This paper presents formal proof obligations for data refinement in the presence of unexpected crashes, in particular those caused by a power failure. The work is part of our effort to construct a verified file system for flash memory. We apply the theory to one component of the flash file system, the erase block management layer, and show its functional correctness with respect to a high-level specification. We prove that the system can always recover from power loss to a desired state. We also observe two simplifications that greatly reduce the proof effort for crashes in practice. All proofs are mechanized in the theorem prover KIV.
A Verified POSIX-Compliant Flash File System - Modular Verification Technology & Crash Tolerance
(2017)
In the Flashix project, a file system for flash memory has been developed. It is proven functionally correct and tolerates system crashes, such as abrupt power cuts, at any point in time during its execution. The development approach is based on incremental and modular refinement. This dissertation reports on the verification approach, the practical development, and the results.
The first contribution is a refinement theory with strong compositionality guarantees built in. It is based on the observations that can be made at the sequential interface of subcomponents with encapsulated state. To be able to study the effect of power cuts, which may hit the system in any intermediate state of its execution, the foundation is a fine-grained, trace-based semantics that exposes such intermediate steps. Subcomponents are integrated with their context via operation calls with explicit input and output parameters. At such calls, the steps of the program defining the operation are collapsed into an atomic view, which provides the lever for a substitution theorem for submachine refinement.
The second contribution is an extension of the theory that permits specifying and verifying the effect of system crashes and the subsequent recovery. This extension is fully compatible with the incremental and modular approach used for the functional verification. Furthermore, two different views of the atomicity of operations are considered: a white-box semantics, which is adequate for implementation-level components and exposes the intermediate states a crash can leave behind, and a black-box semantics, which is adequate for specification-level components and treats an operation as either completed or not executed at all. Several proof methods for compositional refinement in the presence of crashes are derived. A reduction theorem permits gradually switching to the much simpler black-box view.
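The following model, written for this page and not taken from the Flashix project or its KIV proofs, makes the white-box versus black-box distinction of the preceding paragraph and the crash-recovery obligation of the first abstract concrete. A logical write is atomic in the black-box (specification) view, so after a power cut and recovery the abstract state must be either the pre-state or the post-state. In the white-box (implementation) view the same write is a sequence of flash steps, and a crash may hit after any of them. The checker enumerates every crash point, runs recovery on the surviving flash contents, abstracts the result and checks that it refines one of the two permitted abstract states. The block layout (data plus a header carrying a sequence number and checksum), the out-of-place and in-place write variants, and the sample flash contents are assumptions chosen for illustration.

```python
"""Crash-refinement check for a toy erase-block layer (added illustration,
not code from the Flashix project).  The block layout and both write
variants are assumptions made for this example."""
from copy import deepcopy
import zlib

ERASED = None  # an erased block; real flash reads as all-ones (assumed)


def csum(logical, seq, data):
    """Header checksum covering the data it commits (assumed layout)."""
    return zlib.crc32(f"{logical}|{seq}|{data}".encode())


def recover(blocks):
    """Recovery doubles as the abstraction function: rebuild logical->data
    from committed headers, keeping the highest sequence number per logical
    block.  Headers whose checksum does not match their data (torn or
    unfinished writes) are ignored."""
    view, best = {}, {}
    for b in blocks:
        if b is ERASED or b["hdr"] is None:
            continue
        h = b["hdr"]
        if h["csum"] != csum(h["logical"], h["seq"], b["data"]):
            continue
        if h["seq"] > best.get(h["logical"], -1):
            best[h["logical"]], view[h["logical"]] = h["seq"], b["data"]
    return view


def write_out_of_place(blocks, logical, data, seq):
    """Safe variant: write into an erased block and commit with the header
    last.  Each `yield` is a point where the checker injects a power cut."""
    pb = blocks.index(ERASED)
    blocks[pb] = {"data": ERASED, "hdr": None}
    yield "allocate"
    blocks[pb]["data"] = data
    yield "write data"
    blocks[pb]["hdr"] = {"logical": logical, "seq": seq,
                         "csum": csum(logical, seq, data)}
    yield "commit header"


def write_in_place(blocks, logical, data, seq):
    """Unsafe variant: erase the block currently holding `logical`, then
    rewrite it.  Between the erase and the commit the old value is gone."""
    pb = next(i for i, b in enumerate(blocks)
              if b is not ERASED and b["hdr"] and b["hdr"]["logical"] == logical)
    blocks[pb] = ERASED
    yield "erase old"
    blocks[pb] = {"data": data, "hdr": None}
    yield "write data"
    blocks[pb]["hdr"] = {"logical": logical, "seq": seq,
                         "csum": csum(logical, seq, data)}
    yield "commit header"


def check_crash_refinement(impl, blocks0, logical, data, seq):
    """Map each crash point to whether the recovered state is pre or post."""
    pre = recover(blocks0)
    post = {**pre, logical: data}          # abstract (black-box) effect
    verdict = {}
    blocks = deepcopy(blocks0)
    for step in impl(blocks, logical, data, seq):
        got = recover(deepcopy(blocks))     # power cut right after `step`
        verdict[step] = got in (pre, post)
    assert recover(blocks) == post          # no crash: functional correctness
    # Power cut during the commit itself: the header is only partially
    # written, modelled by corrupting its checksum.
    torn = deepcopy(blocks)
    newest = max((b for b in torn if b is not ERASED and b["hdr"]),
                 key=lambda b: b["hdr"]["seq"])
    newest["hdr"]["csum"] ^= 1
    verdict["torn commit"] = recover(torn) in (pre, post)
    return verdict


def initial_flash():
    """Constructed sample: 4 blocks, logical block 0 holds "v1" at seq 1."""
    blocks = [ERASED] * 4
    blocks[0] = {"data": "v1", "hdr": {"logical": 0, "seq": 1,
                                       "csum": csum(0, 1, "v1")}}
    return blocks


if __name__ == "__main__":
    for impl in (write_out_of_place, write_in_place):
        print(impl.__name__,
              check_crash_refinement(impl, initial_flash(), 0, "v2", 2))
```

The out-of-place variant passes at every crash point because the old block stays valid until the new header is committed, and a torn header is rejected by its checksum; the in-place variant fails after the erase and after the data write, since recovery then finds no valid copy of the logical block at all, a state that is neither the pre- nor the post-state. Enumerating crash points in this way is what a white-box proof obligation has to cover; the black-box reduction of the paragraph above is what lets a client of this layer reason only about "before or after".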
The third contribution consists of formal models of concepts for flash file systems that capture the implementation challenges at a high degree of abstraction while avoiding unrealistic conceptual simplifications. Specifically, a formal model of the POSIX standard for file systems is presented. Exploiting the modular theory for refinement under crashes, a verified implementation is described that separates generic aspects from the flash-specific details. The models in the refinement hierarchy form a coherent working system, from which code is generated that runs on real flash hardware.