Exit quiescence when splice_init and tx_init_rbf are rejected

[jkczyz]

Summary

• Fix quiescence not being exited when tx_init_rbf or splice_init is rejected with Abort (e.g., insufficient RBF feerate, negotiation in progress), which left the channel stuck in a quiescent state
• Refactor both handlers to return InteractiveTxMsgError, reusing the same pattern already used by the interactive TX message handlers, with a shared handle_interactive_tx_msg_err helper in channelmanager

Test plan

• Existing test_splice_rbf_insufficient_feerate updated to verify quiescence is properly exited after tx_abort
• Existing test_splice_feerate_too_high updated to verify quiescence is properly exited after splice_init rejection
• All splicing tests pass

🤖 Generated with Claude Code

Based on #4494.

[ldk-reviews-bot]

I've assigned @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 61.79775% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.22%. Comparing base (8d00139) to head (959b553).
⚠️ Report is 111 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channelmanager.rs	42.85%	30 Missing and 2 partials ⚠️
lightning/src/ln/channel.rs	92.30%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4495      +/-   ##
==========================================
- Coverage   86.24%   86.22%   -0.02%     
==========================================
  Files         160      161       +1     
  Lines      107909   108651     +742     
  Branches   107909   108651     +742     
==========================================
+ Hits        93061    93681     +620     
- Misses      12212    12339     +127     
+ Partials     2636     2631       -5     

Flag	Coverage Δ
tests	86.22% <61.79%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-claude-review-bot]

In splice_init, resolve_queued_contribution (which can return Abort(FeeRateTooHigh)) is called before validate_splice_init checks is_quiescent(). If a misbehaving peer sends splice_init during the STFU handshake (before quiescence is established), and the holder has a queued contribution with a low max_feerate, the Abort error would flow into quiescent_negotiation_err → exit_quiescence(), which has debug_assert!(!is_local_stfu_sent()) / debug_assert!(!is_remote_stfu_sent()).

Those asserts would fire because the STFU flags are still set (handshake incomplete). In release builds, exit_quiescence would harmlessly return false, but in debug/test builds this would panic.

Same issue applies to tx_init_rbf at line 12762 (and line 12780).

Consider guarding with an is_quiescent() check before calling exit_quiescence:

Suggested change

	fn quiescent_negotiation_err(&mut self, err: ChannelError) -> InteractiveTxMsgError {
	let exited_quiescence =
	if matches!(err, ChannelError::Abort(_)) { self.exit_quiescence() } else { false };
	InteractiveTxMsgError { err, splice_funding_failed: None, exited_quiescence }
	}
	fn quiescent_negotiation_err(&mut self, err: ChannelError) -> InteractiveTxMsgError {
	let exited_quiescence = if matches!(err, ChannelError::Abort(_))
	&& self.context.channel_state.is_quiescent()
	{
	self.exit_quiescence()
	} else {
	false
	};
	InteractiveTxMsgError { err, splice_funding_failed: None, exited_quiescence }
	}

[jkczyz]

Fixed, though I took the opportunity to have validate_splice_init and validate_ tx_init_rbf no longer call validate_splice_contributions and FundingScope::for_splice. Rather they are called at those call sites. This let's us check if we are quiescent before checking fee rates when calling resolve_queued_contribution.

[ldk-claude-review-bot]

resolve_queued_contribution takes &self (not &mut self), so it has no mutable side effects. It's a pure computation. Good — no rollback needed.

I'm satisfied with the review. No new issues found beyond my prior comment (which is still valid but defensive). The PR is well-structured.

No issues found.

Summary

After thorough review of all files in this diff — channel.rs, channelmanager.rs, funding.rs, and splicing_tests.rs — I found no new issues beyond the one flagged in my prior review pass.

Prior comment status:

• lightning/src/ln/channel.rs:13970-13974 — The quiescent_negotiation_err / exit_quiescence debug_assert concern remains valid as a defensive hardening suggestion, though the new commit (d275551) that defers resolve_queued_contribution until after validate_splice_init/validate_tx_init_rbf significantly reduces the practical risk. The new tests (test_splice_init_before_quiescence_sends_warning, test_tx_init_rbf_before_quiescence_sends_warning) confirm that misbehaving peers hitting these paths before quiescence get WarnAndDisconnect (not Abort), so the debug_assert shouldn't fire in practice.

Verification of key changes:

• min_rbf_feerate correctly computes max(prev + 25, ceil(prev * 25/24)) with crossover at 600 sat/kwu
• Asymmetric validation (stricter for own RBFs, lenient 25/24 for counterparty) is correct and tested
• validate_splice_init/validate_tx_init_rbf refactoring preserves all validation logic and parameter passing
• handle_interactive_tx_msg_err extraction is a clean refactor of the inline code in internal_tx_msg
• exit_quiescence correctly had its test-only attribute removed for production use
• resolve_queued_contribution is side-effect-free (&self), so ordering changes are safe
• All test feerate values updated consistently from (prev * 25).div_ceil(24) to prev + 25 where prev is at/near FEERATE_FLOOR_SATS_PER_KW (253)