[Bug][Advanced] cancel_task() writes status=cancelled before CancelledError propagates, duration_seconds never persisted for cancelled tasks

[anshul23102]

Summary

cancel_task() in backend/secuscan/executor.py writes status = 'cancelled' to the database immediately after calling task.cancel(), before the asyncio CancelledError has propagated and before execute_task()'s except asyncio.CancelledError handler has run. That handler contains the UPDATE tasks SET duration_seconds = ... WHERE id = ? AND status = 'running' guard. Because cancel_task() has already flipped the status to 'cancelled', the WHERE status = 'running' predicate never matches, so duration_seconds is never written for any cancelled task. This is a persistent data-loss race condition.

Affected Code

cancel_task() (executor.py ~line 543)

async def cancel_task(self, task_id: str):
    task = self._running_tasks.get(task_id)
    if task:
        task.cancel()
        # race: status written here, before CancelledError propagates
        await db.execute(
            "UPDATE tasks SET status = 'cancelled' WHERE id = ?",
            (task_id,)
        )

execute_task() CancelledError handler (executor.py)

except asyncio.CancelledError:
    await db.execute(
        """UPDATE tasks
           SET status = 'cancelled', duration_seconds = ?
           WHERE id = ? AND status = 'running'""",
        (elapsed, task_id)
    )

The WHERE status = 'running' guard is the correct place to write duration_seconds, but cancel_task() pre-empts it by writing 'cancelled' first.

Impact

• Data loss: duration_seconds is NULL for every cancelled task. Any analytics, billing, or audit logic that reads this field gets incorrect data silently.
• Masked bug surface: the double-write means the execute_task handler silently becomes a no-op for cancellations, so any future logic added inside that handler will also be silently skipped.
• Non-deterministic: under load, the window between task.cancel() and CancelledError propagation varies, making this difficult to catch in tests.

Fix

Remove the premature status update from cancel_task() and let the CancelledError handler in execute_task() own the final state write:

async def cancel_task(self, task_id: str):
    task = self._running_tasks.get(task_id)
    if task:
        task.cancel()
        # do not write status here; execute_task's CancelledError handler owns it

If a cancellation signal needs to be visible before the handler runs, use a separate status = 'cancelling' intermediate state that the handler checks for in its WHERE clause.

Environment

• File: backend/secuscan/executor.py
• Functions: cancel_task(), execute_task()
• Trigger: any call to DELETE /tasks/{task_id} or POST /tasks/{task_id}/cancel while the task is running

[anshul23102]

@utksh1 assign/

GSSoC '26

[arpanmukherjee38]

Hi @utksh1, I'd love to resolve this asyncio race condition under GSSoC '26. I can cleanly modify executor.py to remove the premature database write from cancel_task(), allowing the CancelledError block in execute_task() to safely compute and persist duration_seconds while the task status is still evaluated as 'running'. Could you please assign this issue to me?

[Avnithakur731-a]

Hi @utksh1

I’ve carefully reviewed this issue and explored the related implementation areas in the codebase. The problem statement is clear to me, and I already have an approach in mind for implementing a clean, scalable, and maintainable solution while preserving the existing architecture and coding standards.

I’m actively contributing under GSSoC 2026 and would genuinely love to work on this issue. I can start immediately and will ensure:

• clean and well-documented code
• proper testing and edge-case handling
• regular progress updates
• adherence to project guidelines

Please consider assigning this issue to me. Thank you!

[aaniya22]

Hi, I would like to work on this issue under GSSoC'26.
Please assign this to me. Thank you!

[Avnithakur731-a]

Hi @utksh1,
Thanks for assigning this issue to me. I’ve started working on #314 and will update the fix soon.