101
0/241
Loading content...
Prevention is the primary strategy for lost updates, but detection remains essential for several reasons:
Validation: How do you know your prevention mechanisms are working? Detection techniques can verify that no lost updates are occurring.
Legacy Systems: Existing systems may not have prevention mechanisms in place. Detection helps identify problems before implementing fixes.
Defense in Depth: Even with prevention, detection provides a safety net—catching issues that slip through.
Forensics: When data corruption is discovered, detection techniques help attribute it to lost updates versus other causes.
This page explores the art of detecting lost updates—finding the invisible corruption that produces no errors and leaves no direct traces.
Lost updates are designed by their nature to be invisible. Both transactions commit successfully; no errors occur. Detection requires clever use of secondary signals: independent data sources, statistical anomalies, and deliberate instrumentation. None of these are automatic—they require explicit design.
The most powerful detection technique leverages business invariants—properties that must always hold true. When invariants are violated, lost updates are a prime suspect.
The Approach:
Example: Account Balance Invariant
For a bank account, the invariant is:
Balance = Initial Deposit + Σ(credits) - Σ(debits)
If we maintain a transaction log, we can verify this invariant:
1234567891011121314151617181920212223242526272829
-- Invariant verification: account balance should equal sum of transactionsWITH expected AS ( SELECT account_id, (SELECT initial_deposit FROM account_setup WHERE account_id = t.account_id) + SUM(CASE WHEN type = 'CREDIT' THEN amount ELSE -amount END) as expected_balance FROM transactions t GROUP BY account_id),actual AS ( SELECT account_id, balance as actual_balance FROM accounts)SELECT e.account_id, e.expected_balance, a.actual_balance, a.actual_balance - e.expected_balance as discrepancyFROM expected eJOIN actual a ON e.account_id = a.account_idWHERE a.actual_balance != e.expected_balance; -- If this query returns rows, we have a discrepancy-- Lost updates are a primary suspect -- Example output:-- account_id | expected_balance | actual_balance | discrepancy-- ACC-7821 | 0.00 | 100.00 | +100.00-- ACC-9432 | 1500.00 | 1520.00 | +20.00Designing for Invariant Checking:
To use invariant-based detection effectively, system design must support it:
1. Append-Only Transaction Logs:
Record every operation (credit, debit, increment, decrement) in an immutable log. The log becomes the source of truth for expected values.
2. Derived Field Computation:
Maintain fields that can be recomputed from underlying data. When recomputed values don't match stored values, corruption is detected.
3. Cross-Reference Checks:
Verify that related data remains consistent: order totals match line item sums, inventory counts match movement logs, etc.
Run invariant verification as scheduled background jobs (e.g., nightly). Alert on any violations. Over time, you build confidence that the system maintains correctness—or catch problems early before they compound.
If your system logs incoming requests before processing, you have an independent record of intended operations. Comparing these against actual database state can reveal lost updates.
