Do not broadcast commitment txn on Permanent mon update failure

[TheBlueMatt]

See doc updates for more info on the edge case this prevents, and
there isn't really a strong reason why we would need to broadcast
the latest state immediately. Specifically, in the case of HTLC
claims (the most important reason to ensure we have state on chain
if it cannot be persisted), we will still force-close if there are
HTLCs which need claiming and are going to expire.

Surprisingly, there were no tests which failed as a result of this
change, but a new one has been added.

[codecov]

Codecov Report

Merging #1106 (5f848de) into main (107c6c7) will increase coverage by 1.71%.
The diff coverage is 90.00%.

❗ Current head 5f848de differs from pull request most recent head f99da12. Consider uploading reports for the commit f99da12 to get more accurate results

@@            Coverage Diff             @@
##             main    #1106      +/-   ##
==========================================
+ Coverage   90.40%   92.12%   +1.71%     
==========================================
  Files          68       66       -2     
  Lines       34796    40933    +6137     
==========================================
+ Hits        31458    37708    +6250     
+ Misses       3338     3225     -113     

Impacted Files	Coverage Δ
lightning/src/ln/channelmanager.rs	89.20% <50.00%> (+5.68%)	⬆️
lightning/src/chain/channelmonitor.rs	91.28% <100.00%> (+0.33%)	⬆️
lightning/src/ln/chanmon_update_fail_tests.rs	98.79% <100.00%> (+1.14%)	⬆️
lightning/src/chain/mod.rs	58.82% <0.00%> (-2.29%)	⬇️
lightning-background-processor/src/lib.rs	93.75% <0.00%> (-0.49%)	⬇️
lightning/src/chain/onchaintx.rs	94.27% <0.00%> (-0.48%)	⬇️
lightning/src/ln/onion_utils.rs	94.91% <0.00%> (-0.46%)	⬇️
lightning-invoice/src/utils.rs	84.09% <0.00%> (-0.18%)	⬇️
lightning-persister/src/lib.rs	94.21% <0.00%> (-0.10%)	⬇️
lightning/src/ln/payment_tests.rs	98.75% <0.00%> (-0.09%)	⬇️
... and 23 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 107c6c7...f99da12. Read the comment docs.

[valentinewallace]

Trying to parse this watchtower case -- in this situation, we're switching watchtowers, but have no way of contacting the old watchtower to just delete our data, therefore the channel needs to close via PermanentFailure?

[TheBlueMatt]

Yea, but honestly its confusing, I replaced it with a better example.

[valentinewallace]

Checking -- "ensure no further off-chain updates can occur" == "applied the final monitor update mentioned on L170"? Or?

[TheBlueMatt]

It means "no ChannelManager still knows about this channel", I reworded it.

[valentinewallace]

Bit confused how to implement these new requirements in the sample. I guess we now need a proxy layer implementing Persist between the FilesystemPersister and ChainMonitor?

[TheBlueMatt]

Bit confused how to implement these new requirements in the sample.

I think we, in general, need to think hard about how we handle disk failures in the sample/lightning-persister. If the disk gets unplugged while we're running, we should just shut down and move on, but there's no way to get an error out of the Persister. The way the code works today is unsafe in this condition - if the disk gets unplugged, we'll broadcast the latest state and keep going, if the user then plugs the disk back in and restarts we may revoke the now-broadcasted state.

I think the end result for the sample needs to be a "really definitely broadcast the latest state from the channelmonitor for channel X" command, which is marked unsafe. We should probably also have a programatic way to detect monitors in this condition and not just rely on the logs in ChannelManager deserialization, I'll work on that bit here.

[TheBlueMatt]

Rebased on upstream. Need to make sure all the updated content in the failure enum docs is still kept and should rename temporaryfailure -> asyncpersist or so.

[codecov-commenter]

Codecov Report

Base: 90.78% // Head: 91.21% // Increases project coverage by +0.43% 🎉

Coverage data is based on head (74745cb) compared to base (48d21ba).
Patch coverage: 89.09% of modified lines in pull request are covered.

❗ Current head 74745cb differs from pull request most recent head 52934e0. Consider uploading reports for the commit 52934e0 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1106      +/-   ##
==========================================
+ Coverage   90.78%   91.21%   +0.43%     
==========================================
  Files          86       87       +1     
  Lines       46631    50794    +4163     
  Branches    46631    50794    +4163     
==========================================
+ Hits        42335    46333    +3998     
- Misses       4296     4461     +165     

Impacted Files	Coverage Δ
lightning/src/chain/mod.rs	68.18% <ø> (ø)
lightning/src/util/errors.rs	72.22% <0.00%> (ø)
lightning/src/chain/channelmonitor.rs	91.21% <75.00%> (+<0.01%)	⬆️
lightning/src/ln/channelmanager.rs	88.11% <83.23%> (+3.05%)	⬆️
lightning-invoice/src/payment.rs	93.13% <87.50%> (+2.26%)	⬆️
lightning/src/util/persist.rs	95.23% <87.50%> (+0.50%)	⬆️
lightning/src/chain/chainmonitor.rs	97.78% <88.46%> (-0.28%)	⬇️
lightning-persister/src/lib.rs	93.45% <100.00%> (ø)
lightning/src/ln/chanmon_update_fail_tests.rs	97.72% <100.00%> (+<0.01%)	⬆️
lightning/src/ln/channel.rs	88.66% <100.00%> (ø)
... and 17 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[TheBlueMatt]

Finally getting back to the monitor work, finally updated this to include a monitor update failure type rework, but no further functional changes.

[TheBlueMatt]

Oops, somehow I totally lost track of this PR having a pending review, so sorry about that! Rebased on latest git and addressed feedback.

[TheBlueMatt]

Rebased to address conflicts and went ahead and squashed as its been a while.

[jkczyz]

Looks like there is not test for this scenario. All tests pass when reverting to true.

[TheBlueMatt]

Its unobservable - note that the monitor_update, which is the place the bool is propagated to, is drop'd.

[jkczyz]

Could you update the docs since it's no longer from an Err? Would be good to link to the corresponding method docs and maybe phrase the docs to be a little clearer, too.

[wpaulino]

+1, also a bit weird that it's still considered an APIError variant, but that might require some more brainstorming than a simple rename/doc update.

[TheBlueMatt]

Yea, did update the docs, but agree - this shouldnt really be an error at all, it should just be Ok. I think there's only one(-ish) place where it Errs - sending payments - so it should be easy to do in a followup.

[wpaulino]

IIUC, while the user could choose not to broadcast the latest commitment transaction, which has been revoked, it could still be done by LDK if it contained any pending HTLCs that are expiring soon.

[TheBlueMatt]

Indeed, somewhat of a separate issue that should be addressed in #1593

[wpaulino]

+1, also a bit weird that it's still considered an APIError variant, but that might require some more brainstorming than a simple rename/doc update.

[wpaulino]

LGTM, feel free to squash.

[jkczyz]

Yes, please squash.

[TheBlueMatt]

Addressed one more comment and squashed. Diff since last push:

$ git diff-tree -U1 fc18acb4 4ac58048
diff --git a/lightning/src/util/errors.rs b/lightning/src/util/errors.rs
index 83324eab6..ad6993542 100644
--- a/lightning/src/util/errors.rs
+++ b/lightning/src/util/errors.rs
@@ -48,7 +48,9 @@ pub enum APIError {
 	},
-	/// An attempt to call watch/update_channel returned a
-	/// [`ChannelMonitorUpdateStatus::InProgress`] indicating the persistence of a monitor update
-	/// is awaiting async resolution. Once it resolves the attempted action should complete
-	/// automatically.
+	/// An attempt to call [`chain::Watch::watch_channel`]/[`chain::Watch::update_channel`]
+	/// returned a [`ChannelMonitorUpdateStatus::InProgress`] indicating the persistence of a
+	/// monitor update is awaiting async resolution. Once it resolves the attempted action should
+	/// complete automatically.
 	///
+	/// [`chain::Watch::watch_channel`]: crate::chain::Watch::watch_channel
+	/// [`chain::Watch::update_channel`]: crate::chain::Watch::update_channel
 	/// [`ChannelMonitorUpdateStatus::InProgress`]: crate::chain::ChannelMonitorUpdateStatus::InProgress

[TheBlueMatt]

Oops, sorry, reordered the missing hunk into the right commit, no ultimate diff, though.