Inside json_decode() struct luaL_serializer is allocated on stack, but
json context stores pointer to it:

   998	static int json_decode(lua_State *l)
   999	{
  ...
  1007	    if (lua_gettop(l) == 2) {
  1008	        struct luaL_serializer user_cfg = *luaL_checkserializer(l);
  1009	        luaL_serializer_parse_options(l, &user_cfg);
  1010	        lua_pop(l, 1);
  1011	        json.cfg = &user_cfg;
  1012      }

Later (for instance in json_decode_descend()), it can be dereferenced
which in turn results in stack-use-after-scope (object turns into
garbage right after scope is ended). To fix it let's simply avoid
allocating and copying luaL_serializer on stack and instead use pointer
to it.

Bug is found by ASAN: test app-tap/json.test.lua fails with enabled
ASAN. Current fix allows to pass all tests.

Thanks to @Korablev77 for the initial investigation.

Closes #4637

Add LUAJIT_ENABLE_PAIRSMM flag as a build option for luajit.
If the flag is set, pairs/ipairs metamethods are available in
Lua 5.1.
For Tarantool this option is enabled by default.

Wrap throwing lua_newthread in luaT_newthread using luaT_cpcall
to process arising error properly.

Closes #4556

Count lines in the json parsing structure. It is needed to print
the number of line and column where a mistake was made.

Closes #3316

(cherry picked from commit 9f9bd3eb2d064129ff6b1a764140ebef242d7ff7)

Closes #4434
Follow-up #4366

@TarantoolBot document
Title: json/msgpack.cfg.encode_deep_as_nil option

Tarantool has several so called serializers to convert data
between Lua and another format: YAML, JSON, msgpack.

YAML is a crazy serializer without depth restrictions. But for
JSON, msgpack, and msgpackffi a user could set encode_max_depth
option. That option led to crop of a table when it had too many
nested levels. Sometimes such behaviour is undesirable.

Now an error is raised instead of data corruption:

    t = nil
    for i = 1, 100 do t = {t} end
    msgpack.encode(t) -- Here an exception is thrown.

To disable it and return the old behaviour back here is a new
option:

    <serializer>.cfg({encode_deep_as_nil = true})

Option encode_deep_as_nil works for JSON, msgpack, and msgpackffi
modules, and is false by default. It means, that now if some
existing users have cropping, even intentional, they will get the
exception.

The submodule was on 7.65.3 version. This update closes two security
problems:

https://curl.haxx.se/docs/CVE-2019-5482.html
https://curl.haxx.se/docs/CVE-2019-5481.html

See also curl-7.66.0 release notes:

https://curl.haxx.se/changes.html#7_66_0

Fixes #4502.

If the rock was packed with luarocks then the time in it is set to zeros
and this is not the case with the unix format can be removed when date given
is added to zipwriter_open_new_file_in_zip (luarocks/luarocks#1056)

Closes #4481

The json.encode() used to cause a segfault in case of recursive
table:
  tbl = {}
  tbl[1] = tbl
  json.encode(tbl)

Library doesn't test whether given object on Lua stack parsed
earlier, because it performs a lightweight in-depth traverse
of Lua stack. However it must stop when encode_max_depth is
reached (by design).

Tarantool's lua_cjson implementation has a bug introduced during
porting original library: it doesn't handle some corner cases:
entering into a map correctly increases a current depth, while
entering into an array didn't. This patch adopts author's
approach to check encode_max_depth limit. Thanks to handling this
constraint correctly the segfault no longer occurs.

Closes #4366

Update decNumber library, add methods to convert decimals to uint64_t
and int64_t, add unit tests.
Also replace decimal_round() function with decimal_round_with_mode() to
allow setting rounding mode.
We need to round with mode DEC_ROUND_DOWN in to_int64 conversions in
order to be consistent with double to int conversions.
It will be needed to compute hints for decimal fields.

Prerequisite #4333

This patch adds the methods necessary to encode and decode decimals to
MsgPack. MsgPack EXT type (MP_EXT) together with a new extension type
MP_DECIMAL is used as a record header.

The decimal MsgPack representation looks like this:
+--------+-------------------+------------+===============+
| MP_EXT | length (optional) | MP_DECIMAL | PackedDecimal |
+--------+-------------------+------------+===============+
The whole record may be encoded and decoded with
mp_encode_decimal() and mp_decode_decimal(). This is equivalent to
performing mp_encode_extl()/mp_decode_extl() on the first 3 fields and
decimal_pack/unpack() on the PackedDecimal field.

It is also possible to decode and encode decimals to msgpack from lua,
which means you can insert decimals into spaces, but only into unindexed
fields for now.

Follow up #692
Part of #4333

Hold libcurl-7.65.3. This version is not affected by the following
issues:

* #4180 ('httpc: redirects are broken with libcurl-7.30 and older');
* #4389 ('libcurl memory leak');
* #4397 ('HTTPS seem to be unstable').

After this patch libcurl will be statically linked when
ENABLE_BUNDLED_LIBCURL option is set. This option is set by default.

Closes #4318

@TarantoolBot document
Title: Tarantool dependency list was changed

* Added build dependencies: autoconf, automake, libtool, zlib-devel
  (zlib1g-dev on Debian).
* Added runtime dependencies: zlib (zlib1g on Debian).
* Removed build dependencies: libcurl-devel (libcurl4-openssl-dev on
  Debian).
* Removed runtime dependencies: curl.

The reason is that now we use compiled-in libcurl: so we don't depend on
a system libcurl, but inherit its dependencies.

We will use it for Lua console output format serialization

Part-of #3834

Made tarantoolctl compatible with luarocks-3.x.

Fixes #4052.

Add fixed-point decimal type to tarantool core.
Adapt decNumber floating-point decimal library for the purpose, write a
small wrapper and add unit tests.

A new decimal type is an alias for decNumber numbers from the decNumber
library.
Arithmetic operations (+, -, *, /) and some mathematic functions
(ln, log10, exp, pow, sqrt) are available together with methods to
pack and unpack decimal to and from its packed representation (useful
for serialization).

We introduce a single context for all the arithmetic operations
on decimals, which enforces both number precision and scale to be
in range [0, 38]. NaNs and Infinities are restricted.

Part of #692

Fixed GC issue.

yaml.encode() now wraps a string literal whose content is equal to a
null or a boolean value representation in YAML into single quotes. Those
literals are: 'false', 'no', 'true', 'yes', '~', 'null'.

Reverted the a2d7643c commit to use single quotes instead of multiline
encoding for 'true' and 'false' string literals.

Follows up #3476
Closes #3662
Closes #3583

Use lua_is*() functions instead of explicit lua_gettop() checks in
yaml.encode() and yaml.decode() functions.

Behaviour changes:

* yaml.decode(object, nil) ignores nil (it is consistent with encode
  behaviour).
* yaml.encode() gives an usage error instead of "unsupported Lua type
  'thread'".
* yaml.encode('', {}, {}) ignores 3rd argument (it is consistent with
  decode behaviour).

I. Fixes tarantoolctl rocks install hanging in resctricted networks
corner-case.

A customer configured two rocks servers:
1. offline (file:///path/to/rocks)
2. and default online (rocks.tarantool.org)

He tries to do `rocks install http 1.0.5-1`.

Online server is unavailable due to his local network policy, but
the rock is available offline. Despite anything, luarocks still
tries to fetch manifest online, which results in 30 sec hang since
network access is restricted.

This change aborts scanning when exact match is found

II. Remove cyclic dependencies

This is required to embed luarocks into tarantool, as
current tarantool preloader can't preload cyclic dependencies.
There should be a unidirectional dependency graph and
predictable order.

Note: as a consequence of this patch, operating systems other that
unix-compatible ones are no longer supported. This is because I
had to manually resolve dependency graph for predictable require()
order.

III. Use digest.md5_hex to compute md5 digests instead of openssl

luarocks has support for calculating md5 with 'md5' rock if it's
present, but we don't have it in tarantool, and instead have the
'digest' module. That's why luarocks falls back to 'openssl' binary
to calculate md5 digests.

This patch will allow luarocks to use our internal digests module.

Add an ability to pass options to json.encode()/decode().

Closes: #2888.

@TarantoolBot document
Title: json.encode() json.decode()
Add an ability to pass options to
json.encode() and json.decode().
These are the same options that
are used globally in json.cfg().

A possibility to build tarantool with included library dependencies.
Use the flag -DBUILD_STATIC=ON to build statically against curl, readline,
ncurses, icu and z.
Use the flag -DOPENSSL_USE_STATIC_LIBS=ON to build with static
openssl

Changes:
  * Add FindOpenSSL.cmake because some distributions do not support the use of
  openssl static libraries.
  * Find libssl before curl because of build dependency.
  * Catch all bundled libraries API and export then it in case of static
  build.
  * Rename crc32 internal functions to avoid a name clash with linked libraries.

Notes:
  * Bundled libyaml is not properly exported, use the system one.
  * Dockerfile to build static with docker is included

Fixes #3445

Strings containing "true" and "false" were converted
to a boolean type when serializing. Fixed.
Example:
type(yaml.decode(yaml.encode('false'))) == string
type(yaml.decode(yaml.encode('true'))) == string

Closes #3476.

New commit in third_party/libyaml downgrades
required cmake version.

Closes #3275.

Now it is possible to specify a number in exponential
form via all formats allowed by json standard.
json.decode('{"remained_amount":2.0e+3}')
json.decode('{"remained_amount":2.0E+3}')
json.decode('{"remained_amount":2e+3}')
json.decode('{"remained_amount":2E+3}')     <-- fixed

Closes #3514.

YAML formatting C API is needed for #2677, where it will be used
to send text pushes and prints as tagged YAML documents.

Push in the next patches is implemented as a virtual C method of
struct session, so it is necessary to be able format YAML from C.

Needed for #2677

Yaml.decode tag_only option allows to decode a single tag of a
YAML document. For #2677 it is needed to detect different push
types in text console: print pushes via console.print, and actual
pushes via box.session.push.

To distinguish them YAML tags will be used. A client console for
each message will try to find a tag. If a tag is absent, then the
message is a simple response to a request.

If a tag is !print!, then the document consists of a single
string, that must be printed. Such a document must be decoded to
get the printed string. So the calls sequence is
yaml.decode(tag_only) + yaml.decode. The reason why a print
message must be decoded is that a print() result on a server side
can be not well-formatted YAML, and must be encoded into it to be
correctly sent. For example, when I do on a server side something
like this:

console.print('very bad YAML string')

The result of a print() is not a YAML document, and to be sent it
must be encoded into YAML on a server side.

If a tag is !push!, then the document is sent via
box.session.push, and must not be decoded. It can be just printed
or ignored or something.

Needed for #2677

Encode_tagged is a workaround to be able to pass options to
yaml.encode().

Before the patch yaml.encode() in fact has this signature:
yaml.encode(...). So it was impossible to add any options to this
function - all of them would be treated as the parameters. But
documentation says: https://tarantool.io/en/doc/1.9/reference/reference_lua/yaml.html?highlight=yaml#lua-function.yaml.encode
that the function has this signature: yaml.encode(value).

I hope if anyone uses yaml.encode(), he does it according to the
documentation. And I can add the {tag_prefix, tag_handle} options
to yaml.encode() and remove yaml.encode_tagged() workaround.

Encode_tagged allows to define one global YAML tag for a
document. Tagged YAML documents are going to be used for
console text pushes to distinguish actual box.session.push() from
console.print(). The first will have tag !push, and the
second - !print.

OOM is not single possible error. Yaml library during dump can
raise such errors as YAML_MEMORY_ERROR, YAML_WRITER_ERROR,
YAML_EMITTER_ERROR. And each of them can contain any error
message that is skipped now, because Tarantool YAML does not
provide such API, that can lead to a non-OOM error.

But it is changed in next commits.

Any option of base64 leads to urlsafe encoding. It is wrong, and
caused by incorrect flag checking. Fix it.

Closes #3358

Closes #3148