Signal / Token has leaky ergonomics

[rixtox]

The AbortSignal / Cancel Token–style abort protocol has long been criticized for its ergonomics. This concern was raised as early as 2016, when the initial cancelable promises proposal was presented to the working group. In the meeting notes, Yehuda Katz, Mark Miller, and Waldemar Horwat all pointed out usability concerns (May 25, 2016 notes). Kevin Smith, who originally drafted the proposal, also acknowledged ergonomic shortcomings in subsequent discussions (zenparsing/es-cancel-token#3, zenparsing/es-cancel-token#2). Domenic Denicola likewise recognized these issues in his presentation materials.

I would like to highlight a different ergonomic problem that has received comparatively little attention: the leaky behavior of abort signal handlers.

Consider the following example from MDN:

function myCoolPromiseAPI(/* …, */ { signal }) {
  return new Promise((resolve, reject) => {
    // If the signal is already aborted, immediately throw in order to reject the promise.
    signal.throwIfAborted();

    // Perform the main purpose of the API
    // Call resolve(result) when done.

    // Watch for 'abort' signals
    // Passing `once: true` ensures the Promise can be garbage collected after abort is called
    signal.addEventListener(
      "abort",
      () => {
        // Stop the main operation
        // Reject the promise with the abort reason.
        reject(signal.reason);
      },
      { once: true },
    );
  });
}

In this example, the asynchronous operation registers an abort event listener but never explicitly removes it. If the signal is never aborted, the listener remains attached indefinitely. This results in a retained closure and, depending on the structure of the surrounding code, can cause memory to be retained longer than intended.

Importantly, the { once: true } option only guarantees automatic removal after the abort event fires. It does not address the case where the operation completes successfully without the signal ever being triggered. In such cases, the handler persists for the lifetime of the signal.

A complete unit test demonstrating this retention behavior is available here:
https://stackblitz.com/edit/abortcontroller-leak-tests?file=AbortController.test.ts

This issue is not limited to trivial examples. The composition example in the current design discussion (see the “composition-any” section) also exhibits similar leakage characteristics: upstream handlers remain attached even if all downstream handlers are unsubscribed.

To gauge real-world practices, I conducted a non-comprehensive GitHub code search for addEventListener("abort", ...) in JavaScript and TypeScript codebases. Only a small minority of examples properly unregister the listener on successful completion. In practice, most implementations omit cleanup.

At present, AbortController is primarily used in a limited set of WHATWG interfaces, which somewhat mitigates the impact. However, if this protocol becomes a core language standard and is widely adopted across userland libraries, we should expect long-lived signals to propagate through deeply nested asynchronous call chains. In such environments, failure to systematically unregister handlers could lead to sustained resource retention and difficult-to-diagnose memory leaks.

Given that cancellation is fundamentally a control-flow concern, it is worth questioning whether a design that requires manual lifecycle management of event listeners is appropriate at the language level. If handler cleanup is routinely forgotten in practice, the abstraction may be too low-level for its intended role.

I believe this retention behavior deserves explicit consideration in evaluating the long-term viability of the current abort protocol design.

[bakkot]

In the WHATWG proposal for extending AbortController/AbortSignal in a way which would make it usable for JS, one suggestion (not currently in that PR, but favored by a few people in the thread) is that the addAbortCallback method should return a disposable unregistration token. That would allow you to write code like

async function doTasks({ signal }) {
  using _ = signal.addAbortCallback(() => {
    console.log('aborted');
  });

  await task1({ signal });
  await task2({ signal });

  // cleanup handler is automatically removed when we get here, or if either task throws
}

or with explicit removal

function doTasks({ signal }) {
  const unregisterToken = signal.addAbortCallback(() => {
    console.log('aborted');
  });
  return new Promise(resolve => {
    whenConditionIsMet(() => {
      resolve();
      unregisterToken.unregister(); // or whatever other name
    });
  });
}

I think this is about the best we can do, at least within the space of designs which involve registering a callback to be invoked. (And while it is possible there are good and idiomatic-for-JS designs which do not involve registering a callback to be invoked, I have come up with or encountered any.)

[rixtox]

And while it is possible there are good and idiomatic-for-JS designs which do not involve registering a callback to be invoked, I have not come up with or encountered any.

I think it is worth pointing out that there are prior art designs that do not fundamentally rely on ad-hoc callback registration as the primary cancellation mechanism.

Structured Concurrency as Prior Art

Both Swift and Java have adopted Structured Concurrency, where cancellation is a first-class concern of the async model itself rather than an event-style side channel.

• Swift (2021) — Structured Concurrency with task cancellation:
  https://github.com/swiftlang/swift-evolution/blob/main/proposals/0304-structured-concurrency.md#cancellation-1

• Java (2022) — Structured Concurrency (JEP 428):
  https://openjdk.org/jeps/428#Shutdown-policies

In these systems:

• Cancellation is tied to the lifetime of tasks, not to manually registered listeners.
• Child tasks are structurally scoped to their parent.
• Resource lifetime cannot outlive the dynamic extent of the parent task.
• Cancellation propagation is automatic and deterministic.

While Swift internally allows registering cancellation handlers, the crucial difference is that its async/await model enforces structured lifetime guarantees. In other words, Swift has cancelable tasks (effectively cancelable promises) with lexical scoping of async work. The “cancel signal” is not an external event emitter; it is part of the continuation of the async call stack itself. Cancellation handlers are implemented more like algebraic effects than like event listeners attached to a long-lived object.

Because of these structural guarantees, Swift does not require developers to manually reason about the lifetime of cancellation callbacks in the same way that AbortSignal does. The lifetime is derived from scope.

JavaScript Experiments in Structured Concurrency

Although JavaScript lacks native cancelable promises, several libraries have explored structured concurrency semantics on top of generators and cooperative scheduling. These provide a useful data point for evaluating ergonomics:

• Effect (formerly effect-ts):
  https://effect.website/docs/getting-started/creating-effects/#advanced-usage

• Effection:
  https://frontside.com/effection/guides/v4/operations/#cleanup

• ember-concurrency:
  https://ember-concurrency.com/api/Yieldable.html

These libraries model async work as structured tasks with scoped cleanup, rather than as promise-returning functions augmented by side-channel abort signals. Cancellation is part of the control-flow abstraction, not an external event subscription.

Why This Matters

The proposed addAbortCallback + disposable token pattern improves ergonomics relative to raw addEventListener. However, it still fundamentally relies on registering callbacks against a potentially long-lived signal object, with lifetime management remaining the responsibility of user code.

Structured concurrency approaches demonstrate that cancellation can instead be:

• Scoped
• Deterministic
• Lifetime-bound
• Free from manual unregistration patterns

Given that cancellation is fundamentally a control-flow and lifetime problem, not an event-dispatch problem, it seems worth considering whether callback registration is the right foundational abstraction for a language-level solution.

At minimum, prior art suggests that designs not centered on callback registration do exist, and they have proven both ergonomic and robust in other ecosystems.

[bakkot]

Sorry, I should have been clearer: by "idiomatic for JS", I mean that it must be usable by normal async functions. There was a point ten years ago when we could in principle have put some other form of cancelation in the language, but we didn't, and the opportunity has now passed. This is both my own opinion and practical reality: multiple implementations have said they are not interested in ever pursuing any form of cancelation which is not a generalization of AbortController.

Incidentally, if we additionally have a disposable AbortController, then we end up with something which looks a lot like structured concurrency:

async function task(id, { signal }) {
  signal.throwIfAborted();
  const work = startWork(id);
  using _ = signal.addAbortCallback(() => {
    work.cancel();
  });
  return await work.completed();
}

async function doTwoTasks() {
  using controller = new AbortController.AutoAbort();
  const task1 = task(1, { signal: controller.signal });
  const task2 = task(2, { signal: controller.signal });
  return await Promise.all([task1, task2]);
}

With this pattern, work is almost scoped, in the sense that it does not outlive the block which initiates it except that we don't wait for tasks which require async cleanup, which would require whatwg/dom#1389 plus await using controller instead of using controller.

Also it is deterministic, there is no manual unregistration, and a given task's handlers are released as soon as that task completes. This is (arguably) quite close to what Swift has, except that Swift has an ambient Task instead of manually threading signals.

[bakkot]

Though I guess, having said that, we don't strictly need addAbortCallback; you can get by simply by checking signal.aborted after each async step. I don't love this, but it does work and avoids any possibility of handlers leaking.

[rixtox]

This is both my own opinion and practical reality: multiple implementations have said they are not interested in ever pursuing any form of cancelation which is not a generalization of AbortController.

I’ve heard this position stated several times, but I don’t think the underlying rationale has ever been clearly articulated in a consolidated, technical form.

Is the resistance based on specific technical constraints (e.g., VM implementation complexity, observable semantic hazards, optimization barriers, interaction with async functions, or web compatibility concerns)? Or is it primarily about ecosystem convergence between TC39 and WHATWG? Clarifying that distinction would help frame the actual design space we are operating within.

The history of the 2016 Cancelable Promises proposal is also relevant here. After pivoting toward cancel tokens, the proposal was ultimately withdrawn following significant pushback within TC39 and parts of the implementation community. However, I am not aware of a clear technical retrospective explaining the decisive objections. (tc39/proposal-cancelable-promises#70 (comment))

If cancelable promises (and cancel token) were rejected for fundamental semantic reasons, those reasons should still apply today. If the objections were more about specific surface design or integration details, then it may be worth re-examining them in light of the maturity of async/await and the growing interest in structured concurrency patterns.

More broadly, I am concerned about the long-term architectural implications.

If we converge on a generalized AbortController pattern that approximates structured concurrency but does not fully provide its safety guarantees, we may inadvertently lock the language into a weaker model. A partially structured system—where lifetime management is still manual or signal-based rather than scope-based—could become the de facto standard. At that point, introducing a more principled, native form of structured concurrency would be extremely difficult, because it would either:

1. Obsolete or undermine the AbortController ecosystem, or
2. Require two competing cancellation paradigms to coexist indefinitely.

In other words, we may be making a choice that constrains JavaScript’s concurrency model for decades.

This is not an argument against incremental improvements to AbortController. It is an argument for being explicit about whether we view it as:

• A pragmatic compromise given historical constraints, or
• The long-term foundation of JavaScript’s concurrency model.

If it is the latter, then we should be confident that it provides the same safety, composability, and lifetime guarantees that structured concurrency offers in other ecosystems. If it does not, then we should carefully consider whether we are foreclosing the possibility of a more principled solution in the future.

Before assuming that “generalizations of AbortController” define the entire feasible design space, it would be helpful to restate the technical constraints that rule out alternatives. That context is essential for evaluating whether the current direction is inevitable—or simply the path of least resistance.

[bakkot]

I’ve heard this position stated several times, but I don’t think the underlying rationale has ever been clearly articulated in a consolidated, technical form.

The stated reason is that we already have one form of cancelation, in AbortController, and adding another would cause an undesirable ecosystem split.

If cancelable promises (and cancel token) were rejected for fundamental semantic reasons, those reasons should still apply today. If the objections were more about specific surface design or integration details, then it may be worth re-examining them in light of the maturity of async/await and the growing interest in structured concurrency patterns.

We were not able to come to consensus as a committee on cancelable promises; it's not that they were outright rejected, although many individuals did regard them as having fundamental semantic flaws. But there is not much point in re-examining this now because browsers have said that they are no longer willing to pursue anything in that vein.

In other words, we may be making a choice that constrains JavaScript’s concurrency model for decades.

The choice was already made almost a decade ago when AbortController shipped and started being built into APIs like fetch. We can't remove it. Any future extensions will necessarily need to be compatible with AbortController and APIs built on it.

So, if you have ideas for how to improve things given this constraint, I'm happy to hear them. In particular I think it's worth trying to articulate exactly what you want from Swift's model which is not achieved by the token-based design. But I don't think there's any point in trying to do greenfield design as if we did not live in a world where AbortController was already the standard way of doing cancelation.

[rixtox]

In particular I think it's worth trying to articulate exactly what you want from Swift's model which is not achieved by the token-based design.

Alright — the specific property I want from Swift/structured concurrency that I don’t see achieved by a token-based design is:

“Join on cancellation / failure”: when one child in a fan-out fails (or the parent scope is aborted), the runtime cancels sibling work and then waits for all children to finish their cleanup before the parent resumes/throws.

This is the key difference between “we can propagate a cancellation request” and “we have structured lifetime semantics”.

Concrete example: fan-out + sibling cancellation + scoped cleanup

Here’s a fan-out example written in Effection (generator-based structured concurrency). It has essentially the semantics I’m describing:

import { run, Operation, action, all } from 'effection';
function* structuredFanOut(): Operation<void> {
  try {
    console.log(`[Tick ${yield* tick()}] structuredFanOut start`);
    yield* all([
      childTask1(),
      childTask2(),
    ]);
  } catch (error) {
    console.log(`[Tick ${yield* tick()}] structuredFanOut error: ${error}`);
  } finally {
    console.log(`[Tick ${yield* tick()}] structuredFanOut cleanup`);
  }
}
function* childTask1(): Operation<void> {
  try {
    for (let i = 0; i < 5; i++) {
      console.log(`[Tick ${yield* tick()}] childTask1 i=${i}`);
    }
  } finally {
    console.log(`[Tick ${yield* tick()}] childTask1 cleanup`);
  }
}
function* childTask2(): Operation<void> {
  try {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${yield* tick()}] childTask2 i=${i}`);
    }
    throw 'childTask2 error';
  } finally {
    console.log(`[Tick ${yield* tick()}] childTask2 cleanup`);
  }
}

let count = 0;
function* tick(): Operation<number> {
  yield* action((resolve) => {
    const id = setImmediate(resolve);
    return () => clearImmediate(id);
  });
  return ++count;
}

await run(structuredFanOut);

Output (important lines emphasized by ordering):

• sibling is canceled promptly when one child throws
• both children run cleanup
• parent only observes the exception after children have cleaned up

[Tick 1] structuredFanOut start
[Tick 2] childTask1 i=0
[Tick 3] childTask2 i=0
[Tick 4] childTask1 i=1
[Tick 5] childTask2 i=1
[Tick 6] childTask1 i=2
[Tick 7] childTask2 cleanup
[Tick 8] childTask1 cleanup
[Tick 9] structuredFanOut error: childTask2 error
[Tick 10] structuredFanOut cleanup

The gap with native Promises today

Here’s the closest equivalent with native async functions:

async function promiseFanOut(): Promise<void> {
  try {
    console.log(`[Tick ${await tick()}] promiseFanOut start`);
    await Promise.all([
      childTask1(),
      childTask2(),
    ]);
  } catch (error) {
    console.log(`[Tick ${await tick()}] promiseFanOut error: ${error}`);
  } finally {
    console.log(`[Tick ${await tick()}] promiseFanOut cleanup`);
  }
}
async function childTask1(): Promise<void> {
  try {
    for (let i = 0; i < 5; i++) {
      console.log(`[Tick ${await tick()}] childTask1 i=${i}`);
    }
  } finally {
    console.log(`[Tick ${await tick()}] childTask1 cleanup`);
  }
}
async function childTask2(): Promise<void> {
  try {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${await tick()}] childTask2 i=${i}`);
    }
    throw 'childTask2 error';
  } finally {
    console.log(`[Tick ${await tick()}] childTask2 cleanup`);
  }
}

let count = 0;
async function tick(): Promise<number> {
  await new Promise((resolve) => setImmediate(resolve));
  return ++count;
}

await promiseFanOut();

