I think this check doesn't have new coverage in `rpc_package.py ? I got a success for the following diff:

diff --git a/src/txmempool.cpp b/src/txmempool.cpp
index 85911e15d..c7fa9fc62 100644
--- a/src/txmempool.cpp
+++ b/src/txmempool.cpp
@@ -173,7 +173,7 @@ bool CTxMemPool::CalculateAncestorsAndCheckLimits(size_t entry_size,
 
         if (stageit->GetSizeWithDescendants() + entry_size > limitDescendantSize) {
             errString = strprintf("exceeds descendant size limit for tx %s [limit: %u]", stageit->GetTx().GetHash().ToString(), limitDescendantSize);
-            return false;
+            return true;
         } else if (stageit->GetCountWithDescendants() + entry_count > limitDescendantCount) {
             errString = strprintf("too many descendants for tx %s [limit: %u]", stageit->GetTx().GetHash().ToString(), limitDescendantCount);
             return false;

This error should be caught in the mempool_tests unit test?

It's true, though, that I didn't write tests for the size limits, just did count limits. I can add size limit tests.

Added a functional test for size limits - test_desc_size_limits() will fail if you apply this diff

This error should be caught in the mempool_tests unit test?

It should but I don't' get an error for any mempool_* unit tests. Won't be surprised there is a hole coverage before to this PR.

Added a functional test for size limits - test_desc_size_limits() will fail if you apply this diff

Thanks for adding one, there is at least one behavior change to cover introduce with this PR, entry_size can be > 1.

I think we have topologies of in-mempool transactions and packages bypassing this limit.

Let's say you have in-mempool, independent Tx_A and Tx_B where their virtual sizes are 30 KvB each.
Let's say you have packages transactions Tx_C and _Tx_D where Tx_C is a child of A and B and Tx_D is a child of Tx_C their virtual sizes are 30 KvB each.

In CheckPackageLimits, Tx_C isn't already in the mempool (mapTx is only updated in Finalize) and as such shouldn't part of staged_ancestors. This set should be composed of Tx_A and Tx_B only.

In CalculateAncestorsAndCheckLimits, totalSizeWithAncestors is the union Tx_A and Tx_B and its sum of 60 KvB is inferior to 101 KvB. After Tx_C and Tx_D are added to the mempool, the chain of transactions ABCD is of the sum 120 KvB.

Further, I don't think it's rejected by the check against limitDescendantSize, as Tx_A and Tx_B are evaluated independently, and not as a single cluster as they should be (Tx_A + Tx_C + Tx_D or Tx_B + Tx_C + Tx_D)

Note, you need to replace Tx by chain of transactions because of MAX_STANDARD_TX_WEIGHT but I think this reasoning holds ?

Hm, I don't think this case bypasses the algorithm. I've implemented this test in the latest push (see test_anc_size_limits()) and it passes for me. It's possible I misunderstood your description, but it seems like we're good here?

Thanks for writing the test, I noticed where my reasoning was flawed!

totalSizeWithAncestors is the union Tx_A and Tx_B and its sum of 60 KvB is inferior to 101 KvB.

We init totalSizeWithAncestors with the whole package size from now, instead of the entry only (L164 in src/txmempool.cpp). So we have A+B+C+D and the check against limitAncestorSize rejects the package. Maybe the variable could be renamed packageSizeWithAncestors, but that's a nit.

In the future, if packages are allowed to replace in-mempool transactions do we have concerns of the same transaction accounted twice falsifying this check ?

Let's say you have in-mempool { Tx_A } and in-package { Tx_A, Tx_B } where Tx_A is parent of Tx_B. Within this configuration, Tx_A is going to be counted twice, firstly as a staged_ancestors member and secondly as a package member.

If this reasoning holds, one solution to be future-proof could be to proceed to the evaluation against limitAncestorCount after the for iteration, and once dedup between staged_ancestors and package has been done.

Yep, this is absolutely a consideration for replacements and duplicates in packages in the future. I agree, we'll want to de-duplicate first (CMPA and CheckPackageLimits wouldn't be called for transactions already in the mempool, since PreChecks looks for txn-already-in-mempool before this). Additionally, we'll want to subtract the size/count of transactions being replaced from descendant limits before calling this function.

(I will note this down for the future - I think we're on the same page about this, and it's not yet applicable for this PR)

Additionally, we'll want to subtract the size/count of transactions being replaced from descendant limits before calling this function.

Exactly, this is another limit case to be aware of. And even trickier one like an ancestor of a second-stage package member being replaced by a first-stage package member and thus failing the whole package acceptance.

Yes, not yet applicable for this PR, good to not forget about it!

i think a simpler API would be to have staged always contain all the entries themselves? is there a reason not to (I think the epoch algorithm is relatively lightweight for this).

Now that this errString is only used for the PackageMempoolAcceptResult, I think you can just drop the "possibly" prefix. It may have been useful on individual MempoolAcceptResult to disambiguate between failure because a single transaction definitely exceeded the limits and failure because a transaction was in a package that possibly exceeded limits. Now that we're not using it there, I think it should just be removed.

In fact, I don't think this string ever gets used (in logging or returned to users). Should testmempoolaccept be updated to return the reject reason and debug message for the transaction result and package result (see ValidationState::ToString(), which indirectly gets called if sendrawtransaction fails).

Note, I still wonder if we need to make CPFP carve-out composable with package acceptance in the future. Otherwise a counterparty can build a branch of descendants from an output A on a multi-party unconfirmed ancestor to block package acceptance on an output B.

I don't think this is required for current LN safety, as least as long as implementation backends don't try to chain their commitment+CPFP transactions. But it might be useful for other second-layers applications (e.g Lightning Pool's batch execution+commitment txn).

can we use packages to just remove the carve out?

Ideally yes, carve-out don't scale for multi-party (n > 2) fee-bumping.

Though extending the carve-out to safely chain CPFPs was argued by Matt on the LDK side (see here https://lightningdevkit.slack.com/archives/CTBLT3CAU/p1625786787422100). Personally, I think this approach is a bit doomed as we can assume first-stage of the CPFP-chain can always be replaced by a valid claim of a counterparty, thus downgrading the feerate of your other broadcasted commitments and I prefer the concurrent domino fee-bumping approach even if it's more complexity swallowed by the LN backend.

Further, I think there is another multi-party contract issue we have to solve. Namely, the first-stage state transaction can be symmetric but the second-stage states asymmetric-though-composable. E.g a CTV tree with a root transaction with branch A/branch B spending 2 isolated outputs. Alice broadcast root+branch A and Bob broadcast root+branch B, thus accidentally or maliciously evicting Alice's branch. I think we would like the mempool logic to aggregate those in-flight packages by conserving the highest-feerate subgraphs and that would require some form of carve-out to avoid package limits interfering ?