Method

How Ashiba attributes silent-correctness failures across silicon.

Two ML kernels can disagree numerically, both pass functional tests, and both be — depending on the contract — correct. There is no formal artifact today against which "correct" can be graded. That is the specification gap. Kernel Contracts is the language that closes it.

The contract object

A kernel contract is an eight-part formal object:

Identifier — fully-qualified name
Scope — shapes, dtypes, devices, backends
Precondition — constraints on inputs
Postcondition — declarative clause over output and reference
Tolerance — allowed deviation from reference, substrate-parameterized
Reference oracle — implementation the postcondition is stated against
Measurement protocol — how conformance is observed
Violation signature — measurable deviation that constitutes a violation

Three primitives, twelve classes

All twelve contract classes group under three physically-grounded failure primitives:

Path dependence. The result depends on an evaluation order the contract allows to vary. Root cause: IEEE 754 non-associativity combined with non-deterministic parallel scheduling.

Domain violation. The operator encounters inputs outside its valid domain — subnormals, NaN, overflow, out-of-range indices. Root cause: finite precision combined with unconstrained input distributions.

Resource contention. The result depends on concurrent access to shared silicon resources — atomics, memory-model reorderings, collective-operation arbitrations. Root cause: shared-memory concurrency combined with silicon-specific arbitration policies.

Three primitives, twelve manifestations, one framework.

What an engagement produces

Our methodology adapts forty years of silicon-test engineering — Shewhart statistical process control, ATPG coverage mathematics, Huang-Abraham algorithm-based fault tolerance, Freivalds probabilistic verification — to the ML kernel domain. For a given workload we deliver:

A contract suite — the twelve-class taxonomy instantiated for your kernels, tolerance calibrated to your substrate mix.
A measurement protocol — executable probes with logged false-positive bounds.
A violation attribution — when divergence is observed, traced to the specific contract class and failure primitive. No "looks like a precision issue" hand-waving.
A conformance report — graded against the contract suite in the register of an ISASecure or ASIL assessment. Reviewable, citable, shareable with your silicon vendor as a technical artifact rather than a bug report.

Intellectual ancestry

Shewchuk 1997 on adaptive-precision geometric predicates. Demmel and Nguyen on ReproBLAS. Wilkinson's backward error analysis. Bates on approximate-computing error debt. The silicon-test lineage: Shewhart SPC, ATPG, Huang-Abraham ABFT, Freivalds. Each contributes one component of the framework. The port from silicon test to ML kernel is the work.

Method

The contract object

Three primitives, twelve classes

What an engagement produces

Intellectual ancestry

See also