KEMBAR78
Fix weights_only for BUILD instructions for user allowlisted objects with __slots__ by mikaylagawarecki · Pull Request #138936 · pytorch/pytorch · GitHub
Skip to content

Fix weights_only for BUILD instructions for user allowlisted objects with __slots__ #138936

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

Fix weights_only for BUILD instructions for user allowlisted objects with __slots__ #138936

wants to merge 4 commits into from

Conversation

@mikaylagawarecki
Copy link
Contributor

@mikaylagawarecki mikaylagawarecki commented Oct 25, 2024
edited
Loading

Previously BUILD instruction missed handling for __slots__. This only applies for things allowlisted via add_safe_globals/safe_globals that use slots.

Background

When does pickle serialize a BUILD instruction? When state is not None and state_setter is None [link]. In this case, the docs tell us that either __setstate__ or a __dict__ update will be performed [link]

__reduce__/__reduce_ex__ are expected to return tuples of length 2 to 6 where state is the 3rd argument. When user doesn't patch __reduce__ but patches __setstate__/__getstate__, state will be what is yielded by __getstate__

Note the return type for __getstate__

  • For a class that has no instance __dict__ and no __slots__, the default state is None.
  • For a class that has an instance __dict__ and no __slots__, the default state is self.__dict__.
  • For a class that has an instance __dict__ and __slots__, the default state is a tuple consisting of two dictionaries: self.__dict__, and a dictionary mapping slot names to slot values. Only slots that have a value are included in the latter.
  • For a class that has __slots__ and no instance __dict__, the default state is a tuple whose first item is None and whose second item is a dictionary mapping slot names to slot values described in the previous bullet.

see handling in pickle code https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L1846-L1867

Before this PR, we didn't account for the fact that when __setstate__ is not defined, state might be a tuple so this would fail

from dataclasses import dataclass

# Define the dataclass
@dataclass
class MyDataClass:
    __slots__ = ["x", "y"]
    x: int
    y: str
# Create an instance of the dataclass
my_data = MyDataClass(x=2, y=3)
# Save the dataclass to a file
torch.save(my_data, "my_data.pt")
with torch.serialization.safe_globals([MyDataClass]):
    loaded_my_data = torch.load("my_data.pt", weights_only=True)
# AttributeError: 'MyDataClass' object has no attribute '__dict__'

Stack from ghstack (oldest at bottom):

@mikaylagawarecki mikaylagawarecki mentioned this pull request Oct 25, 2024
Closed
@pytorch-bot
Copy link

pytorch-bot bot commented Oct 25, 2024
edited
Loading

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/138936

Note: Links to docs will display an error until the docs builds have been completed.

✅ No Failures

As of commit 96123eb with merge base 73fde0d (image):
💚 Looks good so far! There are no failures yet. 💚

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@mikaylagawarecki mikaylagawarecki mentioned this pull request Oct 25, 2024
Closed
@mikaylagawarecki mikaylagawarecki added release notes: python_frontend python frontend release notes category topic: bug fixes topic category labels Oct 25, 2024
@mikaylagawarecki
Update on "Fix weights_only for BUILD instructions with __slots__"
15c6048 
Previously BUILD instruction missed handling for `__slots__`

see handling in pickle code https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L1846-L1867

e.g.

```python
from dataclasses import dataclass

# Define the dataclass
dataclass
class MyDataClass:
    __slots__ = ["x", "y"]
    x: int
    y: str
# Create an instance of the dataclass
my_data = MyDataClass(x=2, y=3)
# Save the dataclass to a file
torch.save(my_data, "my_data.pt")
with torch.serialization.safe_globals([MyDataClass]):
    loaded_my_data = torch.load("my_data.pt", weights_only=True)
# AttributeError: 'MyDataClass' object has no attribute '__dict__'
```






[ghstack-poisoned]
@mikaylagawarecki mikaylagawarecki mentioned this pull request Oct 28, 2024
Closed
@mikaylagawarecki
Update on "Fix weights_only for BUILD instructions with __slots__"
0a00140 
Previously `BUILD` instruction missed handling for `__slots__`.

### Background
When does pickle serialize a `BUILD` instruction? When `state` is not `None` and `state_setter` is `None` [[link](https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L765)]

`__reduce__`/`__reduce_ex__` are expected to return tuples of length 2 to 6 where `state` is the 3rd argument.

Note the return type for [`__getstate__` ](https://docs.python.org/3/library/pickle.html#object.__getstate__)

- For a class that has no instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and no [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is None.
- For a class that has an instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and no [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is `self.__dict__`.
- For a class that has an instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is a tuple consisting of two dictionaries: `self.__dict__`, and a dictionary mapping slot names to slot values. Only slots that have a value are included in the latter.
- For a class that has [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__) and no instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__), the default state is a tuple whose first item is None and whose second item is a dictionary mapping slot names to slot values described in the previous bullet.

see handling in pickle code https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L1846-L1867

Before this PR, this would fail

```python
from dataclasses import dataclass

# Define the dataclass
dataclass
class MyDataClass:
    __slots__ = ["x", "y"]
    x: int
    y: str
# Create an instance of the dataclass
my_data = MyDataClass(x=2, y=3)
# Save the dataclass to a file
torch.save(my_data, "my_data.pt")
with torch.serialization.safe_globals([MyDataClass]):
    loaded_my_data = torch.load("my_data.pt", weights_only=True)
# AttributeError: 'MyDataClass' object has no attribute '__dict__'
```






[ghstack-poisoned]
@mikaylagawarecki mikaylagawarecki changed the title Fix weights_only for BUILD instructions with __slots__ Fix weights_only for BUILD instructions for user allowlisted objects with __slots__ Oct 29, 2024
This was referenced Oct 29, 2024
Closed
Closed
Closed
malfet
malfet reviewed Oct 31, 2024
View reviewed changes
@mikaylagawarecki
Update on "Fix weights_only for BUILD instructions for user allowlist…
96123eb 
…ed objects with __slots__"

Previously `BUILD` instruction missed handling for `__slots__`. **This only applies for things allowlisted via `add_safe_globals`/`safe_globals` that use slots.**

### Background
When does pickle serialize a `BUILD` instruction? When `state` is not `None` and `state_setter` is `None` [[link](https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L765)]. In this case, the docs tell us that either `__setstate__` or a `__dict__` update will be performed [[link](https://github.com/python/cpython/blob/3.13/Lib/pickletools.py#L1984)]

`__reduce__`/`__reduce_ex__` are expected to return tuples of length 2 to 6 where `state` is the 3rd argument. When user doesn't patch `__reduce__` but patches `__setstate__`/`__getstate__`, state will be what is yielded by `__getstate__`

Note the return type for [`__getstate__` ](https://docs.python.org/3/library/pickle.html#object.__getstate__)

- For a class that has no instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and no [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is None.
- For a class that has an instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and no [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is `self.__dict__`.
- For a class that has an instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is a tuple consisting of two dictionaries: `self.__dict__`, and a dictionary mapping slot names to slot values. Only slots that have a value are included in the latter.
- For a class that has [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__) and no instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__), the default state is a tuple whose first item is None and whose second item is a dictionary mapping slot names to slot values described in the previous bullet.

see handling in pickle code https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L1846-L1867

Before this PR, we didn't account for the fact that when `__setstate__` is not defined, `state` might be a tuple so this would fail

```python
from dataclasses import dataclass

# Define the dataclass
dataclass
class MyDataClass:
    __slots__ = ["x", "y"]
    x: int
    y: str
# Create an instance of the dataclass
my_data = MyDataClass(x=2, y=3)
# Save the dataclass to a file
torch.save(my_data, "my_data.pt")
with torch.serialization.safe_globals([MyDataClass]):
    loaded_my_data = torch.load("my_data.pt", weights_only=True)
# AttributeError: 'MyDataClass' object has no attribute '__dict__'
```






[ghstack-poisoned]
@mikaylagawarecki mikaylagawarecki mentioned this pull request Oct 31, 2024
Closed
malfet
malfet approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@malfet malfet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@malfet
Copy link
Contributor

malfet commented Oct 31, 2024

@pytorchbot merge

@pytorch-bot pytorch-bot bot added the ciflow/trunk Trigger trunk jobs on your pull request label Oct 31, 2024
@pytorchmergebot
Copy link
Collaborator

Merge started

Your change will be merged once all checks pass (ETA 0-4 Hours).

