From: Michael Paquier [mailto:michael(at)paquier(dot)xyz]
> By the way, as long as I have my mind on it. Another strategy would be
> to just make the checks in XLogReadRecord() a bit smarter if the whole record
> header is not on the page. If we check at least for
> AllocSizeIsValid(total_len) then this code would not fail on an
> allocation as your user reported. Still this misses the case where a record
> size is lower than 1GB but invalid so you would allocate allocate_recordbuf
> for nothing :(

That was my first thought, and I gave it up. As you say, XLogReadRecord() could allocate up to 1 GB of memory for garbage. That allocation can fail due to memory shortage, which prevents the recovery from proceeding.