fix: expand memory before slicing initcode in CREATE2 wrapper

[RealiCZ]

Summary

Important

Post-mainnet follow-up fix

Fix an out-of-bounds memory access in the storage_gas_ext::create<IS_CREATE2> wrapper.

The wrapper sliced initcode out of interpreter memory via memory.slice_len(offset, len) before memory was expanded. The canonical revm CREATE2 path called later does call resize_memory!, but by then the slice has already been taken — so a CREATE2 whose (offset, len) extended past the current memory size could read past the allocated region in our wrapper.

Test plan

• New crates/mega-evm/tests/rex4/create_safety.rs covering CREATE2 with (offset, len) extending past current memory, including the clean-OOG and successful-expansion paths.
• cargo test -p mega-evm (run before pushing).
• cargo clippy --workspace --lib --examples --tests --benches --all-features --locked and cargo fmt --all --check.

[claude]

The api:unchanged label appears to be missing. The PR only modifies the internal storage_gas_ext::create wrapper (a private function) and adds test files — no public crate interface is changed. The api:* family (api:breaking / api:unchanged / api:compatible) currently has no representative label on this PR.

[claude]

The current labels (comp:core, rust, spec:stable) look correct, but the PR is missing an api:* label. The api:breaking, api:compatible, and api:unchanged labels form a mutually exclusive group — every PR should carry exactly one. Since this bug fix introduces no changes to the public interface or API, api:unchanged should be added.

[codecov]

Codecov Report

❌ Patch coverage is 80.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.1%. Comparing base (92e2168) to head (1dff3a9).
⚠️ Report is 42 commits behind head on main.

Files with missing lines	Patch %	Lines
crates/mega-evm/src/evm/instructions.rs	80.0%	2 Missing and 1 partial ⚠️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[RealiCZ]

Closing this PR — it was opened against the wrong target branch (main).

Reopened here: #293

[claude]

LGTM. The fix is correct and the reasoning is sound.

Bug: storage_gas_ext::create<IS_CREATE2> called memory.slice_len(offset, len) before memory was expanded to fit the requested region. Canonical revm's resize_memory! came later (inside compute_gas_ext::create2), so a CREATE2 whose (offset + len) exceeded current memory size could read past the allocated region in the wrapper.

Fix: The early resize_memory! before the slice is the right call. Since resize_memory! uses return on OOG, the slice_len is never reached on an OOG expansion — clean.

Gas accounting: The deferred-recording design (recording resize_gas into the compute tracker only after the inner CREATE2 returns without error) correctly mirrors wrap_op_compute_gas's skip-on-error semantics. The split is arithmetically equivalent to what the canonical path would have captured: compute_gas_ext::create2's gas_before snapshot is already taken after the resize, so its window excludes the expansion cost; resize_gas fills that gap separately. No double-charging, no undercounting on the success path.

Tests: All three cases are covered — OOG-resize no-panic, correct compute gas delta on success, and deferred skip when the inner CREATE2 OOGs. The deferred-recording test in particular is a nice property-level check that would catch a regression to eager recording.