2017
DOI: 10.1145/3051092

Certifying a file system using crash hoare logic

Abstract: FSCQ is the first file system with a machine-checkable proof that its implementation meets a specification, even in the presence of fail-stop crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover its state correctly …

Cited by 10 publications (8 citation statements)
References 20 publications
“…(i) Hoare logic is a formal method for reasoning on computer program correctness where specifications are of the form {P} procedure {Q} [7]. (ii) Petri nets are a graphical and mathematical modeling tool applicable to many systems.…”
Section: Formal Methods (mentioning), confidence: 99%
“…Impressive advances have been made in mechanized verification in recent years. We have seen example verifications of OS microkernels [48,67], a file system [13], crypto algorithms [4] and distributed systems [41]. Some of this work develops the program and the proof side by side, while other work proves existing code.…”
Section: Mostly Automatic and Interactive Verifiers (mentioning), confidence: 99%
“…consists of a set of states S, inputs In and outputs Out, initial states Init, synchronized states Sync with Init ⊆ Sync ⊆ S, a relation Crash ⊆ S×Sync with Sync ⊆ dom(Crash) describing the effect of a crash including its subsequent recovery, and regular operations Op_i ⊆ In × S × S × (Out { }). The value signifies that the operation was interrupted by a power cut.…”
Section: Components With Power Cuts (mentioning), confidence: 99%
“…f (s, x, sync = false)). Ntzik et al. [16] as well as Chen et al. [6,4] have developed Hoare-style proof rules that establish a user-provided invariant called "crash condition" over the intermediate states of a program that serves as the precondition of recovery. The latter work has produced the FSCQ file system that is verified with Coq.…”
Section: Related Work (mentioning), confidence: 99%