Using Alcoa to Specify a UNIX File System - PowerPoint PPT Presentation

1
Using Alcoa to Specify a UNIX File System
  • Specification of some structures and operations
    in a File System

2
Alcoa
  • Predicate logic to specify a system of objects.
    (quantifiers, subsets, relations)
  • Can only describe a two-state relationship.
    There is no sequential composition operator.

[Diagram: a relation between a current state and a next state (OK), versus a sequence time0, time1, time2 (NO)]
3
Alcoa
4
Alcoa Tool
  • Finds an instance which satisfies the
    specification.
  • Finds contradictions.
  • See an example of the specification.
  • Preservation of some logical statement through an
    operation.

5
[Diagram: current state, operation, next state. The invariant holds here (current state): a b c is true. Does the invariant hold here (next state)? Is a b c true?]
Alcoa will check this and give counterexamples if it is not true.
6
File System Basics
[Diagram: three directory entries pointing to two inodes]
7
File System Basics
[Diagram: three directory entries pointing to two inodes, labelled 2 and 1 (link counts)]
8
File System Basics
[Diagram: three directory entries pointing to two inodes (labelled 2 and 1), which point to data blocks]
9
Atomic Actions Ordering
  • Imagine the system crashing while making changes
    to the file system.
  • How should the atomic actions be ordered such
    that the file system can be recovered?

10
Atomic Actions Ordering
[Diagram: directory entry a pointing to an inode; operation: rename a b]
11
Atomic Actions Ordering
[Diagram: directory entry a and its inode during rename a b]
Lost inode if system crashes here.
12
Atomic Actions Ordering
[Diagram: directory entry a and its inode during rename a b]
13
Atomic Actions Ordering
[Diagram: directory entries a and b and the inode during rename a b]
14
Atomic Actions Ordering
[Diagram: directory entries a and b and the inode during rename a b]
15
Atomic Actions Ordering
  • From Metadata Update Performance in File
    Systems by G. Ganger, Y. Patt
  • Operations
    • Link removal
    • Link addition
    • Block allocation
    • Block de-allocation

16
Link Addition
  1. Link count in inode incremented.
  2. Pointer to inode added to the list of
     directory entries.

[Diagram: one DirEntry pointing to an Inode with Link Count 1]
17
Link Addition
  1. Link count in inode incremented.
  2. Pointer to inode added to the list of
     directory entries.

[Diagram: one DirEntry pointing to an Inode with Link Count 2 (after step 1)]
18
Link Addition
  1. Link count in inode incremented.
  2. Pointer to inode added to the list of
     directory entries.

[Diagram: two DirEntry records pointing to an Inode with Link Count 2 (after step 2)]
19
Link Deletion
  1. Directory Entry is removed first.
  2. Link Count is decremented.

[Diagram: two DirEntry records pointing to an Inode with Link Count 2 (before deletion)]
20
Link Deletion
  1. Directory Entry is removed first.
  2. Link Count is decremented.

[Diagram: one DirEntry pointing to an Inode with Link Count 2 (after step 1)]
21
Link Deletion
  1. Directory Entry is removed first.
  2. Link Count is decremented.

[Diagram: one DirEntry pointing to an Inode with Link Count 1 (after step 2)]
22
The Problem
  • Finding a preserved invariant was not easy.
  • "No lost inodes" (all allocated inodes are
    pointed to by a directory entry) is not an
    invariant.
  • Reverse engineering the invariant.
  • The tool helped determine which invariants are wrong.

23
Discovered Invariants
  • If an inode's link count is zero, there are no
    directory entries pointing to the inode.
  • At all times, an inode's link count is higher
    than the number of directory entries pointing to
    that inode.

24
Discovered Invariants
  • If an inode's link count is zero, there are no
    directory entries pointing to the inode.
  • Important when recovering after a crash, so that
    an inode is not accidentally deallocated.

25
Using the Invariants
  • Weakened the precondition of the operations to
    see if the invariants are preserved.
  • Some interesting configurations:
    • Link count much higher than the actual number of
      directory entries.
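
The orderings on slides 16 to 21 and the invariants on slides 22 to 25, as an added bounded check written for this page in Python. It is not Alcoa and not code from the presentation; all names in it (INODES, NAMES, make_state, check, trace, the inv_* predicates) are constructed here. It models a small scope of two inodes and two names, treats link count zero as "not allocated" (a modelling assumption), reads the second discovered invariant as "link count is at least the number of directory entries" (another assumption; the slide says "higher than", which a steady state with equal counts would fail), and runs each operation one atomic action at a time, checking the candidate invariants after every step in the manner of the current/next check on slide 5. The reversed orderings are included for comparison and are not from the slides.

```python
"""Bounded, Alcoa-style check of the link-addition and link-deletion orderings
and the candidate invariants from the slides. Constructed model for this page;
it is not Alcoa output and not code from the presentation."""
from itertools import product

INODES = ("i0", "i1")   # small scope, in the spirit of a bounded Alcoa search
NAMES = ("a", "b")
MAX_LINKS = 2

# A state is (links, dirents):
#   links   : sorted tuple of (inode, link_count); count 0 is read as "not
#             allocated" (modelling assumption made here, not from the slides)
#   dirents : frozenset of (name, inode) directory entries
def make_state(links, dirents):
    return (tuple(sorted(links.items())), frozenset(dirents))

def entries_to(state, ino):
    return sum(1 for _, i in state[1] if i == ino)

# --- candidate invariants (slides 22 and 23) ---------------------------------
def inv_no_lost_inodes(state):
    """Every allocated inode is pointed to by a directory entry."""
    return all(entries_to(state, ino) > 0 for ino, n in state[0] if n > 0)

def inv_zero_means_unreferenced(state):
    """Link count zero implies no directory entry points at the inode."""
    return all(entries_to(state, ino) == 0 for ino, n in state[0] if n == 0)

def inv_count_covers_entries(state):
    """Link count >= number of directory entries (the slide says 'higher than';
    >= is used here because the steady state has equality)."""
    return all(n >= entries_to(state, ino) for ino, n in state[0])

WELL_FORMED = (inv_zero_means_unreferenced, inv_count_covers_entries)

# --- atomic actions -----------------------------------------------------------
def incr_link(state, ino, name):
    links = dict(state[0]); links[ino] += 1
    return make_state(links, state[1])

def decr_link(state, ino, name):
    links = dict(state[0]); links[ino] -= 1
    return make_state(links, state[1])

def add_dirent(state, ino, name):
    return make_state(dict(state[0]), state[1] | {(name, ino)})

def del_dirent(state, ino, name):
    return make_state(dict(state[0]), state[1] - {(name, ino)})

# --- operations: (ordered atomic actions, precondition) ------------------------
def name_free(state, ino, name):
    return all(nm != name for nm, _ in state[1]) and dict(state[0])[ino] < MAX_LINKS

def entry_present(state, ino, name):
    return (name, ino) in state[1]

OPERATIONS = {
    "link_add":     ((incr_link, add_dirent), name_free),       # slide 16 order
    "link_del":     ((del_dirent, decr_link), entry_present),   # slide 19 order
    "link_add_bad": ((add_dirent, incr_link), name_free),       # reversed
    "link_del_bad": ((decr_link, del_dirent), entry_present),   # reversed
}

def all_states():
    """Every state in scope; each name is used by at most one entry."""
    for counts in product(range(MAX_LINKS + 1), repeat=len(INODES)):
        for targets in product((None,) + INODES, repeat=len(NAMES)):
            dirents = {(n, i) for n, i in zip(NAMES, targets) if i is not None}
            yield make_state(dict(zip(INODES, counts)), dirents)

def trace(op_name, pre, ino, name):
    """States after each atomic action of the operation, in order."""
    states, state = [], pre
    for step in OPERATIONS[op_name][0]:
        state = step(state, ino, name)
        states.append(state)
    return states

def check(op_name, invariant, precondition=None):
    """Hoare-style preservation check, Alcoa fashion: for every well-formed
    pre-state satisfying the invariant and the precondition, the invariant
    must hold after every atomic action. Returns the first counterexample
    (pre_state, step_number, bad_state) or None. Passing a weaker
    `precondition` reproduces the slide-25 experiment."""
    precondition = precondition or OPERATIONS[op_name][1]
    for pre in all_states():
        if not (invariant(pre) and all(w(pre) for w in WELL_FORMED)):
            continue
        for ino, name in product(INODES, NAMES):
            if precondition(pre, ino, name):
                for k, state in enumerate(trace(op_name, pre, ino, name), start=1):
                    if not invariant(state):
                        return (pre, k, state)
    return None

if __name__ == "__main__":
    for op in OPERATIONS:
        for inv in (inv_no_lost_inodes, *WELL_FORMED):
            ce = check(op, inv)
            verdict = "preserved" if ce is None else f"violated after step {ce[1]}: {ce[2]}"
            print(f"{op:13} {inv.__name__:27} {verdict}")
```

Running it shows that the slide orderings preserve both discovered invariants, that the reversed orderings violate them after the first atomic action (the state a crash would leave behind), and that "no lost inodes" fails between the two steps even for the correct orderings, which is the slide 22 result. Because the count-zero invariant holds in every intermediate state, recovery code that frees only inodes with link count zero never frees an inode a directory entry still references. The slide-25 experiment of weakening a precondition is `check("link_add", inv_count_covers_entries, lambda s, i, n: True)`, which still finds no counterexample in this scope.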

26
Other Issues
  • Relations in Alcoa can be
    • a function, surjective, partial/total, injective
  • Abstraction design decision
    • Choosing the relation type forces the specification
      writer to be careful and specific.

27
Other Issues
  • Alcoa does not have numbers.
    • Link Count was tricky to model.
  • Inverse relations.
    • Alcoa allows them, and they were used inadvertently.
  • Many invariants do not hold because of the
    intermediate stages.
    • Specifying an invariant is tricky.

28
Other Issues
  • Must clearly specify the precondition and
    postcondition of an operation.
    • Hoare Triple
  • Instance finding is useful for careless errors such
    as typos.
    • b in UsedB
    • b not in UsedB