ^^ (Suc (Suc 0))" by auto
  } thus ?thesis by (auto simp:numeral_2_eq_2)
qed

lemma relpow_mult: 
  "((r::'a rel) ^^ m) ^^ n = r ^^ (m*n)"
proof(induct n arbitrary:m)
  case (Suc k m)
  thus ?case
  proof -
    have h: "(m * k + m) = (m + m * k)" by auto
    show ?thesis 
      apply (simp add:Suc relpow_add[symmetric])
      by (unfold h, simp)
  qed
qed simp

lemma acyclic_compose [intro, simp]:
  assumes "acyclic r"
  and "r1 \<subseteq> r"
  and "r2 \<subseteq> r"
  shows "acyclic (r1 O r2)"
proof -
  { fix a
    assume "(a, a) \<in> (r1 O r2)^+"
    from trancl_mono[OF this compose_relpow_2[OF assms(2, 3)]]
    have "(a, a) \<in> (r ^^ 2) ^+" .
    from trancl_power[THEN iffD1, OF this]
    obtain n where h: "(a, a) \<in> (r ^^ 2) ^^ n" "n > 0" by blast
    from this(1)[unfolded relpow_mult] have h2: "(a, a) \<in> r ^^ (2 * n)" .
    have "(a, a) \<in> r^+" 
    proof(cases rule:trancl_power[THEN iffD2])
      from h(2) h2 show "\<exists>n>0. (a, a) \<in> r ^^ n" 
        by (rule_tac x = "2*n" in exI, auto)
    qed
    with assms have "False" by (auto simp:acyclic_def)
  } thus ?thesis by (auto simp:acyclic_def)
qed

lemma children_compose_unfold: 
  "children (r1 O r2) x = \<Union> (children r1 ` (children r2 x))"
  by (auto simp:children_def)

lemma fbranch_compose [intro, simp]:
  assumes "\<forall> x \<in> Range r1 . finite (children r1 x)"
  and "\<forall> x \<in> Range r2 . finite (children r2 x)"
  shows "\<forall> x \<in> Range (r1 O r2) . finite (children (r1 O r2) x)"
proof -
  {  fix x
     assume "x\<in>Range (r1 O r2)"
     then obtain y z where h: "(y, z) \<in> r1" "(z, x) \<in> r2" by auto
     have "finite (children (r1 O r2) x)"
     proof(unfold children_compose_unfold, rule finite_Union)
      show "finite (children r1 ` children r2 x)"
      proof(rule finite_imageI)
        from h(2) have "x \<in> Range r2" by auto
        from assms(2)[unfolded fforest_def] this
        show "finite (children r2 x)" by auto
      qed
     next
       fix M
       assume "M \<in> children r1 ` children r2 x"
       then obtain y where h1: "y \<in> children r2 x" "M = children r1 y" by auto
       show "finite M"
       proof(cases "children r1 y = {}")
          case True
          with h1(2) show ?thesis by auto
       next
          case False
          hence "y \<in> Range r1" by (unfold children_def, auto)
          from assms(1)[unfolded fforest_def] this h1(2)
          show ?thesis by auto
       qed
     qed
  } thus ?thesis using assms by auto
qed

lemma fbranch_compose1 [intro, simp]:
  assumes "\<forall>x. finite (children r1 x)"
  and "\<forall>x. finite (children r2 x)"
  shows "\<forall>x. finite (children (r1 O r2) x)"
by (metis (no_types, lifting) Collect_empty_eq Range.intros assms(1) 
         assms(2) children_def fbranch_compose finite.emptyI)


lemma finite_fbranchI [intro]:
  assumes "finite r"
  shows "\<forall> x \<in> Range r . finite (children r x)"
proof -
  { fix x 
    assume "x \<in>Range r"
    have "finite (children r x)"
    proof -
      have "{y. (y, x) \<in> r} \<subseteq> Domain r" by (auto)
      from rev_finite_subset[OF finite_Domain[OF assms] this]
      have "finite {y. (y, x) \<in> r}" .
      thus ?thesis by (unfold children_def, simp)
    qed
  } thus ?thesis by auto
qed

lemma finite_fbranchI1 [intro]:
  assumes "finite r"
  shows "\<forall> x . finite (children r x)"
  by (metis (no_types, lifting) Collect_empty_eq Range.intros assms 
      children_def finite.emptyI finite_fbranchI)

lemma subset_fbranchI [intro]:
  assumes "\<forall> x \<in> Range r1 . finite (children r1 x)"
  and "r2 \<subseteq> r1"
  shows "\<forall> x \<in> Range r2 . finite (children r2 x)"
proof -
  { fix x
    assume "x \<in>Range r2"
    with assms(2) have "x \<in> Range r1" by auto
    from assms(1)[rule_format, OF this]
    have "finite (children r1 x)" .
    hence "finite (children r2 x)"
    proof(rule rev_finite_subset)
      from assms(2)
      show "children r2 x \<subseteq> children r1 x" by (auto simp:children_def)
    qed
  } thus ?thesis by auto
qed

lemma children_subtree [simp, intro]: 
  shows "children r x \<subseteq> subtree r x"
  by (auto simp:children_def subtree_def)

lemma children_union_kept [simp]:
  assumes "x \<notin> Range r'"
  shows "children (r \<union> r') x = children r x"
  using assms
  by (auto simp:children_def)

lemma wf_rbase [elim]:
  assumes "wf r"
  obtains b where "(b, a) \<in> r^*" "\<forall> c. (c, b) \<notin> r"
proof -
  from assms
  have "\<exists> b. (b, a) \<in> r^* \<and> (\<forall> c. (c, b) \<notin> r)"
  proof(induct) 
    case (less x)
    thus ?case
    proof(cases "\<exists> z. (z, x) \<in> r")
      case False
      moreover have "(x, x) \<in> r^*" by auto
      ultimately show ?thesis by metis
    next
      case True
      then obtain z where h_z: "(z, x) \<in> r" by auto
      from less[OF this]
      obtain b where "(b, z) \<in> r^*" "(\<forall>c. (c, b) \<notin> r)"
        by auto
      moreover from this(1) h_z have "(b, x) \<in> r^*" by auto
      ultimately show ?thesis by metis
    qed
  qed
  with that show ?thesis by metis
qed

lemma wf_base [elim]:
  assumes "wf r"
  and "a \<in> Range r"
  obtains b where "(b, a) \<in> r^+" "\<forall> c. (c, b) \<notin> r"
proof -
  from assms(2) obtain a' where h_a: "(a', a) \<in> r" by auto
  from wf_rbase[OF assms(1), of a]
  obtain b where h_b: "(b, a) \<in> r\<^sup>*" "\<forall>c. (c, b) \<notin> r" by auto
  from rtranclD[OF this(1)]
  have "b = a \<or>  b \<noteq> a \<and> (b, a) \<in> r\<^sup>+" by auto
  moreover have "b \<noteq> a" using h_a h_b(2) by auto
  ultimately have "(b, a) \<in> r\<^sup>+" by auto
  with h_b(2) and that show ?thesis by metis
qed


declare RTree.subtree_transfer[rule del]

declare RTree.subtreeE[rule del]

declare RTree.ancestors_Field[rule del]

declare RTree.star_rpath[rule del]

declare RTree.plus_rpath[rule del]

lemma fmap_children:
  assumes "inj f" 
  shows  "children ((map_prod f f) ` r) (f s) = f ` (children r s)"
  using assms
  apply (unfold children_def map_prod_def, auto)
  by (drule_tac x = s and y = b in injD, auto)

find_theorems subtree "op \<union>"

end