Learn more about merging in the wiki.

Questions? Feedback? Please reach out to the PyTorch DevX Team

Advanced Debugging
Check the merge workflow status
here

pytorchmergebot pushed a commit that referenced this pull request Nov 1, 2024
@mikaylagawarecki @pytorchmergebot
Add utility to get all unsafe globals in checkpoint (no pickletools d…
ea0e09b 
…ependency) (#139221)

Fixes #129698

#139106 without pickletools

Pull Request resolved: #139221
Approved by: https://github.com/malfet
ghstack dependencies: #138936
pytorchmergebot pushed a commit that referenced this pull request Nov 1, 2024
@mikaylagawarecki @pytorchmergebot
Add section to serialization note re weights_only (#139433)
a979318 
Pull Request resolved: #139433
Approved by: https://github.com/malfet
ghstack dependencies: #138936, #139221
@mikaylagawarecki mikaylagawarecki mentioned this pull request Nov 2, 2024
Closed
pytorchmergebot pushed a commit that referenced this pull request Nov 4, 2024
@mikaylagawarecki @pytorchmergebot
Remove hasattr(__slots__) for BUILD logic in weights_only unpickler (#…
f55dfbc 
…139541)

This is tested in PR stacked above in

```python
python test/distributed/fsdp/test_fsdp_state_dict.py TestFSDPStateDict.test_torch_save_load
```

We cannot depend on whether `hasattr(..., __slots__)` to know whether a BUILD instruction has slotstate. For example, if a class subclasses ABC `hasattr(__slots__)` will be `True` but there might be no slots (and hence `state` will not be a tuple). So revert #138936 to following the pickle library's code

```python

>>> from abc import ABC
>>> hasattr(ABC, "__slots__")
True
```

So

```python
import torch
from abc import ABC
from dataclasses import dataclass

class Foo(ABC):
    pass

class FooWrapper(Foo):
    def __init__(self, x, y):
        self.x = x
        self.y = y

f = FooWrapper(1, 2)
torch.save(f, "temp.pt")
with torch.serialization.safe_globals([FooWrapper]):
    torch.load("temp.pt")
```

Would fail on the previous code with
```
File "/data/users/mg1998/pytorch/torch/serialization.py", line 1934, in _load
    result = unpickler.load()
  File "/data/users/mg1998/pytorch/torch/_weights_only_unpickler.py", line 366, in load
    for k, v in slotstate.items():
```

As there is actually no slotstate

Pull Request resolved: #139541
Approved by: https://github.com/malfet
ghstack dependencies: #138936, #139221, #139433
pytorchmergebot pushed a commit that referenced this pull request Nov 4, 2024
@mikaylagawarecki @pytorchmergebot
Flip default on weights_only (#137602)
ca43ecd 
Pull Request resolved: #137602
Approved by: https://github.com/malfet, https://github.com/albanD
ghstack dependencies: #138936, #139221, #139433, #139541
pytorchmergebot pushed a commit that referenced this pull request Nov 4, 2024
@mikaylagawarecki @pytorchmergebot
[BE] Change _marked_safe_globals_list to set (#139303)
e947649 
Prevent same global from being added multiple times

Pull Request resolved: #139303
Approved by: https://github.com/janeyx99
ghstack dependencies: #138936, #139221, #139433, #139541, #137602
rahulsingh-intel pushed a commit to rahulsingh-intel/pytorch that referenced this pull request Nov 5, 2024
@mikaylagawarecki @rahulsingh-intel
Fix weights_only for BUILD instructions for user allowlisted objects …
ddf5ac4 
…with __slots__ (pytorch#138936)

