Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ASAN: fix use-after-free (pytorch#101400)
arguments() returns vector member of object returned by schema() call.
When object returned by schema() call is destroyed, the vector is deallocated as well,
it's lifetime isn't extended.
This issue detected while running `pytest -v test/mobile/test_lite_script_type.py -k test_nest_typing_namedtuple_custom_classtype` with ASAN.
<details>
<summary>ASAN output</summary>
```
==1134126==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0005a5790 at pc 0x03ff844488d8 bp 0x03fff584afe8 sp 0x03fff584afd8
READ of size 8 at 0x60d0005a5790 thread T0
#0 0x3ff844488d7 in __gnu_cxx::__normal_iterator<c10::Argument const*, std::vector<c10::Argument, std::allocator<c10::Argument> > >::__normal_iterator(c10::Argument const* const&) /usr/lib/gcc/s390x-i
bm-linux-gnu/11/include/g++-v11/bits/stl_iterator.h:1028
#1 0x3ff8444293f in std::vector<c10::Argument, std::allocator<c10::Argument> >::begin() const /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/stl_vector.h:821
csarofeen#2 0x3ff84d807d1 in torch::jit::toPyObject(c10::IValue) /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:617
csarofeen#3 0x3ff84d80305 in torch::jit::toPyObject(c10::IValue) /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604
csarofeen#4 0x3ff84856871 in pybind11::detail::type_caster<c10::IValue, void>::cast(c10::IValue, pybind11::return_value_policy, pybind11::handle) /home/user/pytorch/torch/csrc/jit/python/pybind.h:138
csarofeen#5 0x3ff85318191 in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is
_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_me
thod const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::operator()(pybind11::detail::function_call&) const /home/user/pytorch/cmake/../third_party/pybin
d11/include/pybind11/pybind11.h:249
csarofeen#6 0x3ff85317cfd in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is
_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_me
thod const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::__invoke(pybind11::detail::function_call&) /home/user/pytorch/cmake/../third_party/pybind11/incl
ude/pybind11/pybind11.h:224
csarofeen#7 0x3ff82ee52e9 in pybind11::cpp_function::dispatcher(_object*, _object*, _object*) /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:929
csarofeen#8 0x3ffab002903 in cfunction_call Objects/methodobject.c:543
csarofeen#9 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
csarofeen#10 0x3ffaaf8e919 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
csarofeen#11 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#12 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#13 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#14 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#15 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
csarofeen#16 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#17 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#18 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#19 0x3ffaaf8a615 in _PyObject_FastCallDictTstate Objects/call.c:142
csarofeen#20 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
csarofeen#21 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
csarofeen#22 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
csarofeen#23 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
csarofeen#24 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#25 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#26 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
csarofeen#27 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#28 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#29 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#30 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#31 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#32 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#33 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#34 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#35 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
csarofeen#36 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#37 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#38 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#39 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#40 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#41 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#42 0x3ffab0ff7d7 in _PyEval_EvalFrameDefault Python/ceval.c:4198
csarofeen#43 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#44 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#45 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#46 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#47 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#48 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#49 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#50 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#51 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
csarofeen#52 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#53 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#54 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#55 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#56 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#57 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#58 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#59 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#60 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
csarofeen#61 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#62 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#63 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#64 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#65 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#66 0x3ffaaf8ab9b in PyVectorcall_Call Objects/call.c:267
csarofeen#67 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
csarofeen#68 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
csarofeen#69 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
csarofeen#70 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
csarofeen#71 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#72 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#73 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#74 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
csarofeen#75 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
csarofeen#76 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
csarofeen#77 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
csarofeen#78 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
csarofeen#79 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#80 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#81 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
csarofeen#82 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#83 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#84 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#85 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#86 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#87 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#88 0x3ffab0ff7d7 in _PyEval_EvalFrameDefault Python/ceval.c:4198
csarofeen#89 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#90 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#91 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#92 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
csarofeen#93 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
csarofeen#94 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
csarofeen#95 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
csarofeen#96 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
csarofeen#97 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#98 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#99 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#100 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#101 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#102 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#103 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
csarofeen#104 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#105 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#106 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#107 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#108 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#109 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#110 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#111 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#112 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
csarofeen#113 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#114 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#115 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#116 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
csarofeen#117 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
csarofeen#118 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
csarofeen#119 0x3ffaaf8ad17 in _PyObject_Call Objects/call.c:305
csarofeen#120 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
csarofeen#121 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
csarofeen#122 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
csarofeen#123 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#124 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#125 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#126 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#127 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#128 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#129 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
csarofeen#130 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#131 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#132 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#133 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#134 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#135 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#136 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#137 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#138 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
csarofeen#139 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#140 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#141 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#142 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
csarofeen#143 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
csarofeen#144 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
csarofeen#145 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
csarofeen#146 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
csarofeen#147 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#148 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#149 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#150 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#151 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#152 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#153 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
csarofeen#154 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#155 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#156 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#157 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#158 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#159 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#160 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
csarofeen#161 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#162 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#163 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#164 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
csarofeen#165 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
csarofeen#166 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
csarofeen#167 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
csarofeen#168 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
csarofeen#169 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#170 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#171 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#172 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#173 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#174 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#175 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
csarofeen#176 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#177 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#178 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#179 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#180 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#181 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#182 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#183 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#184 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
csarofeen#185 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#186 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#187 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#188 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
csarofeen#189 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
csarofeen#190 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
csarofeen#191 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
csarofeen#192 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
csarofeen#193 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#194 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#195 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
csarofeen#196 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#197 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#198 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#199 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
csarofeen#200 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
csarofeen#201 0x3ffaaf8ada9 in PyObject_Call Objects/call.c:317
csarofeen#202 0x3ffab1059c7 in do_call_core Python/ceval.c:5943
csarofeen#203 0x3ffab0ffd39 in _PyEval_EvalFrameDefault Python/ceval.c:4277
csarofeen#204 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#205 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#206 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#207 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#208 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#209 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#210 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
csarofeen#211 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#212 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#213 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#214 0x3ffaaf8e941 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#215 0x3ffaaf8eddd in method_vectorcall Objects/classobject.c:53
csarofeen#216 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#216 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#217 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#218 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#219 0x3ffab0ff779 in _PyEval_EvalFrameDefault Python/ceval.c:4181
csarofeen#220 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#221 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#222 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#223 0x3ffaaf8a695 in _PyObject_FastCallDictTstate Objects/call.c:153
csarofeen#224 0x3ffaaf8b271 in _PyObject_Call_Prepend Objects/call.c:431
csarofeen#225 0x3ffab03f307 in slot_tp_call Objects/typeobject.c:7494
csarofeen#226 0x3ffaaf8a933 in _PyObject_MakeTpCall Objects/call.c:215
csarofeen#227 0x3ffab0f0081 in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
csarofeen#228 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#229 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#230 0x3ffab0ffa57 in _PyEval_EvalFrameDefault Python/ceval.c:4231
csarofeen#231 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#232 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#233 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#234 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#235 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#236 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#237 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
csarofeen#238 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#239 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#240 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#241 0x3ffab0f00a9 in _PyObject_VectorcallTstate Include/cpython/abstract.h:114
csarofeen#242 0x3ffab0f013d in PyObject_Vectorcall Include/cpython/abstract.h:123
csarofeen#243 0x3ffab105447 in call_function Python/ceval.c:5891
csarofeen#244 0x3ffab0ff905 in _PyEval_EvalFrameDefault Python/ceval.c:4213
csarofeen#245 0x3ffab0f052b in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
csarofeen#246 0x3ffab102b67 in _PyEval_Vector Python/ceval.c:5065
csarofeen#247 0x3ffaaf8aec1 in _PyFunction_Vectorcall Objects/call.c:342
csarofeen#248 0x3ffaaf8ab15 in PyVectorcall_Call Objects/call.c:255
csarofeen#249 0x3ffaaf8ac65 in _PyObject_Call Objects/call.c:290
0x60d0005a5790 is located 80 bytes inside of 136-byte region [0x60d0005a5740,0x60d0005a57c8)
freed by thread T0 here:
#0 0x3ffab537de5 in operator delete(void*) /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:160
#1 0x3ff55984fdb in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:145
previously allocated by thread T0 here:
#0 0x3ffab53734f in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x3ff5598443f in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:127
csarofeen#2 0x3fff5849ecf ([stack]+0xb2ecf)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/stl_iterator.h:1028 in __gnu_cxx::__normal_iterator<c10::Argument const*, std::vector<c10::Argument, std::allocator<c10::Argument> > >::__normal_iterator(c10::Argument const* const&)
Shadow bytes around the buggy address:
0x100c1a000b4aa0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x100c1a000b4ab0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x100c1a000b4ac0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x100c1a000b4ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x100c1a000b4ae0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x100c1a000b4af0: fd fd[fd]fd fd fd fd fd fd fa fa fa fa fa fa fa
0x100c1a000b4b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100c1a000b4b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100c1a000b4b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100c1a000b4b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100c1a000b4b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1134126==ABORTING
```
Additional backtraces (not full):
Allocation:
```
#0 __memset_z196 () at ../sysdeps/s390/memset-z900.S:144
#1 0x000003ff96f3072a in __asan::Allocator::Allocate (this=this@entry=0x3ff97041eb8 <__asan::instance>, size=size@entry=136, alignment=8, alignment@entry=0, stack=<optimized out>,
stack@entry=0x3ffdbb45d78, alloc_type=<optimized out>, can_fill=true) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_allocator.cpp:599
csarofeen#2 0x000003ff96f2c088 in __asan::asan_memalign (alignment=alignment@entry=0, size=size@entry=136, stack=stack@entry=0x3ffdbb45d78, alloc_type=alloc_type@entry=__asan::FROM_NEW)
at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_allocator.cpp:1039
csarofeen#3 0x000003ff96fb73b0 in operator new (size=136) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:99
csarofeen#4 0x000003ff41404440 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::allocate (this=0x3ffdbb468c0,
__n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:127
csarofeen#5 0x000003ff414042a0 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > >::allocate (__a=...,
__n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/alloc_traits.h:464
csarofeen#6 0x000003ff41403b66 in std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > > (__a=...)
at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/allocated_ptr.h:98
csarofeen#7 0x000003ff4140372a in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (this=0x3ffdbb47888, __p=@0x3ffdbb47880: 0x0, __a=..., __args=..., __args=..., __args=..., __args=...)
at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:648
csarofeen#8 0x000003ff41403328 in std::__shared_ptr<c10::FunctionSchema, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (this=0x3ffdbb47880, __tag=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1342
csarofeen#9 0x000003ff41402f06 in std::shared_ptr<c10::FunctionSchema>::shared_ptr<std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (
this=0x3ffdbb47880, __tag=..., __args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:409
csarofeen#10 0x000003ff41402b6e in std::allocate_shared<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (__a=...,
__args=..., __args=..., __args=..., __args=...) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:862
csarofeen#11 0x000003ff4140215c in std::make_shared<c10::FunctionSchema, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::vector<c10::Argument, std::allocator<c10::Argument> >, std::vector<c10::Argument, std::allocator<c10::Argument> > > (__args=..., __args=..., __args=..., __args=...)
at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:878
csarofeen#12 0x000003ff413d180c in c10::TupleType::createWithSpec<c10::basic_string_view<char> > (qualName=..., field_names=std::vector of length 1, capacity 1 = {...},
field_types=std::vector of length 1, capacity 1 = {...}, field_defaults=std::vector of length 0, capacity 0) at /home/user/pytorch/aten/src/ATen/core/type.cpp:769
csarofeen#13 0x000003ff413b9ca6 in c10::TupleType::createNamed (qualName=..., field_names=std::vector of length 1, capacity 1 = {...}, field_types=std::vector of length 1, capacity 1 = {...})
at /home/user/pytorch/aten/src/ATen/core/type.cpp:725
csarofeen#14 0x000003ff4115fbac in c10::ivalue::TupleTypeFactory<c10::TupleType>::fallback (type=...) at /home/user/pytorch/aten/src/ATen/core/dynamic_type.cpp:383
csarofeen#15 0x000003ff708217fe in c10::ivalue::Tuple::type<c10::TupleType> (this=0x6080004b8520) at /home/user/pytorch/aten/src/ATen/core/ivalue_inl.h:781
csarofeen#16 0x000003ff70800740 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:613
csarofeen#17 0x000003ff70800306 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604
csarofeen#18 0x000003ff702d6872 in pybind11::detail::type_caster<c10::IValue, void>::cast (src=...) at /home/user/pytorch/torch/csrc/jit/python/pybind.h:138
csarofeen#19 0x000003ff70d98192 in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_method const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::operator()(pybind11::detail::function_call&) const (this=0x3ffdbb4ca20, call=...)
at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:249
csarofeen#20 0x000003ff70d97cfe in pybind11::cpp_function::initialize<torch::jit::initJitScriptBindings(_object*)::$_45, c10::IValue, torch::jit::mobile::Module&, pybind11::tuple const&, pybind11::name, pybind11::is_method, pybind11::sibling, pybind11::arg>(torch::jit::initJitScriptBindings(_object*)::$_45&&, c10::IValue (*)(torch::jit::mobile::Module&, pybind11::tuple const&), pybind11::name const&, pybind11::is_method const&, pybind11::sibling const&, pybind11::arg const&)::{lambda(pybind11::detail::function_call&)#1}::__invoke(pybind11::detail::function_call&) (call=...)
at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:224
csarofeen#21 0x000003ff6e9652ea in pybind11::cpp_function::dispatcher (self=<PyCapsule at remote 0x3ff83e27720>,
args_in=(<torch._C.LiteScriptModule at remote 0x3ff811844b0>, (<Tensor at remote 0x3ff814efb00>,)), kwargs_in=0x0) at /home/user/pytorch/cmake/../third_party/pybind11/include/pybind11/pybind11.h:929
```
Deallocation:
```
#0 operator delete (ptr=0x60d0005a5740) at /var/tmp/portage/sys-devel/gcc-11.3.1_p20230303/work/gcc-11-20230303/libsanitizer/asan/asan_new_delete.cpp:160
#1 0x000003ff44904fdc in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> >::deallocate (this=0x3ffc5dc8020,
__p=0x60d0005a5740, __t=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/ext/new_allocator.h:145
csarofeen#2 0x000003ff44904fa8 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > >::deallocate (
__a=..., __p=0x60d0005a5740, __n=1) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/alloc_traits.h:496
csarofeen#3 0x000003ff449041f2 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr (
this=0x3ffc5dc8030) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/allocated_ptr.h:74
csarofeen#4 0x000003ff44904888 in std::_Sp_counted_ptr_inplace<c10::FunctionSchema, std::allocator<c10::FunctionSchema>, (__gnu_cxx::_Lock_policy)2>::_M_destroy (this=0x60d0005a5740)
at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:538
csarofeen#5 0x000003ff43895a62 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release (this=0x60d0005a5740) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:184
csarofeen#6 0x000003ff43895420 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count (this=0x611000c40648) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:705
csarofeen#7 0x000003ff4466e7f4 in std::__shared_ptr<c10::FunctionSchema, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0x611000c40640)
at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1154
csarofeen#8 0x000003ff4466d820 in std::shared_ptr<c10::FunctionSchema>::~shared_ptr (this=0x611000c40640) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:122
csarofeen#9 0x000003ff448d82f6 in c10::TupleType::~TupleType (this=0x611000c40580) at /home/user/pytorch/aten/src/ATen/core/jit_type.h:1142
csarofeen#10 0x000003ff448d8346 in c10::TupleType::~TupleType (this=0x611000c40580) at /home/user/pytorch/aten/src/ATen/core/jit_type.h:1142
csarofeen#11 0x000003ff731296a4 in std::_Sp_counted_ptr<c10::TupleType*, (__gnu_cxx::_Lock_policy)2>::_M_dispose (this=0x603000c43ae0)
at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:348
csarofeen#12 0x000003ff71eaf666 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release (this=0x603000c43ae0) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:168
csarofeen#13 0x000003ff71eaf330 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count (this=0x3ffc5dc9368) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:705
csarofeen#14 0x000003ff73129ee4 in std::__shared_ptr<c10::TupleType, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0x3ffc5dc9360)
at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr_base.h:1154
csarofeen#15 0x000003ff73122390 in std::shared_ptr<c10::TupleType>::~shared_ptr (this=0x3ffc5dc9360) at /usr/lib/gcc/s390x-ibm-linux-gnu/11/include/g++-v11/bits/shared_ptr.h:122
csarofeen#16 0x000003ff73d00788 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:613
csarofeen#17 0x000003ff73d00306 in torch::jit::toPyObject (ivalue=...) at /home/user/pytorch/torch/csrc/jit/python/pybind_utils.cpp:604
```
</details>
Pull Request resolved: pytorch#101400
Approved by: https://github.com/zou3519- Loading branch information
1 parent
66eef31
commit effe142