Features/QED
Specification
The file format looks like this:
    +--------+----------+---------+---------+-----+
    | header | L1 table | extent0 | extent1 | ... |
    +--------+----------+---------+---------+-----+
Header
    Header {
        uint32_t magic;               /* COW2 */
        uint32_t features;            /* format feature bits */
        uint32_t cluster_size;        /* in bytes */
        uint32_t table_size;          /* table size, in clusters */
        uint64_t l1_table_offset;     /* L1 table offset, in clusters */
        uint64_t image_size;          /* total image size, in clusters */
        uint32_t backing_file_offset; /* in bytes from start of header */
        uint32_t backing_file_size;   /* in bytes */
    }
Extent table
    #define TABLE_NOFFSETS (table_size * cluster_size / sizeof(uint64_t))

    Table {
        uint64_t offsets[TABLE_NOFFSETS];
    }
The extent tables are organized as follows:
                         +----------+
                         | L1 table |
                         +----------+
                    ,------'  |  '------.
               +----------+   |    +----------+
               | L2 table |  ...   | L2 table |
               +----------+        +----------+
          ,------'  |  '------.
     +----------+   |    +----------+
     |   Data   |  ...   |   Data   |
     +----------+        +----------+
The table_size field allows tables to be multiples of the cluster size. For example, cluster_size=64 KB and table_size=4 results in 256 KB tables.
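The header comes from an image file that may be untrusted, so TABLE_NOFFSETS and the L1 location should be checked before any table is indexed. The following is an added example, not part of the specification or of QEMU's code. It assumes a power-of-two cluster_size and a header that occupies cluster 0; the struct and function names are hypothetical.

```c
#include <stdint.h>
/* Subset of the header fields above (hypothetical struct name). */
struct qed_header {
    uint32_t cluster_size;    /* in bytes */
    uint32_t table_size;      /* in clusters */
    uint64_t l1_table_offset; /* in clusters */
    uint64_t image_size;      /* in clusters */
};

/* TABLE_NOFFSETS in 64-bit arithmetic; 0 means reject the geometry. */
static uint64_t qed_table_noffsets(const struct qed_header *h)
{
    /* Assumption (not in the spec): non-zero power-of-two cluster_size. */
    if (h->cluster_size == 0 || (h->cluster_size & (h->cluster_size - 1)))
        return 0;
    return (uint64_t)h->table_size * h->cluster_size / sizeof(uint64_t);
}

/* Check an untrusted header against the file length; 0 if usable, else -1. */
static int qed_check_geometry(const struct qed_header *h, uint64_t file_bytes)
{
    if (qed_table_noffsets(h) == 0)
        return -1;
    uint64_t file_clusters = file_bytes / h->cluster_size;
    /* Assumption: header owns cluster 0; L1 must follow it, inside the file. */
    if (h->l1_table_offset == 0 || h->l1_table_offset >= file_clusters ||
        h->table_size > file_clusters - h->l1_table_offset)
        return -1;
    return 0;
}

/* Split a guest cluster number into L1/L2 indexes; -1 if it lies past
 * image_size or would index beyond the end of the L1 table. */
static int qed_split(const struct qed_header *h, uint64_t cluster,
                     uint64_t *l1_index, uint64_t *l2_index)
{
    uint64_t n = qed_table_noffsets(h);
    if (n == 0 || cluster >= h->image_size || cluster / n >= n)
        return -1;
    *l1_index = cluster / n;
    *l2_index = cluster % n;
    return 0;
}

int main(void)
{
    struct qed_header h = { 65536, 4, 1, 100000 }; /* constructed sample */
    uint64_t l1, l2;
    return qed_check_geometry(&h, 5 * 65536) || qed_split(&h, 32769, &l1, &l2);
}
```

With cluster_size=64 KB and table_size=4 each table holds 32768 offsets, so guest cluster 32769 resolves to L1 index 1, L2 index 1.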
Operations
Read
- If the L2 table is not present in L1, read from the backing image.
- If the data cluster is not present in L2, read from the backing image.
- Otherwise read the data from the cluster.
Write
- If the L2 table is not present in L1, allocate a new cluster and a new L2 table. Perform the L2 and L1 links after writing the data.
- If the data cluster is not present in L2, allocate a new cluster. Perform L1 link after writing data.
- Otherwise overwrite the data cluster.
The L2 link should be made after the data is in place on storage. However, when no ordering is enforced, the worst-case scenario is an L2 link to an unwritten cluster.
The L1 link must be made after the L2 cluster is in place on storage. If the order is reversed, the L1 table may point to a bogus L2 table. (Is this a problem since clusters are allocated at the end of the file?)
Grow
- If table_size * TABLE_NOFFSETS < new_image_size, fail with -EOVERFLOW. The L1 table is not big enough.
- Write the new image_size header field.
Data integrity
Write
Writes that complete before a flush must be stable when the flush completes.
If storage is interrupted (e.g. power outage) then writes in progress may be lost, stable, or partially completed. The storage must not be otherwise corrupted or inaccessible after it is restarted.