theory EdmondsKarp_Termination_Abstract
imports Ford_Fulkerson
section ‹Edmonds-Karp Algorithm›

lemma mlex_fst_decrI:
  fixes a a' b b' N :: nat
  assumes "a<a'"
  assumes "b<N" "b'<N"
  shows "a*N + b < a'*N + b'"
proof -  
  have "a*N + b + 1 ≤ a*N + N" using ‹b<N› by linarith 
  also have "… ≤ a'*N" using ‹a<a'›
    by (metis Suc_leI ab_semigroup_add_class.add.commute 
      ab_semigroup_mult_class.mult.commute mult_Suc_right mult_le_mono2) 
  also have "… ≤ a'*N + b'" by auto
  finally show ?thesis by auto

lemma (in NFlow) augmenting_path_imp_shortest: 
  "isAugmentingPath p ⟹ ∃p. Graph.isShortestPath cf s p t"
  using Graph.obtain_shortest_path unfolding isAugmentingPath_def
  by (fastforce simp: Graph.isSimplePath_def Graph.connected_def)

lemma (in NFlow) shortest_is_augmenting: 
  "Graph.isShortestPath cf s p t ⟹ isAugmentingPath p"
  unfolding isAugmentingPath_def using Graph.shortestPath_is_simple
  by (fastforce)

subsection ‹Complexity and Termination Analysis›
text ‹
  In this section, we show that the loop iterations of the Edmonds-Karp algorithm
  are bounded by $O(VE)$.

  The basic idea of the proof is, that a path that
  takes an edge reverse to an edge on some shortest path 
  cannot be a shortest path itself.

  As augmentation flips at least one edge, this yields a termination argument:
    After augmentation, either the minimum distance between source and target
    increases, or it remains the same, but the number of edges that lay on a
    shortest path decreases. As the minimum distance is bounded by $V$, 
    we get termination within $O(VE)$ loop iterations.

context Graph begin

text ‹
  The basic idea is expressed in the following lemma, which, however, 
  is not general enough to be applied for the correctness proof, where
  we flip more than one edge simultaneously.
lemma isShortestPath_flip_edge:
  assumes "isShortestPath s p t" "(u,v)∈set p"
  assumes "isPath s p' t" "(v,u)∈set p'"
  shows "length p' ≥ length p + 2"
  using assms
proof -
  from ‹isShortestPath s p t› have 
    MIN: "min_dist s t = length p" and 
      P: "isPath s p t" and 
     DV: "distinct (pathVertices s p)"
    by (auto simp: isShortestPath_alt isSimplePath_def)
  from ‹(u,v)∈set p› obtain p1 p2 where [simp]: "p=p1@(u,v)#p2"
    by (auto simp: in_set_conv_decomp)
  from P DV have [simp]: "u≠v"
    by (cases p2) (auto simp add: isPath_append pathVertices_append)

  from P have DISTS: "dist s (length p1) u" "dist u 1 v" "dist v (length p2) t"
    by (auto simp: isPath_append dist_def intro: exI[where x="[(u,v)]"])

  from MIN have MIN': "min_dist s t = length p1 + 1 + length p2" by auto

  from min_dist_split[OF dist_trans[OF DISTS(1,2)] DISTS(3) MIN'] have
    MDSV: "min_dist s v = length p1 + 1" by simp
  from min_dist_split[OF DISTS(1) dist_trans[OF DISTS(2,3)]] MIN' have
    MDUT: "min_dist u t = 1 + length p2" by simp

  from ‹(v,u)∈set p'› obtain p1' p2' where [simp]: "p'=p1'@(v,u)#p2'"
    by (auto simp: in_set_conv_decomp)

  from ‹isPath s p' t› have 
    DISTS': "dist s (length p1') v" "dist u (length p2') t"
    by (auto simp: isPath_append dist_def)
  from DISTS'[THEN min_dist_minD, unfolded MDSV MDUT] show
    "length p + 2 ≤ length p'" by auto

text ‹
  To be used for the analysis of augmentation, we have to generalize the 
  lemma to simultaneous flipping of edges:
lemma isShortestPath_flip_edges:
  assumes "Graph.E c' ⊇ E - edges" "Graph.E c' ⊆ E ∪ (prod.swap`edges)"
  assumes SP: "isShortestPath s p t" and EDGES_SS: "edges ⊆ set p"
  assumes P': "Graph.isPath c' s p' t" "prod.swap`edges ∩ set p' ≠ {}"
  shows "length p + 2 ≤ length p'"
proof -
  interpret g': Graph c' .

  (* TODO: The proof still contains some redundancy: A first flipped edge
    is searched in both, the induction, and the initialization *)
    fix u v p1 p2'
    assume "(u,v)∈edges"
       and "isPath s p1 v" and "g'.isPath u p2' t"
    hence "min_dist s t < length p1 + length p2'"   
    proof (induction p2' arbitrary: u v p1 rule: length_induct)
      case (1 p2')
      note IH = "1.IH"[rule_format]
      note P1 = ‹isPath s p1 v›
      note P2' = ‹g'.isPath u p2' t›

      have "length p1 > min_dist s u"
      proof -
        from P1 have "length p1 ≥ min_dist s v"
          using min_dist_minD by (auto simp: dist_def)
        moreover from ‹(u,v)∈edges› EDGES_SS 
        have "min_dist s v = Suc (min_dist s u)"
          using isShortestPath_level_edge[OF SP] by auto
        ultimately show ?thesis by auto

      from isShortestPath_level_edge[OF SP] ‹(u,v)∈edges› EDGES_SS 
            "min_dist s t = min_dist s u + min_dist u t" 
        and "connected s u"
      by auto

      show ?case
      proof (cases "prod.swap`edges ∩ set p2' = {}")
        ― ‹We proceed by a case distinction whether the suffix path contains swapped edges›
        case True 
        with g'.transfer_path[OF _ P2', of c] ‹g'.E ⊆ E ∪ prod.swap ` edges›
        have "isPath u p2' t" by auto
        hence "length p2' ≥ min_dist u t" using min_dist_minD
          by (auto simp: dist_def)
        moreover note ‹length p1 > min_dist s u›
        moreover note ‹min_dist s t = min_dist s u + min_dist u t›
        ultimately show ?thesis by auto
        case False
        ― ‹Obtain first swapped edge on suffix path›
        obtain p21' e' p22' where [simp]: "p2'=p21'@e'#p22'" and 
           E_IN_EDGES: "e'∈prod.swap`edges" and 
          P1_NO_EDGES: "prod.swap`edges ∩ set p21' = {}"
          apply (rule split_list_first_propE[of p2' "λe. e∈prod.swap`edges"])
          using ‹prod.swap ` edges ∩ set p2' ≠ {}› by fastforce+
        obtain u' v' where [simp]: "e'=(v',u')" by (cases e')      
        ― ‹Split the suffix path accordingly›
        from P2' have P21': "g'.isPath u p21' v'" and P22': "g'.isPath u' p22' t"
          by (auto simp: g'.isPath_append)
        ― ‹As we chose the first edge, the prefix of the suffix path is also a path in the original graph›  
          g'.transfer_path[OF _ P21', of c] 
          ‹g'.E ⊆ E ∪ prod.swap ` edges› 
        have P21: "isPath u p21' v'" by auto
        from min_dist_is_dist[OF ‹connected s u›] 
        obtain psu where 
              PSU: "isPath s psu u" and 
          LEN_PSU: "length psu = min_dist s u" 
          by (auto simp: dist_def)
        from PSU P21 have P1n: "isPath s (psu@p21') v'" 
          by (auto simp: isPath_append)
        from IH[OF _ _ P1n P22'] E_IN_EDGES have 
          "min_dist s t < length psu + length p21' + length p22'" 
          by auto
        moreover note ‹length p1 > min_dist s u›
        ultimately show ?thesis by (auto simp: LEN_PSU)
  } note aux=this

  (* TODO: This step is analogous to what we do in the False-case of the induction.
    Can we somehow remove the redundancy? *)
  ― ‹Obtain first swapped edge on path›
  obtain p1' e p2' where [simp]: "p'=p1'@e#p2'" and 
    E_IN_EDGES: "e∈prod.swap`edges" and 
    P1_NO_EDGES: "prod.swap`edges ∩ set p1' = {}"
    apply (rule split_list_first_propE[of p' "λe. e∈prod.swap`edges"])
    using ‹prod.swap ` edges ∩ set p' ≠ {}› by fastforce+
  obtain u v where [simp]: "e=(v,u)" by (cases e)      

  ― ‹Split the new path accordingly›
  from ‹g'.isPath s p' t› have 
    P1': "g'.isPath s p1' v" and 
    P2': "g'.isPath u p2' t"
    by (auto simp: g'.isPath_append)
  ― ‹As we chose the first edge, the prefix of the path is also a path in the original graph›  
    g'.transfer_path[OF _ P1', of c] 
    ‹g'.E ⊆ E ∪ prod.swap ` edges› 
  have P1: "isPath s p1' v" by auto
  from aux[OF _ P1 P2'] E_IN_EDGES 
  have "min_dist s t < length p1' + length p2'"
    by auto
  thus ?thesis using SP 
    by (auto simp: isShortestPath_min_dist_def)

end ― ‹Graph›

text ‹We outsource the more specific lemmas to their own locale, 
  to prevent name space pollution›
locale ek_analysis_defs = Graph +
  fixes s t :: node

locale ek_analysis = ek_analysis_defs + Finite_Graph

definition (in ek_analysis_defs) 
  "spEdges ≡ {e. ∃p. e∈set p ∧ isShortestPath s p t}"

lemma spEdges_ss_E: "spEdges ⊆ E"
  using isPath_edgeset unfolding spEdges_def isShortestPath_def by auto

lemma finite_spEdges[simp, intro]: "finite (spEdges)"  
  using finite_subset[OF spEdges_ss_E] 
  by blast

definition (in ek_analysis_defs) "uE ≡ E ∪ E¯"

lemma finite_uE[simp,intro]: "finite uE"
  by (auto simp: uE_def)

lemma E_ss_uE: "E⊆uE"  
  by (auto simp: uE_def)

lemma card_spEdges_le:
  shows "card spEdges ≤ card uE"
  apply (rule card_mono)
  apply (auto simp: order_trans[OF spEdges_ss_E E_ss_uE])

lemma card_spEdges_less:
  shows "card spEdges < card uE + 1"
  using card_spEdges_le 
  by auto

definition (in ek_analysis_defs) "ekMeasure ≡ 
  if (connected s t) then
    (card V - min_dist s t) * (card uE + 1) + (card (spEdges))
  else 0"

lemma measure_decr:
  assumes SV: "s∈V"
  assumes SP: "isShortestPath s p t"
  assumes SP_EDGES: "edges⊆set p"
  assumes Ebounds: 
    "Graph.E c' ⊇ E - edges ∪ prod.swap`edges" 
    "Graph.E c' ⊆ E ∪ prod.swap`edges"
  shows "ek_analysis_defs.ekMeasure c' s t ≤ ekMeasure"
    and "edges - Graph.E c' ≠ {} 
         ⟹ ek_analysis_defs.ekMeasure c' s t < ekMeasure"
proof -
  interpret g': ek_analysis_defs c' s t .

  interpret g': ek_analysis c' s t
    apply intro_locales
    apply (rule g'.Finite_Graph_EI)
    using finite_subset[OF Ebounds(2)] finite_subset[OF SP_EDGES]
    by auto
  from SP_EDGES SP have "edges ⊆ E" 
    by (auto simp: spEdges_def isShortestPath_def dest: isPath_edgeset)
  with Ebounds have Veq[simp]: "Graph.V c' = V"
    by (force simp: Graph.V_def)

  from Ebounds ‹edges ⊆ E› have uE_eq[simp]: "g'.uE = uE"  
    by (force simp: ek_analysis_defs.uE_def)

  from SP have LENP: "length p = min_dist s t" 
    by (auto simp: isShortestPath_min_dist_def) 

  from SP have CONN: "connected s t" 
    by (auto simp: isShortestPath_def connected_def)

    assume NCONN2: "¬g'.connected s t"
    hence "s≠t" by auto
    with CONN NCONN2 have "g'.ekMeasure < ekMeasure"
      unfolding g'.ekMeasure_def ekMeasure_def
      using min_dist_less_V[OF SV]
      by auto
  } moreover {
    assume SHORTER: "g'.min_dist s t < min_dist s t"
    assume CONN2: "g'.connected s t"

    ― ‹Obtain a shorter path in $g'$›
    from g'.min_dist_is_dist[OF CONN2] obtain p' where
      P': "g'.isPath s p' t" and LENP': "length p' = g'.min_dist s t"
      by (auto simp: g'.dist_def)

    { ― ‹Case: It does not use @{term "prod.swap`edges"}. 
        Then it is also a path in $g$, which is shorter than 
        the shortest path in $g$, yielding a contradiction.›
      assume "prod.swap`edges ∩ set p' = {}"
      with g'.transfer_path[OF _ P', of c] Ebounds have "dist s (length p') t"
        by (auto simp: dist_def)
      from LENP' SHORTER min_dist_minD[OF this] have False by auto 
    } moreover {
      ― ‹So assume the path uses the edge @{term "prod.swap e"}.›
      assume "prod.swap`edges ∩ set p' ≠ {}"
      ― ‹Due to auxiliary lemma, those path must be longer›
      from isShortestPath_flip_edges[OF _ _ SP SP_EDGES P' this] Ebounds
      have "length p' > length p" by auto
      with SHORTER LENP LENP' have False by auto
    } ultimately have False by auto
  } moreover {
    assume LONGER: "g'.min_dist s t > min_dist s t"
    assume CONN2: "g'.connected s t"
    have "g'.ekMeasure < ekMeasure"
      unfolding g'.ekMeasure_def ekMeasure_def
      apply (simp only: Veq uE_eq CONN CONN2 if_True)
      apply (rule mlex_fst_decrI)
      using card_spEdges_less g'.card_spEdges_less 
        and g'.min_dist_less_V[OF _ CONN2] SV
        and LONGER
      apply auto

  } moreover {
    assume EQ: "g'.min_dist s t = min_dist s t"
    assume CONN2: "g'.connected s t"

      fix p'
      assume P': "g'.isShortestPath s p' t"
      have "prod.swap`edges ∩ set p' = {}" 
      proof (rule ccontr) 
        assume EIP': "prod.swap`edges ∩ set p' ≠ {}"
        from P' have 
             P': "g'.isPath s p' t" and 
          LENP': "length p' = g'.min_dist s t"
          by (auto simp: g'.isShortestPath_min_dist_def)
        from isShortestPath_flip_edges[OF _ _ SP SP_EDGES P' EIP'] Ebounds 
        have "length p + 2 ≤ length p'" by auto
        with LENP LENP' EQ show False by auto
      with g'.transfer_path[of p' c s t] P' Ebounds have "isShortestPath s p' t"
        by (auto simp: Graph.isShortestPath_min_dist_def EQ)
    } hence SS: "g'.spEdges ⊆ spEdges" by (auto simp: g'.spEdges_def spEdges_def)
      assume "edges - Graph.E c' ≠ {}"
      with g'.spEdges_ss_E SS SP SP_EDGES have "g'.spEdges ⊂ spEdges"
        unfolding g'.spEdges_def spEdges_def by fastforce
      hence "g'.ekMeasure < ekMeasure"  
        unfolding g'.ekMeasure_def ekMeasure_def 
        apply (simp only: Veq uE_eq EQ CONN CONN2 if_True)
        apply (rule add_strict_left_mono)
        apply (rule psubset_card_mono)
        apply simp
        by simp
    } note G1 = this

    have G2: "g'.ekMeasure ≤ ekMeasure"
      unfolding g'.ekMeasure_def ekMeasure_def
      apply (simp only: Veq uE_eq CONN CONN2 if_True)
      apply (rule add_mono[OF mult_right_mono])
      apply (simp add: EQ)
      apply simp
      apply (rule card_mono)
      apply simp
      by fact
    note G1 G2  
  } ultimately show 
    "g'.ekMeasure ≤ ekMeasure" 
    "edges - Graph.E c' ≠ {} ⟹ g'.ekMeasure < ekMeasure"
    using less_linear[of "g'.min_dist s t" "min_dist s t"]   
    apply -
    apply (fastforce)+


end ― ‹Analysis locale› 

text ‹As a first step to the analysis setup, we characterize
  the effect of augmentation on the residual graph
context Graph

definition "augment_cf edges cap ≡ λe. 
  if e∈edges then c e - cap 
  else if prod.swap e∈edges then c e + cap
  else c e"

lemma augment_cf_empty[simp]: "augment_cf {} cap = c" 
  by (auto simp: augment_cf_def)

lemma augment_cf_ss_V: "⟦edges ⊆ E⟧ ⟹ Graph.V (augment_cf edges cap) ⊆ V"  
  unfolding Graph.E_def Graph.V_def
  by (auto simp add: augment_cf_def) []
lemma augment_saturate:
  fixes edges e
  defines "c' ≡ augment_cf edges (c e)"
  assumes EIE: "e∈edges"
  shows "e∉Graph.E c'"
  using EIE unfolding c'_def augment_cf_def
  by (auto simp: Graph.E_def)

lemma augment_cf_split: 
  assumes "edges1 ∩ edges2 = {}" "edges1¯ ∩ edges2 = {}"
  shows "Graph.augment_cf c (edges1 ∪ edges2) cap 
    = Graph.augment_cf (Graph.augment_cf c edges1 cap) edges2 cap"  
  using assms
  by (fastforce simp: Graph.augment_cf_def intro!: ext)
end ― ‹Graph›

