From ce68047f96c8a35d2c3598a41efbc749964e6b1c Mon Sep 17 00:00:00 2001
From: Keith Randall <khr@google.com>
Date: Tue, 13 Feb 2018 12:33:55 -0800
Subject: [release-branch.go1.9] cmd/compile: fix constant folding of right
 shifts

The sub-word shifts need to sign-extend before shifting, to avoid
bringing in data from higher in the argument.

Fixes #23812

Change-Id: I0a95a0b49c48f3b40b85765bb4a9bb492be0cd73
Reviewed-on: https://go-review.googlesource.com/93716
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Reviewed-on: https://go-review.googlesource.com/102775
Run-TryBot: Andrew Bonventre <andybons@golang.org>
---
 src/cmd/compile/internal/ssa/gen/AMD64.rules |  6 ++---
 src/cmd/compile/internal/ssa/gen/AMD64Ops.go | 24 ++++++++++----------
 src/cmd/compile/internal/ssa/rewriteAMD64.go | 12 +++++-----
 test/fixedbugs/issue23812.go                 | 34 ++++++++++++++++++++++++++++
 4 files changed, 55 insertions(+), 21 deletions(-)
 create mode 100644 test/fixedbugs/issue23812.go

diff --git a/src/cmd/compile/internal/ssa/gen/AMD64.rules b/src/cmd/compile/internal/ssa/gen/AMD64.rules
index ff38be550e..89d082ac7f 100644
--- a/src/cmd/compile/internal/ssa/gen/AMD64.rules
+++ b/src/cmd/compile/internal/ssa/gen/AMD64.rules
@@ -1499,9 +1499,9 @@
 (SUBQconst (MOVQconst [d]) [c]) -> (MOVQconst [d-c])
 (SUBQconst (SUBQconst x [d]) [c]) && is32Bit(-c-d) -> (ADDQconst [-c-d] x)
 (SARQconst [c] (MOVQconst [d])) -> (MOVQconst [d>>uint64(c)])
-(SARLconst [c] (MOVQconst [d])) -> (MOVQconst [d>>uint64(c)])
-(SARWconst [c] (MOVQconst [d])) -> (MOVQconst [d>>uint64(c)])
-(SARBconst [c] (MOVQconst [d])) -> (MOVQconst [d>>uint64(c)])
+(SARLconst [c] (MOVQconst [d])) -> (MOVQconst [int64(int32(d))>>uint64(c)])
+(SARWconst [c] (MOVQconst [d])) -> (MOVQconst [int64(int16(d))>>uint64(c)])
+(SARBconst [c] (MOVQconst [d])) -> (MOVQconst [int64(int8(d))>>uint64(c)])
 (NEGQ (MOVQconst [c])) -> (MOVQconst [-c])
 (NEGL (MOVLconst [c])) -> (MOVLconst [int64(int32(-c))])
 (MULQconst [c] (MOVQconst [d])) -> (MOVQconst [c*d])
diff --git a/src/cmd/compile/internal/ssa/gen/AMD64Ops.go b/src/cmd/compile/internal/ssa/gen/AMD64Ops.go
index c984cbfb12..12757a7d5a 100644
--- a/src/cmd/compile/internal/ssa/gen/AMD64Ops.go
+++ b/src/cmd/compile/internal/ssa/gen/AMD64Ops.go
@@ -268,22 +268,22 @@ func init() {
 		// Note: x86 is weird, the 16 and 8 byte shifts still use all 5 bits of shift amount!
 
 		{name: "SHRQ", argLength: 2, reg: gp21shift, asm: "SHRQ", resultInArg0: true, clobberFlags: true},              // unsigned arg0 >> arg1, shift amount is mod 64
-		{name: "SHRL", argLength: 2, reg: gp21shift, asm: "SHRL", resultInArg0: true, clobberFlags: true},              // unsigned arg0 >> arg1, shift amount is mod 32
-		{name: "SHRW", argLength: 2, reg: gp21shift, asm: "SHRW", resultInArg0: true, clobberFlags: true},              // unsigned arg0 >> arg1, shift amount is mod 32
-		{name: "SHRB", argLength: 2, reg: gp21shift, asm: "SHRB", resultInArg0: true, clobberFlags: true},              // unsigned arg0 >> arg1, shift amount is mod 32
+		{name: "SHRL", argLength: 2, reg: gp21shift, asm: "SHRL", resultInArg0: true, clobberFlags: true},              // unsigned uint32(arg0) >> arg1, shift amount is mod 32
+		{name: "SHRW", argLength: 2, reg: gp21shift, asm: "SHRW", resultInArg0: true, clobberFlags: true},              // unsigned uint16(arg0) >> arg1, shift amount is mod 32
+		{name: "SHRB", argLength: 2, reg: gp21shift, asm: "SHRB", resultInArg0: true, clobberFlags: true},              // unsigned uint8(arg0) >> arg1, shift amount is mod 32
 		{name: "SHRQconst", argLength: 1, reg: gp11, asm: "SHRQ", aux: "Int8", resultInArg0: true, clobberFlags: true}, // unsigned arg0 >> auxint, shift amount 0-63
-		{name: "SHRLconst", argLength: 1, reg: gp11, asm: "SHRL", aux: "Int8", resultInArg0: true, clobberFlags: true}, // unsigned arg0 >> auxint, shift amount 0-31
-		{name: "SHRWconst", argLength: 1, reg: gp11, asm: "SHRW", aux: "Int8", resultInArg0: true, clobberFlags: true}, // unsigned arg0 >> auxint, shift amount 0-15
-		{name: "SHRBconst", argLength: 1, reg: gp11, asm: "SHRB", aux: "Int8", resultInArg0: true, clobberFlags: true}, // unsigned arg0 >> auxint, shift amount 0-7
+		{name: "SHRLconst", argLength: 1, reg: gp11, asm: "SHRL", aux: "Int8", resultInArg0: true, clobberFlags: true}, // unsigned uint32(arg0) >> auxint, shift amount 0-31
+		{name: "SHRWconst", argLength: 1, reg: gp11, asm: "SHRW", aux: "Int8", resultInArg0: true, clobberFlags: true}, // unsigned uint16(arg0) >> auxint, shift amount 0-15
+		{name: "SHRBconst", argLength: 1, reg: gp11, asm: "SHRB", aux: "Int8", resultInArg0: true, clobberFlags: true}, // unsigned uint8(arg0) >> auxint, shift amount 0-7
 
 		{name: "SARQ", argLength: 2, reg: gp21shift, asm: "SARQ", resultInArg0: true, clobberFlags: true},              // signed arg0 >> arg1, shift amount is mod 64
-		{name: "SARL", argLength: 2, reg: gp21shift, asm: "SARL", resultInArg0: true, clobberFlags: true},              // signed arg0 >> arg1, shift amount is mod 32
-		{name: "SARW", argLength: 2, reg: gp21shift, asm: "SARW", resultInArg0: true, clobberFlags: true},              // signed arg0 >> arg1, shift amount is mod 32
-		{name: "SARB", argLength: 2, reg: gp21shift, asm: "SARB", resultInArg0: true, clobberFlags: true},              // signed arg0 >> arg1, shift amount is mod 32
+		{name: "SARL", argLength: 2, reg: gp21shift, asm: "SARL", resultInArg0: true, clobberFlags: true},              // signed int32(arg0) >> arg1, shift amount is mod 32
+		{name: "SARW", argLength: 2, reg: gp21shift, asm: "SARW", resultInArg0: true, clobberFlags: true},              // signed int16(arg0) >> arg1, shift amount is mod 32
+		{name: "SARB", argLength: 2, reg: gp21shift, asm: "SARB", resultInArg0: true, clobberFlags: true},              // signed int8(arg0) >> arg1, shift amount is mod 32
 		{name: "SARQconst", argLength: 1, reg: gp11, asm: "SARQ", aux: "Int8", resultInArg0: true, clobberFlags: true}, // signed arg0 >> auxint, shift amount 0-63
-		{name: "SARLconst", argLength: 1, reg: gp11, asm: "SARL", aux: "Int8", resultInArg0: true, clobberFlags: true}, // signed arg0 >> auxint, shift amount 0-31
-		{name: "SARWconst", argLength: 1, reg: gp11, asm: "SARW", aux: "Int8", resultInArg0: true, clobberFlags: true}, // signed arg0 >> auxint, shift amount 0-15
-		{name: "SARBconst", argLength: 1, reg: gp11, asm: "SARB", aux: "Int8", resultInArg0: true, clobberFlags: true}, // signed arg0 >> auxint, shift amount 0-7
+		{name: "SARLconst", argLength: 1, reg: gp11, asm: "SARL", aux: "Int8", resultInArg0: true, clobberFlags: true}, // signed int32(arg0) >> auxint, shift amount 0-31
+		{name: "SARWconst", argLength: 1, reg: gp11, asm: "SARW", aux: "Int8", resultInArg0: true, clobberFlags: true}, // signed int16(arg0) >> auxint, shift amount 0-15
+		{name: "SARBconst", argLength: 1, reg: gp11, asm: "SARB", aux: "Int8", resultInArg0: true, clobberFlags: true}, // signed int8(arg0) >> auxint, shift amount 0-7
 
 		{name: "ROLQ", argLength: 2, reg: gp21shift, asm: "ROLQ", resultInArg0: true, clobberFlags: true},              // arg0 rotate left arg1 bits.
 		{name: "ROLL", argLength: 2, reg: gp21shift, asm: "ROLL", resultInArg0: true, clobberFlags: true},              // arg0 rotate left arg1 bits.
diff --git a/src/cmd/compile/internal/ssa/rewriteAMD64.go b/src/cmd/compile/internal/ssa/rewriteAMD64.go
index 9213616f83..379ea55b88 100644
--- a/src/cmd/compile/internal/ssa/rewriteAMD64.go
+++ b/src/cmd/compile/internal/ssa/rewriteAMD64.go
@@ -33234,7 +33234,7 @@ func rewriteValueAMD64_OpAMD64SARBconst_0(v *Value) bool {
 	}
 	// match: (SARBconst [c] (MOVQconst [d]))
 	// cond:
-	// result: (MOVQconst [d>>uint64(c)])
+	// result: (MOVQconst [int64(int8(d))>>uint64(c)])
 	for {
 		c := v.AuxInt
 		v_0 := v.Args[0]
@@ -33243,7 +33243,7 @@ func rewriteValueAMD64_OpAMD64SARBconst_0(v *Value) bool {
 		}
 		d := v_0.AuxInt
 		v.reset(OpAMD64MOVQconst)
-		v.AuxInt = d >> uint64(c)
+		v.AuxInt = int64(int8(d)) >> uint64(c)
 		return true
 	}
 	return false
@@ -33489,7 +33489,7 @@ func rewriteValueAMD64_OpAMD64SARLconst_0(v *Value) bool {
 	}
 	// match: (SARLconst [c] (MOVQconst [d]))
 	// cond:
-	// result: (MOVQconst [d>>uint64(c)])
+	// result: (MOVQconst [int64(int32(d))>>uint64(c)])
 	for {
 		c := v.AuxInt
 		v_0 := v.Args[0]
@@ -33498,7 +33498,7 @@ func rewriteValueAMD64_OpAMD64SARLconst_0(v *Value) bool {
 		}
 		d := v_0.AuxInt
 		v.reset(OpAMD64MOVQconst)
-		v.AuxInt = d >> uint64(c)
+		v.AuxInt = int64(int32(d)) >> uint64(c)
 		return true
 	}
 	return false
@@ -33809,7 +33809,7 @@ func rewriteValueAMD64_OpAMD64SARWconst_0(v *Value) bool {
 	}
 	// match: (SARWconst [c] (MOVQconst [d]))
 	// cond:
-	// result: (MOVQconst [d>>uint64(c)])
+	// result: (MOVQconst [int64(int16(d))>>uint64(c)])
 	for {
 		c := v.AuxInt
 		v_0 := v.Args[0]
@@ -33818,7 +33818,7 @@ func rewriteValueAMD64_OpAMD64SARWconst_0(v *Value) bool {
 		}
 		d := v_0.AuxInt
 		v.reset(OpAMD64MOVQconst)
-		v.AuxInt = d >> uint64(c)
+		v.AuxInt = int64(int16(d)) >> uint64(c)
 		return true
 	}
 	return false
diff --git a/test/fixedbugs/issue23812.go b/test/fixedbugs/issue23812.go
new file mode 100644
index 0000000000..0a40deb212
--- /dev/null
+++ b/test/fixedbugs/issue23812.go
@@ -0,0 +1,34 @@
+// run
+
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import "fmt"
+
+func main() {
+	want := int32(0x3edae8)
+	got := foo(1)
+	if want != got {
+		panic(fmt.Sprintf("want %x, got %x", want, got))
+	}
+}
+
+func foo(a int32) int32 {
+	return shr1(int32(shr2(int64(0x14ff6e2207db5d1f), int(a))), 4)
+}
+
+func shr1(n int32, m int) int32 { return n >> uint(m) }
+
+func shr2(n int64, m int) int64 {
+	if m < 0 {
+		m = -m
+	}
+	if m >= 64 {
+		return n
+	}
+
+	return n >> uint(m)
+}
-- 
cgit v1.2.3-54-g00ecf


From 7467b006914721db65b39c26c626be5e693448f0 Mon Sep 17 00:00:00 2001
From: Keith Randall <khr@google.com>
Date: Wed, 14 Feb 2018 14:21:31 -0800
Subject: [release-branch.go1.9] cmd/compile: fix constant folding of right
 shifts on s390x

Repeat previous fix on amd64 for s390x.
Sub-word right shifts should sign extend before shifting.

Update #23812

Change-Id: I2d770190c7d8a22310b0dbd9facb3fb05afa362a
Reviewed-on: https://go-review.googlesource.com/94028
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/102777
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Keith Randall <khr@golang.org>
---
 src/cmd/compile/internal/ssa/gen/S390X.rules | 2 +-
 src/cmd/compile/internal/ssa/gen/S390XOps.go | 8 ++++----
 src/cmd/compile/internal/ssa/rewriteS390X.go | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/cmd/compile/internal/ssa/gen/S390X.rules b/src/cmd/compile/internal/ssa/gen/S390X.rules
index 8a627e75f5..e1c1bd6a0f 100644
--- a/src/cmd/compile/internal/ssa/gen/S390X.rules
+++ b/src/cmd/compile/internal/ssa/gen/S390X.rules
@@ -978,7 +978,7 @@
 (SUBconst (MOVDconst [d]) [c]) -> (MOVDconst [d-c])
 (SUBconst (SUBconst x [d]) [c]) && is32Bit(-c-d) -> (ADDconst [-c-d] x)
 (SRADconst [c] (MOVDconst [d])) -> (MOVDconst [d>>uint64(c)])
-(SRAWconst [c] (MOVDconst [d])) -> (MOVDconst [d>>uint64(c)])
+(SRAWconst [c] (MOVDconst [d])) -> (MOVDconst [int64(int32(d))>>uint64(c)])
 (NEG (MOVDconst [c])) -> (MOVDconst [-c])
 (NEGW (MOVDconst [c])) -> (MOVDconst [int64(int32(-c))])
 (MULLDconst [c] (MOVDconst [d])) -> (MOVDconst [c*d])
diff --git a/src/cmd/compile/internal/ssa/gen/S390XOps.go b/src/cmd/compile/internal/ssa/gen/S390XOps.go
index 2a08a276d9..9f74a11b86 100644
--- a/src/cmd/compile/internal/ssa/gen/S390XOps.go
+++ b/src/cmd/compile/internal/ssa/gen/S390XOps.go
@@ -295,15 +295,15 @@ func init() {
 		{name: "SLWconst", argLength: 1, reg: gp11, asm: "SLW", aux: "Int8"}, // arg0 << auxint, shift amount 0-31
 
 		{name: "SRD", argLength: 2, reg: sh21, asm: "SRD"},                   // unsigned arg0 >> arg1, shift amount is mod 64
-		{name: "SRW", argLength: 2, reg: sh21, asm: "SRW"},                   // unsigned arg0 >> arg1, shift amount is mod 32
+		{name: "SRW", argLength: 2, reg: sh21, asm: "SRW"},                   // unsigned uint32(arg0) >> arg1, shift amount is mod 32
 		{name: "SRDconst", argLength: 1, reg: gp11, asm: "SRD", aux: "Int8"}, // unsigned arg0 >> auxint, shift amount 0-63
-		{name: "SRWconst", argLength: 1, reg: gp11, asm: "SRW", aux: "Int8"}, // unsigned arg0 >> auxint, shift amount 0-31
+		{name: "SRWconst", argLength: 1, reg: gp11, asm: "SRW", aux: "Int8"}, // unsigned uint32(arg0) >> auxint, shift amount 0-31
 
 		// Arithmetic shifts clobber flags.
 		{name: "SRAD", argLength: 2, reg: sh21, asm: "SRAD", clobberFlags: true},                   // signed arg0 >> arg1, shift amount is mod 64
-		{name: "SRAW", argLength: 2, reg: sh21, asm: "SRAW", clobberFlags: true},                   // signed arg0 >> arg1, shift amount is mod 32
+		{name: "SRAW", argLength: 2, reg: sh21, asm: "SRAW", clobberFlags: true},                   // signed int32(arg0) >> arg1, shift amount is mod 32
 		{name: "SRADconst", argLength: 1, reg: gp11, asm: "SRAD", aux: "Int8", clobberFlags: true}, // signed arg0 >> auxint, shift amount 0-63
-		{name: "SRAWconst", argLength: 1, reg: gp11, asm: "SRAW", aux: "Int8", clobberFlags: true}, // signed arg0 >> auxint, shift amount 0-31
+		{name: "SRAWconst", argLength: 1, reg: gp11, asm: "SRAW", aux: "Int8", clobberFlags: true}, // signed int32(arg0) >> auxint, shift amount 0-31
 
 		{name: "RLLGconst", argLength: 1, reg: gp11, asm: "RLLG", aux: "Int8"}, // arg0 rotate left auxint, rotate amount 0-63
 		{name: "RLLconst", argLength: 1, reg: gp11, asm: "RLL", aux: "Int8"},   // arg0 rotate left auxint, rotate amount 0-31
diff --git a/src/cmd/compile/internal/ssa/rewriteS390X.go b/src/cmd/compile/internal/ssa/rewriteS390X.go
index e84cb5b10c..4fdbbdae3c 100644
--- a/src/cmd/compile/internal/ssa/rewriteS390X.go
+++ b/src/cmd/compile/internal/ssa/rewriteS390X.go
@@ -34589,7 +34589,7 @@ func rewriteValueS390X_OpS390XSRAW_0(v *Value) bool {
 func rewriteValueS390X_OpS390XSRAWconst_0(v *Value) bool {
 	// match: (SRAWconst [c] (MOVDconst [d]))
 	// cond:
-	// result: (MOVDconst [d>>uint64(c)])
+	// result: (MOVDconst [int64(int32(d))>>uint64(c)])
 	for {
 		c := v.AuxInt
 		v_0 := v.Args[0]
@@ -34598,7 +34598,7 @@ func rewriteValueS390X_OpS390XSRAWconst_0(v *Value) bool {
 		}
 		d := v_0.AuxInt
 		v.reset(OpS390XMOVDconst)
-		v.AuxInt = d >> uint64(c)
+		v.AuxInt = int64(int32(d)) >> uint64(c)
 		return true
 	}
 	return false
-- 
cgit v1.2.3-54-g00ecf


From 15474dce9d295055c70c0a6ad092fd95563ddca9 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Thu, 15 Feb 2018 15:57:13 -0800
Subject: [release-branch.go1.9] cmd/go: restrict meta imports to valid schemes

Before this change, when using -insecure, we permitted any meta import
repo root as long as it contained "://". When not using -insecure, we
restrict meta import repo roots to be valid URLs. People may depend on
that somehow, so permit meta import repo roots to be invalid URLs, but
require them to have valid schemes per RFC 3986.

Fixes #23867

Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d
Reviewed-on: https://go-review.googlesource.com/94603
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/102776
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
---
 src/cmd/go/internal/get/vcs.go      | 34 +++++++++++++++++++++++++++--
 src/cmd/go/internal/get/vcs_test.go | 43 +++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/src/cmd/go/internal/get/vcs.go b/src/cmd/go/internal/get/vcs.go
index 86d2e32efb..dcc7047211 100644
--- a/src/cmd/go/internal/get/vcs.go
+++ b/src/cmd/go/internal/get/vcs.go
@@ -767,8 +767,8 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re
 		}
 	}
 
-	if !strings.Contains(mmi.RepoRoot, "://") {
-		return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, mmi.RepoRoot)
+	if err := validateRepoRootScheme(mmi.RepoRoot); err != nil {
+		return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, mmi.RepoRoot, err)
 	}
 	rr := &repoRoot{
 		vcs:      vcsByCmd(mmi.VCS),
@@ -782,6 +782,36 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re
 	return rr, nil
 }
 
+// validateRepoRootScheme returns an error if repoRoot does not seem
+// to have a valid URL scheme. At this point we permit things that
+// aren't valid URLs, although later, if not using -insecure, we will
+// restrict repoRoots to be valid URLs. This is only because we've
+// historically permitted them, and people may depend on that.
+func validateRepoRootScheme(repoRoot string) error {
+	end := strings.Index(repoRoot, "://")
+	if end <= 0 {
+		return errors.New("no scheme")
+	}
+
+	// RFC 3986 section 3.1.
+	for i := 0; i < end; i++ {
+		c := repoRoot[i]
+		switch {
+		case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z':
+			// OK.
+		case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.':
+			// OK except at start.
+			if i == 0 {
+				return errors.New("invalid scheme")
+			}
+		default:
+			return errors.New("invalid scheme")
+		}
+	}
+
+	return nil
+}
+
 var fetchGroup singleflight.Group
 var (
 	fetchCacheMu sync.Mutex
diff --git a/src/cmd/go/internal/get/vcs_test.go b/src/cmd/go/internal/get/vcs_test.go
index 62d352ae57..31fa9ef430 100644
--- a/src/cmd/go/internal/get/vcs_test.go
+++ b/src/cmd/go/internal/get/vcs_test.go
@@ -390,3 +390,46 @@ func TestMatchGoImport(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateRepoRootScheme(t *testing.T) {
+	tests := []struct {
+		root string
+		err  string
+	}{
+		{
+			root: "",
+			err:  "no scheme",
+		},
+		{
+			root: "http://",
+			err:  "",
+		},
+		{
+			root: "a://",
+			err:  "",
+		},
+		{
+			root: "a#://",
+			err:  "invalid scheme",
+		},
+		{
+			root: "-config://",
+			err:  "invalid scheme",
+		},
+	}
+
+	for _, test := range tests {
+		err := validateRepoRootScheme(test.root)
+		if err == nil {
+			if test.err != "" {
+				t.Errorf("validateRepoRootScheme(%q) = nil, want %q", test.root, test.err)
+			}
+		} else if test.err == "" {
+			if err != nil {
+				t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err)
+			}
+		} else if err.Error() != test.err {
+			t.Errorf("validateRepoRootScheme(%q) = %q, want %q", test.root, err, test.err)
+		}
+	}
+}
-- 
cgit v1.2.3-54-g00ecf


From 703bb6a7124da10fea81bf1e3318b37d8ebd4ec9 Mon Sep 17 00:00:00 2001
From: Andrew Bonventre <andybons@golang.org>
Date: Fri, 23 Mar 2018 16:40:15 -0400
Subject: [release-branch.go1.9] net/http/pprof: harden handler responses

A very small number of old browsers consider content as HTML
even when it is explicitly stated in the Content-Type header
that it is not. If content served is based on user-supplied
input, then an XSS is possible. Introduce three mitigations:

+ Don't reflect user input in error strings
+ Set a Content-Disposition header when requesting a resource
  that should never be displayed in a browser window
+ Set X-Content-Type-Options: nosniff on all responses

Change-Id: I81c9d6736e0439ebd1db99cd7fb701cc56d24805
Reviewed-on: https://go-review.googlesource.com/102318
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/103164
Reviewed-by: Andrew Bonventre <andybons@golang.org>
---
 src/net/http/pprof/pprof.go      | 52 ++++++++++++++++--------------
 src/net/http/pprof/pprof_test.go | 69 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+), 23 deletions(-)
 create mode 100644 src/net/http/pprof/pprof_test.go

diff --git a/src/net/http/pprof/pprof.go b/src/net/http/pprof/pprof.go
index 12c7599ab0..7f01ee47a0 100644
--- a/src/net/http/pprof/pprof.go
+++ b/src/net/http/pprof/pprof.go
@@ -80,6 +80,7 @@ func init() {
 // command line, with arguments separated by NUL bytes.
 // The package initialization registers it as /debug/pprof/cmdline.
 func Cmdline(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 	fmt.Fprintf(w, strings.Join(os.Args, "\x00"))
 }
@@ -100,33 +101,36 @@ func durationExceedsWriteTimeout(r *http.Request, seconds float64) bool {
 	return ok && srv.WriteTimeout != 0 && seconds >= srv.WriteTimeout.Seconds()
 }
 
+func serveError(w http.ResponseWriter, status int, txt string) {
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Header().Set("X-Go-Pprof", "1")
+	w.Header().Del("Content-Disposition")
+	w.WriteHeader(status)
+	fmt.Fprintln(w, txt)
+}
+
 // Profile responds with the pprof-formatted cpu profile.
 // The package initialization registers it as /debug/pprof/profile.
 func Profile(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	sec, _ := strconv.ParseInt(r.FormValue("seconds"), 10, 64)
 	if sec == 0 {
 		sec = 30
 	}
 
 	if durationExceedsWriteTimeout(r, float64(sec)) {
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		w.Header().Set("X-Go-Pprof", "1")
-		w.WriteHeader(http.StatusBadRequest)
-		fmt.Fprintln(w, "profile duration exceeds server's WriteTimeout")
+		serveError(w, http.StatusBadRequest, "profile duration exceeds server's WriteTimeout")
 		return
 	}
 
 	// Set Content Type assuming StartCPUProfile will work,
 	// because if it does it starts writing.
 	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Content-Disposition", `attachment; filename="profile"`)
 	if err := pprof.StartCPUProfile(w); err != nil {
 		// StartCPUProfile failed, so no writes yet.
-		// Can change header back to text content
-		// and send error code.
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		w.Header().Set("X-Go-Pprof", "1")
-		w.WriteHeader(http.StatusInternalServerError)
-		fmt.Fprintf(w, "Could not enable CPU profiling: %s\n", err)
+		serveError(w, http.StatusInternalServerError,
+			fmt.Sprintf("Could not enable CPU profiling: %s", err))
 		return
 	}
 	sleep(w, time.Duration(sec)*time.Second)
@@ -137,29 +141,25 @@ func Profile(w http.ResponseWriter, r *http.Request) {
 // Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified.
 // The package initialization registers it as /debug/pprof/trace.
 func Trace(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	sec, err := strconv.ParseFloat(r.FormValue("seconds"), 64)
 	if sec <= 0 || err != nil {
 		sec = 1
 	}
 
 	if durationExceedsWriteTimeout(r, sec) {
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		w.Header().Set("X-Go-Pprof", "1")
-		w.WriteHeader(http.StatusBadRequest)
-		fmt.Fprintln(w, "profile duration exceeds server's WriteTimeout")
+		serveError(w, http.StatusBadRequest, "profile duration exceeds server's WriteTimeout")
 		return
 	}
 
 	// Set Content Type assuming trace.Start will work,
 	// because if it does it starts writing.
 	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Content-Disposition", `attachment; filename="trace"`)
 	if err := trace.Start(w); err != nil {
 		// trace.Start failed, so no writes yet.
-		// Can change header back to text content and send error code.
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		w.Header().Set("X-Go-Pprof", "1")
-		w.WriteHeader(http.StatusInternalServerError)
-		fmt.Fprintf(w, "Could not enable tracing: %s\n", err)
+		serveError(w, http.StatusInternalServerError,
+			fmt.Sprintf("Could not enable tracing: %s", err))
 		return
 	}
 	sleep(w, time.Duration(sec*float64(time.Second)))
@@ -170,6 +170,7 @@ func Trace(w http.ResponseWriter, r *http.Request) {
 // responding with a table mapping program counters to function names.
 // The package initialization registers it as /debug/pprof/symbol.
 func Symbol(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 
 	// We have to read the whole POST body before
@@ -222,18 +223,23 @@ func Handler(name string) http.Handler {
 type handler string
 
 func (name handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	debug, _ := strconv.Atoi(r.FormValue("debug"))
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 	p := pprof.Lookup(string(name))
 	if p == nil {
-		w.WriteHeader(404)
-		fmt.Fprintf(w, "Unknown profile: %s\n", name)
+		serveError(w, http.StatusNotFound, "Unknown profile")
 		return
 	}
 	gc, _ := strconv.Atoi(r.FormValue("gc"))
 	if name == "heap" && gc > 0 {
 		runtime.GC()
 	}
+	debug, _ := strconv.Atoi(r.FormValue("debug"))
+	if debug != 0 {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	} else {
+		w.Header().Set("Content-Type", "application/octet-stream")
+		w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
+	}
 	p.WriteTo(w, debug)
 }
 
diff --git a/src/net/http/pprof/pprof_test.go b/src/net/http/pprof/pprof_test.go
new file mode 100644
index 0000000000..47dd35b9b0
--- /dev/null
+++ b/src/net/http/pprof/pprof_test.go
@@ -0,0 +1,69 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package pprof
+
+import (
+	"bytes"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestHandlers(t *testing.T) {
+	testCases := []struct {
+		path               string
+		handler            http.HandlerFunc
+		statusCode         int
+		contentType        string
+		contentDisposition string
+		resp               []byte
+	}{
+		{"/debug/pprof/<script>scripty<script>", Index, http.StatusNotFound, "text/plain; charset=utf-8", "", []byte("Unknown profile\n")},
+		{"/debug/pprof/heap", Index, http.StatusOK, "application/octet-stream", `attachment; filename="heap"`, nil},
+		{"/debug/pprof/heap?debug=1", Index, http.StatusOK, "text/plain; charset=utf-8", "", nil},
+		{"/debug/pprof/cmdline", Cmdline, http.StatusOK, "text/plain; charset=utf-8", "", nil},
+		{"/debug/pprof/profile?seconds=1", Profile, http.StatusOK, "application/octet-stream", `attachment; filename="profile"`, nil},
+		{"/debug/pprof/symbol", Symbol, http.StatusOK, "text/plain; charset=utf-8", "", nil},
+		{"/debug/pprof/trace", Trace, http.StatusOK, "application/octet-stream", `attachment; filename="trace"`, nil},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.path, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "http://example.com"+tc.path, nil)
+			w := httptest.NewRecorder()
+			tc.handler(w, req)
+
+			resp := w.Result()
+			if got, want := resp.StatusCode, tc.statusCode; got != want {
+				t.Errorf("status code: got %d; want %d", got, want)
+			}
+
+			body, err := ioutil.ReadAll(resp.Body)
+			if err != nil {
+				t.Errorf("when reading response body, expected non-nil err; got %v", err)
+			}
+			if got, want := resp.Header.Get("X-Content-Type-Options"), "nosniff"; got != want {
+				t.Errorf("X-Content-Type-Options: got %q; want %q", got, want)
+			}
+			if got, want := resp.Header.Get("Content-Type"), tc.contentType; got != want {
+				t.Errorf("Content-Type: got %q; want %q", got, want)
+			}
+			if got, want := resp.Header.Get("Content-Disposition"), tc.contentDisposition; got != want {
+				t.Errorf("Content-Disposition: got %q; want %q", got, want)
+			}
+
+			if resp.StatusCode == http.StatusOK {
+				return
+			}
+			if got, want := resp.Header.Get("X-Go-Pprof"), "1"; got != want {
+				t.Errorf("X-Go-Pprof: got %q; want %q", got, want)
+			}
+			if !bytes.Equal(body, tc.resp) {
+				t.Errorf("response: got %q; want %q", body, tc.resp)
+			}
+		})
+	}
+
+}
-- 
cgit v1.2.3-54-g00ecf


From e3047e744f4e6ffdce1f52c3bc4f8838c9883f5f Mon Sep 17 00:00:00 2001
From: Andrew Bonventre <andybons@golang.org>
Date: Wed, 28 Mar 2018 17:42:01 -0400
Subject: [release-branch.go1.9] doc: document Go 1.9.5

Change-Id: I8f12b188d2e13555e1d7634b9cc0319fc737cb1d
Reviewed-on: https://go-review.googlesource.com/103216
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-on: https://go-review.googlesource.com/103220
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
---
 doc/devel/release.html | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/devel/release.html b/doc/devel/release.html
index d82fb0c630..4d4765a292 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -63,6 +63,13 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.4">Go
 1.9.4</a> milestone on our issue tracker for details.
 </p>
 
+<p>
+go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command,
+and the <code>net</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.5">Go
+1.9.5 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.8">go1.8 (released 2017/02/16)</h2>
 
 <p>
-- 
cgit v1.2.3-54-g00ecf


From 954d811c77fa64382adfb4b31dbe699e04430edc Mon Sep 17 00:00:00 2001
From: Andrew Bonventre <andybons@golang.org>
Date: Wed, 28 Mar 2018 21:11:05 -0400
Subject: [release-branch.go1.9] doc: update release notes for Go 1.9.5

Change-Id: Idf88d289bac9603d852a9d19eb4b764f8589f8d9
Reviewed-on: https://go-review.googlesource.com/103159
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-on: https://go-review.googlesource.com/103161
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
---
 doc/devel/release.html | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/doc/devel/release.html b/doc/devel/release.html
index 4d4765a292..6fc86b9438 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -64,8 +64,7 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.4">Go
 </p>
 
 <p>
-go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command,
-and the <code>net</code> package.
+go1.9.5 (released 2018/03/28) includes fixes to the compiler and go command.
 See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.5">Go
 1.9.5 milestone</a> on our issue tracker for details.
 </p>
-- 
cgit v1.2.3-54-g00ecf


From 9c69ed5d094bb8806b71076ab986c35df0a3f8a3 Mon Sep 17 00:00:00 2001
From: Andrew Bonventre <andybons@golang.org>
Date: Wed, 28 Mar 2018 21:25:09 -0400
Subject: [release-branch.go1.9] doc: update 1.9.5 release notes to include
 net/http/pprof

Change-Id: I7c0716711a2cadd347fdf242c792b109539f7355
Reviewed-on: https://go-review.googlesource.com/103163
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-on: https://go-review.googlesource.com/103165
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 doc/devel/release.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/devel/release.html b/doc/devel/release.html
index 6fc86b9438..cc481fd42f 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -64,7 +64,8 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.4">Go
 </p>
 
 <p>
-go1.9.5 (released 2018/03/28) includes fixes to the compiler and go command.
+go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command, and
+<code>net/http/pprof</code> package.
 See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.5">Go
 1.9.5 milestone</a> on our issue tracker for details.
 </p>
-- 
cgit v1.2.3-54-g00ecf


From f5c8db9643005344b9d1306588afea35c18140cc Mon Sep 17 00:00:00 2001
From: Keith Randall <khr@google.com>
Date: Tue, 6 Feb 2018 09:44:34 -0800
Subject: [release-branch.go1.9] cmd/compile: use unsigned loads for
 multi-element comparisons

When loading multiple elements of an array into a single register,
make sure we treat them as unsigned.  When treated as signed, the
upper bits might all be set, causing the shift-or combo to clobber
the values higher in the register.

