Description
A very deeply hidden bug appears only on GCC/G++ 11.x when the internal libsnark is compiled using highly optimized assembly implementations. It is not the default compilation behavior for Komodod from the KomodoPlatform, but it was always (implicitly) the default build behavior for KomodoOcean.
Steps to reproduce:
- Install Ubuntu 22.04.2 LTS, which has `g++ (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0` by default.
- Clone the https://github.com/KomodoPlatform/komodo repo, `master` branch.
- Enable assembly optimisations for the `libsnark` build by building the daemon with:
  CONFIGURE_FLAGS='CXXFLAGS=-DUSE_ASM=1' zcutil/build.sh -j$(nproc)
  The preprocessor directive `USE_ASM` is the default for KomodoOcean, as it is used in other sources, not only libsnark, and it is set from config/bitcoin-config.h by default.
- Try to sync the `SUPERNET` assetchain or any other chain which has `sprout` involved transactions:
  ./src/komodod -ac_name=SUPERNET -ac_supply=816061
- You will get an error like this:
2023-07-11 15:01:07 receive version message: /MagicBean:0.8.0beta1/: version 170012, blocks=2600141, us=1.1.1.1:53908, peer=13
2023-07-11 15:01:07 Added time data, samples 13, offset +0 (+0 minutes)
2023-07-11 15:01:07 UpdateTip: new best=000114edf65c405771c40e90b8ac5d626a50c8d497b28b0814dbc0863df4d3ea height=28746 log2_work=29.498648 tx=41966 date=2018-01-02 21:14:21 progress=0.011056 cache=0.6MiB(2766tx)
2023-07-11 15:01:07 UpdateTip: new best=0001a6c23d96b6a2217040bd5c501b1591481ade182994cac84e5ba826cb9101 height=28747 log2_work=29.498712 tx=41967 date=2018-01-02 21:14:50 progress=0.011056 cache=0.6MiB(2767tx)
2023-07-11 15:01:07 UpdateTip: new best=000078d5165eafa590b7fe09cd9d88643b9da07153705c4e768266e20065406a height=28748 log2_work=29.498776 tx=41969 date=2018-01-02 21:16:27 progress=0.011056 cache=0.6MiB(2769tx)
2023-07-11 15:01:07 ERROR: CheckTransaction(): joinsplit does not verify
2023-07-11 15:01:07 ERROR: CheckBlock: CheckTransaction failed
2023-07-11 15:01:07 Misbehaving: 8.8.8.8:11340 (0 -> 100)
2023-07-11 15:01:07 InvalidChainFound: invalid block=0000179a03788e84f5853240a1255816ace966732cf302c1be0869da931f1885 height=28749 log2_work=29.49884 date=2018-01-02 21:17:27
2023-07-11 15:01:07 InvalidChainFound: current best=000078d5165eafa590b7fe09cd9d88643b9da07153705c4e768266e20065406a height=28748 log2_work=29.498776 date=2018-01-02 21:16:27
2023-07-11 15:01:07 ERROR: ConnectTip(): ConnectBlock 0000179a03788e84f5853240a1255816ace966732cf302c1be0869da931f1885 failed
2023-07-11 15:01:07 InvalidChainFound: invalid block=0000179a03788e84f5853240a1255816ace966732cf302c1be0869da931f1885 height=28749 log2_work=29.49884 date=2018-01-02 21:17:27
2023-07-11 15:01:07 InvalidChainFound: current best=000078d5165eafa590b7fe09cd9d88643b9da07153705c4e768266e20065406a height=28748 log2_work=29.498776 date=2018-01-02 21:16:27
2023-07-11 15:01:14 receive version message: /MagicBean:0.8.0beta1/: version 170012, blocks=2600141, us=1.1.1.1:52914, peer=14
2023-07-11 15:01:14 Added time data, samples 14, offset +0 (+0 minutes)
Which means that:
bool operator()(const libzcash::PHGRProof& proof) const
{
// ...
}
returns false on a valid transaction, i.e. `ProofVerifier::check` on `perform_verification` returns false from `r1cs_ppzksnark_online_verifier_strong_IC`.
Of course, the chances that somebody will try to use assembly optimisations for libsnark are very low, but the fact is that in KomodoOcean they are used by default. Furthermore, libsnark compiled even with these optimisations has not had any issues when compiled with gcc 10 from Debian 11. However, gcc 11 seems to have introduced some bug in the library. Additionally, we (and it seems ZCash as well) do not have any proper tests to catch this libsnark behavior and that is the point to consider.
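Until such a test exists, the failure can at least be recognised from the node's log. The following is an added example, not code from Komodo or libsnark: it scans debug.log lines in the format quoted above and flags a sync stall where a joinsplit fails to verify far below the height that peers advertise, which points at the local verifier rather than at the peer being penalised. The function name `triage` and the `min_gap` threshold are assumptions.

```python
import re

# Lines copied from the debug.log excerpt in the report above.
SAMPLE_LOG = """\
2023-07-11 15:01:07 receive version message: /MagicBean:0.8.0beta1/: version 170012, blocks=2600141, us=1.1.1.1:53908, peer=13
2023-07-11 15:01:07 UpdateTip: new best=000078d5165eafa590b7fe09cd9d88643b9da07153705c4e768266e20065406a height=28748 log2_work=29.498776 tx=41969 date=2018-01-02 21:16:27 progress=0.011056 cache=0.6MiB(2769tx)
2023-07-11 15:01:07 ERROR: CheckTransaction(): joinsplit does not verify
2023-07-11 15:01:07 ERROR: CheckBlock: CheckTransaction failed
2023-07-11 15:01:07 Misbehaving: 8.8.8.8:11340 (0 -> 100)
2023-07-11 15:01:07 InvalidChainFound: invalid block=0000179a03788e84f5853240a1255816ace966732cf302c1be0869da931f1885 height=28749 log2_work=29.49884 date=2018-01-02 21:17:27
"""

PEER_HEIGHT = re.compile(r"receive version message: .*\bblocks=(\d+)")
TIP = re.compile(r"UpdateTip: new best=([0-9a-f]+) height=(\d+)")
JS_FAIL = re.compile(r"ERROR: CheckTransaction\(\): joinsplit does not verify")
INVALID = re.compile(r"InvalidChainFound: invalid block=([0-9a-f]+) height=(\d+)")
PENALISED = re.compile(r"Misbehaving: (\S+) \(")


def triage(log_text, min_gap=1000):
    """Flag a sync stall where joinsplit verification fails far below peer height.

    min_gap is an assumed threshold, not a value from the project.
    """
    peer_height = tip_height = 0
    js_fail = False
    invalid, penalised = {}, set()
    for line in log_text.splitlines():
        if m := PEER_HEIGHT.search(line):
            peer_height = max(peer_height, int(m.group(1)))
        elif m := TIP.search(line):
            tip_height = int(m.group(2))
        elif JS_FAIL.search(line):
            js_fail = True
        elif m := INVALID.search(line):
            invalid[m.group(1)] = int(m.group(2))   # block hash -> height
        elif m := PENALISED.search(line):
            penalised.add(m.group(1))
    # Heuristic: a block rejected this far below the height peers report is
    # more likely a local mis-verification than a forged chain from a peer.
    suspect = js_fail and bool(invalid) and peer_height - tip_height >= min_gap
    return {"tip_height": tip_height, "peer_height": peer_height,
            "invalid_blocks": invalid, "penalised_peers": sorted(penalised),
            "suspect_local_verifier": suspect}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A positive result is a reason to rebuild with a different compiler or without `USE_ASM` and resync before trusting the node's view of which peers misbehaved.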