Update continuity, go-winio and hcsshim

Update dependencies and remove the local bindfilter files. Those have been moved to go-winio. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
2023-02-28 10:58:50 -08:00
parent 00efd3e6d8
commit db32798592
32 changed files with 581 additions and 400 deletions
--- a/vendor/github.com/Microsoft/go-winio/.golangci.yml
+++ b/vendor/github.com/Microsoft/go-winio/.golangci.yml
@@ -8,12 +8,8 @@ linters:
    - containedctx # struct contains a context
    - dupl # duplicate code
    - errname # erorrs are named correctly
-    - goconst # strings that should be constants
-    - godot # comments end in a period
-    - misspell
    - nolintlint # "//nolint" directives are properly explained
    - revive # golint replacement
-    - stylecheck # golint replacement, less configurable than revive
    - unconvert # unnecessary conversions
    - wastedassign

@@ -23,10 +19,7 @@ linters:
    - exhaustive # check exhaustiveness of enum switch statements
    - gofmt # files are gofmt'ed
    - gosec # security
-    - nestif # deeply nested ifs
    - nilerr # returns nil even with non-nil error
-    - prealloc # slices that can be pre-allocated
-    - structcheck # unused struct fields
    - unparam # unused function params

 issues:
@@ -56,6 +49,8 @@ issues:


 linters-settings:
+  exhaustive:
+    default-signifies-exhaustive: true
  govet:
    enable-all: true
    disable:
@@ -98,6 +93,8 @@ linters-settings:
        disabled: true
      - name: flag-parameter # excessive, and a common idiom we use
        disabled: true
+      - name: unhandled-error # warns over common fmt.Print* and io.Close; rely on errcheck instead
+        disabled: true
      # general config
      - name: line-length-limit
        arguments:
@@ -138,7 +135,3 @@ linters-settings:
            - VPCI
            - WCOW
            - WIM
-  stylecheck:
-    checks:
-      - "all"
-      - "-ST1003" # use revive's var naming
--- a/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go
@@ -0,0 +1,308 @@
+//go:build windows
+// +build windows
+
+package bindfilter
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+//go:generate go run github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go ./bind_filter.go
+//sys bfSetupFilter(jobHandle windows.Handle, flags uint32, virtRootPath string, virtTargetPath string, virtExceptions **uint16, virtExceptionPathCount uint32) (hr error) = bindfltapi.BfSetupFilter?
+//sys bfRemoveMapping(jobHandle windows.Handle, virtRootPath string)  (hr error) = bindfltapi.BfRemoveMapping?
+//sys bfGetMappings(flags uint32, jobHandle windows.Handle, virtRootPath *uint16, sid *windows.SID, bufferSize *uint32, outBuffer *byte)  (hr error) = bindfltapi.BfGetMappings?
+
+// BfSetupFilter flags. See:
+// https://github.com/microsoft/BuildXL/blob/a6dce509f0d4f774255e5fbfb75fa6d5290ed163/Public/Src/Utilities/Native/Processes/Windows/NativeContainerUtilities.cs#L193-L240
+//
+//nolint:revive // var-naming: ALL_CAPS
+const (
+	BINDFLT_FLAG_READ_ONLY_MAPPING uint32 = 0x00000001
+	// Tells bindflt to fail mapping with STATUS_INVALID_PARAMETER if a mapping produces
+	// multiple targets.
+	BINDFLT_FLAG_NO_MULTIPLE_TARGETS uint32 = 0x00000040
+)
+
+//nolint:revive // var-naming: ALL_CAPS
+const (
+	BINDFLT_GET_MAPPINGS_FLAG_VOLUME uint32 = 0x00000001
+	BINDFLT_GET_MAPPINGS_FLAG_SILO   uint32 = 0x00000002
+	BINDFLT_GET_MAPPINGS_FLAG_USER   uint32 = 0x00000004
+)
+
+// ApplyFileBinding creates a global mount of the source in root, with an optional
+// read only flag.
+// The bind filter allows us to create mounts of directories and volumes. By default it allows
+// us to mount multiple sources inside a single root, acting as an overlay. Files from the
+// second source will superscede the first source that was mounted.
+// This function disables this behavior and sets the BINDFLT_FLAG_NO_MULTIPLE_TARGETS flag
+// on the mount.
+func ApplyFileBinding(root, source string, readOnly bool) error {
+	// The parent directory needs to exist for the bind to work. MkdirAll stats and
+	// returns nil if the directory exists internally so we should be fine to mkdirall
+	// every time.
+	if err := os.MkdirAll(filepath.Dir(root), 0); err != nil {
+		return err
+	}
+
+	if strings.Contains(source, "Volume{") && !strings.HasSuffix(source, "\\") {
+		// Add trailing slash to volumes, otherwise we get an error when binding it to
+		// a folder.
+		source = source + "\\"
+	}
+
+	flags := BINDFLT_FLAG_NO_MULTIPLE_TARGETS
+	if readOnly {
+		flags |= BINDFLT_FLAG_READ_ONLY_MAPPING
+	}
+
+	// Set the job handle to 0 to create a global mount.
+	if err := bfSetupFilter(
+		0,
+		flags,
+		root,
+		source,
+		nil,
+		0,
+	); err != nil {
+		return fmt.Errorf("failed to bind target %q to root %q: %w", source, root, err)
+	}
+	return nil
+}
+
+// RemoveFileBinding removes a mount from the root path.
+func RemoveFileBinding(root string) error {
+	if err := bfRemoveMapping(0, root); err != nil {
+		return fmt.Errorf("removing file binding: %w", err)
+	}
+	return nil
+}
+
+// GetBindMappings returns a list of bind mappings that have their root on a
+// particular volume. The volumePath parameter can be any path that exists on
+// a volume. For example, if a number of mappings are created in C:\ProgramData\test,
+// to get a list of those mappings, the volumePath parameter would have to be set to
+// C:\ or the VOLUME_NAME_GUID notation of C:\ (\\?\Volume{GUID}\), or any child
+// path that exists.
+func GetBindMappings(volumePath string) ([]BindMapping, error) {
+	rootPtr, err := windows.UTF16PtrFromString(volumePath)
+	if err != nil {
+		return nil, err
+	}
+
+	flags := BINDFLT_GET_MAPPINGS_FLAG_VOLUME
+	// allocate a large buffer for results
+	var outBuffSize uint32 = 256 * 1024
+	buf := make([]byte, outBuffSize)
+
+	if err := bfGetMappings(flags, 0, rootPtr, nil, &outBuffSize, &buf[0]); err != nil {
+		return nil, err
+	}
+
+	if outBuffSize < 12 {
+		return nil, fmt.Errorf("invalid buffer returned")
+	}
+
+	result := buf[:outBuffSize]
+
+	// The first 12 bytes are the three uint32 fields in getMappingsResponseHeader{}
+	headerBuffer := result[:12]
+	// The alternative to using unsafe and casting it to the above defined structures, is to manually
+	// parse the fields. Not too terrible, but not sure it'd worth the trouble.
+	header := *(*getMappingsResponseHeader)(unsafe.Pointer(&headerBuffer[0]))
+
+	if header.MappingCount == 0 {
+		// no mappings
+		return []BindMapping{}, nil
+	}
+
+	mappingsBuffer := result[12 : int(unsafe.Sizeof(mappingEntry{}))*int(header.MappingCount)]
+	// Get a pointer to the first mapping in the slice
+	mappingsPointer := (*mappingEntry)(unsafe.Pointer(&mappingsBuffer[0]))
+	// Get slice of mappings
+	mappings := unsafe.Slice(mappingsPointer, header.MappingCount)
+
+	mappingEntries := make([]BindMapping, header.MappingCount)
+	for i := 0; i < int(header.MappingCount); i++ {
+		bindMapping, err := getBindMappingFromBuffer(result, mappings[i])
+		if err != nil {
+			return nil, fmt.Errorf("fetching bind mappings: %w", err)
+		}
+		mappingEntries[i] = bindMapping
+	}
+
+	return mappingEntries, nil
+}
+
+// mappingEntry holds information about where in the response buffer we can
+// find information about the virtual root (the mount point) and the targets (sources)
+// that get mounted, as well as the flags used to bind the targets to the virtual root.
+type mappingEntry struct {
+	VirtRootLength      uint32
+	VirtRootOffset      uint32
+	Flags               uint32
+	NumberOfTargets     uint32
+	TargetEntriesOffset uint32
+}
+
+type mappingTargetEntry struct {
+	TargetRootLength uint32
+	TargetRootOffset uint32
+}
+
+// getMappingsResponseHeader represents the first 12 bytes of the BfGetMappings() response.
+// It gives us the size of the buffer, the status of the call and the number of mappings.
+// A response
+type getMappingsResponseHeader struct {
+	Size         uint32
+	Status       uint32
+	MappingCount uint32
+}
+
+type BindMapping struct {
+	MountPoint string
+	Flags      uint32
+	Targets    []string
+}
+
+func decodeEntry(buffer []byte) (string, error) {
+	name := make([]uint16, len(buffer)/2)
+	err := binary.Read(bytes.NewReader(buffer), binary.LittleEndian, &name)
+	if err != nil {
+		return "", fmt.Errorf("decoding name: %w", err)
+	}
+	return windows.UTF16ToString(name), nil
+}
+
+func getTargetsFromBuffer(buffer []byte, offset, count int) ([]string, error) {
+	if len(buffer) < offset+count*6 {
+		return nil, fmt.Errorf("invalid buffer")
+	}
+
+	targets := make([]string, count)
+	for i := 0; i < count; i++ {
+		entryBuf := buffer[offset+i*8 : offset+i*8+8]
+		tgt := *(*mappingTargetEntry)(unsafe.Pointer(&entryBuf[0]))
+		if len(buffer) < int(tgt.TargetRootOffset)+int(tgt.TargetRootLength) {
+			return nil, fmt.Errorf("invalid buffer")
+		}
+		decoded, err := decodeEntry(buffer[tgt.TargetRootOffset : tgt.TargetRootOffset+tgt.TargetRootLength])
+		if err != nil {
+			return nil, fmt.Errorf("decoding name: %w", err)
+		}
+		decoded, err = getFinalPath(decoded)
+		if err != nil {
+			return nil, fmt.Errorf("fetching final path: %w", err)
+		}
+
+		targets[i] = decoded
+	}
+	return targets, nil
+}
+
+func getFinalPath(pth string) (string, error) {
+	// BfGetMappings returns VOLUME_NAME_NT paths like \Device\HarddiskVolume2\ProgramData.
+	// These can be accessed by prepending \\.\GLOBALROOT to the path. We use this to get the
+	// DOS paths for these files.
+	if strings.HasPrefix(pth, `\Device`) {
+		pth = `\\.\GLOBALROOT` + pth
+	}
+
+	han, err := openPath(pth)
+	if err != nil {
+		return "", fmt.Errorf("fetching file handle: %w", err)
+	}
+	defer func() {
+		_ = windows.CloseHandle(han)
+	}()
+
+	buf := make([]uint16, 100)
+	var flags uint32 = 0x0
+	for {
+		n, err := windows.GetFinalPathNameByHandle(han, &buf[0], uint32(len(buf)), flags)
+		if err != nil {
+			// if we mounted a volume that does not also have a drive letter assigned, attempting to
+			// fetch the VOLUME_NAME_DOS will fail with os.ErrNotExist. Attempt to get the VOLUME_NAME_GUID.
+			if errors.Is(err, os.ErrNotExist) && flags != 0x1 {
+				flags = 0x1
+				continue
+			}
+			return "", fmt.Errorf("getting final path name: %w", err)
+		}
+		if n < uint32(len(buf)) {
+			break
+		}
+		buf = make([]uint16, n)
+	}
+	finalPath := syscall.UTF16ToString(buf)
+	// We got VOLUME_NAME_DOS, we need to strip away some leading slashes.
+	// Leave unchanged if we ended up requesting VOLUME_NAME_GUID
+	if len(finalPath) > 4 && finalPath[:4] == `\\?\` && flags == 0x0 {
+		finalPath = finalPath[4:]
+		if len(finalPath) > 3 && finalPath[:3] == `UNC` {
+			// return path like \\server\share\...
+			finalPath = `\` + finalPath[3:]
+		}
+	}
+
+	return finalPath, nil
+}
+
+func getBindMappingFromBuffer(buffer []byte, entry mappingEntry) (BindMapping, error) {
+	if len(buffer) < int(entry.VirtRootOffset)+int(entry.VirtRootLength) {
+		return BindMapping{}, fmt.Errorf("invalid buffer")
+	}
+
+	src, err := decodeEntry(buffer[entry.VirtRootOffset : entry.VirtRootOffset+entry.VirtRootLength])
+	if err != nil {
+		return BindMapping{}, fmt.Errorf("decoding entry: %w", err)
+	}
+	targets, err := getTargetsFromBuffer(buffer, int(entry.TargetEntriesOffset), int(entry.NumberOfTargets))
+	if err != nil {
+		return BindMapping{}, fmt.Errorf("fetching targets: %w", err)
+	}
+
+	src, err = getFinalPath(src)
+	if err != nil {
+		return BindMapping{}, fmt.Errorf("fetching final path: %w", err)
+	}
+
+	return BindMapping{
+		Flags:      entry.Flags,
+		Targets:    targets,
+		MountPoint: src,
+	}, nil
+}
+
+func openPath(path string) (windows.Handle, error) {
+	u16, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return 0, err
+	}
+	h, err := windows.CreateFile(
+		u16,
+		0,
+		windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE|windows.FILE_SHARE_DELETE,
+		nil,
+		windows.OPEN_EXISTING,
+		windows.FILE_FLAG_BACKUP_SEMANTICS, // Needed to open a directory handle.
+		0)
+	if err != nil {
+		return 0, &os.PathError{
+			Op:   "CreateFile",
+			Path: path,
+			Err:  err,
+		}
+	}
+	return h, nil
+}
--- a/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/zsyscall_windows.go
@@ -0,0 +1,116 @@
+//go:build windows
+
+// Code generated by 'go generate' using "github.com/Microsoft/go-winio/tools/mkwinsyscall"; DO NOT EDIT.
+
+package bindfilter
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modbindfltapi = windows.NewLazySystemDLL("bindfltapi.dll")
+
+	procBfGetMappings   = modbindfltapi.NewProc("BfGetMappings")
+	procBfRemoveMapping = modbindfltapi.NewProc("BfRemoveMapping")
+	procBfSetupFilter   = modbindfltapi.NewProc("BfSetupFilter")
+)
+
+func bfGetMappings(flags uint32, jobHandle windows.Handle, virtRootPath *uint16, sid *windows.SID, bufferSize *uint32, outBuffer *byte) (hr error) {
+	hr = procBfGetMappings.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procBfGetMappings.Addr(), 6, uintptr(flags), uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(bufferSize)), uintptr(unsafe.Pointer(outBuffer)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func bfRemoveMapping(jobHandle windows.Handle, virtRootPath string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(virtRootPath)
+	if hr != nil {
+		return
+	}
+	return _bfRemoveMapping(jobHandle, _p0)
+}
+
+func _bfRemoveMapping(jobHandle windows.Handle, virtRootPath *uint16) (hr error) {
+	hr = procBfRemoveMapping.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procBfRemoveMapping.Addr(), 2, uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func bfSetupFilter(jobHandle windows.Handle, flags uint32, virtRootPath string, virtTargetPath string, virtExceptions **uint16, virtExceptionPathCount uint32) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(virtRootPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(virtTargetPath)
+	if hr != nil {
+		return
+	}
+	return _bfSetupFilter(jobHandle, flags, _p0, _p1, virtExceptions, virtExceptionPathCount)
+}
+
+func _bfSetupFilter(jobHandle windows.Handle, flags uint32, virtRootPath *uint16, virtTargetPath *uint16, virtExceptions **uint16, virtExceptionPathCount uint32) (hr error) {
+	hr = procBfSetupFilter.Find()
+	if hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procBfSetupFilter.Addr(), 6, uintptr(jobHandle), uintptr(flags), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(virtTargetPath)), uintptr(unsafe.Pointer(virtExceptions)), uintptr(virtExceptionPathCount))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
--- a/vendor/github.com/containerd/continuity/.golangci.yml
+++ b/vendor/github.com/containerd/continuity/.golangci.yml
@@ -1,7 +1,5 @@
 linters:
  enable:
-    - structcheck
-    - varcheck
    - staticcheck
    - unconvert
    - gofmt
--- a/vendor/github.com/containerd/continuity/context.go
+++ b/vendor/github.com/containerd/continuity/context.go
@@ -18,6 +18,7 @@ package continuity

