[release-branch.go1.24] go1.24.10

Change-Id: I74370108e95298bec0fe0f7738867072ece0d0ff
Reviewed-on: https://go-review.googlesource.com/c/go/+/718063
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>

VERSION

@@ -0,0 +1,2 @@
+go1.24.10
+time 2025-10-31T13:24:27Z

codereview.cfg

@@ -1 +1,2 @@
-branch: master
+branch: release-branch.go1.24
+parent-branch: master

doc/godebug.md

@@ -151,8 +151,29 @@ for example,
 see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables)
 and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
 
+### Go 1.26
+
+Go 1.26 added a new `httpcookiemaxnum` setting that controls the maximum number
+of cookies that net/http will accept when parsing HTTP headers. If the number of
+cookie in a header exceeds the number set in `httpcookiemaxnum`, cookie parsing
+will fail early. The default value is `httpcookiemaxnum=3000`. Setting
+`httpcookiemaxnum=0` will allow the cookie parsing to accept an indefinite
+number of cookies. To avoid denial of service attacks, this setting and default
+was backported to Go 1.25.2 and Go 1.24.8.
+
 ### Go 1.24
 
+Go 1.24 added a new `fips140` setting that controls whether the Go
+Cryptographic Module operates in FIPS 140-3 mode.
+The possible values are:
+- "off": no special support for FIPS 140-3 mode. This is the default.
+- "on": the Go Cryptographic Module operates in FIPS 140-3 mode.
+- "only": like "on", but cryptographic algorithms not approved by
+  FIPS 140-3 return an error or panic.
+For more information, see [FIPS 140-3 Compliance](/doc/security/fips140).
+This setting is fixed at program startup time, and can't be modified
+by changing the `GODEBUG` environment variable after the program starts.
+
 Go 1.24 changed the global [`math/rand.Seed`](/pkg/math/rand/#Seed) to be a
 no-op. This behavior is controlled by the `randseednop` setting.
 For Go 1.24 it defaults to `randseednop=1`.
@@ -213,6 +234,10 @@ use and validate the CRT parameters in the encoded private key. This behavior
 can be controlled with the `x509rsacrt` setting. Using `x509rsacrt=0` restores
 the Go 1.23 behavior.
 
+Go 1.24.5 disabled build information stamping when multiple VCS are detected due
+to concerns around VCS injection attacks. This behavior can be renabled with the
+setting `allowmultiplevcs=1`.
+
 ### Go 1.23
 
 Go 1.23 changed the channels created by package time to be unbuffered

lib/fips140/fips140.sum

@@ -9,4 +9,4 @@
 #
 #	go test cmd/go/internal/fips140 -update
 #
-v1.0.0.zip b50508feaeff05d22516b21e1fd210bbf5d6a1e422eaf2cfa23fe379342713b8
+v1.0.0-c2097c7c.zip daf3614e0406f67ae6323c902db3f953a1effb199142362a039e7526dfb9368b

lib/fips140/inprocess.txt

@@ -0,0 +1 @@
+v1.0.0-c2097c7c

lib/fips140/v1.0.0.txt

@@ -0,0 +1 @@
+v1.0.0-c2097c7c

src/archive/tar/common.go

@@ -39,6 +39,7 @@ var (
 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
+	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
 )
 
 type headerError []string

src/archive/tar/reader.go

@@ -531,12 +531,17 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
 		cntNewline int64
 		buf        bytes.Buffer
 		blk        block
+		totalSize  int
 	)
 
 	// feedTokens copies data in blocks from r into buf until there are
 	// at least cnt newlines in buf. It will not read more blocks than needed.
 	feedTokens := func(n int64) error {
 		for cntNewline < n {
+			totalSize += len(blk)
+			if totalSize > maxSpecialFileSize {
+				return errSparseTooLong
+			}
 			if _, err := mustReadFull(r, blk[:]); err != nil {
 				return err
 			}
@@ -569,8 +574,8 @@ func readGNUSparseMap1x0(r io.Reader) (sparseDatas, error) {
 	}
 
 	// Parse for all member entries.
-	// numEntries is trusted after this since a potential attacker must have
-	// committed resources proportional to what this library used.
+	// numEntries is trusted after this since feedTokens limits the number of
+	// tokens based on maxSpecialFileSize.
 	if err := feedTokens(2 * numEntries); err != nil {
 		return nil, err
 	}

src/archive/tar/reader_test.go

@@ -621,6 +621,11 @@ func TestReader(t *testing.T) {
 			},
 			Format: FormatPAX,
 		}},
+	}, {
+		// Small compressed file that uncompresses to
+		// a file with a very large GNU 1.0 sparse map.
+		file: "testdata/gnu-sparse-many-zeros.tar.bz2",
+		err:  errSparseTooLong,
 	}}
 
 	for _, v := range vectors {

src/bytes/iter.go

@@ -67,26 +67,26 @@ func splitSeq(s, sep []byte, sepSave int) iter.Seq[[]byte] {
 	}
 }
 
-// SplitSeq returns an iterator over all substrings of s separated by sep.
-// The iterator yields the same strings that would be returned by [Split](s, sep),
-// but without constructing the slice.
+// SplitSeq returns an iterator over all subslices of s separated by sep.
+// The iterator yields the same subslices that would be returned by [Split](s, sep),
+// but without constructing a new slice containing the subslices.
 // It returns a single-use iterator.
 func SplitSeq(s, sep []byte) iter.Seq[[]byte] {
 	return splitSeq(s, sep, 0)
 }
 
-// SplitAfterSeq returns an iterator over substrings of s split after each instance of sep.
-// The iterator yields the same strings that would be returned by [SplitAfter](s, sep),
-// but without constructing the slice.
+// SplitAfterSeq returns an iterator over subslices of s split after each instance of sep.
+// The iterator yields the same subslices that would be returned by [SplitAfter](s, sep),
+// but without constructing a new slice containing the subslices.
 // It returns a single-use iterator.
 func SplitAfterSeq(s, sep []byte) iter.Seq[[]byte] {
 	return splitSeq(s, sep, len(sep))
 }
 
-// FieldsSeq returns an iterator over substrings of s split around runs of
+// FieldsSeq returns an iterator over subslices of s split around runs of
 // whitespace characters, as defined by [unicode.IsSpace].
-// The iterator yields the same strings that would be returned by [Fields](s),
-// but without constructing the slice.
+// The iterator yields the same subslices that would be returned by [Fields](s),
+// but without constructing a new slice containing the subslices.
 func FieldsSeq(s []byte) iter.Seq[[]byte] {
 	return func(yield func([]byte) bool) {
 		start := -1
@@ -116,10 +116,10 @@ func FieldsSeq(s []byte) iter.Seq[[]byte] {
 	}
 }
 
-// FieldsFuncSeq returns an iterator over substrings of s split around runs of
+// FieldsFuncSeq returns an iterator over subslices of s split around runs of
 // Unicode code points satisfying f(c).
-// The iterator yields the same strings that would be returned by [FieldsFunc](s),
-// but without constructing the slice.
+// The iterator yields the same subslices that would be returned by [FieldsFunc](s),
+// but without constructing a new slice containing the subslices.
 func FieldsFuncSeq(s []byte, f func(rune) bool) iter.Seq[[]byte] {
 	return func(yield func([]byte) bool) {
 		start := -1

src/cmd/cgo/internal/test/issue42018_windows.go

@@ -27,6 +27,7 @@ func test42018(t *testing.T) {
 	recurseHWND(400, hwnd, uintptr(unsafe.Pointer(&i)))
 }
 
+//go:noinline
 func recurseHANDLE(n int, p C.HANDLE, v uintptr) {
 	if n > 0 {
 		recurseHANDLE(n-1, p, v)
@@ -36,6 +37,7 @@ func recurseHANDLE(n int, p C.HANDLE, v uintptr) {
 	}
 }
 
+//go:noinline
 func recurseHWND(n int, p C.HWND, v uintptr) {
 	if n > 0 {
 		recurseHWND(n-1, p, v)

src/cmd/cgo/internal/testsanitizers/asan_test.go

@@ -42,6 +42,8 @@ func TestASAN(t *testing.T) {
 		{src: "asan_global3_fail.go", memoryAccessError: "global-buffer-overflow", errorLocation: "asan_global3_fail.go:13"},
 		{src: "asan_global4_fail.go", memoryAccessError: "global-buffer-overflow", errorLocation: "asan_global4_fail.go:21"},
 		{src: "asan_global5.go"},
+		{src: "asan_global_asm"},
+		{src: "asan_global_asm2_fail", memoryAccessError: "global-buffer-overflow", errorLocation: "main.go:17"},
 		{src: "arena_fail.go", memoryAccessError: "use-after-poison", errorLocation: "arena_fail.go:26", experiments: []string{"arenas"}},
 	}
 	for _, tc := range cases {

src/cmd/cgo/internal/testsanitizers/cc_test.go

@@ -536,7 +536,7 @@ func (c *config) checkRuntime() (skip bool, err error) {
 
 // srcPath returns the path to the given file relative to this test's source tree.
 func srcPath(path string) string {
-	return filepath.Join("testdata", path)
+	return "./testdata/" + path
 }
 
 // A tempDir manages a temporary directory within a test.

src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm/asm.s

@@ -0,0 +1,8 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+#include "textflag.h"
+
+DATA	·x(SB)/8, $123
+GLOBL	·x(SB), NOPTR, $8

src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm/main.go

@@ -0,0 +1,11 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+var x uint64
+
+func main() {
+	println(x)
+}

src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm2_fail/asm.s

@@ -0,0 +1,8 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+#include "textflag.h"
+
+DATA	·x(SB)/8, $123
+GLOBL	·x(SB), NOPTR, $8

src/cmd/cgo/internal/testsanitizers/testdata/asan_global_asm2_fail/main.go

@@ -0,0 +1,20 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import "unsafe"
+
+var x uint64
+
+func main() {
+	bar(&x)
+}
+
+func bar(a *uint64) {
+	p := (*uint64)(unsafe.Add(unsafe.Pointer(a), 1*unsafe.Sizeof(uint64(1))))
+	if *p == 10 { // BOOM
+		println("its value is 10")
+	}
+}

src/cmd/compile/internal/inline/inl.go

@@ -42,6 +42,7 @@ import (
 	"cmd/compile/internal/types"
 	"cmd/internal/obj"
 	"cmd/internal/pgo"
+	"cmd/internal/src"
 )
 
 // Inlining budget parameters, gathered in one place
@@ -169,19 +170,8 @@ func CanInlineFuncs(funcs []*ir.Func, profile *pgoir.Profile) {
 	}
 
 	ir.VisitFuncsBottomUp(funcs, func(funcs []*ir.Func, recursive bool) {
-		numfns := numNonClosures(funcs)
-
 		for _, fn := range funcs {
-			if !recursive || numfns > 1 {
-				// We allow inlining if there is no
-				// recursion, or the recursion cycle is
-				// across more than one function.
-				CanInline(fn, profile)
-			} else {
-				if base.Flag.LowerM > 1 && fn.OClosure == nil {
-					fmt.Printf("%v: cannot inline %v: recursive\n", ir.Line(fn), fn.Nname)
-				}
-			}
+			CanInline(fn, profile)
 			if inlheur.Enabled() {
 				analyzeFuncProps(fn, profile)
 			}
@@ -974,6 +964,16 @@ func inlineCostOK(n *ir.CallExpr, caller, callee *ir.Func, bigCaller, closureCal
 	return true, 0, metric, hot
 }
 
+// parsePos returns all the inlining positions and the innermost position.
+func parsePos(pos src.XPos, posTmp []src.Pos) ([]src.Pos, src.Pos) {
+	ctxt := base.Ctxt
+	ctxt.AllPos(pos, func(p src.Pos) {
+		posTmp = append(posTmp, p)
+	})
+	l := len(posTmp) - 1
+	return posTmp[:l], posTmp[l]
+}
+
 // canInlineCallExpr returns true if the call n from caller to callee
 // can be inlined, plus the score computed for the call expr in question,
 // and whether the callee is hot according to PGO.
@@ -1001,12 +1001,15 @@ func canInlineCallExpr(callerfn *ir.Func, n *ir.CallExpr, callee *ir.Func, bigCa
 		return false, 0, false
 	}
 
-	if callee == callerfn {
-		// Can't recursively inline a function into itself.
-		if log && logopt.Enabled() {
-			logopt.LogOpt(n.Pos(), "cannotInlineCall", "inline", fmt.Sprintf("recursive call to %s", ir.FuncName(callerfn)))
+	callees, calleeInner := parsePos(n.Pos(), make([]src.Pos, 0, 10))
+
+	for _, p := range callees {
+		if p.Line() == calleeInner.Line() && p.Col() == calleeInner.Col() && p.AbsFilename() == calleeInner.AbsFilename() {
+			if log && logopt.Enabled() {
+				logopt.LogOpt(n.Pos(), "cannotInlineCall", "inline", fmt.Sprintf("recursive call to %s", ir.FuncName(callerfn)))
+			}
+			return false, 0, false
 		}
-		return false, 0, false
 	}
 
 	if base.Flag.Cfg.Instrumenting && types.IsNoInstrumentPkg(callee.Sym().Pkg) {

src/cmd/compile/internal/inline/interleaved/interleaved.go

@@ -253,7 +253,7 @@ func (s *inlClosureState) mark(n ir.Node) ir.Node {
 
 	if isTestingBLoop(n) {
 		// No inlining nor devirtualization performed on b.Loop body
-		if base.Flag.LowerM > 1 {
+		if base.Flag.LowerM > 0 {
 			fmt.Printf("%v: skip inlining within testing.B.loop for %v\n", ir.Line(n), n)
 		}
 		// We still want to explore inlining opportunities in other parts of ForStmt.

src/cmd/compile/internal/ssa/_gen/AMD64Ops.go

@@ -886,8 +886,8 @@ func init() {
 				inputs:   []regMask{buildReg("DI")},
 				clobbers: buildReg("DI"),
 			},
-			faultOnNilArg0: true,
-			unsafePoint:    true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
+			//faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+			unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
 		},
 
 		// arg0 = address of memory to zero
@@ -924,10 +924,10 @@ func init() {
 				inputs:   []regMask{buildReg("DI"), buildReg("SI")},
 				clobbers: buildReg("DI SI X0"), // uses X0 as a temporary
 			},
-			clobberFlags:   true,
-			faultOnNilArg0: true,
-			faultOnNilArg1: true,
-			unsafePoint:    true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
+			clobberFlags: true,
+			//faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+			//faultOnNilArg1: true,
+			unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
 		},
 
 		// arg0 = destination pointer

src/cmd/compile/internal/ssa/_gen/ARM64.rules

@@ -1148,10 +1148,12 @@
 (SUB a l:(MNEGW x y)) && v.Type.Size() <= 4 && l.Uses==1 && clobber(l) => (MADDW a x y)
 
 // madd/msub can't take constant arguments, so do a bit of reordering if a non-constant is available.
-(ADD a p:(ADDconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 => (ADDconst [c] (ADD <v.Type> a m))
-(ADD a p:(SUBconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 => (SUBconst [c] (ADD <v.Type> a m))
-(SUB a p:(ADDconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 => (SUBconst [c] (SUB <v.Type> a m))
-(SUB a p:(SUBconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 => (ADDconst [c] (SUB <v.Type> a m))
+// Note: don't reorder arithmetic concerning pointers, as we must ensure that
+// no intermediate computations are invalid pointers.
+(ADD <t> a p:(ADDconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 && !t.IsPtrShaped() => (ADDconst [c] (ADD <v.Type> a m))
+(ADD <t> a p:(SUBconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 && !t.IsPtrShaped() => (SUBconst [c] (ADD <v.Type> a m))
+(SUB <t> a p:(ADDconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 && !t.IsPtrShaped() => (SUBconst [c] (SUB <v.Type> a m))
+(SUB <t> a p:(SUBconst [c] m:((MUL|MULW|MNEG|MNEGW) _ _))) && p.Uses==1 && m.Uses==1 && !t.IsPtrShaped() => (ADDconst [c] (SUB <v.Type> a m))
 
 // optimize ADCSflags, SBCSflags and friends
 (ADCSflags x y (Select1 <types.TypeFlags> (ADDSconstflags [-1] (ADCzerocarry <typ.UInt64> c)))) => (ADCSflags x y c)

src/cmd/compile/internal/ssa/_gen/ARM64Ops.go

@@ -536,8 +536,8 @@ func init() {
 				inputs:   []regMask{buildReg("R20")},
 				clobbers: buildReg("R16 R17 R20 R30"),
 			},
-			faultOnNilArg0: true,
-			unsafePoint:    true, // FP maintenance around DUFFZERO can be clobbered by interrupts
+			//faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+			unsafePoint: true, // FP maintenance around DUFFZERO can be clobbered by interrupts
 		},
 
 		// large zeroing
@@ -577,9 +577,9 @@ func init() {
 				inputs:   []regMask{buildReg("R21"), buildReg("R20")},
 				clobbers: buildReg("R16 R17 R20 R21 R26 R30"),
 			},
-			faultOnNilArg0: true,
-			faultOnNilArg1: true,
-			unsafePoint:    true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
+			//faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+			//faultOnNilArg1: true,
+			unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
 		},
 
 		// large move

src/cmd/compile/internal/ssa/func.go

@@ -41,11 +41,12 @@ type Func struct {
 	ABISelf        *abi.ABIConfig // ABI for function being compiled
 	ABIDefault     *abi.ABIConfig // ABI for rtcall and other no-parsed-signature/pragma functions.
 
