public inbox for [email protected]
help / color / mirror / Atom feedRe: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
8+ messages / 3 participants
[nested] [flat]
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
@ 2026-05-31 21:11 Scott Ray <[email protected]>
2026-06-04 05:41 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Scott Ray @ 2026-05-31 21:11 UTC (permalink / raw)
To: JoongHyuk Shin <[email protected]>; +Cc: Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
Thanks for the patch. I've attached v1-0001 (atop v4) addressing the
UX and test-coverage items below. Happy to rework or fold in however
you prefer.
1. There's a configuration trap in master and in this branch that
could be prevented using something very similar to
CheckRecoveryTargetConflicts to check pending GUCs:
psql -c "ALTER SYSTEM SET recovery_target_xid TO '700'"
psql -c "ALTER SYSTEM SET recovery_target_time TO '2026-01-01 00:00:00'"
pg_ctl reload
The log shows:
LOG: received SIGHUP, reloading configuration files
LOG: parameter "recovery_target_xid" cannot be changed without restarting the server
LOG: parameter "recovery_target_time" cannot be changed without restarting the server
LOG: configuration file "postgresql.auto.conf" contains errors; unaffected changes were applied
pg_settings shows:
postgres=# SELECT name, setting, pending_restart FROM pg_settings
WHERE name LIKE 'recovery_target%' AND pending_restart;
name | setting | pending_restart
---------------------+---------+-----------------
recovery_target_time | | t
recovery_target_xid | | t
The db runs fine until the next restart, maybe hours later:
FATAL: multiple recovery targets specified
DETAIL: At most one of "recovery_target", "recovery_target_lsn",
"recovery_target_name", "recovery_target_time",
"recovery_target_xid" can be set.
Is it worth a follow-up to report the conflict early and loud?
2. There's an opportunity to provide a better UX by reporting which
flags were set and what the values were, so that the user doesn't have
to search config files or other logs to find this info. For instance,
in the postgresql.auto.conf scenario above, instead of:
DETAIL: At most one of "recovery_target", "recovery_target_lsn",
"recovery_target_name", "recovery_target_time",
"recovery_target_xid" can be set.
The operator could see:
DETAIL: The following recovery target parameters are set:
"recovery_target_time" = "2026-01-01 00:00:00",
"recovery_target_xid" = "700".
HINT: At most one of "recovery_target", "recovery_target_lsn",
"recovery_target_name", "recovery_target_time",
"recovery_target_xid" can be set.
3. 003_recovery_targets.pl:339 currently tests recovery_target_xid's
cleared-then-set behavior. The patch adds the same coverage for the
other four recovery_target_* GUCs.
--
Scott Ray
Attachments:
[application/octet-stream] v1-0001-Report-set-parameters-on-recovery_target-conflict.patch (6.2K, 2-v1-0001-Report-set-parameters-on-recovery_target-conflict.patch)
download | inline diff:
From c61284c824429778ad8f123e22862931d41a2a6d Mon Sep 17 00:00:00 2001
From: Scott Ray <[email protected]>
Date: Sun, 31 May 2026 13:12:29 -0700
Subject: [PATCH v1] Report set parameters on recovery_target conflict; expand
tests
v4 of "Don't call ereport(ERROR) from recovery target GUC assign
hooks" produces a FATAL with an errdetail that lists all five
recovery_target_* GUCs regardless of which the operator actually
set, and exercises only recovery_target_xid in the cleared-then-set
direction.
This patch makes CheckRecoveryTargetConflicts() report the names
and values of the GUCs that are actually non-empty in errdetail,
moving the "at most one of [list]" enumeration to errhint. The
five hand-written GetConfigOption() calls collapse into a loop over
a static target_names[] array, so adding a sixth recovery_target_*
GUC requires only updating the array; both error messages are
derived from it.
The TAP test gains four cleared-then-set cases covering time, name,
lsn, and the bare recovery_target, mirroring the existing xid case.
A new like() assertion verifies that the errdetail names which GUCs
are set and their values.
Applies atop v4.
Discussion: https://postgr.es/m/CACSdjfPUa4UvKjADgOERXoxNYmCg2mqqiqKkiJk6mX6E4qgVFw@mail.gmail.com
---
src/backend/access/transam/xlogrecovery.c | 61 ++++++++++++---------
src/test/recovery/t/003_recovery_targets.pl | 40 ++++++++++++++
2 files changed, 76 insertions(+), 25 deletions(-)
diff --git a/src/backend/access/transam/xlogrecovery.c b/src/backend/access/transam/xlogrecovery.c
index 1253bed1058..e48e21631b2 100644
--- a/src/backend/access/transam/xlogrecovery.c
+++ b/src/backend/access/transam/xlogrecovery.c
@@ -1167,41 +1167,52 @@ validateRecoveryParameters(void)
* assign hooks must never fail. Moving the check here keeps the assign hooks
* contract-compliant.
*
- * If a future patch adds a sixth recovery_target_* GUC, both this list and
- * the errdetail below must be updated.
+ * If a future patch adds a sixth recovery_target_* GUC, add its name to
+ * target_names below; both error messages are derived from that array.
*/
static void
CheckRecoveryTargetConflicts(void)
{
+ static const char *const target_names[] = {
+ "recovery_target",
+ "recovery_target_lsn",
+ "recovery_target_name",
+ "recovery_target_time",
+ "recovery_target_xid",
+ };
+ StringInfoData set_targets;
+ StringInfoData all_targets;
int ntargets = 0;
- const char *val;
-
- /* missing_ok=false guarantees val is non-NULL. */
- val = GetConfigOption("recovery_target", false, false);
- if (val[0] != '\0')
- ntargets++;
- val = GetConfigOption("recovery_target_lsn", false, false);
- if (val[0] != '\0')
- ntargets++;
- val = GetConfigOption("recovery_target_name", false, false);
- if (val[0] != '\0')
- ntargets++;
- val = GetConfigOption("recovery_target_time", false, false);
- if (val[0] != '\0')
- ntargets++;
- val = GetConfigOption("recovery_target_xid", false, false);
- if (val[0] != '\0')
- ntargets++;
+
+ initStringInfo(&set_targets);
+ initStringInfo(&all_targets);
+
+ for (int i = 0; i < lengthof(target_names); i++)
+ {
+ /* missing_ok=false guarantees val is non-NULL. */
+ const char *val = GetConfigOption(target_names[i], false, false);
+
+ if (i > 0)
+ appendStringInfoString(&all_targets, ", ");
+ appendStringInfo(&all_targets, "\"%s\"", target_names[i]);
+
+ if (val[0] != '\0')
+ {
+ if (ntargets > 0)
+ appendStringInfoString(&set_targets, ", ");
+ appendStringInfo(&set_targets, "\"%s\" = \"%s\"",
+ target_names[i], val);
+ ntargets++;
+ }
+ }
if (ntargets > 1)
ereport(FATAL,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("multiple recovery targets specified"),
- errdetail("At most one of \"recovery_target\", "
- "\"recovery_target_lsn\", "
- "\"recovery_target_name\", "
- "\"recovery_target_time\", "
- "\"recovery_target_xid\" can be set.")));
+ errdetail("The following recovery target parameters are set: %s.",
+ set_targets.data),
+ errhint("At most one of %s can be set.", all_targets.data)));
}
/*
diff --git a/src/test/recovery/t/003_recovery_targets.pl b/src/test/recovery/t/003_recovery_targets.pl
index 5979663b0ab..3e68c01968b 100644
--- a/src/test/recovery/t/003_recovery_targets.pl
+++ b/src/test/recovery/t/003_recovery_targets.pl
@@ -282,6 +282,14 @@ like(
qr/multiple recovery targets specified/,
'expected error message logged without recovery.signal');
+# Ordering in the errdetail follows target_names[] in CheckRecoveryTargetConflicts:
+# recovery_target, recovery_target_lsn, recovery_target_name,
+# recovery_target_time, recovery_target_xid.
+like(
+ $logfile_no_signal,
+ qr/are set: "recovery_target_name" = "[^"]+", "recovery_target_time" = "[^"]+"/,
+ 'errdetail names which recovery_target_* GUCs are set and their values');
+
# Same-GUC last-wins (one source of truth for the GUC's value): assigning a
# recovery_target_* GUC and then assigning the same GUC to an empty string
# leaves no target set and recovery proceeds to the end of WAL. This is the
@@ -358,6 +366,38 @@ is($count_xid_clear_set, "2000",
'recovery_target_xid honored when cleared then set');
$node_xid_clear_set->teardown_node;
+test_recovery_standby_with_options(
+ 'recovery_target_time cleared then set',
+ 'standby_time_clear_set',
+ $node_primary,
+ "-c recovery_target_time= -c recovery_target_time=$recovery_time_t",
+ "3000",
+ $lsn3);
+
+test_recovery_standby_with_options(
+ 'recovery_target_name cleared then set',
+ 'standby_name_clear_set',
+ $node_primary,
+ "-c recovery_target_name= -c recovery_target_name=$recovery_name",
+ "4000",
+ $lsn4);
+
+test_recovery_standby_with_options(
+ 'recovery_target_lsn cleared then set',
+ 'standby_lsn_clear_set',
+ $node_primary,
+ "-c recovery_target_lsn= -c recovery_target_lsn=$recovery_lsn",
+ "5000",
+ $lsn5);
+
+test_recovery_standby_with_options(
+ 'recovery_target cleared then set',
+ 'standby_immediate_clear_set',
+ $node_primary,
+ "-c recovery_target= -c recovery_target=immediate",
+ "1000",
+ $lsn1);
+
# Invalid recovery_target_timeline tests
my ($result, $stdout, $stderr) = $node_primary->psql('postgres',
"ALTER SYSTEM SET recovery_target_timeline TO 'bogus'");
--
2.50.1 (Apple Git-155)
[application/pgp-signature] signature.asc (343B, 3-signature.asc)
download
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
@ 2026-06-04 05:41 ` JoongHyuk Shin <[email protected]>
2026-06-06 20:10 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: JoongHyuk Shin @ 2026-06-04 05:41 UTC (permalink / raw)
To: [email protected]; +Cc: Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
Thanks for the patch.