Fixes #23719.

Change-Id: Ic87da03e9bd0fe2c60bb214b99f846e4e9446052
Reviewed-on: https://go-review.googlesource.com/92335
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ilya Tocar <ilya.tocar@intel.com>
Reviewed-on: https://go-review.googlesource.com/103115
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Keith Randall <khr@golang.org>
---
 src/cmd/compile/internal/gc/asm_test.go | 14 +++++++++++
 src/cmd/compile/internal/gc/walk.go     |  7 +++++-
 test/fixedbugs/issue23719.go            | 42 +++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 test/fixedbugs/issue23719.go

diff --git a/src/cmd/compile/internal/gc/asm_test.go b/src/cmd/compile/internal/gc/asm_test.go
index 08ec638f44..95c354380e 100644
--- a/src/cmd/compile/internal/gc/asm_test.go
+++ b/src/cmd/compile/internal/gc/asm_test.go
@@ -909,6 +909,20 @@ var linuxAMD64Tests = []*asmTest{
 		`,
 		[]string{"b\\+40\\(SP\\)"},
 	},
+	{
+		`
+		func f73(a,b [3]int16) bool {
+		    return a == b
+		}`,
+		[]string{"\tCMPL\t[A-Z]"},
+	},
+	{
+		`
+		func f74(a,b [12]int8) bool {
+		    return a == b
+		}`,
+		[]string{"\tCMPQ\t[A-Z]", "\tCMPL\t[A-Z]"},
+	},
 }
 
 var linux386Tests = []*asmTest{
diff --git a/src/cmd/compile/internal/gc/walk.go b/src/cmd/compile/internal/gc/walk.go
index ab2e38208d..a814ee4bf7 100644
--- a/src/cmd/compile/internal/gc/walk.go
+++ b/src/cmd/compile/internal/gc/walk.go
@@ -3390,18 +3390,23 @@ func walkcompare(n *Node, init *Nodes) *Node {
 				i++
 				remains -= t.Elem().Width
 			} else {
+				elemType := t.Elem().ToUnsigned()
 				cmplw := nod(OINDEX, cmpl, nodintconst(int64(i)))
-				cmplw = conv(cmplw, convType)
+				cmplw = conv(cmplw, elemType) // convert to unsigned
+				cmplw = conv(cmplw, convType) // widen
 				cmprw := nod(OINDEX, cmpr, nodintconst(int64(i)))
+				cmprw = conv(cmprw, elemType)
 				cmprw = conv(cmprw, convType)
 				// For code like this:  uint32(s[0]) | uint32(s[1])<<8 | uint32(s[2])<<16 ...
 				// ssa will generate a single large load.
 				for offset := int64(1); offset < step; offset++ {
 					lb := nod(OINDEX, cmpl, nodintconst(int64(i+offset)))
+					lb = conv(lb, elemType)
 					lb = conv(lb, convType)
 					lb = nod(OLSH, lb, nodintconst(int64(8*t.Elem().Width*offset)))
 					cmplw = nod(OOR, cmplw, lb)
 					rb := nod(OINDEX, cmpr, nodintconst(int64(i+offset)))
+					rb = conv(rb, elemType)
 					rb = conv(rb, convType)
 					rb = nod(OLSH, rb, nodintconst(int64(8*t.Elem().Width*offset)))
 					cmprw = nod(OOR, cmprw, rb)
diff --git a/test/fixedbugs/issue23719.go b/test/fixedbugs/issue23719.go
new file mode 100644
index 0000000000..c97e63636c
--- /dev/null
+++ b/test/fixedbugs/issue23719.go
@@ -0,0 +1,42 @@
+// run
+
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+func main() {
+	v1 := [2]int32{-1, 88}
+	v2 := [2]int32{-1, 99}
+	if v1 == v2 {
+		panic("bad comparison")
+	}
+
+	w1 := [2]int16{-1, 88}
+	w2 := [2]int16{-1, 99}
+	if w1 == w2 {
+		panic("bad comparison")
+	}
+	x1 := [4]int16{-1, 88, 88, 88}
+	x2 := [4]int16{-1, 99, 99, 99}
+	if x1 == x2 {
+		panic("bad comparison")
+	}
+
+	a1 := [2]int8{-1, 88}
+	a2 := [2]int8{-1, 99}
+	if a1 == a2 {
+		panic("bad comparison")
+	}
+	b1 := [4]int8{-1, 88, 88, 88}
+	b2 := [4]int8{-1, 99, 99, 99}
+	if b1 == b2 {
+		panic("bad comparison")
+	}
+	c1 := [8]int8{-1, 88, 88, 88, 88, 88, 88, 88}
+	c2 := [8]int8{-1, 99, 99, 99, 99, 99, 99, 99}
+	if c1 == c2 {
+		panic("bad comparison")
+	}
+}
-- 
cgit v1.2.3-54-g00ecf


From 51fd3d43da17fa897aa6e0bfbfdb1844f3579fbf Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Tue, 13 Feb 2018 17:43:16 -0800
Subject: [release-branch.go1.9] cmd/go: add options to security whitelist

Also permit passing flags to pkg-config, as we used to.

Also change the error message to refer to https://golang.org/s/invalidflag.

Fixes #23749

Change-Id: I3fbeb4c346610e6fd55e8720e720b0a40e352ab5
Reviewed-on: https://go-review.googlesource.com/93836
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/103135
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
---
 src/cmd/go/internal/work/build.go         | 15 ++++++----
 src/cmd/go/internal/work/security.go      | 50 ++++++++++++++++++++++++++++---
 src/cmd/go/internal/work/security_test.go |  7 +++++
 3 files changed, 63 insertions(+), 9 deletions(-)

diff --git a/src/cmd/go/internal/work/build.go b/src/cmd/go/internal/work/build.go
index a129692d66..23946e466b 100644
--- a/src/cmd/go/internal/work/build.go
+++ b/src/cmd/go/internal/work/build.go
@@ -1526,15 +1526,20 @@ func splitPkgConfigOutput(out []byte) []string {
 // Calls pkg-config if needed and returns the cflags/ldflags needed to build the package.
 func (b *Builder) getPkgConfigFlags(p *load.Package) (cflags, ldflags []string, err error) {
 	if pkgs := p.CgoPkgConfig; len(pkgs) > 0 {
+		var pcflags []string
+		for len(pkgs) > 0 && strings.HasPrefix(pkgs[0], "--") {
+			pcflags = append(pcflags, pkgs[0])
+			pkgs = pkgs[1:]
+		}
 		for _, pkg := range pkgs {
 			if !load.SafeArg(pkg) {
 				return nil, nil, fmt.Errorf("invalid pkg-config package name: %s", pkg)
 			}
 		}
 		var out []byte
-		out, err = b.runOut(p.Dir, p.ImportPath, nil, b.PkgconfigCmd(), "--cflags", "--", pkgs)
+		out, err = b.runOut(p.Dir, p.ImportPath, nil, b.PkgconfigCmd(), "--cflags", pcflags, "--", pkgs)
 		if err != nil {
-			b.showOutput(p.Dir, b.PkgconfigCmd()+" --cflags "+strings.Join(pkgs, " "), string(out))
+			b.showOutput(p.Dir, b.PkgconfigCmd()+" --cflags "+strings.Join(pcflags, " ")+strings.Join(pkgs, " "), string(out))
 			b.Print(err.Error() + "\n")
 			return nil, nil, errPrintedOutput
 		}
@@ -1544,15 +1549,15 @@ func (b *Builder) getPkgConfigFlags(p *load.Package) (cflags, ldflags []string,
 				return nil, nil, err
 			}
 		}
-		out, err = b.runOut(p.Dir, p.ImportPath, nil, b.PkgconfigCmd(), "--libs", "--", pkgs)
+		out, err = b.runOut(p.Dir, p.ImportPath, nil, b.PkgconfigCmd(), "--libs", pcflags, "--", pkgs)
 		if err != nil {
-			b.showOutput(p.Dir, b.PkgconfigCmd()+" --libs "+strings.Join(pkgs, " "), string(out))
+			b.showOutput(p.Dir, b.PkgconfigCmd()+" --libs "+strings.Join(pcflags, " ")+strings.Join(pkgs, " "), string(out))
 			b.Print(err.Error() + "\n")
 			return nil, nil, errPrintedOutput
 		}
 		if len(out) > 0 {
 			ldflags = strings.Fields(string(out))
-			if err := checkLinkerFlags("CFLAGS", "pkg-config --cflags", ldflags); err != nil {
+			if err := checkLinkerFlags("LDFLAGS", "pkg-config --libs", ldflags); err != nil {
 				return nil, nil, err
 			}
 		}
diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index fee5beeb15..54fd6b9782 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -34,6 +34,7 @@ import (
 	"fmt"
 	"os"
 	"regexp"
+	"strings"
 )
 
 var re = regexp.MustCompile
@@ -45,26 +46,42 @@ var validCompilerFlags = []*regexp.Regexp{
 	re(`-O([^@\-].*)`),
 	re(`-W`),
 	re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
+	re(`-f(no-)?blocks`),
+	re(`-f(no-)?common`),
+	re(`-f(no-)?constant-cfstrings`),
+	re(`-f(no-)?exceptions`),
+	re(`-finput-charset=([^@\-].*)`),
+	re(`-f(no-)?lto`),
+	re(`-f(no-)?modules`),
 	re(`-f(no-)?objc-arc`),
 	re(`-f(no-)?omit-frame-pointer`),
+	re(`-f(no-)?openmp(-simd)?`),
+	re(`-f(no-)?permissive`),
 	re(`-f(no-)?(pic|PIC|pie|PIE)`),
+	re(`-f(no-)?rtti`),
 	re(`-f(no-)?split-stack`),
 	re(`-f(no-)?stack-(.+)`),
 	re(`-f(no-)?strict-aliasing`),
 	re(`-fsanitize=(.+)`),
 	re(`-g([^@\-].*)?`),
 	re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
+	re(`-m(no-)?avx[0-9a-z.]*`),
+	re(`-m(no-)?ms-bitfields`),
 	re(`-m(no-)?stack-(.+)`),
 	re(`-mmacosx-(.+)`),
 	re(`-mnop-fun-dllimport`),
+	re(`-m(no-)?sse[0-9.]*`),
+	re(`-pedantic(-errors)?`),
+	re(`-pipe`),
 	re(`-pthread`),
-	re(`-std=([^@\-].*)`),
+	re(`-?-std=([^@\-].*)`),
 	re(`-x([^@\-].*)`),
 }
 
 var validCompilerFlagsWithNextArg = []string{
 	"-D",
 	"-I",
+	"-isystem",
 	"-framework",
 	"-x",
 }
@@ -79,16 +96,29 @@ var validLinkerFlags = []*regexp.Regexp{
 	re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
 	re(`-(pic|PIC|pie|PIE)`),
 	re(`-pthread`),
+	re(`-?-static([-a-z0-9+]*)`),
 
 	// Note that any wildcards in -Wl need to exclude comma,
 	// since -Wl splits its argument at commas and passes
 	// them all to the linker uninterpreted. Allowing comma
 	// in a wildcard would allow tunnelling arbitrary additional
 	// linker arguments through one of these.
+	re(`-Wl,--(no-)?as-needed`),
+	re(`-Wl,-Bdynamic`),
+	re(`-Wl,-Bstatic`),
+	re(`-Wl,--disable-new-dtags`),
+	re(`-Wl,--enable-new-dtags`),
+	re(`-Wl,--end-group`),
+	re(`-Wl,-framework,[^,@\-][^,]+`),
+	re(`-Wl,-headerpad_max_install_names`),
+	re(`-Wl,--no-undefined`),
 	re(`-Wl,-rpath,([^,@\-][^,]+)`),
+	re(`-Wl,-search_paths_first`),
+	re(`-Wl,--start-group`),
+	re(`-Wl,-?-unresolved-symbols=[^,]+`),
 	re(`-Wl,--(no-)?warn-([^,]+)`),
 
-	re(`[a-zA-Z0-9_].*\.(o|obj|dll|dylib|so)`), // direct linker inputs: x.o or libfoo.so (but not -foo.o or @foo.o)
+	re(`[a-zA-Z0-9_/].*\.(a|o|obj|dll|dylib|so)`), // direct linker inputs: x.o or libfoo.so (but not -foo.o or @foo.o)
 }
 
 var validLinkerFlagsWithNextArg = []string{
@@ -96,6 +126,7 @@ var validLinkerFlagsWithNextArg = []string{
 	"-l",
 	"-L",
 	"-framework",
+	"-Wl,-framework",
 }
 
 func checkCompilerFlags(name, source string, list []string) error {
@@ -147,10 +178,21 @@ Args:
 					i++
 					continue Args
 				}
+
+				// Permit -Wl,-framework -Wl,name.
+				if i+1 < len(list) &&
+					strings.HasPrefix(arg, "-Wl,") &&
+					strings.HasPrefix(list[i+1], "-Wl,") &&
+					load.SafeArg(list[i+1][4:]) &&
+					!strings.Contains(list[i+1][4:], ",") {
+					i++
+					continue Args
+				}
+
 				if i+1 < len(list) {
-					return fmt.Errorf("invalid flag in %s: %s %s", source, arg, list[i+1])
+					return fmt.Errorf("invalid flag in %s: %s %s (see https://golang.org/s/invalidflag)", source, arg, list[i+1])
 				}
-				return fmt.Errorf("invalid flag in %s: %s without argument", source, arg)
+				return fmt.Errorf("invalid flag in %s: %s without argument (see https://golang.org/s/invalidflag)", source, arg)
 			}
 		}
 	Bad:
diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
index 739ab5a6ee..976501b810 100644
--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
@@ -132,6 +132,9 @@ var goodLinkerFlags = [][]string{
 	{"-l", "世界"},
 	{"-L", "framework"},
 	{"-framework", "Chocolate"},
+	{"-Wl,-framework", "-Wl,Chocolate"},
+	{"-Wl,-framework,Chocolate"},
+	{"-Wl,-unresolved-symbols=ignore-all"},
 }
 
 var badLinkerFlags = [][]string{
@@ -185,6 +188,10 @@ var badLinkerFlags = [][]string{
 	{"-l", "-foo"},
 	{"-framework", "-Caffeine"},
 	{"-framework", "@Home"},
+	{"-Wl,-framework,-Caffeine"},
+	{"-Wl,-framework", "-Wl,@Home"},
+	{"-Wl,-framework", "@Home"},
+	{"-Wl,-framework,Chocolate,@Home"},
 	{"-x", "--c"},
 	{"-x", "@obj"},
 	{"-Wl,-rpath,@foo"},
-- 
cgit v1.2.3-54-g00ecf


