Validate MoveCall#18658

Merged
lucylq merged 1 commit intomainfrom
security15.1
Apr 2, 2026

Conversation

@lucylq
Contributor

@lucylq lucylq commented Apr 1, 2026

Summary

Check MoveCall indices are within range (0 <= index < n_values_)

Use a macro to wrap the calls in MoveCall, JumpFalseCall, FreeCall
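As an added example, not ExecuTorch's own code: the same 0 <= index < n_values rule applied at load time to Move (both move_from and move_to), JumpFalse and Free instructions, rejecting the off-by-one and negative indices a malformed FlatBuffer could carry. Kind, Instr, LoadError, value_index_ok, validate_chain and sample_chain are hypothetical stand-ins for the project's types.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for the instruction kinds the PR validates
// (not ExecuTorch's real types).
enum class Kind { Move, JumpFalse, Free };

// Move uses a=move_from and b=move_to; JumpFalse and Free use only a.
// int32_t mirrors how a FlatBuffer field could carry a negative value.
struct Instr { Kind kind; int32_t a; int32_t b; };

enum class LoadError { Ok, InvalidProgram };

// The PR's rule: 0 <= index < n_values. Checking the sign first keeps a
// negative index from wrapping into a huge value after the size_t cast.
static bool value_index_ok(int32_t index, size_t n_values) {
  return index >= 0 && static_cast<size_t>(index) < n_values;
}

// Validates one instruction chain at load time. On failure, returns
// InvalidProgram and reports the offending position so the log can name it.
LoadError validate_chain(const std::vector<Instr>& chain, size_t n_values,
                         size_t* bad_idx) {
  for (size_t i = 0; i < chain.size(); ++i) {
    const Instr& ins = chain[i];
    bool ok = value_index_ok(ins.a, n_values);
    if (ins.kind == Kind::Move) ok = ok && value_index_ok(ins.b, n_values);
    if (!ok) {
      if (bad_idx) *bad_idx = i;
      return LoadError::InvalidProgram;
    }
  }
  return LoadError::Ok;
}

// Constructed sample chains: 0 is well-formed for n_values == 4; 1 has a
// move_to equal to n_values (off by one); 2 frees a negative index.
std::vector<Instr> sample_chain(int variant) {
  if (variant == 1) return {{Kind::Move, 0, 1}, {Kind::Move, 2, 4}};
  if (variant == 2) return {{Kind::JumpFalse, 3, 0}, {Kind::Free, -1, 0}};
  return {{Kind::Move, 0, 3}, {Kind::JumpFalse, 2, 0}, {Kind::Free, 1, 0}};
}

int main() {
  size_t bad = 0;
  int rejected = validate_chain(sample_chain(1), 4, &bad) != LoadError::Ok;
  std::printf("variant 1 rejected=%d at instruction %zu\n", rejected, bad);
}
```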

@lucylq lucylq requested a review from JacobSzwejbka as a code owner April 1, 2026 22:33
Copilot AI review requested due to automatic review settings April 1, 2026 22:33
@pytorch-bot

pytorch-bot bot commented Apr 1, 2026

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18658

Note: Links to docs will display an error until the docs builds have been completed.

✅ You can merge normally! (2 Unrelated Failures)

As of commit 4a49d17 with merge base c39a0ff:

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla meta-cla bot added the CLA Signed label Apr 1, 2026
@lucylq lucylq added security-fix and removed CLA Signed labels Apr 1, 2026
@github-actions

github-actions bot commented Apr 1, 2026

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

Contributor

Copilot AI left a comment


Pull request overview

Adds load-time validation for FlatBuffer instruction value indices and centralizes the bounds-check logic, preventing out-of-range access during execution.

Changes:

  • Introduces ET_CHECK_VALID_VALUE_INDEX macro to validate instruction value indices against n_value_.
  • Applies the validation to JumpFalseCall, MoveCall (both move_from/move_to), and FreeCall.
  • Changes the default instruction-args handler to log and fail fast on invalid instruction argument types.

default: {
chain_instruction_arg_lists[instr_idx] = InstructionArgs();
} break;
ET_LOG(Error, "Invalid instruction type %hhu", static_cast<uint8_t>(instruction->instr_args_type()));
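Review bot: In the lines shown, the new ET_LOG follows `} break;` and no error return is visible, so confirm the default branch returns an error after logging instead of breaking out of the switch with a default-constructed InstructionArgs; the overview describes this path as failing fast, and an unknown instr_args_type should abort method init rather than leave an empty argument list for that instruction. The format specifier itself is consistent: `%hhu` matches the `static_cast<uint8_t>` argument.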
Copilot AI Apr 1, 2026


The log message doesn’t include enough context to diagnose which instruction caused the failure (e.g., instr_idx and/or the chain index i). Including those identifiers in the error log materially improves debuggability for malformed/corrupt programs.

Suggested change
ET_LOG(Error, "Invalid instruction type %hhu", static_cast<uint8_t>(instruction->instr_args_type()));
ET_LOG(
Error,
"Invalid instruction type %hhu at chain index %" ET_PRIsize_t
" instruction index %" ET_PRIsize_t,
static_cast<uint8_t>(instruction->instr_args_type()),
i,
instr_idx);

Contributor

@JacobSzwejbka JacobSzwejbka left a comment


Looks good, but with this general class of error checking, should we be centralizing it at program load rather than method init?

@meta-cla meta-cla bot added the CLA Signed label Apr 1, 2026
@lucylq
Contributor Author

lucylq commented Apr 1, 2026

Looks good, but with this general class of error checking, should we be centralizing it at program load rather than method init?

I feel like we might need a layered approach. The EValues are parsed at method load time, so it makes sense to check index validity of Free/JumpFalse/Move instructions here.

@lucylq lucylq merged commit 1e9bd73 into main Apr 2, 2026
164 of 168 checks passed
@lucylq lucylq deleted the security15.1 branch April 2, 2026 16:12
Labels: CLA Signed, security-fix