formal modeling and analysis of a flash filesystem in alloy eunsuk kang tds seminar, mar. 14, 2008
TRANSCRIPT
![Page 1: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/1.jpg)
Formal Modeling and Analysis of a Flash Filesystem in Alloy
Eunsuk KangTDS Seminar, Mar. 14, 2008
![Page 2: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/2.jpg)
What is flash memory?
Non-volatile, high-performance storage
Applications: MP3 players, laptop drives, digital cameras, etc.
![Page 3: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/3.jpg)
NASA Mars Exploration Rover Spirit
On-board flash memory to store scientific data
![Page 4: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/4.jpg)
Flash anomaly on Spirit
System failure18 days after landing (2004)
Loss of communication with Earth, stuck in “reboot” loop
Cause: Flaw in the flash filesystemCost: 10 days of lost scientific
activity
![Page 5: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/5.jpg)
Testing for unanticipated?
Out of free space, but still attempted to service file operations
“There was a belief among the FSW development team that the system would not exhibit the behavior that is the root cause of the anomaly…” [Reeves, 2004]
Testing is essential, but is it enough?
![Page 6: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/6.jpg)
Answer: Formal methods?
Allows exhaustive analysisBUT: Verifying a poorly designed
piece of code in an after-the-fact, ad hoc manner is impractical
Apply formal methods early, get the design right
![Page 7: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/7.jpg)
Grand Challenge in VerificationLong term
“Build a verifying compiler” – Tony HoareShort term
“Build a verified flash filesystem” – Joshi & Holzmann (Jet Propulsion Laboratory)
In this talk“Build a verified design for a flash
filesystem”
![Page 8: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/8.jpg)
Outline
![Page 9: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/9.jpg)
What is POSIX?
IEEE standard for filesystem operations Adopted by UNIX, Mac OS X, etc. Reference model for the flash filesystem Function signatures & behaviors
e.g. write(fildes, *buf, nbyte, offset)“The write() function shall attempt to write
nbyte bytes from the buffer pointed to by buf to the file associated with the open file descriptor, fildes.”
![Page 10: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/10.jpg)
POSIX filesystem in Alloy
AlloyFirst-order relational logic + transitive closure
sig Data {} // data elementsig FID {} // file identifier
sig File {contents : seq Data
}
sig AbsFsys { // abstract filesystemfileMap : FID -> lone File // “lone” means one or zero
}
![Page 11: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/11.jpg)
Abstract read operation
// simulationrun { some fsys : AbsFsys,
fid : FID, output : seq Data | output = readAbs[fsys, fid,
1, 3]} for 3
fun readAbs [fsys: AbsFsys, fid: FID, offset, size: Int] : seq Data {
let file = fsys.fileMap[fid] | (file.contents).subseq[offset, offset + size – 1]}
![Page 12: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/12.jpg)
Abstract write operation
// promotionpred writePromote[fsys, fsys’ : AbsFsys, file, file’ : File, fid : FID] { fsys’.fileMap = fsys.fileMap ++ (fid -> file’) }
pred writeAbs[fsys, fsys’ : AbsFsys, fid : FID, buffer : seq Data, offset, size : Int] {
let file = fsys.fileMap[fid], file’ = fsys’.fileMap[fid], buffer’ = buffer.subseq[0, size – 1] { (#buffer’ = 0) => file’ = file // case 1 (#buffer’ != 0) => // case 2 & 3
file’.contents = (zeros[offset] ++ file.contents) ++ shift[buffer’, offset]
writePromote[fsys, fsys’, file, file’, fid] } } }
