stable-diffusion-webui
[Bug]: vae.pt load error
Is there an existing issue for this?
- [X] I have searched the existing issues and checked the recent builds/commits
What happened?
load vae wrong
Steps to reproduce the problem
1. I put anythingV3.vae.pt in models\Stable-diffusion with anythingV3.safetensors.
2. I also put anythingV3.vae.pt in the vae folder.
3. In the webui, I change sd vae (anythingV3.vae.pt), then it reports the error.
What should have happened?
load the vae.
Commit where the problem happens
no
What platforms do you use to access the UI ?
No response
What browsers do you use to access the UI ?
No response
Command Line Arguments
Loading VAE weights specified in settings: D:\StableDiffusion\stable-diffusion-webui\models\VAE\AnythingV3.vae.pt
List of extensions
No
Console logs
Loading VAE weights specified in settings: D:\StableDiffusion\stable-diffusion-webui\models\VAE\AnythingV3.vae.pt
changing setting sd_vae to AnythingV3.vae.pt: TypeError
Traceback (most recent call last):
File "D:\StableDiffusion\stable-diffusion-webui\modules\shared.py", line 554, in set
self.data_labels[key].onchange()
File "D:\StableDiffusion\stable-diffusion-webui\modules\call_queue.py", line 15, in f
res = func(*args, **kwargs)
File "D:\StableDiffusion\stable-diffusion-webui\webui.py", line 121, in <lambda>
shared.opts.onchange("sd_vae", wrap_queued_call(lambda: modules.sd_vae.reload_vae_weights()), call=False)
File "D:\StableDiffusion\stable-diffusion-webui\modules\sd_vae.py", line 207, in reload_vae_weights
load_vae(sd_model, vae_file, vae_source)
File "D:\StableDiffusion\stable-diffusion-webui\modules\sd_vae.py", line 145, in load_vae
vae_dict_1 = load_vae_dict(vae_file, map_location=shared.weight_load_location)
File "D:\StableDiffusion\stable-diffusion-webui\modules\sd_vae.py", line 123, in load_vae_dict
vae_ckpt = sd_models.read_state_dict(filename, map_location=map_location)
File "D:\StableDiffusion\stable-diffusion-webui\modules\sd_models.py", line 219, in read_state_dict
pl_sd = torch.load(checkpoint_file, map_location=torch.device or shared.weight_load_location)
File "D:\StableDiffusion\stable-diffusion-webui\modules\safe.py", line 106, in load
return load_with_extra(filename, extra_handler=global_extra_handler, *args, **kwargs)
File "D:\StableDiffusion\stable-diffusion-webui\modules\safe.py", line 151, in load_with_extra
return unsafe_torch_load(filename, *args, **kwargs)
File "D:\StableDiffusion\stable-diffusion-webui\venv\lib\site-packages\torch\serialization.py", line 789, in load
return _load(opened_zipfile, map_location, pickle_module, **pickle_load_args)
File "D:\StableDiffusion\stable-diffusion-webui\venv\lib\site-packages\torch\serialization.py", line 1131, in _load
result = unpickler.load()
File "D:\StableDiffusion\stable-diffusion-webui\venv\lib\site-packages\torch\serialization.py", line 1101, in persistent_load
load_tensor(dtype, nbytes, key, _maybe_decode_ascii(location))
File "D:\StableDiffusion\stable-diffusion-webui\venv\lib\site-packages\torch\serialization.py", line 1083, in load_tensor
wrap_storage=restore_location(storage, location),
File "D:\StableDiffusion\stable-diffusion-webui\venv\lib\site-packages\torch\serialization.py", line 1058, in restore_location
result = map_location(storage, location)
TypeError: Device(): argument 'type' (position 1) must be str, not torch.storage.UntypedStorage
Additional information
No response
load failed indeed.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/content/stable-diffusion-webui/modules/safe.py", line 135, in load_with_extra
check_pt(filename, extra_handler)
File "/content/stable-diffusion-webui/modules/safe.py", line 102, in check_pt
unpickler.load()
_pickle.UnpicklingError: invalid load key, '<'.
-----> !!!! The file is most likely corrupted !!!! <-----
You can skip this check with --disable-safe-unpickle commandline argument, but that is not going to help you.
changing setting sd_vae to vae-ft-mse-840000-ema-pruned.ckpt: AttributeError
Traceback (most recent call last):
File "/content/stable-diffusion-webui/modules/shared.py", line 554, in set
self.data_labels[key].onchange()
File "/content/stable-diffusion-webui/modules/call_queue.py", line 15, in f
res = func(*args, **kwargs)
File "/content/stable-diffusion-webui/webui.py", line 121, in
I personally started getting this error specifically with this file when suddenly, mid use, windows defender started flagging the file as Trojan:Win32/Casdet!rfn (which states this file executes commands from an attacker) and automatically quarantines the file, removing it from the folder which keeps it from loading.
This occurred seemingly randomly after many, many hours of use, so it at first just seemed like some error before I checked Windows Defender's task history.
A bit of an alarm, but might be a false positive... But to be safe, can always switch to the safetensors version of the vae.
You can get the safetensors version of the vae from here: https://huggingface.co/AIARTCHAN/aichan_blend/tree/main/vae
> I personally started getting this error specifically with this file when suddenly, mid use, windows defender started flagging the file as Trojan:Win32/Casdet!rfn
Just started having the same issue with a couple of .pt files after months of use. Happened just after defender updated to security intelligence version 1.385.456.0 so I wonder if a recent update allowed it to detect whatever it is that's going on here
I've also got the same Windows Defender message (Trojan:Win32/Casdet!rfn) for all my vae.pt files.
- Windows Defender message: Trojan:Win32/Casdet!rfn
- OS: Windows 10
- Python version: Python 3.10.6
- SD-WebUI revision: 3715ece0adce7bf7c5e9c5ab3710b2fdc3848f39
- torch version: 1.13.1+cu117
- torchvision version: 0.14.1+cu117

However, it seems that it could be a false positive since Malwarebytes is coming up clean for all the vae.pt files in the affected folder. Another SD repo is also reporting the same trojan flag: https://github.com/invoke-ai/InvokeAI/issues/2989
I encountered the same error last week.
In an attempt to verify whether the VAE files were corrupted, I downloaded the same VAEs from Civitai. The Civitai versions are slightly larger than the Hugging Face versions and work as expected without errors.
Perhaps large downloads from Hugging Face are being truncated somehow?
Also encountered the virus alert problem this afternoon. Expecting it is probably a false positive, but using an alternative scanner to double-check while waiting for Windows Defender to download new signatures.
Getting the same thing....please let us know if it is a false positive or not.....strange.
had it too just now, using Dream textures in blender, win defender: Casdet!rfn
TLDR at end
Well, I unpacked the Anything-V3.0.vae.pt file with sha256: f921fb3f29891d2a77a6571e56b8b5052420d2884129517a333c60b1b4816cdf (which was the only file flagged by Windows Defender on my machine), packed the contents back into 2 separate .zip files so they'd be under VirusTotal's 500 MB limit and then uploaded them to VirusTotal, and there wasn't a single detection by any of the 50+ anti-viruses that VirusTotal uses.
So from this, I don't personally believe there's any real "virus" per se, but there could always be something malicious hidden in the python code that's always included in a .pt file (PT = pytorch machine learning file, which means python code is included, where malicious code can be hidden within). This is why many users are switching to safetensors formats, because these include all the data needed for generation, but none of the extra python scripts, so less chance for some malicious code hidden in them.
It might just be that the new windows defender update is detecting "potentially risky pickles" or something. To note, Huggingface has always flagged the anything v3 vae.pt as being suspicious due to containing the pickle import "pytorch_lightning.callbacks.model_checkpoint.ModelCheckpoint"
Another point of note is that this recent windows defender update that dropped a few days ago seems to have been detecting a lot of ai related things this last week or so. Seems like they've been usually detected as trojans that can execute code, which I feel probably has to do with python code that can be included in the files, but I'm not an expert.
The biggest thing is that these particular casdet!rfn detections are still a fairly new occurrence, seemingly with no real true confirmations either way as of yet, and a little more waiting might offer more concrete answers. I personally feel that these are most likely false alarms, but there's always a risk... Keep in mind that due to the vast number of users, there's often an associated influx of people also ready to take advantage of the people using less-than-secure/unfamiliar systems. Using the vae.safetensors and safetensors models when available or simply avoiding the detected vaes altogether is the safest answer.
If you decide to trust it (or risk it), you can always go into Windows Defender Virus & Threat Detection's Protection History and restore the file and it should show back up in your folder.
Frankly speaking, this whole NAI leak is riskier than usual due to the very nature of it only existing as a leak/not-officially released file. On top of getting all of these potential detections (the ckpt model also has some history of detections that may or may not be false alarms as well), I'd be very wary to use anything other than the safetensors version of the model and vae.
TLDR: I unpacked the anything v3 vae.pt files and virustotal didn't have any of their AVs detect anything at all, but due to vae.pt file nature, may still be unsafe due to potential of hiding malicious code in the file type. Use this info (and the flagged files) at your own risk. I'm no expert.
Done a little bit of digging and found a few interesting things. After opening one of the offending files with torch and inspecting the model that it contains, I haven't been able to identify anything within the model beyond the weights and biases that I was expecting. That being said these are very large files so it's possible I missed something, and it's definitely possible that any offending code could be executed while torch is loading and processing the file itself.
I've found that re-saving the model through torch results in a file that Windows Defender does not flag as harmful and appears to function as intended. This makes me suspect that something that was/could be pickled alongside the model itself (such as "pytorch_lightning.callbacks.model_checkpoint.ModelCheckpoint" as @SqueakyZee mentioned) is causing Defender to flag the file. This is definitely not the opinion of an expert, but re-pickling the model should at least reduce the chance of something malicious hiding inside.
Also just noticed that Defender is now only flagging some of the previously problematic files, so maybe these are just false positives that are now being dealt with.
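The question raised in the comments above, what a .pt file's pickle would import (for example pytorch_lightning.callbacks.model_checkpoint.ModelCheckpoint), can be answered without loading the file by walking the pickle opcodes. This is an added example, not part of the original thread and not webui's safe.py; the allowlist, the function names and the sample archive are constructed assumptions.

```python
import collections
import io
import pickletools
import zipfile

# Illustrative allowlist (an assumption, not webui's own list): globals that a
# plain tensor state_dict normally references.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
           ("torch", "FloatStorage"), ("torch", "HalfStorage")}
UNRESOLVED = ("<unresolved>", "<unresolved>")
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}

def pickle_imports(data):
    """List (module, name) pairs a pickle would import, without unpickling it."""
    found, memo = set(), {}
    recent = collections.deque(maxlen=2)  # last two pushed values; None if not a str
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):  # argument is "module name"
            found.add(tuple(arg.split(" ", 1)))
            recent.append(None)
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module and name come off the stack
            pair = tuple(recent)
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.add(pair if ok else UNRESOLVED)  # fail closed when unsure
            recent.append(None)
        elif op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in PUT_OPS:  # remember strings that later GET opcodes re-push
            memo[len(memo) if op.name == "MEMOIZE" else arg] = recent[-1] if recent else None
        elif op.name in GET_OPS:
            recent.append(memo.get(arg))
        elif op.name not in ("PROTO", "FRAME"):
            recent.append(None)
    return found

def scan_checkpoint(source, allowed=ALLOWED):
    """Return imports outside the allowlist in a zip-format .pt/.ckpt (path or file object)."""
    with zipfile.ZipFile(source) as z:
        names = [n for n in z.namelist() if n.endswith(".pkl")]
        imports = set().union(*(pickle_imports(z.read(n)) for n in names))
    return sorted(imports - set(allowed))

def build_sample():
    """Constructed sample laid out like a torch.save() archive; it is never unpickled."""
    pkl = (b"\x80\x02("                     # PROTO 2, MARK
           b"ccollections\nOrderedDict\n"   # GLOBAL that is on the allowlist
           b"cpytorch_lightning.callbacks.model_checkpoint\nModelCheckpoint\n"
           b"t.")                           # TUPLE, STOP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("archive/data.pkl", pkl)
    return buf

print(scan_checkpoint(build_sample()))
```

An empty result means every import is on the allowlist; a non-zip file raises zipfile.BadZipFile instead of being read as a pickle.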
It's more or less confirmed to be a false positive. Since the last windows update Defender has been flagging specific python paks as trojan. People have been reporting the issue in BlueStacks as well (specifically in the Nougat framework)
I get a similar issue trying to run DeepDanbooru.
```
Error verifying pickled file from C:\StableDiffusion\SDTest\stable-diffusion-webui\models\torch_deepdanbooru\model-resnet_custom_v3.pt:
Traceback (most recent call last):
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\safe.py", line 135, in load_with_extra
    check_pt(filename, extra_handler)
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\safe.py", line 81, in check_pt
    with zipfile.ZipFile(filename) as z:
  File "C:\Users\ZCaliber\AppData\Local\Programs\Python\Python310\lib\zipfile.py", line 1249, in __init__
    self.fp = io.open(file, filemode)
OSError: [Errno 22] Invalid argument: 'C:\StableDiffusion\SDTest\stable-diffusion-webui\models\torch_deepdanbooru\model-resnet_custom_v3.pt'

The file may be malicious, so the program is not going to read it. You can skip this check with --disable-safe-unpickle commandline argument.

Traceback (most recent call last):
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\venv\lib\site-packages\gradio\routes.py", line 337, in run_predict
    output = await app.get_blocks().process_api(
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\venv\lib\site-packages\gradio\blocks.py", line 1015, in process_api
    result = await self.call_function(
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\venv\lib\site-packages\gradio\blocks.py", line 833, in call_function
    prediction = await anyio.to_thread.run_sync(
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\venv\lib\site-packages\anyio\to_thread.py", line 31, in run_sync
    return await get_asynclib().run_sync_in_worker_thread(
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\venv\lib\site-packages\anyio_backends_asyncio.py", line 937, in run_sync_in_worker_thread
    return await future
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\venv\lib\site-packages\anyio_backends_asyncio.py", line 867, in run
    result = context.run(func, *args)
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\ui.py", line 915, in <lambda>
    fn=lambda *args: process_interrogate(interrogate_deepbooru, *args),
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\ui.py", line 150, in process_interrogate
    return [interrogation_function(ii_singles[mode]), None]
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\ui.py", line 177, in interrogate_deepbooru
    prompt = deepbooru.model.tag(image)
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\deepbooru.py", line 44, in tag
    self.start()
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\deepbooru.py", line 35, in start
    self.load()
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\deepbooru.py", line 29, in load
    self.model.load_state_dict(torch.load(files[0], map_location="cpu"))
  File "C:\StableDiffusion\SDTest\stable-diffusion-webui\modules\deepbooru_model.py", line 675, in load_state_dict
    self.tags = state_dict.get('tags', [])
AttributeError: 'NoneType' object has no attribute 'get'
```
Even A1111 thinks it's pickled. Then Windows defender gives the Trojan alert. Same file name. Casdet!rfn
The error is misleading. Automatic111 can't verify the file because Windows Defender is blocking it before the pickle scan can take place. Your code is throwing an OSError, meaning that it is a system related error.
https://docs.python.org/3/library/exceptions.html?highlight=oserror#OSError
Yes, it means I need to close my firewall, after closing my firewall, it makes well.