ipsilon / eof

Validation code for the EOF specification
Apache License 2.0

EOF validation fuzzing issues #146

Open chfast opened 1 month ago

chfast commented 1 month ago

EOF validation fuzzing issues / missing test cases found by fuzzers.

chfast commented 1 month ago
evm1: invalid_container_section_index
revm: 1
code: ef0001010004020001000504ff0300008000023a60cbee1800
ef0001 010004 0200010005 040000 00 00800002 3a60cbee18
ef0001010004020001000504000000008000023a60cbee18

Fixed by https://github.com/bluealloy/revm/pull/1648. Covered by https://github.com/ethereum/execution-spec-tests/blob/main/tests/prague/eip7692_eof_v1/eip7620_eof_create/test_returncontract.py#L35.

chfast commented 1 month ago
evm1: invalid_non_returning_flag
revm: 1
code: ef000101000c020003000400010003041d0000008000000080000000000000e300020000e50001
evm1: invalid_non_returning_flag
revm: 1
code: ef000101000c02000300110001000104000000008000000000000000000000e30001e30002e30001e30002e300025bfefee4
size: 50

The "invalid_non_returning_flag" means a code section is declared "non-returning" but there is the RETF (or JUMPF) instruction.

Fixed in revm.

Tests: https://github.com/ethereum/execution-spec-tests/pull/794.

chfast commented 1 month ago
evm1: success
revm: 0
code: ef00010100040200010001040000000080000000

This is actually the smallest EOF container. It looks like revm is confused about the non-returning flag again. Fixed by https://github.com/chfast/fuzzers/pull/1.

chfast commented 1 month ago
evm1: unreachable_code_sections
revm: 1
code: ef000101000c02000300030001000304000000008000000080000000800000e50001fee50002
size: 38
0x # EOF
ef0001 # Magic and Version ( 1 )
01000c # Types length ( 12 )
020003 # Total code sections ( 3 )
  0003 # Code section 0 , 3 bytes
  0001 # Code section 1 , 1 bytes
  0003 # Code section 2 , 3 bytes
040000 # Data section length(  0 )
    00 # Terminator (end of header)
       # Code section 0 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0000 # max stack:  0
       # Code section 1 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0000 # max stack:  0
       # Code section 2 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0000 # max stack:  0
       # Code section 0 - in=0 out=non-returning height=0
e50001 # [0] JUMPF(0x0001 <truncated immediate>)
       # Code section 1 - in=0 out=non-returning height=0
    fe # [0] INVALID
       # Code section 2 - in=0 out=non-returning height=0
e50002 # [0] JUMPF(0x0002 <truncated immediate>)
       # Data section (empty)
EOF code is invalid - EOF Code Invalid : Unreachable code section 2

Fixed by https://github.com/bluealloy/revm/pull/1659.

chfast commented 1 month ago
evm1: incompatible_container_kind
revm: 1
besu: 1
code: ef00010100040200010004030001001404000000008000025f5fee00ef000101000402000100010400000000800000fe
size: 48

revm: Fixed in the fuzzer by forcing "runtime" validation mode in revm. besu: FIXME

./evmtool pretty-print -f ef00010100040200010004030001001404000000008000025f5fee00ef000101000402000100010400000000800000fe
0x # EOF
ef0001 # Magic and Version ( 1 )
010004 # Types length ( 4 )
020001 # Total code sections ( 1 )
  0004 # Code section 0 , 4 bytes
030001 # Total subcontainers ( 1 )
  0014 # Sub container 0, 20 byte
040000 # Data section length(  0 )
    00 # Terminator (end of header)
       # Code section 0 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0002 # max stack:  2
       # Code section 0 - in=0 out=non-returning height=2
    5f # [0] PUSH0
    5f # [1] PUSH0
  ee00 # [2] RETURNCONTRACT(0)
           # Subcontainer 0 starts here
    ef0001 # Magic and Version ( 1 )
    010004 # Types length ( 4 )
    020001 # Total code sections ( 1 )
      0001 # Code section 0 , 1 bytes
    040000 # Data section length(  0 )
        00 # Terminator (end of header)
           # Code section 0 types
        00 # 0 inputs
        80 # 0 outputs  (Non-returning function)
      0000 # max stack:  0
           # Code section 0 - in=0 out=non-returning height=0
        fe # [0] INVALID
           # Data section (empty)
           # Subcontainer 0 ends
       # Data section (empty)
TEST_F(eof_validation, fuzzing_invalid_container_type)
{
    // This case is top-level container using RETURNCONTRACT.
    // This is not valid "runtime" EOF.
    const auto code =
        eof_bytecode(returncontract(0, OP_PUSH0, OP_PUSH0), 2).container(eof_bytecode(OP_INVALID));
    EXPECT_EQ(code,
        "ef00010100040200010004030001001404000000008000025f5fee00"
        "ef000101000402000100010400000000800000fe");
    add_test_case(code, EOFValidationError::incompatible_container_kind);
}
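The three comments above each hinge on a header-level property of the container: the non-returning flag (a section declared 0x80 must not contain RETF or JUMPF into a returning section, and a returning section must contain one of them), reachability of code sections from section 0 through CALLF/JUMPF, and the container kind (a top-level container that uses RETURNCONTRACT is initcode, so it fails when validated in "runtime" mode). The following parser and checks are an added example, not code from ipsilon/eof, evmone or revm; the header layout (including the 2-byte subcontainer sizes) follows the evmtool pretty-print output above, the error names follow evm1's, and the three sample containers are copied from the comments above.

```python
"""EOF v1 container parser plus three checks from this thread: non-returning flag,
unreachable code sections, container kind. Added example, not ipsilon/eof, evmone
or revm code; the header layout follows the evmtool pretty-print output above."""

NON_RETURNING = 0x80  # outputs byte marking a code section that never returns

# Immediate sizes for the EOF instruction set; RJUMPV's real size depends on its max_index byte.
IMMEDIATE = {op: op - 0x5F for op in range(0x60, 0x80)}                  # PUSH1..PUSH32
IMMEDIATE.update(dict.fromkeys((0xD1, 0xE0, 0xE1, 0xE3, 0xE5), 2))      # DATALOADN RJUMP RJUMPI CALLF JUMPF
IMMEDIATE.update(dict.fromkeys((0xE2, 0xE6, 0xE7, 0xE8, 0xEC, 0xEE), 1))  # RJUMPV(min) DUPN SWAPN EXCHANGE EOFCREATE RETURNCONTRACT

def instructions(code):
    """Yield (opcode, immediate bytes) pairs; raise on a truncated immediate."""
    pos = 0
    while pos < len(code):
        op, imm = code[pos], IMMEDIATE.get(code[pos], 0)
        if op == 0xE2 and pos + 1 < len(code):       # RJUMPV: max_index + (max_index + 1) offsets
            imm = 1 + 2 * (code[pos + 1] + 1)
        end = pos + 1 + imm
        if end > len(code):
            raise ValueError(f"truncated immediate at offset {pos}")
        yield op, code[pos + 1:end]
        pos = end

def parse_container(raw):
    """Split a container into types, code sections, parsed subcontainers and data."""
    raw = bytes.fromhex(raw) if isinstance(raw, str) else raw
    if raw[:3] != b"\xef\x00\x01":
        raise ValueError("not an EOF version 1 container")
    pos = 3                                          # past magic ef00 and version 01
    def take(n):                                     # read n bytes big-endian and advance
        nonlocal pos
        pos += n
        return int.from_bytes(raw[pos - n:pos], "big")
    def expect(kind):
        if take(1) != kind:
            raise ValueError(f"expected section kind {kind:#04x} at offset {pos - 1}")
    expect(0x01)
    types_size = take(2)
    expect(0x02)
    code_sizes = [take(2) for _ in range(take(2))]
    container_sizes = []
    if raw[pos] == 0x03:                             # subcontainer list is optional
        pos += 1
        container_sizes = [take(2) for _ in range(take(2))]
    expect(0x04)
    data_size = take(2)
    expect(0x00)                                     # header terminator
    if types_size != 4 * len(code_sizes):
        raise ValueError("types section must hold 4 bytes per code section")
    types = [{"inputs": take(1), "outputs": take(1), "max_stack": take(2)} for _ in code_sizes]
    sections = []
    for size in code_sizes + container_sizes:        # bodies follow in header order
        sections.append(raw[pos:pos + size])
        pos += size
    return {"types": types, "codes": sections[:len(code_sizes)], "data": raw[pos:pos + data_size],
            "subcontainers": [parse_container(s) for s in sections[len(code_sizes):]]}

def check_sections(container):
    """Non-returning flag and reachability checks; return an error name or None."""
    types, codes = container["types"], container["codes"]
    calls = {i: set() for i in range(len(codes))}    # CALLF/JUMPF edges per section
    for idx, (t, code) in enumerate(zip(types, codes)):
        returns = False                              # RETF, or JUMPF into a returning section
        for op, imm in instructions(code):
            if op in (0xE3, 0xE5):
                target = int.from_bytes(imm, "big")
                if target >= len(codes):
                    return "invalid_code_section_index"
                calls[idx].add(target)
                if op == 0xE5 and types[target]["outputs"] != NON_RETURNING:
                    returns = True
            elif op == 0xE4:                         # RETF
                returns = True
        if returns == (t["outputs"] == NON_RETURNING):
            return "invalid_non_returning_flag"
    seen, todo = {0}, [0]                            # walk the call graph from section 0
    while todo:
        new = calls[todo.pop()] - seen
        seen |= new
        todo.extend(new)
    return None if len(seen) == len(codes) else "unreachable_code_sections"

def validate(raw, mode="runtime"):
    """First failing check, or 'success'; `mode` is the kind the top-level container is validated as."""
    container = parse_container(raw)
    ops = {op for code in container["codes"] for op, _ in instructions(code)}
    initcode, runtime = 0xEE in ops, bool(ops & {0x00, 0xF3})  # RETURNCONTRACT vs STOP/RETURN
    kind_error = "incompatible_container_kind" if (initcode and runtime) or (
        initcode and mode == "runtime") or (runtime and mode == "initcode") else None
    return check_sections(container) or kind_error or "success"

# Cases quoted from the comments above: top-level RETURNCONTRACT container, a section 2
# that nothing calls, and a CALLF/JUMPF chain ending in a "returning" section that only STOPs.
CASE_INITCODE_AT_TOP = ("ef00010100040200010004030001001404000000008000025f5fee00"
                        "ef000101000402000100010400000000800000fe")
CASE_UNREACHABLE = "ef000101000c02000300030001000304000000008000000080000000800000e50001fee50002"
CASE_NON_RETURNING = "ef000101000c02000300040003000104000000008000000000000000000000e3000100e5000200"
```

`validate(CASE_INITCODE_AT_TOP)` reports incompatible_container_kind in the default runtime mode and success in initcode mode, which is exactly the difference the fuzzer had to account for by forcing runtime validation; the other two cases reproduce the unreachable_code_sections and invalid_non_returning_flag results listed by evm1. Subcontainers are parsed but not validated against the kind that EOFCREATE or RETURNCONTRACT expects of them.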
chfast commented 1 month ago
evm1: success
revm: 0
code: ef00010100100200040008000a00040007040000000080000200000001008000000000000260006000e3000100600035e10001e4e50002e3000300612015600155e4
size: 66

Fixed by forcing "runtime" mode in https://github.com/chfast/fuzzers/pull/1.

chfast commented 1 month ago
evm1: success
revm: 0
code: ef00010100100200040008000a00040002040000000080000200000001008000000000000060006028e3000100610034e10001e4e50002e30003005be4
size: 61

Fixed by forcing "runtime" mode in https://github.com/chfast/fuzzers/pull/1.

chfast commented 1 month ago
evm1: invalid_non_returning_flag
revm: 1
code: ef000101000c02000300040003000104000000008000000000000000000000e3000100e5000200
size: 39

Tests: https://github.com/ethereum/execution-spec-tests/pull/794

chfast commented 1 month ago

All above seems fixed. Latest tested revm: #b30dff48.

chfast commented 1 month ago

Besu stack overflow. git: e57c811e472b7f9fc4d229ac5c9fd30983c9de52 crash.txt

chfast commented 1 month ago
evm1: invalid_max_stack_height
besu: 1
besu git: e57c811e472b7f9fc4d229ac5c9fd30983c9de52
code: ef0001010004020001001004002f0000800004444444440444e10003e10000444419001f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f
size: 82
evm1: invalid_max_stack_height
besu: 1
code: ef000101000402000100240400000000800009444444444444e100064244e1000944e100071044e10006444444e10006444401104452fd
size: 55
evm1: invalid_max_stack_height
besu: 1
code: ef0001 010004 0200010018 040000 00 00800004 444444e2000004e2000000444444e200000444e500004400
size: 43
evm1: invalid_max_stack_height
besu: 1
code: (omitted)
size: 5135

The reduced test case is:

./evmtool pretty-print ef0001010004020001000b04000000008000025f5fe10003e100005f5ffe
0x # EOF
ef0001 # Magic and Version ( 1 )
010004 # Types length ( 4 )
020001 # Total code sections ( 1 )
  000b # Code section 0 , 11 bytes
040000 # Data section length(  0 )
    00 # Terminator (end of header)
       # Code section 0 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0002 # max stack:  2
       # Code section 0 - in=0 out=non-returning height=2
    5f # [0] PUSH0
    5f # [1] PUSH0
e10003 # [2] RJUMPI(3)
e10000 # [5] RJUMPI(0)
    5f # [8] PUSH0
    5f # [9] PUSH0
    fe # [10] INVALID
       # Data section (empty)

At the INVALID the correct stack height is [2-3]; however, besu probably computes it as 2, and therefore for besu the max stack height of 2 is correct. As in the case below, the confusion is related to double RJUMPIs.

evmone's repro:

TEST_F(eof_validation, fuzzing2)
{
    const auto code = eof_bytecode(
        OP_PUSH0 + rjumpi(3, OP_PUSH0) + OP_RJUMPI + "0000" + OP_PUSH0 + OP_PUSH0 + OP_INVALID, 2);
    EXPECT_EQ(code, "ef0001010004020001000b04000000008000025f5fe10003e100005f5ffe");
    add_test_case(code, EOFValidationError::invalid_max_stack_height);
}
chfast commented 1 month ago
evm1: stack_underflow
besu: 1
besu git: e57c811e472b7f9fc4d229ac5c9fd30983c9de52
code: ef00010100040200010016040000000080000544e200000444e100084444444444e100000444e50000
size: 41

The reduced test case is:

./evmtool pretty-print ef0001010004020001000b04000000008000035f5fe100055f5fe10000f3
0x # EOF
ef0001 # Magic and Version ( 1 )
010004 # Types length ( 4 )
020001 # Total code sections ( 1 )
  000b # Code section 0 , 11 bytes
040000 # Data section length(  0 )
    00 # Terminator (end of header)
       # Code section 0 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0003 # max stack:  3
       # Code section 0 - in=0 out=non-returning height=3
    5f # [0] PUSH0
    5f # [1] PUSH0
e10005 # [2] RJUMPI(5)
    5f # [5] PUSH0
    5f # [6] PUSH0
e10000 # [7] RJUMPI(0)
    f3 # [10] RETURN
       # Data section (empty)

At the RETURN the stack height is [1-2], which should give the stack underflow error. However, besu thinks this is ok. The confusion probably comes from the second RJUMPI targeting the same RETURN. If the test is reduced to a single RJUMPI, besu computes the correct result.

evmone's repro:

TEST_F(eof_validation, fuzzing)
{
    const auto code = eof_bytecode(
        OP_PUSH0 + rjumpi(5, OP_PUSH0) + OP_PUSH0 + rjumpi(0, OP_PUSH0) + OP_RETURN, 3);
    EXPECT_EQ(code, "ef0001010004020001000b04000000008000035f5fe100055f5fe10000f3");
    add_test_case(code, EOFValidationError::stack_underflow);
}
chfast commented 1 month ago
evm1: success
besu: 0
besu git: e57c811e472b7f9fc4d229ac5c9fd30983c9de52
code: ef00010100040200010051040000000080000b424444e1fffc44e1fffc44e1fffc0244444480024444e1fffc4444e1fffc44e1fffc44e1fffc44e1fffc44e100054444e1fffc44e1fffc44e1fffc44e1fffc444480024444e1fffc44e1fffc44e1fffc00
size: 100

Reduced:

./evmtool pretty-print -f ef0001010004020001000b04000000008000025f5fe10003e10000e0fffd
0x # EOF
ef0001 # Magic and Version ( 1 )
010004 # Types length ( 4 )
020001 # Total code sections ( 1 )
  000b # Code section 0 , 11 bytes
040000 # Data section length(  0 )
    00 # Terminator (end of header)
       # Code section 0 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0002 # max stack:  2
       # Code section 0 - in=0 out=non-returning height=2
    5f # [0] PUSH0
    5f # [1] PUSH0
e10003 # [2] RJUMPI(3)
e10000 # [5] RJUMPI(0)
e0fffd # [8] RJUMP(-3)
       # Data section (empty)
EOF code is invalid - EOF Code Invalid : Stack maximum violation on backwards jump from 8 to 8, 1 != 0

evmone's repro:

TEST_F(eof_validation, fuzzing3)
{
    const auto code =
        eof_bytecode(OP_PUSH0 + rjumpi(3, OP_PUSH0) + OP_RJUMPI + "0000" + rjump(-3), 2);
    EXPECT_EQ(code, "ef0001010004020001000b04000000008000025f5fe10003e10000e0fffd");
    add_test_case(code, EOFValidationError::success);
}
fixed by https://github.com/ethereum/execution-spec-tests/pull/756/files#diff-de486eec197639146b2f760d2a8468589b30cea1268d1b3b1360b04bb74ecd1dR701
rakita commented 1 month ago

Can you add the version git commit being tested with each finding?

There were two unimplemented checks, non-returning and container kind (Initcode/Runtime), with container access checks. Commits related to Revm fixes:

Added missing CALLF/JUMPF non-returning check, and a later commit is a fix for a misunderstanding of the spec: https://github.com/bluealloy/revm/pull/1663 and https://github.com/bluealloy/revm/pull/1664

This was a regression on e1236000 commit; code access must have a tracker. https://github.com/bluealloy/revm/pull/1659

Added missing Container kind check and container tracker (If it is used): https://github.com/bluealloy/revm/pull/1648

overflow panic https://github.com/bluealloy/revm/pull/1656

chfast commented 1 month ago
./evmtool pretty-print -f ef0001010004020001000b04000000008000024744e10003e10000e0fff5
0x # EOF
ef0001 # Magic and Version ( 1 )
010004 # Types length ( 4 )
020001 # Total code sections ( 1 )
  000b # Code section 0 , 11 bytes
040000 # Data section length(  0 )
    00 # Terminator (end of header)
       # Code section 0 types
    00 # 0 inputs
    80 # 0 outputs  (Non-returning function)
  0002 # max stack:  2
       # Code section 0 - in=0 out=non-returning height=2
    47 # [0] SELFBALANCE
    44 # [1] PREVRANDAO
e10003 # [2] RJUMPI(3)
e10000 # [5] RJUMPI(0)
e0fff5 # [8] RJUMP(-11)
       # Data section (empty)
TEST_F(eof_validation, fuzzing4)
{
    const auto code =
        eof_bytecode(OP_PUSH0 + rjumpi(3, OP_PUSH0) + OP_RJUMPI + "0000" + rjump(-11), 2);
    EXPECT_EQ(code, "ef0001010004020001000b04000000008000025f5fe10003e10000e0fff5");
    add_test_case(code, EOFValidationError::stack_height_mismatch);
}
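The four reduced cases above (the double-RJUMPI section that reaches INVALID with height [2-3], the one that reaches RETURN with [1-2], the RJUMP(-3) that targets itself, and the RJUMP(-11) back to offset 0) all come down to how min/max stack height ranges are propagated across the second RJUMPI and then compared on a backward jump. The analyzer below is an added example, not evmone, besu or revm code: it walks one code section linearly in the style of EIP-5450, merges ranges at forward targets and fall-throughs, requires an exact match on backward targets, and compares the computed maximum against the header's declared value. It covers only the opcodes used in those four sections (the code section bytes and declared heights are copied from the pretty-print and TEST_F listings above); checks that jump targets land on instruction boundaries are out of scope.

```python
"""Stack-height range analysis for one EOF code section, in the style of EIP-5450:
every instruction carries a [min, max] height range, RJUMPI merges the ranges of
both successors, and a backward jump requires the target's range to match exactly.
Added example (not evmone, besu or revm code) limited to the opcodes in the reduced
cases above; instruction-boundary checks for jump targets are out of scope."""

from dataclasses import dataclass, field

# opcode -> (name, pops, pushes, immediate bytes, terminates control flow)
OPS = {
    0x00: ("STOP", 0, 0, 0, True),
    0x44: ("PREVRANDAO", 0, 1, 0, False),
    0x47: ("SELFBALANCE", 0, 1, 0, False),
    0x5F: ("PUSH0", 0, 1, 0, False),
    0xE0: ("RJUMP", 0, 0, 2, False),
    0xE1: ("RJUMPI", 1, 0, 2, False),
    0xF3: ("RETURN", 2, 0, 0, True),
    0xFE: ("INVALID", 0, 0, 0, True),
}


@dataclass
class Result:
    status: str
    max_height: int = 0
    heights: dict = field(default_factory=dict)   # offset -> (min, max) before executing it


def merge(known, incoming):
    """Widen a recorded range with the range another path arrives with."""
    return incoming if known is None else (min(known[0], incoming[0]), max(known[1], incoming[1]))


def analyze(code, declared_max, inputs=0):
    """Linear walk of a section; the status names follow evmone's error names."""
    code = bytes.fromhex(code) if isinstance(code, str) else code
    n, pos, exits = len(code), 0, False
    heights, max_seen = {0: (inputs, inputs)}, inputs

    def done(status):
        return Result(status, max_seen, heights)

    while pos < n:
        if code[pos] not in OPS:
            return done("undefined_instruction")
        name, pops, pushes, imm, terminating = OPS[code[pos]]
        nxt = pos + 1 + imm
        if nxt > n:
            return done("truncated_instruction")
        if pos not in heights:                        # no jump or fall-through leads here
            return done("unreachable_instructions")
        lo, hi = heights[pos]
        if lo < pops:                                 # some path arrives with too few items
            return done("stack_underflow")
        lo, hi = lo - pops + pushes, hi - pops + pushes
        max_seen = max(max_seen, hi)
        if name in ("RJUMP", "RJUMPI"):
            target = nxt + int.from_bytes(code[pos + 1:nxt], "big", signed=True)
            if not 0 <= target < n:
                return done("invalid_rjump_target")
            if target <= pos:                         # backward: target range is final, must match
                if heights.get(target) != (lo, hi):
                    return done("stack_height_mismatch")
            else:                                     # forward: widen the target's range
                heights[target] = merge(heights.get(target), (lo, hi))
        exits = terminating or name == "RJUMP"
        if not exits and nxt < n:                     # fall-through successor
            heights[nxt] = merge(heights.get(nxt), (lo, hi))
        pos = nxt
    if not exits:
        return done("missing_terminating_instruction")
    if max_seen != declared_max:
        return done("invalid_max_stack_height")
    return done("success")


# Code sections of the four reduced cases above with the max stack height each header declares.
CASES = {
    "double_rjumpi_invalid": ("5f5fe10003e100005f5ffe", 2),   # invalid_max_stack_height, [2-3] at INVALID
    "double_rjumpi_return": ("5f5fe100055f5fe10000f3", 3),    # stack_underflow, [1-2] at RETURN
    "rjump_to_self": ("5f5fe10003e10000e0fffd", 2),           # success
    "rjump_to_start": ("4744e10003e10000e0fff5", 2),          # stack_height_mismatch
}
```

`analyze(*CASES["double_rjumpi_invalid"]).heights[10]` is (2, 3): the second RJUMPI(0) sends a height of 0 to offset 8 on top of the 1 the first RJUMPI sent there, so the two PUSH0s raise the range to [2-3] and the declared maximum of 2 is rejected. In the RETURN case the same merge yields [1-2] at offset 10 and RETURN's two inputs underflow on the low path. The RJUMP(-3) case succeeds because the range recorded at offset 8, [0-1], equals the range RJUMP arrives with; the RJUMP(-11) case fails because offset 0 was recorded as [0-0].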
shemnon commented 1 month ago

https://github.com/hyperledger/besu/pull/7419 appears to fix all the besu failures above -

Except for the stack exceptions in https://github.com/ipsilon/eof/issues/146#issuecomment-2257859537, which are fixed by https://github.com/hyperledger/besu/pull/7396, which removes the recursive validation call.

shemnon commented 1 month ago

Geth RETF check (same as revm bug?)

besu: EOF Code Invalid : No RETF or qualifying JUMPF
geth: OK
evm1: err: invalid_non_returning_flag
code: ef00010100080200020005000d0400000000800002010200025fe3000100e1000760016005e000025f5f00
size: 43

This wasn't from the initial corpus, so it needs a unit test

covered by tests/prague/eip7692_eof_v1/eip4750_functions/test_code_validation.py::test_eof_validity[fork_CancunEIP7692-eof_test-callf_to_non_returning in https://github.com/ethereum/execution-spec-tests/pull/756

shemnon commented 1 month ago

Geth invalid jump destination (RJUMPV)

besu: OK
geth: err(18): invalid jump destination
evm1: OK 60c9e2c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fe6800
code: ef00010100040200010199040000000080000160c9e2c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fe6800
size: 428

covered by tests/prague/eip7692_eof_v1/eip4200_relative_jumps/test_rjumpv.py::test_rjumpv_large_backwards[fork_CancunEIP7692-eof_test-len_9] in https://github.com/ethereum/execution-spec-tests/pull/756

shemnon commented 1 month ago

Geth invalid backwards jump

besu: OK
geth: err(0): invalid backward jump
evm1: OK 5f6400e100025f8080506000e200fff8e0fff5
code: ef0001010004020001001304000000008000045f6400e100025f8080506000e200fff8e0fff5
size: 38

I think this is a shorter version of the max negative test, which github won't let me paste.

Reduces to a backwards RJUMPI/RJUMPV onto a DUP tests/prague/eip7692_eof_v1/eip4200_relative_jumps/test_rjumpv.py::test_rjumpv_backwards_onto_dup[fork_CancunEIP7692-eof_test] and tests/prague/eip7692_eof_v1/eip4200_relative_jumps/test_rjumpi.py::test_rjumpi_backwards_onto_dup[fork_CancunEIP7692-eof_test] in https://github.com/ethereum/execution-spec-tests/pull/756

pdobacz commented 1 month ago

@shemnon Can you post geth's commit SHA? This will be useful to reduce the test cases and write an EEST test to cover these.

shemnon commented 1 month ago

2e2bb7b6c198ccb1387c4ad2d9765d09463d6fa1 Off of an omnibus of fixes I'm getting ready for Marius when he's back from vacation - https://github.com/shemnon/go-ethereum/tree/eof/fuzzing-1

shemnon commented 1 month ago

Geth stack check on LT - https://github.com/shemnon/go-ethereum/tree/eof/remove-txcreate@ 2e2bb7b6c198ccb1387c4ad2d9765d09463d6fa1

besu: EOF Code Invalid : Operation 0x10 requires stack of 2 but may only have 1 items
geth: OK
evm1: err: stack_underflow
code: ef0001010004020001001404000000008000025f6000e100086080e10007e000055fe000001000
size: 39

Covered by tests/prague/eip7692_eof_v1/eip4200_relative_jumps/test_rjumpi.py::test_tangled_rjumpi[fork_CancunEIP7692-eof_test] in https://github.com/ethereum/execution-spec-tests/pull/756

shemnon commented 1 month ago

revm - accepts initcode (commit b30dff48b32e2cc83e6ba2cb0c98ce0a4d384504)

besu: Code is initcode, not runtime
geth: err(0): incompatible container kind
evm1: err: incompatible_container_kind
revm: OK 
code: ef000101000402000100060300010014040000000080000260006000ee00ef000101000402000100010400000000800000fe
size: 50

@rakita is revme bytecode ef000101000402000100060300010014040000000080000260006000ee00ef000101000402000100010400000000800000fe the best way to do fuzzing with revm? It doesn't handle large (valid) inputs at all, such as max code size tests.

jochem-brouwer commented 1 month ago

How can I add EthereumJS to this fuzzing process? Should I provide an entrypoint?

shemnon commented 1 month ago

Here's the interface besu, geth, and evm1 conform to:

jochem-brouwer commented 1 month ago

Ok, great, I will implement such an interface and report back :smile:

jochem-brouwer commented 1 month ago

Do you have a code example of such an interface, or a full description of it? That way we can add EthereumJS in one go without having to go back and forth a lot to fix any interface bugs :smile:

shemnon commented 1 month ago

A loop I created for revm - https://github.com/bluealloy/revm/pull/1677

jochem-brouwer commented 1 month ago

@shemnon could you check if this works? :smile: https://github.com/ethereumjs/ethereumjs-monorepo/pull/3553

shemnon commented 1 month ago

ethjs from https://github.com/ethereumjs/ethereumjs-monorepo/pull/3553 @ 1973edfa633fffe893441fd740f1ea48f3c785e3

SWAPN stack checking

besu: EOF Code Invalid : Operation 0xE7 requires stack of 21 but may only have 20 items
revm: err validation: Stack requirement is above smallest stack items
etjs: OK
evm1: err: stack_underflow
code: ef0001010004020001002b040000000080001460016001600160016001600160016001600160016001600160016001600160016001600160016001e71300
size: 62

Added height 21 to tests/prague/eip7692_eof_v1/eip663_dupn_swapn_exchange/test_swapn.py::test_swapn_stack_underflow[fork_CancunEIP7692-eof_test-stack_height_*]

shemnon commented 1 month ago

ethjs from https://github.com/ethereumjs/ethereumjs-monorepo/pull/3553 @ 1973edfa633fffe893441fd740f1ea48f3c785e3

besu: EOF Code Invalid : No RETF or qualifying JUMPF
revm: err validation: Non returning section is returning
etjs: OK
evm1: err: invalid_non_returning_flag
code: ef000101000802000200040007040001000080000000000000e3000100e00000e0000000ef
size: 37

Covered by tests/prague/eip7692_eof_v1/eip4750_functions/test_code_validation.py::test_eof_validity[fork_CancunEIP7692-eof_test-callf_to_non_returning in https://github.com/ethereum/execution-spec-tests/pull/756

chfast commented 1 month ago

besu upgraded to 2ddfc2cbfb0ed9e5dd151c7e7df385d1aceafd18 and all reported issues are fixed.

shemnon commented 1 week ago

Geth from https://github.com/MariusVanDerWijden/go-ethereum/commit/2ffab55c7f1263d2de9df615b4dfb7e9636d5349

geth: OK
this: err: EOF Code Invalid : jumpf_destination_incompatible_outputs target  2 with more outputs 3 than current section's outputs 0
evm1: err: jumpf_destination_incompatible_outputs
revm: err validation: JUMPF needs more outputs
code: ef000101000c020003080c0003000304000000008003ff00000000030300045f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f
5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5f5fe3000150505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050
505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505050505061201560015560006000f3e500025f50e4
size: 2097

Covered by unit tests in https://github.com/ethereum/execution-spec-tests/pull/789

shemnon commented 1 week ago

Geth from https://github.com/MariusVanDerWijden/go-ethereum/commit/2ffab55c7f1263d2de9df615b4dfb7e9636d5349

geth: OK
this: err: EOF Code Invalid : stack_height_mismatch backwards RJUMPV from 18 to 10, min 4 != 3
evm1: err: stack_height_mismatch
revm: err validation: Backward jump has different smallest stack item
code: ef000101000402000100170400000000800005650000e100025f5f5f5f6000e10001506000e200fff400
size: 42

Covered by unit tests in https://github.com/ethereum/execution-spec-tests/pull/789 - also inspired RJUMPV variant