Why should this be impossible on NOCOW filesystems?

By now, it's evident that BTRFS is badly designed. Bcachefs might not have all the features, but they are building them slowly, in a sane way, once the basics have been mastered and work. With BTRFS, everything was thrown together, and it doesn't work. A couple of weeks ago, a pcie hardware failure caused my system to require a hard reboot. My raid-1 btrfs had the last leaf on the most recent tree corrupted. There was absolutely no way to repair it. The only thing I could do was dump the files in another array, and destroy and fe-format the btrfs array. All attempts to recover and all commands were done by a btrfs developer.

So with BTRFS, a raid-1 array that has the very last block of the very last write broken due to a power failure corrupts the entire filesystem. And there is no way to recover. So how is btrfs even COW? My understanding of COW is that you could just truncate the last modifications and recover everything not too new. But no, it doesn't, not with BTRFS.

I think it's the other way around. ZFS and BTRFS have CoW as one of their main design features, and incidentally it allowed them to support data checksum.

To put it in a grossly simplistic way, writing on a XFS or Ext4 filesystem with data checksum would need to work along these lines:

1. Add journal entry
2. Write an extent
3. Calculate and write the checksum
4. Close journal entry

Now what happens if the system crashes between steps 2 and 3? Upon reboot, the extent written has no valid checksum, so the FS safety guarantees go out thr window. And we also can't just recalculate it, precisely because in the absence of a valid checksum in the first place, there is no way to tell if the data have been corrupted or not.

There is no difference to a COW filesystem. The commit was not done, so you have to discard it.

No. In a COW system it goes like this:

1. write new extent, alongside the old one
2. write new checksum alongside the old one
3. write new metadata, with their own checksums etc., alongside old metadata
4. commit

Until step 4, the old data remain unchanged. If a crash occurs at any time during that period, the newly written data will be lost but we will use the old data, with a valid checksum.

The commit itself is atomic and is basically akin to a single update of a field in the superblock. In other words it can't crash mid-way. After the commit, we use the newly written data and a valid checksum is in place.

Would you like to add XFS to the table? Please...

You're speaking about data consistency.

[...]

Now you have the checksum in the log and can verify on log replay.

I'm speaking about consistency between data and the corresponding checksum It basically boils down to the fact that after data are written, you need to write the checksum using a separate disk operation. With a NOCOW filesystem there is no way to ensure that these two things will be either executed consistently together, or not at all (remember ACID?).