XXX(breaks more tests): Make Channel's block connection API more electrum-friendly

Electrum clients primarily operate in a world where they query (and
subscribe to notifications for) transactions by script_pubkeys.
They may never learn very much about the actual blockchain and
orient their events around individual transactions, not the
blockchain.

This makes our ChannelManager interface somewhat more amenable to
such a client by splitting `block_connected` into
`transactions_confirmed` and `update_best_block`. The first handles
checking the funding transaction and storing its height/confirmation
block, whereas the second handles funding_locked and reorg logic.

Sadly, this interface is somewhat easy to misuse - XXX something about
how you can miss a disconnect that un-confirms our funding transaction!

This commit also corrects our "funding was reorganized out of the
best chain" heuristic, instead of a flat 6 blocks, it uses half the
confirmation count required as the point at which we force-close.

XXX: for low confirmation counts (also on main), this may cause spurious
closes in case of an ill-timed one-block reorg

Author: TheBlueMatt

lightning/src/ln/channel.rs

@@ -361,13 +361,10 @@ pub(super) struct Channel<Signer: Sign> {
 
 	last_sent_closing_fee: Option<(u32, u64, Signature)>, // (feerate, fee, holder_sig)
 
-	/// The hash of the block in which the funding transaction reached our CONF_TARGET. We use this
-	/// to detect unconfirmation after a serialize-unserialize roundtrip where we may not see a full
-	/// series of block_connected/block_disconnected calls. Obviously this is not a guarantee as we
-	/// could miss the funding_tx_confirmed_in block as well, but it serves as a useful fallback.
+	/// The hash of the block in which the funding transaction was included.
 	funding_tx_confirmed_in: Option<BlockHash>,
+	funding_tx_confirmation_height: u64,
 	short_channel_id: Option<u64>,
-	funding_tx_confirmations: u64,
 
 	counterparty_dust_limit_satoshis: u64,
 	#[cfg(test)]
@@ -424,10 +421,6 @@ struct CommitmentTxInfoCached {
 }
 
 pub const OUR_MAX_HTLCS: u16 = 50; //TODO
-/// Confirmation count threshold at which we close a channel. Ideally we'd keep the channel around
-/// on ice until the funding transaction gets more confirmations, but the LN protocol doesn't
-/// really allow for this, so instead we're stuck closing it out at that point.
-const UNCONF_THRESHOLD: u32 = 6;
 const SPENDING_INPUT_FOR_A_OUTPUT_WEIGHT: u64 = 79; // prevout: 36, nSequence: 4, script len: 1, witness lengths: (3+1)/4, sig: 73/4, if-selector: 1, redeemScript: (6 ops + 2*33 pubkeys + 1*2 delay)/4
 const B_OUTPUT_PLUS_SPENDING_INPUT_WEIGHT: u64 = 104; // prevout: 40, nSequence: 4, script len: 1, witness lengths: 3/4, sig: 73/4, pubkey: 33/4, output: 31 (TODO: Wrong? Useless?)
 
@@ -565,7 +558,7 @@ impl<Signer: Sign> Channel<Signer> {
 
 			funding_tx_confirmed_in: None,
 			short_channel_id: None,
-			funding_tx_confirmations: 0,
+			funding_tx_confirmation_height: 0,
 
 			feerate_per_kw: feerate,
 			counterparty_dust_limit_satoshis: 0,
@@ -800,7 +793,7 @@ impl<Signer: Sign> Channel<Signer> {
 
 			funding_tx_confirmed_in: None,
 			short_channel_id: None,
-			funding_tx_confirmations: 0,
+			funding_tx_confirmation_height: 0,
 
 			feerate_per_kw: msg.feerate_per_kw,
 			channel_value_satoshis: msg.funding_satoshis,
@@ -3484,38 +3477,7 @@ impl<Signer: Sign> Channel<Signer> {
 		self.network_sync == UpdateStatus::DisabledMarked
 	}
 
-	/// When we receive a new block, we (a) check whether the block contains the funding
-	/// transaction (which would start us counting blocks until we send the funding_signed), and
-	/// (b) check the height of the block against outbound holding cell HTLCs in case we need to
-	/// give up on them prematurely and time them out. Everything else (e.g. commitment
-	/// transaction broadcasts, channel closure detection, HTLC transaction broadcasting, etc) is
-	/// handled by the ChannelMonitor.
-	///
-	/// If we return Err, the channel may have been closed, at which point the standard
-	/// requirements apply - no calls may be made except those explicitly stated to be allowed
-	/// post-shutdown.
-	/// Only returns an ErrorAction of DisconnectPeer, if Err.
-	///
-	/// May return some HTLCs (and their payment_hash) which have timed out and should be failed
-	/// back.
-	pub fn block_connected(&mut self, header: &BlockHeader, txdata: &TransactionData, height: u32) -> Result<(Option<msgs::FundingLocked>, Vec<(HTLCSource, PaymentHash)>), msgs::ErrorMessage> {
-		let mut timed_out_htlcs = Vec::new();
-		self.holding_cell_htlc_updates.retain(|htlc_update| {
-			match htlc_update {
-				&HTLCUpdateAwaitingACK::AddHTLC { ref payment_hash, ref source, ref cltv_expiry, .. } => {
-					if *cltv_expiry <= height + HTLC_FAIL_BACK_BUFFER {
-						timed_out_htlcs.push((source.clone(), payment_hash.clone()));
-						false
-					} else { true }
-				},
-				_ => true
-			}
-		});
-
-		if self.funding_tx_confirmations > 0 {
-			self.funding_tx_confirmations += 1;
-		}
-
+	pub fn transactions_confirmed(&mut self, block_hash: &BlockHash, height: u32, txdata: &TransactionData) -> Result<(), msgs::ErrorMessage> {
 		let non_shutdown_state = self.channel_state & (!MULTI_STATE_FLAGS);
 		if non_shutdown_state & !(ChannelState::TheirFundingLocked as u32) == ChannelState::FundingSent as u32 {
 			for &(index_in_block, tx) in txdata.iter() {
@@ -3554,18 +3516,61 @@ impl<Signer: Sign> Channel<Signer> {
 							panic!("Block was bogus - either height 16 million or had > 16 million transactions");
 						}
 						assert!(txo_idx <= 0xffff); // txo_idx is a (u16 as usize), so this is just listed here for completeness
-						self.funding_tx_confirmations = 1;
+						self.funding_tx_confirmation_height = height as u64;
+						self.funding_tx_confirmed_in = Some(*block_hash);
 						self.short_channel_id = Some(((height as u64)         << (5*8)) |
 						                             ((index_in_block as u64) << (2*8)) |
 						                             ((txo_idx as u64)        << (0*8)));
 					}
 				}
 			}
 		}
+		Ok(())
+	}
+
+	/// When a new block is connected, we check the height of the block against outbound holding
+	/// cell HTLCs in case we need to give up on them prematurely and time them out. Everything
+	/// else (e.g. commitment transaction broadcasts, channel closure detection, HTLC transaction
+	/// broadcasting, etc) is handled by the ChannelMonitor.
+	///
+	/// If we return Err, the channel may have been closed, at which point the standard
+	/// requirements apply - no calls may be made except those explicitly stated to be allowed
+	/// post-shutdown.
+	///
+	/// May return some HTLCs (and their payment_hash) which have timed out and should be failed
+	/// back.
+	pub fn update_best_block(&mut self, height: u32, highest_header_time: u32) -> Result<(Option<msgs::FundingLocked>, Vec<(HTLCSource, PaymentHash)>), msgs::ErrorMessage> {
+		let mut timed_out_htlcs = Vec::new();
+		self.holding_cell_htlc_updates.retain(|htlc_update| {
+			match htlc_update {
+				&HTLCUpdateAwaitingACK::AddHTLC { ref payment_hash, ref source, ref cltv_expiry, .. } => {
+					if *cltv_expiry <= height + HTLC_FAIL_BACK_BUFFER {
+						timed_out_htlcs.push((source.clone(), payment_hash.clone()));
+						false
+					} else { true }
+				},
+				_ => true
+			}
+		});
+
+		self.update_time_counter = cmp::max(self.update_time_counter, highest_header_time);
+		if self.funding_tx_confirmation_height > 0 {
+			let funding_tx_confirmations = height as i64 - self.funding_tx_confirmation_height as i64 + 1;
+			if funding_tx_confirmations <= 0 {
+				self.funding_tx_confirmation_height = 0;
+			}
 
-		self.update_time_counter = cmp::max(self.update_time_counter, header.time);
-		if self.funding_tx_confirmations > 0 {
-			if self.funding_tx_confirmations == self.minimum_depth as u64 {
+			let non_shutdown_state = self.channel_state & (!MULTI_STATE_FLAGS);
+			if (non_shutdown_state >= ChannelState::ChannelFunded as u32 ||
+			   (non_shutdown_state & ChannelState::OurFundingLocked as u32) == ChannelState::OurFundingLocked as u32) &&
+			    funding_tx_confirmations < self.minimum_depth as i64 / 2 {
+				return Err(msgs::ErrorMessage {
+					channel_id: self.channel_id(),
+					data: format!("Funding transaction was un-confirmed. Locked at {} confs, now have {} confs.", self.minimum_depth, funding_tx_confirmations),
+				});
+			}
+
+			if funding_tx_confirmations == self.minimum_depth as i64 {
 				let need_commitment_update = if non_shutdown_state == ChannelState::FundingSent as u32 {
 					self.channel_state |= ChannelState::OurFundingLocked as u32;
 					true
@@ -3584,7 +3589,6 @@ impl<Signer: Sign> Channel<Signer> {
 					// funding_tx_confirmed_in and return.
 					false
 				};
-				self.funding_tx_confirmed_in = Some(header.block_hash());
 
