Skip to content

[Core] Upgrade to xgrammar 0.1.18, add cache size limit #16283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vllm-bot merged 1 commit into from
Apr 9, 2025
Merged

[Core] Upgrade to xgrammar 0.1.18, add cache size limit #16283

vllm-bot merged 1 commit into from
Apr 9, 2025

Conversation

@russellb
Copy link
Member

@russellb russellb commented Apr 8, 2025

xgrammar 0.1.18 includes a fix for security vulnerability where a
malicious user can cause vllm to consume all of the host's RAM with
the knowledge that each unique grammar adds an entry to an unbounded
cache in memory.

The cache was implemented in xgrammar PR 243:
mlc-ai/xgrammar#243

This commit makes use of the new option to limit the cache size.
The default is 512MB, which should be reasonable for most use cases.
It will cache roughly 1000 json schemas. The cache size can be changed
using the VLLM_XGRAMMAR_CACHE_MB environment variable.

The security vulnerability was reported here:
GHSA-389x-67px-mjg3

Signed-off-by: Russell Bryant [email protected]

@russellb
[Core] Upgrade to xgrammar 0.1.18, add cache size limit
549f429 
xgrammar 0.1.18 includes a fix for security vulnerability where a
malicious user can cause vllm to consume all of the host's RAM with
the knowledge that each unique grammar adds an entry to an unbounded
cache in memory.

The cache was implemented in xgrammar PR 243:
mlc-ai/xgrammar#243

This commit makes use of the new option to limit the cache size.
The default is 512MB, which should be reasonable for most use cases.
It will cache roughly 1000 json schemas. The cache size can be changed
using the `VLLM_XGRAMMAR_CACHE_MB` environment variable.

The security vulnerability was reported here:
GHSA-389x-67px-mjg3

Signed-off-by: Russell Bryant <[email protected]>
@russellb russellb requested a review from mgoin as a code owner April 8, 2025 19:59
@github-actions
Copy link

github-actions bot commented Apr 8, 2025

👋 Hi! Thank you for contributing to the vLLM project.

💬 Join our developer Slack at https://slack.vllm.ai to discuss your PR in #pr-reviews, coordinate on features in #feat- channels, or join special interest groups in #sig- channels.

Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can either: Add ready label to the PR or enable auto-merge.

🚀

mgoin
mgoin approved these changes Apr 8, 2025
View reviewed changes
Copy link
Member

@mgoin mgoin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the fix

@mgoin mgoin added the ready ONLY add when PR is ready to merge/full CI is needed label Apr 8, 2025
@mgoin mgoin enabled auto-merge (squash) April 8, 2025 20:38
@vllm-bot vllm-bot merged commit cb84e45 into vllm-project:main Apr 9, 2025
83 of 86 checks passed
yma11 pushed a commit to yma11/vllm that referenced this pull request Apr 16, 2025
@russellb @yma11
[Core] Upgrade to xgrammar 0.1.18, add cache size limit (vllm-project…
bd9db6a 
…#16283)

Signed-off-by: Russell Bryant <[email protected]>
yangw-dev pushed a commit to yangw-dev/vllm that referenced this pull request Apr 21, 2025
@russellb @yangw-dev
[Core] Upgrade to xgrammar 0.1.18, add cache size limit (vllm-project…
fe98dff 
…#16283)

Signed-off-by: Russell Bryant <[email protected]>
Signed-off-by: Yang Wang <[email protected]>
@lk-chen lk-chen mentioned this pull request Apr 28, 2025
Closed
jikunshang pushed a commit to jikunshang/vllm that referenced this pull request Apr 29, 2025
@russellb @dbyoung18
[Core] Upgrade to xgrammar 0.1.18, add cache size limit (vllm-project…
94efac2 
…#16283)

Signed-off-by: Russell Bryant <[email protected]>
lk-chen pushed a commit to lk-chen/vllm that referenced this pull request Apr 29, 2025
@russellb @lk-chen
[Core] Upgrade to xgrammar 0.1.18, add cache size limit (vllm-project…
3f6fcdf 
…#16283)

Signed-off-by: Russell Bryant <[email protected]>
RichardoMrMu pushed a commit to RichardoMrMu/vllm that referenced this pull request May 12, 2025
@russellb
[Core] Upgrade to xgrammar 0.1.18, add cache size limit (vllm-project…
cb7f374 
…#16283)

Signed-off-by: Russell Bryant <[email protected]>
Signed-off-by: Mu Huai <[email protected]>
yma11 pushed a commit to yma11/vllm that referenced this pull request Jun 4, 2025
@russellb @yma11
[Core] Upgrade to xgrammar 0.1.18, add cache size limit (vllm-project…
cba80cf 
…#16283)

Signed-off-by: Russell Bryant <[email protected]>
@Wanli-Jiang Wanli-Jiang mentioned this pull request Jun 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mgoin mgoin mgoin approved these changes

Assignees

No one assigned

Labels

ci/build ready ONLY add when PR is ready to merge/full CI is needed structured-output v1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@russellb @mgoin @vllm-bot