Hello Zsolt,

Thank you very much for pointing out the problem and the TAP test to reproduce it. I missed that PostgreSQL can change data in recovery mode when the database is not using checksums and the server is running without 'wal_log_hints'. Rather than trying to make that path safe, I think the conservative fix is to log a message and shut down when an incomplete snapshot is present at the end of recovery with 'recovery_target_action = pause'.

The attached patch does that: when hot standby is not active at the recovery target (e.g., due to an incomplete snapshot), PostgreSQL will log a message and shut down instead of promoting silently. It mirrors how 'pause' is already downgraded to 'shutdown' when hot_standby is off. This lets the user choose a different recovery target or action. The patch also updates the documentation to clarify the behavior and adds a TAP test to verify the change.

Best regards,
Jan

0001-Shut-down-instead-of-promoting-when-recovery-cannot-.patch