![Page 13: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/13.jpg)
pred writeAbs[fsys, fsys’ : AbsFsys, fid : FID, buffer : seq Data, offset, size : Int] {
let file = fsys.fileMap[fid], file’ = fsys’.fileMap[fid], buffer’ = buffer.subseq[0, size – 1] { (#buffer’ = 0) => file’ = file // case 1 (#buffer’ != 0) => // case 2 & 3
file’.contents = (zeros[offset] ++ file.contents) ++ shift[buffer’, offset]
writePromote[fsys, fsys’, file, file’, fid] } } }
Alloy is pure logic
// promotionpred writePromote[fsys, fsys’ : AbsFsys, file, file’ : File, fid : FID] { fsys’.fileMap = fsys.fileMap ++ (fid -> file’) }
No built-in syntax/semantics for state machines Transition as an explicit constraint between two
states
![Page 14: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/14.jpg)
pred writeAbs[fsys, fsys’ : AbsFsys, fid : FID, buffer : seq Data, offset, size : Int] {
let file = fsys.fileMap[fid], file’ = fsys’.fileMap[fid], buffer’ = buffer.subseq[0, size – 1] { (#buffer’ = 0) => file’ = file // case 1 (#buffer’ != 0) => // case 2 & 3
file’.contents = (zeros[offset] ++ file.contents) ++ shift[buffer’, offset]
writePromote[fsys, fsys’, file, file’, fid] } } }
Abstract write operation: Case 1
// promotionpred writePromote[fsys, fsys’ : AbsFsys, file, file’ : File, fid : FID] { fsys’.fileMap = fsys.fileMap ++ (fid -> file’) }
Input buffer is empty; no changes to the file
![Page 15: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/15.jpg)
pred writeAbs[fsys, fsys’ : AbsFsys, fid : FID, buffer : seq Data, offset, size : Int] {
let file = fsys.fileMap[fid], file’ = fsys’.fileMap[fid], buffer’ = buffer.subseq[0, size – 1] { (#buffer’ = 0) => file’ = file // case 1 (#buffer’ != 0) => // case 2 & 3
file’.contents = (zeros[offset] ++ file.contents) ++ shift[buffer’, offset]
writePromote[fsys, fsys’, file, file’, fid] } } }
Abstract write operation: Case 2
// promotionpred writePromote[fsys, fsys’ : AbsFsys, file, file’ : File, fid : FID] { fsys’.fileMap = fsys.fileMap ++ (fid -> file’) }
Offset is within the file Shift buffer by offset & override existing
data
![Page 16: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/16.jpg)
pred writeAbs[fsys, fsys’ : AbsFsys, fid : FID, buffer : seq Data, offset, size : Int] {
let file = fsys.fileMap[fid], file’ = fsys’.fileMap[fid], buffer’ = buffer.subseq[0, size – 1] { (#buffer’ = 0) => file’ = file // case 1 (#buffer’ != 0) => // case 2 & 3
file’.contents = (zeros[offset] ++ file.contents) ++ shift[buffer’, offset]
writePromote[fsys, fsys’, file, file’, fid] } } }
Abstract write operation: Case 3
// promotionpred writePromote[fsys, fsys’ : AbsFsys, file, file’ : File, fid : FID] { fsys’.fileMap = fsys.fileMap ++ (fid -> file’) }
Offset is after the end of the file Fill in the gap with zeros
![Page 17: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/17.jpg)
pred writeAbs[fsys, fsys’ : AbsFsys, fid : FID, buffer : seq Data, offset, size : Int] {
let file = fsys.fileMap[fid], file’ = fsys’.fileMap[fid], buffer’ = buffer.subseq[0, size – 1] { (#buffer’ = 0) => file’ = file // case 1 (#buffer’ != 0) => // case 2 & 3
file’.contents = (zeros[offset] ++ file.contents) ++ shift[buffer’, offset]
writePromote[fsys, fsys’, file, file’, fid] } } }
Promotion
// promotionpred writePromote[fsys, fsys’ : AbsFsys, file, file’ : File, fid : FID] { fsys’.fileMap = fsys.fileMap ++ (fid -> file’) }
A style of modeling changes in system state Ensure all other files remain unchanged
![Page 18: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/18.jpg)
Outline
![Page 19: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/19.jpg)
What makes flash special?
