pytest: reproduce issue #8899 fulfilled HTLC SENT_REMOVE_HTLC deadline force-close

vincenzopalazzo · claude · vincenzopalazzo · commit d6d86931e65c · 2026-03-13T21:43:50.000+01:00
Add test that reproduces the bug where CLN force-closes a channel with "Fulfilled HTLC SENT_REMOVE_HTLC cltv hit deadline" even though the node already has the preimage and just needs to send update_fulfill_htlc to the upstream peer. The test sets up l1->l2->l3 routing where l2 disconnects from l1 right before sending update_fulfill_htlc, leaving the incoming HTLC stuck in SENT_REMOVE_HTLC state. When blocks advance past the deadline, l2 force-closes instead of attempting to reconnect and complete the fulfill. Ref: #8899 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/tests/test_closing.py b/tests/test_closing.py
@@ -3957,6 +3957,82 @@ def censoring_sendrawtx(r):
     # FIXME: l2 should complain!
 
 
+@unittest.skipIf(TEST_NETWORK != 'regtest', 'elementsd anchors unsupported')
+def test_fulfilled_htlc_deadline_no_force_close(node_factory, bitcoind):
+    """Test that l2 does not force-close when fulfilled HTLC is in
+    SENT_REMOVE_HTLC state (preimage known, fulfill queued to channeld
+    but not yet sent to upstream peer).
+
+    Reproduces https://github.com/ElementsProject/lightning/issues/8899:
+    CLN force-closed with 'Fulfilled HTLC SENT_REMOVE_HTLC cltv hit deadline'
+    without attempting to send update_fulfill_htlc upstream first.
+    """
+    # l1 -> l2 -> l3 topology.
+    # l2 disconnects from l1 right before sending update_fulfill_htlc,
+    # so the incoming HTLC on l1-l2 stays in SENT_REMOVE_HTLC.
+    # l2 cannot reconnect (dev-no-reconnect), simulating the scenario where
+    # the upstream peer appears connected but isn't processing messages.
+    #
+    # Use identical feerates to avoid gratuitous commits to update them.
+    opts = [{'dev-no-reconnect': None,
+             'feerates': (7500, 7500, 7500, 7500)},
+            {'disconnect': ['-WIRE_UPDATE_FULFILL_HTLC'],
+             'dev-no-reconnect': None,
+             'feerates': (7500, 7500, 7500, 7500)},
+            {'feerates': (7500, 7500, 7500, 7500)}]
+
+    l1, l2, l3 = node_factory.line_graph(3, opts=opts, wait_for_announce=True)
+
+    amt = 12300000
+    inv = l3.rpc.invoice(amt, 'test_fulfilled_deadline', 'desc')
+
+    # Use explicit route with known delays to have predictable cltv_expiry.
+    # delay=16 for first hop (cltv_delta=6 + cltv_final=10),
+    # delay=10 for second hop (cltv_final=10).
+    route = [{'amount_msat': amt + 1 + amt * 10 // 1000000,
+              'id': l2.info['id'],
+              'delay': 16,
+              'channel': first_scid(l1, l2)},
+             {'amount_msat': amt,
+              'id': l3.info['id'],
+              'delay': 10,
+              'channel': first_scid(l2, l3)}]
+    l1.rpc.sendpay(route, inv['payment_hash'],
+                   payment_secret=inv['payment_secret'])
+
+    # l3 fulfills the HTLC, preimage flows back to l2.
+    # l2 transitions the incoming HTLC (from l1) to SENT_REMOVE_HTLC,
+    # then tries to send update_fulfill_htlc to l1 but disconnects.
+    l2.daemon.wait_for_log('dev_disconnect: -WIRE_UPDATE_FULFILL_HTLC')
+
+    # Verify the HTLC is stuck: l2 has the preimage but can't send it
+    # to l1 because of the disconnect.
+    wait_for(lambda: only_one(l2.rpc.listpeerchannels(l1.info['id'])['channels'])['htlcs'] != [])
+
+    # Now mine blocks up to the deadline.
+    # Default regtest cltv_expiry_delta=6, so deadline = cltv_expiry - (6+1)/2 = cltv_expiry - 3.
+    # With delay=16 on first hop, cltv_expiry should be 119 (starting height ~103 + 16).
+    # Deadline = 119 - 3 = 116. We're at ~108 after mine_funding_to_announce,
+    # so we need ~8 blocks to hit it.
+    #
+    # BUG: l2 will force-close with "Fulfilled HTLC 0 SENT_REMOVE_HTLC cltv ... hit deadline"
+    # even though it has the preimage and just needs to reconnect to send it upstream.
+    # The correct behavior would be to NOT force-close when the HTLC is in
+    # SENT_REMOVE_HTLC (preimage known, fulfill already queued to channeld).
+    bitcoind.generate_block(7)
+    sync_blockheight(bitcoind, [l2])
+    assert not l2.daemon.is_in_log('hit deadline')
+
+    bitcoind.generate_block(1)
+    sync_blockheight(bitcoind, [l2])
+
+    # This is the bug: l2 force-closes with SENT_REMOVE_HTLC.
+    # After a fix, this line should be changed to assert the force-close
+    # does NOT happen:
+    #   assert not l2.daemon.is_in_log('Fulfilled HTLC 0 SENT_REMOVE_HTLC')
+    l2.daemon.wait_for_log('Fulfilled HTLC 0 SENT_REMOVE_HTLC cltv .* hit deadline')
+
+
 def test_closing_tx_valid(node_factory, bitcoind):
     l1, l2 = node_factory.line_graph(2, opts={'may_reconnect': True,
                                               'dev-no-reconnect': None})
