![Counter - lost update](pg_conc1.png){#fig-counter-lost-update}



# Experimental environment

To check behaviour of postgres, we will run the official docker container, and create some tables.
We will use sqlalchemy ORM for working with that.

In [1]:
# !docker run -d --name pg-concurrency -e POSTGRES_PASSWORD=mysecretpassword -p 2345:5432 postgres

In [23]:
#| label: Tables-setup
#| lst-cap: Y
#| lst-label: Z
#| code-fold: true
#| code-summary: Tables used in examples

from sqlalchemy import create_engine, insert, select, text, Integer, String, Text
from sqlalchemy.orm import declarative_base, mapped_column, Session
import pytest

PG_URL = 'postgresql+psycopg2://postgres:mysecretpassword@localhost:2345/postgres'
engine = create_engine(PG_URL)

Base = declarative_base()

class User(Base):
    __tablename__ = 'users'

    id = mapped_column(Integer, primary_key=True)
    name = mapped_column(String, nullable=True)


class Product(Base):
    __tablename__ = 'product'
    
    id = mapped_column(Integer, primary_key=True)
    name = mapped_column(String, nullable=True)
    num_likes = mapped_column(Integer, default=0)

    def __str__(self):
        return f'p#{self.id}'

Base.metadata.drop_all(engine)
Base.metadata.create_all(engine)


In [24]:
#| label: Utilities
#| code-fold: true
#| code-summary: Utilities used in examples

ses_autocommit = Session(
    engine.execution_options(isolation_level="AUTOCOMMIT"), 
    autoflush=True, autobegin=True
)

# Clean table
def clean_table():
    ses_autocommit.execute(text("DELETE from product"))#; session.commit()
    ses_autocommit.execute(text("DELETE from users"))#; session.commit()
from sqlalchemy.orm import sessionmaker

ReadCommittedSession = sessionmaker(create_engine(PG_URL, isolation_level='READ COMMITTED'), autoflush=True)
RepeatableReadSession = sessionmaker(create_engine(PG_URL, isolation_level="REPEATABLE READ"), autoflush=True)
SerializableSession = sessionmaker(create_engine(PG_URL, isolation_level="SERIALIZABLE"), autoflush=True)


# Bare minimum - Repeatable Reads (RC) level

The minimal isolation level, which provides only basic guarantee - nobody sees changes produced by a transaction unless it's committed. This is called, __"dirty reads"__ prevented. Otherwise it would be a nightmare, isn't it?

::: {.callout-note}
Could we go below this level, and database would allow dirty reads?
In SQl standard there's a level called "READ UNCOMMITTED" which sits below RC and suppose to do exactly this, but Postgres developers decided to not implement it. More correctly, it presents but behaves exactly as RC. In the docs you can find the reasons for that: "This is because it is the only sensible way to map the standard isolation levels to PostgreSQL's multiversion concurrency control architecture.". But actually I'm thinking it's just not very helful for anything. I can barely imaging a system which would tolerate repeatable reads (as well as  __"repeatable writes"__). This is basically an auto-commit mode with possibility to revert all changes back. Could be useful for something?

:::


So, when you're running in RC, you can be sure that nobody will see your changes before (and if) you commit. But which changes you see? The answer is, on each operation you see:

* your current changes (made by previous operations)
* the most fresh global state of db (of course, comitted)

It means, if some transaction committed in between your subsequent queries, it will immediately affect you on the next query (or commit).


These two behaviour aspects are illustrated in the following code:

In [21]:
#| label: RC
#| lst-cap: Y
#| lst-label: Z
#| code-fold: true
#| code-summary: RC guarantees in action

clean_table()

with (
    ReadCommittedSession() as Alice,
    ReadCommittedSession() as Bob
):
    # 1
    Alice.add(
        Product(name='inserted by Alice')
    )

    # 2
    found = Bob.query(Product).filter(Product.name=='inserted by Alice').all()
    assert not found, "Dirty read prevented !"
    
    # 3
    Alice.commit()

    # 4: the same query now gives another result - this is called "non-repeatable reads"
    # which is fine for RC level
    found = Bob.query(Product).filter(Product.name=='inserted by Alice').all()
    assert found, "This is non-repeatable read :("


# Non-consistent snapshot


You may think, RR provides fair conditions? The second rule sounds even attractive - you're working always with an up-to-date data. If something changes in db, you immediately sees it. Your code should just tolerate the case of __"non-repeatable read"__ (or __"phantom read"__, there're small differencies between these two anomalies, but essentially it's the same): you run some query in the beginning of transaction, later repeat exactly the same query, and the result could be different. Maybe you're working with some record, and your next operation is an update of this record; but another transaction just deleted this record in meanwhile; your code should not be broken because of that suprise.

If it doesn't confuse you - all seems good.

**When it's a not acceptable ?**

When you're running a kind of snapshot of database state,
and you need a consistent view of database.

Example:

Imagine banking system with 2 tables - Cards and Accounts.
You going to make a report of current state of these 2 tables.
The following transaction running in RC will provide you an inconsistent report:

1. You dump (`SELECT * FROM Accounts`) all the accounts
2. Some transaction creates a new card #N and account attached to it.
3. You dump all cards

Result: The resulting report have broken link: a card #N with non-existing account.


# Need for locks

But another thing missed in RC is any kind of automatic locking, which help you to tackle concurrent data modifications.

The first example is __lost update__, occuring with quite standard Read-Modify-Write pattern.
Imaging Accounts table, and Alice wants to send 10$ to Carl. The same wants to do Bob,
and Carl should expect increase of 20$ on their balance.
Both Bob and Alice runs their transactions in RC mode:

1. Alice reads account of Carl and observes the current balance of 100$
2. Bob does the same: reads account of Carl and observes the current balance of 100$
3. Alice adds 10 to current balance of 100, and updates Carl record with value of 110$. Commits.
4. Bob does the same: adds 10 to current balance of 100, and updates Carl record with value of 110$. Commits

The last update of Bob overrides that one of Alice, and the resulting balance of Carl is only 110$.

You can say it's quite naive to make increments on client side, and that could be fixed with database increments (`...SET balance = balance + 10`).
 While it helps in this case, it's not a remedy in general situation. 

Here's another example:

Now you're going to make a transfer from account "Alice",
but the only thing you should check beforehand is that account has enough money.
Your transaction runs in RC mode:

1. You read Alice balance - let it be 100. It's more that required 80$, so proceeding.
2. Some other transaction decreases balance to 50$.
3. You're decreasing the balance by 80$ (with help of `UPDATE balance=balance-80 WHERE ...`).
4. Commit. 

Nothing prevents you to commit, process inapropriate spending. In result, Alice balance is negative. You could fix this exact case by imposing constrains on column "balance", but there's no general treatment.


Allright, all such cases should be resolved with locks.
Reminding, there're two types of locks:

* pessimistic locking, with help of real, explicit locks (`SELECT FOR UPDATE`)[^pessimistic]
* optimistic locking, enforced by higher isolation levels

So, staying on RC level, you can fallback to explicit locks in Read-Modify-Write cycle,
or move to higher isolation level to enjoy safety provided by optimistic locking.

[^pessimistic]: Such locks has performance advantages in case of frequent contention. 
    But a lot of disadvages, such as: 
        1. you need to take care of them manually, which complicates development
        2. possibility of deadlocks
        3. poor performance in case of extensive usage with low chance of conflict

The following example is also illustrated in @fig-counter-lost-update.

In [18]:
# Example of lost update

clean_table()

product = Product(name='common')
ses_autocommit.add(product)#; ses_autocommit.commit()
ses_autocommit.flush()


level = 'READ COMMITTED'
# level = 'REPEATABLE READ'
with (
    Session(create_engine(PG_URL, isolation_level = level)) as session_A,
    Session(create_engine(PG_URL, isolation_level = level)) as session_B
):
        # 1
        pA = session_A.get(Product, product.id)
        assert pA.num_likes == 0 

        # 2
        pB = session_B.get(Product, product.id)
        assert pB.num_likes == 0         
        
        # 3
        pA.num_likes += 1
        session_A.commit()

        # 4
        pB.num_likes += 1
        session_B.commit()

ses_autocommit.refresh(product)

# 5
assert product.num_likes == 1, "Update is lost"



# Golden mean - Repeatable Reads (RR) level

RR level adds the following policies on top of RC:

* you're working with the same database state (snapshot) from the beginning of the transaction to the end (commit)
* optimistic locking is set for the records you modify


When transaction begins, current database snapshot[^MVCC] is taking and you stay within it up to the end,
this is why this level also called __Snapshot Isolation__.
As we already discussed, it's a neccesary condition for snapshots/reports generation, including full database dumps and system snapshots allowing to later restore.

[^MVCC]: Internally it's achieved through MVCC mechanism. It's quite similar to Git  - transaction starts its own branch with later attempt to merge back into master.

In [19]:
# Prevention of non-repeatable read example

clean_table()

with (
    Session(create_engine(PG_URL)) as session_A,
    Session(create_engine(PG_URL, isolation_level = "REPEATABLE READ")) as session_B
):
        # 1
        session_A.add(Product(name='from A'))

        # 2
        found = session_B.query(Product).filter(Product.name=='from A').all()
        assert not found, "Dirty read prevented :)"
        # 3
        session_A.commit()

        # 4
        found = session_B.query(Product).filter(Product.name=='from A').all()
        assert not found, "Non-repeatable read prevented :)"


But probably more important feature provided by RR - optimistic locking on the data you write.