The Technique:
123456789101112131415161718192021222324252627282930313233343536373839
-- Request logs table: records all incoming increment requestsCREATE TABLE request_log ( request_id UUID PRIMARY KEY, timestamp TIMESTAMP NOT NULL, entity_type VARCHAR(50) NOT NULL, entity_id VARCHAR(100) NOT NULL, operation VARCHAR(50) NOT NULL, amount INT NOT NULL); -- Example: page view increment requests-- Every time a user views a page, we log the request -- Modification logs table: records successful database changesCREATE TABLE modification_log ( mod_id SERIAL PRIMARY KEY, request_id UUID, -- Links to the triggering request timestamp TIMESTAMP NOT NULL, table_name VARCHAR(100) NOT NULL, record_id VARCHAR(100) NOT NULL, old_value TEXT, new_value TEXT); -- Detection query: find requests without corresponding modificationsSELECT r.request_id, r.timestamp as request_time, r.entity_id, r.operation, r.amountFROM request_log rLEFT JOIN modification_log m ON r.request_id = m.request_idWHERE r.entity_type = 'page_view' AND r.timestamp > NOW() - INTERVAL '24 hours' AND m.request_id IS NULL; -- Results show page view requests that did not produce modifications-- These are likely lost updatesCounter Cross-Check:
For counters specifically, compare request counts against counter values:
123456789101112131415161718192021222324252627282930313233343536373839
-- Compare request log count against actual counter valueWITH request_counts AS ( SELECT entity_id as page_id, COUNT(*) as request_count FROM request_log WHERE entity_type = 'page_view' AND timestamp BETWEEN '2024-01-01' AND '2024-01-31' GROUP BY entity_id),actual_counts AS ( SELECT page_id, view_count - lag_view_count as increment_count FROM ( SELECT page_id, view_count, LAG(view_count) OVER (PARTITION BY page_id ORDER BY snapshot_date) as lag_view_count FROM page_count_snapshots WHERE snapshot_date IN ('2024-01-01', '2024-02-01') ) sub WHERE lag_view_count IS NOT NULL)SELECT r.page_id, r.request_count as expected_increments, a.increment_count as actual_increments, r.request_count - a.increment_count as lost_updates, ROUND(100.0 * (r.request_count - a.increment_count) / r.request_count, 2) as loss_percentageFROM request_counts rJOIN actual_counts a ON r.page_id = a.page_idWHERE r.request_count > a.increment_countORDER BY lost_updates DESC; -- Sample output:-- page_id | expected | actual | lost_updates | loss_pct-- P-12345 | 50000 | 47500 | 2500 | 5.00%-- P-67890 | 30000 | 28800 | 1200 | 4.00%If lost update percentages correlate with traffic levels (higher loss during peak hours), this strongly suggests concurrency issues. Low-traffic periods should show near-zero loss rates if the system is otherwise correct.
When independent truth sources aren't available, statistical methods can identify anomalies consistent with lost updates. These techniques look for patterns that shouldn't exist in correctly-operating systems.
Technique 1: Drift Analysis
Monitor cumulative values over time. If values systematically drift in one direction (usually under-counting), this suggests lost updates:
1234567891011121314151617181920212223242526272829303132
-- Drift analysis: compare expected growth rate vs actual-- If a counter should grow roughly linearly but shows consistent under-performance... WITH daily_metrics AS ( SELECT metric_date, daily_requests, -- From web server logs daily_increments, -- From database counter delta daily_requests - daily_increments as daily_loss FROM metric_summary WHERE metric_name = 'page_views' ORDER BY metric_date),cumulative AS ( SELECT metric_date, SUM(daily_requests) OVER (ORDER BY metric_date) as cum_requests, SUM(daily_increments) OVER (ORDER BY metric_date) as cum_increments, SUM(daily_loss) OVER (ORDER BY metric_date) as cum_loss FROM daily_metrics)SELECT metric_date, cum_requests, cum_increments, cum_loss, ROUND(100.0 * cum_loss / cum_requests, 2) as cumulative_loss_pctFROM cumulativeORDER BY metric_date; -- If cumulative_loss_pct increases steadily over time,-- this indicates ongoing lost updates, not one-time errorsTechnique 2: Concurrency Correlation
If lost update rates correlate with concurrency levels, this is a strong signal:
| Hour | Avg Concurrent Connections | Operations | Discrepancies | Loss Rate |
|---|---|---|---|---|
| 00:00-01:00 | 12 | 1,000 | 2 | 0.2% |
| 01:00-02:00 | 8 | 600 | 0 | 0.0% |
| 09:00-10:00 | 145 | 25,000 | 875 | 3.5% |
| 10:00-11:00 | 210 | 40,000 | 1,800 | 4.5% |
| 14:00-15:00 | 180 | 32,000 | 1,120 | 3.5% |
| 22:00-23:00 | 45 | 5,000 | 75 | 1.5% |
The correlation is clear: higher concurrency correlates with higher loss rates. This pattern is diagnostic of lost updates (or other concurrency issues).
Technique 3: Benford's Law Deviation
For certain numeric data (transaction amounts, natural counts), Benford's law describes the expected distribution of leading digits. Systematic under-counting can shift this distribution:
Statistical anomalies don't prove lost updates definitively—they indicate that something is wrong. They're smoke detectors: the smoke (anomaly) tells you to investigate for fire (specific root cause). Combine statistical signals with code review and targeted testing.
Proactive testing can identify lost update vulnerabilities before they reach production. This involves deliberately creating conditions that would cause lost updates if the code is vulnerable.
Approach 1: Concurrent Load Test
Hit an endpoint with many simultaneous requests that all modify the same data:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657
import asyncioimport aiohttpimport random async def test_lost_updates(): """ Test for lost updates by sending concurrent increment requests and verifying the final count matches the request count. """ COUNTER_ID = "test-counter-001" NUM_REQUESTS = 1000 CONCURRENT_REQUESTS = 50 # High concurrency to trigger race conditions # Reset counter to 0 async with aiohttp.ClientSession() as session: await session.post( f"http://localhost:8080/counters/{COUNTER_ID}/reset" ) # Send concurrent increment requests async def increment(): async with aiohttp.ClientSession() as session: response = await session.post( f"http://localhost:8080/counters/{COUNTER_ID}/increment" ) return response.status == 200 # Create batches of concurrent requests successful_requests = 0 for batch in range(NUM_REQUESTS // CONCURRENT_REQUESTS): tasks = [increment() for _ in range(CONCURRENT_REQUESTS)] results = await asyncio.gather(*tasks) successful_requests += sum(results) # Verify final counter value async with aiohttp.ClientSession() as session: response = await session.get( f"http://localhost:8080/counters/{COUNTER_ID}" ) counter_data = await response.json() final_count = counter_data['value'] # Analyze results print(f"Total successful requests: {successful_requests}") print(f"Final counter value: {final_count}") print(f"Lost updates: {successful_requests - final_count}") if final_count < successful_requests: print("❌ LOST UPDATES DETECTED!") print(f" Loss rate: {100 * (successful_requests - final_count) / successful_requests:.2f}%") return False else: print("✓ No lost updates detected") return True # Run testasyncio.run(test_lost_updates())Approach 2: Deterministic Concurrency Test
For more controlled testing, use test harnesses that precisely control transaction timing:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081
import threadingimport time def test_deterministic_lost_update(): """ Uses threading barriers to force the exact R→R→W→W sequence that causes lost updates. """ # Setup: initial balance = 1000 db.execute("UPDATE accounts SET balance = 1000 WHERE id = 'TEST'") # Barriers to synchronize threads both_read = threading.Barrier(2) t1_written = threading.Event() results = {'t1': None, 't2': None} def transaction_1(): conn = db.connect() cursor = conn.cursor() cursor.execute("BEGIN") cursor.execute("SELECT balance FROM accounts WHERE id = 'TEST'") balance = cursor.fetchone()[0] # Reads 1000 # Wait for T2 to also read both_read.wait() # T1 writes first new_balance = balance - 100 # 900 cursor.execute(f"UPDATE accounts SET balance = {new_balance} WHERE id = 'TEST'") cursor.execute("COMMIT") t1_written.set() # Signal T2 that T1 has written results['t1'] = new_balance def transaction_2(): conn = db.connect() cursor = conn.cursor() cursor.execute("BEGIN") cursor.execute("SELECT balance FROM accounts WHERE id = 'TEST'") balance = cursor.fetchone()[0] # Also reads 1000 (stale!) # Wait for T1 to also read both_read.wait() # Wait for T1 to write first t1_written.wait() # T2 writes after T1 - using stale value! new_balance = balance - 200 # 800, should be 700! cursor.execute(f"UPDATE accounts SET balance = {new_balance} WHERE id = 'TEST'") cursor.execute("COMMIT") results['t2'] = new_balance t1 = threading.Thread(target=transaction_1) t2 = threading.Thread(target=transaction_2) t1.start() t2.start() t1.join() t2.join() # Verify final state final_balance = db.query("SELECT balance FROM accounts WHERE id = 'TEST'")[0][0] expected_balance = 700 # 1000 - 100 - 200 print(f"T1 wrote: {results['t1']}") print(f"T2 wrote: {results['t2']}") print(f"Final balance: {final_balance}") print(f"Expected balance: {expected_balance}") if final_balance != expected_balance: print(f"❌ LOST UPDATE: T1's update was overwritten!") print(f" Lost amount: ${expected_balance - final_balance}") else: print("✓ Updates correctly serialized") test_deterministic_lost_update()Deterministic tests are valuable in CI/CD pipelines because they don't rely on timing luck. They force the problematic execution order, ensuring the test catches vulnerabilities every time—not just when thread scheduling happens to align.
Production systems should include continuous monitoring for lost update symptoms. This provides ongoing validation that prevention mechanisms are working.
Key Metrics to Monitor:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657
# Example Prometheus/Grafana monitoring configuration # Metric: Invariant violations detected- name: invariant_violations_total type: counter help: "Total invariant violations detected by verification jobs" labels: - invariant_type - severity alerts: - name: InvariantViolationDetected condition: rate(invariant_violations_total[5m]) > 0 severity: critical message: "Invariant violation detected: {{ $labels.invariant_type }}" # Metric: Request-to-Write discrepancy- name: request_write_discrepancy_ratio type: gauge help: "Ratio of logged requests to recorded writes (should be ~1.0)" labels: - operation_type alerts: - name: PossibleLostUpdates condition: request_write_discrepancy_ratio < 0.99 for: 10m severity: warning message: "Possible lost updates: {{ $value | humanizePercentage }} write rate" # Metric: Optimistic lock retries- name: optimistic_lock_retries_total type: counter help: "Total optimistic lock conflicts requiring retry" labels: - table_name alerts: - name: HighOptimisticLockContention condition: rate(optimistic_lock_retries_total[5m]) > 100 severity: warning message: "High contention on {{ $labels.table_name }}: consider pessimistic locking" # Dashboard panel: Lost Update Risk Score- name: lost_update_risk_score type: gauge calculation: | (1 - request_write_discrepancy_ratio) * 0.4 + (rate(optimistic_lock_retries_total[5m]) / 1000) * 0.3 + (rate(invariant_violations_total[5m])) * 0.3 thresholds: - value: 0.0 color: green label: "Low Risk" - value: 0.1 color: yellow label: "Elevated Risk" - value: 0.3 color: red label: "High Risk - Investigate"Establish monitoring baselines before deploying prevention mechanisms. This allows you to quantify improvement. A system showing 5% request-write discrepancy before fix should show ~0% after—this validates the fix worked.
When data corruption is discovered, forensic analysis determines whether lost updates were the cause—and if so, what data was affected.
Forensic Workflow:
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950
-- Forensic query: Find overlapping transactions on a specific record-- Investigating account 'ACC-7821' for potential lost update -- Step 1: Get all transaction log entries for this account in time windowSELECT transaction_id, start_time, end_time, operation, old_value, new_valueFROM transaction_logWHERE table_name = 'accounts' AND record_id = 'ACC-7821' AND start_time BETWEEN '2024-01-15 09:00:00' AND '2024-01-15 09:10:00'ORDER BY start_time; -- Step 2: Identify overlapping transactions (start_A < end_B AND start_B < end_A)WITH txns AS ( SELECT transaction_id as txn, start_time, end_time FROM transaction_log WHERE table_name = 'accounts' AND record_id = 'ACC-7821' AND start_time BETWEEN '2024-01-15 09:00:00' AND '2024-01-15 09:10:00')SELECT a.txn as txn_a, b.txn as txn_b, a.start_time as a_start, a.end_time as a_end, b.start_time as b_start, b.end_time as b_endFROM txns aJOIN txns b ON a.txn < b.txn -- Avoid duplicate pairsWHERE a.start_time < b.end_time AND b.start_time < a.end_time;-- Rows here indicate overlapping transactions - potential lost update -- Step 3: Check if overlapping transactions both read before either wrote-- (This requires more detailed operation-level logging) -- Step 4: Reconstruct correct value from transaction historySELECT 1000.00 + SUM(CASE WHEN operation = 'CREDIT' THEN amount ELSE -amount END) as correct_balanceFROM transaction_operationsWHERE account_id = 'ACC-7821' AND committed = true;Forensic analysis requires detailed logs. If logs are rotated or deleted before corruption is discovered, forensic analysis becomes impossible. Retain transaction and operation logs for sufficient duration to support investigation.
The most proactive detection method is code review—identifying vulnerable patterns before they reach production. Train developers to recognize these red flags:
| Pattern | Code Smell | Question to Ask |
|---|---|---|
| SELECT then UPDATE | SELECT ... ; /* logic */ ; UPDATE ... | Is there locking or version checking between read and write? |
| Read field, use in computation | val = db.get(); newVal = f(val); db.set(newVal) | Can this be an atomic UPDATE field = field + 1 instead? |
| Check-then-act | if (available) { reserve(); } | Can another transaction pass the check simultaneously? |
| ORM load-modify-save | obj = load(id); obj.value++; save(obj) | Does the ORM use optimistic locking? Is version column present? |
| Missing transaction boundary | No BEGIN/COMMIT around related operations | Are these operations atomic? What if one fails? |
| Async/parallel updates | Promise.all([update1(), update2()]) | Are these updates to the same data? Is there coordination? |
1234567891011121314151617181920212223242526272829303132333435363738394041424344
# ❌ VULNERABLE: Classic lost update patterndef vulnerable_increment(item_id): # Red flag: SELECT then UPDATE without protection item = db.query("SELECT count FROM items WHERE id = ?", item_id) new_count = item['count'] + 1 db.execute("UPDATE items SET count = ? WHERE id = ?", new_count, item_id) # ✓ FIXED: Atomic operationdef atomic_increment(item_id): db.execute("UPDATE items SET count = count + 1 WHERE id = ?", item_id) # ❌ VULNERABLE: ORM without optimistic lockingdef vulnerable_orm_update(item_id): # Red flag: load-modify-save without version checking item = Item.get(item_id) item.quantity -= 1 item.save() # ✓ FIXED: ORM with optimistic lockingdef safe_orm_update(item_id): item = Item.get(item_id) item.quantity -= 1 try: item.save() # Raises StaleObjectError if version changed except StaleObjectError: # Retry with fresh data return safe_orm_update(item_id) # ❌ VULNERABLE: Check-then-actdef vulnerable_booking(room_id, user_id): # Red flag: gap between check and action room = db.query("SELECT available FROM rooms WHERE id = ?", room_id) if room['available']: db.execute("UPDATE rooms SET available=false, user=? WHERE id=?", user_id, room_id) return True return False # ✓ FIXED: Atomic conditional updatedef safe_booking(room_id, user_id): result = db.execute( "UPDATE rooms SET available=false, user=? WHERE id=? AND available=true", user_id, room_id ) return result.rowcount == 1 # True if booking succeededSome static analysis tools can detect these patterns. Configure linters to flag SELECT followed by UPDATE on the same table without intervening locking constructs. This catches vulnerabilities automatically during code review.
We've explored a comprehensive toolkit for detecting lost updates—from proactive code review to reactive forensic analysis. While prevention remains primary, detection provides essential validation and safety nets.
Module Complete:
This concludes our comprehensive exploration of the lost update problem. We've covered:
You now have the knowledge to design concurrent systems that don't lose updates, and to diagnose and fix systems that do.
Congratulations! You've mastered the lost update problem—one of the most critical concurrency anomalies in database systems. Apply this knowledge to build reliable systems that maintain data integrity even under high concurrent load.