execution/stagedsync: recover CodePath alongside CodeHashPath in parallel normalizeWriteSet

[mh0lt]

Recover CodePath alongside CodeHashPath in the parallel executor's
normalizeWriteSet, so an account can never be persisted with a non-empty
codeHash but no code bytes (codeHash-no-code).

Root cause

On re-execution, SetCode short-circuits (so.Code() already returns the prior
incarnation's bytes, bytes.Equal), so the validated incarnation emits no fresh
CodePath. normalizeWriteSet keeps CodeHashPath (resolved from the version
map / filled from committed state) but the incarnation filter drops the stale
CodePath — leaving a codeHash with no code. A later block that CALLs the
contract executes it as empty and diverges (wrong gas → wrong root). Two ways the
fresh CodePath goes missing:

• CREATE/CREATE2 of an ordinary contract — reproduced on mainnet: a Safe proxy
  deployed via the SafeProxyFactory at block 25291004, CALLed and reverted
  6785 blocks later at 25297789.
• EIP-7702 delegating tx — the delegated sender then fails EIP-3607 as
  "sender not an eoa".

Fix

After the fill-missing pass in normalizeWriteSet: for any address with a
non-empty CodeHashPath in the output but no CodePath (and not
self-destructed), recover the code so code always travels with its hash —

• versionMap hit → the code was written in this block; recover it for any
  contract (genuine in-block code).
• versionMap miss → fall back to committed state via stateReader, bounded to
  7702 designators (stateReader also returns an unchanged contract's existing
  code, and re-emitting that for every touched contract is write amplification with
  no correctness benefit; an unchanged contract's code is already in CodeDomain).

The recovered code is validated to hash to the codeHash it is recovered for
(crypto.Keccak256Hash(code) == codeHash.Value()); a mismatch is skipped, so
recovery never writes code that disagrees with its hash.

Tests

• TestNormalizeWriteSet_CodePathTravelsWithCodeHash — 7702 designator via the
  versionMap.
• TestNormalizeWriteSet_CodePathRecoveredFromStateReader — committed 7702
  designator via the stateReader fallback.
• TestNormalizeWriteSet_CodePathRecoveredForCreatedContract — ordinary CREATE2
  contract (the SafeProxyFactory case).
• TestNormalizeWriteSet_CodePathRecoveryRejectsHashMismatch — code whose keccak
  ≠ the recovered hash is rejected, not emitted.

All fail-without / pass-with the fix on main.

Scope and limitations

Forward-prevention only. This stops new codeHash-no-code from being written;
it cannot repair codeHash-no-code already collated into immutable snapshot .kv
files — that requires a snapshot unwind.

Targets main; a cherry-pick to release/3.5 will follow (not release/3.4,
which does not run parallel execution by default).

[mh0lt]

Update: on-node reproduction + strengthened fix

Running the perf-stack binary on a cold mainnet minimal resync reproduced this bug on re-execution — sender not an eoa at blocks 25277235, 25279079, and 25280960 (different addresses each time). The original recovery did not fire on these ([codepath-recovery] silent), which exposed a gap:

Root cause of the gap: the recovery only re-emitted code present in this tx's versionMap (rr.Version().TxIndex == txIndex). The real failure path is a re-executing 7702 delegation whose code equals the already-committed designator → IBS.SetCode short-circuits (bytes.Equal) → the validated incarnation writes no CodePath, and the prior incarnation's versionMap entry is invalidated on re-exec. So the versionMap has nothing for this tx; the fill-missing loop still fills CodeHashPath from committed state → codeHash persists with no code.

Strengthened fix (7a84cb413d): recover the designator from the versionMap, else fall back to stateReader.ReadAccountCode (mirroring how CodeHashPath is recovered), and gate emission on types.ParseDelegation so only 7702 designators are re-emitted — never ordinary unchanged contract code (no write amplification, no callee misattribution). New TestNormalizeWriteSet_CodePathRecoveredFromStateReader covers the stateReader path.

Scope: this prevents the drop during forward execution. It cannot repair state already collated into immutable snapshots with codeHash-but-no-code — that requires a snapshot unwind (separate work, in development). Full forward validation therefore needs a fresh resync with this fix in place (the existing corrupt datadir can't validate it).

[Copilot]

Pull request overview

Fixes an intermittent parallel-execution consistency gap in normalizeWriteSet where an address can end up with a non-empty CodeHashPath persisted without its companion CodePath, causing EIP-7702 delegated EOAs to be misclassified (surfacing as false EIP-3607 “sender not an eoa” rejections).

