fix(vm): harden constant call timeout deadline

yanghang8612 · yanghang8612 · commit 057bf4e21705 · 2026-05-09T10:45:03.000+08:00
diff --git a/actuator/src/main/java/org/tron/core/actuator/VMActuator.java b/actuator/src/main/java/org/tron/core/actuator/VMActuator.java
@@ -398,13 +398,9 @@ private void create()
       byte[] ops = newSmartContract.getBytecode().toByteArray();
       rootInternalTx = new InternalTransaction(trx, trxType);
 
-      long maxCpuTimeOfOneTx = rootRepository.getDynamicPropertiesStore()
-          .getMaxCpuTimeOfOneTx() * VMConstant.ONE_THOUSAND;
-      long thisTxCPULimitInUs = (long) (maxCpuTimeOfOneTx * getCpuLimitInUsRatio());
-      long constantCallTimeoutMs = CommonParameter.getInstance().getConstantCallTimeoutMs();
-      if (isConstantCall && constantCallTimeoutMs > 0L) {
-        thisTxCPULimitInUs = constantCallTimeoutMs * VMConstant.ONE_THOUSAND;
-      }
+      long thisTxCPULimitInUs = calculateCpuLimitInUs(isConstantCall,
+          rootRepository.getDynamicPropertiesStore().getMaxCpuTimeOfOneTx(),
+          getCpuLimitInUsRatio(), CommonParameter.getInstance().getConstantCallTimeoutMs());
       long vmStartInUs = System.nanoTime() / VMConstant.ONE_THOUSAND;
       long vmShouldEndInUs = vmStartInUs + thisTxCPULimitInUs;
       ProgramInvoke programInvoke = ProgramInvokeFactory
@@ -516,13 +512,9 @@ private void call()
         energyLimit = getTotalEnergyLimit(creator, caller, contract, feeLimit, callValue);
       }
 
-      long maxCpuTimeOfOneTx = rootRepository.getDynamicPropertiesStore()
-          .getMaxCpuTimeOfOneTx() * VMConstant.ONE_THOUSAND;
-      long thisTxCPULimitInUs = (long) (maxCpuTimeOfOneTx * getCpuLimitInUsRatio());
-      long constantCallTimeoutMs = CommonParameter.getInstance().getConstantCallTimeoutMs();
-      if (isConstantCall && constantCallTimeoutMs > 0L) {
-        thisTxCPULimitInUs = constantCallTimeoutMs * VMConstant.ONE_THOUSAND;
-      }
+      long thisTxCPULimitInUs = calculateCpuLimitInUs(isConstantCall,
+          rootRepository.getDynamicPropertiesStore().getMaxCpuTimeOfOneTx(),
+          getCpuLimitInUsRatio(), CommonParameter.getInstance().getConstantCallTimeoutMs());
       long vmStartInUs = System.nanoTime() / VMConstant.ONE_THOUSAND;
       long vmShouldEndInUs = vmStartInUs + thisTxCPULimitInUs;
       ProgramInvoke programInvoke = ProgramInvokeFactory
@@ -699,6 +691,14 @@ private double getCpuLimitInUsRatio() {
     return cpuLimitRatio;
   }
 
+  static long calculateCpuLimitInUs(boolean isConstantCall, long maxCpuTimeOfOneTxMs,
+      double cpuLimitInUsRatio, long constantCallTimeoutMs) {
+    if (isConstantCall && constantCallTimeoutMs > 0L) {
+      return constantCallTimeoutMs * VMConstant.ONE_THOUSAND;
+    }
+    return (long) (maxCpuTimeOfOneTxMs * VMConstant.ONE_THOUSAND * cpuLimitInUsRatio);
+  }
+
   public long getTotalEnergyLimitWithFixRatio(AccountCapsule creator, AccountCapsule caller,
       TriggerSmartContract contract, long feeLimit, long callValue)
       throws ContractValidateException {
diff --git a/actuator/src/test/java/org/tron/core/actuator/VMActuatorTest.java b/actuator/src/test/java/org/tron/core/actuator/VMActuatorTest.java
@@ -0,0 +1,23 @@
+package org.tron.core.actuator;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+
+public class VMActuatorTest {
+
+  @Test
+  public void testConstantCallUsesConfiguredTimeoutVerbatim() {
+    assertEquals(123_000L, VMActuator.calculateCpuLimitInUs(true, 80L, 5.0, 123L));
+  }
+
+  @Test
+  public void testConstantCallWithoutConfiguredTimeoutUsesNetworkDeadline() {
+    assertEquals(400_000L, VMActuator.calculateCpuLimitInUs(true, 80L, 5.0, 0L));
+  }
+
+  @Test
+  public void testNonConstantCallIgnoresConfiguredTimeout() {
+    assertEquals(400_000L, VMActuator.calculateCpuLimitInUs(false, 80L, 5.0, 123L));
+  }
+}
diff --git a/common/src/main/java/org/tron/common/parameter/CommonParameter.java b/common/src/main/java/org/tron/common/parameter/CommonParameter.java
@@ -64,8 +64,8 @@ public class CommonParameter {
    * functions, estimateenergy, eth_call, eth_estimateGas, and any other
    * RPC routed through Wallet#callConstantContract. 0 = use the same
    * deadline as block processing (current behaviour). When operators set
-   * this in config the value must be positive; validated at config-load
-   * in VmConfig.
+   * this in config the value must be positive and fit VM deadline conversion;
+   * validated at config-load in VmConfig.
    */
   @Getter
   @Setter
diff --git a/common/src/main/java/org/tron/core/config/args/VmConfig.java b/common/src/main/java/org/tron/core/config/args/VmConfig.java
@@ -9,14 +9,16 @@
 
 /**
  * VM configuration bean. Field names match config.conf keys under the "vm" section.
- * Bound automatically via ConfigBeanFactory — no manual key constants needed.
+ * Most fields are bound automatically via ConfigBeanFactory; opt-in fields that
+ * must stay absent from reference.conf are bound manually after hasPath checks.
  */
 @Slf4j
 @Getter
 @Setter
 public class VmConfig {
 
   private static final String CONSTANT_CALL_TIMEOUT_MS_KEY = "constantCallTimeoutMs";
+  static final long MAX_CONSTANT_CALL_TIMEOUT_MS = Long.MAX_VALUE / 1_000L;
 
   private boolean supportConstant = false;
   private long maxEnergyLimitForConstant = 100_000_000L;
@@ -71,13 +73,19 @@ private void postProcess(Config vmSection) {
 
     // constantCallTimeoutMs is excluded from ConfigBeanFactory binding (no
     // setter) and intentionally absent from reference.conf, so hasPath alone
-    // tells us whether the operator opted in. Only positive values are valid.
+    // tells us whether the operator opted in. Only positive values that can be
+    // safely converted to microseconds are valid.
     if (vmSection.hasPath(CONSTANT_CALL_TIMEOUT_MS_KEY)) {
       long value = vmSection.getLong(CONSTANT_CALL_TIMEOUT_MS_KEY);
       if (value <= 0L) {
         throw new IllegalArgumentException(
             "vm.constantCallTimeoutMs must be > 0 when configured, got " + value);
       }
+      if (value > MAX_CONSTANT_CALL_TIMEOUT_MS) {
+        throw new IllegalArgumentException(
+            "vm.constantCallTimeoutMs must be <= " + MAX_CONSTANT_CALL_TIMEOUT_MS
+                + " to fit VM deadline conversion, got " + value);
+      }
       constantCallTimeoutMs = value;
     }
   }
diff --git a/common/src/test/java/org/tron/core/config/args/VmConfigTest.java b/common/src/test/java/org/tron/core/config/args/VmConfigTest.java
@@ -91,9 +91,10 @@ public void testEstimateEnergyMaxRetryBoundaryValues() {
 
   // ===========================================================================
   // Constant-call timeout (issue #6681). The validation rule: any positive
-  // value is accepted, but zero/negative is rejected ONLY when the operator
-  // explicitly set the property in their config. Absence keeps the in-Java
-  // default (0L = "share the block-processing deadline").
+  // value that fits VM deadline conversion is accepted, but zero/negative is
+  // rejected ONLY when the operator explicitly set the property in their
+  // config. Absence keeps the in-Java default (0L = "share the
+  // block-processing deadline").
   // ===========================================================================
 
   @Test
@@ -139,4 +140,16 @@ public void testConstantCallTimeoutNegativeRejected() {
           ex.getMessage().contains("constantCallTimeoutMs"));
     }
   }
+
+  @Test
+  public void testConstantCallTimeoutOverflowRejected() {
+    long value = VmConfig.MAX_CONSTANT_CALL_TIMEOUT_MS + 1L;
+    try {
+      VmConfig.fromConfig(withRef("vm { constantCallTimeoutMs = " + value + " }"));
+      org.junit.Assert.fail("expected IllegalArgumentException for overflowing ms");
+    } catch (IllegalArgumentException ex) {
+      org.junit.Assert.assertTrue(ex.getMessage(),
+          ex.getMessage().contains("deadline conversion"));
+    }
+  }
 }
diff --git a/framework/src/main/resources/config.conf b/framework/src/main/resources/config.conf
@@ -715,12 +715,12 @@ vm = {
   # triggerconstantcontract, triggersmartcontract dispatched to view/pure
   # functions, estimateenergy, eth_call, eth_estimateGas, and any other RPC
   # routed through the constant-call path. When set, must be a positive
-  # integer and is used verbatim as the per-call deadline (no clamp against
-  # the network's maxCpuTimeOfOneTx). Omit the property entirely to keep the
-  # default behaviour of sharing the block-processing deadline. Migration
-  # note: if previously running --debug to extend constant calls, switch to
-  # this option (--debug also extends block-processing, which is unsafe; see
-  # issue #6266).
+  # integer that fits VM deadline conversion and is used verbatim as the
+  # per-call deadline (no clamp against the network's maxCpuTimeOfOneTx).
+  # Omit the property entirely to keep the default behaviour of sharing the
+  # block-processing deadline. Migration note: if previously running --debug
+  # to extend constant calls, switch to this option (--debug also extends
+  # block-processing, which is unsafe; see issue #6266).
   # constantCallTimeoutMs = 100
 }
 