-	scheduled   bool  // Values in Blocks are in final order
-	laidout     bool  // Blocks are ordered
-	NoSplit     bool  // true if function is marked as nosplit.  Used by schedule check pass.
-	dumpFileSeq uint8 // the sequence numbers of dump file. (%s_%02d__%s.dump", funcname, dumpFileSeq, phaseName)
-	IsPgoHot    bool
+	scheduled         bool  // Values in Blocks are in final order
+	laidout           bool  // Blocks are ordered
+	NoSplit           bool  // true if function is marked as nosplit.  Used by schedule check pass.
+	dumpFileSeq       uint8 // the sequence numbers of dump file. (%s_%02d__%s.dump", funcname, dumpFileSeq, phaseName)
+	IsPgoHot          bool
+	HasDeferRangeFunc bool // if true, needs a deferreturn so deferrangefunc can use it for recover() return PC
 
 	// when register allocation is done, maps value ids to locations
 	RegAlloc []Location

src/cmd/compile/internal/ssa/opGen.go

@@ -13777,11 +13777,10 @@ var opcodeTable = [...]opInfo{
 		},
 	},
 	{
-		name:           "DUFFZERO",
-		auxType:        auxInt64,
-		argLen:         2,
-		faultOnNilArg0: true,
-		unsafePoint:    true,
+		name:        "DUFFZERO",
+		auxType:     auxInt64,
+		argLen:      2,
+		unsafePoint: true,
 		reg: regInfo{
 			inputs: []inputInfo{
 				{0, 128}, // DI
@@ -13851,13 +13850,11 @@ var opcodeTable = [...]opInfo{
 		},
 	},
 	{
-		name:           "DUFFCOPY",
-		auxType:        auxInt64,
-		argLen:         3,
-		clobberFlags:   true,
-		faultOnNilArg0: true,
-		faultOnNilArg1: true,
-		unsafePoint:    true,
+		name:         "DUFFCOPY",
+		auxType:      auxInt64,
+		argLen:       3,
+		clobberFlags: true,
+		unsafePoint:  true,
 		reg: regInfo{
 			inputs: []inputInfo{
 				{0, 128}, // DI
@@ -22970,11 +22967,10 @@ var opcodeTable = [...]opInfo{
 		},
 	},
 	{
-		name:           "DUFFZERO",
-		auxType:        auxInt64,
-		argLen:         2,
-		faultOnNilArg0: true,
-		unsafePoint:    true,
+		name:        "DUFFZERO",
+		auxType:     auxInt64,
+		argLen:      2,
+		unsafePoint: true,
 		reg: regInfo{
 			inputs: []inputInfo{
 				{0, 1048576}, // R20
@@ -22996,12 +22992,10 @@ var opcodeTable = [...]opInfo{
 		},
 	},
 	{
-		name:           "DUFFCOPY",
-		auxType:        auxInt64,
-		argLen:         3,
-		faultOnNilArg0: true,
-		faultOnNilArg1: true,
-		unsafePoint:    true,
+		name:        "DUFFCOPY",
+		auxType:     auxInt64,
+		argLen:      3,
+		unsafePoint: true,
 		reg: regInfo{
 			inputs: []inputInfo{
 				{0, 2097152}, // R21

src/cmd/compile/internal/ssa/prove.go

@@ -552,8 +552,9 @@ func (ft *factsTable) newLimit(v *Value, newLim limit) bool {
 	}
 
 	if lim.unsat() {
+		r := !ft.unsat
 		ft.unsat = true
-		return true
+		return r
 	}
 
 	// Check for recursion. This normally happens because in unsatisfiable

src/cmd/compile/internal/ssa/regalloc.go

@@ -1670,6 +1670,7 @@ func (s *regAllocState) regalloc(f *Func) {
 				}
 				tmpReg = s.allocReg(m, &tmpVal)
 				s.nospill |= regMask(1) << tmpReg
+				s.tmpused |= regMask(1) << tmpReg
 			}
 
 			// Now that all args are in regs, we're ready to issue the value itself.

src/cmd/compile/internal/ssa/rewrite.go

@@ -1470,6 +1470,11 @@ func GetPPC64Shiftme(auxint int64) int64 {
 // operation.  Masks can also extend from the msb and wrap to
 // the lsb too.  That is, the valid masks are 32 bit strings
 // of the form: 0..01..10..0 or 1..10..01..1 or 1...1
+//
+// Note: This ignores the upper 32 bits of the input. When a
+// zero extended result is desired (e.g a 64 bit result), the
+// user must verify the upper 32 bits are 0 and the mask is
+// contiguous (that is, non-wrapping).
 func isPPC64WordRotateMask(v64 int64) bool {
 	// Isolate rightmost 1 (if none 0) and add.
 	v := uint32(v64)
@@ -1480,6 +1485,16 @@ func isPPC64WordRotateMask(v64 int64) bool {
 	return (v&vp == 0 || vn&vpn == 0) && v != 0
 }
 
+// Test if this mask is a valid, contiguous bitmask which can be
+// represented by a RLWNM mask and also clears the upper 32 bits
+// of the register.
+func isPPC64WordRotateMaskNonWrapping(v64 int64) bool {
+	// Isolate rightmost 1 (if none 0) and add.
+	v := uint32(v64)
+	vp := (v & -v) + v
+	return (v&vp == 0) && v != 0 && uint64(uint32(v64)) == uint64(v64)
+}
+
 // Compress mask and shift into single value of the form
 // me | mb<<8 | rotate<<16 | nbits<<24 where me and mb can
 // be used to regenerate the input mask.
@@ -1589,7 +1604,7 @@ func mergePPC64AndSrdi(m, s int64) int64 {
 	if rv&uint64(mask) != 0 {
 		return 0
 	}
-	if !isPPC64WordRotateMask(mask) {
+	if !isPPC64WordRotateMaskNonWrapping(mask) {
 		return 0
 	}
 	return encodePPC64RotateMask((32-s)&31, mask, 32)
@@ -1604,7 +1619,7 @@ func mergePPC64AndSldi(m, s int64) int64 {
 	if rv&uint64(mask) != 0 {
 		return 0
 	}
-	if !isPPC64WordRotateMask(mask) {
+	if !isPPC64WordRotateMaskNonWrapping(mask) {
 		return 0
 	}
 	return encodePPC64RotateMask(s&31, mask, 32)

src/cmd/compile/internal/ssa/rewriteARM64.go

@@ -1331,10 +1331,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(ADDconst [c] m:(MUL _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(ADDconst [c] m:(MUL _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1343,7 +1344,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64ADDconst)
@@ -1355,10 +1356,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(ADDconst [c] m:(MULW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(ADDconst [c] m:(MULW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1367,7 +1369,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64ADDconst)
@@ -1379,10 +1381,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(ADDconst [c] m:(MNEG _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(ADDconst [c] m:(MNEG _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1391,7 +1394,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64ADDconst)
@@ -1403,10 +1406,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(ADDconst [c] m:(MNEGW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(ADDconst [c] m:(MNEGW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1415,7 +1419,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64ADDconst)
@@ -1427,10 +1431,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(SUBconst [c] m:(MUL _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(SUBconst [c] m:(MUL _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1439,7 +1444,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64SUBconst)
@@ -1451,10 +1456,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(SUBconst [c] m:(MULW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(SUBconst [c] m:(MULW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1463,7 +1469,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64SUBconst)
@@ -1475,10 +1481,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(SUBconst [c] m:(MNEG _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(SUBconst [c] m:(MNEG _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1487,7 +1494,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64SUBconst)
@@ -1499,10 +1506,11 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 		}
 		break
 	}
-	// match: (ADD a p:(SUBconst [c] m:(MNEGW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (ADD <t> a p:(SUBconst [c] m:(MNEGW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (ADD <v.Type> a m))
 	for {
+		t := v.Type
 		for _i0 := 0; _i0 <= 1; _i0, v_0, v_1 = _i0+1, v_1, v_0 {
 			a := v_0
 			p := v_1
@@ -1511,7 +1519,7 @@ func rewriteValueARM64_OpARM64ADD(v *Value) bool {
 			}
 			c := auxIntToInt64(p.AuxInt)
 			m := p.Args[0]
-			if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1) {
+			if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 				continue
 			}
 			v.reset(OpARM64SUBconst)
@@ -16604,10 +16612,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg3(a, x, y)
 		return true
 	}
-	// match: (SUB a p:(ADDconst [c] m:(MUL _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(ADDconst [c] m:(MUL _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64ADDconst {
@@ -16615,7 +16624,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64SUBconst)
@@ -16625,10 +16634,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (SUB a p:(ADDconst [c] m:(MULW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(ADDconst [c] m:(MULW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64ADDconst {
@@ -16636,7 +16646,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64SUBconst)
@@ -16646,10 +16656,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (SUB a p:(ADDconst [c] m:(MNEG _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(ADDconst [c] m:(MNEG _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64ADDconst {
@@ -16657,7 +16668,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64SUBconst)
@@ -16667,10 +16678,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (SUB a p:(ADDconst [c] m:(MNEGW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(ADDconst [c] m:(MNEGW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (SUBconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64ADDconst {
@@ -16678,7 +16690,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64SUBconst)
@@ -16688,10 +16700,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (SUB a p:(SUBconst [c] m:(MUL _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(SUBconst [c] m:(MUL _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64SUBconst {
@@ -16699,7 +16712,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MUL || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64ADDconst)
@@ -16709,10 +16722,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (SUB a p:(SUBconst [c] m:(MULW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(SUBconst [c] m:(MULW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64SUBconst {
@@ -16720,7 +16734,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MULW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64ADDconst)
@@ -16730,10 +16744,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (SUB a p:(SUBconst [c] m:(MNEG _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(SUBconst [c] m:(MNEG _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64SUBconst {
@@ -16741,7 +16756,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MNEG || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64ADDconst)
@@ -16751,10 +16766,11 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		v.AddArg(v0)
 		return true
 	}
-	// match: (SUB a p:(SUBconst [c] m:(MNEGW _ _)))
-	// cond: p.Uses==1 && m.Uses==1
+	// match: (SUB <t> a p:(SUBconst [c] m:(MNEGW _ _)))
+	// cond: p.Uses==1 && m.Uses==1 && !t.IsPtrShaped()
 	// result: (ADDconst [c] (SUB <v.Type> a m))
 	for {
+		t := v.Type
 		a := v_0
 		p := v_1
 		if p.Op != OpARM64SUBconst {
@@ -16762,7 +16778,7 @@ func rewriteValueARM64_OpARM64SUB(v *Value) bool {
 		}
 		c := auxIntToInt64(p.AuxInt)
 		m := p.Args[0]
-		if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1) {
+		if m.Op != OpARM64MNEGW || !(p.Uses == 1 && m.Uses == 1 && !t.IsPtrShaped()) {
 			break
 		}
 		v.reset(OpARM64ADDconst)

src/cmd/compile/internal/ssa/tighten.go

@@ -118,18 +118,21 @@ func tighten(f *Func) {
 
 		// If the target location is inside a loop,
 		// move the target location up to just before the loop head.
-		for _, b := range f.Blocks {
-			origloop := loops.b2l[b.ID]
-			for _, v := range b.Values {
-				t := target[v.ID]
-				if t == nil {
-					continue
-				}
-				targetloop := loops.b2l[t.ID]
-				for targetloop != nil && (origloop == nil || targetloop.depth > origloop.depth) {
-					t = idom[targetloop.header.ID]
-					target[v.ID] = t
-					targetloop = loops.b2l[t.ID]
+		if !loops.hasIrreducible {
+			// Loop info might not be correct for irreducible loops. See issue 75569.
+			for _, b := range f.Blocks {
+				origloop := loops.b2l[b.ID]
+				for _, v := range b.Values {
+					t := target[v.ID]
+					if t == nil {
+						continue
+					}
+					targetloop := loops.b2l[t.ID]
+					for targetloop != nil && (origloop == nil || targetloop.depth > origloop.depth) {
+						t = idom[targetloop.header.ID]
+						target[v.ID] = t
+						targetloop = loops.b2l[t.ID]
+					}
 				}
 			}
 		}

src/cmd/compile/internal/ssagen/ssa.go

@@ -4433,6 +4433,9 @@ func (s *state) call(n *ir.CallExpr, k callKind, returnResultAddr bool, deferExt
 					callABI = s.f.ABI1
 				}
 			}
+			if fn := n.Fun.Sym().Name; n.Fun.Sym().Pkg == ir.Pkgs.Runtime && fn == "deferrangefunc" {
+				s.f.HasDeferRangeFunc = true
+			}
 			break
 		}
 		closure = s.expr(fn)
@@ -6566,10 +6569,13 @@ func genssa(f *ssa.Func, pp *objw.Progs) {
 		// nop (which will never execute) after the call.
 		Arch.Ginsnop(s.pp)
 	}
-	if openDeferInfo != nil {
+	if openDeferInfo != nil || f.HasDeferRangeFunc {
 		// When doing open-coded defers, generate a disconnected call to
 		// deferreturn and a return. This will be used to during panic
 		// recovery to unwind the stack and return back to the runtime.
+		//
+		// deferrangefunc needs to be sure that at least one of these exists;
+		// if all returns are dead-code eliminated, there might not be.
 		s.pp.NextLive = s.livenessMap.DeferReturn
 		p := s.pp.Prog(obj.ACALL)
 		p.To.Type = obj.TYPE_MEM

src/cmd/compile/internal/test/inl_test.go

@@ -230,6 +230,9 @@ func TestIntendedInlining(t *testing.T) {
 			"(*Pointer[go.shape.int]).Store",
 			"(*Pointer[go.shape.int]).Swap",
 		},
+		"testing": {
+			"(*B).Loop",
+		},
 	}
 
 	if !goexperiment.SwissMap {

src/cmd/compile/internal/types2/assignments.go

@@ -204,7 +204,7 @@ func (check *Checker) lhsVar(lhs syntax.Expr) Type {
 			// dot-imported variables.
 			if w, _ := obj.(*Var); w != nil && w.pkg == check.pkg {
 				v = w
-				v_used = v.used
+				v_used = check.usedVars[v]
 			}
 		}
 	}
@@ -213,7 +213,7 @@ func (check *Checker) lhsVar(lhs syntax.Expr) Type {
 	check.expr(nil, &x, lhs)
 
 	if v != nil {
-		v.used = v_used // restore v.used
+		check.usedVars[v] = v_used // restore v.used
 	}
 
 	if x.mode == invalid || !isValid(x.typ) {

src/cmd/compile/internal/types2/call.go

@@ -687,7 +687,7 @@ func (check *Checker) selector(x *operand, e *syntax.SelectorExpr, def *TypeName
 		if pname, _ := obj.(*PkgName); pname != nil {
 			assert(pname.pkg == check.pkg)
 			check.recordUse(ident, pname)
-			pname.used = true
+			check.usedPkgNames[pname] = true
 			pkg := pname.imported
 
 			var exp Object
@@ -972,13 +972,13 @@ func (check *Checker) use1(e syntax.Expr, lhs bool) bool {
 				// dot-imported variables.
 				if w, _ := obj.(*Var); w != nil && w.pkg == check.pkg {
 					v = w
-					v_used = v.used
+					v_used = check.usedVars[v]
 				}
 			}
 		}
 		check.exprOrType(&x, n, true)
 		if v != nil {
-			v.used = v_used // restore v.used
+			check.usedVars[v] = v_used // restore v.used
 		}
 	case *syntax.ListExpr:
 		return check.useN(n.ElemList, lhs)

src/cmd/compile/internal/types2/check.go

@@ -162,6 +162,8 @@ type Checker struct {
 	dotImportMap  map[dotImportKey]*PkgName  // maps dot-imported objects to the package they were dot-imported through
 	brokenAliases map[*TypeName]bool         // set of aliases with broken (not yet determined) types
 	unionTypeSets map[*Union]*_TypeSet       // computed type sets for union types
+	usedVars      map[*Var]bool              // set of used variables
+	usedPkgNames  map[*PkgName]bool          // set of used package names
 	mono          monoGraph                  // graph for detecting non-monomorphizable instantiation loops
 
 	firstErr error                    // first error encountered
@@ -285,12 +287,14 @@ func NewChecker(conf *Config, pkg *Package, info *Info) *Checker {
 	// (previously, pkg.goVersion was mutated here: go.dev/issue/61212)
 
 	return &Checker{
-		conf:   conf,
-		ctxt:   conf.Context,
-		pkg:    pkg,
-		Info:   info,
-		objMap: make(map[Object]*declInfo),
-		impMap: make(map[importKey]*Package),
+		conf:         conf,
+		ctxt:         conf.Context,
+		pkg:          pkg,
+		Info:         info,
+		objMap:       make(map[Object]*declInfo),
+		impMap:       make(map[importKey]*Package),
+		usedVars:     make(map[*Var]bool),
+		usedPkgNames: make(map[*PkgName]bool),
 	}
 }
 
@@ -298,6 +302,8 @@ func NewChecker(conf *Config, pkg *Package, info *Info) *Checker {
 // The provided files must all belong to the same package.
 func (check *Checker) initFiles(files []*syntax.File) {
 	// start with a clean slate (check.Files may be called multiple times)
+	// TODO(gri): what determines which fields are zeroed out here, vs at the end
+	// of checkFiles?
 	check.files = nil
 	check.imports = nil
 	check.dotImportMap = nil
@@ -309,6 +315,13 @@ func (check *Checker) initFiles(files []*syntax.File) {
 	check.objPath = nil
 	check.cleaners = nil
 
+	// We must initialize usedVars and usedPkgNames both here and in NewChecker,
+	// because initFiles is not called in the CheckExpr or Eval codepaths, yet we
+	// want to free this memory at the end of Files ('used' predicates are
+	// only needed in the context of a given file).
+	check.usedVars = make(map[*Var]bool)
+	check.usedPkgNames = make(map[*PkgName]bool)
+
 	// determine package name and collect valid files
 	pkg := check.pkg
 	for _, file := range files {
@@ -482,8 +495,11 @@ func (check *Checker) checkFiles(files []*syntax.File) {
 	check.seenPkgMap = nil
 	check.brokenAliases = nil
 	check.unionTypeSets = nil
+	check.usedVars = nil
+	check.usedPkgNames = nil
 	check.ctxt = nil
 
+	// TODO(gri): shouldn't the cleanup above occur after the bailout?
 	// TODO(gri) There's more memory we should release at this point.
 }
 

src/cmd/compile/internal/types2/object.go

@@ -242,13 +242,12 @@ func (a *object) cmp(b *object) int {
 type PkgName struct {
 	object
 	imported *Package
-	used     bool // set if the package was used
 }
 
