Validate dim_order is a permutation in dim_order_to_stride (#17314)

rascani · claude · web-flow · commit 90e6e4ca4ef3 · 2026-02-10T10:44:36.000-08:00
### Summary
The validate_dim_order function only checked that values were in bounds,
allowing invalid inputs like {0, 0, 0} to pass. This caused
uninitialized memory access in dim_order_to_stride_nocheck.

Fix by using a bitmask to detect duplicates. Also adds test fixture with
runtime_init() for error logging and removes duplicate include.

### Test plan
```
./test/run_oss_cpp_tests.sh
```

---------

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/runtime/core/exec_aten/util/dim_order_util.h b/runtime/core/exec_aten/util/dim_order_util.h
@@ -8,13 +8,13 @@
 
 #pragma once
 
-#include <c10/util/irange.h>
 #include <cstdint>
 #include <cstdio>
 #include <cstring>
 
 #include <c10/util/irange.h>
 #include <executorch/runtime/core/error.h>
+#include <executorch/runtime/core/exec_aten/util/tensor_dimension_limit.h>
 #include <executorch/runtime/platform/assert.h>
 #include <executorch/runtime/platform/compiler.h>
 
@@ -24,10 +24,22 @@ namespace runtime {
 namespace {
 template <typename DimOrderType>
 bool validate_dim_order(const DimOrderType* dim_order, const size_t dims) {
+  static_assert(
+      kTensorDimensionLimit <= 16,
+      "Bitmask-based validation requires kTensorDimensionLimit <= 16");
+  if (dims > kTensorDimensionLimit) {
+    return false;
+  }
+  uint16_t seen = 0;
   for (const auto i : c10::irange(dims)) {
     if (dim_order[i] >= static_cast<DimOrderType>(dims)) {
       return false;
     }
+    const uint16_t mask = 1u << dim_order[i];
+    if (seen & mask) {
+      return false;
+    }
+    seen |= mask;
   }
   return true;
 }
@@ -150,7 +162,7 @@ ET_NODISCARD inline Error dim_order_to_stride(
   ET_CHECK_OR_RETURN_ERROR(
       validate_dim_order(dim_order, dims),
       InvalidArgument,
-      "Invalid dim order. One of the value is larger than the number of dims %zu",
+      "Invalid dim order: values must be a permutation of [0, %zu)",
       dims);
 
   dim_order_to_stride_nocheck(sizes, dim_order, dims, strides);
diff --git a/runtime/core/exec_aten/util/test/dim_order_util_test.cpp b/runtime/core/exec_aten/util/test/dim_order_util_test.cpp
@@ -12,6 +12,7 @@
 #include <numeric>
 
 #include <executorch/runtime/core/exec_aten/exec_aten.h>
+#include <executorch/runtime/platform/runtime.h>
 
 #include <gtest/gtest.h>
 
@@ -21,6 +22,15 @@ using executorch::runtime::is_channels_last_dim_order;
 using executorch::runtime::is_contiguous_dim_order;
 using executorch::runtime::stride_to_dim_order;
 
+class DimOrderUtilTest : public ::testing::Test {
+ protected:
+  void SetUp() override {
+    // As some of these tests cause ET_LOG to be called, the PAL must be
+    // initialized first by calling runtime_init();
+    executorch::runtime::runtime_init();
+  }
+};
+
 namespace {
 void check_strides_eq(
     executorch::aten::ArrayRef<executorch::aten::StridesType> strides_a,
@@ -39,7 +49,7 @@ void check_dim_order_eq(
 }
 } // namespace
 
-TEST(DimOrderUtilTest, DimOrderToStride) {
+TEST_F(DimOrderUtilTest, DimOrderToStride) {
   executorch::aten::SizesType sizes_1[1] = {5};
   executorch::aten::SizesType dim_order_1[1] = {0};
   executorch::aten::SizesType strides_1[1] = {0};
@@ -204,7 +214,7 @@ TEST(DimOrderUtilTest, DimOrderToStride) {
   check_strides_eq({strides_3_zero, 3}, {expected_strides_3_zero, 3});
 }
 
-TEST(DimOrderUtilTest, StrideToDimOrder) {
+TEST_F(DimOrderUtilTest, StrideToDimOrder) {
   executorch::aten::SizesType strides[3] = {5, 1, 15};
   executorch::aten::DimOrderType dim_order[3] = {0, 0, 0};
 
@@ -216,7 +226,7 @@ TEST(DimOrderUtilTest, StrideToDimOrder) {
   check_dim_order_eq(dim_order, expected_dim_order);
 }
 
-TEST(DimOrderUtilTest, StrideToDimOrderSameStrides) {
+TEST_F(DimOrderUtilTest, StrideToDimOrderSameStrides) {
   executorch::aten::SizesType strides[4] = {4, 3, 1, 1};
   executorch::aten::DimOrderType dim_order[4] = {0, 0, 0, 0};
 
@@ -227,7 +237,7 @@ TEST(DimOrderUtilTest, StrideToDimOrderSameStrides) {
   check_dim_order_eq(dim_order, expected_dim_order);
 }
 
-TEST(DimOrderUtilTest, IsDefaultDimOrderTest) {
+TEST_F(DimOrderUtilTest, IsDefaultDimOrderTest) {
   for (const auto i : c10::irange(1, 7)) {
     std::vector<executorch::aten::DimOrderType> dim_order(i);
     std::iota(dim_order.begin(), dim_order.end(), 0);
@@ -240,7 +250,7 @@ TEST(DimOrderUtilTest, IsDefaultDimOrderTest) {
   }
 }
 
-TEST(DimOrderUtilTest, IsDefaultDimOrderFailCasesTest) {
+TEST_F(DimOrderUtilTest, IsDefaultDimOrderFailCasesTest) {
   // Dims is default order but have two elements swapped
   for (const auto i : c10::irange(3, 8)) {
     std::vector<executorch::aten::DimOrderType> dim_order(i);
@@ -261,7 +271,7 @@ TEST(DimOrderUtilTest, IsDefaultDimOrderFailCasesTest) {
   }
 }
 
-TEST(DimOrderUtilTest, IsChannelsLastDimOrderTest) {
+TEST_F(DimOrderUtilTest, IsChannelsLastDimOrderTest) {
   executorch::aten::DimOrderType dim_order_4d[4] = {0, 2, 3, 1};
   executorch::aten::DimOrderType dim_order_5d[5] = {0, 2, 3, 4, 1};
 
@@ -273,7 +283,7 @@ TEST(DimOrderUtilTest, IsChannelsLastDimOrderTest) {
   EXPECT_FALSE(is_contiguous_dim_order(dim_order_5d, 5));
 }
 
-TEST(DimOrderUtilTest, IsChannelsLastDimOrderFailCasesTest) {
+TEST_F(DimOrderUtilTest, IsChannelsLastDimOrderFailCasesTest) {
   // Non 4D and 5D dim order returns false
   executorch::aten::DimOrderType dim_order_3d[4] = {1, 2, 0};
   executorch::aten::DimOrderType dim_order_6d[6] = {0, 2, 3, 4, 5, 1};
@@ -287,3 +297,52 @@ TEST(DimOrderUtilTest, IsChannelsLastDimOrderFailCasesTest) {
   EXPECT_FALSE(is_channels_last_dim_order(dim_order_4d, 4));
   EXPECT_FALSE(is_channels_last_dim_order(dim_order_5d, 5));
 }
+
+TEST_F(DimOrderUtilTest, DimOrderWithAllDuplicatesReturnsError) {
+  executorch::aten::SizesType sizes[3] = {2, 3, 4};
+  executorch::aten::SizesType dim_order[3] = {0, 0, 0};
+  executorch::aten::SizesType strides[3] = {0, 0, 0};
+
+  auto error = dim_order_to_stride(sizes, dim_order, 3, strides);
+  EXPECT_EQ(error, Error::InvalidArgument);
+}
+
+TEST_F(DimOrderUtilTest, DimOrderWithPartialDuplicateReturnsError) {
+  executorch::aten::SizesType sizes[3] = {2, 3, 4};
+  executorch::aten::SizesType dim_order[3] = {0, 1, 1};
+  executorch::aten::SizesType strides[3] = {0, 0, 0};
+
+  auto error = dim_order_to_stride(sizes, dim_order, 3, strides);
+  EXPECT_EQ(error, Error::InvalidArgument);
+}
+
+TEST_F(DimOrderUtilTest, DimOrderWithMissingValueReturnsError) {
+  executorch::aten::SizesType sizes[3] = {2, 3, 4};
+  executorch::aten::SizesType dim_order[3] = {1, 2, 2};
+  executorch::aten::SizesType strides[3] = {0, 0, 0};
+
+  auto error = dim_order_to_stride(sizes, dim_order, 3, strides);
+  EXPECT_EQ(error, Error::InvalidArgument);
+}
+
+TEST_F(DimOrderUtilTest, DimOrderWithOutOfBoundsValueReturnsError) {
+  executorch::aten::SizesType sizes[3] = {2, 3, 4};
+  executorch::aten::SizesType dim_order[3] = {0, 1, 5};
+  executorch::aten::SizesType strides[3] = {0, 0, 0};
+
+  auto error = dim_order_to_stride(sizes, dim_order, 3, strides);
+  EXPECT_EQ(error, Error::InvalidArgument);
+}
+
+TEST_F(DimOrderUtilTest, TooManyDimsReturnsError) {
+  constexpr size_t kTooManyDims =
+      executorch::runtime::kTensorDimensionLimit + 1;
+  std::vector<executorch::aten::SizesType> sizes(kTooManyDims, 1);
+  std::vector<executorch::aten::SizesType> dim_order(kTooManyDims);
+  std::iota(dim_order.begin(), dim_order.end(), 0);
+  std::vector<executorch::aten::SizesType> strides(kTooManyDims, 0);
+
+  auto error = dim_order_to_stride(
+      sizes.data(), dim_order.data(), kTooManyDims, strides.data());
+  EXPECT_EQ(error, Error::InvalidArgument);
+}
