  1. Sep 11, 2023
    • box: fix out of bound write in error_payload_destroy() · 454ffd13
      Ilya Verbin authored
      If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes
      are allocated for `struct error_field` in error_payload_prepare(). However,
      the size of this structure is 16 because of the padding for the alignment.
      Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.
      
      Closes #9098
      
      NO_DOC=bugfix
      454ffd13
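The size mismatch this commit message describes, as an added example that is not code from the Tarantool repository. The structure layout and the names `struct field`, `field_size_naive`, `field_size_safe` and `poison_overrun` are assumptions modelled on the message, the `memset` stands in for TRASH(), and the numbers assume an LP64 platform; clamping the allocation to `sizeof` is one possible fix, not necessarily the one the commit applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout, modelled on the commit message (not the project's code):
 * a fixed header followed by a flexible array holding "name\0" and then the
 * value bytes. On LP64, offsetof(name) is 12 while sizeof is 16 (padding). */
struct field {
	char *data;    /* points into the tail, at the value bytes */
	uint32_t size; /* value size in bytes */
	char name[];   /* NUL-terminated name, then the value */
};

/* Allocation size as the message describes it: header up to the flexible
 * member, plus name, terminator, value and extra bytes. */
static size_t field_size_naive(const char *name, uint32_t value_size, size_t extra)
{
	return offsetof(struct field, name) + strlen(name) + 1 + value_size + extra;
}

/* Hardened size: never smaller than the structure itself, so any
 * whole-struct access (copy, poison, memset) stays inside the block. */
static size_t field_size_safe(const char *name, uint32_t value_size, size_t extra)
{
	size_t n = field_size_naive(name, value_size, extra);
	return n < sizeof(struct field) ? sizeof(struct field) : n;
}

/* Bytes that memset(f, '#', sizeof(*f)) would write past an allocation of
 * alloc_size bytes; 0 means the poison write is in bounds. */
static size_t poison_overrun(size_t alloc_size)
{
	size_t s = sizeof(struct field);
	return s > alloc_size ? s - alloc_size : 0;
}

static struct field *field_new(const char *name, const void *value, uint32_t value_size)
{
	size_t name_len = strlen(name);
	struct field *f = calloc(1, field_size_safe(name, value_size, 0));
	if (f == NULL)
		return NULL;
	memcpy(f->name, name, name_len + 1);
	f->data = f->name + name_len + 1;
	memcpy(f->data, value, value_size);
	f->size = value_size;
	return f;
}

static void field_delete(struct field *f)
{
	/* Stand-in for a TRASH()-style poison of the whole structure. */
	memset(f, '#', sizeof(*f));
	free(f);
}

/* Builds and destroys the smallest field; returns 1 if the contents match. */
static int smallest_field_roundtrip(void)
{
	struct field *f = field_new("a", "x", 1);
	if (f == NULL)
		return 0;
	int ok = strcmp(f->name, "a") == 0 && f->size == 1 && f->data[0] == 'x';
	field_delete(f);
	return ok;
}

int main(void)
{
	size_t naive = field_size_naive("a", 1, 0);
	printf("naive=%zu sizeof=%zu overrun=%zu safe=%zu\n", naive,
	       sizeof(struct field), poison_overrun(naive), field_size_safe("a", 1, 0));
	return smallest_field_roundtrip() ? 0 : 1;
}
```

Building the naive variant with AddressSanitizer is how such a one-byte write past a heap block usually gets noticed, since the allocator's own rounding hides it at run time.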
  2. Sep 08, 2023
    • test/fuzz: add fuzzing test for xrow_header_decode · ae5964aa
      Sergey Bronnikov authored
      The patch adds a fuzzing test for IPROTO decoding function
      xrow_header_decode().
      
      NO_DOC=testing
      NO_CHANGELOG=testing
      ae5964aa
    • config: introduce roles · 52884400
      Mergen Imeev authored
      This patch introduces initial support for roles. Dependencies are not
      currently supported for roles.
      
      Part of #9078
      
      @TarantoolBot document
      Title: Roles
      
      Two new options have been added: "roles" and "roles_cfg". The first one
      is an array and the second one is a map. Each of these can be defined
      per instance, replica set, group, and globally. As with almost all other
      options, with the exception of those defined as 'map', the 'roles'
      option for the lower scope will replace the roles for the higher scope.
      The roles_cfg value, however, is defined as "map", so it will be merged.
      
      The "roles" option defines the roles for each instance. A role is a
      program that runs when a configuration is loaded or reloaded. If a role
      is defined more than once on an instance, it will still only be run
      once. Three functions must be defined in the role: validate(), apply()
      and stop(). Each of these functions should throw an error if it occurs.
      
      The "roles_cfg" option specifies the configuration for each role. In
      this option, the role name is the key and the role configuration is the
      value.
      
      On each run, all roles will be loaded (if necessary) in the order in
      which they were specified; the configuration for each role will then be
      validated using the corresponding validate() function in the same order;
      and then they will all be run with apply() function in the same order.
      If some roles have been removed from the instance, they will be stopped
      in reverse order using the stop() function.
      
      Example of a role structure:
      ```
      local M = {}
      
      -- Validates configuration of the role.
      --
      -- Called on initial configuration apply at startup and on
      -- configuration reload if the role is enabled for the given instance.
      --
      -- The cfg argument may have arbitrary user provided value,
      -- including nil.
      --
      -- Must raise an error if the validation fails.
      function M.validate(cfg)
          -- <...>
      end
      
      -- Applies the given configuration of the role.
      --
      -- Called on initial configuration apply at startup and on
      -- configuration reload if the role is enabled for the given instance.
      --
      -- The cfg argument may have arbitrary user provided value,
      -- including nil.
      --
      -- Must raise an error if the given configuration can't be applied.
      function M.apply(cfg)
          -- <...>
      end
      
      -- Stops the role.
      --
      -- Called on configuration reload if the role was enabled before
      -- and removed now from the list of roles of the given instance.
      --
      -- Should cancel all background fibers and clean up held
      -- resources.
      --
      -- Must raise an error if this action can't be performed.
      function M.stop()
          -- <...>
      end
      
      return M
      ```
      52884400
    • box: drop debug log on tuple new/delete · 0dc37356
      Nikolay Shirokovskiy authored
      They are rather noisy. Also delete debug log on arena creation. These
      two make sense only with each other.
      
      Part of #7327
      
      NO_TEST=internal
      NO_DOC=internal
      NO_CHANGELOG=internal
      0dc37356
  3. Sep 07, 2023
    • lua/fiber: do not raise on printing a dead fiber · 3421a3bd
      Ilya Verbin authored
      An attempt to print a dead fiber raised a fatal error, which is quite
      unexpected. This patch updates __tostring metamethod of fiber_object so
      that it pushes the "fiber: <fid> (dead)" string instead of the error.
      The __serialize metamethod is patched similarly.
      
      Closes #4265
      
      NO_DOC=bugfix
      3421a3bd
    • config: revoke privs for default users and roles · bd73a086
      Gleb Kashkin authored
      All user-defined users and roles are not being removed and their
      privileges are not being revoked when this user or role is removed
      from config. This is done to prevent extreme repercussions of
      misconfiguration, e.g. empty config is provided to cluster and it
      breaks up.
      
      Default users and roles are not supposed to be changed, so this rule
      does not apply to them. Now all of non-default privileges will be
      revoked if such user or role is removed from config.
      
      Default users:
      * guest
      * admin
      
      Default roles:
      * super
      * public
      * replication
      
      Part of #8967
      
      NO_DOC=documentation request will be filed manually for the whole
             credentials
      bd73a086
  4. Sep 06, 2023
    • box: add "leader_name" field to the box.info.election · 307f3c5b
      Astronomax authored
      Prior to this patch, the table had no information about the leader
      other than his id in the "leader" field. It may not be convenient for
      the user to search for a name corresponding to a given id. It is much more
      convenient to see the leader's name in box.info.election.
      
      Closes #8931
      
      @TarantoolBot document
      Title: Document `box.info.election`
      
      box.info.election now contains one more field: `leader_name`: string.
      There are several possible values for this field:
      
       - `nil`, if there is no leader in a cluster.
      
       - `box.NULL`, if there is a leader, but he does not have a name.
      
       - `some string`, if there is a leader and he has a name.
      
      Example:
      
      ```console
      tarantool> box.info.election
      ---
      - leader_idle: 0
        leader_name: node1
        state: leader
        vote: 1
        term: 3
        leader: 1
      ...
      ```
      
      [box-info-election] https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_info/election/
      307f3c5b
    • box: improve error message for constraint violation · a4de12b8
      Ilya Verbin authored
      The wording "Check constraint 'constr_name' failed for tuple" implies that
      the tuple should follow. This patch adds the missed "a" article.
      
      Closes #9045
      
      NO_DOC=minor
      NO_CHANGELOG=minor
      a4de12b8
  5. Sep 05, 2023
    • test: fix flaky gh_7581_downstream_lag_test · dc8973c3
      Nikita Zheleztsov authored
      The test starts the cluster and immediately tries to create a space
      on master. Sometimes it fails with "Can't modify data on a read-only
      instance - it is an orphan" error.
      
      When the instance is not in sync with sufficient number of nodes
      it has orphan status, which means the instance is read-only. Sometimes,
      the instance doesn't have enough time to connect to all instances and
      get out of orphan state.
      
      Let's add waiting until every node is connected to every other node
      in the replica set.
      
      Closes tarantool/tarantool-qa#326
      
      NO_CHANGELOG=test
      NO_DOC=test
      dc8973c3
  6. Sep 04, 2023
    • test/fuzz: fixed ElseIfBlock serialization · 8c1e75e7
      Rimma Tolkacheva authored
      Changed `else if` to `elseif`. There was a typo in the
      serializer that led to unclosed `if` statements.
      
      On a set of 50000 protobuf struct samples generates 863
      (3% of all errors) fewer errors.
      
      NO_CHANGELOG=internal
      NO_DOC=fuzzer fix
      8c1e75e7
    • test/fuzz: add return and break checks · 8df690b8
      Rimma Tolkacheva authored
      Added checks before serializing return and break to program if
      inside returnable or breakable code block.
      
      On a set of 50000 protobuf struct samples generates 11749
      (42% of all errors) fewer errors.
      
      NO_CHANGELOG=internal
      NO_DOC=fuzzer fix
      8df690b8
    • test/fuzz: introduce class Context · b7c65039
      Rimma Tolkacheva authored
      The context object is created to manage the context of Lua program.
      It will be used in the next commit to check if `break` or `return` is
      inside a breakable or returnable code block.
      
      NO_CHANGELOG=internal
      NO_DOC=fuzzer fix
      b7c65039
    • test/config: verify that user/role is not deleted · 754af7a9
      Gleb Kashkin authored
      When the configuration changes and the instance is reloaded with it,
      some roles or users may have been removed from the config. In such case,
      it would be destructive to delete/disable them on the instance, so
      this test checks that all users and roles removed in config stay
      on the instance and keep all the privileges.
      
      Part of #8967
      
      NO_DOC=test
      NO_CHANGELOG=test
      754af7a9
    • test/config: upgrade reload_success_case() helper · f50c9b5d
      Gleb Kashkin authored
      This helper does the following:
      1. starts a server
      2. writes a script/config
      3. verifies invariants
      4. writes a new script/config
      5. reloads
      6. verifies invariants after reload
      
      This patch allows to set not only script, but config too on the step 4,
      before the reload.
      
      Part of #8967
      
      NO_DOC=test helper upgrade
      NO_CHANGELOG=see NO_DOC
      NO_TEST=see NO_DOC
      f50c9b5d
    • test: make treegen.clean more durable · 9b0896d9
      Gleb Kashkin authored
      Usually treegen.clean is called after a test by g.after_all function
      or an equivalent. In some rare cases internal helpers use their own
      treegen and clean up after themselves. In such a case, treegen.clean
      would look for an internal list of all directories and find nil. This
      causes an error in ipairs iteration in internal logic and fails the
      whole test.
      
      This patch adds minor durability improvement for such a case. Now if
      internal list of all directories is nil (e.g. when treegen.clean was
      called beforehand), the function does nothing.
      
      Part of #8967
      
      NO_DOC=test helper update
      NO_CHANGELOG=see NO_DOC
      NO_TEST=see NO_DOC
      9b0896d9
    • box: fully temporary spaces · 70e423e9
      Georgy Moshkin authored
      Introduce fully temporary spaces: same as data-temporary space but with
      temporary metadata. Basically temporary spaces now do not exist on
      restart and do not exist on replicas. They can also be created, altered
      and deleted when box.cfg.read_only = true.
      
      To avoid conflicts with spaces created on replicas, the temporary
      space ids by default start in a special range starting at
      BOX_SPACE_ID_TEMPORARY_MIN.
      
      Temporary spaces currently do not support several features e.g.
      foreign key references (to and from), functional indexes, sql sequences,
      sql triggers, etc. This may change in the future.
      
      Implementing temporary spaces requires temporary tuples to be
      inserted into system spaces: tuples which are neither replicated nor
      persisted. This is mostly done in on_replace_dd_* triggers by dropping the
      txn->stmt->row.
      
      Closes #8323
      
      @TarantoolBot document
      Title: Introduce fully temporary spaces with temporary metadata
      
      Temporary spaces are now data-temporary spaces with temporary metadata.
      Created by specifying { type = "temporary" } in the options.
      Temporary spaces will not exist upon server restart and will not
      exist on replicas. They can also be created in read-only mode.
      70e423e9
    • core: rename temporary spaces to data-temporary · 2375b3a3
      Georgy Moshkin authored
      Everywhere where we refer to temporary spaces we now say data-temporary.
      This is because temporary spaces were never truly temporary because
      their definitions would still be persisted and replicated and they
      couldn't be created on read-only replicas. In a following commit we will
      introduce a new fully temporary type of spaces, which will be just
      called 'temporary', so this commit signifies this terminology change.
      
      NO_DOC=renaming
      NO_CHANGELOG=renaming
      NO_TEST=renaming
      2375b3a3
    • test: increase maximum fiber slice for wal_off tests · 06be32fb
      Ilya Verbin authored
      If a lot of tests are running in parallel, 50 sec limit may not be enough.
      Let's increase it to 120 sec.
      
      Closes tarantool/tarantool-qa#273
      
      NO_DOC=test
      NO_CHANGELOG=test
      06be32fb
  7. Sep 01, 2023
    • lua: provide whether ASAN build in tarantool.build.asan · 23012356
      Nikolay Shirokovskiy authored
      We already use this info in one of the tests and are going to use it more.
      
      Part of #7327
      
      @TarantoolBot document
      Title: new tarantool.build.asan flag
      
      It is `true` if `ENABLE_ASAN` build option is set and `false` otherwise.
      23012356
    • vinyl: add statistic for total size of memory occupied by tuples · 6606d587
      Vladimir Davydov authored
      Vinyl tuples returned to the user are allocated with malloc. They may be
      pinned by Lua indefinitely. Currently, there's no way to figure out how
      much memory is occupied by these tuples. This commit adds a statistic to
      box.stat.vinyl() that accounts them.
      
      Closes #8485
      
      @TarantoolBot document
      Title: Document `memory.tuple` statistic of `box.stat.vinyl()`
      
      The new statistic shows the total size of memory in bytes occupied by
      Vinyl tuples. It includes cached tuples and tuples pinned by the Lua
      world.
      6606d587
  8. Aug 30, 2023
    • box: fix schema upgrade replication · a5d7f342
      Vladimir Davydov authored
      Commit 97c2c9a4 ("box: disable DDL with old schema") added a check
      to the on-replace trigger installed on all system spaces that fails the
      operation if the schema version is outdated unless it's recovery time or
      the operation was issued by the fiber performing a schema upgrade.
      
      This new check breaks the replication use case:
      
       1. Tarantool binary is updated on all instances to a version that
          requires a newer schema - OK.
       2. box.schema.upgrade() is called on the master instance - OK.
       3. Operations performed by the master to upgrade the schema are
          replicated to the replicas - FAIL.
      
      To fix this issue, let's bypass the schema version check for applier
      fibers.
      
      Follow-up #7149
      Closes #9048
      
      NO_DOC=bug fix
      NO_CHANGELOG=unreleased
      a5d7f342
  9. Aug 29, 2023
    • test: fix flaky box.cfg() env vars test · dfa67ae6
      Alexander Turenko authored
      The test starts a child tarantool instance in the current working
      directory and runs box.cfg(). The current working directory is a source
      directory. test-run.py runs many tests from it in parallel and in some
      circumstances it appears that the directory is locked by some other
      box.cfg() call from some other tarantool instance (maybe another test is
      doing the same).
      
      The test is rewritten to use a temporary directory for such runs.
      
      The test.interactive_tarantool helper is used for convenience instead of
      a popen wrapper that is written specifically for the test.
      
      NO_DOC=It is a fix of a test.
      NO_CHANGELOG=see NO_DOC
      dfa67ae6
    • test: disable ASAN for box/tx_man.test.lua · 8c7da931
      Ilya Verbin authored
      For some unknown reason ASAN crashes with SIGSEGV on this test during
      shutdown. See tarantool/tarantool-qa#324 for details.
      
      NO_DOC=test
      NO_CHANGELOG=test
      8c7da931
  10. Aug 28, 2023
    • test: add error rethrow to :read_response() in `it` · 793713e6
      Gleb Kashkin authored
      Before this patch interactive_tarantool `:read_response()` helper used
      to just deserialise Lua errors as tables like `[{error = 'msg'}]`.
      Now it checks if response is actually an error and rethrows it.
      This provides additional verification for many tests that use
      interactive_tarantool.
      
      This patch is a followup to commit 261a21bd ("test/config: adjust
      initial permissions in a test"). It provides additional output checks
      to prevent similar issues.
      
      Part of #8967
      
      NO_DOC=test helper update
      NO_CHANGELOG=test helper update
      NO_TEST=test helper update
      793713e6
    • fiber: fix heap-buffer-overflow in fiber_stack_watermark_create · 750e4890
      Nikolay Shirokovskiy authored
      Fiber flags are initialized after fiber stack creation. As a result,
      the check for custom stack in fiber_stack_watermark_create currently does
      not work. This leads to heap-buffer-overflow on putting watermark
      if custom stack size is less than FIBER_STACK_SIZE_WATERMARK.
      
      Close #9026
      
      NO_DOC=bugfix
      750e4890
  11. Aug 25, 2023
  12. Aug 24, 2023
    • box: fix memory leak on error_unpack_unsafe() failure · b367fb98
      Ilya Verbin authored
      Memory is leaked in the following scenario:
      - MP_ERROR_STACK with 2 errors is passed to error_unpack_unsafe():
        1. A correct MP_MAP with MP_ERROR_* fields;
        2. Something unexpected, e.g. MP_INT;
      - This first call to mp_decode_error_one() allocates memory for the first
        error in error_build_xc() -> `new ClientError()`;
      - The second call to mp_decode_error_one() returns NULL, and
        error_unpack_unsafe() returns NULL too. Memory from the previous step
        is leaked.
      
      Closes #8921
      
      NO_DOC=bugfix
      b367fb98
    • lua: introduce module trigger · 7f392d75
      Andrey Saranchin authored
      The patch introduces Lua module trigger, which allows to set, delete and
      call triggers from event registry.
      
      Closes #8656
      
      NO_DOC=later
      7f392d75
    • lua: introduce func_adapter_lua_get_func method · dba0ec0d
      Andrey Saranchin authored
      Future module trigger will allow user to call triggers from Lua. We have
      function adapter to call an abstract function from any language, but
      it's convenient to call Lua functions directly when they are called from
      Lua, so let's add a method that allows to get underlying Lua function (or
      another callable object).
      
      NO_CHANGELOG=internal
      NO_DOC=internal
      dba0ec0d
    • core: introduce event subsystem · 5e890b6a
      Andrey Saranchin authored
      The patch introduces new event subsystem. This subsystem is designed to
      store user-defined triggers and has nothing in common with core triggers.
      
      Each trigger has its own name and is represented by func_adapter.
      Triggers are stored in events - named wrappers over rlist. Event objects
      are opaque, hence rlist field should not be used directly - event
      provides event_find_trigger, event_reset_triggers methods and
      event_trigger_iterator. Iterator provides stable iteration and all the
      non-deleted triggers will surely be traversed.
      
      On the way to the goal this patch also fixes include list in func_adapter.h.
      
      Part of #8656
      
      NO_CHANGELOG=internal
      NO_DOC=internal
      5e890b6a
    • box: validate key_def->part_count prior to memory allocation · ef9e3320
      Ilya Verbin authored
      part_count was checked in index_def_check(), which was called too late.
      Before that check:
      1. `malloc(sizeof(*part_def) * part_count)` can fail for huge part_count;
      2. key_def_new() can crash for zero part_count because of out of bound
         access in:
      
      NO_WRAP
         - #1 key_def_contains_sequential_parts (def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:26
         - #2 key_def_set_extract_func (key_def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:442
         - #3 key_def_set_func (def=0x5555561a2ef0) at src/box/key_def.c:162
         - #4 key_def_new (parts=0x7fffc4001350, part_count=0, for_func_index=false) at src/box/key_def.c:320
      NO_WRAP
      
      Closes #8688
      
      NO_DOC=bugfix
      ef9e3320
    • election: fix box.ctl.demote() nop in off-mode · 1afe2274
      Vladislav Shpilevoy authored
      box.ctl.demote() used not to do anything with election_mode='off'
      if the synchro queue didn't belong to the caller in the same term
      as the election state.
      
      The reason could be that if the synchro queue term is "outdated",
      there is no guarantee that some other instance doesn't own it in
      the latest term right now.
      
      The "problem" is that this could be workarounded easily by just
      calling promote + demote together.
      
      There isn't much sense in fixing it for the off-mode because the
      only reasons off-mode exists are 1) for people who don't use
      synchro at all, 2) who did use it and want to stop. Hence they
      need demote just to disown the queue.
      
      The patch "legalizes" the mentioned workaround by allowing to
      perform demote in off-mode even if the synchro queue term is old.
      
      Closes #6860
      
      NO_DOC=bugfix
      1afe2274
  13. Aug 23, 2023
    • sql: refactor update_view_references a bit · 392fe93a
      Aleksandr Lyapunov authored
      The function update_view_references is called when an SQL view
      is created or dropped. The goal of this function is to modify
      (increment or decrement) view_ref_count member of spaces that
      the view references.
      
      There were several issues that deserve to be refactored:
      * By design in case of error it left the job partially done, so
        some space references were modified while some other - not.
        Although there was no bug since special steps were made in case
        of error, this pattern is inconvenient and should be avoided.
      * In case of error the failing space name was returned via special
        argument which is not flexible and even requires allocation.
      * Another argument - suppress_error - has actually never
        suppressed any error because the only case when an error could
        occur is creation of a view, which used suppress_error = false.
      * Fail of that function was not actually covered with tests.
      
      So this commit:
      * Makes the function to do all or nothing.
      * Forces the function to set diag by itself in case of error.
      * Removes suppress_error argument while adding several asserts.
      * Adds a small test that fulfills coverage.
      
      NO_DOC=refactoring
      NO_CHANGELOG=refactoring
      392fe93a
    • test/config: adjust initial permissions in a test · 261a21bd
      Alexander Turenko authored
      The test gives some initial permissions for a newly created user. Then,
      it synchronizes the permissions with ones that are given in the new
      configuration format. The resulting permissions should be the same as
      described in the configuration (plus defaults).
      
      The code that grants the initial permissions has a typo in one of the
      permission descriptions, so it is not granted (and this error is
      silently ignored). It doesn't affect the test case successfulness,
      because this permission is anyway expected to be revoked by the
      synchronization.
      
      The patch fixes the initial privilege granting code and makes the test
      actually verify that the given permission is revoked.
      
      Part of #8967
      
      NO_DOC=It is a fix of a test.
      NO_CHANGELOG=see NO_DOC
      261a21bd