fuzz: add force-close support to chanmon_consistency #4381
👋 I see @wpaulino was un-assigned.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #4381 +/- ##
==========================================
+ Coverage 86.58% 86.68% +0.10%
==========================================
Files 159 159
Lines 110498 110827 +329
Branches 110498 110827 +329
==========================================
+ Hits 95678 96075 +397
+ Misses 12281 12221 -60
+ Partials 2539 2531 -8
|
| }, | ||
| events::Event::SplicePending { .. } => {}, | ||
| events::Event::SpliceFailed { .. } => {}, | ||
| events::Event::ChannelClosed { .. } => {}, |
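Review bot: The `events::Event::ChannelClosed { .. } => {},` arm at the end of this match ignores every field of the event and does nothing, so a closure the harness did not initiate is handled exactly like an expected one. Consider binding the closure reason and the channel identifier here and asserting that the harness was expecting this channel to close.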
We should probably open a new channel to replace the force closed one?
My plan is to start with closing only, but indeed, re-opening is interesting too perhaps.
Needs rebase. Is this stalled waiting on fixes that were discovered by the fuzzer?
I was working on my local branch only for a while. Just pushed what I have. But indeed, the mixed mode failure is also showing up in different ways with fc fuzzing.
Rebased onto #4571, because compile times became unworkable with the many macros.
Have ChannelMonitor hand singular ClaimRequests to OnchainTxHandler. Convert them to PackageTemplates only after duplicate filtering. This makes the single-outpoint invariant explicit at that boundary.
Clarify ChannelMonitor comments around on-chain event thresholds. Some events only wait for anti-reorg finality, while CSV-delayed outputs wait until spendable through the same threshold queue.
Move repeated OnchainTxHandler setup into shared test helpers so the claim-replay coverage can focus on the behavior under test.
Add a monitor test for an inbound HTLC claimed by preimage from a holder commitment. Confirm that the claimable balance remains unchanged after the HTLC-success spend reaches anti-reorg finality but before the CSV-delayed output is spendable.
Treat HTLCSpendConfirmation entries as irrevocably resolved once the commitment HTLC output spend reaches anti-reorg finality. Do not wait for CSV maturity of any delayed output created by that spend. Delayed outputs remain tracked separately as MaturingOutput entries, keeping claimable balances alive until they are CSV-mature and can be surfaced as SpendableOutputs.
Check that any HTLCSpendConfirmation carrying a local-output CSV has a matching delayed MaturingOutput. Scan spendable outputs before recording HTLC spend confirmations so the invariant is present when the assertion runs.
A replayed holder HTLC claim may arrive as a single-outpoint request after earlier requests were merged into a delayed package. Check whether an existing delayed package already covers the new request instead of requiring exact outpoint-set equality. Add focused OnchainTxHandler coverage and a ChannelMonitor regression through claim_funds for both current anchor variants.
When a transaction spends one outpoint from a delayed package, the split outpoint is tracked as a ContentiousOutpoint until the spend reaches anti-reorg finality. Reject replayed claim requests for those pending-spent outpoints so they are not added back before the spend reaches anti-reorg finality or reorgs out. Add an OnchainTxHandler regression that replays a holder claim during that pending-spent window and verifies reorg resurrection still works.
Classify duplicate outpoint state in one helper. Preserve existing filter ordering and timelock logging.
Filter regenerated HTLC claim requests once ChannelMonitor has persisted anti-reorg finality for the commitment HTLC output spend. This keeps replayed preimage updates from recreating claims after OnchainTxHandler has cleaned up its active retry state, relying on the monitor's persisted HTLC resolution state.
Log when a replayed preimage claim is skipped because the HTLC output reached anti-reorg finality without that preimage.
Hash HTLC claim outpoints in canonical order so the same logical HTLC set produces the same ClaimId regardless of descriptor order. Add a unit test covering reversed descriptor order.
Restore cfg(splicing) to the fuzz check-cfg allow list and gate chanmon consistency splice opcodes on that cfg again. Without the cfg, those inputs stop before executing splice-specific operations.
Route chanmon broadcasts through an explicit harness mempool. Relay, mining, wallet updates, and chain delivery share one path. This lets splice, anchor, and claim txs enter the mempool before mining.
Allow chanmon consistency inputs to block and later unblock holder-side signing operations. This lets focused force-close fuzzing reuse the signer-op machinery without carrying the larger mining and settlement model.
Replace repeated per-node setup and event-processing calls with loops. Keep the existing assertions and early-continue behavior intact.
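The replay filtering described in the commit messages above (delayed-package coverage, pending-spent rejection, one classifying helper), as an added example that is not code from this PR or from LDK. It is a simplified model: `Handler`, `Dup`, `classify`, `spend_confirmed` and `block_disconnected` are hypothetical names, outpoints are constructed tuples, and the check order and the way a reorg re-tracks an outpoint are assumptions.

```rust
use std::collections::{BTreeSet, HashMap};

// Simplified model of the replay filtering; names are hypothetical, not LDK's.
type Outpoint = (u8, u32); // constructed (txid tag, vout)

#[derive(Debug, PartialEq)]
enum Dup { New, InDelayedPackage, PendingSpent }

#[derive(Default)]
struct Handler {
    delayed: Vec<BTreeSet<Outpoint>>,     // timelocked packages, possibly merged
    contentious: HashMap<Outpoint, u32>,  // split-off outpoint -> spend height
}

impl Handler {
    // Classify one single-outpoint claim request against tracked state.
    fn classify(&self, req: &Outpoint) -> Dup {
        if self.contentious.contains_key(req) {
            return Dup::PendingSpent; // spend awaits anti-reorg finality
        }
        // Coverage, not set equality: {req} != {a, req} but is covered by it.
        if self.delayed.iter().any(|p| p.contains(req)) {
            return Dup::InDelayedPackage;
        }
        Dup::New
    }

    // A confirmed tx spends one outpoint of a delayed package: split it off.
    fn spend_confirmed(&mut self, op: Outpoint, height: u32) {
        for p in self.delayed.iter_mut() {
            if p.remove(&op) { self.contentious.insert(op, height); }
        }
    }

    // Disconnecting the spending block resurrects the outpoint as claimable.
    fn block_disconnected(&mut self, height: u32) {
        let back: Vec<Outpoint> = self.contentious.iter()
            .filter(|(_, h)| **h >= height).map(|(o, _)| *o).collect();
        for op in back {
            self.contentious.remove(&op);
            self.delayed.push(BTreeSet::from([op]));
        }
    }
}

fn main() {
    let mut h = Handler::default();
    h.delayed.push(BTreeSet::from([(1, 0), (1, 1)]));
    println!("{:?}", h.classify(&(1, 1)));
}
```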
Splitting functionality out of this final destination PR is still ongoing. The biggest chunk at the moment is the mempool modeling, which now has its own PR #4657. I’ve also expanded the fuzzing concept from covering only explicit user-triggered force closes to covering organic force closes as well, where LDK naturally force-closes because HTLCs time out. The latter requires more bookkeeping to keep stable invariants: we should only allow force closes when the harness expects them. Side note: payment tracking is another area that becomes more complex, because dust may impact what the final outcome is for the sender.
Fold the mempool follow-up into the force-close fuzzing layer so this branch has one commit for settlement coverage. Keep relay and mining opcodes from the mempool model while adding explicit and timeout-driven close tracking, holder signer unblocks, and cleanup that drives on-chain claims.
Add force-close coverage to the chanmon_consistency fuzzer. Previously, the fuzzer only exercised cooperative channel flows. This PR enables the fuzzer to force-close channels and verify that on-chain resolution, HTLC timeouts, and payment preimage propagation all work correctly under channel monitor consistency constraints.
Based on #4583, #4657, #4660