torch.load without weights_only parameter is unsafe
#1852
Comments
|
Duplicate of #1831 |
|
@araffin you should specify |
|
could you elaborate a bit? |
|
@araffin I don't think there is an announcement, but we're definitely thinking of it. |
araffin
added
enhancement
|
Thanks, btw what is the minimum pytorch version to be able to set |
|
@araffin The PR that added the option is pytorch/pytorch#86812, first release with it is PyTorch 1.13.0 |
|
After trying out, we cannot use |
araffin
removed
good first issue
…his version now attempts to use torch.load weights_only=True related to DLR-RM/stable-baselines3#1852 😮💨
|
So glad I found this! If you're getting the error: when loading a model this is a possible cause. 2.2.1 doesn't have throw the error, but because it doesn't use I think it's this line here? Maybe a param of some kind that passes weights_only through to the underlying torch.load and let the dev / user decide if they trust the source? I'll drop a PR when my testing comes out OK! I promise it'll be cleaner than the heap of late night hacking I've been trying to get to play Pokémon ;) |
Please provide a minimal example to reproduce the error.
I guess you are doing something custom because the tests passes on the CI server.
yes, probably. |
For sure! Right now the only example I have is my 16mb blob of model, so I'm trying to find the minimal reproduction of that here.
Yup! I too think it's something strange I'm doing with my model in particular, because I don't think I'm doing anything fancy with model.save and model.load themselves.
Excellent! Hopefully my weights_only idea is overkill and it's just a weird quirk of my model that I can adjust, and the PR will just be a test and maybe a warning if someone makes the same mistake as I'm making. If not, the pull request I'm working on still defaults to weights_only=True and throws a warning if it's overridden to false. My theory is that won't disrupt existing users but would allow people doing weird stuff to be able to load models they trust. |
|
@araffin Figured it out! My learning_rate_schedule was using np.pi and np.sin. I've got a test to reproduce now and a pull request ready if my approach is OK! How would you feel about me adding an enhancement to warn if model.save() is called with objects that won't unpickle with weights_only=True? |
|
thanks for finding out. from stable_baselines3 import PPO
import numpy as np
model = PPO("MlpPolicy", "CartPole-v1", learning_rate=lambda _: np.sin(1))
model.save("demo")
model = PPO.load("demo")it comes from I have a simpler fix in your case, cast to float as it is the required type for lr schedule: from stable_baselines3 import PPO
import numpy as np
model = PPO("MlpPolicy", "CartPole-v1", learning_rate=lambda _: float(np.sin(1)))
model.save("demo")
model = PPO.load("demo")EDIT: a better PR would be to cast any call to |
Oooh, good call! I'll start on that a bit later today! I'm curious about the gymnasium loading issue mentioned earlier as well. Maybe something similar where it's using fancy numpy types? |
it's different, the problem occurs because we want to save the complete |
|
I also ran into the same error as @markscsmith . I'm storing some values (some probably np.nan) in the env that are probably causing the error. I made a workaround by changing weights_only = False. I understand that the issue originates from me doing something that I probably shouldn't, but I don't really see the harm in doing this:
|
|
@araffin I took a look at the logic around the learning_rate solution and am running tests on a fix now. I'll open a new issue and PR for that fix in particular. Thank you again for the help figuring this out! @Franziac do you have more detail about what you mean by values in the env? Based on araffin's previous comments it might be as simple as converting the types into safely-unpickleable types in the right spot. That said, arrafin, if you think you're going to get a bunch of bug reports like this from people doing odd stuff with models, I've cleaned up my original changes for weights_only a bit, and am noodling how to do a warning on save of "hey, when you try to unpickle this you're going to get an error!" My first instinct was "how do I get weights_only=False?" but you led me to ask "why is weights_only=False suddenly necessary?" I imagine this would help @Franziac identify when the special case is needed as well. Given that torch is the one creating that option in the first place, maybe something to do upstream in pytorch? They seem to be getting a fair number of issues around this as well, and a proactive "hey this object contains weird stuff, weights_only=False will be necessary. Here are the objects that are weird:" might be a nudge to devs to cast to safer types? It aligns well with the advice you gave me that worked for me too! |
|
@Franziac please provide a minimal working example to reproduce the issue. |
This is found via https://github.com/pytorch-labs/torchfix/
torch.loadwithoutweights_onlyparameter is unsafe. Explicitly setweights_onlyto False only if you trust the data you load and full pickle functionality is needed, otherwise setweights_only=True.stable_baselines3/common/policies.py:176:27
stable_baselines3/common/save_util.py:450:33
The text was updated successfully, but these errors were encountered: