[Flaky Test] ExactlyOnceKafka: fix mode (a), characterize mode (b)

[xiangfu0]

Summary

ExactlyOnceKafkaRealtimeClusterIntegrationTest.setUp has been the dominant integration-test flake on master (16 of 30 most-recent failed Pinot Tests runs). After ~10 CI iterations on this branch, two distinct root causes emerged:

Mode	Symptom	Status
(a) Kafka markers don't propagate	commitTransaction() returns but partition LSO never advances; read_committed=0	Fixed — caused by log.flush.interval.messages=1, removed
(b) Pinot consumer wedges at ~17 763 offsets in	Pinot COUNT(*) stuck at 0 forever, Kafka has all data	Characterized but not fixed — see investigation below

Mode (a): root cause and fix

The test was the only one to override getKafkaExtraProperties to set log.flush.interval.messages=1 (added by #18061). Each setUp pushes ~115 545 records × 2 transactions ≈ 231 k records, so this forced ~231 k fsync syscalls on the partition log. On CI's shared disk that creates a multi-minute fsync backlog; the transactional COMMIT marker writes (WriteTxnMarkers) ride the same per-partition I/O queue and are stuck behind it.

Kafka's transactional protocol already provides durability via acks=all + transaction.state.log.replication.factor=3 + transaction.state.log.min.isr=1 — the forced fsync was redundant.

Fix: remove the override.

Mode (b): characterization

Diagnostic logging added in this PR caught the wedge in the act. With Kafka fully populated (verified by an independent read_committed standalone consumer in the test), Pinot's per-partition consumer:

1. Advances rapidly from offset 0 to ~17 730 / ~17 763 within the first 8 seconds (~50 polls).
2. Locks at exactly that offset for the remaining 20 minutes (1 200 + consecutive empty polls).
3. The consumer's position() query confirms its internal position never moves past 17 763.

The number 17 763 is suspicious: MAX_PARTITION_FETCH_BYTES_CONFIG = 10 MB divided by ~590 bytes/record ≈ 17 772 records per fetch. The wedge happens at exactly the consumer-side fetch-size boundary, suggesting a broker-side fetch-session bug under read_committed after a single max-size fetch full of aborted records.

Recovery attempts that didn't work:

• seek(currentPosition) — seek() only updates consumer-side state, not broker fetch-session state.
• assign(emptyList()) + reassign + seek — should terminate the broker session, but the consumer still locked at the same offset.
• Reordering setUp to push and verify Kafka before creating the table — same wedge anyway.

The wedge appears to be a Kafka broker bug at the max.partition.fetch.bytes boundary under read_committed with aborted records. Fixing it likely requires either (i) a Pinot-level periodic full consumer recreation (heavy), (ii) a Kafka client-version bump or config change, or (iii) an upstream Kafka broker fix. Beyond this PR's scope.

What this PR ships

1. Remove log.flush.interval.messages=1 — fixes mode (a) completely. Independent of mode (b), this is a clear improvement (the property was never necessary).
2. Strict post-push verification — waitForCommittedRecordsVisible (≥ 1) → waitForAllCommittedRecordsVisible (== expected, with overshoot detection so an aborted-batch leak fails fast). The previous "any record" check would have hidden a partial-commit bug.
3. Reorder setUp: push and verify Kafka before creating the realtime table. Doesn't fix mode (b) but eliminates a real race in setup ordering and is sensible regardless.
4. KafkaPartitionLevelConsumer empty-poll fix: read consumer position when poll returns empty and update _lastFetchedOffset accordingly; track _lastSeekedStartOffset separately so the seek-check at the top of fetchMessages doesn't re-seek and wipe the consumer's internal advance through aborted records. This is a real production fix for read_committed consumers — without it, an empty-first-poll legitimately keeps _lastFetchedOffset = -1 and the existing < 0 clause re-seeks on every call. Mirrored to both pinot-kafka-3.0 and pinot-kafka-4.0.
5. Diagnostic override of waitForAllDocsLoaded that on success is silent, but on timeout dumps current Pinot count, kafka committed/uncommitted counts, and a stack-trace snapshot of every Pinot/Kafka consumer thread. This is what enabled the mode (b) characterization.

