dsfb-gpu-debug-core 0.1.0

Deterministic CPU reference, hash chain, and semantic authority for dsfb-gpu-debug.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290

//! The canonical trace-event record.
//!
//! `TraceEvent` is the input atom of the DSFB-GPU-Debug pipeline. Each
//! record represents one observable point in the debug catalog — a span
//! emitted by a tracing system, a latency sample, an error stamp. The shape
//! is intentionally narrow: we keep only the fields the downstream pipeline
//! actually reads, so the canonical byte form is small and the hash chain
//! stays cheap to compute.
//!
//! Layout decisions:
//!
//! * `#[repr(C)]` so the struct can cross the FFI boundary into CUDA
//!   without per-field marshaling. The CUDA-side mirror in
//!   `cuda/layout.cuh` (introduced in Section H) lays the fields out
//!   identically.
//! * Field order is part of the in-crate canonical trace contract. Changing
//!   this order would change the catalog hash and therefore the case-file
//!   hash, so the order is not to be reshuffled.
//! * Widths chosen for the bounded v0 demo: `latency_us: u32` covers up to
//!   ~71 minutes of latency (way beyond the contract clamp of 32 767 ms),
//!   `entity_id` and `route_id` are `u32` to leave room without paying for
//!   `u64`, and the 16-bit status/error/kind/flags fields keep the total
//!   record size small.
//!
//! Stability: this type is deserialized from the canonical JSON fixture and
//! re-serialized into the case file's `input_catalog_hash`. The
//! serialization order is fixed by `serialize::write_event` (canonical key
//! ordering); modifying field names or order requires bumping the contract
//! version.

/// A single observable trace point.
///
/// All fields are unsigned; the deserializer rejects negative literals.
/// The constructors offered here are intentionally limited — callers should
/// build events via the fixture synthesizer or by parsing canonical JSON,
/// not by direct field assignment, so the bit-stability rules around field
/// widths are honored automatically.
#[repr(C)]
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug, Default)]
pub struct TraceEvent {
    /// Wall-clock timestamp, nanoseconds since the synthetic epoch (event
    /// 0). The pipeline derives the window index from this field via
    /// integer division by the contract's `window_size_ms * 1_000_000`.
    pub ts_ns: u64,
    /// The entity (service, process, sensor) the event belongs to.
    /// Bounded by `n_entities` in the contract.
    pub entity_id: u32,
    /// The route within the entity (e.g. an HTTP endpoint or a sensor
    /// channel). Not used by the v0 pipeline for windowing but carried
    /// into the canonical bytes so the hash chain reflects the full
    /// fixture shape.
    pub route_id: u32,
    /// Tracing span identifier. Carried for fidelity of the catalog hash;
    /// not consumed by the residual/sign stages.
    pub span_id: u64,
    /// Parent span identifier, or `0` for a root.
    pub parent_span_id: u64,
    /// Observed latency in microseconds. Clamped to
    /// `contract.numeric.latency_clamp_ms * 1000` at the residual boundary
    /// to keep Q16.16 quantization in range.
    pub latency_us: u32,
    /// HTTP-style status code (or a domain-specific equivalent). Carried
    /// through to the canonical bytes; the v0 pipeline checks for the
    /// error class via `error_code` not `status_code`.
    pub status_code: u16,
    /// Domain error code, with `0` meaning no error. Drives the error-rate
    /// derivative of the residual.
    pub error_code: u16,
    /// Free-form event-type discriminator (request, response, log,
    /// sample). Not consumed in v0 but preserved in the catalog hash.
    pub event_kind: u16,
    /// Bit-field for miscellaneous flags (sampled, replayed, simulated).
    /// Preserved verbatim for the catalog hash.
    pub flags: u16,
}

impl TraceEvent {
    /// Construct a fully-specified `TraceEvent`. Used by the fixture
    /// synthesizer and tests. There is no builder pattern on purpose —
    /// the type is small enough that positional construction is more
    /// auditable than a fluent builder.
    #[must_use]
    #[allow(clippy::too_many_arguments)]
    pub const fn new(
        ts_ns: u64,
        entity_id: u32,
        route_id: u32,
        span_id: u64,
        parent_span_id: u64,
        latency_us: u32,
        status_code: u16,
        error_code: u16,
        event_kind: u16,
        flags: u16,
    ) -> Self {
        Self {
            ts_ns,
            entity_id,
            route_id,
            span_id,
            parent_span_id,
            latency_us,
            status_code,
            error_code,
            event_kind,
            flags,
        }
    }

    /// The window index this event falls into, given a window size in
    /// nanoseconds. Integer division; ties go to the lower window.
    #[must_use]
    pub const fn window_index(&self, window_size_ns: u64) -> u32 {
        // Saturate at u32::MAX rather than wrapping if the synthetic clock
        // ever exceeds 2^32 windows; the contract's bounded fixtures stay
        // well under that.
        let raw = self.ts_ns / window_size_ns;
        if raw > u32::MAX as u64 {
            u32::MAX
        } else {
            raw as u32
        }
    }
}

/// R.11c — compact GPU-ingest projection of `TraceEvent`. Carries
/// only the four fields the `window_feature_kernel_structured`
/// kernel actually reads (`ts_ns`, `entity_id`, `latency_us`, and
/// the `error_code != 0` flag), packed into 16 bytes. Throughput
/// dispatches H2D this projection instead of the 48-byte audit-
/// grade `TraceEvent`, cutting PCIe payload ~3× at full scale
/// (192 MB → 64 MB at K=128 256×4096).
///
/// **Audit invariance**: the 48-byte `TraceEvent` byte form, the
/// Audit-mode FFI, and every D16 audit-chain golden hash are
/// untouched. The projection is opt-in to the D64 throughput path.
///
/// **Provenance**: the projection is a deterministic function of
/// `TraceEvent[]`. An auditor can re-pack the events via
/// `GpuTraceEventCompact::from_trace_event` and verify the recorded
/// `compact_event_projection_hash` (the SHA-256 over the packed
/// byte stream) matches. The hash is surfaced through the dispatch
/// diagnostic so a verifier can confirm the compact bytes weren't
/// silently substituted between catalog ingest and the kernel.
///
/// **Byte layout (16 bytes, 8-byte aligned, repr(C))**:
///   offset  field                  type
///        0  `ts_ns`                u64
///        8  `entity_and_error`     u32   (low 31 bits = entity_id,
///                                         high bit = error_code != 0)
///       12  `latency_us`           u32
///
/// `entity_id` is bounded to 31 bits (max 2^31 − 1). All fixtures
/// the v0 plan supports cap `n_entities` at < 2^15.
#[repr(C)]
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug, Default)]
pub struct GpuTraceEventCompact {
    /// Wall-clock timestamp, nanoseconds since the synthetic epoch.
    pub ts_ns: u64,
    /// Bit-packed `(entity_id, error_flag)`. Low 31 bits carry
    /// `entity_id`; bit 31 is `1` iff the original event's
    /// `error_code` was non-zero.
    pub entity_and_error: u32,
    /// Observed latency in microseconds. Carried as the full
    /// `u32` from `TraceEvent` so any clamp behaviour upstream
    /// is preserved byte-for-byte.
    pub latency_us: u32,
}

impl GpuTraceEventCompact {
    /// Fixed byte width of one compact event. Mirrored on the GPU
    /// side as `cuda/layout.cuh::GpuTraceEventCompact`.
    pub const SIZE: usize = 16;
    /// Bit-31 flag in `entity_and_error` indicating
    /// `TraceEvent::error_code != 0`.
    pub const ERROR_BIT: u32 = 1u32 << 31;
    /// Bit-mask for the `entity_id` field within
    /// `entity_and_error`.
    pub const ENTITY_MASK: u32 = 0x7FFF_FFFF;

    /// Pack a single `TraceEvent` into the compact projection. The
    /// resulting bytes are a deterministic function of the input;
    /// two events that compare equal under
    /// `PartialEq<TraceEvent>` produce identical compact bytes.
    #[must_use]
    pub const fn from_trace_event(ev: &TraceEvent) -> Self {
        let entity_bits = ev.entity_id & Self::ENTITY_MASK;
        let error_bit = if ev.error_code != 0 {
            Self::ERROR_BIT
        } else {
            0
        };
        Self {
            ts_ns: ev.ts_ns,
            entity_and_error: entity_bits | error_bit,
            latency_us: ev.latency_us,
        }
    }

    /// Recover the entity id stored in the low 31 bits of
    /// `entity_and_error`.
    #[must_use]
    pub const fn entity_id(&self) -> u32 {
        self.entity_and_error & Self::ENTITY_MASK
    }

    /// `true` iff the original `TraceEvent::error_code` was
    /// non-zero. Stored as bit 31 of `entity_and_error` so the
    /// compact projection holds in 16 bytes.
    #[must_use]
    pub const fn error_nonzero(&self) -> bool {
        (self.entity_and_error & Self::ERROR_BIT) != 0
    }
}

/// R.11c — deterministically pack `events` into the compact GPU
/// projection. Throughput-dispatch helper; the audit path uses the
/// full 48-byte `TraceEvent` slice and is unchanged.
#[cfg(feature = "std")]
#[must_use]
pub fn pack_compact_event_projection(events: &[TraceEvent]) -> std::vec::Vec<GpuTraceEventCompact> {
    events
        .iter()
        .map(GpuTraceEventCompact::from_trace_event)
        .collect()
}

/// R.11c — SHA-256 over a compact-event slice's canonical byte
/// form. Used as the throughput-path provenance anchor: a verifier
/// re-packs `TraceEvent[]` via [`pack_compact_event_projection`]
/// and checks the recorded hash matches.
///
/// The canonical byte form is little-endian per field
/// (`ts_ns` u64 → 8 LE bytes, `entity_and_error` u32 → 4 LE bytes,
/// `latency_us` u32 → 4 LE bytes), concatenated in cell order.
/// Serialised explicitly via `to_le_bytes` so the hash is
/// reproducible without relying on the host's in-memory layout
/// and stays compatible with `forbid(unsafe_code)`.
#[cfg(feature = "std")]
#[must_use]
pub fn compact_event_projection_hash(compact: &[GpuTraceEventCompact]) -> [u8; 32] {
    let mut buf: std::vec::Vec<u8> =
        std::vec::Vec::with_capacity(compact.len() * GpuTraceEventCompact::SIZE);
    for ev in compact {
        buf.extend_from_slice(&ev.ts_ns.to_le_bytes());
        buf.extend_from_slice(&ev.entity_and_error.to_le_bytes());
        buf.extend_from_slice(&ev.latency_us.to_le_bytes());
    }
    crate::hash::sha256(&buf)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn window_index_partitions_at_boundaries() {
        let ev = TraceEvent {
            ts_ns: 1_500_000_000,
            ..TraceEvent::default()
        };
        // 1.5 seconds at a 1-second window → index 1.
        assert_eq!(ev.window_index(1_000_000_000), 1);

        let edge = TraceEvent {
            ts_ns: 2_000_000_000,
            ..TraceEvent::default()
        };
        // Exact boundary lands in the next window per integer-division semantics.
        assert_eq!(edge.window_index(1_000_000_000), 2);
    }

    #[test]
    fn window_index_floors_at_zero() {
        let ev = TraceEvent::default();
        assert_eq!(ev.window_index(1_000_000_000), 0);
    }

    #[test]
    fn struct_size_is_stable() {
        // The size of the canonical record is part of the prior-art posture
        // because the CUDA layout in `cuda/layout.cuh` mirrors it. If this
        // assertion changes, the CUDA mirror needs to change with it. The
        // expected size is the sum of declared field widths plus trailing
        // alignment padding to a multiple of 8 (the largest alignment).
        //
        // Field sizes (bytes): 8+4+4+8+8+4+2+2+2+2 = 44, padded to 48.
        assert_eq!(core::mem::size_of::<TraceEvent>(), 48);
    }
}