feat(bal): fix EIP-7928 BAL tracking for 7702 delegation OOG boundaries

Split the CALL instruction OOG check into two stages to match EELS:
1. If remaining < call_cost_no_delegation: untrack target (oog_before_target_access)
2. If remaining < base_cost (includes delegation): halt OOG without untracking target
   (oog_after_target_access and oog_success_minus_1 — target IS in BAL, delegation NOT)

Also add unconditional untrackAddress for OOG in EXTCODECOPY and CALL-type
opcodes when gas is exhausted before the target is accessed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Gabriel-Trintinalia

src/database/main.zig

@@ -253,6 +253,10 @@ pub const FallbackFns = struct {
     /// lightweight hook lets the fallback (e.g. WitnessDatabase) record the access for
     /// EIP-7928 BAL tracking without performing MPT verification.
     notify_storage_read: ?*const fn (*anyopaque, primitives.Address, primitives.StorageKey) void = null,
+    /// Returns true if the address was committed to the permanent access log.
+    /// Used by BaTracker to distinguish legitimately-accessed nonexistent accounts
+    /// from those only loaded for OOG gas calculation.
+    is_tracked_address: ?*const fn (*anyopaque, primitives.Address) bool = null,
 };
 
 /// In-memory database implementation.
@@ -263,6 +267,10 @@ pub const InMemoryDB = struct {
     block_hashes: std.AutoHashMap(u64, primitives.Hash),
     /// Optional fallback: called on cache miss for account/storage/code/blockHash.
     fallback: ?FallbackFns = null,
+    /// Addresses that were explicitly OOG-untracked via untrackAddress().
+    /// Used by BaTracker.computeHash() to exclude CALL gas-calc phantoms from the BAL.
+    /// Populated by untrackAddress(); never cleared between transactions (block-scoped).
+    oog_addresses: std.AutoHashMap(primitives.Address, void),
 
     const Self = @This();
 
@@ -272,6 +280,7 @@ pub const InMemoryDB = struct {
             .code = std.AutoHashMap(primitives.Hash, bytecode.Bytecode).init(allocator),
             .storage_map = std.HashMap(struct { primitives.Address, primitives.StorageKey }, primitives.StorageValue, StorageKeyContext, std.hash_map.default_max_load_percentage).init(allocator),
             .block_hashes = std.AutoHashMap(u64, primitives.Hash).init(allocator),
+            .oog_addresses = std.AutoHashMap(primitives.Address, void).init(allocator),
         };
     }
 
@@ -280,6 +289,7 @@ pub const InMemoryDB = struct {
         self.code.deinit();
         self.storage_map.deinit();
         self.block_hashes.deinit();
+        self.oog_addresses.deinit();
     }
 
     pub fn basic(self: *Self, address: primitives.Address) !?state.AccountInfo {
@@ -339,12 +349,20 @@ pub const InMemoryDB = struct {
         if (self.fallback) |fb| if (fb.revert_frame) |f| f(fb.ctx);
     }
 
-    /// Un-record a pending address access in the fallback.
+    /// Un-record a pending address access.
     /// Called when a CALL loaded an address for gas calculation but then went OOG.
+    /// Marks the address as an OOG phantom so BaTracker can exclude it from the BAL.
     pub fn untrackAddress(self: *Self, address: primitives.Address) void {
+        self.oog_addresses.put(address, {}) catch {};
         if (self.fallback) |fb| if (fb.untrack_address) |f| f(fb.ctx, address);
     }
 
+    /// Returns true if the address was OOG-untracked (loaded only for CALL gas calculation).
+    /// Used by BaTracker.computeHash() to exclude phantom accounts from the BAL.
+    pub fn isOogAddress(self: *const Self, address: primitives.Address) bool {
+        return self.oog_addresses.contains(address);
+    }
+
     /// Force-add an address to the current-tx access log regardless of witness state.
     /// Called for EIP-7702 delegation targets that execute but are not in the witness.
     pub fn forceTrackAddress(self: *Self, address: primitives.Address) void {
@@ -365,6 +383,14 @@ pub const InMemoryDB = struct {
         if (self.fallback) |fb| if (fb.notify_storage_read) |f| f(fb.ctx, address, slot);
     }
 
+    /// Returns true if the address was committed to the permanent access log in the fallback.
+    /// Used by BaTracker to distinguish legitimately-accessed nonexistent accounts
+    /// from those only loaded for OOG gas calculation.
+    pub fn isTrackedAddress(self: *Self, address: primitives.Address) bool {
+        if (self.fallback) |fb| if (fb.is_tracked_address) |f| return f(fb.ctx, address);
+        return false;
+    }
+
     pub fn basicRef(self: Self, address: primitives.Address) !?state.AccountInfo {
         return self.accounts.get(address);
     }

src/interpreter/opcodes/call.zig

@@ -144,11 +144,7 @@ fn callImpl(
         }
     }
 
-    // Determine warm/cold access for target address (code source).
-    // Record whether the address was already in the EVM state cache BEFORE this load.
-    // If not already loaded and the full base_cost check later fails (OOG), we untrack
-    // the address — it was loaded only for gas calculation, not for actual execution.
-    const target_already_loaded = h.isAddressLoaded(target_addr);
+    // Load target account info to determine warm/cold access and whether the account exists.
     const acct_info = h.accountInfo(target_addr);
     const is_cold = if (acct_info) |info| info.is_cold else pre_is_cold;
     const transfers_value = has_value and value > 0;
@@ -175,18 +171,21 @@ fn callImpl(
     }
 
     // Base call cost (warm/cold + value transfer + new account + EIP-7702 delegation target access)
-    const base_cost = gas_costs.getCallGasCost(spec, is_cold, transfers_value, account_exists) + delegation_gas;
+    const call_cost_no_delegation = gas_costs.getCallGasCost(spec, is_cold, transfers_value, account_exists);
+    const base_cost = call_cost_no_delegation + delegation_gas;
 
     // Determine forwarded gas (EIP-150 introduces 63/64 rule; pre-EIP-150 uses all remaining).
     const remaining = ctx.interpreter.gas.remaining;
+    if (remaining < call_cost_no_delegation) {
+        // OOG before the target was "accessed" in EIP-7928 terms (can't pay transfer/new-account).
+        // Per EELS: target is not yet in accessed_addresses at this point → untrack it.
+        h.untrackAddress(target_addr);
+        ctx.interpreter.halt(.out_of_gas);
+        return;
+    }
     if (remaining < base_cost) {
-        // The CALL goes OOG before executing. Un-track the target only when it was
-        // loaded purely for new_account_cost gas estimation (non-existing account with
-        // value transfer). Existing accounts (including 7702 sources with delegation_gas
-        // in base_cost) remain in the BAL — they were genuinely accessed.
-        if (!target_already_loaded and transfers_value and !account_exists) {
-            h.untrackAddress(target_addr);
-        }
+        // OOG after target access but before delegation (oog_after_target_access /
+        // oog_success_minus_1). Per EELS second check_gas: target IS in BAL, delegation NOT loaded.
         ctx.interpreter.halt(.out_of_gas);
         return;
     }

src/interpreter/opcodes/host_ops.zig

@@ -191,25 +191,29 @@ pub fn opExtcodecopy(ctx: *InstructionContext) void {
     if (size == 0) return;
 
     if (mem_off > std.math.maxInt(usize) or size > std.math.maxInt(usize)) {
+        h.untrackAddress(addr);
         ctx.interpreter.halt(.memory_limit_oog);
         return;
     }
 
     const mem_off_u: usize = @intCast(mem_off);
     const size_u: usize = @intCast(size);
     const new_size = std.math.add(usize, mem_off_u, size_u) catch {
+        h.untrackAddress(addr);
         ctx.interpreter.halt(.memory_limit_oog);
         return;
     };
 
     // Dynamic: copy cost — use divCeil to avoid (size + 31) overflow when size = maxInt(usize)
     const num_words = std.math.divCeil(usize, size_u, 32) catch unreachable;
     if (!ctx.interpreter.gas.spend(gas_costs.G_COPY * @as(u64, @intCast(num_words)))) {
+        h.untrackAddress(addr);
         ctx.interpreter.halt(.out_of_gas);
         return;
     }
 
     if (!expandMemory(ctx, new_size)) {
+        h.untrackAddress(addr);
         ctx.interpreter.halt(.out_of_gas);
         return;
     }