An Experiment in Applying Event-B and Rodin to a Flash Filestore
Kriangsak Damchoom, Michael Butler
Rodin User and Developer Workshop, Southampton
Main Points
An overview of a flash filesystem model
–Part of the Verified Software Grand Challenge
Uses of refinement in Event-B
–Horizontal refinement
–Structural refinement
Atomicity decomposition
Machine decomposition
Summary and future work
Refinement strategy
Feature augmentation
–defines the provided features incrementally
–adds state variables and extends events
–the spec consists of several refinement levels
–(horizontal / superposition refinement)
Structural refinement
–introduces design decisions
–e.g., replaces the abstract file store by the flash spec
–involves data and event refinement
–(vertical refinement)
Layered specification of FFS
ML0: Tree properties and the basic operations affecting the tree structure
–Inv1: parent ∈ objects \ {root} → objects
–Inv2: ∀ s. s ⊆ parent~[s] ⇒ s = {} (no set of objects is closed under "child of", i.e. no cycles)
–Thm1: ∀ o. o ∈ objects \ {root} ⇒ o ∈ tcl(parent~)[{root}] (every object is reachable from root)
–Events: create, move, copy, delete
ML1: Partitions objects into files and directories
–Inv1: objects = files ∪ directories
–Inv2: files ∩ directories = {}
–Inv3: ran(parent) ⊆ directories
–Events: crtfile, mkdir
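The ML0/ML1 predicates above, evaluated on a concrete state. This is an added Python example, not the authors' Rodin model: the sample file system, the `FsState` class and the event names `move`/`move_unguarded` are constructed here. It writes each Event-B operator out in set arithmetic (`parent~[s]` as the set of children of `s`, `tcl` as a reachability fixpoint) and shows why `move` needs a guard: the raw state update can place a directory under its own descendant, which Inv2 (and, as a consequence, Thm1) detects.

```python
"""Finite-set check of the ML0/ML1 tree invariants.

Constructed example, not the authors' Rodin model: a six-object state
and the slide's predicates, each written out in Python set arithmetic
so the Event-B operators (parent~[s], tcl) are explicit.
"""
from dataclasses import dataclass

ROOT = "root"


@dataclass
class FsState:
    objects: set
    parent: dict        # parent ∈ objects \ {root} → objects
    files: set
    directories: set


def children(parent, s):
    """parent~[s]: relational image of s under the inverse of parent."""
    return {o for o, p in parent.items() if p in s}


def inv1(st):
    """parent is a total function from objects \\ {root} into objects."""
    return set(st.parent) == st.objects - {ROOT} and set(st.parent.values()) <= st.objects


def inv2(st):
    """∀ s. s ⊆ parent~[s] ⇒ s = {}.  The largest s with s ⊆ parent~[s] is
    the greatest fixpoint of s ↦ s ∩ parent~[s]; Inv2 holds iff it is empty
    (a non-empty fixpoint is exactly a set of objects lying on cycles)."""
    s = set(st.parent)
    while True:
        nxt = s & children(st.parent, s)
        if nxt == s:
            return not s
        s = nxt


def descendants(parent, o):
    """tcl(parent~)[{o}]: everything below o, by fixpoint iteration."""
    reached, frontier = set(), children(parent, {o})
    while frontier:
        reached |= frontier
        frontier = children(parent, frontier) - reached
    return reached


def thm1(st):
    """∀ o ∈ objects \\ {root}. o ∈ tcl(parent~)[{root}]."""
    return st.objects - {ROOT} <= descendants(st.parent, ROOT)


def ml1(st):
    """ML1: files/directories partition objects; only directories are parents."""
    return (st.objects == st.files | st.directories
            and not (st.files & st.directories)
            and set(st.parent.values()) <= st.directories)


def invariants_hold(st):
    return inv1(st) and inv2(st) and thm1(st) and ml1(st)


def move(st, obj, dest):
    """ML0 move with the guards that preserve Inv2 and ML1-Inv3: dest is a
    directory and is neither obj itself nor one of obj's descendants."""
    if obj == ROOT or obj not in st.objects or dest not in st.directories:
        raise ValueError("move: bad object, or destination is not a directory")
    if dest == obj or dest in descendants(st.parent, obj):
        raise ValueError("move: destination lies inside the moved subtree")
    return move_unguarded(st, obj, dest)


def move_unguarded(st, obj, dest):
    """The raw state update on its own; without the guard it can break Inv2."""
    return FsState(set(st.objects), {**st.parent, obj: dest},
                   set(st.files), set(st.directories))


# Constructed sample: root/{d1/{d2/{f1}, f2}, d3}
SAMPLE = FsState(
    objects={ROOT, "d1", "d2", "d3", "f1", "f2"},
    parent={"d1": ROOT, "d3": ROOT, "d2": "d1", "f2": "d1", "f1": "d2"},
    files={"f1", "f2"},
    directories={ROOT, "d1", "d2", "d3"},
)
```

Computing Inv2 as a greatest fixpoint rather than enumerating subsets is what makes the quantifier over `s` checkable on a real state; the same iteration is what a model checker such as ProB does internally when it animates this kind of invariant.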
Layered specification of FFS
ML2: Introduces file content
–fcontent ∈ files → CONT
–Additional events: open, read, write, close
ML3: Introduces permissions
–obj_perms ∈ (files ∪ directories) ↔ PERM
–obj_owner ∈ (files ∪ directories) → users
–obj_grp ∈ (files ∪ directories) → groups
–Additional event: setpermission
ML4: Introduces the remaining attributes, such as name, date of creation and date of last modification
–Additional event: rename
(ML2–4 are feature augmentation, i.e. horizontal refinement)
Layered specification of FFS
ML5: Decomposes the event write into
–w_start, w_step, w_end (ok, fail)
ML6: Decomposes the event read into
–r_start, r_step, r_end (ok, fail)
ML7: Links the FS to the flash specification by introducing flash properties
(ML5–7 are structural refinements, which are the focus of this talk)
ML5: Decomposes the write event
The decomposition assumes that the buffered content is written to storage one page at a time. fcont_tmp behaves like a shadow disk: w_step writes pages into fcont_tmp, and the visible fcontent is replaced only when w_end succeeds, so a write that ends in failure leaves the file's previous content in place.
Abstraction
Flash Architecture (ONFi 2007)
flash ∈ RowAddr → PDATA, RowAddr = LAddr × BAddr × PAddr
(a row address identifies a LUN, a block within the LUN and a page within the block)
ML7: Links the abstract FS to the FL spec
Introduces flash properties
–flash ∈ RowAddr → PDATA
–programmed_pages ⊆ RowAddr
–obsolete_pages ⊆ programmed_pages
–fcontent is replaced by fat ∈ files → (N +-> RowAddr), mapping each file's logical page index to the row address holding that page
–fcont_tmp is replaced by fat_tmp ∈ writing → (N +-> RowAddr)
Refines the events pagewrite and pageread to include the flash spec
Machine Decomposition
Partitions machine level 7 into two machines representing the file system layer (FS) and the flash interface layer (FL).
(figure: diagram of the machine decomposition)
(figures: event listings for ML7.pagewrite, FL0.page_programme and ML7_FS.pagewrite)
Abstract Flash specification (FL0)
Flash structure (an array of pages)
–flash ∈ RowAddr → PDATA, where PDATA is the content of a page: a version number, the object the page belongs to, the logical page index and the data
–programmed_pages ⊆ RowAddr
–obsolete_pages ⊆ programmed_pages
Events (the API provided to the file system layer)
–page_read: read page data from the flash array
–page_programme: programme (write) page data into the flash array at a given row address
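The ML5 write decomposition (w_start / w_step / w_end) running on top of the FL0 page API, as an added Python simulation; it is not the authors' Event-B and the class names, `free_page`, `run_demo` and the sample data are constructed here. It makes the shadow-disk point concrete: pages are programmed into `fat_tmp` one at a time, readers keep seeing the old `fat` until a successful `w_end`, and a failed `w_end` only marks the new pages obsolete. One assumption not stated on the slides is written into `page_programme`: a row address is programmed at most once until erased, as on NAND, so superseded pages are never overwritten in place. Erase and wear-levelling are outside the model, which is why the run ends by exhausting free pages.

```python
"""ML5 write decomposition over the FL0 flash model (constructed example).

fat_tmp is the shadow map from the slides; fat, the map readers see, is
swapped only by a successful w_end.  Assumed NAND guard (not on the
slides): a row address is programmed at most once until erased.
"""
from dataclasses import dataclass, field

# RowAddr = LAddr x BAddr x PAddr: one LUN, two blocks of four pages.
ROW_ADDRS = [(0, blk, pg) for blk in range(2) for pg in range(4)]


@dataclass(frozen=True)
class PData:
    """PDATA: version number, owning object, logical page index, data."""
    version: int
    obj: str
    index: int
    data: bytes


@dataclass
class Flash:
    """FL0: the page array plus programmed/obsolete bookkeeping."""
    flash: dict = field(default_factory=dict)          # RowAddr -> PDATA
    programmed_pages: set = field(default_factory=set)
    obsolete_pages: set = field(default_factory=set)

    def page_programme(self, addr, pdata):
        if addr not in ROW_ADDRS or addr in self.programmed_pages:
            raise ValueError(f"cannot programme {addr}")   # assumed NAND guard
        self.flash[addr] = pdata
        self.programmed_pages.add(addr)

    def page_read(self, addr):
        if addr not in self.programmed_pages:
            raise ValueError(f"unprogrammed page {addr}")
        return self.flash[addr]

    def free_page(self):
        for addr in ROW_ADDRS:
            if addr not in self.programmed_pages:
                return addr
        raise RuntimeError("no free page: erase / wear-levelling needed")

    def invariant(self):
        return (self.programmed_pages <= set(ROW_ADDRS)
                and self.obsolete_pages <= self.programmed_pages)


@dataclass
class FileSystem:
    """ML7_FS: file-to-page maps layered over the flash interface."""
    fl: Flash = field(default_factory=Flash)
    fat: dict = field(default_factory=dict)       # files -> (N +-> RowAddr)
    fat_tmp: dict = field(default_factory=dict)   # writing -> (N +-> RowAddr)
    version: dict = field(default_factory=dict)   # files -> current version

    def w_start(self, f):
        if f in self.fat_tmp:
            raise ValueError(f"{f} is already being written")
        self.fat_tmp[f] = {}
        self.version[f] = self.version.get(f, 0) + 1

    def w_step(self, f, index, data):
        """Programme one page of the new content into the shadow map."""
        addr = self.fl.free_page()
        self.fl.page_programme(addr, PData(self.version[f], f, index, data))
        self.fat_tmp[f][index] = addr

    def w_end(self, f, ok):
        """ok: publish the shadow and retire the old pages.
        fail: retire the shadow pages; fat is untouched."""
        new = self.fat_tmp.pop(f)
        if ok:
            self.fl.obsolete_pages |= set(self.fat.get(f, {}).values())
            self.fat[f] = new
        else:
            self.fl.obsolete_pages |= set(new.values())

    def read_file(self, f):
        pages = self.fat.get(f, {})
        return b"".join(self.fl.page_read(pages[i]).data for i in sorted(pages))

    def invariant(self):
        """Live and shadow pages are programmed, not obsolete, and disjoint."""
        live = {a for m in self.fat.values() for a in m.values()}
        shadow = {a for m in self.fat_tmp.values() for a in m.values()}
        usable = self.fl.programmed_pages - self.fl.obsolete_pages
        return self.fl.invariant() and live <= usable and shadow <= usable and not (live & shadow)


def run_demo():
    """Commit, a failed write, a second commit, then a write that runs out of pages."""
    fs, out = FileSystem(), {}
    fs.w_start("f1"); fs.w_step("f1", 0, b"AA"); fs.w_step("f1", 1, b"BB"); fs.w_end("f1", ok=True)
    out["after_commit"] = fs.read_file("f1")
    fs.w_start("f1"); fs.w_step("f1", 0, b"CC")
    out["during_write"] = fs.read_file("f1")      # readers still see the old version
    out["invariant_during"] = fs.invariant()
    fs.w_end("f1", ok=False)
    out["after_fail"] = fs.read_file("f1")
    fs.w_start("f1"); fs.w_step("f1", 0, b"DD"); fs.w_step("f1", 1, b"EE"); fs.w_end("f1", ok=True)
    out["after_second_commit"] = fs.read_file("f1")
    fs.w_start("f2")
    try:
        for i in range(4):                        # only three free pages remain
            fs.w_step("f2", i, b"ZZ")
        out["ran_out"] = False
    except RuntimeError:
        out["ran_out"] = True
        fs.w_end("f2", ok=False)                  # abort: shadow pages become obsolete
    out["f1_unchanged"] = fs.read_file("f1")
    out["programmed"], out["obsolete"] = len(fs.fl.programmed_pages), len(fs.fl.obsolete_pages)
    out["invariant"] = fs.invariant()
    return out
```

Because `w_step` raises before touching `fat_tmp` when no page is free, a failure mid-write leaves every map consistent, and `w_end(ok=False)` is enough to recover; the cost is that obsolete pages accumulate, which is the gap the on-going wear-levelling work addresses.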
Further refinement steps
Focusing on the flash interface layer, covering:
–FL_Ref1: Introduces the page register (PR). Each LUN has at least one page register; it buffers data before it is written to, or after it is read from, the flash chip.
–FL_Ref2: Introduces the status register (SR). One SR per LUN; it indicates whether the selected LUN is ready, not ready or write-protected.
–FL_Ref3: Deals with bad blocks. The number of erasures per block is limited.
Refinement chain summary
MCH0 → MCH1 → MCH2 → MCH3 → MCH4: feature augmentation (horizontal refinement)
MCH4 → MCH5 → MCH6 → MCH7: structural refinement (vertical)
MCH7 is decomposed into MCH7_FS and MCH7_FL0
MCH7_FL0 → MCH_FL_R1 → MCH_FL_R2 → MCH_FL_R3: further refinements focusing on the flash spec
cMCH7_FS_FL: MCH7_FS recomposed with the refined FL machine, to show that the composition refines the decomposed MCH7
Proof statistics
Conclusion & On-going Work
Conclusion
–I have presented the model of FFS
–Two uses of refinement
–Event decomposition and machine decomposition
On-going work
–Specifying the wear-levelling process
–Implementation
Machine Invariants of ML7