EVM 深入解析：从字节码到智能合约执行<\/h1>

1. EVM 概述<\/h2>
EVM（以太坊虚拟机）是以太坊协议的核心组件，负责智能合约的部署和执行。可以将其想象为一台拥有数百万个可执行合约的超级计算机，每个合约都有自己的永久存储空间。<\/p>

1.1 合约编译结构<\/h3>

Solidity代码编译成字节码后，通常分为三部分：<\/p>

Contract Creation Code<\/strong>：合约创建代码<\/li>
Runtime Code<\/strong>：运行时代码<\/li>

Metadata<\/strong>：元数据<\/li> <\/ul>
这些部分之间通常用INVALID<\/code>操作码分隔。当看到CODECOPY-39<\/code>时，通常表示合约的创建部分。<\/p>
2. EVM 核心组件<\/h2> 2.1 堆栈(Stack)<\/h3> EVM使用后进先出(LIFO)的堆栈结构<\/li> 堆栈深度为1024个项，每个项256位(32字节)<\/li> 操作码使用堆栈顶部的元素作为输入<\/li> <\/ul> 2.2 内存(Memory)<\/h3> 可扩展的字节寻址一维数组<\/li> 初始为空，读写和扩展都需要消耗Gas<\/li> 内存成本与使用量成比例上升<\/li> 理论上有\(2^{256}\)<\/span>个元素，但受Gas限制实际使用有限<\/li> 交易结束后内存内容被丢弃<\/li> 大多数内存读取操作以32字节为单位<\/li> <\/ul> 内存扩展Gas成本计算<\/h4> 内存扩展成本计算公式：<\/p> memory_size_word = (memory_byte_size + 31) \/ 32 memory_cost = (memory_size_word ** 2) \/ 512 + (3 * memory_size_word) memory_expansion_cost = new_memory_cost - last_memory_cost <\/code><\/pre> 2.3 存储(Storage)<\/h3> 持久化存储，比内存昂贵得多<\/li> 可视为初始化为零的\(2^{256}\)<\/span>个32字节值的数组<\/li> 智能合约可以在任何位置读写值<\/li> 固定大小值从slot0开始分配<\/li> 动态大小值通过哈希安全定位<\/li> <\/ul> 3. 内存操作<\/h2> 3.1 内存数据结构<\/h3> 简单字节数组，数据可以32字节或1字节存储<\/li> 读取始终以32字节为单位<\/li> 主要操作码： MSTORE(x,y)<\/code>：从内存位置x存储32字节的y<\/li> MLOAD(x)<\/code>：将内存位置x开始的32字节加载到堆栈<\/li> MSTORE8(x,y)<\/code>：将1字节的y存储到位置x<\/li> <\/ul> <\/li> <\/ul> 3.2 空闲内存指针(Free Memory Pointer)<\/h3> 内存布局：<\/p> 0x00-0x3f<\/code> (64字节)：暂存空间<\/li> 0x40-0x5f<\/code> (32字节)：空闲内存指针(初始为0x80)<\/li> 0x60-0x7f<\/code> (32字节)：零槽(不应写入)<\/li> <\/ul> 空闲内存指针更新公式：<\/p> freeMemoryPointer + dataSizeBytes = newFreeMemoryPointer <\/code><\/pre> 初始化代码：<\/p> 60 80 = PUSH1 0x80 60 40 = PUSH1 0x40 52 = MSTORE <\/code><\/pre> 3.3 内存中的数据结构操作<\/h3> 结构体(Struct)<\/h4> struct<\/span> Point<\/span> { <\/span><\/span> uint256<\/span> x; <\/span><\/span> uint32<\/span> y; <\/span><\/span> uint32<\/span> z; <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 读取 <\/span><\/span><\/span><\/span>assembly<\/span> { <\/span><\/span> x :=<\/span> mload<\/span>(0x80<\/span>) <\/span><\/span> y :=<\/span> mload<\/span>(add<\/span>(0x80<\/span>,0x20<\/span>)) <\/span><\/span> z :=<\/span> mload<\/span>(add<\/span>(0xa0<\/span>,0x20<\/span>)) <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 写入 <\/span><\/span><\/span><\/span>assembly { <\/span><\/span> mstore<\/span>(0x80<\/span>,1<\/span>) <\/span><\/span> mstore<\/span>(add<\/span>(0x80<\/span>,0x20<\/span>),2<\/span>) <\/span><\/span> mstore<\/span>(add<\/span>(0xa0<\/span>,0x20<\/span>),3<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>固定大小数组<\/h4> uint32<\/span>[3<\/span>] memory<\/span> arr =<\/span> [uint32<\/span>(1<\/span>), uint32<\/span>(2<\/span>), uint32<\/span>(3<\/span>)]; <\/span><\/span> <\/span><\/span>\/\/ 读取 <\/span><\/span><\/span><\/span>assembly<\/span> { <\/span><\/span> a0 :=<\/span> mload<\/span>(0x80<\/span>) <\/span><\/span> a1 :=<\/span> mload<\/span>(0xa0<\/span>) <\/span><\/span> a2 :=<\/span> mload<\/span>(0xc0<\/span>) <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 写入 <\/span><\/span><\/span><\/span>assembly { <\/span><\/span> mstore<\/span>(arr, 11<\/span>) \/\/ 0x80 <\/span><\/span><\/span><\/span> mstore<\/span>(add<\/span>(arr, 0x20<\/span>), 22<\/span>) \/\/ 0xa0 <\/span><\/span><\/span><\/span> mstore<\/span>(add<\/span>(arr, 0x40<\/span>), 33<\/span>) \/\/ 0xc0 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>动态数组<\/h4> uint256<\/span>[] memory<\/span> arr =<\/span> new<\/span> uint256<\/span>[](5<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 读取 <\/span><\/span><\/span><\/span>assembly<\/span> { <\/span><\/span> p :=<\/span> arr <\/span><\/span> len :=<\/span> mload<\/span>(arr) <\/span><\/span> a0 :=<\/span> mload<\/span>(add<\/span>(arr, 0x20<\/span>)) <\/span><\/span> a1 :=<\/span> mload<\/span>(add<\/span>(arr, 0x40<\/span>)) <\/span><\/span> a2 :=<\/span> mload<\/span>(add<\/span>(arr, 0x60<\/span>)) <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 写入 <\/span><\/span><\/span><\/span>assembly { <\/span><\/span> p :=<\/span> arr <\/span><\/span> mstore<\/span>(arr, 3<\/span>) \/\/ 存储数组长度 <\/span><\/span><\/span><\/span> mstore<\/span>(add<\/span>(arr, 0x20<\/span>), 11<\/span>) <\/span><\/span> mstore<\/span>(add<\/span>(arr, 0x40<\/span>), 22<\/span>) <\/span><\/span> mstore<\/span>(add<\/span>(arr, 0x60<\/span>), 33<\/span>) <\/span><\/span> mstore<\/span>(0x40<\/span>, add<\/span>(arr, 0x80<\/span>)) \/\/ 更新空闲内存指针 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 存储操作<\/h2> 4.1 存储布局规则<\/h3> 不同类型变量的存储位置：<\/p> 类型<\/th> 声明<\/th> 值位置<\/th> <\/tr> <\/thead> 简单变量<\/td> T v<\/code><\/td> v<\/code>的slot<\/td> <\/tr> 固定大小数组<\/td> T[10] v<\/code><\/td> v[n]<\/code>在(v的slot) + n * (T的大小)<\/code><\/td> <\/tr> 动态数组<\/td> T[] v<\/code><\/td> v[n]<\/code>在keccak256(v的slot) + n * (T的大小)<\/code>v.length<\/code>在v的slot<\/code><\/td> <\/tr> 映射<\/td> mapping(T1 => T2) v<\/code><\/td> v[key]<\/code>在keccak256(key . (v的slot))<\/code><\/td> <\/tr> <\/tbody> <\/table> 4.2 槽打包(Slot Packing)<\/h3> Solidity编译器会尝试将多个小类型变量打包到一个32字节的存储槽中。例如：<\/p> contract<\/span> StorageTest<\/span> { <\/span><\/span> uint32<\/span> value1; \/\/ 4 bytes slot0 <\/span><\/span><\/span><\/span> uint32<\/span> value2; \/\/ 4 bytes slot0 <\/span><\/span><\/span><\/span> uint64<\/span> value3; \/\/ 8 bytes slot0 <\/span><\/span><\/span><\/span> uint128<\/span> value4;\/\/ 16 bytes slot0 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>4.3 存储操作码<\/h3> SSTORE<\/code>：从堆栈获取32字节key和32字节value，将value存储到key指定的位置<\/li> SLOAD<\/code>：从堆栈获取32字节key，将key位置的32字节value推送到堆栈<\/li> <\/ul> 5. Calldata<\/h2> Calldata是发送给函数的编码参数，即发送给EVM的数据。每个calldata长度为32字节(64个字符)，分为静态和动态两种类型。<\/p> 5.1 编码<\/h3> 使用abi.encode()<\/code>生成原始调用数据<\/li> 对特定接口函数，使用abi.encodeWithSelector()<\/code><\/li> <\/ul> interface<\/span> A<\/span> { <\/span><\/span> function<\/span> transfer<\/span>(uint256<\/span>[] memory<\/span> ids, address<\/span> to) external<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>contract<\/span> B<\/span> { <\/span><\/span> function<\/span> a<\/span>(uint256<\/span>[] memory<\/span> ids, address<\/span> to) external<\/span> pure<\/span> returns<\/span>(bytes<\/span> memory<\/span>) { <\/span><\/span> return<\/span> abi.encodeWithSelector(A.transfer.selector, ids, to); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2 解码<\/h3> 使用abi.decode()<\/code>解码：<\/p> (uint256<\/span> a, uint256<\/span> b) =<\/span> abi.decode(data, (uint256<\/span>, uint256<\/span>)); <\/span><\/span><\/code><\/pre>5.3 静态变量示例<\/h3> 对于函数transfer(uint256 amount, address to)<\/code>，参数：<\/p> amount: 1300655506<\/li> address: 0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45<\/li> <\/ul> 生成的calldata：<\/p> 0x000000000000000000000000000000000000000000000000000000004d866d9200000000000000000000000068b3465833fb72a70ecdf485e0e4c7bd8665fc45 <\/code><\/pre> 5.4 函数选择器<\/h3> 函数选择器是函数签名keccak256哈希的前4个字节。例如transfer(uint256,address)<\/code>的选择器：<\/p> keccak256("transfer(uint256,address)") → 前4字节为b7760c8f <\/code><\/pre> 完整calldata：<\/p> 0xb7760c8f000000000000000000000000000000000000000000000000000000004d866d9200000000000000000000000068b3465833fb72a70ecdf485e0e4c7bd8665fc45 <\/code><\/pre> 5.5 动态变量<\/h3> 动态变量(如bytes、string、动态数组)的结构：<\/p> 第一个32字节：偏移量(动态数据开始位置)<\/li> 第二个32字节：长度<\/li> 后续：元素<\/li> <\/ol> 例如字符串"Hello World!"的编码：<\/p> 0x0000000000000000000000000000000000000000000000000000000000000020 \/\/ 偏移量32字节 0x000000000000000000000000000000000000000000000000000000000000000c \/\/ 长度12字节 0x48656c6c6f20576f726c64210000000000000000000000000000000000000000 \/\/ 内容"Hello World!" <\/code><\/pre> 6. 参考资料<\/h2> EVM Deep Dives: The Path to Shadowy Super Coder<\/a><\/li> Deconstructing a Solidity Smart Contract<\/a><\/li> <\/ol>

类型<\/th>	声明<\/th>	值位置<\/th> <\/tr> <\/thead>
简单变量<\/td>	`T v<\/code><\/td>`	`v<\/code>的slot<\/td> <\/tr>`
固定大小数组<\/td>	`T[10] v<\/code><\/td>`	`v[n]<\/code>在(v的slot) + n * (T的大小)<\/code><\/td> <\/tr>`
动态数组<\/td>	`T[] v<\/code><\/td>`	`v[n]<\/code>在keccak256(v的slot) + n * (T的大小)<\/code>v.length<\/code>在v的slot<\/code><\/td> <\/tr>`
映射<\/td>	`mapping(T1 => T2) v<\/code><\/td>`	v[key]<\/code>在keccak256(key . (v的slot))<\/code><\/td> <\/tr> <\/tbody> <\/table> 4.2 槽打包(Slot Packing)<\/h3> Solidity编译器会尝试将多个小类型变量打包到一个32字节的存储槽中。例如：<\/p> contract<\/span> StorageTest<\/span> { <\/span><\/span> uint32<\/span> value1; \/\/ 4 bytes slot0 <\/span><\/span><\/span><\/span> uint32<\/span> value2; \/\/ 4 bytes slot0 <\/span><\/span><\/span><\/span> uint64<\/span> value3; \/\/ 8 bytes slot0 <\/span><\/span><\/span><\/span> uint128<\/span> value4;\/\/ 16 bytes slot0 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>4.3 存储操作码<\/h3> SSTORE<\/code>：从堆栈获取32字节key和32字节value，将value存储到key指定的位置<\/li> SLOAD<\/code>：从堆栈获取32字节key，将key位置的32字节value推送到堆栈<\/li> <\/ul> 5. Calldata<\/h2> Calldata是发送给函数的编码参数，即发送给EVM的数据。每个calldata长度为32字节(64个字符)，分为静态和动态两种类型。<\/p> 5.1 编码<\/h3> 使用abi.encode()<\/code>生成原始调用数据<\/li> 对特定接口函数，使用abi.encodeWithSelector()<\/code><\/li> <\/ul> interface<\/span> A<\/span> { <\/span><\/span> function<\/span> transfer<\/span>(uint256<\/span>[] memory<\/span> ids, address<\/span> to) external<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>contract<\/span> B<\/span> { <\/span><\/span> function<\/span> a<\/span>(uint256<\/span>[] memory<\/span> ids, address<\/span> to) external<\/span> pure<\/span> returns<\/span>(bytes<\/span> memory<\/span>) { <\/span><\/span> return<\/span> abi.encodeWithSelector(A.transfer.selector, ids, to); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2 解码<\/h3> 使用abi.decode()<\/code>解码：<\/p> (uint256<\/span> a, uint256<\/span> b) =<\/span> abi.decode(data, (uint256<\/span>, uint256<\/span>)); <\/span><\/span><\/code><\/pre>5.3 静态变量示例<\/h3> 对于函数transfer(uint256 amount, address to)<\/code>，参数：<\/p> amount: 1300655506<\/li> address: 0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45<\/li> <\/ul> 生成的calldata：<\/p> 0x000000000000000000000000000000000000000000000000000000004d866d9200000000000000000000000068b3465833fb72a70ecdf485e0e4c7bd8665fc45 <\/code><\/pre> 5.4 函数选择器<\/h3> 函数选择器是函数签名keccak256哈希的前4个字节。例如transfer(uint256,address)<\/code>的选择器：<\/p> keccak256("transfer(uint256,address)") → 前4字节为b7760c8f <\/code><\/pre> 完整calldata：<\/p> 0xb7760c8f000000000000000000000000000000000000000000000000000000004d866d9200000000000000000000000068b3465833fb72a70ecdf485e0e4c7bd8665fc45 <\/code><\/pre> 5.5 动态变量<\/h3> 动态变量(如bytes、string、动态数组)的结构：<\/p> 第一个32字节：偏移量(动态数据开始位置)<\/li> 第二个32字节：长度<\/li> 后续：元素<\/li> <\/ol> 例如字符串"Hello World!"的编码：<\/p> 0x0000000000000000000000000000000000000000000000000000000000000020 \/\/ 偏移量32字节 0x000000000000000000000000000000000000000000000000000000000000000c \/\/ 长度12字节 0x48656c6c6f20576f726c64210000000000000000000000000000000000000000 \/\/ 内容"Hello World!" <\/code><\/pre> 6. 参考资料<\/h2> EVM Deep Dives: The Path to Shadowy Super Coder<\/a><\/li> Deconstructing a Solidity Smart Contract<\/a><\/li> <\/ol>

EVM 深入解析：从字节码到智能合约执行<\/h1>

1. EVM 概述<\/h2> EVM（以太坊虚拟机）是以太坊协议的核心组件，负责智能合约的部署和执行。可以将其想象为一台拥有数百万个可执行合约的超级计算机，每个合约都有自己的永久存储空间。<\/p>

3. 内存操作<\/h2>

3.3 内存中的数据结构操作<\/h3>

4. 存储操作<\/h2>

5. Calldata<\/h2> Calldata是发送给函数的编码参数，即发送给EVM的数据。每个calldata长度为32字节(64个字符)，分为静态和动态两种类型。<\/p>

6. 参考资料<\/h2> EVM Deep Dives: The Path to Shadowy Super Coder<\/a><\/li> Deconstructing a Solidity Smart Contract<\/a><\/li> <\/ol>

1. EVM 概述<\/h2>
EVM（以太坊虚拟机）是以太坊协议的核心组件，负责智能合约的部署和执行。可以将其想象为一台拥有数百万个可执行合约的超级计算机，每个合约都有自己的永久存储空间。<\/p>

5. Calldata<\/h2>
Calldata是发送给函数的编码参数，即发送给EVM的数据。每个calldata长度为32字节(64个字符)，分为静态和动态两种类型。<\/p>

6. 参考资料<\/h2>

EVM Deep Dives: The Path to Shadowy Super Coder<\/a><\/li>
Deconstructing a Solidity Smart Contract<\/a><\/li> <\/ol>