- Apr 14, 2022
-
-
Alexander Turenko authored
Just regular update to bring openssl security fixes into tarantool. Fixes #6947 NO_TEST=security update of a dependency NO_DOC=security update of a dependency
-
- Apr 13, 2022
-
-
Vladislav Shpilevoy authored
The limbo cleared TXN_WAIT_SYNC and TXN_WAIT_ACK flags for all removed entries - succeeded and failed. For succeeded it is fine. For failed it was not. The reason is that a transaction could be rolled back after a successful WAL write but before its waiting fiber wakes up. Then on wakeup the fiber wouldn't see TXN_WAIT_SYNC flag and assert that the transaction signature >= 0. It wasn't true for txns rolled back due to synchro-reasons like a foreign PROMOTE not including this transaction. The patch makes it so a failed transaction keeps its TXN_WAIT_SYNC flag so as its owner fiber on wakeup would reach txn_limbo_wait_complete(), notice the bad signature, and follow the rollback-path. TXN_WAIT_ACK is dropped, because the transaction owner otherwise would try to call txn_limbo_ack() for the transaction even if the limbo doesn't belong to the instance anymore. An alternative solution would be to check signature value for all transactions even when journal_entry->res is >= 0. But that would slow down the common path even for non-synchro transactions. Closes #6842 NO_DOC=Bugfix
-
Vladislav Shpilevoy authored
LSN to a limbo entry used to be assigned either before a WAL write when the txn was from an applier, or one event loop iteration after a WAL write for instance's own transactions. The latter means that the WAL write callback only did fiber_wakeup() on a fiber which is supposed to assign the LSN later. That made possible a bug when a remote PROMOTE was received during a local txn WAL write. They were written to WAL in that order. But PROMOTE WAL write was handled *before* the txn's WAL write. That led to a crash, because PROMOTE processing wasn't ready for the limbo having entries without an LSN. The reason why it happened was that the finished WAL batches, even if they are sent to WAL far from each other in time, still can be processed in TX thread all at once, without yields. They just keep stacking in an inter-thread queue until TX thread picks them up. If TX thread is slow enough, the WAL batches will form bigger "batches of batches" in this WAL->TX queue. When it happened for a txn + PROMOTE, the txn WAL write trigger only called fiber_wakeup() without LSN assign. The PROMOTE WAL write trigger was applied right away without yields, didn't meet its assumptions, and crashed. The patch makes an LSN be assigned to a limbo entry right in WAL write trigger. The cost of this is to store limbo entry as a member in struct txn. The patch only fixes the issue for PROMOTE covering the older transaction. The not covering case is still failing, subject of another commit. A side effect which allowed to make the patch a bit simpler - LSN is assigned to all limbo entries now, even to the non-synchro ones. The alternative solution was to create an on WAL write trigger for each synchro transaction and store the limbo entry in its data field. But that is more complicated. I decided it is time to add the entry to the txn.
For non-synchro transactions it shouldn't add any cost, because the limbo entry is only touched for newly allocated txns (which eventually will stop being allocated and will only be reused from txn_cache); for synchro transactions on their normal path; for all transactions on failure path. Another alternative solution was to make limbo's latch a read-write latch. "Readers" would be new transactions until they finish WAL write, "writers" would be PROMOTE, DEMOTE, probably ROLLBACK. That way a PROMOTE wouldn't start until all limbo entries have LSNs. But that looks like an overkill. At least for this issue. Part of #6842 NO_DOC=Bugfix NO_CHANGELOG=To be added later
-
Vladislav Shpilevoy authored
Before the patch a limbo owner could try to add new transaction to it while processing a remote PROMOTE. That led to a crash - commit of PROMOTE after the WAL write expected that it would empty the whole queue, which didn't work for records not having an LSN yet. Interestingly, all worked fine when PROMOTE was local - it turns the limbo into the auto-rollback mode. It didn't happen for requests coming from the applier. This patch extends synchro request execution pipeline - now there is a preparation step. It is done both for local and for remote synchro requests the same. For PROMOTE it activates auto-rollback mode. DEMOTE might seem the same, but it doesn't look affected. To receive a foreign DEMOTE the node would need not to be the queue owner. Hence it wouldn't be able to append new synchro txns during the DEMOTE WAL write. Part of #6842 NO_DOC=Bugfix NO_CHANGELOG=To be added later
-
Vladislav Shpilevoy authored
It waits for vclock of another server. Save several lines of relatively frequently used code. Is going to be used even more in following patches. Needed for #6842 NO_DOC=Refactoring NO_TEST=Refactoring NO_CHANGELOG=Refactoring
-
Vladislav Shpilevoy authored
It used the global txn_limbo in one place instead of the limbo passed as an argument. NO_DOC=Refactoring NO_TEST=Refactoring NO_CHANGELOG=Refactoring
-
Vladislav Shpilevoy authored
box_issue_promote/demote used to make WAL write and synchro command apply in 2 separate synchro requests. Soon these APIs are going to change a little. This patch moves the request creation into the limbo internals so as box wouldn't care about request structs. Box now calls a single txn_limbo_write_promote/demote() function which writes and applies a request under the hood. Part of #6842 NO_DOC=Refactoring NO_TEST=Refactoring NO_CHANGELOG=Refactoring
-
Vladislav Shpilevoy authored
The new name is txn_limbo_req_commit(). The reason is that the future commits will introduce txn_limbo_req_prepare() and txn_limbo_req_rollback(). The reason is that at least PROMOTE and DEMOTE requests need to signal their start somehow before going into WAL so as new synchronous transactions couldn't interfere. It is already done in txn_limbo_write_promote() and txn_limbo_write_demote(). But not done when a synchro command comes from an applier. The new pipeline will be that both local and remote synchro commands will make a prepare() before WAL write, and then either commit() or rollback() of the request + commit/rollback() of the limbo state (txn_limbo_begin/commit/rollback). Essentially, txn_limbo_req_*() will be similar to txn_stmt_*(), and txn_limbo_begin/commit/rollback() will be similar to txn_begin/commit/rollback(). That is also going to be needed to remove panic() from limbo WAL write failures. Part of #6842 NO_DOC=Refactoring NO_TEST=Refactoring NO_CHANGELOG=Refactoring
-
Vladimir Davydov authored
The trigger is invoked on min/max/get/select/iterator. The trigger callback is passed a context with space, index, iterator type, and key (MsgPack array). The trigger is run only if access and sanity checks have passed. It will be used for auditing SELECT events in the EE version. NO_TEST=ee NO_DOC=internal NO_CHANGELOG=internal
-
Vladimir Davydov authored
The trigger is invoked on IPROTO CALL/EVAL. The trigger callback is passed a context with function name or eval expression and arguments (MsgPack data). It will be used for auditing CALL/EVAL events in the EE version. NO_TEST=ee NO_DOC=internal NO_CHANGELOG=internal
-
Vladimir Davydov authored
box_process_call() uses func_call(), which not only calls the given function, but also checks that the current user has the right to execute it. As a result, we can't add auditing for only those function calls that passed the access check (apparently, there's no reason to log function calls that failed with an 'access denied' error - we have a separate audit event for this). To fix this, let's introduce func_call_no_access_check() helper, which calls a function without checking access rights, and use it along with existing func_access_check() in box_process_call(). func_call() is now an inline function that calls func_access_check() and then on success func_call_no_access_check(). It's probably wrong that func_call() checks access rights, because this means that to use a space with a functional index/constraint, the user needs not only read/write access to the space itself, but also execute access to the function. I think we should check the right to execute such function only once - on functional index/constraint creation, not on every call, but I'm not going to change this now, because nobody's complained so far, and a change like this needs a proper discussion anyway. NO_TEST=refactoring NO_DOC=refactoring NO_CHANGELOG=refactoring
-
Vladimir Davydov authored
The trigger is invoked on console eval. The trigger callback is passed the eval expression string. It will be used for auditing console events in the EE version. NO_TEST=ee NO_DOC=internal NO_CHANGELOG=internal
-
Nikita Pettik authored
Simply add Lua wrappers for recently introduced prbuf. Introduce new buffer (in addition to ibuf) - prbuf. "pr" stands for "partitioned ring-". It saves all metadata in the same memory chunk provided for storage, so it can be completely restored from the 'raw' memory. API:
```
-- mem is a chunk of raw (char *) memory, of size mem_size.
-- It is used for data storage. Note that available space is of less
-- size due to prbuf metadata overhead.
-- Returns handle to prbuf.
--
require('buffer').prbuf_create(mem, mem_size)

-- mem is a chunk of memory, which contains already created prbuf.
-- It implies that once prbuf_create() was called with the same memory.
-- If mem does not contain valid buffer - raise an appropriate error.
require('buffer').prbuf_open(mem)

-- Returns continuous chunk of memory with given size. May return nil
-- in case if requested chunk is too large. Note that after copying
-- object to returned chunk, it should be committed with prbuf:commit();
-- otherwise :prepare() may return the same chunk twice.
prbuf:prepare(size)

-- Commits the last prepared chunk. Undefined behaviour in case of
-- committing the same chunk twice.
prbuf:commit()

-- Create and return prbuf_iterator. Does not fail. Created iterator
-- points to nowhere - it should be adjusted with :next() call to
-- the first entry.
prbuf:iterator_create()

-- Advance iterator position. Returns prbuf_entry or nil in case
-- iterator has reached the end. Entry consists of two members:
-- size and ptr. The last one is an array of characters of given size.
iterator:next()
```
Usage examples:
```
local ibuf = buffer.ibuf()
local prbuf_size = 100
local memory = ibuf:alloc(prbuf_size)
local prbuf = buffer.prbuf_create(memory, prbuf_size)

local sample_size = 4
local raw = prbuf:prepare(4)
if raw == nil then
    -- allocation size is too large, try smaller.
end
raw[0] = ...
...
raw[3] = ...
prbuf:commit()

local prbuf_recovered = buffer.prbuf_open(memory)
local iter = prbuf_recovered:iterator_create()
local entry = iter:next()
assert(tonumber(entry.size) == 4)
-- Check values stored in the buffer.
assert(entry.ptr[0] == ...)
entry = iter:next()
-- Our buffer has only one entry.
assert(entry == nil)
```
NO_DOC=<Feature for internal usage> NO_CHANGELOG=<Feature for internal usage>
-
Vladimir Davydov authored
Required for backward compatibility. Follow-up commit a303b53b ("cfg: add audit_format option"). NO_DOC=ee NO_CHANGELOG=ee
-
Nikita Pettik authored
prbuf is partitioned ring buffer. The main property of the buffer is that it can be recovered from raw memory. To achieve this buffer saves metadata before each stored entry. For further details see source code. NO_DOC=<Private data structure> NO_CHANGELOG=<No user visible changes>
-
Pavel Balaev authored
Currently `tarantoolctl rocks --help` generates such help message:
```
NAME
    /usr/bin/tarantoolctl - LuaRocks main command-line interface

SYNOPSIS
    /usr/bin/tarantoolctl [<flags...>] [VAR=VALUE]...
```
This is wrong. This patch makes the output look like this:
```
NAME
    /usr/bin/tarantoolctl rocks - LuaRocks main command-line interface

SYNOPSIS
    /usr/bin/tarantoolctl rocks [<flags...>] [VAR=VALUE]...
```
NO_DOC=bugfix
-
Oleg Babin authored
This patch updates libicu version to 71.1. See changelog for details (https://icu.unicode.org/download/71). The main reason to do that is a bug in datetime parsing that was found using icu-date module (tarantool/icu-date#27) and was fixed in libicu upstream (https://unicode-org.atlassian.net/browse/ICU-21802). NO_DOC=build NO_TEST=build
-
- Apr 12, 2022
-
-
Igor Munkin authored
* memprof: enrich symtab when new trace is compiled
* memprof: substitute long proto names with aliases
* memprof: enrich symtab when meeting new prototype
* memprof: add symbol generations

Closes #5815 NO_DOC=LuaJIT submodule bump NO_TEST=LuaJIT submodule bump
-
Yaroslav Lobankov authored
Unlimited number of make jobs may lead to OOM. We should use `make -j $(nproc)` instead of `make -j` on Linux. Note, on OSX and FreeBSD the `nproc` command is unavailable out of the box. So using `sysctl -n hw.ncpu` instead. Closes #7020 NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci
-
- Apr 11, 2022
-
-
Yaroslav Lobankov authored
We have recently turned off retrying test runs after a failure for improving developer experience on using test-run on local machines. Now to enable tests auto-rerun on CI let's pass TEST_RUN_RETRIES=3 to environment. NO_DOC=ci NO_TEST=ci NO_CHANGELOG=ci
-
Yaroslav Lobankov authored
Bump test-run to new version with the following improvements:
- Add option to tune test run retries after failure [1]
- Set 0 as default value for retries after failure [1]
- Add an option to show test-run's environment vars [2]
- Prettify `test-run.py --help` output [3]

[1] https://github.com/tarantool/test-run/pull/336
[2] https://github.com/tarantool/test-run/pull/326
[3] https://github.com/tarantool/test-run/pull/337

NO_DOC=testing stuff NO_TEST=testing stuff NO_CHANGELOG=testing stuff
-
Andrey Saranchin authored
This patch introduces memtx_tx_region and memtx_tx_mempool: engineers must use only these proxies to collect statistics. Also this patch introduces box.stat.memtx.mvcc - the way to get memtx mvcc memory statistics. Closes #6150

@TarantoolBot document
Title: Memtx MVCC memory monitoring

Introduce memtx MVCC memory monitoring. One can get it with box.stat.memtx.tx() method or use index to access a particular statistic. The statistics format:
```
txn:
  statements:
    max: 0
    avg: 0
    total: 0
  user:
    max: 0
    avg: 0
    total: 0
  system:
    max: 0
    avg: 0
    total: 0
mvcc:
  trackers:
    max: 0
    avg: 0
    total: 0
  conflicts:
    max: 0
    avg: 0
    total: 0
  tuples:
    tracking:
      stories:
        count: 0
        total: 0
      retained:
        count: 0
        total: 0
    used:
      stories:
        count: 0
        total: 0
      retained:
        count: 0
        total: 0
    read_view:
      stories:
        count: 0
        total: 0
      retained:
        count: 0
        total: 0
```
-
Andrey Saranchin authored
Since a transaction can allocate objects on its own, we need to track it to collect memory statistics of memtx txm. Txns use only the region allocator so this patch introduces tx_region methods - txns should use them instead of region methods to collect allocation statistics. Part of #6150 NO_DOC=no visible changes NO_CHANGELOG=no visible changes NO_TEST=already covered
-
Andrey Saranchin authored
Since a transaction has been prepared its garbage (produced stories and replaced tuples) cannot be deleted because they are recognized as used in read-view even if there are no transactions in read-view. This problem makes it difficult to test the memory monitoring system, so this patch solves the problem. Close #6635 Part of #6150 NO_DOC=no visible changes NO_CHANGELOG=no visible changes
-
Andrey Saranchin authored
NO_DOC=refactoring NO_CHANGELOG=refactoring NO_TEST=refactoring
-
Andrey Saranchin authored
It is difficult to monitor memory consumption for each transaction when some functions allocating on txn's region do not have any information about owner of the region. This patch solves the problem. Part of #6150 NO_DOC=refactoring NO_CHANGELOG=refactoring NO_TEST=refactoring
-
Andrey Saranchin authored
An opportunity to call garbage collector of memtx transaction manager manually allows to understand which garbage cannot be freed. This knowledge can help us to improve garbage collector. Also this opportunity makes it easier to test memtx mvcc memory monitoring. Part of #6150 NO_DOC=internal feature NO_CHANGELOG=internal feature NO_TEST=internal feature
-
Andrey Saranchin authored
There is no information about owner of txn_stmt when it is being allocated. It makes it difficult to track memory consumption for each transaction. That is why we need to pass transaction itself to txn_stmt_new() instead of its region. Part of #6150 NO_DOC=refactoring NO_CHANGELOG=refactoring NO_TEST=refactoring
-
- Apr 08, 2022
-
-
Vladimir Davydov authored
Commit/rollback triggers are run asynchronously, upon receiving the write status from WAL. We can't run them in the original fiber that submitted the WAL request, because it would open a time window between writing a transaction to WAL and committing it in tx, which could lead to violating the cascading rollback principles. As a result, commit/rollback triggers run with admin privileges. Let's fix this issue by temporarily setting session and credentials to the original fiber's for running commit/rollback triggers. Closes #7005 NO_DOC=bugfix
-
- Apr 07, 2022
-
-
Ilya Verbin authored
Tarantool used to crash if launched with multiple -e or -l options without a space between the option and the value, e.g.: `tarantool -ea -eb`. It happened because optv[] was allocated for argc==3 items, while 4 options were written to it after parsing (-e, a, -e, b). This patch allocates optv[] for the maximum possible number of options: (argc - 1) * 2. Closes #5747 NO_DOC=bugfix
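The sizing arithmetic from the commit message above, as an added C example that is not Tarantool's code: `collect_opts()`, `try_parse()` and the two capacity helpers are hypothetical names, and the parser models only `-e`/`-l`, each yielding two `optv[]` entries. Unlike the crashing code it refuses to write past the given capacity, so the shortfall of the `argc`-sized array shows up as a return value.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical option collector: every -e/-l yields two optv[] entries
 * (flag, value), whether the value is attached ("-ea") or separate
 * ("-e a"). Returns the number of entries written, or -1 if the write
 * would not fit in cap entries or a value is missing.
 */
static int
collect_opts(int argc, char **argv, const char **optv, size_t cap)
{
	size_t n = 0;
	for (int i = 1; i < argc; i++) {
		const char *arg = argv[i];
		if (arg[0] != '-' || (arg[1] != 'e' && arg[1] != 'l'))
			continue; /* not an option this sketch tracks */
		const char *val;
		if (arg[2] != '\0')
			val = arg + 2;		/* attached value: "-ea" */
		else if (i + 1 < argc)
			val = argv[++i];	/* separate value: "-e a" */
		else
			return -1;		/* option without a value */
		if (n + 2 > cap)
			return -1;		/* would overflow optv[] */
		optv[n++] = arg[1] == 'e' ? "-e" : "-l";
		optv[n++] = val;
	}
	return (int)n;
}

/* Sizing the commit message describes as the cause: argc items. */
static size_t
old_capacity(int argc)
{
	return (size_t)argc;
}

/* Sizing from the fix: at most two entries per argument after argv[0]. */
static size_t
fixed_capacity(int argc)
{
	return argc > 1 ? (size_t)(argc - 1) * 2 : 0;
}

/* Allocate optv[] with the given capacity and run the collector. */
static int
try_parse(int argc, char **argv, size_t cap)
{
	const char **optv = calloc(cap ? cap : 1, sizeof(*optv));
	if (optv == NULL)
		return -1;
	int rc = collect_opts(argc, argv, optv, cap);
	free(optv);
	return rc;
}

/* Constructed command lines: the one from the message and a spaced one. */
static char *attached_argv[] = {"tarantool", "-ea", "-eb", NULL};
static char *spaced_argv[] = {"tarantool", "-e", "a", "-e", "b", NULL};

int
main(void)
{
	printf("-ea -eb,   argc-sized:       %d\n",
	       try_parse(3, attached_argv, old_capacity(3)));
	printf("-ea -eb,   (argc-1)*2-sized: %d\n",
	       try_parse(3, attached_argv, fixed_capacity(3)));
	printf("-e a -e b, argc-sized:       %d\n",
	       try_parse(5, spaced_argv, old_capacity(5)));
	return 0;
}
```
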
-
Boris Stepanenko authored
In commit c1c77782 ("replication: fix bootstrap failing with ER_READONLY") seek_once was changed to seek_wait. Seek_once returned a non-negative int on success and -1 if failed, seek_wait returns True on success and False if failed. Therefore no need to compare it to 0 anymore. NO_DOC=Minor fix in test NO_CHANGELOG=Minor fix in test
-
Vladimir Davydov authored
The option will be used in the Enterprise version to configure audit log event filter. NO_DOC=ee NO_CHANGELOG=ee
-
Vladimir Davydov authored
The functions are not used since commit 1a6ad79e ("lua/cfg: drop unused log methods"). NO_DOC=drop unused code NO_TEST=drop unused code NO_CHANGELOG=drop unused code
-
Mergen Imeev authored
This patch fixes an issue with the implicit cast of INTEGER and DECIMAL values to DOUBLE when they are passed as the first argument to the ROUND() function. Closes #6988 @TarantoolBot document Title: ROUND() now properly supports INTEGER and DECIMAL INTEGER and DECIMAL values passed as the first argument now will not be cast to DOUBLE and the result will be of the same type as the first argument. Also, the default type for the ROUND() is now DECIMAL.
-
- Apr 06, 2022
-
-
Vladimir Davydov authored
We need to include EXTRA_CORE_INCLUDE_DIRS in order to build unit tests. Including it into test/CMakeLists.txt is useless. Moreover, it may break EE build in case EXTRA_CORE_INCLUDE_DIRS includes a system directory that contains a file that has the same name as one of our internal headers. See https://github.com/tarantool/tarantool-ee/issues/71 NO_DOC=cmake NO_TEST=cmake NO_CHANGELOG=cmake
-
- Apr 05, 2022
-
-
Vladimir Davydov authored
The option will be used in the Enterprise version to configure audit log format. NO_DOC=ee NO_CHANGELOG=ee
-
Vladimir Davydov authored
The function modifies neither the array passed to it nor the strings in the array, so it should use const. NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring
-
- Apr 04, 2022
-
-
Aleksandr Lyapunov authored
@TarantoolBot document
Title: Document transaction isolation settings

All transactions in tarantool see only committed changes, but this is a loose concept since the commit of a transaction is a long-term act and there's a dilemma of choosing a timepoint at which the changes must be seen by other transactions. When enabled, mvcc engine allows some options on this field. To be specific we introduced two levels of isolation:
* read-committed: all transactions that have started committing (box.commit() was called) are visible.
* read-confirmed: all transactions that have finished committing (box.commit() returned) are visible.

The first level is good for RW transactions since it allows to avoid some conflicts, while the second is good for RO transactions since it allows to get tuples that definitely were persisted on disk. There's also a default option that allows mvcc engine to decide:
* best-effort: do the best depending on which actions the transaction has made.

For autocommit transaction (one-statement actions without explicit box.begin/commit calls) an obvious rule is applied: RO (select, get, count etc) transactions are done with read-confirmed; all other (replace, delete, etc) - read-committed. If a transaction has an explicit box.begin call, the level can be specified in the following way:
```
box.begin({txn_isolation = 'default'})
box.begin({txn_isolation = 'read-committed'})
box.begin({txn_isolation = 'read-confirmed'})
box.begin({txn_isolation = 'best-effort'})
```
One can similarly set the level in net.box stream begin() method. If not specified (or if 'default' was passed) the level is taken from configuration. One can set default level in box.cfg:
```
box.cfg({default_txn_isolation = 'read-committed'})
box.cfg({default_txn_isolation = 'read-confirmed'})
box.cfg({default_txn_isolation = 'best-effort'})
```
The default option is 'best-effort'. In iproto the level is specified by IPROTO_TXN_ISOLATION key in the body of IPROTO_BEGIN request. The value is one of the following enum values:
```
enum txn_isolation_level {
	/** Take isolation level from global default level. */
	TXN_ISOLATION_DEFAULT = 0,
	/** Allow to read committed, but not confirmed changes. */
	TXN_ISOLATION_READ_COMMITTED = 1,
	/** Allow to read only confirmed changes. */
	TXN_ISOLATION_READ_CONFIRMED = 2,
	/** Determine isolation level automatically. */
	TXN_ISOLATION_BEST_EFFORT = 3,
};
```
NO_TEST=no changes Closes #6930
-
Aleksandr Lyapunov authored
Introduce new option IPROTO_TXN_ISOLATION (0x59) in the body of IPROTO_BEGIN request, so a user can set isolation level similar to box.begin in lua. The value must be one of the following integers:
```
enum txn_isolation_level {
	/** Take isolation level from global default level. */
	TXN_ISOLATION_DEFAULT,
	/** Allow to read committed, but not confirmed changes. */
	TXN_ISOLATION_READ_COMMITTED,
	/** Allow to read only confirmed changes. */
	TXN_ISOLATION_READ_CONFIRMED,
	/** Determine isolation level automatically. */
	TXN_ISOLATION_BEST_EFFORT,
};
```
Support the new option in net.box. Part of #6930 NO_DOC=see later commits NO_CHANGELOG=see later commits
-
Aleksandr Lyapunov authored
Now memtx TX manager tries to determine the best isolation level by itself. There could be two options:
* READ_COMMITTED, when the transaction sees changes of other tx that are committed but not yet confirmed (written to WAL)
* READ_CONFIRMED, when the transaction sees only confirmed changes.

Introduce a simple way to specify the isolation level explicitly:
```
box.begin{tx_isolation = 'default'} - the same as box.begin().
box.begin{tx_isolation = 'read-committed'} - READ_COMMITTED.
box.begin{tx_isolation = 'read-confirmed'} - READ_CONFIRMED.
box.begin{tx_isolation = 'best-effort'} - old automatic way.
```
Introduce a bit more complex but potentially faster way to set isolation level, like that:
```
my_level = box.tnx_isolation_level.READ_COMMITTED
..
box.begin{tx_isolation = my_level}
```
For simplicity of implementation also support symmetric values as 'READ_COMMITTED' and box.tnx_isolation_level['read-committed']. Introduce a new box.cfg option - default_tx_isolation, that is used as a default when a transaction is started. The option is dynamic and possible values are the same as in box.begin, except 'default' which is meaningless. In addition to string value the corresponding numeric values can be used in both box.begin and box.cfg. Part of #6930 NO_DOC=see later commits NO_CHANGELOG=see later commits
-