[Custom Transactions] Add TxBuilder::get_next_commitment_stats

[tankyleo]

    Add `TxBuilder::get_next_commitment_stats`

    Given a snapshot of the lightning state machine,
    `TxBuilder::get_next_commitment_stats` calculates the transaction fees,
    the dust exposure, and the holder and counterparty balances
    (the balances themselves do *not* account for the transaction fee).

and

    Add `ChannelContext::get_next_{local, remote}_commitment_stats`

    In upcoming commits, these methods will serve as proxies to
    `SpecTxBuilder::get_next_commitment_stats` in all validation of channel
    updates in `ChannelContext`.

    Eventually, these methods will completely replace
    `get_pending_htlc_stats`, and
    `get_next_{local, remote}_commit_tx_fee_msat`.

    When predicting the HTLCs on next commitment, we take the conservative
    approach and only assume that a HTLC will not be in the next commitment
    when it is guaranteed that it won't be.

    While we previously took into account HTLCs in the holding cell when
    validating channel updates, we now choose to ignore them; our
    counterparty certainly does not know about them, and we will re-validate
    their addition to the channel upon freeing the holding cell.

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[tankyleo]

We discussed earlier passing the entire list of HTLCs to TxBuilder, and letting it do the dust-vs-non-dust sorting itself. There are nonetheless multiple places in channel that are interested in knowing the exact HTLC dust limit (see get_pending_{inbound, outbound}_htlc_details, get_available_balances_for_scope).

So we prefer to add a single method that surfaces this limit to channel, and then let channel sort HTLCs depending on whether their value sits above or below that amount.

As a result, builders of custom transactions will only have a say on where the dust limit sits, and won't be able to choose arbitrary subsets for dust and non-dust HTLCs.

[carlaKC]

We discussed earlier passing the entire list of HTLCs to TxBuilder, and letting it do the dust-vs-non-dust sorting itself.

Is the main motivation for this to get all of the commitment-related logic out of channel.rs, or that we think that custom tx builders will want to specifically choose certain htlcs to be dust?

get_available_balances_for_scope

The key questions we're looking to answer seems to be "can I afford a commitment with this theoretical dust/nondust htlc"? This does seem to be something we could move into TxBuilder if we pass the full HTLC set and use a version of HTLCCandidate which just tells TxBuilder whether it is dust (we never actually use this amount other than the dust check).

Sadly here's no getting around needing to know the dust limit if we want to clamp our capacity to that value, so we'd still need to surface htlc_success_timeout_dust_limits.

get_pending_{inbound, outbound}_htlc_details

Tempting to suggest just adding an is_dust check to TxBuilder for these to make it slightly more abstract than surfacing the second stage fees, but given the above requirement to know the exact dust limit maybe we just want to leave as-is.

so tl;dr: I'd be interested in seeing what trying to pull more of the dust logic out into TxBuilder looks like, even if just gives us a clearer idea of where the trait line should be.

---

Meta note: This has got a lot of overlap with 3bb0586, so I think we should either:

1. Rebase Update fee and dust handling for zero fee channels #3884 on this PR
2. Pull the commit out into a common prefactor (I have a slight pref for this, but happy with either)

[tankyleo]

Is the main motivation for this to #3775 (comment), or that we think that custom tx builders will want to specifically choose certain htlcs to be dust?

I would say we focus on the latter for this PR, and let the former be the overarching goal :)

so tl;dr: I'd be interested in seeing what trying to pull more of the dust logic out into TxBuilder looks like, even if just gives us a clearer idea of where the trait line should be.

Let me know what you think of this new direction here. Still have some clunkiness to resolve, but that's what it's looking like right now.

• htlc_success_timeout_dust_limits is used only in get_available_balances_for_scope, and I will see if I can come up with a better method call that fits better with the "what is our available balance" question.
• Definitely take your point about surfacing second-stage tx fees, will review that part too. Right now we only need it to calculate dust exposure due to excess feerates set by a counterparty (in a channel where they are the funder), see https://delvingbitcoin.org/t/disclosure-irrevocable-fees-stealing-from-ln-using-revoked-commitment-transactions/1314

[tankyleo]

Meta note: This has got a lot of overlap with 3bb0586

Definitely let me rebase on top of your PR, you've rebased once already :)

[ldk-reviews-bot]

🔔 1st Reminder

Hey @carlaKC! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[carlaKC]

Let me know what you think of this new direction here.

