Payment Retries

[jkczyz]

When a payment fails, it's useful to retry the payment once the network graph and channel scores are updated. InvoicePayer is a utility for making payments which caches the payment Invoice so that it can be used when retrying the payment. It is parameterized by a Payer and Router for ease of customization and testing.

PaymentRetryHandler is used in connection with InvoicePayer. It is an EventHandler decorator that intercepts PaymentFailed events and retries that payment using the cached Invoice.

[codecov]

Codecov Report

Merging #1059 (0386410) into main (2ed1ba6) will increase coverage by 0.18%.
The diff coverage is 91.54%.

❗ Current head 0386410 differs from pull request most recent head 010436d. Consider uploading reports for the commit 010436d to get more accurate results

@@            Coverage Diff             @@
##             main    #1059      +/-   ##
==========================================
+ Coverage   90.47%   90.66%   +0.18%     
==========================================
  Files          68       67       -1     
  Lines       35273    35261      -12     
==========================================
+ Hits        31914    31969      +55     
+ Misses       3359     3292      -67     

Impacted Files	Coverage Δ
lightning/src/util/events.rs	31.98% <12.50%> (-1.36%)	⬇️
lightning-invoice/src/utils.rs	72.64% <16.66%> (-11.45%)	⬇️
lightning-invoice/src/payment.rs	95.11% <95.11%> (ø)
lightning-invoice/src/lib.rs	88.59% <96.15%> (+0.48%)	⬆️
lightning-background-processor/src/lib.rs	94.52% <100.00%> (+0.28%)	⬆️
lightning/src/ln/channelmanager.rs	84.87% <100.00%> (+0.91%)	⬆️
lightning/src/ln/functional_tests.rs	97.44% <100.00%> (+0.07%)	⬆️
lightning/src/ln/onion_route_tests.rs	96.64% <100.00%> (+0.04%)	⬆️
lightning/src/routing/network_graph.rs	91.29% <100.00%> (ø)
lightning/src/util/logger.rs	83.14% <100.00%> (+1.00%)	⬆️
... and 32 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2ed1ba6...010436d. Read the comment docs.

[jkczyz]

It occurs to me that it would be better to separate the construction of InvoicePayer and PaymentRetryHandler, as it wouldn't require using an Arc while still allowing it.

[TheBlueMatt]

Nice, simple, clean API. I like it.

[TheBlueMatt]

I'm not sure I fully understand why this is separate from the Payer - can't we/shouldn't we just implement EventHandler on the Payer?

[jkczyz]

Separate from InvoicePayer, right? Payer is the trait parameter.

As of now, the ownership model is such that any decorating EventHandler (or BackgroundProcessor for that matter) would take ownership of this, which means InvoicePayer could then only be used as an event handler and no longer for initiating payments. For instance, we'll need to decorate this with NetworkUpdateHandler so that updates are applied before retries.

I suppose we could implement EventHandler for T: Deref<Target = InvoicePayer<...>> and users could use an Arc<InvoicePayer<...>> (haven't actually tried this). But it seems cleaner to separate paying from the retry behavior, which also lends to intuitive naming.

[TheBlueMatt]

Separate from InvoicePayer, right? Payer is the trait parameter.

Err, yes.

I suppose we could implement EventHandler for T: Deref<Target = InvoicePayer<...>> and users could use an Arc<InvoicePayer<...>> (haven't actually tried this)

Yes, along this line is what I was suggesting.

But it seems cleaner to separate paying from the retry behavior, which also lends to intuitive naming.

Hmm, I guess I don't see it, like, I have a thing that handles payment, I don't care about how it handles payment, or the fact that there's retries going on, I just want it to handle payment. Sure, I may need to wire it up, but having multiple things to wire up to get a payment to fire just seems like extra wires when its not adding flexibility for the user.

[jkczyz]

But it seems cleaner to separate paying from the retry behavior, which also lends to intuitive naming.

Hmm, I guess I don't see it, like, I have a thing that handles payment, I don't care about how it handles payment, or the fact that there's retries going on, I just want it to handle payment. Sure, I may need to wire it up, but having multiple things to wire up to get a payment to fire just seems like extra wires when its not adding flexibility for the user.

I see your point, though my remaining qualm is that you must pass it an EventHandler that way, whereas you have the option of not doing so otherwise. Further, you do need to know that it is handling retries since that dictates how you compose different event handlers (e.g., decorating it with NetworkUpdateHandler and not the other way around). So maybe it's better to be explicit about it?

[TheBlueMatt]

I see your point, though my remaining qualm is that you must pass it an EventHandler that way, whereas you have the option of not doing so otherwise.

I mean my usual reply applies - do users ever have a reasonable use case where they'd want to ignore most events?

Further, you do need to know that it is handling retries since that dictates how you compose different event handlers (e.g., decorating it with NetworkUpdateHandler and not the other way around). So maybe it's better to be explicit about it?

I'm not entirely convinced that it's clear in the current api that you have to hook these things up in a given order, whether it says retry or not. I wonder if we should make it more clear? Maybe have this object pass the update to the network graph itself?

[TheBlueMatt]

Can we actually #[doc(hidden)] this and all the other macros in this file that really shoulnd't be used by downstream crates but only LDK crates?

[jkczyz]

I could see log_internal needing that. But which other ones? Presumably users may want to log within their trait implementations, possibly using log_bytes, too.

[TheBlueMatt]

Hmm, I guess I was mostly figuring the logging stuff is a one-way street - the lightning crates log stuff, and users consume it and put it somewhere. I suppose there's no real reason to require that, though, so, ok, fair enough. Please do add it to the internal one, though.

[TheBlueMatt]

Should we somehow check that the route used on a retry is different from the original? I could see users using this API and just hooking it up to a remote route-getter which doesn't care about our failed payments.

[jkczyz]

I was hoping that for simplicity this could be route-agnostic. Any changes to the network or scoring could affect the route calculation, so we should let those modules (e.g., higher-level event handlers) take care of making adjustments for the next time a route is fetched, if necessary, even if it means the same route is tried.

[TheBlueMatt]

Right, I guess it doesn't matter a ton, just feels like this may be a common thing for users to do, and we'd retry the same route four times and then fail 10 seconds later when we could have told the user that we failed right away. Maybe we should expose the retry count instead to make it explicit for users?

[jkczyz]

Right, I guess it doesn't matter a ton, just feels like this may be a common thing for users to do, and we'd retry the same route four times and then fail 10 seconds later when we could have told the user that we failed right away.

Well, three times... first attempt counts as one. :)

Curious about the remote route-getter use case. If it typically will return the same route, it seems retries would not be valuable, which is an argument for keeping InvoicePayer and PaymentRetryHandle separate.

Maybe we should expose the retry count instead to make it explicit for users?

On the other hand, that would be a good argument for merging InvoicePayer and PaymentRetryHandle given the number of attempts is stored on the latter.

[TheBlueMatt]

Curious about the remote route-getter use case. If it typically will return the same route, it seems retries would not be valuable, which is an argument for keeping InvoicePayer and PaymentRetryHandle separate.

Hmm, true. I guess you wouldn't generally use the invoice utilities in this case? I wonder if we merge the two and make the NetworkGraph an optional part if we can then just do retries if we have one?

[jkczyz]

Hmm... may work, though now we start to affect the Router interface as it still needs a NetworkGraph for the first attempt. We could make it an Option in find_route. Alternatively, we could remove it entirely, so DefaultRouter would just hold its own NetworkGraph reference.

If we go with the latter option, then we could parameterize InvoicePayer with the number of attempts instead of using a constant, which would make the retry behavior explicit during its construction. This would of course require merging the two structs. How does that sound?

[TheBlueMatt]

Alternatively, we could remove it entirely, so DefaultRouter would just hold its own NetworkGraph reference.
If we go with the latter option, then we could parameterize InvoicePayer with the number of attempts instead of using a constant, which would make the retry behavior explicit during its construction. This would of course require merging the two structs. How does that sound?

I think I'm a fan of this, yea, it reduces extra wires to hook up, better captures the set of likely user use-cases and Does The Right Thing, or at least makes the right thing more obvious, in common cases.

[TheBlueMatt]

Needs rebase now 🎉.

[TheBlueMatt]

One question, but I like this API. Note that I don't think this can go in a release without #1053, so should either land after that, or at least in the same release.

[TheBlueMatt]

nit: it seems somewhat duplicative to get the entry above and then remove it here. You could just store the entry and remove the entry here, doing the and_modify.or_insert in the retry condition before the return.

[jkczyz]

We need the number of attempts using and_modify and or_insert for the comparison, which consumes the entry. But if no retry is needed we, couldn't then remove the entry directly since it has been consumed.

Probably could just do and_modify then match to determine whether or not there's a value, but that doesn't seem as clean.

[TheBlueMatt]

Its not quite as clean, but it does feel incredibly wasteful to hash into the hashmap twice for the same element 5 lines apart :/

--- a/lightning-invoice/src/payment.rs
+++ b/lightning-invoice/src/payment.rs
@@ -202,11 +202,13 @@ where
                                let mut attempts_by_payment_hash = self.payment_attempts.lock().unwrap();
-                               let attempts = attempts_by_payment_hash
-                                       .entry(*payment_hash)
-                                       .and_modify(|attempts| *attempts += 1)
-                                       .or_insert(1);
+                               let attempts_entry = attempts_by_payment_hash
+                                       .entry(*payment_hash);
+                               let attempts = if let hash_map::Entry::Occupied(e) = &attempts_entry { e.get() + 1 } else { 1 };
                                if !rejected_by_dest {
                                        let max_payment_attempts = self.retry_attempts + 1;
-                                       if *attempts < max_payment_attempts {
+                                       if attempts < max_payment_attempts {
                                                if self.pay_cached_invoice(payment_hash).is_ok() {
                                                        log_trace!(self.logger, "Payment {} failed; retrying (attempts: {})", log_bytes!(payment_hash.0), attempts);
+                                                       attempts_entry
+                                                       .and_modify(|attempts| *attempts += 1)
+                                                       .or_insert(1);
                                                        return;
@@ -224,3 +226,2 @@ where
                                self.remove_cached_invoice(payment_hash);
-                               attempts_by_payment_hash.remove(payment_hash);
                        },

[jkczyz]

Yeah, you still need to remove the entry later, but that does work. However, there's still an additional look-up when remove_cached_invoice is called. Given no tests failed when the attempts entry was not removed -- and that when called independently remove_cached_invoice won't remove the attempts entry -- it probably makes sense to combine these two hash maps to ensure consistency. Along with your improvement, that takes us to one look-up instead of three.

[jkczyz]

Once #1084 is merged, I can rebase and fix the failing checks.

[TheBlueMatt]

Can be rebased now :)

[TheBlueMatt]

Note we should consider the invoice expiry when/before retrying.

[arik-so]

I feel like the log could be a bit confusing here, because instead of a payment failed error, you immediately get an error retrying payment error.

[jkczyz]

Yeah, let me know if you have a suggestion for rewording.

[jkczyz]

Right, feels like we'll need to rewrite a good chunk of InvoicePayer to be stateless, might as well do it here instead of landing a bunch of code then replacing it tomorrow.

Ok, this is now using the parameters from PaymentPathFailed, so the only state is payment_cache for retry attempts. It's currently keyed by payment_hash, but I could change this to payment_id. I don't recall if we had a reason to prefer one over the other.

Otherwise, the main changes are:

• Unified the get_route interface into a single find_route function so that Router only needs one method
• Stored invoice expiry data in Payee since the Invoice is no longer cached
• Removed commit adding a proof-of-concept test to BackgroundProcessor

[TheBlueMatt]

Hmm, can we just write out a u64 instead? It feels a bit funky serializing a duration and losing a bunch of precision as a general thing?

[jkczyz]

Removed as per other discussion. Could also keep Duration and serialized as u128 nanoseconds. That said, for our use case, BOLT 11 defines the expiry time in seconds, so no need for more precision.

