feat(tests): enhance eip7883 test coverage

[LouisTsai-Csie]

🗒️ Description

EIP-7883: ModExp Gas Cost Increase

This EIP changes the gas cost, so it falls under this category in the checklist. While this category is meant specifically for gas cost changes, I’ve added a broader set of scenarios, similar to what would be done for a new precompile, since the existing tests from Byzantium are incomplete.

Call contexts

• CALL / DELEGATECALL / STATICCALL / CALLCODE
• Transaction Entry-point
• Initcode call: IMO this is unnecessary, since we still need to use *CALL to trigger the precompile in the create/create2 initcode, it is exactly the same testing scenario as the call context one.
• Precompile as Set-code Delegated Address: please check this in eip-7702 test, it is not located in eip-7883 test.

Inputs

• precompile/test/inputs/valid
• precompile/test/inputs/valid/boundary
• precompile/test/inputs/valid/crypto
• precompile/test/inputs/all_zeros
• precompile/test/inputs/max_values
• precompile/test/inputs/invalid
• precompile/test/inputs/invalid/crypto
• precompile/test/inputs/invalid/corrupted

Value Transfer

• Minimum Fee Precompile
• No-Fee Precompile: Do not need this one, as Modexp is not no-fee precompile

Out-of-bounds checks

• precompile/test/out_of_bounds/max
• precompile/test/out_of_bounds/max_plus_one

Input Lengths

• Zero-length Input
• Static Required Input Length: The input length is dynamic
• Dynamic Required Input Length

Gas usage

• Constant Gas Cost: We do not need this one, as the gas cost is dynamic
• Variable Gas Cost: See analysis below
• Excessive Gas: Already have this in benchmark test

Fork transition

• Pre-fork Block Call
• Cold/Warm Precompile Address State: We do not need this one as the Modexp is not a new precompile.

🔗 Related Issues or PRs

Issue #1791, #1790, #1971

✅ Checklist

• All: Ran fast tox checks to avoid unnecessary CI fails, see also Code Standards and Enabling Pre-commit Checks:

  uvx --with=tox-uv tox -e lint,typecheck,spellcheck,markdownlint

• All: PR title adheres to the repo standard - it will be used as the squash commit message and should start type(scope):.
• All: Considered adding an entry to CHANGELOG.md.
• All: Considered updating the online docs in the ./docs/ directory.
• All: Set appropriate labels for the changes (only maintainers can apply labels).
• Tests: Ran mkdocs serve locally and verified the auto-generated docs for new tests in the Test Case Reference are correctly formatted.
• Tests: For PRs implementing a missed test case, update the post-mortem document to add an entry the list.
• Ported Tests: All converted JSON/YML tests from ethereum/tests or tests/static have been assigned @ported_from marker.

[LouisTsai-Csie]

I tried to use a hash-based method (see the comment) here for simplicity but failed, so I simply store all the data in storage for comparison. I still prefer the hash-based method as it reduces the SSTORE operation count

[spencer-tb]

I tried to do this today but had issues with guido-4 and geth-fail vectors. I then realised we have a bug in the chunking method for cases where len(modexp_expected) // 32 = 0. For guido-4 this equates to 8 // 32 = 0. So then we get for i in range(0), meaning we don't store the result for guido-4.

We should try and get the hash method working nonetheless!

[LouisTsai-Csie]

I’ve updated the implementation to a hash-based method, but some issues have come up.

From EIP-198:

Consumes floor(mult_complexity(max(length_of_MODULUS, length_of_BASE)) * max(ADJUSTED_EXPONENT_LENGTH, 1) / GQUADDIVISOR) gas, and if there is enough gas, returns (BASE**EXPONENT) % MODULUS as a byte array with the same length as the modulus.

Given a ModExp input where (base, exponent, modulus) yields the value 0x01 and the modulus length is 4, what should the output be? Should it be 0x00000001 (left-padded) or 0x01000000 (right-padded)?

Referring to Mario’s vector update (check vector.json change in this PR), I initially thought it should be the latter.

However, after reviewing the relevant EIPs, such as eip-198, eip-2565, eip-7883, and eip-7823, and implementing the hashing comparison, I now think the correct format might be the former (left-padded).

The previous test cases did not fail because, as you mentioned, for some cases the length was smaller than 32, so len(modexp_expected) // 32 evaluated to 0, resulting in no loop execution. Even if the calculated result was non-zero, we should be checking the range from 0 to len(modexp_expected) // 32 + 1. Otherwise, we miss trailing bytes.

Short summary: the legacy approach never fully validated the output format. After switching to the updated verification method, I think these vectors might have an issue:

geth-fail-length

Input:  000000000000000000000000000000000000000000000000000000000000000000
Output: 000000000000000000000000000000000000000000000000000000000000000001

• base_len = 0 → base = 0
• exp_len = 34 → exponent = 34 zero bytes (value 0)
• mod_len = 33 → modulus = 0x...0002 (value 2)
  Per EIP-198, exponent = 0 and modulus > 1 → result is 1, left-padded to modulus length.

guido-4-even

Input:  0001000000000000
Output: 0000000000000001

The result might need to be left-padded, not right-padded.

[LouisTsai-Csie]

I update the implementation and then run consume engine command on the server, it now works fine.

[spencer-tb]

Amazing catch! I struggled to find the issue last night. Could you please update the vectors?
It would be good to run these against the clients!

