fix: handle EPIPE errors on child process stdin writes#75602
Merged
Conversation
openclaw-barnacle
Bot
added
agents
Contributor
|
Codex review: needs changes before merge. What this changes: The PR adds stdin error listeners/write callbacks for iMessage RPC, MCP stdio sends, and runCommandWithTimeout input writes, plus regression tests and changelog entries. Required change before merge: A repair worker can make the remaining mechanical policy fix by adding allowed changelog attribution without changing runtime scope; maintainers still decide final merge scope among overlapping PRs. Security review: Security review cleared: The diff is limited to local child-process stdin error handling, tests, and changelog text, with no new dependency, workflow, permission, secret, package-resolution, download, or supply-chain surface. Review findings:
Review detailsBest possible solution: Land one maintainer-approved fix for #75438 that handles the iMessage RPC stdin failure locally, either keeps or splits the MCP/exec hardening by scope, adds required changelog attribution, and then supersedes the overlapping fix PRs. Do we have a high-confidence way to reproduce the issue? Yes. #75438 provides a concrete real crash signature, current main still has the unguarded stdin writes, and the PR adds focused mocked-stream tests for write callback and stdin error behavior. Is this the best way to solve the issue? Unclear. The runtime approach is plausible and matches the reported failure mode, but this exact branch is not merge-ready until the changelog entries are credited and maintainers choose the final scope among overlapping PRs. Full review comments:
Overall correctness: patch is incorrect Acceptance criteria:
What I checked:
Likely related people:
Remaining risk / open question:
Codex review notes: model gpt-5.5, reasoning high; reviewed against 7b3dfbf21407. |
amknight
force-pushed
the
ak/stdin-epipe-error-handling
branch
from
65afa79 to
9883e96
Compare
amknight
force-pushed
the
ak/stdin-epipe-error-handling
branch
from
9883e96 to
274f8a5
Compare
openclaw-barnacle
Bot
added
channel: imessage
amknight
force-pushed
the
ak/stdin-epipe-error-handling
branch
from
274f8a5 to
9e087ac
Compare
Fix three child-process stdin write paths that let async EPIPE errors escape to uncaughtException and crash the gateway. extensions/imessage/src/client.ts (the actual #75438 crash path): - Add child.stdin.on('error') listener in start() to catch async EPIPE and reject all pending requests via failAll(). - Add write callback to request() stdin.write() that rejects the specific pending request on error, instead of leaving it hanging until timeout. src/agents/mcp-stdio-transport.ts: - Fix write callback race in send(): previously resolved the promise immediately when write() returned true, then the write callback with EPIPE would fire after the promise was already fulfilled. Now always settles the promise from the write callback so the outcome is known before resolving. src/process/exec.ts: - Add stdin.on('error') before writing input so EPIPE from a prematurely-exited child is swallowed — the process exit handler reports the real status. One reporter observed a gateway crash after 10.5 hours of stable uptime — a single EPIPE on an iMessage RPC child process stdin write killed the gateway with code 1. Fixes: #75438
amknight
force-pushed
the
ak/stdin-epipe-error-handling
branch
from
9e087ac to
22e9656
Compare
ihnotic
added a commit
to ihnotic/openclaw
that referenced
this pull request
May 1, 2026
* refactor: trim provider discovery internal exports * refactor: trim voice runtime internal exports * fix(whatsapp): stage qrcode runtime dependency * refactor: trim stream helper internal exports * refactor: trim provider constant exports * fix: make Discord voice reconnect timing resilient * refactor: trim onboarding internal helpers * docs(sandboxing): clarify sandbox setup scripts require source checkout (openclaw#75594) Add inline docker build commands for npm-installed users who don't have the source checkout scripts. Update all docs referencing sandbox-setup.sh, sandbox-common-setup.sh and sandbox-browser-setup.sh to note they are source-checkout-only and link to the new inline instructions. Fixes openclaw#75485. * fix(plugins): skip update when bundled plugin version is newer than installed clawhub/marketplace version (openclaw#75604) * fix(plugin-sdk): restore deprecated reply pipeline compat exports * refactor: trim test support helper exports * test: stabilize Parallels update smokes * refactor: trim sessions spawn harness type exports * fix(gateway): refresh stale channel health cache * fix(agent): apply configured fast mode to embedded runs * fix(agent): default missing model cost metadata * fix(agent): honor explicit OpenAI SSE transport * fix(extensions): guard model and Twilio fetches * fix(cli): repair agent runtime deps during startup * fix(whatsapp): mirror qrcode from root runtime deps * refactor: trim sanitize history harness exports * refactor: trim subagent test helper exports * [codex] Defer status reaction cleanup (openclaw#75582) Summary: - The PR updates the shared status reaction controller to track active remove-capable reactions, defer cleanup until clear/restoreInitial, adjust controller and Slack lifecycle tests, add a changelog entry, and carries qrcode runtime-dependency mirror hunks from its older base. ClawSweeper fixups: - Included follow-up commit: fix: limit status reaction restore cleanup - Included follow-up commit: chore: merge main into status reaction cleanup - Included follow-up commit: fix: mirror qrcode runtime dependency Validation: - ClawSweeper review passed for head f3efcb4. - Required merge gates passed before the squash merge. Prepared head SHA: f3efcb4 Review: openclaw#75582 (comment) Co-authored-by: Peter Steinberger <[email protected]> Co-authored-by: Peter Steinberger <[email protected]> * refactor: trim runtime test helper type exports * refactor: delete unused test helpers * refactor: delete unused test support modules * fix(agents): trim trailing assistant turns and rewrite blank user messages in session repair (openclaw#75606) * fix(agents): trim trailing assistant turns and rewrite blank user messages in session repair Session-file repair now: - Trims trailing assistant messages so the JSONL never ends on role=assistant, preventing the Anthropic 400 prefill-loop that fires when thinking is enabled. (openclaw#75271) - Rewrites blank-only user messages to a synthetic '(continue)' placeholder instead of dropping them, so strict providers (Qwen/mlx-vlm, Anthropic) no longer reject transcripts missing a user turn. (openclaw#75313) Closes openclaw#75271, closes openclaw#75313. * refactor: clean up comments in session-file repair * fix(agents): preserve trailing assistant tool-call turns during session trim Mirror the outbound guard (stripTrailingAssistantPrefillTurns): skip assistant entries containing toolCall/toolUse/functionCall blocks so transcript repair can synthesize missing tool results. Addresses PR review feedback from clawsweeper on openclaw#75606. * refactor: delete unused contract test helpers * test: use built-in OpenAI provider in Windows smoke * fix: recover Discord voice auto-join after resume * refactor: trim cli test helper exports * fix: send twilio notify twiml directly * Prefer Codex native workspace tools (openclaw#75308) Summary: - The PR adds Codex dynamic-tool profile config defaulting to `native-first`, filters duplicate workspace/process/planning tools from Codex app-server thread payloads, keeps managed `web_search`, updates docs/manifest/config baselines/changelog, and adds regression tests. ClawSweeper fixups: - Included follow-up commit: test(codex): pin native-first tool catalog - Included follow-up commit: chore(config): refresh generated schema baseline - Included follow-up commit: chore: add codex native-first changelog - Included follow-up commit: chore: move native-first changelog entry - Included follow-up commit: chore: refresh config baseline after rebase Validation: - ClawSweeper review passed for head 30e5cec. - Required merge gates passed before the squash merge. Prepared head SHA: 30e5cec Review: openclaw#75308 (comment) Co-authored-by: Peter Steinberger <[email protected]> Co-authored-by: pashpashpash <[email protected]> * refactor: trim cli program test exports * refactor: trim command test helper exports * ci: stop parity gate on pull requests * chore: update dependencies * chore: sync whatsapp dependency lockfile * fix(agents): dedupe messaging tool replies by route * fix: handle EPIPE errors on child process stdin writes (openclaw#75602) Fix three child-process stdin write paths that let async EPIPE errors escape to uncaughtException and crash the gateway. extensions/imessage/src/client.ts (the actual openclaw#75438 crash path): - Add child.stdin.on('error') listener in start() to catch async EPIPE and reject all pending requests via failAll(). - Add write callback to request() stdin.write() that rejects the specific pending request on error, instead of leaving it hanging until timeout. src/agents/mcp-stdio-transport.ts: - Fix write callback race in send(): previously resolved the promise immediately when write() returned true, then the write callback with EPIPE would fire after the promise was already fulfilled. Now always settles the promise from the write callback so the outcome is known before resolving. src/process/exec.ts: - Add stdin.on('error') before writing input so EPIPE from a prematurely-exited child is swallowed — the process exit handler reports the real status. One reporter observed a gateway crash after 10.5 hours of stable uptime — a single EPIPE on an iMessage RPC child process stdin write killed the gateway with code 1. Fixes: openclaw#75438 * refactor: trim cron test helper exports * refactor: delete unused repo scan helper * fix: default Discord voice to explicit opt-in * refactor: trim test utility exports * fix: show google meet twilio call diagnostics * build: refresh a2ui bundle hash * refactor: trim auto reply test helper exports * fix(app): retry device tokens on pinned gateways (openclaw#75537) * test(e2e): add bundled plugin runtime smoke * test(e2e): activate channel rows for runtime smoke * test(e2e): let channel runtime smoke load channels * test(e2e): tolerate missing pgrep in runtime smoke * test(e2e): assert canonical TTS provider in smoke * test(e2e): satisfy runtime smoke lint * test(e2e): account for lazy plugin commands in smoke * test(e2e): give plugin runtime RPCs more headroom * test(e2e): share runtime deps across matrix probes * test(e2e): skip lazy tool catalog probes * test(e2e): isolate plugin matrix runtime deps * test(e2e): configure tts provider sections in matrix * fix(plugins): preserve requested speech fallback * test(e2e): harden bundled plugin runtime smoke * docs(changelog): credit plugin runtime smoke fix * fix(plugins): scope requested speech providers * fix(test): satisfy plugin smoke lint * fix(test): tolerate channel readiness degradation * refactor: trim gateway test helper exports * fix: allow doctor repair size drops * fix: async transcript I/O to unblock gateway event loop (openclaw#75595) * fix: async transcript I/O to unblock gateway event loop Two related fixes for event-loop starvation caused by synchronous file operations on session transcript files during gateway hot paths. ## sessions.list: yield between transcript reads (openclaw#75330) Extract filterAndSortSessionEntries() from listSessionsFromStore() and add a new listSessionsFromStoreAsync() that yields to the event loop via setImmediate every 10 session rows. The sessions.list RPC handler now uses the async version. The synchronous version is kept for callers that need it (sessions- resolve visibility checks, embedded backends, subagent tools). The dominant blocker is readSessionTitleFieldsFromTranscript(), which performs fs.statSync + fs.openSync + fs.readSync (head) + fs.readSync (tail) for every session row that requests derived titles or last- message previews. With 100+ sessions, this blocks the event loop for 32-64 seconds, starving WebSocket heartbeats, channel I/O, and concurrent RPC. ## session compaction: async file copy (openclaw#75414) Add captureCompactionCheckpointSnapshotAsync() using fs.promises for stat, copyFile, and unlink instead of fsSync equivalents. Switch both compact.ts and compact.queued.ts to the async version. The synchronous copyFileSync of large transcript files (20MB+ observed in production) was blocking the event loop for the entire copy duration — one reporter measured a 43-minute event loop block from a single compaction checkpoint capture. Refs: openclaw#75330, openclaw#75414 * test: cover async transcript I/O responsiveness * fix: avoid sync checkpoint metadata reads * refactor: trim agent test helper exports * fix(gateway): preflight strict agent delivery * fix(onboard): run noninteractive migration imports * fix(discord): send component-only native replies * fix(slack): send block-only slash replies * fix(telegram): send interactive-only