[runtime] Handle notifyCheckpointAborted to stop leaking checkpoint entries

[weiqingy]

Closes #665.

What this PR does

DurableExecutionManager.checkpointIdToSeqNums leaked entries on aborted checkpoints. Flink calls notifyCheckpointAborted(...) when a checkpoint is aborted (timeout, alignment failure, backend pressure); the existing code only handled the complete path. Under sustained abort pressure the map grew unboundedly.

Production changes

1. DurableExecutionManager.notifyCheckpointAborted(long) (new, package-private) — removes the entry from checkpointIdToSeqNums. No pruneState call — durable writes for an aborted checkpoint were never committed, so the prior committed checkpoint's recovery state is still load-bearing and must not be pruned. Guarded by actionStateStore != null to mirror the symmetric guard from [Bug][runtime] Fix memory leak in DurableExecutionManager.checkpointIdToSeqNums #645.
2. ActionExecutionOperator.notifyCheckpointAborted(long) (new @Override) — thin delegate to the manager, then super.notifyCheckpointAborted(...). Mirrors the existing notifyCheckpointComplete override exactly.
3. Javadoc invariant statement on snapshotLastCompletedSequenceNumbers and notifyCheckpointComplete strengthened to name BOTH release paths (complete OR abort). The actionStateStore != null guard now lives on three methods; the javadoc makes the three-way symmetry explicit and cross-links [Bug][runtime] Fix memory leak in DurableExecutionManager.checkpointIdToSeqNums #645 + [Bug][runtime] DurableExecutionManager leaks checkpointIdToSeqNums entries on aborted checkpoints #665.
4. @VisibleForTesting getCheckpointIdToSeqNums() accessor — mirrors getActionStateStore() precedent. (Same addition as in [runtime] Lock null-store symmetry invariant in DurableExecutionManager #666; the second PR to land drops the duplicate on rebase.)

Tests (DEM-level, three new)

• notifyAbortedRemovesEntryWithoutPruning — entry released, durable state untouched. Uses a real InMemoryActionStateStore (not a mock) so wrongful pruning would be observable.
• completedAndAbortedInterleavedKeepsInFlightEntries — three in-flight checkpoints; one completes (state pruned), one aborts (state preserved), one remains.
• noStoreModeNotifyCheckpointAbortedIsNoOp — symmetric null-store no-op coverage.

Sanity-mutation verified locally:

• Emptying the new method's body → 2 of 3 new tests fail.
• Adding a wrongful actionStateStore.pruneState(...) call → 2 of 3 new tests fail (state was incorrectly pruned).

Operator-level harness test deferred to #646 — the new operator override is a one-line delegate; the logic is in the manager.

Test plan

• mvn test -Dtest=DurableExecutionManagerTest -pl runtime — 5/5 pass (2 existing + 3 new)
• mvn test -Dtest=ActionExecutionOperatorTest -pl runtime — 28/28 pass
• mvn test -pl runtime — 307/307 pass (no regressions)
• ./tools/lint.sh -c — 0 violations
• ./tools/check-license.sh — clean (no new tracked files)
• Sanity mutation: empty new method body → expected tests fail
• Sanity mutation: wrongful pruneState call on abort → expected tests fail

Documentation

• doc-needed
• doc-not-needed
• doc-included

[wenjin272]

Hi, @weiqingy. It appears that after the merge of #659, both #666 and #667 have some conflicts.

[weiqingy]

Hi @wenjin272, the PR has been updated to resolve the conflicts.

[weiqingy]

The one CI failure (it-python [java-17] [python-3.12] [flink-2.1]) is the known test_react_agent_on_local_runner LLM flake against Ollama qwen3:1.7b, not caused by this PR:

FAILED flink_agents/e2e_tests/e2e_tests_integration/react_agent_test.py::test_react_agent_on_local_runner
  - assert 432596736 == 1386528

The test expects 4444 × 312 = 1386528, but the LLM made an extra unnecessary multiply(1386528, 312) call and returned 432596736. The test source has a comment right next to the assertion: "This may be caused by the LLM response does not match the output schema, you can rerun this case."

This same failure (same exact numbers, 432596736 == 1386528) is currently failing on main at b38ae21 — the commit this PR is rebased onto — and on several other recent main-branch runs. Failure runs through the Python local_runner, which logs "Local runner does not support durable execution; recovery is not available." — the Java DurableExecutionManager / ActionExecutionOperator paths changed by this PR are never exercised.

Will re-run CI.

[wenjin272]

The one CI failure (it-python [java-17] [python-3.12] [flink-2.1]) is the known test_react_agent_on_local_runner LLM flake against Ollama qwen3:1.7b, not caused by this PR:

FAILED flink_agents/e2e_tests/e2e_tests_integration/react_agent_test.py::test_react_agent_on_local_runner
  - assert 432596736 == 1386528

The test expects 4444 × 312 = 1386528, but the LLM made an extra unnecessary multiply(1386528, 312) call and returned 432596736. The test source has a comment right next to the assertion: "This may be caused by the LLM response does not match the output schema, you can rerun this case."

This same failure (same exact numbers, 432596736 == 1386528) is currently failing on main at b38ae21 — the commit this PR is rebased onto — and on several other recent main-branch runs. Failure runs through the Python local_runner, which logs "Local runner does not support durable execution; recovery is not available." — the Java DurableExecutionManager / ActionExecutionOperator paths changed by this PR are never exercised.

Will re-run CI.

I believe we need to polish the stability and observability of CI in version 0.4. If you encounter any unstable cases, please contact me to rerun them. I now have the permission to rerun failed CI jobs.

[wenjin272]

Hi, @weiqingy, LGTM. I left a comment that may need to be confirmed.

[wenjin272]

It appears that only tests are calling this method. We may need to verify whether this is an unnecessary interface or if the call was accidentally removed during a previous conflict resolution.