Batch funding

[wvanlint]

Implements batch funding:

• A batch funding transaction can be provided to ChannelManager, together with the temporary channel IDs it is funding.
• The state of the batch will be maintained by the ChannelManager, tracking whether channels have received funding_signed and whether the monitor is persisted.
• Channels will have an additional state flag to indicate that funding_signed has been received but broadcasting the funding transaction is held until all channels in the batch have received funding_signed and have their monitors persisted. This state is cleared by ChannelManager at the appropriate time.
• No persistence is necessary as funding nodes can forget channels if they have not broadcast the corresponding funding transaction.
• When a channel in a batch closes or a peer disconnects, this propagates to the other channels in the batch.
• To avoid deadlocks, locks are acquired in the same order. The newly added locks are held at the innermost level, with locks around the state of the batch being acquired before locks around batches being closed.

Fixes #1510.

[TheBlueMatt]

This wasn't as bad as I thought it would be, but is definitely gonna require re-reading most of channel and channelmanager to convince myself its correct :)

[TheBlueMatt]

I think the new state should also be added here, but we'll need test coverage - can you add a test that checks for receiving our peer's channel_ready on a channel which is currently WaitingForBatch? This is basically the peer accepting the channel 0conf.

[wvanlint]

The WaitingForBatch flag is not a MULTI_STATE_FLAG I believe as it is only set on FundingSent? I did a pass through all the uses of FundingSent in channel.rs and added tests for the channel_ready behavior.

[TheBlueMatt]

Hmm, yea, the MULTI_STATE_FLAGS thing is a bit of a misnomer, I think, it maybe should just be NON_STATE_FLAGS - the channel_state is really the OR of a state (the initial states and then ChannelReady) and some flags. MULTI_STATE_FLAGS lists the flags. But, eg, is monitor_updating_restored correct - below the funding_broadcastable setting we set it back to None if channel_state & !MULTI_STATE_FLAGS >= ChannelReady (which is true if WaitingForBatch is set even if we're not ChannelReady). Similar in do_best_block_updated. Still, to your point, if we do add it to MULTI_STATE_FLAGS I think we'll probably break check_get_channel_ready (we'll need to also skip the send if we are in WaitingForBatch.

[wvanlint]

It seems there are a couple of use cases:

• A mask of flags that can be applied to multiple states and should be inherited when transitioning between states. MULTI_STATE_FLAGS seems to fulfill that purpose for the *ShutdownSent, PeerDisconnected, MonitorUpdateInProgress flags.
• A mask of all flags that can be applied to only look at the sequential states and compare them. I added a superset of MULTI_STATE_FLAGS called STATE_FLAGS here.

I went through all uses of Channel::channel_state, verified the usage and adjusted any < or > comparisons to occur against self.channel_state & !STATE_FLAGS.

[codecov-commenter]

Codecov Report

Attention: 44 lines in your changes are missing coverage. Please review.

Comparison is base (20e1c27) 88.86% compared to head (7b013b5) 88.91%.
Report is 1 commits behind head on main.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2486      +/-   ##
==========================================
+ Coverage   88.86%   88.91%   +0.05%     
==========================================
  Files         113      113              
  Lines       84517    85131     +614     
  Branches    84517    85131     +614     
==========================================
+ Hits        75103    75696     +593     
- Misses       7211     7222      +11     
- Partials     2203     2213      +10     

Files	Coverage Δ
lightning/src/ln/reload_tests.rs	96.24% <100.00%> (+0.19%)	⬆️
lightning/src/ln/functional_test_utils.rs	91.43% <98.43%> (+0.27%)	⬆️
lightning/src/events/mod.rs	29.98% <0.00%> (+0.24%)	⬆️
lightning/src/ln/functional_tests.rs	97.30% <98.22%> (-0.03%)	⬇️
lightning/src/ln/channel.rs	88.32% <95.69%> (+0.27%)	⬆️
lightning/src/ln/channelmanager.rs	81.60% <81.93%> (+0.04%)	⬆️

... and 5 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ariard]

I think the current approach of dropping the whole batch is the safest one from a malleability viewpoint, yet once the transaction is counter-signed by all counterparties and broadcast, malleability is no more an issue if we can confirm the transaction.

