Skip to content

feat(symbolic): Cancun SELFDESTRUCT semantics#15179

Merged
figtracer merged 4 commits into
masterfrom
mablr/symex-cancun-selfdestruct
Jun 15, 2026
Merged

feat(symbolic): Cancun SELFDESTRUCT semantics#15179
figtracer merged 4 commits into
masterfrom
mablr/symex-cancun-selfdestruct

Conversation

@mablr

@mablr mablr commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Member

Summary

Models fork-aware symbolic SELFDESTRUCT semantics for Cancun/EIP-6780.

Closes OSS-365

Changes

  • Pre-Cancun and same-transaction-created contracts still delete.
  • Cancun+ existing contracts transfer balance and halt while preserving code/storage.
  • Transaction-scoped created accounts are tracked for this decision.

Tests

  • Added Cancun preservation, same-transaction deletion, and false-pass prevention coverage.
  • Added unit coverage for created-account tracking across snapshots.

grandizzy
grandizzy requested changes Jun 15, 2026
View reviewed changes

@grandizzy grandizzy left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One blocking concern: symbolic beneficiaries can produce a false PASS. An unconstrained symbolic beneficiary resolves to a synthetic representative address that is never equal to state.address, so the beneficiary != address guard is always true and the beneficiary == self branch is never explored. For an existing Cancun contract, real EVM keeps the balance when the target is itself — the model transfers it away and can prove a property that doesn't actually hold. This matters more now that symbolic_selfdestruct_accepts_symbolic_beneficiary flips from incomplete → [PASS].

Suggested resolution: either report incomplete when a symbolic beneficiary may alias state.address, or fork on beneficiary_word == state.address_word. A few extra tests (self-beneficiary no-burn, CREATE2 same-tx, reverted-CREATE, sequence boundary) would also round out coverage. Details inline.

Comment thread crates/evm/symbolic/src/runtime/state.rs
Comment thread crates/evm/symbolic/src/executor/opcodes.rs
Comment thread crates/evm/symbolic/README.md Outdated
Comment thread crates/evm/symbolic/src/runtime/state.rs
@grandizzy grandizzy self-requested a review June 15, 2026 10:43
grandizzy
grandizzy approved these changes Jun 15, 2026
View reviewed changes

@grandizzy grandizzy left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

figtracer
figtracer approved these changes Jun 15, 2026
View reviewed changes

@figtracer figtracer left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@figtracer figtracer merged commit eed9ed2 into master Jun 15, 2026
19 checks passed
@figtracer figtracer deleted the mablr/symex-cancun-selfdestruct branch June 15, 2026 11:56
@github-project-automation github-project-automation Bot moved this to Done in Foundry Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@grandizzy grandizzy grandizzy approved these changes

@figtracer figtracer figtracer approved these changes

@DaniPopes DaniPopes Awaiting requested review from DaniPopes DaniPopes is a code owner

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

@0xrusowsky 0xrusowsky Awaiting requested review from 0xrusowsky 0xrusowsky is a code owner

@stevencartavia stevencartavia Awaiting requested review from stevencartavia stevencartavia is a code owner

Assignees

No one assigned

Labels

None yet

Projects

Foundry
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mablr @grandizzy @figtracer