This way you handle a lot of concurrency issues, exactly concurrent modifying of the same records.


In [22]:
import pytest

clean_table()

product = Product(name='common')
ses_autocommit.add(product); ses_autocommit.flush()


with (
    ReadCommittedSession() as Alice,  # This transaction could be on any level
    RepeatableReadSession() as Bob
):
        # 1
        pA = Alice.get(Product, product.id)
        assert pA.num_likes == 0 

        # 2
        pB = Bob.get(Product, product.id)
        assert pB.num_likes == 0         
        
        # 3
        pA.num_likes += 1
        Alice.commit()

        # 4: on this step, transaction was failed to commit, and lost update was prevented
        Bob.refresh(pB)
        assert pB.num_likes == 0, "Repeatable read enforced"
        pB.num_likes += 1

        with pytest.raises(Exception) as excinfo:
            Bob.commit()
        assert (
              "could not serialize access due to concurrent update" in str(excinfo.value)
        )

ses_autocommit.refresh(product)

# 5
assert product.num_likes == 1, "Second update was reverted"




How granular is the optimistic locking provided by RR?
It has the same granularity as pessimistic ones (`SELECT FOR UPDATE Products WHERE id=1`).
It means, you lock the whole row. Despite the other transactions could only modify another column of the row, you will not be able to commit. Technically, there will be no write conflicts or lost updates. Here's an example:

In [26]:

clean_table()

product = Product(name='common')
ses_autocommit.add(product); ses_autocommit.flush()


with (
    ReadCommittedSession() as Alice,  # This transaction could be on any level
    RepeatableReadSession() as Bob
):
        # 1
        pA = Alice.get(Product, product.id)
        assert pA.num_likes == 0 

        # 2
        pB = Bob.get(Product, product.id)
        assert pB.num_likes == 0         
        
        # 3 Alice modifies another column - name
        pA.name = "Alice's favourite product"
        Alice.commit()

        # 4: on this step, transaction was failed to commit, and lost update was prevented
        
        pB.num_likes += 1
        with pytest.raises(Exception) as excinfo:
            Bob.commit()
        assert (
              "could not serialize access due to concurrent update" in str(excinfo.value)
        )

ses_autocommit.refresh(product)

# 5
assert product.name == "Alice's favourite product", "Effect of Alice's transaction"
assert product.num_likes == 0, "Bob's transaction was not commited"




As we see, RR is a powerful concurrency mechanism, capable to solve the cases of modifying the same records (rows).
But what if there're no row to impose lock onto?
Basically, we're talking about the case covered by whole-table locks:
we want to enforce some business rule on table level, e.g. uniqueness of some type of records.

In [27]:
clean_table()

level = 'REPEATABLE READ'

unique_name = 'Unique'
with (
    Session(create_engine(PG_URL, isolation_level = level)) as session_A,
    Session(create_engine(PG_URL, isolation_level = level)) as session_B
):
    #1
    found = session_A.query(Product).filter(Product.name == unique_name).all()

    assert not found, "A decides the name is not taken"

    session_A.add(Product(name=unique_name))

    #2
    found = session_B.query(Product).filter(Product.name == unique_name).all()

    assert not found, "B decides the name is not taken"

    session_B.add(Product(name=unique_name))

    #3
    session_A.commit()

    session_B.commit()


found = session_A.query(Product).filter(Product.name == unique_name).all()
assert len(found) == 2, "Uniqness checking logic was bypassed :("




In such cases, you can fallback to use of table-wide explicit locks.

# Serializable (S) - too safe to be true

Standard formulation: level S guarantees that if transaction commit is accepted, **there's an order of transactions which gives the same result** if they are running one by one, serially. Which basically means - you can think there's no concurrency at all, no concurrency anomalies could happen[^Reject].

[^Reject]: Of course - for those transactions which were commited.
Basically, the only concurrency anomaly you can face - commit rejected.



But I like to think about this level as an addon to RR, which adds **an additional optimistic locks on read queries (and bulk update) **[^predicate-lock]. In addition to checking for the records you modify (which is available on RR too), you check for all the records you have read or could have read, in case they were already commited.

[^predicate-lock]: Which is called __predicate locks__

If you read some set of records in the beginning of transaction,
and before your commit some other transaction did something which changes the result of the same query if it would be repeated now - your transaction will be rejected.
It makes a lot of sense - your logic could depend on previous read results, and your actions would be different now, when data was changed.

