Presentation is loading. Please wait.

Presentation is loading. Please wait.

E X PLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University.

Published byMiranda Alexander Modified over 8 years ago

Similar presentations

Presentation on theme: "E X PLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University."— Presentation transcript:

1 E X PLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University

2 Why check storage systems?  Storage system errors are among the worst  kernel panic, data loss and corruption  Complicated code, hard to get right  Simultaneously worry about speed, failures and crashes  Hard to comprehensively test for failures, crashes Goal: comprehensively check many storage systems with little work

3 E X PLODE summary  Comprehensive: uses ideas from model checking  Fast, easy  Check a storage system: 200 lines of C++ code  Main requirement: 1 device driver. Run on Linux, FreeBSD  General, real: check live systems.  Can run, can check, even without source code  Effective  checked 10 Linux FS, 3 version control software, Berkeley DB, Linux RAID, NFS, VMware GSX 3.2/Linux  Bugs in all, 36 in total, mostly data loss  Subsumes our old work FiSC [OSDI 2004]

4 Checking complicated stacks  All real  Stack of storage systems  subversion: an open-source version control software  User-written checker on top  Recovery tools run after EXPLODE- simulated crashes subversion checker NFS client NFS server loopback JFS software RAID1 checking disk subversion checking disk %fsck.jfs %mdadm --assemble --run --force --update=resync %mdadm -a crash disk %svnadm.recover crash disk ok? crash

5 Outline  Core idea  Checking interface  Implementation  Results  Related work, conclusion and future work

6 Core idea: explore all choices  Bugs are often triggered by corner cases  How to find: drive execution down to these tricky corner cases When execution reaches a point in program that can do one of N different actions, fork execution and in first child do first action, in second do second, etc.

7 External choices creat /root b a c link unlink mkdir rmdir … …  Fork and do every possible operation Explore generated states as well Speed hack: hash states, discard if seen Users write code to check. E X PLODE “amplifies” the checks

8 Internal choices creat /root b a c Buffer cache misses kmalloc returns 0  Fork and explore internal choices

9 How to expose choices  To explore N-choice point, users instrument code using choose(N)  choose(N): N-way fork, return K in K’th kid  We instrumented 7 kernel functions in Linux void* kmalloc(size s) { if(choose(2) == 0) return NULL; … // normal memory allocation }

10 Crashes creat /root b a c  Dirty blocks can be written in any order, crash at any point Write all subsets fsck buffer cache check Users write code to check recovered FS

11 Outline  Core idea: explore all choices  Checking interface  What E X PLODE provides  What users do to check their storage system  Implementation  Results  Related work, conclusion and future work

12 What E X PLODE provides  choose(N) : conceptual N-way fork, return K in K’th child execution  check_crashes_now(): check all crashes that can happen at the current moment  Paper has more methods for checking crashes  Users embed non-crash checks in their code. E X PLODE amplifies them  err() : record trace for deterministic replay

13  Example: ext3 on RAID  checker: drive ext3 to do something: mutate(), then verify what ext3 did was correct: check()  storage component: set up, repair and tear down ext3, RAID. Write once per system  assemble a checking stack What users do

14  FS Checker  mutate  ext3 Component  Stack choose(4) mkdirrmdirrm filecreat file …/02341 2341syncfsync

15  FS Checker  check  ext3 Component  Stack Check file exists Check file contents match Found JFS fsync bug, caused by re- using directory inode as file inode Checkers can be simple (50 lines) or very complex(5,000 lines) Whatever you can express in C++, you can check

16  FS Checker  ext3 Component  Stack  storage component: initialize, repair, set up, and tear down your system  threads(): returns list of kernel thread IDs for deterministic error replay  Wrappers to existing utilities  Write once per system  Real code on next slide

17  FS Checker  ext3 Component  Stack

18  FS Checker  ext3 Component  Stack  assemble a checking stack  Let E X PLODE know how subsystems are connected together, so it can initialize, set up, tear down, repair the entire stack  Real code on next slide

19  FS Checker  ext3 Component  Stack

20 Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Checkpoint and restore states  Deterministic replay  Checking process  Checking crashes  Checking “soft” application crashes  Results  Related work, conclusion and future work

21 Recall: core idea  “Fork” at decision point to explore all choices state: a snapshot of the checked system …

22 How to checkpoint live system? S0 S …  Hard to checkpoint live kernel memory  VM cloning is heavy-weight  checkpoint: record all choose() returns from S0  restore: umount, restore S0, re-run code, make K’th choose() return K’th recorded values  Key to E X PLODE approach 2 3 S = S0 + redo (2, 3)

23 Deterministic replay  Need it to recreate states, diagnose bugs Sources of non-determinism  Kernel choose() can be called by other code  Fix: filter by thread IDs. No choose() in interrupt  Kernel threads  Opportunistic hack: setting priorities. Worked well  Can’t use lock: deadlock. A holds lock, then yield to B  Other requirements in paper  Worst case: non-repeatable error. Automatic detect and ignore

24 E X PLODE: put it all together EXPLODEUser code EKM = EXPLODE device driver

25 Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Results  Lines of code  Errors found  Related work, conclusion and future work

26 E X PLODE core lines of code 3 kernels: Linux 2.6.11, 2.6.15, FreeBSD 6.0. FreeBSD patch doesn’t have all functionality yet Lines of code Kernel patch Linux 1,915 (+ 2,194 generated) FreeBSD1,210 User-level code6,323

27 Checkers lines of code, errors found Storage System CheckedComponentCheckerBugs 10 file systems7445,47718 Storage applications CVS27681 SubversionNot ported yet1 “E XP ENS IVE ” 301243 Berkeley DB822026 Transparent subsystems RAID144FS + 1372 NFS34FS4 VMware GSX/Linux 54FS1 Total1,1156,00836

28 Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Results  Lines of code  Errors found  Related work, conclusion and future work

29 FS Sync checking results App rely on sync operations, yet they are broken indicates a failed check

30 ext2 fsync bug Mem Disk A B A truncate A creat B write B fsync B … … B Events to trigger bug fsck.ext2 Bug is fundamental due to ext2 asynchrony crash! B Indirect block

31 Classic app mistake: “atomic” rename  Atomically update file A to avoid corruption  Problem: rename guarantees nothing abt. data fd = creat(A_tmp, …); write(fd, …); close(fd); rename(A_tmp, A); fsync(fd);

32 Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Results: checked many systems, found many bugs  Related work, conclusion and future work

33 Related work  FS testing  IRON  Static analysis  Traditional software model checking  Theorem proving  Other techniques

34 Conclusion and future work  E X PLODE  Easy: need 1 device driver. simple user interface  General: can run, can check, without source  Effective: checked many systems, 36 bugs  Future work:  Work closely with storage system implementers to check more systems and more properties  Smart search  Automatic diagnosis  Automatically inferring “choice points”  Approach is general, applicable to distributed systems, secure systems, …

Download ppt "E X PLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University."

Similar presentations

Serverless Network File Systems. Network File Systems Allow sharing among independent file systems in a transparent manner Mounting a remote directory.

Serverless Network File Systems. Network File Systems Allow sharing among independent file systems in a transparent manner Mounting a remote directory.
Today From threads to file systems

Today From threads to file systems
Recovery 10/18/05. Implementing atomicity Note, when a transaction commits, the portion of the system implementing durability ensures the transaction’s.

Recovery 10/18/05. Implementing atomicity Note, when a transaction commits, the portion of the system implementing durability ensures the transaction’s.
1 Principles of Reliable Distributed Systems Tutorial 12: Frangipani Spring 2009 Alex Shraer.

1 Principles of Reliable Distributed Systems Tutorial 12: Frangipani Spring 2009 Alex Shraer.
Crash recovery All-or-nothing atomicity & logging.

Crash recovery All-or-nothing atomicity & logging.
I/O Hardware n Incredible variety of I/O devices n Common concepts: – Port – connection point to the computer – Bus (daisy chain or shared direct access)

I/O Hardware n Incredible variety of I/O devices n Common concepts: – Port – connection point to the computer – Bus (daisy chain or shared direct access)
CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 18 - File System Performance Jonathan Walpole Computer Science Portland State University.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Crash recovery All-or-nothing atomicity & logging.

Crash recovery All-or-nothing atomicity & logging.
Linux Operating System

Linux Operating System
CSE 451: Operating Systems Winter 2010 Module 13 Redundant Arrays of Inexpensive Disks (RAID) and OS structure Mark Zbikowski Gary Kimura.

CSE 451: Operating Systems Winter 2010 Module 13 Redundant Arrays of Inexpensive Disks (RAID) and OS structure Mark Zbikowski Gary Kimura.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface

Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Frangipani: A Scalable Distributed File System C. A. Thekkath, T. Mann, and E. K. Lee Systems Research Center Digital Equipment Corporation.

Frangipani: A Scalable Distributed File System C. A. Thekkath, T. Mann, and E. K. Lee Systems Research Center Digital Equipment Corporation.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Transactions and Reliability. File system components Disk management Naming Reliability  What are the reliability issues in file systems? Security.

Transactions and Reliability. File system components Disk management Naming Reliability  What are the reliability issues in file systems? Security.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Selecting and Implementing An Embedded Database System Presented by Jeff Webb March 2005 Article written by Michael Olson IEEE Software, 2000.

Selecting and Implementing An Embedded Database System Presented by Jeff Webb March 2005 Article written by Michael Olson IEEE Software, 2000.
Guide to Linux Installation and Administration, 2e 1 Chapter 9 Preparing for Emergencies.

Guide to Linux Installation and Administration, 2e 1 Chapter 9 Preparing for Emergencies.
Self stabilizing Linux Kernel Mechanism Doron Mishali, Alex Plits Supervisors: Prof. Shlomi Dolev Dr. Reuven Yagel.

Self stabilizing Linux Kernel Mechanism Doron Mishali, Alex Plits Supervisors: Prof. Shlomi Dolev Dr. Reuven Yagel.
Chapter Fourteen Windows XP Professional Fault Tolerance.

Chapter Fourteen Windows XP Professional Fault Tolerance.

Similar presentations

Ads by Google