Refactor bytecode circuit by leolara · Pull Request #340 · privacy-ethereum/zkevm-specs

leolara · 2022-12-13T11:22:50Z

Closes #151

andyguzmaneth · 2022-12-22T12:14:24Z

@Brechtpd can you assign a reviewer to this task?

Brechtpd · 2022-12-22T16:03:06Z

+    if cur.q_last == 1:
+        assert cur.tag == BytecodeFieldTag.Header


This doesn't seem to check that length and hash are set to the correct empty values (the to_header checks only check the current row values, and these checks are disabled on this row), so maybe only rows on not(q_last) be considered valid for lookup?

@Brechtpd

So perhaps we could have at the beginning:

if cur.q_first == 1 || cur.q_last== 1: assert cur.tag == BytecodeFieldTag.Header

And then apply the main rules to every row including last? That way when it loops from last to first it will check that last is empty?

Is this the right approach in your oponion?

Or how do we express that q_last is not valid for lookup?

I think the approach you propose here would work perfectly if not for unusable rows. But because we still have unusable rows (because zk is enabled) this wrap around cannot be exploited easily (there are rows with random data in between the first and last rows). I think just having a q_enabled column in the circuit that is 1 on all rows with valid data (which with the current code would exclude the q_last row) would be the standard way to do it. So I would say the current code works, but just have to be careful to disable lookups on the q_last row by disabling q_enabled there, so just adding a warning in the spec I think is okay.

I think it'd be easier to to just make sure the length = 0 and hash = EMPTY_HASH when q_last, otherwise it seems we need to add extra computation to the table.

@han0110 @Brechtpd as the last thing that Han said is exactly the header to header check, I did that the last row does that check, as that check does not use the next row it should be ok.

I think it'd be easier to to just make sure the length = 0 and hash = EMPTY_HASH when q_last, otherwise it seems we need to add extra computation to the table.

Yeah I guess the lookup table is safe to use without any additional selector as long as we ensure q_last is set to 1 at the very last usable row.

Brechtpd · 2022-12-22T16:03:49Z

        unroll(bytes([Opcode.ADD, Opcode.PUSH32, Opcode.ADD]), randomness),
    ]
-    verify(k, bytecodes, randomness, True)
+    verify(k, bytecodes, randomness, False)  # Push without data must fail


Should it? I thought this was currently allowed but I could be wrong.

Is it allowed? Is this because we should allow invalid bytecode to run in the EVM as it would? The EVM would rise an exception and revert the transaction?

In that case perhaps we need some changes to the spec.

As far as I know this currently is allowed, future EIPs like EIP-3670 may introduce these kinds of checks but I don't think any checks (except on total bytecode size) are currently being done.

Executing this kind of code will result in a revert (which is totally valid to do), but the bytecode of a smart contract may also just just contain sections that are never used by transactions but still needs to be loaded in.

I think push without data should be allowed and it's will be padded with n zero when EVM really executes this PUSHn.

The reason this case fails here is because there will be next_push_data_left unassigned in the padding rows, we might need to assign it for the first padding row to pass the assert next.push_data_left == cur.push_data_size

@han0110 @Brechtpd what I have done (that it seemed more semantic to me but perhaps there is something wrong) is to only assert assert next.push_data_left == when we are in a Byte -> Byte transition, please let me know if there is something wrong with this approach.

This approach also looks much better to me!

andyguzmaneth · 2022-12-22T16:30:54Z

Thanks for the review! FYI @leolara

Co-authored-by: Brecht Devos <Brechtp.Devos@gmail.com>

han0110

The refactor looks really great and codes look well organized! Nice work! Only left 2 comments that might need to be addressed.

han0110 · 2022-12-29T15:53:37Z

+    if cur.q_last == 1:
+        assert cur.tag == BytecodeFieldTag.Header


I think it'd be easier to to just make sure the length = 0 and hash = EMPTY_HASH when q_last, otherwise it seems we need to add extra computation to the table.

han0110 · 2022-12-29T16:04:27Z

        unroll(bytes([Opcode.ADD, Opcode.PUSH32, Opcode.ADD]), randomness),
    ]
-    verify(k, bytecodes, randomness, True)
+    verify(k, bytecodes, randomness, False)  # Push without data must fail


I think push without data should be allowed and it's will be padded with n zero when EVM really executes this PUSHn.

The reason this case fails here is because there will be next_push_data_left unassigned in the padding rows, we might need to assign it for the first padding row to pass the assert next.push_data_left == cur.push_data_size

Co-authored-by: Han <tinghan0110@gmail.com>

leolara · 2022-12-30T08:55:36Z

@han0110 @Brechtpd please check again :-)

han0110

All LGTM now!

Brechtpd

LGTM, great work!

leolara · 2022-12-31T01:17:41Z

Thanks @han0110 @Brechtpd @ed255

leolara force-pushed the leo/refactor-bytecode-circuit branch from bd55a45 to cde07c3 Compare December 13, 2022 11:23

leolara mentioned this pull request Dec 14, 2022

Refactor Bytecode circuit to be a finite state machine #151

Closed

Refactor bytecode circuit (draft)

4e375e3

leolara force-pushed the leo/refactor-bytecode-circuit branch from cde07c3 to 4e375e3 Compare December 15, 2022 04:56

leolara added 3 commits December 16, 2022 10:53

Use cur instead of curr like in halo2

fdc3372

Fix docs error

d22cde2

Spec in code with tests

b2f05e4

leolara marked this pull request as ready for review December 16, 2022 10:17

leolara added 2 commits December 16, 2022 17:19

Fix linting

8db0f5e

Fix types

dd62265

leolara requested a review from han0110 December 17, 2022 06:36

Fix documentation

f894c72