Previously `BUILD` instruction missed handling for `__slots__`. **This only applies for things allowlisted via `add_safe_globals`/`safe_globals` that use slots.**

### Background
When does pickle serialize a `BUILD` instruction? When `state` is not `None` and `state_setter` is `None` [[link](https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L765)]. In this case, the docs tell us that either `__setstate__` or a `__dict__` update will be performed [[link](https://github.com/python/cpython/blob/3.13/Lib/pickletools.py#L1984)]

`__reduce__`/`__reduce_ex__` are expected to return tuples of length 2 to 6 where `state` is the 3rd argument. When user doesn't patch `__reduce__` but patches `__setstate__`/`__getstate__`, state will be what is yielded by `__getstate__`

Note the return type for [`__getstate__` ](https://docs.python.org/3/library/pickle.html#object.__getstate__)

- For a class that has no instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and no [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is None.
- For a class that has an instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and no [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is `self.__dict__`.
- For a class that has an instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__) and [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__), the default state is a tuple consisting of two dictionaries: `self.__dict__`, and a dictionary mapping slot names to slot values. Only slots that have a value are included in the latter.
- For a class that has [`__slots__`](https://docs.python.org/3/reference/datamodel.html#object.__slots__) and no instance [`__dict__`](https://docs.python.org/3/reference/datamodel.html#object.__dict__), the default state is a tuple whose first item is None and whose second item is a dictionary mapping slot names to slot values described in the previous bullet.

see handling in pickle code https://github.com/python/cpython/blob/c5b99f5c2c5347d66b9da362773969c531fb6c85/Lib/pickle.py#L1846-L1867

Before this PR, we didn't account for the fact that when `__setstate__` is not defined, `state` might be a tuple so this would fail

```python
from dataclasses import dataclass

# Define the dataclass
@DataClass
class MyDataClass:
    __slots__ = ["x", "y"]
    x: int
    y: str
# Create an instance of the dataclass
my_data = MyDataClass(x=2, y=3)
# Save the dataclass to a file
torch.save(my_data, "my_data.pt")
with torch.serialization.safe_globals([MyDataClass]):
    loaded_my_data = torch.load("my_data.pt", weights_only=True)
# AttributeError: 'MyDataClass' object has no attribute '__dict__'
```

Pull Request resolved: pytorch#138936
Approved by: https://github.com/malfet
rahulsingh-intel pushed a commit to rahulsingh-intel/pytorch that referenced this pull request Nov 5, 2024
@mikaylagawarecki @rahulsingh-intel
Add utility to get all unsafe globals in checkpoint (no pickletools d…
02f806e 
…ependency) (pytorch#139221)

Fixes pytorch#129698

pytorch#139106 without pickletools

Pull Request resolved: pytorch#139221
Approved by: https://github.com/malfet
ghstack dependencies: pytorch#138936
rahulsingh-intel pushed a commit to rahulsingh-intel/pytorch that referenced this pull request Nov 5, 2024
@mikaylagawarecki @rahulsingh-intel
Add section to serialization note re weights_only (pytorch#139433)
4a29fbf 
Pull Request resolved: pytorch#139433
Approved by: https://github.com/malfet
ghstack dependencies: pytorch#138936, pytorch#139221
@github-actions github-actions bot deleted the gh/mikaylagawarecki/278/head branch December 1, 2024 02:22
Esquains pushed a commit to Esquains/study1 that referenced this pull request Dec 15, 2024
@mikaylagawarecki
Fix weights_only for BUILD instructions with __slots__
0c66870 
ghstack-source-id: 9e12002
Pull Request resolved: pytorch/pytorch#138936
@Archana-Shinde1 Archana-Shinde1 mentioned this pull request May 5, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@malfet malfet malfet approved these changes

@albanD albanD Awaiting requested review from albanD

Assignees

No one assigned

Labels

ciflow/trunk Trigger trunk jobs on your pull request Merged release notes: python_frontend python frontend release notes category topic: bug fixes topic category

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mikaylagawarecki @malfet @pytorchmergebot