Lane queue has no task-level timeout — hung promises permanently block session lanes

[kyletabor]

Summary

Session lanes in the gateway's command queue (src/process/command-queue.ts) have no task-level timeout. If an enqueued task's promise never settles, the lane is permanently jammed with no automatic recovery. This affects all messaging channels and cron.

Symptom

Webchat session stops responding permanently. Gateway is healthy (memory, CPU, /health all normal), but the session lane is dead:

[diagnostic] lane wait exceeded: lane=session:agent:main:treehouse-sess-mmthhrfo-6vvcjy waitedMs=215576 queueAhead=2
[diagnostic] lane wait exceeded: lane=session:agent:main:treehouse-sess-mmthhrfo-6vvcjy waitedMs=178957 queueAhead=1
[diagnostic] lane wait exceeded: lane=session:agent:main:treehouse-sess-mmthhrfo-6vvcjy waitedMs=91671  queueAhead=1
http: proxy error: context canceled
http: proxy error: context canceled

New messages queue up behind the stuck task and wait forever. The session never recovers without a gateway restart.

Root Cause

In pump() (src/process/command-queue.ts, lines 118-143), each dequeued task is awaited with no timeout protection:

void (async () => {
  try {
    const result = await entry.task();  // <-- no timeout, hangs forever if promise never settles
    const completedCurrentGeneration = completeTask(state, taskId, taskGeneration);
    if (completedCurrentGeneration) {
      pump();  // <-- never reached
    }
    entry.resolve(result);
  } catch (err) {
    // ... also never reached
  }
})();

If entry.task() never resolves or rejects:

1. completeTask() never runs
2. activeTaskIds retains the stale task ID
3. pump() is never called again
4. Since session lanes are maxConcurrent=1 (hardcoded in getLaneState, lines 67-74), the lane is permanently blocked

The only recovery is resetAllLanes() (lines 251-266), which requires a SIGUSR1 gateway restart. There is no automatic detection, health check, or recovery mechanism for stuck lanes.

How It Happens

Any scenario where an enqueued task's promise hangs:

• Upstream API call (Anthropic, OpenAI, etc.) hangs without responding or erroring
• WebSocket connection drops mid-request without clean error propagation
• AbortSignal from scheduleAbortTimer fires but the underlying HTTP fetch doesn't honor it
• Unhandled exception path in async task code that prevents the promise from settling

The agent runner's internal timeout (scheduleAbortTimer in run/attempt.ts) only works if the task code checks the abort signal. If the underlying fetch call is hung at the OS/socket level, the abort signal may not terminate it, and the lane queue's await entry.task() remains suspended indefinitely.

Affected Channels

All channels route through the same lane system via enqueueCommandInLane with session lanes (maxConcurrent=1):

• WhatsApp (web provider)
• Telegram
• Discord
• Webchat/Treehouse
• Cron jobs (via CommandLane.Cron)

Environment

• OpenClaw v2026.3.12 (Docker, linux/arm64)
• Node 22
• Gateway healthy during incident: {"ok":true,"status":"live"}
• No OOM, no CPU spike, no rate limiting
• Concurrent event: WhatsApp health-monitor restarted due to stale-socket at 20:25:19, shortly before the lane jammed

Related Issues

• [Bug]: Cron jobs broken after update to 2026.3.8 #42883 — Cron flows break after v2026.3.8 upgrade (5+ users, multiple OSes/providers)
• [Bug]: Cron jobs enqueued but never execute — lane never dispatches, runningAtMs written on enqueue causes permanent stale marker loop #42960 — Cron enqueued but never executes (still open)
• cron run (manual trigger) enqueues but never executes #42997 — Manual cron run enqueues but idle
• [Bug]: openclaw cron run always times out (gateway timeout after 30000ms) despite daemon running normally #29601 — cron run always times out at 30s
• Session write lock race condition causes intermittent 10s timeouts #15623 — Session write lock race condition under concurrency (closed as stale, never fixed)

These all share the same underlying pattern: work enters the lane queue and never completes, with no automatic recovery.

Suggested Fix Directions

For maintainer consideration — several approaches could address this, each with trade-offs:

a) Promise.race wrapper in pump() — Race each task against a configurable timeout promise. If the timeout wins, reject the entry, clear activeTaskIds, and call pump(). Simple and targeted, but creates "zombie task" concerns (the original hung promise keeps running in the background).

b) Periodic lane health monitor — A background interval that checks for lanes where activeTaskIds.size > 0 and no progress has been made for N seconds. Could auto-clear stale tasks or trigger resetAllLanes() for just the affected lane. More defensive but adds runtime complexity.

c) Better abort signal propagation — Ensure scheduleAbortTimer actually terminates the underlying HTTP fetch (via AbortController on the fetch call itself, not just the agent-level signal). Fixes the root cause but requires changes deeper in the API call stack.

d) Combination — Defense in depth: fix abort propagation (c) to prevent most hangs, add a queue-level timeout (a) as a safety net, and a health monitor (b) as a last resort.

Open Questions

• Is the lack of task-level timeout in pump() deliberate? (e.g., to avoid killing legitimately long-running tasks like compaction)
• What's the expected maximum task duration for session lane work?
• Would a configurable taskTimeoutMs option on enqueueCommandInLane be acceptable?
• Should the fix prioritize the queue level, the API call level, or both?

[Ryce]

This is a state-loss-then-no-recovery pattern. The lane queue has maxConcurrent=1 per session, and once a task hangs, the session is permanently dead until gateway restart. No timeout, no health check, no automatic recovery.

The related issues (#42883, #42960, #42997, #29601) all point to the same root: work enters the lane queue and vanishes with no visibility or recovery path. Users see "session stopped responding" with no actionable diagnosis.

Your Promise.race wrapper (option a) is the minimal viable fix. The zombie task concern is real but manageable — the alternative (permanent session death with no recovery) is worse. A taskTimeoutMs parameter on enqueueCommandInLane would let callers set appropriate limits: cron tasks might tolerate 5min, session agent turns might want 120s, message delivery might want 30s.

The deeper issue is the abort signal not propagating to the OS/socket level. When scheduleAbortTimer fires but the underlying fetch is stuck at the socket layer, the abort signal is effectively cosmetic. fetch() with an AbortController wired to the timeout is the proper fix at the API call level, but that's a broader change across all provider adapters.

For the queue level, option (b) periodic health monitor is good defense-in-depth. It doesn't need to be complex — just check if any lane has had activeTaskIds > 0 for longer than a threshold with no completeTask() calls, and auto-clear just that lane. This handles the case where even the Promise.race timeout somehow fails.

The diagnostic logs already show the system detecting the problem (lane wait exceeded) — it just doesn't act on it. The gap between "detect stuck lane" and "recover stuck lane" is the whole issue.

[Hollychou924]

Fix Direction: Task-Level Timeout for Lane Queue

The analysis is spot-on. The pump() function in src/process/command-queue.ts needs a task-level timeout wrapper to prevent permanent lane blocking.

Concrete fix:

// In pump(), wrap entry.task() with a race against a timeout:
const LANE_TASK_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes, configurable

void (async () => {
  try {
    const timeoutPromise = new Promise<never>((_, reject) => {
      const timer = setTimeout(() => {
        reject(new Error(`lane task timeout after ${LANE_TASK_TIMEOUT_MS}ms: lane=${lane}`));
      }, LANE_TASK_TIMEOUT_MS);
      // Allow GC if task completes before timeout
      if (timer.unref) timer.unref();
    });

    const result = await Promise.race([entry.task(), timeoutPromise]);
    const completedCurrentGeneration = completeTask(state, taskId, taskGeneration);
    if (completedCurrentGeneration) {
      pump();
    }
    entry.resolve(result);
  } catch (err) {
    // Reject the queued task, then pump next
    entry.reject(err as Error);
    const completedCurrentGeneration = completeTask(state, taskId, taskGeneration);
    if (completedCurrentGeneration) {
      pump();
    }
  }
})();

Key points:

1. The timeout rejects the current task and unblocks the lane — the queued messages behind it get processed
2. The timeout duration should be configurable (e.g., gateway.laneTaskTimeoutMs) so users with slow upstream APIs can increase it
3. timer.unref() prevents the timer from keeping the process alive if everything else completes normally
4. This doesn't fix the root cause of hung fetches (OS-level socket hang), but it provides automatic recovery without requiring a gateway restart

Additional: health check for stuck lanes:

A companion diagnostic endpoint could expose lane state for monitoring:

// Expose via /health or /status:
{ 
  lane: 'session:agent:main:treehouse-sess-mmthhrfo-6vvcjy',
  waitedMs: 215576, 
  queueAhead: 2,
  status: 'stuck'  // if waitedMs > threshold
}

The existing lane wait exceeded diagnostic log already detects this — exposing it via the health endpoint would enable automated alerts before users notice the hang.

[kyletabor]

PR submitted: #48690

Implements the Promise.race wrapper approach (option a from the issue) with a configurable taskTimeoutMs parameter on enqueueCommandInLane. Default timeout is 5 minutes; callers can pass 0 or Infinity to opt out for legitimately long-running tasks.

The fix is minimal and surgical — 2 files changed, no caller modifications needed. Existing callers get the default 5-minute safety net automatically. Includes 6 new tests covering timeout behavior, per-task configuration, diagnostic logging, and safe interaction with resetAllLanes generation bumps.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 8, 2026, 1:09 AM ET / 05:09 UTC.

Summary
Codex review failed: codex execution failed.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Include the exact command, prompt, or workflow that triggered it.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b8adc11977ab.

Label changes

Label changes:

• add clawsweeper:needs-info: Current issue advisory state selects this label.
• remove P2: Current review triage priority is none.
• remove clawsweeper:no-new-fix-pr: Current issue advisory state no longer selects this label.
• remove clawsweeper:linked-pr-open: Current issue advisory state no longer selects this label.
• remove impact:session-state: Current review selected no impact labels.
• remove impact:message-loss: Current review selected no impact labels.
• remove clawsweeper:not-repro-on-main: Current issue advisory state no longer selects this label.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this issue with exit 1.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.