What this PR does NOT do

• Does not claim to fix mode (b). The wedge will likely still recur in CI for this test. The PR characterizes it sharply (offset matches MAX_PARTITION_FETCH_BYTES, consumer-side recovery doesn't work) so a follow-up has a strong starting point.
• Does not add retries that mask exactly-once regressions — the fresh-topic-per-attempt loop from earlier on this branch was removed in response to review feedback.

Test plan

• ./mvnw test-compile (JDK 21) — clean
• ./mvnw spotless:apply checkstyle:check license:check — clean
• KafkaPartitionLevelConsumerTest unit tests pass with consumer fix
• CI for this PR — mode (b) flake will likely still hit; the test diagnostic in surefire output will surface where in the wedge it stalls

Related (prior flake-fix attempts)

• [Flaky Test] Fix ExactlyOnceKafkaRealtimeClusterIntegrationTest countRecords early termination #18238 / [Flaky Test] Fix ExactlyOnceKafkaRealtimeClusterIntegrationTest setUp #18061 / Fix flaky ExactlyOnce and PartialUpsertRebalance integration tests #17834 / Fix EmbeddedKafkaCluster startup/teardown ordering in integration tests #17855 / Give more wait time and retry for kafka setup for ExactlyOnceKafkaRealtimeClusterIntegrationTest and separate it from the test suite run #17752

🤖 Generated with Claude Code

[codecov-commenter]

Codecov Report

❌ Patch coverage is 27.77778% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.39%. Comparing base (4499bf5) to head (3cce4ee).
⚠️ Report is 6 commits behind head on master.

Files with missing lines	Patch %	Lines
...in/stream/kafka30/KafkaPartitionLevelConsumer.java	27.77%	19 Missing and 7 partials ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #18337      +/-   ##
============================================
+ Coverage     63.38%   63.39%   +0.01%     
- Complexity     1668     1673       +5     
============================================
  Files          3252     3253       +1     
  Lines        198661   198799     +138     
  Branches      30770    30798      +28     
============================================
+ Hits         125925   126033     +108     
- Misses        62666    62690      +24     
- Partials      10070    10076       +6     

Flag	Coverage Δ
custom-integration1	?
integration	0.00% <ø> (-100.00%)	⬇️
integration1	?
integration2	0.00% <ø> (ø)
java-21	63.39% <27.77%> (+0.01%)	⬆️
temurin	63.39% <27.77%> (+0.01%)	⬆️
unittests	63.39% <27.77%> (+0.01%)	⬆️
unittests1	55.35% <ø> (+<0.01%)	⬆️
unittests2	34.94% <27.77%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[xiangfu0]

Found 1 high-signal issue; see inline comment.

[xiangfu0]

Retrying the full setup on a fresh topic changes this from an exactly-once regression test into a best-of-three liveness check. If Pinot/Kafka regresses such that the original topic consistently stalls but a newly created topic happens to converge, CI will now go green and we lose the signal this test is supposed to provide. Pinot's review guidance is to avoid masking real races with retries; can we scope the retry to the metadata-bootstrap case only, or keep the first-topic failure as a hard failure once the standalone read_committed verification has run?

[Jackie-Jiang]

I do have concern on the caveat mentioned above:

This is a CI-stability workaround. A passing test now means at least one of three attempts (each on its own topic) converged. A real exactly-once regression that only manifests on the original topic could be masked. Follow-ups should root-cause modes (a) and (b) in the Pinot consumer / Kafka client paths rather than rely on the retry indefinitely. The class-level comment makes the trade-off explicit.

The goal is not to make the test pass, but to fix the actual issue. Why does Kafka marker or Pinot consumer stall? Is it due to resource issue?
Making 3 attempts for a test can mask the real issue, and makes the test less valuable.

[xiangfu0]

You're both right — masking with retries is the wrong direction. After re-reading the test history I think I have the actual root cause:

Root cause: log.flush.interval.messages=1 forces an fsync per record

The test sets:

@Override
protected Properties getKafkaExtraProperties() {
  Properties props = new Properties();
  props.setProperty(\"log.flush.interval.messages\", \"1\");
  return props;
}

This was added in #18061 ("to ensure transactional data is flushed to disk immediately"), but Kafka's transactional protocol already provides durability via acks=all + transaction.state.log.replication.factor=3 + transaction.state.log.min.isr=1, which the embedded cluster sets up. Forcing an fsync per record is unnecessary and turns out to be the root of both stall modes.

Why this produces the two failure modes

Per attempt the test pushes ~115 545 records × 2 transactions ≈ 231 k records. With log.flush.interval.messages=1, each record triggers an fsync on the partition log. On the GitHub-hosted runner's shared disk an fsync averages ~1–10 ms, so the broker's I/O thread is now buried under 200–2000+ seconds of fsync work just for the data writes.

The transaction COMMIT marker writes (WriteTxnMarkers requests from the coordinator → data-partition leaders) ride the same per-partition I/O queue. They are tiny in bytes but cannot be applied until the queued fsyncs ahead of them drain.

• Mode (a) "read_committed=0, read_uncommitted=~150k" — commitTransaction() returns successfully because the coordinator's PrepareCommit on __transaction_state succeeded (small topic, fast). But the per-partition COMMIT markers are stuck behind the fsync backlog, so the LSO never advances and no read_committed consumer (test consumer or Pinot server) sees the records within 120 s.
• Mode (b) "records in Kafka, Pinot stalls" — once the markers eventually drain, the broker is still I/O-bound. Fetch responses to Pinot's consuming segment are delayed, batches arrive too slowly to converge to 115 545 within the 1 200 000 ms budget.

The log.flush.interval.messages=1 setting is the only thing this test class overrides on the broker config — and it is the only realtime-Kafka integration test that flakes at >50% on master. The correlation is exact.

Proposed fix

1. Remove log.flush.interval.messages=1. Rely on Kafka defaults (no forced flush; durability comes from replication + acks). This eliminates the I/O backlog that produces both stall modes.
2. Strengthen the existing post-push verification from "read_committed > 0" to "read_committed == expected" with overshoot detection. This is a real test-correctness improvement that I think is worth keeping — the previous "any record" check could have hidden a partial-commit bug.
3. Drop the fresh-topic retry logic entirely — agreed it converts an exactly-once regression test into a best-of-three liveness check and shouldn't ship.

I'll force-push a rewritten version of this PR with only #1 + #2. Will report local validation results too.

[xiangfu0]

Update: actual root cause for mode (b) found.

The diagnostic logging from the previous commit caught the stall in flagrante delicto. The thread dump on timeout shows both consumer threads parked here:

```
thread 'mytable__0__0__20260426T2300Z' state=TIMED_WAITING
at java.base/java.lang.Thread.sleep0(Native Method)
at com.google.common.util.concurrent.Uninterruptibles.sleepUninterruptibly(Uninterruptibles.java:405)
at RealtimeSegmentDataManager.processStreamEvents(RealtimeSegmentDataManager.java:755)
at RealtimeSegmentDataManager.consumeLoop(RealtimeSegmentDataManager.java:526)
at RealtimeSegmentDataManager$PartitionConsumer.run(RealtimeSegmentDataManager.java:834)
```

Line 755 is the "empty batch received -> sleep idlePipeSleepTimeMillis" branch. Pinot's COUNT(*) was frozen at 0 for the entire 20-minute budget while my standalone read_committed verification consumer reported all 115 545 records visible.

The bug is in `KafkaPartitionLevelConsumer.fetchMessages()` (both pinot-kafka-3.0 and pinot-kafka-4.0):

```java
if (_lastFetchedOffset < 0 || _lastFetchedOffset != startOffset - 1) {
_consumer.seek(_topicPartition, startOffset); // (A)
}
ConsumerRecords<Bytes, Bytes> consumerRecords = _consumer.poll(Duration.ofMillis(timeoutMs));
List<ConsumerRecord<Bytes, Bytes>> records = consumerRecords.records(_topicPartition);
...
long offsetOfNextBatch = startOffset;
if (!records.isEmpty()) {
...
_lastFetchedOffset = records.get(records.size() - 1).offset();
offsetOfNextBatch = _lastFetchedOffset + 1;
}
return new KafkaMessageBatch(..., offsetOfNextBatch, ...);
```

Sequence:

1. `_lastFetchedOffset = -1` initially.
2. First call: seek to 0 (A), poll. The first records on the topic are the aborted transactional batch — this test pushes "abort, then commit" by design. With `isolation.level=read_committed`, the KafkaConsumer filters those out and returns empty `ConsumerRecords`, while internally advancing its position past the aborted region.
3. `records.isEmpty()` → `_lastFetchedOffset` stays `-1`, `offsetOfNextBatch = startOffset = 0` (unchanged).
4. RealtimeSegmentDataManager.consumeLoop sees empty batch, `_currentOffset` doesn't move, sleeps 100 ms, calls `fetchMessages` again with startOffset=0.
5. `_lastFetchedOffset < 0` → seek back to 0 (A), undoing the consumer's internal advance through the aborted batch.
6. Wedged forever.

This is also a clean explanation for why mode (b) is the dominant flake (>50% of master failures): any time the broker is under enough load that the first poll within the 5 s fetch timeout doesn't reach the committed records past the aborted batch, the seek-back kicks in and the consumer is stuck. When the broker happens to be fast enough that poll #1 returns committed records on the first try, the test passes.

Fix (latest commit `8e2de6429a`): when poll returns no records, read `consumer.position()` and update `_lastFetchedOffset` / `offsetOfNextBatch` from it so subsequent calls resume from the actual broker-side position rather than re-seeking to the original startOffset. Position is best-effort; on failure we fall back to startOffset (preserves current behavior for exotic broker errors). The behavior change is observable only when poll returns empty AND the consumer has internally advanced — i.e. `read_committed` with skipped aborted records; for `read_uncommitted` or empty topics, `currentPosition == startOffset` and the fix is a no-op.

Same one-spot fix applied to both `pinot-kafka-3.0` and `pinot-kafka-4.0` (identical code path).

CI is running now with both fixes (`log.flush.interval.messages=1` removal for mode (a) + the consumer fix for mode (b)). Will report.

[xiangfu0]

Status update after ~10 CI iterations on this branch.

Two distinct root causes for this test's flake:

1. Mode (a) — Kafka markers don't propagate. Caused by the test's redundant log.flush.interval.messages=1 override (added in [Flaky Test] Fix ExactlyOnceKafkaRealtimeClusterIntegrationTest setUp #18061). On the CI runner's shared disk, ~231 k fsync syscalls per setUp create an I/O backlog that delays the transactional COMMIT marker writes. Removed in this PR. Kafka's transactional protocol already provides durability via acks=all + replication, so the property was unnecessary.

2. Mode (b) — Pinot consumer wedges. The diagnostic logging (added in this PR) caught it: the consumer advances rapidly from offset 0 to ~17 763 within ~8 seconds, then locks at that exact offset for the remaining 20 minutes while Kafka has all 115 545 committed records readable to a fresh standalone consumer. The number 17 763 is suspicious: it matches MAX_PARTITION_FETCH_BYTES_CONFIG (10 MB) ÷ ~590 bytes/record. The wedge happens at exactly the consumer-side fetch-size boundary.

I tried several recovery approaches in the consumer:

• seek(currentPosition) — no effect, since seek() only updates consumer-side position, not the broker-side fetch session.
• assign(emptyList()) + reassign + seek — should terminate the broker session entirely, but the consumer still locked at the same offset.

Reordering setUp to push & verify Kafka before creating the realtime table (so the consumer never sees a moving LSO) also didn't help — the wedge happens anyway, with all data already present in Kafka.

So mode (b) appears to be a Kafka broker-side fetch-session bug under read_committed after a max-fetch-size response of aborted records. Beyond what consumer-side intervention can recover. Fixing it likely needs either a Pinot-level periodic full consumer recreation, a Kafka client/broker version change, or an upstream investigation.

This PR ships the mode (a) fix, the strict post-push verification, the setUp reorder, the read_committed empty-poll consumer fix (production-relevant), and diagnostic logging that's what enabled the mode (b) characterization. It does not claim to fix mode (b); the test will still flake on that path. PR description updated with the full story.

The retry / fresh-topic logic from earlier on this branch is removed per your earlier feedback — the changes here are all bug fixes, not retries that mask regressions.