Sorry for taking two weeks to notice this.

For a while we were using the GCC compiler sanitizers in CI but turned them off after encountering mysterious flaky failures. Perhaps things have improved since then?

If I were setting this up from scratch on Linux, I'd use an LLVM toolchain.

I have a vague feeling that the tests will also run faster under LLVM's ASan implementation. Of course it's apples-to-oranges because of the different CPU and OS but the Mac ASan builds using LLVM run the tests in 8.5 minutes but the GCC ASan tests run in 15 minutes.

Thankfully, we have a neat fix for this already. @nascheme set up ASan docker images that have a CPython build using an LLVM toolchain, see https://github.com/nascheme/cpython_sanity. You should be able to follow the set up of the docker images for the TSan tests, which also use the cpython_sanity images and an LLVM toolchain. This also nicely sidesteps the need to build CPython from source under TSan and the docker images already have a build environment installed.

I haven't seen flakiness running gcc but in any case moving to clang allows to reduce run time a bit, mostly numpy build time, see this workflow run in my fork.
I can move to clang in this PR if this is the preferred option.

As for the Asan docker image, it is not usable without further investigations into the leaks reported when running the free-threaded python build which is the only one available in those images as mentioned in my 3rd remark in the description: "Trying to use ghcr.io/nascheme/numpy-asan:3.14t shows many leaks and at this point, I did not check any of those and felt it was better to get something working reliably with the GIL-enabled interpreter rather than nothing."
I'm trying to narrow down the tests causing those leaks but it will take weeks given the time I can spend on this in my spare time.

which is the only one available in those images as mentioned in my 3rd remark in the description

Sorry, missed this.

I'd like to fix these issues on the free-threaded build, but no worries if you're not interested.

I can move to clang in this PR if this is the preferred option.

Let's do that.

Sorry, missed this.

no worries

I'd like to fix these issues on the free-threaded build, but no worries if you're not interested.

I'll try & post the list of test files that shows leak even if I can't narrow it down to individual tests just yet. This first pass should be faster and can help further investigations by others. Maybe this is better posted as a new issue in the bug tracker.

Let's do that.

done. rebased on main and added clang-21 installation.

First time I've seen use_sigaltstack or strict_init_order. Should we maybe be enabling in other sanitizer jobs?

I've never used them myself before and never saw them either. They come from a grep on ASAN_OPTIONS on the numpy code base which lead me to the following line:

Given it seemed to be used for the linux-x64 build in their, I've copied the same options in the new job.

This looks a bit questionable, if acceptable. We should replace it as soon as Clang 21 packages are available from Ubuntu though, it looks like that's in the 26.04 image which should arrive in a month or two. Maybe add a comment?

comment added.

This looks a bit questionable, if acceptable.

What kind of issue are you worried about ?

I don't want to speak for Ralf, but I guess just depending on upstream binaries instead of system binaries is a little odd. Maybe also the security implications of downloading and executing binaries like this?

Yes, just a general security principle. The more random downloads there are, with no pinning or hashes, the wider the trust circle. If it's the best option for right now, then sure it's not a major issue. But when we can replace it with trusting Ubuntu packages, we should.

I don't think this could be considered as a major supply chain security risk given the source (not so random, upstream LLVM repos) and the fact that's this is only a test job which does not expose sensitive secrets and does not produce any artefacts. It could have been better by manually adding the repo and the public key rather than an unchecked script download but I did not considered the risk enough to warrant for the extra complexity.

I agree however that this can count as an exemple of bad habit regarding supply chain security risk.

@nascheme published some new images including a GIL-enabled ASAN python build. See #30905 for an update of this job. This moves the supply chain security risk to what's been accepted for the TSAN job.

Yep, agreed with all your thoughts - thanks for the follow-up!

I wonder if would be good if I change my docker images to use Ubuntu 25 rather than 24. The 25 release comes with Clang 21 as an Ubuntu package. For testing with TSAN or ASAN, perhaps it's better to be running on the newest stable OS version that's supported.

That does seem useful indeed, newer Clang versions can help. But no hurry to change it right now on account of NumPy.

The line numbers in the suppressions file might change with bug fix releases. Might be better to use 3.14.3 here?

The line numbers in the suppressions file are just illustrative (the same goes for numpy line numbers in there).
They are not used to determine suppressions, it's just a comment.
I used the same major.minor minus free-threading as what's found in https://github.com/nascheme/cpython_sanity (although cpython 3.14 images have not been rebuilt in a while so stuck to 3.14.0 for now).
I see both pros and cons in pinning python to an exact release. In the pros, obviously stability of the job, it won't fail because a new cpython version is available. On the other hand, I think it would be best to test with the latest patch version as is done in most of the other jobs.

I'm in the process of building images for 3.14.3. They will also be built automatically when there is a new release, which will be nice.