Write failures during a clean shutdown can leave WiredTiger tables inconsistent with each other on restart.

WT_CONNECTION::close attempts to continue after most errors so that it can free as many resources as possible. However, continuing after some writes fail during clean shutdown could incorrectly go on to mark the database as clean so that recovery would be skipped next time the database is opened. If some tables were successfully flushed before the error occurred, this could lead to inconsistencies in the data.

For example, if WiredTiger successfully closes a MongoDB _id index (making it durable), but writes fail before the corresponding collection becomes durable, then on restart, when replication replays the oplog entries, it can successfully insert into the collection but then unexpectedly find the _id entries from before the shutdown, causing an assertion failure.

WiredTiger should do a full checkpoint as part of a clean shutdown to avoid trees becoming inconsistent in this situation.