A write-ahead log, fsync-d before commit
A transaction that returns has been written to a length-framed, CRC-32 checksummed log and fsync-dbefore the commit becomes visible. A crash can only ever damage the last, un-fsync-d record — which recovery detects and truncates, leaving a valid committed prefix.