Journal commit order isn't required to match oplog optime order on document-locking storage engines. We have a mechanism to hide oplog ops that are ahead of uncommitted ops, but it currently does not consider durability. This can lead to a scenario where a secondary has ops 1, 2, 3 while a former primary restarts after a crash with just 1 and 3 but no 2. Since they both have the same highest point (3), they will assume they are consistent.
The fix for this involves two semantic changes related to reading from the oplog:
1) If there are any hidden writes at the time a write is assigned an optime, we must wait for that write to be durable before making it visible.
2) Reverse oplog cursors should ignore visibility rules and always return the newest committed op.
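The following is an added toy model of the two rules above, not MongoDB code: it simulates a primary whose storage engine commits and journals ops in an order that differs from optime order, replays the 1, 2, 3 scenario under the old commit-only visibility rule and under a durability-aware rule, and shows a reverse cursor that ignores the visibility point. The class and method names, and the simplification of rule 1 to "the visibility point never advances past a non-durable op", are this example's own assumptions.

```python
"""Toy model of oplog visibility versus durability (illustration only, not MongoDB code).

Assumptions: a single visibility point in optime order; an op is 'committed' when
the storage engine transaction commits in memory and 'durable' once it has been
journaled; a crash discards everything that is not durable.
"""
from dataclasses import dataclass


@dataclass
class Op:
    optime: int
    committed: bool = False  # storage-engine transaction committed (in memory)
    durable: bool = False    # write has reached the on-disk journal


class Oplog:
    """Hypothetical oplog with an optime-ordered visibility point."""

    def __init__(self, require_durable: bool):
        # require_durable=False: old rule, hide only ops ahead of uncommitted ops.
        # require_durable=True:  rule 1, also hide ops ahead of non-durable ops.
        self.require_durable = require_durable
        self.ops: dict[int, Op] = {}
        self.next_optime = 1

    def assign_optime(self) -> int:
        t = self.next_optime
        self.next_optime += 1
        self.ops[t] = Op(t)
        return t

    def commit(self, t: int) -> None:
        self.ops[t].committed = True

    def journal(self, t: int) -> None:
        if not self.ops[t].committed:
            raise ValueError(f"op {t} cannot be journaled before it is committed")
        self.ops[t].durable = True

    def visibility_point(self) -> int:
        """Highest optime such that every op at or below it satisfies the rule in force."""
        point = 0
        for t in sorted(self.ops):
            op = self.ops[t]
            settled = op.committed and (op.durable or not self.require_durable)
            if not settled:
                break  # this op and everything after it stay hidden
            point = t
        return point

    def forward_read(self) -> list[int]:
        """What a tailing secondary fetches: ops up to the visibility point."""
        vp = self.visibility_point()
        return [t for t in sorted(self.ops) if t <= vp]

    def reverse_top(self, ignore_visibility: bool):
        """Reverse cursor: newest committed op. Rule 2 says to ignore the visibility point."""
        committed = [t for t, op in self.ops.items() if op.committed]
        if not ignore_visibility:
            committed = [t for t in committed if t <= self.visibility_point()]
        return max(committed, default=None)

    def crash_and_restart(self) -> None:
        """Only journaled ops survive a crash; in-memory commits are lost."""
        self.ops = {t: op for t, op in self.ops.items() if op.durable}


def build_primary(require_durable: bool) -> Oplog:
    """Constructed scenario: commit order 1, 3, 2; journal order 1, 3; op 2 never journaled."""
    primary = Oplog(require_durable)
    for _ in range(3):
        primary.assign_optime()
    primary.commit(1)
    primary.commit(3)
    primary.journal(1)
    primary.journal(3)
    primary.commit(2)  # committed in memory, not yet durable when the crash hits
    return primary


def run_scenario(require_durable: bool) -> tuple[list[int], list[int]]:
    """Return (ops the secondary fetched, ops the primary has after crash and restart)."""
    primary = build_primary(require_durable)
    secondary_ops = primary.forward_read()
    primary.crash_and_restart()
    return secondary_ops, sorted(primary.ops)


def reverse_cursor_demo() -> tuple:
    """Under rule 1 ops 2 and 3 are hidden, yet a reverse cursor must still report 3."""
    log = build_primary(require_durable=True)
    return log.reverse_top(ignore_visibility=False), log.reverse_top(ignore_visibility=True)


if __name__ == "__main__":
    for label, flag in (("commit-only visibility", False), ("durable visibility", True)):
        secondary, primary = run_scenario(flag)
        lost = sorted(set(secondary) - set(primary))
        print(f"{label}: secondary={secondary} primary-after-restart={primary} "
              f"ops the secondary has but the primary lost={lost}")
    print("reverse cursor (honoring visibility, ignoring visibility):", reverse_cursor_demo())
```

Under the commit-only rule the secondary fetches 1, 2, 3 while the restarted primary holds only 1 and 3; both report 3 as their top, which is exactly the undetected divergence described above. Under the durability-aware rule the secondary stops at 1, so it never holds an op the primary can lose, and the reverse cursor still reports 3 as the newest committed op.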