Merge branch 'next' into md/opt-sol-honk

Author: Maddiaa0

.github/workflows/fund-sepolia-accounts.yml

@@ -17,6 +17,11 @@ on:
         required: false
         type: string
         default: master
+      funding_amount:
+        description: The amount of ETH to fund each account with
+        required: true
+        type: number
+        default: 5
     secrets:
       GCP_SA_KEY:
         required: true
@@ -43,6 +48,11 @@ on:
         required: false
         type: string
         default: master
+      funding_amount:
+        description: The amount of ETH to fund each account with
+        required: true
+        type: number
+        default: 5
 
 jobs:
   fund-sepolia-accounts:
@@ -79,7 +89,7 @@ jobs:
           if [[ "${{ steps.get-mnemonic.outputs.new_mnemonic }}" == "true" ]]; then
             echo "Generating new mnemonic"
           else
-            MNEMONIC="${{ steps.get-mnemonic.outputs.mnemonic }}"
+            export MNEMONIC="${{ steps.get-mnemonic.outputs.mnemonic }}"
             echo "Using mnemonic from GCP"
           fi
 
@@ -89,7 +99,7 @@ jobs:
           export ETHEREUM_HOST="https://json-rpc.${{ secrets.GCP_SEPOLIA_URL }}?key=${{ secrets.GCP_SEPOLIA_API_KEY }}"
 
           echo "Funding accounts..."
-          $REPO/spartan/scripts/prepare_sepolia_accounts.sh ${{ inputs.values_file }} 30 "$MNEMONIC_FILE"
+          $REPO/spartan/scripts/prepare_sepolia_accounts.sh ${{ inputs.values_file }} ${{ inputs.funding_amount }} "$MNEMONIC_FILE"
           mnemonic=$(cat "$MNEMONIC_FILE")
           rm "$MNEMONIC_FILE"
           echo "::add-mask::$mnemonic"

.test_patterns.yml

@@ -249,6 +249,10 @@ tests:
     error_regex: "ContractFunctionExecutionError: The contract function"
     owners:
       - *mitch
+  - regex: "src/e2e_block_building"
+    error_regex: "✕ detects an upcoming reorg and builds a block for the correct slot"
+    owners:
+      - *palla
 
   # Nightly GKE tests
   - regex: "spartan/bootstrap.sh"

barretenberg/cpp/pil/vm2/alu.pil

@@ -9,6 +9,8 @@ namespace alu;
 pol commit sel;
 
 pol commit sel_op_add;
+pol commit sel_op_sub;
+pol commit sel_op_mul;
 pol commit sel_op_eq;
 pol commit sel_op_lt;
 pol commit sel_op_lte;
@@ -37,24 +39,29 @@ pol commit cf;
 pol commit helper1;
 
 // maximum bits the number can hold (i.e. 8 for a u8):
-// TODO(MW): Now unused since we redirect the LT/LTE range checks to GT gadget - remove?
 pol commit max_bits;
 // maximum value the number can hold (i.e. 255 for a u8), we 'mod' by max_value + 1
 pol commit max_value;
 // we need a selector to conditionally lookup ff_gt when inputs a, b are fields:
 pol commit sel_is_ff;
+// we need a selector to conditionally perform u128 multiplication:
+pol commit sel_is_u128;
 
 pol IS_NOT_FF = 1 - sel_is_ff;
+pol IS_NOT_U128 = 1 - sel_is_u128;
 
 sel * (1 - sel) = 0;
 cf * (1 - cf) = 0;
 sel_is_ff * (1 - sel_is_ff) = 0;
+sel_is_u128 * (1 - sel_is_u128) = 0;
 
 // TODO: Consider to gate with (1 - sel_tag_err) for op_id. This might help us remove the (1 - sel_tag_err)
 // in various operation relations below.
 // Note that the op_ids below represent a binary decomposition (see constants_gen.pil):
 #[OP_ID_CHECK]
 op_id = sel_op_add * constants.AVM_EXEC_OP_ID_ALU_ADD
+      + sel_op_sub * constants.AVM_EXEC_OP_ID_ALU_SUB
+      + sel_op_mul * constants.AVM_EXEC_OP_ID_ALU_MUL
       + sel_op_eq * constants.AVM_EXEC_OP_ID_ALU_EQ
       + sel_op_lt * constants.AVM_EXEC_OP_ID_ALU_LT
       + sel_op_lte * constants.AVM_EXEC_OP_ID_ALU_LTE
@@ -78,18 +85,28 @@ execution.sel_execute_alu {
 
 // IS_FF CHECKING
 
-// TODO(MW): remove this and check for all (i.e. replace with sel), just being lazy for now. For add, we don't care, for lt we need to differentiate.
 pol CHECK_TAG_FF = sel_op_lt + sel_op_lte + sel_op_not;
 // We prove that sel_is_ff == 1 <==> ia_tag == MEM_TAG_FF
 pol TAG_FF_DIFF = ia_tag - constants.MEM_TAG_FF;
 pol commit tag_ff_diff_inv;
 #[TAG_IS_FF]
 CHECK_TAG_FF * (TAG_FF_DIFF * (sel_is_ff * (1 - tag_ff_diff_inv) + tag_ff_diff_inv) + sel_is_ff - 1) = 0;
 
+// IS_U128 CHECKING
+
+pol CHECK_TAG_U128 = sel_op_mul;
+// We prove that sel_is_u128 == 1 <==> ia_tag == MEM_TAG_U128
+pol TAG_U128_DIFF = ia_tag - constants.MEM_TAG_U128;
+pol commit tag_u128_diff_inv;
+#[TAG_IS_U128]
+CHECK_TAG_U128 * (TAG_U128_DIFF * (sel_is_u128 * (1 - tag_u128_diff_inv) + tag_u128_diff_inv) + sel_is_u128 - 1) = 0;
+
+// Note: if we never need sel_is_ff and sel_is_u128 in the same op, can combine the above checks into one
+
 // TAG CHECKING
 
 // Will become e.g. sel_op_add * ia_tag + (comparison ops) * MEM_TAG_U1 + ....
-pol EXPECTED_C_TAG = (sel_op_add + sel_op_truncate) * ia_tag + (sel_op_eq + sel_op_lt + sel_op_lte) * constants.MEM_TAG_U1;
+pol EXPECTED_C_TAG = (sel_op_add + sel_op_sub + sel_op_truncate + sel_op_mul) * ia_tag + (sel_op_eq + sel_op_lt + sel_op_lte) * constants.MEM_TAG_U1;
 
 // The tag of c is generated by the opcode and is never wrong.
 // Gating with (1 - sel_tag_err) is necessary because when an error occurs, we have to set the tag to 0,
@@ -120,8 +137,91 @@ sel { ia_tag, max_bits, max_value } in precomputed.sel_tag_parameters { precompu
 
 sel_op_add * (1 - sel_op_add) = 0;
 
-#[ALU_ADD]
-sel_op_add * (1 - sel_tag_err) * (ia + ib - ic - cf * (max_value + 1)) = 0;
+// SUB
+
+sel_op_sub * (1 - sel_op_sub) = 0;
+
+// ADD & SUB - Shared relation:
+
+// For add, sel_op_add - sel_op_sub = 1 => check a + b - cf * carry = c
+// For sub, sel_op_add - sel_op_sub = -1 => check a - b + cf * carry = c
+#[ALU_ADD_SUB]
+(sel_op_add + sel_op_sub) * (1 - sel_tag_err) * (ia - ic + (sel_op_add - sel_op_sub) * (ib - cf * (max_value + 1))) = 0;
+
+// MUL
+
+sel_op_mul * (1 - sel_op_mul) = 0;
+
+pol commit c_hi;
+
+// MUL - non u128
+
+#[ALU_MUL_NON_U128]
+sel_op_mul * IS_NOT_U128 * (1 - sel_tag_err)
+    * (
+        ia * ib
+        - ic
+        - (max_value + 1) * c_hi
+    ) = 0;
+
+// MUL - u128
+
+pol commit sel_mul_u128;
+// sel_op_mul & sel_is_u128:
+sel_mul_u128 - sel_is_u128 * sel_op_mul = 0;
+
+// Taken from vm1:
+// We express a, b in 64-bit slices: a = a_l + a_h * 2^64
+//                                   b = b_l + b_h * 2^64
+// => a * b = a_l * b_l + (a_h * b_l + a_l * b_h) * 2^64 + (a_h * b_h) * 2^128 = c_hi_full * 2^128 + c
+// => the 'top bits' are given by (c_hi_full - (a_h * b_h)) * 2^128
+// We can show for a 64 bit c_hi = c_hi_full - (a_h * b_h) % 2^64 that:
+// a_l * b_l + (a_h * b_l + a_l * b_h) * 2^64 = c_hi * 2^128 + c
+// Equivalently (cf = 0 if a_h & b_h = 0):
+// a * b_l + a_l * b_h * 2^64 = (cf * 2^64 + c_hi) * 2^128 + c
+// => no need for a_h in final relation
+
+pol commit a_lo;
+pol commit a_hi;
+pol commit b_lo;
+pol commit b_hi;
+pol TWO_POW_64 = 2 ** 64;
+
+#[A_MUL_DECOMPOSITION]
+sel_mul_u128 * (ia - (a_lo + TWO_POW_64 * a_hi)) = 0;
+#[B_MUL_DECOMPOSITION]
+sel_mul_u128 * (ib - (b_lo + TWO_POW_64 * b_hi)) = 0;
+
+#[ALU_MUL_U128]
+sel_mul_u128 * (1 - sel_tag_err)
+    * (
+        ia * b_lo + a_lo * b_hi * TWO_POW_64            // a * b without the hi bits
+        - ic                                            // c_lo
+        - (max_value + 1) * (cf * TWO_POW_64 + c_hi)    // c_hi * 2^128 + (cf ? 2^192 : 0)
+    ) = 0;
+
+// TODO: Once lookups support expression in tuple, we can inline constant_64 into the lookup.
+// Note: only used for MUL, so gated by sel_op_mul
+pol commit constant_64;
+sel_op_mul * (64 - constant_64) = 0;
+
+#[RANGE_CHECK_MUL_U128_A_LO]
+sel_mul_u128 { a_lo, constant_64 } in range_check.sel { range_check.value, range_check.rng_chk_bits };
+
+#[RANGE_CHECK_MUL_U128_A_HI]
+sel_mul_u128 { a_hi, constant_64 } in range_check.sel { range_check.value, range_check.rng_chk_bits };
+
+#[RANGE_CHECK_MUL_U128_B_LO]
+sel_mul_u128 { b_lo, constant_64 } in range_check.sel { range_check.value, range_check.rng_chk_bits };
+
+#[RANGE_CHECK_MUL_U128_B_HI]
+sel_mul_u128 { b_hi, constant_64 } in range_check.sel { range_check.value, range_check.rng_chk_bits };
+
+// No need to range_check c_hi for cases other than u128 because we know a and b's size from the tags and have looked
+// up max_value. i.e. we cannot provide a malicious c, c_hi such that a + b - c_hi * 2^n = c passes for n < 128.
+// No need to range_check c_lo = ic because the memory write will ensure ic <= max_value.
+#[RANGE_CHECK_MUL_U128_C_HI]
+sel_mul_u128 { c_hi, constant_64 } in range_check.sel { range_check.value, range_check.rng_chk_bits };
 
 // EQ
 
@@ -280,21 +380,21 @@ sel_op_truncate = sel_trunc_non_trivial + sel_trunc_trivial;
 #[TRUNC_TRIVIAL_CASE]
 sel_trunc_trivial * (ia - ic) = 0;
 
-pol commit lo_128; // 128-bit low limb of ia.
-pol commit hi_128; // 128-bit high limb of ia.
+// NOTE: reusing a_lo and a_hi columns from MUL in TRUNC:
+// For truncate, a_lo = 128-bit low limb of ia and a_hi = 128-bit high limb of ia.
 pol commit mid;
 
 #[LARGE_TRUNC_CANONICAL_DEC]
-sel_trunc_gte_128 { ia, lo_128, hi_128 }
+sel_trunc_gte_128 { ia, a_lo, a_hi }
 in
 ff_gt.sel_dec { ff_gt.a, ff_gt.a_lo, ff_gt.a_hi };
 
 #[SMALL_TRUNC_VAL_IS_LO]
-sel_trunc_lt_128 * (lo_128 - ia) = 0;
+sel_trunc_lt_128 * (a_lo - ia) = 0;
 
-// lo_128 = ic + mid * 2^ia_tag_bits, where 2^ia_tag_bits is max_value + 1.
+// a_lo = ic + mid * 2^ia_tag_bits, where 2^ia_tag_bits is max_value + 1.
 #[TRUNC_LO_128_DECOMPOSITION]
-sel_trunc_non_trivial * (ic + mid * (max_value + 1) - lo_128) = 0;
+sel_trunc_non_trivial * (ic + mid * (max_value + 1) - a_lo) = 0;
 
 // TODO: Once lookups support expression in tuple, we can inline mid_bits into the lookup.
 pol commit mid_bits;
@@ -305,4 +405,4 @@ mid_bits = sel_trunc_non_trivial * (128 - max_bits);
 // is supported by our range_check gadget.
 // No need to range_check ic because the memory write will ensure ic <= max_value.
 #[RANGE_CHECK_TRUNC_MID]
-sel_trunc_non_trivial {mid, mid_bits} in range_check.sel { range_check.value, range_check.rng_chk_bits };
+sel_trunc_non_trivial { mid, mid_bits } in range_check.sel { range_check.value, range_check.rng_chk_bits };

barretenberg/cpp/pil/vm2/execution.pil

@@ -8,7 +8,7 @@ include "sha256.pil";
 include "ecc_mem.pil";
 include "poseidon2_mem.pil";
 include "scalar_mul.pil";
-include "to_radix.pil";
+include "to_radix_mem.pil";
 include "ff_gt.pil";
 include "gt.pil";
 include "context.pil";
@@ -288,16 +288,72 @@ pol commit expected_tag_reg[7];
 
 pol commit sel_should_check_gas;
 sel_should_check_gas = sel_should_read_registers * (1 - sel_register_read_error);
-
 // NOTE: Gas is constrained in gas.pil.
 // The "output we want is" sel_out_of_gas from gas.pil.
 
+//////////////////////////////////////////
+// Bitwise, Dynamic L2 Gas Calculation
+//////////////////////////////////////////
 // For bitwise, the tag determines the dynamic_l2_gas_factor
 #[DYN_L2_FACTOR_BITWISE]
 sel_gas_bitwise { mem_tag_reg[0], dynamic_l2_gas_factor }
 in
 precomputed.sel_tag_parameters { precomputed.clk, precomputed.tag_byte_length };
 
+//////////////////////////////////////////
+// ToRadixBE, Dynamic L2 Gas Calculation
+//////////////////////////////////////////
+// The dynamic l2 gas factor depends on the number of limbs (located in register[2]) and
+// the number of limbs that the field modulus, p, decomposes into given a radix (num_p_limbs).
+
+// num_p_limbs is stored in a precomputed table that supports radix values in the range [0, 256].
+// To ensure the lookup never fails if radix > 256, we just set num_p_limbs to 32.
+// It is expected that an error will later be thrown when the to_radix subtrace validates the radix (located in register[1])
+
+// TODO: Theoretically, because we have access to a GreaterThan gadget - we could compare 257 > radix (instead of radix > 256)
+//       This potentially more optimal for the circuit as the boolen result of this can be used directly in the GET_SAFE_LIMBS lookup
+
+// In reality to keep the simulator cleaner and more sane, we will perform radix > 256.
+pol commit two_five_six;
+sel_gas_to_radix * (two_five_six - 256) = 0; // While we don't support constants in lookups
+
+pol commit sel_radix_gt_256; // sel_radix_gt_256 = 1 iff radix > 256
+#[CHECK_RADIX_GT_256]
+sel_gas_to_radix { /*radix=*/register[1], two_five_six, sel_radix_gt_256 }
+in
+gt.sel { gt.input_a, gt.input_b, gt.res };
+
+// Boolean for if we should look up the num_p_limbs value
+pol commit sel_lookup_num_p_limbs;
+sel_lookup_num_p_limbs = sel_gas_to_radix * (1 - sel_radix_gt_256);
+
+// If radix > 256, num_p_limbs has to equal 32 - otherwise we rely on the lookup
+pol commit num_p_limbs;
+#[NUM_P_LIMBS_CEIL]
+sel_gas_to_radix * (sel_radix_gt_256 * (num_p_limbs - 32)) = 0;
+
+#[GET_P_LIMBS]
+sel_lookup_num_p_limbs { /*radix=*/register[1], num_p_limbs }
+in
+precomputed.sel_to_radix_p_limb_counts
+    { precomputed.clk, precomputed.to_radix_num_limbs_for_p };
+
+// We now compute the dynamic l2 gas factor as max(num_limbs, num_p_limbs)
+// The easiest way to do this is to do check if num_limbs > num_p_limbs.
+// If so then dynamic_l2_gas_factor = num_limbs
+// Otherwise dynamic_l2_gas_factor = num_p_limbs
+pol commit sel_use_num_limbs;
+#[GET_MAX_LIMBS]
+sel_gas_to_radix { /*num_limbs=*/register[2], num_p_limbs, sel_use_num_limbs }
+in
+gt.sel { gt.input_a, gt.input_b, gt.res };
+
+#[DYN_L2_FACTOR_TO_RADIX_BE] // num_limbs > num_p_limbs ? num_limbs : num_p_limbs
+sel_gas_to_radix * ((/*num_limbs=*/register[2] - num_p_limbs) * sel_use_num_limbs + num_p_limbs - dynamic_l2_gas_factor) = 0;
+
+//////////////////////////////////////////
+// SSTORE, Dynamic L2 Gas Calculation
+//////////////////////////////////////////
 // We can probably unconditionally write to the written_public_data_slots_tree here
 // to avoid writing later in opcode execution, since the root would be reverted if it errors before
 // the opcode execution. However, this feels like an early optimization
@@ -315,6 +371,9 @@ sel_gas_sstore {
     written_public_data_slots_tree_check.root
 };
 
+// todo(ilyas): we are going to need these kinds of checks in general as well
+// i.e. opcodes without dynamic components need to assert dyn_l2 & dyn_da are zero
+// i.e. opcodes with only a single dynamic components need to assert the others are zero.
 #[SSTORE_DYN_L2_GAS_IS_ZERO]
 sel_execute_sstore * dynamic_l2_gas_factor = 0;
 

barretenberg/cpp/pil/vm2/opcodes/external_call.pil

@@ -5,6 +5,9 @@ namespace execution;
 // Register 2 contains allocated da gas
 // Register 3 contains the address of the contract to call
 
+#[skippable_if]
+sel_enter_call = 0;
+
 // TODO: Remove this as a column when we can lookup with constants
 pol commit constant_32;
 sel_enter_call * (32 - constant_32) = 0;

barretenberg/cpp/pil/vm2/precomputed.pil

@@ -96,9 +96,11 @@ pol constant opcode_out_of_range;
 
 // Used for getting the number of safe limbs for a given radix.
 // The selector is on for 1 < clk <= 256
-pol constant sel_to_radix_safe_limbs;
+pol constant sel_to_radix_p_limb_counts;
 // Number of safe limbs for a given radix=clk.
 pol constant to_radix_safe_limbs;
+// Number of limbs for the decomposition of p given a radix
+pol constant to_radix_num_limbs_for_p;
 
 // Radix decompositions of P.
 pol constant sel_p_decomposition;

barretenberg/cpp/pil/vm2/to_radix.pil

@@ -139,7 +139,7 @@ namespace to_radix;
     #[FETCH_SAFE_LIMBS]
     start { radix, safe_limbs }
     in
-    precomputed.sel_to_radix_safe_limbs
+    precomputed.sel_to_radix_p_limb_counts
         { precomputed.clk, precomputed.to_radix_safe_limbs };
 
     pol commit is_unsafe_limb;