revert: "fix: batched merkle tree zeroing"

[ananas-block]

Reverts #2045

Summary by CodeRabbit

• Refactor
  • Improved validation and error handling for root history operations through implementation of stricter internal constraints
  • Removed an obsolete error condition to simplify error management and reduce handling complexity
  • Enhanced internal consistency checks to ensure more reliable and robust operation execution throughout the system

[coderabbitai]

Walkthrough

The pull request removes error handling from the root-zeroing operation in the batched Merkle tree implementation. The zero_out_roots method signature changes from returning a Result to an in-place void function, the associated CannotZeroCompleteRootHistory error variant is eliminated, and the logic shifts to use stricter loop bounds with assertion-based invariant enforcement.

Changes

Cohort / File(s)	Summary
Error variant removal program-libs/batched-merkle-tree/src/errors.rs	Removed CannotZeroCompleteRootHistory error variant from BatchedMerkleTreeError enum and its corresponding numeric mapping (14313) in the From<BatchedMerkleTreeError> for u32 implementation.
Method signature and logic refactoring program-libs/batched-merkle-tree/src/merkle_tree.rs	Updated zero_out_roots to remove Result return type; shifted error signaling to assertion-based invariants. Modified root-zeroing loop from 0..num_remaining_roots to 1..num_remaining_roots, added assertion that oldest_index advancement matches first_safe_root_index, and updated call sites to pass root_index directly. Test code adjusted to reflect new semantics and removed intermediate root-tracking variables.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Extra attention areas:
  • Verify that the shift from loop 0..num_remaining_roots to 1..num_remaining_roots doesn't inadvertently skip or double-zero critical root entries
  • Confirm that assertion-based invariant enforcement (oldest_index == first_safe_root_index) is sufficient and won't mask edge cases previously caught by explicit error propagation
  • Validate that all call sites of zero_out_roots have been correctly updated and no orphaned error handling remains
  • Review test expectations to ensure they capture the intended root-zeroing behavior under the new indexing scheme

Poem

🌳 No more errors to unwind,
Assertions guard what once was signed,
Roots now zero, clean and tight,
Invariants hold the path aright! 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: reverting a previous fix to batched merkle tree zeroing. It directly matches the PR's stated objective to revert PR #2045.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 70.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch revert-2045-jorrit/batched-merkle-tree-fix-clean

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

program-libs/batched-merkle-tree/src/merkle_tree.rs (2)

827-840: Major: Semantic mismatch between call site and function parameter.

Line 840 passes root_index to a function whose parameter is named first_safe_root_index (line 750). This semantic mismatch suggests:

1. Either the parameter should be renamed to reflect what's actually passed, or
2. The wrong value is being passed

The previous implementation likely calculated a distinct first_safe_root_index value. Passing root_index directly may not correctly identify which root is "safe" to keep, potentially affecting the correctness of the zeroing logic.

Either rename the function parameter to root_index for clarity, or verify that root_index and first_safe_root_index are semantically equivalent in this context:

-fn zero_out_roots(&mut self, sequence_number: u64, first_safe_root_index: u32) {
+fn zero_out_roots(&mut self, sequence_number: u64, root_index: u32) {

---

1148-1508: Minor: Debug println statements left in test code.

Multiple println! statements are scattered throughout the test code (lines 1167, 1220-1223, 1227, 1288, 1302, 1322, 1404, 1471, 1480, 1503), suggesting debugging artifacts that should be removed before merging.

Remove debug println statements or replace them with proper test logging if the output is needed:

-            println!("root_index: {}", root_index);

-            println!(
-                "currently inserted elements: {:?}",
-                account.queue_batches.batches[1].get_num_inserted_elements()
-            );

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f30d22b and f566c80.

⛔ Files ignored due to path filters (11)

• Cargo.lock is excluded by !**/*.lock and included by none
• program-tests/batched-merkle-tree-test/Cargo.toml is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/e2e.rs is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/e2e_tests/address.rs is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/e2e_tests/e2e.rs is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/e2e_tests/mod.rs is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/e2e_tests/shared.rs is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/e2e_tests/simulate_txs.rs is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/e2e_tests/state.rs is excluded by none and included by none
• program-tests/batched-merkle-tree-test/tests/merkle_tree.rs is excluded by none and included by none
• program-tests/registry-test/tests/tests.rs is excluded by none and included by none

📒 Files selected for processing (2)

• program-libs/batched-merkle-tree/src/errors.rs (0 hunks)
• program-libs/batched-merkle-tree/src/merkle_tree.rs (11 hunks)

💤 Files with no reviewable changes (1)

• program-libs/batched-merkle-tree/src/errors.rs

🧰 Additional context used

🧬 Code graph analysis (1)

program-libs/batched-merkle-tree/src/merkle_tree.rs (1)

program-libs/batched-merkle-tree/src/batch.rs (1)

• get_num_inserted_elements (258-260)

⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: programs (system-cpi-test-v2-functional-account-infos, ["cargo-test-sbf -p system-cpi-v2-test -- ...
• GitHub Check: programs (system-cpi-test-v2-functional-read-only, ["cargo-test-sbf -p system-cpi-v2-test -- func...
• GitHub Check: programs (system-cpi-test, ["cargo-test-sbf -p system-cpi-test", "cargo test -p light-system-prog...
• GitHub Check: programs (compressed-token-and-e2e, ["cargo-test-sbf -p compressed-token-test --test v1", "cargo-...
• GitHub Check: Forester e2e test
• GitHub Check: lint
• GitHub Check: Test program-libs-slow
• GitHub Check: Test batched-merkle-tree-simulate
• GitHub Check: Test program-libs-fast

🔇 Additional comments (1)

program-libs/batched-merkle-tree/src/merkle_tree.rs (1)

750-774: Critical: Off-by-one error in security-critical root zeroing logic.

The loop change from 0..num_remaining_roots to 1..num_remaining_roots (line 763) zeros one fewer root than before. According to the extensive security documentation (lines 700-749), all overlapping roots must be zeroed to prevent proving inclusion of nullified values after bloom filters are cleared.

The comment "Skip one iteration we don't need to zero out the first safe root" (line 761-762) appears inconsistent with the assertion at line 769-772, which verifies that oldest_root_index advances to exactly match first_safe_root_index. If we skip zeroing the first root but still expect to reach first_safe_root_index, the invariant may be violated.

This off-by-one change could leave an exploitable root in the history that allows proving inclusion of values that should have been invalidated—a critical security vulnerability in a Merkle tree implementation.

Verify this change doesn't violate the security invariant by checking:

1. Whether the assertion at line 769 can still pass with the reduced loop iterations
2. Whether any root that should be zeroed is left non-zero

[Nsthjuhh]

Walkthrough

The pull request removes error handling from the root-zeroing operation in the batched Merkle tree implementation. The zero_out_roots method signature changes from returning a Result to an in-place void function, the associated CannotZeroCompleteRootHistory error variant is eliminated, and the logic shifts to use stricter loop bounds with assertion-based invariant enforcement.

Changes

Cohort / File(s)	Summary
Error variant removal program-libs/batched-merkle-tree/src/errors.rs	Removed CannotZeroCompleteRootHistory error variant from BatchedMerkleTreeError enum and its corresponding numeric mapping (14313) in the From<BatchedMerkleTreeError> for u32 implementation.
Method signature and logic refactoring program-libs/batched-merkle-tree/src/merkle_tree.rs	Updated zero_out_roots to remove Result return type; shifted error signaling to assertion-based invariants. Modified root-zeroing loop from 0..num_remaining_roots to 1..num_remaining_roots, added assertion that oldest_index advancement matches first_safe_root_index, and updated call sites to pass root_index directly. Test code adjusted to reflect new semantics and removed intermediate root-tracking variables.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Extra attention areas:
  • Verify that the shift from loop 0..num_remaining_roots to 1..num_remaining_roots doesn't inadvertently skip or double-zero critical root entries
  • Confirm that assertion-based invariant enforcement (oldest_index == first_safe_root_index) is sufficient and won't mask edge cases previously caught by explicit error propagation
  • Validate that all call sites of zero_out_roots have been correctly updated and no orphaned error handling remains
  • Review test expectations to ensure they capture the intended root-zeroing behavior under the new indexing scheme

Poem

🌳 No more errors to unwind,
Assertions guard what once was signed,
Roots now zero, clean and tight,
Invariants hold the path aright! 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: reverting a previous fix to batched merkle tree zeroing. It directly matches the PR's stated objective to revert PR #2045.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 70.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch revert-2045-jorrit/batched-merkle-tree-fix-clean

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Nsthjuhh]

Walkthrough

The pull request removes error handling from the root-zeroing operation in the batched Merkle tree implementation. The zero_out_roots method signature changes from returning a Result to an in-place void function, the associated CannotZeroCompleteRootHistory error variant is eliminated, and the logic shifts to use stricter loop bounds with assertion-based invariant enforcement.

Changes

Cohort / File(s)	Summary
Error variant removal program-libs/batched-merkle-tree/src/errors.rs	Removed CannotZeroCompleteRootHistory error variant from BatchedMerkleTreeError enum and its corresponding numeric mapping (14313) in the From<BatchedMerkleTreeError> for u32 implementation.
Method signature and logic refactoring program-libs/batched-merkle-tree/src/merkle_tree.rs	Updated zero_out_roots to remove Result return type; shifted error signaling to assertion-based invariants. Modified root-zeroing loop from 0..num_remaining_roots to 1..num_remaining_roots, added assertion that oldest_index advancement matches first_safe_root_index, and updated call sites to pass root_index directly. Test code adjusted to reflect new semantics and removed intermediate root-tracking variables.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Extra attention areas:
  • Verify that the shift from loop 0..num_remaining_roots to 1..num_remaining_roots doesn't inadvertently skip or double-zero critical root entries
  • Confirm that assertion-based invariant enforcement (oldest_index == first_safe_root_index) is sufficient and won't mask edge cases previously caught by explicit error propagation
  • Validate that all call sites of zero_out_roots have been correctly updated and no orphaned error handling remains
  • Review test expectations to ensure they capture the intended root-zeroing behavior under the new indexing scheme

Poem

🌳 No more errors to unwind,
Assertions guard what once was signed,
Roots now zero, clean and tight,
Invariants hold the path aright! 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: reverting a previous fix to batched merkle tree zeroing. It directly matches the PR's stated objective to revert PR #2045.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 70.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch revert-2045-jorrit/batched-merkle-tree-fix-clean

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}