[TheBlueMatt]

What is a "user-defined epoch"? How is this expected to work with InvoicePayer - doesn't it always check against 1970? Can we just make this seconds-since-1970 and a u64?

[jkczyz]

The thought was to let the user set this relative to whatever they wanted because ultimately they would be setting it and interpreting it. So even if we say it's seconds since the UNIX epoch, there's really nothing enforcing that.

Anyhow, updated to u64 as discussed offline.

[TheBlueMatt]

We need to auto-insert here (and maybe a test for retry on reload, but I'm happy to add that as a followup for you).

[jkczyz]

Updated to handle this and added a unit test.

[valentinewallace]

Hmm, I just noticed that documentation for payment_id seems to be missing from ChannelMannager::send_payment. It would be nice to (a) document that the id should be stored for a retry, and (b) that it's needed because technically PaymentHashs can be non-unique.

[jkczyz]

Leaving unresolved pending discussions around changes to send_payment.

[valentinewallace]

I think it'd be a little nicer public API-wise if payment_id were a non-Option, and set to 0 if serialized before 0.0.104 (or wtv). Similar for the next commit.

[TheBlueMatt]

Maybe we leave it an Option for now and then just do a hard-break on our serialization backwards compat in like 2-3 versions?

[valentinewallace]

Fine by me! 🙂

[jkczyz]

Ah, maybe that is why we decided to key by payment_hash for now? I guess we could just not retry if PaymentId is None, though.

[valentinewallace]

Hmm, I think I'd feel better about this if we had a plan for this, it does seem like a lot of rewrites would have to happen to add spontaneous support (and feels odd to merge code that'll be definitely rewritten)? From Slack chats, it looks like the relevant user has implemented their own retries for now

[TheBlueMatt]

Need to properly interpret PaymentSendFailure errors but otherwise looking good, I think.

[TheBlueMatt]

This needs to figure out what's up - if we get a PaymentSendFailure::ParameterError or PaymentSendFailure::PathParameterError then we can return an error here, I think. AllFailedRetrySafe we should retry the requisite numbers right here, PartialFailure we should insert and retry the relevant paths.

[jkczyz]

Discussed offline. This may require a bit more work since we lose the PaymentId if send_payment returns an error. Ideally, we'd get back the proper RouteParameters for retry.

[TheBlueMatt]

This does not always imply failure to send at all - see PaymentSendFailure and the notes at PaymentSendFailure::PartialFailure about when retry is safe.

[jkczyz]

For these cases (both returned by send_payment and retry_payment), I take it we must retry here as there won't be a PaymentPathFailed event. Though one idea would be to generate them. It would make the retry attempt logic cleaner at very least.

[TheBlueMatt]

ACK with #1141. Happy to land this as-is, but #1141 will have to be included in the same release.

[TheBlueMatt]

Diff from previous ACKs is trivial test changes, taking:

$ git diff-tree -U3 2042241f8885c0a17740b3867db4364be9fff29d 010436d07
diff --git a/lightning-invoice/src/payment.rs b/lightning-invoice/src/payment.rs
index f51a4e580..7e931d66f 100644
--- a/lightning-invoice/src/payment.rs
+++ b/lightning-invoice/src/payment.rs
@@ -921,9 +921,9 @@ mod tests {
 
 		fn fails_on_attempt(self, attempt: usize) -> Self {
 			Self {
+				expectations: core::cell::RefCell::new(self.expectations.borrow().clone()),
 				attempts: core::cell::RefCell::new(0),
 				failing_on_attempt: Some(attempt),
-				..self
 			}
 		}
 
@@ -946,6 +946,18 @@ mod tests {
 		}
 	}
 
+	impl Drop for TestPayer {
+		fn drop(&mut self) {
+			if std::thread::panicking() {
+				return;
+			}
+
+			if !self.expectations.borrow().is_empty() {
+				panic!("Unsatisfied payment expectations: {:?}", self.expectations.borrow());
+			}
+		}
+	}
+
 	impl Payer for TestPayer {
 		fn node_id(&self) -> PublicKey {
 			let secp_ctx = Secp256k1::new();
$