From c1bf152756e188f8a34f60b2c708a50eed24a7c6 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Fri, 16 Feb 2018 16:17:44 -0800
Subject: [release-branch.go1.9] cmd/go: permit pkg-config flags in any
 argument position

Fixes #23875

Change-Id: I503af71f44d11cd6b787fef100246b55735614a0
Reviewed-on: https://go-review.googlesource.com/94896
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/103155
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
---
 src/cmd/go/go_test.go             | 33 +++++++++++++++++++++++++++++++++
 src/cmd/go/internal/work/build.go | 16 ++++++++++++----
 2 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/src/cmd/go/go_test.go b/src/cmd/go/go_test.go
index 28c2bc147a..03d29609a9 100644
--- a/src/cmd/go/go_test.go
+++ b/src/cmd/go/go_test.go
@@ -4496,3 +4496,36 @@ func TestBadCgoDirectives(t *testing.T) {
 	tg.run("build", "-n", "x")
 	tg.grepStderr("-D@foo", "did not find -D@foo in commands")
 }
+
+func TestTwoPkgConfigs(t *testing.T) {
+	if !canCgo {
+		t.Skip("no cgo")
+	}
+	if runtime.GOOS == "windows" || runtime.GOOS == "plan9" {
+		t.Skipf("no shell scripts on %s", runtime.GOOS)
+	}
+	tg := testgo(t)
+	defer tg.cleanup()
+	tg.parallel()
+	tg.tempFile("src/x/a.go", `package x
+		// #cgo pkg-config: --static a
+		import "C"
+	`)
+	tg.tempFile("src/x/b.go", `package x
+		// #cgo pkg-config: --static a
+		import "C"
+	`)
+	tg.tempFile("pkg-config.sh", `#!/bin/sh
+echo $* >>`+tg.path("pkg-config.out"))
+	tg.must(os.Chmod(tg.path("pkg-config.sh"), 0755))
+	tg.setenv("GOPATH", tg.path("."))
+	tg.setenv("PKG_CONFIG", tg.path("pkg-config.sh"))
+	tg.run("build", "x")
+	out, err := ioutil.ReadFile(tg.path("pkg-config.out"))
+	tg.must(err)
+	out = bytes.TrimSpace(out)
+	want := "--cflags --static --static -- a a\n--libs --static --static -- a a"
+	if !bytes.Equal(out, []byte(want)) {
+		t.Errorf("got %q want %q", out, want)
+	}
+}
diff --git a/src/cmd/go/internal/work/build.go b/src/cmd/go/internal/work/build.go
index 23946e466b..e931629105 100644
--- a/src/cmd/go/internal/work/build.go
+++ b/src/cmd/go/internal/work/build.go
@@ -1525,11 +1525,19 @@ func splitPkgConfigOutput(out []byte) []string {
 
 // Calls pkg-config if needed and returns the cflags/ldflags needed to build the package.
 func (b *Builder) getPkgConfigFlags(p *load.Package) (cflags, ldflags []string, err error) {
-	if pkgs := p.CgoPkgConfig; len(pkgs) > 0 {
+	if pcargs := p.CgoPkgConfig; len(pcargs) > 0 {
+		// pkg-config permits arguments to appear anywhere in
+		// the command line. Move them all to the front, before --.
 		var pcflags []string
-		for len(pkgs) > 0 && strings.HasPrefix(pkgs[0], "--") {
-			pcflags = append(pcflags, pkgs[0])
-			pkgs = pkgs[1:]
+		var pkgs []string
+		for _, pcarg := range pcargs {
+			if pcarg == "--" {
+				// We're going to add our own "--" argument.
+			} else if strings.HasPrefix(pcarg, "--") {
+				pcflags = append(pcflags, pcarg)
+			} else {
+				pkgs = append(pkgs, pcarg)
+			}
 		}
 		for _, pkg := range pkgs {
 			if !load.SafeArg(pkg) {
-- 
cgit v1.2.3-54-g00ecf


From ad22922d03bc1db8da5f266c4c6cf8df895cac9b Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Tue, 27 Mar 2018 17:06:53 -0700
Subject: [release-branch.go1.9] cmd/go: add more C compiler/linker options to
 whitelist

Fixes #23937

Change-Id: Ie63d91355d1a724d0012d99d457d939deeeb8d3e
Reviewed-on: https://go-review.googlesource.com/102818
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
Reviewed-on: https://go-review.googlesource.com/103156
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
---
 src/cmd/go/internal/work/security.go      | 48 +++++++++++++++++++++++++++++--
 src/cmd/go/internal/work/security_test.go |  4 ---
 2 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 54fd6b9782..5c67aa945e 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -46,12 +46,19 @@ var validCompilerFlags = []*regexp.Regexp{
 	re(`-O([^@\-].*)`),
 	re(`-W`),
 	re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
+	re(`-Wa,-mbig-obj`),
+	re(`-ansi`),
 	re(`-f(no-)?blocks`),
 	re(`-f(no-)?common`),
 	re(`-f(no-)?constant-cfstrings`),
+	re(`-fdiagnostics-show-note-include-stack`),
 	re(`-f(no-)?exceptions`),
+	re(`-f(no-)?inline-functions`),
 	re(`-finput-charset=([^@\-].*)`),
+	re(`-f(no-)?fat-lto-objects`),
 	re(`-f(no-)?lto`),
+	re(`-fmacro-backtrace-limit=(.+)`),
+	re(`-fmessage-length=(.+)`),
 	re(`-f(no-)?modules`),
 	re(`-f(no-)?objc-arc`),
 	re(`-f(no-)?omit-frame-pointer`),
@@ -62,27 +69,42 @@ var validCompilerFlags = []*regexp.Regexp{
 	re(`-f(no-)?split-stack`),
 	re(`-f(no-)?stack-(.+)`),
 	re(`-f(no-)?strict-aliasing`),
+	re(`-f(un)signed-char`),
+	re(`-f(no-)?use-linker-plugin`), // safe if -B is not used; we don't permit -B
 	re(`-fsanitize=(.+)`),
+	re(`-ftemplate-depth-(.+)`),
+	re(`-fvisibility=(.+)`),
 	re(`-g([^@\-].*)?`),
+	re(`-m32`),
+	re(`-m64`),
 	re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
 	re(`-m(no-)?avx[0-9a-z.]*`),
 	re(`-m(no-)?ms-bitfields`),
 	re(`-m(no-)?stack-(.+)`),
 	re(`-mmacosx-(.+)`),
+	re(`-mios-simulator-version-min=(.+)`),
+	re(`-miphoneos-version-min=(.+)`),
 	re(`-mnop-fun-dllimport`),
 	re(`-m(no-)?sse[0-9.]*`),
+	re(`-mwindows`),
 	re(`-pedantic(-errors)?`),
 	re(`-pipe`),
 	re(`-pthread`),
 	re(`-?-std=([^@\-].*)`),
+	re(`-?-stdlib=([^@\-].*)`),
+	re(`-w`),
 	re(`-x([^@\-].*)`),
 }
 
 var validCompilerFlagsWithNextArg = []string{
+	"-arch",
 	"-D",
 	"-I",
-	"-isystem",
 	"-framework",
+	"-isysroot",
+	"-isystem",
+	"--sysroot",
+	"-target",
 	"-x",
 }
 
@@ -90,43 +112,65 @@ var validLinkerFlags = []*regexp.Regexp{
 	re(`-F([^@\-].*)`),
 	re(`-l([^@\-].*)`),
 	re(`-L([^@\-].*)`),
+	re(`-O`),
+	re(`-O([^@\-].*)`),
 	re(`-f(no-)?(pic|PIC|pie|PIE)`),
 	re(`-fsanitize=([^@\-].*)`),
 	re(`-g([^@\-].*)?`),
 	re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
+	re(`-mmacosx-(.+)`),
+	re(`-mios-simulator-version-min=(.+)`),
+	re(`-miphoneos-version-min=(.+)`),
+	re(`-mwindows`),
 	re(`-(pic|PIC|pie|PIE)`),
 	re(`-pthread`),
+	re(`-shared`),
 	re(`-?-static([-a-z0-9+]*)`),
+	re(`-?-stdlib=([^@\-].*)`),
 
 	// Note that any wildcards in -Wl need to exclude comma,
 	// since -Wl splits its argument at commas and passes
 	// them all to the linker uninterpreted. Allowing comma
 	// in a wildcard would allow tunnelling arbitrary additional
 	// linker arguments through one of these.
+	re(`-Wl,--(no-)?allow-multiple-definition`),
 	re(`-Wl,--(no-)?as-needed`),
 	re(`-Wl,-Bdynamic`),
 	re(`-Wl,-Bstatic`),
+	re(`-Wl,-d[ny]`),
 	re(`-Wl,--disable-new-dtags`),
 	re(`-Wl,--enable-new-dtags`),
 	re(`-Wl,--end-group`),
 	re(`-Wl,-framework,[^,@\-][^,]+`),
 	re(`-Wl,-headerpad_max_install_names`),
 	re(`-Wl,--no-undefined`),
-	re(`-Wl,-rpath,([^,@\-][^,]+)`),
+	re(`-Wl,-rpath[=,]([^,@\-][^,]+)`),
 	re(`-Wl,-search_paths_first`),
+	re(`-Wl,-sectcreate,([^,@\-][^,]+),([^,@\-][^,]+),([^,@\-][^,]+)`),
 	re(`-Wl,--start-group`),
+	re(`-Wl,-?-static`),
+	re(`-Wl,--subsystem,(native|windows|console|posix|xbox)`),
+	re(`-Wl,-undefined[=,]([^,@\-][^,]+)`),
 	re(`-Wl,-?-unresolved-symbols=[^,]+`),
 	re(`-Wl,--(no-)?warn-([^,]+)`),
+	re(`-Wl,-z,(no)?execstack`),
+	re(`-Wl,-z,relro`),
 
 	re(`[a-zA-Z0-9_/].*\.(a|o|obj|dll|dylib|so)`), // direct linker inputs: x.o or libfoo.so (but not -foo.o or @foo.o)
 }
 
 var validLinkerFlagsWithNextArg = []string{
+	"-arch",
 	"-F",
 	"-l",
 	"-L",
 	"-framework",
+	"-isysroot",
+	"--sysroot",
+	"-target",
 	"-Wl,-framework",
+	"-Wl,-rpath",
+	"-Wl,-undefined",
 }
 
 func checkCompilerFlags(name, source string, list []string) error {
diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
index 976501b810..bd898c9de6 100644
--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
@@ -140,9 +140,6 @@ var goodLinkerFlags = [][]string{
 var badLinkerFlags = [][]string{
 	{"-DFOO"},
 	{"-Dfoo=bar"},
-	{"-O"},
-	{"-O2"},
-	{"-Osmall"},
 	{"-W"},
 	{"-Wall"},
 	{"-fobjc-arc"},
@@ -155,7 +152,6 @@ var badLinkerFlags = [][]string{
 	{"-fno-stack-xxx"},
 	{"-mstack-overflow"},
 	{"-mno-stack-overflow"},
-	{"-mmacosx-version"},
 	{"-mnop-fun-dllimport"},
 	{"-std=c99"},
 	{"-xc"},
-- 
cgit v1.2.3-54-g00ecf


From f69b0c627f94b7dcaf4ec654df8e0ffa4bf46957 Mon Sep 17 00:00:00 2001
From: Andrew Bonventre <andybons@golang.org>
Date: Wed, 28 Mar 2018 23:43:38 -0400
Subject: [release-branch.go1.9] go1.9.5

Change-Id: If8542fb3e9064971fb0b3be8f910fbfd5061010e
Reviewed-on: https://go-review.googlesource.com/103167
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 3461c2bcf8..fd1cb91ec0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.9.4
\ No newline at end of file
+go1.9.5
\ No newline at end of file
-- 
cgit v1.2.3-54-g00ecf


From 93cfaa058a98efeead43f084589da8bb966ce3da Mon Sep 17 00:00:00 2001
From: Josh Bleecher Snyder <josharian@gmail.com>
Date: Thu, 12 Apr 2018 08:23:00 -0700
Subject: [release-branch.go1.9] cmd/compile: fix evaluation of "" < s

Fixes #24934

Change-Id: Ifa79ab3dfe69297eeef85f7193cd5f85e5982bc5
Reviewed-on: https://go-review.googlesource.com/106655
Run-TryBot: Josh Bleecher Snyder <josharian@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Reviewed-on: https://go-review.googlesource.com/108943
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
---
 src/cmd/compile/internal/gc/walk.go |  7 ++++
 test/fixedbugs/issue24817.go        | 64 +++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 test/fixedbugs/issue24817.go

diff --git a/src/cmd/compile/internal/gc/walk.go b/src/cmd/compile/internal/gc/walk.go
index a814ee4bf7..7909072340 100644
--- a/src/cmd/compile/internal/gc/walk.go
+++ b/src/cmd/compile/internal/gc/walk.go
@@ -1272,6 +1272,13 @@ opswitch:
 		}
 		if cs != nil {
 			cmp := Op(n.Etype)
+			// Our comparison below assumes that the non-constant string
+			// is on the left hand side, so rewrite "" cmp x to x cmp "".
+			// See issue 24817.
+			if Isconst(n.Left, CTSTR) {
+				cmp = brrev(cmp)
+			}
+
 			// maxRewriteLen was chosen empirically.
 			// It is the value that minimizes cmd/go file size
 			// across most architectures.
diff --git a/test/fixedbugs/issue24817.go b/test/fixedbugs/issue24817.go
new file mode 100644
index 0000000000..ba2a138ed3
--- /dev/null
+++ b/test/fixedbugs/issue24817.go
@@ -0,0 +1,64 @@
+// run
+
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Check all ways to compare a non-constant string to the empty string.
+
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+var (
+	s      = "abc"
+	e      = ""
+	failed bool
+)
+
+func main() {
+	want(true, "" < s, `"" < s`)
+	want(false, s < "", `s < ""`)
+	want(false, "" < e, `"" < e`)
+	want(false, e < "", `e < ""`)
+
+	want(true, "" <= s, `"" <= s`)
+	want(false, s <= "", `s <= ""`)
+	want(true, "" <= e, `"" <= e`)
+	want(true, e <= "", `e <= ""`)
+
+	want(false, "" > s, `"" > s`)
+	want(true, s > "", `s > ""`)
+	want(false, "" > e, `"" > e`)
+	want(false, e > "", `e > ""`)
+
+	want(false, "" >= s, `"" >= s`)
+	want(true, s >= "", `s >= ""`)
+	want(true, "" >= e, `"" >= e`)
+	want(true, e >= "", `e >= ""`)
+
+	want(false, "" == s, `"" == s`)
+	want(false, s == "", `s == ""`)
+	want(true, "" == e, `"" == e`)
+	want(true, e == "", `e == ""`)
+
+	want(true, "" != s, `"" != s`)
+	want(true, s != "", `s != ""`)
+	want(false, "" != e, `"" != e`)
+	want(false, e != "", `e != ""`)
+
+	if failed {
+		os.Exit(1)
+	}
+}
+
+//go:noinline
+func want(b bool, have bool, msg string) {
+	if b != have {
+		fmt.Println(msg)
+		failed = true
+	}
+}
-- 
cgit v1.2.3-54-g00ecf


From 50f65726a9ac8d6dd4bd2c1c609db16debd98d5c Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Wed, 14 Feb 2018 07:42:40 -0800
Subject: [release-branch.go1.9] cmd/compile: permit go:cgo_import_dynamic
 anywhere

It's used on Solaris to import symbols from shared libraries, e.g., in
golang.org/x/sys/unix and golang.org/x/net/internal/socket.
We could use a different directive but that would require build tags
in all the places that use it.

Fixes golang/go#23939

Change-Id: I47fcf72a6d2862e304204705979c2056c2f78ec5
Reviewed-on: https://go-review.googlesource.com/94018
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit 41d3d153eb76f000e9f6e9edf68ed441d15081cb)
Reviewed-on: https://go-review.googlesource.com/110077
Reviewed-by: Ian Lance Taylor <iant@golang.org>
---
 src/cmd/compile/internal/gc/noder.go | 28 +++++++++++++++++++++++++++-
 src/cmd/go/internal/load/pkg.go      |  1 +
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/src/cmd/compile/internal/gc/noder.go b/src/cmd/compile/internal/gc/noder.go
index 7cd941206b..37fad2d714 100644
--- a/src/cmd/compile/internal/gc/noder.go
+++ b/src/cmd/compile/internal/gc/noder.go
@@ -1190,8 +1190,22 @@ func (p *noder) pragma(pos src.Pos, text string) syntax.Pragma {
 		}
 		p.linknames = append(p.linknames, linkname{pos, f[1], f[2]})
 
+	case strings.HasPrefix(text, "go:cgo_import_dynamic "):
+		// This is permitted for general use because Solaris
+		// code relies on it in golang.org/x/sys/unix and others.
+		fields := pragmaFields(text)
+		if len(fields) >= 4 {
+			lib := strings.Trim(fields[3], `"`)
+			if lib != "" && !safeArg(lib) && !isCgoGeneratedFile(pos) {
+				p.error(syntax.Error{Pos: pos, Msg: fmt.Sprintf("invalid library name %q in cgo_import_dynamic directive", lib)})
+			}
+			p.pragcgobuf += p.pragcgo(pos, text)
+			return pragmaValue("go:cgo_import_dynamic")
+		}
+		fallthrough
 	case strings.HasPrefix(text, "go:cgo_"):
-		// For security, we disallow //go:cgo_* directives outside cgo-generated files.
+		// For security, we disallow //go:cgo_* directives other
+		// than cgo_import_dynamic outside cgo-generated files.
 		// Exception: they are allowed in the standard library, for runtime and syscall.
 		if !isCgoGeneratedFile(pos) && !compiling_std {
 			p.error(syntax.Error{Pos: pos, Msg: fmt.Sprintf("//%s only allowed in cgo-generated code", text)})
@@ -1227,6 +1241,18 @@ func isCgoGeneratedFile(pos src.Pos) bool {
 	return strings.HasPrefix(filepath.Base(filepath.Clean(pos.AbsFilename())), "_cgo_")
 }
 
+// safeArg reports whether arg is a "safe" command-line argument,
+// meaning that when it appears in a command-line, it probably
+// doesn't have some special meaning other than its own name.
+// This is copied from SafeArg in cmd/go/internal/load/pkg.go.
+func safeArg(name string) bool {
+	if name == "" {
+		return false
+	}
+	c := name[0]
+	return '0' <= c && c <= '9' || 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' || c == '.' || c == '_' || c == '/' || c >= utf8.RuneSelf
+}
+
 func mkname(sym *types.Sym) *Node {
 	n := oldname(sym)
 	if n.Name != nil && n.Name.Pack != nil {
diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
index 65b17012a3..6ca89d946d 100644
--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
@@ -1218,6 +1218,7 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) *Package
 // GNU binutils flagfile specifiers, sometimes called "response files").
 // To be conservative, we reject almost any arg beginning with non-alphanumeric ASCII.
 // We accept leading . _ and / as likely in file system paths.
+// There is a copy of this function in cmd/compile/internal/gc/noder.go.
 func SafeArg(name string) bool {
 	if name == "" {
 		return false
-- 
cgit v1.2.3-54-g00ecf


From 3e0aad426509bdc53dce55b7da088305c9e955d2 Mon Sep 17 00:00:00 2001
From: Andrew Bonventre <andybons@golang.org>
Date: Mon, 30 Apr 2018 13:49:16 -0400
Subject: [release-branch.go1.9] doc: document Go 1.9.6

Change-Id: I9699b22d3a308cda685aa684b32dcde99333df46
Reviewed-on: https://go-review.googlesource.com/110315
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit 40685b230a012dd5a9ca471dbf21b65457c32147)
Reviewed-on: https://go-review.googlesource.com/110375
Reviewed-by: Andrew Bonventre <andybons@golang.org>
---
 doc/devel/release.html | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/devel/release.html b/doc/devel/release.html
index cc481fd42f..5fe6a0eda0 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -70,6 +70,13 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.5">Go
 1.9.5 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.6">Go
+1.9.6 milestone</a> on our issue tracker for details.
+</p>
+
+
 <h2 id="go1.8">go1.8 (released 2017/02/16)</h2>
 
 <p>
-- 
cgit v1.2.3-54-g00ecf


From 20f58c6075aef1bb7327ab0691ae095f9412ab5b Mon Sep 17 00:00:00 2001
From: Andrew Bonventre <andybons@golang.org>
Date: Mon, 30 Apr 2018 14:22:44 -0400
Subject: [release-branch.go1.9] go1.9.6

Change-Id: I00cd8ac03baa5961eb2b6206a4f407b5d89bcece
Reviewed-on: https://go-review.googlesource.com/110336
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index fd1cb91ec0..a5f6513a6d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.9.5
\ No newline at end of file
+go1.9.6
\ No newline at end of file
-- 
cgit v1.2.3-54-g00ecf


From 0ce6af9f1892cb6137e3c05fb0adf763d03f3fea Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Fri, 20 Apr 2018 14:43:17 -0700
Subject: [release-branch.go1.9] misc/cgo/testcshared: use file descriptor 30
 for TestUnexportedSymbols

Backport of CL 108537 to 1.9 release branch.

We were using file descriptor 100, which requires the Linux kernel to
grow the fdtable size. That step may sometimes require a long time,
causing the test to fail. Switch to file descriptor 30, which should
not require growing the fdtable.

Updates #23784
Fixes #25278

Change-Id: I19ea6ab1724ec1807643d5111c44631e20be76b0
Reviewed-on: https://go-review.googlesource.com/111996
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---
 misc/cgo/testcshared/main2.c              | 2 +-
 misc/cgo/testcshared/src/libgo2/libgo2.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/misc/cgo/testcshared/main2.c b/misc/cgo/testcshared/main2.c
index 6e8bf141ca..1a3f1d7545 100644
--- a/misc/cgo/testcshared/main2.c
+++ b/misc/cgo/testcshared/main2.c
@@ -9,7 +9,7 @@
 #include <time.h>
 #include <unistd.h>
 
-#define fd (100)
+#define fd (30)
 
 // Tests libgo2.so, which does not export any functions.
 // Read a string from the file descriptor and print it.
diff --git a/misc/cgo/testcshared/src/libgo2/libgo2.go b/misc/cgo/testcshared/src/libgo2/libgo2.go
index 1b69d8f09f..e57c93b77d 100644
--- a/misc/cgo/testcshared/src/libgo2/libgo2.go
+++ b/misc/cgo/testcshared/src/libgo2/libgo2.go
@@ -21,7 +21,7 @@ import (
 // that the C code can also use.
 
 const (
-	fd = 100
+	fd = 30
 )
 
 func init() {
-- 
cgit v1.2.3-54-g00ecf


From f31a132e58427ed331005f1f9c53737ce4414577 Mon Sep 17 00:00:00 2001
From: Alex Brainman <alex.brainman@gmail.com>
Date: Sat, 5 May 2018 15:28:56 +1000
Subject: [release-branch.go1.9] crypto/x509: copy and use adjusted
 syscall.CertChainPolicyPara

As discussed in issue #21376, it is unsafe to have
syscall.CertChainPolicyPara.ExtraPolicyPara uintptr -
it has to be a pointer type. So copy syscall.CertChainPolicyPara
into crypto/tls package, make ExtraPolicyPara unsafe.Pointer,
and use new struct instead of syscall.CertChainPolicyPara.

Fixes #25034

Change-Id: If914af056cbbb0c4d93ffaa915b3d2cb5ecad0cd
Reviewed-on: https://go-review.googlesource.com/111715
Reviewed-by: Austin Clements <austin@google.com>
Run-TryBot: Austin Clements <austin@google.com>
Reviewed-on: https://go-review.googlesource.com/112179
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 src/crypto/x509/root_windows.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/crypto/x509/root_windows.go b/src/crypto/x509/root_windows.go
index a936fec7d8..4589c5ab5e 100644
--- a/src/crypto/x509/root_windows.go
+++ b/src/crypto/x509/root_windows.go
@@ -95,6 +95,12 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e
 	return nil
 }
 
+type _CertChainPolicyPara struct {
+	Size            uint32
+	Flags           uint32
+	ExtraPolicyPara unsafe.Pointer
+}
+
 // checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for
 // use as a certificate chain for a SSL/TLS server.
 func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error {
@@ -108,13 +114,13 @@ func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContex
 	}
 	sslPara.Size = uint32(unsafe.Sizeof(*sslPara))
 
-	para := &syscall.CertChainPolicyPara{
-		ExtraPolicyPara: uintptr(unsafe.Pointer(sslPara)),
+	para := &_CertChainPolicyPara{
+		ExtraPolicyPara: unsafe.Pointer(sslPara),
 	}
 	para.Size = uint32(unsafe.Sizeof(*para))
 
 	status := syscall.CertChainPolicyStatus{}
-	err = syscall.CertVerifyCertificateChainPolicy(syscall.CERT_CHAIN_POLICY_SSL, chainCtx, para, &status)
+	err = syscall.CertVerifyCertificateChainPolicy(syscall.CERT_CHAIN_POLICY_SSL, chainCtx, (*syscall.CertChainPolicyPara)(unsafe.Pointer(para)), &status)
 	if err != nil {
 		return err
 	}
-- 
cgit v1.2.3-54-g00ecf


From 408b3d7a507c0f4e0f49d80f6fb280232b99afc9 Mon Sep 17 00:00:00 2001
From: Martin Möhrmann <moehrmann@google.com>
Date: Fri, 4 May 2018 06:54:18 +0200
Subject: [release-branch.go1.9] strings: fix encoding of \u0080 in map
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix encoding of PAD (U+0080) which has the same value as utf8.RuneSelf
being incorrectly encoded as \x80 in strings.Map due to using <= instead
of a < comparison operator to check one byte encodings for utf8.

Fixes golang/go#25573

Change-Id: Ib6c7d1f425a7ba81e431b6d64009e713d94ea3bc
Reviewed-on: https://go-review.googlesource.com/111286
Run-TryBot: Martin Möhrmann <moehrmann@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit 8c62fc0ca3c96ecbd3a6e81546aa8c53e32ff500)
Reviewed-on: https://go-review.googlesource.com/114636
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
---
 src/strings/strings.go      |  4 ++--
 src/strings/strings_test.go | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/strings/strings.go b/src/strings/strings.go
index 0c836c09d4..0d660b6217 100644
--- a/src/strings/strings.go
+++ b/src/strings/strings.go
@@ -523,7 +523,7 @@ func Map(mapping func(rune) rune, s string) string {
 		b = make([]byte, len(s)+utf8.UTFMax)
 		nbytes = copy(b, s[:i])
 		if r >= 0 {
-			if r <= utf8.RuneSelf {
+			if r < utf8.RuneSelf {
 				b[nbytes] = byte(r)
 				nbytes++
 			} else {
@@ -553,7 +553,7 @@ func Map(mapping func(rune) rune, s string) string {
 		r := mapping(c)
 
 		// common case
-		if (0 <= r && r <= utf8.RuneSelf) && nbytes < len(b) {
+		if (0 <= r && r < utf8.RuneSelf) && nbytes < len(b) {
 			b[nbytes] = byte(r)
 			nbytes++
 			continue
diff --git a/src/strings/strings_test.go b/src/strings/strings_test.go
index 869be9c477..b5fbe64594 100644
--- a/src/strings/strings_test.go
+++ b/src/strings/strings_test.go
@@ -522,6 +522,7 @@ var upperTests = []StringTest{
 	{"AbC123", "ABC123"},
 	{"azAZ09_", "AZAZ09_"},
 	{"\u0250\u0250\u0250\u0250\u0250", "\u2C6F\u2C6F\u2C6F\u2C6F\u2C6F"}, // grows one byte per char
+	{"a\u0080\U0010FFFF", "A\u0080\U0010FFFF"},                           // test utf8.RuneSelf and utf8.MaxRune
 }
 
 var lowerTests = []StringTest{
@@ -530,6 +531,7 @@ var lowerTests = []StringTest{
 	{"AbC123", "abc123"},
 	{"azAZ09_", "azaz09_"},
 	{"\u2C6D\u2C6D\u2C6D\u2C6D\u2C6D", "\u0251\u0251\u0251\u0251\u0251"}, // shrinks one byte per char
+	{"A\u0080\U0010FFFF", "a\u0080\U0010FFFF"},                           // test utf8.RuneSelf and utf8.MaxRune
 }
 
 const space = "\t\v\r\f\n\u0085\u00a0\u2000\u3000"
@@ -642,6 +644,27 @@ func TestMap(t *testing.T) {
 	if m != expect {
 		t.Errorf("replace invalid sequence: expected %q got %q", expect, m)
 	}
+
+	// 8. Check utf8.RuneSelf and utf8.MaxRune encoding
+	encode := func(r rune) rune {
+		switch r {
+		case utf8.RuneSelf:
+			return unicode.MaxRune
+		case unicode.MaxRune:
+			return utf8.RuneSelf
+		}
+		return r
+	}
+	s := string(utf8.RuneSelf) + string(utf8.MaxRune)
+	r := string(utf8.MaxRune) + string(utf8.RuneSelf) // reverse of s
+	m = Map(encode, s)
+	if m != r {
+		t.Errorf("encoding not handled correctly: expected %q got %q", r, m)
+	}
+	m = Map(encode, r)
+	if m != s {
+		t.Errorf("encoding not handled correctly: expected %q got %q", s, m)
+	}
 }
 
 func TestToUpper(t *testing.T) { runStringTests(t, ToUpper, "ToUpper", upperTests) }
-- 
cgit v1.2.3-54-g00ecf


From 6130a52f21dffb50aa57d7665a05805cbf044c5c Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Wed, 30 May 2018 15:07:04 -0700
Subject: [release-branch.go1.9] cmd/go: accept more safe CFLAGS/LDFLAGS

Fixes #23749
Fixes #24703
Fixes #24858

Change-Id: Ib32d8efee294004c70fdd602087df2da0867f099
Reviewed-on: https://go-review.googlesource.com/115415
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit cc6e568c818053ddc16b80b0406a87d19de7a120)
Reviewed-on: https://go-review.googlesource.com/115436
Reviewed-by: Andrew Bonventre <andybons@golang.org>
---
 src/cmd/go/internal/work/security.go      | 37 +++++++++++++++++++++++++++----
 src/cmd/go/internal/work/security_test.go |  5 +++++
 2 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index 5c67aa945e..1b82af9c97 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -41,43 +41,57 @@ var re = regexp.MustCompile
 