 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -151,7 +152,7 @@ func (c *context) Resource(p string, fi os.FileInfo) (Resource, error) {
 	}

 	base.xattrs, err = c.resolveXAttrs(fp, fi, base)
-	if err != nil && err != ErrNotSupported {
+	if err != nil && !errors.Is(err, ErrNotSupported) {
 		return nil, err
 	}

@@ -410,7 +411,7 @@ func (c *context) Apply(resource Resource) error {
 		return fmt.Errorf("resource %v escapes root", resource)
 	}

-	var chmod = true
+	chmod := true
 	fi, err := c.driver.Lstat(fp)
 	if err != nil {
 		if !os.IsNotExist(err) {
--- a/vendor/github.com/containerd/continuity/driver/utils.go
+++ b/vendor/github.com/containerd/continuity/driver/utils.go
@@ -56,7 +56,7 @@ func WriteFile(r Driver, filename string, data []byte, perm os.FileMode) error {
 	return nil
 }

-// ReadDir works the same as ioutil.ReadDir with the Driver abstraction
+// ReadDir works the same as os.ReadDir with the Driver abstraction
 func ReadDir(r Driver, dirname string) ([]os.FileInfo, error) {
 	f, err := r.Open(dirname)
 	if err != nil {
--- a/vendor/github.com/containerd/continuity/fs/copy.go
+++ b/vendor/github.com/containerd/continuity/fs/copy.go
@@ -18,7 +18,6 @@ package fs

 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sync"
@@ -111,7 +110,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 		}
 	}

-	fis, err := ioutil.ReadDir(src)
+	entries, err := os.ReadDir(src)
 	if err != nil {
 		return fmt.Errorf("failed to read %s: %w", src, err)
 	}
@@ -124,18 +123,23 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 		return fmt.Errorf("failed to copy xattrs: %w", err)
 	}

-	for _, fi := range fis {
-		source := filepath.Join(src, fi.Name())
-		target := filepath.Join(dst, fi.Name())
+	for _, entry := range entries {
+		source := filepath.Join(src, entry.Name())
+		target := filepath.Join(dst, entry.Name())
+
+		fileInfo, err := entry.Info()
+		if err != nil {
+			return fmt.Errorf("failed to get file info for %s: %w", entry.Name(), err)
+		}

 		switch {
-		case fi.IsDir():
+		case entry.IsDir():
 			if err := copyDirectory(target, source, inodes, o); err != nil {
 				return err
 			}
 			continue
-		case (fi.Mode() & os.ModeType) == 0:
-			link, err := getLinkSource(target, fi, inodes)
+		case (fileInfo.Mode() & os.ModeType) == 0:
+			link, err := getLinkSource(target, fileInfo, inodes)
 			if err != nil {
 				return fmt.Errorf("failed to get hardlink: %w", err)
 			}
@@ -146,7 +150,7 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 			} else if err := CopyFile(target, source); err != nil {
 				return fmt.Errorf("failed to copy files: %w", err)
 			}
-		case (fi.Mode() & os.ModeSymlink) == os.ModeSymlink:
+		case (fileInfo.Mode() & os.ModeSymlink) == os.ModeSymlink:
 			link, err := os.Readlink(source)
 			if err != nil {
 				return fmt.Errorf("failed to read link: %s: %w", source, err)
@@ -154,18 +158,18 @@ func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) er
 			if err := os.Symlink(link, target); err != nil {
 				return fmt.Errorf("failed to create symlink: %s: %w", target, err)
 			}
-		case (fi.Mode() & os.ModeDevice) == os.ModeDevice,
-			(fi.Mode() & os.ModeNamedPipe) == os.ModeNamedPipe,
-			(fi.Mode() & os.ModeSocket) == os.ModeSocket:
-			if err := copyIrregular(target, fi); err != nil {
+		case (fileInfo.Mode() & os.ModeDevice) == os.ModeDevice,
+			(fileInfo.Mode() & os.ModeNamedPipe) == os.ModeNamedPipe,
+			(fileInfo.Mode() & os.ModeSocket) == os.ModeSocket:
+			if err := copyIrregular(target, fileInfo); err != nil {
 				return fmt.Errorf("failed to create irregular file: %w", err)
 			}
 		default:
-			logrus.Warnf("unsupported mode: %s: %s", source, fi.Mode())
+			logrus.Warnf("unsupported mode: %s: %s", source, fileInfo.Mode())
 			continue
 		}

-		if err := copyFileInfo(fi, source, target); err != nil {
+		if err := copyFileInfo(fileInfo, source, target); err != nil {
 			return fmt.Errorf("failed to copy file info: %w", err)
 		}

--- a/vendor/github.com/containerd/continuity/fs/copy_windows.go
+++ b/vendor/github.com/containerd/continuity/fs/copy_windows.go
@@ -49,7 +49,6 @@ func copyFileInfo(fi os.FileInfo, src, name string) error {
 	secInfo, err := windows.GetNamedSecurityInfo(
 		src, windows.SE_FILE_OBJECT,
 		windows.OWNER_SECURITY_INFORMATION|windows.DACL_SECURITY_INFORMATION)
-
 	if err != nil {
 		return err
 	}
@@ -68,7 +67,6 @@ func copyFileInfo(fi os.FileInfo, src, name string) error {
 		name, windows.SE_FILE_OBJECT,
 		windows.OWNER_SECURITY_INFORMATION|windows.DACL_SECURITY_INFORMATION,
 		sid, nil, dacl, nil); err != nil {
-
 		return err
 	}
 	return nil
--- a/vendor/github.com/containerd/continuity/fs/diff.go
+++ b/vendor/github.com/containerd/continuity/fs/diff.go
@@ -80,12 +80,13 @@ type ChangeFunc func(ChangeKind, string, os.FileInfo, error) error
 //
 // The change callback is called by the order of path names and
 // should be appliable in that order.
-//  Due to this apply ordering, the following is true
-//  - Removed directory trees only create a single change for the root
-//    directory removed. Remaining changes are implied.
-//  - A directory which is modified to become a file will not have
-//    delete entries for sub-path items, their removal is implied
-//    by the removal of the parent directory.
+//
+//	Due to this apply ordering, the following is true
+//	- Removed directory trees only create a single change for the root
+//	  directory removed. Remaining changes are implied.
+//	- A directory which is modified to become a file will not have
+//	  delete entries for sub-path items, their removal is implied
+//	  by the removal of the parent directory.
 //
 // Opaque directories will not be treated specially and each file
 // removed from the base directory will show up as a removal.
--- a/vendor/github.com/containerd/continuity/fs/dtype_linux.go
+++ b/vendor/github.com/containerd/continuity/fs/dtype_linux.go
@@ -21,14 +21,13 @@ package fs

