## H

## Library EraVM.Introduction

This is the specification of the instruction set of EraVM 1.4.1, a language virtual machine for zkSync Era. It describes the virtual machine's architecture, instruction syntax and semantics, and some elements of system protocol.

## Table of contents

#### Overview

- Glossary: a list of all important recurring terms and notations defined in this document.
- Archoverview: a bird's eye overview of EraVM architecture with links to more detailed descriptions of its parts.
- PrimitiveValue: defines a tagged 256-bit word datatype; can be an integer or a pointer.

#### EraVM Structure

StateDefinitions collects all system state, persistent and transient.

- Registers: a group of isolated read/write memory cells available to all instructions.
- Flags: special registers showing the status of the latest computations.
- Predication: how setting flags makes EraVM skip of execute instructions.
- Memory: transient memory (heap, stack) for supporting computations and persistent storages of contracts.
- PointerDefinitions: definition of pointers to transient memory and operations on them.
- Slices: how individual pointers are restricted to selected subranges of memory addresses.
- Callstack: states of running functions and contracts.
- MemoryContext: how new transient memory is allocated when a contract is called.

#### Instruction Set

- Addressing: how instructions can refer to their arguments.
- Resolution: how instruction arguments are resolved to the operand values.
- InstructionSets: overview of all layers of instruction set and their relations.

Modifiers: recurring modifiers supported by many instructions: mod\_set\_flags and mod\_swap.

AssemblyInstructionSet: instruction set exposed to assembly programmers. CoreInstructionSet: simplified instruction set used to define instruction semantic. MachInstructionDefinition: layout of encoded assembly instructions. Conversions between instruction sets: asm to core and asm to mach.

#### EraVM operation

- Ergs: resource/gas system and basic operation costs.
- MemoryOps: precise formalization of memory writes and reads.

- MemoryForwarding: a mechanism to pass memory slices between contracts.
- Events: different types of events emitted when EraVM is operating.
- KernelMode: privileged mode of execution for system contracts allowing a restricted part of the instructions set.
- StaticMode: mode of execution with limited effects on persistent state.
- SmallStep: formal semantics of instruction execution cycle, in small-step operational style
- Panics: a mechanism of signaling irrecoverable errors and a list of situations where they occur.

#### · Instruction set semantic

Stack manipulation

```
SpAdd: SpAddDefinition: forward stack pointer. SpSub: SpSubDefinition: rewind stack pointer.
```

Arithmetic

```
Add: AddDefinition:
Sub: SubDefinition:
Mul: MulDefinition:
Div: DivDefinition:
```

Bitwise logical

```
And : AndDefinition :
Or : OrDefinition :
Xor : XorDefinition :
```

Bitwise shifts

```
Sh1:ShlDefinition:left logical shift.
Shr:ShrDefinition:right logical shift.
Rol:RolDefinition:left circular shift.
Ror:RorDefinition:right circular shift.
```

Control flow

```
Nop: NopDefinition: do nothing.
```

**Jump**: JumpDefinition: jump to code (conditional jumps are implemented through Predication).

NearCall : NearCallDefinition : call a function in the same contract.

**NearRet**: NearRetDefinition: normal return from near call to the call site, return unspend ergs.

 $\label{lem:nearRevertDefinition:return from near call due to a recoverable error, return unspend ergs, roll back storage/events, execute exception handler.}$ 

NearRetTo: NearRetToDefinition: Like NearRet but returns to explicit label.

**NearRevertTo:** NearRevertToDefinition: like NearRevert but executes code at label instead of exception handler.

Panic: PanicDefinition: trigger panic.

NearPanicTo: NearPanicToDefinition: trigger panic and return to label.

Farcall: FarcallDefinition: call a contract

FarRet: FarRetDefinition: return from farcall.

FarRevert: FarRevertDefinition: like FarRet but roll back storage/events and execute exception handler.

Operations with heaps

LoadPtr : LoadPtrDefinition : load word by a fat pointer.

**LoadPtrInc**: LoadPtrIncDefinition: like LoadPtr, additionally return an incremented pointer.

Load: LoadDefinition: load word from heap by a fat pointer.

LoadInc: LoadIncDefinition: like Load, additionally return offset+32.

Store: StoreDefinition: store word to heap by an offset.

StoreInc: StoreIncDefinition: like Store, additionally return offset+32.

Operations with static memory page (unique "heap"-like unbound page, kernel-only)

StaticRead: StaticReadDefinition: load word from heap by a fat pointer. StaticReadInc: StaticReadIncDefinition: like Load, additionally return offset+32.

StaticWrite: StaticWriteDefinition: store word to heap by an offset.
StaticWriteInc: StaticWriteIncDefinition: like Store, additionally return offset+32.

Operations with pointers

PtrAdd: PtrAddDefinition: increment pointer.

PtrSub: PtrSubDefinition: decrement pointer.

PtrSub: PtrSubDefinition: decrement pointer.

PtrShrink: PtrShrinkDefinition: restrict the range of addresses that a pointer can reference

PtrPack: PtrPackDefinition: put data in the unused high 128 bits of a pointer.

Operations with storage

SStore: SStoreDefinition: store value at a key in storage of the current contract.

SLoad: SLoadDefinition: load value by key from storage of the current contract.

Operations with transient storage (resets after each transaction)

TransientStore: TransientStoreDefinition: store value at a key in transient storage of the current contract.

**TransientLoad**: TransientLoadDefinition: load value by key from transient storage of the current contract.

Events and precompiles

OpEvent: OpEventDefinition: emit an event.
ToL1: ToL1Definition: emit a message to L1.

PrecompileCall: PrecompileCallDefinition: call an extension of VM specific to

currently executing system contract.

**Context**: ContextDefinition: access the context register and context captured value (used to emulate msg.value).

Contract: ContractDefinition: access associated contract addresses (current, caller, or code)

**VM**: VMDefinition: access some parts of VM execution state such as stack pointer.

- ABI (memory layouts of compound data structures serialized to 256-bit words.)
  - Coder: general definitions of encoding, decoding, composition and required properties.
  - NearCallABI
  - FatPointerABI
  - FarCallABI
  - FarRetABI
  - MetaParametersABI: layout of result of ContextMeta.
  - PrecompileParametersABI: layout of result of ContextMeta.

#### Instruction encoding

- EncodingTools: binary encoding of different parts of instruction layout.
- encode\_opcode : encoding source/destination, addressing modes, and all modifiers as a single 11-bit opcode value.
- MachEncoder: the main assembly instruction encoder definition.

#### Elements of protocol

- Bootloader: a system contract in charge of block construction.
- Precompiles: extensions of virtual machine.
- VersionedHash: used to fetch the contract code.
- Decommitter: fetches the contract code.

## Library EraVM.Glossary

Section Glossary.

## **Notations**

- Definitional equality is denoted with A := B. Its meaning is: A can be substituted with B.
- · Ranges of numbers are denoted as follows:

$$[start, limit) := \{n | start \le n < limit\}$$

In other words, start of the range is included, and limit is excluded.

• Accessing subranges of a binary representation of a number is denoted with  $\{low, high\}$ . For example, this denotes a binary number obtained by taking bits from 128-th inclusive to to 256-th exclusive of the value op:

$$op{128,256}$$

• Concatenation of sequences of binary numbers is denoted with ##

For example, the following denotes concatenating bit representations of the numbers a and b:

$$a\#\#b$$

## Glossary

- ABI application binary interface. See ABI.
- Active external frame the closest external frame to the top of call stack. For example, in a callstack (InternalCall (InternalCall (ExternalCall (InternalCall ...)))) the active external frame will be the third frame in stack. See active extframe.
- **Auxheap** one of two heap variants (heap and auxheap), mostly used by system contracts. Executing one of far call instructions creates a new external frame and allocates pages for code, constants, data stack, heap and aux heap.
- Burning ergs setting ergs to zero in topmost call stack frame, external or internal. See Ergs.
- Callstack a stack of context information. Executing one of near call instructions pushes a frame
  of type InternalCall to the callstack, executing one of far call instructions pushes a frame of
  type ExternalCall. See CallStack.
- Checkpoint see state checkpoint. Not to confuse with EraVM snapshot.
- Code page a read only page filled with instruction\_predicated. Created by far calls, filled with code obtained from Decommitter. See code page.
- Const page a read only page filled with constant data. Created by far calls, filled with constants obtained from Decommitter. Can be implemented by putting constants to code pages instead. See const page.
- Context instructions instructions implemented as variants of context machine instruction:
  - OpContextCaller
  - OpContextCodeAddress
  - o OpContextErgsLeft
  - OpContextGetContextU128
  - OpContextIncrementTxNumber
  - OpContextMeta
  - OpContextSetContextU128
  - OpContextSetErgsPerPubdataByte
  - OpContextSp

- OpContextThis
- Running instance of a contract, or a function a set of memory pages, call stack frames, and
  other resources associated with a running contract or function. They are distinct per function/
  contract call
- Current contract contract currently being executed. See ecf\_this\_address and active extframe.
- **Current function** the most recent of functions currently being executed.
- Data page one of types of memory pages. See data page.
- **Data stack** a stack implicitly operated upon by instructions using address modes like RelSpPop or RelSP. Located on pages of type stack\_page. Every contract instance has its own stack; functions invoked by OpNearCall share the stack with their caller.
- Decommitter a module responsible for storing contract code and providing it upon guery.
- Exception handler a code <u>address</u> of a piece of code associated to a call stack frame. This code will be executed if the corresponding function reverts or panics.
- External/internal frame, function/contract frame –
- Far call execution of one of the following instructions: OpFarCall, OpMimicCall, OpDelegateCall.
- **Fat pointer** a full 128-bit data\_page pointer encoding page id, a span of addresses from some starting address and with a specified length, and an offset inside this span. See <u>fat ptr</u>.
- **GPR**, **general purpose register** one of 16 registers r0–r15 containing primitive values. Register r0 is a constant register, can not be written to and is read-only.
- **Heap** one of two heap variants (heap and auxheap), mostly used by system contracts. Executing one of far call instructions creates a new external frame and allocates pages for code, constants, data stack, heap and aux heap.
- **Heap pointer** a pair of address in heap and a limit; it is associated with a span [0;limit). See heap ptr.
- **Heap variant** either Heap or Auxheap, depending on the context.
- Integer value a primitive value with a reset pointer tag. See IntValue.
- L1 level-1, refers to the main Ethereum blockchain, also known as the Ethereum Mainnet. Used to distinguish from scaling solutions or Layer 2 solutions that aim to improve the scalability and throughput of the Ethereum blockchain.
- Log instructions variations of log machine instruction: OpSLoad, OpSStore, OpEvent, OpToL1Message, OpPrecompileCall.
- **Memory forwarding** a mechanism of sharing a read-only fragment ofmemory between contracts. The memory fragment is created from span and described by fat\_ptr. This fragment can be narrowed or shrunk as a result of far call or executing OpPtrShrink.
- Machine instruction a low-level machine instruction with a fixed format. The high-level instruction predicated is encoded to machine instructions.
- Memory growth a process, where an access to a heap variant beyond its bound leads to increasing the bound and payment.
- Narrowing a fat pointer subtract a given number from its length and add it to its start; it is
  guaranteed to not overflow. See <u>fat\_ptr\_narrow</u>. Used when passing a fat pointer to a far call,
  or returning it from a contract.
- Near call calling a function that belongs to the same contract.
- Operand data or the address that is operated upon by the instruction. It represents the input or output values used by the instruction to perform a specific operation or computation. See InstructionArguments.
- Page see page type.
- **Pointer value** a primitive\_value with a set pointer tag. May contain a fat pointer. See PtrValue.
- **Precompile call** an invokation of OpPrecompileCall. Precompiles are extensions of EraVM bound to one of the system contracts. When this contract executes an instruction OpPrecompileCall, EraVM executes an algorithm specific to this contract. See Precompiles.
- **Precompile processor** a module responsible for encoding the algorithms of precompile calls and executing them.
- **Primitive value** a tagged word. See primitive value.

- **Shrinking a fat pointer** subtract a given number from its length; it is guaranteed to not overflow. See fat ptr shrink. Triggered by OpPtrShrink instruction.
- Slice see slice.
- Span see span.
- **Stack page** a type of pages. See stack page.
- System contracts contracts with addresses from 0 to KERNEL MODE MAXADDR LIMIT. They are executed in KernelMode.
- Topmost callstack frame the last frame pushed to call stack.
- **Word** 256-bit unsigned untagged integer value.
- Address resolution a matching between instruction operands and locations using the supported address modes. See resolve.
- Base cost the fixed cost of executing instruction, in ergs. Some instructions imply additional costs, e.g. far calls may require paying for code decommitment. **Bootloader** – a system contract written in YUL in charge of block construction.
- Cell alias to "word". Often used to distinguish between values themselves and the memory locations holding them.
- **Depot** all storages in all shards. See depot.
- **Ergs** resource spent on actions such as executing instructions. See Ergs.
- **Instruction predicate see** Predication.
- Flag see flag state.
- Fully qualified address see fqa key.
- Instruction low-level command or operation that is executed by a virtual machine to perform a specific task. Instructions supported by EraVm are described by the type instruction predicated.
- **Kernel mode** a mode of execution for system contracts opening access to full instruction set. containing instructions potentially harmful to the global state e.g. OpContextIncrementTxNumber. See KernelMode.
- **Key** a 256-bit address of a cell in storage.
- Location see loc.
- **Panic** irrecoverable error. Handled by formally executing OpPanic.
- **Revert** execution of OpRevert, usually as a consequence of recoverable error.
- Malformed transaction a transaction rejected by the bootloader. Handling it is the responsibility of the server that controls EraVM.
- **Predicate see** Predication.
- **Predication** see Predication.
- **Program counter** the code address of the next instruction to be executed. See cf pc.
- Rollback restoration of the qs revertable portion of state as a result of revert or panic. The state is saved at every near or far call. See also state checkpoint.
- **Shard** a collection of storages. See shard.
- Snapshot a copy of the full state of EraVM. Server makes a snapshot of VM state every time a transaction is successfully completed. When the bootloader encounters a malformed transaction, it fails, and the server restarts EraVM from the most recent snapshot, skipping this transaction.
- Server a program that launches EraVM and controls it. Feeds the transactions to the bootloader, provides decommitter and other external modules, restarts EraVM from the latest snapshot in case of malformed transactions.
- Stack pointer the stack address where the next element will be pushed. It is the address of the (top of the stack + 1).
- Static mode see StaticMode.
- **Storage** see storage.
- **Total cost** a sum of base cost of an instruction and all its additional costs.
- **Versioned hash** a key used to retrieve the contract code from decommitter. See versioned hash and Decommitter.
- **VM** the same as EraVM, the abstract virtual machine that this document specifies.

# Library EraVM.Core

```
Require Common.
Import Common ZArith Types.
```

Section Parameters.

Section ArchOverview.

## EraVM architecture overview

EraVM is a 256-bit register-based language machine with two stacks and dedicated memory for code, data, stack and constants.

```
Definition word_bits: nat := 256.

Definition word: Type := BITS word_bits.

word0 is a word with a zero value.

Definition word0: word := fromZ 0%Z.

Helpers
Definition bytes_in_word : nat := word_bits/bits_in_byte.
Definition z_bytes_in_word : Z := Z.of_nat bytes_in_word.

Definition word_to_bytes (w:u256) : tuple.tuple_of 32 u8 := @bitsToBytes 32 w.
Definition bytes_to_word (bs: tuple.tuple_of 32 u8) : word := @bytesToBits_bs.

End Parameters.
```



- Memory provides access to transient memory pages. See Memory.
- Storage provides access to persistent storage with two shards, each shard maps  $2^{160}$  contracts, to a key-value storage. See <code>Depot</code>.
- EventSink collects events and messages to L1. See Events.
- Precompile processor executes system contract-specific extensions to the EraVM instruction set, called precompiles, e.g. keccak256, sha256, and so on. See Precompiles.
- Decommitment processor stores and decommits the code of contracts. See Decommitter.

### Functions and contracts

In EraVM, contracts are the coarse-grained execution units. Contracts may have multiple **functions** in them; a contract may execute its functions by using **near call** instruction OpNearCall. A contract may also call other contracts by using **far call** instructions OpFarCall, OpMimicCall, or

#### OpDelegateCall.

A **running instance** of a function or a contract is a piece of VM runtime state associated with the current execution of a function or a contract, as described by **callstack**.

EraVM allows recursive execution of functions and contracts. For example, a contract A calls a function  $f_1$  which calls a function  $f_2$  which calls a contract B, which calls a function  $g_1$ , which calls A again ...

$$A \rightarrow f_1 \rightarrow f_2 \rightarrow B \rightarrow g_1 \rightarrow A \rightarrow \dots$$

During the execution of  $g_1$ , **running instances** of A,  $f_1$ ,  $f_2$  keep existing, waiting for the control to return to them.

Executing a contract allocates memory pages dedicated to it (see <a href="alloc\_pages\_extframe">alloc\_pages\_extframe</a>). In a running instance of a contract, this contract's functions share these memory pages.

Contracts have more contract-specific state associated to them than functions (compare InternalCall and ExternalCall). However, running instances of both functions and contracts have their own exception handlers, program counters, stack pointers and allocated ergs (see callstack\_common).

### **Execution state**

EraVM's functionality is to sequentially execute instructions.

The main components of EraVM's execution state are:

- 256-bit tagged general-purpose registers R1–R15 and a reserved constant register R0 holding 0.
   See regs state.
- Three flags: OverFlow/Less-Than, EQuals, Greater-Than. See flags state.
- Data stack containing tagged words. It is located on a dedicated stack page.
- Callstack, holding callframes, which contain such information as the program counter, data stack
  pointer, ergs for the current function/contract instance, current contract's address, and so on. See
  CallStack.
- Frames in callstack; can be internal (belong to a function, near called) frames or external frames (belong to a contract, far called, richer state).
- Read-only pages for constants and code, one per contract stack frame.

### Instructions

The type asm instruction describes the supported instructions.

All instructions are predicated: they contain an explicit condition related to the current flags state. If the condition is satisfied, they are executed, otherwise they are skipped (but their basic\_cost is still paid).

Instructions accept data and return results in various formats:

- The formats of instruction operands are described in Addressing.
- The address resolution to locations in memory/registers is described in resolve

• Reading and writing to memory is described in MemoryOps.

## Modes

EraVM has two modes which can be independently turned on and off.

1. Kernel mode/User Mode

First KERNEL\_MODE\_MAXADDR\_LIMIT contracts are marked as **system contracts**. EraVM executes them in kernel mode, allowing an access to a richer instruction set, containing instructions potentially harmful to the global state e.g. OpContextIncrementTxNumber. See KernelMode.

2. Static mode/Non-static mode

Intuitively, executing code in static mode aims at limiting its effects on the global state, similar to executing pure functions. Globally visible actions like emitting events or writing to storage are forbidden in static mode. See StaticMode.

## **Ergs**

Instructions and some other actions should be paid for with a resource called **ergs**, similar to Ethereum's gas. See the overview in Ergs.

## Operation

The VM is started by a server that controls it and feeds the transactions to the Bootloader.

### Context of EraVM

When the server needs to build a new batch, it starts an instance of EraVM.

EraVM accepts three parameters:

- 1. Bootloader's versioned hash. It is used to fetch the bootloader code from Decommitter.
- 2. Default code hash DEFAULT\_AA\_VHASH. It is used to fetch the default code from Decommitter in case of a far call to a contract without any associated code.
- 3. A boolean flag is\_porter\_available, to determine the number of shards (two if zkPorter is available, one otherwise).

Bootloader is a contract written in YUL in charge of block construction. See Bootloader.

 $\label{lem:code} \textbf{EraVM retrives the code of bootloader from $\tt Decommitter and proceeds with sequential execution of instructions on the bootloader's code page.}$ 

### Failures and rollbacks

There are three types of behaviors triggered by execution failures.

 Skipping a malformed transaction. It is a mechanism implemented by the server, external to EraVM. Server makes a snapshot of EraVM state after completing every transaction. When the bootloader encounters a malformed transaction, it fails, and the server restarts EraVM from the most recent snapshot, skipping this transaction.

This behavior is specific to bootloader; the contract code has no ways of invoking it.

- Revert is triggered by the contract code explicitly by executing OpRevert. EraVM saves its
  persistent state to state\_checkpoint on every near or far call. If the contract code
  identifies a recoverable error, it may execute OpRevert. Then EraVM rolls the storage and
  event queues back to the last state\_checkpoint and executes the exception handler.
  See rollback.
- 3. Panic is triggered either explicitly by executing OpPanic/OpNearPanicTo, or internally when some execution invariants are violated. For example, attempting to execute in user mode an instruction, which is exclusive to kernel mode, results in panic.

On panic, the persistent state of EraVM is rolled back in the same way as on revert. See rollback.

```
End ArchOverview.
Definition timestamp := nat.
Definition tx_num := u16.
```

# Library EraVM.PrimitiveValue

Require Types.

Section PrimitiveValue.

## Primitive values

**Primitive value** is a tagged word. The tag is ptr is a boolean.

- If is\_ptr is set, it is guaranteed that the lowest 128-bits of the word contain a serialized fat\_ptr. Such values can be used as operands in instructions that require pointer arguments, for example, OpPtrAdd. The other half (128 most significant bits) may hold meaningful data, e.g. when forming a value according to FarCall ABI using Assembly.OpPtrPack instruction.
- If is\_ptr is cleared, there are no guarantees to its value. It may contain an integer, a representation of a heap\_ptr, a representation of a span of addresses, etc.

```
Context {word:Type}.
Inductive primitive_value :=
  mk_pv {
      is_ptr: bool;
      value: word;
    }.
```

Only Registers and stack\_pages hold primitive values; other types of memory, including storage and heap pages, contain non-tagged data.

Function clear pointer tag clears the pointer tag of a primitive value.

```
Definition clear_pointer_tag (pv:primitive_value): primitive_value := match pv with | mk_pv _ value \Rightarrow mk_pv false value end.
```

End PrimitiveValue.

For brevity, a primitive value is called a pointer value if its tag is set, and integer value otherwise.

```
Notation IntValue := (mk_pv false).

Notation PtrValue := (mk_pv true).

Definition pv0 := IntValue Types.zero256.
```

## Library EraVM.State

```
From RecordUpdate Require Import RecordSet.
Require ABI Core Decommitter GPR Ergs Event History CallStack TransientMemory
VMPanic.
Import ssreflect ssrfun ssrbool eqtype ssreflect.tuple zmodp.
Import RecordSetNotations.
Import Core Flags ZArith ABI Common GPR Ergs Event CallStack History MemoryBase
memory. Depot Decommitter Predication Primitive Value Transient Memory VMPanic.
Section StateDefinitions.
Definition exception handler := code address.
Definition instruction invalid: predicated Assembly.asm instruction: = invalid
Assembly.OpInvalid.
Definition decommitter := decommitter instruction invalid.
Definition code page := code page instruction invalid.
Definition memory := @memory code page const page data page stack page.
Definition query := @query [ eqType of contract address] [eqType of
PrecompileParametersABI.params].
Definition event := @event [ eqType of contract_address].
Definition page has id := @page has id code page const page data page
stack page.
```

## EraVM state

EraVM employs a state that comprises the following components:

- 1. The global state contains:
- before 1.5: current price of publishing one byte of pubdata to L1 gs\_current\_ergs\_per\_pubdata\_byte.
- since 1.5: of publishing one byte of pubdata to L1 gs current ergs per pubdata byte.
- transaction number in the current block gs tx number in block
- decommitter gs contracts
- a revertable part <a href="state\_checkpoint">state\_checkpoint</a>. It houses the **depot** state, embodying all contracts storages across all shards, as well as two queues for events and L1 messages.

Launching a contract (far call) or a function (near call) defines a checkpoint. If a contract or a function reverts or panics, the state rolls back to the latest snapshot (see rollback).

The rollback may be implemented in any efficient way conforming to this behavior.

```
Record state_checkpoint := {
    gs_depot: depot;
    gs_events: @history [eqType of query];
    gs_ll_msgs: @history [eqType of event];
}.

Record global_state :=
    mk_gstate {
    gs_current_ergs_per_pubdata_byte: ergs;
    gs_tx_number_in_block: tx_num;
    gs_contracts: decommitter;
    gs_revertable:> state_checkpoint;
    }.

Inductive rollback checkpoint: global_state → global_state → Prop :=
| rb_apply: ∀ e tx ccs_cp,
    rollback checkpoint (mk_gstate e tx ccs_cp) (mk_gstate e tx ccs_checkpoint).
```

- 2. The transient state contains:
  - flags gs\_flags: boolean values representing some characteristics of the computation results. See Flags.
  - general purpose registers gs\_regs: 15 mutable tagged words (primitive values)
     r1-r15, and a reserved read-only zero valued r0. See Registers.
  - all memory gs\_pages allocated by VM, including code pages, data stack pages, data pages for heap variants etc. See memory.

- gs\_callstack, where each currently running contract and function has a stack frame. Note, that program counter, data stack pointer, and the remaining ergs allocated for the current function's run are parts of a stack frame. See Callstack.
- 128-bit register gs context u128. Its usage is detailed below.

#### helpers

```
Definition callstack := @callstack state_checkpoint.
Record transient_state :=
    mk_transient_state {
        gs_flags : flags_state;
        gs_regs: regs_state;
        gs_pages: memory;
        gs_callstack: callstack;
        gs_context_u128: u128;
        gs_status: status;
    }.

Record state :=
    mk_state {
        gs_transient :> transient_state;
        gs_global :> global_state;
    }.
```

## Context register

The 128-bit context value occurs in two places in EraVM:

- In the mutable gs context u128 register, forming a part of the EraVM state state.
- In the read-only ecf\_context\_u128\_value of each external call stack frame callstack\_external.

These values are distinct: the value in callstack is a snapshot of the register gs\_context\_u128 in a moment of a far call.

The typical usage of the context value is as follows:

- 1. Set the value of gs\_context\_u128 to C by executing the instruction OpContextSetContextU128.
- 2. Launch a contract using one of the far call instructions. This action pushes a new callstack\_external frame F onto the gs\_callstack. The value of the F's field ecf\_context\_u128\_value is equal to C. In addition, far calls reset gs\_context\_u128 to 0.
- 3. Retrieve the context value by executing the instruction OpContextGetContextU128 to use it.
- 4. On contract code completion, the gs\_context\_u128 is reset to zero by either OpFarRet, OpFarRevert, or OpPanic.

Note that setting the context register gs context u128 is forbidden in StaticMode. See

#### forbidden static.

Context is used to simulate msg.value, a Solidity construction standing for the amount of wei sent in a transaction. The system contract MsgValueSimulator is responsible for ensuring that whenever this context value is set to C, there are indeed C wei transferred to the callee.

#### Helpers

```
Inductive global state new depot: depot → global state → global state → Prop :=
| gsnd apply: ∀ current ergs per pubdata byte tx codes d evs 11s d',
 global state new depot d'
   gs current ergs per pubdata byte := current ergs per pubdata byte;
   gs tx number in block := tx;
   gs contracts := codes;
   gs_revertable := {| gs_depot := d; gs_events := evs; gs_l1_msgs := l1s |} ;
 | }
 { |
   gs current ergs per pubdata byte := current ergs per pubdata byte;
   gs tx number in block := tx;
   gs contracts := codes;
   gs revertable := {| gs depot := d'; gs events := evs; gs l1 msgs := l1s |}
 | } .
Inductive emit event e: global state → global state → Prop :=
| ee apply: ∀ current ergs per pubdata byte tx codes d evs 11s d',
 emit event e
   gs current ergs per pubdata byte := current ergs per pubdata byte;
   gs_tx_number in block := tx;
   gs contracts := codes;
   gs revertable := {| gs depot := d; gs events := evs; gs l1 msgs := l1s |} ;
 | }
 { |
   gs current ergs per pubdata byte := current ergs per pubdata byte;
   gs tx number in block := tx;
   gs contracts := codes;
   gs revertable := {| gs depot := d'; gs events := e::evs; gs l1 msgs := l1s
|};
 | } .
Inductive emit 11 msg e: global state → global state → Prop :=
| eel1 apply: ∀ current ergs per pubdata byte tx codes d evs 11s d',
 emit 11 msg e
 { |
   gs current ergs per pubdata byte := current ergs per pubdata byte;
   gs tx number in block := tx;
   gs contracts := codes;
   gs revertable := {| gs depot := d; gs events := evs; gs l1 msgs := l1s |} ;
 { |
   gs current ergs per pubdata byte := current ergs per pubdata byte;
```

```
gs tx number in block := tx;
    gs contracts := codes;
    gs revertable := {| gs depot := d'; gs events := evs; gs l1 msgs := e::l1s
|};
 | } .
Inductive tx inc : tx num \rightarrow tx num \rightarrow Prop := | txi apply: \forall n m, uinc of n =
(false, m) \rightarrow tx inc n m.
Inductive global state increment tx tx mod: global state → global state → Prop
\mid gsit apply: \forall current ergs per pubdata byte tx new tx codes rev ,
  tx \mod tx   new  tx  \rightarrow
  global state increment tx tx mod
    gs current ergs per pubdata byte := current ergs per pubdata byte;
    gs tx number in block := tx;
    gs contracts := codes;
    gs revertable := rev;
    gs current ergs per pubdata byte := current ergs per pubdata byte;
    gs_tx_number_in_block := new_tx;
   gs contracts := codes;
    gs revertable := rev;
 | } .
End StateDefinitions.
Definition heap_variant_page_id (page_type: data_page_type)
  : callstack → page id :=
 match page_type with
 | Heap ⇒ @active heap id state checkpoint
 | AuxHeap ⇒ @active auxheap id state checkpoint
 end.
Definition heap_variant_page (page_type: data_page_type) (cs:callstack)
(mem:memory) :=
   match page type with
   | Heap ⇒ active heappage
    | AuxHeap ⇒ active auxheappage
    end (page has id mem) cs .
Definition heap_variant_id (page_type: data_page_type)
  : callstack → page id :=
 match page type with
 | Heap \Rightarrow @active heap id
 | AuxHeap \Rightarrow @active auxheap id
 end state checkpoint.
```

# Library EraVM.GPR

From RecordUpdate Require Import RecordSet. Require Core List PrimitiveValue.

```
Import Core PrimitiveValue.

Section Registers.
  Import RecordSetNotations.
  Context (pv := @primitive value Core.word).
```

# GPR (General Purpose Registers)

EraVM has 15 mutable general purpose registers R1, R2, ..., R15. They hold primitive\_value word, so they are tagged 256-bit words. The tag is set when the register contains a fat pointer in its 128 least significant bits (it may contain other useful data in topmost 128-bits; this is used e.g. for encoding parameters of FarCall).

Additionally, EraVM has one read-only, **constant register** R0 which evaluates to IntValue 0, that is, an untagged integer 0.

```
Inductive reg name : Set :=
 R0 | R1 | R2 | R3 | R4 | R5 | R6 | R7 | R8 | R9 | R10 | R11 | R12 | R13
| R14 | R15.
Record regs_state := mk_regs {
                          r1 : pv;
                          r2 : pv;
                          r3 : pv;
                          r4 : pv;
                          r5 : pv;
                          r6 : pv;
                          r7 : pv;
                          r8 : pv;
                          r9 : pv;
                          r10 : pv;
                          r11 : pv;
                          r12 : pv;
                          r13 : pv;
                          r14 : pv;
                          r15 : pv;
                        } .
```

Function fetch gpr loads a value from register.

```
Definition fetch_gpr (rs:regs_state) (r:reg_name) : pv :=
  match r with
  | R0 ⇒ IntValue word0
  | R1 ⇒ r1 rs
  | R2 ⇒ r2 rs
  | R3 ⇒ r3 rs
  | R4 ⇒ r4 rs
```

```
| R5 \Rightarrow r5 rs
    | R6 \Rightarrow r6 rs
    | R7 \Rightarrow r7 rs
    | R8 \Rightarrow r8 rs
    | R9 \Rightarrow r9 rs
    | R10 \Rightarrow r10 rs
     \mid R11 \Rightarrow r11 rs
     | R12 \Rightarrow r12 rs
    \mid R13 \Rightarrow r13 rs
    | R14 \Rightarrow r14 rs
    \mid R15 \Rightarrow r15 rs
    end.
helpers
  #[export] Instance etaGPRs : Settable := settable! mk regs < r1; r2; r3;</pre>
r4; r5; r6; r7; r8; r9; r10; r11; r12; r13; r14; r15 >.
 Predicate store gpr stores value to a general purpose register. Storing to R0 is ignored.
  Definition store gpr (rs: regs state) (name: reg name) (pv: primitive value)
: regs state :=
    match name with
    | R0 \Rightarrow rs
     | R1 \Rightarrow rs < | r1 := pv| >
     | R2 \Rightarrow rs < | r2 := pv| >
    | R3 \Rightarrow rs < | r3 := pv| >
    | R4 \Rightarrow rs < | r4 := pv| >
    | R5 \Rightarrow rs < | r5 := pv| >
    | R6 \Rightarrow rs < | r6 := pv| >
    | R7 \Rightarrow rs < | r7 := pv| >
    | R8 \Rightarrow rs < | r8 := pv| >
    | R9 \Rightarrow rs < | r9 := pv| >
    | R10 ⇒rs <| r10 := pv|>
    | R11 ⇒rs <| r11 := pv|>
    | R12 \Rightarrow rs < | r12 := pv| >
    | R13 \Rightarrow rs < | r13 := pv| >
    | R14 ⇒rs <| r14 := pv|>
    | R15 \Rightarrow rs < | r15 := pv| >
    end.
  Definition reg map f (rs:regs state) : regs state :=
    match rs with
     | mk regs r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 r12 r13 r14 r15 \Rightarrow
          ( mk regs (f r1) (f r2) (f r3) (f r4) (f r5) (f r6) (f r7) (f r8) (f
r9) (f r10) (f r11) (f r12) (f r13) (f r14) (f r15))
    end.
End Registers.
```

# Library EraVM.Flags

```
Require Bool. Import Bool.
```

# Flags

Flags are boolean values, which reflect certain characteristics of the result of the last instruction.

It is commonly said that a flag is **set** if its value is **true**, and a flag is **cleared** if its value is false.

In EraVM there are three flags:

1. OF LT: overflow or less than;

```
Inductive OF_LT := Set_OF_LT | Clear_OF_LT.
```

```
2. EQ: equals;
```

```
Inductive EQ := Set EQ | Clear EQ.
```

3. GT: greater than.

```
Inductive GT := Set GT | Clear GT.
```

#### More specifically:

- 1. OF LT is set in the following cases:
  - Overflow
  - Underflow
  - Division by zero
  - Panic, then when the exception handler starts execution, OF LT is set.
- 2. EQ is set when the result of a binary operation is zero.
- 3. GT is set when the first operand of a binary operation was greater than the second.

#### Helpers

```
Definition OF_LT_to_bool (f:OF_LT) := if f then true else false.
Definition EQ_to_bool (f:EQ) := if f then true else false.
Definition GT_to_bool (f:GT) := if f then true else false.

#[reversible]
   Coercion OF_LT_to_bool : OF_LT >-> bool.
#[reversible]
   Coercion EQ_to_bool : EQ >-> bool.
#[reversible]
   Coercion GT_to_bool : GT >-> bool.
```

```
Definition EQ_of_bool (f:bool) := if f then Set_EQ else Clear_EQ.

Definition OF_LT_of_bool (f:bool) := if f then Set_OF_LT else Clear_OF_LT.

Definition GT_of_bool (f:bool) := if f then Set_GT else Clear_GT.
```

State of three flags  ${\tt flags\_state}$  is stored in the global  ${\tt state}$  in the field  ${\tt gs\_xstate}$  in the field  ${\tt gs\_flags}$ .

## Usage

Flags are used to control the execution flow. See Predication.

#### Helpers

# Library EraVM.Predication

```
Require Common Flags.

Import Common Flags.

Import ssrbool.

Section Predication.
```

## Predication

Every instruction on the code\_page is predicated, meaning it is augmented with a predicate. A predicate describes a condition on flags; if this condition is satisfied, then the instruction is executed; otherwise, EraVM skips the instruction.

When an instruction is skipped, its base cost is still paid.

```
Inductive predicate : Set :=
| IfAlways | IfGT | IfEQ | IfLT | IfGE | IfLE | IfNotEQ | IfGTOrLT.
Definition predicate holds (c:predicate) (fs:flags state) : bool :=
  match c, fs with
  | IfAlways,
 | IfGT, mk_fs _ _ Set_GT
| IfEQ, mk_fs _ Set_EQ _
  | IfLT, mk_fs Set_OF_LT _ _
  | IfGE, mk_fs _ Set_EQ
 | IfGE, mk_fs _ Set_GT
| IfLE, mk_fs _ Set_EQ _
 | IfLE, mk fs Set OF LT
  | IfNotEQ, mk_fs _ Clear_EQ _
  | IfGTOrLT, mk fs Set OF LT
  | IfGTOrLT,mk_fs \_ \_ Set_GT \Rightarrow true
  | _{'} \rightarrow false
Inductive predicate spec: predicate → flags state → Prop
\mid ac Always: \forall fs,
    predicate spec IfAlways fs
\mid ac GT: \forall of \existst eq,
    predicate spec IfGT (mk fs of lt eq Set GT)
\mid ac EQ: \forall of \existst gt,
    predicate_spec IfEQ (mk_fs of_lt Set_EQ gt)
\mid ac LT: \forall eq gt,
    predicate spec IfLT (mk fs Set OF LT eq gt)
\mid ac GE1: \forall fs,
    predicate spec IfEQ fs \rightarrow
    predicate spec IfGE fs
| ac GE2: \forall fs,
    predicate spec IfGT fs →
    predicate spec IfGE fs
\mid ac LE1: \forall fs,
    predicate spec IfLT fs →
    predicate spec IfLE fs
```

```
\mid ac LE2: \forall fs,
      predicate spec IfEQ fs \rightarrow
      predicate spec IfLE fs
  \mid ac NotEQ: \forall of lt gt,
      predicate spec IfNotEQ (mk fs of lt Clear EQ gt)
  \mid ac IfGTOrLT1: \forall fs,
      predicate spec IfGT fs→
      predicate spec IfGTOrLT fs
  \mid ac IfGTOrLT2: \forall fs,
      predicate spec IfLT fs→
      predicate spec IfGTOrLT fs
proofs
 Hint Constructors predicate_spec:flags.
 Theorem predicate holds spec :
    ∀ c fs, predicate holds c fs = true ↔ predicate spec c fs.
  Proof.
    split; destruct c, fs as [[] []];
      simpl in *; try solve [auto with flags| inversion 1; inversion H0].
  Oed.
 Theorem predicate activated dec: ∀ ec flags, decidable (predicate spec ec
flags).
 Proof.
   intros ec flags.
   unfold decidable.
   destruct ec, flags as [[][][]]; solve [left;constructor| right;inversion 1
| auto with flags | right; inversion 1; subst; inversion H0].
  Defined.
 Record predicated (instruction:Type): Type :=
    Ins {
       ins spec: instruction;
        ins cond: predicate;
      } .
 Invalid instruction. It is a default value on code pages. See code page.
  Definition invalid {I} (ins:I) : predicated I :=
    { |
      ins spec := ins;
      ins cond:= IfAlways
```

| } .

End Predication.

# Library EraVM.TransientMemory

Require PrimitiveValue memory.Pages memory.PageTypes Pointer.

Import PrimitiveValue memory.Pages memory.PageTypes Pointer.

Export memory.Pages memory.PageTypes.

## Informal overview

All memory available to the contract code can be divided into transient and persistent memory.

- Transient memory exists to enable computations and does not persist between VM, like the main memory of personal computers.
- **Persistent memory** exists as a storage of untagged 256-bit words shared between the network participants.

Contract code uses transient memory to perform computations and uses the storage to publish its results

## Persistent memory

The global persistent data structure is the depot. It holds untagged 256-bit words.

Depot is split in two shards: one corresponds to rollup, another to porter (see shard exists).

Each shard is a map from a contract\_address (160 bit, might be extended in future to up to 256 bits) to contract storage.

Each contract storage is a linear mapping from  $2^{256}$  keys to 256-bit untagged words.

To address a word in any contract's storage, it is sufficient to know:

- shard
- contract address
- key

See fqa\_key.

Contract has one independent storage per shard.

One shard is selected as currently active in state.

Contract code is global and shared between shards.

## Transient memory

Transient memory consists of **pages** (page\_type) holding data or code. Each page holds  $2^{32}$  bytes; all bytes are initialized to zero at genesis.

New pages are allocated implicitly when the contract execution starts; calling another contract allocates more pages. Pages persist for as long as they are referenced from the live code.

Pages hold one of:

- data:  $2^{32}$  byte-addressable data for heap or auxheap; bounded, so reading or writing outside bounds leads to a paid growth of available portion.
- code: instruction-addressable, read-only;
- constants:  $2^{16}$  word-addressable, read-only;
- stack:  $2^{16}$  words, word-addressable, tagged words. When the execution of a contract starts, the initial value of stack pointer is INITIAL SP ON FAR CALL.

The following describes all types of memory formally and with greater detail.

The definition vm page collects the specific types of pages used by EraVM semantic.

```
Definition stack_address := stack_address pv0.
Definition stack_address_bits := stack_address_bits pv0.
Definition stack_page := stack_page pv0.
Definition stack_page_params := stack_page_params pv0.

#[global]
    Canonical vm_page {instr} (inv:instr) type : page := @mk_page (code_page inv) const_page data_page stack_page type.

#[global]
    Canonical vm_mem {instr} (inv:instr) type : memory := @mk_pages (code_page inv) const_page data_page stack_page type.
```

# Library EraVM.memory.Depot

```
Require Core PrimitiveValue MemoryBase.

Import Common Core MemoryBase BinInt PrimitiveValue.

Section Depot.
```

# Storage of a contract

A **storage** is a persistent linear mapping from  $2^{256}$  addresses to words.

Therefore, given a storage, each word storage is addressed through a 256-bit address.

In storage, individual bytes inside a word can not be addressed directly: a load or a store happen on a word level.

Both word address in storage and word width are 256 bits.

All words in a storage are zero-initialized on genesis. Therefore, reading storage word prior to writing yields zero. It is a well-defined behavior.

Storage start blanks.

```
Definition storage_empty : storage := empty storage_params.
```

Storage does not hold contract code, it is a responsibility of decommitment processor decommitter.

Storage is a part of a shard, which is a part of depot.

One storage is selected as an active storage, it is the storage corresponding to the current\_shard and current\_contract.

Use the instruction Opsstore to write to the active storage, Opsload to read from the active storage.

## Instructions

Instruction OpSLoad implements reading from storage; instruction OpSStore implements writing to storage.

## Memory model

Storage has a sequentially-consistent, strong memory model. All writes are atomic and immediately visible; reads are guaranteed to return the last value written.

## Shards and contracts

A **contract** is uniquely identified by its 160-bit address **contract\_address**. In future, the address could be seamlessly extended to up to 256 bits.

A **shard** is a mapping of contract addresses to storages.

Therefore, every contract is associated with as many storages as there are shards.

Contracts are also associated with code. The association is global per depot and implemented by <code>Decommitter</code>. Therefore, the contract code is the same for all shards, but the storages of a contract in different shards differ.

Unlike in Ethereum, there is only type of accounts capable of both transacting coins and executing contracts.

Contracts with addresses in range from 0 (inclusive) to KERNEL\_MODE\_MAXADDR (exclusive) are system contracts; they are allowed to execute all instructions.

## Depot

**Depot** is a collection of shards. Depot is the global storage of storages of all contracts.

```
Definition depot_params :=
    {|
       addressable_block := shard;
      address_bits := 8;
      default_value := empty _;
      writable := true
```

```
| } .
  Definition depot := mem parameterized depot params.
  Definition shard id := BITS (address bits depot params).
 There are currently two shards: one for zkRollup, one for zkPorter.
  Inductive shard exists: shard id → Prop :=
  | se rollup: shard exists (fromZ 0)
  | se porter: shard exists (fromZ 1)
 The fully qualified address of a word in depot is a triple:
  (shard_id,contract_id,key)
 It is formalized by fqa key.
  Record fqa_storage := mk_fqa_storage {
                             k shard: shard id;
                             k contract: contract address;
  Record fqa_key := mk_fqa_key {
                         k storage :> fqa storage;
                         k key: storage address
  Inductive storage get (d: depot): fqa storage → storage → Prop :=
  \mid sg apply: \forall storage shard s c st,
      shard exists s \rightarrow
      MemoryBase.load result depot params s d shard \rightarrow
      MemoryBase.load result shard params c shard storage →
      storage get d (mk fqa storage s c) st .
  Inductive storage read (d: depot): fqa key → word → Prop :=
  | sr apply: ∀ storage sk c w,
      storage get d sk storage →
      storage read d (mk fqa key sk c) w.
  Inductive storage write (d: depot): fqa key → word → depot → Prop :=
  | sw apply: ∀ storage shard sk s c k w shard' depot' storage',
      storage get d sk storage →
      MemoryBase.store result storage params k storage w storage' →
      MemoryBase.store result shard params c shard storage' shard' →
      MemoryBase.store result depot params s d shard' depot' →
      storage write d (mk fqa key sk k) w depot'.
End Depot.
```

# Library EraVM.memory.Pages

```
Require Common MemoryBase.

Import Common MemoryBase.

Section Pages.
```

# Main memory (transient)

## Memory structure

Contract execution routinely uses **main memory** to hold instructions, stack, heaps, and constants.

When the execution of a contract starts, new pages are allocated for:

```
    contract code: code_page, fetched by decommitter; see Decommitter and FarCallDefinitions);
    data stack: stack_page;
    heap: data_page;
    aux_heap: data_page;
    constants: const_page, implementation may chose to allocate code and constants on the same page.
```

Therefore, the types of pages are: data pages, stack pages, constant data pages, and code pages.

Memory is a collection of pages memory, each page is attributed a unique identifier page\_id. Pages persist for as long as they can be read by some code; in presence of FatPointer the page lifetime may exceed the lifetime of the frame that created it.

```
Definition page_id := nat.
Definition pages := list (page_id × page).
Record memory := mk pages {
```

```
mem_pages:> pages;
}.

Inductive page_has_id : memory → page_id → page → Prop :=
| mpid_select : ∀ mm id page,
    List.In (id, page) mm →
    page_has_id (mk_pages mm) id page.
```

The set of identifiers has a complete linear order, ordering the pages by the time of creation. The ability to distinguish older pages from newer is necessary to prevent returning fat pointers to pages from older frames. See e.g. step\_RetExt\_ForwardFatPointer.

```
Section Order.
  Definition page_ordering := Nat.leb.
  Definition page_eq x y := page_ordering x y && page_ordering y x.
  Definition page_neq x y := negb (page_eq x y).
  Definition page_older (id1 id2: page_id) : bool :=
     page_ordering id1 id2.
End Order.
```

Predicate page\_replace describes a relation between two memories m1 and m2, where m2 is a copy of m1 but a page with it id is replaced by another page p.

Function page\_alloc creates a new page in memory.

End Pages.

```
Definition page_alloc (p:page) (m: memory) : memory :=
  let new_id := length (mem_pages m) in
  match m with
  | mk_pages mem_pages \Rightarrow mk_pages (cons (new_id, p) mem_pages)
  end.
```

# Library EraVM.memory.PageTypes

```
Require List Core MemoryBase.

Import Common Core MemoryBase List.

Section Memory.
```

## Data pages

A **data page** contains individually addressable bytes. Each data page holds  $2^{32}$  bytes.

There are currently two types of data pages:

- Heap
- AuxHeap.

We call both of them **heap variants** for brevity, as in almost all cases they are handled in a similar way.

```
Inductive data_page_type := Heap | AuxHeap.
Definition page_bound := prod data_page_type mem_address.

Local Open Scope ZMod_scope.
Definition growth (current_bound: mem_address) (query_bound: mem_address)
    : mem_address :=
    if query_bound < current_bound then zero32 else
        snd (query_bound - current_bound)</pre>
```

Note: only selected few instructions can access data pages:

- OpLoad/OpLoadInc
- OpStore/OpStoreInc
- OpLoadPointer/OpLoadPointerInc

Every byte on data pages has an address, but these instructions read or store 32-byte words.

Fat pointers fat ptr define slices of data pages and allow passing them between contracts.

### Stack pages

A **stack page** contains  $2^{16}$  primitive values (see <u>primitive\_value</u>). Reminder: primitive values are tagged words.

#### Data stack in EraVM

There are two stacks in EraVM: call stack to support the execution of functions and contracts, and data stack to facilitate computations. This section details the data stack.

At each moment of execution, one stack page is active; it is associated with the topmost of external frames, which belongs to the contract currently being executed. See <a href="mailto:active\_extframe">active\_extframe</a>, its field <a href="mailto:ecf\_mem\_ctx">ecf\_mem\_ctx</a> and subfield <a href="mailto:ctx\_stack\_page\_id">ctx\_stack\_page\_id</a>.

Each contract instance has an independent stack on a separate page. Instead of zero, stack pointer on new stack pages start with a value INITIAL\_SP\_ON\_FAR\_CALL. Stack addresses in range [0; INITIAL\_SP\_ON\_FAR\_CALL) can be used as a scratch space.

Topmost frame of the callstack, whether internal or external, contains the stack pointer (SP) value  $cf\_sp$ ; which points to the address after the topmost element of the stack. That means that the topmost element of the stack is located in word number (SP-1) on the associated stack page.

Data stack grows towards greater addresses. In other words, pushing to stack increases stack pointer value, and popping elements decreases stack pointer.

### Const pages

A **const page** contains  $2^{16}$  non tagged words. They are not writable.

Implementation may put constants and code on the same pages. In this case, the bytes on the same virtual page can be addressed in two ways:

- For instructions OpJump and OpNearCall, the code addressing will be used: consecutive addresses correspond to 8-bytes instructions.
- For instructions like OpAdd with CodeAddr addressing mode, the const data addressing will be used: consecutive addresses correspond to 32-bytes words.

For example, OpJump 0, OpJump 1, OpJump 2, OpJump 3 will refer to the first four instructions on the page; their binary representations, put together, can be fetched by addressing the const page's 0-th word e.g. OpAdd (CodeAddr R0 zero\_16) (Reg R0) (Reg R1).

### Code pages

A  $\operatorname{\mathbf{code}}$  page contains  $2^{16}$  instructions. They are not writable.

On genesis, code pages are filled as follows:

- The contract code is places starting from the address 0.
- The rest is filled with a value guaranteed to decode as invalid instruction.

Const pages can coincide with code pages.

# Library EraVM.Pointer

```
From RecordUpdate Require Import RecordSet.

Require memory.Pages memory.PageTypes.

Import Arith Core Common MemoryBase PageTypes Pages RecordSetNotations BinInt zmodp.

Import ssreflect.tuple ssreflect.eqtype.

Section PointerDefinitions.
   Context (bytes_in_word := u32_of z_bytes_in_word).

Open Scope ZMod_scope.
```

This library describes concepts related to data pages: spans, heap pointers, and fat pointers.

## Span

A **span** is a range of addresses from  $s_start$  inclusive to  $s_start + s_length$  exclusive. It is not bound to a specific page.

```
Record span :=
    mk_span {
        s_start : mem_address;
        s_length: mem_address;
    }.

Definition span_empty := mk_span zero32 zero32.

Inductive span_limit: span → mem_address → Prop :=
    | sl_apply:∀ start length limit,
        (false, limit) = start + length →
        span_limit (mk_span start length) limit.

Inductive bound of_span : span → data_page_type → page_bound → Prop :=
    | qos apply: ∀ s limit hv,
```

```
span_limit s limit →
bound of span s hv (hv, limit).
```

## Usage

Passing a span in ForwardNewHeapPointer as an argument to far calls or far returns creates a fat pointer. The required encoding is described by FarRetABI or FarCallABI. See FarCallDefinitions and FarRet.

See also: Slices.

In EraVM, heap variants have a bound, stored in call stack frames (see ctx\_heap\_bound of ecf\_mem\_ctx). If memory is accessed beyond this bound, the bound is adjusted and the growth (difference between bounds) is paid in ergs. Definition span\_induced\_growth computes how many bytes should the user pay for.

```
Inductive span_induced_growth: span → mem_address → mem_address → Prop :=
| gb_bytes: ∀ start length query_bound current_bound diff,
    start + length = (false,query_bound) →
    diff = growth current_bound query_bound →
    span_induced_growth (mk_span start length) current_bound diff.
```

Section HeapPointer.

## Heap pointer

A **heap pointer** is an absolute address hp\_addr on some data page. Heap pointers are used in instructions:

- OpLoad/OpLoadInc
- OpStore/OpStoreInc

```
Record heap_ptr :=
    mk_hptr
    {
        hp_addr: mem_address;
    }.
Definition heap_ptr_empty : heap_ptr := mk_hptr zero32.

Inductive hp_resolves_to : heap_ptr → mem_address → Prop :=
| tpr_apply: ∀ addr,
        hp resolves to (mk hptr addr) addr.
```

Incrementing a heap pointer with hp\_inc increases its offset by 32, the size of a word in bytes. This is used by instructions OpLoadInc and OpStoreInc.

```
Inductive hp_inc : heap_ptr → heap_ptr → Prop :=
|fpi_apply :
| V ofs ofs',
| ofs + bytes_in_word = (false,ofs') →
| hp_inc (mk_hptr ofs) (mk_hptr ofs').

Definition hp_inc_OF (hp: heap_ptr) : option heap_ptr :=
| match hp with | mk_hptr ofs ⇒
| match ofs + bytes_in_word with | (false, ofs') ⇒ Some (mk_hptr ofs') |
| _ ⇒ None | end | end.
```

## Usage

Heap pointers are used by the following instructions:

- OpLoad/OpLoadInc
- OpStore/OpStoreInc

The layout of a heap pointer in a 256-bit word is described by decode heap ptr.

## Relation to fat pointers

Heap pointers are bearing a similarity to fat pointers. They can be thought about as fat pointers where:

- the span starts at 0;
- an offset is the address;
- length is the limit, and
- page ID is ignored.

Heap pointers are not necessarily tagged and do not receive any special treatment from the VM's side.

End HeapPointer.

Definition free ptr is auxiliary and is only used to facilitate the definition of fat ptr.

```
Record free_ptr :=
    mk_ptr {
        p_span :> span;
        p_offset: mem_address;
    }.

Definition fresh_ptr (s:span) : free_ptr :=
    mk_ptr s zero32.

Definition validate_in_bounds (p:free_ptr) : bool := p.(p_offset) <</pre>
```

Section FatPointer.

#### Fat pointer

A **fat pointer** defines an address inside a span of a specific data memory page fp\_page. We may denote is as a 4-tuple: ( page, start, length, offset). These four components are enough to unambiguously identify a slice of a data memory page.

```
Record fat_ptr :=
  mk_fat_ptr {
     fp_page: page_id;
     fp_ptr :> free_ptr;
  }.
```

#### Usage

- Fat pointers are used to pass read-only spans of data pages between contracts.
- Fat pointers are created from spans by OpFarCall/OpMimicCall/OpDelegateCall or through OpFarRet/OpFarRevert.
  - Far calls accept a serialized instance of FarCall.params in a register. If it contains a span in fwd\_memory, then when the contract starts executing, r1 is assigned the fat pointer obtained from the slice.
  - Far returns accept a serialized instance of FarRet.fwd\_memory in a register. If it contains a span in fwd\_memory, then after return r1 is assigned the fat pointer obtained from the slice.
- An existing fat pointer is passed by using ForwardFatPointer.

Pointers may be created only by far calls (OpFarCall, OpMimicCall, OpDelegateCall) or far returns (OpFarRet, OpFarRevert).

```
Record validation_exception :=
   mk_ptr_validation_exception
    {
      ptr_deref_beyond_heap_range : bool;
      ptr_bad_span: bool;
    }.

Definition no_exceptions : validation_exception
    := mk_ptr_validation_exception false false.

Inductive fat_ptr_nullable :=
   | NullPtr
   | NotNullPtr (ptr: fat_ptr)
    .
```

A fat pointer (page, start, length, offset) is **invalid** if:

- $\mathit{start}_{\mathbb{N}} \! + \! \mathit{length}_{\mathbb{N}} \! \! \geq \! \! 2^{32}$ , or
- offset>length.

By a subscript  $\mathbb{N}$  we denote that we explicitly interpret start and length as natural numbers, and addition on natural numbers does not overflow.

If offset = length, the span of the pointer is empty, but it is still valid.

**Narrowing a fat pointer** moves its start to where start+offset was, and sets offset to zero:

```
(page, start, length, offset) \mapsto (page, start + offset, length - offset, 0)
```

#### Before shrinking



#### After shrinking



A fat pointer is automatically narrowed in two situations:

- by far calls with forwarding mode ForwardFatPointer;
- by returns from far calls with forwarding mode ForwardFatPointer.

**Attention**: **shrinking** and **narrowing** far pointers are different. See <code>fat\_ptr\_shrink</code> and <code>fat\_ptr\_narrow</code>.

Definition fat ptr narrow := fat ptr liftP free ptr narrow.

**Shrinking a fat pointer** with fat\_ptr\_shrink subtracts a given number diff from its length; it is guaranteed to not overflow.

Shrinking may result in a pointer with offset > length, but such pointer will not resolve to a memory location.

```
Inductive free_ptr_shrink (diff: mem_address) : free_ptr \rightarrow free_ptr \rightarrow Prop
```

```
| tptl apply: ∀ start ofs length length',
        length - diff = (false, length') →
        free_ptr_shrink diff (mk_ptr (mk_span start length) ofs) (mk_ptr
(mk span start length') ofs).
    Definition free ptr shrink OF (diff: mem address) : free ptr → option
free_ptr :=
      fun fp \Rightarrow match fp with
              | mk ptr (mk span start length) p offset ⇒
                  match length - diff with
                  | (false, length') ⇒ Some (mk ptr (mk span start length')
p offset)
                  | ⇒ None
                  end
              end.
    Definition fat ptr shrink diff := fat ptr liftP (free ptr shrink diff).
    Definition fat ptr shrink OF diff := fat ptr opt map (free ptr shrink OF
diff).
```

Incrementing a fat pointer with fp\_inc increases its offset by 32, the size of a word in bytes. This is used by the instruction OpLoadPointerInc.

```
Definition ptr inc OF (p: free ptr) : option free ptr :=
   match p with
   | mk_ptr s ofs ⇒
     match ofs + bytes in word with
      | (false, ofs') ⇒ Some (mk ptr s ofs')
     | ⇒ None
     end
   end.
  Inductive ptr inc : free ptr → free ptr → Prop :=
  |fpf apply :
   ∀ ofs ofs's,
     ofs + bytes in word = (false, ofs') →
     ptr inc (mk ptr s ofs) (mk ptr s ofs').
 Definition fat ptr inc := fat ptr liftP ptr inc.
  Definition fat ptr inc OF := fat ptr opt map ptr inc OF.
End FatPointer.
```

# Library EraVM.Slice

End PointerDefinitions.

```
From RecordUpdate Require Import RecordSet.

Require Pointer TransientMemory lib.PMap_ext.
```

```
Section Slices.

Import Bool Core Common MemoryBase RecordSetNotations Pointer TransientMemory PMap_ext.

Open Scope ZMod scope.
```

#### Slice

Data slice is a virtual memory page holding a read-only fragment of a data page.

Accesses through a fat pointer should be in bounds of its span. However, loads by fat pointer return words, not individual bytes, so it is important to cut off parts of the memory page outside the pointer's span.

For example, suppose P is a fat pointer (page,0,33,10). Reading 32-byte word yields bytes from the offset 10-th to 42-th (excluded). However, the span of P is [0,33) so the bytes from 33-th to 42-th are outside of this span. EraVM treats the bytes outside P's span as if they were zeros.

More generally, suppose P := (page, start, length, offset) is a fat pointer. Accesses through OpLoadPtr and OpLoadPtrInc return 32-byte words starting at an address start + offset.

However, a 32-byte word spans across addresses in range [ start+offset,start+offset+32) and therefore can surpass the upper bound start+length) if  $length-offset \le 32$ .

Reading past start+offset yields zero bytes. In other words, attempting to read a word that spans across the pointer bound start+offset will return zero bytes for the addresses [start+length,start+offset+32).

```
Definition data_page_slice_params := data_page_params <| writable := false |>.
Definition data_slice := mem_parameterized data_page_slice_params.

Definition do_slice_page (from_incl to_excl: mem_address) (m:data_page) :
data_slice :=
let from_key := MemoryBase.addr_to_key _ from_incl in
let to_key := MemoryBase.addr_to_key _ to_excl in
let contents := pmap_slice m from_key to_key in
mk_mem_data_page_slice_params contents.
```

Predicate slice page describes a slice visible to a fat pointer.

#### Library EraVM.CallStack

```
From RecordUpdate Require Import RecordSet.
Import RecordSetNotations.
Require Common Ergs KernelMode memory.Depot TransientMemory MemoryContext.

Import Common Ergs KernelMode memory.Depot TransientMemory MemoryContext List ListNotations.

Section Callstack.

Context (CALLSTACK_LIMIT : nat).
Context {state_checkpoint: Type} {ins: Type} (ins_invalid: ins).

Definition exception handler := code address.
```

#### Call stack

EraVM operates with two stacks:

- 1. call stack, which supports function and contract execution
- 2. data stack, aiding in computations.

Data stack has a role similar to the stack in JVM and other language virtual machines. Call stack may be implemented in any way, but it is separated from data stack. This section covers the call stack in detail.

A **stack frame**, or **call frame**, is a data structure representing a fragment of current execution environment associated with a running instance of a contract or a function.

There are two types of stack frames:

- External frames ExternalCall: created on far calls (by instructions OpFarCall, OpMimicCall, OpDelegateCall).
- Internal frames InternalCall: created by near calls (by instruction OpNearCall).

Each external frame is **associated** with a contract address. It means that it was created when the associated contract address was far called. Naturally, each contract may be called many times recursively, therefore at each moment of time any contract may have multiple external frames associated to it.

callstack is a stack of a maximum of CALLSTACK\_LIMIT stack frames. It is unrelated to the stack\_page which holds data stack.

There is one callstack per execution, stored in state in gs callstack field.

Internal call frames hold the following information:

- cf\_exception\_handler\_location: a code\_address of an exception handler. On revert or panic VM destroys the topmost frame and jumps to this handler.
- cf\_sp: current data stack pointer. The topmost element in data stack is located at cf\_sp-1 in the currently active stackpage.
- cf\_ergs\_remaining: ergs allocated for the current function or contract. It decreases as VM spends ergs for its operation.
- cf\_saved\_checkpoint : a snapshot of the state for a rollback. In case of panic or revert, the state of storage and event queues will be restored.

External call frames hold the same information as internal. Additionally, they hold:

- Three associated contract addresses:
  - 1. ecf this address: the stack frame was created when this contract was called.
  - 2. ecf\_msg\_sender: the stack frame was created when this contract invoked one of far call instructions.
  - 3. ecf\_code\_address: which contract owns the code associated with the stack frame. It is not always the same contract as ecf\_this\_address.
- ecf\_mem\_ctx : current mem\_ctx holding ids of active stack, heap variants, code, const pages and bounds of data pages.
- boolean ecf\_is\_static: true if the code associated with this frame is being executed in static mode.
- ecf\_context\_u128\_value : captured value of gs\_context\_u128. It represents a snapshot of the value of global register gs\_context\_u128 in a moment of far call to the current contract.
- ecf\_shards: shards associated with ecf\_this\_address, ecf\_msg\_sender and ecf code address.

```
ecf code address: contract address;
      } .
 Record callstack external :=
   mk extcf {
        ecf associated:> associated contracts;
        ecf mem ctx: mem ctx;
        ecf_is_static: bool; (* forbids any write-
like "log" and so state modifications, event emissions, etc *)
        ecf context u128 value: u128;
        ecf shards:> active shards;
        ecf common :> callstack common
 Inductive callstack :=
 | InternalCall ( : callstack common) (tail: callstack): callstack
 | ExternalCall ( : callstack external) (tail: option callstack): callstack.
 Fixpoint callstack depth cf :=
    (match cf with
    | InternalCall x tail \Rightarrow 1 + callstack depth tail
    | ExternalCall x (Some tail) => 1 + callstack depth tail
    | ExternalCall x None \Rightarrow 1
    end) %nat.
```

#### Operation

When the server starts forming a new block, it starts a new instance of VM to execute the code called Bootloader. Bootloader is a contract with an address BOOTLOADER\_SYSTEM\_CONTRACT\_ADDRESS. To support its execution, a corresponding ExternalCall frame with is pushed to the call stack.

Handling each transaction requires executing OpFarCall, which pushes another call frame to the callstack.

As the transaction is executed, call stack changes as follows:

- OpNearCall pushes an InternalCall frame to callstack.
- OpFarCall, OpDelegateCall, or OpMimicCall push an ExternalCall frame to callstack.
- OpNearRet, OpNearRetTo, OpNearRevert, OpNearRevertTo, OpPanic, OpFarRet, OpFarRevert pop a frame from callstack.

Attempting to have more than CALLSTACK LIMIT elements in callstack will force the VM into panic.

Panics are equivalent to executing OpPanic, so they pop up the topmost stack frame and pass the control to the exception handler, specified in the popped frame.

Executing any instruction I changes the topmost frame:

- 1. cf pc is incremented, unless I is OpJump.
- 2. cf sp may be modified if I affects the data stack pointer through addressing modes

RelSpPop or RelSpPop.

3. cf\_ergs\_remaining is decreased by the **total cost** of I. Total cost is a sum of base\_cost and additional costs, described by the small step predicates like step\_jump.

```
Definition stack overflow (xstack:callstack) : bool :=
    Nat.1tb CALLSTACK LIMIT (callstack depth xstack).
  Definition cfc (ef: callstack) : callstack common :=
    match ef with
    | InternalCall x \Rightarrow x
    \mid ExternalCall x \Rightarrow x
    end.
  Definition cfc map (f:callstack common→callstack common) (ef: callstack) :
callstack :=
   match ef with
   | InternalCall x tail \Rightarrow InternalCall (f x) tail
    \mid ExternalCall x tail \Rightarrow ExternalCall (x <\mid ecf common ::= f \mid>) tail
    end.
  Section ErgsManagement.
    Open Scope ZMod scope.
    Definition ergs remaining (ef:callstack) : ergs := (cfc
ef).(cf ergs remaining).
    Definition ergs map (f: ergs→ergs) (ef:callstack) : callstack
      := cfc map (fun x \Rightarrow x < | cf ergs remaining ::= f | > ) ef.
    Definition ergs set newergs := ergs map (fun ⇒ newergs).
    Inductive ergs return: ergs → callstack → callstack → Prop :=
    | er return: ∀ delta new ergs ef ef',
        delta + ergs remaining ef = (false, new ergs) →
        ef' = ergs set new ergs ef →
        ergs return delta ef ef'.
    Inductive ergs return caller and drop : callstack → callstack → Prop
    |erc internal: ∀ caller new caller cf,
        ergs return (ergs remaining (InternalCall cf caller)) caller
          new caller →
        ergs return caller and drop (InternalCall cf caller) new caller
    |erc external: ∀ caller new caller cf,
        ergs return (ergs remaining (ExternalCall cf (Some caller))) caller
        ergs return caller and drop (ExternalCall cf (Some caller)) new caller.
    Definition ergs reset := ergs set zero32.
    Definition affordable (ef: callstack) (e:ergs): bool :=
      match ergs remaining ef - e with
      | (false, paid) \Rightarrow true
      | (true, overflowed) ⇒ false
```

```
end.
    Inductive pay : ergs → callstack → callstack → Prop :=
    \mid pay ergs : \forall e ef paid,
        ergs remaining ef - e = (false, paid) →
        pay e ef (ergs set paid ef).
  End ErgsManagement.
  Section SP.
 Fetching value of the stack pointer itself.
    Definition sp get (cf: callstack) : stack address :=
      (cfc cf).(cf sp).
    Definition sp map extcall (f:stack address→stack address) ef :=
      (ef <| ecf common ::= fun cf \Rightarrow cf <| cf sp ::= f |> |>).
    Inductive sp map extcall spec f: callstack external → callstack external →
Prop :=
    \mid sme apply: \forall a d e g h eh sp pc ss ergs,
        sp map extcall spec f (mk extcf a d e g h (mk cf eh sp pc ergs ss))
          (mk_extcf a d e g h (mk_cf eh (f sp) pc ergs ss)).
    Theorem sp map extcall correct:
      \forall f ef, sp map extcall spec f ef (sp map extcall f ef).
    Definition sp map (f:stack address→stack address) ef : callstack :=
      match ef with
      | InternalCall x tail \Rightarrow InternalCall (x <| cf sp ::= f |>) tail
      \mid ExternalCall x tail \Rightarrow ExternalCall (sp map extcall f x) tail
      end.
    Definition sp update new_sp := sp_map (fun _ ⇒ new_sp).
    Inductive sp map spec f : callstack → callstack → Prop :=
    usp ext:
      ∀ ecf ecf' tail,
        sp map extcall spec f ecf ecf' →
        sp map spec f (ExternalCall ecf tail) (ExternalCall ecf' tail)
    | usp int:
      \forall eh sp pc ergs tail ss,
        sp map spec f (InternalCall (mk cf eh sp pc ergs ss ) tail)
(InternalCall (mk cf eh (f sp) pc ergs ss) tail).
    Theorem sp map spec correct f:
      \forall ef, sp map spec f ef (sp map f ef).
  End SP.
  Section PC.
    Definition pc get (ef: callstack) : code address :=
      match ef with
      | InternalCall cf \Rightarrow cf.(cf pc)
      | ExternalCall of tail ⇒ ef.(ecf common).(cf pc)
```

```
end.
    Definition pc map f ef :=
      match ef with
      | InternalCall x tail \Rightarrow InternalCall (x <| cf pc ::= f |>) tail
      | ExternalCall x tail \Rightarrow ExternalCall (x < | ecf common ::= fun cf \Rightarrow cf < |
cf pc ::= f |> |>) tail
      end.
    Definition pc set new := pc map (fun \Rightarrow new).
    Inductive pc map cfc spec f: callstack common \rightarrow callstack common
                               → Prop :=
    | upc map:
      ∀ ehl sp ergs pc pc' ss,
        f pc = pc' \rightarrow
        pc_map_cfc_spec f (mk_cf ehl sp pc ergs ss) (mk cf ehl sp pc' ergs ss).
    Inductive pc map extcall spec f: callstack external → callstack external
                                   → Prop :=
    | upe update:
      ∀ cf cf' ac memory is static context u128 value cc,
        pc_map_cfc spec f cf cf' ->
        pc map extcall spec f
          (mk extcf ac memory is static
             context u128 value cc cf)
          (mk extcf ac memory is static
             context u128 value cc cf')
    Inductive pc map spec f : callstack → callstack → Prop :=
    | upc ext:
      ∀ ecf ecf' tail ,
        pc map extcall spec f ecf ecf' →
        pc map spec f (ExternalCall ecf tail) (ExternalCall ecf' tail)
    | upc int:
      ∀ cf cf' tail,
        pc map cfc spec f cf cf' →
        pc_map_spec f (InternalCall cf tail) (InternalCall cf' tail).
    Theorem pc map correct:
      \forall ef f, pc map spec f ef (pc map f ef).
  End PC.
  Section TopmostExternalFrame.
    Fixpoint active extframe (ef : callstack) : callstack external :=
      match ef with
      | InternalCall tail ⇒ active extframe tail
      | ExternalCall x tail \Rightarrow x
      end.
    Inductive active extframe spec : callstack → callstack external → Prop :=
    | te Top: \forall x t, active extframe spec (ExternalCall x t) x
    | te Deeper: ∀ c t f,
        active extframe spec t f \rightarrow active extframe spec (InternalCall c t) f
```

```
Theorem active extframe correct:
      \forall ef, active extframe spec ef (active extframe ef).
   Fixpoint change active extframe f (ef:callstack) : callstack :=
     match ef with
      | InternalCall x tail \Rightarrow InternalCall x (change active extframe f tail)
      | ExternalCall x tail ⇒ ExternalCall (f x) tail
      end.
    Inductive change active extframe spec f : callstack → callstack → Prop :=
    | ct base: \forall cf t,
        change active extframe spec f (ExternalCall cf t) (ExternalCall (f cf)
t)
    \mid ct ind: \forall cf t t',
        change active extframe spec f t t' →
        change active extframe spec f (InternalCall cf t) (InternalCall cf t')
   Lemma change active extframe correct : \forall f ef,
        change active extframe spec f ef (change active extframe f ef).
    Definition update memory context (ctx:mem ctx): callstack → callstack :=
      change active extframe (fun ef \Rightarrow ef <| ecf mem ctx := ctx |> ).
   Definition revert state (cs:callstack) : state checkpoint :=
     match cs with
      | InternalCall x tail \Rightarrow x. (cf saved checkpoint)
      | ExternalCall x tail ⇒ x.(ecf common).(cf saved checkpoint)
     end .
    Definition current shard xstack : shard id := (active extframe
xstack).(ecf shards).(shard this).
    Definition current contract xstack : contract address := ecf this address
(active extframe xstack).
 End TopmostExternalFrame.
 Section ActiveMemory.
   Section ActivePageId.
      Context (ef:callstack) (active extframe := active extframe ef).
      Definition get mem ctx: mem ctx := active extframe.(ecf mem ctx).
      Definition active code id: page id := get mem ctx.(ctx code page id).
      Definition active stack id: page id := get mem ctx.(ctx stack page id).
      Definition active const id: page id := get mem ctx. (ctx const page id).
      Definition active heap id : page id := get mem ctx.(ctx heap page id).
      Definition active auxheap id : page id :=
get mem ctx.(ctx auxheap page id).
```

```
Definition heap_bound := get mem ctx.(ctx heap bound).
      Definition auxheap bound := get mem ctx.(ctx auxheap bound).
      Definition heap variant bound (page type:data page type): mem address :=
       match page type with
        | Heap ⇒ heap bound
        | AuxHeap ⇒ auxheap bound
        end.
      Definition heap variant_page_id (page_type: data_page_type)
        : page id :=
       match page type with
        | Heap ⇒ active heap id
        | AuxHeap ⇒ active auxheap id
        end.
    End ActivePageId.
    Section ActivePages.
      Context {code page const page data page stack page} (page has id: page id
→ @page code page const page data page stack page → Prop).
      Definition active exception handler (ef: callstack) : exception handler
•=
        (cfc ef).(cf exception handler location).
      Context (ef: callstack) (page id := fun i \Rightarrow page has id (i ef)).
      Inductive active codepage : code page → Prop :=
      | ap active code: ∀ codepage,
          page id active code id (mk page (CodePage codepage)) →
          active codepage codepage.
      Inductive active constpage : const page → Prop :=
      | ap active const: ∀ constpage,
          page_id active_const_id (mk_page (ConstPage constpage)) --
          active constpage constpage.
      Inductive active stackpage : stack page → Prop :=
      | ap active stack: ∀ stackpage,
          page id active stack id (mk page (StackPage stackpage)) →
          active stackpage stackpage.
      Inductive active heappage : data_page → Prop :=
      \mid ap active heap: \forall p,
          page id active heap id (mk page (DataPage p)) →
          active heappage p.
      Inductive active auxheappage : data page → Prop :=
      \mid ap active auxheap: \forall p,
          page id active auxheap id (mk page (DataPage p)) →
          active auxheappage p.
    End ActivePages.
 End ActiveMemory.
```

```
Definition in_kernel_mode (ef:callstack) : bool :=
  let ef := active_extframe ef in
  addr_is_kernel ef.(ecf_this_address).
```

# Library EraVM.MemoryContext

```
From RecordUpdate Require Import RecordSet.

Require memory.Pages memory.PageTypes.

Import memory.Pages memory.PageTypes.

Section MemoryContext.
   Import RecordSetNotations.
   Import seq Arith.

Open Scope ZMod scope.
```

End Callstack.

# Memory context

Creation of an external frame leads to allocation of pages for code, constant data, stack, and heap variants (see alloc\_pages\_extframe).

**Memory context** is a collection of pages associated with a contract's frame, plus the bounds for heap variants. It is stored in ecf\_mem\_ctx field of ExternalCall frame.

```
Record mem_ctx :=
    mk_mem_ctx
    {
       ctx_code_page_id: page_id;
       ctx_const_page_id: page_id;
       ctx_stack_page_id: page_id;
       ctx_heap_page_id: page_id;
       ctx_auxheap_page_id: page_id;
       ctx_heap_bound: mem_address;
       ctx_auxheap_bound: mem_address;
    }
}
```

The exact values of identifiers of pages in mem ctx are not guaranteed, neither is their order.

However, pages are ordered according to the order of creation (see page older).

```
Definition list_mem_ctx (ap:mem_ctx) : list page_id :=
  match ap with
  | mk_mem_ctx code_id const_id stack_id heap_id auxheap_id _ _ ⇒
       [:: code_id; const_id; stack_id; heap_id; auxheap_id]
  end.

Definition page_older (id: page_id) (mps: mem_ctx) : bool :=
  List.forallb (page_older id) (list_mem_ctx mps).
```

Function is active page returns true if memory page id belongs to the context c.

```
Definition is_active_page (c:mem_ctx) (id: page_id) : bool :=
  List.existsb (page eq id) (list mem ctx c).
```

If an instruction addresses a heap variant outside of its bounds, the bound of this heap variant is adjusted to include the used address. Predicates grow\_heap\_page, grow heap variant are relating memory contexts where a heap variant is grown.

#### WARNING: KNOWN DIVERGENCE (in versions prior to v1.4.1)

In earlier implementations, if heap/auxheap was grown inside a near call, the parent's heap/auxheap bound may be restored after ret as if no growth happened. Since v 1.4.1 the implementation conforms to the spec.

```
Inductive grow heap page: mem address → mem ctx → mem ctx → Prop :=
 \mid gp heap: \forall ap new bound diff,
      ap.(ctx heap bound) + diff = (false, new bound) →
      grow heap page diff ap (ap < | ctx heap bound := new bound |>).
 Inductive grow auxheap page : mem address → mem ctx → mem ctx → Prop :=
 \mid gp auxheap: \forall ap new bound diff,
      ap.(ctx auxheap bound) + diff = (false, new bound) →
      grow auxheap page diff ap (ap <| ctx auxheap bound := new bound |>).
 Inductive grow heap variant: data page type → mem address → mem ctx → mem ctx
→ Prop :=
 | ghv heap: ∀ diff ap ap',
      grow heap page diff ap ap' →
      grow heap variant Heap diff ap ap'
 | ghv auxheap: ∀ diff ap ap',
      grow auxheap page diff ap ap' →
      grow heap variant AuxHeap diff ap ap'.
End MemoryContext.
```

## Library EraVM.PointerErasure

```
Require Common Pointer.
Import Common Pointer.
```

# Pointer Erasure (since v1.4.1)

Recall that fat ptr contain four fields:

In kernel mode, these fields are observable by all instructions, even by those that work with integers.

In user mode, fat\_ptr are opaque: if an instruction expects an integer (with a cleared is\_ptr tag), and it is provided a pointer instead (with a set is\_ptr tag), the pointer value is downcast to the integer before the instruction is able to observe it.

The downcasting zeroes the fields page and start.

```
Section PointerErasure.
 Context (is kernel mode: bool).
 Definition span erase (s:span) : span :=
   if is kernel mode then s else
     match s with
     | mk span start len \Rightarrow mk span \# 0 len
 Definition free ptr erase (fp: free ptr) : free ptr :=
   if is kernel mode then fp else
     match fp with
     | mk_ptr s ofs ⇒ mk_ptr (span_erase s) ofs
 Definition fat ptr erase (fp:fat ptr) : fat ptr:=
   if is kernel mode then fp else
     match fp with
     | mk fat ptr page ptr → mk fat ptr 0%nat (free ptr erase ptr)
 Definition fat ptr nullable erase (fp:fat ptr nullable) : fat ptr nullable :=
   if is kernel mode then fp else
```

```
match fp with
| NullPtr ⇒ NullPtr
| NotNullPtr fp ⇒ NotNullPtr (fat_ptr_erase fp)
end.
```

End PointerErasure.

# Library EraVM.Binding

```
From RecordUpdate Require Import RecordSet.
Import RecordSetNotations.
Require
 ABI
   Addressing
   CallStack
   Core
   Coder
   GPR
   isa.CoreSet
   Pointer
   PointerErasure
   PrimitiveValue
   State.
Import
 ABI
   FatPointerABI
   Addressing
   Addressing.Coercions
   CallStack
   Coder
   Core
   GPR
   isa.CoreSet
   MemoryOps
   Pointer
   PointerErasure
   PrimitiveValue
   State
   Types.
```

Section OperandBinding.

# Binding operands in core instructions

The instructions from <code>CoreInstructionSet</code> are parameterized with an instance of <code>descr</code>, specifying the exact types of their operands. This allows for <code>instruction</code> definition to be reused:

- the instruction decoded are instructions decoded from Assembly.asm\_instruction. They
  contain descriptions of operand sources and destinations, e.g. register or various memory
  locations.
- the instruction bound are instructions that contain the values fetched, stored, and with decoding/encoding already performed. It allows to bind these values equationally inside the spec clauses such as step add.

The rest of this section is technical; refer to bind\_fat\_ptr and similar predicates to see how the compound instruction arguments are encoded and decoded for small step relations, e.g. step\_ptradd for OpPtrAdd.

```
#[qlobal]
    Canonical Structure bound: descr :=
    src pv := @primitive value Core.word;
    src fat ptr := option (@primitive value (u128 \times fat ptr nullable));
   src heap ptr := option (@primitive value (u224 × heap ptr));
    src farcall params := option (@primitive value FarCallABI.params);
   src nearcall params := option (@primitive_value (u224 x
NearCallABI.params));
   src_ret_params := option (@primitive value FarRetABI.params);
   src precompile params := option (@primitive value
PrecompileParametersABI.params);
   dest pv := @primitive value Core.word;
   dest heap ptr := option (@primitive value (u224 × heap ptr) );
   dest fat ptr := option (@primitive value (u128 × fat ptr nullable) );
   dest meta params := option (@primitive value (MetaParametersABI.params ));
 | }
```

Knowing the call stack, memory pages and registers are enough to bind any value appearing in CoreInstructionSet; additionally, kernel mode affects it: pointer erasure only happens in user mode.

To bind a src\_pv type of instruction operand, load its value and apply the effects of RelSpPop addressing mode. Additionally, if the instruction expects an integer, but gets a pointer with a tag, the pointer erasure happens (since v.1.4.1).

```
Inductive bind src: binding state → binding state → in any → @primitive value
word → Prop :=
 | bind src int apply: ♥ regs (mem:State.memory) (cs cs':State.callstack)
(op:in any) (v:word) (is k: bool),
      bind any src (mk bind st is k cs regs mem) (mk bind st is k cs' regs mem)
op (IntValue v) \rightarrow
      bind src (mk bind st is k cs regs mem) (mk bind st is k cs' regs mem) op
(IntValue v)
 | bind src ptr apply: ∀ regs (mem:State.memory) (cs cs':State.callstack)
(op:in any) (v v':word)
                           (decoded decoded erased: fat ptr nullable)
                           (encoded erased high128: u128)
                           (is k: bool),
      bind any src (mk bind st is k cs regs mem) (mk bind st is k cs' regs mem)
op (PtrValue v) →
      Some (high128, decoded) = decode fat ptr word v \rightarrow
      decoded erased = fat ptr nullable erase is k decoded →
      Some encoded erased = encode fat ptr decoded →
      v' = high128 ## encoded erased →
     bind src (mk bind st is k cs regs mem) (mk bind st is k cs' regs mem) op
(IntValue v')
```

To bind a dest\_pv type of instruction operand, store its value and apply the effects of RelSpPush addressing mode.

To bind src\_fat\_ptr or any other compound value encoded in a binary form, bind both the encoded and decoded value.

```
Some (high128, decoded) = decode fat ptr word v.(value) →
      bind fat ptr s s' op (Some (PtrValue (high128, decoded)))
  Inductive bind heap ptr: binding state → binding state → in any → option
(@primitive value (u224 \times heap ptr)) \rightarrow Prop :=
  | bind heap ptr apply : \forall op v s s' decoded,
      bind src s s' op v →
      Some decoded = decode heap ptr v. (value) →
      bind heap ptr s s' op (Some (IntValue decoded)).
  Inductive bind farcall params: binding state → binding state → in any →
option (@primitive value FarCallABI.params) → Prop :=
  \mid bind farcall params apply : \forall op v s s' decoded tag,
      bind src s s' op v →
      Some decoded = FarCallABI.coder.(decode) v.(value) →
      bind farcall params s s' op (Some (mk pv tag (decoded)))
  Inductive bind nearcall params: binding state \rightarrow binding state \rightarrow in any \rightarrow
option (@primitive value (u224× NearCallABI.params)) → Prop :=
  \mid bind nearcall params apply : \forall op v s s' decoded tag,
      bind src s s' op v →
      Some decoded = NearCallABI.decode word v.(value) →
      bind nearcall params s s' op (Some (mk pv tag decoded)).
  Inductive bind farret params: binding state → binding state → in any → option
(@primitive value FarRetABI.params) → Prop :=
  | bind farret params apply : \forall op v s s' decoded tag,
      bind src s s' op v →
      Some decoded = FarRetABI.coder.(decode) v.(value) →
      bind farret params s s' op (Some (mk pv tag decoded)).
  Inductive bind precompile params: binding state → binding state → in any →
option (@primitive value PrecompileParametersABI.params) → Prop :=
  | bind precompile params apply : \forall op v s s' decoded tag,
      bind src s s' op v →
      Some decoded = PrecompileParametersABI.ABI.(decode) v.(value) →
      bind precompile params s s' op (Some (mk pv tag decoded)).
  Inductive bind dest fat ptr: binding state \rightarrow binding state \rightarrow out any \rightarrow
                                 option (@primitive value (u128 \times
fat ptr nullable) ) → Prop :=
  | bind dest fat ptr apply: ∀ s s' op encoded ptr (high128:u128),
      bind dest s s' op (PtrValue encoded) →
      encode fat ptr word high128 ptr = Some encoded →
      bind dest fat ptr s s' op (Some (PtrValue (high128, ptr)))
  Inductive bind dest heap ptr: binding state \rightarrow binding state \rightarrow out any \rightarrow
option (@primitive value (u224 × heap ptr) ) → Prop :=
  | bind dest heap ptr apply: ∀ s s' op (encoded:word) high224 hptr,
      bind dest s s' op (IntValue encoded) →
      encode heap ptr word high224 hptr = Some encoded →
      bind dest heap ptr s s' op (Some (IntValue (high224, hptr)))
```

```
Inductive bind dest meta params: binding state → binding state → out any →
option (@primitive value (MetaParametersABI.params)) → Prop :=
 | bind dest meta params apply: \forall s s' op encoded params,
      bind dest s s' op (IntValue encoded) →
     MetaParametersABI.coder.(encode) params = Some encoded →
      bind dest meta params s s' op (Some (IntValue params))
 Definition bind relation :=
    { |
     mf src pv := bind src;
     mf src fat ptr := bind fat ptr;
     mf src heap ptr := bind heap ptr;
     mf src farcall params := bind farcall params;
     mf_src_nearcall_params := bind nearcall params;
     mf src ret params := bind farret params;
     mf src precompile params := bind precompile params;
     mf dest pv := bind dest;
     mf dest fat ptr := bind dest fat ptr;
     mf dest heap ptr := bind dest heap ptr;
      mf dest meta params := bind dest meta params;
   | } .
 #[local]
 Definition get binding state ts (s: transient state) : binding state :=
      bs is kernel mode := in kernel mode (gs callstack s);
     bs regs := gs regs s;
     bs mem := qs pages s;
      bs cs := gs callstack s;
    | } .
 #[local]
 Definition get binding state (s: state) : binding state :=
get binding state ts s.
 Inductive relate transient states (P: binding state → binding state → Prop):
transient state → transient state → Prop :=
 | rts apply:
    \forall ts1 ts2,
      P (get binding state ts ts1) (get binding state ts ts2)\rightarrow
      relate transient states P ts1 ts2.
 #[local]
 Definition merge binding transient state: binding state → transient state →
transient state :=
   fun bs s1 \Rightarrow
     match bs with
      | mk bind st cs regs gmem \Rightarrow s1
                                    <| gs regs := regs |>
                                    <| gs pages := gmem |>
                                    <| gs callstack := cs |>
      end.
 #[local]
 Definition merge binding state : state → binding state → state :=
    fun s1 bs \Rightarrow
```

```
match bs with
    | mk_bind_st _ cs regs gmem ⇒ s1 <| gs_transient ::=
merge_binding_transient_state bs |>
    end.

#[local]
Definition bind_operands_binding_state (s1 s2: binding_state) :
    @instruction decoded → @instruction bound → Prop :=
    ins_srelate bind_relation s1 s2 .
```

The definition bind\_operands relates two transient\_states before and after binding, and two instructions:

- $i_1$  is a decoded instruction obtained by applying to core to Assembly.asm instruction;
- $i_2$  is a bound instruction where fetching and storing values, as well as encoding and decoding are abstracted.

The values of operands in  $i_2$  can be further bound by relations, see e.g. step add.

```
#[global]
  Definition bind_operands (s1 s2:transient_state) (i1: @instruction decoded)
(i2: @instruction bound) : Prop :=
    relate_transient_states (fun bs1 bs2 ⇒ bind_operands_binding_state bs1 bs2
i1 i2) s1 s2.

End OperandBinding.
```

#### Library EraVM. History

```
Require Common.

Section History.

Import ssreflect ssrfun ssrbool eqtype ssreflect.tuple seq.
```

#### History

**History** is a data structure supporting appending elements of type  $\mathbb{T}$  to it.

```
Context (T:eqType).
Definition history := seq T.
Context (l:history).
```

history supports checking if an element is contained in it.

```
Definition contains (elem:T): bool := if has (fun e \Rightarrow e == elem) l then true else false.

End History.
```

#### Library EraVM.Event

```
From mathcomp Require ssreflect ssrfun ssrbool eqtype tuple zmodp.
Require Core memory.Depot TransientMemory.

Import Core memory.Depot TransientMemory.

Section Events.

Import ssreflect ssreflect.tuple ssreflect.eqtype ssrbool.

Context {contract_address precompile_params: eqType}.
```

#### **Events**

VM interfaces with two queues:

- 1. L1 l1\_msg events (see gs\_l1\_msgs), emitted by OpToL1Message.
- 2. L2 events events (see gs events), emitted by OpEvent.

These queues are subject to rollbacks: in case of revert or panic, the events emitted during the function or contract execution are rolled back.

```
Record event := {
      ev shard id: shard id;
     ev is first: bool;
     ev tx number in block: tx num;
     ev address: contract address;
     ev key: word;
      ev value: word;
   } .
equality on events
 Definition ev eqn (x y:event) : bool :=
   match x, y with
   | Build_event ev_shard_id1 ev_is_first1 ev_tx_number_in_block1 ev_address1
ev key1 ev value1 ,
      Build event ev shard id2 ev is first2 ev tx number in block2 ev address2
ev key2 ev value2 ⇒
        (ev shard id1 == ev shard id2 ) &&
          (ev is first1 == ev is first2) &&
```

```
(ev tx number in block1 == ev tx number in block2) &&
           (ev address1 == ev address2) &&
           (ev key1 == ev key2) &&
           (ev value1 == ev value2)
    end.
  Lemma ev eqnP : Equality.axiom ev eqn.
  Proof.
    move \Rightarrow [a b c d e q] [a' b' c' d' e' q'].
    simpl.
    Local Ltac orelse H := try rewrite! Bool.andb false r; try rewrite H;
constructor; injection; intros; subst; by rewrite eq refl in H.
    destruct (a == a') eqn: H1; [move: (eqP H1) \Rightarrow \rightarrow | by orelse H1].
    destruct (b == b') eqn: H2; [move: (eqP H2) \Rightarrow \rightarrow | by orelse H2].
    destruct (c == c') eqn: H3; [move: (eqP H3) \Rightarrow \rightarrow | by orelse H3].
    destruct (d == d') eqn: H4; [move: (eqP H4) \Rightarrow \rightarrow | by orelse H4].
    destruct (e == e') eqn: H5; [move: (eqP H5) \Rightarrow \rightarrow | by orelse H5].
    destruct (g == g') eqn: H6; [move: (eqP H6) \Rightarrow \rightarrow | by orelse H6].
    by rewrite eq refl; constructor.
  Qed.
  Canonical ev eqMixin := EqMixin ev eqnP.
  Canonical ev eqType := Eval hnf in EqType ev eqMixin.
  Definition 11 msg := event.
  Record precompile query := {
      q tx number in block: tx num;
      q shard id: shard id;
      q contract address: contract address;
      q key: precompile params
equality on precompile queries
  Definition pq eqn (x y:precompile query) : bool :=
    match x, y with
    | Build precompile query q tx number in block1 q shard id1
q contract address1 q key1,
      Build precompile query q tx number in block2 q shard id2
q contract address2 q key2 \Rightarrow
        (q tx number in block1 == q tx number in block2) &&
           (q shard id1 == q shard id2) &&
           (q contract address1 == q contract address2) &&
           (q key1 == q key2)
    end .
  Lemma pq eqnP : Equality.axiom pq eqn.
  Proof.
    move \Rightarrow [a b c d] [a' b' c' d'] \Rightarrow //=.
    destruct (a == a') eqn: H1; move: H1; last by constructor; injection;
intros; subst; move: H1; rewrite eq refl.
    move /eqP \Rightarrow \rightarrow //=.
    destruct (b == b') eqn: H2; [| by rewrite H2; constructor; injection;
intros; subst; rewrite eq refl in H2].
    destruct (c == c') eqn: H3; [| by rewrite ! Bool.andb false r; constructor;
injection; intros; subst; rewrite eq refl in H3].
    destruct (d == d') eqn: H4; [| by rewrite ! Bool.andb false r; constructor;
injection; intros; subst; rewrite eq refl in H4].
```

```
move: H2 (eqP H2) \Rightarrow \rightarrow //=. constructor.
    by rewrite (eqP H3) (eqP H4).
  Qed.
  Canonical pq eqMixin := EqMixin pq eqnP.
  Canonical pq eqType := Eval hnf in EqType pq eqMixin.
 Inductive query :=
 | EventQuery : event → query
  | L1MsqQuery : l1 msq → query
  | PrecompileQuery : precompile query → query.
equality on queries
 Definition query eqn (x y: query) : bool :=
   match x, y with
   | EventQuery x, EventQuery y \Rightarrow x == y
    | L1MsgQuery x, L1MsgQuery y \Rightarrow x == y
    | PrecompileQuery x, PrecompileQuery y \Rightarrow x == y
    \mid _{,_{-}} \Rightarrow false
  Lemma query eqnP : Equality.axiom query eqn.
  Proof.
    unfold query eqn.
   move \Rightarrow x y.
   destruct x, y =>//; try destruct ( == ) eqn: Heq; try (by done);
constructor; try move /eqP in Heq; by [subst|injection].
  Qed.
 Canonical query eqMixin := EqMixin query eqnP.
 Canonical query eqType := Eval hnf in EqType query eqMixin.
  (* todo: probably these structures can be redesigned *)
End Events.
```

# Library EraVM.MemoryBase

```
From RecordUpdate Require Import RecordSet.
From Bits Require spec.

Require BinNums FMapPositive ZArith.
Require Common.

Section MemoryBase.
   Import ssreflect.
   Import BinNums ZArith spec FMapPositive.
```

Memory is modeled as a mapping from addresses (integers of address\_bits bits) to values of type addressable\_block. Unmapped addresses are mapped to the default\_value.

We use a map from positive numbers implemented as a tree to store values in memory. However, address space starts at zero. Therefore, having an address A we map it to the key K(A) as follows:

$$K(A) := A + 1$$

```
Program Definition addr_to_key (addr: address): positive :=
  match address_bits with
  | 0 ⇒ fun _ ⇒ _
  | S bts ⇒ fun Heq ⇒ Z.to_pos ((@toZ bts addr) + 1)
  end (@eq_refl Z).
```

All memory addresses are initialized to the default value at memory genesis.

```
Definition load (addr : address) (m : mem_parameterized) : addressable_block
:=
    match PositiveMap.find (addr_to_key addr) m.(contents) with
    | None ⇒ default_value
    | Some v ⇒ v
    end.

Definition store (val:addressable_block) (addr : address) (m :
mem_parameterized) : mem_parameterized :=
    mk_mem (PositiveMap.add (addr_to_key addr) val m).
```

An empty memory.

```
Definition empty := mk_mem (PositiveMap.empty addressable_block).
```

Heap variants are byte-addressable, but reads and words operate on 256-bit words. Multicell loads return len consecutive bytes from memory m at an address a.

```
Import Arith.
Open Scope bits scope.
Fixpoint load multicell (a:address) (len:nat) (m:mem parameterized)
  : option (list addressable block) :=
  match len with
  | O ⇒ Some nil
  | S lft \Rightarrow let value := load a m in
            let (overflow, nextaddr) := uadd of a (fromZ 1) in
             if overflow then None else
              match load multicell nextaddr lft m with
               | Some tail ⇒ Some (cons value tail)
               | None ⇒ None
               end
  end.
Inductive load multicell result:
  address → V len: nat, mem parameterized → list addressable block → Prop :=
\mid lmr end : \forall a m,
    load multicell result a 0%nat m nil
| lmr progress: ∀ addr nextaddr mem value n tail,
    (\overline{false}, nextaddr) = uinc of addr \rightarrow
    load result addr mem value →
    load multicell result nextaddr n mem tail →
    load multicell result addr (S n) mem (cons value tail)
Theorem load multicell spec:
  \forall a len m ls,
    load multicell a len m = Some ls \rightarrow
    load multicell result a len m ls.
Theorem load multicell_result_size:
  \forall tlam v,
    load multicell result a tl m v \rightarrow
    seq.size v = tl.
```

Similarly, store\_multicell accepts a list of values and puts them in memory starting from the address a.

```
Import seq.
  Fixpoint store multicell (a:address) (vals: list addressable block)
(m:mem parameterized)
    : option mem parameterized :=
   if writable mem params then
      match vals with
      | [::] \Rightarrow Some m
      | v :: tail ⇒
          let stored := store v a m in
          let (overflow, nextaddr) := uinc of a in
          if overflow then None else
            store multicell nextaddr tail stored
      end
    else None.
  Inductive store multicell result:
    address \rightarrow list addressable block \rightarrow mem parameterized \rightarrow mem parameterized \rightarrow
Prop :=
  \mid smr end : \forall a m,
      writable mem params = true →
      store multicell result a [::] m m
  | smr progress: ∀ addr nextaddr mem mem' mem'' value tail,
      writable mem_params = true →
      (false, nextaddr) = uinc of addr →
      store result addr mem value mem' →
      store multicell result nextaddr tail mem' mem'' →
      store multicell result addr (value::tail) mem mem''
  Theorem store multicell spec:
    ∀ ls a m m',
      store multicell a ls m = Some m' →
      store multicell result a ls m m'.
End MemoryBase.
```

## Library EraVM.MemoryOps

```
Require Addressing Core Common List Pointer TransientMemory Resolution Slice. Import ssreflect eqtype.

Import Addressing Core ZArith Common CallStack GPR MemoryBase PrimitiveValue Pointer Resolution Slice TransientMemory.

Section MemoryOps.
```

#### Data loading and storing

This section formalizes reading from memory or registers (fetch) and writing to memory or registers (store).

```
Import Addressing.Coercions.
 Context {instruction: Type} (instruction_invalid:instruction)
    {state checkpoint: Type}
    (callstack:= @callstack state checkpoint)
 Section FetchStore.
   Context (memory := @memory (@code_page instruction instruction_invalid)
const page data page stack page)
   Context (regs: regs state) (cs: callstack) (mem: memory) .
   Inductive fetch result : Type :=
    | FetchIns (ins: instruction)
    | FetchPV (pv: @primitive_value word).
   Inductive fetch: loc → fetch result → Prop :=
    | fetch_reg: ∀ name reg val,
        reg val = fetch gpr regs name →
        fetch (LocReg name) (FetchPV reg val)
    | fetch imm: ∀ imm imm',
        fetch (LocImm imm) (FetchPV (IntValue imm'))
    | fetch stackaddr:

∀ stackpage (value: primitive value) addr,

       active stackpage (page has id mem) cs stackpage →
       MemoryBase.load result addr stackpage value →
       fetch (LocStackAddress addr) (FetchPV value)
    | fetch codeaddr:
     ∀ codepage addr ins,
       active codepage (page has id mem) cs codepage →
       load_result _ addr codepage ins →
        fetch (LocCodeAddr addr) (FetchIns ins)
    | fetch constaddr:
      ∀ constpage addr value,
       active constpage (page has id mem) cs constpage →
       load result   addr constpage value →
        fetch (LocConstAddr addr) (FetchPV (IntValue value))
   Definition next ins := LocCodeAddr (pc get cs).
   Definition fetch instr := fetch next ins.
   Inductive store_loc: primitive_value → loc → (regs_state × memory) → Prop
```

Loading a primitive value from registers or memory, applying effects of RelSpPop if necessary.

```
Inductive load: in_any → callstack × primitive_value → Prop :=
| ld_apply : ∀ (arg:in_any) loc res new_cs,
    resolve_apply regs cs arg (new_cs, loc) →
    fetch loc (FetchPV res) →
    load arg (new_cs, res).
```

A special version of load for registers because it has less potential effects on the state, which makes it easier and more precise.

```
Inductive load_reg: in_reg → primitive_value → Prop :=
| ldr_apply : V loc res,
    fetch_gpr regs loc = res →
    load_reg (Reg loc) res.

Definition load_int a cs w := load a (cs, IntValue w).
Definition load_reg_int a w := load_reg a (IntValue w).
```

Storing a primitive value to registers or memory, applying effects of RelspPush if necessary.

