Enforce rocmlirMIGraphXAttentionCreate input contract in release builds

The previous round of C API hardening guarded the entry-point arguments
with assert(), which compiles to a no-op under NDEBUG. Release-build
callers that violated the contract (NULL queries / keys / values, NULL
preSoftmaxElemWiseInputs with a non-zero count, negative splitKV /
slidingWindowSize / numPreSoftmaxInputs, NULL resultType) would still
fall through to the same confusing failure modes the assertions were
meant to prevent: NULL deref while iterating the inputs array, "no Q
operand" diagnostics on a half-built op, or splitKV silently dropped.

Replace the asserts with `if (...) return reject(msg)` checks that fire
uniformly in debug and release builds, write a
"rocmlirMIGraphXAttentionCreate: <reason>" line to stderr (matching the
existing `mlirMIGraphXAddBackendPipeline` diagnostic style in this
file), and return a null MlirOperation. Callers can detect the failure
with mlirOperationIsNull. The order of checks now also catches a
negative numPreSoftmaxInputs before it is used as a loop bound, fixing
a subtle order-of-evaluation hazard in the previous assert chain.

Document the new contract in mlir-c/Dialect/MIGraphX.h: list every
condition that returns null and clarify that all *other* invariants
(operand element types, shape compatibility, feature/operand
consistency) are still enforced by the AttentionOp verifier rather
than by the C API. This matches what the implementation actually does
and lets callers distinguish "I gave it garbage" (null return,
detectable here) from "the verifier rejected my IR" (verified op
returned but parsing/verification fails later).

Existing CAPI tests (mlir/test/CAPI/mixr_attention.c) continue to pass
unchanged because they always provide valid inputs.

Made-with: Cursor

Author: umangyadav

mlir/include/mlir-c/Dialect/MIGraphX.h

@@ -105,6 +105,17 @@ mlirMIGraphXAddBackendPipeline(MlirPassManager pm,
 /// \p prefixOffset is required when prefix_offset is set; pass null to omit.
 /// \p splitKV is the number of KV splits (0 or 1 = omit attribute).
 /// \p slidingWindowSize is the window size (0 = omit attribute).
+///
+/// Contract violations are rejected with a stderr diagnostic and a null
+/// MlirOperation return (check via mlirOperationIsNull). The same contract
+/// is enforced in both debug and release builds. Specifically the function
+/// returns a null op (and writes a "rocmlirMIGraphXAttentionCreate: ..."
+/// line to stderr) if any of \p queries, \p keys, \p values is null, if
+/// \p numPreSoftmaxInputs is negative or \p preSoftmaxElemWiseInputs is
+/// NULL when the count is positive, if \p splitKV or \p slidingWindowSize
+/// is negative, or if \p resultType is null. All other invariants (operand
+/// element types, shape compatibility, feature/operand consistency, etc.)
+/// are still left to the AttentionOp verifier.
 MLIR_CAPI_EXPORTED MlirOperation rocmlirMIGraphXAttentionCreate(
     MlirLocation location, MlirValue queries, MlirValue keys, MlirValue values,
     intptr_t numPreSoftmaxInputs, const MlirValue *preSoftmaxElemWiseInputs,

mlir/lib/CAPI/Dialect/MIGraphX.cpp

@@ -170,20 +170,35 @@ MLIR_CAPI_EXPORTED MlirOperation rocmlirMIGraphXAttentionCreate(
     MlirType resultType, MlirType lseType, MlirType softmaxType,
     MlirRegion preSoftmaxBody, uint32_t features, MlirValue currentSeqLen,
     MlirValue prefixOffset, int32_t splitKV, int32_t slidingWindowSize) {
-  // Reject contract violations up front. The op verifier would catch most
-  // of these later, but the failure modes are confusing (NULL deref on
-  // the inputs array, "no Q operand" diagnostics on the parsed op) and
-  // splitKV < 0 used to be silently dropped.
-  assert(!mlirValueIsNull(queries) && "queries operand is required");
-  assert(!mlirValueIsNull(keys) && "keys operand is required");
-  assert(!mlirValueIsNull(values) && "values operand is required");
-  assert((numPreSoftmaxInputs == 0 || preSoftmaxElemWiseInputs != nullptr) &&
-         "preSoftmaxElemWiseInputs array must be non-NULL when count > 0");
-  assert(numPreSoftmaxInputs >= 0 &&
-         "numPreSoftmaxInputs must be non-negative");
-  assert(splitKV >= 0 && "splitKV must be non-negative (0 or 1 = omit)");
-  assert(slidingWindowSize >= 0 && "slidingWindowSize must be non-negative");
-  assert(!mlirTypeIsNull(resultType) && "resultType is required");
+  // Reject contract violations up front and uniformly across debug and
+  // release builds. The op verifier would catch most of these later, but
+  // the failure modes are confusing in NDEBUG builds (NULL deref on the
+  // inputs array, "no Q operand" diagnostics on a half-built op,
+  // splitKV < 0 silently dropped) and the previous assert-only checks
+  // compiled out in release. Returning a null MlirOperation lets callers
+  // detect failure with mlirOperationIsNull and matches the conventions
+  // documented in the header.
+  auto reject = [](const char *msg) -> MlirOperation {
+    llvm::errs() << "rocmlirMIGraphXAttentionCreate: " << msg << "\n";
+    return MlirOperation{nullptr};
+  };
+  if (mlirValueIsNull(queries))
+    return reject("queries operand is required");
+  if (mlirValueIsNull(keys))
+    return reject("keys operand is required");
+  if (mlirValueIsNull(values))
+    return reject("values operand is required");
+  if (numPreSoftmaxInputs < 0)
+    return reject("numPreSoftmaxInputs must be non-negative");
+  if (numPreSoftmaxInputs > 0 && preSoftmaxElemWiseInputs == nullptr)
+    return reject(
+        "preSoftmaxElemWiseInputs array must be non-NULL when count > 0");
+  if (splitKV < 0)
+    return reject("splitKV must be non-negative (0 or 1 = omit)");
+  if (slidingWindowSize < 0)
+    return reject("slidingWindowSize must be non-negative");
+  if (mlirTypeIsNull(resultType))
+    return reject("resultType is required");
 
   MlirContext ctx = mlirLocationGetContext(location);
   MlirOperationState state = mlirOperationStateGet(