borsalino 0.1.0

Thin GPU compute abstraction — Metal and Vulkan backends for Industrial Algebra
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186

// Copyright (C) 2026 Industrial Algebra
// SPDX-License-Identifier: AGPL-3.0-only

//! GPU verification obligations for Borsalino kernels.
//!
//! This module integrates with the Karpal verification stack
//! (Phase 12e) to encode the safety properties that each GPU
//! kernel must satisfy. Properties are collected into
//! [`ObligationBundle`] instances that can be exported to SMT,
//! Lean 4, and Kani verification backends.
//!
//! # Properties verified
//!
//! | Property | What it prevents | Mechanism |
//! |---|---|---|
//! | Buffer aligned to 16 bytes | Unaligned buffer → GPU fault | Type-level guard |
//! | Workgroup size divides thread count | Mismatch → undefined behavior | Type-level guard |
//! | Dispatch within device limits | Excess threads → validation error | Type-level guard |
//! | Kernel output is deterministic | Nondeterministic GPU behaviour | Statistical (amari-flynn) |
//!
//! # Phase
//!
//! Phase 2 of the verification migration path: obligation bundles
//! and property types. Phase 3 adds `Proven<>` gates on dispatch.
//! Phase 4 adds Kani harnesses and statistical verification.

use karpal_verify::gpu::GpuObligationBundle;
use karpal_verify::{ObligationBundle, Origin};

// ── Re-exports ────────────────────────────────────────────────────

pub use karpal_proof::{Property, Proven};
pub use karpal_verify::gpu::{
    IsBufferAlignedTo16, IsDispatchWithinLimits, IsMSLKernelDeterministic,
    IsWorkgroupSizeDivisible,
};

// ── Obligation bundles ────────────────────────────────────────────

/// Build verification obligations for the `add_one` kernel.
///
/// Properties asserted:
/// - Input and output buffers are 16-byte aligned
/// - Thread count (4 × 256) is divisible by workgroup size (256)
/// - Dispatch fits within Metal's 1D grid limit
/// - Kernel is deterministic across dispatches
pub fn add_one_obligations() -> ObligationBundle {
    GpuObligationBundle::metal_kernel(
        "borsalino_add_one",
        Origin::new("borsalino", "kernels::add_one"),
    )
    .with_buffer_alignment("input_buffer", 16)
    .with_buffer_alignment("output_buffer", 16)
    .with_workgroup_divisibility("thread_count", 256)
    .with_dispatch_limit("workgroup_count", 65_535)
    .with_kernel_determinism("add_one_kernel")
    .into_bundle()
}

/// Build verification obligations for the `scale` kernel.
pub fn scale_obligations() -> ObligationBundle {
    GpuObligationBundle::metal_kernel(
        "borsalino_scale",
        Origin::new("borsalino", "kernels::scale"),
    )
    .with_buffer_alignment("input_buffer", 16)
    .with_buffer_alignment("output_buffer", 16)
    .with_workgroup_divisibility("thread_count", 256)
    .with_dispatch_limit("workgroup_count", 65_535)
    .with_kernel_determinism("scale_kernel")
    .into_bundle()
}

/// Build verification obligations for the `saxpy` kernel.
pub fn saxpy_obligations() -> ObligationBundle {
    GpuObligationBundle::metal_kernel(
        "borsalino_saxpy",
        Origin::new("borsalino", "kernels::saxpy"),
    )
    .with_buffer_alignment("x_buffer", 16)
    .with_buffer_alignment("y_buffer", 16)
    .with_buffer_alignment("out_buffer", 16)
    .with_workgroup_divisibility("thread_count", 256)
    .with_dispatch_limit("workgroup_count", 65_535)
    .with_kernel_determinism("saxpy_kernel")
    .into_bundle()
}

// ═══════════════════════════════════════════════════════════════════
// Tests
// ═══════════════════════════════════════════════════════════════════

#[cfg(test)]
mod tests {
    use super::*;
    use karpal_verify::{export_kani_bundle, export_lean_bundle, export_smt_bundle};

    #[test]
    fn add_one_bundle_contains_all_properties() {
        let bundle = add_one_obligations();
        let obligations = bundle.obligations();

        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsBufferAlignedTo16::NAME)
        );
        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsWorkgroupSizeDivisible::NAME)
        );
        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsDispatchWithinLimits::NAME)
        );
        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsMSLKernelDeterministic::NAME)
        );
    }

    #[test]
    fn add_one_bundle_exports_through_all_backends() {
        let bundle = add_one_obligations();

        let smt = export_smt_bundle(&bundle);
        let lean = export_lean_bundle("BorsalinoVerify", &bundle);
        let kani = export_kani_bundle(&bundle);

        assert!(!smt.is_empty(), "SMT export should not be empty");
        assert!(
            lean.contains("deterministic_kernel"),
            "Lean export should contain deterministic_kernel"
        );
        assert!(!kani.is_empty(), "Kani export should not be empty");
        assert!(
            kani.iter().any(|h| h.source.contains("kani::assert")),
            "Kani harness should contain assertions"
        );
    }

    #[test]
    fn scale_bundle_contains_all_properties() {
        let bundle = scale_obligations();
        let obligations = bundle.obligations();

        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsBufferAlignedTo16::NAME)
        );
        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsWorkgroupSizeDivisible::NAME)
        );
        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsDispatchWithinLimits::NAME)
        );
        assert!(
            obligations
                .iter()
                .any(|o| o.property == IsMSLKernelDeterministic::NAME)
        );
    }

    #[test]
    fn saxpy_bundle_contains_three_buffer_alignments() {
        let bundle = saxpy_obligations();
        let obligations = bundle.obligations();

        let alignment_count = obligations
            .iter()
            .filter(|o| o.property == IsBufferAlignedTo16::NAME)
            .count();
        assert_eq!(
            alignment_count, 3,
            "saxpy should have 3 buffer alignment obligations (x, y, out)"
        );
    }
}