SONARPY-3003 Rule S7514 Control flow statements should not be used inside TaskGroup or Nursery blocks (#311)

GitOrigin-RevId: 5c5c3533afd6c39cc783f8138496cf11f0bba89b

Author: guillaume-dequenne

python-checks/src/main/java/org/sonar/python/checks/ControlFlowInTaskGroupCheck.java

@@ -0,0 +1,116 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.BaseTreeVisitor;
+import org.sonar.plugins.python.api.tree.BreakStatement;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.ContinueStatement;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.FunctionDef;
+import org.sonar.plugins.python.api.tree.ReturnStatement;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.WithItem;
+import org.sonar.plugins.python.api.tree.WithStatement;
+import org.sonar.plugins.python.api.types.v2.TriBool;
+import org.sonar.python.types.v2.TypeCheckBuilder;
+
+@Rule(key = "S7514")
+public class ControlFlowInTaskGroupCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Refactor the block to eliminate this \"%s\" statement.";
+  private static final String SECONDARY_MESSAGE = "This is an async task group context.";
+  private List<TypeCheckBuilder> taskGroupTypeChecks = new ArrayList<>();
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::setupTypeChecks);
+    context.registerSyntaxNodeConsumer(Tree.Kind.WITH_STMT, this::checkWithStatement);
+  }
+
+  private void setupTypeChecks(SubscriptionContext ctx) {
+    taskGroupTypeChecks = new ArrayList<>();
+    taskGroupTypeChecks.add(ctx.typeChecker().typeCheckBuilder().isTypeOrInstanceWithName("asyncio.TaskGroup"));
+    taskGroupTypeChecks.add(ctx.typeChecker().typeCheckBuilder().isTypeWithFqn("trio.open_nursery"));
+    taskGroupTypeChecks.add(ctx.typeChecker().typeCheckBuilder().isTypeOrInstanceWithName("anyio.create_task_group"));
+  }
+
+  private void checkWithStatement(SubscriptionContext ctx) {
+    WithStatement withStatement = (WithStatement) ctx.syntaxNode();
+    if (!withStatement.isAsync()) {
+      return;
+    }
+
+    Optional<Expression> taskGroupItem = withStatement.withItems().stream()
+      .map(WithItem::test)
+      .filter(this::isTaskGroupOrNursery).findFirst();
+    taskGroupItem.ifPresent(t -> {
+        ControlFlowVisitor visitor = new ControlFlowVisitor(ctx, t);
+        withStatement.statements().accept(visitor);
+      }
+    );
+  }
+
+  private boolean isTaskGroupOrNursery(Expression expression) {
+    boolean result = taskGroupTypeChecks.stream()
+      .anyMatch(typeCheck -> typeCheck.check(expression.typeV2()) == TriBool.TRUE);
+    if (!result && expression instanceof CallExpression callExpression) {
+      result = taskGroupTypeChecks.stream()
+        .anyMatch(typeCheck -> typeCheck.check(callExpression.callee().typeV2()) == TriBool.TRUE);
+    }
+    return result;
+  }
+
+  private static class ControlFlowVisitor extends BaseTreeVisitor {
+    private final SubscriptionContext ctx;
+    private final Expression taskGroupItem;
+
+    public ControlFlowVisitor(SubscriptionContext ctx, Expression taskGroupItem) {
+      this.ctx = ctx;
+      this.taskGroupItem = taskGroupItem;
+    }
+
+    @Override
+    public void visitReturnStatement(ReturnStatement returnStatement) {
+      ctx.addIssue(returnStatement, String.format(MESSAGE, "return"))
+        .secondary(taskGroupItem, SECONDARY_MESSAGE);
+    }
+
+    @Override
+    public void visitBreakStatement(BreakStatement breakStatement) {
+      ctx.addIssue(breakStatement, String.format(MESSAGE, "break"))
+        .secondary(taskGroupItem, SECONDARY_MESSAGE);
+    }
+
+    @Override
+    public void visitContinueStatement(ContinueStatement continueStatement) {
+      ctx.addIssue(continueStatement, String.format(MESSAGE, "continue"))
+        .secondary(taskGroupItem, SECONDARY_MESSAGE);
+    }
+
+    @Override
+    public void visitFunctionDef(FunctionDef functionDef) {
+      // Skip nested functions
+    }
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -157,6 +157,7 @@ public Stream<Class<?>> getChecks() {
       ConsistentReturnCheck.class,
       ConstantConditionCheck.class,
       ConstantValueDictComprehensionCheck.class,
+      ControlFlowInTaskGroupCheck.class,
       CorsCheck.class,
       CsrfDisabledCheck.class,
       DataEncryptionCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7514.html

@@ -0,0 +1,121 @@
+<p>This rule raises when a control flow statement (<code>return</code>, <code>break</code>, <code>continue</code>) is used inside a TaskGroup or
+Nursery context manager.</p>
+<h2>Why is this an issue?</h2>
+<p>Using control flow statements like <code>return</code>, <code>break</code>, or <code>continue</code> inside async TaskGroup or Nursery blocks leads
+to counterintuitive behavior that can confuse developers and introduce bugs.</p>
+<h3>What is the potential impact?</h3>
+<h4>Deferred execution in TaskGroup</h4>
+<p>In asyncio’s TaskGroup, control flow statements don’t take immediate effect. Instead, they wait for all tasks in the group to complete before
+executing. This can lead to:</p>
+<ul>
+  <li> Unexpected delays when tasks run longer than anticipated </li>
+  <li> Code that appears to exit early but actually continues running </li>
+  <li> Potential infinite loops if background tasks never complete </li>
+</ul>
+<h4>Lost return values in Nurseries</h4>
+<p>In Trio and AnyIO nurseries, return values can be lost if other tasks in the nursery raise exceptions:</p>
+<ul>
+  <li> When a background task raises an exception, the return value from the main flow is discarded </li>
+  <li> The nursery’s exception handling takes precedence over return values </li>
+  <li> Silent data loss that’s difficult to debug </li>
+</ul>
+<h2>How to fix it in Asyncio</h2>
+<p>Move the control flow statement outside the TaskGroup or Nursery block, and use the appropriate cancellation mechanism before exiting the
+block.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import asyncio
+
+async def process():
+    async with asyncio.TaskGroup() as tg:
+        tg.create_task(background_task())
+
+        if condition():
+            return "result"  # Noncompliant: waits for background_task() to complete
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import asyncio
+
+async def process():
+    result = None
+    async with asyncio.TaskGroup() as tg:
+        task = tg.create_task(background_task())
+
+        if condition():
+            result = "result"
+            task.cancel()
+
+    return result
+</pre>
+<h2>How to fix it in Trio</h2>
+<p>Move the control flow statement outside the Nursery block, and use the appropriate cancellation mechanism before exiting the block.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+import trio
+
+async def process():
+    async with trio.open_nursery() as nursery:
+        nursery.start_soon(background_task)
+
+        if condition():
+            return "result"  # Noncompliant: value may be lost
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+import trio
+
+async def process():
+    result = None
+    async with trio.open_nursery() as nursery:
+        nursery.start_soon(background_task)
+
+        if condition():
+            result = "result"
+            nursery.cancel_scope.cancel()
+
+    return result
+</pre>
+<h2>How to fix it in AnyIO</h2>
+<p>Move the control flow statement outside the TaskGroup block, and use the appropriate cancellation mechanism before exiting the block.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+import anyio
+
+async def process():
+    async with anyio.create_task_group() as tg:
+        tg.start_soon(background_task)
+
+        if condition():
+            return "result"  # Noncompliant: waits for background_task
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+import anyio
+
+async def process():
+    result = None
+    async with anyio.create_task_group() as tg:
+        tg.start_soon(background_task)
+
+        if condition():
+            result = "result"
+            tg.cancel_scope.cancel()
+
+    return result
+</pre>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> Asyncio documentation - <a href="https://docs.python.org/3/library/asyncio-task.html#task-groups">Task Groups</a> </li>
+  <li> Trio documentation - <a href="https://trio.readthedocs.io/en/latest/reference-core.html#nurseries-and-spawning">Nurseries and spawning</a>
+  </li>
+  <li> AnyIO documentation - <a href="https://anyio.readthedocs.io/en/stable/tasks.html#creating-and-managing-tasks">Creating and managing tasks</a>
+  </li>
+  <li> Trio issue #1493 - <a href="https://github.com/python-trio/trio/issues/1493">Returning a value from inside a nursery block behaves
+  counterintuitively</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7514.json

@@ -0,0 +1,26 @@
+{
+  "title": "Control flow statements should not be used inside TaskGroup or Nursery blocks",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "async",
+    "asyncio",
+    "trio",
+    "anyio"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7514",
+  "sqKey": "S7514",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "LOGICAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -281,6 +281,7 @@
     "S7510",
     "S7511",
     "S7512",
+    "S7514",
     "S7516",
     "S7517",
     "S7519"

python-checks/src/test/java/org/sonar/python/checks/ControlFlowInTaskGroupCheckTest.java

@@ -0,0 +1,29 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class ControlFlowInTaskGroupCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/controlFlowInTaskGroup.py", new ControlFlowInTaskGroupCheck());
+  }
+
+}