A special version of store for registers because it has less potential effects on the state, which makes it easier and more precise.

```
Inductive store_reg: out_reg → primitive_value → regs_state → Prop :=
| sr_apply: ∀ (arg:out_reg) loc new_regs pv,
```

```
store gpr regs loc pv = new regs →
        store reg arg pv new regs.
    Definition store int a w rs m cs := store a (IntValue w) (rs, m, cs).
  End FetchStore.
  Inductive loads (regs:regs state) (cs:callstack) (mem:memory) : list (in any
x primitive value) → callstack → Prop :=
 | rsl nil:
    loads regs cs mem nil cs
  | rsl cons: \(\forall \) (arg:in any) pv (tail: list (in any \(\times\) primitive value)) cs1
cs2,
      load regs cs mem arg (cs1, pv) \rightarrow
      loads regs cs1 mem tail cs2 →
      loads regs cs mem ((arg,pv)::tail) cs2.
 Inductive load regs (regs:regs state) : list (in reg × primitive value) →
Prop :=
 | rslr nil:
   load regs regs nil
  | rslr cons: ∀ (arg:in reg) pv (tail: list (in reg × primitive value)),
      load reg regs arg pv →
      load regs regs tail →
      load regs regs ((arg,pv)::tail).
 Inductive stores (regs:regs state) (cs:callstack) (mem:memory) : list
(out any × primitive value) → (regs state × memory × callstack) → Prop :=
 rss nil:
    stores regs cs mem nil (regs, mem, cs)
 | rss cons: ∀ (arg:out any) pv (tail: list (out any × primitive value)) regs1
mem1 cs1 regs2 mem2 cs2,
      store regs cs mem arg pv (regs1, mem1, cs1) →
      stores regs1 cs1 mem1 tail (regs2, mem2, cs2) →
      stores regs cs mem ((arg,pv)::tail) (regs2, mem2, cs2).
 Inductive store regs (regs:regs state) : list (out reg × primitive value) →
regs state → Prop :=
 | rssr nil:
   store regs regs nil regs
 | rssr cons: ∀ (arg:out reg) pv (tail: list (out reg × primitive value))
regs1 regs2 ,
      store reg regs arg pv regs1 →
      store regs regs1 tail regs2 →
      store regs regs ((arg,pv)::tail) regs2.
End MemoryOps.
Section Multibyte.
```

## Multibyte loads and stores

Instructions such as OpStore and OpLoadPointer operate with a byte addressable data\_pages, but load or store 256-bit words. Therefore, their effects are formalized separately.

```
Inductive endianness := LittleEndian | BigEndian.
Context (e:endianness) (mem:data_page).
Definition mb load word (addr:mem address) :option word.
Defined.
Inductive mb load result : mem address → word → Prop :=
| mldr apply: ∀ (addr:mem address) res,
    mb load word addr = Some res \rightarrow
    mb load result addr res.
Definition mb store word (addr:mem address) (val: word) : option data page :=
  let ls := match e with
            | LittleEndian ⇒ word to bytes val
            | BigEndian ⇒tuple.rev_tuple (word_to_bytes val)
            end in
 store multicell addr (tuple.tval ls) mem.
Inductive mb store word result: mem address → word → data page → Prop :=
| sdr apply :
 ∀ addr val page',
   mb store word addr val = Some page' →
   mb store word result addr val page'.
```

#### Reading from memory slices

Reading from slice is particular in the following way: if the accessed word passes over bounds, the bytes below the bound are formally assigned zeros. See Slices.

## Library EraVM.MemoryManagement

```
Require CallStack Ergs TransientMemory Pointer.

Import CallStack Common Core TransientMemory MemoryContext Ergs Pointer.

Section MemoryForwarding.
Open Scope ZMod_scope.

Context {state_checkpoint: Type} (callstack:=@callstack state_checkpoint).
```

## Memory forwarding

Contracts communicate by passing each other fat ptr. Far returns and far calls are able to:

- create them ForwardNewFatPointer
- reuse existing pointers ForwardExistingFatPointer.

They chose the action based on an instance of fwd\_memory passed through ABIs.

```
Inductive fwd_memory :=
   ForwardExistingFatPointer (p:fat_ptr_nullable)
| ForwardNewFatPointer (heap var: data page type) (s:span).
```

- A fat pointer defines a slice of memory and provides a read-only access to it.
- Fat pointers are created from a slice of heap or auxheap of a current contract.
- If the span of a new fat pointer crosses the heap boundary heap\_variant\_bound then the heap has to grow, and that difference has to be paid for.
- growth\_query defines by how much a a heap variant should be grown.

```
let current bound := heap variant bound cs hv in
      query - current bound = (true, ) →
      growth to bound (hv, query) cs None
 Inductive grow: growth query → callstack → callstack → Prop :=
 \mid gr grow: \forall hv cs1 cs2 diff new apages,
      let apages := get mem ctx cs1 in
      grow heap variant hv diff apages new apages -
      cs2 = update memory context new apages cs1 →
      grow (Some (hv, diff)) cs1 cs2
 | gr nogrow: ∀ cs,
      grow None cs cs.
 Inductive bound grow pay: page bound → callstack → callstack → Prop :=
 | bgp apply: \forall bound query cs1 cs2 cs3,
      growth to bound bound cs1 query →
     pay (cost of growth query) cs1 cs2 →
      grow query cs2 cs3 →
      bound grow pay bound cs1 cs3.
 Inductive span grow pay: span → data page type → callstack → callstack → Prop
 \mid sgp apply: \forall s hv cs1 cs2 bound,
      bound of span s hv bound →
      bound grow pay bound cs1 cs2 →
      span grow pay s hv cs1 cs2.
 Inductive paid forward new fat ptr: data page type → span → callstack →
fat ptr × callstack → Prop :=
 \mid pfnfp apply: \forall s heap id type cs0 cs1 ,
      span grow pay s type cs0 cs1 →
      heap id = heap variant page id cs0 type →
      paid forward new fat ptr type s cs0 (mk fat ptr (Some heap id) (fresh ptr
s), cs1).
 Inductive growth to bound unaffordable (cs:callstack) bound : Prop :=
    | gtb apply: \forall query,
        growth to bound bound cs query →
        false = affordable cs (cost of growth query) →
        growth to bound unaffordable cs bound.
 Inductive growth to span unaffordable (cs:callstack) heap type hspan : Prop
    \mid gts apply: \forall bound,
        bound of span hspan heap type bound →
        growth to bound unaffordable cs bound →
        growth to span unaffordable cs heap type hspan.
End MemoryForwarding.
```

# Library EraVM.Addressing

```
Require Common TransientMemory GPR.

Import Common TransientMemory GPR.
```

#### Addressing modes

This section describes the addressing modes in asm\_instruction. Section InstructionArguments describes the types of the instruction arguments; each type corresponds to one or multiple possible addressing modes. Assembly instruction formats with the types of their arguments are described by asm instruction.

Core instructions instruction decoded have different types of operands detailed by instruction and decoded.

**Operands** are entities operated upon by instructions. They serve as sources of data, or as destinations for the results of the instruction execution.

**Addressing mode** refers to the way in which an instruction specifies the location of data that needs to be accessed or operated upon.

Abstract EraVM supports 8 addressing modes. Some of them only support reading (indicated by "in"), or writing (indicated by "out").

1. Register (in/out).

Concrete syntax example. Use r1 as a source:

```
add r1, r0, r3
```

2. Imm (in)

*Concrete syntax example.* Use immediate 42 as a source:

```
add 42, r0, r3
```

3. Code page, relative to GPR (in)

Concrete syntax example. Use 42-th word on the code page as a source:

```
add code[42], r0, r3
```

Note: words are enumerated starting at 0, each word contains 4 instructions, adjacent words are disjoint.

4. Const page, relative to GPR (in)

Currently, the concrete syntax is absent because code and constant pages coincide in current EraVM implementation. Use the following instead:

```
add code[42], r0, r3
```

5. Stack page, relative to GPR (in/out)

Concrete syntax example. Use (r1+42)-th word on the stack page as a source has two equivalent forms:

```
add stack[r1+42], r0, r3 add stack=[r1+42], r0, r3
```

6. Stack page, relative to GPR and SP (in/out)

Concrete syntax example. Use (r1+42)-th word relative to SP on the stack page as a source:

```
add stack-[r1+42], r0, r3
```

Note, that the following form is forbidden:

```
add stack+[r1+42], r0, r3
```

7. Stack page, relative to GPR and SP, with decreasing SP (in)

*Concrete syntax example.* Use SP- (r1+42) -th word on the stack page as a source:

```
add stack-=[r1+42], r0, r3
```

Note, that the following form is forbidden:

```
add stack+=[r1+42], r0, r3
```

8. Stack page, relative to GPR and SP, with increasing SP (out)

Concrete syntax example. Use SP+ (r1+42) -th word on the stack page as a destination:

```
add r3, r0, stack+=[r1+42]
```

Note that the current implementation encodes some of these modes in the same way e.g. mode 7 and mode 8 only differ by *in* or *out* position.

Predicate resolve formalizes resolving operands to immediate values, registers and memory locations.

MemoryOps formalizes reading and writing to locations.

- 1. Register addressing (in/out)
  - Refers to one of General Purpose Registers (GPR).
  - Concrete syntax example. Use r1 as a source:

```
add r1, r0, r3
```

```
Inductive reg_io : Type := Reg (reg:reg_name).
```

#### 2. **Immediate 16-bit value** (in)

• Concrete syntax example. Use immediate 42 as a source:

```
add 42, r0, r3
```

Note that negative imm operands may be supported by the assembler, for example:

```
add -42, r0, r3
```

However, the implementation will have to proceed as follows:

- put a negative immediate -42 on a const page to an address C, as a 2's complement, 256-bit wide:
- using the const in addessing mode, address the C-th constant, as in the following pseudocode:

```
add code[C], r0, r3
```

```
Inductive imm in : Type := Imm (imm: u16).
```

#### 3. Address on a code page, relative to a GPR (in)

- Resolved to  $(reg+imm) \mod 2^{16}$ . See rslv code.
- Code and const pages may coincide in the implementation.
- Concrete syntax example. Use 42-th word on the code page as a source:

```
add code[42], r0, r3
```

Note: words are enumerated starting at 0, each word contains 4 instructions, adjacent words are disjoint.

```
Inductive code in : Type := CodeAddr (reg:reg name) (imm:code address).
```

#### 4. Address on a const page, relative to a GPR (in)

- $\circ$  Resolved to  $(reg+imm) \mod 2^{16}$ . See rslv const.
- Code and const pages may coincide.
- Currently, the concrete syntax is absent because code and constant pages coincide in current EraVM implementation. Use the following instead:

```
add code[42], r0, r3
```

```
Inductive const in: Type := ConstAddr (reg:reg name) (imm:code address).
```

#### 5. Address on a stack page, relative to a GPR (in/out)

- Resolved to  $(reg+imm) \mod 2^{16}$ . See rslv stack abs.
- Concrete syntax example. Use (r1+42)-th word on the stack page as a source has two equivalent forms:

```
add stack[r1+42], r0, r3 add stack=[r1+42], r0, r3
```

```
Inductive stack_io : Type :=
| Absolute (reg:reg_name) (imm: stack_address)
```

#### 6. Address on a stack page, relative to SP and GPR

- Resolved to  $(SP-(reg+imm)) \mod 2^{16}$ . See rslv\_stack\_rel.
- Unlike RelSpPop, the direction of offset does not change depending on read/write.
- Concrete syntax example. Use (r1+42)-th word relative to SP on the stack page as a source:

```
add stack-[r1+42], r0, r3
```

Note, that the following form is forbidden:

```
add stack+[r1+42], r0, r3
```

```
| RelSP (reg:reg_name) (offset: stack_address)
```

#### 7. Stack page, relative to GPR and SP, accompanied by decreasing SP (in).

- A generalized version of pop operation.
- Resolved to  $(SP-(reg+imm)) \mod 2^{16}$ . See rslv stack rel.
- Additionally, after the resolution, SP is modified: SP -= (reg + imm).
- Concrete syntax example. Use SP- (r1+42) -th word on the stack page as a source:

```
add stack-=[r1+42], r0, r3
```

Note, that the following form is forbidden:

```
add stack+=[r1+42], r0, r3
```

```
Inductive stack_in_only : Type :=
| RelSpPop (reg:reg_name) (offset: stack_address)
```

- 8. Stack page, relative to GPR and SP, accompanied by increasing SP (out).
  - A generalized version of push operation.
  - Resolved to  $(SP+(reg+imm)) \mod 2^{16}$ .
  - Additionally, after the resolution, SP is modified: SP += (reg + imm).
  - Concrete syntax example. Use SP+ (r1+42) -th word on the stack page as a destination:

```
add r3, r0, stack+=[r1+42]
```

**WARNING: KNOWN DIVERGENCE (in versions prior to v1.4.1)** implementation of earlier versions diverged from the described spec:

- Implementation: the write happens to the new SP address
- Specification: the write happens to the old SP address

Since v 1.4.1 the implementation conforms to the spec.

```
Inductive stack_out_only : Type :=
| RelSpPush (reg:reg_name) (offset: stack_address)
.
```

Section InstructionArguments.

# Operand types

This section details the types of operand for asm\_instruction. The types of operands for instruction are different and detailed by instruction, descr, decoded and bound.

Instruction may have input and output operands.

- There are three types of input operands:
  - in reg: read from a GPR.
  - in\_any: read from reg, immediate value, or any memory. May be a generalized pop RelSpPop.
  - in regimm read from either reg or immmediate value.
- There are two types of input operands:
  - out reg: store to a GPR.
  - out any: store to a GPR or any writable memory location. May be a generalized push

```
RelSpPush.
```

To describe these types, we create a hierarchy of subtypes ordered by inclusion (see Coercions).

We denote input arguments as  $in_1$ ,  $in_2$ , and output arguments as  $out_1$ ,  $out_2$ . Many instructions have 2 input arguments and 1 output argument. The encoding limits the number of arguments of type  $in_any$  and  $out_any$ :

- For each instruction, there can be no more one argument of type in any.
- For each instruction, there can be no more one argument of type out any.

It is allowed to have both in any and out any in the same instruction.

```
Inductive stack in : Type :=
    | StackInOnly (arg: stack in only)
    | StackInAny (arg: stack io)
   Inductive stack out: Type :=
    | StackOutOnly (arg: stack out only)
    | StackOutAny (arg: stack io)
   Inductive stack any : Type :=
   | StackAnyIO (arg: stack io)
   | StackAnyIn (arg: stack in only)
    | StackAnyOut (arg: stack out only)
Utility conversions, click to unfold
   Definition stack in to any (s:stack in) : stack any :=
     match s with
     | StackInOnly arg ⇒ StackAnyIn arg
     | StackInAny arg ⇒ StackAnyIO arg
     end.
   Definition stack out to any (s:stack out) : stack any :=
     match s with
     | StackOutOnly arg ⇒ StackAnyOut arg
      | StackOutAny arg ⇒ StackAnyIO arg
     end.
```

The any auxiliary argument type allows for all addressing modes; it never occurs in instructions but is used to resolve argument locations.

```
Inductive any : Type :=
| AnyReg : reg_io → any
| AnyImm : imm_in → any
| AnyStack: stack_any→ any
| AnyCode : code in → any
```

```
| AnyConst: const_in → any
```

## Input arguments

Instructions may have no more than two input arguments.

Usually,  $in_1$  supports any types of arguments, except for RelSpPush.

Usually,  $in_2$  supports only arguments in GPRs.

```
Definition in reg : Type := reg io.
```

In exotic cases, an input argument may either be a register, or an immediate value, but not anything else.

#### Output arguments

Instructions may have no more than two output arguments.

Output arguments can not be immediate values.

A single immediate value is not sufficient to identify a memory cell, because we have multiple pages (see page).

Out arguments can not resolve to the addresses of constants or instructions, because code\_page and const page are not writable.

Therefore, we do not define out regimm, because it is impossible to write to immediate values.

```
Module Coercions.
 Coercion in any incl: in any >-> any.
 Coercion out any incl : out any >-> any.
  Coercion Imm : u16 >-> imm in.
  Coercion InReg : reg io >-> in any.
  Coercion InImm : imm in >-> in any.
  Coercion InStack: stack in >-> in any.
  Coercion InCode: code in >-> in any.
  Coercion InConst: const in >-> in any.
  Coercion StackInOnly: stack_in_only >-> stack_in.
  Coercion stack_in_to_any: stack_in >-> stack_any.
  Coercion OutReg : reg io >-> out any.
  Coercion OutStack: stack out >-> out any.
  Coercion AnyStack: stack any >-> any.
  Coercion StackOutOnly: stack out only >-> stack out.
  Coercion in regimm incl: in regimm >-> in any.
  Coercion StackInAny : stack io >-> stack in.
  Coercion Reg : reg name >-> reg io.
```

# Library EraVM.Resolution

```
Require Core Addressing CallStack .
Import ssreflect ssrfun ssrbool eqtype ssreflect.tuple.
Import Addressing Core Common ZArith CallStack GPR PrimitiveValue Pointer
TransientMemory.
Section AllResolution.
Section AddressingUtils.
  Import MemoryBase.
 Open Scope ZMod scope.
 Predicate reg rel implements the resolution for register-based relative addressing. Its specializations
 implement relative addressing for:

    the code page: reg rel code;

  the const page: reg_rel_const;
  the stack_page: reg_rel_const;
  (* Inductive equal bits \{n \ m\} (x :BITS n) (y: BITS m) (H: n = m) : Prop := *)
  Definition low16 (w: word) : u16 := low 16 w.
  Definition low32 (w: word) : u32 := low 32 w.
  Inductive reg rel : regs state → reg name → u16 → u16 → Prop :=
  | rca code pp: ∀ regs reg reg val base ofs
                    abs OF ignored,
      fetch gpr regs reg = IntValue reg val →
      base = low16 reg val \rightarrow
      base + ofs = (OF ignored, abs) \rightarrow
      reg rel regs reg ofs abs.
  Definition reg rel code : regs state → reg name → u16 → code address → Prop
    := reg rel.
  Definition reg rel const : regs state → reg name → u16 → const address → Prop
  Definition reg rel stack : regs state → reg name → u16 → stack address → Prop
    := reg rel.
 Note: in sp displ, delta = reg + imm.
  Definition sp_displ: regs_state → reg_name → u16 → stack_address → Prop :=
reg rel stack.
End AddressingUtils.
```

## Address resolution

Instructions have multiple ways of addressing data, i.e. immediate 16-bit values, GPRs, absolute or relative addresses in stack etc. They are described in section Addressing by types such as in\_any, out\_reg, and so on.

**Location** stands for a source and/or destination for data, addressable by instructions.

**Address resolution** is a matching between instruction operands and locations using the supported address modes.

There are five main locations that instructions can address:

- 1. Immediate data: the operand is provided directly as an unsigned 16-bit integer value.
- 2. Register: data can be fetched or stored to general purpose registers r1-r15.
- 3. Stack address: data can be fetched or stored to stack.
- 4. Code address: instructions can be fetched from a code page.
- 5. Constant address: data can be fetched from a read-only page holding constant words.

```
Inductive loc : Type :=
| LocImm: u16 → loc
| LocReg : reg_name → loc
| LocStackAddress: stack_address → loc
| LocCodeAddr: code_address → loc
| LocConstAddr: const_address → loc
```

Additionally, data can be fetched and stored to data pages; this process is more complicated and requires putting in registers specially formed pointers <a href="heap\_ptr">heap\_ptr</a>.

```
Section Resolution.
Import Addressing.Coercions.
Open Scope ZMod scope.
```

Resolution of RelSpPop and RelSpPush addressing modes modifies the stack pointer. This, and possible future effects, is described by resolve\_effect predicate.

```
Inductive resolve_effect := | NoEffect | NewSP (val: stack_address).

Record resolve_result :=
   mk_resolved {
      effect: resolve_effect;
      location:> loc;
   }.
```

```
Context {state_checkpoint}
  (callstack := @callstack state_checkpoint)
  (rs:regs_state)
  (cs: callstack)
  (sp:= sp_get cs).

Reserved Notation "[[ resolved ]]" (at level 9, no associativity).
Reserved Notation "[[ resolved ; 'SP' <- newsp ]]" (at level 9, no associativity).

Declare Scope Resolution_scope.
Open Scope Resolution_scope.</pre>
```

Address resolution is formalized by the predicate resolve.

```
Inductive resolve : any \rightarrow resolve result \rightarrow Prop :=
```

· Registers and immediate values are resolved to themselves.

```
| rslv_reg : V reg,
            resolve (Reg reg) [[ LocReg reg ]]
| rslv_imm: V imm,
            resolve (Imm imm) [[ LocImm imm ]]
```

• Absolute : Absolute stack addressing with a general purpose register and an immediate displacement is resolved to reg+imm.

```
| rslv_stack_abs: ∀ regs reg imm abs,
    reg_rel_stack regs reg imm abs →
    resolve (Absolute reg imm) [[ LocStackAddress abs ]]
```

• RelsP: Addressing relative to SP with a general purpose register and an immediate displacement is resolved to sp-(reg+imm).

```
| rslv_stack_rel: ∀ reg ofs delta_sp sp_rel,
    sp_displ rs reg ofs delta_sp →

    (false, sp_rel) = sp - delta_sp→
    resolve (RelSP reg ofs) [[ LocStackAddress sp rel ]]
```

• RelSpPop: Reading relative to SP with a general purpose register and an immediate

displacement, and SP decrement, is resolved to sp-(reg+imm); additionally, SP is assigned the same value sp-(reg+imm). The new SP value will then be used for the resolution of other operands.

In other words, it is equivalent to a sequence of two actions:

```
    SP = SP - (reg + imm)
    [SP] -> result
```

In other words, it is equivalent to:

- 1. pop the stack (reg + imm 1) times, discard these values
- 2. pop value from stack and return it

```
| rslv_stack_gpop: ∀ reg ofs delta_sp new_sp,
    sp_displ rs reg ofs delta_sp →
    (false, new_sp) = sp - delta_sp→
    resolve (RelSpPop reg ofs) [[ LocStackAddress new sp ; SP <- new sp ]]</pre>
```

• RelSpPush: Writing relative to SP with a general purpose register and an immediate displacement, and SP increment, is resolved to the current value of SP. Additionally, SP is assigned a new value sp+(reg+imm). The new SP value will then be used for the resolution of other operands.

In other words, it is equivalent to a sequence of two actions:

[SP] <- input value</li>
 SP = SP + (reg + imm)

In other words, it is equivalent to:

- 1. push the input value to the stack
- 2. allocate (reg+imm-1) slots in stack

Note: the reason of the asymmetry between RelSpPush and RelSpPop is because they are generalizations of push and pop operations.

Consider a stack implemented as an array with a pointer. Suppose that, like in EraVM, SP points the the next address after the last value in stack; in other words, the topmost element in the stack is located at sp-1. Then push and pop can be implemented in the following way:

• Push:

```
    [SP] <- new_value</li>
    SP = SP + 1
```

· Pop:

```
1. SP = SP - 1
2. [SP] -> result
```

This asymmetry naturally generalizes to RelSpPush and RelSpPop.

# Using RelSpPop and RelSpPush in one instruction

Suppose an instruction is using both RelSpPop and RelSpPush, then both effects are applied in order:

- First, the "in" effect of RelSpPop.
- Then, the "out" effect of RelspPush, where SP is already changed by RelspPop.
- If the instruction accesses SP, both effects will be applied prior to the instruction-specific logic.

See an example in sem. ModSP. step.

Predicate apply\_effects formalizes the application of address resolution side effects to the state. In the current state of EraVM, only SP modifications are allowed, therefore the effect is limited to the topmost frame of callstack, which holds the current value of sp in cf\_sp.

End Resolution.

# Library EraVM.isa.Instructions

Section InstructionSets.

## **EraVM** instruction sets

*Note* If you are interested in the instruction set exposed to the assembly programmer, skim this section quickly and then proceed to AssemblyInstructionSet, CoreInstructionSet and to core.

The spec introduces the following layers of abstraction for the instruction set, from lowest level to the highest level:

 Binary encoding (as BITS 64 type instances). Binary encoded instructions, each instruction is 64-bit wide.

The exact type for such instructions is BITS 64.

The definition <code>encode\_mach\_instruction</code> formalizes the encoding algorithm. It depends on <code>encode predicate</code> and <code>encode opcode</code>.

The encoding is an injection, because most instructions ignore the values of some instruction fields such as op\_dst1.

- 2. Low-level machine instructions mach instruction.
  - Fixed format with two input operands, two output operands, two immediate values.
  - Restricted sources/destinations (e.g. second input can only be fetched from registers), instructions may ignore some instruction fields.
- 3. Assembly instructions (see section AssemblyInstructionSet).

An assembly instruction is an instance of predicated asm\_instruction. The type asm\_instruction defines instruction format with the exact operand types and all their supported modifiers.

The instruction semantic is defined for these instructions; see step in section SmallStep.

The following abstraction levels simplify the definition of instruction semantic but are invisible for assembly programmer.

4. Core instructions (see the type instruction in section CoreInstructionSet). The exact type for such instructions is predicated (instruction decoded).

A simplified instruction set where the mod\_swap modifier is applied and there are no restrictions on the operand sources or destinations, such as "the second input operand may only be fetched from register". Because of fewer restrictions, the definitions are more uniform. The translation from asm\_instruction to instruction is implemented in section AssemblyToCore.

Additionally, the type instruction describes the meaningful operand types for instructions after decoding, e.g. OpFarRet loads an operand from a register, but then describlizes it into a compound value. The types of such compound values are explicitly provided by bound definition.

The type <u>instruction</u> describes a schema of core instructions; this schema can be specialized to describe:

- fetched and decoded instruction instruction decoded;
- an instruction where input and output operands are bound to the memory locations instruction bound. This abstracts loading and storing operands, and their serialization/deserialization in case of ABI encoded instruction parameters.

Adding a layer of <u>instruction bound</u> allows describing instruction semantics as if instructions were accepting structural values directly, omitting fetching values, binary encoding and decoding.

- See <a href="step\_add">step\_add</a> for an example of how instruction-specific semantic is defined omitting loading and storing details.
- See step\_ContextMeta for an example of how instruction-specific semantic is defined omitting not only loading and storing, but also serialization/deserialization details.
- See OperandBinding for the details of binding, e.g. bind\_farret\_params describes how OpFarRet's ABI parameters are describlized.

End InstructionSets.

# Library EraVM.isa.Modifiers

Require Flags.
Import Flags.

Section Modifiers.

## Instruction modifiers

There are two modifiers common between multiple asm instruction: swap and set flags.

#### Swap modifier

This modifier, when applied, swaps two input operands. Definition asm\_instruction shows which instructions support it.

Input operands usually have different addressing modes, e.g. the divisor in Assembly.OpDiv may be only fetched from registers, not memory. Applying swap modifier allows to fetch rather the divisor from memory, and the divident can be fetched from register.

The function to\_core transforms asm\_instruction into a core instruction and applies the swap modifier.

```
Inductive mod_swap := Swap | NoSwap.

Definition apply_swap {T} (md: mod_swap) (a b:T) : TxT :=
  match md with
  | NoSwap \Rightarrow (a,b)
  | Swap \Rightarrow (b,a)
  end.
```

## Set flags

End Modifiers.

Only instructions with the modifier mod\_set\_flags set may change the state of flags in gs\_flags. Therefore, if mod\_set\_flags is not set, it is guaranteed that the instruction will not change the flags state.

```
Inductive mod set flags := SetFlags | PreserveFlags.
```

If set flags modifier md is set, preserve the old flags state f; otherwise, return the new state f'.

```
Definition apply_set_flags (md: mod_set_flags) (f f':flags_state) :
flags_state :=
    match md with
    | SetFlags \( \rightarrow f' \)
    | PreserveFlags \( \rightarrow f \)
    end.
```

# Library EraVM.isa.Assembly

Require Addressing Common memory. Depot Transient Memory Pointer Predication isa. Modifiers.

Import Addressing Common memory.Depot TransientMemory Pointer Predication
Modifiers.

Section AssemblyInstructionSet.

# EraVM assembly instruction set

This section describes an instruction set asm instruction which is a target for compiler.

The type asm\_instruction defines instruction format with the precise types of their operands, and all their supported modifiers. This set is a slice in the middle of the abstractions hierarchy:

- The next lower level is machine instructions. The assembly encodes asm\_instruction to the lower-level machine instructions which are then mapped to their binary encodings.
- The next higher level are **core instructions** described in section CoreInstructionSet. These instructions have are simplified formats, impose less constraints on the operand sources and destinations, and do not support the mod swap modifier.

For all practical purposes, the reader of the specification should start at this level, unless their interest is in lower-level encoding details. The encoding layout is formalized by mach\_instruction type, which is then serialized to binary by encode mach instruction.

The function base cost defines the basic costs of each instruction in ergs.

```
Inductive asm instruction: Type :=
 | OpInvalid
 qOoNqO |
 | OpSpAdd (in1: in reg) (ofs: imm in)
(* encoded as NoOp with out 1 in address mode Addressing.RelSpPush*)
 | OpSpSub (in1: in reg) (ofs: imm in)
(* encoded as NoOp with in 1 in address mode Addressing.RelSpPop *)
 | OpJump (dest: in any) (ret addr: out any)
 | OpAnd (in1: in any) (in2: in reg) (out1: out any) (flags:mod set flags)
 | OpOr (in1: in any) (in2: in reg) (out1: out any) (flags:mod set flags)
 | OpXor (in1: in any) (in2: in reg) (out1: out any) (flags:mod set flags)
 | OpAdd (in1: in any) (in2: in reg) (out1: out any) (flags:mod set flags)
 | OpSub (in1: in any) (in2: in reg) (out1: out any) (swap:mod swap)
(flags:mod set flags)
 OpShl (in1: in any) (in2: in reg) (out1: out any) (swap:mod swap)
(flags:mod set flags)
 | OpShr (in1: in any) (in2: in reg) (out1: out_any) (swap:mod_swap)
(flags:mod set flags)
 | OpRol (in1: in any) (in2: in reg) (out1: out any) (swap:mod swap)
(flags:mod set flags)
 | OpRor (in1: in any) (in2: in reg) (out1: out any) (swap:mod swap)
(flags:mod set flags)
 | OpMul (in1: in any) (in2: in reg) (out1: out any) (out2: out reg)
(flags:mod set flags)
 | OpDiv (in1: in any) (in2: in reg) (out1: out any) (out2: out reg)
(swap:mod swap) (flags:mod set flags)
 | OpNearCall (arg: in reg) (dest: imm in) (handler: imm in)
 | OpFarCall (enc: in reg) (dest: in reg) (handler: imm in) (is static:bool)
(is shard provided: bool)
```

```
| OpMimicCall (enc: in reg) (dest: in reg) (handler: imm in) (is static:bool)
(is shard provided: bool)
  | OpDelegateCall(enc: in reg) (dest: in reg) (handler: imm in)
(is static:bool) (is shard provided: bool)
 OpNearRet
 | OpNearRetTo (dest: imm in)
 | OpFarRet (args: in_reg)
 | OpNearRevert
 | OpNearRevertTo(dest: imm in)
 | OpFarRevert (args: in reg)
 | OpNearPanicTo (dest: imm in)
 | OpPanic
 | OpPtrAdd (in1: in any) (in2: in reg) (out: out any) (swap:mod swap)
 | OpPtrSub (in1: in any) (in2: in req) (out: out any) (swap:mod swap)
 | OpPtrShrink (in1: in any) (in2: in reg) (out: out any) (swap:mod swap)
 | OpPtrPack (in1: in any) (in2: in reg) (out: out any) (swap:mod swap)
 | OpLoad (ptr: in regimm) (res: out reg) (mem:data page type)
 | OpLoadInc (ptr: in regimm) (res: out reg) (mem:data page type) (inc ptr:
out reg)
 | OpStore (ptr: in regimm) (val: in reg) (mem:data page type)
 | OpStoreInc (ptr: in regimm) (val: in reg) (mem:data page type) (inc ptr:
out reg)
 | OpLoadPointer (ptr: in reg) (res: out reg)
 | OpLoadPointerInc (ptr: in reg) (res: out reg) (inc ptr: out reg)
 | OpContractThis (out: out reg)
 | OpContractCaller (out: out reg)
 | OpContractCodeAddress (out: out reg)
 | OpVMMeta (out: out reg)
 | OpVMErgsLeft (out: out reg)
 | OpVMSP (out: out reg)
 | OpGetCapturedContext (out: out reg)
 | OpSetContextReg (in1: in reg)
  (* Removed in VM 1.5.0
| OpContextSetErgsPerPubdataByte (in1: in reg)
 | OpIncrementTxNumber
 | OpAuxMutating (in1: in reg)
 | OpSLoad (in1: in reg) (out: out reg)
 | Opsstore (in1: in reg) (in2: in reg)
 | OpPrecompileCall (in1: in_reg) (in2: in_reg) (out: out_reg)
 | OpEvent (in1: in reg) (in2: in reg) (is first: bool)
 | OpToL1Message (in1: in reg) (in2: in reg) (is first: bool)
  (* Since VM 1.5.0 *)
  | OpTransientStore (in1: in reg) (in2: in reg)
  (* Since VM 1.5.0 *)
```

```
| OpTransientLoad (in1: in_reg) (out: out_reg)
(* Since VM 1.5.0 *)
| OpStaticRead (in1: in_regimm) (out: out_reg)
(* Since VM 1.5.0 *)
| OpStaticReadInc (in1: in_regimm) (out1: out_reg) (out2: out_reg)
(* Since VM 1.5.0 *)
| OpStaticWrite (in1: in_regimm) (in2: in_reg)
(* Since VM 1.5.0 *)
| OpStaticWriteInc (in1: in_regimm) (in2: in_reg) (out: out_reg)
(* Since VM 1.5.0 *)
| OpDecommit (in1: in_reg) (in2: in_reg) (out: out_reg)
.
```

End AssemblyInstructionSet.

# Library EraVM.isa.CoreSet

Require Addressing isa. Modifiers Pointer Predication Transient Memory. Import Addressing Modifiers Transient Memory Pointer Predication.

Section CoreInstructionSet.

## Core instruction set

This section describes a schema <u>instruction</u> of a simplified instruction set appearing in semantic definitions for <u>asm\_instruction</u>. The meaning of "schema" here is that <u>instruction</u> needs to be specialized with a proper instance of <u>descr</u> record to describe an instruction at different stages of its execution.

The schema <u>instruction</u> is parameterized with types of various instruction operands. Conventionally, their names reflect the following information:

- the prefix is src for source operands and dest for output operands.
- the suffix shows the type of data fetched or stored from register/memory.

#### For example:

- src pv means "a source operand with a meaning of a primitive value";
- src fat ptr means "a source operand which will be decoded to a fat ptr";
- dest\_heap\_ptr means "a destination operand with a meaning of heap\_ptr; such pointer will be encoded and written to memory".

Therefore, the exact definitions of instructions should be specialized with an instance of descr to give precise meaning to instruction operands. Currently, two such instances are used:

- instruction decoded is decoded from asm instruction.
- instruction bound is an instruction where operands have been bound to their source/ destination locations in memory; at this stage, reads, writes, encoding and decodings (parts of ABI) are accounted for.

Having instruction bound allows attributing semantic in a more concise way. See

OperandBinding. For additional versatility, the definitions may bind both the decoded values and their representations as primitive values; see bound.

```
Structure descr: Type := {
     src pv: Type;
     src fat ptr: Type;
     src heap ptr: Type ;
     src farcall params: Type;
     src nearcall params: Type;
     src ret params: Type;
     src precompile params: Type;
     dest pv: Type;
     dest heap ptr: Type;
     dest fat ptr: Type;
     dest meta params: Type;
 Context {d: descr}
    (src pv:= src pv d)
    (src fat ptr:= src fat ptr d)
    (src heap ptr:= src heap ptr d)
    (src farcall params:= src farcall params d)
    (src nearcall params:= src nearcall params d)
    (src ret params:= src ret params d)
    (src precompile params:= src precompile params d)
    (dest pv:= dest pv d)
    (dest heap ptr:= dest heap ptr d)
    (dest fat ptr:= dest fat ptr d)
    (dest meta params:= dest meta params d)
 Inductive instruction: Type :=
 | OpInvalid
 | OpNoOp
 | OpSpAdd (in1: src pv) (ofs: stack address)
(* encoded as NoOp with $out 1$ *)
 | OpSpSub (in1: src pv) (ofs: stack address)
(* encoded as NoOp with $in 1$ *)
 | OpJump (dest: src pv) (out1: dest pv)
 | OpAnd (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpOr (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpXor (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpAdd (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpSub (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpShl (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpShr (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpRol (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpRor (in1: src pv) (in2: src pv) (out1: dest pv) (flags:mod set flags)
 | OpMul (in1: src pv) (in2: src pv) (out1: dest pv) (out2: dest pv)
(flags:mod set flags)
 | OpDiv (in1: src pv) (in2: src pv) (out1: dest pv) (out2: dest pv)
(flags:mod set flags)
```

```
| OpNearCall (in1: src nearcall params) (dest: code address) (handler:
code address)
 | OpFarCall (enc: src farcall params) (dest: src pv) (handler: code address)
(is static:bool) (is shard provided: bool)
 | OpMimicCall (enc: src farcall params) (dest: src pv) (handler:
code address) (is static:bool) (is shard provided: bool)
  | OpDelegateCall(enc: src farcall params) (dest: src pv) (handler:
code_address) (is_static:bool) (is_shard_provided: bool)
 OpNearRet
 | OpNearRetTo (label: code address)
 | OpFarRet (args: src ret params)
 | OpNearRevert
 | OpNearRevertTo (label: code address)
 | OpFarRevert (args: src ret params)
 | OpNearPanicTo (label: code address)
 | OpPanic
 | OpPtrAdd (in1: src fat ptr) (in2: src pv) (out: dest fat ptr)
 | OpPtrSub (in1: src fat ptr) (in2: src pv) (out: dest fat ptr)
 | OpPtrShrink (in1: src fat ptr) (in2: src pv) (out: dest fat ptr)
 | OpPtrPack (in1: src fat ptr) (in2: src pv) (out: dest pv)
 | OpLoad (ptr: src heap ptr) (res: dest pv) (mem:data page type)
 | OpLoadInc (ptr: src heap ptr) (res: dest pv) (mem:data page type) (inc ptr:
dest heap ptr)
 OpStore (ptr: src heap ptr) (val: src pv) (mem:data page type)
 | OpStoreInc (ptr: src heap ptr) (val: src pv) (mem:data page type) (inc ptr:
dest heap ptr)
 | OpLoadPointer (ptr: src fat ptr) (res: dest pv)
  | OpLoadPointerInc (ptr: src fat ptr) (res: dest pv) (inc ptr: dest fat ptr)
 | OpContractThis (out: dest pv)
 | OpContractCaller (out: dest pv)
 | OpContractCodeAddress (out: dest pv)
 | OpVMMeta (out: dest meta params)
 | OpVMErgsLeft (out: dest pv)
 | OpVMSP (out: dest pv)
 | OpGetCapturedContext (out: dest pv)
  | OpSetContextReg (in1: src pv)
  (* Removed in VM 1.5.0
| OpContextSetErgsPerPubdataByte (in1: src pv)
 | OpIncrementTxNumber
 | OpSLoad (in1: src pv) (out: dest pv)
 | Opsstore (in1: src pv) (in2: src pv)
 | OpToL1Message (in1: src pv) (in2: src pv) (is first: bool)
 | OpEvent (in1: src pv) (in2: src pv) (is first: bool)
```

```
| OpPrecompileCall (in1: src precompile params) (ergs:src pv) (out: dest pv)
  | OpTransientStore (in1: src pv) (in2: src pv)
  (* Since VM 1.5.0 *)
 | OpTransientLoad (in1: src pv) (out: dest pv)
  (* Since VM 1.5.0 *)
  | OpStaticRead (in1: src heap ptr) (out: dest pv)
  (* Since VM 1.5.0 *)
  OpStaticReadInc (in1: src heap ptr) (out1: dest pv) (out2: dest heap ptr)
  (* Since VM 1.5.0 *)
  | OpStaticWrite (in1: src heap ptr) (in2: src pv)
  (* Since VM 1.5.0 *)
  | OpStaticWriteInc (in1: src heap ptr) (in2: src pv) (out: dest heap ptr)
  (* Since VM 1.5.0 *)
  | OpDecommit (in1: src pv) (in2: src pv) (out: dest pv)
  (* Since VM 1.5.0 *)
 | OpAuxMutating (in1: src pv)
End CoreInstructionSet.
#[global]
 Canonical Structure decoded: descr :=
 let src := in any in
 let dest := out any in
 { |
   src pv := src;
   src fat ptr :=src;
   src heap ptr :=src;
   src farcall params := src;
   src nearcall params := src;
   src ret params := src;
    src precompile params := src;
   dest pv := dest;
   dest heap ptr := dest;
   dest fat ptr := dest;
   dest meta params := dest;
 | } .
Section InstructionMapper.
 Notation state rel S OP V := (S \rightarrow S \rightarrow OP \rightarrow V \rightarrow Prop).
 Record relate st {S} {A B: descr}: Type :=
     mf src pv : state rel S (src pv A) (src pv B);
     mf src fat ptr: state rel S (src fat ptr A) (src fat ptr B);
      mf src heap ptr: state rel S (src heap ptr A) (src heap ptr B);
      mf src farcall params: state rel S (src farcall params A)
(src farcall params B);
      mf src nearcall params: state rel S (src nearcall params A)
(src nearcall params B);
      mf src ret params: state rel S (src ret params A) (src ret params B);
      mf src precompile params: state rel S (src precompile params A)
(src precompile params B);
      mf dest pv: state rel S (dest pv A) (dest pv B);
      mf dest heap ptr: state rel S (dest heap ptr A) (dest heap ptr B);
```

```
mf dest fat ptr : state rel S (dest fat ptr A) (dest fat ptr B);
      mf dest meta params: state rel S (dest meta params A) (dest meta params
B);
  Generalizable Variables s i o imm fs.
  Context {S A B} (m:@relate st S A B)
    (mf src pv := mf src pv m)
    (mf src fat ptr := mf src fat ptr m)
    (mf src heap ptr := mf src heap ptr m)
    (mf src farcall params := mf src farcall params m)
    (mf src nearcall params := mf src nearcall params m)
    (mf src ret params := mf src ret params m)
    (mf src precompile params := mf src precompile params m)
    (mf dest pv := mf dest pv m)
    (mf dest heap ptr := mf dest heap ptr m)
    (mf dest fat ptr := mf dest fat ptr m)
    (mf dest meta params := mf dest meta params m)
  Inductive ins srelate : S \rightarrow S \rightarrow @instruction A \rightarrow @instruction B \rightarrow Prop :=
  |sim noop: ∀ s, ins srelate s s OpNoOp OpNoOp
  |sim invalid: ∀ s, ins srelate s s OpInvalid OpInvalid
  |sim_sp_add: `(
                    mf src pv s0 s1 i1 i1' \rightarrow
                    ins srelate s0 s1 (OpSpAdd i1 imm1) (OpSpAdd i1' imm1)
  |sim_sp_sub: `
                    mf src pv s0 s1 i1 i1' →
                    ins srelate s0 s1 (OpSpSub i1 imm1) (OpSpSub i1' imm1)
  |sim jump: `(
                  mf src pv s0 s1 i1 i1' →
                  mf dest pv s0 s1 o1 o1' →
                  ins srelate s0 s1 (OpJump i1 o1) (OpJump i1' o1')
  |sim_and: `(
                mf src pv s0 s1 i1 i1' →
                mf src pv s1 s2 i2 i2' →
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 ins srelate s0 s3 (OpAnd i1 i2 o1 fs) (OpAnd i1' i2' o1' fs)
  |sim_or: `(
               mf src pv s0 s1 i1 i1' →
               mf src pv s1 s2 i2 i2' →
               mf dest pv s2 s3 o1 o1' →
                ins srelate s0 s3 (OpOr i1 i2 o1 fs) (OpOr i1' i2' o1' fs)
  |sim_xor: `(
                mf_src_pv s0 s1 i1 i1' →
                mf_src_pv s1 s2 i2 i2' \rightarrow
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 ins srelate s0 s3 (OpXor i1 i2 o1 fs) (OpXor i1' i2' o1' fs)
  |sim_add: `(
                 mf src pv s0 s1 i1 i1' \rightarrow
```

```
mf src pv s1 s2 i2 i2' →
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 ins srelate s0 s3 (OpAdd i1 i2 o1 fs) (OpAdd i1' i2' o1' fs)
  |sim_sub: `(
                 mf src pv s0 s1 i1 i1' →
                 mf src pv s1 s2 i2 i2' →
                 mf_dest_pv s2 s3 o1 o1' ->
                  ins srelate s0 s3 (OpSub i1 i2 o1 fs) (OpSub i1' i2' o1' fs)
  |sim_shl: `(
                 mf src pv s0 s1 i1 i1' \rightarrow
                 mf src pv s1 s2 i2 i2' →
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 ins srelate s0 s3 (OpShl i1 i2 o1 fs) (OpShl i1' i2' o1' fs)
  |sim_shr: `(
                 mf src pv s0 s1 i1 i1' →
                 mf src pv s1 s2 i2 i2' →
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 ins srelate s0 s3 (OpShr i1 i2 o1 fs) (OpShr i1' i2' o1' fs)
  |sim_rol: `(
                 mf src pv s0 s1 i1 i1' →
                 mf src pv s1 s2 i2 i2' →
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 ins srelate s0 s3 (OpRol i1 i2 o1 fs) (OpRol i1' i2' o1' fs)
  |sim_ror: `(
                 mf src pv s0 s1 i1 i1' →
                 mf src pv s1 s2 i2 i2' →
                 mf dest pv s2 s3 o1 o1' \rightarrow
                  ins srelate s0 s3 (OpRor i1 i2 o1 fs) (OpRor i1' i2' o1' fs)
  |sim PtrAdd: `(
                     mf src fat ptr s0 s1 i1 i1' \rightarrow
                     mf src pv s1 s2 i2 i2' →
                     mf dest_fat_ptr s2 s3 o1 o1' \rightarrow
                     ins srelate s0 s3 (OpPtrAdd i1 i2 o1) (OpPtrAdd i1' i2' o1')
  |sim PtrSub: `(
                     mf src fat ptr s0 s1 i1 i1' \rightarrow
                     mf src pv s1 s2 i2 i2' →
                     mf_dest_fat_ptr\ s2\ s3\ o1\ o1' \rightarrow
                     ins srelate s0 s3 (OpPtrSub i1 i2 o1) (OpPtrSub i1' i2' o1')
  |sim PtrShrink: `(
                        mf src fat ptr s0 s1 i1 i1' \rightarrow
                        mf src pv s1 s2 i2 i2' →
                        mf dest fat ptr s2 s3 o1 o1' \rightarrow
                        ins_srelate s0 s3 (OpPtrShrink i1 i2 o1) (OpPtrShrink i1'
i2' o1')
  |sim_PtrPack: `(
                      mf src fat ptr s0 s1 i1 i1' \rightarrow
                      mf_src_pv s1 s2 i2 i2' →
                      mf_dest_pv s2 s3 o1 o1' \rightarrow
```

```
ins srelate s0 s3 (OpPtrPack i1 i2 o1) (OpPtrPack i1' i2'
01')
 |sim mul: `(
                 mf src pv s0 s1 i1 i1' →
                 mf src pv s1 s2 i2 i2' \rightarrow
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 mf dest pv s3 s4 o2 o2' \rightarrow
                 ins srelate s0 s4 (OpMul i1 i2 o1 o2 fs) (OpMul i1' i2' o1' o2'
fs )
  |sim div:
                 mf src pv s0 s1 i1 i1' →
                 mf src pv s1 s2 i2 i2' \rightarrow
                 mf dest pv s2 s3 o1 o1' \rightarrow
                 mf dest pv s3 s4 o2 o2' \rightarrow
                 ins srelate s0 s4 (OpDiv i1 i2 o1 o2 fs) (OpDiv i1' i2' o1' o2'
fs)
  |sim_nearcall: `(
                      ∀ dest handler,
                        mf src nearcall params s0 s1 i1 i1' \rightarrow
                        ins srelate s0 s1 (OpNearCall i1 dest handler)
(OpNearCall i1' dest handler)
  |sim_farcall: `(
                     ∀ handler static shard,
                       mf src farcall params s0 s1 i1 i1' →
                       mf src pv s1 s2 i2 i2' →
                       ins srelate s0 s2 (OpFarCall i1 i2 handler static shard)
(OpFarCall i1' i2' handler static shard)
  |sim mimiccall: `(

∀ handler static shard,

                         mf src farcall params s0 s1 i1 i1' →
                         mf src pv s1 s2 i2 i2' →
                         ins srelate s0 s2 (OpMimicCall i1 i2 handler static
shard) (OpMimicCall i1' i2' handler static shard)
  |sim delegatecall: `(
                          ∀ handler static shard,
                            mf src farcall params s0 s1 i1 i1' →
                            mf src pv s1 s2 i2 i2' →
                            ins_srelate s0 s2(OpDelegateCall i1 i2 handler
static shard) (OpDelegateCall i1' i2' handler static shard)
  |sim nearret: ∀ s, ins srelate s s OpNearRet OpNearRet
  |sim nearrevert: ∀ s, ins srelate s s OpNearRevert OpNearRevert
  |sim nearpanic: ∀ s, ins srelate s s OpPanic OpPanic
  |sim nearretto: \forall s l, ins srelate s s (OpNearRetTo l) (OpNearRetTo l)
  |sim_nearrevertto: \forall s l, ins_srelate s s (OpNearRevertTo l) (OpNearRevertTo
  |sim nearpanicto: \forall s l, ins srelate s s (OpNearPanicTo l) (OpNearPanicTo l)
  |sim farret: `(
                    mf src ret params s0 s1 i1 i1' \rightarrow
                    ins srelate s0 s1 (OpFarRet i1) (OpFarRet i1')
```

```
|sim farrevert: `(
                      mf src ret params s0 s1 i1 i1' →
                      ins srelate s0 s1 (OpFarRevert i1) (OpFarRevert i1')
  |sim load:`( ∀ type,
         mf src heap ptr s0 s1 i1 i1' \rightarrow
         mf dest pv s1 s2 o1 o1' →
         ins_srelate s0 s2 (OpLoad i1 o1 type) (OpLoad i1' o1' type)
  |sim loadptr:`(
       mf src fat ptr s0 s1 i1 i1' →
       mf dest pv s1 s2 o1 o1' →
       ins srelate s0 s2 (OpLoadPointer i1 o1) (OpLoadPointer i1' o1')
  |sim loadinc:`( ∀ type,
         mf src heap ptr s0 s1 i1 i1' →
         mf dest pv s1 s2 o1 o1' →
         mf dest heap ptr s2 s3 o2 o2' →
         ins srelate s0 s3 (OpLoadInc i1 o1 type o2) (OpLoadInc i1' o1' type
02')
 |sim loadptrinc:`(
       mf src fat ptr s0 s1 i1 i1' →
       mf dest pv s1 s2 o1 o1' →
       mf dest fat ptr s2 s3 o2 o2' \rightarrow
       ins srelate s0 s3 (OpLoadPointerInc i1 o1 o2) (OpLoadPointerInc i1' o1'
02')
  |sim store:`( ∀ type,
         mf src heap ptr s0 s1 i1 i1' →
         mf src pv s1 s2 i2 i2' →
         mf dest pv s2 s3 o1 o1' →
         ins srelate s0 s3 (OpStore i1 i2 type) (OpStore i1' i2' type)
  |sim storeinc:`( ∀ type,
         mf src heap ptr s0 s1 i1 i1' →
         mf src pv s1 s2 i2 i2' →
         mf_dest_heap_ptr s2 s3 o1 o1' ->
         ins srelate s0 s3 (OpStoreInc i1 i2 type o1) (OpStoreInc i1' i2' type
01')
  |sim OpContextThis: `(
                           mf dest pv s0 s1 o1 o1' \rightarrow
                           ins srelate s0 s1 (OpContractThis o1) (OpContractThis
  |sim OpContractCaller: `(
                             mf dest pv s0 s1 o1 o1' →
                             ins srelate s0 s1 (OpContractCaller o1)
(OpContractCaller o1'))
  |sim OpContractCodeAddress: `(
                                  mf dest pv s0 s1 o1 o1' →
                                  ins srelate s0 s1 (OpContractCodeAddress o1)
(OpContractCodeAddress o1'))
  |sim OpContextMeta: `(
                           mf dest meta params s0 s1 o1 o1' \rightarrow
                           ins srelate s0 s1 (OpVMMeta o1) (OpVMMeta o1'))
  |sim OpVMErgsLeft: `(
```

```
mf dest pv s0 s1 o1 o1' →
                                ins srelate s0 s1 (OpVMErgsLeft o1) (OpVMErgsLeft
01'))
  |sim OpVMSp: `(
                         mf dest pv s0 s1 o1 o1' →
                         ins srelate s0 s1 (OpVMSP o1) (OpVMSP o1'))
  |sim OpVMGetVMU128: `(
                                      mf dest pv s0 s1 o1 o1' \rightarrow
                                      ins srelate s0 s1 (OpGetCapturedContext o1)
(OpGetCapturedContext o1'))
  |sim OpContextSetContextU128: `(
                                      mf src pv s0 s1 i1 i1' →
                                      ins srelate s0 s1 (OpSetContextReg i1)
(OpSetContextReg i1'))
  |sim_OpContextIncrementTxNumber: `(
                                         mf dest pv s0 s1 o1 o1' \rightarrow
                                         ins srelate s0 s1 (OpIncrementTxNumber )
(OpIncrementTxNumber ))
  |sim OpSLoad: `(
                     mf src pv s0 s1 i1 i1' \rightarrow
                     mf dest pv s1 s2 o1 o1' \rightarrow
                     ins srelate s0 s2 (OpSLoad i1 o1) (OpSLoad i1' o1'))
  |sim OpSStore: `(
                      mf src pv s0 s1 i1 i1' →
                      mf src pv s1 s2 i2 i2' →
                      ins srelate s0 s2 (OpSStore i1 i2) (OpSStore i1' i2'))
  |sim OpToL1Message: `(∀ first,
                             mf src pv s0 s1 i1 i1' →
                             mf src pv s1 s2 i2 i2' →
                              ins srelate s0 s2 (OpToL1Message i1 i2 first)
(OpToL1Message i1' i2' first))
  |sim_OpEvent: `(∀ first,
                       mf src pv s0 s1 i1 i1' →
                       mf src pv s1 s2 i2 i2' →
                       ins srelate s0 s2 (OpEvent i1 i2 first) (OpEvent i1' i2'
first))
  |sim OpPrecompileCall: `(
                               mf\_src\_precompile\_params s0 s1 i1 i1' \rightarrow
                              mf src pv s1 s2 i2 i2' →
                               mf dest pv s2 s3 o1 o1' \rightarrow
                               ins srelate s0 s3 (OpPrecompileCall i1 i2 o1)
(OpPrecompileCall i1' i2' o1'))
  |sim OpDecommit: `(
                               mf src pv s0 s1 i1 i1' →
                               mf src pv s1 s2 i2 i2' →
                               mf dest pv s2 s3 o1 o1' \rightarrow
                               ins srelate s0 s3 (OpDecommit i1 i2 o1)
(OpDecommit i1' i2' o1'))
  |sim OpTransientLoad: `(
                     mf src pv s0 s1 i1 i1' \rightarrow
                     mf dest pv s1 s2 o1 o1' \rightarrow
                     ins srelate s0 s2 (OpTransientLoad i1 o1) (OpTransientLoad
i1' o1'))
  |sim OpTransientStore: `(
                      mf_src_pv s0 s1 i1 i1' →
                      mf src pv s1 s2 i2 i2' →
                      ins srelate s0 s2 (OpTransientStore i1 i2)
```

```
(OpTransientStore i1' i2'))
  |sim static store: `(
        mf_src_heap_ptr s0 s1 i1 i1' →
        mf src pv s1 s2 i2 i2' →
         mf dest pv s2 s3 o1 o1' →
         ins srelate s0 s3 (OpStaticWrite i1 i2 ) (OpStaticWrite i1' i2')
  |sim static store inc:`(
        mf src heap ptr s0 s1 i1 i1' →
         mf src pv s1 s2 i2 i2' →
        mf dest heap ptr s2 s3 o1 o1' \rightarrow
         ins srelate s0 s3 (OpStaticWriteInc i1 i2 o1) (OpStaticWriteInc i1'
i2' o1')
  |sim static load:`(
        mf src heap_ptr s0 s1 i1 i1' →
         mf dest pv s1 s2 o1 o1' →
         ins srelate s0 s2 (OpStaticRead i1 o1) (OpStaticRead i1' o1')
  |sim static load inc:`(
         mf src heap ptr s0 s1 i1 i1' →
         mf dest pv s1 s2 o1 o1' →
         mf dest heap ptr s2 s3 o2 o2' →
         ins srelate s0 s3 (OpStaticReadInc i1 o1 o2) (OpStaticReadInc i1' o1'
02')
 Generalizable No Variables.
End InstructionMapper.
```

