[go] runtime/secret: implement new secret package

56 views
Skip to first unread message

Daniel Morsing (Gerrit)

unread,
Oct 3, 2025, 8:14:37 AMOct 3
to goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com

Daniel Morsing voted and added 1 comment

Votes added by Daniel Morsing

Commit-Queue+1

1 comment

Patchset-level comments
File-level comment, Patchset 15 (Latest):
Daniel Morsing . resolved

This is ready for review. The trybots are unhappy about the tests using gdb to get the core dump, but I've asked on go-dev about what can be done to fix it. I would very much prefer that the core tests aren't skipped since leakage is a hard problem to detect within the process itself.

Does anything need to happen since Keith wrote most of this code? what's the policy on co-authorship?

Open in Gerrit

Related details

Attention set is empty
Submit Requirements:
  • requirement is not satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
  • requirement is not satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
Gerrit-Change-Number: 704615
Gerrit-PatchSet: 15
Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
Gerrit-CC: Austin Clements <aus...@google.com>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@golang.org>
Gerrit-Comment-Date: Fri, 03 Oct 2025 12:14:28 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
unsatisfied_requirement
satisfied_requirement
open
diffy

Keith Randall (Gerrit)

unread,
Oct 7, 2025, 1:28:59 PMOct 7
to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
Attention needed from Daniel Morsing

Keith Randall added 1 comment

Patchset-level comments
Daniel Morsing . resolved

This is ready for review. The trybots are unhappy about the tests using gdb to get the core dump, but I've asked on go-dev about what can be done to fix it. I would very much prefer that the core tests aren't skipped since leakage is a hard problem to detect within the process itself.

Does anything need to happen since Keith wrote most of this code? what's the policy on co-authorship?

Keith Randall

Co-authorship is fine. We've all signed the CLA, which is what matters.

I do think we still need to come to agreement on the pointer leak thing. Maybe it is ok, but I don't have the expertise to make that call.

I will take a look at this CL this week. Sounds like I might be reviewing some of my own code. I'm sure it is awesome 😊

Open in Gerrit

Related details

Attention is currently required from:
  • Daniel Morsing
Submit Requirements:
  • requirement is not satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
  • requirement is not satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
Gerrit-Change-Number: 704615
Gerrit-PatchSet: 15
Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
Gerrit-CC: Austin Clements <aus...@google.com>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@golang.org>
Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
Gerrit-Comment-Date: Tue, 07 Oct 2025 17:28:55 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
unsatisfied_requirement
satisfied_requirement
open
diffy

Daniel Morsing (Gerrit)

unread,
Oct 8, 2025, 3:54:01 AMOct 8
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Daniel Morsing

Daniel Morsing uploaded new patchset

Daniel Morsing uploaded patch set #16 to this change.
Following approvals got outdated and were removed:
  • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
Open in Gerrit

Related details

Attention is currently required from:
  • Daniel Morsing
Submit Requirements:
  • requirement is not satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
  • requirement is not satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: newpatchset
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
Gerrit-Change-Number: 704615
Gerrit-PatchSet: 16
unsatisfied_requirement
satisfied_requirement
open
diffy

Filippo Valsorda (Gerrit)

unread,
Oct 8, 2025, 5:03:13 AMOct 8
to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
Attention needed from Daniel Morsing and Keith Randall

Filippo Valsorda added 1 comment

Patchset-level comments
Daniel Morsing . resolved

This is ready for review. The trybots are unhappy about the tests using gdb to get the core dump, but I've asked on go-dev about what can be done to fix it. I would very much prefer that the core tests aren't skipped since leakage is a hard problem to detect within the process itself.

Does anything need to happen since Keith wrote most of this code? what's the policy on co-authorship?

Keith Randall

Co-authorship is fine. We've all signed the CLA, which is what matters.

I do think we still need to come to agreement on the pointer leak thing. Maybe it is ok, but I don't have the expertise to make that call.

I will take a look at this CL this week. Sounds like I might be reviewing some of my own code. I'm sure it is awesome 😊

Filippo Valsorda

I'm ok with leaking pointers if it makes this viable.

The primary use case for runtime/secret is cryptographic keys involved in forward secrecy mechanisms, and cryptographic code already never ever encodes secrets in pointers and offsets, because there is just no way to stop the CPU from leaking them through cache side-channels.

Open in Gerrit

Related details

Attention is currently required from:
  • Daniel Morsing
  • Keith Randall
Submit Requirements:
  • requirement is not satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
  • requirement is not satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
Gerrit-Change-Number: 704615
Gerrit-PatchSet: 16
Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
Gerrit-CC: Austin Clements <aus...@google.com>
Gerrit-CC: Filippo Valsorda <fil...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
Gerrit-Comment-Date: Wed, 08 Oct 2025 09:03:03 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Keith Randall <k...@golang.org>
Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
unsatisfied_requirement
satisfied_requirement
open
diffy

Daniel Morsing (Gerrit)

unread,
Oct 8, 2025, 5:08:46 AMOct 8
to goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
Attention needed from Filippo Valsorda and Keith Randall

Daniel Morsing added 2 comments

Patchset-level comments
Daniel Morsing . resolved

This is ready for review. The trybots are unhappy about the tests using gdb to get the core dump, but I've asked on go-dev about what can be done to fix it. I would very much prefer that the core tests aren't skipped since leakage is a hard problem to detect within the process itself.

Does anything need to happen since Keith wrote most of this code? what's the policy on co-authorship?

Keith Randall

Co-authorship is fine. We've all signed the CLA, which is what matters.

I do think we still need to come to agreement on the pointer leak thing. Maybe it is ok, but I don't have the expertise to make that call.

I will take a look at this CL this week. Sounds like I might be reviewing some of my own code. I'm sure it is awesome 😊

Filippo Valsorda

I'm ok with leaking pointers if it makes this viable.

The primary use case for runtime/secret is cryptographic keys involved in forward secrecy mechanisms, and cryptographic code already never ever encodes secrets in pointers and offsets, because there is just no way to stop the CPU from leaking them through cache side-channels.

Daniel Morsing

That about matches with my expectation. I'm gonna go rack my brain to see if I can come up with a succinct way of describing the secrecy guarantees (hopefully also get some better terminology. Reading the code back, I must have used a dozen different synonyms for "secret" in the comments)

File-level comment, Patchset 16 (Latest):
Daniel Morsing . resolved

Rebased to resolve the conflict with GC leak detection

Open in Gerrit

Related details

Attention is currently required from:
  • Filippo Valsorda
  • Keith Randall
Submit Requirements:
  • requirement is not satisfiedCode-Review
  • requirement satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
  • requirement is not satisfiedTryBots-Pass
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
Gerrit-Change-Number: 704615
Gerrit-PatchSet: 16
Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
Gerrit-CC: Austin Clements <aus...@google.com>
Gerrit-CC: Filippo Valsorda <fil...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
Gerrit-Comment-Date: Wed, 08 Oct 2025 09:08:38 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Keith Randall <k...@golang.org>
Comment-In-Reply-To: Filippo Valsorda <fil...@golang.org>
Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
unsatisfied_requirement
satisfied_requirement
open
diffy

Keith Randall (Gerrit)

unread,
Oct 15, 2025, 2:22:05 PMOct 15
to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
Attention needed from Daniel Morsing and Filippo Valsorda

Keith Randall added 9 comments

Patchset-level comments
File-level comment, Patchset 16 (Latest):
Keith Randall . resolved

Looks pretty good, thanks for taking this up.

File src/runtime/asm_amd64.s
Line 504, Patchset 16 (Latest): // If in secret mode, erase registers on transition
Keith Randall . unresolved

It seems unfortunate to add this overhead to every systemstack call. We use systemstack a lot in the runtime.

File src/runtime/preempt_xreg.go
Line 104, Patchset 16 (Latest): // if we're running secret code. Set a flag to clear them our by
Keith Randall . unresolved

out

Line 166, Patchset 16 (Latest): if xRegs.cache != nil {
memclrNoHeapPointers(unsafe.Pointer(xRegs.cache), unsafe.Sizeof(xRegState{}))
}
xRegs.secret = false
Keith Randall . unresolved

Should this be inside the `if` above?

File src/runtime/runtime2.go
Line 551, Patchset 16 (Latest): secretStack stack // the shadow stack for returning into the kernel
Keith Randall . unresolved

I was wondering if we could keep a pool of these somewhere else, like in a P or M.
Only the last one allocated per M might still be in use, right? So maybe 2 per M would be enough.

File src/runtime/secret/crash_test.go
Line 98, Patchset 16 (Latest): secretStoreAddr := uint64(uintptr(unsafe.Pointer(&secretStore[0])))
Keith Randall . unresolved

Will ASLR break this?

File src/runtime/secret/secret.go
Line 39, Patchset 16 (Latest):func Do(f func()) {
Keith Randall . unresolved

We should probably mention the pointer leak thing here if we're going to allow it.

File src/runtime/secret_amd64.s
Line 19, Patchset 16 (Latest):TEXT ·secretEraseRegistersMcall(SB),NOSPLIT|NOFRAME,$0-0
Keith Randall . unresolved

Maybe a comment here that we need to avoid clobbering args of mcall.

Line 125, Patchset 16 (Latest): CMPL AX, AX //eflags
Keith Randall . unresolved

I don't think it really matters, but to be safe use BX here, we know it is cleared.

Open in Gerrit

Related details

Attention is currently required from:
  • Daniel Morsing
  • Filippo Valsorda
Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 16
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Comment-Date: Wed, 15 Oct 2025 18:21:59 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 16, 2025, 9:19:04 AMOct 16
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing and Filippo Valsorda

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #17 to this change.
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Filippo Valsorda
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 17
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 16, 2025, 9:24:07 AMOct 16
    to goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Filippo Valsorda and Keith Randall

    Daniel Morsing voted and added 2 comments

    Votes added by Daniel Morsing

    Commit-Queue+1

    2 comments

    Patchset-level comments
    File-level comment, Patchset 17 (Latest):
    Daniel Morsing . resolved

    Going to see if I can't get all the trybots happy about the core dump before I address the other comments

    File src/runtime/secret/crash_test.go
    Line 98, Patchset 16: secretStoreAddr := uint64(uintptr(unsafe.Pointer(&secretStore[0])))
    Keith Randall . resolved

    Will ASLR break this?

    Daniel Morsing

    Rewrote the test so that it no longer relies on the address of the secretStore.

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 17
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Comment-Date: Thu, 16 Oct 2025 13:24:00 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: Yes
    Comment-In-Reply-To: Keith Randall <k...@golang.org>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 16, 2025, 10:19:33 AMOct 16
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #18 to this change.
    Following approvals got outdated and were removed:
    • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 18
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 16, 2025, 10:21:31 AMOct 16
    to goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Filippo Valsorda and Keith Randall

    Daniel Morsing voted Commit-Queue+1

    Commit-Queue+1
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 18
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Comment-Date: Thu, 16 Oct 2025 14:21:21 +0000
    Gerrit-HasComments: No
    Gerrit-Has-Labels: Yes
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 16, 2025, 11:36:44 AMOct 16
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #19 to this change.
    Following approvals got outdated and were removed:
    • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 19
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 16, 2025, 11:38:56 AMOct 16
    to goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Filippo Valsorda and Keith Randall

    Daniel Morsing voted Commit-Queue+1

    Commit-Queue+1
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 19
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Comment-Date: Thu, 16 Oct 2025 15:38:49 +0000
    Gerrit-HasComments: No
    Gerrit-Has-Labels: Yes
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 17, 2025, 5:40:57 AMOct 17
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #20 to this change.
    Following approvals got outdated and were removed:
    • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 20
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 17, 2025, 5:41:42 AMOct 17
    to goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Filippo Valsorda and Keith Randall

    Daniel Morsing voted and added 8 comments

    Votes added by Daniel Morsing

    Commit-Queue+1

    8 comments

    Patchset-level comments
    File-level comment, Patchset 20 (Latest):
    Daniel Morsing . resolved

    PTAL

    File src/runtime/asm_amd64.s
    Line 504, Patchset 16: // If in secret mode, erase registers on transition
    Keith Randall . resolved

    It seems unfortunate to add this overhead to every systemstack call. We use systemstack a lot in the runtime.

    Daniel Morsing

    I was working off the old CL, but thinking about it now, systemstack is only called with other go code that should have no reason to spill confidential values onto the stack or into any buffers. Removed

    File src/runtime/preempt_xreg.go
    Line 104, Patchset 16: // if we're running secret code. Set a flag to clear them our by
    Keith Randall . resolved

    out

    Daniel Morsing

    Removed the xregs code because it wasn't needed, Done

    Line 166, Patchset 16: if xRegs.cache != nil {

    memclrNoHeapPointers(unsafe.Pointer(xRegs.cache), unsafe.Sizeof(xRegState{}))
    }
    xRegs.secret = false
    Keith Randall . resolved

    Should this be inside the `if` above?

    Daniel Morsing

    Done

    File src/runtime/runtime2.go
    Line 551, Patchset 16: secretStack stack // the shadow stack for returning into the kernel
    Keith Randall . unresolved

    I was wondering if we could keep a pool of these somewhere else, like in a P or M.
    Only the last one allocated per M might still be in use, right? So maybe 2 per M would be enough.

    Daniel Morsing

    I think that brings us back to a situation where we'd have to track which M executed secret code, plus now that I've removed the async xRegs code, heap allocations are the only thing that relies on a garbage collection having run after returning from secret code.


    If shadow secret stack allocation cost is a factor, there are ways around it. Create a goroutine that sets up a secret and then receives requests for encryption/decryption. That way, we only have to allocate once. That scheme could definitely work for TLS and SSH which are the motivating uses for creating the package.

    File src/runtime/secret/secret.go
    Line 39, Patchset 16:func Do(f func()) {
    Keith Randall . resolved

    We should probably mention the pointer leak thing here if we're going to allow it.

    Daniel Morsing

    Done

    File src/runtime/secret_amd64.s
    Line 19, Patchset 16:TEXT ·secretEraseRegistersMcall(SB),NOSPLIT|NOFRAME,$0-0
    Keith Randall . resolved

    Maybe a comment here that we need to avoid clobbering args of mcall.

    Daniel Morsing

    Done

    Line 125, Patchset 16: CMPL AX, AX //eflags
    Keith Randall . resolved

    I don't think it really matters, but to be safe use BX here, we know it is cleared.

    Daniel Morsing

    Done

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 20
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Comment-Date: Fri, 17 Oct 2025 09:41:35 +0000
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 17, 2025, 6:12:47 AMOct 17
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Filippo Valsorda and Keith Randall

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #21 to this change.
    Following approvals got outdated and were removed:
    • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 21
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 17, 2025, 6:13:35 AMOct 17
    to goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Filippo Valsorda and Keith Randall

    Daniel Morsing added 1 comment

    Patchset-level comments
    File-level comment, Patchset 21 (Latest):
    Daniel Morsing . resolved

    Missed a spot. Sorry :)

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 21
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Comment-Date: Fri, 17 Oct 2025 10:13:27 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Jes Cok (Gerrit)

    unread,
    Oct 17, 2025, 6:16:25 AMOct 17
    to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

    Jes Cok added 1 comment

    Commit Message
    Line 24, Patchset 20:CL600635. I have added arm64 support, signal handling, preemption
    Jes Cok . unresolved

    CL 600635, please add space character. Also I noticed that in this CL, there are some `Copyright 2024` headers which come from that CL, should they be `Copyright 2025`?

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 21
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Jes Cok <xigua...@gmail.com>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Comment-Date: Fri, 17 Oct 2025 10:16:18 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 17, 2025, 6:26:24 AMOct 17
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #22 to this change.
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Filippo Valsorda
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 22
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 17, 2025, 6:27:09 AMOct 17
    to goph...@pubsubhelper.golang.org, Jes Cok, Go LUCI, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Filippo Valsorda, Jes Cok and Keith Randall

    Daniel Morsing added 1 comment

    Commit Message
    Line 24, Patchset 20:CL600635. I have added arm64 support, signal handling, preemption
    Jes Cok . resolved

    CL 600635, please add space character. Also I noticed that in this CL, there are some `Copyright 2024` headers which come from that CL, should they be `Copyright 2025`?

    Daniel Morsing

    Done.


    As for the copyright notices, those are the files that were created by the previous CL. I'm not sure what the policy is here, but I left them as is.

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Filippo Valsorda
    • Jes Cok
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 22
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Jes Cok <xigua...@gmail.com>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Jes Cok <xigua...@gmail.com>
    Gerrit-Comment-Date: Fri, 17 Oct 2025 10:27:00 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    Comment-In-Reply-To: Jes Cok <xigua...@gmail.com>
    unsatisfied_requirement
    open
    diffy

    Filippo Valsorda (Gerrit)

    unread,
    Oct 30, 2025, 7:05:38 AMOct 30
    to Daniel Morsing, goph...@pubsubhelper.golang.org, Jes Cok, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Keith Randall

    Filippo Valsorda added 1 comment

    Patchset-level comments
    File-level comment, Patchset 22 (Latest):
    Filippo Valsorda . resolved

    Friendly ping, I think this is ready for another round of review?

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 22
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Jes Cok <xigua...@gmail.com>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Comment-Date: Thu, 30 Oct 2025 11:05:27 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Filippo Valsorda (Gerrit)

    unread,
    Oct 30, 2025, 8:02:55 AMOct 30
    to Daniel Morsing, goph...@pubsubhelper.golang.org, Jes Cok, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Keith Randall

    Filippo Valsorda added 1 comment

    Commit Message
    Line 24, Patchset 20:CL600635. I have added arm64 support, signal handling, preemption
    Jes Cok . resolved

    CL 600635, please add space character. Also I noticed that in this CL, there are some `Copyright 2024` headers which come from that CL, should they be `Copyright 2025`?

    Daniel Morsing

    Done.


    As for the copyright notices, those are the files that were created by the previous CL. I'm not sure what the policy is here, but I left them as is.

    Filippo Valsorda

    The copyright year is the year the file was first mailed to Gerrit, not when it lands.

    Gerrit-Comment-Date: Thu, 30 Oct 2025 12:02:45 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    Comment-In-Reply-To: Jes Cok <xigua...@gmail.com>
    Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Oct 30, 2025, 8:35:21 AMOct 30
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Keith Randall

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #23 to this change.
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Keith Randall
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 23
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 10, 2025, 9:37:33 AMNov 10
    to goph...@pubsubhelper.golang.org, Michael Matloob, Jes Cok, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Keith Randall and Michael Matloob

    Daniel Morsing added 2 comments

    Patchset-level comments
    File-level comment, Patchset 23 (Latest):
    Daniel Morsing . resolved

    Is it feasible to land this before the go1.26 freeze? Maybe behind an experiment flag if that makes a difference

    File src/runtime/malloc.go
    Line 1126, Patchset 23 (Latest): if sizeSpecializedMallocEnabled && heapBitsInSpan(size) && gp.secret == 0 {
    Daniel Morsing . unresolved

    Just realised that the specialized mallocs being called directly from the compiler now means that this check doesn't do anything. I'll take a stab at updating mkmalloc to fix this, but I might need some help from @mat...@golang.org

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Keith Randall
    • Michael Matloob
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 23
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Jes Cok <xigua...@gmail.com>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-CC: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Michael Matloob <mat...@golang.org>
    Gerrit-Comment-Date: Mon, 10 Nov 2025 14:37:24 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Michael Matloob (Gerrit)

    unread,
    Nov 10, 2025, 11:30:38 AMNov 10
    to Daniel Morsing, goph...@pubsubhelper.golang.org, Michael Knyszek, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Keith Randall and Michael Knyszek

    Michael Matloob added 1 comment

    File src/runtime/malloc.go
    Line 1126, Patchset 23 (Latest): if sizeSpecializedMallocEnabled && heapBitsInSpan(size) && gp.secret == 0 {
    Daniel Morsing . unresolved

    Just realised that the specialized mallocs being called directly from the compiler now means that this check doesn't do anything. I'll take a stab at updating mkmalloc to fix this, but I might need some help from @mat...@golang.org

    Michael Matloob

    cc @mkny...@google.com

    Hi, I haven't read up on the details of the proposal, but (not having the secret-specific context) I want to mention that not all specialized mallocs are called from the compiler: only those where the compiler knows the size at compile time. So we still need this code path.

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Keith Randall
    • Michael Knyszek
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 23
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-CC: Michael Knyszek <mkny...@google.com>
    Gerrit-CC: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
    Gerrit-Comment-Date: Mon, 10 Nov 2025 16:30:33 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 10, 2025, 11:43:17 AMNov 10
    to goph...@pubsubhelper.golang.org, Michael Knyszek, Michael Matloob, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Keith Randall, Michael Knyszek and Michael Matloob

    Daniel Morsing added 1 comment

    File src/runtime/malloc.go
    Line 1126, Patchset 23 (Latest): if sizeSpecializedMallocEnabled && heapBitsInSpan(size) && gp.secret == 0 {
    Daniel Morsing . unresolved

    Just realised that the specialized mallocs being called directly from the compiler now means that this check doesn't do anything. I'll take a stab at updating mkmalloc to fix this, but I might need some help from @mat...@golang.org

    Michael Matloob

    cc @mkny...@google.com

    Hi, I haven't read up on the details of the proposal, but (not having the secret-specific context) I want to mention that not all specialized mallocs are called from the compiler: only those where the compiler knows the size at compile time. So we still need this code path.

