matter-labs · StanislavBreadless · Oct 4, 2023 · Oct 11, 2023 · Oct 12, 2023 · Oct 13, 2023
@@ -488,6 +488,10 @@ object "Bootloader" {
                 ret := 0x000000000000000000000000000000000000800e
             }
 
+            function KECCAK256_ADDR() -> ret {
+                ret := 0x0000000000000000000000000000000000008010
+            }
+
             function L1_MESSENGER_ADDR() -> ret {
                 ret := 0x0000000000000000000000000000000000008008
             }
@@ -634,6 +638,70 @@ object "Bootloader" {
                     }
             }
 
+            /// @dev Checks whether the code hash of the Keccak256 precompile contract is correct and updates it if needed.
+            /// @dev When we upgrade to the new version of the Keccak256 precompile contract, the keccak precompile will not work correctly 
+            /// and so the upgrade it should be done before any `keccak` calls. 
+            /// @dev Since this upgrade has 
+            function upgradeKeccakIfNeeded() {
+                let expectedCodeHash := {{KECCAK256_EXPECTED_CODE_HASH}}
+
+                let actualCodeHash := getRawCodeHash(KECCAK256_ADDR(), true)
+                if iszero(eq(expectedCodeHash, actualCodeHash)) {
+                    // The `mimicCallOnlyResult` requires that the first word of the data
+                    // contains its length. Here is 36 bytes, i.e. 4 byte selector + 32 byte hash.
+                    mstore(0, 36)
+                    mstore(32, {{PADDED_FORCE_DEPLOY_KECCAK256_SELECTOR}})
+                    mstore(36, expectedCodeHash)
+
+                    // We'll use a mimicCall to simulate the correct sender.
+                    let success := mimicCallOnlyResult(
+                        CONTRACT_DEPLOYER_ADDR(),
+                        FORCE_DEPLOYER(), 
+                        0,
+                        0,
+                        0,
+                        0,
+                        0,
+                        0
+                    )
+
+                    if iszero(success) {
+                        assertionError("keccak256 upgrade fail")
+                    }
+                }
+            }
+
+            function getRawCodeHash(addr, assertSuccess) -> ret {
+                mstore(0, {{RIGHT_PADDED_GET_RAW_CODE_HASH_SELECTOR}})
+                mstore(4, addr)
+                let success := call(
+                    gas(),
+                    ACCOUNT_CODE_STORAGE_ADDR(),
+                    0,
+                    0,
+                    36,
+                    0,
+                    32
+                )
+
+                // In case the call to the account code storage fails, 
+                // it most likely means that the caller did not provide enough gas for
+                // the call. 
+                // In case the caller is certain that the amount of gas provided is enough, i.e. 
+                // (`assertSuccess` = true), then we should panic.
+                if iszero(success) {
+                    if assertSuccess {
+                        // The call must've succeeded, but revert the bootloader.
+                        assertionError("getRawCodeHash failed")
+                    }
+
+                    // Most likely not enough gas provided, revert the current frame.
+                    nearCallPanic()
+                }
+
+                ret := mload(0)
+            }
+
             /// @dev Calculates the canonical hash of the L1->L2 transaction that will be
             /// sent to L1 as a message to the L1 contract that a certain operation has been processed.
             function getCanonicalL1TxHash(txDataOffset) -> ret {
@@ -1956,26 +2024,7 @@ object "Bootloader" {
             /// @dev Checks whether an address is an EOA (i.e. has not code deployed on it)
             /// @param addr The address to check
             function isEOA(addr) -> ret {
-                mstore(0, {{RIGHT_PADDED_GET_RAW_CODE_HASH_SELECTOR}})
-                mstore(4, addr)
-                let success := call(
-                    gas(),
-                    ACCOUNT_CODE_STORAGE_ADDR(),
-                    0,
-                    0,
-                    36,
-                    0,
-                    32
-                )
-
-                if iszero(success) {
-                    // The call to the account code storage should always succeed
-                    nearCallPanic()
-                }
-
-                let rawCodeHash := mload(0)
-
-                ret := iszero(rawCodeHash)
+                ret := iszero(getRawCodeHash(addr, false))
             }
 
             /// @dev Calls the `payForTransaction` method of an account
@@ -3657,6 +3706,8 @@ object "Bootloader" {
                 /// the operator still provides it to make sure that its data is in sync. 
                 let EXPECTED_BASE_FEE := mload(192)
 
+                upgradeKeccakIfNeeded()
+
                 validateOperatorProvidedPrices(L1_GAS_PRICE, FAIR_L2_GAS_PRICE)
 
                 let baseFee := 0

@@ -4,7 +4,7 @@ pragma solidity ^0.8.0;
 
 import {ImmutableData} from "./interfaces/IImmutableSimulator.sol";
 import {IContractDeployer} from "./interfaces/IContractDeployer.sol";
-import {CREATE2_PREFIX, CREATE_PREFIX, NONCE_HOLDER_SYSTEM_CONTRACT, ACCOUNT_CODE_STORAGE_SYSTEM_CONTRACT, FORCE_DEPLOYER, MAX_SYSTEM_CONTRACT_ADDRESS, KNOWN_CODE_STORAGE_CONTRACT, ETH_TOKEN_SYSTEM_CONTRACT, IMMUTABLE_SIMULATOR_SYSTEM_CONTRACT, COMPLEX_UPGRADER_CONTRACT} from "./Constants.sol";
+import {CREATE2_PREFIX, CREATE_PREFIX, NONCE_HOLDER_SYSTEM_CONTRACT, ACCOUNT_CODE_STORAGE_SYSTEM_CONTRACT, FORCE_DEPLOYER, MAX_SYSTEM_CONTRACT_ADDRESS, KNOWN_CODE_STORAGE_CONTRACT, ETH_TOKEN_SYSTEM_CONTRACT, IMMUTABLE_SIMULATOR_SYSTEM_CONTRACT, COMPLEX_UPGRADER_CONTRACT, KECCAK256_SYSTEM_CONTRACT} from "./Constants.sol";
 
 import {Utils} from "./libraries/Utils.sol";
 import {EfficientCall} from "./libraries/EfficientCall.sol";
@@ -228,8 +228,24 @@ contract ContractDeployer is IContractDeployer, ISystemContract {
             false,
             _deployment.callConstructor
         );
+    }
+
+    /// @notice The method that is temporarily needed to upgrade the Keccka256 precompile. It is to be removed in the 
+    /// future. Unlike a normal forced deployment, it does not update account information as it requires updating a 
+    /// mapping, and so requires Keccak256 precompile to work already.
+    /// @dev This method expects the sender (FORCE_DEPLOYER) to provide the correct bytecode hash for the Keccak256 
+    /// precompile. 
+    function forceDeployKeccak256(bytes32 _keccak256BytecodeHash) external payable onlyCallFrom(FORCE_DEPLOYER) {
+        _ensureBytecodeIsKnown(_keccak256BytecodeHash);
 
-        emit ContractDeployed(_sender, _deployment.bytecodeHash, _deployment.newAddress);
+        _constructContract(
+            msg.sender,
+            address(KECCAK256_SYSTEM_CONTRACT),
+            _keccak256BytecodeHash,
+            msg.data[0:0],
+            false,
+            false
+        );
     }
 
     /// @notice This method is to be used only during an upgrade to set bytecodes on specific addresses.
@@ -295,7 +311,6 @@ contract ContractDeployer is IContractDeployer, ISystemContract {
         _storeAccountInfo(_newAddress, newAccountInfo);
 
         _constructContract(msg.sender, _newAddress, _bytecodeHash, _input, false, true);
-        emit ContractDeployed(msg.sender, _bytecodeHash, _newAddress);
     }
 
     /// @notice Check that bytecode hash is marked as known on the `KnownCodeStorage` system contracts
@@ -352,5 +367,7 @@ contract ContractDeployer is IContractDeployer, ISystemContract {
             // If we do not call the constructor, we need to set the constructed code hash.
             ACCOUNT_CODE_STORAGE_SYSTEM_CONTRACT.storeAccountConstructedCodeHash(_newAddress, _bytecodeHash);
         }
+
+        emit ContractDeployed(_sender, _bytecodeHash, _newAddress);
     }
 }
@@ -1,15 +1,10 @@
 /**
  * @author Matter Labs
- * @custom:security-contact [email protected]
  * @notice The contract used to emulate EVM's keccak256 opcode.
- * @dev It accepts the data to be hashed, pad it by the specification 
- * and uses `precompileCall` to call the zkEVM built-in precompiles.
- * @dev Thus keccak256 precompile circuit operates over padded data to perform efficient sponge round computation.
+ * @dev It accepts the data to be hashed in the calldata, propagate it to the zkEVM built-in circuit precompile via `precompileCall` and burn .
  */
 object "Keccak256" {
-    code {
-        return(0, 0)
-    }
+    code { }
     object "Keccak256_deployed" {
         code {
             ////////////////////////////////////////////////////////////////
@@ -26,24 +21,38 @@ object "Keccak256" {
                 ret := 40
             }
 
+            /// @dev Returns a 32-bit mask value
+            function UINT32_BIT_MASK() -> ret {
+                ret := 0xffffffff
+            }
+
             ////////////////////////////////////////////////////////////////
             //                      HELPER FUNCTIONS
             ////////////////////////////////////////////////////////////////
+
+            /// @dev Load raw calldata fat pointer
+            function getCalldataPtr() -> calldataPtr {
+                calldataPtr := verbatim_0i_1o("get_global::ptr_calldata")
+            }
 
-            // @dev Packs precompile parameters into one word.
-            // Note: functions expect to work with 32/64 bits unsigned integers.
-            // Caller should ensure the type matching before!
+            /// @dev Packs precompile parameters into one word.
+            /// Note: functions expect to work with 32/64 bits unsigned integers.
+            /// Caller should ensure the type matching before!
             function unsafePackPrecompileParams(
-                uint32_inputOffsetInWords,
-                uint32_inputLengthInWords,
+                uint32_inputOffsetInBytes,
+                uint32_inputLengthInBytes,
                 uint32_outputOffsetInWords,
                 uint32_outputLengthInWords,
+                uint32_memoryPageToRead,
+                uint32_memoryPageToWrite,
                 uint64_perPrecompileInterpreted
             ) -> rawParams {
-                rawParams := uint32_inputOffsetInWords
-                rawParams := or(rawParams, shl(32, uint32_inputLengthInWords))
+                rawParams := uint32_inputOffsetInBytes
+                rawParams := or(rawParams, shl(32, uint32_inputLengthInBytes))
                 rawParams := or(rawParams, shl(64, uint32_outputOffsetInWords))
                 rawParams := or(rawParams, shl(96, uint32_outputLengthInWords))
+                rawParams := or(rawParams, shl(128, uint32_memoryPageToRead))
+                rawParams := or(rawParams, shl(160, uint32_memoryPageToWrite))
                 rawParams := or(rawParams, shl(192, uint64_perPrecompileInterpreted))
             }
 
@@ -56,73 +65,41 @@ object "Keccak256" {
             ////////////////////////////////////////////////////////////////
             //                      FALLBACK
             ////////////////////////////////////////////////////////////////
+
+            // 1. Load raw calldata fat pointer
+            let calldataFatPtr := getCalldataPtr()
 
-            // Copy calldata to memory for pad it
-            let bytesSize := calldatasize()
-            calldatacopy(0, 0, bytesSize)
-
-            let precompileParams
-            let gasToPay
-
-            // Most often keccak256 is called with "short" input, so optimize it as a special case.
-            // NOTE: we consider the special case for sizes less than `BLOCK_SIZE() - 1`, so
-            // there is only one round and it is and padding can be done branchless
-            switch lt(bytesSize, sub(BLOCK_SIZE(), 1))
-            case true {
-                // Write the 0x01 after the payload bytes and 0x80 at last byte of padded bytes
-                mstore(bytesSize, 0x0100000000000000000000000000000000000000000000000000000000000000)
-                mstore(
-                    sub(BLOCK_SIZE(), 1),
-                    0x8000000000000000000000000000000000000000000000000000000000000000
-                )
-
-                precompileParams := unsafePackPrecompileParams(
-                    0, // input offset in words
-                    5, // input length in words (Math.ceil(136/32) = 5)
-                    0, // output offset in words
-                    1, // output length in words
-                    1  // number of rounds
-                )
-                gasToPay := KECCAK_ROUND_GAS_COST()
+            // 2. Parse calldata fat pointer
+            let ptrOffset := and(calldataFatPtr, UINT32_BIT_MASK())
+            // TODO: Remove this check before merging.
+            // Assert that calldata ptr offset if zero. 
+            if ptrOffset {
+                revert(0, 0)
             }
-            default {
-                let padLen := sub(BLOCK_SIZE(), mod(bytesSize, BLOCK_SIZE()))
-                let paddedByteSize := add(bytesSize, padLen)
+            let ptrMemoryPage := and(shr(32, calldataFatPtr), UINT32_BIT_MASK())
+            let ptrStart := and(shr(64, calldataFatPtr), UINT32_BIT_MASK())
+            let ptrLength := and(shr(96, calldataFatPtr), UINT32_BIT_MASK())
 
-                switch eq(padLen, 1)
-                case true {
-                    // Write 0x81 after the payload bytes
-                    mstore(bytesSize, 0x8100000000000000000000000000000000000000000000000000000000000000)
-                } 
-                default {
-                    // Write the 0x01 after the payload bytes and 0x80 at last byte of padded bytes
-                    mstore(bytesSize, 0x0100000000000000000000000000000000000000000000000000000000000000)
-                    mstore(
-                        sub(paddedByteSize, 1),
-                        0x8000000000000000000000000000000000000000000000000000000000000000
-                    )
-                }
-
-                let numRounds := div(paddedByteSize, BLOCK_SIZE())
-                precompileParams := unsafePackPrecompileParams(
-                    0,                                // input offset in words
-                    div(add(paddedByteSize, 31), 32), // input length in words (safe to pass, never exceed `type(uint32).max`)
-                    0,                                // output offset in words
-                    1,                                // output length in words
-                    numRounds                         // number of rounds (safe to pass, never exceed `type(uint64).max`)
-                )
-                gasToPay := mul(KECCAK_ROUND_GAS_COST(), numRounds)
-            }
+            // 3. Pack precompile parameters
+            let precompileParams := unsafePackPrecompileParams(
+                ptrStart,                         // input offset in bytes
+                ptrLength,                        // input length in bytes (safe to pass, never exceed `type(uint32).max`)
+                0,                                // output offset in words
+                1,                                // output length in words (NOTE: VM doesn't check this value for now, but this could change in future)
+                ptrMemoryPage,                    // memory page to read from
+                0,                                // memory page to write to (0 means write to heap)
+                0                                 // per precompile interpreted value (0 since circuit doesn't react on this value anyway)
+            )
+            // 4. Calculate number of required hash rounds per calldata
+            let numRounds := div(add(ptrLength, sub(BLOCK_SIZE(), 1)), BLOCK_SIZE())
+            let gasToPay := mul(KECCAK_ROUND_GAS_COST(), numRounds)
 
+            // 5. Call precompile
             let success := precompileCall(precompileParams, gasToPay)
-
-            switch success
-            case 0 {
+            if iszero(success) {
                 revert(0, 0)
             }
-            default {
-                return(0, 32)
-            }
+            return(0, 32)
         }
     }
 }