On Mon, Apr 07, 2008 at 02:10:04PM -0400, Robert C. Seacord wrote:
> Joe,
>
> Response below.
>
> >On Mon, Apr 07, 2008 at 01:28:21PM -0400, Robert C. Seacord wrote:
> >
> >>You are also right that the popularity of gcc is one of the reasons we
> >>decided to publish on this. If you identify other compilers that a) are
> >>relatively popular, b) have changed their behavior recently, and c)
> >>silently optimize out overflow checks we will consider publishing
> >>vulnerability notes for those compilers as well.
> >>
> >
> >What is the justification for requirement b)? We identified two distinct
> >proprietary compilers that also do this optimization, but it isn't a
> >recent change in behavior.
> >
> my thinking is that if this behavior has been in place for many years,
> for example, users will have had the opportunity to discover the changed
> behavior. our goal here is to disseminate this information more quickly.
But if your message motivates a user to switch compilers, the user might switch from gcc to another compiler that has for a long time performed the optimization.
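The "overflow checks" the thread refers to are, in the gcc case, checks written in a form that only works if undefined behaviour wraps around. The following is an added illustration, not code from the thread or from CERT: it assumes the typical pointer-arithmetic and signed-addition check patterns, and places each beside a form that stays well-defined and therefore cannot be legally dropped by any compiler, whether it changed behaviour recently or long ago.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

/* Constructed sample object used by the usage calls below. */
static char sample_buf[16];

/* Length check as it is commonly written: it relies on buf + len wrapping
 * around. Forming a pointer past the end of the object is undefined, so an
 * optimizer may treat "buf + len < buf" as always false and delete the
 * branch. Shown only as the weak form; do not use. */
int len_fits_wrap_check(const char *buf, size_t len, const char *end) {
    if (buf + len < buf)          /* check that may be optimized away */
        return 0;
    return buf + len <= end;
}

/* Well-defined form: compare lengths and never form an out-of-range
 * pointer, so no optimizer can assume the check is dead. */
int len_fits(const char *buf, size_t len, const char *end) {
    if (end < buf)                /* malformed range */
        return 0;
    return len <= (size_t)(end - buf);
}

/* Signed-integer variant: "a + b < a" is undefined on overflow, so test
 * the operands against the limits before adding instead. Returns 1 if
 * a + b would overflow, 0 otherwise. */
int add_would_overflow(int a, int b) {
    if (b > 0)
        return a > INT_MAX - b;
    return a < INT_MIN - b;
}

/* Usage: returns 1 when both well-defined checks behave as expected. */
int demo(void) {
    const char *end = sample_buf + sizeof sample_buf;
    return len_fits(sample_buf, 16, end) == 1
        && len_fits(sample_buf, 17, end) == 0
        && add_would_overflow(INT_MAX, 1) == 1;
}
```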