RFC: Change what assert does on error

Adam Wilson flyboynw at gmail.com
Thu Jul 3 07:21:09 UTC 2025 

On Wednesday, 2 July 2025 at 23:26:36 UTC, Walter Bright wrote:
> If a variable has an out of bounds value in it, it cannot be 
> determined why it is out of bounds. It may very well be out of 
> bounds because of memory corruption elsewhere due to some other 
> bug or a malware attack.
>
>
>> and rollback to that point... which is what stack unwinding 
>> achieves.
>
> Stack unwinding may be just what the malware needs to install 
> itself. The stack may be corrupt, which is why Error does not 
> guarantee running destructors on the stack.

This argument is, in practice, a Slippery Slope fallacy and thus 
can be dismissed without further consideration.

But because this is the NG's we will consider it further anyways.

Yes, malware could theoretically use the stack unwinding to 
inject further malware. But doing so would require Administrative 
level local access and if the malware has that level of access, 
then you have far bigger problems to occupy yourself with. 
Furthermore, I, and GROK, are not aware of any actual attacks 
exploiting stack unwinding in the wild.

So your malware case is purely theoretical at this point in time.

And yes, the stack may be corrupt ... so what? I'll still know 
more than I get from a terse termination message. There is no 
rational argument that can be made that intentionally reducing 
error reporting data is ever a good idea. Even corrupt data tells 
me something that a terse termination method cannot.

Finally, we don't live in the 80's anymore. Most of my code lives 
on servers located in data centers hundreds of miles away from 
where I live and is guarded by dudes with guns. If I show up to 
the DC to try to debug my program on their servers I'll end up in 
jail. Or worse.

It is an absolute non-negotiable business requirement that I be 
able to get debugging information out of the server without 
physical access to the device. If you won't deliver the logging 
data, corrupted or not, on an assert, then no business can 
justify using D in production. It's that simple.

More information about the Digitalmars-d mailing list