Index: llvm/trunk/lib/Transforms/Instrumentation/EfficiencySanitizer.cpp
===================================================================
--- llvm/trunk/lib/Transforms/Instrumentation/EfficiencySanitizer.cpp
+++ llvm/trunk/lib/Transforms/Instrumentation/EfficiencySanitizer.cpp
@@ -63,6 +63,8 @@
 STATISTIC(NumAccessesWithIrregularSize,
           "Number of accesses with a size outside our targeted callout sizes");
 STATISTIC(NumIgnoredStructs, "Number of ignored structs");
+STATISTIC(NumIgnoredGEPs, "Number of ignored GEP instructions");
+STATISTIC(NumInstrumentedGEPs, "Number of instrumented GEP instructions");
 
 static const uint64_t EsanCtorAndDtorPriority = 0;
 static const char *const EsanModuleCtorName = "esan.module_ctor";
@@ -145,6 +147,7 @@
   bool runOnFunction(Function &F, Module &M);
   bool instrumentLoadOrStore(Instruction *I, const DataLayout &DL);
   bool instrumentMemIntrinsic(MemIntrinsic *MI);
+  bool instrumentGetElementPtr(Instruction *I, Module &M);
   bool shouldIgnoreMemoryAccess(Instruction *I);
   int getMemoryAccessFuncIndex(Value *Addr, const DataLayout &DL);
   Value *appToShadow(Value *Shadow, IRBuilder<> &IRB);
@@ -171,6 +174,9 @@
   Function *MemmoveFn, *MemcpyFn, *MemsetFn;
   Function *EsanCtorFunction;
   Function *EsanDtorFunction;
+  // Remember the counter variable for each struct type to avoid
+  // recomputing the variable name later during instrumentation.
+  std::map<Type *, GlobalVariable *> StructTyMap;
 };
 } // namespace
 
@@ -321,6 +327,9 @@
                          ConstantAggregateZero::get(CounterArrayTy),
                          CounterNameStr);
 
+    // Remember the counter variable for each struct type.
+    StructTyMap.insert(std::pair<Type *, GlobalVariable *>(StructTy, Counters));
+
     // FieldTypeNames.
     // We pass the field type name array to the runtime for better reporting.
     auto *TypeNameArrayTy = ArrayType::get(Int8PtrTy, StructTy->getNumElements());
@@ -477,6 +486,7 @@
     return false;
   SmallVector<Instruction *, 8> LoadsAndStores;
   SmallVector<Instruction *, 8> MemIntrinCalls;
+  SmallVector<Instruction *, 8> GetElementPtrs;
   bool Res = false;
   const DataLayout &DL = M.getDataLayout();
 
@@ -488,6 +498,8 @@
         LoadsAndStores.push_back(&Inst);
       else if (isa<MemIntrinsic>(Inst))
         MemIntrinCalls.push_back(&Inst);
+      else if (isa<GetElementPtrInst>(Inst))
+        GetElementPtrs.push_back(&Inst);
     }
   }
 
@@ -503,6 +515,12 @@
     }
   }
 
+  if (Options.ToolType == EfficiencySanitizerOptions::ESAN_CacheFrag) {
+    for (auto Inst : GetElementPtrs) {
+      Res |= instrumentGetElementPtr(Inst, M);
+    }
+  }
+
   return Res;
 }
 
