ASAN: fix use-after-free (#101400) · chunyuan-w/pytorch@effe142

Commit

ASAN: fix use-after-free (pytorch#101400)
arguments() returns vector member of object returned by schema() call.
When object returned by schema() call is destroyed, the vector is deallocated as well,
it's lifetime isn't extended.

This issue detected while running `pytest -v test/mobile/test_lite_script_type.py -k test_nest_typing_namedtuple_custom_classtype` with ASAN.

<details>
<summary>ASAN output</summary>

```
==1134126==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0005a5790 at pc 0x03ff844488d8 bp 0x03fff584afe8 sp 0x03fff584afd8
READ of size 8 at 0x60d0005a5790 thread T0
    #0 0x3ff844488d7 in __gnu_cxx::__normal_iterator<c10::Argument const*, std::vector<c10::Argument, std::allocator<c10::Argument> > >::__normal_iterator(c10::Argument const* const&) /usr/lib/gcc/s390x-i
bm-linux-gnu/11/include/g++-v11/bits/stl_iterator.h:1028
    #1 0x3ff8444293f in std::vector<c10::Argument, std::allocator<c10::Argument> >::begin() const /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/stl_vector.h:821
    #2 0x3ff84d807d1 in torch::jit::toPyObject(c10::IValue) /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:617
    #3 0x3ff84d80305 in torch::jit::toPyObject(c10::IValue) /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604
    #4 0x3ff84856871 in pybind11::detail::type_caster<c10::IValue, void>::cast(c10::IValue, pybind11::return_value_policy, pybind11::handle) /home/user/pytorch/torch/csrc/jit/python/pybind.h:138
    #5 0x3ff85318191 in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is
_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_me
thod const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::operator()(pybind11::detail::function_call&) const /home/user/pytorch/cmake/../third_party/pybin
d11/include/pybind11/pybind11.h:249
    pytorch#6 0x3ff85317cfd in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is
_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_me
thod const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::__invoke(pybind11::detail::function_call&) /home/user/pytorch/cmake/../third_party/pybind11/incl
ude/pybind11/pybind11.h:224
    pytorch#7 0x3ff82ee52e9 in pybind11::cpp_function::dispatcher(_object*, _object*, _object*) /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:929
    pytorch#8 0x3ffab002903 in cfunction_call Objects/methodobject.c:543
    pytorch#9 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
    pytorch#10 0x3ffaaf8e919 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    pytorch#11 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#12 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#13 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#14 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#15 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
    pytorch#16 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#17 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#18 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#19 0x3ffaaf8a615 in _PyObject_FastCallDictTstate Objects/call.c:142
    pytorch#20 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
    pytorch#21 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
    pytorch#22 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
    pytorch#23 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    pytorch#24 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#25 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#26 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
    pytorch#27 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#28 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#29 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#30 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#31 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#32 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#33 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#34 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#35 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
    pytorch#36 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#37 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#38 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#39 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#40 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#41 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#42 0x3ffab0ff7d7 in _PyEval_EvalFrameDefault Python/ceval.c:4198
    pytorch#43 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#44 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#45 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#46 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#47 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#48 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#49 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#50 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#51 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
    pytorch#52 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#53 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#54 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#55 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#56 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#57 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#58 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#59 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#60 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
    pytorch#61 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#62 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#63 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#64 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#65 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#66 0x3ffaaf8ab9b in PyVectorcall_Call Objects/call.c:267
    pytorch#67 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
    pytorch#68 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
    pytorch#69 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
    pytorch#70 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
    pytorch#71 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#72 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#73 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#74 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
    pytorch#75 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
    pytorch#76 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
    pytorch#77 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
    pytorch#78 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    pytorch#79 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#80 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#81 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
    pytorch#82 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#83 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#84 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#85 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#86 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#87 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#88 0x3ffab0ff7d7 in _PyEval_EvalFrameDefault Python/ceval.c:4198
    pytorch#89 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#90 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#91 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#92 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
    pytorch#93 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
    pytorch#94 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
    pytorch#95 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
    pytorch#96 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
    pytorch#97 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#98 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#99 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#100 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#101 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#102 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#103 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
    pytorch#104 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#105 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#106 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#107 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#108 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#109 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#110 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#111 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#112 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
    pytorch#113 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#114 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#115 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#116 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
    pytorch#117 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
    pytorch#118 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
    pytorch#119 0x3ffaaf8ad17 in _PyObject_Call Objects/call.c:305
    pytorch#120 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
    pytorch#121 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
    pytorch#122 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
    pytorch#123 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#124 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#125 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#126 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#127 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#128 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#129 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
    pytorch#130 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#131 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#132 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#133 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#134 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#135 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#136 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#137 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#138 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
    pytorch#139 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#140 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#141 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#142 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
    pytorch#143 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
    pytorch#144 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
    pytorch#145 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
    pytorch#146 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
    pytorch#147 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#148 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#149 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#150 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#151 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#152 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#153 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
    pytorch#154 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#155 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#156 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#157 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#158 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#159 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#160 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
    pytorch#161 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#162 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#163 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#164 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
    pytorch#165 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
    pytorch#166 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
    pytorch#167 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
    pytorch#168 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
    pytorch#169 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#170 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#171 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#172 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#173 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#174 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#175 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
    pytorch#176 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#177 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#178 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#179 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#180 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#181 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#182 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#183 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#184 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
    pytorch#185 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#186 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#187 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#188 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
    pytorch#189 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
    pytorch#190 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
    pytorch#191 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
    pytorch#192 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    pytorch#193 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#194 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#195 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
    pytorch#196 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#197 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#198 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#199 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
    pytorch#200 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
    pytorch#201 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
    pytorch#202 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
    pytorch#203 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
    pytorch#204 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#205 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#206 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#207 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#208 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#209 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#210 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
    pytorch#211 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#212 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#213 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#214 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#215 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
    pytorch#216 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#216 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#217 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#218 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#219 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
    pytorch#220 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#221 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#222 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#223 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
    pytorch#224 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
    pytorch#225 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
    pytorch#226 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
    pytorch#227 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    pytorch#228 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#229 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#230 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
    pytorch#231 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#232 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#233 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#234 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#235 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#236 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#237 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
    pytorch#238 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#239 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#240 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#241 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
    pytorch#242 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
    pytorch#243 0x3ffab105447 in call_function Python/ceval.c:5891
    pytorch#244 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
    pytorch#245 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    pytorch#246 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
    pytorch#247 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
    pytorch#248 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
    pytorch#249 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290

0x60d0005a5790 is located 80 bytes inside of 136-byte region [0x60d0005a5740,0x60d0005a57c8)
freed by thread T0 here:
    #0 0x3ffab537de5 in operator delete(void*) /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:160
    #1 0x3ff55984fdb in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:145

previously allocated by thread T0 here:
    #0 0x3ffab53734f in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x3ff5598443f in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:127
    #2 0x3fff5849ecf  ([stack]+0xb2ecf)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/stl_iterator.h:1028 in __gnu_cxx::__normal_iterator<c10::Argument const*, std::vector<c10::Argument, std::allocator<c10::Argument> > >::__normal_iterator(c10::Argument const* const&)
Shadow bytes around the buggy address:
  0x100c1a000b4aa0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x100c1a000b4ab0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x100c1a000b4ac0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x100c1a000b4ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x100c1a000b4ae0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x100c1a000b4af0: fd fd[fd]fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x100c1a000b4b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100c1a000b4b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100c1a000b4b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100c1a000b4b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100c1a000b4b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1134126==ABORTING
```

