cer fying a crash safe file system
play

Cer$fying a Crash-safe File System Nickolai Zeldovich - PowerPoint PPT Presentation

Mar 21, 2023 •176 likes •1.17k views

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang Chen, Alex Konradi, Stephanie Wang, Daniel Ziegler, Adam Chlipala, M. Frans Kaashoek File systems should not lose data People use file systems to

  1. Cer$fying a 
 Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang Chen, Alex Konradi, Stephanie Wang, Daniel Ziegler, Adam Chlipala, M. Frans Kaashoek

  2. File systems should not lose data • People use file systems to store permanent data • Computers can crash any$me • power failures • hardware failures (unplug USB drive) • soRware bugs • File systems should not lose or corrupt data in case of crashes

  3. File systems are complex and have bugs • Linux ext4: ~60,000 lines of code • Some bugs are serious: data loss, security exploits , etc. Cumula&ve number of bug patches in Linux file systems [Lu et al., FAST’13] 600 ext3 # of patches for bugs xfs 450 jfs reiserfs 300 ext4 btrfs 150 0 Dec-03 Apr-04 Dec-04 Jan-06 Feb-07 Apr-08 Jun-09 Aug-10 May-11

  4. Researches in avoiding bugs in file systems • Most research is on finding bugs • Crash injec$on (e.g., EXPLODE [OSDI’06]) • Symbolic execu$on (e.g., EXE [Oakland’06]) • Design modeling (e.g., in Alloy [ABZ’08]) • Some elimina$on of bugs by proving: • FS without directories [Arkoudas et al. 2004] • BilbyFS [Keller 2014] • UBIFS [Ernst et al. 2013]

  5. Researches in avoiding bugs in file systems • Most research is on finding bugs reduce 
 • Crash injec$on (e.g., EXPLODE [OSDI’06]) # of bugs • Symbolic execu$on (e.g., EXE [Oakland’06]) • Design modeling (e.g., in Alloy [ABZ’08]) • Some elimina$on of bugs by proving: • FS without directories [Arkoudas et al. 2004] • BilbyFS [Keller 2014] • UBIFS [Ernst et al. 2013]

  6. Researches in avoiding bugs in file systems • Most research is on finding bugs reduce 
 • Crash injec$on (e.g., EXPLODE [OSDI’06]) # of bugs • Symbolic execu$on (e.g., EXE [Oakland’06]) • Design modeling (e.g., in Alloy [ABZ’08]) • Some elimina$on of bugs by proving: • FS without directories [Arkoudas et al. 2004] incomplete • BilbyFS [Keller 2014] + no crashes • UBIFS [Ernst et al. 2013]

  7. Dealing with crashes is hard • Crashes expose many par$ally-updated states • Reasoning about all failure cases is hard • Performance op$miza$ons lead to more tricky par$al states • Disk I/O is expensive • Buffer updates in memory

  8. Dealing with crashes is hard A patch for Linux’s write-ahead logging (jbd) in 2012: “Is it safe to omit a disk write barrier here?” commit 353b67d8ced4dc53281c88150ad295e24bc4b4c5 Author: Jan Kara <jack@suse.cz> Date: Sat Nov 26 00:35:39 2011 +0100 Title: jbd: Issue cache flush after checkpointing --- a/fs/jbd/checkpoint.c It's unlikely this will be necessary, … but we +++ b/fs/jbd/checkpoint.c @@ -504,7 +503,25 @@ int cleanup_journal_tail(journal_t *journal) need this to guarantee correctness. spin_unlock(&journal->j_state_lock); return 1; Fortunately this func;on doesn't get called all } + spin_unlock(&journal->j_state_lock); that o<en. + + /* + * We need to make sure that any blocks that were recently written out + * --- perhaps by log_do_checkpoint() --- are flushed out before we + * drop the transactions from the journal. It's unlikely this will be + * necessary, especially with an appropriately sized journal, but we + * need this to guarantee correctness. Fortunately + * cleanup_journal_tail() doesn't get called all that often. + */ + if (journal->j_flags & JFS_BARRIER) + blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL); + spin_lock(&journal->j_state_lock); + if (!tid_gt(first_tid, journal->j_tail_sequence)) { + spin_unlock(&journal->j_state_lock); + /* Someone else cleaned up journal so return 0 */ + return 0; + }

  9. Goal: cer$fy a file system under crashes A complete file system with a machine-checkable proof that its implementa$on meets its specifica$on , both under normal execu@on and under any sequence of crashes, including crashes during recovery .

  10. Contribu$ons • CHL : Crash Hoare Logic • Specifica$on framework for crash-safety of storage • Crash condi$on and recovery seman$cs • Automa$on to reduce proof effort • FSCQ : the first cer$fied crash-safe file system • Basic Unix-like file system (no hard-links, no concurrency) • Precise specifica$on for the core subset of POSIX • I/O performance on par with Linux ext4 • CPU overhead is high

  11. FSCQ runs standard Unix programs FSCQ (wriNen in Coq) Crash Hoare Logic (CHL) Top-level specifica@on Internal specifica@ons Program Program Proof

  12. FSCQ runs standard Unix programs FSCQ (wriNen in Coq) Crash Hoare Logic (CHL) Top-level specifica@on Internal specifica@ons Program Program Proof Coq proof checker OK

  13. FSCQ runs standard Unix programs FSCQ (wriNen in Coq) Crash Hoare Logic (CHL) Top-level specifica@on Internal specifica@ons Program Mechanical 
 Proof code extrac$on Coq proof checker FSCQ’s Haskell code Haskell compiler OK FSCQ’s FUSE server

  14. FSCQ runs standard Unix programs FSCQ (wriNen in Coq) Crash Hoare Logic (CHL) Top-level specifica@on Internal specifica@ons Program Mechanical 
 Proof code extrac$on Coq proof checker FSCQ’s Haskell code Haskell compiler OK FSCQ’s FUSE server Haskell libraries & FUSE driver Linux kernel /dev/sda

  15. FSCQ runs standard Unix programs FSCQ (wriNen in Coq) Crash Hoare Logic (CHL) Top-level specifica@on Internal specifica@ons Program Mechanical 
 Proof code extrac$on Coq proof checker FSCQ’s Haskell code Haskell compiler OK FSCQ’s FUSE server $ mv src dest Haskell libraries $ git clone repo… & FUSE driver $ make disk read(), 
 syscalls FUSE upcalls write(), sync() Linux kernel /dev/sda

  16. FSCQ’s Trusted Compu@ng Base FSCQ (wriNen in Coq) Crash Hoare Logic (CHL) Top-level specifica@on Internal specifica@ons Program Mechanical 
 Proof code extrac@on Coq proof checker FSCQ’s Haskell code Haskell compiler OK FSCQ’s FUSE server $ mv src dest Haskell libraries $ git clone repo… & FUSE driver $ make disk read(), 
 syscalls FUSE upcalls write(), sync() Linux kernel /dev/sda

  17. Outline • Crash safety • What is the correct behavior aRer a crash? • Challenge 1: formalizing crashes • Crash Hoare Logic (CHL) • Challenge 2: incorpora$ng performance op$miza$ons • Disk sequences • Building a complete file system • Evalua$on

  18. What is crash safety ? • What guarantee should file system provide when it crashes and reboot? • Look it up in the POSIX standard?

  19. POSIX is vague about crash behavior [...] a power failure [...] can cause data to be lost. The data may be associated with a file that is s:ll open, with one that has been closed, with a directory, or with any other internal system data structures associated with permanent storage. This data can be lost, in whole or part, so that only careful inspec:on of file contents could determine that an update did not occur. IEEE Std 1003.1, 2013 Edi$on • POSIX’s goal was to specify “common-denominator” behavior • Gives freedom to file systems to implement their own op$miza$ons

  20. What is crash safety ? • What guarantee should file system provide when it crashes and reboot? • Look it up in the POSIX standard? (Too Vague) • A simple and useful defini$on is transac@onal • Atomicity : every file-system call is all-or-nothing • Durability : every call persists on disk when it returns • Run every file-system call inside a transac$on, using write-ahead logging .

  21. Write-ahead logging Disk

  22. Write-ahead logging ➡ log_begin() Disk Log 0

  23. Write-ahead logging 1. Append writes to the log ➡ log_begin() ➡ log_write(2, ‘a’) ➡ log_write(8, ‘b’) ➡ log_write(5, ‘c’) 2 8 5 Disk Log 0 a b c

  24. Write-ahead logging 1. Append writes to the log ➡ log_begin() ➡ log_write(2, ‘a’) 2. Set commit record ➡ log_write(8, ‘b’) ➡ log_write(5, ‘c’) ➡ log_commit() 2 8 5 Disk Log 3 0 a b c

  25. Write-ahead logging 1. Append writes to the log ➡ log_begin() ➡ log_write(2, ‘a’) 2. Set commit record ➡ log_write(8, ‘b’) 3. Apply the log to disk loca$ons ➡ log_write(5, ‘c’) ➡ log_commit() 2 8 5 Disk Log a c b 3 0 a b c

  26. Write-ahead logging 1. Append writes to the log ➡ log_begin() ➡ log_write(2, ‘a’) 2. Set commit record ➡ log_write(8, ‘b’) 3. Apply the log to disk loca$ons ➡ log_write(5, ‘c’) 4. Truncate the log ➡ log_commit() Disk Log a c b 0 • Recovery : aRer crash, replay (apply) any commiNed transac$on in the log • Atomicity : either all writes appear on disk or none do • Durability : all changes are persisted on disk when log_commit() returns

  27. Example: transac$onal crash safety … aYer crash … def create(dir, name): def log_recover(): log_begin() if committed: newfile = allocate_inode() log_apply() newfile.init() log_truncate() dir.add(name, newfile) log_commit() • Q: How to formally define what happens when the computer crashes? • Q: How to formally specify the behavior of “create” in presence of crash and recovery?

  28. Approach: Crash Hoare Logic {pre} code {post} SPEC disk write ( a , v ) a 7! v 0 PRE a 7! v POST

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej Chajed , Stephanie Wang, Alex Konradi, Atalay leri, Adam Chlipala, M. Frans Kaashoek, Nickolai Zeldovich File systems are difficult to make correct

1.19k views • 100 slides
Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann Jialin Li Arvind Krishnamurthy Emina Torlak Xi Wang University of Washington File systems persist our data Application File System File systems

937 views • 91 slides
to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

CrashMonkey: A Framework to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram University of Texas at Austin Crash Consistency File-system updates change multiple blocks on storage Data blocks, inodes,

499 views • 46 slides
TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting Zhu, Ian Neal, Youngjin Kwon, Tianyu Chen, Vijay Chidambaram, Emmett Witchel The University of Texas at Austin 1 Crash Applications need crash

819 views • 30 slides
Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016 Specifying and Checking File System Crash-Consistency Models Johannes Gutenberg Universitt Mainz Motivation The problem: POSIX

982 views • 71 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1 File systems are complex and have bugs File systems are complex (e.g.,

765 views • 52 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27 File systems are complex and have bugs File systems are complex (e.g.,

1.18k views • 50 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances?

Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances?

Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances? BSD Fast File System (FFS) How to improve the reliability in case of a crash? Log-Structured File system (LFS) Journaling File System (ext3)

600 views • 30 slides
Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea Arpaci-Dusseau Remzi Arpaci-Dusseau Crash Consistency Problem Single file-system operation updates multiple on-disk data structures System may crash

1.29k views • 83 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent

All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent

All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent Applications Thanumalayan Sankaranarayana Pillai Vijay Chidambaram Ramnatthan Alagappan, Samer Al-Kiswany Andrea Arpaci-Dusseau, Remzi Arpaci-Dusseau Crash

1.67k views • 110 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Tunable Static Inference for Generic Universe Types Werner Dietl Michael Ernst &amp; Peter

Tunable Static Inference for Generic Universe Types Werner Dietl Michael Ernst &amp; Peter

Tunable Static Inference for Generic Universe Types Werner Dietl Michael Ernst &amp; Peter Mller Generic Universe Types (GUT) Lightweight ownership type system Heap topology Owner-as-Modifier encapsulation discipline Glimpse

840 views • 40 slides
Want Congress to Do Something? Start by Building Relationships Matthew David Hom Bend the Arc:

Want Congress to Do Something? Start by Building Relationships Matthew David Hom Bend the Arc:

Pursuing Justice 2020 Online Conference Workshops Want Congress to Do Something? Start by Building Relationships Matthew David Hom Bend the Arc: Jewish Action, Southern California February 7, 2018: #LetMyPeopleGo rally for Dreamers at the

584 views • 15 slides
Saving Taxpaye Saving Taxpayers: s: How to How to Sav Save Taxp Taxpayers and and Bu Build

Saving Taxpaye Saving Taxpayers: s: How to How to Sav Save Taxp Taxpayers and and Bu Build

Saving Taxpaye Saving Taxpayers: s: How to How to Sav Save Taxp Taxpayers and and Bu Build an Unst an Unstop oppable Tax Practice! Tax Prac Eric L. Green, Esq. 1 Eric Green, Esq. Managing partner in Green &amp; Sklarz LLC, a

329 views • 9 slides
REP A tradition worth carrying forward.. http://www.nationalrep.org National Radiological

REP A tradition worth carrying forward.. http://www.nationalrep.org National Radiological

REP A tradition worth carrying forward.. http://www.nationalrep.org National Radiological Emergency Preparedness Conference, Inc. A Forum on REP Issues Mar ark Ghila ilardu rducci cci Dire rector ctor o of f Eme mergency rgency

411 views • 9 slides
My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them.

My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them.

My Top 10 Mistakes On The Way From $0 to $100m ARR (Really, First $20m ARR) Dont Make Them. Youll Grow Even Faster. Jason M. Lemkin SaaStr Managing Director, Storm VenturesSaaStr w/ Nicolas Dessaigne Founder/CEO EchoSign/Adobe;

463 views • 24 slides
Plan by State Representatives Mike Tobash (R Schuylkill/Berks) Mike Tobash (R Schuylkill/Berks)

Plan by State Representatives Mike Tobash (R Schuylkill/Berks) Mike Tobash (R Schuylkill/Berks)

Plan by State Representatives Mike Tobash (R Schuylkill/Berks) Mike Tobash (R Schuylkill/Berks) Warren Kampf (Chester/Montgomery) An Overview of the Problem Pennsylvania faces a nearly $50 billion pension debt that will take decades to

371 views • 13 slides
Study of meson spectroscopy of a lattice SU(4) gauge BSM model. Venkitesh Ayyar 1 Thomas Degrand 1

Study of meson spectroscopy of a lattice SU(4) gauge BSM model. Venkitesh Ayyar 1 Thomas Degrand 1

Study of meson spectroscopy of a lattice SU(4) gauge BSM model. Venkitesh Ayyar 1 Thomas Degrand 1 Daniel Hackett 1 William Jay 1 Ethan Neil 1 , 3 Benjamin Svetitsky 2 Yigal Shamir 2 . 1 University of Colorado, Boulder, 2 Tel Aviv University, 3

698 views • 16 slides
Configuration Space Jane Li Assistant Professor Mechanical Engineering &amp; Robotics

Configuration Space Jane Li Assistant Professor Mechanical Engineering &amp; Robotics

RBE 550 MOTION PLANNING BASED ON DR. DMITRY BERENSON S RBE 550 Configuration Space Jane Li Assistant Professor Mechanical Engineering &amp; Robotics Engineering http://users.wpi.edu/~zli11 RBE 550 MOTION PLANNING BASED ON DR. DMITRY

967 views • 32 slides

More recommend