specifying and checking file system crash consistency
play

Specifying and Checking File System Crash-Consistency Models James - PowerPoint PPT Presentation

Sep 03, 2023 •27 likes •937 views

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann Jialin Li Arvind Krishnamurthy Emina Torlak Xi Wang University of Washington File systems persist our data Application File System File systems

  1. Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann Jialin Li Arvind Krishnamurthy Emina Torlak Xi Wang University of Washington

  2. File systems persist our data Application File System

  3. File systems persist our data Application The best of times The worst of times File System

  4. File systems persist our data Application The best of times The best of times The worst of times The worst of times File System

  5. But what if the system crashes? Application The best of times The best of times The worst of times The worst of times File System

  6. But what if the system crashes? Application POSIX system calls The best of times The best of times The worst of times The worst of times File System

  7. But what if the system crashes? This provides roughly the same level of Application guarantees as ext3. Linux kernel ext4 documentation POSIX system calls The best of times The best of times If the file system is The worst of times The worst of times inconsistent a fu er a crash it is usually automatically checked and repaired when the File System system is rebooted Proposed POSIX fsync documentation

  8. But what if the system crashes? Application POSIX system calls The best of times The best of times The worst of times The worst of times File System

  9. But what if the system crashes? Application POSIX system calls The best of times The best of times The best o00000 The worst of times The worst of times 0000000 of tim Optimizations are exposed File System

  10. But what if the system crashes? Application When gradually appending to a file, the content gets corrupted, causing Chrome to crash POSIX system calls ChromeOS “FS corruption on panic”, 2015 The best of times The best of times The best o00000 The worst of times The worst of times 0000000 of tim …some of the KDE core Optimizations config files were reset. are exposed Also some of my MySQL databases were killed… Ubuntu “ext4 data loss”, 2009 File System

  11. Crash-consistency models Application Crash-consistency model File System

  12. Crash-consistency models Application A precise formal specification of the crash guarantees that a file system provides Crash-consistency model File System

  13. Crash-consistency models Just like a memory model! Application A precise formal specification of the crash guarantees that a file system provides Crash-consistency model File System

  14. Crash-consistency models Just like a memory model! Application A precise formal specification of the crash guarantees that a file system provides Crash-consistency model Ferrite File System Validate the model against the system with litmus tests

  15. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  16. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  17. Replacing the contents of a file foo.txt foo.txt foo.txt The best of times The age of wisdom The worst of times The epoch of belief

  18. Atomic replace via rename foo.txt foo.txt f = create(“foo.tmp”) The best of times The worst of times write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  19. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The worst of times write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  20. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The age of wisdom The worst of times write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  21. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The age of wisdom The worst of times The epoch of belief write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  22. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The age of wisdom The worst of times The epoch of belief write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  23. Atomic replace via rename foo.txt foo.tmp foo.txt f = create(“foo.tmp”) The best of times The age of wisdom The worst of times The epoch of belief write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  24. Atomic replace via rename f = create(“foo.tmp”) write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  25. Atomic replace via rename create(“foo.tmp”) f = create(“foo.tmp”) write(f, “The age of …”) write(f, “The age of …”) write(f, “The epoch of …”) close(f) write(f, “The epoch of …”) rename(“foo.tmp”, “foo.txt”) rename(“foo.tmp”, “foo.txt”)

  26. Atomic replace via rename create(“foo.tmp”) write(f, “The age of …”) write(f, “The epoch of …”) rename(“foo.tmp”, “foo.txt”)

  27. Atomic replace via rename File operations Writes create(“foo.tmp”) write(f, “The age of …”) rename(“foo.tmp”, “foo.txt”) write(f, “The epoch of …”)

  28. Atomic replace via rename create(“foo.tmp”) rename(“foo.tmp”, “foo.txt”) write(f, “The age of …”) write(f, “The epoch of …”)

  29. Atomic replace via rename create(“foo.tmp”) foo.txt foo.txt foo.tmp The best of times The worst of times rename(“foo.tmp”, “foo.txt”) write(f, “The age of …”) write(f, “The epoch of …”)

  30. Atomic replace via rename create(“foo.tmp”) foo.txt foo.tmp foo.txt The best of times The worst of times rename(“foo.tmp”, “foo.txt”) write(f, “The age of …”) write(f, “The epoch of …”)

  31. Atomic replace via rename create(“foo.tmp”) foo.txt foo.tmp foo.txt The best of times The worst of times rename(“foo.tmp”, “foo.txt”) Crash! write(f, “The age of …”) write(f, “The epoch of …”)

  32. The storage stack write(f, “The age of …”) write(f, “The epoch of …”)

  33. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) File System Block Layer Low-level Driver Controller

  34. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) File System Block Layer Low-level Driver Controller Diagram by Werner Fischer

  35. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) File System Block Layer Low-level Driver Controller

  36. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) This provides roughly the same level of guarantees as ext3. File System Linux kernel ext4 documentation Block Layer Low-level Driver Controller

  37. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) This provides roughly the same level of guarantees as ext3. File System Linux kernel ext4 documentation Block Layer The key aspects of fsync() are unreasonable to test in a test Low-level Driver suite POSIX specification for fsync Controller

  38. Existing work Formalize the existing POSIX write(f, “The age of …”) interface (e.g. SibylFS [SOSP’15]) write(f, “The epoch of …”) But the interface says nothing about crash safety File System Block Layer Low-level Driver Controller

