The implementation of DonorAbortMigrationCmd does not record the fact that a migration has been aborted in the event that it is unable to lookup an existing migration when the command is received. There is a chance (albeit quite rare) that the donor receives an abort command before the migration it intends to abort is started, in which case the donor will report an unknown migration and then proceed to run the full migration that was presumed aborted. The solution is to durably record that the migration is in an aborted state, even if there is no existing known migration.

As an addendum to this work, we should consider updating the PrimaryOnlyService documentation to mention that the lookup method should only be used strictly to observe a service but not interact with it in any way. Instead users should prefer getOrCreate to ensure that some instance (and backing state) always exists.