fix: add fatal log on amendment-blocked shutdown

- signalStop() for graceful shutdown when unsupported amendment activates
- early shutdown ~1 minute before expected activation to avoid race
- try/catch in switchLastClosedLedger to survive unknown field crashes
  during shutdown window
- show amendment warning to all RPC users, not just admin

Fixes: #706

src/xrpld/app/ledger/detail/LedgerMaster.cpp

@@ -310,12 +310,28 @@ LedgerMaster::setValidLedger(std::shared_ptr<Ledger const> const& l)
             if (auto const first =
                     app_.getAmendmentTable().firstUnsupportedExpected())
             {
-                JLOG(m_journal.error()) << "One or more unsupported amendments "
-                                           "reached majority. Upgrade before "
-                                        << to_string(*first)
-                                        << " to prevent your server from "
-                                           "becoming amendment blocked.";
-                app_.getOPs().setAmendmentWarned();
+                using namespace std::chrono_literals;
+                auto const now = app_.timeKeeper().closeTime();
+                if (*first > now && (*first - now) <= 1min)
+                {
+                    // Shut down just before the amendment activates to
+                    // avoid processing ledgers with unknown fields.
+                    JLOG(m_journal.error())
+                        << "Unsupported amendment activating imminently "
+                           "at "
+                        << to_string(*first) << ". Shutting down.";
+                    app_.getOPs().setAmendmentBlocked();
+                }
+                else
+                {
+                    JLOG(m_journal.error())
+                        << "One or more unsupported amendments "
+                           "reached majority. Upgrade before "
+                        << to_string(*first)
+                        << " to prevent your server from "
+                           "becoming amendment blocked.";
+                    app_.getOPs().setAmendmentWarned();
+                }
             }
             else
                 app_.getOPs().clearAmendmentWarned();

src/xrpld/app/misc/AMMUtils.h

@@ -123,6 +123,17 @@ isOnlyLiquidityProvider(
     Issue const& ammIssue,
     AccountID const& lpAccount);
 
+/** Due to rounding, the LPTokenBalance of the last LP might
+ * not match the LP's trustline balance. If it's within the tolerance,
+ * update LPTokenBalance to match the LP's trustline balance.
+ */
+Expected<bool, TER>
+verifyAndAdjustLPTokenBalance(
+    Sandbox& sb,
+    STAmount const& lpTokens,
+    std::shared_ptr<SLE>& ammSle,
+    AccountID const& account);
+
 }  // namespace ripple
 
 #endif  // RIPPLE_APP_MISC_AMMUTILS_H_INLCUDED

src/xrpld/app/misc/NetworkOPs.cpp

@@ -1634,6 +1634,16 @@ NetworkOPsImp::setAmendmentBlocked()
 {
     amendmentBlocked_ = true;
     setMode(OperatingMode::CONNECTED);
+    if (!app_.config().standalone())
+    {
+        JLOG(m_journal.fatal())
+            << "One or more unsupported amendments activated. "
+               "Shutting down. Upgrade the server to remain "
+               "compatible with the network.";
+        app_.signalStop(
+            "One or more unsupported amendments activated. "
+            "Server must be upgraded to remain compatible with the network.");
+    }
 }
 
 inline bool
@@ -1789,8 +1799,23 @@ NetworkOPsImp::switchLastClosedLedger(
 
     clearNeedNetworkLedger();
 
-    // Update fee computations.
-    app_.getTxQ().processClosedLedger(app_, *newLCL, true);
+    // Update fee computations. May throw if the ledger contains
+    // transactions with fields unknown to this binary (e.g. after an
+    // unsupported amendment activates). Catch to allow graceful shutdown.
+    //@@start process-closed-ledger-catch
+    try
+    {
+        app_.getTxQ().processClosedLedger(app_, *newLCL, true);
+    }
+    catch (std::runtime_error const& e)
+    {
+        if (!amendmentBlocked_)
+            throw;
+        JLOG(m_journal.error())
+            << "Failed to process closed ledger: " << e.what();
+        return;
+    }
+    //@@end process-closed-ledger-catch
 
     // Caller must own master lock
     {
@@ -2449,7 +2474,7 @@ NetworkOPsImp::getServerInfo(bool human, bool admin, bool counters)
                 "may be incorrectly configured or some [validator_list_sites] "
                 "may be unreachable.";
         }
-        if (admin && isAmendmentWarned())
+        if (isAmendmentWarned())
         {
             Json::Value& w = warnings.append(Json::objectValue);
             w[jss::id] = warnRPC_UNSUPPORTED_MAJORITY;
@@ -2893,6 +2918,7 @@ NetworkOPsImp::pubLedger(std::shared_ptr<ReadView const> const& lpAccepted)
     // Ledgers are published only when they acquire sufficient validations
     // Holes are filled across connection loss or other catastrophe
 
+    //@@start pubLedger-accepted-ledger-construction
     std::shared_ptr<AcceptedLedger> alpAccepted =
         app_.getAcceptedLedgerCache().fetch(lpAccepted->info().hash);
     if (!alpAccepted)
@@ -2901,6 +2927,7 @@ NetworkOPsImp::pubLedger(std::shared_ptr<ReadView const> const& lpAccepted)
         app_.getAcceptedLedgerCache().canonicalize_replace_client(
             lpAccepted->info().hash, alpAccepted);
     }
+    //@@end pubLedger-accepted-ledger-construction
 
