Using Alcoa to Specify a UNIX File System
Specification of some structures and operations in a File System.

Alcoa
Predicate logic to specify a system of objects (quantifiers, subsets, relations).
Can only describe a two-state relationship: a formula relates the current state to the next state, and that is all. There is no sequential composition operator, so a chain of three or more states (time0, time1, time2) cannot be expressed directly.
current / next: OK. time0 / time1 / time2: NO.

Alcoa

Alcoa Tool
Finds an instance which satisfies the specification.
–If no instance exists, the specification is contradictory.
–Shows a concrete example of what the specification admits.
Checks preservation of some logical statement (an invariant) through an operation.

current --operation--> next
The invariant holds in the current state. Does it still hold in the next state? Alcoa checks this and gives a counterexample if it does not.
Example: a & b | c is true in the current state; is a’ & b’ | c’ true in the next state?

File System Basics
(Diagram: a directory entry points to an inode; the inode points to the file’s data blocks.)

Atomic Actions Ordering
Imagine the system crashing while making changes to the file system. How should the atomic actions be ordered such that the file system can be recovered?

Atomic Actions Ordering: rename a b
(Diagram, step by step.) Initially directory entry a points to the inode.
Naive ordering: remove entry a, then add entry b. If the system crashes between the two steps, the inode is still allocated but no directory entry points to it: a lost inode.
Safe ordering: add entry b first (for a moment both a and b point to the inode), then remove entry a. A crash at any point leaves the inode reachable under at least one name.

Atomic Actions Ordering
From “Metadata Update Performance in File Systems” by G. Ganger, Y. Patt. Operations:
–Link removal
–Link addition
–Block allocation
–Block de-allocation

Link Addition
1. Link count in inode incremented.
2. Pointer to inode added to the list of directory entries.
(Diagram: one directory entry and link count 1; the count becomes 2; then the second directory entry appears.)

Link Deletion
1. Directory entry is removed first.
2. Link count is decremented.
(Diagram: two directory entries and link count 2; one entry disappears; then the count becomes 1.)
In both orderings a crash between the two steps leaves the link count no lower than the number of directory entries: recovery may find an inode whose count is one too high, but never an entry pointing at an inode whose count has already reached zero.

The Problem
–Finding a preserved invariant was not easy. “No lost inodes: all allocated inodes are pointed to by a directory entry.” is not an invariant; it is false in the intermediate state of the naive rename and after the first step of link deletion.
–Reverse engineering the invariant.
–The tool helped determine which candidate invariants are wrong.

Discovered Invariants
“If an inode’s link count is zero, there are no directory entries pointing to the inode.”
–Important when recovering after a crash, so that an inode is not accidentally deallocated while a name still refers to it. If it were, the inode could later be reallocated to a different file and the stale name would resolve to that file’s data.
“At all times, an inode’s link count is at least as high as the number of directory entries pointing to the inode.” (The count equals the number of entries between operations and is strictly higher only in the intermediate states of the orderings above.)

Using the Invariants
Weakened the precondition of the operations to see if the invariants are still preserved. Some interesting configurations:
–Link count much higher than the actual number of directory entries.
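The checks on the slides above, from the rename ordering and the link addition/deletion orderings through the rejected and the discovered invariants and the weakened preconditions, as an added example written in Python for this page (it is not code from the slides and not an Alcoa/Alloy model). It replays by brute force what the tool does on a two-state specification, in a small scope assumed here: every atomic metadata write is one step, and a candidate invariant must hold after each step from every in-scope state that satisfies it. Link counts are plain integers, which the slides note Alcoa could not express. The scope, the step labels, the operation names and the weak preconditions are assumptions of this example.

```python
"""Added example (not code from the slides or from Alcoa): a bounded, Alcoa-style
preservation check for file-system metadata update orderings.  Scope, assumed for
this example: one directory, inodes 1 and 2, names "a"/"b", link counts 0..3.
Every metadata write is one atomic step and a crash may follow any of them."""
from itertools import product

INODES, NAMES, MAX_LINKS = (1, 2), ("a", "b"), 3

def mk(links, entries):
    """Canonical state: (sorted (inode, link count) pairs, frozenset of (name, inode))."""
    return (tuple(sorted(links.items())), frozenset(entries))

def links_of(s):
    return dict(s[0])

def entries_to(s, ino):
    return sum(1 for _, i in s[1] if i == ino)

def all_states():
    """Every state in scope; a directory never holds the same name twice."""
    pairs = [(n, i) for n in NAMES for i in INODES]
    for counts in product(range(MAX_LINKS + 1), repeat=len(INODES)):
        for mask in range(1 << len(pairs)):
            entries = {p for k, p in enumerate(pairs) if mask >> k & 1}
            if len({n for n, _ in entries}) == len(entries):
                yield mk(dict(zip(INODES, counts)), entries)

# Candidate invariants: predicates on a single state.
def inv_no_lost_inodes(s):
    """Every allocated inode (count > 0) is named by some entry.  Not preserved."""
    return all(entries_to(s, i) > 0 for i, n in links_of(s).items() if n > 0)

def inv_zero_means_unreferenced(s):
    """Link count zero implies no directory entry points at the inode."""
    return all(entries_to(s, i) == 0 for i, n in links_of(s).items() if n == 0)

def inv_count_ge_entries(s):
    """The link count is never lower than the number of entries pointing at the inode."""
    return all(n >= entries_to(s, i) for i, n in links_of(s).items())

def inv_discovered(s):  # the two invariants reported on the slides, together
    return inv_zero_means_unreferenced(s) and inv_count_ge_entries(s)

# Atomic metadata updates: each returns a state -> next-state function.
def bump(ino, d):
    return lambda s: mk({**links_of(s), ino: links_of(s)[ino] + d}, s[1])
def add_entry(name, ino):
    return lambda s: mk(links_of(s), s[1] | {(name, ino)})
def del_entry(name, ino):
    return lambda s: mk(links_of(s), s[1] - {(name, ino)})

# Operations as ordered step lists.  safe=True is the ordering on the slides (count
# before entry on add, entry before count on delete, new name before old name on
# rename); safe=False reverses add/delete and, for rename, drops the old name first.
def link_add(name, ino, safe=True):
    steps = [("inc count", bump(ino, +1)), ("add entry", add_entry(name, ino))]
    return steps if safe else steps[::-1]

def link_del(name, ino, safe=True):
    steps = [("del entry", del_entry(name, ino)), ("dec count", bump(ino, -1))]
    return steps if safe else steps[::-1]

def rename(old, new, ino, safe=True):
    if safe:
        return link_add(new, ino) + link_del(old, ino)
    return [("del entry", del_entry(old, ino)), ("add entry", add_entry(new, ino))]

def violating_steps(inv, steps, s):
    """Labels of the steps after which inv is false: a crash there is the counterexample."""
    bad = []
    for label, step in steps:
        s = step(s)
        if not inv(s):
            bad.append(label)
    return bad

def applicable(s, safe):
    """Operation instances whose (deliberately weak) precondition holds in s: the
    inode is allocated, a name to add is unused, a name to remove exists."""
    links, ents = links_of(s), s[1]
    used = {n for n, _ in ents}
    for ino in INODES:
        if links[ino] == 0:
            continue
        for name in NAMES:
            if name not in used:
                yield f"link_add({name},{ino})", link_add(name, ino, safe)
            if (name, ino) in ents:
                yield f"link_del({name},{ino})", link_del(name, ino, safe)
                for new in (n for n in NAMES if n not in used):
                    yield f"rename({name}->{new},{ino})", rename(name, new, ino, safe)

def check(inv, safe=True):
    """Two-state check over the whole scope, as Alcoa would do it: from every state
    satisfying inv, does inv hold after each step of each applicable operation?
    Returns the first counterexample (state, operation, failing step) or None."""
    for s in all_states():
        if not inv(s):
            continue
        for label, steps in applicable(s, safe):
            bad = violating_steps(inv, steps, s)
            if bad:
                return s, label, bad[0]
    return None

if __name__ == "__main__":
    print(check(inv_no_lost_inodes), check(inv_discovered), check(inv_discovered, safe=False))
```

Run as a script it prints a counterexample for “no lost inodes” even under the safe ordering (the state after the first step of a link deletion), None for the pair of discovered invariants under the safe ordering, and a counterexample for that pair under the naive ordering (the count reaching zero while an entry still exists). Because the precondition only demands that the inode is allocated, the scope includes states such as link count 3 with no entries, and none of them breaks the discovered pair. Checked on its own, the zero-count invariant is not preserved: from a state with link count 1 and two entries, which only the count invariant rules out, a safe unlink drops the count to zero with a name still present, so the two invariants have to be checked together.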

Other Issues
Relations in Alcoa can be declared as:
–a function; surjective; partial/total; injective.
Abstraction design decision:
–Choosing the relation type forces the specification writer to be careful and specific.

Other Issues
Alcoa does not have numbers.
–Link count was tricky to model.
Inverse relations.
–Alcoa allows them, and they were used inadvertently.
Many invariants do not hold because of the intermediate stages.
–Specifying an invariant is tricky.

Other Issues
Must clearly specify the precondition and postcondition of an operation.
–Hoare triple.
Instance finding is useful for catching careless errors such as typos, e.g. in conditions like:
–b in UsedB
–b not in UsedB’