Improving assert-printing in DMD
John Colvin via Digitalmars-d
digitalmars-d at puremagic.com
Thu Oct 1 03:51:10 PDT 2015
On Thursday, 1 October 2015 at 09:59:41 UTC, Jonathan M Davis
wrote:
> In almost all cases, printing out an assertion is by far the
> best thing to do, and in general, the more information that's
> printed, the better. But if anyone is dealing with sensitive
> data, they _have_ to be smart about what they do with it, and
> if that means that they can't put it an assertion directly,
> because assertions print too much information, then so be it.
> We're talking about a minority case where almost every other
> program would benefit. Most programs don't even have assertions
> turned on in release, which is where this would matter.
>
> If a failed assertion could print out sensitive information,
> then just don't put the information directly in the assertion.
> Heck, anyone paranoid enough about it could create a special
> secureAssert function or something that did something like
>
> import core.exception : AssertError;
>
> // Evaluates the condition but reports only the caller-supplied message,
> // never the operand values, so nothing sensitive ends up in the error.
> void secureAssert(E)(lazy E expression,
>                      lazy string msg,
>                      string file = __FILE__,
>                      size_t line = __LINE__)
> {
>     version(assert)
>     {
>         immutable result = cast(bool)expression();
>         if(!result)
>             throw new AssertError(msg, file, line);
>     }
> }
>
> I see no reason to make the debugging tools that we have worse
> because of fear of someone who's writing code that processes
> sensitive information. That code just needs to be written in a
> way that's not going to leak the information. As Dmitry points
> out, there are plenty of other ways for the information to be
> leaked. So, not improving assertions due to security concerns
> really isn't a valid approach IMHO.
>
> Now, there are other reasons why we might not want to (e.g. if
> the performance were worse, you might not want to make
> assertions print additional information), but I think that it's
> far better for code that needs to be that secure to do its own
> thing than to hamper everyone over the concerns of the minority.
>
>> At the very least there should be a compiler switch to turn
>> assert-printing on/off
>
> I expect that most folks who would want to avoid having
> assertions print out sensitive information would still want
> assertions that didn't relate to sensitive information to
> print. A compiler switch is a pretty blunt instrument,
> especially when someone could write their own code which
> asserts without showing any sensitive information while still
> testing that information.
>
> - Jonathan M Davis
All reasonable points, so I guess it's not such a bad thing after
all. I just wanted to be sure that security was considered here.
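The contrast discussed above, as an added example that is not code from either poster or from DMD: `verboseAssertEqual` is a hypothetical stand-in for the proposed assert-printing behaviour (it formats the operands into the error message), and `secureAssert` is the pattern from the quoted post. The API key and expected value are constructed sample data.

```d
import core.exception : AssertError;
import std.conv : text;

/// Hypothetical stand-in for assert-printing: on failure the operand values
/// are formatted into the message, so whatever was compared is leaked.
void verboseAssertEqual(L, R)(lazy L lhs, lazy R rhs,
                              string file = __FILE__, size_t line = __LINE__)
{
    version(assert)
    {
        auto l = lhs();
        auto r = rhs();
        if (l != r)
            throw new AssertError(text("assertion failed: ", l, " != ", r),
                                  file, line);
    }
}

/// The pattern from the quoted post: the expression is still evaluated and
/// still fails loudly, but only the caller-supplied message is reported.
void secureAssert(E)(lazy E expression, lazy string msg,
                     string file = __FILE__, size_t line = __LINE__)
{
    version(assert)
    {
        immutable result = cast(bool) expression();
        if (!result)
            throw new AssertError(msg, file, line);
    }
}

void main()
{
    import std.stdio : writeln;

    // Constructed sample values; the first is something that must not be logged.
    string apiKey   = "sk-constructed-sample-key";
    string expected = "sk-expected-key";

    // Same failed check, two error messages.
    try verboseAssertEqual(apiKey, expected);
    catch (AssertError e) writeln("verbose: ", e.msg);   // both values appear

    try secureAssert(apiKey == expected, "API key mismatch");
    catch (AssertError e) writeln("secure:  ", e.msg);   // message only
}
```

Compiled normally, the first catch prints the key alongside the expected value and the second prints only "API key mismatch"; compiled with `-release`, `version(assert)` is not set and neither helper does anything, which is the point made above about assertions usually being off in release builds.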