Inside a Verified Flash File System: Transactions and Garbage Collection

  • Gidon Ernst
  • Jörg Pfähler
  • Gerhard Schellhorn
  • Wolfgang Reif
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9593)


The work presented here addresses a long-standing conceptual gap in flash file system verification: We map an abstract graph-based representation down to the flat blocks of bytes of the storage medium. Specifically, we consider grouping of file system objects into atomic transactions together with layout, allocation and garbage collection of on-flash storage space. Two major concerns guide the design and verification: proper handling of errors and, more importantly, guaranteed recovery from unexpected power cuts. Finding useful specifications of intermediate interfaces to address these concerns realistically dominates the verification effort.


Keywords: flash file systems, formal verification, specification, transactions, garbage collection, write buffer, KIV



We thank the anonymous reviewers for their detailed and helpful comments.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Gidon Ernst (1)
  • Jörg Pfähler (1)
  • Gerhard Schellhorn (1)
  • Wolfgang Reif (1)
  1. Institute for Software and Systems Engineering, University of Augsburg, Augsburg, Germany
