test on Go 1.22.x, draft changelog

.github/workflows/test.yml

@@ -25,7 +25,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.21.x]
+        go-version: [1.21.x, 1.22.x]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -53,17 +53,17 @@ jobs:
     # Static checks from this point forward. Only run on one Go version and on
     # linux, since it's the fastest platform, and the tools behave the same.
     - name: Test third-party project builds
-      if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
+      if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x'
       run: |
         go install
         ./scripts/check-third-party.sh
-    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
+    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x'
       run: ./scripts/crlf-test.sh
-    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
+    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x'
       run: diff <(echo -n) <(gofmt -d .)
-    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
+    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x'
       run: go vet ./...
-    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21.x'
+    - if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.22.x'
       uses: dominikh/staticcheck-action@v1
       with:
         version: "2023.1.6"
@@ -81,11 +81,12 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
-        go-version: 1.21.x
+        go-version: 1.22.x
         cache: false
     - run: go test -short ./...
 
   test-gotip:
+    if: false # let tip for 1.23 settle first
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## [v0.12.0] - 2024-02-??
+
+This release continues support for Go 1.21 and includes fixes for Go 1.22,
+now that the final 1.22.0 release is out.
+
+@lu4p improved the detection of types used with reflection to track `make` calls too,
+fixing more `cannot use T1 as T2` errors when obfuscating types. See [#690].
+
+@pagran added a trash block generator to the control flow obfuscator.
+TODO: link to the docs once they are in master?
+See [#825].
+
+A number of bugfixes are also included:
+* Avoid an error when building for `GOOS=ios` - [#816]
+* Prevent the shuffle literal obfuscation from being optimized away - [#819]
+* Support inline comments in assembly `#include` lines - [#812]
+
 ## [v0.11.0] - 2023-12-02
 
 This release drops support for Go 1.20, continues support for Go 1.21,
@@ -261,6 +278,12 @@ Known bugs:
 * obfuscating the standard library with `GOPRIVATE=*` is not well supported yet
 * `garble test` is temporarily disabled, as it is currently broken
 
+[#690]: https://github.com/burrowers/garble/issues/690
+[#812]: https://github.com/burrowers/garble/issues/812
+[#816]: https://github.com/burrowers/garble/pull/816
+[#819]: https://github.com/burrowers/garble/pull/819
+[#825]: https://github.com/burrowers/garble/pull/825
+
 [v0.11.0]: https://github.com/burrowers/garble/releases/tag/v0.11.0
 [#462]: https://github.com/burrowers/garble/issues/462
 [#685]: https://github.com/burrowers/garble/issues/685

hash.go

@@ -41,7 +41,7 @@ func decodeBuildIDHash(str string) []byte {
 		panic(fmt.Sprintf("invalid hash %q: %v", str, err))
 	}
 	if len(h) != buildIDHashLength {
-		panic(fmt.Sprintf("decodeHash expects to result in a hash of length %d, got %d", buildIDHashLength, len(h)))
+		panic(fmt.Sprintf("decodeBuildIDHash expects to result in a hash of length %d, got %d", buildIDHashLength, len(h)))
 	}
 	return h
 }

scripts/gen-go-std-tables.sh

@@ -34,8 +34,11 @@ var runtimeAndDeps = map[string]bool{
 $(for path in ${runtime_and_deps}; do
 	echo "\"${path}\": true,"
 done)
-	// Not a runtime dependency, but still uses tricks allowed by import path.
-	// Not a big deal either way, given that it's only imported in test packages.
+	// Not runtime dependencies, but still use tricks allowed by import path.
+	// TODO: collect directly from cmd/internal/objabi/pkgspecial.go,
+	// in this particular case from allowAsmABIPkgs.
+	"reflect": true,
+	"syscall": true,
 	"runtime/internal/startlinetest": true,
 }
 

shared.go

@@ -188,6 +188,7 @@ func (p *listedPackage) obfuscatedImportPath() string {
 	case "runtime", "reflect", "embed":
 		return p.ImportPath
 	}
+	// Intrinsics are matched by package import path as well.
 	if compilerIntrinsicsPkgs[p.ImportPath] {
 		return p.ImportPath
 	}

testdata/script/crossbuild.txtar

@@ -18,6 +18,16 @@
 [arm] env GOARCH=arm64
 exec garble build -gcflags=math/bits=-d=ssa/intrinsics/debug=1
 stderr 'intrinsic substitution for Len64.*BitLen64'
+
+# As a last step, also test building for MacOS if we're not already on it.
+# We already cover Windows and Linux above, and MacOS is the other major OS.
+# The way it is implemented in the standard library, in particular with syscalls,
+# is different enough that it sometimes causes special bugs.
+[darwin] stop
+env GOOS=darwin
+env GOARCH=arm64
+exec garble build
+
 -- go.mod --
 module test/main
 

testdata/script/gogarble.txtar

@@ -36,11 +36,11 @@ exec garble build std
 # Also ensure we are obfuscating low-level std packages.
 exec garble build -o=out ./stdimporter
 ! stderr . # no warnings
-! binsubstr out 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' 'syscall.Listen'
+! binsubstr out 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now'
 
 # The same low-level std packages appear in plain sight in regular builds.
 go build -o=out_regular ./stdimporter
-binsubstr out_regular 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' 'syscall.Listen'
+binsubstr out_regular 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now'
 
 # Also check that a full rebuild is reproducible, via a new GOCACHE.
 # This is slow, but necessary to uncover bugs hidden by the build cache.
@@ -79,7 +79,6 @@ import (
 	"net/http"
 	"runtime/debug"
 	"time"
-	"syscall"
 )
 
 func main() {
@@ -88,5 +87,4 @@ func main() {
 	// as it is implemented by runtime via a linkname.
 	debug.WriteHeapDump(1)
 	time.Now()
-	syscall.Listen(0, 1)
 }