Merge branch 'main' into release/0.9.x

.github/workflows/scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+        uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
         with:
           sarif_file: results.sarif

.licenserc.yaml

@@ -40,6 +40,7 @@ header: # <1>
     - '**/*.mlir'
     - '**/*.csv'
     - '**/*.tmpl'
+    - 'libspu/compiler/tests/interpret/template/**.template'
     - 'LICENSE'
     - 'NOTICE'
     - '.bazelversion'

.vscode/settings.json

@@ -41,5 +41,5 @@
     "[python]": {
         "editor.defaultFormatter": "ms-python.black-formatter"
     },
-    "mlir.server_path": "bazel-bin/libspu/compiler/tools/pphlo-lsp"
+    "mlir.server_path": "bazel-bin/libspu/compiler/tools/spu-lsp"
 }

CHANGELOG.md

@@ -10,6 +10,12 @@
 >
 > please add your unreleased change here.
 
+## 20240716
+
+- [SPU] 0.9.2b0 release
+- [Feature] Support jax.numpy.bitwise_count
+- [Bugfix] Fix jax.numpy.signbit wrong answer with very large input
+
 ## 20240621
 
 - [SPU] 0.9.1b0 release

README.md

@@ -71,4 +71,4 @@ If you think SPU is helpful for your research or development, please consider ci
 
 ## Acknowledgement
 
-We thank the significant contributions made by [Alibaba Gemini Lab](https://alibaba-gemini-lab.github.io).
+We thank the significant contributions made by [Alibaba Gemini Lab](https://alibaba-gemini-lab.github.io) and security advisories made by [VUL337@NISL@THU](https://netsec.ccert.edu.cn/vul337).

bazel/repositories.bzl

@@ -40,21 +40,21 @@ def _yacl():
         http_archive,
         name = "yacl",
         urls = [
-            "https://github.com/secretflow/yacl/archive/refs/tags/0.4.5b1.tar.gz",
+            "https://github.com/secretflow/yacl/archive/refs/tags/0.4.5b3.tar.gz",
         ],
-        strip_prefix = "yacl-0.4.5b1",
-        sha256 = "28064053b9add0db8e1e8e648421a0579f1d3e7ee8a4bbd7bd5959cb59598088",
+        strip_prefix = "yacl-0.4.5b3",
+        sha256 = "bd89d63312e5e83eff5e001e2cf2135baff321c4b72a309f7d00cc53ce02e1a1",
     )
 
 def _libpsi():
     maybe(
         http_archive,
         name = "psi",
         urls = [
-            "https://github.com/secretflow/psi/archive/refs/tags/v0.4.0.dev240524.tar.gz",
+            "https://github.com/secretflow/psi/archive/refs/tags/v0.4.0beta.tar.gz",
         ],
-        strip_prefix = "psi-0.4.0.dev240524",
-        sha256 = "c2868fa6a9d804e6bbed9922dab6dc819ec6e180e15eafe7eb1b661302508c88",
+        strip_prefix = "psi-0.4.0beta",
+        sha256 = "c2fbf486a66eca9d3ec1725a81d93a7c6e80a9206ef1c9263a1608e0bef95e1a",
     )
 
 def _rules_proto_grpc():
@@ -136,8 +136,8 @@ def _bazel_skylib():
     )
 
 def _com_github_openxla_xla():
-    OPENXLA_COMMIT = "d9d0e780ff6a37c4d501c8e0e4f4a9fdca30cbd4"
-    OPENXLA_SHA256 = "77ef83491f409afbe549a2bd695d710a70fdf7f04db35eeb1fba3e97ef767113"
+    OPENXLA_COMMIT = "9b0dd58c9b625a2e958f4fc7787a1ff5c95dbb40"
+    OPENXLA_SHA256 = "f150c5b49e4d4497aae2c79232f1efe2baccaa72223b21dc8715be73eab74417"
 
     # We need openxla to handle xla/mhlo/stablehlo
     maybe(
@@ -169,10 +169,10 @@ def _com_github_pybind11():
         http_archive,
         name = "pybind11",
         build_file = "@pybind11_bazel//:pybind11.BUILD",
-        sha256 = "bf8f242abd1abcd375d516a7067490fb71abd79519a282d22b6e4d19282185a7",
-        strip_prefix = "pybind11-2.12.0",
+        sha256 = "51631e88960a8856f9c497027f55c9f2f9115cafb08c0005439838a05ba17bfc",
+        strip_prefix = "pybind11-2.13.1",
         urls = [
-            "https://github.com/pybind/pybind11/archive/refs/tags/v2.12.0.tar.gz",
+            "https://github.com/pybind/pybind11/archive/refs/tags/v2.13.1.tar.gz",
         ],
     )
 
@@ -229,7 +229,7 @@ def _com_github_microsoft_seal():
     maybe(
         http_archive,
         name = "com_github_microsoft_seal",
-        sha256 = "78ef7334114de930daf7659e8ba60c5abfff85c86ec2b827a2b7c67c3c42da43",
+        sha256 = "acc2a1a127a85d1e1ffcca3ffd148f736e665df6d6b072df0e42fff64795a13c",
         strip_prefix = "SEAL-4.1.2",
         type = "tar.gz",
         patch_args = ["-p1"],

docs/development/pipeline.rst

@@ -39,17 +39,17 @@ The horizontal part depicts the data pipeline, from left to right.
 1. Data providers use :ref:`SPU io <reference/py_api:Runtime IO>` module to encrypt input data.
 
    * For SPU MPC backend, *encrypt* means to split plaintext data into shares.
-   * For floating point data, encoding to fixed-point may be also required.
+   * For floating-point data, encoding to fixed-point may be also required.
 
-2. The encrypted data is send to :ref:`SPU runtime <reference/py_api:Runtime Setup>`.
-3. The output data is fetched *result owner*, and decrypted by the :ref:`SPU io <reference/py_api:Runtime IO>` module.
+2. The encrypted data is sent to :ref:`SPU runtime <reference/py_api:Runtime Setup>`.
+3. The output data is fetched by *result owner*, and decrypted by the :ref:`SPU io <reference/py_api:Runtime IO>` module.
 
 
 Just in time
 ------------
 
-Jit is short for `Just-in-time compilation <https://en.wikipedia.org/wiki/Just-in-time_compilation>`_, with this approach, the compiler can get more information, such as input shapes, than in `AOT mode <https://en.wikipedia.org/wiki/Ahead-of-time_compilation>`_. Jit may introduce more evaluation overhead, but it's really trivial in secure computation setting.
+JIT is short for `Just-in-time compilation <https://en.wikipedia.org/wiki/Just-in-time_compilation>`_, with this approach, the compiler can get more information, such as input shapes, than in `AOT mode <https://en.wikipedia.org/wiki/Ahead-of-time_compilation>`_. JIT may introduce more evaluation overhead, but it's really trivial in secure computation setting.
 
-In SPU, jit has more benefits since the backend engine may be orders of magnitude faster if it knows the *visibility* of data. For example, when multiplying two secrets, the backend MPC engine may involve expensive *beaver triple* progress, but when one of the inputs (of multiply) is public known to all parties, the operation will be much faster. So we should *mark* as much data as possible to be *public* (if it doesn't need to be protected), and tell the compiler these information.
+In SPU, JIT has more benefits since the backend engine may be orders of magnitude faster if it knows the *visibility* of data. For example, when multiplying two secrets, the backend MPC engine may involve expensive *beaver triple* progress, but when one of the inputs (of multiply) is public known to all parties, the operation will be much faster. So we should *mark* as much data as possible to be *public* (if it doesn't need to be protected), and tell the compiler these information.
 
 So, SPU compilation normally happens after all data infeed is done, and `just in time` before the real evaluation.