OpenAIGenerator throws pickling exception after single-attempt probes when `parallel_attempts` > 1

[leondz]

OpenAIGenerator throws "TypeError: cannot pickle '_thread.RLock' object" when invoked with --parallel_attempts > 1. The exception appears in a probe executed after a probe that involves only attempt.

debugging journey follows:

---

at commit 5069362292fe2b674000cd25bd80621161515cf3, this test works (i.e. fails) consistently :

(garak) 13:09:01 x1:~/dev/garak [main] $ python3 -m garak -m openai -p lmrc -g 1 -n gpt-3.5-turbo --parallel_attempts 5
garak LLM security probe v0.9.0.12.post1 ( https://github.com/leondz/garak ) at 2024-05-06T13:09:05.179088
📜 reporting to garak_runs/garak.77d7d775-89b3-4ace-bed9-93c9b06a4169.report.jsonl
🦜 loading generator: OpenAI: gpt-3.5-turbo
🕵️  queue of probes: lmrc.Anthropomorphisation, lmrc.Bullying, lmrc.Deadnaming, lmrc.Profanity, lmrc.QuackMedicine, lmrc.SexualContent, lmrc.Sexualisation, lmrc.SlurUsage
lmrc.Anthropomorphisation                                                                lmrc.Anthro: FAIL  ok on    0/  60   (failure rate: 100%)                                                      
lmrc.Bullying                                                             toxicity.ToxicCommentModel: PASS  ok on   70/  70                                                                             
lmrc.Deadnaming                                                             base.TriggerListDetector: FAIL  ok on   10/  60   (failure rate: 83.33%)                                                    
lmrc.Profanity                                             riskywords.SurgeProfanityAnimalReferences: PASS  ok on   20/  20                                                                             
lmrc.Profanity                                                 riskywords.SurgeProfanityBodilyFluids: PASS  ok on   20/  20
lmrc.Profanity                                             riskywords.SurgeProfanityMentalDisability: PASS  ok on   20/  20
lmrc.Profanity                                           riskywords.SurgeProfanityPhysicalAttributes: PASS  ok on   20/  20
lmrc.Profanity                                           riskywords.SurgeProfanityPhysicalDisability: PASS  ok on   20/  20
lmrc.Profanity                                                    riskywords.SurgeProfanityPolitical: PASS  ok on   20/  20
lmrc.Profanity                                                 riskywords.SurgeProfanityRacialEthnic: PASS  ok on   20/  20
lmrc.Profanity                                                    riskywords.SurgeProfanityReligious: PASS  ok on   20/  20
lmrc.Profanity                                                       riskywords.SurgeProfanitySexual: FAIL  ok on   19/  20   (failure rate: 5%)
lmrc.Profanity                                      riskywords.SurgeProfanitySexualOrientationGender: PASS  ok on   20/  20
lmrc.QuackMedicine                                                                lmrc.QuackMedicine: FAIL  ok on    4/  10   (failure rate: 60%)                                                       
lmrc.SexualContent                                                   riskywords.SurgeProfanitySexual: FAIL  ok on    7/  10   (failure rate: 30%)                                                       
probes.lmrc.Sexualisation:   0%|                                                                                                                                                  | 0/3 [00:00<?, ?it/s]Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 13, in <module>
    main()
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 9, in main
    cli.main(sys.argv[1:])
  File "/home/lderczynski/dev/garak/garak/cli.py", line 486, in main
    command.probewise_run(generator, probe_names, evaluator, buff_names)
  File "/home/lderczynski/dev/garak/garak/command.py", line 212, in probewise_run
    probewise_h.run(generator, probe_names, evaluator, buffs)
  File "/home/lderczynski/dev/garak/garak/harnesses/probewise.py", line 106, in run
    h.run(model, [probe], detectors, evaluator, announce_probe=False)
  File "/home/lderczynski/dev/garak/garak/harnesses/base.py", line 93, in run
    attempt_results = probe.probe(model)
                      ^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 204, in probe
    attempts_completed = self._execute_all(attempts_todo)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 167, in _execute_all
    for result in attempt_pool.imap_unordered(
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 873, in next
    raise value
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 540, in _handle_tasks
    put(task)
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/connection.py", line 206, in send
    self._send_bytes(_ForkingPickler.dumps(obj))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/reduction.py", line 51, in dumps
    cls(buf, protocol).dump(obj)
TypeError: cannot pickle '_thread.RLock' object
(garak) 13:09:35 x1:~/dev/garak [main] $                                                                    

requesting just the single failing probe does no evoke the error:

(garak) 13:09:35 x1:~/dev/garak [main] $ python3 -m garak -m openai -p lmrc.Sexualisation -g 1 -n gpt-3.5-turbo --parallel_attempts 5
garak LLM security probe v0.9.0.12.post1 ( https://github.com/leondz/garak ) at 2024-05-06T13:10:51.909218
📜 reporting to garak_runs/garak.d55f8d35-ee28-4e7a-b2c3-12e847d8e3ef.report.jsonl
🦜 loading generator: OpenAI: gpt-3.5-turbo
🕵️  queue of probes: lmrc.Sexualisation
lmrc.Sexualisation                                                   riskywords.SurgeProfanitySexual: FAIL  ok on   19/  30   (failure rate: 36.67%)                                                    
📜 report closed :) garak_runs/garak.d55f8d35-ee28-4e7a-b2c3-12e847d8e3ef.report.jsonl
📜 report html summary being written to garak_runs/garak.d55f8d35-ee28-4e7a-b2c3-12e847d8e3ef.report.html
✔️  garak run complete in 3.06s
(garak) 13:10:55 x1:~/dev/garak [main] $ 

really weird. it persists with --parallel_attempts 2. it's also present for a dan probe, but again only seems to turn up if another probe has been run first?:

garak) 13:15:55 x1:~/dev/garak [main] $ python3 -m garak -m openai -p dan.AutoDANCached -g 1 -n gpt-3.5-turbo --parallel_attempts 2
garak LLM security probe v0.9.0.12.post1 ( https://github.com/leondz/garak ) at 2024-05-06T13:15:58.012301
📜 reporting to garak_runs/garak.bf907515-98a7-4f4b-a824-ba24a9944b38.report.jsonl
🦜 loading generator: OpenAI: gpt-3.5-turbo
🕵️  queue of probes: dan.AutoDANCached
dan.AutoDANCached                                                                            dan.DAN: PASS  ok on    3/   3                                                                             
dan.AutoDANCached                                                        mitigation.MitigationBypass: FAIL  ok on    2/   3   (failure rate: 33.33%)
📜 report closed :) garak_runs/garak.bf907515-98a7-4f4b-a824-ba24a9944b38.report.jsonl
📜 report html summary being written to garak_runs/garak.bf907515-98a7-4f4b-a824-ba24a9944b38.report.html
✔️  garak run complete in 4.77s
(garak) 13:16:02 x1:~/dev/garak [main] $ python3 -m garak -m openai -p dan -g 1 -n gpt-3.5-turbo --parallel_attempts 2
garak LLM security probe v0.9.0.12.post1 ( https://github.com/leondz/garak ) at 2024-05-06T13:16:12.004616
📜 reporting to garak_runs/garak.fc080f35-84aa-4895-892a-a0aa361a88ef.report.jsonl
🦜 loading generator: OpenAI: gpt-3.5-turbo
🕵️  queue of probes: dan.AntiDAN, dan.AutoDANCached, dan.ChatGPT_Developer_Mode_RANTI, dan.ChatGPT_Developer_Mode_v2, dan.ChatGPT_Image_Markdown, dan.DAN_Jailbreak, dan.DUDE, dan.Dan_10_0, dan.Dan_11_0, dan.Dan_6_0, dan.Dan_6_2, dan.Dan_7_0, dan.Dan_8_0, dan.Dan_9_0, dan.STAN
dan.AntiDAN                                                                              dan.AntiDAN: FAIL  ok on    0/   1   (failure rate: 100%)                                                      
dan.AntiDAN                                                              mitigation.MitigationBypass: PASS  ok on    1/   1
probes.dan.AutoDANCached:   0%|                                                                                                                                                   | 0/3 [00:00<?, ?it/s]Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 13, in <module>
    main()
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 9, in main
    cli.main(sys.argv[1:])
  File "/home/lderczynski/dev/garak/garak/cli.py", line 486, in main
    command.probewise_run(generator, probe_names, evaluator, buff_names)
  File "/home/lderczynski/dev/garak/garak/command.py", line 212, in probewise_run
    probewise_h.run(generator, probe_names, evaluator, buffs)
  File "/home/lderczynski/dev/garak/garak/harnesses/probewise.py", line 106, in run
    h.run(model, [probe], detectors, evaluator, announce_probe=False)
  File "/home/lderczynski/dev/garak/garak/harnesses/base.py", line 93, in run
    attempt_results = probe.probe(model)
                      ^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 204, in probe
    attempts_completed = self._execute_all(attempts_todo)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 167, in _execute_all
    for result in attempt_pool.imap_unordered(
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 873, in next
    raise value
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 540, in _handle_tasks
    put(task)
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/connection.py", line 206, in send
    self._send_bytes(_ForkingPickler.dumps(obj))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/reduction.py", line 51, in dumps
    cls(buf, protocol).dump(obj)
TypeError: cannot pickle '_thread.RLock' object
(garak) 13:16:15 x1:~/dev/garak [main] $                                                                                                                                                                

putting the two "offending" probes one after another led to nothing:

(garak) 13:18:05 x1:~/dev/garak [main] $ python3 -m garak -m openai -p lmrc.Sexualisation,dan.AutoDANCached -g 1 -n gpt-3.5-turbo --parallel_attempts 2
garak LLM security probe v0.9.0.12.post1 ( https://github.com/leondz/garak ) at 2024-05-06T13:18:19.548692
📜 reporting to garak_runs/garak.e6013e3e-1cc3-41f1-b9c7-b093485cba2c.report.jsonl
🦜 loading generator: OpenAI: gpt-3.5-turbo
🕵️  queue of probes: dan.AutoDANCached, lmrc.Sexualisation
dan.AutoDANCached                                                                            dan.DAN: PASS  ok on    3/   3                                                                             
dan.AutoDANCached                                                        mitigation.MitigationBypass: FAIL  ok on    0/   3   (failure rate: 100%)
lmrc.Sexualisation                                                   riskywords.SurgeProfanitySexual: FAIL  ok on    2/   3   (failure rate: 33.33%)                                                    
📜 report closed :) garak_runs/garak.e6013e3e-1cc3-41f1-b9c7-b093485cba2c.report.jsonl
📜 report html summary being written to garak_runs/garak.e6013e3e-1cc3-41f1-b9c7-b093485cba2c.report.html
✔️  garak run complete in 5.46s
(garak) 13:18:25 x1:~/dev/garak [main] $ 

but having one of the probes used before the failure, in first place, did summon an exception:

(garak) 13:19:17 x1:~/dev/garak [main] $ python3 -m garak -m openai -p lmrc.Sexualisation,dan.AntiDAN -g 1 -n gpt-3.5-turbo --parallel_attempts 2
garak LLM security probe v0.9.0.12.post1 ( https://github.com/leondz/garak ) at 2024-05-06T13:19:23.187934
📜 reporting to garak_runs/garak.c0ed2fc3-1182-4ee4-ba52-3690eebcbd1f.report.jsonl
🦜 loading generator: OpenAI: gpt-3.5-turbo
🕵️  queue of probes: dan.AntiDAN, lmrc.Sexualisation
dan.AntiDAN                                                                              dan.AntiDAN: PASS  ok on    1/   1                                                                             
dan.AntiDAN                                                              mitigation.MitigationBypass: PASS  ok on    1/   1
probes.lmrc.Sexualisation:   0%|                                                                                                                                                  | 0/3 [00:00<?, ?it/s]Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 13, in <module>
    main()
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 9, in main
    cli.main(sys.argv[1:])
  File "/home/lderczynski/dev/garak/garak/cli.py", line 486, in main
    command.probewise_run(generator, probe_names, evaluator, buff_names)
  File "/home/lderczynski/dev/garak/garak/command.py", line 212, in probewise_run
    probewise_h.run(generator, probe_names, evaluator, buffs)
  File "/home/lderczynski/dev/garak/garak/harnesses/probewise.py", line 106, in run
    h.run(model, [probe], detectors, evaluator, announce_probe=False)
  File "/home/lderczynski/dev/garak/garak/harnesses/base.py", line 93, in run
    attempt_results = probe.probe(model)
                      ^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 204, in probe
    attempts_completed = self._execute_all(attempts_todo)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 167, in _execute_all
    for result in attempt_pool.imap_unordered(
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 873, in next
    raise value
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 540, in _handle_tasks
    put(task)
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/connection.py", line 206, in send
    self._send_bytes(_ForkingPickler.dumps(obj))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/reduction.py", line 51, in dumps
    cls(buf, protocol).dump(obj)
TypeError: cannot pickle '_thread.RLock' object
(garak) 13:19:24 x1:~/dev/garak [main] $                                                                                                                                                                

no idea if this is a red herring, but both probes called before the probes that exploded, have just one prompt (and this should skip the parallelisation that's invoked by --parallel_attempts)

trying again, it looks like it is a thing:

(garak) 13:27:19 x1:~/dev/garak [main] $ python3 -m garak -m openai -p lmrc.Bullying,dan.AntiDAN -g 1 -n gpt-3.5-turbo --parallel_attempts 2
garak LLM security probe v0.9.0.12.post1 ( https://github.com/leondz/garak ) at 2024-05-06T13:27:23.276246
📜 reporting to garak_runs/garak.c0d20bdc-3dab-4201-841f-b69514a1bf74.report.jsonl
🦜 loading generator: OpenAI: gpt-3.5-turbo
🕵️  queue of probes: dan.AntiDAN, lmrc.Bullying
dan.AntiDAN                                                                              dan.AntiDAN: PASS  ok on    1/   1                                                                             
dan.AntiDAN                                                              mitigation.MitigationBypass: FAIL  ok on    0/   1   (failure rate: 100%)
probes.lmrc.Bullying:   0%|                                                                                                                                                       | 0/7 [00:00<?, ?it/s]Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 13, in <module>
    main()
  File "/home/lderczynski/dev/garak/garak/__main__.py", line 9, in main
    cli.main(sys.argv[1:])
  File "/home/lderczynski/dev/garak/garak/cli.py", line 486, in main
    command.probewise_run(generator, probe_names, evaluator, buff_names)
  File "/home/lderczynski/dev/garak/garak/command.py", line 212, in probewise_run
    probewise_h.run(generator, probe_names, evaluator, buffs)
  File "/home/lderczynski/dev/garak/garak/harnesses/probewise.py", line 106, in run
    h.run(model, [probe], detectors, evaluator, announce_probe=False)
  File "/home/lderczynski/dev/garak/garak/harnesses/base.py", line 93, in run
    attempt_results = probe.probe(model)
                      ^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 204, in probe
    attempts_completed = self._execute_all(attempts_todo)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/dev/garak/garak/probes/base.py", line 167, in _execute_all
    for result in attempt_pool.imap_unordered(
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 873, in next
    raise value
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/pool.py", line 540, in _handle_tasks
    put(task)
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/connection.py", line 206, in send
    self._send_bytes(_ForkingPickler.dumps(obj))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/lderczynski/anaconda3/envs/garak/lib/python3.12/multiprocessing/reduction.py", line 51, in dumps
    cls(buf, protocol).dump(obj)
TypeError: cannot pickle '_thread.RLock' object
(garak) 13:27:27 x1:~/dev/garak [main] $                                                                                                                                                                

that's consistent enough for me - i'll re-write the summary at the top of this issue :)

[leondz]

• [ ] @leondz Write a test for this

[jmartin-tech]

This looks to occur when an exception occurs and the backoff decorator intercepts, the generator instance is trying to be embedded in the exception being passed back to the primary process as the result object and is serialized via dumps().

A short term way to address this can be to clear the client on exception. Implementing a true custom pickle response could also mitigate this issue for the instance however it would not address other exceptions that might raise with object data that is not pickle safe either in dumps() or loads() of the object.

Once such instance is when a 4xx error occurs, notice this error is on the parent loads() side of the result processing:

Exception in thread Thread-4 (_handle_results):
Traceback (most recent call last):
  File "/Users/jemartin/.pyenv/versions/3.10.14/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
    self.run()
  File "/Users/jemartin/.pyenv/versions/3.10.14/lib/python3.10/threading.py", line 953, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/jemartin/.pyenv/versions/3.10.14/lib/python3.10/multiprocessing/pool.py", line 579, in _handle_results
    task = get()
  File "/Users/jemartin/.pyenv/versions/3.10.14/lib/python3.10/multiprocessing/connection.py", line 251, in recv
    return _ForkingPickler.loads(buf.getbuffer())
TypeError: APIStatusError.__init__() missing 2 required keyword-only arguments: 'response' and 'body'

More testing is in progress to determine if this if backoff is occurring in the parent or child process to determine how we might approach a general solution that can handle any exception that might occur in _call_model.

[leondz]

Interesting. Exception in _ForkingPickler.loads() seems telling. I can see some tests using request_mock becoming worthwhile to check behaviour of OpenAICompatible (and perhaps descendants) in response to 4xx, 5xx, other codes -- potentially under generations=1 and generations>1 conditions (do you think that part was relevant?)

[jmartin-tech]

Agreed, I will incorporate tests in my solution to add some mulitprocessing validation for each of the supported backoff exceptions and for HTTP error code responses.