I went through 'v1-0001-Report-....patch'
and have a few observations to share.
* Function structure: the recovery_target_* set has been
historically stable, so array + loop abstraction adds limited
value; function size grows ~34% (32 -> 43 lines) for one line of
savings on a hypothetical sixth GUC, while the closest precedent
(archive_command / archive_library in pgarch.c) is a hard-coded literal.
* errhint vs errdetail: errhint("At most one of %s can be set.")
reads more like a constraint than an action hint. The closest
precedent, archive_command / archive_library in pgarch.c
(ProcessPgArchInterrupts() / LoadArchiveLibrary()), keeps the
enumeration in errdetail and omits errhint entirely.
* TAP regex: the added like() uses [^"]+ for the values, which
passes regardless of the actual value. Using quotemeta on the
expected values would verify the actual content, and anchoring
would also avoid accidentally matching the same tokens inside
errhint.
On the reload trap:
I reproduced this on master and confirmed it's there exactly as you noted.
ALTER SYSTEM doesn't trigger the assign hook;
it just writes to postgresql.auto.conf,
so the trap window is intrinsic to PGC_POSTMASTER + ALTER SYSTEM.
A separate follow-up patch in the reload path feels natural.
--
JH Shin
On Mon, Jun 1, 2026 at 6:11 AM Scott Ray <[email protected]> wrote:
> Thanks for the patch. I've attached v1-0001 (atop v4) addressing the
> UX and test-coverage items below. Happy to rework or fold in however
> you prefer.
>
> 1. There's a configuration trap in master and in this branch that
> could be prevented using something very similar to
> CheckRecoveryTargetConflicts to check pending GUCs:
>
> psql -c "ALTER SYSTEM SET recovery_target_xid TO '700'"
> psql -c "ALTER SYSTEM SET recovery_target_time TO '2026-01-01
> 00:00:00'"
> pg_ctl reload
>
> The log shows:
>
> LOG: received SIGHUP, reloading configuration files
> LOG: parameter "recovery_target_xid" cannot be changed without
> restarting the server
> LOG: parameter "recovery_target_time" cannot be changed without
> restarting the server
> LOG: configuration file "postgresql.auto.conf" contains errors;
> unaffected changes were applied
>
> pg_settings shows:
>
> postgres=# SELECT name, setting, pending_restart FROM pg_settings
> WHERE name LIKE 'recovery_target%' AND pending_restart;
> name | setting | pending_restart
> ---------------------+---------+-----------------
> recovery_target_time | | t
> recovery_target_xid | | t
>
> The db runs fine until the next restart, maybe hours later:
>
> FATAL: multiple recovery targets specified
> DETAIL: At most one of "recovery_target", "recovery_target_lsn",
> "recovery_target_name", "recovery_target_time",
> "recovery_target_xid" can be set.
>
> Is it worth a follow-up to report the conflict early and loud?
>
> 2. There's an opportunity to provide a better UX by reporting which
> flags were set and what the values were, so that the user doesn't have
> to search config files or other logs to find this info. For instance,
> in the postgresql.auto.conf scenario above, instead of:
>
> DETAIL: At most one of "recovery_target", "recovery_target_lsn",
> "recovery_target_name", "recovery_target_time",
> "recovery_target_xid" can be set.
>
> The operator could see:
>
> DETAIL: The following recovery target parameters are set:
> "recovery_target_time" = "2026-01-01 00:00:00",
> "recovery_target_xid" = "700".
> HINT: At most one of "recovery_target", "recovery_target_lsn",
> "recovery_target_name", "recovery_target_time",
> "recovery_target_xid" can be set.
>
> 3. 003_recovery_targets.pl:339 currently tests recovery_target_xid's
> cleared-then-set behavior. The patch adds the same coverage for the
> other four recovery_target_* GUCs.
>
>
> --
> Scott Ray
>
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-04 05:41 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
@ 2026-06-06 20:10 ` Scott Ray <[email protected]>
2026-06-07 10:30 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Scott Ray @ 2026-06-06 20:10 UTC (permalink / raw)
To: JoongHyuk Shin <[email protected]>; +Cc: Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
> * Function structure: the recovery_target_* set has been
> historically stable, so array + loop abstraction adds limited
> value; function size grows ~34% (32 -> 43 lines) for one line of
> savings on a hypothetical sixth GUC, while the closest precedent
> (archive_command / archive_library in pgarch.c) is a hard-coded literal.
>
> * errhint vs errdetail: errhint("At most one of %s can be set.")
> reads more like a constraint than an action hint. The closest
> precedent, archive_command / archive_library in pgarch.c
> (ProcessPgArchInterrupts() / LoadArchiveLibrary()), keeps the
> enumeration in errdetail and omits errhint entirely.
>
> * TAP regex: the added like() uses [^"]+ for the values, which
> passes regardless of the actual value. Using quotemeta on the
> expected values would verify the actual content, and anchoring
> would also avoid accidentally matching the same tokens inside
> errhint.
Thanks for taking a look. I attached a v2 that applies your suggestions
and uses "set to" instead of "=" to match convention. What do you think?
Sample output:
FATAL: multiple recovery targets specified
DETAIL: At most one of "recovery_target", "recovery_target_lsn",
"recovery_target_name", "recovery_target_time",
"recovery_target_xid" can be set. Currently set:
"recovery_target_time" set to "2026-01-01 00:00:00",
"recovery_target_xid" set to "700".
--
Scott Ray
Attachments:
[application/octet-stream] v2-0001-Report-set-parameters-on-recovery_target-conflict.patch (6.0K, 2-v2-0001-Report-set-parameters-on-recovery_target-conflict.patch)
download | inline diff:
From 9b96e0f327d7ca2f644b259511776ef7286ec72f Mon Sep 17 00:00:00 2001
From: Scott Ray <[email protected]>
Date: Sun, 31 May 2026 13:12:29 -0700
Subject: [PATCH v2] Report set parameters on recovery_target conflict; expand
tests
v4 of "Don't call ereport(ERROR) from recovery target GUC assign
hooks" produces a FATAL with an errdetail that lists all five
recovery_target_* GUCs regardless of which the operator actually
set, and exercises only recovery_target_xid in the cleared-then-set
direction.
This patch appends the names and values of the GUCs that are
actually non-empty as a trailing sentence in the existing errdetail.
The "at most one of [list]" enumeration stays in errdetail and no
errhint is emitted, matching the archive_command / archive_library
precedent in pgarch.c.
The TAP test gains four cleared-then-set cases covering time, name,
lsn, and the bare recovery_target, mirroring the existing xid case.
A new like() assertion verifies that the errdetail names which GUCs
are set and their values, using quotemeta on the expected values.
Applies atop v4.
Discussion: https://postgr.es/m/CACSdjfPUa4UvKjADgOERXoxNYmCg2mqqiqKkiJk6mX6E4qgVFw@mail.gmail.com
---
src/backend/access/transam/xlogrecovery.c | 35 ++++++++++++++++--
src/test/recovery/t/003_recovery_targets.pl | 40 +++++++++++++++++++++
2 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/src/backend/access/transam/xlogrecovery.c b/src/backend/access/transam/xlogrecovery.c
index 1253bed1058..6af36960ddc 100644
--- a/src/backend/access/transam/xlogrecovery.c
+++ b/src/backend/access/transam/xlogrecovery.c
@@ -1167,31 +1167,58 @@ validateRecoveryParameters(void)
* assign hooks must never fail. Moving the check here keeps the assign hooks
* contract-compliant.
*
- * If a future patch adds a sixth recovery_target_* GUC, both this list and
- * the errdetail below must be updated.
+ * If a future patch adds a sixth recovery_target_* GUC, add another
+ * GetConfigOption block below to include it in the "Currently set:"
+ * suffix, and extend the fixed enumeration in the errdetail.
*/
static void
CheckRecoveryTargetConflicts(void)
{
+ StringInfoData set_targets;
int ntargets = 0;
const char *val;
+ initStringInfo(&set_targets);
+
/* missing_ok=false guarantees val is non-NULL. */
val = GetConfigOption("recovery_target", false, false);
if (val[0] != '\0')
+ {
+ appendStringInfo(&set_targets, "\"recovery_target\" set to \"%s\"", val);
ntargets++;
+ }
val = GetConfigOption("recovery_target_lsn", false, false);
if (val[0] != '\0')
+ {
+ if (ntargets > 0)
+ appendStringInfoString(&set_targets, ", ");
+ appendStringInfo(&set_targets, "\"recovery_target_lsn\" set to \"%s\"", val);
ntargets++;
+ }
val = GetConfigOption("recovery_target_name", false, false);
if (val[0] != '\0')
+ {
+ if (ntargets > 0)
+ appendStringInfoString(&set_targets, ", ");
+ appendStringInfo(&set_targets, "\"recovery_target_name\" set to \"%s\"", val);
ntargets++;
+ }
val = GetConfigOption("recovery_target_time", false, false);
if (val[0] != '\0')
+ {
+ if (ntargets > 0)
+ appendStringInfoString(&set_targets, ", ");
+ appendStringInfo(&set_targets, "\"recovery_target_time\" set to \"%s\"", val);
ntargets++;
+ }
val = GetConfigOption("recovery_target_xid", false, false);
if (val[0] != '\0')
+ {
+ if (ntargets > 0)
+ appendStringInfoString(&set_targets, ", ");
+ appendStringInfo(&set_targets, "\"recovery_target_xid\" set to \"%s\"", val);
ntargets++;
+ }
if (ntargets > 1)
ereport(FATAL,
@@ -1201,7 +1228,9 @@ CheckRecoveryTargetConflicts(void)
"\"recovery_target_lsn\", "
"\"recovery_target_name\", "
"\"recovery_target_time\", "
- "\"recovery_target_xid\" can be set.")));
+ "\"recovery_target_xid\" can be set. "
+ "Currently set: %s.",
+ set_targets.data)));
}
/*
diff --git a/src/test/recovery/t/003_recovery_targets.pl b/src/test/recovery/t/003_recovery_targets.pl
index 5979663b0ab..f00a82d4e9e 100644
--- a/src/test/recovery/t/003_recovery_targets.pl
+++ b/src/test/recovery/t/003_recovery_targets.pl
@@ -282,6 +282,14 @@ like(
qr/multiple recovery targets specified/,
'expected error message logged without recovery.signal');
+# Ordering in the errdetail follows the GetConfigOption sequence in
+# CheckRecoveryTargetConflicts: recovery_target, recovery_target_lsn,
+# recovery_target_name, recovery_target_time, recovery_target_xid.
