Joe Tsai [Sat, 11 Oct 2025 00:56:04 +0000 (17:56 -0700)]
encoding/json/v2: report EOF for top-level values in UnmarshalDecode
The fully streaming UnmarshalJSONFrom method and UnmarshalFromFunc
introduce an edge case where they can encounter EOF in the stream,
where it should be reported upstream as EOF rather than
ErrUnexpectedEOF or be wrapped within a SemanticError.
This is not possible with other unmarshal methods since the
"json" package would read the appropriate JSON value
before calling the custom method or function.
To avoid custom unmarshal methods from encountering EOF,
check whether the stream is already at EOF for top-level values
before calling the custom method.
Also, when wrapping EOF within a SemanticError, convert it
to ErrUnexpectedEOF to better indicate that this is unexpected.
Fixes #75802
Change-Id: I001396734b7e95b5337f77b71326284974ee730a
Reviewed-on: https://go-review.googlesource.com/c/go/+/710877
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Julien Cretel [Wed, 1 Oct 2025 20:08:18 +0000 (20:08 +0000)]
all: replace calls to errors.As with errors.AsType
This change replaces most occurrences (in code as well as in comments) of
errors.As with errors.AsType. It leaves the errors package and vendored
code untouched.
Change-Id: I3bde73f318a0b408bdb8f5a251494af15a13118a
GitHub-Last-Rev: 8aaaa36a5a12d2a6a90c6d51680464e1a3115139
GitHub-Pull-Request: golang/go#75698
Reviewed-on: https://go-review.googlesource.com/c/go/+/708495
Auto-Submit: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Alan Donovan <adonovan@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
Roland Shoemaker [Thu, 9 Oct 2025 20:35:24 +0000 (13:35 -0700)]
crypto/x509: rework fix for CVE-2025-58187
In CL 709854 we enabled strict validation for a number of properties of
domain names (and their constraints). This caused significant breakage,
since we didn't previously disallow the creation of certificates which
contained these malformed domains.
Rollback a number of the properties we enforced, making domainNameValid
only enforce the same properties that domainToReverseLabels does. Since
this also undoes some of the DoS protections our initial fix enabled,
this change also adds caching of constraints in isValid (which perhaps
is the fix we should've initially chosen).
Updates #75835
Fixes #75828
Change-Id: Ie6ca6b4f30e9b8a143692b64757f7bbf4671ed0e
Reviewed-on: https://go-review.googlesource.com/c/go/+/710735
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
Cherry Mui [Sat, 11 Oct 2025 14:36:49 +0000 (10:36 -0400)]
cmd/link: in TestFallocate, only check number of blocks on Darwin
The number-of-blocks check was introduced when fixing a Darwin-
specific bug. On Darwin, the file allocation syscall is a bit
tricky. On Linux and BSDs, it is more straightforward and unlikely
to go wrong.
The test itself, on the other hand, is less reliable on Linux (and
perhaps BSDs), as it is considered less portable and is an
implementation detail of the file system.
Given these two reasons, only check it on Darwin.
Fixes #75795.
Change-Id: I3da891fd60a141c3eca5d0f5ec20c2cad65b8862
Reviewed-on: https://go-review.googlesource.com/c/go/+/711095
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Keith Randall <khr@golang.org>
Joe Tsai [Mon, 6 Oct 2025 19:56:29 +0000 (12:56 -0700)]
encoding/json: fix regression in quoted numbers under goexperiment.jsonv2
The legacy parsing of quoted numbers in v1 was according to
the Go grammar for a number, rather than
the JSON grammar for a number.
The former is a superset of the latter.
This is a historical mistake, but usages exist that depend on it.
We already have branches for StringifyWithLegacySemantics
to handle quoted nulls, so we can expand it to handle this.
Fixes #75619
Change-Id: Ic07802539b7cbe0e1f53bd0f7e9bb344a8447203
Reviewed-on: https://go-review.googlesource.com/c/go/+/709615 Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Joseph Tsai <joetsai@digital-static.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com>
Michael Anthony Knyszek [Thu, 9 Oct 2025 20:58:34 +0000 (20:58 +0000)]
runtime: fail TestGoroutineLeakProfile on data race
Some of the programs in testdata/testgoroutineleakprofile have data
races because they were taken from a corpus that showcases general Go
concurrency bugs, not just leaked goroutines.
This causes some flakiness as tests might fail due to, for example, a
concurrent map access, even outside of race mode.
Let's just call data races a failure and fix them in the examples. As
far as I can tell, there are only two that show up consistently.
Fixes #75732.
Change-Id: I160b3a1cdce4c2de3f2320b68b4083292e02b557
Reviewed-on: https://go-review.googlesource.com/c/go/+/710756
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Michael Knyszek <mknyszek@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
Sean Liao [Thu, 9 Oct 2025 00:56:09 +0000 (01:56 +0100)]
net/url: disallow raw IPv6 addresses in host
RFC 3986 requires square brackets around IPv6 addresses.
Parse's acceptance of raw IPv6 addresses is non compliant,
and complicates splitting out a port.
Fixes #31024
Fixes #75223
Change-Id: I477dc420a7441cb33156627dbd5e46d88c677f1e
Reviewed-on: https://go-review.googlesource.com/c/go/+/710176
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
Sean Liao [Thu, 9 Oct 2025 01:26:02 +0000 (02:26 +0100)]
net/http: strip request body headers on POST to GET redirects
According to WHATWG Fetch, when the body is dropped in a redirect,
headers that describe the body should also be dropped.
https://fetch.spec.whatwg.org/#http-redirect-fetch
Fixes #57273
Change-Id: I84598f69608e95c1b556ea0ce5953ed43bf2d824
Reviewed-on: https://go-review.googlesource.com/c/go/+/710395
Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
cuishuang [Fri, 10 Oct 2025 03:47:13 +0000 (11:47 +0800)]
all: omit unnecessary reassignment
The new version of Go has been optimized, and variables do not need
to be reassigned.
Change-Id: I0374b049271e53510f2b162f6821fb3595f2c8ff
Reviewed-on: https://go-review.googlesource.com/c/go/+/710835
Auto-Submit: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Alan Donovan <adonovan@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
Sean Liao [Wed, 8 Oct 2025 21:33:24 +0000 (22:33 +0100)]
net/http: set cookie host to Request.Host when available
When both Request.URL and Request.Host are set, the host in URL
is used for connecting at the transport level, while Host is used
for the request host line. Cookies should be set for the request,
not the underlying connection destination.
Fixes #38988
Change-Id: I09053b87ccac67081f6038d205837d9763701526
Reviewed-on: https://go-review.googlesource.com/c/go/+/710335 Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Alan Donovan [Fri, 26 Sep 2025 17:33:09 +0000 (13:33 -0400)]
cmd/go: unify "go fix" and "go vet"
This change unifies the fix and vet subcommands; they use the
same run function, action graph, and external tool (-vettool
for go vet and -fixtool for go fix). go fix runs the tool
with the -fix flag, whereas although go vet also supports
-fix, it is not the default. The two tools have different
(overlapping) suites of analyzers.
The high-level parts are fully parameterized over the
vet/fix distinction; the lower-level parts (the action
graph) continue to use only the "vet" terminology.
The cmd/{vet,fix} executable is referred to as the "tool".
The tool is generally invoked in -json mode, regardless
of whether -json was requested, so that the tool produces
a cacheable JSON blob on stdout. When the go user did not
request -json, this blob is parsed and printed to stderr
by logic in the go vet command. (Formerly the tool would
print diagnostics to stderr, but this interacts poorly
with the build cache.)
go fix's legacy -fix=fixer,... flag is now a no-op that
prints a warning that the flag is obsolete.
The unitchecker's -c=n flag (to display n lines of context
around each diagnostic) is reimplemented in go vet based
on the JSON information, to avoid reliance on the stderr
output of the tool.
cmd/fix is added to dist's prebuilt set of tools since
go fix cannot build it dynamically (though ideally
it would).
Updates #71859
For #75432
Change-Id: I0a84746720b59d05d662ed57826747c5598dca44
Reviewed-on: https://go-review.googlesource.com/c/go/+/700795 Reviewed-by: Michael Matloob <matloob@google.com>
Auto-Submit: Alan Donovan <adonovan@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
TryBot-Bypass: Alan Donovan <adonovan@google.com>
Damien Neil [Thu, 9 Oct 2025 22:25:30 +0000 (15:25 -0700)]
net/http: run TestRequestWriteTransport with fake time to avoid flakes
This test verifies whether or not we use the chunked encoding when
sending a request with a body like io.NopCloser(strings.NewReader("")).
This depends on whether the transport can read a single byte from the
request body within 200ms, which is flaky on very slow builders.
Use fake time to avoid flakes.
Fixes #52575
Change-Id: Ie11a58ac6bc18d43af1423827887e804242dee30
Reviewed-on: https://go-review.googlesource.com/c/go/+/710737
Auto-Submit: Nicholas Husin <nsh@golang.org> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
WANG Xuerui [Thu, 9 Oct 2025 07:52:02 +0000 (15:52 +0800)]
cmd/compile: declare no output register for loong64 LoweredAtomic{And,Or}32 ops
The ICE seen on loong64 while compiling the `(*gcWork).tryStealSpan`
function was due to an `LoweredAtomicAnd32` op (inlined from the
`(pMask).clear` implementation) being incorrectly assigned an output
register while it shouldn't have. Because the op is of mem type, it has
needRegister() == false; hence in the shuffle phase of regalloc, its
bogus output register has no associated `orig` value recorded. The bug
was introduced in CL 482756, but only recently exposed by CL 696035.
Since the old-style atomic ops need no return value (and is even
documented so besides the loong64 ssa op definition), just fix the
register info for both.
While at it, add a note in the ssa op definition file about the
architectural necessity of resultNotInArgs for loong64 atomic ops,
because the practice is not seen in several other arches I have
checked.
Updates #75776
Change-Id: I087f51b8a2825d7b00fc3965b0afcc8b02cad277
Reviewed-on: https://go-review.googlesource.com/c/go/+/710475
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: abner chenc <chenguoqi@loongson.cn> Reviewed-by: Cherry Mui <cherryyz@google.com>
This change creates calls to size-specialized malloc functions instead
of calls to newObject when we know the size of the allocation at
compilation time. Most of it is a matter of calling the newObject
function (which will create calls to the size-specialized functions)
rather then the newObjectNonSpecialized function (which won't). In the
newHeapaddr, small, non-pointer case, we'll create a non specialized
newObject and transform that into the appropriate size-specialized
function when we produce the mallocgc in flushPendingHeapAllocations.
We have to update some of the rewrites in generic.rules to also apply to
the size-specialized functions when they apply to newObject.
The messiest thing is we have to adjust the offset we use to save the
memory profiler stack, because the depth of the call to profilealloc is
two frames fewer in the size-specialized malloc functions compared to
when newObject calls mallocgc. A bunch of tests have been adjusted to
account for that.
Change-Id: I6a6a6964c9037fb6719e392c4a498ed700b617d7
Reviewed-on: https://go-review.googlesource.com/c/go/+/707856 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Michael Matloob <matloob@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@golang.org>
Michael Anthony Knyszek [Thu, 9 Oct 2025 21:13:59 +0000 (21:13 +0000)]
reflect: remove timeout in TestChanOfGC
This test has an arbitrary 5 second timeout, and this seems to fire on
Darwin with mayMoreStackMove enabled (which is slow). Just rely on the
regular test timeout instead of this arbitrary shorter timeout to
eliminate the possibility that the test is just too slow.
On my Linux VM, I can get this test to take up to 2 seconds with
mayMoreStackMove set on all the same packages dist does, so this failure
mode is actually plausible.
Fixes #75742.
Change-Id: Iebcc859cab26e9205b57b869690162a9a424dfce
Reviewed-on: https://go-review.googlesource.com/c/go/+/710618 Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Roland Shoemaker [Thu, 9 Oct 2025 00:13:12 +0000 (17:13 -0700)]
net/url: allow IP-literals with IPv4-mapped IPv6 addresses
The security fix we applied in CL709857 was overly broad. It applied
rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
these were later allowed in RFC 3986, which is the canonical URI syntax
RFC.
Revert the portion of CL709857 which restricted IPv4-mapped addresses,
and update the related tests.
