From 9cca9168e6019f6c36ea5cd26948ace0e1cefc76 Mon Sep 17 00:00:00 2001 From: Michael J Klein Date: Tue, 7 Jan 2025 15:19:52 -0500 Subject: [PATCH] feat: `--pedantic-solving` flag (#6716) Co-authored-by: Akosh Farkash Co-authored-by: Tom French <15848336+TomAFrench@users.noreply.github.com> --- .github/workflows/test-js-packages.yml | 2 +- Cargo.lock | 46 +++ acvm-repo/acvm/src/pwg/blackbox/bigint.rs | 9 +- acvm-repo/acvm/src/pwg/blackbox/logic.rs | 12 +- acvm-repo/acvm/src/pwg/blackbox/mod.rs | 12 +- acvm-repo/acvm/src/pwg/blackbox/range.rs | 5 +- acvm-repo/acvm/src/pwg/memory_op.rs | 30 +- acvm-repo/acvm/src/pwg/mod.rs | 68 +++- acvm-repo/acvm/tests/solver.rs | 369 +++++++++++------- acvm-repo/acvm_js/src/execute.rs | 73 +++- acvm-repo/blackbox_solver/Cargo.toml | 1 + acvm-repo/blackbox_solver/src/bigint.rs | 100 ++++- .../src/curve_specific_solver.rs | 15 +- .../src/embedded_curve_ops.rs | 115 ++++-- acvm-repo/bn254_blackbox_solver/src/lib.rs | 10 +- acvm-repo/brillig_vm/src/lib.rs | 70 ++-- compiler/noirc_driver/src/lib.rs | 14 +- .../noirc_evaluator/src/brillig/brillig_ir.rs | 4 + .../src/ssa/ir/instruction/call.rs | 5 +- .../src/ssa/opt/constant_folding.rs | 3 +- .../noirc_frontend/src/elaborator/comptime.rs | 3 +- compiler/noirc_frontend/src/elaborator/mod.rs | 22 +- .../src/hir/comptime/interpreter.rs | 8 +- .../src/hir/comptime/interpreter/foreign.rs | 26 +- .../noirc_frontend/src/hir/comptime/tests.rs | 10 +- .../src/hir/def_collector/dc_crate.rs | 17 +- .../noirc_frontend/src/hir/def_map/mod.rs | 2 + compiler/noirc_frontend/src/tests.rs | 2 + examples/codegen_verifier/codegen_verifier.sh | 2 +- examples/prove_and_verify/prove_and_verify.sh | 4 +- .../comptime_blackbox/src/main.nr | 8 +- tooling/acvm_cli/src/cli/execute_cmd.rs | 12 +- tooling/debugger/src/context.rs | 11 +- tooling/lsp/src/lib.rs | 2 +- tooling/lsp/src/requests/mod.rs | 2 +- tooling/lsp/src/solver.rs | 4 + tooling/lsp/src/test_utils.rs | 2 +- tooling/nargo_cli/benches/criterion.rs | 3 +- tooling/nargo_cli/build.rs | 2 +- tooling/nargo_cli/src/cli/dap_cmd.rs | 12 +- tooling/nargo_cli/src/cli/debug_cmd.rs | 24 +- tooling/nargo_cli/src/cli/execute_cmd.rs | 15 +- tooling/nargo_cli/src/cli/info_cmd.rs | 4 +- tooling/nargo_cli/src/cli/lsp_cmd.rs | 3 +- tooling/nargo_cli/tests/stdlib-props.rs | 3 +- tooling/nargo_cli/tests/stdlib-tests.rs | 3 +- .../src/cli/execution_flamegraph_cmd.rs | 10 +- 47 files changed, 879 insertions(+), 300 deletions(-) diff --git a/.github/workflows/test-js-packages.yml b/.github/workflows/test-js-packages.yml index 5222b667c2a..2782b1aa44a 100644 --- a/.github/workflows/test-js-packages.yml +++ b/.github/workflows/test-js-packages.yml @@ -597,7 +597,7 @@ jobs: - name: Run nargo test working-directory: ./test-repo/${{ matrix.project.path }} run: | - nargo test --silence-warnings --skip-brillig-constraints-check --format json ${{ matrix.project.nargo_args }} | tee ${{ github.workspace }}/noir-repo/.github/critical_libraries_status/${{ matrix.project.repo }}/${{ matrix.project.path }}.actual.jsonl + nargo test --silence-warnings --pedantic-solving --skip-brillig-constraints-check --format json ${{ matrix.project.nargo_args }} | tee ${{ github.workspace }}/noir-repo/.github/critical_libraries_status/${{ matrix.project.repo }}/${{ matrix.project.path }}.actual.jsonl env: NARGO_IGNORE_TEST_FAILURES_FROM_FOREIGN_CALLS: true diff --git a/Cargo.lock b/Cargo.lock index 73c2b586bee..7622dd3d029 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -72,6 +72,7 @@ dependencies = [ "keccak", "libaes", "num-bigint", + "num-prime", "p256", "proptest", "sha2", @@ -1761,6 +1762,12 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foldhash" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f81ec6369c545a7d40e4589b5597581fa1c441fe1cce96dd1de43159910a36a2" + [[package]] name = "form_urlencoded" version = "1.2.1" @@ -2056,6 +2063,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3a9bfc1af68b1726ea47d3d5109de126281def866b33970e10fbab11b5dafab3" dependencies = [ "allocator-api2", + "equivalent", + "foldhash", ] [[package]] @@ -2846,6 +2855,15 @@ dependencies = [ "fid-rs", ] +[[package]] +name = "lru" +version = "0.12.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "234cf4f4a04dc1f57e24b96cc0cd600cf2af460d4161ac5ecdd0af8e1f3b2a38" +dependencies = [ + "hashbrown 0.15.1", +] + [[package]] name = "lsp-types" version = "0.88.0" @@ -3466,6 +3484,7 @@ checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" dependencies = [ "num-integer", "num-traits", + "rand", ] [[package]] @@ -3493,6 +3512,33 @@ dependencies = [ "num-traits", ] +[[package]] +name = "num-modular" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "64a5fe11d4135c3bcdf3a95b18b194afa9608a5f6ff034f5d857bc9a27fb0119" +dependencies = [ + "num-bigint", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-prime" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e238432a7881ec7164503ccc516c014bf009be7984cde1ba56837862543bdec3" +dependencies = [ + "bitvec", + "either", + "lru", + "num-bigint", + "num-integer", + "num-modular", + "num-traits", + "rand", +] + [[package]] name = "num-traits" version = "0.2.19" diff --git a/acvm-repo/acvm/src/pwg/blackbox/bigint.rs b/acvm-repo/acvm/src/pwg/blackbox/bigint.rs index 7ce34dbc6fe..eb5a6f81e7d 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/bigint.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/bigint.rs @@ -12,12 +12,16 @@ use crate::pwg::OpcodeResolutionError; /// - When it encounters a bigint operation opcode, it performs the operation on the stored values /// and store the result using the provided ID. /// - When it gets a to_bytes opcode, it simply looks up the value and resolves the output witness accordingly. -#[derive(Default)] pub(crate) struct AcvmBigIntSolver { bigint_solver: BigIntSolver, } impl AcvmBigIntSolver { + pub(crate) fn with_pedantic_solving(pedantic_solving: bool) -> AcvmBigIntSolver { + let bigint_solver = BigIntSolver::with_pedantic_solving(pedantic_solving); + AcvmBigIntSolver { bigint_solver } + } + pub(crate) fn bigint_from_bytes( &mut self, inputs: &[FunctionInput], @@ -39,6 +43,9 @@ impl AcvmBigIntSolver { outputs: &[Witness], initial_witness: &mut WitnessMap, ) -> Result<(), OpcodeResolutionError> { + if self.bigint_solver.pedantic_solving() && outputs.len() != 32 { + panic!("--pedantic-solving: bigint_to_bytes: outputs.len() != 32: {}", outputs.len()); + } let mut bytes = self.bigint_solver.bigint_to_bytes(input)?; while bytes.len() < outputs.len() { bytes.push(0); diff --git a/acvm-repo/acvm/src/pwg/blackbox/logic.rs b/acvm-repo/acvm/src/pwg/blackbox/logic.rs index 8468b0ca27a..3fa72d9b215 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/logic.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/logic.rs @@ -14,13 +14,14 @@ pub(super) fn and( lhs: &FunctionInput, rhs: &FunctionInput, output: &Witness, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { assert_eq!( lhs.num_bits(), rhs.num_bits(), "number of bits specified for each input must be the same" ); - solve_logic_opcode(initial_witness, lhs, rhs, *output, |left, right| { + solve_logic_opcode(initial_witness, lhs, rhs, *output, pedantic_solving, |left, right| { bit_and(left, right, lhs.num_bits()) }) } @@ -32,13 +33,14 @@ pub(super) fn xor( lhs: &FunctionInput, rhs: &FunctionInput, output: &Witness, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { assert_eq!( lhs.num_bits(), rhs.num_bits(), "number of bits specified for each input must be the same" ); - solve_logic_opcode(initial_witness, lhs, rhs, *output, |left, right| { + solve_logic_opcode(initial_witness, lhs, rhs, *output, pedantic_solving, |left, right| { bit_xor(left, right, lhs.num_bits()) }) } @@ -49,11 +51,13 @@ fn solve_logic_opcode( a: &FunctionInput, b: &FunctionInput, result: Witness, + pedantic_solving: bool, logic_op: impl Fn(F, F) -> F, ) -> Result<(), OpcodeResolutionError> { - // TODO(https://github.com/noir-lang/noir/issues/5985): re-enable these once we figure out how to combine these with existing + // TODO(https://github.com/noir-lang/noir/issues/5985): re-enable these by + // default once we figure out how to combine these with existing // noirc_frontend/noirc_evaluator overflow error messages - let skip_bitsize_checks = true; + let skip_bitsize_checks = !pedantic_solving; let w_l_value = input_to_value(initial_witness, *a, skip_bitsize_checks)?; let w_r_value = input_to_value(initial_witness, *b, skip_bitsize_checks)?; let assignment = logic_op(w_l_value, w_r_value); diff --git a/acvm-repo/acvm/src/pwg/blackbox/mod.rs b/acvm-repo/acvm/src/pwg/blackbox/mod.rs index 5137b18179b..2f10e333c24 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/mod.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/mod.rs @@ -76,9 +76,15 @@ pub(crate) fn solve( BlackBoxFuncCall::AES128Encrypt { inputs, iv, key, outputs } => { solve_aes128_encryption_opcode(initial_witness, inputs, iv, key, outputs) } - BlackBoxFuncCall::AND { lhs, rhs, output } => and(initial_witness, lhs, rhs, output), - BlackBoxFuncCall::XOR { lhs, rhs, output } => xor(initial_witness, lhs, rhs, output), - BlackBoxFuncCall::RANGE { input } => solve_range_opcode(initial_witness, input), + BlackBoxFuncCall::AND { lhs, rhs, output } => { + and(initial_witness, lhs, rhs, output, backend.pedantic_solving()) + } + BlackBoxFuncCall::XOR { lhs, rhs, output } => { + xor(initial_witness, lhs, rhs, output, backend.pedantic_solving()) + } + BlackBoxFuncCall::RANGE { input } => { + solve_range_opcode(initial_witness, input, backend.pedantic_solving()) + } BlackBoxFuncCall::Blake2s { inputs, outputs } => { solve_generic_256_hash_opcode(initial_witness, inputs, None, outputs, blake2s) } diff --git a/acvm-repo/acvm/src/pwg/blackbox/range.rs b/acvm-repo/acvm/src/pwg/blackbox/range.rs index 4f9be14360e..d7083e4b9c0 100644 --- a/acvm-repo/acvm/src/pwg/blackbox/range.rs +++ b/acvm-repo/acvm/src/pwg/blackbox/range.rs @@ -7,10 +7,11 @@ use acir::{circuit::opcodes::FunctionInput, native_types::WitnessMap, AcirField} pub(crate) fn solve_range_opcode( initial_witness: &WitnessMap, input: &FunctionInput, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { // TODO(https://github.com/noir-lang/noir/issues/5985): - // re-enable bitsize checks - let skip_bitsize_checks = true; + // re-enable bitsize checks by default + let skip_bitsize_checks = !pedantic_solving; let w_value = input_to_value(initial_witness, *input, skip_bitsize_checks)?; if w_value.num_bits() > input.num_bits() { return Err(OpcodeResolutionError::UnsatisfiedConstrain { diff --git a/acvm-repo/acvm/src/pwg/memory_op.rs b/acvm-repo/acvm/src/pwg/memory_op.rs index a9ed7f5d15b..1a6519d19c5 100644 --- a/acvm-repo/acvm/src/pwg/memory_op.rs +++ b/acvm-repo/acvm/src/pwg/memory_op.rs @@ -66,6 +66,7 @@ impl MemoryOpSolver { op: &MemOp, initial_witness: &mut WitnessMap, predicate: &Option>, + pedantic_solving: bool, ) -> Result<(), OpcodeResolutionError> { let operation = get_value(&op.operation, initial_witness)?; @@ -83,7 +84,9 @@ impl MemoryOpSolver { let is_read_operation = operation.is_zero(); // Fetch whether or not the predicate is false (e.g. equal to zero) - let skip_operation = is_predicate_false(initial_witness, predicate)?; + let opcode_location = ErrorLocation::Unresolved; + let skip_operation = + is_predicate_false(initial_witness, predicate, pedantic_solving, &opcode_location)?; if is_read_operation { // `value_read = arr[memory_index]` @@ -131,6 +134,9 @@ mod tests { use super::MemoryOpSolver; + // use pedantic_solving for tests + const PEDANTIC_SOLVING: bool = true; + #[test] fn test_solver() { let mut initial_witness = WitnessMap::from(BTreeMap::from_iter([ @@ -150,7 +156,9 @@ mod tests { block_solver.init(&init, &initial_witness).unwrap(); for op in trace { - block_solver.solve_memory_op(&op, &mut initial_witness, &None).unwrap(); + block_solver + .solve_memory_op(&op, &mut initial_witness, &None, PEDANTIC_SOLVING) + .unwrap(); } assert_eq!(initial_witness[&Witness(4)], FieldElement::from(2u128)); @@ -175,7 +183,9 @@ mod tests { let mut err = None; for op in invalid_trace { if err.is_none() { - err = block_solver.solve_memory_op(&op, &mut initial_witness, &None).err(); + err = block_solver + .solve_memory_op(&op, &mut initial_witness, &None, PEDANTIC_SOLVING) + .err(); } } @@ -209,7 +219,12 @@ mod tests { for op in invalid_trace { if err.is_none() { err = block_solver - .solve_memory_op(&op, &mut initial_witness, &Some(Expression::zero())) + .solve_memory_op( + &op, + &mut initial_witness, + &Some(Expression::zero()), + PEDANTIC_SOLVING, + ) .err(); } } @@ -241,7 +256,12 @@ mod tests { for op in invalid_trace { if err.is_none() { err = block_solver - .solve_memory_op(&op, &mut initial_witness, &Some(Expression::zero())) + .solve_memory_op( + &op, + &mut initial_witness, + &Some(Expression::zero()), + PEDANTIC_SOLVING, + ) .err(); } } diff --git a/acvm-repo/acvm/src/pwg/mod.rs b/acvm-repo/acvm/src/pwg/mod.rs index e125ae419e4..ddc708e4238 100644 --- a/acvm-repo/acvm/src/pwg/mod.rs +++ b/acvm-repo/acvm/src/pwg/mod.rs @@ -145,6 +145,8 @@ pub enum OpcodeResolutionError { AcirMainCallAttempted { opcode_location: ErrorLocation }, #[error("{results_size:?} result values were provided for {outputs_size:?} call output witnesses, most likely due to bad ACIR codegen")] AcirCallOutputsMismatch { opcode_location: ErrorLocation, results_size: u32, outputs_size: u32 }, + #[error("(--pedantic): Predicates are expected to be 0 or 1, but found: {pred_value}")] + PredicateLargerThanOne { opcode_location: ErrorLocation, pred_value: F }, } impl From for OpcodeResolutionError { @@ -227,11 +229,12 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { assertion_payloads: &'a [(OpcodeLocation, AssertionPayload)], ) -> Self { let status = if opcodes.is_empty() { ACVMStatus::Solved } else { ACVMStatus::InProgress }; + let bigint_solver = AcvmBigIntSolver::with_pedantic_solving(backend.pedantic_solving()); ACVM { status, backend, block_solvers: HashMap::default(), - bigint_solver: AcvmBigIntSolver::default(), + bigint_solver, opcodes, instruction_pointer: 0, witness_map: initial_witness, @@ -403,7 +406,12 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { } Opcode::MemoryOp { block_id, op, predicate } => { let solver = self.block_solvers.entry(*block_id).or_default(); - solver.solve_memory_op(op, &mut self.witness_map, predicate) + solver.solve_memory_op( + op, + &mut self.witness_map, + predicate, + self.backend.pedantic_solving(), + ) } Opcode::BrilligCall { .. } => match self.solve_brillig_call_opcode() { Ok(Some(foreign_call)) => return self.wait_for_foreign_call(foreign_call), @@ -507,7 +515,14 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { unreachable!("Not executing a BrilligCall opcode"); }; - if is_predicate_false(&self.witness_map, predicate)? { + let opcode_location = + ErrorLocation::Resolved(OpcodeLocation::Acir(self.instruction_pointer())); + if is_predicate_false( + &self.witness_map, + predicate, + self.backend.pedantic_solving(), + &opcode_location, + )? { return BrilligSolver::::zero_out_brillig_outputs(&mut self.witness_map, outputs) .map(|_| None); } @@ -584,8 +599,15 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { return StepResult::Status(self.solve_opcode()); }; + let opcode_location = + ErrorLocation::Resolved(OpcodeLocation::Acir(self.instruction_pointer())); let witness = &mut self.witness_map; - let should_skip = match is_predicate_false(witness, predicate) { + let should_skip = match is_predicate_false( + witness, + predicate, + self.backend.pedantic_solving(), + &opcode_location, + ) { Ok(result) => result, Err(err) => return StepResult::Status(self.handle_opcode_resolution(Err(err))), }; @@ -627,15 +649,19 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { else { unreachable!("Not executing a Call opcode"); }; + + let opcode_location = + ErrorLocation::Resolved(OpcodeLocation::Acir(self.instruction_pointer())); if *id == AcirFunctionId(0) { - return Err(OpcodeResolutionError::AcirMainCallAttempted { - opcode_location: ErrorLocation::Resolved(OpcodeLocation::Acir( - self.instruction_pointer(), - )), - }); + return Err(OpcodeResolutionError::AcirMainCallAttempted { opcode_location }); } - if is_predicate_false(&self.witness_map, predicate)? { + if is_predicate_false( + &self.witness_map, + predicate, + self.backend.pedantic_solving(), + &opcode_location, + )? { // Zero out the outputs if we have a false predicate for output in outputs { insert_value(output, F::zero(), &mut self.witness_map)?; @@ -655,9 +681,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> ACVM<'a, F, B> { let result_values = &self.acir_call_results[self.acir_call_counter]; if outputs.len() != result_values.len() { return Err(OpcodeResolutionError::AcirCallOutputsMismatch { - opcode_location: ErrorLocation::Resolved(OpcodeLocation::Acir( - self.instruction_pointer(), - )), + opcode_location, results_size: result_values.len() as u32, outputs_size: outputs.len() as u32, }); @@ -776,9 +800,25 @@ fn any_witness_from_expression(expr: &Expression) -> Option { pub(crate) fn is_predicate_false( witness: &WitnessMap, predicate: &Option>, + pedantic_solving: bool, + opcode_location: &ErrorLocation, ) -> Result> { match predicate { - Some(pred) => get_value(pred, witness).map(|pred_value| pred_value.is_zero()), + Some(pred) => { + let pred_value = get_value(pred, witness)?; + let predicate_is_false = pred_value.is_zero(); + if pedantic_solving { + // We expect that the predicate should resolve to either 0 or 1. + if !predicate_is_false && !pred_value.is_one() { + let opcode_location = *opcode_location; + return Err(OpcodeResolutionError::PredicateLargerThanOne { + opcode_location, + pred_value, + }); + } + } + Ok(predicate_is_false) + } // If the predicate is `None`, then we treat it as an unconditional `true` None => Ok(false), } diff --git a/acvm-repo/acvm/tests/solver.rs b/acvm-repo/acvm/tests/solver.rs index 5998b5e6d05..2fd61050377 100644 --- a/acvm-repo/acvm/tests/solver.rs +++ b/acvm-repo/acvm/tests/solver.rs @@ -15,7 +15,7 @@ use acir::{ }; use acvm::pwg::{ACVMStatus, ErrorLocation, ForeignCallWaitInfo, OpcodeResolutionError, ACVM}; -use acvm_blackbox_solver::StubbedBlackBoxSolver; +use acvm_blackbox_solver::{BigIntSolver, StubbedBlackBoxSolver}; use bn254_blackbox_solver::{field_from_hex, Bn254BlackBoxSolver, POSEIDON2_CONFIG}; use brillig_vm::brillig::HeapValueType; @@ -27,6 +27,7 @@ use proptest::sample::select; #[test] fn bls12_381_circuit() { + let solver = StubbedBlackBoxSolver::default(); type Bls12FieldElement = GenericFieldElement; let addition = Opcode::AssertZero(Expression { @@ -46,7 +47,7 @@ fn bls12_381_circuit() { ]) .into(); - let mut acvm = ACVM::new(&StubbedBlackBoxSolver, &opcodes, witness_assignments, &[], &[]); + let mut acvm = ACVM::new(&solver, &opcodes, witness_assignments, &[], &[]); // use the partial witness generation solver with our acir program let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved, "should be fully solved"); @@ -59,6 +60,7 @@ fn bls12_381_circuit() { #[test] fn inversion_brillig_oracle_equivalence() { + let solver = StubbedBlackBoxSolver::default(); // Opcodes below describe the following: // fn main(x : Field, y : pub Field) { // let z = x + y; @@ -168,13 +170,7 @@ fn inversion_brillig_oracle_equivalence() { ]) .into(); let unconstrained_functions = vec![brillig_bytecode]; - let mut acvm = ACVM::new( - &StubbedBlackBoxSolver, - &opcodes, - witness_assignments, - &unconstrained_functions, - &[], - ); + let mut acvm = ACVM::new(&solver, &opcodes, witness_assignments, &unconstrained_functions, &[]); // use the partial witness generation solver with our acir program let solver_status = acvm.solve(); @@ -203,6 +199,7 @@ fn inversion_brillig_oracle_equivalence() { #[test] fn double_inversion_brillig_oracle() { + let solver = StubbedBlackBoxSolver::default(); // Opcodes below describe the following: // fn main(x : Field, y : pub Field) { // let z = x + y; @@ -334,13 +331,7 @@ fn double_inversion_brillig_oracle() { ]) .into(); let unconstrained_functions = vec![brillig_bytecode]; - let mut acvm = ACVM::new( - &StubbedBlackBoxSolver, - &opcodes, - witness_assignments, - &unconstrained_functions, - &[], - ); + let mut acvm = ACVM::new(&solver, &opcodes, witness_assignments, &unconstrained_functions, &[]); // use the partial witness generation solver with our acir program let solver_status = acvm.solve(); @@ -387,6 +378,7 @@ fn double_inversion_brillig_oracle() { #[test] fn oracle_dependent_execution() { + let solver = StubbedBlackBoxSolver::default(); // This test ensures that we properly track the list of opcodes which still need to be resolved // across any brillig foreign calls we may have to perform. // @@ -491,13 +483,7 @@ fn oracle_dependent_execution() { let witness_assignments = BTreeMap::from([(w_x, FieldElement::from(2u128)), (w_y, FieldElement::from(2u128))]).into(); let unconstrained_functions = vec![brillig_bytecode]; - let mut acvm = ACVM::new( - &StubbedBlackBoxSolver, - &opcodes, - witness_assignments, - &unconstrained_functions, - &[], - ); + let mut acvm = ACVM::new(&solver, &opcodes, witness_assignments, &unconstrained_functions, &[]); // use the partial witness generation solver with our acir program let solver_status = acvm.solve(); @@ -543,6 +529,7 @@ fn oracle_dependent_execution() { #[test] fn brillig_oracle_predicate() { + let solver = StubbedBlackBoxSolver::default(); let fe_0 = FieldElement::zero(); let fe_1 = FieldElement::one(); let w_x = Witness(1); @@ -613,13 +600,7 @@ fn brillig_oracle_predicate() { ]) .into(); let unconstrained_functions = vec![brillig_bytecode]; - let mut acvm = ACVM::new( - &StubbedBlackBoxSolver, - &opcodes, - witness_assignments, - &unconstrained_functions, - &[], - ); + let mut acvm = ACVM::new(&solver, &opcodes, witness_assignments, &unconstrained_functions, &[]); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved, "should be fully solved"); @@ -629,6 +610,7 @@ fn brillig_oracle_predicate() { #[test] fn unsatisfied_opcode_resolved() { + let solver = StubbedBlackBoxSolver::default(); let a = Witness(0); let b = Witness(1); let c = Witness(2); @@ -654,8 +636,7 @@ fn unsatisfied_opcode_resolved() { let opcodes = vec![Opcode::AssertZero(opcode_a)]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, values, &unconstrained_functions, &[]); + let mut acvm = ACVM::new(&solver, &opcodes, values, &unconstrained_functions, &[]); let solver_status = acvm.solve(); assert_eq!( solver_status, @@ -669,6 +650,7 @@ fn unsatisfied_opcode_resolved() { #[test] fn unsatisfied_opcode_resolved_brillig() { + let solver = StubbedBlackBoxSolver::default(); let a = Witness(0); let b = Witness(1); let c = Witness(2); @@ -778,8 +760,7 @@ fn unsatisfied_opcode_resolved_brillig() { Opcode::AssertZero(opcode_a), ]; let unconstrained_functions = vec![brillig_bytecode]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, values, &unconstrained_functions, &[]); + let mut acvm = ACVM::new(&solver, &opcodes, values, &unconstrained_functions, &[]); let solver_status = acvm.solve(); assert_eq!( solver_status, @@ -794,6 +775,8 @@ fn unsatisfied_opcode_resolved_brillig() { #[test] fn memory_operations() { + let solver = StubbedBlackBoxSolver::default(); + let initial_witness = WitnessMap::from(BTreeMap::from_iter([ (Witness(1), FieldElement::from(1u128)), (Witness(2), FieldElement::from(2u128)), @@ -828,8 +811,7 @@ fn memory_operations() { let opcodes = vec![init, read_op, expression]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let mut acvm = ACVM::new(&solver, &opcodes, initial_witness, &unconstrained_functions, &[]); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -837,39 +819,6 @@ fn memory_operations() { assert_eq!(witness_map[&Witness(8)], FieldElement::from(6u128)); } -fn allowed_bigint_moduli() -> Vec> { - let bn254_fq: Vec = vec![ - 0x47, 0xFD, 0x7C, 0xD8, 0x16, 0x8C, 0x20, 0x3C, 0x8d, 0xca, 0x71, 0x68, 0x91, 0x6a, 0x81, - 0x97, 0x5d, 0x58, 0x81, 0x81, 0xb6, 0x45, 0x50, 0xb8, 0x29, 0xa0, 0x31, 0xe1, 0x72, 0x4e, - 0x64, 0x30, - ]; - let bn254_fr: Vec = vec![ - 1, 0, 0, 240, 147, 245, 225, 67, 145, 112, 185, 121, 72, 232, 51, 40, 93, 88, 129, 129, - 182, 69, 80, 184, 41, 160, 49, 225, 114, 78, 100, 48, - ]; - let secpk1_fr: Vec = vec![ - 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF, 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, - 0xBA, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, - ]; - let secpk1_fq: Vec = vec![ - 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, - ]; - let secpr1_fq: Vec = vec![ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, - 0xFF, 0xFF, - ]; - let secpr1_fr: Vec = vec![ - 81, 37, 99, 252, 194, 202, 185, 243, 132, 158, 23, 167, 173, 250, 230, 188, 255, 255, 255, - 255, 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, - ]; - - vec![bn254_fq, bn254_fr, secpk1_fr, secpk1_fq, secpr1_fq, secpr1_fr] -} - /// Whether to use a FunctionInput::constant or FunctionInput::witness: /// /// (value, use_constant) @@ -916,6 +865,7 @@ fn solve_array_input_blackbox_call( inputs: Vec, num_outputs: usize, num_bits: Option, + pedantic_solving: bool, f: F, ) -> Result, OpcodeResolutionError> where @@ -923,6 +873,7 @@ where (Vec>, Vec), ) -> Result, OpcodeResolutionError>, { + let solver = Bn254BlackBoxSolver(pedantic_solving); let initial_witness_vec: Vec<_> = inputs.iter().enumerate().map(|(i, (x, _))| (Witness(i as u32), *x)).collect(); let outputs: Vec<_> = (0..num_outputs) @@ -934,8 +885,7 @@ where let op = Opcode::BlackBoxFuncCall(f((inputs.clone(), outputs.clone()))?); let opcodes = vec![op]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&Bn254BlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let mut acvm = ACVM::new(&solver, &opcodes, initial_witness, &unconstrained_functions, &[]); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -947,7 +897,7 @@ where } prop_compose! { - fn bigint_with_modulus()(modulus in select(allowed_bigint_moduli())) + fn bigint_with_modulus()(modulus in select(BigIntSolver::allowed_bigint_moduli())) (inputs in proptest::collection::vec(any::<(u8, bool)>(), modulus.len()), modulus in Just(modulus)) -> (Vec, Vec) { let inputs = inputs.into_iter().zip(modulus.iter()).map(|((input, use_constant), modulus_byte)| { @@ -1028,7 +978,9 @@ fn bigint_solve_binary_op_opt( modulus: Vec, lhs: Vec, rhs: Vec, + pedantic_solving: bool, ) -> Result, OpcodeResolutionError> { + let solver = StubbedBlackBoxSolver(pedantic_solving); let initial_witness_vec: Vec<_> = lhs .iter() .chain(rhs.iter()) @@ -1070,8 +1022,7 @@ fn bigint_solve_binary_op_opt( opcodes.push(bigint_to_op); let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let mut acvm = ACVM::new(&solver, &opcodes, initial_witness, &unconstrained_functions, &[]); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -1094,6 +1045,7 @@ fn solve_blackbox_func_call( lhs: (FieldElement, bool), // if false, use a Witness rhs: (FieldElement, bool), // if false, use a Witness ) -> Result> { + let solver = StubbedBlackBoxSolver::default(); let (lhs, lhs_constant) = lhs; let (rhs, rhs_constant) = rhs; @@ -1113,8 +1065,7 @@ fn solve_blackbox_func_call( let op = Opcode::BlackBoxFuncCall(blackbox_func_call(lhs_opt, rhs_opt)?); let opcodes = vec![op]; let unconstrained_functions = vec![]; - let mut acvm = - ACVM::new(&StubbedBlackBoxSolver, &opcodes, initial_witness, &unconstrained_functions, &[]); + let mut acvm = ACVM::new(&solver, &opcodes, initial_witness, &unconstrained_functions, &[]); let solver_status = acvm.solve(); assert_eq!(solver_status, ACVMStatus::Solved); let witness_map = acvm.finalize(); @@ -1230,10 +1181,12 @@ where fn run_both_poseidon2_permutations( inputs: Vec, ) -> Result<(Vec, Vec), OpcodeResolutionError> { + let pedantic_solving = true; let result = solve_array_input_blackbox_call( inputs.clone(), inputs.len(), None, + pedantic_solving, poseidon2_permutation_op, )?; @@ -1283,8 +1236,9 @@ fn bigint_solve_binary_op( modulus: Vec, lhs: Vec, rhs: Vec, + pedantic_solving: bool, ) -> Vec { - bigint_solve_binary_op_opt(Some(middle_op), modulus, lhs, rhs).unwrap() + bigint_solve_binary_op_opt(Some(middle_op), modulus, lhs, rhs, pedantic_solving).unwrap() } // Using the given BigInt modulus, solve the following circuit: @@ -1294,8 +1248,38 @@ fn bigint_solve_binary_op( fn bigint_solve_from_to_le_bytes( modulus: Vec, inputs: Vec, + pedantic_solving: bool, ) -> Vec { - bigint_solve_binary_op_opt(None, modulus, inputs, vec![]).unwrap() + bigint_solve_binary_op_opt(None, modulus, inputs, vec![], pedantic_solving).unwrap() +} + +// Test bigint_solve_from_to_le_bytes with a guaranteed-invalid modulus +// and optional pedantic_solving +fn bigint_from_to_le_bytes_disallowed_modulus_helper( + modulus: &mut Vec, + patch_location: usize, + patch_amount: u8, + zero_or_ones_constant: bool, + use_constant: bool, + pedantic_solving: bool, +) -> (Vec, Vec) { + let allowed_moduli: HashSet> = + BigIntSolver::allowed_bigint_moduli().into_iter().collect(); + let mut patch_location = patch_location % modulus.len(); + let patch_amount = patch_amount.clamp(1, u8::MAX); + while allowed_moduli.contains(modulus) { + modulus[patch_location] = patch_amount.wrapping_add(modulus[patch_location]); + patch_location += 1; + patch_location %= modulus.len(); + } + + let zero_function_input = + if zero_or_ones_constant { FieldElement::zero() } else { FieldElement::one() }; + let zero: Vec<_> = modulus.iter().map(|_| (zero_function_input, use_constant)).collect(); + let expected_results: Vec<_> = drop_use_constant(&zero); + let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero, pedantic_solving); + + (results, expected_results) } fn function_input_from_option( @@ -1388,6 +1372,7 @@ fn prop_assert_injective( distinct_inputs: Vec, num_outputs: usize, num_bits: Option, + pedantic_solving: bool, op: F, ) -> (bool, String) where @@ -1399,11 +1384,22 @@ where { let equal_inputs = drop_use_constant_eq(&inputs, &distinct_inputs); let message = format!("not injective:\n{:?}\n{:?}", &inputs, &distinct_inputs); - let outputs_not_equal = - solve_array_input_blackbox_call(inputs, num_outputs, num_bits, op.clone()) - .expect("injectivity test operations to have valid input") - != solve_array_input_blackbox_call(distinct_inputs, num_outputs, num_bits, op) - .expect("injectivity test operations to have valid input"); + let outputs_not_equal = solve_array_input_blackbox_call( + inputs, + num_outputs, + num_bits, + pedantic_solving, + op.clone(), + ) + .expect("injectivity test operations to have valid input") + != solve_array_input_blackbox_call( + distinct_inputs, + num_outputs, + num_bits, + pedantic_solving, + op, + ) + .expect("injectivity test operations to have valid input"); (equal_inputs || outputs_not_equal, message) } @@ -1483,10 +1479,12 @@ fn poseidon2_permutation_zeroes() { #[test] fn sha256_compression_zeros() { + let pedantic_solving = true; let results = solve_array_input_blackbox_call( [(FieldElement::zero(), false); 24].into(), 8, None, + pedantic_solving, sha256_compression_op, ); let expected_results: Vec<_> = vec![ @@ -1501,7 +1499,8 @@ fn sha256_compression_zeros() { #[test] fn blake2s_zeros() { - let results = solve_array_input_blackbox_call(vec![], 32, None, blake2s_op); + let pedantic_solving = true; + let results = solve_array_input_blackbox_call(vec![], 32, None, pedantic_solving, blake2s_op); let expected_results: Vec<_> = vec![ 105, 33, 122, 48, 121, 144, 128, 148, 225, 17, 33, 208, 66, 53, 74, 124, 31, 85, 182, 72, 44, 161, 165, 30, 27, 37, 13, 253, 30, 208, 238, 249, @@ -1514,7 +1513,8 @@ fn blake2s_zeros() { #[test] fn blake3_zeros() { - let results = solve_array_input_blackbox_call(vec![], 32, None, blake3_op); + let pedantic_solving = true; + let results = solve_array_input_blackbox_call(vec![], 32, None, pedantic_solving, blake3_op); let expected_results: Vec<_> = vec![ 175, 19, 73, 185, 245, 249, 161, 166, 160, 64, 77, 234, 54, 220, 201, 73, 155, 203, 37, 201, 173, 193, 18, 183, 204, 154, 147, 202, 228, 31, 50, 98, @@ -1527,10 +1527,12 @@ fn blake3_zeros() { #[test] fn keccakf1600_zeros() { + let pedantic_solving = true; let results = solve_array_input_blackbox_call( [(FieldElement::zero(), false); 25].into(), 25, Some(64), + pedantic_solving, keccakf1600_op, ); let expected_results: Vec<_> = vec![ @@ -1646,7 +1648,8 @@ proptest! { fn sha256_compression_injective(inputs_distinct_inputs in any_distinct_inputs(None, 24, 24)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; if inputs.len() == 24 && distinct_inputs.len() == 24 { - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 8, None, sha256_compression_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 8, None, pedantic_solving, sha256_compression_op); prop_assert!(result, "{}", message); } } @@ -1654,14 +1657,16 @@ proptest! { #[test] fn blake2s_injective(inputs_distinct_inputs in any_distinct_inputs(None, 0, 32)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, blake2s_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, pedantic_solving, blake2s_op); prop_assert!(result, "{}", message); } #[test] fn blake3_injective(inputs_distinct_inputs in any_distinct_inputs(None, 0, 32)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, blake3_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 32, None, pedantic_solving, blake3_op); prop_assert!(result, "{}", message); } @@ -1670,7 +1675,8 @@ proptest! { let (inputs, distinct_inputs) = inputs_distinct_inputs; assert_eq!(inputs.len(), 25); assert_eq!(distinct_inputs.len(), 25); - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 25, Some(64), keccakf1600_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 25, Some(64), pedantic_solving, keccakf1600_op); prop_assert!(result, "{}", message); } @@ -1679,12 +1685,13 @@ proptest! { #[should_panic(expected = "Failure(BlackBoxFunctionFailed(Poseidon2Permutation, \"the number of inputs does not match specified length. 6 != 7\"))")] fn poseidon2_permutation_invalid_size_fails(inputs_distinct_inputs in any_distinct_inputs(None, 6, 6)) { let (inputs, distinct_inputs) = inputs_distinct_inputs; - let (result, message) = prop_assert_injective(inputs, distinct_inputs, 1, None, poseidon2_permutation_invalid_len_op); + let pedantic_solving = true; + let (result, message) = prop_assert_injective(inputs, distinct_inputs, 1, None, pedantic_solving, poseidon2_permutation_invalid_len_op); prop_assert!(result, "{}", message); } #[test] - fn bigint_from_to_le_bytes_zero_one(modulus in select(allowed_bigint_moduli()), zero_or_ones_constant: bool, use_constant: bool) { + fn bigint_from_to_le_bytes_zero_one(modulus in select(BigIntSolver::allowed_bigint_moduli()), zero_or_ones_constant: bool, use_constant: bool) { let zero_function_input = if zero_or_ones_constant { FieldElement::one() } else { @@ -1692,25 +1699,46 @@ proptest! { }; let zero_or_ones: Vec<_> = modulus.iter().map(|_| (zero_function_input, use_constant)).collect(); let expected_results = drop_use_constant(&zero_or_ones); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero_or_ones); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero_or_ones, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] fn bigint_from_to_le_bytes((input, modulus) in bigint_with_modulus()) { let expected_results: Vec<_> = drop_use_constant(&input); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), input); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] // TODO(https://github.com/noir-lang/noir/issues/5580): desired behavior? - fn bigint_from_to_le_bytes_extra_input_bytes((input, modulus) in bigint_with_modulus(), extra_bytes_len: u8, extra_bytes in proptest::collection::vec(any::<(u8, bool)>(), u8::MAX as usize)) { - let mut input = input; - let mut extra_bytes: Vec<_> = extra_bytes.into_iter().take(extra_bytes_len as usize).map(|(x, use_constant)| (FieldElement::from(x as u128), use_constant)).collect(); + fn bigint_from_to_le_bytes_extra_input_bytes((mut input, modulus) in bigint_with_modulus(), extra_bytes_len: u8, extra_bytes in proptest::collection::vec(any::<(u8, bool)>(), u8::MAX as usize)) { + let mut extra_bytes: Vec<_> = extra_bytes + .into_iter() + .take(extra_bytes_len as usize) + .map(|(x, use_constant)| (FieldElement::from(x as u128), use_constant)) + .collect(); + input.append(&mut extra_bytes); + let expected_results: Vec<_> = drop_use_constant(&input); + let pedantic_solving = false; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); + prop_assert_eq!(results, expected_results) + } + + #[test] + #[should_panic(expected = "--pedantic-solving: bigint_from_bytes: inputs.len() > modulus.len()")] + fn bigint_from_to_le_bytes_extra_input_bytes_with_pedantic((mut input, modulus) in bigint_with_modulus(), extra_bytes_len: u8, extra_bytes in proptest::collection::vec(any::<(u8, bool)>(), u8::MAX as usize)) { + let mut extra_bytes: Vec<_> = extra_bytes + .into_iter() + .take(extra_bytes_len as usize) + .map(|(x, use_constant)| (FieldElement::from(x as u128), use_constant)) + .collect(); input.append(&mut extra_bytes); let expected_results: Vec<_> = drop_use_constant(&input); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), input); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1723,94 +1751,109 @@ proptest! { let larger_value = FieldElement::from(std::cmp::max((u8::MAX as u16) + 1, larger_value) as u128); input[patch_location] = (larger_value, use_constant); let expected_results: Vec<_> = drop_use_constant(&input); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), input); + let pedantic_solving = true; + let results = bigint_solve_from_to_le_bytes(modulus.clone(), input, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] // TODO(https://github.com/noir-lang/noir/issues/5578): this test attempts to use a guaranteed-invalid BigInt modulus // #[should_panic(expected = "attempt to add with overflow")] - fn bigint_from_to_le_bytes_disallowed_modulus(mut modulus in select(allowed_bigint_moduli()), patch_location: usize, patch_amount: u8, zero_or_ones_constant: bool, use_constant: bool) { - let allowed_moduli: HashSet> = allowed_bigint_moduli().into_iter().collect(); - let mut patch_location = patch_location % modulus.len(); - let patch_amount = patch_amount.clamp(1, u8::MAX); - while allowed_moduli.contains(&modulus) { - modulus[patch_location] = patch_amount.wrapping_add(modulus[patch_location]); - patch_location += 1; - patch_location %= modulus.len(); - } - - let zero_function_input = if zero_or_ones_constant { - FieldElement::zero() - } else { - FieldElement::one() - }; - let zero: Vec<_> = modulus.iter().map(|_| (zero_function_input, use_constant)).collect(); - let expected_results: Vec<_> = drop_use_constant(&zero); - let results = bigint_solve_from_to_le_bytes(modulus.clone(), zero); + fn bigint_from_to_le_bytes_disallowed_modulus(mut modulus in select(BigIntSolver::allowed_bigint_moduli()), patch_location: usize, patch_amount: u8, zero_or_ones_constant: bool, use_constant: bool) { + let pedantic_solving = false; + let (results, expected_results) = bigint_from_to_le_bytes_disallowed_modulus_helper( + &mut modulus, + patch_location, + patch_amount, + zero_or_ones_constant, + use_constant, + pedantic_solving, + ); + prop_assert_eq!(results, expected_results) + } + #[test] + #[should_panic(expected = "--pedantic-solving: bigint_from_bytes: disallowed modulus [")] + fn bigint_from_to_le_bytes_disallowed_modulus_panics_with_pedantic(mut modulus in select(BigIntSolver::allowed_bigint_moduli()), patch_location: usize, patch_amount: u8, zero_or_ones_constant: bool, use_constant: bool) { + let pedantic_solving = true; + let (results, expected_results) = bigint_from_to_le_bytes_disallowed_modulus_helper( + &mut modulus, + patch_location, + patch_amount, + zero_or_ones_constant, + use_constant, + pedantic_solving, + ); prop_assert_eq!(results, expected_results) } #[test] fn bigint_add_commutative((xs, ys, modulus) in bigint_pair_with_modulus()) { - let lhs_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone()); - let rhs_results = bigint_solve_binary_op(bigint_add_op(), modulus, ys, xs); + let pedantic_solving = true; + let lhs_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); + let rhs_results = bigint_solve_binary_op(bigint_add_op(), modulus, ys, xs, pedantic_solving); prop_assert_eq!(lhs_results, rhs_results) } #[test] fn bigint_mul_commutative((xs, ys, modulus) in bigint_pair_with_modulus()) { - let lhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone()); - let rhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus, ys, xs); + let pedantic_solving = true; + let lhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); + let rhs_results = bigint_solve_binary_op(bigint_mul_op(), modulus, ys, xs, pedantic_solving); prop_assert_eq!(lhs_results, rhs_results) } #[test] fn bigint_add_associative((xs, ys, zs, modulus) in bigint_triple_with_modulus()) { + let pedantic_solving = true; + // f(f(xs, ys), zs) == - let op_xs_ys = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone()); + let op_xs_ys = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); let xs_ys = use_witnesses(op_xs_ys); - let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs_ys, zs.clone()); + let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs_ys, zs.clone(), pedantic_solving); // f(xs, f(ys, zs)) - let op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone()); + let op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone(), pedantic_solving); let ys_zs = use_witnesses(op_ys_zs); - let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus, xs, ys_zs); + let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus, xs, ys_zs, pedantic_solving); prop_assert_eq!(op_xs_ys_op_zs, op_xs_op_ys_zs) } #[test] fn bigint_mul_associative((xs, ys, zs, modulus) in bigint_triple_with_modulus()) { + let pedantic_solving = true; + // f(f(xs, ys), zs) == - let op_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone()); + let op_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys.clone(), pedantic_solving); let xs_ys = use_witnesses(op_xs_ys); - let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs_ys, zs.clone()); + let op_xs_ys_op_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs_ys, zs.clone(), pedantic_solving); // f(xs, f(ys, zs)) - let op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), ys.clone(), zs.clone()); + let op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), ys.clone(), zs.clone(), pedantic_solving); let ys_zs = use_witnesses(op_ys_zs); - let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus, xs, ys_zs); + let op_xs_op_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus, xs, ys_zs, pedantic_solving); prop_assert_eq!(op_xs_ys_op_zs, op_xs_op_ys_zs) } #[test] fn bigint_mul_add_distributive((xs, ys, zs, modulus) in bigint_triple_with_modulus()) { + let pedantic_solving = true; + // xs * (ys + zs) == - let add_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone()); + let add_ys_zs = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), ys.clone(), zs.clone(), pedantic_solving); let add_ys_zs = use_witnesses(add_ys_zs); - let mul_xs_add_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), add_ys_zs); + let mul_xs_add_ys_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), add_ys_zs, pedantic_solving); // xs * ys + xs * zs - let mul_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys); + let mul_xs_ys = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs.clone(), ys, pedantic_solving); let mul_xs_ys = use_witnesses(mul_xs_ys); - let mul_xs_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, zs); + let mul_xs_zs = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, zs, pedantic_solving); let mul_xs_zs = use_witnesses(mul_xs_zs); - let add_mul_xs_ys_mul_xs_zs = bigint_solve_binary_op(bigint_add_op(), modulus, mul_xs_ys, mul_xs_zs); + let add_mul_xs_ys_mul_xs_zs = bigint_solve_binary_op(bigint_add_op(), modulus, mul_xs_ys, mul_xs_zs, pedantic_solving); prop_assert_eq!(mul_xs_add_ys_zs, add_mul_xs_ys_mul_xs_zs) } @@ -1820,7 +1863,8 @@ proptest! { fn bigint_add_zero_l((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_add_op(), modulus, zero, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_add_op(), modulus, zero, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1829,7 +1873,8 @@ proptest! { fn bigint_mul_zero_l((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&zero); - let results = bigint_solve_binary_op(bigint_mul_op(), modulus, zero, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_mul_op(), modulus, zero, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1837,14 +1882,16 @@ proptest! { fn bigint_mul_one_l((xs, modulus) in bigint_with_modulus()) { let one = bigint_to_one(&xs); let expected_results: Vec<_> = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_mul_op(), modulus, one, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_mul_op(), modulus, one, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] fn bigint_sub_self((xs, modulus) in bigint_with_modulus()) { let expected_results = drop_use_constant(&bigint_zeroed(&xs)); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs.clone(), xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs.clone(), xs, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1852,7 +1899,8 @@ proptest! { fn bigint_sub_zero((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results: Vec<_> = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, zero); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, zero, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1860,14 +1908,16 @@ proptest! { fn bigint_sub_one((xs, modulus) in bigint_with_modulus()) { let one = bigint_to_one(&xs); let expected_results: Vec<_> = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, one); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, xs, one, pedantic_solving); prop_assert!(results != expected_results, "{:?} == {:?}", results, expected_results) } #[test] fn bigint_div_self((xs, modulus) in bigint_with_modulus()) { let one = drop_use_constant(&bigint_to_one(&xs)); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs.clone(), xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs.clone(), xs, pedantic_solving); prop_assert_eq!(results, one) } @@ -1876,7 +1926,18 @@ proptest! { fn bigint_div_by_zero((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&zero); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, zero); + let pedantic_solving = false; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, zero, pedantic_solving); + prop_assert_eq!(results, expected_results) + } + + #[test] + #[should_panic(expected = "Attempted to divide BigInt by zero")] + fn bigint_div_by_zero_with_pedantic((xs, modulus) in bigint_with_modulus()) { + let zero = bigint_zeroed(&xs); + let expected_results = drop_use_constant(&zero); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, zero, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1884,7 +1945,8 @@ proptest! { fn bigint_div_one((xs, modulus) in bigint_with_modulus()) { let one = bigint_to_one(&xs); let expected_results = drop_use_constant(&xs); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, one); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, xs, one, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1892,16 +1954,18 @@ proptest! { fn bigint_div_zero((xs, modulus) in bigint_with_modulus()) { let zero = bigint_zeroed(&xs); let expected_results = drop_use_constant(&zero); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, zero, xs); + let pedantic_solving = true; + let results = bigint_solve_binary_op(bigint_div_op(), modulus, zero, xs, pedantic_solving); prop_assert_eq!(results, expected_results) } #[test] fn bigint_add_sub((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let add_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let add_results = bigint_solve_binary_op(bigint_add_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let add_bigint = use_witnesses(add_results); - let results = bigint_solve_binary_op(bigint_sub_op(), modulus, add_bigint, ys); + let results = bigint_solve_binary_op(bigint_sub_op(), modulus, add_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1909,9 +1973,10 @@ proptest! { #[test] fn bigint_sub_add((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let sub_results = bigint_solve_binary_op(bigint_sub_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let sub_results = bigint_solve_binary_op(bigint_sub_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let add_bigint = use_witnesses(sub_results); - let results = bigint_solve_binary_op(bigint_add_op(), modulus, add_bigint, ys); + let results = bigint_solve_binary_op(bigint_add_op(), modulus, add_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1919,9 +1984,10 @@ proptest! { #[test] fn bigint_div_mul((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let div_results = bigint_solve_binary_op(bigint_div_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let div_results = bigint_solve_binary_op(bigint_div_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let div_bigint = use_witnesses(div_results); - let results = bigint_solve_binary_op(bigint_mul_op(), modulus, div_bigint, ys); + let results = bigint_solve_binary_op(bigint_mul_op(), modulus, div_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } @@ -1929,9 +1995,10 @@ proptest! { #[test] fn bigint_mul_div((xs, ys, modulus) in bigint_pair_with_modulus()) { let expected_results = drop_use_constant(&xs); - let mul_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, ys.clone()); + let pedantic_solving = true; + let mul_results = bigint_solve_binary_op(bigint_mul_op(), modulus.clone(), xs, ys.clone(), pedantic_solving); let mul_bigint = use_witnesses(mul_results); - let results = bigint_solve_binary_op(bigint_div_op(), modulus, mul_bigint, ys); + let results = bigint_solve_binary_op(bigint_div_op(), modulus, mul_bigint, ys, pedantic_solving); prop_assert_eq!(results, expected_results) } diff --git a/acvm-repo/acvm_js/src/execute.rs b/acvm-repo/acvm_js/src/execute.rs index c3627d0eff5..e4d52063977 100644 --- a/acvm-repo/acvm_js/src/execute.rs +++ b/acvm-repo/acvm_js/src/execute.rs @@ -30,12 +30,27 @@ pub async fn execute_circuit( program: Vec, initial_witness: JsWitnessMap, foreign_call_handler: ForeignCallHandler, +) -> Result { + let pedantic_solving = false; + execute_circuit_pedantic(program, initial_witness, foreign_call_handler, pedantic_solving).await +} + +/// `execute_circuit` with pedantic ACVM solving +async fn execute_circuit_pedantic( + program: Vec, + initial_witness: JsWitnessMap, + foreign_call_handler: ForeignCallHandler, + pedantic_solving: bool, ) -> Result { console_error_panic_hook::set_once(); - let mut witness_stack = - execute_program_with_native_type_return(program, initial_witness, &foreign_call_handler) - .await?; + let mut witness_stack = execute_program_with_native_type_return( + program, + initial_witness, + &foreign_call_handler, + pedantic_solving, + ) + .await?; let witness_map = witness_stack.pop().expect("Should have at least one witness on the stack").witness; Ok(witness_map.into()) @@ -53,6 +68,23 @@ pub async fn execute_circuit_with_return_witness( program: Vec, initial_witness: JsWitnessMap, foreign_call_handler: ForeignCallHandler, +) -> Result { + let pedantic_solving = false; + execute_circuit_with_return_witness_pedantic( + program, + initial_witness, + foreign_call_handler, + pedantic_solving, + ) + .await +} + +/// `executeCircuitWithReturnWitness` with pedantic ACVM execution +async fn execute_circuit_with_return_witness_pedantic( + program: Vec, + initial_witness: JsWitnessMap, + foreign_call_handler: ForeignCallHandler, + pedantic_solving: bool, ) -> Result { console_error_panic_hook::set_once(); @@ -63,6 +95,7 @@ pub async fn execute_circuit_with_return_witness( &program, initial_witness, &foreign_call_handler, + pedantic_solving, ) .await?; let solved_witness = @@ -87,12 +120,27 @@ pub async fn execute_program( program: Vec, initial_witness: JsWitnessMap, foreign_call_handler: ForeignCallHandler, +) -> Result { + let pedantic_solving = false; + execute_program_pedantic(program, initial_witness, foreign_call_handler, pedantic_solving).await +} + +/// `execute_program` with pedantic ACVM solving +async fn execute_program_pedantic( + program: Vec, + initial_witness: JsWitnessMap, + foreign_call_handler: ForeignCallHandler, + pedantic_solving: bool, ) -> Result { console_error_panic_hook::set_once(); - let witness_stack = - execute_program_with_native_type_return(program, initial_witness, &foreign_call_handler) - .await?; + let witness_stack = execute_program_with_native_type_return( + program, + initial_witness, + &foreign_call_handler, + pedantic_solving, + ) + .await?; Ok(witness_stack.into()) } @@ -101,6 +149,7 @@ async fn execute_program_with_native_type_return( program: Vec, initial_witness: JsWitnessMap, foreign_call_executor: &ForeignCallHandler, + pedantic_solving: bool, ) -> Result, Error> { let program: Program = Program::deserialize_program(&program) .map_err(|_| JsExecutionError::new( @@ -109,16 +158,22 @@ async fn execute_program_with_native_type_return( None, None))?; - execute_program_with_native_program_and_return(&program, initial_witness, foreign_call_executor) - .await + execute_program_with_native_program_and_return( + &program, + initial_witness, + foreign_call_executor, + pedantic_solving, + ) + .await } async fn execute_program_with_native_program_and_return( program: &Program, initial_witness: JsWitnessMap, foreign_call_executor: &ForeignCallHandler, + pedantic_solving: bool, ) -> Result, Error> { - let blackbox_solver = Bn254BlackBoxSolver; + let blackbox_solver = Bn254BlackBoxSolver(pedantic_solving); let executor = ProgramExecutor::new( &program.functions, &program.unconstrained_functions, diff --git a/acvm-repo/blackbox_solver/Cargo.toml b/acvm-repo/blackbox_solver/Cargo.toml index 532f6f2c54f..2c2e0d7675e 100644 --- a/acvm-repo/blackbox_solver/Cargo.toml +++ b/acvm-repo/blackbox_solver/Cargo.toml @@ -43,6 +43,7 @@ libaes = "0.7.0" [dev-dependencies] proptest.workspace = true +num-prime = { version = "0.4.4", default-features = false, features = ["big-int"] } [features] bn254 = ["acir/bn254"] diff --git a/acvm-repo/blackbox_solver/src/bigint.rs b/acvm-repo/blackbox_solver/src/bigint.rs index dab611a81e8..f7be1e80a55 100644 --- a/acvm-repo/blackbox_solver/src/bigint.rs +++ b/acvm-repo/blackbox_solver/src/bigint.rs @@ -10,14 +10,28 @@ use crate::BlackBoxResolutionError; /// - When it encounters a bigint operation opcode, it performs the operation on the stored values /// and store the result using the provided ID. /// - When it gets a to_bytes opcode, it simply looks up the value and resolves the output witness accordingly. -#[derive(Default, Debug, Clone, PartialEq, Eq)] - +#[derive(Debug, Clone, PartialEq, Eq)] pub struct BigIntSolver { bigint_id_to_value: HashMap, bigint_id_to_modulus: HashMap, + + // Use pedantic ACVM solving + pedantic_solving: bool, } impl BigIntSolver { + pub fn with_pedantic_solving(pedantic_solving: bool) -> BigIntSolver { + BigIntSolver { + bigint_id_to_value: Default::default(), + bigint_id_to_modulus: Default::default(), + pedantic_solving, + } + } + + pub fn pedantic_solving(&self) -> bool { + self.pedantic_solving + } + pub fn get_bigint( &self, id: u32, @@ -51,6 +65,17 @@ impl BigIntSolver { modulus: &[u8], output: u32, ) -> Result<(), BlackBoxResolutionError> { + if self.pedantic_solving { + if !self.is_valid_modulus(modulus) { + panic!("--pedantic-solving: bigint_from_bytes: disallowed modulus {:?}", modulus); + } + if inputs.len() > modulus.len() { + panic!( + "--pedantic-solving: bigint_from_bytes: inputs.len() > modulus.len() {:?}", + (inputs.len(), modulus.len()) + ); + } + } let bigint = BigUint::from_bytes_le(inputs); self.bigint_id_to_value.insert(output, bigint); let modulus = BigUint::from_bytes_le(modulus); @@ -84,8 +109,14 @@ impl BigIntSolver { } BlackBoxFunc::BigIntMul => lhs * rhs, BlackBoxFunc::BigIntDiv => { + if self.pedantic_solving && rhs == BigUint::ZERO { + return Err(BlackBoxResolutionError::Failed( + func, + "Attempted to divide BigInt by zero".to_string(), + )); + } lhs * rhs.modpow(&(&modulus - BigUint::from(2_u32)), &modulus) - } //TODO ensure that modulus is prime + } _ => unreachable!("ICE - bigint_op must be called for an operation"), }; if result > modulus { @@ -96,16 +127,57 @@ impl BigIntSolver { self.bigint_id_to_modulus.insert(output, modulus); Ok(()) } + + pub fn allowed_bigint_moduli() -> Vec> { + let bn254_fq: Vec = vec![ + 0x47, 0xFD, 0x7C, 0xD8, 0x16, 0x8C, 0x20, 0x3C, 0x8d, 0xca, 0x71, 0x68, 0x91, 0x6a, + 0x81, 0x97, 0x5d, 0x58, 0x81, 0x81, 0xb6, 0x45, 0x50, 0xb8, 0x29, 0xa0, 0x31, 0xe1, + 0x72, 0x4e, 0x64, 0x30, + ]; + let bn254_fr: Vec = vec![ + 1, 0, 0, 240, 147, 245, 225, 67, 145, 112, 185, 121, 72, 232, 51, 40, 93, 88, 129, 129, + 182, 69, 80, 184, 41, 160, 49, 225, 114, 78, 100, 48, + ]; + let secpk1_fr: Vec = vec![ + 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF, 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, + 0xAE, 0xBA, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, + ]; + let secpk1_fq: Vec = vec![ + 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, + ]; + let secpr1_fq: Vec = vec![ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0xFF, 0xFF, 0xFF, 0xFF, + ]; + let secpr1_fr: Vec = vec![ + 81, 37, 99, 252, 194, 202, 185, 243, 132, 158, 23, 167, 173, 250, 230, 188, 255, 255, + 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 255, 255, 255, 255, + ]; + vec![bn254_fq, bn254_fr, secpk1_fr, secpk1_fq, secpr1_fq, secpr1_fr] + } + + pub fn is_valid_modulus(&self, modulus: &[u8]) -> bool { + Self::allowed_bigint_moduli().into_iter().any(|allowed_modulus| allowed_modulus == modulus) + } } /// Wrapper over the generic bigint solver to automatically assign bigint IDs. -#[derive(Default, Debug, Clone, PartialEq, Eq)] +#[derive(Debug, Clone, PartialEq, Eq)] pub struct BigIntSolverWithId { solver: BigIntSolver, last_id: u32, } impl BigIntSolverWithId { + pub fn with_pedantic_solving(pedantic_solving: bool) -> BigIntSolverWithId { + let solver = BigIntSolver::with_pedantic_solving(pedantic_solving); + BigIntSolverWithId { solver, last_id: Default::default() } + } + pub fn create_bigint_id(&mut self) -> u32 { let output = self.last_id; self.last_id += 1; @@ -145,3 +217,23 @@ impl BigIntSolverWithId { Ok(id) } } + +#[test] +fn all_allowed_bigint_moduli_are_prime() { + use num_prime::nt_funcs::is_prime; + use num_prime::Primality; + + for modulus in BigIntSolver::allowed_bigint_moduli() { + let modulus = BigUint::from_bytes_le(&modulus); + let prime_test_config = None; + match is_prime(&modulus, prime_test_config) { + Primality::Yes => (), + Primality::No => panic!("not all allowed_bigint_moduli are prime: {modulus}"), + Primality::Probable(probability) => { + if probability < 0.90 { + panic!("not all allowed_bigint_moduli are prime within the allowed probability: {} < 0.90", probability); + } + } + } + } +} diff --git a/acvm-repo/blackbox_solver/src/curve_specific_solver.rs b/acvm-repo/blackbox_solver/src/curve_specific_solver.rs index b8fc3f47033..37fe5d05363 100644 --- a/acvm-repo/blackbox_solver/src/curve_specific_solver.rs +++ b/acvm-repo/blackbox_solver/src/curve_specific_solver.rs @@ -7,6 +7,7 @@ use crate::BlackBoxResolutionError; /// /// Returns an [`BlackBoxResolutionError`] if the backend does not support the given [`acir::BlackBoxFunc`]. pub trait BlackBoxFunctionSolver { + fn pedantic_solving(&self) -> bool; fn multi_scalar_mul( &self, points: &[F], @@ -29,7 +30,16 @@ pub trait BlackBoxFunctionSolver { ) -> Result, BlackBoxResolutionError>; } -pub struct StubbedBlackBoxSolver; +// pedantic_solving: bool +pub struct StubbedBlackBoxSolver(pub bool); + +// pedantic_solving enabled by default +impl Default for StubbedBlackBoxSolver { + fn default() -> StubbedBlackBoxSolver { + let pedantic_solving = true; + StubbedBlackBoxSolver(pedantic_solving) + } +} impl StubbedBlackBoxSolver { fn fail(black_box_function: BlackBoxFunc) -> BlackBoxResolutionError { @@ -41,6 +51,9 @@ impl StubbedBlackBoxSolver { } impl BlackBoxFunctionSolver for StubbedBlackBoxSolver { + fn pedantic_solving(&self) -> bool { + self.0 + } fn multi_scalar_mul( &self, _points: &[F], diff --git a/acvm-repo/bn254_blackbox_solver/src/embedded_curve_ops.rs b/acvm-repo/bn254_blackbox_solver/src/embedded_curve_ops.rs index 6118233b0b7..ffe7fa50089 100644 --- a/acvm-repo/bn254_blackbox_solver/src/embedded_curve_ops.rs +++ b/acvm-repo/bn254_blackbox_solver/src/embedded_curve_ops.rs @@ -1,5 +1,6 @@ // TODO(https://github.com/noir-lang/noir/issues/4932): rename this file to something more generic use ark_ec::AffineRepr; +use ark_ff::MontConfig; use num_bigint::BigUint; use crate::FieldElement; @@ -13,6 +14,7 @@ pub fn multi_scalar_mul( points: &[FieldElement], scalars_lo: &[FieldElement], scalars_hi: &[FieldElement], + pedantic_solving: bool, ) -> Result<(FieldElement, FieldElement, FieldElement), BlackBoxResolutionError> { if points.len() != 3 * scalars_lo.len() || scalars_lo.len() != scalars_hi.len() { return Err(BlackBoxResolutionError::Failed( @@ -24,6 +26,9 @@ pub fn multi_scalar_mul( let mut output_point = ark_grumpkin::Affine::zero(); for i in (0..points.len()).step_by(3) { + if pedantic_solving && points[i + 2] > FieldElement::one() { + panic!("--pedantic-solving: is_infinity expected to be a bool, but found to be > 1") + } let point = create_point(points[i], points[i + 1], points[i + 2] == FieldElement::from(1_u128)) .map_err(|e| BlackBoxResolutionError::Failed(BlackBoxFunc::MultiScalarMul, e))?; @@ -48,12 +53,12 @@ pub fn multi_scalar_mul( let grumpkin_integer = BigUint::from_bytes_be(&bytes); // Check if this is smaller than the grumpkin modulus - // if grumpkin_integer >= ark_grumpkin::FrConfig::MODULUS.into() { - // return Err(BlackBoxResolutionError::Failed( - // BlackBoxFunc::MultiScalarMul, - // format!("{} is not a valid grumpkin scalar", grumpkin_integer.to_str_radix(16)), - // )); - // } + if pedantic_solving && grumpkin_integer >= ark_grumpkin::FrConfig::MODULUS.into() { + return Err(BlackBoxResolutionError::Failed( + BlackBoxFunc::MultiScalarMul, + format!("{} is not a valid grumpkin scalar", grumpkin_integer.to_str_radix(16)), + )); + } let iteration_output_point = ark_grumpkin::Affine::from(point.mul_bigint(grumpkin_integer.to_u64_digits())); @@ -75,11 +80,28 @@ pub fn multi_scalar_mul( pub fn embedded_curve_add( input1: [FieldElement; 3], input2: [FieldElement; 3], + pedantic_solving: bool, ) -> Result<(FieldElement, FieldElement, FieldElement), BlackBoxResolutionError> { + if pedantic_solving && (input1[2] > FieldElement::one() || input2[2] > FieldElement::one()) { + panic!("--pedantic-solving: is_infinity expected to be a bool, but found to be > 1") + } + let point1 = create_point(input1[0], input1[1], input1[2] == FieldElement::one()) .map_err(|e| BlackBoxResolutionError::Failed(BlackBoxFunc::EmbeddedCurveAdd, e))?; let point2 = create_point(input2[0], input2[1], input2[2] == FieldElement::one()) .map_err(|e| BlackBoxResolutionError::Failed(BlackBoxFunc::EmbeddedCurveAdd, e))?; + + if pedantic_solving { + for point in [point1, point2] { + if point == ark_grumpkin::Affine::zero() { + return Err(BlackBoxResolutionError::Failed( + BlackBoxFunc::EmbeddedCurveAdd, + format!("Infinite input: embedded_curve_add({}, {})", point1, point2), + )); + } + } + } + let res = ark_grumpkin::Affine::from(point1 + point2); if let Some((res_x, res_y)) = res.xy() { Ok(( @@ -118,6 +140,7 @@ fn create_point( #[cfg(test)] mod tests { use super::*; + use ark_ff::BigInteger; fn get_generator() -> [FieldElement; 3] { let generator = ark_grumpkin::Affine::generator(); @@ -131,7 +154,13 @@ mod tests { // We check that multiplying 1 by generator results in the generator let generator = get_generator(); - let res = multi_scalar_mul(&generator, &[FieldElement::one()], &[FieldElement::zero()])?; + let pedantic_solving = true; + let res = multi_scalar_mul( + &generator, + &[FieldElement::one()], + &[FieldElement::zero()], + pedantic_solving, + )?; assert_eq!(generator[0], res.0); assert_eq!(generator[1], res.1); @@ -144,7 +173,8 @@ mod tests { let scalars_lo = [FieldElement::one()]; let scalars_hi = [FieldElement::from(2u128)]; - let res = multi_scalar_mul(&points, &scalars_lo, &scalars_hi)?; + let pedantic_solving = true; + let res = multi_scalar_mul(&points, &scalars_lo, &scalars_hi, pedantic_solving)?; let x = "0702ab9c7038eeecc179b4f209991bcb68c7cb05bf4c532d804ccac36199c9a9"; let y = "23f10e9e43a3ae8d75d24154e796aae12ae7af546716e8f81a2564f1b5814130"; @@ -165,30 +195,33 @@ mod tests { "Limb 0000000000000000000000000000000100000000000000000000000000000000 is not less than 2^128".into(), )); - let res = multi_scalar_mul(&points, &[FieldElement::one()], &[invalid_limb]); + let pedantic_solving = true; + let res = + multi_scalar_mul(&points, &[FieldElement::one()], &[invalid_limb], pedantic_solving); assert_eq!(res, expected_error); - let res = multi_scalar_mul(&points, &[invalid_limb], &[FieldElement::one()]); + let res = + multi_scalar_mul(&points, &[invalid_limb], &[FieldElement::one()], pedantic_solving); assert_eq!(res, expected_error); } - // #[test] - // fn rejects_grumpkin_modulus() { - // let x = ark_grumpkin::FrConfig::MODULUS.to_bytes_be(); - - // let low = FieldElement::from_be_bytes_reduce(&x[16..32]); - // let high = FieldElement::from_be_bytes_reduce(&x[0..16]); + #[test] + fn rejects_grumpkin_modulus_when_pedantic() { + let x = ark_grumpkin::FrConfig::MODULUS.to_bytes_be(); + let low = FieldElement::from_be_bytes_reduce(&x[16..32]); + let high = FieldElement::from_be_bytes_reduce(&x[0..16]); - // let res = multi_scalar_mul(&get_generator(), &[low], &[high]); + let pedantic_solving = true; + let res = multi_scalar_mul(&get_generator(), &[low], &[high], pedantic_solving); - // assert_eq!( - // res, - // Err(BlackBoxResolutionError::Failed( - // BlackBoxFunc::MultiScalarMul, - // "30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47 is not a valid grumpkin scalar".into(), - // )) - // ); - // } + assert_eq!( + res, + Err(BlackBoxResolutionError::Failed( + BlackBoxFunc::MultiScalarMul, + "30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47 is not a valid grumpkin scalar".into(), + )) + ); + } #[test] fn rejects_invalid_point() { @@ -197,10 +230,12 @@ mod tests { let valid_scalar_low = FieldElement::zero(); let valid_scalar_high = FieldElement::zero(); + let pedantic_solving = true; let res = multi_scalar_mul( &[invalid_point_x, invalid_point_y, FieldElement::zero()], &[valid_scalar_low], &[valid_scalar_high], + pedantic_solving, ); assert_eq!( @@ -218,7 +253,8 @@ mod tests { let scalars_lo = [FieldElement::from(2u128)]; let scalars_hi = []; - let res = multi_scalar_mul(&points, &scalars_lo, &scalars_hi); + let pedantic_solving = true; + let res = multi_scalar_mul(&points, &scalars_lo, &scalars_hi, pedantic_solving); assert_eq!( res, @@ -234,9 +270,11 @@ mod tests { let x = FieldElement::from(1u128); let y = FieldElement::from(2u128); + let pedantic_solving = true; let res = embedded_curve_add( [x, y, FieldElement::from(0u128)], [x, y, FieldElement::from(0u128)], + pedantic_solving, ); assert_eq!( @@ -248,16 +286,39 @@ mod tests { ); } + #[test] + fn rejects_addition_of_infinite_points_when_pedantic() { + let x = FieldElement::from(1u128); + let y = FieldElement::from(1u128); + + let pedantic_solving = true; + let res = embedded_curve_add( + [x, y, FieldElement::from(1u128)], + [x, y, FieldElement::from(1u128)], + pedantic_solving, + ); + + assert_eq!( + res, + Err(BlackBoxResolutionError::Failed( + BlackBoxFunc::EmbeddedCurveAdd, + "Infinite input: embedded_curve_add(infinity, infinity)".into(), + )) + ); + } + #[test] fn output_of_msm_matches_add() -> Result<(), BlackBoxResolutionError> { let points = get_generator(); let scalars_lo = [FieldElement::from(2u128)]; let scalars_hi = [FieldElement::zero()]; - let msm_res = multi_scalar_mul(&points, &scalars_lo, &scalars_hi)?; + let pedantic_solving = true; + let msm_res = multi_scalar_mul(&points, &scalars_lo, &scalars_hi, pedantic_solving)?; let add_res = embedded_curve_add( [points[0], points[1], FieldElement::from(0u128)], [points[0], points[1], FieldElement::from(0u128)], + pedantic_solving, )?; assert_eq!(msm_res.0, add_res.0); diff --git a/acvm-repo/bn254_blackbox_solver/src/lib.rs b/acvm-repo/bn254_blackbox_solver/src/lib.rs index f738a375ab1..fc031faefa2 100644 --- a/acvm-repo/bn254_blackbox_solver/src/lib.rs +++ b/acvm-repo/bn254_blackbox_solver/src/lib.rs @@ -20,16 +20,21 @@ pub use poseidon2::{ type FieldElement = acir::acir_field::GenericFieldElement; #[derive(Default)] -pub struct Bn254BlackBoxSolver; +// pedantic_solving: bool +pub struct Bn254BlackBoxSolver(pub bool); impl BlackBoxFunctionSolver for Bn254BlackBoxSolver { + fn pedantic_solving(&self) -> bool { + self.0 + } + fn multi_scalar_mul( &self, points: &[FieldElement], scalars_lo: &[FieldElement], scalars_hi: &[FieldElement], ) -> Result<(FieldElement, FieldElement, FieldElement), BlackBoxResolutionError> { - multi_scalar_mul(points, scalars_lo, scalars_hi) + multi_scalar_mul(points, scalars_lo, scalars_hi, self.pedantic_solving()) } fn ec_add( @@ -44,6 +49,7 @@ impl BlackBoxFunctionSolver for Bn254BlackBoxSolver { embedded_curve_add( [*input1_x, *input1_y, *input1_infinite], [*input2_x, *input2_y, *input2_infinite], + self.pedantic_solving(), ) } diff --git a/acvm-repo/brillig_vm/src/lib.rs b/acvm-repo/brillig_vm/src/lib.rs index 639fd0e99f1..4459c222770 100644 --- a/acvm-repo/brillig_vm/src/lib.rs +++ b/acvm-repo/brillig_vm/src/lib.rs @@ -134,6 +134,8 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> VM<'a, F, B> { } None => (false, Vec::new(), HashMap::new()), }; + let bigint_solver = + BrilligBigIntSolver::with_pedantic_solving(black_box_solver.pedantic_solving()); Self { calldata, program_counter: 0, @@ -144,7 +146,7 @@ impl<'a, F: AcirField, B: BlackBoxFunctionSolver> VM<'a, F, B> { memory: Memory::default(), call_stack: Vec::new(), black_box_solver, - bigint_solver: Default::default(), + bigint_solver, profiling_active, profiling_samples: Vec::with_capacity(bytecode.len()), fuzzing_active, @@ -1029,7 +1031,8 @@ mod tests { }]; // Start VM - let mut vm = VM::new(calldata, &opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, &opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::Finished { return_data_offset: 0, return_data_size: 0 }); @@ -1079,7 +1082,8 @@ mod tests { Opcode::JumpIf { condition: destination, location: 6 }, ]; - let mut vm = VM::new(calldata, &opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, &opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::InProgress); @@ -1147,7 +1151,8 @@ mod tests { }, ]; - let mut vm = VM::new(calldata, &opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, &opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::InProgress); @@ -1219,7 +1224,8 @@ mod tests { }, }, ]; - let mut vm = VM::new(calldata, opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::InProgress); @@ -1279,7 +1285,8 @@ mod tests { }, }, ]; - let mut vm = VM::new(calldata, opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::InProgress); @@ -1325,7 +1332,8 @@ mod tests { }, Opcode::Mov { destination: MemoryAddress::direct(2), source: MemoryAddress::direct(0) }, ]; - let mut vm = VM::new(calldata, opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::InProgress); @@ -1390,7 +1398,8 @@ mod tests { condition: MemoryAddress::direct(1), }, ]; - let mut vm = VM::new(calldata, opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::InProgress); @@ -1486,7 +1495,8 @@ mod tests { .chain(cast_opcodes) .chain([equal_opcode, not_equal_opcode, less_than_opcode, less_than_equal_opcode]) .collect(); - let mut vm = VM::new(calldata, &opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, &opcodes, vec![], &solver, false); // Calldata copy let status = vm.process_opcode(); @@ -1586,7 +1596,8 @@ mod tests { ]; let opcodes = [&start[..], &loop_body[..]].concat(); - let vm = brillig_execute_and_get_vm(vec![], &opcodes); + let solver = StubbedBlackBoxSolver::default(); + let vm = brillig_execute_and_get_vm(vec![], &opcodes, &solver); vm.get_memory()[4..].to_vec() } @@ -1614,7 +1625,8 @@ mod tests { value: FieldElement::from(27_usize), }, ]; - let mut vm = VM::new(vec![], opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(vec![], opcodes, vec![], &solver, false); let status = vm.process_opcode(); assert_eq!(status, VMStatus::InProgress); @@ -1728,7 +1740,8 @@ mod tests { ]; let opcodes = [&start[..], &loop_body[..]].concat(); - let vm = brillig_execute_and_get_vm(memory, &opcodes); + let solver = StubbedBlackBoxSolver::default(); + let vm = brillig_execute_and_get_vm(memory, &opcodes, &solver); vm.memory.read(r_sum).to_field() } @@ -1819,7 +1832,8 @@ mod tests { ]; let opcodes = [&start[..], &recursive_fn[..]].concat(); - let vm = brillig_execute_and_get_vm(vec![], &opcodes); + let solver = StubbedBlackBoxSolver::default(); + let vm = brillig_execute_and_get_vm(vec![], &opcodes, &solver); vm.get_memory()[4..].to_vec() } @@ -1834,11 +1848,12 @@ mod tests { } /// Helper to execute brillig code - fn brillig_execute_and_get_vm( + fn brillig_execute_and_get_vm<'a, F: AcirField>( calldata: Vec, - opcodes: &[Opcode], - ) -> VM<'_, F, StubbedBlackBoxSolver> { - let mut vm = VM::new(calldata, opcodes, vec![], &StubbedBlackBoxSolver, false); + opcodes: &'a [Opcode], + solver: &'a StubbedBlackBoxSolver, + ) -> VM<'a, F, StubbedBlackBoxSolver> { + let mut vm = VM::new(calldata, opcodes, vec![], solver, false); brillig_execute(&mut vm); assert_eq!(vm.call_stack, vec![]); vm @@ -1880,7 +1895,8 @@ mod tests { }, ]; - let mut vm = brillig_execute_and_get_vm(vec![], &double_program); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = brillig_execute_and_get_vm(vec![], &double_program, &solver); // Check that VM is waiting assert_eq!( @@ -1973,7 +1989,8 @@ mod tests { }, ]; - let mut vm = brillig_execute_and_get_vm(initial_matrix.clone(), &invert_program); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = brillig_execute_and_get_vm(initial_matrix.clone(), &invert_program, &solver); // Check that VM is waiting assert_eq!( @@ -2083,7 +2100,9 @@ mod tests { }, ]; - let mut vm = brillig_execute_and_get_vm(input_string.clone(), &string_double_program); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = + brillig_execute_and_get_vm(input_string.clone(), &string_double_program, &solver); // Check that VM is waiting assert_eq!( @@ -2181,7 +2200,8 @@ mod tests { }, ]; - let mut vm = brillig_execute_and_get_vm(initial_matrix.clone(), &invert_program); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = brillig_execute_and_get_vm(initial_matrix.clone(), &invert_program, &solver); // Check that VM is waiting assert_eq!( @@ -2303,7 +2323,8 @@ mod tests { ]; let mut initial_memory = matrix_a.clone(); initial_memory.extend(matrix_b.clone()); - let mut vm = brillig_execute_and_get_vm(initial_memory, &matrix_mul_program); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = brillig_execute_and_get_vm(initial_memory, &matrix_mul_program, &solver); // Check that VM is waiting assert_eq!( @@ -2443,9 +2464,11 @@ mod tests { ]) .collect(); + let solver = StubbedBlackBoxSolver::default(); let mut vm = brillig_execute_and_get_vm( memory.into_iter().map(|mem_value| mem_value.to_field()).collect(), &program, + &solver, ); // Check that VM is waiting @@ -2517,7 +2540,8 @@ mod tests { }, ]; - let mut vm = VM::new(calldata, &opcodes, vec![], &StubbedBlackBoxSolver, false); + let solver = StubbedBlackBoxSolver::default(); + let mut vm = VM::new(calldata, &opcodes, vec![], &solver, false); vm.process_opcode(); vm.process_opcode(); diff --git a/compiler/noirc_driver/src/lib.rs b/compiler/noirc_driver/src/lib.rs index 87fbd3d1d3d..87da9cd658e 100644 --- a/compiler/noirc_driver/src/lib.rs +++ b/compiler/noirc_driver/src/lib.rs @@ -151,6 +151,12 @@ pub struct CompileOptions { #[arg(long, hide = true, allow_hyphen_values = true)] pub max_bytecode_increase_percent: Option, + /// Use pedantic ACVM solving, i.e. double-check some black-box function + /// assumptions when solving. + /// This is disabled by default. + #[arg(long, default_value = "false")] + pub pedantic_solving: bool, + /// Used internally to test for non-determinism in the compiler. #[clap(long, hide = true)] pub check_non_determinism: bool, @@ -311,8 +317,12 @@ pub fn check_crate( crate_id: CrateId, options: &CompileOptions, ) -> CompilationResult<()> { - let diagnostics = - CrateDefMap::collect_defs(crate_id, context, options.debug_comptime_in_file.as_deref()); + let diagnostics = CrateDefMap::collect_defs( + crate_id, + context, + options.debug_comptime_in_file.as_deref(), + options.pedantic_solving, + ); let crate_files = context.crate_files(&crate_id); let warnings_and_errors: Vec = diagnostics .into_iter() diff --git a/compiler/noirc_evaluator/src/brillig/brillig_ir.rs b/compiler/noirc_evaluator/src/brillig/brillig_ir.rs index 0ac9913c8e5..c3f1f97bb82 100644 --- a/compiler/noirc_evaluator/src/brillig/brillig_ir.rs +++ b/compiler/noirc_evaluator/src/brillig/brillig_ir.rs @@ -253,6 +253,10 @@ pub(crate) mod tests { pub(crate) struct DummyBlackBoxSolver; impl BlackBoxFunctionSolver for DummyBlackBoxSolver { + fn pedantic_solving(&self) -> bool { + true + } + fn multi_scalar_mul( &self, _points: &[FieldElement], diff --git a/compiler/noirc_evaluator/src/ssa/ir/instruction/call.rs b/compiler/noirc_evaluator/src/ssa/ir/instruction/call.rs index b0e5506e8dd..951761e041e 100644 --- a/compiler/noirc_evaluator/src/ssa/ir/instruction/call.rs +++ b/compiler/noirc_evaluator/src/ssa/ir/instruction/call.rs @@ -493,11 +493,12 @@ fn simplify_black_box_func( block: BasicBlockId, call_stack: CallStackId, ) -> SimplifyResult { + let pedantic_solving = true; cfg_if::cfg_if! { if #[cfg(feature = "bn254")] { - let solver = bn254_blackbox_solver::Bn254BlackBoxSolver; + let solver = bn254_blackbox_solver::Bn254BlackBoxSolver(pedantic_solving); } else { - let solver = acvm::blackbox_solver::StubbedBlackBoxSolver; + let solver = acvm::blackbox_solver::StubbedBlackBoxSolver(pedantic_solving); } }; match bb_func { diff --git a/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs b/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs index 9f533bd0401..9ceb9a2fde0 100644 --- a/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs +++ b/compiler/noirc_evaluator/src/ssa/opt/constant_folding.rs @@ -632,7 +632,8 @@ impl<'brillig> Context<'brillig> { let bytecode = &generated_brillig.byte_code; let foreign_call_results = Vec::new(); - let black_box_solver = Bn254BlackBoxSolver; + let pedantic_solving = true; + let black_box_solver = Bn254BlackBoxSolver(pedantic_solving); let profiling_active = false; let mut vm = VM::new( calldata, diff --git a/compiler/noirc_frontend/src/elaborator/comptime.rs b/compiler/noirc_frontend/src/elaborator/comptime.rs index f6ab755159a..d88bb62e871 100644 --- a/compiler/noirc_frontend/src/elaborator/comptime.rs +++ b/compiler/noirc_frontend/src/elaborator/comptime.rs @@ -97,6 +97,7 @@ impl<'context> Elaborator<'context> { self.crate_id, self.debug_comptime_in_file, self.interpreter_call_stack.clone(), + self.pedantic_solving, ); elaborator.function_context.push(FunctionContext::default()); @@ -474,7 +475,7 @@ impl<'context> Elaborator<'context> { Some(DependencyId::Function(function)) => Some(function), _ => None, }; - Interpreter::new(self, self.crate_id, current_function) + Interpreter::new(self, self.crate_id, current_function, self.pedantic_solving) } pub(super) fn debug_comptime T>( diff --git a/compiler/noirc_frontend/src/elaborator/mod.rs b/compiler/noirc_frontend/src/elaborator/mod.rs index c54f9355250..9b0b94c39eb 100644 --- a/compiler/noirc_frontend/src/elaborator/mod.rs +++ b/compiler/noirc_frontend/src/elaborator/mod.rs @@ -181,6 +181,9 @@ pub struct Elaborator<'context> { /// like `Foo { inner: 5 }`: in that case we already elaborated the code that led to /// that comptime value and any visibility errors were already reported. silence_field_visibility_errors: usize, + + /// Use pedantic ACVM solving + pedantic_solving: bool, } #[derive(Default)] @@ -198,6 +201,7 @@ struct FunctionContext { } impl<'context> Elaborator<'context> { + #[allow(clippy::too_many_arguments)] pub fn new( interner: &'context mut NodeInterner, def_maps: &'context mut DefMaps, @@ -206,6 +210,7 @@ impl<'context> Elaborator<'context> { crate_id: CrateId, debug_comptime_in_file: Option, interpreter_call_stack: im::Vector, + pedantic_solving: bool, ) -> Self { Self { scopes: ScopeForest::default(), @@ -233,6 +238,7 @@ impl<'context> Elaborator<'context> { interpreter_call_stack, in_comptime_context: false, silence_field_visibility_errors: 0, + pedantic_solving, } } @@ -240,6 +246,7 @@ impl<'context> Elaborator<'context> { context: &'context mut Context, crate_id: CrateId, debug_comptime_in_file: Option, + pedantic_solving: bool, ) -> Self { Self::new( &mut context.def_interner, @@ -249,6 +256,7 @@ impl<'context> Elaborator<'context> { crate_id, debug_comptime_in_file, im::Vector::new(), + pedantic_solving, ) } @@ -257,8 +265,16 @@ impl<'context> Elaborator<'context> { crate_id: CrateId, items: CollectedItems, debug_comptime_in_file: Option, + pedantic_solving: bool, ) -> Vec<(CompilationError, FileId)> { - Self::elaborate_and_return_self(context, crate_id, items, debug_comptime_in_file).errors + Self::elaborate_and_return_self( + context, + crate_id, + items, + debug_comptime_in_file, + pedantic_solving, + ) + .errors } pub fn elaborate_and_return_self( @@ -266,8 +282,10 @@ impl<'context> Elaborator<'context> { crate_id: CrateId, items: CollectedItems, debug_comptime_in_file: Option, + pedantic_solving: bool, ) -> Self { - let mut this = Self::from_context(context, crate_id, debug_comptime_in_file); + let mut this = + Self::from_context(context, crate_id, debug_comptime_in_file, pedantic_solving); this.elaborate_items(items); this.check_and_pop_function_context(); this diff --git a/compiler/noirc_frontend/src/hir/comptime/interpreter.rs b/compiler/noirc_frontend/src/hir/comptime/interpreter.rs index 6224552c0af..12b99818c46 100644 --- a/compiler/noirc_frontend/src/hir/comptime/interpreter.rs +++ b/compiler/noirc_frontend/src/hir/comptime/interpreter.rs @@ -67,6 +67,9 @@ pub struct Interpreter<'local, 'interner> { /// Stateful bigint calculator. bigint_solver: BigIntSolverWithId, + + /// Use pedantic ACVM solving + pedantic_solving: bool, } #[allow(unused)] @@ -75,14 +78,17 @@ impl<'local, 'interner> Interpreter<'local, 'interner> { elaborator: &'local mut Elaborator<'interner>, crate_id: CrateId, current_function: Option, + pedantic_solving: bool, ) -> Self { + let bigint_solver = BigIntSolverWithId::with_pedantic_solving(pedantic_solving); Self { elaborator, crate_id, current_function, bound_generics: Vec::new(), in_loop: false, - bigint_solver: BigIntSolverWithId::default(), + bigint_solver, + pedantic_solving, } } diff --git a/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs b/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs index 99cc11ecd2a..0221280ae1b 100644 --- a/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs +++ b/compiler/noirc_frontend/src/hir/comptime/interpreter/foreign.rs @@ -40,6 +40,7 @@ impl<'local, 'context> Interpreter<'local, 'context> { arguments, return_type, location, + self.pedantic_solving, ) } } @@ -52,6 +53,7 @@ fn call_foreign( args: Vec<(Value, Location)>, return_type: Type, location: Location, + pedantic_solving: bool, ) -> IResult { use BlackBoxFunc::*; @@ -79,9 +81,11 @@ fn call_foreign( location, acvm::blackbox_solver::ecdsa_secp256r1_verify, ), - "embedded_curve_add" => embedded_curve_add(args, location), - "multi_scalar_mul" => multi_scalar_mul(interner, args, location), - "poseidon2_permutation" => poseidon2_permutation(interner, args, location), + "embedded_curve_add" => embedded_curve_add(args, location, pedantic_solving), + "multi_scalar_mul" => multi_scalar_mul(interner, args, location, pedantic_solving), + "poseidon2_permutation" => { + poseidon2_permutation(interner, args, location, pedantic_solving) + } "keccakf1600" => keccakf1600(interner, args, location), "range" => apply_range_constraint(args, location), "sha256_compression" => sha256_compression(interner, args, location), @@ -269,13 +273,17 @@ fn ecdsa_secp256_verify( /// point2: EmbeddedCurvePoint, /// ) -> [Field; 3] /// ``` -fn embedded_curve_add(arguments: Vec<(Value, Location)>, location: Location) -> IResult { +fn embedded_curve_add( + arguments: Vec<(Value, Location)>, + location: Location, + pedantic_solving: bool, +) -> IResult { let (point1, point2) = check_two_arguments(arguments, location)?; let (p1x, p1y, p1inf) = get_embedded_curve_point(point1)?; let (p2x, p2y, p2inf) = get_embedded_curve_point(point2)?; - let (x, y, inf) = Bn254BlackBoxSolver + let (x, y, inf) = Bn254BlackBoxSolver(pedantic_solving) .ec_add(&p1x, &p1y, &p1inf.into(), &p2x, &p2y, &p2inf.into()) .map_err(|e| InterpreterError::BlackBoxError(e, location))?; @@ -292,6 +300,7 @@ fn multi_scalar_mul( interner: &mut NodeInterner, arguments: Vec<(Value, Location)>, location: Location, + pedantic_solving: bool, ) -> IResult { let (points, scalars) = check_two_arguments(arguments, location)?; @@ -306,7 +315,7 @@ fn multi_scalar_mul( scalars_hi.push(hi); } - let (x, y, inf) = Bn254BlackBoxSolver + let (x, y, inf) = Bn254BlackBoxSolver(pedantic_solving) .multi_scalar_mul(&points, &scalars_lo, &scalars_hi) .map_err(|e| InterpreterError::BlackBoxError(e, location))?; @@ -318,13 +327,14 @@ fn poseidon2_permutation( interner: &mut NodeInterner, arguments: Vec<(Value, Location)>, location: Location, + pedantic_solving: bool, ) -> IResult { let (input, state_length) = check_two_arguments(arguments, location)?; let (input, typ) = get_array_map(interner, input, get_field)?; let state_length = get_u32(state_length)?; - let fields = Bn254BlackBoxSolver + let fields = Bn254BlackBoxSolver(pedantic_solving) .poseidon2_permutation(&input, state_length) .map_err(|error| InterpreterError::BlackBoxError(error, location))?; @@ -435,6 +445,7 @@ mod tests { for blackbox in BlackBoxFunc::iter() { let name = blackbox.name(); + let pedantic_solving = true; match call_foreign( interpreter.elaborator.interner, &mut interpreter.bigint_solver, @@ -442,6 +453,7 @@ mod tests { Vec::new(), Type::Unit, no_location, + pedantic_solving, ) { Ok(_) => { // Exists and works with no args (unlikely) diff --git a/compiler/noirc_frontend/src/hir/comptime/tests.rs b/compiler/noirc_frontend/src/hir/comptime/tests.rs index 2d3bf928917..ce8d43e56d5 100644 --- a/compiler/noirc_frontend/src/hir/comptime/tests.rs +++ b/compiler/noirc_frontend/src/hir/comptime/tests.rs @@ -58,8 +58,14 @@ pub(crate) fn with_interpreter( let main = context.get_main_function(&krate).expect("Expected 'main' function"); - let mut elaborator = - Elaborator::elaborate_and_return_self(&mut context, krate, collector.items, None); + let pedantic_solving = true; + let mut elaborator = Elaborator::elaborate_and_return_self( + &mut context, + krate, + collector.items, + None, + pedantic_solving, + ); let errors = elaborator.errors.clone(); diff --git a/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs b/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs index b59c09eccaa..9081cb1cccd 100644 --- a/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs +++ b/compiler/noirc_frontend/src/hir/def_collector/dc_crate.rs @@ -275,6 +275,7 @@ impl DefCollector { ast: SortedModule, root_file_id: FileId, debug_comptime_in_file: Option<&str>, + pedantic_solving: bool, ) -> Vec<(CompilationError, FileId)> { let mut errors: Vec<(CompilationError, FileId)> = vec![]; let crate_id = def_map.krate; @@ -287,7 +288,12 @@ impl DefCollector { let crate_graph = &context.crate_graph[crate_id]; for dep in crate_graph.dependencies.clone() { - errors.extend(CrateDefMap::collect_defs(dep.crate_id, context, debug_comptime_in_file)); + errors.extend(CrateDefMap::collect_defs( + dep.crate_id, + context, + debug_comptime_in_file, + pedantic_solving, + )); let dep_def_map = context.def_map(&dep.crate_id).expect("ice: def map was just created"); @@ -452,8 +458,13 @@ impl DefCollector { }) }); - let mut more_errors = - Elaborator::elaborate(context, crate_id, def_collector.items, debug_comptime_in_file); + let mut more_errors = Elaborator::elaborate( + context, + crate_id, + def_collector.items, + debug_comptime_in_file, + pedantic_solving, + ); errors.append(&mut more_errors); diff --git a/compiler/noirc_frontend/src/hir/def_map/mod.rs b/compiler/noirc_frontend/src/hir/def_map/mod.rs index 2dd3034c9a5..5c95901e4b0 100644 --- a/compiler/noirc_frontend/src/hir/def_map/mod.rs +++ b/compiler/noirc_frontend/src/hir/def_map/mod.rs @@ -78,6 +78,7 @@ impl CrateDefMap { crate_id: CrateId, context: &mut Context, debug_comptime_in_file: Option<&str>, + pedantic_solving: bool, ) -> Vec<(CompilationError, FileId)> { // Check if this Crate has already been compiled // XXX: There is probably a better alternative for this. @@ -120,6 +121,7 @@ impl CrateDefMap { ast, root_file_id, debug_comptime_in_file, + pedantic_solving, )); errors.extend( diff --git a/compiler/noirc_frontend/src/tests.rs b/compiler/noirc_frontend/src/tests.rs index 3d2e71662e9..11c34424c40 100644 --- a/compiler/noirc_frontend/src/tests.rs +++ b/compiler/noirc_frontend/src/tests.rs @@ -114,6 +114,7 @@ pub(crate) fn get_program_with_maybe_parser_errors( }; let debug_comptime_in_file = None; + let pedantic_solving = true; // Now we want to populate the CrateDefMap using the DefCollector errors.extend(DefCollector::collect_crate_and_dependencies( @@ -122,6 +123,7 @@ pub(crate) fn get_program_with_maybe_parser_errors( program.clone().into_sorted(), root_file_id, debug_comptime_in_file, + pedantic_solving, )); } (program, context, errors) diff --git a/examples/codegen_verifier/codegen_verifier.sh b/examples/codegen_verifier/codegen_verifier.sh index f224f74168f..9d1a6251dde 100755 --- a/examples/codegen_verifier/codegen_verifier.sh +++ b/examples/codegen_verifier/codegen_verifier.sh @@ -11,7 +11,7 @@ $BACKEND contract -o ./src/contract.sol # We now generate a proof and check whether the verifier contract will verify it. -nargo execute witness +nargo execute --pedantic-solving witness PROOF_PATH=./target/proof $BACKEND prove -b ./target/hello_world.json -w ./target/witness.gz -o $PROOF_PATH diff --git a/examples/prove_and_verify/prove_and_verify.sh b/examples/prove_and_verify/prove_and_verify.sh index df3ec3ff97a..411f5258caf 100755 --- a/examples/prove_and_verify/prove_and_verify.sh +++ b/examples/prove_and_verify/prove_and_verify.sh @@ -3,7 +3,7 @@ set -eu BACKEND=${BACKEND:-bb} -nargo execute witness +nargo execute --pedantic-solving witness # TODO: `bb` should create `proofs` directory if it doesn't exist. mkdir -p proofs @@ -11,4 +11,4 @@ $BACKEND prove -b ./target/hello_world.json -w ./target/witness.gz # TODO: backend should automatically generate vk if necessary. $BACKEND write_vk -b ./target/hello_world.json -$BACKEND verify -k ./target/vk -p ./proofs/proof \ No newline at end of file +$BACKEND verify -k ./target/vk -p ./proofs/proof diff --git a/test_programs/noir_test_success/comptime_blackbox/src/main.nr b/test_programs/noir_test_success/comptime_blackbox/src/main.nr index c3784e73b09..859790f7d2d 100644 --- a/test_programs/noir_test_success/comptime_blackbox/src/main.nr +++ b/test_programs/noir_test_success/comptime_blackbox/src/main.nr @@ -121,10 +121,12 @@ fn test_sha256() { #[test] fn test_embedded_curve_ops() { let (sum, mul) = comptime { - let g1 = EmbeddedCurvePoint { x: 1, y: 17631683881184975370165255887551781615748388533673675138860, is_infinite: false }; let s1 = EmbeddedCurveScalar { lo: 1, hi: 0 }; - let sum = g1 + g1; - let mul = multi_scalar_mul([g1, g1], [s1, s1]); + let s2 = EmbeddedCurveScalar { lo: 2, hi: 0 }; + let g1 = EmbeddedCurvePoint { x: 1, y: 17631683881184975370165255887551781615748388533673675138860, is_infinite: false }; + let g2 = multi_scalar_mul([g1], [s2]); + let sum = g1 + g2; + let mul = multi_scalar_mul([g1, g2], [s1, s1]); (sum, mul) }; assert_eq(sum, mul); diff --git a/tooling/acvm_cli/src/cli/execute_cmd.rs b/tooling/acvm_cli/src/cli/execute_cmd.rs index c3c83a8f000..9fed8cbd497 100644 --- a/tooling/acvm_cli/src/cli/execute_cmd.rs +++ b/tooling/acvm_cli/src/cli/execute_cmd.rs @@ -35,12 +35,19 @@ pub(crate) struct ExecuteCommand { /// Set to print output witness to stdout #[clap(long, short, action)] print: bool, + + /// Use pedantic ACVM solving, i.e. double-check some black-box function + /// assumptions when solving. + /// This is disabled by default. + #[clap(long, default_value = "false")] + pedantic_solving: bool, } fn run_command(args: ExecuteCommand) -> Result { let bytecode = read_bytecode_from_file(&args.working_directory, &args.bytecode)?; let circuit_inputs = read_inputs_from_file(&args.working_directory, &args.input_witness)?; - let output_witness = execute_program_from_witness(circuit_inputs, &bytecode)?; + let output_witness = + execute_program_from_witness(circuit_inputs, &bytecode, args.pedantic_solving)?; assert_eq!(output_witness.length(), 1, "ACVM CLI only supports a witness stack of size 1"); let output_witness_string = create_output_witness_string( &output_witness.peek().expect("Should have a witness stack item").witness, @@ -67,13 +74,14 @@ pub(crate) fn run(args: ExecuteCommand) -> Result { pub(crate) fn execute_program_from_witness( inputs_map: WitnessMap, bytecode: &[u8], + pedantic_solving: bool, ) -> Result, CliError> { let program: Program = Program::deserialize_program(bytecode) .map_err(|_| CliError::CircuitDeserializationError())?; execute_program( &program, inputs_map, - &Bn254BlackBoxSolver, + &Bn254BlackBoxSolver(pedantic_solving), &mut DefaultForeignCallBuilder { output: PrintOutput::Stdout, ..Default::default() } .build(), ) diff --git a/tooling/debugger/src/context.rs b/tooling/debugger/src/context.rs index 256bb148ae9..9741749df64 100644 --- a/tooling/debugger/src/context.rs +++ b/tooling/debugger/src/context.rs @@ -233,7 +233,7 @@ pub struct ExecutionFrame<'a, B: BlackBoxFunctionSolver> { } pub(super) struct DebugContext<'a, B: BlackBoxFunctionSolver> { - acvm: ACVM<'a, FieldElement, B>, + pub(crate) acvm: ACVM<'a, FieldElement, B>, current_circuit_id: u32, brillig_solver: Option>, @@ -971,6 +971,7 @@ mod tests { #[test] fn test_resolve_foreign_calls_stepping_into_brillig() { + let solver = StubbedBlackBoxSolver::default(); let fe_1 = FieldElement::one(); let w_x = Witness(1); @@ -1031,7 +1032,7 @@ mod tests { debug_artifact, )); let mut context = DebugContext::new( - &StubbedBlackBoxSolver, + &solver, circuits, debug_artifact, initial_witness, @@ -1116,6 +1117,7 @@ mod tests { #[test] fn test_break_brillig_block_while_stepping_acir_opcodes() { + let solver = StubbedBlackBoxSolver::default(); let fe_0 = FieldElement::zero(); let fe_1 = FieldElement::one(); let w_x = Witness(1); @@ -1199,7 +1201,7 @@ mod tests { )); let brillig_funcs = &[brillig_bytecode]; let mut context = DebugContext::new( - &StubbedBlackBoxSolver, + &solver, circuits, debug_artifact, initial_witness, @@ -1240,6 +1242,7 @@ mod tests { #[test] fn test_address_debug_location_mapping() { + let solver = StubbedBlackBoxSolver::default(); let brillig_one = BrilligBytecode { bytecode: vec![BrilligOpcode::Return, BrilligOpcode::Return] }; let brillig_two = BrilligBytecode { @@ -1286,7 +1289,7 @@ mod tests { let brillig_funcs = &[brillig_one, brillig_two]; let context = DebugContext::new( - &StubbedBlackBoxSolver, + &solver, &circuits, &debug_artifact, WitnessMap::new(), diff --git a/tooling/lsp/src/lib.rs b/tooling/lsp/src/lib.rs index a152cc17c7b..97a1c7ad27b 100644 --- a/tooling/lsp/src/lib.rs +++ b/tooling/lsp/src/lib.rs @@ -452,7 +452,7 @@ fn prepare_package_from_source_string() { "#; let client = ClientSocket::new_closed(); - let mut state = LspState::new(&client, acvm::blackbox_solver::StubbedBlackBoxSolver); + let mut state = LspState::new(&client, acvm::blackbox_solver::StubbedBlackBoxSolver::default()); let (mut context, crate_id) = prepare_source(source.to_string(), &mut state); let _check_result = noirc_driver::check_crate(&mut context, crate_id, &Default::default()); diff --git a/tooling/lsp/src/requests/mod.rs b/tooling/lsp/src/requests/mod.rs index f7b58d7d42f..d81108c2ec5 100644 --- a/tooling/lsp/src/requests/mod.rs +++ b/tooling/lsp/src/requests/mod.rs @@ -633,7 +633,7 @@ mod initialization { #[test] async fn test_on_initialize() { let client = ClientSocket::new_closed(); - let mut state = LspState::new(&client, StubbedBlackBoxSolver); + let mut state = LspState::new(&client, StubbedBlackBoxSolver::default()); let params = InitializeParams::default(); let response = on_initialize(&mut state, params).await.unwrap(); assert!(matches!( diff --git a/tooling/lsp/src/solver.rs b/tooling/lsp/src/solver.rs index a36e30a944e..df5c8eeb44f 100644 --- a/tooling/lsp/src/solver.rs +++ b/tooling/lsp/src/solver.rs @@ -6,6 +6,10 @@ use acvm::BlackBoxFunctionSolver; pub(super) struct WrapperSolver(pub(super) Box>); impl BlackBoxFunctionSolver for WrapperSolver { + fn pedantic_solving(&self) -> bool { + self.0.pedantic_solving() + } + fn multi_scalar_mul( &self, points: &[acvm::FieldElement], diff --git a/tooling/lsp/src/test_utils.rs b/tooling/lsp/src/test_utils.rs index c0505107842..c2c19b0efc7 100644 --- a/tooling/lsp/src/test_utils.rs +++ b/tooling/lsp/src/test_utils.rs @@ -5,7 +5,7 @@ use lsp_types::{Position, Range, Url}; pub(crate) async fn init_lsp_server(directory: &str) -> (LspState, Url) { let client = ClientSocket::new_closed(); - let mut state = LspState::new(&client, StubbedBlackBoxSolver); + let mut state = LspState::new(&client, StubbedBlackBoxSolver::default()); let root_path = std::env::current_dir() .unwrap() diff --git a/tooling/nargo_cli/benches/criterion.rs b/tooling/nargo_cli/benches/criterion.rs index 3d81ade65bc..e43e498ea06 100644 --- a/tooling/nargo_cli/benches/criterion.rs +++ b/tooling/nargo_cli/benches/criterion.rs @@ -141,10 +141,11 @@ fn criterion_test_execution(c: &mut Criterion, test_program_dir: &Path, force_br let artifacts = artifacts.as_ref().expect("setup compiled them"); for (program, initial_witness) in artifacts { + let solver = bn254_blackbox_solver::Bn254BlackBoxSolver::default(); let _witness_stack = black_box(nargo::ops::execute_program( black_box(&program.program), black_box(initial_witness.clone()), - &bn254_blackbox_solver::Bn254BlackBoxSolver, + &solver, &mut foreign_call_executor, )) .expect("failed to execute program"); diff --git a/tooling/nargo_cli/build.rs b/tooling/nargo_cli/build.rs index 140575e0209..3b1aff88755 100644 --- a/tooling/nargo_cli/build.rs +++ b/tooling/nargo_cli/build.rs @@ -359,7 +359,7 @@ fn generate_compile_success_empty_tests(test_file: &mut File, test_data_dir: &Pa panic!("JSON was not well-formatted {:?}\n\n{:?}", e, std::str::from_utf8(&output.stdout)) }}); let num_opcodes = &json["programs"][0]["functions"][0]["opcodes"]; - assert_eq!(num_opcodes.as_u64().expect("number of opcodes should fit in a u64"), 0); + assert_eq!(num_opcodes.as_u64().expect("number of opcodes should fit in a u64"), 0, "expected the number of opcodes to be 0"); "#; generate_test_cases( diff --git a/tooling/nargo_cli/src/cli/dap_cmd.rs b/tooling/nargo_cli/src/cli/dap_cmd.rs index a84e961cfe7..7fbf685688a 100644 --- a/tooling/nargo_cli/src/cli/dap_cmd.rs +++ b/tooling/nargo_cli/src/cli/dap_cmd.rs @@ -50,6 +50,12 @@ pub(crate) struct DapCommand { #[clap(long)] preflight_skip_instrumentation: bool, + + /// Use pedantic ACVM solving, i.e. double-check some black-box function + /// assumptions when solving. + /// This is disabled by default. + #[arg(long, default_value = "false")] + pedantic_solving: bool, } fn parse_expression_width(input: &str) -> Result { @@ -137,6 +143,7 @@ fn load_and_compile_project( fn loop_uninitialized_dap( mut server: Server, expression_width: ExpressionWidth, + pedantic_solving: bool, ) -> Result<(), DapError> { loop { let req = match server.poll_request()? { @@ -197,7 +204,7 @@ fn loop_uninitialized_dap( noir_debugger::run_dap_loop( server, - &Bn254BlackBoxSolver, + &Bn254BlackBoxSolver(pedantic_solving), compiled_program, initial_witness, )?; @@ -269,5 +276,6 @@ pub(crate) fn run(args: DapCommand, _config: NargoConfig) -> Result<(), CliError let input = BufReader::new(std::io::stdin()); let server = Server::new(input, output); - loop_uninitialized_dap(server, args.expression_width).map_err(CliError::DapError) + loop_uninitialized_dap(server, args.expression_width, args.pedantic_solving) + .map_err(CliError::DapError) } diff --git a/tooling/nargo_cli/src/cli/debug_cmd.rs b/tooling/nargo_cli/src/cli/debug_cmd.rs index f4dd607a53e..2ed30639d32 100644 --- a/tooling/nargo_cli/src/cli/debug_cmd.rs +++ b/tooling/nargo_cli/src/cli/debug_cmd.rs @@ -85,7 +85,14 @@ pub(crate) fn run(args: DebugCommand, config: NargoConfig) -> Result<(), CliErro let compiled_program = nargo::ops::transform_program(compiled_program, target_width); - run_async(package, compiled_program, &args.prover_name, &args.witness_name, target_dir) + run_async( + package, + compiled_program, + &args.prover_name, + &args.witness_name, + target_dir, + args.compile_options.pedantic_solving, + ) } pub(crate) fn compile_bin_package_for_debugging( @@ -172,6 +179,7 @@ fn run_async( prover_name: &str, witness_name: &Option, target_dir: &PathBuf, + pedantic_solving: bool, ) -> Result<(), CliError> { use tokio::runtime::Builder; let runtime = Builder::new_current_thread().enable_all().build().unwrap(); @@ -179,7 +187,7 @@ fn run_async( runtime.block_on(async { println!("[{}] Starting debugger", package.name); let (return_value, witness_stack) = - debug_program_and_decode(program, package, prover_name)?; + debug_program_and_decode(program, package, prover_name, pedantic_solving)?; if let Some(solved_witness_stack) = witness_stack { println!("[{}] Circuit witness successfully solved", package.name); @@ -206,12 +214,13 @@ fn debug_program_and_decode( program: CompiledProgram, package: &Package, prover_name: &str, + pedantic_solving: bool, ) -> Result<(Option, Option>), CliError> { // Parse the initial witness values from Prover.toml let (inputs_map, _) = read_inputs_from_file(&package.root_dir, prover_name, Format::Toml, &program.abi)?; let program_abi = program.abi.clone(); - let witness_stack = debug_program(program, &inputs_map)?; + let witness_stack = debug_program(program, &inputs_map, pedantic_solving)?; match witness_stack { Some(witness_stack) => { @@ -229,9 +238,14 @@ fn debug_program_and_decode( pub(crate) fn debug_program( compiled_program: CompiledProgram, inputs_map: &InputMap, + pedantic_solving: bool, ) -> Result>, CliError> { let initial_witness = compiled_program.abi.encode(inputs_map, None)?; - noir_debugger::run_repl_session(&Bn254BlackBoxSolver, compiled_program, initial_witness) - .map_err(CliError::from) + noir_debugger::run_repl_session( + &Bn254BlackBoxSolver(pedantic_solving), + compiled_program, + initial_witness, + ) + .map_err(CliError::from) } diff --git a/tooling/nargo_cli/src/cli/execute_cmd.rs b/tooling/nargo_cli/src/cli/execute_cmd.rs index 709caf71185..88e74340c71 100644 --- a/tooling/nargo_cli/src/cli/execute_cmd.rs +++ b/tooling/nargo_cli/src/cli/execute_cmd.rs @@ -73,6 +73,7 @@ pub(crate) fn run(args: ExecuteCommand, config: NargoConfig) -> Result<(), CliEr args.oracle_resolver.as_deref(), Some(workspace.root_dir.clone()), Some(package.name.to_string()), + args.compile_options.pedantic_solving, )?; println!("[{}] Circuit witness successfully solved", package.name); @@ -108,12 +109,19 @@ fn execute_program_and_decode( foreign_call_resolver_url: Option<&str>, root_path: Option, package_name: Option, + pedantic_solving: bool, ) -> Result { // Parse the initial witness values from Prover.toml let (inputs_map, expected_return) = read_inputs_from_file(&package.root_dir, prover_name, Format::Toml, &program.abi)?; - let witness_stack = - execute_program(&program, &inputs_map, foreign_call_resolver_url, root_path, package_name)?; + let witness_stack = execute_program( + &program, + &inputs_map, + foreign_call_resolver_url, + root_path, + package_name, + pedantic_solving, + )?; // Get the entry point witness for the ABI let main_witness = &witness_stack.peek().expect("Should have at least one witness on the stack").witness; @@ -134,13 +142,14 @@ pub(crate) fn execute_program( foreign_call_resolver_url: Option<&str>, root_path: Option, package_name: Option, + pedantic_solving: bool, ) -> Result, CliError> { let initial_witness = compiled_program.abi.encode(inputs_map, None)?; let solved_witness_stack_err = nargo::ops::execute_program( &compiled_program.program, initial_witness, - &Bn254BlackBoxSolver, + &Bn254BlackBoxSolver(pedantic_solving), &mut DefaultForeignCallExecutor::new( PrintOutput::Stdout, foreign_call_resolver_url, diff --git a/tooling/nargo_cli/src/cli/info_cmd.rs b/tooling/nargo_cli/src/cli/info_cmd.rs index 6320cbbf350..651ddbc0b56 100644 --- a/tooling/nargo_cli/src/cli/info_cmd.rs +++ b/tooling/nargo_cli/src/cli/info_cmd.rs @@ -83,6 +83,7 @@ pub(crate) fn run(mut args: InfoCommand, config: NargoConfig) -> Result<(), CliE binary_packages, &args.prover_name, args.compile_options.expression_width, + args.compile_options.pedantic_solving, )? } else { binary_packages @@ -238,6 +239,7 @@ fn profile_brillig_execution( binary_packages: Vec<(Package, ProgramArtifact)>, prover_name: &str, expression_width: Option, + pedantic_solving: bool, ) -> Result, CliError> { let mut program_info = Vec::new(); for (package, program_artifact) in binary_packages.iter() { @@ -253,7 +255,7 @@ fn profile_brillig_execution( let (_, profiling_samples) = nargo::ops::execute_program_with_profiling( &program_artifact.bytecode, initial_witness, - &Bn254BlackBoxSolver, + &Bn254BlackBoxSolver(pedantic_solving), &mut DefaultForeignCallBuilder::default().build(), )?; diff --git a/tooling/nargo_cli/src/cli/lsp_cmd.rs b/tooling/nargo_cli/src/cli/lsp_cmd.rs index bfaa913b33a..dc5d0995c06 100644 --- a/tooling/nargo_cli/src/cli/lsp_cmd.rs +++ b/tooling/nargo_cli/src/cli/lsp_cmd.rs @@ -25,7 +25,8 @@ pub(crate) fn run(_args: LspCommand, _config: NargoConfig) -> Result<(), CliErro runtime.block_on(async { let (server, _) = async_lsp::MainLoop::new_server(|client| { - let router = NargoLspService::new(&client, Bn254BlackBoxSolver); + let pedantic_solving = true; + let router = NargoLspService::new(&client, Bn254BlackBoxSolver(pedantic_solving)); ServiceBuilder::new() .layer(TracingLayer::default()) diff --git a/tooling/nargo_cli/tests/stdlib-props.rs b/tooling/nargo_cli/tests/stdlib-props.rs index 24d53b48a6c..780b34bf0c3 100644 --- a/tooling/nargo_cli/tests/stdlib-props.rs +++ b/tooling/nargo_cli/tests/stdlib-props.rs @@ -78,7 +78,8 @@ fn run_snippet_proptest( Err(e) => panic!("failed to compile program; brillig = {force_brillig}:\n{source}\n{e:?}"), }; - let blackbox_solver = bn254_blackbox_solver::Bn254BlackBoxSolver; + let pedandic_solving = true; + let blackbox_solver = bn254_blackbox_solver::Bn254BlackBoxSolver(pedandic_solving); let foreign_call_executor = RefCell::new(DefaultForeignCallBuilder::default().build()); // Generate multiple input/output diff --git a/tooling/nargo_cli/tests/stdlib-tests.rs b/tooling/nargo_cli/tests/stdlib-tests.rs index 6aae94f6645..b162b282781 100644 --- a/tooling/nargo_cli/tests/stdlib-tests.rs +++ b/tooling/nargo_cli/tests/stdlib-tests.rs @@ -84,8 +84,9 @@ fn run_stdlib_tests(force_brillig: bool, inliner_aggressiveness: i64) { let test_report: Vec<(String, TestStatus)> = test_functions .into_iter() .map(|(test_name, test_function)| { + let pedantic_solving = true; let status = run_test( - &bn254_blackbox_solver::Bn254BlackBoxSolver, + &bn254_blackbox_solver::Bn254BlackBoxSolver(pedantic_solving), &mut context, &test_function, PrintOutput::Stdout, diff --git a/tooling/profiler/src/cli/execution_flamegraph_cmd.rs b/tooling/profiler/src/cli/execution_flamegraph_cmd.rs index bab15529744..dbb2a2c38bc 100644 --- a/tooling/profiler/src/cli/execution_flamegraph_cmd.rs +++ b/tooling/profiler/src/cli/execution_flamegraph_cmd.rs @@ -26,6 +26,12 @@ pub(crate) struct ExecutionFlamegraphCommand { /// The output folder for the flamegraph svg files #[clap(long, short)] output: PathBuf, + + /// Use pedantic ACVM solving, i.e. double-check some black-box function + /// assumptions when solving. + /// This is disabled by default. + #[clap(long, default_value = "false")] + pedantic_solving: bool, } pub(crate) fn run(args: ExecutionFlamegraphCommand) -> eyre::Result<()> { @@ -34,6 +40,7 @@ pub(crate) fn run(args: ExecutionFlamegraphCommand) -> eyre::Result<()> { &args.prover_toml_path, &InfernoFlamegraphGenerator { count_name: "samples".to_string() }, &args.output, + args.pedantic_solving, ) } @@ -42,6 +49,7 @@ fn run_with_generator( prover_toml_path: &Path, flamegraph_generator: &impl FlamegraphGenerator, output_path: &Path, + pedantic_solving: bool, ) -> eyre::Result<()> { let program = read_program_from_file(artifact_path).context("Error reading program from file")?; @@ -54,7 +62,7 @@ fn run_with_generator( let (_, mut profiling_samples) = nargo::ops::execute_program_with_profiling( &program.bytecode, initial_witness, - &Bn254BlackBoxSolver, + &Bn254BlackBoxSolver(pedantic_solving), &mut DefaultForeignCallBuilder::default().with_output(PrintOutput::Stdout).build(), )?; println!("Executed");