> Pillai et al., OSDI’14 looked at a bunch of software that writes to files, including things we'd hope write to files safely, like databases and version control systems: Leveldb, LMDB, GDBM, HSQLDB, Sqlite, PostgreSQL, Git, Mercurial, HDFS, Zookeeper. They then wrote a static analysis tool that can find incorrect usage of the file API, things like incorrectly assuming that operations that aren't atomic are actually atomic, incorrectly assuming that operations that can be re-ordered will execute in program order, etc.<p>> When they did this, they found that every single piece of software they tested except for SQLite in one particular mode had at least one bug. This isn't a knock on the developers of this software or the software itself -- the programmers who work on things like Leveldb, LMDB, etc., know more about filesystems than the vast majority of programmers, and the software has more rigorous tests than most software. But they still can't use files safely every time! A natural follow-up to this is the question: why is the file API so hard to use that even experts make mistakes?
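To make the "atomicity and ordering assumptions" concrete, here's a sketch of the full crash-safe replace-via-rename pattern in Python. Every step matters: skip the file fsync and the rename can land before the data; skip the directory fsync and the rename itself may not be durable. Omitting one of these steps is exactly the class of bug the paper's tool flags. (This is an illustrative sketch, not code from the paper; error handling is omitted.)

```python
import os

def atomic_replace(path, data):
    """Replace `path` with `data` so a reader sees either the old or the
    new contents, never a torn mix, even across a crash."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, data)
        os.fsync(fd)      # 1. make the new data durable BEFORE the rename
    finally:
        os.close(fd)
    os.rename(tmp, path)  # 2. rename is atomic within one filesystem
    # 3. the rename is only durable once the directory entry is synced
    dfd = os.open(os.path.dirname(path) or ".", os.O_RDONLY)
    try:
        os.fsync(dfd)
    finally:
        os.close(dfd)
```

Note that POSIX guarantees the rename is atomic with respect to concurrent readers, but durability ordering across a crash is exactly where filesystems differ, which is why the directory fsync is easy to forget.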
Ext4 actually special-handles the rename trick so that it works even if it should not:<p>"If auto_da_alloc is enabled, ext4 will detect the replace-via-rename and replace-via-truncate patterns and [basically save your ass]"[0]<p>[0]<a href="https://docs.kernel.org/admin-guide/ext4.html" rel="nofollow">https://docs.kernel.org/admin-guide/ext4.html</a>
> they found that every single piece of software they tested except for SQLite in one particular mode had at least one bug.<p>This is why whenever I need to persist any kind of state to disk, SQLite is the first tool I reach for. Filesystem APIs are scary, but SQLite is well-behaved.<p>Of course, it doesn't always make sense to do that, like the dropbox use case.
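For what it's worth, "reach for SQLite" for small bits of state can be as little as this (a hypothetical helper, just to show the shape of the approach -- the transaction gives you the all-or-nothing crash behavior that's so hard to get from raw files):

```python
import sqlite3

class KVStore:
    """Minimal persistent key-value store backed by SQLite (illustrative
    sketch; name and API are made up for this example)."""

    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS kv (k TEXT PRIMARY KEY, v TEXT)")
        self.db.commit()

    def put(self, k, v):
        # `with` wraps the statement in a transaction: on a crash,
        # either the whole write is visible or none of it is.
        with self.db:
            self.db.execute("INSERT OR REPLACE INTO kv VALUES (?, ?)", (k, v))

    def get(self, k, default=None):
        row = self.db.execute(
            "SELECT v FROM kv WHERE k = ?", (k,)).fetchone()
        return row[0] if row else default
```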
As per HN headlines, files are hard, git is hard, regex is hard, time zones are hard, money as a data type is hard, hiring is hard, people are hard.<p>I wonder what is easy.
I wonder whether, in the Pillai paper, they tested the SQLite Rollback option with the default synchronous [1] (`NORMAL`, I believe) or with `EXTRA`. I'm thinking that it was probably the default.<p>I kinda think, and I could be wrong, that SQLite rollback would not have any vulnerabilities with `synchronous=EXTRA` (and `fullfsync=F_FULLFSYNC` on macOS [2]).<p>[1]: <a href="https://www.sqlite.org/pragma.html#pragma_synchronous" rel="nofollow">https://www.sqlite.org/pragma.html#pragma_synchronous</a><p>[2]: <a href="https://www.sqlite.org/pragma.html#pragma_fullfsync" rel="nofollow">https://www.sqlite.org/pragma.html#pragma_fullfsync</a>
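If you want to rule that out in your own code rather than rely on the defaults, forcing those settings from Python's sqlite3 looks something like this (a sketch; `app.db` is a placeholder path, and `fullfsync` is a no-op everywhere except macOS):

```python
import sqlite3

conn = sqlite3.connect("app.db")
# Rollback-journal mode (the default, aka journal_mode=DELETE)
conn.execute("PRAGMA journal_mode=DELETE")
# EXTRA goes beyond FULL: it also syncs the directory after the
# rollback journal is unlinked on commit
conn.execute("PRAGMA synchronous=EXTRA")
# On macOS, request F_FULLFSYNC so writes reach stable storage,
# not just the drive's volatile cache
conn.execute("PRAGMA fullfsync=ON")
```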
> On Linux ZFS, it appears that there's a code path designed to do the right thing, but CPU usage spikes and the system may hang or become unusable.<p>ZFS fsync will not fail, although it could end up waiting forever when a pool faults due to hardware failures:<p><a href="https://papers.freebsd.org/2024/asiabsdcon/norris_openzfs-fsync-failure/" rel="nofollow">https://papers.freebsd.org/2024/asiabsdcon/norris_openzfs-fs...</a>
No Javascript or SNI:<p><a href="https://archive.wikiwix.com/cache/index2.php?rev_t=&url=https%3A%2F%2Fdanluu.com%2Fdeconstruct-files%2F" rel="nofollow">https://archive.wikiwix.com/cache/index2.php?rev_t=&url=http...</a>
this whole thing is a story about using outdated stuff in a shitty ecosystem.<p>it's not a real problem for most modern developers.<p>pwrite? wtf?<p>not one mention of fopen.<p>granted some of the fine detail discussion is interesting, but it hasn't made practical sense since about 1990.
I don't get it. The only times I've had problems with filesystem corruption in the past few decades was with a hardware problem, and said hardware was quickly replaced. FAT family has been perfectly fine while I've encountered corruption on every other FS including NTFS, exFAT, and the ext* family.<p>Meanwhile you can read plenty of stories of others having the exact opposite experience.<p>If you keep losing data to power losses or crashes, perhaps fix the cause of that? It doesn't make sense to try to work around it.