Router: Ensure used liquidity is always limited by hop's capacity

Previously, when recomputing fees for bottleneck hops, we might allow
the tracked used liquidity values to surpass the actual hop capacity,
which is bogus. Here, we assert we'd always limit the amount spend on
a hop by its capacity.

Found by a `fuzz` test hitting the related `debug_assert`.

Author: tnull

lightning/src/routing/router.rs

@@ -3113,13 +3113,19 @@ where L::Target: Logger {
 				// on the same liquidity in future paths.
 				let mut prevented_redundant_path_selection = false;
 				for (hop, _) in payment_path.hops.iter() {
-					let spent_on_hop_msat = value_contribution_msat + hop.next_hops_fee_msat;
+					let hop_capacity = hop.candidate.effective_capacity();
+					let hop_max_msat = max_htlc_from_capacity(hop_capacity, channel_saturation_pow_half);
+					let spent_on_hop_msat = value_contribution_msat
+						.saturating_add(hop.next_hops_fee_msat)
+						.min(hop_max_msat);
 					let used_liquidity_msat = used_liquidities
 						.entry(hop.candidate.id())
-						.and_modify(|used_liquidity_msat| *used_liquidity_msat += spent_on_hop_msat)
+						.and_modify(|used_liquidity_msat| {
+							*used_liquidity_msat = used_liquidity_msat
+								.saturating_add(spent_on_hop_msat)
+								.min(hop_max_msat)
+						})
 						.or_insert(spent_on_hop_msat);
-					let hop_capacity = hop.candidate.effective_capacity();
-					let hop_max_msat = max_htlc_from_capacity(hop_capacity, channel_saturation_pow_half);
 					if *used_liquidity_msat == hop_max_msat {
 						// If this path used all of this channel's available liquidity, we know
 						// this path will not be selected again in the next loop iteration.