     XRPL_ASSERT(
         alpAccepted->getLedger().get() == lpAccepted.get(),

src/xrpld/app/misc/detail/AMMUtils.cpp

@@ -16,6 +16,8 @@
     OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 //==============================================================================
+
+#include <xrpld/app/misc/AMMHelpers.h>
 #include <xrpld/app/misc/AMMUtils.h>
 #include <xrpld/ledger/Sandbox.h>
 #include <xrpl/basics/Log.h>
@@ -462,4 +464,32 @@ isOnlyLiquidityProvider(
     return Unexpected<TER>(tecINTERNAL);  // LCOV_EXCL_LINE
 }
 
+Expected<bool, TER>
+verifyAndAdjustLPTokenBalance(
+    Sandbox& sb,
+    STAmount const& lpTokens,
+    std::shared_ptr<SLE>& ammSle,
+    AccountID const& account)
+{
+    if (auto const res = isOnlyLiquidityProvider(sb, lpTokens.issue(), account);
+        !res)
+        return Unexpected<TER>(res.error());
+    else if (res.value())
+    {
+        if (withinRelativeDistance(
+                lpTokens,
+                ammSle->getFieldAmount(sfLPTokenBalance),
+                Number{1, -3}))
+        {
+            ammSle->setFieldAmount(sfLPTokenBalance, lpTokens);
+            sb.update(ammSle);
+        }
+        else
+        {
+            return Unexpected<TER>(tecAMM_INVALID_TOKENS);
+        }
+    }
+    return true;
+}
+
 }  // namespace ripple

src/xrpld/app/tx/detail/AMMClawback.cpp

@@ -151,6 +151,17 @@ AMMClawback::applyGuts(Sandbox& sb)
     if (!accountSle)
         return tecINTERNAL;  // LCOV_EXCL_LINE
 
+    // retrieve LP token balance inside the amendment gate to avoid
+    // inconsistent error behavior
+    auto const lpTokenBalance = ammLPHolds(sb, *ammSle, holder, j_);
+    if (lpTokenBalance == beast::zero)
+        return tecAMM_BALANCE;
+
+    if (auto const res =
+            verifyAndAdjustLPTokenBalance(sb, lpTokenBalance, ammSle, holder);
+        !res)
+        return res.error();  // LCOV_EXCL_LINE
+
     auto const expected = ammHolds(
         sb,
         *ammSle,
@@ -248,10 +259,11 @@ AMMClawback::equalWithdrawMatchingOneAmount(
     STAmount const& amount)
 {
     auto frac = Number{amount} / amountBalance;
-    auto const amount2Withdraw = amount2Balance * frac;
+    auto amount2Withdraw = amount2Balance * frac;
 
     auto const lpTokensWithdraw =
         toSTAmount(lptAMMBalance.issue(), lptAMMBalance * frac);
+
     if (lpTokensWithdraw > holdLPtokens)
         // if lptoken balance less than what the issuer intended to clawback,
         // clawback all the tokens. Because we are doing a two-asset withdrawal,
@@ -272,18 +284,33 @@ AMMClawback::equalWithdrawMatchingOneAmount(
             mPriorBalance,
             ctx_.journal);
 
-    // Because we are doing a two-asset withdrawal,
-    // tfee is actually not used, so pass tfee as 0.
+    auto const& rules = sb.rules();
+
+    auto tokensAdj =
+        getRoundedLPTokens(rules, lptAMMBalance, frac, IsDeposit::No);
+
+    // LCOV_EXCL_START
+    if (tokensAdj == beast::zero)
+        return {tecAMM_INVALID_TOKENS, STAmount{}, STAmount{}, std::nullopt};
+    // LCOV_EXCL_STOP
+
+    frac = adjustFracByTokens(rules, lptAMMBalance, tokensAdj, frac);
+    auto amount2Rounded =
+        getRoundedAsset(rules, amount2Balance, frac, IsDeposit::No);
+
+    auto amountRounded =
+        getRoundedAsset(rules, amountBalance, frac, IsDeposit::No);
+
     return AMMWithdraw::withdraw(
         sb,
         ammSle,
         ammAccount,
         holder,
         amountBalance,
-        amount,
-        toSTAmount(amount2Balance.issue(), amount2Withdraw),
+        amountRounded,
+        amount2Rounded,
         lptAMMBalance,
-        toSTAmount(lptAMMBalance.issue(), lptAMMBalance * frac),
+        tokensAdj,
         0,
         FreezeHandling::fhIGNORE_FREEZE,
         WithdrawAll::No,

src/xrpld/app/tx/detail/AMMWithdraw.cpp

@@ -313,24 +313,9 @@ AMMWithdraw::applyGuts(Sandbox& sb)
     // might not match the LP's trustline balance
 
     if (auto const res =
-            isOnlyLiquidityProvider(sb, lpTokens.issue(), account_);
+            verifyAndAdjustLPTokenBalance(sb, lpTokens, ammSle, account_);
         !res)
         return {res.error(), false};
-    else if (res.value())
-    {
-        if (withinRelativeDistance(
-                lpTokens,
-                ammSle->getFieldAmount(sfLPTokenBalance),
-                Number{1, -3}))
-        {
-            ammSle->setFieldAmount(sfLPTokenBalance, lpTokens);
-            sb.update(ammSle);
-        }
-        else
-        {
-            return {tecAMM_INVALID_TOKENS, false};
-        }
-    }
 
     auto const tfee = getTradingFee(ctx_.view(), *ammSle, account_);