Harden ConvTranspose pad computation with SafeInt and consistency checks#29446
Conversation
- Wrap ComputeTotalPad arithmetic in SafeInt<int64_t> to prevent signed integer overflow (matching ComputePad and ComputeOutputShape in the same header). - Add input validation in the explicit output_shape path of ComputeTransposePadAndOutputShape (stride, kernel, dilation, adj, in_size, out_size). - Add a post-computation consistency check verifying that the forward-conv re-derivation of input size matches the actual input size, preventing pad/buffer size mismatches. - Add unit tests covering: inconsistent output_shape (1D, 2D, 3D), zero output_shape, stride/dilation variants, group>1, large batch, valid output_shape requiring padding, and arithmetic overflow (guarded by ORT_NO_EXCEPTIONS).
The OverflowInPadComputation test was crashing during AddInput because
TensorShape::Size() overflowed for the huge W dimensions. Fix by using
a valid small W shape {1,1,3,3} with kernel_shape={3,3} attribute and
extreme dilation values that trigger SafeInt overflow in the pad
computation arithmetic instead.
Review summary — ConvTranspose explicit
|
- Add derived_in consistency check to the implicit path (no output_shape) to catch output_padding >= stride when dilation > stride, preventing the same Col2im OOB read on the implicit code path. - Add boundary test (output_shape=9, natural=7) for stride=2 explicit output_shape with explanation of integer division truncation at 8. - Add implicit path OOB test: output_padding=2 >= stride=2 with dilation=3 passes adj < max(stride, dilation) but fails consistency. - Add output_padding success test reusing known-correct values from ConvTranspose_2D_outputpadding_strides2. - Fix diagnostic: use output_padding instead of adj in error messages. - Add comment that derived_in < in_size is algebraically unreachable. - Use named constexpr for magic numbers in overflow tests. - Assert stable 'Integer overflow' substring instead of empty string. - Fix EP exclusion comments to accurately describe routing.
DML does not support 3D ConvTranspose and throws 'The parameter is incorrect' during session initialization.
…cks (#29446) This pull request strengthens validation and error handling for the ConvTranspose operator in ONNX Runtime, particularly when using explicit `output_shape` attributes. It adds comprehensive checks to prevent inconsistent or invalid configurations, improves arithmetic safety to guard against integer overflows, and introduces a suite of targeted unit tests to verify these behaviors. **Validation and Error Handling Improvements:** * Added stricter input validation in `ConvTransposeAttributes::ComputePadAndOutputShape` to ensure that all relevant parameters (`output_shape`, input size, stride, kernel, dilation, and output padding) are within valid ranges and to provide clear error messages when they are not. This includes checks that all values are positive and that output padding is non-negative. * Added a consistency check to verify that the explicit `output_shape` is compatible with the input dimensions and convolution parameters, preventing buffer overruns and logical inconsistencies. **Arithmetic Safety:** * Updated `ComputeTotalPad` to use `SafeInt` for all intermediate arithmetic, ensuring that integer overflows are detected and handled safely instead of producing undefined behavior. **Testing Enhancements:** * Added a comprehensive set of unit tests for `ConvTranspose` with explicit `output_shape`, including cases for invalid, inconsistent, and overflow-prone configurations, as well as valid edge cases (e.g., 1D, 2D, and 3D, large batch sizes, group > 1, and cases requiring padding). These tests verify that invalid configurations are rejected and that valid ones work as expected. These changes collectively improve the robustness, correctness, and maintainability of the ConvTranspose operator's implementation and its handling of explicit output shapes.
This pull request strengthens validation and error handling for the ConvTranspose operator in ONNX Runtime, particularly when using explicit
output_shapeattributes. It adds comprehensive checks to prevent inconsistent or invalid configurations, improves arithmetic safety to guard against integer overflows, and introduces a suite of targeted unit tests to verify these behaviors.Validation and Error Handling Improvements:
ConvTransposeAttributes::ComputePadAndOutputShapeto ensure that all relevant parameters (output_shape, input size, stride, kernel, dilation, and output padding) are within valid ranges and to provide clear error messages when they are not. This includes checks that all values are positive and that output padding is non-negative.output_shapeis compatible with the input dimensions and convolution parameters, preventing buffer overruns and logical inconsistencies.Arithmetic Safety:
ComputeTotalPadto useSafeIntfor all intermediate arithmetic, ensuring that integer overflows are detected and handled safely instead of producing undefined behavior.Testing Enhancements:
ConvTransposewith explicitoutput_shape, including cases for invalid, inconsistent, and overflow-prone configurations, as well as valid edge cases (e.g., 1D, 2D, and 3D, large batch sizes, group > 1, and cases requiring padding). These tests verify that invalid configurations are rejected and that valid ones work as expected.These changes collectively improve the robustness, correctness, and maintainability of the ConvTranspose operator's implementation and its handling of explicit output shapes.