    Daniel Morsing

    Ah, the check I am referring to is the `gp.secret == 0` part, not the entire `if` statement


    Essentially, the tiny allocator has to be disabled when code is running in secret mode. I tried modifying `malloc_stubs.go` to call into `smallNoScanStub` from the `tinyStub`, but I'm hitting a couple of codegen bugs that I'm not sure how to resolve

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Keith Randall
    • Michael Knyszek
    • Michael Matloob
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 23
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-CC: Michael Knyszek <mkny...@google.com>
    Gerrit-CC: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
    Gerrit-Comment-Date: Mon, 10 Nov 2025 16:43:09 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    Comment-In-Reply-To: Michael Matloob <mat...@golang.org>
    Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 11, 2025, 8:24:54 AMNov 11
    to goph...@pubsubhelper.golang.org, Michael Knyszek, Michael Matloob, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Keith Randall, Michael Knyszek and Michael Matloob

    Daniel Morsing added 1 comment

    File src/runtime/malloc.go
    Line 1126, Patchset 23 (Latest): if sizeSpecializedMallocEnabled && heapBitsInSpan(size) && gp.secret == 0 {
    Daniel Morsing . unresolved

    Just realised that the specialized mallocs being called directly from the compiler now means that this check doesn't do anything. I'll take a stab at updating mkmalloc to fix this, but I might need some help from @mat...@golang.org

    Michael Matloob

    cc @mkny...@google.com

    Hi, I haven't read up on the details of the proposal, but (not having the secret-specific context) I want to mention that not all specialized mallocs are called from the compiler: only those where the compiler knows the size at compile time. So we still need this code path.

    Daniel Morsing

    Ah, the check I am referring to is the `gp.secret == 0` part, not the entire `if` statement


    Essentially, the tiny allocator has to be disabled when code is running in secret mode. I tried modifying `malloc_stubs.go` to call into `smallNoScanStub` from the `tinyStub`, but I'm hitting a couple of codegen bugs that I'm not sure how to resolve

    Daniel Morsing

    Alright, I managed to make switchable allocators work, but I had to rewrite the allocator generator to do so :) CL 719580


    I'm unsure whether I should land the allocator change and rebase this CL on top of it, or if I should just roll it into this one. Any thoughts?

    Gerrit-Comment-Date: Tue, 11 Nov 2025 13:24:45 +0000
    unsatisfied_requirement
    open
    diffy

    Filippo Valsorda (Gerrit)

    unread,
    Nov 11, 2025, 11:59:07 AMNov 11
    to Daniel Morsing, goph...@pubsubhelper.golang.org, Michael Knyszek, Michael Matloob, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Keith Randall, Michael Knyszek and Michael Matloob

    Filippo Valsorda added 3 comments

    Patchset-level comments
    Filippo Valsorda . unresolved

    Chatted with @rol...@golang.org, let's hide the exported package (and any dangerous behavior if it's easy) behind a GOEXPERIMENT.

    File src/runtime/secret/secret.go
    Line 26, Patchset 23 (Latest):// platforms Do will immediately panic.
    Filippo Valsorda . unresolved

    On unsupported platforms this should just invoke f. We can't litter every call site with build tags.

    Line 27, Patchset 23 (Latest):// - Protection does not extend to any new goroutines made by f.
    Filippo Valsorda . unresolved

    Let's panic if a new goroutine is started. We can always relax it later.

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
    Gerrit-Comment-Date: Tue, 11 Nov 2025 16:58:57 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Michael Knyszek (Gerrit)

    unread,
    Nov 11, 2025, 12:46:42 PMNov 11
    to Daniel Morsing, goph...@pubsubhelper.golang.org, Michael Matloob, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Keith Randall and Michael Matloob

    Michael Knyszek added 4 comments

    File src/runtime/malloc.go
    Line 1126, Patchset 23 (Latest): if sizeSpecializedMallocEnabled && heapBitsInSpan(size) && gp.secret == 0 {
    Daniel Morsing . unresolved

    Just realised that the specialized mallocs being called directly from the compiler now means that this check doesn't do anything. I'll take a stab at updating mkmalloc to fix this, but I might need some help from @mat...@golang.org

    Michael Matloob

    cc @mkny...@google.com

    Hi, I haven't read up on the details of the proposal, but (not having the secret-specific context) I want to mention that not all specialized mallocs are called from the compiler: only those where the compiler knows the size at compile time. So we still need this code path.

    Daniel Morsing

    Ah, the check I am referring to is the `gp.secret == 0` part, not the entire `if` statement


    Essentially, the tiny allocator has to be disabled when code is running in secret mode. I tried modifying `malloc_stubs.go` to call into `smallNoScanStub` from the `tinyStub`, but I'm hitting a couple of codegen bugs that I'm not sure how to resolve

    Daniel Morsing

    Alright, I managed to make switchable allocators work, but I had to rewrite the allocator generator to do so :) CL 719580


    I'm unsure whether I should land the allocator change and rebase this CL on top of it, or if I should just roll it into this one. Any thoughts?

    Michael Knyszek

    allocator bits LGTM, but yeah you will need to add a fallback case in the directly-called-and-generated tiny allocator routines.

    File src/runtime/secret.go
    Line 161, Patchset 23 (Latest):func getsp() uintptr {
    Michael Knyszek . unresolved

    maybe just add this to internal/runtime/sys as GetCurrentSP?

    File src/runtime/secret/secret.go
    Line 39, Patchset 23 (Latest):// - Pointer addresses may leak into data buffers used by the runtime
    // to perform garbage collection. Users should not encode confidential
    // information into pointers.
    Michael Knyszek . unresolved

    this feels like way overkill to state... it is hard to construct a pointer field that's valid, you don't have very many bits to encode sensitive data into, so this would need be extremely elaborate to not cause random GC crashes.

    like:

    ```
    x := new([1<<20]byte)
    x = (*[1<<20]byte)(unsafe.Pointer(uintptr(unsafe.Pointer(x))|twentyBitsOfSensitiveData))
    ```

    unless you mean something like, a data structure's actual layout somehow encodes sensitive information? in that case it may be worth stating that explicitly. or perhaps I'm not being creative enough.

    File src/runtime/sys_linux_amd64.s
    Line 234, Patchset 23 (Latest): // R14 later, but the function is ABI0
    Michael Knyszek . unresolved

    here and elsewhere: trailing whitespace

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Keith Randall
    • Michael Matloob
    Gerrit-Comment-Date: Tue, 11 Nov 2025 17:46:37 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Cherry Mui (Gerrit)

    unread,
    Nov 11, 2025, 1:28:57 PMNov 11
    to Daniel Morsing, goph...@pubsubhelper.golang.org, Michael Matloob, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Keith Randall and Michael Matloob

    Cherry Mui added 12 comments

    Patchset-level comments
    Cherry Mui . resolved

    Thank you for the CL! Not a complete review, just some drive-by comments. Thanks.

    File src/runtime/asm_amd64.s
    Line 941, Patchset 23 (Latest): JEQ nosecret
    Cherry Mui . unresolved

    Nit: use tab here.

    File src/runtime/asm_arm64.s
    Line 1226, Patchset 23 (Latest): MOVD R2, R13
    Cherry Mui . unresolved

    Remove trailing space.

    File src/runtime/preempt.go
    Line 410, Patchset 23 (Latest): // allow any conservative scanning of stacks, as that may lead
    Cherry Mui . unresolved

    It seems reasonable not to conservatively scan the stack containing secrets. However, we could preempt the goroutine for other reasons, like scheduling purposes. I think we can still allow those, just not async preemption for stack scanning.

    File src/runtime/secret_amd64.s
    Line 72, Patchset 23 (Latest): // (Assembled with gcc. The Go assembler doesn't know these instructions.)
    // 62 e1 fd 48 28 c0 vmovapd %zmm0,%zmm16
    Cherry Mui . unresolved

    Go assembler does support VMOVAPD Z0, Z16.

    Line 107, Patchset 23 (Latest): // (Assembled with gcc. The Go assembler doesn't know these instructions.)
    // c4 e1 fc 47 c0 kxorq %k0,%k0,%k0
    Cherry Mui . unresolved

    Go assembler does support KXORQ instruction.

    File src/runtime/secret_arm64.s
    Line 19, Patchset 23 (Latest): // integer registers
    Cherry Mui . unresolved

    Remove trailing space.

    File src/runtime/signal_unix.go
    Line 429, Patchset 23 (Latest):// If we're running secret code, the state on the signal stack might be
    // confidential. In which case, we copy the signal stack, and return the stacksize
    // and the SP to switch to. sigtramp can then clear the stack and switch to our
    // new context stack
    Cherry Mui . unresolved

    So the idea here is that we switch to a different stack, and clear the old signal stack (which could contain secrets), and return to the kernel from a new stack? This might work but it seems weird that we are returning from a different stack. What if there are stack pointers on the stack? What if we are called from another signal handler (probably from non-Go code) that does signal forwarding?

    Another approach I can think of is that when we enter secret.Do, we allocate a new signal stack, and clear it when we return out of secret.Do. We don't have to clear it at every signal. Or are we concerned that other, non-Go signal handler could copy things out of our signal stack? Or concerned that the code in secret.Do may call some non-Go code that installs its own signal stack?

    Line 502, Patchset 23 (Latest): runningSecret := atomic.Loadint32(&gp.secret) > 0
    Cherry Mui . unresolved

    Why this needs to be atomic?

    File src/runtime/sys_linux_amd64.s
    Line 233, Patchset 23 (Latest): // TODO(dmo): what is the ABI guarantee here? we use

    // R14 later, but the function is ABI0
    Cherry Mui . unresolved

    Good question. I think the assumption here is that it is called from Go, not assembly, so R14 is set. Perhaps we should make this function ABIInternal (at some point).

    Remove trailing space in the comment.

    File src/runtime/sys_linux_arm64.s
    Line 230, Patchset 23 (Latest): BL ·secretEraseRegisters(SB)
    Cherry Mui . unresolved

    Nit: too many tabs.

    Line 479, Patchset 23 (Latest): CBZ R0, nosecret
    Cherry Mui . unresolved

    Nit: use tab here.

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Keith Randall
    • Michael Matloob
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 23
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Cherry Mui <cher...@google.com>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-CC: Michael Knyszek <mkny...@google.com>
    Gerrit-CC: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Comment-Date: Tue, 11 Nov 2025 18:28:52 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 12, 2025, 11:14:56 AMNov 12
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Daniel Morsing, Keith Randall and Michael Matloob

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #24 to this change.
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Morsing
    • Keith Randall
    • Michael Matloob
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 24
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 12, 2025, 11:16:09 AMNov 12
    to goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Cherry Mui, Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

    Daniel Morsing voted and added 18 comments

    Votes added by Daniel Morsing

    Commit-Queue+1

    18 comments

    Patchset-level comments
    File-level comment, Patchset 23:
    Filippo Valsorda . resolved

    Chatted with @rol...@golang.org, let's hide the exported package (and any dangerous behavior if it's easy) behind a GOEXPERIMENT.

    Daniel Morsing

    Done. Will need a new set of builders to test this CL going forward, I guess gotip-linux-amd64-runtimesecret, gotip-linux-arm64-runtimesecret @dmit...@golang.org

    File src/runtime/asm_amd64.s
    Line 941, Patchset 23: JEQ nosecret
    Cherry Mui . resolved

    Nit: use tab here.

    Daniel Morsing

    Done

    File src/runtime/asm_arm64.s
    Line 1226, Patchset 23: MOVD R2, R13
    Cherry Mui . resolved

    Remove trailing space.

    Daniel Morsing

    Done

    File src/runtime/malloc.go
    Line 1126, Patchset 23: if sizeSpecializedMallocEnabled && heapBitsInSpan(size) && gp.secret == 0 {
    Daniel Morsing . resolved

    Just realised that the specialized mallocs being called directly from the compiler now means that this check doesn't do anything. I'll take a stab at updating mkmalloc to fix this, but I might need some help from @mat...@golang.org

    Michael Matloob

    cc @mkny...@google.com

    Hi, I haven't read up on the details of the proposal, but (not having the secret-specific context) I want to mention that not all specialized mallocs are called from the compiler: only those where the compiler knows the size at compile time. So we still need this code path.

    Daniel Morsing

    Ah, the check I am referring to is the `gp.secret == 0` part, not the entire `if` statement


    Essentially, the tiny allocator has to be disabled when code is running in secret mode. I tried modifying `malloc_stubs.go` to call into `smallNoScanStub` from the `tinyStub`, but I'm hitting a couple of codegen bugs that I'm not sure how to resolve

    Daniel Morsing

    Alright, I managed to make switchable allocators work, but I had to rewrite the allocator generator to do so :) CL 719580


    I'm unsure whether I should land the allocator change and rebase this CL on top of it, or if I should just roll it into this one. Any thoughts?

    Michael Knyszek

    allocator bits LGTM, but yeah you will need to add a fallback case in the directly-called-and-generated tiny allocator routines.

    Daniel Morsing

    Since performance testing on CL 719580 showed improvement, I spun it out as its own CL and then rebased this CL on top of it.

    File src/runtime/preempt.go
    Line 410, Patchset 23: // allow any conservative scanning of stacks, as that may lead
    Cherry Mui . resolved

    It seems reasonable not to conservatively scan the stack containing secrets. However, we could preempt the goroutine for other reasons, like scheduling purposes. I think we can still allow those, just not async preemption for stack scanning.

    Daniel Morsing

    Preemption for other reasons might leak registers into the preemption buffers. Added to the comment to explain

    File src/runtime/secret.go
    Line 161, Patchset 23:func getsp() uintptr {
    Michael Knyszek . resolved

    maybe just add this to internal/runtime/sys as GetCurrentSP?

    Daniel Morsing

    Done

    File src/runtime/secret/secret.go
    Line 26, Patchset 23:// platforms Do will immediately panic.
    Filippo Valsorda . resolved

    On unsupported platforms this should just invoke f. We can't litter every call site with build tags.

    Daniel Morsing

    Done

    Line 27, Patchset 23:// - Protection does not extend to any new goroutines made by f.
    Filippo Valsorda . resolved

    Let's panic if a new goroutine is started. We can always relax it later.

    Daniel Morsing

    Done

    Line 39, Patchset 23:// - Pointer addresses may leak into data buffers used by the runtime

    // to perform garbage collection. Users should not encode confidential
    // information into pointers.
    Michael Knyszek . resolved

    this feels like way overkill to state... it is hard to construct a pointer field that's valid, you don't have very many bits to encode sensitive data into, so this would need be extremely elaborate to not cause random GC crashes.

    like:

    ```
    x := new([1<<20]byte)
    x = (*[1<<20]byte)(unsafe.Pointer(uintptr(unsafe.Pointer(x))|twentyBitsOfSensitiveData))
    ```

    unless you mean something like, a data structure's actual layout somehow encodes sensitive information? in that case it may be worth stating that explicitly. or perhaps I'm not being creative enough.

    Daniel Morsing

    This is referring to the data structures actual layout. I've expanded the wording a bit to explain the requirement and why it is usually implicitly fulfilled by the intended users of this code.

    File src/runtime/secret_amd64.s
    Line 72, Patchset 23: // (Assembled with gcc. The Go assembler doesn't know these instructions.)

    // 62 e1 fd 48 28 c0 vmovapd %zmm0,%zmm16
    Cherry Mui . resolved

    Go assembler does support VMOVAPD Z0, Z16.

    Daniel Morsing

    Done

    Line 107, Patchset 23: // (Assembled with gcc. The Go assembler doesn't know these instructions.)

    // c4 e1 fc 47 c0 kxorq %k0,%k0,%k0
    Cherry Mui . resolved

    Go assembler does support KXORQ instruction.

    Daniel Morsing

    Done

    File src/runtime/secret_arm64.s
    Line 19, Patchset 23: // integer registers
    Cherry Mui . resolved

    Remove trailing space.

    Daniel Morsing

    Done

    File src/runtime/signal_unix.go
    Line 429, Patchset 23:// If we're running secret code, the state on the signal stack might be

    // confidential. In which case, we copy the signal stack, and return the stacksize
    // and the SP to switch to. sigtramp can then clear the stack and switch to our
    // new context stack
    Cherry Mui . resolved

    So the idea here is that we switch to a different stack, and clear the old signal stack (which could contain secrets), and return to the kernel from a new stack? This might work but it seems weird that we are returning from a different stack. What if there are stack pointers on the stack? What if we are called from another signal handler (probably from non-Go code) that does signal forwarding?

    Another approach I can think of is that when we enter secret.Do, we allocate a new signal stack, and clear it when we return out of secret.Do. We don't have to clear it at every signal. Or are we concerned that other, non-Go signal handler could copy things out of our signal stack? Or concerned that the code in secret.Do may call some non-Go code that installs its own signal stack?

    Daniel Morsing

    The signal stack is tied to the M while the "secretness" of the machine context that gets put onto the signal stack is tied to the G. The shadow stack is a way of tying the place with confidential information directly to the G, so that we don't have to track which Ms ran which Gs.


    [Keith's comment](https://github.com/golang/go/issues/21865#issuecomment-2292354685) and [my followup](https://github.com/golang/go/issues/21865#issuecomment-3327040593) on the issue about the problem are worth a read.

    Line 502, Patchset 23: runningSecret := atomic.Loadint32(&gp.secret) > 0
    Cherry Mui . resolved

    Why this needs to be atomic?

    Daniel Morsing

    The secret stack is allocated by the code that calls secret.Do, while the signal handler uses it. This access is atomic to act as a fence between before the secret stack is allocated and after.

    File src/runtime/sys_linux_amd64.s
    Line 234, Patchset 23: // R14 later, but the function is ABI0
    Michael Knyszek . resolved

    here and elsewhere: trailing whitespace

    Daniel Morsing

    Done

    Line 233, Patchset 23: // TODO(dmo): what is the ABI guarantee here? we use

    // R14 later, but the function is ABI0
    Cherry Mui . resolved

    Good question. I think the assumption here is that it is called from Go, not assembly, so R14 is set. Perhaps we should make this function ABIInternal (at some point).

    Remove trailing space in the comment.

    Daniel Morsing

    Done

    File src/runtime/sys_linux_arm64.s
    Line 230, Patchset 23: BL ·secretEraseRegisters(SB)
    Cherry Mui . resolved

    Nit: too many tabs.

    Daniel Morsing

    Done

    Line 479, Patchset 23: CBZ R0, nosecret
    Cherry Mui . resolved

    Nit: use tab here.

    Daniel Morsing

    Done

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Cherry Mui
    • Dmitri Shuralyov
    • Filippo Valsorda
    • Keith Randall
    • Michael Knyszek
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 24
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Cherry Mui <cher...@google.com>
    Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-CC: Michael Knyszek <mkny...@google.com>
    Gerrit-CC: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Cherry Mui <cher...@google.com>
    Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
    Gerrit-Comment-Date: Wed, 12 Nov 2025 16:15:58 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: Yes
    Comment-In-Reply-To: Michael Matloob <mat...@golang.org>
    Comment-In-Reply-To: Filippo Valsorda <fil...@golang.org>
    Comment-In-Reply-To: Cherry Mui <cher...@google.com>
    Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
    Comment-In-Reply-To: Michael Knyszek <mkny...@google.com>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 12, 2025, 11:20:29 AMNov 12
    to goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Go LUCI, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Cherry Mui, Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

    Daniel Morsing added 1 comment

    File src/runtime/asm_amd64.s
    Line 510, Patchset 24 (Latest):#ifdef GOEXPERIMENT_runtimesecret
    Daniel Morsing . resolved

    I've reenabled this check in this patchset, I'm sure there are places where registers can leak from code running in g0 to cgo or some other execution environment that I'm not considering and since this is an experiment now, we shouldn't see any performance impact.

    Gerrit-Comment-Date: Wed, 12 Nov 2025 16:20:19 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 12, 2025, 12:14:20 PMNov 12
    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
    Attention needed from Cherry Mui, Daniel Morsing, Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

    Daniel Morsing uploaded new patchset

    Daniel Morsing uploaded patch set #25 to this change.
    Following approvals got outdated and were removed:
    • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Cherry Mui
    • Daniel Morsing
    • Dmitri Shuralyov
    • Filippo Valsorda
    • Keith Randall
    • Michael Knyszek
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: newpatchset
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 25
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Cherry Mui <cher...@google.com>
    Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-CC: Michael Knyszek <mkny...@google.com>
    Gerrit-CC: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Cherry Mui <cher...@google.com>
    Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 12, 2025, 12:15:22 PMNov 12
    to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Cherry Mui, Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

    Daniel Morsing voted Commit-Queue+1

    Commit-Queue+1
    Open in Gerrit

    Related details

    Attention is currently required from:
    • Cherry Mui
    • Dmitri Shuralyov
    • Filippo Valsorda
    • Keith Randall
    • Michael Knyszek
    Submit Requirements:
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    • requirement is not satisfiedTryBots-Pass
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
    Gerrit-Change-Number: 704615
    Gerrit-PatchSet: 25
    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
    Gerrit-CC: Austin Clements <aus...@google.com>
    Gerrit-CC: Cherry Mui <cher...@google.com>
    Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@golang.org>
    Gerrit-CC: Michael Knyszek <mkny...@google.com>
    Gerrit-CC: Michael Matloob <mat...@golang.org>
    Gerrit-Attention: Keith Randall <k...@golang.org>
    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
    Gerrit-Attention: Cherry Mui <cher...@google.com>
    Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
    Gerrit-Comment-Date: Wed, 12 Nov 2025 17:15:12 +0000
    Gerrit-HasComments: No
    Gerrit-Has-Labels: Yes
    unsatisfied_requirement
    open
    diffy

    Daniel Morsing (Gerrit)

    unread,
    Nov 12, 2025, 2:03:13 PMNov 12
    to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
    Attention needed from Cherry Mui, Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

    Daniel Morsing added 1 comment

    File src/runtime/runtime2.go
    Line 551, Patchset 16: secretStack stack // the shadow stack for returning into the kernel
    Keith Randall . resolved

    I was wondering if we could keep a pool of these somewhere else, like in a P or M.
    Only the last one allocated per M might still be in use, right? So maybe 2 per M would be enough.

    Daniel Morsing

    I think that brings us back to a situation where we'd have to track which M executed secret code, plus now that I've removed the async xRegs code, heap allocations are the only thing that relies on a garbage collection having run after returning from secret code.


    If shadow secret stack allocation cost is a factor, there are ways around it. Create a goroutine that sets up a secret and then receives requests for encryption/decryption. That way, we only have to allocate once. That scheme could definitely work for TLS and SSH which are the motivating uses for creating the package.

    Daniel Morsing

    oh wait, I read this suggestion wrong, you were talking about a simple allocation cache.


    An arbitrary number of secretStacks can be live at the same time, so I don't think there's much to be gained by having it cached. A better avenue is probably using a different allocator that isn't the stack one, but I think I need to figure out what the performance numbers are before I put in the work for that. The remarks I made about amortizing the cost above are still valid, so I believe we can work around it for the first prototype users of this.

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Cherry Mui
    • Dmitri Shuralyov
    • Filippo Valsorda
    • Keith Randall
    • Michael Knyszek
    Submit Requirements:
      • requirement is not satisfiedCode-Review
      • requirement satisfiedNo-Unresolved-Comments
      • requirement is not satisfiedReview-Enforcement
      • requirement satisfiedTryBots-Pass
      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
      Gerrit-MessageType: comment
      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
      Gerrit-Change-Number: 704615
      Gerrit-PatchSet: 25
      Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
      Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
      Gerrit-CC: Austin Clements <aus...@google.com>
      Gerrit-CC: Cherry Mui <cher...@google.com>
      Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
      Gerrit-CC: Filippo Valsorda <fil...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Keith Randall <k...@golang.org>
      Gerrit-CC: Michael Knyszek <mkny...@google.com>
      Gerrit-CC: Michael Matloob <mat...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Comment-Date: Wed, 12 Nov 2025 19:03:03 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No
      Comment-In-Reply-To: Keith Randall <k...@golang.org>
      Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
      unsatisfied_requirement
      satisfied_requirement
      open
      diffy

      Keith Randall (Gerrit)

      unread,
      Nov 12, 2025, 2:19:45 PMNov 12
      to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
      Attention needed from Cherry Mui, Daniel Morsing, Dmitri Shuralyov, Filippo Valsorda and Michael Knyszek

      Keith Randall added 11 comments

      File src/runtime/asm_amd64.s
      Line 518, Patchset 25 (Latest): get_tls(CX)
      Keith Randall . unresolved

      We can probably get rid of these two instructions. Or put them just after the secretEraseRegisters call.
      That way there's no extra instructions if the experiment is off.

      Line 655, Patchset 25 (Latest): get_tls(CX)
      Keith Randall . resolved

      Like you did here.

      File src/runtime/defs_linux_amd64.go
      Line 294, Patchset 25 (Latest):const stubSigStackSize = 4096
      Keith Randall . unresolved

      Where does this number come from?

      File src/runtime/runtime2.go
      Line 551, Patchset 16: secretStack stack // the shadow stack for returning into the kernel
      Keith Randall . resolved

      I was wondering if we could keep a pool of these somewhere else, like in a P or M.
      Only the last one allocated per M might still be in use, right? So maybe 2 per M would be enough.

      Daniel Morsing

      I think that brings us back to a situation where we'd have to track which M executed secret code, plus now that I've removed the async xRegs code, heap allocations are the only thing that relies on a garbage collection having run after returning from secret code.


      If shadow secret stack allocation cost is a factor, there are ways around it. Create a goroutine that sets up a secret and then receives requests for encryption/decryption. That way, we only have to allocate once. That scheme could definitely work for TLS and SSH which are the motivating uses for creating the package.

      Keith Randall

      Acknowledged

      File src/runtime/secret/crash_test.go
      Line 184, Patchset 25 (Latest):// TODO: linux only?
      Keith Randall . unresolved

      I think this has been resolved? The code that uses it has been commented out.

      File src/runtime/secret/internal/dirtysecret/asm_amd64.s
      Line 33, Patchset 25 (Latest): BYTE $0x62; BYTE $0x71; BYTE $0xfd; BYTE $0x48; BYTE $0x10; BYTE $0x30
      Keith Randall . unresolved

      These instructions exist in the assembler now.

      Line 167, Patchset 25 (Latest): /*
      Keith Randall . unresolved

      Is there a plan to enable these?

      Line 205, Patchset 25 (Latest): /*
      Keith Randall . unresolved

      These we could do now.

      File src/runtime/secret/internal/dirtysecret/asm_arm64.s
      Line 64, Patchset 25 (Latest): // TODO(dmo): more substantial dirtying here
      Keith Randall . unresolved

      We should at least add F0-F31 here.

      File src/runtime/secret/secret_test.go
      Line 5, Patchset 25 (Latest):// the race detector does not like our pointer shenanigans
      Keith Randall . resolved

      The race detector is such a buzzkill.

      File src/runtime/vgetrandom_linux.go
      Line 95, Patchset 25 (Latest): // TODO(dmo): vdso calls while running secret code can spill secrets onto the stack.
      Keith Randall . unresolved

      I would think secret code is exactly the place where they would want vgetrandom to work.
      Do we really need to disable it in secret mode?

      Open in Gerrit

      Related details

      Attention is currently required from:
      • Cherry Mui
      • Daniel Morsing
      • Dmitri Shuralyov
      • Filippo Valsorda
      • Michael Knyszek
      Submit Requirements:
        • requirement is not satisfiedCode-Review
        • requirement is not satisfiedNo-Unresolved-Comments
        • requirement is not satisfiedReview-Enforcement
        • requirement satisfiedTryBots-Pass
        Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
        Gerrit-MessageType: comment
        Gerrit-Project: go
        Gerrit-Branch: master
        Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
        Gerrit-Change-Number: 704615
        Gerrit-PatchSet: 25
        Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
        Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
        Gerrit-CC: Austin Clements <aus...@google.com>
        Gerrit-CC: Cherry Mui <cher...@google.com>
        Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
        Gerrit-CC: Filippo Valsorda <fil...@golang.org>
        Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
        Gerrit-CC: Keith Randall <k...@golang.org>
        Gerrit-CC: Michael Knyszek <mkny...@google.com>
        Gerrit-CC: Michael Matloob <mat...@golang.org>
        Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
        Gerrit-Attention: Cherry Mui <cher...@google.com>
        Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
        Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
        Gerrit-Attention: Michael Knyszek <mkny...@google.com>
        Gerrit-Comment-Date: Wed, 12 Nov 2025 19:19:38 +0000
        unsatisfied_requirement
        satisfied_requirement
        open
        diffy

        Daniel Morsing (Gerrit)

        unread,
        Nov 13, 2025, 6:38:55 AMNov 13
        to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
        Attention needed from Cherry Mui, Daniel Morsing, Dmitri Shuralyov, Filippo Valsorda and Michael Knyszek

        Daniel Morsing uploaded new patchset

        Daniel Morsing uploaded patch set #26 to this change.
        Following approvals got outdated and were removed:
        • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
        Open in Gerrit

        Related details

        Attention is currently required from:
        • Cherry Mui
        • Daniel Morsing
        • Dmitri Shuralyov
        • Filippo Valsorda
        • Michael Knyszek
        Submit Requirements:
          • requirement is not satisfiedCode-Review
          • requirement is not satisfiedNo-Unresolved-Comments
          • requirement is not satisfiedReview-Enforcement
          • requirement is not satisfiedTryBots-Pass
          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
          Gerrit-MessageType: newpatchset
          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
          Gerrit-Change-Number: 704615
          Gerrit-PatchSet: 26
          unsatisfied_requirement
          open
          diffy

          Daniel Morsing (Gerrit)

          unread,
          Nov 13, 2025, 6:40:39 AMNov 13
          to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
          Attention needed from Cherry Mui, Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

          Daniel Morsing added 9 comments

          Patchset-level comments
          File-level comment, Patchset 26 (Latest):
          Daniel Morsing . resolved

          PTAL

          File src/runtime/asm_amd64.s
          Line 518, Patchset 25: get_tls(CX)
          Keith Randall . resolved

          We can probably get rid of these two instructions. Or put them just after the secretEraseRegisters call.


          That way there's no extra instructions if the experiment is off.

          Daniel Morsing

          Done

          File src/runtime/defs_linux_amd64.go
          Line 294, Patchset 25:const stubSigStackSize = 4096
          Keith Randall . resolved

          Where does this number come from?

          Daniel Morsing

          It was gathered experimentally. Added to the comment explaining the rationale

          File src/runtime/secret/crash_test.go
          Line 184, Patchset 25:// TODO: linux only?
          Keith Randall . resolved

          I think this has been resolved? The code that uses it has been commented out.

          Daniel Morsing

          Done

          File src/runtime/secret/internal/dirtysecret/asm_amd64.s
          Line 33, Patchset 25: BYTE $0x62; BYTE $0x71; BYTE $0xfd; BYTE $0x48; BYTE $0x10; BYTE $0x30
          Keith Randall . resolved

          These instructions exist in the assembler now.

          Daniel Morsing

          Done

          Keith Randall . unresolved

          Is there a plan to enable these?

          Daniel Morsing

          This is left over from your original CL and I honestly haven't given it that much thought. We're probably in a better spot to do runtime checking of SIMD features now, but I'm going to admit ignorance on what that actually looks like.

          Line 205, Patchset 25: /*
          Keith Randall . resolved

          These we could do now.

          Daniel Morsing

          Done

          File src/runtime/secret/internal/dirtysecret/asm_arm64.s
          Line 64, Patchset 25: // TODO(dmo): more substantial dirtying here
          Keith Randall . resolved

          We should at least add F0-F31 here.

          Daniel Morsing

          Done

          File src/runtime/vgetrandom_linux.go
          Line 95, Patchset 25: // TODO(dmo): vdso calls while running secret code can spill secrets onto the stack.
          Keith Randall . resolved

          I would think secret code is exactly the place where they would want vgetrandom to work.
          Do we really need to disable it in secret mode?

          Daniel Morsing

          I must have done this code right after I did a bunch of assembly where the register erasing can only happen from inside the function, because the compiler will happily generate the right spills for me if I just call `secretEraseRegisters`. Done

          Open in Gerrit

          Related details

          Attention is currently required from:
          • Cherry Mui
          • Dmitri Shuralyov
          • Filippo Valsorda
          • Keith Randall
          • Michael Knyszek
          Submit Requirements:
          • requirement is not satisfiedCode-Review
          • requirement is not satisfiedNo-Unresolved-Comments
          • requirement is not satisfiedReview-Enforcement
          • requirement is not satisfiedTryBots-Pass
          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
          Gerrit-MessageType: comment
          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
          Gerrit-Change-Number: 704615
          Gerrit-PatchSet: 26
          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
          Gerrit-CC: Austin Clements <aus...@google.com>
          Gerrit-CC: Cherry Mui <cher...@google.com>
          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Keith Randall <k...@golang.org>
          Gerrit-CC: Michael Knyszek <mkny...@google.com>
          Gerrit-CC: Michael Matloob <mat...@golang.org>
          Gerrit-Attention: Keith Randall <k...@golang.org>
          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
          Gerrit-Attention: Michael Knyszek <mkny...@google.com>
          Gerrit-Comment-Date: Thu, 13 Nov 2025 11:40:31 +0000
          unsatisfied_requirement
          open
          diffy

          Dmitri Shuralyov (Gerrit)

          unread,
          Nov 13, 2025, 10:29:51 AMNov 13
          to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

          Dmitri Shuralyov added 1 comment

          Patchset-level comments
          Filippo Valsorda . resolved

          Chatted with @rol...@golang.org, let's hide the exported package (and any dangerous behavior if it's easy) behind a GOEXPERIMENT.

          Daniel Morsing

          Done. Will need a new set of builders to test this CL going forward, I guess gotip-linux-amd64-runtimesecret, gotip-linux-arm64-runtimesecret @dmit...@golang.org

          Dmitri Shuralyov

          A new builder is typically appropriate when the goal is to run all of the Go tests under a different mode. For example, if the GOEXPERIMENT modifies runtime behavior.

          If the change of behavior here is more contained and the goal is to run tests inside the runtime/secret package, tests that require that GOEXPERIMENT environment variable to be set, that can be arranged by registering a custom test with said environment variable in cmd/dist/test.go. See https://cs.opensource.google/go/go/+/master:src/cmd/dist/test.go;l=747-754;drc=4bfc3a9d14c0b3bfcfe4ce987e47cda6720785a2 for example. An upside of this approach is that it means other people running all.bash locally can get signal from runtime/secret tests without needing to do anything differently.

          If you think it's still better to go with the dedicated builder testing approach, please file a tracking issue for it and add a new-builder label. Thanks.

          Open in Gerrit

          Related details

          Attention is currently required from:
          • Cherry Mui
          • Daniel Morsing
          Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
          Gerrit-Attention: Michael Knyszek <mkny...@google.com>
          Gerrit-Comment-Date: Thu, 13 Nov 2025 15:29:47 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No
          Comment-In-Reply-To: Filippo Valsorda <fil...@golang.org>
          Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
          unsatisfied_requirement
          open
          diffy

          Daniel Morsing (Gerrit)

          unread,
          Nov 13, 2025, 11:07:20 AMNov 13
          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

          Daniel Morsing uploaded new patchset

          Daniel Morsing uploaded patch set #27 to this change.
          Open in Gerrit

          Related details

          Attention is currently required from:
          • Cherry Mui
          • Daniel Morsing
          • Filippo Valsorda
          • Keith Randall
          • Michael Knyszek
          Submit Requirements:
          • requirement is not satisfiedCode-Review
          • requirement is not satisfiedNo-Unresolved-Comments
          • requirement is not satisfiedReview-Enforcement
          • requirement is not satisfiedTryBots-Pass
          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
          Gerrit-MessageType: newpatchset
          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
          Gerrit-Change-Number: 704615
          Gerrit-PatchSet: 27
          unsatisfied_requirement
          open
          diffy

          Daniel Morsing (Gerrit)

          unread,
          Nov 13, 2025, 11:12:29 AMNov 13
          to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
          Attention needed from Cherry Mui, Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

          Daniel Morsing voted and added 1 comment

          Votes added by Daniel Morsing

          Commit-Queue+1

          1 comment

          Patchset-level comments
          Filippo Valsorda . resolved

          Chatted with @rol...@golang.org, let's hide the exported package (and any dangerous behavior if it's easy) behind a GOEXPERIMENT.

          Daniel Morsing

          Done. Will need a new set of builders to test this CL going forward, I guess gotip-linux-amd64-runtimesecret, gotip-linux-arm64-runtimesecret @dmit...@golang.org

          Dmitri Shuralyov

          A new builder is typically appropriate when the goal is to run all of the Go tests under a different mode. For example, if the GOEXPERIMENT modifies runtime behavior.

          If the change of behavior here is more contained and the goal is to run tests inside the runtime/secret package, tests that require that GOEXPERIMENT environment variable to be set, that can be arranged by registering a custom test with said environment variable in cmd/dist/test.go. See https://cs.opensource.google/go/go/+/master:src/cmd/dist/test.go;l=747-754;drc=4bfc3a9d14c0b3bfcfe4ce987e47cda6720785a2 for example. An upside of this approach is that it means other people running all.bash locally can get signal from runtime/secret tests without needing to do anything differently.

          If you think it's still better to go with the dedicated builder testing approach, please file a tracking issue for it and add a new-builder label. Thanks.

          Daniel Morsing

          Well, the runtime changes are supposed to be dormant when the secret code isn't used, so I guess a dist package scoped test would cover most the bases. But then again, testing that the runtime changes are dormant is part of the test 😊


          I've added the dist test suggested and we can revisit the builder once internal users start appearing. I think Filippo is considering using this package to harden the `crypto/tls` package for forward-secrecy capable ciphers in the near future.

          Open in Gerrit

          Related details

          Attention is currently required from:
          • Cherry Mui
          • Dmitri Shuralyov
          • Filippo Valsorda
          • Keith Randall
          • Michael Knyszek
          Submit Requirements:
          • requirement is not satisfiedCode-Review
          • requirement is not satisfiedNo-Unresolved-Comments
          • requirement is not satisfiedReview-Enforcement
          • requirement is not satisfiedTryBots-Pass
          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
          Gerrit-MessageType: comment
          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
          Gerrit-Change-Number: 704615
          Gerrit-PatchSet: 27
          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
          Gerrit-CC: Austin Clements <aus...@google.com>
          Gerrit-CC: Cherry Mui <cher...@google.com>
          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Keith Randall <k...@golang.org>
          Gerrit-CC: Michael Knyszek <mkny...@google.com>
          Gerrit-CC: Michael Matloob <mat...@golang.org>
          Gerrit-Attention: Keith Randall <k...@golang.org>
          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
          Gerrit-Attention: Michael Knyszek <mkny...@google.com>
          Gerrit-Comment-Date: Thu, 13 Nov 2025 16:12:21 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: Yes
          Comment-In-Reply-To: Filippo Valsorda <fil...@golang.org>
          Comment-In-Reply-To: Dmitri Shuralyov <dmit...@golang.org>
          Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
          unsatisfied_requirement
          open
          diffy

          Cherry Mui (Gerrit)

          unread,
          Nov 13, 2025, 11:26:23 AMNov 13
          to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
          Attention needed from Dmitri Shuralyov, Filippo Valsorda, Keith Randall and Michael Knyszek

          Cherry Mui added 6 comments

          File src/runtime/preempt.go
          Line 410, Patchset 23: // allow any conservative scanning of stacks, as that may lead
          Cherry Mui . unresolved

          It seems reasonable not to conservatively scan the stack containing secrets. However, we could preempt the goroutine for other reasons, like scheduling purposes. I think we can still allow those, just not async preemption for stack scanning.

          Daniel Morsing

          Preemption for other reasons might leak registers into the preemption buffers. Added to the comment to explain

          Cherry Mui

          What is the preemption buffer? g.sched? That contains only the PC, SP, FP, etc., no user data.

          File src/runtime/secret.go
          Line 71, Patchset 26: // Q: what does "all" mean in this context? Do we need to
          // worry about just Go-allocatable registers, or do we need
          // to consider any register potentially used by assembly?
          Cherry Mui . unresolved

          I think we should erase all registers, except the ones that are "reserved", like SP, LR, and G. One can call assembly code to handle some secret data, like hashing or encrpytion.

          Line 76, Patchset 26: // Figure out the regions of stack we need to zero.
          // Our frame layout is as diagrammed below. (With memclr*
          // the sole function we're going to call.)
          // +----------------------+
          // | secret.Do |
          // +----------------------+ <- csp (caller stack pointer)
          // | secret_eraseSecrets |
          // +----------------------+ <- sp (stack pointer)
          // | memclrNoHeapPointers |
          // +----------------------+
          Cherry Mui . unresolved

          This depends on the implementation detail of memclrNoHeapPointers. Would it be simpler and more reliable to switch to systemstack to erase from sp? Maybe we could even mcall an erase function which directly returns to our caller, so we don't need to worry about the current frame as well.

          File src/runtime/secret/internal/dirtysecret/asm_amd64.s
          Line 32, Patchset 26: VMOVUPD (AX), Z14
          Cherry Mui . unresolved

          Nit: tab here, also below.

          File src/runtime/secret_amd64.s
          Line 72, Patchset 26: VMOVAPD Z0, Z16
          Cherry Mui . unresolved

          Nit: tab here, also below.

          File src/runtime/signal_unix.go
          Line 429, Patchset 23:// If we're running secret code, the state on the signal stack might be
          // confidential. In which case, we copy the signal stack, and return the stacksize
          // and the SP to switch to. sigtramp can then clear the stack and switch to our
          // new context stack
          Cherry Mui . unresolved

          So the idea here is that we switch to a different stack, and clear the old signal stack (which could contain secrets), and return to the kernel from a new stack? This might work but it seems weird that we are returning from a different stack. What if there are stack pointers on the stack? What if we are called from another signal handler (probably from non-Go code) that does signal forwarding?

          Another approach I can think of is that when we enter secret.Do, we allocate a new signal stack, and clear it when we return out of secret.Do. We don't have to clear it at every signal. Or are we concerned that other, non-Go signal handler could copy things out of our signal stack? Or concerned that the code in secret.Do may call some non-Go code that installs its own signal stack?

          Daniel Morsing

          The signal stack is tied to the M while the "secretness" of the machine context that gets put onto the signal stack is tied to the G. The shadow stack is a way of tying the place with confidential information directly to the G, so that we don't have to track which Ms ran which Gs.