Let's look how it solves previous example of checking for table-wide uniqueness:


In [13]:
clean_table()

unique_name = 'Unique'


# Both transactions should be serial. !!
with (
    SerializableSession() as Alice,
    SerializableSession() as Bob
):
    #1 Alice checks the name is not taken, and takes it
    found = Alice.query(Product).filter(Product.name == unique_name).all()

    assert not found, "Alice decides the name is not taken"

    Alice.add(Product(name=unique_name))

    #2 Bob does the same
    found = Bob.query(Product).filter(Product.name == unique_name).all()

    assert not found, "Bob decides the name is not taken"

    Bob.add(Product(name=unique_name))

    #3
    Alice.commit()

    #4
    with pytest.raises(Exception) as excinfo:
        Bob.commit()
    assert (
        "could not serialize access due to read/write dependencies among transactions" in str(excinfo.value)
    )

found = ses_autocommit.query(Product).filter(Product.name == unique_name).all()
assert len(found) == 1, "Uniqness checking logic was not bypassed! :)"





**How technically this is implemented?**

So called __predicate locks__ are used. Conceptually, on each your `SELECT` query, the predicate is saved (basically, `WHERE` condition, defining the set of rows returned). They doesn't really lock anything, but just are used to find out dependencies between transactions. If it's not possible to reorder and serialize them (which means, cycles present), a transaction (the last one) is rejected. 

This is a difference from optimistic row-level locks, available at RR,
where last transaction is always rejected.
In the case predicate logs, Postgres will try to reorder transactions, and only if it's not possible - reject one.

In the following example, you see a reordering of transactions. 
Alice already created a product and commited by the time
Bob takes a decision based on already outdated information.
Despite that, it's possible to reorder transactions (first Bob, then Alice) making both Alice'c and Bob's actions consistent.[^diff_from_prev]
This is quite fair: which transaction would be committed first, Alice or Bob, is anyway a random choice.

[^diff_from_prev]: The subtle difference from the previous example is only in the step 2. When Bob creates record in `products` table, it makes transactions non-serializable. When there's a write to `users` table - all good.

In [17]:
clean_table()

unique_name = 'Unique'


# Both transactions should be serial. !!
with (
    SerializableSession() as Alice,
    SerializableSession() as Bob
):
    #1 Alice checks the name is not taken, and takes it
    found = Alice.query(Product).filter(Product.name == unique_name).all()

    assert not found, "Alice decides the name is not taken"

    Alice.add(Product(name=unique_name))

    #2 Bob does the same
    found = Bob.query(Product).filter(Product.name == unique_name).all()

    assert not found, "Bob decides the name is not taken"

    Bob.add(
        User(name=f"I'm Bob who observed {len(found)} products in db.")
    )
    
    #3
    Alice.commit()

    #4

    Bob.commit()


found = ses_autocommit.query(Product).filter(Product.name == unique_name).all()
assert len(found) == 1, "Uniqness checking logic was not bypassed! :)"

assert (
    ses_autocommit.query(User).first().name 
    == "I'm Bob who observed 0 products in db."
)


An important thing to clarify: **both transactions should be of Serializable level** to enforce this behaviour. In other words - those checks works only between serializable transactions. If some transaction on lower level changes the data that you read inside Serializable, nothing will prevent you to commit (and probably make an error).


In [5]:
## Case of one transaction of lower level

clean_table()

# Both transactions should be serial. !!
with (
    SerializableSession() as Alice,
    ReadCommittedSession() as Bob  
):
    #1
    read_products = list(Alice.query(Product).all() )
    print(read_products)

    # 2
    Bob.add(Product(name='this product is something new, not seen by Alice yet'))
    Bob.commit()
    # 3
    
    Alice.add(Product(name='something'))
    Alice.commit()

assert ses_autocommit.query(Product).count() == 2, "both transactions accepted"


[]


# Summary - mental model

Let's summarize isolation levels of Postgres.
This is a table taken from official postgres documention:
![Isolation levels (from postgres doc.)](Postgres_iso_levels.png){#fig-postgres-levels}

I propose an alternative model of thinking about these levels, 
which I find more simple and easier to remember.

| level | Which data you can see/modify?[^my-data]  | Optimistic locking? | What happens on commit? |
|---------|:-----|------:|:------:|
| RC      | Fresh current state, committed so far  |    No |   _   |
| RR     | Snapshot - comitted by the start of tr.  |   On records you modified |  Abort, if conflict detected   |
| S       | Snapshot - comitted by the start of tr.    |  Plus, on predicates you used (either in SELECT or bulk UPDATE)  |   Try to reorder transactions, if not possible - abort the last one     |

: My model of isolation levels {#tbl-letters}

[^my-data]: Besides created by me during this transaction execution.