Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bugfixes: R1CS lowering (includes a soundness bugfix) #124

Merged
merged 4 commits into from
Dec 19, 2022
Merged

Bugfixes: R1CS lowering (includes a soundness bugfix) #124

merged 4 commits into from
Dec 19, 2022

Conversation

alex-ozdemir
Copy link
Contributor

Fixes 4 bugs in R1CS lowering:

  • division-by-zero in finite fields: previously, this always caused incompleteness. Now, the behavior depends on the CIRC_RELAXATION envvar:
    • CIRC_RELAXATION=incomplete: divide-by-0 causes incompletenes
    • CIRC_RELAXATION=nondet: divide-by-0 allows the output to take any value
    • CIRC_RELAXATION=det: divide-by-0 forces the output to 0
  • bit-vector overshift: previously, this cause incompleteness. Now, we follow the semantics of SMT-LIB (the result saturates).
  • bit-vector udiv-by-zero: previously, the output value was an unconstrained bit-vector. Now, it is MAX (following SMT-LIB).
  • bit-vector comparisons: previously, the prover could lie, claiming that x < y when actually x >= y. All bit-vector comparisons are affected, including those in udiv and urem.
    • soundness bug!

@alex-ozdemir
Bugfixes: R1CS lowering (includes a soundness bugfix)
f391bac 
Fixes 4 bugs in R1CS lowering:
* division-by-zero in finite fields: previously, this always caused
  incompleteness. Now, the behavior depends on the CIRC_RELAXATION
  envvar:
  * CIRC_RELAXATION=incomplete: divide-by-0 causes incompletenes
  * CIRC_RELAXATION=nondet: divide-by-0 allows the output to take any value
  * CIRC_RELAXATION=det: divide-by-0 forces the output to 0
* bit-vector overshift: previously, this cause incompleteness. Now,
  we follow the semantics of SMT-LIB (the result saturates).
* bit-vector udiv-by-zero: previously, the output value was an
  unconstrained bit-vector. Now, it is MAX (following SMT-LIB).
* bit-vector comparisons: previously, the prover could lie, claiming
  that x < y when actually x >= y. All bit-vector comparisons are
  affected, including those in udiv and urem.
  * soundness bug!
@alex-ozdemir
fmt & lint
7c853a6
@alex-ozdemir
fmt again
6395c44
@alex-ozdemir
change dflt to incomplete
686e5ac
@alex-ozdemir alex-ozdemir merged commit 05b793d into circify:master Dec 19, 2022
@alex-ozdemir alex-ozdemir deleted the fix-r1cs-trans branch December 19, 2022 17:36
alex-ozdemir added a commit that referenced this pull request Dec 20, 2022
@alex-ozdemir
Revert "Bugfixes: R1CS lowering (includes a soundness bugfix) (#124)"
c95b92f 
This reverts commit 05b793d.

Right now Z#'s represents field comparisons and remainders
using 255-bit bit-vectors. Our field-blaster is not intended to be
correct or sound for bit-vectors that are this wide. Previously, a bug
in the field-blaster essentially allowed compilation and proving to
succeed anyway.

With the (reverted) bugfix, the field-blaster crashes.

Ultimately, we want Z# to handle these operations using
range-checks---not bit-vectors. So, I'm reverting the bugfix for now.
@woopuiyung woopuiyung mentioned this pull request Dec 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@alex-ozdemir