fix(adk): prevent panic when orphaned tool goroutine sends event after agent cancellation by shentongmartin · Pull Request #929 · cloudwego/eino

shentongmartin · 2026-04-02T11:55:41Z

Problem

When CancelAfterChatModel times out and escalates to CancelImmediate, GraphInterrupt fires with timeout=0. The compose graph returns immediately without waiting for the ToolsNode goroutines to finish — orphaning them. When an orphaned tool goroutine completes and eventSenderToolWrapper tries to send an event, the AsyncGenerator is already closed, causing a "send on closed channel" panic.

failed to stream tool call call_w70func5md40jfyccfceiuih:
  panic error: send on closed channel

goroutine stack:
  UnboundedChan.Send → AsyncGenerator.Send →
  chatModelAgentExecCtx.send → eventSenderToolHandler.WrapInvokableToolCall

The timeline:

Goroutine A (agent owner)          Goroutine B (orphaned tool)
─────────────────────────          ───────────────────────────
close(immediateChan)
GraphInterrupt(timeout=0)
compose graph returns immediately
  (ToolsNode task abandoned)
run() returns
generator.Close()
                                   tool completes
                                   eventSenderToolWrapper.send()
                                   generator.Send() → PANIC

Solution

Two-layer protection in chatModelAgentExecCtx.send:

isImmediateCancelled() check — fast path: if immediateChan is already closed, skip the send entirely. This covers the common case where the orphaned goroutine finishes after the agent has fully shut down.
trySend() safety net — handles the TOCTOU race: Goroutine B checks immediateChan (not yet closed), gets preempted, Goroutine A closes immediateChan → closes generator, Goroutine B resumes → generator.Send() would panic. trySend returns false instead.

Also routes SendEvent() (public API) through execCtx.send() instead of generator.Send() directly.

Key Insight

shouldCancel() (checks cancelChan) cannot be used here — it returns true for CancelAfterChatModel before the safe-point is reached, which would incorrectly skip events during normal safe-point cancellation. The correct signal is immediateChan, which only closes when CancelImmediate fires or timeout escalation occurs. This matches how cancelMonitoredModel and cancelMonitoredToolHandler already distinguish between "cancel requested" and "cancel now".

Summary

Problem	Solution
Orphaned tool goroutine panics with "send on closed channel" after `CancelImmediate`	Check `immediateChan` before sending; use `trySend` for TOCTOU race
`SendEvent()` public API bypasses cancel safety	Route through `execCtx.send()`

问题

当 CancelAfterChatModel 超时并升级为 CancelImmediate 时，GraphInterrupt 以 timeout=0 触发。compose 图立即返回，不等待 ToolsNode 的 goroutine 完成——使它们成为孤儿 goroutine。当孤儿 tool goroutine 完成后，eventSenderToolWrapper 尝试发送事件时，AsyncGenerator 已关闭，导致 "send on closed channel" panic。

时序：

Goroutine A (agent 拥有者)          Goroutine B (孤儿 tool)
─────────────────────────          ───────────────────────────
close(immediateChan)
GraphInterrupt(timeout=0)
compose 图立即返回
  (ToolsNode task 被放弃)
run() 返回
generator.Close()
                                   tool 完成执行
                                   eventSenderToolWrapper.send()
                                   generator.Send() → PANIC

解决方案

在 chatModelAgentExecCtx.send 中实现两层保护：

isImmediateCancelled() 检查 — 快速路径：如果 immediateChan 已关闭，直接跳过发送。覆盖孤儿 goroutine 在 agent 完全关闭后才完成的常见场景。
trySend() 安全网 — 处理 TOCTOU 竞态：Goroutine B 检查 immediateChan（尚未关闭），被调度器抢占，Goroutine A 关闭 immediateChan → 关闭 generator，Goroutine B 恢复 → generator.Send() 会 panic。trySend 返回 false 而不是 panic。

同时将 SendEvent()（公共 API）通过 execCtx.send() 路由，而不是直接调用 generator.Send()。

关键洞察

不能使用 shouldCancel()（检查 cancelChan）——它在安全点到达之前就对 CancelAfterChatModel 返回 true，会错误地跳过正常安全点取消期间的事件。正确的信号是 immediateChan，它只在 CancelImmediate 触发或超时升级时关闭。这与 cancelMonitoredModel 和 cancelMonitoredToolHandler 区分"取消已请求"和"立即取消"的方式一致。

总结

问题	解决方案
`CancelImmediate` 后孤儿 tool goroutine panic "send on closed channel"	发送前检查 `immediateChan`；用 `trySend` 处理 TOCTOU 竞态
`SendEvent()` 公共 API 绕过取消安全检查	改为通过 `execCtx.send()` 路由

…r agent cancellation When CancelAfterChatModel times out and escalates to CancelImmediate, GraphInterrupt fires with timeout=0. The compose graph returns immediately, orphaning parallel tool goroutines. When an orphaned tool completes, eventSenderToolWrapper tries to send an event via the AsyncGenerator which is already closed, causing 'send on closed channel' panic. - Add isImmediateCancelled() to cancelContext for checking immediateChan - Make chatModelAgentExecCtx.send cancel-aware: skip send when immediate cancel is active - Use trySend as safety net for the TOCTOU race window - Route SendEvent() through execCtx.send() instead of direct generator.Send() Change-Id: Ic7e0194c860e2692a3cddc559911ab379024f650

…ediate - unit_send_after_close: directly reproduces the panic by sending to a closed generator with isImmediateCancelled=true - unit_send_after_close_without_cancel_ctx: verifies trySend safety net prevents panic even without cancelCtx - integration_cancel_escalation_orphans_tool: end-to-end test with slow tool, CancelAfterChatModel timeout escalation, and orphaned goroutine Change-Id: Ia82fa957b102ccc2ac42094d18d4b15db2a1701c

codecov · 2026-04-02T12:01:08Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (alpha/09@41ec9e4). Learn more about missing BASE report.

Additional details and impacted files

@@             Coverage Diff             @@
##             alpha/09     #929   +/-   ##
===========================================
  Coverage            ?   81.50%           
===========================================
  Files               ?      158           
  Lines               ?    18917           
  Branches            ?        0           
===========================================
  Hits                ?    15419           
  Misses              ?     2364           
  Partials            ?     1134

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Add test cases for: - nil execCtx and nil generator defensive guards - nil cancelContext in isImmediateCancelled - TOCTOU race window (isImmediateCancelled=false but generator closed) - SendEvent public API with closed generator - SendEvent without exec context Change-Id: I197c36f34675f5376cbe5f830b15db6ca873cd1f

…r agent cancellation (#929) * fix(adk): prevent panic when orphaned tool goroutine sends event after agent cancellation When CancelAfterChatModel times out and escalates to CancelImmediate, GraphInterrupt fires with timeout=0. The compose graph returns immediately, orphaning parallel tool goroutines. When an orphaned tool completes, eventSenderToolWrapper tries to send an event via the AsyncGenerator which is already closed, causing 'send on closed channel' panic. - Add isImmediateCancelled() to cancelContext for checking immediateChan - Make chatModelAgentExecCtx.send cancel-aware: skip send when immediate cancel is active - Use trySend as safety net for the TOCTOU race window - Route SendEvent() through execCtx.send() instead of direct generator.Send() Change-Id: Ic7e0194c860e2692a3cddc559911ab379024f650 * test(adk): add test for orphaned tool goroutine panic after CancelImmediate - unit_send_after_close: directly reproduces the panic by sending to a closed generator with isImmediateCancelled=true - unit_send_after_close_without_cancel_ctx: verifies trySend safety net prevents panic even without cancelCtx - integration_cancel_escalation_orphans_tool: end-to-end test with slow tool, CancelAfterChatModel timeout escalation, and orphaned goroutine Change-Id: Ia82fa957b102ccc2ac42094d18d4b15db2a1701c * test(adk): improve coverage for orphaned tool goroutine fix Add test cases for: - nil execCtx and nil generator defensive guards - nil cancelContext in isImmediateCancelled - TOCTOU race window (isImmediateCancelled=false but generator closed) - SendEvent public API with closed generator - SendEvent without exec context Change-Id: I197c36f34675f5376cbe5f830b15db6ca873cd1f

shentongmartin added 2 commits April 2, 2026 19:52

JonXSnow approved these changes Apr 2, 2026

View reviewed changes

shentongmartin merged commit fc5c067 into alpha/09 Apr 2, 2026
16 checks passed

shentongmartin deleted the fix/orphaned_tool_event branch April 2, 2026 12:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(adk): prevent panic when orphaned tool goroutine sends event after agent cancellation#929

fix(adk): prevent panic when orphaned tool goroutine sends event after agent cancellation#929
shentongmartin merged 3 commits intoalpha/09from
fix/orphaned_tool_event

shentongmartin commented Apr 2, 2026

Uh oh!

codecov bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

Conversation

shentongmartin commented Apr 2, 2026

Problem

Solution

Key Insight

Summary

问题

解决方案

关键洞察

总结

Uh oh!

codecov bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

codecov bot commented Apr 2, 2026 •

edited

Loading