Allow BUILD/NEWOBJ instruction for items added via torch.serialization.add_safe_globals #129251
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Jun 21, 2024
🔗 Helpful Links🧪 See artifacts and rendered test results at hud.pytorch.org/pr/129251
Note: Links to docs will display an error until the docs builds have been completed. ✅ No FailuresAs of commit 5c9cdb3 with merge base 0acd09a ( This comment was automatically generated by Dr. CI and updates every 15 minutes. |
albanD
approved these changes
Jun 24, 2024
pytorchmergebot
pushed a commit
that referenced
this pull request
Jun 25, 2024
Also changes default for `weights_only` to `None` per comment below (hence the `suppress-bc-linter` tag) Pull Request resolved: #129239 Approved by: https://github.com 8000 /albanD ghstack dependencies: #129244, #129251
pytorchmergebot
pushed a commit
that referenced
this pull request
Jun 25, 2024
Pull Request resolved: #129396 Approved by: https://github.com/albanD ghstack dependencies: #129244, #129251, #129239
mikaylagawarecki
added a commit
to mikaylagawarecki/pytorch
that referenced
this pull request
Jun 25, 2024
…safe_globals ghstack-source-id: 34a8fc3 Pull Request resolved: pytorch#129251 (cherry picked from commit 50b888d)
atalman
pushed a commit
that referenced
this pull request
Jun 26, 2024
* Fix allowlisting of builtins for weights_only unpickler ghstack-source-id: de329c7 Pull Request resolved: #129244 (cherry picked from commit cc99c01) * Allow NEWOBJ instruction for items added via torch.serialization.add_safe_globals ghstack-source-id: 34a8fc3 Pull Request resolved: #129251 (cherry picked 8000 from commit 50b888d) * Add warning for weights_only ghstack-source-id: ffa772c Pull Request resolved: #129239 (cherry picked from commit b3f9aa3f8f4c03b40fed53423d4a0a9340e3bd09) * Add example for torch.serialization.add_safe_globals ghstack-source-id: 6dc3275 Pull Request resolved: #129396 (cherry picked from commit ed8c36eda0f4dcf7b1d9c5eb2fb1cdccdf3fee6e)
mikaylagawarecki
added a commit
to mikaylagawarecki/pytorch
that referenced
this pull request
Jun 26, 2024
…n.add_safe_globals (pytorch#129251) Previously, allowlisting functions/classes via `torch.serialization.add_safe_globals(obj)` for the `weights_only` Unpickler had the following effect: - For a [`GLOBAL`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L1926-L1939) instruction, `GLOBAL obj.__module__ obj.__name__` would be allowed and translated back to obj to be pushed back to the stack. - For a [`REDUCE`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L1926-L1982) instruction where we expect the stack to contain `func` and `args`, `func` is allowed if it was added via `add_safe_globals` However, it did not have an effect on `BUILD` and `NEWOBJ` instructions Some classes may be rebuilt via [`NEWOBJ`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L2091-L2104) instruction, which indicates that their constructor should be used to rebuild the class. Further, a [`BUILD`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L1984-L2007) instruction might be used if an object's `__reduce__`/`__reduce_ex__` returns a non-None value for `state`. Which indicates a `__setstate__` or `__dict__.update`. **This PR makes sure that adding objects to the allowlist will also allow `NEWOBJ` and `BUILD` instructions for them.** In particular, the update for `NEWOBJ` should unblock allowlisting of [`ScaledMMConfig`](https://github.com/pytorch-labs/float8_experimental/blob/d4ade877dff327ea7f51e91f7cc218ae956e8cfd/float8_experimental/float8_tensor.py#L26-L30) in float8_experimental @drisspg Pull Request resolved: pytorch#129251 Approved by: https://github.com/albanD ghstack dependencies: pytorch#129244
atalman
pushed a commit
that referenced
this pull request
Jun 27, 2024
