  1. Mar 20, 2023
    • xrow: get rid of unsafe cast of unsigned to signed · cc2d765a
      Serge Petrenko authored
      Casting a uint64_t greater than INT64_MAX to int64_t is
      implementation-defined behaviour, according to the C standard. Let's
      avoid that.
      
      In both cases fixed `len` is uint32_t and `ibuf_used(in)` returns a
      size_t (aka uint64_t on every platform that we care about).
      Hence the result of the subtraction is uint64_t and better use
      it directly. Besides, `coio_breadn_timeout` also takes a size_t.
      
      While I'm at it, let's actually change `len` to be uint64_t:
      `mp_decode_uint()` returns that anyway.
      
      Closes tarantool/security#108
      Closes tarantool/security#109
      
      NO_DOC=refactoring
      NO_TEST=refactoring
      NO_CHANGELOG=refactoring
    • box: fix big number encoding by msgpackffi · 67a586e1
      Aleksandr Lyapunov authored
      Due to a typo some big numbers were coded as MP_(U)INT.
      
      Since msgpackffi is used in selectffi, which is used for memtx,
      that could lead to strange select results with big number keys.
      
      Closes #6119
      
      NO_DOC=bugfix
    • sql: fix wrong int to dec conversion · 1e660dcf
      Mergen Imeev authored
      This patch fixes incorrect conversion of an integer greater than
      INT64_MAX or less than 0 to decimal during SQL arithmetic operations.
      
      Closes #8460
      
      NO_DOC=bugfix
  2. Mar 17, 2023
    • net.box: fix crash when remote space field has unknown type · 67578d1f
      Vladimir Davydov authored
      This commit fixes the following assertion failure that happens on
      a client in case a remote schema contains an unknown field type:
      
        src/box/lua/misc.cc:395: int lbox_tuple_format_new(lua_State*):
        Assertion `fields[i].type != field_type_MAX' failed.
      
      To fix the bug we remove the code that tries to set field types from
      box.internal.new_tuple_format. Actually, the format is used solely for
      providing field names so types are ignored anyway.
      
      Closes #4632
      
      NO_DOC=bug fix
    • box: fix wrong validation of region_alloc() result · 701fce89
      Mergen Imeev authored
      Prior to this patch, the return value of region_alloc() in
      lbox_tuple_format_new() was not checked. This patch fixes this by
      replacing region_alloc() with xregion_alloc(). Also, this patch
      replaces region_alloc_array() with xregion_alloc_array() in the same
      function.
      
      Closes tarantool/security#116
      
      NO_DOC=bugfix
      NO_TEST=hard to reproduce the bug
      NO_CHANGELOG=bugfix for unlikely bug
    • merger: fix signed integer overflow · ed2d260f
      Alexander Turenko authored
      The `merger.new()` call has the following code in the
      `luaT_merger_new_parse_sources()` function:
      
       | uint32_t source_count = lua_objlen(L, idx);
       | for (uint32_t i = 0; i < source_count; ++i) {
       |     <...>
       | }
       | lua_pop(L, source_count);
      
      It is possible that zero amount of sources are passed:
      
       | merger.new(kd, {})
      
      In this case the `source_count` variable is zero.
      
      `lua_pop()` is a macro defined this way:
      
       | #define lua_pop(L,n)		lua_settop(L, -(n)-1)
      
      It means that `n` in the `-(n)-1` expression is an unsigned 32 bit zero.
      Unsigned overflow is okay: it has defined behavior by the C standard and
      has the result 2^32-1 in the given case.
      
      The `lua_settop()` function is defined as follows:
      
       | LUA_API void  (lua_settop) (lua_State *L, int idx);
      
      We pass the `-(n)-1` value as `int idx` argument to `lua_settop()`. The
      value has uint32_t type and it is out of the `int` range ([-2^31,
      2^31]). Casting it to `int` has implementation defined behavior
      according to the standard (n1256,
      6.3.1.3.3).
      
      In practice, we're building Tarantool only for architectures with two's
      complement integers. The result of the cast is -1 and everything works
      as expected: the stack top remains unchanged.
      
      However, it is easy to eliminate the signed integer overflow, so it is
      worth doing. We can just save the stack top value and use
      `lua_settop()` to restore it, which is quite a common idiom.
      
      The problem can be found by clang's undefined behavior sanitizer.
      
      Apply the following patch:
      
      NO_WRAP
       | --- a/cmake/compiler.cmake
       | +++ b/cmake/compiler.cmake
       | @@ -238,6 +238,7 @@ macro(enable_tnt_compile_flags)
       |                  alignment bool bounds builtin enum float-cast-overflow
       |                  float-divide-by-zero function integer-divide-by-zero return
       |                  shift unreachable vla-bound
       | +                implicit-integer-sign-change
       |              )
       |
       |              # Exclude "object-size".
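      Review bot: the `implicit-integer-sign-change` entry added at the end
      of the check list is a Clang-only check from the implicit-conversion
      group, unlike the undefined-behaviour checks listed around it. Nothing
      visible in this hunk restricts the list to Clang, so if the same list
      reaches a GCC build it would be passed a `-fsanitize=` value that GCC
      does not accept. Append the entry only when the compiler is Clang, and
      add a comment line saying that the conversion it reports is
      implementation-defined rather than undefined.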
       | @@ -272,7 +273,7 @@ macro(enable_tnt_compile_flags)
       |              # the typeof(*obj) when obj is NULL, even though there is nothing
       |              # related to return.
       |
       | -            set(SANITIZE_FLAGS "-fsanitize=${SANITIZE_FLAGS} -fno-sanitize-recover=${SANITIZE_FLAGS}")
       | +            set(SANITIZE_FLAGS "-fsanitize=${SANITIZE_FLAGS}")
       |
       |              add_compile_flags("C;CXX" "${SANITIZE_FLAGS}")
       |          endif()
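      Review bot: removing `-fno-sanitize-recover=${SANITIZE_FLAGS}` from the
      `set(SANITIZE_FLAGS ...)` line makes every check in the list
      recoverable, not only the newly added one, so a run prints each report
      and carries on instead of aborting at the first finding. If the aim is
      only to let the process continue past sign-change reports, keep
      `-fno-sanitize-recover` for the existing checks and leave just
      `implicit-integer-sign-change` out of it.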
      NO_WRAP
      
      Build Tarantool with the sanitizer:
      
       | CC=clang-15 CXX=clang++-15 cmake . \
       |     -DCMAKE_BUILD_TYPE=Debug       \
       |     -DENABLE_BACKTRACE=ON          \
       |     -DENABLE_DIST=ON               \
       |     -DENABLE_FEEDBACK_DAEMON=OFF   \
       |     -DENABLE_BUNDLED_LIBCURL=OFF   \
       |     -DENABLE_BUNDLED_LIBUNWIND=OFF \
       |     -DENABLE_UB_SANITIZER=ON && make -j
      
      Run the interactive console and create a merger with zero sources:
      
       | tarantool> key_def = require('key_def')
       | tarantool> merger = require('merger')
       | tarantool> kd = key_def.new({{field = 1, type = 'number'}})
       | tarantool> m = merger.new(kd, {})
      
      Observe the 2^32-1 cast to 32 bit signed integer:
      
       | <...>/src/box/lua/merger.c:334:2: runtime error: implicit conversion
       |     from type 'unsigned int' of value 4294967295 (32-bit, unsigned)
       |     to type 'int' changed the value to -1 (32-bit, signed)
       | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
       |     <...>/src/box/lua/merger.c:334:2 in
      
      The commit eliminates this report from clang's sanitizer.
      
      I've added a test case, which goes over the relevant code path. It
      succeeds before the commit as well as after it. If we enable a
      relevant dynamic analysis in the future (such as clang's
      `-fsanitize=implicit-integer-sign-change`), the test case may reveal
      problems on the given code path.
      
      Reported-in: https://github.com/tarantool/security/issues/103
      
      NO_DOC=no user-visible behavior changes
      NO_CHANGELOG=no user-visible behavior changes
  3. Mar 15, 2023
    • memtx: add stubs to keep track of upgraded read view tuples · 921a0717
      Vladimir Davydov authored
      If a read view is created while space upgrade is in progress, tuples
      fetched from the read view may be either upgraded or not. We need to
      be able to differentiate those tuples so that we can use the appropriate
      tuple format for them. To achieve that this commit adds the following
      function stubs:
      
       - memtx_space_upgrade_track_tuple and memtx_space_upgrade_untrack_tuple
         will be used to maintain a set of all upgraded tuples.
       - memtx_read_view_tuple_needs_upgrade will do a lookup in the set of
         all upgraded tuples to check if a tuple needs upgrade.
      
      The stubs will be implemented in the EE repository.
      
      Note that we have to call memtx_space_upgrade_untrack_tuple from
      memtx_engine_rollback_statement. The problem is that the space may be
      deleted while a transaction is in progress, in which case we must not
      access space->upgrade in memtx_engine_rollback_statement. Fortunately,
      we call memtx_tx_on_space_delete when a memtx space is altered to
      rollback memtx transactions. So to handle this situation we set
      txn_stmt->engine_savepoint to NULL from memtx_tx_history_remove_stmt
      called from memtx_tx_on_space_delete. This makes the rollback function
      return early.
      
      Needed for tarantool/tarantool-ee#236
      
      NO_DOC=ee
      NO_TEST=ee
      NO_CHANGELOG=ee
    • Revert "read_view: pass read_view_opts to index_create_read_view" · faa50a3a
      Vladimir Davydov authored
      This reverts commit e771d06d.
      
      Not needed anymore.
      
      NO_DOC=refactoring
      NO_TEST=refactoring
      NO_CHANGELOG=refactoring
    • memtx: pass index_read_view to memtx_prepare_read_view_tuple · f9dd677f
      Vladimir Davydov authored
      Currently, we pass only disable_decompression flag, but to handle tuples
      in case the read view was created while space upgrade was in progress,
      we'll need extra information stored in the read view struct. Let's pass
      index_read_view to memtx_prepare_read_view_tuple instead of the flag.
      To do that we need to store the flag in struct read_view.
      
      Needed for tarantool/tarantool-ee#236
      
      NO_DOC=refactoring
      NO_TEST=refactoring
      NO_CHANGELOG=refactoring
    • index: wrap data returned from read view in struct · 14cab2cd
      Vladimir Davydov authored
      This commit introduces read_view_tuple struct which is used for
      returning raw tuple data and size from a read view. In the following
      commits we'll add a flag indicating if the tuple was upgraded or not to
      this struct (relevant if the read view was created while space upgrade
      was running).
      
      Needed for tarantool/tarantool-ee#236
      
      NO_DOC=refactoring
      NO_TEST=refactoring
      NO_CHANGELOG=refactoring
    • space: add engine-specific callback for space upgrade · 93b3bba9
      Vladimir Davydov authored
      This commit adds the new callback space_vtab::prepare_upgrade. It is
      invoked after preparing to alter a space and passed the old and new
      space objects, like prepare_alter. The generic callback implementation
      raises an error saying that the engine doesn't support space upgrade.
      The memtx implementation raises an error saying that space upgrade isn't
      available in the community edition. It'll be overridden in the Tarantool
      EE repository.
      
      The new callback replaces calls to space_upgrade_check_alter and
      space_upgrade_new. Their job is now supposed to be done by the callback
      implementation in Tarantool EE. This change makes it easier to extend
      space upgrade implementation in Tarantool EE. In particular, we can now
      make it engine-dependent, which is required to fix the issue with tuple
      formats when a read view is created while space upgrade is in progress.
      
      Needed for tarantool/tarantool-ee#236
      
      NO_DOC=refactoring
      NO_CHANGELOG=refactoring
    • build: drop unused variable detected by clang 15 · ab7b66e4
      Alexander Turenko authored
      ```
      <...>/src/box/sql/vdbe.c:378:11: error: variable 'nVmStep' set but not
          used [-Werror,-Wunused-but-set-variable]
              unsigned nVmStep = 0;      /* Number of virtual machine steps */
                       ^
      ```
      
      The usage of the variable was removed in commit dbad19ef ("sql: drop
      unused functions").
      
      See also #8110.
      
      NO_DOC=no user visible behavior changes
      NO_TEST=see NO_DOC
      NO_CHANGELOG=dbad19ef is not released yet
  4. Mar 14, 2023
    • sql: incomparable types in ORDER BY and GROUP BY · 0ead015b
      Mergen Imeev authored
      This patch prohibits the use of ARRAY, MAP and INTERVAL in ORDER BY.
      In addition, GROUP BY now also checks the types of the arguments when
      building the VDBE.
      
      Closes #6668
      
      NO_DOC=bugfix
    • sql: support collation for ANY · da8336ce
      Mergen Imeev authored
      This patch makes SQL support collations for the ANY type.
      
      Closes #8070
      
      NO_DOC=ANY already supports collations in BOX.
    • box: fix 64-bit schema version for message pack. · ec9bdca7
      Denis Smirnov authored
      0b876b76 introduced `uint64_t` schema version to deal with the
      possible 32-bit counter overflow problem. But for some reason
      message pack still serialized 64-bit schema version as 32-bit one.
      Current commit fixes the issue.
      
      NO_CHANGELOG=internal fix
      NO_DOC=internal fix
      NO_TEST=internal fix
  5. Mar 13, 2023
    • Bump msgpuck submodule · 3c4e5526
      Nikolay Shirokovskiy authored
      This update pulls the following commits:
      
      * Add mp_memcpy and mp_memcpy_safe
      * Add mp_encode_*_safe family that handles buffer overflow
      
      Required for refactoring emerged when fixing issues:
      
      https://github.com/tarantool/tarantool-ee/issues/357
      https://github.com/tarantool/tarantool-ee/issues/358
      
      NO_DOC=submodule update
      NO_TEST=submodule update
      NO_CHANGELOG=submodule update
    • test: fix flaky box/gh-6293-implement-new-net-stat · 4e9bffc1
      Vladimir Davydov authored
      The test checks that the number of IPROTO requests handled by a test
      server is reported correctly in statistics. Since a net.box connection
      sends a few "service" requests (e.g. to fetch schema), the test excludes
      them from the total count. The problem is this doesn't always work with
      service requests sent to enable graceful shutdown.
      
      To enable graceful shutdown a client sends an IPROTO_WATCH request.
      The server replies to the client with IPROTO_EVENT. Upon receiving
      the event, the client sends another IPROTO_WATCH request to ack it.
      The whole procedure is fully asynchronous, which means it may finish
      after we start processing user requests over the connection.
      
      To correctly account service requests, let's disable this feature.
      
      Closes tarantool/tarantool-qa#269
      
      NO_DOC=test fix
      NO_CHANGELOG=test fix
  6. Mar 11, 2023
    • luajit: bump new version · 15e62a67
      Igor Munkin authored
      * ARM64: Avoid side-effects of constant rematerialization.
      * ARM64: Fix {AHUV}LOAD specialized to nil/false/true.
      * ARM64: Fix pcall() error case.
      * Fix math.min()/math.max() inconsistencies.
      * test: add test case for math.modf
      
      Closes #6163
      Part of #8069
      Follows up #7230
      
      NO_DOC=LuaJIT submodule bump
      NO_TEST=LuaJIT submodule bump
  7. Mar 10, 2023
    • prbuf: add prbuf_max_record_size · 2c7490e7
      Nikolay Shirokovskiy authored
      This is the maximum record size we can store in the buffer.
      
      Needed for:
        https://github.com/tarantool/tarantool-ee/issues/358
      
      NO_DOC=internal
      NO_CHANGELOG=internal
    • iproto: write push responses to flight recorder · c71bfcfa
      Georgiy Lebedev authored
      Apparently, push responses were not considered when designing flight
      recorder: write push responses to flight recorder immediately when a push
      is initiated (i.e., synchronously).
      
      Needed for tarantool/tarantool-ee#338
      
      NO_CHANGELOG=<affects EE feature>
      NO_DOC=<bugfix>
      NO_TEST=<tested in EE PR>
    • test: add workaround for gh_3211_per_module_log_level_test · f1ae7264
      Ilya Verbin authored
      Periodically this test hangs on pthread_join() on macOS.
      This patch adds a workaround until #8423 is implemented.
      
      Closes #8420
      
      NO_DOC=test fix
      NO_CHANGELOG=test fix
    • icu: fix potential UB in DangiCalendar · 4305d397
      Andrey Saranchin authored
      Method `getDangiCalZoneAstroCalc` is used to calculate an argument for
      base class constructor when it is not built yet. Fortunately, it does not
      use class fields - let's make it static to use it before class
      initialization legitimately.
      
      Closes tarantool/security#96
      
      NO_TEST=no behaviour changes
      NO_CHANGELOG=no behaviour changes
      NO_DOC=no behaviour changes
    • alter: fix potential UB in RebuildFuncIndex · b5163ef7
      Andrey Saranchin authored
      Method `func_index_def_new` is used to calculate an argument for base
      class constructor when it is not built yet. Fortunately, it does not
      use class fields - let's make it static to use it before class
      initialization legitimately.
      
      Part of tarantool/security#96
      
      NO_TEST=no behaviour changes
      NO_CHANGELOG=no behaviour changes
      NO_DOC=no behaviour changes
  8. Mar 09, 2023
    • console: configure continuation · 56a43147
      Gleb Kashkin authored
      Continuation marker can be set up with `\set continuation` command.
      Works on both server and client side in any language.
      
      Closes #4317
      Requires #7357
      
      @TarantoolBot document
      Title: introduce line carrying slash
      
      Now we can use multiline commands with lines ending by configuring
      continuation symbol. Works only when there is no set delimiter.
      Consider the example where the marker is set, used and removed:
      ```
      tarantool> \set continuation on
      ---
      - true
      ...
      
      tarantool> a = 10\
               > + 12
      ---
      ...
      
      tarantool> \set continuation off
      ---
      - true
      ...
      
      tarantool> a = 10\
      ---
      - error: '[string "a = 10\"]:1: unexpected symbol near ''\'''
      ...
      
      tarantool>
      
      ```
    • console: fix lang identification in local_read() · 01ad9e7b
      Gleb Kashkin authored
      Language in `local_read()` used to be set to `box.session.language` while
      the latter is always `nil` and `set_language()` sets `self.language`.
      
      Now the language in `local_read()` is identified correctly. This is
      required for performing continuation check (gh-4317) on any language
      while the check for complete lua statement happens only in Lua mode.
      
      Needed for #4317
      
      NO_DOC=refactoring
      NO_CHANGELOG=refactoring
      NO_TEST=invisible to user
    • console: force disable readline bracketed paste · 04bd3293
      Gleb Kashkin authored
      GNU Readline starting from version 8.1 has bracketed paste[0] enabled by
      default which complicates handling pasted multiline text and is not
      supported for now.
      
      This patch disables the feature even if it is enabled in inputrc, by user
      or by default.
      
      [0] https://cirw.in/blog/bracketed-paste
      
      Needed for #4317
      
      NO_TEST=readline config
      NO_DOC=readline config
      NO_CHANGELOG=readline config
  9. Mar 07, 2023
    • test: fix fail of gh_4669_applier_reconnect_test · 1051aa7f
      Nikita Zheleztsov authored
      In the test we start replicas only with master in box.cfg.replication.
      We cannot use bootstrap_strategy = 'auto' mode, which is default, as
      it properly works only when all participants of the cluster are listed
      in replication parameter. Sometimes, when one replica connects to the
      master, the other one has already successfully joined, so the first
      replica sees in ballot, that it doesn't have all nodes from cluster
      in box.cfg.replication and fails to start.
      
      Let's use 'legacy' bootstrap strategy for now.
      
      Closes tarantool/tarantool-qa#310
      
      NO_DOC=test-fix
      NO_CHANGELOG=test-fix
    • msgpack: fix unsafe extension decoding · 1de6a071
      Georgiy Lebedev authored
      In some cases unsafe extension decoding was done without bound and type
      checks: add necessary checks.
      
      Closes tarantool/security#73
      
      NO_DOC=bugfix
  10. Mar 06, 2023
    • httpc: check region_join result · 089cbfa9
      Oleg Jukovec authored
      This patch addresses Coverity complaint 1535241.
      
      Follow-up #8047
      
      NO_TEST=nit
      NO_CHANGELOG=nit
      NO_DOC=nit
    • box: check iterator position against search criteria · c561202d
      Vladimir Davydov authored
      If the 'after' key is less than the search key in case of ge/gt or
      greater than the search key in case of le/lt, the iterator either
      crashes (vinyl) or returns invalid result (memtx). This happens because
      the engine implementation doesn't expect an invalid 'after' key.
      Let's fix this by raising an error at the top level in case the 'after'
      key doesn't meet the search criteria.
      
      Closes #8403
      Closes #8404
      
      NO_DOC=bug fix
      NO_CHANGELOG=unreleased
    • box: raise ER_ITERATOR_POSITION on any kind of invalid position · 81d43c17
      Vladimir Davydov authored
      Currently, if the position isn't compatible with the index, we raise
      an error like "Invalid key part count ...". From this error it's
      difficult to figure out whether it's for the given iterator position or
      for the search key. Let's always raise ER_ITERATOR_POSITION in this
      case. Later on we'll use stacked diag to add extra error info.
      
      Needed for #8403
      Needed for #8404
      
      NO_DOC=bug fix
      NO_CHANGELOG=unreleased
    • key_def: make key_compare take keys without header · 41b8a012
      Vladimir Davydov authored
      We need to compare a tuple position with a search key in select() and
      pairs() to make sure the tuple position meets the search criteria. The
      problem is that we strip the MessagePack header from the position while
      key_compare() takes keys with headers. Let's make key_compare take keys
      without headers like the rest of comparator functions. Since in Vinyl we
      often need to compare keys with headers, we also add vy_key_compare()
      helper function.
      
      Needed for #8403
      Needed for #8404
      
      NO_DOC=refactoring
      NO_TEST=refactoring
      NO_CHANGELOG=refactoring
    • ci: fix code block indentation in pack-and-deploy · dcf1f1ec
      Yaroslav Lobankov authored
      NO_DOC=ci
      NO_TEST=ci
      NO_CHANGELOG=ci
    • ci: enable for release/x.y.z branches · 9fe135c5
      Yaroslav Lobankov authored
      Enable CI for branches with names `release/x.y.z`. Sometimes we are
      going to create such branches, and we need to have working CI for them.
      
      NO_DOC=ci
      NO_TEST=ci
      NO_CHANGELOG=ci
    • test: add rule to ignore Makefile · 25d93952
      Mergen Imeev authored
      This patch adds a rule to ignore the Makefile on the path test/*/*/.
      
      NO_DOC=No need, changes in .gitignore
      NO_TEST=No need, changes in .gitignore
      NO_CHANGELOG=No need, changes in .gitignore
  11. Mar 03, 2023