Delete: emit write-cancelled when scan phase aborts

vdavid · vdavid · commit b40188919e3d · 2026-05-19T12:28:29.000+02:00
`scan_volume_recursive`'s top-of-function cancel check returned `Err(Cancelled)` without emitting the terminal event, so a mid-scan cancel of a volume delete propagated up silently and the FE never saw `write-cancelled`. With M4's settle event in place the dialog still closed via the safety-net path, but the selection-recovery / log trail / dialog state-machine all want the proper event.

The cancel check fires at every recursion level, so emitting from inside `scan_volume_recursive` would multi-fire. Instead: add a small `emit_cancelled_if_aborted` helper next to the entry point, call it at each of the three `scan_volume_recursive(...).await?` sites in `delete_volume_files_with_progress_inner`. The pattern mirrors the five existing emit-then-return cancel sites elsewhere in the file.

Regression test in `delete_volume_reuse_tests.rs` pre-sets `state.intent` to `Stopped`, runs a delete, asserts the result is `Cancelled` AND the event sink received a `write-cancelled` with `rolled_back: false`.
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/delete.rs b/apps/desktop/src-tauri/src/file_system/write_operations/delete.rs
@@ -223,6 +223,12 @@ impl VolumeScanTracker {
 ///    photos can take ~17 s of USB roundtrips.
 /// 2. **After each subtree** (this function's tail), as a final snapshot for that branch. Throttled
 ///    by the shared `VolumeScanTracker` so it doesn't race with the per-entry callback.
+///
+/// **Cancel contract**: this function does NOT emit `write-cancelled` before returning
+/// `Err(Cancelled)`. The cancel check fires at every recursion level, so emitting here would
+/// multi-fire. Top-level callers must call `emit_cancelled_if_aborted` (or otherwise emit
+/// `write-cancelled`) on the returned result before propagating it, so the FE sees the proper
+/// terminal event for the cancel flow.
 #[allow(
     clippy::too_many_arguments,
     reason = "Matches the parameter pattern of other write operation functions"
@@ -409,6 +415,26 @@ async fn scan_volume_recursive(
     Ok(())
 }
 
+/// Emits `write-cancelled` when `result` is `Err(Cancelled)`. Use this after
+/// every top-level `scan_volume_recursive` call so the FE sees the proper
+/// terminal event before the error propagates up. See `scan_volume_recursive`'s
+/// "Cancel contract" doc for why this is the caller's responsibility.
+fn emit_cancelled_if_aborted(
+    result: &Result<(), WriteOperationError>,
+    events: &dyn OperationEventSink,
+    operation_id: &str,
+    tracker: &VolumeScanTracker,
+) {
+    if matches!(result, Err(WriteOperationError::Cancelled { .. })) {
+        events.emit_cancelled(WriteCancelledEvent {
+            operation_id: operation_id.to_string(),
+            operation_type: WriteOperationType::Delete,
+            files_processed: tracker.files_so_far.load(std::sync::atomic::Ordering::Relaxed),
+            rolled_back: false,
+        });
+    }
+}
+
 /// Deletes files on a non-local volume (like MTP) with progress reporting.
 ///
 /// Uses `volume.list_directory()` for scanning and `volume.delete()` per item.
@@ -506,7 +532,7 @@ pub(super) async fn delete_volume_files_with_progress_inner(
                     // `is_dir_hint = Some(true)` so the recursion never re-probes
                     // the top-level. Any subtree that's open in another pane and
                     // watcher-fresh gets cache-fed inside the walker.
-                    scan_volume_recursive(
+                    let result = scan_volume_recursive(
                         &*volume,
                         volume_id,
                         source,
@@ -518,13 +544,15 @@ pub(super) async fn delete_volume_files_with_progress_inner(
                         operation_id,
                         &tracker,
                     )
-                    .await?;
+                    .await;
+                    emit_cancelled_if_aborted(&result, events, operation_id, &tracker);
+                    result?;
                 }
                 None => {
                     // Scan preview was non-volume (local-FS) or didn't include
                     // this source. Fall back to the no-preview shape for this
                     // path: oracle-aware walker resolves the type.
-                    scan_volume_recursive(
+                    let result = scan_volume_recursive(
                         &*volume,
                         volume_id,
                         source,
@@ -536,7 +564,9 @@ pub(super) async fn delete_volume_files_with_progress_inner(
                         operation_id,
                         &tracker,
                     )
-                    .await?;
+                    .await;
+                    emit_cancelled_if_aborted(&result, events, operation_id, &tracker);
+                    result?;
                 }
             }
 
@@ -600,7 +630,7 @@ pub(super) async fn delete_volume_files_with_progress_inner(
             };
 
             if is_dir {
-                scan_volume_recursive(
+                let result = scan_volume_recursive(
                     &*volume,
                     volume_id,
                     source,
@@ -612,7 +642,9 @@ pub(super) async fn delete_volume_files_with_progress_inner(
                     operation_id,
                     &tracker,
                 )
-                .await?;
+                .await;
+                emit_cancelled_if_aborted(&result, events, operation_id, &tracker);
+                result?;
             } else {
                 // Top-level file: size unknown without listing the parent, use 0.
                 // Progress still tracks file count accurately, and individual file
diff --git a/apps/desktop/src-tauri/src/file_system/write_operations/delete_volume_reuse_tests.rs b/apps/desktop/src-tauri/src/file_system/write_operations/delete_volume_reuse_tests.rs
@@ -16,8 +16,8 @@ use std::sync::atomic::{AtomicBool, AtomicU64, AtomicUsize, Ordering};
 use std::time::Duration;
 
 use super::delete::delete_volume_files_with_progress_inner;
-use super::state::{CachedScanResult, SCAN_PREVIEW_RESULTS, WriteOperationState};
-use super::types::{CollectorEventSink, WriteOperationConfig};
+use super::state::{CachedScanResult, OperationIntent, SCAN_PREVIEW_RESULTS, WriteOperationState};
+use super::types::{CollectorEventSink, WriteOperationConfig, WriteOperationError};
 use crate::file_system::get_volume_manager;
 use crate::file_system::listing::caching::{CachedListing, LISTING_CACHE};
 use crate::file_system::listing::metadata::FileEntry;
@@ -436,3 +436,60 @@ async fn delete_mid_scan_listing_close() {
     remove_listing(&parent_lid_inserted);
     get_volume_manager().unregister(&vid);
 }
+
+/// Regression test: cancel landing during the scan phase of a volume delete
+/// must emit `write-cancelled` before propagating `Err(Cancelled)` up. Prior
+/// to the fix, `scan_volume_recursive`'s top-of-function cancel check returned
+/// `Cancelled` without emitting, and the `?` propagation at the call site
+/// passed it through silently — the FE never saw the terminal cancel event.
+///
+/// The pattern: pre-set `state.intent` to `Stopped` so the recursion's cancel
+/// check fires on first entry. Direct `intent.store(...)` is acceptable here
+/// because we're testing the emit behaviour on Cancelled return, not the
+/// state-machine transition itself.
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn delete_cancel_during_scan_emits_write_cancelled() {
+    let vid = unique("cancel_scan_emits");
+
+    let vol = Arc::new(CountingVolume::new("cancel-scan-vol", false));
+    vol.inner.create_file(Path::new("/dir/a.jpg"), b"alpha").await.unwrap();
+    vol.inner.create_file(Path::new("/dir/b.jpg"), b"betabb").await.unwrap();
+    get_volume_manager().register(&vid, vol.clone() as Arc<dyn Volume>);
+
+    let events = Arc::new(CollectorEventSink::new());
+    let state = make_state();
+    // Pre-cancel: the very first cancel check inside `scan_volume_recursive`
+    // will fire and return `Cancelled`. Without the fix, no `write-cancelled`
+    // event would be emitted before the `?` propagates the error.
+    state.intent.store(OperationIntent::Stopped as u8, Ordering::Relaxed);
+
+    let config = WriteOperationConfig::default(); // preview_id: None
+
+    let result = delete_volume_files_with_progress_inner(
+        vol.clone() as Arc<dyn Volume>,
+        &vid,
+        events.as_ref(),
+        "test-op-cancel-scan-emits",
+        &state,
+        &[PathBuf::from("/dir")],
+        &config,
+    )
+    .await;
+
+    assert!(
+        matches!(result, Err(WriteOperationError::Cancelled { .. })),
+        "scan-time cancel must propagate as Cancelled: {:?}",
+        result
+    );
+    let cancelled = events.cancelled.lock().unwrap();
+    assert!(
+        !cancelled.is_empty(),
+        "write-cancelled must be emitted before Cancelled propagates from scan",
+    );
+    assert!(
+        !cancelled.first().unwrap().rolled_back,
+        "scan-time cancel is a Stopped (not RollingBack) outcome"
+    );
+
+    get_volume_manager().unregister(&vid);
+}
