2019 04 in flight txn tracking clean

[ariard]

#333 without WIP Bump Tx stuff

[TheBlueMatt]

Hmm, I had these pending, I presume worth publishing until I get a chance to re-review, hopefully tomorrow.

[TheBlueMatt]

Can you add a comment describing exactly how this is used?

[ariard]

Better ?

[TheBlueMatt]

THe meaning of the u32 still isnt explained.

[TheBlueMatt]

Hmm, there is no variable called our_claim_txn_waiting_first_conf.

[ariard]

Yes it's inside the added commit, what is best practice referring it even if not present in commit or doing a generic reference?

[TheBlueMatt]

From IRC:

<BlueMatt> ariard: wait, no, yea, I'm still confused, it looks like this acts purely based on height
<BlueMatt> ariard: what I thought it was going to do was something like: step (1) create transactions (ie what we do now), step (2) add some mapping from txid to things-this-tx-resolves, step (3) monitor for confirmation of any tacked txids, step (4) when you see one, kick off a block-count-timer and then once you get enough confirmations, handle it
<BlueMatt> it looks like #336 skips (2) and (3), though I dont think addint them would be too hard?

[TheBlueMatt]

Mostly done reviewing, but here's some initial feedback.

[TheBlueMatt]

Hmmm...we need some kind of mechanism to prevent us from waiting until after an HTLC expires to fail it backwards. In fact, currently, we only close-to-chain when we're CLTV_CLAIM_BUFFER (6 blocks) away from expiry, and we only fail back after HTLC_FAIL_ANTI_REORG_DELAY (6 blocks), so we're kinda screwed. We should significantly increase CLTV_CLAIM_BUFFER, add some static asserts, and then make sure we always fail back maybe one or two blocks before expiry if we have an unconfirmed resolving tx pending.

[ariard]

Hmmm isn't more CLTV_EXPIRY_DELTA and HTLC_FAIL_ANTI_REORG_DELAY which are interwined ? Let's say remote commitment transaction hits onchain, and we resolves a received_HTLC with a timeout tx, after HTLC_FAIL_ANTI_REORG_DELAY we pass failure backward. As it's way inferior to CLTV_EXPIRY_DELTA, it should be safe, assuming would_broadcast_at_height react timely.

[TheBlueMatt]

Ah, yea, sorry, you're right, we should still try to check how far we are from where we need to have failed back by, but, indeed, its a question of CLTV_EXPIRY_DELTA.

[TheBlueMatt]

Ugh, I'll finish this review this week, but this is what I came up with when looking a week ago or so.

[TheBlueMatt]

Shouldn't this block only run in case either commitment_txid == current local txid or remote local txid? (ie doesn't this hunk, as written, always fail dust HTLCs backwards?)

[ariard]

Oh yes modified to only fail backward if commitment tx is last or previous local one.

But we still need to iterate on both HTLCs set as you may receive a update_fail_htlc + commitment signed from your counterpart. In case of last local tx hitting the chain, our in-memory last local tx datas won't contain the failed dust HTLC output. That's a edge-case but test_failure_delay_dust_htlc_local_commitment is explicitly testing that.

[TheBlueMatt]

Didn't review individual commits, just the total diff. Didn't get materially to tests yet either, but it does look like the tests could use some love, definitely a few more new tests would be much appreciated (eg to fix the issues I point out).

[TheBlueMatt]

docs please. Also, looks like right now this is always only ever taken while channel_state is taken. It could either be moved into the channel_state mutex or the places its taken broken up and scoped so that the locks don't always overlap. Don't sweat making fine-grained locks yet anyway, until we go around and split channels into their own locks.

[ariard]

Updated doc and moved it in ChannelHolder ? IIRC this buffer is just there to avoid inconsistencies between channel_manager and channel_monitor in case of reorgs and an HTLC-timeout being swept by a preimage tx, in this case we need to pass success backward and we need the channel to be still open. Do you think it's ok right now before we put more thoughts in channel locks refactoring ?

[TheBlueMatt]

THe meaning of the u32 still isnt explained.

[TheBlueMatt]

Hmm, probably want something smarter than just height + 3, gien the HTLC may be expiring in < 3 blocks.

