KEMBAR78
C++ API `torch::nn:functional::_unpool_output_size`: Segfault by unknown memory access. · Issue #106702 · pytorch/pytorch · GitHub
Skip to content

C++ API torch::nn:functional::_unpool_output_size: Segfault by unknown memory access. #106702

New issue
New issue
Closed
Closed
C++ API torch::nn:functional::_unpool_output_size: Segfault by unknown memory access.#106702
Labels
actionablemodule: cppRelated to C++ APImodule: crashProblem manifests as a hard crash, as opposed to a RuntimeErrormodule: nnRelated to torch.nntriagedThis issue has been looked at a team member, and triaged and prioritized into an appropriate module
@Sehun0819

Description

@Sehun0819
Sehun0819
opened on Aug 7, 2023

🐛 Describe the bug

When the size of stride or padding is shorter than the size of kernel_size, torch::nn:functional::_unpool_output_size crashes.

Test code:

#include <stdint.h>
#include <stddef.h>
#include <c10/util/irange.h>
#include <cassert>
#include <torch/torch.h>

namespace F = torch::nn::functional;
using namespace torch::nn;

int main() {
  try {
    torch::TensorOptions toptions = torch::TensorOptions();

    auto result = F::_unpool_output_size(
      torch::randn({}, toptions),{0},{},{},{});
  } catch (std::exception& e) {
    return -2;
  }

  return 0;
}

Error log:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==702702==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000406ae7 bp 0x7ffc2be1c650 sp 0x7ffc2be1bfe0 T0)
==702702==The signal is caused by a READ memory access.
==702702==Hint: address points to the zero page.
    #0 0x406ae7 in torch::nn::functional::_unpool_output_size(at::Tensor const&, c10::ArrayRef<long> const&, c10::ArrayRef<long> const&, c10::ArrayRef<long> const&, c10::optional<std::vector<long, std::allocator<long> > > const&) /home/sehoon/pytorch/torch/csrc/api/include/torch/nn/functional/pooling.h:640:35
    #1 0x405a1a in main /home/sehoon/pytorch/test/cpp/reproduce/_unpool_output_size_bo.cpp:14:19
    #2 0x7ff876d66d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7ff876d66e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x4054a4 in _start (/home/sehoon/pytorch/build/bin/reproduce__unpool_output_size_bo+0x4054a4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/sehoon/pytorch/torch/csrc/api/include/torch/nn/functional/pooling.h:640:35 in torch::nn::functional::_unpool_output_size(at::Tensor const&, c10::ArrayRef<long> const&, c10::ArrayRef<long> const&, c10::ArrayRef<long> const&, c10::optional<std::vector<long, std::allocator<long> > > const&)
==702702==ABORTING

Error location:

  for (const auto d : c10::irange(kernel_size.size())) {
    default_size.push_back(
        (input_size[d + 2] - 1) * stride[d] + kernel_size[d] - 2 * padding[d]);
  }

Program crashed at stride[d] because stride.size() is zero. input_size[d+2] doesn't look safe as well, but I have no idea how it passed sanitizer.

Versions

PyTorch version: 2.1.0a0+git416bf4e
Is debug build: True
CUDA used to build PyTorch: Could not collect
ROCM used to build PyTorch: N/A

OS: Ubuntu 22.04.2 LTS (x86_64)
GCC version: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
Clang version: 12.0.1 (git@github.com:starlab-unist/llvm-project.git 82ccd79bfce79353c2bb4c1ab258ebfeb536a67d)
CMake version: version 3.26.4
Libc version: glibc-2.35

Python version: 3.9.17 (main, Jul 5 2023, 20:41:20) [GCC 11.2.0] (64-bit runtime)
Python platform: Linux-5.15.0-78-generic-x86_64-with-glibc2.35
Is CUDA available: False
CUDA runtime version: 11.7.99
CUDA_MODULE_LOADING set to: N/A
GPU models and configuration:
GPU 0: NVIDIA GeForce RTX 3090
GPU 1: NVIDIA GeForce RTX 3090
GPU 2: NVIDIA GeForce RTX 3090
GPU 3: NVIDIA GeForce RTX 3090

Nvidia driver version: 535.86.10
cuDNN version: Probably one of the following:
/usr/local/cuda-11.7/targets/x86_64-linux/lib/libcudnn.so.8.9.2
/usr/local/cuda-11.7/targets/x86_64-linux/lib/libcudnn_adv_infer.so.8.9.2
/usr/local/cuda-11.7/targets/x86_64-linux/lib/libcudnn_adv_train.so.8.9.2
/usr/local/cuda-11.7/targets/x86_64-linux/lib/libcudnn_cnn_infer.so.8.9.2
/usr/local/cuda-11.7/targets/x86_64-linux/lib/libcudnn_cnn_train.so.8.9.2
/usr/local/cuda-11.7/targets/x86_64-linux/lib/libcudnn_ops_infer.so.8.9.2
/usr/local/cuda-11.7/targets/x86_64-linux/lib/libcudnn_ops_train.so.8.9.2
HIP runtime version: N/A
MIOpen runtime version: N/A
Is XNNPACK available: True

CPU:
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 46 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 96
On-line CPU(s) list: 0-95
Vendor ID: GenuineIntel
Model name: Intel(R) Xeon(R) Gold 6248R CPU @ 3.00GHz
CPU family: 6
Model: 85
Thread(s) per core: 2
Core(s) per socket: 24
Socket(s): 2
Stepping: 7
CPU max MHz: 4000.0000
CPU min MHz: 1200.0000
BogoMIPS: 6000.00
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single intel_ppin ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb intel_pt avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts pku ospke avx512_vnni md_clear flush_l1d arch_capabilities
Virtualization: VT-x
L1d cache: 1.5 MiB (48 instances)
L1i cache: 1.5 MiB (48 instances)
L2 cache: 48 MiB (48 instances)
L3 cache: 71.5 MiB (2 instances)
NUMA node(s): 2
NUMA node0 CPU(s): 0-23,48-71
NUMA node1 CPU(s): 24-47,72-95
Vulnerability Itlb multihit: KVM: Mitigation: VMX disabled
Vulnerability L1tf: Not affected
Vulnerability Mds: Not affected
Vulnerability Meltdown: Not affected
Vulnerability Mmio stale data: Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Retbleed: Mitigation; Enhanced IBRS
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Enhanced IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
Vulnerability Srbds: Not affected
Vulnerability Tsx async abort: Mitigation; TSX disabled

Versions of relevant libraries:
[pip3] numpy==1.25.2
[pip3] torch==2.1.0a0+git416bf4e
[conda] mkl 2023.1.0 h6d00ec8_46342
[conda] mkl-include 2023.1.0 h06a4308_46342
[conda] numpy 1.25.2 pypi_0 pypi
[conda] torch 2.1.0a0+git416bf4e dev_0

cc @jbschlosser @albanD @mruberry @walterddr @mikaylagawarecki

Metadata

Metadata

Assignees

No one assigned

    Labels

    actionablemodule: cppRelated to C++ APImodule: crashProblem manifests as a hard crash, as opposed to a RuntimeErrormodule: nnRelated to torch.nntriagedThis issue has been looked at a team member, and triaged and prioritized into an appropriate module

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions