Commit Graph

74 Commits (3936ebfe5d2335248146c33d01aa239e8308b01a)

Author SHA1 Message Date
Daniel Martí 3936ebfe5d update to Go 1.24.0 and test with it on CI as well 2 months ago
Daniel Martí be2921064a temporarily disable staticcheck
It's not crucial for CI to work, and go1.24.0 is around the corner.
3 months ago
Daniel Martí 30357af923
drop Go 1.22 and require Go 1.23.0 or later (#876)
This lets us start taking advantage of featurs from Go 1.23,
particularly tracking aliases in go/types and iterators.

Note that we need to add code to properly handle or skip over the new
*types.Alias type which go/types produces for Go type aliases.
Also note that we actually turn this mode off entirely for now,
due to the bug reported at https://go.dev/issue/70394.

We don't yet remove our own alias tracking code yet due to the above.
We hope to be able to remove it very soon.
5 months ago
Daniel Martí 9db3b45d03 CI: start testing on Go 1.23
And update some actions and staticcheck while here.

Drop the testing of Go master as well, as I haven't used or maintained
such a setup for a while now. We can simply add Go 1.24 RC versions
to the go-version matrix once they come out.

Fixes #859.
7 months ago
Daniel Martí ad2ecc7f2f drop Go 1.21 and start using go/version
Needing to awkwardly treat Go versions as if they were semver
is no longer necessary thanks to go/version being in Go 1.22.0 now.
1 year ago
Daniel Martí e6299c5ac3 CI: start testing on 1.22 now that it's released 1 year ago
Daniel Martí de65196495 fix support for go1.22rc1
In early December, a new internal package linknamed from runtime
was introduced, internal/chacha8rand. Re-generate the tables.

Note that due to the same group of CLs and refactors,
math/rand and net are no longer linknamed from runtime in Go 1.22.
They are still in Go 1.21, so keep those entries around for now.
We can remove math/rand/v2, as it doesn't yet exist in 1.21.

Fixes #820.
1 year ago
Daniel Martí d283d8479c add and test initial support for Go 1.22
The Go 1.21 linker patches luckily rebased on master as of
de5b418bea70aaf27de1f47e9b5813940d1e15a4 just fine.
The addition of the strings import in the second patch was removed,
since the file in Go 1.22 now has this package import.

We can remove the Go 1.20 linker patches too, since we no longer support
that Go version in the upcoming release.

Start treating runtime/internal/startlinetest as part of the runtime,
since otherwise its test-only trickery breaks "garble build std":

    # runtime/internal/startlinetest
    [...]/XS7r7lPHkTG.s:23: ABI selector only permitted when compiling runtime, reference was to "HGoWHDsKwh.AlfA2or7Nnb"
    asm: assembly of $WORK/.tmp/garble-shared1535203339/HGoWHDsKwh/XS7r7lPHkTG.s failed

While here, update actions/checkout and staticcheck in CI.
1 year ago
Daniel Martí 126618a0d5 drop support for Go 1.20
Go 1.21.0 was released in August 2023, so our upcoming release
will no longer support the Go 1.20 release series.

The first Go 1.22 release candidate is also due in December 2023,
less than a month from now, so dropping 1.20 will simplify 1.22 work.
1 year ago
Daniel Martí 716322cdf8 all: start suggesting Go 1.21 and testing on it
Also note that the first release is now 1.21.0,
so we no longer need to use the awkward 1.21.x notation in warnings.
2 years ago
Daniel Martí 2a10dc7f41 minor tweaks in preparation for Go 1.21
Update CI to use a newer version of Go master,
now that we're already getting release candidates.

Look at the diffs between Go 1.20 and master of `go help build`
and `go help testflag`, and add two flags that were recently added.

While here, bump a hopeful TODO for a feature request,
since that one definitely did not happen for 1.21.
2 years ago
Daniel Martí da5ddfa45d avoid go:linkname warnings when building on tip
Packages like os and sync have started using go:linknames pointing to
packages outside their dependency tree, much like runtime already did.
This started causing warnings to be printed while obfuscsating std:

    > exec garble build -o=out_rebuild ./stdimporter
    [stderr]
    # sync
    //go:linkname refers to syscall.hasWaitingReaders - add `import _ "syscall"` for garble to find the package
    # os
    //go:linkname refers to net.newUnixFile - add `import _ "net"` for garble to find the package
    > bincmp out_rebuild out
    PASS

Relax the restriction in listPackage so that any package in std
is now allowed to list packages in runtimeLinknamed,
which makes the warnings and any potential problems go away.
Also make these std test cases check that no warnings are printed,
since I only happened to notice this problem by chance.
2 years ago
Daniel Martí 7872177381 CI: try macos-latest again
And bump go-internal to its latest version, to include its fix
for those pesky "signal: killed" failures on macos.

While here, run the tests with -short on GOARCH=386,
and make our use of actions/setup-go a bit more consistent.
2 years ago
Daniel Martí bdcb80ee63 adapt to tip's error message change from "GOROOT" to "std" 2 years ago
Daniel Martí b129987b46 CI: upgrade go tip
The previous commits fix support for the latest master versions.
2 years ago
Daniel Martí 950ddaf503 CI: skip regular `go test` on linux
See the added comment.
An alternative would be to split up the work into more jobs,
but that doesn't feel necessary, and we still have a global limit
on how many free runners we can run jobs on at once.

While here, update the comments, and remove unnecessary step names.
2 years ago
Daniel Martí 7bb040e635 update to Go tip from April 28th
A couple of new packages in runtimeAndDeps,
and go list's Package.DepsErrors may now include package build errors
which we want to ignore as we would print those as duplicates.
2 years ago
Daniel Martí 4d7546703a update gotip in CI and fix -tiny on the latest tip
printOneCgoTraceback now returns a boolean rather than an int.
Since we need to have different logic based on the Go version,
and toolchainVersionSemver was only set for the main process,
move the string to the shared cache global.
This is a nice thing to do anyway, to reduce the number of globals.

While here, update actions/setup-go to v4, which starts caching
GOMODCACHE and GOCACHE by default now.
Disable it, because it still doesn't help in our case,
and GitHub's Actions caching is still really inefficient.

And update staticcheck too.
2 years ago
Daniel Martí 1f39d0af72 update gotip and adapt to upstream changes
https://go.dev/cl/466095 lightly refactored the runtime
in a way that broke extractNameOff. In particular, the code

	func cfuncname(f funcInfo) *byte {
		if !f.valid() || f.nameOff == 0 {
			return nil
		}
		return &f.datap.funcnametab[f.nameOff]
	}
	func funcname(f funcInfo) string {
		return gostringnocopy(cfuncname(f))
	}

is now simply

	func funcname(f funcInfo) string {
		if !f.valid() {
			return ""
		}
		return f.datap.funcName(f.nameOff)
	}

Since extractNameOff looked for the func named cfuncname,
and looked for the nameOff selector inside an index expression,
all of that code no longer worked properly.

It all existed to find the name of the field, nameOff,
so that we would automatically adapt if upstream renames it.
Unsurprisingly, the code using the field got refactored first.
It doesn't seem like the extra code on our part is helping us,
and assuming the name of the field works for all Go versions,
so do that instead.

If upstream does rename the field in the future,
the obfuscated Go builds will start failing in an obvious way.
If or when that comes to pass, we can change our constant string.
2 years ago
Daniel Martí 9598e439ed CI: test against a newer Go tip
While here, update staticcheck.
2 years ago
Daniel Martí b322876efe drop support for Go 1.19
Now that we're done with garble v0.9.x,
v0.10 will only support Go 1.20 as a minimum version.
2 years ago
Daniel Martí 4919be0658 switch to final Go 1.20 release and re-enable gotip in CI
Go master, the upcoming Go 1.21, has had its merge window open for over
two weeks at this point, and it seems calmer at this point.

ALso update staticcheck to its latest release, which supports Go 1.20.
2 years ago
Daniel Martí d9e74dabbb CI: add Go 1.20rc3, disable gotip for now
tip is now the start of Go 1.21 as of a couple of days ago.
However, the first week or two is when the biggest changes land,
which means that Go tip is far more prone to bugs and changes that might
break garble.

We'll start tracking tip again in a few weeks, once the dust has settled
and we can look at what changes might have broken garble.
2 years ago
Daniel Martí 567b41c2b9 CI: bump gotip to December 2022
Go 1.20 isn't far away at this point,
and we're well into the freeze.

Also note that a build error output got refined again.
2 years ago
Daniel Martí 1877dfb474 CI: stop tracking macos-latest for now
Since it's not yet clear whether it's a bug on garble's end,
and the regression was the MacOS version bump and not any recent change
we did.

For #609.
2 years ago
Daniel Martí 12bc0349e6 make bincmp keep binaries around when it fails
Even if diffoscope is installed, because further investigation might be
needed, and some failures are rare or hard to reproduce.

Make GitHub Actions upload those artifacts,
so that a failed CI run on Windows or Mac due to bincmp
allows us to download and inspect those binaries locally.
2 years ago
Daniel Martí e61317e7ae fix garble with newer Go tip versions
Some big changes landed in Go for the upcoming 1.20.

While here, remove the use of GOGC=off with make.bash,
as https://go.dev/cl/436235 makes that unnecessary now.
2 years ago
Daniel Martí 58b2d64784 drop support for Go 1.18.x
With Go 1.19 having been out for two months,
and Go 1.20's first beta coming out in two months,
it is now time to move forward again.
3 years ago
Daniel Martí 5d926a8011 add support for the latest gotip
A new runtime package was added.
3 years ago
Daniel Martí eaa1dbd3e3 CI: update gotip for a new bugfix release 3 years ago
Daniel Martí 8ad374d2fb start testing on Go 1.19.x
While here, start the changelog for the upcoming release,
which will likely be a bugfix release as it's a bit early to drop 1.18.

We also bump staticcheck to get a version that supports 1.19.

I also noticed the "Go version X or newer" messages were slightly weird
and inconsistent. Our policy, per the README, is "Go version X or newer",
so the errors given to the user were unnecessarily confusing.
For example, now that Go 1.19 is out, we shouldn't simply recommend that
they upgrade to 1.18; we should recommend 1.18 or later.
3 years ago
Daniel Martí 60dbece24f work around another go/printer bug to fix andybalholm/brotli
When obfuscating the following piece of code:

	func issue_573(s struct{ f int }) {
		var _ *int = &s.f
		/*x*/
	}

the function body would roughly end up printed as:
we would roughly end up with:

	var _ *int = &dZ4xYx3N
	/*x*/.rbg1IM3V

Note that the /*x*/ comment got moved earlier in the source code.
This happens because the new identifiers are longer, so the printer
thinks that the selector now ends past the comment.

That would be fine - we don't really mind where comments end up,
because these non-directive comments end up being removed anyway.

However, the resulting syntax is wrong, as the period for the selector
must be on the first line rather than the second.
This is a go/printer bug that we should fix upstream,
but until then, we must work around it in Go 1.18.x and 1.19.x.

The fix is somewhat obvious in hindsight. To reduce the chances that
go/printer will trip over comments and produce invalid syntax,
get rid of most comments before we use the printer.
We still keep the removal of comments after printing,
since go/printer consumes some comments in ast.Node Doc fields.

Add the minimized unit test case above, and add the upstream project
that found this bug to check-third-party.
andybalholm/brotli helps cover a compression algorithm and ccgo code
generation from C to Go, and it's also a fairly popular module,
particular with HTTP implementations which want pure-Go brotli.

While here, fix the check-third-party script: it was setting GOFLAGS
a bit too late, so it may run `go get` on the wrong mod file.

Fixes #573.
3 years ago
Daniel Martí fa35e6d81c bump dependencies and gotip version
No breaking changes in Go master so far.
3 years ago
Daniel Martí 0119a775d7 CI: test with gotip as of July 30th
Practically Go 1.19, to be released next Tuesday.
3 years ago
Daniel Martí f6ef988823 add crypto/internal/boring/bcache to runtimeLinknamed
A chunk from crypto/internal/boring has been split away as a separate
package very recently, shortly before 1.19rc1 is due for release.
See https://go.dev/cl/407135 for more information.

Makes garble work on the latest Go tip again.
3 years ago
Daniel Martí c9337022a0 bump gotip and x/exp, mention 1.19 in the changelog 3 years ago
Daniel Martí 201d890430 start checking some third party builds for regressions
Our tests should already be pretty extensive,
and any bug fixes should result in more regression test cases,
but testing against a few diverse and popular third party modules
will help prevent unintended regressions while developing garble.

The list is short for now. More can be added later.
This adds protobuf and wireguard from the original issue,
but not cobra and logrus, as they aren't particularly complex nor add
significant variety on top of protobuf and wireguard.

While here, we remove the job that only runs crlf-test.sh,
as we don't really need a separate job for a tiny script.

Fixes #240.
3 years ago
Daniel Martí 7fb390e403 fix support with the latest Go master version
It added packages which are only built with the boringcrypto build tag,
so trying to `go list` them will fail even though it doesn't matter.

While here, a few more minor cleanups:

1) Hide GarbleActionID and ToObfuscate from encoding/json, so that they
   can't possibly collide with the fields consumed from `go list -json`.

2) Add test cases for `garble build` with packages that fail to load.
   Note that this requires GOGARBLE=* to avoid its "does not match any
   package to be built" error.

3) Remove the last use of interface{}, in a testdata file.

Fixes #531.
3 years ago
Daniel Martí 6118c795c6 various version bumps
Use a gotip version that's a month newer.

Update to the latest staticcheck version, which supports Go 1.18.

Update all direct dependencies as well.
3 years ago
Daniel Martí 6a39ad2d81 make "garble version" include VCS information
When someone builds garble from a git clone,
the resulting binary used to not contain any information:

	$ garble version
	(devel)

Since Go 1.18, VCS information is stamped by default into binaries.
We now print it, alongside any other available build settings:

	$ garble version
	mvdan.cc/garble (devel)

	Build settings:
	       -compiler gc
	     CGO_ENABLED 1
	          GOARCH amd64
	            GOOS linux
	         GOAMD64 v3
	             vcs git
	    vcs.revision 91ea246349
	        vcs.time 2022-03-18T13:45:11Z
	    vcs.modified true

Note that it's still possible for a garble build to contain no useful
version information, such as when built via "go build -buildvcs=false".
However, if a user opts into omitting the information, it's on them to
figure out what version of garble they actually built.

While here, bump test-gotip.

Fixes #491.
3 years ago
lu4p 1a0b028db7 all: drop support for Go 1.17
Now that we've released v0.6.0, that will be the last feature release to
feature support for Go 1.17. The upcoming v0.7.0 will be Go 1.18+.

Code-wise, the cleanup here isn't super noticeable,
but it will be easier to work on features like VCS-aware version
information and generics support without worrying about Go 1.17.
Plus, now CI is back to being much faster.

Note how "go 1.18" in go.mod makes "go mod tidy" more aggressive.
3 years ago
Daniel Martí ab39ee804d fail if the current Go version is newer than what built garble
For instance, Go 1.18 added support for generics, so its compiler output
files changed format to accomodate for the new language feature.
If garble is built with Go 1.17 and then used to perform builds on Go
1.18, it will fail in a very confusing way, because garble's go/types
and go/importer packages will not know how to deal with that.

As already discussed in #269, require the version that built the garble
binary to be equal or newer. In that thread we discussed only comparing
the major version, so for example garble built on go1.18 could be used
on the toolchain go1.18.5. However, that could still fail in confusing
ways if a fix to go/types or go/importer happened in a point release.

While here, I noticed that we were still using Go 1.17 for some CI
checks. Fix that, except for staticcheck.

Fixes #269.
3 years ago
Daniel Martí 807884f15a CI: bump gotip to March 14th and the final Go 1.18 3 years ago
Daniel Martí 5c1b2f17f8 CI: start testing on Go 1.18rc1, bump gotip to 1.19
Our upcoming release will focus on supporting 1.17.x and 1.18.x.
Since gotip is now merging features for the future 1.19.x,
let's add 1.18rc1 to the matrix and bump gotip.

This will make our CI jobs a bit slower for the time being,
but that's the price to pay to ensure we support both versions.
After the next garble version is released,
we can consider dropping support for 1.17.x.
3 years ago
Daniel Martí 70b1cb2fd8 CI: start enforcing vet and staticcheck
Fix a staticcheck warning about unused code,
as well as an unparam warning and a missing copyright header.

We also bump the action versions to their latest releases,
and drop unnecessary "name" fields for self-describing steps.

Note that we drop the "go env" commands, as setup-go does that now.

Finally, I did briefly try to add caching,
but then realised it didn't help us at all. Document why.
3 years ago
Daniel Martí 2d4cc49d50 CI: bump gotip to February
While here, fix two typos.
3 years ago
Daniel Martí 66f5157f0f CI: use a newer gotip commit
And drop the continue-on-error line,
as we haven't had test-gotip failures in months.
Knowing when master fails can be useful.

While here, use GOGC=off to build faster, and explain why.
3 years ago
Daniel Martí 4f0657a19a prepare for v0.5.0
While here, add a TODO I forgot about, and run gofumpt.

Also bump all test timeouts slightly,
as the Mac and Windows hosted runners are a bit slow
and I've hit failures twice recently.
3 years ago
Daniel Martí 29ea99fc5f CI: test on GOARCH=386
Note that this cross-compilation disables cgo by default,
and so the cgo.txt test script isn't run on GOARCH=386.
That seems fine for now, as the test isn't arch-specific.

This testing uncovered one build failure in internal/literals;
the comparison between int and math.MaxUint32 is invalid on 32-bit.
To fix that build failure, use int64 consistently.

One test also incorrectly assumed amd64; it now supports 386 too.
For any other architecture, it's being skipped for now.

I also had to increase the -race test timeout,
as it usually takes 8-9m on GitHub Actions,
and the timeout would sometimes trigger.

Finally, use "go env" rather than "go version" on CI,
which gives us much more useful information,
and also includes Go's own version now via GOVERSION.

Fixes #426.
3 years ago
Daniel Martí 93b2873c28 ensure the runtime is built in a reproducible way
We went to great lengths to ensure garble builds are reproducible.
This includes how the tool itself works,
as its behavior should be the same given the same inputs.

However, we made one crucial mistake with the runtime package.
It has go:linkname directives pointing at other packages,
and some of those pointed packages aren't its dependencies.

Imagine two scenarios where garble builds the runtime package:

1) We run "garble build runtime". The way we handle linkname directives
   calls listPackage on the target package, to obfuscate the target's
   import path and object name. However, since we only obtained build
   info of runtime and its deps, calls for some linknames such as
   listPackage("sync/atomic") will fail. The linkname directive will
   leave its target untouched.

2) We run "garble build std". Unlike the first scenario, all listPackage
   calls issued by runtime's linkname directives will succeed, so its
   linkname directive targets will be obfuscated.

At best, this can result in inconsistent builds, depending on how the
runtime package was built. At worst, the mismatching object names can
result in errors at link time, if the target packages are actually used.

The modified test reproduces the worst case scenario reliably,
when the fix is reverted:

	> env GOCACHE=${WORK}/gocache-empty
	> garble build -a runtime
	> garble build -o=out_rebuild ./stdimporter
	[stderr]
	# test/main/stdimporter
	JZzQivnl.NtQJu0H3: relocation target JZzQivnl.iioHinYT not defined
	JZzQivnl.NtQJu0H3.func9: relocation target JZzQivnl.yz5z0NaH not defined
	JZzQivnl.(*ypvqhKiQ).String: relocation target JZzQivnl.eVciBQeI not defined
	JZzQivnl.(*ypvqhKiQ).PkgPath: relocation target JZzQivnl.eVciBQeI not defined
	[...]

The fix consists of two steps. First, if we're building the runtime and
listPackage fails on a package, that means we ran into scenario 1 above.
To avoid the inconsistency, we fill ListedPackages with "go list [...] std".
This means we'll always build runtime as described in scenario 2 above.

Second, when building packages other than the runtime,
we only allow listPackage to succeed if we're listing a dependency of
the current package.
This ensures we won't run into similar reproducibility bugs in the future.

Finally, re-enable test-gotip on CI since this was the last test flake.
3 years ago