SONARPY-2942 Rule S7497: Cancellation exceptions should be re-raised after cleanup (#286)

GitOrigin-RevId: 6d63ebd45d824fcdacdf5e0f50b962a8c1b72357

Author: ghislainpiot

python-checks/src/main/java/org/sonar/python/checks/CancellationReraisedInAsyncCheck.java

@@ -0,0 +1,170 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+
+package org.sonar.python.checks;
+
+import javax.annotation.Nullable;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.BaseTreeVisitor;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.ExceptClause;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.RaiseStatement;
+import org.sonar.plugins.python.api.tree.ReturnStatement;
+import org.sonar.plugins.python.api.tree.Token;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.Tree.Kind;
+import org.sonar.plugins.python.api.tree.TryStatement;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+@Rule(key = "S7497")
+public class CancellationReraisedInAsyncCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Ensure that the %s exception is re-raised after your cleanup code.";
+
+  private static final String ASYNCIO_CANCELLED_ERROR = "asyncio.CancelledError";
+  private static final String TRIO_CANCELLED = "trio.Cancelled";
+  private static final String ANYIO_CANCELLED = "anyio.get_cancelled_exc_class";
+  private static final String MESSAGE_SECONDARY = "This function is async.";
+
+  private TypeCheckMap<String> cancelledExceptionTypeCheckMap;
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Kind.FILE_INPUT, this::initializeChecksForFile);
+    context.registerSyntaxNodeConsumer(Kind.TRY_STMT, this::checkTryStatement);
+  }
+
+  private void initializeChecksForFile(SubscriptionContext ctx) {
+    cancelledExceptionTypeCheckMap = new TypeCheckMap<>();
+    cancelledExceptionTypeCheckMap.put(ctx.typeChecker().typeCheckBuilder().isTypeOrInstanceWithName(ASYNCIO_CANCELLED_ERROR), ASYNCIO_CANCELLED_ERROR);
+    cancelledExceptionTypeCheckMap.put(ctx.typeChecker().typeCheckBuilder().isTypeWithFqn(TRIO_CANCELLED), TRIO_CANCELLED);
+    cancelledExceptionTypeCheckMap.put(ctx.typeChecker().typeCheckBuilder().isTypeOrInstanceWithName(ANYIO_CANCELLED), "cancellation");
+
+  }
+
+  private void checkTryStatement(SubscriptionContext context) {
+    var tryStatement = (TryStatement) context.syntaxNode();
+    var enclosingAsyncToken = TreeUtils.asyncTokenOfEnclosingFunction(tryStatement).orElse(null);
+
+    if (enclosingAsyncToken == null) {
+      return;
+    }
+
+    tryStatement.exceptClauses().forEach(exceptClause -> checkExceptClause(context, exceptClause, enclosingAsyncToken));
+  }
+
+  private void checkExceptClause(SubscriptionContext subscriptionContext, ExceptClause exceptClause, Token enclosingAsyncToken) {
+    var exception = exceptClause.exception();
+    if (exception == null) {
+      return;
+    }
+    String isOffendingException = isOffendingException(exception);
+    if (isOffendingException.isEmpty()) {
+      return;
+    }
+
+    var isCompliant = true;
+    var hasTopLevelPass = exceptClause.body().statements().stream().anyMatch(s -> s.is(Kind.PASS_STMT));
+    if (hasTopLevelPass) {
+      isCompliant = false;
+    } else {
+      var complianceChecker = new ComplianceChecker(exceptClause);
+      exceptClause.accept(complianceChecker);
+      isCompliant = complianceChecker.isCompliant();
+    }
+
+    if (!isCompliant) {
+      subscriptionContext.addIssue(
+          exception,
+          String.format(MESSAGE, isOffendingException))
+        .secondary(enclosingAsyncToken, MESSAGE_SECONDARY);
+    }
+  }
+
+  private String isOffendingException(Expression exception) {
+    var isOffendingTypeOpt = cancelledExceptionTypeCheckMap.getOptionalForType(exception.typeV2());
+    if (isOffendingTypeOpt.isPresent()) {
+      return isOffendingTypeOpt.get();
+    }
+    if (exception instanceof CallExpression callExpression) {
+      var result = cancelledExceptionTypeCheckMap.getOptionalForType(callExpression.callee().typeV2());
+      if (result.isPresent()) {
+        return result.get();
+      }
+    }
+    return "";
+
+  }
+
+  private static boolean isReRaise(RaiseStatement raiseStatement, ExceptClause exceptClause) {
+    var isBareRaise = raiseStatement.expressions().isEmpty();
+    var exceptionInstanceName = TreeUtils.toOptionalInstanceOf(Name.class, exceptClause.exceptionInstance());
+
+    var isReRaise = raiseStatement.expressions().size() == 1 && exceptionInstanceName.isPresent()
+      && raiseStatement.expressions().get(0).is(Kind.NAME)
+      && ((Name) raiseStatement.expressions().get(0)).name().equals(exceptionInstanceName.get().name());
+
+    return isBareRaise || isReRaise;
+  }
+
+  static class ComplianceChecker extends BaseTreeVisitor {
+    private final ExceptClause exceptClause;
+    private boolean hasRaiseStatement = false;
+    private boolean isCompliant = true;
+
+    ComplianceChecker(ExceptClause exceptClause) {
+      this.exceptClause = exceptClause;
+    }
+
+    boolean isCompliant() {
+      // If we never found a raise statement, it's not compliant
+      return isCompliant && hasRaiseStatement;
+    }
+
+    @Override
+    public void visitRaiseStatement(RaiseStatement raiseStatement) {
+      hasRaiseStatement = true;
+
+      // Check if this is a proper re-raise
+      if (!isReRaise(raiseStatement, exceptClause)) {
+        isCompliant = false;
+        return;
+      }
+
+      super.visitRaiseStatement(raiseStatement);
+    }
+
+    @Override
+    public void visitReturnStatement(ReturnStatement returnStatement) {
+      isCompliant = false;
+    }
+
+    @Override
+    protected void scan(@Nullable Tree tree) {
+      if (!isCompliant) {
+        return;
+      }
+      super.scan(tree);
+    }
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -136,6 +136,7 @@ public Stream<Class<?>> getChecks() {
       BusyWaitingInAsyncCheck.class,
       CancellationScopeNoCheckpointCheck.class,
       CaughtExceptionsCheck.class,
+      CancellationReraisedInAsyncCheck.class,
       ChangeMethodContractCheck.class,
       ChildAndParentExceptionCaughtCheck.class,
       CipherBlockChainingCheck.class,

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7497.html

@@ -0,0 +1,130 @@
+<p>This rule raises an issue when a cancellation excception is caught without re-raising it.</p>
+<h2>Why is this an issue?</h2>
+<p>Asynchronous frameworks like <code>asyncio</code>, <code>trio</code>, and <code>anyio</code> use special exceptions to signal that a task or
+operation should be cancelled. These exceptions are not typical errors indicating a logical flaw in the task but are directives for the task to
+terminate its execution prematurely and perform necessary cleanup.</p>
+<p>When a task is cancelled, the framework typically injects this cancellation exception into it. The task is expected to:</p>
+<ul>
+  <li> Catch this specific cancellation exception. </li>
+  <li> Perform any urgent and brief cleanup actions (e.g., releasing locks or other resources). </li>
+  <li> Re-raise the cancellation exception. </li>
+</ul>
+<p>If a cancellation exception is caught and not re-raised (e.g., it’s suppressed with a <code>pass</code> statement, only logged, the handler returns
+normally, or a different exception is raised instead), the cancellation signal is effectively "swallowed".</p>
+<p>This prevents the framework and any calling code from knowing that the task has acknowledged the cancellation and is stopping. The task might even
+continue running parts of its code after the <code>except</code> block, which is contrary to the purpose of cancellation.</p>
+<p>Properly propagating cancellation exceptions is crucial for the cooperative multitasking model these frameworks rely on.</p>
+<h3>What is the potential impact?</h3>
+<p>Suppressing cancellation exceptions can lead to significant problems:</p>
+<ul>
+  <li> <strong>Unresponsive Applications</strong>: Tasks ignoring cancellation may run indefinitely, making the application unresponsive to shutdown
+  signals. </li>
+  <li> <strong>Resource Leaks</strong>: Tasks not stopping properly can leave resources (files, connections, locks) unreleased, leading to resource
+  exhaustion. </li>
+  <li> <strong>Incorrect State</strong>: Partial execution of cancelled operations can leave the application in an inconsistent state, risking data
+  corruption. </li>
+  <li> <strong>Debugging Difficulties</strong>: Troubleshooting why tasks continue running or why shutdown fails becomes challenging. </li>
+  <li> <strong>Broken Abstractions</strong>: Reliable cancellation is essential for async patterns and libraries; ignoring it breaks timeouts and task
+  groups. </li>
+</ul>
+<h2>How to fix it in Asyncio</h2>
+<p>If you need to catch cancellation exceptions for cleanup purposes, make sure to re-raise them after your cleanup code.</p>
+<p>Alternatively, you could add a specific handler for cancellation exceptions before your general exception handler.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+import asyncio
+
+async def compute_result(data): ...
+
+async def process_data(data):
+    try:
+        result = await compute_result(data)
+        return result
+    except asyncio.CancelledError:
+        return  # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+import asyncio
+
+async def compute_result(data): ...
+
+async def process_data(data):
+    try:
+        result = await compute_result(data)
+        return result
+    except asyncio.CancelledError:  # Compliant
+        raise
+</pre>
+<h2>How to fix it in Trio</h2>
+<p>If you need to catch cancellation exceptions for cleanup purposes, make sure to re-raise them after your cleanup code.</p>
+<p>Alternatively, you could add a specific handler for cancellation exceptions before your general exception handler.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="2" data-diff-type="noncompliant">
+import trio
+
+async def compute_result(data): ...
+
+async def process_data(data):
+    try:
+        result = await compute_result(data)
+        return result
+    except trio.Cancelled:  # Noncompliant
+        return
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="2" data-diff-type="compliant">
+import trio
+
+async def compute_result(data): ...
+
+async def process_data(data):
+    try:
+        result = await compute_result(data)
+        return result
+    except trio.Cancelled:  # Compliant
+        raise
+</pre>
+<h2>How to fix it in AnyIO</h2>
+<p>If you need to catch cancellation exceptions for cleanup purposes, make sure to re-raise them after your cleanup code.</p>
+<p>Alternatively, you could add a specific handler for cancellation exceptions before your general exception handler.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="3" data-diff-type="noncompliant">
+import anyio
+
+async def compute_result(data): ...
+
+async def process_data(data):
+    try:
+        result = await compute_result(data)
+        return result
+    except anyio.Cancelled:  # Noncompliant
+        return
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="3" data-diff-type="compliant">
+import anyio
+
+async def compute_result(data): ...
+
+async def process_data(data):
+    try:
+        result = await compute_result(data)
+        return result
+    except anyio.Cancelled:  # Compliant
+        raise
+</pre>
+<h3>Pitfalls</h3>
+<p>Asynchronous cleanup operations in <code>except CancelledError</code> or <code>finally</code> blocks can themselves be interrupted by cancellation.
+While <code>asyncio.shield()</code> (or library equivalents) can protect critical cleanup code, use it sparingly as it may delay shutdown.</p>
+<h2>Resources</h2>
+<h3>Documentation</h3>
+<ul>
+  <li> Asyncio documentation - <a href="https://docs.python.org/3/library/asyncio-task.html#task-cancellation">Task Cancellation</a> </li>
+  <li> Trio documentation - <a href="https://trio.readthedocs.io/en/latest/reference-core.html#trio.Cancelled">Exceptions and warnings</a> </li>
+  <li> AnyIO documentation - <a href="https://anyio.readthedocs.io/en/stable/cancellation.html#timeouts">Timeouts</a> </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S7497.json

@@ -0,0 +1,27 @@
+{
+  "title": "Cancellation exceptions should be re-raised after cleanup",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "async",
+    "asyncio",
+    "trio",
+    "anyio"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7497",
+  "sqKey": "S7497",
+  "scope": "All",
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "MAINTAINABILITY": "MEDIUM",
+      "RELIABILITY": "HIGH"
+    },
+    "attribute": "LOGICAL"
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -265,6 +265,7 @@
     "S7492",
     "S7493",
     "S7494",
+    "S7497",
     "S7498",
     "S7499",
     "S7500",

python-checks/src/test/java/org/sonar/python/checks/CancellationReraisedInAsyncCheckTest.java

@@ -0,0 +1,30 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+
+package org.sonar.python.checks;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class CancellationReraisedInAsyncCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/cancellationReraisedInAsync.py", new CancellationReraisedInAsyncCheck());
+  }
+
+}