An Experiment in Applying Event-B and Rodin to a Flash Filestore

By Kriangsak Damchoom, Michael Butler

Rodin User and Developer Workshop 2009 @ Southampton



Main Points

• An overview of a flash filesystem model
  – Part of the Verified Software Grand Challenge

• Uses of refinement in Event-B
  – Horizontal refinement
  – Structural refinement

• Atomicity decomposition

• Machine decomposition

• Summary and future work

Refinement strategy

• Feature augmentation
  – define provided features in an incremental way
  – add state variables and extend events
  – the spec consists of several refinement levels
  – (horizontal / superposition refinement)

• Structural refinement
  – introduce design decisions
  – e.g., replace abstract file store by flash spec
  – involve data and event refinement
  – (vertical refinement)

Layered specification of FFS

• ML0: Tree properties and basic operations affecting tree structure
  – Inv1: parent ∈ objects \ {root} → objects
  – Inv2: ∀s. s ⊆ parent~[s] ⇒ s = {}
  – Thm1: ∀o. o ∈ objects \ {root} ⇒ o ∈ tcl(parent~)[{root}]
  – Events: create, move, copy, delete

• ML1: Partition objects into files and directories
  – Inv1: objects = files ∪ directories
  – Inv2: files ∩ directories = {}
  – Inv3: ran(parent) ⊆ directories
  – Events: crtfile, mkdir
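The ML0 and ML1 invariants above are not executable in the slides, so here is an added Python rendering of them (this is example code, not the authors' Event-B model). Sets and dicts stand in for Event-B sets and functions, the object names are constructed sample data, and the guards given to `move` are an assumption about how the model keeps Inv2 (acyclicity) true; the point to see is that Inv2 is what stops a directory from being moved under its own subtree, and that Thm1 (every object reachable from root) fails as soon as Inv2 does.

```python
"""ML0/ML1 tree invariants rendered in Python (added example, not the
authors' Event-B model). Sets and dicts stand in for Event-B sets and
functions; the object names below are constructed sample data."""
from typing import Dict, Set

ROOT = "root"

def children_of(s: Set[str], parent: Dict[str, str]) -> Set[str]:
    """parent~[s]: relational image of s under the inverse of parent,
    i.e. every object whose parent lies in s."""
    return {o for o, p in parent.items() if p in s}

def descendants(o: str, parent: Dict[str, str]) -> Set[str]:
    """tcl(parent~)[{o}]: everything strictly below o in the tree."""
    seen: Set[str] = set()
    frontier = {o}
    while frontier:
        frontier = children_of(frontier, parent) - seen
        seen |= frontier
    return seen

def check_invariants(objects: Set[str], files: Set[str], directories: Set[str],
                     parent: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate the ML0 and ML1 invariants on one state.

    Inv2 quantifies over all subsets of objects; instead of enumerating them,
    compute the largest s with s ⊆ parent~[s] by iterating s := s ∩ parent~[s]
    from s = objects. A non-empty result is a set of objects whose ancestor
    chain never reaches root, i.e. a cycle plus everything hanging off it."""
    s = set(objects)
    while True:
        nxt = s & children_of(s, parent)
        if nxt == s:
            break
        s = nxt
    return {
        "ML0.Inv1": set(parent) == objects - {ROOT} and set(parent.values()) <= objects,
        "ML0.Inv2": not s,
        "ML0.Thm1": objects - {ROOT} <= descendants(ROOT, parent),
        "ML1.Inv1": files | directories == objects,
        "ML1.Inv2": not (files & directories),
        "ML1.Inv3": set(parent.values()) <= directories,
    }

def move(o: str, dest: str, directories: Set[str], parent: Dict[str, str]) -> bool:
    """The move event. Guards (assumed here): o is not root, dest is a
    directory, and dest is neither o nor one of its descendants. The last
    guard is what preserves Inv2: reparenting a directory under its own
    subtree would create a cycle and detach that subtree from root."""
    if o == ROOT or dest not in directories:
        return False
    if dest == o or dest in descendants(o, parent):
        return False
    parent[o] = dest
    return True

def sample_state():
    """Constructed sample tree: root/{etc/passwd, home/alice/notes.txt}."""
    directories = {ROOT, "etc", "home", "alice"}
    files = {"passwd", "notes.txt"}
    parent = {"etc": ROOT, "home": ROOT, "alice": "home",
              "passwd": "etc", "notes.txt": "alice"}
    return files | directories, files, directories, parent

if __name__ == "__main__":
    objects, files, directories, parent = sample_state()
    print(check_invariants(objects, files, directories, parent))   # every invariant True
    print(move("home", "alice", directories, parent))               # False: would create a cycle
    print(move("alice", "etc", directories, parent))                # True
```

The greatest-fixpoint loop in `check_invariants` is the practical way to decide the universally quantified Inv2 on a finite state; a prover discharges it symbolically, but the same idea makes the invariant checkable against an implementation's actual directory table.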

Layered specification of FFS

• ML2: Introduces file content
  – fcontent ∈ files → CONT
  – Additional events: open, read, write, close

• ML3: Introduces permissions
  – obj_perms ∈ (files ∪ directories) ↔ PERM
  – obj_owner ∈ (files ∪ directories) → users
  – obj_grp ∈ (files ∪ directories) → groups
  – Additional events: setpermission

• ML4: Introduces other missing properties such as name, date of creation and last modification
  – Additional events: rename

(ML2–4 are feature augmentation or horizontal refinement)

Layered specification of FFS

• ML5: Decomposes event write into
  – w_start, w_step, w_end (ok, fail)

• ML6: Decomposes event read into
  – r_start, r_step, r_end (ok, fail)

• ML7: Links the FS to the flash specification by introducing flash properties

(ML5–7 are structural refinements, which are the focus of this talk)

ML5: Decomposes the writefile event

The decomposition is based on the assumption that the content on the buffer is written into the storage one page at a time.

Here fcont_tmp behaves like a shadow disk.

(Diagram: Abstraction)

Flash Architecture (ONFi’07)

flash ∈ RowAddr → PDATA, RowAddr = LAddr × BAddr × PAddr

ML7: Links abstract FS to FL spec

• Introduces flash properties
  – flash ∈ RowAddr → PDATA
  – programmed_pages ⊆ RowAddr
  – obsolete_pages ⊆ programmed_pages
  – fcontent was replaced by fat ∈ files → (N +-> RowAddr)
  – fcont_tmp was replaced by fat_tmp ∈ writing → (N +-> RowAddr)

• Refines events pagewrite and pageread by including flash spec
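To make the ML5 write decomposition and the ML7 flash state concrete, here is an added Python model (example code written for this page, not the authors' Rodin machines). It keeps the ML7 variables `flash`, `programmed_pages`, `obsolete_pages`, `fat` and `fat_tmp`, uses a `RowAddr` triple as on the flash architecture slide, and runs the write as `w_start`, `w_step`, `w_end_ok` / `w_end_fail` with `fat_tmp` as the shadow disk. The page-allocation policy ("lowest free row"), the `pending` buffer and the exact bookkeeping in `invariants_hold` are assumptions; what the scenario shows is the property the shadow-disk design is for: a write that fails part-way leaves the file readable exactly as it was.

```python
"""ML5 write decomposition over the ML7 flash state (added example, not
the authors' Rodin model). fat_tmp plays the shadow-disk role of fcont_tmp;
the page allocation policy and invariants_hold are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

RowAddr = Tuple[int, int, int]   # LAddr x BAddr x PAddr (flash architecture slide)
Fat = Dict[int, RowAddr]         # N +-> RowAddr: logical page index to row address

@dataclass(frozen=True)
class PData:
    """PDATA: version, owning object, logical page index and data (FL0 slide)."""
    version: int
    obj: str
    lpi: int
    data: bytes

@dataclass
class FlashFS:
    rows: Set[RowAddr]                                        # the RowAddr carrier set
    flash: Dict[RowAddr, PData] = field(default_factory=dict)
    programmed_pages: Set[RowAddr] = field(default_factory=set)
    obsolete_pages: Set[RowAddr] = field(default_factory=set)
    fat: Dict[str, Fat] = field(default_factory=dict)         # files -> (N +-> RowAddr)
    fat_tmp: Dict[str, Fat] = field(default_factory=dict)     # writing -> (N +-> RowAddr)
    pending: Dict[str, Dict[int, bytes]] = field(default_factory=dict)  # buffer per writing file
    version: int = 0

    # FL0 events: the interface the flash layer offers to the file system layer
    def page_programme(self, addr: RowAddr, pd: PData) -> None:
        # guard: a page is programmed only once; reuse needs an erase, not modelled here
        assert addr in self.rows and addr not in self.programmed_pages
        self.flash[addr] = pd
        self.programmed_pages.add(addr)

    def page_read(self, addr: RowAddr) -> PData:
        assert addr in self.programmed_pages
        return self.flash[addr]

    def _free_page(self) -> Optional[RowAddr]:
        free = sorted(self.rows - self.programmed_pages)   # lowest free row first (assumed policy)
        return free[0] if free else None

    # ML5 decomposition of write, lifted to the ML7 representation
    def w_start(self, f: str, content: Dict[int, bytes]) -> None:
        assert f in self.fat and f not in self.fat_tmp
        self.fat_tmp[f] = {}
        self.pending[f] = dict(content)

    def w_step(self, f: str) -> bool:
        """Programme one buffered page onto a fresh row; only fat_tmp records it."""
        todo = [i for i in sorted(self.pending[f]) if i not in self.fat_tmp[f]]
        addr = self._free_page()
        if not todo or addr is None:       # nothing left, or out of free pages
            return False
        i = todo[0]
        self.version += 1
        self.page_programme(addr, PData(self.version, f, i, self.pending[f][i]))
        self.fat_tmp[f][i] = addr
        return True

    def w_end_ok(self, f: str) -> None:
        """Commit: old pages become obsolete and fat_tmp replaces fat in one step."""
        assert set(self.fat_tmp[f]) == set(self.pending[f])
        self.obsolete_pages |= set(self.fat[f].values())
        self.fat[f] = self.fat_tmp.pop(f)
        del self.pending[f]

    def w_end_fail(self, f: str) -> None:
        """Abort: pages written so far are discarded as obsolete; fat is untouched."""
        self.obsolete_pages |= set(self.fat_tmp.pop(f).values())
        del self.pending[f]

    def read_file(self, f: str) -> Dict[int, bytes]:
        return {i: self.page_read(a).data for i, a in self.fat[f].items()}

    def invariants_hold(self) -> bool:
        live = {a for m in self.fat.values() for a in m.values()}
        tmp = {a for m in self.fat_tmp.values() for a in m.values()}
        return (self.programmed_pages <= self.rows
                and self.obsolete_pages <= self.programmed_pages
                and set(self.flash) == self.programmed_pages
                and live <= self.programmed_pages - self.obsolete_pages
                and tmp <= self.programmed_pages - self.obsolete_pages
                and not (live & tmp)
                and set(self.fat_tmp) <= set(self.fat))

def demo():
    """Constructed scenario: one LUN with two blocks of four pages; a full
    write, then a second write that fails after a single page."""
    fs = FlashFS(rows={(0, b, p) for b in range(2) for p in range(4)})
    fs.fat["log"] = {}                   # an empty file, as crtfile would leave it
    fs.w_start("log", {0: b"v1-page0", 1: b"v1-page1"})
    while fs.w_step("log"):
        pass
    fs.w_end_ok("log")
    before = fs.read_file("log")
    fs.w_start("log", {0: b"v2-page0", 1: b"v2-page1"})
    fs.w_step("log")
    fs.w_end_fail("log")                 # readers still see the v1 content
    return before, fs.read_file("log"), fs

if __name__ == "__main__":
    before, after, fs = demo()
    print(before == after, fs.invariants_hold())
```

`w_step` returning `False` before every page is mapped is the out-of-space failure mode: the caller must then take `w_end_fail`, and `w_end_ok`'s assertion refuses a commit of a partially written file, which is the guard that keeps `fat` from ever pointing at a mix of old and new pages.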

Machine Decomposition

• Partitions the machine level 7 into two machines representing the file system layer (FS) and the flash interface layer (FL).

• Diagram of the machine decomposition: ML7.pagewrite is split into ML7_FS.pagewrite and FL0.page_programme

Abstract Flash specification (FL0)

• Flash Structure (an array of pages)
  – flash ∈ RowAddr → PDATA
    Where PDATA represents the content of each page (which is composed of a version number, an object to which the page belongs, logical page index and data)
  – programmed_pages ⊆ RowAddr
  – obsolete_pages ⊆ programmed_pages

• Events (APIs provided to the file system layer)
  – page_read (read page data from the flash array)
  – page_programme (programme/write page data into the flash array at a given row address)

Further refinement steps

• Focusing on the flash interface layer

• Covering
  – FL_Ref1: Introduces Page Register (PR)
    • Each LUN has at least one page register. PR is used for buffering data before it is written to or is read off the flash chip.
  – FL_Ref2: Introduces Status Register (SR)
    • One SR per LUN
    • Determines whether the selected LUN is ready, not ready or write-protected
  – FL_Ref3: Deals with bad blocks
    • The maximum number of erasures per block is limited

Refinement chain summary

(Diagram of the refinement chain, rendered as text)

• MCH0 → MCH1 → MCH2 → MCH3 → MCH4 → MCH5 → MCH6 → MCH7, each machine refining the previous one
  – MCH0–MCH4: feature augmentation (horizontal refinement)
  – MCH5–MCH7: structural refinement (vertical)

• MCH7 is decomposed into MCH7_FS and MCH7_FL0

• MCH7_FL0 → MCH_FL_R1 → MCH_FL_R2 → MCH_FL_R3: further refinements focusing on flash spec

• cMCH7_FS_FL: recomposed to show that it is the refinement of MCH7

Proof statistics

(Table of proof statistics not included in the transcript)

Conclusion & On-going Work

• Conclusion
  – I have presented the model of FFS
  – Two uses of refinement
  – Event decomposition and machine decomposition

• On-going work
  – Specifying wear-levelling process
  – Implementation

Machine Invariants of ML7

(Invariant listing not included in the transcript)