## Library EraVM.isa.GeneratedMachISA

```
(* GENERATED FILE, DO NOT EDIT MANUALLY. *)
From RecordUpdate Require Import RecordSet.
Require isa.Modifiers isa.Assembly Predication.
Import Types Modifiers Predication.

Inductive src_mode :=
| SrcReg
| SrcSpRelativePop
| SrcSpRelative
| SrcStackAbsolute
| SrcImm
| SrcCodeAddr
.

Inductive src_special_mode := | SrcSpecialReg | SrcSpecialImm.

Inductive dst_mode :=
```

```
DstReg
| DstSpRelativePush
| DstSpRelative
| DstStackAbsolute
Inductive mod context: Set :=
 | This
 | Caller
 | CodeAddress
 | Meta
 | ErgsLeft
 | Sp
 | GetContextU128
 | SetContextU128
 | PubdataSpent
 | IncrementTx
Inductive mach opcode : Type :=
| OpLoadPtr (inc: bool)
| OpJump (src0 mode: src mode)
| OpMimicCall (is shard: bool) (is static: bool)
OpVMMeta
| OpDiv (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
(set flags: mod set flags)
| OpSLoad
| OpAnd (src0 mode: src mode) (dst0 mode: dst mode) (set flags: mod set flags)
| OpContractThis
| OpInvalid
| OpSub (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
(set flags: mod set flags)
| OpNoOp (src0 mode: src mode) (dst0 mode: dst mode)
| OpIncrementTxNumber
| OpRol (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
(set flags: mod set flags)
| OpMul (src0 mode: src mode) (dst0 mode: dst mode) (set flags: mod set flags)
| OpSetContextReg
| OpDelegateCall (is shard: bool) (is static: bool)
| OpRet (to label: bool)
| OpEvent (is first: bool)
| OpPrecompileCall
| OpStoreHeap (src0 mode: src special mode) (inc: bool)
| OpShr (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
(set flags: mod set flags)
| OpPanic (to label: bool)
| OpContractCodeAddress
Opsstore
| OpPtrSub (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
| OpToL1Message (is first: bool)
| OpAuxMutating
| OpPtrAdd (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
| OpNearCall
| OpLoadHeap (src0 mode: src special mode) (inc: bool)
| OpStoreAuxHeap (src0 mode: src special mode) (inc: bool)
| OpXor (src0 mode: src mode) (dst0 mode: dst mode) (set flags: mod set flags)
| OpStaticRead (src0 mode: src special mode) (inc: bool)
| OpFarCall (is shard: bool) (is static: bool)
```

```
| OpGetCapturedContext
| OpOr (src0 mode: src mode) (dst0 mode: dst mode) (set flags: mod set flags)
OpPtrPack (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
| OpVMErgsLeft
| OpVMSp
| OpLoadAuxHeap (src0 mode: src special mode) (inc: bool)
| OpTransientStore
OpDecommit
| OpPtrShrink (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
| OpRevert (to label: bool)
| OpStaticWrite (src0 mode: src special mode) (inc: bool)
| OpTransientLoad
| OpShl (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
(set flags: mod set flags)
| OpRor (src0 mode: src mode) (dst0 mode: dst mode) (swap: mod swap)
(set flags: mod set flags)
| OpContractCaller
| OpAdd (src0 mode: src mode) (dst0 mode: dst mode) (set flags: mod set flags)
```

The definition mach\_instruction showcases the layout of instruction fields. This layout is applied against the instruction's binary representation.

```
Section MachInstructionDefinition.
  Context {reg_type imm_type: Type}.
  Record mach_instruction :=
    mk_ins {
        op_code: mach_opcode;
        op_predicate: predicate;
        op_src0: reg_type;
        op_src1: reg_type;
        op_dst0: reg_type;
        op_inm0: imm_type;
        op_imm0: imm_type;
        }.
    #[export] Instance etaIns : Settable _ := settable! mk_ins < op_code;
    op_predicate; op_src0; op_src1; op_dst0; op_dst1; op_imm0; op_imm1>.
    End MachInstructionDefinition.
```

# Library EraVM.isa.AssemblyToCore

```
Require Addressing Assembly isa.Modifiers CoreSet.

Import Addressing.Coercions.

Section AssemblyToCore.

Syntactically translate asm_instruction to a core instruction, preceding execution:
```

- 1. apply mod swap modifier to instructions where applicable;
- 2. remove the restrictions on operand types e.g. in assembly OpAdd may accept the first argument in memory and the second argument only in register, but in core set both arguments can be fetched from either memory or registers. This simplifies attributing semantic to instructions.

```
Definition to core (input: Assembly.asm instruction) : @instruction decoded
 match input with
  | Assembly.OpInvalid ⇒ OpInvalid
  | Assembly.OpNoOp ⇒ OpNoOp
  | Assembly.OpSpAdd in1 (Imm ofs) \Rightarrow @OpSpAdd decoded in1 ofs
  | Assembly.OpSpSub in1 (Imm ofs) \Rightarrow @OpSpSub decoded in1 ofs
  | Assembly.OpJump dest ret addr ⇒ @OpJump decoded dest ret addr
  | Assembly.OpAnd in1 in2 out1 flags ⇒
      @OpAnd decoded in1 in2 out1 flags
  | Assembly.OpOr in1 in2 out1 flags ⇒
      @OpOr decoded in1 in2 out1 flags
  | Assembly.OpXor in1 in2 out1 flags ⇒
      @OpXor decoded in1 in2 out1 flags
  | Assembly.OpAdd in1 in2 out1 flags ⇒
      @OpAdd decoded in1 in2 out1 flags
  | Assembly.OpSub in1 in2 out1 swap flags ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpSub decoded in1' in2' out1 flags
  | Assembly.OpShl in1 in2 out1 swap flags ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpShl decoded in1' in2' out1 flags
  | Assembly.OpShr in1 in2 out1 swap flags ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpShr decoded in1' in2' out1 flags
  | Assembly.OpRol in1 in2 out1 swap flags ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpRol decoded in1' in2' out1 flags
  | Assembly.OpRor in1 in2 out1 swap flags ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpRor decoded in1' in2' out1 flags
  | Assembly.OpMul in1 in2 out1 out2 flags ⇒
      @OpMul decoded in1 in2 out1 out2 flags
  | Assembly.OpDiv in1 in2 out1 out2 swap flags ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpDiv decoded in1' in2' out1 out2 flags
  | Assembly.OpPtrAdd in1 in2 out swap ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpPtrAdd decoded in1' in2' out
  | Assembly.OpPtrSub in1 in2 out swap ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpPtrSub decoded in1' in2' out
  | Assembly.OpPtrShrink in1 in2 out swap ⇒
      let (in1', in2') := apply swap swap in1 in2 in
      @OpPtrShrink decoded in1' in2' out
  | Assembly.OpPtrPack in1 in2 out swap ⇒
      let (in1', in2') := apply swap swap in1 in2 in
```

```
@OpPtrPack decoded in1' in2' out
    | Assembly.OpStore ptr val mem ⇒
        @OpStore decoded ptr val mem
    | Assembly.OpNearCall in1 (Imm dest) (Imm handler) → @OpNearCall decoded
in1 dest handler
    | Assembly.OpFarCall enc dest (Imm handler) is static is shard provided ⇒
        @OpFarCall decoded enc dest handler is static is shard provided
    | Assembly.OpMimicCall enc dest (Imm handler) is static is shard provided ⇒
        @OpMimicCall decoded enc dest handler is static is shard provided
    | Assembly.OpDelegateCall enc dest (Imm handler) is static
is shard provided ⇒
        @OpDelegateCall decoded enc dest handler is static is shard provided
    | Assembly.OpNearRet ⇒ OpNearRet
    | Assembly.OpNearRetTo (Imm dest) ⇒ OpNearRetTo dest
    | Assembly.OpFarRet args ⇒ @OpFarRet decoded args
   | Assembly.OpNearRevert ⇒ @OpNearRevert decoded
   | Assembly.OpNearRevertTo (Imm dest) → @OpNearRevertTo decoded dest
   | Assembly.OpFarRevert args \Rightarrow @OpFarRevert decoded args
    | Assembly.OpNearPanicTo (Imm label) → @OpNearPanicTo decoded label
    | Assembly.OpPanic → @OpPanic decoded
    | Assembly.OpLoad ptr res mem → @OpLoad decoded ptr res mem
    | Assembly.OpLoadInc ptr res mem inc ptr \Rightarrow @OpLoadInc decoded ptr res mem
inc ptr
    | Assembly.OpStoreInc ptr val mem inc ptr → @OpStoreInc decoded ptr val mem
inc ptr
    | Assembly.OpLoadPointer ptr res ⇒ @OpLoadPointer decoded ptr res
    | Assembly.OpLoadPointerInc ptr res inc ptr ⇒ @OpLoadPointerInc decoded ptr
res inc ptr
    | Assembly.OpContractThis out → @OpContractThis decoded out
    | Assembly.OpContractCaller out → @OpContractCaller decoded out
    | Assembly.OpContractCodeAddress out → @OpContractCodeAddress decoded out
   | Assembly.OpVMMeta out ⇒ @OpVMMeta decoded out
   | Assembly.OpVMErgsLeft out ⇒ @OpVMErgsLeft decoded out
   | Assembly.OpVMSP out ⇒ @OpVMSP decoded out
    | Assembly.OpGetCapturedContext out → @OpGetCapturedContext decoded out
   | Assembly.OpSetContextReg in1 → @OpSetContextReg decoded in1
    | Assembly.OpIncrementTxNumber ⇒ @OpIncrementTxNumber decoded
    | Assembly.OpSLoad in1 out ⇒ @OpSLoad decoded in1 out
    | Assembly.OpSStore in1 in2 ⇒
        @Opsstore decoded in1 in2
    | Assembly.OpToL1Message in1 in2 is first ⇒
        @OpToL1Message decoded in1 in2 is first
    | Assembly.OpEvent in1 in2 is first ⇒
        @OpEvent decoded in1 in2 is first
    | Assembly.OpPrecompileCall in1 in2 out ⇒
        @OpPrecompileCall decoded in1 in2 out
  (* TODO: the following is not implemented yet *)
    | Assembly.OpAuxMutating in1 → @OpAuxMutating decoded in1
    | Assembly.OpTransientStore in1 in2 → @OpTransientStore decoded in1 in2
    | Assembly.OpTransientLoad in1 out1 → @OpTransientLoad decoded in1 out1
    | Assembly.OpDecommit in1 in2 out1 ⇒ @OpDecommit decoded in1 in2 out1
    | Assembly.OpStaticWrite in1 in2 → @OpStaticWrite decoded in1 in2
    | Assembly.OpStaticWriteInc in1 in2 out1 → @OpStaticWriteInc decoded in1
in2 out1
    | Assembly.OpStaticRead in1 out1 → @OpStaticRead decoded in1 out1
```

```
| Assembly.OpStaticReadInc in1 out1 out2 → @OpStaticReadInc decoded in1
out1 out2
    end.

End AssemblyToCore.

Module Coercions.
    Coercion to_core: Assembly.asm_instruction >-> CoreSet.instruction.
End Coercions.
```

# Library EraVM.isa.AssemblyToMach

```
From RecordUpdate Require Import RecordSet.
Require GeneratedMachISA.
Require Addressing isa.Modifiers isa.Assembly Predication.
Import ssreflect.
Import RecordSetNotations.
Import Assembly Addressing Common GeneratedMachISA Modifiers TransientMemory Pointer Predication.
Import Addressing.Coercions.
```

# Encoding of asm\_instruction to the universal instruction layout

In the lowest level, all instructions are encoded to a uniform 64-bit format; its fields are described by mach\_instruction.

This file details the encoding of asm instruction to mach instruction.

```
Definition dst_mode_of (op:out_any) :=
   match op with
   | OutReg x \Rightarrow DstReg
   | OutStack (StackOutOnly (RelSpPush _ _ _)) \Rightarrow DstSpRelativePush
   | OutStack (StackOutAny (Absolute _ _)) \Rightarrow DstSpRelative
   | OutStack (StackOutAny (RelSP _ _)) \Rightarrow DstSpRelative
   end
.
#[local]
   Coercion src_mode_of: in_any >-> src_mode.
#[local]
   Coercion src_special_mode_of: in_regimm >-> src_special_mode.
#[local]
   Coercion dst_mode_of: out_any >-> dst_mode.
```

The Opcode field includes information such as modifiers and addressing modes.

```
Definition opcode of (ins: asm instruction) : mach opcode :=
 let no label := false in
 let with label := true in
 let no inc := false in
 let inc := true in
 match ins with
 | Assembly.OpInvalid ⇒ OpInvalid
 | Assembly.OpNoOp ⇒ OpNoOp SrcReg DstReg
 | Assembly.OpSpAdd \_ \rightarrow OpNoOp SrcReg DstSpRelativePush
 | Assembly.OpSpSub _{\_} \Rightarrow OpNoOp SrcSpRelativePop DstReg
                                   (* FIXME *)
 | Assembly.OpJump dest ret addr ⇒ OpJump dest
 \mid Assembly.OpAnd src0 _ out sflags \Rightarrow OpAnd src0 out sflags
 \mid Assembly.OpOr src0 _ out sflags \Rightarrow OpOr src0 out sflags
 | Assembly.OpXor src0 out sflags ⇒ OpXor src0 out sflags
 \mid Assembly.OpAdd src0 _ out sflags \Rightarrow OpAdd src0 out sflags
 | Assembly.OpSub src0 src1 dst swap sflags → OpSub src0 dst swap sflags
 | Assembly.OpShl src0 src1 dst swap sflags → OpShl src0 dst swap sflags
 | Assembly.OpShr src0 src1 dst swap sflags → OpShr src0 dst swap sflags
 | Assembly.OpRol src0 src1 dst swap sflags → OpRol src0 dst swap sflags
 | Assembly.OpRor src0 src1 dst swap sflags → OpRor src0 dst swap sflags
 | Assembly.OpMul src0 dst0 sflags \Rightarrow OpMul src0 dst0 sflags
 \mid Assembly.OpDiv src0 _ dst0 _ swap sflags \Rightarrow OpDiv src0 dst0 swap sflags
 | Assembly.OpNearCall _ _ → OpNearCall
  | Assembly.OpFarCall enc dest handler is static is_shard_provided ⇒ OpFarCall
is static is shard provided
  | Assembly.OpMimicCall _ _ is_static is_shard_provided → OpMimicCall
is static is shard provided
                             _ _ is_static is_shard_provided ⇒ OpDelegateCall
  | Assembly.OpDelegateCall
is static is shard provided
 | Assembly.OpNearRet ⇒ OpRet no label
 | Assembly.OpNearRetTo ⇒ OpRet with label
 | Assembly.OpFarRet _ ⇒ OpRet with_label
 | Assembly.OpNearRevert ⇒ OpRevert no label
 | Assembly.OpNearRevertTo ⇒ OpRevert with label
 | Assembly.OpFarRevert ⇒ OpRevert no label
```

```
| Assembly.OpNearPanicTo ⇒ OpPanic with label
 | Assembly.OpPanic ⇒ OpPanic no label
 | Assembly.OpPtrSub src0 \_ dst0 swap \Rightarrow OpPtrSub src0 dst0 swap
 | Assembly.OpPtrShrink src0 | dst0 swap ⇒ OpPtrShrink src0 dst0 swap
 | Assembly.OpLoad src0 dst0 Heap ⇒ OpLoadHeap src0 no inc
 | Assembly.OpLoad src0 dst0 AuxHeap → OpLoadAuxHeap src0 no inc
 \mid Assembly.OpLoadInc src0 dst0 Heap \Rightarrow OpLoadHeap src0 inc
 | Assembly.OpLoadInc src0 dst0 AuxHeap → OpLoadAuxHeap src0 inc
 | Assembly.OpStore src0 | Heap \Rightarrow OpStoreHeap src0 no inc
 | Assembly.OpStoreInc src0 | Heap \Rightarrow OpStoreHeap src0 inc
 | Assembly.OpStoreInc src0 \_ AuxHeap \_ \Rightarrow OpStoreAuxHeap src0 inc
 | Assembly.OpLoadPointer \_ \_ \Rightarrow OpLoadPtr no_inc
 | Assembly.OpLoadPointerInc _ _ _ ⇒ OpLoadPtr inc
 | Assembly.OpContractThis ⇒ OpContractThis
 | Assembly.OpContractCaller ⇒ OpContractCaller
 | Assembly.OpContractCodeAddress ⇒ OpContractCodeAddress
 | Assembly.OpVMMeta ⇒ OpVMMeta
 | Assembly.OpVMErgsLeft ⇒ OpVMErgsLeft
 | Assembly.OpVMSP ⇒ OpVMSp
 | Assembly.OpGetCapturedContext ⇒ OpGetCapturedContext
 | Assembly.OpSetContextReg ⇒ OpSetContextReg
  (*| Assembly.OpContextSetErgsPerPubdataByte => OpSetErgsPerPubdataByte*)
 | Assembly.OpIncrementTxNumber ⇒ OpIncrementTxNumber
 | Assembly.OpSLoad _ _ ⇒ OpSLoad
 | Assembly.OpSStore \_ \_ \Rightarrow OpSStore
 | Assembly.OpPrecompileCall _ _ _ ⇒ OpPrecompileCall
 | Assembly.OpEvent _ is_first ⇒ OpEvent is_first
 | Assembly.OpToL1Message \_ \_ is\_first \Rightarrow OpToL1Message is\_first
 | Assembly.OpTransientStore _ _ ⇒ OpTransientStore
 | Assembly.OpTransientLoad _ _ ⇒ OpTransientLoad | Assembly.OpStaticWrite src0 _ ⇒ OpStaticWrite src0 no_inc
 \mid Assembly.OpStaticWriteInc src0 \_ \rightarrow OpStaticWrite src0 inc
 | Assembly.OpStaticRead src0 → OpStaticRead src0 no inc
 \mid Assembly.OpStaticReadInc src0 \_ \Rightarrow OpStaticRead src0 inc
 | Assembly.OpDecommit _ _ ⇒ OpDecommit
 end.
Definition set src0 (src0: in any) : mach instruction → mach instruction :=
 fun ins \Rightarrow
   match src0 with
   | InReq (Req name) \Rightarrow ins <| op src0 := Some name |>
   | InImm (Imm val) \Rightarrow ins < | op imm0 := Some val | >
   | InStack (StackInOnly (RelSpPop reg ofs))
   | InStack (StackInAny (Absolute reg ofs) )
   | InStack (StackInAny (RelSP reg ofs) )
   | InCode (CodeAddr reg ofs)
   | InConst (ConstAddr reg ofs) ⇒ ins <| op src0 := Some reg |> <| op imm0 :=
Some ofs |>
   end
#[local]
```

```
Definition set src0 special (src0: in regimm) : mach instruction →
mach instruction :=
  fun ins \Rightarrow
    match src0 with
    | RegImmR (Reg name) \Rightarrow ins <| op src0 := Some name |>
    | RegImmI (Imm val) \Rightarrow ins < | op_imm0 := Some val | >
    end
#[local]
Definition set dst0 (dst0: out any) : mach instruction → mach instruction :=
  fun ins \Rightarrow
    match dst0 with
    | OutReg (Reg name) \Rightarrow ins <| op dst0 := Some name |>
    | OutStack (StackOutOnly (RelSpPush reg ofs))
    | OutStack (StackOutAny (Absolute reg ofs) )
    | OutStack (StackOutAny (RelSP reg ofs) ) ⇒
        ins <| op dst0 := Some reg |> <| op imm1 := Some ofs|>
    end
```

Section AsmToMachConversion.

Import ssrfun.

The encoding of asm instruction to mach instruction happens in two stages:

- 1. Put the information in the fields of mach\_instruction but keep ignored fields uninitialized (equal to None).
- 2. Flatten mach\_instruction, erasing difference between meaningful and ignored fields. Fields that were equal to None are assigned default values: zero for immediates, R0 for registers.

```
Definition asm_to_mach_opt (ins: predicated asm_instruction) : option
(@mach instruction (option GPR.reg name) (option u16) ):=
    match ins with
    | Ins ins pred ⇒
        let mk src0 src1 dst0 dst1 imm0 imm1 := mk ins (opcode of ins) pred
src0 src1 dst0 dst1 imm0 imm1 in
        let template : mach instruction := mk None None None None None in
        match ins with
        | Assembly.OpInvalid
        | Assembly.OpNoOp
        | Assembly.OpPanic
        | Assembly.OpIncrementTxNumber \Rightarrow Some template
        | Assembly.OpSetContextReg (Reg src0)
          \Rightarrow Some (template <| op src0 := Some src0 |> )
        | Assembly.OpSpAdd (Reg reg) (Imm ofs) \Rightarrow Some (template <| op dst0 :=
Some reg |> <| op imm1 := Some ofs |> )
        | Assembly.OpSpSub (Reg reg) (Imm ofs) \Rightarrow Some (template <| op src0 :=
Some reg |> <| op imm0 := Some ofs |> )
        | Assembly.OpJump dest ret addr \Rightarrow Some (set src0 dest (set dst0
ret addr template))
        | Assembly.OpAdd src0 (Reg src1) dst0
```

```
| Assembly.OpOr src0 (Reg src1) dst0
        | Assembly.OpXor src0 (Reg src1) dst0
        | Assembly.OpAnd src0 (Reg src1) dst0
        | Assembly.OpSub src0 (Reg src1) dst0 _ _
        \mid Assembly.OpShl src0 (Reg src1) dst0 \_ \_
        | Assembly.OpShr src0 (Reg src1) dst0 \_ \_
        | Assembly.OpRol src0 (Reg src1) dst0
        | Assembly.OpRor src0 (Reg src1) dst0
        | Assembly.OpPtrAdd src0 (Reg src1) dst0
        | Assembly.OpPtrSub src0 (Reg src1) dst0
        | Assembly.OpPtrShrink src0 (Reg src1) dst0
        | Assembly.OpPtrPack src0 (Reg src1) dst0
          ⇒ Some (set src0 src0 (set dst0 dst0 (template <| op src1 := Some
src1 |>)))
        | Assembly.OpMul src0 (Reg src1) dst0 (Reg dst1) _
        | Assembly.OpDiv src0 (Reg src1) dst0 (Reg dst1)
          ⇒ Some (set src0 src0 (set dst0 dst0 (template <| op src1 := Some
src1 |> <| op dst1 := Some dst1 |>)))
        | Assembly.OpNearCall (Reg arg) (Imm dest) (Imm handler) \Rightarrow
            Some ({|
                  op code := opcode of ins;
                  op predicate := pred;
                  op src0 := Some arg;
                  op src1 := None;
                  op dst0 := None;
                  op dst1 := None;
                  op imm0 := Some dest;
                  op imm1 := Some handler;
                | } )
        | Assembly.OpNearRet
        | Assembly.OpNearRevert ⇒ Some template
        | Assembly.OpNearRetTo (Imm dest)
        | Assembly.OpNearPanicTo (Imm dest)
        | Assembly.OpNearRevertTo (Imm dest) ⇒ Some (template <| op imm0 :=
Some dest |>)
        | Assembly.OpFarRet (Reg args)
        | Assembly.OpFarRevert (Reg args) ⇒ Some (template <| op_src0 := Some
args |>)
        | Assembly.OpSStore (Reg src0) (Reg src1)
        | Assembly.OpEvent (Reg src0) (Reg src1)
         | Assembly.OpTransientStore (Reg src0) (Reg src1)
        | Assembly.OpToL1Message (Reg src0) (Reg src1) \Rightarrow
            Some (template < | op src0 := Some src0 |> < | op src1 := Some src1
|>)
        | Assembly.OpSLoad (Reg src0) (Reg dst0)
        | Assembly.OpTransientLoad (Reg src0) (Reg dst0) ⇒
            Some (template < op src0 := Some src0 |> < op dst0:= Some dst0|>)
        | Assembly.OpContractThis (Reg dst0)
        | Assembly.OpContractCaller (Reg dst0)
        | Assembly.OpContractCodeAddress (Reg dst0)
        | Assembly.OpVMMeta (Reg dst0)
        | Assembly.OpVMErgsLeft (Reg dst0)
        | Assembly.OpVMSP (Reg dst0)
        | Assembly.OpGetCapturedContext (Reg dst0) ⇒
```

```
Some (template < | op dst0:= Some dst0|>)
        | Assembly.OpPrecompileCall (Reg src0) (Reg src1) (Reg dst0) ⇒
            Some (template <| op dst0:= Some dst0|>)
        | Assembly.OpFarCall (Reg params) (Reg dest) (Imm handler) \_\_
        | Assembly.OpMimicCall (Reg params) (Reg dest) (Imm handler)
        | Assembly.OpDelegateCall (Reg params) (Reg dest) (Imm handler) \_ \Rightarrow
            Some (template
                    <| op src0 := Some params |>
                                    <| op src1 := Some dest |>
                                                     <| op imm0 := Some handler</pre>
|> )
        | Assembly.OpLoad ptr (Reg res) _
        | Assembly.OpStaticRead ptr (Reg res) ⇒
            Some (set src0 special ptr (template <| op dst0 := Some res|> ))
        | Assembly.OpStore ptr (Reg val)
        | Assembly.OpStaticWrite ptr (Reg val) ⇒
            Some (set src0 special ptr (template <| op src1 := Some val|> ))
        | Assembly.OpLoadPointer (Reg name) (Reg res) ⇒
            Some (template < | op src0 := Some name |> < | op dst0 := Some res|>
)
        | Assembly.OpLoadInc ptr (Reg res) (Reg inc ptr) \Rightarrow
            Some (set src0 special ptr template <| op dst0 := Some res|> <|
op dst1 := Some inc ptr |> )
        | Assembly.OpStaticReadInc ptr (Reg res) (Reg inc ptr) ⇒
            Some (set src0 special ptr (template <| op dst0 := Some res|> <|
op dst1 := Some inc ptr |>))
        | Assembly.OpStoreInc ptr (Reg val) _ (Reg inc_ptr)
        | Assembly.OpStaticWriteInc ptr (Reg val) (Reg inc ptr) ⇒
            Some (set src0 special ptr (template <| op src1 := Some val |> <|
op dst1 := Some inc ptr |>))
        | Assembly.OpLoadPointerInc (Reg ptr) (Reg res) (Reg inc ptr) ⇒
            Some (template < | op_src0 := Some ptr |> < | op_dst0 := Some res|>
<| op dst1 := Some inc ptr |>)
        | Assembly.OpDecommit (Reg src0) (Reg src1) (Reg dst0) ⇒
            Some (template <| op src0 := Some src0 |> <| op src1 := Some src1
|> <| op dst1 := Some dst0 |>)
        | Assembly.OpAuxMutating (Reg ptr) ⇒
            Some (template <| op src0 := Some ptr |> )
        end
   end.
 Definition mach flatten (i:@mach instruction (option GPR.reg name) (option
u16)) : @mach instruction GPR.reg name u16 :=
    let or r0 := Option.default GPR.R0 in
   let or_zero := Option.default zero16 in
   match i with
    | mk_ins op_code op_predicate op_src0 op_src1 op_dst0 op_dst1 op_imm0
op_imm1 \Rightarrow
       mk ins op code op predicate
          (or_r0 op_src0)
          (or r0 op src1)
```

```
(or_r0 op_dst0)
          (or_r0 op_dst1)
          (or_zero op_imm0)
          (or_zero op_imm1)
    end.

Definition asm_to_mach (asm_ins: predicated asm_instruction) : option
mach_instruction :=
    option_map mach_flatten (asm_to_mach_opt asm_ins).

End AsmToMachConversion.
```

# Library EraVM.Ergs

```
Require Common isa. Assembly TransientMemory.
Import Common Assembly TransientMemory ZArith.

Section Ergs.
Open Scope Z scope.
```

## **Ergs**

**Ergs** is the resource spent on executing actions in EraVM.

The most common action consuming ergs is executing an instruction. Instructions have a fixed base\_cost, failure to pay this cost results in panic.

In EraVM, the instructions are predicated. If an instruction is not executed because of mismatch between their predicate ins\_cond with the current gs\_flags, its base cost is still paid. Therefore, it is cheaper to jump over expensive instructions like OpFarCall than to predicate them so that they are not executed.

Additionally, actions like decommitting code for execution, accessing contract storage, or growing memory bounds, also cost ergs.

Internally, ergs are 32-bit unsigned numbers.

```
Definition ergs_bits := 32%nat.

Definition ergs := BITS ergs_bits.

Definition ergs of : Z \rightarrow ergs := fromZ.
```

#### Ergs and callstack

Every frame in callstack, whether external or internal, keeps its associated ergs in the field cf\_ergs\_remaining. Spending ergs decreases this value cf\_ergs\_remaining.

#### Calls

Calling functions/contracts requires passing ergs to the new calling frame, so that the callee's code would be able to operate and spend ergs (see e.g. step nearcall).

For far calls, it is not possible to pass more than max\_passable ergs (currently 63/64 of ergs available in current frame). For near calls, passing 0 ergs leads to passing all ergs in the current frame.

#### Returns

If a function returns without panic, the remaining ergs are returned to its parent frame i.e. added to the parent frame's cf ergs remaining.

If a function panics, all its ergs are burned (see sem.Panic.step\_panic). Panic does not burn ergs of parent frames.

The following return instructions lead to returning remaining ergs to the caller:

- OpNearRet
- OpNearRetTo
- OpFarRet
- OpNearRevert
- OpNearRevertTo
- OpFarRevert
- OpNearPanicTo

#### Actions consuming ergs

Each instruction has a fixed based cost that gets deducted before executing it (see base cost).

Additionally, the following actions lead to spending ergs:

- 1. Decommitting contract code. Performing far call to a contract which was not called during the construction of the current block costs ergs per each word of contract code. See Decommitter, FarCall.
- 2. TODO Accessing storage
- 3. Memory growth. Data pages holding heap variants are bounded, and only accesses to addresses within these bounds are free. Reading or writing to these pages outside bounds forces the **memory growth** with bound adjustment. The number of bytes by which the bounded area has grown has to be paid; see grow\_and\_pay.
- 4. Passing messages to L1 by OpToL1Message.

#### Burning ergs

Burning ergs refers to a situation of panic, when the topmost callstack frame is destroyed with its
allocated ergs. The general rule is: if some invariant of execution breaks, VM panics, burning all ergs in
the current frame. This is a fail-fast behavior in case of irrecoverable errors. Some examples are:

- · using an integer value where pointer value is expected
- executing kernel-only instruction in user mode
- call stack overflow

Some situations that provoke panic are:

- having not enough ergs to pay, e.g. for memory growth;
- attempting to execute an instruction with an invalid encoding;
- attempting to execute kernel-only instruction in user mode.

See section Panics for the full description.

#### **Parameters**

The following definitions are used to derive the costs of instructions and other actions.

```
Definition VM CYCLE COST IN ERGS: Z := 4.
Definition RAM PERMUTATION COST IN ERGS: Z := 1.
Definition CODE DECOMMITMENT COST PER WORD IN ERGS: Z := 4.
Definition STORAGE APPLICATION COST IN ERGS: Z := 678.
Definition CODE DECOMMITTER SORTER COST IN ERGS: Z := 1.
Definition LOG DEMUXER COST IN ERGS: Z := 1.
Definition STORAGE SORTER COST IN ERGS: Z := 2.
Definition EVENTS OR L1 MESSAGES SORTER COST IN ERGS: Z := 1.
Definition INITIAL WRITES PUBDATA HASHER COST IN ERGS: Z := 18.
Definition REPEATED WRITES PUBDATA HASHER COST IN ERGS: Z := 11.
Definition CODE DECOMMITMENT SORTER COST IN ERGS: Z := 1.
Definition L1 MESSAGE MIN COST IN ERGS: Z := 156250.
Definition INITIAL WRITES PUBDATA HASHER MIN COST IN ERGS: Z := 0.
Definition REPEATED WRITES PUBDATA HASHER MIN COST IN ERGS: Z := 0.
Definition STORAGE WRITE HASHER MIN COST IN ERGS: Z := 0.
Definition KECCAK256 CIRCUIT COST IN ERGS: Z := 40.
Definition SHA256 CIRCUIT COST IN ERGS: Z := 7.
Definition ECRECOVER CIRCUIT COST IN ERGS: Z := 1112.
Definition MAX TX ERGS LIMIT: Z := 80000000.
Definition VM INITIAL FRAME ERGS: Z := unsigned max 32.
Definition EVM SIMULATOR STIPEND: Z := 2^30.
```

```
Definition ERGS PER CIRCUIT: Z := 80000.
Definition INVALID OPCODE ERGS: Z := unsigned max 32.
Definition RICH ADDRESSING OPCODE ERGS: Z :=
   VM CYCLE COST IN ERGS + 2 × RAM PERMUTATION COST IN ERGS.
Definition AVERAGE OPCODE ERGS: Z := VM CYCLE COST IN ERGS +
RAM PERMUTATION COST IN ERGS.
Definition STORAGE READ IO PRICE: Z := 150.
Definition STORAGE WRITE IO PRICE: Z := 250.
Definition EVENT IO PRICE: Z := 25.
Definition L1 MESSAGE IO PRICE: Z := 100.
Definition CALL LIKE ERGS COST: Z := 20.
Definition ERGS PER CODE WORD DECOMMITTMENT: Z :=
CODE DECOMMITMENT COST PER WORD IN ERGS.
Definition VM MAX STACK DEPTH: Z := VM INITIAL FRAME ERGS / CALL LIKE ERGS COST
+ 80.
Definition INITIAL FRAME SUCCESSFUL EXIT PC: Z := 0.
Definition INITIAL FRAME FORMAL EH LOCATION: Z := unsigned max 16.
Definition SYSTEM CONTRACTS OFFSET ADDRESS: Z := 2 ^ 15.
Definition KECCAK256 ROUND FUNCTION PRECOMPILE ADDRESS: Z :=
SYSTEM CONTRACTS OFFSET ADDRESS + 0x10.
Definition SHA256 ROUND FUNCTION PRECOMPILE ADDRESS: Z := 0x02.
Definition ECRECOVER INNER FUNCTION PRECOMPILE ADDRESS: Z := 0x01.
Definition SECP256R1_VERIFY_PRECOMPILE_ADDRESS: Z := 0x100.
Definition MAX PUBDATA COST PER QUERY: Z := 65.
Definition INITIAL STORAGE WRITE PUBDATA BYTES: Z := 64.
Definition REPEATED STORAGE WRITE PUBDATA BYTES: Z := 40.
Definition L1 MESSAGE PUBDATA BYTES: Z := 1 + 1 + 2 + 20 + 32 + 32.
Definition MAX PUBDATA PER BLOCK: Z := 110000.
Definition STORAGE AUX BYTE: u8 := fromZ 0.
Definition EVENT AUX BYTE: u8 := fromZ 1.
Definition L1 MESSAGE AUX BYTE: u8 := fromZ 2.
Definition PRECOMPILE AUX BYTE: u8 := fromZ 3.
Definition TRANSIENT STORAGE AUX BYTE: u8 := fromZ 4.
Definition BOOTLOADER FORMAL ADDRESS LOW: Z := SYSTEM CONTRACTS OFFSET ADDRESS
+ 0 \times 01.
Definition DEPLOYER SYSTEM CONTRACT ADDRESS LOW: Z :=
SYSTEM CONTRACTS OFFSET ADDRESS + 0x02.
Definition ADDRESS UNRESTRICTED SPACE: u64 := fromZ (2^16).
Definition ADDRESS ECRECOVER: u16 := fromZ 0x0001.
Definition ADDRESS SHA256: u16 := fromZ 0x0002.
Definition ADDRESS RIPEMD160: u16 := fromZ 0x0003.
Definition ADDRESS IDENTITY: u16 := fromZ 0x0004.
```

```
Definition ADDRESS BOOTLOADER: u16 := fromZ 0x8001.
Definition ADDRESS ACCOUNT CODE STORAGE: u16 := fromZ 0x8002.
Definition ADDRESS NONCE HOLDER: u16 := fromZ 0x8003.
Definition ADDRESS KNOWN CODES STORAGE: u16 := fromZ 0x8004.
Definition ADDRESS IMMUTABLE SIMULATOR: u16 := fromZ 0x8005.
Definition ADDRESS CONTRACT DEPLOYER: u16 := fromZ 0x8006.
Definition ADDRESS FORCE DEPLOYER: u16 := fromZ 0x8007.
Definition ADDRESS L1 MESSENGER: u16 := fromZ 0x8008.
Definition ADDRESS MSG VALUE: u16 := fromZ 0x8009.
Definition ADDRESS ETH TOKEN: u16 := fromZ 0x800A.
Definition ADDRESS SYSTEM CONTEXT: u16 := fromZ 0x800B.
Definition ADDRESS BOOTLOADER UTILITIES: u16 := fromZ 0x800C.
Definition ADDRESS EVENT WRITER: u16 := fromZ 0x800D.
Definition ADDRESS KECCAK256: u16 := fromZ 0x8010.
Definition BOOTLOADER MAX MEMORY: Z := unsigned max 32.
Definition NEW FRAME MEMORY STIPEND: Z := 2^12.
Definition NEW KERNEL FRAME MEMORY STIPEND: Z := 2^21.
Definition INTERNAL ERGS TO VISIBLE ERGS CONVERSION CONSTANT: Z := 1.
Definition MAX AUTOMATICALLY SUPPORTED MSG VALUE BYTECODE: Z := 100000.
Definition DECOMMITMENT MSG VALUE SIMULATOR OVERHEAD: Z :=
    ERGS PER CODE WORD DECOMMITTMENT ×
MAX AUTOMATICALLY SUPPORTED MSG VALUE BYTECODE / 32.
Definition MSG VALUE SIMULATOR ADDITIVE COST: Z :=
    14500 + DECOMMITMENT MSG VALUE SIMULATOR OVERHEAD.
Definition MIN STORAGE WRITE PRICE FOR REENTRANCY PROTECTION: Z := 2300 + 1.
Definition MIN STORAGE WRITE COST: Z := Z.max
MIN STORAGE WRITE PRICE FOR REENTRANCY PROTECTION
STORAGE WRITE HASHER MIN COST IN ERGS.
Definition STORAGE ACCESS COLD READ COST: Z := 2000.
Definition STORAGE ACCESS COLD WRITE COST: Z := Z.max MIN STORAGE WRITE COST
5500.
Definition MSG VALUE SIMULATOR MIN USED ERGS: Z := 8000 +
DECOMMITMENT MSG VALUE SIMULATOR OVERHEAD.
Definition growth cost (diff:mem address) : ergs := diff.
End Ergs.
Section Costs.
 Open Scope Z scope.
```

## Costs

Basic costs of all instructions. They are paid when the instruction starts executing; see Semantics.step.

Instructions may also impose additional costs e.g. far returns and far calls may grow heap; far calls also may induce code decommitment\_cost.

```
Definition base cost (ins:asm instruction) :=
   (match ins with
   | OpInvalid ⇒ INVALID OPCODE ERGS
    | OpJump _ _ → RICH_ADDRESSING_OPCODE_ERGS
   | OpAnd _ _ _ ⇒ RICH_ADDRESSING_OPCODE_ERGS
   | OpOr _ _ _ ⇒ RICH_ADDRESSING_OPCODE_ERGS
   | OpXor _ _ _ ⇒ RICH_ADDRESSING_OPCODE ERGS
   | OpShl _ _ _ ⇒ RICH_ADDRESSING_OPCODE_ERGS
   | OpShr | → RICH_ADDRESSING_OPCODE_ERGS
   | OpMul _ _ _ ⇒ RICH_ADDRESSING_OPCODE_ERGS
   | OpDiv _ _ _ ⇒ RICH_ADDRESSING_OPCODE_ERGS
   OpFarCall _
   | OpDelegateCall | OpMimicCall | ⇒ 2 × VM_CYCLE_COST_IN_ERGS
                        + RAM PERMUTATION COST IN ERGS
                        + STORAGE READ IO PRICE
                        + CALL LIKE ERGS COST
                        + STORAGE SORTER COST IN ERGS
                        + CODE DECOMMITMENT SORTER COST IN ERGS
    | OpNearRet | OpNearRetTo | OpNearRevert | OpNearRevertTo |
OpNearPanicTo
   | OpFarRet | OpFarRevert
   | OpPanic
     ⇒ AVERAGE OPCODE ERGS
   | OpPtrAdd _ _ _ _ _
   OpPtrSub _ _ _ _
   | OpPtrShrink _ _ _ 
| OpPtrPack _ _ _ ⇒ RICH_ADDRESSING_OPCODE_ERGS
     OpStore _ _ _
    | OpStoreInc _ _ _ _
    | OpStaticWrite
   | OpStaticWriteInc
     ⇒ 2 × VM CYCLE COST IN ERGS + 5 × RAM PERMUTATION_COST_IN_ERGS
```

```
| OpLoad _ _ _ _
            OpLoadInc _ _ _ _
            | OpLoadPointer _ _ _ |
| OpLoadPointerInc _ _ _ _
            | OpStaticRead _ _
            | OpStaticReadInc
                ⇒ VM CYCLE COST IN ERGS + 3 × RAM PERMUTATION COST IN ERGS
            | OpContractThis
            | OpContractCaller
            | OpContractCodeAddress
            | OpVMMeta
            | OpVMErgsLeft
            | OpVMSP
            | OpGetCapturedContext
            | OpSetContextReg
            | OpAuxMutating
            | OpIncrementTxNumber
                \Rightarrow AVERAGE OPCODE ERGS
            | OpSLoad _ _⇒ VM_CYCLE_COST IN ERGS
                                              + RAM PERMUTATION COST IN ERGS
                                                 + LOG DEMUXER COST IN ERGS
                                                + STORAGE SORTER COST IN ERGS
                                                + STORAGE ACCESS COLD READ COST
            + 2 × LOG DEMUXER COST IN ERGS
                                                + 2 × STORAGE SORTER COST IN ERGS
                                                 + STORAGE ACCESS COLD WRITE COST
            \label{eq:cost_in_error} \begin{tabular}{ll} & \begin{tabular}{l
                                                + RAM PERMUTATION COST IN ERGS
                                                + 2 × LOG DEMUXER COST IN ERGS
                                                + 2 × EVENTS OR L1 MESSAGES SORTER COST IN ERGS
            | OpEvent _ _ ⇒ EVENT_IO_PRICE 
+ VM_CYCLE_COST_IN_ERGS
                                                 + RAM PERMUTATION COST IN ERGS
                                                 + 2 × LOG DEMUXER COST IN ERGS
                                                 + 2 × EVENTS OR L1 MESSAGES SORTER COST IN ERGS
            \mid OpPrecompileCall \_ \_
            | OpDecommit ⇒
                     VM CYCLE COST IN ERGS + RAM PERMUTATION COST IN ERGS +
LOG DEMUXER COST IN ERGS
            | OpTransientLoad _ _ ⇒
                     VM CYCLE COST IN ERGS
                      + RAM PERMUTATION COST IN ERGS
                      + LOG_DEMUXER COST IN ERGS
                     + STORAGE_SORTER_COST_IN_ERGS
            | OpTransientStore ⇒
                      VM CYCLE COST IN ERGS
                      + RAM PERMUTATION COST IN ERGS
                      + 2 × LOG DEMUXER COST IN ERGS
                      + 2 × STORAGE SORTER COST IN ERGS
            end) %Z.
```

Implementation note: Coq allows partially evaluating base cost to get the absolute erg costs for each instruction: Compute base\_costs. Current costs are: | Invalid => 4294967295 | NearCall => 25 | FarCall | MimicCall | DelegateCall => 182 | NearRet | NearRetTo | FarRet | NearRevert | NearRevertTo | FarRevert | NearPanicTo | Panic | ContractThis | ContractCaller | ContractCodeAddress | VMMeta | VMErgsLeft | VMSp | GetCapturedContext | SetContextReg | IncrementTxNumber | AuxMutating => 5 | SLoad => 2008 | SStore => 5511 | Event => 34 | ToL1Message => 109 | TransientWrite => 11 | TransientRead => 8 | Load | LoadInc | LoadPointer | LoadPointerInc | StaticRead | StaticReadInc => 7 | Store | StoreInc | StaticWrite | StaticWriteInc => 13

End Costs.

| <otherwise> => 6

# Library EraVM.KernelMode

```
Require isa.CoreSet memory.Depot.

Import CoreSet TransientMemory memory.Depot.

Section KernelMode.
   Import ZArith Arith spec.
   Open Scope Z_scope.
   Open Scope ZMod_scope.

Context {descr: CoreSet.descr}.
```

#### Kernel Mode

EraVM operates either in **kernel** or in **user mode**. Some instructions (see <a href="requires\_kernel">requires\_kernel</a> are only allowed in kernel mode; executing them in user mode results in panic.

Current mode is determined by the address of the currently executed contract C:

- if C < KERNEL MODE MAXADDR LIMIT, EraVM is in kernel mode;
- otherwise, EraVM is in user mode.

```
Definition KERNEL_MODE_MAXADDR_LIMIT : contract_address := fromZ (2^16).

Definition addr_is_kernel (addr:contract_address) : bool :=
   addr < KERNEL MODE MAXADDR LIMIT.</pre>
```

Current contract's address can be obtained from the active external frame in callstack. Topmost external frame (active frame) is obtained through active\_extframe, it contains the current contract's address in its field ecf\_this\_address.

The list of instructions requiring kernel mode is encoded by the definition requires kernel ins == true, the instruction ins is only allowed in kernel mode.

```
⇒ true
| _ ⇒ false
end
```

Function check requires kernel returns false if:

- an instruction ins requires kernel mode, and
- VM is not in kernel mode, as indicated by in kernel.

```
Definition check_requires_kernel
  (ins: @instruction descr)
  (in_kernel: bool) : bool :=
   (negb in_kernel) || in_kernel.
```

End KernelMode.

# Library EraVM.StaticMode

Require isa.CoreSet.

Import isa.CoreSet Addressing GPR Common.
Section StaticMode.

## Static mode

Static mode is a mode of execution.

Intuitively, executing code in static mode aims at limiting its effects on the global state, similar to executing pure functions.

If VM is in static mode, attempting to execute instructions affecting global system state results in panic with reason ForbiddenInStaticMode. Refer to forbidden\_static for a full list of instructions forbidden in static mode.

Current mode is determined by the flag ecf\_is\_static in the active\_extframe in gs callstack.

#### Entering static mode

To execute the code of a contract in static mode, use one of far call instructions with a static modifier, for example:

```
OpFarCall (Reg R1) (Reg R2) (Imm zero16) true false ^ is_static
```

The same applies to OpMimicCall and OpDelegateCall.

#### Exiting static mode

If VM executes a contract C in static mode, the mode will persist until the end of execution of C. If C calls itself or other contracts, these calls will be automatically marked as static, even if the far call instruction was not explicit about it.

There is no other way to exit the static mode.

#### Usage

Static mode is unrelated and orthogonal to kernel mode.

Executing a contract C in static mode restricts the changes to the state produced by C or any other code that it might call.

Static calls are guaranteed to preserve the state of storage, will not emit events, or modify the gs context u128 register.

Function forbidden static returns true if instruction ins is forbidden in static mode.

Function check forbidden static returns false if:

- an instruction ins is not allowed in static mode, and
- the current mode is static, as indicated by static mode active.

```
Definition check_forbidden_static
  (ins: instruction)
```

```
(static mode active: bool) : bool :=
    if static mode active
    then negb (forbidden static ins)
    else true.
End StaticMode.
Library EraVM.Steps
From RecordUpdate Require Import RecordSet.
Require
 Flags
    isa.CoreSet
   KernelMode
   State.
Import
  Flags
    isa.CoreSet
    KernelMode
    RecordSetNotations
    State.
 A type of a small step relation, in style of structural operational semantics.
Definition smallstep := state \rightarrow state \rightarrow Prop .
Definition tsmallstep := transient_state → transient_state → Prop.
Definition flags tsmallstep := flags state → flags state → Prop.
Definition callstack smallstep := callstack → callstack → Prop.
 Relations step transient only and step transient define the type of small steps only affecting
 gs_transient part.
Inductive step transient only (xs1 xs2:transient state) : smallstep :=
| stransient oapply:
  ∀ gs,
    step transient only xs1 xs2 {|
                           gs transient := xs1;
                           gs global := gs;
                         | }
                         { |
                           gs transient := xs2;
                           gs global := gs;
                         | } .
Inductive step_transient (S: transient_state → transient_state → Prop) :
```

smallstep :=

| stransient apply:

```
∀ xs1 xs2 s1 s2 ,
   S xs1 xs2 →
   step_transient_only xs1 xs2 s1 s2→
   step transient S s1 s2.
```

Relations tstep\_flags and step\_transient\_callstack help defining smallstep relations where only flags or callstack are changing.

```
Definition tstep_flags {descr:CoreSet.descr} (P: @instruction descr →
flags_tsmallstep): @instruction descr → tsmallstep :=
fun i xs xs' ⇒ ∀ f2, P i (gs flags xs) f2 → xs' = xs <| gs flags := f2 |>.
```

Relations step\_transient\_callstack and help defining smallstep relations where only callstack is changing.

```
Inductive step transient callstack (S: callstack → callstack → Prop) :
transient state → transient state → Prop :=
| scs apply:
  ∀ flags regs pages ctx cs1 cs2 xs1 xs2 status,
   S cs1 cs2 \rightarrow
   xs1 = \{ |
            gs callstack := cs1;
            gs flags := flags;
            gs regs := regs;
            gs pages := pages;
            gs context u128 := ctx;
            gs status := status;
          | } →
    xs2 = \{ |
            gs_callstack := cs2;
            gs flags := flags;
            gs regs := regs;
            gs pages := pages;
            gs context u128 := ctx;
            gs status := status;
          | } →
    step transient callstack S xs1 xs2.
Inductive step callstack (S: callstack \rightarrow callstack \rightarrow Prop) : smallstep :=
\mid sc apply: \forall xs1 xs2 s1 s2,
    step transient callstack S xs1 xs2 →
    step transient only xs1 xs2 s1 s2 →
    step callstack S s1 s2.
```

# Library EraVM.Semantics

```
From RecordUpdate Require Import RecordSet.

Require VMPanic StaticMode isa.AssemblyToCore sem.SemanticCommon.

Section VMParameters.

Local Open Scope ZMod_scope.

Definition VM_INITIAL_FRAME_ERGS: nat := Z.to_nat (unsigned_max ergs_bits).
Context (CALL_LIKE_ERGS_COST := Z.to_nat CALL_LIKE_ERGS_COST).
Definition VM_MAX_STACK_DEPTH: nat := VM_INITIAL_FRAME_ERGS /
CALL_LIKE_ERGS_COST + 80.
End VMParameters.

Section SmallStep.
Local Open Scope ZMod_scope.

Context (ins := @instruction bound).

Definition update_pc_regular : callstack → callstack := pc_map (fun x ⇒ uadd_wrap x # 1).
```

Every instruction is either executed, skipped, or triggers panic instantly. Panic can also be triggered later during the execution.

```
Inductive action: Type := Execute | Skip | Panic : reason → action.
```

After the instruction is selected, panic is immediately triggered:

- on call stack overflow;
- if the base cost of instruction is unaffordable;
- if the instruction is not allowed in user mode, and VM is in user mode;
- if the instruction is not allowed in static mode, and VM is in static mode.

```
Definition chose_action (s:transient_state) (i:@predicated asm_instruction):
action :=
    if stack_overflow VM_MAX_STACK_DEPTH (gs_callstack s) then
        Panic CallStackOverflow
    else
        if negb (check_requires_kernel i.(ins_spec _) (in_kernel_mode

(gs_callstack s))) then
        Panic NotInKernelMode
    else
        if negb (check_forbidden_static i.(ins_spec _) (active_extframe)

(gs_callstack s)).(ecf_is_static)) then
        Panic ForbiddenInStaticMode
    else
        if ergs_of (base_cost i.(ins_spec _)) > ergs_remaining (gs_callstack)
```

The definition smallsteps gathers the references to all the small step predicates for various  $asm_instructions$ .

```
Definition smallsteps : list (@instruction bound → smallstep) :=
                                       step_nop ;
fun i ⇒ step transient (tstep flags step add i);
fun i ⇒ step transient (tstep flags step sub i);
fun i \Rightarrow step transient (tstep flags step and i);
                                       step context;
fun i ⇒ step transient (tstep flags step mul i);
fun i ⇒ step_transient (tstep_flags step_div i);
fun i ⇒ step_transient ( step_farret i);
                                       step farrevert;
                                       step farcall ;
                                       step jump;
fun i ⇒ step transient ( step load i);
fun i ⇒ step transient ( step load inc i);
fun i ⇒ step transient ( step load ptr i);
fun i \Rightarrow step transient ( step load ptr inc i);
fun i ⇒ step transient (tstep flags step mul i);
fun i \Rightarrow step callstack (step sp add i);
fun i ⇒ step callstack ( step sp sub i);
                                       step nearcall ;
                                       step panicto;
fun i ⇒ step_transient ( step_nearret i);
fun i ⇒ step transient ( step nearretto i);
                                       step nearrevert;
                                       step nearrevertto;
                                       step event ;
fun i \Rightarrow step transient (tstep flags step or i);
                                       step oppanic ;
                                       step precompile ;
                                       step ptradd;
                                       step ptrsub ;
                                       step ptrshrink ;
                                       step ptrpack ;
fun i \Rightarrow step transient (tstep flags step rol i);
fun i ⇒ step transient (tstep flags step ror i);
                                       step sload ;
                                       step sstore ;
fun i ⇒ step transient (tstep flags step shl i);
fun i ⇒ step transient (tstep flags step shr i);
fun i \Rightarrow step transient (step store i);
fun i ⇒ step transient ( step storeinc i);
                                       step tol1;
fun i ⇒ step transient (tstep flags step xor i)
```

```
].
Inductive dispatch: @instruction bound → smallstep :=
| dispatch apply: \forall s1 s2 ins S,
    In S smallsteps →
    S ins s1 s2 \rightarrow
    dispatch ins s1 s2.
Generalizable Variables cs.
Inductive execute action: action → @instruction decoded → smallstep :=
| ea execute:
  `(\forall instr gs instr bound new s xs0 xs1,
         cs0 = gs callstack xs0 \rightarrow
         cs1 = update pc regular cs0 \rightarrow
         pay (ergs of (base cost instr)) cs1 cs2 \rightarrow
         bind operands (xs0 <| gs callstack := cs2 |>) xs1 instr instr bound \rightarrow
         let s1 := mk state xs1 gs in
         dispatch instr bound s1 new s →
         execute action Execute instr (mk state xs0 gs) new s
| ea skip:
   (\forall instr qs xs0 xs1,
         cs0 = gs callstack xs0 \rightarrow
         cs1 = update pc regular cs0 \rightarrow
         pay (ergs of (base cost instr)) cs1 cs2 →
         let new s := mk state xs1 gs in
         execute_action Skip instr (mk_state xs0 gs) new_s
| ea panic:
  ∀ reason s new s instr,
    step panic reason s new s →
    execute action (Panic reason) instr s new s
Generalizable No Variables.
Definition fetch predicated instruction (s: transient state) ins :=
  @fetch instr instruction invalid (gs regs s) (gs callstack s) (gs pages
     (@FetchIns (predicated asm_instruction) ins).
step is the main predicate defining a VM transition in a small step structural operational style.
Inductive step: smallstep :=
| step correct:
```

∀ (s new\_s : state) cond (instr:asm instruction)

(ins bound:@instruction bound),

fetch predicated instruction s (Ins instr cond) →

```
execute_action (chose_action s (Ins _ instr cond)) instr s new_s →
    step s new_s.
End SmallStep.
```

# Library EraVM.VMPanic

Require Common isa.CoreSet.
Import Common isa.CoreSet.

Section Panics.

#### **Panic**

**Panic** refers to a situation of irrecoverable error. It can occur for one of the following reasons:

- There are not enough ergs to execute an action.
- Executing an instruction requiring kernel mode in user mode.
- Executing an instruction mutating global state in static mode.
- Violation of one of VM inner invariants.
- Overflow of callstack.
- Attempt to execute an invalid instruction.
- Providing an integer value (with the tag cleared) instead of a pointer value (with the tag set) to an instruction that expects a tagged fat pointer value, e.g. OpPtrAdd.

#### Complete list of panic reasons

The type reason describes all situations where EraVM panics.

**Note** this is an exhaustive list! If there is a panic situation which does not match to any condition described by reason, please, report it to Igor iz@matterlabs.dev.

Inductive reason :=

- See step RetExt ForwardFatPointer requires ptrtag.
- | RetABIExistingFatPointerWithoutTag
- See step RetExt ForwardFatPointer returning older pointer.
- | RetABIReturnsPointerCreatedByCaller

| • | Malformed fat_ptr is such that validate returns false.         |
|---|----------------------------------------------------------------|
|   | FatPointerMalformed                                            |
| • | See step_PtrAdd_overflow and step_PtrSub_underflow.            |
|   | FatPointerOverflow                                             |
| • | See step_PtrAdd_diff_too_large and step_PtrSub_diff_too_large. |
|   | FatPointerDeltaTooLarge                                        |
| • | See e.g. step_RetExt_heapvar_growth_unaffordable               |
| I | FatPointerCreationUnaffordable                                 |
| • | See chose_action.                                              |
| I | NotInKernelMode                                                |
| • | See chose_action.                                              |
|   | ForbiddenInStaticMode                                          |
| • | See chose_action.                                              |
|   | CallStackOverflow                                              |
| • | See step_PtrPack_notzero.                                      |
|   | PtrPackExpectsOp2Low128BitsZero                                |

| • | Instruction expects a tagged fat_ptr, e.g. step_PtrAdd_in1_not_ptr.                                       |
|---|-----------------------------------------------------------------------------------------------------------|
|   | ExpectedFatPointer                                                                                        |
| • | Instruction expects a non-tagged primitive value, e.g. step_PtrAdd_in2_ptr.                               |
| ١ | ExpectedInteger                                                                                           |
| • | Executing OpPanic or OpNearPanicTo.                                                                       |
| ١ | TriggeredExplicitly                                                                                       |
| • | Attempt to dereference a pointer past MAX_OFFSET_TO_DEREF_LOW_U32.                                        |
| ı | HeapPtrOffsetTooLarge                                                                                     |
| • | Not enough ergs to pay for growing heap beyound the current bound.                                        |
| ١ | HeapGrowthUnaffordable                                                                                    |
| • | Incrementing a heap pointer by executing OpLoadInc or OpStoreInc results in overflow.                     |
| ١ | HeapPtrIncOverflow                                                                                        |
| • | Incrementing a fat pointer by executing OpLoadPtrInc results in overflow.                                 |
|   | FatPtrIncOverflow                                                                                         |
| • | Instructions e.g. OpLoad expect a heap pointer with a is_ptr tag reset, not a fat pointer with a set tag. |
|   | ExpectedHeapPointer                                                                                       |

- Not enough ergs to pay base\_cost of instruction. Reminder: the cost is paid even if instruction is skipped by predication.
   NotEnoughErgsToPayBaseCost
- Far call expects to return an existing fat\_ptr but the provided value is not tagged as pointer.
- | FarCallInputIsNotPointerWhenExpected
- Far call expects the storage of DEPLOYER\_SYSTEM\_CONTRACT\_ADDRESS to hold a valid versioned hash for the callee contract, but the hash for the callee contract is malformed.
- | FarCallInvalidCodeHashFormat
- In a far call, not enough ergs to pay for code decommitment.
- | FarCallNotEnoughErgsToDecommit
- In a far call, attempt to return a new fat\_ptr but it requires growing heap and there are not enough ergs to pay for this growth.
- | FarCallNotEnoughErgsToGrowMemory
- Trying to far call a contract whose code is not yet deployed.
- | FarCallCallInNowConstructedSystemContract
- Attempt to write to a storage by executing Opsstore but not enough ergs to pay the associated cost. See step\_sstore\_unaffordable.
- | StorageWriteUnaffordable

Inductive status :=

```
| NoPanic
| Panic : reason → status
.
End Panics.
```

TransientMemory

## Library EraVM.sem.SemanticCommon

From RecordUpdate Require Import RecordSet. Require ABI Addressing Binding CallStack Common Flags KernelMode MemoryContext MemoryOps State Steps TransientMemory VMPanic sem.StepPanic Import ssreflect ssrfun ssrbool eqtype ssreflect.tuple. Import Addressing Bool Common Coder Core Flags CallStack Decommitter Ergs GPR List ListNotations KernelMode MemoryContext memory.Depot MemoryBase MemoryOps Pointer PrimitiveValue RecordSetNotations State

```
ZArith
   ZBits.
Export Steps Binding VMPanic StepPanic.
Section Params.
 Open Scope ZMod scope.
 Definition MAX OFFSET TO DEREF LOW U32: u32 := fromZ (2^32 - 33)%Z.
 Definition MAX_OFFSET_FOR_ADD_SUB: u256 := fromZ (2^32)%Z.
End Params.
Section Depot.
 Definition is rollup (xstack: callstack) : bool := zero8 == current_shard
 Definition net pubdata cs : Z := if is rollup cs then
INITIAL STORAGE WRITE PUBDATA BYTES else 0%Z.
End Depot.
Definition current storage fqa (xstack:callstack) : fqa storage :=
 mk fqa storage (current shard xstack) (current contract xstack).
(* FIXME *)
Local Open Scope ZMod scope.
Definition bitwise flags (result: Core.word) : Flags.flags state :=
Flags.bflags false (result == zero256) false.
Definition topmost 128 bits match (x y : Core.word) : Prop := @high 128 128 x =
@high 128 128 y.
Library EraVM.sem.Nop
Require SemanticCommon.
Import Core isa. CoreSet State SemanticCommon.
Section NoOpDefinition.
```

# Nop

## Abstract Syntax

OpNoOp

## Syntax

nop

#### Summary

Do nothing.

#### Affected parts of VM state

· execution stack : PC is increased.

#### Similar instructions

OpSpAdd, OpSpSub and OpNoOp are translated to mach\_instruction with the same mach\_opcode. See asm to mach.

## **Encoding**

NoOp, SpAdd, SpSub are encoded as the same instruction.

End NoOpDefinition.

# Library EraVM.sem.SpAdd

Require SemanticCommon.

Import Arith Addressing CallStack Core isa.CoreSet TransientMemory Resolution State SemanticCommon PrimitiveValue spec.

Section SpAddDefinition.

Open Scope ZMod scope.

# **SpAdd**

## **Abstract Syntax**

```
OpSpAdd (in1: in_reg) (ofs: imm_in)
```

#### Syntax

```
nop r0, r0, stack+=[reg+ofs]
```

#### Summary

Add (in1 + ofs) to SP.

#### Semantic

- Advances PC
- $SP_{new} := SP + (in_1 + ofs)$ , but only if there was no overflow.

## Affected parts of VM state

execution stack: PC is increased; SP may be increased.

#### Usage

Adjusting SP e.g. reserving space on stack.

#### Similar instructions

OpSpSub subtracts a value from SP.

## **Encoding**

• NoOp, SpAdd, SpSub are encoded as the same instruction.

```
Inductive step_sp_add : instruction → callstack_smallstep :=
| step_op_sp_add:
| V (cs0 new_cs: callstack) (old_sp intermediate_sp new_sp ofs:
```

```
stack_address) op __,
    sp_get cs0 = old_sp →
        (false, intermediate_sp) = old_sp + (low stack_address_bits op) →
        (false, new_sp) = intermediate_sp + ofs→
        new_cs = sp_update new_sp cs0 →
        step_sp_add (OpSpAdd (mk_pv __ op) ofs) cs0 new_cs
```

End SpAddDefinition.

# Library EraVM.sem.SpSub

Require SemanticCommon.

Import Arith Addressing CallStack Core isa.CoreSet TransientMemory Resolution State SemanticCommon PrimitiveValue spec.

Section SpSubDefinition.

Open Scope ZMod scope.

# SpSub

#### **Abstract Syntax**

OpSpSub (in1: in reg) (ofs: imm in)

## Syntax

nop stack-=[reg+ofs]

#### Summary

Subtract (in1 + ofs) from SP.

#### Semantic

- Advances PC
- $SP_{new} := SP (in_1 + of_s)$ , but only if there was no overflow.

#### Affected parts of VM state

execution stack: PC is increased; SP may be decreased.

#### Usage

Adjusting SP e.g. deallocating space on stack.

#### Similar instructions

OpSpSub subtracts value from SP.

#### **Encoding**

• NoOp, SpAdd, SpSub are encoded as the same instruction.

```
Inductive step_sp_sub : instruction → callstack_smallstep :=
| step_op_sp_sub:
| V (cs0 new_cs: callstack) (old_sp intermediate_sp new_sp ofs:
stack_address) op __,
| sp_get cs0 = old_sp →
| (false, intermediate_sp) = old_sp + (low stack_address_bits op) →
| (false, new_sp) = intermediate_sp - ofs→
| new_cs = sp_update new_sp cs0 →
| step_sp_sub (OpSpSub (mk_pv __ op) ofs) cs0 new_cs
```

End SpSubDefinition.

# Library EraVM.sem.Jump

```
From RecordUpdate Require Import RecordSet.

Require SemanticCommon.

Import Addressing Bool Core Common Predication GPR CallStack TransientMemory MemoryOps isa.CoreSet State
    PrimitiveValue SemanticCommon RecordSetNotations.

Section JumpDefinition.

Inductive step_jump_aux: @instruction bound → callstack → callstack → Prop :=
```

# Jump

Unconditional jump (becomes conditional through predication).

#### **Abstract Syntax**

```
OpJump (dest: in_any) (return_address: out_reg)
```

FIXME The output operand may be changed to out any!

# **Syntax**

- jmp destination, ret addr
- jmp destination, alias for jmp destination, r0

## Legacy Syntax

• jump destination

Note: Argument destination uses the full addressing mode in\_any, therefore can be immediate 16-bit value, register, a register value with an offset, and so on.

#### Semantic

- Fetch a new address from operand destination.
- Save the old PC (return address) to return address
- Assign to current PC the fetched value truncated to code address bits bits.

FIXME semantic is obsolete

#### Affected parts of VM state

execution stack: PC is overwritten with a new value.

#### Usage

- Unconditional jumps
- In EraVM, all instructions are predicated (see Predication.cond), therefore in conjunction with a required condition type jump implements a conditional jump instruction.
- Currently, the compiler may emit jumps rather than OpNearCall/OpNearRet and similar instructions when possible. It is cheaper, and most functions do not require to install a non-default cf exception handler location, nor passing less than all available ergs.
- Can be used to implement cheap calling convention by playing both the role of call-like and ret-like instruction.

#### Similar instructions

Calls: see OpNearCall, OpFarCall, OpDelegateCall, OpMimicCall.

```
Inductive step_jump: @instruction bound → smallstep :=
| step_Jump: ∀ ins (s1 s2:state),
    step_callstack (step_jump_aux ins) s1 s2 →
    step_jump ins s1 s2.
```

End JumpDefinition.

# Library EraVM.sem.Add

```
Require SemanticCommon.

Import Bool Common Flags CoreSet TransientMemory Modifiers State PrimitiveValue
SemanticCommon.

Import ssreflect.tuple ssreflect.eqtype.

Section AddDefinition.
   Open Scope ZMod_scope.

Generalizable Variables op tag.
   Inductive step_add: instruction → flags_tsmallstep :=
```

#### Add

#### **Abstract Syntax**

OpAdd (in1: in\_any) (in2: in\_reg) (out1: out\_any) (flags:mod\_set\_flags)

## Syntax

- add in1, in2, out
- add! in1, in2, out, to set set flags modifier.

#### Summary

Unsigned overflowing addition of two numbers modulo  $2^{256}$ .

#### Semantic

• result is computed by unsigned addition of two numbers with overflow modulo  $2^{256}$ .

$$result := op_1 + op_2 \mod 2^{256}$$

- · flags are computed as follows:
  - $\circ$  LT OF is set if overflow occurs, i.e.  $op_1{+}op_2{\ge}2^{256}$
  - $\circ$  EQ is set if result = 0.
  - GT is set if both LT OF and EQ are cleared.

Reminder: flags are only set if set\_flags modifier is set.

## Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

- Arithmetic operations.
- There is no dedicated mov instruction, so add is used to copy values around. Copying A to B is implemented as add A, r0, B.

#### Similar instructions

Flags are computed exactly as in sub, but the meaning of overflow is different for addition and subtraction.

```
| step_Add:
| V mod_sf old_flags new_flags result new_OF,
| (new_OF, result) = op1 + op2 →
| let new_EQ := result == zero256 in
| let new_GT := negb new_EQ && negb new_OF in
| new_flags = apply_set_flags mod_sf
| old_flags
| (bflags new_OF new_EQ new_GT) →
| step_add (OpAdd (mk_pv tag1 op1) (mk_pv tag2 op2) (IntValue result)
| mod_sf) old_flags new_flags)
| .
| Generalizable No Variables.
```

End AddDefinition.

# Library EraVM.sem.Sub

```
Require SemanticCommon.

Import Bool Common Flags CoreSet TransientMemory Modifiers State
   PrimitiveValue SemanticCommon.
Import ssreflect.tuple ssreflect.eqtype.

Section SubDefinition.
   Open Scope ZMod_scope.

Generalizable Variables op tag.

Inductive step_sub: instruction → flags_tsmallstep :=
```

## Sub

## **Abstract Syntax**

```
OpSub (in1: in_any) (in2: in_reg) (out1: out_any) (swap:mod_swap)
(flags:mod_set_flags)
```

#### **Syntax**

- sub in1, in2, out
- sub.s in1, in2, out, to set swap modifier.
- sub! in1, in2, out, to set set flags modifier.
- sub.s! in1, in2, out, to set both swap and set flags modifiers.

#### Summary

Unsigned overflowing subtraction of two numbers modulo  $2^{256}$ .

#### Semantic

• result is computed by unsigned subtraction of two numbers with overflow modulo  $2^{256}$ .

$$result := \left\{ egin{array}{ll} op_1 - op_2 & ext{,if } op_1 {\geq} op_2 \ 2^{256} - (op_2 - op_1) & ext{,if } op_1 {<} op_2 \end{array} 
ight.$$

- · flags are computed as follows:
  - $\circ$  LT OF is set if overflow occurs, i.e.  $op_1{<}op_2$
  - $\circ$  EQ is set if result=0.
  - GT is set if both LT OF and EQ are cleared.

Reminder: flags are only set if set flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- Registers, if out resolves to a register.
- flags, if set\_flags modifier is set.

#### Usage

Arithmetic operations.

#### Similar instructions

Flags are computed exactly as in add, but the meaning of overflow is different for addition and subtraction.

```
| step_Sub:
| V mod_sf old_flags new_flags,
| `(
| let (new_OF, result) := op1 - op2 in |
| let new_EQ := result == zero256 in |
| let new_GT := negb new_EQ && negb new_OF in |
| new_flags = apply_set_flags mod_sf |
| old_flags |
| (bflags new_OF new_EQ new_GT) →
| step_sub (OpSub (mk_pv tag1 op1) (mk_pv tag2 op2) (IntValue result) |
| mod_sf) old_flags new_flags) |
| Generalizable No Variables.
| End SubDefinition.
```

# Library EraVM.sem.Mul

```
Require sem.SemanticCommon.

Import Bool Core Modifiers Common Flags isa.CoreSet CallStack TransientMemory
MemoryOps State
    ZArith PrimitiveValue SemanticCommon List ListNotations.

Import ssreflect.eqtype ssreflect.tuple.

Section MulDefinition.
    Open Scope ZMod_scope.

Generalizable Variables tag.

Inductive step_mul: instruction → flags_tsmallstep :=
```

## Mul

## **Abstract Syntax**

```
OpMul (in1: in_any) (in2: in_reg) (out1: out_any) (out2: out_reg)
(flags:mod set flags)
```

#### Syntax

- mul in1, in2, out1, out2
- mul! in1, in2, out1, out2, to set set flags modifier.

#### Summary

Unsigned multiplication of two numbers modulo  $2^{512}$ ; the high and low 256 bits of the result are returned in two separate operands.

#### Semantic

1. Compute result by unsigned multiplication of in1 by in2.

$$\left\{egin{array}{l} result_{high}:=rac{op_1 imes op_2}{2^{256}} \ result_{low}:=op_1 imes op_2 \mod 2^{256} \end{array}
ight.$$

- 2. Flags are computed as follows:
  - $\circ$  LT OF is set if overflow occurs, i.e.  $op_1{ imes}op_2{ o}2^{256}$
  - $\circ$  EQ is set if  $result_{low} = 0$ .
  - GT is set if LT OF and EQ are cleared.

Reminder: flags are only set if set flags modifier is set.

```
(bflags\ new\_OF\ new\_EQ\ new\_GT) \rightarrow \\ step\_mul\ (OpMul\ (mk\_pv\ tag1\ op1)\ (mk\_pv\ tag2\ op2)\ (IntValue\ low256)\\ (IntValue\ high256)\ mod\_sf)\ old\_flags\ new\_flags\\ ).
```

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out1 uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, by out2 and out1, provided out1 resolves to GPR.
- flags, if set flags modifier is set.

## Usage

Arithmetic operations.

#### Similar instructions

• See OpDiv.

Generalizable No Variables. End MulDefinition.

# Library EraVM.sem.Div

```
Require sem.SemanticCommon.

Import Addressing Bool ZArith Common Flags GPR isa.CoreSet CallStack Modifiers
State
   ZBits Addressing.Coercions PrimitiveValue SemanticCommon List ListNotations.

Section DivDefinition.
   Open Scope Z_scope.

Generalizable Variables tag.

Inductive step_div: instruction → flags_tsmallstep :=
```

## Div

## **Abstract Syntax**

```
OpDiv (in1: in_any) (in2: in_reg) (out1: out_any) (out2: out_reg) (swap:mod_swap)
(flags:mod_set_flags)
```

#### Syntax

- div in1, in2, out1, out2
- div.s in1, in2, out1, out2, to set swap modifier.
- div! in1, in2, out1, out2, to set set flags modifier.
- div.s! in1, in2, out1, out2, to set both swap and set flags modifiers.

#### Summary

Unsigned division of in1 by in2. The quotient is returned in out1, the remainder is returned in out2.

#### Semantic

• If in  $2 \neq 0$ :

$$\left\{egin{array}{l} out_1 := rac{op_1}{op_2} \ out_2 := \mathrm{rem} \ op_1 \ op_2 \end{array}
ight.$$

Flags are computed as follows:

- LT OF is cleared;
- EQ is set if the quotient is zero;
- GT is set if the reminder is zero.
- If in2 = 0:

$$\begin{cases} out_1 := 0 \\ out_2 := 0 \end{cases}$$

Flags are computed as follows:

- LT OF is set.
- $\circ$  EQ is set if  $result_{low} = 0$ .
- GT is set if LT OF and EQ are cleared.

Reminder: flags are only set if set\_flags modifier is set.

```
| step Div no overflow:
     (\forall mod sf old flags new flags w quot w rem quot rem (x y:{\tt Z}) op1 op2,
           x = toZ op1 \rightarrow
           y = toZ op2 \rightarrow
           y ≠ 0 →
           quot = Z.div x y \rightarrow
           rem = Z.rem x y \rightarrow
           w quot = u256 of quot \rightarrow
           w rem = u256 of rem \rightarrow
           let new EQ := quot =? 0 in
           let new GT := rem =? 0 in
           new flags = apply set flags mod sf
                           old flags
                           (bflags false new EQ new GT) \rightarrow
           step_div (OpDiv (mk_pv tag1 op1) (mk_pv tag2 op2) (IntValue w_quot)
(IntValue w rem) mod sf) old flags new flags)
  | step Div overflow:
    \forall mod sf old flags new flags (x y:Z) op1 op2,
       ` (
           x = toZ op1 \rightarrow
           y = toZ op2 \rightarrow
           new flags = apply set flags mod sf old flags (bflags true false
false) →
           step div (OpDiv (mk pv tag1 op1) (mk pv tag2 op2) (IntValue zero256)
(IntValue zero256) mod sf) old flags new flags
```

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out1 uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, by out2 and out1, provided out1 resolves to GPR.
- flags, if set flags modifier is set.

#### Usage

Arithmetic operations.

#### Similar instructions

• See OpMul.

End DivDefinition.

# Library EraVM.sem.And

```
Require SemanticCommon.
Import Common CoreSet Modifiers SemanticCommon PrimitiveValue.
Section AndDefinition.
   Open Scope ZMod_scope.
Generalizable Variables op tag.
Inductive step_and: instruction → flags_tsmallstep :=
```

#### Bitwise AND

#### **Abstract Syntax**

OpAnd (in1: in any) (in2: in reg) (out1: out any) (flags:mod set flags)

#### Syntax

- and in1, in2, out
- and! in1, in2, out, to set set flags modifier.

#### Summary

Bitwise AND of two 256-bit numbers.

#### Semantic

· result is computed as a bitwise AND of two operands.

- · flags are computed as follows:
  - $\circ$  EQ is set if result = 0.
  - OF LT and GT are cleared

Reminder: flags are only set if set\_flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- · Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

· operations with bit masks

#### Similar instructions

• and, or and xor are encoded as variants of the same mach\_instruction.

```
| step_And:
| ∀ mod_sf old_flags new_flags result,
| `(
| result = bitwise_and op1 op2 →
| new_flags = apply_set_flags mod_sf
| old_flags
| (bitwise_flags result) →
| step_and (OpAnd (mk_pv tag1 op1) (mk_pv tag2 op2) (IntValue result)
| mod_sf) old_flags new_flags)
| . Generalizable No Variables.
| End AndDefinition.
```

# Library EraVM.sem.Or

```
Require SemanticCommon.

Import Common CoreSet Modifiers SemanticCommon PrimitiveValue.

Section OrDefinition.

Open Scope ZMod scope.
```

```
Inductive step_or: instruction → flags_tsmallstep :=
```

#### Bitwise OR

#### **Abstract Syntax**

```
OpOr (in1: in any) (in2: in reg) (out1: out any) (flags:mod set flags)
```

#### Syntax

- or in1, in2, out
- or! in1, in2, out, to set set\_flags modifier.

#### Summary

Bitwise OR of two 256-bit numbers.

#### Semantic

- result is computed as a bitwise OR of two operands.
- flags are computed as follows:
  - $\circ$  EQ is set if result=0.
  - OF LT and GT are cleared

Reminder: flags are only set if set\_flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

operations with bit masks

#### Similar instructions

• and, or and xor are encoded as variants of the same mach instruction.

# Library EraVM.sem.Xor

```
Require SemanticCommon.

Import Common CoreSet Modifiers SemanticCommon PrimitiveValue.

Section XorDefinition.
   Open Scope ZMod_scope.

Generalizable Variables op tag.

Inductive step xor: instruction → flags tsmallstep :=
```

#### Bitwise XOR

#### Abstract Syntax

```
OpXor (in1: in_any) (in2: in_reg) (out1: out_any) (flags:mod_set_flags)
```

#### **Syntax**

- or in1, in2, out
- or! in1, in2, out, to set set flags modifier.

#### Summary

Bitwise XOR of two 256-bit numbers.

#### Semantic

- result is computed as a bitwise XOR of two operands.
- · flags are computed as follows:
  - $\circ$  EQ is set if result = 0.
  - OF LT and GT are cleared

Reminder: flags are only set if set\_flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

· operations with bit masks

#### Similar instructions

• and, or and xor are encoded as variants of the same instruction.

```
step_xor (OpXor (mk_pv tag1 op1) (mk_pv tag2 op2) (IntValue result)
mod_sf) old_flags new_flags)
.
```

End XorDefinition.

## Library EraVM.sem.Shl

```
Require sem.SemanticCommon.
Import Arith Core isa.CoreSet PrimitiveValue SemanticCommon spec.
Section ShlDefinition.
   Open Scope ZMod_scope.
   Generalizable Variables tag.
   Import operations operations.BitsNotations.
   Inductive step shl: instruction → flags tsmallstep :=
```

#### Shl

#### **Abstract Syntax**

```
OpShl (in1: in_any) (in2: in_reg) (out: out_any) (swap:mod_swap)
(flags:mod_set_flags)
```

#### Syntax

- shl in1, in2, out
- shl.s in1, in2, out, to set swap modifier.
- shl! in1, in2, out, to set set flags modifier.
- shl.s! in1, in2, out, to set both swap and set flags modifiers.

#### Summary

Bitwise left shift of in1 by the number of binary digits specified by the lowest byte of in2. New binary digits (least significant bits in out) are zeros.

#### Semantic

Follows the scheme described in binop state bitwise effect spec.

result is computed as in1 << (in2 mod 256)</li>

```
· flags are computed as follows:
```

- $\circ$  EQ is set if result = 0.
- other flags are reset

Reminder: flags are only set if set flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- · Current stack memory page, if out resolves to it.
- · GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

- · Operations with bit masks.
- Fast arithmetic.

#### Similar instructions

shl, shr, rol and ror are encoded as variants of the same instruction.

End ShlDefinition.

# Library EraVM.sem.Shr

```
Require sem.SemanticCommon.
Import Arith Core isa.CoreSet PrimitiveValue SemanticCommon spec.
Section ShrDefinition.
  Open Scope ZMod_scope.
  Generalizable Variables tag.
  Import operations operations.BitsNotations.

Inductive step_shr: instruction → flags_tsmallstep :=
```

#### Shr

#### **Abstract Syntax**

```
OpShr (in1: in_any) (in2: in_reg) (out: out_any) (swap:mod_swap)
(flags:mod_set_flags)
```

#### Syntax

- shr in1, in2, out
- shr.s in1, in2, out, to set swap modifier.
- shr! in1, in2, out, to set set flags modifier.
- shr.s! in1, in2, out, to set both swap and set flags modifiers.

#### Summary

Bitwise left shift of in1 by the number of binary digits specified by the lowest byte of in2. New binary digits (most significant bits in out) are zeros.

#### Semantic

Follows the scheme described in binop state bitwise effect spec.

- result is computed as in1 >> (in2 mod 256)
- flags are computed as follows:
  - $\circ$  EQ is set if result = 0.
  - other flags are reset

Reminder: flags are only set if set flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

- · Operations with bit masks.
- Fast arithmetic.

#### Similar instructions

• shl, shr, rol and ror are encoded as variants of the same instruction.

End ShrDefinition.

# Library EraVM.sem.Rol

```
Require sem.SemanticCommon.
Import Arith Core isa.CoreSet PrimitiveValue SemanticCommon spec.
Section RolDefinition.
   Open Scope ZMod_scope.
   Generalizable Variables tag.
   Inductive step_rol: instruction → flags_tsmallstep :=
```

#### Rol

#### Abstract Syntax

```
OpRol (in1: in_any) (in2: in_reg) (out: out_any) (swap:mod_swap)
(flags:mod_set_flags)
```

#### Syntax

```
    rol in1, in2, out
```

- rol.s in1, in2, out, to set swap modifier.
- rol! in1, in2, out, to set set flags modifier.
- rol.s! in1, in2, out, to set both swap and set flags modifiers.

#### Summary

Bitwise circular left shift of in1 by the number of binary digits specified by the lowest byte of in2. New binary digits (least significant bits in out) are taken from the most significant bits of in1.

#### Semantic

- result is computed as in1 <<< (in2 mod 256)</li>
- · flags are computed as follows:
  - $\circ$  EQ is set if result=0.
  - other flags are reset

Reminder: flags are only set if set flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- · GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

- Operations with bit masks.
- · Fast arithmetic.

#### Similar instructions

shl, shr, rol and ror are encoded as variants of the same instruction.

End RolDefinition.

# Library EraVM.sem.Ror

```
Require sem.SemanticCommon.
Import Arith Core isa.CoreSet PrimitiveValue SemanticCommon spec.
Section RorDefinition.
   Open Scope ZMod_scope.
   Generalizable Variables tag.
   Inductive step_ror: instruction → flags_tsmallstep :=
```

#### Ror

#### **Abstract Syntax**

```
OpRor (in1: in_any) (in2: in_reg) (out: out_any) (swap:mod_swap)
(flags:mod set flags)
```

#### Syntax

- ror in1, in2, out
- ror.s in1, in2, out, to set swap modifier.
- ror! in1, in2, out, to set set flags modifier.
- ror.s! in1, in2, out, to set both swap and set flags modifiers.

#### Summary

Bitwise circular left shift of in1 by the number of binary digits specified by the lowest byte of in2. New binary digits (most significant bits in out) are taken from the least significant bits of in1.

#### Semantic

- result is computed as in1 >>> (in2 mod 256)
- · flags are computed as follows:
  - $\circ$  EQ is set if result=0.
  - other flags are reset

Reminder: flags are only set if set flags modifier is set.

#### Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- · Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- flags, if set flags modifier is set.

#### Usage

- Operations with bit masks.
- Fast arithmetic.

#### Similar instructions

shl, shr, rol and ror are encoded as variants of the same instruction.

End RorDefinition.

# Library EraVM.sem.NearCall

Require SemanticCommon.

Import NearCallABI Addressing Common Core Flags CallStack GPR Ergs isa.CoreSet
TransientMemory PrimitiveValue State SemanticCommon.

Import ssreflect ssrfun ssrbool eqtype ssreflect.tuple.

```
Section NearCallDefinition.
Open Scope ZMod scope.
```

#### NearCall

#### **Abstract Syntax**

```
OpNearCall (in1: in reg) (dest: imm in) (handler: imm in)
```

#### Syntax

- call abi reg, callee address, exception handler as a fully expanded form.
- call abi reg, callee address
  - The assembler expands this variation to call abi\_reg, callee\_address, DEFAULT UNWIND DEST. Here:

DEFAULT\_UNWIND\_DEST is a reserved system label; the linker will resolve it to the default exception handler.

- call callee address is a simplified form.
  - Assembler expands this variation to call r0, callee\_address,

DEFAULT\_UNWIND\_DEST, where:

DEFAULT\_UNWIND\_DEST is a reserved system label; linker will resolve it to the default exception handler.

R0 is a reserved read-only register that holds 0. This variation passes all ergs to the callee.

#### Summary

Reserves a portion of the currently available ergs for a new function instance and calls the code inside the current contract space.

#### Semantic

Reminder: the *callee* is the function that we call; the *caller* is the currently executing function where a call takes place. In other words, the caller calls the callee.

Step-by-step explanation:

1. Read the value of abi\_reg and decode the following structure from NearCallABI from it. The ergs\_passed field indicates the amount of ergs we intend to pass, but the actual amount of ergs passed gets decided at runtime (see step 2).

```
Record params := { ergs passed: u32; }.
```

The actual amount of passed ergs is determined by split ergs callee caller based

on:

- The ergs allocated for the caller frame.
- The value of ergs passed.

- 2. Explanation for split ergs caller callee:
  - if ergs\_passed = 0, pass all available ergs to the callee and set the caller\_ergs to zero. Upon the callee's normal return, its unspent ergs are returned back to the caller.
  - otherwise, if caller\_ergs  $\geq$  ergs\_passed, pass exactly ergs\_passed. The caller ergs is set to the unspent amount ergs passed caller ergs.
  - otherwise, if the call is not affordable (ergs\_passed > caller\_ergs), pass all available ergs to the callee.

Function split ergs callee caller returns a pair of erg values, where:

- the first component is the amount of ergs actually passed to the callee;
- the second component is the amount of ergs left to the caller.

Note: after a normal return (not panic), the remaining ergs are returned to the caller.

- 3. Decrease the number of ergs in the caller frame.
- 4. Set up the new frame:
  - new PC is assigned the instruction's callee address argument.
  - new exception handler is assigned the instruction's handler address argument.
  - new SP is copied from the old frame as is.
  - the allocated ergs are determined by split ergs caller callee in (2).
- 5. Clear flags.

```
Inductive step_nearcall: @instruction bound → smallstep :=
| step_NearCall_pass_some_ergs:
| V (expt_handler call_addr: code_address)
| (passed_ergs callee_ergs caller_ergs: ergs)
| (new_caller:callstack) (new_frame:callstack_common) __flags
(cs:callstack) high224 regs ctx pages gs,
```

```
(callee ergs, caller ergs) = split ergs callee caller passed ergs
(ergs remaining cs) →
      new caller = ergs set caller ergs cs \rightarrow
      new frame = mk cf expt handler (sp get cs) call addr callee ergs
(gs revertable gs) →
      step nearcall
        (OpNearCall (Some (IntValue (high224, mk params passed ergs)))
call addr expt handler)
          gs transient := {|
                           gs flags := flags;
                           gs callstack := cs;
                           gs regs := regs;
                           gs context u128 := ctx;
                           gs pages := pages;
                           gs status := NoPanic;
          gs global := gs;
        { |
          gs transient := {|
                           gs flags := flags clear;
                           gs callstack := InternalCall new frame new caller;
                           gs regs := regs;
                           gs context u128 := ctx;
                           gs pages := pages;
                           gs status := NoPanic;
                          | };
          gs_global := gs;
        | } .
```

#### Affected parts of VM state

- Execution stack: a new frame is pushed on top of the execution stack, and the caller frame is changed.
  - Čaller frame:

PC of the caller frame is advanced by one, as in any instruction.

Ergs are split between caller and callee frames. See split ergs callee caller.

New (callee) frame:

PC is set to callee\_address
SP is copied to the new frame as is.

ergs are set to the actual amount passed. See split\_ergs\_callee\_caller.

exception handler

Flags are always cleared.

#### Usage

• Set ergs passed=0 to pass all available ergs to callee.

- If the first argument is omitted, all available ergs will be passed to callee.
  - Explanation: if the first argument is omitted, the assembler implicitly puts r0 in its place. The reserved register r0 always holds zero, therefore ergs passed will be decoded into zero as well.
- No particular calling convention is enforced for near calls, so it can be decided by compiler.
- Can be used for internal system code, like bootloader. For example, wrap a pair of AA call + fee payment in any order in such near call, and then rollback the entire frame atomically.

#### Similar instructions

 See OpFarCall, OpMimicCall, OpDelegateCall. They are used to call code of other contracts.

End NearCallDefinition.

## Library EraVM.sem.NearRet

```
Require SemanticCommon.

Import Common Flags CallStack isa.CoreSet State SemanticCommon.

Section NearRetDefinition.

Generalizable Variables __ regs pages ctx.

Inductive step nearret: @instruction bound → tsmallstep :=
```

# NearRet (normal return, not panic/revert)

#### **Abstract Syntax**

OpNearRet

#### Syntax

ret.ok aliased as ret

A normal return from a **near** call. Will pop up current callframe, give back unspent ergs and continue execution from the saved return address (from where the call had taken place).

#### Semantic

- 1. Pass all ergs from the current frame to the parent frame.
- 2. Drop current frame.
- 3. Clear flags.

```
| step_NearRet:
  \forall cf caller stack new caller pages,
        ergs return caller and drop (InternalCall cf caller stack) new caller
        step_nearret OpNearRet {|
                       gs_flags := __;
                       gs callstack := InternalCall cf caller stack;
                       gs regs := regs;
                       gs_pages := pages;
                       gs_context_u128 := ctx;
                       gs status := NoPanic;
                       gs_flags := flags_clear;
                       gs callstack := new caller;
                       gs regs := regs;
                       gs pages := pages;
                       gs_context_u128 := ctx;
                       gs status := NoPanic;
```

#### Affected parts of VM state

- · Flags are cleared.
- Execution stack:
  - Current frame is dropped.
  - Caller frame:

Unspent ergs are given back to caller (but memory growth is paid first).

#### Usage

Normal return from functions.

# Library EraVM.sem.NearRevert

Require SemanticCommon.

Import Common Flags CallStack GPR TransientMemory isa.CoreSet State
SemanticCommon.

Section NearRevertDefinition.
Generalizable Variables regs \_\_\_.

Inductive step nearrevert: @instruction bound → smallstep :=

# NearRevert (return with recoverable error)

#### **Abstract Syntax**

OpNearRevert

#### **Syntax**

ret.revert aliased as revert

An erroneous return from a **near** call, executes an exception handler. Will revert all changes in global\_state produced in the current frame, pop up current frame, give back unspent ergs, and proceed to execute exception handler.

The assembler expands revert to revert r1, but r1 is ignored by returns from near calls.

#### Semantic

- 1. Perform a rollback.
- 2. Retrieve an exception handler E from the current frame.
- 3. Pass all ergs from the topmost frame to the parent frame.
- 4. Drop topmost frame.
- 5. Clear flags
- 6. Proceed with executing E.

```
| step NearRevert:
    \forall cf caller_stack new_caller new_cs _eh _sp _pc _ergs saved ctx gs new_gs
pages,
          let cs := InternalCall (mk cf eh sp pc ergs saved) caller stack
in
          let handler := active exception handler cs in
          ergs return caller and drop cs new caller →
          rollback saved gs new gs →
          new cs = pc set handler new caller \rightarrow
          step nearrevert OpNearRevert
                             gs transient := {|
                                               gs_flags := __;
                                               gs callstack := InternalCall cf
caller stack;
                                               gs regs := regs;
                                               gs pages := pages;
                                               gs context u128 := ctx;
                                               gs status := NoPanic;
                             gs_global := gs;
                           | }
                           { |
                             gs transient := {|
                                               gs flags := flags clear;
                                               gs callstack := new cs;
                                               gs regs := regs;
                                               gs_pages := pages;
                                               gs context u128 := ctx;
                                               gs status := NoPanic;
                             gs_global := new gs;
                           | }
        )
```

#### Affected parts of VM state

- Flags are cleared.
- Execution stack:
  - Current frame is dropped.
  - Caller frame:

Unspent ergs are given back to caller (but memory growth is paid first).

Program counter is overwritten with the exception handler address of the dead frame.

#### Usage

Return from a recoverable error, fail-safe.

# Library EraVM.sem.NearRetTo

```
Require SemanticCommon.

Import Common Flags CallStack isa.CoreSet State SemanticCommon.

Section NearRetToDefinition.
   Generalizable Variables __ regs pages ctx.
   Inductive step nearretto: @instruction bound → tsmallstep :=
```

# NearRetTo (normal return to label, not panic/revert)

#### **Abstract Syntax**

OpNearRetTo (label: code address)

#### Syntax

• ret label

A normal return from a **near** call. Will pop up current callframe, give back unspent ergs and continue execution from an explicitly provided label.

#### Semantic

- 1. Pass all ergs from the current frame to the parent frame.
- 2. Drop current frame.
- 3. Clear flags
- 4. Set PC to the label value.

```
gs_regs := regs;
gs_pages := pages;
gs_context_u128 := ctx;
gs_status := NoPanic;

|}
{|
    gs_flags := flags_clear;
    gs_callstack := pc_set label new_caller;

    gs_regs := regs;
    gs_pages := pages;
    gs_context_u128 := ctx;
    gs_status := NoPanic;
|}
```

Affected parts of VM state

- · Flags are cleared.
- Execution stack:
  - Current frame is dropped.
  - Caller frame:

Unspent ergs are given back to caller (but memory growth is paid first). program counter is assigned the label.

#### Usage

A combination of return and jump.

Generalizable No Variables. End NearRetToDefinition.

# Library EraVM.sem.NearRevertTo

```
Require SemanticCommon.

Import Common Flags CallStack GPR TransientMemory isa.CoreSet State SemanticCommon.

Section NearRevert.
   Generalizable Variables regs pages __.
   Inductive step_nearrevertto: @instruction bound → smallstep :=
```

# NearRevertTo (return with recoverable error)

#### **Abstract Syntax**

OpNearRevertTo

#### Syntax

ret.revert label aliased as revert label

An erroneous return from a near call to a specified label. Will revert all changes in global state produced in the current frame, pop up current frame, give back unspent ergs, and proceed to execute exception handler.

The assembler expands revert label to revert r1, label, but r1 is ignored by returns from near calls.

#### Semantic

- 1. Perform a rollback.
- Pass all ergs from the topmost frame to the parent frame.
   Drop topmost frame.
   Clear flags

- 5. Proceed with executing label, i.e. replace program counter with the label's value.

```
| step_NearRevert:
   ∀ cf caller stack new_caller _eh _sp _pc _ergs saved ctx label gs new_gs
pages,
         let cs := InternalCall (mk cf eh sp pc ergs saved) caller stack
in
         let handler := active exception handler cs in
          ergs return caller and drop cs new caller →
          rollback saved gs new gs →
          step nearrevertto (OpNearRevertTo label)
                              gs transient := {|
                                               gs_flags := __ ;
                                               gs_callstack := InternalCall cf
caller stack;
                                               gs regs := regs;
                                               gs pages := pages;
                                               gs context u128 := ctx;
```

#### Affected parts of VM state

- · Flags are cleared.
- Execution stack:
  - · Current frame is dropped.
  - Caller frame:

Unspent ergs are given back to caller (but memory growth is paid first). Program counter is overwritten with the exception handler address of the dead frame.

#### Usage

Return from a recoverable error, fail-safe.

End NearRevert.

# Library EraVM.sem.StepPanic

```
From RecordUpdate Require Import RecordSet.
```

Require Addressing CallStack Common GPR Flags isa.CoreSet State Steps VMPanic. Import Addressing CallStack Common GPR Flags isa.CoreSet PrimitiveValue State Steps VMPanic. Import RecordSetNotations.

Section StepPanic.

# Handling panics

EraVM handles the panic situation as follows:

- return from the current function signaling an error;
- execute exception handler;
- · burn all ergs in current frame;
- set OF flag;
- · restore depot and event queues to the state before external call (see gs revertable).
- when returning from a far call, return no data.

#### Case 1: panic from near call

- 1. Perform a rollback.
- 2. Drop current frame with its ergs.
- 3. Set PC to the exception handler of the dropped frame.
- 4. Clear flags, and set OF.
- 5. Clears the context register.

```
Inductive step panic reason: smallstep :=
 | step PanicLocal nolabel:

∀ flags pages cf caller stack regs gs gs¹

     let handler := active exception handler (InternalCall cf caller stack) in
      rollback (cf saved checkpoint cf) gs gs' →
     step panic reason
                   gs transient:= {|
                                   gs flags := flags;
                                   gs_callstack := InternalCall cf
caller stack;
                                   gs regs := regs;
                                   gs context u128 := ;
                                   gs status := Panic reason;
                                   gs pages := pages;
                   gs_global := gs;
                 | }
                   gs_transient:= {|
                                   gs_flags := set_overflow flags_clear;
                                   gs regs := regs;
                                   gs callstack := pc set
cf. (cf exception handler location) caller stack;
                                   gs context u128 := zero128;
                                   gs status := NoPanic;
                                   gs pages := pages;
                                 | };
```

```
gs_global := gs'
}
```

#### Case 2: panic from external call

Performs all the same actions as a panic from internal call: 1. Perform a rollback. 2. Drop current frame and its ergs 3. Clear flags and set OF. 4. Clear context register. 5. Set PC to the exception handler address of a dropped frame..

In addition to that: 6. Put an encoded zero-pointer into R1 and tag R1 as a pointer. All other registers are zeroed. Registers R2, R3 and R4 are reserved and may gain a special meaning in newer versions of EraVM.

```
| step PanicExt:

∀ flags pages cf caller_stack __ regs gs gs' new_regs,
     let cs0 := ExternalCall cf (Some caller stack) in
      rollback (cf_saved_checkpoint cf) gs gs' →
     new_regs = regs_state_zero <| r1 := PtrValue zero256 |> ->
      step_panic reason
                   gs_transient := {|
                                    gs flags := flags;
                                    gs callstack := cs0;
                                    gs regs := regs;
                                     gs_context_u128 := __;
                                     gs_status := Panic reason;
                                     gs pages := pages;
                                  | } ;
                   gs_global := gs;
                 { |
                   gs transient := {|
                                     gs flags := set overflow flags clear;
                                     gs regs := new regs;
                                     gs callstack := pc set
(active exception handler cs0) caller stack;
                                     gs context u128 := zero128;
                                     gs status := NoPanic;
                                     gs pages := pages;
                                  | };
                   gs global := gs'
```

End StepPanic.

# Library EraVM.sem.Panic

Require SemanticCommon VMPanic StepPanic.

Import isa.CoreSet SemanticCommon VMPanic StepPanic.

Inductive step\_oppanic: @instruction bound → smallstep :=

# Panic (irrecoverable error, not normal return/not return from recoverable error)

Return from a function/contract signaling an error; execute exception handler, burn all ergs in current frame, set OF flag, return nothing, perform rollback. See Panics.

#### **Abstract Syntax**

OpPanic

#### Syntax

ret.panic aliased as panic

An abnormal return from a **near** call. Will drop current callframe, burn all ergs and pass control to the current exception handler, setting OF flag.

Additionally, restore storage and event queues to the state before external call.

#### Semantic

Trigger panic with a reason TriggeredExplicitly. See Panics.

```
| step_trigger_panic:
    ∀ s s',
    step_panic TriggeredExplicitly s s' →
    step oppanic OpPanic s s'.
```

#### Affected parts of VM state

- Flags are cleared, then OF is set.
- Context register is zeroed (only returns from far calls).
- Registers are cleared (only returns from far calls).
- Execution stack:
  - Current frame is dropped.
  - Caller frame:

if a label is explicitly provided, and current frame is internal (near call), then caller's PC is overwritten with the label. Returns from external calls ignore label, even if it is explicitly provided.

Unspent ergs are given back to caller (but memory growth is paid first).

· Storage changes are reverted.

#### Usage

 Abnormal returns from near/far calls when an irrecoverable error has happened. Use revert for recoverable errors.

#### Similar instructions

- ret returns to the caller instead of executing an exception handler, and does not burn ergs.
- revert acts similar to panic but does not burn ergs, returns data to the caller, and does not set an overflow flag.

# Library EraVM.sem.NearPanicTo

From RecordUpdate Require Import RecordSet. Require SemanticCommon StepPanic.

Import Common Flags CallStack GPR TransientMemory isa.CoreSet State SemanticCommon VMPanic RecordSetNotations StepPanic isa.CoreSet.

Section NearPanicToDefinition.
Inductive step\_panicto: instruction → smallstep :=

# NearPanic (abnormal return, not return/revert)

#### **Abstract Syntax**

OpNearPanicTo

#### **Syntax**

ret.panic label aliased as panic label

An erroneous return from a **near** call to a specified label. Will revert all changes in <code>global\_state</code> produced in the current frame, drop the current frame, give back unspent ergs, and proceed to execute exception handler.

The assembler expands panic label to panic r1, label, but r1 is ignored by returns from near calls

#### Semantic

- 1. Perform a rollback.
- 2. Drop topmost frame. Its ergs are burned (lost).
- 3. Set flag OF LT, clear all other flags.
- 4. Proceed with executing label, i.e. replace program counter with the label's value.

#### Affected parts of VM state

- Flags are cleared.
- Execution stack:
  - Current frame is dropped.
  - Caller frame:

Unspent ergs are given back to caller (but memory growth is paid first). Program counter is overwritten with the exception handler address of the dead frame.

#### Usage

Return from an irrecoverable error, fail-fast.

End NearPanicToDefinition.

# Library EraVM.sem.Farcall

```
From RecordUpdate Require Import RecordSet.
Require
ABI
CallStack
Common
Decommitter
MemoryManagement
MemoryOps
Pointer
SemanticCommon
TransientMemory
isa.CoreSet
Import
  BinIntDef.Z
   Bool
   List
    ListNotations
    ZArith.
Import
    ABI
     FarCallABI
     FatPointerABI
    CallStack
    Coder
    Common
    Core
    Decommitter
    Ergs
    Flags
    GPR
    KernelMode
    memory.Depot
    MemoryBase
    MemoryContext
    MemoryManagement
    MemoryOps
```

```
PrimitiveValue
RecordSetNotations
SemanticCommon
TransientMemory
State
VersionedHash
isa.CoreSet
Addressing
```

Import Addressing.Coercions.

```
Local Coercion Z.b2z: bool >-> Z. Section FarCalls.
```

#### Far calls

Far calls are calls to the code outside the current contract space. This section describes three instructions to perform far calls:

- OpFarCall
- OpDelegateCall
- OpMimicCall (available only in kernel mode)

These instructions differ in the way they construct new frame.

The far call instructions have rich semantics; their full effect on the VM state is described through the following main predicates:

- Semantics.step
- step
- fetch\_operands
- farcall

If you know about fetching operands for instructions and the instruction fetching described in Semantics.step, start investigating farcalls from the farcall predicate.

```
Section Parameters.

Open Scope Z_scope.

Open Scope ZMod scope.
```

#### Global farcall parameters

1. Initial preallocated stack space.

A far call creates a new context with a new stack page (and other pages, see page\_alloc). The initial SP value after a far call is set to INITIAL SP ON FAR CALL.

Therefore, addresses in range from 0 inclusive to INITIAL\_SP\_ON\_FAR\_CALL exclusive can be used as a scratch space.

```
Definition INITIAL_SP_ON_FAR_CALL : stack_address := fromZ 1024.
```

2. Initial heap and auxheap pages bound.

The heap and auxheap pages start with <a href="NEW\_FRAME\_MEMORY\_STIPEND">NEW\_FRAME\_MEMORY\_STIPEND</a> bound. Growing them beyond this bound costs ergs.

```
Definition NEW_FRAME_MEMORY_STIPEND : mem_address := fromZ 1024.
```

End Parameters.

3. Maximal fraction of ergs allowed to pass.

It is not allowed to pass more than 63/64th of your remaining ergs to a far call.

```
Definition max_passable (remaining:ergs) : ergs := fromZ (toZ remaining × 63 /
64 ) %Z.
Inductive pass_allowed_ergs : (ergs × callstack )-> ergs × callstack → Prop :=
| pae_apply: V csl cs2 pass_ergs_query,
    let pass_ergs_actual := min (max_passable (ergs_remaining csl))
pass_ergs_query in
    pay pass_ergs_actual csl cs2 →
    pass_ergs_query ≠ zero32 →
    pass_allowed_ergs (pass_ergs_query,csl) (pass_ergs_actual, cs2)
| pae_zero: V csl cs2,
    let pass_ergs_actual := max_passable (ergs_remaining csl) in
    pay pass_ergs_actual csl cs2 →
    pass_allowed_ergs (zero32, csl) (pass_ergs_actual, cs2).
```

#### Helpers

Far call creates a new execution context with new pages for:

- code
- const (in the current implementation, const and code pages are the same page).
- stack
- heap
- auxheap

The initial bounds for the new heap and auxheap pages are set to NEW FRAME MEMORY STIPEND.

```
Inductive alloc pages extframe: pages × mem ctx → code page → const page →
pages × mem ctx → Prop :=
| ape alloc: ∀ code const (mm:pages) ctx code id const id stack id heap id
heap aux id,
    code_id = List.length mm \rightarrow
    (const id = code id + 1) nat \rightarrow
    (stack id = code id + 2)%nat →
    (heap id = code id + 3)%nat \rightarrow
    (heap aux id = code id + 4) % nat \rightarrow
    alloc pages extframe (mm, ctx) code const
      ( (heap aux id, (mk page (DataPage (empty data page params))))::
          (heap id, (mk page (DataPage (empty ))))::
          (stack id, (mk page (StackPage (empty stack page params))))::
          (const id, (mk page (ConstPage const)))::
          (code id, (mk page (CodePage code)))::mm,
        { |
          ctx code page id := code id;
          ctx const page id := const id;
          ctx stack page id := stack id;
          ctx heap page id := heap id;
          ctx auxheap page id := heap aux id;
          ctx heap bound := NEW FRAME MEMORY STIPEND;
          ctx auxheap bound := NEW FRAME MEMORY STIPEND;
        |} ).
Inductive alloc mem extframe: memory × mem ctx → code page → const page →
memory × mem ctx → Prop :=
| ame apply: ∀ p c p' c' code const,
    alloc pages extframe (p,c) code const (p',c') →
    alloc mem extframe (mk pages p,c) code const (mk pages p',c').
```

Fetch code and pay the associated cost. If  $masking\_allowed$  is true and there is no code associated with a given contract address, then the default AA code will be fetched. See  $code\_fetch$ .

```
pay cost decomm cs0 cs1 →
   paid code fetch masking allowed sid depot codes dest addr cs0 (Fetched cs1
new code page new const page)
| cfp unaffordable:
 ▼ depot (codes:decommitter) (dest addr: contract address) vhash dest addr
new code page new const page code length cost decomm cs0 ,
   code_fetch _ depot codes.(cm_storage _) sid dest_addr masking_allowed
(vhash, (new_code_page, new_const_page), code_length) →
   decommitment cost codes vhash code length cost decomm →
   affordable cs0 cost decomm = false \rightarrow
   paid code fetch masking allowed sid depot codes dest addr cs0
(CodeFetchUnaffordable cost decomm)
| cfp invalid hash:
 ♥ depot (codes:decommitter) (dest addr: contract address) vhash dest addr
new code page new const page code length cs0 ,
   code fetch depot codes.(cm storage ) sid dest addr masking allowed
(vhash, (new code page, new const page), code length) →
   marker valid (extra marker vhash) = false →
   paid code fetch masking allowed sid depot codes dest addr cs0
(CodeFetchInvalidVerisonedHashFormat vhash)
```

#### System calls

A system call is a far call that satisfies the following conditions:

- The destination is a kernel address.
- The field is system of FarCall.params passed through an operand is set to 1.

#### Far call instructions

#### Summary

- · Far calls are calls to the code outside the current contract space.
- Mimic calls are a kernel-only variation of far calls allowing to mimic a call from any contract by impersonating an arbitrary caller and putting an arbitrary address into the new callframe's ecf msg sender field.
- Delegate calls are a variation of far calls allowing to call a contract with the current storage space.

**Example**: Suppose we have contracts A,B,C. Contract A called contract B normally, then contract B delegated to contract C. Then C's code will be executed in a context of B's storage, as if contract A called contract C. If contract C returns normally, the execution will proceed from the next

instruction of B after delegate call. In case of revert or panic in C, all the usual rules apply.

#### Abstract and concrete syntax

```
    OpFarCall abi_params address handler is_static
    far_call abi_reg, dest_addr, handler
    far_call.static abi_reg, dest_addr, handler
    far_call.shard abi_reg, dest_addr, handler
    OpDelegateCall abi_params address handler is_static`
    far_call.delegate abi_reg, dest_addr, handler
    far_call.delegate.static abi_reg, dest_addr, handler
    far_call.delegate.shard abi_reg, dest_addr, handler
    OpMimicCall abi_params address handler is_static
    far_call.mimic abi_reg, dest_addr
    far_call.mimic.static abi_reg, dest_addr
    far_call.mimic.static abi_reg, dest_addr
    far_call.mimic.static abi_reg, dest_addr, handler
    far_call.mimic.shard abi_reg, dest_addr
    far_call.mimic.shard abi_reg, dest_addr, handler
    far_call.mimic.shard abi_reg, dest_addr, handler
```

- **static** modifier marks the new execution stack frame as 'static', preventing some instructions from being executed. Calls from a static calls are automatically marked static.
- shard modifier allows calling code from other shards. The shard ID will be taken from abi reg.

#### Semantic

1. Decode the structure params from abi reg:

```
Inductive fwd_memory :=
   ForwardFatPointer (p:fat_ptr)
| ForwardNewFatPointer (heap_var: data_page_type) (s:span).

Record params :=
   mk_params {
      fwd_memory: fwd_memory;
      ergs_passed: ergs;
      shard_id: shard_id;
      constructor_call: bool;
      to_system: bool;
   }.
```

3. Decommit code of the callee contract (formalized by paid code fetch):

• load the versioned\_hash of the called code from the storage of a special contract located at DEPLOYER SYSTEM CONTRACT ADDRESS.

- o for non-system calls, if there is no code stored for a provided hash value, mask it into VersionedHash.DEFAULT\_AA\_VHASH and execute VersionedHash.DEFAULT\_AA\_CODE.
- if the code with such hash has not been accessed in the current block, pay for decommitment.
- 4. Forward data to the new frame (formalized by paid forward and adjust bounds).
  - If params. (fwd\_memory) is ForwardExistingFatPointer p, we are forwarding an existing fat pointer.

```
ensure that abi_reg is tagged as a pointer.
check the pointer validity;
fat ptr narrow the pointer;
```

 If params. (fwd\_memory) is ForwardNewFatPointer variant span, a new fat\_ptr is created. This pointer refers to the provided span of specified heap variant.

Note the decoding of ForwardNewFatPointer in fwd\_memory\_adapter and especially span of.

- 5. Allocate new pages for code, constants, stack, heap and auxheap (formalized by alloc pages extframe).
- 6. Reserve ergs for the new external frame (formalized by pass allowed ergs).
  - Maximum amount of ergs passed to an external call is 63/64 of ergs allocated for the caller.
  - · Attempting to pass more ergs will result in only passing the maximum amount allowed.
  - Trying to pass 0 ergs will result in passing maximum amount of ergs allowed.
- 7. Clear the context register.
- 8. Clear flags.
- 9. Modify GPRs depending on the call being system or not (formalized by regs effect):
  - Effect of a non-system call:
     All registers are cleared.
     Register R1 is assigned a fat pointer to forward data to the far call. See
     paid forward.
  - Effect of a system call:

```
Register R1 is assigned a fat pointer to forward data to the far call. See paid_forward.

Register R2 is assigned a bit-value:
   bit 1 indicates "this is a system call"
   bit 0 indicates "this is a constructor call"

Registers r3, r4, ..., r15 are reserved; their pointer tags are cleared, but their values are unchanged.

Registers r14 and r15 are cleared.
```

```
Definition regs effect regs (is system is ctor:bool) ptr :=
 let far call r2 :=
    let is system bit := Z.shiftl is system 1 in
   let is ctor bit := Z.shiftl is ctor 0 in
   let bits := Z.lor is_system_bit is_ctor_bit in
    IntValue (fromZ bits) in
 match encode fat ptr word zero128 ptr with
    | Some enc ptr \Rightarrow Some
        (if is system then
          regs
            <| r1 := PtrValue enc ptr |>
            <| r2 := far call r2 |>
      (* In system calls, preserve values in r3-r13 but clear ptr tags *)
            <| r3 ::= clear pointer tag |>
            <| r4 ::= clear pointer tag |>
            <| r5 ::= clear pointer tag |>
            <| r6 ::= clear pointer tag |>
            <| r7 ::= clear pointer tag |>
            <| r8 ::= clear pointer tag |>
            <| r9 ::= clear pointer tag |>
            <| r10 ::= clear pointer tag |>
            <| r11 ::= clear pointer tag |>
            <| r12 ::= clear pointer tag |>
            <| r13 ::= clear pointer tag |>
            (* zero the rest *)
            <| r14 := IntValue word0 |>
            <| r15 := IntValue word0 |>
        else
          regs state zero <| r1 := PtrValue enc ptr |> <| r2 := far call r2 |>
        )
     _ ⇒ None
 end.
```

#### 10. Form a new execution stack frame:

- the call is static if the current call is static, or if .is\_static modifier is applied to instruction;
- set exception handler to handler address provided in the instruction;
- it is a checkpoint that saves all storage states;
- start PC at 0;
- start SP at INITIAL SP ON FAR CALL;
- this\_address,msg\_sender and context fields are affected by the farcall\_type as follows:

```
Normal far call sets:
                     this address <- destination address;
                    msg sender <- caller address;
                     context <- value of context register gs context u128.
                 Delegate call sets:
                    this address <- this address of the current frame;
                    msg sender <- msg sender of the current frame;
                     context <- context u128 of the current frame.
                 Mimic call sets:
                     this address <- destination address;
                    msg sender <- value of r15;
                     context <- value of context register gs context u128.
Definition CALL IMPLICIT PARAMETER REG := R15.
Inductive farcall type : Set := Normal | Mimic | Delegate.
Definition select this address type (caller dest: contract address) :=
 match type with
 | Normal ⇒ dest
 | Mimic ⇒ dest
 | Delegate ⇒ caller
 end.
Definition select sender type (callers caller caller: contract address) regs
 match type with
 | Normal \Rightarrow caller
 | Delegate ⇒ callers caller
  | Mimic ⇒
      let r15 value := (fetch gpr regs CALL IMPLICIT PARAMETER REG).(value) in
      low contract address bits r15 value
  end.
Definition select associated contracts type regs (ac:associated contracts)
(call dest: contract address): associated contracts :=
 match ac with
 | mk_assoc_contracts this_address msg_sender code address ⇒
        ecf this address := select this address type this address call dest;
        ecf msg sender := select sender type ac. (ecf msg sender) this address
regs;
        ecf code address := call dest;
      | }
  end.
Definition select ctx type (reg ctx frame ctx: u128) :=
 match type with
 | Normal | Mimic ⇒ reg ctx
 | Delegate ⇒ frame ctx
Definition new code shard id (is call shard:bool)
  (provided current shard: shard id) : shard id :=
  if is call shard then provided else current_shard.
```

```
Definition select shards (type: farcall type) (is call shard: bool) (provided:
shard id) (ss: active shards) : active shards :=
 match ss with
 | mk shards old_this _ code ⇒
     let new caller := old this in
     let new code := new code shard id is call shard provided new caller in
      let new this := match type with | Delegate ⇒ new caller | ⇒ new code
end in
      { |
        shard_this := new_this;
       shard caller := new caller;
       shard code := new code;
 end.
Section FarCallDefinitions.
 Import Pointer.
 Context (type:farcall type) (is static call is shard provided:bool)
(dest:contract address) (handler: code address) (gs:global state).
 Inductive farcall : @primitive value FarCallABI.params → tsmallstep :=
 | farcall fwd existing fatptr: ∀ flags old regs old pages cs0 cs1
new caller stack new stack reg context u128 new regs new pages new code page
new const page new mem ctx (in ptr narrowed ptr: fat ptr) abi shard ergs query
ergs actual is syscall query,
      let caller extframe := active extframe cs0 in
     let mem ctx0 := ecf mem ctx caller extframe in
     let is_system := addr_is_kernel dest && is_syscall_query in
     let allow masking := negb is system in
     let callee shard := if is shard provided then abi shard else
current shard cs0 in
     paid code fetch allow masking callee shard (gs depot gs) (gs contracts
gs) dest cs0 (Fetched cs1 new code page new const page) →
      (*!*) validate in ptr = no exceptions →
      (*!*) fat ptr narrow in ptr narrowed ptr →
     alloc pages extframe (old pages, mem ctx0) new code page new const page
(new pages, new mem ctx) →
     pass_allowed_ergs (ergs_query,cs1) (ergs_actual, new_caller_stack) ->
     new stack = ExternalCall { |
                           ecf associated := select associated contracts type
old regs caller extframe. (ecf associated) dest;
                           ecf context u128 value := select ctx type
reg_context_u128 caller_extframe.(ecf context u128 value);
                           ecf_shards := select_shards type is_shard_provided
abi shard caller extframe. (ecf shards);
                           ecf mem ctx := new mem ctx;
                           ecf is static := ecf is static caller extframe ||
is static call;
                           ecf common := {|
```

```
cf exception handler location :=
handler;
                                           cf sp := INITIAL SP ON FAR CALL;
                                           cf pc := zero16;
                                           cf ergs remaining := ergs actual;
                                           cf saved checkpoint :=
gs.(gs revertable);
                                         | };
                         |} (Some new caller stack) →
      Some new regs = regs effect old regs is system false (NotNullPtr
narrowed ptr) →
      farcall
        (PtrValue {|
FarCallABI.fwd memory := ForwardExistingFatPointer (NotNullPtr in ptr);
           ergs passed := ergs query;
FarCallABI.shard id := abi shard;
           constructor call := false;
           to_system := is_syscall_query;
        | } )
        { |
          gs flags := flags;
          gs regs := old regs;
          gs pages := old pages;
          gs callstack := cs0;
          gs context u128 := reg context u128;
          gs status := NoPanic;
          gs flags := flags clear;
          gs regs := new regs;
          gs_pages := new_pages;
          gs callstack := new stack;
          gs context u128 := zero128;
          gs status := NoPanic;
  \mid farcall fwd new ptr: \forall flags old regs old pages cs0 cs1 cs2 new regs
new_caller_stack new_stack reg_context_u128 new_pages new_code_page
new const page new mem ctx abi shard ergs query ergs actual is syscall query
out ptr in_span page_type,
      let is system := addr is kernel dest && is syscall query in
      let allow masking := negb is system in
      let callee shard := if is shard provided then abi shard else
current shard cs0 in
      paid code fetch allow masking callee shard
        gs.(gs revertable).(gs depot) gs.(gs contracts) dest cs0 (Fetched cs1
new code page new const page) →
      (*!*) paid_forward_new_fat_ptr page_type in_span cs0 (out_ptr, cs1) \rightarrow
      let caller extframe := active extframe cs2 in
      let mem ctx0 := caller extframe.(ecf mem ctx) in
      alloc pages extframe (old pages, mem ctx0) new code page new const page
(new pages, new mem ctx) →
      pass_allowed_ergs (ergs_query,cs2) (ergs_actual, new_caller_stack) →
```

```
new stack = ExternalCall {|
                           ecf associated := select associated contracts type
old regs caller extframe. (ecf associated) dest;
                           ecf context u128 value := select ctx type
reg context u128 caller extframe. (ecf context u128 value);
                            ecf shards := select shards type is shard provided
abi_shard caller_extframe.(ecf_shards);
                           ecf mem ctx := new mem ctx;
                           ecf is static := ecf is static caller extframe ||
is static call;
                            ecf common := {|
                                           cf exception handler location :=
handler;
                                           cf_sp := INITIAL_SP_ON_FAR_CALL;
                                           cf pc := zero16;
                                           cf_ergs_remaining := ergs_actual;
                                           cf saved checkpoint :=
gs.(gs revertable);
                                         | } ;
                         | \} (Some new caller stack) \rightarrow
      Some new_regs = regs_effect old_regs is_system false (NotNullPtr out_ptr)
      farcall
        (IntValue {|
FarCallABI.fwd memory := ForwardNewFatPointer page type in span;
          ergs passed := ergs query;
FarCallABI.shard id := abi shard;
          constructor call := false;
          to_system := is_syscall_query;
(*!*) |})
          gs flags := flags;
          gs regs := old regs;
          gs pages := old pages;
          gs callstack := cs0;
          gs_context_u128 := reg_context_u128;
          gs status := NoPanic;
          gs flags := flags clear;
          gs regs := new regs;
          gs_pages := new_pages;
          gs_callstack := new_stack;
          gs context u128 := zero128;
          gs status := NoPanic;
```

- flags are cleared
- registers are affected as described by regs effect.

- new pages appear as described by alloc pages extframe.
- · context register is zeroed.
- execution stack is affected in a non-trivial way (see step 10 in description for farcall).

#### Comparison with near calls

- Far calls can not accept more than max\_passable ergs, while near calls may accept all available
  ergs.
- Abnormal returns from far calls through OpPanic or OpRevert roll back all storage changes that
  occured during the contract execution.

This includes exceptional situations when an error occured and the current instruction is masked as OpPanic.

#### Usage

- Calling other contracts
- Calling precompiles Usually we call a system contract with assigned precompile. It prepares data for a precompile, performs precompile call, and returns the result.

#### **Encoding**

• In the encoding, OpDelegateCall, OpFarCall, and OpMimicCall share the same opcode.

#### **Panics**

1. Attempting to pass an existing fat ptr, but the passed value is not tagged as a pointer.

```
| farcall_fwd_existing_fatptr_notag: ∀ (ts1 ts2:transient_state) ___0 __1
_2 __3 __4,

ts2 = ts1 <| gs_status := Panic FarCallInputIsNotPointerWhenExpected |> →
farcall
   (IntValue {|
            FarCallABI.fwd_memory := ForwardExistingFatPointer ___0;
            ergs_passed := ___1;
            FarCallABI.shard_id := ___2;
            constructor_call := ___3;
            to_system := __4;
            |}) ts1 ts2
```

2. The hash for the contract code (stored in the storage of DEPLOYER\_SYSTEM\_CONTRACT\_ADDRESS) is malformed.

```
| farcall_malformed_decommitment_hash: ∀ cs0 abi_shard is_syscall_query ts1
```

```
ts2 1 2 3 4 tag,
     let is system := addr is kernel dest && is syscall query in
     let allow masking := negb is system in
     let callee shard := if is shard provided then abi shard else
current shard cs0 in
     paid code fetch allow masking callee shard (gs depot gs) (gs contracts
gs) dest cs0 (CodeFetchInvalidVerisonedHashFormat 4) \rightarrow
      ts2 = ts1 < | gs status := Panic FarCallInvalidCodeHashFormat |> \rightarrow
      farcall
        (mk pv tag {|
         FarCallABI.fwd memory := 1;
         ergs passed := 2;
         FarCallABI.shard id := abi shard;
         constructor call := 3;
         to system := is syscall query;
       | } )
      ts1 ts2
```

3. Not enough ergs to pay for code decommitment.

```
\mid farcall decommitment unaffordable: \forall cs0 abi shard is syscall query ts1 ts2
 _1 ___2 ___3 ___4 _tag,
      let is system := addr is kernel dest && is syscall query in
      let allow masking := negb is system in
      let callee shard := if is shard provided then abi shard else
current shard cs0 in
      paid code fetch allow masking callee shard (gs depot gs) (gs contracts
gs) dest cs0 (CodeFetchUnaffordable 1) \rightarrow
      cs0 = gs callstack ts1 \rightarrow
      ts2 = ts1 < | gs status := Panic FarCallNotEnoughErgsToDecommit |> \rightarrow
      farcall
        (mk pv tag {|
          FarCallABI.fwd memory := 2;
          ergs_passed := ___3;
          FarCallABI.shard id := abi shard;
          constructor call := 4;
          to system := is syscall query;
        | } )
       ts1 ts2
```

4. Paid for decommitment; Returning a new fat pointer, but not enough ergs to pay for memory growth.

```
| farcall_fwd_new_ptr_growth_unaffordable: \( \forall \) cs0 cs1 ___1 __2 abi_shard ergs_query is_syscall_query in_span page_type bound growth_query ts1 ts2,

let is_system := addr_is_kernel dest && is_syscall_query in let allow_masking := negb is_system in let callee_shard := if is_shard_provided then abi_shard else current_shard cs0 in

paid_code_fetch allow_masking callee_shard
```

```
gs.(gs revertable).(gs depot) gs.(gs contracts) dest cs0 (Fetched cs1
1 2) →
    bound of span in span page type bound -
    growth to bound bound cs1 growth query -
    affordable cs1 (cost of growth growth query) = false \rightarrow
    cs0 = gs callstack ts1 \rightarrow
    ts2 = ts1 < | gs status := Panic FarCallNotEnoughErgsToGrowMemory |> \rightarrow
    farcall
      (IntValue { |
        FarCallABI.fwd memory := ForwardNewFatPointer page type in span;
        ergs passed := ergs query;
        FarCallABI.shard id := abi shard;
        constructor_call := false;
        to system := is syscall query;
        | } )
     ts1 ts2
```

#### Not formalized

system contracts + constructor calls + "call in now constructed system contract" exception

```
End FarCallDefinitions.
Inductive step farcall : instruction → smallstep :=
| step farcall normal: ∀ handler pv abi (dest:word) call shard call as static
s1 s2 ts1 ts2 ( :bool),
   let dest addr := low contract address bits dest in
   let handler code addr := low code address bits handler in
   farcall Normal call as static call shard dest addr handler code addr
s1.(gs global) pv abi ts1 ts2 →
   step transient only ts1 ts2 s1 s2 →
   step farcall (OpFarCall (Some pv abi) (mk pv dest) handler call shard
call as static) s1 s2
| step farcall mimic: ∀ handler pv abi (dest:word) call shard call as static s1
s2 ts1 ts2 ( :bool),
   let dest addr := low contract address bits dest in
   let handler code addr := low code address bits handler in
    farcall Mimic call as static call shard dest addr handler code addr
s1.(gs global) pv abi ts1 ts2 \rightarrow
   step transient only ts1 ts2 s1 s2 →
   step_farcall (OpMimicCall (Some pv_abi) (mk_pv __ dest) handler call_shard
call as static) s1 s2
| step_farcall_delegate: ∀ handler pv_abi (dest:word) call_shard call_as_static
s1 s2 ts1 ts2 ( :bool),
   let dest addr := low contract address bits dest in
   let handler code addr := low code address bits handler in
```

```
farcall Delegate call_as_static call_shard dest_addr handler_code_addr
s1.(gs_global) pv_abi ts1 ts2 →
    step_transient_only ts1 ts2 s1 s2 →
    step_farcall (OpDelegateCall (Some pv_abi) (mk_pv __ dest) handler
call_shard call_as_static) s1 s2
.
End FarCalls.
```

# Library EraVM.sem.FarRet

```
From RecordUpdate Require Import RecordSet.
Require
ABI
Bool
CallStack
Coder
Common
Flags
MemoryContext
MemoryManagement
Pointer
PrimitiveValue
SemanticCommon
State.
Import
ABI
FatPointerABI
Bool
CallStack
Coder
Common
Flags
isa.CoreSet
MemoryContext
MemoryManagement
Pointer
PrimitiveValue
RecordSetNotations
SemanticCommon
State
StepPanic
Section FarRetDefinition.
  Let reserve regs :=
  regs <| r2 := reserved |> <| r3 := reserved |> <| r4 := reserved |>.
  Inductive step farret: instruction → tsmallstep :=
```

# Far return (normal return, not panic/revert)

# **Abstract Syntax**

```
OpFarRet (args: in reg)
```

#### Syntax

```
ret in1
```

A normal return from a **far** call. Will pop up current callframe, return unspent ergs to the caller, and continue execution from the saved return address (from where the call had taken place). The register args describes a span of memory passed to the external caller.

The assembler expands ret to ret r1; r1 is ignored by returns from near calls.

#### Semantic

1. Fetch the value from register args and decode the value of type fwd memory:

```
Inductive fwd_memory :=
   ForwardFatPointer (p:fat_ptr)
| ForwardNewFatPointer (heap var: data page type) (s:span).
```

The exact encoding is described by ABI.

- 2. Forward memory to the caller (see paid forward):
  - If args is ForwardFatPointer p, an existing fat ptr is forwarded:

ensure that the register containing args is tagged as a pointer. ensure that the memory page of p does NOT refer to a page owned by an older frame

fat ptr narrow p so it starts at its current offset, and the offset is reset to zero.

There is no payment because the existing fat pointer has already been paid for.

Attention: shrinking and narrowing far pointers are different. See fat\_ptr\_shrink and fat ptr narrow.

• If args is ForwardNewFatPointer heap\_variant [start; limit), a new fat ptr is created:

let B be the bound of the heap variant taken from ctx heap bound field of

```
ecf mem ctx of the active extframe.
```

let I be the page id of the <code>heap\_variant</code> taken from <code>ctx\_heap\_page\_id</code> field of <code>ecf\_mem\_ctx</code> of the <code>active\_extframe</code>.

build a fat pointer P from the span as described in <code>paid\_forward\_heap\_span</code>.

$$P := (I, (start, limit), 0)$$

if start+limit>B, pay for the growth difference (growth\_cost (start+limit-B)).

Note: it is not useful to readjust the current heap/auxheap bounds after paying for growth. The bounds are part of <a href="mailto:mem\_ctx">mem\_ctx</a> of the topmost frame, which is about to be discarded.

- 3. Return the remaining ergs from cf ergs remaining of the destroyed frame to the caller.
- 4. Clear flags.
- 5. Encode P and store it in register r1, setting its pointer tag.

All other registers are zeroed. Registers r2, r3, and r4 are reserved and may gain a special meaning in newer versions of EraVM.

6. Clear context register.

```
| step RetExt heapvar:

∀ pages cf caller_stack cs1 new_caller new_regs ___1 ___2 ___3 out_ptr

heap type hspan params s1 s2 status enc ptr,
    let cs0 := ExternalCall cf (Some caller stack) in
    paid forward new fat ptr heap type hspan cs0 (out ptr, cs1) \rightarrow
    ergs return caller and drop cs1 new caller →
    params = FarRetABI.mk params (ForwardNewFatPointer heap type hspan) →
    Some enc ptr = encode fat ptr word zero128 (NotNullPtr out ptr) \rightarrow
    new regs = (reserve regs state zero)
                              <| r1 := PtrValue enc ptr |> \rightarrow
    step transient only {|
                           gs flags := 1 ;
                           gs callstack := cs0;
                           gs regs := 2;
                           gs context u128 := 3;
                           gs pages := pages;
                           gs status := status;
                         | }
                         { |
                           gs_flags := flags_clear;
                           gs callstack := new caller;
                           gs regs := new regs;
```

```
gs context u128 := zero128;
                          gs pages := pages;
                          gs status := status;
                           |} s1 s2 →
    step farret (OpFarRet (Some (IntValue params))) s1 s2
 | step RetExt ForwardFatPointer:

∀ pages cf caller_stack cs1 new_caller new_regs ___1 __2 ___3 in_ptr out_ptr

page params s1 s2 status enc ptr,
   let cs0 := ExternalCall cf (Some caller stack) in
   in ptr.(fp page) = Some page →
   page older page (get mem ctx cs0) = false→
   validate in_ptr = no_exceptions →
    fat ptr narrow in ptr out ptr →
   ergs return caller and drop cs1 new caller →
   params = FarRetABI.mk params (ForwardExistingFatPointer (NotNullPtr
in ptr)) \rightarrow
   Some enc_ptr = encode_fat_ptr_word zero128 (NotNullPtr out_ptr) \rightarrow
   new regs = (reserve regs state zero)
                             <| r1 := PtrValue enc ptr |> \rightarrow
   step transient only {|
                          gs flags := 1;
                          gs callstack := cs0;
                          gs_regs := ___2;
                          gs_context_u128 := 3;
                          gs pages := pages;
                          gs status := status;
                        | }
                        { |
                          gs flags := flags clear;
                          gs callstack := new caller;
                          gs regs := new regs;
                          gs context u128 := zero128;
                          gs pages := pages;
                          gs status := status;
                          |} s1 s2 →
    step farret (OpFarRet (Some (PtrValue params))) s1 s2
```

- Flags are cleared.
- Context register is zeroed (only returns from far calls).
- Registers are cleared (only returns from far calls).

- Execution stack:
  - Current frame is dropped.
  - Caller frame:

Unspent ergs are given back to caller (but memory growth is paid first).

#### Usage

#### Similar instructions

- revert executes the current frame's exception handler instead of returning to the caller.
- panic executes the current frame's exception handler instead of returning to the caller, and sets overflow flag.

#### **Panics**

1. Attempt to forward an existing fat pointer, but the value holding RetABI is not tagged as a pointer.

```
| step_RetExt_ForwardFatPointer_requires_ptrtag:
V cf caller_stack params ___1 __2 (s1 s2:state),
let cs0 := ExternalCall cf (Some caller_stack) in
gs_callstack s1 = cs0 →
params = FarRetABI.mk_params (ForwardExistingFatPointer ___1) →
step_panic
RetABIExistingFatPointerWithoutTag
s1 s2 →
step_farret (OpFarRet (Some (IntValue ___2))) s1 s2
```

2. Attempt to return a pointer created before the current callframe. It is forbidden to pass a pointer to a contract in a far call and return it back. Otherwise we could create a  $\mathtt{fat\_ptr}\,P$  to a heap page of contract A, pass it to a contract B, return it back to A, and then modify the contents on the heap page of A. This way we will also modify the memory  $\mathtt{slice}$  associated with P.

In other words, this is a situation where:

- caller makes far call to some contract;
- callee does return-forward @calldataptr;
- caller modifies calldata corresponding heap region, that leads to modification of returndata.

```
| step_RetExt_ForwardFatPointer_returning_older_pointer:
V cf caller_stack in_ptr page params (s1 s2:state) _tag,
let cs0 := ExternalCall cf (Some caller_stack) in
gs callstack s1 = cs0 →
```

```
in ptr.(fp page) = Some page →
    page older page (get mem ctx cs0) = true →
    params = FarRetABI.mk params (ForwardExistingFatPointer (NotNullPtr
in ptr)) \rightarrow
   step_panic
     RetABIReturnsPointerCreatedByCaller
      s1 s2 →
    step farret (OpFarRet (Some (mk pv tag params))) s1 s2
      3. Attempt to return a malformed pointer.
  | step RetExt ForwardFatPointer returning malformed pointer:
  \forall cf caller stack tag (in ptr: fat ptr) params (s1 s2:state) ,
    let cs0 := ExternalCall cf (Some caller stack) in
    gs callstack s1 = cs0 \rightarrow
    validate in ptr ≠ no exceptions →
    params = FarRetABI.mk params (ForwardExistingFatPointer (NotNullPtr
in_ptr)) →
   step panic
     FatPointerMalformed
      s1 s2 →
    step farret (OpFarRet (Some (mk pv tag params))) s1 s2
      4. Attempt to return a new pointer but unable to pay for memory growth.
| step RetExt heapvar growth unaffordable:

∀ cf caller stack tag heap type hspan params (s1 s2:state),

    let cs0 := ExternalCall cf (Some caller_stack) in
    gs callstack s1 = cs0 \rightarrow
    params = FarRetABI.mk_params (ForwardNewFatPointer heap_type hspan) →
    growth to span unaffordable cs0 heap type hspan →
    step panic
     FatPointerCreationUnaffordable
      s1 s2 →
    step farret (OpFarRet (Some (mk pv tag params))) s1 s2
End FarRetDefinition.
```

# Library EraVM.sem.FarRevert

```
From RecordUpdate Require Import RecordSet.

Require
ABI
Bool
CallStack
Coder
```

```
Common
Flags
MemoryContext
MemoryManagement
Pointer
PrimitiveValue
SemanticCommon
State.
Import
FatPointerABI
Bool
CallStack
Coder
Common
Flags
GPR
isa.CoreSet
MemoryContext
MemoryManagement
Pointer
PrimitiveValue
RecordSetNotations
SemanticCommon
State
StepPanic
Section FarRevertDefinition.
  Let reserve regs :=
  regs <| r2 := reserved |> <| r3 := reserved |> <| r4 := reserved |>.
  Inductive step_farrevert: instruction → smallstep :=
```

# Far revert (return from recoverable error, not panic/normal return)

# **Abstract Syntax**

OpFarRevert (args: in\_reg)

#### Syntax

```
ret.revert in1 aliased as revert in1
```

An abnormal return from a far call. Will pop up current callframe, give back unspent ergs and execute a currently active exception handler. The register abi\_reg describes a slice of memory passed to the external caller.

Restores storage to the state before external call.

The assembler expands revert to revert r1; r1 is ignored by returns from near calls.

#### Semantic

- 1. Let E be the address of the  $active\_exception\_handler$ .
- 2. Perform a rollback.
- 3. Proceed with the same steps as OpFarRetABI (see step farret).
- 4. Set PC to E.

```
| step_RevertExt_heapvar:

∀ gs gs' pages cf caller_stack cs1 cs2 new_caller new_regs params out_ptr

heap_type hspan ___2 ___3 ___4 _tag ptr_enc,
      let cs0 := ExternalCall cf (Some caller stack) in
      params = ForwardNewFatPointer heap type hspan →
      paid forward new fat ptr heap type hspan cs0 (out ptr, cs1) →
      ergs return caller and drop cs1 cs2 \rightarrow
      new_caller = pc_set (active_exception_handler cs0) cs2 →
      rollback cf.(cf saved checkpoint) gs gs' →
      Some ptr enc = encode fat ptr word zero128 (NotNullPtr out ptr) \rightarrow
      new regs = reserve (regs state zero <| r1 := PtrValue ptr enc |> )\rightarrow
      step farrevert (OpFarRevert (Some (mk pv tag (FarRetABI.mk params
params))))
                       gs transient := {|
                                         gs flags := 2 ;
                                         gs callstack := cs0;
                                         gs regs := 3;
                                         gs_context_u128 := 4;
                                         gs pages := pages;
                                         gs status := NoPanic;
                       gs global := gs;
                     { |
```

```
gs transient := {|
                                         gs flags := flags clear;
                                         gs callstack := new caller;
                                         gs regs := new regs;
                                         gs context u128 := zero128;
                                         gs pages := pages;
                                         gs_status := NoPanic;
                                       | } ;
                        gs global := gs';
  | step RevertExt ForwardFatPointer:

∀ pages cf caller_stack cs1 cs2 new_caller new_regs ___2 ___3 ___4 in_ptr

out ptr page params gs gs' ptr enc,
      let cs0 := ExternalCall cf (Some caller stack) in
      (* Panic if not a pointer *)
      params = ForwardExistingFatPointer (NotNullPtr in ptr) →
      in ptr.(fp page) = Some page →
      MemoryContext.page older page (get mem ctx cs0) = false →
      validate in ptr = no exceptions →
      fat ptr narrow in ptr out ptr →
      ergs return caller and drop cs1 cs2 \rightarrow
      new_caller = pc_set (active_exception_handler cs0) cs2 →
      Some ptr_enc = encode_fat_ptr_word zero128 (NotNullPtr out_ptr) \rightarrow
      new\_regs = (reserve \ regs\_state\_zero) < | \ r1 := PtrValue \ ptr\_enc \ |> \rightarrow
      rollback cf.(cf saved checkpoint) gs gs' →
      step farrevert (OpFarRevert (Some (PtrValue (FarRetABI.mk params
params))))
                       gs transient := {|
                                         gs_flags := ___2;
                                         gs callstack := cs0;
                                         gs regs := 3 ;
                                         gs context u128 := 4;
                                         gs_pages := pages;
                                         gs_status := NoPanic;
                       gs global := gs;
                     | }
                        gs transient := {|
                                         gs_flags := flags_clear;
                                         gs callstack := new_caller;
                                         gs_regs := new regs;
                                         gs context u128 := zero128;
                                         gs pages := pages;
                                         gs status := NoPanic;
```

```
|};
   gs_global := gs';
|}
```

- · Flags are cleared.
- Context register is zeroed (only returns from far calls).
- Registers are cleared (only returns from far calls).
- Execution stack:
  - Current frame is dropped.
  - Caller frame:

if a label is explicitly provided, and current frame is internal (near call), then caller's PC is overwritten with the label. Returns from external calls ignore label, even if it is explicitly provided

Unspent ergs are given back to caller (but memory growth is paid first).

Storage changes are reverted.

#### Usage

 Abnormal returns from near/far calls when a recoverable error happened. Use panic for irrecoverable errors.

#### Similar instructions

- ret returns to the caller instead of executing an exception handler.
- panic acts similar to revert but does not let pass any data to the caller and sets an overflow flag, and burns ergs in current frame.

#### **Panics**

1. Attempt to forward an existing fat pointer, but the value holding RetABI is not tagged as a pointer.

```
| step_RevertExt_ForwardFatPointer_requires_ptrtag:
V cf caller_stack __ params (s1 s2:state),
let cs0 := ExternalCall cf (Some caller_stack) in
gs_callstack s1 = cs0 →
params = FarRetABI.mk_params (ForwardExistingFatPointer __) →
step_panic
RetABIExistingFatPointerWithoutTag
s1 s2 →
step_farrevert (OpFarRevert (Some (IntValue params))) s1 s2
```

2. Attempt to return a pointer created before the current callframe. It is forbidden to pass a pointer to a contract in a far call and return it back. Otherwise we could create a  $\mathtt{fat\_ptr}\,P$  to a heap page of contract A, pass it to a contract B, return it back to A, and then modify the contents on the heap page of A. This way we will also modify the memory  $\mathtt{slice}$  associated with P.

In other words, this is a situation where:

- caller makes far call to some contract;
- callee does return-forward @calldataptr;
- caller modifies calldata corresponding heap region, that leads to modification of returndata.

```
| step_RevertExt_ForwardFatPointer_returning_older_pointer:
V cf caller_stack in_ptr page params (s1 s2:state) ,
  let cs0 := ExternalCall cf (Some caller_stack) in
  gs_callstack s1 = cs0 →
  in_ptr.(fp_page) = Some page →
  page_older page (get_mem_ctx cs0) = true →
  params = FarRetABI.mk_params (ForwardExistingFatPointer (NotNullPtr
in_ptr)) →
  step_panic
  RetABIReturnsPointerCreatedByCaller
  s1 s2 →
  step farrevert (OpFarRevert (Some (PtrValue params))) s1 s2
```

3. Attempt to return a malformed pointer.

```
| step_RevertExt_ForwardFatPointer_returning_malformed_pointer:
V cf caller_stack (in_ptr: fat_ptr) params (s1 s2:state) ,
    let cs0 := ExternalCall cf (Some caller_stack) in
    gs_callstack s1 = cs0 →

    validate in_ptr ≠ no_exceptions →

    params = FarRetABI.mk_params (ForwardExistingFatPointer (NotNullPtr
in_ptr)) →
    step_panic
    FatPointerMalformed
    s1 s2 →
    step_farrevert (OpFarRevert (Some (PtrValue params))) s1 s2
```

4. Attempt to return a new pointer but unable to pay for memory growth.

```
| step_RevertExt_heapvar_growth_unaffordable:
    V cf caller_stack heap_type hspan params (s1 s2:state),
    let cs0 := ExternalCall cf (Some caller_stack) in
    gs callstack s1 = cs0 →
```

```
params = FarRetABI.mk_params (ForwardNewFatPointer heap_type hspan) →
growth_to_span_unaffordable cs0 heap_type hspan →
step_panic
  FatPointerCreationUnaffordable
  s1 s2 →
step_farrevert (OpFarRevert (Some (IntValue params))) s1 s2.
```

End FarRevertDefinition.

# Library EraVM.sem.LoadPtr

```
Require SemanticCommon Slice.

Import TransientMemory MemoryOps isa.CoreSet Pointer SemanticCommon PrimitiveValue Slice State.

Section LoadPtrDefinition.

Open Scope ZMod_scope.
  Inductive step_load_ptr : instruction → tsmallstep :=
```

#### LoadPointer

# **Abstract Syntax**

```
OpLoadPointer (ptr: in reg) (res: out reg)
```

# **Syntax**

• uma.fat ptr read in1, out aliased as 1d in1, out

# Summary

Read 32 consecutive bytes from address provided by a fat pointer ptr of active heap or aux\_heap page as a 256-bit word, Big Endian. Reading bytes past the slice bound yields zero bytes.

#### Semantic

1. Let in\_ptr = (page, start, offset, length) be a fat\_ptr decoded from in1. Requires that in1 is tagged as a pointer.

- 2. Validate that offset is in bounds: offset < length.
- 3. Read 32 consecutive bytes as a Big Endian 256-bit word from address offset in heap variant.

Reading bytes past start + length returns zero bytes. For example, consider a pointer with:

```
{|
page := _;
start := 0;
length := 5;
offset := 2
|}
```

Reading will produce a word with 3 most significant bytes read from memory fairly (addresses 2, 3, 4) and 29 zero bytes coming from attempted reads past  $fp\_start + fp\_length$  bound.

4. Store the word to res.

# Affected parts of VM state

- execution stack: PC, as by any instruction;
- GPRs, because res only resolves to a register.

#### Usage

- Read data from a read-only slice returned from a far call, or passed to a far call.
- One of few instructions that accept only reg or imm operand but do not have full addressing mode, therefore can't e.g. address stack. The full list is: OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc.

#### Similar instructions

• OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc are variants of the same instruction.

#### **Panics**

1. Argument is not a tagged pointer.

```
| step_LoadPointer_not_tagged:

V ____ (s1 s2:state),
    step_panic ExpectedFatPointer s1 s2 →
    step_load_ptr (OpLoadPointer (Some (IntValue ___)) ____) s1 s2
.
```

End LoadPtrDefinition.

# Library EraVM.sem.LoadPtrInc

Require SemanticCommon Slice.

