Exit quiescence when splice_init and tx_init_rbf are rejected

[jkczyz]

Summary

• Fix quiescence not being exited when tx_init_rbf or splice_init is rejected with Abort (e.g., insufficient RBF feerate, negotiation in progress), which left the channel stuck in a quiescent state
• Refactor both handlers to return InteractiveTxMsgError, reusing the same pattern already used by the interactive TX message handlers, with a shared handle_interactive_tx_msg_err helper in channelmanager

Test plan

• Existing test_splice_rbf_insufficient_feerate updated to verify quiescence is properly exited after tx_abort
• Existing test_splice_feerate_too_high updated to verify quiescence is properly exited after splice_init rejection
• All splicing tests pass

🤖 Generated with Claude Code

Based on #4494.

[ldk-reviews-bot]

👋 Thanks for assigning @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 84.72222% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.04%. Comparing base (2adb690) to head (bdc17dc).
⚠️ Report is 15 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channelmanager.rs	78.78%	12 Missing and 2 partials ⚠️
lightning/src/ln/channel.rs	89.74%	7 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4495      +/-   ##
==========================================
- Coverage   87.09%   87.04%   -0.05%     
==========================================
  Files         163      163              
  Lines      108856   108649     -207     
  Branches   108856   108649     -207     
==========================================
- Hits        94808    94575     -233     
- Misses      11563    11606      +43     
+ Partials     2485     2468      -17     

Flag	Coverage Δ
fuzzing	40.17% <55.55%> (-0.03%)	⬇️
tests	86.13% <84.72%> (-0.07%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-claude-review-bot]

In splice_init, resolve_queued_contribution (which can return Abort(FeeRateTooHigh)) is called before validate_splice_init checks is_quiescent(). If a misbehaving peer sends splice_init during the STFU handshake (before quiescence is established), and the holder has a queued contribution with a low max_feerate, the Abort error would flow into quiescent_negotiation_err → exit_quiescence(), which has debug_assert!(!is_local_stfu_sent()) / debug_assert!(!is_remote_stfu_sent()).

Those asserts would fire because the STFU flags are still set (handshake incomplete). In release builds, exit_quiescence would harmlessly return false, but in debug/test builds this would panic.

Same issue applies to tx_init_rbf at line 12762 (and line 12780).

Consider guarding with an is_quiescent() check before calling exit_quiescence:

Suggested change

	fn quiescent_negotiation_err(&mut self, err: ChannelError) -> InteractiveTxMsgError {
	let exited_quiescence =
	if matches!(err, ChannelError::Abort(_)) { self.exit_quiescence() } else { false };
	InteractiveTxMsgError { err, splice_funding_failed: None, exited_quiescence }
	}
	fn quiescent_negotiation_err(&mut self, err: ChannelError) -> InteractiveTxMsgError {
	let exited_quiescence = if matches!(err, ChannelError::Abort(_))
	&& self.context.channel_state.is_quiescent()
	{
	self.exit_quiescence()
	} else {
	false
	};
	InteractiveTxMsgError { err, splice_funding_failed: None, exited_quiescence }
	}

[jkczyz]

Fixed, though I took the opportunity to have validate_splice_init and validate_ tx_init_rbf no longer call validate_splice_contributions and FundingScope::for_splice. Rather they are called at those call sites. This let's us check if we are quiescent before checking fee rates when calling resolve_queued_contribution.

[ldk-claude-review-bot]

No new issues found beyond the prior review comments.

Prior comment status:

• lightning/src/ln/channel.rs:14248 (quiescent_negotiation_err debug_assert) — On deeper analysis, this appears to be a false positive. Both validate_splice_init (line 12687) and validate_tx_init_rbf (line 12957) check is_quiescent() early and return WarnAndDisconnect if not quiescent. All Abort-producing code paths are gated behind these checks, so debug_assert!(is_quiescent()) in quiescent_negotiation_err should always hold. The new tests test_splice_init_before_quiescence_sends_warning and test_tx_init_rbf_before_quiescence_sends_warning confirm the correct behavior.

