Kernel Contract Suite for ML & Transaction Kernels
- Kernel Contract Suite is a formal collection of contracts that convert implicit kernel behaviors into explicit invariants, ensuring consistent ML performance across heterogeneous silicon.
- It features an eight-part contract language detailing preconditions, postconditions, and measurement protocols that rigorously specify numerical and operational properties.
- The suite also supports deployment workflows and transactional verification by guiding conformance tests, secure logging, and divergence bounds from training to inference.
Searching arXiv for the cited papers to ground the article in current literature. Searching for "Kernel Contracts: A Specification Language for ML Kernel Correctness Across Heterogeneous Silicon". Searching for "Training-Inference Kernel Contracts: Bounding Divergence in Post-Training and Deployment". Kernel Contract Suite denotes a formalized collection of contracts or invariants that turns an implicit kernel-level guarantee into an explicit, testable artifact. In the ML-kernel literature, the suite is presented as a normative reference for correctness across heterogeneous silicon and for bounding divergence between training and inference kernels at fixed parameters; in a separate line of work on a minimal transactional object kernel, the suite is a formal target for verification and cryptographic compilation, specifying six structural properties as invariants of the transition function (Veit, 23 Apr 2026, Xu et al., 26 May 2026, Goes, 17 May 2026).
1. Contract suites as formal arbiters of kernel behavior
The central premise is that every kernel ships with an implicit contract about what it computes, yet that contract is rarely written down. When kernels disagree across stacks or devices—such as a matmul on AMD producing a different gradient than the same matmul on NVIDIA, a fused attention kernel silently downcasting an accumulator, or an out-of-bounds access returning zero on one stack and garbage on another—there is otherwise no formal artifact to arbitrate the dispute. The heterogeneous-silicon formulation addresses this by defining a specification language in which the contract itself, rather than only an empirical discrepancy, becomes the unit of analysis (Veit, 23 Apr 2026).
In the training–inference setting, the same contractual idea is specialized to pairs of concrete programs, and , that evaluate the same checkpoint but may induce different distributions because they use different finite-precision kernels. Here the contract is explicitly a tuple
combining numerical, statistical, runtime, and observability clauses with an escalation policy from violations to routing actions. The suite therefore governs not only correctness in the narrow numerical sense, but also deployment-time divergence, traffic routing, and audit reproducibility (Xu et al., 26 May 2026).
A distinct but related usage appears in the single-verb send kernel. There, the suite collects formal invariants over the global append-only log , transaction record , and the transition function induced by send, run, and execute. The six structural properties—authenticated provenance, opaque encapsulation, atomic multi-object commit, deterministic replay, immutable history, and history-derived state—are asserted as kernel-level properties, with opacity against the operator additionally requiring operator-faithful trust or a cryptographic compiler (Goes, 17 May 2026).
A common misconception is to treat a contract suite as merely a regression test collection. The cited work is more specific: the suite itself is the normative specification, and pass/fail is defined contract-by-contract against explicit preconditions, postconditions, tolerances, measurement protocols, and violation signatures. This suggests a shift from ad hoc benchmark disagreement toward specification-based conformance.
2. Eight-part contract language for heterogeneous ML kernels
In the heterogeneous-silicon formulation, every kernel contract is a self-contained document with eight elements: identifier, scope, precondition, postcondition, tolerance, reference oracle, measurement protocol, and violation signature. The identifier has the form C-FAM-NN, where FAM∈{PRC, ORD, CMP, EXC} denotes the failure family and NN is a two-digit class number. Scope names the governed operation classes, such as matmul, fused_attention, reduction, indexing, or collective. The precondition is a predicate on inputs, shapes, value ranges, and environment, while the postcondition is a relation between the kernel output and a reference oracle of the form
The closeness predicate may be elementwise or relative, and the tolerance may be absolute, relative, ULP-based, or an elementwise combination such as “absolute 1e-3 and ulp 2” (Veit, 23 Apr 2026).
The reference oracle defines what counts as correct computation. The paper lists four typical forms: higher precision 0, alternate stack, algebraic property, and spec reference, with IEEE 754-2019 given as an example of the last category. The measurement protocol is a reproducible recipe for generating inputs, pulling samples, and applying pass/fail; examples include sampling 1024 random inputs per shape and computing max relative error, sweeping 1 and asserting DIMENSION_UNSUPPORTED for out-of-range shapes, or injecting NaN at random positions and checking propagation policy bitwise. The violation signature is a concise characterization of how and where a violating implementation deviates, such as error exceeding tolerance only in a specified regime or silent out-of-bounds acceptance for a specified index set (Veit, 23 Apr 2026).
The training–inference formulation uses a different abstraction level but preserves the same contractual intent. A clause
2
attaches a stable identifier to a metric 3, threshold 4, slice set 5, allowed exceedance rate 6, violation level 7, and remediation action 8. Hard clauses have 9; soft clauses permit bounded exceedance under the evaluation distribution. This structure makes the suite simultaneously numerical and operational: it can express logit drift, top-0 agreement, reward drift, p95 latency, failure rates, tracing requirements, and routing actions in a single contractual object (Xu et al., 26 May 2026).
3. Taxonomy, calibration, and empirically grounded violation classes
The heterogeneous-silicon paper groups twelve contract classes into four families and requires that each class be grounded in published empirical evidence. The taxonomy is as follows.
| Family | Contract classes | Core claim |
|---|---|---|
| Precision Regimes | C-PRC-01, C-PRC-02, C-PRC-03, C-PRC-04 | Accumulator preservation, stable algorithms, declared denormal policy, scaling invariance |
| Ordering & Determinism | C-ORD-01, C-ORD-02, C-ORD-03 | Reduction-order tolerance, declared determinism class, overlap preservation |
| Compiler-Induced | C-CMP-01, C-CMP-02, C-CMP-03 | Fused/sequential equivalence, schedule invariance, shape-polymorphism preservation |
| Exceptional-Value | C-EXC-01, C-EXC-02 | NaN/Inf propagation semantics, out-of-bounds access semantics |
Several of these classes are defined with highly specific claims. C-PRC-01 states that declared accumulator precision 1 is never down-cast. C-PRC-02 requires that numerically unstable patterns such as softmax, variance, and log-sum-exp use a stable algorithm, including max-subtraction or Welford. C-ORD-01 bounds parallel reduction variation by a backward-error bound 2 regardless of block or order. C-CMP-03 requires support for the entire declared shape class, not just benchmark shapes. C-EXC-02 requires indexing operations to follow a declared RAISE, CLAMP, ZERO, or UNDEFINED policy exactly (Veit, 23 Apr 2026).
A notable methodological requirement is three-state calibration. Every contract must admit a baseline implementation that fails visible tests, a bad implementation that passes visible smoke tests but fails the contract under its measurement protocol, and a good implementation that passes both. The paper states that failure to separate bad from good indicates an under-specified contract or insufficient tests. This calibration criterion is important because it distinguishes the suite from a purely descriptive taxonomy: a contract is only adequate if it can separate visible pass/contract fail from visible pass/contract pass (Veit, 23 Apr 2026).
The case studies illustrate how informal diagnoses are mapped to specific measurable violations. Huawei Ascend silent precision coercion is mapped to C-PRC-01, with a violation signature in which output saturates at approximately 65 504, the FP16 maximum, instead of tracking the FP32 reference. Sakana AI reward hacking is mapped to C-CMP-03, where “fast” kernels pass the test set 3 but fail on held-out shapes in the declared class 4. AMD out-of-bounds silent acceptance is mapped to C-EXC-02: AMD MI300X raises approximately 1 700 fewer OOB exceptions than NVIDIA or Intel and returns plausible but undefined values, yielding an observed output that matches none of RAISE, CLAMP, or ZERO and is therefore an undeclared policy (Veit, 23 Apr 2026).
4. Training–inference contracts and bounds on divergence
For post-training and deployment, the contract suite is formulated on fixed model parameters 5, with 6 and 7 producing logits 8 and next-token distributions
9
where 0 is the sampling temperature. Drift metrics include logit drift 1 measured in 2 or 3, distributional drifts 4 and 5, reward drift for bounded rewards 6, and runtime drifts such as p90 or p95 latency, memory, and failure rates under live load (Xu et al., 26 May 2026).
The principal analytical result is a chain of bounds from raw logit drift to distributional divergence and then to reward drift. Writing 7, 8, and 9, the paper gives
0
For bounded reward,
1
Thus a numerical clause on max logit drift 2 implies
3
The paper’s emphasis is that a low-level numerical clause propagates into a bounded effect on sampled behavior (Xu et al., 26 May 2026).
The RL specialization makes this operational for post-training. With behavior policy 4 and target policy 5, the importance ratio is 6. Under support overlap, bounded advantage, and bounded score-norm assumptions, the gradient-bias bound is
7
Composed with the logit-to-TV bound, this yields a direct route from a numerical kernel clause to a bound on per-token policy-gradient bias. The paper further states that restoring 8 or clipping it via PPO’s clip(w,1−c,1+c) can be interpreted as using the PPO-9 trust-region as a budget on train–infer kernel divergence (Xu et al., 26 May 2026).
