add timeout retry strategy to outbound payment

[kafaichoi]

Closes #1408

This PR allow us to set timeout(time-based) as an alternative to existing count-based approach in outbound payment retry.

I also have some naming suggestion. I can make another PR(to avoid too much changes in this PR) to fix this if you agree that's improvement

1. InvoicePayment.payment_cache was actually used to store "retry attempts"(so it can be zero) but now it's used to store payment attempt. Should we rename it to payment_attempts_cache

[codecov-commenter]

Codecov Report

Merging #1418 (8d99732) into main (d166044) will increase coverage by 0.02%.
The diff coverage is 88.96%.

❗ Current head 8d99732 differs from pull request most recent head ca4099f. Consider uploading reports for the commit ca4099f to get more accurate results

@@            Coverage Diff             @@
##             main    #1418      +/-   ##
==========================================
+ Coverage   90.88%   90.90%   +0.02%     
==========================================
  Files          76       77       +1     
  Lines       42067    42116      +49     
  Branches    42067    42116      +49     
==========================================
+ Hits        38232    38286      +54     
+ Misses       3835     3830       -5     

Impacted Files	Coverage Δ
lightning-invoice/src/lib.rs	87.39% <ø> (ø)
lightning/src/routing/scoring.rs	96.19% <ø> (+1.53%)	⬆️
lightning/src/util/time.rs	81.25% <81.25%> (ø)
lightning-invoice/src/payment.rs	92.90% <94.38%> (+0.14%)	⬆️
lightning-background-processor/src/lib.rs	94.37% <100.00%> (ø)
lightning-invoice/src/utils.rs	96.77% <0.00%> (+0.14%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d166044...ca4099f. Read the comment docs.

[jkczyz]

Thanks for the contribution! Generally speaking, I'm in favor of renaming wherever it makes sense. Left some comments and will put a little more thought into naming as the review proceeds.

[jkczyz]

Is this needed? Looks like it is set but never read.

[kafaichoi]

Good catch. It's not used anywhere now. But it will be useful for improving logging? Should I remove it or use it for improving logging msg(shown both count and total time spent)?

https://github.com/lightningdevkit/rust-lightning/pull/1418/files#diff-5165a75ba263a549c7fb9f4b555e449e44b0b680a80a9715a99d11157802a0d7R452

[jkczyz]

I believe we can simply store SystemTime::now() plus the duration from MaxDuration (i.e., when timeout occurs) and do any necessary math when logging.

[maxgiraldo]

IMO, I would remove it if it's not being used.

[jkczyz]

Not quite sure I follow why the count is incremented above and then decremented here.

[kafaichoi]

Because the original logic in the code is always add one count(no matter if it's retryable here). But since now the retryable logic is encapsulated into a function that takes a PaymentAttempts and if we simply passed the updated one, then that will be incorrect(as we want to test if it can be tested before adding 1 count).

[jkczyz]

Couldn't this be accounted for in is_retryable_now? It's adding 1 back as it is.

[kafaichoi]

So the logic in retry_payment is

1. always add 1 to counts in PaymentAttempts
2. check if it's retryable
3. the rest of logic

Retry::is_retryable_now take PaymentAttempts struct and use the counts field to determine if it's retryable if retry strategy is count-based. So in step2, if we don't decrement it by 1, it will be incorrect.

Retry::Attempts(max_retry_count) => max_retry_count + 1 > attempts.counts, the + 1 should be correct. For example,
if max_retry_count is 1 and attempts.count is 1, this means current retry count is 0(the first attempt is not retry attempt) so the + 1 here is required to make this function return true in this case.

[jkczyz]

Do we need to store both count and time if only one is used?

[kafaichoi]

It's not necessary but the advantage is we can have more information in error log if retry fail. related comment #1418 (comment)

And if really want to optimize this, I guess it makes sense to merge payment_cache and retry_attempts fields in InvoicePayer into one enum field to avoid impossible state(where retry strategy is count base but we store time vice versa).

