- Feb 15, 2023
-
-
Nikita Zheleztsov authored
According to the business logic and assertions `idx` and `data32` variables cannot be equal to NULL at the same time. However, we cannot rely on assertions. Let's check that explicitly. If this situation occurs somehow the function exits as we cannot recover from this situation: we don't have sources, from which values for enumeration can be taken. Moreover, continuing of the code execution in such a situation may lead to accessing NULL if `c<limit`. Closes tarantool/security#59 NO_CHANGELOG=<security fix> NO_DOC=<security fix> NO_TEST=<third-party security fix> (cherry picked from commit 73b01ea5)
-
Ilya Verbin authored
Bump the small submodule and use small_getpagesize(), which is a wrapper over sysconf(_SC_PAGESIZE) with a proper error checking. Closes tarantool/security#78 NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring (cherry picked from commit 7932144d)
-
Ilya Verbin authored
obuf_alloc(&log->zbuf, XLOG_FIXHEADER_SIZE) can potentially fail, because there is no obuf_reserve() prior to it. Closes tarantool/security#74 NO_DOC=bugfix NO_CHANGELOG=bugfix NO_TEST=no test harness for checking OOM (cherry picked from commit 32dfcb3c)
-
Vladimir Davydov authored
The YAML serializer fails to detect aliases in objects returned by the __serialize method:

```
tarantool> x = {}
---
...

tarantool> {a = x, b = x}
---
- a: &0 []
  b: *0
...

tarantool> setmetatable({}, {
         >     __serialize = function() return {a = x, b = x} end,
         > })
---
- a: []
  b: []
...
```

Fix this by scanning the object returned by the __serialize method (called by luaL_checkfield) for references.

Closes #8240 NO_DOC=bug fix (cherry picked from commit b42302f5)
-
Vladimir Davydov authored
The YAML format supports aliasing - if the same object is referenced more than once, it will be encoded in one place with other places being turned to references:

```
tarantool> x = {}
---
...

tarantool> {a = x, b = x}
---
- a: &0 []
  b: *0
...
```

This feature is useful for dumping a space list (e.g. box.space) to the console, because each space is referenced by name and id.

However, it doesn't work if the referenced object implements the __serialize method:

```
tarantool> x = setmetatable({}, {
         >     __serialize = function() return {} end,
         > })
---
...

tarantool> {a = x, b = x}
---
- a: []
  b: []
...
```

This happens because we check for aliases in dump_array and dump_table (with get_yaml_anchor), after calling the __serialize method via luaL_checkfield. Since the __serialize method may (and usually does) return a different object on each invocation, aliases aren't detected.

Let's fix it by calling alias detection (get_yaml_anchor) before luaL_checkfield and passing the anchor to dump_table/dump_array.

Needed for https://github.com/tarantool/tarantool-ee/issues/221 Part of #8240 NO_DOC=bug fix NO_CHANGELOG=next commit (cherry picked from commit 310de56f)
-
- Feb 14, 2023
-
-
Alexander Turenko authored
It was possible to execute arbitrary Lua code outside of the setfenv() environment. Example:

NO_WRAP
```lua
tarantool> box.cfg{replication_synchro_quorum = [=[N / 2 + 1]] _G.test = true --[[]=]}
tarantool> test
---
- true
...
```
NO_WRAP

How it works:

```lua
local expr = [[%s]]
```

Let's assume that `%s` is replaced by `]]<..code..>--[[`. The result is the following (newlines are added for readability):

```lua
local expr = [[]]
<..code..>
--[[]]
```

This code is executed outside of the setfenv() protected function.

The fix is to pass the expression as an argument instead of using `snprintf()`.

Fixes https://github.com/tarantool/security/issues/20 Fixes GHSA-74jr-2fq7-vp42 NO_DOC=bugfix
-
Ilya Verbin authored
Sometimes the return value of cfg_gets() is checked for NULL, and sometimes not. Actually this is intended, although a bit confusing. If an option can have a nil value, it must be checked for NULL, but if it can't be nil, there is no sense in it. The nil value can be assigned only by default, it cannot be set via box.cfg{}. This patch removes the NULL checks for cfg_gets("election_mode") and cfg_gets("election_fencing_mode") because they are not nil by default. All other non-nil options (e.g. cfg_gets("bootstrap_strategy")) are already implemented without the NULL checks. Follow-up tarantool/security#75 NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring (cherry picked from commit 5a2dc43c)
-
- Feb 13, 2023
-
-
Georgiy Lebedev authored
`mpstream_encode_double`, apparently, has a typo: the result of `mpstream_reserve` is checked after encoding the double into the result buffer — fix it. Closes tarantool/security#63 NO_DOC=bug fix NO_CHANGELOG=see NO_TEST NO_TEST=unlikely to happen because malloc shouldn't normally fail, and we don't test other mpstream methods for OOM either (cherry picked from commit ccf3130c)
-
Vladimir Davydov authored
- Use tabs instead of spaces as we usually do.
- Drop pointless conversion of (void *) to (char *).
- Add missing comments to struct mpstream members.
- Cleanup header list.
- Use short licence.

NO_DOC=code cleanup NO_TEST=code cleanup NO_CHANGELOG=code cleanup (cherry picked from commit c2b76592)
-
Georgiy Lebedev authored
`fiber_new_system` can potentially fail — its return value for the watcher fiber must be checked and an exception must be raised in case it does fail. Closes tarantool/security#87 NO_CHANGELOG=<security fix> NO_DOC=<security fix> NO_TEST=<no test harness for checking OOM> (cherry picked from commit e9fad4c7)
-
Mergen Imeev authored
This patch fixes an issue with checking the result of sql_get_coll_seq() in sql_expr_coll(). This fix only changes the error if the collation combination is invalid because sql_get_coll_seq() sets the is_aborted flag and error will be thrown in any case. Closes tarantool/security#80 NO_DOC=change of returned error in rare case NO_CHANGELOG=change of returned error in rare case (cherry picked from commit e9f1beab)
-
Georgiy Lebedev authored
`set_client_ciphersuite` can potentially dereference NULL if the session's cipher is not set — add a check for this condition. Closes tarantool/security#27 NO_CHANGELOG=<security fix> NO_DOC=<security fix> NO_TEST=<third-party security fix> (cherry picked from commit a8c6c27c)
-
Serge Petrenko authored
The main cord's event loop is initialized by fiber_init(), but for some reason successful initialization is only checked in main() after other initialization code might try to use the event loop already. For example, some of the loop users are coio_enable(), signal_init(), tarantool_lua_init(), and they are all run before we actually check that loop is not NULL. Closes tarantool/security#28 NO_DOC=code health NO_TEST=code health NO_CHANGELOG=code health (cherry picked from commit 579ac6d3)
-
Mergen Imeev authored
This patch replaces malloc() with xmalloc() in key_def_dup() to avoid the possibility of skipping the malloc() return value check. Closes tarantool/security#81 NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring (cherry picked from commit 8ca94313)
-
Vladimir Davydov authored
The problem is if cat fails, because a patch file doesn't exist, PATCH_COMMAND written like this won't detect it, because the last command (patch) will complete successfully (apply existing patches found by cat):

```
cat XXX.patch YYY.patch | patch -p1
```

The proper way is to use PATCH_COMMAND continuation:

```
PATCH_COMMAND patch -p1 -i XXX.patch
COMMAND patch -p1 -i YYY.patch
```

NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit 9549310d)
-
- Feb 10, 2023
-
-
Yaroslav Lobankov authored
- Drop testing for macOS 11 since macOS 13 is now available
- Add missing testing for macOS 12:
  - debug build (x86_64)
  - debug, release, and static-cmake builds (aarch64)
- Add testing for macOS 13:
  - debug, release, release-lto, and static-cmake builds (x86_64)
  - debug, release, release-lto, and static-cmake builds (aarch64)

Closes #6739 Closes tarantool/tarantool-qa#301 NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci (cherry picked from commit a13504d8)
-
Pavel Balaev authored
tls_construct_ctos_session_ticket() has a potential NULL pointer dereference. Closes tarantool/security#54 NO_DOC=security NO_TEST=security NO_CHANGELOG=security (cherry picked from commit 639ec224)
-
Andrey Saranchin authored
Now, delete in ephemeral space is obviously incorrect - if we try to delete a tuple, which is not present in index, NULL dereference will happen. Fortunately, ephemeral spaces are used for internal purposes only, so, most likely, this never happens. Let's fix this part not to confuse code analyzers. Closes https://github.com/tarantool/security/issues/38 NO_TEST=shouldn't normally happen NO_CHANGELOG=shouldn't normally happen NO_DOC=shouldn't normally happen (cherry picked from commit a2d5e54e)
-
Vladimir Davydov authored
Sometimes, we only need to test static-build, e.g. when we apply a patch to a third party sub-project. Let's introduce a new label to run the ci checks faster in this case. NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci (cherry picked from commit 09a77cd7)
-
Vladimir Davydov authored
We're going to add a whole bunch of them. Putting them all in a sub-directory will help keeping the file tree organized. Note, we have to update .gitignore so that the patches/ sub-directory is ignored only at the top level (it's used by quilt). NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit b8ec809e)
-
- Feb 09, 2023
-
-
Ilya Verbin authored
This is useful for example for the analysis of performance complaints from users, when they claim that one version of Tarantool is slower than another, in fact comparing debug and release builds. NO_DOC=minor change NO_TEST=minor change (cherry picked from commit 45576088)
-
- Feb 08, 2023
-
-
Ilya Verbin authored
When log format is JSON and a Lua table is written to the log, such messages are saved by the flight recorder as a "json" string. Fix it. Part of tarantool/tarantool-ee#325 NO_DOC=bugfix NO_TEST=will be added to EE, because there is no flightrec in CE NO_CHANGELOG=will be added to EE, because there is no flightrec in CE
-
- Feb 07, 2023
-
-
Georgiy Lebedev authored
Bitset index size calculation uses the cardinality of the 'flag' bitset, but when the bitset index is empty, i.e., uninitialized, the 'flag' bitset is not allocated, hence we should simply return 0. Closes #5809 NO_DOC=bugfix (cherry picked from commit d542a01a)
-
- Feb 06, 2023
-
-
Oleg Chaplashkin authored
After adding the autorequiring luatest [1,2], there is no need to use the following approach now:

```
local t = require('luatest')
local g = t.group()

server:exec(function()
    local t = require('luatest') -- duplicate
    t.assert(...)
end)
```

Modern approach looks like:

```
local t = require('luatest')
local g = t.group()

-- `t` already available in the remote server
server:exec(function()
    t.assert(...)
end)

-- also it works with any variable
local my_custom_t = require('luatest')

server:exec(function()
    my_custom_t.assert(...) -- already available
end)
```

[1] tarantool/luatest#277
[2] tarantool/luatest#289

Part of tarantool/luatest#233 NO_DOC=test fix NO_TEST=test fix NO_CHANGELOG=test fix (cherry picked from commit 98dd8e69)
-
Nikita Zheleztsov authored
We didn't take into consideration the fact, that precision value passed to control the width of nanoseconds part in datetime_object:format could be more than maximum positive value, integer may have. Currently it leads to segfault.

```
tarantool> require('datetime').new{}:format('%2147483648f')
```

We should check errno in order to find out, if overflow occurs. The problem is the fact, that `width` variable must have int type due to snprintf requirements ("%*d") and strtol returns long. Errno won't be set if returned value is in bounds [INT_MAX, LONG_MAX], but it will overflow int resulting in inconsistent behavior.

So, let's save the result of strtol to the temp value. If this value doesn't belong to the above-mentioned set, or errno was set, we assign to `width` maximum value, it may have: 9.

Closes tarantool/security#31 NO_DOC=bugfix (cherry picked from commit b6159217)
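
The width check this commit message describes, as an added C example that is not Tarantool's own code: the `strtol()` result is kept in a `long` and range-checked before it becomes the `int` that `"%*d"` requires. The names `parse_nsec_width` and `format_nsec`, the default for a missing number, and the zero-padded output are assumptions made for the illustration; only the cap of 9 comes from the message.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* The commit message gives 9 as the maximum width. */
enum { MAX_NSEC_WIDTH = 9 };

/*
 * Hypothetical helper: parse the decimal width at `s` (the text after
 * '%'). The strtol() result stays in a long until it is range-checked,
 * so a value above INT_MAX that fits in a long, for which errno is not
 * set, never reaches an int. Overflow, negative and oversized values
 * all fall back to MAX_NSEC_WIDTH; so does a missing number (assumed
 * default). *end, if given, is set past the parsed digits.
 */
static int
parse_nsec_width(const char *s, const char **end)
{
	char *stop;
	errno = 0;
	long tmp = strtol(s, &stop, 10);
	if (end != NULL)
		*end = stop;
	if (stop == s || errno != 0 || tmp < 0 || tmp > MAX_NSEC_WIDTH)
		return MAX_NSEC_WIDTH;
	return (int)tmp;
}

/*
 * Simplified consumer: zero-pad `nsec` to the parsed width with "%0*d",
 * which is why the width has to be a checked int. Returns snprintf()'s
 * result, or -1 if the spec does not end in 'f'.
 */
static int
format_nsec(char *buf, size_t size, int nsec, const char *spec)
{
	const char *end;
	int width = parse_nsec_width(spec, &end);
	if (*end != 'f')
		return -1;
	return snprintf(buf, size, "%0*d", width, nsec);
}

int
main(void)
{
	/* Constructed inputs: the text that follows '%' in a format string. */
	const char *specs[] = {"3f", "f", "2147483648f",
			       "99999999999999999999f", "-1f"};
	char buf[32];
	for (size_t i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		int n = format_nsec(buf, sizeof(buf), 42, specs[i]);
		printf("%%%s -> %d chars: \"%s\"\n", specs[i], n, buf);
	}
	return 0;
}
```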
-
Mergen Imeev authored
This patch fixes some possible bugs that may occur due to malloc failure. Closes tarantool/security#65 Closes tarantool/security#66 Closes tarantool/security#68 NO_DOC=bugfix NO_TEST=hard to reproduce due to malloc() failure being an unusual case
-
- Feb 03, 2023
-
-
Yaroslav Lobankov authored
To improve the stability of the tests, let's use unix sockets for iproto connection instead of ports. NO_DOC=testing stuff NO_TEST=testing stuff NO_CHANGELOG=testing stuff (cherry picked from commit 65f66a6a)
-
- Feb 02, 2023
-
-
Yaroslav Lobankov authored
Bump test-run to new version with the following improvements:

- Bump luatest to 0.5.7-25-g9e117e6 [1]

[1] tarantool/test-run@7c77fcb

NO_DOC=testing stuff NO_TEST=testing stuff NO_CHANGELOG=testing stuff (cherry picked from commit 4334862f)
-
Vladimir Davydov authored
Bump test-run to new version with the following improvements:

- Bump luatest to 0.5.7-24-g8de38b3 [1] [2]
- Add ignore_zero option to get_vclock [3]

[1] https://github.com/tarantool/test-run/pull/370
[2] https://github.com/tarantool/test-run/pull/368
[3] https://github.com/tarantool/test-run/pull/367

NO_DOC=testing stuff NO_TEST=testing stuff NO_CHANGELOG=testing stuff (cherry picked from commit 764299c1)
-
Igor Munkin authored
As a result of the commit 98fcd437 ("ci: add CMAKE_EXTRA_PARAMS to LuaJIT workflow") both <inputs.buildtype> and <inputs.GC64> parameters have become obsolete. All jobs with LuaJIT integration testing have started to use these in scope of the commit tarantool/luajit@5b53850da30e532ced976e95af1f301667a6a272 ("ci: use CMAKE_EXTRA_PARAMS in LuaJIT integration"). Hence, the value of <inputs.CMAKE_EXTRA_PARAMS> has to be used to specify the build flavor, so <inputs.buildtype> and <inputs.GC64> can be dropped later. NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci Reviewed-by: Yaroslav Lobankov <y.lobankov@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org> (cherry picked from commit 7c5cc681)
-
Igor Munkin authored
As a result of the commit 1eb0a696 ("ci: change runner dispatch for LuaJIT testing") <inputs.host> parameter has become obsolete. The testing workflow has been updated in scope of the commit tarantool/luajit@fcaecf8fb42ff8a35582fbd8d034eb6f3b9b5b68 ("ci: use strategy matrix for integration workflow"). Hence, the only changes required to finish the transition from <inputs.host> to <inputs.arch> + <inputs.os> are the following:

* Drop <inputs.host> parameter from the LuaJIT integration workflow
* Make both <inputs.arch> and <inputs.os> parameters obligatory

Besides, there is no need to obtain the kernel name and the machine hardware name in scope of the separate workflow step, since all info needed to be passed to .test.mk is already passed via workflow inputs. Anyway, .test.mk needs to be adjusted to the values used for the new workflow parameters.

NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci Reviewed-by: Yaroslav Lobankov <y.lobankov@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org> (cherry picked from commit fdf45222)
-
Igor Munkin authored
Before the patch the LuaJIT integration workflow was dispatched to the runner with the name given via <inputs.host> parameter. Unfortunately, as a result of runners renaming we can't continue to dispatch the workflow this way.

As a result of the patch there are two new workflow parameters: <inputs.arch> to pass the host architecture name (i.e. x86_64 or ARM64) and <inputs.os> to pass the OS family name (either Linux or macOS). Considering two values we can choose the proper runner in LuaJIT integration workflow. Besides, this change brings LuaJIT CI closer to matrix usage for its integration workflow.

All three workflow parameters are not obligatory for now to avoid tarantool/luajit CI break on both long-term and working branches. When all branches are rebased on the new approach, <inputs.host> parameter will be removed and both <inputs.arch> and <inputs.os> will become obligatory.

Moreover, the new 'regular' label is also added to <runs-on> list, since the new "lightweight" runners have been introduced to ghacts-shared-* pool. There are a couple of LuaJIT tests that require more memory than provided by "lightweight" runners, so only "regular" ones need to be chosen for LuaJIT integration testing.

Last but not least: attentive reader might notice there are strange values used as a default for <inputs.host> as well as <inputs.arch> and <inputs.os>. This is ugly hack required for the transition period, since one can't use empty string or unknown label name within <runs-on> label list. Hence 'self-hosted' looks like the most robust option for both old and new behaviours.

NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci Reviewed-by: Yaroslav Lobankov <y.lobankov@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org> (cherry picked from commit 1eb0a696)
-
Igor Munkin authored
Fun fact: our self-hosted macOS runner has the same name as the one provided by GitHub. Hence sometimes when no self-hosted runners are available, the public GitHub one is chosen. This patch enforces LuaJIT integration workflow to use only self-hosted runner by explicitly specifying this in runs-on section. NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci Reviewed-by: Yaroslav Lobankov <y.lobankov@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org> (cherry picked from commit a8b95d09)
-
Igor Munkin authored
It's quite inconvenient to extend LuaJIT integration workflow now: one needs to patch GitHub workflow file in Tarantool repository and then setup integration testing in LuaJIT repository. This patch introduces a new workflow parameter that can replace several existing parameters (e.g. buildtype and GC64) and allow to easily extend integration CI in LuaJIT (with rare little touches in Tarantool). NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci Reviewed-by: Sergey Kaplun <skaplun@tarantool.org> Reviewed-by: Yaroslav Lobankov <y.lobankov@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org> (cherry picked from commit 98fcd437)
-
Serge Petrenko authored
Fixing a bug with nodes in 'manual' election mode bumping the term excessively revealed a hang in election_pre_vote test. Turns out the test passed thanks to the previous buggy behaviour. The following behaviour is expected: when a node is configured in manual election mode, calling box.ctl.promote() on it should make it bump term once, try to gather votes and fail on timeout. Once the extra term bump on timeout was removed in commit 5765fdc4 ("raft: fix 'manual' nodes bumping the term excessively"), box.ctl.promote() without a quorum started hanging. Let's return the correct behaviour: 'manual' nodes should transition back to follower if an election timeout passes after the promotion without any term outcome. Enable the test_promote_no_quorum testcase of election_pre_vote test back, since it's fixed now. Follow-up #8168 Closes #8217 NO_DOC=bugfix NO_CHANGELOG=changes not released behaviour (cherry picked from commit 352fe0c7)
-
- Jan 31, 2023
-
-
Georgiy Lebedev authored
The memtx transaction manager MVCC invariant violation described in c8eccfbb could actually lead to a bug described in #7394, since `space:count` inherently relies on this invariant: add a test for this case. Closes #7394 NO_CHANGELOG=<bug was fixed in c8eccfbb> NO_DOC=bugfix (cherry picked from commit db6245f8)
-
- Jan 30, 2023
-
-
Vladislav Shpilevoy authored
A tuple update with the first operation creating a new field somewhere deep in the tuple and the second operation trying to go into that new field could crash. This happened because the route branching function xrow_update_route_branch() missed this case. It can be detected when we see that the bar path is already fully used (the next JSON token is END), and the new operation's path is still not END. Closes #8216 NO_DOC=bugfix (cherry picked from commit d4e92809)
-
Vladislav Shpilevoy authored
A tuple update with the first operation creating a new field inside an array and the second operation trying to go into that field could crash. This happened because the branching function xrow_update_op_do_field_##op_type() didn't take into account newly set scalar fields and an `unreachable()` was hit. Part of #8216 NO_DOC=bugfix NO_CHANGELOG=next commit (cherry picked from commit eb26e732)
-
Vladislav Shpilevoy authored
They are going to be needed above their declaration prior to this patch. Also had to add a couple of obvious comments to calm checkpatch down. Needed for #8216 NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring (cherry picked from commit 3260b930)
-