Two types: NOR and NANDProgram (i.e. write) at the page
level, erase at the block levelMust erase before programmingBlock can be erased only a limited
number of times (need wear-leveling)
![Page 20: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/20.jpg)
Modeling memory hierarchy
sig Page { data : seq Data } { #data = PAGE_SIZE }
sig Block { pages : seq Page } { #pages = BLOCK_SIZE }
sig LUN { blocks : seq Block } { #blocks = LUN_SIZE }
sig Device { LUNs : seq LUN …} { #LUNs = DEVICE_SIZE }// simulation with
constraintsrun { some Device DEVICE_SIZE = 1 LUN_SIZE = 2 BLOCK_SIZE = 2 PAGE_SIZE = 4} for 4
![Page 21: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/21.jpg)
Addressing mode
Row & column addresses:sig RowAddr { // used to access a
page lunIndex : Int blockIndex : Int pageIndex : Int}
A column address is an Int, andidentifies a data element in a
pageExample:rowAddr.lunIndex = 0rowAddr.blockIndex
= 1rowAddr. pageIndex
= 1columnAddr = 1
![Page 22: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/22.jpg)
Page status & data structures Each page is associated with its current status
abstract sig PageStatus {}one sig Free,
Allocated, Valid, Invalid extends PageStatus {}
Auxiliary data structures*
sig Device { LUNs : seq LUN, pageStatusMap : RowAddr -> one PageStatus, eraseCountMap : RowAddr -> one Int, // wear-
leveling reserveBlock : RowAddr // garbage
collection} { #LUNs = DEVICE_SIZE } (*
disclaimers)
![Page 23: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/23.jpg)
Flash API functions// reads data from page, starting at “colAddr”fun read[d : Device, colAddr : Int, rowAddr : RowAddr] : seq
Data { … }
// program data into page & set page status to “Allocated”pred program[d, d’ : Device, colAddr : Int, rowAddr :
RowAddr, data : seq Data] { … }
// erase data in block & increase its erase count, and set status of every page in block to “Free”
pred erase[d, d’ : Device, rowAddr : RowAddr] { … }
![Page 24: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/24.jpg)
Outline
![Page 25: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/25.jpg)
Abstract vs. concrete filesystem
![Page 26: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/26.jpg)
Concrete filesystem in Alloysig Inode { blockList : seq VBlock }sig VBlock {} // virtual block
sig ConcFsys { inodeMap : FID -> lone Inode blockMap : VBlock one -> one RowAddr}
![Page 27: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/27.jpg)
Concrete read operation (snippet)pred readConc[fsys : ConcFsys, d : Device,
fid : FID, offset, size : Int, buffer : seq Data] { … all i : blocksToRead.inds { let vblock = blocksToRead[i], rowAddr = fsys.blockMap[vblock],
from = PAGE_SIZE*i, to = from + PAGE_SIZE – 1 | buffer.subseq[from, to] = read[d, 0, rowAddr] }
} …}
![Page 28: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/28.jpg)
State of a flash filesystem
pred readConc[fsys : ConcFsys, d : Device, fid : FID, offset, size : Int, buffer : seq Data] {
… all i : blocksToRead.inds { let vblock = blocksToRead[i], rowAddr = fsys.blockMap[vblock],
from = PAGE_SIZE*i, to = from + PAGE_SIZE – 1 | buffer.subseq[from, to] = read[d, 0, rowAddr] }
}}
State is represented by a pair (ConcFsys, Device)
![Page 29: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/29.jpg)
Read operation animated
Initially, buffer is empty
![Page 30: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/30.jpg)
Read operation animated
![Page 31: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/31.jpg)
Read operation animated
![Page 32: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/32.jpg)
Read operation animated
Three calls to flash read in total
![Page 33: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/33.jpg)
Concrete read operation: Step 1
pred readConc[fsys : ConcFsys, d : Device, fid : FID, offset, size : Int, buffer : seq Data] {
… all i : blocksToRead.inds { let vblock = blocksToRead[i], rowAddr = fsys.blockMap[vblock],
from = PAGE_SIZE*i, to = from + PAGE_SIZE – 1 | buffer.subseq[from, to] = read[d, 0, rowAddr] }
}}
Extract blocks to read from inode using offset & size
![Page 34: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/34.jpg)
Concrete read operation: Step 2
pred readConc[fsys : ConcFsys, d : Device, fid : FID, offset, size : Int, buffer : seq Data] {
… all i : blocksToRead.inds { let vblock = blocksToRead[i], rowAddr = fsys.blockMap[vblock],
from = PAGE_SIZE*i, to = from + PAGE_SIZE – 1 | buffer.subseq[from, to] = read[d, 0, rowAddr] }
}}
Consider each index i in blocksToRead
![Page 35: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/35.jpg)
Concrete read operation: Step 3
pred readConc[fsys : ConcFsys, d : Device, fid : FID, offset, size : Int, buffer : seq Data] {
… all i : blocksToRead.inds { let vblock = blocksToRead[i], rowAddr = fsys.blockMap[vblock],
