
An Experiment in Applying Event-B and Rodin to a Flash Filestore

An Experiment in Applying Event-B and Rodin to a Flash Filestore. By Kriangsak Damchoom and Michael Butler. Rodin User and Developer Workshop 2009 @ Southampton. Main points: an overview of a flash filesystem model (part of the Verified Software Grand Challenge) and uses of refinement in Event-B.


Presentation Transcript


  1. An Experiment in Applying Event-B and Rodin to a Flash Filestore
     By Kriangsak Damchoom and Michael Butler
     Rodin User and Developer Workshop 2009 @ Southampton

  2. Main Points
     • An overview of a flash filesystem model
     • Part of the Verified Software Grand Challenge
     • Uses of refinement in Event-B
       • Horizontal refinement
       • Structural refinement
       • Atomicity decomposition
       • Machine decomposition
     • Summary and future work

  3. Refinement strategy
     • Feature augmentation
       • define the provided features in an incremental way
       • add state variables and extend events
       • the spec consists of several refinement levels
       • (horizontal / superposition refinement)
     • Structural refinement
       • introduce design decisions
       • e.g., replace the abstract file store by the flash spec
       • involves data and event refinement
       • (vertical refinement)

  4. Layered specification of FFS
     • ML0: Tree properties and basic operations affecting the tree structure
       • Inv1: parent ∈ objects \ {root} → objects
       • Inv2: ∀s. s ⊆ parent~[s] ⇒ s = {}
       • Thm1: ∀o. o ∈ objects \ {root} ⇒ o ∈ tcl(parent~)[{root}]
       • Events: create, move, copy, delete
     • ML1: Partition objects into files and directories
       • Inv1: objects = files ∪ directories
       • Inv2: files ∩ directories = {}
       • Inv3: ran(parent) ⊆ directories
       • Events: crtfile, mkdir
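To make the ML0/ML1 properties concrete, here is an added Python rendering of them; it is an illustration written for this page, not the authors' Event-B model in Rodin. The invariants become executable checks over a constructed sample tree, and the move event carries the guard that keeps Inv2 (acyclicity) true. The object names, the root name `root`, the dictionary encoding of `parent`, and the exact guard on `move` (the slides list the event but not its guard) are assumptions.

```python
"""Added example, not the authors' Event-B model: the ML0/ML1 invariants of the
filestore tree as executable checks, plus the move event with the guard that
keeps Inv2 (no cycles) true. Object names, the root name and the guard on move
are assumptions; the sample tree is constructed for illustration."""
from typing import Dict, Set

ROOT = "root"  # assumed name of the root object


def inverse_image(parent: Dict[str, str], s: Set[str]) -> Set[str]:
    """parent~[s]: the objects whose parent lies in s (the children of s)."""
    return {o for o, p in parent.items() if p in s}


def descendants(parent: Dict[str, str], o: str) -> Set[str]:
    """tcl(parent~)[{o}]: everything strictly below o in the tree."""
    seen: Set[str] = set()
    frontier = {o}
    while frontier:
        frontier = inverse_image(parent, frontier) - seen
        seen |= frontier
    return seen


def inv1(objects: Set[str], parent: Dict[str, str]) -> bool:
    """Inv1: parent ∈ objects \\ {root} → objects (total on the non-root objects)."""
    return set(parent) == objects - {ROOT} and set(parent.values()) <= objects


def inv2(objects: Set[str], parent: Dict[str, str]) -> bool:
    """Inv2: ∀s. s ⊆ parent~[s] ⇒ s = {}.  The largest s with s ⊆ parent~[s] is
    the greatest fixpoint of s ↦ s ∩ parent~[s] (reached by iterating from the
    full set); Inv2 holds exactly when that fixpoint is empty, i.e. no cycle."""
    s = set(objects)
    while True:
        nxt = s & inverse_image(parent, s)
        if nxt == s:
            return not s
        s = nxt


def thm1(objects: Set[str], parent: Dict[str, str]) -> bool:
    """Thm1: every non-root object is reachable from root through parent~."""
    return objects - {ROOT} <= descendants(parent, ROOT)


def ml1(objects, files, directories, parent) -> bool:
    """ML1 Inv1-3: files and directories partition objects; every parent is a directory."""
    return (files | directories == objects and not (files & directories)
            and set(parent.values()) <= directories)


def check(fs: dict) -> bool:
    """All invariants of ML0 and ML1 for one state."""
    o, p = fs["objects"], fs["parent"]
    return inv1(o, p) and inv2(o, p) and thm1(o, p) and ml1(o, fs["files"], fs["directories"], p)


def move(fs: dict, o: str, new_parent: str, guarded: bool = True):
    """Event move(o, new_parent). Assumed guard: o is not root, new_parent is a
    directory, and new_parent is neither o nor one of its descendants. Returns
    the new state, or None when the guard is false (event not enabled).
    guarded=False skips the guard only to show which invariant it protects."""
    if guarded and (o == ROOT or new_parent not in fs["directories"]
                    or new_parent == o or new_parent in descendants(fs["parent"], o)):
        return None
    parent = dict(fs["parent"])
    parent[o] = new_parent
    return {**fs, "parent": parent}


# Constructed sample tree: root -> {etc, home}, home -> {alice}, alice -> {notes.txt}
SAMPLE = {
    "objects": {"root", "etc", "home", "alice", "notes.txt"},
    "directories": {"root", "etc", "home", "alice"},
    "files": {"notes.txt"},
    "parent": {"etc": "root", "home": "root", "alice": "home", "notes.txt": "alice"},
}

if __name__ == "__main__":
    print("sample satisfies ML0/ML1:", check(SAMPLE))
    print("move home under alice enabled:", move(SAMPLE, "home", "alice") is not None)
    forced = move(SAMPLE, "home", "alice", guarded=False)
    print("after unguarded move, Inv2 holds:", inv2(forced["objects"], forced["parent"]))
```

The unguarded move of `home` under its own descendant `alice` leaves Inv1 intact but breaks Inv2 and Thm1 together, which is the proof obligation the guard discharges: the cycle `home → alice → home` is exactly a non-empty s with s ⊆ parent~[s].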

  5. Layered specification of FFS
     • ML2: Introduces file content
       • fcontent ∈ files → CONT
       • Additional events: open, read, write, close
     • ML3: Introduces permissions
       • obj_perms ∈ (files ∪ directories) ↔ PERM
       • obj_owner ∈ (files ∪ directories) → users
       • obj_grp ∈ (files ∪ directories) → groups
       • Additional events: setpermission
     • ML4: Introduces other missing properties such as name, date of creation and last modification
       • Additional events: rename
     (ML2-4 are feature augmentation, i.e. horizontal refinement)

  6. Layered specification of FFS
     • ML5: Decomposes event write into
       • w_start, w_step, w_end (ok, fail)
     • ML6: Decomposes event read into
       • r_start, r_step, r_end (ok, fail)
     • ML7: Links the FS to the flash specification by introducing flash properties
     (ML5-7 are structural refinement, which is the focus of this talk)

  7. ML5: Decomposes the writefile event
     The decomposition is based on the assumption that the content in the buffer is written into the storage one page at a time. Here fcont_tmp behaves like a shadow disk.

  8. Abstraction

  9. Flash Architecture (ONFi’07)
     • flash ∈ RowAddr → PDATA, where RowAddr = LAddr × BAddr × PAddr

  10. ML7: Links abstract FS to FL spec

  11. ML7: Links abstract FS to FL spec
     • Introduces flash properties
       • flash ∈ RowAddr → PDATA
       • programmed_pages ⊆ RowAddr
       • obsolete_pages ⊆ programmed_pages
     • fcontent is replaced by fat ∈ files → (N +-> RowAddr)
     • fcont_tmp is replaced by fat_tmp ∈ writing → (N +-> RowAddr)
     • Refines events pagewrite and pageread by including the flash spec

  12. Machine Decomposition
     Partitions machine level 7 into two machines representing the file system layer (FS) and the flash interface layer (FL).
     [Diagram of the machine decomposition]

  13. ML7.pagewrite

  14. FL0.page_programme

  15. ML7_FS.pagewrite

  16. Abstract Flash specification (FL0)
     • Flash structure (an array of pages)
       - flash ∈ RowAddr → PDATA, where PDATA represents the content of each page (composed of a version number, the object to which the page belongs, a logical page index and data)
       - programmed_pages ⊆ RowAddr
       - obsolete_pages ⊆ programmed_pages
     • Events (APIs provided to the file system layer)
       • page_read (read page data from the flash array)
       • page_programme (programme/write page data into the flash array at a given row address)
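The write decomposition of slide 7 (ML5), the shadow map fat_tmp of slide 11 (ML7) and the FL0 API of slide 16 fit together as follows in an added Python model. It is an illustration written for this page, not the authors' Rodin machines. The flash geometry (one LUN, two blocks of four pages), the PDATA tuple layout, the per-file write buffer, the version counter and the rule that pages replaced by a committed write (or written by an aborted one) become obsolete are assumptions; erasure and wear levelling are left out, matching the slides' note that wear levelling is on-going work.

```python
"""Added example, not the authors' Event-B machines: the ML5 write decomposition
(w_start / w_step / w_end ok|fail) driving the FL0 flash API (page_programme /
page_read) through the shadow map fat_tmp of ML7. Flash geometry, PDATA layout,
the write buffer and the rule for when pages become obsolete are assumptions."""
from itertools import product
from typing import Dict, Tuple

RowAddr = Tuple[int, int, int]        # RowAddr = LAddr x BAddr x PAddr
PDATA = Tuple[int, str, int, bytes]   # (version, owning object, logical page index, data)
ERASED: PDATA = (0, "", -1, b"")      # assumed content of a never-programmed page
ROW_ADDRS = sorted(product(range(1), range(2), range(4)))  # constructed: 1 LUN, 2 blocks x 4 pages


def new_state() -> dict:
    return {"flash": {r: ERASED for r in ROW_ADDRS},   # flash ∈ RowAddr → PDATA (total)
            "programmed": set(), "obsolete": set(),     # programmed_pages, obsolete_pages
            "files": set(), "fat": {},                  # fat ∈ files → (N +-> RowAddr)
            "writing": set(), "fat_tmp": {},            # fat_tmp ∈ writing → (N +-> RowAddr)
            "buffer": {}, "version": 0}                 # assumed: staged pages per file

def invariants(st: dict) -> bool:
    """FL0/ML7 invariants from the slides plus the assumed fat/flash consistency."""
    live = st["programmed"] - st["obsolete"]
    return (st["programmed"] <= set(ROW_ADDRS) and st["obsolete"] <= st["programmed"]
            and set(st["fat"]) == st["files"] and set(st["fat_tmp"]) == st["writing"]
            and st["writing"] <= st["files"]
            and all(set(m.values()) <= live for m in st["fat"].values())
            and all(set(m.values()) <= live for m in st["fat_tmp"].values()))

def page_programme(st: dict, row: RowAddr, pdata: PDATA) -> None:
    """FL0.page_programme. Guard: the page has not been programmed since erasure."""
    if row in st["programmed"]:
        raise ValueError("guard false: page already programmed")
    st["flash"][row] = pdata
    st["programmed"].add(row)

def page_read(st: dict, row: RowAddr) -> PDATA:
    """FL0.page_read. Guard: the page is programmed and not obsolete."""
    if row not in st["programmed"] or row in st["obsolete"]:
        raise ValueError("guard false: page not readable")
    return st["flash"][row]

def w_start(st: dict, f: str, content: Dict[int, bytes]) -> None:
    """ML5.w_start: shadow the file's page map and stage the new pages."""
    if f not in st["files"] or f in st["writing"]:
        raise ValueError("guard false")
    st["writing"].add(f)
    st["fat_tmp"][f] = dict(st["fat"][f])   # shadow copy; the live map is untouched
    st["buffer"][f] = dict(content)
    st["version"] += 1

def w_step(st: dict, f: str, i: int) -> None:
    """ML5.w_step: programme one staged page on a fresh row and repoint the shadow map."""
    if f not in st["writing"] or i not in st["buffer"][f]:
        raise ValueError("guard false")
    free = [r for r in ROW_ADDRS if r not in st["programmed"]]
    if not free:
        raise ValueError("flash full")      # erasure and wear levelling are outside this model
    page_programme(st, free[0], (st["version"], f, i, st["buffer"][f].pop(i)))
    st["fat_tmp"][f][i] = free[0]

def w_end(st: dict, f: str, ok: bool) -> None:
    """ML5.w_end. ok: commit the shadow map and retire the pages it replaced;
    fail: retire the pages written in this attempt and keep the old map."""
    if f not in st["writing"] or (ok and st["buffer"][f]):   # ok needs every page written
        raise ValueError("guard false")
    old, new = st["fat"][f], st["fat_tmp"][f]
    if ok:
        st["fat"][f] = new
        st["obsolete"] |= set(old.values()) - set(new.values())
    else:
        st["obsolete"] |= set(new.values()) - set(old.values())
    del st["fat_tmp"][f], st["buffer"][f]
    st["writing"].discard(f)

def read_file(st: dict, f: str) -> bytes:
    """Reassemble a file from its live pages in logical-index order."""
    return b"".join(page_read(st, st["fat"][f][i])[3] for i in sorted(st["fat"][f]))

def demo() -> dict:
    """Two committed writes, then an aborted one; invariants are checked after every event."""
    st, ok, results = new_state(), [], {}
    st["files"].add("f"); st["fat"]["f"] = {}          # constructed file with no pages yet
    for tag, pages, commit in (("first", {0: b"A", 1: b"B"}, True),
                               ("second", {0: b"C", 1: b"D"}, True),
                               ("failed", {0: b"X"}, False)):
        w_start(st, "f", pages); ok.append(invariants(st))
        for i in sorted(pages):
            w_step(st, "f", i); ok.append(invariants(st))
        w_end(st, "f", commit); ok.append(invariants(st))
        results[tag] = read_file(st, "f")
    results.update(programmed=len(st["programmed"]), obsolete=len(st["obsolete"]),
                   free=len(ROW_ADDRS) - len(st["programmed"]), invariants=all(ok))
    return results

if __name__ == "__main__":
    print(demo())
```

Because every w_step programmes a fresh row and only touches fat_tmp, the live map fat never points at a half-written page; the aborted third write leaves the file readable as the second write left it, at the cost of one more obsolete page that a later erasure step would have to reclaim.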

  17. Further refinement steps
     Focusing on the flash interface layer, covering:
     • FL_Ref1: Introduces Page Register (PR)
       • Each LUN has at least one page register.
       • The PR is used for buffering data before it is written to, or read off, the flash chip.
     • FL_Ref2: Introduces Status Register (SR)
       • One SR per LUN
       • Determines whether the selected LUN is ready, not ready or write-protected
     • FL_Ref3: Deals with bad blocks
       • The maximum number of erasures per block is limited

  18. Refinement chain summary
     [Diagram of the refinement chain]
     • MCH0 to MCH7: feature augmentation (horizontal refinement) followed by structural refinement (vertical)
     • MCH7 decomposed into MCH7_FS and MCH7_FL0
     • MCH_FL_R1, MCH_FL_R2, MCH_FL_R3: further refinements focusing on the flash spec
     • cMCH7_FS_FL: recomposed to show that it is a refinement of MCH7

  19. Proof statistics

  20. Conclusion & On-going Work
     • Conclusion
       • I have presented the model of FFS
       • Two uses of refinement
       • Event decomposition and machine decomposition
     • On-going work
       • Specifying the wear-levelling process
       • Implementation

  21. Machine Invariants of ML7