I like this approach! Definitely prefer being able to move a lot of the dust / second stage tx reasoning into the builder 👍

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @carlaKC! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[tankyleo]

I'm aware I still owe a follow-up PR from the previous PR in this project, will push that soon in a separate PR :)

[TheBlueMatt]

Not really sure I understand the point of these two methods if we have htlc_success_timeout_dust_limit as a method - if the API includes a method to say "hey, for an HTLC of type X what is the threshold where its dust", why bother with a method to say "given these HTLCs, how many are dust?", it seems the second can be calculated from the first, no? The same applies for passing the HTLC list to commit_tx_fee_sat.

Alternatively, we could drop the htlc_success_timeout_dust_limits method (if we want to not require there be some strict threshold to indicate when an HTLC is dust, though I think its a fine assumption to bake into the API, I dunno why someone would want to have some HTLCs be dust and others at the same value not be) and have a more generic "is HTLC dust on the next counterparty/local commitment transaction" call, but even there it seems like we don't need all of these methods.

[tankyleo]

Sounds good yes I initially had a version of the API that matches what you describe. We wanted to see what it would look like if we moved more logic out of channel into TxBuilder, but I agree we only really need the dust limits.

I will clean up those methods, and add TxBuilder methods for 1) the dust limit 2) the htlc endogenous fees (to calculate counterparty dust exposure).

[TheBlueMatt]

I mean don't get me wrong, I'd love to move more logic out of channel.rs into TxBuilder, that would be great, but we also don't want to have an overlapping API where we have two ways to do things over the API. Also, we want to eventually make TxBuilder public, so it would be nice to avoid adding too much complexity (in the form of a ton of different methods).

[tankyleo]

FWIW the real blocker on the more ambitious / complex API was the get_available_balances method - at the moment this method requires an exact dust limit above which all HTLCs are non-dust.

I have some code written that moves most of get_available_balances behind TxBuilder, but the complexity is not worth it, especially if we can make the assumption you describe above about the strict dust-vs-nondust threshold.

[ldk-reviews-bot]

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

[codecov]

Codecov Report

❌ Patch coverage is 1.81818% with 270 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.70%. Comparing base (39e8d7d) to head (7dbb0fb).
⚠️ Report is 43 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/sign/tx_builder.rs	2.89%	168 Missing ⚠️
lightning/src/ln/channel.rs	0.00%	102 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3921      +/-   ##
==========================================
- Coverage   88.93%   88.70%   -0.24%     
==========================================
  Files         174      174              
  Lines      123876   124502     +626     
  Branches   123876   124502     +626     
==========================================
+ Hits       110173   110434     +261     
- Misses      11250    11586     +336     
- Partials     2453     2482      +29     

Flag	Coverage Δ
fuzzing	22.50% <1.81%> (+0.32%)	⬆️
tests	88.52% <1.81%> (-0.24%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[elnosh]

for what it can be worth it I have reviewed 1eb1c9e and it looks correct to me.

As for my understanding on the reasoning for the change, motivation seems to be to move usage of second_stage_tx_fees_sat and htlc_tx_fees_sat to TxBuilder in order to abstract away usage of weight of htlc transactions away from channel.rs.

[tankyleo]

@TheBlueMatt did you have a chance to look at the latest commit here ? It has the API cleanup, thank you !

[TheBlueMatt]

Discussed it offline, but I'm somewhat skeptical of a design that adds too many more methods on TxBuilder. We should consider exploring options that keep TxBuilder much smaller with more logic in larger methods (that we're willing to call and throw away some of the result of, eg relying more on something like that looks like build_commitment_stats to figure out dust exposures and whether an htlc is acceptable).

[tankyleo]

@TheBlueMatt would appreciate a look here :)

• ci-tests.sh passes on my machine
• i thought we could start with these 4 places for this PR
• with this API, we can eventually completely phase out get_pending_htlc_stats, next_{local, remote}_commit_tx_fee_msat

[TheBlueMatt]

Nice! This tees us up to clean up channel.rs a lot.

[TheBlueMatt]

Shouldn't this only count sent HTLCs? If our counterparty adds a dust HTLC it doesnt impact how much of our money might be burned to dust

[tankyleo]

hmmm inbound HTLCs are your money once the preimage is revealed, so you do care how many of them go to dust ?

[TheBlueMatt]

Yea, I guess it depends on the context, if we're deciding if we should accept the HTLC (vs fail it back) it is dust (cause it might become our money), if we're deciding if the commitment transaction is safe to accept its not dust (cause we'll fail the HTLC). Kinda annoying to capture...

[tankyleo]

let me see the only two times we currently look at on_holder_tx_dust_exposure_msat when validating counterparty updates is in validate_update_fee (called when receiving update_fee), and fn can_accept_incoming_htlc (called when the HTLC is already Committed).

if we're deciding if we should accept the HTLC (vs fail it back) it is dust (cause it might become our money),

Do I understand correct this is fn can_accept_incoming_htlc ?

if we're deciding if the commitment transaction is safe to accept its not dust (cause we'll fail the HTLC).

Were you referring to the fn validate_commitment_signed function ? Currently we don't validate dust exposure there

[TheBlueMatt]

This needs to depend on who generated the commitment we're talking about - if we're being called in, eg, validate_update_add_htlc, we're looking at a commitment the counterparty generated, which shouldn't include any LocalAnnounced or RemoteRemoved HTLCs, whereas if we're being called from can_send_update_fee we can't assume we'll wait until the counterparty sends a CS, so we need those.

[tankyleo]

For LocalAnnounced HTLCs, we could do

(1) -> update_add_htlc `LocalAnnounced`
(2) <- update_add_htlc `validate_update_add`
-> commitment_signed
<- revoke_and_ack
(3) <- commitment_signed
-> revoke_and_ack
-> commitment_signed
<- revoke_and_ack

At (3), (1) is present on the local commitment transaction (generated by the counterparty), so seems reasonable to count it on the commitments at (2) ?

As for RemoteRemoved HTLCs, these for sure won't be on the next local commitment transaction, but might still be present on the next remote commitment transaction depending on the ordering of the CS...

So far, I have attempted to imitate fn next_local_commit_tx_fee_msat and fn next_remote_commit_tx_fee_msat as much as possible, will review all this tomorrow thank you.

[TheBlueMatt]

Right, but an alternative situation is

(1) -> update_add_htlc `LocalAnnounced`
(2) <- update_add_htlc `validate_update_add`
-> commitment_signed
(3) <- commitment_signed
<- revoke_and_ack
-> revoke_and_ack
-> commitment_signed
<- revoke_and_ack

Now at (3), because its before the received RAA, the HTLC is not present in the commitment transactions. Indeed, it will be included in some counterparty commitment transaction in the future eventually, but it definitely isn't in this one, and it seems weird to consider it because that will cause us to think a commitment tx is "invalid" (as in protocol-invalid-they-overdrew-reserves) when its not.

[tankyleo]

Right so at (2), you would rather err on the side of considering HTLCs not present ? So far I've erred on the side of assuming they will be present (which is the current behavior I believe)

[TheBlueMatt]

Same here.

[TheBlueMatt]

Suggested change

	#[cfg(any(test, fuzzing))]
	#[derive(Clone, PartialEq, PartialOrd, Eq, Ord)]
	#[cfg_attr(any(test, fuzzing), derive(Clone, PartialEq, PartialOrd, Eq, Ord))]

[TheBlueMatt]

Yea, I guess it depends on the context, if we're deciding if we should accept the HTLC (vs fail it back) it is dust (cause it might become our money), if we're deciding if the commitment transaction is safe to accept its not dust (cause we'll fail the HTLC). Kinda annoying to capture...

[TheBlueMatt]

Right, but an alternative situation is

(1) -> update_add_htlc `LocalAnnounced`
(2) <- update_add_htlc `validate_update_add`
-> commitment_signed
(3) <- commitment_signed
<- revoke_and_ack
-> revoke_and_ack
-> commitment_signed
<- revoke_and_ack

Now at (3), because its before the received RAA, the HTLC is not present in the commitment transactions. Indeed, it will be included in some counterparty commitment transaction in the future eventually, but it definitely isn't in this one, and it seems weird to consider it because that will cause us to think a commitment tx is "invalid" (as in protocol-invalid-they-overdrew-reserves) when its not.

[TheBlueMatt]

Presumably we need the option to do this, though, since we want to check a theoretical "next commitment if we included the entire holding cell" before we accept something new into the holding cell, to make sure we aren't just accepting it to fail it later.