Remove extra SHL/SHR CTL. #1270
Conversation
evm/src/arithmetic/mod.rs
Outdated
| let shifted_input1 = if input1.bits() <= 32 { | ||
| U256::one() << input1 | ||
| } else { | ||
| U256::zero() | ||
| }; | ||
| input0.overflowing_mul(shifted_input1).0 |
There was a problem hiding this comment.
Hmm, are you sure this is right? Maybe I'm missing something, but I would have expected this to be
| let shifted_input1 = if input1.bits() <= 32 { | |
| U256::one() << input1 | |
| } else { | |
| U256::zero() | |
| }; | |
| input0.overflowing_mul(shifted_input1).0 | |
| if input0 < U256::from(256usize) { | |
| input1 << input0 | |
| } else { | |
| U256::zero() | |
| } |
as in
plonky2/evm/src/cpu/kernel/interpreter.rs
Line 673 in 51eb7c0
If your implementation is correct, could you please document (i) why the argument order is reversed (cf. https://www.evm.codes/#1b?fork=shanghai) and (ii) why you limit input1 to 2^32 rather than 256? Thanks!
On the other hand, if my suggestion is correct, then we should probably expand the test suite since it would be a bit concerning that this wasn't caught!
There was a problem hiding this comment.
The argument order for the generation on the Arithmetic side was indeed reversed: I fixed this.
I limited input1 to 2^32 bits (mistakenly) basing my code on this piece of code in operation.rs:
if input0.bits() <= 32 {
let (_, read) = mem_read_gp_with_log_and_fill(LOOKUP_CHANNEL, lookup_addr, state, &mut row);
state.traces.push_memory(read);
} else {
// The shift constraints still expect the address to be set, even though no read will occur.
let channel = &mut row.mem_channels[LOOKUP_CHANNEL];
channel.addr_context = F::from_canonical_usize(lookup_addr.context);
channel.addr_segment = F::from_canonical_usize(lookup_addr.segment);
channel.addr_virtual = F::from_canonical_usize(lookup_addr.virt);
}
where we carry out a memory read if the number of bits is less than 32. I changed the limitation to 16 bits in the new version, but I was wondering why there was a difference between the memory reads and the limit in shift?
evm/src/arithmetic/mod.rs
Outdated
| let shifted_input1 = if input1.bits() <= 32 { | ||
| U256::one() << input1 | ||
| } else { | ||
| U256::zero() | ||
| }; | ||
| if shifted_input1.is_zero() { | ||
| U256::zero() | ||
| } else { | ||
| input0 / shifted_input1 | ||
| } |
There was a problem hiding this comment.
Similar concern to BinaryOperator::Shl above. I would have expected this to be
| let shifted_input1 = if input1.bits() <= 32 { | |
| U256::one() << input1 | |
| } else { | |
| U256::zero() | |
| }; | |
| if shifted_input1.is_zero() { | |
| U256::zero() | |
| } else { | |
| input0 / shifted_input1 | |
| } | |
| input1 >> input0 |
as in
plonky2/evm/src/cpu/kernel/interpreter.rs
Line 683 in 51eb7c0
Note that, in any case, we can just use the U256 arithmetic operations here rather than mimicking the way the values are verified later (e.g. shifted_input1 is not used elsewhere).
evm/src/arithmetic/shift.rs
Outdated
| // The second register holds the input which needs shifting. | ||
| u256_to_array(&mut lv[INPUT_REGISTER_1], input); | ||
| u256_to_array(&mut lv[OUTPUT_REGISTER], result); | ||
| // If `shift > 2^32`, the shifted displacement is set to 0. |
There was a problem hiding this comment.
| // If `shift > 2^32`, the shifted displacement is set to 0. | |
| // If `shift >= 256`, the shifted displacement is set to 0. |
evm/src/arithmetic/shift.rs
Outdated
| lv[IS_SHR] = F::ZERO; | ||
|
|
||
| for _i in 0..N_RND_TESTS { | ||
| let shift = U256::from(rng.gen::<usize>()); |
There was a problem hiding this comment.
If shift is a random usize-sized value, then the probability that it is less than 256 is about 2^-56. :)
| let shift = U256::from(rng.gen::<usize>()); | |
| let shift = U256::from(rng.gen::<u8>()); |
Probably better to have a separate test for big shifts where the expected result is zero.
evm/src/arithmetic/shift.rs
Outdated
| U256::from(lv[ai].to_canonical_u64()) + full_input * U256::from(1 << 16); | ||
| } | ||
|
|
||
| let output = full_input * shifted; |
There was a problem hiding this comment.
Note that making the suggested change of usize to u8 above triggers an overflow exception on this line. Probably easiest to just do
| let output = full_input * shifted; | |
| let output = full_input << shift; |
…est. Fix max number of bit shifts. Cleanup.
|
@unzvfu Thank you for your review! As suggested in one of the comments, I added separate tests for |
|
Just a side note on my latest commit and comment: the shift issue on main was causing a couple of tests to fail in evm-tests ( |
evm/src/arithmetic/divmod.rs
Outdated
|
|
||
| /// Verify that num = quo * den + rem and 0 <= rem < den. | ||
| fn eval_packed_divmod_helper<P: PackedField>( | ||
| pub fn eval_packed_divmod_helper<P: PackedField>( |
There was a problem hiding this comment.
Nit:
| pub fn eval_packed_divmod_helper<P: PackedField>( | |
| pub(crate) fn eval_packed_divmod_helper<P: PackedField>( |
evm/src/arithmetic/mul.rs
Outdated
| let input1 = read_value_i64_limbs(lv, INPUT_REGISTER_1); | ||
|
|
||
| /// Given the two limbs of `left_in` and `right_in`, computes `left_in * right_in`. | ||
| pub fn generate_mul<F: PrimeField64>(lv: &mut [F], left_in: [i64; 16], right_in: [i64; 16]) { |
There was a problem hiding this comment.
Nit:
| pub fn generate_mul<F: PrimeField64>(lv: &mut [F], left_in: [i64; 16], right_in: [i64; 16]) { | |
| pub(crate) fn generate_mul<F: PrimeField64>(lv: &mut [F], left_in: [i64; 16], right_in: [i64; 16]) { |
evm/src/arithmetic/mul.rs
Outdated
| eval_packed_generic_mul(lv, is_mul, input0_limbs, input1_limbs, yield_constr); | ||
| } | ||
|
|
||
| pub fn eval_ext_mul_circuit<F: RichField + Extendable<D>, const D: usize>( |
There was a problem hiding this comment.
Nit:
| pub fn eval_ext_mul_circuit<F: RichField + Extendable<D>, const D: usize>( | |
| pub(crate) fn eval_ext_mul_circuit<F: RichField + Extendable<D>, const D: usize>( |
evm/src/arithmetic/mul.rs
Outdated
| generate_mul(lv, input0, input1); | ||
| } | ||
|
|
||
| pub fn eval_packed_generic_mul<P: PackedField>( |
There was a problem hiding this comment.
Nit:
| pub fn eval_packed_generic_mul<P: PackedField>( | |
| pub(crate) fn eval_packed_generic_mul<P: PackedField>( |
evm/src/arithmetic/shift.rs
Outdated
| /// The logic is the same as the one for MUL. The only difference is that | ||
| /// the inputs are in `INPUT_REGISTER_1` and `INPUT_REGISTER_2` instead of | ||
| /// `INPUT_REGISTER_0` and `INPUT_REGISTER_1`. | ||
| pub fn eval_packed_shl<P: PackedField>( |
There was a problem hiding this comment.
Nit:
| pub fn eval_packed_shl<P: PackedField>( | |
| fn eval_packed_shl<P: PackedField>( |
evm/src/arithmetic/shift.rs
Outdated
| eval_packed_shr(lv, nv, yield_constr); | ||
| } | ||
|
|
||
| pub fn eval_ext_circuit_shl<F: RichField + Extendable<D>, const D: usize>( |
There was a problem hiding this comment.
Nit:
| pub fn eval_ext_circuit_shl<F: RichField + Extendable<D>, const D: usize>( | |
| fn eval_ext_circuit_shl<F: RichField + Extendable<D>, const D: usize>( |
evm/src/arithmetic/shift.rs
Outdated
| ); | ||
| } | ||
|
|
||
| pub fn eval_ext_circuit_shr<F: RichField + Extendable<D>, const D: usize>( |
There was a problem hiding this comment.
Nit:
| pub fn eval_ext_circuit_shr<F: RichField + Extendable<D>, const D: usize>( | |
| fn eval_ext_circuit_shr<F: RichField + Extendable<D>, const D: usize>( |
This PR changes the way SHL and SHR are generated so that all the CPU CTLs looking into
ArithmeticStarkhave the same form, and we can save one CTL.Here, shift operations are generated on the arithmetic side rather on the CPU side. This leads to specific constraints for the shift operations, since now, the first input is
shiftrather than1 << shift.The three input registers are used in the Arithmetic STARK: the first is
shift, the second is the input, and the third is1 << shift.This way, we can have the same CTL shape for all arithmetic operations, and it removes the special shift CTL.
@unzvfu Would mind looking at this if you have the time?