cmd/dist: don't test FIPS when ASAN is on

CL 627603 added a clear error that FIPS+ASAN doesn't work, and disabled a test in check_test.go. The :gofips140 test variants in cmd/dist need to be disabled as well. Remove a return after testing.T.Skipf since it's unreachable. For #70321. Fixes #70496. Change-Id: Ia53830db1260a817aff1a82cbd91b725e0791437 Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-asan-clang15 Reviewed-on: https://go-review.googlesource.com/c/go/+/631095 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
golang · Nov 22, 2024 · 4865aad · 4865aad
1 parent de76c0d
commit 4865aad
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/src/cmd/dist/test.go b/src/cmd/dist/test.go
@@ -714,7 +714,7 @@ func (t *tester) registerTests() {
 	})
 
 	// Check that all crypto packages compile (and test correctly, in longmode) with fips.
-	if fipsSupported() {
+	if t.fipsSupported() {
 		// Test standard crypto packages with fips140=on.
 		t.registerTest("GODEBUG=fips140=on go test crypto/...", &goTest{
 			variant: "gofips140",
@@ -1794,7 +1794,7 @@ func isEnvSet(evar string) bool {
 	return false
 }
 
-func fipsSupported() bool {
+func (t *tester) fipsSupported() bool {
 	// Use GOFIPS140 or GOEXPERIMENT=boringcrypto, but not both.
 	if strings.Contains(goexperiment, "boringcrypto") {
 		return false
@@ -1811,6 +1811,13 @@ func fipsSupported() bool {
 		goos == "aix":
 		return false
 	}
+
+	// For now, FIPS+ASAN doesn't need to work.
+	// If this is made to work, also re-enable the test in check_test.go.
+	if t.asan {
+		return false
+	}
+
 	return true
 }
 

diff --git a/src/crypto/internal/fips140/check/check.go b/src/crypto/internal/fips140/check/check.go
@@ -83,7 +83,8 @@ func init() {
 		// crypto/internal/fips140deps and then call it to unpoison the range
 		// before reading it, but it is unclear whether that would then cause
 		// false negatives. For now, FIPS+ASAN doesn't need to work.
-		// If this is made to work, also re-enable the test in check_test.go.
+		// If this is made to work, also re-enable the test in check_test.go
+		// and in cmd/dist/test.go.
 		panic("fips140: cannot verify in asan mode")
 	}
 

diff --git a/src/crypto/internal/fips140test/check_test.go b/src/crypto/internal/fips140test/check_test.go
@@ -41,7 +41,6 @@ func TestFIPSCheckVerify(t *testing.T) {
 	if asan.Enabled {
 		// Verification panics with asan; don't bother.
 		t.Skipf("skipping with -asan")
-		return
 	}
 
 	cmd := testenv.Command(t, os.Args[0], "-test.v", "-test.run=TestFIPSCheck")