Allow cancellation of pending splice funding negotiations

[wpaulino]

A user may wish to cancel an in-flight funding negotiation for whatever reason (e.g., mempool feerates have gone down, inability to sign, etc.), so we should make it possible for them to do so. Note that this can only be done for splice funding negotiations for which the user has made a contribution to.

[ldk-reviews-bot]

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

This .expect() can panic in release builds. While cancel_splice in channel.rs verifies made_contribution is true, the maybe_create_splice_funding_failed! macro additionally subtracts contributions that overlap with prior RBF rounds (via prior_contributed_inputs/outputs). For a non-initiator who reuses the same UTXOs across RBF attempts with no explicit output contributions, the subtraction can empty the lists, causing the macro to return None (line 6740-6742 of channel.rs: if !is_initiator && contributed_inputs.is_empty() && contributed_outputs.is_empty() { return None; }).

The debug_assert!(splice_funding_failed.is_some()) at channel.rs:12323 catches this in debug, but this expect will crash in release for that edge case. Consider handling None gracefully, e.g. by returning an APIError or skipping the events.

[wpaulino]

@jkczyz looks like that if statement it's referring to is indeed happening after the filtering. We should check whether the contribution is empty prior to filtering. I also noticed that we'll always emit DiscardFunding even when both contributed inputs and outputs are empty, we should only do so when there is actually something to discard.

[jkczyz]

@jkczyz looks like that if statement it's referring to is indeed happening after the filtering. We should check whether the contribution is empty prior to filtering.

Hmm... we may want to base this on #4514. It refactors that code a bit and removes maybe_create_splice_funding_failed!. I believe the new splice_funding_failed_for! macro does it correctly now (dc0609d)

I also noticed that we'll always emit DiscardFunding even when both contributed inputs and outputs are empty, we should only do so when there is actually something to discard.

I believe that is fixed in #4514, too. Can't recall if it's the same commit, but the PR should consolidate the filtering logic to FundingContribution::into_unique_contributions.

[ldk-claude-review-bot]

Review Summary

Two new issues found (in addition to the two previously flagged issues which remain unaddressed):

Inline comments posted:

1. lightning/src/ln/channelmanager.rs:4940-4941 — PersistenceNotifierGuard::manually_notify may not trigger event/persistence notification after successful cancellation. The old abandon_splice used optionally_notify with SkipPersistHandleEvents, ensuring the background processor was woken up. The new code relies solely on process_background_events(), which may return SkipPersistNoEvents, delaying delivery of SpliceFailed/DiscardFunding events and the tx_abort message. Other public APIs like funding_contributed and funding_transaction_signed use optionally_notify.

2. lightning/src/ln/splicing_tests.rs:3005-3007 — Dead code: the if state == 0 branch is unreachable because state 0 returns early at line 2990.

Previously flagged issues (still applicable):

• channel.rs:12795 — debug_assert!(splice_funding_failed.is_some()) can fail for non-initiator with RBF rounds where maybe_create_splice_funding_failed! filters all contributions.
• channel.rs:12754-12759 — Contribution check uses has_local_contribution() for AwaitingSignatures but contributed_inputs()/contributed_outputs() for other variants — different computation paths for the same semantic check.

Verification notes:

• The counterparty_aborted → allow_resumption parameter rename and boolean inversion are correct across all 8 call sites.
• The cancel_funding_contributed flow is sound for all FundingNegotiation states, including the quiescent_action early path.
• Quiescence state is correctly preserved across disconnect/reconnect for AwaitingSignatures, allowing post-reconnect cancellation.
• The reestablishment protocol provides crash recovery if persistence is missed.

[jkczyz]

Do we need to worry about updating PendingFunding::contributions when reseting? This may be a pre-existing issue, though.

[wpaulino]

Already fixed in a547960.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 4th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 5th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 6th Reminder

Hey @jkczyz! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-claude-review-bot]

The previous abandon_splice used PersistenceNotifierGuard::optionally_notify and returned NotifyOption::SkipPersistHandleEvents on success, which would wake up the background processor to deliver the newly-added SpliceFailed/DiscardFunding events and the tx_abort message promptly.

manually_notify delegates the notification decision to process_background_events(), which returns SkipPersistNoEvents when there are no pending background events. This means when no holding-cell HTLCs are freed (the handle_holding_cell_free_result path that calls notify()), the background processor is never woken up. Events and messages sit in memory until the next polling interval or until some unrelated activity triggers notification.

This is also a persistence concern: the splice state reset and quiescence exit modify channel state, but without notification, persistence may not happen until the next trigger. If the node crashes in between, the cancel is effectively lost (though the reestablishment protocol handles recovery).

Consider using optionally_notify (returning SkipPersistHandleEvents on success, SkipPersistNoEvents on error) to match the behavior of other public APIs like funding_contributed and funding_transaction_signed.

[ldk-claude-review-bot]

Dead code: state == 0 can never be true here because that case returned early at line 2990. The if branch is unreachable — only the else ever runs.

Suggested change

	acceptor.node.handle_tx_abort(node_id_initiator, tx_abort);
	if state == 0 {
	assert!(acceptor.node.get_and_clear_pending_msg_events().is_empty());
	acceptor.node.handle_tx_abort(node_id_initiator, tx_abort);
	{
	let tx_abort = get_event_msg!(acceptor, MessageSendEvent::SendTxAbort, node_id_initiator);