Misc updates to tee up async ChannelMonitorUpdate persist for claims against closed channels
#3413
Conversation
lightning/src/ln/channelmanager.rs
Outdated
| if remaining_in_flight != 0 { | ||
| return; | ||
| } |
There was a problem hiding this comment.
Can this be pulled out and done unconditionally prior to the channel assignment? We're checking it again later, which would be unnecessary if done earlier? IIUC, we'd only skip the logging below.
There was a problem hiding this comment.
Yea, I was trying to retain the log, which I think is pretty important. I cleaned the flow up and added more logging though.
Makes `test_durable_preimages_on_closed_channel` more robust against changes to the order in which transactions are broadcast.
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
from
7ec1631 to
0578332
Compare
Its somewhat mechanical - basically just taking the |
|
Also rebased. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3413 +/- ##
==========================================
+ Coverage 89.24% 90.63% +1.39%
==========================================
Files 130 130
Lines 106959 112982 +6023
Branches 106959 112982 +6023
==========================================
+ Hits 95452 102401 +6949
+ Misses 8718 8175 -543
+ Partials 2789 2406 -383 ☔ View full report in Codecov by Sentry. |
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
from
0578332 to
55b712e
Compare
| if !in_flight_updates.contains(&update) { | ||
| in_flight_updates.push(update.clone()); | ||
| } | ||
| let event = BackgroundEvent::MonitorUpdateRegeneratedOnStartup { |
There was a problem hiding this comment.
Should we also check for duplicates before pushing this background event, like how we do for in_flight_updates just above?
There was a problem hiding this comment.
The reason we check for duplicates is because we replay the background events by just running them again through the normal process which leads to duplicates. We shouldn't have dups in the background events themselves, I believe.
| @@ -3241,18 +3264,17 @@ macro_rules! handle_monitor_update_completion { | |||
| } | |||
|
|
|||
| macro_rules! handle_new_monitor_update { | |||
| ($self: ident, $update_res: expr, $chan: expr, _internal, $completed: expr) => { { | |||
There was a problem hiding this comment.
I feel like this macro is losing readability in this PR and the follow-up due to more cases being jammed into it. Thoughts on splitting this into a few different macros, like handle_monitor_update_res_internal for the first block, handle_initial_monitor_res for the INITIAL_MONITOR case, etc?
There was a problem hiding this comment.
Hmm, I mean sure I can move the _internal case out into a different macro, but is that all that more readable? All the macro variants have an explicit string in them so its easy to see which one is being called. Its less clear that a freestanding macro is "inner" to the handle_new_monitor_update macro vs the file or whatever.
| mem::drop(peer_state); | ||
| mem::drop(per_peer_state); | ||
|
|
||
| self.handle_monitor_update_completion_actions(update_actions); |
There was a problem hiding this comment.
Missing test coverage for !update_actions.is_empty() case.
There was a problem hiding this comment.
I think this is actually currently unreachable :/. In order to hit it we have to have a channel-closing-update which has attached post-update actions, which they never do. Otherwise, post-update actions always complete with their update (either immediately or when the update completion comes in).
| if let Some(peer_state_mtx) = per_peer_state.get(&shutdown_res.counterparty_node_id) { | ||
| let mut peer_state = peer_state_mtx.lock().unwrap(); | ||
| if peer_state.in_flight_monitor_updates.get(&funding_txo).map(|l| l.is_empty()).unwrap_or(true) { |
There was a problem hiding this comment.
I wonder if it would make sense to put this handling in locked_close_channel so we don't need to acquire the lock again here? Probably doesn't matter too much though.
There was a problem hiding this comment.
Yea, we probably should. I was trying to avoid changing the ShutdownRes type in this PR, if its alright I'm gonna leave it for a followup with a TODO here.
| log_trace!(logger, "Channel is open and awaiting update, resuming it"); | ||
| handle_monitor_update_completion!(self, peer_state_lock, peer_state, per_peer_state, chan); | ||
| } else { | ||
| log_trace!(logger, "Channel is open but not awaiting update"); |
There was a problem hiding this comment.
Is this reachable? Seems like it might not be since we already checked that there are no-inflight updates. Missing test coverage if so
There was a problem hiding this comment.
In practice I believe its unreachable, but technically its reachable from the public API - someone can return repeated MonitorEvent::Completeds.
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
4 times, most recently
from
ad59652 to
e75fbd8
Compare
|
Okay I believe I've addressed all feedback here. |
| let in_flight_updates = $peer_state.in_flight_monitor_updates.entry(funding_txo) | ||
| .or_insert_with(Vec::new); | ||
| if !in_flight_updates.contains(&update) { | ||
| in_flight_updates.push(update.clone()); | ||
| } |
There was a problem hiding this comment.
Thinking more on this race condition to make sure I'm following. Is one possible consequence of running the post-completion actions early that we may free an upstream channel before a preimage is persisted on the downstream channel? If there's a money-losing condition like that, it does seem worth testing, currently commenting out pushing the in_flight_update lines passes tests. Not gonna hold up the PR on it though.
There was a problem hiding this comment.
In theory, yes, but this specific race condition on this line is entirely theoretical - to trigger this race we'd have to have s post-completion action tied to the close event, which we never do. Sadly that makes it untestable.
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
2 times, most recently
from
3add30b to
068d2ce
Compare
Thanks, I went through this all again. LGTM. Feel free to squash. |
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
from
068d2ce to
8cae621
Compare
|
Squashed without further updates. |
TheBlueMatt
dismissed stale reviews from valentinewallace and jkczyz
via
2a38a70
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
from
8cae621 to
2a38a70
Compare
|
Oops, sorry, fixed a no-std issue and an intermediary-commit issue: $ git diff-tree -U1 8cae62161 db85fbc8f
diff --git a/lightning/src/sync/nostd_sync.rs b/lightning/src/sync/nostd_sync.rs
index 56fb5e954..19faa1b5e 100644
--- a/lightning/src/sync/nostd_sync.rs
+++ b/lightning/src/sync/nostd_sync.rs
@@ -12,3 +12,3 @@ pub struct Mutex<T: ?Sized> {
#[cfg(test)]
-unsafe impl<T: ?Sized> RefUnwindSafe for Mutex<T> {}
+impl<T: ?Sized> core::panic::RefUnwindSafe for Mutex<T> {} |
|
CI is still sad |
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
from
2a38a70 to
db85fbc
Compare
|
Ugh, sorry, fixed. |
When deciding if we should remove a `PeerState` entry we want to ensure we don't remove if there are pending updates in `in_flight_monitor_updates`. Previously this was done with a simple `in_flight_monitor_updates.is_empty()`, however this can prevent removal of `PeerState` entries if a channel had an update at some point (leaving an entry in the map) but the update was ultimately completed. Instead, we need to iterate over the entries in `in_flight_monitor_updates` and decline to remove `PeerState`s only if there is an entry for a pending update still in-flight.
On startup, if we have a channel which was closed immediately before shutdown such that the `ChannelMonitorUpdate` marking the channel as closed is still in-flight, it doesn't make sense to generate a fresh `ChannelMonitorUpdate` marking the channel as closed immediately after the existing in-flight one. Here we detect this case and drop the extra update, though its not all that harmful it does avoid some test changes in the coming commits.
During block connection, we cannot apply `ChannelMonitorUpdate`s if we're running during the startup sequence (i.e. before the user has called any methods outside of block connection). We previously handled this by simply always pushing any `ChannelMonitorUpdate`s generated during block connection into the `pending_background_events` queue. However, this results in `ChannelMonitorUpdate`s going through the queue when we could just push them immediately. Here we explicitly check `background_events_processed_since_startup` and use that to decide whether to push updates through the background queue instead.
In the coming commits we'll start handling `ChannelMonitorUpdate`s during channel closure in-line rather than after dropping locks via `finish_close_channel`. In order to make that easy, here we add a new `REMAIN_LOCKED_UPDATE_ACTIONS_PROCESSED_LATER` variant to `handle_new_monitor_update!` which can attempt to apply an update without dropping the locks and processing `MonitorUpdateCompletionAction`s immediately.
Closing channels requires a two step process - first `update_maps_on_chan_removal` is called while holding the same per-peer lock under which the channel reached the terminal state, then after dropping the same lock(s), `finish_close_channel` is called. Because the channel is closed and thus no further `ChannelMonitorUpdate`s are generated for the off-chain state, we'd previously applied the `ChannelMonitorUpdate` in `finish_close_channel`. This was tweaked somewhat in c99d3d7 when we stopped using `u64::MAX` for any updates after closure. However, we worked around the races that implied by setting the `update_id` only when we go to apply the `ChannelMonitorUpdate`, rather than when we create it. In a coming commit, we'll need to have an `update_id` immediately upon creation (to track in-flight updates that haven't reached application yet). This implies that we can no longer apply closure `ChannelMonitorUpdate`s after dropping the per-peer lock(s), as the updates must be well-ordered with any later updates to the same channel, even after it has been closed. Thus, here, we add `ChannelMonitorUpdate` handling to `update_maps_on_chan_removal`, renaming it `locked_close_channel` to better capture its new purpose.
c99d3d7 updated `ChannelMonitorUpdate::update_id` to continue counting up even after the channel is closed. It, however, accidentally updated the `ChannelMonitorUpdate` application logic to skip testing that `ChannelMonitorUpdate`s are well-ordered after the channel has been closed (in an attempt to ensure other checks in the same conditional block were applied). This fixes that oversight.
When we handle a `ChannelMonitorUpdate` completion we always complete everything that was waiting on any updates to the same channel all at once. Thus, we need to skip all updates if there's pending updates besides the one that was just completed. We handled this correctly for open channels, but the shortcut for closed channels ignored any other pending updates entirely. Here we fix this, which is ultimately required for tests which are added in a few commits to pass.
TheBlueMatt
dismissed stale reviews from valentinewallace and jkczyz
via
b50354d
TheBlueMatt
force-pushed
the
2024-11-async-persist-claiming-from-closed-chan-1
branch
from
db85fbc to
b50354d
Compare
|
Grrrr $ git diff-tree -U1 db85fbc8f b50354dc4
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
index c33e25462..9ca99056e 100644
--- a/lightning/src/ln/channelmanager.rs
+++ b/lightning/src/ln/channelmanager.rs
@@ -9646,3 +9646,3 @@ where
};
- if let Some(shutdown_result) = shutdown_result {
+ if let Some(mut shutdown_result) = shutdown_result {
let context = &chan.context(); |
#3355 did a lot of the most complex work towards being able to do async
ChannelMonitorUpdatepersistence for updates writing a preimage for a closed channel, and I'd intended to get the rest of it done in one PR. Sadly, things kept coming up, so there's a laundry list of small-ish changes which need to land first. This PR tees up those small changes (plus one relatively straightforward refactor that touches a lot of lines), with the final PR coming separately.