htlcswitch: reliable HTLC tracking

[halseth]

This PR is a primary step towards fixing #2183

We handle a few problems regarding atomicity of payments within the switch. Since the writing of a payment hash to the ControlTower and switch CircuitMap is not atomic, we risked these getting out of sync, and potentially leaving preimages in limbo. This PR attempts to fix a few of these issues by giving the htlcswitch the responsibility for storing the preimage a payment succeeds, and immediately returning them if we notice a replay of a payment. We do this by using the OutgoingPayment bucket within the DB also for in-fligh payments (not only for completed payments as before).

We ensure all outgoing payments are given a unique ID, since this is what is used to determine if a payment is already committed to the switch circuit.

To ensure the payment DB and CircuitMap stay in sync, we acquire a mutex tied to the particular paymentID before using them.

This is also a step towards idempotent payments, since we'll now return a pendingPayment as normal even if the HTLC is already sent.

TODO

• Fix compilation errors with existing unit tests.
• Unit tests for the following scenarios:
  • A a payment in flight, and we replay it on restart. It will be added to the DB, and at the same time it gets settled. Since we haven't yet added it to the pending payment map, no response is sent. We then add it to the pending payment map, but the event has already happened. We fix this by using a multimutex, this ensures that the payment won't be attempted settled between we add it to the DB and adding it to the pendingpayment map, and at the same time allows distinct payment IDs to be cleared concurrently.
  • Another race: we add the payment to the DB, add to pending payment map, a settle comes in and is removed from the circuit map, we add it to the circuit map again.

[cfromknecht]

@halseth did an initial pass, great commits!

[cfromknecht]

👍

[cfromknecht]

use ErrRouterShuttingDown?

[halseth]

lol, rebase fail

[cfromknecht]

do we need to hold the lock around ClearForTakeoff? this limits it to single writer, and we lose out on all benefits of using Batch

[halseth]

The reason I did this was to handle the case where ClearForTakeoff is called concurrently with a HTLC for the same payment has gets settled. Without the lock we risk getting ErrPaymentInFlight returned, but before we add the pending payment to the map the HTLC is settled.

I do see the lost benefit of batch... Time to bring out the multimutex? 😁

[halseth]

Used a multimutex, was the only way to really ensure the CircuitMap and ControlTower would always stay in sync.

[cfromknecht]

👍

[cfromknecht]

what if this overwrites an existing entry? seems the prior caller would never receive anything on their channels. do we need to support multiple subscribers?

[halseth]

The thought here was only to handle the restart case, and otherwise make the caller responsible for not sending the HTLC more than once. But I definitely see the advantages of just handling duplicate entries, will see if can be easily handled!

[cfromknecht]

and otherwise make the caller responsible for not sending the HTLC more than once

Isn't that hard to do if they have to call SendHTLC to see if they've already sent/re-register for ntfns?

Can you describe the scenario we're trying to solve?

[halseth]

Went back to return results to all callers, so no overwriting would happen!

[cfromknecht]

Am i understanding this right, in that we may reuse paymentID if one was found in ClearForTakeoff?

[cfromknecht]

Nvm we'd use the new one only if the payment was grounded which I think is okay

[cfromknecht]

the side-effects of this transaction are not idempotent, which means we may see invalid reads from any of these subcommands. specifically, pid and preimage should be set to zero values each time the function is invoked

[halseth]

Shouldn't matter, since pid is only used in case of ErrPaymentInFlight || nil and preimage only in case of ErrAlreadyPaid. But probably doesn't hurt to do what you suggest.

[cfromknecht]

This commit should be reverted, and leave the batch error handling as is. If the function returns an error, then each will be run in isolation (again). This is the intent behind capturing the errors, but allowing the transaction to return nil

https://github.com/etcd-io/bbolt/blob/master/db.go#L787

[halseth]

Ah, I see TIL! Will revert and maybe add a comment explaining this 👍

[halseth]

I was kinda puzzled by why it was done this way tbh, probably should have asked before changing it :p

[halseth]

Discussed a bit offline with @cfromknecht, have some ideas on how to simplify this quite a bit, and will push an update in a few days. Stay tuned.

[halseth]

Usage of the preimage cache to determine settled: Is it vulnerable to a form of attack where we are used as an intermediate node to get the preimage injected in our cache, preventing us from paying after restart?

If we already know the preimage, do we really want to pay to it? If we allow that, we risk any intermediate node also knowing it, being able to claim the payment before it reaches the receiver.

This PR originally allowed this, by keeping a map from paymentID->preimage we required the settle for this exact payment to succeed, not only the preimage being known. However, as discussed in #2265 (comment) this meant that an redundant preimage bucket structure was added, and the current version of the PR uses the preimage cache to avoid this.

cc @cfromknecht @joostjager

[cfromknecht]

If we already know the preimage, do we really want to pay to it? If we allow that, we risk any intermediate node also knowing it, being able to claim the payment before it reaches the receiver.

This is also true, but the new scenario joost is referring to is that we send the payment, then get used as an intermediary, restart, then report the payment succeeding even though we haven't heard back on the exact status of the payment.

However, as discussed in #2265 (comment) this meant that an redundant preimage bucket structure was added, and the current version of the PR uses the preimage cache to avoid this.

Would be nice to find a way to avoid the redundant storage, while also retaining the strictness of the original proposal.

[cfromknecht]

IMO this code should really stay in the htlcswitch as it's properties are very intertwined with the operation of the circuit map. It is a helper object of the switch, which should be used by w/e packages need to interact with SendHTLC

[cfromknecht]

Even if it's not used by the switch directly, it is exposed so that users of the htlcswitch package properly adhere to the semantics required by SendHTLC.

[halseth]

It seems that what we want is the ability to distinguish between a previous attempt that completed and that we have the preimage in our cache for some other reason.

This could be solved as in the original proposal with a persistent map pid->preimage, but as discussed earlier this necessitates a new bucket structure as far as I can tell. I think however this is okay, as it allows us to nicely separate the knowledge of the different parts of the payment flow between the router (OutgoingPayment, invoice, routes, map pid->paymenthash etc) and the switch (map pid->circuit, map pid->preimage).

We could reuse the OutgoingPayment bucket structure (https://github.com/lightningnetwork/lnd/blob/master/channeldb/payments.go) as much as possible, since these are already indexed by paymentID in the database. Currently this struct contains a payment preimage, but we could move this to its own bucket ("preimage bucket"), indexed by the same pid.

To send a payment, we would get a new unique pid, and create an outgoing payment in the database. Since no preimage was yet stored for this pid, this would indicate it is still in flight.

Sending the corresponding HTLC to the switch, it would commit the circuit, using the unique pid as key. Here we could add a check to the new "preimage bucket" in the same DB transaction to ensure we don't yet know the preimage. If we do, we return it.

When the result comes back, we would tear down the circuit and store the preimage (in case of success) in the same db transaction. The outgoing payment would therefore be considered settled, since the preimage now is found in the bucket.

In case the payment fails we could consider deleting the OutgoingPayment, but I think maybe it could be useful also keep failed payment attempts around?

This approach is essentially what I did in an earlier branch (master...halseth:reliable-payments-reused-buckets), except for storing the preimages in their own bucket. That approach was awkward since the switch needed to be aware of the whole OutgoingPayment and all its fields.

lmk what you think.

tl;dr: We use the OutgoingPayment struct in the DB to also encompass payments in flight (and failed even), and only write the preimage for this pid after the payment succeed.

[joostjager]

I think the commits lookup preimage in cache, ignore ErrDuplicateAdd and use multimutex should be squashed in a single commit.

The first two introduce functionality that doesn't really work reliable until the last is in place too. Checking out the intermediate commits doesn't give useful behaviour.

They are all small too and (at least to me) it would make review easier. To see a set of changes that together does something meaningful.

[joostjager]

Consider moving the control tower up to the router level already in this pr. To finalize the required switch changes for reliable payments.

[halseth]

Done. Note that there still might be some switch changes left (most notably making SendHTLC async), but I figured this PR was big enough as is now.

[joostjager]

Can the multi mutex be avoided by looking up the preimage after commiting the circuit? If it is present then, the circuit could be teared down again. Or left in half open state, where it will be cleaned up later.

[halseth]

Very good idea, don!

[joostjager]

Pasting my own notes used during review here for reference:

Switch.SendHTLC
        ControlTower.ClearForTakeoff
        multimutex lock
        LookupPreimage (return success if present)
        add pending payment in memory
        forward
                CommitCircuit (fail if duplicate payment id)
                async handoff to link
        multimutex unlock
        wait for payment complete

ChannelLink.handleUpstreamMsg
        AddPreimage
        Switch.handlePacketForward
                CloseCircuit
                Switch.handleLocalResponse
                        multimutex lock
                        Teardown circuit
                        remove pending payment in memory
                        multimutex unlock
                        ControlTower.success
                        signal payment complete

[halseth]

After discussion with @joostjager we came to a design that should be both simpler and easier to review. This is done by splitting up the forward method, such that we can lookup the preimage in the cache between committing the circuit and forwarding the HTLC to the link. This let us avoid the use of a multimutex, since we can just bail out after committing the circuit and finding the preimage present.

PTAL @joostjager @cfromknecht @Roasbeef

[joostjager]

Should this happen before teardown? To prevent this:

Teardown circuit

        CommitCircuit (succeeds)

        get or create pending payment in memory (create)

get or create pending payment in memory + signal result

        async handoff to link if commit succeeded (pay twice)

        wait for pending payment result

[halseth]

Yes, indeed! I also believe the pending payment should be created by SendHTLC after CommitCircuit, such that the two methods perform the operations in the opposite order: 6ffe4eb

Fixed: e07dc19

[halseth]

Blocked by #2501

[Roasbeef]

Chatted with Johan offline, and I think we went down this rabbit hole due to one of my earlier comments that was a bit vague. We discussed a simpler version that hopefully should be easier to implement and also reason about during review as it involves much less shuffling around of the existing control flow and doesn't introduce any new dependancies.

[Roasbeef]

Closing in favor of #2762.