diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 00645cb0..7ef6c586 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,7 +25,7 @@ jobs: test: strategy: matrix: - go-version: [1.21.x] + go-version: [1.21.x, 1.22.x] os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: @@ -53,17 +53,17 @@ jobs: # Static checks from this point forward. Only run on one Go version and on # linux, since it's the fastest platform, and the tools behave the same. - name: Test third-party project builds - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' + if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x' run: | go install ./scripts/check-third-party.sh - - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' + - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x' run: ./scripts/crlf-test.sh - - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' + - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x' run: diff <(echo -n) <(gofmt -d .) - - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' + - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x' run: go vet ./... - - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x' + - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x' uses: dominikh/staticcheck-action@v1 with: version: "2023.1.6" @@ -81,11 +81,12 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-go@v4 with: - go-version: 1.21.x + go-version: 1.22.x cache: false - run: go test -short ./... test-gotip: + if: false # let tip for 1.23 settle first runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/CHANGELOG.md b/CHANGELOG.md index d86cc8a3..d4f615d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
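Review bot: The static-check steps in the `@@ -53,17` hunk now run only under `'1.22.x'`, but the staticcheck pin in the last of those steps stays at `version: "2023.1.6"`. Going by its version string, that release predates the final Go 1.22.0 mentioned in this commit's changelog, so confirm that it analyses Go 1.22 code correctly and bump the pin here if it does not; a linter that errors or skips packages weakens the gate. The five repeated `matrix.go-version == '1.22.x'` conditions must be edited in lockstep on every bump, which a dedicated single-version job for the static checks would avoid. While this step is being touched, note that `dominikh/staticcheck-action@v1` is referenced by a mutable tag; pinning it to a commit SHA would make the step reproducible.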
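Review bot: In the `@@ -81,11` hunk, `if: false # let tip for 1.23 settle first` disables `test-gotip` with no re-enable condition and no tracking reference, so breakage against Go tip will go unnoticed until someone remembers to revert the line. I would make the comment actionable, for example `if: false # TODO(#ISSUE): re-enable once tip for 1.23 settles`, with `#ISSUE` replaced by a real tracker entry. The job's steps continue past the end of the hunk.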
@@ -1,5 +1,22 @@ # Changelog +## [v0.12.0] - 2024-02-?? + +This release continues support for Go 1.21 and includes fixes for Go 1.22, +now that the final 1.22.0 release is out. + +@lu4p improved the detection of types used with reflection to track `make` calls too, +fixing more `cannot use T1 as T2` errors when obfuscating types. See [#690]. + +@pagran added a trash block generator to the control flow obfuscator. +TODO: link to the docs once they are in master? +See [#825]. + +A number of bugfixes are also included: +* Avoid an error when building for `GOOS=ios` - [#816] +* Prevent the shuffle literal obfuscation from being optimized away - [#819] +* Support inline comments in assembly `#include` lines - [#812] + ## [v0.11.0] - 2023-12-02 This release drops support for Go 1.20, continues support for Go 1.21, @@ -261,6 +278,12 @@ Known bugs: * obfuscating the standard library with `GOPRIVATE=*` is not well supported yet * `garble test` is temporarily disabled, as it is currently broken +[#690]: https://github.com/burrowers/garble/issues/690 +[#812]: https://github.com/burrowers/garble/issues/812 +[#816]: https://github.com/burrowers/garble/pull/816 +[#819]: https://github.com/burrowers/garble/pull/819 +[#825]: https://github.com/burrowers/garble/pull/825 + [v0.11.0]: https://github.com/burrowers/garble/releases/tag/v0.11.0 [#462]: https://github.com/burrowers/garble/issues/462 [#685]: https://github.com/burrowers/garble/issues/685 diff --git a/go_std_tables.go b/go_std_tables.go index 6d801f01..6d6fc7ba 100644 --- a/go_std_tables.go +++ b/go_std_tables.go @@ -1,6 +1,6 @@ // Code generated by scripts/gen-go-std-tables.sh; DO NOT EDIT. -// Generated from Go version devel go1.22-a2a2c5b947 Wed Dec 20 02:18:50 2023 +0000. +// Generated from Go version devel go1.23-1400b26852 Thu Feb 8 03:02:00 2024 +0000. package main 
@@ -20,8 +20,11 @@ var runtimeAndDeps = map[string]bool{ "runtime/internal/sys": true, "runtime/internal/syscall": true, "runtime": true, - // Not a runtime dependency, but still uses tricks allowed by import path. - // Not a big deal either way, given that it's only imported in test packages. + // Not runtime dependencies, but still use tricks allowed by import path. + // TODO: collect directly from cmd/internal/objabi/pkgspecial.go, + // in this particular case from allowAsmABIPkgs. + "reflect": true, + "syscall": true, "runtime/internal/startlinetest": true, } diff --git a/hash.go b/hash.go index 6d78d0fc..e7def1f1 100644 --- a/hash.go +++ b/hash.go @@ -41,7 +41,7 @@ func decodeBuildIDHash(str string) []byte { panic(fmt.Sprintf("invalid hash %q: %v", str, err)) } if len(h) != buildIDHashLength { - panic(fmt.Sprintf("decodeHash expects to result in a hash of length %d, got %d", buildIDHashLength, len(h))) + panic(fmt.Sprintf("decodeBuildIDHash expects to result in a hash of length %d, got %d", buildIDHashLength, len(h))) } return h } diff --git a/scripts/gen-go-std-tables.sh b/scripts/gen-go-std-tables.sh index 63480253..30f771e6 100755 --- a/scripts/gen-go-std-tables.sh +++ b/scripts/gen-go-std-tables.sh @@ -34,8 +34,11 @@ var runtimeAndDeps = map[string]bool{ $(for path in ${runtime_and_deps}; do echo "\"${path}\": true," done) - // Not a runtime dependency, but still uses tricks allowed by import path. - // Not a big deal either way, given that it's only imported in test packages. + // Not runtime dependencies, but still use tricks allowed by import path. + // TODO: collect directly from cmd/internal/objabi/pkgspecial.go, + // in this particular case from allowAsmABIPkgs. + "reflect": true, + "syscall": true, "runtime/internal/startlinetest": true, } diff --git a/shared.go b/shared.go index 811ee876..b5b84018 100644 --- a/shared.go +++ b/shared.go 
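Review bot: The `"reflect": true,` and `"syscall": true,` entries added to the heredoc in scripts/gen-go-std-tables.sh are hand-maintained, and the new comment does not say what membership in `runtimeAndDeps` costs. The gogarble.txtar hunk in this same commit drops `'syscall.Listen'` from the `! binsubstr out` assertion, which suggests syscall names now stay readable in obfuscated binaries. That reduces obfuscation coverage, yet neither this comment nor the v0.12.0 changelog entry mentions it. I would add a line such as `// Packages listed here are left unobfuscated, so their names remain visible in binaries.`, after checking the wording against how `runtimeAndDeps` is consumed, which is not visible in this diff. The same applies to the matching lines in the generated go_std_tables.go hunk.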
@@ -188,6 +188,7 @@ func (p *listedPackage) obfuscatedImportPath() string { case "runtime", "reflect", "embed": return p.ImportPath } + // Intrinsics are matched by package import path as well. if compilerIntrinsicsPkgs[p.ImportPath] { return p.ImportPath } diff --git a/testdata/script/crossbuild.txtar b/testdata/script/crossbuild.txtar index 75f47b9b..b2e5208c 100644 --- a/testdata/script/crossbuild.txtar +++ b/testdata/script/crossbuild.txtar @@ -18,6 +18,16 @@ [arm] env GOARCH=arm64 exec garble build -gcflags=math/bits=-d=ssa/intrinsics/debug=1 stderr 'intrinsic substitution for Len64.*BitLen64' + +# As a last step, also test building for MacOS if we're not already on it. +# We already cover Windows and Linux above, and MacOS is the other major OS. +# The way it is implemented in the standard library, in particular with syscalls, +# is different enough that it sometimes causes special bugs. +[darwin] stop +env GOOS=darwin +env GOARCH=arm64 +exec garble build + -- go.mod -- module test/main diff --git a/testdata/script/gogarble.txtar b/testdata/script/gogarble.txtar index 3d9dab3f..3931c9c2 100644 --- a/testdata/script/gogarble.txtar +++ b/testdata/script/gogarble.txtar @@ -36,11 +36,11 @@ exec garble build std # Also ensure we are obfuscating low-level std packages. exec garble build -o=out ./stdimporter ! stderr . # no warnings -! binsubstr out 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' 'syscall.Listen' +! binsubstr out 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' # The same low-level std packages appear in plain sight in regular builds. go build -o=out_regular ./stdimporter -binsubstr out_regular 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' 'syscall.Listen' +binsubstr out_regular 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' # Also check that a full rebuild is reproducible, via a new GOCACHE. # This is slow, but necessary to uncover bugs hidden by the build cache. 
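Review bot: The darwin step added at the end of the crossbuild.txtar hunk stops at `exec garble build`, so it asserts only that the cross-build exits successfully. gogarble.txtar follows its build with `! stderr . # no warnings`. Adding the same line here would also catch warnings emitted on the darwin/arm64 path, assuming a clean cross-build is expected to print nothing.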
@@ -79,7 +79,6 @@ import ( "net/http" "runtime/debug" "time" - "syscall" ) func main() { @@ -88,5 +87,4 @@ func main() { // as it is implemented by runtime via a linkname. debug.WriteHeapDump(1) time.Now() - syscall.Listen(0, 1) }