
librdkafka relies on asserts for error handling

Open teskje opened this issue 4 months ago • 0 comments

We have recently stumbled over a segfault in librdkafka. Upon investigation we found that the segfault occurs in rd_kafka_broker_add_logical. What happens is that rd_kafka_broker_add returns NULL for whatever reason (likely the exhaustion of the thread limit), then the subsequent operations on rkb cause NULL pointer dereferencing.

The code has an assert checking that rkb is not NULL, but that's not sufficient. In production code asserts are often disabled for performance reasons. Thus they should only be used to check code invariants that are expected to always hold. librdkafka uses them to check for runtime errors, which makes it unsafe to use with asserts disabled (using NDEBUG under Linux).

rd_kafka_broker_add_logical is not the only place where asserts are used for error checking. For example, the alloc functions (rd_malloc, rd_calloc, rd_realloc) use the same pattern to check whether the allocation succeeded.

teskje, Jun 01 '25 19:06
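The failure mode described in the issue, reduced to an added example that is not librdkafka code: every name (`demo_broker`, `demo_broker_add`, `add_logical_asserted`, `add_logical_checked`, `fail_next_add`) and the `-ENOMEM` return value are assumptions made for the demo. It defines `NDEBUG` locally to simulate a release build and contrasts an assert-only check with an explicit one.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define NDEBUG /* simulate a release build: assert() expands to nothing */
#include <assert.h>

struct demo_broker { char name[32]; };

/* Constructed fault injection: when set, the next creation fails. */
static int fail_next_add;

/* Hypothetical stand-in for a constructor that can fail at runtime. */
static struct demo_broker *demo_broker_add(const char *name) {
    struct demo_broker *rkb;
    if (fail_next_add) { fail_next_add = 0; return NULL; }
    rkb = calloc(1, sizeof(*rkb));
    if (rkb) snprintf(rkb->name, sizeof(rkb->name), "%s", name);
    return rkb;
}

/* Pattern from the issue: the assert is the only failure check. */
static struct demo_broker *add_logical_asserted(const char *name) {
    struct demo_broker *rkb = demo_broker_add(name);
    assert(rkb); /* compiled out under NDEBUG, so NULL passes through */
    /* Real code would use rkb-> here; the demo returns before doing so. */
    return rkb;
}

/* Explicit check: the failure is reported in every build mode. */
static int add_logical_checked(const char *name, struct demo_broker **out) {
    *out = demo_broker_add(name);
    return *out ? 0 : -ENOMEM; /* error code chosen for the demo */
}

#undef NDEBUG /* restore assert() for any code after this point */
#include <assert.h>

int main(void) {
    struct demo_broker *rkb;
    fail_next_add = 1;
    printf("asserted: %p\n", (void *)add_logical_asserted("logical"));
    fail_next_add = 1;
    printf("checked: rc=%d\n", add_logical_checked("logical", &rkb));
    return 0;
}
```

With the injected failure, the assert-only path hands a NULL pointer to its caller without any signal, while the checked path returns an error the caller can act on.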