from = PAGE_SIZE*i, to = from + PAGE_SIZE – 1 | buffer.subseq[from, to] = read[d, 0, rowAddr] }
}}
Retrieve the address of page for ith virtual block
![Page 36: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/36.jpg)
Concrete read operation: Step 4
pred readConc[fsys : ConcFsys, d : Device, fid : FID, offset, size : Int, buffer : seq Data] {
… all i : blocksToRead.inds { let vblock = blocksToRead[i], rowAddr = fsys.blockMap[vblock],
from = PAGE_SIZE*i, to = from + PAGE_SIZE – 1 | buffer.subseq[from, to] = read[d, 0, rowAddr] }
}}
Calculate indices for current buffer slot
![Page 37: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/37.jpg)
Concrete read operation: Step 5
pred readConc[fsys : ConcFsys, d : Device, fid : FID, offset, size : Int, buffer : seq Data] {
… all i : blocksToRead.inds { let vblock = blocksToRead[i], rowAddr = fsys.blockMap[vblock],
from = PAGE_SIZE*i, to = from + PAGE_SIZE – 1 | buffer.subseq[from, to] = read[d, 0, rowAddr] }
}}
Execute the flash API function, read
![Page 38: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/38.jpg)
Wear-leveling
![Page 39: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/39.jpg)
Wear-leveling example
Client sends a write request to overwrite data in VBlk1 with 0110
Simple approach: Erase Block2 & program Page5
![Page 40: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/40.jpg)
Non-wear-leveling approach: Step 1
Client sends a write request to overwrite data in VBlk1 with 0110
Step 1: Erase Block2
![Page 41: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/41.jpg)
Non-wear-leveling approach: Step 2
Client sends a write request to overwrite data in VBlk1 with 0110
Step 2: Program 0110 into Page5 - Done.
![Page 42: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/42.jpg)
Why wear-level?
What’s wrong with a simple approach?
1. Frequent requests on VBlk1: Block2 wears out quickly
2. H/W failure: Original data in Page5 is lost
![Page 43: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/43.jpg)
Wear-leveling approach
Client sends a write request to overwrite data in VBlk1 with 0110
Wear-leveling approach: Search for a free page & program
![Page 44: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/44.jpg)
Wear-leveling approach: Step 1
Client sends a write request to overwrite data in VBlk1 with 0110
Step 1: Program 0110 into a free page, Page3
![Page 45: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/45.jpg)
Wear-leveling approach: Step 2
Client sends a write request to overwrite data in VBlk1 with 0110
Step 2: Invalidate Page5 & validate Page3
![Page 46: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/46.jpg)
Wear-leveling approach: Step 3
Client sends a write request to overwrite data in VBlk1 with 0110
Step 3: Update blockMap
![Page 47: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/47.jpg)
Erase unit reclamation (garbage collection)
![Page 48: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/48.jpg)
Erase-unit reclamation example
Client sends a write request to append 0101 at the end of the inode
Problem: Flash is out of free pages (besides reserved ones)
![Page 49: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/49.jpg)
Erase-unit reclamation: Step 1
Client sends a write request to append 0101 at the end of the inode
Step 1: Pick a dirty block with the least erase count
![Page 50: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/50.jpg)
Erase-unit reclamation: Step 2
Client sends a write request to append 0101 at the end of the inode
Step 2: Relocate valid data to reserveBlock
![Page 51: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/51.jpg)
Erase-unit reclamation: Step 3
Client sends a write request to append 0101 at the end of the inode
Step 3: Invalidate/validate pages & update blockMap
![Page 52: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/52.jpg)
Erase-unit reclamation: Step 4
Client sends a write request to append 0101 at the end of the inode
Step 4: Erase Block2 & set it as the new reserveBlock
![Page 53: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/53.jpg)
Erase-unit reclamation complete
Client sends a write request to append 0101 at the end of the inode
Complete: Page0 in Block0 is now free and available for use
![Page 54: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/54.jpg)
Concrete write operation
![Page 55: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/55.jpg)
Concrete write operation
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset, size :
Int] { … }
Transition between two pairs (fsys, d) and (fsys’, d’)
Flash API program is a single-step transition between two device states
PAGE_SIZE = 4
![Page 56: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/56.jpg)
Write operation: Phase 1 Partition input buffer into N fragments & program
them1. Introduce an intermediate device, interDev2. Create a sequence of states between d and
