Consider channels "live" even if they are awaiting a monitor update #954
Conversation
Codecov Report
@@ Coverage Diff @@
## main #954 +/- ##
==========================================
+ Coverage 90.59% 92.06% +1.47%
==========================================
Files 60 60
Lines 30423 39444 +9021
==========================================
+ Hits 27561 36314 +8753
- Misses 2862 3130 +268
Continue to review full report at Codecov.
|
|
Addressed a few comments left on other PRs, including #949 (comment) |
| @@ -3996,7 +3996,7 @@ impl<Signer: Sign> Channel<Signer> { | |||
| return Err(ChannelError::Ignore(format!("Cannot send less than their minimum HTLC value ({})", self.counterparty_htlc_minimum_msat))); | |||
| } | |||
|
|
|||
| if (self.channel_state & (ChannelState::PeerDisconnected as u32 | ChannelState::MonitorUpdateFailed as u32)) != 0 { | |||
| if (self.channel_state & (ChannelState::PeerDisconnected as u32)) != 0 { | |||
| // Note that this should never really happen, if we're !is_live() on receipt of an | |||
| // incoming HTLC for relay will result in us rejecting the HTLC and we won't allow | |||
| // the user to send directly into a !is_live() channel. However, if we | |||
There was a problem hiding this comment.
This comment sounds weird, I still think we should be able to receive a HTLC even if the forwarding channel is knock-out, though we don't currently in decode_update_add_htlc_onion. Maybe possible after #680.
There was a problem hiding this comment.
Right, I suppose its reasonable to accept an HTLC for forwarding to a channel which is disconnected currently if you're a special type of node that can make the channel become connected soon (of course for a general purpose node we should definitely fail). There isn't a lot of harm in waiting to fail until the payment gets to the send_htlc call (instead of doing it immediately upon receipt), so I think I agree we should just drop it (but keep this return).
All that to say, I don't think anything needs to change in this PR, correct? The comment is still true today, though I agree we could change it in a followup and should change it after #680.
There was a problem hiding this comment.
Yeah I just believe this forwarding policy makes really sense if the next hop is owned by a mobile client, with a clear agreement "I'm going to be offline 99% of my time, please cache my HTLC" ? Or at least it would be worthy as an experimentation.
Right, it's more a good-place-to-clean-once-we-have-680.
|
Code Review ACK 8671aca |
|
Tagging as 0.0.99 as #949 depends on this and because this would be critical for any async-monitor-update routing node. |
TheBlueMatt
force-pushed
the
2021-06-no-spurious-forward-fails
branch
from
8671aca to
eab577c
Compare
|
Squashed with no changes: |
There was a problem hiding this comment.
Somethings aren't clear to me when reading the commit message / PR description:
In both of these cases, we almost certainly want
Channel::is_live()to include channels which are simply pending a
monitor update, as some clients may update monitors asynchronously,
Either drop "almost certainly" or explain when this is not the case.
thus any rejection of HTLCs based on a monitor update still pending
causing a race condition.
Reads strange. Start new sentence here and replace "causing" with "causes"?
After #851, we always ensure any holding cells are free'd when
sending P2P messages, making this much more trivially correct -
What is "this" referring to? "this change"?
instead of having to ensure that we always have a matching holding
cell free any time we add something to the holding cell, we can
simply rely on the fact that it always happens.
Unclear to me what is meant by a "matching holding cell" (matching what?) and what "it always happens" is referring to.
| @@ -922,40 +922,6 @@ fn do_test_monitor_update_fail_raa(test_ignore_second_cs: bool) { | |||
| commitment_signed_dance!(nodes[1], nodes[0], send_event.commitment_msg, false, true); | |||
| check_added_monitors!(nodes[1], 0); | |||
|
|
|||
| let mut events_2 = nodes[1].node.get_and_clear_pending_msg_events(); | |||
There was a problem hiding this comment.
Is there a TL;DR to summarize the changes to this test to help in review?
There was a problem hiding this comment.
Because it is no longer the case that receiving an HTLC while we're pending a monitor update restoration causes the HTLC to fail, code which relied on that behavior broke. eg the first code hunk which was removed explicitly delivered an HTLC and expected it to fail, which no longer happens.
The big if-block diff hunk is because the two cases have converged somewhat - we now always have a payment in node[1]'s outbound holding cell.
| @@ -1630,12 +1640,19 @@ fn test_monitor_update_fail_claim() { | |||
|
|
|||
| *nodes[1].chain_monitor.update_ret.lock().unwrap() = Some(Err(ChannelMonitorUpdateErr::TemporaryFailure)); | |||
| assert!(nodes[1].node.claim_funds(payment_preimage_1)); | |||
| nodes[1].logger.assert_log("lightning::ln::channelmanager".to_string(), "Temporary failure claiming HTLC, treating as success: Failed to update ChannelMonitor".to_string(), 1); | |||
There was a problem hiding this comment.
Is there any way to assert the state of the channel rather than examining the log?
There was a problem hiding this comment.
This line was only moved, not created. the log assert is nice IMO as it checks the specific error, not just that one happened, though the observable state is still checked in that no new message was generated.
TheBlueMatt
force-pushed
the
2021-06-no-spurious-forward-fails
branch
from
eab577c to
0534e8b
Compare
|
I rewrote the commit message in the main commit (without changing its contents), let me know what you think. |
Looks good. Thanks for doing it! |
We use `Channel::is_live()` to gate inclusion of a channel in `ChannelManager::list_usable_channels()` and when sending an HTLC to select whether a channel is available for forwarding through/sending to. In both of these cases, we should consider a channel `is_live()` when they are pending a monitor update. Some clients may update monitors asynchronously, thus we may simply be waiting a short duration for a monitor update to complete, and shouldn't fail all forwarding HTLCs during that time. After lightningdevkit#851, we always ensure any holding cells are free'd when sending P2P messages, making this change much more trivially correct - instead of having to ensure that we always free the holding cell when a channel becomes live again after adding something to the holding cell, we can simply rely on the fact that it always happens. Fixes lightningdevkit#661.
TheBlueMatt
force-pushed
the
2021-06-no-spurious-forward-fails
branch
from
0534e8b to
b58c884
Compare
|
Squashed with no changes: The full diff from the previous ack is still trivial, so will merge after CI: |
We use
Channel::is_live()to gate inclusion of a channel inChannelManager::list_usable_channels()and when sending anHTLC to select whether a channel is available for
forwarding through/sending to.
In both of these cases, we almost certainly want
Channel::is_live()to include channels which are simply pending amonitor update, as some clients may update monitors asynchronously,
thus any rejection of HTLCs based on a monitor update still pending
causing a race condition.
After #851, we always ensure any holding cells are free'd when
sending P2P messages, making this much more trivially correct -
instead of having to ensure that we always have a matching holding
cell free any time we add something to the holding cell, we can
simply rely on the fact that it always happens.
Fixes #661.
This should make #949's tests a bit easier to implement.