Certifying a file system using crash hoare logic

FSCQ is the frst fle system with a machine-checkable proof that its implementation meets a specifcation, even in the presence of fail-stop crashes. FSCQ provably avoids bugs that have plagued previous fle systems, such as performing disk writes without suffcient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover its state correctly without losing data. To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specifed, and proved the correctness of the FSCQ fle system. Although FSCQ's design is relatively simple, experiments with FSCQ as a user-level fle system show that it is suffcient to run Unix applications with usable performance. FSCQ's specifcations and proofs required signifcantly more work than the implementation, but the work was manageable even for a small team of a few researchers.