Libstdc++ Debug Mode
The Debug Mode is documented in the manual at https://gcc.gnu.org/onlinedocs/libstdc++/manual/debug_mode.html
Debug Mode "Lite"
Libstdc++ also supports more lightweight assertions that do not catch as many problems, but which are ABI compatible with normal mode. These are enabled by defining the _GLIBCXX_ASSERTIONS macro. This is intended to be suitable for production code, not just for debugging during development.
Defining _GLIBCXX_DEBUG also defines _GLIBCXX_ASSERTIONS (in <bits/c++config.h>) so that the full Debug Mode also enables all lightweight checks.
Defining _GLIBCXX_ASSERTIONS must not cause changes to the linkage names, sizes or layout of types (this is in contrast to _GLIBCXX_DEBUG which changes the linkage names, sizes and layout of types, which is why it's not ABI compatible with normal mode). It must be safe to link together objects compiled with _GLIBCXX_ASSERTIONS and objects compiled without it. This is the raison d'être for a new mode.
Defining _GLIBCXX_ASSERTIONS must not cause changes to the Big-O complexity of algorithms and operations. This means that doing extra constant-time checks is OK (e.g. adding bounds checking to vector::operator[]) but changing an O(1) operation to an O(n) one, or O(n) to O(n^2), is not OK.
It would be possible for the _FORTIFY_SOURCE macro used by Glibc (and automatically enabled by some GNU/Linux distros) to cause _GLIBCXX_ASSERTIONS to be defined, so that the same macro can be used to turn on bounds-checking in Glibc and Libstdc++. An alternative would be to group the _GLIBCXX_ASSERTIONS checks into categories such as bounds checking, memory allocation, thread precondition violations etc. and have _FORTIFY_SOURCE only enable some categories. This should be discussed with Glibc and security teams, so that we don't weaken the usefulness of _FORTIFY_SOURCE by enabling unsuitable checks. The new -fhardened flag, which defines _FORTIFY_SOURCE and _GLIBCXX_ASSERTIONS, probably makes this unnecessary.
We might want to define _GLIBCXX_ASSERTIONS by default for non-optimized builds, to improve the general safety and security position of C++ code using libstdc++. See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112808
The checks currently enabled by _GLIBCXX_DEBUG should be audited to see whether they should be enabled by _GLIBCXX_ASSERTIONS instead. See Bug 56109 - Add light-weight ABI-compatible debug checks to standard containers and Bug 86843 - Allow separating debug mode into ABI-changing part and rest.
The google subversion branch has lots of useful checks, most of which are now enabled with _GLIBCXX_ASSERTIONS, but not all. See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56109 and https://gcc.gnu.org/ml/libstdc++/2015-08/msg00004.html for more details.
Checks that could/should be enabled by _GLIBCXX_ASSERTIONS:
- bounds checking in vector/array/string (currently incomplete, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111250 for example).
- swapping containers with non-equal, non-propagating allocators
- dereferencing smart pointers
- pthread return codes in std::mutex, std::thread etc. for UB such as unlocking a mutex in a thread that doesn't own it?
- ???