[TheBlueMatt]

Also, need to make sure we add to the map with the feerate actually used, not a new one fetched from the fee_estimator. Further, and this is somewhat of a strange edge-case, but in case we got called twice for the same block, but the feerate information changed between calls, we don't want to overwrite the entry in the map with new info.

[TheBlueMatt]

Note that these comments apply equally to several other similar lines below.

[ariard]

On feerate, updated to cache only actual value used. In case we got block twice, I kept only the first version seen, doesn't seem efficient, in case of bump needed, to send two bumped transactions at same height even their respective previous states has different feerate base.

[ariard]

And you may have the tx_broadcaster discard duplicate claim tx based on spend outpoint.

[TheBlueMatt]

(this and a bunch of other places): Is it possible that we need to fail this backwards before we reach HTLC_FAIL_ANTI_REORG_DELAY? ie because the inbound HTLC is close to timing out (and, thus, will result in a needless channel closure upstream). I think we need to check if the expiry + CLTV_EXPIRY_DELTA is at least HTLC_FAIL_ANTI_REORG_DELAY + CLTV_CLAIM_BUFFER (maybe + some headroom) away?

[ariard]

Not something to do now, but I'm more and more thinking that channel_manager shouldn't be a ChainListener and get all blockchain events through ChannelMonitor and register outpoint to watch if needed. It would avoid inconsistencies between both of them due to different handling of block height timer.

[TheBlueMatt]

Hmmm, see comment at https://github.com/rust-bitcoin/rust-lightning/pull/336/files#r304483221 I'd agree if block_connected in ChannelManager grows, but as long as we can keep it small, I don't see why its necessary.

[TheBlueMatt]

Not actually sure what you're saying here?

[ariard]

Going through core mempool rules the other day, I read that locktime transactions are going to be rejected from the mempool is locktime isn't equal or more to tip + 1 to avoid DoS vectors which means if we should broadcast timeout txn only at this given height to avoid having to rebuild it few blocks later. And for so track them with an OnchainEvent. It is how the mempool is working ?

[TheBlueMatt]

Ohh, I see your point. Still, broadcast_transaction should imply re-announcement (potentially at the appropriate time), if only because mempool transactions may time out. The docs on broadcast_transaction should make sure this is clear, but we shouldn't bother dealing with that.

[TheBlueMatt]

This isnt enough to verify that the given transaction is a local transaction, is it? I think you also need to check that commitment_txid == local_tx.txid for either prev or current?

[TheBlueMatt]

Probably worth trying to add a test case for this.

[ariard]

Yeah, was broken but not spotted by any other tests, seems it's really an edge case because if it's spending the funding output, dust htlcs are going to be cancelled on the behalf of remote commitment. Nevermind, switched the logic to be sure we have a previous_commitment or latest_commitment. Added test_no_failure_dust_htlc_local_commitment, turn to true the is_local_tx in check_spend_local_transaction

[ariard]

Updated at 0d3575a with your last review, I think we need to think more how we handle timelocks given #336 (comment), #336 (comment) and #336 (comment)

[TheBlueMatt]

Wait, why? If our counterparty broadcasts a commitment transaction, and it gets reorged out, we shoulnd't try to relay payments over the channel, that commitment transaction is probably gonna be mined again in a block soon, we should just move forward happily with a closed channel.

[ariard]

Oh I'm dumb, that's exactly what my test was trying to do, i.e testing some edge cases which is doable but doesn't make sense on a high-level. And from then, adding all this non-sense struct in channel_manager, I've dropped this commit and rewrote test_sweep_outbound_htlc_faiilure_update.

[TheBlueMatt]

I think this is pretty much ready to go.

[TheBlueMatt]

Isn't this now wrong given get_height_timer? Maybe also track what block we saw the ting which is being spent explicitly to avoid any confusion.

[TheBlueMatt]

New names are nice, but GRACE_PERIOD_BLOCKS isnt sufficiently clear, IMO, maybe NETWORK_SYNC_GRACE_PERIOD_BLOCKS?

[TheBlueMatt]

Doesn't need to happen in this PR, but in #347 this is gonna bite us - we don't track that all of these inputs are spent in the same transaction, with different expiries, so we may try to bump only one input, and then end up getting that confirmed, leaving nothing in the mempool trying to punish other inputs.