Skip to content

fix(sandbox): reap killed subprocess on UnixLocal exec timeout#3208

Draft
adityasingh2400 wants to merge 2 commits intoopenai:mainfrom
adityasingh2400:fix/unix-sandbox-audit
Draft

fix(sandbox): reap killed subprocess on UnixLocal exec timeout#3208
adityasingh2400 wants to merge 2 commits intoopenai:mainfrom
adityasingh2400:fix/unix-sandbox-audit

Conversation

@adityasingh2400
Copy link
Copy Markdown
Contributor

@adityasingh2400 adityasingh2400 commented May 8, 2026

Summary

UnixLocalSandboxSession._exec_internal handles asyncio.TimeoutError by SIGKILL-ing the subprocess group, but never awaits the killed asyncio.subprocess.Process. Two issues fall out of that:

  1. Transport not torn down inside the failing call. Because proc.wait() is never awaited, proc.returncode stays None and the underlying SubprocessTransport (pipes + child-watcher entry) hangs around until GC eventually finds it. Repeated timeouts queue up live transports for the lifetime of the event loop.
  2. Stale-pid signal. os.killpg(proc.pid, SIGKILL) runs unconditionally. If the process happened to exit between wait_for cancellation and the kill, the pid may already have been reused, and we'd send SIGKILL to an unrelated process group. The except Exception: pass masks this.

The fix mirrors what _terminate_pty_entry already does for PTY entries (if process.returncode is None ... ProcessLookupError suppressed):

  • Only signal when proc.returncode is None (and proc.pid is not None).
  • Narrow the swallowed exception to ProcessLookupError instead of Exception.
  • After the kill, await asyncio.wait_for(proc.wait(), timeout=5.0) so asyncio actually closes the transport before ExecTimeoutError is raised.

Two regression tests cover both behaviors:

  • test_timeout_reaps_subprocess_so_returncode_is_set captures the asyncio Process used by _exec_internal and asserts returncode is populated after the timeout fires (fails on main: returncode is None).
  • test_timeout_skips_killpg_for_already_exited_pid simulates the "process exited just before the timeout handler" race and asserts no killpg is issued (fails on main: a stale killpg is recorded).

Test plan

  • pytest tests/sandbox/test_unix_local.py -v (all 10 pass)
  • pytest tests/sandbox/ (765 passed, 19 skipped)
  • ruff check + ruff format --check
  • pyright src/agents/sandbox/sandboxes/unix_local.py tests/sandbox/test_unix_local.py
  • Both new tests fail on main (bug repros), pass with the fix

@adityasingh2400
fix(sandbox): reap killed subprocess on UnixLocal exec timeout
322c7c7 
When an exec timeout fires, the killed subprocess is never awaited,
leaving the asyncio SubprocessTransport (pipes, child-watcher entry)
attached to a returncode-still-None Process object until GC eventually
collects it. The unconditional os.killpg also signals a pid that may
already have exited and been reused, hitting an unrelated process group.

Skip the kill when proc.returncode is already set, narrow the swallowed
exception to ProcessLookupError, and await proc.wait() (bounded) so the
transport tears down inside the failing call.
@github-actions github-actions Bot added bug Something isn't working feature:sandboxes labels May 8, 2026
@seratch seratch marked this pull request as draft May 8, 2026 16:13
seratch
seratch requested changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@seratch seratch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you fix the CI errors?

@adityasingh2400
fix(sandbox/test): py3.10 compat + satisfy strict mypy
ec4e587 
- raise asyncio.TimeoutError (not bare TimeoutError) in the wait_for
  fixture: on Python 3.10 these are distinct classes, so the source's
  except asyncio.TimeoutError clause was missing the bare one and the
  exception was upgraded to ExecTransportError.
- import asyncio/os directly instead of reaching through
  unix_local_module.asyncio / .os, which mypy strict export rejects
  with attr-defined errors.
- type captured[] as list[asyncio.subprocess.Process] so proc.returncode
  is statically known and the type: ignore comments are no longer needed.
@adityasingh2400
Copy link
Copy Markdown
Contributor Author

adityasingh2400 commented May 8, 2026

Fixed CI - typecheck and 3.10 test pass locally now. Thanks for the heads up.

@seratch seratch marked this pull request as ready for review May 9, 2026 02:24
@seratch seratch marked this pull request as draft May 9, 2026 02:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seratch seratch seratch requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

bug Something isn't working feature:sandboxes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@adityasingh2400 @seratch