Allow tensor subclasses and add torch.serialization.add_safe_globals that allows users to allowlist classes for weights_only load

[mikaylagawarecki]

Conditions for allowlisting tensor subclasses

We allow tensor subclasses types that
(1) Do not override __setstate__, __getattr__, __setattr__, __get__, __set__ or __getattribute__ of torch.Tensor (torch.Tensor does not have a definition of __getattr__, __get__ or __set__ so we check that these are None)
(2) Use the generic tp_alloc
(3) Are in a module that has been imported by the user
to be pushed onto the stack as strings by GLOBAL instructions, while storing the type in a dict

The strings will be converted to the classes as appropriate when executing REBUILD with _rebuild_from_type_v2

*Note that we use inspect.getattr_static(sys.modules[module], name) to get the class/function as this method claims to have no code execution.

The rationale for the 3 conditions above is as follows:

The rebuild func provided by Tensor.__reduce_ex__ is torch._tensor._rebuild_from_type_v2, which is defined as such (note the call to getattr, Tensor.__setstate__ and the call to as_subclass as well as the call to _set_obj_state which calls setattr)

pytorch/torch/_tensor.py

Lines 57 to 71 in 4e66aaa

	def _rebuild_from_type_v2(func, new_type, args, state):
	ret = func(*args)
	if type(ret) is not new_type:
	ret = ret.as_subclass(new_type)
	# Tensor does define __setstate__ even though it doesn't define
	# __getstate__. So only use __setstate__ if it is NOT the one defined
	# on Tensor
	if (
	getattr(ret.__class__, "__setstate__", Tensor.__setstate__)
	is not Tensor.__setstate__
	):
	ret.__setstate__(state)
	else:
	ret = torch._utils._set_obj_state(ret, state)
	return ret

as_subclass is implemented with a call to THPVariable_NewWithVar

that will eventually call tp_alloc here

pytorch/torch/csrc/autograd/python_variable.cpp

Line 2053 in 4e66aaa

PyObject* obj = type->tp_alloc(type, 0);

The func arg to _rebuild_from_type_v2 for wrapper subclasses is Tensor.rebuild_wrapper_subclass, which will similarly call into THPVariable_NewWithVar and hit the above tp_alloc

Note that we do not call tp_init or tp_new (i.e. cls.__init__ or cls.__new__) when unpickling

How do we check something is a tensor subclass/constraints around imports

In order to check whether bla is a tensor subclass in the bytecode GLOBAL module.name, we need to do an issubclass check, which entails converting the global string to the appropriate type. We do not arbitrarily import modules but will perform this check as long as the given subclass (given by module.name) has already been imported by the user (i.e. module in sys.modules and issubclass(getattr(sys[modules], name), torch.Tensor)

This PR also allowlisted torch._utils._rebuild_wrapper_subclass and torch.device (used by _rebuild_wrapper_subclass)

API for allow listing

This PR also added torch.serialization.{add/get/clear}_safe_globals that enables user to allowlist globals they have deemed safe and manipulate this list (for example they could allowlist a tensor subclass with a custom __setstate__ if they have checked that this is safe).

Next steps:

• Add testing and allowlist required classes for all in-core tensor subclasses (e.g. DTensor, FakeTensor etc.)

Stack from ghstack (oldest at bottom):

• -> Allow tensor subclasses and add torch.serialization.add_safe_globals that allows users to allowlist classes for weights_only load #124331

[pytorch-bot]

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/124331

• 📄 Preview Python docs built from this PR
• 📄 Preview C++ docs built from this PR
• ❓ Need help or want to give feedback on the CI? Visit the bot commands wiki or our office hours

Note: Links to docs will display an error until the docs builds have been completed.

✅ No Failures

As of commit e91a1de with merge base 8619fe6 ():
💚 Looks good so far! There are no failures yet. 💚

This comment was automatically generated by Dr. CI and updates every 15 minutes.

[mikaylagawarecki]

Marking as draft after discussion with Alban -- while we will likely still need a way for users to allowlist specific classes, want to also look into whether there is a generic way to allowlist tensor subclasses (with appropriate guardrails for security)

[mikaylagawarecki]

@albanD I think there might be a fundamental problem here that prevents us from allowlisting all tensor subclasses.

The GLOBAL <bla> in the pickle file will have as a string, in order to check issubclass(bla, torch.Tensor), we need to convert the string bla to the actual type object. To my knowledge, I could not find a safe way to do this, and I suspect this line here might not be what we consider secure. wdyt?

Is there a way where we can constrain this such that it is still secure?

[mikaylagawarecki]

From offline discussion, a good middle ground is to put the responsibility to import the module on the user

[albanD]

Sounds good!

[albanD]

This code will be called for any class that is not allowed for which the parent module is not already imported right?

[mikaylagawarecki]

you're right! edited a bit to reflect this case, is the new phrasing clear

[albanD]

We should have a docs page that go over this and point to it in the end.
This is ok temporarily while we're getting this landing page.

[albanD]

Suggested change

	if isinstance(arg, type) and arg in self.tensor_subclasses_found
	if isinstance(arg, type) and issubclass(arg, torch.Tensor)

Why not this?

[mikaylagawarecki]

This is a valid point, but to be extra safe, I think that we should actually never let the subclass type be on the unpickler's stack so in the most recent push I changed the strategy here to
(1) GLOBAL finds the subclass, if it meets the criteria, it pushes the str "module.attr" onto the unpickler's stack and adds self.tensor_subclasses_found["module.attr"] = module.attr
(2) when executing REDUCE for rebuild_from_type_v2, we properly translate the str back to the actual type

Does that sound reasonable to you?

[albanD]

Sound good.

[albanD]

Huh why?

[mikaylagawarecki]

This is weird to me as well, but seems to be necessary because TwoTensor is imported again later in the test, can minimize this to this will still throw the error

from torch.testing._internal.two_tensor import TwoTensor

def test_safe_globals_for_weights_only(self):
    t = TwoTensor(torch.randn(2, 3), torch.randn(2, 3))
    from torch.testing._internal.two_tensor import TwoTensor

raises

t = TwoTensor(torch.randn(2, 3), torch.randn(2, 3))
UnboundLocalError: local variable 'TwoTensor' referenced before assignment

[albanD]

Sounds good!

[mikaylagawarecki]

@pytorchbot merge

[pytorchmergebot]

Merge started

Your change will be merged once all checks pass (ETA 0-4 Hours).

Learn more about merging in the wiki.

Questions? Feedback? Please reach out to the PyTorch DevX Team

Advanced Debugging

Check the merge workflow status
here