Rethink the Sync
Edmund B. Nightingale, Kaushik Veeraraghavan, Peter M. Chen, and Jason Flinn
Department of Electrical Engineering and Computer Science
University of Michigan
Abstract
We introduce external synchrony, a new model for local
file I/O that provides the reliability and simplicity of syn-
chronous I/O, yet also closely approximates the perfor-
mance of asynchronous I/O. An external observer cannot
distinguish the output of a computer with an externally
synchronous file system from the output of a computer
with a synchronous file system. No application modifi-
cation is required to use an externally synchronous file
system: in fact, application developers can program to
the simpler synchronous I/O abstraction and still receive
excellent performance. We have implemented an exter-
nally synchronous file system for Linux, called xsyncfs.
Xsyncfs provides the same durability and ordering guar-
antees as those provided by a synchronously mounted
ext3 file system. Yet, even for I/O-intensive benchmarks,
xsyncfs performance is within 7% of ext3 mounted asyn-
chronously. Compared to ext3 mounted synchronously,
xsyncfs is up to two orders of magnitude faster.
1 Introduction
File systems serve two opposing masters: durability and
performance. The tension between these goals has led
to two distinct models of file I/O: synchronous and asyn-
chronous.
A synchronous file system (e.g., one mounted with the
sync option on a Linux system) guarantees durability by
blocking the calling application until modifications are
committed to disk. Synchronous I/O provides a clean ab-
straction to users. Any file system operation they observe
to complete is durable — data will not be lost due to a
subsequent OS crash or power failure. Synchronous I/O
also guarantees the ordering of modifications; if one op-
eration causally precedes another, the effects of the sec-
ond operation are never visible unless the effects of first
operation are also visible. Unfortunately, synchronous
I/O can be very slow because applications frequently
block waiting for mechanical disk operations. In fact, our
results show that blocking due to synchronous I/O can
degrade the performance of disk-intensive benchmarks
by two orders of magnitude.
USENIX Association OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
In contrast, an asynchronous file system does not block
the calling application, so modifications are typically
committed to disk long after the call completes. This
is fast, but not safe. Users view output that depends
on uncommitted modifications. If the system crashes or
loses power before those modifications commit, the out-
put observed by the user was invalid. Asynchronous I/O
also complicates applications that require durability or
ordering guarantees. Programmers must insert explicit
synchronization operations such as fsync to enforce the
guarantees required by their applications. They must
sometimes implement complex group commit strategies
to achieve reasonable performance. Despite the poor
guarantees provided to users and programmers, most lo-
cal file systems provide an asynchronous I/O abstraction
by default because synchronous I/O is simply too slow.
The tension between durability and performance leads to
surprising behavior. For instance, on most desktop op-
erating systems, even executing an explicit synchroniza-
tion command such as fsync does not protect against
data loss in the event of a power failure [13]. This be-
havior is not a bug, but rather a conscious design deci-
sion to sacrifice durability for performance [27]. For ex-
ample, on fsync, the Linux 2.4 kernel commits data to
the volatile hard drive cache rather than to the disk plat-
ter. If a power failure occurs, the data in the drive cache
is lost. Because of this behavior, applications that re-
quire stronger durability guarantees, such as the MySQL
database, recommend disabling the drive cache [15].
While MacOS X and the Linux 2.6 kernel provide mech-
anisms to explicitly flush the drive cache, these mecha-
nisms are not enabled by default due to the severe per-
formance degradation they can cause.
We show that a new model of local file I/O, which
we term external synchrony, resolves the tension be-
tween durability and performance. External synchrony
provides the reliability and simplicity of synchronous
I/O, while closely approaching the performance of asyn-
chronous I/O. In external synchrony, we view the ab-
straction of synchronous I/O as a set of guarantees that
are provided to the clients of the file system. In con-
1
 trast to asynchronous I/O, which improves performance
by substantially weakening these guarantees, externally
synchronous I/O provides the same guarantees, but it
changes the clients to which the guarantees are provided.
Synchronous I/O reflects the application-centric view of
modern operating systems. The return of a synchronous
file system call guarantees durability to the application
since the calling process is blocked until modifications
commit. In contrast, externally synchronous I/O takes a
user-centric view in which it guarantees durability not to
the application, but to any external entity that observes
application output. An externally synchronous system
returns control to the application before committing data.
However, it subsequently buffers all output that causally
depends on the uncommitted modification. Buffered out-
put is only externalized (sent to the screen, network, or
other external device) after the modification commits.
From the viewpoint of an external observer such as a
user or an application running on another computer, the
guarantees provided by externally synchronous I/O are
identical to the guarantees provided by a traditional file
system mounted synchronously. An external observer
never sees output that depends on uncommitted modi-
fications. Since external synchrony commits modifica-
tions to disk in the order they are generated by appli-
cations, an external observer will not see a modification
unless all other modifications that causally precede that
modification are also visible. However, because exter-
nally synchronous I/O rarely blocks applications, its per-
formance approaches that of asynchronous I/O.
Our externally synchronous Linux file system, xsyncfs,
uses mechanisms developed as part of the Speculator
project [17]. When a process performs a synchronous
I/O operation, xsyncfs validates the operation, adds the
modifications to a file system transaction, and returns
control to the calling process without waiting for the
transaction to commit. However, xsyncfs also taints the
calling process with a commit dependency that specifies
that the process is not allowed to externalize any output
until the transaction commits. If the process writes to
the network, screen, or other external device, its output
is buffered by the operating system. The buffered output
is released only after all disk transactions on which the
output depends commit. If a process with commit depen-
dencies interacts with another process on the same com-
puter through IPC such as pipes, the file cache, or shared
memory, the other process inherits those dependencies
so that it also cannot externalize output until the trans-
action commits. The performance of xsyncfs is gener-
ally quite good since applications can perform computa-
tion and initiate further I/O operations while waiting for
a transaction to commit. In most cases, output is delayed
by no more than the time to commit a single transaction
2 OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
— this is typically less than the perception threshold of a
human user.
Xsyncfs uses output-triggered commits to balance
throughput and latency. Output-triggered commits track
the causal relationship between external output and file
system modifications to decide when to commit data.
Until some external output is produced that depends
upon modified data, xsyncfs may delay committing data
to optimize for throughput. However, once some output
is buffered that depends upon an uncommitted modifica-
tion, an immediate commit of that modification is trig-
gered to minimize latency for any external observer.
Our results to date are very positive. For I/O inten-
sive benchmarks such as Postmark and an Andrew-style
build, the performance of xsyncfs is within 7% of the de-
fault asynchronous implementation of ext3. Compared to
current implementations of synchronous I/O in the Linux
kernel, external synchrony offers better performance and
better reliability. Xsyncfs is up to an order of magni-
tude faster than the default version of ext3 mounted syn-
chronously, which allows data to be lost on power fail-
ure because committed data may reside in the volatile
hard drive cache. Xsyncfs is up to two orders of mag-
nitude faster than a version of ext3 that guards against
losing data on power failure. Xsyncfs sometimes even
improves the performance of applications that do their
own custom synchronization. Running on top of xsyncfs,
the MySQL database executes a modified version of the
TPC-C benchmark up to three times faster than when it
runs on top of ext3 mounted asynchronously.
2 Design overview
2.1 Principles
The design of external synchrony is based on two princi-
ples. First, we define externally synchronous I/O by its
externally observable behavior rather than by its imple-
mentation. Second, we note that application state is an
internal property of the computer system. Since applica-
tion state is not directly observable by external entities,
the operating system need not treat changes to applica-
tion state as an external output.
Synchronous I/O is usually defined by its implementa-
tion: an I/O is considered synchronous if the calling ap-
plication is blocked until after the I/O completes [26].
In contrast, we define externally synchronous I/O by its
observable behavior: we say that an I/O is externally syn-
chronous if the external output produced by the computer
system cannot be distinguished from output that could
have been produced if the I/O had been synchronous.
The next step is to precisely define what is considered ex-
ternal output. Traditionally, the operating system takes
USENIX Association
 time
user
block block
app
OS
disk
commit commit
(a) Synchronous I/O
This figure shows the behavior of a sample application that makes two file system modifications, then displays output to an external
device. The diagram on the left shows how the application executes when its file I/O is synchronous; the diagram on the right shows
how it executes when its file I/O is externally synchronous.
Figure 1. Example of externally synchronous file I/O
an application-centric view of the computer system, in
which it considers applications to be external entities ob-
serving its behavior. This view divides the computer sys-
tem into two partitions: the kernel, which is considered
internal state, and the user level, which is considered ex-
ternal state. Using this view, the return from a system
call is considered an externally visible event.
However, users, not applications, are the true observers
of the computer system. Application state is only visible
through output sent to external devices such as the screen
and network. By regarding application state as internal
to the computer system, the operating system can take
a user-centric view in which only output sent to an ex-
ternal device is considered externally visible. This view
divides the computer system into three partitions, the ker-
nel and applications, both of which are considered inter-
nal state, and the external interfaces, which are consid-
ered externally visible. Using this view, changes to ap-
plication state, such as the return from a system call, are
not considered externally visible events.
The operating system can implement user-centric guar-
antees because it controls access to external devices. Ap-
plications can only generate external events with the co-
operation of the operating system. Applications must in-
voke this cooperation either directly by making a system
call or indirectly by mapping an externally visible device.
2.2 Correctness
Figure 1 illustrates these principles by showing an exam-
ple single-threaded application that makes two file sys-
tem modifications and writes some output to the screen.
In the diagram on the left, the file modifications made by
the application are synchronous. Thus, the application
blocks until each modification commits.
USENIX Association OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
time
user
buffer
app
OS
disk
commit
(b) Externally synchronous I/O
We say that external output of an externally synchronous
system is equivalent to the output of a synchronous one if
(a) the values of the external outputs are the same, and (b)
the outputs occur in the same causal order, as defined by
Lamport’s happens before relation [9]. We consider disk
commits external output because they change the stable
image of the file system. If the system crashes and re-
boots, the change to the stable image is visible. Since the
operating system cannot control when crashes occur, it
must treat disk commits as external output. Thus, in Fig-
ure 1(a), there are three external outputs: the two com-
mits and the message displayed on the screen.
An externally synchronous file I/O returns the same re-
sult to applications that would have been returned by
a synchronous I/O. The file system does all processing
that would be done for a synchronous I/O, including val-
idation and changing the volatile (in-memory) state of
the file system, except that it does not actually commit
the modification to disk before returning. Because the
results that an application sees from an externally syn-
chronous I/O are equivalent to the results it would have
seen if the I/O had been synchronous, the external output
it produces is the same in both cases.
An operating system that supports external synchrony
must ensure that external output occurs in the same
causal order that would have occurred had I/O been per-
formed synchronously. Specifically, if an external out-
put causally follows an externally synchronous file I/O,
then that output cannot be observed before the file I/O
has been committed to disk. In the example, this means
that the second file modification made by the application
cannot commit before the first, and that the screen output
cannot be seen before both modifications commit.
3
 2.3 Improving performance
The externally synchronous system in Figure 1(b) makes
two optimizations to improve performance. First, the two
modifications are group committed as a single file system
transaction. Because the commit is atomic, the effects of
the second modification are never seen unless the effects
of the first are also visible. Grouping multiple modifica-
tions into one transaction has many benefits: the commit
of all modifications is done with a single sequential disk
write, writes to the same disk block are coalesced in the
log, and no blocks are written to disk at all if data writes
are closely followed by deletion. For example, ext3 em-
ploys value logging — when a transaction commits, only
the latest version of each block is written to the journal.
If a temporary file is created and deleted within a single
transaction, none of its blocks are written to disk. In con-
trast, a synchronous file system cannot group multiple
modifications for a single-threaded application because
the application does not begin the second modification
until after the first commits.
The second optimization is buffering screen output. The
operating system must delay the externalization of the
output until after the commit of the file modifications
to obey the causal ordering constraint of externally syn-
chronous I/O. One way to enforce this ordering would be
to block the application when it initiates external output.
However, the asynchronous nature of the output enables
a better solution. The operating system instead buffers
the output and allows the process that generated the out-
put to continue execution. After the modifications are
committed to disk, the operating system releases the out-
put to the device for which it was destined.
This design requires that the operating system track the
causal relationship between file system modifications
and external output. When a process writes to the file
system, it inherits a commit dependency on the uncom-
mitted data that it wrote. When a process with commit
dependencies modifies another kernel object (process,
pipe, file, UNIX socket, etc.) by executing a system call,
the operating system marks the modified objects with the
same commit dependencies. Similarly, if a process ob-
serves the state of another kernel object with commit de-
pendencies, the process inherits those dependencies. If
a process with commit dependencies executes a system
call for which the operating system cannot track the flow
of causality (e.g., an ioctl), the process is blocked until
its file systems modifications have been committed. Any
external output inherits the commit dependencies of the
process that generated it — the operating system buffers
the output until the last dependency is resolved by com-
mitting modifications to disk.
4 OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
2.4 Deciding when to commit
An externally synchronous file system uses the causal re-
lationship between external output and file modifications
to trigger commits. There is a well-known tradeoff be-
tween throughput and latency for group commit strate-
gies. Delaying a group commit in the hope that more
modifications will occur in the near future can improve
throughput by amortizing more modifications across a
single commit. However, delaying a commit also in-
creases latency — in our system, commit latency is es-
pecially important because output cannot be externalized
until the commit occurs.
Latency is unimportant if no external entity is observ-
ing the result. Specifically, until some output is gener-
ated that causally depends on a file system transaction,
committing the transaction does not change the observ-
able behavior of the system. Thus, the operating sys-
tem can improve throughput by delaying a commit until
some output that depends on the transaction is buffered
(or until some application that depends on the transac-
tion blocks due to an ioctl or similar system call). We
call this strategy output-triggered commits since the at-
tempt to generate output that is causally dependent upon
modifications to be written to disk triggers the commit of
those modifications.
Output-triggered commits enable an externally syn-
chronous file system to maximize throughput when out-
put is not being displayed (for example, when it is piped
to a file). However, when a user could be actively observ-
ing the results of a transaction, commit latency is small.
2.5 Limitations
One potential limitation of external synchrony is that
it complicates application-specific recovery from catas-
trophic media failure because the application continues
execution before such errors are detected. Although the
kernel validates each modification before writing it to the
file cache, the physical write of the data to disk may sub-
sequently fail. While smaller errors such as a bad disk
block are currently handled by the disk or device driver,
a catastrophic media failure is rarely masked at these lev-
els. Theoretically, a file system mounted synchronously
could propagate such failures to the application. How-
ever, a recent survey of common file systems [20] found
that write errors are either not detected by the file sys-
tem (ext3, jbd, and NTFS) or induce a kernel panic
(ReiserFS). An externally synchronous file system could
propagate failures to applications by using Speculator to
checkpoint a process before it modifies the file system. If
a catastrophic failure occurs, the process would be rolled
back and notified of the failure. We rejected this solution
because it would both greatly increase the complexity
USENIX Association
 of external synchrony and severely penalize its perfor-
mance. Further, it is unclear that catastrophic failures are
best handled by applications — it seems best to handle
them in the operating system, either by inducing a kernel
panic or (preferably) by writing data elsewhere.
Another limitation of external synchrony is that the user
may have some temporal expectations about when modi-
fications are committed to disk. As defined so far, an ex-
ternally synchronous file system could indefinitely delay
committing data written by an application with no exter-
nal output. If the system crashes, a substantial amount
of work could be lost. Xsyncfs therefore commits data
every 5 seconds, even if no output is produced. The 5
second commit interval is the same value used by ext3
mounted asynchronously.
A final limitation of external synchrony is that modifica-
tions to data in two different file systems cannot be easily
committed with a single disk transaction. Potentially, we
could share a common journal among all local file sys-
tems, or we could implement a two-phase commit strat-
egy. However, a simpler solution is to block a process
with commit dependencies for one file system before it
modifies data in a second. Speculator would map each
dependency to a specific file system. When a process
writes to a file system, Speculator would verify that the
process depends only on the file system it is modifying;
if it depends on another file system, Speculator would
block it until its previous modifications commit.
3 Implementation
3.1 External synchrony
We next provide a brief overview of Speculator [17] and
how it supports externally synchronous file systems.
3.1.1 Speculator background
Speculator improves the performance of distributed file
systems by hiding the performance cost of remote opera-
tions. Rather than block during a remote operation, a file
system predicts the operation’s result, then uses Specula-
tor to checkpoint the state of the calling process and spec-
ulatively continue its execution based on the predicted
result. If the prediction is correct, the checkpoint is dis-
carded; if it is incorrect, the calling process is restored to
the checkpoint, and the operation is retried.
Speculator adds two new data structures to the kernel.
A speculation object tracks all process and kernel state
that depends on the success or failure of a speculative
operation. Each speculative object in the kernel has an
undo log that contains the state needed to undo specu-
lative modifications to that object. As processes interact
with kernel objects by executing system calls, Speculator
USENIX Association OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
uses these data structures to track causal dependencies.
For example, if a speculative process writes to a pipe,
Speculator creates an entry in the pipe’s undo log that
refers to the speculations on which the writing process
depends. If another process reads from the pipe, Spec-
ulator creates an undo log entry for the reading process
that refers to all speculations on which the pipe depends.
Speculator ensures that speculative state is never visible
to an external observer. If a speculative process exe-
cutes a system call that would normally externalize out-
put, Speculator buffers its output until the outcome of the
speculation is decided. If a speculative process performs
a system call that Speculator is unable to handle by ei-
ther transferring causal dependencies or buffering output,
Speculator blocks it until it becomes non-speculative.
3.1.2 From speculation to synchronization
Speculator ties dependency tracking and output buffer-
ing to other features, such as checkpoint and rollback,
that are not needed to support external synchrony. Worse
yet, these unneeded features come at a substantial per-
formance cost. This led us to factor out the functionality
in Speculator common to both speculative execution and
external synchrony. We modified the Speculator inter-
face to allow each file system to specify the additional
Speculator features that it requires. This allows a single
computer to run both a speculative distributed file system
and an externally synchronous local file system.
Both speculative execution and external synchrony en-
force restrictions on when external output may be ob-
served. Speculative execution allows output to be ob-
served based on correctness; output is externalized af-
ter all speculations on which that output depends have
proven to be correct. In contrast, external synchrony al-
lows output to be observed based on durability; output is
externalized after all file system operations on which that
output depends have been committed to disk.
In external synchrony, a commit dependency represents
the causal relationship between kernel state and an un-
committed file system modification. Any kernel object
that has one or more associated commit dependencies is
referred to as uncommitted. Any external output from a
process that is uncommitted is buffered within the kernel
until the modifications on which the output depends have
been committed. In other words, uncommitted output is
never visible to an external observer.
When a process writes to an externally synchronous file
system, Speculator marks the process as uncommitted. It
also creates a commit dependency between the process
and the uncommitted file system transaction that con-
tains the modification. When the file system commits the
transaction to disk, the commit dependency is removed.
5
 Once all commit dependencies for buffered output have
been removed, Speculator releases that output to the ex-
ternal device to which it was written. When the last com-
mit dependency for a process is discarded, Speculator
marks the process as committed.
Speculator propagates commit dependencies among ker-
nel objects and processes using the same mechanisms it
uses to propagate speculative dependencies. However,
since external synchrony does not require checkpoint and
rollback, the propagation of dependencies is consider-
ably easier to implement. For instance, before a pro-
cess inherits a new speculative dependency, Speculator
must checkpoint its state with a copy-on-write fork. In
contrast, when a process inherits a commit dependency,
no checkpoint is needed since the process will never be
rolled back. To support external synchrony, Speculator
maintains the same many-to-many relationship between
commit dependencies and undo logs as it does for specu-
lations and undo logs. Since commit dependencies are
never rolled back, undo logs need not contain data to
undo the effects of an operation. Therefore, undo logs
in an externally synchronous system only track the re-
lationship between commit dependencies and kernel ob-
jects and reveal which buffered output can be safely re-
leased. This simplicity enables Speculator to support
more forms of interaction among uncommitted processes
than it supports for speculative processes. For example,
checkpointing multi-threaded processes for speculative
execution is a thorny problem [17, 21]. However, as dis-
cussed in Section 3.5, tracking their commit dependen-
cies is substantially simpler.
3.2 File system support for external synchrony
We modified ext3, a journaling Linux file system, to cre-
ate xsyncfs. In its default ordered mode, ext3 writes only
metadata modifications to its journal. In its journaled
mode, ext3 writes both data and metadata modifications.
Modifications from many different file system operations
may be grouped into a single compound journal transac-
tion that is committed atomically. Ext3 writes modifica-
tions to the active transaction — at most one transaction
may be active at any given time. A commit of the active
transaction is triggered when journal space is exhausted,
an application performs an explicit synchronization op-
eration such as fsync, or the oldest modification in the
transaction is more than 5 seconds old. After the transac-
tion starts to commit, the next modification triggers the
creation of a new active transaction. Only one transac-
tion may be committing at any given time, so the next
transaction must wait for the commit of the prior trans-
action to finish before it commits.
Figure 2 shows how the external synchrony data struc-
tures change when a process interacts with xsyncfs. In
6 OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
Process 1234
Commit Committing
Output a Dep 1 FS Op 1
Transaction
Output b Commit FS Op 2 Active
Output c Transaction
Dep 2 FS Op 3
Undo Log FS Journal
(a) Data structures with a committing and active transaction
Process 1234
Output b Commit FS Op 2 Active
Dep 2 Transaction
Output c FS Op 3
Undo Log FS Journal
(b) Data structures after the first transaction commits
Figure 2. The external synchrony data structures
Figure 2(a), process 1234 has completed three file sys-
tem operations, sending output to the screen after each
one. Since the output after the first operation triggered
a transaction commit, the two following operations were
placed in a new active transaction. The output is buffered
in the undo log; the commit dependencies maintain the
relationship between buffered output and uncommitted
data. In Figure 2(b), the first transaction has been com-
mitted to disk. Therefore, the output that depended upon
the committed transaction has been released to the screen
and the commit dependency has been discarded.
