Merge branch 'main' into poseidon_warning

evm/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "plonky2_evm"
 description = "Implementation of STARKs for the Ethereum Virtual Machine"
-version = "0.1.0"
+version = "0.1.1"
 authors = ["Daniel Lubarov <daniel@lubarov.com>", "William Borgeaud <williamborgeaud@gmail.com>"]
 readme = "README.md"
 repository = "https://github.com/mir-protocol/plonky2"
@@ -19,14 +19,14 @@ hex-literal = "0.4.1"
 itertools = "0.11.0"
 keccak-hash = "0.10.0"
 log = "0.4.14"
-plonky2_maybe_rayon = "0.1.0"
+plonky2_maybe_rayon = "0.1.1"
 num = "0.4.0"
 num-bigint = "0.4.3"
 once_cell = "1.13.0"
 pest = "2.1.3"
 pest_derive = "2.1.0"
-plonky2 = { version = "0.1.2", default-features = false, features = ["timing"] }
-plonky2_util = { version = "0.1.0" }
+plonky2 = { version = "0.1.4", default-features = false, features = ["timing"] }
+plonky2_util = { version = "0.1.1" }
 rand = "0.8.5"
 rand_chacha = "0.3.1"
 rlp = "0.5.1"

evm/src/arithmetic/addcy.rs

@@ -68,13 +68,14 @@ const GOLDILOCKS_INVERSE_65536: u64 = 18446462594437939201;
 
 /// Constrains x + y == z + cy*2^256, assuming filter != 0.
 ///
-/// NB: This function DOES NOT verify that cy is 0 or 1; the caller
-/// must do that.
-///
 /// Set `is_two_row_op=true` to allow the code to be called from the
 /// two-row `modular` code (for checking that the modular output is
 /// reduced).
 ///
+/// NB: This function ONLY verifies that cy is 0 or 1 when
+/// is_two_row_op=false; when is_two_row_op=true the caller must
+/// verify for itself.
+///
 /// Note that the digits of `x + y` are in `[0, 2*(2^16-1)]`
 /// (i.e. they are the sums of two 16-bit numbers), whereas the digits
 /// of `z` can only be in `[0, 2^16-1]`. In the function we check that:

evm/src/cpu/docs/out-of-gas.md

@@ -0,0 +1,23 @@
+# Out of Gas Errors
+
+The CPU table has a `gas` register that keeps track of the gas used by the transaction so far.
+
+The crucial invariant in our out-of-gas checking method is that at any point in the program's execution, we have not used more gas than we have available; that is `gas` is at most the gas allocation for the transaction (which is stored separately by the kernel). We assume that the gas allocation will never be 2^32 or more, so if `gas` does not fit in one limb, then we've run out of gas.
+
+When a native instruction (one that is not a syscall) is executed, a constraint ensures that the `gas` register is increased by the correct amount. This is not automatic for syscalls; the syscall handler itself must calculate and charge the appropriate amount.
+
+If everything goes smoothly and we have not run out of gas, `gas` should be no more than the gas allowance at the point that we `STOP`, `REVERT`, stack overflow, or whatever. Indeed, because we assume that the gas overflow handler is invoked _as soon as_ we've run out of gas, all these termination methods must verify that `gas` <= allowance, and `PANIC` if this is not the case. This is also true for the out-of-gas handler, which should check that (a) we have not yet run out of gas and (b) we are about to run out of gas, `PANIC`king if either of those does not hold.
+
+When we do run out of gas, however, this event must be handled. Syscalls are responsible for checking that their execution would not cause the transaction to run out of gas. If the syscall detects that it would need to charge more gas than available, it must abort the transaction by jumping to `exc_out_of_gas`, which in turn verifies that the out-of-gas hasn't _already_ occured.
+
+Native instructions do this differently. If the prover notices that execution of the instruction would cause an out-of-gas error, it must jump to the appropriate handler instead of executing the instruction. (The handler contains special code that `PANIC`s if the prover invoked it incorrectly.)
+
+## Overflow
+
+We must be careful to ensure that `gas` does not overflow to prevent denial of service attacks.
+
+Note that a syscall cannot be the instruction that causes an overflow. This is because every syscall is required to verify that its execution does not cause us to exceed the gas limit. Upon entry into a syscall, a constraint verifies that `gas` < 2^32. Some syscalls may have to be careful to ensure that the gas check is performed correctly (for example, that overflow modulo 2^256 does not occur). So we can assume that upon entry and exit out of a syscall, `gas` < 2^32.
+
+Similarly, native instructions alone cannot cause wraparound. The most expensive instruction, `JUMPI`, costs 10 gas. Even if we were to execute 2^32 consecutive `JUMPI` instructions, the maximum length of a trace, we are nowhere close to consuming 2^64 - 2^32 + 1 (= Golilocks prime) gas.
+
+The final scenario we must tackle is an expensive syscall followed by many expensive native instructions. Upon exit from a syscall, `gas` < 2^32. Again, even if that syscall is followed by 2^32 native instructions of cost 10, we do not see wraparound modulo Goldilocks.