And the observed behavior is precisely the “leak past scope” problem:

• Promise.all rejects as soon as one child rejects
• sibling continues executing
• parent proceeds (catch/finally) before sibling cleanup completes

[Tick 1] promiseFanOut start
[Tick 2] childTask1 i=0
[Tick 3] childTask2 i=0
[Tick 4] childTask1 i=1
[Tick 5] childTask2 i=1
[Tick 6] childTask1 i=2
[Tick 7] childTask2 cleanup
[Tick 8] childTask1 i=3
[Tick 9] promiseFanOut error: childTask2 error
[Tick 10] childTask1 i=4
[Tick 11] promiseFanOut cleanup
[Tick 12] childTask1 cleanup

Why token-based cancellation doesn’t close this gap (by itself)

Even if we standardize an ergonomic “disposable abort callback” (using _ = signal.addAbortCallback(...)), and even if we add an AutoAbort controller that aborts on scope exit, that gives you:

• deterministic subscription lifetime for abort handlers
• a cancellation request that can propagate

But it does not give you the missing semantic guarantee:

• the parent does not automatically join on children’s cancellation/cleanup
• Promise.all still short-circuits on rejection
• there is still no built-in, language-level notion of “child tasks scoped to parent”

To get the Effection/Swift behavior, you need something like: “on first rejection, abort siblings and then await their completion/cleanup before resolving/rejecting the parent.” That’s not something an AbortSignal can enforce without an additional coordination primitive.

Concrete question

Given the constraint that cancellation must be compatible with AbortController, what is the intended path to achieve the “join on cancellation/failure” property with acceptable ergonomics?

In particular, is the expectation that this is solved by:

• a Promise combinator change/addition (e.g., a Promise.allScoped / Promise.allCancel / “all + cancel siblings + join cleanup”), or
• DOM-level extensions (e.g., await using controller + async disposal) plus a convention that all async APIs are disposal-aware, or
• some other token-based coordination mechanism that makes sibling cancellation + join composable?

I put the full unit test here as a concrete starting point:
https://stackblitz.com/edit/structured-concurrency-tests?file=StructuredConcurrency.test.ts

If there’s an existing pattern in the token-based design thread that achieves these semantics (cancel siblings promptly + parent only continues after cleanup), I’d like to understand it — because I haven’t been able to reproduce this property with AbortSignal without reintroducing a structured task runtime in userland.

[bakkot]

Great, thanks for the very clear comment. I agree such a thing is desirable although in practice I suspect it doesn't matter in most circumstances (which is to say, I have only rarely - not never, but rarely - encountered situations where async cleanup is necessary).

I think the best path to achieve this is to pursue a subclass of AbortController whose controller.abort returns basically Promise.all(allAbortHandlers.map(fn => fn(reason))) (this is the thing I linked above), and then make that subclass async-disposable. That would let you do

try {
  await using controller = new AsyncAbortController(); // or whatever
  await Promise.all([
    childTask1({ signal: controller.signal }),
    childTask2({ signal: controller.signal }),
  ]);
} finally {
  console.log('all tasks have either completed or been canceled and finished cleanup');
}

This is pretty much your "DOM-level extensions" path, although I'm not sure what "a convention that all async APIs are disposal-aware" means - the idea is that (just as today) all cancelable APIs should take an AbortSignal argument to which they would add their cleanup handler.

---

Your demo uses async generators. For those to work with this pattern, you of course have to explicitly yield at yield points (but that would be true no matter what; it is important that you be able to see every point at which an async generator can be interrupted). Here's a little wrapper which converts such an async generator into an async function with a signal argument; this could be built in to the language although given how little people actually use async generators it's probably OK for people to just copy the wrapper around.

const abortable = (genFn) => async (...args) => {
  const { signal } = args.pop();
  signal.throwIfAborted();

  const gen = genFn(...args);

  const { promise: abortPromise, reject: rejectOnAbort } = Promise.withResolvers();
  using _ = signal.addAbortCallback((reason) => rejectOnAbort(reason));

  try {
    let result;
    do {
      result = await Promise.race([gen.next(), abortPromise]);
    } while (!result.done);
    return result.value;
  } catch (e) {
    if (signal.aborted) {
      await gen.return();
    }
    throw e;
  }
};

[bakkot]

Here's a rough sketch of an implementation of AsyncAbortController. Playing with this a bit has shown that you do end up needing a wrapper for idiomatic use of async functions, which isn't great. If we go this route that's maybe that could be something built in (or we could find some better way of doing this).