+like(
+ $logfile_no_signal,
+ qr/Currently set: "recovery_target_name" set to "\Q$recovery_name\E", "recovery_target_time" set to "\Q$recovery_time\E"/,
+ 'errdetail names which recovery_target_* GUCs are set and their values');
+
# Same-GUC last-wins (one source of truth for the GUC's value): assigning a
# recovery_target_* GUC and then assigning the same GUC to an empty string
# leaves no target set and recovery proceeds to the end of WAL. This is the
@@ -358,6 +366,38 @@ is($count_xid_clear_set, "2000",
'recovery_target_xid honored when cleared then set');
$node_xid_clear_set->teardown_node;
+test_recovery_standby_with_options(
+ 'recovery_target_time cleared then set',
+ 'standby_time_clear_set',
+ $node_primary,
+ "-c recovery_target_time= -c recovery_target_time=$recovery_time_t",
+ "3000",
+ $lsn3);
+
+test_recovery_standby_with_options(
+ 'recovery_target_name cleared then set',
+ 'standby_name_clear_set',
+ $node_primary,
+ "-c recovery_target_name= -c recovery_target_name=$recovery_name",
+ "4000",
+ $lsn4);
+
+test_recovery_standby_with_options(
+ 'recovery_target_lsn cleared then set',
+ 'standby_lsn_clear_set',
+ $node_primary,
+ "-c recovery_target_lsn= -c recovery_target_lsn=$recovery_lsn",
+ "5000",
+ $lsn5);
+
+test_recovery_standby_with_options(
+ 'recovery_target cleared then set',
+ 'standby_immediate_clear_set',
+ $node_primary,
+ "-c recovery_target= -c recovery_target=immediate",
+ "1000",
+ $lsn1);
+
# Invalid recovery_target_timeline tests
my ($result, $stdout, $stderr) = $node_primary->psql('postgres',
"ALTER SYSTEM SET recovery_target_timeline TO 'bogus'");
--
2.50.1 (Apple Git-155)
[application/pgp-signature] signature.asc (343B, 3-signature.asc)
download
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-04 05:41 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-06 20:10 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
@ 2026-06-07 10:30 ` JoongHyuk Shin <[email protected]>
2026-06-07 15:44 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Álvaro Herrera <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: JoongHyuk Shin @ 2026-06-07 10:30 UTC (permalink / raw)
To: Scott Ray <[email protected]>; +Cc: Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
On "=" vs "set to": I'd stay with "=".
The list is assembled in appendStringInfo and ends up in the dynamic %s,
so prose like "set to" there never goes through gettext
and would print in English even under a translated lc_messages.
"=" is punctuation, so it sidesteps that.
PG already uses this form in the RI detail,
e.g. Key (%s)=(%s) in ri_triggers.c.
That said, I'm not sure the currently-set list belongs in the errdetail at
all,
since an operator can read the values back from the configuration.
I'd be interested in the committer's view on whether it is worth adding.
--
JH Shin
On Sun, Jun 7, 2026 at 5:10 AM Scott Ray <[email protected]> wrote:
> > * Function structure: the recovery_target_* set has been
> > historically stable, so array + loop abstraction adds limited
> > value; function size grows ~34% (32 -> 43 lines) for one line of
> > savings on a hypothetical sixth GUC, while the closest precedent
> > (archive_command / archive_library in pgarch.c) is a hard-coded literal.
> >
>
> > * errhint vs errdetail: errhint("At most one of %s can be set.")
> > reads more like a constraint than an action hint. The closest
> > precedent, archive_command / archive_library in pgarch.c
> > (ProcessPgArchInterrupts() / LoadArchiveLibrary()), keeps the
> > enumeration in errdetail and omits errhint entirely.
> >
>
> > * TAP regex: the added like() uses [^"]+ for the values, which
> > passes regardless of the actual value. Using quotemeta on the
> > expected values would verify the actual content, and anchoring
> > would also avoid accidentally matching the same tokens inside
> > errhint.
>
> Thanks for taking a look. I attached a v2 that applies your suggestions
> and uses "set to" instead of "=" to match convention. What do you think?
>
> Sample output:
>
> FATAL: multiple recovery targets specified
> DETAIL: At most one of "recovery_target", "recovery_target_lsn",
> "recovery_target_name", "recovery_target_time",
> "recovery_target_xid" can be set. Currently set:
> "recovery_target_time" set to "2026-01-01 00:00:00",
> "recovery_target_xid" set to "700".
>
> --
> Scott Ray
>
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-04 05:41 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-06 20:10 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-07 10:30 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
@ 2026-06-07 15:44 ` Álvaro Herrera <[email protected]>
2026-06-21 09:27 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Álvaro Herrera @ 2026-06-07 15:44 UTC (permalink / raw)
To: JoongHyuk Shin <[email protected]>; +Cc: Scott Ray <[email protected]>; Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
On 2026-Jun-07, JoongHyuk Shin wrote:
> On "=" vs "set to": I'd stay with "=".
> The list is assembled in appendStringInfo and ends up in the dynamic %s,
> so prose like "set to" there never goes through gettext
> and would print in English even under a translated lc_messages.
> "=" is punctuation, so it sidesteps that.
Agreed on using =, although ...
> That said, I'm not sure the currently-set list belongs in the errdetail at
> all,
> since an operator can read the values back from the configuration.
> I'd be interested in the committer's view on whether it is worth adding.
It may be enough to list which ones are set, without listing their values.
Those can be obtained easily from pg_settings, which can be mentioned in
errhint -- useful also to figure out exactly _where_ they are set (e.g.,
in an include file, postgresql.auto.conf, and so on.)
--
Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-04 05:41 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-06 20:10 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-07 10:30 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-07 15:44 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Álvaro Herrera <[email protected]>
@ 2026-06-21 09:27 ` JoongHyuk Shin <[email protected]>
2026-06-21 12:31 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Álvaro Herrera <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: JoongHyuk Shin @ 2026-06-21 09:27 UTC (permalink / raw)
To: Álvaro Herrera <[email protected]>; +Cc: Scott Ray <[email protected]>; Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
Thanks for the reviews.
v5 attached.
The errdetail now lists which recovery_target_* parameters are actually set,
instead of the full candidate list.
This follows Scott's idea to surface the set targets;
following Álvaro, the values are dropped
and a new errhint points to pg_settings for them and their sources.
I kept the "which ones are set" list in errdetail rather than errhint,
it states the current configuration, which reads as detail,
while the errhint carries the actionable pg_settings pointer.
--
JH Shin
On Mon, Jun 8, 2026 at 12:44 AM Álvaro Herrera <[email protected]> wrote:
> On 2026-Jun-07, JoongHyuk Shin wrote:
>
> > On "=" vs "set to": I'd stay with "=".
> > The list is assembled in appendStringInfo and ends up in the dynamic %s,
> > so prose like "set to" there never goes through gettext
> > and would print in English even under a translated lc_messages.
> > "=" is punctuation, so it sidesteps that.
>
> Agreed on using =, although ...
>
> > That said, I'm not sure the currently-set list belongs in the errdetail
> at
> > all,
> > since an operator can read the values back from the configuration.
> > I'd be interested in the committer's view on whether it is worth adding.
>
> It may be enough to list which ones are set, without listing their values.
> Those can be obtained easily from pg_settings, which can be mentioned in
> errhint -- useful also to figure out exactly _where_ they are set (e.g.,
> in an include file, postgresql.auto.conf, and so on.)
>
> --
> Álvaro Herrera Breisgau, Deutschland —
> https://www.EnterpriseDB.com/
>
Attachments:
[application/octet-stream] v5-0001-Don-t-call-ereport-ERROR-from-recovery-target-GUC-as.patch (22.5K, 3-v5-0001-Don-t-call-ereport-ERROR-from-recovery-target-GUC-as.patch)
download | inline diff:
From 3638a7ba5037c46e0106989a6679906c03a2fc6b Mon Sep 17 00:00:00 2001
From: JoongHyuk Shin <[email protected]>
Date: Sun, 21 Jun 2026 17:45:25 +0900
Subject: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign
hooks
The five recovery target GUC assign hooks (assign_recovery_target,
assign_recovery_target_lsn, assign_recovery_target_name,
assign_recovery_target_time, assign_recovery_target_xid) all called
error_multiple_recovery_targets(), which invoked ereport(ERROR). The
GUC README explicitly states that assign hooks must never fail; raising
an error from an assign hook leaves guc.c's internal state inconsistent
before the abort. A comment in the code itself acknowledged this as
"broken by design."
Fix this by removing the conflict check from all five assign hooks and
detecting multiple recovery targets in a new CheckRecoveryTargetConflicts()
function, called from validateRecoveryParameters() before its early
return for !ArchiveRecoveryRequested. The check therefore runs at
every startup regardless of recovery mode, preserving the existing
behavior of detecting misconfiguration at server start time rather
than only when recovery.signal is added.
