We've examined write-through (immediate persistence) and write-back (eventual persistence). But real-world applications often need something in between: delayed write strategies that provide explicit control over when cached data becomes durable.

Consider a database transaction:

1. Write undo log entry (must be durable before modifying data)
2. Modify data page A (can stay in cache)
3. Modify data page B (can stay in cache)
4. Write transaction commit record (must be durable before acknowledging client)
5. Eventually, data pages A and B can be flushed at leisure

Neither pure write-through nor pure write-back fits this pattern. Write-through would force every operation to disk—devastating for performance. Write-back would defer everything, including the critical log entries—catastrophic for correctness.

Delayed write strategies allow applications to explicitly control which writes are immediately durable and which can remain cached. The operating system provides the mechanisms; the application provides the intelligence about what data is critical.

This page explores those mechanisms in depth and provides the patterns for using them correctly.

Delayed write refers to the practice of initially writing data to cache (like write-back) but giving applications explicit control over when that data is flushed to persistent storage. The "delay" is not a fixed time period—it's a gap between write completion and application-initiated synchronization.

The Delayed Write Timeline

T=0.000: write(fd, data1, size)  → Returns immediately (data in cache)
T=0.001: write(fd, data2, size)  → Returns immediately (data in cache)
T=0.002: write(fd, data3, size)  → Returns immediately (data in cache)
         ...
         (Application performs other work)
         (Data remains in cache, at risk of loss)
         ...
T=0.500: fsync(fd)               → Blocks until data1, data2, data3 on disk
         → At this point, data is durable

Key: Duration from T=0.000 to T=0.500 is explicitly controlled by application
     Not by OS periodic flush (write-back)
     Not by zero (write-through)

This model is distinct from write-back in an important way:

The Conceptual Model

Think of delayed write as a contract between application and OS:

Application: "I'm writing data, but I'll tell you when I need it durable."
OS: "Understood. I'll keep it in fast cache until then."
OS: "I might also write it opportunistically if I have nothing else to do."
Application: "Fine, but I won't assume it's durable until I explicitly ask."

This contract shifts responsibility: the OS is no longer guaranteeing durability on any schedule. The application must explicitly request durability at appropriate points.

POSIX and Linux provide a family of synchronization calls that force cached data to persistent storage. Understanding the precise semantics of each is critical for correct system design.

The Synchronization Hierarchy

*fdatasync() syncs metadata required for data retrieval (file size if extended), but may skip non-essential metadata (modification time).

The Directory Sync Problem

Calling fsync() on a file ensures the file's contents are durable. But what about the file's existence? If you create a new file, the durability of the file depends on the durability of its parent directory entry.

// INCORRECT: Creating a durable file
int fd = open("/data/newfile.txt", O_WRONLY | O_CREAT, 0644);
write(fd, "important data", 14);
fsync(fd);  // Data is durable
close(fd);
// CRASH: File may not exist after recovery!
// The directory entry pointing to the file might have been cached

// CORRECT: Creating a durable file
int fd = open("/data/newfile.txt", O_WRONLY | O_CREAT, 0644);
write(fd, "important data", 14);
fsync(fd);  // Data is durable
close(fd);

int dir_fd = open("/data", O_RDONLY);
fsync(dir_fd);  // Directory entry is now durable
close(dir_fd);
// File definitely exists after crash

This requirement is frequently overlooked, leading to data loss after crashes.

Synchronization is expensive. Understanding the cost structure helps design systems that minimize sync overhead while maintaining durability.

fsync Latency Components

fsync(fd) latency = T_flush_dirty_pages + T_flush_device_cache + T_journal_sync

Where:
  T_flush_dirty_pages: Write all dirty pages for this file to device
                       Linear in number of dirty pages
                       
  T_flush_device_cache: Issue flush/FUA to device
                        Constant time (~50µs - 5ms depending on device)
                        Required to ensure device cache is also durable
                        
  T_journal_sync: If journaling, wait for journal commit
                  Includes journal write + device flush
                  Affects other files on same filesystem

Measured fsync Latencies

The Batching Opportunity

The key performance insight: fsync cost is largely fixed overhead (device flush), not proportional to data size. Batching multiple writes between syncs amortizes this overhead:

# Naive: fsync after every write (100 writes/second)
for record in records:
    write(fd, record)
    fsync(fd)  # 100µs each = 10ms total latency per batch
    # Max throughput: ~10,000 ops/second

# Batched: fsync after N writes
batch = []
for record in records:
    batch.append(record)
    if len(batch) >= 100:
        for r in batch:
            write(fd, r)
        fsync(fd)  # 100µs once per 100 writes
        batch = []
# Max throughput: ~1,000,000 ops/second

# Speedup: 100x from simple batching

The Interference Problem

fsync affects other operations on the same filesystem due to journal dependencies:

Thread A: write to file1, fsync(file1)
Thread B: write to file2 (no sync)

On journaled filesystem:
  - fsync(file1) must commit journal
  - Journal commit includes file2's changes too
  - Thread B's data becomes durable as side effect

  - But also: fsync(file1) waits for journal commit
  - Journal commit may wait for other dirty metadata
  - Thread A's latency increases due to Thread B's writes

This is why database engines often use O_DIRECT or dedicated filesystems for WAL: to isolate sync latency from other I/O.

Production systems use sophisticated patterns to achieve durability with minimal performance impact. Let's examine the most important ones.