Import Arith isa.CoreSet TransientMemory MemoryOps Pointer SemanticCommon
PrimitiveValue Slice State.

```
Section LoadPtrIncDefinition.
Open Scope ZMod_scope.
```

# LoadPointerInc

# **Abstract Syntax**

OpLoadPointerInc (ptr: in\_reg) (res: out\_reg) (inc\_ptr: out\_reg)

# Syntax

• uma.fat ptr read.inc in1, out aliased as ld.inc in1, out

#### Summary

Read 32 consecutive bytes from address ptr of active heap or aux\_heap page as a 256-bit word, Big Endian. Reading bytes past the slice bound yields zero bytes.

Additionally, store a pointer to the next word to inc ptr register.

#### Semantic

- 1. Let in\_ptr = (page, start, offset, length) be a fat\_ptr decoded from in1. Requires that in1 is tagged as a pointer.
- 2. Validate that offset is in bounds: offset < length.
- 3. Read 32 consecutive bytes as a Big Endian 256-bit word from address offset in heap variant.

Reading bytes past start + length returns zero bytes. For example, consider a pointer with:

```
{|
page := _;
start := 0;
length := 5;
offset := 2
|}
```

Reading will produce a word with 3 most significant bytes read from memory fairly (addresses 2, 3, 4) and 29 zero bytes coming from attempted reads past  $fp\_start + fp\_length$  bound.

- 4. Store the word to res.
- 5. Store an encoded fat pointer to the next 32-byte word in heap variant in inc\_ptr. Its fields are assigned as follows:

```
page := in_ptr.(fp_page);
start := in_ptr.(fp_page);
length := in_ptr.(fp_length);
offset := in_ptr.(fp_offset) + 32;
```

```
Inductive step_load_ptr_inc : instruction → tsmallstep :=
| step_LoadPointerInc:
| V result addr selected_page (in_ptr:fat_ptr) out_ptr slice page_id s
high128,

validate_in_bounds in_ptr = true →
    page_id = in_ptr.(fp_page) →

page_has_id s.(gs_pages) page_id (mk_page (DataPage selected_page)) →
    slice page selected page in ptr slice →
```

```
ptr_resolves_to in_ptr addr →
    mb_load_slice_result BigEndian slice addr result →

fat_ptr_inc in_ptr out_ptr →

step_load_ptr_inc (OpLoadPointerInc (Some (PtrValue (high128, NotNullPtr in_ptr))) (IntValue result) (Some (PtrValue (high128, NotNullPtr out_ptr)))) s
```

- execution stack: PC, as by any instruction;
- GPRs

# Usage

- Read data from a read-only slice returned from a far call, or passed to a far call.
- One of few instructions that accept only reg or imm operand but do not have full addressing mode, therefore can't e.g. address stack. The full list is: OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc.

#### Similar instructions

• OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc are variants of the same instruction.

#### **Panics**

1. Argument is not a tagged pointer.

step panic FatPtrIncOverflow s1 s2 →

in\_ptr))) \_\_\_\_\_) s1 s2

step load ptr inc (OpLoadPointerInc (Some (PtrValue (high128, NotNullPtr

.

# Library EraVM.sem.Load

Require SemanticCommon MemoryManagement.

Import Arith MemoryOps MemoryManagement isa.CoreSet Pointer SemanticCommon
PrimitiveValue State.

Section LoadDefinition.

```
Open Scope ZMod scope.
```

```
Generalizable Variables cs flags regs mem.

Inductive step load: instruction → tsmallstep :=
```

#### Load

# **Abstract Syntax**

```
OpLoad (ptr: in regimm) (res: out reg) (mem:data page type)
```

#### Syntax

- uma.heap read in1, out aliased as ld.1 in1, out
- uma.aux heap read in1, out aliased as 1d.2 in1, out

#### Summary

Decode the heap address from in1, load 32 consecutive bytes from the specified active heap variant.

#### Semantic

- 1. Decode a heap\_ptr addr from ptr.
- 2. Ensure reading 32 consecutive bytes is possible; for that, check if  $addr < 2^{32} 32$ .
- 3. Let B be the selected heap variant bound. If addr+32>B, grow heap variant bound and pay for the growth. We are aiming at reading a 256-bit word starting from address addr so the heap variant bound should contain all of it.

4. Read 32 consecutive bytes as a Big Endian 256-bit word from addr in the heap variant, store result to res.

```
| step Load:
   ♥ new cs heap variant ctx result mem selected page bound addr high224,
     addr ≤ MAX OFFSET TO DEREF LOW U32 = true →
     heap variant page heap variant cs1 mem selected page →
     mb_load_result BigEndian selected_page addr result →
     word upper bound (mk hptr addr) bound →
     bound grow pay (heap variant, bound) cs0 new cs →
      step load (OpLoad (Some (IntValue (high224, mk hptr addr))) (IntValue
result) heap_variant)
           gs callstack := cs0;
           gs regs := regs;
          gs pages := mem;
          gs flags := flags;
          gs context u128 := ctx;
          gs status := NoPanic;
         | }
         { |
           gs callstack := new cs;
           gs regs := regs;
           gs pages := mem;
           gs flags := flags;
          gs context u128 := ctx;
          gs status := NoPanic;
         | }
```

# Affected parts of VM state

- · execution stack:
  - PC, as by any instruction;
  - ergs allocated for the current function/contract instance, if the heap variant has to be grown;
  - heap variant bounds, if heap variant has to be grown.
- registers, because res only resolves to a register.

#### Usage

- Only OpLoad and OpLoadInc are capable of reading data from heap variants.
- One of few instructions that accept only reg or imm operand but do not have full addressing mode, therefore can't e.g. address stack. The full list is: OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc.

#### Similar instructions

• OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc are variants of the same mach instruction.

#### **Panics**

1. Accessing an address greater than MAX OFFSET TO DEREF LOW U32.

2. Passed fat ptr instead of heap ptr.

3. Accessing an address requires growing the bound of the corresponding heap variant, but the growth is unaffordable.

```
| step_Load_growth_unaffordable:
V (s1 s2:state) cs ptr bound heap_variant ___ high224,
   `(
        word_upper_bound ptr bound →
        growth_to_bound_unaffordable cs (heap_variant, bound) →
        gs_callstack s1 = cs →
```

# Library EraVM.sem.LoadInc

Require SemanticCommon MemoryManagement.

Import Arith MemoryOps MemoryManagement isa.CoreSet Pointer SemanticCommon PrimitiveValue State.

Section LoadIncDefinition.

```
Open Scope ZMod_scope.

Generalizable Variables cs flags regs mem.

Inductive step load inc : instruction → tsmallstep :=
```

# LoadInc

# **Abstract Syntax**

```
OpLoadInc (ptr: in_regimm) (res: out_reg) (mem:data_page_type) (inc_ptr:
  out reg)
```

# **Syntax**

- uma.inc.heap read in1, out1, out2 aliased as ld.1.inc in1, out1, out2
- uma.inc.aux heap read in1, out1, out2 aliased as ld.2.inc in1, out1, out2

#### Summary

Decode the heap address from in1, load 32 consecutive bytes from the specified active heap variant. Additionally, store a pointer to the next word to  $inc\_ptr$  register.

#### Semantic

1. Decode a heap ptr addr from ptr.

- 2. Ensure reading 32 consecutive bytes is possible; for that, check if  $addr < 2^{32} 32$ .
- 3. Let B be the selected heap variant bound. If addr+32>B, grow heap variant bound and pay for the growth. We are aiming at reading a 256-bit word starting from address addr so the heap variant bound should contain all of it.
- 4. Read 32 consecutive bytes as a Big Endian 256-bit word from addr in the heap variant, store result to res.
- 5. Store an encoded heap\_ptr addr+32 to the next 32-byte word in the heap variant in inc\_ptr.

- execution stack:
  - PC, as by any instruction;
  - allocated ergs if the heap variant has to be grown;
  - heap variant bounds, if heap variant has to be grown.
- GPRs, because res and inc ptr only resolve to registers.

# Usage

- Only OpLoad and OpLoadInc are capable of reading from heap variantheap.
- One of few instructions that accept only reg or imm operand but do not have full addressing mode, therefore can't e.g. address stack. The full list is: OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc.

#### Similar instructions

 OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc are variants of the same instruction.

#### **Panics**

1. Accessing an address greater than MAX OFFSET TO DEREF LOW U32.

2. Passed fat ptr instead of heap ptr.

```
| step_Load_expects_intvalue:

V s1 s2 _____,

(
    step_panic ExpectedHeapPointer s1 s2 →
    step_load_inc (OpLoadInc (Some (PtrValue ___)) _____) s1

s2
```

3. Accessing an address requires growing the bound of the corresponding heap variant, but the growth is unaffordable.

```
| step_Load_growth_unaffordable:
V (s1 s2:state) cs ptr bound heap_variant ____ high224,
   `(
        word_upper_bound ptr bound →
        growth_to_bound_unaffordable cs (heap_variant, bound) →
```

```
gs_callstack s1 = cs →
    step_panic HeapGrowthUnaffordable s1 s2 →
    step_load_inc (OpLoadInc (Some (IntValue (high224, ptr))) ____
heap_variant ____) s1 s2
```

4. Incremented pointer overflows.

```
| step_LoadInc_inc_overflow:
    ∀ (s1 s2:state) heap_variant result hptr ___ high224,
    `(
        hp_inc_OF hptr = None →
        step_panic HeapPtrIncOverflow s1 s2 →
        step_load_inc (OpLoadInc (Some (IntValue (high224, hptr))) (IntValue result) heap_variant ___) s1 s2
    )
```

End LoadIncDefinition.

# Library EraVM.sem.Store

```
Require SemanticCommon MemoryManagement.
Import Core Common TransientMemory MemoryOps MemoryManagement isa.CoreSet State
   SemanticCommon Pointer PrimitiveValue.

Section StoreDefinition.
   Open Scope ZMod_scope.

Inductive step store: instruction → tsmallstep :=
```

#### Store

#### **Abstract Syntax**

```
OpStore (ptr: in_regimm) (val: in_reg) (mem:data_page_type)
```

# Syntax

- uma.heap write in1, in2 aliased as st.1.inc in1, out
- uma.aux heap write in1, in2 aliased as st.2.inc in1, out

# Summary

Decode the heap address from in1, load 32 consecutive bytes from the specified active heap variant.

#### Semantic

- 1. Decode a heap ptr addr from ptr.
- 2. Ensure storing 32 consecutive bytes is possible; for that, check if  $addr < 2^{32} 32$
- 3. Let B be the selected heap variant bound. If addr+32>B, grow heap variant bound and pay for the growth. We are aiming at reading a 256-bit word starting from address addr so the heap variant bound should contain all of it.
- 4. Store 32 consecutive bytes as a Big Endian 256-bit word from val to addr in the heap variant.

```
| step Store:
    \forall high224 result flags new cs heap variant value new mem selected page
bound modified page cs regs mem addr ctx,
      let selected page id := heap variant id heap variant cs in
      addr ≤ MAX OFFSET TO DEREF LOW U32 = true →
      heap variant page heap variant cs mem selected page →
      word upper bound (mk hptr addr) bound →
      bound grow pay (heap variant, bound) cs new cs →
      mb store word result BigEndian selected page addr value modified page →
      page_replace selected_page_id (mk_page (DataPage modified_page)) mem
\texttt{new mem} \ {\scriptstyle \rightarrow}
      step store (OpStore (Some (IntValue (high224, mk hptr addr))) (IntValue
result) heap variant)
           { |
             gs callstack := cs;
             gs_pages := mem;
             gs regs := regs;
             gs flags := flags;
             gs context u128 := ctx;
             gs status := NoPanic;
           | }
            { |
             gs callstack := new_cs;
```

```
gs_pages := new_mem;

gs_regs := regs;
gs_flags := flags;
gs_context_u128 := ctx;
gs_status := NoPanic;
];
```

- execution stack:
  - PC, as by any instruction;
  - allocated ergs if the heap variant has to be grown;
  - heap bounds, if heap variant has to be grown.
- GPRs, because out only resolves to a register.
- TransientMemory page

#### Usage

- Only OpLoad and OpLoadInc are capable of reading data from heap variant.
- One of few instructions that accept only reg or imm operand but do not have full addressing mode, therefore can't e.g. address stack. The full list is: OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc.

#### Similar instructions

• OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc are variants of the same instruction.

#### **Panics**

1. Accessing an address greater than MAX OFFSET TO DEREF LOW U32.

2. Fat pointer provided where heap pointer is expected.

```
| step_Store_expects_intvalue:
V s1 s2 __1 __2 __3,
   `(
      step_panic ExpectedHeapPointer s1 s2 →
      step_store (OpStore (Some (PtrValue __1)) __2 __3) s1 s2
)
```

3. Accessing an address requires growing the bound of the corresponding heap variant, but the growth is unaffordable.

```
| step_Store_growth_unaffordable:
| ∀ (s1 s2:state) high224 cs ptr bound heap_variant ___1,
| `(
| word_upper_bound ptr bound →
| growth_to_bound_unaffordable cs (heap_variant, bound) →
| gs_callstack s1 = cs →
| step_panic HeapGrowthUnaffordable s1 s2 →
| step_store (OpStore (Some (IntValue (high224, ptr))) ___1
| heap_variant) s1 s2
| )
| .
End StoreDefinition.
```

# Library EraVM.sem.StoreInc

```
Require SemanticCommon MemoryManagement.
Import Core Common TransientMemory MemoryOps MemoryManagement isa.CoreSet State
   SemanticCommon Pointer PrimitiveValue.

Section StoreIncDefinition.
   Open Scope ZMod_scope.

Inductive step storeinc: instruction → tsmallstep :=
```

#### StoreInc

# **Abstract Syntax**

```
OpStoreInc (ptr: in_regimm) (val: in_reg) (mem:data_page_type) (inc_ptr:
  out_reg)
```

# Syntax

```
uma.inc.heap_write in1, in2 aliased as st.1.inc in1, out
uma.inc.aux heap write in1, in2 aliased as st.2.inc in1, out
```

#### Summary

Decode the heap address from in1, load 32 consecutive bytes from the specified active heap variant. Additionally, store a pointer to the next word to inc ptr register.

#### Semantic

- 1. Decode a heap ptr addr from ptr.
- 2. Ensure storing 32 consecutive bytes is possible; for that, check if  $addr < 2^{32} 32$ .
- 3. Let B be the selected heap variant bound. If addr+32>B, grow heap variant bound and pay for the growth. We are aiming at reading a 256-bit word starting from address addr so the heap variant bound should contain all of it.
- 4. Store 32 consecutive bytes as a Big Endian 256-bit word from val to addr in the heap variant.
- 5. Store an encoded heap\_ptr addr+32 to the next 32-byte word in the heap variant in inc\_ptr.

```
| step_StoreInc:
```

```
V hptr flags new_cs heap_variant value new_mem selected_page bound
modified_page cs regs mem ___1 addr hptr_mod ctx high224,

let selected_page_id := heap_variant_id heap_variant cs in

hptr = mk_hptr addr →

addr ≤ MAX_OFFSET_TO_DEREF_LOW_U32 = true →

heap_variant_page heap_variant cs mem selected_page →

word_upper_bound hptr bound →
bound_grow_pay (heap_variant, bound) cs new_cs →

mb_store_word_result_BigEndian_selected_page_addr_value_modified_page →
page_replace_selected_page_id (mk_page_(DataPage_modified_page)) mem

new_mem →

hp_inc_hptr_hptr_mod →
```

```
step_storeinc (OpStoreInc (Some (IntValue (high224, hptr))) (mk_pv ___1
value) heap variant (Some (IntValue (high224,hptr mod))))
             gs callstack := cs;
             gs pages := mem;
             gs_regs := regs;
             gs flags := flags;
             gs context u128 := ctx;
             gs status := NoPanic;
           { |
             gs callstack := new cs;
             gs pages := new mem;
             gs regs := regs;
             gs flags := flags;
             gs context u128 := ctx;
             gs status := NoPanic;
           | }
```

- execution stack:
  - PC, as by any instruction;
  - allocated ergs if the heap variant has to be grown;
  - heap variant bounds, if heap variant has to be grown.
- GPRs, because res and inc ptr only resolve to registers.

# Usage

- Only OpStore and OpStoreInc are capable of writing to heap variant.
- One of few instructions that accept only reg or imm operand but do not have full addressing mode, therefore can't e.g. address stack. The full list is: OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc.

#### Similar instructions

• OpLoad, OpLoadInc, OpStore, OpStoreInc, OpLoadPointer, OpLoadPointerInc are variants of the same instruction.

#### **Panics**

1. Accessing an address greater than MAX OFFSET TO DEREF LOW U32.

```
| step_Store_offset_too_large:
| V heap_variant ___1 ___2 addr s1 s2 high224,
| `(
| addr > MAX_OFFSET_TO_DEREF_LOW_U32 = true →
| step_panic HeapPtrOffsetTooLarge s1 s2 →
| step_storeinc (OpStoreInc (Some (IntValue (high224, mk_hptr addr)))
| 1 heap_variant ___2) s1 s2
| )
```

2. Fat pointer provided where heap pointer is expected.

3. Accessing an address requires growing the bound of the corresponding heap variant, but the growth is unaffordable.

```
| step_Store_growth_unaffordable:
| ∀ (s1 s2:state) cs hptr bound heap_variant ___1 ___2 high242,
| `(
| word_upper_bound hptr bound →
| growth_to_bound_unaffordable cs (heap_variant, bound) →
| gs_callstack s1 = cs →
| step_panic HeapGrowthUnaffordable s1 s2 →
| step_storeinc (OpStoreInc (Some (IntValue (high242, hptr))) ___1
| heap_variant ___2) s1 s2
| )
```

4. Incrementing the pointer leads to overflow.

End StoreIncDefinition.

# Library EraVM.sem.PtrAdd

Require SemanticCommon.

Import Arith Core TransientMemory MemoryBase Pointer PrimitiveValue SemanticCommon State isa.CoreSet spec.

Section PtrAddDefinition. Open Scope ZMod scope.

# **PtrAdd**

## **Abstract Syntax**

OpPtrAdd (in1: in\_any) (in2: in\_reg) (out: out\_any) (swap:mod\_swap)

## Syntax

- ptr.add in1, in2, out
- ptr.add.s in1, in2, out

## Summary

Takes a fat pointer from in1 and a 32-bit unsigned number from in2. Advances the fat pointer's offset by that number, and writes (in2{128...255} II incremented pointer) to out.

## Semantic

- 1. Fetch input operands, swap them if swap modifier is set. Now operands are  $op_1$  and  $op_2$ .
- 2. Ensure the  $op_1$  is tagged as a pointer, and  $op_2$  is not tagged as a pointer. Otherwise panic.
- 3. Decode fat pointer  $ptr_{in}$  from  $op_1$
- 4. Let diff be  $op_2$  truncated to 32 bits:

$$diff:=op_2 \mod 2^{32}$$

It is required that  $op_2 < MAX_OFFSET_FOR_ADD_SUB$ , otherwise VM panics.

5. Advance pointer offset of  $ptr_{in}$  by diff.

```
ptr_{out} := ptr_{in}|_{offset:=offset+diff}
```

6. Store the result, tagged as a pointer, to out. The most significant 128 bits of result are taken from op1, the least significant bits hold an encoded pointer:

```
result := op_1\{255...128\} \# \# \mathtt{encode}(ptr_{out})
```

## Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- · Flags are unaffected

## Usage

Manipulating fat pointers to pass slices of memory between functions.

## Similar instructions

- Takes part in a group of pointer manipulating instructions:
  - OpPtrAdd
  - OpPtrSub
  - OpPtrShrink
  - OpPtrPack
- Instruction OpPtrSub effectively performs the same actions but the offset is negated.

## **Encoding**

Instructions OpPtrAdd, OpPtrSub, OpPtrPack and OpPtrShrink are sharing an opcode.

## **Panics**

1. First argument is not a pointer (after accounting for swap).

```
| step_PtrAdd_in1_not_ptr:

▼ s1 s2 _____,

step_panic ExpectedFatPointer s1 s2 →

step_ptradd (OpPtrAdd (Some (IntValue ___)) _____) s1 s2
```

2. Second argument is a pointer (after accounting for swap).

```
| step_PtrAdd_in2_ptr:

V s1 s2 _____,

step_panic ExpectedInteger s1 s2 →
step_ptradd (OpPtrAdd (Some (PtrValue ___)) (PtrValue ___) ___) s1 s2
```

3. Second argument is larger than MAX\_OFFSET\_FOR\_ADD\_SUB (after accounting for swap).

4. Addition overflows.

```
| step_PtrAdd_overflow:
    ∀ s1 s2 ofs new_ofs pid (arg_delta:word) (mem_delta: mem_address) span high128,

arg_delta < MAX_OFFSET_FOR_ADD_SUB = true →
    mem_delta = low mem_address_bits arg_delta →
    (true, new_ofs) = ofs + mem_delta →
```

# Library EraVM.sem.PtrSub

```
Require SemanticCommon.

Import
   Arith
Core
TransientMemory
MemoryBase
Pointer
PrimitiveValue
SemanticCommon
State
isa.CoreSet
.
Import spec.

Section PtrSubDefinition.
Open Scope ZMod scope.
```

## **PtrSub**

# Abstract Syntax

```
OpPtrSub (in1: in_any) (in2: in_reg) (out: out_any) (swap:mod_swap)
```

# Syntax

- ptr.sub in1, in2, out
- ptr.sub.s in1, in2, out

## Summary

Takes a fat pointer from in1 and a 32-bit unsigned number from in2. Advances the fat pointer's offset

by that number, and writes (in2{128...255} II incremented pointer) to out.

## Semantic

- 1. Fetch input operands, swap them if swap modifier is set. Now operands are  $op_1$  and  $op_2$ .
- 2. Ensure the  $op_1$  is tagged as a pointer, and  $op_2$  is not tagged as a pointer. Otherwise panic.
- 3. Decode fat pointer  $ptr_{in}$  from  $op_1$
- 4. Let diff be  $op_2$  truncated to 32 bits:

$$diff:= op_2 \mod 2^{32}$$

It is required that  $op_2 < MAX_OFFSET_FOR_ADD_SUB$ , otherwise VM panics.

5. Advance pointer offset of  $ptr_{in}$  by diff.

$$ptr_{out} := ptr_{in}|_{offset:=offset-diff}$$

6. Store the result, tagged as a pointer, to out. The most significant 128 bits of result are taken from op1, the least significant bits hold an encoded pointer:

$$result := op_1\{255...128\} \# \# \mathtt{encode}(ptr_{out})$$

## Affected parts of VM state

• execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.

- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- · Flags are unaffected

# Usage

Manipulating fat pointers to pass slices of memory between functions.

## Similar instructions

- Takes part in a group of pointer manipulating instructions:
  - OpPtrAdd
  - OpPtrSub
  - OpPtrShrink
  - OpPtrPack
- Instruction OpPtrSub effectively performs the same actions but the offset is added, not subtracted.

## **Encoding**

Instructions OpPtrSub, OpPtrSub, OpPtrPack and OpPtrShrink are sharing an opcode.

## **Panics**

1. First argument is not a pointer (after accounting for swap).

```
| step_PtrSub_in1_not_ptr:

V s1 s2 _____,

step_panic ExpectedFatPointer s1 s2 →
step_ptrsub (OpPtrSub (Some (IntValue ___)) ____ ) s1 s2
```

2. Second argument is a pointer (after accounting for swap).

```
| step_PtrSub_in2_ptr:

▼ s1 s2 ____,

step_panic ExpectedFatPointer s1 s2 →

step_ptrsub (OpPtrSub ___ (PtrValue ) ) s1 s2
```

```
3. Second argument is larger than MAX_OFFSET_FOR_SUB_SUB (after accounting for swap).
  | step PtrSub diff too large:

∀ s1 s2 (arg_delta:word) (mem_delta: mem_address) _____,
      arg delta ≥ MAX OFFSET FOR ADD SUB = true →
      step panic FatPointerDeltaTooLarge s1 s2 →
      step ptrsub (OpPtrSub (Some (PtrValue )) (IntValue arg delta) ) s1
      Subtraction underflows.
  | step PtrSub underflow:

∀ high128 s1 s2 ofs new ofs pid (arg delta:word) (mem delta: mem address)

span,
      arg\_delta < MAX\_OFFSET\_FOR\_ADD\_SUB = true \rightarrow
      mem delta = low mem address bits arg delta →
      (true, new ofs) = ofs - mem delta \rightarrow
      step panic FatPointerOverflow s1 s2 →
      step ptrsub (OpPtrSub
                     (Some (PtrValue (high128, NotNullPtr (mk_fat_ptr pid
(mk ptr span ofs)))))
                     (IntValue arg delta)
                     (Some (PtrValue (high128, NotNullPtr (mk fat ptr pid
(mk ptr span new ofs))))))
        s1 s2
End PtrSubDefinition.
Library EraVM.sem.PtrShrink
Require SemanticCommon.
Import Common Core TransientMemory isa.CoreSet State
  Pointer PrimitiveValue SemanticCommon ZArith.
Section PtrShrinkDefinition.
```

Open Scope ZMod scope.

Inductive step ptrshrink: instruction → smallstep :=

# **PtrShrink**

**Attention**: **shrinking** and **narrowing** far pointers are different. See <code>fat\_ptr\_shrink</code> and <code>fat\_ptr\_narrow</code>.

## **Abstract Syntax**

```
OpPtrShrink (in1: in any) (in2: in reg) (out: out any) (swap:mod swap)
```

## **Syntax**

ptr.shrink in1, in2, ou1ptr.shrink.s in1, in2, ou1

## Summary

**Shrink** the fat pointer, decreasing its length.

## Semantic

- 1. Fetch input operands, swap them if swap modifier is set. Now operands are  $op_1$  and  $op_2$ .
- 2. Ensure the  $op_1$  is tagged as a pointer, and  $op_2$  is not tagged as a pointer. Otherwise panic.
- 3. Decode fat pointer  $ptr_{in}$  from  $op_1$
- 4. Let diff be  $op_2$  truncated to 32 bits:

$$\textit{diff}:= op_2 \mod 2^{32}$$

5. Rewind pointer length of  $ptr_{in}$  by diff.

$$ptr_{out} := ptr_{in}|_{length:=length-diff}$$

6. Store the result, tagged as a pointer, to out:

$$result := op_1\{255...128\} \# \# \mathtt{encode}(ptr_{out})$$

```
| step_PtrShrink :
    V s high128 ptr_in ptr_out delta ,

let diff := low mem_address_bits delta in
    fat ptr shrink diff ptr in ptr out →
```

## Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- Flags are unaffected

## Usage

Manipulating fat pointers to pass slices of memory between functions.

## Similar instructions

- Takes part in a group of pointer manipulating instructions:
  - OpPtrAdd
  - OpPtrSub
  - OpPtrShrink
  - OpPtrPack

## Encoding

Instructions OpPtrAdd, OpPtrSub, OpPtrPack and OpPtrShrink are sharing an opcode.

## **Panics**

1. First argument is not a pointer (after accounting for swap).

```
| step_PtrShrink_in1_not_ptr:

V s1 s2 ___2 __3 __4,
    step_panic ExpectedFatPointer s1 s2 →
    step_ptrshrink (OpPtrShrink (Some (IntValue ___2)) ___3 ___4) s1 s2
```

2. Second argument is a pointer (after accounting for swap).

```
| step_PtrShrink_in2_ptr:
V s1 s2 __1 __3 __4,
step_panic ExpectedFatPointer s1 s2 →
step_ptrshrink (OpPtrShrink (Some __1) (PtrValue __3) __4) s1 s2
```

3. Shrinking underflows.

End PtrShrinkDefinition.

# Library EraVM.sem.PtrPack

```
Require SemanticCommon.

Import Common Core TransientMemory isa.CoreSet State
   SemanticCommon PrimitiveValue ZArith FatPointerABI.

Section PtrPackDefinition.
   Open Scope ZMod_scope.
   Inductive step ptrpack : instruction → smallstep :=
```

## PtrPack

# **Abstract Syntax**

```
OpPtrPack (in1: in_any) (in2: in_reg) (out: out_any) (swap:mod_swap)
```

## Syntax

```
ptr.pack in1, in2, ou1ptr.pack.s in1, in2, ou1
```

## Summary

Concatenates the lower 128 bit of in1 and the higher 128 bits of in2, writes result to out. in1 should hold a fat ptr.

See Usage.

## Semantic

- 1. Fetch input operands, swap them if swap modifier is set. Now operands are  $op_1$  and  $op_2$ .
- 2. Ensure the  $op_1$  is tagged as a pointer, and  $op_2$  is not tagged as a pointer. Otherwise panic.
- 3. Ensure that the lower 128 bits of  $op_2$  are zero. Otherwise panic.
- 4. Store the result, tagged as a pointer, to out:

```
result := op_2\{255...128\} \#\#op_1\{128...0\}
```

# Affected parts of VM state

- execution stack: PC, as by any instruction; SP, if in1 uses RelPop addressing mode, or if out uses RelPush addressing mode.
- Current stack memory page, if out resolves to it.
- GPRs, if out resolves to a register.
- Flags are unaffected

## Usage

• fat pointer in  $in_1$  spans across bits  $in_1$  0...127, and the bits  $in_1$  128...255 are therefore available to put other data. This is used by for memory forwarding to far calls when we need to forward an existing fat pointer.

To pass a fat pointer P to far call, it is necessary to encode an instance of FarCallABI with fwd memory := ForwardFatPointer P into a PtrValue.

```
Module ABI.FarCall.

Record params :=
    mk_params {
        fwd_memory: fwd_memory;
        ergs_passed: ergs;
        shard_id: shard_id;
        constructor_call: bool;
        to_system: bool;
    }.
```

The compound type of FarCallABI is serialized to a word in such a way that the pointer takes up the lower 128 bits of memory. This matches the layout of any fat pointer: serialized pointers occupy the lower 128 bit of a word.

Therefore, encoding an instance of FarCallABI can be done as follows:

- take an existing PtrValue P
- form a value A encoding ergs\_passed, shard\_id and other fields of FarCallABI in A{128...255}.
- invoke OpPtrPack PAB. Now B stores an encoded instance of FarCallABI and can be passed to one of far call instructions.

#### Similar instructions

- Takes part in a group of pointer manipulating instructions:
  - OpPtrAdd
  - OpPtrSub
  - OpPtrShrink
  - OpPtrPack

## Encoding

Instructions OpPtrAdd, OpPtrSub, OpPtrPack and OpPtrShrink are sharing an opcode.

## **Panics**

1. First argument is not a pointer (after accounting for swap).

```
| step_PtrPack_inl_not_ptr:

▼ s1 s2 ___1 __2 __3,

step_panic ExpectedFatPointer s1 s2 →

step_ptrpack (OpPtrPack (Some (IntValue ___1)) ___2 ___3) s1 s2
```

2. Second argument is a pointer (after accounting for swap).

```
| step_PtrPack_in2_ptr:

V s1 s2 ___1 __2 __3,

step_panic ExpectedFatPointer s1 s2 →

step_ptrpack (OpPtrPack (Some ___1) (PtrValue __2) ___3) s1 s2
```

3. Low 128 bits of the second operand are not zero (after accounting for swap).

End PtrPackDefinition.

# Library EraVM.sem.SStore

```
From RecordUpdate Require Import RecordSet.
Require SemanticCommon.

Import Common Core Predication Ergs isa.CoreSet CallStack Event memory.Depot
TransientMemory MemoryOps State
   PrimitiveValue SemanticCommon ZArith RecordSetNotations.

Section SStoreDefinition.

Definition sstore_cost cs : ergs :=
   let pubdata := (net_pubdata cs) in
   ergs_of (pubdata × Z.of_nat bytes_in_word).

Inductive step_sstore: instruction → smallstep :=
```

# **SStore**

# **Abstract Syntax**

```
OpSStore (in1: in_reg) (in2: in_reg)
```

# Syntax

• log.swrite in1, in2 aliased as sstore in1, in2

## Summary

Store word in current storage by key.

## Semantic

Store word in current shard, and current contract's storage by key key.

Current contract is identified by the field ecf\_this\_address of the active external frame.

Pay for storage write.

```
| step SStore:
  \forall cs new_cs key new_depot write_value gs new_gs ts1 ts2 \_ ,
    (* there are currently no refunds *)
    cs = gs callstack ts1 \rightarrow
   let fqa storage := mk fqa key (current storage fqa cs) key in
    let old depot := gs.(gs revertable).(gs depot) in
    storage write old depot fqa storage write value new depot →
   global_state_new_depot new_depot gs new_gs →
    ts2 = ts1 < | gs callstack := new cs | > \rightarrow
   pay (sstore_cost cs) cs new_cs →
    step_sstore (OpSStore (mk_pv __ key) (IntValue write_value))
                   gs_transient := ts1;
                   gs_global := gs;
                { |
                   gs transient := ts2;
                   gs global := new gs;
```

## Affected parts of VM state

```
    execution stack:
```

- PC, as by any instruction;
- allocated ergs
- GPRs, because res only resolves to a register.
- Depot of current shard.

## Usage

- Only **SStore** is capable to write data to storage.
- SStore is rolled back if the current frame ended by OpPanic or OpRevert.

## Similar instructions

• OpSLoad, OpSStore, OpEvent, OpToL1Message, OpPrecompileCall share the same opcode.

## **Panics**

1. Not enough ergs to pay for storage write.

End SStoreDefinition.

# Library EraVM.sem.SLoad

Require SemanticCommon.

Import isa.CoreSet TransientMemory memory.Depot PrimitiveValue SemanticCommon State.

```
Section SLoadDefinition.

Generalizable Variable __.

Inductive step sload: instruction → smallstep :=
```

## **SLoad**

## **Abstract Syntax**

```
OpSLoad (key: in_reg) (dest: out_reg)
```

# **Syntax**

• log.sread in1, out aliased as sload in1, out

## Summary

Access word in current storage by key.

## Semantic

1. Load word from current shard, current contract's storage by key key.

Current contract is identified by the field ecf this address of the active external frame.

2. Store the value to dest.

```
| step_SLoad:
    ∀ read_value key (s:state) __,
    let fqa_storage := mk_fqa_key (current_storage_fqa (gs_callstack s)) key
in
    storage_read (gs_revertable s).(gs_depot) fqa_storage read_value →
        step_sload (OpSLoad (mk_pv __ key) (IntValue read_value)) s s
```

# Affected parts of VM state

- execution stack: PC, as by any instruction;
- GPRs, because res only resolves to a register.

## Usage

Only <u>SLoad</u> is capable of reading data from storage.

## Similar instructions

• OpSLoad, OpSStore, OpEvent, OpToL1Message, OpPrecompileCall share the same opcode.

End SLoadDefinition.

# Library EraVM.sem.TransientLoad

```
Require SemanticCommon.
Import isa.CoreSet TransientMemory memory.Depot PrimitiveValue SemanticCommon
State.

Section TransientLoadDefinition.
   Generalizable Variable __.

Inductive step tload: instruction → smallstep :=
```

## **TransientLoad**

# **Abstract Syntax**

OpTransientLoad (key: in reg) (dest: out reg)

## **Syntax**

• ldt in1, out

## Legacy Syntax

tload in1, out

## Summary

Access word in current transient storage by key. Transient contract storage of all contracts resets when <code>OpIncrementTxNumber</code> is called.

## Semantic

- 1. Load word from current shard, current contract's transient storage by key key.
  - Current contract is identified by the field ecf this address of the active external frame.
- 2. Store the value to dest.

## Affected parts of VM state

- execution stack: PC, as by any instruction;
- GPRs, because res only resolves to a register.
- transient storage of current contract.

## Usage

Only TLoad is capable of reading data from transient storage.

## Similar instructions

• OpSLoad, OpSStore, OpEvent, OpToL1Message, OpPrecompileCall, OpTransientLoad, OpTransientStore share the same opcode.

End TransientLoadDefinition.

# Library EraVM.sem.TransientStore

```
From RecordUpdate Require Import RecordSet.
Require SemanticCommon.

Import Common Core Predication Ergs isa.CoreSet CallStack Event memory.Depot
TransientMemory MemoryOps State
   PrimitiveValue SemanticCommon ZArith RecordSetNotations.

Section TransientStoreDefinition.

Definition sstore_cost cs : ergs :=
   let pubdata := (net_pubdata cs) in
   ergs_of (pubdata × Z.of_nat bytes_in_word).

Inductive step sstore: instruction → smallstep :=
```

## **TransientStore**

## **Abstract Syntax**

OpTransientStore (in1: in\_reg) (in2: in\_reg)

# Syntax

• stt in1, in2

# Legacy Syntax

tstore in1, in2

## Summary

Store word in current storage by key.

#### Semantic

Store word in current shard, and current contract's transient storage by key key.

Current contract is identified by the field ecf this address of the active external frame.

Pay for transient storage write.

```
(* FIXME: semantic is incorrect *)
| step TransientStore:
  orall cs new_cs key new_depot write_value gs new_gs ts1 ts2 \_ ,
    (* there are currently no refunds *)
    cs = gs\_callstack ts1 \rightarrow
    let fqa storage := mk fqa key (current storage fqa cs) key in
    let old depot := gs.(gs revertable).(gs depot) in
    storage write old depot fqa storage write value new depot →
    {\tt global\_state\_new\_depot\ new\_depot\ gs\ new\_gs} \,\, \rightarrow \,\,
    ts2 = ts1 < | gs callstack := new cs |> \rightarrow
    pay (sstore_cost cs) cs new_cs →
    step sstore (OpTransientStore (mk pv key) (IntValue write value))
                   gs transient := ts1;
                   gs global := gs;
                   gs transient := ts2;
                    gs global := new gs;
```

## Affected parts of VM state

- execution stack:
  - PC, as by any instruction;
  - allocated ergs
- GPRs, because res only resolves to a register.
- Depot of current shard.

## Usage

- Only TransientStore is capable to write data to storage.
- TransientStore is rolled back if the current frame ended by OpPanic or OpRevert.

## Similar instructions

• OpSLoad, OpTransientStore, OpEvent, OpToL1Message, OpPrecompileCall share the same opcode.

## **Panics**

1. Not enough ergs to pay for storage write.

```
(* FIXME: the semantic is *)
| step_TransientStore_unaffordable:
| V cs gs ts1 ts2 ___1 ___2,
| (* there are currently no refunds *)
| cs = gs_callstack ts1 \rightarrow
| affordable cs (sstore_cost cs) = false \rightarrow
| ts2 = ts1 <| gs_status := Panic StorageWriteUnaffordable |> \rightarrow
| step_sstore (OpSLoad ___1 ___2)
| {|
| gs_transient := ts1;
| gs_global := gs;
| |
| gs_transient := ts2;
| gs_global := gs;
| |
```

End TransientStoreDefinition.

# Library EraVM.sem.OpEvent

```
Require SemanticCommon.

Import CallStack Event isa.CoreSet State PrimitiveValue SemanticCommon.
Import ssreflect ssrfun ssrbool ssreflect.eqtype ssreflect.tuple.

Section EventDefinition.
   Inductive step_event: instruction → smallstep :=
```

## **Event**

# Abstract Syntax

```
OpEvent (in1: in_reg) (in2: in_reg) (is_first: bool)
```

## Syntax

- log.event in1, in2 aliased as event in1, in2
- log.event.first in1, in2 aliased as event.i in1, in2

## Summary

Emit an event with provided key and value. See event for more details on events system.

#### Semantic

- 1. Fetch key and value from in1 and in2.
- 2. If is first is true, mark the event as the first in a chain of events.
- 3. Emit event.

```
| step Event:
 ∀ xs is_first _tag1 _tag2
   key value gs new gs,
   let regs := gs regs xs in
   let pages := gs pages xs in
   let xstack := gs callstack xs in
   emit event (EventQuery { |
                    ev shard id := current shard xstack;
                    ev is first := is first;
                    ev tx number in block := gs tx number in block gs;
                    ev address := current contract xstack;
                    ev key := key;
                    ev value := value;
                  | \}) gs new_gs \rightarrow
    step_event (OpEvent (mk_pv _tag1 key) (mk_pv _tag2 value) is_first)
                 gs global := gs;
                 gs transient := xs;
               | }
                 gs global := new gs;
                 gs_transient := xs;
```

# Affected parts of VM state

Event queue.

## Usage

TODO

## Similar instructions

• OpSLoad, OpSStore, OpEvent, OpToL1Message, OpPrecompileCall are variants of the same mach instruction.

End EventDefinition.

# Library EraVM.sem.ToL1

From RecordUpdate Require Import RecordSet.

Require SemanticCommon.

Import Arith Common Ergs CallStack Event TransientMemory isa.CoreSet State
 PrimitiveValue SemanticCommon RecordSetNotations.
Import ssreflect.tuple ssreflect.eqtype.

Section ToL1Definition.

Open Scope ZMod scope.

# ToL1Message

## **Abstract Syntax**

OpToL1Message (in1: in\_reg) (in2: in\_reg) (is\_first: bool)

# **Syntax**

- log.to 11 in1, in2 aliased as event in1, in2
- log.to l1 event.first in1, in2 aliased as event.i in1, in2

## Summary

Emit a message to L1 with provided key and value. See event for more details on events system.

## Semantic

- 1. Fetch key and value from key and value.
- 2. If is first is true, mark the event as the first in a chain of events.
- 3. Emit L1 message event.

```
Inductive step tol1: instruction → smallstep :=
  | step_ToL1:
    ∀ cs new cs is first key value gs new_gs cost cost_truncated ts1 ts2 ___
  1,
      cost = gs current ergs per pubdata byte gs x ergs of
L1 MESSAGE PUBDATA BYTES →
      cost < (fromZ (unsigned_max ergs_bits)) →</pre>
      cost truncated = low ergs bits cost →
      pay cost truncated cs new cs →
      emit 11 msg {|
          ev shard id := current shard cs;
          ev is first := is first;
          ev tx number in block := gs tx number in block gs;
          ev address := current contract cs;
          ev key := key;
          ev value := value;
        |} gs new gs →
      ts2 = ts1 < | gs callstack := new cs |> \rightarrow
      step_tol1 (OpToL1Message (mk_pv __ key) (mk_pv ___1 value) is_first)
             gs transient := ts1;
             gs_global := gs;
           | }
             gs transient := ts2;
             gs global := new gs;
```

## Affected parts of VM state

Event queue.

## Usage

Communicating with L1.

#### Similar instructions

• OpSLoad, OpSStore, OpEvent, OpToL1Message, OpPrecompileCall share the same opcode.

End ToL1Definition.

# Library EraVM.sem.PrecompileCall

From RecordUpdate Require Import RecordSet.

Require SemanticCommon Precompiles.

Import Addressing ABI Bool Common Coder Predication Ergs CallStack Event
TransientMemory MemoryOps isa.CoreSet State

Addressing.Coercions PrimitiveValue SemanticCommon RecordSetNotations PrecompileParametersABI.

Section PrecompileCallDefinition.

Open Scope ZMod\_scope.

Import ssreflect.tuple ssreflect.eqtype.

# PrecompileCall

## **Abstract Syntax**

OpPrecompileCall (in1: in\_reg) (in2: in\_reg) (dst:out\_reg)

## Syntax

• log.precompile in1, in2, out1

## Summary

A precompile call is a call to an extension of a virtual machine. The extension operates differently

depending on the currently executing contract's address. Only system contracts may have precompiles.

#### Semantic

Attempt to pay the extra cost:

$$cost_{extra} = in_2 \mod 2^{32}$$

- · If the cost is affordable:
  - $\circ$  pay  $cost_{extra}$
  - execute the precompile logic associated to the currently executing contract. This will emit a special event.
  - $\circ$  set  $out_1$  to one.

```
Inductive step precompile: instruction → smallstep :=
  | step PrecompileCall affordable:
    \forall flags pages cs regs result new cs extra ergs gs new gs ctx 1 new xs
params,
      let heap id := active heap id cs in
     let cost := low ergs_bits extra_ergs in
     pay cost cs new cs →
      result = one256 →
     let xs := {|
                     gs callstack := new cs;
                     gs regs := regs;
                     gs pages := pages;
                     gs flags := flags;
                     gs context u128 := ctx;
                     gs status := NoPanic;
      Precompiles.precompile processor (current contract cs) params xs new xs →
      emit event (PrecompileQuery { |
                      q_contract_address := current_contract cs;
                      q tx number in block := gs tx number in block gs;
                      q shard id := current shard cs;
                      q key := params;
                    |}) gs new gs →
      step precompile (OpPrecompileCall (Some (IntValue params)) (mk pv 1
extra ergs) (IntValue result))
                        gs transient := {|
                                      gs regs := regs;
                                      gs pages := pages;
                                      gs callstack := cs;
                                      gs flags := flags;
                                      gs context u128 := ctx;
```

```
gs_status := NoPanic;
    |};
    gs_global := gs;

|}
{|
    gs_transient := new_xs;
    gs_global := new_gs;
|}
```

• If the cost is unaffordable, do not pay anything beyound  ${\tt base\_cost}$  of this instruciton. Set  $out_1$  to zero.

```
| step PrecompileCall unaffordable:
    \forall flags pages cs regs extra ergs 1 2 s1 s2 result ctx,
      let cost := low ergs bits extra ergs in
      affordable cs cost = false →
      result = zero256 \rightarrow
      step transient only
        { |
          gs callstack := cs;
          gs regs := regs;
          gs flags := flags;
          qs pages := pages;
          gs context u128 := ctx;
          gs status := NoPanic;
          gs callstack := ergs reset cs;
          gs regs := regs;
          gs flags := flags;
          gs pages := pages;
          gs context u128 := ctx;
          gs status := NoPanic;
        |} s1 s2 →
      step_precompile (OpPrecompileCall ___2 (mk_pv ___1 extra_ergs) (IntValue
result)) s1 s2
End PrecompileCallDefinition.
```

# Library EraVM.sem.Contract

```
From RecordUpdate Require Import RecordSet.

Require SemanticCommon.

Import Addressing ABI Bool Coder Core Common Predication Ergs CallStack
```

TransientMemory MemoryOps isa.CoreSet State
Addressing.Coercions PrimitiveValue SemanticCommon RecordSetNotations
ABI.MetaParametersABI.

Section ContractDefinitions.

# ContractThis Abstract Syntax

OpContractThis (out: out\_reg)

# Syntax

context.this out

## Summary

Retrieves the address of the currently executed contract.

## Semantic

- Fetch the address of the currently executed contract from the active external frame.
- Widen the address to word bits, zero-extended, and write to register out.

## Affected parts of VM state

• registers : out register is modified.

## Usage

On OpDelegateCall this address is preserved to be one of the caller. See select this address.

## Similar instructions

See OpContractCaller, OpContractCodeAddress.

# Encoding

A variant of context mach\_instruction.

```
Inductive step_contract: instruction → smallstep :=

| step_ContractThis:
| V this_addr (this_addr_word:word) (s1 s2: state),

| this_addr = ecf_this_address (active_extframe (gs_callstack s1)) →
| this_addr_word = widen word_bits this_addr →

| step_contract (OpContractThis (IntValue this addr_word)) s1 s2
```

# ContractCaller

# **Abstract Syntax**

OpContractCaller (out: out\_reg)

# Syntax

context.caller out

# Summary

Retrieves the address of the contract which has called the currently executed contract.

## Semantic

- Fetch the address of the currently executed contract from the active external frame.
- Widen address is widened to word bits, zero-extended, and written to register out.

## Affected parts of VM state

· registers : out register is modified.

## Usage

On OpDelegateCall this address is preserved to be the caller of the caller. See select sender.

#### Similar instructions

See OpContractThis, OpContractCodeAddress.

# **Encoding**

A variant of context mach instruction.

# ContractCodeAddress Abstract Syntax

OpContractCodeAddress (out: out\_reg)

## Syntax

context.code source out

## Summary

Retrieves the address of the contract code that is actually being executed.

## Semantic

- Fetch the contract address of the currently executed code from the active external frame.
- Widen the address to word bits, zero-extended, and write to register out.

## Affected parts of VM state

registers: out register is modified.

## Usage

- In the execution frame created by OpDelegateCall this will be the address of the contract that was called by OpDelegateCall.
- Necessary to implement Solidity's immutable under OpDelegateCall.

#### Similar instructions

See OpContractThis, OpContractCaller.

# **Encoding**

End ContractDefinitions.

• A variant of context mach instruction.

# Library EraVM.sem.VM

```
From RecordUpdate Require Import RecordSet.

Require SemanticCommon.

Import Addressing ABI Bool Coder Core Common Predication Ergs CallStack TransientMemory MemoryOps isa.CoreSet State
   Addressing.Coercions PrimitiveValue SemanticCommon RecordSetNotations ABI.MetaParametersABI.

Section VMDefinitions.

Inductive step_vm: instruction → smallstep :=
```

# VMErgsLeft Abstract Syntax

OpVMErgsLeft (out: out\_reg)

## Syntax

context.ergs left out

## Summary

Retrieves the number of ergs allocated for the current frame.

#### Semantic

- Fetch the currently allocated ergs from the topmost frame, external or internal. The ergs belonging to the parent frames are not counted.
- Widen the ergs number to word\_bits, zero-extended, and write to out.

## Affected parts of VM state

registers: out register is modified.

# Usage

- Check if the number of ergs is sufficient for an expensive task.
- Should be used before OpPrecompileCall.

## Similar instructions

The context instruction family.

## **Encoding**

A variant of context mach instruction.

```
∀ ergs_left_word (s1 s2:state),
  ergs_left_word = widen word_bits (ergs_remaining (gs_callstack s1)) →
  step vm (OpvMErgsLeft (IntValue ergs left word)) s1 s2
```

# **VMSP**

## **Abstract Syntax**

OpVMSp (out: out\_reg)

# Syntax

context.sp out

## Summary

Retrieves current stack pointer.

## Semantic

- Fetch the current SP from the topmost frame, external or internal.
- Widen the SP value to word bits, zero-extended, and write to out.

## Affected parts of VM state

• registers : out register is modified.

## Usage

- · Check if the number of ergs is sufficient for an expensive task.
- Should be used before OpPrecompileCall.

## Similar instructions

The context instruction family.

## **Encoding**

• A variant of context mach\_instruction.

# **VMMeta**

VM internal state introspection.

## Abstract Syntax

OpVMMeta (out: out reg)

# Syntax

context.meta out

## Summary

Fetches

## Semantic

• Stores the encoded value of MetaParametersABI in out. They follow the structure:

```
Record params := {
    ergs_per_pubdata_byte: ergs;
    heap_size: mem_address;
    aux_heap_size: mem_address;
    this_shard_id: shard_id;
    caller_shard_id: shard_id;
    code_shard_id: shard_id;
}.
```

## Affected parts of VM state

· registers : out register is modified.

#### Similar instructions

The context instruction family.

# **Encoding**

• A variant of context mach instruction.

# Library EraVM.sem.Context

```
From RecordUpdate Require Import RecordSet.

Require SemanticCommon.

Import Addressing ABI Bool Coder Core Common Predication Ergs CallStack TransientMemory MemoryOps isa.CoreSet State
   Addressing.Coercions PrimitiveValue SemanticCommon RecordSetNotations ABI.MetaParametersABI.

Section ContextDefinitions.

Inductive step_context: instruction → smallstep :=
```

## ContextGetContextU128

## **Abstract Syntax**

OpContextGetContextU128 (out: out reg)

## Syntax

context.get context u128 out

# Summary

Retrieves current captured context value from the active external frame.

Does not interact with the context register.

## Semantic

- Fetch the current context value from the active external frame.
- Widen the context value from 128 bits to word bits, zero-extended, and write to out.

## Affected parts of VM state

· registers : out register is modified.

## Usage

• See gs\_context\_u128, ecf\_context\_u128\_value.

## Similar instructions

- The context instruction family.
- Farcalls capture context. See OpFarCall, OpMimicCall, OpDelegateCall.

## Encoding

• A variant of context mach instruction.

### ContextSetContextU128

- · Only in kernel mode.
- Forbidden in static calls.

### Abstract Syntax

OpContextSetContextU128 (in: in reg)

### Syntax

context.set context u128 out

#### Summary

Sets context register.

Does not interact with the captured context value in the active external frame.

#### Semantic

- Fetch the value from out and narrow it to 128 bits.
- Store the shrunk value in the context register gs context u128.

#### Affected parts of VM state

• registers : out register is modified.

#### Usage

• See gs\_context\_u128, ecf\_context\_u128\_value.

#### Similar instructions

The context instruction family.

• Farcalls capture context. See OpFarCall, OpMimicCall, OpDelegateCall.

### Encoding

• A variant of context mach instruction.

```
| step_SetContextReg:

V (new_context256 :word) any_tag (new_context_u128:u128) xs1 xs2 s1 s2,
new_context_u128 = low 128 new_context256→
xs2 = xs1 <| gs_context_u128 := new_context_u128 |> →
step_transient_only xs1 xs2 s1 s2 →

step_context (OpSetContextReg (mk pv any tag new context256)) s1 s2
```

### ContextIncrementTxNumber

- · Kernel only.
- Forbidden in static context.

### Abstract Syntax

OpIncrementTxNumber

### Syntax

context.inc tx num out

### Summary

- Reset all transient storage.
- Increment the tx number counter in gs tx number in block.

#### Semantic

### Affected parts of VM state

- Tx counter.
- Transient storages.

### Usage

Utility in system contracts.

#### Similar instructions

• The context instruction family.

### **Encoding**

• A variant of context mach\_instruction.

```
(* FIXME: clear transient storage *)
| step_ContextIncTx:
| V transient gs new_gs,
| global_state_increment_tx tx_inc gs new_gs ->
| step_context OpIncrementTxNumber
| {|
| gs_transient := transient;
| gs_global := gs;
| | }
| {|
| gs_transient := transient;
| gs_global := new_gs;
| | }
```

End ContextDefinitions.

# Library EraVM.Coder

```
Require Common.
Import ssreflect ssrfun.
Section Encoding.
```

# **Encoding**

Application Binary Interfaces (ABI) require describing serialization and describing are alization.

Serialization encodes an instance of type T into a word of type word.

• Deserialization tries to decode an instance of type T from a word of type word.

```
Context {U T:Type}.
```

The type  $\underline{\mathtt{decoder}}$  defines an embedding of a subset of words of type  $\underline{\mathtt{word}}$  to a type  $\underline{\mathtt{T}}$ . Decoding may fail if the input word is malformed.

```
Definition decoder := U \rightarrow \text{option } T.
```

Definition encoder defines an embedding of type T to a set of possible word values.

```
Definition encoder := T \rightarrow \text{option U}.

Definition revertible (decode:decoder) (encode:encoder) := \forall obj encoded, encode obj = Some encoded \rightarrow decode encoded = Some obj.
```

The record coder connects a specific decoder with the matching encoder, and proofs of their properties.

revertible decode encode formalizes the following: if we encode an element t of type

```
Record coder := mk_coder {
    decode: decoder;
    encode: encoder;
```

decode and encode should be mutual inverses in the following sense:

```
_: revertible decode encode;
}.
End Encoding.

Section Properties.

Context {A B C: Type}.

Section PropertyComposition.
    Context (encode1: @encoder B A) (decode1:@decoder B A) (encode2: @encoder C B) (decode2: @decoder C B).
```

```
Theorem revertible1_compose:
    revertible decode1 encode1 →
    revertible decode2 encode2 →
    let encode3 : A → option C := pcomp encode2 encode1 in
    let decode3 : C → option A := pcomp decode1 decode2 in
    revertible decode3 encode3.

End PropertyComposition.

Definition coder_compose (c2: @coder C B) (c1: @coder B A) : @coder C A.
    Defined.
End Properties.
```

## Library EraVM.ABI

```
Require Coder Ergs Pointer GPR MemoryManagement TransientMemory lib.BitsExt.

Import ssreflect ssreflect.ssrfun ssreflect.ssrbool ssreflect.eqtype ssreflect.tuple zmodp.

Import Core Common Coder Bool GPR Ergs MemoryManagement TransientMemory Pointer.
```

# Application binary interface (ABI)

This section details the serialization and deserialization formats for compound instruction arguments.

The description from Rust VM implementation is described here: https://github.com/matter-labs/zkevm\_opcode\_defs/blob/v1.4.1/src/definitions/abi

```
Require Export

ABI.FatPointerABI

ABI.MetaParametersABI

ABI.PrecompileParametersABI

ABI.NearCallABI

ABI.FarRetABI

ABI.FarCallABI
```

# Library EraVM.ABI.NearCallABI

```
Require Coder Ergs TransientMemory.

Import ssreflect.

Import Types Core Coder Ergs TransientMemory.

Section NearCallABI.
```

Near call may only accept one parameter: the amount of ergs allocated to it.

```
Record params: Type :=

mk_params {
    ergs_passed: u32; (* in low 32 bits *)
    }.

Definition encode : params → option u32 := fun p → Some p. (ergs_passed).
Definition decode : u32 → option params := fun u → Some (mk_params u).

Definition encode_word (p:params) (high224: u224) : option word := option_map (fun encoded → high224 ## encoded) (encode p).

Definition decode_word (w:word) : option (u224 × params) := option_map (fun decoded → (@high 224 32 w, decoded)) (decode (low 32 w)).

Definition coder : @coder u32 params.
Defined.
End NearCallABI.

Library EraVM.ABI.FatPointerABI
```

```
Require Coder Pointer lib.BitsExt.
Import ssreflect ssreflect.ssrfun ssreflect.eqtype ssreflect.tuple.
Import Core Common Coder Pointer lib.BitsExt.
Section FatPointerABI.
 Record fat ptr layout displays the memory layout of a 128-bit fat pointer.
Record fat ptr layout := mk fat ptr layout {
                               length: u32;
                               start: u32;
                               page: u32;
                               offset: u32;
Definition null fat ptr layout := mk fat ptr layout zero32 zero32 zero32
zero32.
Section LayoutCoder.
 Functions encode layout and decode layout formalize the encoding of a fat ptr nullable to
 fat ptr layout.
  Definition encode layout : @encoder fat ptr layout fat ptr nullable :=
    fun fp : fat ptr nullable ⇒
      match fp with
```

```
| NullPtr ⇒ Some null fat ptr layout
      | NotNullPtr (mk fat ptr p (mk ptr (mk span s l) ofs)) \Rightarrow
          if (p == 0) \mid \mid (p \ge 2^32) then None else
            Some (mk fat ptr layout 1 s (# p) ofs)
      end.
  Definition decode layout : @decoder fat ptr layout fat ptr nullable :=
    fun w: fat_ptr_layout ⇒
      match w with
      | mk fat ptr layout length start page offset ⇒
          if page == zero32 then Some NullPtr else
            Some (NotNullPtr {|
                       fp page := toNat page;
                       fp ptr := {|
                                  p span := mk span start length;
                                  p offset := offset;
                                | }
                     | } )
      end.
  Theorem layout coding revertible: revertible decode layout encode layout.
  Definition fat ptr layout coder: @Coder.coder fat ptr layout
fat ptr nullable
    := mk_coder decode_layout encode_layout layout_coding_revertible.
End LayoutCoder.
Section BinaryCoder.
  #[local] Open Scope ZMod scope.
  Definition encode bin: @encoder u128 fat ptr layout :=
    fun fp: fat ptr layout ⇒
      match fp with
      | mk fat ptr layout length start page offset ⇒
          Some (length ## start ## page ## offset)
      end.
  Definition decode bin : @decoder u128 fat ptr layout :=
    fun w: u128 \Rightarrow
      let length := w \{ 3 \times 32, 4 \times 32 \} in
      let start := w \{ 2 \times 32, 3 \times 32 \} in
      let page := w \{ 32, 2 \times 32 \} in
      let offset := w { 0, 32 } in
      Some (mk fat ptr layout length start page offset).
  Lemma fat ptr bin revertible: revertible decode bin encode bin.
  Definition binary coder: @Coder.coder u128 fat ptr layout :=
    mk coder decode bin encode bin fat ptr bin revertible.
End BinaryCoder.
Section ComposedCoder.
 Definition ABI : @Coder.coder u128 fat ptr nullable :=
    coder compose binary coder fat ptr layout coder.
  Definition decode fat ptr (w:u128) : option fat ptr nullable := ABI.(decode)
```

```
Definition decode fat ptr word (w:word) : option (u128 × fat ptr nullable) :=
   let (high128, low128) := split2 128 128 w in
   match decode fat ptr low128 with
   | Some fpn \Rightarrow Some (high128, fpn)
   end
 Definition decode heap ptr (w:word) : option (u224 × heap ptr) :=
   let (msbs, ofs) := split2 32 w in
   Some (msbs, mk hptr ofs).
 Definition encode heap ptr (h:heap ptr) : option u32 :=
   Some (hp addr h)
 Definition encode heap ptr word (high224: u224) (h:heap ptr) : option word :=
   match encode heap ptr h with
   | Some hpenc ⇒ Some (high224 ## hpenc)
   ⇒ None
   end
 Definition encode fat ptr (fp: fat ptr nullable) : option u128 :=
ABI. (encode) fp.
 Definition encode fat ptr word (high bytes: u128) (fp: fat ptr nullable) :
option word :=
   match encode fat ptr fp with
```

# Library EraVM.ABI.ForwardPageTypesABI

| Some enc  $\Rightarrow$  Some (high bytes ## enc)

 $\mid \ \_ \Rightarrow \text{None}$ 

End ComposedCoder.
End FatPointerABI.

end.

```
Require Coder Ergs MemoryManagement Pointer TransientMemory lib.BitsExt
ABI.FatPointerABI.

Import ssreflect ssreflect.ssrfun ssreflect.eqtype ssreflect.tuple.
Import Arith Core Common Coder Ergs MemoryManagement Pointer TransientMemory
lib.BitsExt FatPointerABI.

Module FarCallForwardPageType.
Definition UseHeap: u8 := # 0.
Definition ForwardFatPointer: u8 := # 1.
Definition UseAuxHeap: u8 := # 2.
(* other u8 values are mapped to UseHeap. *)
End FarCallForwardPageType.

Definition data_page_type_to_u8 (t:data_page_type): u8 :=
```

```
match t with
 | Heap ⇒ FarCallForwardPageType.UseHeap
 | AuxHeap ⇒FarCallForwardPageType.UseAuxHeap
Definition span of (fp: fat ptr layout) : option span :=
 if fp.(offset) == zero32
 then Some (mk_span fp.(start) fp.(length))
 else None
Definition fwd memory adapter (fwd type: u8) (raw fat ptr layout:
fat ptr layout) : option MemoryManagement.fwd memory:=
 if fwd type == FarCallForwardPageType.ForwardFatPointer then
   option map ForwardExistingFatPointer
      (FatPointerABI.decode layout raw fat ptr layout)
   match span_of raw_fat_ptr_layout with
   | Some span ⇒
       Some (
           if fwd type == FarCallForwardPageType.UseAuxHeap then
             ForwardNewFatPointer AuxHeap span
            else (* Heap or a default option *)
             ForwardNewFatPointer Heap span
   | None ⇒ None
   end
```

# Library EraVM.ABI.FarCallABI

```
Require Coder Ergs memory.Depot MemoryManagement Pointer lib.BitsExt ABI.FatPointerABI ABI.ForwardPageTypesABI.

Import ssreflect ssreflect.ssrfun ssreflect.eqtype ssreflect.tuple.

Import Arith Core Common Coder Ergs memory.Depot MemoryManagement Pointer TransientMemory lib.BitsExt FatPointerABI ForwardPageTypesABI.
```

Section FarCallABI.

This record describes all the parameters that FarCalls can use.

```
Record params :=
  mk_params {
    fwd_memory: fwd_memory;
    ergs_passed: ergs;
    shard_id: shard_id;
    constructor_call: bool;
    to_system: bool;
}.
```

This record describes the layout of 256-bit word that encodes these parameters.

```
Record params layout :=
  mk params layout {
      raw_to_system_bool: u8;
      raw constructor call bool: u8;
      raw shard id: u8;
      raw memory_forwarding_type_enum : u8;
      raw ergs passed: u32;
      (*raw reserved: u64; *)
      raw fat ptr layout: fat ptr layout;
Section BinaryCoder.
  Open Scope ZMod scope.
  Definition encode bin : @encoder word params layout :=
    fun params ⇒
      match params with
       | mk params layout to system8 constructor call8 shard id8
memory forwarding type8 ergs passed32 (* reserved64 *) fat ptr layout128 \Rightarrow
          match FatPointerABI.encode bin fat ptr layout128 with
          | Some ptr_encoded128 ⇒ Some (
                                        to system8 ## constructor call8 ##
shard id8 ## memory forwarding type8 ##
                                          ergs passed32 ##
                                          zero64 ##
                                          ptr encoded128)
          | None ⇒ None
          end
      end
  Definition decode bin : @decoder word params layout :=
    fun w ⇒
      let to system : u8 := w \{ 256-8, 256 \} in
      let constructor call : u8 := w \{ 256 - 2 \times 8, 256 - 8 \} in
      let shard id : u8 := w \{ 256 - 3 \times 8, 256 - 2 \times 8 \} in
      let memory forwarding type : u8 := w \{ 256 - 4 \times 8, 256 - 3 \times 8 \} in
      let ergs passed : u32 := w \{ 256 - 2 \times 32, 256 - 32 \} in
      let ptr : option fat ptr layout := FatPointerABI.decode bin (low 128 w)
in
      match ptr with
      | Some ptr → Some (mk params layout to system constructor call shard id
memory forwarding type ergs passed ptr )
      | None ⇒ None
      end.
  Theorem binary coder revertible: revertible decode bin encode bin.
  Definition coder binary : @coder word params layout :=
    mk coder decode bin encode bin binary coder revertible.
End BinaryCoder.
```

```
Section LayoutCoder.
 Definition encode layout: @encoder params layout params :=
fun params ⇒
 match params with
 | mk params (ForwardExistingFatPointer fptr) ergs passed shard id
constructor call to system ⇒
     match FatPointerABI.encode_layout fptr with
        | Some ptr layout ⇒
            Some
              { |
                raw to system bool:= if to system then # 1 else # 0;
                raw constructor call bool := if constructor call then # 1 else
# 0;
                raw shard id := shard id;
                raw memory forwarding type enum :=
FarCallForwardPageType.ForwardFatPointer;
                raw ergs passed:= ergs passed;
                (*raw reserved: u64; *)
                raw fat ptr layout:= ptr layout;
      | None ⇒ None
     end
 | mk params (ForwardNewFatPointer heap variant span) ergs passed shard id
constructor_call to_system ⇒
     Some
          raw to system bool:= if to system then # 1 else # 0;
          raw constructor call bool := if constructor call then # 1 else # 0;
          raw shard id := shard id;
          raw memory forwarding type enum := data page type to u8 heap variant;
          raw ergs passed := ergs passed;
          (*raw reserved: u64; *)
          raw fat ptr layout:= {|
                                start := span.(s start);
                                length := span.(s length);
                                page := zero32;
                                offset := zero32;
                              | };
        | }
 end.
 Definition decode layout: @decoder params layout params :=
    fun layout ⇒
     match layout with
      | mk params layout raw to system bool raw constructor call bool
raw shard id raw memory forwarding type enum raw ergs passed raw fat ptr layout
          match fwd memory adapter raw memory forwarding type enum
raw fat ptr layout with
          | Some fwd_memory_value → Some (
                                          fwd memory := fwd memory value;
                                          ergs passed := raw ergs passed;
                                          shard id := raw shard id;
                                          constructor call :=
raw constructor call bool != zero8;
```

```
to_system := raw_to_system_bool !=
zero8;

| None \Rightarrow None
end
end
.
Theorem layout_coding_revertible: revertible decode_layout encode_layout.

Definition coder_layout := mk_coder decode_layout encode_layout
layout_coding_revertible.

End LayoutCoder.

Definition coder := coder_compose coder_binary coder_layout.
End FarCallABI.
```

# Library EraVM.ABI.FarRetABI

Require Coder Ergs MemoryManagement Pointer lib.BitsExt ABI.FatPointerABI ABI.ForwardPageTypesABI.

Import ssreflect.ssrfun ssreflect.eqtype ssreflect.tuple.

Import Arith Core Common Coder Ergs MemoryManagement Pointer TransientMemory
lib.BitsExt FatPointerABI ForwardPageTypesABI.

This record describes all the parameters that far returns can use.

```
Section FarRetABI.
  Record params :=
  mk_params {
     fwd_memory: fwd_memory;
  }.
```

This record describes the layout of 256-bit word that encodes these parameters.

```
Record params_layout :=
   mk_params_layout {
        (* reserved 3 bytes *)
        raw_memory_forwarding_type_enum : u8;
        (* last 16 bytes contain the pointer *)
        raw_fat_ptr_layout: fat_ptr_layout;
    }.

Section BinaryCoder.
   Open Scope ZMod_scope.
   Definition encode_bin : @encoder word params_layout :=
        fun params ⇒
```

```
match params with
       | mk params layout memory forwarding type8 fat ptr layout128 ⇒
          match FatPointerABI.encode bin fat ptr layout128 with
          | Some ptr encoded128 → Some (zero8 ## zero8 ## zero8 ##
memory forwarding type8 ##
                                         zero32 ##
                                         zero64 ##
                                         ptr encoded128)
          | None ⇒ None
          end
      end
  Definition decode bin : @decoder word params layout :=
      let memory forwarding type : u8 := w \{ 256 - 4 \times 8, 256 - 3 \times 8 \} in
      let ptr : option fat ptr layout := FatPointerABI.decode bin (low 128 w)
in
     match ptr with
      | Some ptr → Some (mk params layout memory forwarding type ptr)
      | None ⇒ None
      end.
 Theorem binary coder revertible: revertible decode bin encode bin.
  Definition coder binary : @coder word params layout :=
    mk coder decode bin encode bin binary coder revertible.
End BinaryCoder.
Section LayoutCoder.
Definition encode layout: @encoder params layout params :=
fun params ⇒
 match params with
 | mk params (ForwardExistingFatPointer fptr) ⇒
      match FatPointerABI.encode layout fptr with
      | Some ptr layout ⇒
            Some
              { |
                raw memory forwarding type enum :=
FarCallForwardPageType.ForwardFatPointer;
                raw_fat_ptr_layout:= ptr_layout;
              | }
      | None ⇒ None
  | mk params (ForwardNewFatPointer heap variant span) ⇒
      Some
          raw memory forwarding type enum := data page type to u8 heap variant;
          raw_fat_ptr_layout:= {|
                                start := span.(s start);
                                length := span.(s length);
                                page := zero32;
                                offset := zero32;
                              | };
        | }
```

```
end.
 Definition decode layout: @decoder params layout params :=
   fun layout ⇒
     match layout with
      \mid mk params layout raw memory forwarding type enum raw fat ptr layout \Rightarrow
          match fwd memory adapter raw memory forwarding type enum
raw_fat_ptr_layout with
          | Some fwd memory value → Some (mk params fwd memory value)
          | None ⇒ None
          end
      end
 Theorem layout coding revertible: revertible decode layout encode layout.
 Definition coder layout := mk coder decode layout encode layout
layout coding revertible.
End LayoutCoder.
Definition coder := coder compose coder binary coder layout.
End FarRetABI.
```

### Library EraVM.ABI.MetaParametersABI

```
Require Coder Ergs memory.Depot MemoryManagement Pointer TransientMemory lib.BitsExt.

Import ssreflect ssreflect.ssrfun ssreflect.eqtype ssreflect.tuple.

Import Arith Core Common Coder Ergs memory.Depot TransientMemory MemoryManagement Pointer lib.BitsExt.

Section MetaParametersABI.
```

Meta parameters are returned by OpContextMeta. This record shows the data that is contained in it.

```
Record params :=
  mk_params {
    ergs_per_pubdata_byte: ergs;
    heap_size: mem_address;
    aux_heap_size: mem_address;
    this_shard_id: shard_id;
    caller_shard_id: shard_id;
    code_shard_id: shard_id;
}
```

This record describes the exact memory layout in a 256-bit word, which holds parameters.

```
Record params layout :=
 mk params layout {
      (* reserved: u8 *)
      l code shard id : u8;
      l caller shard id : u8;
      l this shard id : u8;
     (* reserved: u96 *)
      l aux heap size : u32;
      l heap size : u32;
      (* reserved: u32 *)
      l ergs per pubdata byte: u32;
 } .
Section BinaryCoder.
  #[local] Open Scope ZMod scope.
  Context (zero96 : BITS 96 := # 0).
  Definition encode bin : @encoder word params layout :=
    fun layout ⇒
      match layout with
      | mk params layout
          1 code shard id8
          l caller shard id8
          1 this shard id8
          l aux heap size32
          1 heap size32
          l ergs per_pubdata_byte32
               zero8 ## 1 code shard id8 ## 1 caller shard id8 ##
1 this shard id8 ## zero96 ## 1 aux heap size32 ## 1 heap size32 ## zero32 ##
l ergs per pubdata byte32)
      end.
  Definition decode bin: @decoder word params layout :=
    fun w \Rightarrow
      Some { |
          (* reserved: u8 *)
          1 code shard id := w \{ 256 - 2 \times 8, 256 - 8 \};
          1 caller shard id := w \{256 - 3 \times 8, 256 - 2 \times 8\};
          1 this shard id := w \{256 - 4 \times 8, 256 - 3 \times 8\};
          (* reserved: u96 *)
          1 aux heap size := w \{ 3 \times 32, 4 \times 32 \};
          1 heap size := w \{ 2 \times 32, 3 \times 32 \};
          (* reserved: u32 *)
          l ergs per pubdata byte:= w { 0, 32 };
        | } .
  Theorem binary coder revertible: revertible decode bin encode bin.
  Definition binary coder := mk coder decode bin encode bin
binary coder revertible.
End BinaryCoder.
```

```
Section LayoutCoder.
Definition decode layout : @decoder params layout params :=
 fun layout ⇒
   match layout with
    | mk params layout 1 code shard id 1 caller shard id 1 this shard id
l_aux_heap_size l_heap_size
        l_ergs_per_pubdata byte \Rightarrow Some
                                       ergs per pubdata byte :=
l ergs per pubdata byte;
                                      heap size := 1 heap size;
                                       aux heap size := l aux heap size;
                                       this shard id := 1 this shard id;
                                       caller shard id := 1 caller shard id;
                                       code shard id := 1 code shard id;
    end.
Definition encode layout : @encoder params layout params :=
  fun params ⇒
    match params with
    | mk params ergs per pubdata byte heap size aux heap size this shard id
caller shard id code shard id ⇒ Some
                                       l ergs per pubdata byte :=
ergs per pubdata byte;
                                      l heap size := heap size;
                                      l aux heap size := aux heap size;
                                      l this shard id := this shard id;
                                      l caller shard id := caller shard id;
                                       l code shard id := code shard id;
    end.
Theorem layout coder revertible: revertible decode layout encode layout.
  Definition layout coder := mk coder decode layout encode layout
layout coder revertible.
End LayoutCoder.
Definition coder := coder compose binary coder layout coder.
End MetaParametersABI.
```

# Library EraVM.ABI.PrecompileParametersABI

```
Require Coder TransientMemory lib.BitsExt.

Import ssreflect ssreflect.ssrfun ssreflect.eqtype ssreflect.tuple.

Import Core Common Coder TransientMemory lib.BitsExt.
```

```
Section PrecompileParametersABI.
  Record params :=
  mk params
      input memory offset: mem address;
      input memory length: mem address;
      output_memory_offset: mem_address;
      output memory length: mem address;
      per precompile interpreted: u64;
      memory page to read: page id;
      memory page to write: page id;
      precompile interpreted data: u64;
    } .
equality
Definition params eqn (x y: params) : bool :=
  (x.(input memory offset) == y.(input memory offset)) &&
    (x.(input memory length) == y.(input memory length)) &&
    (x.(output memory offset) == y.(output memory offset)) &&
    (x.(output memory length) == y.(output memory length)) &&
    (x.(per precompile interpreted) == y.(per precompile interpreted)) &&
    (x.(memory page to read) == y.(memory page to read)) &&
    (x.(memory page to write) == y.(memory_page_to_write)) &&
    (x.(precompile interpreted data) == y.(precompile interpreted data)).
Lemma params eqnP : Equality.axiom params eqn.
Proof.
 move \Rightarrow x y.
 unfold params eqn.
  destruct x, y = > //=.
  repeat match goal with
           [ | - context [(?x == ?y)]] \Rightarrow
             let Hf := fresh "H" in
             destruct (x == y) eqn: Hf; try rewrite Hf
         end =>//=; constructor; auto;
    repeat match goal with [ H: (?x == ?y) = true |- ] \Rightarrow move: H \Rightarrow /eqP \rightarrow
    try injection; intros; subst;
    repeat match goal with [ H: (?x == ?x) = false \mid - ] \Rightarrow rewrite eq refl in H
end =>//=.
  - constructor.
Qed.
Canonical params eqMixin := EqMixin params eqnP.
Canonical params eqType := Eval hnf in EqType params eqMixin.
Axiom ABI: @coder word params.
End PrecompileParametersABI.
```

# Library EraVM.encoding.EncodingUtils

Require Common Predication isa. Modifiers isa. Generated MachISA.

```
Import ZBits ZArith.
Import Common GPR GeneratedMachISA Modifiers Predication.
```

Section EncodingTools.

## Encoding parts of instructions

The encoding of asm instruction is described in two stages:

- 1. asm\_to\_mach describes how fields asm\_instruction are mapped to the EraVM machine instruction mach instruction; this describes the instruction layout.
- 2. encode mach instruction describes the binary encoding of mach instruction.

EraVM instructions mach\_instruction are 64 bits wide. Starting from the least significant bit, they are made of the following parts:

```
    mach opcode (11 bits)
```

- 2 reserved bits
- predicate (3 bits)
- reg names (4 x 4 bits)
- immediate u16 values (2 x 16 bits, big endian)

The precise format is formalized by encode mach instruction.

Their encoding is independent and happens as follows:

- 1. The mach opcode packs together the information about
- the instruction meaning, e.g. is it addition, or call, or something else;
- its source and destination addressing modes. For example, in the encoding of add r1, r0, r3 the meaning of the register R1 in the field op\_src0 is "use the value from register r1 as the first operand". But in the encoding of add stack=[r1], r0, r3 the meaning of the register R1 in the field op\_src0 is "use the value on the stack page by address R1 as the first operand". This difference is reflected in the mach\_opcode field: the addressing modes are encoded by encode\_src\_mode/encode\_src\_special\_mode (for selected instructions)/encode dst mode) and mixed in mach\_opcode by encode\_opcode.

```
Definition encode_src_mode (sm:src_mode) : Z :=
  match sm with
  | SrcReg \Rightarrow 0
  | SrcSpRelativePop \Rightarrow 1
  | SrcSpRelative \Rightarrow 2
  | SrcStackAbsolute \Rightarrow 3
  | SrcImm \Rightarrow 4
  | SrcCodeAddr \Rightarrow 5
  end
.

Definition encode_src_special_mode (sm:src_special_mode) : Z :=
  match sm with
  | SrcSpecialReg \Rightarrow 0
  | SrcSpecialImm \Rightarrow 10
```

```
end
.
Definition encode_dst_mode (sm:dst_mode) : Z :=
  match sm with
  | DstReg \( \infty \) 0
  | DstSpRelativePush \( \infty \) 1
  | DstSpRelative \( \infty \) 2
  | DstStackAbsolute \( \infty \) 3
  end
```

The definitions  $encode\_set\_flags$  and  $encode\_swap$  are encoding the  $mod\_set\_flags$  and  $mod\_swap$  modifier values as one-bit numbers.

```
Definition encode_set_flags (m: mod_set_flags) : Z :=
  match m with
  | SetFlags ⇒ 1
  | PreserveFlags ⇒ 0
  end.
Definition encode_swap(m: mod_swap) : Z :=
  match m with
  | Swap ⇒ 1
  | NoSwap ⇒ 0
  end
```

2. <a href="mailto:encode\_predicate">encode\_predicate</a> maps eight different predicates to their encodings as 3-bit binary numbers.

3. Registers are encoded by their indices as 4-bit numbers, e.g. register R3 is encoded as  $3=0011_2$ . The meaning of two source and two destination registers depends on the instruction and/or addressing modes.

```
Definition encode reg (name:reg name) : BITS 4 :=
  # (reg idx name)
Definition encode reg opt (name:option reg name) : BITS 4 :=
 match name with
 | Some name ⇒ encode reg name
 | None \Rightarrow # 0
 end
      4. Immediate 16-bit values are encoded as-is.
 For example, the instruction sub r0, r1, r2 will be encoded as 00000000210004B, which, in
 binary form, is:
 Let's break it down:
 | 000000000000000 -> imm1
 | 00000000000000 -> imm0
 | 0000 -> Dst1: R0 (4 bits, ignored)
 | 0010 -> Dst0: R2 (4 bits)
 | 0001 -> Src1: R1 (4 bits)
 | 0000 -> Src0: R0 (4 bits)
 | 000 -> Predicate: IfAlways (3 bits)
 | 00 -> Reserved (2 bits)
 | 00001001011 -> Opcode (11 bits)
 Another example: sub stack=[r1+15], r2, stack+=[r3+63] is encoded as:
 003f000f0321007d, which, in binary form, is:
 0000 0000 0011 1111 0000 0000 0000 1111 0000 0011 0010 0001 0000 0000 0111 1101
 Let's break it down:
 | 0000 0000 0011 1111 -> imm1: 63
 | 0000 0000 0000 1111 -> imm0: 15
 | 0000 -> dst1: R0 (4 bits, ignored)
 | 0011 -> dst0: R3 (4 bits)
 | 0010 -> src1: R2 (4 bits)
 | 0001 -> src0: R1 (4 bits)
 | 000 -> Predicate: IfAlways (3 bits)
 | 00 -> Reserved (2 bits)
 | 000 0111 1101 -> Opcode (11 bits)
 Be careful with the big-endian byte order in multibyte numbers.
```

End EncodingTools.

# Library EraVM.encoding.GeneratedEncodeOpcode

```
(* GENERATED FILE, DO NOT EDIT MANUALLY. *)
Require isa. Modifiers encoding. Encoding Utils.
Import ZArith.
Import GeneratedMachISA Modifiers encoding.EncodingUtils.
Section OpcodeEncoderDefinition.
Coercion encode dst mode : dst mode >-> Z.
Coercion encode src mode : src mode >-> Z.
Coercion encode src special mode : src special mode >-> Z.
Coercion encode swap: mod swap >-> Z.
Coercion encode set flags : mod set flags >-> Z.
Coercion Z.b2z: bool >-> Z.
Definition encode opcode (op:mach opcode) : Z :=
  match op with
| OpInvalid \Rightarrow 0
| OpNoOp src dst \Rightarrow 1 + 4 × src + 1 × dst
| OpAdd src dst set flags \Rightarrow 25 + 8 × src + 2 × dst + set flags
| OpSub src dst swap set_flags \Rightarrow 73 + 16 \times src + 4 \times dst + 2 \times set flags + swap
| OpMul src dst set flags \Rightarrow 169 + 8 × src + 2 × dst + set flags
| OpDiv src dst swap set flags \Rightarrow 217 + 16 \times src + 4 \times dst + 2 \times set flags +
| OpJump src \Rightarrow 313 + 1 \times src
| OpXor src dst set flags \Rightarrow 319 + 8 × src + 2 × dst + set flags
| OpAnd src dst set flags \Rightarrow 367 + 8 × src + 2 × dst + set flags
| OpOr src dst set flags \Rightarrow 415 + 8 × src + 2 × dst + set flags
| OpShl src dst swap set flags \Rightarrow 463 + 16 \times src + 4 \times dst + 2 \times set flags +
| OpShr src dst swap set flags \Rightarrow 559 + 16 \times src + 4 \times dst + 2 \times set flags +
| OpRol src dst swap set flags \Rightarrow 655 + 16 \times src + 4 \times dst + 2 \times set flags +
| OpRor src dst swap set flags \Rightarrow 751 + 16 \times src + 4 \times dst + 2 \times set flags +
| OpPtrAdd src dst swap \Rightarrow 847 + 8 × src + 2 × dst + swap
| OpPtrSub src dst swap \Rightarrow 895 + 8 × src + 2 × dst + swap
| OpPtrPack src dst swap \Rightarrow 943 + 8 × src + 2 × dst + swap
| OpPtrShrink src dst swap \Rightarrow 991 + 8 × src + 2 × dst + swap
\mid OpNearCall \Rightarrow 1039
| OpContractThis \Rightarrow 1040
| OpContractCaller \Rightarrow 1041
| OpContractCodeAddress ⇒ 1042
| OpVMMeta ⇒ 1043
| OpVMErgsLeft ⇒ 1044
| OpVMSp \Rightarrow 1045
| OpGetCapturedContext ⇒ 1046
| OpSetContextReg ⇒ 1047
| OpAuxMutating \Rightarrow 1048
| OpIncrementTxNumber ⇒ 1049
```

```
| OpSLoad \Rightarrow 1050
\mid Opsstore \Rightarrow 1051
| OpToL1Message is first ⇒ 1052 + is first
| OpEvent is first \Rightarrow 1054 + is first
| OpPrecompileCall ⇒ 1056
| OpFarCall is shard is static \Rightarrow 1057 + 2 \times is static + is shard
  OpDelegateCall is shard is static \Rightarrow 1061 + 2 \times is static + is shard
| OpMimicCall is shard is static \Rightarrow 1065 + 2 \times is static + is shard
| OpRet to label \Rightarrow 1069 + to label
| OpRevert to label \Rightarrow 1071 + to label
| OpPanic to label \Rightarrow 1073 + to label
| OpLoadHeap src inc \Rightarrow 1075 + 10 \times src + inc
| OpStoreHeap src inc \Rightarrow 1077 + 10 \times src + inc
| OpLoadAuxHeap src inc \Rightarrow 1079 + 10 \times src + inc
  OpStoreAuxHeap src inc ⇒ 1081 + 10 × src + inc
| OpLoadPtr inc \Rightarrow 1083 + inc
| OpDecommit \Rightarrow 1093
| OpTransientLoad ⇒ 1094
| OpTransientStore \Rightarrow 1095
| OpStaticRead src inc \Rightarrow 1096 + 2 × src + inc
| OpStaticWrite src inc ⇒ 1100 + 2 × src + inc
  end
```

End OpcodeEncoderDefinition.

# Library EraVM.encoding.Encoder

```
From RecordUpdate Require Import RecordSet.

Require
   isa.Modifiers
   isa.GeneratedMachISA
   isa.AssemblyToMach
   encoding.EncodingUtils
   encoding.GeneratedEncodeOpcode.

Section MachEncoder.

Import ZArith.

Import Assembly Common GeneratedMachISA GeneratedEncodeOpcode
isa.AssemblyToMach Predication EncodingUtils.
```

# Encoding machine instructions

For an overview of instruction sets and different layers of instructions definitions, used in this specification, refer to InstructionSets.

The binary encoding is defined for mach\_instruction, which is a representation of an EraVM instruction aware of its encoding and layout. Once the asm\_instruction has been transformed into mach\_instruction via asm\_to\_mach, it is trivial to put all of mach\_instruction's fields in binary

```
form via encode_mach_instruction.
 Reminder: ## notation stands for concatenating binary strings; a ## b signifies that b holds less
 significant bits and a is prepended to it, forming a more significant part.
Definition encode_mach_instruction (i:@mach_instruction GPR.reg_name u16) :
BITS 64 :=
 match i with
  | mk ins op code op predicate op src0 op src1 op dst0 op dst1 op imm0 op imm1
     let reserved2 := @fromNat 2 0 in
          op imm1
       ## op_imm0
       ## encode reg op dst1
       ## encode reg op dst0
       ## encode reg op src1
       ## encode reg op src0
       ## encode predicate op predicate
       ## reserved2
       ## @fromZ 11 (encode_opcode op_code)
  end
Definition encode asm (i:predicated asm instruction) : option (BITS 64) :=
  option map encode_mach_instruction (asm_to_mach i)
End MachEncoder.
```

# Library EraVM.Bootloader

```
Require memory.Depot.
Import memory.Depot.

Section Bootloader.
Import ZArith spec.
Open Scope Z.
```

### **Bootloader**

Bootloader is a system contract in charge of block construction (sources).

Formally, bootloader is assigned an address BOOTLOADER\_SYSTEM\_CONTRACT\_ADDRESS, but on execution start EraVM decommits its code directly by its versioned\_hash.

```
Definition BOOTLOADER_SYSTEM_CONTRACT_ADDRESS : contract_address := fromZ ((2^15) + 1).
```

Using the bootloader versioned\_hash, EraVM queries the bootloader code from decommitter and starts executing it.

The heap page of the bootloader is different from other pages: it acts as an interface between server and EraVM. Server is able to modify the contents of this page at will. Server gradually fills it with transaction data, formatted according to an implementation-defined convention.

The bootloader then acts roughly as the following code (not an actual implementation):

```
contract Bootloader {
    function executeBlock(
        address operatorAddress,
        Transaction[2] memory transactions
) {
    for(uint i = 0; i < transactions.length; i++) {
        validateTransaction(transactions[i]);
        chargeFee(operatorAddress, transactions[i]);
        executeTransaction(transactions[i]);
    }
}

function validateTransaction(Transaction memory tx) {
    // validation logic
    }

function chargeFee(address operatorAddress, Transaction memory tx) {
    // charge fee
    }

function executeTransaction(Transaction memory tx) {
    // execution logic
    }
}</pre>
```

The bootloader is therefore responsible for:

- validating transactions;
- executing transactions to form a new block;
- setting some of the transaction- or block-wide transaction parameters (e.g. blockhash, tx.origin).

Server makes a snapshot of EraVM state after completing every transaction. When the bootloader encounters a malformed transaction, it fails, and the server restarts EraVM from the most recent snapshot, skipping this transaction. If a transaction is well-formed, EraVM may still panic while handling it outside the bootloader code. This is a normal situation and is handled by EraVM in a regular way, through panics. See e.g. OpPanic.

The exact code of the bootloader is a part of a protocol; its <u>versioned\_hash</u> is included in the block header.

End Bootloader.

# Library EraVM.Precompiles

Require memory. Depot ABI State.

```
Import ABI memory. Depot State.
```

Section Precompiles.

### Precompiles

Precompiles are extensions of VM bound to one of the system contracts. When this contract executes an instruction <code>OpPrecompileCall</code>, VM executes an algorithm specific to this contract.

This requires preparing data for the precompiled algorithm in a special, algorithm-dependent way.

Precompiles are able to change data pages.

Precompiles may fail.

Precompiles are not revertable; their functioning is not affected by rollbacks.

Currently we formalize precompiles as a black box.

```
Parameter precompile_processor : contract_address →
PrecompileParametersABI.params → transient_state → transient_state → Prop.
End Precompiles.
```

# Library EraVM. Versioned Hash

```
Require Coder PrimitiveValue TransientMemory.
```

```
Section VersionedHash.
   Import ZArith ssrbool eqtype ssreflect ssrfun ssrbool ssreflect.eqtype
ssreflect.tuple zmodp.
   Import Coder Common TransientMemory.

Context {word: Type}.
   Context {ins type: Type} (invalid_ins: ins_type).
```

#### Versioned hash

versioned hash is a hash augmented with additional information. It is used as a key to identify the contract code for decommitter.

Additional information includes:

- VERSION BYTE (currently 1)
- marker (is the contract being constructed or already constructed?)

The hash itself is described by partial hash; it is computed as SHA256 hash modulo  $2^{28\times8}$ .

Definition VERSION BYTE: u8 := fromZ 1%Z.

```
Inductive marker := CODE AT REST | YET CONSTRUCTED | INVALID.
decidable equality
  Scheme Equality for marker.
  Lemma marker eqP: Equality.axiom marker beq.
  Proof. by move \Rightarrow [] []; constructor. Qed.
  Canonical marker eqMixin := EqMixin marker_eqP.
  Canonical marker eqType := Eval hnf in EqType marker marker eqMixin.
  Definition marker valid (m: marker) :=
    match m with
    | INVALID ⇒ false
    |  _- \Rightarrow true
    end.
  Record versioned hash := mk vhash {
                                 code length in words: u16;
                                  extra marker: marker;
                                  partial hash: BITS (28×bits in byte) %nat
  Axiom hash coder: @Coder.coder word versioned hash.
 EraVM accepts DEFAULT AA VHASH as a parameter. See also Parameters.
  Parameter DEFAULT AA VHASH: versioned hash.
  Open Scope ZMod scope.
equality on versioned hashes
 Definition eqn (x y:versioned hash) : bool :=
    match x, y with
    \mid mk vhash 11 em1 ph1 , mk vhash 12 em2 ph2 \Rightarrow
        (11 == 12) \&\& (em1 == em2) \&\& (ph1 == ph2)
    end.
  Lemma eqnP : Equality.axiom eqn.
  Proof.
   move \Rightarrow [11 em1 ph1] [12 em2 ph2].
    simpl.
    destruct (11 == 12) eqn: H1;
      destruct (em1 == em2) eqn: H2;
     destruct (ph1 == ph2) eqn: H3;
     try move: (eqP H1) \Rightarrow ->; try move: (eqP H2) \Rightarrow ->; try move: (eqP H3) \Rightarrow
->; constructor =>//.
    - injection. move \Rightarrow ?; subst. by rewrite eq refl in H3.
    - injection. move \Rightarrow ?; subst. by rewrite eq refl in H2.
    - injection. move \Rightarrow ?; subst. by rewrite eq refl in H3.
```

```
- injection. move ⇒ ?; subst. by rewrite eq_refl in H1.
- injection. move ⇒ ?; subst. by rewrite eq_refl in H3.
- injection. move ⇒ ?; subst. by rewrite eq_refl in H2.
- injection. move ⇒ ?; subst. by rewrite eq_refl in H3.
Qed.

Canonical vh_eqMixin := EqMixin eqnP.
Canonical vh_eqType := Eval hnf in EqType _ vh_eqMixin.
```

End VersionedHash.

## Library EraVM.Decommitter

Require Common ABI lib.Decidability History memory.Depot MemoryOps VersionedHash.

Import Coder Core History VersionedHash Common Decidability Ergs MemoryBase memory.Depot TransientMemory ZArith ABI bits.

```
Section Decommitter.
Open Scope Z.
Open Scope ZMod scope.
```

#### Decommitter

Decommitter is a module external to EraVM, a key-value storage where:

- key is versioned hash
- value is the contract code

**Decommitting** refers to querying contract code from the decommitter and filling new code\_page and const\_page with it. The rest of the code page is filled with invalid instructions; the rest of const page is filled with zeros.

The mapping code\_hash\_location between contract addresses and the hashes of their codes is implemented by the storage of the contract DEPLOYER SYSTEM CONTRACT ADDRESS.

Note: storage with the same contract address may differ between shards.

```
Definition DEPLOYER_SYSTEM_CONTRACT_ADDRESS : contract_address := fromZ
((2^15) + 2).

Definition code_hash_location (for_contract: contract_address)
(sid:Depot.shard_id): fqa_key :=
    mk_fqa_key (mk_fqa_storage sid DEPLOYER_SYSTEM_CONTRACT_ADDRESS) (widen word_bits for_contract).

Context {ins_type: Type} (invalid_ins: ins_type) (code_page := code_page invalid_ins)
    (empty_code : code_page := @mk_code_page _ invalid_ins (empty_))
```

```
(empty_const: const_page := (empty _ )).
  Definition code storage params := {|
                                       addressable block := code page x
const page;
                                       address bits := 256;
                                       default value := (empty code,
empty_const);
                                      writable := false;
                                     | } .
  Definition code storage: Type := mem parameterized code storage params.
Import VersionedHash.
  Record decommitter :=
    mk code mgr {
        cm storage: code storage;
        cm accessed: history vh eqType;
 The versioned hash is called cold if it was not accessed during construction of the current block.
 Otherwise, it is warm. See is first access.
  Definition is first access cm vh := negb (contains _ (cm_accessed cm) vh).
 Decommitting code by a cold versioned hash costs (ERGS PER CODE WORD DECOMMITTMENT * (block
 size in words)) ergs. Decommitting warm code is free.
  Inductive decommitment cost (cm:decommitter) vhash (code_length_in_words:
code length): ergs → Prop :=
  |dc_fresh: ∀ bigcost cost,
      is first access cm vhash = true→
      bigcost = ergs_of Ergs.ERGS PER CODE WORD DECOMMITTMENT × (zeroExtend
(ergs bits - code address bits) code length in words) →
      (toZ bigcost ≤ unsigned max ergs bits)%Z →
      cost = low ergs bits bigcost →
      decommitment cost cm vhash code length in words cost
  |dc not fresh:
    is first access cm vhash = false \rightarrow
    decommitment cost cm vhash code length in words zero32.
  Inductive code fetch hash (d:depot) (cs: code storage) (sid: Depot.shard id)
(contract addr: contract address) :
    option (versioned hash × code length) → Prop :=
  |cfh found: ∀ hash enc code length in words extra marker partial hash,
      storage read d (code hash location contract addr sid) hash enc →
      hash enc ≠ zero256 →
      marker valid extra marker = true →
      hash coder.(Coder.decode) hash enc = Some (mk vhash code length in words
extra marker partial hash) →
      code fetch hash d cs sid contract addr (Some (mk vhash
```

```
code_length_in_words extra_marker partial_hash, code_length_in_words))
| cfh_not_found:
    storage_read d (code_hash_location contract_addr sid) zero256 →
    code fetch hash d cs sid contract addr None.
```

When decommitter does not have code for the requested hash, VM may allow masking, and request the code with default versioned hash <code>DEFAULT\_AA\_VHASH</code> instead. It is expected that:

- DEFAULT AA VHASH is well-formed (see marker valid), and
- decommitter has code matching DEFAULT AA VHASH.

VM does not mask the code for system contracts; see sem.FarCall.step.

DEFAULT AA CODE is the decommitter's answer to the query DEFAULT AA VHASH.

```
Parameter DEFAULT AA CODE: (code pagex const page).
 Inductive code fetch (d:depot) (cs: code storage) (sid: Depot.shard id)
(contract addr: contract address) :
   bool → (versioned hash × (code page × const page) × code length) → Prop :=
 | cfnm_no_masking: ∀ vhash (code_storage:code_storage) code_length_in_words
pages0 masking,
     code fetch hash d cs sid contract addr (Some (vhash,
code length in words)) →
     load result code storage params (widen 256 (partial hash vhash))
code storage pages0 →
      code fetch d cs sid contract addr masking (vhash, pages0,
code length in words)
 \mid cfnm masking: \forall (code storage:code storage) code length in words,
      code fetch hash d cs sid contract addr None \rightarrow
      code fetch d cs sid contract addr true (DEFAULT AA VHASH,
DEFAULT AA CODE, code length in words).
End Decommitter.
```

## Library EraVM.Arith

```
From mathcomp Require ssreflect ssrfun ssrbool eqtype tuple zmodp. Require Types.

Import Types ssreflect.tuple ssreflect.eqtype ssrbool.
```

# Common project-independent definitions

```
Section Operations.
  Import operations ZArith.
 Record udiv result {n} := mk divrem { div: BITS n; rem: BITS n }.
 Definition uadd of {n: nat} (a: BITS n) (b:BITS n) : bool × BITS n := adcB
false a b.
 Definition uadd wrap {n: nat} (a: BITS n) (b:BITS n) : BITS n := snd (uadd of
  Definition uinc of {n: nat} (a: BITS n) : bool × BITS n := uadd of a (fromZ
  Definition uinc_by_32_of {n: nat} (a: BITS n) : bool × BITS n := uadd_of a
(from Z 32).
 Definition usub uf {n: nat} (a: BITS n) (b:BITS n) : bool × BITS n := sbbB
 Definition umul {n: nat} (a: BITS n) (b:BITS n) : BITS (n+n) := fullmulB a b.
 Definition udiv {n: nat} (a: BITS (S n)) (b:BITS (S n)) : udiv_result :=
   let za := toZ a in
   let zb := toZ b in
   @mk divrem (S n) (fromZ (BinInt.Z.div za zb)) (fromZ (BinInt.Z.rem za zb)).
  Definition lt unsigned {n:nat} (a b: BITS n) := ltB a b.
  Definition gt unsigned {n:nat} (a b: BITS n) := lt unsigned b a.
  Definition le unsigned {n:nat} (a b: BITS n) := lt unsigned a b || (a == b).
  Definition ge unsigned {n:nat} (a b: BITS n) := gt unsigned a b || (a == b).
  Definition bitwise_xor {n} := @xorB n.
  Definition bitwise or {n} := @orB n.
  Definition bitwise and {n} := @andB n.
  Definition characteristic (n:nat): Z := 2 ^ (Z.of nat n).
  Definition unsigned max (n:nat): Z := characteristic n - 1.
 Definition unsigned min : Z := 0.
  Definition min {n} (a b: BITS n) : BITS n := if lt unsigned a b then a else
 Definition max {n} (a b: BITS n) : BITS n := if gt unsigned a b then a else
b.
 Definition widen {s} (result size: nat) (val: BITS s): BITS (s + (result size
- s)) := @zeroExtend (result_size - s)%nat s val.
 Definition rolBn {n} (p: BITS (S n)) (k: nat): BITS (S n) := Nat.iter k rolB
p.
```

```
Definition rorBn {n} (p: BITS (S n)) (k: nat): BITS (S n) := Nat.iter k rorB
p.
 Definition subrange len {skip} (from:nat) (len:nat) (w:BITS ((from + len) +
skip)) :=
   (@high len from (@low skip (ssrnat.addn from len) w)).
 Definition subrange {skip} (from:nat) (to:nat) (w:BITS (from + (to-from) +
skip)) :=
   @subrange len skip from (to-from) w.
End Operations.
Declare Scope ZMod scope.
Infix "+" := (uadd of) : ZMod scope.
Infix "-" := (usub uf) : ZMod_scope.
Infix "x" := (umul) : ZMod_scope.
Infix "<" := (lt_unsigned ) : ZMod_scope.</pre>
Infix ">" := (gt_unsigned) : ZMod_scope.
Infix "≤" := (le_unsigned) : ZMod_scope.
Infix "≥" := (ge unsigned) : ZMod scope.
(* Equality is already provided by eqType of ssreflect. *)
Notation "w { from , to }" := (@subrange _ from to w) (at level 10) :
ZMod scope .
Bind Scope ZMod scope with BITS.
```