htlcswitch: fix empty commit sig and no commit sig

[joostjager]

Builds on top of #3564.

This PR fixes two known bugs in the commitment tx update sequence:

• Sending an commit sig message that didn't sign any new updates ("empty commit sig")
• Not sending a commit sig message when it is expected.

In addition to that, several simplifications are carried through where values were tracked in the link that can also be obtained from the channel.

[halseth]

For reference: #1927

[joostjager]

@halseth's repro of empty commitSig: #3012

[cfromknecht]

merge with prior commit? should we also use this in l.debugf(), l.errorf(), etc? atm i think some use chan point and others use short channel id, would be nice if we were consistent

[joostjager]

Hehe. Ok, I know that I sometimes comment on commit structure in PRs and suggest some of them to be merged. This is particular the case for structs that are introduced in a separate commit but it is hard to review the code without any further context. In this case the prefix logger is an object that doesn't need much context to review (although this is a sliding scale) and therefore I made it a separate commit.

[joostjager]

Added commits to also make the link logging consistent. Open question is what we think is the best prefix to use for link and channel? uint64, shortchan, chanpoint?

[cfromknecht]

code looks duplicated from earlier commit, perhaps make internal helper

[joostjager]

But it isn't duplicated. Here we check if we owe a signature, while in ReceiveNewCommitment, we check whether the remote party owed anything.

[halseth]

Awesome change, making the channel state machine more deterministic and easy to reason about! LGTM 💯

[cfromknecht]

Great work! Indeed this simplifies state machine and reduces the chance of bugs due to local state, e.g. needsUpdate 🍾

[joostjager]

PR is approved, but need to do interop testing with CL and Eclair

[joostjager]

Testing interop between CL 0.7.2 and this branch 5080a030968e783eb3e133ba5a3aa6c868169c95. Setup: connect CL and LND nodes with a channel. Then pay invoices both ways concurrently. Used script:

#!/bin/bash

while true
do
        LNCLI="$HOME/lightninglabs/lnd/lncli-debug --network=regtest"

        ID1=`od -vAn -N4 -tu4 < /dev/urandom`
        ID2=`od -vAn -N4 -tu4 < /dev/urandom`

        BOLT1=`lightning-cli invoice 10000 $ID1 x | jq -r .bolt11`
        BOLT2=`$LNCLI addinvoice 10 | jq -r .pay_req`

        $LNCLI --network=regtest payinvoice -f $BOLT1
        lightning-cli pay $BOLT2
done

I ran four instances of the script in parallel. No anomalies observed and channel remained functional.

[joostjager]

Same test for Eclair 0.3.2-5ad3944, no problems observed.

#!/bin/bash

while true
do
        LNCLI="$HOME/lightninglabs/lnd/lncli-debug --network=regtest"
        ECLAIRCLI="$HOME/Downloads/eclair-cli.sh -a localhost:8081 -p foobar"
        ID1=`od -vAn -N4 -tu4 < /dev/urandom`
        ID2=`od -vAn -N4 -tu4 < /dev/urandom`

        BOLT1=`$ECLAIRCLI createinvoice --amountMsat=10000 --description="test" | jq -r .serialized`
        BOLT2=`$LNCLI addinvoice 10 | jq -r .pay_req`

        $LNCLI --network=regtest payinvoice -f $BOLT1
        $ECLAIRCLI payinvoice --invoice=$BOLT2
done

[joostjager]

Finally interop with lnd 0.8. Works too.

[joostjager]

Moved PR back into the board's approved column. Ready for a final check

[joostjager]

Rebased

[Roasbeef]

Solid set of changes, no major comments on initial pass. I've let a comment on a older related PR, to see how we can reconcile the two of them. Only material comment is a shift to avoid grabbing the channel state machine's mutex twice when we receive a new commitment.

[Roasbeef]

Perhaps we should instead obtain the mutex once within ReceiveNewCommitment, then either make this a private method, or update the godoc to note that it expects the mutex to already be held?

[joostjager]

It is also called without a lock from ChannelLink. I now created a private no-lock version and a public method that wraps it in a lock.

I am wondering whether our channel manipulations are always safe though. Something like this for example:

if lc.OweCommitment(true) {
			commitSig, htlcSigs, _, err := lc.SignNextCommitment()

I think the channel isn't modified concurrently, but why it the lock there then? Is it a safety precaution? Or for reading channel state in another subsystem?

[Roasbeef]

The lock was mostly a safety precaution when the struct was first created just to ensure things were goroutine safe, so all other code added afterwards followed that trend. In the past there were also instances of grabbing live state machines from the peer, and using that to populate RPC information.

[Roasbeef]

Ah, I see how this is used here now. Updating my prior comment, we can make a private version of this method that assumes the lock is already held, then call that when accepting a new commitment.

[Roasbeef]

Nice, this should also lower idle CPU usage for routing nodes with tons of channels.

[joostjager]

Test from #3012 added to this PR. It needed a bit of modification, but the idea of the scenario is the same.

For review, this is the delta with the previous revision of this pr:
https://github.com/joostjager/lnd/compare/hodl-drop-fix-better-ref..joostjager:hodl-drop-fix-better

[Roasbeef]

LGTM 🎷