
[discussion] Dealing with assertions and optional consistency checking #4576

@sipa

Description


Currently the Bitcoin source code relies on assertions (because they may have side effects), and some compile-time and runtime settable consistency checks.

This leads to a few oddities:

  • Failing to build with -NDEBUG
  • Uncertainty what performance impact consistency checks have.
  • Conflict between 'asserts are good because they test that the assumptions you're relying on hold'/'better fail than have undefined behavior' and 'asserts are bad because if they're exploitable they're potentially a massive DoS to the network'.

This leads to only limited assert usage (because you don't want them for anything potentially exploitable), and a few very expensive optional consistency checks (-checkmempool, DEBUG_LOCKORDER, ...).

My proposal:

  • Add a -checks command-line flag which enables inexpensive consistency checks.
  • Enable -checks by default in debug builds, but not in release/gitian builds.
  • Add a safe CHECK() macro which
    • always evaluates its arguments
    • is a no-op without -checks but like assert() with -checks.
  • Get rid of all assert()s.
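As an added illustration of the proposed CHECK() macro (example code, not Bitcoin Core's own; `g_checks_enabled` is a hypothetical stand-in for the `-checks` flag, and a failed check throws rather than aborting so the behaviour can be observed), the following contrasts it with what `assert()` becomes under NDEBUG:

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical runtime switch standing in for a "-checks" command-line flag.
static bool g_checks_enabled = false;

// Thrown instead of abort()ing so the failure can be observed in a test;
// a real node would abort or log and shut down.
struct CheckFailure : std::runtime_error {
    using std::runtime_error::runtime_error;
};

inline void CheckImpl(bool ok, const char* expr, const char* file, int line)
{
    if (ok || !g_checks_enabled) return;   // no-op unless checks are on
    throw CheckFailure(std::string(file) + ":" + std::to_string(line) +
                       ": check failed: " + expr);
}

// CHECK(cond): the condition is evaluated exactly once, in every build and
// whether or not checks are enabled; only the failure reaction is optional.
#define CHECK(cond) CheckImpl(static_cast<bool>(cond), #cond, __FILE__, __LINE__)

// What assert(cond) expands to when NDEBUG is defined: the condition is
// dropped entirely, so any side effect inside it silently disappears.
#define NDEBUG_ASSERT(cond) ((void)0)

// A condition with a side effect: the case the "always evaluates" rule exists for.
int CountWithCheck()
{
    int evaluations = 0;
    CHECK(++evaluations > 0);
    return evaluations;              // 1 with or without -checks
}

int CountWithNdebugAssert()
{
    int evaluations = 0;
    NDEBUG_ASSERT(++evaluations > 0);
    return evaluations;              // 0: the increment never ran
}

// Whether a failing CHECK reports anything under the given flag setting.
bool CheckFires(bool checks_enabled)
{
    bool saved = g_checks_enabled;
    g_checks_enabled = checks_enabled;
    bool fired = false;
    try {
        CHECK(false);
    } catch (const CheckFailure&) {
        fired = true;
    }
    g_checks_enabled = saved;
    return fired;
}

// Typical use: an inexpensive invariant in a hot path. Without -checks the
// condition is still evaluated but never terminates the process, so input
// that can reach it cannot be used to crash the node; with -checks it fails
// loudly in testing. The explicit fallback keeps the checks-off path defined.
int PopBack(std::vector<int>& v)
{
    CHECK(!v.empty());
    if (v.empty()) return -1;        // defensive fallback when checks are off
    int last = v.back();
    v.pop_back();
    return last;
}

int main()
{
    std::printf("CHECK evaluated: %d, NDEBUG assert evaluated: %d\n",
                CountWithCheck(), CountWithNdebugAssert());
    std::printf("fires with -checks: %d, without: %d\n",
                CheckFires(true), CheckFires(false));
    std::vector<int> v{1, 2, 3};
    std::printf("popped %d\n", PopBack(v));
    return 0;
}
```

The point the macro makes concrete: removing the assert() changes program behaviour when the condition has side effects, whereas CHECK() only changes whether a violation is reported.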
