The @CHIP-RTOS-PPC file system's power loss protection (PLP) mechanism allows unfinished disk write activity to be continued after a power loss (or other cause of system reset). Using this strategy, the disk will either contain the original valid image or the completed modified image after the next time this disk is opened.
External Media and Driver Requirements
The following requirements must be meet by an external disk and its driver in order for the PLP mechanism to work reliably on that drive.
Only the addressed sector can be modified when the driver receives a sector write command.
If the driver returns from a sector write command with a success indication, then the new data must now be safely in that disk sector, irrespective of continued system power or operation.
The intent of the first rule above is to state that in the event that power is lost in the middle of a sector write action, only the addressed sector may contain garbage. Spraying garbage into any other sector as a result of power going out of specification would not be acceptable, and the PLP would then not be able to handle a recovery from the power loss event.
Problems meeting these requirements have been observed in rare cases on SD cards and on the internal A: flash drive. For this reason, as of @CHIP-RTOS-PPC version 1.30 the PLP drives will be write protected by default at a Power Fail Interrupt (PFI).
The PLP mechanization will come with some disk speed and space penalties. (Some example cases are provided here.) These include the following:
Two FAT's are required for PLP. The external drives are normally formatted with two FAT, so for these drives the PLP cost no extra FAT space. But for the internal flash A: drive which by default would be formatted with only a single FAT, the extra FAT required for PLP will reduce the available disk space somewhat. For example, the 25 MB flash drive on a SC243 typically uses a 98 sector FAT16 which translates to about 49 kByte of disk space needed for an extra FAT.
For FAT12 and FAT16 drives, space for a working copy of the root directory is allocated from the reserved sectors. A drive formatted with 128 root directory entries (A: drive's default) would then require 8 reserved sectors (4 kByte) for this root directory shadow.
Two reserved sectors are allocated for a double buffered "Power Loss Recovery" record. (The file system holds its PLP bookkeeping in these sectors.)
Due to the fact that some free disk clusters will be used temporarily to buffer pending sector writes, not all of the disk's space will be directly usable. For example, if a disk still showed 1 kB free space, attempting to create a new very small file might fail under these conditions.
These PLP disk space penalties reduce a 25 MB flash drive by around 0,2%. More detail can be found here.
Some additional sector writes are required for a PLP drive at each disk editing action in order that at all times there be sufficient information on the disk to either continue or abort an uncompleted edit action in the event that power is lost. Go here for PLP disk transfer timing measurements.
For disk read activity, the PLP format causes no additional delays.
A PLP disk will be in one of three states: "stable", "edit" or "commit". Unless the system is reset, the sequence of state transitions is always:
stable --> edit --> commit --> stable ...
The "stable" state covers the case where nothing is going on, write activity wise.
When a file is created or opened for write, the "edit" state is entered. The disk can dwell in this state for extended periods of time, up until either a file flush or file close action is performed.
Brief transitions through the "edit" state also occur for file system actions such as the MD, DEL or REN commands.
Note that for PLP type drives, there will be some coupling (directory node updating wise) between write activity on a given PLP drive. The directory nodes for all open files will be updated when ever a "commit" is performed. These directory node updates would occur when, for example:
Some other file is closed or flushed.
A new directory is created.
Some other file is deleted.
If the system is reset while the disk is in the "edit" state, then the previous state of that disk (prior to edit) will be restored by the @CHIP-RTOS-PPC at the next opening of that drive, thereby restoring a "stable" state.
Assuming no system reset, the "edit" state will followed by the "commit" state. The "commit" state is entered after the file system has stored on the disk sufficient information to safely complete the desired file system modification, irrespective of continued system operation and power supply. If a system reset occurs (e.g. due to power loss) while the disk is in the "commit" state, then the commit actions will be resumed when the disk is opened again following the IPC@CHIP® computer reset.
The "commit" state dwell is intended to be very short, and might instead be viewed as a state transition between states "edit" and "stable". (The state point of view becomes useful when this strobe is caught by a reset event.)
Removable Disk Usage
If a USB stick or other removable storage media is taken from the IPC@CHIP® and used on another computer (e.g. Windows), that other computer must not write to the disk unless the disk was in the "stable" state (meaning no write activity was in progress) when the disk was removed from the IPC@CHIP® .
A disk that was left in the "edit" state will be readable on another computer, provided that the file system on this other computer regards only FAT0 (true for the IPC@CHIP® file system for non-PLP type disks).
A disk that was left in the "commit" state at power loss time must be first re-opened on the IPC@CHIP® computer before moving the disk to another computer, so that the power loss recovery actions can be taken to clean up that disk. Otherwise the disk will most likely appear corrupt on the other computer, and any write activity done by the other computer when in the "commit" state would then corrupt the disk from the Beck target's point of view,
Note that for drives with very large FAT32 tables, the commit or recovery actions can require a significant amount of time to complete (minutes).These actions take place when the drive is first opened after the power loss event. Upon successful completion, the system will output a message like either