Lynn Boger [Tue, 3 Feb 2015 18:13:31 +0000 (12:13 -0600)]
runtime: Change memprofrate to memprofilerate
Use memprofilerate in GODEBUG instead of memprofrate to be
consistent with other uses.
Change-Id: Iaf6bd3b378b1fc45d36ecde32f3ad4e63ca1e86b
Reviewed-on: https://go-review.googlesource.com/3800 Reviewed-by: Ian Lance Taylor <iant@golang.org>
Russ Cox [Thu, 29 Jan 2015 21:16:24 +0000 (16:16 -0500)]
liblink: the zero Prog is now valid and ready for use
Use AXXX instead of AGOK (neither is a valid instruction but AXXX is zero)
for the initial setting of Prog.as, and now there are no non-zero default
field settings.
Remove the arch-specific zprog/zprg in favor of a single global zprog.
Remove the arch-specific prg constructor in favor of emallocz(sizeof(Prog)).
Russ Cox [Thu, 29 Jan 2015 20:35:56 +0000 (15:35 -0500)]
liblink: remove dead computation of p->back in span6/span8
Originally, when this code was part of 6l/8l, every new
Prog was constructed starting with zprg, which set back=2,
and then this code walked over the list setting back=1 for
backward branches, back=0 otherwise. The initial back=2
setting was used to identify forward branches (the branched-to
instruction had back == 2 since it hadn't yet been set to 0 or 1).
When the code was extracted into liblink and linked directly
with 6a/6g/8a/8g, those programs created the Prog struct
and did not set back=2, breaking this backward branch detection.
No one noticed, because the next loop recomputes the information.
The only requirement for the next loop is that p->back == 0 or 1 for
each of the Progs in the list.
The initialization of the zprg with back=2 would cause problems
in this second loop, for the few liblink-internally-generated instructions
that are created by copying zprg, except that the first loop was
making sure that back == 0 or 1.
The first loop's manipulation of p->back can thus be deleted,
provided we also delete the zprg.back = 2 initializations.
This is awful and my fault. I apologize.
While we're here, remove the .scale = 1 from the zprg init too.
Anything that sets up a scaled index should set the scale itself.
(And mostly those come from outside liblink anyway.)
Tested by checking that all generated code is bit-for-bit
identical to before this CL.
Russ Cox [Thu, 29 Jan 2015 19:58:54 +0000 (14:58 -0500)]
liblink: place TEXT/GLOBL flags in p->from3 always
Before, amd64 and 386 stored the flags in p->from.scale
and arm and ppc64 stored the flags in p->reg.
Both caused special cases in printing and in handling of the
addresses.
To avoid possible conflicts with the real meaning of p->from
and to avoid storing a non-register value in a reg field,
use from3 to hold a TYPE_CONST value giving the flags.
There is still a special case for printing, because the flags
are specified without a $, and normally a TYPE_CONST prints
with a $. But that's much less special than what came before.
This allows us to remove the textflag and settextflag methods
from LinkArch. They are no longer architecture-specific.
Russ Cox [Thu, 29 Jan 2015 18:50:19 +0000 (13:50 -0500)]
cmd/9a: fix GLOBL instruction
Because it was lumped in with the TEXT instruction,
the high 32 bits of the 64-bit constant holding the size
were always set to 0x80000000 (ArgsSizeUnknown).
This only worked because cmd/9l was reading the 64-bit
value into an int32.
While we're here, fix 5a.
It wasn't as much of a problem there because
the two values were being stored in two different fields.
But it was still wrong.
Dmitry Vyukov [Thu, 29 Jan 2015 09:47:30 +0000 (12:47 +0300)]
runtime: fix nosplit stack overflow
The overflow happens only with -gcflags="-N -l"
and can be reproduced with:
$ go test -gcflags="-N -l" -a -run=none net
runtime.cgocall: nosplit stack overflow
504 assumed on entry to runtime.cgocall
480 after runtime.cgocall uses 24
472 on entry to runtime.cgocall_errno
408 after runtime.cgocall_errno uses 64
400 on entry to runtime.exitsyscall
288 after runtime.exitsyscall uses 112
280 on entry to runtime.exitsyscallfast
152 after runtime.exitsyscallfast uses 128
144 on entry to runtime.writebarrierptr
88 after runtime.writebarrierptr uses 56
80 on entry to runtime.writebarrierptr_nostore1
24 after runtime.writebarrierptr_nostore1 uses 56
16 on entry to runtime.acquirem
-24 after runtime.acquirem uses 40
Move closure creation into separate function so that
frames of writebarrierptr_shadow and writebarrierptr_nostore1
are overlapped.
Trace writer goroutine synchronizes with StopTrace
using trace.shutdownSema runtime semaphore.
But race detector does not see that synchronization
and so produces false reports.
Teach race detector about the synchronization.
Austin Clements [Tue, 3 Feb 2015 14:18:15 +0000 (09:18 -0500)]
runtime: rearrange framepointer check condition
The test for the framepointer experiment flag is cheaper and more
branch-predictable than the other parts of this conditional, so move
it first. This is also more readable.
(Originally, the flag check required parsing the experiments string,
which is why it was done last. Now that flag is cached.)
Austin Clements [Tue, 3 Feb 2015 14:09:56 +0000 (09:09 -0500)]
runtime: use 2*regSize for saved frame pointer check
Previously, we checked for a saved frame pointer by looking for a
2*ptrSize gap between the argument pointer and the locals pointer.
The intent of this check was to look for a two stack slot gap (caller
IP and saved frame pointer), but stack slots are regSize, not ptrSize.
Correct this by checking instead for a 2*regSize gap.
On most platforms, this made no difference because ptrSize==regSize.
However, on amd64p32 (nacl), the saved frame pointer check incorrectly
fired when there was no saved frame pointer because the one stack slot
for the caller IP left an 8 byte gap, which is 2*ptrSize (but not
2*regSize) on amd64p32.
Mikio Hara [Mon, 2 Feb 2015 12:09:23 +0000 (21:09 +0900)]
net: case insensitivity of DNS labels in built-in stub resolver
This change adds support for case insensitivity of DNS labels to
built-in DNS stub resolver as described in RFC 4343.
Fixes #9215.
Change-Id: Ia752fe71866a3bfa3ea08371985b799d419ddea3
Reviewed-on: https://go-review.googlesource.com/3685 Reviewed-by: Ian Lance Taylor <iant@golang.org>
Lynn Boger [Wed, 28 Jan 2015 18:28:59 +0000 (12:28 -0600)]
runtime: Add memprofrate value to GODEBUG
Add memprofrate as a value recognized in GODEBUG. The
value provided is used as the new setting for
runtime.MemProfileRate, allowing the user to
adjust memory profiling.
Change-Id: If129a247683263b11e2dd42473cf9b31280543d5
Reviewed-on: https://go-review.googlesource.com/3450 Reviewed-by: Ian Lance Taylor <iant@golang.org>
Austin Clements [Wed, 14 Jan 2015 16:09:50 +0000 (11:09 -0500)]
cmd/6g, liblink, runtime: support saving base pointers
This adds a "framepointer" GOEXPERIMENT that that makes the amd64
toolchain maintain base pointer chains in the same way that gcc
-fno-omit-frame-pointer does. Go doesn't use these saved base
pointers, but this does enable external tools like Linux perf and
VTune to unwind Go stacks when collecting system-wide profiles.
This requires support in the compilers to not clobber BP, support in
liblink for generating the BP-saving function prologue and unwinding
epilogue, and support in the runtime to save BPs across preemption, to
skip saved BPs during stack unwinding and, and to adjust saved BPs
during stack moving.
As with other GOEXPERIMENTs, everything from the toolchain to the
runtime must be compiled with this experiment enabled. To do this,
run make.bash (or all.bash) with GOEXPERIMENT=framepointer.
Austin Clements [Tue, 27 Jan 2015 23:29:02 +0000 (18:29 -0500)]
runtime: eliminate uses of BP on amd64
Any place that clobbers BP in the runtime can potentially interfere
with frame pointer unwinding with GOEXPERIMENT=framepointer. This
change eliminates uses of BP in the runtime to address this problem.
We have spare registers everywhere this occurs, so there's no downside
to eliminating BP. Where possible, this uses the same new register as
the amd64p32 runtime, which doesn't use BP due to restrictions placed
on it by NaCL.
One nice side effect of this is that it will let perf/VTune unwind the
call stack even through a call to systemstack, which will let us get
really good call graphs from the garbage collector.
Austin Clements [Fri, 30 Jan 2015 20:30:41 +0000 (15:30 -0500)]
runtime: rename m.gcing to m.preemptoff and make it a string
m.gcing has become overloaded to mean "don't preempt this g" in
general. Once the garbage collector is preemptible, the one thing it
*won't* mean is that we're in the garbage collector.
So, rename gcing to "preemptoff" and make it a string giving a reason
that preemption is disabled. gcing was never set to anything but 0 or
1, so we don't have to worry about there being a stack of reasons.
Austin Clements [Fri, 30 Jan 2015 16:18:24 +0000 (11:18 -0500)]
cmd/9g: note suboptimal copy code
9g generates needlessly complex code for small copies. There are a
few other things that need to be improved about the copy code, so for
now just note the problem.
Dmitri Shuralyov [Mon, 2 Feb 2015 09:28:10 +0000 (01:28 -0800)]
go/printer: set prefix correctly when all comment lines blank
In stripCommonPrefix, the prefix was correctly calculated in all cases,
except one. That unhandled case is when there are more than 2 lines,
but all lines are blank (other than the first and last lines,
which contain /* and */ respectively).
This change detects that case and correctly sets the prefix calculated
from the last line. This is consistent with the (correct) behavior
that happens when there's at least one non-blank line.
That fixes issue #9751 that occurs for problematic input,
where cmd/gofmt and go/source would insert extra indentation on
every format operation. It also allows go/printer itself to print
such parsed files in an expected way.
Fixes #9751.
Change-Id: Id3dfb945beb59ffad3705085a3c285fca30a5f87
Reviewed-on: https://go-review.googlesource.com/3684 Reviewed-by: Robert Griesemer <gri@golang.org>
Rahul Chaudhry [Fri, 30 Jan 2015 23:07:11 +0000 (15:07 -0800)]
os: allow EROFS in TestMkdirAllAtSlash
On some systems (e.g. ChromeOS), / is mounted read-only.
This results in error code syscall.EROFS, which I guess
is just as valid as syscall.EACCES for this test.
Change-Id: I9188d5437a1b5ac1daa9c68b95b8dcb447666ca3
Reviewed-on: https://go-review.googlesource.com/3676 Reviewed-by: Ian Lance Taylor <iant@golang.org>
Dmitry Vyukov [Fri, 30 Jan 2015 11:36:12 +0000 (14:36 +0300)]
runtime: fix system memory allocator on plan9
The following line in sysFree:
n += (n + memRound) &^ memRound
doubles value of n (n += n).
Which is wrong and can lead to memory corruption.
Fixes #9712
Change-Id: I3c141b71da11e38837c09408cf4f1d22e8f7f36e
Reviewed-on: https://go-review.googlesource.com/3602 Reviewed-by: David du Colombier <0intro@gmail.com>
Rick Hudson [Thu, 29 Jan 2015 15:37:32 +0000 (10:37 -0500)]
runtime: scanvalid race Fixes #9727
Set gcscanvalid=false after you have cased to _Grunning.
If you do it before the cas and the atomicstatus races to a scan state,
the scan will set gcscanvalid=true and we will be _Grunning
with gcscanvalid==true which is not a good thing.
Austin Clements [Wed, 28 Jan 2015 20:55:23 +0000 (15:55 -0500)]
runtime: use func value for parfor body
Yet another leftover from C: parfor took a func value for the
callback, casted it to an unsafe.Pointer for storage, and then casted
it back to a func value to call it. This is unnecessary, so just
store the body as a func value. Beyond general cleanup, this also
eliminates the last use of unsafe in parfor.
Austin Clements [Wed, 28 Jan 2015 20:49:26 +0000 (15:49 -0500)]
runtime: eliminate parfor ctx field
Prior to the conversion of the runtime to Go, this void* was
necessary to get closure information in to C callbacks. There
are no more C callbacks and parfor is perfectly capable of
invoking a Go closure now, so eliminate ctx and all of its
unsafe-ness. (Plus, the runtime currently doesn't use ctx for
anything.)
Austin Clements [Wed, 28 Jan 2015 20:25:05 +0000 (15:25 -0500)]
runtime: use threads slice in parfor instead of unsafe pointer math
parfor originally used a tail array for its thread array. This got
replaced with a slice allocation in the conversion to Go, but many of
its gnarlier effects remained. Instead of keeping track of the
pointer to the first element of the slice and using unsafe pointer
math to get at the ith element, just keep the slice around and use
regular slice indexing. There is no longer any need for padding to
64-bit align the tail array (there hasn't been since the Go
conversion), so remove this unnecessary padding from the parfor
struct. Finally, since the slice tracks its own length, replace the
nthrmax field with len(thr).
Austin Clements [Thu, 29 Jan 2015 16:54:45 +0000 (11:54 -0500)]
runtime: check alignment of 8-byte atomic loads and stores on 386
Currently, if we do an atomic{load,store}64 of an unaligned address on
386, we'll simply get a non-atomic load/store. This has been the
source of myriad bugs, so add alignment checks to these two
operations. These checks parallel the equivalent checks in
sync/atomic.
The alignment check is not necessary in cas64 because it uses a locked
instruction. The CPU will either execute this atomically or raise an
alignment fault (#AC)---depending on the alignment check flag---either
of which is fine.
This also fixes the two places in the runtime that trip the new
checks. One is in the runtime self-test and shouldn't have caused
real problems. The other is in tickspersecond and could, in
principle, have caused a misread of the ticks per second during
initialization.
Russ Cox [Tue, 27 Jan 2015 01:58:17 +0000 (20:58 -0500)]
cmd/go: add build flag -toolexec
Like the -exec flag, which specifies a program to use to run a built executable,
the -toolexec flag specifies a program to use to run a tool like 5a, 5g, or 5l.
This flag enables running the toolchain under common testing environments,
such as valgrind.
This flag also enables the use of custom testing environments or the substitution
of alternate tools. See https://godoc.org/rsc.io/toolstash for one possibility.
Change-Id: I256aa7af2d96a4bc7911dc58151cc2155dbd4121
Reviewed-on: https://go-review.googlesource.com/3351 Reviewed-by: Rob Pike <r@golang.org>
Dmitry Vyukov [Mon, 19 Jan 2015 19:59:58 +0000 (22:59 +0300)]
cmd/gc: capture variables by value
Language specification says that variables are captured by reference.
And that is what gc compiler does. However, in lots of cases it is
possible to capture variables by value under the hood without
affecting visible behavior of programs. For example, consider
the following typical pattern:
func (o *Obj) requestMany(urls []string) []Result {
wg := new(sync.WaitGroup)
wg.Add(len(urls))
res := make([]Result, len(urls))
for i := range urls {
i := i
go func() {
res[i] = o.requestOne(urls[i])
wg.Done()
}()
}
wg.Wait()
return res
}
Currently o, wg, res, and i are captured by reference causing 3+len(urls)
allocations (e.g. PPARAM o is promoted to PPARAMREF and moved to heap).
But all of them can be captured by value without changing behavior.
This change implements simple strategy for capturing by value:
if a captured variable is not addrtaken and never assigned to,
then it is captured by value (it is effectively const).
This simple strategy turned out to be very effective:
~80% of all captures in std lib are turned into value captures.
The remaining 20% are mostly in defers and non-escaping closures,
that is, they do not cause allocations anyway.
