
Using Alcoa to Specify a UNIX File System

  1. Using Alcoa to Specify a UNIX File System
  Specification of some structures and operations in a File System

  2. Alcoa
  • Predicate logic to specify a system of objects (quantifiers, subsets, relations).
  • Can only describe a two-state relationship. Missing a sequential composition operator.
  (Diagram labels: current, next, OK, NO, time0, time1, time2.)

  3. Alcoa

  4. Alcoa Tool
  • Finds an instance which satisfies the specification.
  • Finds contradictions.
  • See an example of the specification.
  • Preservation of some logical statement through an operation.

  5. (Diagram: current state, operation, next state.) The invariant holds in the current state; does it hold in the next state? If a & b | c is true, is a’ & b’ | c’ true? Alcoa will check this and give counterexamples if not true.

  6. File System Basics (diagram labels: Directory Entry, Inode, Directory Entry, Inode, Directory Entry)

  7. File System Basics (diagram labels: Directory Entry, Inode 2, Directory Entry, Inode, Directory Entry 1)

  8. File System Basics (diagram labels: Datablocks, Directory Entry, Inode 2, Directory Entry, Inode, Directory Entry 1)

  9. Atomic Actions Ordering
  • Imagine the system crashing while making changes to the file system.
  • How should the atomic actions be ordered such that the file system can be recovered?

  10. Atomic Actions Ordering (diagram: Directory Entry a, Inode; rename a b)

  11. Atomic Actions Ordering (diagram: Directory Entry a, Inode; rename a b) Lost inode if the system crashes here.

  12. Atomic Actions Ordering (diagram: Directory Entry a, Inode; rename a b)

  13. Atomic Actions Ordering (diagram: Directory Entry a, Inode, b; rename a b)

  14. Atomic Actions Ordering (diagram: Directory Entry a, Inode, b; rename a b)

  15. Atomic Actions Ordering
  • From “Metadata Update Performance in File Systems” by G. Ganger, Y. Patt
  • Operations
    • Link removal
    • Link addition
    • Block allocation
    • Block de-allocation

  16. Link Addition
  • 1. Link count in inode incremented.
  • 2. Pointer to inode added to the list of directory entries.
  (Diagram: Link Count 1, DirEntry, Inode.)

  17. Link Addition
  • 1. Link count in inode incremented.
  • 2. Pointer to inode added to the list of directory entries.
  (Diagram: Link Count 2, DirEntry, Inode.)

  18. Link Addition
  • 1. Link count in inode incremented.
  • 2. Pointer to inode added to the list of directory entries.
  (Diagram: Link Count 2, DirEntry, Inode, DirEntry.)

  19. Link Deletion
  • 1. Directory Entry is removed first.
  • 2. Link Count is decremented.
  (Diagram: Link Count 2, DirEntry, Inode, DirEntry.)

  20. Link Deletion
  • 1. Directory Entry is removed first.
  • 2. Link Count is decremented.
  (Diagram: Link Count 2, DirEntry, Inode.)

  21. Link Deletion
  • 1. Directory Entry is removed first.
  • 2. Link Count is decremented.
  (Diagram: Link Count 1, DirEntry, Inode.)

  22. The Problem
  • Finding a preserved invariant was not easy.
  • “No lost inodes. All allocated inodes are pointed to by a directory entry.” is not an invariant.
  • Reverse engineering the invariant.
  • The tool helped determine which invariants were wrong.

  23. Discovered Invariants
  • “If an inode’s link count is zero, there are no directory entries pointing to the inode.”
  • “At all times, an inode’s link count is higher than the number of directory entries pointing to an inode.”

  24. Discovered Invariants
  • “If an inode’s link count is zero, there are no directory entries pointing to the inode.”
  • Important when recovering after a crash so that an inode is not accidentally deallocated.
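The link addition and deletion orderings (slides 16 to 21) and the candidate invariants (slides 22 to 24), as an added Python model that is not part of the presentation: it replays each ordering one atomic action at a time, tests the invariant in every intermediate state a crash could leave behind, and reports the first counterexample state, which is the current/next check slide 5 describes for a single operation. The State type, the step functions and the sample inode states are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass(frozen=True)
class State:
    # Constructed model of one inode: stored link count plus names of entries pointing to it.
    link_count: int
    entries: frozenset = field(default_factory=frozenset)

# Atomic actions (hypothetical names); each returns the next state.
def inc_link(s: State) -> State:
    return State(s.link_count + 1, s.entries)
def dec_link(s: State) -> State:
    return State(s.link_count - 1, s.entries)
def add_entry(name: str) -> Callable[[State], State]:
    return lambda s: State(s.link_count, s.entries | {name})
def remove_entry(name: str) -> Callable[[State], State]:
    return lambda s: State(s.link_count, s.entries - {name})

# Candidate invariants from slides 22 and 23.
def no_lost_inodes(s: State) -> bool:  # "all allocated inodes are pointed to by a directory entry"
    return s.link_count == 0 or len(s.entries) > 0
def zero_count_no_entries(s: State) -> bool:  # link count zero => no entries point to the inode
    return s.link_count != 0 or len(s.entries) == 0
def count_covers_entries(s: State) -> bool:  # link count never below the number of entries
    return s.link_count >= len(s.entries)

def first_violation(start: State, steps: List[Callable[[State], State]],
                    invariant: Callable[[State], bool]) -> Optional[State]:
    """Apply the atomic actions in order, testing the invariant after each one (every
    state a crash could leave behind). Return the first counterexample state or None."""
    s = start
    for step in steps:
        s = step(s)
        if not invariant(s):
            return s
    return None

# Orderings from slides 16-21 and their reversals.
LINK_ADD = [inc_link, add_entry("a")]
LINK_ADD_REVERSED = [add_entry("a"), inc_link]
LINK_DEL = [remove_entry("a"), dec_link]
LINK_DEL_REVERSED = [dec_link, remove_entry("a")]
FRESH = State(0)                       # constructed: unlinked inode
LINKED = State(1, frozenset({"a"}))    # constructed: inode with one link named "a"

if __name__ == "__main__":
    cases = [("add", FRESH, LINK_ADD), ("add reversed", FRESH, LINK_ADD_REVERSED),
             ("del", LINKED, LINK_DEL), ("del reversed", LINKED, LINK_DEL_REVERSED)]
    for name, start, steps in cases:
        for inv in (no_lost_inodes, zero_count_no_entries, count_covers_entries):
            print(f"{name:13} {inv.__name__:22} counterexample: {first_violation(start, steps, inv)}")
```

With the slides' orderings both discovered invariants survive every crash point, while the "no lost inodes" candidate fails on the transient state after the first step of addition (and of deletion), and the reversed orderings break both discovered invariants.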

  25. Using the Invariants
  • Weakened the precondition of the operations to see if the invariants are preserved.
  • Some interesting configurations
    • Link count much higher than the actual number of directory entries.

  26. Other Issues
  • Relations in Alcoa can be
    • A function, surjective, partial/total, injective
  • Abstraction design decision
    • Choosing the relation type forces the specification writer to be careful and specific.

  27. Other Issues
  • Alcoa does not have numbers.
    • Link Count was tricky to model.
  • Inverse relations.
    • Alcoa allows this, and it was used inadvertently.
  • Many invariants do not hold because of the intermediate stages.
    • Tricky specifying an invariant.

  28. Other Issues
  • Must clearly specify the precondition and postcondition of an operation.
    • Hoare Triple
  • Instance finding useful for careless errors such as typos.
    • b in UsedB
    • b not in UsedB’
