Verifying a high-performance crash-safe file system using a tree specification

Chen, Haogang; Chajed, Tej; Konradi, Alex; Wang, Stephanie; İleri, Atalay; Chlipala, Adam; Kaashoek, M. Frans; Zeldovich, Nickolai

doi:10.1145/3132747.3132776

Cited by 45 publications

(36 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Verification has also reached file systems, such as FSCQ (Chen et al, 2015), a file system with guarantees about crash safety that have been verified in Coq, and DFSCQ (Chen et al, 2017), an efficient crashsafe file system with several verified optimizations. Using the Cogent Why Proof Engineering Matters language and its certifying compiler (Section 3.1.1), Amani et al (2016) developed a file system called BilbyFS in Isabelle/HOL with executable code in C; they also implemented and verified the legacy Linux file system ext2.…”

Section: Proof Engineering For Program Verificationmentioning

confidence: 99%

QED at Large: A Survey of Engineering of Formally Verified Software

Ringer

Palmskog

Sergey

et al. 2019

FNT in Programming Languages

View full text Add to dashboard Cite

Development of formal proofs of correctness of programs can increase actual and perceived reliability and facilitate better understanding of program specifications and their underlying assumptions. Tools supporting such development have been available for over 40 years, but have only recently seen wide practical use. Projects based on construction of machine-checked formal proofs are now reaching an unprecedented scale, comparable to large software projects, which leads to new challenges in proof development and maintenance. Despite its increasing importance, the field of proof engineering is seldom considered in its own right; related theories, techniques, and tools span many fields and venues. This survey of the literature presents a holistic understanding of proof engineering for program correctness, covering impact in practice, foundations, proof automation, proof organization, and practical proof development.

show abstract

Section: Proof Engineering For Program Verificationmentioning

confidence: 99%

QED at Large: A Survey of Engineering of Formally Verified Software

Ringer

Palmskog

Sergey

et al. 2019

FNT in Programming Languages

View full text Add to dashboard Cite

show abstract

“…There are several existing systems that support reasoning about crashes and recovery, particularly in the context of file-system verification [7,8,11,26,28]. Most have no support for layered recovery, since they consider only a single recovery procedure at a time.…”

Section: Multiple Unreliable Disksmentioning

confidence: 99%

“…To prove recovery refinement within a single layer, Argosy supports a variant of Crash Hoare Logic (CHL), the logic used in the FSCQ verified file system [7,8]. Argosy generalizes FSCQ's CHL by supporting non-deterministic crash behavior, whereas FSCQ modeled only persistent state and assumed it was unaffected by a crash.…”

Section: Multiple Unreliable Disksmentioning

confidence: 99%

“…These examples are intended to illustrate how CHL enables recovery reasoning within Argosy for individual refinements. The logging design we use is comparable to the log used in the original FSCQ paper [8] and in Yggdrasil [28], although it is simplified compared to the followup system DFSCQ [7] or the journaling in Linux's ext4 file system. We believe both implementations demonstrate the main issues that arise in crash and recovery reasoning and that Argosy could be used to verify designs that give better performance with more engineering work.…”

Section: Examplesmentioning

confidence: 99%

See 1 more Smart Citation

Argosy: verifying layered storage systems with recovery refinement

Chajed

Tassarotti

Kaashoek

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

Storage systems make persistence guarantees even if the system crashes at any time, which they achieve using recovery procedures that run after a crash. We present Argosy, a framework for machine-checked proofs of storage systems that supports layered recovery implementations with modular proofs. Reasoning about layered recovery procedures is especially challenging because the system can crash in the middle of a more abstract layer's recovery procedure and must start over with the lowest-level recovery procedure.This paper introduces recovery refinement, a set of conditions that ensure proper implementation of an interface with a recovery procedure. Argosy includes a proof that recovery refinements compose, using Kleene algebra for concise definitions and metatheory. We implemented Crash Hoare Logic, the program logic used by FSCQ [8], to prove recovery refinement, and demonstrated the whole system by verifying an example of layered recovery featuring a write-ahead log running on top of a disk replication system. The metatheory of the framework, the soundness of the program logic, and these examples are all verified in the Coq proof assistant.

show abstract

“…Thus, given a set of constraints, Ace generates an exhaustive set of workloads, each of which is tested with CrashMonkey on the target file system. B 3 offers a new point in the spectrum of techniques addressing file-system crash consistency, alongside verified file systems [12,13,82] and model checking [94,95]. Unlike these approaches, B 3 targets widely deployed file systems written in low-level languages, and does not require annotating or modifying file-system code.…”

mentioning

confidence: 99%

CrashMonkey and ACE

et al. 2019

View full text Add to dashboard Cite

We present CrashMonkey and Ace, a set of tools to systematically find crash-consistency bugs in Linux file systems. CrashMonkey is a record-and-replay framework which tests a given workload on the target file system by simulating power-loss crashes while the workload is being executed, and checking if the file system recovers to a correct state after each crash. Ace automatically generates all the workloads to be run on the target file system. We build CrashMonkey and Ace based on a new approach to test file-system crash consistency: bounded black-box crash testing (B 3). B 3 tests the file system in a black-box manner using workloads of file-system operations. Since the space of possible workloads is infinite, B 3 bounds this space based on parameters such as the number of file-system operations or which operations to include, and exhaustively generates workloads within this bounded space. B 3 builds upon insights derived from our study of crashconsistency bugs reported in Linux file systems in the last 5 years. We observed that most reported bugs can be reproduced using small workloads of three or fewer file-system operations on a newly created file system, and that all reported bugs result from crashes after fsync()-related system calls. CrashMonkey and Ace are able to find 24 out of the 26 crash-consistency bugs reported in the last 5 years. Our tools also revealed 10 new crash-consistency bugs in widely used, mature Linux file systems, 7 of which existed in the kernel since 2014. Additionally, our tools found a crash-consistency bug in a verified file system, FSCQ. The new bugs result in severe consequences like broken rename atomicity, loss of persisted files and directories, and data loss.

show abstract

Verifying a high-performance crash-safe file system using a tree specification

Cited by 45 publications

References 28 publications

QED at Large: A Survey of Engineering of Formally Verified Software

QED at Large: A Survey of Engineering of Formally Verified Software

Argosy: verifying layered storage systems with recovery refinement

CrashMonkey and ACE

Contact Info

Product

Resources

About