Mikio Hara [Wed, 28 Jan 2015 02:38:05 +0000 (11:38 +0900)]
net: remove full stack test cases for IPConn
A few packages that handle net.IPConn in golang.org/x/net sub repository
already implement full stack test cases with more coverage than the net
package. There is no need to keep duplicate code around here.
This change removes full stack test cases for IPConn that require
knowing how to speak with each of protocol stack implementation of
supported platforms.
Change-Id: I871119a9746fc6a2b997b69cfd733463558f5816
Reviewed-on: https://go-review.googlesource.com/3404 Reviewed-by: Ian Lance Taylor <iant@golang.org>
Evan Phoenix [Wed, 28 Jan 2015 17:16:44 +0000 (09:16 -0800)]
expvar: Use sync/atomic to manipulate Int for better perf
Using a mutex to protect a single int operation is quite heavyweight.
Using sync/atomic provides much better performance. This change was
benchmarked as such:
Dominik Vogt [Tue, 13 Jan 2015 11:36:44 +0000 (12:36 +0100)]
cmd/cgo: add support for s390 and s390x
This patch was previously sent for review using hg:
golang.org/cl/173930043
Change-Id: I559a2f2ee07990d0c23d2580381e32f8e23077a5
Reviewed-on: https://go-review.googlesource.com/3033 Reviewed-by: Ian Lance Taylor <iant@golang.org>
Rick Hudson [Wed, 28 Jan 2015 20:57:46 +0000 (15:57 -0500)]
runtime: set minimum heap size to 4Mbytes
Set the minimum heap size to 4Mbytes except when the hash
table code wants to force a GC. In an unrelated change when a
mutator is asked to assist the GC by marking pointer workbufs
it will keep working until the requested number of pointers
are processed even if it means asking for additional workbufs.
Dmitry Vyukov [Wed, 21 Jan 2015 14:37:59 +0000 (17:37 +0300)]
cmd/gc: allocate buffers for non-escaped strings on stack
Currently we always allocate string buffers in heap.
For example, in the following code we allocate a temp string
just for comparison:
if string(byteSlice) == "abc" { ... }
This change extends escape analysis to cover []byte->string
conversions and string concatenation. If the result of operations
does not escape, compiler allocates a small buffer
on stack and passes it to slicebytetostring and concatstrings.
Then runtime uses the buffer if the result fits into it.
Size of the buffer is 32 bytes. There is no fundamental theory
behind this number. Just an observation that on std lib
tests/benchmarks frequency of string allocation is inversely
proportional to string length; and there is significant number
of allocations up to length 32.
Rick Hudson [Mon, 26 Jan 2015 18:51:39 +0000 (13:51 -0500)]
runtime: avoid redundant scans
During a concurrent GC stacks are scanned in
an initial scan phase informing the GC of all
pointers on the stack. The GC only needs to rescan
the stack if it potentially changes which can only
happen if the goroutine runs.
This CL tracks whether the Goroutine has run
since it was last scanned and thus may have changed
its stack. If necessary the stack is rescanned.
Dmitry Vyukov [Fri, 12 Dec 2014 17:58:09 +0000 (18:58 +0100)]
net/http/pprof: add tracing support
net/http/pprof part of tracing functionality:
https://docs.google.com/document/u/1/d/1FP5apqzBgr7ahCCgFO-yoVhk4YZrNIDNf9RybngBc14/pub
Full change:
https://codereview.appspot.com/146920043
Dmitry Vyukov [Tue, 27 Jan 2015 20:57:12 +0000 (23:57 +0300)]
cmd/gc: don't copy []byte during string comparison
Currently we allocate a new string during []byte->string conversion
in string comparison expressions. String allocation is unnecessary in
this case, because comparison does memorize the strings for later use.
This change uses slicebytetostringtmp to construct temp string directly
from []byte buffer and passes it to runtime.eqstring.
Dmitry Vyukov [Mon, 19 Jan 2015 20:46:22 +0000 (23:46 +0300)]
cmd/gc: improve escape analysis for &T{...}
Currently all PTRLIT element initializers escape. There is no reason for that.
This change links STRUCTLIT to PTRLIT; STRUCTLIT element initializers are
already linked to the STRUCTLIT. As the result, PTRLIT element initializers
escape when PTRLIT itself escapes.
Dmitry Vyukov [Fri, 12 Dec 2014 18:41:18 +0000 (19:41 +0100)]
cmd/go: add tracing support
cmd/go part of tracing functionality:
https://docs.google.com/document/u/1/d/1FP5apqzBgr7ahCCgFO-yoVhk4YZrNIDNf9RybngBc14/pub
Full change:
https://codereview.appspot.com/146920043
Dmitry Vyukov [Fri, 12 Dec 2014 18:43:23 +0000 (19:43 +0100)]
testing: add tracing support
testing part of tracing functionality:
https://docs.google.com/document/u/1/d/1FP5apqzBgr7ahCCgFO-yoVhk4YZrNIDNf9RybngBc14/pub
Full change:
https://codereview.appspot.com/146920043
Dmitry Vyukov [Fri, 12 Dec 2014 17:56:36 +0000 (18:56 +0100)]
runtime/pprof: add tracing support
runtime/pprof part of tracing functionality:
https://docs.google.com/document/u/1/d/1FP5apqzBgr7ahCCgFO-yoVhk4YZrNIDNf9RybngBc14/pub
Full change:
https://codereview.appspot.com/146920043
Dmitry Vyukov [Fri, 12 Dec 2014 17:41:57 +0000 (18:41 +0100)]
runtime: add tracing of runtime events
Add actual tracing of interesting runtime events.
Part of a larger tracing functionality:
https://docs.google.com/document/u/1/d/1FP5apqzBgr7ahCCgFO-yoVhk4YZrNIDNf9RybngBc14/pub
Full change:
https://codereview.appspot.com/146920043
Dmitry Vyukov [Fri, 12 Dec 2014 17:11:27 +0000 (18:11 +0100)]
runtime: add execution tracing functionality
This is first patch of series of patches that implement tracing functionality.
Design doc:
https://docs.google.com/document/u/1/d/1FP5apqzBgr7ahCCgFO-yoVhk4YZrNIDNf9RybngBc14/pub
Full change:
https://codereview.appspot.com/146920043
Dmitry Vyukov [Wed, 28 Jan 2015 14:28:50 +0000 (17:28 +0300)]
cmd/gc: fix condition for fast pathed interface conversions
For some reason the current conditions require the type to be "uintptr-shaped".
This cuts off structs and arrays with a pointer.
isdirectiface and width==widthptr is sufficient condition to enable the fast paths.
Dmitry Vyukov [Wed, 28 Jan 2015 13:17:36 +0000 (16:17 +0300)]
net/http: fix goroutine leak in benchmark
Race builders report goroutine leaks after addition of this benchmark:
http://build.golang.org/log/18e47f4cbc18ee8db125e1f1157573dd1e333c41
Close idle connection in default transport.
Dmitry Vyukov [Mon, 22 Dec 2014 19:31:55 +0000 (22:31 +0300)]
reflect: cache call frames
Call frame allocations can account for significant portion
of all allocations in a program, if call is executed
in an inner loop (e.g. to process every line in a log).
On the other hand, the allocation is easy to remove
using sync.Pool since the allocation is strictly scoped.
benchmark old ns/op new ns/op delta
BenchmarkCall 634 338 -46.69%
BenchmarkCall-4 496 167 -66.33%
benchmark old allocs new allocs delta
BenchmarkCall 1 0 -100.00%
BenchmarkCall-4 1 0 -100.00%
Update #7818
Change-Id: Icf60cce0a9be82e6171f0c0bd80dee2393db54a7
Reviewed-on: https://go-review.googlesource.com/1954 Reviewed-by: Keith Randall <khr@golang.org>
David Leon Gil [Tue, 27 Jan 2015 07:00:21 +0000 (23:00 -0800)]
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340 Reviewed-by: Adam Langley <agl@golang.org>