fix: session write lock race — async release can delete newly-acquired lock

[jamie8johnson]

Session write lock race: release can destroy a freshly acquired lock

Summary

In src/agents/session-write-lock.ts, releaseHeldLock deletes the session key from the in-memory HELD_LOCKS Map (line 149) before starting the async file cleanup (handle.close() + fs.rm(), lines 150-161). This opens a race window where a concurrent acquireSessionWriteLock for the same session can acquire a new lock, only for the old release's deferred fs.rm to delete the new lock file out from under it.

Affected platforms

• macOS and Windows: always exploitable. getProcessStartTime() returns null on non-Linux platforms, so lock files never contain starttime. This means shouldTreatAsOrphanSelfLock (line 389) always reaches its !HELD_LOCKS.has() check for same-PID contention.
• Linux: exploitable only when /proc/<pid>/stat is unreadable (containers with restricted /proc, or unusual security policies), since a valid starttime in the payload causes shouldTreatAsOrphanSelfLock to return false early (line 398-399).

Step-by-step race scenario

Precondition: Process P holds a write lock on session S. Lock file exists at S.jsonl.lock with pid = P.pid and no starttime (macOS/Windows).

1. P calls release() for session S — enters releaseHeldLock.
2. Line 149: HELD_LOCKS.delete(normalizedSessionFile) executes synchronously. The Map no longer has session S.
3. Line 150: The async IIFE starts — handle.close() begins but has not resolved.
4. P calls acquireSessionWriteLock for session S (e.g., reentrant agent writing to the same transcript). A microtask or concurrent call from the same event loop tick.
5. Line 503: fs.open(lockPath, "wx") fails with EEXIST — the old lock file still exists on disk.
6. Line 541: readLockPayload reads the old lock file. Payload has pid = process.pid, no starttime.
7. Line 544: shouldTreatAsOrphanSelfLock is called:
   • pid === process.pid — true (same process)
   • hasValidStarttime — false (macOS, no /proc)
   • !HELD_LOCKS.has(normalizedSessionFile) — true (deleted at step 2)
   • Returns true
8. Line 548-556: reclaimDetails is constructed with stale: true forced and "orphan-self-pid" added to reasons.
9. Line 557: shouldReclaimContendedLockFile returns true (stale is true, reasons include "orphan-self-pid" which doesn't match the mtime-fallback filter).
10. Line 558: fs.rm(lockPath, { force: true }) — deletes the old lock file. continue re-enters the loop.
11. Line 503: fs.open(lockPath, "wx") succeeds — new lock file created, written, stored in HELD_LOCKS.
12. Meanwhile: The old release's async IIFE (from step 3) resumes. handle.close() completes, then line 157: fs.rm(held.lockPath, { force: true }) executes — deleting the new lock file.

Result: Process P believes it holds the session write lock (entry exists in HELD_LOCKS with a valid handle), but the lock file no longer exists on disk. Any other process can now open("wx") the same path and obtain a concurrent "lock" on the same session.

Impact

• Session transcript corruption: Two processes (or two agents in the same process) can write concurrently to the same .jsonl session file, interleaving or overwriting each other's JSON lines.
• Silent failure: The lock holder has no indication that its lock file was deleted. The HELD_LOCKS entry still exists, the handle is still open (pointing at a now-unlinked inode on Linux, or a deleted-but-cached file on macOS/Windows).
• Watchdog blind spot: The watchdog timer checks HELD_LOCKS entries but doesn't verify the lock file still exists on disk.

Suggested fixes

Option A — "releasing" guard set (minimal change):

Add a RELEASING_LOCKS: Set<string> alongside HELD_LOCKS. In releaseHeldLock, add the key to RELEASING_LOCKS before deleting from HELD_LOCKS, and remove it from RELEASING_LOCKS after the async fs.rm completes. In shouldTreatAsOrphanSelfLock, return false if RELEASING_LOCKS.has(normalizedSessionFile).

const RELEASING_LOCKS = new Set<string>();

// In releaseHeldLock, around line 149:
RELEASING_LOCKS.add(normalizedSessionFile);
HELD_LOCKS.delete(normalizedSessionFile);
held.releasePromise = (async () => {
  try { await held.handle.close(); } catch {}
  try { await fs.rm(held.lockPath, { force: true }); } catch {}
  finally { RELEASING_LOCKS.delete(normalizedSessionFile); }
})();

// In shouldTreatAsOrphanSelfLock:
if (RELEASING_LOCKS.has(params.normalizedSessionFile)) {
  return false;
}

Option B — move delete after async IO (simpler but changes semantics):

Move HELD_LOCKS.delete(normalizedSessionFile) to after the fs.rm completes (inside the async IIFE, after line 157). This keeps the entry visible in HELD_LOCKS during the entire cleanup, so shouldTreatAsOrphanSelfLock returns false and the acquirer waits/retries normally.

The downside is that HELD_LOCKS.size remains non-zero during cleanup, which keeps the watchdog running slightly longer, but this is harmless.

Option B is simpler and more correct — the lock should be considered "held" until cleanup actually finishes, not just until cleanup starts.

[jamie8johnson]

Update after deeper investigation: The risk is lower than initially described.

On Linux (primary deployment), the starttime field in the lock payload prevents shouldTreatAsOrphanSelfLock from firing (line 398-399 returns false when starttime is valid), so a concurrent acquirer would go through normal staleness checks rather than instant reclaim. The on-disk lock file (EEXIST on fs.open('wx')) provides an additional guard. No current caller exhibits a release-then-immediately-re-acquire pattern on the same session.

On macOS/Windows where getProcessStartTime() returns null, the orphan-self-lock path could fire, but the lock would also need to pass normal staleness checks first.

Revised severity: Low/theoretical. Consider leaving as-is or adding a code comment documenting the ordering intent.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still deletes the in-memory held-lock entry before async close/unlink cleanup completes, and the same-PID/no-starttime orphan path can still reclaim and remove the lock file during that gap; the reporter's follow-up lowers practical severity but does not harden the primitive.

Reproducibility: yes. A high-confidence source-level reproduction is to call release() without awaiting it, reacquire the same session while the old lock file still exists, and use a same-PID payload without starttime so orphan-self detection observes no HELD_LOCKS entry.

Next step
This is a valid, narrow correctness repair with clear files and validation; no open PR specifically fixes this release race, though the worker must account for same-helper overlap with #71903.

Review details

Best possible solution:

Harden the lock primitive by keeping the held entry visible until close/unlink cleanup finishes or adding an explicit releasing guard, then cover unawaited release plus same-session reacquire with a focused regression test.

Do we have a high-confidence way to reproduce the issue?

Yes. A high-confidence source-level reproduction is to call release() without awaiting it, reacquire the same session while the old lock file still exists, and use a same-PID payload without starttime so orphan-self detection observes no HELD_LOCKS entry.

Is this the best way to solve the issue?

Yes. A narrow fix in src/agents/session-write-lock.ts is the best path; it should preserve dead-PID and verified recycled-PID cleanup while preventing release-in-progress cleanup from deleting a fresh lock.

Acceptance criteria:

• pnpm test src/agents/session-write-lock.test.ts
• pnpm exec oxfmt --check --threads=1 src/agents/session-write-lock.ts src/agents/session-write-lock.test.ts CHANGELOG.md
• pnpm check:changed via the normal Testbox path before handoff

What I checked:

• release-ordering-gap: releaseHeldLock removes the normalized session from HELD_LOCKS before starting the releasePromise that awaits handle.close() and removes the lock path. (src/agents/session-write-lock.ts:178, a0d53726137d)
• same-pid-no-starttime-reclaim: shouldTreatAsOrphanSelfLock still returns reclaimLockWithoutStarttime for same-PID lock payloads without starttime once HELD_LOCKS no longer contains the session. (src/agents/session-write-lock.ts:475, a0d53726137d)
• contended-acquire-removes-lock: On EEXIST, acquireSessionWriteLock inspects the payload and removes the contended lock file when the derived details are reclaimable, then retries acquisition. (src/agents/session-write-lock.ts:666, a0d53726137d)
• no-starttime-platform-condition: getProcessStartTime returns null off Linux and when /proc stat cannot be read or parsed, matching the issue's no-starttime condition. (src/shared/pid-alive.ts:47, a0d53726137d)
• adjacent-tests-not-race-regression: The colocated tests cover same-PID no-starttime reclaim and active in-process no-starttime locks, but there is no release-in-progress reacquire regression or releasing guard. (src/agents/session-write-lock.test.ts:502, a0d53726137d)
• current-callers-lower-exposure: Representative transcript and embedded-run cleanup paths await lock.release(), which lowers current practical exposure but does not remove the primitive-level race for unawaited or future callers. (src/agents/pi-embedded-runner/run/attempt.subscription-cleanup.ts:70, a0d53726137d)

Likely related people:

• steipete: Introduced the single-writer session lock and later maintained the release/cleanup and orphan-lock hardening area. (role: original introducer and recent maintainer; confidence: high; commits: 6668805aca17, f4782e1e730e, 1becebe188eb; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts)
• Vishal Doshi: Commit e91a5b0 added releaseHeldLock/releasePromise/watchdog behavior, including the delete-before-async-cleanup structure targeted here. (role: introduced current release helper/watchdog shape; confidence: high; commits: e91a5b021648; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts)
• bmendonca3: Commit 4985c56 added shouldTreatAsOrphanSelfLock and orphan-self-pid forced reclaim behavior that combines with the release ordering gap. (role: introduced orphan-self reclaim path; confidence: high; commits: 4985c561dfc4; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts)
• Cedric: Authored merged PR fix(agents): reclaim untracked self-owned session locks #75822, which recently changed self-owned session-lock recovery in the same files. (role: recent adjacent maintainer; confidence: medium; commits: 2f2bb7dac630; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts, CHANGELOG.md)
• Vincent Koc: Authored the recycled-PID starttime recovery follow-up that is adjacent to the same lock identity checks. (role: PID/starttime behavior contributor; confidence: medium; commits: 5a2200b28003; files: src/shared/pid-alive.ts, src/agents/session-write-lock.ts)

Remaining risk / open question:

• The practical exposure appears low because representative current callers await release(), but the lock helper itself still permits the race for unawaited or future callers.
• Open PR fix(session-write-lock): prevent lock removal when subprocess inherits parent PID #71903 changes the same orphan-self helper for a different bug, so a repair should coordinate semantics to avoid conflicting lock recovery behavior.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a0d53726137d.