Add check of copy constraints after witness generation

src/circuit_builder.rs

@@ -293,11 +293,12 @@ impl<F: Extendable<D>, const D: usize> CircuitBuilder<F, D> {
             sigmas_root,
         };
 
-        let generators = self.generators;
         let prover_only = ProverOnlyCircuitData {
-            generators,
+            generators: self.generators,
             constants_commitment,
             sigmas_commitment,
+            copy_constraints: self.copy_constraints,
+            gate_instances: self.gate_instances,
         };
 
         // The HashSet of gates will have a non-deterministic order. When converting to a Vec, we

src/circuit_data.rs

@@ -3,11 +3,12 @@ use anyhow::Result;
 use crate::field::extension_field::Extendable;
 use crate::field::field::Field;
 use crate::fri::FriConfig;
-use crate::gates::gate::GateRef;
+use crate::gates::gate::{GateInstance, GateRef};
 use crate::generator::WitnessGenerator;
 use crate::polynomial::commitment::ListPolynomialCommitment;
 use crate::proof::{Hash, HashTarget, Proof};
 use crate::prover::prove;
+use crate::target::Target;
 use crate::verifier::verify;
 use crate::witness::PartialWitness;
 
@@ -52,7 +53,7 @@ impl CircuitConfig {
 
 /// Circuit data required by the prover or the verifier.
 pub struct CircuitData<F: Extendable<D>, const D: usize> {
-    pub(crate) prover_only: ProverOnlyCircuitData<F>,
+    pub(crate) prover_only: ProverOnlyCircuitData<F, D>,
     pub(crate) verifier_only: VerifierOnlyCircuitData<F>,
     pub(crate) common: CommonCircuitData<F, D>,
 }
@@ -75,7 +76,7 @@ impl<F: Extendable<D>, const D: usize> CircuitData<F, D> {
 /// required, like LDEs of preprocessed polynomials. If more succinctness was desired, we could
 /// construct a more minimal prover structure and convert back and forth.
 pub struct ProverCircuitData<F: Extendable<D>, const D: usize> {
-    pub(crate) prover_only: ProverOnlyCircuitData<F>,
+    pub(crate) prover_only: ProverOnlyCircuitData<F, D>,
     pub(crate) common: CommonCircuitData<F, D>,
 }
 
@@ -98,12 +99,16 @@ impl<F: Extendable<D>, const D: usize> VerifierCircuitData<F, D> {
 }
 
 /// Circuit data required by the prover, but not the verifier.
-pub(crate) struct ProverOnlyCircuitData<F: Field> {
+pub(crate) struct ProverOnlyCircuitData<F: Extendable<D>, const D: usize> {
     pub generators: Vec<Box<dyn WitnessGenerator<F>>>,
     /// Commitments to the constants polynomial.
     pub constants_commitment: ListPolynomialCommitment<F>,
     /// Commitments to the sigma polynomial.
     pub sigmas_commitment: ListPolynomialCommitment<F>,
+    /// The circuit's copy constraints.
+    pub copy_constraints: Vec<(Target, Target)>,
+    /// The concrete placement of each gate in the circuit.
+    pub gate_instances: Vec<GateInstance<F, D>>,
 }
 
 /// Circuit data required by the verifier, but not the prover.

src/prover.rs

@@ -23,7 +23,7 @@ use crate::witness::PartialWitness;
 pub const PLONK_BLINDING: [bool; 5] = [false, false, true, true, true];
 
 pub(crate) fn prove<F: Extendable<D>, const D: usize>(
-    prover_data: &ProverOnlyCircuitData<F>,
+    prover_data: &ProverOnlyCircuitData<F, D>,
     common_data: &CommonCircuitData<F, D>,
     inputs: PartialWitness<F>,
 ) -> Proof<F, D> {
@@ -38,6 +38,13 @@ pub(crate) fn prove<F: Extendable<D>, const D: usize>(
         "to generate witness"
     );
 
+    timed!(
+        witness
+            .check_copy_constraints(&prover_data.copy_constraints, &prover_data.gate_instances)
+            .unwrap(), // TODO: Change return value to `Result` and use `?` here.
+        "to check copy constraints"
+    );
+
     let config = &common_data.config;
     let num_wires = config.num_wires;
     let num_challenges = config.num_challenges;
@@ -162,7 +169,7 @@ fn compute_z<F: Extendable<D>, const D: usize>(
 
 fn compute_vanishing_polys<F: Extendable<D>, const D: usize>(
     common_data: &CommonCircuitData<F, D>,
-    prover_data: &ProverOnlyCircuitData<F>,
+    prover_data: &ProverOnlyCircuitData<F, D>,
     wires_commitment: &ListPolynomialCommitment<F>,
     plonk_zs_commitment: &ListPolynomialCommitment<F>,
     betas: &[F],

src/witness.rs

@@ -1,7 +1,10 @@
 use std::collections::HashMap;
 
+use anyhow::{ensure, Result};
+
 use crate::field::extension_field::{Extendable, FieldExtension};
 use crate::field::field::Field;
+use crate::gates::gate::GateInstance;
 use crate::target::Target;
 use crate::wire::Wire;
 
@@ -97,6 +100,30 @@ impl<F: Field> PartialWitness<F> {
             self.set_target(target, value);
         }
     }
+
+    /// Checks that the copy constraints are satisfied in the witness.
+    pub fn check_copy_constraints<const D: usize>(
+        &self,
+        copy_constraints: &[(Target, Target)],
+        gate_instances: &[GateInstance<F, D>],
+    ) -> Result<()>
+    where
+        F: Extendable<D>,
+    {
+        for &(a, b) in copy_constraints {
+            if let (Target::Wire(wa), Target::Wire(wb)) = (a, b) {
+                let va = self.target_values.get(&a).copied().unwrap_or(F::ZERO);
+                let vb = self.target_values.get(&b).copied().unwrap_or(F::ZERO);
+                ensure!(
+                    va == vb,
+                    "Copy constraint between wire {} of gate #{} (`{}`) and wire {} of gate #{} (`{}`) is not satisfied.\
+                     Got values of {} and {} respectively.",
+                    wa.input, wa.gate, gate_instances[wa.gate].gate_type.0.id(), wb.input, wb.gate,
+                    gate_instances[wb.gate].gate_type.0.id(), va, vb);
+            }
+        }
+        Ok(())
+    }
 }
 
 impl<F: Field> Default for PartialWitness<F> {