The reason of the update is to protect us against possible MITM attack
from a malicious HTTPS proxy server with trusted certificate when TLS
1.3 is used (CVE-2021-22890, [1]). libcurl versions prior to 7.76.0 can
skip a TLS handshake with a target host in this circumstances.

Other vulnerabilities fixed in the (7.71.1; 7.76.0] version range do not
look relevant to our built-in http client. See [2] for the full list.

The CMake version requirement is updated from 3.1 to 3.2, because curl's
CMakeLists.txt has the following clause at beginning:

 | cmake_minimum_required(VERSION 3.2...3.16 FATAL_ERROR)

(It was there in vanilla curl 7.71.1 too and we had to remove it in
order to support CMake 2. Now we don't support CMake 2, so it is good
time to get rid of the extra patch upward vanilla curl repository.)

According to the CMake versions table in
8a7702b1 ('github-ci: purge Debian
Jessie from CI'), CMake 3.2+ is available on all supported OSes.

[1]: https://curl.se/docs/CVE-2021-22890.html
[2]: https://curl.se/docs/vulnerabilities.html

@TarantoolBot document
Title: Now we require CMake 3.2 to build tarantool

In https://github.com/tarantool/doc/issues/1780 we requested to update
the CMake minimum version to 3.1. Now it is time for 3.2. See details in
the linked commit.

Please, update the 'Building from source' manual.

LuaJIT submodule is bumped to introduce the following changes:
* test: disable too deep recursive PUC-Rio test
* test: disable PUC-Rio hanging GC test
* test: disable PUC-Rio test checking -h option
* test: disable PUC-Rio test for checking arg layout
* test: disable PUC-Rio tests for several -l options
* test: disable PUC-Rio test for syntax level error
* test: disable PUC-Rio test for non-ascii variable
* test: disable PUC-Rio test for fast function name
* test: disable PUC-Rio test for variables in error
* test: disable PUC-Rio test for getfenv in tailcall
* test: remove string.gfind assert in PUC-Rio test
* test: use math.fmod in PUC-Rio tests
* test: disable locale-dependent PUC-Rio tests
* test: adapt PUC-Rio test for %q in string.format
* test: disable PUC-Rio test for per-coroutine hooks
* test: adapt PUC-Rio test with activeline check
* test: disable PUC-Rio test for tailcall info
* test: adapt PUC-Rio test with count hooks
* test: adapt PUC-Rio test for debug in vararg func
* test: adapt PUC-Rio tests with vararg functions
* test: disable PUC-Rio suite tests for line hook
* test: adapt PUC-Rio tests counting GC steps
* test: disable PUC-Rio tests for bytecode header
* test: disable PUC-Rio tests confused by -v output
* test: adapt PUC-Rio test for arg presence
* test: remove quotes in progname from PUC-Rio
* test: adapt PUC-Rio suite for out-of-source build
* test: build auxiliary C libs from PUC-Rio Lua 5.1
* test: add PUC-Rio Lua 5.1 test suite

Within this changeset PUC-Rio Lua 5.1 suite[1] is added to Tarantool
testing. Considering Tarantool specific changes in runtime the suite
itself is adjusted in LuaJIT submodule.

<test/luajit-test-init.lua> pretest runner is adjusted by setting custom
`_loadstring()` and `_dofile()` global function to run tests correctly
for out-of-source build.

Also, this patch excludes PUC-Rio-Lua-5.1 test suite from ASAN checks.

[1]: https://www.lua.org/tests/lua5.1-tests.tar.gz



Closes #5845
Closes #5686
Closes #5694
Closes #5701
Closes #5708
Closes #5710
Closes #5711
Closes #5712
Part of #4473

Reviewed-by: Igor Munkin <imun@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>

LuaJIT submodule is bumped to introduce the following changes:
* tools: introduce --leak-only memprof parser option

Within this changeset the new Lua module providing post-processing
routines for parsed memory events is introduced:
* memprof/process.lua: post-process the collected events

The changes provide an option showing only heap difference. One can
launch memory profile parser with the introduced option via the
following command:
$ tarantool -e 'require("memprof")(arg)' - --leak-only filename.bin

Closes #5812

Reviewed-by: Igor Munkin <imun@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>

LuaJIT submodule is bumped to introduce the following changes:
* test: fix dynamic modules loading on MacOS
* test: make utils.selfrun usage easier
* test: remove excess dependency for tests target

Within this changeset SIP issues are worked around and dynamic modules
loading on MacOS is fixed. As a result LuaJIT tests can be enabled for
static build target on MacOS.

Closes #5959
Follows up #4862

Reviewed-by: Alexander V. Tikhonov <avtikhon@tarantool.org>
Reviewed-by: Sergey Kaplun <skaplun@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>

* tools: make memprof parser output user-friendly

Closes #5811
Part of #5657

* memprof: report stack resizing as internal event

Closes #5842
Follows up #5442

Was caught by base64 test with enabled ASAN.

It also caused data corruption - garbage instead of "extra bits" was
saved into state->result if there was no space in output buffer.

Decode state removed along with helper functions.

Added test for "zero-sized output buffer" case.

Fixes: #3069
(cherry picked from commit 7214add2c7f2a86265a5e08f2184029a19fc184d)

LuaJIT submodule is bumped to introduce the following changes:
* test: disable LuaJIT CLI tests in lua-Harness suite
* test: set USERNAME env var for lua-Harness suite
* test: adjust lua-Harness tests that use dofile
* test: adjust lua-Harness suite to CMake machinery
* test: add lua-Harness test suite

Within this changeset lua-Harness suite[1] is added to Tarantool
testing. Considering Tarantool specific changes in runtime the suite
itself is adjusted in LuaJIT submodule.

However, Tarantool provides and unconditionally loads TAP module
conflicting with the one used in the new suite. Hence, the Tarantool
built-in module is "unloaded" in test/luajit-test-init.lua.

Furthermore, Tarantool provides UTF-8 support via another built-in
module. Its interfaces differ from the ones implemented in Lua5.3 and
moonjit. At the same time our LuaJIT fork provides no UTF-8 support, so
lua-Harness UTF-8 detector is simply confused with non-nil utf8 global
variable. As a result, utf8 is set to nil in test/luajit-test-init.lua.

There are also some tests launching Lua interpreter, so strict need to
be disabled for their child tests too. Hence `strict.off()` is added to
`progname` (i.e. arg[-1] considering the way Tarantool parses its CLI
arguments) command used in these tests.

[1]: https://framagit.org/fperrad/lua-Harness/tree/a74be27/test_lua



Closes #5844
Part of #4473

Reviewed-by: Sergey Ostanevich <sergos@tarantool.org>
Reviewed-by: Igor Munkin <imun@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>

LuaJIT submodule is bumped to introduce the following changes:
* test: adjust LuaJIT test suite for Tarantool
* test: change LuaJIT test suite to match b4e6bf0
* test: change LuaJIT test suite to match 5a61e1a
* test: change LuaJIT test suite to match c198167
* test: change LuaJIT test suite to match de5568e
* test: add LuaJIT-test-cleanup test suite
* test: fix Lua command in utils.selfrun
* test: fix luacheck invocation for non-real paths

Within this changeset LuaJIT-test-cleanup suite[1] is added to Tarantool
testing. Considering Tarantool specific changes in runtime the suite
itself is adjusted in LuaJIT submodule. However, there is <strict>
module enabled by default in Debug build, so the testing environment
need to be tweaked via test/luajit-test-init.lua script to be run prior
to every LuaJIT suite test is started.

[1]: https://github.com/LuaJIT/LuaJIT-test-cleanup/tree/014708b/test



Closes #4064
Part of #4473

Reviewed-by: Sergey Kaplun <skaplun@tarantool.org>
Reviewed-by: Sergey Ostanevich <sergos@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>

* core: fix cdata decrementing

Closes #5820
Follows up #5187

LuaJIT submodule is bumped to introduce the following changes:
* test: run luacheck static analysis via CMake
* test: fix warnings found with luacheck in misclib*
* test: run LuaJIT tests via CMake
* build: replace GNU Make with CMake
* build: preserve the original build system

Since LuaJIT build system is ported to CMake in scope of the changeset
mentioned above, the module building the LuaJIT bundled in Tarantool is
completely reworked. There is no option to build Tarantool against
another prebuilt LuaJIT due to a91962c0
('Until Bug#962848 is fixed, don't try to compile with external
LuaJIT'), so all redundant options defining the libluajit to be used in
Tarantool are dropped with the related auxiliary files.

To run LuaJIT related tests or static analysis for Lua files within
LuaJIT repository, <LuaJIT-test> and <LuaJIT-luacheck> targets are used
respectively as a dependency of the corresponding Tarantool targets.

As an additional dependency to run LuaJIT tests, prove[1] utility is
required, so the necessary binary packages are added to the lists with
build requirements.

[1]: https://metacpan.org/pod/TAP::Harness#prove



Closes #4862
Closes #5470
Closes #5631

Reviewed-by: Sergey Kaplun <skaplun@tarantool.org>
Reviewed-by: Timur Safin <tsafin@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>

Updated third_party/zstd submodule from v1.3.3 to v1.4.8 version.

Found issue building on Fedora 33:

  third_party/zstd/lib/decompress/zstd_decompress.c: In function ‘ZSTD_findFrameCompressedSize’:
  third_party/zstd/lib/decompress/zstd_decompress.c:1502:18: error: ‘zfh.headerSize’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
   1502 |         ip += zfh.headerSize;
        |                  ^

Also found that later releases of third_party/zstd submodule already
fixed it. Decided to bump third_party/zstd submodule from v1.3.3 to
v1.4.8. Added to zstd cmake build rules new files appeared on bumping.

Found that some checking in static-build test exporting symbols like:

  ZSTD_free
  ZSTD_malloc

never were public symbols and should not be tested for presence in the
Tarantool executable, but also these symbols currently outdated and
broke the testing. To avoid of it these symbols removed from test.

Needed for #5502
Closes #5697

Not all invalid characters were ignored by base64 decoder
causing data corruption and reads beyond decode table
(faults under ASAN).

Added corresponding check into base64 unit test.

Fixes: #5627

* core: remove excess assertion inside memprof
* core: fix resources leak in memory profiler
* misc: fix build with disabled memory profiler

Follows up #5442

* tools: introduce a memory profile parser
* misc: add Lua API for memory profiler
* core: introduce memory profiler
* vm: introduce VM states for Lua and fast functions
* core: introduce write buffer module
* utils: introduce leb128 reader and writer

Relates to #5490
Closes #5442

* x64: Fix __call metamethod return dispatch.

Since the commit ae7e2103 we use internal serializer
thus we no longer need serpent code.

The patch removes the references from the source code
and .gitmodules file, still one might need to run

 | git submodule deinit -f third_party/serpent

manually to clean up the working tree depending
on local git version.

Closes #5517

Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>

Context is just a string with a few characters before and after
wrong token, wrong token itself and a symbolic arrow pointing to
this token.

Closes #4339

Print tokens themselves instead of token names "T_*" in the error
messages.

Part of #4339

* test: fix warnings spotted by luacheck

* misc: add lmisclib.h to lua.hpp header
* build: fix build for Windows-like systems
* test: fix warning for old gcc at testgetmetrics.c

* test: introduce the root CMakeLists.txt

Blocked check if the current cmake of the older than
3.2...3.16 version to be able to build curl at the old OS:

  - CentOS 6
  - CentOS 7
  - Debian 8
  - Ubuntu 14.04

Used in 'third_party/curl' repository branch:

  curl-7_71_1-tarantool

Needed for #4968

* jit: fix cdatanum addressing for GC64 mode on x86

* test: force enable assert checks in release build

* jit: fix cdatanum addressing for GC64 mode on x86

* misc: add C and Lua API for platform metrics
* core: introduce various platform metrics

* gdb: fix the extension to be loaded with Python 2

The submodule was on 7.66.0 version. This update closes security
problem for us:

May leak a part of a password in a DNS query when the password
contains '@' symbol. It occurs on an HTTP redirect, so one of
possible workarounds is to disable follow_location option
(available since 2.1.2-42-gdf87154ff within 2.1 series and since
2.2.0-202-gdaf1ced88 in 2.2+ series). Another way: verify that a
password does not contain the '@' symbol.

https://curl.haxx.se/docs/CVE-2020-8169.html

See also release notes:

https://curl.haxx.se/changes.html#7_71_1
https://curl.haxx.se/changes.html#7_71_0
https://curl.haxx.se/changes.html#7_70_0
https://curl.haxx.se/changes.html#7_69_1
https://curl.haxx.se/changes.html#7_69_0
https://curl.haxx.se/changes.html#7_68_0
https://curl.haxx.se/changes.html#7_67_0



Closes #4698

Co-authored-by: Alexander Turenko <alexander.turenko@tarantool.org>

As stated in the 'OS/X AND DARWIN BUGS' section of the libev
documentation [1], kqueue() and poll() have known problems on Mac OS, so
the library uses select() on Mac OS (it is the build time default). The
library however uses the trick to overcome 1024 fds limit: libev sets
the undocumented macro _DARWIN_UNLIMITED_SELECT, which enables linking
against select() implementation without the limit.

The magic macro stops working at some point around Mac OS 10.10 (see
[2]), because it was defined after <sys/time.h> inclusion.  For recent
Mac OS versions the macro has effect only when it is defined before
<sys/time.h> inclusion.

The macro definition was [moved][3] in libev 4.25. Excerpt from the
changelog [4]:

 | 4.25 Fri Dec 21 07:49:20 CET 2018
 | <...>
 | - move the darwin select workaround higher in ev.c, as newer versions of
 |   darwin managed to break their broken select even more.

More proper fix would be updating of libev to a newer version, however I
would postpone it until a moment when we'll have a time to properly test
everything with a new version of the library.

[1]: http://pod.tst.eu/http://cvs.schmorp.de/libev/ev.pod#OS_X_AND_DARWIN_BUGS
[2]: http://lists.schmorp.de/pipermail/libev/2018q2/002788.html
[3]: http://cvs.schmorp.de/libev/ev.c?r1=1.482&r2=1.483
[4]: http://cvs.schmorp.de/libev/Changes?view=markup



Fixes #3867
Fixes #4673

Investigated-by: Maria Khaydich <maria.khaydich@tarantool.org>
Co-authored-by: Maria Khaydich <maria.khaydich@tarantool.org>

- jit: abort trace execution on JIT mode change
- jit: abort trace recording and execution for C API

Reviewed-by: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
Signed-off-by: Igor Munkin <imun@tarantool.org>

- Add the chdir option for make.

A special format for encoding UUIDs to MsgPack is introduced.
It is supported by both lua and C encoders/decoders, and it is now
possible to insert UUIDs into spaces, but only into unindexed fields
without format for now.

Prerequisite #4268

@TarantoolBot document
Title: Internals: msgpack format for UUID

UUID values share the MessagePack type with decimals:
both use MP_EXT. A new subtype is introduced for UUIDs,
MP_UUID = `0x02`
UUID is encoded as follows:
```
    +--------+---------+-----------+
    | MP_EXT | MP_UUID | UuidValue |
    +--------+---------+-----------+
```
Since UUID is 16 bytes in size, the header, MP_EXT, is always the same:
`0xd8`. MP_UUID = `0x02` follows. The header is followed by the 16
bytes of the UuidValue.

UuidValue consists of 11 fields, which are encoded as big endian
unsigned integers in the following order: `time_low` (4 bytes), `time_mid`
(2 bytes), `time_hi_and_version` (2 bytes), `clock_seq_hi_and_reserved` (1
byte), `clock_seq_low` (1 byte), `node[0], ..., node[5]` (1 byte each).

The total size of such a representation is 18 bytes, whereas storing
uuids as strings requires from 34 (when '-'s are ommitted) to 38 bytes
per UUID, giving a 2x space usage improvement.

Cleaned up the tests code according to the Lua style guide:
- made scoped variables local
- added os.exit call at the end of the test chunk
- adjusted the messages in test:ok calls

- Make string to number conversions fail on NUL char.

- gdb: adjust the extension to be used with Python 2
- gdb: introduce luajit-gdb extension

libcurl has a built-in threaded resolver used for asynchronous DNS
requests, however, when DNS server is slow to respond, the request still
hangs tarantool until it is finished. The reason is that curl calls
thread_join on the resolving thread internally upon timeout, making the
calling thread hang until resolution has ended.
Use c-ares as an asynchronous resolver instead to eliminate the problem.

Closes #4591

Revert "build: introduce LUAJIT_ENABLE_PAIRSMM flag"

Related to #4770

When json.decode is used with 2 arguments, 2nd argument seeps out to the
json configuration of the instance. Moreover, due to current
serializer.cfg implementation it remains invisible while checking
settings using json.cfg table.

This fixes commit 6508ddb7 ('json: fix
stack-use-after-scope in json_decode()').

Closes #4761