interDev using seq Device
pred stateSeqConds[init, final : Device, stateSeq : seq Device, length : Int] {stateSeq.first = init
stateSeq.last = final #stateSeq = length + 1}
3. Constrain the sequence
4. Program fragments one by one
![Page 57: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/57.jpg)
Write operation: Phase 1.1
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset, size : Int]
{ … some stateSeq : seq Device, interDev : Device { stateSeqConds[d, interDev, stateSeq,
numBlocksToProgram] all i : stateSeq.butlast.inds {
let from = PAGE_SIZE * i, to = from + PAGE_SIZE – 1, dataFragment = buffer.subseq[from, to], vblock = inode.blockList[startBlkIndex + i], rowAddr = fsys.blockMap[vblock], preState = stateSeq[i], postState = stateSeq[i + 1] | programPage[preState, postState, rowAddr,
dataFragment] } …
Introduce & constrain intermediate device states
![Page 58: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/58.jpg)
Write operation: Phase 1.2
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset, size : Int]
{ … some stateSeq : seq Device, interDev : Device { stateSeqConds[d, interDev, stateSeq,
numBlocksToProgram] all i : stateSeq.butlast.inds {
let from = PAGE_SIZE * i, to = from + PAGE_SIZE – 1, dataFragment = buffer.subseq[from, to], vblock = inode.blockList[startBlkIndex + i], rowAddr = fsys.blockMap[vblock], preState = stateSeq[i], postState = stateSeq[i + 1] | programPage[preState, postState, rowAddr,
dataFragment] } …
For each sequence index i, extract a data fragment from buffer
![Page 59: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/59.jpg)
Write operation: Phase 1.3
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset, size : Int]
{ … some stateSeq : seq Device, interDev : Device { stateSeqConds[d, interDev, stateSeq,
numBlocksToProgram] all i : stateSeq.butlast.inds {
let from = PAGE_SIZE * i, to = from + PAGE_SIZE – 1, dataFragment = buffer.subseq[from, to], vblock = inode.blockList[startBlkIndex + i], rowAddr = fsys.blockMap[vblock], preState = stateSeq[i], postState = stateSeq[i + 1] | programPage[preState, postState, rowAddr
dataFragment] } …
Retrieve the address of page for ith virtual block (could be empty)
![Page 60: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/60.jpg)
Write operation: Phase 1.4
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset, size : Int]
{ … some stateSeq : seq Device, interDev : Device { stateSeqConds[d, interDev, stateSeq,
numBlocksToProgram] all i : stateSeq.butlast.inds {
let from = PAGE_SIZE * i, to = from + PAGE_SIZE – 1, dataFragment = buffer.subseq[from, to], vblock = inode.blockList[startBlkIndex + i], rowAddr = fsys.blockMap[vblock], preState = stateSeq[i], postState = stateSeq[i + 1] | programPage[preState, postState, rowAddr,
dataFragment] } …
Retrieve the current pair of pre- and post- states
![Page 61: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/61.jpg)
Write operation: Phase 1.5
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset, size : Int]
{ … some stateSeq : seq Device, interDev : Device { stateSeqConds[d, interDev, stateSeq,
numBlocksToProgram] all i : stateSeq.butlast.inds {
let from = PAGE_SIZE * i, to = from + PAGE_SIZE – 1, dataFragment = buffer.subseq[from, to], vblock = inode.blockList[startBlkIndex + i], rowAddr = fsys.blockMap[vblock], preState = stateSeq[i], postState = stateSeq[i + 1] | programPage[preState, postState, rowAddr,
dataFragment] } …
Program data fragment into page at rowAddr
![Page 62: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/62.jpg)
Write operation: Phase 2 Invalidate obsolete pages & validate all
allocated pages by updating interDev.pageStatusMap
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset,
size : Int] { … some stateSeq : seq Device, interDev : Device { … updatePageStatus[interDev, d’] updateFilesystemInfo[fsys, fsys’] } …}
![Page 63: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/63.jpg)
Write operation: Phase 3 Update filesystem information (blockMap &
inode.blockList)
pred writeConc[fsys, fsys’ : ConcFsys, d, d’ : Device, fid : FID, buffer : seq Data, offset,
size : Int] { … some stateSeq : seq Device, interDev : Device { … updatePageStatus[interDev, d’]
updateFilesystemInfo[fsys, fsys’] } …}
![Page 64: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/64.jpg)
Fault Tolerance
![Page 65: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/65.jpg)
Fault Tolerance
What happens when H/W loses power in the middle of a write operation?:
On recovery, the filesystem must be in a state as if:1. the operation has never begun, or2. the operation has successfully completed
Power loss may occur either in Phase 1 or Phase 2
![Page 66: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/66.jpg)
Phase 1 crash
At the time of failure, one or more pages programmed & status set to Allocated.
