Institute of Computer Science
  1. Courses
  2. 2018/19 fall
  3. Systems Modelling (MTAT.03.083)
ET
Log in

Systems Modelling 2018/19 fall

Home
Lectures
Practicals
Assessment

Submit
Extra credit

Message Board
Readings

Solutions

Peterson's algorithm

We only did Peterson's algorithm in the second lab. (I will briefly go over the temporal formula's next Tuseday). Here's the algorithm: 

fair process thread \in Threads
variable other = CHOOSE t \in Threads : t /= self
begin
  P1: flag[self] := TRUE;
  P2: turn := other;
  P3: await ~flag[other] \/ turn = self;
  CS: skip;
  P4: flag[self] := FALSE;
  P5: goto P1
end process;

Ferryman

By defining some auxiliary values, we can simplify the algorithm significantly. We also include the "ferryman" as part of the goods, so he can pick himself in order to cross on his own. Here's a polished version of what we had on Tuesday, but the flaw is still there! 

------------------------------ MODULE ferryman ------------------------------
(*--algorithm ferryman

variable
  pos = [item \in goods |-> "left"]

define
  goods == {"goat", "cabbage", "wolf", "ferryman"}
  flip(side) == CASE side = "left" -> "right" [] side = "right" -> "left"
  currentside == pos["ferryman"]
  otherside == flip(currentside)
  currentside_items == {it \in goods : pos[it] = currentside}

  Safe == \/ pos["goat"] = pos["wolf"] 
          \/ pos["goat"] = pos["cabbage"]
          => pos["ferryman"] = pos["goat"]

  Solved == \A item \in goods : pos[item] = "right"
  Solution == []Safe /\ <>Solved
  ThereIsNoSolution == ~Solution
end define

begin
  Ferry:
  with item \in currentside_items do
    pos[item] := otherside 
  end with;
  P1: 
  pos["ferryman"] := otherside;
  goto Ferry
end algorithm*)
=============================================================================

If we try to use TLA+ to disprove that ThereIsNoSolition, we find that TLA fails; indeed, this algorithm doesn't have a solution. The problem is actually worth noting. I spoke at length about these labels during the lecture, so we all (even me!) probably understand that adding the label P1 will no longer make the assignments atomic. (We had to add the label because we can't assign twice to the same struct in an atomic section.) Here's what I did not consider: these assignment actually have a meaning in the domain that we're modelling. It really does matter whether the ferryman is on the boat together with the goods or swims along and arrives a while after! Mistaken assumptions about atomicity requirements are a very common cause of errors; that's why I made this mistake. ;) Anyway, we can fix it by parallel assignment: 

begin
  Ferry:
  with item \in currentside_items do
    pos[item] := otherside || pos["ferryman"] := otherside
  end with;
  goto Ferry

If you run this, you should find a solution. When I try this, the counter-example is a solution where after having reached the final state, the ferryman goes back with the goat and stutters on the other side, probably admiring his solution from afar. This satisfies the formula. If we want him to stay at the solution, we can use Solution == []Safe /\ <>[]Solved.

  • Institute of Computer Science
  • Faculty of Science and Technology
  • University of Tartu
In case of technical problems or questions write to:

Contact the course organizers with the organizational and course content questions.
The proprietary copyrights of educational materials belong to the University of Tartu. The use of educational materials is permitted for the purposes and under the conditions provided for in the copyright law for the free use of a work. When using educational materials, the user is obligated to give credit to the author of the educational materials.
The use of educational materials for other purposes is allowed only with the prior written consent of the University of Tartu.
Terms of use for the Courses environment