9 files changed, 253 insertions, 10 deletions
diff --git a/Changelog.md b/Changelog.md
index c12afcd2..8b44934d 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -28,6 +28,7 @@ Bugfixes:
  * Fixed crash concerning non-callable types.
  * Unused variable warnings no longer issued for variables used inside inline assembly.
  * Code Generator: Fix ABI encoding of empty literal string.
+ * Code Generator: Fix negative stack size checks.
  * Inline Assembly: Enforce function arguments when parsing functional instructions.
  * Fixed segfault with constant function parameters
 
diff --git a/libevmasm/Assembly.cpp b/libevmasm/Assembly.cpp
index 27199b7b..597fdae1 100644
--- a/libevmasm/Assembly.cpp
+++ b/libevmasm/Assembly.cpp
@@ -328,6 +328,7 @@ Json::Value Assembly::stream(ostream& _out, string const& _prefix, StringMap con
 
 AssemblyItem const& Assembly::append(AssemblyItem const& _i)
 {
+	assertThrow(m_deposit >= 0, AssemblyException, "");
 	m_deposit += _i.deposit();
 	m_items.push_back(_i);
 	if (m_items.back().location().isEmpty() && !m_currentSourceLocation.isEmpty())
diff --git a/libsolidity/analysis/TypeChecker.cpp b/libsolidity/analysis/TypeChecker.cpp
index b276a2d4..1563467c 100644
--- a/libsolidity/analysis/TypeChecker.cpp
+++ b/libsolidity/analysis/TypeChecker.cpp
@@ -1886,7 +1886,7 @@ void TypeChecker::expectType(Expression const& _expression, Type const& _expecte
 	{
 		auto literal = dynamic_cast<Literal const*>(&_expression);
 
-		if (literal && !boost::starts_with(literal->value(), "0x"))
+		if (literal && !literal->isHexNumber())
 			m_errorReporter.warning(
 				_expression.location(),
 				"Decimal literal assigned to bytesXX variable will be left-aligned. "
diff --git a/libsolidity/ast/AST.cpp b/libsolidity/ast/AST.cpp
index b929b6fe..403f4b79 100644
--- a/libsolidity/ast/AST.cpp
+++ b/libsolidity/ast/AST.cpp
@@ -530,20 +530,26 @@ IdentifierAnnotation& Identifier::annotation() const
 	return dynamic_cast<IdentifierAnnotation&>(*m_annotation);
 }
 
+bool Literal::isHexNumber() const
+{
+	if (token() != Token::Number)
+		return false;
+	return boost::starts_with(value(), "0x");
+}
+
 bool Literal::looksLikeAddress() const
 {
 	if (subDenomination() != SubDenomination::None)
 		return false;
-	if (token() != Token::Number)
+
+	if (!isHexNumber())
 		return false;
 
-	string lit = value();
-	return lit.substr(0, 2) == "0x" && abs(int(lit.length()) - 42) <= 1;
+	return abs(int(value().length()) - 42) <= 1;
 }
 
 bool Literal::passesAddressChecksum() const
 {
-	string lit = value();
-	solAssert(lit.substr(0, 2) == "0x", "Expected hex prefix");
-	return dev::passesAddressChecksum(lit, true);
+	solAssert(isHexNumber(), "Expected hex number");
+	return dev::passesAddressChecksum(value(), true);
 }
diff --git a/libsolidity/ast/AST.h b/libsolidity/ast/AST.h
index 83572692..e8831dc0 100644
--- a/libsolidity/ast/AST.h
+++ b/libsolidity/ast/AST.h
@@ -1590,6 +1590,9 @@ public:
 
 	SubDenomination subDenomination() const { return m_subDenomination; }
 
+	/// @returns true if this is a number with a hex prefix.
+	bool isHexNumber() const;
+
 	/// @returns true if this looks like a checksummed address.
 	bool looksLikeAddress() const;
 	/// @returns true if it passes the address checksum test.
diff --git a/libsolidity/codegen/ContractCompiler.cpp b/libsolidity/codegen/ContractCompiler.cpp
index 977a2c7c..74b07d4d 100644
--- a/libsolidity/codegen/ContractCompiler.cpp
+++ b/libsolidity/codegen/ContractCompiler.cpp
@@ -267,13 +267,19 @@ void ContractCompiler::appendFunctionSelector(ContractDefinition const& _contrac
 	m_context << notFound;
 	if (fallback)
 	{
+		m_context.setStackOffset(0);
 		if (!fallback->isPayable())
 			appendCallValueCheck();
 
+		// Return tag is used to jump out of the function.
 		eth::AssemblyItem returnTag = m_context.pushNewTag();
 		fallback->accept(*this);
 		m_context << returnTag;
-		appendReturnValuePacker(FunctionType(*fallback).returnParameterTypes(), _contract.isLibrary());
+		solAssert(FunctionType(*fallback).parameterTypes().empty(), "");
+		solAssert(FunctionType(*fallback).returnParameterTypes().empty(), "");
+		// Return tag gets consumed.
+		m_context.adjustStackOffset(-1);
+		m_context << Instruction::STOP;
 	}
 	else
 		m_context.appendRevert();
@@ -285,16 +291,26 @@ void ContractCompiler::appendFunctionSelector(ContractDefinition const& _contrac
 		CompilerContext::LocationSetter locationSetter(m_context, functionType->declaration());
 
 		m_context << callDataUnpackerEntryPoints.at(it.first);
+		m_context.setStackOffset(0);
 		// We have to allow this for libraries, because value of the previous
 		// call is still visible in the delegatecall.
 		if (!functionType->isPayable() && !_contract.isLibrary())
 			appendCallValueCheck();
 
+		// Return tag is used to jump out of the function.
 		eth::AssemblyItem returnTag = m_context.pushNewTag();
+		// Parameter for calldataUnpacker
 		m_context << CompilerUtils::dataStartOffset;
 		appendCalldataUnpacker(functionType->parameterTypes());
 		m_context.appendJumpTo(m_context.functionEntryLabel(functionType->declaration()));
 		m_context << returnTag;
+		// Return tag and input parameters get consumed.
+		m_context.adjustStackOffset(
+			CompilerUtils(m_context).sizeOnStack(functionType->returnParameterTypes()) -
+			CompilerUtils(m_context).sizeOnStack(functionType->parameterTypes()) -
+			1
+		);
+		// Consumes the return parameters.
 		appendReturnValuePacker(functionType->returnParameterTypes(), _contract.isLibrary());
 	}
 }
diff --git a/libsolidity/codegen/ExpressionCompiler.cpp b/libsolidity/codegen/ExpressionCompiler.cpp
index a65549fd..9d4024c9 100644
--- a/libsolidity/codegen/ExpressionCompiler.cpp
+++ b/libsolidity/codegen/ExpressionCompiler.cpp
@@ -88,6 +88,7 @@ void ExpressionCompiler::appendStateVariableAccessor(VariableDeclaration const&
 	FunctionType accessorType(_varDecl);
 
 	TypePointers paramTypes = accessorType.parameterTypes();
+	m_context.adjustStackOffset(1 + CompilerUtils::sizeOnStack(paramTypes));
 
 	// retrieve the position of the variable
 	auto const& location = m_context.storageLocationOfVariable(_varDecl);
diff --git a/test/liblll/EndToEndTest.cpp b/test/liblll/EndToEndTest.cpp
index 70a91807..f3bfb438 100644
--- a/test/liblll/EndToEndTest.cpp
+++ b/test/liblll/EndToEndTest.cpp
@@ -401,6 +401,41 @@ BOOST_AUTO_TEST_CASE(keccak256_32bytes)
 		fromHex("b10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6")));
 }
 
+// The following tests are for the built-in macros.
+// Note that panic, returnlll and return_one_arg are well covered above.
+
+BOOST_AUTO_TEST_CASE(allgas)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(return (- (gas) allgas)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(u256(16))); // == 21 - SUB - GAS
+}
+
+BOOST_AUTO_TEST_CASE(send_two_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(send 0xdead 42))
+	)";
+	compileAndRun(sourceCode);
+	callFallbackWithValue(42);
+	BOOST_CHECK(balanceAt(Address(0xdead)) == 42);
+}
+
+BOOST_AUTO_TEST_CASE(send_three_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(send allgas 0xdead 42))
+	)";
+	compileAndRun(sourceCode);
+	callFallbackWithValue(42);
+	BOOST_CHECK(balanceAt(Address(0xdead)) == 42);
+}
+
 BOOST_AUTO_TEST_CASE(msg_six_args)
 {
 	char const* sourceCode = R"(
@@ -418,7 +453,64 @@ BOOST_AUTO_TEST_CASE(msg_six_args)
 	BOOST_CHECK(callFallbackWithValue(42) == encodeArgs(u256(42)));
 }
 
-BOOST_AUTO_TEST_CASE(create_1_arg)
+BOOST_AUTO_TEST_CASE(msg_five_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(when (= 0 (calldatasize))
+					(seq
+						(mstore 0x20 1)
+						(mstore 0x40 2)
+						(return (msg 1000 (address) 42 0x20 0x40))))
+				(when (= 3 (+ (calldataload 0x00) (calldataload 0x20)))
+					(return (callvalue)))))
+
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallbackWithValue(42) == encodeArgs(u256(42)));
+}
+
+BOOST_AUTO_TEST_CASE(msg_four_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(when (= 0 (calldatasize))
+					(return (msg 1000 (address) 42 0xff)))
+				(return (callvalue))))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallbackWithValue(42) == encodeArgs(u256(42)));
+}
+
+BOOST_AUTO_TEST_CASE(msg_three_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(when (= 0 (calldatasize))
+					(return (msg (address) 42 0xff)))
+				(return (callvalue))))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallbackWithValue(42) == encodeArgs(u256(42)));
+}
+
+BOOST_AUTO_TEST_CASE(msg_two_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(when (= 0 (calldatasize))
+					(return (msg (address) 0xff)))
+				(return 42)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(u256(42)));
+}
+
+BOOST_AUTO_TEST_CASE(create_one_arg)
 {
 	char const* sourceCode = R"(
 		(returnlll
@@ -432,7 +524,7 @@ BOOST_AUTO_TEST_CASE(create_1_arg)
 	BOOST_CHECK(callFallback() == encodeArgs(u256(42)));
 }
 
-BOOST_AUTO_TEST_CASE(create_2_args)
+BOOST_AUTO_TEST_CASE(create_two_args)
 {
 	char const* sourceCode = R"(
 		(returnlll
@@ -470,6 +562,42 @@ BOOST_AUTO_TEST_CASE(sha3_one_arg)
 		fromHex("b10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6")));
 }
 
+BOOST_AUTO_TEST_CASE(sha3pair)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(return (sha3pair 0x01 0x02)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(
+		fromHex("0xe90b7bceb6e7df5418fb78d8ee546e97c83a08bbccc01a0644d599ccd2a7c2e0")));
+}
+
+BOOST_AUTO_TEST_CASE(sha3trip)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(return (sha3trip 0x01 0x02 0x03)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(
+		fromHex("0x6e0c627900b24bd432fe7b1f713f1b0744091a646a9fe4a65a18dfed21f2949c")));
+}
+
+BOOST_AUTO_TEST_CASE(makeperm) // Covers makeperm (implicit), permcount and perm
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(perm 'x) (x (+ 1 x))
+				(perm 'y) (y (+ 10 y))
+				(when (= 2 permcount)
+					(return (+ x y)))))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(u256(11)));
+}
+
 BOOST_AUTO_TEST_CASE(ecrecover)
 {
 	char const* sourceCode = R"(
@@ -489,6 +617,72 @@ BOOST_AUTO_TEST_CASE(ecrecover)
 	BOOST_CHECK(callFallback() == encodeArgs(fromHex("0x8743523d96a1b2cbe0c6909653a56da18ed484af")));
 }
 