[spencer-tb]

So we never properly tested the expectation of these cases, from what I can see:

• marius-1-even - 12 bytes expected
• guido-1-even - 16 bytes expected
• guido-2-even - 16 bytes expected
• guido-4-even - 8 bytes expected
• marcin-1-exp-heavy - 8 bytes expected
• marcin-2-exp-heavy - 16 bytes expected
• marcin-3-exp-heavy - 24 bytes expected

Only the call, the gas calculation and the return length!

[spencer-tb]

I update the implementation and then run consume engine command on the server, it now works fine.

Nice! Thanks for taking care of this

[LouisTsai-Csie]

I've already updated the test vector. My current understanding also, is that we never really test the actual data for the return data! For the geth-fail-length, it would be critical as the output provided is even incorrect.

[LouisTsai-Csie]

For this test case, it should take 1200 gas cost after Osaka is activated, but in this test case, it only takes 500. Still looking into the root cause here.

This is one is the "marcin-1-balanced", you can find it in the vectors.json file

[LouisTsai-Csie]

I spent the entire afternoon debugging this issue without understanding what went wrong. So I decided towrite down every step I took, traces, opcode sequences, the LLM conversation history, and all the tricks I tried.
It turned into a lengthy and tedious comment. But after finishing it, I realized the root cause was simply that I forgot to pass the calldata to the transaction. So, it’s fixed now.

[LouisTsai-Csie]

To be honest, I do not know why these timestamp values are 14_999-15_001, I use this trick as this is how Spencer test CLZ opcode.

[marioevz]

All transition forks that are defined in our tests have a transition time hard-coded to 15k seconds.
So on 14,999 we should still see Prague rules, and Osaka rules in the rest.

[LouisTsai-Csie]

For these test cases, the input exceeds the boundary for the ModExp precompile. However, it’s unclear whether the failure is due to exceeding the transaction gas limit or violating the input boundary constraints.

[marioevz]

We should double check this and do the actual calculation of the gas required to do this operation, It might even be higher than the tx gas limit cap introduced in Osaka, and in that case the test might be unnecessary.

[LouisTsai-Csie]

I tested with different input values and evaluated the gas cost. Based on the results, I removed some of the test cases.

If the exponent length exceeds the limit, it’s highly unlikely that the base or modulus could also exceed it. In such cases, the total gas cost will break the transaction gas cap.

For combinations like (base, exponent), (exponent, modulus), or (base, exponent, modulus) that exceed the limit, the gas cost is greater than 500 million.

But I do not evaluate it using fuzzing or formal verification, so there might be some corner case that support such combination. I am wondering how can I prove this attribute.

[LouisTsai-Csie]

To verify the table, you can check this script, compare to eip-7883, and use it ot generate the test case as well as the labels: https://gist.github.com/1c8fd82ac1e75e9cfd1c79e5a2f5fbe6.git

I was inspired by this paper: https://arxiv.org/pdf/2504.12034

[LouisTsai-Csie]

This change is necessary but requires additional refactoring.

For case 4 in modexpFiller.json, the test description is:

4 - Would also parse as a base of 3, an exponent of 65535, and a modulus of 2**255. It attempts to read 32 bytes for the modulus starting from 0x80, but since there’s no further data, it right-pads the result with 31 zero bytes.

Although the operation modulus = input_data[current_index : current_index + modulus_length] is technically valid, as Python silently pads with null bytes when slicing beyond the end, we actually need to left-pad with \x00 instead.

Example: https://onecompiler.com/python/43smfe6dm

Regarding the 1024-byte length restriction, in case 2, the exponent length is 2**256 - 1, which can cause current_index + modulus_length to overflow. Therefore, I added this condition to prevent overflow. It aligns with the logic in EIP-7883, although such a restriction does not exist in EIP-198.

Some idea for refactoring in ModexpInput: We should consider not passing ModexpInput data type to the test, but bytes data instead, this would be much more flexible for strange testing scenario.

[LouisTsai-Csie]

I didn’t create a separate PR for issue #1971, as it depends on the infrastructure introduced in this PR.

There are 37 test cases in the legacy modexpFiller.json test. Most of them have been ported, but the following cases are still pending and require further analysis:

• Case 2: Would parse a base length of 0, a modulus length of 32, and an exponent length of 2256 - 1, where the base is empty, the modulus is 2256 - 2 and the exponent is (2256 - 3) * 256(2**256 - 33) (yes, that's a really big number). It would then immediately fail, as it's not possible to provide enough gas to make that computation.
• Case 28: base length 4TiB
• Case 29: exp length 4TiB; returns 0 because mod is zero
• Case 30: base and mod have zero-length. exp's length is 2^255. Since mod is zero, the result should be zero.
• Case 36: the input found on 10 Oct. 2017 that overflows the gas calculation
• Case 37: input found in July 2022, overflows the gas calculation

1. Based on the description of case 2, 28, 29 and 30, they will fail as eip7623 introduces the upper bound for each field, we already have similar test in test_modexp_invalid_inputs.
2. For case 36, 37, I am checking if it is valid after Fusaka.

[spencer-tb]

Thanks for working on this. Just some small comments for now.

Could you double check my understanding for my comment here:
#1929 (comment)

[spencer-tb]

Nice! I had no idea we had these vectors

[LouisTsai-Csie]

This is from here, could you help check if there is anything missing?

[spencer-tb]

I tried to do this today but had issues with guido-4 and geth-fail vectors. I then realised we have a bug in the chunking method for cases where len(modexp_expected) // 32 = 0. For guido-4 this equates to 8 // 32 = 0. So then we get for i in range(0), meaning we don't store the result for guido-4.

We should try and get the hash method working nonetheless!