[jkczyz]

Hmm... not sure how we'd do that because you need to know the maximum attempts when inserting into the map. Let me know if I misunderstood or if you have a more concrete idea.

We could also use a type parameter implementing a common trait (in a similar manner to the Time trait) such that there is never an invalid state.

[kafaichoi]

I tried but unable to do the optimization of storing only either count and time(based on Retry). and storing both has a pro for displaying user more info in retry error. So I will put this optimization on pause but please let me know if this is high-priority I can give it another try.

[jkczyz]

Note that SystemTime is only available with std feature, so this will need to be conditional. See places in this file where #[cfg(feature = "std")] is used.

With that in mind, RetryAttempts::MaxDuration won't be applicable without the feature, too.

[jkczyz]

nit: s/Retry strategy of retrying/Strategy for retrying

[jkczyz]

How about:

enum Retry {
    Attempts(usize),
    Timeout(Duration),
}

[kafaichoi]

much more concise! Thanks

[jkczyz]

Sleeps in testing tend to be a bit flaky and slow down test execution. Ideally, we can inject the time into the code such that in testing it can be manually advanced. We do that in the scorer code:

rust-lightning/lightning/src/routing/scoring.rs

Line 1164 in a3832b0

struct SinceEpoch(Duration);

We wouldn't need to expose the Time trait in InvoicePayer's public interface since it is an implementation detail and can be conditioned for tests to use SinceEpoch instead of SystemTime. It would be great if we can refactor the time code into a util::time module such that it could be reused here. We could symlink it into the lightning-invoice crate to re-use across crates.

[jkczyz]

I believe we can simply store SystemTime::now() plus the duration from MaxDuration (i.e., when timeout occurs) and do any necessary math when logging.

[jkczyz]

Hmm... not sure how we'd do that because you need to know the maximum attempts when inserting into the map. Let me know if I misunderstood or if you have a more concrete idea.

We could also use a type parameter implementing a common trait (in a similar manner to the Time trait) such that there is never an invalid state.

[jkczyz]

Couldn't this be accounted for in is_retryable_now? It's adding 1 back as it is.

[jkczyz]

Please indent with tabs instead of spaces here and throughout.

[kafaichoi]

Thank you for the thorough review. @jkczyz I have changed the PR status to draft and will change it back once it's ready to review again later.

[maxgiraldo]

This is more of a curiosity, but do we only ever care about the current time, or could this be used to ask if something is retry-able at other times?

Suggested change

	fn is_retryable_now(&self, attempts: &PaymentAttempts) -> bool {
	match self {
	Retry::Attempts(0) => false,
	Retry::Attempts(max_retry_count) => max_retry_count + 1 > attempts.counts,
	Retry::Timeout(max_duration) => *max_duration >= SystemTime::now().duration_since(attempts.first_attempted_at).unwrap()
	}
	}
	fn is_retryable_at(&self, attempts: &PaymentAttempts, at: SystemTime) -> bool {
	match self {
	Retry::Attempts(0) => false,
	Retry::Attempts(max_retry_count) => max_retry_count + 1 > attempts.counts,
	Retry::Timeout(max_duration) => *max_duration >= at.duration_since(attempts.first_attempted_at).unwrap()
	}
	}

[kafaichoi]

yea that was my initial reason adding the latest_attempted_at but since this is not needed anywhere yet so I removed it according to other feedback.

[TheBlueMatt]

I'd really rather not make this pub. One (kinda dirty) hack to avoid that while re-using the module in both crates is to symlink the file file in both crates.

[kafaichoi]

How about moving it lightning::util::test_utils?(see last commit 6b241ed)

[TheBlueMatt]

Hmm, I'd kinda still prefer we keep the trait sealed (which I think requires the symlink hack, but maybe there's a way to use a foreign sealed trait?).

