a concurrent specification for posix file systems
play

A Concurrent Specification for POSIX File Systems Gian Ntzik, Pedro - PowerPoint PPT Presentation

Apr 04, 2024 •270 likes •560 views

A Concurrent Specification for POSIX File Systems Gian Ntzik, Pedro da Rocha Pinto and Philippa Gardner Imperial College London gian.ntzik08@imperial.ac.uk pedro.da-rocha-pinto09@imperial.ac.uk p.gardner@imperial.ac.uk Dagstuhl 2016 1/22

  1. A Concurrent Specification for POSIX File Systems Gian Ntzik, Pedro da Rocha Pinto and Philippa Gardner Imperial College London gian.ntzik08@imperial.ac.uk pedro.da-rocha-pinto09@imperial.ac.uk p.gardner@imperial.ac.uk Dagstuhl 2016 1/22

  2. POSIX: Portable Operating System Interface ◮ An operating system standard ◮ A large part is devoted to the file system > 20 base definitions, > 50 system interfaces ◮ It is written in English 2/22

  3. Formal Sequential Specifications ◮ Based on first-order logic ◮ Z Notation: specification language with refinement to implementation ◮ Forest: Haskell DSL for type-safe file-system interactions These approaches lack modularity for client reasoning ◮ Based on separation logics ◮ SSL [ESOP’14], Fusion Logic [OOPSLA’15] These approaches give modular client reasoning. The second has been used to find bugs in implementations of e.g. rm − r . 3/22

  4. Concurrency in the POSIX File System ◮ Understanding the intended POSIX concurrent behaviour is difficult ◮ It contains ambiguities Example: I/O atomicity I/O is intended to be atomic to ordinary files and pipes and FIFOs. This volume of POSIX.1-2008 does not specify behavior of concurrent writes to a file from multiple processes. Applications should use some form of concurrency control. 4/22

  5. Concurrency in the POSIX File System ◮ Understanding the intended POSIX concurrent behaviour is difficult ◮ It contains ambiguities ◮ Information is fragmented throughout the whole standard Example: unlink ( p ) atomically removes the file at path p . But resolving the path is not atomic. Any part of the path of a file could be changed in parallel to a call to unlink(), resulting in unspecified behavior. 5/22

  6. Example: unlink ( / usr / bin / git ) The operation takes a sequence of atomic actions 0 tmp usr 1 2 share local .X0-lock bin 3 8 0101111011... 5 4 lib git 7 9 0110011011... File-system notation: FS [2 �→ S ] and FS (2) = S where S = { (share , 3) , (bin , 4) , (local , 5) } 6/22

  7. Sequence of Atomic Actions unlink(/usr/bin/git) usr bin git FS 1 FS 1 FS 2 FS 2 FS 3 FS 4 Environment: mupltiple atomic updates Thread: single atomic read in path traversal Thread: single atomic update 7/22

  8. Atomic Specification: atomic Hoare triple Atomic Hoare triples introduced in TaDA, encoded in Iris: ℂ P Q x ∈ X . � P ( x ) � C � Q ( x ) � A 8/22

  9. Atomic Specification: refinement ℂ P Q � � C ⊑ A x ∈ X . P ( x ) , Q ( x ) 9/22

  10. Sequence of Atomic Actions: refinement ℂ ... P 1 P 2 P 3 P 4 P n − 1 P n C ⊑ x 1 ∈ X 1 . � P 1 ( x 1 ) , P 2 ( x 1 ) � ; x 2 ∈ X 2 . � P 3 ( x 2 ) , P 4 ( x 2 ) � ; . . . ; x n − 1 ∈ X n − 1 . � P n − 1 ( x n − 1 ) , P n ( x n − 1 ) � A A A 10/22

  11. Concurrent unlink Specification unlink ( p / a , ret ) ⊑ let r = resolve ( ι 0 , p ) in if ¬ iserr( r ) then ret = remlink( r , a ) else ret = r fi 11/22

  12. Concurrent unlink Specification unlink ( p / a , ret ) ⊑ ∃ r . resolve ( ι 0 , p , r ); if ¬ iserr( r ) then ret = remlink( r , a ) else ret = r fi 11/22

  13. Concurrent unlink Specification unlink ( p / a , ret ) ⊑ ∃ r . resolve ( ι 0 , p , r ); [ ¬ iserr( r )] ; remlink( r , a , ret ) ⊔ [iserr( r )] ; [ ret = r ] 11/22

  14. Concurrent unlink Specification unlink ( p / a , ret ) ⊑ ∃ r . resolve ( ι 0 , p , r ); { true , ¬ iserr( r ) } ; remlink( r , a , ret ) ⊔ { true , iserr( r ) } ; { true , ret = r } 11/22

  15. Concurrent unlink Specification unlink ( p / a , ret ) ⊑ ∃ r . resolve ( ι 0 , p , r ); { true , ¬ iserr( r ) } ; remlink( r , a , ret ) ⊔ { true , iserr( r ) } ; { true , ret = r } remlink( r , a , ret ) � � fs ( FS ) ∧ r ∈ dom( FS ) , � . FS ∈ FS . A ∃ S . fs ( FS [ r �→ S ]) ∧ FS ( r ) = S ∪ { ( a , − ) } = ⇒ ret = 0 � fs ( FS ) ∧ r ∈ dom( FS ) , � ⊓ FS ∈ FS . A fs ( FS ) ∧ { ( a , − ) } �∈ FS ( r ) = ⇒ ret = − 1 ∗ errno = ENOENT 11/22

  16. Concurrent unlink Specification letrec resolve ( ι, p , ret ) � ∃ b , a ′ , p ′ . if p = a ′ / p ′ then � fs ( FS ) ∧ ι ∈ dom( FS ) , � ∃ ι ′ . A FS ∈ FS . fs ( FS ) ∧ (( a ′ , ι ′ ) ∈ FS ( ι ) ∧ b = 0) ; ∨ (( a ′ , − ) �∈ FS ( ι ) ∧ b = − 1) if b = 0 then resolve ( ι ′ , p ′ , ret ) else . . . fi else . . . 12/22

  17. Concurrent rename Specification rename ( p / a , p ′ / b , ret ) ⊑ ∃ r 1 , r 2 . resolve ( ι root , p , r 1 ) � resolve ( ι root , p ′ , r 2 ); if ¬ iserr( r 1 ) ∧ ¬ iserr( r 2 ) then // success cases: rename file ( r 1 , r 2 , a , b ) ⊓ rename dir ( r 1 , r 2 , a , b ) // error cases: ⊓ err file and dir ( r 1 , r 2 , a , b ) ⊓ err target notempty dir ( r 1 , r 2 , b ) ⊓ err source ancestor ( r 1 , r 2 ) ⊓ err dir and file ( r 1 , r 2 , a , b ) else if iserr( r 1 ) ∧ ¬ iserr( r 2 ) then // error in resolve of source [ ret = − 1 ∗ errno = r 1 ] else if ¬ iserr( r 1 ) ∧ iserr( r 2 ) then // error in resolve of target [ ret = − 1 ∗ errno = r 2 ] else if iserr( r 1 ) ∧ iserr( r 2 ) then // error in both resolves; either error code is set [ ret = − 1 ∗ errno ∈ { r 1 , r 2 } ] fi 13/22

  18. Concurrent rename Specification // rename file, if target exists it must be a file and it is replaced let rename file ( r 1 , r 2 , a , b ) � ∃ ι a , ι b . � fs( FS ) ∧ r 1 , r 2 ∈ dom( FS ) , � FS ∈ FS . fs( FS [ r 1 �→ S ][ r 2 �→ ( FS ( r 2 ) \ { ( b , − ) } ) ∪ { ( b , ι a ) } ]) ∧ FS ( r 1 ) = S ∪ { ( a , ι a } A ∧ isfile( FS , ι a ) ∧ ( ∃ ι b . ( b , ι b ) ∈ FS ( r 2 ) = ⇒ isfile( FS , ι b )) = ⇒ ret = 0 14/22

  19. Concurrent rename Specification // rename file, if target exists it must be a file and it is replaced let rename file ( r 1 , r 2 , a , b ) � ∃ ι a , ι b . � fs( FS ) ∧ r 1 , r 2 ∈ dom( FS ) , � FS ∈ FS . fs( FS [ r 1 �→ S ][ r 2 �→ ( FS ( r 2 ) \ { ( b , − ) } ) ∪ { ( b , ι a ) } ]) ∧ FS ( r 1 ) = S ∪ { ( a , ι a } A ∧ isfile( FS , ι a ) ∧ ( ∃ ι b . ( b , ι b ) ∈ FS ( r 2 ) = ⇒ isfile( FS , ι b )) = ⇒ ret = 0 // rename directory, if target exists it must be an empty directory and it is replaced let rename dir ( r 1 , r 2 , a , b ) � ∃ S , ι a , ι b . � fs( FS ) ∧ r 1 , r 2 ∈ dom( FS ) , � FS ∈ FS . fs( FS [ r 1 �→ S ][ r 2 �→ ( FS ( r 2 ) \ { ( b , − ) } ) ∪ { ( b , ι a ) } ]) ∧ FS ( r 1 ) = S ∪ { a , ι a } ∧ isdir( FS , ι a ) A ∧ r 2 �∈ descendants( FS , r 1 ) ∧ ( ∃ ι b . ( b , ι b ) ∈ FS ( r 2 ) = ⇒ isempdir( FS , ι b )) = ⇒ ret = 0 14/22

  20. Concurrent rename Specification // rename file, if target exists it must be a file and it is replaced let rename file ( r 1 , r 2 , a , b ) � ∃ ι a , ι b . � fs( FS ) ∧ r 1 , r 2 ∈ dom( FS ) , � FS ∈ FS . fs( FS [ r 1 �→ S ][ r 2 �→ ( FS ( r 2 ) \ { ( b , − ) } ) ∪ { ( b , ι a ) } ]) ∧ FS ( r 1 ) = S ∪ { ( a , ι a } A ∧ isfile( FS , ι a ) ∧ ( ∃ ι b . ( b , ι b ) ∈ FS ( r 2 ) = ⇒ isfile( FS , ι b )) = ⇒ ret = 0 // rename directory, if target exists it must be an empty directory and it is replaced let rename dir ( r 1 , r 2 , a , b ) � ∃ S , ι a , ι b . � fs( FS ) ∧ r 1 , r 2 ∈ dom( FS ) , � FS ∈ FS . fs( FS [ r 1 �→ S ][ r 2 �→ ( FS ( r 2 ) \ { ( b , − ) } ) ∪ { ( b , ι a ) } ]) ∧ FS ( r 1 ) = S ∪ { a , ι a } ∧ isdir( FS , ι a ) A ∧ r 2 �∈ descendants( FS , r 1 ) ∧ ( ∃ ι b . ( b , ι b ) ∈ FS ( r 2 ) = ⇒ isempdir( FS , ι b )) = ⇒ ret = 0 // error: source is file, target is an existing directory let err file and dir ( r 1 , r 2 , a , b ) � ∃ ι a , ι b . � fs( FS ) ∧ r 1 , r 2 ∈ dom( FS ) , � FS ∈ FS . fs( FS ) ∧ ( a , ι a ) ∈ FS ( r 1 ) ∧ isfile( FS , ι a ) ∧ ( b , ι b ) ∈ FS ( r 2 ) ∧ isdir( FS , ι b ) A = ⇒ ret = − 1 ∗ errno = EISDIR 14/22

  21. Client Reasoning ◮ Lock Files ◮ Named Pipes ◮ Advisory record locks (on-going) 15/22

  22. Example: lock-file /tmp/ .X0-lock is locked 0 tmp usr 1 2 share .X0-lock local bin 3 8 5 4 lib git 7 0110011011... 9 16/22

  23. Lock Files ◮ lock ( path ): atomically create a non-existing lock file at path ◮ unlock ( path ): remove the lock file identified by path ◮ Implemented similarly to spin locks ◮ open ( path , O CREAT | O EXCL ) to try to lock ◮ unlink to unlock 17/22

  24. Lock-file Implementation letrec lock ( path ) � let fd = open ( path , O CREAT | O EXCL ); if fd = − 1 then lock ( path ) else close ( fd ) fi let unlock ( path ) � unlink ( path ) 18/22

  25. Lock-file Specification: a first try ◮ We want clients to observe lock and unlock operations as single atomic actions � � lock ( path ) ⊑ A v ∈ { 0 , 1 } . Lock( path , v ) , Lock( path , 1) ∗ v = 0 � � unlock ( path ) ⊑ Lock( path , 1) , Lock( path , 0) where Lock( path , v ) is an abstract predicate. ◮ This specification cannot be guaranteed only by the module ◮ The file system is globally shared ◮ The module cannot enforce ownership of the path ◮ The module and the environment must agree a priori on a protocol for the use of path 19/22

  26. Lock-file Protocol Agreement We want the module and the environment to agree on a boundary 0 tmp usr LF 1 2 share .X0-lock local bin 3 8 5 4 lib git 7 0110011011... 9 20/22

Recommend

Posix-Free File Systems in the Cloud Jeff Chase Duke University Beyond Posix

Posix-Free File Systems in the Cloud Jeff Chase Duke University Beyond Posix

Posix-Free File Systems in the Cloud Jeff Chase Duke University Beyond Posix Filesystem Posix file system semantics? open(2) Hierarchical directories with aliasing Human-readable symbolic names Atomic ops on

599 views • 12 slides
Formally Specifying POSIX File Systems Gian Ntzik , Pedro da Rocha Pinto and Philippa Gardner

Formally Specifying POSIX File Systems Gian Ntzik , Pedro da Rocha Pinto and Philippa Gardner

Formally Specifying POSIX File Systems Gian Ntzik , Pedro da Rocha Pinto and Philippa Gardner Imperial College London July 16, 2015 1/39 POSIX File Systems POSIX: Portable Operating System Interface Large part devoted to the file system

630 views • 46 slides
The Specification of POSIX File Systems Gian Ntzik, Pedro da Rocha Pinto and Philippa Gardner

The Specification of POSIX File Systems Gian Ntzik, Pedro da Rocha Pinto and Philippa Gardner

The Specification of POSIX File Systems Gian Ntzik, Pedro da Rocha Pinto and Philippa Gardner Imperial College London gian.ntzik08@imperial.ac.uk pedro.da-rocha-pinto09@imperial.ac.uk p.gardner@imperial.ac.uk INVEST 2017 1/13 Logics for

461 views • 14 slides
POSIX IPC: Overview primitive POSIX function description message queues create or access

POSIX IPC: Overview primitive POSIX function description message queues create or access

CPSC-313: Introduction to Computer Systems POSIX IPC POSIX Inter-Process Communication (IPC) Message Queues Shared Memory Semaphores Reading: R&R, Ch 15 POSIX IPC: Overview primitive POSIX function description message

392 views • 6 slides
Introduction to Operating Systems Class 4 Concurrent Programming and Synchronization

Introduction to Operating Systems Class 4 Concurrent Programming and Synchronization

CS 333 Introduction to Operating Systems Class 4 Concurrent Programming and Synchronization Primitives Jonathan Walpole Computer Science Portland State University 1 What does a typical thread API look like? POSIX standard threads

