fix-2360: prevent CPU spin loop after SSE client disconnect

[crivetimihai]

Summary

Fixes the CPU spin loop issue where Gunicorn workers consume 100%+ CPU when idle after load tests stop. The root cause was fire-and-forget asyncio.create_task() patterns leaving orphaned tasks in anyio's _deliver_cancellation spin loop.

Key fixes:

• Track respond tasks in _respond_tasks dict for proper lifecycle management
• Cancel respond tasks before removing sessions (prevents orphaning)
• Escalation path: cancel → timeout → disconnect transport → retry cancel → move to stuck_tasks
• Add cleanup on SSE response creation failure (prevents orphaned tasks)
• Add stuck task reaper (30s interval) to clean completed tasks and retry cancellation
• Redis respond loop now uses timeout-based polling with session existence check
• SSE generator's finally block now also invokes disconnect callback

Load testing:

• Updated make load-test-spin-detector to be full-featured (JWT auth, all user classes, 4000-user baseline)
• Spike/drop pattern stress tests session cleanup

Closes #2360 - [BUG]: anyio cancel scope spin loop causes 100% CPU after load test stops
Closes #2357 - [BUG]: (sse): Granian CPU spikes to 800% after load stops, recovers when load resumes

Test plan

• Unit tests for task tracking/cancellation (9 new tests)
• Test for escalation path with fake transport verifying disconnect() is called
• Tests for stuck task reaper lifecycle
• All existing tests pass
• Run make load-test-spin-detector to verify CPU returns to idle during pause phases

[crivetimihai]

Update: Fixed blocking pubsub.listen() pattern

Root Cause Identified

The CPU spin loop is caused by anyio's _deliver_cancellation function continuously rescheduling itself when tasks don't respond to cancellation.

When a cancel scope is triggered (e.g., SSE client disconnects):

1. anyio calls task.cancel() for each task in the scope
2. If tasks don't respond (stuck in blocking operations), should_retry stays True
3. It reschedules itself with call_soon() immediately
4. This creates a tight CPU spin loop

Problematic Pattern

async for message in pubsub.listen():  # Blocks indefinitely

This async iterator blocks waiting for Redis and doesn't respond to CancelledError until the next message arrives.

Fix Applied

Changed to timeout-based polling in:

• mcpgateway/services/cancellation_service.py
• mcpgateway/services/event_service.py

while True:
    try:
        message = await asyncio.wait_for(
            pubsub.get_message(timeout=1.0), timeout=1.5)
    except asyncio.TimeoutError:
        continue  # Loop back, allowing cancellation check

Status: Partial Fix

Testing shows this helped delay the spin loop but containers are still hitting ~800% CPU eventually. There are likely additional spin sources to investigate:

• sse_starlette task group cancellation behavior
• Other blocking async operations
• Possible issues in the MCP client HTTP streaming

Continuing investigation...

[crivetimihai]

Investigation Update: Remaining Spin Sources

Current Status

The pubsub.listen() fix helped but containers still reach ~800% CPU after load tests complete.

Evidence

• Load test finished (no active nginx traffic in last 10 seconds)
• Locust has completed but containers still spinning
• All 24 workers per container at ~17% CPU each = ~800% total
• Each worker has 1 running thread (main event loop) and ~45 sleeping threads
• No new logs being generated (silent CPU spin)

Root Cause Pattern

anyio's _deliver_cancellation() keeps rescheduling itself with call_soon() when:

1. A cancel scope is triggered (e.g., SSE client disconnects)
2. Tasks in the scope don't respond to cancellation (stuck in blocking operations)
3. should_retry stays True → reschedules immediately → CPU spin

Remaining Investigation Areas

1. sse_starlette task groups - When SSE connections close, sse_starlette's task group cancellation may have tasks that don't respond

2. MCP client HTTP streaming - response.aiter_lines() and similar patterns in mcpgateway/translate.py may block on HTTP connections

3. Other async iterators - Multiple async for patterns in codebase that may block on external I/O:

   • async for line in response.aiter_lines() (translate.py, llm_proxy_service.py)
   • async for event in self._agent.astream_events() (mcp_client_chat_service.py)
   • async for key in redis.scan_iter() (auth_cache.py, registry_cache.py)

Next Steps

1. Add timeout-based polling to remaining blocking patterns
2. Check if MCP client connections are properly cleaned up after session ends
3. Consider adding explicit cancellation checks in long-running async generators

[crivetimihai]

Additional Fix: Timeouts for Session/Transport Cleanup

py-spy profiling after the previous fix still showed CPU spin at ~800% with _deliver_cancellation in the call stack. The root cause was identified in MCP session cleanup operations.

Root Cause

When closing MCP sessions, session.__aexit__() and transport.__aexit__() try to cancel internal tasks. If these tasks (like post_writer waiting on anyio.streams.memory.receive()) don't respond to CancelledError, anyio's cancel scope keeps calling call_soon() to reschedule _deliver_cancellation, creating a CPU spin loop.

Stack Trace Pattern (from py-spy)

limited_check (gateway_service.py:3349)
  → _check_single_gateway_health (3571)
    → session (mcp_session_pool.py:1005)
      → acquire (519)
        → _close_session (902)
          → session.__aexit__
            → anyio _deliver_cancellation (spin loop)

Fix

Added asyncio.wait_for() with 5-second timeout to all __aexit__ calls:

1. mcp_session_pool.py: _close_session() and _create_session() cleanup
2. session_registry.py: Redis pubsub cleanup
3. registry_cache.py: Redis pubsub cleanup
4. translate.py: Streamable HTTP context cleanup

If cleanup times out, we log a warning and proceed anyway (best-effort cleanup). This prevents indefinite blocking and the resulting CPU spin.

[crivetimihai]

Configuration: Cleanup Timeout Now Configurable

Made SESSION_CLEANUP_TIMEOUT configurable via MCP_SESSION_POOL_CLEANUP_TIMEOUT (default: 5.0 seconds).

Clarification on Implications

Timeout	What it controls	Default
TOOL_TIMEOUT	How long a tool call can run	60s
MCP_SESSION_POOL_CLEANUP_TIMEOUT	How long to wait for __aexit__ cleanup	5s

The cleanup timeout does NOT affect tool execution. It only applies to:

• Session eviction (stale/invalid sessions)
• Session release after use (returning to pool)
• Pool shutdown (graceful close)
• Failed session creation cleanup

Configuration

# .env
MCP_SESSION_POOL_CLEANUP_TIMEOUT=5.0

# Helm values.yaml
mcpContextForge:
  config:
    MCP_SESSION_POOL_CLEANUP_TIMEOUT: "5.0"

When to Adjust

• Increase (e.g., 10.0): If you see frequent "cleanup timed out" warnings in logs
• Decrease (e.g., 2.0): For faster shutdown, accepting risk of resource leaks

[crivetimihai]

Fix: SSE Cancel Scope Deadline

Found the root cause via web search - this is a known issue:

• AnyIO Issue #695
• Claude Agent SDK Issue #378

Similar issues exist in other Python projects:

• Disconnecting an MCP server causes a CPU core to get stuck at 100% Chainlit/chainlit#2182

Problem

When an SSE connection ends, sse_starlette's task group tries to cancel all tasks. If a task (like _listen_for_disconnect waiting on receive()) doesn't respond to cancellation, anyio's _deliver_cancellation keeps calling call_soon() to reschedule itself, causing a CPU spin loop.

Fix

Created a patched EventSourceResponse that overrides __call__ to set a deadline on the cancel scope when cancellation starts:

async def cancel_on_finish(coro):
    await coro()
    # Set deadline to prevent indefinite spin if tasks don't respond
    task_group.cancel_scope.deadline = anyio.current_time() + SSE_TASK_GROUP_CLEANUP_TIMEOUT
    task_group.cancel_scope.cancel()

This ensures that if tasks don't respond within 5 seconds, the scope times out and exits cleanly instead of spinning.

Configuration

SSE_TASK_GROUP_CLEANUP_TIMEOUT = 5.0 (hardcoded for now, can be made configurable if needed)

Testing Needed

Rebuild containers and verify the spin no longer occurs after load tests.

[crivetimihai]

PR Summary: CPU Spin Loop Mitigation (Issue #2360)

Problem

After load tests or sustained traffic, Gunicorn workers enter 100% CPU spin loops while appearing idle. Root cause: anyio's _deliver_cancellation enters an infinite loop when MCP SDK tasks don't respond to CancelledError (anyio#695).

Before fix:

• CPU: ~800% per gateway (24 workers × ~33% each) when idle after load test
• 37.5% of workers (9/24) stuck in _deliver_cancellation spin
• 8,000+ epoll_pwait syscalls/second per spinning worker

After fix:

• CPU: ~2.5% per gateway when idle
• Zero spinning workers
• Clean recovery after load tests

---

Changes Overview

File	Changes
docker-compose.yml	Added 3-layer mitigation config with documented env vars
mcpgateway/config.py	+41 lines: New config options for timeouts and patch
mcpgateway/transports/sse_transport.py	+249 lines: anyio monkey-patch implementation
mcpgateway/services/mcp_session_pool.py	+77 lines: Cleanup timeout support
mcpgateway/cache/session_registry.py	+396 lines: Task tracking and cleanup
tests/loadtest/locustfile_spin_detector.py	+1608 lines: New load test for spin detection
Makefile	+58 lines: make load-test-spin-detector target
docs/docs/operations/cpu-spin-loop-mitigation.md	+396 lines: Comprehensive documentation

---

New Configuration Options

Layer 1: SSE Connection Protection

- SSE_SEND_TIMEOUT=30.0              # ASGI send() timeout
- SSE_RAPID_YIELD_WINDOW_MS=1000     # Detection window
- SSE_RAPID_YIELD_MAX=50             # Max yields before disconnect

Layer 2: Cleanup Timeouts

- MCP_SESSION_POOL_CLEANUP_TIMEOUT=0.5   # Session __aexit__ timeout
- SSE_TASK_GROUP_CLEANUP_TIMEOUT=0.5     # SSE task group timeout

Layer 3: anyio Monkey-Patch (Experimental)

- ANYIO_CANCEL_DELIVERY_PATCH_ENABLED=true   # Enable workaround
- ANYIO_CANCEL_DELIVERY_MAX_ITERATIONS=500   # ~60ms recovery time

Layer 4: Worker Recycling

- GUNICORN_MAX_REQUESTS=1000000      # Recycle workers (reduced from 10M)
- GUNICORN_MAX_REQUESTS_JITTER=100000

---

How MAX_ITERATIONS Works

Value	Recovery Time	Use Case
100	~12ms	Aggressive - fastest spin recovery
500	~60ms	Recommended - balanced
1000	~121ms	Conservative

Normal cancellations complete in 1-10 iterations. Values above 100 handle edge cases.

---

New Load Test: make load-test-spin-detector

Escalating spike/drop pattern specifically designed to trigger and detect CPU spin loops:

Wave 1:  4,000 users for 30s → 10s pause (check CPU)
Wave 2:  6,000 users for 45s → 15s pause
Wave 3:  8,000 users for 60s → 20s pause
Wave 4: 10,000 users for 75s → 30s pause
Wave 5: 10,000 users for 90s → 30s pause
→ Repeats forever (Ctrl+C to stop)

Pass criteria: CPU drops to <10% during pause phases

---

Testing Results

Scenario	CPU After Load	Spinning Workers
Without mitigation	~800%	9/24 (37.5%)
With mitigation	~2.5%	0/24 (0%)

Tested with:

• 4,000-10,000 concurrent users
• 3,000+ RPS sustained
• Multiple spike/drop cycles

---

Documentation

New operations guide: docs/docs/operations/cpu-spin-loop-mitigation.md

• Problem description and root cause analysis
• Layer-by-layer mitigation explanation
• Configuration reference
• Troubleshooting guide
• Verification steps

---

Related Issues

• Closes [BUG]: anyio cancel scope spin loop causes 100% CPU after load test stops #2360
• Upstream: anyio#695
• Related: Claude SDK#378

[jonpspri]

Let's be clear. I hate that we've gotten to this. But the patch is as clean as it can get without introducing a new object to encapsulate the process. Let's be sure we're monitoring the upstream so we can rip this out when it's corrected.