 // NewPkgName returns a new PkgName object representing an imported package.
 // The remaining arguments set the attributes found with all Objects.
 func NewPkgName(pos syntax.Pos, pkg *Package, name string, imported *Package) *PkgName {
-	return &PkgName{object{nil, pos, pkg, name, Typ[Invalid], 0, black, nopos}, imported, false}
+	return &PkgName{object{nil, pos, pkg, name, Typ[Invalid], 0, black, nopos}, imported}
 }
 
 // Imported returns the package that was imported.
@@ -331,10 +330,10 @@ func (obj *TypeName) IsAlias() bool {
 // A Variable represents a declared variable (including function parameters and results, and struct fields).
 type Var struct {
 	object
+	origin   *Var // if non-nil, the Var from which this one was instantiated
 	embedded bool // if set, the variable is an embedded struct field, and name is the type name
 	isField  bool // var is struct field
-	used     bool // set if the variable was used
-	origin   *Var // if non-nil, the Var from which this one was instantiated
+	isParam  bool // var is a param, for backport of 'used' check to go1.24 (go.dev/issue/72826)
 }
 
 // NewVar returns a new variable.
@@ -345,7 +344,7 @@ func NewVar(pos syntax.Pos, pkg *Package, name string, typ Type) *Var {
 
 // NewParam returns a new variable representing a function parameter.
 func NewParam(pos syntax.Pos, pkg *Package, name string, typ Type) *Var {
-	return &Var{object: object{nil, pos, pkg, name, typ, 0, colorFor(typ), nopos}, used: true} // parameters are always 'used'
+	return &Var{object: object{nil, pos, pkg, name, typ, 0, colorFor(typ), nopos}, isParam: true}
 }
 
 // NewField returns a new variable representing a struct field.

src/cmd/compile/internal/types2/resolver.go

@@ -295,7 +295,7 @@ func (check *Checker) collectObjects() {
 
 				if imp.fake {
 					// match 1.17 cmd/compile (not prescribed by spec)
-					pkgName.used = true
+					check.usedPkgNames[pkgName] = true
 				}
 
 				// add import to file scope
@@ -715,7 +715,7 @@ func (check *Checker) unusedImports() {
 	// (initialization), use the blank identifier as explicit package name."
 
 	for _, obj := range check.imports {
-		if !obj.used && obj.name != "_" {
+		if obj.name != "_" && !check.usedPkgNames[obj] {
 			check.errorUnusedPkg(obj)
 		}
 	}

src/cmd/compile/internal/types2/sizeof_test.go

@@ -36,7 +36,7 @@ func TestSizeof(t *testing.T) {
 		{term{}, 12, 24},
 
 		// Objects
-		{PkgName{}, 64, 104},
+		{PkgName{}, 60, 96},
 		{Const{}, 64, 104},
 		{TypeName{}, 56, 88},
 		{Var{}, 64, 104},

src/cmd/compile/internal/types2/stmt.go

@@ -58,7 +58,7 @@ func (check *Checker) usage(scope *Scope) {
 	var unused []*Var
 	for name, elem := range scope.elems {
 		elem = resolve(name, elem)
-		if v, _ := elem.(*Var); v != nil && !v.used {
+		if v, _ := elem.(*Var); v != nil && !v.isParam && !check.usedVars[v] {
 			unused = append(unused, v)
 		}
 	}
@@ -824,10 +824,10 @@ func (check *Checker) typeSwitchStmt(inner stmtContext, s *syntax.SwitchStmt, gu
 	if lhs != nil {
 		var used bool
 		for _, v := range lhsVars {
-			if v.used {
+			if check.usedVars[v] {
 				used = true
 			}
-			v.used = true // avoid usage error when checking entire function
+			check.usedVars[v] = true // avoid usage error when checking entire function
 		}
 		if !used {
 			check.softErrorf(lhs, UnusedVar, "%s declared and not used", lhs.Value)
@@ -934,7 +934,7 @@ func (check *Checker) rangeStmt(inner stmtContext, s *syntax.ForStmt, rclause *s
 			if typ == nil || typ == Typ[Invalid] {
 				// typ == Typ[Invalid] can happen if allowVersion fails.
 				obj.typ = Typ[Invalid]
-				obj.used = true // don't complain about unused variable
+				check.usedVars[obj] = true // don't complain about unused variable
 				continue
 			}
 

src/cmd/compile/internal/types2/typexpr.go

@@ -55,7 +55,7 @@ func (check *Checker) ident(x *operand, e *syntax.Name, def *TypeName, wantType
 		// avoid "declared but not used" errors
 		// (don't use Checker.use - we don't want to evaluate too much)
 		if v, _ := obj.(*Var); v != nil && v.pkg == check.pkg /* see Checker.use1 */ {
-			v.used = true
+			check.usedVars[v] = true
 		}
 		return
 	}
@@ -83,7 +83,7 @@ func (check *Checker) ident(x *operand, e *syntax.Name, def *TypeName, wantType
 	// (This code is only needed for dot-imports. Without them,
 	// we only have to mark variables, see *Var case below).
 	if pkgName := check.dotImportMap[dotImportKey{scope, obj.Name()}]; pkgName != nil {
-		pkgName.used = true
+		check.usedPkgNames[pkgName] = true
 	}
 
 	switch obj := obj.(type) {
@@ -120,7 +120,7 @@ func (check *Checker) ident(x *operand, e *syntax.Name, def *TypeName, wantType
 		// from other packages to avoid potential race conditions with
 		// dot-imported variables.
 		if obj.pkg == check.pkg {
-			obj.used = true
+			check.usedVars[obj] = true
 		}
 		check.addDeclDep(obj)
 		if !isValid(typ) {

src/cmd/go/internal/auth/auth.go

@@ -128,7 +128,8 @@ func runGoAuth(client *http.Client, res *http.Response, url string) {
 	// If no GOAUTH command provided a credential for the given url
 	// and an error occurred, log the error.
 	if cfg.BuildX && url != "" {
-		if ok := loadCredential(&http.Request{}, url); !ok && len(cmdErrs) > 0 {
+		req := &http.Request{Header: make(http.Header)}
+		if ok := loadCredential(req, url); !ok && len(cmdErrs) > 0 {
 			log.Printf("GOAUTH encountered errors for %s:", url)
 			for _, err := range cmdErrs {
 				log.Printf("  %v", err)

src/cmd/go/internal/fips140/fips140.go

@@ -114,7 +114,11 @@ func Init() {
 		fsys.Bind(Dir(), filepath.Join(cfg.GOROOT, "src/crypto/internal/fips140"))
 	}
 
-	if cfg.Experiment.BoringCrypto && Enabled() {
+	// ExperimentErr != nil if GOEXPERIMENT failed to parse. Typically
+	// cmd/go main will exit in this case, but it is allowed during
+	// toolchain selection, as the GOEXPERIMENT may be valid for the
+	// selected toolchain version.
+	if cfg.ExperimentErr == nil && cfg.Experiment.BoringCrypto && Enabled() {
 		base.Fatalf("go: cannot use GOFIPS140 with GOEXPERIMENT=boringcrypto")
 	}
 }

src/cmd/go/internal/fips140/mkzip.go

@@ -27,10 +27,10 @@ import (
 	"log"
 	"os"
 	"path/filepath"
-	"regexp"
 	"strings"
 
 	"golang.org/x/mod/module"
+	"golang.org/x/mod/semver"
 	modzip "golang.org/x/mod/zip"
 )
 
@@ -61,7 +61,7 @@ func main() {
 
 	// Must have valid version, and must not overwrite existing file.
 	version := flag.Arg(0)
-	if !regexp.MustCompile(`^v\d+\.\d+\.\d+$`).MatchString(version) {
+	if semver.Canonical(version) != version {
 		log.Fatalf("invalid version %q; must be vX.Y.Z", version)
 	}
 	if _, err := os.Stat(version + ".zip"); err == nil {
@@ -95,6 +95,7 @@ func main() {
 
 	var zbuf2 bytes.Buffer
 	zw := zip.NewWriter(&zbuf2)
+	foundVersion := false
 	for _, f := range zr.File {
 		// golang.org/fips140@v1.2.3/dir/file.go ->
 		// golang.org/fips140@v1.2.3/fips140/v1.2.3/dir/file.go
@@ -102,6 +103,34 @@ func main() {
 			f.Name = "golang.org/fips140@" + version + "/fips140/" + version +
 				strings.TrimPrefix(f.Name, "golang.org/fips140@"+version)
 		}
+		// Inject version in [crypto/internal/fips140.Version].
+		if f.Name == "golang.org/fips140@"+version+"/fips140/"+version+"/fips140.go" {
+			rf, err := f.Open()
+			if err != nil {
+				log.Fatal(err)
+			}
+			contents, err := io.ReadAll(rf)
+			if err != nil {
+				log.Fatal(err)
+			}
+			returnLine := `return "latest" //mkzip:version`
+			if !bytes.Contains(contents, []byte(returnLine)) {
+				log.Fatalf("did not find %q in fips140.go", returnLine)
+			}
+			// Use only the vX.Y.Z part of a possible vX.Y.Z-hash version.
+			v, _, _ := strings.Cut(version, "-")
+			newLine := `return "` + v + `"`
+			contents = bytes.ReplaceAll(contents, []byte(returnLine), []byte(newLine))
+			wf, err := zw.Create(f.Name)
+			if err != nil {
+				log.Fatal(err)
+			}
+			if _, err := wf.Write(contents); err != nil {
+				log.Fatal(err)
+			}
+			foundVersion = true
+			continue
+		}
 		wf, err := zw.CreateRaw(&f.FileHeader)
 		if err != nil {
 			log.Fatal(err)
@@ -117,6 +146,9 @@ func main() {
 	if err := zw.Close(); err != nil {
 		log.Fatal(err)
 	}
+	if !foundVersion {
+		log.Fatal("did not find fips140.go file")
+	}
 
 	err = os.WriteFile(version+".zip", zbuf2.Bytes(), 0666)
 	if err != nil {

src/cmd/go/internal/gover/mod.go

@@ -109,6 +109,9 @@ func ModIsPrefix(path, vers string) bool {
 // The caller is assumed to have checked that ModIsValid(path, vers) is true.
 func ModIsPrerelease(path, vers string) bool {
 	if IsToolchain(path) {
+		if path == "toolchain" {
+			return IsPrerelease(FromToolchain(vers))
+		}
 		return IsPrerelease(vers)
 	}
 	return semver.Prerelease(vers) != ""

src/cmd/go/internal/load/pkg.go

@@ -2474,7 +2474,6 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 	var repoDir string
 	var vcsCmd *vcs.Cmd
 	var err error
-	const allowNesting = true
 
 	wantVCS := false
 	switch cfg.BuildBuildvcs {
@@ -2494,7 +2493,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 			// (so the bootstrap toolchain packages don't even appear to be in GOROOT).
 			goto omitVCS
 		}
-		repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "", allowNesting)
+		repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "")
 		if err != nil && !errors.Is(err, os.ErrNotExist) {
 			setVCSError(err)
 			return
@@ -2517,10 +2516,11 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 	}
 	if repoDir != "" && vcsCmd.Status != nil {
 		// Check that the current directory, package, and module are in the same
-		// repository. vcs.FromDir allows nested Git repositories, but nesting
-		// is not allowed for other VCS tools. The current directory may be outside
-		// p.Module.Dir when a workspace is used.
-		pkgRepoDir, _, err := vcs.FromDir(p.Dir, "", allowNesting)
+		// repository. vcs.FromDir disallows nested VCS and multiple VCS in the
+		// same repository, unless the GODEBUG allowmultiplevcs is set. The
+		// current directory may be outside p.Module.Dir when a workspace is
+		// used.
+		pkgRepoDir, _, err := vcs.FromDir(p.Dir, "")
 		if err != nil {
 			setVCSError(err)
 			return
@@ -2532,7 +2532,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 			}
 			goto omitVCS
 		}
-		modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "", allowNesting)
+		modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "")
 		if err != nil {
 			setVCSError(err)
 			return
@@ -2571,7 +2571,12 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 		vers := revInfo.Version
 		if vers != "" {
 			if st.Uncommitted {
-				vers += "+dirty"
+				// SemVer build metadata is dot-separated https://semver.org/#spec-item-10
+				if strings.HasSuffix(vers, "+incompatible") {
+					vers += ".dirty"
+				} else {
+					vers += "+dirty"
+				}
 			}
 			info.Main.Version = vers
 		}

src/cmd/go/internal/modfetch/repo.go

@@ -230,7 +230,7 @@ func LookupLocal(ctx context.Context, path string) Repo {
 
 	return lookupLocalCache.Do(path, func() Repo {
 		return newCachingRepo(ctx, path, func(ctx context.Context) (Repo, error) {
-			repoDir, vcsCmd, err := vcs.FromDir(path, "", true)
+			repoDir, vcsCmd, err := vcs.FromDir(path, "")
 			if err != nil {
 				return nil, err
 			}

src/cmd/go/internal/vcs/vcs.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	"internal/godebug"
 	"internal/lazyregexp"
 	"internal/singleflight"
 	"io/fs"
@@ -839,11 +840,13 @@ type vcsPath struct {
 	schemelessRepo bool                                // if true, the repo pattern lacks a scheme
 }
 
+var allowmultiplevcs = godebug.New("allowmultiplevcs")
+
 // FromDir inspects dir and its parents to determine the
 // version control system and code repository to use.
 // If no repository is found, FromDir returns an error
 // equivalent to os.ErrNotExist.
-func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cmd, err error) {
+func FromDir(dir, srcRoot string) (repoDir string, vcsCmd *Cmd, err error) {
 	// Clean and double-check that dir is in (a subdirectory of) srcRoot.
 	dir = filepath.Clean(dir)
 	if srcRoot != "" {
@@ -857,21 +860,28 @@ func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cm
 	for len(dir) > len(srcRoot) {
 		for _, vcs := range vcsList {
 			if isVCSRoot(dir, vcs.RootNames) {
-				// Record first VCS we find.
-				// If allowNesting is false (as it is in GOPATH), keep looking for
-				// repositories in parent directories and report an error if one is
-				// found to mitigate VCS injection attacks.
 				if vcsCmd == nil {
+					// Record first VCS we find.
 					vcsCmd = vcs
 					repoDir = dir
-					if allowNesting {
+					if allowmultiplevcs.Value() == "1" {
+						allowmultiplevcs.IncNonDefault()
 						return repoDir, vcsCmd, nil
 					}
+					// If allowmultiplevcs is not set, keep looking for
+					// repositories in current and parent directories and report
+					// an error if one is found to mitigate VCS injection
+					// attacks.
 					continue
 				}
-				// Otherwise, we have one VCS inside a different VCS.
-				return "", nil, fmt.Errorf("directory %q uses %s, but parent %q uses %s",
-					repoDir, vcsCmd.Cmd, dir, vcs.Cmd)
+				if vcsCmd == vcsGit && vcs == vcsGit {
+					// Nested Git is allowed, as this is how things like
+					// submodules work. Git explicitly protects against
+					// injection against itself.
+					continue
+				}
+				return "", nil, fmt.Errorf("multiple VCS detected: %s in %q, and %s in %q",
+					vcsCmd.Cmd, repoDir, vcs.Cmd, dir)
 			}
 		}
 

src/cmd/go/internal/vcs/vcs_test.go

@@ -239,7 +239,7 @@ func TestFromDir(t *testing.T) {
 			}
 
 			wantRepoDir := filepath.Dir(dir)
-			gotRepoDir, gotVCS, err := FromDir(dir, tempDir, false)
+			gotRepoDir, gotVCS, err := FromDir(dir, tempDir)
 			if err != nil {
 				t.Errorf("FromDir(%q, %q): %v", dir, tempDir, err)
 				continue

src/cmd/go/internal/work/security.go

@@ -227,21 +227,6 @@ var validLinkerFlags = []*lazyregexp.Regexp{
 	re(`\./.*\.(a|o|obj|dll|dylib|so|tbd)`),
 }
 
-var validLinkerFlagsOnDarwin = []*lazyregexp.Regexp{
-	// The GNU linker interprets `@file` as "read command-line options from
-	// file". Thus, we forbid values starting with `@` on linker flags.
-	// However, this causes a problem when targeting Darwin.
-	// `@executable_path`, `@loader_path`, and `@rpath` are special values
-	// used in Mach-O to change the library search path and can be used in
-	// conjunction with the `-install_name` and `-rpath` linker flags.
-	// Since the GNU linker does not support Mach-O, targeting Darwin
-	// implies not using the GNU linker. Therefore, we allow @ in the linker
-	// flags if and only if cfg.Goos == "darwin" || cfg.Goos == "ios".
-	re(`-Wl,-dylib_install_name,@rpath(/[^,]*)?`),
-	re(`-Wl,-install_name,@rpath(/[^,]*)?`),
-	re(`-Wl,-rpath,@(executable_path|loader_path)(/[^,]*)?`),
-}
-
 var validLinkerFlagsWithNextArg = []string{
 	"-arch",
 	"-F",
@@ -264,13 +249,8 @@ func checkCompilerFlags(name, source string, list []string) error {
 }
 
 func checkLinkerFlags(name, source string, list []string) error {
-	validLinkerFlagsForPlatform := validLinkerFlags
-	if cfg.Goos == "darwin" || cfg.Goos == "ios" {
-		validLinkerFlagsForPlatform = append(validLinkerFlags, validLinkerFlagsOnDarwin...)
-	}
-
 	checkOverrides := true
-	return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlagsForPlatform, validLinkerFlagsWithNextArg, checkOverrides)
+	return checkFlags(name, source, list, invalidLinkerFlags, validLinkerFlags, validLinkerFlagsWithNextArg, checkOverrides)
 }
 
 // checkCompilerFlagsForInternalLink returns an error if 'list'

src/cmd/go/internal/work/security_test.go

@@ -8,8 +8,6 @@ import (
 	"os"
 	"strings"
 	"testing"
-
-	"cmd/go/internal/cfg"
 )
 
 var goodCompilerFlags = [][]string{
@@ -247,8 +245,6 @@ var badLinkerFlags = [][]string{
 	{"-Wl,--hash-style=foo"},
 	{"-x", "--c"},
 	{"-x", "@obj"},
-	{"-Wl,-dylib_install_name,@foo"},
-	{"-Wl,-install_name,@foo"},
 	{"-Wl,-rpath,@foo"},
 	{"-Wl,-R,foo,bar"},
 	{"-Wl,-R,@foo"},
@@ -265,21 +261,6 @@ var badLinkerFlags = [][]string{
 	{"./-Wl,--push-state,-R.c"},
 }
 
-var goodLinkerFlagsOnDarwin = [][]string{
-	{"-Wl,-dylib_install_name,@rpath"},
-	{"-Wl,-dylib_install_name,@rpath/"},
-	{"-Wl,-dylib_install_name,@rpath/foo"},
-	{"-Wl,-install_name,@rpath"},
-	{"-Wl,-install_name,@rpath/"},
-	{"-Wl,-install_name,@rpath/foo"},
-	{"-Wl,-rpath,@executable_path"},
-	{"-Wl,-rpath,@executable_path/"},
-	{"-Wl,-rpath,@executable_path/foo"},
-	{"-Wl,-rpath,@loader_path"},
-	{"-Wl,-rpath,@loader_path/"},
-	{"-Wl,-rpath,@loader_path/foo"},
-}
-
 func TestCheckLinkerFlags(t *testing.T) {
 	for _, f := range goodLinkerFlags {
 		if err := checkLinkerFlags("test", "test", f); err != nil {
@@ -291,31 +272,6 @@ func TestCheckLinkerFlags(t *testing.T) {
 			t.Errorf("missing error for %q", f)
 		}
 	}
-
-	goos := cfg.Goos
-
-	cfg.Goos = "darwin"
-	for _, f := range goodLinkerFlagsOnDarwin {
-		if err := checkLinkerFlags("test", "test", f); err != nil {
-			t.Errorf("unexpected error for %q: %v", f, err)
-		}
-	}
-
-	cfg.Goos = "ios"
-	for _, f := range goodLinkerFlagsOnDarwin {
-		if err := checkLinkerFlags("test", "test", f); err != nil {
-			t.Errorf("unexpected error for %q: %v", f, err)
-		}
-	}
-
-	cfg.Goos = "linux"
-	for _, f := range goodLinkerFlagsOnDarwin {
-		if err := checkLinkerFlags("test", "test", f); err == nil {
-			t.Errorf("missing error for %q", f)
-		}
-	}
-
-	cfg.Goos = goos
 }
 
 func TestCheckFlagAllowDisallow(t *testing.T) {

src/cmd/go/testdata/script/build_version_stamping_git.txt

@@ -108,6 +108,19 @@ go version -m example$GOEXE
 stdout '\s+mod\s+example\s+v1.0.3-0.20220719150703-2e239bf29c13\s+'
 rm example$GOEXE
 
+# Create +incompatible module
+exec git checkout v1.0.4
+exec git rm go.mod
+exec git commit -m 'commit 6'
+exec git tag v2.0.0
+exec git checkout HEAD^ go.mod
+# And make the tree +dirty
+mv README4 README5
+go build
+go version -m example$GOEXE
+stdout '\s+mod\s+example\s+v2.0.0\+incompatible.dirty\s+'
+rm example$GOEXE
+
 -- $WORK/repo/go.mod --
 module example
 

src/cmd/go/testdata/script/fipssnap.txt

@@ -1,4 +1,4 @@
-env snap=v1.0.0
+env snap=v1.0.0-c2097c7c
 env alias=inprocess
 
 env GOFIPS140=$snap
@@ -23,8 +23,7 @@ stdout crypto/internal/fips140/$snap/sha256
 ! stdout crypto/internal/fips140/check
 
 # again with GOFIPS140=$alias
-# TODO: enable when we add inprocess.txt
-# env GOFIPS140=$alias
+env GOFIPS140=$alias
 
 # default GODEBUG includes fips140=on
 go list -f '{{.DefaultGODEBUG}}'

src/cmd/go/testdata/script/goauth_git.txt

@@ -49,6 +49,8 @@ go get vcs-test.golang.org/auth/or401
 go mod tidy
 go list all
 stdout vcs-test.golang.org/auth/or404
+# With cached credentials, re-downloading in debug mode should succeed.
+go get -x vcs-test.golang.org/auth/or401
 
 # Clearing GOAUTH credentials should result in failures.
 env GOAUTH='off'

src/cmd/go/testdata/script/mod_get_toolchain.txt

@@ -89,12 +89,14 @@ stderr '^go: added toolchain go1.24rc1$'
 grep 'go 1.22.9' go.mod  # no longer implied
 grep 'toolchain go1.24rc1' go.mod
 
-# go get toolchain@latest finds go1.999testmod.
+# go get toolchain@latest finds go1.23.9.
 cp go.mod.orig go.mod
 go get toolchain@latest
-stderr '^go: added toolchain go1.999testmod$'
+stderr '^go: added toolchain go1.23.9$'
 grep 'go 1.21' go.mod
-grep 'toolchain go1.999testmod' go.mod
+grep 'toolchain go1.23.9' go.mod
+
+
 
 # Bug fixes.
 
@@ -110,7 +112,7 @@ stderr '^go: upgraded go 1.19 => 1.21.0'
 
 # go get toolchain@1.24rc1 is OK too.
 go get toolchain@1.24rc1
-stderr '^go: downgraded toolchain go1.999testmod => go1.24rc1$'
+stderr '^go: downgraded toolchain go1.99rc1 => go1.24rc1$'
 
 # go get go@1.21 should work if we are the Go 1.21 language version,
 # even though there's no toolchain for it.

src/cmd/go/testdata/script/test_multivcs.txt

@@ -0,0 +1,54 @@
+# To avoid VCS injection attacks, we should not accept multiple different VCS metadata
+# folders within a single module (either in the same directory, or nested in different
+# directories.)
+#
+# This behavior should be disabled by setting the allowmultiplevcs GODEBUG.
+
+[short] skip
+[!git] skip
+
+cd samedir
+
+exec git init .
+
+# Without explicitly requesting buildvcs, the go command should silently continue
+# without determining the correct VCS.
+go test -c -o $devnull .
+
+# If buildvcs is explicitly requested, we expect the go command to fail
+! go test -buildvcs -c -o $devnull .
+stderr '^error obtaining VCS status: multiple VCS detected:'
+
+env GODEBUG=allowmultiplevcs=1
+go test -buildvcs -c -o $devnull .
+
+env GODEBUG=
+cd ../nested
+exec git init .
+# cd a
+go test -c -o $devnull ./a
+! go test -buildvcs -c -o $devnull ./a
+stderr '^error obtaining VCS status: multiple VCS detected:'
+# allowmultiplevcs doesn't disable the check that the current directory, package, and
+# module are in the same repository.
+env GODEBUG=allowmultiplevcs=1
+! go test -buildvcs -c -o $devnull ./a
+stderr '^error obtaining VCS status: main package is in repository'
+
+-- samedir/go.mod --
+module example
+
+go 1.18
+-- samedir/example.go --
+package main
+-- samedir/.bzr/test --
+hello
+
+-- nested/go.mod --
+module example
+
+go 1.18
+-- nested/a/example.go --
+package main
+-- nested/a/.bzr/test --
+hello

src/cmd/go/testdata/script/version_buildvcs_nested.txt

@@ -9,25 +9,35 @@ cd root
 go mod init example.com/root
 exec git init
 
-# Nesting repositories in parent directories are ignored, as the current
-# directory main package, and containing main module are in the same repository.
-# This is an error in GOPATH mode (to prevent VCS injection), but for modules,
-# we assume users have control over repositories they've checked out.
+
+# Nesting repositories in parent directories are an error, to prevent VCS injection.
+# This can be disabled with the allowmultiplevcs GODEBUG.
 mkdir hgsub
 cd hgsub
 exec hg init
 cp ../../main.go main.go
 ! go build
+stderr '^error obtaining VCS status: multiple VCS detected: hg in ".*hgsub", and git in ".*root"$'
+stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
+env GODEBUG=allowmultiplevcs=1
+! go build
 stderr '^error obtaining VCS status: main module is in repository ".*root" but current directory is in repository ".*hgsub"$'
 stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
 go build -buildvcs=false
+env GODEBUG=
 go mod init example.com/root/hgsub
+! go build
+stderr '^error obtaining VCS status: multiple VCS detected: hg in ".*hgsub", and git in ".*root"$'
+stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
+env GODEBUG=allowmultiplevcs=1
 go build
+env GODEBUG=
 cd ..
 
 # It's an error to build a package from a nested Git repository if the package
 # is in a separate repository from the current directory or from the module
-# root directory.
+# root directory. Otherwise nested Git repositories are allowed, as this is
+# how Git implements submodules (and protects against Git based VCS injection.)
 mkdir gitsub
 cd gitsub
 exec git init

src/cmd/internal/obj/arm64/obj7.go

@@ -907,18 +907,49 @@ func preprocess(ctxt *obj.Link, cursym *obj.LSym, newprog obj.ProgAlloc) {
 				p.To.Reg = REGFP
 				p.To.Offset = REGLINK
 
-				// ADD $aoffset, RSP, RSP
-				q = newprog()
-				q.As = AADD
-				q.From.Type = obj.TYPE_CONST
-				q.From.Offset = int64(aoffset)
-				q.To.Type = obj.TYPE_REG
-				q.To.Reg = REGSP
-				q.Spadj = -aoffset
-				q.Pos = p.Pos
-				q.Link = p.Link
-				p.Link = q
-				p = q
+				if aoffset < 1<<12 {
+					// ADD $aoffset, RSP, RSP
+					q = newprog()
+					q.As = AADD
+					q.From.Type = obj.TYPE_CONST
+					q.From.Offset = int64(aoffset)
+					q.To.Type = obj.TYPE_REG
+					q.To.Reg = REGSP
+					q.Spadj = -aoffset
+					q.Pos = p.Pos
+					q.Link = p.Link
+					p.Link = q
+					p = q
+				} else {
+					// Put frame size in a separate register and
+					// add it in with a single instruction,
+					// so we never have a partial frame during
+					// the epilog. See issue 73259.
+
+					// MOVD $aoffset, REGTMP
+					q = newprog()
+					q.As = AMOVD
+					q.From.Type = obj.TYPE_CONST
+					q.From.Offset = int64(aoffset)
+					q.To.Type = obj.TYPE_REG
+					q.To.Reg = REGTMP
+					q.Pos = p.Pos
+					q.Link = p.Link
+					p.Link = q
+					p = q
+					// ADD REGTMP, RSP, RSP
+					q = newprog()
+					q.As = AADD
+					q.From.Type = obj.TYPE_REG
+					q.From.Reg = REGTMP
+					q.To.Type = obj.TYPE_REG
+					q.To.Reg = REGSP
+					q.Spadj = -aoffset
+					q.Pos = p.Pos
+					q.Link = p.Link
+					p.Link = q
+					p = q
+				}
 			}
 
 			// If enabled, this code emits 'MOV PC, R27' before every 'MOV LR, PC',

src/cmd/internal/obj/wasm/wasmobj.go

@@ -1006,9 +1006,10 @@ func genWasmExportWrapper(s *obj.LSym, appendp func(p *obj.Prog, as obj.As, args
 	// In the unwinding case, we call wasm_pc_f_loop_export to handle stack switch and rewinding,
 	// until a normal return (non-unwinding) back to this function.
 	p = appendp(p, AIf)
-	p = appendp(p, AI32Const, retAddr)
-	p = appendp(p, AI32Const, constAddr(16))
-	p = appendp(p, AI32ShrU)
+	p = appendp(p, AI64Const, retAddr)
+	p = appendp(p, AI64Const, constAddr(16))
+	p = appendp(p, AI64ShrU)
+	p = appendp(p, AI32WrapI64)
 	p = appendp(p, ACall, obj.Addr{Type: obj.TYPE_MEM, Name: obj.NAME_EXTERN, Sym: wasm_pc_f_loop_export})
 	p = appendp(p, AEnd)
 

src/cmd/internal/objabi/pkgspecial.go

@@ -43,6 +43,9 @@ type PkgSpecial struct {
 }
 
 var runtimePkgs = []string{
+	// TODO(panjf2000): consider syncing the list inside the
+	// 	isAsyncSafePoint in preempt.go based on this list?
+
 	"runtime",
 
 	"internal/runtime/atomic",

src/cmd/link/internal/loadelf/ldelf.go

@@ -609,7 +609,7 @@ func Load(l *loader.Loader, arch *sys.Arch, localSymVersion int, f *bio.Reader,
 				continue
 			}
 
-			if strings.HasPrefix(elfsym.name, ".LASF") || strings.HasPrefix(elfsym.name, ".LLRL") || strings.HasPrefix(elfsym.name, ".LLST") {
+			if strings.HasPrefix(elfsym.name, ".LASF") || strings.HasPrefix(elfsym.name, ".LLRL") || strings.HasPrefix(elfsym.name, ".LLST") || strings.HasPrefix(elfsym.name, ".LVUS") {
 				// gcc on s390x and riscv64 does this.
 				continue
 			}

src/cmd/link/internal/loader/loader.go

@@ -253,6 +253,12 @@ type Loader struct {
 
 	WasmExports []Sym
 
+	// sizeFixups records symbols that we need to fix up the size
+	// after loading. It is very rarely needed, only for a DATA symbol
+	// and a BSS symbol with the same name, and the BSS symbol has
+	// larger size.
+	sizeFixups []symAndSize
+
 	flags uint32
 
 	strictDupMsgs int // number of strict-dup warning/errors, when FlagStrictDups is enabled
@@ -432,16 +438,16 @@ func (st *loadState) addSym(name string, ver int, r *oReader, li uint32, kind in
 		return i
 	}
 	// symbol already exists
+	// Fix for issue #47185 -- given two dupok or BSS symbols with
+	// different sizes, favor symbol with larger size. See also
+	// issue #46653 and #72032.
+	oldsz := l.SymSize(oldi)
+	sz := int64(r.Sym(li).Siz())
 	if osym.Dupok() {
 		if l.flags&FlagStrictDups != 0 {
 			l.checkdup(name, r, li, oldi)
 		}
-		// Fix for issue #47185 -- given two dupok symbols with
-		// different sizes, favor symbol with larger size. See
-		// also issue #46653.
-		szdup := l.SymSize(oldi)
-		sz := int64(r.Sym(li).Siz())
-		if szdup < sz {
+		if oldsz < sz {
 			// new symbol overwrites old symbol.
 			l.objSyms[oldi] = objSym{r.objidx, li}
 		}
@@ -452,20 +458,65 @@ func (st *loadState) addSym(name string, ver int, r *oReader, li uint32, kind in
 	if oldsym.Dupok() {
 		return oldi
 	}
-	overwrite := r.DataSize(li) != 0
-	if overwrite {
+	// If one is a DATA symbol (i.e. has content, DataSize != 0,
+	// including RODATA) and the other is BSS, the one with content wins.
+	// If both are BSS, the one with larger size wins.
+	//
+	// For a special case, we allow a TEXT symbol overwrites a BSS symbol
+	// even if the BSS symbol has larger size. This is because there is
+	// code like below to take the address of a function
+	//
+	//	//go:linkname fn
+	//	var fn uintptr
+	//	var fnAddr = uintptr(unsafe.Pointer(&fn))
+	//
+	// TODO: maybe limit this case to just pointer sized variable?
+	//
+	// In summary, the "overwrite" variable and the final result are
+	//
+	// new sym       old sym       result
+	// -------------------------------------------------------
+	// TEXT          BSS           new wins
+	// DATA          DATA          ERROR
+	// DATA lg/eq    BSS  sm/eq    new wins
+	// DATA small    BSS  large    merge: new with larger size
+	// BSS  large    DATA small    merge: old with larger size
+	// BSS  large    BSS  small    new wins
+	// BSS  sm/eq    D/B  lg/eq    old wins
+	// BSS           TEXT          old wins
+	oldtyp := sym.AbiSymKindToSymKind[objabi.SymKind(oldsym.Type())]
+	newtyp := sym.AbiSymKindToSymKind[objabi.SymKind(osym.Type())]
+	newIsText := newtyp.IsText()
+	oldHasContent := oldr.DataSize(oldli) != 0
+	newHasContent := r.DataSize(li) != 0
+	oldIsBSS := oldtyp.IsData() && !oldHasContent
+	newIsBSS := newtyp.IsData() && !newHasContent
+	switch {
+	case newIsText && oldIsBSS,
+		newHasContent && oldIsBSS,
+		newIsBSS && oldIsBSS && sz > oldsz:
 		// new symbol overwrites old symbol.
-		oldtyp := sym.AbiSymKindToSymKind[objabi.SymKind(oldsym.Type())]
-		if !(oldtyp.IsData() && oldr.DataSize(oldli) == 0) {
-			log.Fatalf("duplicated definition of symbol %s, from %s and %s", name, r.unit.Lib.Pkg, oldr.unit.Lib.Pkg)
-		}
 		l.objSyms[oldi] = objSym{r.objidx, li}
-	} else {
-		// old symbol overwrites new symbol.
-		typ := sym.AbiSymKindToSymKind[objabi.SymKind(oldsym.Type())]
-		if !typ.IsData() { // only allow overwriting data symbol
-			log.Fatalf("duplicated definition of symbol %s, from %s and %s", name, r.unit.Lib.Pkg, oldr.unit.Lib.Pkg)
+		if oldsz > sz {
+			// If the BSS symbol has a larger size, expand the data
+			// symbol's size so access from the BSS side cannot overrun.
+			// It is hard to modify the symbol size until all Go objects
+			// (potentially read-only) are loaded, so we record it in
+			// a fixup table and apply them later. This is very rare.
+			// One case is a global variable with a Go declaration and an
+			// assembly definition, which typically have the same size,
+			// but in ASAN mode the Go declaration has a larger size due
+			// to the inserted red zone.
+			l.sizeFixups = append(l.sizeFixups, symAndSize{oldi, uint32(oldsz)})
 		}
+	case newIsBSS:
+		// old win, just ignore the new symbol.
+		if sz > oldsz {
+			// See the comment above for sizeFixups.
+			l.sizeFixups = append(l.sizeFixups, symAndSize{oldi, uint32(sz)})
+		}
+	default:
+		log.Fatalf("duplicated definition of symbol %s, from %s (type %s size %d) and %s (type %s size %d)", name, r.unit.Lib.Pkg, newtyp, sz, oldr.unit.Lib.Pkg, oldtyp, oldsz)
 	}
 	return oldi
 }
@@ -1706,14 +1757,6 @@ func (l *Loader) GetVarDwarfAuxSym(i Sym) Sym {
 // expected to have the actual content/payload) and then a set of
 // interior loader.Sym's that point into a portion of the container.
 func (l *Loader) AddInteriorSym(container Sym, interior Sym) {
-	// Container symbols are expected to have content/data.
-	// NB: this restriction may turn out to be too strict (it's possible
-	// to imagine a zero-sized container with an interior symbol pointing
-	// into it); it's ok to relax or remove it if we counter an
-	// oddball host object that triggers this.
-	if l.SymSize(container) == 0 && len(l.Data(container)) == 0 {
-		panic("unexpected empty container symbol")
-	}
 	// The interior symbols for a container are not expected to have
 	// content/data or relocations.
 	if len(l.Data(interior)) != 0 {
@@ -2255,6 +2298,10 @@ func (l *Loader) LoadSyms(arch *sys.Arch) {
 		st.preloadSyms(r, hashedDef)
 		st.preloadSyms(r, nonPkgDef)
 	}
+	for _, sf := range l.sizeFixups {
+		pp := l.cloneToExternal(sf.sym)
+		pp.size = int64(sf.size)
+	}
 	for _, vr := range st.linknameVarRefs {
 		l.checkLinkname(vr.pkg, vr.name, vr.sym)
 	}
@@ -2460,7 +2507,7 @@ func topLevelSym(sname string, skind sym.SymKind) bool {
 // a symbol originally discovered as part of an object file, it's
 // easier to do this if we make the updates to an external symbol
 // payload.
-func (l *Loader) cloneToExternal(symIdx Sym) {
+func (l *Loader) cloneToExternal(symIdx Sym) *extSymPayload {
 	if l.IsExternal(symIdx) {
 		panic("sym is already external, no need for clone")
 	}
@@ -2512,6 +2559,8 @@ func (l *Loader) cloneToExternal(symIdx Sym) {
 	// Some attributes were encoded in the object file. Copy them over.
 	l.SetAttrDuplicateOK(symIdx, r.Sym(li).Dupok())
 	l.SetAttrShared(symIdx, r.Shared())
+
+	return pp
 }
 
 // Copy the payload of symbol src to dst. Both src and dst must be external

src/cmd/link/link_test.go

@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	imacho "cmd/internal/macho"
+	"cmd/internal/objfile"
 	"cmd/internal/sys"
 )
 
@@ -1511,6 +1512,9 @@ func TestCheckLinkname(t *testing.T) {
 		{"ok.go", true},
 		// push linkname is ok
 		{"push.go", true},
+		// using a linknamed variable to reference an assembly
+		// function in the same package is ok
+		{"textvar", true},
 		// pull linkname of blocked symbol is not ok
 		{"coro.go", false},
 		{"coro_var.go", false},
@@ -1528,7 +1532,7 @@ func TestCheckLinkname(t *testing.T) {
 		test := test
 		t.Run(test.src, func(t *testing.T) {
 			t.Parallel()
-			src := filepath.Join("testdata", "linkname", test.src)
+			src := "./testdata/linkname/" + test.src
 			exe := filepath.Join(tmpdir, test.src+".exe")
 			cmd := testenv.Command(t, testenv.GoToolPath(t), "build", "-o", exe, src)
 			out, err := cmd.CombinedOutput()
@@ -1541,3 +1545,53 @@ func TestCheckLinkname(t *testing.T) {
 		})
 	}
 }
+
+func TestLinknameBSS(t *testing.T) {
+	// Test that the linker chooses the right one as the definition
+	// for linknamed variables. See issue #72032.
+	testenv.MustHaveGoBuild(t)
+	t.Parallel()
+
+	tmpdir := t.TempDir()
+
+	src := filepath.Join("testdata", "linkname", "sched.go")
+	exe := filepath.Join(tmpdir, "sched.exe")
+	cmd := testenv.Command(t, testenv.GoToolPath(t), "build", "-o", exe, src)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("build failed unexpectedly: %v:\n%s", err, out)
+	}
+
+	// Check the symbol size.
+	f, err := objfile.Open(exe)
+	if err != nil {
+		t.Fatalf("fail to open executable: %v", err)
+	}
+	defer f.Close()
+	syms, err := f.Symbols()
+	if err != nil {
+		t.Fatalf("fail to get symbols: %v", err)
+	}
+	found := false
+	for _, s := range syms {
+		if s.Name == "runtime.sched" || s.Name == "_runtime.sched" {
+			found = true
+			if s.Size < 100 {
+				// As of Go 1.25 (Mar 2025), runtime.sched has 6848 bytes on
+				// darwin/arm64. It should always be larger than 100 bytes on
+				// all platforms.
+				t.Errorf("runtime.sched symbol size too small: want > 100, got %d", s.Size)
+			}
+		}
+	}
+	if !found {
+		t.Errorf("runtime.sched symbol not found")
+	}
+
+	// Executable should run.
+	cmd = testenv.Command(t, exe)
+	out, err = cmd.CombinedOutput()
+	if err != nil {
+		t.Errorf("executable failed to run: %v\n%s", err, out)
+	}
+}

src/cmd/link/testdata/linkname/sched.go

@@ -0,0 +1,19 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import _ "unsafe"
+
+type schedt struct{}
+
+//go:linkname sched runtime.sched
+var sched schedt
+
+func main() {
+	select {
+	default:
+		println("hello")
+	}
+}

src/cmd/link/testdata/linkname/textvar/asm.s

@@ -0,0 +1,6 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+TEXT	·asmfunc(SB),0,$0-0
+	RET

src/cmd/link/testdata/linkname/textvar/main.go

@@ -0,0 +1,17 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Using a linknamed variable to reference an assembly
+// function in the same package is ok.
+
+package main
+
+import _ "unsafe"
+
+func main() {
+	println(&asmfunc)
+}
+
+//go:linkname asmfunc
+var asmfunc uintptr

src/crypto/fips140/fips140.go

@@ -10,7 +10,7 @@ import (
 	"internal/godebug"
 )
 
-var fips140GODEBUG = godebug.New("#fips140")
+var fips140GODEBUG = godebug.New("fips140")
 
 // Enabled reports whether the cryptography libraries are operating in FIPS
 // 140-3 mode.

src/crypto/internal/fips140/cast.go

@@ -56,9 +56,10 @@ func CAST(name string, f func() error) {
 }
 
 // PCT runs the named Pairwise Consistency Test (if operated in FIPS mode) and
-// returns any errors. If an error is returned, the key must not be used.
+// aborts the program (stopping the module input/output and entering the "error
+// state") if the test fails.
 //
-// PCTs are mandatory for every key pair that is generated/imported, including
+// PCTs are mandatory for every generated (but not imported) key pair, including
 // ephemeral keys (which effectively doubles the cost of key establishment). See
 // Implementation Guidance 10.3.A Additional Comment 1.
 //
@@ -66,17 +67,23 @@ func CAST(name string, f func() error) {
 //
 // If a package p calls PCT during key generation, an invocation of that
 // function should be added to fipstest.TestConditionals.
-func PCT(name string, f func() error) error {
+func PCT(name string, f func() error) {
 	if strings.ContainsAny(name, ",#=:") {
 		panic("fips: invalid self-test name: " + name)
 	}
 	if !Enabled {
-		return nil
+		return
 	}
 
 	err := f()
 	if name == failfipscast {
 		err = errors.New("simulated PCT failure")
 	}
-	return err
+	if err != nil {
+		fatal("FIPS 140-3 self-test failed: " + name + ": " + err.Error())
+		panic("unreachable")
+	}
+	if debug {
+		println("FIPS 140-3 PCT passed:", name)
+	}
 }

src/crypto/internal/fips140/ecdh/ecdh.go

@@ -161,6 +161,27 @@ func GenerateKey[P Point[P]](c *Curve[P], rand io.Reader) (*PrivateKey, error) {
 		if err != nil {
 			continue
 		}
+
+		// A "Pairwise Consistency Test" makes no sense if we just generated the
+		// public key from an ephemeral private key. Moreover, there is no way to
+		// check it aside from redoing the exact same computation again. SP 800-56A
+		// Rev. 3, Section 5.6.2.1.4 acknowledges that, and doesn't require it.
+		// However, ISO 19790:2012, Section 7.10.3.3 has a blanket requirement for a
+		// PCT for all generated keys (AS10.35) and FIPS 140-3 IG 10.3.A, Additional
+		// Comment 1 goes out of its way to say that "the PCT shall be performed
+		// consistent [...], even if the underlying standard does not require a
+		// PCT". So we do it. And make ECDH nearly 50% slower (only) in FIPS mode.
+		fips140.PCT("ECDH PCT", func() error {
+			p1, err := c.newPoint().ScalarBaseMult(privateKey.d)
+			if err != nil {
+				return err
+			}
+			if !bytes.Equal(p1.Bytes(), privateKey.pub.q) {
+				return errors.New("crypto/ecdh: public key does not match private key")
+			}
+			return nil
+		})
+
 		return privateKey, nil
 	}
 }
@@ -188,28 +209,6 @@ func NewPrivateKey[P Point[P]](c *Curve[P], key []byte) (*PrivateKey, error) {
 		panic("crypto/ecdh: internal error: public key is the identity element")
 	}
 
-	// A "Pairwise Consistency Test" makes no sense if we just generated the
-	// public key from an ephemeral private key. Moreover, there is no way to
-	// check it aside from redoing the exact same computation again. SP 800-56A
-	// Rev. 3, Section 5.6.2.1.4 acknowledges that, and doesn't require it.
-	// However, ISO 19790:2012, Section 7.10.3.3 has a blanket requirement for a
-	// PCT for all generated keys (AS10.35) and FIPS 140-3 IG 10.3.A, Additional
-	// Comment 1 goes out of its way to say that "the PCT shall be performed
-	// consistent [...], even if the underlying standard does not require a
-	// PCT". So we do it. And make ECDH nearly 50% slower (only) in FIPS mode.
-	if err := fips140.PCT("ECDH PCT", func() error {
-		p1, err := c.newPoint().ScalarBaseMult(key)
-		if err != nil {
-			return err
-		}
-		if !bytes.Equal(p1.Bytes(), publicKey) {
-			return errors.New("crypto/ecdh: public key does not match private key")
-		}
-		return nil
-	}); err != nil {
-		panic(err)
-	}
-
 	k := &PrivateKey{d: bytes.Clone(key), pub: PublicKey{curve: c.curve, q: publicKey}}
 	return k, nil
 }

src/crypto/internal/fips140/ecdsa/cast.go

@@ -51,8 +51,8 @@ func testHash() []byte {
 	}
 }
 
-func fipsPCT[P Point[P]](c *Curve[P], k *PrivateKey) error {
-	return fips140.PCT("ECDSA PCT", func() error {
+func fipsPCT[P Point[P]](c *Curve[P], k *PrivateKey) {
+	fips140.PCT("ECDSA PCT", func() error {
 		hash := testHash()
 		drbg := newDRBG(sha512.New, k.d, bits2octets(P256(), hash), nil)
 		sig, err := sign(c, k, drbg, hash)

src/crypto/internal/fips140/ecdsa/ecdsa.go

@@ -166,11 +166,6 @@ func NewPrivateKey[P Point[P]](c *Curve[P], D, Q []byte) (*PrivateKey, error) {
 		return nil, err
 	}
 	priv := &PrivateKey{pub: *pub, d: d.Bytes(c.N)}
-	if err := fipsPCT(c, priv); err != nil {
-		// This can happen if the application went out of its way to make an
-		// ecdsa.PrivateKey with a mismatching PublicKey.
-		return nil, err
-	}
 	return priv, nil
 }
 
@@ -203,10 +198,7 @@ func GenerateKey[P Point[P]](c *Curve[P], rand io.Reader) (*PrivateKey, error) {
 		},
 		d: k.Bytes(c.N),
 	}
-	if err := fipsPCT(c, priv); err != nil {
-		// This clearly can't happen, but FIPS 140-3 mandates that we check it.
-		panic(err)
-	}
+	fipsPCT(c, priv)
 	return priv, nil
 }
 

src/crypto/internal/fips140/ecdsa/hmacdrbg.go

@@ -121,7 +121,7 @@ func newDRBG[H fips140.Hash](hash func() H, entropy, nonce []byte, s personaliza
 //
 // This should only be used for ACVP testing. hmacDRBG is not intended to be
 // used directly.
-func TestingOnlyNewDRBG(hash func() fips140.Hash, entropy, nonce []byte, s []byte) *hmacDRBG {
+func TestingOnlyNewDRBG[H fips140.Hash](hash func() H, entropy, nonce []byte, s []byte) *hmacDRBG {
 	return newDRBG(hash, entropy, nonce, plainPersonalizationString(s))
 }
 

src/crypto/internal/fips140/ed25519/cast.go

@@ -12,8 +12,8 @@ import (
 	"sync"
 )
 
-func fipsPCT(k *PrivateKey) error {
-	return fips140.PCT("Ed25519 sign and verify PCT", func() error {
+func fipsPCT(k *PrivateKey) {
+	fips140.PCT("Ed25519 sign and verify PCT", func() error {
 		return pairwiseTest(k)
 	})
 }

src/crypto/internal/fips140/ed25519/ed25519.go

@@ -69,10 +69,7 @@ func generateKey(priv *PrivateKey) (*PrivateKey, error) {
 	fips140.RecordApproved()
 	drbg.Read(priv.seed[:])
 	precomputePrivateKey(priv)
-	if err := fipsPCT(priv); err != nil {
-		// This clearly can't happen, but FIPS 140-3 requires that we check.
-		panic(err)
-	}
+	fipsPCT(priv)
 	return priv, nil
 }
 
@@ -88,10 +85,6 @@ func newPrivateKeyFromSeed(priv *PrivateKey, seed []byte) (*PrivateKey, error) {
 	}
 	copy(priv.seed[:], seed)
 	precomputePrivateKey(priv)
-	if err := fipsPCT(priv); err != nil {
-		// This clearly can't happen, but FIPS 140-3 requires that we check.
-		panic(err)
-	}
 	return priv, nil
 }
 
@@ -137,12 +130,6 @@ func newPrivateKey(priv *PrivateKey, privBytes []byte) (*PrivateKey, error) {
 
 	copy(priv.prefix[:], h[32:])
 
-	if err := fipsPCT(priv); err != nil {
-		// This can happen if the application messed with the private key
-		// encoding, and the public key doesn't match the seed anymore.
-		return nil, err
-	}
-
 	return priv, nil
 }
 

src/crypto/internal/fips140/fips140.go

@@ -62,6 +62,10 @@ func Name() string {
 	return "Go Cryptographic Module"
 }
 
+// Version returns the formal version (such as "v1.0.0") if building against a
+// frozen module with GOFIPS140. Otherwise, it returns "latest".
 func Version() string {
-	return "v1.0"
+	// This return value is replaced by mkzip.go, it must not be changed or
+	// moved to a different file.
+	return "latest" //mkzip:version
 }

src/crypto/internal/fips140/mlkem/mlkem1024.go

@@ -118,10 +118,7 @@ func generateKey1024(dk *DecapsulationKey1024) (*DecapsulationKey1024, error) {
 	var z [32]byte
 	drbg.Read(z[:])
 	kemKeyGen1024(dk, &d, &z)
-	if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) }); err != nil {
-		// This clearly can't happen, but FIPS 140-3 requires us to check.
-		panic(err)
-	}
+	fips140.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) })
 	fips140.RecordApproved()
 	return dk, nil
 }
@@ -149,10 +146,6 @@ func newKeyFromSeed1024(dk *DecapsulationKey1024, seed []byte) (*DecapsulationKe
 	d := (*[32]byte)(seed[:32])
 	z := (*[32]byte)(seed[32:])
 	kemKeyGen1024(dk, d, z)
-	if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT1024(dk) }); err != nil {
-		// This clearly can't happen, but FIPS 140-3 requires us to check.
-		panic(err)
-	}
 	fips140.RecordApproved()
 	return dk, nil
 }

src/crypto/internal/fips140/mlkem/mlkem768.go

@@ -177,10 +177,7 @@ func generateKey(dk *DecapsulationKey768) (*DecapsulationKey768, error) {
 	var z [32]byte
 	drbg.Read(z[:])
 	kemKeyGen(dk, &d, &z)
-	if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT(dk) }); err != nil {
-		// This clearly can't happen, but FIPS 140-3 requires us to check.
-		panic(err)
-	}
+	fips140.PCT("ML-KEM PCT", func() error { return kemPCT(dk) })
 	fips140.RecordApproved()
 	return dk, nil
 }
@@ -208,10 +205,6 @@ func newKeyFromSeed(dk *DecapsulationKey768, seed []byte) (*DecapsulationKey768,
 	d := (*[32]byte)(seed[:32])
 	z := (*[32]byte)(seed[32:])
 	kemKeyGen(dk, d, z)
-	if err := fips140.PCT("ML-KEM PCT", func() error { return kemPCT(dk) }); err != nil {
-		// This clearly can't happen, but FIPS 140-3 requires us to check.
-		panic(err)
-	}
 	fips140.RecordApproved()
 	return dk, nil
 }

src/crypto/internal/fips140/rsa/keygen.go

@@ -105,7 +105,28 @@ func GenerateKey(rand io.Reader, bits int) (*PrivateKey, error) {
 		// negligible chance of failure we can defer the check to the end of key
 		// generation and return an error if it fails. See [checkPrivateKey].
 
-		return newPrivateKey(N, 65537, d, P, Q)
+		k, err := newPrivateKey(N, 65537, d, P, Q)
+		if err != nil {
+			return nil, err
+		}
+
+		if k.fipsApproved {
+			fips140.PCT("RSA sign and verify PCT", func() error {
+				hash := []byte{
+					0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+					0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+					0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+					0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
+				}
+				sig, err := signPKCS1v15(k, "SHA-256", hash)
+				if err != nil {
+					return err
+				}
+				return verifyPKCS1v15(k.PublicKey(), "SHA-256", hash, sig)
+			})
+		}
+
+		return k, nil
 	}
 }
 

src/crypto/internal/fips140/rsa/rsa.go

@@ -310,26 +310,6 @@ func checkPrivateKey(priv *PrivateKey) error {
 		return errors.New("crypto/rsa: d too small")
 	}
 
-	// If the key is still in scope for FIPS mode, perform a Pairwise
-	// Consistency Test.
-	if priv.fipsApproved {
-		if err := fips140.PCT("RSA sign and verify PCT", func() error {
-			hash := []byte{
-				0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
-				0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
-				0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
-				0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
-			}
-			sig, err := signPKCS1v15(priv, "SHA-256", hash)
-			if err != nil {
-				return err
-			}
-			return verifyPKCS1v15(priv.PublicKey(), "SHA-256", hash, sig)
-		}); err != nil {
-			return err
-		}
-	}
-
 	return nil
 }
 

src/crypto/internal/fips140only/fips140only.go

@@ -16,7 +16,7 @@ import (
 
 // Enabled reports whether FIPS 140-only mode is enabled, in which non-approved
 // cryptography returns an error or panics.
-var Enabled = godebug.New("#fips140").Value() == "only"
+var Enabled = godebug.New("fips140").Value() == "only"
 
 func ApprovedHash(h hash.Hash) bool {
 	switch h.(type) {

src/crypto/internal/fips140test/cast_test.go

@@ -5,17 +5,18 @@
 package fipstest
 
 import (
+	"crypto"
 	"crypto/rand"
-	"crypto/x509"
-	"encoding/pem"
 	"fmt"
 	"internal/testenv"
 	"io/fs"
 	"os"
 	"regexp"
+	"slices"
 	"strings"
 	"testing"
 
+	"crypto/internal/fips140"
 	// Import packages that define CASTs to test them.
 	_ "crypto/internal/fips140/aes"
 	_ "crypto/internal/fips140/aes/gcm"
@@ -34,7 +35,33 @@ import (
 	_ "crypto/internal/fips140/tls13"
 )
 
-func findAllCASTs(t *testing.T) map[string]struct{} {
+var allCASTs = []string{
+	"AES-CBC",
+	"CTR_DRBG",
+	"CounterKDF",
+	"DetECDSA P-256 SHA2-512 sign",
+	"ECDH PCT",
+	"ECDSA P-256 SHA2-512 sign and verify",
+	"ECDSA PCT",
+	"Ed25519 sign and verify",
+	"Ed25519 sign and verify PCT",
+	"HKDF-SHA2-256",
+	"HMAC-SHA2-256",
+	"KAS-ECC-SSC P-256",
+	"ML-KEM PCT",
+	"ML-KEM PCT",
+	"ML-KEM-768",
+	"PBKDF2",
+	"RSA sign and verify PCT",
+	"RSASSA-PKCS-v1.5 2048-bit sign and verify",
+	"SHA2-256",
+	"SHA2-512",
+	"TLSv1.2-SHA2-256",
+	"TLSv1.3-SHA2-256",
+	"cSHAKE128",
+}
+
+func TestAllCASTs(t *testing.T) {
 	testenv.MustHaveSource(t)
 
 	// Ask "go list" for the location of the crypto/internal/fips140 tree, as it
@@ -48,7 +75,7 @@ func findAllCASTs(t *testing.T) map[string]struct{} {
 	t.Logf("FIPS module directory: %s", fipsDir)
 
 	// Find all invocations of fips140.CAST or fips140.PCT.
-	allCASTs := make(map[string]struct{})
+	var foundCASTs []string
 	castRe := regexp.MustCompile(`fips140\.(CAST|PCT)\("([^"]+)"`)
 	if err := fs.WalkDir(os.DirFS(fipsDir), ".", func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
@@ -62,93 +89,101 @@ func findAllCASTs(t *testing.T) map[string]struct{} {
 			return err
 		}
 		for _, m := range castRe.FindAllSubmatch(data, -1) {
-			allCASTs[string(m[2])] = struct{}{}
+			foundCASTs = append(foundCASTs, string(m[2]))
 		}
 		return nil
 	}); err != nil {
 		t.Fatalf("WalkDir: %v", err)
 	}
 
-	return allCASTs
+	slices.Sort(foundCASTs)
+	if !slices.Equal(foundCASTs, allCASTs) {
+		t.Errorf("AllCASTs is out of date. Found CASTs: %#v", foundCASTs)
+	}
 }
 
 // TestConditionals causes the conditional CASTs and PCTs to be invoked.
 func TestConditionals(t *testing.T) {
 	mlkem.GenerateKey768()
-	k, err := ecdh.GenerateKey(ecdh.P256(), rand.Reader)
+	kDH, err := ecdh.GenerateKey(ecdh.P256(), rand.Reader)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
+	} else {
+		ecdh.ECDH(ecdh.P256(), kDH, kDH.PublicKey())
 	}
-	ecdh.ECDH(ecdh.P256(), k, k.PublicKey())
 	kDSA, err := ecdsa.GenerateKey(ecdsa.P256(), rand.Reader)
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
+	} else {
+		ecdsa.SignDeterministic(ecdsa.P256(), sha256.New, kDSA, make([]byte, 32))
 	}
-	ecdsa.SignDeterministic(ecdsa.P256(), sha256.New, kDSA, make([]byte, 32))
 	k25519, err := ed25519.GenerateKey()
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
+	} else {
+		ed25519.Sign(k25519, make([]byte, 32))
 	}
-	ed25519.Sign(k25519, make([]byte, 32))
-	rsa.VerifyPKCS1v15(&rsa.PublicKey{}, "", nil, nil)
-	// Parse an RSA key to hit the PCT rather than generating one (which is slow).
-	block, _ := pem.Decode([]byte(strings.ReplaceAll(
-		`-----BEGIN RSA TESTING KEY-----
-MIIEowIBAAKCAQEAsPnoGUOnrpiSqt4XynxA+HRP7S+BSObI6qJ7fQAVSPtRkqso
-tWxQYLEYzNEx5ZSHTGypibVsJylvCfuToDTfMul8b/CZjP2Ob0LdpYrNH6l5hvFE
-89FU1nZQF15oVLOpUgA7wGiHuEVawrGfey92UE68mOyUVXGweJIVDdxqdMoPvNNU
-l86BU02vlBiESxOuox+dWmuVV7vfYZ79Toh/LUK43YvJh+rhv4nKuF7iHjVjBd9s
-B6iDjj70HFldzOQ9r8SRI+9NirupPTkF5AKNe6kUhKJ1luB7S27ZkvB3tSTT3P59
-3VVJvnzOjaA1z6Cz+4+eRvcysqhrRgFlwI9TEwIDAQABAoIBAEEYiyDP29vCzx/+
-dS3LqnI5BjUuJhXUnc6AWX/PCgVAO+8A+gZRgvct7PtZb0sM6P9ZcLrweomlGezI
-FrL0/6xQaa8bBr/ve/a8155OgcjFo6fZEw3Dz7ra5fbSiPmu4/b/kvrg+Br1l77J
-aun6uUAs1f5B9wW+vbR7tzbT/mxaUeDiBzKpe15GwcvbJtdIVMa2YErtRjc1/5B2
-BGVXyvlJv0SIlcIEMsHgnAFOp1ZgQ08aDzvilLq8XVMOahAhP1O2A3X8hKdXPyrx
-IVWE9bS9ptTo+eF6eNl+d7htpKGEZHUxinoQpWEBTv+iOoHsVunkEJ3vjLP3lyI/
-fY0NQ1ECgYEA3RBXAjgvIys2gfU3keImF8e/TprLge1I2vbWmV2j6rZCg5r/AS0u
-pii5CvJ5/T5vfJPNgPBy8B/yRDs+6PJO1GmnlhOkG9JAIPkv0RBZvR0PMBtbp6nT
-Y3yo1lwamBVBfY6rc0sLTzosZh2aGoLzrHNMQFMGaauORzBFpY5lU50CgYEAzPHl
-u5DI6Xgep1vr8QvCUuEesCOgJg8Yh1UqVoY/SmQh6MYAv1I9bLGwrb3WW/7kqIoD
-fj0aQV5buVZI2loMomtU9KY5SFIsPV+JuUpy7/+VE01ZQM5FdY8wiYCQiVZYju9X
-Wz5LxMNoz+gT7pwlLCsC4N+R8aoBk404aF1gum8CgYAJ7VTq7Zj4TFV7Soa/T1eE
-k9y8a+kdoYk3BASpCHJ29M5R2KEA7YV9wrBklHTz8VzSTFTbKHEQ5W5csAhoL5Fo
-qoHzFFi3Qx7MHESQb9qHyolHEMNx6QdsHUn7rlEnaTTyrXh3ifQtD6C0yTmFXUIS
-CW9wKApOrnyKJ9nI0HcuZQKBgQCMtoV6e9VGX4AEfpuHvAAnMYQFgeBiYTkBKltQ
-XwozhH63uMMomUmtSG87Sz1TmrXadjAhy8gsG6I0pWaN7QgBuFnzQ/HOkwTm+qKw
-AsrZt4zeXNwsH7QXHEJCFnCmqw9QzEoZTrNtHJHpNboBuVnYcoueZEJrP8OnUG3r
-UjmopwKBgAqB2KYYMUqAOvYcBnEfLDmyZv9BTVNHbR2lKkMYqv5LlvDaBxVfilE0
-2riO4p6BaAdvzXjKeRrGNEKoHNBpOSfYCOM16NjL8hIZB1CaV3WbT5oY+jp7Mzd5
-7d56RZOE+ERK2uz/7JX9VSsM/LbH9pJibd4e8mikDS9ntciqOH/3
------END RSA TESTING KEY-----`, "TESTING KEY", "PRIVATE KEY")))
-	if _, err := x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
-		t.Fatal(err)
+	kRSA, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Error(err)
+	} else {
+		rsa.SignPKCS1v15(kRSA, crypto.SHA256.String(), make([]byte, 32))
 	}
 	t.Log("completed successfully")
 }
 
-func TestCASTFailures(t *testing.T) {
+func TestCASTPasses(t *testing.T) {
 	testenv.MustHaveExec(t)
-
-	allCASTs := findAllCASTs(t)
-	if len(allCASTs) == 0 {
-		t.Fatal("no CASTs found")
+	if err := fips140.Supported(); err != nil {
+		t.Skipf("FIPS140 not supported: %v", err)
 	}
 
-	for name := range allCASTs {
+	cmd := testenv.Command(t, testenv.Executable(t), "-test.run=^TestConditionals$", "-test.v")
+	cmd.Env = append(cmd.Env, "GODEBUG=fips140=debug")
+	out, err := cmd.CombinedOutput()
+	t.Logf("%s", out)
+	if err != nil || !strings.Contains(string(out), "completed successfully") {
+		t.Errorf("TestConditionals did not complete successfully")
+	}
+
+	for _, name := range allCASTs {
 		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-			cmd := testenv.Command(t, testenv.Executable(t), "-test.run=TestConditionals", "-test.v")
-			cmd = testenv.CleanCmdEnv(cmd)
-			cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s,fips140=on", name))
-			out, err := cmd.CombinedOutput()
-			if err == nil {
-				t.Error(err)
+			if !strings.Contains(string(out), fmt.Sprintf("passed: %s\n", name)) {
+				t.Errorf("CAST/PCT %s success was not logged", name)
 			} else {
-				t.Logf("CAST/PCT %s failed and caused the program to exit or the test to fail", name)
-				t.Logf("%s", out)
-			}
-			if strings.Contains(string(out), "completed successfully") {
-				t.Errorf("CAST/PCT %s failure did not stop the program", name)
+				t.Logf("CAST/PCT succeeded: %s", name)
+			}
+		})
+	}
+}
+
+func TestCASTFailures(t *testing.T) {
+	testenv.MustHaveExec(t)
+	if err := fips140.Supported(); err != nil {
+		t.Skipf("FIPS140 not supported: %v", err)
+	}
+
+	for _, name := range allCASTs {
+		t.Run(name, func(t *testing.T) {
+			// Don't parallelize if running in verbose mode, to produce a less
+			// confusing recoding for the validation lab.
+			if !testing.Verbose() {
+				t.Parallel()
+			}
+			t.Logf("Testing CAST/PCT failure...")
+			cmd := testenv.Command(t, testenv.Executable(t), "-test.run=TestConditionals", "-test.v")
+			cmd.Env = append(cmd.Env, fmt.Sprintf("GODEBUG=failfipscast=%s,fips140=on", name))
+			out, err := cmd.CombinedOutput()
+			t.Logf("%s", out)
+			if err == nil {
+				t.Fatal("Test did not fail as expected")
+			}
+			if strings.Contains(string(out), "completed successfully") {
+				t.Errorf("CAST/PCT %s failure did not stop the program", name)
+			} else if !strings.Contains(string(out), "self-test failed: "+name) {
+				t.Errorf("CAST/PCT %s failure did not log the expected message", name)
+			} else {
+				t.Logf("CAST/PCT %s failed as expected and caused the program to exit", name)
 			}
 		})
 	}

src/crypto/internal/fips140test/check_test.go

@@ -26,7 +26,7 @@ func TestFIPSCheckVerify(t *testing.T) {
 		return
 	}
 
-	if godebug.New("#fips140").Value() == "on" {
+	if godebug.New("fips140").Value() == "on" {
 		t.Fatalf("GODEBUG=fips140=on but verification did not run")
 	}
 

src/crypto/tls/defaults.go

@@ -92,7 +92,8 @@ var defaultCipherSuitesTLS13NoAES = []uint16{
 }
 
 // The FIPS-only policies below match BoringSSL's
-// ssl_compliance_policy_fips_202205, which is based on NIST SP 800-52r2.
+// ssl_compliance_policy_fips_202205, which is based on NIST SP 800-52r2, with
+// minor changes per https://go.dev/issue/71757.
 // https://cs.opensource.google/boringssl/boringssl/+/master:ssl/ssl_lib.cc;l=3289;drc=ea7a88fa
 
 var defaultSupportedVersionsFIPS = []uint16{
@@ -102,7 +103,7 @@ var defaultSupportedVersionsFIPS = []uint16{
 
 // defaultCurvePreferencesFIPS are the FIPS-allowed curves,
 // in preference order (most preferable first).
-var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384}
+var defaultCurvePreferencesFIPS = []CurveID{CurveP256, CurveP384, CurveP521}
 
 // defaultSupportedSignatureAlgorithmsFIPS currently are a subset of
 // defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
@@ -115,6 +116,7 @@ var defaultSupportedSignatureAlgorithmsFIPS = []SignatureScheme{
 	PKCS1WithSHA384,
 	ECDSAWithP384AndSHA384,
 	PKCS1WithSHA512,
+	ECDSAWithP521AndSHA512,
 }
 
 // defaultCipherSuitesFIPS are the FIPS-allowed cipher suites.

src/crypto/tls/ech.go

@@ -381,8 +381,28 @@ func decodeInnerClientHello(outer *clientHelloMsg, encoded []byte) (*clientHello
 		return nil, errInvalidECHExt
 	}
 
-	if len(inner.supportedVersions) != 1 || (len(inner.supportedVersions) >= 1 && inner.supportedVersions[0] != VersionTLS13) {
-		return nil, errors.New("tls: client sent encrypted_client_hello extension and offered incompatible versions")
+	hasTLS13 := false
+	for _, v := range inner.supportedVersions {
+		// Skip GREASE values (values of the form 0x?A0A).
+		// GREASE (Generate Random Extensions And Sustain Extensibility) is a mechanism used by
+		// browsers like Chrome to ensure TLS implementations correctly ignore unknown values.
+		// GREASE values follow a specific pattern: 0x?A0A, where ? can be any hex digit.
+		// These values should be ignored when processing supported TLS versions.
+		if v&0x0F0F == 0x0A0A && v&0xff == v>>8 {
+			continue
+		}
+
+		// Ensure at least TLS 1.3 is offered.
+		if v == VersionTLS13 {
+			hasTLS13 = true
+		} else if v < VersionTLS13 {
+			// Reject if any non-GREASE value is below TLS 1.3, as ECH requires TLS 1.3+.
+			return nil, errors.New("tls: client sent encrypted_client_hello extension with unsupported versions")
+		}
+	}
+
+	if !hasTLS13 {
+		return nil, errors.New("tls: client sent encrypted_client_hello extension but did not offer TLS 1.3")
 	}
 
 	return inner, nil

src/crypto/tls/fips_test.go

@@ -106,7 +106,7 @@ func isFIPSCipherSuite(id uint16) bool {
 
 func isFIPSCurve(id CurveID) bool {
 	switch id {
-	case CurveP256, CurveP384:
+	case CurveP256, CurveP384, CurveP521:
 		return true
 	}
 	return false
@@ -130,6 +130,7 @@ func isFIPSSignatureScheme(alg SignatureScheme) bool {
 		PKCS1WithSHA384,
 		ECDSAWithP384AndSHA384,
 		PKCS1WithSHA512,
+		ECDSAWithP521AndSHA512,
 		PSSWithSHA256,
 		PSSWithSHA384,
 		PSSWithSHA512:

src/crypto/tls/handshake_server.go

@@ -338,7 +338,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro
 	if http11fallback {
 		return "", nil
 	}
-	return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
+	return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
 }
 
 // supportsECDHE returns whether ECDHE key exchanges can be used with this

src/crypto/x509/parser.go

@@ -395,10 +395,8 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string
 			if err != nil {
 				return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err)
 			}
-			if len(uri.Host) > 0 {
-				if _, ok := domainToReverseLabels(uri.Host); !ok {
-					return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr)
-				}
+			if len(uri.Host) > 0 && !domainNameValid(uri.Host, false) {
+				return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr)
 			}
 			uris = append(uris, uri)
 		case nameTypeIP:
@@ -564,15 +562,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
 					return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
 				}
 
-				trimmedDomain := domain
-				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
-					// constraints can have a leading
-					// period to exclude the domain
-					// itself, but that's not valid in a
-					// normal domain name.
-					trimmedDomain = trimmedDomain[1:]
-				}
-				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
+				if !domainNameValid(domain, true) {
 					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
 				}
 				dnsNames = append(dnsNames, domain)
@@ -613,12 +603,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
 						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
 					}
 				} else {
-					// Otherwise it's a domain name.
-					domain := constraint
-					if len(domain) > 0 && domain[0] == '.' {
-						domain = domain[1:]
-					}
-					if _, ok := domainToReverseLabels(domain); !ok {
+					if !domainNameValid(constraint, true) {
 						return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
 					}
 				}
@@ -634,15 +619,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
 					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
 				}
 
-				trimmedDomain := domain
-				if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
-					// constraints can have a leading
-					// period to exclude the domain itself,
-					// but that's not valid in a normal
-					// domain name.
-					trimmedDomain = trimmedDomain[1:]
-				}
-				if _, ok := domainToReverseLabels(trimmedDomain); !ok {
+				if !domainNameValid(domain, true) {
 					return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
 				}
 				uriDomains = append(uriDomains, domain)
@@ -1283,3 +1260,62 @@ func ParseRevocationList(der []byte) (*RevocationList, error) {
 
 	return rl, nil
 }
+
+// domainNameValid is an alloc-less version of the checks that
+// domainToReverseLabels does.
+func domainNameValid(s string, constraint bool) bool {
+	// TODO(#75835): This function omits a number of checks which we
+	// really should be doing to enforce that domain names are valid names per
+	// RFC 1034. We previously enabled these checks, but this broke a
+	// significant number of certificates we previously considered valid, and we
+	// happily create via CreateCertificate (et al). We should enable these
+	// checks, but will need to gate them behind a GODEBUG.
+	//
+	// I have left the checks we previously enabled, noted with "TODO(#75835)" so
+	// that we can easily re-enable them once we unbreak everyone.
+
+	// TODO(#75835): this should only be true for constraints.
+	if len(s) == 0 {
+		return true
+	}
+
+	// Do not allow trailing period (FQDN format is not allowed in SANs or
+	// constraints).
+	if s[len(s)-1] == '.' {
+		return false
+	}
+
+	// TODO(#75835): domains must have at least one label, cannot have
+	// a leading empty label, and cannot be longer than 253 characters.
+	// if len(s) == 0 || (!constraint && s[0] == '.') || len(s) > 253 {
+	// 	return false
+	// }
+
+	lastDot := -1
+	if constraint && s[0] == '.' {
+		s = s[1:]
+	}
+
+	for i := 0; i <= len(s); i++ {
+		if i < len(s) && (s[i] < 33 || s[i] > 126) {
+			// Invalid character.
+			return false
+		}
+		if i == len(s) || s[i] == '.' {
+			labelLen := i
+			if lastDot >= 0 {
+				labelLen -= lastDot + 1
+			}
+			if labelLen == 0 {
+				return false
+			}
+			// TODO(#75835): labels cannot be longer than 63 characters.
+			// if labelLen > 63 {
+			// 	return false
+			// }
+			lastDot = i
+		}
+	}
+
+	return true
+}

src/crypto/x509/parser_test.go

@@ -5,9 +5,13 @@
 package x509
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"encoding/asn1"
 	"encoding/pem"
 	"os"
+	"strings"
 	"testing"
 
 	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
@@ -184,3 +188,106 @@ func TestParsePolicies(t *testing.T) {
 		})
 	}
 }
+
+func TestDomainNameValid(t *testing.T) {
+	for _, tc := range []struct {
+		name       string
+		dnsName    string
+		constraint bool
+		valid      bool
+	}{
+		// TODO(#75835): these tests are for stricter name validation, which we
+		// had to disable. Once we reenable these strict checks, behind a
+		// GODEBUG, we should add them back in.
+		// {"empty name, name", "", false, false},
+		// {"254 char label, name", strings.Repeat("a.a", 84) + "aaa", false, false},
+		// {"254 char label, constraint", strings.Repeat("a.a", 84) + "aaa", true, false},
+		// {"253 char label, name", strings.Repeat("a.a", 84) + "aa", false, false},
+		// {"253 char label, constraint", strings.Repeat("a.a", 84) + "aa", true, false},
+		// {"64 char single label, name", strings.Repeat("a", 64), false, false},
+		// {"64 char single label, constraint", strings.Repeat("a", 64), true, false},
+		// {"64 char label, name", "a." + strings.Repeat("a", 64), false, false},
+		// {"64 char label, constraint", "a." + strings.Repeat("a", 64), true, false},
+
+		// TODO(#75835): these are the inverse of the tests above, they should be removed
+		// once the strict checking is enabled.
+		{"254 char label, name", strings.Repeat("a.a", 84) + "aaa", false, true},
+		{"254 char label, constraint", strings.Repeat("a.a", 84) + "aaa", true, true},
+		{"253 char label, name", strings.Repeat("a.a", 84) + "aa", false, true},
+		{"253 char label, constraint", strings.Repeat("a.a", 84) + "aa", true, true},
+		{"64 char single label, name", strings.Repeat("a", 64), false, true},
+		{"64 char single label, constraint", strings.Repeat("a", 64), true, true},
+		{"64 char label, name", "a." + strings.Repeat("a", 64), false, true},
+		{"64 char label, constraint", "a." + strings.Repeat("a", 64), true, true},
+
+		// Check we properly enforce properties of domain names.
+		{"empty name, constraint", "", true, true},
+		{"empty label, name", "a..a", false, false},
+		{"empty label, constraint", "a..a", true, false},
+		{"period, name", ".", false, false},
+		{"period, constraint", ".", true, false}, // TODO(roland): not entirely clear if this is a valid constraint (require at least one label?)
+		{"valid, name", "a.b.c", false, true},
+		{"valid, constraint", "a.b.c", true, true},
+		{"leading period, name", ".a.b.c", false, false},
+		{"leading period, constraint", ".a.b.c", true, true},
+		{"trailing period, name", "a.", false, false},
+		{"trailing period, constraint", "a.", true, false},
+		{"bare label, name", "a", false, true},
+		{"bare label, constraint", "a", true, true},
+		{"63 char single label, name", strings.Repeat("a", 63), false, true},
+		{"63 char single label, constraint", strings.Repeat("a", 63), true, true},
+		{"63 char label, name", "a." + strings.Repeat("a", 63), false, true},
+		{"63 char label, constraint", "a." + strings.Repeat("a", 63), true, true},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			valid := domainNameValid(tc.dnsName, tc.constraint)
+			if tc.valid != valid {
+				t.Errorf("domainNameValid(%q, %t) = %v; want %v", tc.dnsName, tc.constraint, !tc.valid, tc.valid)
+			}
+			// Also check that we enforce the same properties as domainToReverseLabels
+			trimmedName := tc.dnsName
+			if tc.constraint && len(trimmedName) > 1 && trimmedName[0] == '.' {
+				trimmedName = trimmedName[1:]
+			}
+			_, revValid := domainToReverseLabels(trimmedName)
+			if valid != revValid {
+				t.Errorf("domainNameValid(%q, %t) = %t != domainToReverseLabels(%q) = %t", tc.dnsName, tc.constraint, valid, trimmedName, revValid)
+			}
+		})
+	}
+}
+
+func TestRoundtripWeirdSANs(t *testing.T) {
+	// TODO(#75835): check that certificates we create with CreateCertificate that have malformed SAN values
+	// can be parsed by ParseCertificate. We should eventually restrict this, but for now we have to maintain
+	// this property as people have been relying on it.
+	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	badNames := []string{
+		"baredomain",
+		"baredomain.",
+		strings.Repeat("a", 255),
+		strings.Repeat("a", 65) + ".com",
+	}
+	tmpl := &Certificate{
+		EmailAddresses: badNames,
+		DNSNames:       badNames,
+	}
+	b, err := CreateCertificate(rand.Reader, tmpl, tmpl, &k.PublicKey, k)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = ParseCertificate(b)
+	if err != nil {
+		t.Fatalf("Couldn't roundtrip certificate: %v", err)
+	}
+}
+
+func FuzzDomainNameValid(f *testing.F) {
+	f.Fuzz(func(t *testing.T, data string) {
+		domainNameValid(data, false)
+		domainNameValid(data, true)
+	})
+}

src/crypto/x509/verify.go

@@ -391,6 +391,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 // domainToReverseLabels converts a textual domain name like foo.example.com to
 // the list of labels in reverse order, e.g. ["com", "example", "foo"].
 func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
+	reverseLabels = make([]string, 0, strings.Count(domain, ".")+1)
 	for len(domain) > 0 {
 		if i := strings.LastIndexByte(domain, '.'); i == -1 {
 			reverseLabels = append(reverseLabels, domain)
@@ -428,7 +429,7 @@ func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
 	return reverseLabels, true
 }
 
-func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) {
+func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string, reversedDomainsCache map[string][]string, reversedConstraintsCache map[string][]string) (bool, error) {
 	// If the constraint contains an @, then it specifies an exact mailbox
 	// name.
 	if strings.Contains(constraint, "@") {
@@ -441,10 +442,10 @@ func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, erro
 
 	// Otherwise the constraint is like a DNS constraint of the domain part
 	// of the mailbox.
-	return matchDomainConstraint(mailbox.domain, constraint)
+	return matchDomainConstraint(mailbox.domain, constraint, reversedDomainsCache, reversedConstraintsCache)
 }
 
-func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
+func matchURIConstraint(uri *url.URL, constraint string, reversedDomainsCache map[string][]string, reversedConstraintsCache map[string][]string) (bool, error) {
 	// From RFC 5280, Section 4.2.1.10:
 	// “a uniformResourceIdentifier that does not include an authority
 	// component with a host name specified as a fully qualified domain
@@ -473,7 +474,7 @@ func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
 		return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
 	}
 
-	return matchDomainConstraint(host, constraint)
+	return matchDomainConstraint(host, constraint, reversedDomainsCache, reversedConstraintsCache)
 }
 
 func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
@@ -490,16 +491,21 @@ func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
 	return true, nil
 }
 
-func matchDomainConstraint(domain, constraint string) (bool, error) {
+func matchDomainConstraint(domain, constraint string, reversedDomainsCache map[string][]string, reversedConstraintsCache map[string][]string) (bool, error) {
 	// The meaning of zero length constraints is not specified, but this
 	// code follows NSS and accepts them as matching everything.
 	if len(constraint) == 0 {
 		return true, nil
 	}
 
-	domainLabels, ok := domainToReverseLabels(domain)
-	if !ok {
-		return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain)
+	domainLabels, found := reversedDomainsCache[domain]
+	if !found {
+		var ok bool
+		domainLabels, ok = domainToReverseLabels(domain)
+		if !ok {
+			return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain)
+		}
+		reversedDomainsCache[domain] = domainLabels
 	}
 
 	// RFC 5280 says that a leading period in a domain name means that at
@@ -513,9 +519,14 @@ func matchDomainConstraint(domain, constraint string) (bool, error) {
 		constraint = constraint[1:]
 	}
 
-	constraintLabels, ok := domainToReverseLabels(constraint)
-	if !ok {
-		return false, fmt.Errorf("x509: internal error: cannot parse domain %q", constraint)
+	constraintLabels, found := reversedConstraintsCache[constraint]
+	if !found {
+		var ok bool
+		constraintLabels, ok = domainToReverseLabels(constraint)
+		if !ok {
+			return false, fmt.Errorf("x509: internal error: cannot parse domain %q", constraint)
+		}
+		reversedConstraintsCache[constraint] = constraintLabels
 	}
 
 	if len(domainLabels) < len(constraintLabels) ||
@@ -636,6 +647,19 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 		}
 	}
 
+	// Each time we do constraint checking, we need to check the constraints in
+	// the current certificate against all of the names that preceded it. We
+	// reverse these names using domainToReverseLabels, which is a relatively
+	// expensive operation. Since we check each name against each constraint,
+	// this requires us to do N*C calls to domainToReverseLabels (where N is the
+	// total number of names that preceed the certificate, and C is the total
+	// number of constraints in the certificate). By caching the results of
+	// calling domainToReverseLabels, we can reduce that to N+C calls at the
+	// cost of keeping all of the parsed names and constraints in memory until
+	// we return from isValid.
+	reversedDomainsCache := map[string][]string{}
+	reversedConstraintsCache := map[string][]string{}
+
 	if (certType == intermediateCertificate || certType == rootCertificate) &&
 		c.hasNameConstraints() {
 		toCheck := []*Certificate{}
@@ -656,20 +680,20 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 
 					if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox,
 						func(parsedName, constraint any) (bool, error) {
-							return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
+							return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string), reversedDomainsCache, reversedConstraintsCache)
 						}, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil {
 						return err
 					}
 
 				case nameTypeDNS:
 					name := string(data)
-					if _, ok := domainToReverseLabels(name); !ok {
+					if !domainNameValid(name, false) {
 						return fmt.Errorf("x509: cannot parse dnsName %q", name)
 					}
 
 					if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name,
 						func(parsedName, constraint any) (bool, error) {
-							return matchDomainConstraint(parsedName.(string), constraint.(string))
+							return matchDomainConstraint(parsedName.(string), constraint.(string), reversedDomainsCache, reversedConstraintsCache)
 						}, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil {
 						return err
 					}
@@ -683,7 +707,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 
 					if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "URI", name, uri,
 						func(parsedName, constraint any) (bool, error) {
-							return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
+							return matchURIConstraint(parsedName.(*url.URL), constraint.(string), reversedDomainsCache, reversedConstraintsCache)
 						}, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil {
 						return err
 					}
@@ -841,31 +865,45 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
 		}
 	}
 
-	if len(opts.KeyUsages) == 0 {
-		opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
-	}
-
-	for _, eku := range opts.KeyUsages {
-		if eku == ExtKeyUsageAny {
-			// If any key usage is acceptable, no need to check the chain for
-			// key usages.
-			return candidateChains, nil
-		}
-	}
-
 	chains = make([][]*Certificate, 0, len(candidateChains))
-	var incompatibleKeyUsageChains, invalidPoliciesChains int
+
+	var invalidPoliciesChains int
 	for _, candidate := range candidateChains {
-		if !checkChainForKeyUsage(candidate, opts.KeyUsages) {
-			incompatibleKeyUsageChains++
-			continue
-		}
 		if !policiesValid(candidate, opts) {
 			invalidPoliciesChains++
 			continue
 		}
 		chains = append(chains, candidate)
 	}
+
+	if len(chains) == 0 {
+		return nil, CertificateInvalidError{c, NoValidChains, "all candidate chains have invalid policies"}
+	}
+
+	for _, eku := range opts.KeyUsages {
+		if eku == ExtKeyUsageAny {
+			// If any key usage is acceptable, no need to check the chain for
+			// key usages.
+			return chains, nil
+		}
+	}
+
+	if len(opts.KeyUsages) == 0 {
+		opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
+	}
+
+	candidateChains = chains
+	chains = chains[:0]
+
+	var incompatibleKeyUsageChains int
+	for _, candidate := range candidateChains {
+		if !checkChainForKeyUsage(candidate, opts.KeyUsages) {
+			incompatibleKeyUsageChains++
+			continue
+		}
+		chains = append(chains, candidate)
+	}
+
 	if len(chains) == 0 {
 		var details []string
 		if incompatibleKeyUsageChains > 0 {
@@ -913,7 +951,10 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool {
 		if !bytes.Equal(candidate.RawSubject, cert.RawSubject) {
 			continue
 		}
-		if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) {
+		// We enforce the canonical encoding of SPKI (by only allowing the
+		// correct AI paremeter encodings in parseCertificate), so it's safe to
+		// directly compare the raw bytes.
+		if !bytes.Equal(candidate.RawSubjectPublicKeyInfo, cert.RawSubjectPublicKeyInfo) {
 			continue
 		}
 		var certSAN *pkix.Extension

src/crypto/x509/verify_test.go

@@ -6,6 +6,7 @@ package x509
 
 import (
 	"crypto"
+	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -1351,7 +1352,7 @@ var nameConstraintTests = []struct {
 
 func TestNameConstraints(t *testing.T) {
 	for i, test := range nameConstraintTests {
-		result, err := matchDomainConstraint(test.domain, test.constraint)
+		result, err := matchDomainConstraint(test.domain, test.constraint, map[string][]string{}, map[string][]string{})
 
