Enable decoding HTLC onions when fully committed

[wpaulino]

This PR ensures all new incoming HTLCs going forward will have their onion decoded when they become fully committed to decide how we should proceed with each one. As a result, we'll obtain HTLCHandlingFailed events for any failed HTLC that comes across a channel.

We will now start writing channels with the new serialization version (4), and we will still be able to downgrade back to the commit that introduced it since reading version 4 is supported.

Note that existing pending inbound HTLCs may already have their resolution if they were received in a previous version of LDK. We must support those until we no longer allow downgrading beyond this commit.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 98.41772% with 5 lines in your changes missing coverage. Please review.

Project coverage is 88.44%. Comparing base (ad462bd) to head (d8d9dc7).
Report is 62 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channel.rs	88.46%	0 Missing and 3 partials ⚠️
lightning/src/ln/payment_tests.rs	98.09%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2933      +/-   ##
==========================================
+ Coverage   88.42%   88.44%   +0.02%     
==========================================
  Files         149      149              
  Lines      112959   113363     +404     
  Branches   112959   113363     +404     
==========================================
+ Hits        99883   100268     +385     
  Misses      10605    10605              
- Partials     2471     2490      +19     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[TheBlueMatt]

Tagging 0.0.122 not because we need to land this for 0.0.122, but because we have to at least be roughly confident in it working and the tests in it being sufficient.

[valentinewallace]

As discussed offline, we'll want to land a cfg-flagged version of this PR :)

[TheBlueMatt]

Okay, sounds like @valentinewallace took a glance at this, and I did too. Nothing too wild here, tests pass, we can do this in the next release (or whenever), but should cfg-flag the changes and land it sooner so that we don't have this branch get toooo stale.

[wpaulino]

Before I go down the cfg flag path, does it make sense to merge this now as is if the project is doing branched releases going forward?

[TheBlueMatt]

Yea, I don't see why not? Just cause we're branching off for future releases doesn't mean we can't/shouldn't have future code behind cfg flags on the working tip.

[jkczyz]

Chatted with @wpaulino today. His quiescence branch is based on this PR and IIUC requires it. He agreed to rebase it soon. @TheBlueMatt @wpaulino Do we still want a cfg flag for this?

[TheBlueMatt]

I think we're probably okay without now. @valentinewallace checked today and said support was added in 0.0.123, which means if we ship this we'll support downgrading two versions of LDK but not more, which is pretty normal for us, I think.

[jkczyz]

@wpaulino Needs another rebase.

[TheBlueMatt]

Shouldn't we be bumping the MIN_SERIALIZATION_VERSION here (and should have done so in the old code, but it didn't matter then)?

[wpaulino]

Unfortunately I don't recall some of the context here. It does seem safe to bump it now given that we're not supporting downgrades past 0.0.122. I think it just wasn't bumped in the parent PR because we were still using the named constant to write the current version.

[TheBlueMatt]

Can you justify all the changes to dust calculation here and below?

[wpaulino]

The incoming HTLC is now included in the pending stats. This wasn't the case before because we'd previously evaluate the incoming add upon receiving it, while now we wait until it's fully committed by both sides.

[TheBlueMatt]

Can you update comments/git commit message so that its clearer?

[wpaulino]

Done

[valentinewallace]

This seems like it should be ::InvalidOnion...?

[wpaulino]

I would think so too, but the error we get from processing doesn't come out as malformed from construct_pending_htlc_status.

We get a PendingHTLCStatus::Fail(HTLCFailureMsg::Relay(msgs::UpdateFailHTLC)) with the reason:

Got blinded non final data with an HMAC of 0

I believe this has always been the case and is just being surfaced by this PR now.

[valentinewallace]

The behavior of the intro node returning update_fail rather than malformed there aligns with the route blinding spec; intro nodes always error in the same way regardless of the "real" error. So it seems the issue is that real error isn't being bubbled up to be accurately included in the event, only the blinded one. That said, this case seems quite rare so doesn't seem worth addressing.

[wpaulino]

Can you confirm this has always been the case but is just being exposed now as a result of the changes? If so, it's probably best to address on its own as a follow-up.

[valentinewallace]

Looked into this again. So the issue is that as coded in fe65648 we'll never map the result of construct_pending_htlc_status to HTLCDestination::InvalidOnion, to do so would require checking the onion error code within and tailoring the HTLCDestination more based on that. Don't think it's worth bothering to address though as this case is quite rare (and also broken for unblinded forwards, just not tested).

[valentinewallace]

Comment 2 lines up needs updating. Also, it looks like we'll always pass in None to this method for the fee spike buffer now, may be able to remove that parameter (I'm still trying to figure out why this patch affects whether we include a fee spike buffer, though...)

Edit: no test coverage when I revert this diff btw.

[wpaulino]

I'm still trying to figure out why this patch affects whether we include a fee spike buffer

This is related to https://github.com/lightningdevkit/rust-lightning/pull/2933/files#r1769645521.

Before this PR, we'd evaluate can_accept_incoming_htlc prior to the incoming HTLC being committed, so all stats computations would not include it. Now, it's evaluated after it has been accepted.

We still check within update_add_htlc that we can accept it (to return an actual error/force close), but the check here is concerned with whether we can accept another HTLC (to prevent stuck channels). The HTLCCandidate argument to next_remote_commit_tx_fee_msat now replaces the use of the fee_spike_buffer_htlc being Some in this context.

Thanks for pointing this out though, because I think the amount of this HTLCCandidate should now be updated to be the smallest non-dust HTLC allowed for the channel? cc @TheBlueMatt

no test coverage when I revert this diff btw

With some of the context above, I assume that's because none of our tests care for whether we can accept more than one HTLC after accepting one, they only care for exactly one more.

[TheBlueMatt]

Thanks for pointing this out though, because I think the amount of this HTLCCandidate should now be updated to be the smallest non-dust HTLC allowed for the channel? cc @TheBlueMatt

Right, the API for next_remote_commit_tx_fee_msat probably needs to change - the second argument is now always None but here we really want to pass no HTLC for the first argument but Some for the second. Maybe we just make the HTLCCandidate amount an Option?

[TheBlueMatt]

But indeed we should update the comment here too.

[wpaulino]

Updated the API and comments.

[valentinewallace]

LGTM

[valentinewallace]

Looked into this again. So the issue is that as coded in fe65648 we'll never map the result of construct_pending_htlc_status to HTLCDestination::InvalidOnion, to do so would require checking the onion error code within and tailoring the HTLCDestination more based on that. Don't think it's worth bothering to address though as this case is quite rare (and also broken for unblinded forwards, just not tested).

[TheBlueMatt]

Need to glance at the dust buffer stuff again but I think this LGTM.