button replies * fix(line): send quick-reply-only payloads * fix(auto-reply): keep docking in direct chats * fix(discord): pin text dm main route owner * fix(channels): pin dm main route owners * fix(update): verify daemon restart port * fix(update): use service env for doctor * refactor: trim status scan test exports * slack: persist thread participation best-effort (openclaw#75583) * refactor: delete unused test helper code * fix(gateway): defer session store read maintenance * discord: persist component registries best-effort (openclaw#75584) * test: retry Windows Parallels agent turn * fix: type non-interactive onboard prompter * refactor: trim gateway test helper barrel * fix: declare deepinfra manifest model discovery * refactor: derive deepinfra catalog from manifest * docs: note deepinfra model catalog migration * refactor: trim gateway helper state exports * fix: allow onboarding config size drops * fix: declare groq setup auth metadata * fix: declare groq manifest model catalog * docs: note groq manifest catalog migration * fix: carry matrix dm allowlist state * refactor: trim shared test helper exports * fix: preserve OpenAI Codex xhigh thinking policy * fix(infra): block ambient Homebrew env vars from brew resolution (openclaw#74463) * fix: address issue * fix: address issue * fix: address PR review feedback * fix: address PR review feedback * fix: address codex review feedback * docs: add changelog entry for PR merge * fix: declare venice manifest catalog metadata * refactor: derive venice fallback catalog from manifest * docs: note venice manifest catalog migration * refactor: trim extension internal type exports * fix(infra): block Windows system path env vars from workspace .env injection (openclaw#74456) * fix: address issue * fix: address PR review feedback * fix: address codex review feedback * fix: address codex review feedback * fix: address codex review feedback * docs: add changelog entry for PR merge * Update CHANGELOG.md * fix: block workspace CLOUDSDK_PYTHON override and always set trusted interpreter for gcloud (openclaw#74492) * fix: address issue * docs: add changelog entry for PR merge * refactor: trim extension runtime barrels * fix(plugins): scope install slot selection * fix(plugins): satisfy slot registry type * fix: declare zai manifest model catalog * docs: note zai manifest catalog migration * refactor: trim private extension exports * test(docker): install procps for plugin watchdogs * refactor: delete unused extension shared shims * fix: declare stepfun setup auth metadata * test(pairing): clear allowlist cache before read spy (openclaw#74147) * fix: declare qianfan setup auth metadata * fix(doctor): keep plugin runtime deps repair explicit (openclaw#75603) * fix(doctor): keep plugin runtime deps repair explicit * fix(doctor): keep plugin runtime deps repair explicit * fix(doctor): keep plugin runtime deps repair explicit --------- Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com> * feat(slack): publish App Home tab views * fix(onboarding): scope post-config runtime deps (openclaw#75653) * fix(whatsapp): drop stale qrcode runtime dependency * fix(zai): satisfy catalog lint * refactor: trim internal extension seams * test: require parallels agent responses * refactor: trim extension runtime reexports * fix(feishu): recover WebSocket after SDK retry exhaustion (openclaw#73739) * fix(feishu): recover WebSocket after SDK retry exhaustion * fix(feishu): recover WebSocket after SDK retry exhaustion --------- Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com> * feat(google-meet): add transcribe caption health * refactor: trim extension test hooks * test: configure parallels smoke provider timeout * fix(doctor): keep noninteractive service repair explicit * fix(plugins): use built code for tool discovery * test(pairing): pass read spy path after cache reset * refactor: trim extension helper shims * fix(slack): declare Slack type dependency * test(plugins): mock install slot registry * docs(changelog): backfill 84e9463 qianfan and a4fd45c stepfun setup auth metadata * test: quote parallels provider config json * refactor: trim messaging runtime barrels * test(plugin-sdk): align facade loader windows fast path * refactor: trim extension barrel leftovers * test(ci): stabilize pricing and codex web config checks * refactor: trim channel dead