Before this patch credentials applier used to just skip if Tarantool
was in Read Only mode. Now it starts a fiber that waits for instance
to be switched to Read Write mode and then applies in the background.

Part of #8967

NO_DOC=documentation request will be filed manually for the whole
       credentials

If MP_ERROR map contains two MP_ERROR_STACK keys, then the second call to
`error_set_prev(effect, cur)' will crash, because `effect' is NULL, but
`err == NULL' is false, because it is assigned on the first iteration.
This patch raises an error if more than one MP_ERROR_STACK key is present.

NO_DOC=bugfix

Closes #9136

Wraps multistatement DDL functions into begin/commit block if no
transaction is active.

The functions are:
- `box.schema.space.drop`
- `box.schema.index.create`
- `box.schema.index.drop`
- `box.schema.index.alter`
- `box.schema.sequence.drop`
- `box.schema.func.drop`
- `box.schema.user.create`
- `box.schema.user.drop`
- `box.schema.role.drop`

Added tests for atomicity of each transactioned function except
the `box.schema.role.drop`, which is implicitly tested with the
`box.schema.user.drop` test, and the `box.schema.index.drop`,
which is impossible to test in this flavor without using error
injection.

Updated the tests modified in tarantool/tarantool#8947, because
the space drop is atomic now.

Closes #4348

NO_DOC=bugfix

The patch updates curl module to the version 8.3.0 [1] and updates a
CMake module for building curl library.

Changes in CMake module:

- Option `CURL_STATICLIB` is gone and replaced with `BUILD_STATIC_LIBS`.
- Option `CURL_USE_GNUTLS` was added and disabled by default.
- NSS library support was removed and option `CURL_USE_NSS` has been
  removed as well.
- Option `CMAKE_UNITY_BUILD` was added and disabled by default.
- Option `CURL_DISABLE_FORM_API` was added and disabled by default. It is
  in fact depends on `CURL_DISABLE_MIME`, but anyway disabled explicitly.

Changelog: https://curl.se/changes.html#8_3_0

1. https://github.com/curl/curl/releases/tag/curl-8_3_0

NO_DOC=libcurl submodule bump
NO_TEST=libcurl submodule bump

Fixes #9086

With this patch, mp_check sets diag with detailed information about
the MsgPack decoding error. The diag includes the error reason, which is
appended to the error message, and the data offset, which is stored in
an error payload field. Possible error reasons are: truncated input,
junk after input, illegal code, invalid extension. In case of truncated
input, the error also includes the trunc_count payload field, which is
set to the number of missing MsgPack values. Failing to decode a MsgPack
extension adds two payload fields, ext_type and ext_len, and also an
error cause, which is set by the extension decoder. For all extensions
except the error extension, the error cause is just "cannot unpack FOO".
For the error extension, it includes a detailed cause pointing to the
error in the MsgPack data stored in the extension.

Currently, the mp_check error is reported only by the Lua msgapck
decoder while other mp_check users (e.g. xrow decoder) override it.
We may improve on this in future.

Examples:

tarantool> require('msgpack').decode('\x94\xc0')
---
- error: Invalid MsgPack - truncated input
...

tarantool> box.error.last():unpack()
---
- offset: 2
  code: 20
  base_type: ClientError
  type: ClientError
  trunc_count: 3
  message: Invalid MsgPack - truncated input
  trace:
  - file: ./src/box/msgpack.c
    line: 151
...

tarantool> require('msgpack').decode(string.char(
         >   130,  39, 170, 114, 101, 116, 117, 114, 110,  32,  46,
         >    46,  46,  33, 145, 199,  74,   3, 129,   0, 145, 134,
         >     0, 171,  67, 108, 105, 101, 110, 116,  69, 114, 114,
         >   111, 114,   1, 170,  99, 111, 110, 102, 105, 103,  46,
         >   108, 117,  97,   2, 211,   0,   0,   0,   0,   0,   0,
         >     0, 201,   3, 173,  85, 110, 107, 110, 111, 119, 110,
         >    32, 101, 114, 114, 111, 114,   4, 211,   0,   0,   0,
         >     0,   0,   0,   0,   0,   5, 211,   0,   0,   0,   0,
         >     0,   0,   0,   0))
---
- error: Invalid MsgPack - invalid extension
...

tarantool> box.error.last():unpack()
---
- code: 20
  base_type: ClientError
  prev: Invalid MsgPack - cannot unpack error
  message: Invalid MsgPack - invalid extension
  ext_len: 74
  ext_type: 3
  trace:
  - file: ./src/box/msgpack.c
    line: 161
  type: ClientError
  offset: 18
...

