Development of a Verified Flash File System

Schellhorn, Gerhard; Ernst, Gerhard; Pfähler, Jörg; Haneberg, Dominik; Reif, Wolfgang

doi:10.1007/978-3-662-43652-3_2

Cited by 26 publications

(17 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The closest effort in this area is work in progress by Schellhorn, Pfähler, and others to verify a flash file system called Flashix [20,54,58]. They aim to produce a verified file system for raw flash, to support a POSIX-like interface, and to handle crashes.…”

Section: Related Workmentioning

confidence: 99%

Using Crash Hoare logic for certifying the FSCQ file system

Chen¹,

Ziegler²,

Chajed³

et al. 2015

Proceedings of the 25th Symposium on Operating Systems Principles

179

144

View full text Add to dashboard Cite

FSCQ is the first file system with a machine-checkable proof (using the Coq proof assistant) that its implementation meets its specification and whose specification includes crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover the file system correctly without losing data. To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specified, and proved the correctness of the FSCQ file system. Although FSCQ's design is relatively simple, experiments with FSCQ running as a user-level file system show that it is sufficient to run Unix applications with usable performance. FSCQ's specifications and proofs required significantly more work than the implementation, but the work was manageable even for a small team of a few researchers.

show abstract

Section: Related Workmentioning

confidence: 99%

Using Crash Hoare logic for certifying the FSCQ file system

Chen¹,

Ziegler²,

Chajed³

et al. 2015

Proceedings of the 25th Symposium on Operating Systems Principles

179

144

View full text Add to dashboard Cite

show abstract

“…Another line of work is applying formal verification to implementing a POSIX-like file system [33]. On-going work includes BilbyFs [36], FSCQ [14], and Schellhorn et al's verified flash file system [71]. It would be interesting to apply our framework to analyzing the crash-consistency guarantees of these file systems once they are complete and available.…”

Section: Related Workmentioning

confidence: 99%

Specifying and Checking File System Crash-Consistency Models

Bornholt

Kaufmann

et al. 2016

SIGARCH Comput. Archit. News

View full text Add to dashboard Cite

Applications depend on persistent storage to recover state after system crashes. But the POSIX file system interfaces do not define the possible outcomes of a crash. As a result, it is difficult for application writers to correctly understand the ordering of and dependencies between file system operations, which can lead to corrupt application state and, in the worst case, catastrophic data loss. This paper presents crash-consistency models, analogous to memory consistency models, which describe the behavior of a file system across crashes. Crash-consistency models include both litmus tests, which demonstrate allowed and forbidden behaviors, and axiomatic and operational specifications. We present a formal framework for developing crash-consistency models, and a toolkit, called FERRITE, for validating those models against real file system implementations. We develop a crash-consistency model for ext4, and use FERRITE to demonstrate unintuitive crash behaviors of the ext4 implementation. To demonstrate the utility of crashconsistency models to application writers, we use our models to prototype proof-of-concept verification and synthesis tools, as well as new library interfaces for crash-safe applications.

show abstract

“…There exist many verification case studies, where unmodified (library) code was annotated and verified, and often bugs were discovered, see e.g. [39,79,102,111,116]. Despite those success stories, there is a growing realization that post-hoc verification and, in particular, specification, remains difficult and challenging, and that there always is a trade-off between the verification effort and the level of reliability that is required for an application.…”

Section: Deductive Verification Architecturesmentioning

confidence: 99%

Deductive Software Verification: From Pen-and-Paper Proofs to Industrial Tools

Hähnle

Huisman

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Deductive software verification aims at formally verifying that all possible behaviors of a given program satisfy formally defined, possibly complex properties, where the verification process is based on logical inference. We follow the trajectory of the field from its inception in the late 1960s via its current state to its promises for the future, from pen-and-paper proofs for programs written in small, idealized languages to highly automated proofs of complex library or system code written in mainstream languages. We take stock of the state-of-art and give a list of the most important challenges for the further development of the field of deductive software verification.

show abstract

Development of a Verified Flash File System

Cited by 26 publications

References 32 publications

Using Crash Hoare logic for certifying the FSCQ file system

Using Crash Hoare logic for certifying the FSCQ file system

Specifying and Checking File System Crash-Consistency Models

Deductive Software Verification: From Pen-and-Paper Proofs to Industrial Tools

Contact Info

Product

Resources

About