Skip to content

Refactoring for TGL integration (including Phoenix, FA4, and cross-node support)#7

Open
avnermay wants to merge 45 commits intomainfrom
avner/sglang-fa4-phnx
Open

Refactoring for TGL integration (including Phoenix, FA4, and cross-node support)#7
avnermay wants to merge 45 commits intomainfrom
avner/sglang-fa4-phnx

Conversation

@avnermay
Copy link
Copy Markdown
Collaborator

@avnermay avnermay commented Mar 31, 2026

No description provided.

avnermay and others added 30 commits March 18, 2026 12:39
@avnermay
Changes for SGLang support
a8be14c
@avnermay
Small test script
1b2af07
@avnermay
Changes
b9aceb5
@avnermay
Runner helpers
fb9546a
@avnermay
Updates to small test, assert in loader.py
e8f7292
@avnermay
Changes
af8c8ac
@avnermay
Refactor of runner_helpers for all send/receive commands to use same …
ff11967 
…functions
@avnermay
Switch some torch.empty calls back to torch.zeros for correctness
6795127
@avnermay
Add PrefillRequest and SpeculationRequest objects in runner_helpers.py
04439b1
@avnermay
NIT bug fix
a3d6cf0
@avnermay
Further refactor of PrefillRequest, SpeculationRequest, SpeculationRe…
0b8a6e5 
…sponse
@avnermay
Improvements to logging
6a36a14
@avnermay
Support for Phoenix V1
b8c1fd7
@avnermay
dist_utils needed for cross-node support
4c127df
@avnermay
Merge branch 'avner/sglang' into avner/sglang-phnx
7a968e8
@avnermay
Fix bugs in how recovery_activations and eagle_activations are set an…
82ca79c 
…d sent to draft process
@avnermay
Merge branch 'avner/sglang' into avner/sglang-phnx
e632702
@avnermay
FA4 initial implementation by CC
7053b80
@avnermay
FA4 support
66b8b7b
@avnermay
Add tests and tree_mask.py so that FA4 works
65301a3
@avnermay
Merge branch 'avner/sglang-fa4' into avner/sglang-phnx-fa4
5256853
@avnermay
Remove debug loading of Eagle activations
fc1130d
@avnermay
Merge branch 'avner/sglang' into avner/sglang-fa4
aa50214
@avnermay
Merge branch 'avner/sglang-fa4' into avner/sglang-fa4-phnx
42cea6b
Update pyproject.toml to reflect flash-attn 4 dependency, and no more…
d1c9215 
… flashinfer dependency
Merge branch 'avner/sglang-fa4' into avner/sglang-fa4-phnx
eb13cd3
@avnermay
Fix FA4 import
2463748
@avnermay
Merge branch 'avner/sglang-fa4' into avner/sglang-fa4-phnx
7184e54
@avnermay
Add logging statement once draft process is waiting for target proces…
d86d0fb 
…s in cross-node case
@avnermay
Merge branch 'avner/sglang-fa4' into avner/sglang-fa4-phnx
ab487ac
@avnermay avnermay changed the title Refactoring for TGL integration (including FA4 and cross-node support) Refactoring for TGL integration (including Phoenix, FA4, and cross-node support) Mar 31, 2026
arnica-github-connector[bot]
arnica-github-connector bot reviewed Mar 31, 2026
View reviewed changes
ssd/engine/model_runner.py
self.block_size = config.kvcache_block_size
self.enforce_eager = config.enforce_eager
self.tokenizer = AutoTokenizer.from_pretrained(config.tokenizer_path if config.tokenizer_path else config.model, use_fast=True)
self.tokenizer = AutoTokenizer.from_pretrained(config.tokenizer_path if config.tokenizer_path else config.model, use_fast=True, trust_remote_code=True)
Copy link
Copy Markdown

@arnica-github-connector arnica-github-connector bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Static Code Analysis Risk: Together python huggingface trust remote code

trust_remote_code=True downloads and executes arbitrary Python code from the model repository without sandboxing (OWASP LLM03:2025 Supply Chain). A malicious or compromised model repo can achieve RCE on every host that loads the model (CWE-94). Pin to a verified commit hash and audit remote code before use, or use models that don't require trust_remote_code.

Severity: High 🚨
Status: Open 🔴

References:

  1. https://cwe.mitre.org/data/definitions/94
  2. https://huggingface.co/docs/transformers/main/en/main_classes/model#transformers.PreTrainedModel.from_pretrained
  3. https://genai.owasp.org/llmrisk/llm032025-supply-chain/
  4. https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/

Suggested reviewers 🧐: @avnermay

More details:

🌻 View in Arnica

If you see an issue, please contact Shasheen in the #security-engineering Slack channel.

Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

To acknowledge the finding as a valid code risk: [arnica] ack <acknowledge additional details>

To dismiss the risk with a reason: [arnica] dismiss <fp|accept|capacity> <dismissal reason>

Examples

  • [arnica] ack This is a valid risk and I'm looking into it

  • [arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive)

  • [arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system

  • [arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arnica-github-connector arnica-github-connector[bot] arnica-github-connector[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@avnermay