Download the readline and libiconv archives from the backup storage to
avoid network issues with accessing https://ftp.gnu.org in the future.

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

Regular region implementation supports allocations of size 0 with no
extra efforts. It returns a non-NULL pointer in this case. However in
case of ASAN friendly implementation it will require a special care for
this case. Instead let's avaid allocations if size 0 for region.

Also use xregion_ macros for allocations. Our current policy is to panic
on OOM on runtime allocations.

Part of tarantool/tarantool#7327

NO_TEST=internal
NO_CHANGELOG=internal
NO_DOC=internal

When a replica is restarted, it doesn't immediately switch to the
'follow' state. First it needs to sync. Let's wait for the 'follow'
state a bit to fix the following failure:

NO_WRAP
[039] replication-luatest/gh_9049_schema_downgrade_t>                 [ fail ]
[039] Test failed! Output from reject file /tmp/t/rejects/replication-luatest/gh_9049_schema_downgrade.reject:
[039] Tarantool version is 3.0.0-alpha3-18-g6892907bad9d
[039] TAP version 13
[039] 1..1
[039] # Started on Thu Sep 21 13:55:09 2023
[039] # Starting group: replication-luatest.gh_9049_schema_downgrade
[039] not ok 1  replication-luatest.gh_9049_schema_downgrade.test_schema_downgrade
[039] #   ...st/replication-luatest/gh_9049_schema_downgrade_test.lua:33: expected: "follow"
[039] #   actual: "sync"
[039] #   stack traceback:
[039] #         ...st/replication-luatest/gh_9049_schema_downgrade_test.lua:31: in function 'replication-luatest.gh_9049_schema_downgrade.test_schema_downgrade'
[039] #         ...
[039] #         [C]: in function 'xpcall'
[039] #   artifacts:
[039] #   replica -> /tmp/t/039_replication-luatest/artifacts/replica-AgoXGWUXxvnc
[039] #   master -> /tmp/t/039_replication-luatest/artifacts/master-ZUTtyXyAX9YF
[039] # Ran 1 tests in 1.768 seconds, 0 succeeded, 1 failed
NO_WRAP

Fixes commit 71de4b2c ("box: fix schema downgrade replication").

NO_DOC=test fix
NO_CHANGELOG=test fix

The new option is backed by `box.cfg.auth_retries`. It is available only
in Enterprise Edition builds.

Needed for tarantool/tarantool-ee#541

NO_DOC=will be added to Enterprise Edition
NO_CHANGELOG=will be added to Enterprise Edition

Required to suppress the ASAN leak detector.

Closes #9158

NO_DOC=ASAN
NO_TEST=ASAN
NO_CHANGELOG=ASAN

Before this patch credentials applier used to just skip if Tarantool
was in Read Only mode. Now it starts a fiber that waits for instance
to be switched to Read Write mode and then applies in the background.

Part of #8967

NO_DOC=documentation request will be filed manually for the whole
       credentials

We decided not to merge entries from Tarantool CE changelog to
Tarantool EE changelog. Instead we now add a link to CE release notes
to EE release notes. Update the script accordingly.

NO_DOC=tools
NO_TEST=tools
NO_CHANGELOG=tools

If MP_ERROR map contains two MP_ERROR_STACK keys, then the second call to
`error_set_prev(effect, cur)' will crash, because `effect' is NULL, but
`err == NULL' is false, because it is assigned on the first iteration.
This patch raises an error if more than one MP_ERROR_STACK key is present.

NO_DOC=bugfix

Closes #9136

Wraps multistatement DDL functions into begin/commit block if no
transaction is active.

The functions are:
- `box.schema.space.drop`
- `box.schema.index.create`
- `box.schema.index.drop`
- `box.schema.index.alter`
- `box.schema.sequence.drop`
- `box.schema.func.drop`
- `box.schema.user.create`
- `box.schema.user.drop`
- `box.schema.role.drop`

Added tests for atomicity of each transactioned function except
the `box.schema.role.drop`, which is implicitly tested with the
`box.schema.user.drop` test, and the `box.schema.index.drop`,
which is impossible to test in this flavor without using error
injection.

Updated the tests modified in tarantool/tarantool#8947, because
the space drop is atomic now.

Closes #4348

NO_DOC=bugfix

Sequences can only be attached to integer fields of a space. The
corresponding check is done in both schema.lua and alter.cc. The
problem is that in order to make the index alter transactional,
we have to perform the `_index` space tuple replace before the
existed sequence is unattached from the space (because the index
alter may be yielding). And the check existing in the alter.cc
won't allow us to do that in some cases.

Since the check already exists in `box.schema.index.alter`, it's
decided to drop it from the `_index` `on_replace` trigger.

The downside of the solution is that uncareful manual altering the
index can silently put the space into an inconsistent condition:
the next insert into the space can either fail or silently succeed
whereas it's not supposed operation for the space. Example:

```lua
box.cfg{}
s = box.schema.space.create('s')
pk = s:create_index('pk', {parts = {{1, 'unsigned'}}, sequence = true})

-- Manual altering the index without dropping the sequence.
box.space._index:update({s.id, pk.id}, {{'=', 6, {{0, 'string'}}}})

-- This will fail: passed integer (from sequence) in string field.
s:insert({box.NULL})

-- Manual altering the index without dropping the sequence again.
box.space._index:update({s.id, pk.id}, {{'=', 6, {{0, 'scalar'}}}})

-- This will succeed: passed integer (from sequence) in scalar field.
-- Though it shouldn't have been done at all: one should not pass
-- NULL in the field which is indexed by the primary key.
s:insert({box.NULL})
```

NO_DOC=no visible changes
NO_TEST=no visible changes
NO_CHANGELOG=no visible changes

Before this commit disable of functional index caused index rebuild
which does not allow the box.schema.space.drop function to be
atomic. Since effectively the disabled functional index rebuild is
a no-op, the "rebuild" step was omitted and effective changes are
applied instead.

NO_TEST=no functional changes
NO_DOC=no functional changes
NO_CHANGELOG=no functional changes

This patch is intended to resolve the following issue that appears while
calling `cmake` for submodules from time to time:

    fatal: No tags can describe '<sha>'.
    Try --always, or create some tags.

This happens because the `actions/checkout` GitHub action fetches the
repository with the `--unshallow` option, but it doesn't do the same for
submodules. So this leads to the error above while using `git describe`
for submodules.

This is fixed by converting a shallow submodule to a complete one.

NO_DOC=ci
NO_TEST=circuit
NO_CHANGELOG=ci

The patch updates curl module to the version 8.3.0 [1] and updates a
CMake module for building curl library.

Changes in CMake module:

- Option `CURL_STATICLIB` is gone and replaced with `BUILD_STATIC_LIBS`.
- Option `CURL_USE_GNUTLS` was added and disabled by default.
- NSS library support was removed and option `CURL_USE_NSS` has been
  removed as well.
- Option `CMAKE_UNITY_BUILD` was added and disabled by default.
- Option `CURL_DISABLE_FORM_API` was added and disabled by default. It is
  in fact depends on `CURL_DISABLE_MIME`, but anyway disabled explicitly.

Changelog: https://curl.se/changes.html#8_3_0

1. https://github.com/curl/curl/releases/tag/curl-8_3_0

NO_DOC=libcurl submodule bump
NO_TEST=libcurl submodule bump

Fixes #9086

The commit populates submodule session with an event for each public
trigger - they will be used for user-defined triggers. Old triggers are
not removed because they are used for internal purposes - audit from EE
uses them, for instance. Also, the commit introduces a test for all
triggers that use old API. It checks only session triggers now - all the
other triggers will be included there after they will be moved to the
trigger registry.

In order to have an opportunity to move user-defined triggers to trigger
registry, the commit introduces helper luaT_event_reset_trigger that
supports two different ways to set triggers - key-value API and positional
API. The first one is a new API that allows to set or delete trigger only
by name. The second API is implemented for the sake of backward
compatibility - it mimics behavior of function lbox_trigger_reset, which
was used to modify triggers, but sets the triggers to event from trigger
registry instead of separate trigger list. Also, positional API allows
to pass a name as the third argument - in this case the function will
set or delete trigger by passed name - the first argument is a new
trigger (or nil, if the function is called to delete a trigger), the
second argument will be ignored in this case.

The new helper supports not only functions - any callable object can be
used as a trigger.

Part of #6484
Part of #8657

NO_CHANGELOG=later
NO_DOC=later

Sql fuzzer uses box module depending on event subsystem, which was
not initialized by mistake. It didn't cause any problems because box
does not use events yet, but it will use them when triggers will be
moved to the trigger registry, so let's initialize event in sql fuzzer.

Part of #8657

NO_CHANGELOG=test
NO_DOC=test

Boolean type is required by box.session.on_auth triggers.

Part of #8657

NO_CHANGELOG=internal
NO_DOC=internal

With this patch, mp_check sets diag with detailed information about
the MsgPack decoding error. The diag includes the error reason, which is
appended to the error message, and the data offset, which is stored in
an error payload field. Possible error reasons are: truncated input,
junk after input, illegal code, invalid extension. In case of truncated
input, the error also includes the trunc_count payload field, which is
set to the number of missing MsgPack values. Failing to decode a MsgPack
extension adds two payload fields, ext_type and ext_len, and also an
error cause, which is set by the extension decoder. For all extensions
except the error extension, the error cause is just "cannot unpack FOO".
For the error extension, it includes a detailed cause pointing to the
error in the MsgPack data stored in the extension.

Currently, the mp_check error is reported only by the Lua msgapck
decoder while other mp_check users (e.g. xrow decoder) override it.
We may improve on this in future.

Examples:

tarantool> require('msgpack').decode('\x94\xc0')
---
- error: Invalid MsgPack - truncated input
...

tarantool> box.error.last():unpack()
---
- offset: 2
  code: 20
  base_type: ClientError
  type: ClientError
  trunc_count: 3
  message: Invalid MsgPack - truncated input
  trace:
  - file: ./src/box/msgpack.c
    line: 151
...

tarantool> require('msgpack').decode(string.char(
         >   130,  39, 170, 114, 101, 116, 117, 114, 110,  32,  46,
         >    46,  46,  33, 145, 199,  74,   3, 129,   0, 145, 134,
         >     0, 171,  67, 108, 105, 101, 110, 116,  69, 114, 114,
         >   111, 114,   1, 170,  99, 111, 110, 102, 105, 103,  46,
         >   108, 117,  97,   2, 211,   0,   0,   0,   0,   0,   0,
         >     0, 201,   3, 173,  85, 110, 107, 110, 111, 119, 110,
         >    32, 101, 114, 114, 111, 114,   4, 211,   0,   0,   0,
         >     0,   0,   0,   0,   0,   5, 211,   0,   0,   0,   0,
         >     0,   0,   0,   0))
---
- error: Invalid MsgPack - invalid extension
...

tarantool> box.error.last():unpack()
---
- code: 20
  base_type: ClientError
  prev: Invalid MsgPack - cannot unpack error
  message: Invalid MsgPack - invalid extension
  ext_len: 74
  ext_type: 3
  trace:
  - file: ./src/box/msgpack.c
    line: 161
  type: ClientError
  offset: 18
...

tarantool> box.error.last().prev:unpack()
---
- code: 20
  base_type: ClientError
  type: ClientError
  prev: Invalid MsgPack - MP_ERROR_LINE value must be MP_UINT
  message: Invalid MsgPack - cannot unpack error
  trace:
  - file: ./src/box/msgpack.c
    line: 126
...

tarantool> box.error.last().prev.prev:unpack()
---
- offset: 30
  code: 20
  base_type: ClientError
  type: ClientError
  message: Invalid MsgPack - MP_ERROR_LINE value must be MP_UINT
  trace:
  - file: ./src/box/mp_error.cc
    line: 350
...

Closes #7968

NO_DOC=error reporting improvement

Just use xmalloc for allocating exception objects.

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

This update pulls the following commit:

* Introduce mp_check_exact helper function

Needed for #7968

NO_DOC=internal
NO_CHANGELOG=internal
NO_TEST=submodule update

The patch adds a fuzzing test for IPROTO decoding function
xrow_decode_error().

Follows up #8921
Follows up #9098

NO_DOC=testing
NO_CHANGELOG=testing

NO_DOC=no code changes
NO_TEST=no code changes
NO_CHANGELOG=no code changes

Some downgrade operations are performed with disabled system space
triggers because they were prohibited recently (creation of SQL built-in
functions) or never allowed (dropping a system space). This works fine
on the instance running downgrade but apparently fails on replicas.

To fix this issue, let's disable the checks the operations that prevent
downgrade in the following scenarios:
 - in the fiber that is currently running a schema upgrade or downgrade;
 - in the applier fiber so that it can replicate changes done by upgrade
   or downgrade on the master;
 - during recovery so that DDL records written to the WAL can be
   replayed.

We already have all the necessary infrastructure in-place - we use it
for allowing DDL operations with an old schema for upgrade.

Closes #9049

NO_DOC=bug fix

Remove issues released in 2.11.1 from master (3.0.0-alpha3)

NO_CHANGELOG=changelog
NO_DOC=changelog
NO_TEST=changelog

If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes
are allocated for `struct error_field` in error_payload_prepare(). However,
the size of this structure is 16 because of the padding for the alignment.
Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.