In each assign hook's empty-string branch, replace the unconditional
"recoveryTarget = RECOVERY_TARGET_UNSET" assignment with a narrower
"if (recoveryTarget == MY_TYPE)" form. Empty strings for an unrelated
recovery_target_* GUC then leave another GUC's already-set target
intact, while still preserving the documented "last value wins"
reassignment semantics for the same GUC.
When a conflict is detected, the errdetail now lists which
recovery_target_* parameters are actually set, rather than the full
list of candidate names, and an errhint points to pg_settings for their
values and where each is configured.
---
src/backend/access/transam/xlogrecovery.c | 159 +++++++++----
src/test/recovery/t/003_recovery_targets.pl | 251 +++++++++++++++++++-
2 files changed, 361 insertions(+), 49 deletions(-)
diff --git a/src/backend/access/transam/xlogrecovery.c b/src/backend/access/transam/xlogrecovery.c
index 4d61795b483..dc8b46a6c81 100644
--- a/src/backend/access/transam/xlogrecovery.c
+++ b/src/backend/access/transam/xlogrecovery.c
@@ -61,6 +61,7 @@
#include "storage/subsystems.h"
#include "utils/datetime.h"
#include "utils/fmgrprotos.h"
+#include "utils/guc.h"
#include "utils/guc_hooks.h"
#include "utils/pgstat_internal.h"
#include "utils/pg_lsn.h"
@@ -341,6 +342,7 @@ static void ApplyWalRecord(XLogReaderState *xlogreader, XLogRecord *record, Time
static void EnableStandbyMode(void);
static void readRecoverySignalFile(void);
static void validateRecoveryParameters(void);
+static void CheckRecoveryTargetConflicts(void);
static bool read_backup_label(XLogRecPtr *checkPointLoc,
TimeLineID *backupLabelTLI,
bool *backupEndRequired, bool *backupFromStandby);
@@ -1067,6 +1069,8 @@ readRecoverySignalFile(void)
static void
validateRecoveryParameters(void)
{
+ CheckRecoveryTargetConflicts();
+
if (!ArchiveRecoveryRequested)
return;
@@ -1144,6 +1148,94 @@ validateRecoveryParameters(void)
}
}
+/*
+ * CheckRecoveryTargetConflicts
+ *
+ * Validate that at most one of the recovery_target_* GUCs is set to a
+ * non-empty value. This is called from validateRecoveryParameters() at every
+ * server startup, regardless of whether archive recovery is requested, so
+ * misconfiguration is detected at server start time rather than later when
+ * recovery.signal is added.
+ *
+ * The check is a separate function rather than inlined into
+ * validateRecoveryParameters() because it intentionally runs even when no
+ * recovery is requested, while the rest of validateRecoveryParameters() is
+ * recovery-mode-only. Keeping it as a named function makes that separation
+ * explicit.
+ *
+ * The check used to live in the assign hooks of the recovery_target_* GUCs
+ * (calling ereport(ERROR) on conflict), which violated guc.c's contract that
+ * assign hooks must never fail. Moving the check here keeps the assign hooks
+ * contract-compliant.
+ *
+ * If a future patch adds a sixth recovery_target_* GUC, it must be added to the
+ * list of GetConfigOption() checks below; the errdetail builds its list of set
+ * parameters dynamically, so it needs no change.
+ */
+static void
+CheckRecoveryTargetConflicts(void)
+{
+ int ntargets = 0;
+ const char *val;
+ StringInfoData buf;
+
+ initStringInfo(&buf);
+
+ /*
+ * These GUCs are all PGC_STRING, so GetConfigOption() returns "" (not
+ * NULL) when a parameter is unset. Collect the name of each one that is
+ * set into buf, separated by ", ", for use in the errdetail below.
+ */
+ val = GetConfigOption("recovery_target", false, false);
+ if (val[0] != '\0')
+ {
+ ntargets++;
+ if (buf.len > 0)
+ appendStringInfoString(&buf, ", ");
+ appendStringInfoString(&buf, "\"recovery_target\"");
+ }
+ val = GetConfigOption("recovery_target_lsn", false, false);
+ if (val[0] != '\0')
+ {
+ ntargets++;
+ if (buf.len > 0)
+ appendStringInfoString(&buf, ", ");
+ appendStringInfoString(&buf, "\"recovery_target_lsn\"");
+ }
+ val = GetConfigOption("recovery_target_name", false, false);
+ if (val[0] != '\0')
+ {
+ ntargets++;
+ if (buf.len > 0)
+ appendStringInfoString(&buf, ", ");
+ appendStringInfoString(&buf, "\"recovery_target_name\"");
+ }
+ val = GetConfigOption("recovery_target_time", false, false);
+ if (val[0] != '\0')
+ {
+ ntargets++;
+ if (buf.len > 0)
+ appendStringInfoString(&buf, ", ");
+ appendStringInfoString(&buf, "\"recovery_target_time\"");
+ }
+ val = GetConfigOption("recovery_target_xid", false, false);
+ if (val[0] != '\0')
+ {
+ ntargets++;
+ if (buf.len > 0)
+ appendStringInfoString(&buf, ", ");
+ appendStringInfoString(&buf, "\"recovery_target_xid\"");
+ }
+
+ if (ntargets > 1)
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("multiple recovery targets specified"),
+ errdetail("Recovery targets %s are set, but only one can be set.",
+ buf.data),
+ errhint("See pg_settings for the parameter values and where each is set.")));
+}
+
/*
* read_backup_label: check to see if a backup_label file is present
*
@@ -4769,32 +4861,27 @@ check_primary_slot_name(char **newval, void **extra, GucSource source)
}
/*
- * Recovery target settings: Only one of the several recovery_target* settings
- * may be set. Setting a second one results in an error. The global variable
+ * Recovery target settings: At most one of the several recovery_target*
+ * settings may be set to a non-empty value. The global variable
* recoveryTarget tracks which kind of recovery target was chosen. Other
* variables store the actual target value (for example a string or a xid).
- * The assign functions of the parameters check whether a competing parameter
- * was already set. But we want to allow setting the same parameter multiple
- * times. We also want to allow unsetting a parameter and setting a different
- * one, so we unset recoveryTarget when the parameter is set to an empty
- * string.
+ * An empty string for any of these GUCs is treated as "not set", equivalent
+ * to the GUC's default; an empty value cannot clobber another GUC's
+ * already-set target. Conflicts between multiple non-empty settings are
+ * detected in CheckRecoveryTargetConflicts(), called from
+ * validateRecoveryParameters() at every startup.
*
- * XXX this code is broken by design. Throwing an error from a GUC assign
- * hook breaks fundamental assumptions of guc.c. So long as all the variables
- * for which this can happen are PGC_POSTMASTER, the consequences are limited,
- * since we'd just abort postmaster startup anyway. Nonetheless it's likely
- * that we have odd behaviors such as unexpected GUC ordering dependencies.
+ * Each assign hook clears recoveryTarget only when its own GUC is reassigned
+ * to an empty string after the same GUC was previously assigned a non-empty
+ * value, e.g.
+ * postgres -c recovery_target_xid=700 -c recovery_target_xid=
+ * (postgresql.conf collapses duplicate keys so only the last value reaches
+ * the assign hook; this same-parameter set-then-clear case only arises from
+ * -c). The clear is restricted to the hook's own target type so that an
+ * empty value for one recovery_target_* GUC cannot clobber another GUC's
+ * already-set target.
*/
-pg_noreturn static void
-error_multiple_recovery_targets(void)
-{
- ereport(ERROR,
- (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("multiple recovery targets specified"),
- errdetail("At most one of \"recovery_target\", \"recovery_target_lsn\", \"recovery_target_name\", \"recovery_target_time\", \"recovery_target_xid\" may be set.")));
-}
-
/*
* GUC check_hook for recovery_target
*/
@@ -4815,13 +4902,9 @@ check_recovery_target(char **newval, void **extra, GucSource source)
void
assign_recovery_target(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_IMMEDIATE)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
- else
+ else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -4856,16 +4939,12 @@ check_recovery_target_lsn(char **newval, void **extra, GucSource source)
void
assign_recovery_target_lsn(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_LSN)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
{
recoveryTarget = RECOVERY_TARGET_LSN;
recoveryTargetLSN = *((XLogRecPtr *) extra);
}
- else
+ else if (recoveryTarget == RECOVERY_TARGET_LSN)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -4891,16 +4970,12 @@ check_recovery_target_name(char **newval, void **extra, GucSource source)
void
assign_recovery_target_name(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_NAME)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
{
recoveryTarget = RECOVERY_TARGET_NAME;
recoveryTargetName = newval;
}
- else
+ else if (recoveryTarget == RECOVERY_TARGET_NAME)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -4971,13 +5046,9 @@ check_recovery_target_time(char **newval, void **extra, GucSource source)
void
assign_recovery_target_time(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_TIME)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
recoveryTarget = RECOVERY_TARGET_TIME;
- else
+ else if (recoveryTarget == RECOVERY_TARGET_TIME)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -5099,15 +5170,11 @@ check_recovery_target_xid(char **newval, void **extra, GucSource source)
void
assign_recovery_target_xid(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_XID)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
{
recoveryTarget = RECOVERY_TARGET_XID;
recoveryTargetXid = *((TransactionId *) extra);
}
- else
+ else if (recoveryTarget == RECOVERY_TARGET_XID)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
diff --git a/src/test/recovery/t/003_recovery_targets.pl b/src/test/recovery/t/003_recovery_targets.pl
index 047eb13293a..6e8a2c557c9 100644
--- a/src/test/recovery/t/003_recovery_targets.pl
+++ b/src/test/recovery/t/003_recovery_targets.pl
@@ -51,6 +51,49 @@ sub test_recovery_standby
return;
}
+# Start a standby with the given pg_ctl --options string and verify that
+# the standby reaches the given LSN and row count. Used to exercise
+# scenarios that require the postmaster command line to receive multiple
+# "-c name=value" instances of the same GUC, which postgresql.conf cannot
+# express because ProcessConfigFile collapses duplicate keys.
+sub test_recovery_standby_with_options
+{
+ local $Test::Builder::Level = $Test::Builder::Level + 1;
+
+ my $test_name = shift;
+ my $node_name = shift;
+ my $node_primary = shift;
+ my $options = shift;
+ my $num_rows = shift;
+ my $until_lsn = shift;
+
+ my $node_standby = PostgreSQL::Test::Cluster->new($node_name);
+ $node_standby->init_from_backup($node_primary, 'my_backup',
+ has_restoring => 1);
+
+ my $res = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_standby->data_dir,
+ '--log' => $node_standby->logfile,
+ '--options' => $options,
+ 'start',
+ ]);
+ ok($res, "server starts for $test_name");
+
+ $node_standby->poll_query_until('postgres',
+ "SELECT '$until_lsn'::pg_lsn <= pg_last_wal_replay_lsn()")
+ or die "Timed out while waiting for standby to catch up";
+
+ my $count = $node_standby->safe_psql('postgres',
+ "SELECT count(*) FROM tab_int");
+ is($count, qq($num_rows), "check standby content for $test_name");
+
+ $node_standby->teardown_node;
+
+ return;
+}
+
# Initialize primary node
my $node_primary = PostgreSQL::Test::Cluster->new('primary');
$node_primary->init(has_archiving => 1, allows_streaming => 1);
@@ -108,6 +151,13 @@ $node_primary->safe_psql('postgres',
# Force archiving of WAL file
$node_primary->safe_psql('postgres', "SELECT pg_switch_wal()");
+# LSN after the final 6000-row insert and WAL switch. Used by the
+# set-then-cleared scenarios below where recovery has no target and must
+# replay all archived WAL; polling on $lsn5 would race against the 5001-6000
+# rows.
+my $lsn6 =
+ $node_primary->safe_psql('postgres', "SELECT pg_current_wal_lsn()");
+
# Test recovery targets
my @recovery_params = ("recovery_target = 'immediate'");
test_recovery_standby('immediate target',
@@ -125,11 +175,24 @@ test_recovery_standby('name', 'standby_4', $node_primary, \@recovery_params,
test_recovery_standby('LSN', 'standby_5', $node_primary, \@recovery_params,
"5000", $lsn5);
+# Regression: empty-string for one recovery_target_* GUC must not clobber
+# another non-empty target. Setting recovery_target_xid + recovery_target_time
+# = '' must recover to the xid, not run as no-target recovery.
+@recovery_params = (
+ "recovery_target_xid = '$recovery_txid'",
+ "recovery_target_time = ''");
+test_recovery_standby('xid with empty time GUC',
+ 'standby_xid_empty_time', $node_primary, \@recovery_params,
+ "2000", $lsn2);
+
# Multiple targets
#
-# Multiple conflicting settings are not allowed, but setting the same
-# parameter multiple times or unsetting a parameter and setting a
-# different one is allowed.
+# Multiple conflicting non-empty settings are not allowed. Setting the same
+# parameter multiple times is allowed (the last value wins, per ProcessConfigFile
+# duplicate handling). An empty string for a recovery_target_* GUC is treated
+# as the GUC's default and is a no-op; it does not clear any other already-set
+# target. Conflict detection runs in CheckRecoveryTargetConflicts() at every
+# server start, regardless of whether recovery is requested.
@recovery_params = (
"recovery_target_name = '$recovery_name'",
@@ -159,6 +222,21 @@ like(
$logfile,
qr/multiple recovery targets specified/,
'multiple conflicting settings');
+# errdetail lists exactly the parameters that are set, in GUC-check order
+# (recovery_target_name is checked before recovery_target_time).
+like(
+ $logfile,
+ qr/Recovery targets "recovery_target_name", "recovery_target_time" are set/,
+ 'errdetail lists the set parameters in order');
+# The parameter values must not be echoed (only the names are listed).
+unlike(
+ $logfile,
+ qr/are set[^\n]*=/,
+ 'errdetail does not echo parameter values');
+like(
+ $logfile,
+ qr/HINT:.*pg_settings/,
+ 'errhint points to pg_settings');
# Check behavior when recovery ends before target is reached
@@ -190,6 +268,173 @@ like(
qr/FATAL: .* recovery ended before configured recovery target was reached/,
'recovery end before target reached is a fatal error');
+# Conflicting recovery targets are rejected at every startup, regardless of
+# whether recovery.signal is present. Use a throwaway cluster initialized
+# from the existing backup so we can leave conflicting GUCs in its
+# postgresql.conf without polluting the primary used by later tests.
+# init_from_backup is called without has_restoring, so no recovery.signal
+# is created and the cluster would normally start as a plain primary; the
+# conflicting recovery_target_* GUCs must be rejected anyway.
+my $node_no_signal = PostgreSQL::Test::Cluster->new('multi_target_no_signal');
+$node_no_signal->init_from_backup($node_primary, 'my_backup');
+$node_no_signal->append_conf(
+ 'postgresql.conf', "recovery_target_name = '$recovery_name'
+recovery_target_time = '$recovery_time'");
+
+my $res_no_signal = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_no_signal->data_dir,
+ '--log' => $node_no_signal->logfile,
+ 'start',
+ ]);
+ok(!$res_no_signal,
+ 'server fails to start with conflicting recovery targets and no recovery.signal');
+
+my $logfile_no_signal = slurp_file($node_no_signal->logfile());
+like(
+ $logfile_no_signal,
+ qr/multiple recovery targets specified/,
+ 'expected error message logged without recovery.signal');
+like(
+ $logfile_no_signal,
+ qr/Recovery targets "recovery_target_name", "recovery_target_time" are set/,
+ 'errdetail lists the set parameters in order without recovery.signal');
+unlike(
+ $logfile_no_signal,
+ qr/are set[^\n]*=/,
+ 'errdetail does not echo parameter values without recovery.signal');
+like(
+ $logfile_no_signal,
+ qr/HINT:.*pg_settings/,
+ 'errhint points to pg_settings without recovery.signal');
+
+# Conflict involving the bare recovery_target (no suffix): it is checked first,
+# so its name appears at the head of the list. The list entries are quoted, so
+# the regex anchors on the closing quote to ensure "recovery_target" does not
+# match a prefix of "recovery_target_xid".
+my $node_bare = PostgreSQL::Test::Cluster->new('multi_target_bare');
+$node_bare->init_from_backup($node_primary, 'my_backup');
+$node_bare->append_conf('postgresql.conf',
+ "recovery_target = 'immediate'\nrecovery_target_xid = '$recovery_txid'");
+
+my $res_bare = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_bare->data_dir,
+ '--log' => $node_bare->logfile,
+ 'start',
+ ]);
+ok(!$res_bare,
+ 'server fails to start with bare recovery_target conflict');
+
+my $logfile_bare = slurp_file($node_bare->logfile());
+like(
+ $logfile_bare,
+ qr/Recovery targets "recovery_target", "recovery_target_xid" are set/,
+ 'errdetail lists the bare recovery_target first, without prefix mismatch');
+
+# Three conflicting targets: exercises the ", " separator between more than two
+# entries (no trailing separator after the last entry).
+my $node_three = PostgreSQL::Test::Cluster->new('multi_target_three');
+$node_three->init_from_backup($node_primary, 'my_backup');
+$node_three->append_conf('postgresql.conf',
+ "recovery_target_name = '$recovery_name'\n"
+ . "recovery_target_time = '$recovery_time'\n"
+ . "recovery_target_xid = '$recovery_txid'");
+
+my $res_three = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_three->data_dir,
+ '--log' => $node_three->logfile,
+ 'start',
+ ]);
+ok(!$res_three,
+ 'server fails to start with three conflicting recovery targets');
+
+my $logfile_three = slurp_file($node_three->logfile());
+like(
+ $logfile_three,
+ qr/Recovery targets "recovery_target_name", "recovery_target_time", "recovery_target_xid" are set/,
+ 'errdetail lists three set parameters with correct separators');
+
+# Same-GUC last-wins (one source of truth for the GUC's value): assigning a
+# recovery_target_* GUC and then assigning the same GUC to an empty string
+# leaves no target set and recovery proceeds to the end of WAL. This is the
+# "set then unset" form of GUC reassignment; the assign hook clears its own
+# type when the new value is empty. postgresql.conf cannot express duplicate
+# keys (ProcessConfigFile collapses them), so the postmaster command line is
+# used via "pg_ctl --options". Each of the five recovery_target_* assign
+# hooks is exercised once.
+#
+# Note: GUC values below are passed unquoted on the command line. Windows
+# cmd.exe does not strip single quotes the way POSIX shells do, so quoted
+# values would reach the postmaster verbatim and be rejected. recovery_time
+# from now() contains a space; we replace it with the ISO 8601 T separator
+# so the value is a single shell token without quoting.
+my $recovery_time_t = $recovery_time;
+$recovery_time_t =~ s/ /T/;
+
+test_recovery_standby_with_options(
+ 'recovery_target_xid set then cleared',
+ 'standby_xid_set_clear', $node_primary,
+ "-c recovery_target_xid=$recovery_txid -c recovery_target_xid=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target_time set then cleared',
+ 'standby_time_set_clear', $node_primary,
+ "-c recovery_target_time=$recovery_time_t -c recovery_target_time=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target_name set then cleared',
+ 'standby_name_set_clear', $node_primary,
+ "-c recovery_target_name=$recovery_name -c recovery_target_name=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target_lsn set then cleared',
+ 'standby_lsn_set_clear', $node_primary,
+ "-c recovery_target_lsn=$recovery_lsn -c recovery_target_lsn=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target set then cleared',
+ 'standby_immediate_set_clear', $node_primary,
+ "-c recovery_target=immediate -c recovery_target=",
+ "6000", $lsn6);
+
+# Same-GUC empty-then-set sanity: assigning an empty string and then a
+# non-empty value to the same GUC must end with the target set. The empty
+# value seen first must not poison a later non-empty assignment.
