JumpTable for not Gorgon (#4381)

shargon · ajara87 · AnnaShaleva · web-flow · commit 63e2ba77578c · 2026-04-01T06:46:42.000-07:00
* JumpTable Faun * Update src/Neo/SmartContract/ApplicationEngine.cs * Update src/Neo/SmartContract/ApplicationEngine.cs * Apply suggestions from code review Co-authored-by: Alvaro <amjarag@gmail.com> * Add UT por hashkey * Apply suggestion from @ajara87 * Update tests/Neo.UnitTests/SmartContract/UT_ApplicationEngine.JumpTable.cs * Not Gorgon * fix ut * fix comments * Apply suggestions from code review Co-authored-by: Anna Shaleva <shaleva.ann@gmail.com> * Apply suggestions from code review Co-authored-by: Alvaro <amjarag@gmail.com> * Update tests/Neo.UnitTests/SmartContract/UT_ApplicationEngine.JumpTable.cs Co-authored-by: Owen <38493437+superboyiii@users.noreply.github.com> * Update Neo.VM package version to 3.9.3-CI00366 --------- Co-authored-by: Alvaro <amjarag@gmail.com> Co-authored-by: Anna Shaleva <shaleva.ann@nspcc.ru> Co-authored-by: Anna Shaleva <shaleva.ann@gmail.com> Co-authored-by: Owen <38493437+superboyiii@users.noreply.github.com>
diff --git a/src/Neo/Neo.csproj b/src/Neo/Neo.csproj
@@ -14,7 +14,7 @@
     <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="10.0.2" />
     <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.15.0" />
     <PackageReference Include="Neo.Cryptography.BLS12_381" Version="3.9.0" />
-    <PackageReference Include="Neo.VM" Version="3.9.0" />
+    <PackageReference Include="Neo.VM" Version="3.9.3-CI00366" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Neo/SmartContract/ApplicationEngine.cs b/src/Neo/SmartContract/ApplicationEngine.cs
@@ -38,6 +38,7 @@ public partial class ApplicationEngine : ExecutionEngine
     {
         protected static readonly JumpTable DefaultJumpTable = ComposeDefaultJumpTable();
         protected static readonly JumpTable NotEchidnaJumpTable = ComposeNotEchidnaJumpTable();
+        protected static readonly JumpTable NotGorgonJumpTable = ComposeNotGorgonJumpTable();
 
         /// <summary>
         /// The maximum cost that can be spent when a contract is executed in test mode.
@@ -270,11 +271,174 @@ private static JumpTable ComposeDefaultJumpTable()
 
         public static JumpTable ComposeNotEchidnaJumpTable()
         {
-            var jumpTable = ComposeDefaultJumpTable();
-            jumpTable[OpCode.SUBSTR] = VulnerableSubStr;
-            return jumpTable;
+            var table = ComposeNotGorgonJumpTable();
+
+            table[OpCode.SUBSTR] = VulnerableSubStr;
+
+            return table;
+        }
+
+        public static JumpTable ComposeNotGorgonJumpTable()
+        {
+            var table = ComposeDefaultJumpTable();
+
+            // Before https://github.com/neo-project/neo-vm/pull/543
+            table[OpCode.HASKEY] = HasKey_Before543;
+            table[OpCode.PICKITEM] = PickItem_Before543;
+            table[OpCode.SETITEM] = SetItem_Before543;
+            table[OpCode.REMOVE] = Remove_Before543;
+
+            return table;
         }
 
+        private static void Remove_Before543(ExecutionEngine engine, Instruction instruction)
+        {
+            var key = engine.Pop<PrimitiveType>();
+            var x = engine.Pop();
+            switch (x)
+            {
+                case VMArray array:
+                    var index = (int)key.GetInteger();
+                    if (index < 0 || index >= array.Count)
+                        throw new InvalidOperationException($"The index of {nameof(VMArray)} is out of range, {index}/[0, {array.Count}).");
+                    array.RemoveAt(index);
+                    break;
+                case Map map:
+                    map.Remove(key);
+                    break;
+                default:
+                    throw new InvalidOperationException($"Invalid type for {instruction.OpCode}: {x.Type}");
+            }
+        }
+
+        private static void SetItem_Before543(ExecutionEngine engine, Instruction instruction)
+        {
+            var value = engine.Pop();
+            if (value is Struct s) value = s.Clone(engine.Limits);
+            var key = engine.Pop<PrimitiveType>();
+            var x = engine.Pop();
+            switch (x)
+            {
+                case VMArray array:
+                    {
+                        var index = (int)key.GetInteger();
+                        if (index < 0 || index >= array.Count)
+                            throw new CatchableException($"The index of {nameof(VMArray)} is out of range, {index}/[0, {array.Count}).");
+                        array[index] = value;
+                        break;
+                    }
+                case Map map:
+                    {
+                        map[key] = value;
+                        break;
+                    }
+                case VM.Types.Buffer buffer:
+                    {
+                        var index = (int)key.GetInteger();
+                        if (index < 0 || index >= buffer.Size)
+                            throw new CatchableException($"The index of {nameof(Buffer)} is out of range, {index}/[0, {buffer.Size}).");
+                        if (value is not PrimitiveType p)
+                            throw new InvalidOperationException($"Only primitive type values can be set in {nameof(Buffer)} in {instruction.OpCode}.");
+                        var b = (int)p.GetInteger();
+                        if (b < sbyte.MinValue || b > byte.MaxValue)
+                            throw new InvalidOperationException($"Overflow in {instruction.OpCode}, {b} is not a byte type.");
+                        buffer.InnerBuffer.Span[index] = (byte)b;
+                        break;
+                    }
+                default:
+                    throw new InvalidOperationException($"Invalid type for {instruction.OpCode}: {x.Type}");
+            }
+        }
+
+        private static void PickItem_Before543(ExecutionEngine engine, Instruction instruction)
+        {
+            var key = engine.Pop<PrimitiveType>();
+            var x = engine.Pop();
+            switch (x)
+            {
+                case VMArray array:
+                    {
+                        var index = (int)key.GetInteger();
+                        if (index < 0 || index >= array.Count)
+                            throw new CatchableException($"The index of {nameof(VMArray)} is out of range, {index}/[0, {array.Count}).");
+                        engine.Push(array[index]);
+                        break;
+                    }
+                case Map map:
+                    {
+                        if (!map.TryGetValue(key, out var value))
+                            throw new CatchableException($"Key {key} not found in {nameof(Map)}.");
+                        engine.Push(value);
+                        break;
+                    }
+                case PrimitiveType primitive:
+                    {
+                        var byteArray = primitive.GetSpan();
+                        var index = (int)key.GetInteger();
+                        if (index < 0 || index >= byteArray.Length)
+                            throw new CatchableException($"The index of {nameof(PrimitiveType)} is out of range, {index}/[0, {byteArray.Length}).");
+                        engine.Push((BigInteger)byteArray[index]);
+                        break;
+                    }
+                case Buffer buffer:
+                    {
+                        var index = (int)key.GetInteger();
+                        if (index < 0 || index >= buffer.Size)
+                            throw new CatchableException($"The index of {nameof(Buffer)} is out of range, {index}/[0, {buffer.Size}).");
+                        engine.Push((BigInteger)buffer.InnerBuffer.Span[index]);
+                        break;
+                    }
+                default:
+                    throw new InvalidOperationException($"Invalid type for {instruction.OpCode}: {x.Type}");
+            }
+        }
+
+        private static void HasKey_Before543(ExecutionEngine engine, Instruction instruction)
+        {
+            var key = engine.Pop<PrimitiveType>();
+            var x = engine.Pop();
+            // Check the type of the top item and perform the corresponding action.
+            switch (x)
+            {
+                // For arrays, check if the index is within bounds and push the result onto the stack.
+                case VMArray array:
+                    {
+                        var index = (int)key.GetInteger();
+                        if (index < 0)
+                            throw new InvalidOperationException($"The negative index {index} is invalid for OpCode {instruction.OpCode}.");
+                        engine.Push(index < array.Count);
+                        break;
+                    }
+                // For maps, check if the key exists and push the result onto the stack.
+                case Map map:
+                    {
+                        engine.Push(map.ContainsKey(key));
+                        break;
+                    }
+                // For buffers, check if the index is within bounds and push the result onto the stack.
+                case VM.Types.Buffer buffer:
+                    {
+                        var index = (int)key.GetInteger();
+                        if (index < 0)
+                            throw new InvalidOperationException($"The negative index {index} is invalid for OpCode {instruction.OpCode}.");
+                        engine.Push(index < buffer.Size);
+                        break;
+                    }
+                // For byte strings, check if the index is within bounds and push the result onto the stack.
+                case ByteString array:
+                    {
+                        var index = (int)key.GetInteger();
+                        if (index < 0)
+                            throw new InvalidOperationException($"The negative index {index} is invalid for OpCode {instruction.OpCode}.");
+                        engine.Push(index < array.Size);
+                        break;
+                    }
+                default:
+                    throw new InvalidOperationException($"Invalid type for {instruction.OpCode}: {x.Type}");
+            }
+        }
+
+
         protected static void OnCallT(ExecutionEngine engine, Instruction instruction)
         {
             if (engine is ApplicationEngine app)
@@ -495,7 +659,25 @@ public static ApplicationEngine Create(TriggerType trigger, IVerifiable? contain
             var index = persistingBlock?.Index ?? NativeContract.Ledger.CurrentIndex(snapshot);
             settings ??= ProtocolSettings.Default;
             // Adjust jump table according persistingBlock
-            var jumpTable = settings.IsHardforkEnabled(Hardfork.HF_Echidna, index) ? DefaultJumpTable : NotEchidnaJumpTable;
+
+            JumpTable jumpTable;
+
+            if (settings.IsHardforkEnabled(Hardfork.HF_Gorgon, index))
+            {
+                jumpTable = DefaultJumpTable;
+            }
+            else
+            {
+                if (!settings.IsHardforkEnabled(Hardfork.HF_Echidna, index))
+                {
+                    jumpTable = NotEchidnaJumpTable;
+                }
+                else
+                {
+                    jumpTable = NotGorgonJumpTable;
+                }
+            }
+
             var engine = Provider?.Create(trigger, container, snapshot, persistingBlock, settings, gas, diagnostic, jumpTable)
                   ?? new ApplicationEngine(trigger, container, snapshot, persistingBlock, settings, gas, diagnostic, jumpTable);
 
diff --git a/tests/Neo.UnitTests/SmartContract/UT_ApplicationEngine.JumpTable.cs b/tests/Neo.UnitTests/SmartContract/UT_ApplicationEngine.JumpTable.cs
@@ -0,0 +1,111 @@
+// Copyright (C) 2015-2026 The Neo Project.
+//
+// UT_ApplicationEngine.JumpTable.cs file belongs to the neo project and is free
+// software distributed under the MIT software license, see the
+// accompanying file LICENSE in the main directory of the
+// repository or http://www.opensource.org/licenses/mit-license.php
+// for more details.
+//
+// Redistribution and use in source and binary forms with or without
+// modifications are permitted.
+
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using Neo.Network.P2P.Payloads;
+using Neo.SmartContract;
+using Neo.VM;
+using System;
+using System.Numerics;
+
+namespace Neo.UnitTests.SmartContract
+{
+    public partial class UT_ApplicationEngine
+    {
+        [TestMethod]
+        public void TestHasKeyWithDifferentHF()
+        {
+            var script = BuildHasKeyLargeIndexScript();
+            const uint EchidnaEnable = 10u;
+            const uint GorgonEnable = 20u;
+            // Hardfork heights:
+            // Echidna at 10, Gorgon at 20
+            //  - index=5 => pre-Echidna (NotEchidnaJumpTable)
+            //  - index=15 => Echidna enabled, Gorgon NOT enabled (NotGorgonJumpTable)
+            //  - index=30 => Gorgon enabled (DefaultJumpTable)
+            var settings = ProtocolSettings.Default with
+            {
+                Hardforks = ProtocolSettings.Default.Hardforks
+                    .SetItem(Hardfork.HF_Echidna, EchidnaEnable)
+                    .SetItem(Hardfork.HF_Gorgon, GorgonEnable)
+            };
+
+            Assert.IsFalse(settings.IsHardforkEnabled(Hardfork.HF_Echidna, 5u));
+            Assert.IsTrue(settings.IsHardforkEnabled(Hardfork.HF_Echidna, 15u));
+            Assert.IsTrue(settings.IsHardforkEnabled(Hardfork.HF_Echidna, 30u));
+            Assert.IsFalse(settings.IsHardforkEnabled(Hardfork.HF_Gorgon, 15u));
+            Assert.IsTrue(settings.IsHardforkEnabled(Hardfork.HF_Gorgon, 30u));
+
+            // Case A: pre-Echidna => Overflow
+            ExecuteAndAssertFault<OverflowException>(script, settings, index: 5u);
+
+            // Case B: Echidna enabled but pre-Gorgon => Overflow
+            ExecuteAndAssertFault<OverflowException>(script, settings, index: 15u);
+
+            // Case C: Gorgon enabled => InvalidOperationException
+            ExecuteAndAssertFault<InvalidOperationException>(script, settings, index: 30u);
+        }
+
+        private static byte[] BuildHasKeyLargeIndexScript()
+        {
+            // HASKEY pops: key (PrimitiveType), then x (Array/Map/Buffer/ByteString)
+            // So push x first, then key.
+            var largeIndex = new BigInteger((long)int.MaxValue + 1);
+
+            using var sb = new ScriptBuilder();
+
+            // Build array: [1]
+            sb.EmitPush(1);
+            sb.EmitPush(1);
+            sb.Emit(OpCode.PACK);
+
+            // Push key and call HASKEY
+            sb.EmitPush(largeIndex);
+            sb.Emit(OpCode.HASKEY);
+
+            sb.Emit(OpCode.RET);
+            return sb.ToArray();
+        }
+
+        private static void ExecuteAndAssertFault<TException>(byte[] script, ProtocolSettings settings, uint index) where TException : Exception
+        {
+            var snapshotCache = TestBlockchain.GetTestSnapshotCache();
+            var block = new Block
+            {
+                Header = new Header
+                {
+                    PrevHash = UInt256.Zero,
+                    MerkleRoot = UInt256.Zero,
+                    Index = index,
+                    NextConsensus = UInt160.Zero,
+                    Witness = Witness.Empty
+                },
+                Transactions = []
+            };
+
+            using var engine = ApplicationEngine.Create(
+                TriggerType.Application,
+                container: null,
+                snapshotCache,
+                persistingBlock: block,
+                settings: settings,
+                gas: 100_00000000L);
+
+            engine.LoadScript(script);
+            engine.Execute();
+
+            Assert.AreEqual(VMState.FAULT, engine.State, $"Expected FAULT at index={index}.");
+            Assert.IsNotNull(engine.FaultException, $"Expected FaultException at index={index}.");
+            Assert.IsInstanceOfType(engine.FaultException, typeof(TException),
+                $"Expected {typeof(TException).Name} at index={index}, but got {engine.FaultException.GetType().Name}.");
+        }
+    }
+}
