Skip to content

Splice fixes for chanmon_consistency fuzz target#4655

Open
wpaulino wants to merge 4 commits into
lightningdevkit:mainfrom
wpaulino:splice-chanmon-consistency-fixes
Open

Splice fixes for chanmon_consistency fuzz target#4655
wpaulino wants to merge 4 commits into
lightningdevkit:mainfrom
wpaulino:splice-chanmon-consistency-fixes

Conversation

@wpaulino

@wpaulino wpaulino commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

While this target found several issues in our production code, there were also issues with the fuzz target itself, which this PR addresses. It fixes the following payloads from #4363:

00a6a61b1b1b211b211e1b1b1b1b211b211b211e1b1b261b1b211b1ba1
e8a3a3201ba31b201ba3a3201ba3a3201b201ba3a3201b040d80c113ff
a3cd00a2a1181021181118101810211811181000bb10181021ffff38
ffa1ffffa0414da373ff
a2cd00a2a118102118602700cda2a000a100733a3a6b73a3ffb4ffb7a1
ffa1ffacab211b11baff
88a4a6ffacadab21bcff

wpaulino added 4 commits June 1, 2026 15:08
@wpaulino
Allow pending splice broadcasts at fuzz EOF
89bdf95 
If the input ends immediately after `tx_signatures`, the corresponding
`SpliceNegotiated` event may still be pending, leaving the valid
interactive funding transaction in the test broadcaster.
@wpaulino
Ignore stale splice signing fuzz events
9397749 
Now that the fuzz target supports canceling splice funding attempts, we
may see failed signing attempts due to the cancellation.
@wpaulino
Raise iteration capacity in chanmon consistency when settling state
561f3ab 
LDK and the chanmon_consistency fuzz target have grown in complexity
recently and thus require more iterations than previously assumed to
fully settle the state of all active channels.
@wpaulino
Replay seen blocks after node reload in chanmon_consistency
baa5d0c 
This replicates what a node in production would see, and is necessary to
replay certain actions within LDK that happened prior to the reload.
@ldk-reviews-bot

ldk-reviews-bot commented Jun 1, 2026
edited
Loading

Copy link
Copy Markdown

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@wpaulino wpaulino requested a review from TheBlueMatt June 1, 2026 22:17
@wpaulino wpaulino self-assigned this Jun 1, 2026
@wpaulino wpaulino added this to the 0.3 milestone Jun 1, 2026
ldk-claude-review-bot
ldk-claude-review-bot reviewed Jun 1, 2026
View reviewed changes
Comment thread fuzz/src/chanmon_consistency.rs
Comment on lines +2016 to +2021
for (idx, node) in nodes.iter().enumerate() {
if node.broadcaster.txn_broadcasted.borrow().is_empty() {
continue;
}

let pending_events = node.get_and_clear_pending_events();

@ldk-claude-review-bot ldk-claude-review-bot Jun 1, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The verification is one-directional: for each broadcast tx, you check a matching SpliceNegotiated event exists, but you don't verify the reverse — that every pending SpliceNegotiated event has a corresponding broadcast tx. A node with no broadcasts (skipped at line 2017) but with dangling SpliceNegotiated events passes silently.

Consider also checking nodes that have no broadcasts but do have pending SpliceNegotiated events, as that would indicate the splice tx was not broadcast despite an event being generated.

Suggested change
for (idx, node) in nodes.iter().enumerate() {
if node.broadcaster.txn_broadcasted.borrow().is_empty() {
continue;
}
let pending_events = node.get_and_clear_pending_events();
for (idx, node) in nodes.iter().enumerate() {
let pending_events = node.get_and_clear_pending_events();
if node.broadcaster.txn_broadcasted.borrow().is_empty() {
assert!(
!pending_events.iter().any(|e| matches!(e, events::Event::SpliceNegotiated { .. })),
"node {} has pending SpliceNegotiated event(s) but no broadcast tx",
idx,
);
continue;
}

@ldk-claude-review-bot

ldk-claude-review-bot commented Jun 1, 2026

Copy link
Copy Markdown
Collaborator

Review Summary

1 inline comment posted:

  • fuzz/src/chanmon_consistency.rs:2016-2021 — The broadcast/event verification in assert_test_invariants is one-directional: it checks every broadcast tx has a matching SpliceNegotiated event, but nodes with no broadcasts are skipped entirely even if they have dangling SpliceNegotiated events. This could mask a bug where an event is generated without its corresponding tx being broadcast.

No other issues found. The remaining changes are correct:

  • Height tracking on reload (self.height = manager.0.height) and block replay in restart_node properly handle the case where the deserialized manager is behind the pre-reload height.
  • The FundingTransactionReadyForSigning error handling for stale signing events invalidated by tx_abort is appropriate.
  • The MAX_SETTLE_ITERATIONS increase from 100 to 256 and the typo fix are straightforward.
  • Storing (Transaction, TransactionType) in the broadcaster and asserting InteractiveFunding in the SpliceNegotiated handler adds useful validation.

@ldk-reviews-bot

ldk-reviews-bot commented Jun 3, 2026

Copy link
Copy Markdown

🔔 1st Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot

ldk-reviews-bot commented Jun 6, 2026

Copy link
Copy Markdown

🔔 2nd Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot

ldk-reviews-bot commented Jun 8, 2026

Copy link
Copy Markdown

🔔 3rd Reminder

Hey @TheBlueMatt! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

TheBlueMatt
TheBlueMatt reviewed Jun 8, 2026
View reviewed changes
Comment thread fuzz/src/chanmon_consistency.rs
continue;
}

let pending_events = node.get_and_clear_pending_events();

@TheBlueMatt TheBlueMatt Jun 8, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it not a cleaner fix to just handle the events here? We could filter the events by FundingNegotiated if we want to retain previous behavior, though not sure it matters much.

Comment thread fuzz/src/chanmon_consistency.rs
use std::sync::{Arc, Mutex};

const MAX_FEE: u32 = 10_000;
const MAX_SETTLE_ITERATIONS: usize = 256;

@TheBlueMatt TheBlueMatt Jun 8, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow

joostjager
joostjager reviewed Jun 8, 2026
View reviewed changes
Comment thread fuzz/src/chanmon_consistency.rs
assert!(nodes[0].broadcaster.txn_broadcasted.borrow().is_empty());
assert!(nodes[1].broadcaster.txn_broadcasted.borrow().is_empty());
assert!(nodes[2].broadcaster.txn_broadcasted.borrow().is_empty());
// Broadcast transactions are handled explicitly. If the input ends immediately after

@joostjager joostjager Jun 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For context, #4657 is changing chanmon_consistency broadcast handling so broadcast transactions are routed through an explicit modeled mempool, with finish draining remaining broadcasts through relay/mining cleanup.

@TheBlueMatt TheBlueMatt Jun 8, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we fix this failure there, then?

@joostjager joostjager Jun 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something needs to be re-aligned either way, depending on merge order. Not sure what parts of this PR can be omitted with the more realistic mempool.

Prefer to keep #4657 a pure refactor though, and not include splice bug fixes. It's big enough already.

joostjager
joostjager reviewed Jun 8, 2026
View reviewed changes
Comment thread fuzz/src/chanmon_consistency.rs
if !self.nodes[node_idx].deferred {
self.nodes[node_idx].checkpoint_manager_persistence();
}
let pre_reload_height = self.nodes[node_idx].height;

@joostjager joostjager Jun 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this pins the node's replay height to the manager height after reload, but can't this skip part of startup sync if an older monitor was reloaded below that height?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheBlueMatt TheBlueMatt TheBlueMatt left review comments

@joostjager joostjager joostjager left review comments

+1 more reviewer

@ldk-claude-review-bot ldk-claude-review-bot ldk-claude-review-bot left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@wpaulino wpaulino

Labels

None yet

Projects

None yet

Milestone

0.3

Development

Successfully merging this pull request may close these issues.

5 participants

@wpaulino @ldk-reviews-bot @ldk-claude-review-bot @TheBlueMatt @joostjager