Bug 2431943

Summary: PyTorch 2.9.1-4.fc44 segfaults often on aarch64
Product: [Fedora] Fedora Reporter: Alexander Lent <lx>
Component: python-torchAssignee: Alexander Lent <lx>
Status: ASSIGNED --- QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: alexjnewt, jeremy.linton, lx, pbrobinson, rocm-packagers-sig, Tom.Rix
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: aarch64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2434948, 2434974    
Attachments:
Description Flags
Core Dump of PyTorch crashing during import on aarch64
none
fully decoded backtrace + OperatorEntry.cpp:309 find parameter decoding
none
verify flat hash size before walking off the end. none

Description Alexander Lent 2026-01-22 04:05:11 UTC
The PyTorch package, version 2.9.1 segfault-s when importing the module.

The released versions with the issue are 2.9.1-4.fc44, and 2.9.1-5.fc44, with the latter produced with the same problem in the mass rebuild for Fedora 44.

Reproducible: Sometimes

Steps to Reproduce:
1. Install an impacted build of the python3-torch package.
2. Try to python3 -c "import torch".

I've been testing with:

while true; do python3 -c 'import torch' && echo "ok" || echo "bad"; done
Actual Results:
It crashes with a segfault rough 50% (or more) of the time.

Expected Results:
The "torch" module is successfully loaded and you can write Python code with it.

Additional Information:
It appears to be an issue when built with GCC 16 (16.0.1?); building with Clang/LLVM 21.1.8 works in my testing, at least so far as eliminating the crash and not introducing any other similarly conspicuous crashes.

Comment 1 Jeremy Linton 2026-01-22 18:02:47 UTC
How are you installing python3-torch-2.9.1-5.fc44, because on my machine it won't install without --skip-broken due to a failed python3-sympy dependency which is also https://bugzilla.redhat.com/show_bug.cgi?id=2432011

Comment 2 Alexander Lent 2026-01-22 21:49:51 UTC
I think the package update that broke sympy had not propagated to my local mirror yet. I am in the same boat now, though; It has held me up from pushing the PR temporarily switching to clang.

When I looked deeper into this, by trying to change the optimization flags with GCC 16, that wasn't effective. I think that's because the PyTorch build system injects `-O2`in multiple places.

The specifics of the crash are that it's is inside a hash map implementation used to choose between different implementations of functions at runtime. As you might expect, an intimidating C++ backtrace with several lines of templated type information per frame resulted.

I regret not writing down the specific symbols or assembly that I saw. IIRC it was an inlined version of std::equal_to<some_types>:operator() and for some reason the compiler had implemented it by loading data at various offsets from a base address into the SIMD registers and doing a bunch of SIMD operations on said data. When I tried to manually probe the offending address in GDB, I got an error.

Comment 3 Alexander Lent 2026-01-22 21:59:30 UTC
At this point, I'm not necessarily convinced the issue is GCC 16, specifically, it might just be exposing some issue in the existing code.

Comment 4 Jeremy Linton 2026-01-22 22:18:28 UTC
Can gnome-abrt/"Problem Reporting" create and upload a report?

Comment 5 Jeremy Linton 2026-01-22 22:24:46 UTC
Or just 'coredumpctl info` output for the corefile, and attach it. Also what is the HW platform? (Mac, rpi, etc).

Comment 6 Tom.Rix 2026-01-23 20:11:59 UTC
I have worked around the sympy problem here
https://src.fedoraproject.org/rpms/python-torch/c/a62f1f295a83d991668b7bcc6bdb9183ef97d8b5?branch=rawhide
build has started, it usually takes a day or two to propagate.

Comment 7 Alexander Lent 2026-01-28 05:07:07 UTC
Created attachment 2123998 [details]
Core Dump of PyTorch crashing during import on aarch64

Comment 8 Alexander Lent 2026-01-28 05:07:45 UTC
After manually installing the latest sympy build, from https://bodhi.fedoraproject.org/updates/FEDORA-2026-e754c9e961 or https://koji.fedoraproject.org/koji/buildinfo?buildID=2923700 , I was able to generate a core file which is attached (compressed). Please take a look.

I captured this core on an NVIDIA DGX Spark system.

Comment 9 Jeremy Linton 2026-01-28 16:15:51 UTC
I've duplicated it to, on an x13s, so not related to anything nvidia. I see the crash in the c++/gcc stl_function.h:374 as called from the pytorch flat_hash_map.h:58.

At a quick glance it appears to be an out of bounds access trying to load a single element into v31. The address at x0+0x190 is ok, but the address at x0+1e0, which has crossed a page boundary by 32 bytes from the previous access is not.

Comment 10 Jeremy Linton 2026-01-28 17:59:50 UTC
Created attachment 2124529 [details]
fully decoded backtrace + OperatorEntry.cpp:309 find parameter decoding

Attached a complete backtrace and decoding of the OperatorEntry.cpp:309 _kernel->find(dispatch_key); call parameters which are crashing.

Comment 11 Jeremy Linton 2026-01-28 20:12:10 UTC
If this flat_hash behaves anything like the normal std::hash, then the iterator in find() needs to validate the node before trying to use its value.

Comment 12 Alexander Lent 2026-01-29 06:56:31 UTC
Thanks for tracking down the issue; I'm going to trace through the sources to see if I can understand where this is coming from.

Comment 13 Jeremy Linton 2026-01-29 22:08:55 UTC
It looks like the way this is intended to work is that each bucket has a distance value which is -1 when its not used, and the distance from where the entry should have been placed when its filled. Which is 0 if its in the correct location. The hash is terminated with a pre-filled bucket, which isn't used for normal hash lookups because the num_slots_minus_one is used to compute the bucket, except that if you do land on that bucket in find/emplace then the distance check which terminates anytime it finds a bucket with a distance less than the current walk length will happily walk off the end because 0<=0, and the pointer is ++'ed to the next/invalid entry.

I added a iterator==end() check to abort find() and that moved the crash, to emplace() where a similar bit of logic is being used. Converting that to a iterator==end() break; I think will make the crash go away, but fundamentally that suggests that the num_slots_minus_one check is off by one.

Comment 14 Alexander Lent 2026-01-30 02:43:08 UTC
Thanks, I'll take a look at num_slots_minus_one to see if I can apply the suggested fix, and to make sure I understand it. If I do, I'll check against latest upstream and see if I can file a bug or suggest a change there.

Comment 15 Jeremy Linton 2026-01-30 15:28:15 UTC
Yes, I've definitely created a workaround patch, understanding why this is suddenly happening or fixing the off by one error, is probably the right fix.

Comment 16 Jeremy Linton 2026-01-30 15:29:08 UTC
Created attachment 2127523 [details]
verify flat hash size before walking off the end.

Comment 17 Jeremy Linton 2026-02-03 21:07:12 UTC
I opened an upstream issue, for further discussion: https://github.com/pytorch/pytorch/issues/174230