I've included the example from your test, with the child tasks modified to take a signal argument and add signal.throwIfAborted() after each await point in the main body. promiseFanOut is modified to use an AsyncAbortController and to wrap the calls to the child tasks (this is the part which most needs improvement). This does not quite produce the results you assert in your test because it prints childTask1 i=3 before childTask1 cleanup, but that's a desirable property; cooperative concurrency means that functions should continue executing until they themselves reach a point at which they have declared they can be interrupted.

// in real life this would just be the regular AbortSignal
let internalAbort;
class _AbortSignal {
  #aborted = false;
  #reason = undefined;
  #callbacks = [];

  get aborted() {
    return this.#aborted;
  }

  get reason() {
    return this.#reason;
  }

  throwIfAborted() {
    if (this.#aborted) {
      throw this.#reason;
    }
  }

  addAbortCallback(fn) {
    if (this.#aborted) {
      fn(this.#reason);
      return null;
    }

    const idx = this.#callbacks.length;
    this.#callbacks.push(fn);
    return {
      [Symbol.dispose]: () => {
        if (this.#aborted) return;
        this.#callbacks[idx] = null;
      },
    };
  }

  static {
    internalAbort = async function (signal, reason) {
      if (signal.#aborted) return;
      signal.#aborted = true;
      signal.#reason = reason;
      const promises = signal.#callbacks.map((fn) => fn && Promise.try(fn, reason));
      signal.#callbacks = null;
      const results = await Promise.allSettled(promises);
      const errors = results.filter(r => r.status === 'rejected');
      if (errors.length > 0) {
        const novel = errors.filter(r => r.reason !== reason);
        if (novel.length > 0) {
          throw new AggregateError(novel);
        }
      }
    }
  }
}

class AsyncAbortController {
  #callbacks = [];
  #signal = new _AbortSignal(this.#callbacks);

  get signal() {
    return this.#signal;
  }

  abort(reason = new DOMException('The operation was aborted.', 'AbortError')) {
    return internalAbort(this.#signal, reason);
  }

  [Symbol.asyncDispose]() {
    return this.abort();
  }
}


// wrapper
const wrap = fn => async (...args) => {
  const { signal } = args.at(-1);
  const promise = fn(...args);
  using _ = signal.addAbortCallback(() => promise);
  return await promise;
};

// test
async function promiseFanOut() {
  try {
    await using controller = new AsyncAbortController();
    const { signal } = controller;
    console.log(`[Tick ${await tick()}] promiseFanOut start`);
    await Promise.all([
      wrap(childTask1)({ signal }),
      wrap(childTask2)({ signal }),
    ]);
  } catch (error) {
    console.log(`[Tick ${await tick()}] promiseFanOut error: ${error}`);
  } finally {
    console.log(`[Tick ${await tick()}] promiseFanOut cleanup`);
  }
}
async function childTask1({ signal }) {
  try {
    for (let i = 0; i < 5; i++) {
      console.log(`[Tick ${await tick()}] childTask1 i=${i}`);
      signal.throwIfAborted();
    }
  } finally {
    console.log(`[Tick ${await tick()}] childTask1 cleanup`);
  }
}
async function childTask2({ signal }) {
  try {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${await tick()}] childTask2 i=${i}`);
      signal.throwIfAborted();
    }
    throw 'childTask2 error';
  } finally {
    console.log(`[Tick ${await tick()}] childTask2 cleanup`);
  }
}

let count = 0;
async function tick() {
  await new Promise((resolve) => setImmediate(resolve));
  return ++count;
}


await promiseFanOut();

/*
results:
[Tick 1] promiseFanOut start
[Tick 2] childTask1 i=0
[Tick 3] childTask2 i=0
[Tick 4] childTask1 i=1
[Tick 5] childTask2 i=1
[Tick 6] childTask1 i=2
[Tick 7] childTask2 cleanup
[Tick 8] childTask1 i=3
[Tick 9] childTask1 cleanup
[Tick 10] promiseFanOut error: childTask2 error
[Tick 11] promiseFanOut cleanup
*/

[rixtox]

I experimented with the approach you suggested (async abort() that awaits handlers + async-disposable controller), and I was able to reproduce the “join on cancellation” semantics using a small prototype.

Here is a minimal AsyncAbortController implementation:

export class AsyncAbortController {
  public readonly signal: AsyncAbortSignal = {
    aborted: false,
    reason: undefined,
    throwIfAborted: () => {
      if (this.signal.aborted) {
        throw this.signal.reason;
      }
    },
    subscribe: (handler) => {
      if (this.signal.aborted) {
        return void handler(this.signal.reason);
      }
      this._handlers.push(handler);
      const unsub = () => {
        this._handlers = this._handlers.filter((h) => h !== handler);
      };
      unsub[Symbol.dispose] = unsub;
      return unsub;
    },
  };
  public async abort(reason?: any): Promise<void> {
    const handlers = this._handlers;
    this._handlers = [];
    await Promise.allSettled(handlers.map((h) => h(reason)));
  }
  public [Symbol.asyncDispose](): Promise<void> {
    return this.abort();
  }

  private _handlers: ((reason?: any) => Promise<void> | void)[] = [];
}

Using it like this:

async function promiseFanOut(): Promise<void> {
  try {
    await using controller = new AsyncAbortController();
    const { signal } = controller;
    console.log(`[Tick ${await tick(signal)}] promiseFanOut start`);
    await Promise.all([
      childTask1(signal),
      childTask2(signal),
    ]);
  } catch (error) {
    console.log(`[Tick ${await tick()}] promiseFanOut error: ${error}`);
  } finally {
    console.log(`[Tick ${await tick()}] promiseFanOut cleanup`);
  }
}
async function childTask1(signal: AsyncAbortSignal): Promise<void> {
  try {
    for (let i = 0; i < 5; i++) {
      console.log(`[Tick ${await tick(signal)}] childTask1 i=${i}`);
    }
  } finally {
    console.log(`[Tick ${await tick()}] childTask1 cleanup`);
  }
}
async function childTask2(signal: AsyncAbortSignal): Promise<void> {
  try {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${await tick(signal)}] childTask2 i=${i}`);
    }
    throw 'childTask2 error';
  } finally {
    console.log(`[Tick ${await tick()}] childTask2 cleanup`);
  }
}

let count = 0;
async function tick(signal?: AsyncAbortSignal): Promise<number> {
  let id: ReturnType<typeof setImmediate>;
  const { promise, resolve, reject } = Promise.withResolvers<void>();
  using _ = signal?.subscribe((reason) => {
    clearImmediate(id);
    reject(reason);
  });
  id = setImmediate(resolve);
  await promise;
  return ++count;
}

await promiseFanOut();

With children cooperating via signal.subscribe(...), I get the desired behavior:

[Tick 1] promiseFanOut start
[Tick 2] childTask1 i=0
[Tick 3] childTask2 i=0
[Tick 4] childTask1 i=1
[Tick 5] childTask2 i=1
[Tick 6] childTask1 i=2
[Tick 7] childTask2 cleanup
[Tick 8] childTask1 cleanup
[Tick 9] promiseFanOut error: childTask2 error
[Tick 10] promiseFanOut cleanup

Notably:

• Sibling cancellation happens promptly.
• Both children run cleanup.
• The parent only observes the error after all cleanup completes.

This matches the structured concurrency “join on cancellation” property I was describing earlier.

Full test case: https://stackblitz.com/edit/asyncabortcontroller?file=StructuredConcurrency.test.ts

---

What this experiment suggests

This does seem to confirm that:

• An async-returning abort(), and
• An await using async-disposable controller

are sufficient primitives to approximate structured concurrency semantics on top of Promise.

However, two observations fall out of this:

1. The semantics depend critically on async abort awaiting handlers.
   If abort() were synchronous (like today’s AbortController), this property would not hold.

2. All participating async operations must be written in a cooperative, signal-aware style.
   In other words, structured lifetime guarantees emerge only if every child properly subscribes and respects the signal.

That’s not necessarily a problem — Swift is also cooperative — but it does mean this pattern effectively becomes the structured concurrency layer for JavaScript.

---

The remaining open question

If this is the intended direction, then I think it would help to state explicitly that:

Async-disposable controllers + async-returning abort is the path toward structured lifetime semantics in JS.

Because once that’s clear, we can evaluate it not merely as “a better AbortController,” but as a concurrency model.

From my side, this experiment makes me more optimistic that the gap is bridgeable within the AbortController lineage — but it also reinforces that the critical design decision is whether abort() becomes async and whether async disposal is part of the core story.

Those two pieces seem to be what elevate this from “event-based cancellation” to “structured cancellation.”

[bakkot]

Your example unfortunately doesn't actually work if you make childTask1 cleanup take longer (that's what the wrapper is necessary for in my example).

Anyway:

If this is the intended direction

Well, it's my intended direction, or at least the best idea I currently have, but I certainly can't speak for the committee as a whole. I'm not the only one who wants disposable AbortController and async abort, though, so I'm hopeful about this option.

[rixtox]

You’re absolutely right — I see the issue now. If childTask1’s cleanup itself contains asynchronous work, then without the wrapper the parent can still resume before that cleanup completes. The wrap function is doing essential coordination work there.

That does, however, highlight an ergonomics concern.

The need for an explicit wrap(...) layer around otherwise “normal” async functions starts to feel reminiscent of early promisify patterns — i.e., a structural adaptation step that developers must remember to apply consistently, or else the semantics subtly degrade.

From a language design perspective, that suggests we may be missing one of the following:

1. A standardized signal-passing convention
   Today { signal } is conventional but not enforced. If async cancellation is going to be foundational, it might be worth standardizing how signals are threaded, so wrappers become unnecessary or implicit.

2. A first-class integration point between async functions and signals
   The wrapper exists because async functions don’t natively participate in cancellation coordination. We’re effectively retrofitting structured lifetime semantics onto a model that was never designed for it.

3. A built-in combinator with “cancel siblings + join cleanup” semantics
   If Promise.all had a structured variant that:

   • aborts siblings on first failure
   • awaits async cleanup before rejecting
     then the wrapper layer might disappear entirely.

The fact that the wrapper is required isn’t a deal-breaker, but it does suggest that the current primitives don’t compose ergonomically enough on their own.

If we do pursue async-disposable controllers + async abort, I think we should also explicitly consider how to make signal propagation and structured joining idiomatic — ideally without requiring per-call wrapping.

Otherwise, we risk landing in a situation where:

• The model is theoretically capable of structured semantics,
• But the “pit of success” still requires non-trivial ceremony.

That’s the main ergonomic gap I’m worried about at this point — not whether it’s possible, but whether it will feel native.

[bakkot]

Thought about it a little more and here's a better alternative to wrap:

// call this as the first line of any async function which needs to block cleanup
const mustComplete = signal => {
  const { promise, resolve } = Promise.withResolvers();
  signal.addAbortCallback(() => promise);
  return {
    [Symbol.dispose]: resolve,
  };
};

// usage:
async function childTask1({ signal }) {
  using _ = mustComplete(signal);
  try {
    for (let i = 0; i < 5; i++) {
      console.log(`[Tick ${await tick()}] childTask1 i=${i}`);
      signal.throwIfAborted();
    }
  } finally {
    console.log(`[Tick ${await tick()}] childTask1 cleanup`);
  }
}

Then the caller doesn't have to do anything special. This is still not ideal but is IMO much nicer than the previous wrap (especially if mustComplete is built in).

Full snippet with this helper instead of `wrap`, and with longer cleanups to confirm this really does work.

// in real life this would just be the regular AbortSignal
let internalAbort;
class _AbortSignal {
  #aborted = false;
  #reason = undefined;
  #callbacks = [];

  get aborted() {
    return this.#aborted;
  }

  get reason() {
    return this.#reason;
  }

  throwIfAborted() {
    if (this.#aborted) {
      throw this.#reason;
    }
  }

  addAbortCallback(fn) {
    if (this.#aborted) {
      fn(this.#reason);
      return null;
    }

    const idx = this.#callbacks.length;
    this.#callbacks.push(fn);
    return {
      [Symbol.dispose]: () => {
        if (this.#aborted) return;
        this.#callbacks[idx] = null;
      },
    };
  }

  static {
    internalAbort = async function (signal, reason) {
      if (signal.#aborted) return;
      signal.#aborted = true;
      signal.#reason = reason;
      const promises = signal.#callbacks.map((fn) => fn && Promise.try(fn, reason));
      signal.#callbacks = null;
      const results = await Promise.allSettled(promises);
      const errors = results.filter(r => r.status === 'rejected');
      if (errors.length > 0) {
        const novel = errors.filter(r => r.reason !== reason);
        if (novel.length > 0) {
          throw new AggregateError(novel);
        }
      }
    }
  }
}

class AsyncAbortController {
  #callbacks = [];
  #signal = new _AbortSignal(this.#callbacks);

  get signal() {
    return this.#signal;
  }

  abort(reason = new DOMException('The operation was aborted.', 'AbortError')) {
    return internalAbort(this.#signal, reason);
  }

  [Symbol.asyncDispose]() {
    return this.abort();
  }
}


// helper
const mustComplete = signal => {
  const { promise, resolve } = Promise.withResolvers();
  signal.addAbortCallback(() => promise);
  return {
    [Symbol.dispose]: resolve,
  };
};

// test
async function promiseFanOut() {
  try {
    await using controller = new AsyncAbortController();
    const { signal } = controller;
    console.log(`[Tick ${await tick()}] promiseFanOut start`);
    await Promise.all([
      childTask1({ signal }),
      childTask2({ signal }),
    ]);
  } catch (error) {
    console.log(`[Tick ${await tick()}] promiseFanOut error: ${error}`);
  } finally {
    console.log(`[Tick ${await tick()}] promiseFanOut cleanup`);
  }
}
async function childTask1({ signal }) {
  using _ = mustComplete(signal);
  try {
    for (let i = 0; i < 5; i++) {
      console.log(`[Tick ${await tick()}] childTask1 i=${i}`);
      signal.throwIfAborted();
    }
  } finally {
    console.log(`[Tick ${await tick()}] childTask1 cleanup 1`);
    console.log(`[Tick ${await tick()}] childTask1 cleanup 2`);
    console.log(`[Tick ${await tick()}] childTask1 cleanup 3`);
    console.log(`[Tick ${await tick()}] childTask1 cleanup 4`);
  }
}
async function childTask2({ signal }) {
  using _ = mustComplete(signal);
  try {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${await tick()}] childTask2 i=${i}`);
      signal.throwIfAborted();
    }
    throw 'childTask2 error';
  } finally {
    console.log(`[Tick ${await tick()}] childTask2 cleanup 1`);
    console.log(`[Tick ${await tick()}] childTask2 cleanup 2`);
    console.log(`[Tick ${await tick()}] childTask2 cleanup 3`);
    console.log(`[Tick ${await tick()}] childTask2 cleanup 4`);
  }
}

let count = 0;
async function tick() {
  await new Promise((resolve) => setTimeout(resolve, 0));
  return ++count;
}


await promiseFanOut();

Result:

[Tick 1] promiseFanOut start
[Tick 2] childTask1 i=0
[Tick 3] childTask2 i=0
[Tick 4] childTask1 i=1
[Tick 5] childTask2 i=1
[Tick 6] childTask1 i=2
[Tick 7] childTask2 cleanup 1
[Tick 8] childTask1 i=3
[Tick 9] childTask2 cleanup 2
[Tick 10] childTask1 i=4
[Tick 11] childTask2 cleanup 3
[Tick 12] childTask1 cleanup 1
[Tick 13] childTask2 cleanup 4
[Tick 14] childTask1 cleanup 2
[Tick 15] childTask1 cleanup 3
[Tick 16] childTask1 cleanup 4
[Tick 17] promiseFanOut error: childTask2 error
[Tick 18] promiseFanOut cleanup

[rixtox]

Yes — I was actually thinking about essentially the same pattern last night. Moving the coordination responsibility into the callee via something like mustComplete(signal) is definitely cleaner than wrapping at the call site.

That said, I wonder whether this direction might run into philosophical objections.

There has previously been strong sentiment in TC39 that cancellation should be strictly one-directional: a signal represents a request to abort, but it is “not interested” in completion. In that framing, abort() triggering and awaiting cleanup handlers starts to look like a bidirectional protocol rather than a pure notification mechanism.

mustComplete effectively introduces a completion sentinel that makes abort() wait for structured cleanup. Semantically, that’s exactly what we want for structured lifetime guarantees — but it does move the model from “fire-and-forget cancellation” toward “cancellation with join”.

If the committee is comfortable with that shift, I think this helper is a meaningful improvement. But it might be worth explicitly acknowledging that this is a change in the conceptual model of what abort represents.

[rixtox]

One additional observation: mustComplete(signal) is effectively equivalent to pairing a synchronous AbortSignal with a separate async join mechanism.

Concretely, you can model the same semantics today using AsyncDisposableStack + AbortSignal, by pushing an AsyncDisposable “completion sentinel” onto a stack that the parent awaits at scope exit. The downside is that this requires threading an extra AsyncDisposableStack parameter down the call stack alongside signal:

async function promiseFanOut(): Promise<void> {
  try {
    await using stack = new AsyncDisposableStack();
    const controller = new AbortController();
    using _ = defer(() => controller.abort());
    const { signal } = controller;
    console.log(`[Tick ${await tick(signal)}] promiseFanOut start`);
    await Promise.all([
      childTask1(stack, signal),
      childTask2(stack, signal),
    ]);
  } catch (error) {
    console.log(`[Tick ${await tick()}] promiseFanOut error: ${error}`);
  } finally {
    console.log(`[Tick ${await tick()}] promiseFanOut cleanup`);
  }
}
async function childTask1(stack: AsyncDisposableStack, signal: AbortSignal): Promise<void> {
  using _ = sentinel(stack);
  try {
    for (let i = 0; i < 5; i++) {
      console.log(`[Tick ${await tick(signal)}] childTask1 i=${i}`);
    }
  } finally {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${await tick()}] childTask1 cleanup i=${i}`);
    }
  }
}
async function childTask2(stack: AsyncDisposableStack, signal: AbortSignal): Promise<void> {
  using _ = sentinel(stack);
  try {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${await tick(signal)}] childTask2 i=${i}`);
    }
    throw 'childTask2 error';
  } finally {
    for (let i = 0; i < 2; i++) {
      console.log(`[Tick ${await tick()}] childTask2 cleanup i=${i}`);
    }
  }
}

let count = 0;
async function tick(signal?: AbortSignal): Promise<number> {
  let id: ReturnType<typeof setImmediate>;
  const { promise, resolve, reject } = Promise.withResolvers<void>();
  using _ = signal && useSignal(signal, (reason) => {
    clearImmediate(id);
    reject(reason);
  });
  id = setImmediate(resolve);
  await promise;
  return ++count;
}

function sentinel(stack: AsyncDisposableStack) {
  const { promise, resolve } = Promise.withResolvers<void>();
  stack.use(asyncDefer(() => promise));
  return defer(() => resolve());
}

function useSignal(signal: AbortSignal, onabort: (reason?: any) => void): Deferred {
  signal.throwIfAborted();
  signal.addEventListener('abort', onabort);
  return defer(() => signal.removeEventListener('abort', onabort));
}

interface Deferred {
  [Symbol.dispose](): void;
}
function defer(fn: () => void): Deferred {
  return {
    [Symbol.dispose]() {
      const f = fn;
      fn = undefined;
      f && f();
    },
  };
}

interface AsyncDeferred {
  [Symbol.asyncDispose](): Promise<void>;
}
function asyncDefer(fn: () => Promise<void>): AsyncDeferred {
  return {
    [Symbol.asyncDispose]() {
      const f = fn;
      fn = undefined;
      return f && f();
    },
  };
}

await promiseFanOut();

This reinforces the core point: to get “abort + join cleanup”, we need an additional join channel, whether that is:

• an async abort() that awaits handlers, or
• an explicit completion/join mechanism (AsyncDisposableStack/sentinel) that’s propagated structurally.

From an ergonomics standpoint, embedding this “must-complete” join behavior into the abort protocol (or providing a built-in helper) seems preferable to requiring every API to thread an additional AsyncDisposableStack parameter down the stack.