Locked splice bug fixes during channel reestablishment by wpaulino · Pull Request #4624 · lightningdevkit/rust-lightning

wpaulino · 2026-05-19T23:31:46Z

This PR includes fixes for two bugs/edge cases when handling a locked splice during reestablishment. These were found by the chanmon_consistency fuzz target.

ldk-reviews-bot · 2026-05-19T23:31:49Z

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

ldk-claude-review-bot · 2026-05-19T23:37:35Z

I've completed a thorough re-review of the entire PR diff, examining all changes across channel.rs, channelmanager.rs, and splicing_tests.rs. I verified:

Lock ordering safety: The new _with_funded_channel methods acquire short_to_chan_info.write(), pending_events.lock(), config.read(), and best_block.read() while peer_state is held. This follows the established lock ordering pattern already used throughout the codebase (e.g., in do_chain_event at lines 16379, 16395).
splice_locked vs inferred_splice_locked separation: splice_locked (what we need to re-send) flows through FundingTxSigned → handle_channel_resumption → SendSpliceLocked message event. inferred_splice_locked (what we infer the peer sent) flows through internal_splice_locked_with_funded_channel for local promotion. These are correctly distinct paths.
funding_locked_txid_sent_in_reestablish filtering: Correctly prevents duplicate splice_locked when the txid was already conveyed via my_current_funding_locked in the reestablish. The field is transient (not serialized), set at reestablish-send time, and consumed via .take() at reestablish-receive time.
Ordering of splice promotion vs holding cell freeing: internal_splice_locked_with_funded_channel runs inside the match arm (before check_free_peer_holding_cells). If the resulting monitor update is async, the channel's pending monitor flag prevents maybe_free_holding_cell_htlcs from releasing cells prematurely.
Error propagation: try_channel_entry! returns from the function on error, so check_free_peer_holding_cells is correctly skipped when the channel is force-closed.
All constructor sites: All 5 ReestablishResponses sites include splice_locked, all 4 ChannelContext constructors include funding_locked_txid_sent_in_reestablish: None.

No issues found.

codecov · 2026-05-20T00:56:11Z

Codecov Report

❌ Patch coverage is 96.98795% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.62%. Comparing base (1060865) to head (5e14a3f).
⚠️ Report is 12 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channelmanager.rs	96.52%	1 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4624      +/-   ##
==========================================
+ Coverage   86.59%   86.62%   +0.03%     
==========================================
  Files         159      159              
  Lines      110420   110568     +148     
  Branches   110420   110568     +148     
==========================================
+ Hits        95619    95784     +165     
+ Misses      12267    12250      -17     
  Partials     2534     2534

Flag	Coverage Δ
fuzzing-fake-hashes	`6.61% <0.00%> (+0.04%)`	⬆️
fuzzing-real-hashes	`23.26% <28.91%> (+0.10%)`	⬆️
tests	`86.23% <96.98%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

jkczyz · 2026-05-20T22:11:49Z

+		let funding_locked_txid_sent_in_reestablish =
+			self.context.funding_locked_txid_sent_in_reestablish.take();


Is there any situation where we'd get here before calling get_channel_reestablish?

No because get_channel_reestablish gets called as soon as the peer is tracked in the manager as connected

jkczyz · 2026-05-20T22:29:16Z

+			if let Some(channel_ready_msg) = need_lnd_workaround {
+				self.internal_channel_ready_with_peer_state(counterparty_node_id, &channel_ready_msg, peer_state)?;
 			}
-		};

-		self.handle_holding_cell_free_result(holding_cell_res);
+			// A reestablish may infer a missed `splice_locked`; apply it before freeing holding
+			// cells so we don't generate commitment updates against stale splice state.
+			let post_splice_locked_update = if let Some(splice_locked) = inferred_splice_locked {
+				self.internal_splice_locked_with_peer_state(counterparty_node_id, &splice_locked, peer_state)?
+			} else {
+				None
+			};

-		if let Some(channel_ready_msg) = need_lnd_workaround {
-			self.internal_channel_ready(counterparty_node_id, &channel_ready_msg)?;
-		}
+			let holding_cell_res = self.check_free_peer_holding_cells(peer_state);
+			(post_splice_locked_update, holding_cell_res)
+		};

-		if let Some(splice_locked) = inferred_splice_locked {
-			self.internal_splice_locked(counterparty_node_id, &splice_locked)?;
+		if let Some(data) = post_splice_locked_update {
+			self.handle_post_monitor_update_chan_resume(data);
 		}
+		self.handle_holding_cell_free_result(holding_cell_res);


Should we do most of this inside of the hash_map::Entry::Occupied arm above? Was thinking we'd avoid the duplicate lookups, too.

Even just doing this change wasn't really worth it since this isn't a hot path

jkczyz · 2026-05-20T22:36:51Z

+		mem::drop(peer_state_lock);
+		mem::drop(per_peer_state);


Why don't we need to do the same in internal_channel_reestablish?

Because there the peer state is declared within a nested scope

In most cases, we end up sending our `splice_locked` either implicitly during reestablishment via `ChannelReestablish::my_current_funding_locked`, or explicitly after reestablishment. However, we did not consider that it's possible for the node to be notified of the splice confirmation after connecting to their peer but prior to reestablishing their channel. In such cases, we need to explicitly send the `splice_locked` since it wasn't included in `my_current_funding_locked`, but only after the channel has been reestablished. Found by the chanmon_consistency fuzz target.

Upon channel reestablishment, we free our holding cells to send any pending updates to our peer. If we happened to implicitly lock a pending splice during reestablishment, we want to make sure any updates we send after the fact are considering the new channel state (post-splice), even if the update was queued while the splice was still pending. Therefore, we must always handle the inferred `splice_locked` first. Found by the `chanmon_consistency` fuzz target.

wpaulino added this to the 0.3 milestone May 19, 2026

wpaulino requested review from TheBlueMatt and jkczyz May 19, 2026 23:31

wpaulino self-assigned this May 19, 2026

jkczyz reviewed May 20, 2026

View reviewed changes

Comment thread lightning/src/ln/channelmanager.rs

Comment thread lightning/src/ln/channelmanager.rs Outdated

wpaulino force-pushed the splice-locked-reestablish-fixes branch from 16fb802 to 24bac54 Compare May 20, 2026 18:44

wpaulino requested a review from jkczyz May 20, 2026 18:44

jkczyz reviewed May 20, 2026

View reviewed changes

wpaulino added 2 commits May 20, 2026 16:35

wpaulino force-pushed the splice-locked-reestablish-fixes branch from 24bac54 to 5e14a3f Compare May 20, 2026 23:36

TheBlueMatt approved these changes May 21, 2026

View reviewed changes

jkczyz approved these changes May 21, 2026

View reviewed changes

jkczyz merged commit 9ce02b3 into lightningdevkit:main May 21, 2026
24 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Locked splice bug fixes during channel reestablishment#4624

Locked splice bug fixes during channel reestablishment#4624
jkczyz merged 2 commits into
lightningdevkit:mainfrom
wpaulino:splice-locked-reestablish-fixes

wpaulino commented May 19, 2026

Uh oh!

ldk-reviews-bot commented May 19, 2026 •

edited

Loading

Uh oh!

ldk-claude-review-bot commented May 19, 2026 •

edited

Loading

Uh oh!

codecov Bot commented May 20, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

jkczyz May 20, 2026

Uh oh!

wpaulino May 20, 2026

Uh oh!

jkczyz May 20, 2026

Uh oh!

wpaulino May 20, 2026

Uh oh!

jkczyz May 20, 2026

Uh oh!

wpaulino May 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

		let funding_locked_txid_sent_in_reestablish =
		self.context.funding_locked_txid_sent_in_reestablish.take();

Conversation

wpaulino commented May 19, 2026

Uh oh!

ldk-reviews-bot commented May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ldk-claude-review-bot commented May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented May 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

jkczyz May 20, 2026

Choose a reason for hiding this comment

Uh oh!

wpaulino May 20, 2026

Choose a reason for hiding this comment

Uh oh!

jkczyz May 20, 2026

Choose a reason for hiding this comment

Uh oh!

wpaulino May 20, 2026

Choose a reason for hiding this comment

Uh oh!

jkczyz May 20, 2026

Choose a reason for hiding this comment

Uh oh!

wpaulino May 20, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

ldk-reviews-bot commented May 19, 2026 •

edited

Loading

ldk-claude-review-bot commented May 19, 2026 •

edited

Loading

codecov Bot commented May 20, 2026 •

edited

Loading