Improve debug checks (prelude to STL Hardening) (#5270)

microsoft · Feb 11, 2025 · f953153 · f953153
1 parent fc15609
commit f953153
Show file tree

Hide file tree

Showing 37 changed files with 377 additions and 439 deletions.
diff --git a/docs/import_library.md b/docs/import_library.md
@@ -41,7 +41,7 @@ The caveats of this technique are:
   + This limitation is subtle (not readily apparent from the source code) and critical.
     If shared global state is necessary, our only option while preserving bincompat is adding a satellite DLL.
 * Due to having just two flavors of the import library (debug and release),
-  we cannot use anything that depends on `_CONTAINER_DEBUG_LEVEL` or `_ITERATOR_DEBUG_LEVEL`.
+  we cannot use anything that depends on `_ITERATOR_DEBUG_LEVEL`.
 
 For these reasons, especially the last one, we need to strictly control what is used by the import library.
 In particular, `basic_string` must not be used there.

diff --git a/stl/inc/__msvc_ranges_tuple_formatter.hpp b/stl/inc/__msvc_ranges_tuple_formatter.hpp
@@ -324,7 +324,7 @@ class basic_format_arg {
         case _Basic_format_arg_type::_Custom_type:
             return _STD forward<_Visitor>(_Vis)(_Custom_state);
         default:
-            _STL_VERIFY(false, "basic_format_arg is in impossible state");
+            _STL_REPORT_ERROR("basic_format_arg contains an impossible type");
             int _Dummy{};
             return _STD forward<_Visitor>(_Vis)(_Dummy);
         }

diff --git a/stl/inc/__msvc_string_view.hpp b/stl/inc/__msvc_string_view.hpp
@@ -1381,7 +1381,7 @@ class basic_string_view { // wrapper for any kind of contiguous character buffer
         : _Mydata(_Cts), _Mysize(_Count) {
 #if _CONTAINER_DEBUG_LEVEL > 0
         _STL_VERIFY(_Count == 0 || _Cts, "non-zero size null string_view");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+#endif
     }
 
 #if _HAS_CXX20
@@ -1476,7 +1476,7 @@ class basic_string_view { // wrapper for any kind of contiguous character buffer
     _NODISCARD constexpr const_reference operator[](const size_type _Off) const noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
         _STL_VERIFY(_Off < _Mysize, "string_view subscript out of range");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+#endif
 
         // CodeQL [SM01954] This index is optionally validated above.
         return _Mydata[_Off];
@@ -1490,30 +1490,30 @@ class basic_string_view { // wrapper for any kind of contiguous character buffer
 
     _NODISCARD constexpr const_reference front() const noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_VERIFY(_Mysize != 0, "cannot call front on empty string_view");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_VERIFY(_Mysize != 0, "front() called on empty string_view");
+#endif
         return _Mydata[0];
     }
 
     _NODISCARD constexpr const_reference back() const noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_VERIFY(_Mysize != 0, "cannot call back on empty string_view");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_VERIFY(_Mysize != 0, "back() called on empty string_view");
+#endif
         return _Mydata[_Mysize - 1];
     }
 
     constexpr void remove_prefix(const size_type _Count) noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_VERIFY(_Mysize >= _Count, "cannot remove prefix longer than total size");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_VERIFY(_Mysize >= _Count, "cannot remove_prefix() larger than string_view size");
+#endif
         _Mydata += _Count;
         _Mysize -= _Count;
     }
 
     constexpr void remove_suffix(const size_type _Count) noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_VERIFY(_Mysize >= _Count, "cannot remove suffix longer than total size");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_VERIFY(_Mysize >= _Count, "cannot remove_suffix() larger than string_view size");
+#endif
         _Mysize -= _Count;
     }
 

diff --git a/stl/inc/algorithm b/stl/inc/algorithm
@@ -7157,9 +7157,7 @@ _CONSTEXPR20 void sort_heap(_RanIt _First, _RanIt _Last, _Pr _Pred) { // order h
     const auto _ULast  = _STD _Get_unwrapped(_Last);
 #if _ITERATOR_DEBUG_LEVEL == 2
     const auto _Counterexample = _STD _Is_heap_until_unchecked(_UFirst, _ULast, _STD _Pass_fn(_Pred));
-    if (_Counterexample != _ULast) {
-        _STL_REPORT_ERROR("invalid heap in sort_heap()");
-    }
+    _STL_VERIFY(_Counterexample == _ULast, "invalid heap in sort_heap()");
 #endif // _ITERATOR_DEBUG_LEVEL == 2
     _STD _Sort_heap_unchecked(_UFirst, _ULast, _STD _Pass_fn(_Pred));
 }

diff --git a/stl/inc/array b/stl/inc/array
@@ -533,7 +533,7 @@ public:
     _NODISCARD _CONSTEXPR17 reference operator[](_In_range_(<, _Size) size_type _Pos) noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
         _STL_VERIFY(_Pos < _Size, "array subscript out of range");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+#endif
 
         return _Elems[_Pos];
     }
@@ -542,7 +542,7 @@ public:
     /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
         _STL_VERIFY(_Pos < _Size, "array subscript out of range");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+#endif
 
         return _Elems[_Pos];
     }
@@ -708,48 +708,48 @@ public:
 
     _NODISCARD reference operator[](size_type) noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_REPORT_ERROR("array subscript out of range");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_REPORT_ERROR("array<T, 0> subscript is invalid");
+#endif
 
         return *data();
     }
 
     _NODISCARD const_reference operator[](size_type) const noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_REPORT_ERROR("array subscript out of range");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_REPORT_ERROR("array<T, 0> subscript is invalid");
+#endif
 
         return *data();
     }
 
     _NODISCARD reference front() noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_REPORT_ERROR("array<T, 0>::front() invalid");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_REPORT_ERROR("array<T, 0>::front() is invalid");
+#endif
 
         return *data();
     }
 
     _NODISCARD const_reference front() const noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_REPORT_ERROR("array<T, 0>::front() invalid");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_REPORT_ERROR("array<T, 0>::front() is invalid");
+#endif
 
         return *data();
     }
 
     _NODISCARD reference back() noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_REPORT_ERROR("array<T, 0>::back() invalid");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_REPORT_ERROR("array<T, 0>::back() is invalid");
+#endif
 
         return *data();
     }
 
     _NODISCARD const_reference back() const noexcept /* strengthened */ {
 #if _CONTAINER_DEBUG_LEVEL > 0
-        _STL_REPORT_ERROR("array<T, 0>::back() invalid");
-#endif // _CONTAINER_DEBUG_LEVEL > 0
+        _STL_REPORT_ERROR("array<T, 0>::back() is invalid");
+#endif
 
         return *data();
     }