          [Keith's comment](https://github.com/golang/go/issues/21865#issuecomment-2292354685) and [my followup](https://github.com/golang/go/issues/21865#issuecomment-3327040593) on the issue about the problem are worth a read.

          Cherry Mui

          Thanks for the pointer. I'm not a fan of switching the stack where we return from the signal handler. If the signal handler is invoked by the kernel and the only thing on the signal handler is the signal context, that is probably fine. But if it is invoked by some user C code, which does happen in cgo binaries, I don't think it is going to work very well.

          We could pin the G to the M. It is heavy weight, but other parts of secret.Do is sort of heavy weight, too, so perhaps not too bad?

          Open in Gerrit

          Related details

          Attention is currently required from:
          • Dmitri Shuralyov
          • Filippo Valsorda
          • Keith Randall
          • Michael Knyszek
          Submit Requirements:
          • requirement is not satisfiedCode-Review
          • requirement is not satisfiedNo-Unresolved-Comments
          • requirement is not satisfiedReview-Enforcement
          • requirement is not satisfiedTryBots-Pass
          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
          Gerrit-MessageType: comment
          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
          Gerrit-Change-Number: 704615
          Gerrit-PatchSet: 26
          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
          Gerrit-CC: Austin Clements <aus...@google.com>
          Gerrit-CC: Cherry Mui <cher...@google.com>
          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Keith Randall <k...@golang.org>
          Gerrit-CC: Michael Knyszek <mkny...@google.com>
          Gerrit-CC: Michael Matloob <mat...@golang.org>
          Gerrit-Attention: Keith Randall <k...@golang.org>
          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
          Gerrit-Attention: Dmitri Shuralyov <dmit...@golang.org>
          Gerrit-Attention: Michael Knyszek <mkny...@google.com>
          Gerrit-Comment-Date: Thu, 13 Nov 2025 16:26:17 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No
          unsatisfied_requirement
          open
          diffy

          Cherry Mui (Gerrit)

          unread,
          Nov 13, 2025, 1:57:07 PMNov 13
          to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
          Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

          Cherry Mui added 1 comment

          File src/runtime/signal_unix.go
          Line 429, Patchset 23:// If we're running secret code, the state on the signal stack might be
          // confidential. In which case, we copy the signal stack, and return the stacksize
          // and the SP to switch to. sigtramp can then clear the stack and switch to our
          // new context stack
          Cherry Mui . unresolved

          So the idea here is that we switch to a different stack, and clear the old signal stack (which could contain secrets), and return to the kernel from a new stack? This might work but it seems weird that we are returning from a different stack. What if there are stack pointers on the stack? What if we are called from another signal handler (probably from non-Go code) that does signal forwarding?

          Another approach I can think of is that when we enter secret.Do, we allocate a new signal stack, and clear it when we return out of secret.Do. We don't have to clear it at every signal. Or are we concerned that other, non-Go signal handler could copy things out of our signal stack? Or concerned that the code in secret.Do may call some non-Go code that installs its own signal stack?

          Daniel Morsing

          The signal stack is tied to the M while the "secretness" of the machine context that gets put onto the signal stack is tied to the G. The shadow stack is a way of tying the place with confidential information directly to the G, so that we don't have to track which Ms ran which Gs.


          [Keith's comment](https://github.com/golang/go/issues/21865#issuecomment-2292354685) and [my followup](https://github.com/golang/go/issues/21865#issuecomment-3327040593) on the issue about the problem are worth a read.

          Cherry Mui

          Thanks for the pointer. I'm not a fan of switching the stack where we return from the signal handler. If the signal handler is invoked by the kernel and the only thing on the signal handler is the signal context, that is probably fine. But if it is invoked by some user C code, which does happen in cgo binaries, I don't think it is going to work very well.

          We could pin the G to the M. It is heavy weight, but other parts of secret.Do is sort of heavy weight, too, so perhaps not too bad?

          Cherry Mui

          We could also have the scheduler track which M the secret G has run on and received a signal. Then the signal stack could be zeroed when the scheduler switches the G off it or when secret.Do returns.

          Open in Gerrit

          Related details

          Attention is currently required from:
          • Daniel Morsing
          • Filippo Valsorda
          • Keith Randall
          • Michael Knyszek
            Submit Requirements:
              • requirement is not satisfiedCode-Review
              • requirement is not satisfiedNo-Unresolved-Comments
              • requirement is not satisfiedReview-Enforcement
              • requirement satisfiedTryBots-Pass
              Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
              Gerrit-MessageType: comment
              Gerrit-Project: go
              Gerrit-Branch: master
              Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
              Gerrit-Change-Number: 704615
              Gerrit-PatchSet: 27
              Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
              Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
              Gerrit-CC: Austin Clements <aus...@google.com>
              Gerrit-CC: Cherry Mui <cher...@google.com>
              Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
              Gerrit-CC: Filippo Valsorda <fil...@golang.org>
              Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
              Gerrit-CC: Keith Randall <k...@golang.org>
              Gerrit-CC: Michael Knyszek <mkny...@google.com>
              Gerrit-CC: Michael Matloob <mat...@golang.org>
              Gerrit-Attention: Keith Randall <k...@golang.org>
              Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
              Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
              Gerrit-Attention: Michael Knyszek <mkny...@google.com>
              Gerrit-Comment-Date: Thu, 13 Nov 2025 18:57:02 +0000
              unsatisfied_requirement
              satisfied_requirement
              open
              diffy

              Daniel Morsing (Gerrit)

              unread,
              Nov 14, 2025, 4:45:10 AMNov 14
              to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
              Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

              Daniel Morsing uploaded new patchset

              Daniel Morsing uploaded patch set #28 to this change.
              Following approvals got outdated and were removed:
              • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

              Related details

              Attention is currently required from:
              • Daniel Morsing
              • Filippo Valsorda
              • Keith Randall
              • Michael Knyszek
              Submit Requirements:
                • requirement is not satisfiedCode-Review
                • requirement is not satisfiedNo-Unresolved-Comments
                • requirement is not satisfiedReview-Enforcement
                • requirement is not satisfiedTryBots-Pass
                Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                Gerrit-MessageType: newpatchset
                Gerrit-Project: go
                Gerrit-Branch: master
                Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                Gerrit-Change-Number: 704615
                Gerrit-PatchSet: 28
                unsatisfied_requirement
                open
                diffy

                Daniel Morsing (Gerrit)

                unread,
                Nov 14, 2025, 4:46:11 AMNov 14
                to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                Daniel Morsing added 4 comments

                File src/runtime/preempt.go
                Line 410, Patchset 23: // allow any conservative scanning of stacks, as that may lead
                Cherry Mui . resolved

                It seems reasonable not to conservatively scan the stack containing secrets. However, we could preempt the goroutine for other reasons, like scheduling purposes. I think we can still allow those, just not async preemption for stack scanning.

                Daniel Morsing

                Preemption for other reasons might leak registers into the preemption buffers. Added to the comment to explain

                Cherry Mui

                What is the preemption buffer? g.sched? That contains only the PC, SP, FP, etc., no user data.

                Daniel Morsing

                I'm referring to `src/runtime/preempt_xreg.go`, the extended register state that preemption stores in off-stack buffers.

                File src/runtime/secret.go
                Line 71, Patchset 26: // Q: what does "all" mean in this context? Do we need to
                // worry about just Go-allocatable registers, or do we need
                // to consider any register potentially used by assembly?
                Cherry Mui . resolved

                I think we should erase all registers, except the ones that are "reserved", like SP, LR, and G. One can call assembly code to handle some secret data, like hashing or encrpytion.

                Daniel Morsing

                I think this is the status quo, for a decent value of "all". I've changed this comment to reflect this.

                File src/runtime/secret/internal/dirtysecret/asm_amd64.s
                Line 32, Patchset 26: VMOVUPD (AX), Z14
                Cherry Mui . resolved

                Nit: tab here, also below.

                Daniel Morsing

                Done

                File src/runtime/secret_amd64.s
                Line 72, Patchset 26: VMOVAPD Z0, Z16
                Cherry Mui . resolved

                Nit: tab here, also below.

                Daniel Morsing

                Done. Starting to think we should have a goasmfmt 😊

                Open in Gerrit

                Related details

                Attention is currently required from:
                • Cherry Mui
                • Filippo Valsorda
                • Keith Randall
                • Michael Knyszek
                Submit Requirements:
                • requirement is not satisfiedCode-Review
                • requirement is not satisfiedNo-Unresolved-Comments
                • requirement is not satisfiedReview-Enforcement
                • requirement is not satisfiedTryBots-Pass
                Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                Gerrit-MessageType: comment
                Gerrit-Project: go
                Gerrit-Branch: master
                Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                Gerrit-Change-Number: 704615
                Gerrit-PatchSet: 28
                Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                Gerrit-CC: Austin Clements <aus...@google.com>
                Gerrit-CC: Cherry Mui <cher...@google.com>
                Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                Gerrit-CC: Keith Randall <k...@golang.org>
                Gerrit-CC: Michael Knyszek <mkny...@google.com>
                Gerrit-CC: Michael Matloob <mat...@golang.org>
                Gerrit-Attention: Keith Randall <k...@golang.org>
                Gerrit-Attention: Cherry Mui <cher...@google.com>
                Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                Gerrit-Comment-Date: Fri, 14 Nov 2025 09:46:03 +0000
                unsatisfied_requirement
                open
                diffy

                Cherry Mui (Gerrit)

                unread,
                Nov 14, 2025, 10:38:07 AMNov 14
                to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

                Cherry Mui added 1 comment

                File src/runtime/preempt.go
                Line 410, Patchset 23: // allow any conservative scanning of stacks, as that may lead
                Cherry Mui . unresolved

                It seems reasonable not to conservatively scan the stack containing secrets. However, we could preempt the goroutine for other reasons, like scheduling purposes. I think we can still allow those, just not async preemption for stack scanning.

                Daniel Morsing

                Preemption for other reasons might leak registers into the preemption buffers. Added to the comment to explain

                Cherry Mui

                What is the preemption buffer? g.sched? That contains only the PC, SP, FP, etc., no user data.

                Daniel Morsing

                I'm referring to `src/runtime/preempt_xreg.go`, the extended register state that preemption stores in off-stack buffers.

                Cherry Mui

                Good point on that. That buffer is associated to the G, which we can clear. There is also a very temporary scratch space on the P, which we can also clear when we copy the data to the per-G buffer (in `xRegSave`). The one on the P that is used on the return path (`xRegRestore` and `asyncPreempt`), is a bit tricky, where we need the data to reload the registers. Maybe we can write an assembly code that clears it using fewer registers (the integer registers are still available when we're done with that buffer). Or maybe we can have the scheduler clears it when it moves the G to a different P.

                (Sounds nontrivial. Probably fine as a followup CL.)

                Open in Gerrit

                Related details

                Attention is currently required from:
                • Daniel Morsing
                Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                Gerrit-Comment-Date: Fri, 14 Nov 2025 15:37:59 +0000
                unsatisfied_requirement
                open
                diffy

                Daniel Morsing (Gerrit)

                unread,
                Nov 14, 2025, 11:05:16 AMNov 14
                to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

                Daniel Morsing uploaded new patchset

                Daniel Morsing uploaded patch set #29 to this change.
                Open in Gerrit

                Related details

                Attention is currently required from:
                • Daniel Morsing
                • Filippo Valsorda
                • Keith Randall
                • Michael Knyszek
                Submit Requirements:
                • requirement is not satisfiedCode-Review
                • requirement is not satisfiedNo-Unresolved-Comments
                • requirement is not satisfiedReview-Enforcement
                • requirement is not satisfiedTryBots-Pass
                Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                Gerrit-MessageType: newpatchset
                Gerrit-Project: go
                Gerrit-Branch: master
                Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                Gerrit-Change-Number: 704615
                Gerrit-PatchSet: 29
                unsatisfied_requirement
                open
                diffy

                Daniel Morsing (Gerrit)

                unread,
                Nov 14, 2025, 11:06:49 AMNov 14
                to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                Daniel Morsing voted and added 2 comments

                Votes added by Daniel Morsing

                Commit-Queue+1

                2 comments

                File src/runtime/preempt.go
                Line 410, Patchset 23: // allow any conservative scanning of stacks, as that may lead
                Cherry Mui . resolved

                It seems reasonable not to conservatively scan the stack containing secrets. However, we could preempt the goroutine for other reasons, like scheduling purposes. I think we can still allow those, just not async preemption for stack scanning.

                Daniel Morsing

                Preemption for other reasons might leak registers into the preemption buffers. Added to the comment to explain

                Cherry Mui

                What is the preemption buffer? g.sched? That contains only the PC, SP, FP, etc., no user data.

                Daniel Morsing

                I'm referring to `src/runtime/preempt_xreg.go`, the extended register state that preemption stores in off-stack buffers.

                Cherry Mui

                Good point on that. That buffer is associated to the G, which we can clear. There is also a very temporary scratch space on the P, which we can also clear when we copy the data to the per-G buffer (in `xRegSave`). The one on the P that is used on the return path (`xRegRestore` and `asyncPreempt`), is a bit tricky, where we need the data to reload the registers. Maybe we can write an assembly code that clears it using fewer registers (the integer registers are still available when we're done with that buffer). Or maybe we can have the scheduler clears it when it moves the G to a different P.

                (Sounds nontrivial. Probably fine as a followup CL.)

                Daniel Morsing

                I did actually attempt this on an earlier patchset (patch 19), but I pulled that code because I was seeing random failures.


                I'll leave a TODO.

                File src/runtime/secret.go
                Line 76, Patchset 26: // Figure out the regions of stack we need to zero.
                // Our frame layout is as diagrammed below. (With memclr*
                // the sole function we're going to call.)
                // +----------------------+
                // | secret.Do |
                // +----------------------+ <- csp (caller stack pointer)
                // | secret_eraseSecrets |
                // +----------------------+ <- sp (stack pointer)
                // | memclrNoHeapPointers |
                // +----------------------+
                Cherry Mui . resolved

                This depends on the implementation detail of memclrNoHeapPointers. Would it be simpler and more reliable to switch to systemstack to erase from sp? Maybe we could even mcall an erase function which directly returns to our caller, so we don't need to worry about the current frame as well.

                Daniel Morsing

                Done and the code is so much more simpler for it. Keith made these lovely diagrams, feels almost rude to remove them 😊

                Open in Gerrit

                Related details

                Attention is currently required from:
                • Cherry Mui
                • Filippo Valsorda
                • Keith Randall
                • Michael Knyszek
                Submit Requirements:
                • requirement is not satisfiedCode-Review
                • requirement is not satisfiedNo-Unresolved-Comments
                • requirement is not satisfiedReview-Enforcement
                • requirement is not satisfiedTryBots-Pass
                Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                Gerrit-MessageType: comment
                Gerrit-Project: go
                Gerrit-Branch: master
                Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                Gerrit-Change-Number: 704615
                Gerrit-PatchSet: 29
                Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                Gerrit-CC: Austin Clements <aus...@google.com>
                Gerrit-CC: Cherry Mui <cher...@google.com>
                Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                Gerrit-CC: Keith Randall <k...@golang.org>
                Gerrit-CC: Michael Knyszek <mkny...@google.com>
                Gerrit-CC: Michael Matloob <mat...@golang.org>
                Gerrit-Attention: Keith Randall <k...@golang.org>
                Gerrit-Attention: Cherry Mui <cher...@google.com>
                Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                Gerrit-Comment-Date: Fri, 14 Nov 2025 16:06:40 +0000
                Gerrit-HasComments: Yes
                Gerrit-Has-Labels: Yes
                unsatisfied_requirement
                open
                diffy

                Cherry Mui (Gerrit)

                unread,
                Nov 14, 2025, 11:38:02 AMNov 14
                to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

                Cherry Mui added 1 comment

                File src/runtime/secret.go
                Line 76, Patchset 26: // Figure out the regions of stack we need to zero.
                // Our frame layout is as diagrammed below. (With memclr*
                // the sole function we're going to call.)
                // +----------------------+
                // | secret.Do |
                // +----------------------+ <- csp (caller stack pointer)
                // | secret_eraseSecrets |
                // +----------------------+ <- sp (stack pointer)
                // | memclrNoHeapPointers |
                // +----------------------+
                Cherry Mui . unresolved

                This depends on the implementation detail of memclrNoHeapPointers. Would it be simpler and more reliable to switch to systemstack to erase from sp? Maybe we could even mcall an erase function which directly returns to our caller, so we don't need to worry about the current frame as well.

                Daniel Morsing

                Done and the code is so much more simpler for it. Keith made these lovely diagrams, feels almost rude to remove them 😊

                Cherry Mui

                Nice!

                I think we still want to erase the registers?

                On ARM64, we probably still want to skip the word below SP for the frame pointer. The epilogue will load the frame pointer from it. (Sorry, that layout is unfortunate...)

                Open in Gerrit

                Related details

                Attention is currently required from:
                • Daniel Morsing
                • Filippo Valsorda
                • Keith Randall
                • Michael Knyszek
                  Submit Requirements:
                    • requirement is not satisfiedCode-Review
                    • requirement is not satisfiedNo-Unresolved-Comments
                    • requirement is not satisfiedReview-Enforcement
                    • requirement satisfiedTryBots-Pass
                    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                    Gerrit-MessageType: comment
                    Gerrit-Project: go
                    Gerrit-Branch: master
                    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                    Gerrit-Change-Number: 704615
                    Gerrit-PatchSet: 29
                    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                    Gerrit-CC: Austin Clements <aus...@google.com>
                    Gerrit-CC: Cherry Mui <cher...@google.com>
                    Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                    Gerrit-CC: Keith Randall <k...@golang.org>
                    Gerrit-CC: Michael Knyszek <mkny...@google.com>
                    Gerrit-CC: Michael Matloob <mat...@golang.org>
                    Gerrit-Attention: Keith Randall <k...@golang.org>
                    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                    Gerrit-Comment-Date: Fri, 14 Nov 2025 16:37:56 +0000
                    Gerrit-HasComments: Yes
                    Gerrit-Has-Labels: No
                    unsatisfied_requirement
                    satisfied_requirement
                    open
                    diffy

                    Daniel Morsing (Gerrit)

                    unread,
                    Nov 14, 2025, 1:51:32 PMNov 14
                    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                    Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

                    Daniel Morsing uploaded new patchset

                    Daniel Morsing uploaded patch set #30 to this change.
                    Following approvals got outdated and were removed:
                    • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

                    Related details

                    Attention is currently required from:
                    • Daniel Morsing
                    • Filippo Valsorda
                    • Keith Randall
                    • Michael Knyszek
                    Submit Requirements:
                      • requirement is not satisfiedCode-Review
                      • requirement is not satisfiedNo-Unresolved-Comments
                      • requirement is not satisfiedReview-Enforcement
                      • requirement is not satisfiedTryBots-Pass
                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                      Gerrit-MessageType: newpatchset
                      Gerrit-Project: go
                      Gerrit-Branch: master
                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                      Gerrit-Change-Number: 704615
                      Gerrit-PatchSet: 30
                      unsatisfied_requirement
                      open
                      diffy

                      Daniel Morsing (Gerrit)

                      unread,
                      Nov 14, 2025, 2:07:50 PMNov 14
                      to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                      Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                      Daniel Morsing added 3 comments

                      Patchset-level comments
                      File-level comment, Patchset 30 (Latest):
                      Daniel Morsing . resolved

                      removed some more churn from files that we no longer need to touch

                      File src/runtime/secret.go
                      Line 76, Patchset 26: // Figure out the regions of stack we need to zero.
                      // Our frame layout is as diagrammed below. (With memclr*
                      // the sole function we're going to call.)
                      // +----------------------+
                      // | secret.Do |
                      // +----------------------+ <- csp (caller stack pointer)
                      // | secret_eraseSecrets |
                      // +----------------------+ <- sp (stack pointer)
                      // | memclrNoHeapPointers |
                      // +----------------------+
                      Cherry Mui . resolved

                      This depends on the implementation detail of memclrNoHeapPointers. Would it be simpler and more reliable to switch to systemstack to erase from sp? Maybe we could even mcall an erase function which directly returns to our caller, so we don't need to worry about the current frame as well.

                      Daniel Morsing

                      Done and the code is so much more simpler for it. Keith made these lovely diagrams, feels almost rude to remove them 😊

                      Cherry Mui

                      Nice!

                      I think we still want to erase the registers?

                      On ARM64, we probably still want to skip the word below SP for the frame pointer. The epilogue will load the frame pointer from it. (Sorry, that layout is unfortunate...)

                      Daniel Morsing

                      We clear the registers on entry into systemstack, this cleanup code runs with a non-zero gp.secret


                      Adjusted the SP as suggested

                      File src/runtime/secret/internal/dirtysecret/asm_amd64.s
                      Keith Randall . resolved

                      Is there a plan to enable these?

                      Daniel Morsing

                      This is left over from your original CL and I honestly haven't given it that much thought. We're probably in a better spot to do runtime checking of SIMD features now, but I'm going to admit ignorance on what that actually looks like.

                      Daniel Morsing

                      tried enabling it, lets see if it breaks!

