maintainer: avoid panic when maintainer bootstrap

[wk989898]

What problem does this PR solve?

Issue Number: close #4509

What is changed and how it works?

When FinishBootstrap fails, TiCDC should be able to retry bootstrap with a complete set of cached bootstrap responses.

Before this change, bootstrap responses were effectively consumed once collected. If bootstrap failed and a new node joined later, the next retry round could end up seeing only the newly joined node's response, instead of reusing the responses from existing nodes as well. This made the retry path incomplete.

This PR fixes that behavior by retaining cached bootstrap responses until the higher-level bootstrap process succeeds and explicitly clears them.

It also adds integration coverage for the retry path triggered by node scheduling after an initial bootstrap failure.

• Keep bootstrap responses cached after collectBootstrapResponses() returns them.
• Add explicit ClearBootstrapResponses() and let upper layers clear responses only after successful bootstrap completion.
• Apply this behavior in both maintainer bootstrap and coordinator bootstrap handling.
• Change determineStartTs to return a normal error when bootstrap responses do not contain a valid checkpoint, instead of panicking.
• Add unit tests for:
  • retaining bootstrap responses across retry rounds
  • returning an error when checkpoint information is missing
• Add a new integration test bootstrap_retry_after_error that:
  • injects ErrSnapshotLostByGC during bootstrap
  • blocks stop temporarily so the failed maintainer can still observe node changes
  • starts a new TiCDC node to trigger maintainer node changed -> bootstrap response -> handle bootstrap response
  • verifies the changefeed finally stays in failed state with ErrSnapshotLostByGC

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No code

Questions

Will it cause performance regression or break compatibility?

Do you need to update user documentation, design documentation or monitoring documentation?

Release note

Please refer to [Release Notes Language Style Guide](https://pingcap.github.io/tidb-dev-guide/contribute-to-tidb/release-notes-style-guide.html) to write a quality release note.

If you don't think this PR needs a release note then fill it with `None`.

Summary by CodeRabbit

• Bug Fixes

  • Bootstrap initialization now returns structured errors for missing checkpoint timestamps instead of crashing, improving stability and diagnostics.

• Tests

  • New integration test validates bootstrap-retry and failure flows; CI updated to run it.
  • New unit test verifies error propagation when bootstrap checkpoints are missing (duplicate test entry present in the test file).

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Replace panics in maintainer bootstrap timestamp detection with structured error returns and propagate errors; add unit test(s) (one duplicated) asserting error propagation; add an integration test script exercising bootstrap-retry-after-error and register it in CI.

Changes

Cohort / File(s)	Summary
Bootstrap error handling maintainer/maintainer_controller_bootstrap.go	Changed determineStartTs signature to return (uint64, uint64, error). Replaced log.Panic on missing checkpointTs / redoCheckpointTs with returned errors.WrapError(...); updated FinishBootstrap to handle/propagate the error.
Unit tests maintainer/maintainer_controller_test.go	Added TestFinishBootstrapReturnsErrorWhenCheckpointMissing and import alias cerrors (github.com/pingcap/ticdc/pkg/errors). Note: the same test function was introduced twice (duplicate definitions) in this diff.
Integration test script tests/integration_tests/bootstrap_retry_after_error/run.sh	New end-to-end script that sets up a TiDB/TiCDC multi-node scenario, induces bootstrap failure via failpoints, validates bootstrap-retry behavior when cached bootstrap responses report empty checkpointTs, checks for absence of panics, and performs cleanup.
CI test registration tests/integration_tests/run_light_it_in_ci.sh	Appended bootstrap_retry_after_error to the G15 mysql light integration test group.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

lgtm, approved

Suggested reviewers

• hongyunyan
• lidezhu

Poem

🐰 I nudged the code to breathe, not scream,
Where panics leapt, now errors stream.
Tests hopped in — one echoed twice,
A retry script danced through failpoint ice.
Logs whisper safe; the rabbit grins, at ease.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR contains a significant defect: the test file maintainer/maintainer_controller_test.go includes TestFinishBootstrapReturnsErrorWhenCheckpointMissing defined twice (duplicate), which introduces duplicate test code and is unrelated to the bootstrap panic fix objective.	Remove the duplicate TestFinishBootstrapReturnsErrorWhenCheckpointMissing test definition from maintainer/maintainer_controller_test.go to avoid test conflicts and code duplication.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'maintainer: avoid panic when maintainer bootstrap' directly addresses the main objective of the PR: eliminating a panic that occurs during maintainer bootstrap when checkpoints are missing.
Linked Issues check	✅ Passed	The PR successfully addresses issue #4509 by converting the panic in determineStartTs into proper error handling with traced errors, adding unit and integration tests to validate the new behavior.
Description check	✅ Passed	The PR description is mostly complete with the problem statement, implementation details, and test coverage clearly explained, though the release note section is unfilled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the maintainer bootstrap process by replacing a potential panic with explicit error handling. Previously, if critical timestamp information was missing during bootstrap, the application would panic. The changes refactor the relevant functions to return an error in such scenarios, improving the system's stability and allowing for more controlled error recovery.

Highlights

• Error Handling: Modified the determineStartTs function to return an error instead of panicking when startTs or redoStartTs are not found during the maintainer bootstrap process.
• Robustness: Updated the FinishBootstrap function to gracefully handle the error returned by determineStartTs, preventing a fatal program termination.
• Test Coverage: Added a new unit test, TestFinishBootstrapReturnsErrorWhenCheckpointMissing, to specifically verify that the system correctly returns an error when checkpoint information is absent during bootstrap, ensuring the panic is avoided.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

The pull request refactors the determineStartTs function in maintainer_controller_bootstrap.go to return an error instead of panicking when startTs or redoStartTs are not found. This change replaces log.Panic with errors.WrapError for more graceful error handling. The FinishBootstrap function was updated to handle this new error return. Additionally, a new test case, TestFinishBootstrapReturnsErrorWhenCheckpointMissing, was added to maintainer_controller_test.go to validate the new error-handling behavior.

[gemini-code-assist]

Replacing log.Panic with an error return is a critical improvement for the robustness of the system. Panicking can lead to unexpected service interruptions, whereas returning an error allows for graceful handling and recovery. The error message also provides clear context about the issue.

[gemini-code-assist]

This change correctly replaces a log.Panic with a structured error return. This is crucial for system stability, as it allows the application to handle the absence of startTs gracefully rather than crashing. The use of errors.WrapError provides a clear and traceable error message.

[gemini-code-assist]

This new test case TestFinishBootstrapReturnsErrorWhenCheckpointMissing is well-designed. It specifically targets the scenario where checkpointTs is missing, ensuring that the new error handling in determineStartTs functions as expected. Verifying the error type, code, and message is crucial for robust error management.

[wk989898]

/test mysql

[wk989898]

/test pull-cdc-mysql-integration-light

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/integration_tests/bootstrap_retry_after_error/run.sh`:
- Around line 37-45: The negative log check in check_cdc_logs_not_contains can
falsely pass when the glob cdc*.log matches nothing; modify the function
(check_cdc_logs_not_contains) to first verify that at least one CDC log file
exists (e.g., use compgen -G "$work_dir/cdc*.log" or an explicit file-list
check) and fail fast with a clear error if none are found, then run grep against
the confirmed file list (so the subsequent grep -Eqs and grep -Ens are executed
only when files are present).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 756d7ee8-6050-40d4-9d00-f604a8a6eb83

📥 Commits

Reviewing files that changed from the base of the PR and between aad433e and 5c81cb5.

📒 Files selected for processing (1)

• tests/integration_tests/bootstrap_retry_after_error/run.sh

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

maintainer/maintainer_controller_bootstrap.go (1)

178-187: Use a bootstrap-specific RFC error instead of dispatcher-init error

These branches return ErrChangefeedInitTableTriggerDispatcherFailed, but the failure is “missing bootstrap checkpoint ts,” not dispatcher initialization. A dedicated error code/message would improve alert routing and triage.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@maintainer/maintainer_controller_bootstrap.go` around lines 178 - 187, The
branches that return errors for missing bootstrap checkpoint timestamps
currently use errors.ErrChangefeedInitTableTriggerDispatcherFailed which is
misleading; define a bootstrap-specific error constant (e.g.
errors.ErrChangefeedInitBootstrapMissingCheckpoint) and replace the usages in
both branches (the one returning for empty checkpointTs and the one guarded by
c.enableRedo when redoStartTs == 0) so they wrap the new bootstrap-specific
error with the existing descriptive messages (e.g. "all bootstrap responses
reported empty checkpointTs" and "all bootstrap responses reported empty
redoCheckpointTs"). Ensure the new constant is declared alongside other
changefeed errors and used in the errors.WrapError calls instead of
errors.ErrChangefeedInitTableTriggerDispatcherFailed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@maintainer/maintainer_controller_bootstrap.go`:
- Around line 91-96: The current bootstrap code calls log.Panic when
c.determineStartTs(allNodesResp) fails and then returns errors.Trace(err);
remove the panic and instead log the failure with log.Error (including
zap.String("changefeed", c.changefeedID.Name())) and return the original err
value (not re-wrapped) so the caller can propagate the already-wrapped error
from determineStartTs; update the failing block around c.determineStartTs to
perform a non-panicking log and return nil, err.

---

Nitpick comments:
In `@maintainer/maintainer_controller_bootstrap.go`:
- Around line 178-187: The branches that return errors for missing bootstrap
checkpoint timestamps currently use
errors.ErrChangefeedInitTableTriggerDispatcherFailed which is misleading; define
a bootstrap-specific error constant (e.g.
errors.ErrChangefeedInitBootstrapMissingCheckpoint) and replace the usages in
both branches (the one returning for empty checkpointTs and the one guarded by
c.enableRedo when redoStartTs == 0) so they wrap the new bootstrap-specific
error with the existing descriptive messages (e.g. "all bootstrap responses
reported empty checkpointTs" and "all bootstrap responses reported empty
redoCheckpointTs"). Ensure the new constant is declared alongside other
changefeed errors and used in the errors.WrapError calls instead of
errors.ErrChangefeedInitTableTriggerDispatcherFailed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2dc19bf5-5a20-4c46-985f-01f8e0528bbd

📥 Commits

Reviewing files that changed from the base of the PR and between 5c81cb5 and 3a2ab29.

📒 Files selected for processing (2)

• maintainer/maintainer_controller_bootstrap.go
• tests/integration_tests/bootstrap_retry_after_error/run.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/integration_tests/bootstrap_retry_after_error/run.sh

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove panic on bootstrap start-ts resolution failure

Line 93 still panics, so the maintainer can crash in the exact failure path this PR is trying to harden. Return the error instead of panicking, and propagate it without re-wrapping at Line 95.

✅ Suggested fix

 	startTs, redoStartTs, err := c.determineStartTs(allNodesResp)
 	if err != nil {
-		log.Panic("cant not found the startTs from the bootstrap response",
-			zap.String("changefeed", c.changefeedID.Name()))
-		return nil, errors.Trace(err)
+		log.Error("cannot determine start ts from bootstrap response",
+			zap.Stringer("changefeed", c.changefeedID),
+			zap.Error(err))
+		return nil, err
 	}

As per coding guidelines "When an error comes from a third-party or library call in Go, wrap it immediately with `errors.Trace(err)` or `errors.WrapError(...)` to attach a stack trace; upstream callers should propagate wrapped errors without wrapping again".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	startTs, redoStartTs, err := c.determineStartTs(allNodesResp)
	if err != nil {
	log.Panic("cant not found the startTs from the bootstrap response",
	zap.String("changefeed", c.changefeedID.Name()))
	return nil, errors.Trace(err)
	}
	startTs, redoStartTs, err := c.determineStartTs(allNodesResp)
	if err != nil {
	log.Error("cannot determine start ts from bootstrap response",
	zap.Stringer("changefeed", c.changefeedID),
	zap.Error(err))
	return nil, err
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@maintainer/maintainer_controller_bootstrap.go` around lines 91 - 96, The
current bootstrap code calls log.Panic when c.determineStartTs(allNodesResp)
fails and then returns errors.Trace(err); remove the panic and instead log the
failure with log.Error (including zap.String("changefeed",
c.changefeedID.Name())) and return the original err value (not re-wrapped) so
the caller can propagate the already-wrapped error from determineStartTs; update
the failing block around c.determineStartTs to perform a non-panicking log and
return nil, err.

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/integration_tests/bootstrap_retry_after_error/run.sh`:
- Around line 94-96: There is an extra blank line after the line that resets the
environment variable export GO_FAILPOINTS='' in the script; remove the redundant
empty line so the export is immediately followed by the next non-empty line
(collapse the double blank line) to satisfy shfmt and fix the formatting check
in tests/integration_tests/bootstrap_retry_after_error/run.sh.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c378f080-08bb-4ccd-b92b-e675982a4fc2

📥 Commits

Reviewing files that changed from the base of the PR and between 3a2ab29 and f7ea48b.

📒 Files selected for processing (1)

• tests/integration_tests/bootstrap_retry_after_error/run.sh

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test pull-cdc-mysql-integration-light

[wk989898]

/test all

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: asddongmen, hongyunyan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [asddongmen,hongyunyan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-04-03 17:55:58.305365332 +0000 UTC m=+546963.510725389: ☑️ agreed by hongyunyan.
• 2026-04-13 03:27:49.614194301 +0000 UTC m=+1358874.819554357: ☑️ agreed by asddongmen.

[wk989898]

/retest

[ti-chi-bot]

@wk989898: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-unit-test	f777938	link	unknown	/test pull-unit-test
pull-cdc-kafka-integration-light	f777938	link	unknown	/test pull-cdc-kafka-integration-light
pull-cdc-kafka-integration-heavy	f777938	link	unknown	/test pull-cdc-kafka-integration-heavy

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.