 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"syscall"
 	"unsafe"
 )

 func locateDummyIfEmpty(path string) (string, error) {
-	children, err := ioutil.ReadDir(path)
+	children, err := os.ReadDir(path)
 	if err != nil {
 		return "", err
 	}
--- a/vendor/github.com/containerd/continuity/fs/du_unix.go
+++ b/vendor/github.com/containerd/continuity/fs/du_unix.go
@@ -28,10 +28,11 @@ import (

 // blocksUnitSize is the unit used by `st_blocks` in `stat` in bytes.
 // See https://man7.org/linux/man-pages/man2/stat.2.html
-//   st_blocks
-//     This field indicates the number of blocks allocated to the
-//     file, in 512-byte units.  (This may be smaller than
-//     st_size/512 when the file has holes.)
+//
+//	st_blocks
+//	  This field indicates the number of blocks allocated to the
+//	  file, in 512-byte units.  (This may be smaller than
+//	  st_size/512 when the file has holes.)
 const blocksUnitSize = 512

 type inode struct {
@@ -48,7 +49,6 @@ func newInode(stat *syscall.Stat_t) inode {
 }

 func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
-
 	var (
 		size   int64
 		inodes = map[inode]struct{}{} // expensive!
--- a/vendor/github.com/containerd/continuity/fs/du_windows.go
+++ b/vendor/github.com/containerd/continuity/fs/du_windows.go
@@ -26,9 +26,7 @@ import (
 )

 func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
-	var (
-		size int64
-	)
+	var size int64

 	// TODO(stevvooe): Support inodes (or equivalent) for windows.

@@ -57,9 +55,7 @@ func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
 }

 func diffUsage(ctx context.Context, a, b string) (Usage, error) {
-	var (
-		size int64
-	)
+	var size int64

 	if err := Changes(ctx, a, b, func(kind ChangeKind, _ string, fi os.FileInfo, err error) error {
 		if err != nil {
--- a/vendor/github.com/containerd/continuity/fs/fstest/compare_windows.go
+++ b/vendor/github.com/containerd/continuity/fs/fstest/compare_windows.go
@@ -16,9 +16,15 @@

 package fstest

-// TODO: Any more metadata files generated by Windows layers?
-// TODO: Also skip Recycle Bin contents in Windows layers which is used to store deleted files in some cases
 var metadataFiles = map[string]bool{
-	"\\System Volume Information": true,
-	"\\WcSandboxState":            true,
+	"\\System Volume Information":           true,
+	"\\WcSandboxState":                      true,
+	"\\Windows":                             true,
+	"\\Windows\\System32":                   true,
+	"\\Windows\\System32\\config":           true,
+	"\\Windows\\System32\\config\\DEFAULT":  true,
+	"\\Windows\\System32\\config\\SAM":      true,
+	"\\Windows\\System32\\config\\SECURITY": true,
+	"\\Windows\\System32\\config\\SOFTWARE": true,
+	"\\Windows\\System32\\config\\SYSTEM":   true,
 }
--- a/vendor/github.com/containerd/continuity/fs/fstest/continuity_util.go
+++ b/vendor/github.com/containerd/continuity/fs/fstest/continuity_util.go
@@ -129,7 +129,6 @@ func compareResource(r1, r2 continuity.Resource) bool {
 	// TODO(dmcgowan): Check if is XAttrer

 	return compareResourceTypes(r1, r2)
-
 }

 func compareResourceTypes(r1, r2 continuity.Resource) bool {
--- a/vendor/github.com/containerd/continuity/fs/fstest/file_windows.go
+++ b/vendor/github.com/containerd/continuity/fs/fstest/file_windows.go
@@ -32,13 +32,13 @@ func Lchtimes(name string, atime, mtime time.Time) Applier {
 // that the filter will mount. It is used for testing the snapshotter
 func Base() Applier {
 	return Apply(
-		CreateDir("Windows", 0755),
-		CreateDir("Windows/System32", 0755),
-		CreateDir("Windows/System32/Config", 0755),
-		CreateFile("Windows/System32/Config/SYSTEM", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/SOFTWARE", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/SAM", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/SECURITY", []byte("foo\n"), 0777),
-		CreateFile("Windows/System32/Config/DEFAULT", []byte("foo\n"), 0777),
+		CreateDir("Windows", 0o755),
+		CreateDir("Windows/System32", 0o755),
+		CreateDir("Windows/System32/Config", 0o755),
+		CreateFile("Windows/System32/Config/SYSTEM", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/SOFTWARE", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/SAM", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/SECURITY", []byte("foo\n"), 0o777),
+		CreateFile("Windows/System32/Config/DEFAULT", []byte("foo\n"), 0o777),
 	)
 }
--- a/vendor/github.com/containerd/continuity/fs/fstest/testsuite.go
+++ b/vendor/github.com/containerd/continuity/fs/fstest/testsuite.go
@@ -81,14 +81,14 @@ var (
 	// baseApplier creates a basic filesystem layout
 	// with multiple types of files for basic tests.
 	baseApplier = Apply(
-		CreateDir("/etc/", 0755),
-		CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0644),
+		CreateDir("/etc/", 0o755),
+		CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0o644),
 		Link("/etc/hosts", "/etc/hosts.allow"),
-		CreateDir("/usr/local/lib", 0755),
-		CreateFile("/usr/local/lib/libnothing.so", []byte{0x00, 0x00}, 0755),
+		CreateDir("/usr/local/lib", 0o755),
+		CreateFile("/usr/local/lib/libnothing.so", []byte{0x00, 0x00}, 0o755),
 		Symlink("libnothing.so", "/usr/local/lib/libnothing.so.2"),
-		CreateDir("/home", 0755),
-		CreateDir("/home/derek", 0700),
+		CreateDir("/home", 0o755),
+		CreateDir("/home/derek", 0o700),
 		// TODO: CreateSocket: how should Sockets be handled in continuity?
 	)

@@ -96,10 +96,10 @@ var (
 	basicTest = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
-			CreateFile("/etc/fstab", []byte("/dev/sda1\t/\text4\tdefaults 1 1\n"), 0600),
-			CreateFile("/etc/badfile", []byte(""), 0666),
-			CreateFile("/home/derek/.zshrc", []byte("#ZSH is just better\n"), 0640),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
+			CreateFile("/etc/fstab", []byte("/dev/sda1\t/\text4\tdefaults 1 1\n"), 0o600),
+			CreateFile("/etc/badfile", []byte(""), 0o666),
+			CreateFile("/home/derek/.zshrc", []byte("#ZSH is just better\n"), 0o640),
 		),
 		Apply(
 			Remove("/etc/badfile"),
@@ -111,8 +111,8 @@ var (
 		),
 		Apply(
 			RemoveAll("/home"),
-			CreateDir("/home/derek", 0700),
-			CreateFile("/home/derek/.bashrc", []byte("#not going away\n"), 0640),
+			CreateDir("/home/derek", 0o700),
+			CreateFile("/home/derek/.bashrc", []byte("#not going away\n"), 0o640),
 			Link("/etc/hosts", "/etc/hosts.allow"),
 		),
 	}
@@ -121,58 +121,58 @@ var (
 	// deletions are properly picked up and applied
 	deletionTest = []Applier{
 		Apply(
-			CreateDir("/test/somedir", 0755),
-			CreateDir("/lib", 0700),
-			CreateFile("/lib/hidden", []byte{}, 0644),
+			CreateDir("/test/somedir", 0o755),
+			CreateDir("/lib", 0o700),
+			CreateFile("/lib/hidden", []byte{}, 0o644),
 		),
 		Apply(
-			CreateFile("/test/a", []byte{}, 0644),
-			CreateFile("/test/b", []byte{}, 0644),
-			CreateDir("/test/otherdir", 0755),
-			CreateFile("/test/otherdir/.empty", []byte{}, 0644),
+			CreateFile("/test/a", []byte{}, 0o644),
+			CreateFile("/test/b", []byte{}, 0o644),
+			CreateDir("/test/otherdir", 0o755),
+			CreateFile("/test/otherdir/.empty", []byte{}, 0o644),
 			RemoveAll("/lib"),
-			CreateDir("/lib", 0700),
-			CreateFile("/lib/not-hidden", []byte{}, 0644),
+			CreateDir("/lib", 0o700),
+			CreateFile("/lib/not-hidden", []byte{}, 0o644),
 		),
 		Apply(
 			Remove("/test/a"),
 			Remove("/test/b"),
 			RemoveAll("/test/otherdir"),
-			CreateFile("/lib/newfile", []byte{}, 0644),
+			CreateFile("/lib/newfile", []byte{}, 0o644),
 		),
 	}

 	// updateTest covers file updates for content and permission
 	updateTest = []Applier{
 		Apply(
-			CreateDir("/d1", 0755),
-			CreateDir("/d2", 0700),
-			CreateFile("/d1/f1", []byte("something..."), 0644),
-			CreateFile("/d1/f2", []byte("else..."), 0644),
-			CreateFile("/d1/f3", []byte("entirely..."), 0644),
+			CreateDir("/d1", 0o755),
+			CreateDir("/d2", 0o700),
+			CreateFile("/d1/f1", []byte("something..."), 0o644),
+			CreateFile("/d1/f2", []byte("else..."), 0o644),
+			CreateFile("/d1/f3", []byte("entirely..."), 0o644),
 		),
 		Apply(
-			CreateFile("/d1/f1", []byte("file content of a different length"), 0664),
+			CreateFile("/d1/f1", []byte("file content of a different length"), 0o664),
 			Remove("/d1/f3"),
-			CreateFile("/d1/f3", []byte("updated content"), 0664),
-			Chmod("/d1/f2", 0766),
-			Chmod("/d2", 0777),
+			CreateFile("/d1/f3", []byte("updated content"), 0o664),
+			Chmod("/d1/f2", 0o766),
+			Chmod("/d2", 0o777),
 		),
 	}

 	// directoryPermissionsTest covers directory permissions on update
 	directoryPermissionsTest = []Applier{
 		Apply(
-			CreateDir("/d1", 0700),
-			CreateDir("/d2", 0751),
-			CreateDir("/d3", 0777),
+			CreateDir("/d1", 0o700),
+			CreateDir("/d2", 0o751),
+			CreateDir("/d3", 0o777),
 		),
 		Apply(
-			CreateFile("/d1/f", []byte("irrelevant"), 0644),
-			CreateDir("/d1/d", 0700),
-			CreateFile("/d1/d/f", []byte("irrelevant"), 0644),
-			CreateFile("/d2/f", []byte("irrelevant"), 0644),
-			CreateFile("/d3/f", []byte("irrelevant"), 0644),
+			CreateFile("/d1/f", []byte("irrelevant"), 0o644),
+			CreateDir("/d1/d", 0o700),
+			CreateFile("/d1/d/f", []byte("irrelevant"), 0o644),
+			CreateFile("/d2/f", []byte("irrelevant"), 0o644),
+			CreateFile("/d3/f", []byte("irrelevant"), 0o644),
 		),
 	}

@@ -180,28 +180,28 @@ var (
 	// files
 	parentDirectoryPermissionsTest = []Applier{
 		Apply(
-			CreateDir("/d1", 0700),
-			CreateDir("/d1/a", 0700),
-			CreateDir("/d1/a/b", 0700),
-			CreateDir("/d1/a/b/c", 0700),
-			CreateFile("/d1/a/b/f", []byte("content1"), 0644),
-			CreateDir("/d2", 0751),
-			CreateDir("/d2/a/b", 0751),
-			CreateDir("/d2/a/b/c", 0751),
-			CreateFile("/d2/a/b/f", []byte("content1"), 0644),
+			CreateDir("/d1", 0o700),
+			CreateDir("/d1/a", 0o700),
+			CreateDir("/d1/a/b", 0o700),
+			CreateDir("/d1/a/b/c", 0o700),
+			CreateFile("/d1/a/b/f", []byte("content1"), 0o644),
+			CreateDir("/d2", 0o751),
+			CreateDir("/d2/a/b", 0o751),
+			CreateDir("/d2/a/b/c", 0o751),
+			CreateFile("/d2/a/b/f", []byte("content1"), 0o644),
 		),
 		Apply(
-			CreateFile("/d1/a/b/f", []byte("content1"), 0644),
-			Chmod("/d1/a/b/c", 0700),
-			CreateFile("/d2/a/b/f", []byte("content2"), 0644),
-			Chmod("/d2/a/b/c", 0751),
+			CreateFile("/d1/a/b/f", []byte("content1"), 0o644),
+			Chmod("/d1/a/b/c", 0o700),
+			CreateFile("/d2/a/b/f", []byte("content2"), 0o644),
+			Chmod("/d2/a/b/c", 0o751),
 		),
 	}

 	hardlinkUnmodified = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
 		),
 		Apply(
 			Link("/etc/hosts", "/etc/hosts.deny"),
@@ -213,7 +213,7 @@ var (
 	hardlinkBeforeUnmodified = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
 		),
 		Apply(
 			Link("/etc/hosts", "/etc/before-hosts"),
@@ -225,11 +225,11 @@ var (
 	hardlinkBeforeModified = []Applier{
 		baseApplier,
 		Apply(
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost.localdomain"), 0o644),
 		),
 		Apply(
 			Remove("/etc/hosts"),
-			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0644),
+			CreateFile("/etc/hosts", []byte("127.0.0.1 localhost"), 0o644),
 			Link("/etc/hosts", "/etc/before-hosts"),
 		),
 	}
--- a/vendor/github.com/containerd/continuity/fs/path.go
+++ b/vendor/github.com/containerd/continuity/fs/path.go
@@ -25,9 +25,7 @@ import (
 	"path/filepath"
 )

-var (
-	errTooManyLinks = errors.New("too many links")
-)
+var errTooManyLinks = errors.New("too many links")

 type currentPath struct {
 	path     string
--- a/vendor/github.com/containerd/continuity/hardlinks.go
+++ b/vendor/github.com/containerd/continuity/hardlinks.go
@@ -21,9 +21,7 @@ import (
 	"os"
 )

