update libsimplicity to 714b44dafd66ab5d164c9247a0f793c320272162

simplicity-sys/depend/simplicity-HEAD-revision.txt

@@ -1,2 +1,2 @@
 # This file has been automatically generated.
-1b85dc31d80d36dc012755e4369aeeac815476a6
+714b44dafd66ab5d164c9247a0f793c320272162

simplicity-sys/depend/simplicity/Makefile

@@ -1,5 +1,5 @@
 OBJS := bitstream.o cmr.o dag.o deserialize.o eval.o frame.o jets.o jets-secp256k1.o rsort.o sha256.o type.o typeInference.o primitive/elements/env.o primitive/elements/exec.o primitive/elements/ops.o primitive/elements/jets.o primitive/elements/primitive.o
-TEST_OBJS := test.o ctx8Pruned.o ctx8Unpruned.o hashBlock.o schnorr0.o schnorr6.o primitive/elements/checkSigHashAllTx1.o
+TEST_OBJS := test.o ctx8Pruned.o ctx8Unpruned.o hashBlock.o regression4.o schnorr0.o schnorr6.o typeSkipTest.o primitive/elements/checkSigHashAllTx1.o
 
 # From https://fastcompression.blogspot.com/2019/01/compiler-warnings.html
 CWARN := -Werror -Wall -Wextra -Wcast-qual -Wcast-align -Wstrict-aliasing -Wpointer-arith -Winit-self -Wshadow -Wswitch-enum -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wfloat-equal -Wundef -Wconversion
@@ -17,6 +17,9 @@ jets-secp256k1.o: jets-secp256k1.c
 primitive/elements/jets.o: primitive/elements/jets.c
 	$(CC) -c $(CFLAGS) $(CWARN) -Wno-switch-enum -Wswitch $(CPPFLAGS) -o $@ $<
 
+sha256.o: sha256.c
+	$(CC) -c $(CFLAGS) -msha -msse4 $(CWARN) -Wno-cast-align -Wno-sign-conversion $(CPPFLAGS) -o $@ $<
+
 %.o: %.c
 	$(CC) -c $(CFLAGS) $(CWARN) $(CPPFLAGS) -o $@ $<
 

simplicity-sys/depend/simplicity/ctx8Pruned.c

@@ -260,11 +260,10 @@ const unsigned char ctx8Pruned[] = {
 };
 
 const size_t sizeof_ctx8Pruned = sizeof(ctx8Pruned);
-const unsigned char ctx8Pruned_witness[] = {
+const unsigned char ctx8Pruned_witness[] = "";
 
-};
 
-const size_t sizeof_ctx8Pruned_witness = sizeof(ctx8Pruned_witness);
+const size_t sizeof_ctx8Pruned_witness = 0;
 
 /* The commitment Merkle root of the above ctx8Pruned Simplicity expression. */
 const uint32_t ctx8Pruned_cmr[] = {

simplicity-sys/depend/simplicity/ctx8Unpruned.c

@@ -250,11 +250,10 @@ const unsigned char ctx8Unpruned[] = {
 };
 
 const size_t sizeof_ctx8Unpruned = sizeof(ctx8Unpruned);
-const unsigned char ctx8Unpruned_witness[] = {
+const unsigned char ctx8Unpruned_witness[] = "";
 
-};
 
-const size_t sizeof_ctx8Unpruned_witness = sizeof(ctx8Unpruned_witness);
+const size_t sizeof_ctx8Unpruned_witness = 0;
 
 /* The commitment Merkle root of the above ctx8Unpruned Simplicity expression. */
 const uint32_t ctx8Unpruned_cmr[] = {

simplicity-sys/depend/simplicity/dag.c

@@ -502,7 +502,7 @@ simplicity_err fillWitnessData(dag_node* dag, type* type_dag, const size_t len,
         /* Traverse the witness type to parse the witness's compact representation as a bit string. */
         size_t cur = typeSkip(WITNESS_B(dag, type_dag, i), type_dag);
         bool calling = true;
-        type_dag[cur].back = 0;
+        setTypeBack(cur, type_dag, 0);
         while (cur) {
           if (SUM == type_dag[cur].kind) {
             /* Parse one bit and traverse the left type or the right type depending on the value of the bit parsed. */
@@ -512,7 +512,7 @@ simplicity_err fillWitnessData(dag_node* dag, type* type_dag, const size_t len,
             dag[i].compactValue.len++;
             size_t next = typeSkip(type_dag[cur].typeArg[bit], type_dag);
             if (next) {
-              type_dag[next].back = type_dag[cur].back;
+              setTypeBack(next, type_dag, type_dag[cur].back);
               cur = next;
             } else {
               cur = type_dag[cur].back;
@@ -523,17 +523,21 @@ simplicity_err fillWitnessData(dag_node* dag, type* type_dag, const size_t len,
             size_t next;
             if (calling) {
               next = typeSkip(type_dag[cur].typeArg[0], type_dag);
+              /* Note: Because we are using 'typeSkip' we have an invarant on 'cur' such that whenever type_dag[cur].kind == PRODUCT,
+                 then it is a product of two non-trival types.  This implies that 'next' cannot actually be 0. */
               if (next) {
                 /* Traverse the first element of the product type, if it has any data. */
-                type_dag[next].back = cur;
+                setTypeBack(next, type_dag, cur);
                 cur = next;
                 continue;
               }
             }
             next = typeSkip(type_dag[cur].typeArg[1], type_dag);
+            /* Note: Because we are using 'typeSkip' we have an invarant on 'cur' such that whenever type_dag[cur].kind == PRODUCT,
+               then it is a product of two non-trival types.  This implies that 'next' cannot actually be 0. */
             if (next) {
               /* Traverse the second element of the product type, if it has any data. */
-              type_dag[next].back = type_dag[cur].back;
+              setTypeBack(next, type_dag, type_dag[cur].back);
               cur = next;
               calling = true;
             } else {
@@ -550,7 +554,6 @@ simplicity_err fillWitnessData(dag_node* dag, type* type_dag, const size_t len,
          * at least one bit of witness data is required per PRODUCT type encountered.
          * This ought to limit the total number of times through the above loop to no more that 3 * dag[i].witness.len.
          */
-        /* :TODO: build a test case that creates such a long chain of products with unit types for a witness value. */
       }
     }
   }

simplicity-sys/depend/simplicity/eval.c

@@ -158,7 +158,7 @@ static void writeValue(frameItem* dst, const bitstring* compactValue, size_t typ
   size_t cur = typeSkip(typeIx, type_dag);
   size_t offset = 0;
   bool calling = true;
-  type_dag[cur].back = 0;
+  setTypeBack(cur, type_dag, 0);
   while (cur) {
     if (SUM == type_dag[cur].kind) {
       simplicity_debug_assert(calling);
@@ -171,7 +171,7 @@ static void writeValue(frameItem* dst, const bitstring* compactValue, size_t typ
 
       size_t next = typeSkip(type_dag[cur].typeArg[bit], type_dag);
       if (next) {
-        type_dag[next].back = type_dag[cur].back;
+        setTypeBack(next, type_dag, type_dag[cur].back);
         cur = next;
       } else {
         cur = type_dag[cur].back;
@@ -182,17 +182,21 @@ static void writeValue(frameItem* dst, const bitstring* compactValue, size_t typ
       size_t next;
       if (calling) {
         next = typeSkip(type_dag[cur].typeArg[0], type_dag);
+        /* Note: Because we are using 'typeSkip' we have an invarant on 'cur' such that whenever type_dag[cur].kind == PRODUCT,
+           then it is a product of two non-trival types.  This implies that 'next' cannot actually be 0. */
         if (next) {
           /* Traverse the first element of the product type, if it has any data. */
-          type_dag[next].back = cur;
+          setTypeBack(next, type_dag, cur);
           cur = next;
           continue;
         }
       }
       next = typeSkip(type_dag[cur].typeArg[1], type_dag);
+      /* Note: Because we are using 'typeSkip' we have an invarant on 'cur' such that whenever type_dag[cur].kind == PRODUCT,
+         then it is a product of two non-trival types.  This implies that 'next' cannot actually be 0. */
       if (next) {
         /* Traverse the second element of the product type, if it has any data. */
-        type_dag[next].back = type_dag[cur].back;
+        setTypeBack(next, type_dag, type_dag[cur].back);
         cur = next;
         calling = true;
       } else {

simplicity-sys/depend/simplicity/hashBlock.c

@@ -170,11 +170,10 @@ const unsigned char hashBlock[] = {
 };
 
 const size_t sizeof_hashBlock = sizeof(hashBlock);
-const unsigned char hashBlock_witness[] = {
+const unsigned char hashBlock_witness[] = "";
 
-};
 
-const size_t sizeof_hashBlock_witness = sizeof(hashBlock_witness);
+const size_t sizeof_hashBlock_witness = 0;
 
 /* The commitment Merkle root of the above hashBlock Simplicity expression. */
 const uint32_t hashBlock_cmr[] = {

simplicity-sys/depend/simplicity/jets-secp256k1.c

@@ -5,6 +5,25 @@
 #include "sha256.h"
 #include "secp256k1/secp256k1_impl.h"
 
+/* Tests to see if a secp256k1 jacobian point is on curve.
+ *
+ * This function doesn't occur in the libsecp256k1 library, so we implement it here.
+ * We test if the point satisfies the jacobian equation y^2 = x^3 + 7*z^6.
+ *
+ * Warning, the degenerate point (0, 0, 0) is accepted by this definition even though arguably it isn't on curve.
+ * However libsecp256k1 sets the point to (0, 0, 0) when the infinity flag is set See 'secp256k1_gej_set_infinity',
+ * and we end up using it as a canonical representative of infinity.
+ */
+static bool simplicity_gej_is_valid_var(const secp256k1_gej *a) {
+  secp256k1_fe x3, y2, z6;
+  secp256k1_fe_sqr(&y2, &a->y);
+  secp256k1_fe_sqr(&x3, &a->x); secp256k1_fe_mul(&x3, &x3, &a->x);
+  secp256k1_fe_sqr(&z6, &a->z); secp256k1_fe_mul(&z6, &z6, &a->z); secp256k1_fe_sqr(&z6, &z6);
+  secp256k1_fe_mul_int(&z6, 7);
+  secp256k1_fe_add(&x3, &z6);
+  return secp256k1_fe_equal_var(&y2, &x3);
+}
+
 /* Read a secp256k1 field element value from the 'src' frame, advancing the cursor 256 cells.
  *
  * Precondition: '*src' is a valid read frame for 256 more cells;
@@ -467,14 +486,8 @@ bool gej_is_on_curve(frameItem* dst, frameItem src, const txEnv* env) {
   (void) env; // env is unused;
 
   secp256k1_gej a;
-  secp256k1_fe x3, y2, z6;
   read_gej(&a, &src);
-  secp256k1_fe_sqr(&y2, &a.y);
-  secp256k1_fe_sqr(&x3, &a.x); secp256k1_fe_mul(&x3, &x3, &a.x);
-  secp256k1_fe_sqr(&z6, &a.z); secp256k1_fe_mul(&z6, &z6, &a.z); secp256k1_fe_sqr(&z6, &z6);
-  secp256k1_fe_mul_int(&z6, 7);
-  secp256k1_fe_add(&x3, &z6);
-  writeBit(dst, secp256k1_fe_equal_var(&y2, &x3));
+  writeBit(dst, simplicity_gej_is_valid_var(&a));
   return true;
 }
 
@@ -487,7 +500,7 @@ bool ge_is_on_curve(frameItem* dst, frameItem src, const txEnv* env) {
   return true;
 }
 
-bool scale(frameItem* dst, frameItem src, const txEnv* env) {
+bool off_curve_scale(frameItem* dst, frameItem src, const txEnv* env) {
   (void) env; // env is unused;
 
   secp256k1_gej r, a;
@@ -501,6 +514,24 @@ bool scale(frameItem* dst, frameItem src, const txEnv* env) {
   return true;
 }
 
+bool scale(frameItem* dst, frameItem src, const txEnv* env) {
+  (void) env; // env is unused;
+
+  secp256k1_gej r, a;
+  secp256k1_scalar na;
+  static const secp256k1_scalar ng = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
+
+  read_scalar(&na, &src);
+  read_gej(&a, &src);
+  if (simplicity_gej_is_valid_var(&a)) {
+    secp256k1_ecmult(&r, &a, &na, &ng);
+    write_gej(dst, &r);
+    return true;
+  } else {
+    return false;
+  }
+}
+
 bool generate(frameItem* dst, frameItem src, const txEnv* env) {
   (void) env; // env is unused;
 
@@ -515,7 +546,7 @@ bool generate(frameItem* dst, frameItem src, const txEnv* env) {
   return true;
 }
 
-bool linear_combination_1(frameItem* dst, frameItem src, const txEnv* env) {
+bool off_curve_linear_combination_1(frameItem* dst, frameItem src, const txEnv* env) {
   (void) env; // env is unused;
 
   secp256k1_gej r, a;
@@ -529,6 +560,24 @@ bool linear_combination_1(frameItem* dst, frameItem src, const txEnv* env) {
   return true;
 }
 
+bool linear_combination_1(frameItem* dst, frameItem src, const txEnv* env) {
+  (void) env; // env is unused;
+
+  secp256k1_gej r, a;
+  secp256k1_scalar na, ng;
+
+  read_scalar(&na, &src);
+  read_gej(&a, &src);
+  read_scalar(&ng, &src);
+  if (simplicity_gej_is_valid_var(&a)) {
+    secp256k1_ecmult(&r, &a, &na, &ng);
+    write_gej(dst, &r);
+    return true;
+  } else {
+    return false;
+  }
+}
+
 bool linear_verify_1(frameItem* dst, frameItem src, const txEnv* env) {
   (void) dst; // dst is unused;
   (void) env; // env is unused;

simplicity-sys/depend/simplicity/jets.h

@@ -379,8 +379,10 @@ bool gej_x_equiv(frameItem* dst, frameItem src, const txEnv* env);
 bool gej_y_is_odd(frameItem* dst, frameItem src, const txEnv* env);
 bool gej_is_on_curve(frameItem* dst, frameItem src, const txEnv* env);
 bool ge_is_on_curve(frameItem* dst, frameItem src, const txEnv* env);
+bool off_curve_scale(frameItem* dst, frameItem src, const txEnv* env);
 bool scale(frameItem* dst, frameItem src, const txEnv* env);
 bool generate(frameItem* dst, frameItem src, const txEnv* env);
+bool off_curve_linear_combination_1(frameItem* dst, frameItem src, const txEnv* env);
 bool linear_combination_1(frameItem* dst, frameItem src, const txEnv* env);
 bool linear_verify_1(frameItem* dst, frameItem src, const txEnv* env);
 bool decompress(frameItem* dst, frameItem src, const txEnv* env);

simplicity-sys/depend/simplicity/primitive/elements/exec.c

@@ -30,6 +30,7 @@
  *               NULL != tx;
  *               NULL != taproot;
  *               unsigned char genesisBlockHash[32]
+ *               0 <= budget;
  *               NULL != amr implies unsigned char amr[32]
  *               unsigned char program[program_len]
  *               unsigned char witness[witness_len]
@@ -41,7 +42,11 @@ extern bool elements_simplicity_execSimplicity( simplicity_err* error, unsigned
                                               , const unsigned char* amr
                                               , const unsigned char* program, size_t program_len
                                               , const unsigned char* witness, size_t witness_len) {
-  if (!error || !tx || !taproot) return false;
+  simplicity_assert(NULL != error);
+  simplicity_assert(NULL != tx);
+  simplicity_assert(NULL != taproot);
+  simplicity_assert(NULL != genesisBlockHash);
+  simplicity_assert(0 <= budget);
   simplicity_assert(NULL != program || 0 == program_len);
   simplicity_assert(NULL != witness || 0 == witness_len);
 

simplicity-sys/depend/simplicity/primitive/elements/primitiveJetNode.inc

@@ -2218,7 +2218,7 @@
 ,[LINEAR_COMBINATION_1] =
 { .tag = JET
 , .jet = linear_combination_1
-, .cmr = {{0xd88320f4u, 0x71f3beeeu, 0xa1313d55u, 0x1e419be0u, 0x5727ae5fu, 0x4de6a2f2u, 0xf26f3cb5u, 0xe8dddd3fu}}
+, .cmr = {{0x00bef144u, 0xda3f5163u, 0x318c01ebu, 0x66cc681fu, 0x29ccb987u, 0xea2a88d0u, 0x83345a1cu, 0xaa082ce3u}}
 , .sourceIx = ty_ppw256pw512w256w256
 , .targetIx = ty_pw512w256
 , .cost = 86722 /* milli weight units */
@@ -3330,7 +3330,7 @@
 ,[SCALE] =
 { .tag = JET
 , .jet = scale
-, .cmr = {{0xb8a80c64u, 0x954912e5u, 0x43d42c1au, 0xf315321bu, 0xcffb6668u, 0x0050fc09u, 0xa5afd756u, 0x011b8284u}}
+, .cmr = {{0x574ce760u, 0x24a5f011u, 0xa2d0bcebu, 0xb0f81a15u, 0xe0f9d06bu, 0x34f20994u, 0x33cb114fu, 0x53468d4fu}}
 , .sourceIx = ty_pw256pw512w256
 , .targetIx = ty_pw512w256
 , .cost = 75377 /* milli weight units */