A further misconception is that deployment contracts require production-scale empirical validation before being meaningful. The paper explicitly describes itself as a framework and vocabulary paper and states that it does not report production-scale empirical validation. Its contribution is instead the formal vocabulary, the divergence chain, the RL specialization, and the operational machinery.
5. Conformance, observability, and deployment workflows
In the heterogeneous-silicon setting, a Kernel Contract Suite is a collection of contracts plus an overarching test architecture. The suite itself is the normative specification, analogous to IEC 62443 for industrial control systems. Independent labs act as conformance assessment bodies, running the measurement protocols and certifying pass/fail per contract. The trace discipline is explicit: every test invocation must emit a record
(contract ID, kernel ID, stack, version, input-hash, residual, tolerance, verdict).
These traces feed contract evolution, attribution, and certified audit logs. The test matrix is driven by contract class rather than brute-force enumeration, and the tolerance specification protocol prefers an FP64 reference with 0, using 1 for simple operations and 2 for reductions; when FP64 is unavailable, the highest precision on the same stack is used and the tolerance is marked stack-dependent. Critical contracts such as C-PRC-01, C-EXC-02, and C-ORD-01 are retested on every stack bump, while others are retested selectively depending on release-note scope (Veit, 23 Apr 2026).
The training–inference paper addresses a complementary operational setting: continuous deployment. Its four-stage promotion pipeline is Offline CI → Shadow → Canary → Full. Offline CI runs all hard numerical clauses and a deterministic subset of statistical, runtime, and observability clauses on a fixed evaluation set, aborting on any hard violation. Shadow mirrors a small fraction of live traffic to the candidate and logs all clause metrics; any L2 or L3 violation aborts promotion. Canary routes a fraction 3 of live traffic through the candidate, updates a scalar health score
4
and chooses primary, guarded, or safe according to thresholds 5. Full promotion is 100% live traffic under contract. The minimal YAML DSL versions the contract alongside model and kernel hashes, slice definitions, clause families, thresholds, exceedance rates, levels, and remediation targets such as vllm-bf16-h100 or pytorch-bf16-ref (Xu et al., 26 May 2026).
Taken together, these workflows show two modes of conformance. One is certification-oriented and lab-mediated; the other is online, slice-aware, and routing-sensitive. A plausible implication is that the same contractual artifact can act both as a compliance object and as a deployment-control object, provided its clauses are instrumented with sufficient observability.
6. The single-verb send kernel: invariants, semantics, and trust models
In the object/transaction literature, the contract suite is formal rather than empirical. The global append-only log is 6, the per-transaction pending log is 7, the per-transaction external sends are 8, and the transaction-record log is 9. Persistent objects are
0
The suite specifies six structural properties. Authenticated provenance is the invariant
1
together with the requirement that in send_pers the appended triple is exactly 2, where 3 is the kernel-supplied caller atom. Atomic multi-object commit is
4
Immutable history is prefix monotonicity of the log, and history-derived state is defined by
5
Deterministic replay requires that, under admissibility assumptions, replay from a fixed initial state and fixed transaction sequence is uniquely determined (Goes, 17 May 2026).
These guarantees are enforced by the semantics of send, run, and execute. The kernel structurally classifies every send target into one of six cases without input from the caller: built-in, object creation, persistent send, special-pair form, external target, and ephemeral target, with a catchall abort. Persistent dispatch reads only program(t,K⊕Δ) and encode(log(t,K⊕Δ)); no other send case reads any log. The paper therefore states a non-interference hyper-property: if two global logs differ only on object 6’s log, and sends to 7 return the same values and onward sends in both executions, then execution yields the same post-state outside 8, the same 9, and the same return value up to the abort-cohort signal (Goes, 17 May 2026).
The trust model is sharply distinguished. Under kernel-faithful trust, the implementation of send/run/execute follows the specified semantics exactly, and all six properties hold as kernel-level invariants against arbitrary programs. Opacity against the operator additionally requires operator-faithful trust: the operator accesses logs only via recall and does not censor or reorder transactions. When the operator cannot be trusted, the paper compiles kernel programs into multi-party cryptographic protocols, using confidentiality labels as identities, MPC-gated transfer for cross-object flows, and zero-knowledge proofs for public faithfulness obligations. The resulting security guarantee is simulation-based: the adversary’s view is indistinguishable from a simulator given only the public transaction record, external outputs, and the hyper-flows permitted by the kernel contract (Goes, 17 May 2026).
This second usage broadens the meaning of a kernel contract suite beyond numerical ML correctness. It shows that the same contractual idiom can specify provenance, encapsulation, replay, and history discipline at the kernel transition level, with cryptographic compilation preserving exactly those invariants under an operator-adversarial deployment model.