Gateway WS handler CPU-spin starvation reproduces on Raspberry Pi 5 / ARM64 across 4.26 → 4.29; clean rollback to 4.23 every time

[jsc2304]

Summary

Every release of OpenClaw since 2026.4.24 produces the same boot-time WebSocket handler starvation on a Raspberry Pi 5 / ARM64 native systemd install. The gateway's [gateway] ready line fires, plugin/channel providers register, but the gateway pegs ~100% on a single CPU core and the WS handler on 127.0.0.1:18789 either never responds or responds intermittently with degraded latency. Internal subsystems (memory-core ↔ cron-service) cannot reach each other while the event loop is starved. The 2026.4.23 rollback is clean every time — within ~30s the gateway reports Connect: ok ~30 ms with idle CPU.

This was previously reported via comments on #73655 and #74323 (closed as duplicate of #73655). Filing this as a dedicated tracking issue because the symptom now reproduces unchanged across three consecutive upgrade attempts on this host (4.26, 4.27 (skipped after release-note read), 4.29) — including 4.29 which carries explicit Refs #73655 and Refs #72338 fixes intended to address it.

Environment

• OpenClaw: tested 2026.4.26 (be8c246), 2026.4.29 (a448042). Last known-good: 2026.4.23 (a979721).
• Hardware: Raspberry Pi 5 (8 GB), ARM64 (aarch64)
• OS: Linux 6.12.62+rpt-rpi-2712 (64-bit, Debian-derived)
• Node: tested both v22.22.2 and v24.15.0 (NodeSource apt). Symptom changes shape with Node version (see below) but does not go away.
• Install: npm i -g openclaw into ~/.npm-global
• Gateway: systemctl --user openclaw-gateway (loopback only, no remote, no reverse proxy)
• Plugins: telegram (3 accounts), discord, memory-core, embedded acpx, browser-control. No Manifest plugin, no Lark, no Polymarket — different from Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 reporter's stack.

Reproduction

# Pre-flight (every attempt)
cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak-pre-update
rm -rf ~/.openclaw/plugin-runtime-deps/openclaw-unknown-*
rm -rf ~/.openclaw/plugin-runtime-deps/openclaw-2026.4.<old>-*

# Update
openclaw update --yes
# → "Update Result: OK", doctor passes (~60-160s, varies)

# Health
openclaw gateway probe
# → "Connect: failed - timeout" repeatedly for 4-8+ minutes

The gateway log shows:

[gateway] ready                                           (within 8s)
[plugins] embedded acpx runtime backend registered        (+12s)
[browser/server] Browser control listening on http://127.0.0.1:18791/   (+15s, this works)
[telegram] [<account>] starting provider                  (+30-180s, varies wildly)
[discord] [default] starting provider
[plugins] memory-core: managed dreaming cron could not be reconciled (cron service unavailable).   ← starvation marker
[ws] closed before connect ... code=1006                  (repeating, while CPU pegged)

ss -tln | grep :18789 shows the listener up with Recv-Q=1 (one queued connection unserviced). top -bn1 -p $(MainPID) shows 90-280% CPU sustained. curl -m3 -H 'Connection:Upgrade' -H 'Upgrade:websocket' -H 'Sec-WebSocket-Key: dGVzdA==' -H 'Sec-WebSocket-Version: 13' http://127.0.0.1:18789/ returns 0 bytes after 3s.

Symptom variations across attempts

Attempt	Versions	Symptom
1	Node 22.22.2 + 4.26	WS handler completely dead from boot; recv-Q stuck; probe times out indefinitely (>5 min waited)
2	Node 24.15.0 + 4.26	WS handler intermittently responds after ~3 min; one probe succeeds with 435 ms RPC, next probe times out; CPU 100%+ pegged
3	Node 24.15.0 + 4.29	Same as #2; 8+ min after boot CPU still pegged 100%, 6/6 fresh probes timeout, internal cron-service unreachable

The 4.26 changelog #72720 fix ("skip CLI startup self-respawn for foreground gateway runs so low-memory Linux/Node 24 hosts start through the same path … without hanging before logs") does help — on Node 22 the gateway never reaches a state where any probe can succeed; on Node 24 it eventually serves a few. But that fix only addresses the observable liveness, not the underlying event-loop starvation.

What 4.29 changes (and what it does not)

What worked as documented:

• Fixes #74692 (sqlite-vec mirrored into bundled-plugin runtime-deps) — verified after rollback that memory-graph stats returns the correct rows; vector extension loads fine. So the fix is good, just lands inside a release whose other regressions block the upgrade for this host.

What did not change the symptom on this hardware:

• Refs #73655 (conservative stuck-session recovery that releases only stale session lanes…) — no observable effect on the boot-time CPU peg. The starvation appears to begin during plugin/runtime-deps materialization, before any session lane could be marked stuck.
• Refs #72338 (subagents/runs.json file-signature caching) — no observable effect; CPU stays pegged for >8 min post-restart with the new cache in place.

Possible root cause angle

This is one host's read, not a diagnosis: the symptom feels less like leak (1) Manifest EADDRINUSE retry and more like a pre-session starvation source — runtime-deps materialization, mirror staging, model-pricing fetch, or plugin-discovery work — that owns the event loop during and after [gateway] ready. Two specific observations:

• This host has no 2099/2100 Manifest listener, so leak (1) of Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 cannot apply.
• The cron service unavailable log line fires during the CPU peg, not after a queued reply. That suggests internal RPC contention rather than session-write-lock starvation.

Whatever it is, it scales with something Pi5-specific (slow disk? ARM64 jit warm-up? lower core count vs the m1/m2 reporters?) since the same 4.26 → 4.29 upgrade reportedly works on faster-ARM64 mac hosts (per #74323's macOS reporter, after they reverted to a working 4.26).

Workaround

npm i -g openclaw@2026.4.23
systemctl --user daemon-reload && systemctl --user restart openclaw-gateway
# Reachable in ~30s, RPC ~30ms, idle CPU 0%, RSS ~650MB. No data loss across the round-trip.

What I can capture next time

If a maintainer wants targeted evidence on the next attempt, I can capture any of:

• OPENCLAW_GATEWAY_STARTUP_TRACE=1 per-phase timings and lookup-table counts
• per-thread CPU samples on the gateway PID (top -H -p $PID)
• signal-handler counts (/proc/$PID/status | grep Sig, plus the MaxListenersExceededWarning mentioned in Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 if it appears)
• lsof -p $PID snapshot during the peg
• strace -c -p $PID 30s sample to see which syscalls dominate
• raw gateway log (StandardOutput=append: is configured)
• any other capture you'd like

Happy to retry the upgrade on this host with capture instrumentation as soon as someone is in a position to consume the evidence. Holding on 4.23 until then.

Cross-references

• Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 — Gateway leak triad, root-cause hypothesis (still open). My prior 4.26 reproduction comment: Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 (comment) . 4.29 reproduction comment: Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 (comment)
• Gateway WebSocket handshake timeout on loopback affects active-memory, streaming, and embedded runs #74323 — closed as duplicate of Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655.
• Gateway CPU spin causes Telegram replies to stall and status probe to time out #72338 — earlier CPU-spin pattern (filed against 4.24).

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. The report is recent and now has strong Pi5 profiling that ties most CPU spin to model normalization and plugin manifest churn, while current main contains later mitigations that have not yet been retested on the affected host and do not prove the residual WS/RPC latency is gone.

Reproducibility: yes. on the reporter's Pi5 for 2026.4.26, 2026.4.29, and main a301df0, with concrete upgrade, probe, CPU, rollback, and V8 profile data. This read-only checkout cannot reproduce the ARM64 systemd host, and current HEAD has not been retested there.

Next step
Needs maintainer or reporter hardware validation before a safe fix PR because current main includes post-report mitigations and the remaining failure mode is not isolated to one narrow source edit.

Review details

Best possible solution:

Retest current HEAD on the affected Pi5 with startup trace and a Node profile, then fix the remaining blocking Gateway/model-catalog/plugin startup path only if the residual WS/RPC latency still reproduces.

Do we have a high-confidence way to reproduce the issue?

Yes on the reporter's Pi5 for 2026.4.26, 2026.4.29, and main a301df0, with concrete upgrade, probe, CPU, rollback, and V8 profile data. This read-only checkout cannot reproduce the ARM64 systemd host, and current HEAD has not been retested there.

Is this the best way to solve the issue?

Unclear. The current-main mitigations are targeted and plausible, but the branch test still showed flapping RPC latency and there is no affected-host proof that d3e529 is stable enough to close this issue.

What I checked:

• affected_host_profile_matches_model_normalization_hotpath: The reporter's latest comment profile on plain main a301df0 shows heavy getPackageScopeConfig/syscall time and a strong match for the provider-model normalization cascade; their test of the fix(tui): cache normalizeDiscoveredPiModel to stop 100% CPU busy-loop #75503 branch reduced syscall ticks by 64%, allowed providers to start, and removed event_loop_delay warnings, but still left 3-5s status/config/health RPCs. (a301df06)
• current_main_skips_normalization_in_context_warmup: Current main now calls discoverModels with normalizeModels: false during context-window warmup, directly targeting the profile path where model discovery normalization repeatedly entered provider/plugin hooks. (src/agents/context.ts:240, d3e529255142)
• normalization_hook_still_exists_for_other_model_discovery_paths: normalizeDiscoveredPiModel still performs provider runtime, compat, and transport hook normalization, and discoverModels still maps getAll/getAvailable/find through it unless callers opt out, so current main has mitigations rather than proof that every Pi5 hot path is gone. (src/agents/pi-model-discovery.ts:70, d3e529255142)
• gateway_model_catalog_is_cached_after_success: Gateway model catalog loading now caches a successful catalog, coalesces in-flight refreshes, and serves the last catalog while stale refreshes run in the background, which is relevant to repeated model-catalog stalls but not affected-host proof. (src/gateway/server-model-catalog.ts:76, d3e529255142)
• pricing_refresh_deferred_after_ready_path: Current main defers optional model-pricing refresh until scheduled services activate after the Gateway runtime path, reducing another suspected startup blocker, with tests covering that pricing bootstrap is inert during initial runtime setup. (src/gateway/server-runtime-services.ts:92, d3e529255142)
• startup_still_has_plugin_and_sidecar_surfaces: Gateway startup still prepares plugin bootstrap/lookup-table work before runtime state and starts channels/sidecars after a setImmediate, so the area named by the report remains the relevant owner surface for any residual Pi5 stalls. (src/gateway/server.impl.ts:582, d3e529255142)

Likely related people:

• steipete: Authored the current-main fixes most adjacent to this report: skipping model normalization during context warmup, deferring Gateway pricing refresh, restoring provider catalog listing, and earlier provider metadata/runtime split work. (role: recent maintainer and adjacent Gateway/model startup owner; confidence: high; commits: f727fbc775dd, 0e8bd8e75c4c, 56c4f9761c75; files: src/agents/context.ts, src/gateway/server-runtime-services.ts, src/gateway/server-model-catalog.ts)
• scoootscooob: Authored the current-main startup control-plane retry commit in the Gateway startup area named by the report. (role: recent Gateway startup maintainer; confidence: medium; commits: ccb847e46f1b; files: src/gateway/server.impl.ts, src/gateway/server-startup-post-attach.ts, CHANGELOG.md)
• vincentkoc: Earlier history connects this maintainer to provider hook runtime seam work and Gateway first-turn startup readiness, both adjacent to model-catalog and WS readiness behavior. (role: provider hook and Gateway readiness history owner; confidence: medium; commits: a7436c8b4a93, f85cfc8b6c7e; files: src/plugins/provider-hook-runtime.ts, src/gateway/server-model-catalog.ts, src/gateway/server.impl.ts)

Remaining risk / open question:

• Current HEAD d3e529 has not been retested on the affected Raspberry Pi 5 after the model-normalization and pricing-refresh mitigations landed.
• The reporter saw residual 3-5s status/config/health RPC latency even after the fix(tui): cache normalizeDiscoveredPiModel to stop 100% CPU busy-loop #75503 branch improved the CPU-spin path, so another Gateway or session startup blocker may remain.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d3e529255142.

[TheCrazyLex]

@jsc2304 There were some possibly related hotpath fixes on the main branch. Could you try again with a fresh install from main branch?

[jsc2304]

@TheCrazyLex Tested a fresh build from main (HEAD a301df06, ~10 minutes after your suggestion). Result: substantial improvement in failure mode but still not stable on this Pi5, and the new diagnostic telemetry from 4.27 makes the symptom much more legible.

Setup

git clone --depth=50 https://github.com/openclaw/openclaw.git openclaw-main
cd openclaw-main
pnpm install --frozen-lockfile          # 56s
pnpm build                                # 1m37s
systemctl --user stop openclaw-gateway   # stop 4.23
node dist/index.js gateway --port 18789  # main in foreground

Build clean. (Discord opus native module fails to compile but is harmless for our setup.)

What changed

Better than 4.26 / 4.29

• CPU is no longer pegged. Steady-state ~0% instantaneous, ~20% lifetime-average from boot work. Compare to 4.29 which sustained 100%+ on a single core for >8 minutes.
• Internal RPCs do respond. The log shows successful health, system-presence, status, config.get round-trips, none of the cron service unavailable markers from 4.26/4.29.
• No EADDRINUSE retry loop, no MaxListenersExceededWarning, no sticky-IPv4 fallback — leaks (1) and (2) from Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 don't appear in this configuration.

Still broken

The new [diagnostic] liveness warning lines (which I think are the 4.27 Refs #72338 payload-free liveness diagnostics — really helpful, thanks for adding these) tell the story directly:

2026-05-01T18:31:52  reasons=event_loop_delay  eventLoopDelayMaxMs=9512.7  cpuCoreRatio=0.576
2026-05-01T18:33:52  reasons=event_loop_delay  eventLoopDelayMaxMs=3361.7  cpuCoreRatio=0.215
2026-05-01T18:36:22  reasons=event_loop_delay  eventLoopDelayMaxMs=3158.3  cpuCoreRatio=0.169
2026-05-01T18:38:23  reasons=event_loop_delay  eventLoopDelayMaxMs=3435.1  cpuCoreRatio=0.273

Event loop is being blocked 3+ seconds at a time, every 2-3 minutes, with an initial spike of 9.5 seconds. That's why every individual status RPC takes 3000-3900ms in the log:

[ws] ⇄ res ✓ status 3257ms
[ws] ⇄ res ✓ config.get 3686ms
[ws] ⇄ res ✓ status 3370ms

openclaw gateway probe has a 4s default budget for the read step, so it lands inside or past the block window randomly — 8/8 of my external probes timed out, even though the internal handler is technically alive. After 10 minutes uptime, 0 chat providers had started (grep -c "starting provider" log → 0); only embedded acpx had registered.

Net assessment

main has eliminated the 100%-CPU-peg + cron-service-starvation outer symptom. Underneath, the event loop is still being blocked for multi-second stretches by something, which makes the gateway functionally unable to (a) finish booting chat providers within a useful window, and (b) serve external WS clients within typical timeout budgets. So on this Pi5 the failure has shifted from "fully starved" to "crippled but partially responsive."

Hypothesis

The eventLoopDelayMaxMs=9512.7 at the very first 30s interval — versus 3000-3500ms in subsequent intervals — looks like a single very expensive blocking operation during early startup, with smaller follow-on blocks every couple minutes. Candidates that fit "long sync work on Pi5 ARM64 / NVMe" but are nominally async:

• runtime-deps mirror materialization or fingerprint computation
• plugin chunk scanning / staged-package entry verification
• model catalog discovery and pricing-cache rebuilds

One concrete possibility: a CPU-bound crypto/hash loop or a JSON.parse of a large file running on the main thread without yielding.

What I'd capture next if useful

Now that we know the gateway does reach a serving state, focused captures should be tractable:

• OPENCLAW_GATEWAY_STARTUP_TRACE=1 per-phase event-loop delay timings (the 4.26 changelog item suggests this exists)
• node --cpu-prof over the first 60s of startup (the 9.5-second block is the biggest single signal)
• per-thread CPU samples (top -H -p $PID) during the event-loop-delay warnings
• strace -c -p $PID for 30s during a blocking interval

Tell me which would be most actionable and I'll re-build, capture, and post.

