fuzz: cover deferred writing in chanmon_consistency

[joostjager]

Adds fuzz coverage for #4351

[ldk-reviews-bot]

👋 I see @wpaulino was un-assigned.
If you'd like another reviewer assignment, please click here.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.11%. Comparing base (75ac90a) to head (5eb96ab).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4465      +/-   ##
==========================================
- Coverage   86.12%   86.11%   -0.02%     
==========================================
  Files         157      157              
  Lines      108824   108871      +47     
  Branches   108824   108871      +47     
==========================================
+ Hits        93727    93755      +28     
- Misses      12480    12501      +21     
+ Partials     2617     2615       -2     

Flag	Coverage Δ
tests	86.11% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[joostjager]

Rebased

[joostjager]

Will hold off on this until pre-existing fuzz failures #4496 and #4472 are in

[joostjager]

Prerequisites are in, rebased.

[TheBlueMatt]

This LGTM, why is it draft?

[joostjager]

I first wanted to do a serious local run, but then it turned out there are so many pre-existing fuzz failures that it is hard to see what's new. I've bisected the failures to the various PRs that introduced them.

[joostjager]

Although for this PR I could just see if anything pops up that doesnt repro on main. Will do that.

[joostjager]

Several newly introduced fuzz failures to address:

7084a32219ffa61b1919192119197084a32219ff4400001d228012ffab
10fa0040801170704040198040111911191f1f1170bbff1170ffb3b2b6
10000150804211be707040198011191f1119401f401f0aa97210b6ff25
10000150804211707040198011191f11191f1a4040a91f7210b6ff25

[joostjager]

Zoomed in on one of those sequences, and it seems it is reproducible with another string without deferred mode too.

0270801109191109191f1f10b6ff

[joostjager]

Dependency: #4520

[joostjager]

Interestingly the non-deferred mode reproducer 0270801109191109191f1f10b6ff doesn't fail on main anymore, with #4520 not yet merged. Bisected the fixing PR to #4529 (@tankyleo).

It seems the increased headroom made the bug unobservable to the fuzzer?

I ran the fuzzer on this branch overnight, and no failures were found.

[joostjager]

I'll try to add a new invariant to the fuzzer so it catches the problem in a more robust way.

[joostjager]

Invariant addition: #4601

[joostjager]

Will rebase this after #4571

[ldk-claude-review-bot]

Nit: The docstring says this "simulates the pattern of snapshotting the pending count, persisting the ChannelManager, then flushing the queued monitor writes." However, in the actual fuzz loop, the flush happens during event processing (called from release_pending_monitor_events), while the ChannelManager is serialized at the end of each loop iteration (lines 3023-3031) — i.e., after the flush, not before.

This means the fuzzer always tests the scenario where the ChannelManager snapshot captures post-flush state. The more interesting crash scenario — serializing the ChannelManager while monitor writes are still queued, then crashing before the flush — is not directly exercised by this ordering. (The fuzzer does partially cover stale-monitor restarts through the use_old_mons selection in reload_node, but that's a different axis.)

Consider either updating the docstring to reflect what actually happens, or restructuring so the ChannelManager is serialized at the flush call-site to match the documented pattern.

[ldk-claude-review-bot]

When persister_res == Completed, this drains pending_monitors for all channels, not just those whose operations were included in the current flush(count) call. This is correct today because update_ret is constant for the lifetime of a node (set at creation/reload, never mutated by the mon_style fuzz commands at 0x00-0x06). That invariant ensures:

• If update_ret == Completed: every prior flush also used Completed, so there are no "orphaned" pending entries from an earlier InProgress flush.
• If update_ret == InProgress: this branch is never taken.

But this is a subtle invariant — if a future change allows update_ret to be toggled mid-run (e.g., fuzz commands updating the live persister), this would silently promote monitors whose corresponding channel_monitor_updated calls were never made by the flush. Consider adding a comment documenting this assumption, or tightening the logic to only promote monitors that correspond to channels with operations in the flushed batch.

[ldk-claude-review-bot]

I've completed a thorough re-review of the entire PR diff, including:

1. Tracing the full lifecycle of LatestMonitorState (pending_monitors vs pending_monitor_completions)
2. Verifying the deferred flush mechanism (checkpoint_manager_persistence → flush → Persist callbacks)
3. Checking that assert_eq!(pending_operation_count(), 0) invariants hold at all call sites
4. Verifying the reload path with deferred + InProgress combinations
5. Confirming the settle loop (process_all_events) converges correctly with deferred mode
6. Checking make_channel setup with deferred mode
7. Reviewing all fuzz command handlers (0x00-0xff) for deferred-mode safety

No new issues found beyond what was already noted in the prior review pass.

Prior review status:

• Line 367 (docstring accuracy): Still applies but is a documentation nit, not a bug.
• Line 386 (drain_all for Completed): Still applies as a fragility note. The invariant that update_ret is constant during a node's lifetime ensures correctness.
• Line 421 (mark_persisted bug claim): Confirmed false positive as noted in the prior summary. pending_monitors and pending_monitor_completions are independent lists, and out-of-order completion works correctly.
• Line 1179 (update_ret ordering): Confirmed false positive as noted in the prior summary. The fresh persister is created with Completed at line 1108, the flush at line 1176 runs while update_ret is still Completed, and only line 1181 changes it.

No issues found.

[ldk-claude-review-bot]

Bug: mark_persisted removes all pending entries with id <= monitor_id from the shadow's pending_monitors (via retain), but only the single selected entry was acknowledged with ChainMonitor::channel_monitor_updated. The older entries that are removed will never be acknowledged.

ChainMonitor::channel_monitor_updated removes only the specific completed_update_id from its internal pending_monitor_updates list, and only emits MonitorEvent::Completed when all pending updates have been individually acknowledged.

Regression from old code: The old complete_monitor_update only removed the selected entry (via remove(0), remove(1), or pop()) and left other entries intact for future completion. The new code's reuse of mark_persisted here also cleans up older entries that still need ChainMonitor acknowledgment.

Trigger scenario:

1. persistence_style = InProgress, two updates accumulate: pending_monitors = [(3, data3), (5, data5)]
2. Fuzz command 0xf2/0xf6/0xfa/0xfe calls complete_monitor_update(Last)
3. take_pending(Last) removes (5, data5) → pending_monitors = [(3, data3)]
4. channel_monitor_updated(5) — ChainMonitor removes 5, still has 3 pending
5. mark_persisted(5, data5) — retain removes (3, data3) → pending_monitors = []
6. Shadow has no record of update 3, ChainMonitor still has 3 pending forever
7. MonitorEvent::Completed is never emitted → channel operations blocked → process_all_events panics at 100 iterations

Fix: mark_update_completed should only update persisted_monitor_id/persisted_monitor without removing other pending entries. The retain cleanup in mark_persisted is correct for track_monitor_update (persister callback context) but wrong here (explicit completion context). Consider splitting the logic or adding a dedicated method that doesn't retain-prune.

[joostjager]

I reworked this PR and based it on a preparatory commit that makes the fuzzer's persistence model much more understandable, in my opinion. The prep work was taken from the force-close fuzzing PR #4381 that is still WIP, so it should be useful there as well.