fuzz: add force-close support to chanmon_consistency #4381
👋 I see @wpaulino was un-assigned.
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main    #4381      +/-   ##
==========================================
+ Coverage   86.12%   86.44%   +0.31%
==========================================
  Files         157      158       +1
  Lines      108922   109153     +231
  Branches   108922   109153     +231
==========================================
+ Hits        93812    94358     +546
+ Misses      12495    12252     -243
+ Partials     2615     2543      -72
    },
    events::Event::SplicePending { .. } => {},
    events::Event::SpliceFailed { .. } => {},
    events::Event::ChannelClosed { .. } => {},
We should probably open a new channel to replace the force closed one?
    // Only check for no broadcasts if no force-closes happened.
    if !fc_ab && !fc_bc {
        assert!(broadcast.txn_broadcasted.borrow().is_empty());
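Review bot: the `if !fc_ab && !fc_bc` guard in this hunk skips the broadcast check entirely once either channel was force-closed, so an unexpected extra transaction in `txn_broadcasted` (for example a duplicate commitment broadcast) would pass unnoticed; rather than skipping, consider asserting that every queued transaction spends the funding outpoint of a closed channel, and keep `assert!(broadcast.txn_broadcasted.borrow().is_empty())` only for the case where no force-close happened.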
I have some changes that will be going up soon that rework this, you may want to wait until then. Each node will have its own broadcaster, and there's also a concept of a "chain" now so we can mine transactions.
Changes were very useful! The per-node broadcasters (broadcast_a/broadcast_b/broadcast_c) are used to selectively drain and confirm each node's force-close commitment txs, and the ChainState abstraction is used to confirm broadcast transactions and advance block height past HTLC timelocks during settlement.
Needs rebase. Is this stalled waiting on fixes that were discovered by the fuzzer?
I was working on my local branch only for a while. Just pushed what I have. But indeed, the mixed mode failure is also showing up in different ways with fc fuzzing.
Rebased onto #4571, because compile times became unworkable with the many macros.
Assert that channel HTLC sets are empty after harness quiescence.
When we make an MPP claim we push RAA blockers for each channel to ensure we don't allow any single channel to make too much progress until all channels have the preimage durably on disk. We don't have to store those RAA blockers on disk in the ChannelManager as there's no point - if the ChannelManager gets to disk with the RAA blockers it also brought with it the pending ChannelMonitorUpdates that contain the preimages and will now be replayed, ensuring the preimage makes it to all ChannelMonitors. However, just because those RAA blockers disappear on reload doesn't mean the implications of them do too - if a later ChannelMonitorUpdate was blocked in the channel we don't have logic to unblock it on startup. Here we add such logic, simply attempting to unblock all blocked `ChannelMonitorUpdate`s that existed on startup. Code written by Claude. Fixes lightningdevkit#4518
Before reporting a next outbound HTLC limit, simulate adding that HTLC to the next remote commitment. If that simulation fails or would drop the holder below the selected channel reserve, report zero capacity instead.
Collect local notes and fuzz inputs used while investigating the force-close chanmon_consistency work. These files are marked dropme so they can aid review and reduction without becoming part of the final patch set.
Remember claim outpoints after their spending transactions have reached the anti-reorg delay, even after normal claim tracking is cleaned up. This prevents later claims for newly learned preimages from attempting to spend outputs that were already irrevocably claimed on chain.
Allow fuzz builds to use cheaper ECDSA signatures and skip assertions that rely on production signature sizes. The fuzz signer intentionally trades realistic DER lengths for speed, so weight lower-bound checks must not assume low-R signatures there.
Replace the chanmon consistency harness' Watch wrapper with a Persist implementation backed by HarnessPersister. Monitor writes now flow through the real ChainMonitor persistence hooks. Track restart candidates separately from monitor completion callbacks. A monitor can stop being a valid reload candidate once a newer baseline is durable, while its callback may still be needed to unblock the live ChainMonitor. On reload, choose the durable baseline, first pending snapshot, or last pending snapshot. Startup monitor registration completes immediately before the configured persistence style is restored.
Seed each harness wallet with confirmed coinbase outputs before building channels. The modeled chain now includes the wallet funding, so later chain checks can require transactions to spend existing outputs.
Track confirmed UTXOs in the harness chain state and require transactions to spend outputs that exist and remain unspent. Also reject absolute-height timelocks before they mature, while preserving the obscured commitment number encoding used by commitment transactions.
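Added example, not code from this PR or from rust-lightning: a minimal model of the harness chain state the two commits above describe (wallet seeding from confirmed coinbase outputs, confirmed-UTXO tracking that rejects spends of missing or already-spent outputs, and height-locktime maturity that still accepts the BOLT 3 obscured commitment number in nLockTime). All type and function names here are assumptions; the harness's real ChainState is not shown on this page.

```rust
use std::collections::HashSet;
/// nLockTime values at or above this are unix timestamps, not block heights (consensus rule).
const LOCKTIME_THRESHOLD: u32 = 500_000_000;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct OutPoint { pub txid: [u8; 32], pub vout: u32 }

/// Constructed, simplified transaction: only the fields the chain model validates.
pub struct Tx { pub txid: [u8; 32], pub inputs: Vec<OutPoint>, pub output_count: u32, pub lock_time: u32 }

#[derive(Debug, PartialEq)]
pub enum Reject {
    UnknownOrSpent(OutPoint),                      // input never existed or was already spent
    Immature { lock_time: u32, mine_height: u32 }, // height-based nLockTime is not yet final
}

pub struct ChainState { pub height: u32, utxos: HashSet<OutPoint> }

impl ChainState {
    pub fn new(height: u32) -> Self { ChainState { height, utxos: HashSet::new() } }

    /// Seed a wallet with a confirmed coinbase (coinbases have no inputs to validate).
    pub fn add_coinbase(&mut self, txid: [u8; 32], output_count: u32) {
        for vout in 0..output_count { self.utxos.insert(OutPoint { txid, vout }); }
        self.height += 1;
    }

    /// Commitment txs carry 0x20 in nLockTime's top byte and the obscured commitment number in
    /// the low 24 bits (BOLT 3); that exceeds LOCKTIME_THRESHOLD, so consensus reads it as a
    /// timestamp and a naive `lock_time > height` check would reject every commitment tx.
    fn is_final(lock_time: u32, mine_height: u32) -> bool {
        lock_time == 0 || lock_time >= LOCKTIME_THRESHOLD || lock_time < mine_height
    }

    /// Mine `tx` into the next block and return its height, or reject it leaving state untouched.
    pub fn confirm(&mut self, tx: &Tx) -> Result<u32, Reject> {
        let mine_height = self.height + 1;
        if !Self::is_final(tx.lock_time, mine_height) {
            return Err(Reject::Immature { lock_time: tx.lock_time, mine_height });
        }
        // Check every input before spending any, so a rejected tx cannot half-apply.
        if let Some(&op) = tx.inputs.iter().find(|op| !self.utxos.contains(*op)) {
            return Err(Reject::UnknownOrSpent(op));
        }
        for op in &tx.inputs { self.utxos.remove(op); }
        for vout in 0..tx.output_count { self.utxos.insert(OutPoint { txid: tx.txid, vout }); }
        self.height = mine_height;
        Ok(mine_height)
    }
}
```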
Notify channel monitors about confirmed transactions and best-block updates while harness nodes catch up to the modeled chain. When advancing across empty blocks, jump directly to the next block that contains transactions while still reporting the intervening best block.
Teach the harness to deliver additional control and announcement messages emitted during reconnects and timer-driven state changes. This keeps delayed message handling from panicking on valid events that can be produced by the channel manager.
Stop treating every channel close or broadcast transaction as an immediate invariant failure. Later commits add explicit force-close coverage, so the baseline harness must allow channels and broadcaster queues to reflect closure progress.
Return the transactions confirmed from the pending pool and apply their effects to the harness wallets. This keeps wallet UTXO state aligned with the fake chain when splice or other pending transactions are mined by fuzz input.
Map the primary signer-unblock opcodes so nodes 0, 1, and 2 each get distinct controls for counterparty commitment signing, per-commitment points, and commitment secret release. Make node B's primary signer-unblock controls retry all pending channels once an operation is available, while keeping the older channel-specific release-secret controls for now. This avoids duplicated node coverage and makes the byte controls easier to reason about in reduced test cases.
Make event processing robust to splice, close, spendable-output, and bump-transaction events that can arise during on-chain cleanup. Splice pending handling now finds the matching broadcast transaction by txid instead of assuming queue order.
Add cleanup helpers and fuzz opcodes for monitor bump events, broadcast confirmation, careful chain advancement, and node resyncs. The all-events loop now advances messages, node events, monitor events, pending transactions, and broadcasts until the harness quiesces.
Before final assertions, catch raw monitors up to node height and drive timer ticks plus block advancement until pending work clears. The final liveness probe now uses each channel's advertised sendable range instead of a fixed amount that may be outside its limits.
Track payment hashes, paths, claims, sender outcomes, and closed channels so settle-all can distinguish unresolved work from valid force-close outcomes. Keep payments pending until the sender observes PaymentSent or PaymentFailed, including abandoned sends with committed HTLCs still in flight. When reload selects an older raw monitor, catch it up to the harness node height immediately so it observes historical funding spends before later sync starts from the manager height. This lets the harness accept sender failure for claimed dust paths while still asserting that observable payment lifecycles complete.
Add explicit force-close fuzz actions for the A-B and B-C channels. Enable holder commitment and holder HTLC signing together so on-chain cleanup retries do not split the paired monitor-side signer operations. The all-node holder-signing byte remains as a compatibility alias for existing fuzz inputs. The harness records dust HTLC paths before closing so later payment resolution checks can account for claims blocked by dust outputs.
Add force-close coverage to the chanmon_consistency fuzzer. Previously, the fuzzer only exercised cooperative channel flows. This PR enables the fuzzer to force-close channels and verify that on-chain resolution, HTLC timeouts, and payment preimage propagation all work correctly under channel monitor consistency constraints.