Wot Update 1.20

Charise Zelnick

Aug 3, 2024, 6:08:59 PM
to lectmonmota

The latest Go release, version 1.20, arrives six months after Go 1.19. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before.

The specification now defines that struct values are compared one field at a time, considering fields in the order they appear in the struct type definition, and stopping at the first mismatch. The specification could previously have been read as if all fields needed to be compared beyond the first mismatch. Similarly, the specification now defines that array values are compared one element at a time, in increasing index order. In both cases, the difference affects whether certain comparisons must panic. Existing programs are unchanged: the new spec wording describes what the implementations have always done.

Comparable types (such as ordinary interfaces) may now satisfy comparable constraints, even if the type arguments are not strictly comparable (comparison may panic at runtime). This makes it possible to instantiate a type parameter constrained by comparable (e.g., a type parameter for a user-defined generic map key) with a non-strictly comparable type argument such as an interface type, or a composite type containing an interface type.

The directory $GOROOT/pkg no longer stores pre-compiled package archives for the standard library: go install no longer writes them, go build no longer checks for them, and the Go distribution no longer ships them. Instead, packages in the standard library are built as needed and cached in the build cache, just like packages outside GOROOT. This change reduces the size of the Go distribution and also avoids C toolchain skew for packages that use cgo.

The implementation of go test -json has been improved to make it more robust. Programs that run go test -json do not need any updates. Programs that invoke go tool test2json directly should now run the test binary with -v=test2json (for example, go test -v=test2json or ./pkg.test -test.v=test2json) instead of plain -v.

The go command now defines architecture feature build tags, such as amd64.v2, to allow selecting a package implementation file based on the presence or absence of a particular architecture feature. See go help buildconstraint for details.

When the main module is located within GOPATH/src, go install no longer installs libraries for non-main packages to GOPATH/pkg, and go list no longer reports a Target field for such packages. (In module mode, compiled packages are stored in the build cache only, but a bug had caused the GOPATH install targets to unexpectedly remain in effect.)

The go build, go install, and other build-related commands now support a -cover flag that builds the specified target with code coverage instrumentation. This is described in more detail in the Cover section below.

The go command now disables cgo by default on systems without a C toolchain. More specifically, when the CGO_ENABLED environment variable is unset, the CC environment variable is unset, and the default C compiler (typically clang or gcc) is not found in the path, CGO_ENABLED defaults to 0. As always, you can override the default by setting CGO_ENABLED explicitly.

The most important effect of the default change is that when Go is installed on a system without a C compiler, it will now use pure Go builds for packages in the standard library that use cgo, instead of using pre-distributed package archives (which have been removed, as noted above) or attempting to use cgo and failing. This makes Go work better in some minimal container environments as well as on macOS, where pre-distributed package archives have not been used for cgo-based packages since Go 1.16.

The packages in the standard library that use cgo are net, os/user, and plugin. On macOS, the net and os/user packages have been rewritten not to use cgo: the same code is now used for cgo and non-cgo builds as well as cross-compiled builds. On Windows, the net and os/user packages have never used cgo. On other systems, builds with cgo disabled will use a pure Go version of these packages.

On macOS, the race detector has been rewritten not to use cgo: race-detector-enabled programs can be built and run without Xcode. On Linux and other Unix systems, and on Windows, a host C toolchain is required to use the race detector.

The vet tool now reports references to loop variables following a call to T.Parallel() within subtest function bodies. Such references may observe the value of the variable from a different iteration (typically causing test cases to be skipped) or an invalid state due to unsynchronized concurrent access.

The tool also detects reference mistakes in more places. Previously it would only consider the last statement of the loop body, but now it recursively inspects the last statements within if, switch, and select statements.

The vet tool now reports use of the time format 2006-02-01 (yyyy-dd-mm) with Time.Format and time.Parse. This format does not appear in common date standards, but is frequently used by mistake when attempting to use the ISO 8601 date format (yyyy-mm-dd).

Go 1.18 and 1.19 saw regressions in build speed, largely due to the addition of support for generics and follow-on work. Go 1.20 improves build speeds by up to 10%, bringing it back in line with Go 1.17. Relative to Go 1.19, generated code performance is also generally slightly improved.

Go 1.20 uses go: and type: prefixes for compiler-generated symbols rather than go. and type.. This avoids confusion for user packages whose name starts with go.. The debug/gosym package understands this new naming convention for binaries built with Go 1.20 and newer.

The ResponseController type provides a clearer, more discoverable way to add per-handler controls. Two such controls also added in Go 1.20 are SetReadDeadline and SetWriteDeadline, which allow setting per-request read and write deadlines. For example:

The Rewrite hook accepts a ProxyRequest parameter, which includes both the inbound request received by the proxy and the outbound request that it will send. Unlike Director hooks, which only operate on the outbound request, this permits Rewrite hooks to avoid certain scenarios where a malicious inbound request may cause headers added by the hook to be removed before forwarding. See issue #50580.

The ProxyRequest.SetURL method routes the outbound request to a provided destination and supersedes the NewSingleHostReverseProxy function. Unlike NewSingleHostReverseProxy, SetURL also sets the Host header of the outbound request.

When the GODEBUG=tarinsecurepath=0 environment variable is set, the Reader.Next method will now return the error ErrInsecurePath for an entry with a file name that is an absolute path, refers to a location outside the current directory, contains invalid characters, or (on Windows) is a reserved name such as NUL. A future version of Go may disable insecure paths by default.

When the GODEBUG=zipinsecurepath=0 environment variable is set, NewReader will now return the error ErrInsecurePath when opening an archive which contains any file name that is an absolute path, refers to a location outside the current directory, contains invalid characters, or (on Windows) is a reserved name such as NUL. A future version of Go may disable insecure paths by default.

Reading from a directory file that contains file data will now return an error. The zip specification does not permit directory files to contain file data, so this change only affects reading from invalid archives.

The PrivateKey.Sign method and the VerifyWithOptions function now support signing pre-hashed messages with Ed25519ph, indicated by an Options.HashFunc that returns crypto.SHA512. They also now support Ed25519ctx and Ed25519ph with context, indicated by setting the new Options.Context field.

crypto/rsa now uses a new, safer, constant-time backend. This causes a CPU runtime increase for decryption operations between approximately 15% (RSA-2048 on amd64) and 45% (RSA-4096 on arm64), and more on 32-bit architectures. Encryption operations are approximately 20x slower than before (but still 5-10x faster than decryption). Performance is expected to improve in future releases. Programs must not modify or manually generate the fields of PrecomputedValues.

Parsed certificates are now shared across all clients actively using that certificate. The memory savings can be significant in programs that make many concurrent connections to a server or collection of servers sharing any part of their certificate chains.

ParsePKCS8PrivateKey and MarshalPKCS8PrivateKey now support keys of type *crypto/ecdh.PrivateKey. ParsePKIXPublicKey and MarshalPKIXPublicKey now support keys of type *crypto/ecdh.PublicKey. Parsing NIST curve keys still returns values of type *ecdsa.PublicKey and *ecdsa.PrivateKey. Use their new ECDH methods to convert to the crypto/ecdh types.

The new SetFallbackRoots function allows a program to define a set of fallback root certificates in case an operating system verifier or standard platform root bundle is unavailable at runtime. It will most commonly be used with a new package, golang.org/x/crypto/x509roots/fallback, which will provide an up to date root bundle.

The math/rand package now automatically seeds the global random number generator (used by top-level functions like Float64 and Int) with a random value, and the top-level Seed function has been deprecated. Programs that need a reproducible sequence of random numbers should prefer to allocate their own random source, using rand.New(rand.NewSource(seed)).

In Go 1.19.8 and later, this package limits the size of the MIME data it processes to protect against malicious inputs. Reader.NextPart and Reader.NextRawPart limit the number of headers in a part to 10000 and Reader.ReadForm limits the total number of headers in all FileHeaders to 10000. These limits may be adjusted with the GODEBUG=multipartmaxheaders setting. Reader.ReadForm further limits the number of parts in a form to 1000. This limit may be adjusted with the GODEBUG=multipartmaxparts setting.

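An added example for the archive/tar paragraph above (not part of the original post or of the Go release notes): an extractor-side check that refuses non-local entry names whether or not GODEBUG=tarinsecurepath=0 is set. The function names and the sample entry names are constructed for illustration; filepath.IsLocal is the standard-library helper introduced in the same release.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
)

// buildArchive returns an in-memory tar with empty files under the given
// constructed entry names.
func buildArchive(names []string) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range names {
		if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0o600}); err != nil {
			return nil, err
		}
	}
	err := tw.Close()
	return buf.Bytes(), err
}

// rejectedEntries returns the entry names an extractor should refuse to write.
func rejectedEntries(archive []byte) ([]string, error) {
	var bad []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		}
		// With GODEBUG=tarinsecurepath=0, Next returns the header together
		// with ErrInsecurePath; any other error is a real read failure.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return bad, err
		}
		// Explicit check, so the result does not depend on GODEBUG.
		if err != nil || !filepath.IsLocal(hdr.Name) {
			bad = append(bad, hdr.Name)
		}
	}
}

func main() {
	names := []string{"docs/readme.txt", "../outside.txt", "/abs/file.txt"} // constructed
	archive, _ := buildArchive(names)
	fmt.Println(rejectedEntries(archive))
}
```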
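An added example for the Rewrite and ProxyRequest.SetURL paragraphs above (not part of the original post): the same constructed inbound request is sent through a Rewrite-based proxy and through NewSingleHostReverseProxy, and a stand-in transport records what each would forward. The host names, the X-Proxy-Tag header and the capture type are hypothetical; the example also shows that a client-supplied X-Forwarded-For is dropped before Rewrite runs, which is documented net/http/httputil behaviour rather than something the post states.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// capture is a stand-in transport that records what the proxy would send.
type capture struct{ Host, Tag, XFF string }

func (c *capture) RoundTrip(r *http.Request) (*http.Response, error) {
	c.Host = r.Host
	if c.Host == "" {
		c.Host = r.URL.Host // net/http sends URL.Host when Request.Host is empty
	}
	c.Tag = r.Header.Get("X-Proxy-Tag")
	c.XFF = r.Header.Get("X-Forwarded-For")
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{}, Body: http.NoBody}, nil
}

// outboundView proxies one constructed request and returns the outbound view.
func outboundView(useRewrite bool) capture {
	target, _ := url.Parse("http://backend.internal:8080") // hypothetical upstream
	proxy := httputil.NewSingleHostReverseProxy(target)
	if useRewrite {
		proxy = &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(target)                          // route and set the outbound Host
			pr.SetXForwarded()                         // rebuild X-Forwarded-* from the real peer
			pr.Out.Header.Set("X-Proxy-Tag", "edge-1") // hypothetical hook-added header
		}}
	}
	seen := &capture{}
	proxy.Transport = seen
	in := httptest.NewRequest("GET", "http://front.example/app", nil)
	in.Header.Set("X-Forwarded-For", "203.0.113.9") // client-supplied value
	proxy.ServeHTTP(httptest.NewRecorder(), in)
	return *seen
}

func main() {
	fmt.Printf("Rewrite+SetURL: %+v\n", outboundView(true))
	fmt.Printf("Director:       %+v\n", outboundView(false))
}
```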
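An added example for the Ed25519ph paragraph above (not part of the original post): signing a SHA-512 digest with a context string, then checking that the signature verifies only under the same context and not as a plain Ed25519 signature. The helper names, the context strings and the sample message are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// phOptions selects Ed25519ph (pre-hashed with SHA-512) bound to a context.
func phOptions(context string) *ed25519.Options {
	return &ed25519.Options{Hash: crypto.SHA512, Context: context}
}

// signPrehashed signs SHA-512(msg) rather than msg itself.
func signPrehashed(priv ed25519.PrivateKey, msg []byte, context string) ([]byte, error) {
	digest := sha512.Sum512(msg)
	return priv.Sign(rand.Reader, digest[:], phOptions(context))
}

// verifyPrehashed returns nil only if sig was made over SHA-512(msg)
// with Ed25519ph and the same context string.
func verifyPrehashed(pub ed25519.PublicKey, msg, sig []byte, context string) error {
	digest := sha512.Sum512(msg)
	return ed25519.VerifyWithOptions(pub, digest[:], sig, phOptions(context))
}

// contextCheck reports whether one signature verifies under the signing
// context, under a different context, and as a plain Ed25519 signature.
func contextCheck() (sameCtx, otherCtx, plain bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("constructed sample: release-artifact v0.0.0")
	sig, err := signPrehashed(priv, msg, "example.org/release-signing")
	if err != nil {
		return false, false, false, err
	}
	sameCtx = verifyPrehashed(pub, msg, sig, "example.org/release-signing") == nil
	otherCtx = verifyPrehashed(pub, msg, sig, "example.org/login-token") == nil
	plain = ed25519.Verify(pub, msg, sig)
	return sameCtx, otherCtx, plain, nil
}

func main() {
	fmt.Println(contextCheck())
}
```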