Fault tolerant flash use

  • I searched the forum and found several tips regarding this topic, but I am not sure what to choose...
    Our app consists of roughly 30 MB read-only data and, say, 500 kb living data.

    OPTION A) - several flashdisks
    ====================

    If I want to get it safe, then I think I'd need 3 partitions:

    a big one read-only and two small ones for the data, always holding 2 copies of the data set.
    Upon every startup I'd have to check consistency between the data, and in case of differences, copy the latest to the other partition.
    Can I flush an entire filesystem in order to finish a write?

    How can I - programmatically - unmount, reformat and mount a partition? Is this API available? (As the use of the storage manager is not acceptable.)

    Can I mount a partition read-only to increase safety?

    OPTION B) - use MS' TFAT
    =================
    BTW, the posted link doesn't work anymore; I tried this one:
    http://msdn2.microsoft.com/en-us/library/aa911939.aspx

    What is your recommendation?

    I am neither experienced with a) nor b) ;)
    but I think it might make sense to store the big amount of data on a simple FS, as the transaction FSs usually tend to produce much overhead, e.g. for invisible copies...

    TIA
    u.b.

  • Meanwhile I checked the sample code area and the sample CeStoreNames.

    This is a good example of how samples should be: compact, readable and extremely helpful. It shows how to use the console as output (it took me quite long to get something like that set up properly in eVC ;) and it shows the use of the Storage Manager functions and acts, important as usual, as an anchor for searches within the help.
    So I found out that mounting, dismounting etc. should be no problem using the well-documented API of the Storage Manager. So I think option 1 might be the better choice.

    but

    a) Is a partition really (!) safe as long as there is no write command issued to it? I did not find a mount read-only flag like Linux has.

    b) How can I make a partition unusable to create test cases?
    How does CE react if there is a bad partition? Does it continue quickly with booting?

    thanks

  • The whole topic is rather complicated. Even if using TFAT, there is a small risk of getting an inconsistent file system. Most of the "secure" file systems silently assume that writing a page or block is atomic, i.e. always succeeds in whole or fails in whole. But if the power is switched off exactly while writing is active, the result is undetermined. The only thing a more secure file system can do is reduce the time while the disk is inconsistent. But you can almost never bring this time to zero.

    Moreover, all these file systems only provide a consistent file system at the next start. This is usually done by using a journal that can reconstruct the file system in an instant, or by issuing a file system check at startup. However, this does not mean that you don't lose data that was still in the memory buffer when the power failed.

    In fact I don't know of any really transaction-safe, lossless file system. Therefore the idea must be to reduce the risk of losing data by other techniques.

    1. By using different partitions for read-only data like program executables and for the changeable data. Then the important read-only data is never in danger.

    2. By avoiding times when data is only held in volatile memory before actually being written to the non-volatile media. For example, use fflush() in your software or close the files as soon as possible. Or use FILE_FLAG_WRITE_THROUGH in CreateFile(). Or use _flushall() to sync all the files.

    Quote from "Behrenbeck":
    a) is a partition really (!) safe as long as there is no write command issued to it ?

    I would assume yes. The system does not create any temporary files under FFSDISK and it opens executables in read-only mode.

    Quote:
    I did not find a mount read only flag like linux has

    However, there is. You can set PARTITION_ATTRIBUTE_READONLY with SetPartitionAttributes() before mounting the partition.

    Quote:
    b) how can I make a partition unusable to create test cases ?

    Just do all the things that usually bring the trouble: write heavily to the partition and then switch off the power. Either after some iterations the file system is actually damaged, or it proves that it is more stable than assumed.

    Quote:
    How does CE react if there is a bad partition? does it continue quickly with booting ?

    Usually yes. At least as long as the files required during the boot process are not damaged. However, it is rather dangerous to write to an inconsistent file system as this may corrupt further data.

    Regards,

    H. Keller

    F&S Elektronik Systeme GmbH
    As this is an international forum, please try to post in English.
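The two-copy data set from option A in the first post, combined with H. Keller's point 2 (force each write to the medium before moving on), as an added example that is not code from this thread or from F&S. It is portable C that uses two files as stand-ins for the two small data partitions and fsync() in place of the Windows CE FILE_FLAG_WRITE_THROUGH / FlushFileBuffers() calls; the slot layout, the sequence number, the CRC-32 check, the file names and the "torn" sample write are all constructed for this example.

```c
/* Two-copy ("A/B") record store, constructed example. The data set is written
 * alternately into two slots (two files here, standing in for the two small
 * data partitions). Each slot carries a sequence number and a CRC-32, so at
 * startup the newer valid copy wins and a slot torn by a power cut is detected
 * and repaired from the other one. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* fsync(); on Windows CE use FlushFileBuffers()/FILE_FLAG_WRITE_THROUGH */

#define SLOT_MAGIC  0x44435553u  /* arbitrary marker chosen for this example */
#define PAYLOAD_MAX 512

typedef struct {
    uint32_t magic;
    uint32_t seq;                /* +1 per commit; the higher one is the newer copy */
    uint32_t len;
    uint32_t crc;                /* CRC-32 over seq, len and payload */
    uint8_t  payload[PAYLOAD_MAX];
} slot_t;

/* Bit-wise CRC-32 (reflected polynomial 0xEDB88320), chainable via `crc`. */
static uint32_t crc32_buf(const uint8_t *p, size_t n, uint32_t crc) {
    crc = ~crc;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & -(crc & 1u));
    }
    return ~crc;
}

static uint32_t slot_crc(const slot_t *s) {
    uint32_t c = crc32_buf((const uint8_t *)&s->seq, sizeof s->seq, 0);
    c = crc32_buf((const uint8_t *)&s->len, sizeof s->len, c);
    return crc32_buf(s->payload, s->len, c);
}

/* A slot counts as valid only if marker, length and CRC all agree. */
static int slot_valid(const slot_t *s) {
    return s->magic == SLOT_MAGIC && s->len <= PAYLOAD_MAX && s->crc == slot_crc(s);
}

static int read_slot(const char *path, slot_t *s) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(s, 1, sizeof *s, f);
    fclose(f);
    return n == sizeof *s && slot_valid(s);   /* a short (torn) file fails here */
}

/* Write the whole slot and force it to the medium before returning. */
static int write_slot(const char *path, const slot_t *s) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    int ok = fwrite(s, 1, sizeof *s, f) == sizeof *s && fflush(f) == 0 && fsync(fileno(f)) == 0;
    return fclose(f) == 0 && ok;
}

/* Startup: pick the newest valid copy. Returns 0 (slot a), 1 (slot b) or -1 if neither is usable. */
static int load_latest(const char *a, const char *b, slot_t *out) {
    slot_t sa, sb;
    int va = read_slot(a, &sa), vb = read_slot(b, &sb);
    if (!va && !vb) return -1;
    if (va && (!vb || sa.seq >= sb.seq)) { *out = sa; return 0; }
    *out = sb;
    return 1;
}

/* Commit a new data set into the slot that does NOT hold the newest valid copy,
 * so a power cut mid-write can only damage the copy being replaced. */
static int commit(const char *a, const char *b, const uint8_t *data, uint32_t len) {
    if (len > PAYLOAD_MAX) return 0;
    slot_t cur, next;
    int latest = load_latest(a, b, &cur);
    memset(&next, 0, sizeof next);
    next.magic = SLOT_MAGIC;
    next.seq = (latest < 0) ? 1 : cur.seq + 1;
    next.len = len;
    memcpy(next.payload, data, len);
    next.crc = slot_crc(&next);
    return write_slot(latest == 0 ? b : a, &next);
}

/* Startup repair, as proposed in the first post: if one copy is stale or
 * damaged, overwrite it with the newest good one so both partitions agree. */
static int repair(const char *a, const char *b) {
    slot_t best, other;
    int latest = load_latest(a, b, &best);
    if (latest < 0) return 0;
    const char *other_path = latest == 0 ? b : a;
    if (read_slot(other_path, &other) && other.seq == best.seq) return 1;  /* already in sync */
    return write_slot(other_path, &best);
}

/* Demo: two commits, then a constructed torn write on slot B (simulated power cut). */
int main(void) {
    const char *A = "slot_a.bin", *B = "slot_b.bin";
    remove(A); remove(B);
    commit(A, B, (const uint8_t *)"config v1", 9);
    commit(A, B, (const uint8_t *)"config v2", 9);
    FILE *f = fopen(B, "wb"); fwrite("torn", 1, 4, f); fclose(f);   /* B is now unreadable */
    slot_t s;
    int idx = load_latest(A, B, &s);
    printf("latest valid copy: slot %c, seq %u, \"%.*s\"\n",
           idx == 0 ? 'A' : 'B', (unsigned)s.seq, (int)s.len, (const char *)s.payload);
    repair(A, B);
    return 0;
}
```

The rule that makes this safe is that a commit only ever overwrites the slot that is not the newest valid copy, so a power cut mid-write destroys at most the copy being replaced; on the next start load_latest() falls back to the intact older copy (seq 1 in the demo) and repair() brings both partitions back in line, which is exactly the startup consistency check the first post asks about. Replace the two file paths with paths on the two data partitions to use it on the real layout.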

  • Thank you for the detailed answer.

    Yes, the topic is quite complex, but I would have expected that a dedicated flash file system could withstand power loss during write ...

    The other solution would .. as long as I can find means to ensure that the write to the first partition is really done (fully flushed) before I start to write to the second.

    If I get you right, then you'd recommend choosing the "three partitions" solution?

    regards
    U. Behrenbeck

  • You can do both: use TFAT to reduce failure of the file system in general. (This alone will *not* avoid data loss of not-yet-written files.) If you add the "three partition" solution, then you avoid losing data at all. And it is easier to recover from the rare cases when even TFAT fails.

    TFAT *is* rather secure as it uses the two FATs as a kind of simple journal. But while doing this, it often has to write to the boot sector, especially the "File System Valid" flag to mark if the file system is consistent (transaction complete) or if it is currently changing the content (transaction in progress). This procedure may fail in those cases when the writing of the boot sector is unexpectedly interrupted.

    Quote:
    but I would have expected that a dedicated flash file system could withstand power loss during write ...

    That was my first thought a few years ago, too. However, if you dive a little deeper into the file systems, you will see that getting a really failsafe file system is not easy at all. If you look at jffs2, yaffs or whatever "failsafe" flash file systems there may be, even in the Linux world, they all can (and will) fail in certain circumstances. It is always a compromise between memory requirements, efficiency and average failure probabilities. So nothing different with NetDCU and FAT/TFAT there...

    BTW, we *are* currently developing a new file system offering more security. But this is still work in progress.

    Regards,

    H. Keller

    F&S Elektronik Systeme GmbH