- Sep 11, 2023
-
-
Ilya Verbin authored
If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes are allocated for `struct error_field` in error_payload_prepare(). However, the size of this structure is 16 because of the padding for the alignment. Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure. Closes #9098 NO_DOC=bugfix
-
- Sep 08, 2023
-
-
Mergen Imeev authored
This patch introduces initial support for roles. Dependencies are not currently supported for roles.

Part of #9078

@TarantoolBot document
Title: Roles

Two new options have been added: "roles" and "roles_cfg". The first one is an array and the second one is a map. Each of these can be defined per instance, replica set, group, and globally. As with almost all other options, with the exception of those defined as 'map', the 'roles' option for the lower scope will replace the roles for the higher scope. The roles_cfg value, however, is defined as "map", so it will be merged.

The "roles" option defines the roles for each instance. A role is a program that runs when a configuration is loaded or reloaded. If a role is defined more than once on an instance, it will still only be run once. Three functions must be defined in the role: validate(), apply() and stop(). Each of these functions should throw an error if it occurs.

The "roles_cfg" option specifies the configuration for each role. In this option, the role name is the key and the role configuration is the value.

On each run, all roles will be loaded (if necessary) in the order in which they were specified; the configuration for each role will then be validated using the corresponding validate() function in the same order; and then they will all be run with apply() function in the same order. If some roles have been removed from the instance, they will be stopped in reverse order using the stop() function.

Example of a role structure:

```
local M = {}

-- Validates configuration of the role.
--
-- Called on initial configuration apply at startup and on
-- configuration reload if the role is enabled for the given instance.
--
-- The cfg argument may have arbitrary user provided value,
-- including nil.
--
-- Must raise an error if the validation fails.
function M.validate(cfg)
    -- <...>
end

-- Applies the given configuration of the role.
--
-- Called on initial configuration apply at startup and on
-- configuration reload if the role is enabled for the given instance.
--
-- The cfg argument may have arbitrary user provided value,
-- including nil.
--
-- Must raise an error if the given configuration can't be applied.
function M.apply(cfg)
    -- <...>
end

-- Stops the role.
--
-- Called on configuration reload if the role was enabled before
-- and removed now from the list of roles of the given instance.
--
-- Should cancel all background fibers and clean up held
-- resources.
--
-- Must raise an error if this action can't be performed.
function M.stop()
    -- <...>
end

return M
```
-
Nikolay Shirokovskiy authored
They are rather noisy. Also delete debug log on arena creation. These two make sense only with each other. Part of #7327 NO_TEST=internal NO_DOC=internal NO_CHANGELOG=internal
-
- Sep 07, 2023
-
-
Ilya Verbin authored
An attempt to print a dead fiber raised a fatal error, which is quite unexpected. This patch updates __tostring metamethod of fiber_object so that it pushes the "fiber: <fid> (dead)" string instead of the error. The __serialize metamethod is patched similarly. Closes #4265 NO_DOC=bugfix
-
Gleb Kashkin authored
All user-defined users and roles are not being removed and their privileges are not being revoked when this user or role is removed from config. This is done to prevent extreme repercussions of misconfiguration, e.g. empty config is provided to cluster and it breaks up. Default users and roles are not supposed to be changed, so this rule does not apply to them.

Now all of non-default privileges will be revoked if such user or role is removed from config.

Default users:
* guest
* admin

Default roles:
* super
* public
* replication

Part of #8967

NO_DOC=documentation request will be filed manually for the whole credentials
-
- Sep 06, 2023
-
-
Astronomax authored
Prior to this patch, the table had no information about the leader other than his id in the "leader" field. It may not be convenient for the user to search for a name corresponding to a given id. Much more convenient to see the leader's name in box.info.election.

Closes #8931

@TarantoolBot document
Title: Document `box.info.election`

box.info.election now contains one more field: `leader_name`: string. There are several possible values for this field:
- `nil`, if there is no leader in a cluster.
- `box.NULL`, if there is a leader, but he does not have a name.
- `some string`, if there is a leader and he has a name.

Example:

```console
tarantool> box.info.election
---
- leader_idle: 0
  leader_name: node1
  state: leader
  vote: 1
  term: 3
  leader: 1
...
```

[box-info-election] https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_info/election/
-
Ilya Verbin authored
The wording "Check constraint 'constr_name' failed for tuple" implies that the tuple should follow. This patch adds the missed "a" article. Closes #9045 NO_DOC=minor NO_CHANGELOG=minor
-
Magomed Kostoev authored
The tuple_compare_slowpath comparator had unreachable branch under this condition: `key_def->part_count == 1 && part->fieldno == 0 && (!has_json_paths || part->path == NULL)`.

The condition will never be true in the function context. It has been introduced in the commit c8b87dc7 ("Speed up tuple_compare()."), when there were no sequential comparators, and so it was reasonable at that moment. But since the sequential comparators had been introduced in the commit 78102868 ("Don't store offsets for sequential multi-parts keys") the condition became permanently falsy.

There're two ways it can be true:
1. `key_def->part_count == 1 && part->fieldno == 0 && !has_json_paths`
2. `key_def->part_count == 1 && part->fieldno == 0 && has_json_paths && part->path == NULL`

Condition 1 will never happen because if we have a key starting from `fieldno = 0` with any part count following and without JSON paths, then it is compared using `tuple_compare_sequential` instead.

Proof:
1. The key is sequential if and only if it does not have JSON paths and for all key parts `index_def->parts[i].fieldno == i`.
2. The `key_def->part_count == 1 && part->fieldno == 0 && !has_json_paths` condition fully satisfies this condition.
3. The `tuple_compare_slowpath` is only set as a comparator if the key is not sequential. Proof: The only places the comparator is set are:
   - `key_def_set_compare_func_fast` under the `!is_sequential` condition.
   - `key_def_set_compare_func_plain` under the `!key_def_is_sequential` condition.
   - `key_def_set_compare_func_json`, which is only called under `def->has_json_paths` condition, which conflicts with the `!has_json_paths` condition.

Condition 2: has JSON path means we have `path` parameter in the index definition, but the following condition requires the path to be `NULL`, which is impossible if the part count is 1.

Proof:
1. A key has JSON paths if and only if one of its parts' path does not equal NULL.
2. If key part count is one and the only part has path, then the `part->path == NULL` part fails.
3. If key part count is one and the only part does not have JSON path then the key has no JSON paths, goto Condition 1.

Closes #8900

NO_DOC=dead code elimination
NO_TEST=dead code elimination
NO_CHANGELOG=dead code elimination
-
- Sep 04, 2023
-
-
Georgy Moshkin authored
Introduce fully temporary spaces: same as data-temporary space but with temporary metadata. Basically temporary spaces now do not exist on restart and do not exist on replicas. They can also be created, altered and deleted when box.cfg.read_only = true.

To avoid conflicts with spaces created on replicas, the temporary space ids by default start in a special range starting at BOX_SPACE_ID_TEMPORARY_MIN.

Temporary spaces currently do not support several features e.g. foreign key references (to and from), functional indexes, sql sequences, sql triggers, etc. This may change in the future.

Implementing temporary spaces requires temporary tuples to be inserted into system spaces: tuples which are neither replicated nor persisted. This is mostly done in on_replace_dd_* triggers by dropping the txn->stmt->row.

Closes #8323

@TarantoolBot document
Title: Introduce fully temporary spaces with temporary metadata

Temporary spaces are now data-temporary spaces with temporary metadata. Created by specifying { type = "temporary" } in the options. Temporary spaces will not exist upon server restart and will not exist on replicas. They can also be created in read-only mode.
-
Georgy Moshkin authored
A tiny preparatory commit for meta-temporary spaces NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring
-
Georgy Moshkin authored
Move code that handles txn row counters into a separate function in preparation of meta-temporary spaces introduction. NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring
-
Georgy Moshkin authored
Everywhere where we refer to temporary spaces we now say data-temporary. This is because temporary spaces were never truly temporary because their definitions would still be persisted and replicated and they couldn't be created on read-only replicas. In a following commit we will introduce a new fully temporary type of spaces, which will be just called 'temporary', so this commit signifies this terminology change. NO_DOC=renaming NO_CHANGELOG=renaming NO_TEST=renaming
-
Georgy Moshkin authored
Introduces a new field `type` to the space definition. Currently it can only be "normal" or "data-temporary". It is backwards compatible with temporary=true.

@TarantoolBot document
Title: Introduce space field type

A new space definition field "type" can now be used to specify the type of the space. Usage: box.schema.create_space("s", { type = "normal" }). Currently only 2 types are supported: "normal" & "data-temporary", which is equivalent to { temporary = true }. Old-style { temporary = true } is still supported, but only one option either 'temporary' or 'type' may be specified at the same time.

Space type "temporary" will be introduced in a later commit. In the future options "local", "synchronous", etc. may also be supported.

NO_TEST=will be tested in the following commit
-
- Sep 01, 2023
-
-
Nikolay Shirokovskiy authored
This way we will have access to build info in those modules. In particular, build.asan flag is going to be used in buffer.lua in scope of #7327.

Part of #7327

NO_TEST=internal
NO_DOC=internal
NO_CHANGELOG=internal
-
Nikolay Shirokovskiy authored
We already use this info in one of the tests and are going to use it more.

Part of #7327

@TarantoolBot document
Title: new tarantool.build.asan flag

It is `true` if `ENABLE_ASAN` build option is set and `false` otherwise.
-
Vladimir Davydov authored
Vinyl tuples returned to the user are allocated with malloc. They may be pinned by Lua indefinitely. Currently, there's no way to figure out how much memory is occupied by these tuples. This commit adds a statistic to box.stat.vinyl() that accounts them.

Closes #8485

@TarantoolBot document
Title: Document `memory.tuple` statistic of `box.stat.vinyl()`

The new statistic shows the total size of memory in bytes occupied by Vinyl tuples. It includes cached tuples and tuples pinned by the Lua world.
-
- Aug 30, 2023
-
-
Vladimir Davydov authored
Commit 97c2c9a4 ("box: disable DDL with old schema") added a check to the on-replace trigger installed on all system spaces that fails the operation if the schema version is outdated unless it's recovery time or the operation was issued by the fiber performing a schema upgrade.

This new check breaks the replication use case:
1. Tarantool binary is updated on all instances to a version that requires a newer schema - OK.
2. box.schema.upgrade() is called on the master instance - OK.
3. Operations performed by the master to upgrade the schema are replicated to the replicas - FAIL.

To fix this issue, let's bypass the schema version check for applier fibers.

Follow-up #7149
Closes #9048

NO_DOC=bug fix
NO_CHANGELOG=unreleased
-
- Aug 28, 2023
-
-
Nikolay Shirokovskiy authored
Fiber flags are initialized after fiber stack creation. As a result, the check for custom stack in fiber_stack_watermark_create currently does not work. This leads to heap-buffer-overflow on putting watermark if custom stack size is less than FIBER_STACK_SIZE_WATERMARK.

Close #9026

NO_DOC=bugfix
-
Nikolay Shirokovskiy authored
`msg` is used after it is freed in iproto_msg_delete. Close #9037 NO_TEST=tested by ASAN NO_DOC=bugfix
-
- Aug 25, 2023
-
-
Mergen Imeev authored
This patch introduces all audit options. Closes #8861 NO_DOC=Was already described before.
-
Nikolay Shirokovskiy authored
When fiber region is freed/destroyed and ENABLE_BACKTRACE is set then `fiber_on_gc_truncate` callback is called. At this time both `used` argument and `fiber->gc_initial_size` are equal to 0. Thus `fiber->first_alloc_bt` is accessed which is already freed.

With bad luck, freeing fiber region can put slab back into slab arena. So writing after free can change memory used by another thread.

Closes #9020

NO_TEST=tested by ASAN
NO_DOC=bugfix
-
Ilya Verbin authored
`*type_out` was set to uninitialized value for `field->type == MP_EXT`. This was introduced by commit 9f9142d6 ("box: cleanup on tuple encoding failure") Closes #9023 NO_DOC=bugfix NO_CHANGELOG=not user-visible
-
Mergen Imeev authored
The maximum length of box.cfg{} string parameters is now 512 instead of 256 before. NO_DOC=no need to document NO_TEST=will be added in EE
-
- Aug 24, 2023
-
-
Ilya Verbin authored
Memory is leaked in the following scenario:
- MP_ERROR_STACK with 2 errors is passed to error_unpack_unsafe():
  1. A correct MP_MAP with MP_ERROR_* fields;
  2. Something unexpected, e.g. MP_INT;
- This first call to mp_decode_error_one() allocates memory for the first error in error_build_xc() -> `new ClientError()`;
- The second call to mp_decode_error_one() returns NULL, and error_unpack_unsafe() returns NULL too. Memory from the previous step is leaked.

Closes #8921

NO_DOC=bugfix
-
Andrey Saranchin authored
The patch introduces Lua module trigger, which allows to set, delete and call triggers from event registry. Closes #8656 NO_DOC=later
-
Andrey Saranchin authored
Future module trigger will allow user to call triggers from Lua. We have function adapter to call an abstract function from any language, but it's convenient to call Lua functions directly when they are called from Lua, so let's add a method that allows to get underlying Lua function (or another callable object). NO_CHANGELOG=internal NO_DOC=internal
-
Andrey Saranchin authored
The patch introduces new event subsystem. This subsystem is designed to store user-defined triggers and has nothing in common with core triggers. Each trigger has its own name and is represented by func_adapter. Triggers are stored in events - named wrappers over rlist. Event objects are opaque, hence rlist field should not be used directly - event provides event_find_trigger, event_reset_triggers methods and event_trigger_iterator. Iterator provides stable iteration and all the non-deleted triggers will surely be traversed. On way to the goal this patch also fixes include list in func_adapter.h. Part of #8656 NO_CHANGELOG=internal NO_DOC=internal
-
Ilya Verbin authored
part_count was checked in index_def_check(), which was called too late. Before that check:
1. `malloc(sizeof(*part_def) * part_count)` can fail for huge part_count;
2. key_def_new() can crash for zero part_count because of out of bound access in:

NO_WRAP
- #1 key_def_contains_sequential_parts (def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:26
- #2 key_def_set_extract_func (key_def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:442
- #3 key_def_set_func (def=0x5555561a2ef0) at src/box/key_def.c:162
- #4 key_def_new (parts=0x7fffc4001350, part_count=0, for_func_index=false) at src/box/key_def.c:320
NO_WRAP

Closes #8688

NO_DOC=bugfix
-
Vladislav Shpilevoy authored
box.ctl.demote() used not to do anything with election_mode='off' if the synchro queue didn't belong to the caller in the same term as the election state. The reason could be that if the synchro queue term is "outdated", there is no guarantee that some other instance doesn't own it in the latest term right now. The "problem" is that this could be workarounded easily by just calling promote + demote together. There isn't much sense in fixing it for the off-mode because the only reasons off-mode exists are 1) for people who don't use synchro at all, 2) who did use it and want to stop. Hence they need demote just to disown the queue. The patch "legalizes" the mentioned workaround by allowing to perform demote in off-mode even if the synchro queue term is old. Closes #6860 NO_DOC=bugfix
-
- Aug 23, 2023
-
-
Aleksandr Lyapunov authored
The function update_view_references is called when an SQL view is created or dropped. The goal of this function is to modify (increment or decrement) view_ref_count member of spaces that the view references.

There were several issues that deserve to be refactored:
* By design in case of error it left the job partially done, so some space references were modified while some other - not. Although there was no bug since special steps were made in case of error, this pattern is inconvenient and should be avoided.
* In case of error the failing space name was returned via special argument which is not flexible and even requires allocation.
* Another argument - suppress_error - has actually never suppressed any error because the only case when an error could occur is creation of a view, which used suppress_error = false.
* Fail of that function was not actually covered with tests.

So this commit:
* Makes the function to do all or nothing.
* Forces the function to set diag by itself in case of error.
* Removes suppress_error argument while adding several asserts.
* Adds a small test that fulfills coverage.

NO_DOC=refactoring
NO_CHANGELOG=refactoring
-
Aleksandr Lyapunov authored
By design a newly created SrcList object contains one element with NULL name. That was confusing and led to strange NULL checks in a list that could not contain NULL names. Fix it by clearing the list before usage. NO_DOC=refactoring NO_CHANGELOG=refactoring NO_TEST=refactoring
-
Aleksandr Lyapunov authored
Since we panic on OOM now, no OOM error handling is needed now. Fix both internals of the function and how it is used in alter. NO_DOC=refactoring NO_CHANGELOG=refactoring NO_TEST=refactoring
-
Vladimir Davydov authored
We have a few functions that decode MsgPack data assuming it was previously checked with mp_check(). This means it's safe to expect that MP_EXT contains valid data because we install a custom checker for MP_EXT in msgpack_init. So let's replace errors with assertions, removing the dead code. NO_DOC=code cleanup NO_TEST=code cleanup NO_CHANGELOG=code cleanup
-
Vladimir Davydov authored
The new macro is like assert, but it evaluates the checked expression even in the release mode. NO_DOC=internal NO_TEST=internal NO_CHANGELOG=internal
-
Vladimir Davydov authored
This update pulls the following commits:
* Add mp_check_on_error callback
* Make test output TAP compatible

It also drops the msgpack test result file because the test was switched to the TAP compatible format.

Needed for #7968

NO_DOC=internal
NO_CHANGELOG=internal
-
- Aug 22, 2023
-
-
Mergen Imeev authored
This patch introduces initial support for the vshard configuration. There is still a lot to be done in both vshard and the config to be able to run vshard naturally.

Key support restrictions introduced in the patch:
1) at the moment there are only two roles: storage and router;
2) the entire config is considered a configuration for one sharded system;
3) the rebalancer is currently disabled;
4) The router can automatically find all masters, but once all masters are found, any changes to the masters will be ignored until vshard.router.cfg() is called manually.

Closes #9007

NO_DOC=Will be described when full support for vshard is introduced.
-
Mergen Imeev authored
This patch introduces all sharding parameters except "weight". Part of #9007 NO_DOC=Will be described when full support for vshard is introduced.
-
Mergen Imeev authored
This patch moves the code that compiles iproto.advertise.peer to instance_config. This will allow us to use this function for iproto.advertise.sharding. Part of #9007 NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring
-
Alexander Turenko authored
It is convenient for development environments, when the configuration file and the application sources reside in the same directory.

The same logic was recently implemented for the main script, see #8182. The same problems appear in context of startup from a configuration file, so it seems meaningful to adjust module search paths in this case too.

Part of #8862

NO_DOC=This change is too minor to describe in the documentation issue https://github.com/tarantool/doc/issues/3544. I'll work with the documentation team regarding details of startup/reload flow and we'll determine what should go to the user documentation and what shouldn't.
-
Alexander Turenko authored
The new default directory layout is the following.

```
+ var/
  + lib/
    + instance-001/
      - *.xlog
      - *.snap
      - *.vylog
  + log/
    + instance-001/
      - tarantool.log
  + run/
    + instance-001/
      - tarantool.control
      - tarantool.pid
```

Our guess is that it should be convenient for development environments, when the application consists of several instances. The idea is borrowed from the `cartridge-cli` and `tt` tools.

We plan to synchronize these defaults with the `tt` tool, to simplify cases, when pure tarantool (without `tt`) should be run in the directories layout created by `tt`. It should simplify debugging using `gdb`, `strace` and other tools. Also, it should reduce possible confusion for users of `cartridge-cli` and `tt`.

Part of #8862

NO_DOC=https://github.com/tarantool/doc/issues/3544 already points to the actual instance config schema
-