Bounded uncertainty
Google Spanner uses TrueTime, an API backed by GPS and atomic clocks. Instead of returning a single instant, it returns an interval of earliest and latest, with a guarantee that the true time lies inside. The width of that interval, often a few milliseconds, is the uncertainty epsilon.
Commit wait
The clever trick is commit wait. To assign a commit timestamp t, a transaction picks t at the latest bound, then waits until the now interval is entirely past t before releasing locks.
- After commit wait, every other node will read a TrueTime whose earliest bound is greater than t.
- So any later transaction is guaranteed a strictly larger timestamp.
This gives external consistency: if transaction A commits before B starts in real time, A has a smaller timestamp. The cost is a deliberate latency equal to the uncertainty epsilon.
The trade off
- Tight clock synchronization shrinks epsilon and the wait.
- Hardware clocks make the bound small enough that commit wait is only milliseconds.
Key idea
TrueTime exposes clock uncertainty as an interval, and commit wait pauses out that uncertainty to deliver globally consistent, externally ordered timestamps.