1k views • 62 slides
Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally

Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally

Network File System - NFS NFS Specification NFS is a distributed file system (DFS) originally The NFS specification distinguishes between the implemented by Sun Microsystems. services provided by the mount mechanism and the remote file

105 views • 9 slides
Na.ve POSIX Threading Library (NPTL) Don Porter 1 CSE 506: Opera.ng Systems Logical Diagram

Na.ve POSIX Threading Library (NPTL) Don Porter 1 CSE 506: Opera.ng Systems Logical Diagram

CSE 506: Opera.ng Systems Na.ve POSIX Threading Library (NPTL) Don Porter 1 CSE 506: Opera.ng Systems Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Kernel System Calls Scheduling threads RCU File

318 views • 31 slides
Operating Systems Real-Time POSIX TinyOS Standard of UNIX Real-time POSIX

Operating Systems Real-Time POSIX TinyOS Standard of UNIX Real-time POSIX

Operating Systems Real-Time POSIX TinyOS Standard of UNIX Real-time POSIX Supported by many operating systems Real-time schedulability analysis Variants of UNIX Linux Many commercial RTOS, e.g., VxWorks

545 views • 5 slides
The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system for accessing remote files across LANs . NFS The implementation is part of the Solaris and SunOS operating systems running on Sun workstations

327 views • 3 slides
Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system

Chapter 6: File Systems File systems n Files n Directories & naming n File system implementation n Example file systems Chapter 6 CS 1550, cs.pitt.edu 2 (originaly modified by Ethan Long-term information storage n Must store large amounts

1.01k views • 66 slides
Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system

Chapter 6: File Systems File systems Files Directories & naming File system implementation Example file systems Chapter 6 CMPS 111, UC Santa Cruz 2 Long-term information storage Must store large amounts of data

829 views • 57 slides
INTRODUCTION TO TLA + Presented by : Kevin Yeh What is TLA+ Specification Language for

INTRODUCTION TO TLA + Presented by : Kevin Yeh What is TLA+ Specification Language for

INTRODUCTION TO TLA + Presented by : Kevin Yeh What is TLA+ Specification Language for modelling complex or concurrent systems TLA+ toolbox performs model checks to check for correctness PlusCAL What can TLA+ do for you?

611 views • 21 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

POSIX I/O High Performance Computing Extensions Brent Welch (Speaker) Panasas www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read, write, stat) have semantics that can make it hard to achieve high

674 views • 24 slides
File Systems: All data structures are cached for better performance Create a new file

File Systems: All data structures are cached for better performance Create a new file

File Systems: Consistency Issues What about Multiple Updates? File systems maintain many data structures Several file system operations update multiple data structures Free list/bit vector Directories Examples: File headers and inode

257 views • 3 slides
Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science

Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science

Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213 1 Temporal Logic Model Checking Specification Language: A propositional temporal

710 views • 41 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled?

1.39k views • 83 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/16/2018 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

373 views • 13 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/15/2017 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

352 views • 16 slides
Storage management answers 1. A file is from the view of a process a sequentially numbered

Storage management answers 1. A file is from the view of a process a sequentially numbered

Linkping University 2011-05-14 Department of Computer and Information Science (IDA) Concurrent programming, Operating systems and Real-time operating systems (TDDI04) Storage management answers 1. A file is from the view of a process a

356 views • 6 slides
Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in

Steganographic File Systems Steganographic File Systems 1 Conventional Protection Mechanisms in File S Systems t User Access Control The operating system is fully trusted to enforce the security policy. Is it good enough? Is it

888 views • 44 slides
CSN08101 Digital Forensics Lecture 8: File Systems Lecture 8: File Systems Module Leader: Dr

CSN08101 Digital Forensics Lecture 8: File Systems Lecture 8: File Systems Module Leader: Dr

CSN08101 Digital Forensics Lecture 8: File Systems Lecture 8: File Systems Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Objectives Investigative Process Analysis Framework last week File Systems File

795 views • 50 slides

More recommend