pytorch
diff --git a/.github/workflows/mlx.yml b/.github/workflows/mlx.yml
Lines changed: 1 addition & 1 deletion
diff --git a/backends/mlx/CMakeLists.txt b/backends/mlx/CMakeLists.txt
Lines changed: 22 additions & 27 deletions
diff --git a/backends/mlx/runtime/MLXBackend.cpp b/backends/mlx/runtime/MLXBackend.cpp
Lines changed: 54 additions & 9 deletions
@@ -32,7 +32,7 @@ jobs:
 
         echo "::group::Install ExecuTorch and configure build"
         ${CONDA_RUN} python install_executorch.py > /dev/null
-        ${CONDA_RUN} cmake --preset mlx-release -DEXECUTORCH_BUILD_TESTS=ON
+        ${CONDA_RUN} cmake --preset mlx-release -DEXECUTORCH_BUILD_TESTS=ON -DEXECUTORCH_MLX_ENABLE_SANITIZERS=ON
         echo "::endgroup::"
 
         ${CONDA_RUN} pip list
 
@@ -16,20 +16,32 @@ endif()
 
 # Source root directory for executorch.
 if(NOT EXECUTORCH_ROOT)
-  set(EXECUTORCH_ROOT ${CMAKE_CURRENT_SOURCE_DIR}/../../..)
+  set(EXECUTORCH_ROOT ${CMAKE_CURRENT_SOURCE_DIR}/../..)
 endif()
 
 include(${EXECUTORCH_ROOT}/tools/cmake/Utils.cmake)
 
-set(_common_compile_options -Wno-deprecated-declarations)
+set(_common_compile_options -Wall -Werror -Wno-deprecated-declarations)
+
+# Sanitizer flags (asan + ubsan) for security hardening — CI only. Enable via:
+# cmake --preset mlx-release -DEXECUTORCH_MLX_ENABLE_SANITIZERS=ON
+option(EXECUTORCH_MLX_ENABLE_SANITIZERS
+       "Enable ASan + UBSan for MLX delegate and tests" OFF
+)
+if(EXECUTORCH_MLX_ENABLE_SANITIZERS)
+  list(APPEND _common_compile_options -fsanitize=address,undefined
+       -fno-omit-frame-pointer
+  )
+  set(_mlx_sanitizer_link_options -fsanitize=address,undefined)
+endif()
 
 # -----------------------------------------------------------------------------
 # Code generation from schema.fbs
 # -----------------------------------------------------------------------------
 #
-# The generate.py script generates all code from schema.fbs: - Python:
-# mlx_graph_schema.py, _generated_serializers.py, _generated/ - C++:
-# MLXLoader.h, MLXLoader.cpp, schema_generated.h
+# The generate.py script generates all code from schema.fbs -- Python
+# (mlx_graph_schema.py, _generated_serializers.py, _generated/) and C++
+# (MLXLoader.h, MLXLoader.cpp, schema_generated.h).
 #
 # We run generate.py at build time so these files don't need to be checked in.
 # -----------------------------------------------------------------------------
@@ -200,25 +212,6 @@ set(MLX_METAL_JIT
     CACHE BOOL "Use JIT compiled Metal kernels"
 )
 
-# Apply JSON patch to prevent conflict with ExecuTorch's nlohmann_json MLX uses
-# FetchContent for json; ExecuTorch already has it as submodule
-execute_process(
-  COMMAND git apply --check ${CMAKE_CURRENT_SOURCE_DIR}/patches/mlx_json.patch
-  WORKING_DIRECTORY ${MLX_SOURCE_DIR}
-  RESULT_VARIABLE _patch_check_result
-  OUTPUT_QUIET ERROR_QUIET
-)
-if(_patch_check_result EQUAL 0)
-  execute_process(
-    COMMAND git apply ${CMAKE_CURRENT_SOURCE_DIR}/patches/mlx_json.patch
-    WORKING_DIRECTORY ${MLX_SOURCE_DIR}
-    RESULT_VARIABLE _patch_result
-  )
-  if(_patch_result EQUAL 0)
-    message(STATUS "Applied MLX JSON patch")
-  endif()
-endif()
-
 # Add MLX subdirectory
 message(STATUS "Adding MLX from submodule: ${MLX_SOURCE_DIR}")
 add_subdirectory(${MLX_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}/mlx)
@@ -237,7 +230,7 @@ set(_mlx_backend__srcs ${CMAKE_CURRENT_SOURCE_DIR}/runtime/MLXLoader.cpp
 add_library(mlxdelegate ${_mlx_backend__srcs})
 
 # Ensure schema is generated before compiling
-add_dependencies(mlxdelegate mlx_schema flatc)
+add_dependencies(mlxdelegate mlx_schema)
 
 # Add logging flag if enabled
 if(ET_MLX_ENABLE_OP_LOGGING)
@@ -247,7 +240,6 @@ endif()
 
 target_include_directories(
   mlxdelegate PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/runtime
-                      ${_mlx_schema__include_dir} ${MLX_SOURCE_DIR}
 )
 
 # Link against MLX and executorch mlx is only available at BUILD_INTERFACE -
@@ -257,7 +249,10 @@ target_link_libraries(
 )
 
 executorch_target_link_options_shared_lib(mlxdelegate)
-target_compile_options(mlxdelegate PUBLIC ${_common_compile_options})
+target_compile_options(mlxdelegate PRIVATE ${_common_compile_options})
+if(EXECUTORCH_MLX_ENABLE_SANITIZERS)
+  target_link_options(mlxdelegate PRIVATE ${_mlx_sanitizer_link_options})
+endif()
 
 install(
   TARGETS mlxdelegate mlx_schema
 
@@ -72,10 +72,24 @@ array tensor_to_mlx(
 
   ::mlx::core::Shape shape;
   for (int i = 0; i < t.dim(); ++i) {
-    shape.push_back(static_cast<int>(t.size(i)));
+    auto dim_size = t.size(i);
+    if (dim_size > std::numeric_limits<int>::max() ||
+        dim_size < std::numeric_limits<int>::min()) {
+      throw std::runtime_error(
+          "tensor_to_mlx: dimension " + std::to_string(i) + " size " +
+          std::to_string(dim_size) + " exceeds int range");
+    }
+    shape.push_back(static_cast<int>(dim_size));
   }
 
-  void* data_ptr = const_cast<void*>(t.const_data_ptr());
+  // SAFETY: MLX reads this data during async_eval() Metal command encoding,
+  // which completes before the lock is released. The ET tensor must remain
+  // valid until async_eval returns.
+  const void* cptr = t.const_data_ptr();
+  if (!cptr) {
+    throw std::runtime_error("tensor_to_mlx: tensor has null data pointer");
+  }
+  void* data_ptr = const_cast<void*>(cptr);
   auto deleter = [](void*) {};
   return array(data_ptr, shape, dtype, deleter);
 }
@@ -115,8 +129,11 @@ void write_output(array& arr, ETTensor& out) {
   }
 
   if (!shape_matches) {
-    std::vector<executorch::aten::SizesType> new_sizes(
-        mlx_shape.begin(), mlx_shape.end());
+    std::vector<executorch::aten::SizesType> new_sizes;
+    new_sizes.reserve(mlx_shape.size());
+    for (auto d : mlx_shape) {
+      new_sizes.push_back(static_cast<executorch::aten::SizesType>(d));
+    }
     auto err = resize_tensor(
         out,
         ArrayRef<executorch::aten::SizesType>(
@@ -134,7 +151,12 @@ void write_output(array& arr, ETTensor& out) {
         " bytes, output has " + std::to_string(out_nbytes) + " bytes");
   }
 
-  std::memcpy(out.mutable_data_ptr(), arr.data<void>(), out_nbytes);
+  const void* src = arr.data<void>();
+  if (!src) {
+    throw std::runtime_error(
+        "write_output: arr.data<void>() is null after wait()");
+  }
+  std::memcpy(out.mutable_data_ptr(), src, out_nbytes);
 }
 
 } // namespace
@@ -172,7 +194,7 @@ class MLXBackend final : public ::executorch::runtime::BackendInterface {
   ~MLXBackend() override = default;
 
   bool is_available() const override {
-    return true;
+    return ::mlx::core::metal::is_available();
   }
 
   Result<DelegateHandle*> init(
@@ -189,9 +211,20 @@ class MLXBackend final : public ::executorch::runtime::BackendInterface {
     try {
       new (handle) MLXHandle();
 
+      if (!processed || !processed->data() || processed->size() == 0) {
+        throw std::runtime_error("init: null or empty delegate payload");
+      }
+
       handle->program = loader::load_program(
           static_cast<const uint8_t*>(processed->data()), processed->size());
 
+      // Validate schema version
+      if (handle->program.version != "1") {
+        throw std::runtime_error(
+            "Unsupported MLX schema version '" + handle->program.version +
+            "' (expected '1'). Rebuild the .pte with a matching SDK version.");
+      }
+
       // Load constants from named_data_map
       // Constants are stored by name in the .pte file and provided by ET at
       // runtime
@@ -214,7 +247,9 @@ class MLXBackend final : public ::executorch::runtime::BackendInterface {
       handle->state.bind(
           handle->program, handle->constants, handle->mutable_buffers);
 
-      // Run init chain if present
+      // Run init chain if present.
+      // SAFETY: The >= 0 check ensures init_chain_idx is non-negative, so the
+      // static_cast<uint32_t> cannot produce UINT32_MAX from a -1 sentinel.
       if (handle->program.init_chain_idx >= 0) {
         handle->interpreter.run_chain(
             handle->program,
@@ -258,8 +293,12 @@ class MLXBackend final : public ::executorch::runtime::BackendInterface {
 
         h->state.reset();
 
-        const size_t expected_args =
-            program.input_map.size() + program.output_map.size();
+        const size_t n_inputs = program.input_map.size();
+        const size_t n_outputs = program.output_map.size();
+        if (n_inputs > SIZE_MAX - n_outputs) {
+          throw std::runtime_error("execute: input + output count overflow");
+        }
+        const size_t expected_args = n_inputs + n_outputs;
         if (args.size() != expected_args) {
           ET_LOG(
               Error, "Expected %zu args, got %zu", expected_args, args.size());
@@ -268,6 +307,12 @@ class MLXBackend final : public ::executorch::runtime::BackendInterface {
 
         // Bind inputs
         for (const auto& slot : program.input_map) {
+          if (arg_idx >= args.size()) {
+            throw std::runtime_error(
+                "execute: arg_idx " + std::to_string(arg_idx) +
+                " out of bounds (args.size()=" + std::to_string(args.size()) +
+                ")");
+          }
           if (slot.slot_type == SlotType::TensorSlot) {
             const ETTensor& tensor = args[arg_idx++]->toTensor();
             Tid tid{slot.idx};