RAFFS: Model Checking a Robust Abstract Flash File Store

  • Paul Taverne
  • C. (Kees) Pronk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5885)


This paper presents a case study in modeling and verifying a POSIX-like file store for Flash memory. This work fits in the context of Hoare’s verification challenge and, in particular, Joshi and Holzmann’s mini-challenge to build a verifiable file store. We have designed a simple robust file store and implemented it in the form of a Promela model. A test harness is used to exercise the file store in a number of ways. Model checking technology has been extensively used to verify the correctness of our implementation. A distinguishing feature of our approach is the (bounded) exhaustive verification of power loss recovery.


Model Check Power Loss Flash Memory Garbage Collection Reference Implementation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ABZ conference: case study details,
  2. 2.
    ABZ conference (October 2008),
  3. 3.
  4. 4.
    Arkoudas, K., Zee, K., Kuncak, V., Rinard, M.: On verifying a file system implementation. In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 373–390. Springer, Heidelberg (2004)Google Scholar
  5. 5.
    Bicarregui, J.C., Hoare, C.A.R., Woodcock, J.C.P.: The verified software repository: a step towards the verifying compiler. Formal Aspects of Computing 18(2), 143–151 (2006)zbMATHCrossRefGoogle Scholar
  6. 6.
    Butler, M.: Some filestore developments with Event-B and RODIN. In: Workshop at ICFEM (2007)Google Scholar
  7. 7.
    Butterfield, A., Woodcock, J.: Formalising flash memory: First steps. In: ICECCS, pp. 251–260 (2007)Google Scholar
  8. 8.
    Chang, Y.-H., Hsieh, J.-W., Kuo, T.-W.: Endurance enhancement of flash-memory storage systems: an efficient static wear leveling design. In: DAC 2007: Proceedings of the 44th annual conference on Design automation, pp. 212–217. ACM, New York (2007)CrossRefGoogle Scholar
  9. 9.
    Dijkstra, E.W.: Notes on structured programming. In: Dahl, O.J., Dijkstra, E.W., Hoare, C.A.R. (eds.) structured programming, Ch. 1, pp. 1–82. Academic Press, London (1972)Google Scholar
  10. 10.
    Ferreira, M.A., Silva, S.S., Oliveira, J.N.: Verifying Intel Flash file system core specification. In: Modelling and Analysis in VDM: Proceedings of the Fourth VDM/Overture Workshop. Newcastle University, CS-TR-1099 (May 2008)Google Scholar
  11. 11.
    Freitas, L., Fu, Z., Woodcock, J.: Posix file store in Z/Eves: an experiment in the verified software repository. In: ICECCS, pp. 3–14 (2007)Google Scholar
  12. 12.
    Freitas, L., Woodcock, J., Butterfield, A.: POSIX and the verification grand challenge: a roadmap. In: 13th Int’l Conference on Engineering Complex Computer Systems (ICECCS 2008). IEEE, Los Alamitos (2008)Google Scholar
  13. 13.
    Galloway, A., Lüttgen, G., Mühlberg, J.T., Siminiceanu, R.I.: Model-checking the Linux virtual file system. In: Jones, N.D., Müller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 74–88. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
  15. 15.
    Groce, A., Holzmann, G., Joshi, R.: Randomized differential testing as a prelude to formal verification. In: ICSE 2007: Proceedings of the 29th Int’l conference on Software Engineering, pp. 621–631. IEEE Computer Society, Los Alamitos (2007)Google Scholar
  16. 16.
    Henzinger, T.A., et al.: Temporal safety-proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 526–538. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Hoare, T., Misra, J.: Verified software: theories, tools, experiments (July 2005),
  18. 18.
    Holzmann, G.J.: Promela language reference,
  19. 19.
    Holzmann, G.J., Bošnački, D.: The design of a multi-core extension of the Spin model checker. IEEE Transactions on Software Engineering 33(10) (October 2007)Google Scholar
  20. 20.
    Holzmann, G.J.: An improved reachability analysis technique. Software Practice and Experience 18, 137–161 (1988)CrossRefGoogle Scholar
  21. 21.
    Holzmann, G.J.: State compression in SPIN. In: Proc. Third SPIN Workshop, Twente University, The Netherlands (1997)Google Scholar
  22. 22.
    Holzmann, G.J.: The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley Professional, Reading (2003)Google Scholar
  23. 23.
    Holzmann, G.J., Joshi, R., Groce, A.: New challenges in model checking. In: Grumberg, O., Veith, H. (eds.) 25 Years of Model Checking. LNCS, vol. 5000, pp. 65–76. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  24. 24.
    Holzmann, G.J., Puri, A.: A minimized automaton representation of reachable states. Software Tools for Technology Transfer 2(3), 270–278 (1999)zbMATHCrossRefGoogle Scholar
  25. 25.
    Houston, I., King, S.: CICS project report: Experiences and results from the use of Z. In: Prehn, S., Toetenel, H. (eds.) VDM 1991. LNCS, vol. 551, pp. 588–596. Springer, Heidelberg (1991)Google Scholar
  26. 26.
    ICFEM Flash File System Workshop. Modelling Flash Memory (November 2007)Google Scholar
  27. 27.
    Intel Corporation. Intel Flash File System Core Reference Guide, version 1 edition (October 2004)Google Scholar
  28. 28.
    Jackson, D.: Software Abstractions. The MIT-Press, Cambridge (2006)Google Scholar
  29. 29.
    Jones, C., O’Hearn, P., Woodcock, J.: Verified software: A grand challenge. IEEE Computer: Software Technologies 39(4), 93–95 (2006)Google Scholar
  30. 30.
    Joshi, R., Holzmann, G.J.: A mini challenge: build a verifiable filesystem. Formal Aspects of Computing 19(2), 269–272 (2007)zbMATHCrossRefGoogle Scholar
  31. 31.
    Kang, E., Jackson, D.: Formal modeling and analysis of a flash filesystem in Alloy. In: Börger, E., Butler, M., Bowen, J.P., Boca, P. (eds.) ABZ 2008. LNCS, vol. 5238, pp. 294–308. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  32. 32.
    Liu, Z., Yue, L., Wei, P., Jin, P., Xiang, X.: An adaptive block-set based management for large-scale flash memory. In: SAC 2009: Proceedings of the, ACM symposium on Applied Computing, pp. 1621–1625. ACM, New York (2009)CrossRefGoogle Scholar
  33. 33.
    Morgan, C., Sufrin, B.: Specification of the UNIX filing system. IEEE Trans. Software Eng. 10(2), 128–142 (1984)CrossRefGoogle Scholar
  34. 34.
    Mühlberg, J.T., Lüttgen, G.: Blasting Linux code. In: Brim, L., Haverkort, B.R., Leucker, M., van de Pol, J. (eds.) FMICS 2006 and PDMC 2006. LNCS, vol. 4346, pp. 211–226. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  35. 35.
    Part 1: Base definitions POSIX. ISO/IEC 9945-1:2003Google Scholar
  36. 36.
    Part 2: System Interfaces POSIX. ISO/IEC 9945-2:2003Google Scholar
  37. 37.
    Ruys, T.C.: Towards Effective Model Checking. PhD thesis, University of Twente, Enschede (March 2001)Google Scholar
  38. 38.
    Spivey, J.M.: The Z notation: a reference manual. Prentice-Hall, Inc., Upper Saddle River (1989)zbMATHGoogle Scholar
  39. 39.
    Taverne, P.: Raffs: Model checking a robust abstract flash file store. Master’s thesis, Delft University of Technology (2009),
  40. 40.
    Verified software repository,
  41. 41.
    Verified software: Theories, tools, experiments (October 2005),
  42. 42.
    Yang, J., Twohey, P., Engler, D., Musuvathi, M.: Using model checking to find serious file system errors. ACM Trans. Comput. Syst. 24(4), 393–423 (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Paul Taverne
    • 1
  • C. (Kees) Pronk
    • 1
  1. 1.Delft University of TechnologyThe Netherlands

Personalised recommendations