+BOOST_AUTO_TEST_CASE(sha256_two_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(lit 0x20 "abcdefghijklmnopqrstuvwxyzABCDEF")
+				(lit 0x40 "GHIJKLMNOPQRSTUVWXYZ0123456789?!")
+				(sha256 0x20 0x40)
+				(return 0x00 0x20)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(
+		fromHex("0xcf25a9fe3d86ae228c226c81d2d8c64c687cd6dc4586d10d8e7e4e5b6706d429")));
+}
+
+BOOST_AUTO_TEST_CASE(ripemd160_two_args)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(lit 0x20 "abcdefghijklmnopqrstuvwxyzABCDEF")
+				(lit 0x40 "GHIJKLMNOPQRSTUVWXYZ0123456789?!")
+				(ripemd160 0x20 0x40)
+				(return 0x00 0x20)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(
+		fromHex("0x36c6b90a49e17d4c1e1b0e634ec74124d9b207da")));
+}
+
+BOOST_AUTO_TEST_CASE(sha256_one_arg)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(sha256 0x6162636465666768696a6b6c6d6e6f707172737475767778797a414243444546)
+				(return 0x00 0x20)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(
+		fromHex("0xcfd2f1fad75a1978da0a444883db7251414b139f31f5a04704c291fdb0e175e6")));
+}
+
+BOOST_AUTO_TEST_CASE(ripemd160_one_arg)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(seq
+				(ripemd160 0x6162636465666768696a6b6c6d6e6f707172737475767778797a414243444546)
+				(return 0x00 0x20)))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(
+		fromHex("0xac5ab22e07b0fb80c69b6207902f725e2507e546")));
+}
+
+BOOST_AUTO_TEST_CASE(wei_szabo_finney_ether)
+{
+	char const* sourceCode = R"(
+		(returnlll
+			(return (+ wei (+ szabo (+ finney ether)))))
+	)";
+	compileAndRun(sourceCode);
+	BOOST_CHECK(callFallback() == encodeArgs(u256(1001001000000000001)));
+}
+
 BOOST_AUTO_TEST_CASE(shift_left)
 {
 	char const* sourceCode = R"(
diff --git a/test/libsolidity/SolidityEndToEndTest.cpp b/test/libsolidity/SolidityEndToEndTest.cpp
index ffee5e36..da725581 100644
--- a/test/libsolidity/SolidityEndToEndTest.cpp
+++ b/test/libsolidity/SolidityEndToEndTest.cpp
@@ -9501,6 +9501,27 @@ BOOST_AUTO_TEST_CASE(revert)
 	BOOST_CHECK(callContractFunction("a()") == encodeArgs(u256(42)));
 }
 
+BOOST_AUTO_TEST_CASE(negative_stack_height)
+{
+	// This code was causing negative stack height during code generation
+	// because the stack height was not adjusted at the beginning of functions.
+	char const* sourceCode = R"(
+		contract C {
+			mapping(uint => Invoice) public invoices;
+			struct Invoice {
+				uint AID;
+				bool Aboola;
+				bool Aboolc;
+				bool exists;
+			}
+			function nredit(uint startindex) public constant returns(uint[500] CIDs, uint[500] dates, uint[500] RIDs, bool[500] Cboolas, uint[500] amounts){}
+			function return500InvoicesByDates(uint begindate, uint enddate, uint startindex) public constant returns(uint[500] AIDs, bool[500] Aboolas, uint[500] dates, bytes32[3][500] Abytesas, bytes32[3][500] bytesbs, bytes32[2][500] bytescs, uint[500] amounts, bool[500] Aboolbs, bool[500] Aboolcs){}
+			function return500PaymentsByDates(uint begindate, uint enddate, uint startindex) public constant returns(uint[500] BIDs, uint[500] dates, uint[500] RIDs, bool[500] Bboolas, bytes32[3][500] bytesbs,bytes32[2][500] bytescs, uint[500] amounts, bool[500] Bboolbs){}
+		}
+	)";
+	compileAndRun(sourceCode, 0, "C");
+}
+
 BOOST_AUTO_TEST_CASE(literal_empty_string)
 {
 	char const* sourceCode = R"(