Add caller CancellationToken propagation for hedging and timeout (#3094)

Adds caller cancellation token propagation in hedging and timeout strategies.

Author: DaRosenberg

src/Polly.Core/Hedging/HedgingResilienceStrategy.cs

@@ -1,5 +1,6 @@
 using Polly.Hedging.Utils;
 using Polly.Telemetry;
+using Polly.Utils;
 
 namespace Polly.Hedging;
 
@@ -57,7 +58,7 @@ protected internal override async ValueTask<Outcome<T>> ExecuteCore<TState>(
 
                 if (loadedExecution.Outcome is Outcome<T> outcome)
                 {
-                    return outcome;
+                    return outcome.WithCallerCancellationToken(cancellationToken);
                 }
 
                 var delay = await GetHedgingDelayAsync(context, hedgingContext.LoadedTasks).ConfigureAwait(continueOnCapturedContext);
@@ -72,7 +73,7 @@ protected internal override async ValueTask<Outcome<T>> ExecuteCore<TState>(
                 if (!execution.IsHandled)
                 {
                     execution.AcceptOutcome();
-                    return outcome;
+                    return outcome.WithCallerCancellationToken(cancellationToken);
                 }
             }
         }

src/Polly.Core/Timeout/TimeoutResilienceStrategy.cs

@@ -1,4 +1,5 @@
 using Polly.Telemetry;
+using Polly.Utils;
 
 namespace Polly.Timeout;
 
@@ -89,7 +90,7 @@ protected internal override async ValueTask<Outcome<TResult>> ExecuteCore<TResul
             return Outcome.FromException<TResult>(timeoutException.TrySetStackTrace());
         }
 
-        return outcome;
+        return outcome.WithCallerCancellationToken(previousToken);
     }
 
     private static CancellationTokenRegistration CreateRegistration(CancellationTokenSource cancellationSource, CancellationToken previousToken)

src/Polly.Core/Utils/OutcomeUtilities.cs

@@ -0,0 +1,32 @@
+namespace Polly.Utils;
+
+internal static class OutcomeUtilities
+{
+    /// <summary>
+    /// Ensures that an <see cref="OperationCanceledException"/> escaping a strategy that substituted the
+    /// execution <see cref="CancellationToken"/> (e.g. timeout or hedging) carries the caller's token when
+    /// the cancellation was caused by that token.
+    /// </summary>
+    /// <typeparam name="T">The result type of the outcome.</typeparam>
+    /// <param name="outcome">The outcome produced by the strategy.</param>
+    /// <param name="callerToken">The cancellation token that was associated with the execution before the strategy substituted it.</param>
+    /// <returns>
+    /// An outcome whose <see cref="OperationCanceledException"/> carries <paramref name="callerToken"/> when the caller
+    /// requested cancellation, preserving the original exception as its <see cref="Exception.InnerException"/>;
+    /// otherwise the original <paramref name="outcome"/> unchanged.
+    /// </returns>
+    /// <remarks>
+    /// The rewrite happens only when <paramref name="callerToken"/> actually requested cancellation. This preserves
+    /// the contract that a real timeout, or an unrelated <see cref="OperationCanceledException"/> thrown while the
+    /// caller's token was not cancelled, is left untouched.
+    /// </remarks>
+    public static Outcome<T> WithCallerCancellationToken<T>(this Outcome<T> outcome, CancellationToken callerToken)
+    {
+        if (callerToken.IsCancellationRequested && outcome.Exception is OperationCanceledException oce && oce.CancellationToken != callerToken)
+        {
+            return Outcome.FromException<T>(new OperationCanceledException(oce.Message, oce, callerToken).TrySetStackTrace());
+        }
+
+        return outcome;
+    }
+}

test/Polly.Core.Tests/Hedging/HedgingResilienceStrategyTests.cs

@@ -935,6 +935,36 @@ public async Task ExecuteAsync_EnsureOnHedgingTelemetry()
         _events.Select(v => v.Event.EventName).Distinct().Count().ShouldBe(2);
     }
 
