1. Field of the Invention
The present invention relates to a file storage apparatus, more particularly to a file storage apparatus capable of safely protecting a file system from trouble such as sudden power outages (failure) or momentary loss of power.
2. Description of the Related Art
At present, storage apparatuses using disk media such as hard disk drives (hereinafter abbreviated as “HDDs”) are frequently used. There have been remarkable advances in increasing the capacity of these storage media. In recent years, they have been used not only for computer applications, but also for recording video images etc.
When storing a file on such a disk medium, software referred to as a “file system” is usually used. The file system manages files on the disk medium so that the files can be easily accessed. There are a variety of types of file systems. All of them store management information of the files (hereinafter referred to as “meta data”) on the disk medium together with the contents of the files (hereinafter referred to as the “main data”).
Meta data includes for example a table indicating the storage position on the disk medium of the main data of each file and information of the capacity etc. For normal operation of the file system, it is indispensable that integrity of the information in the meta data be held. This is because nonintegrity in the meta data causes trouble in access of the entire disk, so even very small damage has a substantial impact.
If the power supply of the apparatus fails just when data is being written onto a disk medium, the meta data on the disk medium sometimes does not maintain its integrity. Nonintegrity means, for example, the following.
Assume that a directory A exists in the file system, and there is a file B in the directory A. The meta data of the directory A has information indicating that it contains the file B, as well as the position and size of the file B on the disk medium. Further, the meta data of the file B has information indicating that the file exists in the directory A.
Here, consider a case where the power supply fails while performing the work of deleting the file B from the directory A. To delete the file, it is necessary to update the meta data at least at two positions. When the work is stopped in the middle of the update operation, the meta data of the file B is lost, but the information of the file B in the directory A may remain. In this case, even though the file B appears to exist when viewed from the directory A, it becomes impossible to access its content.
Such nonintegrity sometimes brings the entire system into a critical state. For this reason, in general, in a system mounting a disk medium such as an HDD, the existence of such nonintegrity is checked when starting up the system. When nonintegrity is detected by this check, the system runs a scan check over the entire area of the HDD and tries to recover the integrity of the meta data. This takes enormous time, so the user is unable to use the apparatus for a long time.
A sudden power outage (failure), momentary loss of power, or other power supply abnormality is a serious problem which may occur in consumer electronics such as video recorders equipped with HDDs, which do not strictly specify usage procedures for the user, so a variety of corrective measures have been proposed.
For example, Japanese Unexamined Patent Publication (Kokai) No. 2002-32975 discloses duplexing meta data and a technique for managing the same. Here, the meta data, a copy of the meta data, and a descriptor describing their updating history are stored on the disk. The routine is as follows:
(Step ST11)
First, the meta data on a buffer is stored in a first region on the disk.
(Step ST12)
A first value indicating the completion of the storage of the meta data is described in the descriptor.
(Step ST13)
Next, the copied meta data is stored in a second region on the disk.
(Step ST14)
A second value indicating the completion of the storage of the copied meta data is described in the descriptor.
When restarted after the end of an abnormality, the system performs the following processing by referring to the value of the descriptor. For example, when the power supply fails before the storage of the meta data or during the storage, the second value is described in the descriptor. Accordingly, in this case, by overwriting the meta data with the copied meta data, the state where the internal integrity was established before storing the meta data is restored. On the other hand, if the power supply fails during the storage of the copied meta data, the first value is described in the descriptor. In this case, by overwriting the copied meta data with the meta data, the state of normal storage is restored.
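As an added illustration (not code from the cited publication or from this specification), the following Python model runs steps ST11 to ST14 block by block, cuts power at every possible point, and applies the descriptor-based restart processing described above. The block contents and the names update_writes, crash_after, recover and outcomes are assumptions made for the example.

```python
OLD = ["a0", "a1", "a2"]   # constructed: meta data blocks consistent before the update
NEW = ["b0", "b1", "b2"]   # constructed: meta data blocks held in the buffer

def update_writes():
    """Block-level writes in the order steps ST11 to ST14 issue them."""
    n = range(len(NEW))
    return ([("meta", i, NEW[i]) for i in n] + [("desc", None, 1)]      # ST11, ST12
            + [("copy", i, NEW[i]) for i in n] + [("desc", None, 2)])   # ST13, ST14

def crash_after(k):
    """Disk contents if power is lost after the first k writes reach the medium."""
    # Starting state: the previous update completed, so the descriptor holds 2.
    disk = {"meta": list(OLD), "copy": list(OLD), "desc": 2}
    for region, i, val in update_writes()[:k]:
        if region == "desc":
            disk["desc"] = val
        else:
            disk[region][i] = val
    return disk

def recover(disk):
    """Restart processing: the descriptor decides which region is trusted."""
    if disk["desc"] == 2:      # meta data may be torn, the copy is intact
        disk["meta"] = list(disk["copy"])
    else:                      # descriptor is 1: meta data complete, copy may be torn
        disk["copy"] = list(disk["meta"])
    return disk

def outcomes():
    """Recovered disk state for every possible crash point, in write order."""
    total = len(update_writes())
    return [recover(crash_after(k)) for k in range(total + 1)]
```

Every crash point recovers to either the old or the new meta data; a crash after the meta data is fully written but before the first value is recorded still rolls back to the old state.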
However, the larger the capacity of the disk medium, the larger the meta data as well, therefore frequent storage of the duplexed meta data adversely lowers the performance of the system. Further, due to the need in disk management, meta data are arranged dispersed at different positions, so it is necessary to frequently perform a seek operation when rewriting them. For this reason, an enormous time overhead occurs in the rewriting of the meta data.
On the other hand, when the frequency of storage of the meta data is lowered, if there is momentary power loss as explained above, even if the integrity of the meta data can be established by returning to the state before the storage, much information updated after storing the meta data will be lost.
This problem is overcome to a certain extent at present by a technique referred to as “journaling”. For example, in a file system such as the XFS of Linux, file management is carried out incorporating this technique.
Next, an explanation will be given of the technique of restoration of meta data by “journaling”.
In journaling, at the time of change of the meta data, information concerning the changed part (difference) is stored in a region different from that for the main data (hereinafter referred to as a “log storage region”). The information of the difference (hereinafter referred to as “log data”) is used for reconstructing the meta data after update from the meta data before update.
Below, an explanation will be given of the routine for updating meta data in journaling.
(Step ST21)
When performing a file operation accompanied with update of meta data, the information of the meta data to be updated by the file operation is stored as log data in the log storage region on the HDD.
(Step ST22)
After the storage ends, the actual meta data on the HDD is updated.
(Step ST23)
After the change of the meta data ends, the log storage region on the HDD is freed up and writing of the next log data is enabled.
If the power supply of the apparatus fails while performing the work of steps ST21 to ST23, the integrity of the meta data is maintained as follows when the power supply of the apparatus is next restored.
(Case where the Power Supply Fails at Step ST21)
There is a possibility that no correct information will exist in the log storage region on the HDD. However, since no change is made at this point of time at the meta data region on the HDD, the integrity of the meta data is held. In this case, the meta data exhibits the state before the file operation.
(Case where the Power Supply Fails at Step ST22)
There is a possibility that the information in the meta data region on the HDD will not be correct. However, all of the history of change of the meta data remains as log data in the log storage region on the HDD, therefore by writing the meta data reconstructed based on this log data into the meta data region on the HDD, the integrity of the entire meta data can be held. In this case, the meta data enters a state after the file operation.
(Case where the Power Supply Fails at Step ST23)
The information in the log storage region on the HDD is not freed up, so the update information of the meta data existing in the log storage region is written back into the meta data region on the HDD. Namely, the meta data reconstructed based on the log data remaining in the log storage region is written back into the meta data region. In this case, the correct information is already written into the meta data region, so the same information is merely written again. This does not degrade the integrity.
By the above methods, it becomes possible to restore the integrity of the meta data no matter when the power supply of the apparatus fails. In this case, the log data stored in the log storage region of the HDD is only the amount of the change of the meta data, that is, the difference, and is much smaller in data size than the entire meta data. Further, the log data can usually be stored together in contiguous locations on the disk, so the number of seek operations of the head of the HDD can be minimized. Accordingly, the overhead for disk access accompanied with the storage of the log data is relatively small.
Further, so long as this log data is stored, it is possible to reconstruct the meta data based on the log data even if the meta data per se is not stored, and the meta data can be easily restored to a state near the newest meta data. Accordingly, by just frequently storing the log data, the frequency of storage of the meta data itself may be kept to the minimum, so the performance of the disk access is greatly improved.
The methods of duplexing and journaling the meta data explained above assume that the sequence in which the file system writes data to the HDD and the sequence in which the data is actually written to the hard disk are the same.
Most recent HDDs, however, mount a cache memory configured by a volatile memory such as dynamic random access memory (DRAM) in order to raise write performance. The data to be written into the hard disk is stored once in this cache memory, then its write sequence is changed so that the write time becomes the shortest, and it is written into the hard disk. In the case of an HDD, the wait time for moving the head and the wait time of the disk rotation are very long, therefore by changing the write sequence of the data in the cache memory, deterioration of the performance of random writing can be reduced to the lowest limit.
In a file system using journaling, if the write sequence is changed in this way, the following disadvantages occur.
When the sequence of steps ST21 and ST22 is inverted, the meta data region on the HDD will be changed even though not all of the information of the changed meta data has been stored in the log storage region on the HDD. When the power supply of the apparatus fails at this point of time, even though part of the meta data region on the HDD has already been rewritten, all of the information for correctly reflecting the content of the change of the meta data on the meta data region will not exist in the log storage region. Accordingly, if the meta data is rewritten based on the information of this log storage region, the integrity of the meta data will be degraded.
When the sequence of steps ST22 and ST23 is inverted, the log storage region will be freed up even though part of the meta data region on the HDD has not yet been correctly changed. In this case, the information of the log storage region has already become unusable, so the integrity of the meta data cannot be restored.
Further, even if there is no change of the write sequence, if the power supply fails in the state where part of the log data is stored in the cache memory, the integrity of the meta data cannot be restored.
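As an added illustration (not code from this specification or from any file system), the following Python model applies the journaling routine of steps ST21 to ST23 to the deletion of file B from directory A, cuts power after every write, and runs the recovery described above, first in the issued order and then in every order a reordering cache could choose. The names and the rule that recovery replays only a complete log are assumptions made for the example.

```python
from itertools import permutations

OLD = {"dirA": ("B",), "inodeB": "in dirA"}  # constructed: file B exists in directory A
NEW = {"dirA": (), "inodeB": None}           # constructed: both positions after deleting B

def issued_order():
    """Writes in the order the file system issues them."""
    log = [("log", k, v) for k, v in NEW.items()]     # ST21: store the difference
    meta = [("meta", k, v) for k, v in NEW.items()]   # ST22: update meta data in place
    return log + meta + [("free", None, None)]        # ST23: free the log region

def crash_and_recover(order, k):
    """Let the first k writes of `order` reach the medium, lose power, then recover."""
    meta, log = dict(OLD), {}
    for kind, key, val in order[:k]:
        if kind == "log":
            log[key] = val
        elif kind == "meta":
            meta[key] = val
        else:
            log = {}
    if len(log) == len(NEW):   # assumption: an incomplete log is detectable and ignored
        meta.update(log)       # replay is idempotent (the ST23 case)
    return meta

def bad_crash_points(order):
    """Crash points after which recovery yields neither the old nor the new state."""
    return [k for k in range(len(order) + 1)
            if crash_and_recover(order, k) not in (OLD, NEW)]

def count_unsafe_orders():
    """Orders a reordering cache could choose that have at least one bad crash point."""
    return sum(1 for p in permutations(issued_order()) if bad_crash_points(p))
```

In the issued order no crash point breaks integrity, while 112 of the 120 possible orderings of these five writes leave at least one crash point from which the meta data cannot be restored.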
The state is exactly the same for the method of duplexing the meta data. If the write sequence of two meta files and descriptors ends up being jumbled or if part of the data is missing, the effect of restoration of the meta file ends up being lost.
The method of directly coping with this disadvantage is to forcibly write all of the content of the cache into the hard disk when writing the meta data and the log data into the HDD. In this method, however, the overhead for the disk access becomes extremely large, therefore if the log is frequently updated, this becomes a source of deterioration of the performance of the system.
The disadvantage of the nonintegrity of the meta data due to a power supply abnormality explained above is not limited to a storage device using a disk medium such as an HDD and also exists in a storage device using, for example, a flash memory. This is because the data transfer speed of a flash memory is slower than that of an HDD and the power consumption for a rewrite is considerably larger than that of the usual semiconductor memory, so data loss accompanying a momentary power loss in the middle of a rewrite may occur in exactly the same way as with the HDD etc.