t8n tool exits with SIGSEGV when tracing is enabled

[danceratopz]

I'm currently adding nimbus t8n tool support to ethereum/execution-spec-tests, cf ethereum/execution-spec-tests#229. All test cases (valid until Shanghai) execute correctly with tracing disabled.

When tracing is enabled, however, there is one single fail, which can be reproduced using the following command with master df9c73c; it causes t8n to exit with SIGSEGV (more context regarding the test case below):

echo '{
         "alloc": {
             "0xa94f5374fce5edbc8e2a8697c15331677e6ebf0b": {
                 "balance": "0x3635c9adc5dea00000"
             }
         },
         "txs": [
             {
                 "type": "0x0",
                 "chainId": "0x1",
                 "nonce": "0x0",
                 "gasPrice": "0xa",
                 "gas": "0x186a0",
                 "to": "0x0000000000000000000000000000000000000009",
                 "value": "0x0",
                 "input": "0x",
                 "v": "0x26",
                 "r": "0x803b06b78b7bd29d0faf9401f2df5d71e8a445ad1ac0a45d2e5256ba23c43ed1",
                 "s": "0x6634f86b79da86a904b1900a52e470847ffe730ef4ec32a3b0f7eece7bfaae96",
                 "sender": "0xa94f5374fce5edbc8e2a8697c15331677e6ebf0b"
             }
         ],
         "env": {
             "currentCoinbase": "0x2adc25665018aa1fe0e6bc666dac8fc2697ff9ba",
             "currentGasLimit": "100000000000000000",
             "currentNumber": "2",
             "currentTimestamp": "24",
             "currentRandom": "0",
             "currentDifficulty": "0",
             "blockHashes": {
                 "0": "0xea2d7e0192d890c222f0302d972a02db0bf0c6d08257d73aa1210d08d24f30c3",
                 "1": "0x068f4313da4cb34b1b6b18ff37eb6ca9f7ad9d294357db81c75cb7790d25dd67"
             },
             "ommers": [],
             "withdrawals": [],
             "parentDifficulty": "0",
             "parentTimestamp": "12",
             "parentBaseFee": "7",
             "parentGasUsed": "0",
             "parentGasLimit": "100000000000000000",
             "parentUncleHash": "0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347"
         }
     }' | ./nimbus-eth1/tools/t8n/t8n --input.alloc=stdin --input.txs=stdin --input.env=stdin \
          --output.result=stdout --output.alloc=stdout --output.body=txs.rlp --output.basedir=/tmp/tmp123/ \
          --state.fork=Shanghai --state.chainid=1 --state.reward=0 --trace

Resulting backtrace:

Traceback (most recent call last, using override)
../csu/libc-start.c(392) 
../sysdeps/nptl/libc_start_call_main.h(58) 
nimbus-eth1/nimbus/evm/state.nim(493) main
nimbus-eth1/nimbus/evm/state.nim(486) NimMain
nimbus-eth1/tools/t8n/t8n.nim(53) main
nimbus-eth1/tools/t8n/transition.nim(481) transitionAction
nimbus-eth1/tools/t8n/transition.nim(239) exec
nimbus-eth1/nimbus/core/executor/process_transaction.nim(168) processTransaction
nimbus-eth1/nimbus/core/executor/process_transaction.nim(148) asyncProcessTransaction
nimbus-eth1/vendor/nim-chronos/chronos/asyncfutures2.nim(318) futureContinue
nimbus-eth1/nimbus/core/executor/process_transaction.nim(151) asyncProcessTransaction
nimbus-eth1/nimbus/core/executor/process_transaction.nim(137) asyncProcessTransaction
nimbus-eth1/vendor/nim-chronos/chronos/asyncfutures2.nim(318) futureContinue
nimbus-eth1/nimbus/core/executor/process_transaction.nim(139) asyncProcessTransaction
nimbus-eth1/nimbus/core/executor/process_transaction.nim(72) asyncProcessTransactionImpl
nimbus-eth1/vendor/nim-chronos/chronos/asyncfutures2.nim(318) futureContinue
nimbus-eth1/nimbus/core/executor/process_transaction.nim(112) asyncProcessTransactionImpl
nimbus-eth1/nimbus/transaction/call_evm.nim(233) txCallEvm
nimbus-eth1/nimbus/transaction/call_common.nim(305) runComputation
nimbus-eth1/nimbus/evm/state_transactions.nim(63) execComputation
nimbus-eth1/nimbus/evm/interpreter_dispatch.nim(306) execCallOrCreate
nimbus-eth1/nimbus/evm/interpreter_dispatch.nim(264) executeOpcodes
nimbus-eth1/nimbus/evm/computation.nim(409) traceError
nimbus-eth1/nimbus/evm/tracer/json_tracer.nim(188) captureFault
nimbus-eth1/nimbus/evm/tracer/json_tracer.nim(113) captureOpImpl
nimbus-eth1/nimbus/evm/tracer/json_tracer.nim(51) writeJson
nimbus-eth1/vendor/nimbus-build-system/vendor/Nim/lib/pure/json.nim(820) dollar
nimbus-eth1/vendor/nimbus-build-system/vendor/Nim/lib/pure/json.nim(718) toUgly
nimbus-eth1/vendor/nimbus-build-system/vendor/Nim/lib/pure/json.nim(708) toUgly
nimbus-eth1/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(631) signalHandler
SIGSEGV: Illegal storage access. (Attempt to read from nil?)
fish: Process 114639, '/home/dtopz/code/github/danceratopz/nimbus-eth1/tools/t8n/t8n' from job 4, 'echo '{…' terminated by signal "alloc": {… (…)
fish: Process SIGSEGV, 'Address boundary error' from job , '' terminated by signal  ()

If the --trace option is not specified, t8n generates the expected output on stdout.

Test Case Context

The t8n command above is executed as part of the withdrawal test case, tests/shanghai/eip4895_withdrawals/test_withdrawals.py#L727:

tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=9-amount=1]

which implements a blockchain test with two blocks:

1. In the first block a withdrawal is made to the precompile address 0x09.
2. In the second block a no-value transaction is sent to the precompile address 0x09.

This test is parametrized by precompile address and, interestingly, the error is not triggered for other precompile addresses, i.e., the following tests all run without problem:

tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=1-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=1-amount=1]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=2-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=2-amount=1]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=3-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=3-amount=1]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=4-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=4-amount=1]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=5-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=5-amount=1]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=6-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=6-amount=1]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=7-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=7-amount=1]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=8-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=8-amount=1]

only the following two cases involving the 0x09 precompile trigger the issue:

tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=9-amount=0]
tests/shanghai/eip4895_withdrawals/test_withdrawals.py::test_withdrawing_to_precompiles[fork=Shanghai-precompile=9-amount=1]

These test cases can be executed with:

fill tests/shanghai/eip4895_withdrawals/test_withdrawals.py --evm-bin=~/path/to/nimbus-eth1/tools/t8n/t8n -v --t8n-dump-dir=/tmp/nimbus-t8n-dump -k precompile -x --traces