>>> It seems doable, but it's not pretty. One possible scheme would be to
>>> emit a record *after* chosing a name but *before* creating the file,
>> No, because the way you know the name is good is a successful
>> open(O_CREAT).
> The idea was to log *twice*. Once the we're about to create a file, and
> the second time that we succeeded. That way, the filename shows up in the
> log, even if we crash immediatly after physically creating the file, which
> gives recovery at least a chance to clean up the mess.

It sounds like if the reason it fails is because someone else created the same
file name you'll delete the wrong file?