* Fix allowlisting of builtins for weights_only unpickler (#129244) Since we use [`DEFAULT_PROTOCOL=2`](https://github.com/pytorch/pytorch/blob/main/torch/serialization.py#L62), some functions/classes that were renamed from python 2-->3 will be pickled with their python2 name. This PR ensures that when a mod `GLOBAL <python2_mod>.<python2_name> ` is encountered, [following the strategy used by pickle](https://github.com/python/cpython/blob/main/Lib/pickle.py#L1590C13-L1593C63) it is properly mapped to `<python3_mod>.<python3_name>`. This fix ensures that `add_safe_globals` works properly for such functions/classes (i.e. users will allowlist the python3 func and the weights_only unpickler will do the appropriate translation when checking whether a class was allowlisted). An example is as follows: `__builtin__` was named to `builtins`, see the [release notes for Python 3.0](https://docs.python.org/3/whatsnew/3.0.html) > Renamed module `__builtin__` to [`builtins`](https://docs.python.org/3/library/builtins.html#module-builtins) (removing the underscores, adding an ‘s’). The __builtins__ variable found in most global namespaces is unchanged. To modify a builtin, you should use [builtins](https://docs.python.org/3/library/builtins.html#module-builtins), not `__builtins__`! However, since we use [`DEFAULT_PROTOCOL=2`](https://github.com/pytorch/pytorch/blob/main/torch/serialization.py#L62), builtins will be pickled with their module string as `__builtin__`. ```python >>> import pickle >>> import pickletools >>> print.__module__ 'builtins' >>> with open('print.pkl', 'wb') as f: >>> pickle.dump(print, f, protocol=2) # 2 because this is the default protocol used by pytorch >>> with open('print.pkl', 'rb') as f: >>> pickletools.dis(f) 0: \x80 PROTO 2 2: c GLOBAL '__builtin__ print' # pickle saves the module string as __builtin__ !!! :( 21: q BINPUT 0 23: . STOP ``` Pull Request resolved: #129244 Approved by: https://github.com/albanD * Allow BUILD/NEWOBJ instruction for items added via torch.serialization.add_safe_globals (#129251) Previously, allowlisting functions/classes via `torch.serialization.add_safe_globals(obj)` for the `weights_only` Unpickler had the following effect: - For a [`GLOBAL`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L1926-L1939) instruction, `GLOBAL obj.__module__ obj.__name__` would be allowed and translated back to obj to be pushed back to the stack. - For a [`REDUCE`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L1926-L1982) instruction where we expect the stack to contain `func` and `args`, `func` is allowed if it was added via `add_safe_globals` However, it did not have an effect on `BUILD` and `NEWOBJ` instructions Some classes may be rebuilt via [`NEWOBJ`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L2091-L2104) instruction, which indicates that their constructor should be used to rebuild the class. Further, a [`BUILD`](https://github.com/python/cpython/blob/3.12/Lib/pickletools.py#L1984-L2007) instruction might be used if an object's `__reduce__`/`__reduce_ex__` returns a non-None value for `state`. Which indicates a `__setstate__` or `__dict__.update`. **This PR makes sure that adding objects to the allowlist will also allow `NEWOBJ` and `BUILD` instructions for them.** In particular, the update for `NEWOBJ` should unblock allowlisting of [`ScaledMMConfig`](https://github.com/pytorch-labs/float8_experimental/blob/d4ade877dff327ea7f51e91f7cc218ae956e8cfd/float8_experimental/float8_tensor.py#L26-L30) in float8_experimental @drisspg Pull Request resolved: #129251 Approved by: https://github.com/albanD ghstack dependencies: #129244 * Remove dependency on private _compat_pickle in CPython ghstack-source-id: 7d6ee40 Pull Request resolved: #129509
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, allowlisting functions/classes via
torch.serialization.add_safe_globals(obj)for theweights_onlyUnpickler had the following effect:GLOBALinstruction,GLOBAL obj.__module__ obj.__name__would be allowed and translated back to obj to be pushed back to the stack.REDUCEinstruction where we expect the stack to containfuncandargs,funcis allowed if it was added viaadd_safe_globalsHowever, it did not have an effect on
BUILDandNEWOBJinstructionsSome classes may be rebuilt via
NEWOBJinstruction, which indicates that their constructor should be used to rebuild the class.Further, a
BUILDinstruction might be used if an object's__reduce__/__reduce_ex__returns a non-None value forstate. Which indicates a__setstate__or__dict__.update.This PR makes sure that adding objects to the allowlist will also allow
NEWOBJandBUILDinstructions for them.In particular, the update for
NEWOBJshould unblock allowlisting ofScaledMMConfigin float8_experimental @drisspgcc @mrshenli @pritamdamania87 @zhaojuanmao @satgera @gqchen @aazzolini @osalpekar @jiayisuse @H-Huang @kwen2501 @awgu @penguinwu @fegin @XilunWu @wanchaol @fduwjj @wz337 @tianyu-l @wconstab @yf225 @chauhang @d4l3k @albanD
Stack from ghstack (oldest at bottom):