Using model checking to find serious file system errors

This article shows how to use model checking to find serious errors in file systems. Model checking is a formal verification technique tuned for finding corner-case errors by comprehensively exploring the state spaces defined by a system. File systems have two dynamics that make them attractive for such an approach. First, their errors are some of the most serious, since they can destroy persistent data and lead to unrecoverable corruption. Second, traditional testing needs an impractical, exponential number of test cases to check that the system will recover if it crashes at any point during execution. Model checking employs a variety of state-reducing techniques that allow it to explore such vast state spaces efficiently. We built a system, FiSC, for model checking file systems. We applied it to four widely-used, heavily-tested file systems: ext3, JFS, ReiserFS and XFS. We found serious bugs in all of them, 33 in total. Most have led to patches within a day of diagnosis. For each file system, FiSC found demonstrable events leading to the unrecoverable destruction of metadata and entire directories, including the file system root directory “/”.
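The abstract's central claim, that a crash can happen at any point during execution and that a checker must enumerate every on-disk state a crash can leave, is easier to see on a toy. The following is an added example, not code from the paper or from FiSC: it models a tiny journaling file system (constructed here; the block names `journal`, `commit`, `dir` and `data:<name>` are assumptions of the toy) whose write barriers split the writes of one operation into epochs. A crash delivers every complete epoch plus any subset of the epoch in flight, mirroring a disk that may reorder or drop unflushed writes. The checker visits each such state, runs recovery, checks an invariant (no directory entry without its data block), and uses a visited-state set as the simplest of the state-reduction techniques the abstract mentions. A variant that issues no barriers is checked alongside the correct one to show what a found bug looks like.

```python
"""Toy crash-consistency model checker (added example, not FiSC code)."""
from itertools import combinations


def create_file(disk, name, data, with_barriers):
    """Return the block writes that creating `name` would issue, grouped into
    epochs.  Writes inside one epoch may reach the disk in any order or
    subset before a crash; a write barrier separates epochs.  The "buggy"
    variant issues no barriers, so all of its writes share one epoch."""
    new_dir = disk.get("dir", frozenset()) | {name}
    journal = ("journal", ("create", name, data, new_dir))   # log record
    commit = ("commit", 1)                                   # commit marker
    inplace = [("dir", new_dir), ("data:" + name, data)]      # final locations
    if with_barriers:
        return [[journal], [commit], inplace]
    return [[journal, commit] + inplace]


def recover(disk):
    """Replay the journal only if its commit marker reached the disk.
    Replay is idempotent, so recovering twice is harmless."""
    disk = dict(disk)
    if disk.get("commit") == 1 and "journal" in disk:
        _op, name, data, new_dir = disk["journal"]
        disk["dir"] = new_dir
        disk["data:" + name] = data
    return disk


def check_invariant(disk):
    """Every directory entry must point at a data block that exists."""
    return all(("data:" + n) in disk for n in disk.get("dir", frozenset()))


def crash_states(disk, epochs):
    """Yield every on-disk state a crash can leave: each complete prefix of
    epochs plus any subset of the writes from the epoch in flight."""
    base = dict(disk)
    for epoch in epochs:
        blocks = [b for b, _ in epoch]
        assert len(blocks) == len(set(blocks)), "one write per block per epoch"
        for k in range(len(epoch) + 1):
            for subset in combinations(epoch, k):
                crashed = dict(base)
                crashed.update(subset)
                yield crashed
        base.update(epoch)   # the whole epoch landed; move on to the next


def model_check(with_barriers):
    """Explore every crash state of one file creation on an empty disk.
    Returns (violating crash states, states explored, states pruned)."""
    disk = {}
    seen = set()
    violations = []
    pruned = 0
    epochs = create_file(disk, "a.txt", b"hello", with_barriers)
    for crashed in crash_states(disk, epochs):
        key = frozenset(crashed.items())      # canonical form of the state
        if key in seen:                       # state reduction: seen it before
            pruned += 1
            continue
        seen.add(key)
        if not check_invariant(recover(crashed)):
            violations.append(sorted(crashed))   # blocks that reached disk
    return violations, len(seen), pruned


if __name__ == "__main__":
    for label, barriers in (("with barriers", True), ("no barriers", False)):
        bad, explored, pruned = model_check(barriers)
        print(f"{label}: {explored} states explored, {pruned} pruned, "
              f"{len(bad)} recovery failures {bad}")
```

For the barrier-free variant the checker reports crashes where the directory block landed but neither the data block nor a usable journal did, so recovery leaves a dangling entry; the barriered variant survives every crash point because any state containing the new directory block also contains a committed journal record to replay. On a real file system the same structure holds, only with thousands of blocks and the write permutations the paper's checker must also explore, which is why the deduplication and other state reductions matter.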
