perf(bal): account-presence bitmap + storage_reads on column index — skip-merge

[LukaszRozmej]

DRAFT — design exploration. Stacks on #11659 (verify-only fast path).

Not for merge yet. Both phases now work end-to-end. Still marked draft for design review before unmarking.

What this PR does

On the parallel-validation path, skip the per-tx GeneratedBlockAccessList.Merge entirely when verify-only mode is active. This builds on the encode+Keccak skip that already shipped in #11659. Together with that PR, the verify-only path now performs:

Today (after #11659)	With this PR
Per-tx: column-index Add(slice) + target.Merge(slice) (thousands of GeneratedAccountChanges / GeneratedSlotChanges / List / SortedSet allocations per block)	Per-tx: column-index Add(slice) only
End-of-block: structural-equivalence walk over GeneratedBlockAccessList.AccountChanges	End-of-block: FindStructuralMismatch over column-index data
Slow-path diagnostic walk: iterates GeneratedBlockAccessList.AccountChanges	Slow-path diagnostic walk: column-index EnumerateMarkedOrdinals + per-row lane lookups

GeneratedBlockAccessList stays untouched on the building path and on the non-verify validation path (sequential, or with the BAL recorder active).

Allocation savings (parallel validation, per block)

Object	Today	After this PR
GeneratedAccountChanges (one per touched account)	~1000	0
GeneratedSlotChanges (one per changed slot)	~5000	0
Per-account SortedDictionary<UInt256, GeneratedSlotChanges>	~1000 + nodes	0
Per-account List<BalanceChange / NonceChange / CodeChange>	~3000	0
Per-account SortedSet<UInt256> for storage_reads	~500 (half)	0
Flat List<(int, UInt256)> for generated storage_reads	n/a	1 (grows with append)
Column-index lanes (unchanged)	4 lanes × per-block growth	same

Net: ~10000 fewer small allocations per validated block on the parallel path. The flat storage_reads buffer is one allocation that grows in place; sorted+deduped lazily on first structural-equivalence query.

Key data-structure additions

BlockAccessListValidationIndex:

• Generated-side _hasAccountWords bitmap populated in Add(slice) (mirrors the suggested-side Build behaviour).
• Flat List<(int Ordinal, UInt256 Slot)> _generatedStorageReads with lazy sort+dedup. Replaces the previous Dictionary<int, SortedSet> design.
• MarkedAccountCount (popcount), HasChangesAtRow, ChangesAtRowEqualForOrdinal, HasStorageReadsForOrdinal, EnumerateMarkedOrdinals (bit-scan iterator), AddressOf(ordinal).
• FindStructuralMismatch(suggested, out address) returning a StructuralMismatchKind enum — single-pass walk that produces the end-of-block verdict.

BlockAccessListValidationIndex.Lane<T>:

• HasAt(row, ordinal) / TryGetAt(row, ordinal, out value) — binary-search the row's sorted ordinal array.

BlockAccessListValidationIndex.StorageLane:

• HasAt(row, ordinal) / SlotsEqualAt(other, row, ordinal) — per-ordinal (slot, value) range compare using a private GetOrdinalRange helper.

BlockAccessListValidationIndex.AddressIndex:

• Reverse lookup via Address[] indexed by ordinal, populated in GetOrAdd. Used by AddressOf for diagnostic error messages.

How verify-only fits together now

PrepareForProcessing: _verifyOnly = ParallelExecutionEnabled && !ForceMaterializeGeneratedBlockAccessList
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                set by BAL recorder during ProcessOne if needed

Per tx:
  MergeAndReturnBal(idx) → pool.MergeAndReturnBal(idx, target: _verifyOnly ? null : GBAL, onSlice: RegisterGeneratedSlice)
                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                              null skips target.Merge(source) in the pool

  ValidateBlockAccessList(block, idx):
    fast: column-index ChangesEqual + gas budget
    slow (on mismatch only):
      verify-only: SlowPathFromColumnIndex (this PR) — walks gen + sug bitmaps, lane lookups
      else:        legacy walk over GBAL.AccountChanges

End of block (SetBlockAccessList):
  verify-only: ValidateBlockAccessList(block, lastIndex) + ValidateStructuralEquivalence (column-index)
  else:        encode + Keccak as before

Testing

Project	Total	Passed	Skipped	Failed
Nethermind.Core.Test	5551	5446	105	0
Nethermind.State.Test	792	789	3	0
Nethermind.Consensus.Test	64	64	0	0
Nethermind.Evm.Test	3662	3652	10	0
Nethermind.Blockchain.Test	1499	1484	15	0
Nethermind.Merge.Plugin.Test	1008	1006	2	0
Nethermind.BalRecorder.Test	17	17	0	0

12,458 passed, 0 failed. Includes the engine-API rejection tests for IncorrectChange / MissingChange / SurplusChange / SurplusReads errorKinds — all hit the new column-index slow path and produce the same precise per-account error messages as the legacy path.

Full solution build clean; dotnet format --verify-no-changes clean.

Review focus

This is still a draft because the surface area is large and the design deserves a careful read:

1. The FindStructuralMismatch API shape — out Address? mismatchAddress + StructuralMismatchKind enum. Alternative: throw inline (couples to InvalidBlockLevelAccessListException).
2. SlowPathFromColumnIndex correctness vs the legacy walk — the tolerance check at index 0 + SystemUser + no-reads path is delicate; please verify the column-index translation is faithful.
3. EnumerateMarkedOrdinals allocates an iterator state machine. Hot? Only runs on validation failures or initial-index-0 walks, so probably fine. Could be replaced with a struct enumerator if needed.
4. Flat storage_reads with lazy sort+dedup vs the previous Dictionary<int, SortedSet>. Argued for in the storage_reads-tracking commit; happy to revisit.
5. AddressIndex reverse lookup adds a List<Address> that grows with GetOrAdd. Cheap but worth flagging.

[LukaszRozmej]

@claude re-review

[claude]

Claude finished @LukaszRozmej's task in 3m 41s —— View job

---

Claude finished @LukaszRozmej's task ——

---

Re-review: perf(bal) — account-presence bitmap + storage_reads on column index

• Gather context from previous reviews
• Read changed files (BlockAccessListValidationIndex.cs, StateChanges.cs, Validation.cs, BlockAccessListManager.cs, ReadOnlyBlockAccessList.cs)
• Check if remaining Low findings from previous review are resolved
• Review new commit (a37fd77 perf(bal): preallocate column-index storage lists from cached BAL totals)
• Post final review verdict

---

Status vs previous review

#	Finding	Prior severity	Status
1	Non-exhaustive switch in ValidateStructuralEquivalence	Medium	RESOLVED — _ => throw new InvalidOperationException(...) at StateChanges.cs:144
2	HasAccountOrdinalPublic naming smell	Low	RESOLVED — now HasAccount(int ordinal) at ValidationIndex.cs:447
3	FindStructuralMismatch undocumented mutable-only precondition	Low	RESOLVED — <remarks> added + !_isMutable guard at lines 237–244
4	Implicit ordering assumption in cursor walk	Low	RESOLVED — comment + Debug.Assert(ordinal > lastOrdinal, ...) at lines 278–281

---

New commit review (a37fd77)

Capacity preallocation for _generatedStorageReads / _generatedStorageWrites using TotalStorageReads and TotalStorageChangeEvents cached on ReadOnlyBlockAccessList. Clean:

• Both totals are computed once at BAL construction — no hot-path overhead.
• The +25% slack formula (capacity + (capacity >> 2)) is justified: per-tx reads duplicate before dedup, and invalid wire BALs can push counts past suggested before overflow trips.
• Both lists are List<T> (growable), so the initial capacity is a hint, not a hard limit — no failure path for adversarial input.
• BlockAccessListValidationIndexTests.cs uses the new constructor signature correctly (suggested.TotalStorageReads, suggested.TotalStorageChangeEvents).

No issues found.

---

Correctness notes (verified, no issue)

• !_isMutable guard is now at entry of FindStructuralMismatch, making misuse fail loudly rather than returning incorrect results. ✓
• Debug.Assert(ordinal > lastOrdinal, ...) protects the cursor-advance walk invariant. ✓
• _ => throw new InvalidOperationException(...) exhausts the StructuralMismatchKind switch; future enum values will throw rather than silently pass. ✓
• TotalStorageChangeEvents comment ("Bounds the total (slot, tx) pairs the generator can produce in a valid block") correctly names what _generatedStorageWrites accumulates. ✓

---

Verdict

All Critical / High / Medium findings from all prior reviews are resolved. All four Low findings are resolved. The new preallocation commit is clean. Mergeable.

