contractcourt: stop lnd when received witness is empty

[yyforyongyu]

This is the first commit from #7615. Making a PR for it so affected users can apply the patch first.

This commit adds a length check in isPreimageSpend to make sure it won't ever panic and adds a unit test to verify it.

[morehouse]

LGTM with a couple nits.

[morehouse]

Shouldn't we call this witnessSpendRemote?

[yyforyongyu]

named it to witnessSpendSuccess instead. So what I want to differentiate here is not local vs remote but how the preimage is revealed - either via the second stage success tx, or a direct spend. And in the test case setup we then start paying attention to whether it's a local view or a remote view.

[morehouse]

How about witnessSpendLocal?

[yyforyongyu]

The direct spend can happen for both local and remote tho.

[ziggie1984]

You are right in general the Preimage Spent can happen by us on the remote, but refering to the naming of the file htlc_timeout_resolver their are only two possibilities for the preimage spent. Either on the remote via the witnessSpendSuccess or on our local via the witnessSpendLocal ?

[yyforyongyu]

Updated the tests to more clearly express the testing objects.

[ziggie1984]

looks great now!

[ellemouton]

If it is the local commitment tx, and we are sweeping the pre-image path, then it must be an incoming HTLC. An outgoing htlc on our commitment tx can only be swept by us via the timeout path.

[yyforyongyu]

updated.

[Crypt-iQ]

I don't think this should be done, we should instead figure out why bitcoind isn't serving witness data and, if we're able to, refuse to startup. Also this skips potentially notifying on a preimage spend if the bitcoind were to later right itself via user running -reindex.

[morehouse]

I don't think this should be done, we should instead figure out why bitcoind isn't serving witness data and, if we're able to, refuse to startup. Also this skips potentially notifying on a preimage spend if the bitcoind were to later right itself via user running -reindex.

This PR seems valuable to me on its own -- why shouldn't we do a bounds check before accessing the array element? We already do the bounds check for the remote commitment.

Whether this PR fixes the root cause is orthogonal.

[Crypt-iQ]

This PR seems valuable to me on its own -- why shouldn't we do a bounds check before accessing the array element? We already do the bounds check for the remote commitment.

I think the PR is fine after we've fixed the issue. I'd prefer that before it's actually fixed, we fail loudly on missing witness data. Otherwise continuing rather than panic means a -reindex won't extract the preimage on-chain.

Whether this PR fixes the root cause is orthogonal.

I don't agree because if we fix this immediately, we may never fix the root cause as it'll fail silently

[yyforyongyu]

I think the PR is fine after we've fixed the issue. I'd prefer that before it's actually fixed, we fail loudly on missing witness data.

Yeah we should fix it, tho I don't think it can be fixed inside lnd. And I also don't think we should let it go silently. I've added an error log in the latest push, but don't think it's enough. If we are sure it's an issue from bitcoind, we need to panic there with some info like reindex your bitcoind since it's very critical to have a healthy chain backend.

[lightninglabs-deploy]

@Crypt-iQ: review reminder
@yyforyongyu, remember to re-request review from reviewers when ready

[ziggie1984]

Great work yy 🤝, had some minor nits. Gracefully shutting down LND when no witness data is present makes a lot of sense. Especially because we cannot guarantee the user setting -rpcserialversion .

[ziggie1984]

You are right in general the Preimage Spent can happen by us on the remote, but refering to the naming of the file htlc_timeout_resolver their are only two possibilities for the preimage spent. Either on the remote via the witnessSpendSuccess or on our local via the witnessSpendLocal ?

[ziggie1984]

Base-Branch can be changed to master.

LGTM 🚀