Summary: flex versions, bugs, warnings, etc

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: Summary: flex versions, bugs, warnings, etc
Date: 2009-07-12 22:15:50
Message-ID: 24287.1247436950@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Before I forget, here is a quick brain dump on $SUBJECT.

The latest release of flex is currently 2.5.35. 2.5.33 is pretty
widespread as well, and there's at least one 2.5.34 in the buildfarm.
There was no 2.5.32. 2.5.31 and (possibly) earlier versions contain
an extremely nasty security problem CVE-2006-0459, which results in the
generated scanner containing a buffer-overflow problem that might be
exploitable for arbitrary code execution. However, this is possible
only if the scanner definition uses REJECT or trailing context, which
AFAIK none of the scanners in the PG sources do, so the security issue
is not directly a problem for us. It appears that at least some Linux
distros are still shipping 2.5.31 with a patch for the security issue;
there is one such machine in the buildfarm.

I conclude that we should set the configure version cutoff at 2.5.31,
so as to avoid breaking things for people using those distros. However,
the flex sourceforge site no longer distributes 2.5.31, so there's no
very easy way to get hold of it for testing purposes. If it turns out
to have any problems as reported by the buildfarm, I recommend we just
bump the minimum to 2.5.33 rather than try to debug the issue.

Both 2.5.33 and 2.5.35 generate scanners that cause some compilation
warnings when using our preferred gcc flags and the flex options
we'll be needing for a reentrant lexer. In particular I get this:

In file included from gram.y:11141:
scan.c: In function 'yy_try_NUL_trans':
scan.c:15722: warning: unused variable 'yyg'

which doesn't appear to be fixable without patching flex.
I've filed a bug about it upstream
https://sourceforge.net/tracker/?func=detail&aid=2820457&group_id=97492&atid=618177
but I fear we shall just have to live with it until upstream releases
a version with a fix.

These versions also neglect to generate prototypes for two global
functions yyget_column() and yyset_column(), which apparently are
part of a feature so new it isn't even documented yet :-(. That
results in warnings thanks to -Wmissing-prototypes. However, these
two warnings are easily worked around by adding extern's to the
scan.l file, so I've done that rather than annoy upstream with two
cosmetic bugs filed on the same day.

regards, tom lane

Browse pgsql-hackers by date

  From Date Subject
Next Message Andrew Dunstan 2009-07-12 22:28:41 Re: Upgrading our minimum required flex version for 8.5
Previous Message Ron Mayer 2009-07-12 21:59:22 Re: Maintenance Policy?