When making a host call, the tracer adds witnesses for all the words in memory here:
https://github.com/ICME-Lab/zkEngine_dev/blob/6e8d49cb74df4356f36704d54dfe053db1397810/third-party/wasmi/crates/wasmi/src/engine/executor_v1.rs#L2388C2-L2397C10
The problem is that later, the memory truncation function makes some of those witnesses out of bounds.
This can be tested by running this function:

```wat
(module
  (import "host" "call" (func $f (param i32) (result i32)))
  (memory 1 2)
  (func $test
    (memory.grow (i32.const 1))
    (call $f)
    (drop)
  )
  (export "test" (func $test))
)
```
And providing a dummy host call. Eventually it panics when reaching this point.
A simple fix is to not truncate the memory when there is an `Instruction::HostCallStep` in the execution trace. However, I think it should also be sound to remove the out-of-bounds witnesses from the trace, since the only potential reader of those would be another host call. I wouldn't mind sending a PR with this, I'm just not sure if it's correct.
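The following is an added toy model of the interaction described in this report, not zkEngine or wasmi code. It replays the WAT scenario above (one page, grow by one, host call, then truncation back to one page), counts the witnesses that end up beyond the truncated size, and implements both fix candidates side by side: skipping truncation when a host-call step exists, and pruning the out-of-bounds witnesses. The `Step`, `Witness` and `Memory` types, the 8-byte witness word width, and the assumption that truncation targets one page are all assumptions made for the example.

```rust
// Added example (not zkEngine code): a toy model of host-call memory witnesses
// colliding with memory truncation. All names and the word width are assumed.

const PAGE_SIZE: usize = 65536; // Wasm page size
const WORD_SIZE: usize = 8;     // assumed witness word width

#[derive(Debug, Clone, PartialEq)]
pub struct Witness {
    pub addr: usize,
    pub value: u64,
}

#[derive(Debug, Clone, PartialEq)]
pub enum Step {
    MemoryGrow { delta_pages: usize },
    /// Stands in for Instruction::HostCallStep: one witness per word in memory.
    HostCallStep { witnesses: Vec<Witness> },
    Other,
}

pub struct Memory {
    data: Vec<u8>,
}

impl Memory {
    pub fn new(pages: usize) -> Self {
        Memory { data: vec![0; pages * PAGE_SIZE] }
    }
    pub fn grow(&mut self, delta_pages: usize) {
        let new_len = self.data.len() + delta_pages * PAGE_SIZE;
        self.data.resize(new_len, 0);
    }
    pub fn size_bytes(&self) -> usize {
        self.data.len()
    }
}

/// Models what the tracer does on a host call: a witness for every word in memory.
pub fn host_call_witnesses(mem: &Memory) -> Vec<Witness> {
    mem.data
        .chunks_exact(WORD_SIZE)
        .enumerate()
        .map(|(i, w)| Witness {
            addr: i * WORD_SIZE,
            value: u64::from_le_bytes(w.try_into().expect("exact chunk")),
        })
        .collect()
}

/// Witness addresses that no longer fit once memory is truncated to `size_bytes`.
/// A non-empty result is the condition that later trips the panic.
pub fn out_of_bounds_witnesses(trace: &[Step], size_bytes: usize) -> Vec<usize> {
    trace
        .iter()
        .filter_map(|s| match s {
            Step::HostCallStep { witnesses } => Some(witnesses),
            _ => None,
        })
        .flatten()
        .filter(|w| w.addr + WORD_SIZE > size_bytes)
        .map(|w| w.addr)
        .collect()
}

/// Fix candidate 1: leave memory untruncated whenever a host-call step is present.
pub fn truncated_size(trace: &[Step], current: usize, target: usize) -> usize {
    let has_host_call = trace.iter().any(|s| matches!(s, Step::HostCallStep { .. }));
    if has_host_call { current } else { target.min(current) }
}

/// Fix candidate 2: drop witnesses beyond the truncated size; returns the count removed.
pub fn prune_out_of_bounds(trace: &mut [Step], size_bytes: usize) -> usize {
    let mut removed = 0;
    for step in trace.iter_mut() {
        if let Step::HostCallStep { witnesses } = step {
            let before = witnesses.len();
            witnesses.retain(|w| w.addr + WORD_SIZE <= size_bytes);
            removed += before - witnesses.len();
        }
    }
    removed
}

/// Replays the reported scenario: 1 page, grow by 1, host call, truncate back to 1 page.
/// Returns (out-of-bounds witnesses before pruning, after pruning, size kept under fix 1).
pub fn replay_report_scenario() -> (usize, usize, usize) {
    let mut mem = Memory::new(1);
    let mut trace = vec![Step::MemoryGrow { delta_pages: 1 }];
    mem.grow(1);
    trace.push(Step::HostCallStep { witnesses: host_call_witnesses(&mem) });
    trace.push(Step::Other); // the (drop)

    let truncate_to = PAGE_SIZE; // assumed: truncation shrinks memory back to one page
    let before = out_of_bounds_witnesses(&trace, truncate_to).len();
    let kept_size = truncated_size(&trace, mem.size_bytes(), truncate_to);
    let removed = prune_out_of_bounds(&mut trace, truncate_to);
    let after = out_of_bounds_witnesses(&trace, truncate_to).len();
    debug_assert_eq!(removed, before);
    (before, after, kept_size)
}

fn main() {
    let (before, after, kept) = replay_report_scenario();
    println!("out-of-bounds witnesses: {before} before pruning, {after} after; fix 1 keeps {kept} bytes");
}
```

With two pages in memory at the time of the host call, the tracer records 16384 eight-byte witnesses, and truncating back to one page leaves the upper 8192 of them out of bounds; fix 1 avoids this by keeping the full 131072 bytes, fix 2 by removing exactly those 8192 entries.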