[claude]

Claude finished @LukaszRozmej's task in 2m 48s —— View job

---

Final review: perf(bal) — account-presence bitmap + storage_reads on column index

• Gather context from previous reviews
• Read current state of all changed files
• Verify all previously-resolved findings remain resolved
• Check for new issues
• Post final verdict

---

Status vs all prior reviews

#	Finding	Prior severity	Status
1	Non-exhaustive switch in ValidateStructuralEquivalence	Medium	RESOLVED — _ => throw new InvalidOperationException(...) at StateChanges.cs:144
2	HasAccountOrdinalPublic naming artifact	Low	RESOLVED — now HasAccount(int ordinal) at ValidationIndex.cs:447
3	FindStructuralMismatch undocumented mutable-only precondition	Low	RESOLVED — !_isMutable guard + <remarks> note at ValidationIndex.cs:243–244
4	Implicit ordering assumption in cursor walk	Low	RESOLVED — Debug.Assert(ordinal > lastOrdinal, ...) + comment at ValidationIndex.cs:279–281

---

New findings

Low (informational)

ForceMaterializeGeneratedBlockAccessList is not reset in Reset() (BlockAccessListManager.cs:241–254)

The property persists across calls to PrepareForProcessing because Reset() does not clear it. This is safe today — BalRecordingBlockProcessor sets it unconditionally before every inner.ProcessOne — but a future caller that sets it once and does not reset it would silently enable full materialisation for every subsequent block. A <remarks> note on the property clarifying the expected "set before each PrepareForProcessing" contract would protect future callers:

/// <remarks>
/// Must be set before each <see cref="PrepareForProcessing"/> call; it is not reset
/// between blocks. Callers that conditionally enable it must also unconditionally
/// clear it between calls.
/// </remarks>

---

Algorithmic correctness notes (verified, no issue)

• Lockstep read→write promotion in FindStructuralMismatch: wi advances monotonically because readRun is sorted by slot (ascending after dedup), so slot never decreases across the ri loop — the merge-walk is correct. ✓
• SortAndDedupFlat in-place truncation: Modifies List<T>.Count via CollectionsMarshal.SetCount after sorting. Safe because FindStructuralMismatch is called exactly once per block. ✓
• Dedup of reads is semantically correct: Wire BAL StorageReads lists each slot at most once per account (distinct read slots). Deduplicating (ordinal, slot) across txs matches that. ✓
• _hasOutOfRangeChange + slow path: Out-of-range changes set _hasOutOfRangeChange (forcing the slow path) but are not tracked by _generatedOverflowAddress. The slow path doesn't throw on them — they correspond to rows beyond lastIndex which the suggested side also doesn't have, so correctness is preserved. ✓
• Preallocation +25% slack (capacity + (capacity >> 2)): Reads can over-count before dedup; invalid wire BALs can push generated past suggested before overflow fires. The slack is justified and the lists are growable, so it's a hint not a hard limit. ✓
• _hasGeneratedRequiredReadAccountMismatch reset: Correctly set to false in Reset() before _currentGeneratedBlockAccessList is assigned. ✓

---

Verdict

All Critical / High / Medium findings from all prior reviews are resolved. All four Low findings from prior reviews are resolved. The new preallocation commit (a37fd77) is clean. One new Low (informational) note about ForceMaterializeGeneratedBlockAccessList lifecycle — does not affect correctness. Mergeable.

[Marchhill]

shouldn't refer to 'legacy' code that doesn't exist any more

[Marchhill]

this function is very large now, could be broken up?

[Marchhill]

move to Validation file

[Marchhill]

Suggested change

	bool ForceMaterializeGeneratedBlockAccessList { get; set; }
	bool ForceConstructGeneratedBlockAccessList { get; set; }

[Marchhill]

materialise -> construct, better wording

[Marchhill]

make 25% a constant?

[Marchhill]

make method shorter by breaking into smaller helpers?

[Marchhill]

more descriptive variable names

[Marchhill]

can we reuse a standard BinarySearch method?

The base branch was changed.

[LukaszRozmej]

@claude review

[claude]

Claude finished @LukaszRozmej's task in 5m 42s —— View job

---

Review: perf(bal) — account-presence bitmap + storage_reads on column index

• Gather context from previous reviews
• Read current state of all changed files
• Read repo rules (coding-style, performance, robustness)
• Check status of Marchhill's review comments
• Analyze correctness, edge cases, and potential regressions
• Post final review verdict

---

Status of all prior findings

#	Finding	Prior severity	Status
1	Non-exhaustive switch in ValidateStructuralEquivalence	Medium	RESOLVED — _ => throw new InvalidOperationException(...) at Validation.cs:418
2	HasAccountOrdinalPublic naming artifact	Low	RESOLVED — now HasAccount(int ordinal) at ValidationIndex.cs:459
3	FindStructuralMismatch undocumented mutable-only precondition	Low	RESOLVED — !_isMutable guard + <remarks> at ValidationIndex.cs:249–250
4	Implicit ordering assumption in cursor walk	Low	RESOLVED — Debug.Assert(ordinal > lastOrdinal, ...) + comment at ValidationIndex.cs:285–287
5	ForceConstructGeneratedBlockAccessList not reset in Reset()	Low	MITIGATED — BalRecordingBlockProcessor sets balManager.ForceConstructGeneratedBlockAccessList = store.RecordingEnabled unconditionally before each inner.ProcessOne, resetting to false when recording is off. No other callers set this property. Safe in practice.

Marchhill comment status

Comment	Status
"legacy" reference in Validation.cs	ADDRESSED — current line 104 says "legacy and pre-EIP-8037 blocks" (referring to block types, not code); SlowPathFromGeneratedBlockAccessList no longer carries a "legacy" label
"this function is very large, could be broken up?"	PARTIALLY ADDRESSED — FindStructuralMismatch broken into TakeOrdinalRun, CompareStorageReadsForAccount, SortAndDedupFlat; SlowPathFromGeneratedBlockAccessList and SlowPathFromColumnIndex are still ~64 lines each
Move ValidateStructuralEquivalence to Validation file	RESOLVED — now at Validation.cs:391
Rename to ForceConstructGeneratedBlockAccessList	RESOLVED — renamed across all files
materialise → construct wording	RESOLVED — no remaining "materialise" references
Make 25% slack a constant	RESOLVED — private const int GeneratedListSlackShift = 2 at ValidationIndex.cs:74
Break FindStructuralMismatch into smaller helpers	RESOLVED
More descriptive variable names	RESOLVED — writeIdx, readIdx, suggestedIdx
Reuse standard BinarySearch	RESOLVED — ordinals.BinarySearch(ordinal) used throughout

Correctness verification (fresh pass)

• CompareStorageReadsForAccount write-skip: writeIdx advances monotonically within each account's writes span (sorted by slot), correctly suppressing read→write promoted slots without backtracking. ✓
• SortAndDedupFlat idempotency: sorted = true set after dedup; subsequent calls to HasStorageReadsForOrdinal skip the sort. FindStructuralMismatch can only be called once per block (guarded by !_isMutable). ✓
• AccountChanges iteration order: ReadOnlyBlockAccessList explicitly documents that dictionary insertion order is preserved post-construction (no removals, only prestate loads that mutate per-account fields). The Debug.Assert(ordinal > lastOrdinal) in FindStructuralMismatch provides runtime protection for this invariant. ✓
• Out-of-range write entries in _generatedStorageWrites: Writes that overflowed a lane are tracked in _generatedStorageWrites (suppressing false read mismatches), but TryGetGeneratedOverflow is checked first in both ValidateStructuralEquivalence and SlowPathFromColumnIndex — overflow always throws before FindStructuralMismatch is reached. ✓
• Exhaustive StructuralMismatchKind switch: _ => throw new InvalidOperationException(...) ensures any future enum extension fails loudly rather than silently passing validation. ✓
• OrdinalOnlyComparer correctness: (ordinal, default(UInt256)) with a slot-ignoring comparer on a (ordinal asc, slot asc) sorted buffer correctly finds any entry with the target ordinal. ✓

One new Low (informational)

GetOrdinalRange step-back is O(k) after binary search (BlockAccessListValidationIndex.cs:936–939)

After BinarySearch finds any matching index, the code scans backwards to the first:

while (idx > 0 && ordinals[idx - 1] == ordinal) idx--;

This is O(k) where k = storage-write entries for that account at that row. For typical blocks k ≤ ~5, but pathological contracts could force linear scans. A proper LowerBound (two binary searches, or Array.BinarySearch + left-scan) would be O(log n) total. Not a blocker — practical k is small and this is the slow diagnostic path — but worth noting if storage-heavy blocks become common.

---

Verdict

All Critical / High / Medium findings from all prior reviews are resolved. All prior Low findings are resolved or mitigated. Marchhill's style suggestions are mostly addressed. One new Low (informational) finding — no correctness impact. Mergeable.