routing: use correct fees by searching backwards

[joostjager]

The original findPath implementation can come up with a path that is rejected in newRoute because of "channel graph has insufficient capacity". The reason is that findPath calculates with the same amt all the way, while newRoute takes into account that amt needs to increase with every hop (looking from target back to source).

This change makes findPath use the correct fees and eliminates the possibility that newRoute returns the insufficient capacity error.

In this PR:

• Refactor of the path finding unit test to be able add more cases without code duplication (table driven).
• Unit test for invalid "channel graph has insufficient capacity" result
• Reworked search algorithm to already take into account increasing amounts that need to be send to next hops

[joostjager]

@Roasbeef This is work in progress. Can you do an early check and tell me what you think of the general idea?

[Roasbeef]

What's this meant to fix? As they say, if it ain't broken, don't fix it...

…

On Mon, Jun 4, 2018, 2:12 PM Joost Jager ***@***.***> wrote: @Roasbeef <https://github.com/Roasbeef> This is work in progress. Can you do a early check and tell me what you think? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1321 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA87LsfwLbUu6WF5rdkmkOul6iBJ4Dp5ks5t5aKzgaJpZM4UZybJ> .

[joostjager]

The original findPath implementation can come up with a path that is rejected in newRoute because of "channel graph has insufficient capacity". The reason is that findPath calculates with the same amt all the way, while newRoute takes into account that amt needs to increase with every hop (looking from target back to source).

This change make findPath use the correct fees and eliminates the possibility that newRoute returns the insufficient capacity error.

[Roasbeef]

Gotcha, can you update the PR description, and also the commit messages with this information? Thanks!

In the past this wasn't an issue as each instance kicked off a k-shortest paths routine, so the failing paths would be excluded with a continue. We'll want to first get in the PR which adds fee limits to the path finding routine (say you don't want to pay more than 2% or w/e), as that will affect this implementation.

[joostjager]

The fee limit PR as it is now will fail finding a route if the lowest weight route exceeds the max fee. There may be a possible route, but it isn't found because the time/fee weight balance doesn't favor that route.

When the fee limits are merged, I can update this PR to also take the fee limits into account already during findPath. This will lead to less failed route calculations, because the algorithm will continue exploring the graph for higher weight paths that do satisfy the fee limit (which means a higher total time lock).

[halseth]

@joostjager can you add a test case that exercise the failure scenario you are trying to fix? Will help understanding the fix :)

[joostjager]

Yes, I am working on that.

[joostjager]

Quite some changes were needed to add this unit test in a maintainable way. I think trying to work towards a single test graph where many scenarios can be tested is better than setting up different graphs for different test cases.

Also, better visualization of the test graph would be useful. Maybe replace the ascii art with a graphviz generation script.

I see more potential work in the routing area, but will leave the scope of this PR as it is now to keep it manageable. Waiting for #1113

[Roasbeef]

Also, better visualization of the test graph would be useful. Maybe replace the ascii art with a graphviz generation script.

The first graph there is just the most basic one, the other graphs themselves are a bit more complex, and agreed that having a rendering of them would make it easier to set up tests, however, it's also pretty straight forward to add additional vertexes/edges to the basic graph at runtime.

[joostjager]

Yes indeed, runtime modifications is another option. Only makes it slightly more difficult to reason about what is happening.

The graph jsons contain info that could also be generated runtime. Another idea would be to describe the graph with only the essential values. For example, only aliases and generate the pubkeys (deterministically) in memory when the test runs. It makes the graph description short and can probably be described in go code instead of a separate json. Then, for a special test case like the one described in this issue, it is not much effort to bring up a custom graph.

This contradicts my comment above about working towards a single graph. It depends on the amount of effort required.

[joostjager]

Implemented alternative way to describe graph in #1358

[halseth]

This is an excellent observation! We might not see this routing failures that often, as long as fees are small compared to payment amounts, but totally agree that this is the way we should find paths correctly.

My main concern atm is that the path finding procedure does read a bit convoluted after these changes. Since we are shoehorning the target->source search into the existing block of code, variable names, map indexes, method names, comments and the steps taken now looks a bit off and is hard to follow. Instead we should try to do a bigger rewrite, where it is turned into a proper target->source search, where running amounts are kept as "distances". I don't think the changes should be that large.

You also mentioned that edge weights are a bit off since we are rounding to sat some places instead of using msat. I think it would be worthwhile to fix this, and make sure we are using msat everywhere. How big of a change would this be?

[halseth]

I don't get this to add up, maybe I'm missing something.

For a payment of 100,000,000 msat, the expected fees should be:
sophon->elst: 200 msat + 100,000,000 msat * 0/1,000,000 msat = 200 msat
pham->sophon: 10,000 msat + 100,000,200 msat * 1,000,000/1,000,000 msat = 100,010,200 msat

We must send paymentAmt+fees = 100,000,000 msat + 200 msat + 100,010,200 msat = 200,010,400 msat. This should not be able to go through the 120,000,000 msat channel?

[joostjager]

Great catch! This is indeed not correct. I hope that conversion to table-driven made this easier to spot. And I think it actually uncovers two existing bugs in newRoute on master:

• Fee calculation for a hop does not include the fee that needs to be paid to the next hop
• The incoming channel capacity "sanity" check does not include the fee to be paid to the current hop

I also made the expected total amount for a route explicit in the test table. Need to be careful with calculating expected values in unit tests, to prevent duplication of the same (incorrect logic). In this case, the calculation of the expected value was ok, but still.

See c21c980 for fixes.

[joostjager]

With regards to you other comments:

• Naming and structure: Now that we are on the same page about the general idea of this PR, I will start that kind of finishing work.

  One problem that I encountered in making this as simple as possible, is that ChannelEdgePolicy does not contain the "from" node. Therefore I needed to create a reverse lookup table and pass an extra argument to processNode. Do you think it would be good to add this property to ChannelEdgePolicy? Or, because it is currently specific to the backwards search (I think), deal with it in findPath and accept the extra complexity?

• I will look at msat vs sat. But channel capacities are an on-chain thing expressed in whole satoshis and I think it is good to keep that explicit by using btcutil.amount. Where did I say that edge weights are a bit off because of rounding? I know that the channel capacity check was not correct because of rounding, but don't think it affects the weights. Edge weights (on master) are indeed a bit off, but for another reason. And that is again that there is no running amount and fees (and therefore weights) are only based on payment amount.

[joostjager]

@halseth This test on master fails. newRoute on master returns 102000 for total amount.

[halseth]

Good catch! Does it make sense to add this test + fix to a separate PR?

[joostjager]

Good idea. The fee limit changes are dependent on the previous (backward search) work, but this one is independent.

[halseth]

I'm really starting to like these changes! 😀

Table driven tests removes a lot of code duplication, and makes it easier to spot errors in the tests. 👏

Most of my comments are about code cleanup and style to make the routing algorithm easier to follow.

[halseth]

Awesome refactor! 💯

[Roasbeef]

👍

[halseth]

nit: period at end of sentences.

[joostjager]

Fixed

[halseth]

nit: add a newline between test cases.

[joostjager]

Fixed

[halseth]

nit: you forgot to add "▼" to the new channels 😛

[joostjager]

Fixed

[halseth]

hm, something weird about the formatting here?

[joostjager]

Fixed

[halseth]

Add a comment explaining this calculation :)

[joostjager]

Comment added.

[halseth]

we must still make sure the source is added to the map with dist infinity

[joostjager]

The source node is already added in the graph.ForEachNode loop further up. The reason it was explictly added here previously, was to set (overwrite) the distance to 0. But because of backwards searching, this is no longer necessary.

[halseth]

Hmm, we are then assuming that the source node will always be returned from graph.ForEachNode. That's a reasonable assumption to make, but I think it won't hurt to also handle the case where it's not.

Maybe that's fine anyway, because we will just finish our path finding, and then discover no path was found to the source node? Or do we depend on it being in the map?

[joostjager]

It is always returned. If you look at

lnd/channeldb/graph.go

Line 276 in b5a2288

node, err := fetchLightningNode(nodes, selfPub)

it can be seen that even channeldb itself relies on the source pubkey being present in the node bucket.

If these semantics would change at some point, path finding would never find a path anymore. So the bug that would be created, will quickly surface.

I'd prefer not to add a check anyway, because it can only elicit questions from developer about the reason there might be for this to happen.

Comment added.

[halseth]

Reasonable, agreed!

[halseth]

can be written outEdge, inEdge *channeldb.ChannelEdgePolicy

[joostjager]

Fixed

[halseth]

nit: This comment should not mention the hop limit, as that is first checked below.

[joostjager]

Fixed. Probably something that was moved earlier.

[halseth]

the newRoute changes should be removed, since they were separated into a new PR.

[joostjager]

This PR is based upon the other PR, because I need the TestNewRoute function. Those changes are shown here to because the base of this PR is master. But really, all commits in this PR are stacked on top of the newRoute bugfix. Please let me know how to do this better.

[halseth]

👍

[halseth]

This is getting reallly close now, most comments about style, and removal of the (now) unnecessary DB migration.

Very excited to get this in!

[halseth]

Looking at where it is used, I think it should only need to know whether there's a channel or not between the nodes, not if the policy is known or not.

So in this case, we could extract both pubkeys from the ei, and compare them to the current dbNode to figure out the key of the peer.

[halseth]

To separate long lines like this, the first thing would be

err := putCha...
if err != nil {
    return err 
}

[halseth]

👍

[halseth]

Excellent! 😀

[halseth]

👍

[halseth]

Could add to the method description here that we search backwards now, and why 😄

[joostjager]

Added

[halseth]

Yeah, we probably shouldn't change ChannelEdgePolicy, as it directly maps to the wire messages being sent on the network. I'm fine with keeping this as is now, as I agree that this could be considered an implementation detail the caller shouldn't need to worry about.

[halseth]

This could be checked earlier in processEdge?

[joostjager]

Moved up

[halseth]

same, could check earlier for an early return.

[joostjager]

Moved up

[halseth]

Looks good now!

[joostjager]

Ok, semantics change compared to master, but I think it is better like this. As you say, policies are not required for the auto pilot.

But the change become bigger than I liked, because of the lookup of LightningNode which was previously done inside LightningNode.ForEachChannel. Needed to gain access to db somehow.

I kept the changes apart in commit d258efe. Maybe there is a cleaner way?

[halseth]

Hm, yeah this might not even work, since calling FetchLightningNode inside an already open DB transaction might cause problems.

I don't see an immediate way of achieving what we want without doing more changes to the database to make it possible to fetch the node without the edge policy. I'm okay with keeping your original implementation (skipping a nil-policy) with an added TODO saying that we ideally should support the case where the policy is nil.

[joostjager]

Ok, pulling out that commit.

[joostjager]

@halseth I think we have resolved all points now.

[halseth]

👍

[halseth]

For some reason I thought edgePolicies were stored in a bucket in addition to this. So I can understand why we were talking about different things now.. 😛 The final solution you came up with looks good to me though 😄

[joostjager]

Ah, that explains it 😄

[halseth]

Would be even safer to check !bytes.Equals(edgeBytes, unknownPolicy) (unknown policy wouldn't be required to be empty slice), where unknownPolicy is a constant defined as the empty slice.

[halseth]

again, compare agains unknownPolicy constant.

[halseth]

When this is addressed this PR can be squashed and rebased, and I think it should be good 👍

[halseth]

In case of other error we must return it such that the migration can be aborted.

[joostjager]

Good one, fixed.

[halseth]

I think we can safely return nil if the buckets are not found? We are probably then trying to migrate an empty DB.

[joostjager]

Yes, indeed.

[halseth]

error must be handled here also.

[joostjager]

Good point, added.

[joostjager]

unknownPolicy constant restored as empty slice and rebased.

[joostjager]

Rebased after gofmt commits on master

[joostjager]

Amended all commits with gofmt

[halseth]

This change looks mostly LGTM now, awesome work! Should get review from someone else before merge, however.

[halseth]

split over two lines

[halseth]

I know I suggested earlier to do it this way, but I didn't anticipate we would need these switch statements 😛

Could we instead do:

chanID := nodeEdge[33:]
edgeInfo, err := fetchChanEdgeInfo(edgeIndex, chanID)
    if err != nil {
        return err
    }

toEdgePolicy, err := fetchChanEdgePolicy(
    edges, chanID, nodeNub, nodes,
)
...

otherNode, err := edgeInfo.OtherNodeKeyBytes(nodePub)
if err != nil {
    return err
}

toEdgePolicy, err := fetchChanEdgePolicy(
    edges, chanID, otherNode, nodes,
)

(or just deserialize the toEdgePolicy directly if first checked if not unknownPolicy, as you suggested initially)

[joostjager]

Yes, this is better indeed than the ugly switches. Glad to hear to my initial creation was not so bad 😉 but I agree with you that readability and not duplicating code is important too.

[halseth]

nit: both lines a bit long

[joostjager]

Review comments addressed

[Roasbeef]

Excellent work! This PR includes quite a few nice clean ups w.r. to the testing code, and fixes a few legacy bugs related to incorrectly applying the fee limit during path finding.

The PR looks mostly good to me, however I noticed that in one area, it'll create a DB transaction inside of an existing one. Instead, it should carry over the same transaction as in the past, this has lead to deadlocks, and also creating a new transaction is an expensive activity. This is my only major comment in this PR.

I'll also move to start running this on a few nodes doing path finding, just to see if anything weird pops up.

[Roasbeef]

Forgetting to check the error here.

[Roasbeef]

We already have the edge info here, it's the value of the cursor seek, why fetch it again? Not blocking, more of a nit that code seems to have been unnecessarily changed.

[joostjager]

Initially it was unchanged. I modified it after discussion with @halseth for readability (over performance), see comments above.

[Roasbeef]

👍

[Roasbeef]

👍

[Roasbeef]

Ignoring the error here and above.

[Roasbeef]

Well, it's just a dumb value to set, as it more or less guarantees that the node won't be able to properly handle a timed out HTLC, and will likely lose money.

[Roasbeef]

Yay, no more reversal!

[Roasbeef]

This looks a bit dangerous and could possibly lead to a deadlock: we're creating a new DB transaction inside of an existing db transaction.

[Roasbeef]

bolt allow concurrent readers, but I'm weary of making additional transactions inside of callbacks like this. We started to expose the transaction object in these methods to safely allow nested calls without creating new database transactions. We could possibly add methods onto the EdgeInfo struct, which accepts the existing transaction (or if nil creates a new one), in order to allow the caller to fetch the full LightningNode struct without creating a new database transaction.

[Roasbeef]

Actually, I'll merge this as is, and then add a follow up commit to avoid the double DB transaction issue. Thanks for bearing with us through this review process! The final PR really turned out well!

[Roasbeef]

Committed as 29b6bae!

[joostjager]

I am happy that this one has been merged now. Will work on the follow-up.

[joostjager]

Ah, I see you fixed the open issues yourselves. I was thinking of adding a tx parameter to FetchLightningNode, but this works too of course.