JIT has been disabled for these 4 tests on arm64 to avoid failing due to
side-effects of constant rematerialization:
* <app-tap/datetime.test.lua>
* <box-luatest/gh_6539_log_user_space_empty_or_nil_select_test.lua>
* <box-luatest/pagination_netbox_test.lua>
* <engine-luatest/pagination_test.lua>

The problem was solved via the commit
15e62a67 ("luajit: bump new version").
So, enable JIT compilation for these tests back.

Closes #6599
Closes #7739
Closes #8011

NO_CHANGELOG=tests
NO_DOC=tests

(cherry picked from commit 915e0b3a)

Follow-up #8463

NO_DOC=style fix
NO_CHANGELOG=style fix
NO_TEST=style fix

(cherry picked from commit 64532551)

Bump test-run to new version with the following improvements:

- Bump luatest to 0.5.7-29-geef05dd [1]

[1] tarantool/test-run@cc3c38e

NO_DOC=testing stuff
NO_TEST=testing stuff
NO_CHANGELOG=testing stuff

(cherry picked from commit 8ac35039)

The `lua_add_key_u64()` function pushes an `uint64_t` value using
`lua_pushinteger()`, which accepts `int64_t` argument. A value >= 2^63
will be interpreted as a negative value on all architectures we're
supporting. However, technically it is implementation defined behavior
(see n1256, 6.3.1.3.3).

It is not a problem, in fact, because the function is used only to
report `http_client:stat()` statistics and because values beyond 2^63-1
are unreachable in practice.

OTOH, it is easy to eliminate the undefined behavior by replacing
`lua_pushinteger()` with our own helper function, which accepts
`uint64_t`: `luaL_pushuint64()`.

The values above 10^14 - 1 are now pushed as `cdata<uint64_t>`. Lower
values are pushed as `number` just like before the commit.

Reported-in: https://github.com/tarantool/security/issues/103

NO_DOC=The type of values in the statistics is not specified explicitly
       in the documentation (not obligated to be `number`) and it is
       quite common for Tarantool to return a value of `cdata<int64_t>`
       or `cdata<uint64_t>` type for an integer with a large absolute
       value.
NO_CHANGELOG=see NO_DOC
NO_TEST=It is hard to reach so large values externally (send 2^63
        requests) and it doesn't look worthful to introduce an error
        injection/a internal API to test it. `luaL_pushuint64()` is
        covered by the module API test.

(cherry picked from commit 3dbbf2d3)

The index directory is created on demand since commit c00ba8e7
("xlog: make log directory if needed") and removed when it becomes
empty. There's no need to create it when an index is created anymore.

Follow-up #8441

NO_DOC=bugfix

(cherry picked from commit 9b50c095)

When vinyl space is dropped, its files are left on the file system
until GC removes them. At the moment GC removes only run files,
but not the root directory. These empty directories are never
removed and occupy 4KB on ext-family file systems each. In a case
of many dropped vinyl spaces it can become a serious disk space
and inode leak. Current commit makes gc always remove root directory
if there are no runs in it.

Closes #8441

NO_DOC=bugfix

(cherry picked from commit ee3c1964)

`func_opts_reg` definition misses a `OPT_END` termintator item. This
leads to UB on iterating it. Particularly when `func_opts_reg` is used
as argument to `opts_decode` in `func_def_new_from_tuple`.

Closes #8463

NO_DOC=bugfix

(cherry picked from commit a652b03f)

The function is unused and still triggers some static analysis
warnings. Let's drop it.

itoa() became unused with removal of fdprintf(), so let's drop it as
well.

Closes tarantool/security#113

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

(cherry picked from commit 01220555)

Casting a uint64_t greater than INT64_MAX to int64_t is
implementation-defined behaviour, according to the C standard. Let's
avoid that.

In both cases fixed `len` is uint32_t and `ibuf_used(in)` returns a
size_t (aka uint64_t on every platform that we care about).
Hence the result of the subtraction is uint64_t and better use
it directly. Besides, `coio_breadn_timeout` also takes a size_t.

While I'm at it, let's actually change `len` to be uint64_t:
`mp_decode_uint()` returns that anyway.

Closes tarantool/security#108
Closes tarantool/security#109

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

(cherry picked from commit cc2d765a)

Due to a typo some big numbers were coded as MP_(U)INT.

Since msgpackffi is used in selectffi, which is used for memtx,
that could lead to strange select results with big number keys.

Closes #6119

NO_DOC=bugfix

(cherry picked from commit 67a586e1)

This patch fixes incorrect conversion of an integer greater than
INT64_MAX or less than 0 to decimal during SQL arithmetic operations.

Closes #8460

NO_DOC=bugfix

(cherry picked from commit 1e660dcf)

This commit fixes the following assertion failure that happens on
a client in case a remote schema contains an unknown field type:

  src/box/lua/misc.cc:395: int lbox_tuple_format_new(lua_State*):
  Assertion `fields[i].type != field_type_MAX' failed.

To fix the bug we remove the code that tries to set field types from
box.internal.new_tuple_format. Actually, the format is used solely for
providing field names so types are ignored anyway.

Closes #4632

NO_DOC=bug fix

(cherry picked from commit 67578d1f)

Prior to this patch, the return value of region_alloc() in
lbox_tuple_format_new() was not checked. This patch fixes this by
replacing region_alloc() with xregion_alloc(). Also, this patch
replaces region_alloc_array() to xregion_alloc_array() in the same
function.

Closes tarantool/security#116

NO_DOC=bugfix
NO_TEST=hard to reproduce the bug
NO_CHANGELOG=bugfix for unlikely bug

(cherry picked from commit 701fce89)

The `merger.new()` call has the following code in the
`luaT_merger_new_parse_sources()` function:

 | uint32_t source_count = lua_objlen(L, idx);
 | for (uint32_t i = 0; i < source_count; ++i) {
 |     <...>
 | }
 | lua_pop(L, source_count);

It is possible that zero amount of sources are passed:

 | merger.new(kd, {})

In this case the `source_count` variable is zero.

`lua_pop()` is a macro defined this way:

 | #define lua_pop(L,n)		lua_settop(L, -(n)-1)

It means that `n` in the `-(n)-1` expression is an unsigned 32 bit zero.
Unsigned overflow is okay: it has defined behavior by the C standard and
has the result 2^32-1 in the given case.

The `lua_settop()` function is defined as follows:

 | LUA_API void  (lua_settop) (lua_State *L, int idx);

We pass the `-(n)-1` value as `int idx` argument to `lua_settop()`. The
value has uint32_t type and it is out of the `int` range ([-2^31,
2^31]). Casting it to `int` has implementation defined behavior
according to the standard (n1256,
6.3.1.3.3).

In practice, we're building Tarantool only for architectures with two's
complement integers. The result of the cast is -1 and everything works
as expected: the stack top remains unchanged.

However, it is easy to eliminate the signed integer overflow, so it is
worthful to do. We can just save the stack top value and use
`lua_settop()` to restore it, which is quite common idiom.

The problem can be found by clang's undefined behavior sanitizer.

Apply the following patch:

NO_WRAP
 | --- a/cmake/compiler.cmake
 | +++ b/cmake/compiler.cmake
 | @@ -238,6 +238,7 @@ macro(enable_tnt_compile_flags)
 |                  alignment bool bounds builtin enum float-cast-overflow
 |                  float-divide-by-zero function integer-divide-by-zero return
 |                  shift unreachable vla-bound
 | +                implicit-integer-sign-change
 |              )
 |
 |              # Exclude "object-size".
 | @@ -272,7 +273,7 @@ macro(enable_tnt_compile_flags)
 |              # the typeof(*obj) when obj is NULL, even though there is nothing
 |              # related to return.
 |
 | -            set(SANITIZE_FLAGS "-fsanitize=${SANITIZE_FLAGS} -fno-sanitize-recover=${SANITIZE_FLAGS}")
 | +            set(SANITIZE_FLAGS "-fsanitize=${SANITIZE_FLAGS}")
 |
 |              add_compile_flags("C;CXX" "${SANITIZE_FLAGS}")
 |          endif()
NO_WRAP

Build Tarantool with the sanitizer:

 | CC=clang-15 CXX=clang++-15 cmake . \
 |     -DCMAKE_BUILD_TYPE=Debug       \
 |     -DENABLE_BACKTRACE=ON          \
 |     -DENABLE_DIST=ON               \
 |     -DENABLE_FEEDBACK_DAEMON=OFF   \
 |     -DENABLE_BUNDLED_LIBCURL=OFF   \
 |     -DENABLE_BUNDLED_LIBUNWIND=OFF \
 |     -DENABLE_UB_SANITIZER=ON && make -j

Run the interactive console and create a merger with zero sources:

 | tarantool> key_def = require('key_def')
 | tarantool> merger = require('merger')
 | tarantool> kd = key_def.new({{field = 1, type = 'number'}})
 | tarantool> m = merger.new(kd, {})

Observe the 2^32-1 cast to 32 bit signed integer:

 | <...>/src/box/lua/merger.c:334:2: runtime error: implicit conversion
 |     from type 'unsigned int' of value 4294967295 (32-bit, unsigned)
 |     to type 'int' changed the value to -1 (32-bit, signed)
 | SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
 |     <...>/src/box/lua/merger.c:334:2 in

The commit eliminates this report from the clang's sanitizer.

I've added a test case, which goes over the relevant code path. It
succeeds as before the commit as well as after it. If we'll enable a
relevant dynamic analysis in a future (such as clang's
`-fsanitize=implicit-integer-sign-change`), the test case may reveal
problems on the given code path.

Reported-in: https://github.com/tarantool/security/issues/103

NO_DOC=no user-visible behavior changes
NO_CHANGELOG=no user-visible behavior changes

(cherry picked from commit ed2d260f)

If a read view is created while space upgrade is in progress, tuples
fetched from the read view may be either upgraded or not. We need to
be able to differentiate those tuples so that we can use the appropriate
tuple format for them. To achieve that this commit adds the following
function stubs:

 - memtx_space_upgrade_track_tuple and memtx_space_upgrade_untrack_tuple
   will be used to maintain a set of all upgraded tuples.
 - memtx_read_view_tuple_needs_upgrade will do a lookup in the set of
   all upgraded tuples to check if a tuple needs upgrade.

The stubs will be implemented in the EE repository.

Note that we have to call memtx_space_upgrade_untrack_tuple from
memtx_engine_rollback_statement. The problem is that the space may be
deleted while a transaction is inprogress, in which case we must not
access space->upgrade in memtx_engine_rollback_statement. Fortunately,
we call memtx_tx_on_space_delete when a memtx space is altered to
rollback memtx transactions. So to handle this situation we set
txn_stmt->engine_savepoint to NULL from memtx_tx_history_remove_stmt
called from memtx_tx_on_space_delete. This makes the rollback function
return early.

Needed for tarantool/tarantool-ee#236

NO_DOC=ee
NO_TEST=ee
NO_CHANGELOG=ee

(cherry picked from commit 921a0717)

This reverts commit e771d06d.

Not needed anymore.

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

(cherry picked from commit faa50a3a)

Currently, we pass only disable_decompression flag, but to handle tuples
in case the read view was created while space upgrade was in progress,
we'll need extra information stored in the read view struct. Let's pass
index_read_view to memtx_prepeare_read_view_tuple instead of the flag.
To do that we need to store the flag in struct read_view.

Needed for tarantool/tarantool-ee#236

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

(cherry picked from commit f9dd677f)

This commit introduces read_view_tuple struct which is used for
returning raw tuple data and size from a read view. In the following
commits we'll add a flag indicating if the tuple was upgraded or not to
this struct (relevant if the read view was created while space upgrade
was running).

Needed for tarantool/tarantool-ee#236

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

(cherry picked from commit 14cab2cd)

This commit adds the new callback space_vtab::prepare_upgrade. It is
invoked after preparing to alter a space and passed the old and new
space objects, like prepare_alter. The generic callback implementation
raises an error saying that the engine doesn't support space upgrade.
The memtx implementation raises an error saying that space upgrade isn't
available in the community edition. It'll be overridden in the Tarantool
EE repository.

The new callback replaces calls to space_upgrade_check_alter and
space_upgrade_new. Their job is now supposed to be done by the callback
implementation in Tarantool EE. This change makes it easier to extend
space upgrade implementation in Tarantool EE. In particular, we can now
make it engine-dependent, which is required to fix the issue with tuple
formats when a read view is created while space upgrade is in progress.

Needed for tarantool/tarantool-ee#236

NO_DOC=refactoring
NO_CHANGELOG=refactoring

(cherry picked from commit 93b3bba9)

This patch prohibits the use of ARRAY, MAP and INTERVAL in ORDER BY.
In addition, GROUP BY now also checks the types of the arguments when
building the VDBE.

Closes #6668

NO_DOC=bugfix

(cherry picked from commit 0ead015b)

This patch makes SQL to support collations for the ANY type.

Closes #8070

NO_DOC=ANY already supports collations in BOX.

(cherry picked from commit da8336ce)

0b876b76 introduced `uint64_t` schema version to deal with the
possible 32-bit counter overflow problem. But for some reason
message pack still serialized 64-bit schema version as 32-bit one.
Current commit fixes the issue.

NO_CHANGELOG=internal fix
NO_DOC=internal fix
NO_TEST=internal fix

(cherry picked from commit ec9bdca7)

This update pulls the following commits:

* Add mp_memcpy and mp_memcpy_safe
* Add mp_encode_*_safe family that handles buffer overflow

Required for refactoring emerged when fixing issues:

https://github.com/tarantool/tarantool-ee/issues/357
https://github.com/tarantool/tarantool-ee/issues/358

NO_DOC=submodule update
NO_TEST=submodule update
NO_CHANGELOG=submodule update

(cherry picked from commit 3c4e5526)

The test checks that the number of IPROTO requests handled by a test
server is reported correctly in statistics. Since a net.box connection
sends a few "service" requests (e.g. to fetch schema), the test excludes
them from the total count. The problem is this doesn't always work with
service requests sent to enable graceful shutdown.

To enable graceful shutdown a client sends an IPROTO_WATCH request.
The server replies to the client with IPROTO_EVENT. Upon receiving
the event, the client sends another IPROTO_WATCH request to ack it.
The whole procedure is fully asynchronous, which means it may finish
after we start processing user requests over the connection.

To correctly account service requests, let's disable this feature.

Closes tarantool/tarantool-qa#269

NO_DOC=test fix
NO_CHANGELOG=test fix

(cherry picked from commit 4e9bffc1)

* ARM64: Avoid side-effects of constant rematerialization.
* ARM64: Fix {AHUV}LOAD specialized to nil/false/true.
* ARM64: Fix pcall() error case.
* Fix math.min()/math.max() inconsistencies.
* test: add test case for math.modf

Closes #6163
Part of #8069
Follows up #7230

NO_DOC=LuaJIT submodule bump
NO_TEST=LuaJIT submodule bump

This is the maximum record size we can store in the buffer.

Needed for:
  https://github.com/tarantool/tarantool-ee/issues/358

NO_DOC=internal
NO_CHANGELOG=internal

(cherry picked from commit 2c7490e7)

Apparently, push responses were not considered when designing flight
recorder: write push responses to flight recorder immediately when a push
is initiated (i.e., synchronously).

Needed for tarantool/tarantool-ee#338

NO_CHANGELOG=<affects EE feature>
NO_DOC=<bugfix>
NO_TEST=<tested in EE PR>

(cherry picked from commit c71bfcfa)

Periodically this test hangs on pthread_join() on macOS.
This patch adds a workaround until #8423 is implemented.

Closes #8420

NO_DOC=test fix
NO_CHANGELOG=test fix

(cherry picked from commit f1ae7264)

Method `getDangiCalZoneAstroCalc` is used to calculate an argument for
base class constructor when it is not built yet. Fortunately, it does not
use class fields - let's make it static to use it before class
initialization legitimately.

Closes tarantool/security#96

NO_TEST=no behaviour changes
NO_CHANGELOG=no behaviour changes
NO_DOC=no behaviour changes

(cherry picked from commit 4305d397)

Method `func_index_def_new` is used to calculate an argument for base
class constructor when it is not built yet. Fortunately, it does not
use class fields - let's make it static to use it before class
initialization legitimately.

Part of tarantool/security#96

NO_TEST=no behaviour changes
NO_CHANGELOG=no behaviour changes
NO_DOC=no behaviour changes

(cherry picked from commit b5163ef7)

In the test we start replicas only with master in box.cfg.replication.
We cannot use bootstrap_strategy = 'auto' mode, which is default, as
it properly works only when all participants of the cluster are listed
in replication parameter. Sometimes, when one replica connects to the
master, the other one has already successfully joined, so the first
replica sees in ballot, that it doesn't have all nodes from cluster
in box.cfg.replication and fails to start.

Let's use 'legacy' bootstrap strategy for now.

Closes tarantool/tarantool-qa#310

NO_DOC=test-fix
NO_CHANGELOG=test-fix

(cherry picked from commit 1051aa7f)

Fix grammar, punctuation, and wording

NO_CHANGELOG=changelog
NO_DOC=changelog
NO_TEST=changelog

In some cases unsafe extension decoding was done without bound and type
checks: add necessary checks.

Closes tarantool/security#73

NO_DOC=bugfix

(cherry picked from commit 1de6a071)

This patch addresses coverity complain 1535241.

Follow-up #8047

NO_TEST=nit
NO_CHANGELOG=nit
NO_DOC=nit

(cherry picked from commit 089cbfa9)

If the 'after' key is less than the search key in case of ge/gt or
greater than the search key in case of le/lt, the iterator either
crashes (vinyl) or returns invalid result (memtx). This happens because
the engine implementation doesn't expect an invalid 'after' key.
Let's fix this by raising an error at the top level in case the 'after'
key doesn't meet the search criteria.

Closes #8403
Closes #8404

NO_DOC=bug fix
NO_CHANGELOG=unreleased

(cherry picked from commit c561202d)

Currently, if the position isn't compatible with the index, we raise
an error like "Invalid key part count ...". From this error it's
difficult to figure out whether it's for the given iterator position of
for the search key. Let's always raise ER_ITERATOR_POSITION in this
case. Later on we'll use stacked diag to add extra error info.

Needed for #8403
Needed for #8404

NO_DOC=bug fix
NO_CHANGELOG=unreleased

(cherry picked from commit 81d43c17)

We need to compare a tuple position with a search key in select() and
pairs() to make sure the tuple position meets the search criteria. The
problem is that we strip the MessagePack header from the position while
key_compare() takes keys with headers. Let's make key_compare take keys
without headers like the rest of comparator functions. Since in Vinyl we
often need to compare keys with headers, we also add vy_key_compare()
helper function.

Needed for #8403
Needed for #8404

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

(cherry picked from commit 41b8a012)

NO_DOC=ci
NO_TEST=ci
NO_CHANGELOG=ci

(cherry picked from commit dcf1f1ec)

Enable CI for branches with names `release/x.y.z`. Sometimes we are
going to create such branches, and we need to have working CI for them.

NO_DOC=ci
NO_TEST=ci
NO_CHANGELOG=ci

(cherry picked from commit 9fe135c5)

This patch adds a rule to ignore the Makefile on the path test/*/*/.

NO_DOC=No need, changes in .gitignore
NO_TEST=No need, changes in .gitignore
NO_CHANGELOG=No need, changes in .gitignore

(cherry picked from commit 25d93952)