Add test for aggregated revoked HTLC claim on anchors channel

[wpaulino]

This PR adds a new test to cover the aggregated revoked HTLC claim edge case for channels featuring anchors outputs.

Along the way, we also fix a few issues to allow the anchors build to run, and we start running it in CI.

Fixes #1905.

[TheBlueMatt]

Right, I think this is totally fine, but what's the worst-case here? Can we get a combinitorial explosion from the ~800 HTLCs in a state? In practice we rarely combine HTLC claims, but let's say we have one HTLC claim which is soon and 800 which are a ways away, then we could combine them into one claim, then then the counterparty could peel them off by claiming on-chain one at a time? That's still only 800 entries which is fine, is there a way for them to somehow get N^2 behavior or worse?

[wpaulino]

As I was confirming the runtime cost here, I realized that pending_claim_requests keeps a bunch of stale entries if something like this ends up happening because we don't clear the previous claim (now invalid since the counterparty claimed at least one of the same outputs as us). The reason for this is to merge the output the counterparty claimed back into it's original claim if it's reorged out of the chain.

So if we aggregate the HTLCs to timeout into a single claim, and the counterparty claims them one-by-one with the preimage, we'll end up with a new entry in pending_claim_requests per HTLC the counterparty claimed, but only one entry for the latest claim in pending_claim_events. The reason the events don't grow linearly in this case is because we can be more aggressive removing them since they do not represent the "main" state of a claim/request, they're simply a proxy to the consumer's claim.

1. Claiming 483 HTLCs in a single claim:

• 1 pending_claim_requests (483 HTLCs)
• 1 pending_claim_events (483 HTLCs)

2. Counterparty claims 1 HTLC:

• 2 pending_claim_requests (first 483 HTLCs (stale), second 482 HTLCs)
• 1 pending_claim_events (482 HTLCs)

3. Counterparty claims another HTLC:

• 3 pending_claim_requests (first 483 HTLCs (stale), second 482 HTLCs (stale), third 481 HTLCs)
• 1 pending_claim_events (481 HTLCs)

[TheBlueMatt]

Ah! indeed, I misread, yea, okay, so this doesn't even grow at all, cool. FWIW, I'm not at all worried about one-entry-per-HTLC (isnt it 966 - 483 max per direction?) , only if we get to N^3 or something stupid we need to start worrying about it.

[ariard]

I still think it's 483 as we shouldn't aggregate in a single pending_claim_events offered outputs (timeout path for us) and received outputs (preimage path for us). The runtime cost reasoning sounds correct, it's like at worst 482 pending_claim_requests entries + 1 pending_claim_events iiuc.

[ariard]

Can document the above reasoning near pending_claim_events.

[codecov-commenter]

Codecov Report

Patch coverage: 90.67% and project coverage change: -0.14 ⚠️

Comparison is base (48fa2fd) 91.33% compared to head (ba8a280) 91.20%.

❗ Current head ba8a280 differs from pull request most recent head d5bd25c. Consider uploading reports for the commit d5bd25c to get more accurate results

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2034      +/-   ##
==========================================
- Coverage   91.33%   91.20%   -0.14%     
==========================================
  Files         101      101              
  Lines       48837    49489     +652     
  Branches    48837    49489     +652     
==========================================
+ Hits        44604    45134     +530     
- Misses       4233     4355     +122     

Impacted Files	Coverage Δ
lightning/src/util/events.rs	34.05% <0.00%> (+2.51%)	⬆️
lightning/src/chain/onchaintx.rs	92.66% <81.57%> (-3.11%)	⬇️
lightning/src/ln/monitor_tests.rs	97.54% <93.08%> (-2.10%)	⬇️
lightning/src/ln/chan_utils.rs	94.62% <100.00%> (+0.91%)	⬆️
lightning/src/ln/functional_test_utils.rs	92.65% <100.00%> (+0.23%)	⬆️

... and 36 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[TheBlueMatt]

Feel free to squash, LGTM, I think, needs another review tho.

[ariard]

thanks for the additional test coverage, gonna look more

[ariard]

Thanks for the great test!

[ariard]

The expected forwarding frequency to ChainMonitor could be more documented.

IIRC, we generate a new ClaimEvent in update_claims_view_from_requests, which itself relies on 2 event: new block connected and off-chain forward preimage release. ChainMonitor could call get_and_clear_pending_claim_events() more often to generate ClaimEvent::BumpHTLC in reaction to the second trigger. However, in the lack of fee-estimation based on ongoing mempool networks congestion, I don't think it matters.

[wpaulino]

It's not public so it can only follow the same frequency as ChannelMonitor::get_and_clear_pending_events, which we already require to be called pretty often (orders of magnitude less than the average block time).

[ariard]

Yeah not public, though still think those interfaces might more exposed a day for dual-funding/splicing support, if OnchainTxHandler becomes its own trait :)

[ariard]

I still think it's 483 as we shouldn't aggregate in a single pending_claim_events offered outputs (timeout path for us) and received outputs (preimage path for us). The runtime cost reasoning sounds correct, it's like at worst 482 pending_claim_requests entries + 1 pending_claim_events iiuc.

[wpaulino]

Rebased and updated the test to claim HTLCs across two commitments per @ariard's request.

[TheBlueMatt]

Assigned @arik-so as second reviewer.

[arik-so]

this sentence hurts my head lol

[arik-so]

is there a point in making sure that the handle error message is odd?

[wpaulino]

Their order doesn't really matter – one message is at the gossip level, the other at the peer/channel level.

[arik-so]

this kinda looks like it wants to be a lambda, seeing how the only change is once it's chan_a, and once it's chan_b

[wpaulino]

Definitely could be. FWIW this is being simplified a bit in #2059, so I think we can leave it as is here.

[ariard]

Thanks for adding the test coverage extension on correct punishment of multiple revoked channels!

[ariard]

Yeah not public, though still think those interfaces might more exposed a day for dual-funding/splicing support, if OnchainTxHandler becomes its own trait :)

[ariard]

Can document the above reasoning near pending_claim_events.

[ariard]

We still re-generate adequate ClaimEvent L965 in block_disconnected though I'm not sure if we have test coverage for both post-anchor bump HTLC/bump commitment ? Or at least doesn't seem so from a look in monitor_tests, reorg_tests and functional_tests. Can be added in future PRs to avoid delaying more this one.

[wpaulino]

Yeah I definitely plan on improving the test coverage, this PR is mostly just about addressing the revoked commitment case.

[arik-so]

Should this stop at the first find? Also, what's the utility of this rather verbose expression rather than a retain for inequality?

[wpaulino]

There should only be one entry at most per package ID. No reason we can't use retain though.

[wpaulino]

Also rebased on main again for the Windows CI fix.

[wpaulino]

Hmm, seeing an unrelated failure when running with the anchors flag on our MSRV:

error[E0599]: no function or associated item named `as_ptr` found for type `std::sync::Arc<_>` in the current scope
  --> /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/futures-task-0.3.27/src/waker_ref.rs:61:20
   |
61 |     let ptr = Arc::as_ptr(wake).cast::<()>();
   |                    ^^^^^^ function or associated item not found in `std::sync::Arc<_>`

[TheBlueMatt]

Should be resolved with #2107

[TheBlueMatt]

Needs a rebase.

[wpaulino]

error: unresolved link to `ChannelTypeFeatures::supports_zero_conf`
   --> lightning/src/util/events.rs:915:34
    |
915 |         /// Furthermore, note that if [`ChannelTypeFeatures::supports_zero_conf`] returns true on this type,
    |                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the type alias `ChannelTypeFeatures` has no associated item named `supports_zero_conf`

Not sure how this is only failing on our MSRV builds... I guess cargo doc didn't support redirecting on type aliases back then? Maybe we should just get rid of the cargo doc step?

[TheBlueMatt]

Hum, that's annoying, uhhhh, yea, I guess let's only support cargo doc on, like, 1.63 or 1.59 if we can? but let's change the CI to actually test that, maybe in the check_commits run also do a cargo doc on anchors?

[arik-so]

I apologize for being dumb, but what's the benefit of cfg(debug_assertions) with an assert over debug_assert with no config flag? Is it just an optimization to not do the counting?

[wpaulino]

Is it just an optimization to not do the counting?

Yeah, we only want to run this code on debug_assertions which is active on tests.

[arik-so]

if there is an overlap between people working on this code and people who haven't memorized the meaning of the second bit in the channel update message, this needs a comment. However, I'm not sure such an overlap exists.

[wpaulino]

Just look at the spec 😛 It's checking if the channel is marked disabled once closed.

[arik-so]

or… we could use a constant instead of a magic 2. I know it's just used in tests, but given it's a test utility and not an individual test, might be some merit to not forcing readers to look up the spec. I won't block the PR over this though.

[TheBlueMatt]

nit: for future reference we actually dont have to define the type here, maybe we should remove them in all the tests...