On Fri, Apr 11, 2008 at 03:00:14PM -0400, Robert C. Seacord wrote: > Ian, > >I know I'm biased, but I think "use a different compiler" is clearly > >implied by the text of the advisory. If the advisory mentioned that > >other compilers also implement the same optimization, then that > >implication would not be there. > > > yes, i agree we should make this change, and warn against assuming this > optimization is not performed on other compilers.
Thanks. I hope that you will correct the advisory promptly to avoid any implication that one should switch from GCC to a different compiler based on this issue, since we've already established that most of GCC's competitors perform similar optimizations under some cicumstances (even if the particular example that appears in the CERT report is not affected, other, similar examples will be, particularly if they appear in a loop). Both CERT and GCC have their reputations to consider here, and I think that this advisory has damaged the reputations of *both*. > if i understand you correctly (and based on our own tests) none of the > compilation flags we've discussed address this issue, so we should also > remove this as a "solution". The advisory should emphasize the solution of auditing buffer overflow checks to make sure that they are correct C, and should help people write such checks correctly.