Changes:

• Add a recovery pass in normalizeWriteSet to re-emit missing CodePath when a non-empty CodeHashPath is present (and the code parses as an EIP-7702 delegation designator).
• Add unit tests covering both version-map recovery and stateReader fallback recovery scenarios for the dropped-CodePath case.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
execution/stagedsync/exec3_parallel.go	Adds CodePath recovery logic to keep delegation designator code aligned with its emitted CodeHashPath during parallel normalize.
execution/stagedsync/exec3_finalize_test.go	Adds regression tests ensuring CodePath is recovered alongside CodeHashPath for EIP-7702 delegation scenarios.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[AskAlexSharov]

if err != nil \|\| accounts.InternCodeHash(hh) != h {

this pattern looks very weird. don't know what it means

[mh0lt]

Fixed by 953389b.

emit now verifies the recovered code against the emitted hash before re-emitting — crypto.Keccak256Hash(code) != want.Value() → skip — on both the versionMap and stateReader recovery paths, so a CodePath is only re-added when the code genuinely hashes to the CodeHashPath it is recovered for. Recovery can therefore never persist an account whose code disagrees with its codeHash.

Test: TestNormalizeWriteSet_CodePathRecoveryRejectsHashMismatch (constructs a candidate whose keccak ≠ the recovered hash and asserts no CodePath is emitted).

[mh0lt]

The shipped check is a direct value comparison — no intern:

if crypto.Keccak256Hash(code) != want.Value() { return false }

This leans on the trade-off unique is built around: Make pays a lookup once (and at most one canonical allocation per distinct value, shared thereafter) so that every read and comparison afterward is cheap and allocation-free. CodeHash is a unique.Handle[common.Hash], so a handle compare is a word compare and .Value() is an allocation-free read of the canonical value — no Make, no map lookup.

Escape analysis confirms it (go build -gcflags=-m):

exec3_parallel.go: inlining call to accounts.CodeHash.Value
exec3_parallel.go: inlining call to unique.Handle[go.shape.[32]uint8].Value

.Value() (and the underlying unique.Handle.Value) inline to a direct read — no escapes to heap / moved to heap note anywhere in the closure, and crypto.Keccak256Hash(code) is a stack [32]byte that's compared and discarded.

So InternCodeHash(hh) != h is the wrong side of the trade here: it re-pays the Make lookup to turn an already-cheap value compare into a handle compare — useful when you'll store and reuse the handle, pure overhead for a one-shot check. Reading .Value() and comparing is the intended path, and it allocates nothing.

[yperbasis]

Requesting changes on three points (plus a style one):

1. Verify recovered code against the emitted hash before re-emitting. The hash and the code can come from different sources (vm.Read at ceiling txIndex+1 can return another tx's write; the stateReader current-view races the publish loop's apply progress). On disagreement this persists code that doesn't match the persisted codeHash — and CodeDomain isn't covered by the state root, so a wrong designator target would silently misdirect later execution, worse than today's loud sender not an eoa. A keccak over ≤23 bytes, skipping emission on mismatch, closes this. (Same gap as Copilot's inline comment.)

2. Narrow the trigger. The fill-missing loop emits CodeHashPath for every touched account, so the recovery runs for every touched non-empty-code account on the serialized result-processing path: a full stateReader.ReadAccountCode per storage-touched contract per tx just to discard via ParseDelegation, and a redundant CodePath re-emit for every tx touching a delegated EOA (deduped at DomainPut, but still TouchKey + GetLatest + writeLog per touch — constant on post-Pectra mainnet). Suggest gating recovery on the address having a CodePath/CodeHashPath entry (any incarnation) in the raw writeset: a drop requires this tx to have written code; when the hash comes purely from the fill loop, the code is already committed in CodeDomain (or unrecoverable anyway). With that, recovery should ~never fire in production — so also add a log when it does; a silent safety net hides the upstream scheduler bug it catches (the [codepath-recovery] log mentioned in the PR comments isn't in this diff).

3. Correct the mechanism claims in the comments/test docstrings. The premise of TestNormalizeWriteSet_CodePathTravelsWithCodeHash — "blockIO.WriteSet retains both incarnations' entries (versionMap doesn't clear old)" — is contradicted by the pipeline: RecordWrites replaces the per-tx write set (versionedio.go:1321) and re-exec shrinkage deletes dropped paths from the versionMap (exec3_parallel.go:2331); IBS emits CodePath/CodeHashPath/CodeSizePath atomically. The "short-circuit against an already-committed designator" path also produces no corruption — the committed designator bytes are already in CodeDomain, which is why the narrowed gate loses nothing. The tests are fine as robustness tests of normalizeWriteSet's contract against arbitrary inputs, but the docstrings shouldn't present a mechanism the scheduler prevents. If the trigger is narrowed per point 2, TestNormalizeWriteSet_CodePathRecoveredFromStateReader should assert no emission instead.

4. Comment style: the new multi-paragraph block comments are well over the repo's comment limits — condense to one or two sentences stating the invariant; the scenario forensics belong in the PR description.