fix: allow negative gas refund propagation (#333)

abmcar · web-flow · commit ca09d81974d0 · 2026-02-05T17:03:19.000+08:00
diff --git a/src/compiler/evm_frontend/evm_imported.cpp b/src/compiler/evm_frontend/evm_imported.cpp
@@ -794,6 +794,7 @@ const uint8_t *evmHandleCreateInternal(zen::runtime::EVMInstance *Instance,
   if (GasUsed != 0) {
     Instance->chargeGas(GasUsed);
   }
+  // Track subcall refund (may be negative)
   Instance->addGasRefund(Result.gas_refund);
 
   std::vector<uint8_t> ReturnData(Result.output_data,
@@ -956,6 +957,7 @@ static uint64_t evmHandleCallInternal(zen::runtime::EVMInstance *Instance,
     Instance->chargeGas(GasUsed);
   }
 
+  // Track subcall refund (may be negative)
   Instance->addGasRefund(Result.gas_refund);
 
   // Copy return data to memory if output area is specified.
diff --git a/src/evm/interpreter.h b/src/evm/interpreter.h
@@ -30,7 +30,7 @@ struct EVMFrame {
   evmc_message Msg = {};
   evmc::Host *Host = nullptr;
   evmc_tx_context MTx = {};
-  uint64_t GasRefundSnapshot = 0;
+  int64_t GasRefundSnapshot = 0;
 
   size_t Sp = 0;
   uint64_t Pc = 0;
diff --git a/src/evm/opcode_handlers.cpp b/src/evm/opcode_handlers.cpp
@@ -1461,11 +1461,8 @@ void CallHandler::doExecute() {
     return;
   }
 
-  if (Result.gas_refund > 0) {
-    // Track subcall refund at Instance level
-    Context->getInstance()->addGasRefund(Result.gas_refund);
-  }
-
+  // Track subcall refund at Instance level (may be negative)
+  Context->getInstance()->addGasRefund(Result.gas_refund);
   Context->setStatus(EVMC_SUCCESS);
 }
 
diff --git a/src/runtime/evm_instance.h b/src/runtime/evm_instance.h
@@ -59,9 +59,9 @@ class EVMInstance final : public RuntimeObject<EVMInstance> {
   void chargeGas(uint64_t GasCost);
   void addGas(uint64_t GasAmount);
 
-  void addGasRefund(uint64_t Amount) { GasRefund += Amount; }
-  void setGasRefund(uint64_t Amount) { GasRefund = Amount; }
-  uint64_t getGasRefund() const { return GasRefund; }
+  void addGasRefund(int64_t Amount) { GasRefund += Amount; }
+  void setGasRefund(int64_t Amount) { GasRefund = Amount; }
+  int64_t getGasRefund() const { return GasRefund; }
   void restoreGasRefundSnapshot() {
     if (!GasRefundStack.empty()) {
       GasRefund = GasRefundStack.back();
@@ -288,7 +288,7 @@ class EVMInstance final : public RuntimeObject<EVMInstance> {
   newEVMInstance(Isolation &Iso, const EVMModule &Mod, uint64_t GasLimit = 0);
 
   const EVMModule *Mod = nullptr;
-  uint64_t GasRefund = 0;
+  int64_t GasRefund = 0;
   // memory
   uint8_t *MemoryBase = nullptr;
   uint64_t MemorySize = 0;

Original file line number	Diff line number	Diff line change
`@@ -794,6 +794,7 @@ const uint8_t evmHandleCreateInternal(zen::runtime::EVMInstance Instance,`
`794`	`794`	`if (GasUsed != 0) {`
`795`	`795`	`Instance->chargeGas(GasUsed);`
`796`	`796`	`}`
	`797`	`+ // Track subcall refund (may be negative)`
`797`	`798`	`Instance->addGasRefund(Result.gas_refund);`
`798`	`799`
`799`	`800`	`std::vector<uint8_t> ReturnData(Result.output_data,`
`@@ -956,6 +957,7 @@ static uint64_t evmHandleCallInternal(zen::runtime::EVMInstance *Instance,`
`956`	`957`	`Instance->chargeGas(GasUsed);`
`957`	`958`	`}`
`958`	`959`
	`960`	`+ // Track subcall refund (may be negative)`
`959`	`961`	`Instance->addGasRefund(Result.gas_refund);`
`960`	`962`
`961`	`963`	`// Copy return data to memory if output area is specified.`
Original file line number	Diff line number	Diff line change
`@@ -1461,11 +1461,8 @@ void CallHandler::doExecute() {`
`1461`	`1461`	`return;`
`1462`	`1462`	`}`
`1463`	`1463`
`1464`		`- if (Result.gas_refund > 0) {`
`1465`		`- // Track subcall refund at Instance level`
`1466`		`- Context->getInstance()->addGasRefund(Result.gas_refund);`
`1467`		`- }`
`1468`		`-`
	`1464`	`+ // Track subcall refund at Instance level (may be negative)`
	`1465`	`+ Context->getInstance()->addGasRefund(Result.gas_refund);`
`1469`	`1466`	`Context->setStatus(EVMC_SUCCESS);`
`1470`	`1467`	`}`
`1471`	`1468`