Before I forget, here is a quick brain dump on $SUBJECT. The latest release of flex is currently 2.5.35. 2.5.33 is pretty widespread as well, and there's at least one 2.5.34 in the buildfarm. There was no 2.5.32. 2.5.31 and (possibly) earlier versions contain an extremely nasty security problem CVE-2006-0459, which results in the generated scanner containing a buffer-overflow problem that might be exploitable for arbitrary code execution. However, this is possible only if the scanner definition uses REJECT or trailing context, which AFAIK none of the scanners in the PG sources do, so the security issue is not directly a problem for us. It appears that at least some Linux distros are still shipping 2.5.31 with a patch for the security issue; there is one such machine in the buildfarm.
I conclude that we should set the configure version cutoff at 2.5.31, so as to avoid breaking things for people using those distros. However, the flex sourceforge site no longer distributes 2.5.31, so there's no very easy way to get hold of it for testing purposes. If it turns out to have any problems as reported by the buildfarm, I recommend we just bump the minimum to 2.5.33 rather than try to debug the issue. Both 2.5.33 and 2.5.35 generate scanners that cause some compilation warnings when using our preferred gcc flags and the flex options we'll be needing for a reentrant lexer. In particular I get this: In file included from gram.y:11141: scan.c: In function 'yy_try_NUL_trans': scan.c:15722: warning: unused variable 'yyg' which doesn't appear to be fixable without patching flex. I've filed a bug about it upstream https://sourceforge.net/tracker/?func=detail&aid=2820457&group_id=97492&atid=618177 but I fear we shall just have to live with it until upstream releases a version with a fix. These versions also neglect to generate prototypes for two global functions yyget_column() and yyset_column(), which apparently are part of a feature so new it isn't even documented yet :-(. That results in warnings thanks to -Wmissing-prototypes. However, these two warnings are easily worked around by adding extern's to the scan.l file, so I've done that rather than annoy upstream with two cosmetic bugs filed on the same day. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers