feat: Improve validations in history map rollback (#44)

## What ❔

1. Adds internal error instead of panic on attempt to rollback to
invalid snapshot
2. Forbids rollbacks to non-existent snapshots
3. Clarifies `materialize_element` logic

## Is this a breaking change?
- [ ] Yes
- [X] No

## Checklist

<!-- Check your PR fulfills the following items. -->
<!-- For draft PRs check the boxes as you complete them. -->

- [X] PR title corresponds to the body of PR (we generate changelog
entries from PRs).
- [ ] Tests for the changes have been added / updated.
- [ ] Documentation comments have been added / updated.
- [X] Code has been formatted.

---------

Co-authored-by: Antonio Locascio <antonio.locascio1@gmail.com>

Author: 0xVolosnikov

basic_system/src/system_implementation/flat_storage_model/account_cache.rs

@@ -84,6 +84,7 @@ where
         }
     }
 
+    /// Read element and initialize it if needed
     fn materialize_element<const PROOF_ENV: bool>(
         &mut self,
         ee_type: ExecutionEnvironmentType,
@@ -111,10 +112,13 @@ where
         let native = R::Native::from_computational(WARM_ACCOUNT_CACHE_ACCESS_NATIVE_COST);
         resources.charge(&R::from_ergs_and_native(ergs, native))?;
 
-        let mut cold_read_charged = false;
+        let mut initialized_element = false;
 
         self.cache
             .get_or_insert(address.into(), || {
+                // Element doesn't exist in cache yet, initialize it
+                initialized_element = true;
+
                 // - first get a hash of properties from storage
                 match ee_type {
                     ExecutionEnvironmentType::NoEE => {
@@ -141,8 +145,6 @@ where
                     _ => return Err(InternalError("Unsupported EE").into()),
                 }
 
-                cold_read_charged = true;
-
                 // to avoid divergence we read as-if infinite ergs
                 let hash = resources.with_infinite_ergs(|inf_resources| {
                     storage.read_special_account_property::<AccountAggregateDataHash>(
@@ -179,16 +181,19 @@ where
                     }
                 };
 
+                // Note: we initialize it as cold, should be warmed up separately
+                // Since in case of revert it should become cold again and initial record can't be rolled back
                 Ok(CacheRecord::new(acc_data.0, acc_data.1))
             })
-            // We're adding a read snapshot for case when we're rollbacking the initial read.
             .and_then(|mut x| {
+                // Warm up element according to EVM rules if needed
                 let is_warm = x
                     .current()
                     .metadata()
                     .considered_warm(self.current_tx_number);
                 if is_warm == false {
-                    if cold_read_charged == false {
+                    if initialized_element == false {
+                        // Element exists in cache, but wasn't touched in current tx yet
                         match ee_type {
                             ExecutionEnvironmentType::NoEE => {
                                 // Access list accesses are always done in NoEE.
@@ -383,9 +388,15 @@ where
         self.cache.snapshot()
     }
 
-    pub fn finish_frame(&mut self, rollback_handle: Option<&CacheSnapshotId>) {
+    #[must_use]
+    pub fn finish_frame(
+        &mut self,
+        rollback_handle: Option<&CacheSnapshotId>,
+    ) -> Result<(), InternalError> {
         if let Some(x) = rollback_handle {
-            self.cache.rollback(*x);
+            self.cache.rollback(*x)
+        } else {
+            Ok(())
         }
     }
 

basic_system/src/system_implementation/flat_storage_model/mod.rs

@@ -477,12 +477,17 @@ where
         }
     }
 
-    fn finish_frame(&mut self, rollback_handle: Option<&Self::StateSnapshot>) {
+    fn finish_frame(
+        &mut self,
+        rollback_handle: Option<&Self::StateSnapshot>,
+    ) -> Result<(), InternalError> {
         self.storage_cache
-            .finish_frame(rollback_handle.map(|x| &x.storage));
+            .finish_frame(rollback_handle.map(|x| &x.storage))?;
         self.preimages_cache
-            .finish_frame(rollback_handle.map(|x| &x.preimages));
+            .finish_frame(rollback_handle.map(|x| &x.preimages))?;
         self.account_data_cache
-            .finish_frame(rollback_handle.map(|x| &x.account_data));
+            .finish_frame(rollback_handle.map(|x| &x.account_data))?;
+
+        Ok(())
     }
 }

basic_system/src/system_implementation/flat_storage_model/preimage_cache.rs

@@ -278,7 +278,10 @@ impl<R: Resources, A: Allocator + Clone> SnapshottableIo
         self.publication_storage.start_frame()
     }
 