field/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "plonky2_field"
 description = "Finite field arithmetic"
-version = "0.1.0"
+version = "0.1.1"
 license = "MIT OR Apache-2.0"
 authors = ["Daniel Lubarov <daniel@lubarov.com>", "William Borgeaud <williamborgeaud@gmail.com>", "Jacqueline Nabaglo <j@nab.gl>", "Hamish Ivey-Law <hamish@ivey-law.name>"]
 edition = "2021"

maybe_rayon/Cargo.toml

@@ -2,7 +2,7 @@
 name = "plonky2_maybe_rayon"
 description = "Feature-gated wrapper around rayon"
 license = "MIT OR Apache-2.0"
-version = "0.1.0"
+version = "0.1.1"
 edition = "2021"
 
 [features]

plonky2/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "plonky2"
 description = "Recursive SNARKs based on PLONK and FRI"
-version = "0.1.3"
+version = "0.1.4"
 license = "MIT OR Apache-2.0"
 authors = ["Daniel Lubarov <daniel@lubarov.com>", "William Borgeaud <williamborgeaud@gmail.com>", "Nicholas Ward <npward@berkeley.edu>"]
 readme = "README.md"
@@ -24,10 +24,10 @@ hashbrown = { version = "0.14.0", default-features = false, features = ["ahash",
 itertools = { version = "0.11.0", default-features = false }
 keccak-hash = { version = "0.8.0", default-features = false }
 log = { version = "0.4.14", default-features = false }
-plonky2_maybe_rayon = { version = "0.1.0", default-features = false }
+plonky2_maybe_rayon = { version = "0.1.1", default-features = false }
 num = { version = "0.4", default-features = false, features = ["rand"] }
-plonky2_field = { version = "0.1.0", default-features = false }
-plonky2_util = { version = "0.1.0", default-features = false }
+plonky2_field = { version = "0.1.1", default-features = false }
+plonky2_util = { version = "0.1.1", default-features = false }
 rand = { version = "0.8.4", default-features = false }
 rand_chacha = { version = "0.3.1", optional = true, default-features = false }
 serde = { version = "1.0", default-features = false, features = ["derive", "rc"] }

plonky2/src/util/mod.rs

@@ -19,7 +19,7 @@ pub(crate) fn transpose_poly_values<F: Field>(polys: Vec<PolynomialValues<F>>) -
     transpose(&poly_values)
 }
 
-pub fn transpose<F: Field>(matrix: &[Vec<F>]) -> Vec<Vec<F>> {
+pub fn transpose<T: Send + Sync + Copy>(matrix: &[Vec<T>]) -> Vec<Vec<T>> {
     let len = matrix[0].len();
     (0..len)
         .into_par_iter()

starky/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "starky"
 description = "Implementation of STARKs"
-version = "0.1.1"
+version = "0.1.2"
 license = "MIT OR Apache-2.0"
 authors = ["Daniel Lubarov <daniel@lubarov.com>", "William Borgeaud <williamborgeaud@gmail.com>"]
 readme = "README.md"
@@ -20,7 +20,7 @@ timing = ["plonky2/timing"]
 anyhow = { version = "1.0.40", default-features = false }
 itertools = { version = "0.11.0", default-features = false }
 log = { version = "0.4.14", default-features = false }
-plonky2_maybe_rayon = { version = "0.1.0", default-features = false }
+plonky2_maybe_rayon = { version = "0.1.1", default-features = false }
 plonky2 = { version = "0.1.2", default-features = false }
 
 [dev-dependencies]

util/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "plonky2_util"
 description = "Utilities used by Plonky2"
-version = "0.1.0"
+version = "0.1.1"
 license = "MIT OR Apache-2.0"
 edition = "2021"