Replace MerkleTreeBuilder.Finish with non-mutating CalculateRoot

auditing.go

@@ -147,14 +147,15 @@ func (builder *MerkleTreeBuilder) Add(hash ct.MerkleTreeNode) {
 	}
 }
 
-func (builder *MerkleTreeBuilder) Finish() ct.MerkleTreeNode {
+func (builder *MerkleTreeBuilder) CalculateRoot() ct.MerkleTreeNode {
 	if len(builder.stack) == 0 {
-		panic("MerkleTreeBuilder.Finish called on an empty tree")
+		panic("MerkleTreeBuilder.CalculateRoot called on an empty tree")
 	}
-	for len(builder.stack) > 1 {
-		left, right := builder.stack[len(builder.stack)-2], builder.stack[len(builder.stack)-1]
-		builder.stack = builder.stack[:len(builder.stack)-2]
-		builder.stack = append(builder.stack, hashChildren(left, right))
+	i := len(builder.stack) - 1
+	hash := builder.stack[i]
+	for i > 0 {
+		i -= 1
+		hash = hashChildren(builder.stack[i], hash)
 	}
-	return builder.stack[0]
+	return hash
 }

cmd/common.go

@@ -246,7 +246,7 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 				continue
 			}
 
-			rootHash := treeBuilder.Finish()
+			rootHash := treeBuilder.CalculateRoot()
 			if !bytes.Equal(rootHash, latestSTH.SHA256RootHash[:]) {
 				log.Printf("Validation of log entries failed - calculated tree root (%x) does not match signed tree root (%s).  If this error persists for an extended period, it should be construed as misbehavior by the log.\n", rootHash, latestSTH.SHA256RootHash)
 				exitCode |= 8