fix(air): update tests and CHANGELOG for memory addr range check

AMATH · amathxbt · commit f7bc64507c90 · 2026-03-29T02:08:13.000Z
- Update build_trace_row() test helper to populate ADDR_LO_COL_IDX and
  ADDR_HI_COL_IDX columns so that verify_memory_access() comparisons remain
  correct now that fill_trace() writes these two new witness columns.
- Import ADDR_HI_COL_IDX and ADDR_LO_COL_IDX in the test module.
- Add CHANGELOG entry under v0.23.0 Bug Fixes.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 #### Bug Fixes
 
+- Fixed a proof-soundness vulnerability in the memory chiplet AIR: `word_addr` was never constrained to `[0, 2^32)`, allowing a dishonest prover to supply arbitrary field elements as memory addresses. The fix commits to two 16-bit witness columns (`addr_lo`, `addr_hi`) and enforces a reconstruction constraint plus range checks via the existing range-check bus ([#2935](https://github.com/0xMiden/miden-vm/pull/2935)).
 - Reverted `InvokeKind::ProcRef` back to `InvokeKind::Exec` in `visit_mut_procref` and added an explanatory comment (#2893).
 #### Changes
 
diff --git a/processor/src/trace/chiplets/memory/tests.rs b/processor/src/trace/chiplets/memory/tests.rs
@@ -3,9 +3,9 @@ use alloc::vec::Vec;
 use miden_air::trace::{
     RowIndex,
     chiplets::memory::{
-        FLAG_SAME_CONTEXT_AND_WORD, IDX0_COL_IDX, IDX1_COL_IDX, IS_READ_COL_IDX,
-        IS_WORD_ACCESS_COL_IDX, MEMORY_ACCESS_ELEMENT, MEMORY_ACCESS_WORD, MEMORY_READ,
-        MEMORY_WRITE, TRACE_WIDTH as MEMORY_TRACE_WIDTH,
+        ADDR_HI_COL_IDX, ADDR_LO_COL_IDX, FLAG_SAME_CONTEXT_AND_WORD, IDX0_COL_IDX,
+        IDX1_COL_IDX, IS_READ_COL_IDX, IS_WORD_ACCESS_COL_IDX, MEMORY_ACCESS_ELEMENT,
+        MEMORY_ACCESS_WORD, MEMORY_READ, MEMORY_WRITE, TRACE_WIDTH as MEMORY_TRACE_WIDTH,
     },
 };
 use miden_core::{ONE, WORD_SIZE, Word, ZERO, assert_matches, field::Field};
@@ -577,6 +577,14 @@ fn build_trace_row(
         row[FLAG_SAME_CONTEXT_AND_WORD] = ZERO;
     }
 
+    // Populate address limb columns matching what fill_trace() writes.
+    // ADDR_LO = word_addr & 0xFFFF, ADDR_HI = word_addr >> 16.
+    let word_addr_u32: u32 = word.as_canonical_u64().try_into().unwrap();
+    let addr_lo = u16::try_from(word_addr_u32 & 0xFFFF).unwrap();
+    let addr_hi = u16::try_from(word_addr_u32 >> 16).unwrap();
+    row[ADDR_LO_COL_IDX] = Felt::new(addr_lo as u64);
+    row[ADDR_HI_COL_IDX] = Felt::new(addr_hi as u64);
+
     row
 }
 
