From 7537193d45b49b38ad7dbe1c076da9d3f7625eed Mon Sep 17 00:00:00 2001 From: Matthias Goergens Date: Mon, 31 Jul 2023 23:04:45 +0800 Subject: [PATCH 1/7] Generalise transpose So that it also works with eg `u64`, not just with field elements. --- plonky2/src/util/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plonky2/src/util/mod.rs b/plonky2/src/util/mod.rs index d08f194d..9a54cea0 100644 --- a/plonky2/src/util/mod.rs +++ b/plonky2/src/util/mod.rs @@ -19,7 +19,7 @@ pub(crate) fn transpose_poly_values(polys: Vec>) - transpose(&poly_values) } -pub fn transpose(matrix: &[Vec]) -> Vec> { +pub fn transpose(matrix: &[Vec]) -> Vec> { let len = matrix[0].len(); (0..len) .into_par_iter() From 3a556029097a8d8132903f54bbd22c65334465ca Mon Sep 17 00:00:00 2001 From: Nicholas Ward Date: Mon, 31 Jul 2023 16:31:22 -0700 Subject: [PATCH 2/7] update versions for crates.io updates --- evm/Cargo.toml | 2 +- field/Cargo.toml | 2 +- maybe_rayon/Cargo.toml | 2 +- plonky2/Cargo.toml | 2 +- starky/Cargo.toml | 2 +- util/Cargo.toml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/evm/Cargo.toml b/evm/Cargo.toml index 068c8219..6e69e0d6 100644 --- a/evm/Cargo.toml +++ b/evm/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "plonky2_evm" description = "Implementation of STARKs for the Ethereum Virtual Machine" -version = "0.1.0" +version = "0.1.1" authors = ["Daniel Lubarov ", "William Borgeaud "] readme = "README.md" repository = "https://github.com/mir-protocol/plonky2" diff --git a/field/Cargo.toml b/field/Cargo.toml index 0ec85af7..08550515 100644 --- a/field/Cargo.toml +++ b/field/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "plonky2_field" description = "Finite field arithmetic" -version = "0.1.0" +version = "0.1.1" license = "MIT OR Apache-2.0" authors = ["Daniel Lubarov ", "William Borgeaud ", "Jacqueline Nabaglo ", "Hamish Ivey-Law "] edition = "2021" diff --git a/maybe_rayon/Cargo.toml b/maybe_rayon/Cargo.toml index 11eebc96..89499e74 100644 --- a/maybe_rayon/Cargo.toml +++ b/maybe_rayon/Cargo.toml @@ -2,7 +2,7 @@ name = "plonky2_maybe_rayon" description = "Feature-gated wrapper around rayon" license = "MIT OR Apache-2.0" -version = "0.1.0" +version = "0.1.1" edition = "2021" [features] diff --git a/plonky2/Cargo.toml b/plonky2/Cargo.toml index 40c4da86..3592e970 100644 --- a/plonky2/Cargo.toml +++ b/plonky2/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "plonky2" description = "Recursive SNARKs based on PLONK and FRI" -version = "0.1.3" +version = "0.1.4" license = "MIT OR Apache-2.0" authors = ["Daniel Lubarov ", "William Borgeaud ", "Nicholas Ward "] readme = "README.md" diff --git a/starky/Cargo.toml b/starky/Cargo.toml index c09ec5af..223ed945 100644 --- a/starky/Cargo.toml +++ b/starky/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "starky" description = "Implementation of STARKs" -version = "0.1.1" +version = "0.1.2" license = "MIT OR Apache-2.0" authors = ["Daniel Lubarov ", "William Borgeaud "] readme = "README.md" diff --git a/util/Cargo.toml b/util/Cargo.toml index f3cb862e..1ece1e57 100644 --- a/util/Cargo.toml +++ b/util/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "plonky2_util" description = "Utilities used by Plonky2" -version = "0.1.0" +version = "0.1.1" license = "MIT OR Apache-2.0" edition = "2021" From 84321955172cb0eb877af8ca0abc07ad76a409fc Mon Sep 17 00:00:00 2001 From: Nicholas Ward Date: Mon, 31 Jul 2023 16:34:27 -0700 Subject: [PATCH 3/7] update versions in cross-crate references --- evm/Cargo.toml | 6 +++--- plonky2/Cargo.toml | 6 +++--- starky/Cargo.toml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/evm/Cargo.toml b/evm/Cargo.toml index 6e69e0d6..e1864e90 100644 --- a/evm/Cargo.toml +++ b/evm/Cargo.toml @@ -19,14 +19,14 @@ hex-literal = "0.4.1" itertools = "0.11.0" keccak-hash = "0.10.0" log = "0.4.14" -plonky2_maybe_rayon = "0.1.0" +plonky2_maybe_rayon = "0.1.1" num = "0.4.0" num-bigint = "0.4.3" once_cell = "1.13.0" pest = "2.1.3" pest_derive = "2.1.0" -plonky2 = { version = "0.1.2", default-features = false, features = ["timing"] } -plonky2_util = { version = "0.1.0" } +plonky2 = { version = "0.1.4", default-features = false, features = ["timing"] } +plonky2_util = { version = "0.1.1" } rand = "0.8.5" rand_chacha = "0.3.1" rlp = "0.5.1" diff --git a/plonky2/Cargo.toml b/plonky2/Cargo.toml index 3592e970..c5de1e63 100644 --- a/plonky2/Cargo.toml +++ b/plonky2/Cargo.toml @@ -24,10 +24,10 @@ hashbrown = { version = "0.14.0", default-features = false, features = ["ahash", itertools = { version = "0.11.0", default-features = false } keccak-hash = { version = "0.8.0", default-features = false } log = { version = "0.4.14", default-features = false } -plonky2_maybe_rayon = { version = "0.1.0", default-features = false } +plonky2_maybe_rayon = { version = "0.1.1", default-features = false } num = { version = "0.4", default-features = false, features = ["rand"] } -plonky2_field = { version = "0.1.0", default-features = false } -plonky2_util = { version = "0.1.0", default-features = false } +plonky2_field = { version = "0.1.1", default-features = false } +plonky2_util = { version = "0.1.1", default-features = false } rand = { version = "0.8.4", default-features = false } rand_chacha = { version = "0.3.1", optional = true, default-features = false } serde = { version = "1.0", default-features = false, features = ["derive", "rc"] } diff --git a/starky/Cargo.toml b/starky/Cargo.toml index 223ed945..bc83dadf 100644 --- a/starky/Cargo.toml +++ b/starky/Cargo.toml @@ -20,7 +20,7 @@ timing = ["plonky2/timing"] anyhow = { version = "1.0.40", default-features = false } itertools = { version = "0.11.0", default-features = false } log = { version = "0.4.14", default-features = false } -plonky2_maybe_rayon = { version = "0.1.0", default-features = false } +plonky2_maybe_rayon = { version = "0.1.1", default-features = false } plonky2 = { version = "0.1.2", default-features = false } [dev-dependencies] From f574effe17c0900d86584afd692e3b1f03fd2605 Mon Sep 17 00:00:00 2001 From: Nicholas Ward Date: Mon, 31 Jul 2023 16:37:02 -0700 Subject: [PATCH 4/7] make imports conditional on config --- plonky2/src/hash/poseidon_goldilocks.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/plonky2/src/hash/poseidon_goldilocks.rs b/plonky2/src/hash/poseidon_goldilocks.rs index 0d03b3e9..923b1b20 100644 --- a/plonky2/src/hash/poseidon_goldilocks.rs +++ b/plonky2/src/hash/poseidon_goldilocks.rs @@ -4,7 +4,9 @@ //! `poseidon_constants.sage` script in the `mir-protocol/hash-constants` //! repository. +#[cfg(target_arch="x86_64")] use plonky2_field::types::Field; +#[cfg(target_arch="x86_64")] use unroll::unroll_for_loops; use crate::field::goldilocks_field::GoldilocksField; From b414b8e92bc6b0772b3d645292690c2595f70455 Mon Sep 17 00:00:00 2001 From: Nicholas Ward Date: Mon, 31 Jul 2023 16:53:56 -0700 Subject: [PATCH 5/7] fmt --- plonky2/src/hash/poseidon_goldilocks.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plonky2/src/hash/poseidon_goldilocks.rs b/plonky2/src/hash/poseidon_goldilocks.rs index 923b1b20..78cedec2 100644 --- a/plonky2/src/hash/poseidon_goldilocks.rs +++ b/plonky2/src/hash/poseidon_goldilocks.rs @@ -4,9 +4,9 @@ //! `poseidon_constants.sage` script in the `mir-protocol/hash-constants` //! repository. -#[cfg(target_arch="x86_64")] +#[cfg(target_arch = "x86_64")] use plonky2_field::types::Field; -#[cfg(target_arch="x86_64")] +#[cfg(target_arch = "x86_64")] use unroll::unroll_for_loops; use crate::field::goldilocks_field::GoldilocksField; From c52ed29e08d607a0453d8d3631be3f78f86f5db6 Mon Sep 17 00:00:00 2001 From: Jacqueline Nabaglo Date: Mon, 31 Jul 2023 17:19:46 -0700 Subject: [PATCH 6/7] Gas handling brain dump --- evm/src/cpu/docs/out-of-gas.