tarantool> box.error.last().prev:unpack()
---
- code: 20
  base_type: ClientError
  type: ClientError
  prev: Invalid MsgPack - MP_ERROR_LINE value must be MP_UINT
  message: Invalid MsgPack - cannot unpack error
  trace:
  - file: ./src/box/msgpack.c
    line: 126
...

tarantool> box.error.last().prev.prev:unpack()
---
- offset: 30
  code: 20
  base_type: ClientError
  type: ClientError
  message: Invalid MsgPack - MP_ERROR_LINE value must be MP_UINT
  trace:
  - file: ./src/box/mp_error.cc
    line: 350
...

Closes #7968

NO_DOC=error reporting improvement

NO_DOC=no code changes
NO_TEST=no code changes
NO_CHANGELOG=no code changes

Some downgrade operations are performed with disabled system space
triggers because they were prohibited recently (creation of SQL built-in
functions) or never allowed (dropping a system space). This works fine
on the instance running downgrade but apparently fails on replicas.

To fix this issue, let's disable the checks the operations that prevent
downgrade in the following scenarios:
 - in the fiber that is currently running a schema upgrade or downgrade;
 - in the applier fiber so that it can replicate changes done by upgrade
   or downgrade on the master;
 - during recovery so that DDL records written to the WAL can be
   replayed.

We already have all the necessary infrastructure in-place - we use it
for allowing DDL operations with an old schema for upgrade.

Closes #9049

NO_DOC=bug fix

Remove issues released in 2.11.1 from master (3.0.0-alpha3)

NO_CHANGELOG=changelog
NO_DOC=changelog
NO_TEST=changelog

If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes
are allocated for `struct error_field` in error_payload_prepare(). However,
the size of this structure is 16 because of the padding for the alignment.
Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.

Closes #9098

NO_DOC=bugfix

This patch introduces initial support for roles. Dependencies are not
currently supported for roles.

Part of #9078

@TarantoolBot document
Title: Roles

Two new options have been added: "roles" and "roles_cfg". The first one
is an array and the second one is a map. Each of these can be defined
per instance, replica set, group, and globally. As with almost all other
options, with the exception of those defined as 'map', the 'roles'
option for the lower scope will replace the roles for the higher scope.
Value roles_cfg however defined as "map", so it will be merged.

The "roles" option defines the roles for each instance. A role is a
program that runs when a configuration is loaded or reloaded. If a role
is defined more than once on an instance, it will still only be run
once. Three functions must be defined in the role: validate(), apply()
and stop(). Each of these functions should throw an error if it occurs.

The "roles_cfg" option specifies the configuration for each role. In
this option, the role name is the key and the role configuration is the
value.

On each run, all roles will be loaded (if necessary) in the order in
which they were specified; the configuration for each role will then be
validated using the corresponding validate() function in the same order;
and then they will all be run with apply() function in the same order.
If some roles have been removed from the instance, they will be stopped
in reverse order using the stop() function.

Example of a role structure:
```
local M = {}

-- Validates configuration of the role.
--
-- Called on initial configuration apply at startup and on
-- configuration reload if the role is enabled for the given instance.
--
-- The cfg argument may have arbitrary user provided value,
-- including nil.
--
-- Must raise an error if the validation fail.
function M.validate(cfg)
    -- <...>
end

-- Applies the given configuration of the role.
--
-- Called on initial configuration apply at startup and on
-- configuration reload if the role is enabled for the given instance.
--
-- The cfg argument may have arbitrary user provided value,
-- including nil.
--
-- Must raise an error if the given configuration can't be applied.
function M.apply(cfg)
    -- <...>
end

-- Stops the role.
--
-- Called on configuration reload if the role was enabled before
-- and removed now from the list of roles of the given instance.
--
-- Should cancel all background fibers and clean up hold
-- resources.
--
-- Must raise an error if this action can't be performed.
function M.stop()
    -- <...>
end

return M
```

An attempt to print a dead fiber raised a fatal error, which is quite
unexpected. This patch updates __tostring metamethod of fiber_object so
that it pushes the "fiber: <fid> (dead)" string instead of the error.
The __serialize metamethod is patched similarly.

Closes #4265

NO_DOC=bugfix

All user-defined users and roles are not being removed and their
privileges are not being revoked when this user or role is removed
from config. This is done to prevent extreme repercussions of
misconfiguration, e.g. empty config is provided to cluster and it
breaks up.

Default users and roles are not supposed to be changed, so this rule
does not apply to them. Now all of non-default privileges will be
revoked if such user or role is removed from config.

