A Formal Model of a Virtual Filesystem Switch

This work presents a formal model that is part of our effort to construct a verified file system for Flash memory. To modularize the verification we factor out generic aspects into a common component that is inspired by the Linux Virtual Filesystem Switch (VFS) and provides POSIX compatible operations. It relies on an abstract specification of its internal interface to concrete file system implementations (AFS). We proved that preconditions of AFS are respected and that the state is kept consistent. The model can be made executable and mounted into the Linux directory tree using FUSE.

💡 Research Summary

The paper presents a formally specified virtual filesystem switch (VFS) that serves as a generic, POSIX‑compatible layer for building a verified flash‑memory file system. The authors start from the Linux VFS concept, extracting the common responsibilities of path resolution, inode and dentry management, and the definition of standard file‑operation primitives (open, read, write, mkdir, unlink, etc.). Each primitive is expressed as a state‑transition relation with explicit pre‑conditions and post‑conditions, allowing rigorous reasoning about correctness.

To keep the verification effort modular, the VFS does not implement any storage‑specific logic itself. Instead it delegates all low‑level actions to an abstract file system interface (AFS). The AFS contract specifies a minimal set of functions that any concrete file system must provide: block allocation/deallocation, inode initialization, block read/write, and transaction primitives (begin, commit, abort). The contract also enumerates the exact pre‑conditions each function expects (e.g., a valid inode number, sufficient free blocks) and the post‑conditions it guarantees (e.g., consistency of the inode’s metadata).

The formal model is developed in the Coq proof assistant. The authors first prove that every VFS operation respects its own pre‑conditions and preserves a collection of global invariants: inode identifiers remain unique, directory entries always point to a valid parent, and open file descriptors are only valid while their underlying inode exists. Next, they prove the interface contract: whenever the VFS calls an AFS routine, the arguments satisfy the routine’s pre‑conditions, and the returned values satisfy the VFS’s post‑conditions. This two‑level proof structure isolates the verification of the generic VFS layer from the verification of any particular concrete file system, enabling reuse of the VFS proof across multiple AFS implementations.

Beyond the theoretical contribution, the model is made executable. Coq’s extraction mechanism generates OCaml code that implements the VFS core. By linking this code with a small FUSE (Filesystem in Userspace) wrapper, the authors mount the verified VFS as a regular directory in a Linux system. The mounted filesystem behaves like any POSIX‑compliant filesystem: standard utilities (ls, cat, cp, etc.) operate correctly, and error handling follows the defined pre‑condition checks (e.g., permission denied, file not found). This demonstrates that the formal model is not merely an abstract artifact but can be integrated into a real operating system environment.

In summary, the paper contributes a clean, mathematically rigorous abstraction of the virtual filesystem switch, a well‑defined AFS interface, and a proof methodology that separates generic VFS correctness from concrete storage implementation. The approach yields a reusable verification foundation for flash‑oriented file systems such as JFFS2 or UBIFS, while also providing an executable prototype that can be mounted via FUSE. This work bridges the gap between formal verification and practical system deployment, offering a scalable path toward fully verified storage stacks for emerging non‑volatile memory technologies.