 		if err != nil && !test.expectError {
 			t.Errorf("unexpected error for test #%d: domain=%s, constraint=%s, err=%s", i, test.domain, test.constraint, err)
@@ -3012,3 +3013,165 @@ func TestPoliciesValid(t *testing.T) {
 		})
 	}
 }
+
+func TestInvalidPolicyWithAnyKeyUsage(t *testing.T) {
+	loadTestCert := func(t *testing.T, path string) *Certificate {
+		b, err := os.ReadFile(path)
+		if err != nil {
+			t.Fatal(err)
+		}
+		p, _ := pem.Decode(b)
+		c, err := ParseCertificate(p.Bytes)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return c
+	}
+
+	testOID3 := mustNewOIDFromInts([]uint64{1, 2, 840, 113554, 4, 1, 72585, 2, 3})
+	root, intermediate, leaf := loadTestCert(t, "testdata/policy_root.pem"), loadTestCert(t, "testdata/policy_intermediate_require.pem"), loadTestCert(t, "testdata/policy_leaf.pem")
+
+	expectedErr := "x509: no valid chains built: all candidate chains have invalid policies"
+
+	roots, intermediates := NewCertPool(), NewCertPool()
+	roots.AddCert(root)
+	intermediates.AddCert(intermediate)
+
+	_, err := leaf.Verify(VerifyOptions{
+		Roots:               roots,
+		Intermediates:       intermediates,
+		KeyUsages:           []ExtKeyUsage{ExtKeyUsageAny},
+		CertificatePolicies: []OID{testOID3},
+	})
+	if err == nil {
+		t.Fatal("unexpected success, invalid policy shouldn't be bypassed by passing VerifyOptions.KeyUsages with ExtKeyUsageAny")
+	} else if err.Error() != expectedErr {
+		t.Fatalf("unexpected error, got %q, want %q", err, expectedErr)
+	}
+}
+
+func TestCertificateChainSignedByECDSA(t *testing.T) {
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	root := &Certificate{
+		SerialNumber:          big.NewInt(1),
+		Subject:               pkix.Name{CommonName: "X"},
+		NotBefore:             time.Now().Add(-time.Hour),
+		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
+		IsCA:                  true,
+		KeyUsage:              KeyUsageCertSign | KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+	}
+	caDER, err := CreateCertificate(rand.Reader, root, root, &caKey.PublicKey, caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	root, err = ParseCertificate(caDER)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	leaf := &Certificate{
+		SerialNumber:          big.NewInt(42),
+		Subject:               pkix.Name{CommonName: "leaf"},
+		NotBefore:             time.Now().Add(-10 * time.Minute),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              KeyUsageDigitalSignature,
+		ExtKeyUsage:           []ExtKeyUsage{ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	leafDER, err := CreateCertificate(rand.Reader, leaf, root, &leafKey.PublicKey, caKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	leaf, err = ParseCertificate(leafDER)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	inter, err := ParseCertificate(dsaSelfSignedCNX(t))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	inters := NewCertPool()
+	inters.AddCert(root)
+	inters.AddCert(inter)
+
+	wantErr := "certificate signed by unknown authority"
+	_, err = leaf.Verify(VerifyOptions{Intermediates: inters, Roots: NewCertPool()})
+	if !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("got %v, want %q", err, wantErr)
+	}
+}
+
+// dsaSelfSignedCNX produces DER-encoded
+// certificate with the properties:
+//
+//	Subject=Issuer=CN=X
+//	DSA SPKI
+//	Matching inner/outer signature OIDs
+//	Dummy ECDSA signature
+func dsaSelfSignedCNX(t *testing.T) []byte {
+	t.Helper()
+	var params dsa.Parameters
+	if err := dsa.GenerateParameters(&params, rand.Reader, dsa.L1024N160); err != nil {
+		t.Fatal(err)
+	}
+
+	var dsaPriv dsa.PrivateKey
+	dsaPriv.Parameters = params
+	if err := dsa.GenerateKey(&dsaPriv, rand.Reader); err != nil {
+		t.Fatal(err)
+	}
+	dsaPub := &dsaPriv.PublicKey
+
+	type dsaParams struct{ P, Q, G *big.Int }
+	paramDER, err := asn1.Marshal(dsaParams{dsaPub.P, dsaPub.Q, dsaPub.G})
+	if err != nil {
+		t.Fatal(err)
+	}
+	yDER, err := asn1.Marshal(dsaPub.Y)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	spki := publicKeyInfo{
+		Algorithm: pkix.AlgorithmIdentifier{
+			Algorithm:  oidPublicKeyDSA,
+			Parameters: asn1.RawValue{FullBytes: paramDER},
+		},
+		PublicKey: asn1.BitString{Bytes: yDER, BitLength: 8 * len(yDER)},
+	}
+
+	rdn := pkix.Name{CommonName: "X"}.ToRDNSequence()
+	b, err := asn1.Marshal(rdn)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rawName := asn1.RawValue{FullBytes: b}
+
+	algoIdent := pkix.AlgorithmIdentifier{Algorithm: oidSignatureDSAWithSHA256}
+	tbs := tbsCertificate{
+		Version:            0,
+		SerialNumber:       big.NewInt(1002),
+		SignatureAlgorithm: algoIdent,
+		Issuer:             rawName,
+		Validity:           validity{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)},
+		Subject:            rawName,
+		PublicKey:          spki,
+	}
+	c := certificate{
+		TBSCertificate:     tbs,
+		SignatureAlgorithm: algoIdent,
+		SignatureValue:     asn1.BitString{Bytes: []byte{0}, BitLength: 8},
+	}
+	dsaDER, err := asn1.Marshal(c)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return dsaDER
+}

src/database/sql/convert.go

@@ -335,7 +335,6 @@ func convertAssignRows(dest, src any, rows *Rows) error {
 			if rows == nil {
 				return errors.New("invalid context to convert cursor rows, missing parent *Rows")
 			}
-			rows.closemu.Lock()
 			*d = Rows{
 				dc:          rows.dc,
 				releaseConn: func(error) {},
@@ -351,7 +350,6 @@ func convertAssignRows(dest, src any, rows *Rows) error {
 					parentCancel()
 				}
 			}
-			rows.closemu.Unlock()
 			return nil
 		}
 	}

src/database/sql/fakedb_test.go

@@ -5,6 +5,7 @@
 package sql
 
 import (
+	"bytes"
 	"context"
 	"database/sql/driver"
 	"errors"
@@ -15,7 +16,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"testing"
 	"time"
 )
@@ -91,8 +91,6 @@ func (cc *fakeDriverCtx) OpenConnector(name string) (driver.Connector, error) {
 type fakeDB struct {
 	name string
 
-	useRawBytes atomic.Bool
-
 	mu       sync.Mutex
 	tables   map[string]*table
 	badConn  bool
@@ -684,8 +682,6 @@ func (c *fakeConn) PrepareContext(ctx context.Context, query string) (driver.Stm
 		switch cmd {
 		case "WIPE":
 			// Nothing
-		case "USE_RAWBYTES":
-			c.db.useRawBytes.Store(true)
 		case "SELECT":
 			stmt, err = c.prepareSelect(stmt, parts)
 		case "CREATE":
@@ -789,9 +785,6 @@ func (s *fakeStmt) ExecContext(ctx context.Context, args []driver.NamedValue) (d
 	case "WIPE":
 		db.wipe()
 		return driver.ResultNoRows, nil
-	case "USE_RAWBYTES":
-		s.c.db.useRawBytes.Store(true)
-		return driver.ResultNoRows, nil
 	case "CREATE":
 		if err := db.createTable(s.table, s.colName, s.colType); err != nil {
 			return nil, err
@@ -1076,10 +1069,9 @@ type rowsCursor struct {
 	errPos int
 	err    error
 
-	// a clone of slices to give out to clients, indexed by the
-	// original slice's first byte address.  we clone them
-	// just so we're able to corrupt them on close.
-	bytesClone map[*byte][]byte
+	// Data returned to clients.
+	// We clone and stash it here so it can be invalidated by Close and Next.
+	driverOwnedMemory [][]byte
 
 	// Every operation writes to line to enable the race detector
 	// check for data races.
@@ -1096,9 +1088,19 @@ func (rc *rowsCursor) touchMem() {
 	rc.line++
 }
 
+func (rc *rowsCursor) invalidateDriverOwnedMemory() {
+	for _, buf := range rc.driverOwnedMemory {
+		for i := range buf {
+			buf[i] = 'x'
+		}
+	}
+	rc.driverOwnedMemory = nil
+}
+
 func (rc *rowsCursor) Close() error {
 	rc.touchMem()
 	rc.parentMem.touchMem()
+	rc.invalidateDriverOwnedMemory()
 	rc.closed = true
 	return rc.closeErr
 }
@@ -1129,6 +1131,8 @@ func (rc *rowsCursor) Next(dest []driver.Value) error {
 	if rc.posRow >= len(rc.rows[rc.posSet]) {
 		return io.EOF // per interface spec
 	}
+	// Corrupt any previously returned bytes.
+	rc.invalidateDriverOwnedMemory()
 	for i, v := range rc.rows[rc.posSet][rc.posRow].cols {
 		// TODO(bradfitz): convert to subset types? naah, I
 		// think the subset types should only be input to
@@ -1136,20 +1140,13 @@ func (rc *rowsCursor) Next(dest []driver.Value) error {
 		// a wider range of types coming out of drivers. all
 		// for ease of drivers, and to prevent drivers from
 		// messing up conversions or doing them differently.
-		dest[i] = v
-
-		if bs, ok := v.([]byte); ok && !rc.db.useRawBytes.Load() {
-			if rc.bytesClone == nil {
-				rc.bytesClone = make(map[*byte][]byte)
-			}
-			clone, ok := rc.bytesClone[&bs[0]]
-			if !ok {
-				clone = make([]byte, len(bs))
-				copy(clone, bs)
-				rc.bytesClone[&bs[0]] = clone
-			}
-			dest[i] = clone
+		if bs, ok := v.([]byte); ok {
+			// Clone []bytes and stash for later invalidation.
+			bs = bytes.Clone(bs)
+			rc.driverOwnedMemory = append(rc.driverOwnedMemory, bs)
+			v = bs
 		}
+		dest[i] = v
 	}
 	return nil
 }

src/database/sql/sql.go

@@ -3368,38 +3368,36 @@ func (rs *Rows) Scan(dest ...any) error {
 		// without calling Next.
 		return fmt.Errorf("sql: Scan called without calling Next (closemuScanHold)")
 	}
+
 	rs.closemu.RLock()
-
-	if rs.lasterr != nil && rs.lasterr != io.EOF {
-		rs.closemu.RUnlock()
-		return rs.lasterr
-	}
-	if rs.closed {
-		err := rs.lasterrOrErrLocked(errRowsClosed)
-		rs.closemu.RUnlock()
-		return err
-	}
-
-	if scanArgsContainRawBytes(dest) {
+	rs.raw = rs.raw[:0]
+	err := rs.scanLocked(dest...)
+	if err == nil && scanArgsContainRawBytes(dest) {
 		rs.closemuScanHold = true
-		rs.raw = rs.raw[:0]
 	} else {
 		rs.closemu.RUnlock()
 	}
+	return err
+}
+
+func (rs *Rows) scanLocked(dest ...any) error {
+	if rs.lasterr != nil && rs.lasterr != io.EOF {
+		return rs.lasterr
+	}
+	if rs.closed {
+		return rs.lasterrOrErrLocked(errRowsClosed)
+	}
 
 	if rs.lastcols == nil {
-		rs.closemuRUnlockIfHeldByScan()
 		return errors.New("sql: Scan called without calling Next")
 	}
 	if len(dest) != len(rs.lastcols) {
-		rs.closemuRUnlockIfHeldByScan()
 		return fmt.Errorf("sql: expected %d destination arguments in Scan, not %d", len(rs.lastcols), len(dest))
 	}
 
 	for i, sv := range rs.lastcols {
 		err := convertAssignRows(dest[i], sv, rs)
 		if err != nil {
-			rs.closemuRUnlockIfHeldByScan()
 			return fmt.Errorf(`sql: Scan error on column index %d, name %q: %w`, i, rs.rowsi.Columns()[i], err)
 		}
 	}

src/database/sql/sql_test.go

@@ -5,6 +5,7 @@
 package sql
 
 import (
+	"bytes"
 	"context"
 	"database/sql/driver"
 	"errors"
@@ -4446,10 +4447,6 @@ func testContextCancelDuringRawBytesScan(t *testing.T, mode string) {
 	db := newTestDB(t, "people")
 	defer closeDB(t, db)
 
-	if _, err := db.Exec("USE_RAWBYTES"); err != nil {
-		t.Fatal(err)
-	}
-
 	// cancel used to call close asynchronously.
 	// This test checks that it waits so as not to interfere with RawBytes.
 	ctx, cancel := context.WithCancel(context.Background())
@@ -4541,6 +4538,61 @@ func TestContextCancelBetweenNextAndErr(t *testing.T) {
 	}
 }
 
+type testScanner struct {
+	scanf func(src any) error
+}
+
+func (ts testScanner) Scan(src any) error { return ts.scanf(src) }
+
+func TestContextCancelDuringScan(t *testing.T) {
+	db := newTestDB(t, "people")
+	defer closeDB(t, db)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	scanStart := make(chan any)
+	scanEnd := make(chan error)
+	scanner := &testScanner{
+		scanf: func(src any) error {
+			scanStart <- src
+			return <-scanEnd
+		},
+	}
+
+	// Start a query, and pause it mid-scan.
+	want := []byte("Alice")
+	r, err := db.QueryContext(ctx, "SELECT|people|name|name=?", string(want))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !r.Next() {
+		t.Fatalf("r.Next() = false, want true")
+	}
+	go func() {
+		r.Scan(scanner)
+	}()
+	got := <-scanStart
+	defer close(scanEnd)
+	gotBytes, ok := got.([]byte)
+	if !ok {
+		t.Fatalf("r.Scan returned %T, want []byte", got)
+	}
+	if !bytes.Equal(gotBytes, want) {
+		t.Fatalf("before cancel: r.Scan returned %q, want %q", gotBytes, want)
+	}
+
+	// Cancel the query.
+	// Sleep to give it a chance to finish canceling.
+	cancel()
+	time.Sleep(10 * time.Millisecond)
+
+	// Cancelling the query should not have changed the result.
+	if !bytes.Equal(gotBytes, want) {
+		t.Fatalf("after cancel: r.Scan result is now %q, want %q", gotBytes, want)
+	}
+}
+
 func TestNilErrorAfterClose(t *testing.T) {
 	db := newTestDB(t, "people")
 	defer closeDB(t, db)
@@ -4574,10 +4626,6 @@ func TestRawBytesReuse(t *testing.T) {
 	db := newTestDB(t, "people")
 	defer closeDB(t, db)
 
-	if _, err := db.Exec("USE_RAWBYTES"); err != nil {
-		t.Fatal(err)
-	}
-
 	var raw RawBytes
 
 	// The RawBytes in this query aliases driver-owned memory.

src/debug/buildinfo/buildinfo_test.go

@@ -11,6 +11,7 @@ import (
 	"encoding/binary"
 	"flag"
 	"fmt"
+	"internal/obscuretestdata"
 	"internal/testenv"
 	"os"
 	"os/exec"
@@ -275,24 +276,16 @@ func TestReadFile(t *testing.T) {
 
 // Test117 verifies that parsing of the old, pre-1.18 format works.
 func Test117(t *testing.T) {
-	// go117 was generated for linux-amd64 with:
-	//
-	// main.go:
-	//
-	// package main
-	// func main() {}
-	//
-	// GOTOOLCHAIN=go1.17 go mod init example.com/go117
-	// GOTOOLCHAIN=go1.17 go build
-	//
-	// TODO(prattmic): Ideally this would be built on the fly to better
-	// cover all executable formats, but then we need a network connection
-	// to download an old Go toolchain.
-	info, err := buildinfo.ReadFile("testdata/go117")
+	b, err := obscuretestdata.ReadFile("testdata/go117/go117.base64")
 	if err != nil {
 		t.Fatalf("ReadFile got err %v, want nil", err)
 	}
 
+	info, err := buildinfo.Read(bytes.NewReader(b))
+	if err != nil {
+		t.Fatalf("Read got err %v, want nil", err)
+	}
+
 	if info.GoVersion != "go1.17" {
 		t.Errorf("GoVersion got %s want go1.17", info.GoVersion)
 	}
@@ -306,20 +299,14 @@ func Test117(t *testing.T) {
 
 // TestNotGo verifies that parsing of a non-Go binary returns the proper error.
 func TestNotGo(t *testing.T) {
-	// notgo was generated for linux-amd64 with:
-	//
-	// main.c:
-	//
-	// int main(void) { return 0; }
-	//
-	// cc -o notgo main.c
-	//
-	// TODO(prattmic): Ideally this would be built on the fly to better
-	// cover all executable formats, but then we need to encode the
-	// intricacies of calling each platform's C compiler.
-	_, err := buildinfo.ReadFile("testdata/notgo")
+	b, err := obscuretestdata.ReadFile("testdata/notgo/notgo.base64")
+	if err != nil {
+		t.Fatalf("ReadFile got err %v, want nil", err)
+	}
+
+	_, err = buildinfo.Read(bytes.NewReader(b))
 	if err == nil {
-		t.Fatalf("ReadFile got nil err, want non-nil")
+		t.Fatalf("Read got nil err, want non-nil")
 	}
 
 	// The precise error text here isn't critical, but we want something
@@ -410,13 +397,13 @@ func TestIssue54968(t *testing.T) {
 }
 
 func FuzzRead(f *testing.F) {
-	go117, err := os.ReadFile("testdata/go117")
+	go117, err := obscuretestdata.ReadFile("testdata/go117/go117.base64")
 	if err != nil {
 		f.Errorf("Error reading go117: %v", err)
 	}
 	f.Add(go117)
 
-	notgo, err := os.ReadFile("testdata/notgo")
+	notgo, err := obscuretestdata.ReadFile("testdata/notgo/notgo.base64")
 	if err != nil {
 		f.Errorf("Error reading notgo: %v", err)
 	}

src/debug/buildinfo/testdata/go117/README.md

@@ -0,0 +1,15 @@
+go117.base64 is a base64-encoded Go 1.17 hello world binary used to test
+debug/buildinfo of pre-1.18 buildinfo encoding.
+
+The binary is base64 encoded to hide it from security scanners that believe a
+Go 1.17 is inherently insecure.
+
+Generate go117.base64 with:
+
+$ GOTOOLCHAIN=go1.17 GOOS=linux GOARCH=amd64 go build -trimpath
+$ base64 go117 > go117.base64
+$ rm go117
+
+TODO(prattmic): Ideally this would be built on the fly to better cover all
+executable formats, but then we need a network connection to download an old Go
+toolchain.

src/debug/buildinfo/testdata/go117/go.mod

@@ -0,0 +1,3 @@
+module example.com/go117
+
+go 1.17

src/debug/buildinfo/testdata/go117/main.go

@@ -0,0 +1,7 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+func main() {}