feat(AVM)!: Implement bytecodes limit in circuit (#16684)

Implements bytecodes limit in circuit via a transient tree

Author: sirasistant

barretenberg/cpp/pil/vm2/bytecode/bc_retrieval.pil

@@ -61,10 +61,15 @@ pol commit private_function_root;
 // These should be looked up and constrained by the caller.
 pol commit public_data_tree_root;
 pol commit nullifier_tree_root;
+pol commit prev_retrieved_bytecodes_tree_root;
+pol commit prev_retrieved_bytecodes_tree_size;
+
+// next state
+pol commit next_retrieved_bytecodes_tree_root;
+pol commit next_retrieved_bytecodes_tree_size;
 
 pol commit instance_exists;
-// The only error that can happen is if the nullifier does not exist.
-error = sel * (1 - instance_exists);
+instance_exists * (1 - instance_exists) = 0;
 
 #[CONTRACT_INSTANCE_RETRIEVAL]
 sel {
@@ -81,11 +86,45 @@ sel {
     contract_instance_retrieval.nullifier_tree_root
 };
 
+pol commit no_remaining_bytecodes;
+no_remaining_bytecodes * (1 - no_remaining_bytecodes) = 0;
+
+// The tree size is 1 (AVM_RETRIEVED_BYTECODES_TREE_INITIAL_SIZE) + retrieved_bytecodes_count
+pol REMAINING_BYTECODES = constants.MAX_PUBLIC_CALLS_TO_UNIQUE_CONTRACT_CLASS_IDS + constants.AVM_RETRIEVED_BYTECODES_TREE_INITIAL_SIZE - prev_retrieved_bytecodes_tree_size;
+
+pol commit remaining_bytecodes_inv;
+
+#[NO_REMAINING_BYTECODES]
+sel * (REMAINING_BYTECODES * (no_remaining_bytecodes * (1 - remaining_bytecodes_inv) + remaining_bytecodes_inv) - 1 + no_remaining_bytecodes) = 0;
+
+pol commit is_new_class;
+
+#[IS_NEW_CLASS_CHECK]
+instance_exists {
+    current_class_id,
+    is_new_class,
+    prev_retrieved_bytecodes_tree_root
+} in retrieved_bytecodes_tree_check.sel {
+    retrieved_bytecodes_tree_check.class_id,
+    retrieved_bytecodes_tree_check.leaf_not_exists,
+    retrieved_bytecodes_tree_check.root
+};
+
+sel * (1 - instance_exists) * is_new_class = 0;
+
+pol TOO_MANY_BYTECODES = no_remaining_bytecodes * is_new_class;
+
+// We error if instance doesn't exist or if we have too many bytecodes.
+sel * (instance_exists * (1 - TOO_MANY_BYTECODES) - (1 - error)) = 0;
+
+pol commit should_retrieve;
+should_retrieve = sel * (1 - error);
+
 // Observe the following also connects the current_class_id of the instance to the class members.
 // Note: only need to derive the class id if the instance exists.
 // TODO: Probably some latch is also needed.
 #[CLASS_ID_DERIVATION]
-instance_exists {
+should_retrieve {
   current_class_id,
   artifact_hash,
   private_function_root,
@@ -97,20 +136,42 @@ instance_exists {
   class_id_derivation.public_bytecode_commitment
 };
 
+#[RETRIEVED_BYTECODES_INSERTION]
+should_retrieve {
+    current_class_id,
+    should_retrieve, // 1
+    prev_retrieved_bytecodes_tree_root,
+    prev_retrieved_bytecodes_tree_size,
+    next_retrieved_bytecodes_tree_root,
+    next_retrieved_bytecodes_tree_size
+} in retrieved_bytecodes_tree_check.sel {
+    retrieved_bytecodes_tree_check.class_id,
+    retrieved_bytecodes_tree_check.write,
+    retrieved_bytecodes_tree_check.root,
+    retrieved_bytecodes_tree_check.tree_size_before_write,
+    retrieved_bytecodes_tree_check.write_root,
+    retrieved_bytecodes_tree_check.tree_size_after_write
+};
+
 // TODO(dbanks12): re-enable once C++ and PIL use standard poseidon2 hashing for bytecode commitments.
-// Note: only need to hash the bytecode if the instance exists. Otherwise there is nothing to hash!
+// Note: only need to hash the bytecode if there is no error. Otherwise there is nothing to hash!
 //#[BYTECODE_HASH_IS_CORRECT]
-//instance_exists { bytecode_id, /*public_bytecode_commitment=*/ bytecode_id } in bc_hashing.latch { bc_hashing.bytecode_id, bc_hashing.output_hash };
+//should_retrieve { bytecode_id, /*public_bytecode_commitment=*/ bytecode_id } in bc_hashing.latch { bc_hashing.bytecode_id, bc_hashing.output_hash };
 
-// If class ID derivation is disabled (instance does not exist), force all members to 0.
+// If instance does not exist, force current_class_id to 0.
 #[CURRENT_CLASS_ID_IS_ZERO_IF_INSTANCE_DOES_NOT_EXIST]
 sel * (1 - instance_exists) * (current_class_id - 0) = 0;
-#[ARTIFACT_HASH_IS_ZERO_IF_INSTANCE_DOES_NOT_EXIST]
-sel * (1 - instance_exists) * (artifact_hash - 0) = 0;
-#[PRIVATE_FUNCTION_ROOT_IS_ZERO_IF_INSTANCE_DOES_NOT_EXIST]
-sel * (1 - instance_exists) * (private_function_root - 0) = 0;
-#[BYTECODE_ID_IS_ZERO_IF_INSTANCE_DOES_NOT_EXIST]
-sel * (1 - instance_exists) * (bytecode_id - 0) = 0;
+// If class ID derivation is disabled (error), force other members to 0.
+#[ARTIFACT_HASH_IS_ZERO_IF_ERROR]
+error * (artifact_hash - 0) = 0;
+#[PRIVATE_FUNCTION_ROOT_IS_ZERO_IF_ERROR]
+error * (private_function_root - 0) = 0;
+#[BYTECODE_ID_IS_ZERO_IF_ERROR]
+error * (bytecode_id - 0) = 0;
+
+// On error, constrain next root and size to be the same as the previous ones.
+error * (next_retrieved_bytecodes_tree_root - prev_retrieved_bytecodes_tree_root) = 0;
+error * (next_retrieved_bytecodes_tree_size - prev_retrieved_bytecodes_tree_size) = 0;
 
 // Note: we don't need to silo and check the class id because the deployer contract guarrantees
 // that if a contract instance exists, the class has been registered.

barretenberg/cpp/pil/vm2/constants_gen.pil

@@ -145,6 +145,9 @@ namespace constants;
     pol AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_HEIGHT = 6;
     pol AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_ROOT = 18291678969210913367302010540259942201271604198321103848479209155223586227821;
     pol AVM_WRITTEN_PUBLIC_DATA_SLOTS_TREE_INITIAL_SIZE = 1;
+    pol AVM_RETRIEVED_BYTECODES_TREE_HEIGHT = 5;
+    pol AVM_RETRIEVED_BYTECODES_TREE_INITIAL_ROOT = 7257575663883662864904159007845791361042428565864275462740313586853981161757;
+    pol AVM_RETRIEVED_BYTECODES_TREE_INITIAL_SIZE = 1;
     pol TIMESTAMP_OF_CHANGE_BIT_SIZE = 32;
     pol UPDATES_DELAYED_PUBLIC_MUTABLE_VALUES_LEN = 3;
     pol UPDATES_DELAYED_PUBLIC_MUTABLE_METADATA_BIT_SIZE = 144;

barretenberg/cpp/pil/vm2/context.pil

@@ -83,6 +83,9 @@ namespace execution;
     // L1 to L2 tree doesn't evolve during execution of the AVM
     pol commit l1_l2_tree_root;
 
+    pol commit prev_retrieved_bytecodes_tree_root;
+    pol commit prev_retrieved_bytecodes_tree_size;
+
     // Next Tree State
     pol commit note_hash_tree_root; // TODO: Constrain root, sizes and emitted not changing unless specific opcode selectors are on
     pol commit note_hash_tree_size;
@@ -98,6 +101,9 @@ namespace execution;
     pol commit written_public_data_slots_tree_root;
     pol commit written_public_data_slots_tree_size;
 
+    pol commit retrieved_bytecodes_tree_root;
+    pol commit retrieved_bytecodes_tree_size;
+
     // Prev side effects state
     pol commit prev_num_unencrypted_logs;
     pol commit prev_num_l2_to_l1_messages;
@@ -307,6 +313,13 @@ namespace execution;
     #[PARENT_DA_GAS_USED_STORE_ON_ENTER]
     NOT_LAST_EXEC * sel_enter_call * (parent_da_gas_used' - da_gas_used) = 0;
 
+    // The state of the retrieved bytecodes tree should be continuous unless we have finished an enqueued call
+    // The tx trace looks up the tree state at the start and end of an enqueued call
+    #[RETRIEVED_BYTECODES_TREE_ROOT_CONTINUITY]
+    sel * (1 - enqueued_call_end) * (retrieved_bytecodes_tree_root - prev_retrieved_bytecodes_tree_root') = 0;
+    #[RETRIEVED_BYTECODES_TREE_SIZE_CONTINUITY]
+    sel * (1 - enqueued_call_end) * (retrieved_bytecodes_tree_size - prev_retrieved_bytecodes_tree_size') = 0;
+
     #[CTX_STACK_CALL]
     sel_enter_call {
         next_context_id,
@@ -333,6 +346,7 @@ namespace execution;
         public_data_tree_size,
         written_public_data_slots_tree_root,
         written_public_data_slots_tree_size,
+        // Retrieved bytecodes tree is not commited and restored, since it's a tx global state.
         num_unencrypted_logs,
         num_l2_to_l1_messages
     } in

barretenberg/cpp/pil/vm2/execution.pil

@@ -28,6 +28,7 @@ include "trees/nullifier_check.pil";
 include "trees/public_data_check.pil";
 include "trees/written_public_data_slots_tree_check.pil";
 include "trees/l1_to_l2_message_tree_check.pil";
+include "trees/retrieved_bytecodes_tree_check.pil";
 
 include "bytecode/address_derivation.pil";
 include "bytecode/bc_decomposition.pil";
@@ -108,12 +109,20 @@ sel_first_row_in_context {
     contract_address,
     prev_nullifier_tree_root, // from context.pil
     prev_public_data_tree_root, // from context.pil
+    prev_retrieved_bytecodes_tree_root, // from context.pil
+    prev_retrieved_bytecodes_tree_size, // from context.pil
+    retrieved_bytecodes_tree_root, // from context.pil
+    retrieved_bytecodes_tree_size, // from context.pil
     sel_bytecode_retrieval_failure
 } in bc_retrieval.sel {
     bc_retrieval.bytecode_id,
     bc_retrieval.address,
     bc_retrieval.nullifier_tree_root,
     bc_retrieval.public_data_tree_root,
+    bc_retrieval.prev_retrieved_bytecodes_tree_root,
+    bc_retrieval.prev_retrieved_bytecodes_tree_size,
+    bc_retrieval.next_retrieved_bytecodes_tree_root,
+    bc_retrieval.next_retrieved_bytecodes_tree_size,
     bc_retrieval.error
 };
 
@@ -641,6 +650,11 @@ sel * (1 - sel_execute_emit_nullifier) * (prev_num_nullifiers_emitted - num_null
 sel * (1 - sel_execute_emit_unencrypted_log) * (prev_num_unencrypted_logs - num_unencrypted_logs) = 0;
 #[NUM_L2_TO_L1_MESSAGES_NOT_CHANGED]
 sel * (1 - sel_execute_send_l2_to_l1_msg) * (prev_num_l2_to_l1_messages - num_l2_to_l1_messages) = 0;
+// Retrieved bytecodes tree state can only change in the first row of a new context
+#[RETRIEVED_BYTECODES_TREE_ROOT_NOT_CHANGED]
+sel * (1 - sel_first_row_in_context) * (prev_retrieved_bytecodes_tree_root - retrieved_bytecodes_tree_root) = 0;
+#[RETRIEVED_BYTECODES_TREE_SIZE_NOT_CHANGED]
+sel * (1 - sel_first_row_in_context) * (prev_retrieved_bytecodes_tree_size - retrieved_bytecodes_tree_size) = 0;
 
 // Some opcodes cannot fail during opcode execution. They should not be able to set sel_opcode_error.
 // Note that some of these opcodes can fail in the stages before execution.

barretenberg/cpp/pil/vm2/trees/retrieved_bytecodes_tree_check.pil

@@ -0,0 +1,150 @@
+include "merkle_check.pil";
+
+include "../ff_gt.pil";
+include "../poseidon2_hash.pil";
+include "../constants_gen.pil";
+include "../precomputed.pil";
+
+// This gadget is used to track the unique class ids that have been retrieved in the TX.
+// It's a transient indexed tree that starts empty (with a prefill) on every transaction,
+// and it's discarded at the end of the transaction execution.
+// The leaves only contain the class id and the indexed tree pointers.
+//
+// Read usage:
+// sel {
+//     class_id,
+//     leaf_not_exists,
+//     retrieved_bytecodes_tree_root
+// } in retrieved_bytecodes_tree_check.sel {
+//     retrieved_bytecodes_tree_check.class_id,
+//     retrieved_bytecodes_tree_check.leaf_not_exists,
+//     retrieved_bytecodes_tree_check.root
+// };
+//
+// Write usage:
+// sel {
+//     class_id,
+//     sel, // 1
+//     prev_retrieved_bytecodes_tree_root,
+//     prev_retrieved_bytecodes_tree_size,
+//     next_retrieved_bytecodes_tree_root,
+//     next_retrieved_bytecodes_tree_size
+// } in retrieved_bytecodes_tree_check.sel {
+//     retrieved_bytecodes_tree_check.class_id,
+//     retrieved_bytecodes_tree_check.write,
+//     retrieved_bytecodes_tree_check.root,
+//     retrieved_bytecodes_tree_check.tree_size_before_write,
+//     retrieved_bytecodes_tree_check.write_root,
+//     retrieved_bytecodes_tree_check.tree_size_after_write
+// };
+
+namespace retrieved_bytecodes_tree_check;
+    pol commit sel;
+    sel * (1 - sel) = 0;
+
+    #[skippable_if]
+    sel = 0;
+
+    // Inputs to the gadget
+    pol commit write;
+    write * (1 - write) = 0;
+    pol READ = 1 - write;
+
+    pol commit class_id;
+    pol commit root;
+    pol commit leaf_not_exists;
+    leaf_not_exists * (1 - leaf_not_exists) = 0;
+    pol EXISTS = 1 - leaf_not_exists;
+
+    // Write specific inputs
+    pol commit write_root;
+    pol commit tree_size_before_write;
+    pol commit tree_size_after_write;
+
+    // Hints
+    pol commit low_leaf_class_id;
+    pol commit low_leaf_next_index;
+    pol commit low_leaf_next_class_id;
+
+    pol commit updated_low_leaf_next_index;
+    pol commit updated_low_leaf_next_class_id;
+
+    pol commit low_leaf_index;
+
+    // ========= HANDLE REDUNDANT WRITES  =========
+    pol commit should_insert;
+    should_insert = write * leaf_not_exists;
+    // On a failing write, the root must not change
+    write * EXISTS * (root - write_root) = 0;
+
+    tree_size_after_write = tree_size_before_write + should_insert;
+
+    // ========= COMPUTE LOW LEAF UPDATE =========
+    should_insert * (tree_size_before_write - updated_low_leaf_next_index) = 0;
+    should_insert * (class_id - updated_low_leaf_next_class_id) = 0;
+
+    // ========= LOW LEAF MERKLE CHECK =========
+    pol commit low_leaf_hash;
+    // The intermediate root is the root of the tree after the low leaf update but before the new leaf is inserted.
+    pol commit intermediate_root;
+    // TODO: We need this temporarily while we do not allow for aliases in the lookup tuple
+    pol commit tree_height;
+    sel * (constants.AVM_RETRIEVED_BYTECODES_TREE_HEIGHT - tree_height) = 0;
+
+    #[LOW_LEAF_POSEIDON2]
+    sel { sel, low_leaf_class_id, low_leaf_next_class_id, low_leaf_next_index, low_leaf_hash }
+    in poseidon2_hash.end { poseidon2_hash.start, poseidon2_hash.input_0, poseidon2_hash.input_1, poseidon2_hash.input_2, poseidon2_hash.output };
+
+    pol commit updated_low_leaf_hash;
+
+    #[UPDATED_LOW_LEAF_POSEIDON2]
+    should_insert { sel, low_leaf_class_id, updated_low_leaf_next_class_id, updated_low_leaf_next_index, updated_low_leaf_hash }
+    in poseidon2_hash.end { poseidon2_hash.start, poseidon2_hash.input_0, poseidon2_hash.input_1, poseidon2_hash.input_2, poseidon2_hash.output };
+
+    #[LOW_LEAF_MERKLE_CHECK]
+    sel { should_insert, low_leaf_hash, updated_low_leaf_hash,
+        low_leaf_index, tree_height, root, intermediate_root }
+    in merkle_check.start { merkle_check.write, merkle_check.read_node, merkle_check.write_node,
+        merkle_check.index, merkle_check.path_len, merkle_check.read_root, merkle_check.write_root };
+
+    // ========= LOW LEAF VALIDATION =========
+    pol commit class_id_low_leaf_class_id_diff_inv;
+    pol CLASS_ID_LOW_LEAF_CLASS_ID_DIFF = class_id - low_leaf_class_id;
+
+    // CLASS_ID_LOW_LEAF_CLASS_ID_DIFF == 0 <==> EXISTS == 1
+    #[EXISTS_CHECK]
+    sel * (CLASS_ID_LOW_LEAF_CLASS_ID_DIFF * (EXISTS * (1 - class_id_low_leaf_class_id_diff_inv) + class_id_low_leaf_class_id_diff_inv) - 1 + EXISTS) = 0;
+
+    // If the leaf doesn't exist, we need to validate that the class id is greater than the low leaf class id
+
+    #[LOW_LEAF_CLASS_ID_VALIDATION]
+    leaf_not_exists { class_id, low_leaf_class_id, sel }
+    in ff_gt.sel_gt { ff_gt.a, ff_gt.b, ff_gt.result };
+
+    // If next class id is not zero (which would be infinity), it has to be greater than the class id.
+    // We commit next_class_id_is_nonzero instead of next_class_id_is_zero since it'll be used as a selector for a lookup
+    pol commit next_class_id_is_nonzero;
+    next_class_id_is_nonzero * (1 - next_class_id_is_nonzero) = 0;
+    pol NEXT_CLASS_ID_IS_ZERO = 1 - next_class_id_is_nonzero;
+
+    pol commit next_class_id_inv;
+    #[NEXT_CLASS_ID_IS_ZERO_CHECK]
+    leaf_not_exists * (low_leaf_next_class_id * (NEXT_CLASS_ID_IS_ZERO * (1 - next_class_id_inv) + next_class_id_inv) - 1 + NEXT_CLASS_ID_IS_ZERO) = 0;
+
+    #[LOW_LEAF_NEXT_CLASS_ID_VALIDATION]
+    next_class_id_is_nonzero { low_leaf_next_class_id, class_id, sel }
+    in ff_gt.sel_gt { ff_gt.a, ff_gt.b, ff_gt.result };
+
+    // ========= NEW LEAF INSERTION =========
+    pol commit new_leaf_hash;
+
+    #[NEW_LEAF_POSEIDON2]
+    should_insert { sel, class_id, low_leaf_next_class_id, low_leaf_next_index, new_leaf_hash }
+    in poseidon2_hash.end { poseidon2_hash.start, poseidon2_hash.input_0, poseidon2_hash.input_1, poseidon2_hash.input_2, poseidon2_hash.output };
+
+    #[NEW_LEAF_MERKLE_CHECK]
+    should_insert { sel, precomputed.zero, new_leaf_hash,
+        tree_size_before_write, tree_height, intermediate_root, write_root }
+    in merkle_check.start { merkle_check.write, merkle_check.read_node, merkle_check.write_node,
+        merkle_check.index, merkle_check.path_len, merkle_check.read_root, merkle_check.write_root };
+