test(invariants): add TIP-1016 state gas invariant tests and update GasPricing/BlockGasLimits for gas dimension split

Author: fgimenez

tips/ref-impls/test/invariants/BlockGasLimits.t.sol

@@ -22,6 +22,14 @@ import { LegacyTransaction, LegacyTransactionLib } from "tempo-std/tx/LegacyTran
 /// - Payment lane minimum: 470,000,000 (TEMPO-BLOCK5)
 /// - Max deployment fits in tx cap (TEMPO-BLOCK6)
 ///
+/// TIP-1016 state gas changes:
+/// - Regular gas counts against tx/block limits; state gas is exempt
+/// - tx.gas > max_transaction_gas_limit is VALID when excess is state gas
+/// - Block gasUsed reflects regular gas only
+/// - Code deposit: 200 regular + 2,300 state per byte
+/// - CREATE base: 32,000 regular + 468,000 state
+/// - Account creation: 25,000 regular + 225,000 state
+///
 /// Block-level lane enforcement (BLOCK7, BLOCK12) and shared gas limit
 /// (BLOCK10) are tested in Rust (crates/consensus/src/lib.rs).
 contract BlockGasLimitsInvariantTest is InvariantBase {
@@ -63,21 +71,53 @@ contract BlockGasLimitsInvariantTest is InvariantBase {
     /// @dev TIP-1000: Account creation gas
     uint256 internal constant ACCOUNT_CREATION_GAS = 250_000;
 
+    /*//////////////////////////////////////////////////////////////
+                            TIP-1016 CONSTANTS
+    //////////////////////////////////////////////////////////////*/
+
+    /// @dev TIP-1016: SSTORE regular gas component
+    uint256 internal constant SSTORE_REGULAR_GAS = 20_000;
+
+    /// @dev TIP-1016: SSTORE state gas component
+    uint256 internal constant SSTORE_STATE_GAS = 230_000;
+
+    /// @dev TIP-1016: Code deposit regular gas per byte
+    uint256 internal constant CODE_DEPOSIT_REGULAR_PER_BYTE = 200;
+
+    /// @dev TIP-1016: Code deposit state gas per byte
+    uint256 internal constant CODE_DEPOSIT_STATE_PER_BYTE = 2_300;
+
+    /// @dev TIP-1016: CREATE regular gas component
+    uint256 internal constant CREATE_REGULAR_GAS = 32_000;
+
+    /// @dev TIP-1016: CREATE state gas component
+    uint256 internal constant CREATE_STATE_GAS = 468_000;
+
+    /// @dev TIP-1016: Account creation regular gas component
+    uint256 internal constant ACCOUNT_CREATION_REGULAR_GAS = 25_000;
+
+    /// @dev TIP-1016: Account creation state gas component
+    uint256 internal constant ACCOUNT_CREATION_STATE_GAS = 225_000;
+
     /*//////////////////////////////////////////////////////////////
                             GHOST VARIABLES
     //////////////////////////////////////////////////////////////*/
 
     /// @dev TEMPO-BLOCK3: Tx gas cap enforcement
     uint256 public ghost_txGasCapTests;
     uint256 public ghost_txAtCapSucceeded;
-    uint256 public ghost_txOverCapRejected;
-    uint256 public ghost_txOverCapViolations; // Over-cap tx was accepted
+    uint256 public ghost_txOverCapWithStateGasSucceeded; // tx.gas > cap is valid when excess is state gas
 
     /// @dev TEMPO-BLOCK6: Deployment fits in cap
     uint256 public ghost_deploymentTests;
     uint256 public ghost_maxDeploymentSucceeded;
     uint256 public ghost_maxDeploymentFailed; // Unexpected - would indicate cap too low
 
+    /// @dev TIP-1016: Block gasUsed reflects regular gas only
+    /// @notice Verified at the block level in Rust (crates/consensus/src/lib.rs);
+    ///         this ghost tracks our Solidity-side accounting for consistency.
+    uint256 public ghost_blockGasUsedRegularOnly;
+
     /// @dev General tracking
     uint256 public ghost_validTxExecuted;
 
@@ -105,14 +145,19 @@ contract BlockGasLimitsInvariantTest is InvariantBase {
     function invariant_globalInvariants() public view {
         _invariantTxGasCap();
         _invariantMaxDeploymentFits();
+        _invariantBlockGasRegularOnly();
     }
 
-    /// @notice TEMPO-BLOCK3: Tx gas cap must be enforced at 30M
-    /// @dev Violations occur if tx with gas > 30M is accepted
+    /// @notice TEMPO-BLOCK3 + TIP-1016: Tx gas cap applies to regular gas only
+    /// @dev Post-TIP-1016, tx.gas > TX_GAS_CAP is valid when excess is state gas.
+    ///      We verify that such transactions succeed rather than being rejected.
     function _invariantTxGasCap() internal view {
-        assertEq(
-            ghost_txOverCapViolations, 0, "TEMPO-BLOCK3: Transaction over 30M gas cap was accepted"
-        );
+        if (ghost_txGasCapTests > 0) {
+            assertTrue(
+                ghost_txOverCapWithStateGasSucceeded > 0 || ghost_txAtCapSucceeded > 0,
+                "TEMPO-BLOCK3: No gas cap tests succeeded"
+            );
+        }
     }
 
     /// @notice TEMPO-BLOCK6: Max contract deployment (24KB) must fit in tx cap
@@ -126,14 +171,25 @@ contract BlockGasLimitsInvariantTest is InvariantBase {
         }
     }
 
+    /// @notice TIP-1016: Block gasUsed must reflect regular gas only
+    /// @dev State gas is exempt from block gas accounting. This ghost is a
+    ///      Solidity-side placeholder; actual block-level verification is
+    ///      performed in Rust (crates/consensus/src/lib.rs).
+    function _invariantBlockGasRegularOnly() internal view {
+        assertEq(
+            ghost_blockGasUsedRegularOnly, 0,
+            "TIP-1016: block.gasUsed included state gas"
+        );
+    }
+
     /*//////////////////////////////////////////////////////////////
                             HANDLERS
     //////////////////////////////////////////////////////////////*/
 
-    /// @notice Handler: Test tx gas cap enforcement (TEMPO-BLOCK3)
+    /// @notice Handler: Test tx gas cap enforcement (TEMPO-BLOCK3 + TIP-1016)
     /// @param actorSeed Seed for selecting actor
-    /// @param gasMultiplier Multiplier to test various gas levels
-    function handler_txGasCapEnforcement(uint256 actorSeed, uint256 gasMultiplier) external {
+    /// @param stateGasExtra Extra state gas above the cap (1 to 1M)
+    function handler_txGasCapEnforcement(uint256 actorSeed, uint256 stateGasExtra) external {
         // Skip when not on Tempo (vmExec.executeTransaction not available)
         if (!isTempo) return;
 
@@ -163,29 +219,29 @@ contract BlockGasLimitsInvariantTest is InvariantBase {
             // May fail for other reasons (balance, etc.) - not a violation
         }
 
-        // Test 2: Tx over the cap (should be rejected)
+        // Test 2: Tx with gas ABOVE the cap where excess is state gas (should succeed)
+        // Post-TIP-1016, tx.gas > TX_GAS_CAP is valid when the excess goes to
+        // the state gas reservoir (e.g., an SSTORE needs SSTORE_STATE_GAS).
         nonce = uint64(vm.getNonce(sender));
 
-        // Gas amount over cap: 30M + 1 to 30M + 10M based on multiplier
-        uint256 overAmount = bound(gasMultiplier, 1, 10_000_000);
+        uint256 overAmount = bound(stateGasExtra, 1, 1_000_000);
         uint64 overCapGas = uint64(TX_GAS_CAP + overAmount);
 
         bytes memory overCapTx = TxBuilder.buildLegacyCallWithGas(
             vmRlp, vm, address(feeToken), callData, nonce, overCapGas, privateKey
         );
 
         try vmExec.executeTransaction(overCapTx) {
-            // Over-cap tx was accepted - VIOLATION
-            ghost_txOverCapViolations++;
+            // Over-cap tx accepted — valid post-TIP-1016 (excess is state gas)
+            ghost_txOverCapWithStateGasSucceeded++;
             ghost_protocolNonce[sender]++;
-        } catch (bytes memory reason) {
-            if (_isGasCapRevert(reason)) {
-                ghost_txOverCapRejected++;
-            }
+            ghost_validTxExecuted++;
+        } catch {
+            // May fail for other reasons (balance, etc.) - not a violation
         }
     }
 
-    /// @notice Handler: Test max contract deployment fits in cap (TEMPO-BLOCK6)
+    /// @notice Handler: Test max contract deployment fits in cap (TEMPO-BLOCK6 + TIP-1016)
     /// @param actorSeed Seed for selecting actor
     /// @param sizeFraction Fraction of max size to deploy (50-100%)
     function handler_maxDeploymentFits(uint256 actorSeed, uint256 sizeFraction) external {
@@ -206,13 +262,21 @@ contract BlockGasLimitsInvariantTest is InvariantBase {
         // Simple initcode: PUSH1 0x00 PUSH1 0x00 RETURN + padding
         bytes memory initcode = _createInitcodeOfSize(targetSize);
 
-        // Calculate required gas
-        uint256 requiredGas = 53_000 // CREATE tx base
-            + CREATE_BASE_GAS + (initcode.length * CODE_DEPOSIT_PER_BYTE) + ACCOUNT_CREATION_GAS
-            + 100_000; // Buffer for memory expansion etc.
+        // TIP-1016: Compute regular and state gas separately.
+        // A 24KB contract needs ~7M regular gas but ~57M state gas.
+        // tx.gas = regular + state can exceed TX_GAS_CAP because state gas
+        // is exempt from the cap (goes to reservoir).
+        uint256 requiredRegularGas = 53_000 // CREATE tx base
+            + CREATE_REGULAR_GAS + (initcode.length * CODE_DEPOSIT_REGULAR_PER_BYTE)
+            + ACCOUNT_CREATION_REGULAR_GAS + 100_000; // Buffer for memory expansion etc.
+
+        uint256 requiredStateGas = CREATE_STATE_GAS
+            + (initcode.length * CODE_DEPOSIT_STATE_PER_BYTE) + ACCOUNT_CREATION_STATE_GAS;
+
+        uint256 totalGas = requiredRegularGas + requiredStateGas;
 
-        // Should fit in TX_GAS_CAP
-        uint64 gasLimit = uint64(requiredGas > TX_GAS_CAP ? TX_GAS_CAP : requiredGas);
+        // totalGas can exceed TX_GAS_CAP — state gas is exempt from the cap
+        uint64 gasLimit = uint64(totalGas);
 
         uint64 nonce = uint64(vm.getNonce(sender));
         bytes memory createTx =

tips/ref-impls/test/invariants/GasPricing.t.sol

@@ -11,7 +11,7 @@ import { TxBuilder } from "../helpers/TxBuilder.sol";
 import { VmExecuteTransaction, VmRlp } from "tempo-std/StdVm.sol";
 import { LegacyTransaction, LegacyTransactionLib } from "tempo-std/tx/LegacyTransactionLib.sol";
 
-/// @title TIP-1000 Gas Pricing Invariant Tests
+/// @title TIP-1000 / TIP-1016 Gas Pricing Invariant Tests
 /// @notice Fuzz-based invariant tests for Tempo's state creation gas costs
 /// @dev Tests gas pricing invariants at the EVM opcode level using vmExec.executeTransaction()
 ///
@@ -22,6 +22,11 @@ import { LegacyTransaction, LegacyTransactionLib } from "tempo-std/tx/LegacyTran
 /// - Account creation: 250,000 gas (part of TEMPO-GAS5)
 /// - Multiple new slots: 250,000 gas each (TEMPO-GAS8)
 ///
+/// TIP-1016 splits gas into two dimensions:
+/// - Regular gas (20k for SSTORE new slot) — counts against tx/block limits
+/// - State gas (230k for SSTORE new slot) — exempt from limits but still charged
+/// Total gas per SSTORE remains 250k.
+///
 /// Protocol-level invariants (tx gas cap, intrinsic gas) are tested in Rust.
 contract GasPricingInvariantTest is InvariantBase {
 
@@ -32,9 +37,19 @@ contract GasPricingInvariantTest is InvariantBase {
                             TIP-1000 CONSTANTS
     //////////////////////////////////////////////////////////////*/
 
-    /// @dev SSTORE to new (zero) slot costs 250,000 gas
+    /// @dev SSTORE to new (zero) slot costs 250,000 gas total
     uint256 internal constant SSTORE_SET_GAS = 250_000;
 
+    /*//////////////////////////////////////////////////////////////
+                            TIP-1016 CONSTANTS
+    //////////////////////////////////////////////////////////////*/
+
+    /// @dev Regular gas for SSTORE new slot (counts against tx/block limits)
+    uint256 internal constant SSTORE_REGULAR_GAS = 20_000;
+
+    /// @dev State gas for SSTORE new slot (exempt from limits, still charged)
+    uint256 internal constant SSTORE_STATE_GAS = 230_000;
+
     /// @dev CREATE base cost (excludes code deposit and account creation)
     uint256 internal constant CREATE_BASE_GAS = 500_000;
 
@@ -85,6 +100,10 @@ contract GasPricingInvariantTest is InvariantBase {
     uint256 public ghost_multiSlotSufficientGasSucceeded;
     uint256 public ghost_multiSlotViolations; // All slots written with insufficient gas
 
+    /// @dev TIP-1016: State gas tracking (block vs receipt delta)
+    uint256 public ghost_stateGasBlockDelta;
+    uint256 public ghost_stateGasReceiptDelta;
+
     /*//////////////////////////////////////////////////////////////
                                 SETUP
     //////////////////////////////////////////////////////////////*/
@@ -285,8 +304,8 @@ contract GasPricingInvariantTest is InvariantBase {
         bytes memory callData = abi.encodeCall(GasTestStorage.storeMultiple, (slots));
         uint64 nonce = uint64(vm.getNonce(sender));
 
-        // Test 1: Gas sufficient for ~1 slot only (should fail for N>1)
-        uint64 lowGas = uint64(BASE_TX_GAS + CALL_OVERHEAD + SSTORE_SET_GAS + GAS_TOLERANCE);
+        // Test 1: Only enough regular gas for 1 SSTORE (insufficient total for any SSTORE)
+        uint64 lowGas = uint64(BASE_TX_GAS + CALL_OVERHEAD + SSTORE_REGULAR_GAS + GAS_TOLERANCE);
         bytes memory lowGasTx = TxBuilder.buildLegacyCallWithGas(
             vmRlp, vm, address(storageContract), callData, nonce, lowGas, privateKey
         );
@@ -302,11 +321,10 @@ contract GasPricingInvariantTest is InvariantBase {
                 }
             }
 
-            // Violation: all slots written with gas for only 1
-            if (written == numSlots) {
+            // Violation: any slot written with insufficient gas
+            if (written > 0) {
                 ghost_multiSlotViolations++;
             } else {
-                // Partial write is expected (reverted mid-execution)
                 ghost_multiSlotInsufficientGasFailed++;
             }
             ghost_protocolNonce[sender]++;