[wip] Enforce flatbuffer verification #18824

Open
lucylq wants to merge 1 commit into main from lfq.enforce-flatbuffer-verification

@lucylq lucylq commented Apr 10, 2026

[edit] on ci this adds closer to 10-12kB, and puts us way above 50kb :(
linux: echo 'Fail 56448 > 45000'
gcc: echo 'Fail 60296 > 48500'

Seems like this only adds 8kb, so let's try to enable it. It's logging that adds 20-30kb.

  1. Default to Verification::InternalConsistency even in release builds.
  2. If Verification::InternalConsistency is requested but not available, error out.
  3. Embedded and other systems that do not want it can opt-out by disabling the flag.

Test Plan
Check CI size test

@lucylq lucylq requested a review from larryliu0820 as a code owner April 10, 2026 21:28
Copilot AI review requested due to automatic review settings April 10, 2026 21:28

pytorch-bot bot commented Apr 10, 2026

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18824

Note: Links to docs will display an error until the docs builds have been completed.

❗ 1 Active SEVs

There are 1 currently active SEVs. If your PR is affected, please view them below:

❌ 5 New Failures, 3 Unrelated Failures

As of commit 1015912 with merge base 5e8a0df:

NEW FAILURES - The following jobs have failed:

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Apr 10, 2026
@github-actions

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

Copilot AI left a comment

Pull request overview

Enables ExecuTorch flatbuffer/program verification by default (including release builds) and makes Verification::InternalConsistency a strict requirement when requested, rather than silently falling back to minimal checks.

Changes:

  • Default CMake preset EXECUTORCH_ENABLE_PROGRAM_VERIFICATION to ON (release builds now include verification unless explicitly disabled).
  • Change Program::load() (and related Module/Python entrypoints) default verification level to Verification::InternalConsistency.
  • When verification code is compiled out, requesting InternalConsistency now returns Error::NotSupported instead of logging and falling back.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| tools/cmake/preset/default.cmake | Defaults program verification build option to ON. |
| CMakeLists.txt | Updates documentation/comments around the verification build flag behavior and size impact. |
| runtime/executor/targets.bzl | Updates Buck/Bazel-side comments describing verification size and behavior when disabled. |
| runtime/executor/program.h | Switches default verification argument to InternalConsistency. |
| runtime/executor/program.cpp | Enforces NotSupported when InternalConsistency is requested but compiled out; keeps minimal checks only for Minimal. |
| extension/pybindings/pybindings.cpp | Updates Python bindings’ default verification argument to InternalConsistency. |
| extension/module/module.h | Updates Module API default verification argument to InternalConsistency. |

Error,
"InternalConsistency verification requested but not available. "
"Build with ET_ENABLE_PROGRAM_VERIFICATION=1 or "
"use Verification::Minimal to skip verification.");
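
Review bot: The build hint in this message names only ET_ENABLE_PROGRAM_VERIFICATION=1, while the overview above gives the CMake option as EXECUTORCH_ENABLE_PROGRAM_VERIFICATION. Someone who hits this error from a CMake build will look for a name that is not the one they set; name the CMake option alongside ET_ENABLE_PROGRAM_VERIFICATION in the string so the remedy is actionable from either build system.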

Copilot AI Apr 10, 2026

The error text says "use Verification::Minimal to skip verification", but Minimal still performs basic checks (e.g., root table offset bounds check below). Consider rewording to avoid implying verification is entirely skipped (e.g., "use Verification::Minimal for basic verification" / "reduced verification").

Suggested change
"use Verification::Minimal to skip verification.");
"use Verification::Minimal for basic verification.");

Copilot uses AI. Check for mistakes.
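
The gap between a root-offset bounds check and a deeper structural pass, as an added example that is not part of the PR or of ExecuTorch/FlatBuffers code. The function names minimal_check and consistency_check are hypothetical, the deeper pass is a simplified stand-in for what a full verifier does, and both sample buffers are constructed here.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
using Buf = std::vector<uint8_t>;

// Little-endian read (assumes a little-endian host); callers bounds-check first.
template <typename T>
static T rd(const Buf& b, int64_t pos) {
  T v;
  std::memcpy(&v, b.data() + pos, sizeof(T));
  return v;
}

// Minimal-style check: only the root table offset is bounds-checked.
bool minimal_check(const Buf& b) {
  if (b.size() < 8) return false;
  const uint32_t root = rd<uint32_t>(b, 0);
  return root >= 4 && root <= b.size() - 4;
}

// Simplified structural check: vtable and every field slot must be in bounds.
bool consistency_check(const Buf& b) {
  if (!minimal_check(b)) return false;
  const int64_t size = static_cast<int64_t>(b.size());
  const int64_t root = rd<uint32_t>(b, 0);
  const int64_t vt = root - rd<int32_t>(b, root);  // vtable = table - soffset
  if (vt < 4 || vt + 4 > size || vt % 2 != 0) return false;
  const uint16_t vt_len = rd<uint16_t>(b, vt);
  const uint16_t tbl_len = rd<uint16_t>(b, vt + 2);
  if (vt_len < 4 || vt_len % 2 != 0 || vt + vt_len > size) return false;
  if (tbl_len < 4 || root + tbl_len > size) return false;
  for (int64_t slot = vt + 4; slot < vt + vt_len; slot += 2) {
    const uint16_t off = rd<uint16_t>(b, slot);
    if (off != 0 && off >= tbl_len) return false;  // 0 marks an absent field
  }
  return true;
}

// Constructed 20-byte buffer: root offset 12, vtable at 4, one int32 field = 42.
Buf sample_valid() {
  return {12, 0, 0, 0, 6, 0, 8, 0, 4, 0, 0, 0, 8, 0, 0, 0, 42, 0, 0, 0};
}

// Same buffer with the table's vtable offset rewritten to -4096 (out of bounds).
Buf sample_corrupt() {
  Buf b = sample_valid();
  const int32_t bad = -4096;
  std::memcpy(b.data() + 12, &bad, sizeof(bad));
  return b;
}
```

The corrupted buffer passes minimal_check because its root offset is still in range, and is rejected only by consistency_check, before any field read would dereference the bad vtable location.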
Comment on lines 87 to 90
ET_NODISCARD static Result<Program> load(
DataLoader* loader,
Verification verification = Verification::Minimal);
Verification verification = Verification::InternalConsistency);
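
Review bot: The new default on the verification parameter is a literal that, per the file summary above, is repeated in extension/module/module.h and extension/pybindings/pybindings.cpp, so a later change to one of the three leaves the entry points verifying at different levels with no compile error. Define the default once next to the Verification enum and reference it from all three declarations, and state in the load() doc comment that the default can return Error::NotSupported when verification is compiled out.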

Copilot AI Apr 10, 2026

With the default argument now set to Verification::InternalConsistency, building with ET_ENABLE_PROGRAM_VERIFICATION=0 (or equivalent build option) will make Program::load(loader) fail with Error::NotSupported unless callers explicitly pass Verification::Minimal. If the goal is that space-constrained builds can "opt out" purely via the build flag, consider making the default conditional on ET_ENABLE_PROGRAM_VERIFICATION (or introducing a "Default" mode) or documenting this behavior prominently.

@lucylq lucylq changed the title Enforce flatbuffer verification [wip] Enforce flatbuffer verification Apr 10, 2026
Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. security-fix

2 participants