Session write lock timeout freezes gateway when session file is large (>300KB)

[njuboy11]

Summary

When a session transcript grows large (300KB+), writing to the session file can take longer than the default lock acquisition timeout (60 seconds). This causes repeated SessionWriteLockTimeoutError failures, rendering the gateway unresponsive and requiring manual restarts.

Environment

• OpenClaw version: v2026.5.22-beta.1
• OS: Linux (Ubuntu 24.04, x64)
• Session file size at failure: ~400KB
• Session activity: ~40+ turn debugging session with multiple file reads/writes

Steps to Reproduce

1. Run a long conversation (40+ turns) with many tool calls and file modifications
2. Session file grows to 300KB+
3. Multiple processes try to write to the same session file (e.g. main gateway + completion sub-process)
4. Lock holder takes >60s to complete write
5. Other processes wait for lock, timeout after 60s -> SessionWriteLockTimeoutError

Expected Behavior

If a session write lock is held by a process that exceeds maxHoldMs (currently 5 minutes), the lock should be reclaimable by other processes during acquisition.

Actual Behavior

The shouldReclaim callback in acquireSessionWriteLock checks 6 stale conditions (missing PID, dead PID, recycled PID, too-old per staleMs, non-openclaw owner, orphan self-lock) but does NOT check maxHoldMs. So even when a live process holds the lock for well over 5 minutes, other processes wait 60 seconds then throw SessionWriteLockTimeoutError.

Log evidence:

error: Embedded agent failed before reply: session file locked (timeout 60000ms): 
  pid=98386 /root/.openclaw/agents/main/sessions/xxx.jsonl.lock

The watchdog timer (runLockWatchdogCheck) DOES enforce maxHoldMs, but it only runs every 60 seconds and is a separate mechanism from lock acquisition. The acquisition timeout fires before the watchdog can act.

Root Cause

In src/agents/session-write-lock.ts, the shouldReclaim callback inside acquireSessionWriteLock never consults maxHoldMs. The maxHoldMs value is stored as metadata but only used by the background watchdog, not during lock acquisition.

The relevant shouldReclaim logic only uses staleMs (30min default), never maxHoldMs (5min default). A lock could be held for 10 minutes by a live process, and shouldReclaim would still return false because the PID is alive and the age hasn't exceeded staleMs.

Workaround

Set environment variables to increase timeout and reduce staleness threshold:

OPENCLAW_SESSION_WRITE_LOCK_ACQUIRE_TIMEOUT_MS=120000
OPENCLAW_SESSION_WRITE_LOCK_STALE_MS=300000

Proposed Fix

In shouldReclaim, also enforce maxHoldMs: if nowMs - createdAt exceeds maxHoldMs, treat the lock as reclaimable (add "hold-exceeded" to staleReasons). This makes the acquisition path respect the same maxHoldMs constraint that the watchdog already enforces.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-23 15:50 UTC / May 23, 2026, 11:50 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main still resolves maxHoldMs but does not use it in the acquisition-time reclaim decision, and there is now an open same-author fix PR with closing syntax, so this issue should wait for that PR to be reviewed and either landed or closed.

Reproducibility: yes. at source level: a live lock older than maxHoldMs but younger than staleMs will not be marked stale by current inspectLockPayload during acquisition. I did not run a live multi-process reproduction in this read-only review.

Next step
A same-author open PR already uses closing syntax for this issue, so ClawSweeper should not create a parallel repair lane before that PR is reviewed.

Review details

Best possible solution:

Review the linked fix PR, add or require focused acquisition-time regression coverage if needed, then close this issue when that PR lands or when maintainers choose a different lock-safety policy.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: a live lock older than maxHoldMs but younger than staleMs will not be marked stale by current inspectLockPayload during acquisition. I did not run a live multi-process reproduction in this read-only review.

Is this the best way to solve the issue?

Yes in direction: making acquisition-time reclaim respect the existing max-hold policy is the narrow fix, but the paired PR should be reviewed with a focused regression test before this issue closes.

Label changes:

• add P1: The report describes a current user-facing gateway hang requiring manual restart in the session transcript write path.
• add impact:crash-loop: The issue is about gateway unresponsiveness and restart-required availability failure after repeated session lock timeouts.
• add impact:session-state: The affected surface is session transcript persistence and lock ownership state.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes a current user-facing gateway hang requiring manual restart in the session transcript write path.
• impact:crash-loop: The issue is about gateway unresponsiveness and restart-required availability failure after repeated session lock timeouts.
• impact:session-state: The affected surface is session transcript persistence and lock ownership state.

What I checked:

• Current acquisition path omits maxHoldMs: acquireSessionWriteLock resolves maxHoldMs and stores it as held-lock metadata, but the shouldReclaim callback only passes staleMs into inspectLockPayloadForSession and shouldReclaimContendedLockFile. (src/agents/session-write-lock.ts:741, b6530beb05da)
• Stale inspection only checks staleMs: The current stale reason calculation marks missing/dead/recycled PID, invalid createdAt, and ageMs > staleMs; there is no ageMs > maxHoldMs condition in the current-main source. (src/agents/session-write-lock.ts:471, b6530beb05da)
• Watchdog uses maxHoldMs separately: runLockWatchdogCheck does enforce maxHoldMs for locks already held by this process, matching the issue's claim that max-hold is enforced by the background watchdog rather than the acquisition callback. (src/agents/session-write-lock.ts:253, b6530beb05da)
• Docs describe maxHoldMs as watchdog-only today: The docs say staleMs controls when an existing lock can be reclaimed as stale, while maxHoldMs controls the in-process watchdog release threshold. Public docs: docs/reference/session-management-compaction.md. (docs/reference/session-management-compaction.md:100, b6530beb05da)
• Regression coverage gap: The current focused tests cover watchdog release with maxHoldMs, but the inspected test slice does not show acquisition-time reclaim coverage for a live lock older than max hold and younger than staleMs. (src/agents/session-write-lock.test.ts:314, b6530beb05da)
• Open paired fix PR: GitHub search found fix(session-lock): enforce maxHoldMs in shouldReclaim during lock acquisition #85764 open from the same author; its body contains closing syntax for this issue and its diff passes maxHoldMs into the acquisition inspection path. (7ae2720aa64f)

Likely related people:

• amknight: Authored the merged session write-lock scope/config plumbing commit that introduced the stale/max-hold configuration surface across the central session-lock path. (role: feature-history contributor; confidence: high; commits: 8a060b2904d4; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts, docs/reference/session-management-compaction.md)
• steipete: Remote file history shows multiple recent changes on the central session-lock implementation and tests, including non-reentrant/default behavior and later QA stabilization touches. (role: recent area contributor; confidence: medium; commits: cc91ff04ccac, 35ec4a9991fd, 844f1dd87a64; files: src/agents/session-write-lock.ts, src/agents/session-write-lock.test.ts)
• vincentkoc: Recent history includes session-lock cleanup/listener work and documentation touches near the same session maintenance surface. (role: adjacent lock cleanup contributor; confidence: medium; commits: f00f0a95968f, 736f627fb558; files: src/agents/session-write-lock.ts, docs/reference/session-management-compaction.md)

Remaining risk / open question:

• The linked open PR changes live-lock reclaim behavior but its current diff appears to lack a focused regression test for acquisition-time max-hold reclaim.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b6530beb05da.