Default users:
* guest
* admin

Default roles:
* super
* public
* replication

Part of #8967

NO_DOC=documentation request will be filed manually for the whole
       credentials

Prior to this patch, the table had no information about the leader
other than his id in the "leader" field. It may not be convenient for
the user to search for a name corresponding to a given id. Much more
convenient to see the leader's name in box.info.election.

Closes #8931

@TarantoolBot document
Title: Document `box.info.election`

box.info.election now contains one more field: `leader_name`: string.
There are several possible values ​​for this field:

 - `nil`, if there is no leader in a cluster.

 - `box.NULL`, if there is a leader, but he does not have a name.

 - `some string`, if there is a leader and he has a name.

Example:

```console
tarantool> box.info.election
---
- leader_idle: 0
  leader_name: node1
  state: leader
  vote: 1
  term: 3
  leader: 1
...
```

[box-info-election] https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_info/election/

Introduce fully temporary spaces: same as data-temporary space but with
temporary metadata. Basically temporary spaces now do not exist on
restart and do not exist on replicas. They can also be created, altered
and deleted when box.cfg.read_only = true.

To avoid conflicts with spaces created on replicas, the temporary
space ids by default start in a special range starting at
BOX_SPACE_ID_TEMPORARY_MIN.

Temporary spaces currently do not support several features e.g.
foreign key references (to and from), functional indexes, sql sequences,
sql triggers, etc. This may change in the future.

Implementing temporary spaces requires temporary tuples to be
inserted into system spaces: tuples which are neither replicated or
persisted. This mostly done in on_replace_dd_* triggers by dropping the
txn->stmt->row.

Closes #8323

@TarantoolBot document
Title: Introduce fully temporary spaces with temporary metadata

Temporary spaces are now data-temporary spaces with temporary metadata.
Created by specifying { type = "temporary" } in the options.
Temporary spaces will not exist upon server restart and will not
exist on replicas. They can also be created in read-only mode.

Introduces a new field `type` to the space definition. Currently it can
only be "normal" or "data-temporary". It is backwards compatible with
temporary=true.

@TarantoolBot document
Title: Introduce space field type

A new space definition field "type" can now be used to specify the type
of the space. Usage: box.schema.create_space("s", { type = "normal" }).
Currently only 2 types are supported: "normal" & "data-temporary", which
is equivalent to { temporary = true }. Old-style { temporary = true } is
still supported, but only one option either 'temporary' or 'type' may be
specified at the same time.

Space type "temporary" will be introduced in a later commit.
In the future options "local", "synchronous", etc. may also be
supported.

NO_TEST=will be tested in the following commit

We already use this info in one of the test and going to use it more.

Part of #7327

@TarantoolBot document
Title: new tarantool.build.asan flag

It is `true` if `ENABLE_ASAN` build option is set and `false` otherwise.

Vinyl tuples returned to the user are allocated with malloc. They may be
pinned by Lua indefinitely. Currently, there's no way to figure out how
much memory is occupied by these tuples. This commit adds a statistic to
box.stat.vinyl() that accounts them.

Closes #8485

@TarantoolBot document
Title: Document `memory.tuple` statistic of `box.stat.vinyl()`

The new statistic shows the total size of memory in bytes occupied by
Vinyl tuples. It includes cached tuples and tuples pinned by the Lua
world.

* Fix maxslots when recording BC_TSETM.
* Fix TDUP load forwarding after table rehash.
* Fix binary number literal parsing.
* Fix maxslots when recording BC_VARG, part 3.
* test: fix flaky <unit-jit-parse.test.lua> again
* Fix predict_next() in parser.
* Revert to trivial pow() optimizations to prevent inaccuracies.
* Fix pow() optimization inconsistencies.
* Improve assertions.
* Remove pow() splitting and cleanup backends.
* test: introduce `samevalues()` TAP checker
* MIPS: Add MIPS64 R6 port.
* DynASM/MIPS: Fix shadowed variable.
* MIPS64: Fix register allocation in assembly of HREF.
* Prevent integer overflow while parsing long strings.
* Fix LJ_MAX_JSLOTS assertion in rec_check_slots().
* Fix debug.getinfo() argument check.
* ARM: Fix GCC 7 -Wimplicit-fallthrough warnings.
* DynASM: Fix warning.
* Fix GCC 7 -Wimplicit-fallthrough warnings.
* Cleanup math function compilation and fix inconsistencies.
* FFI: Eliminate hardcoded string hashes.
* Windows: Add UWP support, part 1.
* build: fix non-Linux/macOS builds
* PPC: Add soft-float support to JIT compiler backend.
* PPC: Add soft-float support to interpreter.
* MIPS64: Add soft-float support to JIT compiler backend.
* MIPS: Fix handling of spare long-range jump slots.
* test: introduce mcode generator for tests
* MIPS: Use precise search for exit jump patching.
* sysprof: improve parser's memory footprint
* tools: add execution permission to sysprof parser
* sysprof: remove `split by vmstate` option