-var (
-	errNotAHardLink = fmt.Errorf("invalid hardlink")
-)
+var errNotAHardLink = fmt.Errorf("invalid hardlink")

 type hardlinkManager struct {
 	hardlinks map[hardlinkKey][]Resource
--- a/vendor/golang.org/x/tools/go/packages/packages.go
+++ b/vendor/golang.org/x/tools/go/packages/packages.go
@@ -878,12 +878,19 @@ func (ld *loader) loadPackage(lpkg *loaderPackage) {
 	// never has to create a types.Package for an indirect dependency,
 	// which would then require that such created packages be explicitly
 	// inserted back into the Import graph as a final step after export data loading.
+	// (Hence this return is after the Types assignment.)
 	// The Diamond test exercises this case.
 	if !lpkg.needtypes && !lpkg.needsrc {
 		return
 	}
 	if !lpkg.needsrc {
-		ld.loadFromExportData(lpkg)
+		if err := ld.loadFromExportData(lpkg); err != nil {
+			lpkg.Errors = append(lpkg.Errors, Error{
+				Pos:  "-",
+				Msg:  err.Error(),
+				Kind: UnknownError, // e.g. can't find/open/parse export data
+			})
+		}
 		return // not a source package, don't get syntax trees
 	}

@@ -970,7 +977,8 @@ func (ld *loader) loadPackage(lpkg *loaderPackage) {
 		// The config requested loading sources and types, but sources are missing.
 		// Add an error to the package and fall back to loading from export data.
 		appendError(Error{"-", fmt.Sprintf("sources missing for package %s", lpkg.ID), ParseError})
-		ld.loadFromExportData(lpkg)
+		_ = ld.loadFromExportData(lpkg) // ignore any secondary errors
+
 		return // can't get syntax trees for this package
 	}

@@ -1194,9 +1202,10 @@ func sameFile(x, y string) bool {
 	return false
 }

-// loadFromExportData returns type information for the specified
+// loadFromExportData ensures that type information is present for the specified
 // package, loading it from an export data file on the first request.
-func (ld *loader) loadFromExportData(lpkg *loaderPackage) (*types.Package, error) {
+// On success it sets lpkg.Types to a new Package.
+func (ld *loader) loadFromExportData(lpkg *loaderPackage) error {
 	if lpkg.PkgPath == "" {
 		log.Fatalf("internal error: Package %s has no PkgPath", lpkg)
 	}
@@ -1207,8 +1216,8 @@ func (ld *loader) loadFromExportData(lpkg *loaderPackage) (*types.Package, error
 	// must be sequential. (Finer-grained locking would require
 	// changes to the gcexportdata API.)
 	//
-	// The exportMu lock guards the Package.Pkg field and the
-	// types.Package it points to, for each Package in the graph.
+	// The exportMu lock guards the lpkg.Types field and the
+	// types.Package it points to, for each loaderPackage in the graph.
 	//
 	// Not all accesses to Package.Pkg need to be protected by exportMu:
 	// graph ordering ensures that direct dependencies of source
@@ -1217,18 +1226,18 @@ func (ld *loader) loadFromExportData(lpkg *loaderPackage) (*types.Package, error
 	defer ld.exportMu.Unlock()

 	if tpkg := lpkg.Types; tpkg != nil && tpkg.Complete() {
-		return tpkg, nil // cache hit
+		return nil // cache hit
 	}

 	lpkg.IllTyped = true // fail safe

 	if lpkg.ExportFile == "" {
 		// Errors while building export data will have been printed to stderr.
-		return nil, fmt.Errorf("no export data file")
+		return fmt.Errorf("no export data file")
 	}
 	f, err := os.Open(lpkg.ExportFile)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	defer f.Close()

@@ -1240,7 +1249,7 @@ func (ld *loader) loadFromExportData(lpkg *loaderPackage) (*types.Package, error
 	// queries.)
 	r, err := gcexportdata.NewReader(f)
 	if err != nil {
-		return nil, fmt.Errorf("reading %s: %v", lpkg.ExportFile, err)
+		return fmt.Errorf("reading %s: %v", lpkg.ExportFile, err)
 	}

 	// Build the view.
@@ -1284,7 +1293,7 @@ func (ld *loader) loadFromExportData(lpkg *loaderPackage) (*types.Package, error
 	// (May modify incomplete packages in view but not create new ones.)
 	tpkg, err := gcexportdata.Read(r, ld.Fset, view, lpkg.PkgPath)
 	if err != nil {
-		return nil, fmt.Errorf("reading %s: %v", lpkg.ExportFile, err)
+		return fmt.Errorf("reading %s: %v", lpkg.ExportFile, err)
 	}
 	if _, ok := view["go.shape"]; ok {
 		// Account for the pseudopackage "go.shape" that gets
@@ -1297,8 +1306,7 @@ func (ld *loader) loadFromExportData(lpkg *loaderPackage) (*types.Package, error

 	lpkg.Types = tpkg
 	lpkg.IllTyped = false
-
-	return tpkg, nil
+	return nil
 }

 // impliedLoadMode returns loadMode with its dependencies.
--- a/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
+++ b/vendor/golang.org/x/tools/internal/gcimporter/iexport.go
@@ -22,6 +22,7 @@ import (
 	"strconv"
 	"strings"

+	"golang.org/x/tools/internal/tokeninternal"
 	"golang.org/x/tools/internal/typeparams"
 )

@@ -138,6 +139,17 @@ func iexportCommon(out io.Writer, fset *token.FileSet, bundle, shallow bool, ver
 		p.doDecl(p.declTodo.popHead())
 	}

+	// Produce index of offset of each file record in files.
+	var files intWriter
+	var fileOffset []uint64 // fileOffset[i] is offset in files of file encoded as i
+	if p.shallow {
+		fileOffset = make([]uint64, len(p.fileInfos))
+		for i, info := range p.fileInfos {
+			fileOffset[i] = uint64(files.Len())
+			p.encodeFile(&files, info.file, info.needed)
+		}
+	}
+
 	// Append indices to data0 section.
 	dataLen := uint64(p.data0.Len())
 	w := p.newWriter()
@@ -163,16 +175,75 @@ func iexportCommon(out io.Writer, fset *token.FileSet, bundle, shallow bool, ver
 	}
 	hdr.uint64(uint64(p.version))
 	hdr.uint64(uint64(p.strings.Len()))
+	if p.shallow {
+		hdr.uint64(uint64(files.Len()))
+		hdr.uint64(uint64(len(fileOffset)))
+		for _, offset := range fileOffset {
+			hdr.uint64(offset)
+		}
+	}
 	hdr.uint64(dataLen)

 	// Flush output.
 	io.Copy(out, &hdr)
 	io.Copy(out, &p.strings)
+	if p.shallow {
+		io.Copy(out, &files)
+	}
 	io.Copy(out, &p.data0)

 	return nil
 }

+// encodeFile writes to w a representation of the file sufficient to
+// faithfully restore position information about all needed offsets.
+// Mutates the needed array.
+func (p *iexporter) encodeFile(w *intWriter, file *token.File, needed []uint64) {
+	_ = needed[0] // precondition: needed is non-empty
+
+	w.uint64(p.stringOff(file.Name()))
+
+	size := uint64(file.Size())
+	w.uint64(size)
+
+	// Sort the set of needed offsets. Duplicates are harmless.
+	sort.Slice(needed, func(i, j int) bool { return needed[i] < needed[j] })
+
+	lines := tokeninternal.GetLines(file) // byte offset of each line start
+	w.uint64(uint64(len(lines)))
+
+	// Rather than record the entire array of line start offsets,
+	// we save only a sparse list of (index, offset) pairs for
+	// the start of each line that contains a needed position.
+	var sparse [][2]int // (index, offset) pairs
+outer:
+	for i, lineStart := range lines {
+		lineEnd := size
+		if i < len(lines)-1 {
+			lineEnd = uint64(lines[i+1])
+		}
+		// Does this line contains a needed offset?
+		if needed[0] < lineEnd {
+			sparse = append(sparse, [2]int{i, lineStart})
+			for needed[0] < lineEnd {
+				needed = needed[1:]
+				if len(needed) == 0 {
+					break outer
+				}
+			}
+		}
+	}
+
+	// Delta-encode the columns.
+	w.uint64(uint64(len(sparse)))
+	var prev [2]int
+	for _, pair := range sparse {
+		w.uint64(uint64(pair[0] - prev[0]))
+		w.uint64(uint64(pair[1] - prev[1]))
+		prev = pair
+	}
+}
+
 // writeIndex writes out an object index. mainIndex indicates whether
 // we're writing out the main index, which is also read by
 // non-compiler tools and includes a complete package description
@@ -255,6 +326,12 @@ type iexporter struct {
 	strings     intWriter
 	stringIndex map[string]uint64

+	// In shallow mode, object positions are encoded as (file, offset).
+	// Each file is recorded as a line-number table.
+	// Only the lines of needed positions are saved faithfully.
+	fileInfo  map[*token.File]uint64 // value is index in fileInfos
+	fileInfos []*filePositions
+
 	data0       intWriter
 	declIndex   map[types.Object]uint64
 	tparamNames map[types.Object]string // typeparam->exported name
@@ -263,6 +340,11 @@ type iexporter struct {
 	indent int // for tracing support
 }

+type filePositions struct {
+	file   *token.File
+	needed []uint64 // unordered list of needed file offsets
+}
+
 func (p *iexporter) trace(format string, args ...interface{}) {
 	if !trace {
 		// Call sites should also be guarded, but having this check here allows
@@ -286,6 +368,25 @@ func (p *iexporter) stringOff(s string) uint64 {
 	return off
 }

+// fileIndexAndOffset returns the index of the token.File and the byte offset of pos within it.
+func (p *iexporter) fileIndexAndOffset(file *token.File, pos token.Pos) (uint64, uint64) {
+	index, ok := p.fileInfo[file]
+	if !ok {
+		index = uint64(len(p.fileInfo))
+		p.fileInfos = append(p.fileInfos, &filePositions{file: file})
+		if p.fileInfo == nil {
+			p.fileInfo = make(map[*token.File]uint64)
+		}
+		p.fileInfo[file] = index
+	}
+	// Record each needed offset.
+	info := p.fileInfos[index]
+	offset := uint64(file.Offset(pos))
+	info.needed = append(info.needed, offset)
+
+	return index, offset
+}
+
 // pushDecl adds n to the declaration work queue, if not already present.
 func (p *iexporter) pushDecl(obj types.Object) {
 	// Package unsafe is known to the compiler and predeclared.
@@ -346,7 +447,13 @@ func (p *iexporter) doDecl(obj types.Object) {
 	case *types.Func:
 		sig, _ := obj.Type().(*types.Signature)
 		if sig.Recv() != nil {
-			panic(internalErrorf("unexpected method: %v", sig))
+			// We shouldn't see methods in the package scope,
+			// but the type checker may repair "func () F() {}"
+			// to "func (Invalid) F()" and then treat it like "func F()",
+			// so allow that. See golang/go#57729.
+			if sig.Recv().Type() != types.Typ[types.Invalid] {
+				panic(internalErrorf("unexpected method: %v", sig))
+			}
 		}

 		// Function.
@@ -458,13 +565,30 @@ func (w *exportWriter) tag(tag byte) {
 }

 func (w *exportWriter) pos(pos token.Pos) {
-	if w.p.version >= iexportVersionPosCol {
+	if w.p.shallow {
+		w.posV2(pos)
+	} else if w.p.version >= iexportVersionPosCol {
 		w.posV1(pos)
 	} else {
 		w.posV0(pos)
 	}
 }

+// posV2 encoding (used only in shallow mode) records positions as
+// (file, offset), where file is the index in the token.File table
+// (which records the file name and newline offsets) and offset is a
+// byte offset. It effectively ignores //line directives.
+func (w *exportWriter) posV2(pos token.Pos) {
+	if pos == token.NoPos {
+		w.uint64(0)
+		return
+	}
+	file := w.p.fset.File(pos) // fset must be non-nil
+	index, offset := w.p.fileIndexAndOffset(file, pos)
+	w.uint64(1 + index)
+	w.uint64(offset)
+}
+
 func (w *exportWriter) posV1(pos token.Pos) {
 	if w.p.fset == nil {
 		w.int64(0)
--- a/vendor/golang.org/x/tools/internal/gcimporter/iimport.go
+++ b/vendor/golang.org/x/tools/internal/gcimporter/iimport.go
@@ -137,12 +137,23 @@ func iimportCommon(fset *token.FileSet, imports map[string]*types.Package, data
 	}

 	sLen := int64(r.uint64())
+	var fLen int64
+	var fileOffset []uint64
+	if insert != nil {
+		// Shallow mode uses a different position encoding.
+		fLen = int64(r.uint64())
+		fileOffset = make([]uint64, r.uint64())
+		for i := range fileOffset {
+			fileOffset[i] = r.uint64()
+		}
+	}
 	dLen := int64(r.uint64())

 	whence, _ := r.Seek(0, io.SeekCurrent)
 	stringData := data[whence : whence+sLen]
-	declData := data[whence+sLen : whence+sLen+dLen]
-	r.Seek(sLen+dLen, io.SeekCurrent)
+	fileData := data[whence+sLen : whence+sLen+fLen]
+	declData := data[whence+sLen+fLen : whence+sLen+fLen+dLen]
+	r.Seek(sLen+fLen+dLen, io.SeekCurrent)

 	p := iimporter{
 		version: int(version),
@@ -151,6 +162,9 @@ func iimportCommon(fset *token.FileSet, imports map[string]*types.Package, data

 		stringData:  stringData,
 		stringCache: make(map[uint64]string),
+		fileOffset:  fileOffset,
+		fileData:    fileData,
+		fileCache:   make([]*token.File, len(fileOffset)),
 		pkgCache:    make(map[uint64]*types.Package),

 		declData: declData,
@@ -280,6 +294,9 @@ type iimporter struct {

 	stringData  []byte
 	stringCache map[uint64]string
+	fileOffset  []uint64 // fileOffset[i] is offset in fileData for info about file encoded as i
+	fileData    []byte
+	fileCache   []*token.File // memoized decoding of file encoded as i
 	pkgCache    map[uint64]*types.Package

 	declData    []byte
@@ -352,6 +369,55 @@ func (p *iimporter) stringAt(off uint64) string {
 	return s
 }

+func (p *iimporter) fileAt(index uint64) *token.File {
+	file := p.fileCache[index]
+	if file == nil {
+		off := p.fileOffset[index]
+		file = p.decodeFile(intReader{bytes.NewReader(p.fileData[off:]), p.ipath})
+		p.fileCache[index] = file
+	}
+	return file
+}
+
+func (p *iimporter) decodeFile(rd intReader) *token.File {
+	filename := p.stringAt(rd.uint64())
+	size := int(rd.uint64())
+	file := p.fake.fset.AddFile(filename, -1, size)
+
+	// SetLines requires a nondecreasing sequence.
+	// Because it is common for clients to derive the interval
+	// [start, start+len(name)] from a start position, and we
+	// want to ensure that the end offset is on the same line,
+	// we fill in the gaps of the sparse encoding with values
+	// that strictly increase by the largest possible amount.
+	// This allows us to avoid having to record the actual end
+	// offset of each needed line.
+
+	lines := make([]int, int(rd.uint64()))
+	var index, offset int
+	for i, n := 0, int(rd.uint64()); i < n; i++ {
+		index += int(rd.uint64())
+		offset += int(rd.uint64())
+		lines[index] = offset
+
+		// Ensure monotonicity between points.
+		for j := index - 1; j > 0 && lines[j] == 0; j-- {
+			lines[j] = lines[j+1] - 1
+		}
+	}
+
+	// Ensure monotonicity after last point.
+	for j := len(lines) - 1; j > 0 && lines[j] == 0; j-- {
+		size--
+		lines[j] = size
+	}
+
+	if !file.SetLines(lines) {
+		errorf("SetLines failed: %d", lines) // can't happen
+	}
+	return file
+}
+
 func (p *iimporter) pkgAt(off uint64) *types.Package {
 	if pkg, ok := p.pkgCache[off]; ok {
 		return pkg
@@ -645,6 +711,9 @@ func (r *importReader) qualifiedIdent() (*types.Package, string) {
 }

 func (r *importReader) pos() token.Pos {
+	if r.p.insert != nil { // shallow mode
+		return r.posv2()
+	}
 	if r.p.version >= iexportVersionPosCol {
 		r.posv1()
 	} else {
@@ -681,6 +750,15 @@ func (r *importReader) posv1() {
 	}
 }

+func (r *importReader) posv2() token.Pos {
+	file := r.uint64()
+	if file == 0 {
+		return token.NoPos
+	}
+	tf := r.p.fileAt(file - 1)
+	return tf.Pos(int(r.uint64()))
+}
+
 func (r *importReader) typ() types.Type {
 	return r.p.typAt(r.uint64(), nil)
 }
--- a/vendor/golang.org/x/tools/internal/pkgbits/decoder.go
+++ b/vendor/golang.org/x/tools/internal/pkgbits/decoder.go
@@ -373,7 +373,7 @@ func (r *Decoder) Int64() int64 {
 	return r.rawVarint()
 }

-// Int64 decodes and returns a uint64 value from the element bitstream.
+// Uint64 decodes and returns a uint64 value from the element bitstream.
 func (r *Decoder) Uint64() uint64 {
 	r.Sync(SyncUint64)
 	return r.rawUvarint()
--- a/vendor/golang.org/x/tools/internal/pkgbits/encoder.go
+++ b/vendor/golang.org/x/tools/internal/pkgbits/encoder.go
@@ -293,7 +293,7 @@ func (w *Encoder) Len(x int) { assert(x >= 0); w.Uint64(uint64(x)) }
 // Int encodes and writes an int value into the element bitstream.
 func (w *Encoder) Int(x int) { w.Int64(int64(x)) }

-// Len encodes and writes a uint value into the element bitstream.
+// Uint encodes and writes a uint value into the element bitstream.
 func (w *Encoder) Uint(x uint) { w.Uint64(uint64(x)) }

 // Reloc encodes and writes a relocation for the given (section,
--- a/vendor/golang.org/x/tools/internal/tokeninternal/tokeninternal.go
+++ b/vendor/golang.org/x/tools/internal/tokeninternal/tokeninternal.go
@@ -0,0 +1,59 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// package tokeninternal provides access to some internal features of the token
+// package.
+package tokeninternal
+
+import (
+	"go/token"
+	"sync"
+	"unsafe"
+)
+
+// GetLines returns the table of line-start offsets from a token.File.
+func GetLines(file *token.File) []int {
+	// token.File has a Lines method on Go 1.21 and later.
+	if file, ok := (interface{})(file).(interface{ Lines() []int }); ok {
+		return file.Lines()
+	}
+
+	// This declaration must match that of token.File.
+	// This creates a risk of dependency skew.
+	// For now we check that the size of the two
+	// declarations is the same, on the (fragile) assumption
+	// that future changes would add fields.
+	type tokenFile119 struct {
+		_     string
+		_     int
+		_     int
+		mu    sync.Mutex // we're not complete monsters
+		lines []int
+		_     []struct{}
+	}
+	type tokenFile118 struct {
+		_ *token.FileSet // deleted in go1.19
+		tokenFile119
+	}
+
+	type uP = unsafe.Pointer
+	switch unsafe.Sizeof(*file) {
+	case unsafe.Sizeof(tokenFile118{}):
+		var ptr *tokenFile118
+		*(*uP)(uP(&ptr)) = uP(file)
+		ptr.mu.Lock()
+		defer ptr.mu.Unlock()
+		return ptr.lines
+
+	case unsafe.Sizeof(tokenFile119{}):
+		var ptr *tokenFile119
+		*(*uP)(uP(&ptr)) = uP(file)
+		ptr.mu.Lock()
+		defer ptr.mu.Unlock()
+		return ptr.lines
+
+	default:
+		panic("unexpected token.File size")
+	}
+}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -4,11 +4,12 @@ github.com/AdaLogics/go-fuzz-headers
 # github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652
 ## explicit; go 1.18
 github.com/AdamKorcz/go-118-fuzz-build/testing
-# github.com/Microsoft/go-winio v0.6.0
+# github.com/Microsoft/go-winio v0.6.1-0.20230228163719-dd5de6900b62
 ## explicit; go 1.17
 github.com/Microsoft/go-winio
 github.com/Microsoft/go-winio/backuptar
 github.com/Microsoft/go-winio/internal/socket
+github.com/Microsoft/go-winio/pkg/bindfilter
 github.com/Microsoft/go-winio/pkg/etw
 github.com/Microsoft/go-winio/pkg/etwlogrus
 github.com/Microsoft/go-winio/pkg/fs
@@ -97,7 +98,7 @@ github.com/containerd/cgroups/v3/cgroup2/stats
 # github.com/containerd/console v1.0.3
 ## explicit; go 1.13
 github.com/containerd/console
-# github.com/containerd/continuity v0.3.0
+# github.com/containerd/continuity v0.3.1-0.20230206102841-68f7b34f5e11
 ## explicit; go 1.17
 github.com/containerd/continuity
 github.com/containerd/continuity/devices
@@ -496,7 +497,7 @@ golang.org/x/crypto/openpgp/errors
 golang.org/x/crypto/openpgp/packet
 golang.org/x/crypto/openpgp/s2k
 golang.org/x/crypto/pbkdf2
-# golang.org/x/mod v0.7.0
+# golang.org/x/mod v0.8.0
 ## explicit; go 1.17
 golang.org/x/mod/semver
 # golang.org/x/net v0.7.0
@@ -544,7 +545,7 @@ golang.org/x/text/unicode/norm
 # golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
 ## explicit
 golang.org/x/time/rate
-# golang.org/x/tools v0.5.0
+# golang.org/x/tools v0.6.0
 ## explicit; go 1.18
 golang.org/x/tools/cmd/stringer
 golang.org/x/tools/go/gcexportdata
@@ -558,6 +559,7 @@ golang.org/x/tools/internal/gcimporter
 golang.org/x/tools/internal/gocommand
 golang.org/x/tools/internal/packagesinternal
 golang.org/x/tools/internal/pkgbits
+golang.org/x/tools/internal/tokeninternal
 golang.org/x/tools/internal/typeparams
 golang.org/x/tools/internal/typesinternal
 # google.golang.org/appengine v1.6.7