Abstract

Abstract The reliability of file systems depends in part on howwell they propagate errors. We develop a static analysis technique, EDP, that analyzes how file systems andstorage device drivers propagate error codes. Running our EDP analysis on all file systems and 3 major storagedevice drivers in Linux 2.6, we find that errors are often incorrectly propagated; 1153 calls (13%) drop an errorcode without handling it. We perform a set of analyses to rank the robustnessof each subsystem based on the completeness of its error propagation; we find that many popular file systemsare less robust than other available choices. We confirm that write errors are neglected more often than readerrors. We also find that many violations are not cornercase mistakes, but perhaps intentional choices. Finally,we show that inter-module calls play a part in incorrect error propagation, but that chained propagations do not.In conclusion, error propagation appears complex and hard to perform correctly in modern systems. 1 Introduction The robustness of file systems and storage systems isa major concern, and rightly so [32]. Recent work has shown that file systems are especially unreliablewhen the underlying disk system does not behave as expected [20]. Specifically, many modern commodity filesystems, such as Linux ext3 [31], ReiserFS [23], IBM's JFS [1], and Windows NTFS [27], all have serious bugsand inconsistencies in how they handle errors from the storage system. However, the question remains unan-swered as to why these fault-handling bugs are present.