Presentation is loading. Please wait.

Presentation is loading. Please wait.

W4118 Operating Systems Instructor: Junfeng Yang.

Published byMarvin Jordan Modified over 8 years ago

Similar presentations

Presentation on theme: "W4118 Operating Systems Instructor: Junfeng Yang."— Presentation transcript:

1 W4118 Operating Systems Instructor: Junfeng Yang

2 1 File System Consistency  Journaling  What is the consistent update problem?  What is journaling?  What are different journaling modes?  eXplode: an automatic tool for detecting serious storage system errors 1

3 2 The Consistent Update Problem  Atomically update file system from one consistent state to another, which may require modifying several sectors, despite that the disk only provides atomic write of one sector at a time 2

4 3 Example: ext2 File Creation 3 01000 inode bitmap block bitmap inodeblocks. 1.. root Disk Memory direct: 1 …

5 4 Read to In-memory Cache 4 01000 inode bitmap block bitmap inodedata blocks 01000. 1.. root

6 5 Modify blocks 5 01000 inode bitmap block bitmap inodedata blocks 01010. 1.. root f 3 “Dirty” blocks, must write to disk

7 6 Crash?  Disk: atomically write one sector  Atomic: if crash, a sector is either completely written, or none of this sector is written  An FS operation may modify multiple sectors  Crash  FS partially updated 6

8 7 Possible Crash Scenarios: Any Subset  File creation dirties three blocks  inode bitmap (B)  inode (I)  parent directory data block (D)  Possible crash scenarios  None  B  I  D  B + I  B + D  I + D  B + I + D 7

9 8 Some Solutions  Using a repair utility fsck  Upon reboot, scan entire disk to make FS consistent  Disadvantages Slow to scan large disk Cannot correctly fix all crashed disks (e.g., B+D) Not well-defined consistency  Journaling  Write-ahead logging from database community  Persistently write intent to log (or journal), then update file system Crash before intent is written == no-op Crash after intent is written == redo op  Advantages no need to scan entire disk Well-defined consistency 8

10 9 Ext3 Journaling  Three steps  Commit dirty blocks to journal as one transaction  Write dirty blocks to real file system  Reclaim the journal space for the transaction  Physical journaling: write real physical contents of the update  v.s. logical journaling: “create file f in dir d” More complex May be faster and save disk space

11 10 Ext3 Journaling Example 10 01000 01010. 1.. root f 3 “Dirty” blocks, must write to disk 01010 journal DescCommit

12 11 Ext3 Journaling Example 11 0101001000 01010. 1.. root f 3 “Dirty” blocks, must write to disk 01010 journal DescCommit

13 12 Ext3 Journaling Example 12 0101001000 01010. 1.. root f 3 “Dirty” blocks, must write to disk journal 01010 DescCommit

14 13 Write Orders  Journal writes < FS writes  Otherwise:  FS writes < Journal clear  Otherwise:  When to write commit block?  Journal writes and commit ? journal 01010 X DescCommit

15 14 Journaling Modes  Cost: one write = two disk writes, two seeks  Data journaling: journal all writes, including file data  Problem: expensive to journal data  Metadata journaling: journal only metadata  Used by most FS (IBM JFS, SGI XFS, NTFS)  Problem: file may contain garbage data  Ordered mode: write file data to real FS first, then journal metadata  Default mode for ext3

16 15 E X PLODE : a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang Stanford University Joint work with Can Sar, Paul Twohey, Ben Pfaff, Dawson Engler and Madan Musuvathi

17 16 Why check storage systems?  Storage system errors: some of the most serious  machine crash  data loss  data corruption  Code complicated, hard to get right  Conflicting goals: speed, reliability (recover from any failures and crashes)  Typical ways to find these errors: ineffective  Manual inspection: strenuous, erratic  Randomized testing (e.g. unplug the power cord): blindly throwing darts  Error report from mad users

18 17 Goal: build tools to automatically find storage system errors Sub-goal: comprehensive, lightweight, general

19 18 E X PLODE [OSDI06]  Comprehensive: adapt ideas from model checking  General, real: check live systems  Can run (on Linux, BSD), can check, even w/o source code  Fast, easy  Check a new storage system: 200 lines of C++ code  Port to a new OS: 1 kernel module + optional modification  Effective  17 storage systems: 10 Linux FS, Linux NFS, Soft-RAID, 3 version control, Berkeley DB, VMware  Found serious data-loss in all  Subsumes FiSC [OSDI04, best paper]

20 19 Outline  Overview  Checking process  Implementation  Example check: crashes during recovery are recoverable  Results

