SquirrelFS: using the Rust compiler to check file-system crash consistency (2406.09649v1)

Abstract: This work introduces a new approach to building crash-safe file systems for persistent memory. We exploit the fact that Rust's typestate pattern allows compile-time enforcement of a specific order of operations. We introduce a novel crash-consistency mechanism, Synchronous Soft Updates, that boils down crash safety to enforcing ordering among updates to file-system metadata. We employ this approach to build SquirrelFS, a new file system with crash-consistency guarantees that are checked at compile time. SquirrelFS avoids the need for separate proofs, instead incorporating correctness guarantees into the typestate itself. Compiling SquirrelFS only takes tens of seconds; successful compilation indicates crash consistency, while an error provides a starting point for fixing the bug. We evaluate SquirrelFS against state of the art file systems such as NOVA and WineFS, and find that SquirrelFS achieves similar or better performance on a wide range of benchmarks and applications.

• The paper introduces a compiler-enabled method using Rust’s type system to statically verify file-system crash consistency.
• It implements SquirrelFS with Synchronous Soft Updates (SSU) to enforce ordering invariants for persistent memory operations.
• Evaluation shows that SquirrelFS achieves low latency and competitive throughput, particularly excelling in write-dominated workloads.

SquirrelFS: Using the Rust Compiler for Crash-Consistent File Systems

The paper "SquirrelFS: using the Rust compiler to check file-system crash consistency" by Hayley LeBlanc, Nathan Taylor, James Bornholt, and Vijay Chidambaram proposes an innovative approach to achieving crash consistency in file systems deployed on persistent memory (PM). The authors introduce SquirrelFS, a new file system that leverages the Rust programming language’s type system to enforce crash-consistency invariants at compile time. This method is encapsulated in the novel crash-consistency mechanism termed Synchronous Soft Updates (SSU).

Key Contributions

The paper provides several key contributions to the field of file system design and verification:

1. Statically-Checked Crash Consistency: Utilizing Rust’s typestate pattern allows high-level properties of file system operations to be encoded into the type system and checked at compile time.
2. Synchronous Soft Updates (SSU): A crash-consistency mechanism designed specifically for the characteristics of persistent memory, focusing on ordering-based invariants.
3. SquirrelFS Implementation: An implementation of a file system using SSU in Rust, demonstrating the practicality and effectiveness of the proposed methodology through comprehensive evaluation.

Synchronous Soft Updates

SSU is rooted in the concept of soft updates, a technique traditionally used to maintain file-system consistency by enforcing ordering constraints on updates. However, conventional soft updates are typically asynchronous and carry significant complexity due to dependency tracking and potential cyclic dependencies. SSU adapts this concept to the synchronous nature of persistent memory systems, effectively eliminating these complexities.

Synchronous Operations

Persistent memory’s low latency allows SquirrelFS operations to be synchronous, ensuring all updates are durable by the time each operation completes. This synchrony negates the need for asynchronous dependency tracking and cyclic dependency management, simplifying the overall design and implementation.

Atomic Rename

SquirrelFS introduces a mechanism to handle atomic renames efficiently, a notable improvement over traditional soft updates. It employs a persistent rename pointer within directory entries to maintain enough information for completing rename operations after crashes. This enables the system to resolve inconsistencies that can arise from partially completed rename operations.

Implementation Highlights

SquirrelFS is built with approximately 7500 lines of Rust code and connects to the Linux Virtual File System (VFS) layer. It employs a simple persistent layout and relies on volatile structures for fast lookups:

• Persistent Layout: Includes a superblock, inode table, page descriptor table, and data pages, resembling the simplicity of FreeBSD’s FFS but adapted for persistent memory.
• Volatile Structures: Uses in-memory indexes and allocators to avoid performance penalties associated with persistent metadata management. These structures are rebuilt upon mounting the file system.

Evaluation and Performance

The authors rigorously evaluate SquirrelFS against existing PM file systems including ext4-DAX, NOVA, and WineFS. Key findings from their benchmarks and practical application tests reveal:

• Microbenchmark Latency: SquirrelFS often achieves the lowest latency for various file operations, outperforming others particularly in write-dominated workloads.
• Macrobenchmark Throughput: In Filebench workloads, SquirrelFS provides throughput comparable to or exceeding that of other evaluated systems.
• Real Application Performance: Evaluations using YCSB on RocksDB and LMDB show competitive performance, with SquirrelFS excelling particularly in write-heavy and mixed workloads.

SquirrelFS incurs compilation overhead equivalent to other PM file systems, but the compile-time typestate checking ensures crash consistency. The memory footprint of the indexing structures is reasonable, though the mount time is higher due to the need to rebuild these volatile structures.

Implications and Future Developments

The typestate-based approach introduces a valuable intermediate methodology between conventional testing and full verification. While it does not replace the comprehensive guarantees provided by verified systems, it significantly reduces the complexity and effort required for ensuring crash consistency in file systems. This method is poised to benefit not only persistent memory file systems but potentially other domains requiring strong ordering guarantees in operations.

Future work could address optimizing the mount times for larger-capacity devices, parallelizing rebuild and recovery logic, and extending typestate patterns to broader types of storage systems. Additionally, integrating the typestate pattern with more sophisticated crash-consistency mechanisms like journaling or copy-on-write might offer enhanced guarantees.

Conclusion

The paper provides compelling evidence for using the Rust compiler’s type system to check crash-consistency invariants in file systems. SquirrelFS demonstrates that combining typestate checking with SSU can yield a file system that offers strong consistency guarantees with performance on par with state-of-the-art PM file systems. This approach opens new avenues in file system design, balancing strong correctness assurances with practical development and maintenance overheads.