From effe1425dd698dda2497e9ce25f5c1655b33ecc4 Mon Sep 17 00:00:00 2001 From: Aleksei Nikiforov Date: Mon, 15 May 2023 15:32:05 +0000 Subject: [PATCH] ASAN: fix use-after-free (#101400) arguments() returns vector member of object returned by schema() call. When object returned by schema() call is destroyed, the vector is deallocated as well, it's lifetime isn't extended. This issue detected while running `pytest -v test/mobile/test_lite_script_type.py -k test_nest_typing_namedtuple_custom_classtype` with ASAN.
ASAN output ``` ==1134126==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0005a5790 at pc 0x03ff844488d8 bp 0x03fff584afe8 sp 0x03fff584afd8 READ of size 8 at 0x60d0005a5790 thread T0 #0 0x3ff844488d7 in __gnu_cxx::__normal_iterator > >::__normal_iterator(c10::Argument const* const&) /usr/lib/gcc/s390x-i bm-linux-gnu/11/include/g++-v11/bits/stl_iterator.h:1028 #1 0x3ff8444293f in std::vector >::begin() const /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/stl_vector.h:821 #2 0x3ff84d807d1 in torch::jit::toPyObject(c10::IValue) /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:617 #3 0x3ff84d80305 in torch::jit::toPyObject(c10::IValue) /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604 #4 0x3ff84856871 in pybind11::detail::type_caster::cast(c10::IValue, pybind11::return_value_policy, pybind11::handle) /home/user/pytorch/torch/csrc/jit/python/pybind.h:138 #5 0x3ff85318191 in pybind11::cpp_function::initialize(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_me thod const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::operator()(pybind11::detail::function_call&) const /home/user/pytorch/cmake/../third_party/pybin d11/include/pybind11/pybind11.h:249 #6 0x3ff85317cfd in pybind11::cpp_function::initialize(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_me thod const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::__invoke(pybind11::detail::function_call&) /home/user/pytorch/cmake/../third_party/pybind11/incl ude/pybind11/pybind11.h:224 #7 0x3ff82ee52e9 in pybind11::cpp_function::dispatcher(_object*, _object*, _object*) /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:929 #8 0x3ffab002903 in cfunction_call Objects/methodobject.c:543 #9 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215 #10 0x3ffaaf8e919 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112 #11 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #12 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #13 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #14 0x3ffab105447 in call_function Python/ceval.c:5891 #15 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181 #16 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #17 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #18 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #19 0x3ffaaf8a615 in _PyObject_FastCallDictTstate Objects/call.c:142 #20 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431 #21 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494 #22 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215 #23 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112 #24 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #25 0x3ffab105447 in call_function Python/ceval.c:5891 #26 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213 #27 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #28 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #29 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #30 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #31 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #32 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #33 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #34 0x3ffab105447 in call_function Python/ceval.c:5891 #35 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213 #36 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #37 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #38 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #39 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #40 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #41 0x3ffab105447 in call_function Python/ceval.c:5891 #42 0x3ffab0ff7d7 in _PyEval_EvalFrameDefault Python/ceval.c:4198 #43 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #44 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #45 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #46 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #47 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #48 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #49 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #50 0x3ffab105447 in call_function Python/ceval.c:5891 #51 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231 #52 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #53 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #54 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #55 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #56 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #57 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #58 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #59 0x3ffab105447 in call_function Python/ceval.c:5891 #60 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231 #61 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #62 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #63 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #64 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #65 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #66 0x3ffaaf8ab9b in PyVectorcall_Call Objects/call.c:267 #67 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290 #68 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317 #69 0x3ffab1059c7 in do_call_core Python/ceval.c:5943 #70 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277 #71 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #72 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #73 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #74 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153 #75 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431 #76 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494 #77 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215 #78 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112 #79 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #80 0x3ffab105447 in call_function Python/ceval.c:5891 #81 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231 #82 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #83 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #84 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #85 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #86 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #87 0x3ffab105447 in call_function Python/ceval.c:5891 #88 0x3ffab0ff7d7 in _PyEval_EvalFrameDefault Python/ceval.c:4198 #89 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #90 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #91 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #92 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255 #93 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290 #94 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317 #95 0x3ffab1059c7 in do_call_core Python/ceval.c:5943 #96 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277 #97 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #98 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #99 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #100 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #101 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #102 0x3ffab105447 in call_function Python/ceval.c:5891 #103 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181 #104 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #105 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #106 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #107 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #108 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #109 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #110 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #111 0x3ffab105447 in call_function Python/ceval.c:5891 #112 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181 #113 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #114 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #115 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #116 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153 #117 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431 #118 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494 #119 0x3ffaaf8ad17 in _PyObject_Call Objects/call.c:305 #120 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317 #121 0x3ffab1059c7 in do_call_core Python/ceval.c:5943 #122 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277 #123 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #124 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #125 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #126 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #127 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #128 0x3ffab105447 in call_function Python/ceval.c:5891 #129 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213 #130 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #131 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #132 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #133 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #134 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #135 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #136 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #137 0x3ffab105447 in call_function Python/ceval.c:5891 #138 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231 #139 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #140 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #141 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #142 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255 #143 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290 #144 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317 #145 0x3ffab1059c7 in do_call_core Python/ceval.c:5943 #146 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277 #147 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #148 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #149 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #150 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #151 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #152 0x3ffab105447 in call_function Python/ceval.c:5891 #153 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213 #154 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #155 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #156 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #157 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #158 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #159 0x3ffab105447 in call_function Python/ceval.c:5891 #160 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231 #161 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #162 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #163 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #164 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255 #165 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290 #166 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317 #167 0x3ffab1059c7 in do_call_core Python/ceval.c:5943 #168 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277 #169 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #170 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #171 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #172 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #173 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #174 0x3ffab105447 in call_function Python/ceval.c:5891 #175 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181 #176 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #177 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #178 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #179 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #180 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #181 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #182 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #183 0x3ffab105447 in call_function Python/ceval.c:5891 #184 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181 #185 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #186 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #187 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #188 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153 #189 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431 #190 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494 #191 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215 #192 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112 #193 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #194 0x3ffab105447 in call_function Python/ceval.c:5891 #195 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231 #196 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #197 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #198 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #199 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255 #200 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290 #201 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317 #202 0x3ffab1059c7 in do_call_core Python/ceval.c:5943 #203 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277 #204 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #205 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #206 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #207 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #208 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #209 0x3ffab105447 in call_function Python/ceval.c:5891 #210 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181 #211 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #212 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #213 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #214 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #215 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53 #216 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #216 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #217 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #218 0x3ffab105447 in call_function Python/ceval.c:5891 #219 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181 #220 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #221 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #222 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #223 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153 #224 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431 #225 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494 #226 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215 #227 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112 #228 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #229 0x3ffab105447 in call_function Python/ceval.c:5891 #230 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231 #231 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #232 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #233 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #234 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #235 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #236 0x3ffab105447 in call_function Python/ceval.c:5891 #237 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213 #238 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #239 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #240 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #241 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114 #242 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123 #243 0x3ffab105447 in call_function Python/ceval.c:5891 #244 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213 #245 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 #246 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065 #247 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342 #248 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255 #249 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290 0x60d0005a5790 is located 80 bytes inside of 136-byte region [0x60d0005a5740,0x60d0005a57c8) freed by thread T0 here: #0 0x3ffab537de5 in operator delete(void*) /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:160 #1 0x3ff55984fdb in __gnu_cxx::new_allocator, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:145 previously allocated by thread T0 here: #0 0x3ffab53734f in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:99 #1 0x3ff5598443f in __gnu_cxx::new_allocator, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:127 #2 0x3fff5849ecf ([stack]+0xb2ecf) SUMMARY: AddressSanitizer: heap-use-after-free /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/stl_iterator.h:1028 in __gnu_cxx::__normal_iterator > >::__normal_iterator(c10::Argument const* const&) Shadow bytes around the buggy address: 0x100c1a000b4aa0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x100c1a000b4ab0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x100c1a000b4ac0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd 0x100c1a000b4ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x100c1a000b4ae0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x100c1a000b4af0: fd fd[fd]fd fd fd fd fd fd fa fa fa fa fa fa fa 0x100c1a000b4b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1a000b4b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1a000b4b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1a000b4b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1a000b4b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1134126==ABORTING ``` Additional backtraces (not full): Allocation: ``` #0 __memset_z196 () at ../sysdeps/s390/memset-z900.S:144 #1 0x000003ff96f3072a in __asan::Allocator::Allocate (this=this@entry=0x3ff97041eb8 <__asan::instance>, size=size@entry=136, alignment=8, alignment@entry=0, stack=, stack@entry=0x3ffdbb45d78, alloc_type=, can_fill=true) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_allocator.cpp:599 #2 0x000003ff96f2c088 in __asan::asan_memalign (alignment=alignment@entry=0, size=size@entry=136, stack=stack@entry=0x3ffdbb45d78, alloc_type=alloc_type@entry=__asan::FROM_NEW) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_allocator.cpp:1039 #3 0x000003ff96fb73b0 in operator new (size=136) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:99 #4 0x000003ff41404440 in __gnu_cxx::new_allocator, (__gnu_cxx::_Lock_policy)2> >::allocate (this=0x3ffdbb468c0, __n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:127 #5 0x000003ff414042a0 in std::allocator_traits, (__gnu_cxx::_Lock_policy)2> > >::allocate (__a=..., __n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/alloc_traits.h:464 #6 0x000003ff41403b66 in std::__allocate_guarded, (__gnu_cxx::_Lock_policy)2> > > (__a=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/allocated_ptr.h:98 #7 0x000003ff4140372a in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count, std::__cxx11::basic_string, std::allocator > const&, std::__cxx11::basic_string, std::allocator >, std::vector >, std::vector > > (this=0x3ffdbb47888, __p=@0x3ffdbb47880: 0x0, __a=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:648 #8 0x000003ff41403328 in std::__shared_ptr::__shared_ptr, std::__cxx11::basic_string, std::allocator > const&, std::__cxx11::basic_string, std::allocator >, std::vector >, std::vector > > (this=0x3ffdbb47880, __tag=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1342 #9 0x000003ff41402f06 in std::shared_ptr::shared_ptr, std::__cxx11::basic_string, std::allocator > const&, std::__cxx11::basic_string, std::allocator >, std::vector >, std::vector > > ( this=0x3ffdbb47880, __tag=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:409 #10 0x000003ff41402b6e in std::allocate_shared, std::__cxx11::basic_string, std::allocator > const&, std::__cxx11::basic_string, std::allocator >, std::vector >, std::vector > > (__a=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:862 #11 0x000003ff4140215c in std::make_shared, std::allocator > const&, std::__cxx11::basic_string, std::allocator >, std::vector >, std::vector > > (__args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:878 #12 0x000003ff413d180c in c10::TupleType::createWithSpec > (qualName=..., field_names=std::vector of length 1, capacity 1 = {...}, field_types=std::vector of length 1, capacity 1 = {...}, field_defaults=std::vector of length 0, capacity 0) at /home/user/pytorch/aten/src/ATen/core/type.cpp:769 #13 0x000003ff413b9ca6 in c10::TupleType::createNamed (qualName=..., field_names=std::vector of length 1, capacity 1 = {...}, field_types=std::vector of length 1, capacity 1 = {...}) at /home/user/pytorch/aten/src/ATen/core/type.cpp:725 #14 0x000003ff4115fbac in c10::ivalue::TupleTypeFactory::fallback (type=...) at /home/user/pytorch/aten/src/ATen/core/dynamic_type.cpp:383 #15 0x000003ff708217fe in c10::ivalue::Tuple::type (this=0x6080004b8520) at /home/user/pytorch/aten/src/ATen/core/ivalue_inl.h:781 #16 0x000003ff70800740 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:613 #17 0x000003ff70800306 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604 #18 0x000003ff702d6872 in pybind11::detail::type_caster::cast (src=...) at /home/user/pytorch/torch/csrc/jit/python/pybind.h:138 #19 0x000003ff70d98192 in pybind11::cpp_function::initialize(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_method const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::operator()(pybind11::detail::function_call&) const (this=0x3ffdbb4ca20, call=...) at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:249 #20 0x000003ff70d97cfe in pybind11::cpp_function::initialize(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_method const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::__invoke(pybind11::detail::function_call&) (call=...) at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:224 #21 0x000003ff6e9652ea in pybind11::cpp_function::dispatcher (self=, args_in=(, (,)), kwargs_in=0x0) at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:929 ``` Deallocation: ``` #0 operator delete (ptr=0x60d0005a5740) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:160 #1 0x000003ff44904fdc in __gnu_cxx::new_allocator, (__gnu_cxx::_Lock_policy)2> >::deallocate (this=0x3ffc5dc8020, __p=0x60d0005a5740, __t=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:145 #2 0x000003ff44904fa8 in std::allocator_traits, (__gnu_cxx::_Lock_policy)2> > >::deallocate ( __a=..., __p=0x60d0005a5740, __n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/alloc_traits.h:496 #3 0x000003ff449041f2 in std::__allocated_ptr, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr ( this=0x3ffc5dc8030) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/allocated_ptr.h:74 #4 0x000003ff44904888 in std::_Sp_counted_ptr_inplace, (__gnu_cxx::_Lock_policy)2>::_M_destroy (this=0x60d0005a5740) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:538 #5 0x000003ff43895a62 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release (this=0x60d0005a5740) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:184 #6 0x000003ff43895420 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count (this=0x611000c40648) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:705 #7 0x000003ff4466e7f4 in std::__shared_ptr::~__shared_ptr (this=0x611000c40640) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1154 #8 0x000003ff4466d820 in std::shared_ptr::~shared_ptr (this=0x611000c40640) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:122 #9 0x000003ff448d82f6 in c10::TupleType::~TupleType (this=0x611000c40580) at /home/user/pytorch/aten/src/ATen/core/jit_type.h:1142 #10 0x000003ff448d8346 in c10::TupleType::~TupleType (this=0x611000c40580) at /home/user/pytorch/aten/src/ATen/core/jit_type.h:1142 #11 0x000003ff731296a4 in std::_Sp_counted_ptr::_M_dispose (this=0x603000c43ae0) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:348 #12 0x000003ff71eaf666 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release (this=0x603000c43ae0) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:168 #13 0x000003ff71eaf330 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count (this=0x3ffc5dc9368) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:705 #14 0x000003ff73129ee4 in std::__shared_ptr::~__shared_ptr (this=0x3ffc5dc9360) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1154 #15 0x000003ff73122390 in std::shared_ptr::~shared_ptr (this=0x3ffc5dc9360) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:122 #16 0x000003ff73d00788 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:613 #17 0x000003ff73d00306 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604 ```
Pull Request resolved: https://github.com/pytorch/pytorch/pull/101400 Approved by: https://github.com/zou3519 --- torch/csrc/jit/python/pybind_utils.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/torch/csrc/jit/python/pybind_utils.cpp b/torch/csrc/jit/python/pybind_utils.cpp index d6521caa38e30..bed44f7763a07 100644 --- a/torch/csrc/jit/python/pybind_utils.cpp +++ b/torch/csrc/jit/python/pybind_utils.cpp @@ -609,8 +609,7 @@ py::object toPyObject(IValue ivalue) { !tuple->type()->schema()->name().empty()) { auto unqualName = tuple->type()->name()->name(); - const std::vector& tuple_args = - tuple->type()->schema()->arguments(); + std::vector tuple_args = tuple->type()->schema()->arguments(); std::vector defaults; auto it = std::find_if(