I think there are intersections here with dual-funding/splicing and per-counterparty negotiated option_zeroconf, at least in term of API.

[TheBlueMatt]

I think the current approach of dropping the whole batch is the safest one from a malleability viewpoint, yet once the transaction is counter-signed by all counterparties and broadcast, malleability is no more an issue if we can confirm the transaction.

Not sure what you're referring to? Are you referring to some specific above discussion or just stating that we need to drop the batch if some output doesn't get a counter-signature?

[TheBlueMatt]

Okay, thanks for all the work here, I really like the overall patch, but a handful of comments on minor tweaks for readability. I'd also love to see more test coverage of some edge cases, eg what happens if a peer sends us a channel_ready before we've broadcasted while we're waiting on a batch, a test of the initial monitor update(s) completing async, and a test for shutting down with one of the two channels having had their initial monitor update persisted but not the other one.

[TheBlueMatt]

I do kinda wonder if we shouldn't put this up further and renumber later flags. We'd have to juggle it a bunch in the serialization logic so maybe not worth it, but there's a few places it'd simplify the code cause we could keep >= kinda things.

[wvanlint]

Hmm, right, it would make the serialization logic more complex. I do wonder if this can be refactored at some point to model the ordered states and flags without bitwise logic.

[wvanlint]

Expanded testing coverage which covers:

• Asynchronous monitor persistence in ln::functional_tests::test_batch_channel_open
• Peer disconnection in ln::functional_tests::test_disconnect_in_funding_batch
• Early channel ready in ln::channel::tests::test_waiting_for_batch
• Reloading the node with a partially succeeded funding batch in ln::reload_tests::test_reload_partial_funding_batch

[TheBlueMatt]

Ugh, I'd like to land this monday for 0.0.117 (later probably we can't make the release 😭), and am happy with the channel.rs changes and most of channelmanager, just want to see the lockorder inverted so we can simplify the potential for races.

[wvanlint]

In the latest change, the lock order is now reversed, acquiring funding_batch_states locks before per_peer_state locks. This improves the locking behavior when making changes across the batch instead of minimizing the number of code changes.

It does require a central place to propagate closures of channels to the remaining channels in the batch. Previously, this was done in update_maps_on_chan_removal, but that macro assumes per_peer_state locks are held. Instead, ChannelManager::finish_force_close_channel was extended as a method to handle all channel closures as it enforces no per_peer_state locks are held after #2597. ShutdownResult was extended as well, and is now sometimes constructed in ChannelManager, but provides a step towards further unification of channel close handling and can be moved into Channel methods that move to Shutdown states as well.

[TheBlueMatt]

A few minor cleanups and assertions, still digging into test coverage.

[TheBlueMatt]

LGTM, please squash the fixup.

[wvanlint]

Squashed.

[wpaulino]

Glad we were able to get rid of the additional tracking map!

[wpaulino]

Nit: also update the Finishing force-closure of channel... log below

[wvanlint]

Done in follow-up.

[wpaulino]

Nit: use check_closed_event?

[wvanlint]

Unfortunately, that function does not match exactly as there are multiple closure reasons (the root cause one and the batch closure). Tried to refactor this in the follow-up.

[wpaulino]

Probably a good time to make this a struct now, but not a blocker.

[wvanlint]

Done in follow-up.

[wpaulino]

Nit: these are all unused now

[wvanlint]

Removed in follow-up.

[wpaulino]

Nit: channel_idx is unused now

[wvanlint]

Removed in follow-up.

[TheBlueMatt]

Lets address any remaining feedback in a followup so we can land this.

[TheBlueMatt]

transcaction 😂

[wvanlint]

Fixed in follow-up 😅

[wvanlint]

Following up in #2613.