Fix holding cell freeing in case we fail to add some HTLC

[TheBlueMatt]

Based on #294.

Previously, if we went to free the holding cell HTLC updates, and
adding one failed as we hit our outbound HTLC limit (or in-flight
value limit), we would not send a commitment_signed, leaving us in
an invalid state. We first fix that bug, and then refuse to add
things to our holding cell once we reach our limits considering the
holding cell, as we shouldn't have multiple commitment dance rounds
worth of HTLCs in the holding cell anyway.

[TheBlueMatt]

Rebased.

[ariard]

See comments about your assumption if we hit HTLCs limit.
Btw, on d0275f8, channel.rs L 3171, in send_htlc, seems that comment doesn't match with check (think that is the comment which is wrong). Same on below check.

[ariard]

Your test don't check that right ? Because commenting out this part, it's still a success. So new requirement "if we went to free the holding cell HTLC updates, and adding one failed as we hit our outbound HTLC limit (or in-flight value limit), we would not send a commitment_signed" is not covered by test ?

[TheBlueMatt]

Yea, its not covered by the test, I'm not actually sure how to hit it after the other fixes, but if you dont have it and you do get a failure you will see the chanmon_fail_consistency test fail due to broken consistency (also if you only include this fix and comment out the "Cannot push more than their max accepted HTLCs" check, the test fails).

[ariard]

Yes try to hit it but seems hard to me because you will ever hit fix in get_outbound_pending_htlc_states while waiting for remote RAA and at handling this one you will flush the whole in a strait. You weren't able to backport the failure from chanmon_fail_consistency ? (try to test but hit failure assert from rust-secp on 1.29.2). Wonder if the fail come from an AddHTLC and not other cases..

[TheBlueMatt]

The test case here is (essentially) the backport from the fuzz test, but it won't actually hit because of the changes to considering holding cell when adding. Note that if you comment those changes out and a few bits of the test you can test this.

[ariard]

Yes but because fix in get_outbound_pending_htlc_stats, are we sure that the one in free_holding_cell_htlcs is still relevant? As you said you don't know how to hit it and me too

[TheBlueMatt]

No, I'm not, but it cant hurt :p (and I know its possible to hit with update_fee stuff, but hopefully that goes away before we have to care).

[ariard]

Ahah okay agree on the can't hurt

[ariard]

Also see #295 (review), seems to me some errors msgs in send_htlc are wrong.

[ariard]

Oh and maybe confusing "And then refuse to add things to our holding cell once we reach our limits considering the holding cell" isn't this TODO L3186 in channel.rs ?

[TheBlueMatt]

As for the error messages being confused, who's reserve value things are kinda goes both ways. Its our reserve value in that its the amount we have to keep to ourselves (as reserve), but its set by them, and to keep variable names consistent, the variable is their_reserve.

[ariard]

Nah don't talking about reserve value, but the one above, we check against their_max_htlc_value_in_flight_msat but we send back as error msg "Cannot send value that would put us over our max HTLC value in flight"?

[TheBlueMatt]

After IRC discussion removed the "our" to reduce confusion.