 var validCompilerFlags = []*regexp.Regexp{
 	re(`-D([A-Za-z_].*)`),
+	re(`-F([^@\-].*)`),
 	re(`-I([^@\-].*)`),
 	re(`-O`),
 	re(`-O([^@\-].*)`),
 	re(`-W`),
 	re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
 	re(`-Wa,-mbig-obj`),
+	re(`-Wp,-D([A-Za-z_].*)`),
 	re(`-ansi`),
+	re(`-f(no-)?asynchronous-unwind-tables`),
 	re(`-f(no-)?blocks`),
+	re(`-f(no-)builtin-[a-zA-Z0-9_]*`),
 	re(`-f(no-)?common`),
 	re(`-f(no-)?constant-cfstrings`),
 	re(`-fdiagnostics-show-note-include-stack`),
+	re(`-f(no-)?eliminate-unused-debug-types`),
 	re(`-f(no-)?exceptions`),
+	re(`-f(no-)?fast-math`),
 	re(`-f(no-)?inline-functions`),
 	re(`-finput-charset=([^@\-].*)`),
 	re(`-f(no-)?fat-lto-objects`),
+	re(`-f(no-)?keep-inline-dllexport`),
 	re(`-f(no-)?lto`),
 	re(`-fmacro-backtrace-limit=(.+)`),
 	re(`-fmessage-length=(.+)`),
 	re(`-f(no-)?modules`),
 	re(`-f(no-)?objc-arc`),
+	re(`-f(no-)?objc-nonfragile-abi`),
+	re(`-f(no-)?objc-legacy-dispatch`),
 	re(`-f(no-)?omit-frame-pointer`),
 	re(`-f(no-)?openmp(-simd)?`),
 	re(`-f(no-)?permissive`),
 	re(`-f(no-)?(pic|PIC|pie|PIE)`),
+	re(`-f(no-)?plt`),
 	re(`-f(no-)?rtti`),
 	re(`-f(no-)?split-stack`),
 	re(`-f(no-)?stack-(.+)`),
 	re(`-f(no-)?strict-aliasing`),
 	re(`-f(un)signed-char`),
 	re(`-f(no-)?use-linker-plugin`), // safe if -B is not used; we don't permit -B
+	re(`-f(no-)?visibility-inlines-hidden`),
 	re(`-fsanitize=(.+)`),
 	re(`-ftemplate-depth-(.+)`),
 	re(`-fvisibility=(.+)`),
 	re(`-g([^@\-].*)?`),
 	re(`-m32`),
 	re(`-m64`),
-	re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
+	re(`-m(abi|arch|cpu|fpu|tune)=([^@\-].*)`),
+	re(`-marm`),
+	re(`-mfloat-abi=([^@\-].*)`),
+	re(`-mfpmath=[0-9a-z,+]*`),
 	re(`-m(no-)?avx[0-9a-z.]*`),
 	re(`-m(no-)?ms-bitfields`),
 	re(`-m(no-)?stack-(.+)`),
@@ -86,12 +100,16 @@ var validCompilerFlags = []*regexp.Regexp{
 	re(`-miphoneos-version-min=(.+)`),
 	re(`-mnop-fun-dllimport`),
 	re(`-m(no-)?sse[0-9.]*`),
+	re(`-mthumb(-interwork)?`),
+	re(`-mthreads`),
 	re(`-mwindows`),
+	re(`--param=ssp-buffer-size=[0-9]*`),
 	re(`-pedantic(-errors)?`),
 	re(`-pipe`),
 	re(`-pthread`),
 	re(`-?-std=([^@\-].*)`),
 	re(`-?-stdlib=([^@\-].*)`),
+	re(`--sysroot=([^@\-].*)`),
 	re(`-w`),
 	re(`-x([^@\-].*)`),
 }
@@ -115,15 +133,20 @@ var validLinkerFlags = []*regexp.Regexp{
 	re(`-O`),
 	re(`-O([^@\-].*)`),
 	re(`-f(no-)?(pic|PIC|pie|PIE)`),
+	re(`-f(no-)?openmp(-simd)?`),
 	re(`-fsanitize=([^@\-].*)`),
 	re(`-g([^@\-].*)?`),
-	re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
+	re(`-headerpad_max_install_names`),
+	re(`-m(abi|arch|cpu|fpu|tune)=([^@\-].*)`),
+	re(`-mfloat-abi=([^@\-].*)`),
 	re(`-mmacosx-(.+)`),
 	re(`-mios-simulator-version-min=(.+)`),
 	re(`-miphoneos-version-min=(.+)`),
+	re(`-mthreads`),
 	re(`-mwindows`),
 	re(`-(pic|PIC|pie|PIE)`),
 	re(`-pthread`),
+	re(`-rdynamic`),
 	re(`-shared`),
 	re(`-?-static([-a-z0-9+]*)`),
 	re(`-?-stdlib=([^@\-].*)`),
@@ -134,22 +157,27 @@ var validLinkerFlags = []*regexp.Regexp{
 	// in a wildcard would allow tunnelling arbitrary additional
 	// linker arguments through one of these.
 	re(`-Wl,--(no-)?allow-multiple-definition`),
+	re(`-Wl,--(no-)?allow-shlib-undefined`),
 	re(`-Wl,--(no-)?as-needed`),
 	re(`-Wl,-Bdynamic`),
 	re(`-Wl,-Bstatic`),
+	re(`-WL,-O([^@,\-][^,]*)?`),
 	re(`-Wl,-d[ny]`),
 	re(`-Wl,--disable-new-dtags`),
+	re(`-Wl,-e[=,][a-zA-Z0-9]*`),
 	re(`-Wl,--enable-new-dtags`),
 	re(`-Wl,--end-group`),
 	re(`-Wl,-framework,[^,@\-][^,]+`),
 	re(`-Wl,-headerpad_max_install_names`),
 	re(`-Wl,--no-undefined`),
-	re(`-Wl,-rpath[=,]([^,@\-][^,]+)`),
+	re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`),
+	re(`-Wl,-s`),
 	re(`-Wl,-search_paths_first`),
 	re(`-Wl,-sectcreate,([^,@\-][^,]+),([^,@\-][^,]+),([^,@\-][^,]+)`),
 	re(`-Wl,--start-group`),
 	re(`-Wl,-?-static`),
-	re(`-Wl,--subsystem,(native|windows|console|posix|xbox)`),
+	re(`-Wl,-?-subsystem,(native|windows|console|posix|xbox)`),
+	re(`-Wl,-syslibroot[=,]([^,@\-][^,]+)`),
 	re(`-Wl,-undefined[=,]([^,@\-][^,]+)`),
 	re(`-Wl,-?-unresolved-symbols=[^,]+`),
 	re(`-Wl,--(no-)?warn-([^,]+)`),
@@ -157,6 +185,7 @@ var validLinkerFlags = []*regexp.Regexp{
 	re(`-Wl,-z,relro`),
 
 	re(`[a-zA-Z0-9_/].*\.(a|o|obj|dll|dylib|so)`), // direct linker inputs: x.o or libfoo.so (but not -foo.o or @foo.o)
+	re(`\./.*\.(a|o|obj|dll|dylib|so)`),
 }
 
 var validLinkerFlagsWithNextArg = []string{
diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
index bd898c9de6..c3a61b8e70 100644
--- a/src/cmd/go/internal/work/security_test.go
+++ b/src/cmd/go/internal/work/security_test.go
@@ -12,6 +12,7 @@ import (
 var goodCompilerFlags = [][]string{
 	{"-DFOO"},
 	{"-Dfoo=bar"},
+	{"-F/Qt"},
 	{"-I/"},
 	{"-I/etc/passwd"},
 	{"-I."},
@@ -62,6 +63,8 @@ var goodCompilerFlags = [][]string{
 var badCompilerFlags = [][]string{
 	{"-D@X"},
 	{"-D-X"},
+	{"-F@dir"},
+	{"-F-dir"},
 	{"-I@dir"},
 	{"-I-dir"},
 	{"-O@1"},
@@ -125,6 +128,7 @@ var goodLinkerFlags = [][]string{
 	{"-Wl,--no-warn-error"},
 	{"foo.so"},
 	{"_世界.dll"},
+	{"./x.o"},
 	{"libcgosotest.dylib"},
 	{"-F", "framework"},
 	{"-l", "."},
@@ -191,6 +195,7 @@ var badLinkerFlags = [][]string{
 	{"-x", "--c"},
 	{"-x", "@obj"},
 	{"-Wl,-rpath,@foo"},
+	{"../x.o"},
 }
 
 func TestCheckLinkerFlags(t *testing.T) {
-- 
cgit v1.2.3-54-g00ecf


From 05604d7450b7cfcd946762039ee46e9ab85297d6 Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Wed, 25 Apr 2018 11:06:41 -0400
Subject: [release-branch.go1.9] cmd/go: add minimal module-awareness for
 legacy operation

We want authors to be able to publish code that works with both
the current standard go command and the planned new go command
support for modules. If authors have tagged their code v2 or later,
semantic import versioning means the import paths must include a
v2 path element after the path prefix naming the module.
One option for making this convention compatible with original go get
is to move code into a v2 subdirectory of the root.
That makes sense for some authors, but many authors would prefer
not to move all the code into a v2 subdirectory for a transition and
then move it back up once we everyone has a module-aware go command.

Instead, this CL teaches the old (non-module-aware) go command
a tiny amount about modules and their import paths, to expand
the options for authors who want to publish compatible packages.
If an author has a v2 of a package, say my/thing/v2/sub/pkg,
in the my/thing repo's sub/pkg subdirectory (no v2 in the file system path),
then old go get continues to import that package as my/thing/sub/pkg.
But when go get is processing code in any module (code in a tree with
a go.mod file) and encounters a path like my/thing/v2/sub/pkg,
it will check to see if my/thing/go.mod says "module my/thing/v2".
If so, the go command will read the import my/thing/v2/sub/pkg
as if it said my/thing/sub/pkg, which is the correct "old" import path
for the package in question.

This CL will be back-ported to Go 1.10 and Go 1.9 as well.

Once users have updated to the latest Go point releases containing
this new logic, authors will be able to update to using modules
within their own repos, including using semantic import paths
with vN path elements, and old go get will still be able to consume
those repositories.

This CL also makes "go get" ignore meta go-import lines using
the new "mod" VCS type. This allows a package to specify both
a "mod" type and a "git" type, to present more efficient module
access to module-aware go but still present a Git repo to the old
"go get".

Fixes #24751.
Fixes #25069.

This backport to Go 1.9 also had to pick up p.Internal.RawImports
from CL 74750 and CL 74356 and use it to prepare an updated
set of -importmap arguments for the compiler. (The old code only
understood vendor-related rewriting of import paths.)

Backport fixes #25140.

Change-Id: I378955613a0d63834d4f50f121f4db7e4d87dc0a
Reviewed-on: https://go-review.googlesource.com/115298
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
---
 src/cmd/go/internal/get/discovery.go               |   7 +
 src/cmd/go/internal/get/get.go                     |   2 +-
 src/cmd/go/internal/get/pkg_test.go                |  14 +
 src/cmd/go/internal/list/list.go                   |   4 +-
 src/cmd/go/internal/load/pkg.go                    | 289 +++++++++++++++++----
 src/cmd/go/internal/test/test.go                   |  37 ++-
 src/cmd/go/internal/work/build.go                  |   9 +-
 src/cmd/go/testdata/modlegacy/src/new/go.mod       |   1 +
 src/cmd/go/testdata/modlegacy/src/new/new.go       |   3 +
 src/cmd/go/testdata/modlegacy/src/new/p1/p1.go     |   7 +
 src/cmd/go/testdata/modlegacy/src/new/p2/p2.go     |   1 +
 src/cmd/go/testdata/modlegacy/src/new/sub/go.mod   |   1 +
 .../go/testdata/modlegacy/src/new/sub/inner/go.mod |   1 +
 .../go/testdata/modlegacy/src/new/sub/inner/x/x.go |   1 +
 .../go/testdata/modlegacy/src/new/sub/x/v1/y/y.go  |   1 +
 src/cmd/go/testdata/modlegacy/src/old/p1/p1.go     |   5 +
 src/cmd/go/testdata/modlegacy/src/old/p2/p2.go     |   1 +
 src/cmd/go/vendor_test.go                          |  31 +++
 18 files changed, 343 insertions(+), 72 deletions(-)
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/go.mod
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/new.go
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/p1/p1.go
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/p2/p2.go
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/sub/go.mod
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/sub/inner/go.mod
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/sub/inner/x/x.go
 create mode 100644 src/cmd/go/testdata/modlegacy/src/new/sub/x/v1/y/y.go
 create mode 100644 src/cmd/go/testdata/modlegacy/src/old/p1/p1.go
 create mode 100644 src/cmd/go/testdata/modlegacy/src/old/p2/p2.go

diff --git a/src/cmd/go/internal/get/discovery.go b/src/cmd/go/internal/get/discovery.go
index b2918dbb4f..97aa1d7e8d 100644
--- a/src/cmd/go/internal/get/discovery.go
+++ b/src/cmd/go/internal/get/discovery.go
@@ -55,6 +55,13 @@ func parseMetaGoImports(r io.Reader) (imports []metaImport, err error) {
 			continue
 		}
 		if f := strings.Fields(attrValue(e.Attr, "content")); len(f) == 3 {
+			// Ignore VCS type "mod", which is new Go modules.
+			// This code is for old go get and must ignore the new mod lines.
+			// Otherwise matchGoImport will complain about two
+			// different metaImport lines for the same Prefix.
+			if f[1] == "mod" {
+				continue
+			}
 			imports = append(imports, metaImport{
 				Prefix:   f[0],
 				VCS:      f[1],
diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go
index e5dda643e4..54460ec38f 100644
--- a/src/cmd/go/internal/get/get.go
+++ b/src/cmd/go/internal/get/get.go
@@ -210,7 +210,7 @@ var downloadRootCache = map[string]bool{}
 // download runs the download half of the get command
 // for the package named by the argument.
 func download(arg string, parent *load.Package, stk *load.ImportStack, mode int) {
-	if mode&load.UseVendor != 0 {
+	if mode&load.ResolveImport != 0 {
 		// Caller is responsible for expanding vendor paths.
 		panic("internal error: download mode has useVendor set")
 	}
diff --git a/src/cmd/go/internal/get/pkg_test.go b/src/cmd/go/internal/get/pkg_test.go
index b8937a57ec..1179d86693 100644
--- a/src/cmd/go/internal/get/pkg_test.go
+++ b/src/cmd/go/internal/get/pkg_test.go
@@ -47,6 +47,20 @@ var parseMetaGoImportsTests = []struct {
 			{"baz/quux", "git", "http://github.com/rsc/baz/quux"},
 		},
 	},
+	{
+		`<meta name="go-import" content="foo/bar git https://github.com/rsc/foo/bar">
+		<meta name="go-import" content="foo/bar mod http://github.com/rsc/baz/quux">`,
+		[]metaImport{
+			{"foo/bar", "git", "https://github.com/rsc/foo/bar"},
+		},
+	},
+	{
+		`<meta name="go-import" content="foo/bar mod http://github.com/rsc/baz/quux">
+		<meta name="go-import" content="foo/bar git https://github.com/rsc/foo/bar">`,
+		[]metaImport{
+			{"foo/bar", "git", "https://github.com/rsc/foo/bar"},
+		},
+	},
 	{
 		`<head>
 		<meta name="go-import" content="foo/bar git https://github.com/rsc/foo/bar">
diff --git a/src/cmd/go/internal/list/list.go b/src/cmd/go/internal/list/list.go
index 241d0894c0..6ef3314ea3 100644
--- a/src/cmd/go/internal/list/list.go
+++ b/src/cmd/go/internal/list/list.go
@@ -201,8 +201,8 @@ func runList(cmd *base.Command, args []string) {
 
 	for _, pkg := range loadpkgs(args) {
 		// Show vendor-expanded paths in listing
-		pkg.TestImports = pkg.Vendored(pkg.TestImports)
-		pkg.XTestImports = pkg.Vendored(pkg.XTestImports)
+		pkg.TestImports = pkg.Resolve(pkg.TestImports)
+		pkg.XTestImports = pkg.Resolve(pkg.XTestImports)
 
 		do(&pkg.PackagePublic)
 	}
diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
index 6ca89d946d..de3f5b8fa2 100644
--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
@@ -6,6 +6,7 @@
 package load
 
 import (
+	"bytes"
 	"crypto/sha1"
 	"fmt"
 	"go/build"
@@ -16,6 +17,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"sort"
+	"strconv"
 	"strings"
 	"unicode"
 	"unicode/utf8"
@@ -122,8 +124,9 @@ func (p *Package) AllFiles() []string {
 type PackageInternal struct {
 	// Unexported fields are not part of the public API.
 	Build        *build.Package
-	Pkgdir       string // overrides build.PkgDir
-	Imports      []*Package
+	Pkgdir       string     // overrides build.PkgDir
+	Imports      []*Package // this package's direct imports
+	RawImports   []string   // this package's original imports as they appear in the text of the program
 	Deps         []*Package
 	GoFiles      []string // GoFiles+CgoFiles+TestGoFiles+XTestGoFiles files, absolute paths
 	SFiles       []string
@@ -169,7 +172,7 @@ func (e *NoGoError) Error() string {
 	return "no Go files in " + e.Package.Dir
 }
 
-// Vendored returns the vendor-resolved version of imports,
+// Resolve returns the resolved version of imports,
 // which should be p.TestImports or p.XTestImports, NOT p.Imports.
 // The imports in p.TestImports and p.XTestImports are not recursively
 // loaded during the initial load of p, so they list the imports found in
@@ -179,14 +182,14 @@ func (e *NoGoError) Error() string {
 // can produce better error messages if it starts with the original paths.
 // The initial load of p loads all the non-test imports and rewrites
 // the vendored paths, so nothing should ever call p.vendored(p.Imports).
-func (p *Package) Vendored(imports []string) []string {
+func (p *Package) Resolve(imports []string) []string {
 	if len(imports) > 0 && len(p.Imports) > 0 && &imports[0] == &p.Imports[0] {
-		panic("internal error: p.vendored(p.Imports) called")
+		panic("internal error: p.Resolve(p.Imports) called")
 	}
 	seen := make(map[string]bool)
 	var all []string
 	for _, path := range imports {
-		path = VendoredImportPath(p, path)
+		path = ResolveImportPath(p, path)
 		if !seen[path] {
 			seen[path] = true
 			all = append(all, path)
@@ -245,6 +248,7 @@ func (p *Package) copyBuild(pp *build.Package) {
 	// We modify p.Imports in place, so make copy now.
 	p.Imports = make([]string, len(pp.Imports))
 	copy(p.Imports, pp.Imports)
+	p.Internal.RawImports = pp.Imports
 	p.TestGoFiles = pp.TestGoFiles
 	p.TestImports = pp.TestImports
 	p.XTestGoFiles = pp.XTestGoFiles
@@ -380,16 +384,16 @@ func makeImportValid(r rune) rune {
 
 // Mode flags for loadImport and download (in get.go).
 const (
-	// useVendor means that loadImport should do vendor expansion
-	// (provided the vendoring experiment is enabled).
-	// That is, useVendor means that the import path came from
-	// a source file and has not been vendor-expanded yet.
-	// Every import path should be loaded initially with useVendor,
-	// and then the expanded version (with the /vendor/ in it) gets
-	// recorded as the canonical import path. At that point, future loads
-	// of that package must not pass useVendor, because
+	// ResolveImport means that loadImport should do import path expansion.
+	// That is, ResolveImport means that the import path came from
+	// a source file and has not been expanded yet to account for
+	// vendoring or possible module adjustment.
+	// Every import path should be loaded initially with ResolveImport,
+	// and then the expanded version (for example with the /vendor/ in it)
+	// gets recorded as the canonical import path. At that point, future loads
+	// of that package must not pass ResolveImport, because
 	// disallowVendor will reject direct use of paths containing /vendor/.
-	UseVendor = 1 << iota
+	ResolveImport = 1 << iota
 
 	// getTestDeps is for download (part of "go get") and indicates
 	// that test dependencies should be fetched too.
@@ -414,12 +418,12 @@ func LoadImport(path, srcDir string, parent *Package, stk *ImportStack, importPo
 	isLocal := build.IsLocalImport(path)
 	if isLocal {
 		importPath = dirToImportPath(filepath.Join(srcDir, path))
-	} else if mode&UseVendor != 0 {
-		// We do our own vendor resolution, because we want to
+	} else if mode&ResolveImport != 0 {
+		// We do our own path resolution, because we want to
 		// find out the key to use in packageCache without the
 		// overhead of repeated calls to buildContext.Import.
 		// The code is also needed in a few other places anyway.
-		path = VendoredImportPath(parent, path)
+		path = ResolveImportPath(parent, path)
 		importPath = path
 	}
 
@@ -439,7 +443,7 @@ func LoadImport(path, srcDir string, parent *Package, stk *ImportStack, importPo
 		// TODO: After Go 1, decide when to pass build.AllowBinary here.
 		// See issue 3268 for mistakes to avoid.
 		buildMode := build.ImportComment
-		if mode&UseVendor == 0 || path != origPath {
+		if mode&ResolveImport == 0 || path != origPath {
 			// Not vendoring, or we already found the vendored path.
 			buildMode |= build.IgnoreVendor
 		}
@@ -470,7 +474,7 @@ func LoadImport(path, srcDir string, parent *Package, stk *ImportStack, importPo
 	if perr := disallowInternal(srcDir, p, stk); perr != p {
 		return setErrorPos(perr, importPos)
 	}
-	if mode&UseVendor != 0 {
+	if mode&ResolveImport != 0 {
 		if perr := disallowVendor(srcDir, origPath, p, stk); perr != p {
 			return setErrorPos(perr, importPos)
 		}
@@ -529,24 +533,31 @@ func isDir(path string) bool {
 	return result
 }
 
-// VendoredImportPath returns the expansion of path when it appears in parent.
-// If parent is x/y/z, then path might expand to x/y/z/vendor/path, x/y/vendor/path,
-// x/vendor/path, vendor/path, or else stay path if none of those exist.
-// VendoredImportPath returns the expanded path or, if no expansion is found, the original.
-func VendoredImportPath(parent *Package, path string) (found string) {
-	if parent == nil || parent.Root == "" {
-		return path
-	}
+// ResolveImportPath returns the true meaning of path when it appears in parent.
+// There are two different resolutions applied.
+// First, there is Go 1.5 vendoring (golang.org/s/go15vendor).
+// If vendor expansion doesn't trigger, then the path is also subject to
+// Go 1.11 vgo legacy conversion (golang.org/issue/25069).
+func ResolveImportPath(parent *Package, path string) (found string) {
+	found = VendoredImportPath(parent, path)
+	if found != path {
+		return found
+	}
+	return ModuleImportPath(parent, path)
+}
 
-	dir := filepath.Clean(parent.Dir)
-	root := filepath.Join(parent.Root, "src")
-	if !hasFilePathPrefix(dir, root) || parent.ImportPath != "command-line-arguments" && filepath.Join(root, parent.ImportPath) != dir {
+// dirAndRoot returns the source directory and workspace root
+// for the package p, guaranteeing that root is a path prefix of dir.
+func dirAndRoot(p *Package) (dir, root string) {
+	dir = filepath.Clean(p.Dir)
+	root = filepath.Join(p.Root, "src")
+	if !hasFilePathPrefix(dir, root) || p.ImportPath != "command-line-arguments" && filepath.Join(root, p.ImportPath) != dir {
 		// Look for symlinks before reporting error.
 		dir = expandPath(dir)
 		root = expandPath(root)
 	}
 
-	if !hasFilePathPrefix(dir, root) || len(dir) <= len(root) || dir[len(root)] != filepath.Separator || parent.ImportPath != "command-line-arguments" && !parent.Internal.Local && filepath.Join(root, parent.ImportPath) != dir {
+	if !hasFilePathPrefix(dir, root) || len(dir) <= len(root) || dir[len(root)] != filepath.Separator || p.ImportPath != "command-line-arguments" && !p.Internal.Local && filepath.Join(root, p.ImportPath) != dir {
 		base.Fatalf("unexpected directory layout:\n"+
 			"	import path: %s\n"+
 			"	root: %s\n"+
@@ -554,14 +565,28 @@ func VendoredImportPath(parent *Package, path string) (found string) {
 			"	expand root: %s\n"+
 			"	expand dir: %s\n"+
 			"	separator: %s",
-			parent.ImportPath,
-			filepath.Join(parent.Root, "src"),
-			filepath.Clean(parent.Dir),
+			p.ImportPath,
+			filepath.Join(p.Root, "src"),
+			filepath.Clean(p.Dir),
 			root,
 			dir,
 			string(filepath.Separator))
 	}
 
+	return dir, root
+}
+
+// VendoredImportPath returns the vendor-expansion of path when it appears in parent.
+// If parent is x/y/z, then path might expand to x/y/z/vendor/path, x/y/vendor/path,
+// x/vendor/path, vendor/path, or else stay path if none of those exist.
+// VendoredImportPath returns the expanded path or, if no expansion is found, the original.
+func VendoredImportPath(parent *Package, path string) (found string) {
+	if parent == nil || parent.Root == "" {
+		return path
+	}
+
+	dir, root := dirAndRoot(parent)
+
 	vpath := "vendor/" + path
 	for i := len(dir); i >= len(root); i-- {
 		if i < len(dir) && dir[i] != filepath.Separator {
@@ -604,6 +629,164 @@ func VendoredImportPath(parent *Package, path string) (found string) {
 	return path
 }
 
+var (
+	modulePrefix   = []byte("\nmodule ")
+	goModPathCache = make(map[string]string)
+)
+
+// goModPath returns the module path in the go.mod in dir, if any.
+func goModPath(dir string) (path string) {
+	path, ok := goModPathCache[dir]
+	if ok {
+		return path
+	}
+	defer func() {
+		goModPathCache[dir] = path
+	}()
+
+	data, err := ioutil.ReadFile(filepath.Join(dir, "go.mod"))
+	if err != nil {
+		return ""
+	}
+	var i int
+	if bytes.HasPrefix(data, modulePrefix[1:]) {
+		i = 0
+	} else {
+		i = bytes.Index(data, modulePrefix)
+		if i < 0 {
+			return ""
+		}
+		i++
+	}
+	line := data[i:]
+
+	// Cut line at \n, drop trailing \r if present.
+	if j := bytes.IndexByte(line, '\n'); j >= 0 {
+		line = line[:j]
+	}
+	if line[len(line)-1] == '\r' {
+		line = line[:len(line)-1]
+	}
+	line = line[len("module "):]
+
+	// If quoted, unquote.
+	path = strings.TrimSpace(string(line))
+	if path != "" && path[0] == '"' {
+		s, err := strconv.Unquote(path)
+		if err != nil {
+			return ""
+		}
+		path = s
+	}
+	return path
+}
+
+// findVersionElement returns the slice indices of the final version element /vN in path.
+// If there is no such element, it returns -1, -1.
+func findVersionElement(path string) (i, j int) {
+	j = len(path)
+	for i = len(path) - 1; i >= 0; i-- {
+		if path[i] == '/' {
+			if isVersionElement(path[i:j]) {
+				return i, j
+			}
+			j = i
+		}
+	}
+	return -1, -1
+}
+
+// isVersionElement reports whether s is a well-formed path version element:
+// v2, v3, v10, etc, but not v0, v05, v1.
+func isVersionElement(s string) bool {
+	if len(s) < 3 || s[0] != '/' || s[1] != 'v' || s[2] == '0' || s[2] == '1' && len(s) == 3 {
+		return false
+	}
+	for i := 2; i < len(s); i++ {
+		if s[i] < '0' || '9' < s[i] {
+			return false
+		}
+	}
+	return true
+}
+
+// ModuleImportPath translates import paths found in go modules
+// back down to paths that can be resolved in ordinary builds.
+//
+// Define “new” code as code with a go.mod file in the same directory
+// or a parent directory. If an import in new code says x/y/v2/z but
+// x/y/v2/z does not exist and x/y/go.mod says “module x/y/v2”,
+// then go build will read the import as x/y/z instead.
+// See golang.org/issue/25069.
+func ModuleImportPath(parent *Package, path string) (found string) {
+	if parent == nil || parent.Root == "" {
+		return path
+	}
+
+	// If there are no vN elements in path, leave it alone.
+	// (The code below would do the same, but only after
+	// some other file system accesses that we can avoid
+	// here by returning early.)
+	if i, _ := findVersionElement(path); i < 0 {
+		return path
+	}
+
+	dir, root := dirAndRoot(parent)
+
+	// Consider dir and parents, up to and including root.
+	for i := len(dir); i >= len(root); i-- {
+		if i < len(dir) && dir[i] != filepath.Separator {
+			continue
+		}
+		if goModPath(dir[:i]) != "" {
+			goto HaveGoMod
+		}
+	}
+	// This code is not in a tree with a go.mod,
+	// so apply no changes to the path.
+	return path
+
+HaveGoMod:
+	// This import is in a tree with a go.mod.
+	// Allow it to refer to code in GOPATH/src/x/y/z as x/y/v2/z
+	// if GOPATH/src/x/y/go.mod says module "x/y/v2",
+
+	// If x/y/v2/z exists, use it unmodified.
+	if bp, _ := cfg.BuildContext.Import(path, "", build.IgnoreVendor); bp.Dir != "" {
+		return path
+	}
+
+	// Otherwise look for a go.mod supplying a version element.
+	// Some version-like elements may appear in paths but not
+	// be module versions; we skip over those to look for module
+	// versions. For example the module m/v2 might have a
+	// package m/v2/api/v1/foo.
+	limit := len(path)
+	for limit > 0 {
+		i, j := findVersionElement(path[:limit])
+		if i < 0 {
+			return path
+		}
+		if bp, _ := cfg.BuildContext.Import(path[:i], "", build.IgnoreVendor); bp.Dir != "" {
+			if mpath := goModPath(bp.Dir); mpath != "" {
+				// Found a valid go.mod file, so we're stopping the search.
+				// If the path is m/v2/p and we found m/go.mod that says
+				// "module m/v2", then we return "m/p".
+				if mpath == path[:j] {
+					return path[:i] + path[j:]
+				}
+				// Otherwise just return the original path.
+				// We didn't find anything worth rewriting,
+				// and the go.mod indicates that we should
+				// not consider parent directories.
+				return path
+			}
+		}
+		limit = i
+	}
+	return path
+}
+
 // hasGoFiles reports whether dir contains any files with names ending in .go.
 // For a vendor check we must exclude directories that contain no .go files.
 // Otherwise it is not possible to vendor just a/b/c and still import the
@@ -842,23 +1025,23 @@ const (
 
 // goTools is a map of Go program import path to install target directory.
 var GoTools = map[string]targetDir{
-	"cmd/addr2line": ToTool,
-	"cmd/api":       ToTool,
-	"cmd/asm":       ToTool,
-	"cmd/compile":   ToTool,
-	"cmd/cgo":       ToTool,
-	"cmd/cover":     ToTool,
-	"cmd/dist":      ToTool,
-	"cmd/doc":       ToTool,
-	"cmd/fix":       ToTool,
-	"cmd/link":      ToTool,
-	"cmd/newlink":   ToTool,
-	"cmd/nm":        ToTool,
-	"cmd/objdump":   ToTool,
-	"cmd/pack":      ToTool,
-	"cmd/pprof":     ToTool,
-	"cmd/trace":     ToTool,
-	"cmd/vet":       ToTool,
+	"cmd/addr2line":                        ToTool,
+	"cmd/api":                              ToTool,
+	"cmd/asm":                              ToTool,
+	"cmd/compile":                          ToTool,
+	"cmd/cgo":                              ToTool,
+	"cmd/cover":                            ToTool,
+	"cmd/dist":                             ToTool,
+	"cmd/doc":                              ToTool,
+	"cmd/fix":                              ToTool,
+	"cmd/link":                             ToTool,
+	"cmd/newlink":                          ToTool,
+	"cmd/nm":                               ToTool,
+	"cmd/objdump":                          ToTool,
+	"cmd/pack":                             ToTool,
+	"cmd/pprof":                            ToTool,
+	"cmd/trace":                            ToTool,
+	"cmd/vet":                              ToTool,
 	"code.google.com/p/go.tools/cmd/cover": StalePath,
 	"code.google.com/p/go.tools/cmd/godoc": StalePath,
 	"code.google.com/p/go.tools/cmd/vet":   StalePath,
@@ -1112,7 +1295,7 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) *Package
 		if path == "C" {
 			continue
 		}
-		p1 := LoadImport(path, p.Dir, p, stk, p.Internal.Build.ImportPos[path], UseVendor)
+		p1 := LoadImport(path, p.Dir, p, stk, p.Internal.Build.ImportPos[path], ResolveImport)
 		if p.Standard && p.Error == nil && !p1.Standard && p1.Error == nil {
 			p.Error = &PackageError{
 				ImportStack: stk.Copy(),
diff --git a/src/cmd/go/internal/test/test.go b/src/cmd/go/internal/test/test.go
index ebebffd777..839add34ee 100644
--- a/src/cmd/go/internal/test/test.go
+++ b/src/cmd/go/internal/test/test.go
@@ -429,7 +429,7 @@ var testMainDeps = map[string]bool{
 	// Dependencies for testmain.
 	"testing":                   true,
 	"testing/internal/testdeps": true,
-	"os": true,
+	"os":                        true,
 }
 
 func runTest(cmd *base.Command, args []string) {
@@ -499,10 +499,10 @@ func runTest(cmd *base.Command, args []string) {
 			for _, path := range p.Imports {
 				deps[path] = true
 			}
-			for _, path := range p.Vendored(p.TestImports) {
+			for _, path := range p.Resolve(p.TestImports) {
 				deps[path] = true
 			}
-			for _, path := range p.Vendored(p.XTestImports) {
+			for _, path := range p.Resolve(p.XTestImports) {
 				deps[path] = true
 			}
 		}
@@ -715,8 +715,9 @@ func builderTest(b *work.Builder, p *load.Package) (buildAction, runAction, prin
 	var imports, ximports []*load.Package
 	var stk load.ImportStack
 	stk.Push(p.ImportPath + " (test)")
+	rawTestImports := str.StringList(p.TestImports)
 	for i, path := range p.TestImports {
-		p1 := load.LoadImport(path, p.Dir, p, &stk, p.Internal.Build.TestImportPos[path], load.UseVendor)
+		p1 := load.LoadImport(path, p.Dir, p, &stk, p.Internal.Build.TestImportPos[path], load.ResolveImport)
 		if p1.Error != nil {
 			return nil, nil, nil, p1.Error
 		}
@@ -742,8 +743,9 @@ func builderTest(b *work.Builder, p *load.Package) (buildAction, runAction, prin
 	stk.Pop()
 	stk.Push(p.ImportPath + "_test")
 	pxtestNeedsPtest := false
+	rawXTestImports := str.StringList(p.XTestImports)
 	for i, path := range p.XTestImports {
-		p1 := load.LoadImport(path, p.Dir, p, &stk, p.Internal.Build.XTestImportPos[path], load.UseVendor)
+		p1 := load.LoadImport(path, p.Dir, p, &stk, p.Internal.Build.XTestImportPos[path], load.ResolveImport)
 		if p1.Error != nil {
 			return nil, nil, nil, p1.Error
 		}
@@ -810,8 +812,20 @@ func builderTest(b *work.Builder, p *load.Package) (buildAction, runAction, prin
 		ptest.GoFiles = append(ptest.GoFiles, p.GoFiles...)
 		ptest.GoFiles = append(ptest.GoFiles, p.TestGoFiles...)
 		ptest.Internal.Target = ""
-		ptest.Imports = str.StringList(p.Imports, p.TestImports)
-		ptest.Internal.Imports = append(append([]*load.Package{}, p.Internal.Imports...), imports...)
+		// Note: The preparation of the compiler import map requires that common
+		// indexes in ptest.Imports, ptest.Internal.Imports, and ptest.Internal.RawImports
+		// all line up (but RawImports can be shorter than the others).
+		// That is, for 0 ≤ i < len(RawImports),
+		// RawImports[i] is the import string in the program text,
+		// Imports[i] is the expanded import string (vendoring applied or relative path expanded away),
+		// and Internal.Imports[i] is the corresponding *Package.
+		// Any implicitly added imports appear in Imports and Internal.Imports
+		// but not RawImports (because they were not in the source code).
+		// We insert TestImports, imports, and rawTestImports at the start of
+		// these lists to preserve the alignment.
+		ptest.Imports = str.StringList(p.TestImports, p.Imports)
+		ptest.Internal.Imports = append(imports, p.Internal.Imports...)
+		ptest.Internal.RawImports = str.StringList(rawTestImports, p.Internal.RawImports)
 		ptest.Internal.Pkgdir = testDir
 		ptest.Internal.Fake = true
 		ptest.Internal.ForceLibrary = true
@@ -856,10 +870,11 @@ func builderTest(b *work.Builder, p *load.Package) (buildAction, runAction, prin
 				Build: &build.Package{
 					ImportPos: p.Internal.Build.XTestImportPos,
 				},
-				Imports:  ximports,
-				Pkgdir:   testDir,
-				Fake:     true,
-				External: true,
+				Imports:    ximports,
+				RawImports: rawXTestImports,
+				Pkgdir:     testDir,
+				Fake:       true,
+				External:   true,
 			},
 		}
 		if pxtestNeedsPtest {
diff --git a/src/cmd/go/internal/work/build.go b/src/cmd/go/internal/work/build.go
index e931629105..346ceac7a9 100644
--- a/src/cmd/go/internal/work/build.go
+++ b/src/cmd/go/internal/work/build.go
@@ -2262,11 +2262,10 @@ func (gcToolchain) gc(b *Builder, p *load.Package, archive, obj string, asmhdr b
 		gcargs = append(gcargs, "-dwarf=false")
 	}
 
-	for _, path := range p.Imports {
-		if i := strings.LastIndex(path, "/vendor/"); i >= 0 {
-			gcargs = append(gcargs, "-importmap", path[i+len("/vendor/"):]+"="+path)
-		} else if strings.HasPrefix(path, "vendor/") {
-			gcargs = append(gcargs, "-importmap", path[len("vendor/"):]+"="+path)
+	for i, raw := range p.Internal.RawImports {
+		final := p.Imports[i]
+		if final != raw {
+			gcargs = append(gcargs, "-importmap", raw+"="+final)
 		}
 	}
 
diff --git a/src/cmd/go/testdata/modlegacy/src/new/go.mod b/src/cmd/go/testdata/modlegacy/src/new/go.mod
new file mode 100644
index 0000000000..d0dd46d314
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/go.mod
@@ -0,0 +1 @@
+module "new/v2"
diff --git a/src/cmd/go/testdata/modlegacy/src/new/new.go b/src/cmd/go/testdata/modlegacy/src/new/new.go
new file mode 100644
index 0000000000..e99c47a6a8
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/new.go
@@ -0,0 +1,3 @@
+package new
+
+import _ "new/v2/p2"
diff --git a/src/cmd/go/testdata/modlegacy/src/new/p1/p1.go b/src/cmd/go/testdata/modlegacy/src/new/p1/p1.go
new file mode 100644
index 0000000000..4539f40919
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/p1/p1.go
@@ -0,0 +1,7 @@
+package p1
+
+import _ "old/p2"
+import _ "new/v2"
+import _ "new/v2/p2"
+import _ "new/sub/v2/x/v1/y" // v2 is module, v1 is directory in module
+import _ "new/sub/inner/x"   // new/sub/inner/go.mod overrides new/sub/go.mod
diff --git a/src/cmd/go/testdata/modlegacy/src/new/p2/p2.go b/src/cmd/go/testdata/modlegacy/src/new/p2/p2.go
new file mode 100644
index 0000000000..9b9052f541
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/p2/p2.go
@@ -0,0 +1 @@
+package p2
diff --git a/src/cmd/go/testdata/modlegacy/src/new/sub/go.mod b/src/cmd/go/testdata/modlegacy/src/new/sub/go.mod
new file mode 100644
index 0000000000..484d20c6b2
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/sub/go.mod
@@ -0,0 +1 @@
+module new/sub/v2
diff --git a/src/cmd/go/testdata/modlegacy/src/new/sub/inner/go.mod b/src/cmd/go/testdata/modlegacy/src/new/sub/inner/go.mod
new file mode 100644
index 0000000000..ba3934541f
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/sub/inner/go.mod
@@ -0,0 +1 @@
+module new/sub/inner
diff --git a/src/cmd/go/testdata/modlegacy/src/new/sub/inner/x/x.go b/src/cmd/go/testdata/modlegacy/src/new/sub/inner/x/x.go
new file mode 100644
index 0000000000..823aafd071
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/sub/inner/x/x.go
@@ -0,0 +1 @@
+package x
diff --git a/src/cmd/go/testdata/modlegacy/src/new/sub/x/v1/y/y.go b/src/cmd/go/testdata/modlegacy/src/new/sub/x/v1/y/y.go
new file mode 100644
index 0000000000..789ca715ec
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/new/sub/x/v1/y/y.go
@@ -0,0 +1 @@
+package y
diff --git a/src/cmd/go/testdata/modlegacy/src/old/p1/p1.go b/src/cmd/go/testdata/modlegacy/src/old/p1/p1.go
new file mode 100644
index 0000000000..90527483ab
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/old/p1/p1.go
@@ -0,0 +1,5 @@
+package p1
+
+import _ "old/p2"
+import _ "new/p1"
+import _ "new"
diff --git a/src/cmd/go/testdata/modlegacy/src/old/p2/p2.go b/src/cmd/go/testdata/modlegacy/src/old/p2/p2.go
new file mode 100644
index 0000000000..9b9052f541
--- /dev/null
+++ b/src/cmd/go/testdata/modlegacy/src/old/p2/p2.go
@@ -0,0 +1 @@
+package p2
diff --git a/src/cmd/go/vendor_test.go b/src/cmd/go/vendor_test.go
index 739ce5a5a4..d68e4f94fe 100644
--- a/src/cmd/go/vendor_test.go
+++ b/src/cmd/go/vendor_test.go
@@ -327,3 +327,34 @@ func TestVendor12156(t *testing.T) {
 	tg.grepStderrNot("panic", "panicked")
 	tg.grepStderr(`cannot find package "x"`, "wrong error")
 }
+
+// Module legacy support does path rewriting very similar to vendoring.
+
+func TestModLegacy(t *testing.T) {
+	tg := testgo(t)
+	defer tg.cleanup()
+	tg.setenv("GOPATH", filepath.Join(tg.pwd(), "testdata/modlegacy"))
+	tg.run("list", "-f", "{{.Imports}}", "old/p1")
+	tg.grepStdout("new/p1", "old/p1 should import new/p1")
+	tg.run("list", "-f", "{{.Imports}}", "new/p1")
+	tg.grepStdout("new/p2", "new/p1 should import new/p2 (not new/v2/p2)")
+	tg.grepStdoutNot("new/v2", "new/p1 should NOT import new/v2*")
+	tg.grepStdout("new/sub/x/v1/y", "new/p1 should import new/sub/x/v1/y (not new/sub/v2/x/v1/y)")
+	tg.grepStdoutNot("new/sub/v2", "new/p1 should NOT import new/sub/v2*")
+	tg.grepStdout("new/sub/inner/x", "new/p1 should import new/sub/inner/x (no rewrites)")
+	tg.run("build", "old/p1", "new/p1")
+}
+
+func TestModLegacyGet(t *testing.T) {
+	testenv.MustHaveExternalNetwork(t)
+
+	tg := testgo(t)
+	defer tg.cleanup()
+	tg.makeTempdir()
+	tg.setenv("GOPATH", tg.path("."))
+	tg.run("get", "vcs-test.golang.org/git/modlegacy1-old.git/p1")
+	tg.run("list", "-f", "{{.Deps}}", "vcs-test.golang.org/git/modlegacy1-old.git/p1")
+	tg.grepStdout("new.git/p2", "old/p1 should depend on new/p2")
+	tg.grepStdoutNot("new.git/v2/p2", "old/p1 should NOT depend on new/v2/p2")
+	tg.run("build", "vcs-test.golang.org/git/modlegacy1-old.git/p1", "vcs-test.golang.org/git/modlegacy1-new.git/p1")
+}
-- 
cgit v1.2.3-54-g00ecf


From 91f0e20ecbff8c7744c7b8a7a6a4582a3bfef5a2 Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Fri, 1 Jun 2018 15:47:29 -0400
Subject: [release-branch.go1.9] cmd/go: fix 'go get' compatibility for direct
 download of vgo-aware module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CL 109340 added “minimal module-awareness for legacy operation.”
One part of that is reinterpreting imports inside code trees with go.mod files
as using semantic import versioning, and converting them back to
legacy import paths by stripping the major version element
(for example, interpreting import "x.com/foo/v2/bar" as import "x.com/foo/bar").
This rewrite was not being applied during "go get", with the effect that once
you had the target code downloaded already, everything was fine,
but it didn't download and build successfully the first time.

Fixes #25687.
Cherry-pick fixes #25691.

Change-Id: I3e122efdc8fd9a0a4e66f5aa3e6a99f90c7df779
Reviewed-on: https://go-review.googlesource.com/115797
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://go-review.googlesource.com/116175
---
 src/cmd/go/internal/get/get.go  |  8 ++++----
 src/cmd/go/internal/load/pkg.go |  9 ++++++++-
 src/cmd/go/vendor_test.go       | 44 ++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 55 insertions(+), 6 deletions(-)

diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go
index 54460ec38f..6495576ab4 100644
--- a/src/cmd/go/internal/get/get.go
+++ b/src/cmd/go/internal/get/get.go
@@ -218,7 +218,7 @@ func download(arg string, parent *load.Package, stk *load.ImportStack, mode int)
 		if parent == nil {
 			return load.LoadPackage(path, stk)
 		}
-		return load.LoadImport(path, parent.Dir, parent, stk, nil, mode)
+		return load.LoadImport(path, parent.Dir, parent, stk, nil, mode|load.ResolveModule)
 	}
 
 	p := load1(arg, mode)
@@ -347,12 +347,12 @@ func download(arg string, parent *load.Package, stk *load.ImportStack, mode int)
 				base.Errorf("%s", err)
 				continue
 			}
-			// If this is a test import, apply vendor lookup now.
-			// We cannot pass useVendor to download, because
+			// If this is a test import, apply module and vendor lookup now.
+			// We cannot pass ResolveImport to download, because
 			// download does caching based on the value of path,
 			// so it must be the fully qualified path already.
 			if i >= len(p.Imports) {
-				path = load.VendoredImportPath(p, path)
+				path = load.ResolveImportPath(p, path)
 			}
 			download(path, p, stk, 0)
 		}
diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
index de3f5b8fa2..873abe07a0 100644
--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
@@ -395,7 +395,11 @@ const (
 	// disallowVendor will reject direct use of paths containing /vendor/.
 	ResolveImport = 1 << iota
 
-	// getTestDeps is for download (part of "go get") and indicates
+	// ResolveModule is for download (part of "go get") and indicates
+	// that the module adjustment should be done, but not vendor adjustment.
+	ResolveModule
+
+	// GetTestDeps is for download (part of "go get") and indicates
 	// that test dependencies should be fetched too.
 	GetTestDeps
 )
@@ -425,6 +429,9 @@ func LoadImport(path, srcDir string, parent *Package, stk *ImportStack, importPo
 		// The code is also needed in a few other places anyway.
 		path = ResolveImportPath(parent, path)
 		importPath = path
+	} else if mode&ResolveModule != 0 {
+		path = ModuleImportPath(parent, path)
+		importPath = path
 	}
 
 	p := packageCache[importPath]
diff --git a/src/cmd/go/vendor_test.go b/src/cmd/go/vendor_test.go
index d68e4f94fe..c394365d9f 100644
--- a/src/cmd/go/vendor_test.go
+++ b/src/cmd/go/vendor_test.go
@@ -10,6 +10,7 @@ import (
 	"bytes"
 	"fmt"
 	"internal/testenv"
+	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
@@ -351,10 +352,51 @@ func TestModLegacyGet(t *testing.T) {
 	tg := testgo(t)
 	defer tg.cleanup()
 	tg.makeTempdir()
-	tg.setenv("GOPATH", tg.path("."))
+	tg.setenv("GOPATH", tg.path("d1"))
 	tg.run("get", "vcs-test.golang.org/git/modlegacy1-old.git/p1")
 	tg.run("list", "-f", "{{.Deps}}", "vcs-test.golang.org/git/modlegacy1-old.git/p1")
 	tg.grepStdout("new.git/p2", "old/p1 should depend on new/p2")
 	tg.grepStdoutNot("new.git/v2/p2", "old/p1 should NOT depend on new/v2/p2")
 	tg.run("build", "vcs-test.golang.org/git/modlegacy1-old.git/p1", "vcs-test.golang.org/git/modlegacy1-new.git/p1")
+
+	tg.setenv("GOPATH", tg.path("d2"))
+
+	tg.must(os.RemoveAll(tg.path("d2")))
+	tg.run("get", "github.com/rsc/vgotest5")
+	tg.run("get", "github.com/rsc/vgotest4")
+	tg.run("get", "github.com/myitcv/vgo_example_compat")
+
+	if testing.Short() {
+		return
+	}
+
+	tg.must(os.RemoveAll(tg.path("d2")))
+	tg.run("get", "github.com/rsc/vgotest4")
+	tg.run("get", "github.com/rsc/vgotest5")
+	tg.run("get", "github.com/myitcv/vgo_example_compat")
+
+	tg.must(os.RemoveAll(tg.path("d2")))
+	tg.run("get", "github.com/rsc/vgotest4", "github.com/rsc/vgotest5")
+	tg.run("get", "github.com/myitcv/vgo_example_compat")
+
+	tg.must(os.RemoveAll(tg.path("d2")))
+	tg.run("get", "github.com/rsc/vgotest5", "github.com/rsc/vgotest4")
+	tg.run("get", "github.com/myitcv/vgo_example_compat")
+
+	tg.must(os.RemoveAll(tg.path("d2")))
+	tg.run("get", "github.com/myitcv/vgo_example_compat")
+	tg.run("get", "github.com/rsc/vgotest4", "github.com/rsc/vgotest5")
+
+	pkgs := []string{"github.com/myitcv/vgo_example_compat", "github.com/rsc/vgotest4", "github.com/rsc/vgotest5"}
+	for i := 0; i < 3; i++ {
+		for j := 0; j < 3; j++ {
+			for k := 0; k < 3; k++ {
+				if i == j || i == k || k == j {
+					continue
+				}
+				tg.must(os.RemoveAll(tg.path("d2")))
+				tg.run("get", pkgs[i], pkgs[j], pkgs[k])
+			}
+		}
+	}
 }
-- 
cgit v1.2.3-54-g00ecf


From f7343499018d20ba9537c38ac9a5129b3beca3b7 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Tue, 5 Jun 2018 17:10:29 -0400
Subject: [release-branch.go1.9] doc: document Go 1.9.7

Change-Id: I10dededb41162a99dbc42792a9d314c6dabddcca
Reviewed-on: https://go-review.googlesource.com/116362
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
(cherry picked from commit b3a9948126471ac285e30c7920465c4c28ea0526)
Reviewed-on: https://go-review.googlesource.com/116475
Reviewed-by: Filippo Valsorda <filippo@golang.org>
---
 doc/devel/release.html | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/devel/release.html b/doc/devel/release.html
index 5fe6a0eda0..1ee0aa9cea 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -76,6 +76,15 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.6">Go
 1.9.6 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.9.7 (released 2018/06/05) includes fixes to the go command, and the
+<code>crypto/x509</code>, and <code>strings</code> packages.
+In particular, it adds <a href="https://go.googlesource.com/go/+/d4e21288e444d3ffd30d1a0737f15ea3fc3b8ad9">
+minimal support to the go command for the vgo transition</a>.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.7">Go
+1.9.7 milestone</a> on our issue tracker for details.
+</p>
+
 
 <h2 id="go1.8">go1.8 (released 2017/02/16)</h2>
 
-- 
cgit v1.2.3-54-g00ecf


From 7df09b4a03f9e53334672674ba7983d5e7128646 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Wed, 6 Jun 2018 15:40:41 -0400
Subject: [release-branch.go1.9] go1.9.7

Change-Id: I417f9b711f92d0297d9d24272cb88365cdd945d3
Reviewed-on: https://go-review.googlesource.com/116497
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index a5f6513a6d..eee2d5be21 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.9.6
\ No newline at end of file
+go1.9.7
\ No newline at end of file
-- 
cgit v1.2.3-54-g00ecf