I'm not sure that we have an immediate use-case for users implementing their own Time, and even if we wanted users to be able to cancel payments on no-std we'd probably want to do it via some kind of "abandon payment now" API, not with reentrancy calling user code on a Time trait. Additionally, we can't capture traits with associated types in bindings, so we'd have to make it non-exported there anyway.

[kafaichoi]

right. There is only one utils.rs instead of utils/mod.rs under lightning-invoice, So to avoid too much code change. I simply symlink it as time_utils.rs. Please let me know if it's reasonable?

[TheBlueMatt]

nit: EOL whitespace here (and a number of similar places in this file).

[kafaichoi]

Sorry. I will fix this after other issues resolved(I need to find a way to config my editor to avoid these)

[TheBlueMatt]

Hmm, I believe this leaves an unused parameter T in no-std builds. We either need to always include the field and let the ConfiguredTime "turn it off" in no-std or we need have two completely separate types for no-std vs std (which is gonna be a lot of code duplication).

[kafaichoi]

Then it's probably better to just always include this field(remove the configuration std condition check)?
Btw how can I replicate the error/warning of unused parameter T in no-std builds in local?(everything look fine when I do cargo build for no-std)

[TheBlueMatt]

Nice! I'm a fan of the high-level structure now, I think.

[TheBlueMatt]

This should use Instant not SystemTime - we need a counter not the current wall clock time.

[TheBlueMatt]

Why is this a separate branch? If max_retry_count is 0, we'll always return false when counts is 2, which it will be when we first check for a retry.

[kafaichoi]

I removed this branch after switching back to store retry_count instead of total attempt count

[TheBlueMatt]

Maybe just make this >=?

[TheBlueMatt]

You have a double /// here.

[TheBlueMatt]

I'm not sure why we insert at 1 here, that's a behavior change from the original code, which always inserted at 0.

[jkczyz]

Yeah, also see: #1418 (comment)

I'm not sure I follow why the count logic needs to change if you are just adding another strategy.

[kafaichoi]

My understanding of previous code is the count we store is the number of retry.

For example, in pay_pubkey, it's set as 0 when there is no entry found in payment_cache.
https://github.com/lightningdevkit/rust-lightning/pull/1418/files#diff-5165a75ba263a549c7fb9f4b555e449e44b0b680a80a9715a99d11157802a0d7L330

However, in this PR, I changed it to store number of attempt(which should be number of retry + 1). And we will only want to create and store PaymentAttempts when there is at least one attempt. That's the reason why count is set as 1 in PaymentAttempts::new.

[kafaichoi]

I have actually tried to change storing total attempt to storing retry count(like current behaviour). 145bede

It does look cleaner :). Please let me know if you still find it weird that I have to do - 1 here b08f0ea @jkczyz

The biggest reason is I think Retry::is_retryable_now shouldn't be aware that PaymentAttempts passed has just been added 1 retry count. It should simply take PaymentAttempts and determine if it's retryable right now based on the current field. (My apology if my explanation is still confusing)

[jkczyz]

Nice! Looks much better modulo Matt's comment about incrementing after calling is_retryable_now.

[TheBlueMatt]

The enum-level docs probably need updating to no longer only talk about counts.

[TheBlueMatt]

Don't we need to drop the lock in the retry branch? Looks like you swapped the branch order but left the lock-drop in the other branch now.

[kafaichoi]

Sorry totally my mistake

[jkczyz]

Could you make this a single statement so we don't import Eternity when not configured?

[kafaichoi]

emm in line 255. there is also #[cfg(feature = "no-std")] so we will only import Eternity and ConfiguredTime set as Eternity together when no-std feature is set

I am not sure how to do the import and type declaration in one single statement. and it looks like there is cfg-if crate for providing a helpful macro to avoid duplicate cfg here? Is that what u meant?

[jkczyz]

Ah, never mind. Forgot that you still would need to import the util module even if you fully-qualified as util::time::Eternity on line 258.

[jkczyz]

You can remove these two tests since they were moved.

[jkczyz]

Need to update the docs.

[jkczyz]

No need to wrap the doc example. Or at very least would need to indent accordingly.

[jkczyz]

Could you move these before core::ops::Deref?

[jkczyz]

The phrasing is a little awkward here. How about "Time elapsed before abandoning retries for a payment."?

[kafaichoi]

yours is much better. Thanks!

[jkczyz]

Yeah, also see: #1418 (comment)

I'm not sure I follow why the count logic needs to change if you are just adding another strategy.

[jkczyz]

nit: no space after impl but add a space before PaymentAttempts .

[jkczyz]

nit: space after PaymentAttempts

[jkczyz]

Might as well use something more realistic looking like seconds since no actual sleeps occur.

[jkczyz]

Looks like this should have been removed from the first commit since the code was not needed.

[jkczyz]

Similarly, this should be in the first commit.

[jkczyz]

Here and below:

s/Time Trait/[Time] trait

[jkczyz]

The symlink is the other way around, no? Just say other crates may symlink this file instead of referencing which files, as otherwise the list may go out of date.

[jkczyz]

nit: add blank line between imports and Time docs

[jkczyz]

Hmm... The attempts won't be accurate here since you've incremented earlier (and in Debug) but no retry occurs here. Similarly below.

Would it simplify things if we made PaymentAttempts::retry_count simply a count representing the number of attempts up until the retry? I believe that is what was done previously and as is still documented on the hash map:

/// Caches the overall attempts at making a payment, which is updated prior to retrying.

Essentially, the attempt is counted only once we get an event back on whether a path was successful or not. So renaming to count, unconditionally incrementing in this function, and not incrementing in Debug should give the correct number. Would need to modify is_retryable_now, too, IIUC.

Then you don't need to worry about the lock since you can increment in the above look-up, clone, and drop the lock implicitly in one statement similarly to the code prior to the change.

[kafaichoi]

ah u are right that the log in this branch(has_expired true) is not accurate. But can we simply move this has_expire check before is_retryable_now? I ran test in local after this change and all test case passed as well.

As per your suggestion, I believed that was my initial approach(got forced-pushed) but I decided to change it to only store retry_count because this part( #1418 (comment)) is confusing to others.

If we want to avoid the confusing part in my previous forced-pushed commit, does it mean we need to change the logic in Retry::is_retryable_now to be aware of the fact count always get incremented by 1 before calling retry_payment. I found that it's actually more confusing as now Retry::is_retryable_now is not a context-free function especially now is_retryable_now is also reused inside PaymentSendFailure::AllFailedRetrySafe

[jkczyz]

ah u are right that the log in this branch(has_expired true) is not accurate. But can we simply move this has_expire check before is_retryable_now? I ran test in local after this change and all test case passed as well.

Either order should be fine, but arguably you wouldn't attempt to retry if the count had been exceeded already.

As per your suggestion, I believed that was my initial approach(got forced-pushed) but I decided to change it to only store retry_count because this part( #1418 (comment)) is confusing to others.

Ah, I see. Seems like the confusion could have been resolved by maintaining the original behavior, no?

If we want to avoid the confusing part in my previous forced-pushed commit, does it mean, does it mean we need to change the logic in Retry::is_retryable_now to be aware of the fact count always get incremented by 1 before calling retry_payment. I found that it's actually more confusing as now Retry::is_retryable_now is not a context-free function especially now is_retryable_now is also reused inside PaymentSendFailure::AllFailedRetrySafe

Hmm... so the invariant was that the attempt count was incremented only after the result of the attempt is known. For PaymentSendFailure::AllFailedRetrySafe, we receive this result immediately rather than needing to wait for an event, so we never hit the retry_payment path.

I can see your argument as to why a retry count may make more sense. However, such a change should really be a separate commit with the what and why clearly described in the commit message. Admittedly, I've been lax about asking for the rationale in commit messages, which is okay when the commit is obvious. But the atomicity of commits is important, and this one makes two separate behavioral changes. I'd prefer if they were separate so that they can be considered independently.

[TheBlueMatt]

FWIW I believe the original behavior was inconsistent - AFAICT we'll retry automatically once even with the max-retries count set to 0 if the payment fails immediately when we try to send instead of when an HTLC fails. Not that that behavior is really broken, its just confusing, so its all a bit of a mess.

[jkczyz]

Hmm... I think it should work as expected. For AllFailedRetrySafe the number of attempts before increment (i.e., retry_count) and max retries are both 0, so an error is returned here:

rust-lightning/lightning-invoice/src/payment.rs

Lines 370 to 372 in 9fbafd4

	let retry_count = payment_cache.get_mut(&payment_hash).unwrap();
	if *retry_count >= self.retry_attempts.0 {
	Err(e)

And for PartialFailure we hit the retry_payment case where the number of attempts is incremented and compared against maximum number of attempts (i.e. max retries plus one).

rust-lightning/lightning-invoice/src/payment.rs

Lines 402 to 411 in 9fbafd4

	let max_payment_attempts = self.retry_attempts.0 + 1;
	let attempts = *self.payment_cache.lock().unwrap()
	.entry(payment_hash)
	.and_modify(|attempts| *attempts += 1)
	.or_insert(1);
	if attempts >= max_payment_attempts {
	log_trace!(self.logger, "Payment {} exceeded maximum attempts; not retrying (attempts: {})", log_bytes!(payment_hash.0), attempts);
	return Err(());
	}

[TheBlueMatt]

Ah, maybe I'm wrong.....its more than a bit confusing, though...

[kafaichoi]

@jkczyz Thank you so much for breaking it down. I will break the last commit into 2 as per your suggestion so it's easier for us to see if the change make sense or not(And I will also look into if the original approach result in some incorrect log msg) . However, I will probably only have time this weekend🙏🏽

[kafaichoi]

@jkczyz I have made changes to restore the previous behavior and store attempts instead of retry attempts. After spending more time understanding the code, I actually think it's cleaner to keep in the original way :)

And I changed it back to impl Display for PaymentAttempts(somehow I can't find your related comment now)

[TheBlueMatt]

Oops looks like this needs a rebase, sorry about that.

[TheBlueMatt]

Ugh needs rebase again. Really sorry somehow I missed you'd pushed the commits above and didn't manage to review before it got stale again :(

[kafaichoi]

Ugh needs rebase again. Really sorry somehow I missed you'd pushed the commits above and didn't manage to review before it got stale again :(

no worry! I actually felt so bad this relative simple PR causing core developers lots of time reviewing on this 😭

[TheBlueMatt]

no worry! I actually felt so bad this relative simple PR causing core developers lots of time reviewing on this 😭

Nah! Final round review takes a bit of time, but passes before then take 5-10 minutes, don't sweat it :).

[jkczyz]

nit: could you wrap at 100 characters?

[kafaichoi]

sure. (wish cargo fmt is integrated here 😬)

[jkczyz]

Doesn't this break for Retry::Attempts(0)? The cache will have a value of 0 which would cause is_retryable_now to return true. But in this case we wouldn't want to the retry since InvoicePayer is configured for no retries. Perhaps we need a test for this case?

[TheBlueMatt]

I was gonna let this one slide, IIUC it's how upstream works now, and not super surprising that we'd not instantly fail and at least try to find a route that we can send over. Though really this should only happen in race conditions and pretty exceedingly rare, if everything is working right.

Dunno if it's worth trying to build a test for but can just move the increment up.

[jkczyz]

Sure, let's just move the increment up. Upstream, the check has the operands flipped with the opposite meaning (error), so works as intended.

[kafaichoi]

ah good catch. I have moved the increment up.