[dev.boringcrypto.go1.11] all: merge go1.11.13 into dev.boringcrypto.go1.11

Change-Id: I1d19c9f720ba936213448bbbc22d795c8166eebc

README.boringcrypto.md

@@ -0,0 +1,18 @@
+# dev.boringcrypto branch
+
+We have been working inside Google on a fork of Go that uses
+BoringCrypto (the core of [BoringSSL](https://boringssl.googlesource.com/boringssl/)) for various crypto primitives, in
+furtherance of some [work related to FIPS 140-2](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2964.pdf). We have heard that
+some external users of Go would be interested in this code as well, so
+I intend to create a new branch dev.boringcrypto that will hold
+patches to make Go use BoringCrypto.
+
+Unlike typical dev branches, we do not intend any eventual merge of
+this code into the master branch. Instead we intend to maintain in
+that branch the latest release plus BoringCrypto patches. In this
+sense it is a bit like dev.typealias holding go1.8+type alias patches.
+
+To be clear, we are not making any statements or representations about
+the suitability of this code in relation to the FIPS 140-2 standard.
+Interested users will have to evaluate for themselves whether the code
+is useful for their own purposes.

api/go1.11.txt

@@ -1,7 +1,7 @@
 pkg crypto/cipher, func NewGCMWithTagSize(Block, int) (AEAD, error)
 pkg crypto/rsa, method (*PrivateKey) Size() int
 pkg crypto/rsa, method (*PublicKey) Size() int
-pkg crypto/tls, type ConnectionState struct, ExportKeyingMaterial func(string, []uint8, int) ([]uint8, bool)
+pkg crypto/tls, method (*ConnectionState) ExportKeyingMaterial(string, []uint8, int) ([]uint8, error)
 pkg database/sql, method (IsolationLevel) String() string
 pkg database/sql, type DBStats struct, Idle int
 pkg database/sql, type DBStats struct, InUse int

api/go1.9.txt

@@ -7,6 +7,7 @@ pkg crypto, const BLAKE2b_512 Hash
 pkg crypto, const BLAKE2s_256 = 16
 pkg crypto, const BLAKE2s_256 Hash
 pkg crypto/x509, type Certificate struct, ExcludedDNSDomains []string
+pkg crypto/x509, type VerifyOptions struct, IsBoring func(*Certificate) bool
 pkg database/sql, method (*Conn) BeginTx(context.Context, *TxOptions) (*Tx, error)
 pkg database/sql, method (*Conn) Close() error
 pkg database/sql, method (*Conn) ExecContext(context.Context, string, ...interface{}) (Result, error)

doc/contrib.html

@@ -34,6 +34,7 @@ We encourage all Go users to subscribe to
 <p>A <a href="/doc/devel/release.html">summary</a> of the changes between Go releases. Notes for the major releases:</p>
 
 <ul>
+	<li><a href="/doc/go1.11">Go 1.11</a> <small>(August 2018)</small></li>
 	<li><a href="/doc/go1.10">Go 1.10</a> <small>(February 2018)</small></li>
 	<li><a href="/doc/go1.9">Go 1.9</a> <small>(August 2017)</small></li>
 	<li><a href="/doc/go1.8">Go 1.8</a> <small>(February 2017)</small></li>

doc/devel/release.html

@@ -23,6 +23,110 @@ in supported releases as needed by issuing minor revisions
 (for example, Go 1.6.1, Go 1.6.2, and so on).
 </p>
 
+<h2 id="go1.11">go1.11 (released 2018/08/24)</h2>
+
+<p>
+Go 1.11 is a major release of Go.
+Read the <a href="/doc/go1.11">Go 1.11 Release Notes</a> for more information.
+</p>
+
+<h3 id="go1.11.minor">Minor revisions</h3>
+
+<p>
+go1.11.1 (released 2018/10/01) includes fixes to the compiler, documentation, go
+command, runtime, and the <code>crypto/x509</code>, <code>encoding/json</code>,
+<code>go/types</code>, <code>net</code>, <code>net/http</code>, and
+<code>reflect</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.1">Go
+1.11.1 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.2 (released 2018/11/02) includes fixes to the compiler, linker,
+documentation, go command, and the <code>database/sql</code> and
+<code>go/types</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.2">Go
+1.11.2 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.3 (released 2018/12/12) includes three security fixes to "go get" and
+the <code>crypto/x509</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.3">Go
+1.11.3 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.4 (released 2018/12/14) includes fixes to cgo, the compiler, linker,
+runtime, documentation, go command, and the <code>net/http</code> and
+<code>go/types</code> packages.
+It includes a fix to a bug introduced in Go 1.11.3 that broke <code>go</code>
+<code>get</code> for import path patterns containing "<code>...</code>".
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+label%3ACherryPickApproved">Go
+1.11.4 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.5 (released 2019/01/23) includes a security fix to the
+<code>crypto/elliptic</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.5+label%3ACherryPickApproved">Go
+1.11.5 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.6 (released 2019/03/14) includes fixes to cgo, the compiler, linker,
+runtime, go command, and the <code>crypto/x509</code>, <code>encoding/json</code>,
+<code>net</code>, and <code>net/url</code> packages. See the
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.6">Go
+1.11.6 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.7 (released 2019/04/05) includes fixes to the runtime and the
+<code>net</code> packages. See the
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.7">Go
+1.11.7 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.8 (released 2019/04/08) was accidentally released without its
+intended fix. It is identical to go1.11.7, except for its version
+number. The intended fix is in go1.11.9.
+</p>
+
+<p>
+go1.11.9 (released 2019/04/11) fixes an issue where using the prebuilt binary
+releases on older versions of GNU/Linux
+<a href="https://golang.org/issues/31293">led to failures</a>
+when linking programs that used cgo.
+Only Linux users who hit this issue need to update.
+</p>
+
+<p>
+go1.11.10 (released 2019/05/06) includes fixes to the runtime and the linker.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.10">Go
+1.11.10 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.11 (released 2019/06/11) includes a fix to the <code>crypto/x509</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.11">Go
+1.11.11 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.12">Go
+1.11.12 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.11.13 (released 2019/08/13) includes security fixes to the
+<code>net/http</code> and <code>net/url</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.13">Go
+1.11.13 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.10">go1.10 (released 2018/02/16)</h2>
 
 <p>
@@ -57,6 +161,44 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.3">Go
 1.10.3 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.10.4 (released 2018/08/24) includes fixes to the go command, linker, and the
+<code>net/http</code>, <code>mime/multipart</code>, <code>ld/macho</code>,
+<code>bytes</code>, and <code>strings</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.4">Go
+1.10.4 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.10.5 (released 2018/11/02) includes fixes to the go command, linker, runtime
+and the <code>database/sql</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.5">Go
+1.10.5 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.10.6 (released 2018/12/12) includes three security fixes to "go get" and
+the <code>crypto/x509</code> package.
+It contains the same fixes as Go 1.11.3 and was released at the same time.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.6">Go
+1.10.6 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.10.7 (released 2018/12/14) includes a fix to a bug introduced in Go 1.10.6
+that broke <code>go</code> <code>get</code> for import path patterns containing
+"<code>...</code>".
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.7+label%3ACherryPickApproved">
+Go 1.10.7 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.10.8 (released 2019/01/23) includes a security fix to the
+<code>crypto/elliptic</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.8+label%3ACherryPickApproved">Go
+1.10.8 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.9">go1.9 (released 2017/08/24)</h2>
 
 <p>

doc/docs.html

@@ -50,10 +50,10 @@ learned. You can {{if not $.GoogleCN}}<a href="//tour.golang.org/">take the tour
 online</a> or{{end}} install it locally with:
 </p>
 <pre>
-$ go get golang.org/x/tour/gotour
+$ go get golang.org/x/tour
 </pre>
 <p>
-This will place the <code>gotour</code> binary in your workspace's <code>bin</code> directory.
+This will place the <code>tour</code> binary in your workspace's <code>bin</code> directory.
 </p>
 
 <h3 id="code"><a href="code.html">How to write Go code</a></h3>

doc/go1.11.html

@@ -15,14 +15,7 @@ Do not send CLs removing the interior tags from such phrases.
   ul li { margin: 0.5em 0; }
 </style>
 
-<h2 id="introduction">DRAFT RELEASE NOTES - Introduction to Go 1.11</h2>
-
-<p>
-  <strong>
-    Go 1.11 is not yet released. These are work-in-progress
-    release notes. Go 1.11 is expected to be released in August 2018.
-  </strong>
-</p>
+<h2 id="introduction">Introduction to Go 1.11</h2>
 
 <p>
   The latest Go release, version 1.11, arrives six months after <a href="go1.10">Go 1.10</a>.
@@ -95,7 +88,8 @@ Do not send CLs removing the interior tags from such phrases.
 
 <h3 id="wasm">WebAssembly</h3>
 <p>
-  Go 1.11 adds an experimental port to WebAssembly (<code>js/wasm</code>).
+  Go 1.11 adds an experimental port to <a href="https://webassembly.org">WebAssembly</a>
+  (<code>js/wasm</code>).
 </p>
 <p>
   Go programs currently compile to one WebAssembly module that
@@ -116,6 +110,10 @@ Do not send CLs removing the interior tags from such phrases.
   tools</a> except when those GOOS/GOARCH values are being used.
   If you have existing filenames matching those patterns, you will need to rename them.
 </p>
+<p>
+  More information can be found on the
+  <a href="https://golang.org/wiki/WebAssembly">WebAssembly wiki page</a>.
+</p>
 
 <h3 id="riscv">RISC-V GOARCH values reserved</h3>
 <p><!-- CL 106256 -->
@@ -350,6 +348,20 @@ updating. See the <a href="go1.10.html#cgo">Go 1.10 release notes</a> for
 details. <!-- CL 126275, CL 127156, CL 122217, CL 122575, CL 123177 -->
 </p>
 
+<h3 id="go_command">Go command</h3>
+
+<p><!-- CL 126656 -->
+  The environment variable <code>GOFLAGS</code> may now be used
+  to set default flags for the <code>go</code> command.
+  This is useful in certain situations.
+  Linking can be noticeably slower on underpowered systems due to DWARF,
+  and users may want to set <code>-ldflags=-w</code> by default.
+  For modules, some users and CI systems will want vendoring always,
+  so they should set <code>-mod=vendor</code> by default.
+  For more information, see the <a href="/cmd/go/#hdr-Environment_variables"><code>go</code>
+  command documentation</a>.
+</p>
+
 <h3 id="godoc">Godoc</h3>
 
 <p>
@@ -384,10 +396,20 @@ details. <!-- CL 126275, CL 127156, CL 122217, CL 122575, CL 123177 -->
   time.
   In general, systems that need consistent formatting of Go source code should
   use a specific version of the <code>gofmt</code> binary.
-  See the <a href="/pkg/go/format/">go/format</a> package godoc for more
+  See the <a href="/pkg/go/format/">go/format</a> package documentation for more
   information.
 </p>
 
+<h3 id="run">Run</h3>
+
+<p>
+  <!-- CL 109341 -->
+  The <a href="/cmd/go/"><code>go</code>&nbsp;<code>run</code></a>
+  command now allows a single import path, a directory name or a
+  pattern matching a single package.
+  This allows <code>go</code>&nbsp;<code>run</code>&nbsp;<code>pkg</code> or <code>go</code>&nbsp;<code>run</code>&nbsp;<code>dir</code>, most importantly <code>go</code>&nbsp;<code>run</code>&nbsp;<code>.</code>
+</p>
+
 <h2 id="runtime">Runtime</h2>
 
 <p><!-- CL 85887 -->
@@ -398,7 +420,7 @@ details. <!-- CL 126275, CL 127156, CL 122217, CL 122575, CL 123177 -->
 </p>
 
 <p><!-- CL 108679, CL 106156 -->
-  On macOS and iOS, the runtime now uses <code>libSystem.so</code> instead of
+  On macOS and iOS, the runtime now uses <code>libSystem.dylib</code> instead of
   calling the kernel directly. This should make Go binaries more
   compatible with future versions of macOS and iOS.
   The <a href="/pkg/syscall">syscall</a> package still makes direct
@@ -500,7 +522,8 @@ for k := range m {
   <dd>
     <p><!-- CL 85115 -->
       <a href="/pkg/crypto/tls/#ConnectionState"><code>ConnectionState</code></a>'s new
-      <code>ExportKeyingMaterial</code> field allows exporting keying material bound to the
+      <a href="/pkg/crypto/tls/#ConnectionState.ExportKeyingMaterial"><code>ExportKeyingMaterial</code></a>
+      method allows exporting keying material bound to the
       connection according to RFC 5705.
     </p>
 

misc/boring/README.md

@@ -0,0 +1,114 @@
+# README.md
+
+This directory holds build scripts for unofficial, unsupported
+distributions of Go+BoringCrypto.
+
+## Version strings
+
+The distribution name for a Go+BoringCrypto release has the form `<GoVersion>b<BoringCryptoVersion>`,
+where `<GoVersion>` is the Go version the release is based on, and `<BoringCryptoVersion>` is
+an integer that increments each time there is a new release with different BoringCrypto bits.
+The `<BoringCryptoVersion>` is stored in the `VERSION` file in this directory.
+
+For example, the first release is based on Go 1.8.3 is `go1.8.3b1`.
+If the BoringCrypto bits are updated, the next would be `go1.8.3b2`.
+If, after that, Go 1.9 is released and the same BoringCrypto code added to it,
+that would result in `go1.9b2`. There would likely not be a `go1.9b1`,
+since that would indicate Go 1.9 with the older BoringCrypto code.
+
+## Releases
+
+The `build.release` script prepares a binary release and publishes it in Google Cloud Storage
+at `gs://go-boringcrypto/`, making it available for download at
+`https://go-boringcrypto.storage.googleapis.com/<FILE>`.
+The script records each published release in the `RELEASES` file in this directory.
+
+The `build.docker` script, which must be run after `build.release`, prepares a Docker image
+and publishes it on hub.docker.com in the goboring organization.
+`go1.8.3b1` is published as `goboring/golang:1.8.3b1`.
+
+## Release process
+
+1. If the BoringCrypto bits have been updated, increment the number in `VERSION`,
+send that change out as a CL for review, get it committed, and run `git sync`.
+
+2. Run `build.release`, which will determine the base Go version and the BoringCrypto
+version, build a release, and upload it.
+
+3. Run `build.docker`, which will build and upload a Docker image from the latest release.
+
+4. Send out a CL with the updated `RELEASES` file and get it committed.
+
+## Release process for dev.boringcrypto.go1.8.
+
+In addition to the dev.boringcrypto branch, we have a dev.boringcrypto.go1.8 branch,
+which is BoringCrypto backported to the Go 1.8 release branch.
+To issue new BoringCrypto releases based on Go 1.8:
+
+1. Do a regular release on the (not Go 1.8) dev.boringcrypto branch.
+
+2. Change to the dev.boringcrypto.go1.8 branch and cherry-pick all
+BoringCrypto updates, including the update of the `VERSION` file.
+Mail them out and get them committed.
+
+3. **Back on the (not Go 1.8) dev.boringcrypto branch**,
+run `make.bash` and then `build.release <commit>`,
+where `<commit>` is the latest commit on the dev.boringcrypto.go1.8 branch.
+The script will build a release and upload it.
+
+4. Run `build.docker`.
+
+5. Send out a CL with the updated `RELEASES` file and get it committed.
+
+## Building from Docker
+
+A Dockerfile that starts with `FROM golang:1.8.3` can switch
+to `FROM goboring/golang:1.8.3b2` (see [goboring/golang on Docker Hub](https://hub.docker.com/r/goboring/golang/))
+and should need no other modifications.
+
+## Building from Bazel
+
+Starting from [bazelbuild/rules_go](https://github.com/bazelbuild/rules_go)
+tag 0.7.1, simply download the BoringCrypto-enabled Go SDK using
+`go_download_sdk()` before calling `go_register_toolchains()`.
+
+For example, to use Go 1.9.3 with BoringCrypto on Linux, use the following lines
+in `WORKSPACE`:
+```python
+load("@io_bazel_rules_go//go:def.bzl", "go_rules_dependencies", "go_download_sdk", "go_register_toolchains")
+
+go_rules_dependencies()
+
+go_download_sdk(
+    name = "go_sdk",
+    sdks = {
+       "linux_amd64": ("go1.9.3b4.linux-amd64.tar.gz", "db1997b2454a2f27669b849d2d2cafb247a55128d53da678f06cb409310d6660"),
+    },
+    urls = ["https://storage.googleapis.com/go-boringcrypto/{}"],
+)
+
+go_register_toolchains()
+```
+
+**Note**: you must *not* enable `pure` mode, since cgo must be enabled. To
+ensure that binaries are linked with BoringCrypto, you can set `pure = "off"` on
+all relevant `go_binary` rules.
+
+## Caveat
+
+BoringCrypto is used for a given build only in limited circumstances:
+
+  - The build must be GOOS=linux, GOARCH=amd64.
+  - The build must have cgo enabled.
+  - The android build tag must not be specified.
+  - The cmd_go_bootstrap build tag must not be specified.
+
+The version string reported by `runtime.Version` does not indicate that BoringCrypto
+was actually used for the build. For example, linux/386 and non-cgo linux/amd64 binaries
+will report a version of `go1.8.3b2` but not be using BoringCrypto.
+
+To check whether a given binary is using BoringCrypto, run `go tool nm` on it and check
+that it has symbols named `*_Cfunc__goboringcrypto_*`.
+
+The program [rsc.io/goversion](https://godoc.org/rsc.io/goversion) will report the
+crypto implementation used by a given binary when invoked with the `-crypto` flag.

misc/boring/RELEASES

@@ -0,0 +1,17 @@
+# This file lists published Go+BoringCrypto releases.
+# Each line describes a single release: <version> <git commit> <target> <URL> <sha256sum>
+go1.9rc2b2 91753387bdf7 linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.9rc2b2.linux-amd64.tar.gz 59355a45e6970e8013060851ddb3f079afe8db52e90db520a0826a13f1b5ae5b
+go1.8.3b3 f6ff81bac156 linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.8.3b3.linux-amd64.tar.gz 6287ad971cd268bb2684fb8b1275dea928ad527823062bc057e73036c419e7af
+go1.9rc2b4 c339bc4e07a6 linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.9rc2b4.linux-amd64.tar.gz a8f677d48dc93920065fca4dca1a55bf7110aba132489c47e25d26d55c67eb32
+go1.9b4 e6ad24cde71e linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.9b4.linux-amd64.tar.gz 6592e36a05df8e7c59812328a3a4bfa6c4eed72132fc31245951c3ade3ef2a8a
+go1.9b4 e6ad24cde71e src https://go-boringcrypto.storage.googleapis.com/go1.9b4.src.tar.gz c85f31dc743fee0e8ce0c6ffc286e27c1f51b66c9b923afafb43cdc378a41091
+go1.8.3b4 42cb4dcdb59a linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.8.3b4.linux-amd64.tar.gz 4011c86e6175925e1c63dc7c19a51f825be53bbe7b08260918e5107b0fbd4f85
+go1.8.3b4 42cb4dcdb59a src https://go-boringcrypto.storage.googleapis.com/go1.8.3b4.src.tar.gz 2531ca8918aa024aed8f4a6c9e5c3b25bc8777623f1efa66aec7214601d474e4
+go1.9.2b4 cda3c6f91d7c linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.9.2b4.linux-amd64.tar.gz 7c5e9a033ddc3ab36646e3bac7fd16962742710c70c18122e44a9ab56cdd3cf7
+go1.9.2b4 cda3c6f91d7c src https://go-boringcrypto.storage.googleapis.com/go1.9.2b4.src.tar.gz 38a2260b64a6a5ab20f8972d08b4765bad116721356433f39aebd29c7598218c
+go1.9.3b4 f4e5ebdf35c8 linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.9.3b4.linux-amd64.tar.gz db1997b2454a2f27669b849d2d2cafb247a55128d53da678f06cb409310d6660
+go1.9.3b4 f4e5ebdf35c8 src https://go-boringcrypto.storage.googleapis.com/go1.9.3b4.src.tar.gz 7485e1fc53a9fab9cf34f71de74d69f4c50f9d11a449647de40ee04b59bf8a5b
+go1.9.7b4 0bad1bef406e linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.9.7b4.linux-amd64.tar.gz 9e33a0deb8fed3bd7fa3d122bb5143be9e0a974a422ab4ddac5e765fa1310a6f
+go1.9.7b4 0bad1bef406e src https://go-boringcrypto.storage.googleapis.com/go1.9.7b4.src.tar.gz ad9fb6e22a27382c468467ecade4937f725b33818852f1c1da0d09b471e7486c
+go1.10.3b4 35ba5284935c linux-amd64 https://go-boringcrypto.storage.googleapis.com/go1.10.3b4.linux-amd64.tar.gz 6754729d78a375bd1debd980b1e3e7fd49198a980d0bbd8f39e89569aa001942
+go1.10.3b4 35ba5284935c src https://go-boringcrypto.storage.googleapis.com/go1.10.3b4.src.tar.gz f3e75c60a835c11b97e30429b63917ceb31f799b2ba7e2001d99db908fb8e28f

misc/boring/VERSION

@@ -0,0 +1 @@
+4

misc/boring/build.docker

@@ -0,0 +1,57 @@
+#!/bin/bash
+# Copyright 2017 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# build.docker builds and publishes a Docker image for
+# a given Go+BoringCrypto release.
+
+set -e
+
+# With no arguments, use the most recent linux-amd64 release in the RELEASES file.
+case "$#" in
+0)
+	version=$(grep linux-amd64 RELEASES | tail -1 | awk '{print $1}');;
+1)
+	version="$1";;
+*)
+	echo 'usage: build.docker [version]' >&2
+	exit 2
+esac
+
+url="$(grep "^$version .* linux-amd64 " RELEASES | awk '{print $4}')"
+sha256="$(grep "^$version .* linux-amd64 " RELEASES | awk '{print $5}')"
+if [ "$sha256" = "" ]; then
+	echo "cannot find $version in RELEASES file" >&2
+	exit 2
+fi
+
+# Build a temporary directory with a Dockerfile.
+dir=$(mktemp -d)
+trap "rm -rf $dir" EXIT
+
+if echo "$url" | grep '!' >/dev/null; then
+	# ! is sed delimiter below. Should never happen.
+	echo "URL contains an exclamation mark!" >&2
+	exit 2
+fi
+
+sed "s!UUU!$url!; s/SSS/$sha256/" dockerfile.in >$dir/Dockerfile
+cp go-wrapper $dir/go-wrapper
+
+dversion=$(echo "$version" | sed 's/^go//')
+docker build -t goboring/golang:$dversion $dir
+docker run goboring/golang:$dversion go version
+docker run goboring/golang:$dversion go tool nm /usr/local/go/bin/go >$dir/nm
+if ! grep crypto/sha1.boringNewSHA1 $dir/nm >/dev/null; then
+	echo 'built docker image but did NOT find sha1.boringNewSHA1 in go command!' >&2
+	exit 2
+fi
+if egrep 'crypto/sha1\.\(\*digest\)' $dir/nm >/dev/null; then
+	echo 'built docker image but DID find sha1.(*digest) in go command unexpectedly!' >&2
+	exit 2
+fi
+docker push goboring/golang:$dversion
+
+echo
+echo published as goboring/golang:$dversion

misc/boring/build.release

@@ -0,0 +1,104 @@
+#!/bin/bash
+# Copyright 2017 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# build.release builds and publishes a new Go+BoringCrypto release.
+# After running this script, the change to the RELEASES file should be
+# sent out for review and committed to the repository (but the release
+# is already done, so there's not much to review).
+
+set -e
+
+case "$#" in
+0)
+	rev=HEAD;;
+1)
+	rev="$1";;
+*)
+	echo 'usage: build.release [git-rev]' >&2
+	exit 2
+esac
+
+# Determine commit to use.
+commit=$(git rev-parse "$rev" | awk '{print substr($1, 1, 12)}')
+if [ "$commit" = "" ]; then
+	echo 'cannot find commit in git history' >&2
+	exit 2
+fi
+
+# Determine base Go release from tags.
+base=$(git log --decorate=short --oneline "$rev" | grep 'tag: go' | sed 1q | sed 's/[),].*//; s/.*tag: //')
+if [ "$base" = "" ]; then
+	echo "cannot find go release tag in git history for $rev" >&2
+	exit 2
+fi
+
+# Determine boring crypto version from file.
+boring=$(git show "$commit:misc/boring/VERSION")
+if [ "$boring" = "" ]; then
+	echo "missing BORINGVERSION file in $commit" >&2
+	exit 2
+fi
+
+# Make sure we're not redefining a published release.
+version="${base}b${boring}"
+if grep "^$version " RELEASES >/dev/null; then
+	echo "found $version in RELEASES - not rereleasing" >&2
+	exit 2
+fi
+
+# Show what's going on, while the release builds.
+# Good time for user to type ^C if something is wrong.
+echo >&2
+echo "building $version from $commit" >&2
+echo >&2
+git log -n1 "$commit" >&2
+echo >&2
+
+# Build the release tool in a temporary GOPATH.
+dir=$(mktemp -d)
+trap "rm -rf $dir" EXIT
+export GOPATH="$dir"
+export GOBIN="$dir"
+go get -u golang.org/x/build/cmd/release
+
+# Build the release.
+sha() {
+    if hash sha256sum 2>/dev/null; then
+        sha256sum "$@"
+    else
+        shasum -a 256 "$@"
+    fi
+}
+shortgo=$(echo "$base" | perl -pe 's/(go\d+\.\d+)(\.\d+|rc\d+)/$1/')
+$dir/release -target linux-amd64 -rev "$commit" -version "$version" -tools "release-branch.$shortgo"
+$dir/release -target src -rev "$commit" -version "$version" -tools "release-branch.$shortgo"
+output="$version.linux-amd64.tar.gz"
+ls -l "$output"
+sha256=$(sha "$output" | awk '{print $1}')
+outputsrc="$version.src.tar.gz"
+ls -l "$outputsrc"
+sha256src=$(sha "$outputsrc" | awk '{print $1}')
+
+trap "rm -f /tmp/go.release.$$ /tmp/go.nm.$$" EXIT
+tar -xzf "$output" -O go/bin/go >/tmp/go.release.$$
+go tool nm /tmp/go.release.$$ >/tmp/go.nm.$$
+if ! grep crypto/sha1.boringNewSHA1 /tmp/go.nm.$$ >/dev/null; then
+	echo 'built release but did NOT find sha1.boringNewSHA1 in go command!' >&2
+	exit 2
+fi
+if egrep 'crypto/sha1\.\(\*digest\)' /tmp/go.nm.$$ >/dev/null; then
+	echo 'built release but DID find sha1.(*digest) in go command unexpectedly!' >&2
+	exit 2
+fi
+
+# Publish the release.
+gsutil cp "$output" gs://go-boringcrypto/
+url="https://go-boringcrypto.storage.googleapis.com/$output"
+gsutil cp "$outputsrc" gs://go-boringcrypto/
+urlsrc="https://go-boringcrypto.storage.googleapis.com/$outputsrc"
+
+# Record that it was published.
+echo "$version $commit linux-amd64 $url $sha256" >>RELEASES
+echo "$version $commit src $urlsrc $sha256src" >>RELEASES

misc/boring/dockerfile.in

@@ -0,0 +1,29 @@
+# Template for Dockerfile, used in build.docker script.
+# Based on https://github.com/docker-library/golang/blob/master/1.9-rc/stretch/Dockerfile
+FROM buildpack-deps:stretch-scm
+
+# gcc for cgo
+RUN apt-get update && apt-get install -y --no-install-recommends \
+		g++ \
+		gcc \
+		libc6-dev \
+		make \
+		pkg-config \
+	&& rm -rf /var/lib/apt/lists/*
+
+ADD UUU /go.tgz
+
+RUN set -eux; \
+	\
+	echo "SSS /go.tgz" | sha256sum -c -; \
+	tar -C /usr/local -xzf /go.tgz; \
+	rm /go.tgz; \
+	export PATH="/usr/local/go/bin:$PATH"; \
+	go version
+
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
+WORKDIR $GOPATH
+
+COPY go-wrapper /usr/local/bin/

misc/boring/go-wrapper

@@ -0,0 +1,100 @@
+#!/bin/sh
+# Copied from https://raw.githubusercontent.com/docker-library/golang/master/1.9-rc/stretch/go-wrapper
+# Copied into Docker images.
+
+set -e
+
+usage() {
+	base="$(basename "$0")"
+	cat <<EOUSAGE
+
+usage: $base command [args]
+
+This script assumes that is is run from the root of your Go package (for
+example, "/go/src/app" if your GOPATH is set to "/go").
+
+In Go 1.4, a feature was introduced to supply the canonical "import path" for a
+given package in a comment attached to a package statement
+(https://golang.org/s/go14customimport).
+
+This script allows us to take a generic directory of Go source files such as
+"/go/src/app" and determine that the canonical "import path" of where that code
+expects to live and reference itself is "github.com/jsmith/my-cool-app".  It
+will then ensure that "/go/src/github.com/jsmith/my-cool-app" is a symlink to
+"/go/src/app", which allows us to build and run it under the proper package
+name.
+
+For compatibility with versions of Go older than 1.4, the "import path" may also
+be placed in a file named ".godir".
+
+Available Commands:
+
+  $base download
+  $base download -u
+    (equivalent to "go get -d [args] [godir]")
+
+  $base install
+  $base install -race
+    (equivalent to "go install [args] [godir]")
+
+  $base run
+  $base run -app -specific -arguments
+    (assumes "GOPATH/bin" is in "PATH")
+
+EOUSAGE
+}
+
+# make sure there is a subcommand specified
+if [ "$#" -eq 0 ]; then
+	usage >&2
+	exit 1
+fi
+# "shift" so that "$@" becomes the remaining arguments and can be passed along to other "go" subcommands easily
+cmd="$1"
+shift
+
+goDir="$(go list -e -f '{{.ImportComment}}' 2>/dev/null || true)"
+
+if [ -z "$goDir" -a -s .godir ]; then
+	goDir="$(cat .godir)"
+fi
+
+dir="$(pwd -P)"
+if [ "$goDir" ]; then
+	goPath="${GOPATH%%:*}" # this just grabs the first path listed in GOPATH, if there are multiple (which is the detection logic "go get" itself uses, too)
+	goDirPath="$goPath/src/$goDir"
+	mkdir -p "$(dirname "$goDirPath")"
+	if [ ! -e "$goDirPath" ]; then
+		ln -sfv "$dir" "$goDirPath"
+	elif [ ! -L "$goDirPath" ]; then
+		echo >&2 "error: $goDirPath already exists but is unexpectedly not a symlink!"
+		exit 1
+	fi
+	goBin="$goPath/bin/$(basename "$goDir")"
+else
+	goBin="$(basename "$dir")" # likely "app"
+fi
+
+case "$cmd" in
+	download)
+		set -- go get -v -d "$@"
+		if [ "$goDir" ]; then set -- "$@" "$goDir"; fi
+		set -x; exec "$@"
+		;;
+		
+	install)
+		set -- go install -v "$@"
+		if [ "$goDir" ]; then set -- "$@" "$goDir"; fi
+		set -x; exec "$@"
+		;;
+		
+	run)
+		set -x; exec "$goBin" "$@"
+		;;
+		
+	*)
+		echo >&2 'error: unknown command:' "$cmd"
+		usage >&2
+		exit 1
+		;;
+esac

misc/cgo/test/cgo_test.go

@@ -92,6 +92,8 @@ func Test25143(t *testing.T)                 { test25143(t) }
 func Test23356(t *testing.T)                 { test23356(t) }
 func Test26066(t *testing.T)                 { test26066(t) }
 func Test26213(t *testing.T)                 { test26213(t) }
+func Test27660(t *testing.T)                 { test27660(t) }
+func Test28896(t *testing.T)                 { test28896(t) }
 
 func BenchmarkCgoCall(b *testing.B)  { benchCgoCall(b) }
 func BenchmarkGoString(b *testing.B) { benchGoString(b) }

misc/cgo/test/issue27340.go

@@ -0,0 +1,12 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Failed to resolve typedefs consistently.
+// No runtime test; just make sure it compiles.
+
+package cgotest
+
+import "./issue27340"
+
+var issue27340Var = issue27340.Issue27340GoFunc

misc/cgo/test/issue27340/a.go

@@ -0,0 +1,42 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Failed to resolve typedefs consistently.
+// No runtime test; just make sure it compiles.
+// In separate directory to isolate #pragma GCC diagnostic.
+
+package issue27340
+
+// We use the #pragma to avoid a compiler warning about incompatible
+// pointer types, because we generate code passing a struct ptr rather
+// than using the typedef. This warning is expected and does not break
+// a normal build.
+// We can only disable -Wincompatible-pointer-types starting with GCC 5.
+
+// #if __GNU_MAJOR__ >= 5
+//
+// #pragma GCC diagnostic ignored "-Wincompatible-pointer-types"
+//
+// typedef struct {
+// 	int a;
+// } issue27340Struct, *issue27340Ptr;
+//
+// static void issue27340CFunc(issue27340Ptr p) {}
+//
+// #else /* _GNU_MAJOR_ < 5 */
+//
+// typedef struct {
+// 	int a;
+// } issue27340Struct;
+//
+// static issue27340Struct* issue27340Ptr(issue27340Struct* p) { return p; }
+//
+// static void issue27340CFunc(issue27340Struct *p) {}
+// #endif /* _GNU_MAJOR_ < 5 */
+import "C"
+
+func Issue27340GoFunc() {
+	var s C.issue27340Struct
+	C.issue27340CFunc(C.issue27340Ptr(&s))
+}

misc/cgo/test/issue28896.go

@@ -0,0 +1,83 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// cgo was incorrectly adding padding after a packed struct.
+
+package cgotest
+
+/*
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+typedef struct {
+	void *f1;
+	uint32_t f2;
+} __attribute__((__packed__)) innerPacked;
+
+typedef struct {
+	innerPacked g1;
+	uint64_t g2;
+} outerPacked;
+
+typedef struct {
+	void *f1;
+	uint32_t f2;
+} innerUnpacked;
+
+typedef struct {
+	innerUnpacked g1;
+	uint64_t g2;
+} outerUnpacked;
+
+size_t offset(int x) {
+	switch (x) {
+	case 0:
+		return offsetof(innerPacked, f2);
+	case 1:
+		return offsetof(outerPacked, g2);
+	case 2:
+		return offsetof(innerUnpacked, f2);
+	case 3:
+		return offsetof(outerUnpacked, g2);
+	default:
+		abort();
+	}
+}
+*/
+import "C"
+
+import (
+	"testing"
+	"unsafe"
+)
+
+func offset(i int) uintptr {
+	var pi C.innerPacked
+	var po C.outerPacked
+	var ui C.innerUnpacked
+	var uo C.outerUnpacked
+	switch i {
+	case 0:
+		return unsafe.Offsetof(pi.f2)
+	case 1:
+		return unsafe.Offsetof(po.g2)
+	case 2:
+		return unsafe.Offsetof(ui.f2)
+	case 3:
+		return unsafe.Offsetof(uo.g2)
+	default:
+		panic("can't happen")
+	}
+}
+
+func test28896(t *testing.T) {
+	for i := 0; i < 4; i++ {
+		c := uintptr(C.offset(C.int(i)))
+		g := offset(i)
+		if c != g {
+			t.Errorf("%d: C: %d != Go %d", i, c, g)
+		}
+	}
+}

misc/cgo/test/issue9026/issue9026.go

@@ -29,7 +29,7 @@ func Test(t *testing.T) {
 	// Brittle: the assertion may fail spuriously when the algorithm
 	// changes, but should remain stable otherwise.
 	got := fmt.Sprintf("%T %T", in, opts)
-	want := "issue9026._Ctype_struct___0 *issue9026._Ctype_struct___1"
+	want := "issue9026._Ctype_struct___0 *issue9026._Ctype_struct___0"
 	if got != want {
 		t.Errorf("Non-deterministic type names: got %s, want %s", got, want)
 	}

misc/cgo/test/test27660.go

@@ -0,0 +1,54 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Stress the interaction between the race detector and cgo in an
+// attempt to reproduce the memory corruption described in #27660.
+// The bug was very timing sensitive; at the time of writing this
+// test would only trigger the bug about once out of every five runs.
+
+package cgotest
+
+// #include <unistd.h>
+import "C"
+
+import (
+	"context"
+	"math/rand"
+	"runtime"
+	"sync"
+	"testing"
+	"time"
+)
+
+func test27660(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	ints := make([]int, 100)
+	locks := make([]sync.Mutex, 100)
+	// Slowly create threads so that ThreadSanitizer is forced to
+	// frequently resize its SyncClocks.
+	for i := 0; i < 100; i++ {
+		go func() {
+			for ctx.Err() == nil {
+				// Sleep in C for long enough that it is likely that the runtime
+				// will retake this goroutine's currently wired P.
+				C.usleep(1000 /* 1ms */)
+				runtime.Gosched() // avoid starvation (see #28701)
+			}
+		}()
+		go func() {
+			// Trigger lots of synchronization and memory reads/writes to
+			// increase the likelihood that the race described in #27660
+			// results in corruption of ThreadSanitizer's internal state
+			// and thus an assertion failure or segfault.
+			for ctx.Err() == nil {
+				j := rand.Intn(100)
+				locks[j].Lock()
+				ints[j]++
+				locks[j].Unlock()
+			}
+		}()
+		time.Sleep(time.Millisecond)
+	}
+}

misc/wasm/wasm_exec.html

@@ -12,6 +12,11 @@ license that can be found in the LICENSE file.
 </head>
 
 <body>
+	<!--
+	Add the following polyfill for Microsoft Edge 17/18 support:
+	<script src="https://cdn.jsdelivr.net/npm/text-encoding@0.7.0/lib/encoding.min.js"></script>
+	(see https://caniuse.com/#feat=textencoder)
+	-->
 	<script src="wasm_exec.js"></script>
 	<script>
 		if (!WebAssembly.instantiateStreaming) { // polyfill

src/cmd/cgo/gcc.go

@@ -163,6 +163,10 @@ func (p *Package) Translate(f *File) {
 		// Convert C.ulong to C.unsigned long, etc.
 		cref.Name.C = cname(cref.Name.Go)
 	}
+
+	var conv typeConv
+	conv.Init(p.PtrSize, p.IntSize)
+
 	p.loadDefines(f)
 	p.typedefs = map[string]bool{}
 	p.typedefList = nil
@@ -178,7 +182,7 @@ func (p *Package) Translate(f *File) {
 		}
 		needType := p.guessKinds(f)
 		if len(needType) > 0 {
-			p.loadDWARF(f, needType)
+			p.loadDWARF(f, &conv, needType)
 		}
 
 		// In godefs mode we're OK with the typedefs, which
@@ -472,7 +476,7 @@ func (p *Package) guessKinds(f *File) []*Name {
 // loadDWARF parses the DWARF debug information generated
 // by gcc to learn the details of the constants, variables, and types
 // being referred to as C.xxx.
-func (p *Package) loadDWARF(f *File, names []*Name) {
+func (p *Package) loadDWARF(f *File, conv *typeConv, names []*Name) {
 	// Extract the types from the DWARF section of an object
 	// from a well-formed C program. Gcc only generates DWARF info
 	// for symbols in the object file, so it is not enough to print the
@@ -579,8 +583,6 @@ func (p *Package) loadDWARF(f *File, names []*Name) {
 	}
 
 	// Record types and typedef information.
-	var conv typeConv
-	conv.Init(p.PtrSize, p.IntSize)
 	for i, n := range names {
 		if strings.HasSuffix(n.Go, "GetTypeID") && types[i].String() == "func() CFTypeID" {
 			conv.getTypeIDs[n.Go[:len(n.Go)-9]] = true
@@ -1734,10 +1736,10 @@ func runGcc(stdin []byte, args []string) (string, string) {
 // with equivalent memory layout.
 type typeConv struct {
 	// Cache of already-translated or in-progress types.
-	m map[dwarf.Type]*Type
+	m map[string]*Type
 
 	// Map from types to incomplete pointers to those types.
-	ptrs map[dwarf.Type][]*Type
+	ptrs map[string][]*Type
 	// Keys of ptrs in insertion order (deterministic worklist)
 	// ptrKeys contains exactly the keys in ptrs.
 	ptrKeys []dwarf.Type
@@ -1772,8 +1774,8 @@ var unionWithPointer = make(map[ast.Expr]bool)
 func (c *typeConv) Init(ptrSize, intSize int64) {
 	c.ptrSize = ptrSize
 	c.intSize = intSize
-	c.m = make(map[dwarf.Type]*Type)
-	c.ptrs = make(map[dwarf.Type][]*Type)
+	c.m = make(map[string]*Type)
+	c.ptrs = make(map[string][]*Type)
 	c.getTypeIDs = make(map[string]bool)
 	c.bool = c.Ident("bool")
 	c.byte = c.Ident("byte")
@@ -1881,11 +1883,12 @@ func (c *typeConv) FinishType(pos token.Pos) {
 	// Keep looping until they're all done.
 	for len(c.ptrKeys) > 0 {
 		dtype := c.ptrKeys[0]
+		dtypeKey := dtype.String()
 		c.ptrKeys = c.ptrKeys[1:]
-		ptrs := c.ptrs[dtype]
-		delete(c.ptrs, dtype)
+		ptrs := c.ptrs[dtypeKey]
+		delete(c.ptrs, dtypeKey)
 
-		// Note Type might invalidate c.ptrs[dtype].
+		// Note Type might invalidate c.ptrs[dtypeKey].
 		t := c.Type(dtype, pos)
 		for _, ptr := range ptrs {
 			ptr.Go.(*ast.StarExpr).X = t.Go
@@ -1897,18 +1900,29 @@ func (c *typeConv) FinishType(pos token.Pos) {
 // Type returns a *Type with the same memory layout as
 // dtype when used as the type of a variable or a struct field.
 func (c *typeConv) Type(dtype dwarf.Type, pos token.Pos) *Type {
-	if t, ok := c.m[dtype]; ok {
-		if t.Go == nil {
-			fatalf("%s: type conversion loop at %s", lineno(pos), dtype)
+	// Always recompute bad pointer typedefs, as the set of such
+	// typedefs changes as we see more types.
+	checkCache := true
+	if dtt, ok := dtype.(*dwarf.TypedefType); ok && c.badPointerTypedef(dtt) {
+		checkCache = false
+	}
+
+	key := dtype.String()
+
+	if checkCache {
+		if t, ok := c.m[key]; ok {
+			if t.Go == nil {
+				fatalf("%s: type conversion loop at %s", lineno(pos), dtype)
+			}
+			return t
 		}
-		return t
 	}
 
 	t := new(Type)
 	t.Size = dtype.Size() // note: wrong for array of pointers, corrected below
 	t.Align = -1
 	t.C = &TypeRepr{Repr: dtype.Common().Name}
-	c.m[dtype] = t
+	c.m[key] = t
 
 	switch dt := dtype.(type) {
 	default:
@@ -2071,10 +2085,11 @@ func (c *typeConv) Type(dtype dwarf.Type, pos token.Pos) *Type {
 		// Placeholder initialization; completed in FinishType.
 		t.Go = &ast.StarExpr{}
 		t.C.Set("<incomplete>*")
-		if _, ok := c.ptrs[dt.Type]; !ok {
+		key := dt.Type.String()
+		if _, ok := c.ptrs[key]; !ok {
 			c.ptrKeys = append(c.ptrKeys, dt.Type)
 		}
-		c.ptrs[dt.Type] = append(c.ptrs[dt.Type], t)
+		c.ptrs[key] = append(c.ptrs[key], t)
 
 	case *dwarf.QualType:
 		t1 := c.Type(dt.Type, pos)
@@ -2462,11 +2477,6 @@ func (c *typeConv) Struct(dt *dwarf.StructType, pos token.Pos) (expr *ast.Struct
 
 	anon := 0
 	for _, f := range dt.Field {
-		if f.ByteOffset > off {
-			fld, sizes = c.pad(fld, sizes, f.ByteOffset-off)
-			off = f.ByteOffset
-		}
-
 		name := f.Name
 		ft := f.Type
 
@@ -2515,6 +2525,19 @@ func (c *typeConv) Struct(dt *dwarf.StructType, pos token.Pos) (expr *ast.Struct
 			// structs are in system headers that cannot be corrected.
 			continue
 		}
+
+		// Round off up to talign, assumed to be a power of 2.
+		off = (off + talign - 1) &^ (talign - 1)
+
+		if f.ByteOffset > off {
+			fld, sizes = c.pad(fld, sizes, f.ByteOffset-off)
+			off = f.ByteOffset
+		}
+		if f.ByteOffset < off {
+			// Drop a packed field that we can't represent.
+			continue
+		}
+
 		n := len(fld)
 		fld = fld[0 : n+1]
 		if name == "" {

src/cmd/cgo/out.go

@@ -740,6 +740,12 @@ func (p *Package) writeExports(fgo2, fm, fgcc, fgcch io.Writer) {
 	fmt.Fprintf(fgcc, "#include <stdlib.h>\n")
 	fmt.Fprintf(fgcc, "#include \"_cgo_export.h\"\n\n")
 
+	// We use packed structs, but they are always aligned.
+	// The pragmas and address-of-packed-member are not recognized as warning groups in clang 3.4.1, so ignore unknown pragmas first.
+	fmt.Fprintf(fgcc, "#pragma GCC diagnostic ignored \"-Wunknown-pragmas\"\n")
+	fmt.Fprintf(fgcc, "#pragma GCC diagnostic ignored \"-Wpragmas\"\n")
+	fmt.Fprintf(fgcc, "#pragma GCC diagnostic ignored \"-Waddress-of-packed-member\"\n")
+
 	fmt.Fprintf(fgcc, "extern void crosscall2(void (*fn)(void *, int, __SIZE_TYPE__), void *, int, __SIZE_TYPE__);\n")
 	fmt.Fprintf(fgcc, "extern __SIZE_TYPE__ _cgo_wait_runtime_init_done();\n")
 	fmt.Fprintf(fgcc, "extern void _cgo_release_context(__SIZE_TYPE__);\n\n")
@@ -1340,6 +1346,13 @@ __cgo_size_assert(double, 8)
 
 extern char* _cgo_topofstack(void);
 
+/* We use packed structs, but they are always aligned.  */
+/* The pragmas and address-of-packed-member are not recognized as warning groups in clang 3.4.1, so ignore unknown pragmas first. */
+
+#pragma GCC diagnostic ignored "-Wunknown-pragmas"
+#pragma GCC diagnostic ignored "-Wpragmas"
+#pragma GCC diagnostic ignored "-Waddress-of-packed-member"
+
 #include <errno.h>
 #include <string.h>
 `

src/cmd/compile/internal/gc/const.go

@@ -121,6 +121,17 @@ func (n *Node) Int64() int64 {
 	return n.Val().U.(*Mpint).Int64()
 }
 
+// CanInt64 reports whether it is safe to call Int64() on n.
+func (n *Node) CanInt64() bool {
+	if !Isconst(n, CTINT) {
+		return false
+	}
+
+	// if the value inside n cannot be represented as an int64, the
+	// return value of Int64 is undefined
+	return n.Val().U.(*Mpint).CmpInt64(n.Int64()) == 0
+}
+
 // Bool returns n as a bool.
 // n must be a boolean constant.
 func (n *Node) Bool() bool {

src/cmd/compile/internal/gc/main.go

@@ -481,13 +481,17 @@ func Main(archInit func(*Arch)) {
 	// Phase 1: const, type, and names and types of funcs.
 	//   This will gather all the information about types
 	//   and methods but doesn't depend on any of it.
+	//
+	//   We also defer type alias declarations until phase 2
+	//   to avoid cycles like #18640.
+	//   TODO(gri) Remove this again once we have a fix for #25838.
 	defercheckwidth()
 
 	// Don't use range--typecheck can add closures to xtop.
 	timings.Start("fe", "typecheck", "top1")
 	for i := 0; i < len(xtop); i++ {
 		n := xtop[i]
-		if op := n.Op; op != ODCL && op != OAS && op != OAS2 {
+		if op := n.Op; op != ODCL && op != OAS && op != OAS2 && (op != ODCLTYPE || !n.Left.Name.Param.Alias) {
 			xtop[i] = typecheck(n, Etop)
 		}
 	}
@@ -499,7 +503,7 @@ func Main(archInit func(*Arch)) {
 	timings.Start("fe", "typecheck", "top2")
 	for i := 0; i < len(xtop); i++ {
 		n := xtop[i]
-		if op := n.Op; op == ODCL || op == OAS || op == OAS2 {
+		if op := n.Op; op == ODCL || op == OAS || op == OAS2 || op == ODCLTYPE && n.Left.Name.Param.Alias {
 			xtop[i] = typecheck(n, Etop)
 		}
 	}

src/cmd/compile/internal/gc/reflect.go

@@ -1299,6 +1299,33 @@ func dtypesym(t *types.Type) *obj.LSym {
 	// for security, only the exported fields.
 	case TSTRUCT:
 		fields := t.Fields().Slice()
+
+		// omitFieldForAwfulBoringCryptoKludge reports whether
+		// the field t should be omitted from the reflect data.
+		// In the crypto/... packages we omit an unexported field
+		// named "boring", to keep from breaking client code that
+		// expects rsa.PublicKey etc to have only public fields.
+		// As the name suggests, this is an awful kludge, but it is
+		// limited to the dev.boringcrypto branch and avoids
+		// much more invasive effects elsewhere.
+		omitFieldForAwfulBoringCryptoKludge := func(t *types.Field) bool {
+			if t.Sym == nil || t.Sym.Name != "boring" || t.Sym.Pkg == nil {
+				return false
+			}
+			path := t.Sym.Pkg.Path
+			if t.Sym.Pkg == localpkg {
+				path = myimportpath
+			}
+			return strings.HasPrefix(path, "crypto/")
+		}
+		newFields := fields[:0:0]
+		for _, t1 := range fields {
+			if !omitFieldForAwfulBoringCryptoKludge(t1) {
+				newFields = append(newFields, t1)
+			}
+		}
+		fields = newFields
+
 		for _, t1 := range fields {
 			dtypesym(t1.Type)
 		}

src/cmd/compile/internal/gc/ssa.go

@@ -3863,6 +3863,18 @@ func (s *state) boundsCheck(idx, len *ssa.Value) {
 	s.check(cmp, panicindex)
 }
 
