The official document says that synchronous-commit with automatic failover will not lose data. But I'm still confused about how this is guaranteed. Actually, I'm confused about where the replication, commit, ack of the secondary, and reply to the client are located in the workflow.
Is it possible that some synchronous-commit secondaries ack but the master crashes before receiving all acks? In this case, some of the secondaries are ahead in the transaction log, and one of them becomes the next master, with the uncommitted transaction committed.
Or maybe Always On does 2PC: the master sends a commit signal to all secondaries, and the secondaries commit after receiving the signal? Then will there be a condition where the master crashes after sending the commit signal but before it replies to the client, so we still have an uncommitted transaction committed?
I've set up the availability group myself, but I'm not sure how to confirm my suspicion because SQL Server is not open source.
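One way to observe the state this question is about on a running availability group (an added example, not part of the original post): the DMVs below report, per database replica, the last log block each replica has hardened to disk alongside the last commit record it has processed, and whether the primary waits for that replica's hardening ack before acknowledging a commit. Run it on the primary; every view and column used is a documented SQL Server object.

```sql
-- Added example: per-replica hardening vs. commit progress in an availability group.
SELECT
    ag.name                              AS ag_name,
    DB_NAME(drs.database_id)             AS database_name,
    ar.replica_server_name,
    ars.role_desc,                       -- PRIMARY / SECONDARY
    ar.availability_mode_desc,           -- SYNCHRONOUS_COMMIT / ASYNCHRONOUS_COMMIT
    ar.failover_mode_desc,               -- AUTOMATIC / MANUAL
    drs.synchronization_state_desc,      -- SYNCHRONIZED / SYNCHRONIZING / NOT SYNCHRONIZING
    drs.is_commit_participant,           -- 1 = commits on the primary wait for this replica's hardening ack
    drs.last_hardened_lsn,               -- last log block durably written on this replica
    drs.last_hardened_time,
    drs.last_commit_lsn,                 -- last commit log record processed on this replica
    drs.last_commit_time,
    drs.end_of_log_lsn                   -- end of the replica's local transaction log
FROM sys.dm_hadr_database_replica_states        AS drs
JOIN sys.availability_replicas                  AS ar  ON ar.replica_id  = drs.replica_id
JOIN sys.availability_groups                    AS ag  ON ag.group_id    = ar.group_id
JOIN sys.dm_hadr_availability_replica_states    AS ars ON ars.replica_id = drs.replica_id
ORDER BY ag.name, database_name, ars.role_desc DESC;
```

A synchronous-commit replica is only an automatic-failover target while it reports SYNCHRONIZED; comparing last_hardened_lsn across the rows shows how far each replica's durable log trails the primary's.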