cmd/compile: give every really deep type a unique name

This avoids the security problem in #29312 where two very deep, but
distinct, types are given the same name. They both make it to the
linker which chooses one, and the use of the other is now type unsafe.

Instead, give every very deep type its own name. This errs on the
other side, in that very deep types that should be convertible to each
other might now not be. But at least that's not a security hole.

Update #29312.

Change-Id: Iac0ebe73fdc50594fd6fbf7432eef65f9a053126
Reviewed-on: https://go-review.googlesource.com/c/go/+/213517
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Reviewed-by: Robert Griesemer <gri@golang.org>

src/cmd/compile/internal/gc/fmt.go

@@ -1731,6 +1731,8 @@ func typeFormat(t *types.Type, s fmt.State, verb rune, mode fmtMode) {
 	}
 }
 
+var deepTypes map[*types.Type]string
+
 // See #16897 before changing the implementation of tconv.
 func tconv(t *types.Type, flag FmtFlag, mode fmtMode, depth int) string {
 	if t == nil {
@@ -1747,8 +1749,19 @@ func tconv(t *types.Type, flag FmtFlag, mode fmtMode, depth int) string {
 	// limits the depths of valid composite types, but they are likely
 	// artificially created.
 	// TODO(gri) should have proper cycle detection here, eventually (issue #29312)
+	// For now, ensure that each of these really deep types are at least uniquely
+	// named, so that such types don't collide in the linker and thus allow security holes.
 	if depth > 250 {
-		return "<...>"
+		if str := deepTypes[t]; str != "" {
+			return str
+		}
+		if deepTypes == nil {
+			deepTypes = map[*types.Type]string{}
+		}
+		id := len(deepTypes)
+		str := fmt.Sprintf("<...uniquetype_%d_in_%s>", id, curpkg().Path)
+		deepTypes[t] = str
+		return str
 	}
 
 	flag, mode = flag.update(mode)