[abrawill]

If the hardware is exotic I guess you’d have no choice. But for security critical don’t you run the risk of relying on obscurity rather than security due to the niche-ness of your stack?

What does a vendor compiler do or do better than a compatible generic one?

[Jtsummers]

When you get a critical system certified for fielding you aren't just certifying the source code, but the actual executable and build process and test process and other things. This requires reproducibility for years to come. Choosing generic compilers may work in dev and parts of test, but not for actual deployment as a consequence (or it doesn't work well). Suppose you picked clang 11 several years back. Now you need to do an update to the system, you can still use clang 11, but not clang 14 at least not without doing a comprehensive recertification process. Also, if an issue is discovered in clang 11 it's likely been fixed in clang 14, but again you have to get your system recertified with clang 14. And that's if the issue is fixed, it may still exist.

With a vendor supplied compiler you can say, "We're using version 11.2". A year or two later an issue is discovered, the vendor will backport a fix to 11.2 giving you 11.2.1 which is much less effort for recertification. You aren't depending on the kindness of strangers (a terrible strategy) because you're actually paying someone to do the work.

[abrawill]

That explains a lot! Never worked with certified code, but I see how it makes sense.

Do the vendor compilers have a very focused feature set as a result? To reduce both test surface area and chance of expensive mistakes?

[moloch-hai]

Mainly their own costs. They have a captive market, and tooling is a "cost center".