-    fn finish_frame(&mut self, rollback_handle: Option<&Self::StateSnapshot>) {
-        self.publication_storage.finish_frame(rollback_handle);
+    fn finish_frame(
+        &mut self,
+        rollback_handle: Option<&Self::StateSnapshot>,
+    ) -> Result<(), InternalError> {
+        self.publication_storage.finish_frame(rollback_handle)
     }
 }

basic_system/src/system_implementation/flat_storage_model/storage_cache.rs

@@ -11,6 +11,7 @@ use storage_models::common_structs::{AccountAggregateDataHash, StorageCacheModel
 use zk_ee::common_structs::cache_record::{Appearance, CacheRecord};
 use zk_ee::common_traits::key_like_with_bounds::{KeyLikeWithBounds, TyEq};
 use zk_ee::execution_environment_type::ExecutionEnvironmentType;
+use zk_ee::system::errors::InternalError;
 use zk_ee::{
     common_structs::{WarmStorageKey, WarmStorageValue},
     kv_markers::{StorageAddress, UsizeDeserializable},
@@ -140,12 +141,19 @@ where
     }
 
     #[track_caller]
-    pub fn finish_frame_impl(&mut self, rollback_handle: Option<&CacheSnapshotId>) {
+    #[must_use]
+    pub fn finish_frame_impl(
+        &mut self,
+        rollback_handle: Option<&CacheSnapshotId>,
+    ) -> Result<(), InternalError> {
         if let Some(x) = rollback_handle {
-            self.cache.rollback(*x);
+            self.cache.rollback(*x)
+        } else {
+            Ok(())
         }
     }
 
+    /// Read element and initialize it if needed
     fn materialize_element<'a>(
         cache: &'a mut HistoryMap<K, CacheRecord<V, StorageElementMetadata>, A>,
         resources_policy: &mut P,
@@ -159,10 +167,13 @@ where
     ) -> Result<(AddressItem<'a, K, V, A>, IsWarmRead), SystemError> {
         resources_policy.charge_warm_storage_read(ee_type, resources)?;
 
-        let mut cold_read_charged = false;
+        let mut initialized_element = false;
 
         cache
-            .get_or_insert( key, || {
+            .get_or_insert(key, || {
+                // Element doesn't exist in cache yet, initialize it
+                initialized_element = true;
+
                 let mut dst =
                     core::mem::MaybeUninit::<InitialStorageSlotData<EthereumIOTypesConfig>>::uninit(
                     );
@@ -179,21 +190,24 @@ where
                 // correctly.
                 let data_from_oracle = unsafe { dst.assume_init() } ;
 
-                resources_policy.charge_cold_storage_read_extra(ee_type, resources, data_from_oracle.is_new_storage_slot,is_access_list)?;
-                cold_read_charged = true;
+                resources_policy.charge_cold_storage_read_extra(ee_type, resources, data_from_oracle.is_new_storage_slot, is_access_list)?;
 
                 let appearance = match data_from_oracle.is_new_storage_slot {
                     true => Appearance::Unset,
                     false => Appearance::Retrieved,
                 };
+
+                // Note: we initialize it as cold, should be warmed up separately
+                // Since in case of revert it should become cold again and initial record can't be rolled back
                 Ok(CacheRecord::new(data_from_oracle.initial_value.into(), appearance))
             })
-            // We're adding a read snapshot for case when we're rollbacking the initial read.
             .and_then(|mut x| {
+                // Warm up element according to EVM rules if needed
                 let is_warm_read = x.current().metadata().considered_warm(current_tx_number);
                 if is_warm_read == false {
-                    if cold_read_charged == false {
-                        resources_policy.charge_cold_storage_read_extra(ee_type, resources,false,is_access_list)?;
+                    if initialized_element == false {
+                        // Element exists in cache, but wasn't touched in current tx yet
+                        resources_policy.charge_cold_storage_read_extra(ee_type, resources,false, is_access_list)?;
                     }
 
                     x.update(|cache_record| {
@@ -524,8 +538,11 @@ where
         self.0.start_frame()
     }
 
-    fn finish_frame(&mut self, rollback_handle: Option<&Self::StateSnapshot>) {
-        self.0.finish_frame_impl(rollback_handle);
+    fn finish_frame(
+        &mut self,
+        rollback_handle: Option<&Self::StateSnapshot>,
+    ) -> Result<(), InternalError> {
+        self.0.finish_frame_impl(rollback_handle)
     }
 }
 

basic_system/src/system_implementation/system/io_subsystem.rs

@@ -378,9 +378,9 @@ where
         &mut self,
         rollback_handle: Option<&FullIOStateSnapshot>,
     ) -> Result<(), InternalError> {
-        self.storage.finish_frame(rollback_handle.map(|x| &x.io));
+        self.storage.finish_frame(rollback_handle.map(|x| &x.io))?;
         self.transient_storage
-            .finish_frame(rollback_handle.map(|x| &x.transient));
+            .finish_frame(rollback_handle.map(|x| &x.transient))?;
         self.logs_storage
             .finish_frame(rollback_handle.map(|x| x.messages));
         self.events_storage

storage_models/src/common_structs/generic_transient_storage.rs

@@ -4,7 +4,7 @@ use zk_ee::common_structs::history_map::HistoryMapItemRefMut;
 use core::alloc::Allocator;
 use core::marker::PhantomData;
 use zk_ee::common_traits::key_like_with_bounds::KeyLikeWithBounds;
-use zk_ee::system::errors::SystemError;
+use zk_ee::system::errors::{InternalError, SystemError};
 use zk_ee::{
     common_structs::history_map::{CacheSnapshotId, HistoryMap},
     memory::stack_trait::{StackCtor, StackCtorConst},
@@ -49,8 +49,8 @@ where
 
     pub fn begin_new_tx(&mut self) {
         // Just discard old history
-        // Note: it will reset snapshots counter
-        // Could be also done in separate finish_tx (to not reset for first tx), but it doesn't matter
+        // Note: it will reset snapshots counter, old snapshots handlers can't be used anymore
+        // Note: We will reset it redundantly for first tx
         self.cache = HistoryMap::new(self.alloc.clone());
         self.current_tx_number += 1;
     }
@@ -60,6 +60,7 @@ where
         self.cache.snapshot()
     }
 
+    /// Read element and initialize it if needed
     fn materialize_element<'a>(
         cache: &'a mut HistoryMap<K, V, A>,
         key: &'a K,
@@ -93,9 +94,14 @@ where
     }
 
     #[track_caller]
-    pub fn finish_frame(&mut self, rollback_handle: Option<&CacheSnapshotId>) {
+    pub fn finish_frame(
+        &mut self,
+        rollback_handle: Option<&CacheSnapshotId>,
+    ) -> Result<(), InternalError> {
         if let Some(x) = rollback_handle {
-            self.cache.rollback(*x);
+            self.cache.rollback(*x)
+        } else {
+            Ok(())
         }
     }
 }

storage_models/src/common_structs/traits/snapshottable_io.rs

@@ -1,9 +1,14 @@
+use zk_ee::system::errors::InternalError;
+
 /// TODO
 pub trait SnapshottableIo {
     type StateSnapshot;
 
     fn begin_new_tx(&mut self);
 
     fn start_frame(&mut self) -> Self::StateSnapshot;
-    fn finish_frame(&mut self, rollback_handle: Option<&Self::StateSnapshot>);
+    fn finish_frame(
+        &mut self,
+        rollback_handle: Option<&Self::StateSnapshot>,
+    ) -> Result<(), InternalError>;
 }

zk_ee/src/common_structs/history_map.rs

@@ -113,11 +113,17 @@ where
         snapshot_id
     }
 
+    #[must_use]
     /// Rollbacks the data to the state at the provided `snapshot_id`.
-    pub fn rollback(&mut self, snapshot_id: CacheSnapshotId) {
+    pub fn rollback(&mut self, snapshot_id: CacheSnapshotId) -> Result<(), InternalError> {
         if snapshot_id < self.state.frozen_snapshot_id {
-            // TODO: replace with internal error
-            panic!("Rolling below frozen snapshot is illegal and will cause UB.")
+            return Err(InternalError("History map: rollback below frozen snapshot"));
+        }
+
+        if snapshot_id >= self.state.next_snapshot_id {
+            return Err(InternalError(
+                "History map: rollback to non-existent snapshot",
+            ));
         }
 
         // Go over all elements changed since last `commit` and roll them back
@@ -145,6 +151,8 @@ where
                 }
             }
         }
+
+        Ok(())
     }
 
     /// Commits (freezes) changes up to this point and frees memory taken by snapshots that can't be
@@ -723,7 +731,7 @@ mod tests {
 
         map.snapshot();
 
-        map.rollback(ss);
+        map.rollback(ss).expect("Correct snapshot");
 
         map.for_total_diff_operands::<_, ()>(|l, r, k| {
             assert_eq!(1, *l);
@@ -764,7 +772,7 @@ mod tests {
         // Just for fun.
         map.snapshot();
 
-        map.rollback(ss);
+        map.rollback(ss).expect("Correct snapshot");
 
         let mut v = map.get_or_insert::<()>(&1, || Ok(5)).unwrap();