Fail-safety


TINY is designed to be fail-safe. This means that:

  • After a system reset, the file system will always be in a consistent state.
  • Any file that was opened for writing at the time of an unexpected reset will be returned to its pre-open state, unless a flush or close operation on that file was successfully completed.

This means that the application developer is entirely in control of when the new state of a file is set, independent of any other activity in the file system.

Fail-safety of any file system can only be guaranteed if the low-level driver guarantees a defined quality of service. For the TINY file system this is defined as:

  • Any write operation must complete successfully or return an error. Otherwise, the file system must be restarted.
  • All writes to the media must be executed in the sequence in which they are provided to the driver.
  • Any erase operation must complete successfully or return an error. Otherwise, the file system must be restarted.

To achieve this, the hardware should ensure that, in the event of a falling voltage approaching the specified minimum programming level of the flash, the system either resets or provides a signal to the software to block access to the flash.

An alternative solution is to add capacitance to the design. This must provide sufficient power that, after a hardware error or reset condition is detected, the active operation on the flash can be completed.

Only by using one of these techniques can the system guarantee correct operation even after an unexpected system reset.
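The guarantee in the first list above and the write-ordering requirement in the second, as an added example that is not TINY's own code: a toy two-slot shadow-copy file over a modelled flash driver, where close writes the slot header as its final operation, so a reset at any earlier point leaves the previous content as the mounted state. The slot layout, `Flash`, `mount`, `write_close` and `state_after_reset` are assumptions of this model, not TINY's internals.

```python
# Added example, not TINY's code: toy shadow-copy file over a modelled flash driver.
class PowerLoss(Exception):
    """The simulated reset: the current operation neither completes nor errors."""

class Flash:
    """Media that applies operations in issue order until power is cut."""
    def __init__(self, cut_after=None):
        self.cells = {}              # address -> value (None = erased)
        self.ops = 0
        self.cut_after = cut_after   # None: never cut; N: lose power after N ops
    def _tick(self):
        if self.cut_after is not None and self.ops >= self.cut_after:
            raise PowerLoss()
        self.ops += 1
    def write(self, addr, value):
        self._tick()
        self.cells[addr] = value
    def erase(self, base, size):
        self._tick()
        for a in range(base, base + size):
            self.cells[a] = None

SLOT = 8   # two slots; cell 0 of a slot is the header, cells 1..7 hold data
def mount(flash):
    """What the file system sees after a reset: the newest slot with a header."""
    data, seq, slot = b"", 0, None
    for s in (0, 1):
        hdr = flash.cells.get(s * SLOT)          # (sequence, length) or None
        if hdr and hdr[0] > seq:
            seq, slot = hdr[0], s
            data = bytes(flash.cells[s * SLOT + 1 + i] for i in range(hdr[1]))
    return data, seq, slot
def write_close(flash, data):
    """Open for write, replace the content, close: the header is written LAST."""
    _, seq, slot = mount(flash)
    base = (0 if slot is None else 1 - slot) * SLOT   # the inactive slot
    flash.erase(base, SLOT)                           # old slot is untouched
    for i, b in enumerate(data):
        flash.write(base + 1 + i, b)
    flash.write(base, (seq + 1, len(data)))           # commit: the "close"
def state_after_reset(old, new, cut_after):
    """Store `old`, then lose power `cut_after` operations into rewriting it as `new`."""
    flash = Flash()
    write_close(flash, old)
    flash.cut_after = flash.ops + cut_after
    try:
        write_close(flash, new)
        return mount(flash)[0], True
    except PowerLoss:
        return mount(flash)[0], False
```

Because the header is the last write, the model rests on the driver's in-order guarantee: a driver that applied the header ahead of the data could leave a valid-looking header over stale data after a reset.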