Version bump to 3.11.3 (#21607)

* Disable `torch.load` in `TorchModuleWrapper` when in safe mode. (#21575)

Raise an exception and explain the user about the risks.

* Propagate `safe_mode` flag to legacy h5 loading code. (#21602)

Also:
- made various error messages related to `safe_mode` more consistent
- removed no-op renaming code in legacy saving
- uncommented unit tests in `serialization_lib_test.py`

* Fix GRU with return_state=True on tf backend with cuda (#21603)

* Version bump to 3.11.3

---------

Co-authored-by: hertschuh <[email protected]>
Co-authored-by: Matt Watson <[email protected]>

Author: 3 people

keras/src/backend/tensorflow/rnn.py

@@ -778,7 +778,7 @@ def _cudnn_gru(
     return (
         last_output,
         outputs,
-        state,
+        [state],
     )
 
 

keras/src/layers/core/lambda_layer.py

@@ -167,14 +167,15 @@ def _serialize_function_to_config(self, fn):
         )
 
     @staticmethod
-    def _raise_for_lambda_deserialization(arg_name, safe_mode):
+    def _raise_for_lambda_deserialization(safe_mode):
         if safe_mode:
             raise ValueError(
-                f"The `{arg_name}` of this `Lambda` layer is a Python lambda. "
-                "Deserializing it is unsafe. If you trust the source of the "
-                "config artifact, you can override this error "
-                "by passing `safe_mode=False` "
-                "to `from_config()`, or calling "
+                "Requested the deserialization of a `Lambda` layer whose "
+                "`function` is a Python lambda. This carries a potential risk "
+                "of arbitrary code execution and thus it is disallowed by "
+                "default. If you trust the source of the artifact, you can "
+                "override this error by passing `safe_mode=False` to the "
+                "loading function, or calling "
                 "`keras.config.enable_unsafe_deserialization()."
             )
 
@@ -187,7 +188,7 @@ def from_config(cls, config, custom_objects=None, safe_mode=None):
             and "class_name" in fn_config
             and fn_config["class_name"] == "__lambda__"
         ):
-            cls._raise_for_lambda_deserialization("function", safe_mode)
+            cls._raise_for_lambda_deserialization(safe_mode)
             inner_config = fn_config["config"]
             fn = python_utils.func_load(
                 inner_config["code"],
@@ -206,7 +207,7 @@ def from_config(cls, config, custom_objects=None, safe_mode=None):
                 and "class_name" in fn_config
                 and fn_config["class_name"] == "__lambda__"
             ):
-                cls._raise_for_lambda_deserialization("function", safe_mode)
+                cls._raise_for_lambda_deserialization(safe_mode)
                 inner_config = fn_config["config"]
                 fn = python_utils.func_load(
                     inner_config["code"],

keras/src/layers/rnn/gru_test.py

@@ -205,6 +205,41 @@ def test_pass_initial_state(self):
             output,
         )
 
+    def test_pass_return_state(self):
+        sequence = np.arange(24).reshape((2, 4, 3)).astype("float32")
+        initial_state = np.arange(4).reshape((2, 2)).astype("float32")
+
+        # Test with go_backwards=False
+        layer = layers.GRU(
+            2,
+            kernel_initializer=initializers.Constant(0.01),
+            recurrent_initializer=initializers.Constant(0.02),
+            bias_initializer=initializers.Constant(0.03),
+            return_state=True,
+        )
+        output, state = layer(sequence, initial_state=initial_state)
+        self.assertAllClose(
+            np.array([[0.23774096, 0.33508456], [0.83659905, 1.0227708]]),
+            output,
+        )
+        self.assertAllClose(output, state)
+
+        # Test with go_backwards=True
+        layer = layers.GRU(
+            2,
+            kernel_initializer=initializers.Constant(0.01),
+            recurrent_initializer=initializers.Constant(0.02),
+            bias_initializer=initializers.Constant(0.03),
+            return_state=True,
+            go_backwards=True,
+        )
+        output, state = layer(sequence, initial_state=initial_state)
+        self.assertAllClose(
+            np.array([[0.13486053, 0.23261218], [0.78257304, 0.9691353]]),
+            output,
+        )
+        self.assertAllClose(output, state)
+
     def test_masking(self):
         sequence = np.arange(24).reshape((2, 4, 3)).astype("float32")
         mask = np.array([[True, True, False, True], [True, False, False, True]])

keras/src/legacy/saving/legacy_h5_format.py

@@ -11,6 +11,7 @@
 from keras.src.legacy.saving import saving_options
 from keras.src.legacy.saving import saving_utils
 from keras.src.saving import object_registration
+from keras.src.saving import serialization_lib
 from keras.src.utils import io_utils
 
 try:
@@ -72,7 +73,9 @@ def save_model_to_hdf5(model, filepath, overwrite=True, include_optimizer=True):
             f.close()
 
 
-def load_model_from_hdf5(filepath, custom_objects=None, compile=True):
+def load_model_from_hdf5(
+    filepath, custom_objects=None, compile=True, safe_mode=True
+):
     """Loads a model saved via `save_model_to_hdf5`.
 
     Args:
@@ -128,7 +131,9 @@ def load_model_from_hdf5(filepath, custom_objects=None, compile=True):
             model_config = model_config.decode("utf-8")
         model_config = json_utils.decode(model_config)
 
-        with saving_options.keras_option_scope(use_legacy_config=True):
+        legacy_scope = saving_options.keras_option_scope(use_legacy_config=True)
+        safe_mode_scope = serialization_lib.SafeModeScope(safe_mode)
+        with legacy_scope, safe_mode_scope:
             model = saving_utils.model_from_config(
                 model_config, custom_objects=custom_objects
             )

keras/src/legacy/saving/legacy_h5_format_test.py

@@ -158,8 +158,13 @@ def test_saving_lambda(self):
 
         temp_filepath = os.path.join(self.get_temp_dir(), "lambda_model.h5")
         legacy_h5_format.save_model_to_hdf5(model, temp_filepath)
-        loaded = legacy_h5_format.load_model_from_hdf5(temp_filepath)
 
+        with self.assertRaisesRegex(ValueError, "arbitrary code execution"):
+            legacy_h5_format.load_model_from_hdf5(temp_filepath)
+
+        loaded = legacy_h5_format.load_model_from_hdf5(
+            temp_filepath, safe_mode=False
+        )
         self.assertAllClose(mean, loaded.layers[1].arguments["mu"])
         self.assertAllClose(std, loaded.layers[1].arguments["std"])
 
@@ -353,8 +358,13 @@ def test_saving_lambda(self):
 
         temp_filepath = os.path.join(self.get_temp_dir(), "lambda_model.h5")
         tf_keras_model.save(temp_filepath)
-        loaded = legacy_h5_format.load_model_from_hdf5(temp_filepath)
 
+        with self.assertRaisesRegex(ValueError, "arbitrary code execution"):
+            legacy_h5_format.load_model_from_hdf5(temp_filepath)
+
+        loaded = legacy_h5_format.load_model_from_hdf5(
+            temp_filepath, safe_mode=False
+        )
         self.assertAllClose(mean, loaded.layers[1].arguments["mu"])
         self.assertAllClose(std, loaded.layers[1].arguments["std"])
 

keras/src/legacy/saving/saving_utils.py

@@ -1,4 +1,3 @@
-import json
 import threading
 
 from absl import logging
@@ -81,10 +80,6 @@ def model_from_config(config, custom_objects=None):
             function_dict["config"]["closure"] = function_config[2]
             config["config"]["function"] = function_dict
 
-    # TODO(nkovela): Swap find and replace args during Keras 3.0 release
-    # Replace keras refs with keras
-    config = _find_replace_nested_dict(config, "keras.", "keras.")
-
     return serialization.deserialize_keras_object(
         config,
         module_objects=MODULE_OBJECTS.ALL_OBJECTS,
@@ -231,13 +226,6 @@ def _deserialize_metric(metric_config):
     return metrics_module.deserialize(metric_config)
 
 
-def _find_replace_nested_dict(config, find, replace):
-    dict_str = json.dumps(config)
-    dict_str = dict_str.replace(find, replace)
-    config = json.loads(dict_str)
-    return config
-
-
 def _resolve_compile_arguments_compat(obj, obj_config, module):
     """Resolves backwards compatibility issues with training config arguments.
 

keras/src/legacy/saving/serialization.py

@@ -2,7 +2,6 @@
 
 import contextlib
 import inspect
-import json
 import threading
 import weakref
 
@@ -485,12 +484,6 @@ def deserialize(config, custom_objects=None):
             arg_spec = inspect.getfullargspec(cls.from_config)
             custom_objects = custom_objects or {}
 
-            # TODO(nkovela): Swap find and replace args during Keras 3.0 release
-            # Replace keras refs with keras
-            cls_config = _find_replace_nested_dict(
-                cls_config, "keras.", "keras."
-            )
-
             if "custom_objects" in arg_spec.args:
                 deserialized_obj = cls.from_config(
                     cls_config,
@@ -565,10 +558,3 @@ def validate_config(config):
 def is_default(method):
     """Check if a method is decorated with the `default` wrapper."""
     return getattr(method, "_is_default", False)
-
-
-def _find_replace_nested_dict(config, find, replace):
-    dict_str = json.dumps(config)
-    dict_str = dict_str.replace(find, replace)
-    config = json.loads(dict_str)
-    return config

keras/src/saving/saving_api.py

@@ -194,7 +194,10 @@ def load_model(filepath, custom_objects=None, compile=True, safe_mode=True):
         )
     if str(filepath).endswith((".h5", ".hdf5")):
         return legacy_h5_format.load_model_from_hdf5(
-            filepath, custom_objects=custom_objects, compile=compile
+            filepath,
+            custom_objects=custom_objects,
+            compile=compile,
+            safe_mode=safe_mode,
         )
     elif str(filepath).endswith(".keras"):
         raise ValueError(

keras/src/saving/saving_lib_test.py

@@ -880,7 +880,7 @@ def test_safe_mode(self):
             ]
         )
         model.save(temp_filepath)
-        with self.assertRaisesRegex(ValueError, "Deserializing it is unsafe"):
+        with self.assertRaisesRegex(ValueError, "arbitrary code execution"):
             model = saving_lib.load_model(temp_filepath)
         model = saving_lib.load_model(temp_filepath, safe_mode=False)
 

keras/src/saving/serialization_lib.py

@@ -656,12 +656,12 @@ class ModifiedMeanSquaredError(keras.losses.MeanSquaredError):
     if config["class_name"] == "__lambda__":
         if safe_mode:
             raise ValueError(
-                "Requested the deserialization of a `lambda` object. "
-                "This carries a potential risk of arbitrary code execution "
-                "and thus it is disallowed by default. If you trust the "
-                "source of the saved model, you can pass `safe_mode=False` to "
-                "the loading function in order to allow `lambda` loading, "
-                "or call `keras.config.enable_unsafe_deserialization()`."
+                "Requested the deserialization of a Python lambda. This "
+                "carries a potential risk of arbitrary code execution and thus "
+                "it is disallowed by default. If you trust the source of the "
+                "artifact, you can override this error by passing "
+                "`safe_mode=False` to the loading function, or calling "
+                "`keras.config.enable_unsafe_deserialization()."
             )
         return python_utils.func_load(inner_config["value"])
     if tf is not None and config["class_name"] == "__typespec__":