specifying and checking file system crash consistency
play

Specifying and Checking File System Crash-Consistency Models James - PowerPoint PPT Presentation

Sep 03, 2023 •27 likes •937 views

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann Jialin Li Arvind Krishnamurthy Emina Torlak Xi Wang University of Washington File systems persist our data Application File System File systems

  1. Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann Jialin Li Arvind Krishnamurthy Emina Torlak Xi Wang University of Washington

  2. File systems persist our data Application File System

  3. File systems persist our data Application The best of times The worst of times File System

  4. File systems persist our data Application The best of times The best of times The worst of times The worst of times File System

  5. But what if the system crashes? Application The best of times The best of times The worst of times The worst of times File System

  6. But what if the system crashes? Application POSIX system calls The best of times The best of times The worst of times The worst of times File System

  7. But what if the system crashes? This provides roughly the same level of Application guarantees as ext3. Linux kernel ext4 documentation POSIX system calls The best of times The best of times If the file system is The worst of times The worst of times inconsistent a fu er a crash it is usually automatically checked and repaired when the File System system is rebooted Proposed POSIX fsync documentation

  8. But what if the system crashes? Application POSIX system calls The best of times The best of times The worst of times The worst of times File System

  9. But what if the system crashes? Application POSIX system calls The best of times The best of times The best o00000 The worst of times The worst of times 0000000 of tim Optimizations are exposed File System

  10. But what if the system crashes? Application When gradually appending to a file, the content gets corrupted, causing Chrome to crash POSIX system calls ChromeOS “FS corruption on panic”, 2015 The best of times The best of times The best o00000 The worst of times The worst of times 0000000 of tim …some of the KDE core Optimizations config files were reset. are exposed Also some of my MySQL databases were killed… Ubuntu “ext4 data loss”, 2009 File System

  11. Crash-consistency models Application Crash-consistency model File System

  12. Crash-consistency models Application A precise formal specification of the crash guarantees that a file system provides Crash-consistency model File System

  13. Crash-consistency models Just like a memory model! Application A precise formal specification of the crash guarantees that a file system provides Crash-consistency model File System

  14. Crash-consistency models Just like a memory model! Application A precise formal specification of the crash guarantees that a file system provides Crash-consistency model Ferrite File System Validate the model against the system with litmus tests

  15. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  16. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  17. Replacing the contents of a file foo.txt foo.txt foo.txt The best of times The age of wisdom The worst of times The epoch of belief

  18. Atomic replace via rename foo.txt foo.txt f = create(“foo.tmp”) The best of times The worst of times write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  19. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The worst of times write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  20. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The age of wisdom The worst of times write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  21. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The age of wisdom The worst of times The epoch of belief write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  22. Atomic replace via rename foo.txt foo.txt foo.tmp f = create(“foo.tmp”) The best of times The age of wisdom The worst of times The epoch of belief write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  23. Atomic replace via rename foo.txt foo.tmp foo.txt f = create(“foo.tmp”) The best of times The age of wisdom The worst of times The epoch of belief write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  24. Atomic replace via rename f = create(“foo.tmp”) write(f, “The age of …”) write(f, “The epoch of …”) close(f) rename(“foo.tmp”, “foo.txt”)

  25. Atomic replace via rename create(“foo.tmp”) f = create(“foo.tmp”) write(f, “The age of …”) write(f, “The age of …”) write(f, “The epoch of …”) close(f) write(f, “The epoch of …”) rename(“foo.tmp”, “foo.txt”) rename(“foo.tmp”, “foo.txt”)

  26. Atomic replace via rename create(“foo.tmp”) write(f, “The age of …”) write(f, “The epoch of …”) rename(“foo.tmp”, “foo.txt”)

  27. Atomic replace via rename File operations Writes create(“foo.tmp”) write(f, “The age of …”) rename(“foo.tmp”, “foo.txt”) write(f, “The epoch of …”)

  28. Atomic replace via rename create(“foo.tmp”) rename(“foo.tmp”, “foo.txt”) write(f, “The age of …”) write(f, “The epoch of …”)

  29. Atomic replace via rename create(“foo.tmp”) foo.txt foo.txt foo.tmp The best of times The worst of times rename(“foo.tmp”, “foo.txt”) write(f, “The age of …”) write(f, “The epoch of …”)

  30. Atomic replace via rename create(“foo.tmp”) foo.txt foo.tmp foo.txt The best of times The worst of times rename(“foo.tmp”, “foo.txt”) write(f, “The age of …”) write(f, “The epoch of …”)

  31. Atomic replace via rename create(“foo.tmp”) foo.txt foo.tmp foo.txt The best of times The worst of times rename(“foo.tmp”, “foo.txt”) Crash! write(f, “The age of …”) write(f, “The epoch of …”)

  32. The storage stack write(f, “The age of …”) write(f, “The epoch of …”)

  33. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) File System Block Layer Low-level Driver Controller

  34. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) File System Block Layer Low-level Driver Controller Diagram by Werner Fischer

  35. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) File System Block Layer Low-level Driver Controller

  36. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) This provides roughly the same level of guarantees as ext3. File System Linux kernel ext4 documentation Block Layer Low-level Driver Controller

  37. The storage stack write(f, “The age of …”) write(f, “The epoch of …”) This provides roughly the same level of guarantees as ext3. File System Linux kernel ext4 documentation Block Layer The key aspects of fsync() are unreasonable to test in a test Low-level Driver suite POSIX specification for fsync Controller

  38. Existing work Formalize the existing POSIX write(f, “The age of …”) interface (e.g. SibylFS [SOSP’15]) write(f, “The epoch of …”) But the interface says nothing about crash safety File System Block Layer Low-level Driver Controller

  39. Existing work Formalize the existing POSIX write(f, “The age of …”) interface (e.g. SibylFS [SOSP’15]) write(f, “The epoch of …”) But the interface says nothing about crash safety File System Build a new crash-safe file system Block Layer (e.g. FSCQ [SOSP’15]) Comes with extremely high verification Low-level Driver burden Controller

  40. Existing work Formalize the existing POSIX write(f, “The age of …”) interface (e.g. SibylFS [SOSP’15]) write(f, “The epoch of …”) But the interface says nothing about crash safety File System Build a new crash-safe file system Block Layer (e.g. FSCQ [SOSP’15]) Comes with extremely high verification Low-level Driver burden Controller Find bugs in existing file systems (e.g. eXplode [OSDI’06]) Ours is a complementary problem: precisely specifying actual behavior

  41. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  42. Crash behavior of modern file systems Crash-consistency models Litmus tests & formal specifications Ferrite: developing crash-consistency models Building crash-safe applications

  43. Crash-consistency models

  44. Crash-consistency models Litmus tests Small programs that demonstrate allowed or forbidden behaviors of a file system across crashes

Recommend

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016 Specifying and Checking File System Crash-Consistency Models Johannes Gutenberg Universitt Mainz Motivation The problem: POSIX

982 views • 71 slides
to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

CrashMonkey: A Framework to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram University of Texas at Austin Crash Consistency File-system updates change multiple blocks on storage Data blocks, inodes,

499 views • 46 slides
TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting Zhu, Ian Neal, Youngjin Kwon, Tianyu Chen, Vijay Chidambaram, Emmett Witchel The University of Texas at Austin 1 Crash Applications need crash

819 views • 30 slides
Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea Arpaci-Dusseau Remzi Arpaci-Dusseau Crash Consistency Problem Single file-system operation updates multiple on-disk data structures System may crash

1.29k views • 83 slides
From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel

From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel

From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel Persistent data is structured; crash consistency hard Structured data abstractions built on file system SQLite, BerkeleyDB...

468 views • 34 slides
The problem: crash consistency Single operaBon updates mulBple blocks System might crash in

The problem: crash consistency Single operaBon updates mulBple blocks System might crash in

Consistency Without Ordering Vijay Chidambaram, Tushar Sharma, Andrea ArpaciDusseau, Remzi ArpaciDusseau The Advanced Systems Laboratory University of Wisconsin Madison The problem: crash consistency Single operaBon updates mulBple

953 views • 49 slides
Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
Using Model Checking to Find Serious File System Errors Junfeng Yang, Paul Twohey, Dawson Engler

Using Model Checking to Find Serious File System Errors Junfeng Yang, Paul Twohey, Dawson Engler

Using Model Checking to Find Serious File System Errors Junfeng Yang, Paul Twohey, Dawson Engler Stanford University Madanlal Musuvathi Microsoft Research Authors Dawson Junfeng Paul Madan FS Errors are Destructive Kernel crash, FS

806 views • 31 slides
Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang

Cer$fying a Crash-safe File System Nickolai Zeldovich Collaborators: Tej Chajed, Haogang Chen, Alex Konradi, Stephanie Wang, Daniel Ziegler, Adam Chlipala, M. Frans Kaashoek File systems should not lose data People use file systems to

1.17k views • 98 slides
Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej Chajed , Stephanie Wang, Alex Konradi, Atalay leri, Adam Chlipala, M. Frans Kaashoek, Nickolai Zeldovich File systems are difficult to make correct

1.19k views • 100 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 1 File systems are complex and have bugs File systems are complex (e.g.,

765 views • 52 slides
Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej

Using Crash Hoare Logic for Certifying the FSCQ File System Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL 1 / 27 File systems are complex and have bugs File systems are complex (e.g.,

1.18k views • 50 slides
File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many

File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many

File Systems: Consistency Issues 1 File Systems: Consistency Issues File systems maintain many data structures Free list/bit vector Directories File headers and inode structures Data blocks All data structures are cached for better

357 views • 14 slides
Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai, Ramnatthan Alagappan, Lanyue Lu, Vijay Chidambaram, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau Application-Level Crash Consistency Storage must

2.09k views • 139 slides
Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure Protection Consistency Semantics Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts 11.1 File Concept Contiguous

755 views • 50 slides
Just-Right As available as possible, consistent when necessary Consistency The CAP theorem

Just-Right As available as possible, consistent when necessary Consistency The CAP theorem

Just-Right Consistency: Just-Right As available as possible, consistent when necessary Consistency The CAP theorem forces a choice In contrast, checking a data between strong consistency (CP) precondition on partitioned state is and

567 views • 10 slides
Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances?

Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances?

Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances? BSD Fast File System (FFS) How to improve the reliability in case of a crash? Log-Structured File system (LFS) Journaling File System (ext3)

600 views • 30 slides
File Systems: All data structures are cached for better performance Create a new file

File Systems: All data structures are cached for better performance Create a new file

File Systems: Consistency Issues What about Multiple Updates? File systems maintain many data structures Several file system operations update multiple data structures Free list/bit vector Directories Examples: File headers and inode

257 views • 3 slides
Recon: Verifying File System Consistency at Runtime Daniel Fryer, Jack (Kuei) Sun, Rahat

Recon: Verifying File System Consistency at Runtime Daniel Fryer, Jack (Kuei) Sun, Rahat

Recon: Verifying File System Consistency at Runtime Daniel Fryer, Jack (Kuei) Sun, Rahat Mahmood, TingHao Cheng, Shaun Benjamin, Angela Demke Brown and Ashvin Goel University of Toronto October 4, 2011 Metadata Integrity is Crucial D Kernel

676 views • 25 slides
Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science Two promising approaches to make

1.25k views • 85 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent

All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent

All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent Applications Thanumalayan Sankaranarayana Pillai Vijay Chidambaram Ramnatthan Alagappan, Samer Al-Kiswany Andrea Arpaci-Dusseau, Remzi Arpaci-Dusseau Crash

1.67k views • 110 slides

More recommend