When I set opt_level to a very large value (such as 10000) in statement tvm.transform.PassContext(), TVM can run well and generated a compiled model without any warning messages. I think it should be a vulnerability.
Hackers can attack TVM by tampering with the unused internal code of opt_level. Due to the lack of warning information, it is difficult for users to notice that they have been attacked.
I think a warning message should be given to remind users when using invalid opt_level.
@tqchen @comaniac @FrozenGene
Do we need to fix this vulnerability?
I’m not familiar with the open source system vulnerability so I’m not sure if it is needed. It doesn’t hurt to add the checks and warnings tho.
Thanks for bringing this up. Right now the API allows opt_level to be the threshold to toggle the passes being enabled. So the API right now also works for opt_level=10000 as intended.
While the exact API design can be discussed(e.g. whether or not we should bring more friendly message for recommended opt_level. The particular issue is more of an usabilty improvement rather than a security issue.
I think add one warning message is enough, which is the common way taken by traditional compiler.
Example:
warning: optimization level '-O5' is not supported; using '-O3' instead