Handle async initial ChannelMonitor persistence failing on restart

[TheBlueMatt]

Based on #1106, this is the second of many steps towards making the async monitor persistence feature more robust, eventually leading to 0.1 and a safe async KV store API.

If the initial ChannelMonitor persistence is done asynchronously
but does not complete before the node restarts (with a
ChannelManager persistence), we'll start back up with a channel
present but no corresponding ChannelMonitor.

Because the Channel is pending-monitor-update and has not yet
broadcasted its initial funding transaction, this is not a
violation of our API contract nor a safety violation. However, the
previous code would refuse to deserialize the ChannelManager
treating it as an API contract violation.

The solution is to test for this case explicitly and drop the
channel entirely as if the peer disconnected before we received
the funding_signed.

[codecov-commenter]

Codecov Report

Base: 90.73% // Head: 91.17% // Increases project coverage by +0.44% 🎉

Coverage data is based on head (763ed22) compared to base (7544030).
Patch coverage: 97.12% of modified lines in pull request are covered.

❗ Current head 763ed22 differs from pull request most recent head 958601f. Consider uploading reports for the commit 958601f to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1678      +/-   ##
==========================================
+ Coverage   90.73%   91.17%   +0.44%     
==========================================
  Files          87       87              
  Lines       46713    49843    +3130     
  Branches    46713    49843    +3130     
==========================================
+ Hits        42383    45444    +3061     
- Misses       4330     4399      +69     

Impacted Files	Coverage Δ
lightning/src/util/events.rs	38.13% <ø> (ø)
lightning/src/ln/chanmon_update_fail_tests.rs	97.67% <96.96%> (-0.06%)	⬇️
lightning/src/ln/channel.rs	88.67% <97.22%> (+0.01%)	⬆️
lightning/src/ln/channelmanager.rs	85.18% <100.00%> (+0.02%)	⬆️
lightning-net-tokio/src/lib.rs	76.73% <0.00%> (-0.31%)	⬇️
lightning/src/ln/functional_tests.rs	96.93% <0.00%> (-0.12%)	⬇️
lightning/src/ln/monitor_tests.rs	99.44% <0.00%> (-0.12%)	⬇️
lightning/src/ln/msgs.rs	86.41% <0.00%> (+0.17%)	⬆️
lightning/src/routing/scoring.rs	96.34% <0.00%> (+0.20%)	⬆️
lightning/src/ln/chan_utils.rs	95.32% <0.00%> (+0.76%)	⬆️
... and 7 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[ariard]

More parse to be done to check accuracy of code and documentation. Nice the documentation effort towards users!

[ariard]

Good comment, you might even add "YOU WILL LOSS THE INTEGRALITY OF YOUR CHANNEL BALANCE" to make even clearer that punishment induce loss of the whole funds. It can be hard for an uninformed user to estimate the punishment scope at first sight.

[TheBlueMatt]

This is #1106, see discussion there. Ultimately the issue is the docs were rewritten there assuming we're sticking with the "make sure you always store the first monitor locally and update it always" model, but we really want to drop that model (which this PR is the first step towards), so we're gonna have to rewrite those docs again soon :(.

[ariard]

I think in the future a ChannelManager could still decide to force-close the channel by broadcasting the current commitment transaction if there is a non-related or recoverable disk failure . Let's say you have a chain::Watch implementation coordinating a set of monitor replica (as documented in our glossary). If one of this monitor's Persist implementation is affected by a disk-failure, the error will be reported to the coordinator. If the number of monitor replica affected by a permanent failure is above some security or safety threshold, the coordinator could inform the ChannelManager to force-close channels by prevention (e.g to avoid the in-flight HTLCs exposure to increase). It should be safe to do so, as the latest state available in the available monitor replica should be equivalent to the latest off-chain one.

Just to say, it's good to have that level of documentation at the interface-level, however it's only documenting one model of deployment. As we refine those interfaces to support more fancy types of deployment, I think it would be good to gather it elsewhere, more accessible.

[TheBlueMatt]

Yea, I don't think that necessarily belongs in the interface directly, though. Users who wish to use a fancier model can manually broadcast at that point. We should, of course, support this, and document it, but I'm not sure the code needs to change. In any case, I basically want to rewrite all the monitor stuff soon-ish, soooo

[ariard]

I think you might note the trade-off brought by UpdateInProgress, if you allow the channel manager to keep moving on its own without state being fully persisted you gain in latency at the HTLC relay-level. However, you're increasing your risks w.r.t to state replication. This trade-off might be acceptable for some routing hops node operators if in the future scoring algorithms starts to encompass latency.

[TheBlueMatt]

Yea, probably worth mentioning in general, not specific to just the async stuff.

[TheBlueMatt]

Rebased after we landed #1106. Now the real work begins :)

[wpaulino]

Would be nice to make a TestChannelManager type alias for this, we have this same type declaration in several places.

[TheBlueMatt]

Let's do it as a part of #1696?

[wpaulino]

Can we extract the ChannelManager reloading into a macro/function? This seems like something super useful to use across tests and would reduce a good bit of code.

[TheBlueMatt]

Yea, #1696. I'm not really excited about doing it here - this PR is a part of the bigger 0.1 series which is nontrivial and needs to keep moving.

[wpaulino]

Let's check that the counterparty also forgets the channel here and in the other test.

[TheBlueMatt]

It doesn't forget the channel, though. Or, at least, it only will if it connects and gets the error-unknown channel message. Is it worth adding a specific test for that here? (I did add a check-list_channels-is-empty check).

[wpaulino]

I guess it's not required for the sake of what we're testing, but we could either do that or connect blocks until the 2016 block deadline is reached.

[wpaulino]

LGTM, feel free to squash.

[TheBlueMatt]

Squashed without further changes from e06229a1 to 37e54584

[jkczyz]

Not sure I understand why 0-conf is relevant here. Is the first paragraph of the comment describing how we would get inside the enclosing if? (Would prefer that the comment precede the if if that is the case.) And the second paragraph describing the assertion in the if immediately below?

[TheBlueMatt]

Hmm, I tend to always include comments describing how we got into a scope in the scope itself, otherwise the flow is hard to read due to everything being at the same indentation. I rewrote the comment a bit to split up the "why we're here" and the "what we're asserting".

[jkczyz]

funding_created?

[TheBlueMatt]

was referring to the channelmanager method, clarified.

[jkczyz]

Can much of this be DRY'ed up with do_test_outbound_reload_without_init_mon if node[0] and node[1] were swapped? Seems like the diff between the two functions is mostly but not entirely index changes. Not sure if a combined function would be more or less readable with an is_outbound param.

[TheBlueMatt]

Hmm, so the first few hunks setting up the channel are the same, but then they diverge a good bit before doing a similar reload block. I guess we could DRY some of the initial stuff, but I'd really like to just DRY up all the reload stuff spewed across all our tests at once, see #1696. I'm not really sure its worth DRYing up the three or four hunks that are the same across the tests, either.

[wpaulino]

Ready to merge after squash @TheBlueMatt.

[TheBlueMatt]

Squashed without changes:

$ git diff-tree -U1 763ed22f 958601f1
$