Ensure a 1:1 mapping of value sendable to send success in fuzzing

TheBlueMatt · TheBlueMatt · commit 08b5cb987812 · 2023-05-21T19:14:08.000Z
Now that the value available to send is expected to match the
success or failure of sending exactly, we should assert this in the
`chanmon_consistency` fuzzer.

In the next commit we'll actually rip the checks out of `send_htlc`
which will make this a somewhat less useful test, however fuzzing
on this specific commit can help to reveal bugs.
diff --git a/fuzz/src/chanmon_consistency.rs b/fuzz/src/chanmon_consistency.rs
@@ -285,7 +285,7 @@ impl KeyProvider {
 }
 
 #[inline]
-fn check_api_err(api_err: APIError) {
+fn check_api_err(api_err: APIError, sendable_bounds_violated: bool) {
 	match api_err {
 		APIError::APIMisuseError { .. } => panic!("We can't misuse the API"),
 		APIError::FeeRateTooHigh { .. } => panic!("We can't send too much fee?"),
@@ -305,6 +305,7 @@ fn check_api_err(api_err: APIError) {
 				_ if err.starts_with("Cannot send value that would put our exposure to dust HTLCs at") => {},
 				_ => panic!("{}", err),
 			}
+			assert!(sendable_bounds_violated);
 		},
 		APIError::MonitorUpdateInProgress => {
 			// We can (obviously) temp-fail a monitor update
@@ -313,17 +314,17 @@ fn check_api_err(api_err: APIError) {
 	}
 }
 #[inline]
-fn check_payment_err(send_err: PaymentSendFailure) {
+fn check_payment_err(send_err: PaymentSendFailure, sendable_bounds_violated: bool) {
 	match send_err {
-		PaymentSendFailure::ParameterError(api_err) => check_api_err(api_err),
+		PaymentSendFailure::ParameterError(api_err) => check_api_err(api_err, sendable_bounds_violated),
 		PaymentSendFailure::PathParameterError(per_path_results) => {
-			for res in per_path_results { if let Err(api_err) = res { check_api_err(api_err); } }
+			for res in per_path_results { if let Err(api_err) = res { check_api_err(api_err, sendable_bounds_violated); } }
 		},
 		PaymentSendFailure::AllFailedResendSafe(per_path_results) => {
-			for api_err in per_path_results { check_api_err(api_err); }
+			for api_err in per_path_results { check_api_err(api_err, sendable_bounds_violated); }
 		},
 		PaymentSendFailure::PartialFailure { results, .. } => {
-			for res in results { if let Err(api_err) = res { check_api_err(api_err); } }
+			for res in results { if let Err(api_err) = res { check_api_err(api_err, sendable_bounds_violated); } }
 		},
 		PaymentSendFailure::DuplicatePayment => panic!(),
 	}
@@ -351,6 +352,11 @@ fn send_payment(source: &ChanMan, dest: &ChanMan, dest_chan_id: u64, amt: u64, p
 	let mut payment_id = [0; 32];
 	payment_id[0..8].copy_from_slice(&payment_idx.to_ne_bytes());
 	*payment_idx += 1;
+	let (min_value_sendable, max_value_sendable) = source.list_usable_channels()
+		.iter().find(|chan| chan.short_channel_id == Some(dest_chan_id))
+		.map(|chan|
+			(chan.next_outbound_htlc_minimum_msat, chan.next_outbound_htlc_limit_msat))
+		.unwrap_or((0, 0));
 	if let Err(err) = source.send_payment_with_route(&Route {
 		paths: vec![Path { hops: vec![RouteHop {
 			pubkey: dest.get_our_node_id(),
@@ -362,9 +368,15 @@ fn send_payment(source: &ChanMan, dest: &ChanMan, dest_chan_id: u64, amt: u64, p
 		}], blinded_tail: None }],
 		payment_params: None,
 	}, payment_hash, RecipientOnionFields::secret_only(payment_secret), PaymentId(payment_id)) {
-		check_payment_err(err);
+		check_payment_err(err, amt > max_value_sendable || amt < min_value_sendable);
 		false
-	} else { true }
+	} else {
+		// Note that while the max is a strict upper-bound, we can occasionally send substantially
+		// below the minimum, with some gap which is unusable immediately below the minimum. Thus,
+		// we don't check against min_value_sendable here.
+		assert!(amt <= max_value_sendable);
+		true
+	}
 }
 #[inline]
 fn send_hop_payment(source: &ChanMan, middle: &ChanMan, middle_chan_id: u64, dest: &ChanMan, dest_chan_id: u64, amt: u64, payment_id: &mut u8, payment_idx: &mut u64) -> bool {
@@ -373,13 +385,19 @@ fn send_hop_payment(source: &ChanMan, middle: &ChanMan, middle_chan_id: u64, des
 	let mut payment_id = [0; 32];
 	payment_id[0..8].copy_from_slice(&payment_idx.to_ne_bytes());
 	*payment_idx += 1;
+	let (min_value_sendable, max_value_sendable) = source.list_usable_channels()
+		.iter().find(|chan| chan.short_channel_id == Some(middle_chan_id))
+		.map(|chan|
+			(chan.next_outbound_htlc_minimum_msat, chan.next_outbound_htlc_limit_msat))
+		.unwrap_or((0, 0));
+	let first_hop_fee = 50_000;
 	if let Err(err) = source.send_payment_with_route(&Route {
 		paths: vec![Path { hops: vec![RouteHop {
 			pubkey: middle.get_our_node_id(),
 			node_features: middle.node_features(),
 			short_channel_id: middle_chan_id,
 			channel_features: middle.channel_features(),
-			fee_msat: 50000,
+			fee_msat: first_hop_fee,
 			cltv_expiry_delta: 100,
 		},RouteHop {
 			pubkey: dest.get_our_node_id(),
@@ -391,9 +409,16 @@ fn send_hop_payment(source: &ChanMan, middle: &ChanMan, middle_chan_id: u64, des
 		}], blinded_tail: None }],
 		payment_params: None,
 	}, payment_hash, RecipientOnionFields::secret_only(payment_secret), PaymentId(payment_id)) {
-		check_payment_err(err);
+		let sent_amt = amt + first_hop_fee;
+		check_payment_err(err, sent_amt < min_value_sendable || sent_amt > max_value_sendable);
 		false
-	} else { true }
+	} else {
+		// Note that while the max is a strict upper-bound, we can occasionally send substantially
+		// below the minimum, with some gap which is unusable immediately below the minimum. Thus,
+		// we don't check against min_value_sendable here.
+		assert!(amt + first_hop_fee <= max_value_sendable);
+		true
+	}
 }
 
