loke.dev
Header image for Total Determinism

Total Determinism

Stop chasing heisenbugs and start building systems where every failure is a perfectly reproducible sequence of events.

· 8 min read

I spent three days in 2018 staring at a trace from a distributed key-value store that seemed to defy the laws of physics. According to the logs, a write had been acknowledged by a majority of nodes, yet a subsequent read returned a stale value. I couldn't reproduce it on my laptop. I couldn't reproduce it in the staging environment. It only happened in production, under heavy load, once every few billion requests. It was a Heisenbug—a ghost in the machine that vanished the moment I tried to look closer.

Eventually, I found it: a tiny race condition between a heart-beat timer and a leader election cycle, triggered only when the system clock jumped slightly due to an NTP sync. That’s the moment I realized that building distributed systems on top of "hope" and "wall clocks" is a recipe for a lifetime of late-night pageduty calls.

The alternative is Total Determinism.

Total determinism is the architectural philosophy that if you start with the same initial state and provide the same sequence of inputs, you must—mathematically—end up with the same output and the same final state. No exceptions. No "sometimes."

The Entropy Tax

In a standard distributed system, entropy is everywhere. You have:
1. The Network: Packets are delayed, reordered, or dropped entirely.
2. The Clock: time.now() is a liar. Every node has a slightly different idea of what time it is.
3. Threading: The OS scheduler decides which thread runs when, introducing non-deterministic interleaving.
4. Randomness: uuid.v4() or rand.Int() calls that produce different values on every run.

When these four horsemen of the apocalypse meet, your system becomes a black box. If it crashes, you can't just "replay" the crash. You have to guess.

Building the Deterministic Core

To fix this, we have to treat our entire application logic as a pure function. This means the "business logic" of your distributed system cannot call the outside world. It cannot read the clock, it cannot generate a random number, and it certainly cannot send a network packet.

Instead, the system is modeled as a State Machine.

A Bad, Non-Deterministic Node

Look at this Go snippet. It looks normal, but it’s a nightmare for reproducibility.

type Node struct {
    data map[string]string
}

func (n *Node) HandleRequest(key, value string) {
    // NON-DETERMINISTIC: Depends on the current time of this specific machine
    timestamp := time.Now().UnixNano()
    
    // NON-DETERMINISTIC: ID generation is random
    id := uuid.New().String()
    
    n.data[key] = fmt.Sprintf("%s:%d:%s", value, timestamp, id)
    
    // NON-DETERMINISTIC: Network I/O can fail or delay unpredictably
    go sendToPeers(key, value)
}

If this crashes, you are finished. You can't recreate that timestamp, that uuid, or the exact moment the go sendToPeers routine fired relative to other requests.

The Deterministic Refactor

To make this deterministic, we push all "side effects" to the very edge of the system. The core logic receives everything it needs as an input.

type Event struct {
    Type      string
    Key       string
    Value     string
    Timestamp int64  // Provided by the caller
    Entropy   uint64 // Provided by the caller
}

type DeterministicNode struct {
    data map[string]string
}

// HandleEvent is a pure function. 
// Given the same state and same Event, it produces the same State + Effects.
func (n *DeterministicNode) HandleEvent(e Event) []Effect {
    n.data[e.Key] = fmt.Sprintf("%s:%d:%d", e.Value, e.Timestamp, e.Entropy)
    
    return []Effect{
        {Type: "Replicate", Key: e.Key, Value: e.Value},
    }
}

By passing in the Timestamp and a seed for Entropy, we’ve turned the logic into a predictable machine. If we log every Event that enters the system, we can replay the entire history of the node from scratch and reach the exact same state every single time.

The Magic of Discrete Event Simulation

Once your logic is deterministic, something incredible happens: you can run your entire distributed system inside a simulator.

This is the secret sauce behind systems like FoundationDB and TigerBeetle. Instead of running your code on real servers with real networks, you run it inside a single-threaded loop that simulates the passage of time, the network, and even disk failures.

A Simple Simulator in Python

Here is a conceptual look at how you might simulate a cluster of nodes.

import collections
import heapq

class Simulator:
    def __init__(self):
        self.time = 0
        self.events = [] # Priority queue of (time, node_id, event)
        self.nodes = {}
        self.rng_seed = 42

    def schedule(self, delay, node_id, event):
        heapq.heappush(self.events, (self.time + delay, node_id, event))

    def run(self, iterations):
        for _ in range(iterations):
            if not self.events:
                break
                
            self.time, node_id, event = heapq.heappop(self.events)
            
            # Inject determinism into the event
            event.timestamp = self.time
            event.seed = self.generate_next_random()
            
            # Execute logic
            effects = self.nodes[node_id].handle(event)
            
            # Process side effects (like sending messages)
            for effect in effects:
                if effect.type == "SEND":
                    # Simulate network delay/jitter
                    delay = self.simulate_network_latency()
                    self.schedule(delay, effect.target, effect.msg)

In this world, "time" is just an integer that you control. You can run 10 hours of system "time" in 10 seconds of real-world CPU time.

