(* Copyright (c) 2012-2017, Robbert Krebbers. *)
(* This file is distributed under the terms of the BSD license. *)
(** Finite maps associate data to keys. This file defines an interface for
finite maps and collects some theory on it. Most importantly, it proves useful
induction principles for finite maps and implements the tactic
[simplify_map_eq] to simplify goals involving finite maps. *)
From Coq Require Import Permutation.
From iris.prelude Require Export relations orders vector.
(* FIXME: This file needs a 'Proof Using' hint, but the default we use
   everywhere makes for lots of extra assumptions. *)

(** * Axiomatization of finite maps *)
(** We require Leibniz equality to be extensional on finite maps. This of
course limits the space of finite map implementations, but since we are mainly
interested in finite maps with numbers as indexes, we do not consider this to
be a serious limitation. The main application of finite maps is to implement
the memory, where extensionality of Leibniz equality is very important for a
convenient use in the assertions of our axiomatic semantics. *)

(** Finiteness is axiomatized by requiring that each map can be translated
to an association list. The translation to association lists is used to
prove well founded recursion on finite maps. *)

(** Finite map implementations are required to implement the [merge] function
which enables us to give a generic implementation of [union_with],
[intersection_with], and [difference_with]. *)

(** [map_to_list] converts a map [M] with keys [K] and values [A] into an
association list. Its specification ([NoDup_map_to_list] and
[elem_of_map_to_list]) is part of the [FinMap] class below. *)
Class FinMapToList K A M := map_to_list: M  list (K * A).

(** The finite map interface: a map type constructor [M] over keys [K] with
decidable key equality, bundled with the laws each operation must satisfy.
Every law is stated pointwise through [!!] (lookup); [map_eq] makes lookup
equality extensional, so all equalities below can be proven by looking at
each key separately. *)
Class FinMap K M `{FMap M,  A, Lookup K A (M A),  A, Empty (M A),  A,
    PartialAlter K A (M A), OMap M, Merge M,  A, FinMapToList K A (M A),
    EqDecision K} := {
  (* Extensionality: maps with the same lookups are Leibniz equal. *)
  map_eq {A} (m1 m2 : M A) : ( i, m1 !! i = m2 !! i)  m1 = m2;
  (* The empty map has no bindings. *)
  lookup_empty {A} i : ( : M A) !! i = None;
  (* [partial_alter f i] rewrites the binding at [i] through [f] ... *)
  lookup_partial_alter {A} f (m : M A) i :
    partial_alter f i m !! i = f (m !! i);
  (* ... and leaves every other key untouched. *)
  lookup_partial_alter_ne {A} f (m : M A) i j :
    i  j  partial_alter f i m !! j = m !! j;
  (* [fmap] acts on the value of each binding. *)
  lookup_fmap {A B} (f : A  B) (m : M A) i : (f <$> m) !! i = f <$> m !! i;
  (* The association list has no duplicate pairs and is exactly the set of
     bindings of the map. *)
  NoDup_map_to_list {A} (m : M A) : NoDup (map_to_list m);
  elem_of_map_to_list {A} (m : M A) i x :
    (i,x)  map_to_list m  m !! i = Some x;
  (* [omap] filters/maps each binding through the [option]-valued [f]. *)
  lookup_omap {A B} (f : A  option B) m i : omap f m !! i = m !! i = f;
  (* [merge f] combines the two lookups at every key; [DiagNone f] (f None
     None = None) is what keeps the result a finite map. *)
  lookup_merge {A B C} (f: option A  option B  option C) `{!DiagNone f} m1 m2 i :
    merge f m1 m2 !! i = f (m1 !! i) (m2 !! i)
}.

(** * Derived operations *)
(** All of the following functions are defined in a generic way for arbitrary
finite map implementations. These generic implementations do not cause a
significant performance loss to make including them in the finite map interface
worthwhile. *)
(** [<[i:=x]>m] overwrites (or creates) the binding at [i] with [x]. *)
Instance map_insert `{PartialAlter K A M} : Insert K A M :=
  λ i x, partial_alter (λ _, Some x) i.
(** [alter f i m] applies [f] to the value at [i], if there is one. *)
Instance map_alter `{PartialAlter K A M} : Alter K A M :=
  λ f, partial_alter (fmap f).
(** [delete i m] removes the binding at [i]; a no-op if [i] is absent. *)
Instance map_delete `{PartialAlter K A M} : Delete K M :=
  partial_alter (λ _, None).
(** [{[i := x]}] is the map with the single binding [i ↦ x], built by
inserting into the empty map. *)
Instance map_singleton `{PartialAlter K A M, Empty M} :
  SingletonM K A M := λ i x, <[i:=x]> .

(** Builds a map from an association list by inserting right to left, so for
duplicate keys the pair that occurs first in the list wins. *)
Definition map_of_list `{Insert K A M, Empty M} : list (K * A)  M :=
  fold_right (λ p, <[p.1:=p.2]>) .
(** Builds a map whose keys are the elements of the collection [X] and whose
values are given by [f]; elements on which [f] returns [None] are skipped. *)
Definition map_of_collection `{Elements K C, Insert K A M, Empty M}
    (f : K  option A) (X : C) : M :=
  map_of_list (omap (λ i, (i,) <$> f i) (elements X)).

(** Pointwise union, combining values at shared keys with [f] (via [merge]). *)
Instance map_union_with `{Merge M} {A} : UnionWith A (M A) :=
  λ f, merge (union_with f).
(** Pointwise intersection: only keys present in both maps survive, with
their values combined by [f]. *)
Instance map_intersection_with `{Merge M} {A} : IntersectionWith A (M A) :=
  λ f, merge (intersection_with f).
(** Pointwise difference, with [f] deciding what happens at shared keys. *)
Instance map_difference_with `{Merge M} {A} : DifferenceWith A (M A) :=
  λ f, merge (difference_with f).

(** Setoid equality on maps: pointwise equivalence of lookups. Priority 18
keeps this instance below more specific [Equiv] instances. *)
Instance map_equiv `{ A, Lookup K A (M A), Equiv A} : Equiv (M A) | 18 :=
  λ m1 m2,  i, m1 !! i  m2 !! i.

(** The relation [intersection_forall R] on finite maps describes that the
relation [R] holds for each pair in the intersection. *)
(** [map_Forall P m] holds when [P i x] holds for every binding [i ↦ x] of [m]. *)
Definition map_Forall `{Lookup K A M} (P : K  A  Prop) : M  Prop :=
  λ m,  i x, m !! i = Some x  P i x.
(** Lifts a relation to maps key by key through [option_relation]: [R] relates
values present on both sides, [P] constrains values only in [m1], and [Q]
values only in [m2]. *)
Definition map_relation `{ A, Lookup K A (M A)} {A B} (R : A  B  Prop)
    (P : A  Prop) (Q : B  Prop) (m1 : M A) (m2 : M B) : Prop :=  i,
  option_relation R P Q (m1 !! i) (m2 !! i).
(** [map_included R m1 m2]: every key of [m1] is in [m2] with [R]-related
values ([λ _, False] forbids keys only in [m1]; keys only in [m2] are free). *)
Definition map_included `{ A, Lookup K A (M A)} {A}
  (R : relation A) : relation (M A) := map_relation R (λ _, False) (λ _, True).
(** Two maps are disjoint when no key is bound in both ([λ _ _, False] on
shared keys); the notation is [⊥ₘ], plus sectioned forms for partial
application. The hint lets [auto] close disjointness goals by symmetry. *)
Definition map_disjoint `{ A, Lookup K A (M A)} {A} : relation (M A) :=
  map_relation (λ _ _, False) (λ _, True) (λ _, True).
Infix "⊥ₘ" := map_disjoint (at level 70) : C_scope.
Hint Extern 0 (_  _) => symmetry; eassumption.
Notation "( m ⊥ₘ.)" := (map_disjoint m) (only parsing) : C_scope.
Notation "(.⊥ₘ m )" := (λ m2, m2  m) (only parsing) : C_scope.
(** Map inclusion is [map_included] with Leibniz equality on values; see
[map_subseteq_spec] for its unfolding. *)
Instance map_subseteq `{ A, Lookup K A (M A)} {A} : SubsetEq (M A) :=
  map_included (=).

(** The union of two finite maps only has a meaningful definition for maps
that are disjoint. However, as working with partial functions is inconvenient
in Coq, we define the union as a total function. In case both finite maps
have a value at the same index, we take the value of the first map. *)
(** Left-biased union: on a shared key the value of the first map is kept. *)
Instance map_union `{Merge M} {A} : Union (M A) := union_with (λ x _, Some x).
(** Left-biased intersection: keeps the keys present in both maps, with the
value taken from the first map. *)
Instance map_intersection `{Merge M} {A} : Intersection (M A) :=
  intersection_with (λ x _, Some x).

(** The difference operation removes all values from the first map whose
index contains a value in the second map as well. *)
(** Difference: every key bound in the second map is dropped from the first. *)
Instance map_difference `{Merge M} {A} : Difference (M A) :=
  difference_with (λ _ _, None).

(** A stronger variant of map that allows the mapped function to use the index
of the elements. Implemented by conversion to lists, so not very efficient. *)
(** Key-aware map/filter: [f i x] may use the key and returns [None] to drop
the binding. Goes through [map_to_list]/[map_of_list], hence the note above
about efficiency. *)
Definition map_imap `{ A, Insert K A (M A),  A, Empty (M A),
     A, FinMapToList K A (M A)} {A B} (f : K  A  option B) (m : M A) : M B :=
  map_of_list (omap (λ ix, (fst ix,) <$> curry f ix) (map_to_list m)).

(** * Theorems *)
Section theorems.
(* All results below hold for an arbitrary [FinMap K M] instance. *)
Context `{FinMap K M}.

(** ** Setoids *)
Section setoid.
  (* Values carry a setoid equality; maps are compared pointwise by [map_equiv]. *)
  Context `{Equiv A}.

  (** A binding of [m1] has an equivalent counterpart in any map
  equivalent to [m1]. *)
  Lemma map_equiv_lookup_l (m1 m2 : M A) i x :
    m1  m2  m1 !! i = Some x   y, m2 !! i = Some y  x  y.
  Proof. generalize (equiv_Some_inv_l (m1 !! i) (m2 !! i) x); naive_solver. Qed.

  (** Pointwise equivalence is an equivalence relation whenever the value
  equivalence is; each axiom is proven key by key. *)
  Global Instance map_equivalence :
    Equivalence (() : relation A)  Equivalence (() : relation (M A)).
  Proof.
    split.
    - by intros m i.
    - by intros m1 m2 ? i.
    - by intros m1 m2 m3 ?? i; trans (m2 !! i).
  Qed.
  (** Lookup at a fixed key respects map equivalence (immediate from the
  pointwise definition). *)
  Global Instance lookup_proper (i : K) :
    Proper (() ==> ()) (lookup (M:=M A) i).
  Proof. by intros m1 m2 Hm. Qed.
  (** [partial_alter] respects equivalence of the update function and of the
  map; the key itself is compared with [=]. *)
  Global Instance partial_alter_proper :
    Proper ((() ==> ()) ==> (=) ==> () ==> ()) (partial_alter (M:=M A)).
  Proof.
    by intros f1 f2 Hf i ? <- m1 m2 Hm j; destruct (decide (i = j)) as [->|];
      rewrite ?lookup_partial_alter, ?lookup_partial_alter_ne by done;
      try apply Hf; apply lookup_proper.
  Qed.
  (** The derived operations inherit properness from [partial_alter_proper]. *)
  Global Instance insert_proper (i : K) :
    Proper (() ==> () ==> ()) (insert (M:=M A) i).
  Proof. by intros ???; apply partial_alter_proper; [constructor|]. Qed.
  Global Instance singleton_proper k :
    Proper (() ==> ()) (singletonM k : A  M A).
  Proof.
    intros ???; apply insert_proper; [done|].
    intros ?. rewrite lookup_empty; constructor.
  Qed.
  Global Instance delete_proper (i : K) :
    Proper (() ==> ()) (delete (M:=M A) i).
  Proof. by apply partial_alter_proper; [constructor|]. Qed.
  Global Instance alter_proper :
    Proper ((() ==> ()) ==> (=) ==> () ==> ()) (alter (A:=A) (M:=M A)).
  Proof.
    intros ?? Hf; apply partial_alter_proper.
    by destruct 1; constructor; apply Hf.
  Qed.
  (** [merge] with equivalent combining functions yields equivalent maps; the
  [DiagNone] side conditions are needed to unfold [lookup_merge]. *)
  Lemma merge_ext f g `{!DiagNone f, !DiagNone g} :
    (() ==> () ==> ())%signature f g 
    (() ==> () ==> ())%signature (merge (M:=M) f) (merge g).
  Proof.
    by intros Hf ?? Hm1 ?? Hm2 i; rewrite !lookup_merge by done; apply Hf.
  Qed.
  Global Instance union_with_proper :
    Proper ((() ==> () ==> ()) ==> () ==> () ==>()) (union_with (M:=M A)).
  Proof.
    intros ?? Hf ?? Hm1 ?? Hm2 i; apply (merge_ext _ _); auto.
    by do 2 destruct 1; first [apply Hf | constructor].
  Qed.
  (** If value equivalence is Leibniz equality, so is map equivalence
  (by extensionality [map_eq]). *)
  Global Instance map_leibniz `{!LeibnizEquiv A} : LeibnizEquiv (M A).
  Proof. intros m1 m2 Hm; apply map_eq; intros i. apply leibniz_equiv, Hm. Qed.
  (** Being equivalent to the empty map is the same as being the empty map. *)
  Lemma map_equiv_empty (m : M A) : m    m = .
  Proof.
    split; [intros Hm; apply map_eq; intros i|intros ->].
    - generalize (Hm i). by rewrite lookup_empty, equiv_None.
    - intros ?. rewrite lookup_empty; constructor.
  Qed.
  (** [fmap] with a proper function is itself proper. *)
  Global Instance map_fmap_proper `{Equiv B} (f : A  B) :
    Proper (() ==> ()) f  Proper (() ==> ()) (fmap (M:=M) f).
  Proof.
    intros ? m m' ? k; rewrite !lookup_fmap. by apply option_fmap_proper.
  Qed.
End setoid.

(** ** General properties *)
(** Map equality is exactly pointwise equality of lookups (the biconditional
form of the [map_eq] axiom). *)
Lemma map_eq_iff {A} (m1 m2 : M A) : m1 = m2   i, m1 !! i = m2 !! i.
Proof. split. by intros ->. apply map_eq. Qed.
(** Unfolds map inclusion: every binding of [m1] is also a binding of [m2].
Most inclusion lemmas below start by rewriting with this. *)
Lemma map_subseteq_spec {A} (m1 m2 : M A) :
  m1  m2   i x, m1 !! i = Some x  m2 !! i = Some x.
Proof.
  unfold subseteq, map_subseteq, map_relation. split; intros Hm i;
    specialize (Hm i); destruct (m1 !! i), (m2 !! i); naive_solver.
Qed.
(** [map_included R] is a preorder whenever [R] is: reflexivity and
transitivity are checked key by key on the [option] values. *)
Global Instance:  {A} (R : relation A), PreOrder R  PreOrder (map_included R).
Proof.
  split; [intros m i; by destruct (m !! i); simpl|].
  intros m1 m2 m3 Hm12 Hm23 i; specialize (Hm12 i); specialize (Hm23 i).
  destruct (m1 !! i), (m2 !! i), (m3 !! i); simplify_eq/=;
    done || etrans; eauto.
Qed.
(** Map inclusion is a partial order; antisymmetry follows from [map_eq]. *)
Global Instance: PartialOrder (() : relation (M A)).
Proof.
  split; [apply _|].
  intros m1 m2; rewrite !map_subseteq_spec.
  intros; apply map_eq; intros i; apply option_eq; naive_solver.
Qed.
(** A binding of the smaller map is present in any map that includes it. *)
Lemma lookup_weaken {A} (m1 m2 : M A) i x :
  m1 !! i = Some x  m1  m2  m2 !! i = Some x.
Proof. rewrite !map_subseteq_spec. auto. Qed.
(** [is_Some] variant of [lookup_weaken]. *)
Lemma lookup_weaken_is_Some {A} (m1 m2 : M A) i :
  is_Some (m1 !! i)  m1  m2  is_Some (m2 !! i).
Proof. inversion 1. eauto using lookup_weaken. Qed.
(** Contrapositive of [lookup_weaken]: a key absent from the larger map is
absent from the smaller one. *)
Lemma lookup_weaken_None {A} (m1 m2 : M A) i :
  m2 !! i = None  m1  m2  m1 !! i = None.
Proof.
  rewrite map_subseteq_spec, !eq_None_not_Some.
  intros Hm2 Hm [??]; destruct Hm2; eauto.
Qed.
(** Included maps agree on every key bound in the smaller one. *)
Lemma lookup_weaken_inv {A} (m1 m2 : M A) i x y :
  m1 !! i = Some x  m1  m2  m2 !! i = Some y  x = y.
Proof. intros Hm1 ? Hm2. eapply lookup_weaken in Hm1; eauto. congruence. Qed.
(** Keys with different lookup results are different keys. *)
Lemma lookup_ne {A} (m : M A) i j : m !! i  m !! j  i  j.
Proof. congruence. Qed.
(** A map with no bindings is the empty map. *)
Lemma map_empty {A} (m : M A) : ( i, m !! i = None)  m = .
Proof. intros Hm. apply map_eq. intros. by rewrite Hm, lookup_empty. Qed.
(** No lookup in the empty map succeeds. *)
Lemma lookup_empty_is_Some {A} i : ¬is_Some (( : M A) !! i).
Proof. rewrite lookup_empty. by inversion 1. Qed.
(** The empty map never yields [Some x]. *)
Lemma lookup_empty_Some {A} i (x : A) : ¬ !! i = Some x.
Proof. by rewrite lookup_empty. Qed.
(** No map is strictly below the empty map: the strict part of the inclusion
would require a binding of [∅]. *)
Lemma map_subset_empty {A} (m : M A) : m  .
Proof.
  intros [_ []]. rewrite map_subseteq_spec. intros ??. by rewrite lookup_empty.
Qed.
(** Mapping over the empty map gives the empty map. *)
Lemma map_fmap_empty {A B} (f : A  B) : f <$> ( : M A) = .
Proof. by apply map_eq; intros i; rewrite lookup_fmap, !lookup_empty. Qed.

(** ** Properties of the [partial_alter] operation *)
(** Two update functions that agree on the current value at [i] produce the
same map; only the key [i] needs a case split. *)
Lemma partial_alter_ext {A} (f g : option A  option A) (m : M A) i :
  ( x, m !! i = x  f x = g x)  partial_alter f i m = partial_alter g i m.
Proof.
  intros. apply map_eq; intros j. by destruct (decide (i = j)) as [->|?];
    rewrite ?lookup_partial_alter, ?lookup_partial_alter_ne; auto.
Qed.
(** Altering the same key twice is altering it once with the composed
function. *)
Lemma partial_alter_compose {A} f g (m : M A) i:
  partial_alter (f  g) i m = partial_alter f i (partial_alter g i m).
Proof.
  intros. apply map_eq. intros ii. by destruct (decide (i = ii)) as [->|?];
    rewrite ?lookup_partial_alter, ?lookup_partial_alter_ne.
Qed.
(** Alterations at distinct keys commute. The proof splits on whether the
observed key is [j], [i], or neither. *)
Lemma partial_alter_commute {A} f g (m : M A) i j :
  i  j  partial_alter f i (partial_alter g j m) =
    partial_alter g j (partial_alter f i m).
Proof.
  intros. apply map_eq; intros jj. destruct (decide (jj = j)) as [->|?].
  { by rewrite lookup_partial_alter_ne,
      !lookup_partial_alter, lookup_partial_alter_ne. }
  destruct (decide (jj = i)) as [->|?].
  - by rewrite lookup_partial_alter,
     !lookup_partial_alter_ne, lookup_partial_alter by congruence.
  - by rewrite !lookup_partial_alter_ne by congruence.
Qed.
(** Writing back the value already stored at [i] leaves the map unchanged. *)
Lemma partial_alter_self_alt {A} (m : M A) i x :
  x = m !! i  partial_alter (λ _, x) i m = m.
Proof.
  intros. apply map_eq. intros ii. by destruct (decide (i = ii)) as [->|];
    rewrite ?lookup_partial_alter, ?lookup_partial_alter_ne.
Qed.
(** Special case of [partial_alter_self_alt] with the stored value inlined. *)
Lemma partial_alter_self {A} (m : M A) i : partial_alter (λ _, m !! i) i m = m.
Proof. by apply partial_alter_self_alt. Qed.
(** Altering an unbound key can only extend the map. *)
Lemma partial_alter_subseteq {A} f (m : M A) i :
  m !! i = None  m  partial_alter f i m.
Proof.
  rewrite map_subseteq_spec. intros Hi j x Hj.
  rewrite lookup_partial_alter_ne; congruence.
Qed.
(** If the key was unbound and [f] actually produces a value, the alteration
is a strict extension: the new binding at [i] cannot be in [m]. *)
Lemma partial_alter_subset {A} f (m : M A) i :
  m !! i = None  is_Some (f (m !! i))  m  partial_alter f i m.
Proof.
  intros Hi Hfi. split; [by apply partial_alter_subseteq|].
  rewrite !map_subseteq_spec. inversion Hfi as [x Hx]. intros Hm.
  apply (Some_ne_None x). rewrite <-(Hm i x); [done|].
  by rewrite lookup_partial_alter.
Qed.

(** ** Properties of the [alter] operation *)
(** [alter] only observes [f] on the value currently stored at [i]. *)
Lemma alter_ext {A} (f g : A  A) (m : M A) i :
  ( x, m !! i = Some x  f x = g x)  alter f i m = alter g i m.
Proof. intro. apply partial_alter_ext. intros [x|] ?; f_equal/=; auto. Qed.
(** Lookup at the altered key: [f] is applied under the [option]. *)
Lemma lookup_alter {A} (f : A  A) m i : alter f i m !! i = f <$> m !! i.
Proof. unfold alter. apply lookup_partial_alter. Qed.
(** Other keys are unaffected by [alter]. *)
Lemma lookup_alter_ne {A} (f : A  A) m i j : i  j  alter f i m !! j = m !! j.
Proof. unfold alter. apply lookup_partial_alter_ne. Qed.
(** Two [alter]s at one key compose; reduces to [partial_alter_compose]
plus the fact that [fmap] distributes over composition on [option]. *)
Lemma alter_compose {A} (f g : A  A) (m : M A) i:
  alter (f  g) i m = alter f i (alter g i m).
Proof.
  unfold alter, map_alter. rewrite <-partial_alter_compose.
  apply partial_alter_ext. by intros [?|].
Qed.
(** [alter]s at distinct keys commute. *)
Lemma alter_commute {A} (f g : A  A) (m : M A) i j :
  i  j  alter f i (alter g j m) = alter g j (alter f i m).
Proof. apply partial_alter_commute. Qed.
(** Characterises a successful lookup after [alter]: either it is the altered
key (result is [f] of the old value) or it is another key of [m]. *)
Lemma lookup_alter_Some {A} (f : A  A) m i j y :
  alter f i m !! j = Some y 
    (i = j   x, m !! j = Some x  y = f x)  (i  j  m !! j = Some y).
Proof.
  destruct (decide (i = j)) as [->|?].
  - rewrite lookup_alter. naive_solver (simplify_option_eq; eauto).
  - rewrite lookup_alter_ne by done. naive_solver.
Qed.
(** [alter] never adds or removes keys: absence is preserved both ways. *)
Lemma lookup_alter_None {A} (f : A  A) m i j :
  alter f i m !! j = None  m !! j = None.
Proof.
  by destruct (decide (i = j)) as [->|?];
    rewrite ?lookup_alter, ?fmap_None, ?lookup_alter_ne.
Qed.
(** If [f] fixes the stored value at [i], [alter f i] is the identity. *)
Lemma alter_id {A} (f : A  A) m i :
  ( x, m !! i = Some x  f x = x)  alter f i m = m.
Proof.
  intros Hi; apply map_eq; intros j; destruct (decide (i = j)) as [->|?].
  { rewrite lookup_alter; destruct (m !! j); f_equal/=; auto. }
  by rewrite lookup_alter_ne by done.
Qed.

(** ** Properties of the [delete] operation *)
(** The deleted key is unbound afterwards. *)
Lemma lookup_delete {A} (m : M A) i : delete i m !! i = None.
Proof. apply lookup_partial_alter. Qed.
(** Other keys are unaffected by [delete]. *)
Lemma lookup_delete_ne {A} (m : M A) i j : i  j  delete i m !! j = m !! j.
Proof. apply lookup_partial_alter_ne. Qed.
(** A binding survives [delete i] exactly when its key is not [i]. *)
Lemma lookup_delete_Some {A} (m : M A) i j y :
  delete i m !! j = Some y  i  j  m !! j = Some y.
Proof.
  split.
  - destruct (decide (i = j)) as [->|?];
      rewrite ?lookup_delete, ?lookup_delete_ne; intuition congruence.
  - intros [??]. by rewrite lookup_delete_ne.
Qed.
(** [is_Some] variant of [lookup_delete_Some]. *)
Lemma lookup_delete_is_Some {A} (m : M A) i j :
  is_Some (delete i m !! j)  i  j  is_Some (m !! j).
Proof. unfold is_Some; setoid_rewrite lookup_delete_Some; naive_solver. Qed.
(** A key is unbound after [delete i] iff it is [i] or was already unbound. *)
Lemma lookup_delete_None {A} (m : M A) i j :
  delete i m !! j = None  i = j  m !! j = None.
Proof.
  destruct (decide (i = j)) as [->|?];
    rewrite ?lookup_delete, ?lookup_delete_ne; tauto.
Qed.
(** Deleting from the empty map is a no-op; the right-hand [∅] is rewritten
to a [partial_alter] of itself so both sides match syntactically. *)
Lemma delete_empty {A} i : delete i ( : M A) = .
Proof. rewrite <-(partial_alter_self ) at 2. by rewrite lookup_empty. Qed.
(** Deleting the only key of a singleton yields the empty map. *)
Lemma delete_singleton {A} i (x : A) : delete i {[i := x]} = .
Proof. setoid_rewrite <-partial_alter_compose. apply delete_empty. Qed.
(** Deletions commute; the equal-key case is trivial, the rest is
[partial_alter_commute]. *)
Lemma delete_commute {A} (m : M A) i j :
  delete i (delete j m) = delete j (delete i m).
Proof. destruct (decide (i = j)). by subst. by apply partial_alter_commute. Qed.
(** Deletion and insertion at distinct keys commute. *)
Lemma delete_insert_ne {A} (m : M A) i j x :
  i  j  delete i (<[j:=x]>m) = <[j:=x]>(delete i m).
Proof. intro. by apply partial_alter_commute. Qed.
(** Deleting an unbound key leaves the map unchanged. *)
Lemma delete_notin {A} (m : M A) i : m !! i = None  delete i m = m.
Proof.
  intros. apply map_eq. intros j. by destruct (decide (i = j)) as [->|?];
    rewrite ?lookup_delete, ?lookup_delete_ne.
Qed.
(** Deleting a key right after altering it restores the map, provided the key
was unbound before the alteration. *)
Lemma delete_partial_alter {A} (m : M A) i f :
  m !! i = None  delete i (partial_alter f i m) = m.
Proof.
  intros. unfold delete, map_delete. rewrite <-partial_alter_compose.
  unfold compose. by apply partial_alter_self_alt.
Qed.
(** Instance of [delete_partial_alter] for [insert]. *)
Lemma delete_insert {A} (m : M A) i x :
  m !! i = None  delete i (<[i:=x]>m) = m.
Proof. apply delete_partial_alter. Qed.
(** Deleting before inserting at the same key is redundant. *)
Lemma insert_delete {A} (m : M A) i x : <[i:=x]>(delete i m) = <[i:=x]> m.
Proof. symmetry; apply (partial_alter_compose (λ _, Some x)). Qed.
(** [delete i m] is included in [m]. *)
Lemma delete_subseteq {A} (m : M A) i : delete i m  m.
Proof.
  rewrite !map_subseteq_spec. intros j x. rewrite lookup_delete_Some. tauto.
Qed.
(** [delete i] is monotone with respect to inclusion. *)
Lemma delete_subseteq_compat {A} (m1 m2 : M A) i :
  m1  m2  delete i m1  delete i m2.
Proof.
  rewrite !map_subseteq_spec. intros ? j x.
  rewrite !lookup_delete_Some. intuition eauto.
Qed.
(** Deleting a bound key gives a strictly smaller map: the reverse inclusion
would have to reproduce the deleted binding. *)
Lemma delete_subset_alt {A} (m : M A) i x : m !! i = Some x  delete i m  m.
Proof.
  split; [apply delete_subseteq|].
  rewrite !map_subseteq_spec. intros Hi. apply (None_ne_Some x).
  by rewrite <-(lookup_delete m i), (Hi i x).
Qed.
(** [is_Some] variant of [delete_subset_alt]. *)
Lemma delete_subset {A} (m : M A) i : is_Some (m !! i)  delete i m  m.
Proof. inversion 1. eauto using delete_subset_alt. Qed.

(** ** Properties of the [insert] operation *)
(** Lookup at the inserted key returns the inserted value. *)
Lemma lookup_insert {A} (m : M A) i x : <[i:=x]>m !! i = Some x.
Proof. unfold insert. apply lookup_partial_alter. Qed.
(** Injectivity form of [lookup_insert]. *)
Lemma lookup_insert_rev {A}  (m : M A) i x y : <[i:=x]>m !! i = Some y  x = y.
Proof. rewrite lookup_insert. congruence. Qed.
(** Other keys are unaffected by [insert]. *)
Lemma lookup_insert_ne {A} (m : M A) i j x : i  j  <[i:=x]>m !! j = m !! j.
Proof. unfold insert. apply lookup_partial_alter_ne. Qed.
(** A later insert at the same key overrides an earlier one. *)
Lemma insert_insert {A} (m : M A) i x y : <[i:=x]>(<[i:=y]>m) = <[i:=x]>m.
Proof. unfold insert, map_insert. by rewrite <-partial_alter_compose. Qed.
(** Inserts at distinct keys commute. *)
Lemma insert_commute {A} (m : M A) i j x y :
  i  j  <[i:=x]>(<[j:=y]>m) = <[j:=y]>(<[i:=x]>m).
Proof. apply partial_alter_commute. Qed.
(** Characterises a successful lookup after [insert]: either it is the new
binding or an untouched binding of [m]. *)
Lemma lookup_insert_Some {A} (m : M A) i j x y :
  <[i:=x]>m !! j = Some y  (i = j  x = y)  (i  j  m !! j = Some y).
Proof.
  split.
  - destruct (decide (i = j)) as [->|?];
      rewrite ?lookup_insert, ?lookup_insert_ne; intuition congruence.
  - intros [[-> ->]|[??]]; [apply lookup_insert|]. by rewrite lookup_insert_ne.
Qed.
(** [is_Some] variant of [lookup_insert_Some]. *)
Lemma lookup_insert_is_Some {A} (m : M A) i j x :
  is_Some (<[i:=x]>m !! j)  i = j  i  j  is_Some (m !! j).
Proof. unfold is_Some; setoid_rewrite lookup_insert_Some; naive_solver. Qed.
(** A key is unbound after [insert i] iff it was unbound and is not [i]. *)
Lemma lookup_insert_None {A} (m : M A) i j x :
  <[i:=x]>m !! j = None  m !! j = None  i  j.
Proof.
  split; [|by intros [??]; rewrite lookup_insert_ne].
  destruct (decide (i = j)) as [->|];
    rewrite ?lookup_insert, ?lookup_insert_ne; intuition congruence.
Qed.
(** Re-inserting the value already stored at [i] leaves the map unchanged. *)
Lemma insert_id {A} (m : M A) i x : m !! i = Some x  <[i:=x]>m = m.
Proof.
  intros; apply map_eq; intros j; destruct (decide (i = j)) as [->|];
    by rewrite ?lookup_insert, ?lookup_insert_ne by done.
Qed.
(** [m] is [R]-included in [<[i:=x]>m] if [x] is [R]-above whatever [m]
stores at [i]; reflexivity of [R] covers the untouched keys. *)
Lemma insert_included {A} R `{!Reflexive R} (m : M A) i x :
  ( y, m !! i = Some y  R y x)  map_included R m (<[i:=x]>m).
Proof.
  intros ? j; destruct (decide (i = j)) as [->|].
  - rewrite lookup_insert. destruct (m !! j); simpl; eauto.
  - rewrite lookup_insert_ne by done. by destruct (m !! j); simpl.
Qed.
(** Inserting at an unbound key extends the map. *)
Lemma insert_subseteq {A} (m : M A) i x : m !! i = None  m  <[i:=x]>m.
Proof. apply partial_alter_subseteq. Qed.
(** Inserting at an unbound key strictly extends the map. *)
Lemma insert_subset {A} (m : M A) i x : m !! i = None  m  <[i:=x]>m.
Proof. intro. apply partial_alter_subset; eauto. Qed.
(** Inclusion is preserved by inserting on the right, provided the key is
unbound on the left (so the two sides cannot disagree at [i]). *)
Lemma insert_subseteq_r {A} (m1 m2 : M A) i x :
  m1 !! i = None  m1  m2  m1  <[i:=x]>m2.
Proof.
  rewrite !map_subseteq_spec. intros ?? j ?.
  destruct (decide (j = i)) as [->|?]; [congruence|].
  rewrite lookup_insert_ne; auto.
Qed.
(** Moving an insertion from the left side of an inclusion to a deletion on
the right side; requires [i] unbound in [m1]. *)
Lemma insert_delete_subseteq {A} (m1 m2 : M A) i x :
  m1 !! i = None  <[i:=x]> m1  m2  m1  delete i m2.
Proof.
  rewrite !map_subseteq_spec. intros Hi Hix j y Hj.
  destruct (decide (i = j)) as [->|]; [congruence|].
  rewrite lookup_delete_ne by done.
  apply Hix; by rewrite lookup_insert_ne by done.
Qed.
(** Converse direction of [insert_delete_subseteq]: a deletion on the left
becomes an insertion of the deleted binding on the right. *)
Lemma delete_insert_subseteq {A} (m1 m2 : M A) i x :
  m1 !! i = Some x  delete i m1  m2  m1  <[i:=x]> m2.
Proof.
  rewrite !map_subseteq_spec.
  intros Hix Hi j y Hj. destruct (decide (i = j)) as [->|?].
  - rewrite lookup_insert. congruence.
  - rewrite lookup_insert_ne by done. apply Hi. by rewrite lookup_delete_ne.
Qed.
(** Strict version of [insert_delete_subseteq]; the strict part is shown by
contradiction using [delete_insert_subseteq]. *)
Lemma insert_delete_subset {A} (m1 m2 : M A) i x :
  m1 !! i = None  <[i:=x]> m1  m2  m1  delete i m2.
Proof.
  intros ? [Hm12 Hm21]; split; [eauto using insert_delete_subseteq|].
  contradict Hm21. apply delete_insert_subseteq; auto.
  eapply lookup_weaken, Hm12. by rewrite lookup_insert.
Qed.
(** A strict superset of [<[i:=x]> m1] can be decomposed as [<[i:=x]> m2']
with [m2'] a strict superset of [m1] not containing [i]; the witness is
[delete i m2]. *)
Lemma insert_subset_inv {A} (m1 m2 : M A) i x :
  m1 !! i = None  <[i:=x]> m1  m2 
   m2', m2 = <[i:=x]>m2'  m1  m2'  m2' !! i = None.
Proof.
  intros Hi Hm1m2. exists (delete i m2). split_and?.
  - rewrite insert_delete, insert_id. done.
    eapply lookup_weaken, strict_include; eauto. by rewrite lookup_insert.
  - eauto using insert_delete_subset.
  - by rewrite lookup_delete.
Qed.
(** Inserting into the empty map is the singleton map (by definition of
[map_singleton], so [done] suffices). *)
Lemma insert_empty {A} i (x : A) : <[i:=x]> = {[i := x]}.
Proof. done. Qed.
(** A map with an inserted binding is never empty. *)
Lemma insert_non_empty {A} (m : M A) i x : <[i:=x]>m  .
Proof.
  intros Hi%(f_equal (!! i)). by rewrite lookup_insert, lookup_empty in Hi.
Qed.

(** ** Properties of the singleton maps *)
(** A singleton has exactly one binding. *)
Lemma lookup_singleton_Some {A} i j (x y : A) :
  {[i := x]} !! j = Some y  i = j  x = y.
Proof.
  rewrite <-insert_empty,lookup_insert_Some, lookup_empty; intuition congruence.
Qed.
(** Every key other than [i] is unbound in [{[i := x]}]. *)
Lemma lookup_singleton_None {A} i j (x : A) : {[i := x]} !! j = None  i  j.
Proof. rewrite <-insert_empty,lookup_insert_None, lookup_empty; tauto. Qed.
(** Lookup of the singleton's own key. *)
Lemma lookup_singleton {A} i (x : A) : {[i := x]} !! i = Some x.
Proof. by rewrite lookup_singleton_Some. Qed.
(** Lookup of any other key in a singleton. *)
Lemma lookup_singleton_ne {A} i j (x : A) : i  j  {[i := x]} !! j = None.
Proof. by rewrite lookup_singleton_None. Qed.
(** A singleton map is not empty (observe the lookup at [i]). *)
Lemma map_non_empty_singleton {A} i (x : A) : {[i := x]}  .
Proof.
  intros Hix. apply (f_equal (!! i)) in Hix.
  by rewrite lookup_empty, lookup_singleton in Hix.
Qed.
(** Inserting at a singleton's key overwrites it; unfolds to
[partial_alter_compose] at a single key. *)
Lemma insert_singleton {A} i (x y : A) : <[i:=y]>{[i := x]} = {[i := y]}.
Proof.
  unfold singletonM, map_singleton, insert, map_insert.
  by rewrite <-partial_alter_compose.
Qed.
(** [alter] at a singleton's key applies [f] to its value. *)
Lemma alter_singleton {A} (f : A  A) i x : alter f i {[i := x]} = {[i := f x]}.
Proof.
  intros. apply map_eq. intros i'. destruct (decide (i = i')) as [->|?].
  - by rewrite lookup_alter, !lookup_singleton.
  - by rewrite lookup_alter_ne, !lookup_singleton_ne.
Qed.
(** [alter] at a key other than the singleton's is a no-op. *)
Lemma alter_singleton_ne {A} (f : A  A) i j x :
  i  j  alter f i {[j := x]} = {[j := x]}.
Proof.
  intros. apply map_eq; intros i'. by destruct (decide (i = i')) as [->|?];
    rewrite ?lookup_alter, ?lookup_singleton_ne, ?lookup_alter_ne by done.
Qed.
(** Same statement as [map_non_empty_singleton], proven via
[insert_non_empty]. *)
Lemma singleton_non_empty {A} i (x : A) : {[i:=x]}  .
Proof. apply insert_non_empty. Qed.

(** ** Properties of the map operations *)
(** [fmap] over the empty map is empty (the [∅] on the right is inferred). *)
Lemma fmap_empty {A B} (f : A  B) : f <$>  = .
Proof. apply map_empty; intros i. by rewrite lookup_fmap, lookup_empty. Qed.
(** [omap] over the empty map is empty. *)
Lemma omap_empty {A B} (f : A  option B) : omap f  = .
Proof. apply map_empty; intros i. by rewrite lookup_omap, lookup_empty. Qed.
(** [fmap] commutes with [insert], mapping the inserted value. *)
Lemma fmap_insert {A B} (f: A  B) m i x: f <$> <[i:=x]>m = <[i:=f x]>(f <$> m).
Proof.
  apply map_eq; intros i'; destruct (decide (i' = i)) as [->|].
  - by rewrite lookup_fmap, !lookup_insert.
  - by rewrite lookup_fmap, !lookup_insert_ne, lookup_fmap by done.
Qed.
(** [fmap] commutes with [delete]. *)
Lemma fmap_delete {A B} (f: A  B) m i: f <$> delete i m = delete i (f <$> m).
Proof.
  apply map_eq; intros i'; destruct (decide (i' = i)) as [->|].
  - by rewrite lookup_fmap, !lookup_delete.
  - by rewrite lookup_fmap, !lookup_delete_ne, lookup_fmap by done.
Qed.
(** [omap] commutes with [insert] when [f] keeps the inserted value. *)
Lemma omap_insert {A B} (f : A  option B) m i x y :
  f x = Some y  omap f (<[i:=x]>m) = <[i:=y]>(omap f m).
Proof.
  intros; apply map_eq; intros i'; destruct (decide (i' = i)) as [->|].
  - by rewrite lookup_omap, !lookup_insert.
  - by rewrite lookup_omap, !lookup_insert_ne, lookup_omap by done.
Qed.
(** [fmap] over a singleton maps its single value. *)
Lemma map_fmap_singleton {A B} (f : A  B) i x : f <$> {[i := x]} = {[i := f x]}.
Proof.
  by unfold singletonM, map_singleton; rewrite fmap_insert, map_fmap_empty.
Qed.
(** [omap] over a singleton, when [f] keeps the value. *)
Lemma omap_singleton {A B} (f : A  option B) i x y :
  f x = Some y  omap f {[ i := x ]} = {[ i := y ]}.
Proof.
  intros. unfold singletonM, map_singleton.
  by erewrite omap_insert, omap_empty by eauto.
Qed.
(** Functor law: mapping the identity is the identity. *)
Lemma map_fmap_id {A} (m : M A) : id <$> m = m.
Proof. apply map_eq; intros i; by rewrite lookup_fmap, option_fmap_id. Qed.
(** Functor law: mapping a composition is the composition of the maps. *)
Lemma map_fmap_compose {A B C} (f : A  B) (g : B  C) (m : M A) :
  g  f <$> m = g <$> f <$> m.
Proof. apply map_eq; intros i; by rewrite !lookup_fmap,option_fmap_compose. Qed.
(** Setoid extensionality for [fmap]: functions equivalent on the stored
values give equivalent maps. *)
Lemma map_fmap_equiv_ext `{Equiv A, Equiv B} (f1 f2 : A  B) m :
  ( i x, m !! i = Some x  f1 x  f2 x)  f1 <$> m  f2 <$> m.
Proof.
  intros Hi i; rewrite !lookup_fmap.
  destruct (m !! i) eqn:?; constructor; eauto.
Qed.
(** Leibniz extensionality for [fmap]: functions agreeing on the stored
values give equal maps. *)
Lemma map_fmap_ext {A B} (f1 f2 : A  B) m :
  ( i x, m !! i = Some x  f1 x = f2 x)  f1 <$> m = f2 <$> m.
Proof.
  intros Hi; apply map_eq; intros i; rewrite !lookup_fmap.
  by destruct (m !! i) eqn:?; simpl; erewrite ?Hi by eauto.
Qed.
(** Extensionality for [omap], analogous to [map_fmap_ext]. *)
Lemma omap_ext {A B} (f1 f2 : A  option B) m :
  ( i x, m !! i = Some x  f1 x = f2 x)  omap f1 m = omap f2 m.
Proof.
  intros Hi; apply map_eq; intros i; rewrite !lookup_omap.
  by destruct (m !! i) eqn:?; simpl; erewrite ?Hi by eauto.
Qed.

(** ** Properties of conversion to lists *)
(** A key occurs with at most one value in [map_to_list m]. *)
Lemma map_to_list_unique {A} (m : M A) i x y :
  (i,x)  map_to_list m  (i,y)  map_to_list m  x = y.
Proof. rewrite !elem_of_map_to_list. congruence. Qed.
(** The keys of [map_to_list m] are pairwise distinct. *)
Lemma NoDup_fst_map_to_list {A} (m : M A) : NoDup ((map_to_list m).*1).
Proof. eauto using NoDup_fmap_fst, map_to_list_unique, NoDup_map_to_list. Qed.
(** Helper for [elem_of_map_of_list_1]: a pair whose key is associated with
no other value in [l] is found by [map_of_list l]. Proven by induction on
[l], following the right fold in [map_of_list]. *)
Lemma elem_of_map_of_list_1_help {A} (l : list (K * A)) i x :
  (i,x)  l  ( y, (i,y)  l  y = x)  map_of_list l !! i = Some x.
Proof.
  induction l as [|[j y] l IH]; csimpl; [by rewrite elem_of_nil|].
  setoid_rewrite elem_of_cons.
  intros [?|?] Hdup; simplify_eq; [by rewrite lookup_insert|].
  destruct (decide (i = j)) as [->|].
  - rewrite lookup_insert; f_equal; eauto.
  - rewrite lookup_insert_ne by done; eauto.
Qed.
(** With duplicate-free keys, every pair of [l] is a binding of
[map_of_list l]; [NoDup_lookup] supplies the uniqueness side condition of
the helper. *)
Lemma elem_of_map_of_list_1 {A} (l : list (K * A)) i x :
  NoDup (l.*1)  (i,x)  l  map_of_list l !! i = Some x.
Proof.
  intros ? Hx; apply elem_of_map_of_list_1_help; eauto using NoDup_fmap_fst.
  intros y; revert Hx. rewrite !elem_of_list_lookup; intros [i' Hi'] [j' Hj'].
  cut (i' = j'); [naive_solver|]. apply NoDup_lookup with (l.*1) i;
    by rewrite ?list_lookup_fmap, ?Hi', ?Hj'.
Qed.
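(** Converse direction, valid for any [l] (no [NoDup] needed): whatever
[map_of_list l] returns for [i] is one of the pairs of [l]. *)
Lemma elem_of_map_of_list_2 {A} (l : list (K * A)) i x :
  map_of_list l !! i = Some x → (i,x) ∈ l.
Proof.
  induction l as [|[j y] l IH]; simpl; [by rewrite lookup_empty|].
  rewrite elem_of_cons. destruct (decide (i = j)) as [->|];
    rewrite ?lookup_insert, ?lookup_insert_ne; intuition congruence.
Qed.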
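(** Characterisation of lookups in [map_of_list l] for a list with
duplicate-free keys. *)
Lemma elem_of_map_of_list {A} (l : list (K * A)) i x :
  NoDup (l.*1) → (i,x) ∈ l ↔ map_of_list l !! i = Some x.
Proof. split; auto using elem_of_map_of_list_1, elem_of_map_of_list_2. Qed.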
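(** A key that does not occur in [l] is absent from [map_of_list l]. *)
Lemma not_elem_of_map_of_list_1 {A} (l : list (K * A)) i :
  i ∉ l.*1 → map_of_list l !! i = None.
Proof.
  rewrite elem_of_list_fmap, eq_None_not_Some. intros Hi [x ?]; destruct Hi.
  exists (i,x); simpl; auto using elem_of_map_of_list_2.
Qed.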
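(** Conversely, a key absent from [map_of_list l] does not occur in [l]. *)
Lemma not_elem_of_map_of_list_2 {A} (l : list (K * A)) i :
  map_of_list l !! i = None → i ∉ l.*1.
Proof.
  induction l as [|[j y] l IH]; csimpl; [rewrite elem_of_nil; tauto|].
  rewrite elem_of_cons. destruct (decide (i = j)); simplify_eq.
  - by rewrite lookup_insert.
  - by rewrite lookup_insert_ne; intuition.
Qed.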
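(** Key absence in [l] and a [None] lookup in [map_of_list l] coincide. *)
Lemma not_elem_of_map_of_list {A} (l : list (K * A)) i :
  i ∉ l.*1 ↔ map_of_list l !! i = None.
Proof. red; auto using not_elem_of_map_of_list_1,not_elem_of_map_of_list_2. Qed.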
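(** [map_of_list] is invariant under permutation of a list with
duplicate-free keys. Only [l1] needs the [NoDup] hypothesis; the proof obtains
the corresponding side condition for [l2] by rewriting with the permutation. *)
Lemma map_of_list_proper {A} (l1 l2 : list (K * A)) :
  NoDup (l1.*1) → l1 ≡ₚ l2 → map_of_list l1 = map_of_list l2.
Proof.
  intros ? Hperm. apply map_eq. intros i. apply option_eq. intros x.
  by rewrite <-!elem_of_map_of_list; rewrite <-?Hperm.
Qed.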
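(** [map_of_list] is injective up to permutation on lists with duplicate-free
keys. *)
Lemma map_of_list_inj {A} (l1 l2 : list (K * A)) :
  NoDup (l1.*1) → NoDup (l2.*1) → map_of_list l1 = map_of_list l2 → l1 ≡ₚ l2.
Proof.
  intros ?? Hl1l2. apply NoDup_Permutation; auto using (NoDup_fmap_1 fst).
  intros [i x]. by rewrite !elem_of_map_of_list, Hl1l2.
Qed.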
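(** Round trip: rebuilding a map from its association list gives the map
back. *)
Lemma map_of_to_list {A} (m : M A) : map_of_list (map_to_list m) = m.
Proof.
  apply map_eq. intros i. apply option_eq. intros x.
  by rewrite <-elem_of_map_of_list, elem_of_map_to_list
    by auto using NoDup_fst_map_to_list.
Qed.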
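(** The other round trip holds only up to permutation, and only for lists
with duplicate-free keys. *)
Lemma map_to_of_list {A} (l : list (K * A)) :
  NoDup (l.*1) → map_to_list (map_of_list l) ≡ₚ l.
Proof. auto using map_of_list_inj, NoDup_fst_map_to_list, map_of_to_list. Qed.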
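(** Maps with permutation-equivalent association lists are equal. *)
Lemma map_to_list_inj {A} (m1 m2 : M A) :
  map_to_list m1 ≡ₚ map_to_list m2 → m1 = m2.
Proof.
  intros. rewrite <-(map_of_to_list m1), <-(map_of_to_list m2).
  auto using map_of_list_proper, NoDup_fst_map_to_list.
Qed.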
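(** Any permutation of [map_to_list m1] rebuilds [m1]. *)
Lemma map_to_of_list_flip {A} (m1 : M A) l2 :
  map_to_list m1 ≡ₚ l2 → m1 = map_of_list l2.
Proof.
  intros. rewrite <-(map_of_to_list m1).
  auto using map_of_list_proper, NoDup_fst_map_to_list.
Qed.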

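(** Computation rule: the empty association list denotes the empty map. *)
Lemma map_of_list_nil {A} : map_of_list (@nil (K * A)) = ∅.
Proof. done. Qed.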
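(** Computation rule: the head pair is inserted on top of the map built from
the tail, so for duplicate keys the earliest occurrence wins. *)
Lemma map_of_list_cons {A} (l : list (K * A)) i x :
  map_of_list ((i, x) :: l) = <[i:=x]>(map_of_list l).
Proof. done. Qed.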
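(** Mapping [f] over the values of an association list commutes with
[map_of_list]. *)
Lemma map_of_list_fmap {A B} (f : A → B) l :
  map_of_list (prod_map id f <$> l) = f <$> map_of_list l.
Proof.
  induction l as [|[i x] l IH]; csimpl; rewrite ?fmap_empty; auto.
  rewrite <-map_of_list_cons; simpl. by rewrite IH, <-fmap_insert.
Qed.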

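(** The empty map has an empty association list (on the nose, not just up to
permutation). *)
Lemma map_to_list_empty {A} : map_to_list ∅ = @nil (K * A).
Proof.
  apply elem_of_nil_inv. intros [i x].
  rewrite elem_of_map_to_list. apply lookup_empty_Some.
Qed.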
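(** Inserting a fresh key prepends the pair to the association list, up to
permutation. Freshness ([m !! i = None]) is essential: it is what keeps the
key projection of the right-hand side duplicate-free. *)
Lemma map_to_list_insert {A} (m : M A) i x :
  m !! i = None → map_to_list (<[i:=x]>m) ≡ₚ (i,x) :: map_to_list m.
Proof.
  intros. apply map_of_list_inj; csimpl.
  - apply NoDup_fst_map_to_list.
  - constructor; auto using NoDup_fst_map_to_list.
    rewrite elem_of_list_fmap. intros [[??] [? Hlookup]]; subst; simpl in *.
    rewrite elem_of_map_to_list in Hlookup. congruence.
  - by rewrite !map_of_to_list.
Qed.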
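(** A singleton map lists exactly its one pair. [Permutation_singleton]
upgrades the permutation from [map_to_list_insert] to an equality. *)
Lemma map_to_list_singleton {A} i (x : A) : map_to_list {[i:=x]} = [(i,x)].
Proof.
  apply Permutation_singleton. unfold singletonM, map_singleton.
  by rewrite map_to_list_insert, map_to_list_empty by auto using lookup_empty.
Qed.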

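(** Map inclusion yields a sub-multiset relation on association lists;
because both lists are duplicate-free, plain membership suffices. *)
Lemma map_to_list_submseteq {A} (m1 m2 : M A) :
  m1 ⊆ m2 → map_to_list m1 ⊆+ map_to_list m2.
Proof.
  intros; apply NoDup_submseteq; auto using NoDup_map_to_list.
  intros [i x]. rewrite !elem_of_map_to_list; eauto using lookup_weaken.
Qed.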
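(** [fmap] on a map corresponds to mapping the second components of its
association list. The [NoDup] assertion is needed to apply [map_to_of_list]
after rewriting with [map_of_list_fmap]. *)
Lemma map_to_list_fmap {A B} (f : A → B) m :
  map_to_list (f <$> m) ≡ₚ prod_map id f <$> map_to_list m.
Proof.
  assert (NoDup ((prod_map id f <$> map_to_list m).*1)).
  { erewrite <-list_fmap_compose, (list_fmap_ext _ fst) by done.
    apply NoDup_fst_map_to_list. }
  rewrite <-(map_of_to_list m) at 1.
  by rewrite <-map_of_list_fmap, map_to_of_list.
Qed.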

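(** A map whose association list is a permutation of [[]] is empty. *)
Lemma map_to_list_empty_inv_alt {A}  (m : M A) : map_to_list m ≡ₚ [] → m = ∅.
Proof. rewrite <-map_to_list_empty. apply map_to_list_inj. Qed.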
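(** Equality variant of [map_to_list_empty_inv_alt]. *)
Lemma map_to_list_empty_inv {A} (m : M A) : map_to_list m = [] → m = ∅.
Proof. intros Hm. apply map_to_list_empty_inv_alt. by rewrite Hm. Qed.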
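(** Emptiness of a map is equivalent to emptiness of its association list. *)
Lemma map_to_list_empty' {A} (m : M A) : map_to_list m = [] ↔ m = ∅.
Proof.
  split. apply map_to_list_empty_inv. intros ->. apply map_to_list_empty.
Qed.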

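(** Inverse of [map_to_list_insert]: if the association list of [m] starts
(up to permutation) with [(i,x)], then [m] is the map built from the rest with
[(i,x)] inserted. The proof first extracts [i ∉ l.*1] and [NoDup (l.*1)] from
[NoDup_fst_map_to_list] through the permutation. *)
Lemma map_to_list_insert_inv {A} (m : M A) l i x :
  map_to_list m ≡ₚ (i,x) :: l → m = <[i:=x]>(map_of_list l).
Proof.
  intros Hperm. apply map_to_list_inj.
  assert (i ∉ l.*1 ∧ NoDup (l.*1)) as [].
  { rewrite <-NoDup_cons. change (NoDup (((i,x)::l).*1)). rewrite <-Hperm.
    auto using NoDup_fst_map_to_list. }
  rewrite Hperm, map_to_list_insert, map_to_of_list;
    auto using not_elem_of_map_of_list_1.
Qed.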

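(** A non-empty map contains some binding. The witness is the head of
[map_to_list m]; the [[]] case contradicts [m ≠ ∅] via
[map_to_list_empty_inv]. *)
Lemma map_choose {A} (m : M A) : m ≠ ∅ → ∃ i x, m !! i = Some x.
Proof.
  intros Hemp. destruct (map_to_list m) as [|[i x] l] eqn:Hm.
  { destruct Hemp; eauto using map_to_list_empty_inv. }
  exists i, x. rewrite <-elem_of_map_to_list, Hm. by left.
Qed.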

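(** Emptiness of a map is decidable, by testing whether [elements m] is [[]].
The rewrite with [map_to_list_empty'] indicates that [elements] on maps
reduces to [map_to_list]; NOTE(review): that instance is not visible here,
confirm against its definition. Priority 20 lets more specific
[Decision (m = ∅)] instances take precedence. *)
Global Instance map_eq_dec_empty {A} (m : M A) : Decision (m = ∅) | 20.
Proof.
  refine (cast_if (decide (elements m = [])));
    [apply _|by rewrite <-?map_to_list_empty' ..].
Defined.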

(** ** Properties of the [imap] function *)
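(** Lookup in [map_imap f m] feeds [m !! i] through [f i]; a [None] on either
side gives [None]. The proof works through the association-list
characterisation, since (as the [elem_of_list_omap] and
[not_elem_of_map_of_list] steps show) [map_imap] is built with [map_of_list]
from an [omap] over [map_to_list m]. *)
Lemma lookup_imap {A B} (f : K → A → option B) m i :
  map_imap f m !! i = m !! i ≫= f i.
Proof.
  unfold map_imap; destruct (m !! i ≫= f i) as [y|] eqn:Hi; simpl.
  - destruct (m !! i) as [x|] eqn:?; simplify_eq/=.
    apply elem_of_map_of_list_1_help.
    { apply elem_of_list_omap; exists (i,x); split;
        [by apply elem_of_map_to_list|by simplify_option_eq]. }
    intros y'; rewrite elem_of_list_omap; intros ([i' x']&Hi'&?).
    by rewrite elem_of_map_to_list in Hi'; simplify_option_eq.
  - apply not_elem_of_map_of_list; rewrite elem_of_list_fmap.
    intros ([i' x]&->&Hi'); simplify_eq/=.
    rewrite elem_of_list_omap in Hi'; destruct Hi' as ([j y]&Hj&?).
    rewrite elem_of_map_to_list in Hj; simplify_option_eq.
Qed.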

(** ** Properties of conversion from collections *)
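(** [map_of_collection f X] binds [i] to [x] exactly when [i ∈ X] and
[f i = Some x]. The auxiliary [NoDup] fact (keys of the [omap]-ed element
list are distinct, inherited from [NoDup_elements]) is what allows the
[elem_of_map_of_list] characterisation to be applied. *)
Lemma lookup_map_of_collection {A} `{FinCollection K C}
    (f : K → option A) X i x :
  map_of_collection f X !! i = Some x ↔ i ∈ X ∧ f i = Some x.
Proof.
  assert (NoDup (fst <$> omap (λ i, (i,) <$> f i) (elements X))).
  { induction (NoDup_elements X) as [|i' l]; csimpl; [constructor|].
    destruct (f i') as [x'|]; csimpl; auto; constructor; auto.
    rewrite elem_of_list_fmap. setoid_rewrite elem_of_list_omap.
    by intros (?&?&?&?&?); simplify_option_eq. }
  unfold map_of_collection; rewrite <-elem_of_map_of_list by done.
  rewrite elem_of_list_omap. setoid_rewrite elem_of_elements; split.
  - intros (?&?&?); simplify_option_eq; eauto.
  - intros [??]; exists i; simplify_option_eq; eauto.
Qed.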

(** ** Induction principles *)
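(** Induction principle for finite maps: to prove [P] for every map it
suffices to prove it for [∅] and to show it is preserved by inserting a
fresh key. The proof reduces to induction on an association list with
duplicate-free keys, using [map_to_list_insert_inv] to peel off one binding
per step. *)
Lemma map_ind {A} (P : M A → Prop) :
  P ∅ → (∀ i x m, m !! i = None → P m → P (<[i:=x]>m)) → ∀ m, P m.
Proof.
  intros ? Hins. cut (∀ l, NoDup (l.*1) → ∀ m, map_to_list m ≡ₚ l → P m).
  { intros help m.
    apply (help (map_to_list m)); auto using NoDup_fst_map_to_list. }
  induction l as [|[i x] l IH]; intros Hnodup m Hml.
  { apply map_to_list_empty_inv_alt in Hml. by subst. }
  inversion_clear Hnodup.
  apply map_to_list_insert_inv in Hml; subst m. apply Hins.
  - by apply not_elem_of_map_of_list_1.
  - apply IH; auto using map_to_of_list.
Qed.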
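(** Strict map inclusion strictly increases the length of the association
list. Induction on [m1]; in the base case [m2] cannot be empty because [⊂] is
irreflexive, and in the step case [insert_subset_inv] splits the same key
off [m2]. *)
Lemma map_to_list_length {A} (m1 m2 : M A) :
  m1 ⊂ m2 → length (map_to_list m1) < length (map_to_list m2).
Proof.
  revert m2. induction m1 as [|i x m ? IH] using map_ind.
  { intros m2 Hm2. rewrite map_to_list_empty. simpl.
    apply neq_0_lt. intros Hlen. symmetry in Hlen.
    apply nil_length_inv, map_to_list_empty_inv in Hlen.
    rewrite Hlen in Hm2. destruct (irreflexivity (⊂) ∅ Hm2). }
  intros m2 Hm2.
  destruct (insert_subset_inv m m2 i x) as (m2'&?&?&?); auto; subst.
  rewrite !map_to_list_insert; simpl; auto with arith.
Qed.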
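(** Strict inclusion on finite maps is well-founded: project onto the length
of the association list, which [map_to_list_length] shows to be strictly
monotone, and use [lt_wf] on [nat]. This is what justifies well-founded
recursion over maps. *)
Lemma map_wf {A} : wf (strict (@subseteq (M A) _)).
Proof.
  apply (wf_projected (<) (length ∘ map_to_list)).
  - by apply map_to_list_length.
  - by apply lt_wf.
Qed.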

(** ** Properties of the [map_Forall] predicate *)
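(** Throughout this section, [P] is a predicate on key/value pairs and
[map_Forall P m] states that every binding of [m] satisfies it. *)
Section map_Forall.
Context {A} (P : K → A → Prop).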

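(** [map_Forall] is the list predicate [Forall] over the association list,
with [P] uncurried. Both directions go through [elem_of_map_to_list]. *)
Lemma map_Forall_to_list m : map_Forall P m ↔ Forall (curry P) (map_to_list m).
Proof.
  rewrite Forall_forall. split.
  - intros Hforall [i x]. rewrite elem_of_map_to_list. by apply (Hforall i x).
  - intros Hforall i x. rewrite <-elem_of_map_to_list. by apply (Hforall (i,x)).
Qed.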
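(** The empty map vacuously satisfies any [map_Forall]. *)
Lemma map_Forall_empty : map_Forall P ∅.
Proof. intros i x. by rewrite lookup_empty. Qed.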
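(** [map_Forall] is monotone in the predicate. *)
Lemma map_Forall_impl (Q : K → A → Prop) m :
  map_Forall P m → (∀ i x, P i x → Q i x) → map_Forall Q m.
Proof. unfold map_Forall; naive_solver. Qed.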
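(** The inserted binding itself satisfies [P]. No freshness of [i] is needed
here, since [lookup_insert] already yields [Some x]. *)
Lemma map_Forall_insert_11 m i x : map_Forall P (<[i:=x]>m) → P i x.
Proof. intros Hm. by apply Hm; rewrite lookup_insert. Qed.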
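(** The remaining bindings satisfy [P]. Freshness [m !! i = None] is needed:
it guarantees every binding [j] of [m] differs from [i], so [lookup_insert_ne]
applies. *)
Lemma map_Forall_insert_12 m i x :
  m !! i = None → map_Forall P (<[i:=x]>m) → map_Forall P m.
Proof.
  intros ? Hm j y ?; apply Hm. by rewrite lookup_insert_ne by congruence.
Qed.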
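(** Introduction rule: [map_Forall] is preserved by inserting a binding that
satisfies [P] (no freshness required, by [lookup_insert_Some]). *)
Lemma map_Forall_insert_2 m i x :
  P i x → map_Forall P m → map_Forall P (<[i:=x]>m).
Proof. intros ?? j y; rewrite lookup_insert_Some; naive_solver. Qed.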
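(** Full characterisation of [map_Forall] on an insert of a fresh key,
assembled from the three lemmas above. *)
Lemma map_Forall_insert m i x :
  m !! i = None → map_Forall P (<[i:=x]>m) ↔ P i x ∧ map_Forall P m.
Proof.
  naive_solver eauto using map_Forall_insert_11,
    map_Forall_insert_12, map_Forall_insert_2.
Qed.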
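(** Induction principle restricted to maps satisfying [map_Forall P]: the
step case may additionally assume [P i x] and [map_Forall P m]. Derived from
[map_ind] and [map_Forall_insert]. *)
Lemma map_Forall_ind (Q : M A → Prop) :
  Q ∅ →
  (∀ m i x, m !! i = None → P i x → map_Forall P m → Q m → Q (<[i:=x]>m)) →
  ∀ m, map_Forall P m → Q m.
Proof.
  intros Hnil Hinsert m. induction m using map_ind; auto.
  rewrite map_Forall_insert by done; intros [??]; eauto.
Qed.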

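(** The remaining results of this section assume [P] is pointwise decidable. *)
Context `{∀ i x, Decision (P i x)}.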
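(** [map_Forall P m] is decidable, by deciding [Forall (curry P)] on the
association list and transporting along [map_Forall_to_list]. *)
Global Instance map_Forall_dec m : Decision (map_Forall P m).
Proof.
  refine (cast_if (decide (Forall (curry P) (map_to_list m))));
    by rewrite map_Forall_to_list.
Defined.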
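(** Negating [map_Forall] yields an explicit counterexample binding. The
left-to-right direction goes through [not_Forall_Exists] on the association
list, which presumably requires the [Decision] instance assumed in the
enclosing [Context]; the converse needs no decidability. *)
Lemma map_not_Forall (m : M A) :
  ¬map_Forall P m ↔ ∃ i x, m !! i = Some x ∧ ¬P i x.
Proof.
  split; [|intros (i&x&?&?) Hm; specialize (Hm i x); tauto].
  rewrite map_Forall_to_list. intros Hm.
  apply (not_Forall_Exists _), Exists_exists in Hm.
  destruct Hm as ([i x]&?&?). exists i, x. by rewrite <-elem_of_map_to_list.
Qed.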
End map_Forall.

(** ** Properties of the [merge] operation *)
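(** Algebraic properties of [merge f] for a homogeneous [f]. The [DiagNone f]
assumption (presumably [f None None = None]; it is what [lookup_merge] needs)
makes [merge f] computable pointwise. *)
Section merge.
Context {A} (f : option A → option A → option A) `{!DiagNone f}.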
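(** [∅] is a left identity of [merge f] whenever [None] is a left identity
of [f]; proved pointwise via [lookup_merge] and [lookup_empty]. *)
Global Instance: LeftId (=) None f → LeftId (=) ∅ (merge f).
Proof.
  intros ??. apply map_eq. intros.
  by rewrite !(lookup_merge f), lookup_empty, (left_id_L None f).
Qed.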
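(** Mirror image of the previous instance for right identities. *)
Global Instance: RightId (=) None f → RightId (=) ∅ (merge f).
Proof.
  intros ??. apply map_eq. intros.
  by rewrite !(lookup_merge f), lookup_empty, (right_id_L None f).
Qed.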
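(** [merge f] commutes on [m1], [m2] as soon as [f] commutes on their
pointwise lookups (weaker than requiring [f] to be commutative everywhere). *)
Lemma merge_comm m1 m2 :
  (∀ i, f (m1 !! i) (m2 !! i) = f (m2 !! i) (m1 !! i)) →
  merge f m1 m2 = merge f m2 m1.
Proof. intros. apply map_eq. intros. by rewrite !(lookup_merge f). Qed.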
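(** A commutative [f] yields a commutative [merge f]. *)
Global Instance merge_comm' : Comm (=) f → Comm (=) (merge f).
Proof. intros ???. apply merge_comm. intros. by apply (comm f). Qed.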
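(** Pointwise associativity of [f] on the three maps' lookups gives
associativity of [merge f] on those maps. *)
Lemma merge_assoc m1 m2 m3 :
  (∀ i, f (m1 !! i) (f (m2 !! i) (m3 !! i)) =
        f (f (m1 !! i) (m2 !! i)) (m3 !! i)) →
  merge f m1 (merge f m2 m3) = merge f (merge f m1 m2) m3.
Proof. intros. apply map_eq. intros. by rewrite !(lookup_merge f). Qed.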
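(** An associative [f] yields an associative [merge f]. *)
Global Instance merge_assoc' : Assoc (=) f → Assoc (=) (merge f).
Proof. intros ????. apply merge_assoc. intros. by apply (assoc_L f). Qed.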
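(** [merge f m1 m1 = m1] whenever [f] is idempotent on the lookups of [m1]. *)
Lemma merge_idemp m1 :
  (∀ i, f (m1 !! i) (m1 !! i) = m1 !! i) → merge f m1 m1 = m1.
Proof. intros. apply map_eq. intros. by rewrite !(lookup_merge f). Qed.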
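(** An idempotent [f] yields an idempotent [merge f]. *)
Global Instance merge_idemp' : IdemP (=) f → IdemP (=) (merge f).
Proof. intros ??. apply merge_idemp. intros. by apply (idemp f). Qed.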
End merge.

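(** Properties of [merge f] for a heterogeneous [f : option A → option B →
option C], again under the [DiagNone f] assumption required by
[lookup_merge]. *)
Section more_merge.
Context {A B C} (f : option A → option B → option C) `{!DiagNone f}.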

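(** [merge f m1 m2] is the unique map whose lookups are [f] applied pointwise
to the lookups of [m1] and [m2]. *)
Lemma merge_Some m1 m2 m :
  (∀ i, m !! i = f (m1 !! i) (m2 !! i)) ↔ merge f m1 m2 = m.
Proof.
  split; [|intros <-; apply (lookup_merge _) ].
  intros Hlookup. apply map_eq; intros. rewrite Hlookup. apply (lookup_merge _).
Qed.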
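(** Merging two empty maps gives the empty map; after [lookup_empty] this
is exactly the [DiagNone f] assumption, pointwise. *)
Lemma merge_empty : merge f ∅ ∅ = ∅.
Proof. apply map_eq. intros. by rewrite !(lookup_merge f), !lookup_empty. Qed.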
Lemma partial_alter_merge g g1 g2 m1 m2 i :
  g (f (m1 !! i) (m2 !! i)) = f (g1 (m1 !! i)) (g2 (m2 !! i)) 
  partial_alter g i (merge f m1 m2) =
    merge f (partial_alter g1 i m1) (partial_alter g2 i m2).
Proof.
  intro. apply map_eq. intros j. destruct (decide (i = j)); subst.