                      Open in Gerrit

                      Related details

                      Attention is currently required from:
                      • Cherry Mui
                      • Filippo Valsorda
                      • Keith Randall
                      • Michael Knyszek
                      Submit Requirements:
                      • requirement is not satisfiedCode-Review
                      • requirement is not satisfiedNo-Unresolved-Comments
                      • requirement is not satisfiedReview-Enforcement
                      • requirement is not satisfiedTryBots-Pass
                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                      Gerrit-MessageType: comment
                      Gerrit-Project: go
                      Gerrit-Branch: master
                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                      Gerrit-Change-Number: 704615
                      Gerrit-PatchSet: 30
                      Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                      Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                      Gerrit-CC: Austin Clements <aus...@google.com>
                      Gerrit-CC: Cherry Mui <cher...@google.com>
                      Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                      Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                      Gerrit-CC: Keith Randall <k...@golang.org>
                      Gerrit-CC: Michael Knyszek <mkny...@google.com>
                      Gerrit-CC: Michael Matloob <mat...@golang.org>
                      Gerrit-Attention: Keith Randall <k...@golang.org>
                      Gerrit-Attention: Cherry Mui <cher...@google.com>
                      Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                      Gerrit-Comment-Date: Fri, 14 Nov 2025 19:07:40 +0000
                      Gerrit-HasComments: Yes
                      Gerrit-Has-Labels: No
                      Comment-In-Reply-To: Keith Randall <k...@golang.org>
                      unsatisfied_requirement
                      open
                      diffy

                      Daniel Morsing (Gerrit)

                      unread,
                      Nov 17, 2025, 9:08:16 AM (13 days ago) Nov 17
                      to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                      Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                      Daniel Morsing added 1 comment

                      File src/runtime/signal_unix.go
                      Line 429, Patchset 23:// If we're running secret code, the state on the signal stack might be
                      // confidential. In which case, we copy the signal stack, and return the stacksize
                      // and the SP to switch to. sigtramp can then clear the stack and switch to our
                      // new context stack
                      Cherry Mui . unresolved

                      So the idea here is that we switch to a different stack, and clear the old signal stack (which could contain secrets), and return to the kernel from a new stack? This might work but it seems weird that we are returning from a different stack. What if there are stack pointers on the stack? What if we are called from another signal handler (probably from non-Go code) that does signal forwarding?

                      Another approach I can think of is that when we enter secret.Do, we allocate a new signal stack, and clear it when we return out of secret.Do. We don't have to clear it at every signal. Or are we concerned that other, non-Go signal handler could copy things out of our signal stack? Or concerned that the code in secret.Do may call some non-Go code that installs its own signal stack?

                      Daniel Morsing

                      The signal stack is tied to the M while the "secretness" of the machine context that gets put onto the signal stack is tied to the G. The shadow stack is a way of tying the place with confidential information directly to the G, so that we don't have to track which Ms ran which Gs.


                      [Keith's comment](https://github.com/golang/go/issues/21865#issuecomment-2292354685) and [my followup](https://github.com/golang/go/issues/21865#issuecomment-3327040593) on the issue about the problem are worth a read.

                      Cherry Mui

                      Thanks for the pointer. I'm not a fan of switching the stack where we return from the signal handler. If the signal handler is invoked by the kernel and the only thing on the signal handler is the signal context, that is probably fine. But if it is invoked by some user C code, which does happen in cgo binaries, I don't think it is going to work very well.

                      We could pin the G to the M. It is heavy weight, but other parts of secret.Do is sort of heavy weight, too, so perhaps not too bad?

                      Cherry Mui

                      We could also have the scheduler track which M the secret G has run on and received a signal. Then the signal stack could be zeroed when the scheduler switches the G off it or when secret.Do returns.

                      Daniel Morsing

                      I think the last sticking point here is the signal handling code, and I do not blame you too much. It is a gnarly hack, borne out of 2 facts:

                      1) the signal machine context is read by the kernel off the stack pointer. Essentially, the `rt_sigreturn` syscall takes the stack pointer as an argument. Hence the confidential information has to stay in on the stack until after control has been handed to the kernel.
                      2) we cannot clear an Ms signal stack from anywhere other than from inside the M, lest we smash the stack while it is handling a signal. This complicates matters since sleeping or blocked Ms might have confidential information in their signal stack, but no way of guaranteeing that we can run them in a timely manner.

                      Doing the clearing while handling the signal solves these 2 problems with minimal runtime involvement (although you could argue that ship sailed when I started adding things to systemstack :) )

                      Note that switching to the shadow signal stack and executing code on it was done for simplicity's sake. We could clear out the bottom of the signal stack with the confidential information, then switch the stack pointer right before we trap into the OS with the `rt_sigreturn`, and never run code with the adjusted stack pointer.

                      I have a couple of other ideas on how to handle this, but it's gonna take a bit of exploratory testing to see if they are feasible and I don't know if they will be ready before the 1.26 freeze

                      Gerrit-Comment-Date: Mon, 17 Nov 2025 14:08:06 +0000
                      Gerrit-HasComments: Yes
                      Gerrit-Has-Labels: No
                      unsatisfied_requirement
                      open
                      diffy

                      Daniel Morsing (Gerrit)

                      unread,
                      Nov 18, 2025, 6:03:47 AM (12 days ago) Nov 18
                      to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                      Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                      Daniel Morsing uploaded new patchset

                      Daniel Morsing uploaded patch set #31 to this change.
                      Open in Gerrit

                      Related details

                      Attention is currently required from:
                      • Cherry Mui
                      • Filippo Valsorda
                      • Keith Randall
                      • Michael Knyszek
                      Submit Requirements:
                      • requirement is not satisfiedCode-Review
                      • requirement is not satisfiedNo-Unresolved-Comments
                      • requirement is not satisfiedReview-Enforcement
                      • requirement is not satisfiedTryBots-Pass
                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                      Gerrit-MessageType: newpatchset
                      Gerrit-Project: go
                      Gerrit-Branch: master
                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                      Gerrit-Change-Number: 704615
                      Gerrit-PatchSet: 31
                      unsatisfied_requirement
                      open
                      diffy

                      Daniel Morsing (Gerrit)

                      unread,
                      Nov 18, 2025, 9:56:52 AM (11 days ago) Nov 18
                      to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                      Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                      Daniel Morsing uploaded new patchset

                      Daniel Morsing uploaded patch set #32 to this change.
                      Open in Gerrit

                      Related details

                      Attention is currently required from:
                      • Cherry Mui
                      • Filippo Valsorda
                      • Keith Randall
                      • Michael Knyszek
                      Submit Requirements:
                      • requirement is not satisfiedCode-Review
                      • requirement is not satisfiedNo-Unresolved-Comments
                      • requirement is not satisfiedReview-Enforcement
                      • requirement is not satisfiedTryBots-Pass
                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                      Gerrit-MessageType: newpatchset
                      Gerrit-Project: go
                      Gerrit-Branch: master
                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                      Gerrit-Change-Number: 704615
                      Gerrit-PatchSet: 32
                      unsatisfied_requirement
                      open
                      diffy

                      Daniel Morsing (Gerrit)

                      unread,
                      Nov 19, 2025, 7:12:21 AM (11 days ago) Nov 19
                      to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                      Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                      Daniel Morsing uploaded new patchset

                      Daniel Morsing uploaded patch set #33 to this change.
                      Open in Gerrit

                      Related details

                      Attention is currently required from:
                      • Cherry Mui
                      • Filippo Valsorda
                      • Keith Randall
                      • Michael Knyszek
                      Submit Requirements:
                      • requirement is not satisfiedCode-Review
                      • requirement is not satisfiedNo-Unresolved-Comments
                      • requirement is not satisfiedReview-Enforcement
                      • requirement is not satisfiedTryBots-Pass
                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                      Gerrit-MessageType: newpatchset
                      Gerrit-Project: go
                      Gerrit-Branch: master
                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                      Gerrit-Change-Number: 704615
                      Gerrit-PatchSet: 33
                      unsatisfied_requirement
                      open
                      diffy

                      Daniel Morsing (Gerrit)

                      unread,
                      Nov 19, 2025, 7:25:54 AM (11 days ago) Nov 19
                      to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                      Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                      Daniel Morsing added 2 comments

                      Patchset-level comments
                      File-level comment, Patchset 33 (Latest):
                      Daniel Morsing . resolved

                      Alright, a lot of things changed in this last patchset, and for the better:

                      1) the signal stack switch has been replaced by a method where we use the kernels propensity to write register values onto the signal stack to our advantage.
                      2) less invasive mkmalloc implementation, no longer requires the previous CL in this stack
                      3) more testing hooks for things covered by TestCore. We now explicitly check for the signal stacks being cleared.

                      PTAL

                      File src/runtime/signal_unix.go
                      Line 429, Patchset 23:// If we're running secret code, the state on the signal stack might be
                      // confidential. In which case, we copy the signal stack, and return the stacksize
                      // and the SP to switch to. sigtramp can then clear the stack and switch to our
                      // new context stack
                      Cherry Mui . resolved

                      So the idea here is that we switch to a different stack, and clear the old signal stack (which could contain secrets), and return to the kernel from a new stack? This might work but it seems weird that we are returning from a different stack. What if there are stack pointers on the stack? What if we are called from another signal handler (probably from non-Go code) that does signal forwarding?

                      Another approach I can think of is that when we enter secret.Do, we allocate a new signal stack, and clear it when we return out of secret.Do. We don't have to clear it at every signal. Or are we concerned that other, non-Go signal handler could copy things out of our signal stack? Or concerned that the code in secret.Do may call some non-Go code that installs its own signal stack?

                      Daniel Morsing

                      The signal stack is tied to the M while the "secretness" of the machine context that gets put onto the signal stack is tied to the G. The shadow stack is a way of tying the place with confidential information directly to the G, so that we don't have to track which Ms ran which Gs.


                      [Keith's comment](https://github.com/golang/go/issues/21865#issuecomment-2292354685) and [my followup](https://github.com/golang/go/issues/21865#issuecomment-3327040593) on the issue about the problem are worth a read.

                      Cherry Mui

                      Thanks for the pointer. I'm not a fan of switching the stack where we return from the signal handler. If the signal handler is invoked by the kernel and the only thing on the signal handler is the signal context, that is probably fine. But if it is invoked by some user C code, which does happen in cgo binaries, I don't think it is going to work very well.

                      We could pin the G to the M. It is heavy weight, but other parts of secret.Do is sort of heavy weight, too, so perhaps not too bad?

                      Cherry Mui

                      We could also have the scheduler track which M the secret G has run on and received a signal. Then the signal stack could be zeroed when the scheduler switches the G off it or when secret.Do returns.

                      Daniel Morsing

                      I think the last sticking point here is the signal handling code, and I do not blame you too much. It is a gnarly hack, borne out of 2 facts:

                      1) the signal machine context is read by the kernel off the stack pointer. Essentially, the `rt_sigreturn` syscall takes the stack pointer as an argument. Hence the confidential information has to stay in on the stack until after control has been handed to the kernel.
                      2) we cannot clear an Ms signal stack from anywhere other than from inside the M, lest we smash the stack while it is handling a signal. This complicates matters since sleeping or blocked Ms might have confidential information in their signal stack, but no way of guaranteeing that we can run them in a timely manner.

                      Doing the clearing while handling the signal solves these 2 problems with minimal runtime involvement (although you could argue that ship sailed when I started adding things to systemstack :) )

                      Note that switching to the shadow signal stack and executing code on it was done for simplicity's sake. We could clear out the bottom of the signal stack with the confidential information, then switch the stack pointer right before we trap into the OS with the `rt_sigreturn`, and never run code with the adjusted stack pointer.

                      I have a couple of other ideas on how to handle this, but it's gonna take a bit of exploratory testing to see if they are feasible and I don't know if they will be ready before the 1.26 freeze

                      Daniel Morsing

                      Alright, I implemented a way that is much simpler, faster and easier to port to other platforms, PTAL

                      Open in Gerrit

                      Related details

                      Attention is currently required from:
                      • Cherry Mui
                      • Filippo Valsorda
                      • Keith Randall
                      • Michael Knyszek
                      Submit Requirements:
                        • requirement is not satisfiedCode-Review
                        • requirement satisfiedNo-Unresolved-Comments
                        • requirement is not satisfiedReview-Enforcement
                        • requirement is not satisfiedTryBots-Pass
                        Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                        Gerrit-MessageType: comment
                        Gerrit-Project: go
                        Gerrit-Branch: master
                        Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                        Gerrit-Change-Number: 704615
                        Gerrit-PatchSet: 33
                        Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                        Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                        Gerrit-CC: Austin Clements <aus...@google.com>
                        Gerrit-CC: Cherry Mui <cher...@google.com>
                        Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                        Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                        Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                        Gerrit-CC: Keith Randall <k...@golang.org>
                        Gerrit-CC: Michael Knyszek <mkny...@google.com>
                        Gerrit-CC: Michael Matloob <mat...@golang.org>
                        Gerrit-Attention: Keith Randall <k...@golang.org>
                        Gerrit-Attention: Cherry Mui <cher...@google.com>
                        Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                        Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                        Gerrit-Comment-Date: Wed, 19 Nov 2025 12:25:45 +0000
                        unsatisfied_requirement
                        satisfied_requirement
                        open
                        diffy

                        Daniel Morsing (Gerrit)

                        unread,
                        Nov 19, 2025, 9:29:56 AM (10 days ago) Nov 19
                        to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                        Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                        Daniel Morsing uploaded new patchset

                        Daniel Morsing uploaded patch set #34 to this change.
                        Open in Gerrit

                        Related details

                        Attention is currently required from:
                        • Cherry Mui
                        • Filippo Valsorda
                        • Keith Randall
                        • Michael Knyszek
                        Submit Requirements:
                        • requirement is not satisfiedCode-Review
                        • requirement satisfiedNo-Unresolved-Comments
                        • requirement is not satisfiedReview-Enforcement
                        • requirement is not satisfiedTryBots-Pass
                        Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                        Gerrit-MessageType: newpatchset
                        Gerrit-Project: go
                        Gerrit-Branch: master
                        Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                        Gerrit-Change-Number: 704615
                        Gerrit-PatchSet: 34
                        unsatisfied_requirement
                        satisfied_requirement
                        open
                        diffy

                        Daniel Morsing (Gerrit)

                        unread,
                        Nov 19, 2025, 11:17:44 AM (10 days ago) Nov 19
                        to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                        Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                        Daniel Morsing uploaded new patchset

                        Daniel Morsing uploaded patch set #35 to this change.
                        Open in Gerrit

                        Related details

                        Attention is currently required from:
                        • Cherry Mui
                        • Filippo Valsorda
                        • Keith Randall
                        • Michael Knyszek
                        Submit Requirements:
                        • requirement is not satisfiedCode-Review
                        • requirement satisfiedNo-Unresolved-Comments
                        • requirement is not satisfiedReview-Enforcement
                        • requirement is not satisfiedTryBots-Pass
                        Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                        Gerrit-MessageType: newpatchset
                        Gerrit-Project: go
                        Gerrit-Branch: master
                        Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                        Gerrit-Change-Number: 704615
                        Gerrit-PatchSet: 35
                        unsatisfied_requirement
                        satisfied_requirement
                        open
                        diffy

                        Michael Matloob (Gerrit)

                        unread,
                        Nov 19, 2025, 11:24:01 AM (10 days ago) Nov 19
                        to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Knyszek, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                        Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

                        Michael Matloob added 2 comments

                        File src/runtime/_mkmalloc/mkmalloc.go
                        Line 174, Patchset 32: {subBasicLit, "isTiny_", str(0)},
                        Michael Matloob . unresolved

                        Can we make isTiny_ a bool instead and use str(false)/str(true) instead? I think that would make the code a little more readable?

                        File src/runtime/malloc_stubs.go
                        Line 68, Patchset 35 (Latest): if goexperiment.RuntimeSecret && isTiny && gp.secret > 0 {
                        return mallocgcSmallNoScanSC2(size, typ, needzero)
                        }
                        Michael Matloob . unresolved

                        Can we put this code into another function that's inlined in the tiny case, (and inlined to an empty bodied function in the alternate case)? then we won't have to insert it into the generated code for the non-tiny functions.

                        Open in Gerrit

                        Related details

                        Attention is currently required from:
                        • Cherry Mui
                        • Daniel Morsing
                        • Filippo Valsorda
                        • Keith Randall
                        • Michael Knyszek
                          Submit Requirements:
                            • requirement is not satisfiedCode-Review
                            • requirement is not satisfiedNo-Unresolved-Comments
                            • requirement is not satisfiedReview-Enforcement
                            • requirement is not satisfiedTryBots-Pass
                            Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                            Gerrit-MessageType: comment
                            Gerrit-Project: go
                            Gerrit-Branch: master
                            Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                            Gerrit-Change-Number: 704615
                            Gerrit-PatchSet: 35
                            Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                            Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                            Gerrit-CC: Austin Clements <aus...@google.com>
                            Gerrit-CC: Cherry Mui <cher...@google.com>
                            Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                            Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                            Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                            Gerrit-CC: Keith Randall <k...@golang.org>
                            Gerrit-CC: Michael Knyszek <mkny...@google.com>
                            Gerrit-CC: Michael Matloob <mat...@golang.org>
                            Gerrit-Attention: Keith Randall <k...@golang.org>
                            Gerrit-Attention: Cherry Mui <cher...@google.com>
                            Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                            Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                            Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                            Gerrit-Comment-Date: Wed, 19 Nov 2025 16:23:56 +0000
                            Gerrit-HasComments: Yes
                            Gerrit-Has-Labels: No
                            unsatisfied_requirement
                            open
                            diffy

                            Michael Knyszek (Gerrit)

                            unread,
                            Nov 19, 2025, 11:44:14 AM (10 days ago) Nov 19
                            to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                            Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                            Michael Knyszek added 1 comment

                            Patchset-level comments
                            Daniel Morsing . resolved

                            Alright, a lot of things changed in this last patchset, and for the better:

                            1) the signal stack switch has been replaced by a method where we use the kernels propensity to write register values onto the signal stack to our advantage.
                            2) less invasive mkmalloc implementation, no longer requires the previous CL in this stack
                            3) more testing hooks for things covered by TestCore. We now explicitly check for the signal stacks being cleared.

                            PTAL

                            Michael Knyszek

                            the mkmalloc stuff LGTM, modulo Michael's comments. thanks!

                            Open in Gerrit

                            Related details

                            Attention is currently required from:
                            • Cherry Mui
                            • Daniel Morsing
                            • Filippo Valsorda
                            • Keith Randall
                            Gerrit-Comment-Date: Wed, 19 Nov 2025 16:44:08 +0000
                            Gerrit-HasComments: Yes
                            Gerrit-Has-Labels: No
                            Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
                            unsatisfied_requirement
                            open
                            diffy

                            Daniel Morsing (Gerrit)

                            unread,
                            Nov 19, 2025, 5:54:33 PM (10 days ago) Nov 19
                            to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                            Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Matloob

                            Daniel Morsing added 2 comments

                            File src/runtime/_mkmalloc/mkmalloc.go
                            Line 174, Patchset 32: {subBasicLit, "isTiny_", str(0)},
                            Michael Matloob . resolved

                            Can we make isTiny_ a bool instead and use str(false)/str(true) instead? I think that would make the code a little more readable?

                            Daniel Morsing

                            Doing so hits a bug in the mkmalloc generator. It expects an `ast.BasicLit` and `true` or `false` are `ast.Ident`s

                            File src/runtime/malloc_stubs.go
                            Line 68, Patchset 35 (Latest): if goexperiment.RuntimeSecret && isTiny && gp.secret > 0 {
                            return mallocgcSmallNoScanSC2(size, typ, needzero)
                            }
                            Michael Matloob . resolved

                            Can we put this code into another function that's inlined in the tiny case, (and inlined to an empty bodied function in the alternate case)? then we won't have to insert it into the generated code for the non-tiny functions.

                            Daniel Morsing

                            It's possible, but because it has to return the function early depending on `gp.secret`, the enclosing function has to have an if statement and the empty inlined function turns into
                            ```
                            avoid := nil

                            if avoid != nil {
                            return avoid
                            }
                            ```
                            in the non-tiny case. Worse, the entirety of the specialized tiny function gets inlined yet again because the enclosing function now includes both terminating and non-terminating returns. It's not pretty and given the results I got from CL 719580, I suspect there's also a performance penalty

                            Between the 2 options, I think a superfluous if statement that gets constant folded away is a lot more readable

                            Open in Gerrit

                            Related details

                            Attention is currently required from:
                            • Cherry Mui
                            • Filippo Valsorda
                            • Keith Randall
                            • Michael Matloob
                            Submit Requirements:
                              • requirement is not satisfiedCode-Review
                              • requirement satisfiedNo-Unresolved-Comments
                              • requirement is not satisfiedReview-Enforcement
                              • requirement is not satisfiedTryBots-Pass
                              Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                              Gerrit-MessageType: comment
                              Gerrit-Project: go
                              Gerrit-Branch: master
                              Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                              Gerrit-Change-Number: 704615
                              Gerrit-PatchSet: 35
                              Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                              Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                              Gerrit-CC: Austin Clements <aus...@google.com>
                              Gerrit-CC: Cherry Mui <cher...@google.com>
                              Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                              Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                              Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                              Gerrit-CC: Keith Randall <k...@golang.org>
                              Gerrit-CC: Michael Knyszek <mkny...@google.com>
                              Gerrit-CC: Michael Matloob <mat...@golang.org>
                              Gerrit-Attention: Keith Randall <k...@golang.org>
                              Gerrit-Attention: Michael Matloob <mat...@golang.org>
                              Gerrit-Attention: Cherry Mui <cher...@google.com>
                              Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                              Gerrit-Comment-Date: Wed, 19 Nov 2025 22:54:23 +0000
                              Gerrit-HasComments: Yes
                              Gerrit-Has-Labels: No
                              Comment-In-Reply-To: Michael Matloob <mat...@golang.org>
                              unsatisfied_requirement
                              satisfied_requirement
                              open
                              diffy

                              Daniel Morsing (Gerrit)

                              unread,
                              Nov 19, 2025, 6:09:48 PM (10 days ago) Nov 19
                              to goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                              Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Matloob

                              Daniel Morsing voted Commit-Queue+1

                              Commit-Queue+1
                              Gerrit-Comment-Date: Wed, 19 Nov 2025 23:09:38 +0000
                              Gerrit-HasComments: No
                              Gerrit-Has-Labels: Yes
                              unsatisfied_requirement
                              satisfied_requirement
                              open
                              diffy

                              Michael Matloob (Gerrit)

                              unread,
                              Nov 20, 2025, 8:34:01 AM (10 days ago) Nov 20
                              to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Cherry Mui, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                              Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                              Michael Matloob added 2 comments

                              File src/runtime/_mkmalloc/mkmalloc.go
                              Line 174, Patchset 32: {subBasicLit, "isTiny_", str(0)},
                              Michael Matloob . resolved

                              Can we make isTiny_ a bool instead and use str(false)/str(true) instead? I think that would make the code a little more readable?

                              Daniel Morsing

                              Doing so hits a bug in the mkmalloc generator. It expects an `ast.BasicLit` and `true` or `false` are `ast.Ident`s

                              Michael Matloob

                              Got it. I'll try to fix that after this CL is in.

                              File src/runtime/malloc_stubs.go
                              Line 68, Patchset 35 (Latest): if goexperiment.RuntimeSecret && isTiny && gp.secret > 0 {
                              return mallocgcSmallNoScanSC2(size, typ, needzero)
                              }
                              Michael Matloob . resolved

                              Can we put this code into another function that's inlined in the tiny case, (and inlined to an empty bodied function in the alternate case)? then we won't have to insert it into the generated code for the non-tiny functions.

                              Daniel Morsing

                              It's possible, but because it has to return the function early depending on `gp.secret`, the enclosing function has to have an if statement and the empty inlined function turns into
                              ```
                              avoid := nil

                              if avoid != nil {
                              return avoid
                              }
                              ```
                              in the non-tiny case. Worse, the entirety of the specialized tiny function gets inlined yet again because the enclosing function now includes both terminating and non-terminating returns. It's not pretty and given the results I got from CL 719580, I suspect there's also a performance penalty

                              Between the 2 options, I think a superfluous if statement that gets constant folded away is a lot more readable

                              Michael Matloob

                              Yeah I realized the return issue after writing the comment... We absolutely don't want the rest of the tiny function to be inlined again. I still want to try to see if there's something we can do here, but it shouldn't block this CL. I'll take a look to see if there's anything we can do with mkmalloc after this CL is submitted if there's time before the freeze.

                              Open in Gerrit

                              Related details

                              Attention is currently required from:
                              • Cherry Mui
                              • Daniel Morsing
                              • Filippo Valsorda
                              • Keith Randall
                                Submit Requirements:
                                  • requirement is not satisfiedCode-Review
                                  • requirement satisfiedNo-Unresolved-Comments
                                  • requirement is not satisfiedReview-Enforcement
                                  • requirement satisfiedTryBots-Pass
                                  Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                  Gerrit-MessageType: comment
                                  Gerrit-Project: go
                                  Gerrit-Branch: master
                                  Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                  Gerrit-Change-Number: 704615
                                  Gerrit-PatchSet: 35
                                  Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                  Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                  Gerrit-CC: Austin Clements <aus...@google.com>
                                  Gerrit-CC: Cherry Mui <cher...@google.com>
                                  Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                  Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                  Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                  Gerrit-CC: Keith Randall <k...@golang.org>
                                  Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                  Gerrit-CC: Michael Matloob <mat...@golang.org>
                                  Gerrit-Attention: Keith Randall <k...@golang.org>
                                  Gerrit-Attention: Cherry Mui <cher...@google.com>
                                  Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                  Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                  Gerrit-Comment-Date: Thu, 20 Nov 2025 13:33:56 +0000
                                  Gerrit-HasComments: Yes
                                  Gerrit-Has-Labels: No
                                  Comment-In-Reply-To: Michael Matloob <mat...@golang.org>
                                  Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
                                  unsatisfied_requirement
                                  satisfied_requirement
                                  open
                                  diffy

                                  Cherry Mui (Gerrit)

                                  unread,
                                  Nov 20, 2025, 11:41:28 AM (9 days ago) Nov 20
                                  to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                  Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                  Cherry Mui voted and added 13 comments

                                  Votes added by Cherry Mui

                                  Code-Review+1

                                  13 comments

                                  Patchset-level comments
                                  File-level comment, Patchset 35 (Latest):
                                  Cherry Mui . resolved

                                  LGTM mostly. Thank you!
                                  (I haven't looked carefully at the GC special stuff and the tests. Perhaps others have them covered already.)

                                  File src/runtime/cpuflags.go
                                  Line 17, Patchset 35 (Latest): offsetX86HasAVX512F = unsafe.Offsetof(cpu.X86.HasAVX512F)
                                  Cherry Mui . unresolved

                                  Just use HasAVX512. In other places like preempt_amd64.s, we don't really distinguish F vs. other "always have" features.

                                  File src/runtime/proc.go
                                  Line 4445, Patchset 35 (Latest): if goexperiment.RuntimeSecret && gp.secret > 0 {
                                  Cherry Mui . unresolved

                                  Do we need to reset gp.secret to 0 here? (If we are leaving secret.Do without calling dec.)

                                  File src/runtime/secret.go
                                  Line 1, Patchset 35 (Latest):// Copyright 2024 The Go Authors. All rights reserved.
                                  Cherry Mui . unresolved

                                  Nit: 2025. (Apply to all new files.)

                                  Line 23, Patchset 35 (Latest): // we're potentially racing with a signal being delivered,
                                  // so do it atomically
                                  atomic.Xaddint32(&gp.secret, 1)
                                  Cherry Mui . unresolved

                                  If the signal is delivered to this g, it cannot at the same time executing code (as it is running the signal handler). What potential race could occur?

                                  Line 80, Patchset 35 (Latest):// Use the sigPerThreadSyscall signal but do not set m.needPerThreadSyscall.
                                  // This turns into a no-op that just puts new context onto the signal stack
                                  Cherry Mui . unresolved

                                  In a cgo binary, the signal may have some meaning in the C side (e.g. used by glibc). It may not always be happy to receive an additional signal.

                                  I think it is safer to use a preemption signal. If there is no preemption request, it is no-op.

                                  File src/runtime/secret/internal/dirtysecret/export.go
                                  Line 8, Patchset 35 (Latest):// These functions cannot live in test files in the secret package
                                  // because we need to compile the crashing binary as non-test.
                                  // Otherwise, dist will pick up the crashing binary as a crashing test.
                                  Cherry Mui . unresolved

                                  I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                  File src/runtime/secret/secret.go
                                  Line 51, Patchset 35 (Latest): // unsupported, just invoke f directly.
                                  f()
                                  return
                                  Cherry Mui . unresolved

                                  Should it panic?

                                  Line 87, Patchset 35 (Latest): // Note: if f calls runtime.Goexit, step 3 and above will not
                                  // happen, as Goexit is unrecoverable. We handle that case in
                                  // runtime/proc.go:goexit0.
                                  Cherry Mui . unresolved

                                  If we call eraseSecrets in a deferred function, it will run even if f calls Goexit. Can we do it this way? I guess this depends on the frame size of this function is smaller than doHelper?

                                  Line 116, Patchset 35 (Latest):func count() int32
                                  func inc()
                                  func dec()
                                  func eraseSecrets()
                                  Cherry Mui . unresolved

                                  Would be good to make them "handshake" linknames. I.e. add linkname directives here like
                                  ```
                                  //go:linkname count
                                  func count() int
                                  ```
                                  (Doesn't need to specify the full name, which is inferred with the package prefix.)

                                  File src/runtime/signal_unix.go
                                  Cherry Mui

                                  Nice! Yeah, I was thinking clearing the signal stack by just sending a dummy signal. (It may not even need to be in STW. The M should be able to handle signals even if it is executing. Anyway, doing it during STW is fine.)

                                  File src/runtime/stack.go
                                  Line 1075, Patchset 35 (Latest): secretEraseRegisters()
                                  Cherry Mui . unresolved

                                  Why here instead of doing this at the entry?

                                  File src/runtime/sys_linux_arm64.s
                                  Line 322, Patchset 35 (Latest): BL ·secretEraseRegisters(SB)
                                  Cherry Mui . unresolved

                                  Nit: too many tabs. Lines above have both a space and a tab, remove the space.

                                  Open in Gerrit

                                  Related details

                                  Attention is currently required from:
                                  • Daniel Morsing
                                  • Filippo Valsorda
                                  • Keith Randall
                                  Submit Requirements:
                                    • requirement is not satisfiedCode-Review
                                    • requirement is not satisfiedNo-Unresolved-Comments
                                    • requirement is not satisfiedReview-Enforcement
                                    • requirement satisfiedTryBots-Pass
                                    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                    Gerrit-MessageType: comment
                                    Gerrit-Project: go
                                    Gerrit-Branch: master
                                    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                    Gerrit-Change-Number: 704615
                                    Gerrit-PatchSet: 35
                                    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                    Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                    Gerrit-CC: Austin Clements <aus...@google.com>
                                    Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                    Gerrit-CC: Keith Randall <k...@golang.org>
                                    Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                    Gerrit-CC: Michael Matloob <mat...@golang.org>
                                    Gerrit-Attention: Keith Randall <k...@golang.org>
                                    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                    Gerrit-Comment-Date: Thu, 20 Nov 2025 16:41:23 +0000
                                    Gerrit-HasComments: Yes
                                    Gerrit-Has-Labels: Yes
                                    unsatisfied_requirement
                                    satisfied_requirement
                                    open
                                    diffy

                                    Cherry Mui (Gerrit)

                                    unread,
                                    Nov 20, 2025, 11:43:30 AM (9 days ago) Nov 20
                                    to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                    Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                    Cherry Mui added 1 comment

                                    File src/runtime/secret/secret.go
                                    Line 87, Patchset 35 (Latest): // Note: if f calls runtime.Goexit, step 3 and above will not
                                    // happen, as Goexit is unrecoverable. We handle that case in
                                    // runtime/proc.go:goexit0.
                                    Cherry Mui . unresolved

                                    If we call eraseSecrets in a deferred function, it will run even if f calls Goexit. Can we do it this way? I guess this depends on the frame size of this function is smaller than doHelper?

                                    Cherry Mui

                                    I guess this depends on the frame size of this function is smaller than doHelper?

                                    (Clarify: I mean, if we do it in a defer function, I guess it depends on the deferred function's frame size is not larger than doHelper.)

                                    Gerrit-Comment-Date: Thu, 20 Nov 2025 16:43:26 +0000
                                    Gerrit-HasComments: Yes
                                    Gerrit-Has-Labels: No
                                    Comment-In-Reply-To: Cherry Mui <cher...@google.com>
                                    unsatisfied_requirement
                                    satisfied_requirement
                                    open
                                    diffy

                                    Daniel Morsing (Gerrit)

                                    unread,
                                    Nov 21, 2025, 4:48:46 PM (8 days ago) Nov 21
                                    to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                    Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                    Daniel Morsing uploaded new patchset

                                    Daniel Morsing uploaded patch set #36 to this change.
                                    Following approvals got outdated and were removed:
                                    • Code-Review: +1 by Cherry Mui
                                    • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
                                      Open in Gerrit

                                      Related details

                                      Attention is currently required from:
                                      • Cherry Mui
                                      • Daniel Morsing
                                      • Filippo Valsorda
                                      • Keith Randall
                                        Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 36
                                          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-CC: Austin Clements <aus...@google.com>
                                          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                          Gerrit-CC: Keith Randall <k...@golang.org>
                                          Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                          Gerrit-CC: Michael Matloob <mat...@golang.org>
                                          Gerrit-Attention: Keith Randall <k...@golang.org>
                                          Gerrit-Attention: Cherry Mui <cher...@google.com>
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 21, 2025, 4:57:13 PM (8 days ago) Nov 21
                                          to goph...@pubsubhelper.golang.org, Cherry Mui, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Filippo Valsorda and Keith Randall

                                          Daniel Morsing added 11 comments

                                          File src/runtime/cpuflags.go
                                          Line 17, Patchset 35: offsetX86HasAVX512F = unsafe.Offsetof(cpu.X86.HasAVX512F)
                                          Cherry Mui . resolved

                                          Just use HasAVX512. In other places like preempt_amd64.s, we don't really distinguish F vs. other "always have" features.

                                          Daniel Morsing

                                          Done

                                          File src/runtime/proc.go
                                          Line 4445, Patchset 35: if goexperiment.RuntimeSecret && gp.secret > 0 {
                                          Cherry Mui . resolved

                                          Do we need to reset gp.secret to 0 here? (If we are leaving secret.Do without calling dec.)

                                          Daniel Morsing

                                          Done, put clearing it in gdestroy so we should never have a stale value

                                          aside: we've always given out old partially uncleared Gs? Seems risky for very little benefit.

                                          File src/runtime/secret.go
                                          Line 1, Patchset 35:// Copyright 2024 The Go Authors. All rights reserved.
                                          Cherry Mui . unresolved

                                          Nit: 2025. (Apply to all new files.)

                                          Daniel Morsing

                                          Those are from Keith's original implementation. Following [Filippo's](https://go-review.googlesource.com/c/go/+/704615/comment/ae58d592_da7e6c13/) lead here. Don't know if we have a "co-authorship copyright headers spanning multiple years" policy but I wouldn't be surprised if there isn't one 😂

                                          Line 23, Patchset 35: // we're potentially racing with a signal being delivered,

                                          // so do it atomically
                                          atomic.Xaddint32(&gp.secret, 1)
                                          Cherry Mui . resolved

                                          If the signal is delivered to this g, it cannot at the same time executing code (as it is running the signal handler). What potential race could occur?

                                          Daniel Morsing

                                          Previously, `gp.secret` acted as a fence on whether the `gp.secretStack` field would have a defined value. Now, it's not necessary. Done.

                                          Aside: Do we define our memory model WRT. signals anywhere? I can't believe we'd ever support an architecture that doesn't flush memory on signal delivery and have non-atomic int32 assigns.

                                          Line 80, Patchset 35:// Use the sigPerThreadSyscall signal but do not set m.needPerThreadSyscall.

                                          // This turns into a no-op that just puts new context onto the signal stack
                                          Cherry Mui . resolved

                                          In a cgo binary, the signal may have some meaning in the C side (e.g. used by glibc). It may not always be happy to receive an additional signal.

                                          I think it is safer to use a preemption signal. If there is no preemption request, it is no-op.

                                          Daniel Morsing

                                          Done. I was initially thinking of doing this, but I saw some bookkeeping code that made me think the runtime needed to be updated to work around being sent preemption signals with no request backing them, but thinking about it again, I guess they have handle them if someone sends them explicitly from outside the environment.

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package

                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . resolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          File src/runtime/secret/secret.go
                                          Line 51, Patchset 35: // unsupported, just invoke f directly.
                                          f()
                                          return
                                          Cherry Mui . resolved

                                          Should it panic?

                                          Daniel Morsing

                                          Went with Filippo's suggestion earlier from an earlier patchset. I think this is a better interface since users don't have to special case their code depending on platform support

                                          Line 116, Patchset 35:func count() int32

                                          func inc()
                                          func dec()
                                          func eraseSecrets()
                                          Cherry Mui . resolved

                                          Would be good to make them "handshake" linknames. I.e. add linkname directives here like
                                          ```
                                          //go:linkname count
                                          func count() int
                                          ```
                                          (Doesn't need to specify the full name, which is inferred with the package prefix.)

                                          Daniel Morsing

                                          Done

                                          Line 116, Patchset 35:func count() int32

                                          func inc()
                                          func dec()
                                          func eraseSecrets()
                                          Cherry Mui . resolved

                                          Would be good to make them "handshake" linknames. I.e. add linkname directives here like
                                          ```
                                          //go:linkname count
                                          func count() int
                                          ```
                                          (Doesn't need to specify the full name, which is inferred with the package prefix.)

                                          Daniel Morsing

                                          Done

                                          File src/runtime/stack.go
                                          Line 1075, Patchset 35: secretEraseRegisters()
                                          Cherry Mui . resolved

                                          Why here instead of doing this at the entry?

                                          Daniel Morsing

                                          Not seeing a reason why not. Done

                                          File src/runtime/sys_linux_arm64.s
                                          Line 322, Patchset 35: BL ·secretEraseRegisters(SB)
                                          Cherry Mui . resolved

                                          Nit: too many tabs. Lines above have both a space and a tab, remove the space.

                                          Daniel Morsing

                                          Done

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: comment
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 36
                                          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-CC: Austin Clements <aus...@google.com>
                                          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                          Gerrit-CC: Keith Randall <k...@golang.org>
                                          Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                          Gerrit-CC: Michael Matloob <mat...@golang.org>
                                          Gerrit-Attention: Keith Randall <k...@golang.org>
                                          Gerrit-Attention: Cherry Mui <cher...@google.com>
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Comment-Date: Fri, 21 Nov 2025 21:57:04 +0000
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 22, 2025, 6:09:49 AM (8 days ago) Nov 22
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #37 to this change.
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 37
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 22, 2025, 6:14:55 AM (8 days ago) Nov 22
                                          to goph...@pubsubhelper.golang.org, Cherry Mui, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Filippo Valsorda and Keith Randall

                                          Daniel Morsing voted and added 2 comments

                                          Votes added by Daniel Morsing

                                          Commit-Queue+1

                                          2 comments

                                          Patchset-level comments
                                          File-level comment, Patchset 37 (Latest):
                                          Daniel Morsing . resolved

                                          PTAL

                                          File src/runtime/secret/secret.go
                                          Line 87, Patchset 35: // Note: if f calls runtime.Goexit, step 3 and above will not

                                          // happen, as Goexit is unrecoverable. We handle that case in
                                          // runtime/proc.go:goexit0.
                                          Cherry Mui . resolved

                                          If we call eraseSecrets in a deferred function, it will run even if f calls Goexit. Can we do it this way? I guess this depends on the frame size of this function is smaller than doHelper?

                                          Cherry Mui

                                          I guess this depends on the frame size of this function is smaller than doHelper?

                                          (Clarify: I mean, if we do it in a defer function, I guess it depends on the deferred function's frame size is not larger than doHelper.)

                                          Daniel Morsing

                                          Tried implementing this and realised that erasing registers isn't needed because mcall already does it for us by the time we get down this path. Left a comment to that effect and added a best-effort test

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: comment
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 37
                                          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-CC: Austin Clements <aus...@google.com>
                                          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                          Gerrit-CC: Keith Randall <k...@golang.org>
                                          Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                          Gerrit-CC: Michael Matloob <mat...@golang.org>
                                          Gerrit-Attention: Keith Randall <k...@golang.org>
                                          Gerrit-Attention: Cherry Mui <cher...@google.com>
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Comment-Date: Sat, 22 Nov 2025 11:14:45 +0000
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 22, 2025, 6:52:55 AM (8 days ago) Nov 22
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #38 to this change.
                                          Following approvals got outdated and were removed:
                                          • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 38
                                          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-CC: Austin Clements <aus...@google.com>
                                          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                          Gerrit-CC: Keith Randall <k...@golang.org>
                                          Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                          Gerrit-CC: Michael Matloob <mat...@golang.org>
                                          Gerrit-Attention: Keith Randall <k...@golang.org>
                                          Gerrit-Attention: Cherry Mui <cher...@google.com>
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 22, 2025, 7:06:53 AM (8 days ago) Nov 22
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #39 to this change.
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 39
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 22, 2025, 7:39:03 AM (8 days ago) Nov 22
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #40 to this change.
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 40
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 22, 2025, 5:29:41 PM (7 days ago) Nov 22
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #41 to this change.
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 41
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 24, 2025, 4:39:38 AM (6 days ago) Nov 24
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #42 to this change.
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 42
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 24, 2025, 4:39:58 AM (6 days ago) Nov 24
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #43 to this change.
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 43
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Cherry Mui (Gerrit)

                                          unread,
                                          Nov 24, 2025, 1:02:51 PM (5 days ago) Nov 24
                                          to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Cherry Mui added 3 comments

                                          File src/runtime/secret.go
                                          Line 1, Patchset 35:// Copyright 2024 The Go Authors. All rights reserved.
                                          Cherry Mui . resolved

                                          Nit: 2025. (Apply to all new files.)

                                          Daniel Morsing

                                          Those are from Keith's original implementation. Following [Filippo's](https://go-review.googlesource.com/c/go/+/704615/comment/ae58d592_da7e6c13/) lead here. Don't know if we have a "co-authorship copyright headers spanning multiple years" policy but I wouldn't be surprised if there isn't one 😂

                                          Cherry Mui

                                          Alright. I don't think it matters too much.

                                          Line 23, Patchset 35: // we're potentially racing with a signal being delivered,
                                          // so do it atomically
                                          atomic.Xaddint32(&gp.secret, 1)
                                          Cherry Mui . resolved

                                          If the signal is delivered to this g, it cannot at the same time executing code (as it is running the signal handler). What potential race could occur?

                                          Daniel Morsing

                                          Previously, `gp.secret` acted as a fence on whether the `gp.secretStack` field would have a defined value. Now, it's not necessary. Done.

                                          Aside: Do we define our memory model WRT. signals anywhere? I can't believe we'd ever support an architecture that doesn't flush memory on signal delivery and have non-atomic int32 assigns.

                                          Cherry Mui

                                          I'm not sure we explicitly mentioned that. I'd think we treat the signal handler as part of the program running sequentially. That is,
                                          instructions before the signal PC, signal handler, instructions after the signal PC, run sequentially as part of the program order. They run on the same OS thread anyway, so the memory accesses should follow the sequential order.

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package
                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . unresolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          Cherry Mui

                                          files in testdata directory could import internal packages. I think we can move the test-only functions to testdata as well, instead of copying them in crash_test.go. So we don't have to build them in regular, non-test builds.

                                          There could be multiple packages in testdata as well, which are importable from other testdata packages.

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: comment
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 43
                                          Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                          Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-CC: Austin Clements <aus...@google.com>
                                          Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                          Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                          Gerrit-CC: Keith Randall <k...@golang.org>
                                          Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                          Gerrit-CC: Michael Matloob <mat...@golang.org>
                                          Gerrit-Attention: Keith Randall <k...@golang.org>
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Comment-Date: Mon, 24 Nov 2025 18:02:31 +0000
                                          Gerrit-HasComments: Yes
                                          Gerrit-Has-Labels: No
                                          Comment-In-Reply-To: Cherry Mui <cher...@google.com>
                                          Comment-In-Reply-To: Daniel Morsing <daniel....@gmail.com>
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Cherry Mui (Gerrit)

                                          unread,
                                          Nov 24, 2025, 1:08:37 PM (5 days ago) Nov 24
                                          to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Cherry Mui added 1 comment

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package
                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . unresolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          Cherry Mui

                                          files in testdata directory could import internal packages. I think we can move the test-only functions to testdata as well, instead of copying them in crash_test.go. So we don't have to build them in regular, non-test builds.

                                          There could be multiple packages in testdata as well, which are importable from other testdata packages.

                                          Cherry Mui

                                          I think we want to move all test-only code to testdata. And on crash_test.go, just build the test program without copying. Just do a "go build" with cmd.Dir as `testdata` (or `testdata/some_package` if that makes sense) and put the output binary in a temporary directory, and run it. (See the runtime's [buildTestProg](https://cs.opensource.google/go/go/+/master:src/runtime/crash_test.go;l=128). It has more complex configuration handling which we don't need.)

                                          Gerrit-Comment-Date: Mon, 24 Nov 2025 18:08:33 +0000
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 24, 2025, 2:03:20 PM (5 days ago) Nov 24
                                          to goph...@pubsubhelper.golang.org, Go LUCI, Cherry Mui, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Filippo Valsorda and Keith Randall

                                          Daniel Morsing added 1 comment

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package
                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . unresolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          Cherry Mui

                                          files in testdata directory could import internal packages. I think we can move the test-only functions to testdata as well, instead of copying them in crash_test.go. So we don't have to build them in regular, non-test builds.

                                          There could be multiple packages in testdata as well, which are importable from other testdata packages.

                                          Cherry Mui

                                          I think we want to move all test-only code to testdata. And on crash_test.go, just build the test program without copying. Just do a "go build" with cmd.Dir as `testdata` (or `testdata/some_package` if that makes sense) and put the output binary in a temporary directory, and run it. (See the runtime's [buildTestProg](https://cs.opensource.google/go/go/+/master:src/runtime/crash_test.go;l=128). It has more complex configuration handling which we don't need.)

                                          Daniel Morsing

                                          `secret_test.go` also uses these assembly files. I could pull them out into their own package so they can be shared, but it'd have to be internal and then I'm back to square one with having to have a `dirtysecret` and `crashsecret` package live in the source tree itself

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Gerrit-Attention: Cherry Mui <cher...@google.com>
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Comment-Date: Mon, 24 Nov 2025 19:03:09 +0000
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Cherry Mui (Gerrit)

                                          unread,
                                          Nov 24, 2025, 2:56:11 PM (5 days ago) Nov 24
                                          to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Cherry Mui added 1 comment

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package
                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . unresolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          Cherry Mui

                                          files in testdata directory could import internal packages. I think we can move the test-only functions to testdata as well, instead of copying them in crash_test.go. So we don't have to build them in regular, non-test builds.

                                          There could be multiple packages in testdata as well, which are importable from other testdata packages.

                                          Cherry Mui

                                          I think we want to move all test-only code to testdata. And on crash_test.go, just build the test program without copying. Just do a "go build" with cmd.Dir as `testdata` (or `testdata/some_package` if that makes sense) and put the output binary in a temporary directory, and run it. (See the runtime's [buildTestProg](https://cs.opensource.google/go/go/+/master:src/runtime/crash_test.go;l=128). It has more complex configuration handling which we don't need.)

                                          Daniel Morsing

                                          `secret_test.go` also uses these assembly files. I could pull them out into their own package so they can be shared, but it'd have to be internal and then I'm back to square one with having to have a `dirtysecret` and `crashsecret` package live in the source tree itself

                                          Cherry Mui

                                          Could you put functions in secret_test.go in testdata as well? It could be Go tests, or just a main executable with multiple entry points (like, crash if the check fails). And have a test driver in runtime/secret to build and run the actual tests in testdata.

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Comment-Date: Mon, 24 Nov 2025 19:56:07 +0000
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 24, 2025, 3:19:57 PM (5 days ago) Nov 24
                                          to goph...@pubsubhelper.golang.org, Go LUCI, Cherry Mui, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Filippo Valsorda and Keith Randall

                                          Daniel Morsing added 1 comment

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package
                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . unresolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          Cherry Mui

                                          files in testdata directory could import internal packages. I think we can move the test-only functions to testdata as well, instead of copying them in crash_test.go. So we don't have to build them in regular, non-test builds.

                                          There could be multiple packages in testdata as well, which are importable from other testdata packages.

                                          Cherry Mui

                                          I think we want to move all test-only code to testdata. And on crash_test.go, just build the test program without copying. Just do a "go build" with cmd.Dir as `testdata` (or `testdata/some_package` if that makes sense) and put the output binary in a temporary directory, and run it. (See the runtime's [buildTestProg](https://cs.opensource.google/go/go/+/master:src/runtime/crash_test.go;l=128). It has more complex configuration handling which we don't need.)

                                          Daniel Morsing

                                          `secret_test.go` also uses these assembly files. I could pull them out into their own package so they can be shared, but it'd have to be internal and then I'm back to square one with having to have a `dirtysecret` and `crashsecret` package live in the source tree itself

                                          Cherry Mui

                                          Could you put functions in secret_test.go in testdata as well? It could be Go tests, or just a main executable with multiple entry points (like, crash if the check fails). And have a test driver in runtime/secret to build and run the actual tests in testdata.

                                          Daniel Morsing

                                          We'd lose dashboard functionality like watchflakes picking up the right tests, and I think it would make the organization more muddled.

                                          As kludge-y as `crash_test.go` is, it is at least miles better than what it was previously.

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Gerrit-Attention: Cherry Mui <cher...@google.com>
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Comment-Date: Mon, 24 Nov 2025 20:19:48 +0000
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Cherry Mui (Gerrit)

                                          unread,
                                          Nov 24, 2025, 4:48:26 PM (5 days ago) Nov 24
                                          to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Cherry Mui added 1 comment

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package
                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . unresolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          Cherry Mui

                                          files in testdata directory could import internal packages. I think we can move the test-only functions to testdata as well, instead of copying them in crash_test.go. So we don't have to build them in regular, non-test builds.

                                          There could be multiple packages in testdata as well, which are importable from other testdata packages.

                                          Cherry Mui

                                          I think we want to move all test-only code to testdata. And on crash_test.go, just build the test program without copying. Just do a "go build" with cmd.Dir as `testdata` (or `testdata/some_package` if that makes sense) and put the output binary in a temporary directory, and run it. (See the runtime's [buildTestProg](https://cs.opensource.google/go/go/+/master:src/runtime/crash_test.go;l=128). It has more complex configuration handling which we don't need.)

                                          Daniel Morsing

                                          `secret_test.go` also uses these assembly files. I could pull them out into their own package so they can be shared, but it'd have to be internal and then I'm back to square one with having to have a `dirtysecret` and `crashsecret` package live in the source tree itself

                                          Cherry Mui

                                          Could you put functions in secret_test.go in testdata as well? It could be Go tests, or just a main executable with multiple entry points (like, crash if the check fails). And have a test driver in runtime/secret to build and run the actual tests in testdata.

                                          Daniel Morsing

                                          We'd lose dashboard functionality like watchflakes picking up the right tests, and I think it would make the organization more muddled.

                                          As kludge-y as `crash_test.go` is, it is at least miles better than what it was previously.

                                          Cherry Mui

                                          We'd lose dashboard functionality like watchflakes picking up the right tests

                                          We can still achieve that by having multiple tests crash_test.go, each invokes a different entry point of the test binary. The runtime's testdata/testprog does this.

                                          If you think that is too annoying and you want to keep the current layout, it would better for the test-only code be in separate files, and with a clear a comment on each file (including the assembly files) saying that this is test-only.

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                          Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                          Gerrit-Comment-Date: Mon, 24 Nov 2025 21:48:23 +0000
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 24, 2025, 6:52:50 PM (5 days ago) Nov 24
                                          to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                          Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                          Daniel Morsing uploaded new patchset

                                          Daniel Morsing uploaded patch set #44 to this change.
                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Daniel Morsing
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                          • requirement is not satisfiedCode-Review
                                          • requirement is not satisfiedNo-Unresolved-Comments
                                          • requirement is not satisfiedReview-Enforcement
                                          • requirement is not satisfiedTryBots-Pass
                                          Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                          Gerrit-MessageType: newpatchset
                                          Gerrit-Project: go
                                          Gerrit-Branch: master
                                          Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                          Gerrit-Change-Number: 704615
                                          Gerrit-PatchSet: 44
                                          unsatisfied_requirement
                                          open
                                          diffy

                                          Daniel Morsing (Gerrit)

                                          unread,
                                          Nov 24, 2025, 6:58:54 PM (5 days ago) Nov 24
                                          to goph...@pubsubhelper.golang.org, Go LUCI, Cherry Mui, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                          Attention needed from Cherry Mui, Filippo Valsorda and Keith Randall

                                          Daniel Morsing voted and added 2 comments

                                          Votes added by Daniel Morsing

                                          Commit-Queue+1

                                          2 comments

                                          Patchset-level comments
                                          File-level comment, Patchset 44 (Latest):
                                          Daniel Morsing . resolved

                                          Rebased onto master to fix the dev.simd conflicts

                                          File src/runtime/secret/internal/dirtysecret/export.go
                                          Line 8, Patchset 35:// These functions cannot live in test files in the secret package
                                          // because we need to compile the crashing binary as non-test.
                                          // Otherwise, dist will pick up the crashing binary as a crashing test.
                                          Cherry Mui . resolved

                                          I'm not sure I follow this comment. Can this be in runtime/secret/testdata? I don't think dist does anything special with files in testdata (and we have a bunch of crashing programs in runtime/testdata). Then we don't need to edit deps_test.go. (Generally, I hope we don't have too many test-only packages.)

                                          Daniel Morsing

                                          I think I managed to conflate 2 different facts and not explain either of them in the process.

                                          1) the original tests built a version of themselves to test the crashing behavior. This interacted badly with dist when running on the builders.
                                          2) the tests needed access to internal packages like internal/cpu, hence they had to live in-tree.

                                          I've re-written the crash test so it can live as simple testdata file.

                                          Cherry Mui

                                          files in testdata directory could import internal packages. I think we can move the test-only functions to testdata as well, instead of copying them in crash_test.go. So we don't have to build them in regular, non-test builds.

                                          There could be multiple packages in testdata as well, which are importable from other testdata packages.

                                          Cherry Mui

                                          I think we want to move all test-only code to testdata. And on crash_test.go, just build the test program without copying. Just do a "go build" with cmd.Dir as `testdata` (or `testdata/some_package` if that makes sense) and put the output binary in a temporary directory, and run it. (See the runtime's [buildTestProg](https://cs.opensource.google/go/go/+/master:src/runtime/crash_test.go;l=128). It has more complex configuration handling which we don't need.)

                                          Daniel Morsing

                                          `secret_test.go` also uses these assembly files. I could pull them out into their own package so they can be shared, but it'd have to be internal and then I'm back to square one with having to have a `dirtysecret` and `crashsecret` package live in the source tree itself

                                          Cherry Mui

                                          Could you put functions in secret_test.go in testdata as well? It could be Go tests, or just a main executable with multiple entry points (like, crash if the check fails). And have a test driver in runtime/secret to build and run the actual tests in testdata.

                                          Daniel Morsing

                                          We'd lose dashboard functionality like watchflakes picking up the right tests, and I think it would make the organization more muddled.

                                          As kludge-y as `crash_test.go` is, it is at least miles better than what it was previously.

                                          Cherry Mui

                                          We'd lose dashboard functionality like watchflakes picking up the right tests

                                          We can still achieve that by having multiple tests crash_test.go, each invokes a different entry point of the test binary. The runtime's testdata/testprog does this.

                                          If you think that is too annoying and you want to keep the current layout, it would better for the test-only code be in separate files, and with a clear a comment on each file (including the assembly files) saying that this is test-only.

                                          Daniel Morsing

                                          I think leave the structure as is. Added breadcrumb comments to make it more obvious what it is.

                                          Open in Gerrit

                                          Related details

                                          Attention is currently required from:
                                          • Cherry Mui
                                          • Filippo Valsorda
                                          • Keith Randall
                                          Submit Requirements:
                                            • requirement is not satisfiedCode-Review
                                            • requirement satisfiedNo-Unresolved-Comments
                                            • requirement is not satisfiedReview-Enforcement
                                            • requirement is not satisfiedTryBots-Pass
                                            Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                            Gerrit-MessageType: comment
                                            Gerrit-Project: go
                                            Gerrit-Branch: master
                                            Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                            Gerrit-Change-Number: 704615
                                            Gerrit-PatchSet: 44
                                            Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                            Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-CC: Austin Clements <aus...@google.com>
                                            Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                            Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                            Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                            Gerrit-CC: Keith Randall <k...@golang.org>
                                            Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                            Gerrit-CC: Michael Matloob <mat...@golang.org>
                                            Gerrit-Attention: Keith Randall <k...@golang.org>
                                            Gerrit-Attention: Cherry Mui <cher...@google.com>
                                            Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                            Gerrit-Comment-Date: Mon, 24 Nov 2025 23:58:44 +0000
                                            Gerrit-HasComments: Yes
                                            Gerrit-Has-Labels: Yes
                                            unsatisfied_requirement
                                            satisfied_requirement
                                            open
                                            diffy

                                            Cherry Mui (Gerrit)

                                            unread,
                                            Nov 26, 2025, 12:34:22 PM (3 days ago) Nov 26
                                            to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                            Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                            Cherry Mui voted Code-Review+2

                                            Code-Review+2
                                            Open in Gerrit

                                            Related details

                                            Attention is currently required from:
                                            • Daniel Morsing
                                            • Filippo Valsorda
                                            • Keith Randall
                                            Submit Requirements:
                                            • requirement satisfiedCode-Review
                                            • requirement satisfiedNo-Unresolved-Comments
                                            • requirement is not satisfiedReview-Enforcement
                                            • requirement satisfiedTryBots-Pass
                                            Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                            Gerrit-MessageType: comment
                                            Gerrit-Project: go
                                            Gerrit-Branch: master
                                            Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                            Gerrit-Change-Number: 704615
                                            Gerrit-PatchSet: 44
                                            Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                            Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-CC: Austin Clements <aus...@google.com>
                                            Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                            Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                            Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                            Gerrit-CC: Keith Randall <k...@golang.org>
                                            Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                            Gerrit-CC: Michael Matloob <mat...@golang.org>
                                            Gerrit-Attention: Keith Randall <k...@golang.org>
                                            Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                            Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-Comment-Date: Wed, 26 Nov 2025 17:34:19 +0000
                                            Gerrit-HasComments: No
                                            Gerrit-Has-Labels: Yes
                                            satisfied_requirement
                                            unsatisfied_requirement
                                            open
                                            diffy

                                            Michael Knyszek (Gerrit)

                                            unread,
                                            Nov 26, 2025, 1:16:26 PM (3 days ago) Nov 26
                                            to Daniel Morsing, goph...@pubsubhelper.golang.org, Cherry Mui, Go LUCI, Dmitri Shuralyov, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                            Attention needed from Daniel Morsing, Filippo Valsorda and Keith Randall

                                            Michael Knyszek added 2 comments

                                            File src/runtime/mgc.go
                                            Line 849, Patchset 44 (Latest): for mp := allm; mp != nil; mp = mp.alllink {
                                            Michael Knyszek . unresolved

                                            an O(M) operation during the STW is worrying to me in terms of latency. we've made a lot of progress over the years reducing pause time to essentially just be O(P) (there are some exceptions, but they're intentionally made as cheap as possible; sending a signal does not seem as cheap).

                                            I think this could represent a real regression in applications with a lot of idle threads.

                                            it's OK for the experiment, but dealing with this is IMO important before enabling the experiment by default.

                                            please add a TODO here.

                                            File src/runtime/secret.go
                                            Line 63, Patchset 44 (Latest):
                                            // addSecret records the fact that we need to zero p immediately
                                            // when it is freed.
                                            func addSecret(p unsafe.Pointer) {
                                            lock(&mheap_.speciallock)
                                            s := (*specialSecret)(mheap_.specialSecretAlloc.alloc())
                                            s.special.kind = _KindSpecialSecret
                                            unlock(&mheap_.speciallock)
                                            addspecial(p, &s.special, false)
                                            }
                                            Michael Knyszek . unresolved

                                            how big are secret contexts supposed to be, generally?

                                            if they're relatively large (an entire goroutine's lifetime), then I suspect this will really hurt allocation performance at scale because of the lock access. also, if you allocate in a loop, you'll get O(n^2) behavior up to the number of objects in a span because of how addspecial traverses the linked list. (we should make specials better, but that's a bigger job.)

                                            again, fine for an experiment, but I think we should try to resolve this before we turn the experiment on by default.

                                            for the scalability bit we can add a per-P cache of secret specials. for the O(n^2) problem with specials, we could consider adding specials from the _back_ since that's the general order of allocation.

                                            please add a TODO.

                                            Open in Gerrit

                                            Related details

                                            Attention is currently required from:
                                            • Daniel Morsing
                                            • Filippo Valsorda
                                            • Keith Randall
                                            Submit Requirements:
                                            • requirement satisfiedCode-Review
                                            • requirement is not satisfiedNo-Unresolved-Comments
                                            • requirement is not satisfiedReview-Enforcement
                                            • requirement satisfiedTryBots-Pass
                                            Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                            Gerrit-MessageType: comment
                                            Gerrit-Project: go
                                            Gerrit-Branch: master
                                            Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                            Gerrit-Change-Number: 704615
                                            Gerrit-PatchSet: 44
                                            Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                            Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-CC: Austin Clements <aus...@google.com>
                                            Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                            Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                            Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                            Gerrit-CC: Keith Randall <k...@golang.org>
                                            Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                            Gerrit-CC: Michael Matloob <mat...@golang.org>
                                            Gerrit-Attention: Keith Randall <k...@golang.org>
                                            Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                            Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                            Gerrit-Comment-Date: Wed, 26 Nov 2025 18:16:22 +0000
                                            Gerrit-HasComments: Yes
                                            Gerrit-Has-Labels: No
                                            satisfied_requirement
                                            unsatisfied_requirement
                                            open
                                            diffy

                                            Daniel Morsing (Gerrit)

                                            unread,
                                            Nov 26, 2025, 3:57:08 PM (3 days ago) Nov 26
                                            to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                            Attention needed from Cherry Mui, Daniel Morsing, Filippo Valsorda and Keith Randall

                                            Daniel Morsing uploaded new patchset

                                            Daniel Morsing uploaded patch set #45 to this change.
                                            Following approvals got outdated and were removed:
                                            • Code-Review: +2 by Cherry Mui
                                            • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
                                              Open in Gerrit

                                              Related details

                                              Attention is currently required from:
                                              • Cherry Mui
                                              • Daniel Morsing
                                              • Filippo Valsorda
                                              • Keith Randall
                                                Submit Requirements:
                                                • requirement is not satisfiedCode-Review
                                                • requirement is not satisfiedNo-Unresolved-Comments
                                                • requirement is not satisfiedReview-Enforcement
                                                • requirement is not satisfiedTryBots-Pass
                                                Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                Gerrit-MessageType: newpatchset
                                                Gerrit-Project: go
                                                Gerrit-Branch: master
                                                Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                Gerrit-Change-Number: 704615
                                                Gerrit-PatchSet: 45
                                                Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                                Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                                Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                                Gerrit-CC: Austin Clements <aus...@google.com>
                                                Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                                Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                                Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                                Gerrit-CC: Keith Randall <k...@golang.org>
                                                Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                                Gerrit-CC: Michael Matloob <mat...@golang.org>
                                                Gerrit-Attention: Keith Randall <k...@golang.org>
                                                Gerrit-Attention: Cherry Mui <cher...@google.com>
                                                unsatisfied_requirement
                                                open
                                                diffy

                                                Daniel Morsing (Gerrit)

                                                unread,
                                                Nov 26, 2025, 3:58:40 PM (3 days ago) Nov 26
                                                to goph...@pubsubhelper.golang.org, Cherry Mui, Go LUCI, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                                Attention needed from Cherry Mui, Filippo Valsorda, Keith Randall and Michael Knyszek

                                                Daniel Morsing added 2 comments

                                                File src/runtime/mgc.go
                                                Line 849, Patchset 44: for mp := allm; mp != nil; mp = mp.alllink {
                                                Michael Knyszek . resolved

                                                an O(M) operation during the STW is worrying to me in terms of latency. we've made a lot of progress over the years reducing pause time to essentially just be O(P) (there are some exceptions, but they're intentionally made as cheap as possible; sending a signal does not seem as cheap).

                                                I think this could represent a real regression in applications with a lot of idle threads.

                                                it's OK for the experiment, but dealing with this is IMO important before enabling the experiment by default.

                                                please add a TODO here.

                                                Daniel Morsing

                                                Added a TODO with some ideas how to handle this

                                                File src/runtime/secret.go

                                                // addSecret records the fact that we need to zero p immediately
                                                // when it is freed.
                                                func addSecret(p unsafe.Pointer) {
                                                lock(&mheap_.speciallock)
                                                s := (*specialSecret)(mheap_.specialSecretAlloc.alloc())
                                                s.special.kind = _KindSpecialSecret
                                                unlock(&mheap_.speciallock)
                                                addspecial(p, &s.special, false)
                                                }
                                                Michael Knyszek . resolved

                                                how big are secret contexts supposed to be, generally?

                                                if they're relatively large (an entire goroutine's lifetime), then I suspect this will really hurt allocation performance at scale because of the lock access. also, if you allocate in a loop, you'll get O(n^2) behavior up to the number of objects in a span because of how addspecial traverses the linked list. (we should make specials better, but that's a bigger job.)

                                                again, fine for an experiment, but I think we should try to resolve this before we turn the experiment on by default.

                                                for the scalability bit we can add a per-P cache of secret specials. for the O(n^2) problem with specials, we could consider adding specials from the _back_ since that's the general order of allocation.

                                                please add a TODO.

                                                Daniel Morsing

                                                Added TODO that explains the intended usage for these.

                                                Open in Gerrit

                                                Related details

                                                Attention is currently required from:
                                                • Cherry Mui
                                                • Filippo Valsorda
                                                • Keith Randall
                                                • Michael Knyszek
                                                Submit Requirements:
                                                  • requirement is not satisfiedCode-Review
                                                  • requirement satisfiedNo-Unresolved-Comments
                                                  • requirement is not satisfiedReview-Enforcement
                                                  • requirement is not satisfiedTryBots-Pass
                                                  Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                  Gerrit-MessageType: comment
                                                  Gerrit-Project: go
                                                  Gerrit-Branch: master
                                                  Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                  Gerrit-Change-Number: 704615
                                                  Gerrit-PatchSet: 45
                                                  Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                                  Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                                  Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                                  Gerrit-CC: Austin Clements <aus...@google.com>
                                                  Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                                  Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                                  Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                                  Gerrit-CC: Keith Randall <k...@golang.org>
                                                  Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                                  Gerrit-CC: Michael Matloob <mat...@golang.org>
                                                  Gerrit-Attention: Keith Randall <k...@golang.org>
                                                  Gerrit-Attention: Cherry Mui <cher...@google.com>
                                                  Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                                  Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                                                  Gerrit-Comment-Date: Wed, 26 Nov 2025 20:58:30 +0000
                                                  Gerrit-HasComments: Yes
                                                  Gerrit-Has-Labels: No
                                                  Comment-In-Reply-To: Michael Knyszek <mkny...@google.com>
                                                  unsatisfied_requirement
                                                  satisfied_requirement
                                                  open
                                                  diffy

                                                  Cherry Mui (Gerrit)

                                                  unread,
                                                  Nov 26, 2025, 5:23:58 PM (3 days ago) Nov 26
                                                  to Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                                  Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

                                                  Cherry Mui voted

                                                  Code-Review+2
                                                  Commit-Queue+1
                                                  Open in Gerrit

                                                  Related details

                                                  Attention is currently required from:
                                                  • Daniel Morsing
                                                  • Filippo Valsorda
                                                  • Keith Randall
                                                  • Michael Knyszek
                                                    Submit Requirements:
                                                    • requirement satisfiedCode-Review
                                                    • requirement satisfiedNo-Unresolved-Comments
                                                    • requirement is not satisfiedReview-Enforcement
                                                    • requirement is not satisfiedTryBots-Pass
                                                    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                    Gerrit-MessageType: comment
                                                    Gerrit-Project: go
                                                    Gerrit-Branch: master
                                                    Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                    Gerrit-Change-Number: 704615
                                                    Gerrit-PatchSet: 45
                                                    Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                                    Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                                    Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                                    Gerrit-CC: Austin Clements <aus...@google.com>
                                                    Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                                    Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                                    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                                    Gerrit-CC: Keith Randall <k...@golang.org>
                                                    Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                                    Gerrit-CC: Michael Matloob <mat...@golang.org>
                                                    Gerrit-Attention: Keith Randall <k...@golang.org>
                                                    Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                                    Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                                    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                                                    Gerrit-Comment-Date: Wed, 26 Nov 2025 22:23:54 +0000
                                                    Gerrit-HasComments: No
                                                    Gerrit-Has-Labels: Yes
                                                    satisfied_requirement
                                                    unsatisfied_requirement
                                                    open
                                                    diffy

                                                    Roland Shoemaker (Gerrit)

                                                    unread,
                                                    Nov 26, 2025, 5:24:32 PM (3 days ago) Nov 26
                                                    to Daniel Morsing, goph...@pubsubhelper.golang.org, Cherry Mui, Go LUCI, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Filippo Valsorda, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                                    Attention needed from Daniel Morsing, Filippo Valsorda, Keith Randall and Michael Knyszek

                                                    Roland Shoemaker voted

                                                    Auto-Submit+1
                                                    Code-Review+1
                                                    Open in Gerrit

                                                    Related details

                                                    Attention is currently required from:
                                                    • Daniel Morsing
                                                    • Filippo Valsorda
                                                    • Keith Randall
                                                    • Michael Knyszek
                                                    Submit Requirements:
                                                      • requirement satisfiedCode-Review
                                                      • requirement satisfiedNo-Unresolved-Comments
                                                      • requirement satisfiedReview-Enforcement
                                                      • requirement is not satisfiedTryBots-Pass
                                                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                      Gerrit-MessageType: comment
                                                      Gerrit-Project: go
                                                      Gerrit-Branch: master
                                                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                      Gerrit-Change-Number: 704615
                                                      Gerrit-PatchSet: 45
                                                      Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                                      Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
                                                      Gerrit-CC: Austin Clements <aus...@google.com>
                                                      Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                                      Gerrit-CC: Filippo Valsorda <fil...@golang.org>
                                                      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                                      Gerrit-CC: Keith Randall <k...@golang.org>
                                                      Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                                      Gerrit-CC: Michael Matloob <mat...@golang.org>
                                                      Gerrit-Attention: Keith Randall <k...@golang.org>
                                                      Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
                                                      Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                                                      Gerrit-Comment-Date: Wed, 26 Nov 2025 22:24:26 +0000
                                                      Gerrit-HasComments: No
                                                      Gerrit-Has-Labels: Yes
                                                      satisfied_requirement
                                                      unsatisfied_requirement
                                                      open
                                                      diffy

                                                      Filippo Valsorda (Gerrit)

                                                      unread,
                                                      Nov 26, 2025, 6:17:00 PM (3 days ago) Nov 26
                                                      to Filippo Valsorda, Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Roland Shoemaker, Cherry Mui, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com
                                                      Attention needed from Daniel Morsing, Keith Randall, Michael Knyszek and Roland Shoemaker

                                                      Filippo Valsorda added 1 comment

                                                      Patchset-level comments
                                                      File-level comment, Patchset 45:
                                                      Filippo Valsorda . resolved

                                                      Resolved a trivial conflict.

                                                      ```
                                                      diff --git a/src/runtime/proc.go b/src/runtime/proc.go
                                                      index b44b3f5..1653809 100644
                                                      --- a/src/runtime/proc.go
                                                      +++ b/src/runtime/proc.go
                                                      @@ -4489,12 +4489,8 @@ func gdestroy(gp *g) {
                                                      gp.labels = nil
                                                      gp.timer = nil
                                                      gp.bubble = nil
                                                      -<<<<<<< Side #1 (Conflict 1 of 1)
                                                      gp.fipsOnlyBypass = false
                                                      -||||||| Base
                                                      -=======
                                                      gp.secret = 0
                                                      ->>>>>>> Side #2 (Conflict 1 of 1 ends)
                                                       	if gcBlackenEnabled != 0 && gp.gcAssistBytes > 0 {
                                                      // Flush assist credit to the global pool. This gives
                                                      ```
                                                      Open in Gerrit

                                                      Related details

                                                      Attention is currently required from:
                                                      • Daniel Morsing
                                                      • Keith Randall
                                                      • Michael Knyszek
                                                      • Roland Shoemaker
                                                      Submit Requirements:
                                                      • requirement satisfiedCode-Review
                                                      • requirement satisfiedNo-Unresolved-Comments
                                                      • requirement satisfiedReview-Enforcement
                                                      • requirement is not satisfiedTryBots-Pass
                                                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                      Gerrit-MessageType: comment
                                                      Gerrit-Project: go
                                                      Gerrit-Branch: master
                                                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                      Gerrit-Change-Number: 704615
                                                      Gerrit-PatchSet: 46
                                                      Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                                      Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
                                                      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
                                                      Gerrit-CC: Austin Clements <aus...@google.com>
                                                      Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                                      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                                      Gerrit-CC: Keith Randall <k...@golang.org>
                                                      Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                                      Gerrit-CC: Michael Matloob <mat...@golang.org>
                                                      Gerrit-Attention: Keith Randall <k...@golang.org>
                                                      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
                                                      Gerrit-Attention: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
                                                      Gerrit-Comment-Date: Wed, 26 Nov 2025 23:16:50 +0000
                                                      Gerrit-HasComments: Yes
                                                      Gerrit-Has-Labels: No
                                                      satisfied_requirement
                                                      unsatisfied_requirement
                                                      open
                                                      diffy

                                                      Filippo Valsorda (Gerrit)

                                                      unread,
                                                      Nov 26, 2025, 6:17:00 PM (3 days ago) Nov 26
                                                      to Filippo Valsorda, Daniel Morsing, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
                                                      Attention needed from Daniel Morsing, Keith Randall, Michael Knyszek and Roland Shoemaker

                                                      Filippo Valsorda uploaded new patchset

                                                      Filippo Valsorda uploaded patch set #46 to the change originally created by Daniel Morsing.
                                                      Following approvals got outdated and were removed:
                                                      • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
                                                      Open in Gerrit

                                                      Related details

                                                      Attention is currently required from:
                                                      • Daniel Morsing
                                                      • Keith Randall
                                                      • Michael Knyszek
                                                      • Roland Shoemaker
                                                      Submit Requirements:
                                                      • requirement satisfiedCode-Review
                                                      • requirement satisfiedNo-Unresolved-Comments
                                                      • requirement satisfiedReview-Enforcement
                                                      • requirement is not satisfiedTryBots-Pass
                                                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                      Gerrit-MessageType: newpatchset
                                                      satisfied_requirement
                                                      unsatisfied_requirement
                                                      open
                                                      diffy

                                                      Gopher Robot (Gerrit)

                                                      unread,
                                                      Nov 26, 2025, 6:43:00 PM (3 days ago) Nov 26
                                                      to Daniel Morsing, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, Filippo Valsorda, Roland Shoemaker, Cherry Mui, Dmitri Shuralyov, Michael Knyszek, Michael Matloob, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com

                                                      Gopher Robot submitted the change with unreviewed changes

                                                      Unreviewed changes

                                                      45 is the latest approved patch-set.
                                                      The change was submitted with unreviewed changes in the following files:

                                                      ```
                                                      The name of the file: src/runtime/proc.go
                                                      Insertions: 1, Deletions: 0.

                                                      The diff is too large to show. Please review the diff.
                                                      ```

                                                      Change information

                                                      Commit message:
                                                      runtime/secret: implement new secret package

                                                      Implement secret.Do.

                                                      - When secret.Do returns:
                                                      - Clear stack that is used by the argument function.
                                                      - Clear all the registers that might contain secrets.
                                                      - On stack growth in secret mode, clear the old stack.
                                                      - When objects are allocated in secret mode, mark them and then zero
                                                      the marked objects immediately when they are freed.
                                                      - If the argument function panics, raise that panic as if it originated
                                                      from secret.Do. This removes anything about the secret function
                                                      from tracebacks.

                                                      For now, this is only implemented on linux for arm64 and amd64.

                                                      This is a rebased version of Keith Randalls initial implementation at
                                                      CL 600635. I have added arm64 support, signal handling, preemption
                                                      handling and dealt with vDSOs spilling into system stacks.

                                                      Fixes #21865
                                                      Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                      Co-authored-by: Keith Randall <k...@golang.org>
                                                      Reviewed-by: Roland Shoemaker <rol...@golang.org>
                                                      Auto-Submit: Filippo Valsorda <fil...@golang.org>
                                                      Reviewed-by: Cherry Mui <cher...@google.com>
                                                      Files:
                                                      • A doc/next/6-stdlib/1-secret.md
                                                      • M src/cmd/dist/test.go
                                                      • M src/go/build/deps_test.go
                                                      • A src/internal/goexperiment/exp_runtimesecret_off.go
                                                      • A src/internal/goexperiment/exp_runtimesecret_on.go
                                                      • M src/internal/goexperiment/flags.go
                                                      • M src/runtime/_mkmalloc/mkmalloc.go
                                                      • M src/runtime/asm_amd64.s
                                                      • M src/runtime/asm_arm64.s
                                                      • M src/runtime/malloc.go
                                                      • M src/runtime/malloc_generated.go
                                                      • M src/runtime/malloc_stubs.go
                                                      • M src/runtime/mgc.go
                                                      • M src/runtime/mheap.go
                                                      • M src/runtime/preempt.go
                                                      • M src/runtime/proc.go
                                                      • M src/runtime/runtime2.go
                                                      • A src/runtime/secret.go
                                                      • A src/runtime/secret/asm_amd64.s
                                                      • A src/runtime/secret/asm_arm64.s
                                                      • A src/runtime/secret/crash_test.go
                                                      • A src/runtime/secret/export.go
                                                      • A src/runtime/secret/secret.go
                                                      • A src/runtime/secret/secret_test.go
                                                      • A src/runtime/secret/stubs.go
                                                      • A src/runtime/secret/stubs_noasm.go
                                                      • A src/runtime/secret/testdata/crash.go
                                                      • A src/runtime/secret_amd64.s
                                                      • A src/runtime/secret_arm64.s
                                                      • A src/runtime/secret_asm.go
                                                      • A src/runtime/secret_noasm.go
                                                      • A src/runtime/secret_nosecret.go
                                                      • M src/runtime/signal_linux_amd64.go
                                                      • M src/runtime/signal_linux_arm64.go
                                                      • M src/runtime/signal_unix.go
                                                      • M src/runtime/sizeof_test.go
                                                      • M src/runtime/stack.go
                                                      • M src/runtime/sys_linux_amd64.s
                                                      • M src/runtime/sys_linux_arm64.s
                                                      • M src/runtime/time_linux_amd64.s
                                                      • M src/runtime/vgetrandom_linux.go
                                                      • M src/syscall/asm_linux_amd64.s
                                                      Change size: XL
                                                      Delta: 42 files changed, 3170 insertions(+), 21 deletions(-)
                                                      Branch: refs/heads/master
                                                      Submit Requirements:
                                                      • requirement satisfiedCode-Review: +2 by Cherry Mui, +1 by Roland Shoemaker
                                                      • requirement satisfiedTryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
                                                      Open in Gerrit
                                                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                      Gerrit-MessageType: merged
                                                      Gerrit-Project: go
                                                      Gerrit-Branch: master
                                                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                      Gerrit-Change-Number: 704615
                                                      Gerrit-PatchSet: 47
                                                      Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                                      Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
                                                      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
                                                      open
                                                      diffy
                                                      satisfied_requirement

                                                      David Chase (Gerrit)

                                                      unread,
                                                      Nov 27, 2025, 12:37:56 AM (3 days ago) Nov 27
                                                      to Gopher Robot, Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, Roland Shoemaker, Cherry Mui, Dmitri Shuralyov, Michael Matloob, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com

                                                      David Chase has created a revert of this change

                                                      Related details

                                                      Attention set is empty
                                                      Submit Requirements:
                                                      • requirement satisfiedCode-Review
                                                      • requirement satisfiedNo-Unresolved-Comments
                                                      • requirement satisfiedReview-Enforcement
                                                      • requirement satisfiedTryBots-Pass
                                                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                      Gerrit-MessageType: revert
                                                      satisfied_requirement
                                                      open
                                                      diffy

                                                      David Chase (Gerrit)

                                                      unread,
                                                      Nov 27, 2025, 1:01:34 AM (3 days ago) Nov 27
                                                      to Gopher Robot, Daniel Morsing, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, Roland Shoemaker, Cherry Mui, Dmitri Shuralyov, Michael Matloob, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com

                                                      David Chase voted and added 1 comment

                                                      Votes added by David Chase

                                                      Commit-Queue+1

                                                      1 comment

                                                      Patchset-level comments
                                                      File-level comment, Patchset 47 (Latest):
                                                      David Chase . unresolved

                                                      This breaks amd64 linux longtest, specifically

                                                      cmd/cgo/internal/testshared$ go test -run TestStd .

                                                      There is a revert created, that depends on the revert of another CL.

                                                      Open in Gerrit

                                                      Related details

                                                      Attention set is empty
                                                      Submit Requirements:
                                                      • requirement satisfiedCode-Review
                                                      • requirement satisfiedNo-Unresolved-Comments
                                                      • requirement satisfiedReview-Enforcement
                                                      • requirement satisfiedTryBots-Pass
                                                      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
                                                      Gerrit-MessageType: comment
                                                      Gerrit-Project: go
                                                      Gerrit-Branch: master
                                                      Gerrit-Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
                                                      Gerrit-Change-Number: 704615
                                                      Gerrit-PatchSet: 47
                                                      Gerrit-Owner: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
                                                      Gerrit-Reviewer: Daniel Morsing <daniel....@gmail.com>
                                                      Gerrit-Reviewer: David Chase <drc...@google.com>
                                                      Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
                                                      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
                                                      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
                                                      Gerrit-CC: Austin Clements <aus...@google.com>
                                                      Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
                                                      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
                                                      Gerrit-CC: Keith Randall <k...@golang.org>
                                                      Gerrit-CC: Michael Knyszek <mkny...@google.com>
                                                      Gerrit-CC: Michael Matloob <mat...@golang.org>
                                                      Gerrit-Comment-Date: Thu, 27 Nov 2025 06:01:29 +0000
                                                      Gerrit-HasComments: Yes
                                                      Gerrit-Has-Labels: Yes
                                                      satisfied_requirement
                                                      open
                                                      diffy

                                                      Daniel Morsing (Gerrit)

                                                      unread,
                                                      Nov 27, 2025, 2:31:39 AM (3 days ago) Nov 27
                                                      to Gopher Robot, goph...@pubsubhelper.golang.org, David Chase, Go LUCI, Filippo Valsorda, Roland Shoemaker, Cherry Mui, Dmitri Shuralyov, Michael Matloob, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com

                                                      Daniel Morsing added 1 comment

                                                      Patchset-level comments
                                                      David Chase . resolved

                                                      This breaks amd64 linux longtest, specifically

                                                      cmd/cgo/internal/testshared$ go test -run TestStd .

                                                      There is a revert created, that depends on the revert of another CL.

                                                      Daniel Morsing

                                                      I have a fix up at CL 724001

                                                      Gerrit-Comment-Date: Thu, 27 Nov 2025 07:31:31 +0000
                                                      Gerrit-HasComments: Yes
                                                      Gerrit-Has-Labels: No
                                                      Comment-In-Reply-To: David Chase <drc...@google.com>
                                                      satisfied_requirement
                                                      open
                                                      diffy

                                                      Ian Lance Taylor (Gerrit)

                                                      unread,
                                                      Nov 28, 2025, 1:39:02 AM (yesterday) Nov 28
                                                      to Gopher Robot, Daniel Morsing, goph...@pubsubhelper.golang.org, David Chase, Go LUCI, Filippo Valsorda, Roland Shoemaker, Cherry Mui, Dmitri Shuralyov, Michael Matloob, Keith Randall, Austin Clements, Ian Lance Taylor, golang-co...@googlegroups.com

                                                      Ian Lance Taylor added 1 comment

                                                      Patchset-level comments
                                                      Ian Lance Taylor . resolved

                                                      Bsaed on the build dashboard, this appears to have caused https://go.dev/issue/76586, a failure on the gotip-linux-amd64-asan-clang15 builder.

                                                      Gerrit-Comment-Date: Fri, 28 Nov 2025 06:38:57 +0000
                                                      Gerrit-HasComments: Yes
                                                      Gerrit-Has-Labels: No
                                                      satisfied_requirement
                                                      open
                                                      diffy
                                                      Reply all
                                                      Reply to author
                                                      Forward
                                                      0 new messages