On 3/5/26 12:03, Fujii Masao wrote:
On Thu, Mar 5, 2026 at 1:21 PM David Steele <[email protected]> wrote:
The prior standby is not running because of the invalid config. I
figured it was better to start clean but when I update the
recovery_target_timeline tests I was planning to use the same standby
for all the new tests.
Alternatively, we can use $node_primary, since ALTER SYSTEM SET with
invalid recovery_target_timeline or recovery_target_xid does not
affect the primary.
Well, as it turns out I was using the primary after all because I copied
your example and forgot to update the host. Seems weird to set these
GUCs on the primary but as long as we get the expected errors I don't
suppose it matters.
Regards,
-David
From 77fdf7b365d9887ea52522248ba2d5d575825f4b Mon Sep 17 00:00:00 2001
From: David Steele <[email protected]>
Date: Thu, 5 Mar 2026 08:14:36 +0000
Subject: Improve checks for GUC recovery_target_xid
Currently check_recovery_target_xid() converts invalid values to 0. So,
for example, the following configuration added to postgresql.conf
followed by a startup:
recovery_target_xid = 'bogus'
recovery_target_xid = '1.1'
recovery_target_xid = '0'
... does not generate an error but recovery does not complete. There are
many values that can prevent recovery from completing but we should at
least catch obvious misconfiguration by the user.
The origin of the problem is that we do not perform a range check in the
GUC value passed-in for recovery_target_xid. This commit improves the
situation by using adding end checking to strtou64() and by providing
stricter range checks. Some test cases are added for the cases of an
incorrect or a lower-bound timeline value, checking the sanity of the
reports based on the contents of the server logs.
Add a comment that truncation of the input value is expected since users
will generally be using the output from pg_current_xact_id() (or
similar) to set recovery_target_xid (just as our tests do).
Also update the documentation for recovery_target_xid to clarify usage.
---
doc/src/sgml/config.sgml | 15 ++++++++++
src/backend/access/transam/xlogrecovery.c | 31 +++++++++++++++++++--
src/test/recovery/t/003_recovery_targets.pl | 22 +++++++++++++++
3 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index f670e2d4c31..949b86e4e70 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -4334,6 +4334,21 @@ restore_command = 'copy "C:\\server\\archivedir\\%f"
"%p"' # Windows
The precise stopping point is also influenced by
<xref linkend="guc-recovery-target-inclusive"/>.
</para>
+
+ <para>
+ The value can be specified as either a 32-bit transaction ID or a
64-bit
+ transaction ID (consisting of an epoch and a 32-bit ID), such as the
+ value returned by <function>pg_current_xact_id()</function>. When a
+ 64-bit transaction ID is provided, only its 32-bit transaction ID
+ portion is used as the recovery target. For example, the values
+ 4294968296 (epoch 1) and 8589935592 (epoch 2) both refer to the same
+ 32-bit transaction ID, 1000.
+ </para>
+
+ <para>
+ The effective transaction ID (the 32-bit portion) must be greater than
+ or equal to 3.
+ </para>
</listitem>
</varlistentry>
diff --git a/src/backend/access/transam/xlogrecovery.c
b/src/backend/access/transam/xlogrecovery.c
index ecd66fd86a4..fd0345a65f8 100644
--- a/src/backend/access/transam/xlogrecovery.c
+++ b/src/backend/access/transam/xlogrecovery.c
@@ -5108,11 +5108,38 @@ check_recovery_target_xid(char **newval, void **extra,
GucSource source)
{
TransactionId xid;
TransactionId *myextra;
+ char *endp;
+ char *val;
errno = 0;
- xid = (TransactionId) strtou64(*newval, NULL, 0);
- if (errno == EINVAL || errno == ERANGE)
+
+ /*
+ * Consume leading whitespace to determine if number is negative
+ */
+ val = *newval;
+
+ while (isspace((unsigned char)*val))
+ val++;
+
+ /*
+ * This cast will remove the epoch, if any
+ */
+ xid = (TransactionId) strtou64(val, &endp, 0);
+
+ if (*endp != '\0' || errno == EINVAL || errno == ERANGE || *val
== '-')
+ {
+ GUC_check_errdetail("\"%s\" is not a valid number.",
+
"recovery_target_xid");
return false;
+ }
+
+ if (xid < FirstNormalTransactionId)
+ {
+ GUC_check_errdetail("\"%s\" without epoch must be
greater than or equal to %u.",
+
"recovery_target_xid",
+
FirstNormalTransactionId);
+ return false;
+ }
myextra = (TransactionId *) guc_malloc(LOG,
sizeof(TransactionId));
if (!myextra)
diff --git a/src/test/recovery/t/003_recovery_targets.pl
b/src/test/recovery/t/003_recovery_targets.pl
index e0df1a23423..4e36e3a3fb5 100644
--- a/src/test/recovery/t/003_recovery_targets.pl
+++ b/src/test/recovery/t/003_recovery_targets.pl
@@ -240,4 +240,26 @@ ok(!$res, 'invalid timeline target (upper bound check)');
$log_start =
$node_standby->wait_for_log("must be between 1 and 4294967295", $log_start);
+# Invalid recovery_target_xid tests
+my ($result, $stdout, $stderr) = $node_primary->psql('postgres',
+ "ALTER SYSTEM SET recovery_target_xid TO 'bogus'");
+like(
+ $stderr,
+ qr/is not a valid number/,
+ "invalid recovery_target_xid (bogus value)");
+
+($result, $stdout, $stderr) = $node_primary->psql('postgres',
+ "ALTER SYSTEM SET recovery_target_xid TO '-1'");
+like(
+ $stderr,
+ qr/is not a valid number/,
+ "invalid recovery_target_xid (negative)");
+
+($result, $stdout, $stderr) = $node_primary->psql('postgres',
+ "ALTER SYSTEM SET recovery_target_xid TO '0'");
+like(
+ $stderr,
+ qr/without epoch must be greater than or equal to 3/,
+ "invalid recovery_target_xid (lower bound check)");
+
done_testing();
--
2.34.1