@@ -591,6 +609,49 @@
   return Res;
 }
 
+bool EfficiencySanitizer::instrumentGetElementPtr(Instruction *I, Module &M) {
+  GetElementPtrInst *GepInst = dyn_cast<GetElementPtrInst>(I);
+  if (GepInst == nullptr || !isa<StructType>(GepInst->getSourceElementType()) ||
+      StructTyMap.count(GepInst->getSourceElementType()) == 0 ||
+      !GepInst->hasAllConstantIndices() ||
+      // Only handle simple struct field GEP.
+      GepInst->getNumIndices() != 2) {
+    ++NumIgnoredGEPs;
+    return false;
+  }
+  StructType *StructTy = dyn_cast<StructType>(GepInst->getSourceElementType());
+  if (shouldIgnoreStructType(StructTy)) {
+    ++NumIgnoredGEPs;
+    return false;
+  }
+  ++NumInstrumentedGEPs;
+  // Use the last index as the index within the struct.
+  ConstantInt *Idx = dyn_cast<ConstantInt>(GepInst->getOperand(2));
+  if (Idx == nullptr || Idx->getZExtValue() > StructTy->getNumElements())
+    return false;
+
+  GlobalVariable *CounterArray = StructTyMap[StructTy];
+  if (CounterArray == nullptr)
+    return false;
+  IRBuilder<> IRB(I);
+  Constant *Indices[2];
+  // Xref http://llvm.org/docs/LangRef.html#i-getelementptr and
+  // http://llvm.org/docs/GetElementPtr.html.
+  // The first index of the GEP instruction steps through the first operand,
+  // i.e., the array itself.
+  Indices[0] = ConstantInt::get(IRB.getInt32Ty(), 0);
+  // The second index is the index within the array.
+  Indices[1] = ConstantInt::get(IRB.getInt32Ty(), Idx->getZExtValue());
+  Constant *Counter =
+      ConstantExpr::getGetElementPtr(ArrayType::get(IRB.getInt64Ty(),
+                                                    StructTy->getNumElements()),
+                                     CounterArray, Indices);
+  Value *Load = IRB.CreateLoad(Counter);
+  IRB.CreateStore(IRB.CreateAdd(Load, ConstantInt::get(IRB.getInt64Ty(), 1)),
+                  Counter);
+  return true;
+}
+
 int EfficiencySanitizer::getMemoryAccessFuncIndex(Value *Addr,
                                                   const DataLayout &DL) {
   Type *OrigPtrTy = Addr->getType();
Index: llvm/trunk/test/Instrumentation/EfficiencySanitizer/struct_field_count_basic.ll
===================================================================
--- llvm/trunk/test/Instrumentation/EfficiencySanitizer/struct_field_count_basic.ll
+++ llvm/trunk/test/Instrumentation/EfficiencySanitizer/struct_field_count_basic.ll
@@ -0,0 +1,95 @@
+; Test basic EfficiencySanitizer struct field count instrumentation.
+;
+; RUN: opt < %s -esan -esan-cache-frag -esan-instrument-loads-and-stores=false -esan-instrument-memintrinsics=false -S | FileCheck %s
+
+%struct.A = type { i32, i32 }
+%union.U = type { double }
+%struct.C = type { %struct.anon, %union.anon, [10 x i8] }
+%struct.anon = type { i32, i32 }
+%union.anon = type { double }
+
+define i32 @main() {
+entry:
+  %a = alloca %struct.A, align 4
+  %u = alloca %union.U, align 8
+  %c = alloca [2 x %struct.C], align 16
+  %k = alloca %struct.A*, align 8
+  %x = getelementptr inbounds %struct.A, %struct.A* %a, i32 0, i32 0
+  %y = getelementptr inbounds %struct.A, %struct.A* %a, i32 0, i32 1
+  %f = bitcast %union.U* %u to float*
+  %d = bitcast %union.U* %u to double*
+  %arrayidx = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 0
+  %cs = getelementptr inbounds %struct.C, %struct.C* %arrayidx, i32 0, i32 0
+  %x1 = getelementptr inbounds %struct.anon, %struct.anon* %cs, i32 0, i32 0
+  %arrayidx2 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 1
+  %cs3 = getelementptr inbounds %struct.C, %struct.C* %arrayidx2, i32 0, i32 0
+  %y4 = getelementptr inbounds %struct.anon, %struct.anon* %cs3, i32 0, i32 1
+  %arrayidx5 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 0
+  %cu = getelementptr inbounds %struct.C, %struct.C* %arrayidx5, i32 0, i32 1
+  %f6 = bitcast %union.anon* %cu to float*
+  %arrayidx7 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 1
+  %cu8 = getelementptr inbounds %struct.C, %struct.C* %arrayidx7, i32 0, i32 1
+  %d9 = bitcast %union.anon* %cu8 to double*
+  %arrayidx10 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 0
+  %c11 = getelementptr inbounds %struct.C, %struct.C* %arrayidx10, i32 0, i32 2
+  %arrayidx12 = getelementptr inbounds [10 x i8], [10 x i8]* %c11, i64 0, i64 2
+  %k1 = load %struct.A*, %struct.A** %k, align 8
+  %arrayidx13 = getelementptr inbounds %struct.A, %struct.A* %k1, i64 0
+  ret i32 0
+}
+
+; CHECK: @llvm.global_ctors = {{.*}}@esan.module_ctor
+
+; CHECK:        %a = alloca %struct.A, align 4
+; CHECK-NEXT:   %u = alloca %union.U, align 8
+; CHECK-NEXT:   %c = alloca [2 x %struct.C], align 16
+; CHECK-NEXT:   %k = alloca %struct.A*, align 8
+; CHECK-NEXT:   %0 = load i64, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.A#2#11#11", i32 0, i32 0)
+; CHECK-NEXT:   %1 = add i64 %0, 1
+; CHECK-NEXT:   store i64 %1, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.A#2#11#11", i32 0, i32 0)
+; CHECK-NEXT:   %x = getelementptr inbounds %struct.A, %struct.A* %a, i32 0, i32 0
+; CHECK-NEXT:   %2 = load i64, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.A#2#11#11", i32 0, i32 1)
+; CHECK-NEXT:   %3 = add i64 %2, 1
+; CHECK-NEXT:   store i64 %3, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.A#2#11#11", i32 0, i32 1)
+; CHECK-NEXT:   %y = getelementptr inbounds %struct.A, %struct.A* %a, i32 0, i32 1
+; CHECK-NEXT:   %f = bitcast %union.U* %u to float*
+; CHECK-NEXT:   %d = bitcast %union.U* %u to double*
+; CHECK-NEXT:   %arrayidx = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 0
+; CHECK-NEXT:   %4 = load i64, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 0)
+; CHECK-NEXT:   %5 = add i64 %4, 1
+; CHECK-NEXT:   store i64 %5, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 0)
+; CHECK-NEXT:   %cs = getelementptr inbounds %struct.C, %struct.C* %arrayidx, i32 0, i32 0
+; CHECK-NEXT:   %6 = load i64, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.anon#2#11#11", i32 0, i32 0)
+; CHECK-NEXT:   %7 = add i64 %6, 1
+; CHECK-NEXT:   store i64 %7, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.anon#2#11#11", i32 0, i32 0)
+; CHECK-NEXT:   %x1 = getelementptr inbounds %struct.anon, %struct.anon* %cs, i32 0, i32 0
+; CHECK-NEXT:   %arrayidx2 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 1
+; CHECK-NEXT:   %8 = load i64, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 0)
+; CHECK-NEXT:   %9 = add i64 %8, 1
+; CHECK-NEXT:   store i64 %9, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 0)
+; CHECK-NEXT:   %cs3 = getelementptr inbounds %struct.C, %struct.C* %arrayidx2, i32 0, i32 0
+; CHECK-NEXT:   %10 = load i64, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.anon#2#11#11", i32 0, i32 1)
+; CHECK-NEXT:   %11 = add i64 %10, 1
+; CHECK-NEXT:   store i64 %11, i64* getelementptr inbounds ([2 x i64], [2 x i64]* @"struct.anon#2#11#11", i32 0, i32 1)
+; CHECK-NEXT:   %y4 = getelementptr inbounds %struct.anon, %struct.anon* %cs3, i32 0, i32 1
+; CHECK-NEXT:   %arrayidx5 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 0
+; CHECK-NEXT:   %12 = load i64, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 1)
+; CHECK-NEXT:   %13 = add i64 %12, 1
+; CHECK-NEXT:   store i64 %13, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 1)
+; CHECK-NEXT:   %cu = getelementptr inbounds %struct.C, %struct.C* %arrayidx5, i32 0, i32 1
+; CHECK-NEXT:   %f6 = bitcast %union.anon* %cu to float*
+; CHECK-NEXT:   %arrayidx7 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 1
+; CHECK-NEXT:   %14 = load i64, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 1)
+; CHECK-NEXT:   %15 = add i64 %14, 1
+; CHECK-NEXT:   store i64 %15, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 1)
+; CHECK-NEXT:   %cu8 = getelementptr inbounds %struct.C, %struct.C* %arrayidx7, i32 0, i32 1
+; CHECK-NEXT:   %d9 = bitcast %union.anon* %cu8 to double*
+; CHECK-NEXT:   %arrayidx10 = getelementptr inbounds [2 x %struct.C], [2 x %struct.C]* %c, i64 0, i64 0
+; CHECK-NEXT:   %16 = load i64, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 2)
+; CHECK-NEXT:   %17 = add i64 %16, 1
+; CHECK-NEXT:   store i64 %17, i64* getelementptr inbounds ([3 x i64], [3 x i64]* @"struct.C#3#14#13#13", i32 0, i32 2)
+; CHECK-NEXT:   %c11 = getelementptr inbounds %struct.C, %struct.C* %arrayidx10, i32 0, i32 2
+; CHECK-NEXT:   %arrayidx12 = getelementptr inbounds [10 x i8], [10 x i8]* %c11, i64 0, i64 2
+; CHECK-NEXT:   %k1 = load %struct.A*, %struct.A** %k, align 8
+; CHECK-NEXT:   %arrayidx13 = getelementptr inbounds %struct.A, %struct.A* %k1, i64 0
+; CHECK-NEXT:   ret i32 0