fix: remove grcov from nix flake

flake.nix

@@ -63,7 +63,7 @@
               clangStdenv
               llvm_15
               typos
-              grcov
+              # grcov # TODO uncomment this line after https://github.com/mozilla/grcov/issues/1187#issuecomment-2252214718
             ] ++ lib.optionals stdenv.isDarwin
               [ darwin.apple_sdk.frameworks.Security ];
 

plonk/src/circuit/plonk_verifier/gadgets.rs

@@ -34,16 +34,20 @@ use jf_utils::{bytes_to_field_elements, field_switching};
 
 /// Aggregate polynomial commitments into a single commitment (in the
 /// ScalarsAndBases form). Useful in batch opening.
+///
 /// The verification key type is guaranteed to match the Plonk proof type.
+///
 /// The returned commitment is a generalization of `[F]1` described
 /// in Sec 8.3, step 10 of https://eprint.iacr.org/2019/953.pdf
-/// input
+///
+/// Input:
 /// - vks: verification key variable
 /// - challenges: challenge variable in FpElemVar form
 /// - poly_evals: zeta^n, zeta^n-1 and Lagrange evaluated at 1
 /// - batch_proof: batched proof inputs
 /// - non_native_field_info: aux information for non-native field
-/// Output
+///
+/// Output:
 /// - scalar and bases prepared for MSM
 /// - buffer info for u and v powers
 pub(super) fn aggregate_poly_commitments_circuit<E, F>(

plonk/src/proof_system/prover.rs

@@ -68,8 +68,10 @@ impl<E: Pairing> Prover<E> {
     }
 
     /// Round 1:
+    ///
     /// 1. Compute and commit wire witness polynomials.
     /// 2. Compute public input polynomial.
+    ///
     /// Return the wire witness polynomials and their commitments,
     /// also return the public input polynomial.
     pub(crate) fn run_1st_round<C: Arithmetization<E::ScalarField>, R: CryptoRng + RngCore>(

plonk/src/proof_system/verifier.rs

@@ -190,11 +190,12 @@ where
 
     /// Batchly verify multiple (aggregated) PCS opening proofs.
     ///
-    /// We need to verify that
+    /// We need to verify that:
     /// - `e(Ai, [x]2) = e(Bi, [1]2) for i \in {0, .., m-1}`, where
     /// - `Ai = [open_proof_i] + u_i * [shifted_open_proof_i]` and
     /// - `Bi = eval_point_i * [open_proof_i] + u_i * next_eval_point_i *
     ///   [shifted_open_proof_i] + comm_i - eval_i * [1]1`.
+    ///
     /// By Schwartz-Zippel lemma, it's equivalent to check that for a random r:
     /// - `e(A0 + ... + r^{m-1} * Am, [x]2) = e(B0 + ... + r^{m-1} * Bm, [1]2)`.
     pub(crate) fn batch_verify_opening_proofs<T>(

relation/src/constraint_system.rs

@@ -822,10 +822,10 @@ impl<F: FftField> PlonkCircuit<F> {
         self.eval_domain.size() != 1
     }
 
-    /// Re-arrange the order of the gates so that
+    /// Re-arrange the order of the gates so that:
     /// 1. io gates are in the front.
     /// 2. variable table lookup gate are at the rear so that they do not affect
-    /// the range gates when merging the lookup tables.
+    ///    the range gates when merging the lookup tables.
     ///
     /// Remember to pad gates before calling the method.
     fn rearrange_gates(&mut self) -> Result<(), CircuitError> {

relation/src/gadgets/ecc/emulated/short_weierstrass.rs

@@ -153,28 +153,36 @@ impl<F: PrimeField> PlonkCircuit<F> {
     /// Constrain variable `p2` to be the point addition of `p0` and
     /// `p1` over an elliptic curve.
     /// Let p0 = (x0, y0, inf0), p1 = (x1, y1, inf1), p2 = (x2, y2, inf2)
-    /// The addition formula for affine points of sw curve is
-    ///   If either p0 or p1 is infinity, then p2 equals to another point.
+    /// The addition formula for affine points of sw curve is as follows:
+    ///
+    /// If either p0 or p1 is infinity, then p2 equals to another point.
     ///   1. if p0 == p1
-    ///     - if y0 == 0 then inf2 = 1
-    ///     - Calculate s = (3 * x0^2 + a) / (2 * y0)
-    ///     - x2 = s^2 - x0 - x1
-    ///     - y2 = s(x0 - x2) - y0
+    ///      - if y0 == 0 then inf2 = 1
+    ///      - Calculate s = (3 * x0^2 + a) / (2 * y0)
+    ///      - x2 = s^2 - x0 - x1
+    ///      - y2 = s(x0 - x2) - y0
     ///   2. Otherwise
-    ///     - if x0 == x1 then inf2 = 1
-    ///     - Calculate s = (y0 - y1) / (x0 - x1)
-    ///     - x2 = s^2 - x0 - x1
-    ///     - y2 = s(x0 - x2) - y0
+    ///      - if x0 == x1 then inf2 = 1
+    ///      - Calculate s = (y0 - y1) / (x0 - x1)
+    ///      - x2 = s^2 - x0 - x1
+    ///      - y2 = s(x0 - x2) - y0
+    ///
     /// The first case is equivalent to the following:
+    ///
     /// - inf0 == 1 || inf1 == 1 || x0 != x1 || y0 != y1 || y0 != 0 || inf2 == 0
     /// - (x0 + x1 + x2) * (y0 + y0)^2 == (3 * x0^2 + a)^2
     /// - (y2 + y0) * (y0 + y0) == (3 * x0^2 + a) (x0 - x2)
+    ///
     /// The second case is equivalent to the following:
+    ///
     /// - inf0 == 1 || inf1 == 1 || x0 != x1 || y0 == y1 || inf2 == 0
     /// - (x0 - x1)^2 (x0 + x1 + x2) == (y0 - y1)^2
     /// - (x0 - x2) (y0 - y1) == (y0 + y2) (x0 - x1)
+    ///
     /// First check in both cases can be combined into the following:
+    ///
     /// inf0 == 1 || inf1 == 1 || inf2 == 0 || x0 != x1 || (y0 == y1 && y0 != 0)
+    ///
     /// For the rest equality checks,
     ///   - Both LHS and RHS must be multiplied with an indicator variable
     ///     (!inf0 && !inf1). So that if either p0 or p1 is infinity, those