Additional backtraces (not full):
Allocation:
```
#0  __memset_z196 () at ../sysdeps/s390/memset-z900.S:144
#1  0x000003ff96f3072a in __asan::Allocator::Allocate (this=this@entry=0x3ff97041eb8 <__asan::instance>, size=size@entry=136, alignment=8, alignment@entry=0, stack=<optimized out>,
    stack@entry=0x3ffdbb45d78, alloc_type=<optimized out>, can_fill=true) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_allocator.cpp:599
#2  0x000003ff96f2c088 in __asan::asan_memalign (alignment=alignment@entry=0, size=size@entry=136, stack=stack@entry=0x3ffdbb45d78, alloc_type=alloc_type@entry=__asan::FROM_NEW)
    at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_allocator.cpp:1039
#3  0x000003ff96fb73b0 in operator new (size=136) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:99
#4  0x000003ff41404440 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::allocate (this=0x3ffdbb468c0,
    __n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:127
#5  0x000003ff414042a0 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > >::allocate (__a=...,
    __n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/alloc_traits.h:464
pytorch#6  0x000003ff41403b66 in std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > > (__a=...)
    at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/allocated_ptr.h:98
pytorch#7  0x000003ff4140372a in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (this=0x3ffdbb47888, __p=@0x3ffdbb47880: 0x0, __a=..., __args=..., __args=..., __args=..., __args=...)
    at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:648
pytorch#8  0x000003ff41403328 in std::__shared_ptr<c10::FunctionSchema, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (this=0x3ffdbb47880, __tag=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1342
pytorch#9  0x000003ff41402f06 in std::shared_ptr<c10::FunctionSchema>::shared_ptr<std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (
    this=0x3ffdbb47880, __tag=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:409
pytorch#10 0x000003ff41402b6e in std::allocate_shared<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (__a=...,
    __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:862
pytorch#11 0x000003ff4140215c in std::make_shared<c10::FunctionSchema, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (__args=..., __args=..., __args=..., __args=...)
    at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:878
pytorch#12 0x000003ff413d180c in c10::TupleType::createWithSpec<c10::basic_string_view<char> > (qualName=..., field_names=std::vector of length 1, capacity 1 = {...},
    field_types=std::vector of length 1, capacity 1 = {...}, field_defaults=std::vector of length 0, capacity 0) at /home/user/pytorch/aten/src/ATen/core/type.cpp:769
pytorch#13 0x000003ff413b9ca6 in c10::TupleType::createNamed (qualName=..., field_names=std::vector of length 1, capacity 1 = {...}, field_types=std::vector of length 1, capacity 1 = {...})
    at /home/user/pytorch/aten/src/ATen/core/type.cpp:725
pytorch#14 0x000003ff4115fbac in c10::ivalue::TupleTypeFactory<c10::TupleType>::fallback (type=...) at /home/user/pytorch/aten/src/ATen/core/dynamic_type.cpp:383
pytorch#15 0x000003ff708217fe in c10::ivalue::Tuple::type<c10::TupleType> (this=0x6080004b8520) at /home/user/pytorch/aten/src/ATen/core/ivalue_inl.h:781
pytorch#16 0x000003ff70800740 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:613
pytorch#17 0x000003ff70800306 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604
pytorch#18 0x000003ff702d6872 in pybind11::detail::type_caster<c10::IValue, void>::cast (src=...) at /home/user/pytorch/torch/csrc/jit/python/pybind.h:138
pytorch#19 0x000003ff70d98192 in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_method const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::operator()(pybind11::detail::function_call&) const (this=0x3ffdbb4ca20, call=...)
    at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:249
pytorch#20 0x000003ff70d97cfe in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_method const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::__invoke(pybind11::detail::function_call&) (call=...)
    at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:224
pytorch#21 0x000003ff6e9652ea in pybind11::cpp_function::dispatcher (self=<PyCapsule at remote 0x3ff83e27720>,
    args_in=(<torch._C.LiteScriptModule at remote 0x3ff811844b0>, (<Tensor at remote 0x3ff814efb00>,)), kwargs_in=0x0) at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:929
```

Deallocation:
```
#0  operator delete (ptr=0x60d0005a5740) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:160
#1  0x000003ff44904fdc in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::deallocate (this=0x3ffc5dc8020,
    __p=0x60d0005a5740, __t=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:145
#2  0x000003ff44904fa8 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > >::deallocate (
    __a=..., __p=0x60d0005a5740, __n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/alloc_traits.h:496
#3  0x000003ff449041f2 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr (
    this=0x3ffc5dc8030) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/allocated_ptr.h:74
#4  0x000003ff44904888 in std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2>::_M_destroy (this=0x60d0005a5740)
    at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:538
#5  0x000003ff43895a62 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release (this=0x60d0005a5740) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:184
pytorch#6  0x000003ff43895420 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count (this=0x611000c40648) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:705
pytorch#7  0x000003ff4466e7f4 in std::__shared_ptr<c10::FunctionSchema, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0x611000c40640)
    at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1154
pytorch#8  0x000003ff4466d820 in std::shared_ptr<c10::FunctionSchema>::~shared_ptr (this=0x611000c40640) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:122
pytorch#9  0x000003ff448d82f6 in c10::TupleType::~TupleType (this=0x611000c40580) at /home/user/pytorch/aten/src/ATen/core/jit_type.h:1142
pytorch#10 0x000003ff448d8346 in c10::TupleType::~TupleType (this=0x611000c40580) at /home/user/pytorch/aten/src/ATen/core/jit_type.h:1142
pytorch#11 0x000003ff731296a4 in std::_Sp_counted_ptr<c10::TupleType*, (__gnu_cxx::_Lock_policy)2>::_M_dispose (this=0x603000c43ae0)
    at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:348
pytorch#12 0x000003ff71eaf666 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release (this=0x603000c43ae0) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:168
pytorch#13 0x000003ff71eaf330 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count (this=0x3ffc5dc9368) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:705
pytorch#14 0x000003ff73129ee4 in std::__shared_ptr<c10::TupleType, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0x3ffc5dc9360)
    at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1154
pytorch#15 0x000003ff73122390 in std::shared_ptr<c10::TupleType>::~shared_ptr (this=0x3ffc5dc9360) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:122
pytorch#16 0x000003ff73d00788 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:613
pytorch#17 0x000003ff73d00306 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604
```
</details>
Pull Request resolved: pytorch#101400
Approved by: https://github.com/zou3519
Loading branch information
AlekseiNikiforovIBM authored and pytorchmergebot committed May 15, 2023
1 parent 66eef31 commit effe142
torch/csrc/jit/python/pybind_utils.cpp
-Original file line number
+Diff line change
@@ Expand Up / @@ -609,8 +609,7 @@ py::object toPyObject(IValue ivalue) { @@
             !tuple->type()->schema()->name().empty()) {
           auto unqualName = tuple->type()->name()->name();
-          const std::vector<Argument>& tuple_args =
-              tuple->type()->schema()->arguments();
+          std::vector<Argument> tuple_args = tuple->type()->schema()->arguments();
           std::vector<pybind11::object> defaults;
           auto it = std::find_if(
@@ Expand Down @@
0 comments on commit `effe142`

Please sign in to comment.
Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Commit

There are no files selected for viewing

0 comments on commit `effe142`

Commit

There are no files selected for viewing

0 comments on commit effe142

0 comments on commit `effe142`
