Fix a debug panic caused by receiving MPP parts after a failure

[TheBlueMatt]

Prior to cryptographic payment secrets, when we process a received
payment in process_pending_htlc_fowards we'd remove its entry
from the pending_inbound_payments map and give the user a
PaymentReceived event.

Thereafter, if a second HTLC came in with the same payment hash, it
would find no entry in the pending_inbound_payments map and be
immediately failed in process_pending_htlc_forwards.

Thus, each HTLC will either result in a PaymentReceived event or
be failed, with no possibility for both.

As of 8464875, we no longer
materially have a pending-inbound-payments map, and thus
more-than-happily accept a second payment with the same payment
hash even if we just failed a previous one for having mis-matched
payment data.

This can cause an issue if the two HTLCs are received back-to-back,
with the first being accepted as valid, generating a
PaymentReceived event. Then, when the second comes in we'll hit
the "total value {} ran over expected value" condition and fail
all pending HTLCs with the same payment hash. At this point,
we'll have a pending failure for both HTLCs, as well as a
PaymentReceived event for the user.

Thereafter, if the user attempts to fail the HTLC in response to
the PaymentReceived, they'll get a debug panic at channel.rs:1657
'Tried to fail an HTLC that was already failed'.

The solution is to avoid bulk-failing all pending HTLCs for a
payment. This feels like the right thing to do anyway - if a sender
accidentally sends an extra HTLC after a payment has ben fully
paid, we shouldn't fail the entire payment.

Found by the chanmon_consistency fuzz test.

[TheBlueMatt]

Note that these panics are debug-only (apparently for good reason!)

[codecov-commenter]

Codecov Report

Merging #1266 (9cf0435) into main (0df247d) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main    #1266   +/-   ##
=======================================
  Coverage   90.50%   90.50%           
=======================================
  Files          71       71           
  Lines       39210    39258   +48     
=======================================
+ Hits        35486    35531   +45     
- Misses       3724     3727    +3     

Impacted Files	Coverage Δ
lightning/src/ln/channelmanager.rs	84.59% <ø> (ø)
lightning/src/ln/functional_tests.rs	97.03% <100.00%> (-0.01%)	⬇️
lightning-background-processor/src/lib.rs	92.60% <0.00%> (-0.44%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0df247d...9cf0435. Read the comment docs.

[TheBlueMatt]

Rebased on the Payee -> PaymentParameters change.

[jkczyz]

Any reason expect_pending_htlcs_forwardable shouldn't be used in both places?

[TheBlueMatt]

Yes, it currently calls process_pending_htlc_forwards twice without checking for a new event, which we don't want here.

[jkczyz]

Are there two failed HTLCs because the second payment was sent over two paths? Or am I misunderstanding what's going on here?

[TheBlueMatt]

Hmm? There were two send_payment calls, so we have two HTLCs to fail?

[jkczyz]

My confusion again here on the testing scenario. I think what threw me was that nodes[1] was failing a payment hash that it knew the preimage for. And I was thinking that it would only fail one HTLC since the first should have been sufficient. But I understand now that that would be incorrect behavior.

Then again, seeing this part of the commit message:

The solution is to avoid bulk-failing all pending HTLCs for a
payment. This feels like the right thing to do anyway - if a sender
accidentally sends an extra HTLC after a payment has ben fully
paid, we shouldn't fail the entire payment.

Makes me think only on path should be failed. What am I missing?

[jkczyz]

Actually, nevermind about this. I understand what's going on now.

[TheBlueMatt]

Is there a way I could clarify the test comment?

[jkczyz]

I think just extending the last sentence to say something like "and that panic does not occur if the user manually fails the payment".

[TheBlueMatt]

Added a further comment in the test.

[TheBlueMatt]

Squashed without changes.

[arik-so]

re-ACKing

[TheBlueMatt]

CI failure is unrelated (tokio MSRV bump).