Rolled back to 4.23

Killed the main process, restarted the 4.23 systemd unit. Reachable in ~4 minutes (slower than usual, probably because main and 4.23 shared some cache state during the test). Final probe: Connect: ok (32ms) · RPC: ok. Memory v3 graph state preserved (1302 entities / 2312 relations / 96 sources). Production back online.

[hexsprite]

This symptom matches a separate root cause cluster I diagnosed tonight on macOS that has open PRs but is not in 4.29. Sharing in case you're willing to test against the branches — your deterministic Pi5 repro would be a valuable signal.

Two distinct bugs feeding the same gateway CPU peg:

#75439 — heartbeat exec-event runaway (open, CI green)

requestHeartbeatNow({reason: "exec-event"}) from backgrounded process.start exits (src/agents/bash-tools.exec-runtime.ts:347) bypasses the nextDueMs cooldown gate. Heartbeat run uses backgrounded bash → bash exits → exec-event wake → fires another heartbeat run → loop. Configured every: "30m" actually fires every ~10s on my workstation, with eventLoopDelayMaxMs >6s per liveness warning.

If your openclaw.json has heartbeat enabled (default on for many configs with telegram), this is one source of the post-[gateway] ready peg you're seeing.

Branch: hexsprite:fix/heartbeat-cooldown-non-interval-wakes. Originally filed as #75436, consolidated under #64016.

#75503 — TUI/gateway model-discovery normalize cascade (open, CI green)

pi-model-discovery.ts wraps registry.getAvailable() to call normalizeDiscoveredPiModel for every discovered model on every call. Each normalization fires three plugin-resolution hooks; each hook calls loadPluginManifestRegistry which iterates ALL plugin candidates and opens each manifest file via openBoundaryFileSync (= fs.openSync + fstatSync + closeSync, even on the per-manifest cache-hit path).

For ~50 discovered models × 3 hooks × ~50 plugin manifests = ~7,500 manifest open/stat/close cycles per getAvailable() call. Synchronous. Pegs the JS main thread.

The gateway calls this from loadGatewayModelCatalog (src/gateway/server-model-catalog.js). Symptom on M1 Mac: 100% CPU for ~40s during startup model resolution. On Pi5 ARM64 with SD-card storage where each fstatSync can take 10-50ms instead of microseconds, that 7,500-stat burst becomes 75s–6min instead of <1s — which lines up with your "8+ min after boot CPU still pegged" observation. Also fits "starvation appears to begin during plugin/runtime-deps materialization, before any session lane could be marked stuck" since this fires in ensureContextWindowCacheLoaded very early in boot.

Filed as #75137. Branch: hexsprite:fix/tui-cpu-normalize-model-cache. Diagnosis used Node --prof (not the inspector profiler — that one falsely reports (idle) because the JS isolate is saturated by a tight call chain that can't be sampled). The same diagnosis pattern would apply on Pi5 to confirm.

Capture I'd ask for if you can repro

If you set NODE_OPTIONS="--prof" for one boot and let the gateway run for ~30s before killing it, the resulting isolate-*-v8.log processed with node --prof-process should show one of:

1. Hot leaf in node::SocketAddressBlockListWrap::Initialize with the parent stack going through getPackageScopeConfig / loadPluginManifestRegistry / normalizeDiscoveredPiModel — that's fix(tui): cache normalizeDiscoveredPiModel to stop 100% CPU busy-loop #75503's fingerprint.
2. Many embedded run start: messageChannel=heartbeat lines in gateway.log with ~10s gaps — that's fix(heartbeat): centralized cooldown gate prevents exec-event runaway #75439's fingerprint.
3. Something else entirely — meaning your hardware exposes another path Gateway leak triad on plugin restart: Manifest EADDRINUSE retry loop, signal-handler accumulation, sync I/O on session JSONL → WS handshake starvation #73655 still hasn't covered.

If maintainers want a Pi5 validation before merging, this would close the loop on a real ARM64 environment.