More testing (#16)

* Added more tests/comments

* Added some extra tests with partial filling of orders

Author: Brechtpd

Circuits/DepositCircuit.h

@@ -57,6 +57,9 @@ class DepositGadget : public GadgetT
         publicKeyY(pb, 256, FMT(prefix, ".publicKeyY")),
 
         // Calculate the new balance
+        // We can't let the deposit fail (it's onchain so it needs to be included),
+        // and we do want to cap the balance to NUM_BITS_AMOUNT bits max, so cap the balance even
+        // if it means that the user loses some tokens (NUM_BITS_AMOUNT bits should be more than enough).
         uncappedBalanceAfter(pb, balanceBefore.balance, amount.packed, FMT(prefix, ".uncappedBalanceAfter")),
         balanceAfter(pb, uncappedBalanceAfter.result(), constants.maxAmount, NUM_BITS_AMOUNT + 1, FMT(prefix, ".balanceAfter")),
 
@@ -121,7 +124,7 @@ class DepositGadget : public GadgetT
                 amount.bits};
     }
 
-    const VariableT getNewAccountsRoot() const
+    const VariableT& getNewAccountsRoot() const
     {
         return updateAccount.result();
     }
@@ -210,7 +213,7 @@ class DepositCircuit : public GadgetT
         publicData.generate_r1cs_constraints();
 
         // Check the new merkle root
-        forceEqual(pb, deposits.back().getNewAccountsRoot(), merkleRootAfter.packed, "newMerkleRoot");
+        requireEqual(pb, deposits.back().getNewAccountsRoot(), merkleRootAfter.packed, "newMerkleRoot");
     }
 
     bool generateWitness(const DepositBlock& block)

Circuits/OffchainWithdrawalCircuit.h

@@ -80,7 +80,7 @@ class OffchainWithdrawalGadget : public GadgetT
         balanceBefore(pb, FMT(prefix, ".balanceBefore")),
         accountBefore(pb, FMT(prefix, ".accountBefore")),
         // Operator state
-        balanceBefore_O(pb, FMT(prefix, ".accountBefore_O")),
+        balanceBefore_O(pb, FMT(prefix, ".balanceBefore_O")),
 
         // Inputs
         accountID(pb, NUM_BITS_ACCOUNT, FMT(prefix, ".accountID")),
@@ -246,12 +246,12 @@ class OffchainWithdrawalGadget : public GadgetT
                 fFee.bits()};
     }
 
-    const VariableT getNewAccountsRoot() const
+    const VariableT& getNewAccountsRoot() const
     {
         return updateAccount_A.result();
     }
 
-    const VariableT getNewOperatorBalancesRoot() const
+    const VariableT& getNewOperatorBalancesRoot() const
     {
         return updateBalanceF_O.result();
     }
@@ -378,7 +378,7 @@ class OffchainWithdrawalCircuit : public GadgetT
         publicData.generate_r1cs_constraints();
 
         // Check the new merkle root
-        forceEqual(pb, updateAccount_O->result(), merkleRootAfter.packed, "newMerkleRoot");
+        requireEqual(pb, updateAccount_O->result(), merkleRootAfter.packed, "newMerkleRoot");
     }
 
     bool generateWitness(const OffchainWithdrawalBlock& block)

Circuits/OnchainWithdrawalCircuit.h

@@ -31,6 +31,7 @@ class OnchainWithdrawalGadget : public GadgetT
     // Calculate how much can be withdrawn
     MinGadget amountToWithdrawMin;
     TernaryGadget amountToWithdraw;
+    // Float
     FloatGadget amountWithdrawn;
     RequireAccuracyGadget requireAccuracyAmountWithdrawn;
 
@@ -67,17 +68,19 @@ class OnchainWithdrawalGadget : public GadgetT
         amountRequested(pb, NUM_BITS_AMOUNT, FMT(prefix, ".amountRequested")),
 
         // Calculate how much can be withdrawn
+        // In shutdown mode always withdraw the complete balance
         amountToWithdrawMin(pb, amountRequested.packed, balanceBefore.balance, NUM_BITS_AMOUNT, FMT(prefix, ".min(amountRequested, balance)")),
         amountToWithdraw(pb, bShutdownMode, balanceBefore.balance, amountToWithdrawMin.result(), FMT(prefix, ".amountToWithdraw")),
+        // Float
         amountWithdrawn(pb, constants, Float28Encoding, FMT(prefix, ".amountWithdrawn")),
         requireAccuracyAmountWithdrawn(pb, amountWithdrawn.value(), amountToWithdraw.result(), Float28Accuracy, NUM_BITS_AMOUNT, FMT(prefix, ".requireAccuracyAmountRequested")),
 
-        // Shutdown mode
+        // Shutdown mode - Reset values to genesis state
         amountToSubtract(pb, bShutdownMode, amountToWithdraw.result(), amountWithdrawn.value(), FMT(prefix, ".amountToSubtract")),
         tradingHistoryAfter(pb, bShutdownMode, constants.emptyTradeHistory, balanceBefore.tradingHistory, FMT(prefix, ".tradingHistoryAfter")),
         publicKeyXAfter(pb, bShutdownMode, constants.zero, accountBefore.publicKey.x, FMT(prefix, ".publicKeyXAfter")),
         publicKeyYAfter(pb, bShutdownMode, constants.zero, accountBefore.publicKey.y, FMT(prefix, ".publicKeyYAfter")),
-        nonceAfter(pb, bShutdownMode, constants.zero, accountBefore.nonce, FMT(prefix, ".tradingHistoryAfter")),
+        nonceAfter(pb, bShutdownMode, constants.zero, accountBefore.nonce, FMT(prefix, ".nonceAfter")),
 
         // Calculate the new balance
         balance_after(pb, balanceBefore.balance, amountToSubtract.result(), FMT(prefix, ".balance_after")),
@@ -109,6 +112,7 @@ class OnchainWithdrawalGadget : public GadgetT
         // Withdrawal calculations
         amountToWithdrawMin.generate_r1cs_witness();
         amountToWithdraw.generate_r1cs_witness();
+        // Float
         amountWithdrawn.generate_r1cs_witness(toFloat(pb.val(amountToWithdraw.result()), Float28Encoding));
         requireAccuracyAmountWithdrawn.generate_r1cs_witness();
 
@@ -137,6 +141,7 @@ class OnchainWithdrawalGadget : public GadgetT
         // Withdrawal calculations
         amountToWithdrawMin.generate_r1cs_constraints();
         amountToWithdraw.generate_r1cs_constraints();
+        // Float
         amountWithdrawn.generate_r1cs_constraints();
         requireAccuracyAmountWithdrawn.generate_r1cs_constraints();
 
@@ -194,7 +199,6 @@ class OnchainWithdrawalCircuit : public GadgetT
     EqualGadget bShutdownMode;
 
     // Withdrawals
-    bool onchainDataAvailability;
     unsigned int numWithdrawals;
     std::vector<OnchainWithdrawalGadget> withdrawals;
     std::vector<sha256_many> hashers;
@@ -219,9 +223,8 @@ class OnchainWithdrawalCircuit : public GadgetT
 
     }
 
-    void generate_r1cs_constraints(bool onchainDataAvailability, int numWithdrawals)
+    void generate_r1cs_constraints(int numWithdrawals)
     {
-        this->onchainDataAvailability = onchainDataAvailability;
         this->numWithdrawals = numWithdrawals;
 
         constants.generate_r1cs_constraints();
@@ -275,7 +278,7 @@ class OnchainWithdrawalCircuit : public GadgetT
         publicData.generate_r1cs_constraints();
 
         // Check the new merkle root
-        forceEqual(pb, withdrawals.back().getNewAccountsRoot(), merkleRootAfter.packed, "newMerkleRoot");
+        requireEqual(pb, withdrawals.back().getNewAccountsRoot(), merkleRootAfter.packed, "newMerkleRoot");
     }
 
     bool generateWitness(const OnchainWithdrawalBlock& block)

Circuits/OrderCancellationCircuit.h

@@ -79,11 +79,11 @@ class OrderCancellationGadget : public GadgetT
 
         // User state
         tradeHistoryBefore(pb, FMT(prefix, ".tradeHistoryBefore")),
-        balanceTBefore(pb, FMT(prefix, ".balanceFBefore")),
-        balanceFBefore(pb, FMT(prefix, ".balanceBefore")),
+        balanceTBefore(pb, FMT(prefix, ".balanceTBefore")),
+        balanceFBefore(pb, FMT(prefix, ".balanceFBefore")),
         accountBefore(pb, FMT(prefix, ".accountBefore")),
         // Operator state
-        balanceBefore_O(pb, FMT(prefix, ".accountBefore_O")),
+        balanceBefore_O(pb, FMT(prefix, ".balanceBefore_O")),
 
         // Inputs
         accountID(pb, NUM_BITS_ACCOUNT, FMT(prefix, ".accountID")),
@@ -249,12 +249,12 @@ class OrderCancellationGadget : public GadgetT
                 fFee.bits()};
     }
 
-    const VariableT getNewAccountsRoot() const
+    const VariableT& getNewAccountsRoot() const
     {
         return updateAccount_A.result();
     }
 
-    const VariableT getNewOperatorBalancesRoot() const
+    const VariableT& getNewOperatorBalancesRoot() const
     {
         return updateBalanceF_O.result();
     }
@@ -375,7 +375,7 @@ class OrderCancellationCircuit : public GadgetT
         publicData.generate_r1cs_constraints();
 
         // Check the new merkle root
-        forceEqual(pb, updateAccount_O->result(), merkleRootAfter.packed, "newMerkleRoot");
+        requireEqual(pb, updateAccount_O->result(), merkleRootAfter.packed, "newMerkleRoot");
     }
 
     bool generateWitness(const Loopring::OrderCancellationBlock& block)

Circuits/RingSettlementCircuit.h

@@ -159,16 +159,14 @@ class RingSettlementGadget : public GadgetT
     TransferGadget protocolFeeA_from_balanceAO_to_balanceAP;
     TransferGadget protocolFeeB_from_balanceBO_to_balanceBP;
 
-    // Update trading history
-    UpdateTradeHistoryGadget updateTradeHistoryA;
-    UpdateTradeHistoryGadget updateTradeHistoryB;
-
     // Update UserA
+    UpdateTradeHistoryGadget updateTradeHistory_A;
     UpdateBalanceGadget updateBalanceS_A;
     UpdateBalanceGadget updateBalanceB_A;
     UpdateAccountGadget updateAccount_A;
 
     // Update UserB
+    UpdateTradeHistoryGadget updateTradeHistory_B;
     UpdateBalanceGadget updateBalanceS_B;
     UpdateBalanceGadget updateBalanceB_B;
     UpdateAccountGadget updateAccount_B;
@@ -209,7 +207,7 @@ class RingSettlementGadget : public GadgetT
         balanceA_P(pb, FMT(prefix, ".balanceA_P")),
         balanceB_P(pb, FMT(prefix, ".balanceB_P")),
         balanceA_O(pb, FMT(prefix, ".balanceA_O")),
-        balanceB_O(pb, FMT(prefix, ".balanceA_O")),
+        balanceB_O(pb, FMT(prefix, ".balanceB_O")),
         // Initial trading history roots
         tradingHistoryRootA_O(make_variable(pb, FMT(prefix, ".tradingHistoryRootA_O"))),
         tradingHistoryRootB_O(make_variable(pb, FMT(prefix, ".tradingHistoryRootB_O"))),
@@ -249,20 +247,14 @@ class RingSettlementGadget : public GadgetT
         protocolFeeA_from_balanceAO_to_balanceAP(pb, balanceA_O, balanceA_P, feeCalculatorA.getProtocolFee(), FMT(prefix, ".protocolFeeA_from_balanceAO_to_balanceAP")),
         protocolFeeB_from_balanceBO_to_balanceBP(pb, balanceB_O, balanceB_P, feeCalculatorB.getProtocolFee(), FMT(prefix, ".protocolFeeB_from_balanceBO_to_balanceBP")),
 
-        // Update trading history
-        updateTradeHistoryA(pb, orderA.balanceSBefore.tradingHistory, subArray(orderA.orderID.bits, 0, NUM_BITS_TRADING_HISTORY),
-                            {orderA.tradeHistoryBefore.filled, orderA.tradeHistoryBefore.cancelled, orderA.tradeHistoryBefore.orderID},
-                            {filledAfterA.result(), orderA.tradeHistory.getCancelledToStore(), orderA.tradeHistory.getOrderIDToStore()},
-                            FMT(prefix, ".updateTradeHistoryA")),
-        updateTradeHistoryB(pb, orderB.balanceSBefore.tradingHistory, subArray(orderB.orderID.bits, 0, NUM_BITS_TRADING_HISTORY),
-                            {orderB.tradeHistoryBefore.filled, orderB.tradeHistoryBefore.cancelled, orderB.tradeHistoryBefore.orderID},
-                            {filledAfterB.result(), orderB.tradeHistory.getCancelledToStore(), orderB.tradeHistory.getOrderIDToStore()},
-                            FMT(prefix, ".updateTradeHistoryB")),
-
         // Update UserA
+        updateTradeHistory_A(pb, orderA.balanceSBefore.tradingHistory, subArray(orderA.orderID.bits, 0, NUM_BITS_TRADING_HISTORY),
+                             {orderA.tradeHistoryBefore.filled, orderA.tradeHistoryBefore.cancelled, orderA.tradeHistoryBefore.orderID},
+                             {filledAfterA.result(), orderA.tradeHistory.getCancelledToStore(), orderA.tradeHistory.getOrderIDToStore()},
+                             FMT(prefix, ".updateTradeHistory_A")),
         updateBalanceS_A(pb, orderA.accountBefore.balancesRoot, orderA.tokenS.bits,
                          {balanceS_A.front(), orderA.balanceSBefore.tradingHistory},
-                         {balanceS_A.back(), updateTradeHistoryA.result()},
+                         {balanceS_A.back(), updateTradeHistory_A.result()},
                          FMT(prefix, ".updateBalanceS_A")),
         updateBalanceB_A(pb, updateBalanceS_A.result(), orderA.tokenB.bits,
                          {balanceB_A.front(), orderA.balanceBBefore.tradingHistory},
@@ -274,9 +266,13 @@ class RingSettlementGadget : public GadgetT
                         FMT(prefix, ".updateAccount_A")),
 
         // Update UserB
+        updateTradeHistory_B(pb, orderB.balanceSBefore.tradingHistory, subArray(orderB.orderID.bits, 0, NUM_BITS_TRADING_HISTORY),
+                             {orderB.tradeHistoryBefore.filled, orderB.tradeHistoryBefore.cancelled, orderB.tradeHistoryBefore.orderID},
+                             {filledAfterB.result(), orderB.tradeHistory.getCancelledToStore(), orderB.tradeHistory.getOrderIDToStore()},
+                             FMT(prefix, ".updateTradeHistory_B")),
         updateBalanceS_B(pb, orderB.accountBefore.balancesRoot, orderB.tokenS.bits,
                          {balanceS_B.front(), orderB.balanceSBefore.tradingHistory},
-                         {balanceS_B.back(), updateTradeHistoryB.result()},
+                         {balanceS_B.back(), updateTradeHistory_B.result()},
                          FMT(prefix, ".updateBalanceS_B")),
         updateBalanceB_B(pb, updateBalanceS_B.result(), orderB.tokenB.bits,
                          {balanceB_B.front(), orderB.balanceBBefore.tradingHistory},
@@ -368,16 +364,14 @@ class RingSettlementGadget : public GadgetT
         protocolFeeA_from_balanceAO_to_balanceAP.generate_r1cs_witness();
         protocolFeeB_from_balanceBO_to_balanceBP.generate_r1cs_witness();
 
-        // Update trading history
-        updateTradeHistoryA.generate_r1cs_witness(ringSettlement.tradeHistoryUpdate_A.proof);
-        updateTradeHistoryB.generate_r1cs_witness(ringSettlement.tradeHistoryUpdate_B.proof);
-
         // Update UserA
+        updateTradeHistory_A.generate_r1cs_witness(ringSettlement.tradeHistoryUpdate_A.proof);
         updateBalanceS_A.generate_r1cs_witness(ringSettlement.balanceUpdateS_A.proof);
         updateBalanceB_A.generate_r1cs_witness(ringSettlement.balanceUpdateB_A.proof);
         updateAccount_A.generate_r1cs_witness(ringSettlement.accountUpdate_A.proof);
 
         // Update UserB
+        updateTradeHistory_B.generate_r1cs_witness(ringSettlement.tradeHistoryUpdate_B.proof);
         updateBalanceS_B.generate_r1cs_witness(ringSettlement.balanceUpdateS_B.proof);
         updateBalanceB_B.generate_r1cs_witness(ringSettlement.balanceUpdateB_B.proof);
         updateAccount_B.generate_r1cs_witness(ringSettlement.accountUpdate_B.proof);
@@ -433,16 +427,14 @@ class RingSettlementGadget : public GadgetT
         protocolFeeA_from_balanceAO_to_balanceAP.generate_r1cs_constraints();
         protocolFeeB_from_balanceBO_to_balanceBP.generate_r1cs_constraints();
 
-        // Update trading history
-        updateTradeHistoryA.generate_r1cs_constraints();
-        updateTradeHistoryB.generate_r1cs_constraints();
-
         // Update UserA
+        updateTradeHistory_A.generate_r1cs_constraints();
         updateBalanceS_A.generate_r1cs_constraints();
         updateBalanceB_A.generate_r1cs_constraints();
         updateAccount_A.generate_r1cs_constraints();
 
         // Update UserB
+        updateTradeHistory_B.generate_r1cs_constraints();
         updateBalanceS_B.generate_r1cs_constraints();
         updateBalanceB_B.generate_r1cs_constraints();
         updateAccount_B.generate_r1cs_constraints();
@@ -473,17 +465,17 @@ class RingSettlementGadget : public GadgetT
         };
     }
 
-    const VariableT getNewAccountsRoot() const
+    const VariableT& getNewAccountsRoot() const
     {
         return updateAccount_B.result();
     }
 
-    const VariableT getNewProtocolBalancesRoot() const
+    const VariableT& getNewProtocolBalancesRoot() const
     {
         return updateBalanceB_P.result();
     }
 
-    const VariableT getNewOperatorBalancesRoot() const
+    const VariableT& getNewOperatorBalancesRoot() const
     {
         return updateBalanceB_O.result();
     }
@@ -662,7 +654,7 @@ class RingSettlementCircuit : public GadgetT
         signatureVerifier.generate_r1cs_constraints();
 
         // Check the new merkle root
-        forceEqual(pb, updateAccount_O->result(), merkleRootAfter.packed, "newMerkleRoot");
+        requireEqual(pb, updateAccount_O->result(), merkleRootAfter.packed, "newMerkleRoot");
     }
 
     bool generateWitness(const RingSettlementBlock& block)