21 20  Serious  Loss of an entire FS!  Fixed in 2 days with our complete trace  Hard to find  3 years old, ever since the first version Long-lived bug fixed in 2 days in the IBM Journaling file system (JFS) Dave Kleikamp (IBM JFS): “I really appreciate your work finding and recreating this bug. I'm sure this has bitten us before, but it's usually hard to go back and find out what causes the file system to get messed up so bad”

22 21 ff Events to trigger the JFS bug Buffer Cache (in mem) Disk / / creat(“/f”); flush “/f” crash! fsck.jfs 5-char system call, not a typo File system recovery utility, run after reboot Orphan file removed. Legal behavior for file systems

23 22 /f Events to trigger the JFS bug Buffer Cache (in mem) Disk / / creat(“/f”); flush “/” crash! dangling pointer! fsck.jfs bug under low mem (design flaw) “fix” by zeroing, entire FS gone! File system recovery utility, run after reboot

24 23 Overview Linux Kernel JFS User-written Checker f/ / f creat(“/f”) Our codeUser code /f void mutate() { creat(“/old”); sync(); creat(“/f”); check_crash_now(); } void check() { int fd = open(“/old”, O_RDONLY ); if (fd < 0) error(“lost old!”); close(fd); } EKM E X PLODE Runtime fsck.jfs check( ) /root old /root old f /root old EKM = EXPLODE kernel module Hardware “crash-disk” Toy checker: crash after creat(“/f”) should not lose any old file that is already persistent on disk User-written checker: can be either very sophisticated or very simple

25 24 Outline  Overview  Checking process  Implementation  Example check: crashes during recovery are recoverable  Results

26 25 One core idea from model checking: explore all choices  Bugs are often triggered by corner cases  How to find? Drive execution down to these tricky corner cases Principle When execution reaches a point in program that can do one of N different actions, fork execution and in first child do first action, in second do second, etc. Result: rare events appear as often as common ones

27 26 Linux Kernel JFS User-written Checker f/ / f /f EKM E X PLODE Runtime fsck.jfs check( ) /root Crashes (Overview slide revisit) “crash-disk” /root old /root old f /root old Hardware

28 27 External choices creat /root a unlink mkdir rmdir … …  Fork and do every possible operation Explore generated states as well Users write code to check FS valid. E X PLODE “amplifies” /root b a c a a

29 28 struct block* read_block (int i) { struct block *b; if ((b = cache_lookup(i))) return b; return disk_read (i); } Internal choices  Fork and explore all internal choices /root a b a cache hit miss disk read succeed fail /root b a a

30 29 Users expose choices using choose(N)  To explore N-choice point, users instrument code using choose(N) (also used in other model checkers)  choose(N): N-way fork, return K in K’th kid  Optional. Instrumented only 7 places in Linux cache_lookup (int i) { if(choose(2) == 0) return NULL; // normal lookup … } struct block* read_block (int i) { struct block *b; if ((b = cache_lookup(i))) return b; return disk_read (i); }

31 30 Crash X External X Internal /root a … b a c a a …

32 31 Speed: skip same states creat(“/b”) /root a mkdir(“/c”) … /root b a c a a b a c mkdir(“/c”) creat(“/b”) Abstract and hash a state, discard if seen. …

33 32 Outline  Overview  Checking process  Implementation  FiSC, File System Checker, [OSDI04], best paper  E X PLODE, storage system checker, [OSDI06]  Example check: crashes during recovery are recoverable  Results

34 33 Checking process S0 … How to checkpoint and restore a live OS? S0 = checkpoint() enqueue(S0) while(queue not empty){ S = dequeue() for each action in S { restore(S) do action S’ = checkpoint() if(S’ is new) enqueue(S’) } }

35 34 FiSC: jam OS into tool  Pros  Comprehensive, effective  No model, check code  Checkpoint and restore: easy  Cons  Intrusive. Build fake environment. Hard to check anything new. Months for new OS, 1 week for new FS  Many tricks, so complicated that we won best paper OSDI 04 FiSC User Mode Linux JFS User-written Checker Linux Kernel Hardware Our codeUser code

36 35 E X PLODE: jam tool into OS FiSC User Mode Linux JFS User-written Checker Linux Kernel Hardware Our codeUser code JFS User-written Checker Linux Kernel Hardware EKM EKM = EXPLODE kernel module E X PLODE Runtime

37 36 EKM lines of code OSLines of code Linux 2.61,915 FreeBSD 6.01,210 E X PLODE kernel modules ( EKM ) are small and easy to write

38 37 How to checkpoint and restore a live OS kernel? JFS Checker Linux Kernel Hardware EKM E X PLODE Runtime  Hard to checkpoint live kernel memory  Virtual machine? No  VMware: no source  Xen: not portable  heavyweight  There’s a better solution for storage systems

39 38 S0S0 … S Checkpoint: save actions instead of bits state = list of actions checkpoint S = save (creat, cache miss) restore = re-initialize, creat, cache miss re-initialize = unmount, mkfs creat cache miss Redo-to-restore-state idea used in model checking to trade time for space (stateless search). We use it only to reduce intrusiveness Utility that clears in-mem state of a storage system Utility to create an empty FS

40 39 Deterministic replay  Storage system: isolated subsystem  Non-deterministic kernel scheduling decision  Opportunistic fix: priorities  Non-deterministic interrupt  Fix: use RAM disks, no interrupt for checked system  Non-deterministic kernel choose() calls by other code  Fix: filter by thread IDs. No choose() in interrupt  Worked well in practice  Mostly deterministic  Worst case: auto-detect & ignore non-repeatable errors

41 40 Outline  Overview  Checking process  Implementation  Example check: crashes during recovery are recoverable  Results

42 41 What to check?  fsck once == fsck & crash, re-run fsck  fsck(crash-disk) to completion, “/a” recovered  fsck(crash-disk) and crash, fsck, “/a” gone  Powerful heuristic, found interesting bugs (wait until results) Why check crashes during recovery?  Crashes are highly correlated  Often caused by kernel bugs, hardware errors  Reboot, hit same bug/error Bug!

43 42 How to check crashes during recovery? fsck.jfs “crash-disk” fsck.jfs EXPLODE Runtime “crash-crash-disk” same as ? Problem: N blocks  2^N crash-crash-disks. Too many! Can prune many crash-crash-disks

44 43 Simplified example  3-block disk, B1, B2, B3  each block is either 0 or 1  crash-disk = 000 (B1 to B3) Read(B1) = 0 Write(B2, 1) Write(B3, 1) Read(B3) = 1 Write(B1, 1) fsck(000) fsck(000) = 111 buffer cache: B2=1, B3=1, B1=1 buffer cache: B2=1 buffer cache: B2=1, B3=1

45 44 Na ï ve strategy: 7 crash-crash-disks Read(B1) = 0 Write(B2, 1) Write(B3, 1) Read(B3) = 1 Write(B1, 1) fsck(000)= 111 fsck(010) == 111? fsck(001) == 111? fsck(011) == 111? fsck(100) == 111? fsck(110) == 111? fsck(101) == 111? fsck(111) == 111? buffer cache: B2=1, B3=1, B1=1crash-disk = 000 000 + {B2=1}

46 45 Optimization: exploiting determinism  For all practical purposes, fsck is deterministic  read same blocks  write same blocks  fsck(010) == 111?  fsck(000) doesn’t read B2  So, fsck(010) = 111 Read(B1) = 0 Write(B2, 1) Write(B3, 1) Read(B3) = 1 Write(B1, 1) fsck(000)= 111 crash-disk = 000 000 + {B2=1}

47 46 What blocks does fsck(000) actually read? Read(B1) = 0 Write(B2, 1) Write(B3, 1) Read(B3) = 1 Write(B1, 1) fsck(000)= 111 fsck(000) reads/depends only on B1. It doesn’t matter what we write to the other blocks. fsck(0**) = 111 Read of B3 will get what we just wrote. Can’t depend on B3 crash-disk = 000

48 47 Prune crash-crash-disks matching 0** Read(B1) = 0 Write(B2, 1) Write(B3, 1) Read(B3) = 1 Write(B1, 1) fsck(000)= 111 fsck(010) == 111? fsck(001) == 111? fsck(011) == 111? fsck(100) == 111? fsck(110) == 111? fsck(101) == 111? fsck(111) == 111? buffer cache: B2=1, B3=1, B1=1 Can further optimize using this and other ideas crash-disk = 000

49 48 Outline  Overview  Checking process  Implementation  Example check: crashes during recovery are recoverable  Results

50 49 Bugs caused by crashes during recovery  Found data-loss bugs in all three FS that use logging (ext3, JFS, ReiserFS), total 5  Strict order under normal operation:  First, write operation to log, commit  Second, apply operation to actual file system  Strict (reverse) order during recovery:  First, replay log to patch actual file system  Second, clear log  No order  corrupted FS and no log to patch it!

51 50 Bug in fsck.ext3 recover_ext3_journal(…) { // … retval = -journal_recover(journal); // … // clear the journal e2fsck_journal_release(…) // … } journal_recover(…) { // replay the journal //… // sync modifications to disk fsync_no_super (…) }  Code directly adapted from the kernel  But, fsync_no_super defined as NOP: “ hard to implement ” // Error! Empty macro, doesn’t sync data! #define fsync_no_super(dev) do {} while (0)

52 51 FiSC Results (can reproduce in E X PLODE ) Error TypeVFSext2ext3JFSReiserFStotal Data lossN/A 18110 False cleanN/A 112 Security2213 + 2 Crashes110112 Other1113 Total22521232 32 in total, 21 fixed, 9 of the remaining 11 confirmed

53 52 E X PLODE checkers lines of code and errors found Storage System CheckedCheckerBugs 10 file systems5,47718 Storage applications CVS681 Subversion691 “E XP ENS IVE ” 1243 Berkeley DB2026 Transparent subsystems RAIDFS + 1372 NFSFS4 VMware GSX/Linux FS1 Total6,00836 6 bugs per 1,000 lines of checker code

54 53 Related work  FS Testing  Static (compile-time) analysis  Software model checking

55 54 Conclusion  EXPLODE  Comprehensive: adapt ideas from model checking  General, real: check live systems in situ, w/o source code  Fast, easy: simple C++ checking interface  Results  Checked 17 widely-used, well-tested, real-world storage systems: 10 Linux FS, Linux NFS, Soft-RAID, 3 version control, Berkeley DB, VMware  Found serious data-loss bugs in all, over 70 bugs in total  Many bug reports led to immediate kernel patches

Download ppt "W4118 Operating Systems Instructor: Junfeng Yang."

Similar presentations

IDA / ADIT Lecture 10: Database recovery Jose M. Peña

IDA / ADIT Lecture 10: Database recovery Jose M. Peña
Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.

Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.
File Systems.

File Systems.
CSCI 3140 Module 8 – Database Recovery Theodore Chiasson Dalhousie University.

CSCI 3140 Module 8 – Database Recovery Theodore Chiasson Dalhousie University.
Chapter 19 Database Recovery Techniques

Chapter 19 Database Recovery Techniques
CSE506: Operating Systems Block Cache. CSE506: Operating Systems Address Space Abstraction Given a file, which physical pages store its data? Each file.

CSE506: Operating Systems Block Cache. CSE506: Operating Systems Address Space Abstraction Given a file, which physical pages store its data? Each file.
ICS 541 - 01 (072)Database Recovery1 Database Recovery Concepts and Techniques Dr. Muhammad Shafique.

ICS (072)Database Recovery1 Database Recovery Concepts and Techniques Dr. Muhammad Shafique.
Crash recovery All-or-nothing atomicity & logging.

Crash recovery All-or-nothing atomicity & logging.
Quick Review of May 1 material Concurrent Execution and Serializability –inconsistent concurrent schedules –transaction conflicts serializable == conflict.

Quick Review of May 1 material Concurrent Execution and Serializability –inconsistent concurrent schedules –transaction conflicts serializable == conflict.
CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.
Ext3 Journaling File System “absolute consistency of the filesystem in every respect after a reboot, with no loss of existing functionality” chadd williams.

Ext3 Journaling File System “absolute consistency of the filesystem in every respect after a reboot, with no loss of existing functionality” chadd williams.
Crash recovery All-or-nothing atomicity & logging.

Crash recovery All-or-nothing atomicity & logging.
Transactions and Reliability. File system components Disk management Naming Reliability  What are the reliability issues in file systems? Security.

Transactions and Reliability. File system components Disk management Naming Reliability  What are the reliability issues in file systems? Security.
Distributed File Systems

Distributed File Systems
UNIX File and Directory Caching How UNIX Optimizes File System Performance and Presents Data to User Processes Using a Virtual File System.

UNIX File and Directory Caching How UNIX Optimizes File System Performance and Presents Data to User Processes Using a Virtual File System.
OSes: 11. FS Impl. 1 Operating Systems v Objectives –discuss file storage and access on secondary storage (a hard disk) Certificate Program in Software.

OSes: 11. FS Impl. 1 Operating Systems v Objectives –discuss file storage and access on secondary storage (a hard disk) Certificate Program in Software.
CS 4284 Systems Capstone Godmar Back Disks & File Systems.

CS 4284 Systems Capstone Godmar Back Disks & File Systems.
1 File Systems: Consistency Issues. 2 File Systems: Consistency Issues File systems maintains many data structures  Free list/bit vector  Directories.

1 File Systems: Consistency Issues. 2 File Systems: Consistency Issues File systems maintains many data structures  Free list/bit vector  Directories.
Reliability and Recovery CS 537 - Introduction to Operating Systems.

Reliability and Recovery CS Introduction to Operating Systems.
1 How can several users access and update the information at the same time? Real world results Model Database system Physical database Database management.

1 How can several users access and update the information at the same time? Real world results Model Database system Physical database Database management.

Similar presentations

Ads by Google