Add CA2027: Detect non-cancelable Task.Delay in Task.WhenAny (#51452)

Co-authored-by: Copilot <[email protected]>

Author: Copilot

src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers.md

@@ -2178,6 +2178,18 @@ JsonDocument implements IDisposable and needs to be properly disposed. When only
 |CodeFix|True|
 ---
 
+## [CA2027](https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2027): Cancel Task.Delay after Task.WhenAny completes
+
+When Task.Delay is used with Task.WhenAny to implement a timeout, the timer created by Task.Delay continues to run even after WhenAny completes, wasting resources. If your target framework supports Task.WaitAsync, use that instead as it has built-in timeout support without leaving timers running. Otherwise, pass a CancellationToken to Task.Delay that can be canceled when the operation completes.
+
+|Item|Value|
+|-|-|
+|Category|Reliability|
+|Enabled|True|
+|Severity|Info|
+|CodeFix|False|
+---
+
 ## [CA2100](https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2100): Review SQL queries for security vulnerabilities
 
 SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.

src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers.sarif

@@ -3890,6 +3890,26 @@
             ]
           }
         },
+        "CA2027": {
+          "id": "CA2027",
+          "shortDescription": "Cancel Task.Delay after Task.WhenAny completes",
+          "fullDescription": "When Task.Delay is used with Task.WhenAny to implement a timeout, the timer created by Task.Delay continues to run even after WhenAny completes, wasting resources. If your target framework supports Task.WaitAsync, use that instead as it has built-in timeout support without leaving timers running. Otherwise, pass a CancellationToken to Task.Delay that can be canceled when the operation completes.",
+          "defaultLevel": "note",
+          "helpUri": "https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2027",
+          "properties": {
+            "category": "Reliability",
+            "isEnabledByDefault": true,
+            "typeName": "DoNotUseNonCancelableTaskDelayWithWhenAny",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Telemetry",
+              "EnabledRuleInAggressiveMode"
+            ]
+          }
+        },
         "CA2100": {
           "id": "CA2100",
           "shortDescription": "Review SQL queries for security vulnerabilities",

src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers/AnalyzerReleases.Unshipped.md

@@ -12,3 +12,4 @@ CA2023 | Reliability | Warning | LoggerMessageDefineAnalyzer, [Documentation](ht
 CA2024 | Reliability | Warning | DoNotUseEndOfStreamInAsyncMethods, [Documentation](https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2024)
 CA2025 | Reliability | Disabled | DoNotPassDisposablesIntoUnawaitedTasksAnalyzer, [Documentation](https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2025)
 CA2026 | Reliability | Info | PreferJsonElementParse, [Documentation](https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2026)
+CA2027 | Reliability | Info | DoNotUseNonCancelableTaskDelayWithWhenAny, [Documentation](https://learn.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca2027)

src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers/Microsoft.NetCore.Analyzers/MicrosoftNetCoreAnalyzersResources.resx

@@ -1646,6 +1646,15 @@
   <data name="DoNotUseWhenAllWithSingleTaskFix" xml:space="preserve">
     <value>Replace 'WhenAll' call with argument</value>
   </data>
+  <data name="DoNotUseNonCancelableTaskDelayWithWhenAnyTitle" xml:space="preserve">
+    <value>Cancel Task.Delay after Task.WhenAny completes</value>
+  </data>
+  <data name="DoNotUseNonCancelableTaskDelayWithWhenAnyMessage" xml:space="preserve">
+    <value>Using Task.WhenAny with Task.Delay may result in a timer continuing to run after the operation completes, wasting resources</value>
+  </data>
+  <data name="DoNotUseNonCancelableTaskDelayWithWhenAnyDescription" xml:space="preserve">
+    <value>When Task.Delay is used with Task.WhenAny to implement a timeout, the timer created by Task.Delay continues to run even after WhenAny completes, wasting resources. If your target framework supports Task.WaitAsync, use that instead as it has built-in timeout support without leaving timers running. Otherwise, pass a CancellationToken to Task.Delay that can be canceled when the operation completes.</value>
+  </data>
   <data name="UseStringEqualsOverStringCompareCodeFixTitle" xml:space="preserve">
     <value>Use 'string.Equals'</value>
   </data>

src/Microsoft.CodeAnalysis.NetAnalyzers/src/Microsoft.CodeAnalysis.NetAnalyzers/Microsoft.NetCore.Analyzers/Tasks/DoNotUseNonCancelableTaskDelayWithWhenAny.cs

@@ -0,0 +1,152 @@
+// Copyright (c) Microsoft.  All Rights Reserved.  Licensed under the MIT license.  See License.txt in the project root for license information.
+
+using System.Collections.Immutable;
+using Analyzer.Utilities;
+using Analyzer.Utilities.Extensions;
+using Analyzer.Utilities.Lightup;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Microsoft.CodeAnalysis.Operations;
+using static Microsoft.NetCore.Analyzers.MicrosoftNetCoreAnalyzersResources;
+
+namespace Microsoft.NetCore.Analyzers.Tasks
+{
+    /// <summary>
+    /// CA2027: <inheritdoc cref="DoNotUseNonCancelableTaskDelayWithWhenAnyTitle"/>
+    /// </summary>
+    [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)]
+    public sealed class DoNotUseNonCancelableTaskDelayWithWhenAny : DiagnosticAnalyzer
+    {
+        internal const string RuleId = "CA2027";
+
+        internal static readonly DiagnosticDescriptor Rule = DiagnosticDescriptorHelper.Create(
+            RuleId,
+            CreateLocalizableResourceString(nameof(DoNotUseNonCancelableTaskDelayWithWhenAnyTitle)),
+            CreateLocalizableResourceString(nameof(DoNotUseNonCancelableTaskDelayWithWhenAnyMessage)),
+            DiagnosticCategory.Reliability,
+            RuleLevel.IdeSuggestion,
+            CreateLocalizableResourceString(nameof(DoNotUseNonCancelableTaskDelayWithWhenAnyDescription)),
+            isPortedFxCopRule: false,
+            isDataflowRule: false);
+
+        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics { get; } = ImmutableArray.Create(Rule);
+
+        public override void Initialize(AnalysisContext context)
+        {
+            context.EnableConcurrentExecution();
+            context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
+
+            context.RegisterCompilationStartAction(context =>
+            {
+                var compilation = context.Compilation;
+
+                if (!compilation.TryGetOrCreateTypeByMetadataName(WellKnownTypeNames.SystemThreadingTasksTask, out var taskType) ||
+                    !compilation.TryGetOrCreateTypeByMetadataName(WellKnownTypeNames.SystemThreadingCancellationToken, out var cancellationTokenType))
+                {
+                    return;
+                }
+
+                context.RegisterOperationAction(context =>
+                {
+                    var invocation = (IInvocationOperation)context.Operation;
+
+                    // Check if this is a call to Task.WhenAny
+                    var method = invocation.TargetMethod;
+                    if (!SymbolEqualityComparer.Default.Equals(method.ContainingType, taskType) ||
+                        !method.IsStatic ||
+                        method.Name != nameof(Task.WhenAny))
+                    {
+                        return;
+                    }
+
+                    // Count the total number of tasks passed to WhenAny
+                    int taskCount = 0;
+                    List<IOperation>? taskDelayOperations = null;
+
+                    // Task.WhenAny has params parameters, so arguments are often implicitly wrapped in an array
+                    // We need to check inside the array initializer or collection expression
+                    for (int i = 0; i < invocation.Arguments.Length; i++)
+                    {
+                        var argument = invocation.Arguments[i].Value.WalkDownConversion();
+
+                        // Check if this is an array creation
+                        if (argument is IArrayCreationOperation { Initializer: not null } arrayCreation)
+                        {
+                            // Check each element in the array
+                            foreach (var element in arrayCreation.Initializer.ElementValues)
+                            {
+                                taskCount++;
+                                if (IsNonCancelableTaskDelay(element, taskType, cancellationTokenType))
+                                {
+                                    (taskDelayOperations ??= []).Add(element);
+                                }
+                            }
+                        }
+                        else if (ICollectionExpressionOperationWrapper.IsInstance(argument))
+                        {
+                            // Check each element in the collection expression
+                            var collectionExpression = ICollectionExpressionOperationWrapper.FromOperation(argument);
+                            foreach (var element in collectionExpression.Elements)
+                            {
+                                taskCount++;
+                                if (IsNonCancelableTaskDelay(element, taskType, cancellationTokenType))
+                                {
+                                    (taskDelayOperations ??= []).Add(element);
+                                }
+                            }
+                        }
+                        else
+                        {
+                            // Direct argument (not params or array)
+                            taskCount++;
+                            if (IsNonCancelableTaskDelay(argument, taskType, cancellationTokenType))
+                            {
+                                (taskDelayOperations ??= []).Add(argument);
+                            }
+                        }
+                    }
+
+                    // Only report diagnostics if there are at least 2 tasks total
+                    // (avoid flagging Task.WhenAny(Task.Delay(...)) which may be used to avoid exceptions)
+                    if (taskCount >= 2 && taskDelayOperations is not null)
+                    {
+                        foreach (var operation in taskDelayOperations)
+                        {
+                            context.ReportDiagnostic(operation.CreateDiagnostic(Rule));
+                        }
+                    }
+                }, OperationKind.Invocation);
+            });
+        }
+
+        private static bool IsNonCancelableTaskDelay(IOperation operation, INamedTypeSymbol taskType, INamedTypeSymbol cancellationTokenType)
+        {
+            operation = operation.WalkDownConversion();
+
+            if (operation is not IInvocationOperation invocation)
+            {
+                return false;
+            }
+
+            // Check if this is Task.Delay
+            var method = invocation.TargetMethod;
+            if (!SymbolEqualityComparer.Default.Equals(method.ContainingType, taskType) ||
+                !method.IsStatic ||
+                method.Name != nameof(Task.Delay))
+            {
+                return false;
+            }
+
+            // Check if any parameter is a CancellationToken, in which case we consider it cancelable
+            foreach (var parameter in method.Parameters)
+            {
+                if (SymbolEqualityComparer.Default.Equals(parameter.Type, cancellationTokenType))
+                {
+                    return false;
+                }
+            }
+
+            return true; // Task.Delay without CancellationToken
+        }
+    }
+}