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 evm/src/cpu/docs/out-of-gas.md diff --git a/evm/src/cpu/docs/out-of-gas.md b/evm/src/cpu/docs/out-of-gas.md new file mode 100644 index 00000000..733384b2 --- /dev/null +++ b/evm/src/cpu/docs/out-of-gas.md @@ -0,0 +1,23 @@ +# Out of Gas Errors + +The CPU table has a `gas` register that keeps track of the gas used by the transaction so far. + +The crucial invariant in our out-of-gas checking method is that at any point in the program's execution, we have not used more gas than we have available; that is `gas` is at most the gas allocation for the transaction (which is stored separately by the kernel). We assume that the gas allocation will never be 2^32 or more, so if `gas` does not fit in one limb, then we've run out of gas. + +When a native instruction (one that is not a syscall) is executed, a constraint ensures that the `gas` register is increased by the correct amount. This is not automatic for syscalls; the syscall handler itself must calculate and charge the appropriate amount. + +If everything goes smoothly and we have not run out of gas, `gas` should be no more than the gas allowance at the point that we `STOP`, `REVERT`, stack overflow, or whatever. Indeed, because we assume that the gas overflow handler is invoked _as soon as_ we've run out of gas, all these termination methods must verify that `gas` <= allowance, and `PANIC` if this is not the case. This is also true for the out-of-gas handler, which should check that (a) we have not yet run out of gas and (b) we are about to run out of gas, `PANIC`king if either of those does not hold. + +When we do run out of gas, however, this event must be handled. Syscalls are responsible for checking that their execution would not cause the transaction to run out of gas. If the syscall detects that it would need to charge more gas than available, it must abort the transaction by jumping to `exc_out_of_gas`, which in turn verifies that the out-of-gas hasn't _already_ occured. + +Native instructions do this differently. If the prover notices that execution of the instruction would cause an out-of-gas error, it must jump to the appropriate handler instead of executing the instruction. (The handler contains special code that `PANIC`s if the prover invoked it incorrectly.) + +## Overflow + +We must be careful to ensure that `gas` does not overflow to prevent denial of service attacks. + +Note that a syscall cannot be the instruction that causes an overflow. This is because every syscall is required to verify that its execution does not cause us to exceed the gas limit. Upon entry into a syscall, a constraint verifies that `gas` < 2^32. Some syscalls may have to be careful to ensure that the gas check is performed correctly (for example, that overflow modulo 2^256 does not occur). So we can assume that upon entry and exit out of a syscall, `gas` < 2^32. + +Similarly, native instructions alone cannot cause wraparound. The most expensive instruction, `JUMPI`, costs 10 gas. Even if we were to execute 2^32 consecutive `JUMPI` instructions, the maximum length of a trace, we are nowhere close to consuming 2^64 - 2^32 + 1 (= Golilocks prime) gas. + +The final scenario we must tackle is an expensive syscall followed by many expensive native instructions. Upon exit from a syscall, `gas` < 2^32. Again, even if that syscall is followed by 2^32 native instructions of cost 10, we do not see wraparound modulo Goldilocks. From 9e0719e6bebd46294f2379854caff3144a6d7875 Mon Sep 17 00:00:00 2001 From: Hamish Ivey-Law <426294+unzvfu@users.noreply.github.com> Date: Tue, 1 Aug 2023 20:58:32 +1000 Subject: [PATCH 7/7] Better document constraints on addcy carries (#1139) * Add missing constraints on addcy carries. * Remove bit-checks; make documentation clearer. --- evm/src/arithmetic/addcy.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/evm/src/arithmetic/addcy.rs b/evm/src/arithmetic/addcy.rs index 40b7e093..3366e432 100644 --- a/evm/src/arithmetic/addcy.rs +++ b/evm/src/arithmetic/addcy.rs @@ -68,13 +68,14 @@ const GOLDILOCKS_INVERSE_65536: u64 = 18446462594437939201; /// Constrains x + y == z + cy*2^256, assuming filter != 0. /// -/// NB: This function DOES NOT verify that cy is 0 or 1; the caller -/// must do that. -/// /// Set `is_two_row_op=true` to allow the code to be called from the /// two-row `modular` code (for checking that the modular output is /// reduced). /// +/// NB: This function ONLY verifies that cy is 0 or 1 when +/// is_two_row_op=false; when is_two_row_op=true the caller must +/// verify for itself. +/// /// Note that the digits of `x + y` are in `[0, 2*(2^16-1)]` /// (i.e. they are the sums of two 16-bit numbers), whereas the digits /// of `z` can only be in `[0, 2^16-1]`. In the function we check that: