reduce to 3 phase protocol

Author: roberto-bayardo

runtime/src/utils/buffer/paged/append.rs

@@ -798,8 +798,11 @@ impl<B: Blob> Append<B> {
     ///
     /// Since larger valid lengths are authoritative, a shorter CRC cannot simply be written next to
     /// the old CRC. We first stage the shorter slot with length 0, then make its length durable,
-    /// then invalidate the old longer slot. A crash during any phase recovers either the old longer
-    /// page or the new shorter page, but never loses the whole page or fabricates a larger length.
+    /// then invalidate the old longer slot by clearing its CRC bytes. Once that invalidation is
+    /// durable, the old slot cannot validate under the CRC model used throughout this layer, even
+    /// though its length bytes remain present. A crash during any phase recovers either the old
+    /// longer page or the new shorter page, but never loses the whole page or fabricates a larger
+    /// length.
     async fn sync_partial_page_shrink(
         blob: &B,
         page: u64,
@@ -840,17 +843,17 @@ impl<B: Blob> Append<B> {
         };
         let len_size = std::mem::size_of::<u16>();
         let crc_size = CHECKSUM_SLOT_SIZE - len_size;
+
+        // Clear CRC bytes before length bytes. If this write is torn, recovery either sees the old
+        // valid CRC or an invalid old slot. After the following sync, the new shorter slot is the
+        // only valid slot, so zeroing the old length is unnecessary.
         blob.write_at(
             crc_start + old_slot_start as u64 + len_size as u64,
             vec![0u8; crc_size],
         )
         .await?;
         blob.sync().await?;
 
-        blob.write_at(crc_start + old_slot_start as u64, vec![0u8; len_size])
-            .await?;
-        blob.sync().await?;
-
         let final_record = if new_slot_start == 0 {
             Checksum {
                 len1: new_len,