Part of #8825

NO_DOC=LuaJIT submodule bump
NO_TEST=LuaJIT submodule bump

Fiber flags are initialized after fiber stack creation. As result
currently check for custom stack in fiber_stack_watermark_create does
not work. This leads to heap-buffer-overflow on putting watermark
if custom stack size is less than FIBER_STACK_SIZE_WATERMARK.

Close #9026

NO_DOC=bugfix

`msg` is used after it is freed in iproto_msg_delete.

Close #9037

NO_TEST=tested by ASAN
NO_DOC=bugfix

This patch introduces all audit options.

Closes #8861

NO_DOC=Was already described before.

When fiber region is freed/destroyed and ENABLE_BACKTRACE is set then
`fiber_on_gc_truncate` callback is called. At this time both `used`
argument and `fiber->gc_initial_size` are equal to 0. Thus
`fiber->first_alloc_bt` is accessed which is already freed.

With a bad luck freeing fiber region can put slab back into slab arena.
So writing after free can change memory used by another thread.

Closes #9020

NO_TEST=tested by ASAN
NO_DOC=bugfix

The maximum length of box.cfg{} string parameters is now 512 instead of
256 before.

NO_DOC=no need to document
NO_TEST=will be added in EE

Memory is leaked in the following scenario:
- MP_ERROR_STACK with 2 errors is passed to error_unpack_unsafe():
  1. A correct MP_MAP with MP_ERROR_* fields;
  2. Something unexpected, e.g. MP_INT;
- This first call to mp_decode_error_one() allocates memory for the first
  error in error_build_xc() -> `new ClientError()`;
- The second call to mp_decode_error_one() returns NULL, and
  error_unpack_unsafe() returns NULL too. Memory from the previous step
  is leaked.

Closes #8921

NO_DOC=bugfix

The patch introduces Lua module trigger, which allows to set, delete and
call triggers from event registry.

Closes #8656

NO_DOC=later

part_count was checked in index_def_check(), which was called too late.
Before that check:
1. `malloc(sizeof(*part_def) * part_count)` can fail for huge part_count;
2. key_def_new() can crash for zero part_count because of out of bound
   access in:

NO_WRAP
   - #1 key_def_contains_sequential_parts (def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:26
   - #2 key_def_set_extract_func (key_def=0x5555561a2ef0) at src/box/tuple_extract_key.cc:442
   - #3 key_def_set_func (def=0x5555561a2ef0) at src/box/key_def.c:162
   - #4 key_def_new (parts=0x7fffc4001350, part_count=0, for_func_index=false) at src/box/key_def.c:320
NO_WRAP

Closes #8688

NO_DOC=bugfix

box.ctl.demote() used not to do anything with election_mode='off'
if the synchro queue didn't belong to the caller in the same term
as the election state.

The reason could be that if the synchro queue term is "outdated",
there is no guarantee that some other instance doesn't own it in
the latest term right now.

The "problem" is that this could be workarounded easily by just
calling promote + demote together.

There isn't much sense in fixing it for the off-mode because the
only reasons off-mode exists are 1) for people who don't use
synchro at all, 2) who did use it and want to stop. Hence they
need demote just to disown the queue.

The patch "legalizes" the mentioned workaround by allowing to
perform demote in off-mode even if the synchro queue term is old.

Closes #6860

NO_DOC=bugfix

NO_DOC=no code changes
NO_TEST=no code changes
NO_CHANGELOG=no code changes

This patch introduces initial support for the vshard configuration.
There is still a lot to be done in both vshard and the config to be able
to run vshard naturally. Key support restrictions introduced in the
patch:
1) at the moment there are only two roles: storage and router;
2) the entire config is considered a configuration for one sharded
system;
3) the rebalancer is currently disabled;
4) The router can automatically find all masters, but once all masters
are found, any changes to the masters will be ignored until
vshard.router.cfg() is called manually.

Closes #9007

NO_DOC=Will be described when full support for vshard is introduced.

This patch introduces all sharding parameters except "weight".

Part of #9007

NO_DOC=Will be described when full support for vshard is introduced.

It is convenient for development environments, when the configuration
file and the application sources reside in the same directory.

The same logic was recently implemented for the main script, see #8182.
The same problems appears in context of startup from a configuration
file, so it seems meaningful to adjust module search paths in this case
too.

Part of #8862

NO_DOC=This change is too minor to describe in the documentation issue
       https://github.com/tarantool/doc/issues/3544. I'll work with the
       documentation team regarding details of startup/reload flow and
       we'll determine what should go to the user documentation and what
       shouldn't.

The new default directory layout is the following.

```
+ var/
  + lib/
    + instance-001/
      - *.xlog
      - *.snap
      - *.vylog
  + log/
    + instance-001/
      - tarantool.log
  + run/
    + instance-001/
      - tarantool.control
      - tarantool.pid
```

Our guess is that it should be convenient for development environments,
when the application consists of several instances. The idea is borrowed
from the `cartridge-cli` and `tt` tools.

We plan to synchronize these defaults with the `tt` tool, to simplify
cases, when pure tarantool (without `tt`) should be run in the
directories layout created by `tt`. It should simplify debugging using
`gdb`, `strace` and other tools.

Also, it should reduce possible confusion for users of `cartridge-cli`
and `tt`.

Part of #8862

NO_DOC=https://github.com/tarantool/doc/issues/3544 already points to
       the actual instance config schema

The current working directory of a tarantool process is changed during
startup to `process.work_dir`.

The mkdir applier works before and after this point, so it should take
into account both situations.

Before first box.cfg() call (in the box_cfg applier) it should prepend
directories with `process.work_dir`. However, it shouldn't do that after
the current wordking directory change.

Part of #8862

NO_DOC=It is bugfix.

The `process.work_dir` option can be set in the configuration. All the
other directories/files has the before-box-cfg creation logic and it
seems meaningful to support it for `process.work_dir` too.

Part of #8862

NO_DOC=This change is too minor to describe in the documentation issue
       https://github.com/tarantool/doc/issues/3544. I'll work with the
       documentation team regarding details of startup/reload flow and
       we'll determine what should go to the user documentation and what
       shouldn't.

For example, if we want the logs to be in a separate `var/log`
directory, it is convenient to just configure it as `var/run/{{
instance_name }}.log` and let tarantool create the parent directory.

Part of #8862

NO_DOC=This change is too minor to describe in the documentation issue
       https://github.com/tarantool/doc/issues/3544. I'll work with the
       documentation team regarding details of startup/reload flow and
       we'll determine what should go to the user documentation and what
       shouldn't.

For example, if we want the console socket to be in a separate `var/run`
directory, it is convenient to just configure it as `var/run/{{
instance_name }}.control` and let tarantool create the parent directory.

Part of #8862

NO_DOC=This change is too minor to describe in the documentation issue
       https://github.com/tarantool/doc/issues/3544. I'll work with the
       documentation team regarding details of startup/reload flow and
       we'll determine what should go to the user documentation and what
       shouldn't.

Before this patch an attempt to set, say, `wal.dir` option to a
non-existent directory `foo` succeeds, while the same with `foo/bar`
directory fails.

The patch removes a race condition check, because `fio.mktree()`
performs the check on its own. See #4660 for details.

Part of #8862

NO_DOC=It is a bugfix.

We agreed that it is up to a user how to draw a line between one set of
instances that is considered as a separate cluster and another set of
instances that is assumed as a different cluster. This line is virtual
and there is no sense to impose restrictions until we add some certain
(and consistent) semantic to word 'cluster' in context of tarantool.

Part of #8862

NO_DOC=There is an existing documentation request
       https://github.com/tarantool/doc/issues/3544 and it doesn't
       describe such details. I'll work with the documentation team on
       demand on all the necessary details anyway.

Before this patch, user password could be set or updated only for
auth_type == 'chap-sha1'. Now password can be set, updated or removed
for any auth_type. Note that the password is changed only if necessary
to minimise db writes.

Part of #8967

NO_DOC=tarantool/doc#3544 links the most actual schema,
       no need to update the issue.

In the initial credentials schema, the hashes were supposed to give a
way to have passwords out of plain-text config file.
Later, it was decided to remove this feature, because this way of
authorisation is inferior to the one with auth service and tokens,
but the latter is out of scope for current config development.
This patch removes `credentials.password.{sha1,sha256}` and moves
plain password from `credentials.password.plain` to `credentials.password`.

Part of #8967

NO_DOC=tarantool/doc#3544 links the most actual schema,
       no need to update the issue.
NO_CHANGELOG=removed feature was not released yet