• lightning/src/ln/channel.rs:9358 (on_tx_signatures_exchange else branch) — On re-reading the diff, exit_quiescence() at line 9360 is positioned after the inner if let / else block but still inside the outer if let Some(pending_splice) block. It is called for both the success and debug_assert!(false) branches. My prior comment was incorrect.

• Minor observations about internal_tx_complete duplication and needs_holding_cell_release being broader than the old flag remain valid but harmless, as confirmed by the can_generate_new_commitment() guard (line 8671) and assert!(!is_quiescent()) (line 8686) in the holding cell release path.

[jkczyz]

Note that we'll now abort an in-progress RBF if the counterparty misbehaves by sending us tx_init_rbf. The spec isn't really clear on what to do here. There's a similar case in validate_splice_init where we'll disconnect if we already have a pending splice (even if negotiation is still in progress). The spec does indicate this should be done. So maybe both of these are fine?

[jkczyz]

Rebased

[wpaulino]

Hm I'm not sure we want to use this since the debug assertions there are reachable, but the mark_response_received call makes me realize we may need to do this elsewhere to avoid an unintentional disconnect (maybe write a test to confirm?).

[jkczyz]

Hm I'm not sure we want to use this since the debug assertions there are reachable,

The fixup commit makes sure that we don't return ChannelError::Abort until we know we are quiescent, so I think those asserts are unreachable from here?

but the mark_response_received call makes me realize we may need to do this elsewhere to avoid an unintentional disconnect (maybe write a test to confirm?).

Like when processing splice_init, splice_ack, tx_init_rbf, tx_ack_rbf, or interactive-tx messages?

One thing I noticed when exploring this as since we don't have a FundedChannel for v2 establishment, we use UNFUNDED_CHANNEL_AGE_LIMIT_TICKS to timeout instead. So updating sent_message_awaiting_response on the ChannelContext has no effect there. We'd effectively have two different mechanisms for timing out. Are we ok with that? Or should we try to use the UNFUNDED_CHANNEL_AGE_LIMIT_TICKS for splice funding, too?

[wpaulino]

Like when processing splice_init, splice_ack, tx_init_rbf, tx_ack_rbf, or interactive-tx messages?

It should be when processing a message that triggers the end of quiescence (see FundedChannel::should_disconnect_peer_awaiting_response), so either tx_abort or tx_signatures.

One thing I noticed when exploring this as since we don't have a FundedChannel for v2 establishment, we use UNFUNDED_CHANNEL_AGE_LIMIT_TICKS to timeout instead. So updating sent_message_awaiting_response on the ChannelContext has no effect there. We'd effectively have two different mechanisms for timing out. Are we ok with that? Or should we try to use the UNFUNDED_CHANNEL_AGE_LIMIT_TICKS for splice funding, too?

The quiescence timeout needs to be much shorter because we have an active open channel that can handle payments.

[jkczyz]

Gotcha. Updated and added a few tests. PTAL.

[wpaulino]

We should include a payment such that the outbound HTLC gets sent out after the abort as a result of freeing the holding cell.

[jkczyz]

Done.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

This does feel a bit like a leaky abstraction - can we move exited_quiescence into the ChannelError and just call it needs_holding_cell_release? Even moreso because the variable doesn't make sense if we disconnect, close, or send an error.

[jkczyz]

Ok, I think we can infer it from tx_abort. At least I managed to get Clause to convince me that. Also, renamed the variables to needs_holding_cell_release and include similar inference elsewhere.

Let me know if this is looks good. I can make it a fixup if you prefer. May need a careful look, though.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-claude-review-bot]

Bug: regression in defensive coding — channel can get stuck in quiescence in release builds.

The old code called clear_quiescent() before the if let, so it always ran regardless of which branch was taken. The new code only calls exit_quiescence() in the success branch. If this debug_assert!(false) branch is somehow reached in a release build (e.g., due to a bug elsewhere), the channel would be stuck in quiescence indefinitely — unable to generate new commitments — until a disconnect/reconnect cycle recovers it.

Consider moving exit_quiescence() after the if/else, or adding it to the else branch:

Suggested change

	} else {
	debug_assert!(false);
	}
	} else {
	debug_assert!(false);
	self.exit_quiescence();
	}

[jkczyz]

Done. BTW, the reason it is moved after rather than left before is we can't take two mutable references to self.