I think Ian's remark goes a long way, and is prudent advice anyway: If all asserts are your own you can make sure to scrub the sensitive information before asserting. Admittedly, that will complicate the code (e.g. instead of simply
assert(critical condition); it would be if(!critical_condition) { memset(secret, 0, sizeof(secret)); assert(critical_condition); }).