Fixes #75815
Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
Reviewed-on: https://go-review.googlesource.com/c/go/+/710375
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ethan Lee <ethanalee@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Federico Guerinoni [Mon, 6 Oct 2025 23:13:14 +0000 (01:13 +0200)]
path/filepath: return cleaned path from Rel
As the doc says, Rel should return a cleaned path.
Fixes #75763
Change-Id: Ic0f5a3b1da3cc4cf3c31fdb1a88ebcc4ea6f9169
Reviewed-on: https://go-review.googlesource.com/c/go/+/709675 Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Sean Liao <sean@liao.dev>
Auto-Submit: Sean Liao <sean@liao.dev> Reviewed-by: Carlos Amedee <carlos@golang.org>
Mateusz Poliwczak [Tue, 7 Oct 2025 17:57:59 +0000 (17:57 +0000)]
cmd/compile/internal/devirtualize: improve concrete type analysis
This change improves the concrete type analysis in the devirtualizer,
it not longer relies on ir.Reassigned, it now statically tries to
determine the concrete type of an interface, even when assigned
multiple times, following type assertions and iface conversions.
Alternative to CL 649195
Updates #69521
Fixes #64824
Change-Id: Ib1656e19f3619ab2e1e6b2c78346cc320490b2af
GitHub-Last-Rev: e8fa0b12f0a7b1d7ae00e5edb54ce04d1f702c09
GitHub-Pull-Request: golang/go#71935
Reviewed-on: https://go-review.googlesource.com/c/go/+/652036 Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Keith Randall <khr@golang.org> Reviewed-by: Keith Randall <khr@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Keith Randall <khr@golang.org>
Alan Donovan [Wed, 8 Oct 2025 16:19:14 +0000 (12:19 -0400)]
cmd/internal/obj: fix Link.Diag printf errors
go1.26's vet printf checker can associate the printf-wrapper
property with local vars and struct fields if they are assigned
from a printf-like func literal (CL 706635). This leads to better
detection of mistakes.
Change-Id: I604be1e200aa1aba75e09d4f36ab68c1dba3b8a3
Reviewed-on: https://go-review.googlesource.com/c/go/+/710195
Auto-Submit: Alan Donovan <adonovan@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
Change-Id: I8db8ac7b7b3430b946b89e88dd6c1546804125c3
Reviewed-on: https://go-review.googlesource.com/c/go/+/697360
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Keith Randall <khr@google.com>
Auto-Submit: Michael Munday <mikemndy@gmail.com>
Ian Alexander [Thu, 21 Aug 2025 01:21:41 +0000 (21:21 -0400)]
cmd/go: refactor usage of `workFilePath`
This commit refactors usage of the global variable `workFilePath` to
the global LoaderState field of the same name.
This commit is part of the overall effort to eliminate global
modloader state.
[git-generate]
cd src/cmd/go/internal/modload
rf 'ex { workFilePath -> LoaderState.workFilePath }'
rf 'add State.requirements \
// Set to the path to the go.work file, or "" if workspace mode is\
// disabled'
rf 'rm workFilePath'
Change-Id: I53cdbc3cc619914421513db74a74a04ab10b3e33
Reviewed-on: https://go-review.googlesource.com/c/go/+/698062 Reviewed-by: Michael Matloob <matloob@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Damien Neil [Fri, 15 Aug 2025 22:24:05 +0000 (15:24 -0700)]
cmd/go, testing: add TB.ArtifactDir and -artifacts flag
Add TB.ArtifactDir, which returns a directory for a test to store
output files in. Add a -artifacts testflag which enables persistent
storage of artifacts in the output directory (-outputdir, or the
current directory by default).
Fixes #71287
Change-Id: I5f6515a6cd6c103f88588f4c033d5ea11ffd0c3c
Reviewed-on: https://go-review.googlesource.com/c/go/+/696399
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Alan Donovan <adonovan@google.com>
Ian Alexander [Thu, 21 Aug 2025 00:14:59 +0000 (20:14 -0400)]
cmd/go: refactor usage of `requirements`
This commit refactors usage of the global variable `requirements` to
the global LoaderState field of the same name.
This commit is part of the overall effort to eliminate global
modloader state.
[git-generate]
cd src/cmd/go/internal/modload
rf 'ex { requirements -> LoaderState.requirements }'
rf 'add State.MainModules \
// requirements is the requirement graph for the main module.\
//\
// It is always non-nil if the main module'\\\''s go.mod file has been\
// loaded.\
//\
// This variable should only be read from the loadModFile\
// function, and should only be written in the loadModFile and\
// commitRequirements functions. All other functions that need or\
// produce a *Requirements should accept and/or return an explicit\
// parameter.'
rf 'rm requirements'
Change-Id: I9d7d1d301a9e89f9214ce632fa5b656dd2940f39
Reviewed-on: https://go-review.googlesource.com/c/go/+/698061
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Matloob <matloob@golang.org> Reviewed-by: Michael Matloob <matloob@google.com>
Reason for revert: doesn't handle unaligned accesses correctly.
Update #74998
Change-Id: I1d6210eeca9336f2ce311e99944cb270565563aa
Reviewed-on: https://go-review.googlesource.com/c/go/+/709795 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@google.com>
Damien Neil [Thu, 11 Sep 2025 20:32:10 +0000 (13:32 -0700)]
archive/tar: set a limit on the size of GNU sparse file 1.0 regions
Sparse files in tar archives contain only the non-zero components
of the file. There are several different encodings for sparse
files. When reading GNU tar pax 1.0 sparse files, archive/tar did
not set a limit on the size of the sparse region data. A malicious
archive containing a large number of sparse blocks could cause
archive/tar to read an unbounded amount of data from the archive
into memory.
Since a malicious input can be highly compressable, a small
compressed input could cause very large allocations.
Cap the size of the sparse block data to the same limit used
for PAX headers (1 MiB).
Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
for reporting this issue.
Fixes CVE-2025-58183
Fixes #75677
Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709861
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Damien Neil [Thu, 25 Sep 2025 21:41:53 +0000 (14:41 -0700)]
net/mail: avoid quadratic behavior in mail address parsing
RFC 5322 domain-literal parsing built the dtext value one character
at a time with string concatenation, resulting in excessive
resource consumption when parsing very large domain-literal values.
Replace with a subslice.
Benchmark not included in this CL because it's too narrow to be
of general ongoing use, but for:
Damien Neil [Tue, 30 Sep 2025 22:11:16 +0000 (15:11 -0700)]
net/textproto: avoid quadratic complexity in Reader.ReadResponse
Reader.ReadResponse constructed a response string from repeated
string concatenation, permitting a malicious sender to cause excessive
memory allocation and CPU consumption by sending a response consisting
of many short lines.
Use a strings.Builder to construct the string instead.
Thanks to Jakub Ciolek for reporting this issue.
Fixes CVE-2025-61724
Fixes #75716
Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709859
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Roland Shoemaker [Tue, 30 Sep 2025 18:16:56 +0000 (11:16 -0700)]
encoding/pem: make Decode complexity linear
Because Decode scanned the input first for the first BEGIN line, and
then the first END line, the complexity of Decode is quadratic. If the
input contained a large number of BEGINs and then a single END right at
the end of the input, we would find the first BEGIN, and then scan the
entire input for the END, and fail to parse the block, so move onto the
next BEGIN, scan the entire input for the END, etc.
Instead, look for the first END in the input, and then the first BEGIN
that precedes the found END. We then process the bytes between the BEGIN
and END, and move onto the bytes after the END for further processing.
This gives us linear complexity.
Fixes CVE-2025-61723
Fixes #75676
Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2921 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709858
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Ethan Lee [Fri, 29 Aug 2025 17:35:55 +0000 (17:35 +0000)]
net/url: enforce stricter parsing of bracketed IPv6 hostnames
- Previously, url.Parse did not enforce validation of hostnames within
square brackets.
- RFC 3986 stipulates that only IPv6 hostnames can be embedded within
square brackets in a URL.
- Now, the parsing logic should strictly enforce that only IPv6
hostnames can be resolved when in square brackets. IPv4, IPv4-mapped
addresses and other input will be rejected.
- Update url_test to add test cases that cover the above scenarios.
Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua
University for reporting this issue.
Fixes CVE-2025-47912
Fixes #75678
Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2680 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709857
TryBot-Bypass: Michael Pratt <mpratt@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Michael Pratt <mpratt@google.com>
Michael Pratt [Mon, 6 Oct 2025 21:55:06 +0000 (17:55 -0400)]
runtime: make work.spanSPMCs.all doubly-linked
Making this a doubly-linked list allows spanQueue.destroy to immediately
remove and free rings rather than simply marking them as dead and
waiting for the sweeper to deal with them.
For #75771.
Change-Id: I6a6a636c0fb6be08ee967cb6d8f0577511a33c13
Reviewed-on: https://go-review.googlesource.com/c/go/+/709657
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
Michael Pratt [Mon, 6 Oct 2025 21:28:37 +0000 (17:28 -0400)]
runtime: free spanQueue on P destroy
Span queues must be empty when destroying a P since we are outside of
the mark phase. But we don't actually free them, so they simply sit
around using memory. More importantly, they are still in
work.spanSPMCs.all, so freeDeadSpanSPMCs must continue traversing past
them until the end of time.
Prior to CL 709575, keeping them in work.spanSPMCs.all allowed programs
with low GOMAXPROCS to continue triggering the bug if they ever had high
GOMAXPROCS in the past.
The spanSPMCs list is singly-linked, so it is not efficient to remove a
random element from the middle. Instead, we simply mark it as dead to
all freeDeadSpanSPMCs to free it when it scans the full list.
For #75771.
Change-Id: I6a6a636cfa22a4bdef0c273d083c91553e923fe5
Reviewed-on: https://go-review.googlesource.com/c/go/+/709656
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
Nicholas Husin [Wed, 3 Sep 2025 13:30:56 +0000 (09:30 -0400)]
encoding/asn1: prevent memory exhaustion when parsing using internal/saferio
Within parseSequenceOf, reflect.MakeSlice is being used to pre-allocate
a slice that is needed in order to fully validate the given DER payload.
The size of the slice allocated are also multiple times larger than the
input DER:
- When using asn1.Unmarshal directly, the allocated slice is ~28x
larger.
- When passing in DER using x509.ParseCertificateRequest, the allocated
slice is ~48x larger.
- When passing in DER using ocsp.ParseResponse, the allocated slice is
~137x larger.
As a result, a malicious actor can craft a big empty DER payload,
resulting in an unnecessary large allocation of memories. This can be a
way to cause memory exhaustion.
To prevent this, we now use SliceCapWithSize within internal/saferio to
enforce a memory allocation cap.
Thanks to Jakub Ciolek for reporting this issue.
For #75671
Fixes CVE-2025-58185
Change-Id: Id50e76187eda43f594be75e516b9ca1d2ae6f428
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2700 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709856 Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Nicholas Husin [Tue, 30 Sep 2025 18:02:38 +0000 (14:02 -0400)]
net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed
When handling HTTP headers, net/http does not currently limit the number
of cookies that can be parsed. The only limitation that exists is for
the size of the entire HTTP header, which is controlled by
MaxHeaderBytes (defaults to 1 MB).
Unfortunately, this allows a malicious actor to send HTTP headers which
contain a massive amount of small cookies, such that as much cookies as
possible can be fitted within the MaxHeaderBytes limitation. Internally,
this causes us to allocate a massive number of Cookie struct.
For example, a 1 MB HTTP header with cookies that repeats "a=;" will
cause an allocation of ~66 MB in the heap. This can serve as a way for
malicious actors to induce memory exhaustion.
To fix this, we will now limit the number of cookies we are willing to
parse to 3000 by default. This behavior can be changed by setting a new
GODEBUG option: GODEBUG=httpcookiemaxnum. httpcookiemaxnum can be set to
allow a higher or lower cookie limit. Setting it to 0 will also allow an
infinite number of cookies to be parsed.
Thanks to jub0bs for reporting this issue.
For #75672
Fixes CVE-2025-58186
Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2720 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709855 Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Don't use domainToReverseLabels to check if domain names are valid,
since it is not particularly performant, and can contribute to DoS
vectors. Instead just iterate over the name and enforce the properties
we care about.
This also enforces that DNS names, both in SANs and name constraints,
are valid. We previously allowed invalid SANs, because some
intermediates had these weird names (see #23995), but there are
currently no trusted intermediates that have this property, and since we
target the web PKI, supporting this particular case is not a high
priority.
Thank you to Jakub Ciolek for reporting this issue.
Fixes CVE-2025-58187
Fixes #75681
Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2820 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709854
Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
crypto/x509: mitigate DoS vector when intermediate certificate contains DSA public key
An attacker could craft an intermediate X.509 certificate
containing a DSA public key and can crash a remote host
with an unauthenticated call to any endpoint that
verifies the certificate chain.
Thank you to Jakub Ciolek for reporting this issue.
Fixes CVE-2025-58188
Fixes #75675
Change-Id: I2ecbb87b9b8268dbc55c8795891e596ab60f0088
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2780 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709853 Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Ian Alexander [Wed, 20 Aug 2025 23:44:11 +0000 (19:44 -0400)]
cmd/go: refactor usage of `modRoots`
This commit refactors usage of the global variable `modRoots` to the
global LoaderState field of the same name.
This commit is part of the overall effort to eliminate global
modloader state.
[git-generate]
cd src/cmd/go/internal/modload
rf 'ex { modRoots -> LoaderState.modRoots }'
rf 'add State.RootMode \
// These are primarily used to initialize the MainModules, and should\
// be eventually superseded by them but are still used in cases where\
// the module roots are required but MainModules has not been\
// initialized yet. Set to the modRoots of the main modules.\
// modRoots != nil implies len(modRoots) > 0'
rf 'rm modRoots'
Change-Id: Ie9e1f3d468cfceee25efefaf945b10492318b079
Reviewed-on: https://go-review.googlesource.com/c/go/+/698059 Reviewed-by: Michael Matloob <matloob@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Michael Anthony Knyszek [Tue, 7 Oct 2025 16:10:19 +0000 (16:10 +0000)]
runtime: fix self-deadlock on sbrk platforms
The sbrk mem.go implementation doesn't enforce being called on the
systemstack, but it can call back into itself if there's a stack growth.
Because the sbrk implementation requires acquiring memlock, it can
self-deadlock.
For the most part the mem.go API is called on the system stack, but
there are cases where we call sysAlloc on the regular Go stack. This is
fine in general, except on sbrk platforms because of the aforementioned
deadlock.
This change, rather than adding a new invariant to mem.go, switches to
the systemstack in the mem.go API implementation for sbrk platforms.
Change-Id: Ie0f0ea80a8d7578cdeabc8252107e64a5e633856
Reviewed-on: https://go-review.googlesource.com/c/go/+/709775 Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Ian Alexander [Wed, 20 Aug 2025 23:34:40 +0000 (19:34 -0400)]
cmd/go: refactor usage of `RootMode`
This commit refactors usage of the global variable `RootMode` to the
global LoaderState variable of the same name.
This commit is part of the overall effort to eliminate global
modloader state.
[git-generate]
cd src/cmd/go/internal/modload
rf 'mv State.rootMode State.RootMode'
for dir in load modcmd run tool toolchain work ; do
cd ../${dir}
rf 'ex {
import "cmd/go/internal/modload";
modload.RootMode -> modload.LoaderState.RootMode
}'
done
cd ../modload
rf 'ex { RootMode -> LoaderState.RootMode }'
rf 'add State.ForceUseModules \
// RootMode determines whether a module root is needed.'
rf 'rm RootMode'
Change-Id: Ib5e513ee570dfc3b01cc974fe32944e5e391fd82
Reviewed-on: https://go-review.googlesource.com/c/go/+/698058
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Matloob <matloob@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
Ian Alexander [Wed, 20 Aug 2025 23:21:56 +0000 (19:21 -0400)]
cmd/go: refactor usage of `ForceUseModules`
This commit refactors usage of the global variable `ForceUseModules`
to the global LoaderState field of the same name.
This commit is part of the overall effort to eliminate global
modloader state.
[git-generate]
cd src/cmd/go/internal/modload
rf 'mv State.forceUseModules State.ForceUseModules'
rf 'ex { ForceUseModules -> LoaderState.ForceUseModules }'
for dir in load modcmd modget run toolchain work workcmd ; do
cd ../${dir}
rf 'ex {
import "cmd/go/internal/modload";
modload.ForceUseModules -> modload.LoaderState.ForceUseModules
}'
done
cd ../modload
rf 'add State.initialized \
// ForceUseModules may be set to force modules to be enabled when\
// GO111MODULE=auto or to report an error when GO111MODULE=off.'
rf 'rm ForceUseModules'
Change-Id: Ibdecfd273ff672516c9eb86279e5dfc6cdecb2ea
Reviewed-on: https://go-review.googlesource.com/c/go/+/698057 Reviewed-by: Michael Matloob <matloob@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Change-Id: I0b8526dd03d82fa074ce4f97f1789eeac702b3eb
Reviewed-on: https://go-review.googlesource.com/c/go/+/709755 Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Keith Randall <khr@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
thepudds [Fri, 3 Oct 2025 14:59:54 +0000 (10:59 -0400)]
fmt: reduce Errorf("x") allocations to match errors.New("x")
For unformatted strings, it comes up periodically that there are
more allocations using fmt.Errorf("x") compared to errors.New("x").
People cite it as a reason to switch code using fmt.Errorf to
use errors.New instead.
Three examples from the last few weeks essentially made
this suggestion: #75235, CL 708496, and CL 708618. Prior to that,
it is periodically suggested as a vet check (e.g., proposals #17173
and #52696) or in various CLs to change the standard library
(e.g., CL 403938 and CL 588776).
On the other hand, I believe the position of the core Go team
is that it is usually not worthwhile to make such a change. For example,
in #52696, Russ wrote:
Thanks for raising the issue, but please don't do this. Using
fmt.Errorf("foo") is completely fine, especially in a program where
all the errors are constructed with fmt.Errorf. Having to
mentally switch between two functions based on the argument
is unnecessary noise.
This CL attempts to mostly take performance out of the discussion.
We drop from 2 allocations to 0 allocations for a non-escaping error,
and drop from 2 allocations to 1 allocation for an escaping error:
This now matches the allocations for errors.New("foo") in both cases.
The CPU cost difference is greatly reduced, though there is still
a small ~4ns difference measurable in these microbenchmarks. Previously,
it was ~64ns vs. ~21ns for fmt.Errorf("x") vs. errors.New("x")
for escaping errors, whereas with this CL it is now ~25ns vs. ~21ns.
When fmt.Errorf("foo") executes with this CL, there are essentially
three optimizations now, in rough order of usefulness:
(1) we always avoid an allocation inside the doPrintf machinery;
(2) if the error does not otherwise escape, we can stack allocate
the errors.errorString struct by virtue of mid-stack inlining
of fmt.Errorf and the resulting inlining of errors.New, which
also can be more effective via PGO;
(3) stringslite.IndexByte is a tiny bit faster than going through the
for loops looking for '%' inside doPrintf.
See https://blog.filippo.io/efficient-go-apis-with-the-inliner/ for
background on avoiding heap allocations via mid-stack inlining.
The common case here is likely that the string format argument is a
constant when there are no other arguments.
However, one concern could be that by not allocating a copy, we could
now keep a string argument alive longer with this change, which could
be a pessimization if for example that string argument is a
slice of a much bigger string:
s := bigString[m:n]
longLivedErr := fmt.Errorf(s)
Aside from that being perhaps unusual code, vet will complain about
s there as a "non-constant format string in call to fmt.Errorf", so that
particular example seems unlikely to occur frequently in practice.
The main benchmark results are below. "old" is prior to this CL, "new"
is with this CL. The non-escaping case is "local", the escaping case is
"sink". In practice, I suspect errors escape the majority of the time.
Benchmark code at https://go.dev/play/p/rlRSO1ehx8O
Cherry Mui [Sat, 4 Oct 2025 15:32:33 +0000 (11:32 -0400)]
test/codegen: make sure assignment results are used.
Some tests make assignments to an argument without reading it.
With CL 708865, they are treated as dead stores and are removed.
Make sure the results are used.
Fixes #75745.
Fixes #75746.
Change-Id: I05580beb1006505ec1550e5fa245b54dcefd10b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/708916
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Keith Randall <khr@golang.org>
tony [Mon, 29 Sep 2025 14:25:57 +0000 (14:25 +0000)]
runtime: delete redundant code in the page allocator
The page allocator's scavenge index has sysGrow called on it twice,
once in pageAlloc.grow, and once in pageAlloc.sysGrow on 64-bit
platforms. Calling it twice is OK since sysGrow is idempotent,
but it's also wasteful. This change removes the call
in pageAlloc.sysGrow.
Change-Id: I5b955b6e2beed5c2b8305ab82b76718ea305792c
Reviewed-on: https://go-review.googlesource.com/c/go/+/707735
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Keith Randall [Sat, 17 May 2025 22:05:56 +0000 (15:05 -0700)]
cmd/compile: redo arm64 LR/FP save and restore
Instead of storing LR (the return address) at 0(SP) and the FP
(parent's frame pointer) at -8(SP), store them at framesize-8(SP)
and framesize-16(SP), respectively.
We push and pop data onto the stack such that we're never accessing
anything below SP.
The prolog/epilog lengths are unchanged (3 insns for a typical prolog,
2 for a typical epilog).
We use 8 bytes more per frame.
Typical prologue:
STP.W (FP, LR), -16(SP)
MOVD SP, FP
SUB $C, SP
Typical epilogue:
ADD $C, SP
LDP.P 16(SP), (FP, LR)
RET
The previous word where we stored LR, at 0(SP), is now unused.
We could repurpose that slot for storing a local variable.
The new prolog and epilog instructions are recognized by libunwind,
so pc-sampling tools like perf should now be accurate. (TODO: except
maybe after the first RET instruction? Have to look into that.)
Update #73753 (fixes, for arm64)
Update #57302 (Quim thinks this will help on that issue)
Change-Id: I4800036a9a9a08aaaf35d9f99de79a36cf37ebb8
Reviewed-on: https://go-review.googlesource.com/c/go/+/674615 Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@google.com>
Michael Pratt [Mon, 6 Oct 2025 18:38:47 +0000 (14:38 -0400)]
runtime: remove batching from spanSPMC free
Added in CL 700496, freeSomeSpanSPMCs attempts to bound tail latency by
processing at most 64 entries at a time, as well as returning early if
it notices a preemption request. Both of those are attempts to reduce
tail latency, as we cannot preempt the function while it holds the lock.
This scheme is based on a similar scheme in freeSomeWbufs.
freeSomeWbufs has a key difference: all workbufs in its list are
unconditionally freed. So freeSomeWbufs will always make forward
progress in each call (unless it is constantly preempted).
In contrast, freeSomeSpanSPMCs only frees "dead" entries. If the list
contains >64 live entries, a call may make no progress, and the caller
will simply keep calling in a loop forever, until the GC ends at which
point it returns success early. The infinite loop likely restarts at the
next GC cycle.
The queues are used on each P, so it is easy to have 64 permanently live
queues if GOMAXPROCS >= 64. If GOMAXPROCS < 64, it is possible to
transiently have more queues, but spanQueue.drain increases queue size
in an attempt to reach a steady state of one queue per P.
We must drop work.spanSPMCs.lock to allow preemption, but dropping the
lock allows mutation of the linked list, meaning we cannot simply
continue iteration after retaking lock. Since there is no
straightforward resolution to this and we expect this to generally only
be around 1 entry per P, simply remove the batching and process the
entire list without preemption. We may want to revisit this in the
future for very high GOMAXPROCS or if application regularly otherwise
create very long lists.
Fixes #75771.
Change-Id: I6a6a636cd3be443aacde5a678c460aa7066b4c4a
Reviewed-on: https://go-review.googlesource.com/c/go/+/709575 Reviewed-by: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Michael Anthony Knyszek [Fri, 3 Oct 2025 16:23:10 +0000 (16:23 +0000)]
runtime: bump thread count slack for TestReadMetricsSched
This test is *still* flaky, but it appears to be just
mayMoreStackPreempt and the thread count *occasionally* exceeds the
original (and arbitrary) thread count slack by exactly 1.
Bump the thread count slack by one. We can investigate further and bump
it again if it continues to be a problem.
Fixes #75664.
Change-Id: I29c922bba6d2cc99a8c3bf5e04cc512d0694f7fa
Reviewed-on: https://go-review.googlesource.com/c/go/+/708868 Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
If -bogo-local-dir is provided but doesn't exist, populate it with a git
checkout of the BoringSSL repo at the correct SHA.
Without any -bogo-local-dir argument the BoGo TLS handshake test will
fetch the BoringSSL source at a specific SHA as a Go module in a r/o
module directory. When debugging, or extending BoGo coverage, it's
preferable to have a mutable local copy of BoGo that the test will
use.
The pre-existing -bogo-local-dir flag offered a way to use a checkout of
BoGo but it relied on the user fetching the correct repo & revision
manually ahead of time. This commit extends the test to automatically
invoke `git` to clone the repo into the provided local dir at the
correct SHA based on the boringsslModVer const if the local dir doesn't
exist.
This leaves the user ready to make changes in local BoGo dir to aid
debugging, or to upstream as CRs to BoringSSL, and prevents using an
incorrect SHA by mistake.
Updates #72006
Change-Id: I0451a3d35203878cdf02a7587e138c3cd60d15a9
Reviewed-on: https://go-review.googlesource.com/c/go/+/687475 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Bypass: Daniel McCarney <daniel@binaryparadox.net>
qmuntal [Fri, 3 Oct 2025 09:18:47 +0000 (11:18 +0200)]
cmd/link: add LIBRARY statement only with -buildmode=cshared
When creating a .def file for Windows linking, add a LIBRARY statement
only when building a DLL with -buildmode=cshared. That statement is
documented to instruct the linker to create a DLL, overriding any
other flag that might indicate building an executable.
Fixes #75734
Change-Id: I0231435df70b71a493a39deb639f6328a8e354f6
Reviewed-on: https://go-review.googlesource.com/c/go/+/708815 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dominic Della Valle <ddvpublic@gmail.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Cherry Mui [Mon, 22 Sep 2025 14:57:29 +0000 (10:57 -0400)]
cmd/compile: remove stores to unread parameters
Currently, we remove stores to local variables that are not read.
We don't do that for arguments. But arguments and locals are
essentially the same. Arguments are passed by value, and are not
expected to be read in the caller's frame. So we can remove the
writes to them as well. One exception is the cgo_unsafe_arg
directive, which makes all the arguments effectively address-taken.
cgo_unsafe_arg implies ABI0, so we just skip ABI0 functions'
arguments.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk.
Change-Id: I8999fc50da6a87f22c1ec23e9a0c15483b6f7df8
Reviewed-on: https://go-review.googlesource.com/c/go/+/705815
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708865
This CL fixes a condition for the previous fix CL 704056.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk. Test is
SIMD specific so not included for now.
Change-Id: I1f1f8c6f72870403cb3dff14755c43385dc0c933
Reviewed-on: https://go-review.googlesource.com/c/go/+/705499
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708864 Reviewed-by: David Chase <drchase@google.com>
cmd/compile: handle rematerialized op for incompatible reg constraint
This CL fixes an issue raised by contributor dominikh@.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk. Test is
SIMD specific so not included for now.
Change-Id: I941b330a6ba6f6c120c69951ddd24933f2f0b3ec
Reviewed-on: https://go-review.googlesource.com/c/go/+/704056
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708861
Cherry Mui [Tue, 16 Sep 2025 01:27:19 +0000 (21:27 -0400)]
cmd/compile: use the right type for spill slot
Currently, when shuffling registers, if we need to spill a
register, we always create a spill slot of type int64. The type
doesn't actually matter, as long as it is wide enough to hold the
registers. This is no longer true with SIMD registers, which could
be wider than a int64. Create the slot with the proper type
instead.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk. Test is
SIMD specific so not included for now.
Change-Id: I85c82e2532001bfdefe98c9446f2dd18583d49b4
Reviewed-on: https://go-review.googlesource.com/c/go/+/704055
TryBot-Bypass: Cherry Mui <cherryyz@google.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708860
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
David Chase [Wed, 3 Sep 2025 17:09:32 +0000 (13:09 -0400)]
cmd/compile: enhance prove to deal with double-offset IsInBounds checks
For chunked iterations (useful for, but not exclusive to,
SIMD calculations) it is common to see the combination of
```
for ; i <= len(m)-4; i += 4 {
```
and
```
r0, r1, r2, r3 := m[i], m[i+1], m[i+2], m[i+3]
``
Prove did not handle the case of len-offset1 vs index+offset2
checking, but this change fixes this. There may be other
similar cases yet to handle -- this worked for the chunked
loops for simd, as well as a handful in std.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk.
Change-Id: I3785df83028d517e5e5763206653b34b2befd3d0
Reviewed-on: https://go-review.googlesource.com/c/go/+/700696 Reviewed-by: Keith Randall <khr@golang.org> Reviewed-by: Keith Randall <khr@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708859 Reviewed-by: David Chase <drchase@google.com>
This CL implements the check for rematerializeable value's output
regspec at its remateralization site. It has some potential problems,
please see the TODO in regalloc.go.
Fixes #70451.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk.
Change-Id: Ib624b967031776851136554719e939e9bf116b7c
Reviewed-on: https://go-review.googlesource.com/c/go/+/695315 Reviewed-by: David Chase <drchase@google.com>
TryBot-Bypass: David Chase <drchase@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708857 Reviewed-by: Junyang Shao <shaojunyang@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
David Chase [Wed, 2 Jul 2025 22:00:12 +0000 (18:00 -0400)]
cmd/compile: minor tweak for race detector
This makes the front-end a little bit less temp-happy
when instrumenting, which repairs the "is it a constant?"
test in the simd intrinsic conversion which is otherwise
broken by race detection.
Also, this will perhaps be better code.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk.
Change-Id: I84b7a45b7bff62bb2c9f9662466b50858d288645
Reviewed-on: https://go-review.googlesource.com/c/go/+/685637
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708856
Cherry Mui [Fri, 20 Jun 2025 16:02:18 +0000 (12:02 -0400)]
cmd/compile: don't treat devel compiler as a released compiler
The compiler has a logic to print different messages on internal
compiler error depending on whether this is a released version of
Go. It hides the panic stack trace if it is a released version. It
does this by checking the version and see if it has a "go" prefix.
This includes all the released versions. However, for a non-
released build, if there is no explicit version set, cmd/dist now
sets the toolchain version as go1.X-devel_XXX, which makes it be
treated as a released compiler, and causes the stack trace to be
hidden. Change the logic to not match a devel compiler as a
released compiler.
Cherry-picked from the dev.simd branch. This CL is not
necessarily SIMD specific. Apply early to reduce risk.
Change-Id: I5d3b2101527212f825b6e4000b36030c4f83870b
Reviewed-on: https://go-review.googlesource.com/c/go/+/682975 Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/708855 Reviewed-by: Junyang Shao <shaojunyang@google.com>
matloob [Wed, 1 Oct 2025 16:06:14 +0000 (12:06 -0400)]
runtime: support valgrind (but not asan) in specialized malloc functions
We're adding this so that the compiler doesn't need to know about
valgrind since it's just implemented using a build tag.
Change-Id: I6a6a696452b0379caceca2ae4e49195016f7a90d
Reviewed-on: https://go-review.googlesource.com/c/go/+/708296 Reviewed-by: Michael Matloob <matloob@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Matloob <matloob@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
Daniel McCarney [Mon, 30 Jun 2025 16:45:36 +0000 (12:45 -0400)]
crypto/tls: add flag to render HTML BoGo report
Updates the BoGo test runner to add a `-bogo-html-report` flag. When
provided, an HTML report is written to the flag argument path. The
report shows the fail/pass/skip status of run tests and allows
sorting/searching the output.
Change-Id: I8c704a51fbb03500f4134ebfaba06248baa3ca2f
Reviewed-on: https://go-review.googlesource.com/c/go/+/684955
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Bypass: Daniel McCarney <daniel@binaryparadox.net>
Commit-Queue: Carlos Amedee <carlos@golang.org>
Cherry Mui [Thu, 2 Oct 2025 22:24:12 +0000 (18:24 -0400)]
cmd/link: support .def file with MSVC clang toolchain
lld-link supports .def file, but requires a "-def:" (or "/def:")
flag. (MinGW linker, on the other hand, requires no flag.) Pass
the flag when using MSVC-based toolchain.
The Director function has been superseded by Rewrite.
Rewrite avoids fundamental security issues with hop-by-hop header
handling in the Director API and has better default handling
of X-Forwarded-* headers.
Fixes #73161
Change-Id: Iadaf3070e0082458f79fb892ade51cb7ce832802
Reviewed-on: https://go-review.googlesource.com/c/go/+/708615 Reviewed-by: Nicholas Husin <husin@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <nsh@golang.org>
Nicholas S. Husin [Thu, 2 Oct 2025 16:41:25 +0000 (12:41 -0400)]
net/http: update bundled x/net/http2 and delete obsolete http2inTests
http2inTests is no longer needed after go.dev/cl/708135 and should be
deleted. To prevent errors in future vendored dependency updates,
h2_bundle.go is also updated together in this change.
Change-Id: I7b8c3f6854203fab4ec639a2a268df0cd2b1dee7
Reviewed-on: https://go-review.googlesource.com/c/go/+/708595 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Damien Neil [Thu, 2 Oct 2025 17:45:01 +0000 (10:45 -0700)]
io/fs: move path name documentation up to the package doc comment
Perhaps surprisingly to users, io/fs path names are slash-separated.
Move the documentation for path names up to the top of the package
rather than burying it in the ValidPath documentation.
Change-Id: Id338df07c74a16be74c687ac4c45e0513ee40a8c
Reviewed-on: https://go-review.googlesource.com/c/go/+/708616
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Alan Donovan <adonovan@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
Michael Anthony Knyszek [Thu, 2 Oct 2025 19:15:34 +0000 (19:15 +0000)]
runtime: skip TestGoroutineLeakProfile under mayMoreStackPreempt
This may be the long-term fix, but we first need to understand if this
just makes the tests flaky, or if it's revealing an actual underlying
issue. I'm leaning toward the former. If it is the former, ideally we
just make the tests robust (wait longer, maybe?).
For now, this change will make the longtest builders OK again.
For #75729.
Change-Id: If9b30107d04a8e5af5670850add3a53f9471eec6
Reviewed-on: https://go-review.googlesource.com/c/go/+/708715 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
Daniel Martà [Sat, 30 Aug 2025 20:13:12 +0000 (21:13 +0100)]
cmd/go: update `go help mod edit` with the tool and ignore sections
The types were added to the docs, but not the fields in GoMod.
While here, I was initially confused about what is the top-level type
given that `type Module` comes first. Move `type GoMod` to the top
as it is the actual top-level type.
Change-Id: I1270154837501f5c7f5b21959b2841fd4ac808d0
Reviewed-on: https://go-review.googlesource.com/c/go/+/700116 Reviewed-by: Sean Liao <sean@liao.dev> Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Matloob <matloob@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com>
cmd/compile: propagate len([]T{}) to make builtin to allow stack allocation
Updates #75620
Change-Id: I6a6a6964af4512e30eb4806e1dc7b0fd0835744f
Reviewed-on: https://go-review.googlesource.com/c/go/+/707255 Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Keith Randall <khr@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Keith Randall <khr@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org>
Daniel McCarney [Mon, 29 Sep 2025 18:31:38 +0000 (14:31 -0400)]
crypto/tls: rm marshalEncryptedClientHelloConfigList dead code
This package internal function has no call sites.
Change-Id: I262058199fd2f387ef3b5e21099421720cc5413e
Reviewed-on: https://go-review.googlesource.com/c/go/+/707815
TryBot-Bypass: Daniel McCarney <daniel@binaryparadox.net>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
Joe Tsai [Mon, 15 Sep 2025 19:56:11 +0000 (12:56 -0700)]
encoding/json: fix Decoder.InputOffset regression in goexperiment.jsonv2
The Decoder.InputOffset method was always ambiguous about the exact
offset returned since anything between the end of the previous token
to the start of the next token could be a valid result.
Empirically, it seems that the behavior was to report
the end of the previous token unless Decoder.More is called,
in which case it reports the start of the next token.
This is an odd semantic since a relatively side-effect free method
like More is not quite so side-effect free.
However, our goal is to preserve historical v1 semantic when possible
regardless of whether it made sense.
Note that jsontext.Decoder.InputOffset consistently always reports
the end of the previous token. Users can explicitly choose the
exact position they want by inspecting the UnreadBuffer.
Fixes #75468
Change-Id: I1e946e83c9d29dfc09f2913ff8d6b2b80632f292
Reviewed-on: https://go-review.googlesource.com/c/go/+/703856 Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Junyang Shao <shaojunyang@google.com>