debug_executionWitness: legacy + canonical conformance

[awskii]

Adds the zkEVM (canonical) conformance runner for debug_executionWitness, the legacy-mode field population, the optional mode request param, and a format spec.

Changes

• zkevmtest runner — a cmd/evm subcommand (mirroring staterunner/blockrunner/enginexrunner) that checks debug_executionWitness (canonical mode) against the ethereum/execution-spec-tests zkevm@v0.4.0 corpus (~22.5k tests). Runs as the zkevm-witness-race shard in the eest-spec-tests workflow, not under go test. Known divergences (zkevm@v0.4.0 fixtures: stale EIP-8037 AUTH_BASE gas on EIP-7702 undelegated clears #21563, zkevm@v0.4.0 eip8025_optional_proofs witness_validation_* are stateless-verifier negative tests, not producer outputs #21566) are absorbed in the runner so the shard budget stays 0.
• legacy keys/codes — keys holds the 20B address / 32B storage-slot preimages; codes holds pre-state bytecode incl. EIP-7702 designators and the empty-code entry.
• mode request param (legacy/canonical).
• Spec at docs/plans/witness-legacy-mode-spec.md, re-verified against code.

#21487

Carries #21487's suite plus the fixes that make it pass; #21487 is redundant once CI is green here. The open question from #21487 — whether a fixture-gated suite belongs in the required race-gate — is resolved: it's now a zkevmtest runner shard in the eest-spec-tests workflow (the #21092 pattern), not a go test package.

Mainnet legacy soak vs reth-legacy

Rolling soak near tip (block ~25.25M, ~3.7k blocks checked):

• 0 health failures — no 500s, no root mismatches; every witness passes verifyWitnessStateless.
• 90.6% strict set-equal on {keys, codes, state}.
• Divergences are almost all over-inclusion (204 blocks keys, 86 codes, 62 state) — a few extra nodes per block, still re-executing to the correct root. 3 blocks show minor keys/codes under-inclusion, none affecting verifyWitnessStateless.

[Copilot]

Pull request overview

Copilot reviewed 20 out of 21 changed files in this pull request and generated 3 comments.

[taratorio]

from claude review

Review: PR #21629 — debug_executionWitness: legacy + canonical conformance

Overview

Four logical pieces, all coherent with each other:

1. zkevmtest runner (cmd/evm/zkevmrunner.go) — imports each EEST zkevm@v0.4.0 fixture chain into an in-memory node (BAL executor + historical commitment), queries debug_executionWitness in canonical mode per block, multiset-compares state/codes/headers against the fixture.
2. Legacy-mode field population — keys (20B address / 32B slot preimages) and codes (accessed ∪ modified ∪ pre-state, incl. EIP-7702 designators, plus a single empty entry).
3. Optional mode request param — legacy (default) / canonical, strict validation.
4. CI plumbing — two new shards (zkevm-witness, zkevm-witness-race-all) wired through the single-source tools/eest-spec-shards.yml, Makefile, run script, and workflow cache.

Verification performed

• Built cmd/evm; ran all new unit tests (TestWitnessBlockTestParser, TestBranchData_ChildCount, the four new rpc/jsonrpc witness tests, updated TestExecutionWitness) — all pass locally.
• CI fully green including both new shards (zkevm-witness 9m29s, zkevm-witness-race-all 33m21s).
• Traced the shard plumbing end-to-end: *zkevm* base resolution correctly precedes *-stable* in tools/run-eest-spec-test.sh (line 68), the zkevm-witness* route arm catches the -race-all variant, Makefile jq filters partition shards cleanly, and the workflow's load-matrix picks new shards up automatically.
• Checked the delete-then-recreate edge in accountExists (rpc/jsonrpc/debug_execution_witness.go line 416): safe — UpdateAccountData removes the address from DeletedAccounts, so checking DeletedAccounts first is correct.
• Confirmed callCodeAccessHook is interface-gated (execution/state/intra_block_state.go line 635) — only RecordingState implements codeAccessTracker, so normal sync execution is unaffected by the GetDelegatedDesignation hook.
• Confirmed the {0x80} append happens after verifyWitnessStateless and before the sort (debug_execution_witness.go lines 767-786), so the producer's own verification never sees the unreachable node; the RLPDecode skip (trie.go ~line 1553) covers external consumers feeding a legacy witness back in.
• Trailing *string param is the established optional-arg pattern in this RPC layer; JSON-RPC-level backward compatible.

Findings

No correctness blockers. In order of importance:

1. PR description is stale (worth fixing before merge — it's reviewer/archaeology-facing)

• It claims the suite is "Kept out of the default go test ./... (make test-all drops it via GOTEST_PACKAGES)" — but the final state has GOTEST_PACKAGES = ./... (Makefile line 93) with no exclusion. Commit 67160ee's exclusion was superseded when 0da251f moved the suite from a go-test package to the cmd/evm zkevmtest CLI runner, which is the cleaner outcome — but the body should say that instead.
• "runs in its own execution-eest-zkevm race shard" — actual shard names are zkevm-witness / zkevm-witness-race-all.

2. WITNESS_STRICT_VERIFY env handling footgun (debug_execution_witness.go lines 1533, 1543)

• Code checks os.Getenv(...) != "", so WITNESS_STRICT_VERIFY=false enables strict mode, while the spec doc says =true. Erigon's dbg.EnvBool convention would both parse correctly and hoist the per-read os.Getenv out of the stateless-verify hot loop (it currently fires on every account/storage read during verification).

3. Stale env-var residue in test (debug_execution_witness_test.go)

• TestResolveWitnessMode failure message reads "param legacy should win over canonical env" — the env override was removed in 7352a9b; the message describes a dead behavior.

4. emptyCodeAccessed overlay asymmetry (question, not a bug)

• ReadAccountData sets the flag only on the inner-reader path (debug_execution_witness.go line 146); overlay-served reads (account modified in-block, re-read later) and codeOverlay hits with empty code don't. If intentional ("legacy emits the empty entry for pre-state empty-code materialization only"), fine — the mainnet soak's residual ≤1-code diffs suggest this is the remaining heuristic gap vs reth-legacy. A one-line answer in the PR would help future readers.

5. bytes.Contains(node, trie.EmptyRoot[:]) heuristic (debug_execution_witness.go line 776)

• A storage value or slot key coincidentally equal to EmptyRoot would false-positive the {0x80} append. Harmless (over-inclusion of an unreachable node, post-verification), and matching reth-legacy is the goal — just noting it's containment, not field-position, matching. Acceptable as-is.

6. Minor

• runZkevmTestsParallel is a third copy of the worker-pool pattern in blockrunner.go/staterunner.go. Consistent with existing idiom, so fine here; a shared helper is a candidate follow-up, not a request for this PR.
• compareWitness compares headers by recomputed hash rather than raw bytes — tolerates re-encoding differences, which is the right call for RLP fixtures.
• .gitignore .claude/scheduled_tasks.lock is unrelated housekeeping riding along. Trivial.
• zkevm-witness-race-all at 33m is now the slowest EEST shard (60m timeout). The PR body already flags the open question of whether a fixture-gated suite belongs in the required race gate — agreed that's worth settling, but not a blocker.

What's done well

• The expected-failure matcher (newZkevmFailMatcher) keeps the failure budget at 0 while pinning known divergences to tracked issues (zkevm@v0.4.0 fixtures: stale EIP-8037 AUTH_BASE gas on EIP-7702 undelegated clears #21563, zkevm@v0.4.0 eip8025_optional_proofs witness_validation_* are stateless-verifier negative tests, not producer outputs #21566) — and CheckFailureForName flips to a failure if a fixture unexpectedly stops diverging. That's the right shape for an imported suite.
• TDD discipline is visible in the history (aad7982 red-gate before the materialization work) and the new behaviors all have focused unit tests, including the EIP-7702 designator survival case and the keys-only-for-existing-accounts rule.
• accountExists failing open on read errors (over-include the key rather than emit an incomplete witness) is the correct bias, and commit 754290a documents why.
• Single-source shard manifest discipline maintained — one YAML edit propagates to Makefile, script, and workflow.

Verdict

Approve with nits. Correctness is well-evidenced (22,532-fixture conformance green in CI including under race, plus a 1.2k-block mainnet soak vs reth-legacy). Before merge: update the stale PR description (finding 1), and ideally the WITNESS_STRICT_VERIFY parsing (finding 2) and the stale test message (finding 3) — all small.

[awskii]

Thanks — went through the claude-review findings:

• 1 (stale PR description) — updated. It now describes the zkevmtest runner + the single zkevm-witness-race shard, with GOTEST_PACKAGES = ./... (no exclusion).
• 2 (WITNESS_STRICT_VERIFY footgun) — fixed in ab2007f: parsed once via dbg.EnvBool into a witnessStateless.strictVerify field, out of the per-read verify loop. =false now disables instead of enabling, and the os.Getenv no longer fires on every account/storage read. Production behavior (env unset) is unchanged.
• 3 (stale test message) — fixed in e47daa8 (dropped the "canonical env" wording).
• 4 (emptyCodeAccessed overlay asymmetry) — intentional: legacy emits the single empty entry only for pre-state empty-code materialization; overlay/in-block reads are post-state, so they don't set it. That's the remaining ≤1-code heuristic gap vs reth-legacy in the soak. Sharpened the inline comment to say so.
• 5 (EmptyRoot containment) — leaving as-is: harmless over-inclusion of an unreachable node post-verification, and matching reth-legacy is the goal.
• 6 (minor) — runZkevmTestsParallel follows the existing blockrunner/staterunner idiom (a shared helper is a reasonable follow-up, not this PR); the .gitignore line is a valid entry; headers-by-hash is intentional for RLP fixtures.

[awskii]

Ran a continuous legacy-mode debug_executionWitness parity soak (erigon-legacy vs a reth-legacy oracle) on mainnet around block 25.25M after this merged: ~4.9k blocks, 0 health failures, ~480 key/state divergences vs reth. Posting the root cause since the divergences look alarming but aren't.

The divergences are benign minimization differences — erigon's witness self-verifies in every one. verifyWitnessStateless runs inline (rpc/jsonrpc/debug_execution_witness.go:766); divergent blocks reproduce the post-state root (logged as a parity diff, never a verify failure). The divergent slots are all zero-valued read-only SLOADs.

Breakdown:

• keys-over (dominant, 265 blocks): erigon records a zero-read on an EIP-7702 delegated EOA (0xef0100||impl); reth-legacy drops it.
• keys-under (rare, 4 blocks): erigon drops a zero-read on a born-in-block CREATE2 contract; reth-legacy keeps it. reth also emits duplicate keys, which inflates the raw under-count (e.g. 8 distinct slots showed as u=15).

Root cause is a created-flag asymmetry. The IBS sets created on CREATE/CREATE2, so post-creation zero-SLOADs short-circuit without calling RecordingState.ReadAccountStorage (:186) and never reach WitnessKeys (:934). A 7702 delegation doesn't set created, so its zero-reads go through the reader and get kept. reth has the inverse coverage. Neither omission breaks verification.

Caveat for anyone using WITNESS_STRICT_VERIFY to triage this: it's not a reliable arbiter. It errors on any node physically absent from the witness, but reborn-contract reads short-circuit in the stateless IBS before reaching its strict trie check, so it conflates "absent" with "needed". The lenient self-verify (root match) is the correct test, and it passes.

No correctness fix needed. If exact key-set parity with reth-legacy is wanted, the one safe change is to also minimize 7702-EOA empty zero-reads (mirror the CREATE2 path) — removes the keys-over noise, keeps self-verify valid. Can open a follow-up PR if useful.