Skip to content

feat(evmrpc): bound debug_trace struct-logger memory via max_trace_struct_log_bytes (PLT-205)#3677

Open
amir-deris wants to merge 2 commits into
mainfrom
amir/plt-205-debug-trace-memory-growth
Open

feat(evmrpc): bound debug_trace struct-logger memory via max_trace_struct_log_bytes (PLT-205)#3677
amir-deris wants to merge 2 commits into
mainfrom
amir/plt-205-debug-trace-memory-growth

Conversation

@amir-deris

@amir-deris amir-deris commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

debug_trace* calls that use the default struct logger retain one structured log entry per executed opcode. Traces that touch many distinct storage slots grow memory quadratically, and an unbounded trace can OOM the RPC node. Upstream geth exposes a per-call Limit on the struct logger but leaves it unset (unlimited) by default.

This PR adds an operator-configurable, node-side cap on the retained default struct-logger output so a single trace cannot grow without bound.

Changes

  • New config evm.max_trace_struct_log_bytes (MaxTraceStructLogBytes) bounding the bytes of retained struct-logger output for a single default debug_trace* call. Defaults to 256 MiB; 0 disables the cap (matches upstream geth's unlimited behavior).
  • DebugAPI.clampDefaultStructLogLimit applies the cap across TraceTransaction, TraceBlockByNumber, TraceBlockByHash, and TraceCall. It:
    • is a no-op for custom tracers (only the default struct logger is affected),
    • is a no-op when the cap is disabled (0),
    • clamps a larger caller-supplied Limit down to the node cap,
    • honors a smaller caller-supplied Limit.
  • Wired into config parsing (ReadConfig), the TOML template, and DefaultConfig.

Tests

  • TestClampDefaultStructLogLimit covers all clamp/no-op branches (no limit set, nil nested config, larger limit clamped, smaller limit honored, custom tracer, disabled cap, nil config).
  • config_test.go asserts the default value and rejects a bad type for the new flag.

PLT-205

@cursor

cursor Bot commented Jun 30, 2026

Copy link
Copy Markdown

PR Summary

Low Risk
Operational guardrail on debug trace memory only; custom tracers and trace cache paths are unaffected, with behavior revertible via config 0.

Overview
Adds operator setting evm.max_trace_struct_log_bytes (default 256 MiB, 0 = unlimited like geth) and wires it through config, TOML, and DebugAPI.

clampDefaultStructLogLimit sets or lowers the default struct logger’s Limit on debug_traceTransaction, debug_traceBlock*, and debug_traceCall. Custom tracers are unchanged; smaller client Limit values are kept.

Tests cover clamp branches and config parsing for the new flag.

Reviewed by Cursor Bugbot for commit fae41aa. Bugbot is set up for automated code reviews on this repo. Configure here.

@amir-deris amir-deris changed the title Added config for trace limit and added test feat(evmrpc): bound debug_trace struct-logger memory via max_trace_struct_log_bytes (PLT-205) Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed✅ passed✅ passed✅ passedJul 1, 2026, 2:27 PM

@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 73.91304% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.28%. Comparing base (d4cb291) to head (fae41aa).

Files with missing lines Patch % Lines
evmrpc/tracers.go 70.00% 3 Missing and 3 partials ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #3677      +/-   ##
==========================================
- Coverage   59.27%   58.28%   -0.99%     
==========================================
  Files        2272     2185      -87     
  Lines      188193   178197    -9996     
==========================================
- Hits       111547   103861    -7686     
+ Misses      66593    65104    -1489     
+ Partials    10053     9232     -821     
Flag Coverage Δ
sei-chain-pr 69.06% <73.91%> (?)
sei-db 70.41% <ø> (ø)
sei-db-state-db ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
evmrpc/config/config.go 71.42% <100.00%> (+0.59%) ⬆️
evmrpc/tracers.go 68.95% <70.00%> (+0.06%) ⬆️

... and 118 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@seidroid seidroid Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A clean, well-tested, well-documented change that adds an operator cap on default struct-logger trace output. However, Codex flags a likely-correctness issue that defeats the feature's purpose: geth's logger.Config.Limit may count retained struct-log entries, not bytes, which would make the byte-named MaxTraceStructLogBytes config and its 256 MiB default ineffective — this must be verified against the pinned geth version before merge.

Findings: 2 blocking | 4 non-blocking | 1 posted inline

Blockers

  • Verify the units of geth's eth/tracers/logger.Config.Limit against the pinned dependency (sei-protocol/go-ethereum v1.15.7-sei-17). Codex reports (and historically geth implemented) Limit as a count of retained StructLog entries (len(l.logs) >= cfg.Limit), not bytes. If that holds at this version, the config name MaxTraceStructLogBytes, the doc comments ("in bytes"), and the 256 MiB default are misleading and provide essentially no memory protection (256M entries × hundreds of bytes each = tens of GB), so the PR would not accomplish its stated goal. If verified that this geth version bounds by output bytes (resultSize/logs.Size()), the PR is correct and this resolves to a no-op. I could not verify this in-sandbox (module cache, gh api, and web access were all blocked), so this needs author confirmation. If it is entry-count, fix by either renaming the knob to reflect entries and choosing a sane entry-count default, or by enforcing a true byte cap.
  • 1 blocking issue(s) flagged inline on specific lines.

Non-blocking

  • Behavior change: the default debug_trace* path was previously unlimited and now truncates at the cap. When the struct logger hits its Limit it silently stops appending entries — the trace result is returned incomplete with no error/flag. Tools consuming full opcode traces may now get partial results without indication. Worth a CHANGELOG/release note and possibly surfacing the truncation in the response.
  • Consider an integration-level test that actually exercises a trace exceeding the cap and asserts the output is bounded/truncated end-to-end; current tests only unit-test the clampDefaultStructLogLimit branch logic (which is good but doesn't prove the limit takes effect in a real trace).
  • Cursor's review file (cursor-review.md) was empty — that pass produced no output. Codex contributed the single (High) finding noted above.
  • Nit: int(debugCfg.MaxTraceStructLogBytes) narrows a uint64 to int. On 64-bit nodes (the only supported target) this is fine and the //nolint:gosec is reasonable, but an operator-set value above 2^31 on a 32-bit build would overflow to a negative int and disable the cap. A clamp to math.MaxInt (or documenting 64-bit-only) would be more defensive.

Comment thread evmrpc/config/config.go
MaxConcurrentSimulationCalls: runtime.NumCPU(),
MaxTraceLookbackBlocks: 10000,
TraceTimeout: 30 * time.Second,
MaxTraceStructLogBytes: 256 * 1024 * 1024, // 256 MiB

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[blocker] The 256 MiB default and the MaxTraceStructLogBytes name assume geth's logger.Config.Limit is measured in bytes. Codex flags (and historical geth implements) Limit as a count of StructLog entries (len(l.logs) >= cfg.Limit), not bytes. Please verify against the pinned sei-protocol/go-ethereum v1.15.7-sei-17 source: if OnOpcode/CaptureState compares against len(logs) rather than an output byte size (resultSize/logs.Size()), then this default permits ~256M entries (tens of GB) and the cap does not bound memory as intended — the config would need to either be renamed to reflect entry-count with an appropriate default, or be changed to enforce an actual byte limit. If this geth version does bound by output bytes, disregard — the PR is correct as written. (I could not verify the dependency source in this review environment.)

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — small operational guardrail on debug trace memory with conservative defaults and clear test coverage.

Extended reasoning...

Overview

Adds MaxTraceStructLogBytes (default 256 MiB, 0=unlimited) to evmrpc/config and wires it into DebugAPI via a new clampDefaultStructLogLimit helper invoked by TraceTransaction, TraceBlockByNumber, TraceBlockByHash, and TraceCall. The clamp only affects the default geth struct logger; named/custom tracers are skipped, and the cap only ever tightens — never loosens — a caller-supplied Limit.

Security risks

None of note. This is a memory bound that tightens an existing behavior; it does not touch auth, crypto, consensus, or any external surface. Worst-case it returns a smaller trace than a caller requested, which is the documented intent. Defaults preserve upstream geth behavior when set to 0.

Level of scrutiny

Low. This is operator-facing tunable behind a config flag, with the default selected to be conservative (256 MiB). Verified Config.Limit semantics in the vendored geth (eth/tracers/logger/logger.go:49: "maximum size of output, but zero means unlimited") match the PR — so the "honor smaller caller limit, override 0/larger" logic is correct.

Other factors

Test coverage in tracers_structlog_limit_test.go hits the edges that matter (nil config, nil nested Config, larger caller limit, smaller caller limit, custom-tracer no-op, disabled-cap no-op, nil-safe). Config plumbing follows the established pattern in the file (flag constant, default value, ReadConfig branch, app.toml template snippet, bad-type test). No outstanding reviewer comments to address.

@seidroid seidroid Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The config plumbing, clamp logic, and tests are clean and well-structured, but the feature does not achieve its stated goal: go-ethereum's logger.Config.Limit bounds the number of retained struct-log entries (opcodes), not bytes, so treating it as a byte count means the advertised 256 MiB memory cap is not actually enforced and the OOM this PR targets can still occur.

Findings: 2 blocking | 3 non-blocking | 2 posted inline

Blockers

  • None at the file/PR level.
  • 2 blocking issue(s) flagged inline on specific lines.

Non-blocking

  • int(debugCfg.MaxTraceStructLogBytes) at tracers.go:208 (with //nolint:gosec): a very large operator-configured uint64 (> math.MaxInt, or > MaxInt32 on 32-bit builds) wraps to a negative int, which clampDefaultStructLogLimit then treats as <= 0 and silently disables the cap — the opposite of the operator's intent. Consider clamping to math.MaxInt instead of a raw conversion.
  • Cursor second-opinion review file (cursor-review.md) was empty — no findings were contributed from that pass.
  • Codex's single finding (Limit is an entry count, not bytes) is corroborated here and captured as the primary inline blocker.

Comment thread evmrpc/tracers.go
config.Config = &traceLogger.Config{}
}
if config.Config.Limit <= 0 || config.Config.Limit > api.maxStructLogBytes {
config.Config.Limit = api.maxStructLogBytes

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[blocker] This assigns a byte budget to logger.Config.Limit, but in go-ethereum that field caps the number of retained struct-log entries (one per executed opcode), not bytes — the struct logger compares len(l.logs) against Limit. With the 256 MiB default this becomes Limit = 268,435,456 entries. Since each struct-log entry (PC, op, gas, and optionally stack/memory/storage snapshots) is far larger than one byte, a node would OOM long before accumulating 268M entries, so the intended memory bound is effectively never enforced and the OOM this PR targets can still happen. The cap needs to be expressed in entries with a realistic default (order 10^4–10^6, tuned to the desired memory ceiling), or memory must be bounded some other way — the byte framing does not map onto Limit.

Comment thread evmrpc/config/config.go
// Timeout for each trace call
TraceTimeout time.Duration `mapstructure:"trace_timeout"`

// MaxTraceStructLogBytes bounds the retained struct-logger output (in bytes) for a

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[blocker] The Bytes/"in bytes" naming and documentation are misleading given that this value flows into logger.Config.Limit, which is an entry (opcode) count rather than a byte count (see tracers.go:224). Both the config name (max_trace_struct_log_bytes / MaxTraceStructLogBytes) and the 256 MiB default should be reworked to reflect entry-count semantics, and the default chosen to actually bound memory to the intended ceiling. As written the default provides essentially no protection.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants