NAND flash imposes a unique set of requirements, and thus challenges, on a file system. TargetFFS-NAND is a complete flash file system designed from the ground up to use NAND flash as its backing store.
Theory of Operation
NAND flash devices have qualities that are quite different from media normally used for backing store, such as hard disks, floppy disks, or magnetic tape. For best results, the architecture of a NAND flash file system must take into account the unique attributes of NAND flash memory.
The qualities of NAND flash memory include: (1) a write operation can only clear bits; bits are set only by erasing a large block, typically 8 KB or larger; (2) some blocks in the NAND memory may fail, both during manufacture and during normal use; (3) bit errors may occur during normal operation; and (4) blocks experience fatigue from program/erase cycles.
Because of this wear fatigue, manufacturers guarantee proper operation only for a finite number of program/erase cycles, typically 1 million or more. The manufacturers' guarantee applies independently to each block in the device. If one block is cycled at a higher rate than others, it will have more wear and can be expected to fail first. A block that fails prematurely can affect use of the entire device if the file system depends on the information stored in that block.
The design of a flash file system is very much affected by the wear leveling restriction. File systems for freely writable media typically place their control information in a fixed location and repeatedly modify this location as files and directories are created or deleted and as files expand or contract. If applied to flash, this approach would lead to uneven program/erase fatigue. With TargetFFS-NAND, no block is programmed and erased at a higher rate than any other block. Wear is distributed in an even fashion.
TargetFFS-NAND accommodates bad blocks, both those initially marked by the manufacturer and those that arise from failure of a block erase or page program operation. A block is never erased or programmed once it is determined to be bad. When TargetFFS-NAND encounters a previously unformatted volume, it searches for bad blocks. Because manufacturers fully erase all good blocks prior to shipment, any block on an unformatted volume that has a zero bit is recorded as a bad block.
Because bit errors can occur in NAND memories due to "loss of charge", TargetFFS-NAND provides ECC encoding and decoding routines that can be used by the flash driver. To support products that guarantee that no bit errors will occur below a specified number of program and erase cycles, TargetFFS-NAND passes the block wear count to the driver's read and write page routines. ECC encoding and decoding can be omitted until the wear count reaches the critical value. Also, because the driver layer performs the error detection and correction, TargetFFS-NAND supports hardware ECC implementations.
TargetFFS-NAND is robust against unexpected power loss. Each time the file system's state changes, new information is written to the flash without overwriting old information, whether file system control information or user data. Each write of control information is given an incrementing sequence number and protected with a 32-bit cyclic redundancy check. The location of pages that contain control information is marked by a flag value in the page's extra bytes.
TargetFFS-NAND mounts a volume by searching for pages that contain control information. The control information that passes the cyclic redundancy check and has the highest sequence number is taken as describing the file system's state. The only possible difference from the state prior to a power loss is that some pages and blocks recorded as free may have been programmed. TargetFFS-NAND scans each page recorded as free and either erases blocks or marks pages as dirty, as appropriate.
If an unexpected power loss occurs before a control write is complete, upon subsequent power-up the file system reverts to its state before the most recent change. If power loss occurs after a control write completes, the new state changes have been successfully stored and will be used when the file system reboots. In neither case are closed files, directory structures, or files open for reading at risk. Only data written since the last synchronizing operation (fclose(), fflush(), etc.) can be lost.
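The mount-time selection described above can be sketched in C as follows. This is an added example, not TargetFFS-NAND code: it shows a scan that accepts only flagged control pages whose CRC-32 verifies and keeps the one with the highest sequence number, so a control write torn by power loss is skipped and the previous state is used. The page layout, the `CTRL_FLAG` value, the payload size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CTRL_FLAG  0xC7u  /* assumed marker value in the page's extra bytes */
#define PAYLOAD_SZ 16u    /* assumed control payload size */

struct page {             /* hypothetical layout, not the product's format */
    uint8_t  spare_flag;  /* extra-bytes flag: control page or not */
    uint32_t seq;         /* incrementing sequence number */
    uint8_t  payload[PAYLOAD_SZ];
    uint32_t crc;         /* CRC-32 over seq and payload */
};

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320); chainable via crc. */
static uint32_t crc32_update(uint32_t crc, const void *buf, size_t len) {
    const uint8_t *p = buf;
    for (crc = ~crc; len--; p++) {
        crc ^= *p;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t page_crc(const struct page *pg) {
    uint32_t c = crc32_update(0, &pg->seq, sizeof pg->seq);
    return crc32_update(c, pg->payload, sizeof pg->payload);
}

/* A completed control write: flag, sequence number, payload, then CRC. */
static void ctrl_write(struct page *pg, uint32_t seq, const char *state) {
    memset(pg, 0xFF, sizeof *pg);              /* erased flash reads all ones */
    pg->spare_flag = CTRL_FLAG;
    pg->seq = seq;
    memset(pg->payload, 0, PAYLOAD_SZ);
    strncpy((char *)pg->payload, state, PAYLOAD_SZ - 1);
    pg->crc = page_crc(pg);
}

/* Mount scan: index of the CRC-valid control page with the highest
 * sequence number, or -1 if the volume holds no valid control page. */
static int mount_select(const struct page *pages, size_t n) {
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (pages[i].spare_flag != CTRL_FLAG) continue;     /* not control */
        if (page_crc(&pages[i]) != pages[i].crc) continue;  /* torn write */
        if (best < 0 || pages[i].seq > pages[best].seq) best = (int)i;
    }
    return best;
}
```

A page whose payload was only partly programmed when power failed no longer matches its CRC, so `mount_select` falls back to the newest page that does.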
This explanation simplifies many details about the file system requirements for NAND flash. TargetFFS-NAND incorporates clever algorithms, diligent implementation, and months of testing to provide a reliable, re-entrant file system whose use of NAND flash memory for the backing store is invisible to the application layer.