exports * fix(config): accept optional Codex search location * test(config): isolate codex web schema acceptance * refactor: trim extension shim reexports * test(config): type fresh codex schema import * refactor: trim browser action barrel * docs(changelog): finalize 2026.4.30 notes * refactor: trim provider model constants * fix(channels): honor module loader native opt-out * refactor: trim core command dead exports * refactor: trim provider internal exports * refactor: trim extension helper exports * test(parallels): write Windows provider config via batch file * refactor: trim browser route exports * refactor: trim qqbot helper exports * refactor: trim qqbot bridge exports * test(parallels): expose portable Git to Windows agent turns * refactor: trim qqbot utility exports * fix(context-engine): honor assembled prompt authority in precheck (openclaw#74255) Merged via squash. Prepared head SHA: 650b023 Co-authored-by: 100yenadmin <[email protected]> Co-authored-by: jalehman <[email protected]> Reviewed-by: @jalehman * refactor: trim qqbot internal types * refactor: trim mattermost helper exports * refactor: trim matrix helper exports * refactor: trim tlon helper exports * test(parallels): retry Windows agent idle exits * refactor: trim browser helper types * test(parallels): budget Windows agent retry * fix(ci): keep tool display serialization local * refactor: trim voice-call helper exports * refactor: trim bluebubbles helper exports * refactor: trim bluebubbles config helper exports * fix(webchat): create dashboard sessions from New Chat (openclaw#73725) Summary: - The PR rewires Control UI/WebChat New Chat to create and switch to a dashboard session through `sessions.create`, adds guarded UI/session helper logic and regression tests, and updates the changelog. ClawSweeper fixups: - Included follow-up commit: fix(webchat): create dashboard sessions from New Chat Validation: - ClawSweeper review passed for head 983c634. - Required merge gates passed before the squash merge. Prepared head SHA: 983c634 Review: openclaw#73725 (comment) Co-authored-by: vincentkoc <[email protected]> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com> * refactor: trim brave and diffs helper exports * fix(discord): avoid resolving token during action discovery (openclaw#75424) Summary: - The PR changes Discord message-action discovery to inspect configured accounts without resolving bot tokens, resolves scoped channel SecretRefs during message-tool execution even with an injected config snapshot, adds regression tests and a changelog entry, and restores a tool-display serializer export. ClawSweeper fixups: - Included follow-up commit: fix(discord): avoid resolving token during action discovery - Included follow-up commit: fix(tools): restore tool display serializer export Validation: - ClawSweeper review passed for head a2cd832. - Required merge gates passed before the squash merge. Prepared head SHA: a2cd832 Review: openclaw#75424 (comment) Co-authored-by: Clawdbot <[email protected]> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com> * Mattermost: refresh slash callback command validation (openclaw#72923) * fix(mattermost): refresh slash callback tokens * fix(mattermost): reconcile slash callback method * fix(mattermost): bound slash command lookups * fix(mattermost): cache slash validation lookups * fix(mattermost): refresh slash routing * fix(mattermost): require slash callback secret * fix(mattermost): rate limit slash validation * fix(mattermost): throttle slash validation * fix(mattermost): bound slash token cache * fix(mattermost): sanitize slash callback logs * fix(mattermost): avoid stale slash token cache * fix(mattermost): scope slash token gate to command * fix(mattermost): rate-limit slash validation * fix(mattermost): redact slash validation errors * fix(mattermost): satisfy slash sanitizer lint * Move Mattermost slash refresh changelog entry to Unreleased Fixes * Apply oxfmt accordion blank-line on Mattermost slash docs --------- Co-authored-by: Devin Robison <[email protected]> * refactor: trim discord helper exports * refactor: trim discord internal helper exports * refactor: trim discord monitor helper exports * refactor: trim discord test helper exports * refactor: trim feishu helper exports * docs(doctor): clarify service repair prompts Clarify when doctor reports service repair state versus when gateway install performs launcher writes.\n\nThanks @vincentkoc * fix(security): keep plain audit off plugin runtimes Keep routine security audit on config/filesystem checks by default, reserving plugin runtime collectors for deep audit paths.\n\nThanks @vincentkoc * test(e2e): bound telegram rtt warm samples * test(rtt): expose warm sample metrics * test(e2e): target successful rtt samples * test(e2e): measure telegram normal reply rtt * test(e2e): allow rtt retries to reach sample target * refactor: trim provider helper exports * fix(ci): satisfy rtt lint rules * refactor: trim google meet helper exports * refactor: trim google meet transport exports * refactor: trim google chat helper exports * test(rtt): support main package measurements * refactor: trim irc helper exports * refactor: trim signal helper exports * refactor: trim line helper exports * test(plugins): materialize runtime deps fixtures * test(parallels): force Windows OpenAI SSE smoke * refactor: trim mattermost helper exports * refactor: trim nextcloud talk helper exports * refactor: trim provider helper exports * fix(gateway): bound session transcript hot paths Bound recent transcript reads and oversized injected-message writes across gateway session paths.\n\nThanks @vincentkoc * fix(plugins): reuse cold inspect registry snapshots (openclaw#75620) Summary: - The PR reuses a request-scoped cold manifest registry/runtime context across plugin status and inspect report paths, threads that context through provider/setup/metadata helpers, adds targeted coverage, and adds a changelog entry. ClawSweeper fixups: - Included follow-up commit: fix(plugins): preserve setup auto-enable lookup Validation: - ClawSweeper review passed for head 4d8e8e2. - Required merge gates passed before the squash merge. Prepared head SHA: 4d8e8e2 Review: openclaw#75620 (comment) Co-authored-by: Vincent Koc <[email protected]> * fix(plugins): avoid source rebuilds for policy toggles Reuse current installed-plugin registry records for policy-only enable and disable refreshes.\n\nThanks @vincentkoc * refactor: trim msteams helper exports * test(parallels): force POSIX OpenAI SSE smoke * refactor: trim telegram helper exports * refactor: trim whatsapp helper exports * test(parallels): batch POSIX provider config * refactor: trim slack helper exports * refactor: trim matrix helper exports * test(release): repair release validation checks * refactor: trim voice call helper exports * refactor: trim memory wiki helper exports * refactor: trim nostr helper exports * test(release): forward validation fixes * test(release): run doctor fix in setup-entry e2e * refactor: trim qa matrix helper exports * refactor: trim memory core helper exports * test(release): fix setup fallback loader validation * refactor: trim file transfer helper exports * refactor: trim tlon helper exports * refactor: trim browser helper exports * test(release): harden channel add setup fallback * refactor: trim imessage helper exports * test(ci): update imessage runtime api guard * test(release): include mirrored root runtime deps * refactor: trim qa lab helper exports * fix(bluebubbles): UTI-aware audio attachment detection (openclaw#75488) Co-authored-by: Omar Shahine <[email protected]> * test(release): remove stale runtime deps local * refactor: trim qqbot helper exports * refactor: trim codex internal exports * refactor: trim whatsapp test helper exports * refactor: trim telegram test harness exports * refactor: remove stale openrouter runtime barrel * refactor: trim zalo helper exports * test(release): harden docker release validation * fix(rtt): parse telegram scenario list * refactor: trim feishu lifecycle helper exports * test(plugins): use valid plugin origin in loader test * fix(rtt): wait between telegram samples * fix(config): surface backup restore copy failures in audit and logs (openclaw#70515) Merged via squash. Prepared head SHA: 7c77974 Co-authored-by: davidangularme <[email protected]> Co-authored-by: jalehman <[email protected]> Reviewed-by: @jalehman * refactor: trim zalouser helper exports * fix: stop stale OpenAI Responses replay in Telegram Drop incomplete OpenAI/Codex tool-call replay turns and avoid previous_response_id deltas when Responses store is disabled. Verified on Zeus with focused tests, build, UI build, channel probe, and live