Skip to content

merge develop into master#37

Merged
allformless merged 51 commits into
masterfrom
develop
Jul 8, 2026
Merged

merge develop into master#37
allformless merged 51 commits into
masterfrom
develop

Conversation

@allformless

Copy link
Copy Markdown
Owner

Description

merge develop into master

Rationale

tell us why we need these changes...

Example

add an example CLI or API response...

Changes

Notable changes:

  • add each change in a bullet point here
  • ...

zlacfzy and others added 30 commits May 6, 2026 17:09
* Revert "pathdb: add backward compatibility for legacy journal file format"

This reverts commit f4d66f2.

* triedb/pathdb: remove legacy field JournalFilePath
…90) (bnb-chain#3686)

`TestSubscribePendingTxHashes` hangs indefinitely because pending tx
events are permanently missed due to a race condition in
`NewPendingTransactions` (and `NewHeads`). Both handlers called their
event subscription functions (`SubscribePendingTxs`,
`SubscribeNewHeads`) inside goroutines, so the RPC handler returned the
subscription ID to the client before the filter was installed in the
event loop. When the client then sent a transaction, the event fired but
no filter existed to catch it — the event was silently lost.

- Move `SubscribePendingTxs` and `SubscribeNewHeads` calls out of
goroutines so filters are installed synchronously before the RPC
response is sent, matching the pattern already used by `Logs` and
`TransactionReceipts`

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: s1na <1591639+s1na@users.noreply.github.com>
…nb-chain#3688)

* eth/filters: rangeLogs should error on invalid block range (#33763)

Fixes log filter to reject out of order block ranges.

* eth/filters: fix testFilters

---------

Co-authored-by: vickkkkkyy <vickyaviles847@gmail.com>
…b-chain#3681)

Later on we can consider making these limits configurable if the
use-case arose.

Co-authored-by: Sina M <1591639+s1na@users.noreply.github.com>
bnb-chain#3683)

Co-authored-by: Mayveskii <artemii.maevskii@danila-master.ru>
…nb-chain#3687)

* core, internal/ethapi: fix incorrect max-initcode RPC error mapping (#34067)

Problem:

The max-initcode sentinel moved from core to vm, but RPC pre-check
mapping still depended on core.ErrMaxInitCodeSizeExceeded. This mismatch
could surface inconsistent error mapping when oversized initcode is
submitted through JSON-RPC.

Solution:

- Remove core.ErrMaxInitCodeSizeExceeded from the core pre-check error
set.
- Map max-initcode validation errors in RPC from
vm.ErrMaxInitCodeSizeExceeded.
- Keep the RPC error code mapping unchanged (-38025).

Impact:

- Restores consistent max-initcode error mapping after the sentinel
move.
- Preserves existing JSON-RPC client expectations for error code -38025.
- No consensus, state, or protocol behavior changes.

* core/txpool: fix reference ErrMaxInitCodeSizeExceeded

---------

Co-authored-by: Daniel Liu <139250065@qq.com>
)

* internal/ethapi: limit number of getProofs keys (#34617)

We can consider making this limit configurable if ever the need arose.

* internal/ethapi: remove maxGetStorageSlots

---------

Co-authored-by: Sina M <1591639+s1na@users.noreply.github.com>
)

Fixes a regression in #33593 where a block gas limit > gasCap resulted
in more execution than the gas cap.

Co-authored-by: Sina M <1591639+s1na@users.noreply.github.com>
We got a report for a bug in the tracing journal which has the
responsibility to emit events for all state that must be reverted.

The edge case is as follows: on CREATE operations the nonce is
incremented. When a create frame reverts, the nonce increment associated
with it does **not** revert. This works fine on master. Now one step
further: if the parent frame reverts tho, the nonce **should** revert
and there is the bug.

Co-authored-by: Sina M <1591639+s1na@users.noreply.github.com>
…chain#3700)

Cherry-pick of go-ethereum 8581125 (PR #33839).

The cgo path in secp256k1/secp256.go already rejects non-32-byte hashes,
but the nocgo (pure-Go) path did not. PR #33104 added the check to Sign
and sigToPub but missed VerifySignature. Without it, a wrong-length hash
gets passed to decred's Verify and silently gives a bogus result — a
truncated hash may match a different signature, an extended hash silently
ignores extra bytes.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…898) (bnb-chain#3710)

Fixes #34881

This fixes a hang in `Table.waitForNodes`. It is a replacement for PRs

- #34890 doesn't really fix the issue, just makes it less likely
- #33665 tries to fix it by moving the feed send outside of the lock

I created this PR because I want to keep the synchronous node feed
sending in `Table.nodeAdded`.

---------

Co-authored-by: Felix Lange <fjl@twurst.com>
Co-authored-by: Csaba Kiraly <csaba.kiraly@gmail.com>
…0) (bnb-chain#3708)

* eth/downloader: drop peers sending invalid bodies or receipts (#34745)

Cherry-pick of go-ethereum 75a64ee (PR #34745).

- Fixes an error shadowing issue in the deliver() function, where a stale
  result from GetDeliverySlot caused the original failure to be
  overwritten by errStaleDelivery.
- Adds errInvalidBody and errInvalidReceipt propagation via res.Done so
  the eth protocol handler tears down the connection of peers sending
  invalid responses, instead of just adjusting capacity while keeping
  the peer connected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* eth/downloader: use batch index in deliver reconstruct (#34870)

Cherry-pick of go-ethereum 5b837e5 (PR #34870).

reconstruct() indexes into the parallel response slices (bodies,
receipts). After PR #34745 (now applied in this stack) moved
`accepted++` inside the success branch, passing `accepted` to
`reconstruct()` underflowed the response index whenever an earlier
header in the same batch hit a stale slot — the next successful slot
would read from the wrong response slice element.

Switch to the loop's range index `k`, which always tracks the response
position regardless of stale gaps.

NOTE: based on `fix/downloader-drop-invalid-peers` (PR bnb-chain#3699) — must
land after / merged together with that PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* cmd, core/rawdb: remove multidatabase CLI support

* node, eth: remove multidatabase open wiring

* core, trie, eth: read state from the single database

* ethdb, core/rawdb: remove the StateStore abstraction
…t (#34680) (bnb-chain#3706)

Cherry-pick of go-ethereum 3772bb5 (PR #34680).

accountTip and storageTip both returned common.Hash{} as the "not found"
sentinel. That collides with a legitimate disk-layer fallback when the
disk layer's root is itself the zero hash — as is the case for a fresh
verkle/bintrie database whose empty trie hashes to EmptyVerkleHash.

Switch to a (hash, ok) return signature so callers can distinguish the
two cases. Update lookupAccount/lookupStorage at the call sites.

The upstream regression test (TestLookupZeroBaseRootFallback) depends on
test helpers not present in BSC's layertree_test.go and is omitted; the
existing pathdb test suite (TestAccountLookup / TestStorageLookup et al.)
still exercises the happy path.

This is defensive hardening — BSC does not activate verkle in production,
so the zero-root collision is theoretical today. Recommended as
prerequisite for future verkle adoption.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…b-chain#3718)

* crypto: add hash length check in nocgo sigToPub

Upstream PR #33839 added the hash length guard to both VerifySignature
and sigToPub. The prior backport only covered VerifySignature; mirror
the same check in sigToPub so callers like Ecrecover reject malformed
hash inputs with a clear error instead of relying on downstream library
behavior.

* triedb/pathdb: add regression test for zero-base-root fallback

Cover the sentinel collision fixed in the prior commit: when the disk
layer root is common.Hash{} (e.g. a fresh verkle/bintrie database
whose empty trie hashes to zero), the legitimate fall-through to the
disk layer must not be mistaken for the stale-state sentinel. Pins
both the fall-through and the still-stale-on-unknown-state contract
so a future refactor that always returns ok=true would fail here.
…34728) (bnb-chain#3712)

Co-authored-by: Snehendu Roy <81818503+snehendu098@users.noreply.github.com>
…nb-chain#3711)

In openFreezerFileForAppend, if Seek fails after the file is
successfully opened, the file handle is not closed, leaking a
descriptor.

Similarly in newTable, if opening the meta file fails, the
already-opened index file is not closed. And if newMetadata fails, both
the index and meta files are leaked.

Under repeated error conditions (e.g., corrupted filesystem), these
leaks accumulate and may exhaust the OS file descriptor limit, causing
cascading failures.

Co-authored-by: rayoo <rayjun0412@gmail.com>
…in#3707)

Cherry-pick of go-ethereum b9c5fe6d2 (PR #34862).

The mux tracer fanned out every standard hook to its children but never
forwarded OnSystemCall{Start,End}. Tracers that rely on these — like
logger.jsonLogger, which uses the start hook to silence its opcode hook
for the duration of a system call — never got the signal when wrapped
behind a mux. Combining --trace with --opcode-count in evm t8n produces
exactly that wrapping, and the first system call (e.g.
ProcessBeaconBlockRoot) crashes t8n on nil env deref.

Forwards OnSystemCallStartV2 (with V1 fallback per child) and
OnSystemCallEnd through the mux. Same precedence as
core/state_processor.go.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…b-chain#3705)

Cherry-pick of go-ethereum ea1cf7bf5 (PR #34787) — alternative to PR
#34746 implementing the simpler approach: when serving GetBlockBodies /
GetReceipts and a requested item is unavailable, stop serving instead
of silently dropping it.

Requests for unavailable items are typically a sign that the peer is
following a different fork; replying with a sparse list is misleading
because the dropped slots are silently elided. Halting at the first gap
gives the requester a clearer signal and saves work.

Adapted to BSC's two receipts handlers (68 and 69) which retain the
empty-receipts-root branch — that branch continues to serve. Test
adjusted to match the new "stop at gap" semantics.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
zlacfzy and others added 21 commits June 10, 2026 10:02
…4888) (bnb-chain#3701)

Cherry-pick of go-ethereum e1e3eaa (PR #34888).

The discv4 read loop allocates `buf` once and reuses it for every
ReadFromUDPAddrPort call. When a packet fails handlePacket, the raw
buffer `buf[:nbytes]` was sent by reference to the `unhandled` channel;
by the time the consumer (discv5 in mixed-mode) processes it, the next
ReadFromUDPAddrPort had overwritten the buffer contents.

bytes.Clone the slice before sending so the consumer owns an independent
copy.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ers (#34743) (bnb-chain#3702)

* p2p/discover: fix timeout loop early exit when removing expired matchers (#34743)

Cherry-pick of go-ethereum 51c9721 (PR #34743), adapted minimally to
keep BSC's manual list iteration (BSC has not adopted the upstream
iterList helper, so the upstream regression fixed by 60db25b never
applied here).

In both the gotreply and timeout-deadline loops, plist.Remove(el)
invalidates el.Next(), so the next iteration's el.Next() returns nil and
the loop exits after removing only the first expired/done matcher.
Save el.Next() before calling plist.Remove(el) so iteration continues
through every entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* p2p/discover: fix resetTimeout loop early exit on clock-warp removal

The prior backport of upstream #34743 ported the gotreply and timeout
loops but missed the resetTimeout loop. When the system clock jumps
backward, expired matchers can still be removed inside resetTimeout via
plist.Remove(el); after removal el.Next() returns nil, exiting the loop
early and skipping subsequent stale matchers. Save the next element
before removing the current one, matching the pattern used in the
other two loops.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* eth/tracers/logger: fix exclude address list (#34887)

Cherry-pick of go-ethereum f7b7d4c (PR #34887).

In NewAccessListTracer, when a prelude AccessList entry's address was
in addressesToExclude, list.addAddress was correctly skipped — but the
inner for-loop still called list.addSlot for every slot under that
address, causing the excluded address to leak into the tracer's output
with storage keys attached.

Refactored to `continue` on the excluded address so both addAddress and
the slot loop are skipped together.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* eth/tracers/logger: fix exclude address list (#34887)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ain#3684)

* cmd, core, eth, tests: prevent state flushing in RPC (#33931)

Fixes ethereum/go-ethereum#33572

* core/vm: clean vm.Config

* eth: check block to avoid panic

---------

Co-authored-by: rjl493456442 <garyrong0905@gmail.com>
…ade (bnb-chain#3721)

Wire the Pasteur hardfork to upgrade two system contracts whose bytecode
changed on the genesis-contract side:
  - StakeHub (0x2002): propagate slash eviction to BSCValidatorSet after
    consensus-key rotation (bsc-genesis-contract bnb-chain#664)
  - BSCGovernor (0x2004): reject blacklisted voter on castVoteBySig (bnb-chain#667)

Adds the `pasteur` bytecode package (StakeHub/Governor for Mainnet,
Chapel, Rialto) and applies it in upgradeBuildInSystemContract when
IsOnPasteur. Bytecode extracted from the regenerated genesis
(bsc-genesis-contract commit 3f02a2e); CommitUrl points there for now and
should be updated to the Pasteur release merge commit once available.

