Databases
HOT updates and isolation levels: what you gain and what you pay
Crux HOT updates cut index write cost by up to 70% when conditions are right; the four isolation levels decide which concurrency anomalies the database prevents vs leaves to the application.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at middle altitude — in the skyEvery UPDATE in Postgres writes a new tuple. If the table has five indexes, each UPDATE writes five new index entries. HOT updates eliminate that cost — but only under two specific conditions. And the isolation level you pick determines which correctness bugs the database prevents vs which it leaves to your application code.
HOT updates: an optimization with a famous cost model
If an UPDATE touches no indexed column and the new tuple fits on the same heap page as the old, Postgres can perform a heap-only tuple (HOT) update:
- The old tuple gets flag
HEAP_HOT_UPDATED— “follow thet_ctidchain to find me” - The new tuple gets flag
HEAP_ONLY_TUPLE— “no index entry points at me directly” - The index continues pointing at the original tuple; the heap chain carries the lookup the rest of the way
- Result: two index writes become zero
On UPDATE-heavy workloads where most columns are not indexed, this is the difference between WAL doubling and barely growing — a 30–70% WAL savings.
HOT chains break when the new version cannot fit on the original page; once broken, every subsequent UPDATE pays the index-write cost again. The fillfactor storage parameter (ALTER TABLE t SET (fillfactor=85)) reserves free space on each page precisely so HOT chains have room to grow.
| Condition | HOT eligible? | Index writes |
|---|---|---|
| No indexed column changed, new tuple fits same page | Yes | 0 |
| No indexed column changed, but page is full | No (chain breaks) | 1 per index |
| Indexed column changed | No | 1 per index |
Why this works
pg_stat_all_tables.n_tup_hot_upd divided by n_tup_upd gives the HOT ratio. On UPDATE-heavy schemas you want this above 80%. Below 50% means fillfactor is too aggressive or the schema has the wrong index set for the workload.
The four isolation levels Postgres exposes
SQL standard defines four levels by listing anomalies they allow or prohibit: dirty reads, non-repeatable reads, phantom reads, and serialization anomalies.
| Level | Dirty read | Non-repeatable read | Phantom read | Write skew |
|---|---|---|---|---|
| READ UNCOMMITTED | Possible (Postgres: no) | Possible | Possible | Possible |
| READ COMMITTED (default) | No | Possible | Possible | Possible |
| REPEATABLE READ | No | No | No (PG) | Possible |
| SERIALIZABLE | No | No | No | No |
Postgres specifics:
- Read Uncommitted is silently treated as Read Committed; Postgres never allows dirty reads at any level.
- Read Committed (the default) gives each statement a fresh snapshot.
- Repeatable Read gives the whole transaction one snapshot taken at the first statement; Postgres implements RR as snapshot isolation — stronger than the SQL standard’s RR (no phantom reads) but weaker than true serializable (write skew is still possible).
- Serializable (since 9.1) layers Serializable Snapshot Isolation (SSI) on top of RR: Postgres tracks read–write dependencies and aborts transactions whose commit order cannot correspond to any serial schedule, throwing SQLSTATE 40001.
What the application must do
Under READ COMMITTED: the application is responsible for avoiding lost updates via:
SELECT ... FOR UPDATE(pessimistic locking on the row), orUPDATE ... WHERE version = ?with optimistic concurrency, orRETURNINGto confirm the row had the expected value.
Under REPEATABLE READ and SERIALIZABLE: the database raises SQLSTATE 40001 serialization_failure when a conflict is detected. The application’s only correct response is to retry the entire transaction. Frameworks like Django, ActiveRecord, and Hibernate ship retry middlewares.
When to pick which level
- READ COMMITTED: 90% of business logic — maximum throughput, fresh snapshot per statement.
- REPEATABLE READ: when the transaction reads a set of rows multiple times and needs consistency between those reads (e.g., a report that sums fields then cross-checks the aggregate version).
- SERIALIZABLE: when the business logic has an invariant only preserved by absence of write skew (e.g., “at least one doctor on call”, “no account goes below zero”). Adds up to 5x cost and requires the application to handle retries.
Write skew under Repeatable Read
Write skew is the canonical Repeatable Read anomaly Postgres does not prevent. Two transactions read the same set, decide based on the set, and each modifies a different row in that set. Both commit; the invariant is broken.
Trace it
1/6 Trace a write-skew anomaly under Repeatable Read that Serializable would prevent.
1
Step 1 of 6
Setup: a doctors table with on_call boolean. Two doctors, alice and bob, both on_call=true. The application invariant: at least one doctor must remain on_call at all times.
Two app instances each let one doctor go off-call only if at least one other remains on-call.
2
Locked
T1 (alice removing her shift): SELECT COUNT(*) FROM doctors WHERE on_call = true. Returns 2. Decides safe to proceed.
Under Repeatable Read snapshot taken at BEGIN, T1's view: two doctors on call.
3
Locked
T2 (bob removing his shift, concurrent with T1): same SELECT, same snapshot view. Returns 2.
T2's snapshot also sees two on-call doctors. Both transactions think they are safe.
4
Locked
T1: UPDATE doctors SET on_call = false WHERE name = 'alice'. Commits.
T1 commits successfully. No row-version conflict because T1 touched alice and T2 touched bob.
5
Locked
T2: UPDATE doctors SET on_call = false WHERE name = 'bob'. Commits.
Under Repeatable Read, T2 commits too. Now both doctors are off-call. The invariant is broken. This is write skew.
6
Locked
Under Serializable, what would have happened?
SSI tracks read-write dependencies. T1 read the set of on-call doctors and wrote alice; T2 read the same set and wrote bob. SSI detects the cycle and aborts one of them with SQLSTATE 40001. The retry runs after the first commit and now sees only one doctor on call — the invariant holds.
✓ Traced.
- Tuple header size
- 23 B (plus alignment)
- Transaction id width
- 32 bit; freeze at 2^31
- HOT update WAL savings
- 30–70% on update-heavy workloads
- Default isolation level
- READ COMMITTED
- Serialization failure code
- SQLSTATE 40001
- Bloat target (>50 GB tables)
- <20% dead tuples
- Autovacuum defaults
- 3 workers, 60s naptime, 20% scale
- VACUUM FULL lock
- ACCESS EXCLUSIVE
Quiz
Completed
A HOT (heap-only tuple) update can occur when...
Heads-up HOT applies even on indexed tables — the requirement is that no INDEXED column changes.
Heads-up FOR UPDATE is about locking, not HOT eligibility.
Heads-up Autovacuum has nothing to do with HOT — HOT is decided at the UPDATE moment based on page space and column changes.
Quiz
Completed
At which isolation level does Postgres detect lost-update anomalies and raise SQLSTATE 40001 instead of silently overwriting?
Heads-up Postgres treats Read Uncommitted as Read Committed; neither raises 40001 on lost updates.
Heads-up RC re-reads each statement with a fresh snapshot. Lost updates are application-detectable but not raised by the database.
Heads-up Serializable does detect lost updates, but Repeatable Read already does. SSI extends to write-skew, which RR does NOT catch.
Quiz
Completed
Two concurrent transactions each read the on-call doctor count (2), decide they can safely go off-call, and update different rows. Both commit. The invariant breaks. Which isolation level would have prevented this?
Heads-up RC gives a fresh snapshot per statement but does not track read-write dependencies. Write skew is still possible.
Heads-up RR prevents non-repeatable reads and phantom reads but explicitly allows write skew — this exact scenario is the canonical example.
Heads-up Serializable in Postgres does prevent write skew via SSI.
- 01What two conditions must both be true for a Postgres UPDATE to use HOT, and what happens when either fails?
- 02Why is Postgres's Repeatable Read stricter than the SQL standard's Repeatable Read, but weaker than its Serializable?
- 03What is the correct application response to SQLSTATE 40001 under Repeatable Read or Serializable?
Recap
HOT (heap-only tuple) updates avoid writing new index entries when an UPDATE changes no indexed column and the new tuple fits on the same page — saving 30–70% WAL on update-heavy workloads. The fillfactor storage parameter reserves page headroom to keep HOT chains intact. Isolation levels define correctness: READ COMMITTED (default) re-snapshots per statement and leaves lost updates to the application; REPEATABLE READ (snapshot isolation) raises SQLSTATE 40001 on concurrent row updates but allows write skew; SERIALIZABLE adds SSI to detect write skew cycles, at the cost of predicate-lock overhead and higher retry rates. Applications at any level above RC must implement retry loops that replay the entire transaction on 40001.
Connected lessons
deepens into
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- MVCC and isolation: diagnose bloat and a write-skew anomalysenior
- MVCC and isolation: multiple-choice reviewsenior
- MVCC and isolation: free-recall reviewsenior
appears again in140
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- The three-way handshakejunior
- Sequence numbers and connection statemiddle
- DNS: what it does and why it existsjunior
- The resolver walk: referrals, record types, and gluemiddle
- TTL, caching, and DNS propagationmiddle
- The 1-RTT handshake: key shares and ECDHEmiddle
- Session resumption and 0-RTTmiddle
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket frame format: opcodes, masking, fragmentationmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Health checks, connection draining, and slow startmiddle
- Session affinity, consistent hashing, and the right fixmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- Connection IDs and network migrationmiddle
- 0-RTT resumption and packet encryptionsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- The incident loop: from pager to postmortem to preventionmiddle
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior