7

I'm working on an ASP.NET web site and I'd like to deploy the pdb files because when unexpected exceptions are thrown, I want to log them with line numbers so I can track down the problem.

But I'm concerned about security and performance.

Is there any security risk to having pdb files on a web server, if I use the stack trace information to log to a non-public file on the web server and don't show it to the user?

As far as performance, I know that it's more expensive to deal with exceptions when there's a pdb file, but the goal is not to have any exceptions, and on the rare case when they occur, to get good tracing data so we can fix the problem.

But one thing I'm not clear about is this: if an exception is thrown and caught, do I still pay the pdb penalty? I'm thinking particularly about the ThreadAbortException thrown when you Response.Redirect. This is a legacy app with a lot of these as part of normal program flow, and so I just catch and ignore these exceptions, but will the presence of a pdb file make this much more costly? Or does .NET ignore the pdb file unless you ask for the stack trace (which I don't, for this particular exception)?

Beyond that, as long as there are no exceptions except for ones I really do want to know about in detail, is there any performance hit from deploying pdb files to the web server?

Joshua Frank

3 Answers

6

As for security I can't see any real issues with deploying a PDB. The PDB just contains

  • Mapping between source lines and IL offsets
  • Names of locals
  • Names of source files
  • List of using directives relevant to a given function

Even if the PDB information was leaked I wouldn't consider any of that sensitive information.

As for performance, the mere presence of a PDB isn't going to change the execution logic of your application. It's only relevant for debugging purposes and normal execution doesn't interact with it.

JaredPar
  • Thanks for the quick response. Can you comment specifically on the ThreadAbortException scenario? If the app redirects and throws one of these, and I catch and ignore it, do I pay the pdb lookup penalty? – Joshua Frank Feb 19 '14 at 17:37
  • @JoshuaFrank I'm still unclear why you believe exceptions will reference the PDB at all. They may very well do that but to my knowledge they don't – JaredPar Feb 19 '14 at 18:23
  • I suppose I'm unclear on when, exactly, the pdb file is used to look up symbols. Is it when the exception is thrown, or when your exception handler code asks for stack trace data? I was asking specifically because of this comment on another SO question, which in the context of the question makes it sound like you pay the lookup cost when the exception is **thrown**: http://stackoverflow.com/questions/381537/deploying-pdb-files-in-iis-any-benefit#comment16486391_382087 – Joshua Frank Feb 19 '14 at 18:41
  • @JoshuaFrank this appears to happen only when the `StackTrace` property is invoked. All of the logic to build up the file names happens here AFAICT – JaredPar Feb 20 '14 at 00:12
  • Ah, that was exactly how I hoped it would be, and it makes sense that it wouldn't do that expensive lookup unless you actually need the data. Thanks for all your help! – Joshua Frank Feb 20 '14 at 11:18
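
An added example, not part of the original thread: one way to get the setup the question describes in a classic ASP.NET (System.Web) app, where the full trace with PDB line numbers goes to a non-public file and the user sees only a reference id. The log path, the `RedirectIgnoringAbort` helper name and the response text are assumptions made for illustration.

```csharp
// Added illustration, not code from the thread. Classic ASP.NET (System.Web).
using System;
using System.IO;
using System.Threading;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: log under App_Data, which ASP.NET does not serve to clients.
    // The app pool identity needs write access to this folder.
    private const string LogPath = "~/App_Data/errors.log";
    private static readonly object LogLock = new object();

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Correlation id: the only detail the user sees.
        string id = Guid.NewGuid().ToString("N");

        // ex.ToString() reads StackTrace; this is the point where file names
        // and line numbers are resolved from the deployed PDB.
        string entry = DateTime.UtcNow.ToString("o") + " [" + id + "] "
                     + ex.ToString() + Environment.NewLine;
        lock (LogLock)
        {
            File.AppendAllText(Server.MapPath(LogPath), entry);
        }
        // Generic response: no trace, paths or type names leave the server.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Response.ContentType = "text/plain";
        Response.Write("An unexpected error occurred. Reference: " + id);
    }

    // Hypothetical helper for the legacy redirect pattern from the question.
    public static void RedirectIgnoringAbort(HttpResponse response, string url)
    {
        try { response.Redirect(url); }
        catch (ThreadAbortException)
        {
            // Expected control flow. StackTrace is never read here, so per the
            // comments above no PDB lookup is triggered; the runtime re-raises
            // the abort after this block, which ends the request as usual.
        }
    }
}
```
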
1

I agree with JaredPar, though you might consider that most of the things he has listed make it even easier to decompile and reverse engineer your site if the server is hacked.

On the other side, it would also be relatively easy (though with a bit more work) to reverse engineer it without the PDBs, so it's only a minor security risk. Also, depending on the scope of your web site, reverse engineering might not even be an issue.

Adrian Grigore
0

You want to deploy PDB files if you desire the extra debugging benefits, such as additional information like line numbers for stack-tracing purposes when exceptions are thrown, as well as remote debugging of applications. The caveat is that exception handling tends to perform slower when using .pdb debugging.

szr