routing: fix stuck inflight payments

[yyforyongyu]

Replaces #8150, this PR attempts to fix #8146.

Timed out HTLCs are properly handle

The original assumption was, when the HTLC timed out, the attempt result wasn't sent back the payment lifecycle, thus causing the payment to be in stuck. However, this assumption is not true, as shown in the newly added itest - when an outgoing HTLC has timed out, the payment will be marked as failed. Moreover, if the outgoing HTLC is swept by the remote via the preimage path, the payment will be marked as succeeded. All these are expected behavior.

HTLC Attempt result is not saved

If there's already a result in db, GetAttemptResult will return it, so the result must not be found in db. Also notice that, since there's no result in db, the only line we can hit is:

lnd/htlcswitch/switch.go

Line 466 in e6fbaaf

nChan, err = s.networkResults.subscribeResult(attemptID)

as otherwise hitting this line will return the error ErrPaymentIDNotFound:

lnd/htlcswitch/switch.go

Line 456 in e6fbaaf

res, err := s.networkResults.getResult(attemptID)

And the method GetAttemptResult is blocking at line:

lnd/htlcswitch/switch.go

Line 456 in e6fbaaf

res, err := s.networkResults.getResult(attemptID)

On the other hand, these network results will be cleaned when ChannelRouter starts here:

lnd/routing/router.go

Line 657 in e6fbaaf

if err := r.cfg.Payer.CleanStore(toKeep); err != nil {

But this cleanup only applied to terminated payments. For inflight payments, we always keep the network results. This rules out the possibility that the HTLC attempt once had a result but was later removed.

This seems to leave us only one possibility - that the network result was never written to disk, causing an HTLC attempt waiting for its result forever, hence the payment stayed inflight, which leads to suspicion that this line is hit, thus the line go s.handleLocalResponse(packet) is skipped so the result is not saved:

lnd/htlcswitch/switch.go

Lines 1289 to 1293 in e02fd39

	// closeCircuit returns a nil circuit when a settle packet returns an
	// ErrUnknownCircuit error upon the inner call to CloseCircuit.
	if circuit == nil {
	return nil
	}

This PR refactors handlePacketForward and makes sure the network result is always saved for locally-initiated packet.

Fixes,

• fix [bug]: trackpayment shows payment IN_FLIGHT but logs shows failed: no_route #8178
• fix [bug]: LND consumes a lot of memory during start up, subsequently releasing when start up is successful. #7829
• fix Payment status: IN_FLIGHT (stuck) - (updated) -> v0.13.1-beta.rc2 #5396
• fix LND has some very old inflight payments without associated HTLC  #6834

[saubyk]

cc: @Roasbeef for approach ack

[bitromortac]

First pass done, looks really good already 🔥. I'll let this run on a node that has stuck inflight payments.

[bitromortac]

Is the repeated itest needed? What's the main difference for SendPaymentV2?

[yyforyongyu]

Not sure I follow, but it's testing a different RPC? Tho SendToRouteV2 looks similar to SendPaymentV2, it's nonetheless an independent RPC that can diverge someday.

[bitromortac]

is that change needed? I think for the same reason mentioned below, we don't expect UpdateFailMalformedHTLC here because of the conversion, right?

[yyforyongyu]

Good catch! Yeah based on the callsites I don't think this is needed, now removed.

[bitromortac]

nit: payHash can be used more to compress some lines below

[yyforyongyu]

done!

[yyforyongyu]

lightninglabs-deploy mute 336h

[yyforyongyu]

!lightninglabs-deploy mute 336h30m

[yyforyongyu]

!lightninglabs-deploy mute 336h30m

[kilrau]

Why are you guys muting this? This happens in prod and imo serious

[saubyk]

Why are you guys muting this? This happens in prod and imo serious

Hi @kilrau the notifications for reviews were muted as YY focused on other prs, but as you can see the pr is still tagged for 18.3 and will be picked up again soon

[kilrau]

Why are you guys muting this? This happens in prod and imo serious

Hi @kilrau the notifications for reviews were muted as YY focused on other prs, but as you can see the pr is still tagged for 18.3 and will be picked up again soon

Getting this into 0.18.3 sounds good 🙏

[coderabbitai]

Important

Review skipped

Auto reviews are limited to specific labels.

Labels to auto review (1)

• llm-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[ziggie1984]

Exchanged with the guys from the BOLTZ team, and it seems like they are suffering from another issue in regards of Inflight Payments which I am not sure this PR will solve.

There seems to be an edge case where we fail a payment ( exitresumePayment) although we have still Inflight HTLCs which need to be resolved. This has some side effects:

When a service tries to use trackpayment => this call remains pending although we already canceled all resultCollector goroutines, so it will pending until the next restart.

Moreover this payment will be inflight until the next restart in general, where we try to recollect all the Inflight HTLCs of a payment.

I think I might have found the culprit based on a logs of a payment attempt which got stuck:

So basically we are in the process of adding a new HTLC Attempt to the payment here:

Code parts taken from this PR.

attempt, err := p.registerAttempt(rt, ps.RemainingAmt)
		if err != nil {
			return exitWithErr(err)
		}

This will however return an error if the payment is failed already in
func (p *controlTower) RegisterAttempt(....

// Check if registering a new attempt is allowed.
		if err := payment.Registrable(); err != nil {
			return err
		}

hence the Payment Lifecycle will exit with (as seen in the picture):

	// If the payment is already failed, we won't allow adding more HTLCs.
	if m.State.PaymentFailed {
		return ErrPaymentPendingFailed
	}

I think the problem is For MPP when we hit the MPP Timeout error we would mark a payment prematurely as failed although HTLCs are still pending in handleSwitchErr

Because we would fail a payment as soon as the final hop reported the failure which is the case for the MPP Timeout for example.

