sweep: create sweeper

[joostjager]

This PR moves the sweeper logic from utxonursery into a separate sweeper struct.

A follow up PR is #2000, which will let resolvers use the sweeper directly instead of going through nursery. The end goal is to remove nursery completely.

In this PR, there is no db migration to clean up now unused nursery store data. This allows us to keep the downgrade path open for a while.

[halseth]

2. What happens when the publish returns an error? It could be a non-recoverable error that has something to do with one of the inputs (wrong script, sign, ..). Or it could be a double spend because one or more of the inputs have been spent by the remote party or by our own sweep tx (that was published before restart). I think there are not many options then retry the next block?

We can be smarter about handling these errors. If the error is non-recoverable, then publishing in the next block won't really help (also can potentially get us banned by peers if we keep sending them invalid transactions). In that case we should return the error and exit IMO to surface the bug.

For double spends we can detect which input was already spent, remove it from the sweep, and retry. I think this is what is implicitly done already (since an input will be removed from the set after spend is detected), but I think it would help to make it more clear. We do something similar in the breacharbiter.

3. What happens when the tx never confirms (for example fee too low)? If we keep waiting, it will block sweeping any other input forever. At some point we need to give up and go back to 1. But will we forget about the lost inputs then and loose the money? Or retry them? In that case, we'll get a double spend with our own stuck tx and sweeping will again be blocked forever.

It should be handled, but my suggestion is to reduce the scope of this PR to not include it. This is an existing problem.

It will fail, but after that sweep tx confirms, and allsets doesn't contain those inputs anymore, it will succeed.

Yes, I think this is actually my suggestion. Maybe we are actually talking about the same solution here, the behavior is just not obvious. See comment above.

I don't see how the PR can be reduced in size significantly by simplifying the retry mechanism. I only see about 20 lines dealing with the retry logic. And a form of retry is needed in any case (items above).

I don't think retry logic is strictly needed, and can be added in a follow-up PR.

[joostjager]

@Roasbeef your comments have been processed.

[joostjager]

Discussed simplification with @halseth. We could take out the reschedule logic and just try to sweep once every block. Start the batch timer at the beginning of every block and if it expires, try to sweep.

The downside of this is that a transaction that is stuck because of low fees will keep blocking all subsequent sweep txes if the backend doesn't support RBF. (This is something that would be solved in a probabilistic way by the randomized exponential back off.) It is also a regression from nursery, because nursery does skip over stuck txes because they are organized per height.

If we'd decide to go this path, the follow up pr with exponential backoff should probably go in before release.

@Roasbeef your input please

[joostjager]

Added one commit that handles errors in a strict way, not to camouflage potential bugs.

[halseth]

This is starting to look pretty good to me :)

[halseth]

Can be moved to immediately before the loop, I guess. Rationale being that we might encounter an error before ever using the result of this calculation :)

[halseth]

since this is only used for calculating the dust limit(?), can we instead store the dust limit directly here?

[joostjager]

I wanted to have the dust limit calculation inside txgenerator to logically group the functionality together. generateInputPartitionings takes two fees and uses that as the basis to calculate the partitionings.

[halseth]

If this happens, feels like the whole sweeper should exit.

[joostjager]

What do you mean with exit? The only thing that is running is the sweeper main event loop and that one is exited.

[halseth]

Do you have an estimate how many blocks from sending the input to the sweeper until this condition is met, on average? (if it never successfully confirms)

[joostjager]

I think ((1 << 10) - 1) / 2 😄 so about 500 blocks.

[halseth]

is this not critical at this point?

[joostjager]

It is a pre-existing bug that I wanted to mark with a TODO.

[halseth]

warn?

[joostjager]

I think this is still happy flow, therefore Info.

[Roasbeef]

Why not just read the buckets directly? The migration logic would be more precise that way and less risk of accidentally reaching into the wrong bucket, if a future key/bucket in the codebase starts with the prefix.

[Roasbeef]

Made a commit with some additional logs that should likely be cherry picked in:

c2e4fb2

e8e9b52

Here's the branch itself as I'm modifying commits as I test: https://github.com/Roasbeef/lnd/pull/new/sweeper-debug

[Roasbeef]

With the patch above, I ran on a very old node with an ancient nursery and saw no transactions migrated:

./lnd.log.18:2018-12-16 20:06:20.012 [INF] SWPR: Migrating UTXO nursery finalized TXIDs

[joostjager]

• Commits cherry-picked except for wraps at 79 (instead of 80) chars.
• Sweeper store bucket scan replaced by exact bucket retrieval.
• Commit added to soften error handling again. Both error handling commits to be squashed when we are really certain that we want it like this.

[joostjager]

Tested nursery tx migration again. Seems to work on my machine.

[Roasbeef]

🎉 LGTM 🎉

Ready to merge on my end once the final two commits squashed.

[joostjager]

• Added one more commit: lnwallet: prevent static fee estimator fees from being modified
• Squashed error handling commits
• Fixed unit test flake

[cfromknecht]

Awesome work @joostjager, excited to finally have this in and help people sweep their stuck outputs! Very happy with the final iteration and the huge reduction in complexity over the nursery, LGTM 🎉

[Roasbeef]

LGTM 🔮