Telegram-session canary. * fix: stop stale Telegram final-answer replay Suppress stale replayed final answers after newer Telegram/tool turns, supersede overlapping runs, and preserve current anchored output when replay frames contain old finals. Verified locally and on live Zeus with Telegram multi-skill expected-answer checks and ZeusChat model-switch browser checks. * Stop direct NO_REPLY fallback chatter (#11) Co-authored-by: Zeus3000 <[email protected]> * Repair mismatched reset transcript files (#13) Co-authored-by: Zeus3000 <[email protected]> * Promote substantive stale-replay commentary (#15) Co-authored-by: Zeus3000 <[email protected]> * fix: preserve Telegram transcript user turns --------- Co-authored-by: Peter Steinberger <[email protected]> Co-authored-by: Alex Knight <[email protected]> Co-authored-by: Vincent Koc <[email protected]> Co-authored-by: Peter Steinberger <[email protected]> Co-authored-by: Peter Steinberger <[email protected]> Co-authored-by: pashpashpash <[email protected]> Co-authored-by: Shakker <[email protected]> Co-authored-by: Pavan Kumar Gondhi <[email protected]> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com> Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com> Co-authored-by: Andrew <[email protected]> Co-authored-by: 100yenadmin <[email protected]> Co-authored-by: jalehman <[email protected]> Co-authored-by: vincentkoc <[email protected]> Co-authored-by: Conan-Scott <[email protected]> Co-authored-by: Clawdbot <[email protected]> Co-authored-by: Agustin Rivera <[email protected]> Co-authored-by: Devin Robison <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> Co-authored-by: Omar Shahine <[email protected]> Co-authored-by: Omar Shahine <[email protected]> Co-authored-by: Fred David blum <[email protected]> Co-authored-by: davidangularme <[email protected]> Co-authored-by: Zeus3000 <[email protected]>
This was referenced May 1, 2026
lxe
pushed a commit
to lxe/openclaw
that referenced
this pull request
May 6, 2026
Fix three child-process stdin write paths that let async EPIPE errors escape to uncaughtException and crash the gateway. extensions/imessage/src/client.ts (the actual openclaw#75438 crash path): - Add child.stdin.on('error') listener in start() to catch async EPIPE and reject all pending requests via failAll(). - Add write callback to request() stdin.write() that rejects the specific pending request on error, instead of leaving it hanging until timeout. src/agents/mcp-stdio-transport.ts: - Fix write callback race in send(): previously resolved the promise immediately when write() returned true, then the write callback with EPIPE would fire after the promise was already fulfilled. Now always settles the promise from the write callback so the outcome is known before resolving. src/process/exec.ts: - Add stdin.on('error') before writing input so EPIPE from a prematurely-exited child is swallowed — the process exit handler reports the real status. One reporter observed a gateway crash after 10.5 hours of stable uptime — a single EPIPE on an iMessage RPC child process stdin write killed the gateway with code 1. Fixes: openclaw#75438
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add write callbacks and error listeners to child process stdin writes that currently lack them, preventing uncaught EPIPE from crashing the entire gateway.
Problem
When a child process closes its stdin (exit, crash, transport close) while a write is in-flight, Node emits an async EPIPE error. Two code paths had no mechanism to catch this:
mcp-stdio-transport.ts—send()calledstdin.write(json)without a write callback. The EPIPE escapes to theuncaughtExceptionhandler and callsprocess.exit(1).process/exec.ts—stdin.write(input)had no error listener on the stdin stream.One reporter observed this crash after 10.5 hours of stable gateway uptime — a single EPIPE on an iMessage RPC child process stdin write killed the gateway with
code=1.Fix
mcp-stdio-transport.ts: Use a write callback to reject the promise on error, plustry/catcharound the synchronous write path.process/exec.ts: Attachstdin.on('error')before writing so EPIPE from a prematurely-exited child is swallowed — the process exit handler reports the real status.Files changed
src/agents/mcp-stdio-transport.ts— write callback + try/catch insend()src/process/exec.ts— stdin error listener before writeRefs: #75438