More importantly, if the simulator finds a bug—say, a deadlock that only happens when three specific packets arrive in a specific order—it prints out the Random Seed. You can then plug that seed back into the simulator and watch the exact same failure happen again. And again. And again.

No more "I can't reproduce it."

The "Wall Clock" Trap

One of the hardest things for developers to grasp is that system_time has no place in a deterministic system. If you use it, you break the simulation.

If your protocol needs to handle timeouts (e.g., "If I don't hear from the Leader in 500ms, start an election"), you don't use time.Sleep() or Timer. You use Logical Ticks.

The environment (the simulator or the real-world adapter) sends a Tick event to your state machine every X milliseconds. Your logic counts these ticks.

func (n *Node) HandleEvent(e Event) {
    switch e.Type {
    case "Tick":
        n.ticksSinceLastHeartbeat++
        if n.ticksSinceLastHeartbeat > 10 {
            n.startElection()
        }
    case "AppendEntries":
        n.ticksSinceLastHeartbeat = 0
        // ... process raft log
    }
}

Now, during a simulation, you can speed up or slow down these ticks. You can even pause them to see what happens if a node's CPU "stalls" while the rest of the network moves on.

Dealing with the Real World (I/O)

You might be thinking: "This is great for a toy, but my app needs to write to a real disk and talk over a real TCP socket."

True. The way we handle this is through Hermetic Interfaces. You define an interface for every side effect. In production, you use the RealNetwork and RealDisk implementations. In your tests, you use SimulatedNetwork and SimulatedDisk.

The crucial part: The logic doesn't know which one it's using.

Example: Deterministic Disk I/O

Disk I/O is notoriously non-deterministic. A write might succeed, or it might fail halfway through (a partial write), or it might "succeed" but the data is corrupted on the next read.

In a deterministic simulation, you can actually model these failures:

class SimulatedDisk:
    def write(self, sector, data):
        if self.simulator.should_fault_inject():
            # Simulate a "torn write" where only half the data hits the platter
            data = data[:len(data)//2] + garbage_bytes()
            self.storage[sector] = data
            return "SUCCESS_BUT_CORRUPT" 
        
        self.storage[sector] = data
        return "OK"

Because your simulator is deterministic, you can test how your database recovers from a torn write. You can verify that your checksumming and WAL (Write-Ahead Log) logic actually works, without having to physically pull the power plug on a server.

Floating Point: The Silent Killer

Here is a gotcha that bites people: Floating point math is often non-deterministic across different architectures.

If you are calculating a risk score or a financial balance using float64, and Node A (Intel) and Node B (ARM) perform the same calculation, they might end up with bits that are slightly different. In a replicated state machine (like Raft or Paxos), a single bit of difference in the state will cause the nodes to diverge, eventually crashing the cluster.

The Fix: Use fixed-point arithmetic or integers for all deterministic logic. If you absolutely must use floats, ensure you are using a software-based floating-point library or very specific compiler flags to ensure cross-platform consistency.

Why isn't everyone doing this?

If total determinism is so powerful, why do we still write "messy" code?

1. The Upfront Cost: Designing a system this way is hard. You have to think about every event, every source of entropy, and every I/O boundary before you write a single line of business logic.
2. Performance: Sometimes, pushing everything through a single-threaded state machine (like Node.js or Redis) is slower than a multi-threaded "free-for-all." However, projects like TigerBeetle have shown that you can achieve massive throughput (1m+ transactions per second) using a deterministic, single-threaded execution model per shard.
3. Legacy: It's almost impossible to retrofit total determinism onto an existing, messy codebase. You usually have to start from scratch.

The Payoff

The payoff of total determinism isn't just "fewer bugs." It's a fundamental shift in how you develop software.

When you have a deterministic simulator, you can run Fuzz Tests. You can tell the simulator: "Run 100,000 different scenarios with 100,000 different random seeds. In each scenario, randomly drop 10% of packets, delay others by 500ms, and crash one node every 20 seconds."

If the simulator finds a violation of your invariants (e.g., "Two nodes think they are the Leader at the same time"), it stops and gives you the seed.

You can then fix the bug, run that specific seed again, and *prove* the bug is gone. This is the difference between being a "software plumber" and a "software engineer."

Practical Steps to Get Started

You don't have to build a full FoundationDB clone to benefit from this.

* Dependency Injection for Time: Stop using time.Now(). Pass a Clock interface or a timestamp into your functions.
* Log Your Inputs: If you log every external message and its arrival order, you're halfway to a replayable system.
* Separate Pure Logic from Side Effects: Try to write your core logic as a function that takes (State, Input) -> (NewState, ListOfEffects).

Total determinism is about taking the "luck" out of distributed systems. It’s about building a world where a failure is not a mystery, but a reproducible sequence of events waiting to be solved. It’s a lot of work, but the first time you replay a complex race condition on your local machine and fix it in ten minutes, you'll never want to go back to the old way.