PasteurTime scheduling in params/config.go is intentionally left unset.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* core/txpool/legacypool: remove overflowpool for txs

* cmd/geth: mark OverflowPoolSlots deprecated
* core/vm: reject duplicate bridge validators at Mendel

* core/vm: enforce duplicate bridge validator checks at Pasteur

* core/vm: reject duplicate bridge validators at Pasteur

* core/vm: reject duplicate bridge validators at Pasteur

* core/vm: reject duplicate bridge validators at Pasteur

* contracts.go: update precompile

---------

Co-authored-by: qybdyx <qybdyx@outlook.com>
…nb-chain#3691)

* miner: implement zero-simulate MEV

* miner: implement validator-side BidBlock handling

* fix: refine enable bidblock config

* miner: switch BidBlock vs simBid to two-stage selection

* fix: use builder timestamp when committing BidBlock

* miner: split BidBlock verify and sign

* miner: verify BidBlock GasFee after InsertChain

* miner: add BidBlock permission admission

* miner: revoke BidBlock permission on insert or gas-fee failure

* miner: add BidBlock permission RPC

* miner: expose BidBlock permission block number

* miner: skip revoked cached BidBlock

* miner: revoke malformed BidBlock winners

* miner: use must-before cutoff for BidBlock

* miner: preserve builder header for BidBlock commit

* miner: retry BidBlock candidates after failure

* parlia: add bindSign system tx mode

* parlia: expose builder finalize path

* parlia: clarify BidBlock system tx signing

* miner: support builder header preparation

* miner: preserve BidBlock execution header

* miner: align BidBlock system tx shape

* miner: reject disabled BidBlock submissions

* docs: drop BidBlock draft notes

* miner: align bid simulator constructor

* parlia: clarify generated tx signing flag

* parlia: align generated tx signing flag

* ethclient: add BidBlock RPC helpers

* parlia: align builder block time validator

* miner: reject BidBlock with unknown parent

* miner: align BidBlock selection gate

* miner: refine BidBlock helper names

* miner: address BidBlock review feedback

* miner: use deterministic BidBlock timestamp

* miner: address BidBlock review comments

* miner: simplify BidBlock fork checks

* miner: address BidBlock review nits

* parlia: use mode for system tx processing

* miner: prepare BidBlock before enqueue

* miner: log BidBlock bid comparison

* miner: simplify BidBlock candidate cache

* miner: keep one best BidBlock

* miner: return BidBlock cache feedback

* miner: share double-sign check

* miner: refine BidBlock validation flow

* miner: simplify BidBlock selection state

* miner: resolve develop rebase conflict

* miner: simplify BidBlock task state

* miner: validate BidBlock system tx ABI

* miner: clean up BidBlock review fixes

* miner: use fixed BidBlock system selectors

* miner: align BidBlock assembly return values

* miner: simplify BidBlock decoded payload

* miner: simplify BidBlock selection comments

* miner: add admin BidBlock permission control

* miner: defer BidBlock revoke until post-insert

* miner: simplify BidBlock permission checks

* miner: simplify BidBlock permission manager

* miner: simplify BidBlock preseal checks

* miner: avoid retaining work for BidBlock

* miner: simplify BidBlock validation flow

* miner: derive BidBlock gas fee from deposit

* miner: require BidBlock deposit tx

* miner: simplify BidBlock tx shape

* miner: simplify BidBlock config prep

* miner: check BidBlock parent header

* miner: organize BidBlock helpers

* miner: verify BidBlock at admission

* miner: gofmt BidBlock metrics

* miner: preserve builder vanity in BidBlock extra-data

* miner: dedupe BidBlock system-tx scan, expose BidBlockEnabled

* consensus/parlia: check upperlimit for header.Time when blockTimeVerify (#26)

* consensus/parlia: share Prepare core with BidBlock builder

* consensus/parlia: unexport BidBlock system-tx helpers

* consensus/parlia: simplify ExtractBidBlockDepositValue scan

* miner: have validator own BidBlock extra-data

* miner: address BidBlock review feedback

* types: normalize empty BidBlock sidecars

* miner: preserve empty BidBlock withdrawals body

* miner: trim redundant BidBlock entry guards

* miner: mini improve (#27)

* miner: surface revoke error detail to builders

* miner: use rolling BidBlock revoke window

* miner: encode block builder info in requests hash

* fix: infer local mev blocks from empty builder

* docs: clarify block mev info versions

* miner: harden BidBlock checks and track revoked builders

* miner: validate BidBlock blob sidecars before seal

* check bidblock blob eligibility

* miner: check BidBlock bid tx gas price

* miner: check BidBlock non-system gas price

* miner: use BidBlock gas fee for price check

* miner: address BidBlock review comments.

* miner: improve BidBlock blob validation error.

* miner: enforce validator BidBlock gas limit.

* Revert "consensus/parlia: check upperlimit for header.Time when blockTimeVerify (#26)"

This reverts commit a8a9685.

* parlia: check upperlimit of block time

* miner: simplify BidBlock revoke duration.

* miner: add BidBlock RPC error codes.

* mev: add bid block hash tracing

* test: cover BidBlock consensus edge cases

* miner: add BidBlock migration metrics

* miner: gate BidBlock on Pasteur fork and default-enable

* miner: fold Pasteur gate into BidBlock enablement

---------

Co-authored-by: formless <213398294+allformless@users.noreply.github.com>
… block at Pasteur (bnb-chain#3726)

Builds on the Pasteur precompile set introduced in bnb-chain#3623.

The legacy v1 Tendermint light-client precompiles 0x64 (tmHeaderValidate)
and 0x65 (iavlMerkleProofValidate) are only reachable via the deprecated
BC<->BSC cross-chain stack (contracts/deprecated/), which no longer exists.
Rename the existing *Nano suspend handlers to tmHeaderValidateDeprecated /
iavlMerkleProofValidateDeprecated (error "deprecated") and map 0x64/0x65 to
them in the Pasteur set, deprecating them from Pasteur.

For the v2 cometBFT light-client (0x67), the verification work scales with
the light block's validator/signature count while the gas was flat. Price
the Pasteur variant's RequiredGas per input byte
(CometBFTLightBlockValidatePerByteGas) so gas tracks the real CPU/memory cost
(cf. the per-key pricing of 0x66 blsSignatureVerify). The pre-Pasteur Hertz
variant keeps the flat gas so earlier blocks replay identically.

Note: the per-byte rate is tunable; raising 0x67 gas affects the live
Greenfield/op-stack relayer gas budget and should be coordinated.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…2.6 (bnb-chain#3727)

Update the Pasteur upgrade CommitUrl for StakeHub (0x2002) and BSCGovernor
(0x2004) from the interim commit 3f02a2e to the tagged release v1.2.6
(commit 041881a02475638b19f3d840871b7621cdebd8f8).

The embedded bytecode is unchanged: verified the StakeHub/Governor code for
Mainnet/Chapel/Rialto matches the v1.2.6 genesis byte-for-byte, so this only
corrects the provenance reference to the official release tag.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…bnb-chain#3728)

The fake-beacon service (bnb-chain#2678) is an internal-only op-stack blob/DA shim,
off by default and bound to localhost. Its block-number lookup
(fetchBlockNumberByTime) has an unbounded retry loop with no lower bound
and no ctx cancellation, plus an inner nil-header dereference, so an
operator who enables and exposes it can leak handler goroutines
(SRC-2026-1000). Rather than patch an auxiliary, default-off feature, the
service is removed entirely.

Removes the beacon/fakebeacon package and its --fake-beacon[.addr|.port]
flags and startup wiring in cmd/geth and cmd/utils.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…nb-chain#3739)

* docs: add builder integration spec

* core/types: extract bid and block mev info into builder subpackage

* docs: fix BidBlock quota error mapping
* core/types: optimize BidBlock signing hash

* core/types: use header hash for BidBlock signing
@allformless allformless merged commit 9b2e10b into master Jul 8, 2026
11 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants