[SC-L] Conditional Compile statements-- coding standards, and code review

[smurray1]

I am reviewing a QA team's procedures for code review.  I have an issue 
with conditional compile statements (#ifdef in the C world).  My issue 
is that it is very difficult to have complete confidence that a piece of 
code inside the condition (the "controlled text") does indeed not get 
compiled and included in the final executable.  The coding standards 
used by the organization are fairly rigorous, but there is no mention of 
prohibiting (or of even limiting) the used of conditional compile 
statements.  They are typically used for debug purposes-- that is, debug 
messages that get generated when the code is compiled for debugging and 
then are omitted in the production builds.  This is probably more of a 
correct code issue than a security issue,  but there are most definitely 
security implications. 

I am curious to hear people's thoughts on this.  Do most organizations 
prohibit (or at least limit) conditional compile statements?  If not, 
how is the "controlled text" inside conditional compile statements 
handled by code reviewers?  The QA procedures I am reviewing basically 
ignore them, since "They won't be in the production build", but I am 
very uncomfortable with that.   There are many ways in C to define the 
macro that controls the conditional compile (with #define statements, 
with compiler flags, etc).  It just seems very hard to verify that the 
ifdefs will work as planned in the final compile.

Thanks!!

Sean T Murray