Xsyncfs uses journaled mode rather than the default or-
dered mode. This change guarantees ordering; specif-
ically, the property that if an operation A causally pre-
cedes another operation B, the effects of B should never
be visible unless the effects of A are also visible. This
guarantee requires that B never be committed to disk be-
fore A. Otherwise, a system crash or power failure may
occur between the two commits — in this case, after the
system is restarted, B will be visible when A is not. Since
journaled mode adds all modifications for A to the jour-
nal before the operation completes, those modifications
must already be in the journal when B begins (since B
causally follows A). Thus, either B is part of the same
transaction as A (in which case the ordering property
holds since A and B are committed atomically), or the
transaction containing A is already committed before the
transaction containing B starts to commit.
In contrast, the default mode in ext3 does not provide or-
dering since data modifications are not journaled. The
kernel may write the dirty blocks of A and B to disk
in any order as long as the data reaches disk before the
metadata in the associated journal transaction commits.
USENIX Association
 Thus, the data modifications for B may be visible after a
crash without the modifications for A being visible.
Xsyncfs informs Speculator when a new journal transac-
tion is created — this allows Speculator to track state that
depends on the uncommitted transaction. Xsyncfs also
informs Speculator when a new modification is added to
the transaction and when the transaction commits.
As described in Section 1, the default behavior of ext3
does not guarantee that modifications are durable after a
power failure. In the Linux 2.4 kernel, durability can be
ensured only by disabling the drive cache. The Linux
2.6.11 kernel provides the option of using write bar-
riers to flush the drive cache before and after writing
each transaction commit record. Since Speculator runs
on a 2.4 kernel, we ported write barriers to our kernel
and modified xsyncfs to use write barriers to guarantee
that all committed modifications are preserved, even on
power failure.
3.3 Output-triggered commits
Xsyncfs uses the causal relationship between disk I/O
and external output to balance the competing concerns
of throughput and latency. Currently, ext3 commits its
journal every 5 seconds, which typically groups the com-
mit of many file system operations. This strategy opti-
mizes for throughput, a logical behavior when writes are
asynchronous. However, latency is an important consid-
eration in xsyncfs since users must wait to view output
until the transactions on which that output depends com-
mit. If xsyncfs were to use the default ext3 commit strat-
egy, disk throughput would be high, but the user might be
forced to wait up to 5 seconds to see output. This behav-
ior is clearly unacceptable for interactive applications.
We therefore modified Speculator to support output-
triggered commits. Speculator provides callbacks to
xsyncfs when it buffers output or blocks a process that
performed a system call for which it cannot track the
propagation of causal dependencies (e.g., an ioctl).
Xsyncfs uses the ext3 strategy of committing every 5 sec-
onds unless it receives a callback that indicates that Spec-
ulator blocked or buffered output from a process that de-
pends on the active transaction. The receipt of a callback
triggers a commit of the active transaction.
Output-triggered commits adapt the behavior of the file
system according to the observable behavior of the sys-
tem. For instance, if a user directs output from a running
application to the screen, latency is reduced by commit-
ting transactions frequently. If the user instead redirects
the output to a file, xsyncfs optimizes for throughput by
committing every 5 seconds. Optimizing for throughput
is correct in this instance since the only event the user
can observe is the completion of the application (and
USENIX Association OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
the completion would trigger a commit if it is a visible
event). Finally, if the user were to observe the contents of
the file using a different application, e.g., tail, xsyncfs
would correctly optimize for latency because Specula-
tor would track the causal relationship through the kernel
data structures from tail to the transaction and provide
callbacks to xsyncfs. When tail attempts to output data
to the screen, Speculator callbacks will cause xsyncfs to
commit the active transaction.
3.4 Rethinking sync
Asynchronous file systems provide explicit synchroniza-
tion operations such as sync and fdatasync for appli-
cations with durability or ordering constraints. In a syn-
chronous file system, such synchronization operations
are redundant since ordering and durability are already
guaranteed for all file system operations. However, in an
externally synchronous file system, some extra support
is needed to minimize latency. For instance, a user who
types “sync” in a terminal would prefer that the com-
mand complete as soon as possible.
When xsyncfs receives a synchronization call such as
sync from the VFS layer, it creates a commit depen-
dency between the calling process and the active trans-
action. Since this does not require a disk write, the
return from the synchronization call is almost instanta-
neous. If a visible event occurs, such as the completion
of the sync process, Speculator will issue a callback that
causes xsyncfs to commit the active transaction.
External synchrony simplifies the file system abstrac-
tion. Since xsyncfs requires no application modifica-
tion, programmers can write the same code that they
would write if they were using a unmodified file sys-
tem mounted synchronously. They do not need explicit
synchronization calls to provide ordering and durability
since xsyncfs provides these guarantees by default for all
file system operations. Further, since xsyncfs does not
incur the large performance penalty usually associated
with synchronous I/O, programmers do not need com-
plicated group commit strategies to achieve acceptable
performance. Group commit is provided transparently
by xsyncfs.
Of course, a hand-tuned strategy might offer better per-
formance than the default policies provided by xsyncfs.
However, as described in Section 3.3, there are some
instances in which xsyncfs can optimize performance
when an application solution cannot. Since xsyncfs uses
output-triggered commits, it knows when no external
output has been generated that depends on the current
transaction; in these instances, xsyncfs uses group com-
mit to optimize throughput. In contrast, an application-
specific commit strategy cannot determine the visibility
7
 of its actions beyond the scope of the currently executing
process; it must therefore conservatively commit modifi-
cations before producing external messages.
For example, consider a client that issues two sequential
transactions to a database server on the same computer
and then produces output. Xsyncfs can safely group
the commit of both transactions. However, the database
server (which does not use output-triggered commits)
must commit each transaction separately since it cannot
know whether or not the client will produce output after
it is informed of the commit of the first transaction.
3.5 Shared memory
Speculator does not propagate speculative dependencies
when processes interact through shared memory due to
the complexity of checkpointing at arbitrary states in a
process’ execution. Since commit dependencies do not
require checkpoints, we enhanced Speculator to propa-
gate them among processes that share memory.
Speculator can track causal dependencies because pro-
cesses can only interact through the operating system.
Usually, this interaction involves an explicit system call
(e.g., write) that Speculator can intercept. However,
when processes interact through shared memory regions,
only the sharing and unsharing of regions is visible to the
operating system. Thus, Speculator cannot readily inter-
cept individual reads and writes to shared memory.
We considered marking a shared memory page inaccessi-
ble when a process with write permission inherits a com-
mit dependency that a process with read permission does
not have. This would trigger a page fault whenever a pro-
cess reads or writes the shared page. If a process reads
the page after another writes it, any commit dependen-
cies would be transferred from the writer to the reader.
Once these processes have the same commit dependen-
cies, the page can be restored to its normal protections.
We felt this mechanism would perform poorly because of
the time needed to protect and unprotect pages, as well
as the extra page faults that would be incurred.
Instead, we decided to use an approach that imposes
less overhead but might transfer dependencies when not
strictly necessary. We make a conservative assumption
that processes with write permission for a shared mem-
ory region are continually writing to that region, while
processes with read permission are continually reading
it. When a process with write permission for a shared
region inherits a new commit dependency, any process
with read permission for that region atomically inherits
the same dependency.
Speculator uses the same mechanism to track commit
dependencies transfered through memory-mapped files.
Similarly, Speculator is conservative when propagating
8 OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
dependencies for multi-threaded applications — any de-
pendency inherited by one thread is inherited by all.
4 Evaluation
Our evaluation answers the following questions:
• How does the durability of xsyncfs compare to cur-
rent file systems?
• How does the performance of xsyncfs compare to
current file systems?
• How does xsyncfs affect the performance of appli-
cations that synchronize explicitly?
• How much do output-triggered commits improve
the performance of xsyncfs?
4.1 Methodology
All computers used in our evaluation have a 3.02 GHZ
Pentium 4 processor with 1 GB of RAM. Each computer
has a single Western Digital WD-XL40 hard drive, which
is a 7200 RPM 120 GB ATA 100 drive with a 2 MB on-
disk cache. The computers run Red Hat Enterprise Linux
version 3 (kernel version 2.4.21). We use a 400 MB jour-
nal size for both ext3 and xsyncfs. For each benchmark,
we measured ext3 executing in both journaled and or-
dered mode. Since journaled mode executed faster in
every benchmark, we report only journaled mode results
in this evaluation. Finally, we measured the performance
of ext3 both using write barriers and with the drive cache
disabled. In all cases write barriers were faster than dis-
abling the drive cache since the drive cache improves
read times and reduces the frequency of writes to the disk
platter. Thus, we report only results using write barriers.
4.2 Durability
Our first benchmark empirically confirms that without
write barriers, ext3 does not guarantee durability. This
result holds in both journaled and ordered mode, whether
ext3 is mounted synchronously or asynchronously, and
even if fsync commands are issued by the application
after every write. Even worse, our results show that, de-
spite the use of journaling in ext3, a loss of power can
corrupt data and metadata stored in the file system.
We confirmed these results by running an experiment in
which a test computer continuously writes data to its lo-
cal file system. After each write completes, the test com-
puter sends a UDP message that is logged by a remote
computer. During the experiment, we cut power to the
test computer. After it reboots, we compare the state of
its file system to the log on the remote computer.
USENIX Association
 File system configuration
Asynchronous
Synchronous
Synchronous with write barriers
External synchrony
This figure describes whether each file system provides durability to the user when an application executes a write or fsync system
call. A “Yes” indicates that the file system provides durability if an OS crash or power failure occurs.
Figure 3. When is data safe?
Our goal was to determine when each file system guaran-
tees durability and ordering. We say a file system fails to
provide durability if the remote computer logs a message
for a write operation, but the test computer is missing
the data written by that operation. In this case, dura-
bility is not provided because an external observer (the
remote computer) saw output that depended on data that
was subsequently lost. We say a file system fails to pro-
vide ordering if the state of the file after reboot violates
the temporal ordering of writes. Specifically, for each
block in the file, ordering is violated if the file does not
also contain all previously-written blocks.
For each configuration shown in Figure 3, we ran four
trials of this experiment: two in journaled mode and
two in ordered mode. As expected, our results confirm
that ext3 provides durability only when write barriers are
used. Without write barriers, synchronous operations en-
sure only that modifications are written to the hard drive
cache. If power fails before the modifications are written
to the disk platter, those modifications are lost.
Some of our experiments exposed a dangerous behav-
ior in ext3: unless write barriers are used, power failures
can corrupt both data and metadata stored on disk. In
one experiment, a block in the file being modified was
silently overwritten with garbage data. In another, a sub-
stantial amount of metadata in the file system, including
the superblock, was overwritten with garbage. In the lat-
ter case, the test machine failed to reboot until the file
system was manually repaired. In both cases, corruption
is caused by the commit block for a transaction being
written to the disk platter before all data blocks in that
transaction are written to disk. Although the operating
system wrote the blocks to the drive cache in the correct
order, the hard drive reorders the blocks when writing
them to the disk platter. After this happens, the trans-
action is committed during recovery even though several
data blocks do not contain valid data. Effectively, this
overwrites disk blocks with uninitialized data.
Our results also confirm that ext3 without write barriers
writes data to disk out of order. Journaled mode alone is
insufficient to provide ordering since the order of writing
transactions to the disk platter may differ from the order
of writing transactions to the drive cache. In contrast,
USENIX Association OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
Data durable on write Data durable on fsync
No Not on power failure
Not on power failure Not on power failure
Yes Yes
Yes Yes
ext3 provides both durability and ordering when write
barriers are combined with some form of synchronous
operation (either mounting the file system synchronously
or calling fsync after each modification). If write barri-
ers are not available, the equivalent behavior could also
be achieved by disabling the hard drive cache.
The last row of Figure 3 shows results for xsyncfs. As
expected, xsyncfs provides both durability and ordering.
4.3 The PostMark benchmark
We next ran the PostMark benchmark, which was de-
signed to replicate the small file workloads seen in elec-
tronic mail, netnews, and web-based commerce [8]. We
used PostMark version 1.5, running in a configuration
that creates 10,000 files, performs 10,000 transactions
consisting of file reads, writes, creates, and deletes, and
then removes all files. The PostMark benchmark has a
single thread of control that executes file system oper-
ations as quickly as possible. PostMark is a good test
of file system throughput since it does not generate any
output or perform any substantial computation.
Each bar in Figure 4 shows the time to complete the Post-
Mark benchmark. The y-axis is logarithmic because of
the substantial slowdown of synchronous I/O. The first
bar shows results when ext3 is mounted asynchronously.
As expected, this offers the best performance since the
file system buffers data in memory up to 5 seconds before
writing it to disk. The second bar shows results using
xsyncfs. Despite the I/O intensive nature of PostMark,
the performance of xsyncfs is within 7% of the perfor-
mance of ext3 mounted asynchronously. After examin-
ing the performance of xsyncfs, we determined that the
overhead of tracking causal dependencies in the kernel
accounts for most of the difference.
The third bar shows performance when ext3 is mounted
synchronously. In this configuration the writing process
is blocked until its modifications are committed to the
drive cache. Ext3 in synchronous mode is over an order
of magnitude slower than xsyncfs, even though xsyncfs
provides stronger durability guarantees. Throughput is
limited by the size of the drive cache; once the cache fills,
subsequent writes block until some data in the cache is
written to the disk platter.
9
 10000
ext3-async
xsyncfs
ext3-sync
1000 ext3-barrier
Time (seconds)
100
10
1 0
This figure shows the time to run the PostMark benchmark —
the y-axis is logarithmic. Each value is the mean of 5 trials —
the (relatively small) error bars are 90% confidence intervals.
Figure 4. The PostMark file system benchmark
The last bar in Figure 4 shows the time to complete
the benchmark when ext3 is mounted synchronously
and write barriers are used to prevent data loss when a
power failure occurs. Since write barriers synchronously
flush the drive cache twice for each file system transac-
tion, ext3’s performance is over two orders of magnitude
slower than that of xsyncfs.
Due to the high cost of durability, high end storage sys-
tems sometimes use specialized hardware such as a non-
volatile cache to improve performance [7]. This elim-
inates the need for write barriers. However, even with
specialized hardware, we expect that the performance
of ext3 mounted synchronously would be no better than
the third bar in Figure 4, which writes data to a volatile
cache. Thus, use of xsyncfs should still lead to substan-
tial performance improvements for synchronous opera-
tions even when the hard drive has a non-volatile cache
of the same size as the volatile cache on our drive.
4.4 The Apache build benchmark
We next ran a benchmark in which we untar the Apache
2.0.48 source tree into a file system, run configure in
an object directory within that file system, run make in
the object directory, and remove all files. The Apache
build benchmark requires the file system to balance
throughput and latency; it displays large amounts of
screen output interleaved with disk I/O and computation.
Figure 5 shows the total amount of time to run the
benchmark, with shadings within each bar showing the
time for each stage. Comparing the first two bars in
the graph, xsyncfs performs within 3% of ext3 mounted
asynchronously. Since xsyncfs releases output as soon
10 OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
Untar
Configure
1000
Make
Remove
Time (seconds)
500
ext3-async xsyncfs ext3-sync ext3-barrier RAMFS
This figure shows the time to run the Apache build benchmark.
Each value is the mean of 5 trials — the (relatively small) error
bars are 90% confidence intervals.
Figure 5. The Apache build benchmark
as the data on which it depends commits, output appears
promptly during the execution of the benchmark.
For comparison, the bar at the far right of the graph
shows the time to execute the benchmark using a
memory-only file system, RAMFS. This provides a
lower bound on the performance of a local file sys-
tem, and it isolates the computation requirements of the
benchmark. Removing disk I/O by running the bench-
mark in RAMFS improves performance by only 8% over
xsyncfs because the remainder of the benchmark is dom-
inated by computation.
The third bar in Figure 5 shows that ext3 mounted in
synchronous mode is 46% slower than xsyncfs. Since
computation dominates I/O in this benchmark, any dif-
ference in I/O performance is a smaller part of overall
performance. The fourth bar shows that ext3 mounted
synchronously with write barriers is over 11 times slower
than xsyncfs. If we isolate the cost of I/O by subtracting
the cost of computation (calculated using the RAMFS
result), ext3 mounted synchronously is 7.5 times slower
than xsyncfs while ext3 mounted synchronously with
write barriers is over two orders of magnitude slower
than xsyncfs. These isolated results are similar to the
values that we saw for the PostMark experiments.
4.5 The MySQL benchmark
We were curious to see how xsyncfs would perform
with an application that implements its own group com-
mit strategy. We therefore ran a modified version of
the OSDL TPC-C benchmark [18] using MySQL ver-
sion 5.0.16 and the InnoDB storage engine. Since
both MySQL and the TPC-C benchmark client are
USENIX Association
 New Order Transactions Per Minute 4000
3000
2000
1000
0
0 5
Number of Threads
This figure shows the New Order Transactions Per Minute when
running a modified TPC-C benchmark on MySQL with varying
numbers of clients. Each result is the mean of 5 trials — the
error bars are 90% confidence intervals.
Figure 6. The MySQL benchmark
multi-threaded, this benchmark measures the efficacy of
xsyncfs’s support for shared memory. TPC-C measures
the New Order Transactions Per Minute (NOTPM) a
database can process for a given number of simultane-
ous client connections. The total number of transactions
performed by TPC-C is approximately twice the num-
ber of New Order Transactions. TPC-C requires that a
database provide ACID semantics, and MySQL requires
either disabling the drive cache or using write barriers to
provide durability. Therefore, we compare xsyncfs with
ext3 mounted asynchronously using write barriers. Since
the client ran on the same machine as the server, we mod-
ified the benchmark to use UNIX sockets. This allows
xsyncfs to propagate commit dependencies between the
client and server on the same machine. In addition, we
modified the benchmark to saturate the MySQL server by
removing any wait times between transactions and creat-
ing a data set that fits completely in memory.
Figure 6 shows the NOTPM achieved as the number
of clients is increased from 1 to 20. With a single
client, MySQL completes 3 times as many NOTPM
using xsyncfs. By propagating commit dependencies
to both the MySQL server and the requesting client,
xsyncfs can group commit transactions from a single
client, significantly improving performance. In contrast,
MySQL cannot benefit from group commit with a single
client because it must conservatively commit each trans-
action before replying to the client.
When there are multiple clients, MySQL can group
the commit of transactions from different clients. As
the number of clients grows, the gap between xsyncfs
and ext3 mounted asynchronously with write barriers
shrinks. With 20 clients, xsyncfs improves TPC-C per-
formance by 22%. When the number of clients reaches
32, the performance of ext3 mounted asynchronously
USENIX Association
300
Throughput (Kb/s)
200 ext3-async
xsyncfs
xsyncfs
ext3-barrier ext3-sync
ext3-barrier
100
10 15 20
0
This figure shows the mean throughput achieved when running
the SPECweb99 benchmark with 50 simultaneous connections.
Each result is the mean of three trials, with error bars showing
the highest and lowest result.
Figure 7. Throughput in the SPECweb99 benchmark
with write barriers matches the performance of xsyncfs.
From these results, we conclude that even applications
such as MySQL that use a custom group commit strat-
egy can benefit from external synchrony if the number of
concurrent transactions is low to moderate.
Although ext3 mounted asynchronously without write
barriers does not meet the durability requirements for
TPC-C, we were still curious to see how its performance
compared to xsyncfs. With only 1 or 2 clients, MySQL
executes 11% more NOTPM with xsyncfs than it exe-
cutes with ext3 without write barriers. With 4 or more
clients, the two configurations yield equivalent perfor-
mance within experimental error.
4.6 The SPECweb99 benchmark
Since our previous benchmarks measured only work-
loads confined to a single computer, we also ran the
SPECweb99 [29] benchmark to examine the impact of
external synchrony on a network-intensive application.
In the SPECweb99 benchmark, multiple clients issue a
mix of HTTP GET and POST requests. HTTP GET re-
quests are issued for both static and dynamic content up
to 1 MB in size. A single client, emulating 50 simultane-
ous connections, is connected to the server, which runs
Apache 2.0.48, by a 100 Mb/s Ethernet switch. As we
use the default Apache settings, 50 connections are suf-
ficient to saturate our server.
We felt that this benchmark might be especially challeng-
ing for xsyncfs since sending a network message exter-
nalizes state. Since xsyncfs only tracks causal dependen-
cies on a single computer, it must buffer each message
OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation 11
 Request size ext3-async xsyncfs
0–1 KB 0.064 (±0.025) 0.097 (±0.002)
1–10 KB 0.150 (±0.034) 0.180 (±0.001)
10–100 KB 1.084 (±0.052) 1.094 (±0.003)
100–1000 KB 10.253 (±0.098) 10.072 (±0.066)
The figure shows the mean time (in seconds) to request a file of a
particular size during three trials of the SPECweb99 benchmark
with 50 simultaneous connections. 90% confidence intervals are
given in parentheses.
Figure 8. SPECweb99 latency results
until the file system data on which that message depends
has been committed. In addition to the normal log data
written by Apache, the SPECweb99 benchmark writes a
log record to the file system as a result of each HTTP
POST. Thus, small file writes are common during bench-
mark execution — a typical 45 minute run has approxi-
mately 150,000 file system transactions.
As shown in Figure 7, SPECweb99 throughput us-
ing xsyncfs is within 8% of the throughput achieved
when ext3 is mounted asynchronously. In contrast to
ext3, xsyncfs guarantees that the data associated with
each POST request is durable before a client receives
the POST response. The third bar in Figure 7 shows
that SPECweb99 using ext3 mounted synchronously
achieves 6% higher throughput than xsyncfs. Unlike the
previous benchmarks, SPECweb99 writes little data to
disk, so most writes are buffered by the drive cache. The
last bar shows that xsyncfs achieves 7% better through-
put than ext3 mounted synchronously with write barriers.
Figure 8 summarizes the average latency of individual
HTTP requests during benchmark execution. On aver-
age, use of xsyncfs adds no more than 33 ms of delay
to each request — this value is less than the commonly
cited perception threshold of 50 ms for human users [5].
Thus, a user should perceive no difference in response
time between xsyncfs and ext3 for HTTP requests.
4.7 Benefit of output-triggered commits
To measure the benefit of output-triggered commits, we
also implemented an eager commit strategy for xsyncfs
that triggers a commit whenever the file system is mod-
ified. The eager commit strategy still allows for group
commit since multiple modifications are grouped into a
single file system transaction while the previous transac-
tion is committing. The next transaction will only start
to commit once the commit of the previous transaction
completes. The eager commit strategy attempts to mini-
mize the latency of individual file system operations.
We executed the previous benchmarks using the eager
commit strategy. Figure 9 compares results for the two
12 OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
strategies. The output-triggered commit strategy per-
forms better than the eager commit strategy in every
benchmark except SPECweb99, which creates so much
output that the eager commit and output-triggered com-
mit strategies perform very similarly. Since the eager
commit strategy attempts to minimize the latency of a
single operation, it sacrifices the opportunity to improve
throughput. In contrast, the output-triggered commit
strategy only minimizes latency after output has been
generated that depends on a transaction; otherwise it
maximizes throughput.
5 Related work
To the best of our knowledge, xsyncfs is the first local
file system to provide high-performance synchronous I/O
without requiring specialized hardware support or appli-
cation modification. Further, xsyncfs is the first file sys-
tem to use the causal relationship between file modifica-
tions and external output to decide when to commit data.
While xsyncfs takes a software-only approach to provid-
ing high-performance synchronous I/O, specialized hard-
ware can achieve the same result. The Rio file cache [2]
and the Conquest file system [31] use battery-backed
main memory to make writes persistent. Durability is
guaranteed only as long as the computer has power or
the batteries remain charged.
Hitz et al. [7] store file system journal modifications on
a battery-backed RAM drive cache, while writing file
system data to disk. We expect that synchronous oper-
ations on Hitz’s hybrid system would perform no better
than ext3 mounted synchronously without write barriers
in our experiments. Thus, xsyncfs could substantially
improve the performance of such hybrid systems.
eNVy [33] is a file system that stores data on flash-based
NVRAM. The designers of eNVy found that although
reads from NVRAM were fast, writes were prohibitively
slow. They used a battery-backed RAM write cache to
achieve reasonable write performance. The write perfor-
mance issues seen in eNVy are similar to those we ex-
perienced writing data to commodity hard drives. There-
fore, it is likely that xsyncfs could also improve perfor-
mance for flash file systems.
Xsyncfs’s focus on providing both strong durability and
reasonable performance contrasts sharply with the trend
in commodity file systems toward relaxing durability
to improve performance. Early file systems such as
FFS [14] and the original UNIX file system [22] in-
troduced the use of a main memory buffer cache to
hold writes until they are asynchronously written to
disk. Early file systems suffered from potential corrup-
tion when a computer lost power or an operating sys-
tem crashed. Recovery often required a time consuming
USENIX Association
 Benchmark Eager Commits
PostMark (seconds) 9.879 (±0.056)
Apache (seconds) 111.41 (±0.32)
MySQL 1 client (NOTPM) 3323 (±60)
MySQL 20 clients (NOTPM) 3646 (±217)
SPECweb99 (Kb/s) 312 (±1)
This figure compares the performance of output-triggered commits with an eager commit strategy. Each result shows the mean of 5
trials, except SPECweb99, which is the mean of 3 trials. 90% confidence intervals are given in parentheses.
Figure 9. Benefit of output-triggered commits
examination of the entire state of the file system (e.g.,
running fsck). For this reason, file systems such as
Cedar [6] and LFS [23] added the complexity of a write-
ahead log to enable fast, consistent recovery of file sys-
tem state. Yet, as was shown in our evaluation, journal-
ing data to a write-ahead log is insufficient to prevent
file system corruption if the drive cache reorders block
writes. An alternative to write-ahead logging, Soft Up-
dates [25], carefully orders disk writes to provide consis-
tent recovery. Xsyncfs builds on this prior work since it
writes data after returning control to the application and
uses a write-ahead log. Thus, external synchrony could
improve the performance of synchronous I/O with other
journaling file systems such as JFS [1] or ReiserFS [16].
Fault tolerance researchers have long defined consis-
tent recovery in terms of the output seen by the outside
world [3, 11, 30]. For example, the output commit prob-
lem requires that, before a message is sent to the outside
world, the state from which that message is sent must be
preserved. In the same way, we argue that the guarantees
provided by synchronous disk I/O should be defined by
the output seen by the outside world, rather than by the
results seen by local processes.
It is interesting to speculate why the principle of outside
observability is widely known and used in fault tolerance
research yet new to the domain of general purpose appli-
cations and I/O. We believe this dichotomy arises from
the different scope and standard of recovery in the two
domains. In fault tolerance research, the scope of recov-
ery is the entire process; hence not using the principle of
outside observability would require a synchronous disk
I/O at every change in process state. In general pur-
pose applications, the scope of recovery is only the I/O
issued by the application (which can be viewed as an
application-specific recovery protocol). Hence it is fea-
sible (though still slow) to issue each I/O synchronously.
In addition, the standard for recovery in fault tolerance
research is well defined: a recovery system should lose
no visible output. In contrast, the standard for recovery
in general purpose systems is looser: asynchronous I/O is
common, and even synchronous I/O is usually commit-
ted synchronously only to the volatile hard drive cache.
USENIX Association OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
Output-Triggered Commits Speedup
8.668 (±0.478) 14%
109.42 (±0.71) 2%
4498 (±73) 35%
4052 (±200) 11%
311(±2) 0%
Our implementation of external synchrony draws upon
two other techniques from the fault tolerance literature.
First, buffering output until the commit is similar to de-
ferring message sends until commit [12]. Second, track-
ing causal dependencies to identify what and when to
commit is similar to causal tracking in message logging
protocols [4]. We use these techniques in isolation to im-
prove performance and maintain the appearance of syn-
chronous I/O. We also use these techniques in combina-
tion via output-triggered commits, which automatically
balance throughput and latency.
Transactions, provided by operating systems such as
QuickSilver [24], TABS [28], and Locus [32], and by
transactional file systems [10, 19], also give the strong
durability and ordering guarantees that are provided by
xsyncfs. In addition, transactions provide atomicity for
a set of file system operations. However, transactional
systems typically require that applications be modified
to specify transaction boundaries. In contrast, use of
xsyncfs requires no such modification.
6 Conclusion
It is challenging to develop simple and reliable software
systems if the foundations upon which those systems are
built are unreliable. Asynchronous I/O is a prime exam-
ple of one such unreliable foundation. OS crashes and
power failures can lead to loss of data, file system cor-
ruption, and out-of-order modifications. Nevertheless,
current file systems present an asynchronous I/O inter-
face by default because the performance penalty of syn-
chronous I/O is assumed to be too large.
In this paper, we have proposed a new abstraction, exter-
nal synchrony, that preserves the simplicity and reliabil-
ity of a synchronous I/O interface, yet performs approx-
imately as well as an asynchronous I/O interface. Based
on these results, we believe that externally synchronous
file systems such as xsyncfs can provide a better founda-
tion for the construction of reliable software systems.
13
 Acknowledgments
We thank Manish Anand, Evan Cooke, Anthony Nicholson, Dan Peek,
Sushant Sinha, Ya-Yunn Su, our shepherd, Rob Pike, and the anony-
mous reviewers for feedback on this paper. The work has been sup-
ported by the National Science Foundation under award CNS-0509093.
