starknet_os_flow_tests,blockifier_test_utils: add secp256r1 zero-x-point OS flow test

Yoni-Starkware · claude · Yoni-Starkware · commit 44a1128bd356 · 2026-06-11T11:15:00.000+03:00
Add an OS flow test exercising the secp256r1 affine point with x == 0 (which exists on secp256r1 but
not secp256k1) through three txs in one flow: add(x==0, generator), mul(x==0, 3), and a mul whose
scalar-mul precompute table reaches that point as an intermediate (2 * P/2). Each tx checks the EC
result in the contract, exercising the OS handling of the x == 0 point end-to-end.

Adds test_add_secp256r1_checked and test_mul_point_secp256r1_checked entry points to the cairo1 test
feature contract. Growing TestContract shifts two size-dependent expectations, updated here: the
bouncer migration-gas expects and the V2 compiled-class-hash estimation margin (350 -&gt; 400; the
estimate's per-entry-point/segment overhead slightly under-counts, proportional to size).

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/crates/blockifier/src/bouncer_test.rs b/crates/blockifier/src/bouncer_test.rs
@@ -843,11 +843,11 @@ fn class_hash_migration_data_from_state(
 
     if should_migrate {
         expect![[r#"
-            107086865
+            111498104
         "#]]
         .assert_debug_eq(&migration_sierra_gas.0);
         expect![[r#"
-            231505645
+            241253787
         "#]]
         .assert_debug_eq(&migration_proving_gas.0);
     } else {
diff --git a/crates/blockifier_test_utils/resources/feature_contracts/cairo1/test_contract.cairo b/crates/blockifier_test_utils/resources/feature_contracts/cairo1/test_contract.cairo
@@ -24,8 +24,11 @@ mod TestContract {
     use starknet::info::v2::{ExecutionInfo, ResourceBounds, TxInfo as TxInfoV2};
     use starknet::info::v3::TxInfo as TxInfoV3;
     use starknet::info::{BlockInfo, SyscallResultTrait, get_contract_address};
-    use starknet::secp256_trait::{Signature, is_valid_signature};
-    use starknet::secp256r1::{Secp256r1Impl, Secp256r1Point};
+    use starknet::secp256_trait::{Secp256Trait, Signature, is_valid_signature};
+    use starknet::secp256r1::{
+        Secp256r1Impl, Secp256r1Point, secp256r1_add_syscall, secp256r1_get_xy_syscall,
+        secp256r1_mul_syscall, secp256r1_new_syscall,
+    };
     use starknet::storage_access::{
         storage_address_from_base_and_offset, storage_base_address_from_felt252,
     };
@@ -974,6 +977,34 @@ mod TestContract {
         starknet::secp256r1::secp256r1_mul_syscall(p: generator, :scalar).unwrap_syscall();
     }
 
+    // Adds (x, y) to the generator and asserts the result equals (expected_x, expected_y).
+    #[external(v0)]
+    fn test_add_secp256r1_checked(
+        ref self: ContractState, x: u256, y: u256, expected_x: u256, expected_y: u256,
+    ) {
+        let p0 = secp256r1_new_syscall(x, y).unwrap_syscall().unwrap();
+        let generator = Secp256Trait::get_generator_point();
+        let sum = secp256r1_add_syscall(p0, p1: generator).unwrap_syscall();
+        let (rx, ry) = secp256r1_get_xy_syscall(sum).unwrap_syscall();
+        assert(rx == expected_x && ry == expected_y, 'unexpected add result');
+    }
+
+    // Multiplies (x, y) by scalar and asserts the result equals (expected_x, expected_y).
+    #[external(v0)]
+    fn test_mul_point_secp256r1_checked(
+        ref self: ContractState,
+        x: u256,
+        y: u256,
+        scalar: u256,
+        expected_x: u256,
+        expected_y: u256,
+    ) {
+        let p = secp256r1_new_syscall(x, y).unwrap_syscall().unwrap();
+        let prod = secp256r1_mul_syscall(:p, :scalar).unwrap_syscall();
+        let (rx, ry) = secp256r1_get_xy_syscall(prod).unwrap_syscall();
+        assert(rx == expected_x && ry == expected_y, 'unexpected mul result');
+    }
+
     /// Returns a golden valid message hash and its signature, for testing.
     fn get_message_and_secp256r1_signature() -> (u256, Signature, u256, u256, EthAddress) {
         let msg_hash = 0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855;
diff --git a/crates/starknet_os/src/hints/hint_implementation/compiled_class/compiled_class_test.rs b/crates/starknet_os/src/hints/hint_implementation/compiled_class/compiled_class_test.rs
@@ -77,11 +77,12 @@ const EXPECTED_BUILTIN_USAGE_PARTIAL_CONTRACT_V2_HASH: expect_test::Expect =
     expect!["range_check_builtin: 581"];
 const EXPECTED_N_STEPS_PARTIAL_CONTRACT_V2_HASH: Expect = expect!["23616"];
 // Allowed margin between estimated and actual execution resources.
-// Larger than strictly needed (max observed margin is ~325 on `test_contract`) so adding new
+// Larger than strictly needed (max observed margin is ~370 on `test_contract`) so adding new
 // feature contracts doesn't immediately bust the budget. The residual gap comes from non-Blake
-// constants in `casm_hash_estimation` (entry-point / segment overheads); the Blake step formula
-// itself is exact for every input checked in `blake2s_test`.
-const ALLOWED_MARGIN_BLAKE_N_STEPS: usize = 350;
+// constants in `casm_hash_estimation` (entry-point / segment overheads that slightly under-count,
+// proportional to the number of entry points and segments); the Blake step formula itself is exact
+// for every input checked in `blake2s_test`.
+const ALLOWED_MARGIN_BLAKE_N_STEPS: usize = 400;
 const ALLOWED_MARGIN_BLAKE_OPCODE_COUNT: usize = 4;
 
 const CLASS_HASH_WITH_SEGMENTATION: &str =
diff --git a/crates/starknet_os_flow_tests/src/tests.rs b/crates/starknet_os_flow_tests/src/tests.rs
@@ -1721,6 +1721,82 @@ async fn test_new_syscalls_flow(#[case] use_kzg_da: bool, #[case] n_blocks_in_mu
     ));
 }
 
+/// Runs three secp256r1 operations involving the affine point with x == 0 (which exists on
+/// secp256r1 but not secp256k1) as txs in a single flow, then runs the OS. Each contract entry
+/// point asserts the correct result, so this exercises the OS handling of the x == 0 point
+/// end-to-end (it previously mishandled the point; see the per-tx comments). The u256 (low, high)
+/// limb pairs are the inputs followed by the expected result.
+#[tokio::test]
+async fn test_secp256r1_zero_x_point_handling() {
+    let test_contract = FeatureContract::TestContract(CairoVersion::Cairo1(RunnableCairo1::Casm));
+    let (mut test_builder, [main_contract_address]) = TestBuilder::create_standard([(
+        test_contract,
+        default_test_contract_constructor_calldata(),
+    )])
+    .await;
+
+    // add(x == 0 point, generator).
+    test_builder.add_funded_account_invoke(invoke_tx_args! {
+        calldata: create_calldata(
+            main_contract_address,
+            "test_add_secp256r1_checked",
+            &[
+                Felt::ZERO,
+                Felt::ZERO,
+                Felt::from_hex_unchecked("0x541c2af31dae871728bf856a174f93f4"),
+                Felt::from_hex_unchecked("0x66485c780e2f83d72433bd5d84a06bb6"),
+                Felt::from_hex_unchecked("0x309d479ae02982a3a0c135a210379e6f"),
+                Felt::from_hex_unchecked("0x00486efab89170d45f6160cbc7d034a9"),
+                Felt::from_hex_unchecked("0xbe0766825f92a0794540ee7970f48bb9"),
+                Felt::from_hex_unchecked("0x651969b753803a6019cec6e6877a0ff8"),
+            ],
+        ),
+    });
+
+    // mul(x == 0 point, 3).
+    test_builder.add_funded_account_invoke(invoke_tx_args! {
+        calldata: create_calldata(
+            main_contract_address,
+            "test_mul_point_secp256r1_checked",
+            &[
+                Felt::ZERO,
+                Felt::ZERO,
+                Felt::from_hex_unchecked("0x541c2af31dae871728bf856a174f93f4"),
+                Felt::from_hex_unchecked("0x66485c780e2f83d72433bd5d84a06bb6"),
+                Felt::from(3_u8),
+                Felt::ZERO,
+                Felt::from_hex_unchecked("0x1e1338620020b5febb703b78a52557b1"),
+                Felt::from_hex_unchecked("0x4edb2f8a9b1b9d31dc704c71e17cd2d5"),
+                Felt::from_hex_unchecked("0x149ce1aa9aee2f11be92df6e405c55b8"),
+                Felt::from_hex_unchecked("0x9f6c246d01e73176c7318a8b17bd3ca2"),
+            ],
+        ),
+    });
+
+    // mul(P/2, 3), where 2 * (P/2) == the x == 0 point: it appears mid-computation as the
+    // scalar-mul precompute entry table[2].
+    test_builder.add_funded_account_invoke(invoke_tx_args! {
+        calldata: create_calldata(
+            main_contract_address,
+            "test_mul_point_secp256r1_checked",
+            &[
+                Felt::from_hex_unchecked("0x278e28febff3b05632eeff09011c5579"),
+                Felt::from_hex_unchecked("0x81bfb55b010b1bdf08b8d9d8590087aa"),
+                Felt::from_hex_unchecked("0x50799b354b0fb1e77eb75eba8bff3d58"),
+                Felt::from_hex_unchecked("0x8cd2f199d9815d7585073034eb76c93d"),
+                Felt::from(3_u8),
+                Felt::ZERO,
+                Felt::from_hex_unchecked("0x3987510e0f01f0675cab69d0ccb480b7"),
+                Felt::from_hex_unchecked("0x6f370ba949025de60e38bfaec452e3d5"),
+                Felt::from_hex_unchecked("0x5df6f10c46fb2a67036c5251f9e5c9af"),
+                Felt::from_hex_unchecked("0xd62ff00ad9d9eaa09da9ba13a1c26049"),
+            ],
+        ),
+    });
+
+    test_builder.build_and_run().await.perform_default_validations();
+}
+
 /// Runs the same syscall several times from various call depths. E.g.,
 /// 1. sha256()
 /// 2. call_contract(sha256)