+    [Fact]
+    public async Task ExecuteCore_CallerCancellation_EnsureExceptionCarriesCallerToken()
+    {
+        // arrange
+        using var cancellationSource = new CancellationTokenSource();
+        _options.MaxHedgedAttempts = 1;
+        _options.Delay = LongDelay; // ensure no secondary attempt starts before the primary completes
+        ConfigureHedging(); // ShouldHandle returns false, so the primary's outcome is accepted as-is
+
+        var strategy = (HedgingResilienceStrategy<string>)Create().GetPipelineDescriptor().FirstStrategy.StrategyInstance;
+
+        var context = ResilienceContextPool.Shared.Get(CancellationToken);
+        context.CancellationToken = cancellationSource.Token;
+
+        // act
+        var outcome = await strategy.ExecuteCore(
+            (ctx, _) =>
+            {
+                cancellationSource.Cancel();
+                ctx.CancellationToken.ThrowIfCancellationRequested();
+                return Outcome.FromResultAsValueTask("unreachable");
+            },
+            context,
+            "state");
+
+        // assert
+        var exception = outcome.Exception.ShouldBeOfType<OperationCanceledException>();
+        exception.CancellationToken.ShouldBe(cancellationSource.Token);
+    }
+
     private void ConfigureHedging() =>
         ConfigureHedging(_ => false, _actions.Generator);
 

test/Polly.Core.Tests/Issues/IssuesTests.CancellationTokenPropagation_3086.cs

@@ -0,0 +1,203 @@
+using Polly.Hedging;
+using Polly.Timeout;
+
+namespace Polly.Core.Tests.Issues;
+
+public partial class IssuesTests
+{
+    // https://github.com/App-vNext/Polly/issues/3086
+    // When a strategy substitutes the caller's CancellationToken with an internal one (timeout, hedging),
+    // a caller-initiated cancellation must still surface an OperationCanceledException carrying the
+    // caller's token, so that callers can distinguish caller cancellation from other failures.
+    [Fact]
+    public async Task Timeout_CallerCancellation_ExceptionCarriesCallerToken_3086()
+    {
+        var pipeline = new ResiliencePipelineBuilder()
+            .AddTimeout(TimeSpan.FromMinutes(1))
+            .Build();
+
+        using var cts = new CancellationTokenSource();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    cts.Cancel(); // simulate cancellation request from upstream caller
+                    token.ThrowIfCancellationRequested(); // simulate cancellation response from downstream code
+                },
+                cts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(cts.Token);
+    }
+
+    [Fact]
+    public async Task TimeoutThenRetry_CallerCancellation_ExceptionCarriesCallerToken_3086()
+    {
+        var pipeline = new ResiliencePipelineBuilder()
+            .AddTimeout(TimeSpan.FromMinutes(1))
+            .AddRetry(new() { MaxRetryAttempts = 3, Delay = TimeSpan.Zero })
+            .Build();
+
+        using var cts = new CancellationTokenSource();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    cts.Cancel();
+                    token.ThrowIfCancellationRequested();
+                },
+                cts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(cts.Token);
+    }
+
+    [Fact]
+    public async Task RetryThenTimeout_CallerCancellation_ExceptionCarriesCallerToken_3086()
+    {
+        var pipeline = new ResiliencePipelineBuilder()
+            .AddRetry(new() { MaxRetryAttempts = 3, Delay = TimeSpan.Zero })
+            .AddTimeout(TimeSpan.FromMinutes(1))
+            .Build();
+
+        using var cts = new CancellationTokenSource();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    cts.Cancel();
+                    token.ThrowIfCancellationRequested();
+                },
+                cts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(cts.Token);
+    }
+
+    [Fact]
+    public async Task NestedTimeouts_CallerCancellation_ExceptionCarriesCallerToken_3086()
+    {
+        var innermost = new ResiliencePipelineBuilder()
+            .AddTimeout(TimeSpan.FromMinutes(1))
+            .Build();
+
+        var inner = new ResiliencePipelineBuilder()
+            .AddTimeout(TimeSpan.FromMinutes(2))
+            .AddPipeline(innermost)
+            .Build();
+
+        var pipeline = new ResiliencePipelineBuilder()
+            .AddTimeout(TimeSpan.FromMinutes(3))
+            .AddPipeline(inner)
+            .Build();
+
+        using var cts = new CancellationTokenSource();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    cts.Cancel();
+                    token.ThrowIfCancellationRequested();
+                },
+                cts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(cts.Token);
+    }
+
+    [Fact]
+    public async Task Hedging_CallerCancellation_ExceptionCarriesCallerToken_3086()
+    {
+        var pipeline = new ResiliencePipelineBuilder<string>()
+            .AddHedging(new HedgingStrategyOptions<string>
+            {
+                MaxHedgedAttempts = 1,
+                Delay = TimeSpan.FromMinutes(1), // ensure only the primary attempt runs before cancellation
+                ShouldHandle = _ => PredicateResult.False(), // accept the primary outcome as-is
+            })
+            .Build();
+
+        using var cts = new CancellationTokenSource();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    cts.Cancel();
+                    token.ThrowIfCancellationRequested();
+                    return "unreachable";
+                },
+                cts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(cts.Token);
+    }
+
+    [Fact]
+    public async Task WithoutTokenSubstitution_CallerCancellation_ExceptionCarriesCallerToken_3086()
+    {
+        // A pipeline that does not substitute the token has always surfaced the caller's token
+        // and this case simply guards against regressions for the common path.
+        var pipeline = new ResiliencePipelineBuilder()
+            .AddRetry(new() { MaxRetryAttempts = 3, Delay = TimeSpan.Zero })
+            .Build();
+
+        using var cts = new CancellationTokenSource();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    cts.Cancel();
+                    token.ThrowIfCancellationRequested();
+                },
+                cts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(cts.Token);
+    }
+
+    [Fact]
+    public async Task Timeout_RealTimeout_StillThrowsTimeoutRejectedException_3086()
+    {
+        // "only if": a real timeout (caller token not cancelled) must remain a TimeoutRejectedException,
+        // and must not be rewritten into a caller-cancellation.
+        var pipeline = new ResiliencePipelineBuilder { TimeProvider = TimeProvider }
+            .AddTimeout(TimeSpan.FromSeconds(1))
+            .Build();
+
+        await Should.ThrowAsync<TimeoutRejectedException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    var delay = TimeProvider.Delay(TimeSpan.FromSeconds(10), token);
+                    TimeProvider.Advance(TimeSpan.FromSeconds(2));
+                    await delay;
+                },
+                CancellationToken.None).AsTask());
+    }
+
+    [Fact]
+    public async Task Timeout_UnrelatedCancellation_ExceptionPreserved_3086()
+    {
+        // "only if": when the caller token is not cancelled, an unrelated OperationCanceledException
+        // thrown by user code must propagate unchanged (its own token must be preserved).
+        var pipeline = new ResiliencePipelineBuilder()
+            .AddTimeout(TimeSpan.FromMinutes(1))
+            .Build();
+
+        using var callerCts = new CancellationTokenSource();
+        using var unrelatedCts = new CancellationTokenSource();
+
+        unrelatedCts.Cancel();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(() =>
+            pipeline.ExecuteAsync(
+                async token =>
+                {
+                    await Task.Yield();
+                    throw new OperationCanceledException(unrelatedCts.Token);
+                },
+                callerCts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(unrelatedCts.Token);
+    }
+}

test/Polly.Core.Tests/Timeout/TimeoutResilienceStrategyTests.cs

@@ -225,6 +225,28 @@ await Should.ThrowAsync<OperationCanceledException>(
         _args.ShouldBeEmpty();
     }
 
+    [Fact]
+    public async Task Execute_CallerCancellation_EnsureExceptionCarriesCallerToken()
+    {
+        var delay = TimeSpan.FromSeconds(10);
+
+        using var cts = new CancellationTokenSource();
+        SetTimeout(TimeSpan.FromSeconds(10));
+
+        var sut = CreateSut();
+
+        var exception = await Should.ThrowAsync<OperationCanceledException>(
+            () => sut.ExecuteAsync(async token =>
+            {
+                var task = _timeProvider.Delay(delay, token);
+                cts.Cancel();
+                await task;
+            },
+            cts.Token).AsTask());
+
+        exception.CancellationToken.ShouldBe(cts.Token);
+    }
+
     [Fact]
     public async Task Execute_NoTimeoutOrCancellation_EnsureCancellationTokenRestored()
     {