fix: skip non-callable items in cleanup instead of logging TypeError

bkrabach · microsoft-amplifier · bkrabach · commit e8ee4ab9d825 · 2026-02-21T04:26:59.000-08:00
The root cause was that _cleanup_fns is a writable Python list, so external code could bypass register_cleanup() and append None, dicts, or other non-callable items directly. Both PySession::cleanup() and PyCoordinator::cleanup() now guard with is_none()/is_callable() checks before calling, matching the existing guard in register_cleanup(). 🤖 Generated with [Amplifier](https://github.com/microsoft/amplifier) Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
diff --git a/bindings/python/src/lib.rs b/bindings/python/src/lib.rs
@@ -677,6 +677,17 @@ impl PySession {
             // Step 1: Call all cleanup functions in reverse order
             // ----------------------------------------------------------
             for callable in cleanup_callables.iter().rev() {
+                // Guard: skip None and non-callable items (defense-in-depth)
+                let should_skip = Python::try_attach(|py| -> bool {
+                    let bound = callable.bind(py);
+                    bound.is_none() || !bound.is_callable()
+                })
+                .unwrap_or(true);
+
+                if should_skip {
+                    continue;
+                }
+
                 // 1a: Call the function inside the GIL
                 let call_outcome: Option<PyResult<(bool, Py<PyAny>)>> =
                     Python::try_attach(|py| -> PyResult<(bool, Py<PyAny>)> {
@@ -1486,6 +1497,10 @@ impl PyCoordinator {
                 // Execute in reverse order
                 for i in (0..len).rev() {
                     let cleanup_fn = list.get_item(i)?;
+                    // Guard: skip None and non-callable items (defense-in-depth)
+                    if cleanup_fn.is_none() || !cleanup_fn.is_callable() {
+                        continue;
+                    }
                     // Try calling; catch and log errors
                     match cleanup_fn.call0() {
                         Ok(result) => {
diff --git a/bindings/python/tests/test_rust_session_lifecycle.py b/bindings/python/tests/test_rust_session_lifecycle.py
@@ -384,3 +384,98 @@ def test_coordinator_hooks_returns_rust_registry():
     assert isinstance(hooks, RustHookRegistry), (
         f"Expected RustHookRegistry, got {type(hooks)}"
     )
+
+
+# ---------------------------------------------------------------------------
+# Cleanup defense-in-depth: skip None and non-callable items in _cleanup_fns
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_session_cleanup_skips_non_callable_items():
+    """PySession.cleanup() must silently skip non-callable items in
+    _cleanup_fns — no 'Error during cleanup' log messages."""
+    import logging
+    import io
+
+    session = await _make_initialized_session()
+
+    # Register a legitimate cleanup via the proper API
+    called = []
+
+    def good_cleanup():
+        called.append("good")
+
+    session.coordinator.register_cleanup(good_cleanup)
+
+    # Directly append non-callable items to the list — simulates what
+    # happens when external code bypasses register_cleanup()
+    fns = session.coordinator._cleanup_fns
+    fns.append(None)
+    fns.append({"name": "not-callable"})
+    fns.append(42)
+
+    # Capture log output from the session logger
+    log_stream = io.StringIO()
+    handler = logging.StreamHandler(log_stream)
+    handler.setLevel(logging.DEBUG)
+    logger = logging.getLogger("amplifier_core.session")
+    logger.addHandler(handler)
+    try:
+        await session.cleanup()
+    finally:
+        logger.removeHandler(handler)
+
+    # The good cleanup function must still have been called
+    assert "good" in called, "Good cleanup function should have been called"
+
+    # No "Error during cleanup" messages should appear for non-callable items
+    log_output = log_stream.getvalue()
+    assert "Error during cleanup" not in log_output, (
+        f"Non-callable items should be silently skipped, but got: {log_output}"
+    )
+
+
+@pytest.mark.asyncio
+async def test_coordinator_cleanup_skips_non_callable_items():
+    """PyCoordinator.cleanup() must silently skip non-callable items in
+    _cleanup_fns — no 'Error during cleanup' log messages."""
+    import logging
+    import io
+
+    session = await _make_initialized_session()
+    coordinator = session.coordinator
+
+    # Register a legitimate cleanup via the proper API
+    called = []
+
+    def good_cleanup():
+        called.append("good")
+
+    coordinator.register_cleanup(good_cleanup)
+
+    # Directly append non-callable items to the list
+    fns = coordinator._cleanup_fns
+    fns.append(None)
+    fns.append({"name": "not-callable"})
+    fns.append(42)
+
+    # Capture log output from the coordinator logger
+    log_stream = io.StringIO()
+    handler = logging.StreamHandler(log_stream)
+    handler.setLevel(logging.DEBUG)
+    logger = logging.getLogger("amplifier_core.coordinator")
+    logger.addHandler(handler)
+    try:
+        await coordinator.cleanup()
+    finally:
+        logger.removeHandler(handler)
+
+    # The good cleanup function must still have been called
+    assert "good" in called, "Good cleanup function should have been called"
+
+    # No "Error during cleanup" messages should appear for non-callable items
+    log_output = log_stream.getvalue()
+    assert "Error during cleanup" not in log_output, (
+        f"Non-callable items should be silently skipped, but got: {log_output}"
+    )
