executorch icon indicating copy to clipboard operation
executorch copied to clipboard
verified publisher icon pytorch

Module.execute does not check input count

Open GregoryComer opened this issue 7 months ago • 0 comments

🐛 Describe the bug

The execute function in module.cpp will cause silent memory corruption if too many input EValues are passed.

https://github.com/pytorch/executorch/blob/976fe484c811277252756a39a9b6c76fd8c6e3cb/extension/module/module.cpp#L233-L244

If input_values.size() > inputs.size(), the indexing operation on line 242 will write past the end of the array. I encountered this when I updated a model definition but hadn't updated the C++ runner code yet and it caused a memory-related crash when destructing the module.

We should check for input_values.size() <= inputs.size() and log an error + return an error code (Error::InvalidArgument) if the check fails.

As an aside, passing fewer inputs in may or may not be a desirable feature, given that some may be memory planned or unchanged between calls. We can ignore this case for the sake of this bug as it's not a correctness issue, but it might be good to error out for clarity if too few inputs are passed.

Versions

Repro-able on main, though it's likely been like this for a long time (or forever).

GregoryComer avatar Apr 28 '25 09:04 GregoryComer