Narrow connect-cleanup suppress in ClusterClient.connect to match pool's shielded-cleanup discipline

antoineleclair · claude · antoineleclair · commit b0a6ef2acc61 · 2026-04-30T16:52:31.000-04:00
The ``try_connect`` cleanup arm wrapped
``await asyncio.shield(conn.close())`` in a
``contextlib.suppress(BaseException)``. The wide width
swallowed everything the shielded close could raise —
including ``KeyboardInterrupt`` / ``SystemExit`` (signal
shutdowns), programming-bug class exceptions like
``AttributeError``, and any unexpected ``Exception`` — and
the bare ``raise`` after the suppress re-raised the original
handshake exception, supplanting the new signal entirely.

Mirror the pool's canonical pattern at
``pool.py:1018-1042``:

* ``asyncio.CancelledError`` is absorbed (asyncio re-
  delivers at the next await; the bare ``raise`` re-
  delivers the original handshake exception, so the
  outer-cancel signal is not lost — just delayed by one
  await boundary).
* ``OSError`` / ``DqliteConnectionError`` are caught and
  logged (transport-class teardown failures on a half-
  built conn are expected).
* ``KI`` / ``SystemExit`` / other ``Exception`` subclasses
  propagate — these are the cases the wide suppress was
  silently dropping.

The cleanup arm's intent (drain the inner client's
``_pending_drain`` task before the half-built conn falls
out of scope) is preserved; only the failure-mode width
changes.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqliteclient/cluster.py b/src/dqliteclient/cluster.py
@@ -584,8 +584,31 @@ async def try_connect() -> DqliteConnection:
                     # drain task is GC'd mid-flight, producing a
                     # "Task was destroyed but it is pending" warning
                     # at interpreter shutdown.
-                    with contextlib.suppress(BaseException):
-                        await asyncio.shield(conn.close())
+                    #
+                    # Mirrors ``pool.py``'s shielded-cleanup
+                    # discipline:
+                    #
+                    # * CancelledError absorbed (canonical asyncio
+                    #   pattern — asyncio re-delivers at the next
+                    #   await; the bare ``raise`` below re-delivers
+                    #   the original handshake exception).
+                    # * OSError / DqliteConnectionError caught and
+                    #   logged (transport-class teardown failures
+                    #   on a half-built conn are expected).
+                    # * KI / SystemExit / unexpected Exception
+                    #   subclasses propagate — a wide
+                    #   ``suppress(BaseException)`` here would
+                    #   silently swallow signal-class shutdowns and
+                    #   programming bugs alike, supplanting the
+                    #   original handshake exception.
+                    try:
+                        with contextlib.suppress(asyncio.CancelledError):
+                            await asyncio.shield(conn.close())
+                    except (OSError, DqliteConnectionError):
+                        logger.debug(
+                            "ClusterClient.connect cleanup: conn.close() failed",
+                            exc_info=True,
+                        )
                     raise
                 return conn
             except (OSError, DqliteConnectionError, ClusterError) as exc:
diff --git a/tests/test_cluster_connect_cleanup_propagates_signals.py b/tests/test_cluster_connect_cleanup_propagates_signals.py
@@ -0,0 +1,62 @@
+"""Pin: ``ClusterClient.connect``'s try_connect cleanup arm
+must NOT swallow unexpected exceptions raised by the
+shielded ``conn.close()``. The wide
+``contextlib.suppress(BaseException)`` catches a
+programming-bug class like ``AttributeError`` that the
+narrow canonical pattern (``suppress(asyncio.CancelledError)``
+plus a transport-class except) deliberately lets propagate.
+
+Mirrors the pool's discipline at
+``pool.py:1018-1042``:
+
+* ``CancelledError``: absorbed (asyncio re-delivers at next
+  await; the bare ``raise`` re-delivers the original
+  handshake exception).
+* ``OSError`` / ``DqliteConnectionError``: caught and logged
+  (transport-class teardown failures on a half-built conn
+  are expected).
+* anything else (KI / SystemExit / unexpected ``Exception``
+  subclasses): propagate.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+from dqliteclient.cluster import ClusterClient
+
+
+@pytest.mark.asyncio
+async def test_connect_cleanup_arm_does_not_swallow_unexpected_exception() -> None:
+    cluster = ClusterClient.from_addresses(["localhost:9001"], timeout=0.5)
+
+    async def _fake_find_leader(**kwargs: object) -> str:
+        return "localhost:9001"
+
+    cluster.find_leader = _fake_find_leader  # type: ignore[method-assign]
+
+    import dqliteclient.cluster as cluster_mod
+
+    real_dc = cluster_mod.DqliteConnection
+
+    class _StubDqliteConnection:
+        def __init__(self, *a: object, **kw: object) -> None:
+            pass
+
+        async def connect(self) -> None:
+            raise OSError("simulated handshake failure")
+
+        async def close(self) -> None:
+            # Programming-bug class — the wide BaseException
+            # suppress would silently swallow this; the narrow
+            # canonical pattern lets it propagate so the real
+            # source of the bug surfaces.
+            raise AttributeError("unexpected attribute access in close()")
+
+    cluster_mod.DqliteConnection = _StubDqliteConnection  # type: ignore[assignment]
+
+    try:
+        with pytest.raises(AttributeError, match="unexpected attribute access"):
+            await cluster.connect("default")
+    finally:
+        cluster_mod.DqliteConnection = real_dc  # type: ignore[assignment]
