TSan with OpenSSL

colesbury · colesbury · commit b2850a2dd4d7 · 2026-01-12T12:44:48.000-05:00
diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
@@ -23,8 +23,18 @@ jobs:
         && ' (free-threading)'
         || ''
       }}
-    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        openssl_ver: [3.5.4]
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 60
+    env:
+      OPENSSL_VER: ${{ matrix.openssl_ver }}
+      MULTISSL_DIR: ${{ github.workspace }}/multissl
+      OPENSSL_DIR: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}
+      LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}/lib
     steps:
     - uses: actions/checkout@v4
       with:
@@ -69,6 +79,16 @@ jobs:
     - name: Add ccache to PATH
       run: |
         echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
+    - name: 'Restore OpenSSL build (TSan)'
+      id: cache-openssl
+      uses: actions/cache@v4
+      if: inputs.sanitizer == 'TSan'
+      with:
+        path: ./multissl/openssl/${{ env.OPENSSL_VER }}
+        key: ${{ matrix.os }}-multissl-openssl-tsan-${{ env.OPENSSL_VER }}
+    - name: Install OpenSSL (TSan)
+      if: steps.cache-openssl.outputs.cache-hit != 'true' && inputs.sanitizer == 'TSan'
+      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --openssl "$OPENSSL_VER" --system Linux --tsan
     - name: Configure CPython
       run: >-
         ./configure
@@ -79,6 +99,7 @@ jobs:
           || '--with-undefined-behavior-sanitizer'
         }}
         --with-pydebug
+        ${{ inputs.sanitizer == 'TSan' && ' --with-openssl="$OPENSSL_DIR"' || '' }}
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
     - name: Build CPython
       run: make -j4
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
@@ -158,6 +158,12 @@
     dest='keep_sources',
     help="Keep original sources for debugging."
 )
+parser.add_argument(
+    '--tsan',
+    action='store_true',
+    dest='tsan',
+    help="Build with thread sanitizer. (Disables fips in OpenSSL 3.x)."
+)
 
 
 class AbstractBuilder(object):
@@ -312,6 +318,8 @@ def _build_src(self, config_args=()):
         """Now build openssl"""
         log.info("Running build in {}".format(self.build_dir))
         cwd = self.build_dir
+        if self.args.tsan:
+            config_args += ("-fsanitize=thread",)
         cmd = [
             "./config", *config_args,
             "shared", "--debug",
