Relax GQA seqlens_k shape validation for backward compat with older models

[vraspar]

Problem

PR #28031 fixed a security OOB GEMM bug via crafted seqlens_k by changing && to || in the shape validation in group_query_attention_helper.h. This correctly enforces the spec (1D Tensor of shape (batch_size)) but breaks models (e.g. qwen3-0.6b, qwen3-1.7b) whose builder.py emits seqlens_k with shape [1,1] instead of [1].

Fix

Relax the shape check to accept shapes with unit dimensions around the batch axis. The validation rule is:

1. seqlens_k must be at least 1D (scalars are rejected)
2. Total element count must equal batch_size
3. Each dimension must be 1 or batch_size (e.g. accepts [B], [B,1], [1,B] but rejects [2,2] for B=4)

Also fixes the same latent &&/|| bug in the JS/WebGPU EP (group-query-attention.ts).

Security: The per-element value bounds checks in Compute() are unchanged -- the OOB fix from #28031 is fully preserved.

Changes

• group_query_attention_helper.h -- scalar rejection + element-count shape check (shared by CPU, CUDA, WebGPU EPs)
• group-query-attention.ts -- same fix for the JS WebGPU path
• group_query_attention_op_test.cc -- tests for [1,1] compat, multi-batch [2,1] compat, trailing-batch [1,2] compat, scalar rejection, wrong-count rejection, and invalid factored shape rejection

[edgchen1]

should we use the same error message here and in onnxruntime/contrib_ops/cpu/bert/group_query_attention_helper.h?

[vraspar]

JS now uses same messages as C++

[edgchen1]

nit: [1, 1] as an example shape will only work if batch size is 1. since we already have example shape [B, 1], maybe we can omit it.

[vraspar]

Removed from both C++ and JS comments

[edgchen1]

this is a large output tolerance. is it feasible to test with actual expected values? as the existing tests also do this, perhaps it can be done in another PR. at least, I think it would be worth a comment.

[edgchen1]

consider reusing/creating another test helper like RunGQASeqlensKTest() to reduce code duplication.

[vraspar]

Extended RunGQASeqlensKTest with seqlens_k_shape param.

[vraspar]

Sorry about the force-push — Copilot CLI rewrote the branch and lost the incremental diff history.

Addressed all 5 comments:

• group_query_attention_helper.h:267 — Tightened the factored-shape check so each dim must be 1 or batch_size (rejects e.g. [2,2] for B=4). Added SeqlensKInvalidFactoredShape test to cover it.
• group-query-attention.ts:203 — Aligned error messages between JS and C++ so they match.
• group-query-attention.ts:197 — Removed [1, 1] from the comment in both C++ and JS. Now just shows [B, 1] instead of [B].
• group_query_attention_op_test.cc:267 — Added a comment explaining the loose tolerance: these tests validate shape acceptance, not numerical correctness. Agree exact-value tests can be a follow-up.
• group_query_attention_op_test.cc:237 — Extended RunGQASeqlensKTest with an optional seqlens_k_shape param. All 5 shape tests use the helper now, net -73 lines.

[Copilot]

Pull request overview

Relaxes seqlens_k shape validation for GroupQueryAttention to restore backward compatibility with older model exporters that emit extra unit dimensions (e.g., [B,1]), while keeping the value-range checks that prevent OOB access.

Changes:

• Update C++ CheckInputs() validation to accept seqlens_k shapes with batch_size total elements (with additional per-dimension constraints).
• Apply equivalent validation updates in the JS/WebGPU validateInputs() path.
• Extend CPU and JS test coverage with legacy-shape acceptance and wrong-shape rejection cases.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
onnxruntime/contrib_ops/cpu/bert/group_query_attention_helper.h	Updates seqlens_k shape validation and error messages in shared helper.
js/web/lib/wasm/jsep/webgpu/ops/group-query-attention.ts	Aligns WebGPU input validation with the relaxed seqlens_k shape rules.
onnxruntime/test/contrib_ops/group_query_attention_op_test.cc	Adds regression tests for legacy 2D shapes and invalid element-count/shape cases.
js/web/test/data/ops/group-query-attention.jsonc	Adds a Web test case covering legacy [1,1] seqlens_k shape acceptance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The PR description says the seqlens_k shape validation is relaxed to only check total element count (Size() == batch_size). This implementation still adds an additional per-dimension constraint (each dim must be 1 or batch_size), which will reject shapes like [2,2] for batch_size=4 even though the element count matches. Please either (a) loosen the validation to match the stated behavior, or (b) update the PR description to reflect the intended restriction and why it’s needed.

[Copilot]

This new check allows rank-0 (scalar) seqlens_k when batch_size==1 because TensorShape::Size() returns 1 for empty shapes and the dim loop is skipped. If the goal is only to accept 1D with optional unit dimensions (e.g., [B,1], [1,B]), consider explicitly rejecting scalar shapes (NumDimensions()==0) to avoid widening accepted inputs beyond what’s described by the spec/comment.

Suggested change

	// dimensions (e.g. [B, 1] instead of [B]). Allow shapes where each dim is 1 or batch_size.
	// dimensions (e.g. [B, 1] instead of [B]). Allow shapes where each dim is 1 or batch_size.
	if (seqlens_k->Shape().NumDimensions() == 0) {
	return ORT_MAKE_STATUS(ONNXRUNTIME, INVALID_ARGUMENT,
	"seqlens_k must not be a scalar; expected a 1D tensor of shape (batch_size) "
	"or a tensor with only unit dimensions and one batch_size dimension.");
	}

[edgchen1]

perhaps we could also verify that NumDimensions() > 0. sounds like we want at least 1D shape.

[vraspar]

I highly doubt it will break any models but just want to be on side of caution if we should add this check @guschmue

[Copilot]

As written, a scalar seqlens_k (dims=[]) will be accepted when batchSize===1 because reduce() returns 1 and the per-dim loop is skipped. If you only intend to allow older builders that add unit dimensions (e.g., [B,1]/[1,B]) and still require at least 1 dimension, add an explicit dims.length>=1 check to match the spec and the comment above this block.

[edgchen1]

perhaps we could also verify that NumDimensions() > 0. sounds like we want at least 1D shape.

[vraspar]

Addressed remaining comments:

• *\helper.h:265* (edgchen1 + Copilot) — Added \NumDimensions() == 0\ rejection so scalar \seqlens_k\ is no longer silently accepted when \�atch_size==1. Same check added in JS path (\dims.length === 0).
• *\ est.cc:26* (edgchen1) — Changed \seqlens_k_shape\ param to \std::optional<std::vector<int64_t>>\ so empty {}\ isn't confused with scalar shape. All call sites wrapped with explicit \std::vector<int64_t>{...}.
• *\helper.h:277* (Copilot) — Updated PR description to reflect the full validation rule (at least 1D + element count + per-dim constraint).
• Added \SeqlensKScalarRejected\ test to cover the new scalar rejection path.

[vraspar]

Validated with https://huggingface.co/schmuell/Qwen3-1.7B

[ankitm3k]

@vraspar your PR #28031 broke the functionality & I have tested with open source models too. FYI intel#1067