I think my analysis describes whats happening in the above log picture, although it's not a full log but just a grep of the payment hash. However I think we really need to be carefull to not prematurely kill the payment lifecycle until all HTLCs reported back, or when killing the payment flow, we should at least also kill the trackpayment stream so that the subscriber is not waiting forever.

[ziggie1984]

here is another log which shows the MPP-Timeout of one of the HTLCAttempts:

[ziggie1984]

First pass done, mostly nits. Except from my other comment related to the other problem with Inflight HTLCs.

[ziggie1984]

Nit: handlePacketAdd => handlePacketSettle

[yyforyongyu]

fixed

[ziggie1984]

Nit: ... and when UpdateFulfillHTLC is received.

[yyforyongyu]

done!

[ziggie1984]

Nit: godocs

[yyforyongyu]

fixed

[ziggie1984]

Nit: Maybe add a comment why both checks, the stream and the normal findpayment command should be done here ?

[yyforyongyu]

done!

[ziggie1984]

Q: when can this happen, would be good to describe it in the comment.

[yyforyongyu]

Cool let me dig a bit...

[ziggie1984]

wondering whether the three commits on top of this PR are related ?

[yyforyongyu]

you mean the last three? yeah they are related as they are required to get the itest pass.

[ziggie1984]

maybe switch the order so we have the release at the end ?

[yyforyongyu]

Interesting case @ziggie1984! Cool could you open a new issue to track this instead - think I know what happened, but don't have a good fix, plus I prefer not growing the scope of this PR to stay focused. In short it's due to async fetching of the same payment, and it happens when an invoice times out exactly during the period while the node is still restarting. Would also be great to have raw logs instead of screenshots, as the timestamps were messed up and difficult to analyze.

[bitromortac]

Nice, looks very close 🚀, just a few nits and questions.

[ziggie1984]

LGTM 🐝, still had some general questions about this code change but all non-blocking

[ziggie1984]

So we clean the store only once on startup ? Would it make sense to run this periodically:

from the comment of the clean function:

This should be called
// preiodically to let the switch clean up payment results that we have
// handled.

[yyforyongyu]

Good q - yeah I think it should be cleaned more frequently. I also remember we can fetch whatever is stored here from our open channel, which makes this store redundant. Will make an issue to track it - either clean it more often or just don't store it.

[ziggie1984]

Q: Is the hash set equal of AMP being used ?

[yyforyongyu]

yeah I think so

[ziggie1984]

Nit: maybe add it to the comment then, I would have found it useful ?

[ziggie1984]

should be => can we be sure that INFLIGHT HTLCs will never have payment status (e.g. StatusInFlight) which could lead us to retry the payment and send more HTCL attempts ?

[yyforyongyu]

I think once there are inflight HTLCs the payment should always be StatusInFlight tho,

lnd/channeldb/payment_status.go

Lines 142 to 153 in ab96de3

	// Based on the above variables, we derive the status using the following
	// table,
	// | inflight | settled | htlc failed | payment failed | status |
	// |:--------:|:-------:|:-----------:|:--------------:|:--------------------:|
	// | true | true | true | true | StatusInFlight |
	// | true | true | true | false | StatusInFlight |
	// | true | true | false | true | StatusInFlight |
	// | true | true | false | false | StatusInFlight |
	// | true | false | true | true | StatusInFlight |
	// | true | false | true | false | StatusInFlight |
	// | true | false | false | true | StatusInFlight |
	// | true | false | false | false | StatusInFlight |

Since the fee limit is zero, it means there are no routes to be tried, unless we can find a zero-fee route.

[ziggie1984]

would the zero-fee route cause a problem in terms of not setting a timeout here ?

[yyforyongyu]

if there exists a zero-fee route (which seems impossible?), then whether to send another attempt or not is determined by the remaining payment amt, if it's not zero, then another attempt will be tried.

[bitromortac]

A question is whether we really would like to set a zero fee limit here (and starve the payment), as in principle we may want to have payments to continue after a restart, right? I think that's why resumePayment was added. Do we have an itest for a payment that continues its pathfinding after a restart?

[yyforyongyu]

Good question! I think we need to revisit the restart process a bit - atm, there's the existing issue re how we should go and handle the payment timeout from the sender side. The second issue now is the one you mentioned above. Say we have this case,

1. invoice has a timeout of 60s.
2. the sender tries to fulfill the invoice via MPP, say htlc1 and htlc2.
3. htlc1 is sent, but if the sender restarts before sending htlc2(or even before the creation of it, as long as there's a remaining amount), and,
4. the sender's restart finishes before the invoice times out.
5. the payment is now resumed, with only htlc1 sent, and some remaining amount to try.

In this case, this payment is def gonna fail since it won't try another route. I also don't think this is an urgent issue, also guess that's why we log errors during the shutdown process if we still have inflight payments. There are multiple ways to fix it and think it's worthy having a tracking issue.

[ziggie1984]

maybe switch the order so we have the release at the end ?

[ziggie1984]

maybe add in the description that the culprit of this problem is still not detected ? (Meaning why those payments are still inflight and did not resolve their corresponding payment attempt)

[yyforyongyu]

cool updated.

[ziggie1984]

Could you find out which misalignments in particular ?

[yyforyongyu]

That's what the TODO is for...

[ziggie1984]

ok sure, was just asking what misalignment means in this context, afaict it means somehow we mark channels prematurely as closed although they are still pending ?

[bitromortac]

LGTM ⚡