I think generally C compilers prefer to keep the stack intact for debugging and such.

Okay, yeah, I was indeed reading your original reply as a criticism of one of the people involved (presumably the security researcher), rather than as a criticism of the post title. Sorry for misunderstanding.

Apparently GCC does indeed do tail-call optimization at -O2: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#index-foptimize-sibling-calls

But in that case, I’m not sure why the solution to the denial of service vulnerability isn’t just “compile with -foptimize-sibling-calls.”

…what is your point? Some software (in a language that doesn’t have tail-recursion optimization) used recursion to handle user-provided input, and indeed it broke. Someone wrote to explain that that’s a potential vulnerability, the author agreed, and fixed it. Who here is misunderstanding how computers implement recursion?

TypeScript is a language, and traditionally languages are considered separate from their implementations. When I first saw the headline I hoped maybe it meant a non-JS runtime for compiled TS, and I’m well aware of the difference. Yes, that would be a much larger undertaking than porting the compiler to a new language, but the headline doesn’t indicate how large a project this is, and Microsoft certainly has the resources to write a new backend (even a native-code one) for the TS compiler.