Jason Flinn is supported by NSF CAREER award CNS-0346686, and
Ed Nightingale is supported by a Microsoft Research Student Fellow-
ship. Intel Corp. has provided additional support. The views and con-
clusions contained in this document are those of the authors and should
not be interpreted as representing the official policies, either expressed
or implied, of NSF, Intel, Microsoft, the University of Michigan, or the
U.S. government.
References
[1] B EST, S. JFS overview. Tech. rep., IBM, http://www-
128.ibm.com/developerworks/linux/library/l-jfs.html, 2000.
[2] C HEN , P. M., N G , W. T., C HANDRA , S., AYCOCK , C., R A -
JAMANI , G., AND L OWELL , D. The Rio file cache: Surviv-
ing operating system crashes. In Proceedings of the 7th Inter-
national Conference on Architectural Support for Programming
Languages and Operating Systems (Cambridge, MA, October
1996), pp. 74–83.
[3] E LNOZAHY, E. N., A LVISI , L., WANG , Y.-M., AND J OHN -
SON , D. B. A survey of rollback-recovery protocols in message-
passing systems. ACM Computing Surveys 34, 3 (September
2002), 375–408.
[4] E LNOZAHY, E. N., AND Z WAENEPOEL , W. Manetho: Transpar-
ent Rollback-Recovery with Low Overhead, Limited Rollback,
and Fast Output Commit. IEEE Transactions on Computers C-
41, 5 (May 1992), 526–531.
[5] F LAUTNER , K., AND M UDGE , T. Vertigo: Automatic
performance-setting for Linux. In Proceedings of the 5th Sympo-
sium on Operating Systems Design and Implementation (Boston,
MA, December 2002), pp. 105–116.
[6] H AGMANN , R. Reimplementing the Cedar file system using
logging and group commit. In Proceedings of the 11th ACM
Symposium on Operating Systems Principles (Austin, TX, 1987),
pp. 155–162.
[7] H ITZ , D., L AU , J., AND M ALCOLM , M. File system design for
an NFS file server appliance. In Proceedings of the Winter 1994
USENIX Technical Conference (1994).
[8] K ATCHER , J. PostMark: A new file system benchmark. Tech.
Rep. TR3022, Network Appliance, 1997.
[9] L AMPORT, L. Time, clocks, and the ordering of events in a dis-
tributed system. Commun. ACM 21, 7 (1978), 558–565.
[10] L ISKOV, B., AND RODRIGUES , R. Transactional file systems can
be fast. In Proceedings of the 11th SIGOPS European Workshop
(Leuven, Belgium, September 2004).
[11] L OWELL , D. E., C HANDRA , S., AND C HEN , P. M. Exploring
failure transparency and the limits of generic recovery. In Pro-
ceedings of the 4th Symposium on Operating Systems Design and
Implementation (San Diego, CA, October 2000).
[12] L OWELL , D. E., AND C HEN , P. M. Persistent messages in local
transactions. In Proceedings of the 1998 Symposium on Princi-
ples of Distributed Computing (June 1998), pp. 219–226.
[13] M C K USICK , M. K. Disks from the perspective of a file system.
;login: 31, 3 (June 2006), 18–19.
[14] M C K USICK , M. K., J OY, W. N., L EFFLER , S. J., AND FABRY,
R. S. A fast file system for unix. ACM Transactions on Computer
Systems (TOCS) 2, 3 (August 1984), 181–197.
[15] M Y SQL AB. MySQL Reference Manual. http://dev.mysql.com/.
[16] N AMESYS . ReiserFS. http://www.namesys.com/.
14 OSDI ’06: 7th USENIX Symposium on Operating Systems Design and Implementation
[17] N IGHTINGALE , E. B., C HEN , P. M., AND F LINN , J. Spec-
ulative execution in a distributed file system. In Proceedings
of the 20th ACM Symposium on Operating Systems Principles
(Brighton, United Kingdom, October 2005), pp. 191–205.
[18] OSDL. OSDL Database Test 2. http://www.osdl.org/.
[19] PAXTON , W. H. A client-based transaction system to maintain
data integrity. In Proceedings of the 7th ACM Symposium on Op-
erating Systems Principles (1979), pp. 18–23.
[20] P RABHAKARAN , V., BAIRAVASUNDARAM , L. N., A GRAWAL ,
N., G UNAWI , H. S., A RPACI -D USSEAU , A. C., AND A RPACI -
D USSEAU , R. H. IRON file systems. In Proceedings of the 20th
ACM Symposium on Operating Systems Principles (Brighton,
United Kingdom, October 2005), pp. 206–220.
[21] Q IN , F., T UCEK , J., S UNDARESAN , J., AND Z HOU , Y. Rx:
Treating bugs as allergies—a safe method to survive software fail-
ures. In Proceedings of the 20th ACM Symposium on Operating
Systems Principles (Brighton, United Kingdom, October 2005),
pp. 235–248.
[22] R ITCHIE , D. M., AND T HOMPSON , K. The UNIX time-sharing
system. Communications of the ACM 17, 7 (1974), 365–375.
[23] ROSENBLUM , M., AND O USTERHOUT, J. K. The design and im-
plementation of a log-structured file system. ACM Transactions
on Computer Systems (TOCS) 10, 1 (February 1992), 26–52.
[24] S CHMUCK , F., AND W YLIE , J. Experience with transactions
in QuickSilver. In Proceedings of the 13th ACM Symposium on
Operating Systems Principles (October 1991), pp. 239–53.
[25] S ELTZER , M. I., G ANGER , G. R., M C K USICK , M. K., S MITH ,
K. A., S OULES , C. A. N., AND S TEIN , C. A. Journaling versus
soft updates: Asynchronous meta-data protection in file systems.
In USENIX Annual Technical Conference (San Diego, CA, June
2000), pp. 18–23.
[26] S ILBERSCHATZ , A., AND G ALVIN , P. B. Operating System
Concepts (5th Edition). Addison Wesley, February 1998. p. 27.
[27] S LASHDOT. Your Hard Drive Lies to You.
http://hardware.slashdot.org/article.pl?sid=05/05/13/0529252.
[28] S PECTOR , A. Z., DANIELS , D., D UCHAMP, D., E PPINGER ,
J. L., AND PAUSCH , R. Distributed transactions for reliable sys-
tems. In Proceedings of the 10th ACM Symposium on Operating
Systems Principles (Orcas Island, WA, December 1985), pp. 127–
146.
[29] S TANDARD P ERFORMANCE E VALUATION C ORPORATION.
SPECweb99. http://www.spec.org/web99.
[30] S TROM , R. E., AND Y EMINI , S. Optimistic Recovery in Dis-
tributed Systems. ACM Transactions on Computer Systems 3, 3
(August 1985), 204–226.
[31] WANG , A.-I. A., R EIHER , P., P OPEK , G. J., AND K UENNING ,
G. H. Conquest: Better performance through a disk/persistent-
RAM hybrid file system. In Proceedings of the 2002 USENIX
Annual Technical Conference (Monterey, CA, June 2002).
[32] W EINSTEIN , M. J., T HOMAS W. PAGE , J., L IVEZEY, B. K.,
AND P OPEK , G. J. Transactions and synchronization in a dis-
tributed operating system. In Proceedings of the 10th ACM Sym-
posium on Operating Systems Principles (Orcas Island, WA, De-
cember 1985), pp. 115–126.
[33] W U , M., AND Z WAENEPOEL , W. eNVy: A non-volatile,
main memory storage system. In Proceedings of the 6th Inter-
national Conference on Architectural Support for Programming
Languages and Operating Systems (San Jose, CA, 1994), pp. 86–
97.
USENIX Association