+my $node_xid_clear_set =
+ PostgreSQL::Test::Cluster->new('standby_xid_clear_set');
+$node_xid_clear_set->init_from_backup($node_primary, 'my_backup',
+ has_restoring => 1);
+
+my $res_xid_clear_set = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_xid_clear_set->data_dir,
+ '--log' => $node_xid_clear_set->logfile,
+ '--options' =>
+ "-c recovery_target_xid= -c recovery_target_xid=$recovery_txid",
+ 'start',
+ ]);
+ok($res_xid_clear_set,
+ 'server starts with recovery_target_xid cleared then set');
+
+$node_xid_clear_set->poll_query_until('postgres',
+ "SELECT '$lsn2'::pg_lsn <= pg_last_wal_replay_lsn()")
+ or die "Timed out while waiting for standby to catch up";
+my $count_xid_clear_set = $node_xid_clear_set->safe_psql('postgres',
+ "SELECT count(*) FROM tab_int");
+is($count_xid_clear_set, "2000",
+ 'recovery_target_xid honored when cleared then set');
+$node_xid_clear_set->teardown_node;
+
# Invalid recovery_target_timeline tests
my ($result, $stdout, $stderr) = $node_primary->psql('postgres',
"ALTER SYSTEM SET recovery_target_timeline TO 'bogus'");
--
2.52.0
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-04 05:41 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-06 20:10 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-07 10:30 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-07 15:44 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Álvaro Herrera <[email protected]>
2026-06-21 09:27 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
@ 2026-06-21 12:31 ` Álvaro Herrera <[email protected]>
2026-06-22 04:37 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
0 siblings, 1 reply; 8+ messages in thread
From: Álvaro Herrera @ 2026-06-21 12:31 UTC (permalink / raw)
To: JoongHyuk Shin <[email protected]>; +Cc: Scott Ray <[email protected]>; Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
Hello,
On 2026-Jun-21, JoongHyuk Shin wrote:
> The errdetail now lists which recovery_target_* parameters are actually set,
> instead of the full candidate list.
> This follows Scott's idea to surface the set targets;
> following Álvaro, the values are dropped
> and a new errhint points to pg_settings for them and their sources.
>
> I kept the "which ones are set" list in errdetail rather than errhint,
> it states the current configuration, which reads as detail,
> while the errhint carries the actionable pg_settings pointer.
Please see https://postgr.es/c/3692a622d3fd for more on translatable
message construction. You should end up with a translatable string in
a _() call like
_(", \"%s\"")
and the GUC names in a separate string in each case.
Maybe you can make this a local macro to avoid repetitive coding,
#define considerAndComplainAboutGUC(gucname, buf) \
do { \
val = GetConfigOption(gucname, false, false); \
if (val[0] != '\0') \
{ \
ntargets++; \
if (buf.len == 0) \
appendStringInfoString(&buf, _("\"%s\""), gucname); \
else \
appendStringInfoString(&buf, _(", \"%s\""), gucname); \
} \
} while (0)
considerAndComplainAboutGUC("recovery_target", buf);
considerAndComplainAboutGUC("recovery_target_lsn", buf);
and so on. (Of course, you should choose a less stupid macro name, but
you get my meaning.)
--
Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
"... In accounting terms this makes perfect sense. To rational humans, it
is insane. Welcome to IBM." (Robert X. Cringely)
https://www.cringely.com/2015/06/03/autodesks-john-walker-explained-hp-and-ibm-in-1991/
^ permalink raw reply [nested|flat] 8+ messages in thread
* Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-04 05:41 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-06 20:10 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-07 10:30 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-07 15:44 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Álvaro Herrera <[email protected]>
2026-06-21 09:27 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks JoongHyuk Shin <[email protected]>
2026-06-21 12:31 ` Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Álvaro Herrera <[email protected]>
@ 2026-06-22 04:37 ` JoongHyuk Shin <[email protected]>
0 siblings, 0 replies; 8+ messages in thread
From: JoongHyuk Shin @ 2026-06-22 04:37 UTC (permalink / raw)
To: Álvaro Herrera <[email protected]>; +Cc: Scott Ray <[email protected]>; Fujii Masao <[email protected]>; Michael Paquier <[email protected]>; [email protected]
Thanks for the review.
v6 attached.
The set-parameter list in the errdetail now wraps the separator and quotes
in _()
so the punctuation is translatable, following 3692a622d3fd.
The five GetConfigOption() checks are now a local macro, as suggested.
--
JH Shin
On Sun, Jun 21, 2026 at 9:32 PM Álvaro Herrera <[email protected]> wrote:
> Hello,
>
> On 2026-Jun-21, JoongHyuk Shin wrote:
>
> > The errdetail now lists which recovery_target_* parameters are actually
> set,
> > instead of the full candidate list.
> > This follows Scott's idea to surface the set targets;
> > following Álvaro, the values are dropped
> > and a new errhint points to pg_settings for them and their sources.
> >
> > I kept the "which ones are set" list in errdetail rather than errhint,
> > it states the current configuration, which reads as detail,
> > while the errhint carries the actionable pg_settings pointer.
>
> Please see https://postgr.es/c/3692a622d3fd for more on translatable
> message construction. You should end up with a translatable string in
> a _() call like
> _(", \"%s\"")
> and the GUC names in a separate string in each case.
>
> Maybe you can make this a local macro to avoid repetitive coding,
>
> #define considerAndComplainAboutGUC(gucname, buf) \
> do { \
> val = GetConfigOption(gucname, false, false); \
> if (val[0] != '\0') \
> { \
> ntargets++; \
> if (buf.len == 0) \
> appendStringInfoString(&buf, _("\"%s\""), gucname); \
> else \
> appendStringInfoString(&buf, _(", \"%s\""), gucname); \
> } \
> } while (0)
>
> considerAndComplainAboutGUC("recovery_target", buf);
> considerAndComplainAboutGUC("recovery_target_lsn", buf);
> and so on. (Of course, you should choose a less stupid macro name, but
> you get my meaning.)
>
> --
> Álvaro Herrera PostgreSQL Developer —
> https://www.EnterpriseDB.com/
> "... In accounting terms this makes perfect sense. To rational humans, it
> is insane. Welcome to IBM." (Robert X. Cringely)
>
> https://www.cringely.com/2015/06/03/autodesks-john-walker-explained-hp-and-ibm-in-1991/
>
Attachments:
[application/octet-stream] v6-0001-Don-t-call-ereport-ERROR-from-recovery-target-GUC.patch (22.0K, 3-v6-0001-Don-t-call-ereport-ERROR-from-recovery-target-GUC.patch)
download | inline diff:
From 7f05600fb76699a09daa671ddf4d5c85d1c944d9 Mon Sep 17 00:00:00 2001
From: JoongHyuk Shin <[email protected]>
Date: Sun, 21 Jun 2026 17:45:25 +0900
Subject: [PATCH v6] Don't call ereport(ERROR) from recovery target GUC assign
hooks
The five recovery target GUC assign hooks (assign_recovery_target,
assign_recovery_target_lsn, assign_recovery_target_name,
assign_recovery_target_time, assign_recovery_target_xid) all called
error_multiple_recovery_targets(), which invoked ereport(ERROR). The
GUC README explicitly states that assign hooks must never fail; raising
an error from an assign hook leaves guc.c's internal state inconsistent
before the abort. A comment in the code itself acknowledged this as
"broken by design."
Fix this by removing the conflict check from all five assign hooks and
detecting multiple recovery targets in a new CheckRecoveryTargetConflicts()
function, called from validateRecoveryParameters() before its early
return for !ArchiveRecoveryRequested. The check therefore runs at
every startup regardless of recovery mode, preserving the existing
behavior of detecting misconfiguration at server start time rather
than only when recovery.signal is added.
In each assign hook's empty-string branch, replace the unconditional
"recoveryTarget = RECOVERY_TARGET_UNSET" assignment with a narrower
"if (recoveryTarget == MY_TYPE)" form. Empty strings for an unrelated
recovery_target_* GUC then leave another GUC's already-set target
intact, while still preserving the documented "last value wins"
reassignment semantics for the same GUC.
When a conflict is detected, the errdetail now lists which
recovery_target_* parameters are actually set, rather than the full
list of candidate names, and an errhint points to pg_settings for their
values and where each is configured.
---
src/backend/access/transam/xlogrecovery.c | 140 +++++++----
src/test/recovery/t/003_recovery_targets.pl | 251 +++++++++++++++++++-
2 files changed, 342 insertions(+), 49 deletions(-)
diff --git a/src/backend/access/transam/xlogrecovery.c b/src/backend/access/transam/xlogrecovery.c
index 4d61795b483..32d209b3957 100644
--- a/src/backend/access/transam/xlogrecovery.c
+++ b/src/backend/access/transam/xlogrecovery.c
@@ -61,6 +61,7 @@
#include "storage/subsystems.h"
#include "utils/datetime.h"
#include "utils/fmgrprotos.h"
+#include "utils/guc.h"
#include "utils/guc_hooks.h"
#include "utils/pgstat_internal.h"
#include "utils/pg_lsn.h"
@@ -341,6 +342,7 @@ static void ApplyWalRecord(XLogReaderState *xlogreader, XLogRecord *record, Time
static void EnableStandbyMode(void);
static void readRecoverySignalFile(void);
static void validateRecoveryParameters(void);
+static void CheckRecoveryTargetConflicts(void);
static bool read_backup_label(XLogRecPtr *checkPointLoc,
TimeLineID *backupLabelTLI,
bool *backupEndRequired, bool *backupFromStandby);
@@ -1067,6 +1069,8 @@ readRecoverySignalFile(void)
static void
validateRecoveryParameters(void)
{
+ CheckRecoveryTargetConflicts();
+
if (!ArchiveRecoveryRequested)
return;
@@ -1144,6 +1148,75 @@ validateRecoveryParameters(void)
}
}
+/*
+ * CheckRecoveryTargetConflicts
+ *
+ * Validate that at most one of the recovery_target_* GUCs is set to a
+ * non-empty value. This is called from validateRecoveryParameters() at every
+ * server startup, regardless of whether archive recovery is requested, so
+ * misconfiguration is detected at server start time rather than later when
+ * recovery.signal is added.
+ *
+ * The check is a separate function rather than inlined into
+ * validateRecoveryParameters() because it intentionally runs even when no
+ * recovery is requested, while the rest of validateRecoveryParameters() is
+ * recovery-mode-only. Keeping it as a named function makes that separation
+ * explicit.
+ *
+ * The check used to live in the assign hooks of the recovery_target_* GUCs
+ * (calling ereport(ERROR) on conflict), which violated guc.c's contract that
+ * assign hooks must never fail. Moving the check here keeps the assign hooks
+ * contract-compliant.
+ *
+ * If a future patch adds a sixth recovery_target_* GUC, it must be added to the
+ * list of ADD_TARGET_IF_SET() calls below; the errdetail builds its list of set
+ * parameters dynamically, so it needs no change.
+ */
+static void
+CheckRecoveryTargetConflicts(void)
+{
+ int ntargets = 0;
+ const char *val;
+ StringInfoData buf;
+
+ initStringInfo(&buf);
+
+ /*
+ * These GUCs are all PGC_STRING, so GetConfigOption() returns "" (not
+ * NULL) when a parameter is unset. Collect the name of each one that is
+ * set into buf for use in the errdetail below. The separator and the
+ * quotes are wrapped in _() so translators can adapt the list punctuation
+ * to their locale.
+ */
+#define ADD_TARGET_IF_SET(gucname) \
+ do { \
+ val = GetConfigOption(gucname, false, false); \
+ if (val[0] != '\0') \
+ { \
+ ntargets++; \
+ if (buf.len == 0) \
+ appendStringInfo(&buf, _("\"%s\""), gucname); \
+ else \
+ appendStringInfo(&buf, _(", \"%s\""), gucname); \
+ } \
+ } while (0)
+
+ ADD_TARGET_IF_SET("recovery_target");
+ ADD_TARGET_IF_SET("recovery_target_lsn");
+ ADD_TARGET_IF_SET("recovery_target_name");
+ ADD_TARGET_IF_SET("recovery_target_time");
+ ADD_TARGET_IF_SET("recovery_target_xid");
+#undef ADD_TARGET_IF_SET
+
+ if (ntargets > 1)
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("multiple recovery targets specified"),
+ errdetail("Recovery targets %s are set, but only one can be set.",
+ buf.data),
+ errhint("See pg_settings for the parameter values and where each is set.")));
+}
+
/*
* read_backup_label: check to see if a backup_label file is present
*
@@ -4769,32 +4842,27 @@ check_primary_slot_name(char **newval, void **extra, GucSource source)
}
/*
- * Recovery target settings: Only one of the several recovery_target* settings
- * may be set. Setting a second one results in an error. The global variable
+ * Recovery target settings: At most one of the several recovery_target*
+ * settings may be set to a non-empty value. The global variable
* recoveryTarget tracks which kind of recovery target was chosen. Other
* variables store the actual target value (for example a string or a xid).
- * The assign functions of the parameters check whether a competing parameter
- * was already set. But we want to allow setting the same parameter multiple
- * times. We also want to allow unsetting a parameter and setting a different
- * one, so we unset recoveryTarget when the parameter is set to an empty
- * string.
+ * An empty string for any of these GUCs is treated as "not set", equivalent
+ * to the GUC's default; an empty value cannot clobber another GUC's
+ * already-set target. Conflicts between multiple non-empty settings are
+ * detected in CheckRecoveryTargetConflicts(), called from
+ * validateRecoveryParameters() at every startup.
*
- * XXX this code is broken by design. Throwing an error from a GUC assign
- * hook breaks fundamental assumptions of guc.c. So long as all the variables
- * for which this can happen are PGC_POSTMASTER, the consequences are limited,
- * since we'd just abort postmaster startup anyway. Nonetheless it's likely
- * that we have odd behaviors such as unexpected GUC ordering dependencies.
+ * Each assign hook clears recoveryTarget only when its own GUC is reassigned
+ * to an empty string after the same GUC was previously assigned a non-empty
+ * value, e.g.
+ * postgres -c recovery_target_xid=700 -c recovery_target_xid=
+ * (postgresql.conf collapses duplicate keys so only the last value reaches
+ * the assign hook; this same-parameter set-then-clear case only arises from
+ * -c). The clear is restricted to the hook's own target type so that an
+ * empty value for one recovery_target_* GUC cannot clobber another GUC's
+ * already-set target.
*/
-pg_noreturn static void
-error_multiple_recovery_targets(void)
-{
- ereport(ERROR,
- (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("multiple recovery targets specified"),
- errdetail("At most one of \"recovery_target\", \"recovery_target_lsn\", \"recovery_target_name\", \"recovery_target_time\", \"recovery_target_xid\" may be set.")));
-}
-
/*
* GUC check_hook for recovery_target
*/
@@ -4815,13 +4883,9 @@ check_recovery_target(char **newval, void **extra, GucSource source)
void
assign_recovery_target(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_IMMEDIATE)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
- else
+ else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -4856,16 +4920,12 @@ check_recovery_target_lsn(char **newval, void **extra, GucSource source)
void
assign_recovery_target_lsn(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_LSN)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
{
recoveryTarget = RECOVERY_TARGET_LSN;
recoveryTargetLSN = *((XLogRecPtr *) extra);
}
- else
+ else if (recoveryTarget == RECOVERY_TARGET_LSN)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -4891,16 +4951,12 @@ check_recovery_target_name(char **newval, void **extra, GucSource source)
void
assign_recovery_target_name(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_NAME)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
{
recoveryTarget = RECOVERY_TARGET_NAME;
recoveryTargetName = newval;
}
- else
+ else if (recoveryTarget == RECOVERY_TARGET_NAME)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -4971,13 +5027,9 @@ check_recovery_target_time(char **newval, void **extra, GucSource source)
void
assign_recovery_target_time(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_TIME)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
recoveryTarget = RECOVERY_TARGET_TIME;
- else
+ else if (recoveryTarget == RECOVERY_TARGET_TIME)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
@@ -5099,15 +5151,11 @@ check_recovery_target_xid(char **newval, void **extra, GucSource source)
void
assign_recovery_target_xid(const char *newval, void *extra)
{
- if (recoveryTarget != RECOVERY_TARGET_UNSET &&
- recoveryTarget != RECOVERY_TARGET_XID)
- error_multiple_recovery_targets();
-
if (newval && strcmp(newval, "") != 0)
{
recoveryTarget = RECOVERY_TARGET_XID;
recoveryTargetXid = *((TransactionId *) extra);
}
- else
+ else if (recoveryTarget == RECOVERY_TARGET_XID)
recoveryTarget = RECOVERY_TARGET_UNSET;
}
diff --git a/src/test/recovery/t/003_recovery_targets.pl b/src/test/recovery/t/003_recovery_targets.pl
index 047eb13293a..6e8a2c557c9 100644
--- a/src/test/recovery/t/003_recovery_targets.pl
+++ b/src/test/recovery/t/003_recovery_targets.pl
@@ -51,6 +51,49 @@ sub test_recovery_standby
return;
}
+# Start a standby with the given pg_ctl --options string and verify that
+# the standby reaches the given LSN and row count. Used to exercise
+# scenarios that require the postmaster command line to receive multiple
+# "-c name=value" instances of the same GUC, which postgresql.conf cannot
+# express because ProcessConfigFile collapses duplicate keys.
+sub test_recovery_standby_with_options
+{
+ local $Test::Builder::Level = $Test::Builder::Level + 1;
+
+ my $test_name = shift;
+ my $node_name = shift;
+ my $node_primary = shift;
+ my $options = shift;
+ my $num_rows = shift;
+ my $until_lsn = shift;
+
+ my $node_standby = PostgreSQL::Test::Cluster->new($node_name);
+ $node_standby->init_from_backup($node_primary, 'my_backup',
+ has_restoring => 1);
+
+ my $res = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_standby->data_dir,
+ '--log' => $node_standby->logfile,
+ '--options' => $options,
+ 'start',
+ ]);
+ ok($res, "server starts for $test_name");
+
+ $node_standby->poll_query_until('postgres',
+ "SELECT '$until_lsn'::pg_lsn <= pg_last_wal_replay_lsn()")
+ or die "Timed out while waiting for standby to catch up";
+
+ my $count = $node_standby->safe_psql('postgres',
+ "SELECT count(*) FROM tab_int");
+ is($count, qq($num_rows), "check standby content for $test_name");
+
+ $node_standby->teardown_node;
+
+ return;
+}
+
# Initialize primary node
my $node_primary = PostgreSQL::Test::Cluster->new('primary');
$node_primary->init(has_archiving => 1, allows_streaming => 1);
@@ -108,6 +151,13 @@ $node_primary->safe_psql('postgres',
# Force archiving of WAL file
$node_primary->safe_psql('postgres', "SELECT pg_switch_wal()");
+# LSN after the final 6000-row insert and WAL switch. Used by the
+# set-then-cleared scenarios below where recovery has no target and must
+# replay all archived WAL; polling on $lsn5 would race against the 5001-6000
+# rows.
+my $lsn6 =
+ $node_primary->safe_psql('postgres', "SELECT pg_current_wal_lsn()");
+
# Test recovery targets
my @recovery_params = ("recovery_target = 'immediate'");
test_recovery_standby('immediate target',
@@ -125,11 +175,24 @@ test_recovery_standby('name', 'standby_4', $node_primary, \@recovery_params,
test_recovery_standby('LSN', 'standby_5', $node_primary, \@recovery_params,
"5000", $lsn5);
+# Regression: empty-string for one recovery_target_* GUC must not clobber
+# another non-empty target. Setting recovery_target_xid + recovery_target_time
+# = '' must recover to the xid, not run as no-target recovery.
+@recovery_params = (
+ "recovery_target_xid = '$recovery_txid'",
+ "recovery_target_time = ''");
+test_recovery_standby('xid with empty time GUC',
+ 'standby_xid_empty_time', $node_primary, \@recovery_params,
+ "2000", $lsn2);
+
# Multiple targets
#
-# Multiple conflicting settings are not allowed, but setting the same
-# parameter multiple times or unsetting a parameter and setting a
-# different one is allowed.
+# Multiple conflicting non-empty settings are not allowed. Setting the same
+# parameter multiple times is allowed (the last value wins, per ProcessConfigFile
+# duplicate handling). An empty string for a recovery_target_* GUC is treated
+# as the GUC's default and is a no-op; it does not clear any other already-set
+# target. Conflict detection runs in CheckRecoveryTargetConflicts() at every
+# server start, regardless of whether recovery is requested.
@recovery_params = (
"recovery_target_name = '$recovery_name'",
@@ -159,6 +222,21 @@ like(
$logfile,
qr/multiple recovery targets specified/,
'multiple conflicting settings');
+# errdetail lists exactly the parameters that are set, in GUC-check order
+# (recovery_target_name is checked before recovery_target_time).
+like(
+ $logfile,
+ qr/Recovery targets "recovery_target_name", "recovery_target_time" are set/,
+ 'errdetail lists the set parameters in order');
+# The parameter values must not be echoed (only the names are listed).
+unlike(
+ $logfile,
+ qr/are set[^\n]*=/,
+ 'errdetail does not echo parameter values');
+like(
+ $logfile,
+ qr/HINT:.*pg_settings/,
+ 'errhint points to pg_settings');
# Check behavior when recovery ends before target is reached
@@ -190,6 +268,173 @@ like(
qr/FATAL: .* recovery ended before configured recovery target was reached/,
'recovery end before target reached is a fatal error');
+# Conflicting recovery targets are rejected at every startup, regardless of
+# whether recovery.signal is present. Use a throwaway cluster initialized
+# from the existing backup so we can leave conflicting GUCs in its
+# postgresql.conf without polluting the primary used by later tests.
+# init_from_backup is called without has_restoring, so no recovery.signal
+# is created and the cluster would normally start as a plain primary; the
+# conflicting recovery_target_* GUCs must be rejected anyway.
+my $node_no_signal = PostgreSQL::Test::Cluster->new('multi_target_no_signal');
+$node_no_signal->init_from_backup($node_primary, 'my_backup');
+$node_no_signal->append_conf(
+ 'postgresql.conf', "recovery_target_name = '$recovery_name'
+recovery_target_time = '$recovery_time'");
+
+my $res_no_signal = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_no_signal->data_dir,
+ '--log' => $node_no_signal->logfile,
+ 'start',
+ ]);
+ok(!$res_no_signal,
+ 'server fails to start with conflicting recovery targets and no recovery.signal');
+
+my $logfile_no_signal = slurp_file($node_no_signal->logfile());
+like(
+ $logfile_no_signal,
+ qr/multiple recovery targets specified/,
+ 'expected error message logged without recovery.signal');
+like(
+ $logfile_no_signal,
+ qr/Recovery targets "recovery_target_name", "recovery_target_time" are set/,
+ 'errdetail lists the set parameters in order without recovery.signal');
+unlike(
+ $logfile_no_signal,
+ qr/are set[^\n]*=/,
+ 'errdetail does not echo parameter values without recovery.signal');
+like(
+ $logfile_no_signal,
+ qr/HINT:.*pg_settings/,
+ 'errhint points to pg_settings without recovery.signal');
+
+# Conflict involving the bare recovery_target (no suffix): it is checked first,
+# so its name appears at the head of the list. The list entries are quoted, so
+# the regex anchors on the closing quote to ensure "recovery_target" does not
+# match a prefix of "recovery_target_xid".
+my $node_bare = PostgreSQL::Test::Cluster->new('multi_target_bare');
+$node_bare->init_from_backup($node_primary, 'my_backup');
+$node_bare->append_conf('postgresql.conf',
+ "recovery_target = 'immediate'\nrecovery_target_xid = '$recovery_txid'");
+
+my $res_bare = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_bare->data_dir,
+ '--log' => $node_bare->logfile,
+ 'start',
+ ]);
+ok(!$res_bare,
+ 'server fails to start with bare recovery_target conflict');
+
+my $logfile_bare = slurp_file($node_bare->logfile());
+like(
+ $logfile_bare,
+ qr/Recovery targets "recovery_target", "recovery_target_xid" are set/,
+ 'errdetail lists the bare recovery_target first, without prefix mismatch');
+
+# Three conflicting targets: exercises the ", " separator between more than two
+# entries (no trailing separator after the last entry).
+my $node_three = PostgreSQL::Test::Cluster->new('multi_target_three');
+$node_three->init_from_backup($node_primary, 'my_backup');
+$node_three->append_conf('postgresql.conf',
+ "recovery_target_name = '$recovery_name'\n"
+ . "recovery_target_time = '$recovery_time'\n"
+ . "recovery_target_xid = '$recovery_txid'");
+
+my $res_three = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_three->data_dir,
+ '--log' => $node_three->logfile,
+ 'start',
+ ]);
+ok(!$res_three,
+ 'server fails to start with three conflicting recovery targets');
+
+my $logfile_three = slurp_file($node_three->logfile());
+like(
+ $logfile_three,
+ qr/Recovery targets "recovery_target_name", "recovery_target_time", "recovery_target_xid" are set/,
+ 'errdetail lists three set parameters with correct separators');
+
+# Same-GUC last-wins (one source of truth for the GUC's value): assigning a
+# recovery_target_* GUC and then assigning the same GUC to an empty string
+# leaves no target set and recovery proceeds to the end of WAL. This is the
+# "set then unset" form of GUC reassignment; the assign hook clears its own
+# type when the new value is empty. postgresql.conf cannot express duplicate
+# keys (ProcessConfigFile collapses them), so the postmaster command line is
+# used via "pg_ctl --options". Each of the five recovery_target_* assign
+# hooks is exercised once.
+#
+# Note: GUC values below are passed unquoted on the command line. Windows
+# cmd.exe does not strip single quotes the way POSIX shells do, so quoted
+# values would reach the postmaster verbatim and be rejected. recovery_time
+# from now() contains a space; we replace it with the ISO 8601 T separator
+# so the value is a single shell token without quoting.
+my $recovery_time_t = $recovery_time;
+$recovery_time_t =~ s/ /T/;
+
+test_recovery_standby_with_options(
+ 'recovery_target_xid set then cleared',
+ 'standby_xid_set_clear', $node_primary,
+ "-c recovery_target_xid=$recovery_txid -c recovery_target_xid=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target_time set then cleared',
+ 'standby_time_set_clear', $node_primary,
+ "-c recovery_target_time=$recovery_time_t -c recovery_target_time=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target_name set then cleared',
+ 'standby_name_set_clear', $node_primary,
+ "-c recovery_target_name=$recovery_name -c recovery_target_name=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target_lsn set then cleared',
+ 'standby_lsn_set_clear', $node_primary,
+ "-c recovery_target_lsn=$recovery_lsn -c recovery_target_lsn=",
+ "6000", $lsn6);
+
+test_recovery_standby_with_options(
+ 'recovery_target set then cleared',
+ 'standby_immediate_set_clear', $node_primary,
+ "-c recovery_target=immediate -c recovery_target=",
+ "6000", $lsn6);
+
+# Same-GUC empty-then-set sanity: assigning an empty string and then a
+# non-empty value to the same GUC must end with the target set. The empty
+# value seen first must not poison a later non-empty assignment.
+my $node_xid_clear_set =
+ PostgreSQL::Test::Cluster->new('standby_xid_clear_set');
+$node_xid_clear_set->init_from_backup($node_primary, 'my_backup',
+ has_restoring => 1);
+
+my $res_xid_clear_set = run_log(
+ [
+ 'pg_ctl',
+ '--pgdata' => $node_xid_clear_set->data_dir,
+ '--log' => $node_xid_clear_set->logfile,
+ '--options' =>
+ "-c recovery_target_xid= -c recovery_target_xid=$recovery_txid",
+ 'start',
+ ]);
+ok($res_xid_clear_set,
+ 'server starts with recovery_target_xid cleared then set');
+
+$node_xid_clear_set->poll_query_until('postgres',
+ "SELECT '$lsn2'::pg_lsn <= pg_last_wal_replay_lsn()")
+ or die "Timed out while waiting for standby to catch up";
+my $count_xid_clear_set = $node_xid_clear_set->safe_psql('postgres',
+ "SELECT count(*) FROM tab_int");
+is($count_xid_clear_set, "2000",
+ 'recovery_target_xid honored when cleared then set');
+$node_xid_clear_set->teardown_node;
+
# Invalid recovery_target_timeline tests
my ($result, $stdout, $stderr) = $node_primary->psql('postgres',
"ALTER SYSTEM SET recovery_target_timeline TO 'bogus'");
--
2.52.0
^ permalink raw reply [nested|flat] 8+ messages in thread
end of thread, other threads:[~2026-06-22 04:37 UTC | newest]
Thread overview: 8+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-05-31 21:11 Re: [PATCH] Don't call ereport(ERROR) from recovery target GUC assign hooks Scott Ray <[email protected]>
2026-06-04 05:41 ` JoongHyuk Shin <[email protected]>
2026-06-06 20:10 ` Scott Ray <[email protected]>
2026-06-07 10:30 ` JoongHyuk Shin <[email protected]>
2026-06-07 15:44 ` Álvaro Herrera <[email protected]>
2026-06-21 09:27 ` JoongHyuk Shin <[email protected]>
2026-06-21 12:31 ` Álvaro Herrera <[email protected]>
2026-06-22 04:37 ` JoongHyuk Shin <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox