NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

Before these changes, it was impossible to define a custom absolute
path for `OUTPUT_DIR` when calling the static-build/make_packages.sh
script. The build failed due to missing directory inside the container.
Also, set the default value for `OUTPUT_DIR` to the absolute path from
where the static-build/make_packages.sh script runs instead of relative
path to the static-build directory.

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

This patch adds facility to make DEB and RPM packages with a statically
compiled Tarantool binary inside. The build is performed in a Docker
container, using PackPack docker image (centos-7) and CPack.

The packpack/packpack:centos-7 image has all the necessary dependencies
for building Tarantool and quite old glibc 2.17 which theoretically
provides compatibility of the created packages with any distro where
glibc >= 2.17.

The build can be run with the command below:

    $ VERSION=3.0.0 ./static-build/make_packages.sh

In the `static_build` directory, there will be the following packages:

    tarantool_3.0.0-1_amd64.deb
    tarantool-dev_3.0.0-1_amd64.deb
    tarantool-3.0.0-1.x86_64.rpm
    tarantool-devel-3.0.0-1.x86_64.rpm

`tarantool_3.0.0-1_amd64.deb`, `tarantool-3.0.0-1.x86_64.rpm` are
packages with the Tarantool server binary inside.

`tarantool-dev_3.0.0-1_amd64.deb`, `tarantool-devel-3.0.0-1.x86_64.rpm`
are packages with the Tarantool server development files inside.

NO_DOC=build
NO_TEST=build

Co-authored-by: Yaroslav Lobankov <y.lobankov@tarantool.org>

The ability to support backtraces is checked in cmake/compiler.cmake,
it makes no sense to duplicate the check in rpm/tarantool.spec. Also do
not enable backtraces unconditionally in apk/APKBUILD and static-build.

Part of #6998

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

An autoconf-generated configure script doesn't enable compiler
optimization flags if CFLAGS / CXXFLAGS options are set explicitly.
We started setting CFLAGS / CXXFLAGS in commit e6abe1c9
("cmake: add extra security compiler options"). As a result, users
started experiencing performance degradation issues, like the one
described in tarantool/tarantool-ee#440.

Let's set -O2 in CFLAGS / CXXFLAGS explicitly to fix that.

Closes #8606
Needed for tarantool/tarantool-ee#440

NO_DOC=build
NO_TEST=build

Method `getDangiCalZoneAstroCalc` is used to calculate an argument for
base class constructor when it is not built yet. Fortunately, it does not
use class fields - let's make it static to use it before class
initialization legitimately.

Closes tarantool/security#96

NO_TEST=no behaviour changes
NO_CHANGELOG=no behaviour changes
NO_DOC=no behaviour changes

This patch fixes potential read of uninitialized variable
in history_truncate_file()

Fixed in upstream:
https://git.savannah.gnu.org/cgit/readline.git/commit/?h=devel&id=b4ebdc06601fb54297435d2e286d901cba1cd6c6

Closes tarantool/security#95

NO_DOC=security
NO_TEST=security
NO_CHANGELOG=security

n_ssl3_mac(): Fix possible divide by zero.
Fixed in openssl3:
https://github.com/openssl/openssl/commit/624efd2ba6f1dabdcdecf17c77bd206c421efdaf

Closes tarantool/security#90

NO_DOC=security
NO_TEST=security
NO_CHANGELOG=security

If `dynamic_cast` fails, then NULL is returned. Even thought
assertion is set, we cannot rely on it, as we don't use debug
version of icu. Let's check if `rbnf` variable is not NULL
explicitly.

If it somehow turned out to be NULL, then memory allocation
error will be thrown.

Closes tarantool/security#61

NO_CHANGELOG=<security fix>
NO_DOC=<security fix>
NO_TEST=<third-party security fix>

According to the business logic and assertions `idx` and `data32`
variables cannot be equal to NULL at the same time. However, we
cannot rely on assertions.

Let's check that explicitly. If this situation occurs somehow
the function exits as we cannot recover from this situation: we
don't have sources, from which values for enumeration can be taken.
Moreover, continuing of the code execution is such situation may
lead to accessing NULL if `c<limit`.

Closes tarantool/security#59

NO_CHANGELOG=<security fix>
NO_DOC=<security fix>
NO_TEST=<third-party security fix>

`set_client_ciphersuite` can potentially dereference NULL if the session's
cipher is not set — add a check for this condition.

Closes tarantool/security#27

NO_CHANGELOG=<security fix>
NO_DOC=<security fix>
NO_TEST=<third-party security fix>

The problem is if cat fails, because a patch file doesn't exist
PATH_COMMAND written like this won't detect it, because the last
command (patch) will complete successfully (apply existing patches
found by cat):

  cat XXX.patch YYY.patch | patch -p1

The proper way is to use PATCH_COMMAND continuation:

  PATCH_COMMAND patch -p1 -i XXX.patch
  COMMAND       patch -p1 -i YYY.patch

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

tls_construct_ctos_session_ticket() has a potential
NULL pointer dereference.

Closes tarantool/security#54

NO_DOC=security
NO_TEST=security
NO_CHANGELOG=security

Added bounds check after conversion of a string key to int to avoid
potential out-of-bounds access.

Closes tarantool/security#45

NO_TEST=trivial
NO_CHANGELOG=internal
NO_DOC=internal

We're going to add a whole bunch of them. Putting them all in
a sub-directory will help keeping the file tree organized.

Note, we have to update .gitignore so that the patches/ sub-directory
is ignored only at the top level (it's used by quilt).

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

The `tarantool_version` symbol identifies the binary as Tarantool (see also
https://github.com/tarantool/tarantool/blob/f991f7c0be73558f0710f0af871d07e8bd506efe/tools/tarabrt.sh#L179-L180

).
It is not exported and thus can be optimized away by LTO — add it to the
exports list.

Closes #8129

Acked-by: Aleksandr Lyapunov <alyapunov@tarantool.org>

NO_CHANGELOG=<internal change>
NO_DOC=<internal change>
NO_TEST=<no convenient way to test devtools>

Recently, ffi select was broken on M1 in commit ec1a71ff
("box: introduce pagination to memtx_tree and tuple position methods").
It turned out that ffi on M1 poorly supports a big quantity of arguments.
Fortunately, there is a workaround - we can pass only 64-bit integer
arguments beyond the 8th argument. Let's do it.

Closes #7946

NO_TEST=reflected in existing tests
NO_CHANGELOG=bugfix for unreleased feature
NO_DOC=bugfix

ICU symbol renaming was disabled in EE build by commit
https://github.com/tarantool/tarantool-ee/commit/f51346d682e3afd93592023d0dedfb1e45167c7a
("static-build: disable symbols renaming for libicu"), because EE build
exports ICU symbols so that they can be used by Lua modules. It isn't
necessary in CE build, but since we're planning to reuse the CE cmake
config in the EE repository, we should do that.

Needed for https://github.com/tarantool/tarantool-ee/issues/185

NO_DOC=no functional changes
NO_TEST=no functional changes
NO_CHANGELOG=no functional changes

Split it so that it can be reused in the EE repository:

 - static-build/cmake/AddDependencyProjects.cmake
   Adds the external projects that are required to build tarantool.
   The project names are stored in the TARANTOOL_DEPENDS variable.

 - static-build/cmake/AddTarantoolProject.cmake
   Should be called after AddDependencyProjects.cmake, because it
   uses the TARANTOOL_DEPENDS variable. Adds the Tarantool external
   project and sets the TARANTOOL_BINARY to the path to the built
   tarantool binary.

 - static-build/cmake/AddTests.cmake
   Should be called after AddTarantoolProject.cmake, because it uses
   the TARANTOOL_BINARY variable. Adds cmake tests for the static
   binary.

Now, static-build/CMakeLists.txt just includes the three helper files.
The helper files are designed in such a way that they can be included
from the EE repository's CMakeLists.txt. We split the original config
into the three helper files, because in the EE repository, we need to
add extra dependency projects and extra tests.

While we are at it, we also move the cmake tests from
static-build/test/static-build to static-build/test and
static-build/test/CheckDependencies.cmake to
static-build/cmake/CheckDependencies.cmake.

This commit introduces no functional changes - it just moves the code.

Needed for https://github.com/tarantool/tarantool-ee/issues/185

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

Since commit f6ea7180 ("Try to load several variants of libssl.")
the digest module uses an internal version of SHA1. Back then, we didn't
link the OpenSSL library. Instead, we tried to load it dynamically.
Since on some distributions the library could be missing, it was decided
to implement an internal version of SHA1, see #405.

However, since commit 59a55740 ("Link against libssl and libcrypto.
Issue #1382") we link the OpenSSL library unconditionally so there's no
need in having an internal implementation of SHA1. Let's drop it and
switch the digest module to the version of SHA1 implemented by the
crypto module using OpenSSL.

Part of #7987

NO_DOC=code cleanup
NO_TEST=code cleanup
NO_CHANGELOG=code cleanup

The `-Wa,--debug-prefix-map` compiler flag breaks GNU-based LTO, and also
we cannot reliably test this feature.

Follow-up 256da010

NO_CHANGELOG=bugfix
NO_DOC=bugfix
NO_TEST=bugfix

`dlsym` is known to be buggy in FreeBSD. See #7640.

NO_DOC=internal
NO_CHANGELOG=internal

See [1] for some details on why the code for log configuration needs
some care. In short log config validity checks are spread thru many
places, on some code paths we use one checks and on other code paths
other checks. And we make repetitive validity checks many times in
runtime on single configure call.

We can also reuse code for setting default values, checking options
type and resetting values to default.

- As a side effect of refactoring one can now reset values to default thru
  `log.cfg()` so now `log.cfg()` is on par with `box.cfg` in this respect.

- This patch also drops conversion `log_level` from string to number.

  Before (shorten):

    tarantool> box.cfg{log_level='warn'}
    tarantool> box.cfg.log_level
    - info
    tarantool> log.cfg.level
    - 5

  Also:
    tarantool> log.cfg{level='info'}
    tarantool> log.cfg.level
    - 5
    tarantool> box.cfg{}
    tarantool> box.cfg.log_level
    - 5

  After patch if `log_level`/`level` is given as string than it is saved
  and returned as string too. I guess it should not affect users but looks
  more handy.

- Also fixed issue with inconsistent setting `log_nonblock` thru
  `box.cfg()` and `log.cfg()`. In former case `nil` means setting default
  depending on logger type. In the latter case `nil` meant setting
  `nonblock` to `false`.

- Also patch fixes #7447.

Closes #7447.

[1] PR for this refactoring
https://github.com/tarantool/tarantool/pull/7454

NO_DOC=refactoring/tiny API improvemnent

Since our diagnostics use the `__FILE__` macro, they provide absolute
paths, which is kind of redundant and inconsistent: replace them with
relative ones.

As for debugging information, replacing absolute paths with relative ones
also requires an extra command to tell the debugger where to find the
source files, which is not convenient for developers: provide a new
`DEV_BUILD` option (turned off by default), which replaces absolute paths
with relative ones in debugging information if turned off.

Strip the prefix map flags from compiler flags exported to tarantool via
`src/trvia/config.h`.

Closes #7808

NO_DOC=<verbosity>
NO_TEST=<verbosity>

Setting hardening compiler flags is used in three places: default build,
static build and enterprise build — refactor it into a separate module.

Follow-up e6abe1c9

NO_CHANGELOG=refactoring
NO_DOC=refactoring
NO_TEST=refactoring

Introduce cmake option ENABLE_HARDENING, which is TRUE by default for
non-debug regular and static builds, excluding AArch64 and FreeBSD.
It passess compiler flags that harden Tarantool (including the bundled
libraries) against memory corruption attacks. The following flags are
passed:

* -Wformat - Check calls to printf and scanf, etc., to make sure that
  the arguments supplied have types appropriate to the format string
  specified.

* -Wformat-security -Werror=format-security - Warn about uses of format
  functions that represent possible security problems. And make the
  warning into an error.

* -fstack-protector-strong - Emit extra code to check for buffer
  overflows, such as stack smashing attacks.

* -fPIC -pie - Generate position-independent code (PIC). It allows to
  take advantage of the Address Space Layout Randomization (ASLR).

* -z relro -z now - Resolve all dynamically linked functions at the
  beginning of the execution, and then make the GOT read-only.

Also do not disable hardening for Debian and RPM-based Linux distros.

Closes #5372
Closes #7536

NO_DOC=build
NO_TEST=build

Currently `make` in `static-build` doesn't rebuild Tarantool when source
files are changed. Fix this by setting BUILD_ALWAYS option, which forces
rescan for changes of the external project [1]:

> This option is not normally needed unless developers are expected to
> modify something the external project's build depends on in a way that
> is not detectable via the step target dependencies (e.g. SOURCE_DIR is
> used without a download method and developers might modify the sources
> in SOURCE_DIR).

It is available since CMake 3.1, so update cmake_minimum_required, as we
already require it (fa8d70ca).

[1] https://cmake.org/cmake/help/latest/module/ExternalProject.html

Part of #7536

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=minor

Commit ed16c1e5 ("build: fix bundled
libcurl and c-ares build on OS X") fixed building libcurl with ares by
adding a dependency on libresolv for Mac OS X. It was forgotten to add
libresolv to check-dependencies exceptions for static build. Do this now.

NO_DOC=CI stuff
NO_TEST=CI stuff
NO_CHANGELOG=CI stuff

NO_DOC=build
NO_TEST=build

The static build for Linux leans on glibc provided iconv functions. On
Mac OS it links GNU libiconv statically. This patch updates the libiconv
version from 1.16 (released in 2019) to 1.17 (released in 2022).

It is just regular maintenance update. No behaviour changes are
expected. The libiconv 1.17 changelog (see the NEWS file in the archive)
does not mention anything that may have influence on behavior of
tarantool's iconv built-in module.

NO_DOC=no user-visible changes
NO_TEST=no user-visible changes
NO_CHANGELOG=no user-visible changes

Without `-isysroot <SDK_PATH>` the build fails:

```
/Library/Developer/CommandLineTools/usr/bin/make[4]: Making `all' in   \
    `makeconv'
/Library/Developer/CommandLineTools/usr/bin/c++ -O2 -W -Wall -pedantic \
    -Wpointer-arith -Wwrite-strings -Wno-long-long -std=c++11          \
    -Wno-ambiguous-reversed-operator     -o ../../bin/makeconv         \
    gencnvex.o genmbcs.o makeconv.o ucnvstat.o -L../../lib -licutu     \
    -L../../lib -licui18n -L../../lib -licuuc -L../../stubdata         \
    -licudata -lpthread -lm
ld: library not found for -lpthread
clang: error: linker command failed with exit code 1 (use -v to see    \
    invocation)
```

ICU is written on C++, so we should pass `CXXFLAGS`, not only `CFLAGS`.

Note: `CPPFLAGS` stands for C preprocessor flags, not C++ flags.

Fixes #7459

NO_DOC=it fixes a build failure for one of build types, nothing to
       document
NO_TEST=it will be tested in a next commit by enabling corresponding
        GitHub Action workflow

Just regular update to bring readline security fixes into tarantool.

Added a patch to fix file descriptor leak with zero-length history file.

Source of patch: https://ftp.gnu.org/gnu/readline/readline-8.0-patches/
Announcement: https://lists.gnu.org/archive/html/bug-readline/2019-08/msg00004.html

NO_TEST=security update of a dependency
NO_DOC=security update of a dependency

Just regular update to bring ncurses security fixes into tarantool.

New version brings a number of functional and security fixes:
- ncurses 6.3 before patch 20220416 has an out-of-bounds read and
segmentation violation in convert_strings in tinfo/read_entry.c in the
terminfo library (CVE-2022-29458).
- ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based
buffer overflow (CVE-2021-39537).

CVE-2022-29458 Detail: https://nvd.nist.gov/vuln/detail/CVE-2022-29458
CVE-2021-39537 Detail: https://nvd.nist.gov/vuln/detail/CVE-2021-39537
Release announcement: https://lists.gnu.org/archive/html/bug-ncurses/2022-07/msg00008.html

NOTE: Build system uses a link to tarball on a local storage instead of
official mirror [1].

1. https://invisible-mirror.net/archives/ncurses/current/

NO_TEST=security update of a dependency
NO_DOC=security update of a dependency

Just regular update to bring openssl security fixes into tarantool.

Added a patch for Mac OS to fix a build failure, see
https://github.com/openssl/openssl/issues/18720.

Changelog: https://www.openssl.org/news/cl111.txt
Vulnerabilities: https://www.openssl.org/news/vulnerabilities.html

NO_TEST=security update of a dependency
NO_DOC=security update of a dependency

Just regular update to bring openssl security fixes into tarantool.

Fixes #6947

NO_TEST=security update of a dependency
NO_DOC=security update of a dependency

This patch updates libicu version to 71.1.
See changelog for details (https://icu.unicode.org/download/71).
The main reason to do that is a bug in datetime parsing that was
found using icu-date module (tarantool/icu-date#27)
and was fixed in linicu upstream
(https://unicode-org.atlassian.net/browse/ICU-21802).

NO_DOC=build
NO_TEST=build

Use a new storage bucket, made specifically for open-source
third-party software distributions.

NO_DOC=testing
NO_TEST=testing
NO_CHANGELOG=testing

zlib.net is unavailable, so we have to download zlib distributions
from a backup storage on VKCS S3.

NO_DOC=testing
NO_TEST=testing
NO_CHANGELOG=testing

Investigation of GNU libunwind problems on the aarch64-linux-gnu
platform drive us to the conclusion that libunwind-1.2.1 provided by
major distribution packages is broken. Not to mention that its test
suite fails with SEGFAULTs.

Last but not least, some distributions, e.g. CentOS 8 (see #4611) do
not provide a libunwind package.

Hence, bundle libunwind: bundling is enabled by default on all
platforms, except for macOS — a system package can be used if its
version is greater or equal than 1.3.0 (minimal version that does not
seem to be broken on aarch64-linux-gnu).

* Add new submodule: bump it to current master.
* Refactor libunwind package search logic out of compiler.cmake.
* Add CMake script for building bundled libunwind.
* Add CMake script for extracting version of libunwind.
* Re-enable backtrace for all RHEL distributions by default.
* Remove libunwind from static build.

Needed for #4002
Closes #4611

NO_DOC=build system
NO_TEST=build system

Fix static build for macOS 11.5 or higher.
On macOS SDK ver. 11.5 some `*.dylib` files was replaced with `*.tbd`.
So we replace `libunwind.dylib` on `libunwind.tbd`.
Because of macOS 10.15 support being dropped
conditional is not needed.

Closes #6052