Narrow pool _release drain shield to not swallow KI / SystemExit

antoineleclair · claude · antoineleclair · commit 0cfb00e3c605 · 2026-04-28T21:54:45.000-04:00
The shielded pending-drain await previously used
contextlib.suppress(BaseException), which silently consumed
KeyboardInterrupt, SystemExit, and any other BaseException —
including a fresh CancelledError that an outer asyncio.timeout
might land on _release while the drain is in flight. Operators
expect Ctrl+C to escape; suppressing it at this boundary made
the cleanup a silent no-op past the next checkpoint.

Narrow to (CancelledError, Exception): CancelledError covers the
awaiter-side cancel that the shield's protect-the-inner-task
contract relies on; Exception covers a synthetic drain-failure
that the existing pin asserts; KeyboardInterrupt and SystemExit
now propagate cleanly. Mirrors the adjacent _release_reservation
shield's narrower CancelledError-only suppression.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqliteclient/pool.py b/src/dqliteclient/pool.py
@@ -1161,7 +1161,25 @@ async def _release(self, conn: DqliteConnection) -> None:
                 # "Task was destroyed but it is pending" on shutdown).
                 pending = getattr(conn, "_pending_drain", None)
                 if pending is not None and not pending.done():
-                    with contextlib.suppress(BaseException):
+                    # Absorb the await-side CancelledError so a fresh
+                    # outer cancel during release does not tear down
+                    # the bounded drain (the shield itself protects
+                    # the inner task; this suppress covers the
+                    # awaiter-side raise delivered when the
+                    # surrounding scope is cancelled). Do NOT suppress
+                    # KeyboardInterrupt / SystemExit — those must
+                    # propagate. Mirrors the ``_release_reservation``
+                    # shield two lines below.
+                    #
+                    # Also suppress Exception to cover the drain task
+                    # itself raising — production drains run inside
+                    # ``_bounded_drain`` which already wraps in
+                    # ``suppress(Exception)``, but the
+                    # belt-and-braces inner suppress here keeps the
+                    # cleanup path immune to a synthetic drain failure
+                    # (and to a future refactor that drops
+                    # ``_bounded_drain``'s wrap).
+                    with contextlib.suppress(asyncio.CancelledError, Exception):
                         await asyncio.shield(pending)
                 conn._pool_released = True
                 with contextlib.suppress(asyncio.CancelledError):
diff --git a/tests/test_pool_release_drain_does_not_swallow_keyboard_interrupt.py b/tests/test_pool_release_drain_does_not_swallow_keyboard_interrupt.py
@@ -0,0 +1,63 @@
+"""Pin: ``_release``'s shielded ``_pending_drain`` await suppresses
+``CancelledError`` and ``Exception``, but MUST NOT suppress arbitrary
+``BaseException``. The previous shape used
+``contextlib.suppress(BaseException)`` which silently consumed
+control-plane signals like ``KeyboardInterrupt`` / ``SystemExit``.
+
+Operators expect Ctrl+C to escape the cleanup path; suppressing
+those signals at this boundary turns them into silent no-ops until
+the next checkpoint that re-raises (none, in this code path —
+``_release`` returns normally).
+
+The test uses a custom ``BaseException`` subclass instead of
+``KeyboardInterrupt`` / ``SystemExit`` so pytest's own top-level
+handling does not intercept the signal.
+"""
+
+from __future__ import annotations
+
+import asyncio
+
+import pytest
+
+from dqliteclient import DqliteConnection
+from dqliteclient.pool import ConnectionPool
+
+
+class _SyntheticControlPlaneSignal(BaseException):
+    """A BaseException subclass that pytest does not intercept."""
+
+
+@pytest.mark.asyncio
+async def test_drain_base_exception_propagates_through_release() -> None:
+    pool = ConnectionPool(["localhost:9001"], min_size=0, max_size=1)
+    pool._size = 1
+    conn = DqliteConnection("localhost:9001")
+    conn._protocol = object()  # type: ignore[assignment]
+    conn._db_id = 1
+    conn._in_transaction = True
+
+    async def signaling_drain() -> None:
+        # Start the task on the loop, then raise the BaseException.
+        await asyncio.sleep(0)
+        raise _SyntheticControlPlaneSignal("control-plane signal")
+
+    conn._pending_drain = asyncio.create_task(signaling_drain())
+
+    async def fake_reset(c: DqliteConnection) -> bool:
+        return False
+
+    pool._reset_connection = fake_reset  # type: ignore[assignment]
+
+    async def noop() -> None:
+        return
+
+    pool._release_reservation = noop
+
+    async def fake_close() -> None:
+        return
+
+    conn.close = fake_close
+
+    with pytest.raises(_SyntheticControlPlaneSignal):
+        await pool._release(conn)