+func couldBeNegative(v *ssa.Value) bool {
+	switch v.Op {
+	case ssa.OpSliceLen, ssa.OpSliceCap, ssa.OpStringLen:
+		return false
+	case ssa.OpConst64:
+		return v.AuxInt < 0
+	case ssa.OpConst32:
+		return int32(v.AuxInt) < 0
+	}
+	return true
+}
+
 // sliceBoundsCheck generates slice bounds checking code. Checks if 0 <= idx <= len, branches to exit if not.
 // Starts a new block on return.
 // idx and len are already converted to full int width.
@@ -3870,6 +3882,15 @@ func (s *state) sliceBoundsCheck(idx, len *ssa.Value) {
 	if Debug['B'] != 0 {
 		return
 	}
+	if couldBeNegative(len) {
+		// OpIsSliceInBounds requires second arg not negative; if it's not obviously true, must check.
+		cmpop := ssa.OpGeq64
+		if len.Type.Size() == 4 {
+			cmpop = ssa.OpGeq32
+		}
+		cmp := s.newValue2(cmpop, types.Types[TBOOL], len, s.zeroVal(len.Type))
+		s.check(cmp, panicslice)
+	}
 
 	// bounds check
 	cmp := s.newValue2(ssa.OpIsSliceInBounds, types.Types[TBOOL], idx, len)

src/cmd/compile/internal/gc/subr.go

@@ -1116,7 +1116,7 @@ func calcHasCall(n *Node) bool {
 
 	// When using soft-float, these ops might be rewritten to function calls
 	// so we ensure they are evaluated first.
-	case OADD, OSUB, OMINUS:
+	case OADD, OSUB, OMINUS, OMUL:
 		if thearch.SoftFloat && (isFloat[n.Type.Etype] || isComplex[n.Type.Etype]) {
 			return true
 		}
@@ -1627,8 +1627,9 @@ func genwrapper(rcvr *types.Type, method *types.Field, newnam *types.Sym) {
 		return
 	}
 
-	// Only generate I.M wrappers for I in I's own package.
-	if rcvr.IsInterface() && rcvr.Sym != nil && rcvr.Sym.Pkg != localpkg {
+	// Only generate I.M wrappers for I in I's own package
+	// but keep doing it for error.Error (was issue #29304).
+	if rcvr.IsInterface() && rcvr.Sym != nil && rcvr.Sym.Pkg != localpkg && rcvr != types.Errortype {
 		return
 	}
 

src/cmd/compile/internal/gc/typecheck.go

@@ -202,8 +202,16 @@ func typecheck(n *Node, top int) *Node {
 				// since it would expand indefinitely when aliases
 				// are substituted.
 				cycle := cycleFor(n)
-				for _, n := range cycle {
-					if n.Name != nil && !n.Name.Param.Alias {
+				for _, n1 := range cycle {
+					if n1.Name != nil && !n1.Name.Param.Alias {
+						// Cycle is ok. But if n is an alias type and doesn't
+						// have a type yet, we have a recursive type declaration
+						// with aliases that we can't handle properly yet.
+						// Report an error rather than crashing later.
+						if n.Name != nil && n.Name.Param.Alias && n.Type == nil {
+							lineno = n.Pos
+							Fatalf("cannot handle alias type declaration (issue #25838): %v", n)
+						}
 						lineno = lno
 						return n
 					}
@@ -1263,7 +1271,7 @@ func typecheck1(n *Node, top int) *Node {
 			n.Op = OCALLFUNC
 			if t.Etype != TFUNC {
 				name := l.String()
-				if isBuiltinFuncName(name) {
+				if isBuiltinFuncName(name) && l.Name.Defn != nil {
 					// be more specific when the function
 					// name matches a predeclared function
 					yyerror("cannot call non-function %s (type %v), declared at %s",
@@ -3987,6 +3995,12 @@ func deadcode(fn *Node) {
 }
 
 func deadcodeslice(nn Nodes) {
+	var lastLabel = -1
+	for i, n := range nn.Slice() {
+		if n != nil && n.Op == OLABEL {
+			lastLabel = i
+		}
+	}
 	for i, n := range nn.Slice() {
 		// Cut is set to true when all nodes after i'th position
 		// should be removed.
@@ -4009,10 +4023,14 @@ func deadcodeslice(nn Nodes) {
 				// If "then" or "else" branch ends with panic or return statement,
 				// it is safe to remove all statements after this node.
 				// isterminating is not used to avoid goto-related complications.
+				// We must be careful not to deadcode-remove labels, as they
+				// might be the target of a goto. See issue 28616.
 				if body := body.Slice(); len(body) != 0 {
 					switch body[(len(body) - 1)].Op {
 					case ORETURN, ORETJMP, OPANIC:
-						cut = true
+						if i > lastLabel {
+							cut = true
+						}
 					}
 				}
 			}

src/cmd/compile/internal/gc/walk.go

@@ -3701,6 +3701,12 @@ func walkinrange(n *Node, init *Nodes) *Node {
 		return n
 	}
 
+	// Ensure that Int64() does not overflow on a and c (it'll happen
+	// for any const above 2**63; see issue #27143).
+	if !a.CanInt64() || !c.CanInt64() {
+		return n
+	}
+
 	if opl == OLT {
 		// We have a < b && ...
 		// We need a ≤ b && ... to safely use unsigned comparison tricks.

src/cmd/compile/internal/ssa/deadstore.go

@@ -197,7 +197,8 @@ func elimDeadAutosGeneric(f *Func) {
 			panic("unhandled op with sym effect")
 		}
 
-		if v.Uses == 0 || len(args) == 0 {
+		if v.Uses == 0 && v.Op != OpNilCheck || len(args) == 0 {
+			// Nil check has no use, but we need to keep it.
 			return
 		}
 

src/cmd/compile/internal/ssa/gen/AMD64.rules

@@ -1510,13 +1510,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORL <v.Type> (SHLLconst <v.Type> [j0] (MOVWload [i0] {s} p mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORL <v.Type> (SHLLconst <v.Type> [j0] (MOVWload [i0] {s} p mem)) y)
 
 (ORQ
     s1:(SHLQconst [j1] x1:(MOVBload [i1] {s} p mem))
@@ -1531,13 +1531,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVWload [i0] {s} p mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVWload [i0] {s} p mem)) y)
 
 (ORQ
     s1:(SHLQconst [j1] x1:(MOVWload [i1] {s} p mem))
@@ -1552,13 +1552,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVLload [i0] {s} p mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVLload [i0] {s} p mem)) y)
 
 // Little-endian indexed loads
 
@@ -1635,13 +1635,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORL <v.Type> (SHLLconst <v.Type> [j0] (MOVWloadidx1 [i0] {s} p idx mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORL <v.Type> (SHLLconst <v.Type> [j0] (MOVWloadidx1 [i0] {s} p idx mem)) y)
 
 (ORQ
     s1:(SHLQconst [j1] x1:(MOVBloadidx1 [i1] {s} p idx mem))
@@ -1656,13 +1656,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVWloadidx1 [i0] {s} p idx mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVWloadidx1 [i0] {s} p idx mem)) y)
 
 (ORQ
     s1:(SHLQconst [j1] x1:(MOVWloadidx1 [i1] {s} p idx mem))
@@ -1677,13 +1677,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVLloadidx1 [i0] {s} p idx mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j0] (MOVLloadidx1 [i0] {s} p idx mem)) y)
 
 // Big-endian loads
 
@@ -1777,13 +1777,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORL <v.Type> (SHLLconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWload [i0] {s} p mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORL <v.Type> (SHLLconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWload [i0] {s} p mem))) y)
 
 (ORQ
     s0:(SHLQconst [j0] x0:(MOVBload [i0] {s} p mem))
@@ -1798,13 +1798,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWload [i0] {s} p mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWload [i0] {s} p mem))) y)
 
 (ORQ
     s0:(SHLQconst [j0] r0:(ROLWconst [8] x0:(MOVWload [i0] {s} p mem)))
@@ -1821,7 +1821,7 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(r0)
@@ -1829,7 +1829,7 @@
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (BSWAPL <typ.UInt32> (MOVLload [i0] {s} p mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (BSWAPL <typ.UInt32> (MOVLload [i0] {s} p mem))) y)
 
 // Big-endian indexed loads
 
@@ -1923,13 +1923,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORL <v.Type> (SHLLconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWloadidx1 [i0] {s} p idx mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORL <v.Type> (SHLLconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWloadidx1 [i0] {s} p idx mem))) y)
 
 (ORQ
     s0:(SHLQconst [j0] x0:(MOVBloadidx1 [i0] {s} p idx mem))
@@ -1944,13 +1944,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWloadidx1 [i0] {s} p idx mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (ROLWconst <typ.UInt16> [8] (MOVWloadidx1 [i0] {s} p idx mem))) y)
 
 (ORQ
     s0:(SHLQconst [j0] r0:(ROLWconst [8] x0:(MOVWloadidx1 [i0] {s} p idx mem)))
@@ -1967,7 +1967,7 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(r0)
@@ -1975,7 +1975,7 @@
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (BSWAPL <typ.UInt32> (MOVLloadidx1 [i0] {s} p idx mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORQ <v.Type> (SHLQconst <v.Type> [j1] (BSWAPL <typ.UInt32> (MOVLloadidx1 [i0] {s} p idx mem))) y)
 
 // Combine 2 byte stores + shift into rolw 8 + word store
 (MOVBstore [i] {s} p w

src/cmd/compile/internal/ssa/gen/MIPS.rules

@@ -670,8 +670,8 @@
 (SGTUconst [c] (MOVHUreg _)) && 0xffff < uint32(c) -> (MOVWconst [1])
 (SGTconst [c] (ANDconst [m] _)) && 0 <= int32(m) && int32(m) < int32(c) -> (MOVWconst [1])
 (SGTUconst [c] (ANDconst [m] _)) && uint32(m) < uint32(c) -> (MOVWconst [1])
-(SGTconst [c] (SRLconst _ [d])) && 0 <= int32(c) && uint32(d) <= 31 && 1<<(32-uint32(d)) <= int32(c) -> (MOVWconst [1])
-(SGTUconst [c] (SRLconst _ [d])) && uint32(d) <= 31 && 1<<(32-uint32(d)) <= uint32(c) -> (MOVWconst [1])
+(SGTconst [c] (SRLconst _ [d])) && 0 <= int32(c) && uint32(d) <= 31 && 0xffffffff>>uint32(d) < uint32(c) -> (MOVWconst [1])
+(SGTUconst [c] (SRLconst _ [d])) && uint32(d) <= 31 && 0xffffffff>>uint32(d) < uint32(c) -> (MOVWconst [1])
 
 // absorb constants into branches
 (EQ  (MOVWconst [0]) yes no) -> (First nil yes no)

src/cmd/compile/internal/ssa/gen/MIPS64.rules

@@ -667,8 +667,8 @@
 (SGTconst [c] (MOVWUreg _)) && c < 0 -> (MOVVconst [0])
 (SGTconst [c] (ANDconst [m] _)) && 0 <= m && m < c -> (MOVVconst [1])
 (SGTUconst [c] (ANDconst [m] _)) && uint64(m) < uint64(c) -> (MOVVconst [1])
-(SGTconst [c] (SRLVconst _ [d])) && 0 <= c && 0 < d && d <= 63 && 1<<uint64(64-d) <= c -> (MOVVconst [1])
-(SGTUconst [c] (SRLVconst _ [d])) && 0 < d && d <= 63 && 1<<uint64(64-d) <= uint64(c) -> (MOVVconst [1])
+(SGTconst [c] (SRLVconst _ [d])) && 0 <= c && 0 < d && d <= 63 && 0xffffffffffffffff>>uint64(d) < uint64(c) -> (MOVVconst [1])
+(SGTUconst [c] (SRLVconst _ [d])) && 0 < d && d <= 63 && 0xffffffffffffffff>>uint64(d) < uint64(c) -> (MOVVconst [1])
 
 // absorb constants into branches
 (EQ  (MOVVconst [0]) yes no) -> (First nil yes no)

src/cmd/compile/internal/ssa/gen/S390X.rules

@@ -1445,13 +1445,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORW <v.Type> (SLWconst <v.Type> [j1] (MOVHZload [i0] {s} p mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORW <v.Type> (SLWconst <v.Type> [j1] (MOVHZload [i0] {s} p mem)) y)
 
 (OR
     s0:(SLDconst [j0] x0:(MOVBZload [i0] {s} p mem))
@@ -1466,13 +1466,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVHZload [i0] {s} p mem)) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVHZload [i0] {s} p mem)) y)
 
 (OR
     s0:(SLDconst [j0] x0:(MOVHZload [i0] {s} p mem))
@@ -1487,13 +1487,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVWZload [i0] {s} p mem)) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVWZload [i0] {s} p mem)) y)
 
 // Big-endian indexed loads
 
@@ -1575,13 +1575,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORW <v.Type> (SLWconst <v.Type> [j1] (MOVHZloadidx [i0] {s} p idx mem)) y)
+  -> @mergePoint(b,x0,x1,y) (ORW <v.Type> (SLWconst <v.Type> [j1] (MOVHZloadidx [i0] {s} p idx mem)) y)
 
 (OR
     s0:(SLDconst [j0] x0:(MOVBZloadidx [i0] {s} p idx mem))
@@ -1596,13 +1596,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVHZloadidx [i0] {s} p idx mem)) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVHZloadidx [i0] {s} p idx mem)) y)
 
 (OR
     s0:(SLDconst [j0] x0:(MOVHZloadidx [i0] {s} p idx mem))
@@ -1617,13 +1617,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVWZloadidx [i0] {s} p idx mem)) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j1] (MOVWZloadidx [i0] {s} p idx mem)) y)
 
 // Little-endian loads
 
@@ -1715,13 +1715,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORW <v.Type> (SLWconst <v.Type> [j0] (MOVHZreg (MOVHBRload [i0] {s} p mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORW <v.Type> (SLWconst <v.Type> [j0] (MOVHZreg (MOVHBRload [i0] {s} p mem))) y)
 
 (OR
     s1:(SLDconst [j1] x1:(MOVBZload [i1] {s} p mem))
@@ -1737,13 +1737,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVHZreg (MOVHBRload [i0] {s} p mem))) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVHZreg (MOVHBRload [i0] {s} p mem))) y)
 
 (OR
     s1:(SLDconst [j1] r1:(MOVHZreg x1:(MOVHBRload [i1] {s} p mem)))
@@ -1760,7 +1760,7 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(r0)
@@ -1768,7 +1768,7 @@
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVWZreg (MOVWBRload [i0] {s} p mem))) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVWZreg (MOVWBRload [i0] {s} p mem))) y)
 
 // Little-endian indexed loads
 
@@ -1860,13 +1860,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (ORW <v.Type> (SLWconst <v.Type> [j0] (MOVHZreg (MOVHBRloadidx [i0] {s} p idx mem))) y)
+  -> @mergePoint(b,x0,x1,y) (ORW <v.Type> (SLWconst <v.Type> [j0] (MOVHZreg (MOVHBRloadidx [i0] {s} p idx mem))) y)
 
 (OR
     s1:(SLDconst [j1] x1:(MOVBZloadidx [i1] {s} p idx mem))
@@ -1882,13 +1882,13 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVHZreg (MOVHBRloadidx [i0] {s} p idx mem))) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVHZreg (MOVHBRloadidx [i0] {s} p idx mem))) y)
 
 (OR
     s1:(SLDconst [j1] r1:(MOVHZreg x1:(MOVHBRloadidx [i1] {s} p idx mem)))
@@ -1905,7 +1905,7 @@
   && s0.Uses == 1
   && s1.Uses == 1
   && or.Uses == 1
-  && mergePoint(b,x0,x1) != nil
+  && mergePoint(b,x0,x1,y) != nil
   && clobber(x0)
   && clobber(x1)
   && clobber(r0)
@@ -1913,7 +1913,7 @@
   && clobber(s0)
   && clobber(s1)
   && clobber(or)
-  -> @mergePoint(b,x0,x1) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVWZreg (MOVWBRloadidx [i0] {s} p idx mem))) y)
+  -> @mergePoint(b,x0,x1,y) (OR <v.Type> (SLDconst <v.Type> [j0] (MOVWZreg (MOVWBRloadidx [i0] {s} p idx mem))) y)
 
 // Combine stores into store multiples.
 // 32-bit

src/cmd/compile/internal/ssa/gen/generic.rules

@@ -1539,8 +1539,8 @@
 // Don't Move from memory if the values are likely to already be
 // in registers.
 (Move {t1} [n] dst p1
-	mem:(Store {t2} op2:(OffPtr [o2] p2) d1
-		(Store {t3} op3:(OffPtr [0] p3) d2 _)))
+	mem:(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1
+		(Store {t3} op3:(OffPtr <tt3> [0] p3) d2 _)))
 	&& isSamePtr(p1, p2) && isSamePtr(p2, p3)
 	&& alignof(t2) <= alignof(t1)
 	&& alignof(t3) <= alignof(t1)
@@ -1548,12 +1548,12 @@
 	&& registerizable(b, t3)
 	&& o2 == sizeof(t3)
 	&& n == sizeof(t2) + sizeof(t3)
-	-> (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1
-		(Store {t3} (OffPtr <t3.(*types.Type)> [0] dst) d2 mem))
+	-> (Store {t2} (OffPtr <tt2> [o2] dst) d1
+		(Store {t3} (OffPtr <tt3> [0] dst) d2 mem))
 (Move {t1} [n] dst p1
-	mem:(Store {t2} op2:(OffPtr [o2] p2) d1
-		(Store {t3} op3:(OffPtr [o3] p3) d2
-			(Store {t4} op4:(OffPtr [0] p4) d3 _))))
+	mem:(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1
+		(Store {t3} op3:(OffPtr <tt3> [o3] p3) d2
+			(Store {t4} op4:(OffPtr <tt4> [0] p4) d3 _))))
 	&& isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4)
 	&& alignof(t2) <= alignof(t1)
 	&& alignof(t3) <= alignof(t1)
@@ -1564,14 +1564,14 @@
 	&& o3 == sizeof(t4)
 	&& o2-o3 == sizeof(t3)
 	&& n == sizeof(t2) + sizeof(t3) + sizeof(t4)
-	-> (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1
-		(Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2
-			(Store {t4} (OffPtr <t4.(*types.Type)> [0] dst) d3 mem)))
+	-> (Store {t2} (OffPtr <tt2> [o2] dst) d1
+		(Store {t3} (OffPtr <tt3> [o3] dst) d2
+			(Store {t4} (OffPtr <tt4> [0] dst) d3 mem)))
 (Move {t1} [n] dst p1
-	mem:(Store {t2} op2:(OffPtr [o2] p2) d1
-		(Store {t3} op3:(OffPtr [o3] p3) d2
-			(Store {t4} op4:(OffPtr [o4] p4) d3
-				(Store {t5} op5:(OffPtr [0] p5) d4 _)))))
+	mem:(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1
+		(Store {t3} op3:(OffPtr <tt3> [o3] p3) d2
+			(Store {t4} op4:(OffPtr <tt4> [o4] p4) d3
+				(Store {t5} op5:(OffPtr <tt5> [0] p5) d4 _)))))
 	&& isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4) && isSamePtr(p4, p5)
 	&& alignof(t2) <= alignof(t1)
 	&& alignof(t3) <= alignof(t1)
@@ -1585,16 +1585,16 @@
 	&& o3-o4 == sizeof(t4)
 	&& o2-o3 == sizeof(t3)
 	&& n == sizeof(t2) + sizeof(t3) + sizeof(t4) + sizeof(t5)
-	-> (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1
-		(Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2
-			(Store {t4} (OffPtr <t4.(*types.Type)> [o4] dst) d3
-				(Store {t5} (OffPtr <t5.(*types.Type)> [0] dst) d4 mem))))
+	-> (Store {t2} (OffPtr <tt2> [o2] dst) d1
+		(Store {t3} (OffPtr <tt3> [o3] dst) d2
+			(Store {t4} (OffPtr <tt4> [o4] dst) d3
+				(Store {t5} (OffPtr <tt5> [0] dst) d4 mem))))
 
 // Same thing but with VarDef in the middle.
 (Move {t1} [n] dst p1
 	mem:(VarDef
-		(Store {t2} op2:(OffPtr [o2] p2) d1
-			(Store {t3} op3:(OffPtr [0] p3) d2 _))))
+		(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1
+			(Store {t3} op3:(OffPtr <tt3> [0] p3) d2 _))))
 	&& isSamePtr(p1, p2) && isSamePtr(p2, p3)
 	&& alignof(t2) <= alignof(t1)
 	&& alignof(t3) <= alignof(t1)
@@ -1602,13 +1602,13 @@
 	&& registerizable(b, t3)
 	&& o2 == sizeof(t3)
 	&& n == sizeof(t2) + sizeof(t3)
-	-> (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1
-		(Store {t3} (OffPtr <t3.(*types.Type)> [0] dst) d2 mem))
+	-> (Store {t2} (OffPtr <tt2> [o2] dst) d1
+		(Store {t3} (OffPtr <tt3> [0] dst) d2 mem))
 (Move {t1} [n] dst p1
 	mem:(VarDef
-		(Store {t2} op2:(OffPtr [o2] p2) d1
-			(Store {t3} op3:(OffPtr [o3] p3) d2
-				(Store {t4} op4:(OffPtr [0] p4) d3 _)))))
+		(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1
+			(Store {t3} op3:(OffPtr <tt3> [o3] p3) d2
+				(Store {t4} op4:(OffPtr <tt4> [0] p4) d3 _)))))
 	&& isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4)
 	&& alignof(t2) <= alignof(t1)
 	&& alignof(t3) <= alignof(t1)
@@ -1619,15 +1619,15 @@
 	&& o3 == sizeof(t4)
 	&& o2-o3 == sizeof(t3)
 	&& n == sizeof(t2) + sizeof(t3) + sizeof(t4)
-	-> (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1
-		(Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2
-			(Store {t4} (OffPtr <t4.(*types.Type)> [0] dst) d3 mem)))
+	-> (Store {t2} (OffPtr <tt2> [o2] dst) d1
+		(Store {t3} (OffPtr <tt3> [o3] dst) d2
+			(Store {t4} (OffPtr <tt4> [0] dst) d3 mem)))
 (Move {t1} [n] dst p1
 	mem:(VarDef
-		(Store {t2} op2:(OffPtr [o2] p2) d1
-			(Store {t3} op3:(OffPtr [o3] p3) d2
-				(Store {t4} op4:(OffPtr [o4] p4) d3
-					(Store {t5} op5:(OffPtr [0] p5) d4 _))))))
+		(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1
+			(Store {t3} op3:(OffPtr <tt3> [o3] p3) d2
+				(Store {t4} op4:(OffPtr <tt4> [o4] p4) d3
+					(Store {t5} op5:(OffPtr <tt5> [0] p5) d4 _))))))
 	&& isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4) && isSamePtr(p4, p5)
 	&& alignof(t2) <= alignof(t1)
 	&& alignof(t3) <= alignof(t1)
@@ -1641,10 +1641,10 @@
 	&& o3-o4 == sizeof(t4)
 	&& o2-o3 == sizeof(t3)
 	&& n == sizeof(t2) + sizeof(t3) + sizeof(t4) + sizeof(t5)
-	-> (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1
-		(Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2
-			(Store {t4} (OffPtr <t4.(*types.Type)> [o4] dst) d3
-				(Store {t5} (OffPtr <t5.(*types.Type)> [0] dst) d4 mem))))
+	-> (Store {t2} (OffPtr <tt2> [o2] dst) d1
+		(Store {t3} (OffPtr <tt3> [o3] dst) d2
+			(Store {t4} (OffPtr <tt4> [o4] dst) d3
+				(Store {t5} (OffPtr <tt5> [0] dst) d4 mem))))
 
 // Prefer to Zero and Store than to Move.
 (Move {t1} [n] dst p1

src/cmd/compile/internal/ssa/prove.go

@@ -197,6 +197,9 @@ func newFactsTable(f *Func) *factsTable {
 // update updates the set of relations between v and w in domain d
 // restricting it to r.
 func (ft *factsTable) update(parent *Block, v, w *Value, d domain, r relation) {
+	if parent.Func.pass.debug > 2 {
+		parent.Func.Warnl(parent.Pos, "parent=%s, update %s %s %s", parent, v, w, r)
+	}
 	// No need to do anything else if we already found unsat.
 	if ft.unsat {
 		return
@@ -234,6 +237,9 @@ func (ft *factsTable) update(parent *Block, v, w *Value, d domain, r relation) {
 			panic("unknown relation")
 		}
 		if !ok {
+			if parent.Func.pass.debug > 2 {
+				parent.Func.Warnl(parent.Pos, "unsat %s %s %s", v, w, r)
+			}
 			ft.unsat = true
 			return
 		}
@@ -260,6 +266,9 @@ func (ft *factsTable) update(parent *Block, v, w *Value, d domain, r relation) {
 		ft.facts[p] = oldR & r
 		// If this relation is not satisfiable, mark it and exit right away
 		if oldR&r == 0 {
+			if parent.Func.pass.debug > 2 {
+				parent.Func.Warnl(parent.Pos, "unsat %s %s %s", v, w, r)
+			}
 			ft.unsat = true
 			return
 		}
@@ -361,7 +370,7 @@ func (ft *factsTable) update(parent *Block, v, w *Value, d domain, r relation) {
 		lim = old.intersect(lim)
 		ft.limits[v.ID] = lim
 		if v.Block.Func.pass.debug > 2 {
-			v.Block.Func.Warnl(parent.Pos, "parent=%s, new limits %s %s %s", parent, v, w, lim.String())
+			v.Block.Func.Warnl(parent.Pos, "parent=%s, new limits %s %s %s %s", parent, v, w, r, lim.String())
 		}
 		if lim.min > lim.max || lim.umin > lim.umax {
 			ft.unsat = true
@@ -425,13 +434,13 @@ func (ft *factsTable) update(parent *Block, v, w *Value, d domain, r relation) {
 			//
 			// Useful for i > 0; s[i-1].
 			lim, ok := ft.limits[x.ID]
-			if ok && lim.min > opMin[v.Op] {
+			if ok && ((d == signed && lim.min > opMin[v.Op]) || (d == unsigned && lim.umin > 0)) {
 				ft.update(parent, x, w, d, gt)
 			}
 		} else if x, delta := isConstDelta(w); x != nil && delta == 1 {
 			// v >= x+1 && x < max  ⇒  v > x
 			lim, ok := ft.limits[x.ID]
-			if ok && lim.max < opMax[w.Op] {
+			if ok && ((d == signed && lim.max < opMax[w.Op]) || (d == unsigned && lim.umax < opUMax[w.Op])) {
 				ft.update(parent, v, x, d, gt)
 			}
 		}
@@ -442,7 +451,7 @@ func (ft *factsTable) update(parent *Block, v, w *Value, d domain, r relation) {
 	if r == gt || r == gt|eq {
 		if x, delta := isConstDelta(v); x != nil && d == signed {
 			if parent.Func.pass.debug > 1 {
-				parent.Func.Warnl(parent.Pos, "x+d >= w; x:%v %v delta:%v w:%v d:%v", x, parent.String(), delta, w.AuxInt, d)
+				parent.Func.Warnl(parent.Pos, "x+d %s w; x:%v %v delta:%v w:%v d:%v", r, x, parent.String(), delta, w.AuxInt, d)
 			}
 			if !w.isGenericIntConst() {
 				// If we know that x+delta > w but w is not constant, we can derive:
@@ -503,8 +512,10 @@ func (ft *factsTable) update(parent *Block, v, w *Value, d domain, r relation) {
 					// the other must be true
 					if l, has := ft.limits[x.ID]; has {
 						if l.max <= min {
-							// x>min is impossible, so it must be x<=max
-							ft.update(parent, vmax, x, d, r|eq)
+							if r&eq == 0 || l.max < min {
+								// x>min (x>=min) is impossible, so it must be x<=max
+								ft.update(parent, vmax, x, d, r|eq)
+							}
 						} else if l.min > max {
 							// x<=max is impossible, so it must be x>min
 							ft.update(parent, x, vmin, d, r)
@@ -527,21 +538,40 @@ var opMax = map[Op]int64{
 	OpAdd32: math.MaxInt32, OpSub32: math.MaxInt32,
 }
 
+var opUMax = map[Op]uint64{
+	OpAdd64: math.MaxUint64, OpSub64: math.MaxUint64,
+	OpAdd32: math.MaxUint32, OpSub32: math.MaxUint32,
+}
+
 // isNonNegative reports whether v is known to be non-negative.
 func (ft *factsTable) isNonNegative(v *Value) bool {
 	if isNonNegative(v) {
 		return true
 	}
 
+	var max int64
+	switch v.Type.Size() {
+	case 1:
+		max = math.MaxInt8
+	case 2:
+		max = math.MaxInt16
+	case 4:
+		max = math.MaxInt32
+	case 8:
+		max = math.MaxInt64
+	default:
+		panic("unexpected integer size")
+	}
+
 	// Check if the recorded limits can prove that the value is positive
-	if l, has := ft.limits[v.ID]; has && (l.min >= 0 || l.umax <= math.MaxInt64) {
+	if l, has := ft.limits[v.ID]; has && (l.min >= 0 || l.umax <= uint64(max)) {
 		return true
 	}
 
 	// Check if v = x+delta, and we can use x's limits to prove that it's positive
 	if x, delta := isConstDelta(v); x != nil {
 		if l, has := ft.limits[x.ID]; has {
-			if delta > 0 && l.min >= -delta && l.max <= math.MaxInt64-delta {
+			if delta > 0 && l.min >= -delta && l.max <= max-delta {
 				return true
 			}
 			if delta < 0 && l.min >= -delta {

src/cmd/compile/internal/ssa/rewriteMIPS.go

@@ -5623,7 +5623,7 @@ func rewriteValueMIPS_OpMIPSSGTUconst_0(v *Value) bool {
 		return true
 	}
 	// match: (SGTUconst [c] (SRLconst _ [d]))
-	// cond: uint32(d) <= 31 && 1<<(32-uint32(d)) <= uint32(c)
+	// cond: uint32(d) <= 31 && 0xffffffff>>uint32(d) < uint32(c)
 	// result: (MOVWconst [1])
 	for {
 		c := v.AuxInt
@@ -5632,7 +5632,7 @@ func rewriteValueMIPS_OpMIPSSGTUconst_0(v *Value) bool {
 			break
 		}
 		d := v_0.AuxInt
-		if !(uint32(d) <= 31 && 1<<(32-uint32(d)) <= uint32(c)) {
+		if !(uint32(d) <= 31 && 0xffffffff>>uint32(d) < uint32(c)) {
 			break
 		}
 		v.reset(OpMIPSMOVWconst)
@@ -5860,7 +5860,7 @@ func rewriteValueMIPS_OpMIPSSGTconst_10(v *Value) bool {
 		return true
 	}
 	// match: (SGTconst [c] (SRLconst _ [d]))
-	// cond: 0 <= int32(c) && uint32(d) <= 31 && 1<<(32-uint32(d)) <= int32(c)
+	// cond: 0 <= int32(c) && uint32(d) <= 31 && 0xffffffff>>uint32(d) < uint32(c)
 	// result: (MOVWconst [1])
 	for {
 		c := v.AuxInt
@@ -5869,7 +5869,7 @@ func rewriteValueMIPS_OpMIPSSGTconst_10(v *Value) bool {
 			break
 		}
 		d := v_0.AuxInt
-		if !(0 <= int32(c) && uint32(d) <= 31 && 1<<(32-uint32(d)) <= int32(c)) {
+		if !(0 <= int32(c) && uint32(d) <= 31 && 0xffffffff>>uint32(d) < uint32(c)) {
 			break
 		}
 		v.reset(OpMIPSMOVWconst)

src/cmd/compile/internal/ssa/rewriteMIPS64.go

@@ -6003,7 +6003,7 @@ func rewriteValueMIPS64_OpMIPS64SGTUconst_0(v *Value) bool {
 		return true
 	}
 	// match: (SGTUconst [c] (SRLVconst _ [d]))
-	// cond: 0 < d && d <= 63 && 1<<uint64(64-d) <= uint64(c)
+	// cond: 0 < d && d <= 63 && 0xffffffffffffffff>>uint64(d) < uint64(c)
 	// result: (MOVVconst [1])
 	for {
 		c := v.AuxInt
@@ -6012,7 +6012,7 @@ func rewriteValueMIPS64_OpMIPS64SGTUconst_0(v *Value) bool {
 			break
 		}
 		d := v_0.AuxInt
-		if !(0 < d && d <= 63 && 1<<uint64(64-d) <= uint64(c)) {
+		if !(0 < d && d <= 63 && 0xffffffffffffffff>>uint64(d) < uint64(c)) {
 			break
 		}
 		v.reset(OpMIPS64MOVVconst)
@@ -6221,7 +6221,7 @@ func rewriteValueMIPS64_OpMIPS64SGTconst_10(v *Value) bool {
 		return true
 	}
 	// match: (SGTconst [c] (SRLVconst _ [d]))
-	// cond: 0 <= c && 0 < d && d <= 63 && 1<<uint64(64-d) <= c
+	// cond: 0 <= c && 0 < d && d <= 63 && 0xffffffffffffffff>>uint64(d) < uint64(c)
 	// result: (MOVVconst [1])
 	for {
 		c := v.AuxInt
@@ -6230,7 +6230,7 @@ func rewriteValueMIPS64_OpMIPS64SGTconst_10(v *Value) bool {
 			break
 		}
 		d := v_0.AuxInt
-		if !(0 <= c && 0 < d && d <= 63 && 1<<uint64(64-d) <= c) {
+		if !(0 <= c && 0 < d && d <= 63 && 0xffffffffffffffff>>uint64(d) < uint64(c)) {
 			break
 		}
 		v.reset(OpMIPS64MOVVconst)

src/cmd/compile/internal/ssa/rewritegeneric.go

@@ -16223,9 +16223,9 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (Move {t1} [n] dst p1 mem:(Store {t2} op2:(OffPtr [o2] p2) d1 (Store {t3} op3:(OffPtr [0] p3) d2 _)))
+	// match: (Move {t1} [n] dst p1 mem:(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1 (Store {t3} op3:(OffPtr <tt3> [0] p3) d2 _)))
 	// cond: isSamePtr(p1, p2) && isSamePtr(p2, p3) && alignof(t2) <= alignof(t1) && alignof(t3) <= alignof(t1) && registerizable(b, t2) && registerizable(b, t3) && o2 == sizeof(t3) && n == sizeof(t2) + sizeof(t3)
-	// result: (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1 (Store {t3} (OffPtr <t3.(*types.Type)> [0] dst) d2 mem))
+	// result: (Store {t2} (OffPtr <tt2> [o2] dst) d1 (Store {t3} (OffPtr <tt3> [0] dst) d2 mem))
 	for {
 		n := v.AuxInt
 		t1 := v.Aux
@@ -16242,6 +16242,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op2.Op != OpOffPtr {
 			break
 		}
+		tt2 := op2.Type
 		o2 := op2.AuxInt
 		p2 := op2.Args[0]
 		d1 := mem.Args[1]
@@ -16255,6 +16256,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op3.Op != OpOffPtr {
 			break
 		}
+		tt3 := op3.Type
 		if op3.AuxInt != 0 {
 			break
 		}
@@ -16265,14 +16267,14 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		}
 		v.reset(OpStore)
 		v.Aux = t2
-		v0 := b.NewValue0(v.Pos, OpOffPtr, t2.(*types.Type))
+		v0 := b.NewValue0(v.Pos, OpOffPtr, tt2)
 		v0.AuxInt = o2
 		v0.AddArg(dst)
 		v.AddArg(v0)
 		v.AddArg(d1)
 		v1 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v1.Aux = t3
-		v2 := b.NewValue0(v.Pos, OpOffPtr, t3.(*types.Type))
+		v2 := b.NewValue0(v.Pos, OpOffPtr, tt3)
 		v2.AuxInt = 0
 		v2.AddArg(dst)
 		v1.AddArg(v2)
@@ -16281,9 +16283,9 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		v.AddArg(v1)
 		return true
 	}
-	// match: (Move {t1} [n] dst p1 mem:(Store {t2} op2:(OffPtr [o2] p2) d1 (Store {t3} op3:(OffPtr [o3] p3) d2 (Store {t4} op4:(OffPtr [0] p4) d3 _))))
+	// match: (Move {t1} [n] dst p1 mem:(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1 (Store {t3} op3:(OffPtr <tt3> [o3] p3) d2 (Store {t4} op4:(OffPtr <tt4> [0] p4) d3 _))))
 	// cond: isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4) && alignof(t2) <= alignof(t1) && alignof(t3) <= alignof(t1) && alignof(t4) <= alignof(t1) && registerizable(b, t2) && registerizable(b, t3) && registerizable(b, t4) && o3 == sizeof(t4) && o2-o3 == sizeof(t3) && n == sizeof(t2) + sizeof(t3) + sizeof(t4)
-	// result: (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1 (Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2 (Store {t4} (OffPtr <t4.(*types.Type)> [0] dst) d3 mem)))
+	// result: (Store {t2} (OffPtr <tt2> [o2] dst) d1 (Store {t3} (OffPtr <tt3> [o3] dst) d2 (Store {t4} (OffPtr <tt4> [0] dst) d3 mem)))
 	for {
 		n := v.AuxInt
 		t1 := v.Aux
@@ -16300,6 +16302,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op2.Op != OpOffPtr {
 			break
 		}
+		tt2 := op2.Type
 		o2 := op2.AuxInt
 		p2 := op2.Args[0]
 		d1 := mem.Args[1]
@@ -16313,6 +16316,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op3.Op != OpOffPtr {
 			break
 		}
+		tt3 := op3.Type
 		o3 := op3.AuxInt
 		p3 := op3.Args[0]
 		d2 := mem_2.Args[1]
@@ -16326,6 +16330,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op4.Op != OpOffPtr {
 			break
 		}
+		tt4 := op4.Type
 		if op4.AuxInt != 0 {
 			break
 		}
@@ -16336,21 +16341,21 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		}
 		v.reset(OpStore)
 		v.Aux = t2
-		v0 := b.NewValue0(v.Pos, OpOffPtr, t2.(*types.Type))
+		v0 := b.NewValue0(v.Pos, OpOffPtr, tt2)
 		v0.AuxInt = o2
 		v0.AddArg(dst)
 		v.AddArg(v0)
 		v.AddArg(d1)
 		v1 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v1.Aux = t3
-		v2 := b.NewValue0(v.Pos, OpOffPtr, t3.(*types.Type))
+		v2 := b.NewValue0(v.Pos, OpOffPtr, tt3)
 		v2.AuxInt = o3
 		v2.AddArg(dst)
 		v1.AddArg(v2)
 		v1.AddArg(d2)
 		v3 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v3.Aux = t4
-		v4 := b.NewValue0(v.Pos, OpOffPtr, t4.(*types.Type))
+		v4 := b.NewValue0(v.Pos, OpOffPtr, tt4)
 		v4.AuxInt = 0
 		v4.AddArg(dst)
 		v3.AddArg(v4)
@@ -16360,9 +16365,9 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		v.AddArg(v1)
 		return true
 	}
-	// match: (Move {t1} [n] dst p1 mem:(Store {t2} op2:(OffPtr [o2] p2) d1 (Store {t3} op3:(OffPtr [o3] p3) d2 (Store {t4} op4:(OffPtr [o4] p4) d3 (Store {t5} op5:(OffPtr [0] p5) d4 _)))))
+	// match: (Move {t1} [n] dst p1 mem:(Store {t2} op2:(OffPtr <tt2> [o2] p2) d1 (Store {t3} op3:(OffPtr <tt3> [o3] p3) d2 (Store {t4} op4:(OffPtr <tt4> [o4] p4) d3 (Store {t5} op5:(OffPtr <tt5> [0] p5) d4 _)))))
 	// cond: isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4) && isSamePtr(p4, p5) && alignof(t2) <= alignof(t1) && alignof(t3) <= alignof(t1) && alignof(t4) <= alignof(t1) && alignof(t5) <= alignof(t1) && registerizable(b, t2) && registerizable(b, t3) && registerizable(b, t4) && registerizable(b, t5) && o4 == sizeof(t5) && o3-o4 == sizeof(t4) && o2-o3 == sizeof(t3) && n == sizeof(t2) + sizeof(t3) + sizeof(t4) + sizeof(t5)
-	// result: (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1 (Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2 (Store {t4} (OffPtr <t4.(*types.Type)> [o4] dst) d3 (Store {t5} (OffPtr <t5.(*types.Type)> [0] dst) d4 mem))))
+	// result: (Store {t2} (OffPtr <tt2> [o2] dst) d1 (Store {t3} (OffPtr <tt3> [o3] dst) d2 (Store {t4} (OffPtr <tt4> [o4] dst) d3 (Store {t5} (OffPtr <tt5> [0] dst) d4 mem))))
 	for {
 		n := v.AuxInt
 		t1 := v.Aux
@@ -16379,6 +16384,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op2.Op != OpOffPtr {
 			break
 		}
+		tt2 := op2.Type
 		o2 := op2.AuxInt
 		p2 := op2.Args[0]
 		d1 := mem.Args[1]
@@ -16392,6 +16398,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op3.Op != OpOffPtr {
 			break
 		}
+		tt3 := op3.Type
 		o3 := op3.AuxInt
 		p3 := op3.Args[0]
 		d2 := mem_2.Args[1]
@@ -16405,6 +16412,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op4.Op != OpOffPtr {
 			break
 		}
+		tt4 := op4.Type
 		o4 := op4.AuxInt
 		p4 := op4.Args[0]
 		d3 := mem_2_2.Args[1]
@@ -16418,6 +16426,7 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		if op5.Op != OpOffPtr {
 			break
 		}
+		tt5 := op5.Type
 		if op5.AuxInt != 0 {
 			break
 		}
@@ -16428,28 +16437,28 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 		}
 		v.reset(OpStore)
 		v.Aux = t2
-		v0 := b.NewValue0(v.Pos, OpOffPtr, t2.(*types.Type))
+		v0 := b.NewValue0(v.Pos, OpOffPtr, tt2)
 		v0.AuxInt = o2
 		v0.AddArg(dst)
 		v.AddArg(v0)
 		v.AddArg(d1)
 		v1 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v1.Aux = t3
-		v2 := b.NewValue0(v.Pos, OpOffPtr, t3.(*types.Type))
+		v2 := b.NewValue0(v.Pos, OpOffPtr, tt3)
 		v2.AuxInt = o3
 		v2.AddArg(dst)
 		v1.AddArg(v2)
 		v1.AddArg(d2)
 		v3 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v3.Aux = t4
-		v4 := b.NewValue0(v.Pos, OpOffPtr, t4.(*types.Type))
+		v4 := b.NewValue0(v.Pos, OpOffPtr, tt4)
 		v4.AuxInt = o4
 		v4.AddArg(dst)
 		v3.AddArg(v4)
 		v3.AddArg(d3)
 		v5 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v5.Aux = t5
-		v6 := b.NewValue0(v.Pos, OpOffPtr, t5.(*types.Type))
+		v6 := b.NewValue0(v.Pos, OpOffPtr, tt5)
 		v6.AuxInt = 0
 		v6.AddArg(dst)
 		v5.AddArg(v6)
@@ -16465,9 +16474,9 @@ func rewriteValuegeneric_OpMove_0(v *Value) bool {
 func rewriteValuegeneric_OpMove_10(v *Value) bool {
 	b := v.Block
 	_ = b
-	// match: (Move {t1} [n] dst p1 mem:(VarDef (Store {t2} op2:(OffPtr [o2] p2) d1 (Store {t3} op3:(OffPtr [0] p3) d2 _))))
+	// match: (Move {t1} [n] dst p1 mem:(VarDef (Store {t2} op2:(OffPtr <tt2> [o2] p2) d1 (Store {t3} op3:(OffPtr <tt3> [0] p3) d2 _))))
 	// cond: isSamePtr(p1, p2) && isSamePtr(p2, p3) && alignof(t2) <= alignof(t1) && alignof(t3) <= alignof(t1) && registerizable(b, t2) && registerizable(b, t3) && o2 == sizeof(t3) && n == sizeof(t2) + sizeof(t3)
-	// result: (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1 (Store {t3} (OffPtr <t3.(*types.Type)> [0] dst) d2 mem))
+	// result: (Store {t2} (OffPtr <tt2> [o2] dst) d1 (Store {t3} (OffPtr <tt3> [0] dst) d2 mem))
 	for {
 		n := v.AuxInt
 		t1 := v.Aux
@@ -16488,6 +16497,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op2.Op != OpOffPtr {
 			break
 		}
+		tt2 := op2.Type
 		o2 := op2.AuxInt
 		p2 := op2.Args[0]
 		d1 := mem_0.Args[1]
@@ -16501,6 +16511,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op3.Op != OpOffPtr {
 			break
 		}
+		tt3 := op3.Type
 		if op3.AuxInt != 0 {
 			break
 		}
@@ -16511,14 +16522,14 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		}
 		v.reset(OpStore)
 		v.Aux = t2
-		v0 := b.NewValue0(v.Pos, OpOffPtr, t2.(*types.Type))
+		v0 := b.NewValue0(v.Pos, OpOffPtr, tt2)
 		v0.AuxInt = o2
 		v0.AddArg(dst)
 		v.AddArg(v0)
 		v.AddArg(d1)
 		v1 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v1.Aux = t3
-		v2 := b.NewValue0(v.Pos, OpOffPtr, t3.(*types.Type))
+		v2 := b.NewValue0(v.Pos, OpOffPtr, tt3)
 		v2.AuxInt = 0
 		v2.AddArg(dst)
 		v1.AddArg(v2)
@@ -16527,9 +16538,9 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		v.AddArg(v1)
 		return true
 	}
-	// match: (Move {t1} [n] dst p1 mem:(VarDef (Store {t2} op2:(OffPtr [o2] p2) d1 (Store {t3} op3:(OffPtr [o3] p3) d2 (Store {t4} op4:(OffPtr [0] p4) d3 _)))))
+	// match: (Move {t1} [n] dst p1 mem:(VarDef (Store {t2} op2:(OffPtr <tt2> [o2] p2) d1 (Store {t3} op3:(OffPtr <tt3> [o3] p3) d2 (Store {t4} op4:(OffPtr <tt4> [0] p4) d3 _)))))
 	// cond: isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4) && alignof(t2) <= alignof(t1) && alignof(t3) <= alignof(t1) && alignof(t4) <= alignof(t1) && registerizable(b, t2) && registerizable(b, t3) && registerizable(b, t4) && o3 == sizeof(t4) && o2-o3 == sizeof(t3) && n == sizeof(t2) + sizeof(t3) + sizeof(t4)
-	// result: (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1 (Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2 (Store {t4} (OffPtr <t4.(*types.Type)> [0] dst) d3 mem)))
+	// result: (Store {t2} (OffPtr <tt2> [o2] dst) d1 (Store {t3} (OffPtr <tt3> [o3] dst) d2 (Store {t4} (OffPtr <tt4> [0] dst) d3 mem)))
 	for {
 		n := v.AuxInt
 		t1 := v.Aux
@@ -16550,6 +16561,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op2.Op != OpOffPtr {
 			break
 		}
+		tt2 := op2.Type
 		o2 := op2.AuxInt
 		p2 := op2.Args[0]
 		d1 := mem_0.Args[1]
@@ -16563,6 +16575,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op3.Op != OpOffPtr {
 			break
 		}
+		tt3 := op3.Type
 		o3 := op3.AuxInt
 		p3 := op3.Args[0]
 		d2 := mem_0_2.Args[1]
@@ -16576,6 +16589,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op4.Op != OpOffPtr {
 			break
 		}
+		tt4 := op4.Type
 		if op4.AuxInt != 0 {
 			break
 		}
@@ -16586,21 +16600,21 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		}
 		v.reset(OpStore)
 		v.Aux = t2
-		v0 := b.NewValue0(v.Pos, OpOffPtr, t2.(*types.Type))
+		v0 := b.NewValue0(v.Pos, OpOffPtr, tt2)
 		v0.AuxInt = o2
 		v0.AddArg(dst)
 		v.AddArg(v0)
 		v.AddArg(d1)
 		v1 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v1.Aux = t3
-		v2 := b.NewValue0(v.Pos, OpOffPtr, t3.(*types.Type))
+		v2 := b.NewValue0(v.Pos, OpOffPtr, tt3)
 		v2.AuxInt = o3
 		v2.AddArg(dst)
 		v1.AddArg(v2)
 		v1.AddArg(d2)
 		v3 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v3.Aux = t4
-		v4 := b.NewValue0(v.Pos, OpOffPtr, t4.(*types.Type))
+		v4 := b.NewValue0(v.Pos, OpOffPtr, tt4)
 		v4.AuxInt = 0
 		v4.AddArg(dst)
 		v3.AddArg(v4)
@@ -16610,9 +16624,9 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		v.AddArg(v1)
 		return true
 	}
-	// match: (Move {t1} [n] dst p1 mem:(VarDef (Store {t2} op2:(OffPtr [o2] p2) d1 (Store {t3} op3:(OffPtr [o3] p3) d2 (Store {t4} op4:(OffPtr [o4] p4) d3 (Store {t5} op5:(OffPtr [0] p5) d4 _))))))
+	// match: (Move {t1} [n] dst p1 mem:(VarDef (Store {t2} op2:(OffPtr <tt2> [o2] p2) d1 (Store {t3} op3:(OffPtr <tt3> [o3] p3) d2 (Store {t4} op4:(OffPtr <tt4> [o4] p4) d3 (Store {t5} op5:(OffPtr <tt5> [0] p5) d4 _))))))
 	// cond: isSamePtr(p1, p2) && isSamePtr(p2, p3) && isSamePtr(p3, p4) && isSamePtr(p4, p5) && alignof(t2) <= alignof(t1) && alignof(t3) <= alignof(t1) && alignof(t4) <= alignof(t1) && alignof(t5) <= alignof(t1) && registerizable(b, t2) && registerizable(b, t3) && registerizable(b, t4) && registerizable(b, t5) && o4 == sizeof(t5) && o3-o4 == sizeof(t4) && o2-o3 == sizeof(t3) && n == sizeof(t2) + sizeof(t3) + sizeof(t4) + sizeof(t5)
-	// result: (Store {t2} (OffPtr <t2.(*types.Type)> [o2] dst) d1 (Store {t3} (OffPtr <t3.(*types.Type)> [o3] dst) d2 (Store {t4} (OffPtr <t4.(*types.Type)> [o4] dst) d3 (Store {t5} (OffPtr <t5.(*types.Type)> [0] dst) d4 mem))))
+	// result: (Store {t2} (OffPtr <tt2> [o2] dst) d1 (Store {t3} (OffPtr <tt3> [o3] dst) d2 (Store {t4} (OffPtr <tt4> [o4] dst) d3 (Store {t5} (OffPtr <tt5> [0] dst) d4 mem))))
 	for {
 		n := v.AuxInt
 		t1 := v.Aux
@@ -16633,6 +16647,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op2.Op != OpOffPtr {
 			break
 		}
+		tt2 := op2.Type
 		o2 := op2.AuxInt
 		p2 := op2.Args[0]
 		d1 := mem_0.Args[1]
@@ -16646,6 +16661,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op3.Op != OpOffPtr {
 			break
 		}
+		tt3 := op3.Type
 		o3 := op3.AuxInt
 		p3 := op3.Args[0]
 		d2 := mem_0_2.Args[1]
@@ -16659,6 +16675,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op4.Op != OpOffPtr {
 			break
 		}
+		tt4 := op4.Type
 		o4 := op4.AuxInt
 		p4 := op4.Args[0]
 		d3 := mem_0_2_2.Args[1]
@@ -16672,6 +16689,7 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		if op5.Op != OpOffPtr {
 			break
 		}
+		tt5 := op5.Type
 		if op5.AuxInt != 0 {
 			break
 		}
@@ -16682,28 +16700,28 @@ func rewriteValuegeneric_OpMove_10(v *Value) bool {
 		}
 		v.reset(OpStore)
 		v.Aux = t2
-		v0 := b.NewValue0(v.Pos, OpOffPtr, t2.(*types.Type))
+		v0 := b.NewValue0(v.Pos, OpOffPtr, tt2)
 		v0.AuxInt = o2
 		v0.AddArg(dst)
 		v.AddArg(v0)
 		v.AddArg(d1)
 		v1 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v1.Aux = t3
-		v2 := b.NewValue0(v.Pos, OpOffPtr, t3.(*types.Type))
+		v2 := b.NewValue0(v.Pos, OpOffPtr, tt3)
 		v2.AuxInt = o3
 		v2.AddArg(dst)
 		v1.AddArg(v2)
 		v1.AddArg(d2)
 		v3 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v3.Aux = t4
-		v4 := b.NewValue0(v.Pos, OpOffPtr, t4.(*types.Type))
+		v4 := b.NewValue0(v.Pos, OpOffPtr, tt4)
 		v4.AuxInt = o4
 		v4.AddArg(dst)
 		v3.AddArg(v4)
 		v3.AddArg(d3)
 		v5 := b.NewValue0(v.Pos, OpStore, types.TypeMem)
 		v5.Aux = t5
-		v6 := b.NewValue0(v.Pos, OpOffPtr, t5.(*types.Type))
+		v6 := b.NewValue0(v.Pos, OpOffPtr, tt5)
 		v6.AuxInt = 0
 		v6.AddArg(dst)
 		v5.AddArg(v6)

src/cmd/compile/internal/ssa/softfloat.go

@@ -4,7 +4,10 @@
 
 package ssa
 
-import "math"
+import (
+	"cmd/compile/internal/types"
+	"math"
+)
 
 func softfloat(f *Func) {
 	if !f.Config.SoftFloat {
@@ -53,6 +56,15 @@ func softfloat(f *Func) {
 					v.Type = f.Config.Types.UInt64
 				}
 				newInt64 = newInt64 || v.Type.Size() == 8
+			} else if (v.Op == OpStore || v.Op == OpZero || v.Op == OpMove) && v.Aux.(*types.Type).IsFloat() {
+				switch size := v.Aux.(*types.Type).Size(); size {
+				case 4:
+					v.Aux = f.Config.Types.UInt32
+				case 8:
+					v.Aux = f.Config.Types.UInt64
+				default:
+					v.Fatalf("bad float type with size %d", size)
+				}
 			}
 		}
 	}

src/cmd/compile/internal/types/type.go

@@ -817,7 +817,7 @@ func (t *Type) ChanArgs() *Type {
 	return t.Extra.(ChanArgs).T
 }
 
-// FuncArgs returns the channel type for TFUNCARGS type t.
+// FuncArgs returns the func type for TFUNCARGS type t.
 func (t *Type) FuncArgs() *Type {
 	t.wantEtype(TFUNCARGS)
 	return t.Extra.(FuncArgs).T

src/cmd/go/alldocs.go

@@ -144,7 +144,7 @@
 // 		link against shared libraries previously created with
 // 		-buildmode=shared.
 // 	-mod mode
-// 		module download mode to use: readonly, release, or vendor.
+// 		module download mode to use: readonly or vendor.
 // 		See 'go help modules' for more.
 // 	-pkgdir dir
 // 		install and load all packages from dir instead of the usual locations.
@@ -889,7 +889,7 @@
 //
 // Usage:
 //
-// 	go mod download [-dir] [-json] [modules]
+// 	go mod download [-json] [modules]
 //
 // Download downloads the named modules, which can be module patterns selecting
 // dependencies of the main module or module queries of the form path@version.
@@ -905,13 +905,15 @@
 // corresponding to this Go struct:
 //
 //     type Module struct {
-//         Path    string // module path
-//         Version string // module version
-//         Error   string // error loading module
-//         Info    string // absolute path to cached .info file
-//         GoMod   string // absolute path to cached .mod file
-//         Zip     string // absolute path to cached .zip file
-//         Dir     string // absolute path to cached source root directory
+//         Path     string // module path
+//         Version  string // module version
+//         Error    string // error loading module
+//         Info     string // absolute path to cached .info file
+//         GoMod    string // absolute path to cached .mod file
+//         Zip      string // absolute path to cached .zip file
+//         Dir      string // absolute path to cached source root directory
+//         Sum      string // checksum for path, version (as in go.sum)
+//         GoModSum string // checksum for go.mod (as in go.sum)
 //     }
 //
 // See 'go help modules' for more about module queries.
@@ -1447,6 +1449,12 @@
 // 		The directory where the go command will write
 // 		temporary source files, packages, and binaries.
 //
+// Each entry in the GOFLAGS list must be a standalone flag.
+// Because the entries are space-separated, flag values must
+// not contain spaces. In some cases, you can provide multiple flag
+// values instead: for example, to set '-ldflags=-s -w'
+// you can use 'GOFLAGS=-ldflags=-s -ldflags=-w'.
+//
 // Environment variables for use with cgo:
 //
 // 	CC
@@ -1614,7 +1622,19 @@
 //
 // The go command automatically updates go.mod each time it uses the
 // module graph, to make sure go.mod always accurately reflects reality
-// and is properly formatted.
+// and is properly formatted. For example, consider this go.mod file:
+//
+//         module M
+//
+//         require (
+//                 A v1
+//                 B v1.0.0
+//                 C v1.0.0
+//                 D v1.2.3
+//                 E dev
+//         )
+//
+//         exclude D v1.2.3
 //
 // The update rewrites non-canonical version identifiers to semver form,
 // so A's v1 becomes v1.0.0 and E's dev becomes the pseudo-version for the

src/cmd/go/go_boring_test.go

@@ -0,0 +1,20 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main_test
+
+import "testing"
+
+func TestBoringInternalLink(t *testing.T) {
+	tg := testgo(t)
+	defer tg.cleanup()
+	tg.parallel()
+	tg.tempFile("main.go", `package main
+		import "crypto/sha1"
+		func main() {
+			sha1.New()
+		}`)
+	tg.run("build", "-ldflags=-w -extld=false", tg.path("main.go"))
+	tg.run("build", "-ldflags=-extld=false", tg.path("main.go"))
+}

src/cmd/go/go_test.go

@@ -4154,8 +4154,12 @@ func TestBinaryOnlyPackages(t *testing.T) {
 	tg.grepStdout("false", "did not see BinaryOnly=false for p4")
 }
 
-// Issue 16050.
-func TestAlwaysLinkSysoFiles(t *testing.T) {
+// Issue 16050 and 21884.
+func TestLinkSysoFiles(t *testing.T) {
+	if runtime.GOOS != "linux" || runtime.GOARCH != "amd64" {
+		t.Skip("not linux/amd64")
+	}
+
 	tg := testgo(t)
 	defer tg.cleanup()
 	tg.parallel()
@@ -4174,6 +4178,10 @@ func TestAlwaysLinkSysoFiles(t *testing.T) {
 	tg.setenv("CGO_ENABLED", "0")
 	tg.run("list", "-f", "{{.SysoFiles}}", "syso")
 	tg.grepStdout("a.syso", "missing syso file with CGO_ENABLED=0")
+
+	tg.setenv("CGO_ENABLED", "1")
+	tg.run("list", "-msan", "-f", "{{.SysoFiles}}", "syso")
+	tg.grepStdoutNot("a.syso", "unexpected syso file with -msan")
 }
 
 // Issue 16120.

src/cmd/go/internal/get/get.go

@@ -232,7 +232,7 @@ var downloadCache = map[string]bool{}
 var downloadRootCache = map[string]bool{}
 
 // download runs the download half of the get command
-// for the package named by the argument.
+// for the package or pattern named by the argument.
 func download(arg string, parent *load.Package, stk *load.ImportStack, mode int) {
 	if mode&load.ResolveImport != 0 {
 		// Caller is responsible for expanding vendor paths.
@@ -402,6 +402,23 @@ func downloadPackage(p *load.Package) error {
 		security = web.Insecure
 	}
 
+	// p can be either a real package, or a pseudo-package whose “import path” is
+	// actually a wildcard pattern.
+	// Trim the path at the element containing the first wildcard,
+	// and hope that it applies to the wildcarded parts too.
+	// This makes 'go get rsc.io/pdf/...' work in a fresh GOPATH.
+	importPrefix := p.ImportPath
+	if i := strings.Index(importPrefix, "..."); i >= 0 {
+		slash := strings.LastIndexByte(importPrefix[:i], '/')
+		if slash < 0 {
+			return fmt.Errorf("cannot expand ... in %q", p.ImportPath)
+		}
+		importPrefix = importPrefix[:slash]
+	}
+	if err := CheckImportPath(importPrefix); err != nil {
+		return fmt.Errorf("%s: invalid import path: %v", p.ImportPath, err)
+	}
+
 	if p.Internal.Build.SrcRoot != "" {
 		// Directory exists. Look for checkout along path to src.
 		vcs, rootPath, err = vcsFromDir(p.Dir, p.Internal.Build.SrcRoot)
@@ -421,7 +438,7 @@ func downloadPackage(p *load.Package) error {
 			}
 			repo = remote
 			if !*getF && err == nil {
-				if rr, err := RepoRootForImportPath(p.ImportPath, IgnoreMod, security); err == nil {
+				if rr, err := RepoRootForImportPath(importPrefix, IgnoreMod, security); err == nil {
 					repo := rr.Repo
 					if rr.vcs.resolveRepo != nil {
 						resolved, err := rr.vcs.resolveRepo(rr.vcs, dir, repo)
@@ -438,7 +455,7 @@ func downloadPackage(p *load.Package) error {
 	} else {
 		// Analyze the import path to determine the version control system,
 		// repository, and the import path for the root of the repository.
-		rr, err := RepoRootForImportPath(p.ImportPath, IgnoreMod, security)
+		rr, err := RepoRootForImportPath(importPrefix, IgnoreMod, security)
 		if err != nil {
 			return err
 		}

src/cmd/go/internal/get/path.go

@@ -0,0 +1,192 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package get
+
+import (
+	"fmt"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+// The following functions are copied verbatim from cmd/go/internal/module/module.go,
+// with a change to additionally reject Windows short-names,
+// and one to accept arbitrary letters (golang.org/issue/29101).
+//
+// TODO(bcmills): After the call site for this function is backported,
+// consolidate this back down to a single copy.
+//
+// NOTE: DO NOT MERGE THESE UNTIL WE DECIDE ABOUT ARBITRARY LETTERS IN MODULE MODE.
+
+// CheckImportPath checks that an import path is valid.
+func CheckImportPath(path string) error {
+	if err := checkPath(path, false); err != nil {
+		return fmt.Errorf("malformed import path %q: %v", path, err)
+	}
+	return nil
+}
+
+// checkPath checks that a general path is valid.
+// It returns an error describing why but not mentioning path.
+// Because these checks apply to both module paths and import paths,
+// the caller is expected to add the "malformed ___ path %q: " prefix.
+// fileName indicates whether the final element of the path is a file name
+// (as opposed to a directory name).
+func checkPath(path string, fileName bool) error {
+	if !utf8.ValidString(path) {
+		return fmt.Errorf("invalid UTF-8")
+	}
+	if path == "" {
+		return fmt.Errorf("empty string")
+	}
+	if strings.Contains(path, "..") {
+		return fmt.Errorf("double dot")
+	}
+	if strings.Contains(path, "//") {
+		return fmt.Errorf("double slash")
+	}
+	if path[len(path)-1] == '/' {
+		return fmt.Errorf("trailing slash")
+	}
+	elemStart := 0
+	for i, r := range path {
+		if r == '/' {
+			if err := checkElem(path[elemStart:i], fileName); err != nil {
+				return err
+			}
+			elemStart = i + 1
+		}
+	}
+	if err := checkElem(path[elemStart:], fileName); err != nil {
+		return err
+	}
+	return nil
+}
+
+// checkElem checks whether an individual path element is valid.
+// fileName indicates whether the element is a file name (not a directory name).
+func checkElem(elem string, fileName bool) error {
+	if elem == "" {
+		return fmt.Errorf("empty path element")
+	}
+	if strings.Count(elem, ".") == len(elem) {
+		return fmt.Errorf("invalid path element %q", elem)
+	}
+	if elem[0] == '.' && !fileName {
+		return fmt.Errorf("leading dot in path element")
+	}
+	if elem[len(elem)-1] == '.' {
+		return fmt.Errorf("trailing dot in path element")
+	}
+
+	charOK := pathOK
+	if fileName {
+		charOK = fileNameOK
+	}
+	for _, r := range elem {
+		if !charOK(r) {
+			return fmt.Errorf("invalid char %q", r)
+		}
+	}
+
+	// Windows disallows a bunch of path elements, sadly.
+	// See https://docs.microsoft.com/en-us/windows/desktop/fileio/naming-a-file
+	short := elem
+	if i := strings.Index(short, "."); i >= 0 {
+		short = short[:i]
+	}
+	for _, bad := range badWindowsNames {
+		if strings.EqualFold(bad, short) {
+			return fmt.Errorf("disallowed path element %q", elem)
+		}
+	}
+
+	// Reject path components that look like Windows short-names.
+	// Those usually end in a tilde followed by one or more ASCII digits.
+	if tilde := strings.LastIndexByte(short, '~'); tilde >= 0 && tilde < len(short)-1 {
+		suffix := short[tilde+1:]
+		suffixIsDigits := true
+		for _, r := range suffix {
+			if r < '0' || r > '9' {
+				suffixIsDigits = false
+				break
+			}
+		}
+		if suffixIsDigits {
+			return fmt.Errorf("trailing tilde and digits in path element")
+		}
+	}
+
+	return nil
+}
+
+// pathOK reports whether r can appear in an import path element.
+//
+// NOTE: This function DIVERGES from module mode pathOK by accepting Unicode letters.
+func pathOK(r rune) bool {
+	if r < utf8.RuneSelf {
+		return r == '+' || r == '-' || r == '.' || r == '_' || r == '~' ||
+			'0' <= r && r <= '9' ||
+			'A' <= r && r <= 'Z' ||
+			'a' <= r && r <= 'z'
+	}
+	return unicode.IsLetter(r)
+}
+
+// fileNameOK reports whether r can appear in a file name.
+// For now we allow all Unicode letters but otherwise limit to pathOK plus a few more punctuation characters.
+// If we expand the set of allowed characters here, we have to
+// work harder at detecting potential case-folding and normalization collisions.
+// See note about "safe encoding" below.
+func fileNameOK(r rune) bool {
+	if r < utf8.RuneSelf {
+		// Entire set of ASCII punctuation, from which we remove characters:
+		//     ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
+		// We disallow some shell special characters: " ' * < > ? ` |
+		// (Note that some of those are disallowed by the Windows file system as well.)
+		// We also disallow path separators / : and \ (fileNameOK is only called on path element characters).
+		// We allow spaces (U+0020) in file names.
+		const allowed = "!#$%&()+,-.=@[]^_{}~ "
+		if '0' <= r && r <= '9' || 'A' <= r && r <= 'Z' || 'a' <= r && r <= 'z' {
+			return true
+		}
+		for i := 0; i < len(allowed); i++ {
+			if rune(allowed[i]) == r {
+				return true
+			}
+		}
+		return false
+	}
+	// It may be OK to add more ASCII punctuation here, but only carefully.
+	// For example Windows disallows < > \, and macOS disallows :, so we must not allow those.
+	return unicode.IsLetter(r)
+}
+
+// badWindowsNames are the reserved file path elements on Windows.
+// See https://docs.microsoft.com/en-us/windows/desktop/fileio/naming-a-file
+var badWindowsNames = []string{
+	"CON",
+	"PRN",
+	"AUX",
+	"NUL",
+	"COM1",
+	"COM2",
+	"COM3",
+	"COM4",
+	"COM5",
+	"COM6",
+	"COM7",
+	"COM8",
+	"COM9",
+	"LPT1",
+	"LPT2",
+	"LPT3",
+	"LPT4",
+	"LPT5",
+	"LPT6",
+	"LPT7",
+	"LPT8",
+	"LPT9",
+}

src/cmd/go/internal/get/vcs.go

@@ -647,14 +647,7 @@ const (
 func RepoRootForImportPath(importPath string, mod ModuleMode, security web.SecurityMode) (*RepoRoot, error) {
 	rr, err := repoRootFromVCSPaths(importPath, "", security, vcsPaths)
 	if err == errUnknownSite {
-		// If there are wildcards, look up the thing before the wildcard,
-		// hoping it applies to the wildcarded parts too.
-		// This makes 'go get rsc.io/pdf/...' work in a fresh GOPATH.
-		lookup := strings.TrimSuffix(importPath, "/...")
-		if i := strings.Index(lookup, "/.../"); i >= 0 {
-			lookup = lookup[:i]
-		}
-		rr, err = repoRootForImportDynamic(lookup, mod, security)
+		rr, err = repoRootForImportDynamic(importPath, mod, security)
 		if err != nil {
 			err = fmt.Errorf("unrecognized import path %q (%v)", importPath, err)
 		}
@@ -667,6 +660,7 @@ func RepoRootForImportPath(importPath string, mod ModuleMode, security web.Secur
 		}
 	}
 
+	// Should have been taken care of above, but make sure.
 	if err == nil && strings.Contains(importPath, "...") && strings.Contains(rr.Root, "...") {
 		// Do not allow wildcards in the repo root.
 		rr = nil
@@ -966,10 +960,14 @@ func matchGoImport(imports []metaImport, importPath string) (metaImport, error)
 
 // expand rewrites s to replace {k} with match[k] for each key k in match.
 func expand(match map[string]string, s string) string {
+	// We want to replace each match exactly once, and the result of expansion
+	// must not depend on the iteration order through the map.
+	// A strings.Replacer has exactly the properties we're looking for.
+	oldNew := make([]string, 0, 2*len(match))
 	for k, v := range match {
-		s = strings.Replace(s, "{"+k+"}", v, -1)
+		oldNew = append(oldNew, "{"+k+"}", v)
 	}
-	return s
+	return strings.NewReplacer(oldNew...).Replace(s)
 }
 
 // vcsPaths defines the meaning of import paths referring to

src/cmd/go/internal/help/helpdoc.go

@@ -507,6 +507,12 @@ General-purpose environment variables:
 		The directory where the go command will write
 		temporary source files, packages, and binaries.
 
+Each entry in the GOFLAGS list must be a standalone flag.
+Because the entries are space-separated, flag values must
+not contain spaces. In some cases, you can provide multiple flag
+values instead: for example, to set '-ldflags=-s -w'
+you can use 'GOFLAGS=-ldflags=-s -ldflags=-w'.
+
 Environment variables for use with cgo:
 
 	CC

src/cmd/go/internal/list/list.go

@@ -510,7 +510,9 @@ func runList(cmd *base.Command, args []string) {
 		a := &work.Action{}
 		// TODO: Use pkgsFilter?
 		for _, p := range pkgs {
-			a.Deps = append(a.Deps, b.AutoAction(work.ModeInstall, work.ModeInstall, p))
+			if len(p.GoFiles)+len(p.CgoFiles) > 0 {
+				a.Deps = append(a.Deps, b.AutoAction(work.ModeInstall, work.ModeInstall, p))
+			}
 		}
 		b.Do(a)
 	}

src/cmd/go/internal/load/pkg.go

@@ -275,6 +275,12 @@ func (p *Package) copyBuild(pp *build.Package) {
 	p.SwigFiles = pp.SwigFiles
 	p.SwigCXXFiles = pp.SwigCXXFiles
 	p.SysoFiles = pp.SysoFiles
+	if cfg.BuildMSan {
+		// There's no way for .syso files to be built both with and without
+		// support for memory sanitizer. Assume they are built without,
+		// and drop them.
+		p.SysoFiles = nil
+	}
 	p.CgoCFLAGS = pp.CgoCFLAGS
 	p.CgoCPPFLAGS = pp.CgoCPPFLAGS
 	p.CgoCXXFLAGS = pp.CgoCXXFLAGS

src/cmd/go/internal/load/test.go

@@ -227,6 +227,12 @@ func TestPackagesFor(p *Package, cover *TestCover) (pmain, ptest, pxtest *Packag
 		}
 	}
 
+	allTestImports := make([]*Package, 0, len(pmain.Internal.Imports)+len(imports)+len(ximports))
+	allTestImports = append(allTestImports, pmain.Internal.Imports...)
+	allTestImports = append(allTestImports, imports...)
+	allTestImports = append(allTestImports, ximports...)
+	setToolFlags(allTestImports...)
+
 	// Do initial scan for metadata needed for writing _testmain.go
 	// Use that metadata to update the list of imports for package main.
 	// The list of imports is used by recompileForTest and by the loop

src/cmd/go/internal/modcmd/download.go

@@ -15,7 +15,7 @@ import (
 )
 
 var cmdDownload = &base.Command{
-	UsageLine: "go mod download [-dir] [-json] [modules]",
+	UsageLine: "go mod download [-json] [modules]",
 	Short:     "download modules to local cache",
 	Long: `
 Download downloads the named modules, which can be module patterns selecting
@@ -32,13 +32,15 @@ to standard output, describing each downloaded module (or failure),
 corresponding to this Go struct:
 
     type Module struct {
-        Path    string // module path
-        Version string // module version
-        Error   string // error loading module
-        Info    string // absolute path to cached .info file
-        GoMod   string // absolute path to cached .mod file
-        Zip     string // absolute path to cached .zip file
-        Dir     string // absolute path to cached source root directory
+        Path     string // module path
+        Version  string // module version
+        Error    string // error loading module
+        Info     string // absolute path to cached .info file
+        GoMod    string // absolute path to cached .mod file
+        Zip      string // absolute path to cached .zip file
+        Dir      string // absolute path to cached source root directory
+        Sum      string // checksum for path, version (as in go.sum)
+        GoModSum string // checksum for go.mod (as in go.sum)
     }
 
 See 'go help modules' for more about module queries.
@@ -52,13 +54,15 @@ func init() {
 }
 
 type moduleJSON struct {
-	Path    string `json:",omitempty"`
-	Version string `json:",omitempty"`
-	Error   string `json:",omitempty"`
-	Info    string `json:",omitempty"`
-	GoMod   string `json:",omitempty"`
-	Zip     string `json:",omitempty"`
-	Dir     string `json:",omitempty"`
+	Path     string `json:",omitempty"`
+	Version  string `json:",omitempty"`
+	Error    string `json:",omitempty"`
+	Info     string `json:",omitempty"`
+	GoMod    string `json:",omitempty"`
+	Zip      string `json:",omitempty"`
+	Dir      string `json:",omitempty"`
+	Sum      string `json:",omitempty"`
+	GoModSum string `json:",omitempty"`
 }
 
 func runDownload(cmd *base.Command, args []string) {
@@ -98,12 +102,18 @@ func runDownload(cmd *base.Command, args []string) {
 			m.Error = err.Error()
 			return
 		}
+		m.GoModSum, err = modfetch.GoModSum(m.Path, m.Version)
+		if err != nil {
+			m.Error = err.Error()
+			return
+		}
 		mod := module.Version{Path: m.Path, Version: m.Version}
 		m.Zip, err = modfetch.DownloadZip(mod)
 		if err != nil {
 			m.Error = err.Error()
 			return
 		}
+		m.Sum = modfetch.Sum(mod)
 		m.Dir, err = modfetch.Download(mod)
 		if err != nil {
 			m.Error = err.Error()

src/cmd/go/internal/modfetch/cache.go

@@ -290,6 +290,23 @@ func GoModFile(path, version string) (string, error) {
 	return file, nil
 }
 
+// GoModSum returns the go.sum entry for the module version's go.mod file.
+// (That is, it returns the entry listed in go.sum as "path version/go.mod".)
+func GoModSum(path, version string) (string, error) {
+	if !semver.IsValid(version) {
+		return "", fmt.Errorf("invalid version %q", version)
+	}
+	data, err := GoMod(path, version)
+	if err != nil {
+		return "", err
+	}
+	sum, err := goModSum(data)
+	if err != nil {
+		return "", err
+	}
+	return sum, nil
+}
+
 var errNotCached = fmt.Errorf("not in cache")
 
 // readDiskStat reads a cached stat result from disk,

src/cmd/go/internal/modfetch/codehost/git.go

@@ -694,6 +694,10 @@ func (r *gitRepo) ReadZip(rev, subdir string, maxSize int64) (zip io.ReadCloser,
 		return nil, "", err
 	}
 
+	if err := ensureGitAttributes(r.dir); err != nil {
+		return nil, "", err
+	}
+
 	// Incredibly, git produces different archives depending on whether
 	// it is running on a Windows system or not, in an attempt to normalize
 	// text file line endings. Setting -c core.autocrlf=input means only
@@ -709,3 +713,43 @@ func (r *gitRepo) ReadZip(rev, subdir string, maxSize int64) (zip io.ReadCloser,
 
 	return ioutil.NopCloser(bytes.NewReader(archive)), "", nil
 }
+
+// ensureGitAttributes makes sure export-subst and export-ignore features are
+// disabled for this repo. This is intended to be run prior to running git
+// archive so that zip files are generated that produce consistent ziphashes
+// for a given revision, independent of variables such as git version and the
+// size of the repo.
+//
+// See: https://github.com/golang/go/issues/27153
+func ensureGitAttributes(repoDir string) (err error) {
+	const attr = "\n* -export-subst -export-ignore\n"
+
+	d := repoDir + "/info"
+	p := d + "/attributes"
+
+	if err := os.MkdirAll(d, 0755); err != nil {
+		return err
+	}
+
+	f, err := os.OpenFile(p, os.O_CREATE|os.O_APPEND|os.O_RDWR, 0666)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		closeErr := f.Close()
+		if closeErr != nil {
+			err = closeErr
+		}
+	}()
+
+	b, err := ioutil.ReadAll(f)
+	if err != nil {
+		return err
+	}
+	if !bytes.HasSuffix(b, []byte(attr)) {
+		_, err := f.WriteString(attr)
+		return err
+	}
+
+	return nil
+}

src/cmd/go/internal/modfetch/coderepo.go

@@ -498,6 +498,11 @@ func (r *codeRepo) Zip(version string, tmpdir string) (tmpfile string, err error
 		}
 	}
 	for _, zf := range zr.File {
+		if !zf.FileInfo().Mode().IsRegular() {
+			// Skip symlinks (golang.org/issue/27093).
+			continue
+		}
+
 		if topPrefix == "" {
 			i := strings.Index(zf.Name, "/")
 			if i < 0 {

src/cmd/go/internal/modfetch/fetch.go

@@ -253,12 +253,17 @@ func checkSum(mod module.Version) {
 	checkOneSum(mod, h)
 }
 
+// goModSum returns the checksum for the go.mod contents.
+func goModSum(data []byte) (string, error) {
+	return dirhash.Hash1([]string{"go.mod"}, func(string) (io.ReadCloser, error) {
+		return ioutil.NopCloser(bytes.NewReader(data)), nil
+	})
+}
+
 // checkGoMod checks the given module's go.mod checksum;
 // data is the go.mod content.
 func checkGoMod(path, version string, data []byte) {
-	h, err := dirhash.Hash1([]string{"go.mod"}, func(string) (io.ReadCloser, error) {
-		return ioutil.NopCloser(bytes.NewReader(data)), nil
-	})
+	h, err := goModSum(data)
 	if err != nil {
 		base.Fatalf("go: verifying %s %s go.mod: %v", path, version, err)
 	}

src/cmd/go/internal/modload/build.go

@@ -25,15 +25,21 @@ var (
 )
 
 func isStandardImportPath(path string) bool {
+	return findStandardImportPath(path) != ""
+}
+
+func findStandardImportPath(path string) string {
 	if search.IsStandardImportPath(path) {
-		if _, err := os.Stat(filepath.Join(cfg.GOROOT, "src", path)); err == nil {
-			return true
+		dir := filepath.Join(cfg.GOROOT, "src", path)
+		if _, err := os.Stat(dir); err == nil {
+			return dir
 		}
-		if _, err := os.Stat(filepath.Join(cfg.GOROOT, "src/vendor", path)); err == nil {
-			return true
+		dir = filepath.Join(cfg.GOROOT, "src/vendor", path)
+		if _, err := os.Stat(dir); err == nil {
+			return dir
 		}
 	}
-	return false
+	return ""
 }
 
 func PackageModuleInfo(pkgpath string) *modinfo.ModulePublic {

src/cmd/go/internal/modload/help.go

@@ -420,7 +420,19 @@ See 'go help mod edit'.
 
 The go command automatically updates go.mod each time it uses the
 module graph, to make sure go.mod always accurately reflects reality
-and is properly formatted.
+and is properly formatted. For example, consider this go.mod file:
+
+        module M
+
+        require (
+                A v1
+                B v1.0.0
+                C v1.0.0
+                D v1.2.3
+                E dev
+        )
+
+        exclude D v1.2.3
 
 The update rewrites non-canonical version identifiers to semver form,
 so A's v1 becomes v1.0.0 and E's dev becomes the pseudo-version for the

src/cmd/go/internal/modload/import.go

@@ -181,7 +181,7 @@ func dirInModule(path, mpath, mdir string, isLocal bool) (dir string, haveGoFile
 	// So we only check local module trees
 	// (the main module, and any directory trees pointed at by replace directives).
 	if isLocal {
-		for d := dir; d != mdir && len(d) > len(mdir); d = filepath.Dir(d) {
+		for d := dir; d != mdir && len(d) > len(mdir); {
 			haveGoMod := haveGoModCache.Do(d, func() interface{} {
 				_, err := os.Stat(filepath.Join(d, "go.mod"))
 				return err == nil
@@ -190,6 +190,13 @@ func dirInModule(path, mpath, mdir string, isLocal bool) (dir string, haveGoFile
 			if haveGoMod {
 				return "", false
 			}
+			parent := filepath.Dir(d)
+			if parent == d {
+				// Break the loop, as otherwise we'd loop
+				// forever if d=="." and mdir=="".
+				break
+			}
+			d = parent
 		}
 	}
 

src/cmd/go/internal/modload/import_test.go

@@ -21,7 +21,7 @@ var importTests = []struct {
 	},
 	{
 		path: "golang.org/x/net",
-		err:  "missing module for import: golang.org/x/net@.* provides golang.org/x/net",
+		err:  "cannot find module providing package golang.org/x/net",
 	},
 	{
 		path: "golang.org/x/text",

src/cmd/go/internal/modload/load.go

@@ -399,11 +399,17 @@ func ModuleUsedDirectly(path string) bool {
 func Lookup(path string) (dir, realPath string, err error) {
 	pkg, ok := loaded.pkgCache.Get(path).(*loadPkg)
 	if !ok {
-		if isStandardImportPath(path) {
-			dir := filepath.Join(cfg.GOROOT, "src", path)
-			if _, err := os.Stat(dir); err == nil {
-				return dir, path, nil
-			}
+		// The loader should have found all the relevant paths.
+		// There are a few exceptions, though:
+		//	- during go list without -test, the p.Resolve calls to process p.TestImports and p.XTestImports
+		//	  end up here to canonicalize the import paths.
+		//	- during any load, non-loaded packages like "unsafe" end up here.
+		//	- during any load, build-injected dependencies like "runtime/cgo" end up here.
+		//	- because we ignore appengine/* in the module loader,
+		//	  the dependencies of any actual appengine/* library end up here.
+		dir := findStandardImportPath(path)
+		if dir != "" {
+			return dir, path, nil
 		}
 		return "", "", errMissing
 	}

src/cmd/go/internal/run/run.go

@@ -78,6 +78,9 @@ func runRun(cmd *base.Command, args []string) {
 		p = load.GoFilesPackage(files)
 	} else if len(args) > 0 && !strings.HasPrefix(args[0], "-") {
 		pkgs := load.PackagesAndErrors(args[:1])
+		if len(pkgs) == 0 {
+			base.Fatalf("go run: no packages loaded from %s", args[0])
+		}
 		if len(pkgs) > 1 {
 			var names []string
 			for _, p := range pkgs {

src/cmd/go/internal/work/build.go

@@ -99,7 +99,7 @@ and test commands:
 		link against shared libraries previously created with
 		-buildmode=shared.
 	-mod mode
-		module download mode to use: readonly, release, or vendor.
+		module download mode to use: readonly or vendor.
 		See 'go help modules' for more.
 	-pkgdir dir
 		install and load all packages from dir instead of the usual locations.

src/cmd/go/internal/work/exec.go

@@ -224,7 +224,9 @@ func (b *Builder) buildActionID(a *Action) cache.ActionID {
 		if len(p.SFiles) > 0 {
 			fmt.Fprintf(h, "asm %q %q %q\n", b.toolID("asm"), forcedAsmflags, p.Internal.Asmflags)
 		}
-		fmt.Fprintf(h, "GO$GOARCH=%s\n", os.Getenv("GO"+strings.ToUpper(cfg.BuildContext.GOARCH))) // GO386, GOARM, etc
+		// GO386, GOARM, GOMIPS, etc.
+		baseArch := strings.TrimSuffix(cfg.BuildContext.GOARCH, "le")
+		fmt.Fprintf(h, "GO$GOARCH=%s\n", os.Getenv("GO"+strings.ToUpper(baseArch)))
 
 		// TODO(rsc): Convince compiler team not to add more magic environment variables,
 		// or perhaps restrict the environment variables passed to subprocesses.
@@ -432,10 +434,6 @@ func (b *Builder) build(a *Action) (err error) {
 		return fmt.Errorf("missing or invalid binary-only package; expected file %q", a.Package.Target)
 	}
 
-	if p.Module != nil && !allowedVersion(p.Module.GoVersion) {
-		return fmt.Errorf("module requires Go %s", p.Module.GoVersion)
-	}
-
 	if err := b.Mkdir(a.Objdir); err != nil {
 		return err
 	}
@@ -636,12 +634,19 @@ func (b *Builder) build(a *Action) (err error) {
 	objpkg := objdir + "_pkg_.a"
 	ofile, out, err := BuildToolchain.gc(b, a, objpkg, icfg.Bytes(), len(sfiles) > 0, gofiles)
 	if len(out) > 0 {
-		b.showOutput(a, a.Package.Dir, a.Package.Desc(), b.processOutput(out))
+		output := b.processOutput(out)
+		if p.Module != nil && !allowedVersion(p.Module.GoVersion) {
+			output += "note: module requires Go " + p.Module.GoVersion
+		}
+		b.showOutput(a, a.Package.Dir, a.Package.Desc(), output)
 		if err != nil {
 			return errPrintedOutput
 		}
 	}
 	if err != nil {
+		if p.Module != nil && !allowedVersion(p.Module.GoVersion) {
+			b.showOutput(a, a.Package.Dir, a.Package.Desc(), "note: module requires Go "+p.Module.GoVersion)
+		}
 		return err
 	}
 	if ofile != objpkg {
@@ -2075,14 +2080,37 @@ func (b *Builder) ccompile(a *Action, p *load.Package, outfile string, flags []s
 }
 
 // gccld runs the gcc linker to create an executable from a set of object files.
-func (b *Builder) gccld(p *load.Package, objdir, out string, flags []string, objs []string) error {
+func (b *Builder) gccld(p *load.Package, objdir, outfile string, flags []string, objs []string) error {
 	var cmd []string
 	if len(p.CXXFiles) > 0 || len(p.SwigCXXFiles) > 0 {
 		cmd = b.GxxCmd(p.Dir, objdir)
 	} else {
 		cmd = b.GccCmd(p.Dir, objdir)
 	}
-	return b.run(nil, p.Dir, p.ImportPath, b.cCompilerEnv(), cmd, "-o", out, objs, flags)
+
+	cmdargs := []interface{}{cmd, "-o", outfile, objs, flags}
+	dir := p.Dir
+	out, err := b.runOut(dir, b.cCompilerEnv(), cmdargs...)
+	if len(out) > 0 {
+		// Filter out useless linker warnings caused by bugs outside Go.
+		// See also cmd/link/internal/ld's hostlink method.
+		var save [][]byte
+		for _, line := range bytes.SplitAfter(out, []byte("\n")) {
+			// golang.org/issue/26073 - Apple Xcode bug
+			if bytes.Contains(line, []byte("ld: warning: text-based stub file")) {
+				continue
+			}
+			save = append(save, line)
+		}
+		out = bytes.Join(save, nil)
+		if len(out) > 0 {
+			b.showOutput(nil, dir, p.ImportPath, b.processOutput(out))
+			if err != nil {
+				err = errPrintedOutput
+			}
+		}
+	}
+	return err
 }
 
 // Grab these before main helpfully overwrites them.

src/cmd/go/internal/work/security.go

@@ -170,6 +170,7 @@ var validLinkerFlags = []*regexp.Regexp{
 	re(`-Wl,-e[=,][a-zA-Z0-9]*`),
 	re(`-Wl,--enable-new-dtags`),
 	re(`-Wl,--end-group`),
+	re(`-Wl,--(no-)?export-dynamic`),
 	re(`-Wl,-framework,[^,@\-][^,]+`),
 	re(`-Wl,-headerpad_max_install_names`),
 	re(`-Wl,--no-undefined`),

src/cmd/go/script_test.go

@@ -629,6 +629,9 @@ func scriptMatch(ts *testScript, neg bool, args []string, text, name string) {
 		text = string(data)
 	}
 
+	// Matching against workdir would be misleading.
+	text = strings.Replace(text, ts.workdir, "$WORK", -1)
+
 	if neg {
 		if re.MatchString(text) {
 			if isGrep {

src/cmd/go/testdata/script/build_cache_gomips.txt

@@ -0,0 +1,37 @@
+# Set up fresh GOCACHE.
+env GOCACHE=$WORK/gocache
+mkdir $GOCACHE
+
+# Building for mipsle without setting GOMIPS will use floating point registers.
+env GOARCH=mipsle
+env GOOS=linux
+go build -gcflags=-S f.go
+stderr ADDD.F[0-9]+,.F[0-9]+,.F[0-9]+
+
+# Clean cache
+go clean -cache
+
+# Building with GOMIPS=softfloat will not use floating point registers
+env GOMIPS=softfloat
+go build -gcflags=-S f.go
+! stderr ADDD.F[0-9]+,.F[0-9]+,.F[0-9]+
+
+# Clean cache
+go clean -cache
+
+# Build without setting GOMIPS
+env GOMIPS=
+go build -gcflags=-S f.go
+stderr ADDD.F[0-9]+,.F[0-9]+,.F[0-9]+
+
+# Building with GOMIPS should still not use floating point registers.
+env GOMIPS=softfloat
+go build -gcflags=-S f.go
+! stderr ADDD.F[0-9]+,.F[0-9]+,.F[0-9]+
+
+-- f.go --
+package f
+
+func F(x float64) float64 {
+     return x + x
+}

src/cmd/go/testdata/script/gcflags_patterns.txt

@@ -2,24 +2,28 @@
 
 # -gcflags=-e applies to named packages, not dependencies
 go build -n -v -gcflags=-e z1 z2
-stderr 'compile.* -e .*-p z1'
-stderr 'compile.* -e .*-p z2'
+stderr 'compile.* -e.* -p z1'
+stderr 'compile.* -e.* -p z2'
 stderr 'compile.* -p y'
-! stderr 'compile.* -e .*-p [^z]'
+! stderr 'compile.* -e.* -p [^z]'
 
 # -gcflags can specify package=flags, and can be repeated; last match wins
 go build -n -v -gcflags=-e -gcflags=z1=-N z1 z2
-stderr 'compile.* -N .*-p z1'
-! stderr 'compile.* -e .*-p z1'
-! stderr 'compile.* -N .*-p z2'
-stderr 'compile.* -e .*-p z2'
+stderr 'compile.* -N.* -p z1'
+! stderr 'compile.* -e.* -p z1'
+! stderr 'compile.* -N.* -p z2'
+stderr 'compile.* -e.* -p z2'
 stderr 'compile.* -p y'
-! stderr 'compile.* -e .*-p [^z]'
-! stderr 'compile.* -N .*-p [^z]'
+! stderr 'compile.* -e.* -p [^z]'
+! stderr 'compile.* -N.* -p [^z]'
 
 # -gcflags can have arbitrary spaces around the flags
 go build -n -v -gcflags='  z1 =  	-e 	' z1
-stderr 'compile.* -e .*-p z1'
+stderr 'compile.* -e.* -p z1'
+
+# -gcflags='all=-e' should apply to all packages, even with go test
+go test -c -n -gcflags='all=-e' z1
+stderr 'compile.* -e.* -p z3 '
 
 # -ldflags for implicit test package applies to test binary
 go test -c -n -gcflags=-N -ldflags=-X=x.y=z z1
@@ -58,11 +62,15 @@ import _ "z2"
 -- z1/z_test.go --
 package z1_test
 import "testing"
+import _ "z3"
 func Test(t *testing.T) {}
 
 -- z2/z.go --
 package z2
 
+-- z3/z.go --
+package z3
+
 -- y/y.go --
 package y
 

src/cmd/go/testdata/script/get_brace.txt

@@ -0,0 +1,49 @@
+[!exec:git] skip
+
+# Set up some empty repositories.
+cd $WORK/_origin/foo
+exec git init
+exec git config user.name 'Nameless Gopher'
+exec git config user.email 'nobody@golang.org'
+exec git commit --allow-empty -m 'create master branch'
+
+cd $WORK
+cd '_origin/{confusing}'
+exec git init
+exec git config user.name 'Nameless Gopher'
+exec git config user.email 'nobody@golang.org'
+exec git commit --allow-empty -m 'create master branch'
+
+# Clone the empty repositories into GOPATH.
+# This tells the Go command where to find them: it takes the place of a user's meta-tag redirector.
+mkdir $GOPATH/src/example.com
+cd $GOPATH/src/example.com
+exec git clone $WORK/_origin/foo
+exec git clone $WORK/_origin/{confusing}
+
+# Commit contents to the repositories.
+cd $WORK/_origin/foo
+exec git add main.go
+exec git commit -m 'add main'
+
+cd $WORK
+cd '_origin/{confusing}'
+exec git add confusing.go
+exec git commit -m 'just try to delete this!'
+
+# 'go get' should refuse to download or update the confusingly-named repo.
+cd $GOPATH/src/example.com/foo
+! go get -u 'example.com/{confusing}'
+stderr 'invalid char'
+! go get -u example.com/foo
+stderr 'invalid import path'
+! exists example.com/{confusing}
+
+-- $WORK/_origin/foo/main.go --
+package main
+import _ "example.com/{confusing}"
+
+func main() {}
+
+-- $WORK/_origin/{confusing}/confusing.go --
+package confusing

src/cmd/go/testdata/script/get_dotfiles.txt

@@ -0,0 +1,61 @@
+[!exec:git] skip
+
+# Set up a benign repository and a repository with a dotfile name.
+cd $WORK/_origin/foo
+exec git init
+exec git config user.name 'Nameless Gopher'
+exec git config user.email 'nobody@golang.org'
+exec git commit --allow-empty -m 'create master branch'
+
+cd $WORK/_origin/.hidden
+exec git init
+exec git config user.name 'Nameless Gopher'
+exec git config user.email 'nobody@golang.org'
+exec git commit --allow-empty -m 'create master branch'
+
+# Clone the empty repositories into GOPATH.
+# This tells the Go command where to find them: it takes the place of a user's meta-tag redirector.
+mkdir $GOPATH/src/example.com
+cd $GOPATH/src/example.com
+exec git clone $WORK/_origin/foo
+exec git clone $WORK/_origin/.hidden
+
+# Add a benign commit.
+cd $WORK/_origin/foo
+cp _ok/main.go main.go
+exec git add main.go
+exec git commit -m 'add ok'
+
+# 'go get' should install the benign commit.
+cd $GOPATH
+go get -u example.com/foo
+
+# Now sneak in an import of a dotfile path.
+cd $WORK/_origin/.hidden
+exec git add hidden.go
+exec git commit -m 'nothing to see here, move along'
+
+cd $WORK/_origin/foo
+cp _sneaky/main.go main.go
+exec git add main.go
+exec git commit -m 'fix typo (heh heh heh)'
+
+# 'go get -u' should refuse to download or update the dotfile-named repo.
+cd $GOPATH/src/example.com/foo
+! go get -u example.com/foo
+stderr 'leading dot'
+! exists example.com/.hidden/hidden.go
+
+-- $WORK/_origin/foo/_ok/main.go --
+package main
+
+func main() {}
+
+-- $WORK/_origin/foo/_sneaky/main.go --
+package main
+import _ "example.com/.hidden"
+
+func main() {}
+
+-- $WORK/_origin/.hidden/hidden.go --
+package hidden

src/cmd/go/testdata/script/get_tilde.txt

@@ -0,0 +1,21 @@
+# Paths containing windows short names should be rejected before attempting to fetch.
+! go get example.com/longna~1.dir/thing
+stderr 'trailing tilde and digits'
+! go get example.com/longna~1/thing
+stderr 'trailing tilde and digits'
+! go get example.com/~9999999/thing
+stderr 'trailing tilde and digits'
+
+# A path containing an element that is just a tilde, or a tilde followed by non-digits,
+# should attempt to resolve.
+! go get example.com/~glenda/notfound
+! stderr 'trailing tilde and digits'
+stderr 'unrecognized import path'
+
+! go get example.com/~glenda2/notfound
+! stderr 'trailing tilde and digits'
+stderr 'unrecognized import path'
+
+! go get example.com/~/notfound
+! stderr 'trailing tilde and digits'
+stderr 'unrecognized import path'

src/cmd/go/testdata/script/get_unicode.txt

@@ -0,0 +1,37 @@
+[!exec:git] skip
+
+# Construct a repository that imports a non-ASCII path.
+cd $WORK/_origin/example.com/unicode
+exec git init
+exec git config user.name 'Nameless Gopher'
+exec git config user.email 'nobody@golang.org'
+exec git add unicode.go
+exec git commit -m 'add unicode.go'
+
+# Clone the repo into GOPATH so that 'go get -u' can find it.
+mkdir $GOPATH/src/example.com/unicode
+cd $GOPATH/src/example.com/unicode
+exec git clone $WORK/_origin/example.com/unicode .
+
+# Construct the imported repository.
+cd $WORK/_origin/example.com/испытание
+exec git init
+exec git config user.name 'Nameless Gopher'
+exec git config user.email 'nobody@golang.org'
+exec git add испытание.go
+exec git commit -m 'add испытание.go'
+
+# Clone that repo into GOPATH too.
+mkdir $GOPATH/src/example.com/испытание
+cd $GOPATH/src/example.com/испытание
+exec git clone $WORK/_origin/example.com/испытание .
+
+# Upgrading the importer should pull from the non-ASCII repo.
+cd $GOPATH
+go get -u example.com/unicode
+
+-- $WORK/_origin/example.com/unicode/unicode.go --
+package unicode
+import _ "example.com/испытание"
+-- $WORK/_origin/example.com/испытание/испытание.go --
+package испытание

src/cmd/go/testdata/script/mod_download.txt

@@ -15,6 +15,8 @@ stdout '^\t"Version": "v1.5.0"'
 stdout '^\t"Info": ".*(\\\\|/)pkg(\\\\|/)mod(\\\\|/)cache(\\\\|/)download(\\\\|/)rsc.io(\\\\|/)quote(\\\\|/)@v(\\\\|/)v1.5.0.info"'
 stdout '^\t"GoMod": ".*(\\\\|/)pkg(\\\\|/)mod(\\\\|/)cache(\\\\|/)download(\\\\|/)rsc.io(\\\\|/)quote(\\\\|/)@v(\\\\|/)v1.5.0.mod"'
 stdout '^\t"Zip": ".*(\\\\|/)pkg(\\\\|/)mod(\\\\|/)cache(\\\\|/)download(\\\\|/)rsc.io(\\\\|/)quote(\\\\|/)@v(\\\\|/)v1.5.0.zip"'
+stdout '^\t"Sum": "h1:6fJa6E\+wGadANKkUMlZ0DhXFpoKlslOQDCo259XtdIE="'  # hash of testdata/mod version, not real version!
+stdout '^\t"GoModSum": "h1:LzX7hefJvL54yjefDEDHNONDjII0t9xZLPXsUe\+TKr0="'
 ! stdout '"Error"'
 
 # download queries above should not have added to go.mod.

src/cmd/go/testdata/script/mod_git_export_subst.txt

@@ -0,0 +1,21 @@
+env GO111MODULE=on
+env GOPROXY=
+
+# Testing that git export-subst is disabled
+[!net] skip
+[!exec:git] skip
+go build
+
+-- x.go --
+package x
+
+import _ "github.com/jasonkeene/export-subst"
+
+-- go.mod --
+module x
+
+require github.com/jasonkeene/export-subst v0.0.0-20180927204031-5845945ec626
+
+-- go.sum --
+github.com/jasonkeene/export-subst v0.0.0-20180927204031-5845945ec626 h1:AUkXi/xFnm7lH2pgtvVkGb7buRn1ywFHw+xDpZ29Rz0=
+github.com/jasonkeene/export-subst v0.0.0-20180927204031-5845945ec626/go.mod h1:DwJXqVtrgrQkv3Giuf2Jh4YyubVe7y41S1eOIaysTJw=

src/cmd/go/testdata/script/mod_go_version.txt

@@ -3,9 +3,10 @@
 env GO111MODULE=on
 
 go list
-! go build
-stderr 'module requires Go 1.999'
+go build
 go build sub.1
+go build subver.1
+! stderr 'module requires'
 ! go build badsub.1
 stderr 'module requires Go 1.11111'
 
@@ -19,11 +20,13 @@ module m
 go 1.999
 require (
 	sub.1 v1.0.0
+	subver.1 v1.0.0
 	badsub.1 v1.0.0
 	versioned.1 v1.0.0
 )
 replace (
 	sub.1 => ./sub
+	subver.1 => ./subver
 	badsub.1 => ./badsub
 	versioned.1 v1.0.0 => ./versioned1
 	versioned.1 v1.1.0 => ./versioned2
@@ -39,12 +42,20 @@ go 1.11
 -- sub/x.go --
 package x
 
+-- subver/go.mod --
+module m
+go 1.11111
+
+-- subver/x.go --
+package x
+
 -- badsub/go.mod --
 module m
 go 1.11111
 
 -- badsub/x.go --
 package x
+invalid syntax
 
 -- versioned1/go.mod --
 module versioned
@@ -59,3 +70,4 @@ go 1.99999
 
 -- versioned2/x.go --
 package x
+invalid syntax

src/cmd/go/testdata/script/mod_list_test.txt

@@ -0,0 +1,16 @@
+env GO111MODULE=on
+
+# go list -compiled -test must handle test-only packages
+# golang.org/issue/27097.
+go list -compiled -test
+stdout '^m$'
+stdout '^m\.test$'
+stdout '^m \[m\.test\]$'
+
+-- go.mod --
+module m
+
+-- x_test.go --
+package x
+import "testing"
+func Test(t *testing.T) {}

src/cmd/go/testdata/script/mod_std_vendor.txt

@@ -0,0 +1,19 @@
+env GO111MODULE=on
+
+go list -f '{{.TestImports}}'
+stdout net/http # from .TestImports
+
+go list -test -f '{{.Deps}}'
+stdout golang_org/x/crypto # dep of .TestImports
+
+-- go.mod --
+module m
+
+-- x.go --
+package x
+
+-- x_test.go --
+package x
+import "testing"
+import _ "net/http"
+func Test(t *testing.T) {}

src/cmd/go/testdata/script/run_wildcard.txt

@@ -0,0 +1,5 @@
+# Fix for https://github.com/golang/go/issues/28696:
+# go run x/... should not panic when directory x doesn't exist.
+
+! go run nonexistent/...
+stderr '^go run: no packages loaded from nonexistent/...$'

src/cmd/link/elf_test.go

@@ -0,0 +1,113 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build dragonfly freebsd linux netbsd openbsd
+
+package main
+
+import (
+	"internal/testenv"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+var asmSource = `
+	.section .text1,"ax"
+s1:
+	.byte 0
+	.section .text2,"ax"
+s2:
+	.byte 0
+`
+
+var goSource = `
+package main
+func main() {}
+`
+
+// The linker used to crash if an ELF input file had multiple text sections
+// with the same name.
+func TestSectionsWithSameName(t *testing.T) {
+	testenv.MustHaveGoBuild(t)
+	testenv.MustHaveCGO(t)
+	t.Parallel()
+
+	objcopy, err := exec.LookPath("objcopy")
+	if err != nil {
+		t.Skipf("can't find objcopy: %v", err)
+	}
+
+	dir, err := ioutil.TempDir("", "go-link-TestSectionsWithSameName")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	gopath := filepath.Join(dir, "GOPATH")
+	env := append(os.Environ(), "GOPATH="+gopath)
+
+	if err := ioutil.WriteFile(filepath.Join(dir, "go.mod"), []byte("module elf_test\n"), 0666); err != nil {
+		t.Fatal(err)
+	}
+
+	asmFile := filepath.Join(dir, "x.s")
+	if err := ioutil.WriteFile(asmFile, []byte(asmSource), 0444); err != nil {
+		t.Fatal(err)
+	}
+
+	goTool := testenv.GoToolPath(t)
+	cmd := exec.Command(goTool, "env", "CC")
+	cmd.Env = env
+	ccb, err := cmd.Output()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cc := strings.TrimSpace(string(ccb))
+
+	cmd = exec.Command(goTool, "env", "GOGCCFLAGS")
+	cmd.Env = env
+	cflagsb, err := cmd.Output()
+	if err != nil {
+		t.Fatal(err)
+	}
+	cflags := strings.Fields(string(cflagsb))
+
+	asmObj := filepath.Join(dir, "x.o")
+	t.Logf("%s %v -c -o %s %s", cc, cflags, asmObj, asmFile)
+	if out, err := exec.Command(cc, append(cflags, "-c", "-o", asmObj, asmFile)...).CombinedOutput(); err != nil {
+		t.Logf("%s", out)
+		t.Fatal(err)
+	}
+
+	asm2Obj := filepath.Join(dir, "x2.syso")
+	t.Logf("%s --rename-section .text2=.text1 %s %s", objcopy, asmObj, asm2Obj)
+	if out, err := exec.Command(objcopy, "--rename-section", ".text2=.text1", asmObj, asm2Obj).CombinedOutput(); err != nil {
+		t.Logf("%s", out)
+		t.Fatal(err)
+	}
+
+	for _, s := range []string{asmFile, asmObj} {
+		if err := os.Remove(s); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	goFile := filepath.Join(dir, "main.go")
+	if err := ioutil.WriteFile(goFile, []byte(goSource), 0444); err != nil {
+		t.Fatal(err)
+	}
+
+	cmd = exec.Command(goTool, "build")
+	cmd.Dir = dir
+	cmd.Env = env
+	t.Logf("%s build", goTool)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		t.Logf("%s", out)
+		t.Fatal(err)
+	}
+}

src/cmd/link/internal/ld/lib.go

@@ -861,6 +861,7 @@ var hostobj []Hostobj
 // These packages can use internal linking mode.
 // Others trigger external mode.
 var internalpkg = []string{
+	"crypto/internal/boring",
 	"crypto/x509",
 	"net",
 	"os/user",
@@ -982,6 +983,7 @@ func hostobjCopy() (paths []string) {
 			if err != nil {
 				Exitf("cannot reopen %s: %v", h.pn, err)
 			}
+			defer f.Close()
 			if _, err := f.Seek(h.off, 0); err != nil {
 				Exitf("cannot seek %s: %v", h.pn, err)
 			}
@@ -1323,9 +1325,24 @@ func (ctxt *Link) hostlink() {
 		ctxt.Logf("\n")
 	}
 
-	if out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput(); err != nil {
+	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
+	if err != nil {
 		Exitf("running %s failed: %v\n%s", argv[0], err, out)
-	} else if len(out) > 0 {
+	}
+
+	// Filter out useless linker warnings caused by bugs outside Go.
+	// See also cmd/go/internal/work/exec.go's gccld method.
+	var save [][]byte
+	for _, line := range bytes.SplitAfter(out, []byte("\n")) {
+		// golang.org/issue/26073 - Apple Xcode bug
+		if bytes.Contains(line, []byte("ld: warning: text-based stub file")) {
+			continue
+		}
+		save = append(save, line)
+	}
+	out = bytes.Join(save, nil)
+
+	if len(out) > 0 {
 		// always print external output even if the command is successful, so that we don't
 		// swallow linker warnings (see https://golang.org/issue/17935).
 		ctxt.Logf("%s", out)

src/cmd/link/internal/ld/macho_combine_dwarf.go

@@ -265,7 +265,7 @@ func machoCombineDwarf(ctxt *Link, inexe, dsym, outexe string) (bool, error) {
 		}
 	}
 	// Do the final update of the DWARF segment's load command.
-	return false, machoUpdateDwarfHeader(&reader, ctxt.BuildMode, compressedSects)
+	return false, machoUpdateDwarfHeader(&reader, compressedSects, dwarfsize)
 }
 
 // machoCompressSections tries to compress the DWARF segments in dwarfm,
@@ -410,7 +410,7 @@ func machoUpdateSections(r loadCmdReader, seg, sect reflect.Value, deltaOffset,
 }
 
 // machoUpdateDwarfHeader updates the DWARF segment load command.
-func machoUpdateDwarfHeader(r *loadCmdReader, buildmode BuildMode, compressedSects []*macho.Section) error {
+func machoUpdateDwarfHeader(r *loadCmdReader, compressedSects []*macho.Section, dwarfsize uint64) error {
 	var seg, sect interface{}
 	cmd, err := r.Next()
 	if err != nil {
@@ -428,7 +428,6 @@ func machoUpdateDwarfHeader(r *loadCmdReader, buildmode BuildMode, compressedSec
 	}
 	segv := reflect.ValueOf(seg).Elem()
 	segv.FieldByName("Offset").SetUint(uint64(dwarfstart))
-	segv.FieldByName("Addr").SetUint(uint64(dwarfaddr))
 
 	if compressedSects != nil {
 		var segSize uint64
@@ -436,23 +435,27 @@ func machoUpdateDwarfHeader(r *loadCmdReader, buildmode BuildMode, compressedSec
 			segSize += newSect.Size
 		}
 		segv.FieldByName("Filesz").SetUint(segSize)
-		segv.FieldByName("Memsz").SetUint(uint64(Rnd(int64(segSize), 1<<pageAlign)))
+	} else {
+		segv.FieldByName("Filesz").SetUint(dwarfsize)
 	}
 
 	deltaOffset := uint64(dwarfstart) - realdwarf.Offset
 	deltaAddr := uint64(dwarfaddr) - realdwarf.Addr
 
-	// If we set Memsz to 0 (and might as well set Addr too),
-	// then the xnu kernel will bail out halfway through load_segment
-	// and not apply further sanity checks that we might fail in the future.
-	// We don't need the DWARF information actually available in memory.
-	// But if we do this for buildmode=c-shared then the user-space
-	// dynamic loader complains about memsz < filesz. Sigh.
-	if buildmode != BuildModeCShared {
-		segv.FieldByName("Addr").SetUint(0)
-		segv.FieldByName("Memsz").SetUint(0)
-		deltaAddr = 0
-	}
+	// We want the DWARF segment to be considered non-loadable, so
+	// force vmaddr and vmsize to zero. In addition, set the initial
+	// protection to zero so as to make the dynamic loader happy,
+	// since otherwise it may complain that that the vm size and file
+	// size don't match for the segment. See issues 21647 and 32673
+	// for more context. Also useful to refer to the Apple dynamic
+	// loader source, specifically ImageLoaderMachO::sniffLoadCommands
+	// in ImageLoaderMachO.cpp (various versions can be found online, see
+	// https://opensource.apple.com/source/dyld/dyld-519.2.2/src/ImageLoaderMachO.cpp.auto.html
+	// as one example).
+	segv.FieldByName("Addr").SetUint(0)
+	segv.FieldByName("Memsz").SetUint(0)
+	segv.FieldByName("Prot").SetUint(0)
+	deltaAddr = 0
 
 	if err := r.WriteAt(0, seg); err != nil {
 		return err

src/cmd/link/internal/loadelf/ldelf.go

@@ -678,6 +678,8 @@ func Load(arch *sys.Arch, syms *sym.Symbols, f *bio.Reader, pkg string, length i
 	// as well use one large chunk.
 
 	// create symbols for elfmapped sections
+	sectsymNames := make(map[string]bool)
+	counter := 0
 	for i := 0; uint(i) < elfobj.nsect; i++ {
 		sect = &elfobj.sect[i]
 		if sect.type_ == SHT_ARM_ATTRIBUTES && sect.name == ".ARM.attributes" {
@@ -709,6 +711,12 @@ func Load(arch *sys.Arch, syms *sym.Symbols, f *bio.Reader, pkg string, length i
 		}
 
 		name := fmt.Sprintf("%s(%s)", pkg, sect.name)
+		for sectsymNames[name] {
+			counter++
+			name = fmt.Sprintf("%s(%s%d)", pkg, sect.name, counter)
+		}
+		sectsymNames[name] = true
+
 		s := syms.Lookup(name, localSymVersion)
 
 		switch int(sect.flags) & (ElfSectFlagAlloc | ElfSectFlagWrite | ElfSectFlagExec) {

src/cmd/trace/trace.go

@@ -685,13 +685,14 @@ func generateTrace(params *traceParams, consumer traceConsumer) error {
 			}
 			ctx.emitSlice(&fakeMarkStart, text)
 		case trace.EvGCSweepStart:
-			slice := ctx.emitSlice(ev, "SWEEP")
+			slice := ctx.makeSlice(ev, "SWEEP")
 			if done := ev.Link; done != nil && done.Args[0] != 0 {
 				slice.Arg = struct {
 					Swept     uint64 `json:"Swept bytes"`
 					Reclaimed uint64 `json:"Reclaimed bytes"`
 				}{done.Args[0], done.Args[1]}
 			}
+			ctx.emit(slice)
 		case trace.EvGoStart, trace.EvGoStartLabel:
 			info := getGInfo(ev.G)
 			if ev.Type == trace.EvGoStartLabel {
@@ -846,7 +847,11 @@ func (ctx *traceContext) proc(ev *trace.Event) uint64 {
 	}
 }
 
-func (ctx *traceContext) emitSlice(ev *trace.Event, name string) *ViewerEvent {
+func (ctx *traceContext) emitSlice(ev *trace.Event, name string) {
+	ctx.emit(ctx.makeSlice(ev, name))
+}
+
+func (ctx *traceContext) makeSlice(ev *trace.Event, name string) *ViewerEvent {
 	// If ViewerEvent.Dur is not a positive value,
 	// trace viewer handles it as a non-terminating time interval.
 	// Avoid it by setting the field with a small value.
@@ -885,7 +890,6 @@ func (ctx *traceContext) emitSlice(ev *trace.Event, name string) *ViewerEvent {
 			sl.Cname = colorLightGrey
 		}
 	}
-	ctx.emit(sl)
 	return sl
 }
 

src/crypto/aes/cipher.go

@@ -6,6 +6,7 @@ package aes
 
 import (
 	"crypto/cipher"
+	"crypto/internal/boring"
 	"crypto/internal/subtle"
 	"strconv"
 )
@@ -37,6 +38,9 @@ func NewCipher(key []byte) (cipher.Block, error) {
 	case 16, 24, 32:
 		break
 	}
+	if boring.Enabled {
+		return boring.NewAESCipher(key)
+	}
 	return newCipher(key)
 }
 

src/crypto/aes/cipher_asm.go

@@ -8,6 +8,7 @@ package aes
 
 import (
 	"crypto/cipher"
+	"crypto/internal/boring"
 	"crypto/internal/subtle"
 	"internal/cpu"
 )
@@ -56,6 +57,7 @@ func newCipher(key []byte) (cipher.Block, error) {
 func (c *aesCipherAsm) BlockSize() int { return BlockSize }
 
 func (c *aesCipherAsm) Encrypt(dst, src []byte) {
+	boring.Unreachable()
 	if len(src) < BlockSize {
 		panic("crypto/aes: input not full block")
 	}
@@ -69,6 +71,7 @@ func (c *aesCipherAsm) Encrypt(dst, src []byte) {
 }
 
 func (c *aesCipherAsm) Decrypt(dst, src []byte) {
+	boring.Unreachable()
 	if len(src) < BlockSize {
 		panic("crypto/aes: input not full block")
 	}

src/crypto/ecdsa/boring.go

@@ -0,0 +1,100 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ecdsa
+
+import (
+	"crypto/internal/boring"
+	"math/big"
+	"sync/atomic"
+	"unsafe"
+)
+
+// Cached conversions from Go PublicKey/PrivateKey to BoringCrypto.
+//
+// A new 'boring atomic.Value' field in both PublicKey and PrivateKey
+// serves as a cache for the most recent conversion. The cache is an
+// atomic.Value because code might reasonably set up a key and then
+// (thinking it immutable) use it from multiple goroutines simultaneously.
+// The first operation initializes the cache; if there are multiple simultaneous
+// first operations, they will do redundant work but not step on each other.
+//
+// We could just assume that once used in a Sign or Verify operation,
+// a particular key is never again modified, but that has not been a
+// stated assumption before. Just in case there is any existing code that
+// does modify the key between operations, we save the original values
+// alongside the cached BoringCrypto key and check that the real key
+// still matches before using the cached key. The theory is that the real
+// operations are significantly more expensive than the comparison.
+
+type boringPub struct {
+	key  *boring.PublicKeyECDSA
+	orig PublicKey
+}
+
+func boringPublicKey(pub *PublicKey) (*boring.PublicKeyECDSA, error) {
+	b := (*boringPub)(atomic.LoadPointer(&pub.boring))
+	if b != nil && publicKeyEqual(&b.orig, pub) {
+		return b.key, nil
+	}
+
+	b = new(boringPub)
+	b.orig = copyPublicKey(pub)
+	key, err := boring.NewPublicKeyECDSA(b.orig.Curve.Params().Name, b.orig.X, b.orig.Y)
+	if err != nil {
+		return nil, err
+	}
+	b.key = key
+	atomic.StorePointer(&pub.boring, unsafe.Pointer(b))
+	return key, nil
+}
+
+type boringPriv struct {
+	key  *boring.PrivateKeyECDSA
+	orig PrivateKey
+}
+
+func boringPrivateKey(priv *PrivateKey) (*boring.PrivateKeyECDSA, error) {
+	b := (*boringPriv)(atomic.LoadPointer(&priv.boring))
+	if b != nil && privateKeyEqual(&b.orig, priv) {
+		return b.key, nil
+	}
+
+	b = new(boringPriv)
+	b.orig = copyPrivateKey(priv)
+	key, err := boring.NewPrivateKeyECDSA(b.orig.Curve.Params().Name, b.orig.X, b.orig.Y, b.orig.D)
+	if err != nil {
+		return nil, err
+	}
+	b.key = key
+	atomic.StorePointer(&priv.boring, unsafe.Pointer(b))
+	return key, nil
+}
+
+func publicKeyEqual(k1, k2 *PublicKey) bool {
+	return k1.X != nil &&
+		k1.Curve.Params() == k2.Curve.Params() &&
+		k1.X.Cmp(k2.X) == 0 &&
+		k1.Y.Cmp(k2.Y) == 0
+}
+
+func privateKeyEqual(k1, k2 *PrivateKey) bool {
+	return publicKeyEqual(&k1.PublicKey, &k2.PublicKey) &&
+		k1.D.Cmp(k2.D) == 0
+}
+
+func copyPublicKey(k *PublicKey) PublicKey {
+	return PublicKey{
+		Curve: k.Curve,
+		X:     new(big.Int).Set(k.X),
+		Y:     new(big.Int).Set(k.Y),
+	}
+}
+
+func copyPrivateKey(k *PrivateKey) PrivateKey {
+	return PrivateKey{
+		PublicKey: copyPublicKey(&k.PublicKey),
+		D:         new(big.Int).Set(k.D),
+	}
+}

src/crypto/ecdsa/ecdsa.go

@@ -21,11 +21,13 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/elliptic"
+	"crypto/internal/boring"
 	"crypto/sha512"
 	"encoding/asn1"
 	"errors"
 	"io"
 	"math/big"
+	"unsafe"
 
 	"crypto/internal/randutil"
 )
@@ -49,12 +51,16 @@ const (
 type PublicKey struct {
 	elliptic.Curve
 	X, Y *big.Int
+
+	boring unsafe.Pointer
 }
 
 // PrivateKey represents an ECDSA private key.
 type PrivateKey struct {
 	PublicKey
 	D *big.Int
+
+	boring unsafe.Pointer
 }
 
 type ecdsaSignature struct {
@@ -74,6 +80,15 @@ func (priv *PrivateKey) Public() crypto.PublicKey {
 // where the private part is kept in, for example, a hardware module. Common
 // uses should use the Sign function in this package directly.
 func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	if boring.Enabled && rand == boring.RandReader {
+		b, err := boringPrivateKey(priv)
+		if err != nil {
+			return nil, err
+		}
+		return boring.SignMarshalECDSA(b, digest)
+	}
+	boring.UnreachableExceptTests()
+
 	r, s, err := Sign(rand, priv, digest)
 	if err != nil {
 		return nil, err
@@ -103,6 +118,15 @@ func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error)
 
 // GenerateKey generates a public and private key pair.
 func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
+	if boring.Enabled && rand == boring.RandReader {
+		x, y, d, err := boring.GenerateKeyECDSA(c.Params().Name)
+		if err != nil {
+			return nil, err
+		}
+		return &PrivateKey{PublicKey: PublicKey{Curve: c, X: x, Y: y}, D: d}, nil
+	}
+	boring.UnreachableExceptTests()
+
 	k, err := randFieldElement(c, rand)
 	if err != nil {
 		return nil, err
@@ -156,6 +180,15 @@ var errZeroParam = errors.New("zero parameter")
 func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
 	randutil.MaybeReadByte(rand)
 
+	if boring.Enabled && rand == boring.RandReader {
+		b, err := boringPrivateKey(priv)
+		if err != nil {
+			return nil, nil, err
+		}
+		return boring.SignECDSA(b, hash)
+	}
+	boring.UnreachableExceptTests()
+
 	// Get min(log2(q) / 2, 256) bits of entropy from rand.
 	entropylen := (priv.Curve.Params().BitSize + 7) / 16
 	if entropylen > 32 {
@@ -232,6 +265,15 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
 // Verify verifies the signature in r, s of hash using the public key, pub. Its
 // return value records whether the signature is valid.
 func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
+	if boring.Enabled {
+		b, err := boringPublicKey(pub)
+		if err != nil {
+			return false
+		}
+		return boring.VerifyECDSA(b, hash, r, s)
+	}
+	boring.UnreachableExceptTests()
+
 	// See [NSA] 3.4.2
 	c := pub.Curve
 	N := c.Params().N

src/crypto/elliptic/elliptic.go

@@ -210,8 +210,9 @@ func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int,
 
 	x3 := new(big.Int).Mul(alpha, alpha)
 	beta8 := new(big.Int).Lsh(beta, 3)
+	beta8.Mod(beta8, curve.P)
 	x3.Sub(x3, beta8)
-	for x3.Sign() == -1 {
+	if x3.Sign() == -1 {
 		x3.Add(x3, curve.P)
 	}
 	x3.Mod(x3, curve.P)

src/crypto/hmac/hmac.go

@@ -22,6 +22,7 @@ timing side-channels:
 package hmac
 
 import (
+	"crypto/internal/boring"
 	"crypto/subtle"
 	"hash"
 )
@@ -68,6 +69,13 @@ func (h *hmac) Reset() {
 // the returned Hash does not implement encoding.BinaryMarshaler
 // or encoding.BinaryUnmarshaler.
 func New(h func() hash.Hash, key []byte) hash.Hash {
+	if boring.Enabled {
+		hm := boring.NewHMAC(h, key)
+		if hm != nil {
+			return hm
+		}
+		// BoringCrypto did not recognize h, so fall through to standard Go code.
+	}
 	hm := new(hmac)
 	hm.outer = h()
 	hm.inner = h()

src/crypto/hmac/hmac_test.go

@@ -5,6 +5,7 @@
 package hmac
 
 import (
+	"bytes"
 	"crypto/md5"
 	"crypto/sha1"
 	"crypto/sha256"
@@ -518,6 +519,31 @@ var hmacTests = []hmacTest{
 		sha512.Size,
 		sha512.BlockSize,
 	},
+	// HMAC without key is dumb but should probably not fail.
+	{
+		sha1.New,
+		[]byte{},
+		[]byte("message"),
+		"d5d1ed05121417247616cfc8378f360a39da7cfa",
+		sha1.Size,
+		sha1.BlockSize,
+	},
+	{
+		sha256.New,
+		[]byte{},
+		[]byte("message"),
+		"eb08c1f56d5ddee07f7bdf80468083da06b64cf4fac64fe3a90883df5feacae4",
+		sha256.Size,
+		sha256.BlockSize,
+	},
+	{
+		sha512.New,
+		[]byte{},
+		[]byte("message"),
+		"08fce52f6395d59c2a3fb8abb281d74ad6f112b9a9c787bcea290d94dadbc82b2ca3e5e12bf2277c7fedbb0154d5493e41bb7459f63c8e39554ea3651b812492",
+		sha512.Size,
+		sha512.BlockSize,
+	},
 }
 
 func TestHMAC(t *testing.T) {
@@ -569,6 +595,42 @@ func TestEqual(t *testing.T) {
 	}
 }
 
+func TestWriteAfterSum(t *testing.T) {
+	h := New(sha1.New, nil)
+	h.Write([]byte("hello"))
+	sumHello := h.Sum(nil)
+
+	h = New(sha1.New, nil)
+	h.Write([]byte("hello world"))
+	sumHelloWorld := h.Sum(nil)
+
+	// Test that Sum has no effect on future Sum or Write operations.
+	// This is a bit unusual as far as usage, but it's allowed
+	// by the definition of Go hash.Hash, and some clients expect it to work.
+	h = New(sha1.New, nil)
+	h.Write([]byte("hello"))
+	if sum := h.Sum(nil); !bytes.Equal(sum, sumHello) {
+		t.Fatalf("1st Sum after hello = %x, want %x", sum, sumHello)
+	}
+	if sum := h.Sum(nil); !bytes.Equal(sum, sumHello) {
+		t.Fatalf("2nd Sum after hello = %x, want %x", sum, sumHello)
+	}
+
+	h.Write([]byte(" world"))
+	if sum := h.Sum(nil); !bytes.Equal(sum, sumHelloWorld) {
+		t.Fatalf("1st Sum after hello world = %x, want %x", sum, sumHelloWorld)
+	}
+	if sum := h.Sum(nil); !bytes.Equal(sum, sumHelloWorld) {
+		t.Fatalf("2nd Sum after hello world = %x, want %x", sum, sumHelloWorld)
+	}
+
+	h.Reset()
+	h.Write([]byte("hello"))
+	if sum := h.Sum(nil); !bytes.Equal(sum, sumHello) {
+		t.Fatalf("Sum after Reset + hello = %x, want %x", sum, sumHello)
+	}
+}
+
 func BenchmarkHMACSHA256_1K(b *testing.B) {
 	key := make([]byte, 32)
 	buf := make([]byte, 1024)

src/crypto/internal/boring/LICENSE

@@ -0,0 +1,200 @@
+The Go source code and supporting files in this directory
+are covered by the usual Go license (see ../../../../LICENSE).
+
+The goboringcrypto_linux_amd64.syso object file is built
+from BoringSSL source code by build/build.sh and is covered
+by the BoringSSL license reproduced below and also at
+https://boringssl.googlesource.com/boringssl/+/fips-20170615/LICENSE.
+
+BoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL
+licensing. Files that are completely new have a Google copyright and an ISC
+license. This license is reproduced at the bottom of this file.
+
+Contributors to BoringSSL are required to follow the CLA rules for Chromium:
+https://cla.developers.google.com/clas
+
+Some files from Intel are under yet another license, which is also included
+underneath.
+
+The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the
+OpenSSL License and the original SSLeay license apply to the toolkit. See below
+for the actual license texts. Actually both licenses are BSD-style Open Source
+licenses. In case of any license issues related to OpenSSL please contact
+openssl-core@openssl.org.
+
+The following are Google-internal bug numbers where explicit permission from
+some authors is recorded for use of their work. (This is purely for our own
+record keeping.)
+  27287199
+  27287880
+  27287883
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+
+ISC license used for completely new code in BoringSSL:
+
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+
+Some files from Intel carry the following license:
+
+# Copyright (c) 2012, Intel Corporation
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# *  Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# *  Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the
+#    distribution.
+#
+# *  Neither the name of the Intel Corporation nor the names of its
+#    contributors may be used to endorse or promote products derived from
+#    this software without specific prior written permission.
+#
+#
+# THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

src/crypto/internal/boring/aes.go

@@ -0,0 +1,391 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux,amd64
+// +build !android
+// +build !cmd_go_bootstrap
+// +build !msan
+
+package boring
+
+/*
+
+#include "goboringcrypto.h"
+
+// These wrappers allocate out_len on the C stack, and check that it matches the expected
+// value, to avoid having to pass a pointer from Go, which would escape to the heap.
+
+int EVP_AEAD_CTX_seal_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+							  size_t exp_out_len,
+							  const uint8_t *nonce, size_t nonce_len,
+							  const uint8_t *in, size_t in_len,
+							  const uint8_t *ad, size_t ad_len) {
+	size_t out_len;
+	int ok = _goboringcrypto_EVP_AEAD_CTX_seal(ctx, out, &out_len, exp_out_len,
+		nonce, nonce_len, in, in_len, ad, ad_len);
+	if (out_len != exp_out_len) {
+		return 0;
+	}
+	return ok;
+};
+
+int EVP_AEAD_CTX_open_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out,
+							  size_t exp_out_len,
+							  const uint8_t *nonce, size_t nonce_len,
+							  const uint8_t *in, size_t in_len,
+							  const uint8_t *ad, size_t ad_len) {
+	size_t out_len;
+	int ok = _goboringcrypto_EVP_AEAD_CTX_open(ctx, out, &out_len, exp_out_len,
+		nonce, nonce_len, in, in_len, ad, ad_len);
+	if (out_len != exp_out_len) {
+		return 0;
+	}
+	return ok;
+};
+
+*/
+import "C"
+import (
+	"crypto/cipher"
+	"errors"
+	"runtime"
+	"strconv"
+	"unsafe"
+)
+
+type aesKeySizeError int
+
+func (k aesKeySizeError) Error() string {
+	return "crypto/aes: invalid key size " + strconv.Itoa(int(k))
+}
+
+const aesBlockSize = 16
+
+type aesCipher struct {
+	key []byte
+	enc C.GO_AES_KEY
+	dec C.GO_AES_KEY
+}
+
+type extraModes interface {
+	// Copied out of crypto/aes/modes.go.
+	NewCBCEncrypter(iv []byte) cipher.BlockMode
+	NewCBCDecrypter(iv []byte) cipher.BlockMode
+	NewCTR(iv []byte) cipher.Stream
+	NewGCM(nonceSize, tagSize int) (cipher.AEAD, error)
+
+	// Invented for BoringCrypto.
+	NewGCMTLS() (cipher.AEAD, error)
+}
+
+var _ extraModes = (*aesCipher)(nil)
+
+func NewAESCipher(key []byte) (cipher.Block, error) {
+	c := &aesCipher{key: make([]byte, len(key))}
+	copy(c.key, key)
+	// Note: 0 is success, contradicting the usual BoringCrypto convention.
+	if C._goboringcrypto_AES_set_decrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.dec) != 0 ||
+		C._goboringcrypto_AES_set_encrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.enc) != 0 {
+		return nil, aesKeySizeError(len(key))
+	}
+	return c, nil
+}
+
+func (c *aesCipher) BlockSize() int { return aesBlockSize }
+
+func (c *aesCipher) Encrypt(dst, src []byte) {
+	if inexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(src) < aesBlockSize {
+		panic("crypto/aes: input not full block")
+	}
+	if len(dst) < aesBlockSize {
+		panic("crypto/aes: output not full block")
+	}
+	C._goboringcrypto_AES_encrypt(
+		(*C.uint8_t)(unsafe.Pointer(&src[0])),
+		(*C.uint8_t)(unsafe.Pointer(&dst[0])),
+		&c.enc)
+}
+
+func (c *aesCipher) Decrypt(dst, src []byte) {
+	if inexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(src) < aesBlockSize {
+		panic("crypto/aes: input not full block")
+	}
+	if len(dst) < aesBlockSize {
+		panic("crypto/aes: output not full block")
+	}
+	C._goboringcrypto_AES_decrypt(
+		(*C.uint8_t)(unsafe.Pointer(&src[0])),
+		(*C.uint8_t)(unsafe.Pointer(&dst[0])),
+		&c.dec)
+}
+
+type aesCBC struct {
+	key  *C.GO_AES_KEY
+	mode C.int
+	iv   [aesBlockSize]byte
+}
+
+func (x *aesCBC) BlockSize() int { return aesBlockSize }
+
+func (x *aesCBC) CryptBlocks(dst, src []byte) {
+	if inexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(src)%aesBlockSize != 0 {
+		panic("crypto/cipher: input not full blocks")
+	}
+	if len(dst) < len(src) {
+		panic("crypto/cipher: output smaller than input")
+	}
+	if len(src) > 0 {
+		C._goboringcrypto_AES_cbc_encrypt(
+			(*C.uint8_t)(unsafe.Pointer(&src[0])),
+			(*C.uint8_t)(unsafe.Pointer(&dst[0])),
+			C.size_t(len(src)), x.key,
+			(*C.uint8_t)(unsafe.Pointer(&x.iv[0])), x.mode)
+	}
+}
+
+func (x *aesCBC) SetIV(iv []byte) {
+	if len(iv) != aesBlockSize {
+		panic("cipher: incorrect length IV")
+	}
+	copy(x.iv[:], iv)
+}
+
+func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
+	x := &aesCBC{key: &c.enc, mode: C.GO_AES_ENCRYPT}
+	copy(x.iv[:], iv)
+	return x
+}
+
+func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
+	x := &aesCBC{key: &c.dec, mode: C.GO_AES_DECRYPT}
+	copy(x.iv[:], iv)
+	return x
+}
+
+type aesCTR struct {
+	key        *C.GO_AES_KEY
+	iv         [aesBlockSize]byte
+	num        C.uint
+	ecount_buf [16]C.uint8_t
+}
+
+func (x *aesCTR) XORKeyStream(dst, src []byte) {
+	if inexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(dst) < len(src) {
+		panic("crypto/cipher: output smaller than input")
+	}
+	if len(src) == 0 {
+		return
+	}
+	C._goboringcrypto_AES_ctr128_encrypt(
+		(*C.uint8_t)(unsafe.Pointer(&src[0])),
+		(*C.uint8_t)(unsafe.Pointer(&dst[0])),
+		C.size_t(len(src)), x.key, (*C.uint8_t)(unsafe.Pointer(&x.iv[0])),
+		&x.ecount_buf[0], &x.num)
+}
+
+func (c *aesCipher) NewCTR(iv []byte) cipher.Stream {
+	x := &aesCTR{key: &c.enc}
+	copy(x.iv[:], iv)
+	return x
+}
+
+type aesGCM struct {
+	ctx  C.GO_EVP_AEAD_CTX
+	aead *C.GO_EVP_AEAD
+}
+
+const (
+	gcmBlockSize         = 16
+	gcmTagSize           = 16
+	gcmStandardNonceSize = 12
+)
+
+type aesNonceSizeError int
+
+func (n aesNonceSizeError) Error() string {
+	return "crypto/aes: invalid GCM nonce size " + strconv.Itoa(int(n))
+}
+
+type noGCM struct {
+	cipher.Block
+}
+
+func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
+	if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize {
+		return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time")
+	}
+	// Fall back to standard library for GCM with non-standard nonce or tag size.
+	if nonceSize != gcmStandardNonceSize {
+		return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
+	}
+	if tagSize != gcmTagSize {
+		return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
+	}
+	return c.newGCM(false)
+}
+
+func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) {
+	return c.newGCM(true)
+}
+
+func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
+	var aead *C.GO_EVP_AEAD
+	switch len(c.key) * 8 {
+	case 128:
+		if tls {
+			aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12()
+		} else {
+			aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
+		}
+	case 256:
+		if tls {
+			aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12()
+		} else {
+			aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
+		}
+	default:
+		// Fall back to standard library for GCM with non-standard key size.
+		return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize)
+	}
+
+	g := &aesGCM{aead: aead}
+	if C._goboringcrypto_EVP_AEAD_CTX_init(&g.ctx, aead, (*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.size_t(len(c.key)), C.GO_EVP_AEAD_DEFAULT_TAG_LENGTH, nil) == 0 {
+		return nil, fail("EVP_AEAD_CTX_init")
+	}
+	// Note: Because of the finalizer, any time g.ctx is passed to cgo,
+	// that call must be followed by a call to runtime.KeepAlive(g),
+	// to make sure g is not collected (and finalized) before the cgo
+	// call returns.
+	runtime.SetFinalizer(g, (*aesGCM).finalize)
+	if g.NonceSize() != gcmStandardNonceSize {
+		panic("boringcrypto: internal confusion about nonce size")
+	}
+	if g.Overhead() != gcmTagSize {
+		panic("boringcrypto: internal confusion about tag size")
+	}
+
+	return g, nil
+}
+
+func (g *aesGCM) finalize() {
+	C._goboringcrypto_EVP_AEAD_CTX_cleanup(&g.ctx)
+}
+
+func (g *aesGCM) NonceSize() int {
+	return int(C._goboringcrypto_EVP_AEAD_nonce_length(g.aead))
+}
+
+func (g *aesGCM) Overhead() int {
+	return int(C._goboringcrypto_EVP_AEAD_max_overhead(g.aead))
+}
+
+// base returns the address of the underlying array in b,
+// being careful not to panic when b has zero length.
+func base(b []byte) *C.uint8_t {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.uint8_t)(unsafe.Pointer(&b[0]))
+}
+
+func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) {
+		panic("cipher: message too large for GCM")
+	}
+	if len(dst)+len(plaintext)+gcmTagSize < len(dst) {
+		panic("cipher: message too large for buffer")
+	}
+
+	// Make room in dst to append plaintext+overhead.
+	n := len(dst)
+	for cap(dst) < n+len(plaintext)+gcmTagSize {
+		dst = append(dst[:cap(dst)], 0)
+	}
+	dst = dst[:n+len(plaintext)+gcmTagSize]
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if inexactOverlap(dst[n:], plaintext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	outLen := C.size_t(len(plaintext) + gcmTagSize)
+	ok := C.EVP_AEAD_CTX_seal_wrapper(
+		&g.ctx,
+		(*C.uint8_t)(unsafe.Pointer(&dst[n])), outLen,
+		base(nonce), C.size_t(len(nonce)),
+		base(plaintext), C.size_t(len(plaintext)),
+		base(additionalData), C.size_t(len(additionalData)))
+	runtime.KeepAlive(g)
+	if ok == 0 {
+		panic(fail("EVP_AEAD_CTX_seal"))
+	}
+	return dst[:n+int(outLen)]
+}
+
+var errOpen = errors.New("cipher: message authentication failed")
+
+func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if len(ciphertext) < gcmTagSize {
+		return nil, errOpen
+	}
+	if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize {
+		return nil, errOpen
+	}
+
+	// Make room in dst to append ciphertext without tag.
+	n := len(dst)
+	for cap(dst) < n+len(ciphertext)-gcmTagSize {
+		dst = append(dst[:cap(dst)], 0)
+	}
+	dst = dst[:n+len(ciphertext)-gcmTagSize]
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if inexactOverlap(dst[n:], ciphertext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	outLen := C.size_t(len(ciphertext) - gcmTagSize)
+	ok := C.EVP_AEAD_CTX_open_wrapper(
+		&g.ctx,
+		base(dst[n:]), outLen,
+		base(nonce), C.size_t(len(nonce)),
+		base(ciphertext), C.size_t(len(ciphertext)),
+		base(additionalData), C.size_t(len(additionalData)))
+	runtime.KeepAlive(g)
+	if ok == 0 {
+		return nil, errOpen
+	}
+	return dst[:n+int(outLen)], nil
+}
+
+func anyOverlap(x, y []byte) bool {
+	return len(x) > 0 && len(y) > 0 &&
+		uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
+		uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
+}
+
+func inexactOverlap(x, y []byte) bool {
+	if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
+		return false
+	}
+	return anyOverlap(x, y)
+}

src/crypto/internal/boring/boring.go

@@ -0,0 +1,83 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux,amd64
+// +build !android
+// +build !cmd_go_bootstrap
+// +build !msan
+
+package boring
+
+// #include "goboringcrypto.h"
+import "C"
+import (
+	"crypto/internal/boring/sig"
+	"math/big"
+)
+
+const available = true
+
+func init() {
+	C._goboringcrypto_BORINGSSL_bcm_power_on_self_test()
+	if C._goboringcrypto_FIPS_mode() != 1 {
+		panic("boringcrypto: not in FIPS mode")
+	}
+	sig.BoringCrypto()
+}
+
+// Unreachable marks code that should be unreachable
+// when BoringCrypto is in use. It panics.
+func Unreachable() {
+	panic("boringcrypto: invalid code execution")
+}
+
+// provided by runtime to avoid os import
+func runtime_arg0() string
+
+func hasSuffix(s, t string) bool {
+	return len(s) > len(t) && s[len(s)-len(t):] == t
+}
+
+// UnreachableExceptTests marks code that should be unreachable
+// when BoringCrypto is in use. It panics.
+func UnreachableExceptTests() {
+	name := runtime_arg0()
+	// If BoringCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well.
+	if !hasSuffix(name, "_test") && !hasSuffix(name, ".test") {
+		println("boringcrypto: unexpected code execution in", name)
+		panic("boringcrypto: invalid code execution")
+	}
+}
+
+type fail string
+
+func (e fail) Error() string { return "boringcrypto: " + string(e) + " failed" }
+
+func bigToBN(x *big.Int) *C.GO_BIGNUM {
+	raw := x.Bytes()
+	return C._goboringcrypto_BN_bin2bn(base(raw), C.size_t(len(raw)), nil)
+}
+
+func bnToBig(bn *C.GO_BIGNUM) *big.Int {
+	raw := make([]byte, C._goboringcrypto_BN_num_bytes(bn))
+	n := C._goboringcrypto_BN_bn2bin(bn, base(raw))
+	return new(big.Int).SetBytes(raw[:n])
+}
+
+func bigToBn(bnp **C.GO_BIGNUM, b *big.Int) bool {
+	if *bnp != nil {
+		C._goboringcrypto_BN_free(*bnp)
+		*bnp = nil
+	}
+	if b == nil {
+		return true
+	}
+	raw := b.Bytes()
+	bn := C._goboringcrypto_BN_bin2bn(base(raw), C.size_t(len(raw)), nil)
+	if bn == nil {
+		return false
+	}
+	*bnp = bn
+	return true
+}

src/crypto/internal/boring/boring_test.go

@@ -0,0 +1,34 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Most functionality in this package is tested by replacing existing code
+// and inheriting that code's tests.
+
+package boring
+
+import "testing"
+
+// Test that func init does not panic.
+func TestInit(t *testing.T) {}
+
+// Test that Unreachable panics.
+func TestUnreachable(t *testing.T) {
+	defer func() {
+		if Enabled {
+			if err := recover(); err == nil {
+				t.Fatal("expected Unreachable to panic")
+			}
+		} else {
+			if err := recover(); err != nil {
+				t.Fatalf("expected Unreachable to be a no-op")
+			}
+		}
+	}()
+	Unreachable()
+}
+
+// Test that UnreachableExceptTests does not panic (this is a test).
+func TestUnreachableExceptTests(t *testing.T) {
+	UnreachableExceptTests()
+}

src/crypto/internal/boring/build/.gitignore

@@ -0,0 +1 @@
+boringssl-24e5886c0edfc409c8083d10f9f1120111efd6f5.tar.xz

src/crypto/internal/boring/build/README

@@ -0,0 +1,6 @@
+This is not a Go package. The directory must not contain Go sources,
+to prevent it from being considered a Go package.
+
+This directory holds the script for building ../goboringcrypto_*.syso.
+Run build.sh on an Ubuntu system.
+See the comment at the top of build.sh for details.

src/crypto/internal/boring/build/build.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# Copyright 2017 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# Run on Ubuntu system set up with:
+#	sudo apt-get install debootstrap
+#	sudo apt-get install squid-deb-proxy
+#
+# The script sets up an Ubuntu chroot and then runs the build
+# in that chroot, to make sure we know exactly what software
+# is being used for the build. To repeat the script reusing the
+# chroot installation, run build.sh -quick. This mode is useful
+# if all you've modified is goboringcrypto.c and ../goboringcrypto.h
+# (or some of the setup scripts in this directory).
+
+# Comment this setting out if not using squid-deb-proxy,
+# but it will be much slower to repeat the script.
+http_proxy=http://127.0.0.1:8000
+
+chroot=/var/tmp/boringssl
+
+sudo umount -f $chroot/proc
+sudo umount -f $chroot/sys
+sudo umount -f $chroot/dev/pts
+sudo umount -f $chroot/dev
+
+set -e
+if [ "$1" != "-quick" ]; then
+	sudo rm -rf $chroot
+	sudo http_proxy=$http_proxy debootstrap --variant=minbase zesty $chroot
+fi
+
+sudo chown $USER $chroot
+sudo chmod u+w $chroot
+
+sudo mount -t proc proc $chroot/proc
+sudo mount -t sysfs sys $chroot/sys
+sudo mount -o bind /dev $chroot/dev
+sudo mount -t devpts devpts $chroot/dev/pts
+
+sudo cp sources.list $chroot/etc/apt/sources.list
+
+cp *chroot.sh $chroot
+
+# Following http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2964.pdf page 18.
+if [ ! -e $chroot/boringssl-24e5886c0edfc409c8083d10f9f1120111efd6f5.tar.xz ]; then
+	wget -O $chroot/boringssl-24e5886c0edfc409c8083d10f9f1120111efd6f5.tar.xz https://commondatastorage.googleapis.com/chromium-boringssl-docs/fips/boringssl-24e5886c0edfc409c8083d10f9f1120111efd6f5.tar.xz
+fi
+if [ "$(sha256sum $chroot/boringssl-24e5886c0edfc409c8083d10f9f1120111efd6f5.tar.xz | awk '{print $1}')" != 15a65d676eeae27618e231183a1ce9804fc9c91bcc3abf5f6ca35216c02bf4da ]; then
+	echo WRONG SHA256SUM
+	exit 2
+fi
+
+rm -rf $chroot/godriver
+mkdir $chroot/godriver
+cp ../goboringcrypto.h $chroot/godriver
+
+sudo http_proxy=$http_proxy chroot $chroot /root_setup_in_chroot.sh
+sudo chroot --userspec=$(id -u):$(id -g) $chroot /build_in_chroot.sh
+cp $chroot/godriver/goboringcrypto_linux_amd64.syso ..
+sha256sum ../goboringcrypto_linux_amd64.syso
+echo DONE