Sync with Microsoft ONNX Runtime - 17062026 #1143
Open
ai-fw-intg wants to merge 12 commits into
### Description

Reject sub-byte packed types with appropriate error message. The `TensorAt` API returns a `void*`, it fundamentally cannot point to a sub-byte element. The fix is to reject sub-byte types at the API boundary, similar to how strings are rejected. Tests have been updated to reflect the changes.

### Motivation and Context

`TensorAt` computed pointer offsets using logical element indices but `Size()` returns the byte size of the packed storage unit (1 byte for Int4x2/UInt4x2 which holds 2 elements). This caused out-of-bounds pointer returns when element indices exceeded the actual buffer size. The API fundamentally cannot return a pointer to a sub-byte element, so reject sub-byte packed types with an appropriate error message, similar to how strings are already rejected.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
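The offset mismatch described in the commit message above, as an added example that is not code from this pull request or from ONNX Runtime. `ElemType`, `Tensor`, `NaiveByteOffset` and `TensorAtChecked` are hypothetical names; the sketch models only the arithmetic (logical index times storage-unit size) and the reject-at-the-boundary fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical element types: two packed 4-bit types share one byte per two elements.
enum class ElemType { Float32, Int4x2, UInt4x2 };

struct TypeInfo {
  size_t storage_unit_bytes;  // what a Size()-style query reports
  size_t elems_per_unit;      // logical elements held by one storage unit
};

inline TypeInfo Info(ElemType t) {
  if (t == ElemType::Float32) return {4, 1};
  return {1, 2};  // Int4x2 / UInt4x2
}

struct Tensor {
  ElemType type;
  std::vector<int64_t> shape;
  std::vector<uint8_t> data;  // packed storage
};

// Allocates exactly the packed size: ceil(elements / elems_per_unit) units.
Tensor MakeTensor(ElemType type, std::vector<int64_t> shape) {
  size_t n = 1;
  for (int64_t d : shape) n *= static_cast<size_t>(d);
  const TypeInfo info = Info(type);
  const size_t units = (n + info.elems_per_unit - 1) / info.elems_per_unit;
  Tensor t{type, std::move(shape), std::vector<uint8_t>(units * info.storage_unit_bytes)};
  return t;
}

// Row-major logical index with a per-dimension range check.
bool FlatIndex(const Tensor& t, const std::vector<int64_t>& loc, size_t* out) {
  if (loc.size() != t.shape.size()) return false;
  size_t flat = 0;
  for (size_t i = 0; i < loc.size(); ++i) {
    if (loc[i] < 0 || loc[i] >= t.shape[i]) return false;
    flat = flat * static_cast<size_t>(t.shape[i]) + static_cast<size_t>(loc[i]);
  }
  *out = flat;
  return true;
}

// "Before" arithmetic: logical index multiplied by the storage-unit size.
// For packed types the result can exceed data.size(). Caller passes an in-range loc.
size_t NaiveByteOffset(const Tensor& t, const std::vector<int64_t>& loc) {
  size_t flat = 0;
  FlatIndex(t, loc, &flat);
  return flat * Info(t.type).storage_unit_bytes;
}

struct AtResult {
  void* ptr;
  std::string error;
};

// "After" behaviour: refuse types whose elements are not byte-addressable,
// then bounds-check the computed offset against the real buffer.
AtResult TensorAtChecked(Tensor& t, const std::vector<int64_t>& loc) {
  const TypeInfo info = Info(t.type);
  if (info.elems_per_unit != 1)
    return {nullptr, "sub-byte packed element types cannot be addressed by pointer"};
  size_t flat = 0;
  if (!FlatIndex(t, loc, &flat)) return {nullptr, "location out of range"};
  const size_t offset = flat * info.storage_unit_bytes;
  if (offset + info.storage_unit_bytes > t.data.size())
    return {nullptr, "offset outside tensor buffer"};
  return {t.data.data() + offset, ""};
}
```
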
microsoft#29054)

Adds complete 2‑bit quantization support to the WebGPU GatherBlockQuantized operator. The implementation includes:

1. Sign‑extension logic for 2‑bit signed quantized values
2. Sign‑extension logic for 2‑bit signed zero points
3. Maintains full backward compatibility with existing 4‑bit and 8‑bit support

### Motivation and Context

This change addresses GitHub issue microsoft#28895: "Add 2‑bit quantization support to the WebGPU GatherBlockQuantized operator". The existing codebase had partial 2‑bit support but was missing sign‑extension, which is critical for correct dequantization of signed 2‑bit values (range [-2, 1]).
Bumps [tmp](https://github.com/raszi/node-tmp) from 0.2.6 to 0.2.7.

Commits

- [`8ea1f37`](https://github.com/raszi/node-tmp/commit/8ea1f37d75c67569e0f151448330d52f7babf211) Bump up the version
- [`8f24f78`](https://github.com/raszi/node-tmp/commit/8f24f788a356b5d45c9bec894632bd4931338153) Merge commit from fork
- [`ce787f3`](https://github.com/raszi/node-tmp/commit/ce787f37aaacccad921ae90990c9da33481fe59c) Reject non-string prefix, postfix, template
- See full diff in [compare view](https://github.com/raszi/node-tmp/compare/v0.2.6...v0.2.7)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ft#28186)

### Description

Harden the `.ort` FlatBuffer model loader to reject malformed buffers early instead of dereferencing null pointers, allocating attacker-controlled sizes, or accessing out-of-bounds memory.

### Changes

**Null table offset validation** (`flatbuffers_utils.h`/`.cc`)
- Add `ValidateRequiredTableOffsets<T>()` template that scans a FlatBuffer vector of table offsets and rejects any null (zero) entries before the caller dereferences them.
- Apply to opset imports, initializers, sparse initializers, node args, nodes, node edges, and metadata properties.

**Initializer raw_data size validation** (`graph_flatbuffers_utils.cc`)
- After reading shape and type, compute expected byte count and compare against actual `raw_data` size. Reject mismatches with a descriptive error.

**Node index hardening** (`graph.cc`)
- Compute `required_node_slot_count` by scanning actual node/edge indices instead of trusting the serialized `max_node_index` field, which could be attacker-controlled and cause oversized allocation.
- Reject duplicate node indices, dangling `NodeEdge` references to missing nodes, duplicate `NodeArg` names, and unknown `NodeArg` references in graph inputs/outputs.

**Regression tests** (`ort_model_only_test.cc`)
- `RejectsInitializerRawDataSizeMismatch`: crafted buffer with wrong raw_data size
- `RejectsNullNodeArgTableEntry`: buffer with zeroed-out node arg offset
- `RejectsDanglingNodeEdge`: buffer with a NodeEdge pointing to a non-existent node

### Motivation

These checks defend against crafted `.ort` files that could cause null-pointer dereferences, excessive memory allocation, or out-of-bounds access during model loading.

### Testing

- `git diff --check` passes (no whitespace issues)
- Incremental build of touched core objects succeeds
- New regression tests exercise each validation path

---------

Co-authored-by: tlwu <tlwu@example.com>
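The node index hardening listed in the commit message above, as an added example that is not code from this pull request. `SerializedGraph`, `TrustedSlotCount` and `ValidateNodeIndices` are hypothetical stand-ins for the deserialized `.ort` data, and the `max_slots` cap is an assumption of this sketch, not something the commit message states.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_set>
#include <vector>

// Hypothetical view of the fields read from an untrusted model file.
struct SerializedGraph {
  uint32_t max_node_index;                  // header field, fully file-controlled
  std::vector<uint32_t> node_indices;       // index stored in each node record
  std::vector<uint32_t> edge_node_indices;  // node index each NodeEdge record refers to
};

struct LoadResult {
  bool ok;
  size_t slot_count;  // number of node slots the loader should allocate
  std::string error;
};

// Trusting variant: the allocation size comes straight from the header field,
// so a 12-byte edit to the file can request billions of slots.
size_t TrustedSlotCount(const SerializedGraph& g) {
  return static_cast<size_t>(g.max_node_index) + 1;
}

// Hardened variant: derive the slot count from the node records actually
// present, and reject inconsistent graphs before anything is allocated.
// max_slots is an assumed caller-supplied limit on any single index.
LoadResult ValidateNodeIndices(const SerializedGraph& g, size_t max_slots) {
  std::unordered_set<uint32_t> seen;
  size_t required = 0;
  for (uint32_t idx : g.node_indices) {
    if (idx >= max_slots) return {false, 0, "node index exceeds limit"};
    if (!seen.insert(idx).second) return {false, 0, "duplicate node index"};
    if (static_cast<size_t>(idx) + 1 > required) required = static_cast<size_t>(idx) + 1;
  }
  // Every edge record must point at a node that exists in this file.
  for (uint32_t idx : g.edge_node_indices) {
    if (seen.count(idx) == 0) return {false, 0, "NodeEdge refers to missing node"};
  }
  return {true, required, ""};
}
```
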
Use naive reduction when the output size of ReduceMean is far greater than reduce size. Shared reduction method may need to transpose input, which costs much time.

---------

Co-authored-by: wp <webgraphics@intel.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.

Changelog

*Sourced from [js-yaml's changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md).*

> ## [4.2.0] - 2026-06-01
>
> ### Added
>
> - Added `docs/safety.md` with notes about processing untrusted YAML.
> - Added `maxDepth` (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
> - Added `maxMergeSeqLength` (20) loader option. Not a problem after `merge` fix, but an additional restriction for safety.
> - Added sourcemaps to `dist/` builds.
>
> ### Changed
>
> - Stop resolving numbers with underscores as numeric scalars, [#627](https://redirect.github.com/nodeca/js-yaml/issues/627).
> - Switched dev toolchains to Vite / neostandard.
> - Updated demo.
> - Reorganized tests.
> - `dist/` files are no longer kept in the repository.
>
> ### Fixed
>
> - Fix parsing of properties on the first implicit block mapping key, [#62](https://redirect.github.com/nodeca/js-yaml/issues/62).
> - Fix trailing whitespace handling when folding flow scalar lines, [#307](https://redirect.github.com/nodeca/js-yaml/issues/307).
> - Reject top-level block scalars without content indentation, [#280](https://redirect.github.com/nodeca/js-yaml/issues/280).
> - Ensure numbers survive round-trip, [#737](https://redirect.github.com/nodeca/js-yaml/issues/737).
> - Fix test coverage for issue [#221](https://redirect.github.com/nodeca/js-yaml/issues/221).
> - Fix flow scalar trailing whitespace folding, [#307](https://redirect.github.com/nodeca/js-yaml/issues/307).
> - Fix digits in YAML named tag handles.
>
> ### Security
>
> - Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).
>
> ## [3.14.2] - 2025-11-15
>
> ### Security
>
> - Backported v4.1.1 fix to v3

Commits

- See full diff in [compare view](https://github.com/nodeca/js-yaml/commits)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.15 to 7.5.16.

Commits

- [`cf21338`](https://github.com/isaacs/node-tar/commit/cf213384ac558b539c07c830ed7cca5ffc9e8550) 7.5.16
- [`21a8220`](https://github.com/isaacs/node-tar/commit/21a822027658c8063542be330530bbecdf0dbbfe) do not apply PAX header fields to meta entries
- [`52632cf`](https://github.com/isaacs/node-tar/commit/52632cf38fdbdbbc7ab86184d68a85b11fdb0970) update project deps
- [`302f51f`](https://github.com/isaacs/node-tar/commit/302f51ff3f8eefeccc06be4caf7d0de9b7c321d7) fix inconsequential typo in PENDINGLINKS symbol name
- [`55dbb99`](https://github.com/isaacs/node-tar/commit/55dbb99b27640bb12b2ac059b26883c23523b3e3) remove some uses of mutate-fs
- See full diff in [compare view](https://github.com/isaacs/node-tar/compare/v7.5.15...v7.5.16)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.6.0 to 7.6.3.

Release notes

*Sourced from [protobufjs's releases](https://github.com/protobufjs/protobuf.js/releases).*

> ## protobufjs: v7.6.3
>
> ## [7.6.3](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.6.2...protobufjs-v7.6.3) (2026-06-09)
>
> ### Bug Fixes
>
> - Avoid name collisions in generated code ([#2311](https://redirect.github.com/protobufjs/protobuf.js/issues/2311)) ([78a9576](https://github.com/protobufjs/protobuf.js/commit/78a9576269a5b590c54686a8122e78e28135cd50))
> - Preserve null conversion behavior for fieldless messages ([#2312](https://redirect.github.com/protobufjs/protobuf.js/issues/2312)) ([df91652](https://github.com/protobufjs/protobuf.js/commit/df91652aa5cb1ee0204566252df85cbe752298a6))
>
> ## protobufjs: v7.6.2
>
> ## [7.6.2](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.6.1...protobufjs-v7.6.2) (2026-05-30)
>
> ### Bug Fixes
>
> - Backport consistency and correctness fixes ([#2294](https://redirect.github.com/protobufjs/protobuf.js/issues/2294)) ([a92f72e](https://github.com/protobufjs/protobuf.js/commit/a92f72e1cb731f06040a7917d3e041666d5f5601))
>
> ## protobufjs: v7.6.1
>
> ## [7.6.1](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.6.0...protobufjs-v7.6.1) (2026-05-22)
>
> ### Bug Fixes
>
> - Backport misc utility hardening ([#2280](https://redirect.github.com/protobufjs/protobuf.js/issues/2280)) ([8a45c13](https://github.com/protobufjs/protobuf.js/commit/8a45c13d22ec2d05ab1b7935fcb5331ea59a9cd0))
> - Treat fixed64 as unsigned in converters ([#2266](https://redirect.github.com/protobufjs/protobuf.js/issues/2266)) ([479dfdc](https://github.com/protobufjs/protobuf.js/commit/479dfdcc690feb9f71986049d3d38c7a0f979abb))

Commits

- [`1d3796d`](https://github.com/protobufjs/protobuf.js/commit/1d3796d7d29830c73eec792ccbe769be6aa020ac) chore: release protobufjs-v7.x ([#2317](https://redirect.github.com/protobufjs/protobuf.js/issues/2317))
- [`df91652`](https://github.com/protobufjs/protobuf.js/commit/df91652aa5cb1ee0204566252df85cbe752298a6) fix: Preserve null conversion behavior for fieldless messages ([#2312](https://redirect.github.com/protobufjs/protobuf.js/issues/2312))
- [`78a9576`](https://github.com/protobufjs/protobuf.js/commit/78a9576269a5b590c54686a8122e78e28135cd50) fix: Avoid name collisions in generated code ([#2311](https://redirect.github.com/protobufjs/protobuf.js/issues/2311))
- [`ec90ef9`](https://github.com/protobufjs/protobuf.js/commit/ec90ef9ccc30fffe6ea9ea37e45781071898229d) chore: release protobufjs-v7.x ([#2295](https://redirect.github.com/protobufjs/protobuf.js/issues/2295))
- [`a92f72e`](https://github.com/protobufjs/protobuf.js/commit/a92f72e1cb731f06040a7917d3e041666d5f5601) fix: Backport consistency and correctness fixes ([#2294](https://redirect.github.com/protobufjs/protobuf.js/issues/2294))
- [`f0b50d2`](https://github.com/protobufjs/protobuf.js/commit/f0b50d2fa1247d6652618190c2d6602e6830b90d) chore: release protobufjs-v7.x ([#2268](https://redirect.github.com/protobufjs/protobuf.js/issues/2268))
- [`8a45c13`](https://github.com/protobufjs/protobuf.js/commit/8a45c13d22ec2d05ab1b7935fcb5331ea59a9cd0) fix: Backport misc utility hardening ([#2280](https://redirect.github.com/protobufjs/protobuf.js/issues/2280))
- [`479dfdc`](https://github.com/protobufjs/protobuf.js/commit/479dfdcc690feb9f71986049d3d38c7a0f979abb) fix: Treat fixed64 as unsigned in converters ([#2266](https://redirect.github.com/protobufjs/protobuf.js/issues/2266))
- See full diff in [compare view](https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.6.0...protobufjs-v7.6.3)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Refactor global random seed management to use a function for better encapsulation.

### Description

Convert the file-scope static to a function-local static in `GetGlobalRandomSeed()`, deferring initialization to first use. No API or behavioral change; all callers use `GetRandomSeed()`/`SetRandomSeed()` which remain identical.

### Motivation and Context

The global `g_random_seed` was initialized via `std::chrono::system_clock::now()` at static construction time. When the ORT DLL is loaded dynamically (e.g., via `LoadLibraryExW` in the fuzzer), this triggers an ASan `initialization-order-fiasco`: ORT's `_GLOBAL__sub_I_random_seed.cc` calls `std::chrono::system_clock::now()` before libc++'s `chrono.cpp` globals (`GetSystemTimeAsFileTimeFunc`) are initialized.
…zer tests (microsoft#29073)

### Description

This fixes a macOS AppleClang build failure in `onnxruntime_test_all` caused by directly including ONNX’s `onnx/defs/schema.h` from `graph_transform_test_layernorm.cc`.

With the macOS arm64 CI build, ORT enables `-Wshorten-64-to-32` and treats warnings as errors. ONNX’s schema header pulls in protobuf v21.12 headers, and protobuf’s `google/protobuf/parse_context.h` emits several `-Wshorten-64-to-32` diagnostics under AppleClang. Because the test file included `onnx/defs/schema.h` directly, it bypassed ORT’s existing `core/graph/onnx_protobuf.h` wrapper, which already suppresses this known protobuf warning around ONNX/protobuf includes.

The fix is to include/use the existing ORT ONNX protobuf wrapper instead of directly including `onnx/defs/schema.h`.

### Repro

On macOS arm64 with AppleClang/Xcode, run:

```bash
./build.sh \
  --config "${ORT_BUILD_CONFIG:-Release}" \
  --use_xcode \
  --apple_sysroot macosx \
  --build_shared_lib \
  --parallel \
  --skip_tests \
  --osx_arch arm64 \
  --apple_deploy_target 14 \
  --cmake_generator Ninja
```

A faster targeted repro is:

```bash
python3 tools/ci_build/build.py \
  --config Release \
  --use_xcode \
  --apple_sysroot macosx \
  --build_shared_lib \
  --parallel \
  --skip_tests \
  --osx_arch arm64 \
  --apple_deploy_target 14 \
  --cmake_generator Ninja \
  --build_dir build/repro_ci \
  --update --build \
  --target onnxruntime_test_all
```

Before this fix, the build fails compiling:

```text
onnxruntime/test/optimizer/graph_transform_test_layernorm.cc
```

with errors like:

```text
google/protobuf/parse_context.h:328:47: error: implicit conversion loses integer precision: 'long' to 'int' [-Werror,-Wshorten-64-to-32]
int chunk_size = buffer_end_ + kSlopBytes - ptr;
```

### Root cause

`graph_transform_test_layernorm.cc` directly included:

```cpp
#include "onnx/defs/schema.h"
```

This exposed protobuf v21.12 headers to ORT’s normal AppleClang warning policy:

- `-Wshorten-64-to-32` is enabled
- warnings are treated as errors
- protobuf v21.12 emits known `-Wshorten-64-to-32` warnings in `parse_context.h`

ORT already has `core/graph/onnx_protobuf.h`, which wraps ONNX/protobuf includes with the appropriate diagnostic suppression. The direct ONNX include bypassed that wrapper.

### Summary of fix

Replace the direct ONNX schema include in `graph_transform_test_layernorm.cc` with ORT’s existing ONNX protobuf wrapper include, so protobuf headers are included under the existing warning suppression.

### Validation

Validated locally on macOS arm64 / Xcode 16.4 / AppleClang 17 with:

```bash
python3 tools/ci_build/build.py \
  --config Release \
  --use_xcode \
  --apple_sysroot macosx \
  --build_shared_lib \
  --parallel \
  --skip_tests \
  --osx_arch arm64 \
  --apple_deploy_target 14 \
  --cmake_generator Ninja \
  --build_dir build/repro_ci \
  --build \
  --target onnxruntime_test_all
```

and then the broader build step:

```bash
python3 tools/ci_build/build.py \
  --config Release \
  --use_xcode \
  --apple_sysroot macosx \
  --build_shared_lib \
  --parallel \
  --skip_tests \
  --osx_arch arm64 \
  --apple_deploy_target 14 \
  --cmake_generator Ninja \
  --build_dir build/repro_ci \
  --build
```

Both completed successfully after the fix.

Signed-off-by: Jonathan Clohessy <Jonathan.Clohessy@arm.com>
### Description

Replaces the npm-based `@fs-eire/wgsl-template` Node.js engine used by the WebGPU EP's static build path with an in-tree, stdlib-only Python implementation under `wgsl_templates`. The dynamic generator path is removed from the build surface - the code logic remains as unreachable and will be removed in a follow-up.

### Motivation and Context

The WebGPU EP's WGSL template-to-C++ codegen is currently driven by the `@fs-eire/wgsl-template` npm package, so any build that touches a `.wgsl.template` file needs Node.js installed and has to pull the package over the network. This npm package is also no longer maintained.
Automated daily backmerge from ORT main to ovep-develop. No conflicts detected. Do NOT squash or rebase - use merge commit only.