 				//TODO: Note that this must be a duplicate of the previous commitment point they sent us,
 				//as otherwise we will have a commitment transaction that they can't revoke (well, kinda,
@@ -3604,21 +3608,35 @@ impl<Signer: Sign> Channel<Signer> {
 				}
 			}
 		}
+
 		Ok((None, timed_out_htlcs))
 	}
 
+	/// When we receive a new block, we (a) check whether the block contains the funding
+	/// transaction (which would start us counting blocks until we send the funding_signed), and
+	/// (b) check the height of the block against outbound holding cell HTLCs in case we need to
+	/// give up on them prematurely and time them out. Everything else (e.g. commitment
+	/// transaction broadcasts, channel closure detection, HTLC transaction broadcasting, etc) is
+	/// handled by the ChannelMonitor.
+	///
+	/// If we return Err, the channel may have been closed, at which point the standard
+	/// requirements apply - no calls may be made except those explicitly stated to be allowed
+	/// post-shutdown.
+	/// Only returns an ErrorAction of DisconnectPeer, if Err.
+	///
+	/// May return some HTLCs (and their payment_hash) which have timed out and should be failed
+	/// back.
+	pub fn block_connected(&mut self, header: &BlockHeader, txdata: &TransactionData, height: u32) -> Result<(Option<msgs::FundingLocked>, Vec<(HTLCSource, PaymentHash)>), msgs::ErrorMessage> {
+		self.transactions_confirmed(&header.block_hash(), height, txdata)?;
+		self.update_best_block(height, header.time)
+	}
+
 	/// Called by channelmanager based on chain blocks being disconnected.
 	/// Returns true if we need to close the channel now due to funding transaction
 	/// unconfirmation/reorg.
-	pub fn block_disconnected(&mut self, header: &BlockHeader) -> bool {
-		if self.funding_tx_confirmations > 0 {
-			self.funding_tx_confirmations -= 1;
-			if self.funding_tx_confirmations == UNCONF_THRESHOLD as u64 {
-				return true;
-			}
-		}
-		if Some(header.block_hash()) == self.funding_tx_confirmed_in {
-			self.funding_tx_confirmations = self.minimum_depth as u64 - 1;
+	pub fn block_disconnected(&mut self, header: &BlockHeader, new_height: u32) -> bool {
+		if self.update_best_block(new_height, header.time).is_err() {
+			return true;
 		}
 		false
 	}
@@ -4426,7 +4444,7 @@ impl<Signer: Sign> Writeable for Channel<Signer> {
 
 		self.funding_tx_confirmed_in.write(writer)?;
 		self.short_channel_id.write(writer)?;
-		self.funding_tx_confirmations.write(writer)?;
+		self.funding_tx_confirmation_height.write(writer)?;
 
 		self.counterparty_dust_limit_satoshis.write(writer)?;
 		self.holder_dust_limit_satoshis.write(writer)?;
@@ -4586,7 +4604,7 @@ impl<'a, Signer: Sign, K: Deref> ReadableArgs<&'a K> for Channel<Signer>
 
 		let funding_tx_confirmed_in = Readable::read(reader)?;
 		let short_channel_id = Readable::read(reader)?;
-		let funding_tx_confirmations = Readable::read(reader)?;
+		let funding_tx_confirmation_height = Readable::read(reader)?;
 
 		let counterparty_dust_limit_satoshis = Readable::read(reader)?;
 		let holder_dust_limit_satoshis = Readable::read(reader)?;
@@ -4656,7 +4674,7 @@ impl<'a, Signer: Sign, K: Deref> ReadableArgs<&'a K> for Channel<Signer>
 
 			funding_tx_confirmed_in,
 			short_channel_id,
-			funding_tx_confirmations,
+			funding_tx_confirmation_height,
 
 			counterparty_dust_limit_satoshis,
 			holder_dust_limit_satoshis,

lightning/src/ln/channelmanager.rs

@@ -3390,7 +3390,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 
 		assert_eq!(*self.last_block_hash.read().unwrap(), header.block_hash(),
 			"Blocks must be disconnected in chain-order - the disconnected header must be the last connected header");
-		self.latest_block_height.fetch_sub(1, Ordering::AcqRel);
+		let new_height = self.latest_block_height.fetch_sub(1, Ordering::AcqRel) as u32 - 1;
 		*self.last_block_hash.write().unwrap() = header.prev_blockhash;
 
 		let mut failed_channels = Vec::new();
@@ -3400,7 +3400,7 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			let short_to_id = &mut channel_state.short_to_id;
 			let pending_msg_events = &mut channel_state.pending_msg_events;
 			channel_state.by_id.retain(|_,  v| {
-				if v.block_disconnected(header) {
+				if v.block_disconnected(header, new_height) {
 					if let Some(short_id) = v.get_short_channel_id() {
 						short_to_id.remove(&short_id);
 					}