From a166f95505318157cfbd4a5415d11bd4993bc74f Mon Sep 17 00:00:00 2001
From: Sam Gross <colesbury@gmail.com>
Date: Mon, 12 Jan 2026 14:43:12 -0500
Subject: [PATCH 1/2] gh-143750: Compile OpenSSL with TSan for TSan CI

- Also fix "Install dependencies" step so that we use the installed Clang.
  We can use clang-20 on both ASan and TSan now.
---
 .github/workflows/reusable-san.yml | 39 ++++++++++++++++++++++--------
 Tools/ssl/multissltests.py         |  8 ++++++
 2 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
index c601d0b73380d4..b6493c64e626eb 100644
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -23,8 +23,17 @@ jobs:
         && ' (free-threading)'
         || ''
       }}
-    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-24.04]
+        openssl_ver: [3.5.4]
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 60
+    env:
+      OPENSSL_VER: ${{ matrix.openssl_ver }}
+      MULTISSL_DIR: ${{ github.workspace }}/multissl
+      OPENSSL_DIR: ${{ github.workspace }}/multissl/openssl/${{ matrix.openssl_ver }}
     steps:
     - uses: actions/checkout@v4
       with:
@@ -37,17 +46,16 @@ jobs:
         # Install clang
         wget https://apt.llvm.org/llvm.sh
         chmod +x llvm.sh
-
-        if [ "${SANITIZER}" = "TSan" ]; then
-          sudo ./llvm.sh 17  # gh-121946: llvm-18 package is temporarily broken
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-17 100
-          sudo update-alternatives --set clang /usr/bin/clang-17
-          sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-17 100
-          sudo update-alternatives --set clang++ /usr/bin/clang++-17
+        sudo ./llvm.sh 20
+        sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-20 100
+        sudo update-alternatives --set clang /usr/bin/clang-20
+        sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-20 100
+        sudo update-alternatives --set clang++ /usr/bin/clang++-20
+        sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-20 100
+        sudo update-alternatives --set llvm-symbolizer /usr/bin/llvm-symbolizer-20
+        if [ "${{ inputs.sanitizer }}" = "TSan" ]; then
           # Reduce ASLR to avoid TSan crashing
           sudo sysctl -w vm.mmap_rnd_bits=28
-        else
-          sudo ./llvm.sh 20
         fi
 
     - name: Sanitizer option setup
@@ -69,6 +77,16 @@ jobs:
     - name: Add ccache to PATH
       run: |
         echo "PATH=/usr/lib/ccache:$PATH" >> "$GITHUB_ENV"
+    - name: 'Restore OpenSSL build (TSan)'
+      id: cache-openssl
+      uses: actions/cache@v4
+      if: inputs.sanitizer == 'TSan'
+      with:
+        path: ./multissl/openssl/${{ env.OPENSSL_VER }}
+        key: ${{ matrix.os }}-multissl-openssl-tsan-${{ env.OPENSSL_VER }}
+    - name: Install OpenSSL (TSan)
+      if: steps.cache-openssl.outputs.cache-hit != 'true' && inputs.sanitizer == 'TSan'
+      run: python3 Tools/ssl/multissltests.py --steps=library --base-directory "$MULTISSL_DIR" --openssl "$OPENSSL_VER" --system Linux --tsan
     - name: Configure CPython
       run: >-
         ./configure
@@ -79,6 +97,7 @@ jobs:
           || '--with-undefined-behavior-sanitizer'
         }}
         --with-pydebug
+        ${{ inputs.sanitizer == 'TSan' && ' --with-openssl="$OPENSSL_DIR" --with-openssl-rpath=auto' || '' }}
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
     - name: Build CPython
       run: make -j4
diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py
index 56976de49989ec..0874d2a8108c75 100755
--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -158,6 +158,12 @@
     dest='keep_sources',
     help="Keep original sources for debugging."
 )
+parser.add_argument(
+    '--tsan',
+    action='store_true',
+    dest='tsan',
+    help="Build with thread sanitizer. (Disables fips in OpenSSL 3.x)."
+)
 
 
 class AbstractBuilder(object):
@@ -312,6 +318,8 @@ def _build_src(self, config_args=()):
         """Now build openssl"""
         log.info("Running build in {}".format(self.build_dir))
         cwd = self.build_dir
+        if self.args.tsan:
+            config_args += ("-fsanitize=thread",)
         cmd = [
             "./config", *config_args,
             "shared", "--debug",

From 4ea7a62b457a79478e96503bc15f347fa1618939 Mon Sep 17 00:00:00 2001
From: Sam Gross <colesbury@gmail.com>
Date: Mon, 12 Jan 2026 14:48:55 -0500
Subject: [PATCH 2/2] Move and adjust check to satisfy lint

---
 .github/workflows/reusable-san.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
index b6493c64e626eb..17fcff116788db 100644
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -53,13 +53,13 @@ jobs:
         sudo update-alternatives --set clang++ /usr/bin/clang++-20
         sudo update-alternatives --install /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-20 100
         sudo update-alternatives --set llvm-symbolizer /usr/bin/llvm-symbolizer-20
-        if [ "${{ inputs.sanitizer }}" = "TSan" ]; then
-          # Reduce ASLR to avoid TSan crashing
-          sudo sysctl -w vm.mmap_rnd_bits=28
-        fi
 
     - name: Sanitizer option setup
       run: |
+        if [ "${SANITIZER}" = "TSan" ]; then
+          # Reduce ASLR to avoid TSan crashing
+          sudo sysctl -w vm.mmap_rnd_bits=28
+        fi
         if [ "${SANITIZER}" = "TSan" ]; then
           echo "TSAN_OPTIONS=${SAN_LOG_OPTION} suppressions=${GITHUB_WORKSPACE}/Tools/tsan/suppressions${{
               fromJSON(inputs.free-threading)