  39. Existing work Formalize the existing POSIX write(f, “The age of …”) interface (e.g. SibylFS [SOSP’15]) write(f, “The epoch of …”) But the interface says nothing about crash safety File System Build a new crash-safe file system Block Layer (e.g. FSCQ [SOSP’15]) Comes with extremely high verification Low-level Driver burden Controller

  40. Existing work Formalize the existing POSIX write(f, “The age of …”) interface (e.g. SibylFS [SOSP’15]) write(f, “The epoch of …”) But the interface says nothing about crash safety File System Build a new crash-safe file system Block Layer (e.g. FSCQ [SOSP’15]) Comes with extremely high verification Low-level Driver burden Controller Find bugs in existing file systems (e.g. eXplode [OSDI’06]) Ours is a complementary problem: precisely specifying actual behavior

  41. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  42. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  43. Crash-consistency models

  44. Crash-consistency models Litmus tests Small programs that demonstrate allowed or forbidden behaviors of a file system across crashes

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016 Specifying and Checking File System Crash-Consistency Models Johannes Gutenberg Universitt Mainz Motivation The problem: POSIX

982 views • 71 slides
to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

CrashMonkey: A Framework to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram University of Texas at Austin Crash Consistency File-system updates change multiple blocks on storage Data blocks, inodes,

499 views • 46 slides
TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting Zhu, Ian Neal, Youngjin Kwon, Tianyu Chen, Vijay Chidambaram, Emmett Witchel The University of Texas at Austin 1 Crash Applications need crash

819 views • 30 slides
Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea Arpaci-Dusseau Remzi Arpaci-Dusseau Crash Consistency Problem Single file-system operation updates multiple on-disk data structures System may crash

1.29k views • 83 slides
From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel

From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel

From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel Persistent data is structured; crash consistency hard Structured data abstractions built on file system SQLite, BerkeleyDB...

468 views • 34 slides
The problem: crash consistency Single operaBon updates mulBple blocks System might crash in

The problem: crash consistency Single operaBon updates mulBple blocks System might crash in

Consistency Without Ordering Vijay Chidambaram, Tushar Sharma, Andrea ArpaciDusseau, Remzi ArpaciDusseau The Advanced Systems Laboratory University of Wisconsin Madison The problem: crash consistency Single operaBon updates mulBple

953 views • 49 slides
Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
Using Model Checking to Find Serious File System Errors Junfeng Yang, Paul Twohey, Dawson Engler

Using Model Checking to Find Serious File System Errors Junfeng Yang, Paul Twohey, Dawson Engler

Using Model Checking to Find Serious File System Errors Junfeng Yang, Paul Twohey, Dawson Engler Stanford University Madanlal Musuvathi Microsoft Research Authors Dawson Junfeng Paul Madan FS Errors are Destructive Kernel crash, FS

806 views • 31 slides
Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang Chen, Alex Konradi, Stephanie Wang, Daniel Ziegler, Adam Chlipala, M. Frans Kaashoek File systems should not lose data People use file systems to

1.17k views • 98 slides
Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej Chajed , Stephanie Wang, Alex Konradi, Atalay leri, Adam Chlipala, M. Frans Kaashoek, Nickolai Zeldovich File systems are difficult to make correct

1.19k views • 100 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1 File systems are complex and have bugs File systems are complex (e.g.,

765 views • 52 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27 File systems are complex and have bugs File systems are complex (e.g.,

1.18k views • 50 slides
File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many

File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many

File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many data structures Free list/bit vector Directories File headers and inode structures Data blocks All data structures are cached for better

357 views • 14 slides
Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai, Ramnatthan Alagappan, Lanyue Lu, Vijay Chidambaram, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau Application-Level Crash Consistency Storage must

2.09k views • 139 slides
Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure Protection Consistency Semantics Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts 11.1 File Concept Contiguous

755 views • 50 slides
Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types The following crash types are eligible for submission to the program. Struck in the Rear type of crash when the CMV was struck: in the rear; or

211 views • 20 slides
Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and Public Works Committee January 22, 2019 Todays topics Context for Vision Zero Crash Study Key crash study information Next steps for

690 views • 37 slides
ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04

ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04

ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04 February 2019 Friends House London, UK Agenda 1500 Welcome, background and introduction Prof Stephanie Glendinning (Newcastle) 1520 Modelling

318 views • 28 slides
EXPERIENCE TRUE INNOVATION BK-HT is a third generation, semi-premium connection, designed for

EXPERIENCE TRUE INNOVATION BK-HT is a third generation, semi-premium connection, designed for

EXPERIENCE TRUE INNOVATION BK-HT is a third generation, semi-premium connection, designed for HIGH PRESSURE / HIGH TORQUE frac strings. FIRST Steam Injection and Steam Assisted Gravity Drain Wells . Needed torque for installation and sealing.

557 views • 27 slides
A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul Twohey Dawson Engler Stanford Background Lineage Thesis work at MIT building a new OS (exokernel) Spent last 7 years developing methods to

1.02k views • 70 slides
5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise

5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise

Joint Use of the HSM and Human Factors Guide 5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise Risk AASHTO Committee on Safety Annual Meeting, May 8, 2018 Last update 10/24/17 Using Human Factors

606 views • 37 slides
Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all

Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all

Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all WHY? SAFETY Trend is going up in 2019 Streets need to be designed to be safer Project Background Corridor in Context Corridor provides

494 views • 38 slides
Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW

Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW

Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW Overview of Crash Analysis From Tyringham St, Dorrigo to 10m west of Pacific Highway, Raleigh was examined. This section of Waterfall

428 views • 17 slides

More recommend