common/test: reproduce BOLT 12 PR #1295 marker-jump spec contradiction

[vincenzopalazzo]

Add a failing C unit test in common/test/run-bolt12_proof_marker_jump.c
that reproduces the BOLT 12 spec contradiction raised on
lightning/bolts#1295.

In lightning/bolts#1295 (head db3eff3a54, 12-offer-encoding.md),
the writer rule (lines 1041-1049) mandates that after a
proof_omitted_tlvs entry of 239, the next entry MUST be
1000000000, because the writer needs to skip past the
signature/payer-proof TLV range (240..999999999) which is not valid
for marker numbers.

However the reader rule (lines 1065-1067) only accepts the next entry
if it is prev + 1 or <included TLV> + 1. There is no carve-out for
the 239 -> 1000000000 jump, so a reader applying the spec literally
will reject a marker sequence the writer rule mandates. The issue is
still open on the spec PR.

CLN's reader in common/bolt12_proof.c lines 339-388 is a literal
transcription of the bogus reader rule. The buggy branch is at line
379, which errors out when omitted != prev_omitted + 1 and
find_tlv_num(pptlv, omitted - 1) is false:

if (omitted != prev_omitted + 1) {
    /* O(n^2) but doesn't matter */
    if (!find_tlv_num(pptlv, omitted - 1)) {
        return tal_fmt(ctx, "proof_omitted_tlvs[%zi] is"
                       " not one greater than the previous %"PRIu64
                       " nor an included tlv entry",
                       i, prev_omitted);
    }
}

Fed the writer-rule-mandated sequence [1, 2, ..., 239, 1000000000],
this returns an error on the 1000000000 entry, because it is not
prev_omitted + 1 = 240 and there is no included TLV at 999999999
for the fallback to find. That is exactly the contradiction.

The new test constructs the minimum tlv_payer_proof needed to reach
the marker-validation loop: required field pointers populated,
preimage matching invoice_payment_hash, pptlv->fields deliberately
left empty so find_tlv_num returns false in every branch.

Then it sets proof_omitted_tlvs to [1, 2, ..., 239, 1000000000]
and asserts that check_payer_proof returns NULL. It does not, and
the assertion blows up:

$ ./common/test/run-bolt12_proof_marker_jump
check_payer_proof rejected the writer-rule-mandated 239 -> 1000000000 jump: proof_omitted_tlvs[239] is not one greater than the previous 239 nor an included tlv entry
Assertion failed: (err == NULL), function main, file run-bolt12_proof_marker_jump.c, line 127.

The failure naming [239] (the slot holding 1000000000) and
previous 239 is exactly the spec contradiction surfaced in CLN.

The test is expected to fail on current master, the failure IS the
reproduction. I am not fixing the underlying bug in this PR, the fix
belongs in the spec PR first (amend reader rule 1065 to allow the
239 -> 1000000000 jump) and only then mirrored into CLN.

Landing the failing test now means the eventual spec fix has a
concrete CLN-side regression target instead of a vague note about
remembering to update the validator.

Link: lightning/bolts#1295 (comment)
Link: lightningdevkit/rust-lightning#4297

Signed-off-by: Vincenzo Palazzo vincenzopalazzodev@gmail.com

---

• The changelog has been updated in the relevant commit(s) according to the guidelines.
• Tests have been added or modified to reflect the changes.
• Documentation has been reviewed and updated as needed.
• Related issues have been listed and linked, including any that this PR closes.