Commit45f3e20

mikaylagawarecki

authored and

pytorchmergebot

committed

Improve error message for weights_only load (#129705)

As@vmoens pointed out, the current error message does not make the "either/or" between setting `weights_only=False` and using `add_safe_globals` clear enough, and should print the code for the user to call `add_safe_globals`New formatting looks like suchIn the case that `add_safe_globals` can be used```python>>> import torch>>> from torch.testing._internal.two_tensor import TwoTensor>>> torch.save(TwoTensor(torch.randn(2), torch.randn(2)), "two_tensor.pt")>>> torch.load("two_tensor.pt", weights_only=True)Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/data/users/mg1998/pytorch/torch/serialization.py", line 1225, in load raise pickle.UnpicklingError(_get_wo_message(str(e))) from None_pickle.UnpicklingError: Weights only load failed. This file can still be loaded, to do so you have two options (1) Re-running `torch.load` with `weights_only` set to `False` will likely succeed, but it can result in arbitrary code execution. Do it only if you got the file from a trusted source. (2) Alternatively, to load with `weights_only=True` please check the recommended steps in the following error message. WeightsUnpickler error: Unsupported global: GLOBAL torch.testing._internal.two_tensor.TwoTensor was not an allowed global by default. Please use `torch.serialization.add_safe_globals([TwoTensor])` to allowlist this global if you trust this class/function.Check the documentation of torch.load to learn more about types accepted by default with weights_onlyhttps://pytorch.org/docs/stable/generated/torch.load.html.```For other issues (unsupported bytecode)```python>>> import torch>>> t = torch.randn(2, 3)>>> torch.save(t, "protocol_5.pt", pickle_protocol=5)>>> torch.load("protocol_5.pt", weights_only=True)/data/users/mg1998/pytorch/torch/_weights_only_unpickler.py:359: UserWarning: Detected pickle protocol 5 in the checkpoint, which was not the default pickle protocol used by `torch.load` (2). The weights_only Unpickler might not support all instructions implemented by this protocol, please file an issue for adding support if you encounter this. warnings.warn(Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/data/users/mg1998/pytorch/torch/serialization.py", line 1225, in load raise pickle.UnpicklingError(_get_wo_message(str(e))) from None_pickle.UnpicklingError: Weights only load failed. Re-running `torch.load` with `weights_only` set to `False` will likely succeed, but it can result in arbitrary code execution. Do it only if you got the file from a trusted source. Please file an issue with the following so that we can make `weights_only=True` compatible with your use case: WeightsUnpickler error: Unsupported operand 149Check the documentation of torch.load to learn more about types accepted by default with weights_onlyhttps://pytorch.org/docs/stable/generated/torch.load.html.```Old formatting would have been like:```pythonTraceback (most recent call last): File "<stdin>", line 1, in <module> File "/data/users/mg1998/pytorch/torch/serialization.py", line 1203, in load raise pickle.UnpicklingError(UNSAFE_MESSAGE + str(e)) from None_pickle.UnpicklingError: Weights only load failed. Re-running `torch.load` with `weights_only` set to `False` will likely succeed, but it can result in arbitrary code execution. Do it only if you get the file from a trusted source. Alternatively, to load with `weights_only` please check the recommended steps in the following error message. WeightsUnpickler error: Unsupported global: GLOBAL torch.testing._internal.two_tensor.TwoTensor was not an allowed global by default. Please use `torch.serialization.add_safe_globals` to allowlist this global if you trust this class/function.```Pull Requestresolved:#129705Approved by:https://github.com/albanD,https://github.com/vmoensghstack dependencies:#129239,#129396,#129509

1 parent99456a6 commit45f3e20Copy full SHA for 45f3e20

File tree

3 files changed

+47

-9

lines changed

test
- test_serialization.py
torch
- _weights_only_unpickler.py
- serialization.py

3 files changed

+47

-9

lines changed

`‎test/test_serialization.py‎`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1112,6 +1112,22 @@ def fake_set_state(obj, *args):`
`1112`	`1112`	`torch.serialization.clear_safe_globals()`
`1113`	`1113`	`ClassThatUsesBuildInstruction.__setstate__=None`
`1114`	`1114`
	`1115`	`+@parametrize("unsafe_global", [True,False])`
	`1116`	`+deftest_weights_only_error(self,unsafe_global):`
	`1117`	`+sd= {'t':TwoTensor(torch.randn(2),torch.randn(2))}`
	`1118`	`+pickle_protocol=torch.serialization.DEFAULT_PROTOCOLifunsafe_globalelse5`
	`1119`	`+withBytesIOContext()asf:`
	`1120`	`+torch.save(sd,f,pickle_protocol=pickle_protocol)`
	`1121`	`+f.seek(0)`
	`1122`	`+ifunsafe_global:`
	`1123`	`+withself.assertRaisesRegex(pickle.UnpicklingError,`
	`1124`	+r"use `torch.serialization.add_safe_globals\(\[TwoTensor\]\)` to allowlist"):
	`1125`	`+torch.load(f,weights_only=True)`
	`1126`	`+else:`
	`1127`	`+withself.assertRaisesRegex(pickle.UnpicklingError,`
	`1128`	+"file an issue with the following so that we can make `weights_only=True`"):
	`1129`	`+torch.load(f,weights_only=True)`
	`1130`	`+`
`1115`	`1131`	`@parametrize('weights_only', (False,True))`
`1116`	`1132`	`deftest_serialization_math_bits(self,weights_only):`
`1117`	`1133`	`t=torch.randn(1,dtype=torch.cfloat)`

`‎torch/_weights_only_unpickler.py‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -210,8 +210,8 @@ def load(self):`
`210`	`210`	`else:`
`211`	`211`	`raiseRuntimeError(`
`212`	`212`	`f"Unsupported global: GLOBAL{full_path} was not an allowed global by default. "`
`213`		-"Please use `torch.serialization.add_safe_globals` to allowlist this global "
`214`		`-"if you trust this class/function."`
	`213`	+f"Please use `torch.serialization.add_safe_globals([{name}])` to allowlist "
	`214`	`+"this globalif you trust this class/function."`
`215`	`215`	`)`
`216`	`216`	`elifkey[0]==NEWOBJ[0]:`
`217`	`217`	`args=self.stack.pop()`

`‎torch/serialization.py‎`

Lines changed: 29 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`importio`
`6`	`6`	`importos`
`7`	`7`	`importpickle`
	`8`	`+importre`
`8`	`9`	`importshutil`
`9`	`10`	`importstruct`
`10`	`11`	`importsys`
`@@ -1107,12 +1108,33 @@ def load(`
`1107`	`1108`	`"""`
`1108`	`1109`	`torch._C._log_api_usage_once("torch.load")`
`1109`	`1110`	`UNSAFE_MESSAGE= (`
`1110`		-"Weights only load failed. Re-running `torch.load` with `weights_only` set to `False`"
`1111`		`-" will likely succeed, but it can result in arbitrary code execution."`
`1112`		`-" Do it only if you get the file from a trusted source. Alternatively, to load"`
`1113`		-" with `weights_only` please check the recommended steps in the following error message."
`1114`		`-" WeightsUnpickler error: "`
	`1111`	+"Re-running `torch.load` with `weights_only` set to `False` will likely succeed, "
	`1112`	`+"but it can result in arbitrary code execution. Do it only if you got the file from a "`
	`1113`	`+"trusted source."`
`1115`	`1114`	`)`
	`1115`	`+DOCS_MESSAGE= (`
	`1116`	`+"\n\nCheck the documentation of torch.load to learn more about types accepted by default with "`
	`1117`	`+"weights_only https://pytorch.org/docs/stable/generated/torch.load.html."`
	`1118`	`+ )`
	`1119`	`+`
	`1120`	`+def_get_wo_message(message:str)->str:`
	`1121`	`+pattern=r"GLOBAL (\S+) was not an allowed global by default."`
	`1122`	`+has_unsafe_global=re.search(pattern,message)isnotNone`
	`1123`	`+ifhas_unsafe_global:`
	`1124`	`+updated_message= (`
	`1125`	`+"Weights only load failed. This file can still be loaded, to do so you have two options "`
	`1126`	+f"\n\t(1){UNSAFE_MESSAGE}\n\t(2) Alternatively, to load with `weights_only=True` please check "
	`1127`	`+"the recommended steps in the following error message.\n\tWeightsUnpickler error: "`
	`1128`	`++message`
	`1129`	`+ )`
	`1130`	`+else:`
	`1131`	`+updated_message= (`
	`1132`	`+f"Weights only load failed.{UNSAFE_MESSAGE}\n Please file an issue with the following "`
	`1133`	+"so that we can make `weights_only=True` compatible with your use case: WeightsUnpickler "
	`1134`	`+"error: "+message`
	`1135`	`+ )`
	`1136`	`+returnupdated_message+DOCS_MESSAGE`
	`1137`	`+`
`1116`	`1138`	`ifweights_onlyisNone:`
`1117`	`1139`	`weights_only,warn_weights_only=False,True`
`1118`	`1140`	`else:`
`@@ -1200,7 +1222,7 @@ def load(`
`1200`	`1222`	`**pickle_load_args,`
`1201`	`1223`	`)`
`1202`	`1224`	`exceptRuntimeErrorase:`
`1203`		`-raisepickle.UnpicklingError(UNSAFE_MESSAGE+str(e))fromNone`
	`1225`	`+raisepickle.UnpicklingError(_get_wo_message(str(e)))fromNone`
`1204`	`1226`	`return_load(`
`1205`	`1227`	`opened_zipfile,`
`1206`	`1228`	`map_location,`
`@@ -1224,7 +1246,7 @@ def load(`
`1224`	`1246`	`**pickle_load_args,`
`1225`	`1247`	`)`
`1226`	`1248`	`exceptRuntimeErrorase:`
`1227`		`-raisepickle.UnpicklingError(UNSAFE_MESSAGE+str(e))fromNone`
	`1249`	`+raisepickle.UnpicklingError(_get_wo_message(str(e)))fromNone`
`1228`	`1250`	`return_legacy_load(`
`1229`	`1251`	`opened_file,map_location,pickle_module,**pickle_load_args`
`1230`	`1252`	`)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit45f3e20

File tree

3 files changed

3 files changed

`‎test/test_serialization.py‎`

`‎torch/_weights_only_unpickler.py‎`

`‎torch/serialization.py‎`

0 commit comments