burrowers · pagran · Feb 18, 2024 · Feb 17, 2024
diff --git a/go_std_tables.go b/go_std_tables.go
diff --git a/scripts/check-third-party.sh b/scripts/check-third-party.sh
@@ -33,6 +33,9 @@ modules=(
 	github.com/andybalholm/brotli v1.0.4
 
 	# TODO: consider github.com/mattn/go-sqlite3 to cover a DB and more cgo
+
+	# TODO: add x/net and x/unix as they include hacks like go:linkname
+	# or copying syscall types.
 )
 
 SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)

diff --git a/scripts/gen-go-std-tables.sh b/scripts/gen-go-std-tables.sh
@@ -34,12 +34,6 @@ var runtimeAndDeps = map[string]bool{
 $(for path in ${runtime_and_deps}; do
 	echo "\"${path}\": true,"
 done)
-	// Not runtime dependencies, but still use tricks allowed by import path.
-	// TODO: collect directly from cmd/internal/objabi/pkgspecial.go,
-	// in this particular case from allowAsmABIPkgs.
-	"reflect": true,
-	"syscall": true,
-	"runtime/internal/startlinetest": true,
 }
 
 var runtimeLinknamed = []string{

diff --git a/shared.go b/shared.go
@@ -183,8 +183,12 @@ func (p *listedPackage) obfuscatedImportPath() string {
 	//   * runtime: it is special in many ways
 	//   * reflect: its presence turns down dead code elimination
 	//   * embed: its presence enables using //go:embed
+	//   * others like syscall are allowed by import path to have more ABI tricks
+	//
+	// TODO: collect directly from cmd/internal/objabi/pkgspecial.go,
+	// in this particular case from allowAsmABIPkgs.
 	switch p.ImportPath {
-	case "runtime", "reflect", "embed":
+	case "runtime", "reflect", "embed", "syscall", "runtime/internal/startlinetest":
 		return p.ImportPath
 	}
 	// Intrinsics are matched by package import path as well.

diff --git a/testdata/script/gogarble.txtar b/testdata/script/gogarble.txtar
@@ -36,11 +36,11 @@ exec garble build std
 # Also ensure we are obfuscating low-level std packages.
 exec garble build -o=out ./stdimporter
 ! stderr . # no warnings
-! binsubstr out 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now'
+! binsubstr out 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' 'syscall.Listen'
 
 # The same low-level std packages appear in plain sight in regular builds.
 go build -o=out_regular ./stdimporter
-binsubstr out_regular 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now'
+binsubstr out_regular 'http.ListenAndServe' 'debug.WriteHeapDump' 'time.Now' 'syscall.Listen'
 
 # Also check that a full rebuild is reproducible, via a new GOCACHE.
 # This is slow, but necessary to uncover bugs hidden by the build cache.
@@ -79,6 +79,7 @@ import (
 	"net/http"
 	"runtime/debug"
 	"time"
+	"syscall"
 )
 
 func main() {
@@ -87,4 +88,5 @@ func main() {
 	// as it is implemented by runtime via a linkname.
 	debug.WriteHeapDump(1)
 	time.Now()
+	syscall.Listen(0, 1)
 }
diff --git a/testdata/script/implement.txtar b/testdata/script/implement.txtar
@@ -61,6 +61,21 @@ func main() {
 	fmt.Println(T("foo"))
 	fmt.Println(T("foo").unexportedMethod())
 }
+
+-- main_linux.go --
+package main
+
+import "syscall"
+
+// golang.org/x/sys/unix has a copy of syscall.Rlimit and converts with it.
+// Note that syscall.Rlimit is only declared in some unix GOOSes.
+type Rlimit2 struct {
+	Cur uint64
+	Max uint64
+}
+
+var _ = (*syscall.Rlimit)(new(Rlimit2))
+
 -- lib1/lib1.go --
 package lib1