Pattern 1: Double-Write Buffer

Used by MySQL InnoDB to prevent torn pages (partial writes during crash):

Problem: 16KB InnoDB page ≠ 4KB filesystem block
         Power loss mid-write leaves page half-old, half-new
         Checksum detects corruption but can't recover

Solution: Double-write buffer
  1. Write page to sequential "doublewrite buffer" area
  2. fsync the doublewrite buffer
  3. Write page to actual location (can use write-back!)
  4. No fsync needed for actual write

Recovery:
  - If actual page checksums fail, read from doublewrite buffer
  - Doublewrite buffer is always intact (sequential write, one sync)

Pattern 2: Write Ordering with Barriers

For operations where order matters more than immediate durability:

// Ensure critical metadata is on disk before dependent data

// Write metadata (e.g., allocation bitmap)
write(meta_fd, new_allocation_info, meta_size);
fsync(meta_fd);  // Barrier: metadata durable

// Now safe to write data that depends on this allocation
write(data_fd, user_data, data_size);
// No fsync needed immediately - can batch with other writes

// Eventually, sync data too (or let background writeback handle)

Pattern 3: Epoch-Based Flushing

Group writes by "epoch", sync each epoch as a unit:

Pattern 4: Asynchronous fsync with io_uring

Linux io_uring provides true asynchronous fsync:

#include <liburing.h>

// Traditional: fsync blocks calling thread
fsync(fd);  // Thread sleeps until complete

// io_uring: submit fsync, continue working, check later
struct io_uring ring;
io_uring_queue_init(32, &ring, 0);

// Submit async fsync
struct io_uring_sqe *sqe = io_uring_get_sqe(&ring);
io_uring_prep_fsync(sqe, fd, IORING_FSYNC_DATASYNC);
io_uring_submit(&ring);

// Do other work...

// Later: check if fsync completed
struct io_uring_cqe *cqe;
io_uring_wait_cqe(&ring, &cqe);  // Or io_uring_peek_cqe for non-blocking

if (cqe->res < 0) {
    // fsync failed!
    handle_error(-cqe->res);
} else {
    // Data is durable
}
io_uring_cqe_seen(&ring, cqe);

This enables high-throughput durability-aware applications that overlap computation with sync operations.

Different application types have different durability requirements. Let's examine optimal strategies for common cases.

Case Study: SQLite Durability Modes

SQLite provides a perfect example of configurable delayed write strategies:

-- 1. FULL synchronous (safest, slowest)
PRAGMA synchronous = FULL;
-- fsync after every transaction AND after journal write
-- Survives both OS crash and power loss

-- 2. NORMAL synchronous (balanced)
PRAGMA synchronous = NORMAL;
-- fsync at critical moments only
-- Survives OS crash; may corrupt on power loss at wrong moment

-- 3. OFF synchronous (fastest, risky)
PRAGMA synchronous = OFF;
-- Never fsync automatically
-- Data corruption likely on any crash
-- Only for ephemeral/reconstructible data

Case Study: PostgreSQL fsync Settings

PostgreSQL's wal_sync_method controls how WAL is synced:

The choice depends on OS and filesystem. Always benchmark on your specific configuration.

Even experienced developers make subtle mistakes with delayed write semantics. Let's examine the most common pitfalls and their corrections.

Implementing delayed write correctly is hard. Testing it is harder. Normal testing can't verify durability because tests don't involve power failures. Here are techniques for rigorous durability testing.

Technique 1: dm-flakey (Linux)

Device-mapper target that can simulate various failure modes:

# Create a flakey device that drops writes after 60 seconds
dmsetup create mydata --table "0 $(blockdev --getsz /dev/sdb) \
    flakey /dev/sdb 0 60 5 \
    drop_writes"

# 60: Seconds device works normally
# 5: Seconds device "fails" (drops writes)
# Then it repeats

# Mount filesystem on flakey device
mkfs.ext4 /dev/mapper/mydata
mount /dev/mapper/mydata /mnt/test

# Run your application
./my_durable_application /mnt/test/data

# During "drop" window, writes are lost
# Application must either:
#   - Fail gracefully (detect write failures)
#   - Retry when device recovers
#   - Have state on disk that allows recovery

Technique 2: libeatmydata

LD_PRELOAD library that makes fsync() return immediately without doing anything:

# Run application with fsync as no-op
LD_PRELOAD=libeatmydata.so ./my_application

# If application breaks: it wasn't handling lack of durability
# If application works: it might be relying on fsync correctly!

# Useful for:
#   - Performance testing without I/O overhead
#   - Identifying excessive fsync() calls
#   - Verifying retry logic handles transient failures

Technique 3: Crash Injection with sqlite3_test_control

SQLite's test infrastructure can inject crashes:

// Crash at specific fsync call
sqlite3_test_control(SQLITE_TESTCTRL_BYTEORDER, ...);

// Or use --enable-debug build with -DSQLITE_CRASH_TEST
// Allows triggering crashes at various recovery points

Technique 4: Hardware-Assisted Testing

For ultimate verification, use actual power control:

Test setup:
  - Controlled power strip (smart plug with API)
  - Test system writing continuously
  - Script that cuts power at random intervals
  - Second system to verify state after power-on

Verification:
  - Boot test system
  - Run consistency check
  - Verify all "committed" data is present
  - Repeat thousands of times

Delayed writes represent the practical middle ground between immediate durability and maximum performance. By understanding the synchronization primitives and their proper use, you can build systems that are both fast and correct.

What's Next

We've now covered three fundamental strategies: write-through (immediate), write-back (eventual), and delayed write (explicit control). Next, we'll examine ordered writes—the technique of controlling which writes complete before others, enabling crash-safe data structures without syncing every operation. Ordered writes are the foundation of journaling filesystems and ACID databases.