 #[inline]
diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs
@@ -6029,6 +6029,8 @@ impl<Signer: WriteableEcdsaChannelSigner> Channel<Signer> {
 			return Err(ChannelError::Ignore(format!("Cannot send value that would put our balance under counterparty-announced channel reserve value ({})", chan_reserve_msat)));
 		}
 
+		debug_assert!(amount_msat <= self.get_available_balances().next_outbound_htlc_limit_msat);
+
 		let need_holding_cell = (self.channel_state & (ChannelState::AwaitingRemoteRevoke as u32 | ChannelState::MonitorUpdateInProgress as u32)) != 0;
 		log_debug!(logger, "Pushing new outbound HTLC for {} msat {}", amount_msat,
 			if force_holding_cell { "into holding cell" }

Original file line number	Diff line number	Diff line change
`@@ -6029,6 +6029,8 @@ impl<Signer: WriteableEcdsaChannelSigner> Channel<Signer> {`
`6029`	`6029`	`return Err(ChannelError::Ignore(format!("Cannot send value that would put our balance under counterparty-announced channel reserve value ({})", chan_reserve_msat)));`
`6030`	`6030`	`}`
`6031`	`6031`
	`6032`	`+ debug_assert!(amount_msat <= self.get_available_balances().next_outbound_htlc_limit_msat);`
	`6033`	`+`
`6032`	`6034`	`let need_holding_cell = (self.channel_state & (ChannelState::AwaitingRemoteRevoke as u32 \| ChannelState::MonitorUpdateInProgress as u32)) != 0;`
`6033`	`6035`	`log_debug!(logger, "Pushing new outbound HTLC for {} msat {}", amount_msat,`
`6034`	`6036`	`if force_holding_cell { "into holding cell" }`