Recovery: Invalidate every allocated page
![Page 67: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/67.jpg)
Recovery from Phase 1 crash
After recovery, the filesystem is in the original state (but has extra invalid pages)
![Page 68: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/68.jpg)
Phase 2 crash
At the time of failure:1. some/all obsolete pages have been invalidated2. all obsolete pages have been invalidated, and
some allocated pages have been validatedRecovery: Complete the rest of Phase 2 & Phase 3
![Page 69: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/69.jpg)
Recovery from Phase 2
After recovery, the inode contains the new data as expected by the caller of writeConc
![Page 70: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/70.jpg)
Outline
![Page 71: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/71.jpg)
Refinement: Trace inclusion
Does the concrete filesystem conform
to the abstract filesystem?
![Page 72: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/72.jpg)
Abstract function
pred alpha[asys : AbsFsys, csys : ConcFsys, d : Device] { all fid : FID | let file = asys.fileMap[fid], inode = csys.inodeMap[fid], vblocks = inode.blockList { #file.contents = #vblocks * PAGE_SIZE (all i : vblocks.inds | let vblock = vblocks[i], from = i * PAGE_SIZE, to = from + PAGE_SIZE – 1, absDataFrag = file.contents.subseq[from, to], concDataFrag = findPageData[vblock, csys, d] |
absDataFrag = concDataFrag) }}
![Page 73: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/73.jpg)
Write refinement
assert WriteRefinement { all csys, csys’ : ConcFsys, asys, asys’ : AbsFsys, d, d’ :
Device, fid : FID, buffer : seq Data, offset, size : Int | concInvariant[csys, d] and writeConc[csys, csys’, d, d’, fid, buffer, offset, size]
and alpha[asys, csys, d] and alpha[asys’, csys’, d’] => writeAbs[asys, asys’, fid, buffer, offset, size]}
![Page 74: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/74.jpg)
State invariant
assert WriteRefinement { all csys, csys’ : ConcFsys, asys, asys’ : AbsFsys, d, d’ :
Device, fid : FID, buffer : seq Data, offset, size : Int | concInvariant[csys, d] and writeConc[csys, csys’, d, d’, fid, buffer, offset, size]
and alpha[asys, csys, d] and alpha[asys’, csys’, d’] => writeAbs[asys, asys’, fid, buffer, offset, size]}
…all inode : FID.(csys.inodeMap) |all rowAddr : csys.blockMap[inode.blockList.elems] | d.pageStatusMap[rowAddr] = Valid…
e.g. All pages within an inode have a valid status
![Page 75: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/75.jpg)
Write refinement
assert WriteRefinement { all csys, csys’ : ConcFsys, asys, asys’ : AbsFsys, d, d’ :
Device, fid : FID, buffer : seq Data, offset, size : Int | concInvariant[csys, d] and writeConc[csys, csys’, d, d’, fid, buffer, offset, size]
and alpha[asys, csys, d] and alpha[asys’, csys’, d’] => writeAbs[asys, asys’, fid, buffer, offset, size]}
![Page 76: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/76.jpg)
Analysis resultsWriteRefinement: A scope of 5 for each domain 6 pages, each with 4 data elements Incremental modeling & analysis Found over 20 bugs over development Final version returned no counterexample,
approximately 8 hours to check
ReadRefinement: Final version returned no counterexample,
approximately 45 minutes to check
![Page 77: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/77.jpg)
Discussion & future work
![Page 78: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/78.jpg)
On analysis: Our filesystem is small, but still found bugs Many bugs occur in “boundary” cases,
involving a small number of components Scientific argument for confidence?
On the Alloy language: Explicitly modeling state transitions – need
better syntax/semantics?
Discussion
![Page 79: Formal Modeling and Analysis of a Flash Filesystem in Alloy Eunsuk Kang TDS Seminar, Mar. 14, 2008](https://reader033.vdocument.in/reader033/viewer/2022051820/5697bf731a28abf838c7f0d2/html5/thumbnails/79.jpg)
On filesystem: Extended functionality (directories, etc.) Revisiting assumptions about flash H/W A wider variety of fault tolerance
mechanisms Concurrency
On Alloy: Syntax/semantics for imperative
statements Scalability Proof
Future work