context NFlow begin

lemma augmenting_edge_no_swap: "isAugmentingPath p ⟹ set p ∩ (set p)¯ = {}"
  using cf.isSPath_nt_parallel_pf
  by (auto simp: isAugmentingPath_def)

lemma aug_flows_finite[simp, intro!]: 
  "finite {cf e |e. e ∈ set p}"
  apply (rule finite_subset[where B="cf`set p"])
  by auto

lemma aug_flows_finite'[simp, intro!]: 
  "finite {cf (u,v) |u v. (u,v) ∈ set p}"
  apply (rule finite_subset[where B="cf`set p"])
  by auto

lemma augment_alt:
  assumes AUG: "isAugmentingPath p"
  defines "f' ≡ augment (augmentingFlow p)"
  defines "cf' ≡ residualGraph c f'"
  shows "cf' = Graph.augment_cf cf (set p) (resCap p)"
proof -
    fix u v
    assume "(u,v)∈set p"
    hence "resCap p ≤ cf (u,v)"
      unfolding resCap_def by (auto intro: Min_le)
  } note bn_smallerI = this

    fix u v
    assume "(u,v)∈set p"
    hence "(u,v)∈cf.E" using AUG cf.isPath_edgeset
      by (auto simp: isAugmentingPath_def cf.isSimplePath_def)
    hence "(u,v)∈E ∨ (v,u)∈E" using cfE_ss_invE by (auto)
  } note edge_or_swap = this 

  show ?thesis  
    apply (rule ext)
    unfolding cf.augment_cf_def
    using augmenting_edge_no_swap[OF AUG]
    apply (auto 
      simp: augment_def augmentingFlow_def cf'_def f'_def residualGraph_def
      split: prod.splits
      dest: edge_or_swap 

lemma augmenting_path_contains_resCap:
  assumes "isAugmentingPath p"
  obtains e where "e∈set p" "cf e = resCap p" 
proof -  
  from assms have "p≠[]" by (auto simp: isAugmentingPath_def s_not_t)
  hence "{cf e | e. e ∈ set p} ≠ {}" by (cases p) auto
  with Min_in[OF aug_flows_finite this, folded resCap_def]
    obtain e where "e∈set p" "cf e = resCap p" by auto
  thus ?thesis by (blast intro: that)
text ‹Finally, we show the main theorem used for termination and complexity 
  analysis: Augmentation with a shortest path decreases the measure function.›
theorem shortest_path_decr_ek_measure:
  fixes p
  assumes SP: "Graph.isShortestPath cf s p t"
  defines "f' ≡ augment (augmentingFlow p)"
  defines "cf' ≡ residualGraph c f'"
  shows "ek_analysis_defs.ekMeasure cf' s t < ek_analysis_defs.ekMeasure cf s t"
proof -
  interpret cf: ek_analysis cf by unfold_locales
  interpret cf': ek_analysis_defs cf' .

  from SP have AUG: "isAugmentingPath p" 
    unfolding isAugmentingPath_def cf.isShortestPath_alt by simp

  note BNGZ = resCap_gzero[OF AUG]  

  have cf'_alt: "cf' = cf.augment_cf (set p) (resCap p)"
    using augment_alt[OF AUG] unfolding cf'_def f'_def by simp

  obtain e where
    EIP: "e∈set p" and EBN: "cf e = resCap p"
    by (rule augmenting_path_contains_resCap[OF AUG]) auto

  have ENIE': "e∉cf'.E" 
    using cf.augment_saturate[OF EIP] EBN by (simp add: cf'_alt)
  { fix e  
    have "cf e + resCap p ≠ 0" using resE_nonNegative[of e] BNGZ by auto 
  } note [simp] = this  
  { fix e
    assume "e∈set p"
    hence "e ∈ cf.E"
      using cf.shortestPath_is_path[OF SP] cf.isPath_edgeset by blast
    hence "cf e > 0 ∧ cf e ≠ 0" using resE_positive[of e] by auto
  } note [simp] = this

  show ?thesis 
    apply (rule cf.measure_decr(2))
    apply (simp_all add: s_node)
    apply (rule SP)
    apply (rule order_refl)

    apply (rule conjI)
      apply (unfold Graph.E_def) []
      apply (auto simp: cf'_alt cf.augment_cf_def) []

      using augmenting_edge_no_swap[OF AUG]
      apply (fastforce 
        simp: cf'_alt cf.augment_cf_def Graph.E_def 
        simp del: cf.zero_cap_simp) []
    apply (unfold Graph.E_def) []
    apply (auto simp: cf'_alt cf.augment_cf_def) []
    using EIP ENIE' apply auto []

end ― ‹Network with flow›
