Merge tag 'go1.21.6' into update-go1.21.6

* tag 'go1.21.6':
  [release-branch.go1.21] go1.21.6
  [release-branch.go1.21] crypto/tls: align FIPS-only mode with BoringSSL policy
  [release-branch.go1.21] crypto/internal/boring: upgrade module to fips-20220613
  [release-branch.go1.21] runtime: add race annotations in IncNonDefault
  [release-branch.go1.21] maps: fix aliasing problems with Clone
  [release-branch.go1.21] runtime: put ReadMemStats debug assertions behind a double-check mode
  [release-branch.go1.21] runtime: add the disablethp GODEBUG setting
  [release-branch.go1.21] runtime/pprof: fix generics function names
  [release-branch.go1.21] os/signal: skip nohup tests on darwin builders
  [release-branch.go1.21] os/signal: remove go t.Run from TestNohup
  [release-branch.go1.21] cmd/compile: fix escape analysis of string min/max
  [release-branch.go1.21] cmd/compile: fix memcombine pass for big endian, > 1 byte elements

VERSION

@@ -1,2 +1,2 @@
-go1.21.5
-time 2023-11-29T21:21:46Z
+go1.21.6
+time 2024-01-04T23:43:26Z

doc/godebug.md

@@ -134,6 +134,19 @@ The default is tlsmaxrsasize=8192, limiting RSA to 8192-bit keys. To avoid
 denial of service attacks, this setting and default was backported to Go
 1.19.13, Go 1.20.8, and Go 1.21.1.
 
+Go 1.22 changed how the runtime interacts with transparent huge pages on Linux.
+In particular, a common default Linux kernel configuration can result in
+significant memory overheads, and Go 1.22 no longer works around this default.
+To work around this issue without adjusting kernel settings, transparent huge
+pages can be disabled for Go memory with the
+[`disablethp` setting](/pkg/runtime#hdr-Environment_Variable).
+This behavior was backported to Go 1.21.1, but the setting is only available
+starting with Go 1.21.6.
+This setting may be removed in a future release, and users impacted by this issue
+should adjust their Linux configuration according to the recommendations in the
+[GC guide](/doc/gc-guide#Linux_transparent_huge_pages), or switch to a Linux
+distribution that disables transparent huge pages altogether.
+
 ### Go 1.21
 
 Go 1.21 made it a run-time error to call `panic` with a nil interface value,

src/cmd/compile/internal/escape/call.go

@@ -186,14 +186,22 @@ func (e *escape) callCommon(ks []hole, call ir.Node, init *ir.Nodes, wrapper *ir
 		argument(e.discardHole(), &call.X)
 		argument(e.discardHole(), &call.Y)
 
-	case ir.ODELETE, ir.OMAX, ir.OMIN, ir.OPRINT, ir.OPRINTN, ir.ORECOVER:
+	case ir.ODELETE, ir.OPRINT, ir.OPRINTN, ir.ORECOVER:
 		call := call.(*ir.CallExpr)
 		fixRecoverCall(call)
 		for i := range call.Args {
 			argument(e.discardHole(), &call.Args[i])
 		}
 		argumentRType(&call.RType)
 
+	case ir.OMIN, ir.OMAX:
+		call := call.(*ir.CallExpr)
+		fixRecoverCall(call)
+		for i := range call.Args {
+			argument(ks[0], &call.Args[i])
+		}
+		argumentRType(&call.RType)
+
 	case ir.OLEN, ir.OCAP, ir.OREAL, ir.OIMAG, ir.OCLOSE, ir.OCLEAR:
 		call := call.(*ir.UnaryExpr)
 		argument(e.discardHole(), &call.X)

src/cmd/compile/internal/ssa/memcombine.go

@@ -313,8 +313,8 @@ func combineLoads(root *Value, n int64) bool {
 	if isLittleEndian && shift0 != 0 {
 		v = leftShift(loadBlock, pos, v, shift0)
 	}
-	if isBigEndian && shift0-(n-1)*8 != 0 {
-		v = leftShift(loadBlock, pos, v, shift0-(n-1)*8)
+	if isBigEndian && shift0-(n-1)*size*8 != 0 {
+		v = leftShift(loadBlock, pos, v, shift0-(n-1)*size*8)
 	}
 
 	// Install with (Copy v).
@@ -588,14 +588,14 @@ func combineStores(root *Value, n int64) bool {
 	isLittleEndian := true
 	shift0 := shift(a[0].store, shiftBase)
 	for i := int64(1); i < n; i++ {
-		if shift(a[i].store, shiftBase) != shift0+i*8 {
+		if shift(a[i].store, shiftBase) != shift0+i*size*8 {
 			isLittleEndian = false
 			break
 		}
 	}
 	isBigEndian := true
 	for i := int64(1); i < n; i++ {
-		if shift(a[i].store, shiftBase) != shift0-i*8 {
+		if shift(a[i].store, shiftBase) != shift0-i*size*8 {
 			isBigEndian = false
 			break
 		}
@@ -618,8 +618,8 @@ func combineStores(root *Value, n int64) bool {
 	if isLittleEndian && shift0 != 0 {
 		sv = rightShift(root.Block, root.Pos, sv, shift0)
 	}
-	if isBigEndian && shift0-(n-1)*8 != 0 {
-		sv = rightShift(root.Block, root.Pos, sv, shift0-(n-1)*8)
+	if isBigEndian && shift0-(n-1)*size*8 != 0 {
+		sv = rightShift(root.Block, root.Pos, sv, shift0-(n-1)*size*8)
 	}
 	if sv.Type.Size() > size*n {
 		sv = truncate(root.Block, root.Pos, sv, sv.Type.Size(), size*n)

src/cmd/compile/internal/test/memcombine_test.go

@@ -71,3 +71,129 @@ func readUint32be(b []byte) uint64 {
 //go:noinline
 func nop() {
 }
+
+type T32 struct {
+	a, b uint32
+}
+
+//go:noinline
+func (t *T32) bigEndianLoad() uint64 {
+	return uint64(t.a)<<32 | uint64(t.b)
+}
+
+//go:noinline
+func (t *T32) littleEndianLoad() uint64 {
+	return uint64(t.a) | (uint64(t.b) << 32)
+}
+
+//go:noinline
+func (t *T32) bigEndianStore(x uint64) {
+	t.a = uint32(x >> 32)
+	t.b = uint32(x)
+}
+
+//go:noinline
+func (t *T32) littleEndianStore(x uint64) {
+	t.a = uint32(x)
+	t.b = uint32(x >> 32)
+}
+
+type T16 struct {
+	a, b uint16
+}
+
+//go:noinline
+func (t *T16) bigEndianLoad() uint32 {
+	return uint32(t.a)<<16 | uint32(t.b)
+}
+
+//go:noinline
+func (t *T16) littleEndianLoad() uint32 {
+	return uint32(t.a) | (uint32(t.b) << 16)
+}
+
+//go:noinline
+func (t *T16) bigEndianStore(x uint32) {
+	t.a = uint16(x >> 16)
+	t.b = uint16(x)
+}
+
+//go:noinline
+func (t *T16) littleEndianStore(x uint32) {
+	t.a = uint16(x)
+	t.b = uint16(x >> 16)
+}
+
+type T8 struct {
+	a, b uint8
+}
+
+//go:noinline
+func (t *T8) bigEndianLoad() uint16 {
+	return uint16(t.a)<<8 | uint16(t.b)
+}
+
+//go:noinline
+func (t *T8) littleEndianLoad() uint16 {
+	return uint16(t.a) | (uint16(t.b) << 8)
+}
+
+//go:noinline
+func (t *T8) bigEndianStore(x uint16) {
+	t.a = uint8(x >> 8)
+	t.b = uint8(x)
+}
+
+//go:noinline
+func (t *T8) littleEndianStore(x uint16) {
+	t.a = uint8(x)
+	t.b = uint8(x >> 8)
+}
+
+func TestIssue64468(t *testing.T) {
+	t32 := T32{1, 2}
+	if got, want := t32.bigEndianLoad(), uint64(1<<32+2); got != want {
+		t.Errorf("T32.bigEndianLoad got %x want %x\n", got, want)
+	}
+	if got, want := t32.littleEndianLoad(), uint64(1+2<<32); got != want {
+		t.Errorf("T32.littleEndianLoad got %x want %x\n", got, want)
+	}
+	t16 := T16{1, 2}
+	if got, want := t16.bigEndianLoad(), uint32(1<<16+2); got != want {
+		t.Errorf("T16.bigEndianLoad got %x want %x\n", got, want)
+	}
+	if got, want := t16.littleEndianLoad(), uint32(1+2<<16); got != want {
+		t.Errorf("T16.littleEndianLoad got %x want %x\n", got, want)
+	}
+	t8 := T8{1, 2}
+	if got, want := t8.bigEndianLoad(), uint16(1<<8+2); got != want {
+		t.Errorf("T8.bigEndianLoad got %x want %x\n", got, want)
+	}
+	if got, want := t8.littleEndianLoad(), uint16(1+2<<8); got != want {
+		t.Errorf("T8.littleEndianLoad got %x want %x\n", got, want)
+	}
+	t32.bigEndianStore(1<<32 + 2)
+	if got, want := t32, (T32{1, 2}); got != want {
+		t.Errorf("T32.bigEndianStore got %x want %x\n", got, want)
+	}
+	t32.littleEndianStore(1<<32 + 2)
+	if got, want := t32, (T32{2, 1}); got != want {
+		t.Errorf("T32.littleEndianStore got %x want %x\n", got, want)
+	}
+	t16.bigEndianStore(1<<16 + 2)
+	if got, want := t16, (T16{1, 2}); got != want {
+		t.Errorf("T16.bigEndianStore got %x want %x\n", got, want)
+	}
+	t16.littleEndianStore(1<<16 + 2)
+	if got, want := t16, (T16{2, 1}); got != want {
+		t.Errorf("T16.littleEndianStore got %x want %x\n", got, want)
+	}
+	t8.bigEndianStore(1<<8 + 2)
+	if got, want := t8, (T8{1, 2}); got != want {
+		t.Errorf("T8.bigEndianStore got %x want %x\n", got, want)
+	}
+	t8.littleEndianStore(1<<8 + 2)
+	if got, want := t8, (T8{2, 1}); got != want {
+		t.Errorf("T8.littleEndianStore got %x want %x\n", got, want)
+	}
+}

src/crypto/internal/boring/Dockerfile

@@ -13,15 +13,21 @@ WORKDIR /boring
 ENV LANG=C
 ENV LANGUAGE=
 
-# Following NIST submission draft dated July 3, 2021.
-# This corresponds to boringssl.googlesource.com/boringssl tag fips-20210429.
-ENV ClangV=12
+# Following NIST submission draft for In Progress module validation.
+# This corresponds to boringssl.googlesource.com/boringssl tag fips-20220613.
 RUN apt-get update && \
-        apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates clang-$ClangV python
+        apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates python lsb-release software-properties-common gnupg
+
+# Install Clang.
+ENV ClangV=14
+RUN \
+	wget https://apt.llvm.org/llvm.sh && \
+	chmod +x llvm.sh && \
+	./llvm.sh $ClangV
 
 # Download, validate, unpack, build, and install Ninja.
-ENV NinjaV=1.10.2
-ENV NinjaH=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed
+ENV NinjaV=1.10.1
+ENV NinjaH=a6b6f7ac360d4aabd54e299cc1d8fa7b234cd81b9401693da21221c62569a23e
 RUN \
 	wget https://github.com/ninja-build/ninja/archive/refs/tags/v$NinjaV.tar.gz && \
 	echo "$NinjaH v$NinjaV.tar.gz" >sha && sha256sum -c sha && \
@@ -33,9 +39,9 @@ RUN \
 
 # Download, validate, unpack, and install Go.
 ARG GOARCH
-ENV GoV=1.16.5
-ENV GoHamd64=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061
-ENV GoHarm64=d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799
+ENV GoV=1.18.1
+ENV GoHamd64=b3b815f47ababac13810fc6021eb73d65478e0b2db4b09d348eefad9581a2334
+ENV GoHarm64=56a91851c97fb4697077abbca38860f735c32b38993ff79b088dac46e4735633
 RUN \
 	eval GoH=\${GoH$GOARCH} && \
 	wget https://golang.org/dl/go$GoV.linux-$GOARCH.tar.gz && \
@@ -45,8 +51,8 @@ RUN \
 	ln -s /usr/local/go/bin/go /usr/local/bin/
 
 # Download, validate, and unpack BoringCrypto.
-ENV BoringV=853ca1ea1168dff08011e5d42d94609cc0ca2e27
-ENV BoringH=a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2
+ENV BoringV=0c6f40132b828e92ba365c6b7680e32820c63fa7
+ENV BoringH=62f733289f2d677c2723f556aa58034c438f3a7bbca6c12b156538a88e38da8a
 RUN \
 	wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-$BoringV.tar.xz && \
 	echo "$BoringH boringssl-$BoringV.tar.xz" >sha && sha256sum -c sha && \

src/crypto/internal/boring/LICENSE

@@ -6,7 +6,7 @@ When building with GOEXPERIMENT=boringcrypto, the following applies.
 The goboringcrypto_linux_amd64.syso object file is built
 from BoringSSL source code by build/build.sh and is covered
 by the BoringSSL license reproduced below and also at
-https://boringssl.googlesource.com/boringssl/+/fips-20190808/LICENSE.
+https://boringssl.googlesource.com/boringssl/+/fips-20220613/LICENSE.
 
 BoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL
 licensing. Files that are completely new have a Google copyright and an ISC

src/crypto/internal/boring/README.md

@@ -27,13 +27,14 @@ syso/goboringcrypto_linux_arm64.syso is built with:
 
 	GOARCH=arm64 ./build.sh
 
-Both run on an x86 Debian Linux system using Docker.
+Both run using Docker.
+
 For the arm64 build to run on an x86 system, you need
 
 	apt-get install qemu-user-static qemu-binfmt-support
 
 to allow the x86 kernel to run arm64 binaries via QEMU.
 
-See build.sh for more details about the build.
-
+For the amd64 build to run on an Apple Silicon macOS, you need Rosetta 2.
 
+See build.sh for more details about the build.

src/crypto/internal/boring/aes.go

@@ -228,26 +228,41 @@ func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
 	if tagSize != gcmTagSize {
 		return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
 	}
-	return c.newGCM(false)
+	return c.newGCM(0)
 }
 
+const (
+	VersionTLS12 = 0x0303
+	VersionTLS13 = 0x0304
+)
+
 func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
-	return c.(*aesCipher).newGCM(true)
+	return c.(*aesCipher).newGCM(VersionTLS12)
+}
+
+func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) {
+	return c.(*aesCipher).newGCM(VersionTLS13)
 }
 
-func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
+func (c *aesCipher) newGCM(tlsVersion uint16) (cipher.AEAD, error) {
 	var aead *C.GO_EVP_AEAD
 	switch len(c.key) * 8 {
 	case 128:
-		if tls {
+		switch tlsVersion {
+		case VersionTLS12:
 			aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12()
-		} else {
+		case VersionTLS13:
+			aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls13()
+		default:
 			aead = C._goboringcrypto_EVP_aead_aes_128_gcm()
 		}
 	case 256:
-		if tls {
+		switch tlsVersion {
+		case VersionTLS12:
 			aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12()
-		} else {
+		case VersionTLS13:
+			aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls13()
+		default:
 			aead = C._goboringcrypto_EVP_aead_aes_256_gcm()
 		}
 	default:

src/crypto/internal/boring/build-goboring.sh

@@ -122,7 +122,7 @@ awk -f boringx.awk goboringcrypto.h # writes goboringcrypto.x
 awk -f boringh.awk goboringcrypto.h # writes goboringcrypto[01].h
 
 ls -l ../boringssl/include
-clang++ -std=c++11 -fPIC -I../boringssl/include -O2 -o a.out  goboringcrypto.cc
+clang++ -fPIC -I../boringssl/include -O2 -o a.out  goboringcrypto.cc
 ./a.out || exit 2
 
 # clang implements u128 % u128 -> u128 by calling __umodti3,

src/crypto/internal/boring/build.sh

@@ -22,6 +22,12 @@ platform=""
 buildargs=""
 case "$GOARCH" in
 amd64)
+	if ! docker run --rm -t amd64/ubuntu:focal uname -m >/dev/null 2>&1; then
+		echo "# Docker cannot run amd64 binaries."
+		exit 1
+	fi
+	platform="--platform linux/amd64"
+	buildargs="--build-arg ubuntu=amd64/ubuntu"
 	;;
 arm64)
 	if ! docker run --rm -t arm64v8/ubuntu:focal uname -m >/dev/null 2>&1; then

src/crypto/internal/boring/goboringcrypto.h

@@ -125,7 +125,9 @@ void _goboringcrypto_EVP_AEAD_CTX_cleanup(GO_EVP_AEAD_CTX*);
 int _goboringcrypto_EVP_AEAD_CTX_seal(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t);
 int _goboringcrypto_EVP_AEAD_CTX_open(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t);
 const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm_tls12(void);
+const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm_tls13(void);
 const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm_tls12(void);
+const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm_tls13(void);
 enum go_evp_aead_direction_t {
 	go_evp_aead_open = 0,
 	go_evp_aead_seal = 1

src/crypto/internal/boring/notboring.go

@@ -50,6 +50,7 @@ func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: no
 
 func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") }
 func NewGCMTLS(cipher.Block) (cipher.AEAD, error)   { panic("boringcrypto: not available") }
+func NewGCMTLS13(cipher.Block) (cipher.AEAD, error) { panic("boringcrypto: not available") }
 
 type PublicKeyECDSA struct{ _ int }
 type PrivateKeyECDSA struct{ _ int }