chore: fixing @safety warnings

[benesjan]

Fixes #11087

Note for reviewer

I originally addressed a bunch of other stuff in this PR but as @nventuro pointed out it became too messy so I separated those changes into a PR up the stack.

Merging currently blocked by this nargo fmt bug

[benesjan]

• refactor: random fixes and readability improvements #11129
• chore: fixing @safety warnings #11094 👈 (View in Graphite)
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[nventuro]

@fcarreiro this is an old issue from october that doesn't seem to have much activity or tracking - is there any blocker to getting this done?

[fcarreiro]

Maybe it's a good idea to add tracking, you are right. The pointed ticket is tracking something else which is considered done.

Regarding a solution: TBH IDK how to solve it, and currently the AVM team is quite busy with other stuff. IDK if we'd be able to come back to this until just after Ignition (especially since it's not really an AVM thing).

Possible solutions: (1) The easy way to make this secure, IIRC, is to constrain the hashes there in place. Something like assert(old_hash == hash([a,b,c])) and assert(new_hash == hash([selector,a,b,c]). This would blow up the constraints and when I was doing this everyone was chipping away constraints so I thought it wouldn't fly.
(2) Something that I tried was to change the the private interfaces (macros) and call methods to take a slice. Then I could do the same as I did in public. This didn't work because sizes need to be known at comptime sadly.
(3) The other possible solution (more elegant from some PoV and less from other) is to change all the users of the "call with hash" method to include the selector themselves. IIRC from a discussion with Palla, the major offenders and only real need for passing the hash are the contract (?) entry points which then kind of call other functions with an already given set of params. Selectors are now an aztec-nr/js only concept but IIRC then it would be ok to change the JS code to insert the selector appropiately.

This is all from the top of my mind so there might be mistakes. Please add that info if you create a ticket, thanks!

[nventuro]

Can we add some whitespace and do // @safety? It looks very odd otherwise

[benesjan]

Currently this makes the compiler cry. But it will be trivial to change later as it's just a string replacement.

[nventuro]

noir-lang/noir#6992

[nventuro]

I don't think the Noir team would necessarily be happy about exposing this in their stdlib - did you check with them?

[benesjan]

No, decided to go ahead and then tag Tom for a review as the change is easy to revert.

[TomAFrench]

I would prefer to keep this as an internal implementation detail to the stdlib. If you need something similar then you can vendor it into aztec-nr.

[benesjan]

That would require me to copy not only from_field_unsafe but also compute_decomposition which seems like quite a lot of code to copy and I feel like it does not really belong to Aztec.nr (it feels too low-level).

But maybe we could make the API std nicer by moving the from_field_unsafe func to EmbeddedCurveScalar just like was done for from_field?

[TomAFrench]

compute_decomposition is a very small function though?

Regardless, the noir stdlib is a very conservative library as breaking changes are a breaking change to the language itself. We're not going to be exposing this function oublically for that reason.

[benesjan]

@TomAFrench As you please. I will revert this change as the scope of the PR is already quite big and don't want to make it bigger.

[benesjan]

Regardless, the noir stdlib is a very conservative library as breaking changes are a breaking change to the language itself.

I feel like in this case this might not be that big of a deal because we are exposing the function and if we did the change I proposed we would be moving a function which was not intended for external use. So the breaking change would be only for users that used the func anyway just like we did in aztec-packages.

I would also argue that us needing this function is a good sign that it's desirable to expose.

But the best approach might be to just change the API such that we don't need the function. Which could be done by having an MSM func that takes in the values from the smaller field and then does the conversion on its own. This would also improve safety since we rely on MSM to constrain the limbs.

@TomAFrench WDYT?

[TomAFrench]

Merging master as I want to check if failures in another branch are from master.

[TomAFrench]

Note that the format of safety comments is in the process of changing.

[benesjan]

@TomAFrench @nventuro could I get an approval here or are we waiting for new Noir sync?

I've already addressed all of Nico's comments here and it now contains only safety warnings so I think this should be fine to merge.

I am having too many PRs open...

[TomAFrench]

As soon as ci is unfucked we're going to be merging a change to the safety comment format so i think we should either hold off until that's in or just preemptively switch to the new format .

[TomAFrench]

The new comment format is now in Aztec packages