Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Alcoa to Specify a UNIX File System Specification of some structures and operations in a File System.

Published byRosalind O’Connor’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Using Alcoa to Specify a UNIX File System Specification of some structures and operations in a File System."— Presentation transcript:

1 Using Alcoa to Specify a UNIX File System Specification of some structures and operations in a File System

2 Alcoa Predicate logic to specify a system of objects. (quantifiers, subsets, relations) Can only describe a two state relationship. Missing a sequential composition operator. currentnext time0time1time2 OK NO

3 Alcoa

4 Alcoa Tool Finds an instance which satisfies the specification. –Finds contradictions. –See an example of the specification. Preservation of some logical statement through an operation.

5 currentnext operation Invariant holds here. Does invariant hold here? Alcoa will check this and give counterexamples if not true. a & b | c is trueIs a’ & b’ | c’ true?

6 File System Basics Inode Directory Entry

7 File System Basics Inode Directory Entry 2 1

8 File System Basics Inode Directory Entry 2 1 Datablocks

9 Atomic Actions Ordering Imagine the system crashing while making changes to the file system. How should the atomic actions be ordered such that the file system can be recovered?

10 Atomic Actions Ordering Inode a Directory Entry rename a b

11 Atomic Actions Ordering Inode a Directory Entry rename a b Lost inode if system crashes here.

12 Atomic Actions Ordering Inode a Directory Entry rename a b

13 Atomic Actions Ordering Inode a Directory Entry rename a b b

14 Atomic Actions Ordering Inode a Directory Entry rename a b b

15 Atomic Actions Ordering From “Metadata Update Performance in File Systems” by G. Ganger, Y. Patt Operations –Link removal –Link addition –Block allocation –Block de-allocation

16 Link Addition 1. Link count in inode incremented. 2. Pointer to inode added to the list of directory entries. Inode DirEntry 1 Link Count

17 Link Addition 1. Link count in inode incremented. 2. Pointer to inode added to the list of directory entries. Inode DirEntry 2 Link Count

18 Link Addition 1. Link count in inode incremented. 2. Pointer to inode added to the list of directory entries. Inode DirEntry 2 Link Count DirEntry

19 Link Deletion 1. Directory Entry is removed first. 2. Link Count is decremented. Inode DirEntry 2 Link Count DirEntry

20 Link Deletion 1. Directory Entry is removed first. 2. Link Count is decremented. Inode DirEntry 2 Link Count

21 Link Deletion 1. Directory Entry is removed first. 2. Link Count is decremented. Inode DirEntry 1 Link Count

22 The Problem –Finding preserved invariant was not easy. “No lost inodes. All allocated inodes are pointed to by a directory entry.” is not an invariant. –Reverse engineering the invariant. –Tool helped determine which invariants are wrong.

23 Discovered Invariants “If an inode’s link count is zero, there are no directory entries pointing to the inode.” “At all times, an inode’s link count is higher than the number of directory entries pointing to an inode.”

24 Discovered Invariants “If an inode’s link count is zero, there are no directory entries pointing to the inode.” –Important when recovering after a crash so that an inode is not accidently deallocated.

25 Using the Invariants Weakened the precondition of the operations to see if the invariants are preserved. Some interesting configurations –Link count much higher than the actual number of directory entries.

26 Other Issues Relations in Alcoa can be –A function, surjective, partial/total, injective Abstraction design decision –Choosing relation type forces specification writer to be careful and specific.

27 Other Issues Alcoa does not have numbers. –Link Count was tricky to model. Inverse relations. –Alcoa allows this and inadvertently used. Many invariants do not hold because of the intermediate stages. –Tricky specifying an invariant.

28 Other Issues Must clearly specify the precondition and postcondition of an operation. –Hoare Triple Instance finding useful for careless errors such as typos. –b in UsedB –b not in UsedB’

Download ppt "Using Alcoa to Specify a UNIX File System Specification of some structures and operations in a File System."

Similar presentations

More on File Management

More on File Management
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
File System Interface CSCI 444/544 Operating Systems Fall 2008.

File System Interface CSCI 444/544 Operating Systems Fall 2008.
Inodes. Filesystems Each partition has a filesystem –This filesystem will usually support a directory hierarchy Every file on a disk partition is allocated.

Inodes. Filesystems Each partition has a filesystem –This filesystem will usually support a directory hierarchy Every file on a disk partition is allocated.
Day 27 File System. UNIX File Management Types of files Ordinary – stream of bytes Directory – list of names plus pointers to attributes of the entry.

Day 27 File System. UNIX File Management Types of files Ordinary – stream of bytes Directory – list of names plus pointers to attributes of the entry.
Introduction to Formal Methods

Introduction to Formal Methods
Copyright W. Howden1 Lecture 13: Programming by Contract.

Copyright W. Howden1 Lecture 13: Programming by Contract.
CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.
Ceng Operating Systems

Ceng Operating Systems
Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.

Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.
CS 497C – Introduction to UNIX Lecture 16: - File Attributes Chin-Chih Chang

CS 497C – Introduction to UNIX Lecture 16: - File Attributes Chin-Chih Chang
Crash recovery All-or-nothing atomicity & logging.

Crash recovery All-or-nothing atomicity & logging.
Describing Syntax and Semantics

Describing Syntax and Semantics
1 Course Outline Processes & Threads CPU Scheduling Synchronization & Deadlock Memory Management File Systems & I/O Networks, Protection and Security.

1 Course Outline Processes & Threads CPU Scheduling Synchronization & Deadlock Memory Management File Systems & I/O Networks, Protection and Security.
Secondary Storage Management Hank Levy. 8/7/20152 Secondary Storage • Secondary Storage is usually: –anything outside of “primary memory” –storage that.

Secondary Storage Management Hank Levy. 8/7/20152 Secondary Storage • Secondary Storage is usually: –anything outside of “primary memory” –storage that.
Contiguous Allocation of Disk Space. Linked Allocation.

Contiguous Allocation of Disk Space. Linked Allocation.
BACS 371 Computer Forensics

BACS 371 Computer Forensics

Similar presentations

Ads by Google