EIP-7676: EOF - Prepare for Address Space Extension
Update EOF opcodes so addresses are not trimmed during execution
Abstract
Operations in the Legacy EVM trim off the top 12 bytes of an address operand before evaluation. This EIP changes the handling of those opcodes within EOF so that no trimming occurs and the top twelve bytes need to be zero or an exceptional halt is raised.
Motivation
There have been proposals to extend Ethereum Addresses from 160 bits to 256, such as one that would use the extra bits for state expiry (such as the ethereum magicians forum topic "Increasing the address size from 20 to 32 bytes"). One issue ground the work to a halt: EVM opcodes that accept addresses trim all but the lowest 20 bytes out from the operand before processing. EVM Reference tests verify this behavior in the 'stBadOpcode/invalidAddr.json' tests.
The EVM Object Format presents an opportunity to remove this address masking in a backwards compatible way, by baking it into the format definition from the start.
Most of the work is already in place. The following 5 operations have already been banned from
EOF: EXTCODESIZE
, EXTCODECOPY
, EXTCODEHASH
, CALLCODE
, and SELFDESTRUCT
. Three call
operations, CALL
, DELEGATECALL
, and STATICCALL
are being revamped
in EIP-7069. That leaves only one operation, BALANCE
, with issues.
When future uses of address space extension are specified it is expected that the exceptional halt behavior will be modified.
Specification
We introduce one new instruction:
EXTBALANCE
(tbd
) with arguments(target_address)
, returningbalance
EXTBALANCE
will pop one stack item off of the stack, the address of another account or contract.
The balance of that account or contract will be pushed onto the stack.
If EXTBALANCE
is invoked with any of the high 12 bytes in target_address
set to a non-zero value
the operation will cause an exceptional halt. All gas in the current frame will be consumed on
failure, no gas schedule change is needed.
The gas cost of EXTBALANCE
will be costed according to the gas schedule for the BALANCE
operation specified in EIP-2929. This means if the account is not
in accessed_addresses
then it is charged 2600 gas and added to accessed_addresses
. If the
account is in accessed_addresses
then 100 gas is charged. The accessed_addresses
is shared with
all other operands described in EIP-2929.
Also, for the EXTCALL
, EXTDELEGATECALL
, and EXTSTATICCALL
operations a new step is added just
before the memory expansion check: halt with exceptional failure if any of the high 96 bits of
the target_address
are set.
It is anticipated that future EIPs will alter the behavior in a way that will not result in an exceptional halt. Contract implementors should not depend on the exceptional halt.
Rationale
New Opcode
There is no need to ban the BALANCE
opcode as it does not cause any problems that would require
banning it within an EOF container. Adding a new opcode also allows the existing opcode to behave
the same in EOF and legacy code, reducing potential friction points for end user confusion and bugs.
Revert on invalid address
There are two alternative ways to handle accounts with high bits set. The specification calls for an exceptional halt, but the alternative was to treat the account as empty. The reason the "empty account" approach was rejected is twofold:
- The
accessed_addresses
list could be required to track 256 bit accounts when an invalid address is accessed. - The
EXTCALL
series instructions could still send balance to those addresses and such accounts would then hold an (inaccessible) balance that would need to be reflected in the merkle trie.
No change in gas costing
Because the BALANCE operation already needs to check accessed_addresses
there is already a good
amount of processing that must go into the operation. Hence, no changes to the gas schedule are
needed to prevent abuse of the failures. Such incremental costs will be dominated by costs related
to reverts and address checking for valid accounts.
Backwards Compatibility
Preparing for Address Space Expansion is explicitly done inside the scope of EOF with the intent that it will not require changes in old contracts, but with the caveat that old contracts may not be able to use addresses in the expanded space.
Future EIPs should be mindful when adding new operation with an address operand or parameter to how it interacts with EOF and legacy contracts. Authors should ensure that such additions remain in harmony with this EIP.
Test Cases
Test cases similar to invalidAddr.json
tests in the standard reference tests will need to be
written for the EOF tests, except they would check for halts on invalid addresses.
Reference Implementation
TBD
Security Considerations
This EIP only defines a revert behavior for previously stripped addresses. Compilers will need to be
aware of the need to mask addresses coming in from call data. Some of this is already present in
existing Solidity ABI standards, but more care should be taken in examining the flow
around EXTBALANCE
and code for EXTCALL
operations to ensure that compiled code strips the high
bytes.
Copyright
Copyright and related rights waived via CC0.