%%%%%% Sets of natural numbers
%%%%%% John Boyland
%%%%%% You may freely use, modify and distribute this file without restrictions.
%%%%% This file requires the "nat.elf" signature
%{%
This signature implements sets of natural numbers.
The representation is "adequate" in that every set
has a unique representation. In other words, equality of the terms
is the same as semantic equality.
%}%
%{%
This signature was created using "map" and is not "optimally" concise.
The proofs of the theorems are more general than necessary and
use many trivial lemmas.
%}%
%{%
This file follows the same theorem naming convention as nat.elf (q.v.)
%}%
%%%%% set-help.elf
%%%%% Theorems needed to help 'set' use 'map.'
%%%%% This file is part of the set.elf signature
%%%% Theorems
%{%
What follows is a series of utterly trivial theorems
about the unit type and trivial operations on it.
These theorems are needed to satisfy the map "functor".
All of these definitions are indented one space,
which signifies to the pre-module module-system
that they are internal and should not be exported.
%}%
%% Equality, inequality and decidable equality on the unit type.  The type
%% unit and its constructor unit/ are declared outside this file.  No
%% constructor is given for unit`ne in this file (the "uninhabited" remark
%% below), so unit`eq?/no can never be applied and unit`eq? only answers true.
unit`eq : unit -> unit -> type.
unit`eq/ : unit`eq unit/ unit/.
unit`ne : unit -> unit -> type. % uninhabited
unit`eq? : unit -> unit -> bool -> type.
unit`eq?/yes : unit`eq? U U true.
unit`eq?/no : unit`ne U1 U2 -> unit`eq? U1 U2 false.
%% Ex falso for unit`eq.  No proof cases are needed: the premise F:void is
%% presumably uninhabited (void is declared outside this file), so the
%% coverage check of %total has nothing to cover.
%theorem unit`false-implies-eq :
forall* {U1} {U2}
forall {F:void}
exists {E:unit`eq U1 U2}
true.
%worlds () (unit`false-implies-eq _ _).
%total { } (unit`false-implies-eq _ _).
%% Reflexivity: unit/ is the only unit value, handled by the single case.
%theorem unit`eq-reflexive :
forall {U}
exists {E:unit`eq U U}
true.
- : unit`eq-reflexive unit/ unit`eq/.
%worlds () (unit`eq-reflexive _ _).
%total { } (unit`eq-reflexive _ _).
%% Symmetry: the only possible premise is unit`eq/, which is also the witness.
%theorem unit`eq-symmetric :
forall* {U1} {U2}
forall {E1:unit`eq U1 U2}
exists {E2:unit`eq U2 U1}
true.
- : unit`eq-symmetric unit`eq/ unit`eq/.
%worlds () (unit`eq-symmetric _ _).
%total { } (unit`eq-symmetric _ _).
%% Transitivity, likewise by the single constructor.
%theorem unit`eq-transitive :
forall* {U1} {U2} {U3}
forall {E12:unit`eq U1 U2} {E23:unit`eq U2 U3}
exists {E13:unit`eq U1 U3}
true.
- : unit`eq-transitive unit`eq/ unit`eq/ unit`eq/.
%worlds () (unit`eq-transitive _ _ _).
%total { } (unit`eq-transitive _ _ _).
%% The next five theorems about unit`ne all hold vacuously: each has a
%% premise that is either void or a unit`ne, and neither has a constructor
%% in this file, so no proof cases are required.
%theorem unit`false-implies-ne :
forall* {X1} {X2}
forall {F:void}
exists {G:unit`ne X1 X2}
true.
%worlds () (unit`false-implies-ne _ _).
%total { } (unit`false-implies-ne _ _).
%theorem unit`ne-respects-eq :
forall* {X1} {X2} {Y1} {Y2}
forall {D1:unit`ne X1 X2} {E1:unit`eq X1 Y1} {E2:unit`eq X2 Y2}
exists {D2:unit`ne Y1 Y2}
true.
%worlds () (unit`ne-respects-eq _ _ _ _).
%total { } (unit`ne-respects-eq _ _ _ _).
%theorem unit`ne-anti-reflexive :
forall* {X}
forall {R:unit`ne X X}
exists {F:void}
true.
%worlds () (unit`ne-anti-reflexive _ _).
%total { } (unit`ne-anti-reflexive _ _).
%theorem unit`ne-symmetric :
forall* {X} {Y}
forall {R1:unit`ne X Y}
exists {R2:unit`ne Y X}
true.
%worlds () (unit`ne-symmetric _ _).
%total { } (unit`ne-symmetric _ _).
%theorem unit`eq-ne-implies-false :
forall* {X} {Y}
forall {D1:unit`eq X Y} {D2:unit`ne X Y}
exists {F:void}
true.
%worlds () (unit`eq-ne-implies-false _ _ _).
%total { } (unit`eq-ne-implies-false _ _ _).
%% Decidable equality on unit is total: both inputs can only be unit/, so
%% unit`eq?/yes always decides.  The %abbrev hides the three leading
%% arguments (M, N and B) so that callers pass only the decision proof.
%theorem unit`eq?-total* :
forall {M} {N}
exists {B} {T:unit`eq? M N B}
true.
%abbrev unit`eq?-total = unit`eq?-total* _ _ _.
- : unit`eq?-total unit`eq?/yes.
%worlds () (unit`eq?-total* _ _ _ _).
%total { } (unit`eq?-total* _ _ _ _).
%% The "order" on unit is taken to be equality itself, so the leq lemmas the
%% map functor asks for are obtained by renaming the eq lemmas.
%abbrev unit`leq = unit`eq.
%abbrev unit`false-implies-leq = unit`false-implies-eq.
%abbrev unit`leq-reflexive = unit`eq-reflexive.
%abbrev unit`leq-transitive = unit`eq-transitive.
%% Anti-symmetry: because unit`leq abbreviates unit`eq, the first premise
%% already is the required equality proof; the second premise is ignored.
%theorem unit`leq-anti-symmetric :
forall* {U1} {U2}
forall {L12:unit`leq U1 U2} {L21:unit`leq U2 U1}
exists {E:unit`eq U1 U2}
true.
- : unit`leq-anti-symmetric E _ E.
%worlds () (unit`leq-anti-symmetric _ _ _).
%total { } (unit`leq-anti-symmetric _ _ _).
%% Union on unit has a single constructor relating unit/ to itself, so every
%% union theorem below is proved by one case (or vacuously when the premise
%% is void), and every leq goal is closed by unit`eq/ because unit`leq
%% abbreviates unit`eq.
unit`union : unit -> unit -> unit -> type.
unit`union/ : unit`union unit/ unit/ unit/.
%% Ex falso; no cases (void premise).
%theorem unit`false-implies-union :
forall* {U1} {U2} {U3}
forall {F:void}
exists {J:unit`union U1 U2 U3}
true.
%worlds () (unit`false-implies-union _ _).
%total { } (unit`false-implies-union _ _).
%% Determinism: both results are unit/, so unit`eq/ closes the goal.
%theorem unit`union-deterministic :
forall* {U1} {U2} {U3} {V1} {V2} {V3}
forall {J:unit`union U1 U2 U3} {K:unit`union V1 V2 V3}
{E1:unit`eq U1 V1} {E2:unit`eq U2 V2}
exists {E3:unit`eq U3 V3}
true.
- : unit`union-deterministic unit`union/ unit`union/ unit`eq/ unit`eq/ unit`eq/.
%worlds () (unit`union-deterministic _ _ _ _ _).
%total { } (unit`union-deterministic _ _ _ _ _).
%% Totality: the witness U3 is fixed by unit`union/.
%theorem unit`union-total* :
forall {U1} {U2}
exists {U3} {J:unit`union U1 U2 U3}
true.
- : unit`union-total* _ _ _ unit`union/.
%worlds () (unit`union-total* _ _ _ _).
%total { } (unit`union-total* _ _ _ _).
%theorem unit`union-commutative :
forall* {U1} {U2} {U3}
forall {J:unit`union U1 U2 U3}
exists {K:unit`union U2 U1 U3}
true.
- : unit`union-commutative _ unit`union/.
%worlds () (unit`union-commutative _ _).
%total { } (unit`union-commutative _ _).
%% Associativity: the intermediate U6 is supplied explicitly as unit/
%% (third argument of the case); the starred variant takes U6 as an input.
%theorem unit`union-associative :
forall* {U1} {U2} {U3} {U4} {U7}
forall {J12:unit`union U1 U2 U3}
{J34:unit`union U3 U4 U7}
exists {U6} {J24:unit`union U2 U4 U6}
{J16:unit`union U1 U6 U7}
true.
- : unit`union-associative _ _ unit/ unit`union/ unit`union/.
%worlds () (unit`union-associative _ _ _ _ _).
%total { } (unit`union-associative _ _ _ _ _).
%theorem unit`union-associative* :
forall* {U1} {U2} {U3} {U4} {U6} {U7}
forall {J12:unit`union U1 U2 U3}
{J34:unit`union U3 U4 U7}
{J24:unit`union U2 U4 U6}
exists {J16:unit`union U1 U6 U7}
true.
- : unit`union-associative* _ _ _ unit`union/.
%worlds () (unit`union-associative* _ _ _ _).
%total { } (unit`union-associative* _ _ _ _).
%% Monotonicity and least-upper-bound laws; all leq outputs are unit`eq/.
%theorem unit`union-left-preserves-leq* :
forall* {U1} {U2} {U3} {U4} {U5}
forall {L24:unit`leq U2 U4}
{J12:unit`union U1 U2 U3} {J14:unit`union U1 U4 U5}
exists {L35:unit`leq U3 U5}
true.
- : unit`union-left-preserves-leq* _ _ _ unit`eq/.
%worlds () (unit`union-left-preserves-leq* _ _ _ _).
%total { } (unit`union-left-preserves-leq* _ _ _ _).
%theorem unit`union-preserves-leq :
forall* {U1} {U2} {U3} {V1} {V2} {V3}
forall {L1:unit`leq U1 V1} {L2:unit`leq U2 V2}
{JU:unit`union U1 U2 U3} {JV:unit`union V1 V2 V3}
exists {L3:unit`leq U3 V3}
true.
- : unit`union-preserves-leq _ _ _ _ unit`eq/.
%worlds () (unit`union-preserves-leq _ _ _ _ _).
%total { } (unit`union-preserves-leq _ _ _ _ _).
%theorem unit`union-implies-leq* :
forall* {U1} {U2} {U3}
forall {J:unit`union U1 U2 U3}
exists {L:unit`leq U1 U3}
true.
- : unit`union-implies-leq* _ unit`eq/.
%worlds () (unit`union-implies-leq* _ _).
%total { } (unit`union-implies-leq* _ _).
%theorem unit`union-implies-leq :
forall* {U1} {U2} {U3}
forall {J:unit`union U1 U2 U3}
exists {L:unit`leq U1 U3} {L2:unit`leq U2 U3}
true.
- : unit`union-implies-leq _ unit`eq/ unit`eq/.
%worlds () (unit`union-implies-leq _ _ _).
%total { } (unit`union-implies-leq _ _ _).
%theorem unit`union-is-lub :
forall* {U1} {U2} {U3} {U4}
forall {J:unit`union U1 U2 U3}
{L1:unit`leq U1 U4} {L2:unit`leq U2 U4}
exists {L3:unit`leq U3 U4}
true.
- : unit`union-is-lub _ _ _ unit`eq/.
%worlds () (unit`union-is-lub _ _ _ _).
%total { } (unit`union-is-lub _ _ _ _).
%% Intersection on unit is the same relation as union, so the intersection
%% lemmas the map functor needs are abbreviations of the union ones.  Only
%% the greatest-lower-bound law and the distributivity law have statements
%% of their own and get their own one-case proofs.
%abbrev unit`intersection = unit`union.
%abbrev unit`false-implies-intersection = unit`false-implies-union.
%abbrev unit`intersection-deterministic = unit`union-deterministic.
%abbrev unit`intersection-total* = unit`union-total*.
%abbrev unit`intersection-commutative = unit`union-commutative.
%abbrev unit`intersection-associative = unit`union-associative.
%abbrev unit`intersection-associative* = unit`union-associative*.
%abbrev unit`intersection-implies-leq* = unit`union-implies-leq*.
%abbrev unit`intersection-left-preserves-leq* = unit`union-left-preserves-leq*.
%theorem unit`intersection-is-glb :
forall* {U0} {U1} {U2} {U3}
forall {A:unit`intersection U1 U2 U3}
{L1:unit`leq U0 U1} {L2:unit`leq U0 U2}
exists {L3:unit`leq U0 U3}
true.
- : unit`intersection-is-glb _ _ _ unit`eq/.
%worlds () (unit`intersection-is-glb _ _ _ _).
%total { } (unit`intersection-is-glb _ _ _ _).
%% Distributivity: the witnesses U5 and U6 are both given explicitly as
%% unit/ (third and fourth arguments of the case).
%theorem unit`intersection-right-distributes-over-union :
forall* {U1} {U2} {U3} {U4} {U7}
forall {J:unit`union U1 U2 U3} {A:unit`intersection U3 U4 U7}
exists {U5} {U6} {M14:unit`intersection U1 U4 U5} {M24:unit`intersection U2 U4 U6}
{J56:unit`union U5 U6 U7}
true.
- : unit`intersection-right-distributes-over-union _ _ unit/ unit/ unit`union/
unit`union/ unit`union/.
%worlds () (unit`intersection-right-distributes-over-union _ _ _ _ _ _ _).
%total { } (unit`intersection-right-distributes-over-union _ _ _ _ _ _ _).
%% Because intersection and union coincide on unit, the dual distributivity
%% law is literally the same theorem.
%abbrev unit`union-right-distributes-over-intersection =
unit`intersection-right-distributes-over-union.
%%%% Functor Use
%%%% Definitions of Maps
%% A map from nat to unit, i.e. a set of naturals.  map/+ N D M is an entry
%% with key N, value D and remainder M.  Keys inside M are stored RELATIVE
%% to N: a key N0 of M denotes the absolute key N + 1 + N0 (see lookup/>,
%% not-member/> and update/>).  Keys are therefore strictly increasing along
%% the list and each set has exactly one representation, which is the
%% "adequacy" property claimed in the file header.
%% NOTE(review): relations and lemmas on naturals are referred to both
%% qualified (nat`plus, nat`eq) and unqualified (plus, gt); both spellings
%% are presumably provided by nat.elf.
map : type.
map/0 : map.
map/+ : nat -> unit -> map -> map.
%%%% Relations on maps
%% eq is syntactic identity (a single constructor).
eq : map -> map -> type.
eq/ : eq M M.
%% ne: the two maps differ at the first position where they are compared --
%% empty versus non-empty (ne/L, ne/R), at the head key (ne/N), at the head
%% value (ne/D) or somewhere in the remainders (ne/+).
ne : map -> map -> type.
ne/L : ne map/0 (map/+ _ _ _).
ne/R : ne (map/+ _ _ _) map/0.
ne/N : nat`ne N1 N2 -> ne (map/+ N1 _ _) (map/+ N2 _ _).
ne/D : unit`ne D1 D2 -> ne (map/+ _ D1 _) (map/+ _ D2 _).
ne/+ : ne M1 M2 -> ne (map/+ _ _ M1) (map/+ _ _ M2).
%% eq? X Y B: B decides equality; "false" must be justified by an ne proof.
eq? : map -> map -> bool -> type.
eq?/yes : eq? X X true.
eq?/no : eq? X Y false
<- ne X Y.
%% lookup M N D: absolute key N is present in M with value D.  lookup/>
%% descends into the remainder with the relative key N0, where
%% N2 = N1 + 1 + N0.
lookup : map -> nat -> unit -> type.
lookup/= : lookup (map/+ N1 D _) N2 D
<- nat`eq N1 N2.
lookup/> : lookup (map/+ N1 _ F) N2 D
<- plus (s N0) N1 N2
<- lookup F N0 D.
%% not-member M N: N is absent from M.  not-member/<: the head key already
%% exceeds N (all later keys are larger still); not-member/>: N lies past
%% the head key, so recurse with the relative key M1.
not-member : map -> nat -> type.
not-member/0 : not-member map/0 M.
not-member/< : not-member (map/+ N _ F) M
<- gt N M.
not-member/> : not-member (map/+ N _ F) M
<- plus (s M1) N M
<- not-member F M1.
%% member? reduces to lookup (true) or not-member (false).
member? : map -> nat -> bool -> type.
member?/in : member? M N true
<- lookup M N _.
member?/out : member? M N false
<- not-member M N.
%% disjoint: no key in common.  disjoint/< (N1 < N2, N2 = N1 + 1 + N0) drops
%% the first head and re-expresses the second head key as N0 relative to
%% N1; disjoint/> is the mirror image.
disjoint : map -> map -> type.
disjoint/L : disjoint map/0 M.
disjoint/R : disjoint M map/0.
disjoint/< : disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)
<- nat`plus (s N0) N1 N2
<- disjoint M1 (map/+ N0 D2 M2).
disjoint/> : disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)
<- nat`plus (s N3) N2 N1
<- disjoint (map/+ N3 D1 M1) M2.
%% disjoint?/no is witnessed by a key N looked up in both maps.
disjoint? : map -> map -> bool -> type.
disjoint?/yes : disjoint M1 M2 -> disjoint? M1 M2 true.
disjoint?/no :
lookup M1 N D1 ->
lookup M2 N D2 ->
disjoint? M1 M2 false.
%% size M N: N is the number of entries.
size : map -> nat -> type.
size/0 : size map/0 z.
size/+ : size (map/+ _ _ M) (s N)
<- size M N.
%% useful for proving termination on map operations:
%% bound M B: B is z for the empty map and otherwise the sum of every
%% (head key + 1) along the list, i.e. one more than the largest absolute key.
bound : map -> nat -> type.
bound/0 : bound map/0 z.
bound/+ : bound (map/+ N1 D M) N3
<- bound M N2
<- plus (s N1) N2 N3.
%% shift N M M': M' is M with N + 1 added to its head key (and hence, by the
%% relative encoding, to every absolute key); the empty map is unchanged.
shift : nat -> map -> map -> type.
shift/0 : shift _ map/0 map/0.
shift/+ : shift N1 (map/+ N2 D M) (map/+ N3 D M)
<- plus (s N1) N2 N3.
%% update M N D M': insert key N with value D, overwriting any old value.
%% update/=: same key, replace the value.  update/< (N2 < N1): the new entry
%% goes in front and the old head key N1 is re-expressed as N3 relative to
%% N2.  update/> (N2 > N1): recurse with the relative key N0.
update : map -> nat -> unit -> map -> type.
update/0 : update map/0 N D (map/+ N D map/0).
update/= : update (map/+ N1 _ F) N2 D (map/+ N2 D F)
<- nat`eq N1 N2.
update/< : update (map/+ N1 D1 F) N2 D2 (map/+ N2 D2 (map/+ N3 D1 F))
<- plus (s N3) N2 N1.
update/> : update (map/+ N1 D1 F1) N2 D2 (map/+ N1 D1 F2)
<- plus (s N0) N1 N2
<- update F1 N0 D2 F2.
%%%% Theorems
%%% Theorems about eq
%% meta-eq: any eq proof identifies its two arguments.  The %reduces
%% declaration records M = N for the termination checker so that later
%% proofs may use an eq proof to rewrite measures.
%theorem meta-eq :
forall {M} {N} {E:eq M N}
true.
- : meta-eq M M eq/.
%worlds () (meta-eq _ _ _).
%total {} (meta-eq _ _ _).
%reduces M = N (meta-eq M N _).
%% Ex falso (no cases, void premise).  The %{=>}% fragments inside the
%% %worlds declarations are comments naming the inputs and outputs.
%theorem false-implies-eq :
forall* {M} {M'} forall {F:void} exists {E:eq M M'} true.
%worlds () (false-implies-eq _ %{=>}% M=M').
%total {} (false-implies-eq _ _).
%% Reflexivity, symmetry and transitivity are all immediate from eq/.
%theorem eq-reflexive : forall {M} exists {E:eq M M} true.
- : eq-reflexive _ eq/.
%worlds () (eq-reflexive M %{=>}% M=M).
%total {} (eq-reflexive _ _).
%theorem eq-symmetric :
forall* {M} {M'}
forall {E1:eq M M'}
exists {E2:eq M' M}
true.
- : eq-symmetric eq/ eq/.
%worlds () (eq-symmetric M=M' %{=>}% M'=M).
%total {} (eq-symmetric _ _).
%theorem eq-transitive:
forall* {M1} {M2} {M3}
forall {E12:eq M1 M2} {E23:eq M2 M3}
exists {E13:eq M1 M3}
true.
- : eq-transitive eq/ eq/ eq/.
%worlds () (eq-transitive M1=M2 M2=M3 %{=>}% M1=M3).
%total {} (eq-transitive _ _ _).
%% map/+ is a congruence for its three components ...
%theorem map/+-preserves-eq :
forall* {N} {NP} {D} {DP} {F} {FP}
forall {EN:nat`eq N NP} {ED:unit`eq D DP} {EF:eq F FP}
exists {E:eq (map/+ N D F) (map/+ NP DP FP)}
true.
- : map/+-preserves-eq nat`eq/ unit`eq/ eq/ eq/.
%worlds () (map/+-preserves-eq N=N' D=D' F=F' %{=>}% NDF=N'D'F').
%total {} (map/+-preserves-eq _ _ _ _).
%% ... and injective in all three (the converse).
%theorem map/+-preserves-eq-converse :
forall* {N} {NP} {D} {DP} {F} {FP}
forall {E:eq (map/+ N D F) (map/+ NP DP FP)}
exists {EN:nat`eq N NP} {ED:unit`eq D DP} {EF:eq F FP}
true.
- : map/+-preserves-eq-converse eq/ nat`eq/ unit`eq/ eq/.
%worlds () (map/+-preserves-eq-converse _ _ _ _).
%total {} (map/+-preserves-eq-converse _ _ _ _).
%% eq M (map/+ N D M) is impossible: matching eq/ would unify M with a term
%% containing M, which fails the occurs check, so no case is needed.
%theorem eq-no-occur :
forall* {M} {N} {D}
forall {E:eq M (map/+ N D M)}
exists {F:void}
true.
%worlds () (eq-no-occur _ _).
%total {} (eq-no-occur _ _).
%% map/0 and map/+ never unify, so again the theorem holds with no cases.
%theorem eq-contradiction :
forall* {N} {D} {M}
forall {E:eq map/0 (map/+ N D M)}
exists {F:void}
true.
%worlds () (eq-contradiction _ _).
%total {} (eq-contradiction _ _).
%%% Theorems about ne
%% Ex falso for ne (no cases, void premise).
%theorem false-implies-ne :
forall* {M1} {M2}
forall {F:void}
exists {N:ne M1 M2}
true.
%worlds () (false-implies-ne _ _).
%total { } (false-implies-ne _ _).
%% eq/ forces M21 = M11 and M22 = M12, so the original ne proof is reused.
%theorem ne-respects-eq :
forall* {M11} {M12} {M21} {M22}
forall {N1:ne M11 M12} {E1:eq M11 M21} {E2:eq M12 M22}
exists {N2:ne M21 M22}
true.
- : ne-respects-eq N eq/ eq/ N.
%worlds () (ne-respects-eq _ _ _ _).
%total { } (ne-respects-eq _ _ _ _).
%% ne M M is refutable by induction on the ne proof (the %total measure N).
%% ne/L and ne/R cannot have identical sides, so only ne/N, ne/D and ne/+
%% need cases; the first two delegate to the nat and unit anti-reflexivity
%% lemmas, the last recurses on the remainders.
%theorem ne-anti-reflexive :
forall* {M}
forall {N:ne M M}
exists {F:void}
true.
- : ne-anti-reflexive (ne/N N) F
<- nat`ne-anti-reflexive N F.
- : ne-anti-reflexive (ne/D N) F
<- unit`ne-anti-reflexive N F.
- : ne-anti-reflexive (ne/+ N) F
<- ne-anti-reflexive N F.
%worlds () (ne-anti-reflexive _ _).
%total (N) (ne-anti-reflexive N _).
%% Symmetry is structural on the ne proof, swapping ne/L with ne/R and
%% using the symmetry lemmas of nat and unit for the component cases.
%theorem ne-symmetric :
forall* {M1} {M2}
forall {N1:ne M1 M2}
exists {N2:ne M2 M1}
true.
- : ne-symmetric ne/L ne/R.
- : ne-symmetric ne/R ne/L.
- : ne-symmetric (ne/N N1) (ne/N N2)
<- nat`ne-symmetric N1 N2.
- : ne-symmetric (ne/D N1) (ne/D N2)
<- unit`ne-symmetric N1 N2.
- : ne-symmetric (ne/+ N1) (ne/+ N2)
<- ne-symmetric N1 N2.
%worlds () (ne-symmetric _ _).
%total (N) (ne-symmetric N _).
%% eq/ makes both sides the same map, so ne-anti-reflexive applies.
%theorem eq-ne-implies-false :
forall* {X} {Y}
forall {D1:eq X Y} {D2:ne X Y}
exists {F:void}
true.
- : eq-ne-implies-false eq/ X<>X F
<- ne-anti-reflexive X<>X F.
%worlds () (eq-ne-implies-false _ _ _).
%total { } (eq-ne-implies-false _ _ _).
%% Decidability of map equality.  It is proved together with the lemma
%% eq?-total/+, which decides equality of two non-empty maps from the
%% decisions for their keys (nat`eq?), values (unit`eq?) and remainders.
%% The %abbrev hides the three leading arguments (M, N and B).
%theorem eq?-total* :
forall {M} {N}
exists {B} {T:eq? M N B}
true.
%abbrev eq?-total = eq?-total* _ _ _.
%theorem eq?-total/+ :
forall* {N1} {D1} {N2} {D2} {M2} {EN} {ED} {EM}
forall {M1}
{EN?:nat`eq? N1 N2 EN}
{ED?:unit`eq? D1 D2 ED}
{EM?:eq? M1 M2 EM}
exists {B}
{E?:eq? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B}
true.
%% identical maps
- : eq?-total eq?/yes.
%% empty versus non-empty, either way round
- : eq?-total (eq?/no ne/L).
- : eq?-total (eq?/no ne/R).
%% both non-empty: decide each component, then combine with eq?-total/+
- : eq?-total E?
<- nat`eq?-total EN?
<- unit`eq?-total ED?
<- eq?-total EM?
<- eq?-total/+ _ EN? ED? EM? _ E?.
%% all components equal -> equal; otherwise the first differing component
%% (key, value or remainder) supplies the ne proof
- : eq?-total/+ _ (nat`eq?/yes) (unit`eq?/yes) (eq?/yes) _ eq?/yes.
- : eq?-total/+ _ (nat`eq?/no N) _ _ _ (eq?/no (ne/N N)).
- : eq?-total/+ _ _ (unit`eq?/no N) _ _ (eq?/no (ne/D N)).
- : eq?-total/+ _ _ _ (eq?/no N) _ (eq?/no (ne/+ N)).
%% mutual induction on the first map M and, for the lemma, on the
%% remainder M1 (its first explicit argument)
%worlds () (eq?-total* _ _ _ _) (eq?-total/+ _ _ _ _ _ _).
%total (M W) (eq?-total* M _ _ _) (eq?-total/+ W _ _ _ _ _).
%%% Theorems about lookup
%% Ex falso for lookup (no cases, void premise).
%theorem false-implies-lookup :
forall* {M} {N} {D}
forall {F:void}
exists {L:lookup M N D}
true.
%worlds () (false-implies-lookup _ %{=>}% F^N=D).
%total {} (false-implies-lookup _ _).
%% The equalities are all syntactic, so the lookup proof is returned as is.
%theorem lookup-respects-eq :
forall* {M} {N} {D} {MP} {NP} {DP}
forall {L:lookup M N D} {EM:eq M MP} {EN:nat`eq N NP} {ED:unit`eq D DP}
exists {LP:lookup MP NP DP}
true.
- : lookup-respects-eq L eq/ nat`eq/ unit`eq/ L.
%worlds () (lookup-respects-eq M^N=D M=M' N=N' D=D' %{=>}% M'^N'=D').
%total {} (lookup-respects-eq _ _ _ _ _).
%% A key has at most one value.  Induction on the first lookup proof: two
%% lookup/> steps share the head key, so the offsets are cancelled
%% (plus-right-cancels, succ-cancels) and the remainder is recursed on.
%% A lookup/= paired with a lookup/> is impossible, since it would need
%% N = N0 + 1 + N; this is refuted via plus-implies-gt and gt-anti-reflexive.
%theorem lookup-deterministic :
forall* {M} {N} {D} {MP} {NP} {DP}
forall {L:lookup M N D} {LP:lookup MP NP DP}
{EM:eq M MP} {EN:nat`eq N NP}
exists {ED:unit`eq D DP}
true.
- : lookup-deterministic (lookup/= nat`eq/) (lookup/= nat`eq/) eq/ nat`eq/ unit`eq/.
- : lookup-deterministic (lookup/> F^N0=D N0+1+N1=N2)
(lookup/> F^N0'=D' N0'+1+N1=N2) eq/ nat`eq/ D=D'
<- plus-right-cancels N0+1+N1=N2 N0'+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0'+1
<- succ-cancels N0+1=N0'+1 N0=N0'
<- lookup-deterministic F^N0=D F^N0'=D' eq/ N0=N0' D=D'.
%% contradiction cases
- : lookup-deterministic (lookup/= nat`eq/) (lookup/> _ N0+1+N=N)
eq/ nat`eq/ D=D'
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N FALSE
<- unit`false-implies-eq FALSE D=D'.
- : lookup-deterministic (lookup/> _ N0+1+N=N) (lookup/= nat`eq/)
eq/ nat`eq/ D=D'
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N FALSE
<- unit`false-implies-eq FALSE D=D'.
%worlds () (lookup-deterministic M^N=D M'^N'=D' M=M' N=N' %{=>}% D=D').
%total (L) (lookup-deterministic L _ _ _ _).
%% lookup is NOT total
%% Nothing can be looked up in the empty map: no constructor of lookup
%% matches map/0, so the theorem needs no cases.
%theorem lookup-contradiction :
forall* {N} {D}
forall {L:lookup map/0 N D}
exists {F:void}
true.
%worlds () (lookup-contradiction _ _).
%total { } (lookup-contradiction _ _).
%% In a one-entry map only lookup/= can apply (lookup/> would need a lookup
%% in map/0), so the key and the value are the stored ones.
%theorem lookup-one-choice :
forall* {N1} {D1} {N2} {D2}
forall {L:lookup (map/+ N1 D1 map/0) N2 D2}
exists {NE:nat`eq N1 N2} {DE:unit`eq D1 D2}
true.
- : lookup-one-choice (lookup/= nat`eq/) nat`eq/ unit`eq/.
%worlds () (lookup-one-choice _ _ _).
%total { } (lookup-one-choice _ _ _).
%% Two maps holding different values at the same key are different.  The
%% proof runs the decision procedure eq?-total: if it answers "no" that
%% supplies the ne proof; if it answers "yes" the maps are identical, so
%% lookup-deterministic makes the values equal, contradicting ND.  The /L
%% lemma does the case split on the decision.
%theorem lookup-ne-implies-ne :
forall* {M1} {N1} {D1} {M2} {N2} {D2}
forall {L1:lookup M1 N1 D1}
{L2:lookup M2 N2 D2}
{EN:nat`eq N1 N2}
{ND:unit`ne D1 D2}
exists {NM:ne M1 M2}
true.
%theorem lookup-ne-implies-ne/L :
forall* {M1} {N1} {D1} {M2} {N2} {D2} {B}
forall {L1:lookup M1 N1 D1}
{L2:lookup M2 N2 D2}
{EN:nat`eq N1 N2}
{ND:unit`ne D1 D2}
{EM?:eq? M1 M2 B}
exists {NM:ne M1 M2}
true.
- : lookup-ne-implies-ne L1 L2 EN ND NM
<- eq?-total EM?
<- lookup-ne-implies-ne/L L1 L2 EN ND EM? NM.
- : lookup-ne-implies-ne/L L1 L2 _ _ (eq?/no NM) NM.
- : lookup-ne-implies-ne/L L1 L2 nat`eq/ D1<>D2 eq?/yes NM
<- lookup-deterministic L1 L2 eq/ nat`eq/ D1=D2
<- unit`eq-ne-implies-false D1=D2 D1<>D2 F
<- false-implies-ne F NM.
%worlds () (lookup-ne-implies-ne/L _ _ _ _ _ _).
%total { } (lookup-ne-implies-ne/L _ _ _ _ _ _).
%worlds () (lookup-ne-implies-ne _ _ _ _ _).
%total { } (lookup-ne-implies-ne _ _ _ _ _).
%%% Theorems about not-member
%% Ex falso for not-member (no cases, void premise).
%theorem false-implies-not-member :
forall* {M} {N} forall {F:void} exists {D:not-member M N} true.
%worlds () (false-implies-not-member _ %{=>}% N-not-in-member-M).
%total {} (false-implies-not-member _ _).
%% Syntactic equalities: the not-member proof is returned unchanged.
%theorem not-member-respects-eq :
forall* {M} {N} {MP} {NP}
forall {D:not-member M N} {EM:eq M MP} {EN:nat`eq N NP}
exists {DP:not-member MP NP}
true.
- : not-member-respects-eq D eq/ nat`eq/ D.
%worlds () (not-member-respects-eq _ _ _ _).
%total {} (not-member-respects-eq _ _ _ _).
%% not-member is NOT deterministic
%% Every map has an absent key: z for the empty map; for map/+ N1 _ M take an
%% absent key N of the remainder and return N + 1 + N1, the absolute form of
%% the relative key N.  The %abbrev hides the map argument.
%theorem not-member-total* :
forall {M}
exists {N} {F:not-member M N}
true.
- : not-member-total* map/0 z not-member/0.
- : not-member-total* (map/+ N1 _ M) N3 (not-member/> F N+1+N1=N3)
<- not-member-total* M N F
<- plus-total* (s N) N1 N3 N+1+N1=N3.
%worlds () (not-member-total* M %{=>}% N N-not-in-member-of-M).
%total (M) (not-member-total* M _ _).
%abbrev not-member-total = not-member-total* _ _.
%% An absent key and a present key differ.  Induction on the not-member
%% proof; in the not-member/< cases the head key separates the two keys,
%% and in the recursive case the inequality of the relative keys is lifted
%% back through the shared offset (succ-preserves-ne, plus-right-preserves-ne*).
%theorem not-member-lookup-not-equal :
forall* {M} {N1} {N2} {D2}
forall {F:not-member M N1} {L:lookup M N2 D2}
exists {NE:nat`ne N1 N2}
true.
- : not-member-lookup-not-equal (not-member/< N2>N1) (lookup/= nat`eq/) (nat`ne/< N2>N1).
- : not-member-lookup-not-equal (not-member/< N1>N3) (lookup/> _ N0+1+N1=N2)
(nat`ne/< N2>N3)
<- plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- gt-transitive N2>N1 N1>N3 N2>N3.
- : not-member-lookup-not-equal (not-member/> _ X+1+N2=N1) (lookup/= nat`eq/) (nat`ne/> N1>N2)
<- plus-implies-gt X+1+N2=N1 nat`eq/ N1>N2.
- : not-member-lookup-not-equal (not-member/> F N4+1+N1=N3) (lookup/> L N0+1+N1=N2)
N3<>N2
<- not-member-lookup-not-equal F L N4<>N0
<- succ-preserves-ne N4<>N0 N4+1<>N0+1
<- plus-right-preserves-ne* N4+1<>N0+1 N4+1+N1=N3 N0+1+N1=N2 N3<>N2.
%worlds () (not-member-lookup-not-equal N1-not-in-member-of-M M^N2=D %{=>}% N1<>N2).
%total (F) (not-member-lookup-not-equal F _ _).
%% The head key is always present: not-member/< would need N > N and
%% not-member/> would need N = N0 + 1 + N.
%theorem not-member-contradiction :
forall* {M} {N} {D}
forall {F:not-member (map/+ N D M) N}
exists {V:void}
true.
- : not-member-contradiction (not-member/< N>N) V
<- nat`gt-anti-reflexive N>N V.
- : not-member-contradiction (not-member/> _ N0+1+N=N) V
<- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N V.
%worlds () (not-member-contradiction _ _).
%total {} (not-member-contradiction _ _).
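%% A key different from the single key of a one-entry map is absent from it.
%% NOTE(review): the two cases below were reconstructed from a garbled copy
%% in which every "<X" sequence (read as an HTML tag by the extractor) had
%% been dropped; the proof-variable spelling N1<N2 (naming a gt N2 N1 proof,
%% as nat`ne/< takes in not-member-lookup-not-equal) is inferred from the
%% surrounding text, so the cases should be re-checked with Twelf.
%theorem ne-implies-unit-map-not-member :
forall* {N1} {D} {N2}
forall {NE:nat`ne N1 N2}
exists {F:not-member (map/+ N1 D map/0) N2}
true.
%% N1 < N2: N2 = N0 + 1 + N1 lies past the only entry, so not-member/>
%% recurses into the empty remainder with the relative key N0.
- : ne-implies-unit-map-not-member
(nat`ne/< N1<N2) (not-member/> not-member/0 N0+1+N1=N2)
<- nat`gt-implies-plus N1<N2 N0 N0+1+N1=N2.
%% N1 > N2: the head key already exceeds N2.
- : ne-implies-unit-map-not-member (nat`ne/> N1>N2) (not-member/< N1>N2).
%worlds () (ne-implies-unit-map-not-member _ _).
%total { } (ne-implies-unit-map-not-member _ _).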
%% Adding the same N to the head key and to the queried key preserves
%% absence: only the head key is compared against the query, and the
%% remainder M (whose keys are relative to the head) is unchanged.
%theorem plus-right-preserves-not-member* :
forall* {M} {N1} {D} {N2} {N} {N3} {N4}
forall {F:not-member (map/+ N1 D M) N2}
{P1:plus N1 N N3} {P2:plus N2 N N4}
exists {FP:not-member (map/+ N3 D M) N4}
true.
- : plus-right-preserves-not-member* (not-member/< N2>N1) N1+N=N3 N2+N=N4 (not-member/< N4>N3)
<- nat`plus-right-preserves-gt* N2>N1 N1+N=N3 N2+N=N4 N4>N3.
- : plus-right-preserves-not-member* (not-member/> F10 N0+1+N1=N2) N1+N=N3 N2+N=N4
(not-member/> F10 N0+1+N3=N4)
<- nat`plus-associative* N0+1+N1=N2 N2+N=N4 N1+N=N3 N0+1+N3=N4.
%worlds () (plus-right-preserves-not-member* _ _ _ _).
%total {} (plus-right-preserves-not-member* _ _ _ _).
%% A map lacking key N1 differs from a map holding key N2 = N1.  As for
%% lookup-ne-implies-ne, the proof runs eq?-total: a "no" answer is the ne
%% proof; a "yes" answer makes the maps identical, so
%% not-member-lookup-not-equal yields N <> N, which is refuted.
%theorem not-member-lookup-implies-ne :
forall* {M1} {N1} {M2} {N2} {D2}
forall {L1:not-member M1 N1}
{L2:lookup M2 N2 D2}
{EN:nat`eq N1 N2}
exists {NM:ne M1 M2}
true.
%theorem not-member-lookup-implies-ne/L :
forall* {M1} {N1} {M2} {N2} {D2} {B}
forall {L1:not-member M1 N1}
{L2:lookup M2 N2 D2}
{EN:nat`eq N1 N2}
{EM?:eq? M1 M2 B}
exists {NM:ne M1 M2}
true.
- : not-member-lookup-implies-ne F1 L2 EN NM
<- eq?-total EM?
<- not-member-lookup-implies-ne/L F1 L2 EN EM? NM.
- : not-member-lookup-implies-ne/L _ _ _ (eq?/no NM) NM.
- : not-member-lookup-implies-ne/L F1 L2 nat`eq/ eq?/yes NM
<- not-member-lookup-not-equal F1 L2 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-ne F NM.
%worlds () (not-member-lookup-implies-ne/L _ _ _ _ _).
%total { } (not-member-lookup-implies-ne/L _ _ _ _ _).
%worlds () (not-member-lookup-implies-ne _ _ _ _).
%total { } (not-member-lookup-implies-ne _ _ _ _).
%%% Theorems about map/member
%% Ex falso for member? (no cases, void premise).
%theorem false-implies-member? :
forall* {M} {N} {D}
forall {F:void}
exists {MD:member? M N D}
true.
%worlds () (false-implies-member? _ _).
%total {} (false-implies-member? _ _).
%% All equalities (including bool`eq) are syntactic; the proof is reused.
%theorem member?-respects-eq :
forall* {M1} {N1} {B1} {M2} {N2} {B2}
forall {MD1:member? M1 N1 B1}
{EM:eq M1 M2}
{EN:nat`eq N1 N2}
{BE:bool`eq B1 B2}
exists {MD2:member? M2 N2 B2}
true.
- : member?-respects-eq MD eq/ nat`eq/ bool`eq/ MD.
%worlds () (member?-respects-eq _ _ _ _ _).
%total { } (member?-respects-eq _ _ _ _ _).
%% member? is functional.  The first case covers B1 = B2 outright (output
%% bool`eq/); the remaining two refute an in/out or out/in pair, since the
%% same key cannot be both present and absent (not-member-lookup-not-equal).
%theorem member?-deterministic :
forall* {M1} {N1} {B1} {M2} {N2} {B2}
forall {MD1:member? M1 N1 B1}
{MD2:member? M2 N2 B2}
{EM:eq M1 M2}
{EN:nat`eq N1 N2}
exists {BE:bool`eq B1 B2}
true.
- : member?-deterministic _ _ _ _ bool`eq/.
- : member?-deterministic (member?/in L) (member?/out F) eq/ nat`eq/ BE
<- not-member-lookup-not-equal F L NE
<- nat`ne-anti-reflexive NE V
<- bool`false-implies-eq V BE.
- : member?-deterministic (member?/out F) (member?/in L) eq/ nat`eq/ BE
<- not-member-lookup-not-equal F L NE
<- nat`ne-anti-reflexive NE V
<- bool`false-implies-eq V BE.
%worlds () (member?-deterministic _ _ _ _ _).
%total { } (member?-deterministic _ _ _ _ _).
%% Totality of member?, by comparing the queried key with the head key via
%% nat`compare.  member?-map/+-total does the case split on the comparison
%% and is proved by mutual induction with member?-total* (measures M and M1
%% in the joint %total below); member?-map/+-complete, which lifts a result
%% for the remainder through one map/+ step, is proved on its own first.
%theorem member?-total* :
forall {M} {N}
exists {B} {MD:member? M N B}
true.
%% we need a lemma
%theorem member?-map/+-total :
forall {N1} {D1} {M1} {N2} {C} {CMP:nat`compare N1 N2 C}
exists {B} {MD:member? (map/+ N1 D1 M1) N2 B}
true.
%% and this lemma needs a lemma
%theorem member?-map/+-complete :
forall {N1} {D1} {M1} {N2} {N0} {P:plus (s N0) N1 N2}
{B} {MD1:member? M1 N0 B}
exists {MD:member? (map/+ N1 D1 M1) N2 B}
true.
- : member?-total* map/0 N false (member?/out not-member/0).
- : member?-total* (map/+ N1 D1 M1) N2 B MD
<- nat`compare-total* N1 N2 C CMP
<- member?-map/+-total N1 D1 M1 N2 C CMP B MD.
%% equal key -> present via lookup/=; head key greater -> absent via
%% not-member/<; head key smaller -> recurse on the remainder with the
%% relative key N0 and lift the answer with member?-map/+-complete
- : member?-map/+-total N1 D1 M1 N2 equal CMP true
(member?/in (lookup/= N1=N2))
<- equal-implies-eq CMP N1=N2.
- : member?-map/+-total N1 D1 M1 N2 greater CMP false
(member?/out (not-member/< N1>N2))
<- greater-implies-gt CMP N1>N2.
- : member?-map/+-total N1 D1 M1 N2 less CMP B MD
<- less-implies-lt CMP N2>N1
<- gt-implies-plus N2>N1 N0 N0+1+N1=N2
<- member?-total* M1 N0 B MD1
<- member?-map/+-complete N1 D1 M1 N2 N0 N0+1+N1=N2 B MD1 MD.
- : member?-map/+-complete N1 D1 M1 N2 N0 N0+1+N1=N2 true (member?/in L1)
(member?/in (lookup/> L1 N0+1+N1=N2)).
- : member?-map/+-complete N1 D1 M1 N2 N0 N0+1+N1=N2 false (member?/out F1)
(member?/out (not-member/> F1 N0+1+N1=N2)).
%worlds () (member?-map/+-complete _ _ _ _ _ _ _ _ _).
%total {} (member?-map/+-complete _ _ _ _ _ _ _ _ _).
%worlds () (member?-total* _ _ _ _)
(member?-map/+-total _ _ _ _ _ _ _ _).
%total (M M1) (member?-total* M _ _ _)
(member?-map/+-total _ _ M1 _ _ _ _ _).
%abbrev member?-total = member?-total* _ _ _.
%% Inversion lemmas: a "true" answer carries a lookup, a "false" answer a
%% not-member proof.
%theorem in-implies-lookup :
forall* {M} {N}
forall {MD:member? M N true}
exists {D} {L:lookup M N D}
true.
- : in-implies-lookup (member?/in L) _ L.
%worlds () (in-implies-lookup _ _ _).
%total {} (in-implies-lookup _ _ _).
%theorem out-implies-not-member :
forall* {M} {N}
forall {MD:member? M N false}
exists {F:not-member M N}
true.
- : out-implies-not-member (member?/out F) F.
%worlds () (out-implies-not-member _ _).
%total {} (out-implies-not-member _ _).
%%% Theorems about disjoint
%% Ex falso for disjoint (no cases, void premise).
%theorem false-implies-disjoint :
forall* {M1} {M2}
forall {F:void}
exists {D:disjoint M1 M2}
true.
%worlds () (false-implies-disjoint _ _).
%total { } (false-implies-disjoint _ _).
%% Syntactic equalities: the proof is returned unchanged, and %reduces
%% records that the output is the input for later termination arguments.
%theorem disjoint-respects-eq :
forall* {M1} {M2} {M1P} {M2P}
forall {A:disjoint M1 M2} {E1:eq M1 M1P} {E2:eq M2 M2P}
exists {AP:disjoint M1P M2P}
true.
- : disjoint-respects-eq A eq/ eq/ A.
%worlds () (disjoint-respects-eq _ _ _ _).
%total {} (disjoint-respects-eq _ _ _ _).
%reduces A = AP (disjoint-respects-eq A _ _ AP).
%% Two non-empty maps with the same head key are never disjoint: both
%% disjoint/< and disjoint/> would require N = N0 + 1 + N.
%theorem disjoint/=-contradiction :
forall* {N1} {D1} {M1} {N2} {D2} {M2}
forall {A:disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)}
{G:nat`eq N1 N2}
exists {F:void}
true.
- : disjoint/=-contradiction (disjoint/< _ N0+1+N=N) nat`eq/ F
<- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F.
- : disjoint/=-contradiction (disjoint/> _ N3+1+N=N) nat`eq/ F
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F.
%worlds () (disjoint/=-contradiction _ _ _).
%total { } (disjoint/=-contradiction _ _ _).
%% Inversion of disjoint/< for a given offset proof P.  In the disjoint/<
%% case the two offset proofs are cancelled to identify N0 and the stored
%% sub-proof is re-indexed; the disjoint/> case is impossible (it gives both
%% N1 > N2 and N2 > N1).  %reduces AP < A lets callers recurse on the result.
%theorem disjoint/<-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0}
forall {A:disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)}
{P:plus (s N0) N1 N2}
exists {AP:disjoint M1 (map/+ N0 D2 M2)}
true.
- : disjoint/<-inversion (disjoint/< A P) P' A'
<- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
<- succ-cancels N0+1=N0'+1 N0=N0P
<- map/+-preserves-eq N0=N0P unit`eq/ eq/ M022=M022'
<- disjoint-respects-eq A eq/ M022=M022' A'.
- : disjoint/<-inversion (disjoint/> A' N3+1+N2=N1) N0+1+N1=N2 A
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F M311=M1
<- false-implies-eq F M2=M022
<- disjoint-respects-eq A' M311=M1 M2=M022 A.
%worlds () (disjoint/<-inversion _ _ _).
%total {} (disjoint/<-inversion _ _ _).
%reduces AP < A (disjoint/<-inversion A _ AP).
%% Mirror image of disjoint/<-inversion for disjoint/>.
%theorem disjoint/>-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3}
forall {A:disjoint (map/+ N1 D1 M1) (map/+ N2 D2 M2)}
{P:plus (s N3) N2 N1}
exists {AP:disjoint (map/+ N3 D1 M1) M2}
true.
- : disjoint/>-inversion (disjoint/> A P) P' A'
<- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N3+1=N3'+1
<- succ-cancels N3+1=N3'+1 N3=N3P
<- map/+-preserves-eq N3=N3P unit`eq/ eq/ M311=M311'
<- disjoint-respects-eq A M311=M311' eq/ A'.
- : disjoint/>-inversion (disjoint/< A' N0+1+N1=N2) N3+1+N2=N1 A
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F M1=M311
<- false-implies-eq F M022=M2
<- disjoint-respects-eq A' M1=M311 M022=M2 A.
%worlds () (disjoint/>-inversion _ _ _).
%total { } (disjoint/>-inversion _ _ _).
%reduces AP < A (disjoint/>-inversion A _ AP).
%% A map disjoint from itself is empty: the non-empty case is refuted by
%% disjoint/=-contradiction (the two head keys are the same).
%theorem disjoint-anti-reflexive :
forall* {M}
forall {D:disjoint M M}
exists {E:eq map/0 M}
true.
- : disjoint-anti-reflexive disjoint/L eq/.
- : disjoint-anti-reflexive disjoint/R eq/.
- : disjoint-anti-reflexive (A:disjoint (map/+ N D M) (map/+ N D M)) E
<- disjoint/=-contradiction A nat`eq/ F
<- false-implies-eq F E.
%worlds () (disjoint-anti-reflexive _ _).
%total { } (disjoint-anti-reflexive _ _).
%% Symmetry is structural: disjoint/L and disjoint/R swap, and disjoint/<
%% and disjoint/> swap with the same offset proof.
%theorem disjoint-symmetric :
forall* {M1} {M2}
forall {D:disjoint M1 M2}
exists {D:disjoint M2 M1}
true.
- : disjoint-symmetric disjoint/L disjoint/R.
- : disjoint-symmetric disjoint/R disjoint/L.
- : disjoint-symmetric (disjoint/< D P) (disjoint/> D' P)
<- disjoint-symmetric D D'.
- : disjoint-symmetric (disjoint/> D P) (disjoint/< D' P)
<- disjoint-symmetric D D'.
%worlds () (disjoint-symmetric _ _).
%total (D) (disjoint-symmetric D _).
%% A key present in both maps contradicts disjointness.  Induction on the
%% disjoint proof D: the map/0 cases use lookup-contradiction; lookup/=
%% against lookup/= or lookup/> head cases reduce to N > N or to N1 > N2
%% together with N2 > N1; the remaining cases re-align the relative keys of
%% the two lookups with plus-swap-succ, plus-associative-converse,
%% plus-right-cancels and plus-respects-eq, then recurse on D.
%theorem disjoint-lookup-contradiction :
forall* {M1} {M2} {N} {D1} {D2}
forall {A:disjoint M1 M2}
{L1:lookup M1 N D1} {L2:lookup M2 N D2}
exists {F:void}
true.
- : disjoint-lookup-contradiction disjoint/L L _ F
<- lookup-contradiction L F.
- : disjoint-lookup-contradiction disjoint/R _ L F
<- lookup-contradiction L F.
- : disjoint-lookup-contradiction (disjoint/< _ N0+1+N=N)
(lookup/= nat`eq/) (lookup/= nat`eq/) F
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F.
- : disjoint-lookup-contradiction (disjoint/< _ N0+1+N1=N2)
(lookup/= nat`eq/)
(lookup/> _ N3+1+N2=N1) F
<- plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- gt-anti-symmetric N2>N1 N1>N2 F.
- : disjoint-lookup-contradiction (disjoint/< D N0+1+N1=N2)
(lookup/> L1P N0P+1+N1=N2)
(lookup/= nat`eq/) F
<- plus-right-cancels N0P+1+N1=N2 N0+1+N1=N2 nat`eq/ nat`eq/ N0P+1=N0+1
<- succ-cancels N0P+1=N0+1 N0P=N0
<- lookup-respects-eq L1P eq/ N0P=N0 unit`eq/ L1
<- disjoint-lookup-contradiction D L1 (lookup/= nat`eq/) F.
- : disjoint-lookup-contradiction (disjoint/< D N0+1+N1=N2)
(lookup/> L1 N1P+1+N1=N)
(lookup/> L2 N2P+1+N2=N) F
<- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- plus-associative-converse N0+N1+1=N2 N2P+1+N2=N NX
N2P+1+N0=NX NX+N1+1=N
<- plus-swap-succ N1P+1+N1=N N1P+N1+1=N
<- plus-right-cancels NX+N1+1=N N1P+N1+1=N nat`eq/ nat`eq/ NX=N1P
<- plus-respects-eq N2P+1+N0=NX nat`eq/ nat`eq/ NX=N1P N2P+1+N0=N1P
<- disjoint-lookup-contradiction D L1 (lookup/> L2 N2P+1+N0=N1P) F.
- : disjoint-lookup-contradiction (disjoint/> _ N3+1+N=N)
(lookup/= nat`eq/) (lookup/= nat`eq/) F
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F.
- : disjoint-lookup-contradiction (disjoint/> _ N3+1+N2=N1)
(lookup/> _ N3+1+N1=N2)
(lookup/= nat`eq/) F
<- plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- plus-implies-gt N3+1+N1=N2 nat`eq/ N2>N1
<- gt-anti-symmetric N1>N2 N2>N1 F.
- : disjoint-lookup-contradiction (disjoint/> D N3+1+N2=N1)
(lookup/= nat`eq/)
(lookup/> L2P N3P+1+N2=N1) F
<- plus-right-cancels N3P+1+N2=N1 N3+1+N2=N1 nat`eq/ nat`eq/ N3P+1=N3+1
<- succ-cancels N3P+1=N3+1 N3P=N3
<- lookup-respects-eq L2P eq/ N3P=N3 unit`eq/ L2
<- disjoint-lookup-contradiction D (lookup/= nat`eq/) L2 F.
- : disjoint-lookup-contradiction (disjoint/> D N3+1+N2=N1)
(lookup/> L1 N1P+1+N1=N)
(lookup/> L2 N2P+1+N2=N) F
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 N1P+1+N1=N NX
N1P+1+N3=NX NX+N2+1=N
<- plus-swap-succ N2P+1+N2=N N2P+N2+1=N
<- plus-right-cancels NX+N2+1=N N2P+N2+1=N nat`eq/ nat`eq/ NX=N2P
<- plus-respects-eq N1P+1+N3=NX nat`eq/ nat`eq/ NX=N2P N1P+1+N3=N2P
<- disjoint-lookup-contradiction D (lookup/> L1 N1P+1+N3=N2P) L2 F.
%worlds () (disjoint-lookup-contradiction _ _ _ _).
%total (D) (disjoint-lookup-contradiction D _ _ _).
%% Shifting the left map by N keeps it disjoint from M2 when M2 is re-based
%% under a fresh head at N.  A shift by N moves every key by N+1 (shift/+
%% uses plus (s N) N1 N1P), which is exactly the gap disjoint/> demands
%% against a map whose head key is N.  The head datum D is arbitrary.
%theorem shift-left-preserves-disjoint :
forall* {N} {D} {M1} {M2} {SM1}
forall {A:disjoint M1 M2} {S1:shift N M1 SM1}
exists {SA:disjoint SM1 (map/+ N D M2)}
true.
%% Empty left map: trivially disjoint from anything.
- : shift-left-preserves-disjoint _ shift/0 disjoint/L.
%% Non-empty left map: the shift's plus fact, re-associated, is the
%% disjoint/> premise; the original disjointness proof is reused as-is.
- : shift-left-preserves-disjoint M111*M2 (shift/+ N+1+N1=N1P)
(disjoint/> M111*M2 N1+1+N=N1P)
<- plus-swap-succ N+1+N1=N1P N+N1+1=N1P
<- plus-commutative N+N1+1=N1P N1+1+N=N1P.
%worlds () (shift-left-preserves-disjoint _ _ _).
%total { } (shift-left-preserves-disjoint _ _ _).
%% Converse of shift-left-preserves-disjoint: if the shifted M1 is disjoint
%% from M2 re-based under a head at N, then M1 and M2 were disjoint.
%theorem shift-left-preserves-disjoint-converse :
forall* {N} {D} {M1} {M2} {SM1}
forall {SA:disjoint SM1 (map/+ N D M2)} {S1:shift N M1 SM1}
exists {A:disjoint M1 M2}
true.
- : shift-left-preserves-disjoint-converse _ shift/0 disjoint/L.
%% The shift fixes the head gap, so disjoint/>-inversion recovers the
%% residual disjointness proof for M1 against M2.
- : shift-left-preserves-disjoint-converse M111*M222 (shift/+ N2+1+N3=N1)
M311*M2
<- plus-swap-succ N2+1+N3=N1 N2+N3+1=N1
<- plus-commutative N2+N3+1=N1 N3+1+N2=N1
<- disjoint/>-inversion M111*M222 N3+1+N2=N1 M311*M2.
%worlds () (shift-left-preserves-disjoint-converse _ _ _).
%total { } (shift-left-preserves-disjoint-converse _ _ _).
%% Mirror image of shift-left-preserves-disjoint for the right map:
%% shifting M2 by N keeps it disjoint from M1 re-based under a head at N.
%theorem shift-right-preserves-disjoint :
forall* {N} {D} {M1} {M2} {SM2}
forall {A:disjoint M1 M2} {S2:shift N M2 SM2}
exists {SA:disjoint (map/+ N D M1) SM2}
true.
- : shift-right-preserves-disjoint _ shift/0 disjoint/R.
%% The shift's plus fact, re-associated, is the disjoint/< premise.
- : shift-right-preserves-disjoint M1*M222 (shift/+ N+1+N2=N2P)
(disjoint/< M1*M222 N2+1+N=N2P)
<- plus-swap-succ N+1+N2=N2P N+N2+1=N2P
<- plus-commutative N+N2+1=N2P N2+1+N=N2P.
%worlds () (shift-right-preserves-disjoint _ _ _).
%total { } (shift-right-preserves-disjoint _ _ _).
%% Converse of shift-right-preserves-disjoint, via disjoint/<-inversion.
%theorem shift-right-preserves-disjoint-converse :
forall* {N} {D} {M1} {M2} {SM2}
forall {SA:disjoint (map/+ N D M1) SM2} {S2:shift N M2 SM2}
exists {A:disjoint M1 M2}
true.
- : shift-right-preserves-disjoint-converse _ shift/0 disjoint/R.
- : shift-right-preserves-disjoint-converse M111*M322 (shift/+ N1+1+N2=N3)
M1*M222
<- plus-swap-succ N1+1+N2=N3 N1+N2+1=N3
<- plus-commutative N1+N2+1=N3 N2+1+N1=N3
<- disjoint/<-inversion M111*M322 N2+1+N1=N3 M1*M222.
%worlds () (shift-right-preserves-disjoint-converse _ _ _).
%total { } (shift-right-preserves-disjoint-converse _ _ _).
%% Shifting both maps by the same N preserves disjointness.  Only the head
%% gap changes (N4 = N+1+N1, N5 = N+1+N2); the gap between the two heads
%% (N0 or N3) and the residual proof are reused unchanged, because the
%% tails are stored relative to their heads and are not affected by a shift.
%theorem shift-preserves-disjoint :
forall* {N} {M1} {M2} {SM1} {SM2}
forall {A:disjoint M1 M2}
{S1:shift N M1 SM1} {S2:shift N M2 SM2}
exists {SA:disjoint SM1 SM2}
true.
%% Either side empty: shifting map/0 yields map/0, still trivially disjoint.
- : shift-preserves-disjoint _ shift/0 _ disjoint/L.
- : shift-preserves-disjoint _ _ shift/0 disjoint/R.
%% Left head below right head: N0+1+N1=N2 lifts to N0+1+N4=N5.
- : shift-preserves-disjoint (disjoint/< M1*M022 N0+1+N1=N2)
(shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5)
(disjoint/< M1*M022 N0+1+N4=N5)
<- plus-swap-succ N+1+N1=N4 N+N1+1=N4
<- plus-commutative N+N1+1=N4 N1+1+N=N4
<- plus-commutative N0+1+N1=N2 N1+N0+1=N2
<- plus-associative-converse* N1+N0+1=N2 N+1+N2=N5 N+1+N1=N4 N4+N0+1=N5
<- plus-commutative N4+N0+1=N5 N0+1+N4=N5.
%% Left head above right head: N3+1+N2=N1 lifts to N3+1+N5=N4.
- : shift-preserves-disjoint (disjoint/> M311*M2 N3+1+N2=N1)
(shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5)
(disjoint/> M311*M2 N3+1+N5=N4)
<- plus-swap-succ N+1+N2=N5 N+N2+1=N5
<- plus-commutative N+N2+1=N5 N2+1+N=N5
<- plus-commutative N3+1+N2=N1 N2+N3+1=N1
<- plus-associative-converse* N2+N3+1=N1 N+1+N1=N4 N+1+N2=N5 N5+N3+1=N4
<- plus-commutative N5+N3+1=N4 N3+1+N5=N4.
%worlds () (shift-preserves-disjoint _ _ _ _).
%total { } (shift-preserves-disjoint _ _ _ _).
%% Converse of shift-preserves-disjoint: disjointness of the two shifted
%% maps implies disjointness of the originals.  The head gap is recovered
%% by cancelling the common shift amount N from both sides.
%theorem shift-preserves-disjoint-converse :
forall* {N} {M1} {M2} {SM1} {SM2}
forall {SA:disjoint SM1 SM2}
{S1:shift N M1 SM1} {S2:shift N M2 SM2}
exists {A:disjoint M1 M2}
true.
- : shift-preserves-disjoint-converse _ shift/0 _ disjoint/L.
- : shift-preserves-disjoint-converse _ _ shift/0 disjoint/R.
%% Compute a candidate N2P with N0+1+N1=N2P, then show N2P = N2 by right
%% cancellation against the second shift.
- : shift-preserves-disjoint-converse (disjoint/< M1*M055 N0+1+N4=N5)
(shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5)
(disjoint/< M1*M055 N0+1+N1=N2)
<- plus-commutative N+1+N1=N4 N1+N+1=N4
<- plus-swap-succ-converse N1+N+1=N4 N1+1+N=N4
<- plus-associative-converse N1+N+1=N4 N0+1+N4=N5 N2P N0+1+N1=N2P N2P+N+1=N5
<- plus-commutative N+1+N2=N5 N2+N+1=N5
<- plus-right-cancels N2P+N+1=N5 N2+N+1=N5 nat`eq/ nat`eq/ N2P=N2
<- plus-respects-eq N0+1+N1=N2P nat`eq/ nat`eq/ N2P=N2 N0+1+N1=N2.
%% Symmetric case for disjoint/>.
- : shift-preserves-disjoint-converse (disjoint/> M611*M2 N6+1+N5=N4)
(shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5)
(disjoint/> M611*M2 N6+1+N2=N1)
<- plus-commutative N+1+N2=N5 N2+N+1=N5
<- plus-swap-succ-converse N2+N+1=N5 N2+1+N=N5
<- plus-associative-converse N2+N+1=N5 N6+1+N5=N4 N1P N6+1+N2=N1P N1P+N+1=N4
<- plus-commutative N+1+N1=N4 N1+N+1=N4
<- plus-right-cancels N1P+N+1=N4 N1+N+1=N4 nat`eq/ nat`eq/ N1P=N1
<- plus-respects-eq N6+1+N2=N1P nat`eq/ nat`eq/ N1P=N1 N6+1+N2=N1.
%worlds () (shift-preserves-disjoint-converse _ _ _ _).
%total { } (shift-preserves-disjoint-converse _ _ _ _).
%% Two singleton maps with different keys are disjoint.
%% NOTE(review): only the nat`ne/< case is visible here, and it is written
%% with two arguments (N1 N1>N2) whereas nat`ne/< is used with a single
%% argument elsewhere in this file (update-preserves-not-member).  Elsewhere
%% nat`ne also has a nat`ne/> constructor, so a second clause producing
%% disjoint/< would seem to be needed for %total coverage.  Confirm against
%% nat.elf and the original source before relying on this theorem.
%theorem ne-implies-disjoint :
forall* {N1} {D1} {N2} {D2}
forall {NE:nat`ne N1 N2}
exists {D:disjoint (map/+ N1 D1 map/0) (map/+ N2 D2 map/0)}
true.
%% N1 > N2: the gap N3 with N1 = N3+1+N2 is the disjoint/> premise and
%% disjoint/R discharges the empty right tail.
- : ne-implies-disjoint (nat`ne/< N1 N1>N2)
(disjoint/> disjoint/R N3+1+N2=N1)
<- gt-implies-plus N1>N2 _ N3+1+N2=N1.
%worlds () (ne-implies-disjoint _ _).
%total { } (ne-implies-disjoint _ _).
%%% Theorems about size
%% Ex falso for size: from void, any size judgement follows.  No clauses are
%% needed because void has no constructors; coverage is vacuous.
%theorem false-implies-size :
forall* {M} {N}
forall {F:void}
exists {SZ:size M N}
true.
%worlds () (false-implies-size _ _).
%total { } (false-implies-size _ _).
%% Every map has a size: structural recursion on the map, one size/+ per
%% map/+ cell.  The starred form takes M and N explicitly; the %abbrev
%% below hides them.
%theorem size-total* :
forall {M}
exists {N} {MX:size M N}
true.
- : size-total* map/0 _ size/0.
- : size-total* _ _ (size/+ SZ)
<- size-total* _ _ SZ.
%worlds () (size-total* _ _ _).
%total (M) (size-total* M _ _).
%abbrev size-total = size-total* _ _.
%% size is a function of the map: equal maps have equal sizes.  Both
%% derivations are taken apart in lock-step, which is sound because eq/
%% forces M1 and M2 to be syntactically the same term.
%theorem size-deterministic :
forall* {M1} {M2} {N1} {N2}
forall {SZ1:size M1 N1} {SZ2:size M2 N2} {EM:eq M1 M2}
exists {EN:nat`eq N1 N2}
true.
- : size-deterministic size/0 size/0 eq/ nat`eq/.
- : size-deterministic (size/+ N1=|M1|) (size/+ N2=|M2|) eq/ N1+1=N2+1
<- size-deterministic N1=|M1| N2=|M2| eq/ N1=N2
<- succ-deterministic N1=N2 N1+1=N2+1.
%worlds () (size-deterministic _ _ _ _).
%total (S) (size-deterministic S _ _ _).
%%% Theorems about bound
%% Ex falso for bound: vacuous coverage, no clauses.
%theorem false-implies-bound :
forall* {M} {N}
forall {F:void}
exists {MX:bound M N}
true.
%worlds () (false-implies-bound _ _).
%total { } (false-implies-bound _ _).
%% Every map has a bound.  bound/+ needs a plus derivation for the head gap
%% plus one plus the tail's bound, supplied by plus-total.
%theorem bound-total* :
forall {M}
exists {N} {MX:bound M N}
true.
- : bound-total* map/0 _ bound/0.
- : bound-total* _ _ (bound/+ P MX)
<- bound-total* _ _ MX
<- plus-total P.
%worlds () (bound-total* _ _ _).
%total (M) (bound-total* M _ _).
%abbrev bound-total = bound-total* _ _.
%% A key at or above a bound of the map is not a member.  As used here,
%% bound/+ M1+1+X1=X B says X = M1+1+X1 where M1 is the head key and X1
%% bounds the tail, so X strictly exceeds every key of the map.
%theorem ge-bound-implies-not-member :
forall* {M} {X} {N}
forall {B:bound M X} {G:nat`ge N X}
exists {F:not-member M N}
true.
- : ge-bound-implies-not-member bound/0 _ not-member/0.
%% N >= X = M1+1+X1, so N is past the head; express N relative to the head
%% (N = N1 + 1 + M1) and recurse with N1 >= X1 on the tail.
- : ge-bound-implies-not-member (bound/+ M1+1+X1=X B) N>=X (not-member/> F1 N1+1+M1=N)
<- nat`ge-implies-plus N>=X Y1 Y1+X=N
<- nat`plus-commutative M1+1+X1=X X1+M1+1=X
<- nat`plus-associative-converse X1+M1+1=X Y1+X=N N1 Y1+X1=N1 N1+M1+1=N
<- plus-swap-succ-converse N1+M1+1=N N1+1+M1=N
<- plus-implies-ge Y1+X1=N1 N1>=X1
<- ge-bound-implies-not-member B N1>=X1 F1.
%worlds () (ge-bound-implies-not-member _ _ _).
%total (B) (ge-bound-implies-not-member B _ _).
%%% Theorems about shift
%% Ex falso for shift: vacuous coverage, no clauses.
%theorem false-implies-shift :
forall* {M} {N} {M'}
forall {F:void}
exists {S:shift N M M'}
true.
%worlds () (false-implies-shift _ _).
%total { } (false-implies-shift _ _).
%% shift respects equality in all three positions.  Since eq and nat`eq
%% each have only the reflexive constructor, matching on them unifies the
%% primed and unprimed arguments and the original derivation is returned.
%theorem shift-respects-eq :
forall* {N} {M1} {M2} {N'} {M1'} {M2'}
forall {S:shift N M1 M2}
{EN:nat`eq N N'} {E1:eq M1 M1'} {E2:eq M2 M2'}
exists {S':shift N' M1' M2'}
true.
- : shift-respects-eq S nat`eq/ eq/ eq/ S.
%worlds () (shift-respects-eq _ _ _ _ _).
%total { } (shift-respects-eq _ _ _ _ _).
%% Any map can be shifted by any amount.  Because the tail is stored
%% relative to the head, a shift only adds N1+1 to the head key (plus
%% (s N1) N2 N3) and leaves the tail M untouched; no recursion is needed.
%theorem shift-total* :
forall {N} {M1}
exists {M2} {S:shift N M1 M2}
true.
- : shift-total* N map/0 map/0 shift/0.
- : shift-total* N1 (map/+ N2 D M) (map/+ N3 D M) (shift/+ N1+1+N2=N3)
<- plus-total N1+1+N2=N3.
%worlds () (shift-total* _ _ _ _).
%total { } (shift-total* _ _ _ _).
%abbrev shift-total = shift-total* _ _ _.
%% shift is a function of (N, M1): equal inputs give equal results.  The
%% only freedom is the head key, fixed by plus-deterministic; the tails are
%% already syntactically equal.
%theorem shift-deterministic :
forall* {N} {M1} {M2} {N'} {M1'} {M2'}
forall {S:shift N M1 M2} {S':shift N' M1' M2'}
{EN:nat`eq N N'} {EM1:eq M1 M1'}
exists {EM2:eq M2 M2'}
true.
- : shift-deterministic shift/0 shift/0 nat`eq/ eq/ eq/.
- : shift-deterministic (shift/+ N1+1+N2=N3) (shift/+ N1+1+N2=N3') nat`eq/ eq/ E
<- plus-deterministic N1+1+N2=N3 N1+1+N2=N3' nat`eq/ nat`eq/ N3=N3P
<- map/+-preserves-eq N3=N3P unit`eq/ eq/ E.
%worlds () (shift-deterministic _ _ _ _ _).
%total { } (shift-deterministic _ _ _ _ _).
%% Shifts compose: shifting by N1 and then by N2 equals a single shift by
%% N3 where N3 = (s N1) + N2.  The extra successor is because a shift by N
%% moves keys by N+1 (see shift/+), so (N1+1)+(N2+1) = N3+1.
%theorem shifts-add :
forall* {N1} {N2} {N3} {M0} {M1} {M3}
forall {S1:shift N1 M0 M1} {S2:shift N2 M1 M3} {P:plus (s N1) N2 N3}
exists {S3:shift N3 M0 M3}
true.
- : shifts-add shift/0 shift/0 _ shift/0.
%% Build the combined plus fact N3+1+N4=N7' from scratch, show its result
%% equals the two-step result N7 by associativity and determinism, then
%% transport it to N7.
- : shifts-add (shift/+ N1+1+N4=N5) (shift/+ N2+1+N5=N7) N1+1+N2=N3
(shift/+ N3+1+N4=N7)
<- plus-total N3+1+N4=N7'
<- plus-swap-succ N3+1+N4=N7' N3+N4+1=N7'
<- plus-swap-succ N1+1+N2=N3 N1+N2+1=N3
<- plus-swap-succ N1+1+N4=N5 N1+N4+1=N5
<- plus-commutative N1+N2+1=N3 N2+1+N1=N3
<- plus-associative* N2+1+N1=N3 N3+N4+1=N7' N1+N4+1=N5 N2+1+N5=N7'
<- plus-deterministic N2+1+N5=N7' N2+1+N5=N7 nat`eq/ nat`eq/ N7'=N7
<- plus-respects-eq N3+1+N4=N7' nat`eq/ nat`eq/ N7'=N7 N3+1+N4=N7.
%worlds () (shifts-add _ _ _ _).
%total { } (shifts-add _ _ _ _).
%% Converse of shifts-add: a shift by N3 = (s N1)+N2 can be split into a
%% shift by N1 followed by a shift by N2.  Both component shifts are
%% constructed by totality, composed with shifts-add, and the result is
%% identified with the given M3 by shift-deterministic.
%theorem shifts-add-converse :
forall* {N1} {N2} {N3} {M0} {M3}
forall {S3:shift N3 M0 M3} {P:plus (s N1) N2 N3}
exists {M1} {S1:shift N1 M0 M1} {S2:shift N2 M1 M3}
true.
- : shifts-add-converse S3 P M1 S1 S2
<- shift-total S1
<- shift-total S2'
<- shifts-add S1 S2' P S3'
<- shift-deterministic S3' S3 nat`eq/ eq/ M3'=M3
<- shift-respects-eq S2' nat`eq/ eq/ M3'=M3 S2.
%worlds () (shifts-add-converse _ _ _ _ _).
%total { } (shifts-add-converse _ _ _ _ _).
%% A key N1 present in M1 is present in the shifted map at N2 = N0+1+N1,
%% with the same datum.  Only the head gap is rewritten; the inner lookup L
%% and its gap N3 are reused because the tail is unchanged by a shift.
%theorem shift-preserves-lookup :
forall* {M1} {N1} {D} {N0} {M2}
forall {L1:lookup M1 N1 D} {S:shift N0 M1 M2}
exists {N2} {P:plus (s N0) N1 N2} {L2:lookup M2 N2 D}
true.
%% Lookup at the head: the shift's own plus fact is the answer.
- : shift-preserves-lookup (lookup/= nat`eq/) (shift/+ N0+1+N1=N2) _
N0+1+N1=N2 (lookup/= nat`eq/).
%% Lookup past the head: N4 = N3+1+N1 becomes N5 = N3+1+N2.
- : shift-preserves-lookup (lookup/> L N3+1+N1=N4) (shift/+ N0+1+N1=N2) _
N0+1+N4=N5 (lookup/> L N3+1+N2=N5)
<- plus-total N0+1+N4=N5
<- plus-commutative N3+1+N1=N4 N1+N3+1=N4
<- plus-associative-converse* N1+N3+1=N4 N0+1+N4=N5 N0+1+N1=N2 N2+N3+1=N5
<- plus-commutative N2+N3+1=N5 N3+1+N2=N5.
%worlds () (shift-preserves-lookup _ _ _ _ _).
%total { } (shift-preserves-lookup _ _ _ _ _).
%% Variant of shift-preserves-lookup where the target key N2 is given
%% (with its plus derivation) rather than produced.  The produced key is
%% identified with N2 by plus-deterministic and the lookup transported.
%theorem shift-preserves-lookup* :
forall* {M1} {N1} {D} {N0} {M2} {N2}
forall {L1:lookup M1 N1 D} {S:shift N0 M1 M2}
{P:plus (s N0) N1 N2}
exists {L2:lookup M2 N2 D}
true.
- : shift-preserves-lookup* L1 S P L2
<- shift-preserves-lookup L1 S _ P' L2'
<- plus-deterministic P' P nat`eq/ nat`eq/ N2'=N2
<- lookup-respects-eq L2' eq/ N2'=N2 unit`eq/ L2.
%worlds () (shift-preserves-lookup* _ _ _ _).
%total { } (shift-preserves-lookup* _ _ _ _).
%% Converse of shift-preserves-lookup: a key N2 found in the shifted map
%% came from a key N1 of the original with N2 = N0+1+N1.  A shift adds at
%% least one to every key, so nothing below N0+1 can be found in M2.
%theorem shift-preserves-lookup-converse :
forall* {M1} {N0} {D} {N2} {M2}
forall {L2:lookup M2 N2 D} {S:shift N0 M1 M2}
exists {N1} {P:plus (s N0) N1 N2} {L1:lookup M1 N1 D}
true.
- : shift-preserves-lookup-converse (lookup/= nat`eq/) (shift/+ N0+1+N1=N2) _
N0+1+N1=N2 (lookup/= nat`eq/).
%% Past the head: recover the original absolute key N4 by re-associating
%% N5 = N3+1+(N0+1+N1) as (N3+1+N1) + N0 + 1.
- : shift-preserves-lookup-converse (lookup/> L N3+1+N2=N5) (shift/+ N0+1+N1=N2)
_ N0+1+N4=N5 (lookup/> L N3+1+N1=N4)
<- plus-commutative N0+1+N1=N2 N1+N0+1=N2
<- plus-associative-converse N1+N0+1=N2 N3+1+N2=N5 N4 N3+1+N1=N4 N4+N0+1=N5
<- plus-commutative N4+N0+1=N5 N0+1+N4=N5.
%worlds () (shift-preserves-lookup-converse _ _ _ _ _).
%total { } (shift-preserves-lookup-converse _ _ _ _ _).
%% Variant of shift-preserves-lookup-converse with N1 given: the produced
%% key is identified with N1 by cancelling the shift amount on the left.
%theorem shift-preserves-lookup-converse* :
forall* {M1} {N1} {D} {N2} {M2} {N0}
forall {L2:lookup M2 N2 D} {S:shift N0 M1 M2}
{P:plus (s N0) N1 N2}
exists {L1:lookup M1 N1 D}
true.
- : shift-preserves-lookup-converse* L2 S P L1
<- shift-preserves-lookup-converse L2 S _ P' L1'
<- plus-left-cancels P' P nat`eq/ nat`eq/ N1'=N1
<- lookup-respects-eq L1' eq/ N1'=N1 unit`eq/ L1.
%worlds () (shift-preserves-lookup-converse* _ _ _ _).
%total { } (shift-preserves-lookup-converse* _ _ _ _).
%% shift commutes with update: updating M1 at N1 and then shifting gives
%% the same map as shifting M1 and then updating at N2 = N0+1+N1.  The
%% theorem produces all four witnesses (N2, the shifted result, the shift
%% of the updated map, and the update of the shifted map).
%theorem shift-preserves-update :
forall* {M1} {N1} {D} {M1'} {N0} {M2}
forall {U1:update M1 N1 D M1'}
{S:shift N0 M1 M2}
exists {N2} {M2'}
{P:plus (s N0) N1 N2}
{SS:shift N0 M1' M2'}
{U2:update M2 N2 D M2'}
true.
%% Inserting into map/0 yields a singleton; shifting it is just a shift of
%% the new head, and the same insertion into map/0 at N2 gives that map.
- : shift-preserves-update update/0 shift/0 _ _ P (shift/+ P) update/0
<- plus-total P.
%% Overwrite at the head: the shift's plus fact serves for every role.
- : shift-preserves-update (update/= nat`eq/) (shift/+ P) _ _ P (shift/+ P)
(update/= nat`eq/).
%% Insert a new head below the old one (update/<): the new head N1 shifts
%% to N2, and the old head keeps gap N4 from it.
- : shift-preserves-update (update/< N4+1+N1=N3) (shift/+ N0+1+N3=N5) _ _
N0+1+N1=N2 (shift/+ N0+1+N1=N2)
(update/< N4+1+N2=N5)
<- plus-commutative N4+1+N1=N3 N1+N4+1=N3
<- plus-associative-converse N1+N4+1=N3 N0+1+N3=N5 _ N0+1+N1=N2 N2+N4+1=N5
<- plus-commutative N2+N4+1=N5 N4+1+N2=N5.
%% Update in the tail (update/>): the tail update U is unchanged because
%% the shift only touches the head; only the gap from the new head to the
%% update key is recomputed.
- : shift-preserves-update (update/> U N4+1+N3=N1) (shift/+ N0+1+N3=N5) _ _
N0+1+N1=N2 (shift/+ N0+1+N3=N5)
(update/> U N4+1+N5=N2)
<- plus-total N0+1+N1=N2
<- plus-commutative N4+1+N3=N1 N3+N4+1=N1
<- plus-associative-converse* N3+N4+1=N1 N0+1+N1=N2 N0+1+N3=N5 N5+N4+1=N2
<- plus-commutative N5+N4+1=N2 N4+1+N5=N2.
%worlds () (shift-preserves-update _ _ _ _ _ _ _).
%total { } (shift-preserves-update _ _ _ _ _ _ _).
%% Shifting does not change the number of entries: the shifted map has the
%% same tail, so the tail's size derivation is reused verbatim.
%theorem shift-preserves-size :
forall* {M} {N1} {N2} {S2M}
forall {SZ:size M N1} {SH:shift N2 M S2M}
exists {SHSZ:size S2M N1}
true.
- : shift-preserves-size size/0 shift/0 size/0.
- : shift-preserves-size (size/+ SZ) (shift/+ _) (size/+ SZ).
%worlds () (shift-preserves-size _ _ _).
%total { } (shift-preserves-size _ _ _).
%%% Theorems about disjoint?
%% Decidability of disjointness: for any two maps there is a boolean B and
%% a derivation of disjoint? M1 M2 B.  A /yes answer carries a disjoint
%% proof; a /no answer carries two lookups of one common key.
%%
%% The proof is split into four mutually recursive lemmas:
%%   disjoint?-total*    top level; handles an empty side, otherwise
%%                       computes sizes and a key comparison and defers
%%                       to disjoint?-total*/+.
%%   disjoint?-total*/+  both sides non-empty; dispatches on the
%%                       comparison of the two head keys.  Sizes S1, S2
%%                       are carried only as the termination measure
%%                       (lexicographic [S1 S2]), since each step strips
%%                       one head from one side.
%%   disjoint?-total*/<  left head below right head: lifts the answer
%%                       for (M1, right map re-based under a head at N0)
%%                       to the full maps.
%%   disjoint?-total*/>  symmetric, right head below left head.
%theorem disjoint?-total* :
forall {M1} {M2}
exists {B} {D:disjoint? M1 M2 B}
true.
- : disjoint?-total* _ _ _ (disjoint?/yes disjoint/L).
- : disjoint?-total* _ _ _ (disjoint?/yes disjoint/R).
%theorem disjoint?-total*/+ :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {C}
forall {S1} {S2} {SZ1:size M1 S1} {SZ2:size M2 S2} {CMP:nat`compare N1 N2 C}
exists {B} {D:disjoint? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B}
true.
%theorem disjoint?-total*/< :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0} {B1}
forall {P:plus (s N0) N1 N2}
{D?1:disjoint? M1 (map/+ N0 D2 M2) B1}
exists {B} {D:disjoint? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B}
true.
%theorem disjoint?-total*/> :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {B1}
forall {P:plus (s N3) N2 N1}
{D?1:disjoint? (map/+ N3 D1 M1) M2 B1}
exists {B} {D:disjoint? (map/+ N1 D1 M1) (map/+ N2 D2 M2) B}
true.
%% Both sides non-empty (the two clauses above cover an empty side).
- : disjoint?-total* _ _ _ D?
<- size-total SZ1
<- size-total SZ2
<- nat`compare-total CMP
<- disjoint?-total*/+ _ _ SZ1 SZ2 CMP _ D?.
%% Equal head keys: the heads themselves are the shared key.
- : disjoint?-total*/+ _ _ _ _ (nat`compare/=) _
(disjoint?/no (lookup/= nat`eq/) (lookup/= nat`eq/)).
%% Left head below right head, left tail empty: the re-based right map is
%% trivially disjoint from map/0.
- : disjoint?-total*/+ _ _ _ _ (nat`compare/< N2>N1) _ D?
<- gt-implies-plus N2>N1 _ N0+1+N1=N2
<- disjoint?-total*/< N0+1+N1=N2 (disjoint?/yes disjoint/L) _ D?.
%% Left head below right head, left tail non-empty: recurse on the left
%% tail against the right map re-based under a head at N0 (size S1
%% decreases), then lift.
- : disjoint?-total*/+ _ _ (size/+ SZ1) SZ2 (nat`compare/< N2>N1) _ D?
<- gt-implies-plus N2>N1 _ N0+1+N1=N2
<- nat`compare-total CMP
<- disjoint?-total*/+ _ _ SZ1 SZ2 CMP _ D?1
<- disjoint?-total*/< N0+1+N1=N2 D?1 _ D?.
%% Lifting a /yes answer is just disjoint/<.
- : disjoint?-total*/< N0+1+N1=N2 (disjoint?/yes M1*M022) _
(disjoint?/yes (disjoint/< M1*M022 N0+1+N1=N2)).
%% Lifting a /no answer: the shared key N3 (relative to the left tail) is
%% at N4 = N3+1+N1 in the full left map; the lookup in the re-based right
%% map is moved to the real right map by viewing the re-basing as a shift
%% by N1 and applying shift-preserves-lookup*.
- : disjoint?-total*/< N0+1+N1=N2 (disjoint?/no M1^N3=D1 M022^N3=D2) _
(disjoint?/no (lookup/> M1^N3=D1 N3+1+N1=N4) M222^N4=D2)
<- plus-total N3+1+N1=N4
<- plus-swap-succ N3+1+N1=N4 N3+N1+1=N4
<- plus-commutative N3+N1+1=N4 N1+1+N3=N4
<- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- plus-commutative N0+N1+1=N2 N1+1+N0=N2
<- shift-preserves-lookup* M022^N3=D2 (shift/+ N1+1+N0=N2) N1+1+N3=N4
M222^N4=D2.
%worlds () (disjoint?-total*/< _ _ _ _).
%total { } (disjoint?-total*/< _ _ _ _).
%% Right head below left head, right tail empty.
- : disjoint?-total*/+ _ _ _ _ (nat`compare/> N1>N2) _ D?
<- gt-implies-plus N1>N2 _ N3+1+N2=N1
<- disjoint?-total*/> N3+1+N2=N1 (disjoint?/yes disjoint/R) _ D?.
%% Right head below left head, right tail non-empty: recurse with S2
%% decreasing, then lift.
- : disjoint?-total*/+ _ _ SZ1 (size/+ SZ2) (nat`compare/> N1>N2) _ D?
<- gt-implies-plus N1>N2 _ N3+1+N2=N1
<- nat`compare-total CMP
<- disjoint?-total*/+ _ _ SZ1 SZ2 CMP _ D?1
<- disjoint?-total*/> N3+1+N2=N1 D?1 _ D?.
- : disjoint?-total*/> P (disjoint?/yes D) _ (disjoint?/yes (disjoint/> D P)).
%% Symmetric to the /< /no case: move the left lookup from the re-based
%% left map to the real one via a shift by N2.
- : disjoint?-total*/> N3+1+N2=N1 (disjoint?/no M311^N4=D1 M2^N4=D2) _
(disjoint?/no M111^N5=D1 (lookup/> M2^N4=D2 N4+1+N2=N5))
<- plus-total N4+1+N2=N5
<- plus-swap-succ N4+1+N2=N5 N4+N2+1=N5
<- plus-commutative N4+N2+1=N5 N2+1+N4=N5
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-commutative N3+N2+1=N1 N2+1+N3=N1
<- shift-preserves-lookup* M311^N4=D1 (shift/+ N2+1+N3=N1) N2+1+N4=N5
M111^N5=D1.
%worlds () (disjoint?-total*/> _ _ _ _).
%total { } (disjoint?-total*/> _ _ _ _).
%worlds () (disjoint?-total*/+ _ _ _ _ _ _ _).
%total [S1 S2] (disjoint?-total*/+ S1 S2 _ _ _ _ _).
%worlds () (disjoint?-total* _ _ _ _).
%total { } (disjoint?-total* _ _ _ _).
%abbrev disjoint?-total = disjoint?-total* _ _ _.
%%% Theorems about update
%% Ex falso for update: vacuous coverage, no clauses.
%theorem false-implies-update :
forall* {M} {N} {D} {M'}
forall {F:void}
exists {U:update M N D M'}
true.
%worlds () (false-implies-update _ %{=>}% M^N=D->M').
%total {} (false-implies-update _ _).
%% update respects equality in every position.  The %reduces declaration
%% records that the output derivation is the input derivation itself, so
%% callers may use this as a rewrite without losing termination measures.
%theorem update-respects-eq :
forall* {M1} {N} {D} {M2} {M1P} {NP} {DP} {M2P}
forall {U:update M1 N D M2} {EM1:eq M1 M1P}
{EN:nat`eq N NP} {ED:unit`eq D DP} {EM2:eq M2 M2P}
exists {UP:update M1P NP DP M2P}
true.
- : update-respects-eq U eq/ nat`eq/ unit`eq/ eq/ U.
%worlds () (update-respects-eq M1^N=D->M2 M1=M1' N=N' D=D' M2=M2'
%{=>}% M1'^N'=D'->M2').
%total {} (update-respects-eq _ _ _ _ _ _).
%reduces U = U' (update-respects-eq U _ _ _ _ U').
%%% technical lemmas to help prove reduction arguments
%% Syntactic equality of two update derivations (all indices explicit so
%% that both derivations can be mentioned in one type).  Its only
%% constructor is reflexivity; it exists so that the vacuous cases of
%% update/>-inversion can still discharge a %reduces obligation.
update-eq : {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'}
update M1 N1 D1 M1' -> update M2 N2 D2 M2' -> type.
update-eq/ : update-eq M1 N1 D1 M1' M1 N1 D1 M1' U U.
%% Ex falso for update-eq: any two update derivations are "equal" under a
%% contradictory assumption.  Vacuous coverage, no clauses.
%theorem false-implies-update-eq :
forall* {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'} {U} {U'}
forall {F:void}
exists {UE:update-eq M1 N1 D1 M1' M2 N2 D2 M2' U U'}
true.
%worlds () (false-implies-update-eq _ _).
%total { } (false-implies-update-eq _ _).
%% Turns an update-eq derivation into a %reduces fact U = U'.  Matching on
%% update-eq/ unifies U and U', which is what lets Twelf accept the
%% reduction; the theorem has no output, it exists only for its %reduces.
%theorem meta-update-eq :
forall* {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'}
forall {U} {U'} {UE:update-eq M1 N1 D1 M1' M2 N2 D2 M2' U U'}
true.
- : meta-update-eq U U (update-eq/).
%worlds () (meta-update-eq _ _ _).
%total { } (meta-update-eq _ _ _).
%reduces U = U' (meta-update-eq U U' _).
%%% inversion lemmas
%% Inversion for an update whose key equals the head key: the result must
%% be the head overwritten in place.  The update/< and update/> cases are
%% impossible because they require a strictly positive gap between N and
%% itself.
%theorem update/=-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2}
forall {U:update (map/+ N1 D1 M1) N2 D2 M2} {E:nat`eq N1 N2}
exists {EM:eq (map/+ N2 D2 M1) M2}
true.
- : update/=-inversion (update/= nat`eq/) nat`eq/ eq/.
- : update/=-inversion (update/< N3+1+N=N) nat`eq/ E
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : update/=-inversion (update/> U1022 N3+1+N=N) nat`eq/ E
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- false-implies-eq F E.
%worlds () (update/=-inversion _ _ _).
%total { } (update/=-inversion _ _ _).
%% Inversion for an update whose key N2 lies below the head key N1 (with
%% gap N3): the result must be a new head N2 in front of the old map,
%% whose head key is now stored as the gap N3.  The other two update
%% constructors contradict the ordering hypothesis.
%theorem update/<-inversion:
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3}
forall {U:update (map/+ N1 D1 M1) N2 D2 M2} {P:plus (s N3) N2 N1}
exists {E:eq (map/+ N2 D2 (map/+ N3 D1 M1)) M2}
true.
- : update/<-inversion (update/= nat`eq/) N3+1+N=N E
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- false-implies-eq F E.
%% The update's own gap N3P must equal the hypothesis gap N3, by right
%% cancellation of N2 and of the successor.
- : update/<-inversion (update/< N3+1+N2=N1) N3P+1+N2=N1 E
<- nat`plus-right-cancels N3P+1+N2=N1 N3+1+N2=N1 nat`eq/ nat`eq/ N3P+1=N3+1
<- nat`succ-cancels N3P+1=N3+1 N3P=N3
<- map/+-preserves-eq N3P=N3 unit`eq/ eq/ M311P=M311
<- map/+-preserves-eq nat`eq/ unit`eq/ M311P=M311 E.
- : update/<-inversion (update/> _ N0+1+N1=N2) N3+1+N2=N1 E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F E.
%worlds () (update/<-inversion _ _ _).
%total { } (update/<-inversion _ _ _).
%% Inversion for an update whose key N2 lies above the head key N1 (with
%% gap N0): the update must have gone into the tail at relative key N0,
%% and the result keeps the original head.  The tail update UP is
%% returned so callers can recurse on it, and %reduces U' < U records that
%% it is structurally smaller than U.
%% The two impossible cases are more complex than might be expected
%% because the %reduces obligation must hold in them too: after deriving
%% void, U' is conjured by ex falso, and update-eq / meta-update-eq are
%% used to convince Twelf that (update/> U' _) is the input derivation.
- : update/>-inversion (update/= nat`eq/: update (map/+ N D1 M1) N D2
(map/+ N D2 M1))
N0+1+N=N M1 U' E
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E
<- false-implies-update F U'
<- false-implies-update-eq F
(UE:update-eq (map/+ N D1 M1) N D2 (map/+ N D2 M1)
(map/+ N D1 M1) N D2 (map/+ N D1 M1) _ _)
<- meta-update-eq (update/= nat`eq/) (update/> U' N0+1+N=N) UE.
- : update/>-inversion (update/< N3+1+N2=N1: update (map/+ N1 D1 M1) _ _ _)
N0+1+N1=N2 M1 U' E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-update F U'
<- false-implies-eq F E
<- false-implies-update-eq F
(UE:update-eq (map/+ N1 D1 M1) N2 D2 (map/+ N2 D2 (map/+ N3 D1 M1))
(map/+ N1 D1 M1) N2 D2 (map/+ N1 D1 M1) _ _)
<- meta-update-eq (update/< N3+1+N2=N1) (update/> U' N0+1+N1=N2) UE.
%% The real case: the update's gap N0 equals the hypothesis gap N0P, so
%% the tail update is transported to key N0P.
- : update/>-inversion (update/> U N0+1+N1=N2) N0P+1+N1=N2 _ UP eq/
<- nat`plus-right-cancels N0+1+N1=N2 N0P+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0P+1
<- nat`succ-cancels N0+1=N0P+1 N0=N0P
<- update-respects-eq U eq/ N0=N0P unit`eq/ eq/ UP.
%worlds () (update/>-inversion _ _ _ _ _).
%total { } (update/>-inversion _ _ _ _ _).
%reduces U' < U (update/>-inversion U _ _ U' _).
%% update is a function of (M, N, D): two updates of equal maps at equal
%% keys with equal data yield equal results.  The four matching-constructor
%% cases do the real work; the six mixed-constructor cases are impossible
%% because each pair of constructors makes contradictory claims about the
%% order of the update key and the head key.
%theorem update-deterministic :
forall* {M1} {N1} {D1} {M1'} {M2} {N2} {D2} {M2'}
forall {U1:update M1 N1 D1 M1'} {U2:update M2 N2 D2 M2'}
{EM:eq M1 M2} {EN:nat`eq N1 N2} {ED:unit`eq D1 D2}
exists {EM':eq M1' M2'}
true.
- : update-deterministic update/0 update/0 eq/ nat`eq/ unit`eq/ eq/.
- : update-deterministic (update/= nat`eq/) (update/= nat`eq/) eq/ nat`eq/ unit`eq/ eq/.
%% Both insert a new head: the stored gaps N3 and N3' must agree.
- : update-deterministic (update/< N3+1+N2=N1) (update/< N3'+1+N2=N1)
eq/ nat`eq/ unit`eq/ M1'=M2'
<- plus-right-cancels N3+1+N2=N1 N3'+1+N2=N1 nat`eq/ nat`eq/ SN3=SN3'
<- succ-cancels SN3=SN3' N3E
<- map/+-preserves-eq N3E unit`eq/ eq/ MM1=MM2
<- map/+-preserves-eq nat`eq/ unit`eq/ MM1=MM2 M1'=M2'.
%% Both update the tail: the relative keys N0 and N0' must agree, then
%% recurse on the tail updates.
- : update-deterministic (update/> F1^N0=D2->F2 N0+1+N1=N2)
(update/> F1^N0'=D2->F2' N0'+1+N1=N2)
eq/ nat`eq/ unit`eq/ M1'=M2'
<- plus-right-cancels N0+1+N1=N2 N0'+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0'+1
<- succ-cancels N0+1=N0'+1 N0=N0'
<- update-deterministic F1^N0=D2->F2 F1^N0'=D2->F2' eq/ N0=N0'
unit`eq/ F2=F2'
<- map/+-preserves-eq nat`eq/ unit`eq/ F2=F2' M1'=M2'.
%% contradiction cases: mixed constructors imply N > N, or N1 > N2 and
%% N2 > N1 at once.
- : update-deterministic (update/= nat`eq/) (update/< N3+1+N=N) eq/ nat`eq/ unit`eq/ E
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : update-deterministic (update/= nat`eq/) (update/> _ N0+1+N=N) eq/ nat`eq/ unit`eq/ E
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : update-deterministic (update/< N3+1+N=N) (update/= nat`eq/) eq/ nat`eq/ unit`eq/ E
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : update-deterministic (update/< N3+1+N2=N1) (update/> _ N0+1+N1=N2)
eq/ nat`eq/ unit`eq/ E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F E.
- : update-deterministic (update/> _ N0+1+N=N) (update/= nat`eq/) eq/ nat`eq/ unit`eq/ E
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : update-deterministic (update/> _ N0+1+N1=N2) (update/< N3+1+N2=N1)
eq/ nat`eq/ unit`eq/ E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F E.
%worlds () (update-deterministic M1^N1=D1->M1' M2^N2=D2->M2' M1=M2 N1=N2 D1=D2
%{=>}% M1'=M2').
%total (U) (update-deterministic U _ _ _ _ _).
%% Every map can be updated at every key: existence of update.  The
%% non-empty case needs a three-way comparison of the new key with the
%% head key, so it is factored into a mutually recursive lemma that takes
%% the comparison result.  Termination is on the map (M1 in update-total*,
%% the tail M2 in the helper), which shrinks across each round trip.
%theorem update-total* :
forall {M} {N} {D}
exists {M'} {U:update M N D M'}
true.
%% we need a mutually recursive lemma to dispatch on the comparison
%theorem update-map/+-total :
forall {N1} {D1} {M1} {N2} {D2} {C} {CMP:nat`compare N1 N2 C}
exists {M2} {U:update (map/+ N1 D1 M1) N2 D2 M2}
true.
%% Empty map: the result is the singleton at N.
- : update-total* map/0 N D (map/+ N D map/0) update/0.
- : update-total* (map/+ N1 D1 M1) N2 D2 M2 U
<- nat`compare-total* N1 N2 C CMP
<- update-map/+-total N1 D1 M1 N2 D2 C CMP M2 U.
%% Equal keys: overwrite the head datum in place.
- : update-map/+-total N1 D1 M1 N2 D2 equal CMP (map/+ N2 D2 M1) (update/= N1=N2)
<- equal-implies-eq CMP N1=N2.
%% Head key below the new key: update the tail at the relative key N0.
- : update-map/+-total N1 D1 M1 N2 D2 less CMP (map/+ N1 D1 M1')
(update/> U1 N0+1+N1=N2)
<- less-implies-lt CMP N2>N1
<- gt-implies-plus N2>N1 N0 N0+1+N1=N2
<- update-total* M1 N0 D2 M1' U1.
%% Head key above the new key: insert a new head at N2; the old head key
%% becomes the gap N3.
- : update-map/+-total N1 D1 M1 N2 D2 greater CMP (map/+ N2 D2 (map/+ N3 D1 M1))
(update/< N3+1+N2=N1)
<- greater-implies-gt CMP N1>N2
<- gt-implies-plus N1>N2 N3 N3+1+N2=N1.
%worlds () (update-total* M N D %{=>}% M' M^N=D->M')
(update-map/+-total _ _ _ _ _ _ _ _ _).
%total (M1 M2) (update-total* M1 _ _ _ _) (update-map/+-total _ _ M2 _ _ _ _ _ _).
%abbrev update-total = update-total* _ _ _ _.
%% Writing back a value that is already present is the identity update:
%% a lookup of (N, D) in F gives an update of F at N with D yielding F.
%% The lookup and update derivations have the same shape, so the lookup
%% is simply re-tagged constructor by constructor.
%theorem lookup-implies-update :
forall* {F} {N} {D}
forall {L:lookup F N D}
exists {U:update F N D F}
true.
- : lookup-implies-update (lookup/= nat`eq/) (update/= nat`eq/).
- : lookup-implies-update (lookup/> L P) (update/> U P)
<- lookup-implies-update L U.
%worlds () (lookup-implies-update _ _).
%total (L) (lookup-implies-update L _).
%% After an update at N with D, looking up N yields D.  In the update/0,
%% update/= and update/< cases the written key is the new head, so the
%% lookup is immediate; in update/> it is found by recursing into the tail.
%theorem update-implies-lookup :
forall* {F} {N} {D} {F'}
forall {U:update F N D F'}
exists {L:lookup F' N D}
true.
- : update-implies-lookup update/0 (lookup/= nat`eq/).
- : update-implies-lookup (update/= nat`eq/) (lookup/= nat`eq/).
- : update-implies-lookup (update/< _) (lookup/= nat`eq/).
- : update-implies-lookup (update/> F^N0=D2->F' N0+1+N1=N2)
(lookup/> F'^N0=D2 N0+1+N1=N2)
<- update-implies-lookup F^N0=D2->F' F'^N0=D2.
%worlds () (update-implies-lookup F^N=D->F' %{=>}% F'^N=D).
%total (U) (update-implies-lookup U _).
%% Frame property for lookups: an entry at a key N2 other than the updated
%% key N1 is still present, with the same datum, after the update.
%theorem update-preserves-lookup :
forall* {F} {N1} {D1} {F'} {N2} {D2}
forall {L:lookup F N2 D2} {U:update F N1 D1 F'} {X:nat`ne N2 N1}
exists {L':lookup F' N2 D2}
true.
%% update/0 is impossible: there is no lookup derivation for map/0
%% (lookup has only the /= and /> constructors), so no clause is needed.
%% Both at the head: contradicts N2 <> N1.
- : update-preserves-lookup (lookup/= nat`eq/) (update/= nat`eq/) N<>N L'
<- nat`ne-anti-reflexive N<>N FALSE
<- false-implies-lookup FALSE L'.
%% Head overwritten, lookup in the tail: the tail is untouched.
- : update-preserves-lookup (lookup/> L1 P1) (update/= nat`eq/) _ (lookup/> L1 P1).
%% New head inserted below, lookup was at the old head: the old head is
%% now one gap (N3) past the new head.
- : update-preserves-lookup (lookup/= nat`eq/) (update/< N3+1+N2=N1) _
(lookup/> (lookup/= nat`eq/) N3+1+N2=N1).
%% New head inserted below, lookup was in the tail: the looked-up key now
%% sits two gaps in (N0 past the old head, which is N3 past the new head),
%% so the absolute position N2' is re-associated as N4 + 1 + N2.
- : update-preserves-lookup (lookup/> L N0+1+N1=N2') (update/< N3+1+N2=N1) _
(lookup/> (lookup/> L N0+1+N3=N4)
N4+1+N2=N2')
<- plus-left-decrease N3+1+N2=N1 N1-1 N1=N1-1+1 N3+N2=N1-1
<- plus-right-increase N3+N2=N1-1 N3+N2+1=N1-1+1
<- nat`eq-symmetric N1=N1-1+1 N1-1+1=N1
<- plus-respects-eq N3+N2+1=N1-1+1 nat`eq/ nat`eq/ N1-1+1=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 N0+1+N1=N2' N4 N0+1+N3=N4
N4+N2+1=N2'
<- plus-swap-succ-converse N4+N2+1=N2' N4+1+N2=N2'.
%% Update in the tail, lookup at the head: the head is untouched.
- : update-preserves-lookup (lookup/= nat`eq/) (update/> _ _) _ (lookup/= nat`eq/).
%% Update in the tail, lookup in the tail: the absolute keys differ, so
%% (by right cancellation of the common head) the relative keys differ,
%% and the result follows by recursion on the tail.
- : update-preserves-lookup (lookup/> L N0+1+N1=N2)
((update/> U N0'+1+N1=N2')
: update (map/+ N1 D1 M1) N2' D'
(map/+ N1 D1 M1'))
N2<>N2'
((lookup/> L' N0+1+N1=N2)
: lookup (map/+ N1 D1 M1') N2 D)
<- plus-right-cancels-ne N0+1+N1=N2 N0'+1+N1=N2' nat`eq/ N2<>N2' N0+1<>N0'+1
<- succ-preserves-ne-converse N0+1<>N0'+1 N0<>N0'
<- update-preserves-lookup L U N0<>N0' L'.
%worlds () (update-preserves-lookup F^N2=D2 F^N1=D1->F' N1<>N2 F'^N2=D2).
%total (L) (update-preserves-lookup L _ _ _).
%% Converse frame property: an entry found after the update at a key N2
%% other than the updated key N1 was already present, with the same datum,
%% before the update.  Cases where the found key is the written key
%% contradict the N2 <> N1 hypothesis.
%theorem update-preserves-lookup-converse :
forall* {F1} {N1} {D1} {F2} {N2} {D2}
forall {L2:lookup F2 N2 D2} {U:update F1 N1 D1 F2} {X:nat`ne N2 N1}
exists {L1:lookup F1 N2 D2}
true.
- : update-preserves-lookup-converse (lookup/= nat`eq/) update/0 N<>N L1
<- nat`ne-anti-reflexive N<>N F
<- false-implies-lookup F L1.
- : update-preserves-lookup-converse (lookup/= nat`eq/) (update/= nat`eq/) N<>N
L1
<- nat`ne-anti-reflexive N<>N F
<- false-implies-lookup F L1.
- : update-preserves-lookup-converse (lookup/= nat`eq/) (update/< N3+1+N2=N1)
N<>N L1
<- nat`ne-anti-reflexive N<>N F
<- false-implies-lookup F L1.
%% Update went into the tail, lookup hit the untouched head.
- : update-preserves-lookup-converse (lookup/= nat`eq/) (update/> _ _) _
(lookup/= nat`eq/).
%% Head overwritten, lookup in the untouched tail.
- : update-preserves-lookup-converse (lookup/> L1 P) (update/= nat`eq/) _
(lookup/> L1 P).
%% New head inserted; lookup found the old head one gap in.  Its absolute
%% key N4 equals the old head key N1 by determinism of plus.
- : update-preserves-lookup-converse (lookup/> (lookup/= nat`eq/) N3+1+N2=N4)
(update/< N3+1+N2=N1) _
(lookup/= N1=N4)
<- plus-deterministic N3+1+N2=N1 N3+1+N2=N4 nat`eq/ nat`eq/ N1=N4.
%% New head inserted; lookup found an entry two gaps in.  Collapse the
%% two gaps (N6 past N3 past N2) into one gap N6 past the old head N1.
- : update-preserves-lookup-converse (lookup/> (lookup/> L1 N6+1+N3=N5)
N5+1+N2=N4)
(update/< N3+1+N2=N1) _
(lookup/> L1 N6+1+N1=N4)
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-swap-succ N5+1+N2=N4 N5+N2+1=N4
<- plus-associative* N6+1+N3=N5 N5+N2+1=N4 N3+N2+1=N1 N6+1+N1=N4.
%% Both in the tail: relative keys differ because absolute keys do;
%% recurse on the tail.
- : update-preserves-lookup-converse (lookup/> L2 N5+1+N1=N4)
(update/> U1 N0+1+N1=N2) N4<>N2
(lookup/> L1 N5+1+N1=N4)
<- plus-right-cancels-ne N5+1+N1=N4 N0+1+N1=N2 nat`eq/ N4<>N2 N5+1<>N0+1
<- succ-preserves-ne-converse N5+1<>N0+1 N5<>N0
<- update-preserves-lookup-converse L2 U1 N5<>N0 L1.
%worlds () (update-preserves-lookup-converse _ _ _ _).
%total (L) (update-preserves-lookup-converse L _ _ _).
%% Frame property for absence: a key N1 absent before an update at a
%% different key N2 is still absent afterwards.  Absence is witnessed
%% positionally (not-member/< : below the head; not-member/> : past the
%% head and absent from the tail), so the witness has to be rebuilt when
%% the update changes the head.
%theorem update-preserves-not-member :
forall* {M1} {N1} {N2} {D} {M2}
forall {F1:not-member M1 N1} {U:update M1 N2 D M2} {N:nat`ne N1 N2}
exists {F2:not-member M2 N1}
true.
%% Insert into map/0: N1 is below the new head, or past it with an empty
%% tail.
- : update-preserves-not-member not-member/0 update/0 (nat`ne/< N>M) (not-member/< N>M).
- : update-preserves-not-member not-member/0 update/0 (nat`ne/> M>N)
(not-member/> not-member/0 M1+1+N=M)
<- gt-implies-plus M>N M1 M1+1+N=M.
%% Head overwritten in place: the key layout is unchanged.
- : update-preserves-not-member (not-member/< N>M) (update/= nat`eq/) _ (not-member/< N>M).
%% New head N2 inserted below the old head N1, and N1-absent key M was
%% below N1: either M is also below N2 ...
- : update-preserves-not-member (not-member/< N1>M) (update/< N3+1+N2=N1) (nat`ne/< N2>M)
(not-member/< N2>M).
%% ... or M lies strictly between N2 and N1, i.e. past the new head and
%% below the old head (now at gap N3), where the tail is not consulted.
- : update-preserves-not-member (not-member/< N1>M) (update/< N3+1+N2=N1) (nat`ne/> M>N2)
(not-member/> (not-member/< N3>M1) M1+1+N2=M)
<- gt-implies-plus M>N2 M1 M1+1+N2=M
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-swap-succ M1+1+N2=M M1+N2+1=M
<- plus-right-cancels-gt N3+N2+1=N1 M1+N2+1=M nat`eq/ N1>M N3>M1.
%% Update in the tail cannot affect a key below the head.
- : update-preserves-not-member (not-member/< N1>M) (update/> _ _) _ (not-member/< N1>M).
- : update-preserves-not-member (not-member/> F P) (update/= nat`eq/) _ (not-member/> F P).
%% New head inserted below; the absent key was past the old head, so it
%% is now past both heads: split its offset across the two gaps.
- : update-preserves-not-member (not-member/> F M1+1+N1=M) (update/< N3+1+N2=N1) _
(not-member/> (not-member/> F M1+1+N3=MM) MM+1+N2=M)
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 M1+1+N1=M MM M1+1+N3=MM
MM+N2+1=M
<- plus-swap-succ-converse MM+N2+1=M MM+1+N2=M.
%% Both past the head: relative keys differ, recurse on the tail.
- : update-preserves-not-member (not-member/> F M1+1+N1=M) (update/> U N0+1+N1=N2) M<>N2
(not-member/> F' M1+1+N1=M)
<- plus-right-cancels-ne M1+1+N1=M N0+1+N1=N2 nat`eq/ M<>N2 M1+1<>N0+1
<- succ-preserves-ne-converse M1+1<>N0+1 M1<>N0
<- update-preserves-not-member F U M1<>N0 F'.
%worlds () (update-preserves-not-member N1-not-member-M1 M1^N2=D->M2 N1<>N2 N1-not-member-M2).
%total (F) (update-preserves-not-member F _ _ _).
%% A key absent after an update was absent before it.  No inequality
%% hypothesis is needed: if N1 were present before, it would be present
%% after (update-preserves-lookup when N1 <> N2, update-implies-lookup
%% when N1 = N2), contradicting the absence.  The proof case-splits on
%% membership in M1 and on N1 = N2 via a helper that takes both decisions.
%theorem update-preserves-not-member-converse :
forall* {M1} {N1} {N2} {D} {M2}
forall {F1:not-member M2 N1} {U:update M1 N2 D M2}
exists {F2:not-member M1 N1}
true.
%theorem update-preserves-not-member-converse-helper :
forall* {M1} {N1} {N2} {D} {M2} {B} {B2}
forall {F1:not-member M2 N1} {U:update M1 N2 D M2}
{D:member? M1 N1 B} {E:nat`eq? N1 N2 B2}
exists {F2:not-member M1 N1}
true.
%% Absent before: nothing to prove.
- : update-preserves-not-member-converse-helper _ _ (member?/out F) _ F.
%% Present before at a key other than N2: still present after, which
%% contradicts F2.
- : update-preserves-not-member-converse-helper F2 U (member?/in L1) (nat`eq?/no N) F1
<- update-preserves-lookup L1 U N L2
<- not-member-lookup-not-equal F2 L2 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-not-member F F1.
%% N1 = N2: the updated key is present afterwards, contradicting F2.
- : update-preserves-not-member-converse-helper F2 U _ nat`eq?/yes F1
<- update-implies-lookup U L2
<- not-member-lookup-not-equal F2 L2 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-not-member F F1.
%worlds () (update-preserves-not-member-converse-helper _ _ _ _ _).
%total { } (update-preserves-not-member-converse-helper _ _ _ _ _).
- : update-preserves-not-member-converse F2 U F1
<- member?-total D
<- nat`eq?-total E
<- update-preserves-not-member-converse-helper F2 U D E F1.
%worlds () (update-preserves-not-member-converse _ _ _).
%total { } (update-preserves-not-member-converse _ _ _).
%% Non-interference / frame property for update: if a key N1 was absent
%% before an update at N2 and is present afterwards, then N1 is the
%% updated key and its datum is the written datum.  Nothing else is
%% introduced by an update.  Proved by deciding N1 = N2 and delegating.
%theorem update-is-cause-of-change :
forall* {M1} {N1} {N2} {M2} {D1} {D2}
forall {F:not-member M1 N1}
{U:update M1 N2 D2 M2}
{L:lookup M2 N1 D1}
exists {EN:nat`eq N1 N2} {ED:unit`eq D1 D2}
true.
%theorem update-is-cause-of-change/L :
forall* {M1} {N1} {N2} {M2} {D1} {D2} {B}
forall {F:not-member M1 N1}
{U:update M1 N2 D2 M2}
{L:lookup M2 N1 D1}
{E:nat`eq? N1 N2 B}
exists {EN:nat`eq N1 N2} {ED:unit`eq D1 D2}
true.
- : update-is-cause-of-change F U L EN ED
<- nat`eq?-total E?
<- update-is-cause-of-change/L F U L E? EN ED.
%% N1 = N2: the datum found must be the written one, by determinism of
%% lookup against update-implies-lookup.
- : update-is-cause-of-change/L F U L (nat`eq?/yes) nat`eq/ ED
<- update-implies-lookup U L'
<- lookup-deterministic L L' eq/ nat`eq/ ED.
%% N1 <> N2: absence is preserved by the update, contradicting the lookup
%% in M2; both outputs follow ex falso.
- : update-is-cause-of-change/L F U L (nat`eq?/no N1<>N2) EN ED
<- update-preserves-not-member F U N1<>N2 F'
<- not-member-lookup-not-equal F' L N1<>N1
<- nat`ne-anti-reflexive N1<>N1 V
<- nat`false-implies-eq V EN
<- unit`false-implies-eq V ED.
%worlds () (update-is-cause-of-change/L _ _ _ _ _ _).
%total { } (update-is-cause-of-change/L _ _ _ _ _ _).
%worlds () (update-is-cause-of-change _ _ _ _ _).
%total { } (update-is-cause-of-change _ _ _ _ _).
%% update-preserves-membership:
%% the member? verdict for N1 is unchanged by an update at a different key N2.
%% Dispatches on the verdict and uses the corresponding lookup / not-member lemma.
%theorem update-preserves-membership :
forall* {M1} {N1} {B} {N2} {D} {M2}
forall {MD1:member? M1 N1 B} {U:update M1 N2 D M2} {N:nat`ne N1 N2}
exists {MD2:member? M2 N1 B}
true.
- : update-preserves-membership (member?/in L) U NE (member?/in L')
<- update-preserves-lookup L U NE L'.
- : update-preserves-membership (member?/out F) U NE (member?/out F')
<- update-preserves-not-member F U NE F'.
%worlds () (update-preserves-membership _ _ _ _).
%total {} (update-preserves-membership _ _ _ _).
%% update-preserves-membership-converse:
%% the member? verdict for N1 in the updated map M2 already held in M1,
%% provided the update was at a different key N2.
%% (The not-member converse lemma does not need the disequality, so the
%% member?/out case simply drops NE.)
%theorem update-preserves-membership-converse :
forall* {M1} {N1} {B} {N2} {D} {M2}
forall {MD2:member? M2 N1 B} {U:update M1 N2 D M2} {N:nat`ne N1 N2}
exists {MD1:member? M1 N1 B}
true.
- : update-preserves-membership-converse (member?/in L2) U NE (member?/in L1)
<- update-preserves-lookup-converse L2 U NE L1.
- : update-preserves-membership-converse (member?/out F2) U NE (member?/out F1)
<- update-preserves-not-member-converse F2 U F1.
%worlds () (update-preserves-membership-converse _ _ _ _).
%total { } (update-preserves-membership-converse _ _ _ _).
%% lookup-update-preserves-membership:
%% if the updated key N2 is already present in M1 (witnessed by L), then
%% updating it preserves the member? verdict of every key N1 -- including
%% N1 = N2, so no disequality premise is needed.
%theorem lookup-update-preserves-membership :
forall* {M1} {N1} {B} {N2} {D1} {D2} {M2}
forall {MD1:member? M1 N1 B} {L:lookup M1 N2 D1} {U:update M1 N2 D2 M2}
exists {MD2:member? M2 N1 B}
true.
%% /L variant: takes the decision nat`eq? N1 N2 B2 as an extra input.
%theorem lookup-update-preserves-membership/L :
forall* {M1} {N1} {B} {N2} {D1} {D2} {M2} {B2}
forall {MD1:member? M1 N1 B} {L:lookup M1 N2 D1} {U:update M1 N2 D2 M2}
{EQ?:nat`eq? N1 N2 B2}
exists {MD2:member? M2 N1 B}
true.
%% N1 <> N2: plain update-preserves-membership applies.
- : lookup-update-preserves-membership/L MD1 _ Ux1 (nat`eq?/no N1<>N2) MD2
<- update-preserves-membership MD1 Ux1 N1<>N2 MD2.
%% N1 = N2 and N1 present: the update itself provides the new lookup.
- : lookup-update-preserves-membership/L
(member?/in _) _ U (nat`eq?/yes) (member?/in L2)
<- update-implies-lookup U L2.
%% N1 = N2 and N1 absent: impossible, since L says N2 is present.
- : lookup-update-preserves-membership/L
(member?/out F1) L1 _ nat`eq?/yes (member?/out F2)
<- not-member-lookup-not-equal F1 L1 NE
<- nat`ne-anti-reflexive NE F
<- false-implies-not-member F F2.
%worlds () (lookup-update-preserves-membership/L _ _ _ _ _).
%total { } (lookup-update-preserves-membership/L _ _ _ _ _).
- : lookup-update-preserves-membership MD1 L1 U MD2
<- nat`eq?-total EQ?
<- lookup-update-preserves-membership/L MD1 L1 U EQ? MD2.
%worlds () (lookup-update-preserves-membership _ _ _ _).
%total { } (lookup-update-preserves-membership _ _ _ _).
%% lookup-update-preserves-membership-converse:
%% the other direction of lookup-update-preserves-membership. Proved
%% indirectly: decide membership in M1, push it forward with the forward
%% lemma, and use determinism of member? to identify the two verdicts.
%theorem lookup-update-preserves-membership-converse :
forall* {M1} {N1} {B} {N2} {D1} {D2} {M2}
forall {MD1:member? M2 N1 B} {L:lookup M1 N2 D1} {U:update M1 N2 D2 M2}
exists {MD2:member? M1 N1 B}
true.
- : lookup-update-preserves-membership-converse MD2 ML MU MD1
<- member?-total MD1'
<- lookup-update-preserves-membership MD1' ML MU MD2'
<- member?-deterministic MD2' MD2 eq/ nat`eq/ B'=B
<- member?-respects-eq MD1' eq/ nat`eq/ B'=B MD1.
%worlds () (lookup-update-preserves-membership-converse _ _ _ _).
%total { } (lookup-update-preserves-membership-converse _ _ _ _).
%% update-preserves-in-member:
%% a key that is present (member? ... true) stays present after any update,
%% whatever key the update touches.
%theorem update-preserves-in-member :
forall* {M1} {N1} {N2} {D} {M2}
forall {MD1:member? M1 N1 true} {U:update M1 N2 D M2}
exists {MD2:member? M2 N1 true}
true.
%% /L variant: takes the decision nat`eq? N1 N2 B as an extra input.
%theorem update-preserves-in-member/L :
forall* {M1} {N1} {N2} {D} {M2} {B}
forall {MD1:member? M1 N1 true} {U:update M1 N2 D M2}
{E: nat`eq? N1 N2 B}
exists {MD2:member? M2 N1 true}
true.
%% N1 <> N2: the existing lookup survives the update.
- : update-preserves-in-member/L
(member?/in ML1) U (nat`eq?/no N1<>N2) (member?/in ML2)
<- update-preserves-lookup ML1 U N1<>N2 ML2.
%% N1 = N2: the update provides a (possibly new) lookup for N1.
- : update-preserves-in-member/L _ U (nat`eq?/yes) (member?/in ML)
<- update-implies-lookup U ML.
%worlds () (update-preserves-in-member/L _ _ _ _).
%total { } (update-preserves-in-member/L _ _ _ _).
- : update-preserves-in-member MD1 U MD2
<- nat`eq?-total E
<- update-preserves-in-member/L MD1 U E MD2.
%worlds () (update-preserves-in-member _ _ _).
%total { } (update-preserves-in-member _ _ _).
%% update-overwrites:
%% two consecutive updates at the same key (N1 = N2) collapse into a single
%% update with the second datum D2. Induction on the first update U1.
%theorem update-overwrites :
forall* {M1} {N1} {D1} {M2} {N2} {D2} {M3}
forall {U1:update M1 N1 D1 M2} {U2:update M2 N2 D2 M3}
{E:nat`eq N1 N2}
exists {U12:update M1 N1 D2 M3}
true.
%% Structural cases: the second update must hit the head that the first
%% update wrote (update/=), or both recurse past the same head (update/>).
- : update-overwrites (update/0) (update/= nat`eq/) nat`eq/ (update/0).
- : update-overwrites (update/= nat`eq/) (update/= nat`eq/) nat`eq/ (update/= nat`eq/).
- : update-overwrites (update/< P) (update/= nat`eq/) nat`eq/ (update/< P).
%% Both updates pass the head: cancel the common head key from the two
%% offset equations, so the recursive call is at the same (shifted) key.
- : update-overwrites (update/> U1 P) (update/> U2 P') nat`eq/ (update/> U3 P)
<- plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
<- succ-cancels N0+1=N0'+1 N0=N0'
<- update-overwrites U1 U2 N0=N0' U3.
%% contradiction cases
%% Each remaining combination forces an equation of the form s N0 + N = N
%% (a key strictly greater than itself), or N1 > N2 together with N2 > N1;
%% the required output is then obtained from void.
- : update-overwrites (update/0) (update/< N3+1+N=N) nat`eq/ U
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-update F U.
- : update-overwrites (update/0) (update/> _ N0+1+N=N) nat`eq/ U
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-update F U.
- : update-overwrites (update/= nat`eq/) (update/< N3+1+N=N) nat`eq/ U
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-update F U.
- : update-overwrites (update/= nat`eq/) (update/> _ N0+1+N=N) nat`eq/ U
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-update F U.
- : update-overwrites (update/< _) (update/< N3+1+N=N) nat`eq/ U
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-update F U.
- : update-overwrites (update/< _) (update/> _ N0+1+N=N) nat`eq/ U
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-update F U.
- : update-overwrites (update/> _ N0+1+N=N) (update/= nat`eq/) nat`eq/ U
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-update F U.
- : update-overwrites (update/> _ N0+1+N1=N2) (update/< N3+1+N2=N1) nat`eq/ U
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-update F U.
%worlds () (update-overwrites M1^N1=D1->M2 M2^N2=D2->M3 N1=N2
%{=>}% M1^N1=D2->M3).
%total (U) (update-overwrites U _ _ _).
%% update-overwrites-converse:
%% if M3 is M1 updated at N1 with D1, then M3 is also reachable from any
%% intermediate M2 = (M1 updated at N1 with D2) by a further update at N1
%% with D1. Proved by building the second update via totality and
%% identifying its result with M3 through update-overwrites + determinism.
%theorem update-overwrites-converse :
forall* {M1} {N1} {D1} {M2} {D2} {M3}
forall {U12:update M1 N1 D1 M3} {U1:update M1 N1 D2 M2}
exists {U2:update M2 N1 D1 M3}
true.
- : update-overwrites-converse U12 U1 U2
<- update-total U2P
<- update-overwrites U1 U2P nat`eq/ U12P
<- update-deterministic U12P U12 eq/ nat`eq/ unit`eq/ M2P=M2
<- update-respects-eq U2P eq/ nat`eq/ unit`eq/ M2P=M2 U2.
%worlds () (update-overwrites-converse _ _ _).
%total { } (update-overwrites-converse _ _ _).
%% update-may-have-no-effect:
%% writing the datum D that key N already maps to leaves the map equal.
%% Induction on the lookup; each case inverts the update against the lookup's
%% shape (update/=-inversion, update/>-inversion).
%theorem update-may-have-no-effect :
forall* {M1} {N} {D} {M2}
forall {L:lookup M1 N D} {U:update M1 N D M2}
exists {E:eq M1 M2}
true.
- : update-may-have-no-effect (lookup/= nat`eq/) U E
<- update/=-inversion U nat`eq/ E.
%% Lookup passes the head: invert the update to a tail update, recurse, then
%% rebuild the equality on the map/+ constructor and chain it.
- : update-may-have-no-effect (lookup/> L1 N0+1+N1=N2) U E
<- update/>-inversion U N0+1+N1=N2 _ U1 M112=M2
<- update-may-have-no-effect L1 U1 M1=M2
<- map/+-preserves-eq nat`eq/ unit`eq/ M1=M2 M111=M112
<- eq-transitive M111=M112 M112=M2 E.
%worlds () (update-may-have-no-effect _ _ _).
%total (L) (update-may-have-no-effect L _ _).
%% update-idempotent:
%% applying the same update (same key, same datum) twice yields the same map
%% as applying it once (M2 = M3). Follows from update-overwrites plus
%% determinism of update.
%theorem update-idempotent :
forall* {M1} {N1} {D1} {M2} {N2} {D2} {M3}
forall {U1:update M1 N1 D1 M2} {U2:update M2 N2 D2 M3}
{EN:nat`eq N1 N2} {ED:unit`eq D1 D2}
exists {EM:eq M2 M3}
true.
- : update-idempotent U1 U2 nat`eq/ unit`eq/ M2=M3
<- update-overwrites U1 U2 nat`eq/ M1^N=D->M3
<- update-deterministic U1 M1^N=D->M3 eq/ nat`eq/ unit`eq/ M2=M3.
%worlds () (update-idempotent M1^N1=D1->M2 M2^N2=D2->M3 N1=N2 D1=D2
%{=>}% M2=M3).
%total {} (update-idempotent _ _ _ _ _).
%% update-commutes:
%% two updates at distinct keys N1 <> N2 can be performed in the opposite
%% order: there is an M2 = (M updated at N2) such that updating M2 at N1
%% gives the same final map M12. The intermediate map M2 is an output.
%% Induction on the first update U1; cases enumerate the constructor pairs
%% (U1, U12). Several cases carry type ascriptions on patterns to pin the
%% shape of the maps for the coverage checker.
%theorem update-commutes :
forall* {M} {N1} {D1} {M1} {N2} {D2} {M12}
forall {U1:update M N1 D1 M1} {U12:update M1 N2 D2 M12}
{NE:nat`ne N1 N2}
exists {M2} {U2:update M N2 D2 M2} {U21:update M2 N1 D1 M12}
true.
%% Contradiction: both updates hit the same head key, so N1<>N2 is N<>N.
- : update-commutes update/0 (update/= nat`eq/) N<>N map/0 U2 U21
<- nat`ne-anti-reflexive N<>N F
<- false-implies-update F U2
<- false-implies-update F U21.
- : update-commutes update/0 (update/< N'+1+N2=N1) _ _ update/0
(update/> update/0 N'+1+N2=N1).
- : update-commutes update/0 (update/> update/0 N'+1+N1=N2) _ _ update/0
(update/< N'+1+N1=N2).
%% Contradiction: same head key again.
- : update-commutes (update/= nat`eq/) (update/= nat`eq/) N<>N map/0 U2 U21
<- nat`ne-anti-reflexive N<>N F
<- false-implies-update F U2
<- false-implies-update F U21.
- : update-commutes (update/= nat`eq/) (update/< N'+1+N2=N1) _ _
(update/< N'+1+N2=N1) (update/> (update/= nat`eq/) N'+1+N2=N1).
- : update-commutes (update/= nat`eq/) (update/> U N'+1+N1=N2) _ _
(update/> U N'+1+N1=N2) (update/= nat`eq/).
%% Contradiction: same head key again.
- : update-commutes (update/< _) (update/= nat`eq/) N<>N map/0 U2 U21
<- nat`ne-anti-reflexive N<>N F
<- false-implies-update F U2
<- false-implies-update F U21.
%% Both keys precede the old head: re-associate the two offsets so the
%% inner map is re-based relative to N2 instead of N1.
- : update-commutes (update/< N1'+1+N1=N) (update/< N2'+1+N2=N1) _ _
(update/< N2''+1+N2=N)
(update/> (update/< N1'+1+N2'=N2'') N2'+1+N2=N1)
<- plus-swap-succ N2'+1+N2=N1 N2'+N2+1=N1
<- plus-associative-converse N2'+N2+1=N1 N1'+1+N1=N
N2'' N1'+1+N2'=N2'' N2''+N2+1=N
<- plus-swap-succ-converse N2''+N2+1=N N2''+1+N2=N.
%% Second update passes the new head and overwrites the original head:
%% the two offset equations must agree, which plus-deterministic supplies.
- : update-commutes ((update/< N11+1+N1=N):update (map/+ N D M) _ _ _)
(update/> (update/= nat`eq/) N11+1+N1=N2) _
(map/+ N2 D2 M)
(update/= N=N2)
((update/< N11+1+N1=N2):update _ N1 D1 _)
<- plus-deterministic N11+1+N1=N N11+1+N1=N2 nat`eq/ nat`eq/ N=N2.
- : update-commutes (update/< N11+1+N1=N)
(update/> (update/< N2''+1+N2'=N11) N2'+1+N1=N2) _ _
(update/< N2''+1+N2=N) (update/< N2'+1+N1=N2)
<- plus-swap-succ N11+1+N1=N N11+N1+1=N
<- plus-swap-succ N2'+1+N1=N2 N2'+N1+1=N2
<- plus-associative* N2''+1+N2'=N11 N11+N1+1=N N2'+N1+1=N2
N2''+1+N2=N.
- : update-commutes (update/< N11+1+N1=N)
(update/> (update/> U N2''+1+N11=N2') N2'+1+N1=N2) _ _
(update/> U N2''+1+N=N2) (update/< N11+1+N1=N)
<- plus-swap-succ N11+1+N1=N N11+N1+1=N
<- plus-swap-succ N2'+1+N1=N2 N2'+N1+1=N2
<- plus-associative* N2''+1+N11=N2' N2'+N1+1=N2 N11+N1+1=N N2''+1+N=N2.
- : update-commutes (update/> U N11+1+N=N1) (update/= nat`eq/) _ _
(update/= nat`eq/) (update/> U N11+1+N=N1).
- : update-commutes (update/> U N11+1+N=N1) (update/< N2'+1+N2=N) _ _
(update/< N2'+1+N2=N)
(update/> (update/> U N11+1+N2'=N11') N11'+1+N2=N1)
<- plus-swap-succ N2'+1+N2=N N2'+N2+1=N
<- plus-associative-converse N2'+N2+1=N N11+1+N=N1
N11' N11+1+N2'=N11' N11'+N2+1=N1
<- plus-swap-succ-converse N11'+N2+1=N1 N11'+1+N2=N1.
%% Both updates pass the head: cancel the shared head key from N1<>N2 to
%% get the disequality of the shifted keys, then recurse.
- : update-commutes (update/> U1 N11+1+N=N1) (update/> U12 N2'+1+N=N2) N1<>N2
(map/+ N D M2)
(update/> U2 N2'+1+N=N2) (update/> U21 N11+1+N=N1)
<- plus-right-cancels-ne N11+1+N=N1 N2'+1+N=N2 nat`eq/ N1<>N2 N11+1<>N2'+1
<- succ-preserves-ne-converse N11+1<>N2'+1 N11<>N2'
<- update-commutes U1 U12 N11<>N2' M2 U2 U21.
%worlds () (update-commutes M^N1=D1->M1 M1^D2=N2->M12 N1<>N2
%{=>}% M2 M^N2=D2->M2 M2^N1=D1->M12).
%total (U1) (update-commutes U1 _ _ _ _ _).
%% update-commutes*:
%% like update-commutes, but the intermediate map M2 (with its update U2)
%% is supplied by the caller rather than produced. Obtained from
%% update-commutes by identifying its M2' with the given M2 via determinism.
%theorem update-commutes* :
forall* {M} {N1} {D1} {M1} {N2} {D2} {M12} {M2}
forall {U1:update M N1 D1 M1} {U12:update M1 N2 D2 M12}
{NE:nat`ne N1 N2} {U2:update M N2 D2 M2}
exists {U21:update M2 N1 D1 M12}
true.
- : update-commutes* M^N1=D1->M1 M1^D2=N2->M12 N1<>N2 M^N2=D2->M2 M2^N1=D1->M12
<- update-commutes M^N1=D1->M1 M1^D2=N2->M12 N1<>N2
M2' M^N2=D2->M2' M2'^N1=D1->M12
<- update-deterministic M^N2=D2->M2' M^N2=D2->M2 eq/ nat`eq/
unit`eq/ M2'=M2
<- update-respects-eq M2'^N1=D1->M12 M2'=M2 nat`eq/
unit`eq/ eq/ M2^N1=D1->M12.
%worlds () (update-commutes* M^N1=D1->M1 M1^D2=N2->M12 N1<>N2 M^N2=D2->M2
%{=>}% M2^N1=D1->M12).
%total {} (update-commutes* _ _ _ _ _).
%% The following theorem is needed if you want to iteratively
%% do something with a set. It says that you can take out an element
%% and (using the update-preserves-X-converse theorems) get a smaller set
%% that differs only for this element:
%% can-remove:
%% given size M S and an element N of M (lookup M N D), produce a map M-
%% of size S- with s S- = S, from which M is recovered by updating N with
%% D, and in which N is absent. Induction on the lookup.
%theorem can-remove :
forall* {M} {S} {N} {D}
forall {SZ:size M S} {L:lookup M N D}
exists {M-} {S-} {SZ-:size M- S-} {E:nat`eq (s S-) S}
{U:update M- N D M} {F:not-member M- N}
true.
%% Head matched and it is the only entry: M- is the empty map.
- : can-remove (size/+ _) (lookup/= _) _ _ size/0 nat`eq/ update/0 not-member/0.
%% Head matched with at least one more entry: M- is the remainder, whose
%% new head key is re-based (plus-total) and shown to lie below N (N1>N2).
- : can-remove (size/+ (size/+ SZ)) (lookup/= nat`eq/) _ _ (size/+ SZ) nat`eq/
(update/< N3+1+N2=N1) (not-member/< N1>N2)
<- plus-total N3+1+N2=N1
<- plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2.
%% Element lies past the head: recurse into the tail and lift the size
%% equation through the successor.
- : can-remove (size/+ SZ) (lookup/> LK N0+1+N1=N2) _ _
(size/+ SZ2) E
(update/> U2 N0+1+N1=N2) (not-member/> F2 N0+1+N1=N2)
<- can-remove SZ LK M- S- SZ2 E2 U2 F2
<- succ-deterministic E2 E.
%worlds () (can-remove _ _ _ _ _ _ _ _).
%total (L) (can-remove _ L _ _ _ _ _ _).
%%%% Map comparison
%%% Definition of leq
%% leq M1 M2: M1 is a "sub-map" of M2.
%%   leq/0  the empty map is below every map;
%%   leq/=  equal head keys: compare data with unit`leq and recurse;
%%   leq/>  the left head key N1 is larger (N1 = s N3 + N2): skip the right
%%          head and continue with the left head re-based to offset N3.
%% There is no leq/< constructor, so every key of M1 must occur in M2.
leq : map -> map -> type.
leq/0 : leq map/0 M.
leq/= : leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)
<- nat`eq N1 N2
<- unit`leq D1 D2
<- leq M1 M2.
leq/> : leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)
<- nat`plus (s N3) N2 N1
<- leq (map/+ N3 D1 M1) M2.
%%% Theorems about leq
%% false-implies-leq: ex falso for leq. No cases are needed because the
%% input type void is uninhabited.
%theorem false-implies-leq :
forall* {M1} {M2}
forall {F:void}
exists {L:leq M1 M2}
true.
%worlds () (false-implies-leq _ _).
%total {} (false-implies-leq _ _).
%% leq-respects-eq: transport a leq derivation along map equalities.
%% Since eq has only the reflexive constructor eq/, the derivation is
%% returned unchanged, which the %reduces declaration records.
%theorem leq-respects-eq :
forall* {M1} {M2} {M1'} {M2'}
forall {L:leq M1 M2} {E1:eq M1 M1'} {E2:eq M2 M2'}
exists {LP:leq M1' M2'}
true.
- : leq-respects-eq L eq/ eq/ L.
%worlds () (leq-respects-eq _ _ _ _).
%total {} (leq-respects-eq _ _ _ _).
%reduces L1 = L2 (leq-respects-eq L1 _ _ L2).
%% leq/0-inversion: the only map below the empty map is the empty map.
%theorem leq/0-inversion :
forall* {M1} {M2}
forall {L:leq M1 M2} {E2:eq M2 map/0}
exists {E1:eq M1 map/0}
true.
- : leq/0-inversion leq/0 eq/ eq/.
%worlds () (leq/0-inversion _ _ _).
%total { } (leq/0-inversion _ _ _).
%% leq/=-inversion: when the head keys are equal, a leq derivation must be
%% leq/=, yielding unit`leq on the data and leq on the tails.
%theorem leq/=-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2}
forall {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)} {EN:nat`eq N1 N2}
exists {ED:unit`leq D1 D2} {EM:leq M1 M2}
true.
- : leq/=-inversion (leq/= M1<=M2 D1<=D2 nat`eq/) nat`eq/ D1<=D2 M1<=M2.
%% leq/> is impossible here: it would need s N3 + N = N.
- : leq/=-inversion (leq/> M311<=M2 N3+1+N=N) nat`eq/ ED M1<=M2
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- unit`false-implies-leq F ED
<- false-implies-eq F M311=M1
<- leq-respects-eq M311<=M2 M311=M1 eq/ M1<=M2.
%worlds () (leq/=-inversion _ _ _ _).
%total { } (leq/=-inversion _ _ _ _).
%% The tail derivation is a strict subterm of the input, for use in %total.
%reduces L1 < L (leq/=-inversion L _ _ L1).
%% leq/>-inversion: when the left head key N1 exceeds the right head key
%% N2 by s N3, the derivation must be leq/>, and its sub-derivation
%% (with the left head re-based to N3) is returned.
%theorem leq/>-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3}
forall {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)}
{P:plus (s N3) N2 N1}
exists {EM:leq (map/+ N3 D1 M1) M2}
true.
%% leq/= is impossible here: it would need s N3 + N = N.
- : leq/>-inversion (leq/= M1<=M2 D1<=D2 nat`eq/) N3+1+N=N M311<=M2
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F M1=M311
<- leq-respects-eq M1<=M2 M1=M311 eq/ M311<=M2.
%% leq/>: its offset N3P must equal the given N3 (right cancellation),
%% so the stored sub-derivation is transported to the requested offset.
- : leq/>-inversion (leq/> M311'<=M2 N3P+1+N2=N1) N3+1+N2=N1 M311<=M2
<- plus-right-cancels N3P+1+N2=N1 N3+1+N2=N1 nat`eq/ nat`eq/ N3P+1=N3+1
<- succ-cancels N3P+1=N3+1 N3P=N3
<- map/+-preserves-eq N3P=N3 unit`eq/ eq/ M311'=M311
<- leq-respects-eq M311'<=M2 M311'=M311 eq/ M311<=M2.
%worlds () (leq/>-inversion _ _ _).
%total { } (leq/>-inversion _ _ _).
%reduces LP < L (leq/>-inversion L _ LP).
%% leq-contradiction: a map whose head key N1 is strictly smaller than the
%% right-hand head key N2 (N2 = s N0 + N1) cannot be below it -- there is
%% no leq/< constructor. Both available constructors lead to a
%% contradiction in nat arithmetic.
%theorem leq-contradiction :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0}
forall {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)}
{P:plus (s N0) N1 N2}
exists {F:void}
true.
- : leq-contradiction (leq/= _ _ nat`eq/) N0+1+N=N F
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F.
- : leq-contradiction (leq/> _ N3+1+N2=N1) N0+1+N1=N2 F
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F.
%worlds () (leq-contradiction _ _ _).
%total { } (leq-contradiction _ _ _).
%% leq-reflexive: every map is below itself. Induction on the map, using
%% reflexivity of unit`leq for the data.
%theorem leq-reflexive :
forall {M}
exists {L:leq M M}
true.
- : leq-reflexive map/0 leq/0.
- : leq-reflexive (map/+ N D M) (leq/= M<=M D<=D nat`eq/)
<- unit`leq-reflexive D D<=D
<- leq-reflexive M M<=M.
%worlds () (leq-reflexive _ _).
%total (M) (leq-reflexive M _).
%% leq-anti-symmetric: leq M1 M2 and leq M2 M1 imply M1 = M2.
%% Induction on the first derivation. Mixed leq/= and leq/> cases, and the
%% double leq/> case, are contradictory in nat arithmetic.
%theorem leq-anti-symmetric :
forall* {M1} {M2}
forall {L1: leq M1 M2} {L2:leq M2 M1}
exists {E: eq M1 M2}
true.
- : leq-anti-symmetric leq/0 leq/0 eq/.
- : leq-anti-symmetric (leq/= M1<=M2 D1<=D2 nat`eq/)
(leq/= M2<=M1 D2<=D1 nat`eq/) E
<- unit`leq-anti-symmetric D1<=D2 D2<=D1 D1=D2
<- leq-anti-symmetric M1<=M2 M2<=M1 M1=M2
<- map/+-preserves-eq nat`eq/ D1=D2 M1=M2 E.
%% Contradiction cases.
- : leq-anti-symmetric (leq/= _ _ nat`eq/) (leq/> _ N3+1+N=N) E
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : leq-anti-symmetric (leq/> _ N3+1+N=N) (leq/= _ _ nat`eq/) E
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : leq-anti-symmetric (leq/> _ N3+1+N2=N1) (leq/> _ N0+1+N1=N2) E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F E.
%worlds () (leq-anti-symmetric _ _ _).
%total (L) (leq-anti-symmetric L _ _).
%% leq-transitive: leq M1 M2 and leq M2 M3 imply leq M1 M3.
%% Induction on the second derivation L2 (see %total). In the leq/= x leq/>
%% case the whole first derivation is re-wrapped and passed down; in the
%% double leq/> case the two offsets are combined with the plus lemmas.
%theorem leq-transitive :
forall* {M1} {M2} {M3}
forall {L1:leq M1 M2} {L2:leq M2 M3}
exists {L3:leq M1 M3}
true.
- : leq-transitive leq/0 _ leq/0.
- : leq-transitive (leq/= M1<=M2 D1<=D2 nat`eq/) (leq/= M2<=M3 D2<=D3 nat`eq/)
(leq/= M1<=M3 D1<=D3 nat`eq/)
<- unit`leq-transitive D1<=D2 D2<=D3 D1<=D3
<- leq-transitive M1<=M2 M2<=M3 M1<=M3.
- : leq-transitive (leq/= M1<=M2 D1<=D2 nat`eq/) (leq/> M522<=M3 N5+1+N3=N2)
(leq/> M511<=M3 N5+1+N3=N2)
<- leq-transitive (leq/= M1<=M2 D1<=D2 nat`eq/) M522<=M3 M511<=M3.
- : leq-transitive (leq/> M011<=M2 N0+1+N=N1) (leq/= M2<=M3 D2<=D3 nat`eq/)
(leq/> M011<=M3 N0+1+N=N1)
<- leq-transitive M011<=M2 M2<=M3 M011<=M3.
- : leq-transitive (leq/> M011<=M2 N0+1+N2=N1) (leq/> M522<=M3 N5+1+N3=N2)
(leq/> M411<=M3 N4+1+N3=N1)
<- nat`plus-swap-succ N5+1+N3=N2 N5+N3+1=N2
<- nat`plus-associative-converse N5+N3+1=N2 N0+1+N2=N1 N4 N0+1+N5=N4
N4+N3+1=N1
<- nat`plus-swap-succ-converse N4+N3+1=N1 N4+1+N3=N1
<- leq-transitive (leq/> M011<=M2 N0+1+N5=N4) M522<=M3 M411<=M3.
%worlds () (leq-transitive _ _ _).
%total (L) (leq-transitive _ L _).
%% map/+-preserves-leq: congruence of leq on the map/+ constructor; this is
%% just the leq/= rule restated as a theorem.
%theorem map/+-preserves-leq :
forall* {N1} {N2} {D1} {D2} {M1} {M2}
forall {E:nat`eq N1 N2} {LD:unit`leq D1 D2} {LM:leq M1 M2}
exists {L:leq (map/+ N1 D1 M1) (map/+ N2 D2 M2)}
true.
- : map/+-preserves-leq N1=N2 D1<=D2 M1<=M2 (leq/= M1<=M2 D1<=D2 N1=N2).
%worlds () (map/+-preserves-leq _ _ _ _).
%total { } (map/+-preserves-leq _ _ _ _).
%% lookup-respects-leq: a key present in M is also present in any MP above
%% M, with a datum DP that is at least the original D.
%% Induction on the leq derivation (second argument, see %total).
%% The binder name L is reused for the existential lookup; the proposition
%% body is `true`, so this shadowing appears harmless.
%theorem lookup-respects-leq :
forall* {M} {N} {D} {MP}
forall {L:lookup M N D} {ME:leq M MP}
exists {DP} {L:lookup MP N DP} {DE:unit`leq D DP}
true.
- : lookup-respects-leq (lookup/= nat`eq/) (leq/= _ D1<=D2 nat`eq/)
_ (lookup/= nat`eq/) D1<=D2.
%% Head lookup but MP has an extra smaller head: step past it in MP.
- : lookup-respects-leq (lookup/= nat`eq/) (leq/> M311<=M2 N3+1+N2=N1)
D2 (lookup/> L13 N3+1+N2=N1) D1<=D2
<- lookup-respects-leq (lookup/= nat`eq/) M311<=M2 D2 L13 D1<=D2.
- : lookup-respects-leq (lookup/> L13 N3+1+N2=N1) (leq/= M1<=M2 _ nat`eq/)
D2 (lookup/> L13' N3+1+N2=N1) D1<=D2
<- lookup-respects-leq L13 M1<=M2 D2 L13' D1<=D2.
%% Both step past a head: combine the two offsets into one (N4).
- : lookup-respects-leq (lookup/> L10 N0+1+N1=N) (leq/> M311<=M2 N3+1+N2=N1)
D2 (lookup/> L14' N4+1+N2=N) D1<=D2
<- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- nat`plus-associative-converse N3+N2+1=N1 N0+1+N1=N
N4 N0+1+N3=N4 N4+N2+1=N
<- nat`plus-swap-succ-converse N4+N2+1=N N4+1+N2=N
<- lookup-respects-leq (lookup/> L10 N0+1+N3=N4) M311<=M2 D2 L14' D1<=D2.
%worlds () (lookup-respects-leq _ _ _ _ _).
%total (L) (lookup-respects-leq _ L _ _ _).
%% not-member-respects-geq: a key absent from the larger map MP is absent
%% from any M below it. Induction on the not-member derivation.
%theorem not-member-respects-geq :
forall* {M} {MP} {N}
forall {FP:not-member MP N} {L:leq M MP}
exists {F:not-member M N}
true.
- : not-member-respects-geq F leq/0 not-member/0.
- : not-member-respects-geq (not-member/< R) (leq/= _ _ nat`eq/) (not-member/< R).
%% N is below MP's head, and M's head is even larger: chain the > facts.
- : not-member-respects-geq (not-member/< N2>N) (leq/> _ N3+1+N2=N1) (not-member/< N1>N)
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- gt-transitive N1>N2 N2>N N1>N.
- : not-member-respects-geq (not-member/> F20 N0+1+N2=N) (leq/= M1<=M2 _ nat`eq/)
(not-member/> F10 N0+1+N2=N)
<- not-member-respects-geq F20 M1<=M2 F10.
%% Explicit Pi-bindings fix the types of the intermediate not-member and
%% plus derivations, which the checker cannot infer from the patterns alone.
%% The recursive result is for the re-based head (offset N3); the plus
%% lemmas then shift it back to the absolute key N.
- : {F3110:not-member (map/+ N3 D1 M1) N0}
{N0+1+N2=N:plus (s N0) N2 N}
{N3+1+N2=N1:plus (s N3) N2 N1}
not-member-respects-geq
(not-member/> F20 N0+1+N2=N: not-member (map/+ N2 D2 M2) N)
(leq/> M311<=M2 N3+1+N2=N1) F'
<- not-member-respects-geq F20 M311<=M2 F3110
<- nat`plus-swap-succ N0+1+N2=N N0+N2+1=N
<- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-right-preserves-not-member* F3110 N3+N2+1=N1 N0+N2+1=N F'.
%worlds () (not-member-respects-geq _ _ _).
%total (F) (not-member-respects-geq F _ _).
%% leq-implies-size-le: a sub-map has no more elements than its super-map
%% (size M2 >= size M1). Induction on the leq derivation.
%theorem leq-implies-size-le:
forall* {M1} {M2} {N1} {N2}
forall {L:leq M1 M2} {SZ1:size M1 N1} {SZ2:size M2 N2}
exists {G:ge N2 N1}
true.
%% Empty map: N2 >= 0, obtained from N2 + 0 = N2.
- : leq-implies-size-le leq/0 size/0 N2=|M2| N2>=0
<- plus-commutative (plus/z:plus z N2 N2) N2+0=N2
<- plus-implies-ge N2+0=N2 N2>=0.
- : leq-implies-size-le (leq/= M1<=M2 _ _) (size/+ N1=|M1|) (size/+ N2=|M2|)
N2+1>=N1+1
<- leq-implies-size-le M1<=M2 N1=|M1| N2=|M2| N2>=N1
<- succ-preserves-ge N2>=N1 N2+1>=N1+1.
%% leq/> skips a head of M2 only: the recursive call keeps M1's full size
%% (size/+ N1=|M1|) against the tail of M2, giving the strict inequality.
- : leq-implies-size-le (leq/> M311<=M2 _) (size/+ N1=|M1|) (size/+ N2=|M2|)
(ge/> N2+1>N1+1)
<- leq-implies-size-le M311<=M2 (size/+ N1=|M1|) N2=|M2| N2>=N1+1
<- succ-implies-gt nat`eq/ N2+1>N2
<- gt-transitive-ge N2+1>N2 N2>=N1+1 N2+1>N1+1.
%worlds () (leq-implies-size-le _ _ _ _).
%total (L) (leq-implies-size-le L _ _ _).
%% leq-implies-bound-le: a sub-map's bound is no larger than its super-map's
%% (bound M2 >= bound M1). Induction on the leq derivation.
%theorem leq-implies-bound-le:
forall* {M1} {M2} {N1} {N2}
forall {L:leq M1 M2} {BD1:bound M1 N1} {BD2:bound M2 N2}
exists {G:ge N2 N1}
true.
- : leq-implies-bound-le leq/0 bound/0 _ N2>=0
<- plus-commutative plus/z N2+0=N2
<- plus-implies-ge N2+0=N2 N2>=0.
%% NOTE(review): the case heads of the next two cases look truncated in
%% this copy (probably text between `<` and `>` lost as markup): the
%% `(bound/+ ...` patterns are unclosed, and the subgoals refer to
%% N2>=N1, N+1+N2=N4, N4>=N3 (resp. N20>=N13, N2+1+N20=N22, N22>=N11),
%% which the visible heads never bind. Compare against the original
%% set.elf before relying on the checker's verdict for this theorem.
- : leq-implies-bound-le (leq/= M1<=M2 _ nat`eq/)
(bound/+ N+1+N1=N3 DM1=N3
<- leq-implies-bound-le M1<=M2 DM1=N1
<- plus-left-preserves-ge* N2>=N1 N+1+N2=N4 N+1+N1=N3 N4>=N3.
- : leq-implies-bound-le (leq/> M311<=M2 N3+1+N2=N1)
(bound/+ N1+1+N10=N11 DM1=N11
<- plus-total N3+1+N10=N13
<- leq-implies-bound-le M311<=M2 (bound/+ N3+1+N10=N13 DM1=N13
<- plus-swap-succ N1+1+N10=N11 N1+N10+1=N11
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-commutative N3+N2+1=N1 N2+1+N3=N1
<- plus-swap-succ N3+1+N10=N13 N3+N10+1=N13
<- plus-associative* N2+1+N3=N1 N1+N10+1=N11 N3+N10+1=N13 N2+1+N13=N11
<- plus-left-preserves-ge* N20>=N13 N2+1+N20=N22 N2+1+N13=N11 N22>=N11.
%worlds () (leq-implies-bound-le _ _ _ _).
%total (L) (leq-implies-bound-le L _ _ _).
%% shift-left-preserves-leq*: if M1 is below M2, then shifting M1 by N
%% leaves it below M2 with an extra head at key N (and any datum D).
%% The shift offset is re-expressed as a leq/> offset by swapping the
%% successor and commuting the sum.
%theorem shift-left-preserves-leq*:
forall* {M1} {M2} {N} {SM1} {D}
forall {L:leq M1 M2}
{S1:shift N M1 SM1}
exists {SL:leq SM1 (map/+ N D M2)}
true.
- : shift-left-preserves-leq* _ shift/0 leq/0.
- : shift-left-preserves-leq* M111<=M2 (shift/+ N+1+N1=N1')
(leq/> M111<=M2 N1+1+N=N1')
<- plus-swap-succ N+1+N1=N1' N+N1+1=N1'
<- plus-commutative N+N1+1=N1' N1+1+N=N1'.
%worlds () (shift-left-preserves-leq* _ _ _).
%total { } (shift-left-preserves-leq* _ _ _).
%% shift-preserves-leq*: shifting both maps by the same N preserves leq.
%% Not inductive: the leq sub-derivation is reused as-is and only the head
%% offsets are recomputed.
%% The binder name S1 is used for both shift premises; the proposition body
%% is `true`, so this shadowing appears harmless.
%theorem shift-preserves-leq*:
forall* {M1} {M2} {N} {SM1} {SM2}
forall {L:leq M1 M2}
{S1:shift N M1 SM1}
{S1:shift N M2 SM2}
exists {SL:leq SM1 SM2}
true.
- : shift-preserves-leq* _ shift/0 _ leq/0.
%% Equal heads: both shifted keys are the same sum, hence equal.
- : shift-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/)
(shift/+ N+1+N1=N1')
(shift/+ N+1+N1=N2')
(leq/= M1<=M2 D1<=D2 N1'=N2')
<- plus-deterministic N+1+N1=N1' N+1+N1=N2' nat`eq/ nat`eq/ N1'=N2'.
%% leq/>: the difference N3 between the heads is unchanged by the shift.
- : shift-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1)
(shift/+ N+1+N1=N1')
(shift/+ N+1+N2=N2')
(leq/> M311<=M2 N3+1+N2'=N1')
<- plus-commutative N3+1+N2=N1 N2+N3+1=N1
<- plus-associative-converse* N2+N3+1=N1 N+1+N1=N1' N+1+N2=N2' N2'+N3+1=N1'
<- plus-commutative N2'+N3+1=N1' N3+1+N2'=N1'.
%worlds () (shift-preserves-leq* _ _ _ _).
%total { } (shift-preserves-leq* _ _ _ _).
%% update-left-preserves-leq*: updating both maps at the same key N with the
%% same datum D preserves leq. Terminates by induction on U2, the update of
%% the larger map (third argument, see %total). Many cases leave U2 as a
%% variable with a type ascription and invert it with update/X-inversion
%% against the key relation forced by the other two premises.
%theorem update-left-preserves-leq*:
forall* {M1} {M2} {N} {D} {M1'} {M2'}
forall {L:leq M1 M2}
{U1:update M1 N D M1'}
{U2:update M2 N D M2'}
exists {LP:leq M1' M2'}
true.
%% M1 empty: M1' is the singleton at N; relate it to wherever N lands in M2'.
- : update-left-preserves-leq* leq/0 update/0 update/0 (leq/= leq/0 D<=D nat`eq/)
<- unit`leq-reflexive _ D<=D.
- : update-left-preserves-leq* leq/0 update/0 (update/= nat`eq/)
(leq/= leq/0 D<=D nat`eq/)
<- unit`leq-reflexive _ D<=D.
- : update-left-preserves-leq* leq/0 update/0 (update/< _)
(leq/= leq/0 D<=D nat`eq/)
<- unit`leq-reflexive _ D<=D.
- : update-left-preserves-leq* leq/0 update/0 (update/> U2505 N5+1+N2=N)
(leq/> M500<=M5 N5+1+N2=N)
<- update-left-preserves-leq* leq/0 update/0 U2505 M500<=M5.
%% Equal heads, N is the head key: both heads become D.
- : update-left-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/)
(update/= nat`eq/)
(U2:update (map/+ N D2 M2) N D M)
M001<=M
<- update/=-inversion U2 nat`eq/ M002=M
<- unit`leq-reflexive _ D<=D
<- leq-respects-eq (leq/= M1<=M2 D<=D nat`eq/) eq/ M002=M M001<=M.
%% Equal heads, N below the head: a new equal head is prepended on both sides.
- : update-left-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/)
(update/< N3+1+N=N1)
(U2:update (map/+ N1 D2 M2) N D M)
M00M311<=M
<- update/<-inversion U2 N3+1+N=N1 M00M322=M
<- unit`leq-reflexive _ D<=D
<- leq-respects-eq (leq/= (leq/= M1<=M2 D1<=D2 nat`eq/) D<=D nat`eq/) eq/
M00M322=M M00M311<=M.
%% Equal heads, N past the head: recurse on the tails.
- : update-left-preserves-leq* (leq/= M1<=M2 D1<=D2 nat`eq/)
(update/> U1303 N3+1+N1=N)
(U2:update (map/+ N1 D2 M2) N D M)
M113<=M
<- update/>-inversion U2 N3+1+N1=N M4 U2304 M124=M
<- update-left-preserves-leq* M1<=M2 U1303 U2304 M3<=M4
<- leq-respects-eq (leq/= M3<=M4 D1<=D2 nat`eq/) eq/ M124=M M113<=M.
%% leq/> (M1's head is above M2's), N is M1's head: in M2 the update passes
%% the head, and the recursive call works on the re-based M1.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1)
(update/= nat`eq/)
(U2:update (map/+ N2 D2 M2) N1 D M)
M101<=M
<- update/>-inversion U2 N3+1+N2=N1 M4 U2304 M224=M
<- update-left-preserves-leq* M311<=M2 (update/= nat`eq/) U2304 M301<=M4
<- leq-respects-eq (leq/> M301<=M4 N3+1+N2=N1) eq/ M224=M M101<=M.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N=N1)
(update/< N4+1+N=N1)
(update/= nat`eq/) %% hence N=N2
(leq/= M411<=M2 D<=D nat`eq/)
<- nat`plus-right-cancels N3+1+N=N1 N4+1+N=N1 nat`eq/ nat`eq/ N3+1=N4+1
<- nat`succ-cancels N3+1=N4+1 N3=N4
<- map/+-preserves-eq N3=N4 unit`eq/ eq/ M311=M411
<- leq-respects-eq M311<=M2 M311=M411 eq/ M411<=M2
<- unit`leq-reflexive _ D<=D.
%% N below both heads: new equal heads; the old heads' offset N4 is
%% recomputed from N3 and N5 and identified via right cancellation.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1)
(update/< N4+1+N=N1)
(update/< N5+1+N=N2)
(leq/= (leq/> M311<=M2 N3+1+N5=N4) D<=D nat`eq/)
<- nat`plus-swap-succ N5+1+N=N2 N5+N+1=N2
<- nat`plus-associative-converse N5+N+1=N2 N3+1+N2=N1
N4' N3+1+N5=N4' N4'+N+1=N1
<- nat`plus-swap-succ N4+1+N=N1 N4+N+1=N1
<- nat`plus-right-cancels N4'+N+1=N1 N4+N+1=N1 nat`eq/ nat`eq/ N4'=N4
<- nat`plus-respects-eq N3+1+N5=N4' nat`eq/ nat`eq/ N4'=N4 N3+1+N5=N4
<- unit`leq-reflexive _ D<=D.
%% N below M1's head but past M2's head: recurse with M1's update re-based.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1)
(update/< N4+1+N=N1)
(update/> U2505 N5+1+N2=N)
(leq/> M50M411<=M5 N5+1+N2=N)
<- nat`plus-swap-succ N5+1+N2=N N5+N2+1=N
<- nat`plus-associative-converse N5+N2+1=N N4+1+N=N1
N3P N4+1+N5=N3P N3P+N2+1=N1
<- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- nat`plus-right-cancels N3P+N2+1=N1 N3+N2+1=N1 nat`eq/ nat`eq/ N3P=N3
<- nat`plus-respects-eq N4+1+N5=N3P nat`eq/ nat`eq/ N3P=N3 N4+1+N5=N3
<- update-left-preserves-leq* M311<=M2 (update/< N4+1+N5=N3) U2505
M50M411<=M5.
%% N past both heads: compute N's offset N5 from M2's head, invert U2 with
%% it, and recurse on the re-based M1 with U1's offset adjusted to N3.
- : update-left-preserves-leq* (leq/> M311<=M2 N3+1+N2=N1)
(update/> U1404 N4+1+N1=N)
(U2:update (map/+ N2 D2 M2) N D M)
M114<=M
<- nat`plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- nat`plus-associative-converse N3+N2+1=N1 N4+1+N1=N
N5 N4+1+N3=N5 N5+N2+1=N
<- nat`plus-swap-succ-converse N5+N2+1=N N5+1+N2=N
<- update/>-inversion U2 N5+1+N2=N M5 U2505 M225=M
<- update-left-preserves-leq* M311<=M2 (update/> U1404 N4+1+N3=N5) U2505
M314<=M5
<- leq-respects-eq (leq/> M314<=M5 N3+1+N2=N1) eq/ M225=M M114<=M.
%worlds () (update-left-preserves-leq* _ _ _ _).
%total (U) (update-left-preserves-leq* _ _ U _).
%% update-right-preserves-leq*: updating the same map M at the same key N
%% with data D1 <= D2 gives maps in leq order. Induction on U1 (second
%% argument); U2 is inverted case by case against U1's key relation.
%theorem update-right-preserves-leq*:
forall* {M} {N} {D1} {D2} {M1'} {M2'}
forall {L:unit`leq D1 D2}
{U1:update M N D1 M1'}
{U2:update M N D2 M2'}
exists {LP:leq M1' M2'}
true.
- : update-right-preserves-leq* D1<=D2 update/0 update/0
(leq/= leq/0 D1<=D2 nat`eq/).
%% N is the head: only the head datum differs; the tails are identical.
- : update-right-preserves-leq* D1<=D2 (update/= nat`eq/) U2 L
<- update/=-inversion U2 nat`eq/ M221=M2'
<- leq-reflexive _ M1<=M1
<- leq-respects-eq (leq/= M1<=M1 D1<=D2 nat`eq/) eq/ M221=M2' L.
%% N below the head: a new head is prepended; the rest is reflexive.
- : update-right-preserves-leq* D1<=D2 (update/< P) U2 L
<- update/<-inversion U2 P M22311=M2'
<- leq-reflexive _ M311<=M311
<- leq-respects-eq (leq/= M311<=M311 D1<=D2 nat`eq/) eq/ M22311=M2' L.
%% N past the head: recurse on the tails under the unchanged head.
- : update-right-preserves-leq* D1<=D2 (update/> U1 P) U22 L
<- update/>-inversion U22 P M2' U2 M112=M
<- update-right-preserves-leq* D1<=D2 U1 U2 M1'<=M2'
<- unit`leq-reflexive _ D<=D
<- leq-respects-eq (leq/= M1'<=M2' D<=D nat`eq/) eq/ M112=M L.
%worlds () (update-right-preserves-leq* _ _ _ _).
%total (U) (update-right-preserves-leq* _ U _ _).
%% update-preserves-leq*: combines the two previous lemmas. Given M1 <= M2
%% and D1 <= D2, go through the intermediate map MM = (M2 updated with D1):
%% M1' <= MM by the left lemma, MM <= M2' by the right lemma, then chain.
%% The binder name L is reused for both leq premises; the proposition body
%% is `true`, so this shadowing appears harmless.
%theorem update-preserves-leq* :
forall* {M1} {M2} {N} {D1} {D2} {M1'} {M2'}
forall {L:leq M1 M2} {L:unit`leq D1 D2}
{U1:update M1 N D1 M1'}
{U2:update M2 N D2 M2'}
exists {LP:leq M1' M2'}
true.
- : update-preserves-leq* M1<=M2 D1<=D2 M1^N=D1->M1' M2^N=D2->M2' M1'<=M2'
<- update-total M2^N=D1->MM
<- update-left-preserves-leq* M1<=M2 M1^N=D1->M1' M2^N=D1->MM M1'<=MM
<- update-right-preserves-leq* D1<=D2 M2^N=D1->MM M2^N=D2->M2' MM<=M2'
<- leq-transitive M1'<=MM MM<=M2' M1'<=M2'.
%worlds () (update-preserves-leq* _ _ _ _ _).
%total { } (update-preserves-leq* _ _ _ _ _).
%% not-member-update-implies-leq: adding a key that was absent yields a map
%% above the original. Induction on the not-member derivation.
%theorem not-member-update-implies-leq :
forall* {M1} {N} {D} {M2}
forall {F:not-member M1 N} {U:update M1 N D M2}
exists {L:leq M1 M2}
true.
- : not-member-update-implies-leq not-member/0 U leq/0.
%% NOTE(review): the not-member/< case below looks truncated in this copy
%% (probably text between `<` and `>` lost as markup): the head pattern is
%% missing its closing `)` and its U/L arguments, and the subgoals between
%% the head and the final `eq/ M22311=M2 L.` appear to be gone. By analogy
%% with the not-member/> case and with update-right-preserves-leq* it
%% presumably inverted U with update/<-inversion and used leq-reflexive,
%% but this must be checked against the original set.elf.
- : not-member-update-implies-leq (not-member/< N2 M311<=M311 N3+1+N2=N1) eq/ M22311=M2 L.
%% N past the head: recurse on the tail under an unchanged head.
- : not-member-update-implies-leq (not-member/> F1 N0+1+N1=N2) U L
<- update/>-inversion U N0+1+N1=N2 _ U1 M112=M
<- not-member-update-implies-leq F1 U1 L1
<- unit`leq-reflexive _ DL
<- leq-respects-eq (leq/= L1 DL nat`eq/) eq/ M112=M L.
%worlds () (not-member-update-implies-leq _ _ _).
%total (F) (not-member-update-implies-leq F _ _).
%% lookup-update-preserves-leq: overwriting an existing datum D1 with a
%% larger D2 (D1 <= D2) yields a map above the original. Induction on the
%% lookup; the update is inverted against the lookup's shape.
%% The binder name L is reused three times; the proposition body is `true`,
%% so this shadowing appears harmless.
%theorem lookup-update-preserves-leq :
forall* {M1} {N} {D1} {D2} {M2}
forall {L:lookup M1 N D1} {U:update M1 N D2 M2}
{L:unit`leq D1 D2}
exists {L:leq M1 M2}
true.
- : lookup-update-preserves-leq (lookup/= nat`eq/) U D1<=D2 L
<- update/=-inversion U nat`eq/ M221=M2
<- leq-reflexive _ M1<=M1
<- leq-respects-eq (leq/= M1<=M1 D1<=D2 nat`eq/) eq/ M221=M2 L.
- : lookup-update-preserves-leq (lookup/> L1 N0+1+N1=N2) U D1<=D2 L
<- update/>-inversion U N0+1+N1=N2 M2 U1 M112=M
<- lookup-update-preserves-leq L1 U1 D1<=D2 L1'
<- unit`leq-reflexive _ D1<=D1
<- leq-respects-eq (leq/= L1' D1<=D1 nat`eq/) eq/ M112=M L.
%worlds () (lookup-update-preserves-leq _ _ _ _).
%total (L) (lookup-update-preserves-leq L _ _ _).
%%%% Map addition
%%% Definition of union
%% union M1 M2 M3: M3 is the merge of M1 and M2, walking both key lists.
%%   union/L, union/R  an empty operand contributes nothing (both apply when
%%                     both operands are empty; they agree on the result);
%%   union/=           equal head keys: data merged with unit`union, recurse;
%%   union/<           M1's head key is smaller (N2 = s N0 + N1): emit it and
%%                     continue with M2's head re-based to offset N0;
%%   union/>           symmetric, M2's head key is smaller.
union : map -> map -> map -> type.
union/L : union map/0 M M.
union/R : union M map/0 M.
union/= : union (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N1 D3 M3)
<- nat`eq N1 N2
<- unit`union D1 D2 D3
<- union M1 M2 M3.
union/< : union (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N1 D1 M3)
<- nat`plus (s N0) N1 N2
<- union M1 (map/+ N0 D2 M2) M3.
union/> : union (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N2 D2 M3)
<- nat`plus (s N3) N2 N1
<- union (map/+ N3 D1 M1) M2 M3.
%%% Theorems about union
%% false-implies-union: ex falso for union. No cases are needed because the
%% input type void is uninhabited.
%theorem false-implies-union :
forall* {M1} {M2} {M3}
forall {F:void}
exists {D:union M1 M2 M3}
true.
%worlds () (false-implies-union _ _).
%total {} (false-implies-union _ _).
%% union-respects-eq: transport a union derivation along map equalities.
%% Since eq has only the reflexive constructor eq/, the derivation is
%% returned unchanged, which the %reduces declaration records.
%theorem union-respects-eq :
forall* {M1} {M2} {M3} {M1P} {M2P} {M3P}
forall {A:union M1 M2 M3} {E1:eq M1 M1P} {E2:eq M2 M2P} {E3:eq M3 M3P}
exists {AP:union M1P M2P M3P}
true.
- : union-respects-eq A eq/ eq/ eq/ A.
%worlds () (union-respects-eq _ _ _ _ _).
%total {} (union-respects-eq _ _ _ _ _).
%reduces A = AP (union-respects-eq A _ _ _ AP).
%% Inversion lemmas for union
%% union/=-inversion: when both heads have the same key, the derivation must
%% be union/=; return the merged datum D3, the tail union, and the equation
%% describing the result's shape. union/< and union/> are contradictory
%% (they need s N0 + N = N); the required outputs are then built from void,
%% with the stored sub-derivation transported by union-respects-eq so the
%% result is a strict subterm (see %reduces).
%theorem union/=-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {M}
forall {A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M}
{G:nat`eq N1 N2}
exists {D3} {M3}
{D:unit`union D1 D2 D3}
{AP:union M1 M2 M3}
{E:eq M (map/+ N1 D3 M3)}
true.
- : union/=-inversion (union/= MM DD nat`eq/) _ _ _ DD MM eq/.
- : union/=-inversion (union/< (JP:union _ (map/+ N0 D2 M2) M3) N0+1+N=N) nat`eq/
D2 M3 DJ MJ ME
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- unit`false-implies-union F DJ
<- false-implies-eq F (M022=M2:eq (map/+ N0 D2 M2) M2)
<- union-respects-eq JP eq/ M022=M2 eq/ MJ
<- false-implies-eq F ME.
- : union/=-inversion (union/> (JP:union (map/+ _ D1 M1) M2 M3) N3+1+N=N) nat`eq/
D1 M3 DJ MJ ME
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- unit`false-implies-union F DJ
<- false-implies-eq F (M311=M1:eq (map/+ N3 D1 M1) M1)
<- union-respects-eq JP M311=M1 eq/ eq/ MJ
<- false-implies-eq F ME.
%worlds () (union/=-inversion _ _ _ _ _ _ _).
%total {} (union/=-inversion _ _ _ _ _ _ _).
%reduces JP < J (union/=-inversion J _ _ _ _ JP _).
%% Inversion of union when the left key is smaller (N2 = (s N0) + N1):
%% the result keeps the left head and its tail is the union of M1 with
%% the right map re-based to N0.
%theorem union/<-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {M} {N0}
forall {A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M}
{P:plus (s N0) N1 N2}
exists {M3}
{AP:union M1 (map/+ N0 D2 M2) M3}
{E:eq M (map/+ N1 D1 M3)}
true.
%% real case: the offset inside the derivation and the given one may
%% differ syntactically, so cancel N1 and strip the successor to show
%% they are equal, then transport the tail derivation
- : union/<-inversion (union/< J P) P' _ J' eq/
<- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
<- succ-cancels N0+1=N0'+1 N0=N0P
<- map/+-preserves-eq N0=N0P unit`eq/ eq/ M022=M022'
<- union-respects-eq J eq/ M022=M022' eq/ J'.
%% union/= is contradictory: N = N0+1+N
- : union/<-inversion (union/= J' _ nat`eq/) N0+1+N=N M3 J E
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F M2=M022
<- union-respects-eq J' eq/ M2=M022 eq/ J
<- false-implies-eq F E.
%% union/> is contradictory: N1 > N2 and N2 > N1
- : union/<-inversion (union/> J' N3+1+N2=N1) N0+1+N1=N2 M3 J E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F M311=M1
<- false-implies-eq F M2=M022
<- union-respects-eq J' M311=M1 M2=M022 eq/ J
<- false-implies-eq F E.
%worlds () (union/<-inversion _ _ _ _ _).
%total {} (union/<-inversion _ _ _ _ _).
%% the tail derivation is smaller than the input
%reduces JP < J (union/<-inversion J _ _ JP _).
%% Inversion of union when the right key is smaller (N1 = (s N3) + N2);
%% mirror image of union/<-inversion.
%theorem union/>-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {M}
forall {A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M}
{P:plus (s N3) N2 N1}
exists {M3}
{AP:union (map/+ N3 D1 M1) M2 M3}
{E:eq M (map/+ N2 D2 M3)}
true.
%% real case: identify the two offsets by cancellation
- : union/>-inversion (union/> J P) P' _ J' eq/
<- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N3+1=N3'+1
<- succ-cancels N3+1=N3'+1 N3=N3P
<- map/+-preserves-eq N3=N3P unit`eq/ eq/ M311=M311'
<- union-respects-eq J M311=M311' eq/ eq/ J'.
%% contradictory cases, as in union/<-inversion
- : union/>-inversion (union/= J' _ nat`eq/) N3+1+N=N M3 J E
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F M1=M311
<- union-respects-eq J' M1=M311 eq/ eq/ J
<- false-implies-eq F E.
- : union/>-inversion (union/< J' N0+1+N1=N2) N3+1+N2=N1 M3 J E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F M1=M311
<- false-implies-eq F M022=M2
<- union-respects-eq J' M1=M311 M022=M2 eq/ J
<- false-implies-eq F E.
%worlds () (union/>-inversion _ _ _ _ _).
%total {} (union/>-inversion _ _ _ _ _).
%reduces JP < J (union/>-inversion J _ _ JP _).
%% union is a function of its first two arguments: two derivations on
%% eq-equal inputs produce eq-equal results.  Induction on the first
%% derivation A.
%theorem union-deterministic :
forall* {M1} {M2} {M3} {M1P} {M2P} {M3P}
forall {A:union M1 M2 M3} {AP:union M1P M2P M3P}
{E1:eq M1 M1P} {E2:eq M2 M2P}
exists {E3:eq M3 M3P}
true.
%% all four combinations of the unit rules are needed because
%% union/L and union/R overlap on map/0 map/0
- : union-deterministic union/L union/L eq/ eq/ eq/.
- : union-deterministic union/L union/R eq/ eq/ eq/.
- : union-deterministic union/R union/L eq/ eq/ eq/.
- : union-deterministic union/R union/R eq/ eq/ eq/.
%% matching rules: combine determinism of unit`union and of the tails
- : union-deterministic (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(union/= M1+M2=M3' D1+D2=D3P nat`eq/)
eq/ eq/ M=M'
<- unit`union-deterministic D1+D2=D3 D1+D2=D3P unit`eq/ unit`eq/ D3=D3'
<- union-deterministic M1+M2=M3 M1+M2=M3' eq/ eq/ M3=M3'
<- map/+-preserves-eq nat`eq/ D3=D3' M3=M3' M=M'.
%% matching union/< rules: the two re-based offsets N0 and N0' are
%% identified by cancellation before recursing
- : union-deterministic (union/< M1+MT=M3 N0+1+N1=N2)
(union/< M1+MT'=M3' N0'+1+N1=N2)
eq/ eq/ M=M'
<- plus-right-cancels N0+1+N1=N2 N0'+1+N1=N2 nat`eq/ nat`eq/ N0+1=N0'+1
<- succ-cancels N0+1=N0'+1 N0=N0P
<- map/+-preserves-eq N0=N0P unit`eq/ eq/ MT=MT'
<- union-deterministic M1+MT=M3 M1+MT'=M3' eq/ MT=MT' M3=M3'
<- map/+-preserves-eq nat`eq/ unit`eq/ M3=M3' M=M'.
- : union-deterministic (union/> MT+M2=M3 N3+1+N2=N1)
(union/> MT'+M2=M3' N3'+1+N2=N1) eq/ eq/ E
<- plus-right-cancels N3+1+N2=N1 N3'+1+N2=N1 nat`eq/ nat`eq/ N3+1=N3'+1
<- succ-cancels N3+1=N3'+1 N3=N3P
<- map/+-preserves-eq N3=N3P unit`eq/ eq/ MT=MT'
<- union-deterministic MT+M2=M3 MT'+M2=M3' MT=MT' eq/ M3=M3'
<- map/+-preserves-eq nat`eq/ unit`eq/ M3=M3' E.
%% contradiction cases:
%% mismatched rules imply incompatible key orderings (N > N, or
%% N1 > N2 together with N2 > N1); derive void and conclude
- : union-deterministic (union/= _ _ nat`eq/) (union/< _ N'+1+N=N) eq/ eq/ E
<- plus-implies-gt N'+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : union-deterministic (union/= _ _ nat`eq/) (union/> _ N'+1+N=N) eq/ eq/ E
<- plus-implies-gt N'+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : union-deterministic (union/< _ NP+1+N=N) (union/= _ _ nat`eq/) eq/ eq/ E
<- plus-implies-gt NP+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : union-deterministic (union/< _ N0+1+N1=N2) (union/> _ N3+1+N2=N1) eq/ eq/ E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F E.
- : union-deterministic (union/> _ NP+1+N=N) (union/= _ _ nat`eq/) eq/ eq/ E
<- plus-implies-gt NP+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F E.
- : union-deterministic (union/> _ N3+1+N2=N1) (union/< _ N0+1+N1=N2) eq/ eq/ E
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F E.
%worlds () (union-deterministic _ _ _ _ _).
%total (A) (union-deterministic A _ _ _ _).
%% union is total: every pair of maps has a union.
%theorem union-total* :
forall {M1} {M2}
exists {M3} {A:union M1 M2 M3}
true.
%% we need some lemmas
%% We need them to ensure termination because
%% union substitutes new maps on recursive calls which
%% makes it hard to prove the arguments get smaller.
%% The three lemmas below fix the shape of one or both arguments so
%% that the mutual induction (see the bracketed %total) can be stated
%% on the map components rather than on the rebuilt map/+ terms.
%theorem union-map/+-M-total* :
forall {N1} {D1} {M1} {M2}
exists {M3} {A:union (map/+ N1 D1 M1) M2 M3}
true.
%theorem union-M-map/+-total* :
forall {M1} {N2} {D2} {M2}
exists {M3} {A:union M1 (map/+ N2 D2 M2) M3}
true.
%% the case of two non-empty maps, dispatched on nat`compare N1 N2
%theorem union-map/+-map/+-total* :
forall {N1} {D1} {M1} {N2} {D2} {M2} {C} {CMP:nat`compare N1 N2 C}
exists {M3}
{A:union (map/+ N1 D1 M1) (map/+ N2 D2 M2) M3}
true.
- : union-total* map/0 M M union/L.
- : union-total* M map/0 M union/R.
- : union-total* (map/+ N1 D1 M1) (map/+ N2 D2 M2) M3 A
<- nat`compare-total* N1 N2 C CMP
<- union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 C CMP M3 A.
%% equal keys: union/=
- : union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 equal CMP (map/+ N1 D3 M3)
(union/= M1+M2=M3 D1+D2=D3 N1=N2)
<- equal-implies-eq CMP N1=N2
<- unit`union-total* D1 D2 D3 D1+D2=D3
<- union-total* M1 M2 M3 M1+M2=M3.
%% N1 < N2: obtain the offset N0 from the strict inequality, then
%% recurse on M1 against the re-based right map
- : union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 less CMP (map/+ N1 D1 M3)
(union/< M1+T=M3 N0+1+N1=N2)
<- less-implies-lt CMP N2>N1
<- gt-implies-plus N2>N1 _ N0+1+N1=N2
<- union-M-map/+-total* M1 N0 D2 M2 M3 M1+T=M3.
%% N1 > N2: symmetric
- : union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 greater CMP (map/+ N2 D2 M3)
(union/> T+M2=M3 N3+1+N2=N1)
<- greater-implies-gt CMP N1>N2
<- gt-implies-plus N1>N2 _ N3+1+N2=N1
<- union-map/+-M-total* N3 D1 M1 M2 M3 T+M2=M3.
- : union-M-map/+-total* map/0 N2 D2 M2 (map/+ N2 D2 M2) union/L.
- : union-M-map/+-total* (map/+ N1 D1 M1) N2 D2 M2 M3 A
<- nat`compare-total* N1 N2 C CMP
<- union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 C CMP M3 A.
- : union-map/+-M-total* N1 D1 M1 map/0 (map/+ N1 D1 M1) union/R.
- : union-map/+-M-total* N1 D1 M1 (map/+ N2 D2 M2) M3 A
<- nat`compare-total* N1 N2 C CMP
<- union-map/+-map/+-total* N1 D1 M1 N2 D2 M2 C CMP M3 A.
%worlds () (union-total* _ _ _ _)
(union-M-map/+-total* _ _ _ _ _ _)
(union-map/+-M-total* _ _ _ _ _ _)
(union-map/+-map/+-total* _ _ _ _ _ _ _ _ _ _).
%% one mutual termination argument over the four theorems, measured
%% on the (tail) map components of both arguments
%total [ (M1a M1b M1c M1d) (M2a M2b M2c M2d) ]
(union-total* M1d M2d _ _)
(union-M-map/+-total* M1c _ _ M2c _ _)
(union-map/+-M-total* _ _ M1b M2b _ _)
(union-map/+-map/+-total* _ _ M1a _ _ M2a _ _ _ _).
%% convenience form with the maps left implicit
%abbrev union-total = union-total* _ _ _.
%% Disjoint maps have a union, built directly from the disjointness
%% derivation (no union/= case is needed since keys never coincide).
%theorem disjoint-union-total :
forall* {M1} {M2}
forall {D:disjoint M1 M2}
exists {M3} {A:union M1 M2 M3}
true.
- : disjoint-union-total disjoint/L _ union/L.
- : disjoint-union-total disjoint/R _ union/R.
%% disjoint/< and disjoint/> carry the same plus evidence union/<
%% and union/> need
- : disjoint-union-total (disjoint/< D P) _ (union/< J P)
<- disjoint-union-total D _ J.
- : disjoint-union-total (disjoint/> D P) _ (union/> J P)
<- disjoint-union-total D _ J.
%worlds () (disjoint-union-total _ _ _).
%total (D) (disjoint-union-total D _ _).
%% A union equal to map/0 can only come from union/L or union/R
%% (the other rules produce a map/+), so both inputs are empty.
%theorem union-empty-implies-empty :
forall* {M1} {M2}
forall {A:union M1 M2 map/0}
exists {E1:eq M1 map/0} {E2:eq M2 map/0}
true.
- : union-empty-implies-empty union/L eq/ eq/.
- : union-empty-implies-empty union/R eq/ eq/.
%worlds () (union-empty-implies-empty _ _ _).
%total { } (union-empty-implies-empty _ _ _).
%% If M1 and M2 are each disjoint from M4, so is their union M3.
%theorem union-preserves-disjoint* :
forall* {M1} {M2} {M3} {M4}
forall {D1:disjoint M1 M4} {D2:disjoint M2 M4}
{A:union M1 M2 M3}
exists {D3:disjoint M3 M4}
true.
% a lemma that counts the size of maps to help prove termination
%% The sizes S1, S2 are explicit inputs so %total can measure them;
%% the recursive calls re-base keys, which would otherwise defeat the
%% structural termination check (cf. union-total*).
%theorem union-preserves-disjoint*/L :
forall* {M1} {M2} {M3} {M4}
forall {S1} {S2} {SZ1:size M1 S1} {SZ2:size M2 S2}
{D1:disjoint M1 M4} {D2:disjoint M2 M4}
{A:union M1 M2 M3}
exists {D3:disjoint M3 M4}
true.
%% main theorem: compute the sizes and call the lemma
- : union-preserves-disjoint* D1 D2 J D3
<- size-total SZ1
<- size-total SZ2
<- union-preserves-disjoint*/L _ _ SZ1 SZ2 D1 D2 J D3.
%% base cases: M4 empty, or one of M1/M2 empty
- : union-preserves-disjoint*/L _ _ _ _ disjoint/R _ _ disjoint/R.
- : union-preserves-disjoint*/L _ _ _ _ _ disjoint/R _ disjoint/R.
- : union-preserves-disjoint*/L _ _ _ _ _ D union/L D.
- : union-preserves-disjoint*/L _ _ _ _ D _ union/R D.
%% remaining cases: both maps non-empty (size/+ on both); the head
%% key of M4 is related to the heads of M1/M2 by the disjoint offsets,
%% and the arithmetic re-bases those offsets for the recursive call
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2)
(disjoint/< D1 N5+1+N1=N4) D2X
(union/= J _ nat`eq/)
(disjoint/< D3 N5+1+N1=N4)
<- disjoint/<-inversion D2X N5+1+N1=N4 D2
<- union-preserves-disjoint*/L S1 S2 SZ1 SZ2 D1 D2 J D3.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2)
(disjoint/< D1 N5+1+N1=N4) D2X
(union/> J N3+1+N2=N1)
(disjoint/< D3 N6+1+N2=N4)
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 N5+1+N1=N4 N6 N5+1+N3=N6 N6+N2+1=N4
<- plus-swap-succ-converse N6+N2+1=N4 N6+1+N2=N4
<- disjoint/<-inversion D2X N6+1+N2=N4 D2
<- plus-swap-succ N5+1+N3=N6 N5+N3+1=N6
<- plus-commutative N5+N3+1=N6 N3+1+N5=N6
%% NOTE(review): the next line is damaged in this copy — text between
%% a `<` and the following `>` was lost, so the end of this case and
%% the head of the next case are missing.  Recover them from the
%% original source before relying on this proof.
<- shift-right-preserves-disjoint D1 (shift/+ N3+1+N5=N6) D1< D1 N5+1+N4=N1) D2X
(union/= J DJ nat`eq/)
(disjoint/> D3 N5+1+N4=N1)
<- disjoint/>-inversion D2X N5+1+N4=N1 D2
<- union-preserves-disjoint*/L _ _ (size/+ SZ1) (size/+ SZ2)
D1 D2 (union/= J DJ nat`eq/) D3.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2)
(disjoint/> D1 N5+1+N4=N1) D2X
(union/< J N0+1+N1=N2)
(disjoint/> D3 N5+1+N4=N1)
<- plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
<- plus-associative-converse N5+N4+1=N1 N0+1+N1=N2 N6 N0+1+N5=N6 N6+N4+1=N2
<- plus-swap-succ-converse N6+N4+1=N2 N6+1+N4=N2
<- disjoint/>-inversion D2X N6+1+N4=N2 D2
<- union-preserves-disjoint*/L _ _ (size/+ SZ1) (size/+ SZ2)
D1 D2 (union/< J N0+1+N5=N6) D3.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2)
D1X (disjoint/< D2 N6+1+N2=N4)
(union/< J N0+1+N1=N2)
(disjoint/< D3 N5+1+N1=N4)
<- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- plus-associative-converse N0+N1+1=N2 N6+1+N2=N4 N5 N6+1+N0=N5 N5+N1+1=N4
<- plus-swap-succ-converse N5+N1+1=N4 N5+1+N1=N4
<- disjoint/<-inversion D1X N5+1+N1=N4 D1
<- plus-swap-succ N6+1+N0=N5 N6+N0+1=N5
<- plus-commutative N6+N0+1=N5 N0+1+N6=N5
%% NOTE(review): the next line is damaged in the same way as above
%% (text between `<` and `>` lost); part of this case and the head of
%% the following case are missing.
<- shift-right-preserves-disjoint D2 (shift/+ N0+1+N6=N5) D2< D2 N6+1+N4=N2)
(union/> J N3+1+N2=N1)
(disjoint/> D3 N6+1+N4=N2)
<- plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
<- plus-associative-converse N6+N4+1=N2 N3+1+N2=N1 N5 N3+1+N6=N5 N5+N4+1=N1
<- plus-swap-succ-converse N5+N4+1=N1 N5+1+N4=N1
<- disjoint/>-inversion D1X N5+1+N4=N1 D1
<- union-preserves-disjoint*/L _ _ (size/+ SZ1) (size/+ SZ2)
D1 D2 (union/> J N3+1+N6=N5) D3.
%% mixed cases: M4's head lies between the heads of M1 and M2, so the
%% union must be inverted (union/<-inversion, union/>-inversion) and
%% the result transported back with disjoint-respects-eq
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2)
(disjoint/< D1 N5+1+N1=N4)
(disjoint/> D2 N6+1+N4=N2) JX D3X
<- plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
<- plus-associative-converse N5+N1+1=N4 N6+1+N4=N2 N0 N6+1+N5=N0 N0+N1+1=N2
<- plus-swap-succ-converse N0+N1+1=N2 N0+1+N1=N2
<- union/<-inversion JX N0+1+N1=N2 _ J M=M113
<- eq-symmetric M=M113 M113=M
<- union-preserves-disjoint*/L S1 (s S2) SZ1 (size/+ SZ2)
D1 (disjoint/> D2 N6+1+N5=N0) J D3
<- disjoint-respects-eq (disjoint/< D3 N5+1+N1=N4) M113=M eq/ D3X.
- : union-preserves-disjoint*/L (s S1) (s S2) (size/+ SZ1) (size/+ SZ2)
(disjoint/> D1 N5+1+N4=N1)
(disjoint/< D2 N6+1+N2=N4) JX D3X
<- plus-swap-succ N6+1+N2=N4 N6+N2+1=N4
<- plus-associative-converse N6+N2+1=N4 N5+1+N4=N1 N3 N5+1+N6=N3 N3+N2+1=N1
<- plus-swap-succ-converse N3+N2+1=N1 N3+1+N2=N1
<- union/>-inversion JX N3+1+N2=N1 _ J M=M223
<- eq-symmetric M=M223 M223=M
<- union-preserves-disjoint*/L _ _ (size/+ SZ1) SZ2
(disjoint/> D1 N5+1+N6=N3) D2 J D3
<- disjoint-respects-eq (disjoint/< D3 N6+1+N2=N4) M223=M eq/ D3X.
%worlds () (union-preserves-disjoint*/L _ _ _ _ _ _ _ _).
%% lexicographic measure: the sizes first, then the first disjointness
%% derivation (some cases shrink only D1 while keeping both sizes)
%total {S1 S2 D1} (union-preserves-disjoint*/L S1 S2 _ _ D1 _ _ _).
%worlds () (union-preserves-disjoint* _ _ _ _).
%total { } (union-preserves-disjoint* _ _ _ _).
%% Shifting the left operand by N and prefixing an entry with key N
%% to the right operand yields a union with that entry prefixed to M3.
%theorem shift-left-preserves-union :
forall* {N} {D} {M1} {M2} {M3} {SM1}
forall {A:union M1 M2 M3} {S1:shift N M1 SM1}
exists {SA:union SM1 (map/+ N D M2) (map/+ N D M3)}
true.
%% M1 empty (shift/0 keeps it empty): the prefixed right map is the union
- : shift-left-preserves-union union/L shift/0 union/L.
- : shift-left-preserves-union union/R shift/0 union/L.
%% M1 non-empty: its shifted head N1' = N+1+N1 exceeds N, so union/>
%% applies once the plus is rearranged into the form union/> expects
- : shift-left-preserves-union M111+M2=M3 (shift/+ N+1+N1=N1')
(union/> M111+M2=M3 N1+1+N=N1')
<- plus-swap-succ N+1+N1=N1' N+N1+1=N1'
<- plus-commutative N+N1+1=N1' N1+1+N=N1'.
%worlds () (shift-left-preserves-union _ _ _).
%total { } (shift-left-preserves-union _ _ _).
%% Converse of shift-left-preserves-union: a union of a shifted M1
%% with (map/+ N D M2) is (map/+ N D M3) for M3 the union of M1, M2.
%theorem shift-left-preserves-union-converse :
forall* {N} {D} {M1} {M2} {SM1} {SM3}
forall {SA:union SM1 (map/+ N D M2) SM3} {S1:shift N M1 SM1}
exists {M3} {A:union M1 M2 M3} {E:eq (map/+ N D M3) SM3}
true.
- : shift-left-preserves-union-converse union/L shift/0 _ union/L eq/.
%% non-empty M1: rearrange the shift offset and invert the union/> step
- : shift-left-preserves-union-converse M111+M222=SM3 (shift/+ N2+1+N3=N1) M3
M311+M2=M3 M223=SM3
<- plus-swap-succ N2+1+N3=N1 N2+N3+1=N1
<- plus-commutative N2+N3+1=N1 N3+1+N2=N1
<- union/>-inversion M111+M222=SM3 N3+1+N2=N1 M3 M311+M2=M3 SM3=M223
<- eq-symmetric SM3=M223 M223=SM3.
%worlds () (shift-left-preserves-union-converse _ _ _ _ _).
%total { } (shift-left-preserves-union-converse _ _ _ _ _).
%% Mirror of shift-left-preserves-union: shift the right operand and
%% prefix the entry to the left one.
%theorem shift-right-preserves-union :
forall* {N} {D} {M1} {M2} {M3} {SM2}
forall {A:union M1 M2 M3} {S2:shift N M2 SM2}
exists {SA:union (map/+ N D M1) SM2 (map/+ N D M3)}
true.
- : shift-right-preserves-union union/L shift/0 union/R.
- : shift-right-preserves-union union/R shift/0 union/R.
%% non-empty M2: its shifted head exceeds N, so union/< applies
- : shift-right-preserves-union M1+M222=M3 (shift/+ N+1+N2=N2')
(union/< M1+M222=M3 N2+1+N=N2')
<- plus-swap-succ N+1+N2=N2' N+N2+1=N2'
<- plus-commutative N+N2+1=N2' N2+1+N=N2'.
%worlds () (shift-right-preserves-union _ _ _).
%total { } (shift-right-preserves-union _ _ _).
%% Converse of shift-right-preserves-union, via union/<-inversion.
%theorem shift-right-preserves-union-converse :
forall* {N} {D} {M1} {M2} {SM2} {SM3}
forall {SA:union (map/+ N D M1) SM2 SM3} {S2:shift N M2 SM2}
exists {M3} {A:union M1 M2 M3} {E:eq (map/+ N D M3) SM3}
true.
- : shift-right-preserves-union-converse union/R shift/0 _ union/R eq/.
- : shift-right-preserves-union-converse M111+M322=SM3 (shift/+ N1+1+N2=N3)
M3 M1+M222=M3 M133=SM3
<- plus-swap-succ N1+1+N2=N3 N1+N2+1=N3
<- plus-commutative N1+N2+1=N3 N2+1+N1=N3
<- union/<-inversion M111+M322=SM3 N2+1+N1=N3 M3 M1+M222=M3 SM3=M133
<- eq-symmetric SM3=M133 M133=SM3.
%worlds () (shift-right-preserves-union-converse _ _ _ _ _).
%total { } (shift-right-preserves-union-converse _ _ _ _ _).
%% Shifting all three maps by the same N preserves union.
%% The shift of M3 is an input here (S3) rather than computed, so the
%% proof must show the two shifts of the smaller head key agree
%% (plus-deterministic) and rewrite with map/+-preserves-eq.
%theorem shift-preserves-union :
forall* {N} {M1} {M2} {M3} {SM1} {SM2} {SM3}
forall {A:union M1 M2 M3}
{S1:shift N M1 SM1} {S2:shift N M2 SM2} {S3:shift N M3 SM3}
exists {SA:union SM1 SM2 SM3}
true.
%% NOTE(review): the next line is damaged in this copy (text between
%% `<` and `>` lost), so several cases between the union/L case and
%% the union/> case are missing here; consult the original source.
- : shift-preserves-union union/L shift/0 M2< M311+M2=M3 N3+1+N2=N1)
(shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5)
(shift/+ N+1+N2=N6) M411+M522=M623
<- plus-deterministic N+1+N2=N5 N+1+N2=N6 nat`eq/ nat`eq/ N5=N6
<- plus-swap-succ N+1+N2=N5 N+N2+1=N5
<- plus-commutative N+N2+1=N5 N2+1+N=N5
<- plus-commutative N3+1+N2=N1 N2+N3+1=N1
<- plus-associative-converse* N2+N3+1=N1 N+1+N1=N4 N+1+N2=N5 N5+N3+1=N4
<- plus-commutative N5+N3+1=N4 N3+1+N5=N4
<- map/+-preserves-eq N5=N6 unit`eq/ eq/ M523=M623
<- union-respects-eq (union/> M311+M2=M3 N3+1+N5=N4) eq/ eq/ M523=M623
M411+M522=M623.
%worlds () (shift-preserves-union _ _ _ _ _).
%total { } (shift-preserves-union _ _ _ _ _).
%% Converse: a union of two maps shifted by N is the shift of a union
%% of the originals.
%theorem shift-preserves-union-converse :
forall* {N} {M1} {M2} {SM1} {SM2} {SM3}
forall {SA:union SM1 SM2 SM3}
{S1:shift N M1 SM1} {S2:shift N M2 SM2}
exists {M3} {A:union M1 M2 M3} {S3:shift N M3 SM3}
true.
%% NOTE(review): the next line is damaged in this copy (text between
%% `<` and `>` lost); the cases between union/L and union/> are missing
%% here — consult the original source.
- : shift-preserves-union-converse union/L shift/0 M2< M611+M2=M3 N6+1+N5=N4)
(shift/+ N+1+N1=N4) (shift/+ N+1+N2=N5) _
(union/> M611+M2=M3 N6+1+N2=N1)
(shift/+ N+1+N2=N5)
<- plus-commutative N+1+N2=N5 N2+N+1=N5
<- plus-swap-succ-converse N2+N+1=N5 N2+1+N=N5
<- plus-associative-converse N2+N+1=N5 N6+1+N5=N4 N1' N6+1+N2=N1' N1'+N+1=N4
<- plus-commutative N+1+N1=N4 N1+N+1=N4
<- plus-right-cancels N1'+N+1=N4 N1+N+1=N4 nat`eq/ nat`eq/ N1'=N1
<- plus-respects-eq N6+1+N2=N1' nat`eq/ nat`eq/ N1'=N1 N6+1+N2=N1.
%worlds () (shift-preserves-union-converse _ _ _ _ _ _).
%total { } (shift-preserves-union-converse _ _ _ _ _ _).
%% union is commutative; union/< and union/> swap roles and the plus
%% evidence is reused unchanged.
%theorem union-commutative :
forall* {M1} {M2} {M3}
forall {A:union M1 M2 M3}
exists {AP:union M2 M1 M3}
true.
- : union-commutative union/L union/R.
- : union-commutative union/R union/L.
- : union-commutative (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(union/= M2+M1=M3 D2+D1=D3 nat`eq/)
<- unit`union-commutative D1+D2=D3 D2+D1=D3
<- union-commutative M1+M2=M3 M2+M1=M3.
- : union-commutative (union/< M1+MT=M3 N0+1+N1=N2) (union/> MT+M1=M3 N0+1+N1=N2)
<- union-commutative M1+MT=M3 MT+M1=M3.
- : union-commutative (union/> MT+M2=M3 N3+1+N2=N1) (union/< M2+MT=M3 N3+1+N2=N1)
<- union-commutative MT+M2=M3 M2+MT=M3.
%worlds () (union-commutative _ _).
%total (A) (union-commutative A _).
%% Associativity: from (M1 u M2) u M4 = M7 obtain M6 = M2 u M4 with
%% M1 u M6 = M7.  Induction on the second derivation A34 (see %total).
%theorem union-associative :
forall* {M1} {M2} {M3} {M4} {M7}
forall {A12:union M1 M2 M3} {A34:union M3 M4 M7}
exists {M6} {A24:union M2 M4 M6} {A16:union M1 M6 M7}
true.
%% a lemma
%% Used by the union/< , union/< case: both M2 and M4 have been
%% re-based past the head key N1 (offsets N0 and N5); given their
%% union at those offsets, rebuild the union at the original keys
%% N2 and N4 and re-attach the head (N1, D1).
%theorem union-associative-union/<-union/< :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N0} {N5} {N4} {D4} {M4} {M6} {M7}
forall {PLUS012:nat`plus (s N0) N1 N2}
{PLUS514:nat`plus (s N5) N1 N4}
{JOIN246:union (map/+ N0 D2 M2) (map/+ N5 D4 M4) M6}
{JOIN167:union M1 M6 M7}
exists {M} {JOIN24: union (map/+ N2 D2 M2) (map/+ N4 D4 M4) M}
{JOIN:union (map/+ N1 D1 M1) M (map/+ N1 D1 M7)}
true.
%% unit cases
- : union-associative union/L A _ A union/L.
- : union-associative A union/R _ union/R A.
- : union-associative union/R A _ union/L A.
%% = , = : associativity of unit`union on the heads, recursion on tails
- : union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(union/= M3+M4=M7 D3+D4=D7 nat`eq/) (map/+ _ D6 M6)
(union/= M2+M4=M6 D2+D4=D6 nat`eq/)
(union/= M1+M6=M7 D1+D6=D7 nat`eq/)
<- unit`union-associative D1+D2=D3 D3+D4=D7 D6 D2+D4=D6 D1+D6=D7
<- union-associative M1+M2=M3 M3+M4=M7 M6 M2+M4=M6 M1+M6=M7.
%% = , < : the head of M4 lies beyond the common head; it stays
%% re-based in M6 and the equal-key merge moves to the outer step
- : union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(union/< M3+M044=M7 N0+1+N3=N4) (map/+ _ _ M6)
(union/< M2+M044=M6 N0+1+N3=N4)
(union/= M1+M6=M7 D1+D2=D3 nat`eq/)
<- union-associative M1+M2=M3 M3+M044=M7 M6 M2+M044=M6 M1+M6=M7.
%% = , > : M4's head comes first; recurse with the whole first
%% derivation (A12 does not shrink, only A34 does)
- : union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(union/> M533+M4=M7 N5+1+N4=N3) (map/+ _ _ M6)
(union/> M522+M4=M6 N5+1+N4=N3)
(union/> M511+M6=M7 N5+1+N4=N3)
<- union-associative (union/= M1+M2=M3 D1+D2=D3 nat`eq/) M533+M4=M7
M6 M522+M4=M6 M511+M6=M7.
%% < , = : M1's head is smallest and equals M4's head key
- : union-associative (union/< M1+M022=M3 N0+1+N1=N2)
(union/= M3+M4=M7 D1+D4=D7 nat`eq/) (map/+ _ _ M6)
(union/> M022+M3=M6 N0+1+N1=N2)
(union/= M1+M6=M7 D1+D4=D7 nat`eq/)
<- union-associative M1+M022=M3 M3+M4=M7 M6 M022+M3=M6 M1+M6=M7.
%% the hardest of all 11 cases!
%% < , < : M1's head N1 precedes both other heads.  The braces below
%% declare the types of the output metavariables explicitly so the
%% recursive call and the lemma unify as intended.
- : {M111+M=M117: union (map/+ N1 D1 M1) M (map/+ N1 D1 M7)}
{M3+M544=M7: union M3 (map/+ N5 D4 M4) M7}
{M1+M022=M3: union M1 (map/+ N0 D2 M2) M3}
{M1+M6=M7: union M1 M6 M7}
union-associative (union/< M1+M022=M3 N0+1+N1=N2)
(union/< M3+M544=M7 N5+1+N1=N4)
M M222+M444=M M111+M=M117
<- union-associative M1+M022=M3 M3+M544=M7 M6 M022+M544=M6 M1+M6=M7
<- union-associative-union/<-union/<
N0+1+N1=N2 N5+1+N1=N4 M022+M544=M6 M1+M6=M7
M M222+M444=M M111+M=M117.
%% lemma cases, by the rule used for the re-based union JOIN246:
%% equal offsets mean equal original keys (plus-deterministic)
- : union-associative-union/<-union/< N+1+N1=N2 N+1+N1=N4
(union/= M2+M4=M6 D2+D4=D6 nat`eq/)
M1+M066=M7 (map/+ N2 D6 M6)
(union/= M2+M4=M6 D2+D4=D6 N2=N4)
(union/< M1+M066=M7 N+1+N1=N2).
<- nat`plus-deterministic N+1+N1=N2 N+1+N1=N4 nat`eq/ nat`eq/ N2=N4.
%% N0 < N5: the gap N7 between the re-based keys is also the gap
%% between the original keys (plus-associative*)
- : union-associative-union/<-union/< N0+1+N1=N2 N5+1+N1=N4
(union/< M2+M744=M6 N7+1+N0=N5)
M1+M026=M7 (map/+ N2 D2 M6)
(union/< M2+M744=M6 N7+1+N2=N4)
(union/< M1+M026=M7 N0+1+N1=N2)
<- nat`plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
<- nat`plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- nat`plus-associative* N7+1+N0=N5 N5+N1+1=N4 N0+N1+1=N2 N7+1+N2=N4.
%% N0 > N5: symmetric
- : union-associative-union/<-union/< N0+1+N1=N2 N5+1+N1=N4
(union/> M722+M4=M6 N7+1+N5=N0)
M1+M546=M7 (map/+ N4 D4 M6)
(union/> M722+M4=M6 N7+1+N4=N2)
(union/< M1+M546=M7 N5+1+N1=N4)
<- nat`plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- nat`plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
<- nat`plus-associative* N7+1+N5=N0 N0+N1+1=N2 N5+N1+1=N4 N7+1+N4=N2.
%% and now we return to the main theorem
%% < , > : M4's head N3 lies strictly between N1 and N2; re-base M2's
%% offset relative to N3 (N6) and recurse on A34
- : union-associative (union/< M1+M022=M3 N0+1+N1=N2)
(union/> M513+M4=M7 N5+1+N3=N1) (map/+ _ _ M6)
(union/> M622+M4=M6 N6+1+N3=N2)
(union/> M511+M6=M7 N5+1+N3=N1)
<- nat`plus-swap-succ N5+1+N3=N1 N5+N3+1=N1
<- nat`plus-associative-converse N5+N3+1=N1 N0+1+N1=N2 N6
N0+1+N5=N6 N6+N3+1=N2
<- nat`plus-swap-succ-converse N6+N3+1=N2 N6+1+N3=N2
<- union-associative (union/< M1+M022=M3 N0+1+N5=N6) M513+M4=M7
M6 M622+M4=M6 M511+M6=M7.
%% > , = and > , < : M2's head is smallest; its offset is untouched
- : union-associative (union/> M311+M2=M3 N3+1+N2=N1)
(union/= M3+M4=M7 D2+D4=D7 nat`eq/) (map/+ _ _ M6)
(union/= M2+M4=M6 D2+D4=D7 nat`eq/)
(union/> M311+M6=M7 N3+1+N2=N1)
<- union-associative M311+M2=M3 M3+M4=M7 M6 M2+M4=M6 M311+M6=M7.
- : union-associative (union/> M311+M2=M3 N3+1+N2=N1)
(union/< M3+M044=M7 N0+1+N2=N4) (map/+ _ _ M6)
(union/< M2+M044=M6 N0+1+N2=N4)
(union/> M311+M6=M7 N3+1+N2=N1)
<- union-associative M311+M2=M3 M3+M044=M7 M6 M2+M044=M6 M311+M6=M7.
%% > , > : M4's head precedes M2's; M1's offset is re-based to N7
- : union-associative (union/> M311+M2=M3 N3+1+N2=N1)
(union/> M523+M4=M7 N5+1+N4=N2) (map/+ _ _ M6)
(union/> M522+M4=M6 N5+1+N4=N2)
(union/> M711+M6=M7 N7+1+N4=N1)
<- nat`plus-swap-succ N5+1+N4=N2 N5+N4+1=N2
<- nat`plus-associative-converse N5+N4+1=N2 N3+1+N2=N1
N7 N3+1+N5=N7 N7+N4+1=N1
<- nat`plus-swap-succ-converse N7+N4+1=N1 N7+1+N4=N1
<- union-associative (union/> M311+M2=M3 N3+1+N5=N7) M523+M4=M7
M6 M522+M4=M6 M711+M6=M7.
%worlds () (union-associative-union/<-union/< _ _ _ _ _ _ _).
%total {} (union-associative-union/<-union/< _ _ _ _ _ _ _).
%worlds () (union-associative _ _ _ _ _).
%total (J) (union-associative _ J _ _ _).
%% Associativity with the inner union X2 u X3 supplied by the caller;
%% derived from union-associative plus determinism of union.
%theorem union-associative* :
forall* {X1} {X2} {X12} {X3} {X23} {X123}
forall {OP12:union X1 X2 X12} {OP12-3:union X12 X3 X123} {OP23:union X2 X3 X23}
exists {OP1-23:union X1 X23 X123}
true.
- : union-associative* X1+X2=X3 X3+X4=X7 X2+X4=X6 X1+X6=X7
<- union-associative X1+X2=X3 X3+X4=X7 Y6 X2+X4=Y6 X1+Y6=X7
<- union-deterministic X2+X4=Y6 X2+X4=X6 eq/ eq/ Y6=X6
<- union-respects-eq X1+Y6=X7 eq/ Y6=X6 eq/ X1+X6=X7.
%worlds () (union-associative* _ _ _ _).
%total {} (union-associative* _ _ _ _).
%% Other direction of associativity: X1 u (X2 u X4) = (X1 u X2) u X4,
%% obtained from union-associative by commuting both sides.
%theorem union-associative-converse :
forall* {X1} {X2} {X4} {X6} {X7}
forall {OP24:union X2 X4 X6} {OP16:union X1 X6 X7}
exists {X3} {OP12:union X1 X2 X3} {OP34:union X3 X4 X7}
true.
- : union-associative-converse X2+X4=X6 X1+X6=X7 _ X1+X2=X3 X3+X4=X7
<- union-commutative X2+X4=X6 X4+X2=X6
<- union-commutative X1+X6=X7 X6+X1=X7
<- union-associative X4+X2=X6 X6+X1=X7 _ X2+X1=X3 X4+X3=X7
<- union-commutative X2+X1=X3 X1+X2=X3
<- union-commutative X4+X3=X7 X3+X4=X7.
%worlds () (union-associative-converse X2+X4=X6 X1+X6=X7 X3 X1+X2=X3 X3+X4=X7).
%total {} (union-associative-converse _ _ _ _ _).
%% union-associative-converse with the intermediate X1 u X2 supplied
%% by the caller, reconciled through union-deterministic.
%theorem union-associative-converse* :
forall* {X1} {X2} {X3} {X4} {X6} {X7}
forall {OP24:union X2 X4 X6} {OP16:union X1 X6 X7} {OP12:union X1 X2 X3}
exists {OP34:union X3 X4 X7}
true.
- : union-associative-converse* X2+X4=X6 X1+X6=X7 X1+X2=X3 X3+X4=X7
<- union-associative-converse X2+X4=X6 X1+X6=X7 X3P X1+X2=X3P X3P+X4=X7
<- union-deterministic X1+X2=X3P X1+X2=X3 eq/ eq/ X3P=X3
<- union-respects-eq X3P+X4=X7 X3P=X3 eq/ eq/ X3+X4=X7.
%worlds () (union-associative-converse* X2+X4=X6 X1+X6=X7 X1+X2=X3 %{=>}% X3+X4=X7).
%total {} (union-associative-converse* _ _ _ _).
%% The following two theorems are useful for reordering elements
%% in a left-associative sequence of operations.
%% (X1 u X2) u X4 = (X1 u X4) u X2, with X1 u X4 given by the caller.
%theorem union-assoc-commutative* :
forall* {X1} {X2} {X3} {X4} {X5} {X7}
forall {OP1:union X1 X2 X3} {OP2:union X3 X4 X7}
{OP3:union X1 X4 X5}
exists {OP4:union X5 X2 X7}
true.
- : union-assoc-commutative* X1+X2=X3 X3+X4=X7 X1+X4=X5 X5+X2=X7
<- union-associative X1+X2=X3 X3+X4=X7 X6 X2+X4=X6 X1+X6=X7
<- union-commutative X2+X4=X6 X4+X2=X6
<- union-associative-converse* X4+X2=X6 X1+X6=X7 X1+X4=X5 X5+X2=X7.
%worlds () (union-assoc-commutative* X1+X2=X3 X3+X4=X7 X1+X4=X5 %{=>}% X5+X2=X7).
%total {} (union-assoc-commutative* _ _ _ _).
%% Same as union-assoc-commutative*, but X1 u X4 is produced here.
%theorem union-assoc-commutative :
forall* {X1} {X2} {X3} {X4} {X7}
forall {OP1:union X1 X2 X3} {OP2:union X3 X4 X7}
exists {X5} {OP3:union X1 X4 X5} {OP4:union X5 X2 X7}
true.
- : union-assoc-commutative X1+X2=X3 X3+X4=X7 X5 X1+X4=X5 X5+X2=X7
<- union-associative X1+X2=X3 X3+X4=X7 X6 X2+X4=X6 X1+X6=X7
<- union-commutative X2+X4=X6 X4+X2=X6
<- union-associative-converse X4+X2=X6 X1+X6=X7 X5 X1+X4=X5 X5+X2=X7.
%worlds () (union-assoc-commutative X1+X2=X3 X3+X4=X7 %{=>}% X5 X1+X4=X5 X5+X2=X7).
%total {} (union-assoc-commutative _ _ _ _ _).
%% The following theorem is a useful shortcut to
%% re-associate (AB)(CD) to (AC)(BD):
%% (A u B) u (C u D) = (A u C) u (B u D), with A u C and B u D given.
%% The proof pulls B out to the right, swaps it past C, and pushes C
%% back in next to A.
%theorem union-double-associative* :
forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X}
forall {AB:union A B A+B} {CD:union C D C+D} {ABCD:union A+B C+D X}
{AC:union A C A+C} {BD:union B D B+D}
exists {ACBD:union A+C B+D X}
true.
- : union-double-associative* X1+X2=X3 X4+X8=XC X3+XC=XF X1+X4=X5 X2+X8=XA X5+XA=XF
<- union-associative X1+X2=X3 X3+XC=XF XE X2+XC=XE X1+XE=XF
<- union-commutative X4+X8=XC X8+X4=XC
<- union-associative-converse* X8+X4=XC X2+XC=XE X2+X8=XA XA+X4=XE
<- union-commutative XA+X4=XE X4+XA=XE
<- union-associative-converse* X4+XA=XE X1+XE=XF X1+X4=X5 X5+XA=XF.
%worlds () (union-double-associative* X1+X2=X3 X4+X8=XC X3+XC=XF X1+X4=X5 X2+X8=XA
%{=>}% X5+XA=XF).
%total {} (union-double-associative* _ _ _ _ _ _).
%% Same as union-double-associative*, producing A u C and B u D.
%theorem union-double-associative :
forall* {A} {B} {C} {D} {A+B} {C+D} {X}
forall {AB:union A B A+B} {CD:union C D C+D} {ABCD:union A+B C+D X}
exists {A+C} {B+D} {AC:union A C A+C} {BD:union B D B+D}
{ACBD:union A+C B+D X}
true.
- : union-double-associative X1+X2=X3 X4+X8=XC X3+XC=XF X5 XA X1+X4=X5 X2+X8=XA X5+XA=XF
<- union-associative X1+X2=X3 X3+XC=XF XE X2+XC=XE X1+XE=XF
<- union-commutative X4+X8=XC X8+X4=XC
<- union-associative-converse X8+X4=XC X2+XC=XE XA X2+X8=XA XA+X4=XE
<- union-commutative XA+X4=XE X4+XA=XE
<- union-associative-converse X4+XA=XE X1+XE=XF X5 X1+X4=X5 X5+XA=XF.
%worlds () (union-double-associative _ _ _ _ _ _ _ _).
%total { } (union-double-associative _ _ _ _ _ _ _ _).
%% Any entry (N, D) of M can be split off: M is the union of the
%% singleton map/+ N D map/0 and a remainder M- that does not contain N.
%theorem lookup-implies-union :
forall* {M} {N} {D}
forall {L:lookup M N D}
exists {M-} {F:not-member M- N}
{A:union (map/+ N D map/0) M- M}
true.
%% head entry with empty tail: the remainder is empty
- : lookup-implies-union (lookup/= nat`eq/) _
(not-member/0) (union/R).
%% head entry with non-empty tail: the tail's first key becomes
%% N2 = N0+1+N1 (constructed by nat`plus-total), which exceeds N1,
%% so N1 is not a member of the remainder
- : lookup-implies-union (lookup/= nat`eq/) _
(not-member/< N2>N1)
(union/< union/L N0+1+N1=N2)
<- nat`plus-total N0+1+N1=N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1.
%% entry in the tail: keep the head in the remainder and recurse
- : lookup-implies-union (lookup/> L N0+1+N1=N2) _
(not-member/> F N0+1+N1=N2)
(union/> A N0+1+N1=N2)
<- lookup-implies-union L _ F A.
%worlds () (lookup-implies-union _ _ _ _).
%total (L) (lookup-implies-union L _ _ _).
%% If N is bound in both M1 and M2, it is bound in their union to the
%% unit`union of the two values.  Induction on the union derivation A.
%theorem union-joins-lookup :
forall* {M1} {M2} {M3} {N} {D1} {D2}
forall {L1:lookup M1 N D1} {L2:lookup M2 N D2}
{A:union M1 M2 M3}
exists {D3} {J:unit`union D1 D2 D3} {L3:lookup M3 N D3}
true.
%% both lookups hit the head: invert union at equal keys
- : union-joins-lookup (lookup/= nat`eq/) (lookup/= nat`eq/) A
_ AD L3
<- union/=-inversion A nat`eq/ _ _ AD _ M=M133
<- eq-symmetric M=M133 M133=M
<- lookup-respects-eq (lookup/= nat`eq/) M133=M nat`eq/ unit`eq/ L3.
%% N is in M1's tail but is M2's head key, so M1's head is smaller:
%% invert with union/<-inversion and recurse on the tail
- : union-joins-lookup (lookup/> L1 N0+1+N1=N2)
(lookup/= nat`eq/) A _ AD L3P
<- union/<-inversion A N0+1+N1=N2 M3 M1+M022=M3 M=M113
<- union-joins-lookup L1 (lookup/= nat`eq/) M1+M022=M3 _ AD L3
<- eq-symmetric M=M113 M113=M
<- lookup-respects-eq (lookup/> L3 N0+1+N1=N2) M113=M nat`eq/ unit`eq/ L3P.
%% symmetric: N is M1's head key and in M2's tail
- : union-joins-lookup (lookup/= nat`eq/)
(lookup/> L2 N3+1+N2=N1) A _ AD L3P
<- union/>-inversion A N3+1+N2=N1 M3 M311+M2=M3 M=M223
<- union-joins-lookup (lookup/= nat`eq/) L2 M311+M2=M3 _ AD L3
<- eq-symmetric M=M223 M223=M
<- lookup-respects-eq (lookup/> L3 N3+1+N2=N1) M223=M nat`eq/ unit`eq/ L3P.
%% N in both tails, equal heads: the two offsets to N coincide
- : union-joins-lookup (lookup/> L1P N4+1+N1=N)
(lookup/> L2 N5+1+N2=N)
(union/= M1+M2=M3 _ nat`eq/) _ AD
(lookup/> L N5+1+N2=N)
<- plus-right-cancels N4+1+N1=N N5+1+N2=N nat`eq/ nat`eq/ N4+1=N5+1
<- succ-cancels N4+1=N5+1 N4=N5
<- lookup-respects-eq L1P eq/ N4=N5 unit`eq/ L1
<- union-joins-lookup L1 L2 M1+M2=M3 _ AD L.
%% N in both tails, union/<: re-express M2's lookup relative to the
%% re-based head before recursing
- : union-joins-lookup (lookup/> L1 N4+1+N1=N)
(lookup/> L2 N5+1+N2=N)
(union/< M1+M022=M3 N0+1+N1=N2) _ AD
(lookup/> L3 N4+1+N1=N)
<- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- plus-associative-converse N0+N1+1=N2 N5+1+N2=N N6 N5+1+N0=N6 N6+N1+1=N
<- plus-swap-succ N4+1+N1=N N4+N1+1=N
<- plus-right-cancels N6+N1+1=N N4+N1+1=N nat`eq/ nat`eq/ N6=N4
<- plus-respects-eq N5+1+N0=N6 nat`eq/ nat`eq/ N6=N4 N5+1+N0=N4
<- union-joins-lookup
L1 (lookup/> L2 N5+1+N0=N4) M1+M022=M3 _ AD L3.
%% N in both tails, union/>: symmetric
- : union-joins-lookup (lookup/> L1 N4+1+N1=N)
(lookup/> L2 N5+1+N2=N)
(union/> M311+M2=M3 N3+1+N2=N1) _ AD
(lookup/> L3 N5+1+N2=N)
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 N4+1+N1=N N6 N4+1+N3=N6 N6+N2+1=N
<- plus-swap-succ N5+1+N2=N N5+N2+1=N
<- plus-right-cancels N6+N2+1=N N5+N2+1=N nat`eq/ nat`eq/ N6=N5
<- plus-respects-eq N4+1+N3=N6 nat`eq/ nat`eq/ N6=N5 N4+1+N3=N5
<- union-joins-lookup
(lookup/> L1 N4+1+N3=N5) L2 M311+M2=M3 _ AD L3.
%worlds () (union-joins-lookup _ _ _ _ _ _).
%total (A) (union-joins-lookup _ _ A _ _ _).
%% A key absent from both operands is absent from their union.
%% Induction on the union derivation A.
%theorem union-preserves-not-member* :
forall* {M1} {M2} {M3} {N}
forall {F1:not-member M1 N} {F2:not-member M2 N}
{A:union M1 M2 M3}
exists {F3:not-member M3 N}
true.
- : union-preserves-not-member* _ F union/L F.
- : union-preserves-not-member* F _ union/R F.
%% NOTE(review): the next three lines are damaged in this copy (text
%% between `<` and `>` lost), so the cases for not-member/< heads are
%% only partially present; consult the original source.
- : union-preserves-not-member* (not-member/< N _ _)
(not-member/< N F2 N4+1+N2=N) AX F3X
<- gt-implies-plus N-inversion AX N3+1+N2=N1 M3 A M=M223
<- plus-implies-gt N0+1+N4=N3 nat`eq/ N4 F3 N4+1+N2=N) M223=M nat`eq/ F3X.
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/< N F3 N3+1+N1=N) M113=M nat`eq/ F3X.
%% N beyond both heads, equal heads: identify the two offsets
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/> F2P N4+1+N2=N)
(union/= A _ N1=N2) (not-member/> F3 N3+1+N1=N)
<- plus-right-cancels N3+1+N1=N N4+1+N2=N N1=N2 nat`eq/ N3+1=N4+1
<- succ-cancels N3+1=N4+1 N3=N4
<- nat`eq-symmetric N3=N4 N4=N3
<- not-member-respects-eq F2P eq/ N4=N3 F2
<- union-preserves-not-member* F1 F2 A F3.
%% N beyond both heads, union/<: re-base M2's evidence and recurse
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/> F2 N4+1+N2=N)
(union/< A N0+1+N1=N2) (not-member/> F3 N3+1+N1=N)
<- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- plus-associative-converse N0+N1+1=N2 N4+1+N2=N N6 N4+1+N0=N6 N6+N1+1=N
<- plus-swap-succ N3+1+N1=N N3+N1+1=N
<- plus-right-cancels N6+N1+1=N N3+N1+1=N nat`eq/ nat`eq/ N6=N3
<- plus-respects-eq N4+1+N0=N6 nat`eq/ nat`eq/ N6=N3 N4+1+N0=N3
<- union-preserves-not-member* F1 (not-member/> F2 N4+1+N0=N3) A F3.
%% N beyond both heads, union/>: symmetric
- : union-preserves-not-member* (not-member/> F1 N3+1+N1=N) (not-member/> F2 N4+1+N2=N)
(union/> A N0+1+N2=N1) (not-member/> F3 N4+1+N2=N)
<- plus-swap-succ N0+1+N2=N1 N0+N2+1=N1
<- plus-associative-converse N0+N2+1=N1 N3+1+N1=N N6 N3+1+N0=N6 N6+N2+1=N
<- plus-swap-succ N4+1+N2=N N4+N2+1=N
<- plus-right-cancels N6+N2+1=N N4+N2+1=N nat`eq/ nat`eq/ N6=N4
<- plus-respects-eq N3+1+N0=N6 nat`eq/ nat`eq/ N6=N4 N3+1+N0=N4
<- union-preserves-not-member* (not-member/> F1 N3+1+N0=N4) F2 A F3.
%worlds () (union-preserves-not-member* _ _ _ _).
%total (A) (union-preserves-not-member* _ _ A _).
%{%
not-member-union-left-preserves-lookup*: if N is absent from M1 and
N maps to D in M2, then N maps to D in M3 = M1 union M2.  The proof
cases on the shape of F1 (not-member/<, not-member/>), of L2
(lookup/=, lookup/>) and of the union, and uses the union/*-inversion
lemmas where the union is left opaque (AX).  Induction is on A
(%total (A)).
%}%
%theorem not-member-union-left-preserves-lookup* :
forall* {M1} {M2} {M3} {N} {D}
forall {F1:not-member M1 N} {L2:lookup M2 N D}
{A:union M1 M2 M3}
exists {L3:lookup M3 N D}
true.
- : not-member-union-left-preserves-lookup* _ L union/L L.
% NOTE(review): the next two cases look damaged in this copy (a clause
% head fused with an inversion subgoal on the line below, and
% "N-inversion" with no lemma name in front of it).  Confirm against
% the original before relying on them.
- : not-member-union-left-preserves-lookup* (not-member/< N2-inversion AX N3+1+N2=N1 M3 A M=M223
<- eq-symmetric M=M223 M223=M
<- lookup-respects-eq (lookup/= nat`eq/) M223=M nat`eq/ unit`eq/ L3X.
- : not-member-union-left-preserves-lookup* (not-member/< N L2 N4+1+N2=N)
AX L3X
<- gt-implies-plus N-inversion AX N3+1+N2=N1 M3 A M=M223
<- eq-symmetric M=M223 M223=M
<- plus-implies-gt N0+1+N4=N3 nat`eq/ N3>N4
<- not-member-union-left-preserves-lookup* (not-member/< N3>N4) L2 A L3
<- lookup-respects-eq (lookup/> L3 N4+1+N2=N) M223=M nat`eq/ unit`eq/ L3X.
% L2 hits the head of M2 (lookup/=) while M1's head is strictly
% earlier: invert the opaque union as a union/< and recurse.
- : not-member-union-left-preserves-lookup* (not-member/> F1 N0+1+N1=N2)
(lookup/= nat`eq/) AX L3X
<- union/<-inversion AX N0+1+N1=N2 M3 A M=M113
<- eq-symmetric M=M113 M113=M
<- not-member-union-left-preserves-lookup* F1 (lookup/= nat`eq/) A L3
<- lookup-respects-eq (lookup/> L3 N0+1+N1=N2) M113=M nat`eq/ unit`eq/ L3X.
% union/= : equal heads, so the two "+1" offsets coincide.
- : not-member-union-left-preserves-lookup* (not-member/> F1P N4+1+N1=N)
(lookup/> L2 N5+1+N1=N)
(union/= A _ nat`eq/)
(lookup/> L3 N5+1+N1=N)
<- plus-right-cancels N4+1+N1=N N5+1+N1=N nat`eq/ nat`eq/ N4+1=N5+1
<- succ-cancels N4+1=N5+1 N4=N5
<- not-member-respects-eq F1P eq/ N4=N5 F1
<- not-member-union-left-preserves-lookup* F1 L2 A L3.
% union/< : re-express L2's offset relative to N1, then recurse.
- : not-member-union-left-preserves-lookup* (not-member/> F1 N4+1+N1=N)
(lookup/> L2 N5+1+N2=N)
(union/< A N0+1+N1=N2)
(lookup/> L3 N4+1+N1=N)
<- plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- plus-associative-converse N0+N1+1=N2 N5+1+N2=N N3 N5+1+N0=N3 N3+N1+1=N
<- plus-swap-succ N4+1+N1=N N4+N1+1=N
<- plus-right-cancels N3+N1+1=N N4+N1+1=N nat`eq/ nat`eq/ N3=N4
<- plus-respects-eq N5+1+N0=N3 nat`eq/ nat`eq/ N3=N4 N5+1+N0=N4
<- not-member-union-left-preserves-lookup* F1 (lookup/> L2 N5+1+N0=N4) A L3.
% union/> : mirror image -- re-express F1's offset relative to N2.
- : not-member-union-left-preserves-lookup* (not-member/> F1 N4+1+N1=N)
(lookup/> L2 N5+1+N2=N)
(union/> A N3+1+N2=N1)
(lookup/> L3 N5+1+N2=N)
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 N4+1+N1=N N6 N4+1+N3=N6 N6+N2+1=N
<- plus-swap-succ N5+1+N2=N N5+N2+1=N
<- plus-right-cancels N6+N2+1=N N5+N2+1=N nat`eq/ nat`eq/ N6=N5
<- plus-respects-eq N4+1+N3=N6 nat`eq/ nat`eq/ N6=N5 N4+1+N3=N5
<- not-member-union-left-preserves-lookup* (not-member/> F1 N4+1+N3=N5) L2 A L3.
%worlds () (not-member-union-left-preserves-lookup* _ _ _ _).
%total (A) (not-member-union-left-preserves-lookup* _ _ A _).
%{%
not-member-union-left-preserves-lookup-converse: if N is absent from
M1 and N maps to D in the union M3, then N already maps to D in M2.
The main theorem only decides membership of N in M2 (member?-total)
and delegates to the /L lemma, which cases on that decision:
  member?/in  -- run the forward lemma on the witness, then use
                 lookup-deterministic to identify its data with D;
  member?/out -- N would then be absent from M3 too
                 (union-preserves-not-member*), contradicting L3.
Neither theorem is inductive (%total { }); the /L lemma's
%worlds/%total come first because the main clause calls it.
%}%
%theorem not-member-union-left-preserves-lookup-converse :
forall* {M1} {M2} {M3} {N} {D}
forall {F1:not-member M1 N} {L3:lookup M3 N D}
{A:union M1 M2 M3}
exists {L2:lookup M2 N D}
true.
%theorem not-member-union-left-preserves-lookup-converse/L :
forall* {M1} {M2} {M3} {N} {D} {B}
forall {F1:not-member M1 N} {L3:lookup M3 N D}
{A:union M1 M2 M3}
{D?:member? M2 N B}
exists {L2:lookup M2 N D}
true.
- : not-member-union-left-preserves-lookup-converse F1 L3 A L2
<- member?-total D?
<- not-member-union-left-preserves-lookup-converse/L F1 L3 A D? L2.
- : not-member-union-left-preserves-lookup-converse/L
F1 L3 A (member?/in L2') L2
<- not-member-union-left-preserves-lookup* F1 L2' A L3'
<- lookup-deterministic L3' L3 eq/ nat`eq/ D'=D
<- lookup-respects-eq L2' eq/ nat`eq/ D'=D L2.
- : not-member-union-left-preserves-lookup-converse/L
F1 L3 A (member?/out F2) L2
<- union-preserves-not-member* F1 F2 A F3
<- not-member-lookup-not-equal F3 L3 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-lookup F L2.
%worlds () (not-member-union-left-preserves-lookup-converse/L _ _ _ _ _).
%total { } (not-member-union-left-preserves-lookup-converse/L _ _ _ _ _).
%worlds () (not-member-union-left-preserves-lookup-converse _ _ _ _).
%total { } (not-member-union-left-preserves-lookup-converse _ _ _ _).
%{%
union-left-affects-lookup: a key present in M2 is present in the union
M3, with some data D3 (not necessarily D2, since M1 may also contain
N).  The /L lemma takes the member? decision for M1 as an extra input:
  member?/in  L1 -- combine both lookups with union-joins-lookup;
  member?/out F1 -- N is absent from M1, so the data is preserved
                    (not-member-union-left-preserves-lookup*).
The first existential (D3) is left to unification ("_") in every
clause.  NOTE(review): the lookup existential is also named N, which
shadows the key N bound by forall*; presumably harmless, but a
distinct name would read better.
%}%
%theorem union-left-affects-lookup :
forall* {M1} {N} {D2} {M2} {M3}
forall {L:lookup M2 N D2}
{A:union M1 M2 M3}
exists {D3}
{N:lookup M3 N D3}
true.
%theorem union-left-affects-lookup/L :
forall* {M1} {N} {D2} {M2} {M3} {B}
forall {L:lookup M2 N D2}
{A:union M1 M2 M3}
{D:member? M1 N B}
exists {D3}
{N:lookup M3 N D3}
true.
- : union-left-affects-lookup/L L2 A (member?/in L1) _ L3
<- union-joins-lookup L1 L2 A _ _ L3.
- : union-left-affects-lookup/L L2 A (member?/out F1) _ L3
<- not-member-union-left-preserves-lookup* F1 L2 A L3.
%worlds () (union-left-affects-lookup/L _ _ _ _ _).
%total { } (union-left-affects-lookup/L _ _ _ _ _).
- : union-left-affects-lookup L2 A _ L3
<- member?-total D
<- union-left-affects-lookup/L L2 A D _ L3.
%worlds () (union-left-affects-lookup _ _ _ _).
%total { } (union-left-affects-lookup _ _ _ _).
%{%
not-member-union-right-preserves-lookup*: a key N that maps to D in M1
keeps that data in M3 = M1 union M2 provided N is absent from M2.
Instead of repeating the case analysis, the single clause flips the
union with union-commutative and reuses the left-hand lemma.
%}%
%theorem not-member-union-right-preserves-lookup* :
forall* {M1} {M2} {M3} {N} {D}
forall {L1:lookup M1 N D} {F2:not-member M2 N}
{A:union M1 M2 M3}
exists {L3:lookup M3 N D}
true.
- : not-member-union-right-preserves-lookup* LookupIn NotInRight Join LookupOut
<- union-commutative Join JoinFlipped
<- not-member-union-left-preserves-lookup* NotInRight LookupIn JoinFlipped LookupOut.
%worlds () (not-member-union-right-preserves-lookup* _ _ _ _).
%total { } (not-member-union-right-preserves-lookup* _ _ _ _).
%{%
not-member-union-right-preserves-lookup-converse: if N is absent from
M2 and maps to D in the union M3, then N maps to D in M1.  Same shape
as the left-hand converse: decide membership of N in M1, then either
identify the data via the forward lemma plus lookup-deterministic, or
derive a contradiction from N being absent from both operands.
%}%
%theorem not-member-union-right-preserves-lookup-converse :
forall* {M1} {M2} {M3} {N} {D}
forall {L3:lookup M3 N D} {F2:not-member M2 N}
{A:union M1 M2 M3}
exists {L1:lookup M1 N D}
true.
%theorem not-member-union-right-preserves-lookup-converse/L :
forall* {M1} {M2} {M3} {N} {D} {B}
forall {L3:lookup M3 N D} {F2:not-member M2 N}
{A:union M1 M2 M3}
{D?:member? M1 N B}
exists {L1:lookup M1 N D}
true.
- : not-member-union-right-preserves-lookup-converse L3 F2 A L1
<- member?-total D?
<- not-member-union-right-preserves-lookup-converse/L L3 F2 A D? L1.
- : not-member-union-right-preserves-lookup-converse/L
L3 F2 A (member?/in L1') L1
<- not-member-union-right-preserves-lookup* L1' F2 A L3'
<- lookup-deterministic L3' L3 eq/ nat`eq/ D'=D
<- lookup-respects-eq L1' eq/ nat`eq/ D'=D L1.
- : not-member-union-right-preserves-lookup-converse/L
L3 F2 A (member?/out F1) L1
<- union-preserves-not-member* F1 F2 A F3
<- not-member-lookup-not-equal F3 L3 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-lookup F L1.
%worlds () (not-member-union-right-preserves-lookup-converse/L _ _ _ _ _).
%total { } (not-member-union-right-preserves-lookup-converse/L _ _ _ _ _).
%worlds () (not-member-union-right-preserves-lookup-converse _ _ _ _).
%total { } (not-member-union-right-preserves-lookup-converse _ _ _ _).
%{%
union-right-affects-lookup: a key present in M1 is present in the
union M3 with some data D3.  Mirror of union-left-affects-lookup: the
/L lemma cases on whether N is in M2 (union-joins-lookup) or not
(not-member-union-right-preserves-lookup*).  As there, the lookup
existential reuses the name N of the key.
%}%
%theorem union-right-affects-lookup :
forall* {M1} {N} {D1} {M2} {M3}
forall {L:lookup M1 N D1}
{A:union M1 M2 M3}
exists {D3}
{N:lookup M3 N D3}
true.
%theorem union-right-affects-lookup/L :
forall* {M1} {N} {D1} {M2} {M3} {B}
forall {L:lookup M1 N D1}
{A:union M1 M2 M3}
{D:member? M2 N B}
exists {D3}
{N:lookup M3 N D3}
true.
- : union-right-affects-lookup/L L1 A (member?/in L2) _ L3
<- union-joins-lookup L1 L2 A _ _ L3.
- : union-right-affects-lookup/L L1 A (member?/out F2) _ L3
<- not-member-union-right-preserves-lookup* L1 F2 A L3.
%worlds () (union-right-affects-lookup/L _ _ _ _ _).
%total { } (union-right-affects-lookup/L _ _ _ _ _).
- : union-right-affects-lookup L1 A _ L3
<- member?-total D
<- union-right-affects-lookup/L L1 A D _ L3.
%worlds () (union-right-affects-lookup _ _ _ _).
%total { } (union-right-affects-lookup _ _ _ _).
%{%
union-preserves-not-member-converse*: a key absent from the union is
absent from both operands.  The /L lemma takes both member? decisions;
only the out/out case is direct.  In each of the other three cases the
"in" witnesses yield a lookup in M3 (via the forward lemmas or
union-joins-lookup), which contradicts F3 through
not-member-lookup-not-equal + nat`ne-anti-reflexive, and the missing
output(s) are then produced from void.
%}%
%theorem union-preserves-not-member-converse* :
forall* {M1} {M2} {M3} {N}
forall {F3:not-member M3 N}
{A:union M1 M2 M3}
exists {F1:not-member M1 N} {F2:not-member M2 N}
true.
%theorem union-preserves-not-member-converse/L :
forall* {M1} {M2} {M3} {N} {B1} {B2}
forall {F3:not-member M3 N}
{A:union M1 M2 M3}
{D1:member? M1 N B1}
{D2:member? M2 N B2}
exists {F1:not-member M1 N} {F2:not-member M2 N}
true.
- : union-preserves-not-member-converse* F3 A F1 F2
<- member?-total D1
<- member?-total D2
<- union-preserves-not-member-converse/L F3 A D1 D2 F1 F2.
- : union-preserves-not-member-converse/L _ _
(member?/out F1) (member?/out F2) F1 F2.
- : union-preserves-not-member-converse/L F3 A
(member?/out F1) (member?/in L2) F1 F2
<- not-member-union-left-preserves-lookup* F1 L2 A L3
<- not-member-lookup-not-equal F3 L3 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-not-member F F2.
- : union-preserves-not-member-converse/L F3 A
(member?/in L1) (member?/out F2) F1 F2
<- not-member-union-right-preserves-lookup* L1 F2 A L3
<- not-member-lookup-not-equal F3 L3 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-not-member F F1.
- : union-preserves-not-member-converse/L F3 A
(member?/in L1) (member?/in L2) F1 F2
<- union-joins-lookup L1 L2 A _ _ L3
<- not-member-lookup-not-equal F3 L3 N<>N
<- nat`ne-anti-reflexive N<>N F
<- false-implies-not-member F F1
<- false-implies-not-member F F2.
%worlds () (union-preserves-not-member-converse/L _ _ _ _ _ _).
%total { } (union-preserves-not-member-converse/L _ _ _ _ _ _).
%worlds () (union-preserves-not-member-converse* _ _ _ _).
%total { } (union-preserves-not-member-converse* _ _ _ _).
%{%
disjoint-union-left-preserves-lookup*: when M1 and M2 are disjoint, a
lookup in M2 carries over unchanged to the union.  Decide membership
of N in M1: "in" is impossible (disjoint-lookup-contradiction), "out"
is exactly not-member-union-left-preserves-lookup*.
%}%
%theorem disjoint-union-left-preserves-lookup* :
forall* {M1} {M2} {M3} {N} {D}
forall {L2:lookup M2 N D}
{X:disjoint M1 M2}
{A:union M1 M2 M3}
exists {L3:lookup M3 N D}
true.
%theorem disjoint-union-left-preserves-lookup*/L :
forall* {M1} {M2} {M3} {N} {D} {B}
forall {L2:lookup M2 N D}
{X:disjoint M1 M2}
{A:union M1 M2 M3}
{D?:member? M1 N B}
exists {L3:lookup M3 N D}
true.
- : disjoint-union-left-preserves-lookup* L2 X A L3
<- member?-total D?
<- disjoint-union-left-preserves-lookup*/L L2 X A D? L3.
- : disjoint-union-left-preserves-lookup*/L L2 X A (member?/in L1) L3
<- disjoint-lookup-contradiction X L1 L2 F
<- false-implies-lookup F L3.
- : disjoint-union-left-preserves-lookup*/L L2 X A (member?/out F1) L3
<- not-member-union-left-preserves-lookup* F1 L2 A L3.
%worlds () (disjoint-union-left-preserves-lookup*/L _ _ _ _ _).
%total { } (disjoint-union-left-preserves-lookup*/L _ _ _ _ _).
%worlds () (disjoint-union-left-preserves-lookup* _ _ _ _).
%total { } (disjoint-union-left-preserves-lookup* _ _ _ _).
%{%
disjoint-union-right-preserves-lookup*: mirror of the left-hand
version -- a lookup in M1 carries over to the union when M1 and M2 are
disjoint.  Decide membership of N in M2; "in" is contradictory,
"out" reduces to not-member-union-right-preserves-lookup*.
%}%
%theorem disjoint-union-right-preserves-lookup* :
forall* {M1} {M2} {M3} {N} {D}
forall {L1:lookup M1 N D}
{X:disjoint M1 M2}
{A:union M1 M2 M3}
exists {L3:lookup M3 N D}
true.
%theorem disjoint-union-right-preserves-lookup*/L :
forall* {M1} {M2} {M3} {N} {D} {B}
forall {L1:lookup M1 N D}
{X:disjoint M1 M2}
{A:union M1 M2 M3}
{D?:member? M2 N B}
exists {L3:lookup M3 N D}
true.
- : disjoint-union-right-preserves-lookup* L1 X A L3
<- member?-total D?
<- disjoint-union-right-preserves-lookup*/L L1 X A D? L3.
- : disjoint-union-right-preserves-lookup*/L L1 X A (member?/in L2) L3
<- disjoint-lookup-contradiction X L1 L2 F
<- false-implies-lookup F L3.
- : disjoint-union-right-preserves-lookup*/L L1 X A (member?/out F2) L3
<- not-member-union-right-preserves-lookup* L1 F2 A L3.
%worlds () (disjoint-union-right-preserves-lookup*/L _ _ _ _ _).
%total { } (disjoint-union-right-preserves-lookup*/L _ _ _ _ _).
%worlds () (disjoint-union-right-preserves-lookup* _ _ _ _).
%total { } (disjoint-union-right-preserves-lookup* _ _ _ _).
%{%
union-implies-leq*: the left operand of a union is below the result
(leq M1 M3).  Structural induction on the union derivation J:
  union/L  -- M1 is empty: leq/0;
  union/R  -- M3 is M1 itself: leq-reflexive;
  union/=  -- equal heads: lift unit`union-implies-leq* on the data
              and recurse on the tails;
  union/<  -- M1's head is kept: reflexive on its data, recurse;
  union/>  -- M2's head comes first: leq/> with the same offset proof.
The right-operand bound is obtained in union-implies-leq below via
union-commutative.
%}%
%theorem union-implies-leq* :
forall* {M1} {M2} {M3}
forall {J:union M1 M2 M3}
exists {L:leq M1 M3}
true.
- : union-implies-leq* union/L leq/0.
- : union-implies-leq* union/R M2=M2
<- leq-reflexive _ M2=M2.
- : union-implies-leq* (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(leq/= M1<=M3 D1<=D3 nat`eq/)
<- unit`union-implies-leq* D1+D2=D3 D1<=D3
<- union-implies-leq* M1+M2=M3 M1<=M3.
- : union-implies-leq* (union/< M1+_=M3 _) (leq/= M1<=M3 D1<=D1 nat`eq/)
<- unit`leq-reflexive _ D1<=D1
<- union-implies-leq* M1+_=M3 M1<=M3.
- : union-implies-leq* (union/> M311+M2=M3 P) (leq/> M311<=M3 P)
<- union-implies-leq* M311+M2=M3 M311<=M3.
%worlds () (union-implies-leq* _ _).
%total (J) (union-implies-leq* J _).
%{%
union-implies-leq: both operands of a union are below the result.
The left bound is union-implies-leq* directly; the right bound is the
same lemma applied to the commuted union.
%}%
%theorem union-implies-leq :
forall* {M1} {M2} {M3}
forall {A:union M1 M2 M3}
exists {L1:leq M1 M3} {L2:leq M2 M3}
true.
- : union-implies-leq Join LeftBelow RightBelow
<- union-implies-leq* Join LeftBelow
<- union-commutative Join JoinFlipped
<- union-implies-leq* JoinFlipped RightBelow.
%worlds () (union-implies-leq _ _ _).
%total { } (union-implies-leq _ _ _).
%{%
union-is-lub: the union M3 of M1 and M2 is below any common upper
bound M4.  Together with union-implies-leq this makes union the least
upper bound for leq.  The proof cases on the union constructor and on
the leq/= vs leq/> shapes of the two bounds:
  - when the key comparisons are consistent, the offsets are cancelled
    (nat`plus-right-cancels, nat`succ-cancels) or re-associated
    (nat`plus-associative-converse) so the recursive call sees aligned
    keys;
  - when they are inconsistent (a key strictly greater than itself, or
    N1>N2 together with N2>N1) a void is derived with
    gt-anti-reflexive / nat`gt-anti-symmetric and false-implies-leq
    closes the case.
Termination is declared on the second explicit argument (L1, the
bound on M1).  NOTE(review): several recursive calls pass a derivation
obtained through leq-respects-eq / union-respects-eq rather than a
strict subterm, so this presumably relies on %reduces declarations
for those lemmas elsewhere -- confirm.
%}%
%theorem union-is-lub :
forall* {M1} {M2} {M3} {M4}
forall {J:union M1 M2 M3}
{L1:leq M1 M4} {L2:leq M2 M4}
exists {L3:leq M3 M4}
true.
% Empty operand: the union is the other operand, return its bound.
- : union-is-lub union/L _ L L.
- : union-is-lub union/R L _ L.
% union/= with both bounds at the same key.
- : union-is-lub (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(leq/= M1<=M4 D1<=D4 nat`eq/)
(leq/= M2<=M4 D2<=D4 nat`eq/)
(leq/= M3<=M4 D3<=D4 nat`eq/)
<- unit`union-is-lub D1+D2=D3 D1<=D4 D2<=D4 D3<=D4
<- union-is-lub M1+M2=M3 M1<=M4 M2<=M4 M3<=M4.
% union/= with one bound at the key and the other strictly beyond it:
% impossible (N3+1+N = N).
- : union-is-lub (union/= _ _ nat`eq/) (leq/= _ _ nat`eq/) (leq/> _ N3+1+N=N) L
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-leq F L.
- : union-is-lub (union/= _ _ nat`eq/) (leq/> _ N3+1+N=N) (leq/= _ _ nat`eq/) L
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-leq F L.
% union/= with both bounds strictly beyond the key: the two offsets
% must agree, so rewrite M511 to M611 and recurse on the same union.
- : union-is-lub (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(leq/> M511<=M4 N5+1+N4=N)
(leq/> M622<=M4 N6+1+N4=N)
(leq/> M633<=M4 N6+1+N4=N)
<- nat`plus-right-cancels N5+1+N4=N N6+1+N4=N nat`eq/ nat`eq/ N5+1=N6+1
<- nat`succ-cancels N5+1=N6+1 N5=N6
<- map/+-preserves-eq N5=N6 unit`eq/ eq/ M511=M611
<- leq-respects-eq M511<=M4 M511=M611 eq/ M611<=M4
<- union-is-lub (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
M611<=M4 M622<=M4 M633<=M4.
% union/< cases (M1's head strictly before M2's).
- : union-is-lub (union/< _ N0+1+N=N) (leq/= _ _ nat`eq/) (leq/= _ _ nat`eq/) L
<- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-leq F L.
- : union-is-lub (union/< M1+M022=M3 N0+1+N1=N2)
(leq/= M1<=M4 D1<=D4 nat`eq/)
(leq/> M622<=M4 N6+1+N1=N2)
(leq/= M3<=M4 D1<=D4 nat`eq/)
<- nat`plus-right-cancels N6+1+N1=N2 N0+1+N1=N2 nat`eq/ nat`eq/ N6+1=N0+1
<- succ-cancels N6+1=N0+1 N6=N0
<- map/+-preserves-eq N6=N0 unit`eq/ eq/ M622=M022
<- leq-respects-eq M622<=M4 M622=M022 eq/ M022<=M4
<- union-is-lub M1+M022=M3 M1<=M4 M022<=M4 M3<=M4.
- : union-is-lub (union/< _ N0+1+N1=N2) (leq/> _ N3+1+N2=N1) (leq/= _ _ nat`eq/) L
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-leq F L.
- : union-is-lub (union/< M1+M022=M3 N0+1+N1=N2)
(leq/> M511<=M4 N5+1+N4=N1)
(leq/> M622<=M4 N6+1+N4=N2)
(leq/> M513<=M4 N5+1+N4=N1)
<- nat`plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
<- nat`plus-associative-converse N5+N4+1=N1 N0+1+N1=N2
N6' N0+1+N5=N6' N6'+N4+1=N2
<- nat`plus-swap-succ-converse N6'+N4+1=N2 N6'+1+N4=N2
<- nat`plus-right-cancels N6'+1+N4=N2 N6+1+N4=N2 nat`eq/ nat`eq/ N6'+1=N6+1
<- nat`succ-cancels N6'+1=N6+1 N6'=N6
<- nat`plus-respects-eq N0+1+N5=N6' nat`eq/ nat`eq/ N6'=N6 N0+1+N5=N6
<- union-is-lub (union/< M1+M022=M3 N0+1+N5=N6) M511<=M4 M622<=M4 M513<=M4.
% union/> cases (M2's head strictly before M1's); mirror of the above.
- : union-is-lub (union/> _ N3+1+N=N) (leq/= _ _ nat`eq/) (leq/= _ _ nat`eq/) L
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-leq F L.
- : union-is-lub (union/> _ N3+1+N2=N1) (leq/= _ _ nat`eq/) (leq/> _ N0+1+N1=N2) L
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-leq F L.
- : union-is-lub (union/> M311+M2=M3 N3+1+N2=N1)
(leq/> M511<=M4 N5+1+N2=N1)
(leq/= M2<=M4 D2<=D4 nat`eq/)
(leq/= M3<=M4 D2<=D4 nat`eq/)
<- nat`plus-right-cancels N3+1+N2=N1 N5+1+N2=N1 nat`eq/ nat`eq/ N3+1=N5+1
<- nat`succ-cancels N3+1=N5+1 N3=N5
<- map/+-preserves-eq N3=N5 unit`eq/ eq/ M311=M511
<- union-respects-eq M311+M2=M3 M311=M511 eq/ eq/ M511+M2=M3
<- union-is-lub M511+M2=M3 M511<=M4 M2<=M4 M3<=M4.
- : union-is-lub (union/> M311+M2=M3 N3+1+N2=N1)
(leq/> M511<=M4 N5+1+N4=N1)
(leq/> M622<=M4 N6+1+N4=N2)
(leq/> M623<=M4 N6+1+N4=N2)
<- nat`plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
<- nat`plus-associative-converse N6+N4+1=N2 N3+1+N2=N1
N5' N3+1+N6=N5' N5'+N4+1=N1
<- nat`plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
<- nat`plus-right-cancels N5'+N4+1=N1 N5+N4+1=N1 nat`eq/ nat`eq/ N5'=N5
<- nat`plus-respects-eq N3+1+N6=N5' nat`eq/ nat`eq/ N5'=N5 N3+1+N6=N5
<- union-is-lub (union/> M311+M2=M3 N3+1+N6=N5) M511<=M4 M622<=M4 M623<=M4.
%worlds () (union-is-lub _ _ _ _).
%total (L) (union-is-lub _ L _ _).
%{%
union-idempotent: S union S = S, for every S.  Build some union
S union S = S' (union-total); S is below S' (union-implies-leq*) and
S' is below S because S bounds both operands (union-is-lub with the
reflexive bound).  Anti-symmetry gives S' = S, and the union is
rewritten along that equation.
%}%
%theorem union-idempotent :
forall* {S}
exists {J:union S S S}
true.
- : union-idempotent J
<- union-total J'
<- union-implies-leq* J' Lo
<- leq-reflexive _ Refl
<- union-is-lub J' Refl Refl Hi
<- leq-anti-symmetric Hi Lo E
<- union-respects-eq J' eq/ eq/ E J.
%worlds () (union-idempotent _).
%total { } (union-idempotent _).
%{%
leq-implies-union: if M1 is below M2 then M1 union M2 is M2.  Same
recipe as union-idempotent: take any union M1 union M2 = M3, squeeze
M3 between M2 (union-is-lub, since M2 bounds both operands) and M2
(union-implies-leq, right operand), conclude M3 = M2 by
anti-symmetry and rewrite the union.
%}%
%theorem leq-implies-union :
forall* {M1} {M2}
forall {L:leq M1 M2}
exists {J:union M1 M2 M2}
true.
- : leq-implies-union Below Result
<- union-total J3
<- leq-reflexive _ Refl
<- union-is-lub J3 Below Refl Hi
<- union-implies-leq J3 _ Lo
<- leq-anti-symmetric Hi Lo E
<- union-respects-eq J3 eq/ eq/ E Result.
%worlds () (leq-implies-union _ _).
%total { } (leq-implies-union _ _).
%{%
disjoint-leq-implies-union-leq*: a variant of union-is-lub that cases
on the disjointness derivation instead of the union.  For disjoint/L
and disjoint/R one operand is empty, so union-deterministic (against
union/L or union/R) identifies C3 with the other operand and the
given bound is transported by leq-respects-eq.  For disjoint/< and
disjoint/> the union is inverted (union/<-inversion,
union/>-inversion) to expose the recursive union, the bound on the
later operand is inverted with leq/>-inversion (after re-associating
the offset where needed), the IH is applied and the result is
transported back along the equation returned by the inversion.
Termination is on the second explicit argument (L1).
%}%
%theorem disjoint-leq-implies-union-leq* :
forall* {C1} {C2} {C} {C3}
forall {D:disjoint C1 C2}
{L1:leq C1 C}
{L2:leq C2 C}
{J:union C1 C2 C3}
exists {L3:leq C3 C}
true.
- : disjoint-leq-implies-union-leq* disjoint/L _ C2<=C Z+C2=C3 C3<=C
<- union-deterministic union/L Z+C2=C3 eq/ eq/ C2=C3
<- leq-respects-eq C2<=C C2=C3 eq/ C3<=C.
- : disjoint-leq-implies-union-leq* disjoint/R C1<=C _ C1+0=C3 C3<=C
<- union-deterministic union/R C1+0=C3 eq/ eq/ C1=C3
<- leq-respects-eq C1<=C C1=C3 eq/ C3<=C.
% disjoint/< , bound on C1 at its head key (leq/=).
- : disjoint-leq-implies-union-leq*
(disjoint/< C1^C022 P)
(leq/= C1<=C4 D1<=D4 nat`eq/)
C222<=C444 C111+C222=C333 C333<=C444
<- union/<-inversion C111+C222=C333 P _ C1+C022=C5 C333=C115
<- leq/>-inversion C222<=C444 P C022<=C4
<- disjoint-leq-implies-union-leq*
C1^C022 C1<=C4 C022<=C4 C1+C022=C5 C5<=C4
<- eq-symmetric C333=C115 C115=C333
<- leq-respects-eq
(leq/= C5<=C4 D1<=D4 nat`eq/) C115=C333 eq/ C333<=C444.
% disjoint/< , bound on C1 strictly beyond its head key (leq/>):
% the offset N7 of C2's head relative to C4's is recomputed first.
- : disjoint-leq-implies-union-leq* (disjoint/< C1^C022 N0+1+N1=N2) (leq/> C611<=C4 N6+1+N4=N1) C222<=C444 C111+C222=C333 C333<=C444
<- union/<-inversion C111+C222=C333 N0+1+N1=N2 _ C1+C022=C5 C333=C115
<- plus-swap-succ N6+1+N4=N1 N6+N4+1=N1
<- plus-associative-converse
N6+N4+1=N1 N0+1+N1=N2 N7 N0+1+N6=N7 N7+N4+1=N2
<- plus-swap-succ-converse N7+N4+1=N2 N7+1+N4=N2
<- leq/>-inversion C222<=C444 N7+1+N4=N2 C722<=C4
<- disjoint-leq-implies-union-leq*
(disjoint/< C1^C022 N0+1+N6=N7)
C611<=C4 C722<=C4
(union/< C1+C022=C5 N0+1+N6=N7) C615<=C4
<- eq-symmetric C333=C115 C115=C333
<- leq-respects-eq
(leq/> C615<=C4 N6+1+N4=N1) C115=C333 eq/ C333<=C444.
% disjoint/> cases: mirror images of the two disjoint/< cases.
- : disjoint-leq-implies-union-leq*
(disjoint/> C011^C2 P)
C111<=C444 (leq/= C2<=C4 D2<=D4 nat`eq/)
C111+C222=C333 C333<=C444
<- union/>-inversion C111+C222=C333 P _ C011+C2=C5 C333=C225
<- leq/>-inversion C111<=C444 P C011<=C4
<- disjoint-leq-implies-union-leq*
C011^C2 C011<=C4 C2<=C4 C011+C2=C5 C5<=C4
<- eq-symmetric C333=C225 C225=C333
<- leq-respects-eq
(leq/= C5<=C4 D2<=D4 nat`eq/) C225=C333 eq/ C333<=C444.
- : disjoint-leq-implies-union-leq*
(disjoint/> C011^C2 N0+1+N2=N1)
C111<=C444 (leq/> C622<=C4 N6+1+N4=N2)
C111+C222=C333 C333<=C444
<- union/>-inversion C111+C222=C333 N0+1+N2=N1 _ C011+C2=C5 C333=C225
<- plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
<- plus-associative-converse
N6+N4+1=N2 N0+1+N2=N1 N7 N0+1+N6=N7 N7+N4+1=N1
<- plus-swap-succ-converse N7+N4+1=N1 N7+1+N4=N1
<- leq/>-inversion C111<=C444 N7+1+N4=N1 C711<=C4
<- disjoint-leq-implies-union-leq*
(disjoint/> C011^C2 N0+1+N6=N7)
C711<=C4 C622<=C4
(union/> C011+C2=C5 N0+1+N6=N7) C625<=C4
<- eq-symmetric C333=C225 C225=C333
<- leq-respects-eq
(leq/> C625<=C4 N6+1+N4=N2) C225=C333 eq/ C333<=C444.
%worlds () (disjoint-leq-implies-union-leq* _ _ _ _ _).
%total (L) (disjoint-leq-implies-union-leq* _ L _ _ _).
%{%
union-left-preserves-leq*: union is monotone in its right operand --
from M2 <= M4, M1 union M2 = M3 and M1 union M4 = M5 conclude
M3 <= M5.  The proof cases on the bound (leq/= or leq/>) and on the
constructor of the first union J; the second union is usually left
opaque and taken apart with union/=-inversion, union/<-inversion or
union/>-inversion, whose equation is then used (after eq-symmetric)
to transport the result.  Termination is declared on the third
explicit argument, i.e. the union of M1 and M4 (JP in the statement,
although the %total pattern calls it J).  NOTE(review): the recursive
calls pass the output of a union/*-inversion, not a subterm of JP,
so this presumably relies on %reduces declarations for those
inversion lemmas -- confirm.  The meta-eq calls supply an equation
that is already in hand and look like they exist only to fix the
instantiation of M for type reconstruction (compare the comment
before the explicitly annotated case below) -- confirm.
%}%
%theorem union-left-preserves-leq* :
forall* {M1} {M2} {M3} {M4} {M5}
forall {L1:leq M2 M4}
{J:union M1 M2 M3} {JP:union M1 M4 M5}
exists {L3:leq M3 M5}
true.
- : union-left-preserves-leq* L union/L union/L L.
- : union-left-preserves-leq* _ union/L union/R leq/0.
- : union-left-preserves-leq* leq/0 union/R M1+M4=M5 M1<=M5
<- union-implies-leq* M1+M4=M5 M1<=M5.
% leq/= with union/= : invert the second union as a union/=, lift the
% data bound with unit`union-left-preserves-leq*, recurse on tails.
- : union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/)
(union/= M1+M2=M3 D1+D2=D3 nat`eq/)
M111+M144=M M133<=M
<- union/=-inversion M111+M144=M nat`eq/ D5 M5 D1+D4=D5 M1+M4=M5 M=M155
<- eq-symmetric M=M155 M155=M
<- meta-eq (map/+ N1 D5 M5) M M155=M
<- unit`union-left-preserves-leq* D2<=D4 D1+D2=D3 D1+D4=D5 D3<=D5
<- union-left-preserves-leq* M2<=M4 M1+M2=M3 M1+M4=M5 M3<=M5
<- leq-respects-eq (leq/= M3<=M5 D3<=D5 nat`eq/) eq/ M155=M M133<=M.
% leq/= with union/< : the leading Pi-binders pin the types of the
% two intermediate derivations for type reconstruction.
- : {M1+M044=M5:union M1 (map/+ N0 D4 M4) M5}
{M115=M: eq (map/+ N1 D1 M5) M}
union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/)
(union/< M1+M022=M3 N0+1+N1=N2)
M111+M244=M M113<=M
<- union/<-inversion M111+M244=M N0+1+N1=N2 M5 M1+M044=M5 M=M115
<- eq-symmetric M=M115 M115=M
<- meta-eq (map/+ N1 D1 M5) M M115=M
<- union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/)
M1+M022=M3 M1+M044=M5 M3<=M5
<- unit`leq-reflexive _ D1<=D1
<- leq-respects-eq (leq/= M3<=M5 D1<=D1 nat`eq/) eq/ M115=M M113<=M.
% leq/= with union/> .
- : union-left-preserves-leq* (leq/= M2<=M4 D2<=D4 nat`eq/)
(union/> M311+M2=M3 N3+1+N2=N1)
M111+M244=M M223<=M
<- union/>-inversion M111+M244=M N3+1+N2=N1 M5 M311+M4=M5 M=M245
<- eq-symmetric M=M245 M245=M
<- meta-eq (map/+ N2 D4 M5) M M245=M
<- union-left-preserves-leq* M2<=M4 M311+M2=M3 M311+M4=M5 M3<=M5
<- leq-respects-eq (leq/= M3<=M5 D2<=D4 nat`eq/) eq/ M245=M M223<=M.
% leq/> with union/= : the bound's offset makes the second union a
% union/> ; recurse on the same first union.
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2)
(union/= M1+M2=M3 D1+D2=D3 nat`eq/) % N1=N2
M211+M444=M M233<=M
<- union/>-inversion M211+M444=M N6+1+N4=N2 M5 M611+M4=M5 M=M445
<- eq-symmetric M=M445 M445=M
<- meta-eq (map/+ N4 D4 M5) M M445=M
<- union-left-preserves-leq* M622<=M4 (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
M611+M4=M5 M633<=M5
<- leq-respects-eq (leq/> M633<=M5 N6+1+N4=N2) eq/ M445=M M233<=M.
% leq/> with union/< and an explicit union/= : the two offsets must
% agree (N6=N0), so M622 and M022 coincide.
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2)
(union/< M1+M022=M3 N0+1+N4=N2)
(union/= M1+M4=M5 D1+D4=D5 nat`eq/)
(leq/= M3<=M5 D1<=D5 nat`eq/)
<- nat`plus-right-cancels N6+1+N4=N2 N0+1+N4=N2 nat`eq/ nat`eq/ N6+1=N0+1
<- nat`succ-cancels N6+1=N0+1 N6=N0
<- map/+-preserves-eq N6=N0 unit`eq/ eq/ M622=M022
<- leq-respects-eq M622<=M4 M622=M022 eq/ M022<=M4
<- union-left-preserves-leq* M022<=M4 M1+M022=M3 M1+M4=M5 M3<=M5
<- unit`union-implies-leq* D1+D4=D5 D1<=D5.
% leq/> with union/< and an explicit union/< : re-associate the
% offsets so the bound is stated relative to M1's key.
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2)
(union/< M1+M022=M3 N0+1+N1=N2)
(union/< M1+M544=M5 N5+1+N1=N4)
(leq/= M3<=M5 D1<=D1 nat`eq/)
<- nat`plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
<- nat`plus-associative-converse N5+N1+1=N4 N6+1+N4=N2
N0' N6+1+N5=N0' N0'+N1+1=N2
<- nat`plus-swap-succ N0+1+N1=N2 N0+N1+1=N2
<- nat`plus-right-cancels N0'+N1+1=N2 N0+N1+1=N2 nat`eq/ nat`eq/ N0'=N0
<- nat`plus-respects-eq N6+1+N5=N0' nat`eq/ nat`eq/ N0'=N0 N6+1+N5=N0
<- union-left-preserves-leq* (leq/> M622<=M4 N6+1+N5=N0)
M1+M022=M3 M1+M544=M5 M3<=M5
<- unit`leq-reflexive _ D1<=D1.
% for some reason, twelf needs a lot of help inferring types here:
- : union-left-preserves-leq* ((leq/> M622<=M4 N6+1+N4=N2):leq (map/+ N2 D2 M2) (map/+ N4 D4 M4))
(union/< M1+M022=M3 N0+1+N1=N2)
(union/> M511+M4=M5 N5+1+N4=N1)
(leq/> M513<=M5 N5+1+N4=N1)
<- nat`plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
<- nat`plus-associative-converse N5+N4+1=N1 N0+1+N1=N2
N6' N0+1+N5=N6' N6'+N4+1=N2
<- nat`plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
<- nat`plus-right-cancels N6'+N4+1=N2 N6+N4+1=N2 nat`eq/ nat`eq/ N6'=N6
<- nat`plus-respects-eq N0+1+N5=N6' nat`eq/ nat`eq/ N6'=N6 N0+1+N5=N6
<- union-left-preserves-leq* M622<=M4
((union/< M1+M022=M3 N0+1+N5=N6):union (map/+ N5 D1 M1) (map/+ N6 D2 M2)
(map/+ N5 D1 M3))
M511+M4=M5 M513<=M5.
% leq/> with union/> : recompute the offset N5 and invert the opaque
% second union as a union/> .
- : union-left-preserves-leq* (leq/> M622<=M4 N6+1+N4=N2)
(union/> M311+M2=M3 N3+1+N2=N1)
M111+M444=M M223<=M
<- nat`plus-swap-succ N6+1+N4=N2 N6+N4+1=N2
<- nat`plus-associative-converse N6+N4+1=N2 N3+1+N2=N1
N5 N3+1+N6=N5 N5+N4+1=N1
<- nat`plus-swap-succ-converse N5+N4+1=N1 N5+1+N4=N1
<- union/>-inversion M111+M444=M N5+1+N4=N1 M5 M511+M4=M5 M=M445
<- eq-symmetric M=M445 M445=M
<- meta-eq _ _ M445=M
<- union-left-preserves-leq* M622<=M4 (union/> M311+M2=M3 N3+1+N6=N5)
M511+M4=M5 M623<=M5
<- leq-respects-eq (leq/> M623<=M5 N6+1+N4=N2) eq/ M445=M M223<=M.
%worlds () (union-left-preserves-leq* _ _ _ _).
%total (J) (union-left-preserves-leq* _ _ J _).
%{%
union-right-preserves-leq*: union is monotone in its left operand.
Both unions are commuted and the right-operand version
(union-left-preserves-leq*) does the work.
%}%
%theorem union-right-preserves-leq* :
forall* {X1} {X2} {X3} {X4} {X5}
forall {G1:leq X1 X2} {O1:union X1 X3 X4} {O2:union X2 X3 X5}
exists {G2:leq X4 X5}
true.
- : union-right-preserves-leq* Below JoinLo JoinHi Result
<- union-commutative JoinLo JoinLoFlipped
<- union-commutative JoinHi JoinHiFlipped
<- union-left-preserves-leq* Below JoinLoFlipped JoinHiFlipped Result.
%worlds () (union-right-preserves-leq* X1<=X2 X1+X3=X4 X2+X3=X5 %{=>}% X4<=X5).
%total {} (union-right-preserves-leq* _ _ _ _).
%%%% Map ``multiplication''
%%% Definition of intersection
%{%
intersection M1 M2 M3: M3 holds the keys common to M1 and M2.
  intersection/L , intersection/R -- an empty operand gives map/0;
  intersection/=  -- equal head keys (nat`eq N1 N2): keep the key,
                     intersect the data with unit`intersection and
                     recurse on the tails;
  intersection/<  -- N2 = (s N0) + N1, i.e. M1's head is strictly
                     earlier: drop it, recurse against M2 with its
                     head key reduced to the offset N0, then shift
                     the result by N1;
  intersection/>  -- symmetric, with N1 = (s N3) + N2.
NOTE(review): the plus/shift bookkeeping suggests map/+ stores each
key as an offset from the previous entry (see map.elf) -- confirm.
%}%
intersection : map -> map -> map -> type.
intersection/L : intersection map/0 M map/0.
intersection/R : intersection M map/0 map/0.
intersection/= : intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N1 D3 M3)
<- nat`eq N1 N2
<- unit`intersection D1 D2 D3
<- intersection M1 M2 M3.
intersection/< : intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S1M3
<- nat`plus (s N0) N1 N2
<- intersection M1 (map/+ N0 D2 M2) M3
<- shift N1 M3 S1M3.
intersection/> : intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S2M3
<- nat`plus (s N3) N2 N1
<- intersection (map/+ N3 D1 M1) M2 M3
<- shift N2 M3 S2M3.
%%% Theorems about intersection
%{%
false-implies-intersection: ex falso for intersection.  No clauses
are needed since the input type void has no inhabitants (same pattern
as unit`false-implies-eq).
%}%
%theorem false-implies-intersection :
forall* {M1} {M2} {M3}
forall {F:void}
exists {D:intersection M1 M2 M3}
true.
%worlds () (false-implies-intersection _ _).
%total {} (false-implies-intersection _ _).
%{%
intersection-respects-eq: transport an intersection derivation along
equations on all three maps.  Since eq has only the reflexive
constructor eq/, matching all three equations against eq/ makes the
output the input itself; the %reduces declaration records that fact
for the termination checker.
%}%
%theorem intersection-respects-eq :
forall* {M1} {M2} {M3} {M1P} {M2P} {M3P}
forall {A:intersection M1 M2 M3} {E1:eq M1 M1P} {E2:eq M2 M2P} {E3:eq M3 M3P}
exists {AP:intersection M1P M2P M3P}
true.
- : intersection-respects-eq Same eq/ eq/ eq/ Same.
%worlds () (intersection-respects-eq _ _ _ _ _).
%total {} (intersection-respects-eq _ _ _ _ _).
%reduces A = AP (intersection-respects-eq A _ _ _ AP).
%% Inversion lemmas for intersection
%{%
intersection/L-inversion: if the left operand is map/0, so is the
result.  Only intersection/L and intersection/R can have map/0 on the
left (the other constructors require a map/+), and both produce
map/0.
%}%
%theorem intersection/L-inversion :
forall* {M1} {M2} {M3}
forall {A:intersection M1 M2 M3} {E1:eq map/0 M1}
exists {E3:eq map/0 M3}
true.
- : intersection/L-inversion intersection/L eq/ eq/.
- : intersection/L-inversion intersection/R eq/ eq/.
%worlds () (intersection/L-inversion _ _ _).
%total { } (intersection/L-inversion _ _ _).
%{%
intersection/R-inversion: if the right operand is map/0, so is the
result.  Mirror of intersection/L-inversion.
%}%
%theorem intersection/R-inversion :
forall* {M1} {M2} {M3}
forall {A:intersection M1 M2 M3} {E1:eq map/0 M2}
exists {E3:eq map/0 M3}
true.
- : intersection/R-inversion intersection/L eq/ eq/.
- : intersection/R-inversion intersection/R eq/ eq/.
%worlds () (intersection/R-inversion _ _ _).
%total { } (intersection/R-inversion _ _ _).
%{%
intersection/=-inversion: when both operands are non-empty with equal
head keys, recover the data intersection, the tail intersection and
the shape (map/+ N1 D3 M3) of the result.  The intersection/= case is
immediate.  intersection/< and intersection/> are impossible here:
with N1 = N2 their plus derivation has the form (s N) + N = N, which
nat`plus-implies-gt turns into N > N and nat`gt-anti-reflexive into
void; every output is then built from void, with
intersection-respects-eq coercing the available sub-derivation to the
required type via a vacuous equation.  %reduces records that the
returned tail intersection is smaller than the input.
%}%
%theorem intersection/=-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {M}
forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) M}
{G:nat`eq N1 N2}
exists {D3} {M3}
{D:unit`intersection D1 D2 D3}
{AP:intersection M1 M2 M3}
{E:eq (map/+ N1 D3 M3) M}
true.
- : intersection/=-inversion (intersection/= MM DD nat`eq/) _ _ _ DD MM eq/.
- : intersection/=-inversion (intersection/< S A' N0+1+N=N) nat`eq/
D2 M3 DA MA ME
<- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- unit`false-implies-intersection F DA
<- false-implies-eq F (M022=M2:eq (map/+ N0 D2 M2) M2)
<- intersection-respects-eq A' eq/ M022=M2 eq/ MA
<- false-implies-eq F ME.
- : intersection/=-inversion (intersection/> S (AP:intersection (map/+ _ D1 M1) M2 _) N3+1+N=N) nat`eq/
D1 M3 DA MA ME
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- nat`gt-anti-reflexive N>N F
<- unit`false-implies-intersection F DA
<- false-implies-eq F (M311=M1:eq (map/+ N3 D1 M1) M1)
<- intersection-respects-eq AP M311=M1 eq/ eq/ MA
<- false-implies-eq F ME.
%worlds () (intersection/=-inversion _ _ _ _ _ _ _).
%total {} (intersection/=-inversion _ _ _ _ _ _ _).
%reduces AP < A (intersection/=-inversion A _ _ _ _ AP _).
%{%
intersection/<-inversion: given an intersection of two non-empty maps
and a proof that M1's head key is strictly earlier (N2 = (s N0) + N1),
recover the recursive intersection against (map/+ N0 D2 M2) and the
shift.  The intersection/< case cancels the two plus derivations to
identify the offsets (N0 = N0P) and rewrites the sub-derivation.
intersection/= would need (s N0) + N = N, and intersection/> would
need both N1 > N2 and N2 > N1; each yields void, from which the
outputs are built (false-implies-eq, false-implies-shift).
%reduces records that the returned sub-derivation is smaller.
%}%
%theorem intersection/<-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {S1M3} {N0}
forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S1M3}
{P:plus (s N0) N1 N2}
exists {M3} {AP:intersection M1 (map/+ N0 D2 M2) M3}
{S:shift N1 M3 S1M3}
true.
- : intersection/<-inversion (intersection/< S A P) P' _ A' S
<- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N0+1=N0'+1
<- succ-cancels N0+1=N0'+1 N0=N0P
<- map/+-preserves-eq N0=N0P unit`eq/ eq/ M022=M022'
<- intersection-respects-eq A eq/ M022=M022' eq/ A'.
- : intersection/<-inversion (intersection/= A' _ nat`eq/) N0+1+N=N map/0 A S
<- nat`plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F M2=M022
<- false-implies-eq F M3=M333
<- intersection-respects-eq A' eq/ M2=M022 M3=M333 A
<- false-implies-shift F S.
- : intersection/<-inversion (intersection/> S A' N3+1+N2=N1) N0+1+N1=N2 _ A S'
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F M311=M1
<- false-implies-eq F M2=M022
<- intersection-respects-eq A' M311=M1 M2=M022 eq/ A
<- false-implies-shift F S'.
%worlds () (intersection/<-inversion _ _ _ _ _).
%total {} (intersection/<-inversion _ _ _ _ _).
%reduces AP < A (intersection/<-inversion A _ _ AP _).
%{%
intersection/>-inversion: mirror of intersection/<-inversion for the
case where M2's head key is strictly earlier (N1 = (s N3) + N2):
recover the intersection of (map/+ N3 D1 M1) with M2 and the shift by
N2.  intersection/= and intersection/< are refuted by the same
arithmetic as before.
%}%
%theorem intersection/>-inversion :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {S2M3}
forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) S2M3}
{P:plus (s N3) N2 N1}
exists {M3} {AP:intersection (map/+ N3 D1 M1) M2 M3}
{S:shift N2 M3 S2M3}
true.
- : intersection/>-inversion (intersection/> S A P) P' _ A' S
<- nat`plus-right-cancels P P' nat`eq/ nat`eq/ N3+1=N3'+1
<- succ-cancels N3+1=N3'+1 N3=N3P
<- map/+-preserves-eq N3=N3P unit`eq/ eq/ M311=M311'
<- intersection-respects-eq A M311=M311' eq/ eq/ A'.
- : intersection/>-inversion (intersection/= A' _ nat`eq/) N3+1+N=N map/0 A S
<- nat`plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F M1=M311
<- false-implies-eq F M3=M333
<- intersection-respects-eq A' M1=M311 eq/ M3=M333 A
<- false-implies-shift F S.
- : intersection/>-inversion (intersection/< S A' N0+1+N1=N2) N3+1+N2=N1 _ A S'
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F M1=M311
<- false-implies-eq F M022=M2
<- intersection-respects-eq A' M1=M311 M022=M2 eq/ A
<- false-implies-shift F S'.
%worlds () (intersection/>-inversion _ _ _ _ _).
%total { } (intersection/>-inversion _ _ _ _ _).
%reduces AP < A (intersection/>-inversion A _ _ AP _).
%{%
intersection-implies-ge: when the intersection of two non-empty maps
is itself non-empty, its head key N3 is at least each input head key.
  intersection/= -- all three keys coincide: ge/= on both sides.
  intersection/< -- the result head comes from shift/+ over the
                    recursive result: N4 = N1 + 1 + N3 gives N4 > N1
                    directly; for the other side the IH gives
                    N3 >= N0 and plus-right-preserves-ge* adds
                    (N1 + 1) to both sides to reach N4 >= N2.
  intersection/> -- symmetric.
Induction on the intersection derivation (%total (A)).
%}%
%theorem intersection-implies-ge :
forall* {N1} {D1} {M1} {N2} {D2} {M2} {N3} {D3} {M3}
forall {A:intersection (map/+ N1 D1 M1) (map/+ N2 D2 M2) (map/+ N3 D3 M3)}
exists {G1:ge N3 N1} {G2:ge N3 N2}
true.
- : intersection-implies-ge (intersection/= _ _ nat`eq/) (ge/= nat`eq/) (ge/= nat`eq/).
- : intersection-implies-ge (intersection/< (shift/+ N1+1+N3=N4) M1*M022=M333 N0+1+N1=N2)
(ge/> N4>N1) N4>=N2
<- plus-swap-succ N1+1+N3=N4 N1+N3+1=N4
<- plus-commutative N1+N3+1=N4 N3+1+N1=N4
<- plus-implies-gt N3+1+N1=N4 nat`eq/ N4>N1
<- intersection-implies-ge M1*M022=M333 _ N3>=N0
<- succ-preserves-ge N3>=N0 N3+1>=N0+1
<- plus-right-preserves-ge* N3+1>=N0+1 N3+1+N1=N4 N0+1+N1=N2 N4>=N2.
- : intersection-implies-ge (intersection/> (shift/+ N2+1+N3=N5) M011*M2=M333 N0+1+N2=N1)
N5>=N1 (ge/> N5>N2)
<- plus-swap-succ N2+1+N3=N5 N2+N3+1=N5
<- plus-commutative N2+N3+1=N5 N3+1+N2=N5
<- plus-implies-gt N3+1+N2=N5 nat`eq/ N5>N2
<- intersection-implies-ge M011*M2=M333 N3>=N0 _
<- succ-preserves-ge N3>=N0 N3+1>=N0+1
<- plus-right-preserves-ge* N3+1>=N0+1 N3+1+N2=N5 N0+1+N2=N1 N5>=N1.
%worlds () (intersection-implies-ge _ _ _).
%total (A) (intersection-implies-ge A _ _).
%theorem intersection-deterministic :
forall* {M1} {M2} {M3} {M1P} {M2P} {M3P}
forall {A:intersection M1 M2 M3} {AP:intersection M1P M2P M3P}
{E1:eq M1 M1P} {E2:eq M2 M2P}
exists {E3:eq M3 M3P}
true.
- : intersection-deterministic intersection/L intersection/L eq/ eq/ eq/.
- : intersection-deterministic intersection/L intersection/R eq/ eq/ eq/.
- : intersection-deterministic intersection/R intersection/L eq/ eq/ eq/.
- : intersection-deterministic intersection/R intersection/R eq/ eq/ eq/.
- : intersection-deterministic (intersection/= M1*M2=M3 D1*D2=D3 nat`eq/)
(AP:intersection _ _ M') eq/ eq/ M133=M'
<- intersection/=-inversion AP nat`eq/ D3' M3' D1*D2=D3P M1*M2=M3' M133'=M'
<- unit`intersection-deterministic D1*D2=D3 D1*D2=D3P unit`eq/ unit`eq/ D3=D3'
<- intersection-deterministic M1*M2=M3 M1*M2=M3' eq/ eq/ M3=M3'
<- map/+-preserves-eq nat`eq/ D3=D3' M3=M3' M133=M133'
<- eq-transitive M133=M133' M133'=M' M133=M'.
- : intersection-deterministic (intersection/< M3< M3<-inversion A' N3+1+N2=N1 M3' M311*M2=M3' M3'<N1
<- gt-implies-plus N2>N1 _ N0+1+N1=N2
<- intersection-M-map/+-total* M1 N0 D2 M2 M3 M1*M022=M3
<- shift-total* N1 M3 S1M3 M3< M3<N2
<- gt-implies-plus N1>N2 _ N3+1+N2=N1
<- intersection-map/+-M-total* N3 D1 M1 M2 M3 M311*M2=M3
<- shift-total* N2 M3 S2M3 M3< D N3+1+N2=N1)
(intersection/> shift/0 M N3+1+N2=N1)
<- disjoint-intersection-empty D M.
%worlds () (disjoint-intersection-empty _ _).
%total (D) (disjoint-intersection-empty D _).
%}%
%}%
%theorem intersection-commutative :
forall* {M1} {M2} {M3}
forall {A:intersection M1 M2 M3}
exists {AP:intersection M2 M1 M3}
true.
- : intersection-commutative intersection/L intersection/R.
- : intersection-commutative intersection/R intersection/L.
- : intersection-commutative (intersection/= M1*M2=M3 D1*D2=D3 nat`eq/)
(intersection/= M2*M1=M3 D2*D1=D3 nat`eq/)
<- unit`intersection-commutative D1*D2=D3 D2*D1=D3
<- intersection-commutative M1*M2=M3 M2*M1=M3.
- : intersection-commutative (intersection/< M3< M3< M3< M3<-inversion M111*M222=SM3 N3+1+N2=N1 M3 M311*M2=M3 M3< M3< M3< M3< M3<B1
<- meta-gt _ _ B>B1
<- intersection-associativeM _ BD1 M1*M2=M3 M3*M4=M7 M2*M4=M6 M1*M6=M7
<- intersection-respects-eq (intersection/= M1*M6=M7 D1*D6=D7 nat`eq/)
eq/ M166=M24 M177=M34 A16.
- : intersection-associativeM* B (bound/+ N1+1+B1=B BD1)
(nat`compare/=) (nat`compare/< N4>N1) _
A12 A34 A24 A16
<- intersection/=-inversion A12 nat`eq/ D3 M3 D1*D2=D3 M1*M2=M3 M133=M12
<- eq-symmetric M133=M12 M12=M133
<- intersection-respects-eq A34 M12=M133 eq/ eq/ A34'
<- gt-implies-plus N4>N1 N5 N5+1+N1=N4
<- intersection/<-inversion A34' N5+1+N1=N4 M7 M3*M544=M7 M7<B1
<- meta-gt _ _ B>B1
<- intersection-associativeM _ BD1 M1*M2=M3 M3*M544=M7 M2*M544=M6 M1*M6=M7
<- shift-right-preserves-intersection M1*M6=M7 M6< N1>N4) _
A12 A34 A24 A16
<- intersection/=-inversion A12 nat`eq/ D3 M3 D1*D2=D3 M1*M2=M3 M133=M12
<- eq-symmetric M133=M12 M12=M133
<- intersection-respects-eq A34 M12=M133 eq/ eq/ A34'
<- gt-implies-plus N1>N4 N6 N6+1+N4=N1 %% NB N2 eq N1
<- intersection/>-inversion A34' N6+1+N4=N1 M7 M633*M4=M7 M7<-inversion A24 N6+1+N4=N1 M6 M622*M4=M6 M6<N6
<- succ-preserves-gt N1>N6 N1+1>N6+1
<- plus-total N6+1+B1=B6
<- plus-right-preserves-gt* N1+1>N6+1 N1+1+B1=B N6+1+B1=B6 B>B6
<- meta-gt _ _ B>B6
<- intersection-associativeM _ (bound/+ N6+1+B1=B6 BD1)
(intersection/= M1*M2=M3 D1*D2=D3 nat`eq/)
M633*M4=M7 M622*M4=M6 M611*M6=M7
<- shift-preserves-intersection M611*M6=M7
(shift/+ N4+1+N6=N1) M6<N1) (nat`compare/=) _
A12 A34 A24 A16
<- gt-implies-plus N2>N1 N0 N0+1+N1=N2
<- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<B1
<- meta-gt _ _ B>B1
<- intersection-associativeM _ BD1 M1*M022=M3 M3*M044=M7
(intersection/= M2*M4=M6 D2*D4=D6 nat`eq/)
M1*M066=M7
<- shift-right-preserves-intersection M1*M066=M7 (shift/+ N1+1+N0=N2) M7< N1>N2) (nat`compare/=) _
A12 A34 A24 A16
<- gt-implies-plus N1>N2 N3 N3+1+N2=N1
<- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3
<- succ-preserves-gt N1>N3 N1+1>N3+1
<- plus-total N3+1+B1=B3
<- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3
<- meta-gt _ _ B>B3
<- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1)
M311*M2=M3 M3*M4=M7 M2*M4=M6 M311*M6=M7
<- intersection-respects-eq (intersection/> M7<N1) _ (nat`compare/=)
A12 A34 A24 A16
<- gt-implies-plus N2>N1 N0 N0+1+N1=N2
<- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<-inversion A24 N0+1+N1=N2 M6 M022*M4=M6 M6<B1
<- meta-gt _ _ B>B1
<- intersection-associativeM _ BD1 M1*M022=M3 M3*M4=M7 M022*M4=M6 M1*M6=M7
<- shift-right-preserves-intersection M1*M6=M7 M6< N1>N2) _ (nat`compare/=)
A12 A34 A24 A16
<- gt-implies-plus N1>N2 N3 N3+1+N2=N1
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-commutative N3+N2+1=N1 N2+1+N3=N1
<- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3
<- succ-preserves-gt N1>N3 N1+1>N3+1
<- plus-total N3+1+B1=B3
<- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3
<- meta-gt _ _ B>B3
<- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1)
M311*M2=M3 M3*M344=M7 M2*M344=M6 M311*M6=M7
<- shift-preserves-intersection M311*M6=M7 (shift/+ N2+1+N3=N1) M6<N1) (nat`compare/< N4>N2) _
A12 A34 A24 A16
<- gt-implies-plus N2>N1 N0 N0+1+N1=N2
<- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<N2 N6 N6+1+N2=N4
<- intersection/<-inversion A24 N6+1+N2=N4 M6 M2*M644=M6 M6<B1
<- meta-gt _ _ B>B1
<- intersection-associativeM _ BD1 M1*M022=M3 M3*M744=M7
(intersection/< M6< N1>N2) (nat`compare/> N2>N4) _
A12 A34 A24 A16
<- gt-implies-plus N1>N2 N3 N3+1+N2=N1
<- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N4 N6 N6+1+N4=N2
<- intersection/>-inversion A24 N6+1+N4=N2 M6 M622*M4=M6 M6<N9
<- succ-preserves-gt N1>N9 N1+1>N9+1
<- plus-total N9+1+B1=B9
<- plus-right-preserves-gt* N1+1>N9+1 N1+1+B1=B N9+1+B1=B9 B>B9
<- meta-gt _ _ B>B9
<- intersection-associativeM _ (bound/+ N9+1+B1=B9 BD1)
M911*M622=S6M3 S6M3*M4=M7 M622*M4=M6 M911*M6=M7
<- shift-preserves-intersection M911*M6=M7 (shift/+ N4+1+N9=N1)
M6< N2>N4) (nat`compare/< N4>N1)
A12 A34 A24 A16
<- gt-implies-plus N2>N4 N6 N6+1+N4=N2
<- gt-implies-plus N4>N1 N5 N5+1+N1=N4
<- plus-swap-succ N5+1+N1=N4 N5+N1+1=N4
<- plus-associative-converse N5+N1+1=N4 N6+1+N4=N2 N0 N6+1+N5=N0 N0+N1+1=N2
<- plus-swap-succ-converse N0+N1+1=N2 N0+1+N1=N2
<- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<-inversion A24 N6+1+N4=N2 M6 M622*M4=M6 M6<B1
<- meta-gt _ _ B>B1
<- intersection-associativeM _ BD1 M1*M022=M3 M3*M544=M7 M022*M544=S5M6 M1*S5M6=M7
<- shift-right-preserves-intersection M1*S5M6=M7 S5M6<N2) (nat`compare/> N1>N4)
A12 A34 A24 A16
<- gt-implies-plus N4>N2 N6 N6+1+N2=N4
<- gt-implies-plus N1>N4 N5 N5+1+N4=N1
<- plus-swap-succ N6+1+N2=N4 N6+N2+1=N4
<- plus-associative-converse N6+N2+1=N4 N5+1+N4=N1 N3 N5+1+N6=N3 N3+N2+1=N1
<- plus-swap-succ-converse N3+N2+1=N1 N3+1+N2=N1
<- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3
<- succ-preserves-gt N1>N3 N1+1>N3+1
<- plus-total N3+1+B1=B3
<- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3
<- meta-gt _ _ B>B3
<- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1)
M311*M2=M3 M3*M644=M7 M2*M644=M6 M311*M6=M7
<- shift-preserves-intersection M311*M6=M7 (shift/+ N2+1+N3=N1) M6< N1>N2) _ (nat`compare/< N4>N1)
A12 A34 A24 A16
<- gt-implies-plus N1>N2 N3 N3+1+N2=N1
<- gt-implies-plus N4>N1 N5 N5+1+N1=N4
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 N5+1+N1=N4 N6 N5+1+N3=N6 N6+N2+1=N4
<- plus-swap-succ-converse N6+N2+1=N4 N6+1+N2=N4
<- intersection/>-inversion A12 N3+1+N2=N1 M3 M311*M2=M3 M3<N3
<- succ-preserves-gt N1>N3 N1+1>N3+1
<- plus-total N3+1+B1=B3
<- plus-right-preserves-gt* N1+1>N3+1 N1+1+B1=B N3+1+B1=B3 B>B3
<- meta-gt _ _ B>B3
<- intersection-associativeM _ (bound/+ N3+1+B1=B3 BD1)
M311*M2=M3 M3*M644=M7 M2*M644=M6 M311*M6=M7
<- shift-preserves-intersection M311*M6=M7 (shift/+ N2+1+N3=N1) M6<N1) _ (nat`compare/> N1>N4)
A12 A34 A24 A16
<- gt-implies-plus N2>N1 N0 N0+1+N1=N2
<- gt-implies-plus N1>N4 N5 N5+1+N4=N1
<- plus-swap-succ N5+1+N4=N1 N5+N4+1=N1
<- plus-associative-converse N5+N4+1=N1 N0+1+N1=N2 N6 N0+1+N5=N6 N6+N4+1=N2
<- plus-swap-succ-converse N6+N4+1=N2 N6+1+N4=N2
<- intersection/<-inversion A12 N0+1+N1=N2 M3 M1*M022=M3 M3<-inversion A24 N6+1+N4=N2 M6 M622*M4=M6 M6<N5
<- succ-preserves-gt N1>N5 N1+1>N5+1
<- plus-total N5+1+B1=B5
<- plus-right-preserves-gt* N1+1>N5+1 N1+1+B1=B N5+1+B1=B5 B>B5
<- meta-gt _ _ B>B5
<- intersection-associativeM _ (bound/+ N5+1+B1=B5 BD1)
M511*M622=S5M3 S5M3*M4=M7 M622*M4=M6 M511*M6=M7
<- shift-preserves-intersection M511*M6=M7 (shift/+ N4+1+N5=N1)
M6<}% X3*X4=X7).
%total {} (intersection-associative-converse* _ _ _ _).
%% intersection-assoc-commutative* (writing * for intersection):
%%   X1*X2 = X3,  X3*X4 = X7,  X1*X4 = X5   ==>   X5*X2 = X7
%% i.e. (X1*X2)*X4 = (X1*X4)*X2.  The starred form takes the derivation
%% of X1*X4 = X5 as an input; the unstarred version below constructs it.
%theorem intersection-assoc-commutative* :
forall* {X1} {X2} {X3} {X4} {X5} {X7}
forall {OP1:intersection X1 X2 X3} {OP2:intersection X3 X4 X7}
{OP3:intersection X1 X4 X5}
exists {OP4:intersection X5 X2 X7}
true.
%% Re-associate to X1*(X2*X4) = X7, commute the inner product to X4*X2,
%% then re-associate back the other way so X1*X4 becomes the left factor.
- : intersection-assoc-commutative* X1*X2=X3 X3*X4=X7 X1*X4=X5 X5*X2=X7
<- intersection-associative X1*X2=X3 X3*X4=X7 X6 X2*X4=X6 X1*X6=X7
<- intersection-commutative X2*X4=X6 X4*X2=X6
<- intersection-associative-converse* X4*X2=X6 X1*X6=X7 X1*X4=X5 X5*X2=X7.
%worlds () (intersection-assoc-commutative* X1*X2=X3 X3*X4=X7 X1*X4=X5 %{=>}% X5*X2=X7).
%total {} (intersection-assoc-commutative* _ _ _ _).
%% intersection-assoc-commutative: as the starred version, but the
%% intermediate X5 (= X1*X4) and its derivation are produced as outputs
%% rather than required as inputs.
%theorem intersection-assoc-commutative :
forall* {X1} {X2} {X3} {X4} {X7}
forall {OP1:intersection X1 X2 X3} {OP2:intersection X3 X4 X7}
exists {X5} {OP3:intersection X1 X4 X5} {OP4:intersection X5 X2 X7}
true.
%% Same derivation as the starred form; the unstarred associative-converse
%% supplies X5 along with both resulting derivations.
- : intersection-assoc-commutative X1*X2=X3 X3*X4=X7 X5 X1*X4=X5 X5*X2=X7
<- intersection-associative X1*X2=X3 X3*X4=X7 X6 X2*X4=X6 X1*X6=X7
<- intersection-commutative X2*X4=X6 X4*X2=X6
<- intersection-associative-converse X4*X2=X6 X1*X6=X7 X5 X1*X4=X5 X5*X2=X7.
%worlds () (intersection-assoc-commutative X1*X2=X3 X3*X4=X7 %{=>}% X5 X1*X4=X5 X5*X2=X7).
%total {} (intersection-assoc-commutative _ _ _ _ _).
%% intersection-double-associative*:
%%   (A*B)*(C*D) = X,  A*C = A+C,  B*D = B+D   ==>   (A+C)*(B+D) = X
%% Note the binder names A+B, C+D, A+C, B+D are just identifiers for the
%% pairwise intersections, not unions.
%theorem intersection-double-associative* :
forall* {A} {B} {C} {D} {A+B} {C+D} {A+C} {B+D} {X}
forall {AB:intersection A B A+B} {CD:intersection C D C+D} {ABCD:intersection A+B C+D X}
{AC:intersection A C A+C} {BD:intersection B D B+D}
exists {ACBD:intersection A+C B+D X}
true.
%% Peel X1 off the left, regroup X2 with X8 (commuting X4*X8 first),
%% commute again, then pull X4 over next to X1 via associative-converse.
- : intersection-double-associative* X1*X2=X3 X4*X8=XC X3*XC=XF X1*X4=X5 X2*X8=XA X5*XA=XF
<- intersection-associative X1*X2=X3 X3*XC=XF XE X2*XC=XE X1*XE=XF
<- intersection-commutative X4*X8=XC X8*X4=XC
<- intersection-associative-converse* X8*X4=XC X2*XC=XE X2*X8=XA XA*X4=XE
<- intersection-commutative XA*X4=XE X4*XA=XE
<- intersection-associative-converse* X4*XA=XE X1*XE=XF X1*X4=X5 X5*XA=XF.
%worlds () (intersection-double-associative* X1*X2=X3 X4*X8=XC X3*XC=XF X1*X4=X5 X2*X8=XA
%{=>}% X5*XA=XF).
%total {} (intersection-double-associative* _ _ _ _ _ _).
%% intersection-double-associative: unstarred form of the theorem above;
%% the cross intersections A*C and B*D are constructed here rather than
%% supplied by the caller.
%theorem intersection-double-associative :
forall* {A} {B} {C} {D} {A+B} {C+D} {X}
forall {AB:intersection A B A+B} {CD:intersection C D C+D} {ABCD:intersection A+B C+D X}
exists {A+C} {B+D} {AC:intersection A C A+C} {BD:intersection B D B+D}
{ACBD:intersection A+C B+D X}
true.
%% Same regrouping as the starred proof, using the unstarred
%% associative-converse so that XA and X5 are produced as outputs.
- : intersection-double-associative X1*X2=X3 X4*X8=XC X3*XC=XF X5 XA X1*X4=X5 X2*X8=XA X5*XA=XF
<- intersection-associative X1*X2=X3 X3*XC=XF XE X2*XC=XE X1*XE=XF
<- intersection-commutative X4*X8=XC X8*X4=XC
<- intersection-associative-converse X8*X4=XC X2*XC=XE XA X2*X8=XA XA*X4=XE
<- intersection-commutative XA*X4=XE X4*XA=XE
<- intersection-associative-converse X4*XA=XE X1*XE=XF X5 X1*X4=X5 X5*XA=XF.
%worlds () (intersection-double-associative _ _ _ _ _ _ _ _).
%total { } (intersection-double-associative _ _ _ _ _ _ _ _).
%theorem intersection-implies-leq* :
forall* {M1} {M2} {M3}
forall {A:intersection M1 M2 M3}
exists {L:leq M3 M1}
true.
- : intersection-implies-leq* intersection/L leq/0.
- : intersection-implies-leq* intersection/R leq/0.
- : intersection-implies-leq* (intersection/= M1*M2=M3 D1*D2=D3 nat`eq/)
(leq/= M3<=M1 D3<=D1 nat`eq/)
<- unit`intersection-implies-leq* D1*D2=D3 D3<=D1
<- intersection-implies-leq* M1*M2=M3 M3<=M1.
- : intersection-implies-leq* (intersection/< M3< M3< M400<=M1 N4+1+N1=N0) L2
(leq/> M400<=M3 N4+1+N1=N0)
<- leq/>-inversion L2 N4+1+N1=N0 M400<=M2
<- intersection-is-glb M1*M2=M3 M400<=M1 M400<=M2 M400<=M3.
- : intersection-is-glb (intersection/< M3< M500<=M1 N5+1+N1=N2) (leq/= M0<=M2 D0<=D2 nat`eq/)
M200<=S1M3
<- plus-right-cancels N5+1+N1=N2 N3+1+N1=N2 nat`eq/ nat`eq/ N5+1=N3+1
<- succ-cancels N5+1=N3+1 N5=N3
<- map/+-preserves-eq N5=N3 unit`eq/ eq/ M500=M300
<- leq-respects-eq M500<=M1 M500=M300 eq/ M300<=M1
<- intersection-is-glb M1*M322=M3 M300<=M1 (leq/= M0<=M2 D0<=D2 nat`eq/) M300<=M3
<- plus-swap-succ N3+1+N1=N2 N3+N1+1=N2
<- plus-commutative N3+N1+1=N2 N1+1+N3=N2
<- shift-preserves-leq* M300<=M3 (shift/+ N1+1+N3=N2) M3< M500<=M1 N5+1+N1=N0) (leq/> M600<=M2 N6+1+N2=N0)
M000<=S1M3
<- plus-swap-succ N3+1+N1=N2 N3+N1+1=N2
<- plus-associative-converse N3+N1+1=N2 N6+1+N2=N0
N5' N6+1+N3=N5' N5'+N1+1=N0
<- plus-swap-succ N5+1+N1=N0 N5+N1+1=N0
<- plus-right-cancels N5'+N1+1=N0 N5+N1+1=N0 nat`eq/ nat`eq/ N5'=N5
<- plus-respects-eq N6+1+N3=N5' nat`eq/ nat`eq/ N5'=N5 N6+1+N3=N5
<- plus-swap-succ N6+1+N3=N5 N6+N3+1=N5
<- plus-commutative N6+N3+1=N5 N3+1+N6=N5
<- shift-left-preserves-leq* M600<=M2 (shift/+ N3+1+N6=N5) M500<=M322
<- intersection-is-glb M1*M322=M3 M500<=M1 M500<=M322 M500<=M3
<- plus-commutative N5+N1+1=N0 N1+1+N5=N0
<- shift-preserves-leq* M500<=M3 (shift/+ N1+1+N5=N0) M3< M3<-inversion L2 N3+1+N2=N1 M300<=M2
<- intersection-is-glb M311*M2=M3 (leq/= M0<=M1 D0<=D1 nat`eq/) M300<=M2 M300<=M3
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-commutative N3+N2+1=N1 N2+1+N3=N1
<- shift-preserves-leq* M300<=M3 (shift/+ N2+1+N3=N1) M3< M3< M500<=M1 N5+1+N1=N0) L2
M000<=S2M3
<- plus-swap-succ N3+1+N2=N1 N3+N2+1=N1
<- plus-associative-converse N3+N2+1=N1 N5+1+N1=N0
N6 N5+1+N3=N6 N6+N2+1=N0
<- plus-swap-succ-converse N6+N2+1=N0 N6+1+N2=N0
<- leq/>-inversion L2 N6+1+N2=N0 M600<=M2
<- plus-swap-succ N5+1+N3=N6 N5+N3+1=N6
<- plus-commutative N5+N3+1=N6 N3+1+N5=N6
<- shift-left-preserves-leq* M500<=M1 (shift/+ N3+1+N5=N6) M600<=M311
<- intersection-is-glb M311*M2=M3 M600<=M311 M600<=M2 M600<=M3
<- plus-commutative N6+N2+1=N0 N2+1+N6=N0
<- shift-preserves-leq* M600<=M3 (shift/+ N2+1+N6=N0) M3< M3<-inversion M111*M244=M N3+1+N2=N1 M5 M311*M4=M5 M5< M622<=M4 N6+1+N4=N2)
(intersection/= M1*M2=M3 D1*D2=D3 nat`eq/) % N1=N2
M211*M444=M M233<=M
<- intersection/>-inversion M211*M444=M N6+1+N4=N2 M5 M611*M4=M5 M5< M622<=M4 N6+1+N4=N2)
(intersection/> M3<-inversion M111*M444=M N5+1+N4=N1 M5 M511*M4=M5 M5< M3< M622<=M4 N6+1+N4=N2)
A1 (intersection/= M1*M4=M5 D1*D4=D5 nat`eq/)
S1M3<=M455
<- intersection/<-inversion A1 N6+1+N4=N2 M3 M1*M622=M3 M3< M622<=M4 N6+1+N4=N2)
A1 (intersection/< M5< M5<-inversion L N6+1+N4=N2 M622<=M4
<- plus-swap-succ N0+1+N5=N6 N0+N5+1=N6
<- plus-commutative N0+N5+1=N6 N5+1+N0=N6
<- shift-total M3<}% X4<=X5).
%total {} (intersection-right-preserves-leq* _ _ _ _).
%theorem intersection-right-distributes-over-union :
forall* {M1} {M2} {M3} {M4} {M7}
forall {J12:union M1 M2 M3} {A34:intersection M3 M4 M7}
exists {M5} {M6} {A14:intersection M1 M4 M5} {A24:intersection M2 M4 M6}
{J56:union M5 M6 M7}
true.
- : intersection-right-distributes-over-union union/L A24 _ _ intersection/L A24 union/L.
- : intersection-right-distributes-over-union union/R A14 _ _ A14 intersection/L union/R.
- : intersection-right-distributes-over-union _ intersection/R _ _ intersection/R intersection/R union/L.
- : intersection-right-distributes-over-union (union/= M1+M2=M3 D1+D2=D3 nat`eq/) intersection/R
_ _ intersection/R intersection/R union/L.
- : intersection-right-distributes-over-union (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(intersection/= M3*M4=M7 D3*D4=D7 nat`eq/) _ _
(intersection/= M1*M4=M5 D1*D4=D5 nat`eq/)
(intersection/= M2*M4=M6 D2*D4=D6 nat`eq/)
(union/= M5+M6=M7 D5+D6=D7 nat`eq/)
<- intersection-right-distributes-over-union M1+M2=M3 M3*M4=M7 _ _
M1*M4=M5 M2*M4=M6 M5+M6=M7
<- unit`intersection-right-distributes-over-union D1+D2=D3 D3*D4=D7 _ _
D1*D4=D5 D2*D4=D6 D5+D6=D7.
- : intersection-right-distributes-over-union (union/= M1+M2=M3 D1+D2=D3 nat`eq/)
(intersection/< M7< M7< M5< M6< M6< M7< M5< M6< M311+M2=M3 N3+1+N2=N1)
(intersection/= M3*M4=M7 D2*D4=D7 nat`eq/)
_ _ (intersection/> M5< M311+M2=M3 N3+1+N2=N1)
(intersection/< M7< M311+M2=M3 N3+1+N2=N1)
(intersection/> M7< M5< M6<}% X5+X6=X7).
%total {} (intersection-right-distributes-over-union* _ _ _ _ _).
%% intersection-left-distributes-over-union* (writing + for union):
%%   X2+X4 = X6,  X1*X6 = X7,  X1*X2 = X3,  X1*X4 = X5   ==>   X3+X5 = X7
%% i.e. X1*(X2+X4) = (X1*X2)+(X1*X4).  Obtained from the right-handed law
%% by commuting every intersection involved.
%theorem intersection-left-distributes-over-union* :
forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
forall {A12:union X2 X4 X6} {M34:intersection X1 X6 X7}
{M14:intersection X1 X2 X3} {M24:intersection X1 X4 X5}
exists {A56:union X3 X5 X7}
true.
- : intersection-left-distributes-over-union* X2+X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5 X3+X5=X7
<- intersection-commutative X1*X6=X7 X6*X1=X7
<- intersection-commutative X1*X2=X3 X2*X1=X3
<- intersection-commutative X1*X4=X5 X4*X1=X5
<- intersection-right-distributes-over-union* X2+X4=X6 X6*X1=X7 X2*X1=X3 X4*X1=X5
X3+X5=X7.
%worlds () (intersection-left-distributes-over-union* X2+X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5
%{=>}% X3+X5=X7).
%total {} (intersection-left-distributes-over-union* _ _ _ _ _).
%% intersection-left-distributes-over-union: unstarred form; the two
%% component intersections X3 = X1*X2 and X5 = X1*X4 are built with
%% intersection-total and then handed to the starred lemma.
%theorem intersection-left-distributes-over-union :
forall* {X1} {X2} {X4} {X6} {X7}
forall {A12:union X2 X4 X6} {M34:intersection X1 X6 X7}
exists {X3} {X5} {M14:intersection X1 X2 X3} {M24:intersection X1 X4 X5}
{A56:union X3 X5 X7}
true.
- : intersection-left-distributes-over-union X2+X4=X6 X1*X6=X7
X3 X5 X1*X2=X3 X1*X4=X5 X3+X5=X7
<- intersection-total X1*X2=X3
<- intersection-total X1*X4=X5
<- intersection-left-distributes-over-union* X2+X4=X6 X1*X6=X7 X1*X2=X3 X1*X4=X5
X3+X5=X7.
%worlds () (intersection-left-distributes-over-union X2+X4=X6 X1*X6=X7
%{=>}% X3 X5 X1*X2=X3 X1*X4=X5 X3+X5=X7).
%total {} (intersection-left-distributes-over-union _ _ _ _ _ _ _).
%% intersection-right-factors-over-union*: the converse direction of
%% right distributivity,
%%   X1*X4 = X5,  X2*X4 = X6,  X5+X6 = X7,  X1+X2 = X3   ==>   X3*X4 = X7
%% Proof pattern used by all the "factors" lemmas: compute X3*X4 = Y7
%% totally, distribute to get X5+X6 = Y7, then identify Y7 with X7 via
%% determinism of union and transport the derivation along the equality.
%theorem intersection-right-factors-over-union* :
forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
forall {M14:intersection X1 X4 X5} {M24:intersection X2 X4 X6} {A56:union X5 X6 X7}
{A12:union X1 X2 X3}
exists {M34:intersection X3 X4 X7}
true.
- : intersection-right-factors-over-union* X1*X4=X5 X2*X4=X6 X5+X6=X7 X1+X2=X3 X3*X4=X7
<- intersection-total X3*X4=Y7
<- intersection-right-distributes-over-union* X1+X2=X3 X3*X4=Y7 X1*X4=X5 X2*X4=X6
X5+X6=Y7
<- union-deterministic X5+X6=Y7 X5+X6=X7 eq/ eq/ Y7=X7
<- intersection-respects-eq X3*X4=Y7 eq/ eq/ Y7=X7 X3*X4=X7.
%worlds () (intersection-right-factors-over-union* X1*X4=X5 X2*X4=X6 X5+X6=X7 X1+X2=X3
%{=>}% X3*X4=X7 ).
%total {} (intersection-right-factors-over-union* _ _ _ _ _).
%% intersection-left-factors-over-union*: converse of left distributivity,
%%   X1*X2 = X3,  X1*X4 = X5,  X3+X5 = X7,  X2+X4 = X6   ==>   X1*X6 = X7
%% Same total/distribute/deterministic/respects-eq pattern as the
%% right-handed lemma above.
%theorem intersection-left-factors-over-union* :
forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
forall {M12:intersection X1 X2 X3} {M14:intersection X1 X4 X5}
{A35:union X3 X5 X7} {A24:union X2 X4 X6}
exists {M16:intersection X1 X6 X7}
true.
- : intersection-left-factors-over-union* X1*X2=X3 X1*X4=X5 X3+X5=X7 X2+X4=X6
X1*X6=X7
<- intersection-total X1*X6=Y7
<- intersection-left-distributes-over-union* X2+X4=X6 X1*X6=Y7 X1*X2=X3 X1*X4=X5
X3+X5=Y7
<- union-deterministic X3+X5=Y7 X3+X5=X7 eq/ eq/ Y7=X7
<- intersection-respects-eq X1*X6=Y7 eq/ eq/ Y7=X7 X1*X6=X7.
%worlds () (intersection-left-factors-over-union* X1*X2=X3 X1*X4=X5 X3+X5=X7 X2+X4=X6
%{=>}% X1*X6=X7).
%total {} (intersection-left-factors-over-union* _ _ _ _ _).
%%%%% set-extra.elf
%%%%% Extra theorems about sets not derived from map.
%%%%% This file is part of the set.elf signature
%%%% Theorems
%% union-right-distributes-over-intersection (writing * for intersection
%% and + for union):
%%   (S1 * S2) + S4  =  (S1 + S4) * (S2 + S4)
%% This is the one distributive law not inherited from map.  It is derived
%% from the two intersection-over-union laws plus two absorption steps:
%%   S5 * S6 = (S1 + S4) * S6 = (S1 * S6) + (S4 * S6)      [right-dist.]
%%           = (S1 * S6) + S4                                [S4 <= S6]
%%           = ((S1 * S2) + (S1 * S4)) + S4                  [left-dist.]
%%           = S3 + (S9 + S4) = S3 + S4                      [S9 <= S4]
%% and union-deterministic then identifies S3 + S4 with the given S7.
%theorem union-right-distributes-over-intersection :
forall* {S1} {S2} {S3} {S4} {S7}
forall {I12:intersection S1 S2 S3} {U34:union S3 S4 S7}
exists {S5} {S6} {U14:union S1 S4 S5} {U24:union S2 S4 S6}
{I56:intersection S5 S6 S7}
true.
- : union-right-distributes-over-intersection S1*S2=S3 S3+S4=S7 S5 S6
S1+S4=S5 S2+S4=S6 S5*S6=S7
<- union-total S1+S4=S5
<- union-total S2+S4=S6
<- intersection-total S5*S6=S7'
<- union-implies-leq S2+S4=S6 _ S4<=S6
<- leq-implies-intersection S4<=S6 S4*S6=S4
<- intersection-total S1*S6=S8
<- intersection-total S1*S4=S9
<- intersection-right-distributes-over-union* S1+S4=S5 S5*S6=S7'
S1*S6=S8 S4*S6=S4 S8+S4=S7'
<- intersection-left-distributes-over-union* S2+S4=S6 S1*S6=S8
S1*S2=S3 S1*S4=S9 S3+S9=S8
<- intersection-implies-leq S1*S4=S9 _ S9<=S4
<- leq-implies-union S9<=S4 S9+S4=S4
<- union-associative* S3+S9=S8 S8+S4=S7' S9+S4=S4 S3+S4=S7'
<- union-deterministic S3+S4=S7' S3+S4=S7 eq/ eq/ S7'=S7
<- intersection-respects-eq S5*S6=S7' eq/ eq/ S7'=S7 S5*S6=S7.
%worlds () (union-right-distributes-over-intersection _ _ _ _ _ _ _).
%total { } (union-right-distributes-over-intersection _ _ _ _ _ _ _).
%% union-right-distributes-over-intersection*: starred form in which the
%% caller supplies the unions X5 = X1+X4 and X6 = X2+X4.  The unstarred
%% theorem produces its own Y5, Y6; union-deterministic identifies them
%% with X5, X6 and the intersection is transported along those equalities.
%theorem union-right-distributes-over-intersection* :
forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
forall {A12:intersection X1 X2 X3} {M34:union X3 X4 X7}
{M14:union X1 X4 X5} {M24:union X2 X4 X6}
exists {A56:intersection X5 X6 X7}
true.
- : union-right-distributes-over-intersection* X1*X2=X3 X3+X4=X7 X1+X4=X5 X2+X4=X6 X5*X6=X7
<- union-right-distributes-over-intersection X1*X2=X3 X3+X4=X7 Y5 Y6
X1+X4=Y5 X2+X4=Y6 Y5*Y6=X7
<- union-deterministic X1+X4=Y5 X1+X4=X5 eq/ eq/ Y5=X5
<- union-deterministic X2+X4=Y6 X2+X4=X6 eq/ eq/ Y6=X6
<- intersection-respects-eq Y5*Y6=X7 Y5=X5 Y6=X6 eq/ X5*X6=X7.
%worlds () (union-right-distributes-over-intersection* X1*X2=X3 X3+X4=X7 X1+X4=X5 X2+X4=X6
%{=>}% X5*X6=X7).
%total {} (union-right-distributes-over-intersection* _ _ _ _ _).
%% union-left-distributes-over-intersection*:
%%   X2*X4 = X6,  X1+X6 = X7,  X1+X2 = X3,  X1+X4 = X5   ==>   X3*X5 = X7
%% i.e. X1+(X2*X4) = (X1+X2)*(X1+X4).  Reduced to the right-handed law by
%% commuting each union.
%theorem union-left-distributes-over-intersection* :
forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
forall {A12:intersection X2 X4 X6} {M34:union X1 X6 X7}
{M14:union X1 X2 X3} {M24:union X1 X4 X5}
exists {A56:intersection X3 X5 X7}
true.
- : union-left-distributes-over-intersection* X2*X4=X6 X1+X6=X7 X1+X2=X3 X1+X4=X5 X3*X5=X7
<- union-commutative X1+X6=X7 X6+X1=X7
<- union-commutative X1+X2=X3 X2+X1=X3
<- union-commutative X1+X4=X5 X4+X1=X5
<- union-right-distributes-over-intersection* X2*X4=X6 X6+X1=X7 X2+X1=X3 X4+X1=X5
X3*X5=X7.
%worlds () (union-left-distributes-over-intersection* X2*X4=X6 X1+X6=X7 X1+X2=X3 X1+X4=X5
%{=>}% X3*X5=X7).
%total {} (union-left-distributes-over-intersection* _ _ _ _ _).
%% union-left-distributes-over-intersection: unstarred form; the unions
%% X3 = X1+X2 and X5 = X1+X4 are constructed with union-total before
%% calling the starred lemma.
%theorem union-left-distributes-over-intersection :
forall* {X1} {X2} {X4} {X6} {X7}
forall {A12:intersection X2 X4 X6} {M34:union X1 X6 X7}
exists {X3} {X5} {M14:union X1 X2 X3} {M24:union X1 X4 X5}
{A56:intersection X3 X5 X7}
true.
- : union-left-distributes-over-intersection X2*X4=X6 X1+X6=X7
X3 X5 X1+X2=X3 X1+X4=X5 X3*X5=X7
<- union-total X1+X2=X3
<- union-total X1+X4=X5
<- union-left-distributes-over-intersection* X2*X4=X6 X1+X6=X7 X1+X2=X3 X1+X4=X5
X3*X5=X7.
%worlds () (union-left-distributes-over-intersection X2*X4=X6 X1+X6=X7
%{=>}% X3 X5 X1+X2=X3 X1+X4=X5 X3*X5=X7).
%total {} (union-left-distributes-over-intersection _ _ _ _ _ _ _).
%% union-right-factors-over-intersection: converse of right distributivity,
%%   X1+X4 = X5,  X2+X4 = X6,  X5*X6 = X7   ==>   exists X3. X1*X2 = X3,  X3+X4 = X7
%% X3 is built with intersection-total; X3+X4 = Y7 is then distributed,
%% intersection-deterministic identifies Y7 with X7, and the union is
%% transported along that equality.
%theorem union-right-factors-over-intersection :
forall* {X1} {X2} {X4} {X5} {X6} {X7}
forall {M14:union X1 X4 X5} {M24:union X2 X4 X6} {A56:intersection X5 X6 X7}
exists {X3} {A12:intersection X1 X2 X3} {M34:union X3 X4 X7}
true.
- : union-right-factors-over-intersection X1+X4=X5 X2+X4=X6 X5*X6=X7 X3 X1*X2=X3 X3+X4=X7
<- intersection-total X1*X2=X3
<- union-total X3+X4=Y7
<- union-right-distributes-over-intersection* X1*X2=X3 X3+X4=Y7 X1+X4=X5 X2+X4=X6
X5*X6=Y7
<- intersection-deterministic X5*X6=Y7 X5*X6=X7 eq/ eq/ Y7=X7
<- union-respects-eq X3+X4=Y7 eq/ eq/ Y7=X7 X3+X4=X7.
%worlds () (union-right-factors-over-intersection X1+X4=X5 X2+X4=X6 X5*X6=X7
%{=>}% X3 X1*X2=X3 X3+X4=X7 ).
%total {} (union-right-factors-over-intersection _ _ _ _ _ _).
%% union-right-factors-over-intersection*: as the unstarred version, but
%% the intersection X1*X2 = X3 is an input.  Only the X3-construction step
%% is dropped from the proof.
%theorem union-right-factors-over-intersection* :
forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
forall {M14:union X1 X4 X5} {M24:union X2 X4 X6} {A56:intersection X5 X6 X7}
{A12:intersection X1 X2 X3}
exists {M34:union X3 X4 X7}
true.
- : union-right-factors-over-intersection* X1+X4=X5 X2+X4=X6 X5*X6=X7 X1*X2=X3 X3+X4=X7
<- union-total X3+X4=Y7
<- union-right-distributes-over-intersection* X1*X2=X3 X3+X4=Y7 X1+X4=X5 X2+X4=X6
X5*X6=Y7
<- intersection-deterministic X5*X6=Y7 X5*X6=X7 eq/ eq/ Y7=X7
<- union-respects-eq X3+X4=Y7 eq/ eq/ Y7=X7 X3+X4=X7.
%worlds () (union-right-factors-over-intersection* X1+X4=X5 X2+X4=X6 X5*X6=X7 X1*X2=X3
%{=>}% X3+X4=X7 ).
%total {} (union-right-factors-over-intersection* _ _ _ _ _).
%% union-left-factors-over-intersection: converse of left distributivity,
%%   X1+X2 = X3,  X1+X4 = X5,  X3*X5 = X7   ==>   exists X6. X2*X4 = X6,  X1+X6 = X7
%% Reduced to the right-handed factoring lemma by commuting the unions on
%% the way in and commuting the result on the way out.
%theorem union-left-factors-over-intersection :
forall* {X1} {X2} {X3} {X4} {X5} {X7}
forall {M12:union X1 X2 X3} {M14:union X1 X4 X5} {A35:intersection X3 X5 X7}
exists {X6} {A24:intersection X2 X4 X6} {M16:union X1 X6 X7}
true.
- : union-left-factors-over-intersection X1+X2=X3 X1+X4=X5 X3*X5=X7 X6 X2*X4=X6 X1+X6=X7
<- union-commutative X1+X2=X3 X2+X1=X3
<- union-commutative X1+X4=X5 X4+X1=X5
<- union-right-factors-over-intersection X2+X1=X3 X4+X1=X5 X3*X5=X7 X6 X2*X4=X6 X6+X1=X7
<- union-commutative X6+X1=X7 X1+X6=X7.
%worlds () (union-left-factors-over-intersection X1+X2=X3 X1+X4=X5 X3*X5=X7
%{=>}% X6 X2*X4=X6 X1+X6=X7).
%total {} (union-left-factors-over-intersection _ _ _ _ _ _).
%% union-left-factors-over-intersection*: starred form with X2*X4 = X6
%% given.  Unlike the unstarred version it does not go through
%% commutativity; it uses the left distributive law directly and the usual
%% total / deterministic / respects-eq identification of Y7 with X7.
%theorem union-left-factors-over-intersection* :
forall* {X1} {X2} {X3} {X4} {X5} {X6} {X7}
forall {M12:union X1 X2 X3} {M14:union X1 X4 X5}
{A35:intersection X3 X5 X7} {A24:intersection X2 X4 X6}
exists {M16:union X1 X6 X7}
true.
- : union-left-factors-over-intersection* X1+X2=X3 X1+X4=X5 X3*X5=X7 X2*X4=X6
X1+X6=X7
<- union-total X1+X6=Y7
<- union-left-distributes-over-intersection* X2*X4=X6 X1+X6=Y7 X1+X2=X3 X1+X4=X5
X3*X5=Y7
<- intersection-deterministic X3*X5=Y7 X3*X5=X7 eq/ eq/ Y7=X7
<- union-respects-eq X1+X6=Y7 eq/ eq/ Y7=X7 X1+X6=X7.
%worlds () (union-left-factors-over-intersection* X1+X2=X3 X1+X4=X5 X3*X5=X7 X2*X4=X6
%{=>}% X1+X6=X7).
%total {} (union-left-factors-over-intersection* _ _ _ _ _).
%%% set membership w.r.t. union:
%% union-left-preserves-member*: an element of the right operand S2 is an
%% element of the union S3.  Membership is lookup with datum unit/ (see the
%% `member` abbreviation below).  Thin wrapper over union-left-affects-lookup,
%% whose extra (ignored) output is presumably the datum found in S3.
%% NOTE(review): the premise and the conclusion are both named M here; the
%% clause below calls the conclusion M', which reads better.
%theorem union-left-preserves-member* :
forall* {S1} {S2} {S3} {N}
forall {M:lookup S2 N unit/}
{U:union S1 S2 S3}
exists {M:lookup S3 N unit/}
true.
- : union-left-preserves-member* M U M'
<- union-left-affects-lookup M U _ M'.
%worlds () (union-left-preserves-member* _ _ _).
%total { } (union-left-preserves-member* _ _ _).
%% union-right-preserves-member*: an element of the left operand S1 is an
%% element of the union S3.  Mirror of union-left-preserves-member*, via
%% union-right-affects-lookup.
%% NOTE(review): premise and conclusion share the binder name M, as above.
%theorem union-right-preserves-member* :
forall* {S1} {S2} {S3} {N}
forall {M:lookup S1 N unit/}
{U:union S1 S2 S3}
exists {M:lookup S3 N unit/}
true.
- : union-right-preserves-member* M U M'
<- union-right-affects-lookup M U _ M'.
%worlds () (union-right-preserves-member* _ _ _).
%total { } (union-right-preserves-member* _ _ _).
%%%% Redefinitions
%{%
This file includes definitions of operations with
more appropriate names and/or arguments than the
ones created by map.
%}%
%% A set is a map whose every datum is unit/; set/+ fixes the datum so
%% clients never mention it.
%abbrev set = map.
%abbrev set/0 = map/0.
%abbrev set/+ = [N] [S] (map/+ N unit/ S).
%% To avoid nasty skolemization functions, we do some explicit typing:
%% The unit-level equality argument of the map lemmas is always unit`eq/.
%abbrev set/+-preserves-eq = [NE:nat`eq N NP] [ME:eq M MP]
(map/+-preserves-eq NE unit`eq/ ME).
%abbrev set/+-preserves-leq = [NE:nat`eq N NP] [ML:leq M MP]
(map/+-preserves-leq NE unit`eq/ ML).
%% N is a member of S iff looking N up in S yields unit/.
%abbrev member = [S] [N] lookup S N unit/.
%% 'join' and 'meet' and converted using CPP,
%% but some names don't quite work:
%% NOTE(review): both of these re-bind an existing constructor name and
%% both pass unit`union/ as the unit-level evidence, including the
%% intersection one -- confirm Twelf accepts the shadowing and that the
%% unit intersection relation is indeed unit`union (or an alias of it).
%abbrev union/= = [U] [E:nat`eq N1 N2] union/= U unit`union/ E.
%abbrev intersection/= = [I] [E:nat`eq N1 N2] intersection/= I unit`union/ E.
%% Adding N to a set is updating the map at N with datum unit/.
%abbrev add = [S1] [N] [S2] update S1 N unit/ S2.
%%% Theorem renamings.
%% using "member"
%abbrev false-implies-member = false-implies-lookup.
%abbrev not-member-member-implies-ne = not-member-lookup-not-equal.
%abbrev in-implies-member = in-implies-lookup.
%% The lookup lemmas carry a datum-equality argument; for sets it is unit`eq/.
%abbrev member-respects-eq =
[L:member M N] [EM:eq M MP] [EN:nat`eq N NP] [LP:member MP NP]
lookup-respects-eq L EM EN unit`eq/ LP.
%abbrev member-respects-leq =
[L:member M N] [EM:leq M MP] [LP:member MP N]
lookup-respects-leq L EM unit/ LP unit`eq/.
%% using "add"
%abbrev false-implies-add = false-implies-update.
%abbrev add-respects-eq = update-respects-eq.
%abbrev add-deterministic = update-deterministic.
%abbrev add-total* = update-total*.
%abbrev add-implies-member = update-implies-lookup.
%abbrev add-preserves-member = update-preserves-lookup.
%abbrev add-preserves-not-member = update-preserves-not-member.
%abbrev add-preserves-membership = update-preserves-membership.
%abbrev add-overwrites = update-overwrites.
%abbrev add-idempotent = update-idempotent.
%abbrev add-commutes = update-commutes.
%abbrev add-commutes* = update-commutes*.
%% Only the left-operand form of update's leq lemma is re-exported.
%abbrev add-preserves-leq* = update-left-preserves-leq*.
%% using "union"
% nothing yet
%%%%% set-remove.elf
%%%%% Set subtraction.
%%%%% This file is part of the set.elf signature
%%%% Definitions
%%% removal
%% remove S1 S2 S3 : set difference, S3 = S1 \ S2.  Defined by comparing
%% the two head keys N1 and N2; the plus (s N) premise is the evidence for
%% which one is smaller, in the same style as union/intersection on map.
%% The recursion in remove/< and remove/> re-bases the larger head
%% (N2 = N0+1+N1 becomes N0; N1 = N3+1+N2 becomes N3) and the results of
%% remove/= and remove/> are re-based with shift, which suggests keys are
%% stored as offsets from the preceding key -- confirm against map.elf.
remove : set -> set -> set -> type.
%% Nothing to remove from the empty set.
remove/L : remove set/0 _ set/0.
%% Removing nothing leaves S unchanged.
remove/R : remove S set/0 S.
%% Equal heads: drop the element, take the difference of the tails, and
%% shift the result by N1.
remove/= : remove (set/+ N1 S1) (set/+ N2 S2) S1S3
<- nat`eq N1 N2
<- remove S1 S2 S3
<- shift N1 S3 S1S3.
%% N1 < N2: N1 is not in S2, so it stays; continue with S1 against S2
%% whose head is re-based to N0.
remove/< : remove (set/+ N1 S1) (set/+ N2 S2) (set/+ N1 S3)
<- plus (s N0) N1 N2
<- remove S1 (set/+ N0 S2) S3.
%% N1 > N2: skip N2; continue with S1 (head re-based to N3) against S2,
%% then shift the result by N2.
remove/> : remove (set/+ N1 S1) (set/+ N2 S2) S2S3
<- plus (s N3) N2 N1
<- remove (set/+ N3 S1) S2 S3
<- shift N2 S3 S2S3.
%%%% Theorems
%%% Theorems about remove
%% false-implies-remove: ex falso for remove.  There are no clauses: void
%% has no inhabitants, so coverage checking succeeds vacuously.  Used by the
%% inversion lemmas below to discharge impossible cases.
%theorem false-implies-remove :
forall* {S1} {S2} {S3}
forall {F:void}
exists {D:remove S1 S2 S3}
true.
%worlds () (false-implies-remove _ %{=>}% S1-S2=S3).
%total {} (false-implies-remove _ _).
%% remove-respects-eq: transport a remove derivation along equalities on
%% all three sets.  Because the representation is adequate, eq has the
%% single constructor eq/, so one clause covers everything and the output
%% derivation is the input itself (recorded by the %reduces below).
%theorem remove-respects-eq :
forall* {S1} {S2} {S3} {T1} {T2} {T3}
forall {DS:remove S1 S2 S3}
{E1:eq S1 T1} {E2:eq S2 T2} {E3:eq S3 T3}
exists {DT:remove T1 T2 T3}
true.
- : remove-respects-eq R eq/ eq/ eq/ R.
%worlds () (remove-respects-eq S1-S2=S3 S1=T1 S2=T2 S3=T3 %{=>}% T1-T2=T3).
%total {} (remove-respects-eq _ _ _ _ _).
%reduces R = R' (remove-respects-eq R _ _ _ R').
%theorem remove/=-inversion :
forall* {N1} {S1} {N2} {S2} {S}
forall {R:remove (set/+ N1 S1) (set/+ N2 S2) S}
{E:nat`eq N1 N2}
exists {S3} {R':remove S1 S2 S3} {SH:shift N1 S3 S}
true.
- : remove/=-inversion (remove/= S3<N
<- gt-anti-reflexive N>N F
<- false-implies-eq F S02=S2
<- remove-respects-eq S1-S02=S3 eq/ S02=S2 eq/ R
<- false-implies-shift F SH.
- : remove/=-inversion (remove/> S3<N
<- gt-anti-reflexive N>N F
<- false-implies-eq F S31=S1
<- remove-respects-eq S31-S2=S3 S31=S1 eq/ eq/ R.
%worlds () (remove/=-inversion _ _ _ _ _).
%total { } (remove/=-inversion _ _ _ _ _).
%reduces R < R' (remove/=-inversion R' _ _ R _).
%% remove/<-inversion: given remove (set/+ N1 S1) (set/+ N2 S2) S and
%% evidence N2 = N0+1+N1, recover the sub-derivation remove S1 (set/+ N0 S2) S3
%% and the fact that S is (set/+ N1 S3).  The %reduces at the end records
%% that the recovered derivation is a strict subterm, so callers can
%% recurse on it while still passing Twelf's termination check.
%theorem remove/<-inversion :
forall* {N1} {S1} {N2} {S2} {S} {N0}
forall {R:remove (set/+ N1 S1) (set/+ N2 S2) S}
{P:plus (s N0) N1 N2}
exists {S3} {R':remove S1 (set/+ N0 S2) S3} {E:eq (set/+ N1 S3) S}
true.
%% remove/< was used: its own offset N0' must equal the given N0 (cancel
%% N1 on the right, then the successor); rewrite the sub-derivation.
- : remove/<-inversion (remove/< S1-S0'2=S3 N0'+1+N1=N2) N0+1+N1=N2
_ S1-S02=S3 eq/
<- plus-right-cancels N0'+1+N1=N2 N0+1+N1=N2 nat`eq/ nat`eq/ N0'+1=N0+1
<- succ-cancels N0'+1=N0+1 N0'=N0
<- set/+-preserves-eq N0'=N0 eq/ S0'2=S02
<- remove-respects-eq S1-S0'2=S3 eq/ S0'2=S02 eq/ S1-S02=S3.
%% remove/= is impossible: with N1 = N2 the premise says N0+1+N = N,
%% i.e. N > N.  Everything required is conjured from the contradiction.
- : remove/<-inversion (remove/= _ S1-S2=S3 nat`eq/) N0+1+N=N _ S1-S02=S3 S13=S
<- plus-implies-gt N0+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F S2=S02
<- remove-respects-eq S1-S2=S3 eq/ S2=S02 eq/ S1-S02=S3
<- false-implies-eq F S13=S.
%% remove/> is impossible: it asserts N1 > N2 while the premise gives
%% N2 > N1; gt-anti-symmetric yields the contradiction.
- : remove/<-inversion (remove/> _ S31-S2=S3 N3+1+N2=N1) N0+1+N1=N2 _ S1-S02=S3
S13=S
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F S31=S1
<- false-implies-eq F S2=S02
<- remove-respects-eq S31-S2=S3 S31=S1 S2=S02 eq/ S1-S02=S3
<- false-implies-eq F S13=S.
%worlds () (remove/<-inversion _ _ _ _ _).
%total { } (remove/<-inversion _ _ _ _ _).
%reduces R < R' (remove/<-inversion R' _ _ R _).
%{%
remove/>-inversion is the mirror image of remove/<-inversion for N2 < N1
(P : plus (s N3) N2 N1): it extracts R' : remove (set/+ N3 S1) S2 S3 together
with SH : shift N2 S3 S.
%}%
%theorem remove/>-inversion :
forall* {N1} {S1} {N2} {S2} {S} {N3}
forall {R:remove (set/+ N1 S1) (set/+ N2 S2) S}
{P:plus (s N3) N2 N1}
exists {S3} {R':remove (set/+ N3 S1) S2 S3} {SH:shift N2 S3 S}
true.
% NOTE(review): the clause below is corrupted in this copy.  The text between
% `S3<` and `-inversion` has been dropped, so the remove/> case (the only one
% not refuted, hence the one that really produces the shift) and the head
% `- : remove/>-inversion` of the remove/= case have been run together,
% leaving a parenthesis unclosed.  What survives is the body of the remove/=
% case: N1 = N2 makes P : plus (s N3) N N contradictory, and the outputs are
% manufactured from F with false-implies-eq and false-implies-shift.  Restore
% the remove/> case from the original source before relying on the %total
% check below.
- : remove/>-inversion (remove/> S3<-inversion (remove/= _ S1-S2=S3 nat`eq/) N3+1+N=N _ R SH
<- plus-implies-gt N3+1+N=N nat`eq/ N>N
<- gt-anti-reflexive N>N F
<- false-implies-eq F S1=S31
<- remove-respects-eq S1-S2=S3 S1=S31 eq/ eq/ R
<- false-implies-shift F SH.
% remove/<: the derivation's plus evidence N0+1+N1=N2 gives N2 > N1 while P
% gives N1 > N2; nat`gt-anti-symmetric refutes the pair and both outputs come
% from F.
- : remove/>-inversion (remove/< S1-S02=S3 N0+1+N1=N2) N3+1+N2=N1 _ R SH
<- nat`plus-implies-gt N3+1+N2=N1 nat`eq/ N1>N2
<- nat`plus-implies-gt N0+1+N1=N2 nat`eq/ N2>N1
<- nat`gt-anti-symmetric N1>N2 N2>N1 F
<- false-implies-eq F S1=S31
<- false-implies-eq F S02=S2
<- remove-respects-eq S1-S02=S3 S1=S31 S02=S2 eq/ R
<- false-implies-shift F SH.
% As for remove/<-inversion: no induction, and %reduces records that the
% extracted derivation (argument 4) is strictly smaller than the input
% derivation (argument 1).
%worlds () (remove/>-inversion _ _ _ _ _).
%total { } (remove/>-inversion _ _ _ _ _).
%reduces R < R' (remove/>-inversion R' _ _ R _).
%{%
remove-total* : for every S1 and S2 there is some S3 with remove S1 S2 S3.
remove-set/+-total handles the case where both sets are non-empty; it takes
the nat`compare result for the two leading elements as an extra input so that
its clauses can dispatch on it.  Both theorems are declared before either is
proved because the clauses of remove-total* call remove-set/+-total.
%}%
%theorem remove-total* :
forall {S1} {S2}
exists {S3} {R:remove S1 S2 S3}
true.
%theorem remove-set/+-total :
forall* {N1} {N2} {C}
forall {CMP:nat`compare N1 N2 C}
{S1} {S2}
exists {S3} {R:remove (set/+ N1 S1) (set/+ N2 S2) S3}
true.
% Empty first set: remove/L.  Empty second set: remove/R.  Both clauses match
% when both sets are empty; Twelf's coverage check tolerates the overlap.
- : remove-total* set/0 _ _ remove/L.
- : remove-total* _ set/0 _ remove/R.
% Two non-empty sets: compare the leading elements (nat`compare-total) and
% dispatch on the result.
- : remove-total* (set/+ N1 S1) (set/+ N2 S2) S3 R
<- nat`compare-total CMP
<- remove-set/+-total CMP S1 S2 S3 R.
% NOTE(review): the stretch from here to the first %abbrev line is corrupted
% in this copy.  Text has been dropped after several `S3<` tokens, splicing
% together fragments of the remove-set/+-total clauses, of a clause of
% remove-implies-leq-union and of the tail `= lookup/>.` of an export.  The
% %worlds/%total directives for remove-total*, remove-set/+-total and
% remove-implies-leq-union, and the whole of remove-total,
% remove-deterministic, remove-implies-leq and
% remove-implies-empty-intersection (all exported below), are not visible.
% Do not treat the surviving fragments as checkable Twelf; recover them from
% the original file.
% The next clause fuses the compare/= case with the compare/< case for an
% empty first set (remove/< remove/L ...).
- : remove-set/+-total (nat`compare/=) S1 S2 _
(remove/= S3<N1) set/0 S2 _
(remove/< remove/L N0+1+N1=N2)
<- gt-implies-plus N2>N1 _ N0+1+N1=N2.
% This clause (compare/<, non-empty first set) appears intact: the plus
% evidence for remove/< comes from gt-implies-plus and the inner derivation
% from a recursive call on the tail S4 after comparing its leading element.
- : remove-set/+-total (nat`compare/< N2>N1) (set/+ N4 S4) S2 _
(remove/< S44-S02=S3 N0+1+N1=N2)
<- gt-implies-plus N2>N1 _ N0+1+N1=N2
<- nat`compare-total CMP
<- remove-set/+-total CMP S4 S2 _ S44-S02=S3.
% The compare/> clauses below are fused with fragments of later theorems.
- : remove-set/+-total (nat`compare/> N1>N2) S1 set/0 _
(remove/> S3<N2 _ N3+1+N2=N1
<- shift-total S3< N1>N2) S1 (set/+ N4 S4) _
(remove/> S3<N2 _ N3+1+N2=N1
<- nat`compare-total CMP
<- remove-set/+-total CMP S1 S4 _ S31-S44=S3
<- shift-total S3< S3<-inversion R N3+1+N2=N1 _ S31-S2=S3' S3'< S3<-inversion S22+S13=S N0+1+N1=N2 _ S02+S3=S4 S=S14
<- eq-symmetric S=S14 S14=S
<- remove-implies-leq-union S1-S02=S3 S02+S3=S4 S1<=S4
<- set/+-preserves-leq nat`eq/ S1<=S4 S11<=S14
<- leq-respects-eq S11<=S14 eq/ S14=S S11<=S.
- : remove-implies-leq-union (remove/> S3< S3< = lookup/>.
%% Exports, under the set` prefix, of the judgments not-member, member?,
%% disjoint, disjoint?, size, bound, shift and update and of their
%% constructors.  Each %abbrev simply aliases set`X to the existing X.
%abbrev set`not-member = not-member.
%abbrev set`not-member/0 = not-member/0.
%abbrev set`not-member/< = not-member/<.
%abbrev set`not-member/> = not-member/>.
%abbrev set`member? = member?.
%abbrev set`member?/in = member?/in.
%abbrev set`member?/out = member?/out.
%abbrev set`disjoint = disjoint.
%abbrev set`disjoint/L = disjoint/L.
%abbrev set`disjoint/R = disjoint/R.
%abbrev set`disjoint/< = disjoint/<.
%abbrev set`disjoint/> = disjoint/>.
%abbrev set`disjoint? = disjoint?.
%abbrev set`disjoint?/yes = disjoint?/yes.
%abbrev set`disjoint?/no = disjoint?/no.
%abbrev set`size = size.
%abbrev set`size/0 = size/0.
%abbrev set`size/+ = size/+.
%abbrev set`bound = bound.
%abbrev set`bound/0 = bound/0.
%abbrev set`bound/+ = bound/+.
%abbrev set`shift = shift.
%abbrev set`shift/0 = shift/0.
%abbrev set`shift/+ = shift/+.
%abbrev set`update = update.
%abbrev set`update/0 = update/0.
%abbrev set`update/= = update/=.
%abbrev set`update/< = update/<.
%abbrev set`update/> = update/>.
%% Exports of the lemmas about eq, ne and eq?, followed by those about
%% lookup, not-member and member?.
%abbrev set`meta-eq = meta-eq.
%abbrev set`false-implies-eq = false-implies-eq.
%abbrev set`eq-reflexive = eq-reflexive.
%abbrev set`eq-symmetric = eq-symmetric.
%abbrev set`eq-transitive = eq-transitive.
%abbrev set`map/+-preserves-eq = map/+-preserves-eq.
%abbrev set`map/+-preserves-eq-converse = map/+-preserves-eq-converse.
%abbrev set`eq-no-occur = eq-no-occur.
%abbrev set`eq-contradiction = eq-contradiction.
%abbrev set`false-implies-ne = false-implies-ne.
%abbrev set`ne-respects-eq = ne-respects-eq.
%abbrev set`ne-anti-reflexive = ne-anti-reflexive.
%abbrev set`ne-symmetric = ne-symmetric.
%abbrev set`eq-ne-implies-false = eq-ne-implies-false.
%abbrev set`eq?-total* = eq?-total*.
%abbrev set`eq?-total = eq?-total.
%abbrev set`eq?-total/+ = eq?-total/+.
%abbrev set`false-implies-lookup = false-implies-lookup.
%abbrev set`lookup-respects-eq = lookup-respects-eq.
%abbrev set`lookup-deterministic = lookup-deterministic.
%abbrev set`lookup-contradiction = lookup-contradiction.
%abbrev set`lookup-one-choice = lookup-one-choice.
%abbrev set`lookup-ne-implies-ne = lookup-ne-implies-ne.
%abbrev set`lookup-ne-implies-ne/L = lookup-ne-implies-ne/L.
%abbrev set`false-implies-not-member = false-implies-not-member.
%abbrev set`not-member-respects-eq = not-member-respects-eq.
%abbrev set`not-member-total* = not-member-total*.
%abbrev set`not-member-total = not-member-total.
%abbrev set`not-member-lookup-not-equal = not-member-lookup-not-equal.
%abbrev set`not-member-contradiction = not-member-contradiction.
%abbrev set`ne-implies-unit-map-not-member = ne-implies-unit-map-not-member.
%abbrev set`plus-right-preserves-not-member* = plus-right-preserves-not-member*.
%abbrev set`not-member-lookup-implies-ne = not-member-lookup-implies-ne.
%abbrev set`not-member-lookup-implies-ne/L = not-member-lookup-implies-ne/L.
%abbrev set`false-implies-member? = false-implies-member?.
%abbrev set`member?-respects-eq = member?-respects-eq.
%abbrev set`member?-deterministic = member?-deterministic.
%abbrev set`member?-total* = member?-total*.
%abbrev set`member?-map/+-total = member?-map/+-total.
%abbrev set`member?-map/+-complete = member?-map/+-complete.
%abbrev set`member?-total = member?-total.
%abbrev set`in-implies-lookup = in-implies-lookup.
%abbrev set`out-implies-not-member = out-implies-not-member.
%% Exports of the lemmas about disjoint, size, bound and shift, and of the
%% totality lemmas for disjoint?.
%abbrev set`false-implies-disjoint = false-implies-disjoint.
%abbrev set`disjoint-respects-eq = disjoint-respects-eq.
%abbrev set`disjoint/=-contradiction = disjoint/=-contradiction.
%abbrev set`disjoint/<-inversion = disjoint/<-inversion.
%abbrev set`disjoint/>-inversion = disjoint/>-inversion.
%abbrev set`disjoint-anti-reflexive = disjoint-anti-reflexive.
%abbrev set`disjoint-symmetric = disjoint-symmetric.
%abbrev set`disjoint-lookup-contradiction = disjoint-lookup-contradiction.
%abbrev set`shift-left-preserves-disjoint = shift-left-preserves-disjoint.
%abbrev set`shift-left-preserves-disjoint-converse = shift-left-preserves-disjoint-converse.
%abbrev set`shift-right-preserves-disjoint = shift-right-preserves-disjoint.
%abbrev set`shift-right-preserves-disjoint-converse = shift-right-preserves-disjoint-converse.
%abbrev set`shift-preserves-disjoint = shift-preserves-disjoint.
%abbrev set`shift-preserves-disjoint-converse = shift-preserves-disjoint-converse.
%abbrev set`ne-implies-disjoint = ne-implies-disjoint.
%abbrev set`false-implies-size = false-implies-size.
%abbrev set`size-total* = size-total*.
%abbrev set`size-total = size-total.
%abbrev set`size-deterministic = size-deterministic.
%abbrev set`false-implies-bound = false-implies-bound.
%abbrev set`bound-total* = bound-total*.
%abbrev set`bound-total = bound-total.
%abbrev set`ge-bound-implies-not-member = ge-bound-implies-not-member.
%abbrev set`false-implies-shift = false-implies-shift.
%abbrev set`shift-respects-eq = shift-respects-eq.
%abbrev set`shift-total* = shift-total*.
%abbrev set`shift-total = shift-total.
%abbrev set`shift-deterministic = shift-deterministic.
%abbrev set`shifts-add = shifts-add.
%abbrev set`shifts-add-converse = shifts-add-converse.
%abbrev set`shift-preserves-lookup = shift-preserves-lookup.
%abbrev set`shift-preserves-lookup* = shift-preserves-lookup*.
%abbrev set`shift-preserves-lookup-converse = shift-preserves-lookup-converse.
%abbrev set`shift-preserves-lookup-converse* = shift-preserves-lookup-converse*.
%abbrev set`shift-preserves-update = shift-preserves-update.
%abbrev set`shift-preserves-size = shift-preserves-size.
%abbrev set`disjoint?-total* = disjoint?-total*.
%abbrev set`disjoint?-total*/+ = disjoint?-total*/+.
%abbrev set`disjoint?-total*/< = disjoint?-total*/<.
%abbrev set`disjoint?-total*/> = disjoint?-total*/>.
%abbrev set`disjoint?-total = disjoint?-total.
%% Exports of the update lemmas and can-remove, then of the leq judgment with
%% its constructors and lemmas.
%abbrev set`false-implies-update = false-implies-update.
%abbrev set`update-respects-eq = update-respects-eq.
%abbrev set`update-eq = update-eq.
%abbrev set`update-eq/ = update-eq/.
%abbrev set`false-implies-update-eq = false-implies-update-eq.
%abbrev set`meta-update-eq = meta-update-eq.
%abbrev set`update/=-inversion = update/=-inversion.
%abbrev set`update/<-inversion = update/<-inversion.
%abbrev set`update/>-inversion = update/>-inversion.
%abbrev set`update-deterministic = update-deterministic.
%abbrev set`update-total* = update-total*.
%abbrev set`update-map/+-total = update-map/+-total.
%abbrev set`update-total = update-total.
%abbrev set`lookup-implies-update = lookup-implies-update.
%abbrev set`update-implies-lookup = update-implies-lookup.
%abbrev set`update-preserves-lookup = update-preserves-lookup.
%abbrev set`update-preserves-lookup-converse = update-preserves-lookup-converse.
%abbrev set`update-preserves-not-member = update-preserves-not-member.
%abbrev set`update-preserves-not-member-converse = update-preserves-not-member-converse.
%abbrev set`update-preserves-not-member-converse-helper = update-preserves-not-member-converse-helper.
%abbrev set`update-is-cause-of-change = update-is-cause-of-change.
%abbrev set`update-is-cause-of-change/L = update-is-cause-of-change/L.
%abbrev set`update-preserves-membership = update-preserves-membership.
%abbrev set`update-preserves-membership-converse = update-preserves-membership-converse.
%abbrev set`lookup-update-preserves-membership = lookup-update-preserves-membership.
%abbrev set`lookup-update-preserves-membership/L = lookup-update-preserves-membership/L.
%abbrev set`lookup-update-preserves-membership-converse = lookup-update-preserves-membership-converse.
%abbrev set`update-preserves-in-member = update-preserves-in-member.
%abbrev set`update-preserves-in-member/L = update-preserves-in-member/L.
%abbrev set`update-overwrites = update-overwrites.
%abbrev set`update-overwrites-converse = update-overwrites-converse.
%abbrev set`update-may-have-no-effect = update-may-have-no-effect.
%abbrev set`update-idempotent = update-idempotent.
%abbrev set`update-commutes = update-commutes.
%abbrev set`update-commutes* = update-commutes*.
%abbrev set`can-remove = can-remove.
%abbrev set`leq = leq.
%abbrev set`leq/0 = leq/0.
%abbrev set`leq/= = leq/=.
%abbrev set`leq/> = leq/>.
%abbrev set`false-implies-leq = false-implies-leq.
%abbrev set`leq-respects-eq = leq-respects-eq.
%abbrev set`leq/0-inversion = leq/0-inversion.
%abbrev set`leq/=-inversion = leq/=-inversion.
%abbrev set`leq/>-inversion = leq/>-inversion.
%abbrev set`leq-contradiction = leq-contradiction.
%abbrev set`leq-reflexive = leq-reflexive.
%abbrev set`leq-anti-symmetric = leq-anti-symmetric.
%abbrev set`leq-transitive = leq-transitive.
%abbrev set`map/+-preserves-leq = map/+-preserves-leq.
%abbrev set`lookup-respects-leq = lookup-respects-leq.
%abbrev set`not-member-respects-geq = not-member-respects-geq.
%abbrev set`leq-implies-size-le = leq-implies-size-le.
%abbrev set`leq-implies-bound-le = leq-implies-bound-le.
%abbrev set`shift-left-preserves-leq* = shift-left-preserves-leq*.
%abbrev set`shift-preserves-leq* = shift-preserves-leq*.
%abbrev set`update-left-preserves-leq* = update-left-preserves-leq*.
%abbrev set`update-right-preserves-leq* = update-right-preserves-leq*.
%abbrev set`update-preserves-leq* = update-preserves-leq*.
%abbrev set`not-member-update-implies-leq = not-member-update-implies-leq.
%abbrev set`lookup-update-preserves-leq = lookup-update-preserves-leq.
%% Exports of the union judgment, its constructors and its lemmas (totality,
%% determinism, interaction with shift/lookup/not-member/disjoint, the
%% algebraic laws, and the leq and least-upper-bound facts).
%abbrev set`union = union.
%abbrev set`union/L = union/L.
%abbrev set`union/R = union/R.
%abbrev set`union/= = union/=.
%abbrev set`union/< = union/<.
%abbrev set`union/> = union/>.
%abbrev set`false-implies-union = false-implies-union.
%abbrev set`union-respects-eq = union-respects-eq.
%abbrev set`union/=-inversion = union/=-inversion.
%abbrev set`union/<-inversion = union/<-inversion.
%abbrev set`union/>-inversion = union/>-inversion.
%abbrev set`union-deterministic = union-deterministic.
%abbrev set`union-total* = union-total*.
%abbrev set`union-map/+-M-total* = union-map/+-M-total*.
%abbrev set`union-M-map/+-total* = union-M-map/+-total*.
%abbrev set`union-map/+-map/+-total* = union-map/+-map/+-total*.
%abbrev set`union-total = union-total.
%abbrev set`disjoint-union-total = disjoint-union-total.
%abbrev set`union-empty-implies-empty = union-empty-implies-empty.
%abbrev set`union-preserves-disjoint* = union-preserves-disjoint*.
%abbrev set`union-preserves-disjoint*/L = union-preserves-disjoint*/L.
%abbrev set`shift-left-preserves-union = shift-left-preserves-union.
%abbrev set`shift-left-preserves-union-converse = shift-left-preserves-union-converse.
%abbrev set`shift-right-preserves-union = shift-right-preserves-union.
%abbrev set`shift-right-preserves-union-converse = shift-right-preserves-union-converse.
%abbrev set`shift-preserves-union = shift-preserves-union.
%abbrev set`shift-preserves-union-converse = shift-preserves-union-converse.
%abbrev set`union-commutative = union-commutative.
%abbrev set`union-associative = union-associative.
%abbrev set`union-associative-union/<-union/< = union-associative-union/<-union/<.
%abbrev set`union-associative* = union-associative*.
%abbrev set`union-associative-converse = union-associative-converse.
%abbrev set`union-associative-converse* = union-associative-converse*.
%abbrev set`union-assoc-commutative* = union-assoc-commutative*.
%abbrev set`union-assoc-commutative = union-assoc-commutative.
%abbrev set`union-double-associative* = union-double-associative*.
%abbrev set`union-double-associative = union-double-associative.
%abbrev set`lookup-implies-union = lookup-implies-union.
%abbrev set`union-joins-lookup = union-joins-lookup.
%abbrev set`union-preserves-not-member* = union-preserves-not-member*.
%abbrev set`not-member-union-left-preserves-lookup* = not-member-union-left-preserves-lookup*.
%abbrev set`not-member-union-left-preserves-lookup-converse = not-member-union-left-preserves-lookup-converse.
%abbrev set`not-member-union-left-preserves-lookup-converse/L = not-member-union-left-preserves-lookup-converse/L.
%abbrev set`union-left-affects-lookup = union-left-affects-lookup.
%abbrev set`union-left-affects-lookup/L = union-left-affects-lookup/L.
%abbrev set`not-member-union-right-preserves-lookup* = not-member-union-right-preserves-lookup*.
%abbrev set`not-member-union-right-preserves-lookup-converse = not-member-union-right-preserves-lookup-converse.
%abbrev set`not-member-union-right-preserves-lookup-converse/L = not-member-union-right-preserves-lookup-converse/L.
%abbrev set`union-right-affects-lookup = union-right-affects-lookup.
%abbrev set`union-right-affects-lookup/L = union-right-affects-lookup/L.
%abbrev set`union-preserves-not-member-converse* = union-preserves-not-member-converse*.
%abbrev set`union-preserves-not-member-converse/L = union-preserves-not-member-converse/L.
%abbrev set`disjoint-union-left-preserves-lookup* = disjoint-union-left-preserves-lookup*.
%abbrev set`disjoint-union-left-preserves-lookup*/L = disjoint-union-left-preserves-lookup*/L.
%abbrev set`disjoint-union-right-preserves-lookup* = disjoint-union-right-preserves-lookup*.
%abbrev set`disjoint-union-right-preserves-lookup*/L = disjoint-union-right-preserves-lookup*/L.
%abbrev set`union-implies-leq* = union-implies-leq*.
%abbrev set`union-implies-leq = union-implies-leq.
%abbrev set`union-is-lub = union-is-lub.
%abbrev set`union-idempotent = union-idempotent.
%abbrev set`leq-implies-union = leq-implies-union.
%abbrev set`disjoint-leq-implies-union-leq* = disjoint-leq-implies-union-leq*.
%abbrev set`union-left-preserves-leq* = union-left-preserves-leq*.
%abbrev set`union-right-preserves-leq* = union-right-preserves-leq*.
%% Exports of the intersection judgment, its constructors and its lemmas, of
%% the distributive and factoring laws between intersection and union, and of
%% the union-*-preserves-member* lemmas.
%abbrev set`intersection = intersection.
%abbrev set`intersection/L = intersection/L.
%abbrev set`intersection/R = intersection/R.
%abbrev set`intersection/= = intersection/=.
%abbrev set`intersection/< = intersection/<.
%abbrev set`intersection/> = intersection/>.
%abbrev set`false-implies-intersection = false-implies-intersection.
%abbrev set`intersection-respects-eq = intersection-respects-eq.
%abbrev set`intersection/L-inversion = intersection/L-inversion.
%abbrev set`intersection/R-inversion = intersection/R-inversion.
%abbrev set`intersection/=-inversion = intersection/=-inversion.
%abbrev set`intersection/<-inversion = intersection/<-inversion.
%abbrev set`intersection/>-inversion = intersection/>-inversion.
%abbrev set`intersection-implies-ge = intersection-implies-ge.
%abbrev set`intersection-deterministic = intersection-deterministic.
%abbrev set`intersection-total* = intersection-total*.
%abbrev set`intersection-map/+-M-total* = intersection-map/+-M-total*.
%abbrev set`intersection-M-map/+-total* = intersection-M-map/+-total*.
%abbrev set`intersection-map/+-map/+-total* = intersection-map/+-map/+-total*.
%abbrev set`intersection-total = intersection-total.
%abbrev set`intersection-commutative = intersection-commutative.
%abbrev set`shift-left-preserves-intersection = shift-left-preserves-intersection.
%abbrev set`shift-left-preserves-intersection-converse = shift-left-preserves-intersection-converse.
%abbrev set`shift-right-preserves-intersection = shift-right-preserves-intersection.
%abbrev set`shift-right-preserves-intersection-converse = shift-right-preserves-intersection-converse.
%abbrev set`shift-preserves-intersection = shift-preserves-intersection.
%abbrev set`shift-preserves-intersection-converse = shift-preserves-intersection-converse.
%abbrev set`intersection-associativeM = intersection-associativeM.
%abbrev set`intersection-associativeM* = intersection-associativeM*.
%abbrev set`intersection-associative = intersection-associative.
%abbrev set`intersection-associative* = intersection-associative*.
%abbrev set`intersection-associative-converse = intersection-associative-converse.
%abbrev set`intersection-associative-converse* = intersection-associative-converse*.
%abbrev set`intersection-assoc-commutative* = intersection-assoc-commutative*.
%abbrev set`intersection-assoc-commutative = intersection-assoc-commutative.
%abbrev set`intersection-double-associative* = intersection-double-associative*.
%abbrev set`intersection-double-associative = intersection-double-associative.
%abbrev set`intersection-implies-leq* = intersection-implies-leq*.
%abbrev set`intersection-implies-leq = intersection-implies-leq.
%abbrev set`intersection-is-glb = intersection-is-glb.
%abbrev set`intersection-idempotent = intersection-idempotent.
%abbrev set`leq-implies-intersection = leq-implies-intersection.
%abbrev set`intersection-left-preserves-leq* = intersection-left-preserves-leq*.
%abbrev set`intersection-right-preserves-leq* = intersection-right-preserves-leq*.
%abbrev set`intersection-right-distributes-over-union = intersection-right-distributes-over-union.
%abbrev set`intersection-right-distributes-over-union* = intersection-right-distributes-over-union*.
%abbrev set`intersection-left-distributes-over-union* = intersection-left-distributes-over-union*.
%abbrev set`intersection-left-distributes-over-union = intersection-left-distributes-over-union.
%abbrev set`intersection-right-factors-over-union* = intersection-right-factors-over-union*.
%abbrev set`intersection-left-factors-over-union* = intersection-left-factors-over-union*.
%abbrev set`union-right-distributes-over-intersection = union-right-distributes-over-intersection.
%abbrev set`union-right-distributes-over-intersection* = union-right-distributes-over-intersection*.
%abbrev set`union-left-distributes-over-intersection* = union-left-distributes-over-intersection*.
%abbrev set`union-left-distributes-over-intersection = union-left-distributes-over-intersection.
%abbrev set`union-right-factors-over-intersection = union-right-factors-over-intersection.
%abbrev set`union-right-factors-over-intersection* = union-right-factors-over-intersection*.
%abbrev set`union-left-factors-over-intersection = union-left-factors-over-intersection.
%abbrev set`union-left-factors-over-intersection* = union-left-factors-over-intersection*.
%abbrev set`union-left-preserves-member* = union-left-preserves-member*.
%abbrev set`union-right-preserves-member* = union-right-preserves-member*.
%% Exports of the set-specific layer: the set type with set/0 and set/+,
%% member, add and remove, and their lemmas.
%% NOTE(review): set`union/= and set`intersection/= are exported a second time
%% here, with the same right-hand sides as in the union and intersection
%% groups above.  In Twelf a later declaration shadows an earlier one, so if
%% the set layer redeclares union/= and intersection/= these two lines rebind
%% the exported names to the set-layer versions and their position in this
%% list matters; if it does not, they are harmless duplicates.  Confirm
%% against the set-layer declarations before removing or reordering them.
%abbrev set`set = set.
%abbrev set`set/0 = set/0.
%abbrev set`set/+ = set/+.
%abbrev set`set/+-preserves-eq = set/+-preserves-eq.
%abbrev set`set/+-preserves-leq = set/+-preserves-leq.
%abbrev set`member = member.
%abbrev set`union/= = union/=.
%abbrev set`intersection/= = intersection/=.
%abbrev set`add = add.
%abbrev set`false-implies-member = false-implies-member.
%abbrev set`not-member-member-implies-ne = not-member-member-implies-ne.
%abbrev set`in-implies-member = in-implies-member.
%abbrev set`member-respects-eq = member-respects-eq.
%abbrev set`member-respects-leq = member-respects-leq.
%abbrev set`false-implies-add = false-implies-add.
%abbrev set`add-respects-eq = add-respects-eq.
%abbrev set`add-deterministic = add-deterministic.
%abbrev set`add-total* = add-total*.
%abbrev set`add-implies-member = add-implies-member.
%abbrev set`add-preserves-member = add-preserves-member.
%abbrev set`add-preserves-not-member = add-preserves-not-member.
%abbrev set`add-preserves-membership = add-preserves-membership.
%abbrev set`add-overwrites = add-overwrites.
%abbrev set`add-idempotent = add-idempotent.
%abbrev set`add-commutes = add-commutes.
%abbrev set`add-commutes* = add-commutes*.
%abbrev set`add-preserves-leq* = add-preserves-leq*.
%abbrev set`remove = remove.
%abbrev set`remove/L = remove/L.
%abbrev set`remove/R = remove/R.
%abbrev set`remove/= = remove/=.
%abbrev set`remove/< = remove/<.
%abbrev set`remove/> = remove/>.
%abbrev set`false-implies-remove = false-implies-remove.
%abbrev set`remove-respects-eq = remove-respects-eq.
%abbrev set`remove/=-inversion = remove/=-inversion.
%abbrev set`remove/<-inversion = remove/<-inversion.
%abbrev set`remove/>-inversion = remove/>-inversion.
%abbrev set`remove-total* = remove-total*.
%abbrev set`remove-set/+-total = remove-set/+-total.
%abbrev set`remove-total = remove-total.
%abbrev set`remove-deterministic = remove-deterministic.
%abbrev set`remove-implies-leq = remove-implies-leq.
%abbrev set`remove-implies-leq-union = remove-implies-leq-union.
%abbrev set`remove-implies-empty-intersection = remove-implies-empty-intersection.