fix: harden ABI parser bounds and revert reason decoding

[0xbigapple]

What does this PR do?

This PR hardens ABI decoding for malformed dynamic data in both contract event parsing and JSON-RPC revert reason handling.

It:

• rejects negative or out-of-bounds ABI offsets and lengths in ContractEventParser
• rejects negative dynamic lengths instead of treating them as empty values
• extracts shared revert error handling used by both eth_call and eth_estimateGas
• adds focused tests for parser bounds checks and revert reason decoding
• adds tryDecodeRevertReason to centralize duplicated revert error handling used by eth_call and eth_estimateGas

Why are these changes required?

Previously, malformed ABI payloads could:

• reach subBytes() with invalid offsets or oversized lengths
• treat negative dynamic lengths as empty string / bytes
• affect event handling and revert reason decoding in eth_call and eth_estimateGas

This PR has been tested by:

• Unit Tests
  • :framework:test --tests org.tron.common.logsfilter.EventParserTest
  • :framework:test --tests org.tron.core.services.jsonrpc.TronJsonRpcRevertReasonTest
• Manual Testing
  • deployed a test contract to a local private chain
  • verified malformed revert payloads through eth_call
  • verified malformed revert payloads through eth_estimateGas
  • verified malformed event payloads through emitted logs

Follow up

Extra details

---

Summary by cubic

Strengthens ABI parsing bounds and revert reason decoding. Adds tests to cover all parseDataBytes type branches and revert parsing used by eth_call and eth_estimateGas.

• Bug Fixes

  • Hardened ContractEventParser: reject empty sources; out-of-range/negative offsets and lengths; prevent truncation in subBytes; reject negative dynamic lengths; decode string with UTF-8.
  • Safer revert reasons: only parse Error(string) selector, ignore short/malformed data, and cap payload at 4KB.

• Refactors

  • Added TronJsonRpcImpl.tryDecodeRevertReason and used in eth_call and eth_estimateGas.
  • Added unit tests for parseDataBytes (all types), revert reason limits, and JSON-RPC error paths.

^{Written for commit 17e9cc2. Summary will update on new commits.}

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Improved contract event parsing with enhanced validation and bounds checking for safer data extraction.
  • Contract call failures now display revert reason messages in error responses when available.
  • Fixed string decoding to use UTF-8 encoding consistently.

• Tests

  • Added comprehensive test coverage for contract event parsing and RPC error handling scenarios.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR enhances error handling and safety in contract event parsing and JSON-RPC execution. Changes include UTF-8 charset enforcement for string decoding, strengthened length validation with explicit exception throwing, refined byte-slicing bounds checking, revert reason extraction with payload size limits, and comprehensive test coverage for both features.

Changes

Cohort / File(s)	Summary
Event Parsing Logic framework/src/main/java/org/tron/common/logsfilter/ContractEventParser.java	Enforces UTF-8 charset when decoding strings, adds explicit negative-length validation, and refines subBytes() bounds checking to validate start/length parameters and throw OutputLengthException with diagnostic details.
Event Parsing Tests framework/src/test/java/org/tron/common/logsfilter/EventParserTest.java	New test cases validating subBytes() rejection of oversized/negative/empty inputs and parseDataBytes() handling of malformed ABI payloads (negative offsets/lengths, oversized strings).
Revert Reason Decoding framework/src/main/java/org/tron/core/services/jsonrpc/TronJsonRpcImpl.java	Adds tryDecodeRevertReason() static method to safely decode Error(string) revert reasons from contract execution results with payload size enforcement; integrates decoding into call() and estimateGas() error messages.
Revert Reason Tests framework/src/test/java/org/tron/core/services/jsonrpc/TronJsonRpcRevertReasonTest.java	Validates tryDecodeRevertReason() against malformed/oversized payloads, null inputs, short selectors, and non-Error selectors; confirms successful decoding of valid ABI data and payload-limit boundaries.
JSON-RPC Integration Tests framework/src/test/java/org/tron/core/jsonrpc/JsonRpcCallAndEstimateGasTest.java	Comprehensive test suite verifying call() and estimateGas() append revert reasons appropriately, skip non-Error selectors/short data, and return correct energy/result values under mocked contract execution scenarios.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Bounds now checked with careful pride,
UTF-8 leads where strings reside,
Revert reasons safely decoded true,
Tests ensure each path rings through,
A safer hop for every view! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.26% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'fix: harden ABI parser bounds and revert reason decoding' accurately and concisely summarizes the main changes across all modified files: strengthening ABI parser validation and improving revert reason decoding safety.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/abi-bounds-checks

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 4 files

[Copilot]

Pull request overview

This PR hardens ABI decoding against malformed dynamic offsets/lengths in the contract event parser and makes JSON-RPC revert reason handling safer and shared between eth_call and eth_estimateGas.

Changes:

• Tighten ContractEventParser.subBytes() bounds checks and reject negative dynamic lengths during ABI decoding.
• Extract revert reason decoding into TronJsonRpcImpl.tryDecodeRevertReason() and reuse it in eth_call/eth_estimateGas.
• Add unit tests covering malformed ABI payloads for both event parsing and revert reason decoding.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
framework/src/main/java/org/tron/common/logsfilter/ContractEventParser.java	Adds stricter bounds checks and rejects negative lengths in dynamic ABI decoding.
framework/src/main/java/org/tron/core/services/jsonrpc/TronJsonRpcImpl.java	Introduces shared tryDecodeRevertReason() and applies it to JSON-RPC failure paths.
framework/src/test/java/org/tron/common/logsfilter/EventParserTest.java	Adds focused tests for subBytes() bounds and negative/malicious ABI fields.
framework/src/test/java/org/tron/core/services/jsonrpc/TronJsonRpcRevertReasonTest.java	Adds tests ensuring revert reason decoding fails closed on malicious ABI lengths and succeeds on valid input.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[0xbigapple]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.