Circuit soundness bug: unchecked program counter

[adr1anh]

The function get_from_vec_alloc_relaxed_r1cs does not check that program_counter is valid (i.e. in the range { $0,1,\ldots, \ell-1 $}. If program_counter is outside this range, the function returns the first RelaxedR1CSInstance by default.

This can be fixed by enforcing that the sum of all equal_bits (including one for the first instance) is 1. This ensures that exactly one of the equal_bits is set, and therefore program_counter is in the correct range.
Another possibility would be to ensure the returned index is equal to the input target_index.

Since the returned index is the same as the input target_index, it is not necessary for the function to return it. Instead, the function could return a vector of the equal_bits, which are already recomputed during the computation of U_next.

[adr1anh]

The comment in /src/supernova/circuit.rs#L420-L437 explains that ignoring the range constraint on last_augmented_circuit_index is fine, since this would make the first running instance unsatisfiable with high probability. It is not clear that this always holds for every combination of circuits.

In the fix, this comment should probably be removed.