Closes #9098

NO_DOC=bugfix

The patch adds a fuzzing test for IPROTO decoding function
xrow_header_decode().

NO_DOC=testing
NO_CHANGELOG=testing

This patch introduces initial support for roles. Dependencies are not
currently supported for roles.

Part of #9078

@TarantoolBot document
Title: Roles

Two new options have been added: "roles" and "roles_cfg". The first one
is an array and the second one is a map. Each of these can be defined
per instance, replica set, group, and globally. As with almost all other
options, with the exception of those defined as 'map', the 'roles'
option for the lower scope will replace the roles for the higher scope.
Value roles_cfg however defined as "map", so it will be merged.

The "roles" option defines the roles for each instance. A role is a
program that runs when a configuration is loaded or reloaded. If a role
is defined more than once on an instance, it will still only be run
once. Three functions must be defined in the role: validate(), apply()
and stop(). Each of these functions should throw an error if it occurs.

The "roles_cfg" option specifies the configuration for each role. In
this option, the role name is the key and the role configuration is the
value.

On each run, all roles will be loaded (if necessary) in the order in
which they were specified; the configuration for each role will then be
validated using the corresponding validate() function in the same order;
and then they will all be run with apply() function in the same order.
If some roles have been removed from the instance, they will be stopped
in reverse order using the stop() function.

Example of a role structure:
```
local M = {}

-- Validates configuration of the role.
--
-- Called on initial configuration apply at startup and on
-- configuration reload if the role is enabled for the given instance.
--
-- The cfg argument may have arbitrary user provided value,
-- including nil.
--
-- Must raise an error if the validation fail.
function M.validate(cfg)
    -- <...>
end

-- Applies the given configuration of the role.
--
-- Called on initial configuration apply at startup and on
-- configuration reload if the role is enabled for the given instance.
--
-- The cfg argument may have arbitrary user provided value,
-- including nil.
--
-- Must raise an error if the given configuration can't be applied.
function M.apply(cfg)
    -- <...>
end

-- Stops the role.
--
-- Called on configuration reload if the role was enabled before
-- and removed now from the list of roles of the given instance.
--
-- Should cancel all background fibers and clean up hold
-- resources.
--
-- Must raise an error if this action can't be performed.
function M.stop()
    -- <...>
end

return M
```

They are rather noisy. Also delete debug log on arena creation. These
two make sense only with each other.

Part of #7327

NO_TEST=internal
NO_DOC=internal
NO_CHANGELOG=internal

An attempt to print a dead fiber raised a fatal error, which is quite
unexpected. This patch updates __tostring metamethod of fiber_object so
that it pushes the "fiber: <fid> (dead)" string instead of the error.
The __serialize metamethod is patched similarly.

Closes #4265

NO_DOC=bugfix

All user-defined users and roles are not being removed and their
privileges are not being revoked when this user or role is removed
from config. This is done to prevent extreme repercussions of
misconfiguration, e.g. empty config is provided to cluster and it
breaks up.

Default users and roles are not supposed to be changed, so this rule
does not apply to them. Now all of non-default privileges will be
revoked if such user or role is removed from config.

Default users:
* guest
* admin

Default roles:
* super
* public
* replication

Part of #8967

NO_DOC=documentation request will be filed manually for the whole
       credentials

Prior to this patch, the table had no information about the leader
other than his id in the "leader" field. It may not be convenient for
the user to search for a name corresponding to a given id. Much more
convenient to see the leader's name in box.info.election.

Closes #8931

@TarantoolBot document
Title: Document `box.info.election`

box.info.election now contains one more field: `leader_name`: string.
There are several possible values ​​for this field:

 - `nil`, if there is no leader in a cluster.

 - `box.NULL`, if there is a leader, but he does not have a name.

 - `some string`, if there is a leader and he has a name.

Example:

```console
tarantool> box.info.election
---
- leader_idle: 0
  leader_name: node1
  state: leader
  vote: 1
  term: 3
  leader: 1
...
```

[box-info-election] https://www.tarantool.io/en/doc/latest/reference/reference_lua/box_info/election/

The wording "Check constraint 'constr_name' failed for tuple" implies that
the tuple should follow. This patch adds the missed "a" article.

Closes #9045

NO_DOC=minor
NO_CHANGELOG=minor

The tuple_compare_slowpath comparator had unreachable
branch under this condition: `key_def->part_count == 1
&& part->fieldno == 0 && (!has_json_paths || part->path
== NULL)`. The condition will never be true in the
function context.

It has been introduced in the commit
c8b87dc7 ("Speed up
tuple_compare()."), when there was no sqeuential
comparators, and so it was reasonable at that moment.
But since the sequential comparators had been introduced
in the commit
78102868 ("Don't store
offsets for sequential multi-parts keys") the condition
became permanently falsy.

There're two ways it can be true:
1. `key_def->part_count == 1 && part->fieldno == 0 &&
   !has_json_paths`
2. `key_def->part_count == 1 && part->fieldno == 0 &&
   has_json_paths && part->path == NULL`

Condition 1 will never happen because if we have a key
starting from `fieldno = 0` with any part count
following and without JSON paths, then it is compared
using `tuple_compare_sequential` instead.

Proof:
1. The key is sequential if and only if it does not have
   JSON paths and for all key parts
   `index_def->parts[i].fieldno == i`.
2. The `key_def->part_count == 1 && part->fieldno == 0
   && !has_json_paths` condition fully satisfies this
   condition.
3. The `tuple_compare_slowpath` is only set as a
   comparator if the key is not sequential. Proof:

   The only places the comparator is set are:
   - `key_def_set_compare_func_fast` under the
     `!is_sequential` condition.
   - `key_def_set_compare_func_plain` under the
     `!key_def_is_sequential` condition.
   - `key_def_set_compare_func_json`, which is only
     called under `def->has_json_paths` condition, which
     conflicts with the `!has_json_paths` condition.

Condition 2: has JSON path means we have `path`
parameter in the index definition, but the following
condition requires the path to be `NULL`, which is
impossible if the part count is 1.

Proof:
1. A key has JSON paths if and only if one of its parts'
   path does not equal NULL.
2. If key part count is one and the only part has path,
   then the `part->path == NULL` part fails.
3. If key part count is one and the only part does not
   have JSON path then the key has no JSON paths, goto
   Condition 1.

Closes #8900

NO_DOC=dead code elimination
NO_TEST=dead code elimination
NO_CHANGELOG=dead code elimination

The test starts the cluster and immediately tries to create a space
on master. Sometimes it fails with "Can't modify data on a read-only
instance - it is an orphan" error.

When the instance is not in sync with sufficient number of nodes
it has orphan status, which means the instance is read-only. Sometimes,
the instance doesn't have enough time to connect to all instances and
get out of orphan state.

Let's add waiting until every node is connected to every other node
in the replica set.

Closes tarantool/tarantool-qa#326

NO_CHANGELOG=test
NO_DOC=test

This patch fixes the following warning:

NO_WRAP
  CMake Warning (dev) at cmake-3.25/Modules/FindPackageHandleStandardArgs.cmake:438 (message):
    The package name passed to `find_package_handle_standard_args`
    (GetLIBUNWINDVersion.cmake) does not match the name of the calling package
    (LibUnwind).  This can lead to problems in calling code that expects
    `find_package` result variables (e.g., `_FOUND`) to follow a certain
    pattern.
  Call Stack (most recent call first):
    cmake/FindLibUnwind.cmake:82 (find_package_handle_standard_args)
    CMakeLists.txt:552 (find_package)
NO_WRAP

Closes #6998

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

Changed `else if` to `elseif`. There was a typo in the
serializer that led to unclosed `if` statements.

On a set of 50000 protobuf struct samples generates 863
(3% of all errors) fewer errors.

NO_CHANGELOG=internal
NO_DOC=fuzzer fix

Added checks before serializing return and break to program if
inside returnable or breakable code block.

On a set of 50000 protobuf struct samples generates 11749
(42% of all errors) fewer errors.

NO_CHANGELOG=internal
NO_DOC=fuzzer fix

The context object is created to manage the context of Lua program.
It will be used in the next commit to check if `break` or `return` is
inside a breakable or returnable code block.

NO_CHANGELOG=internal
NO_DOC=fuzzer fix

When the configuration changes and the instance is reloaded with it,
some roles or users may have been removed from the config. In such case,
it would be destructive to delete/disable them on the instance, so
this test checks that all users and roles removed in config stay
on the instance and keep all the privileges.

Part of #8967

NO_DOC=test
NO_CHANGELOG=test

This helpers does the following:
1. starts a server
2. writes a script/config
3. verifies invariants
4. writes a new script/config
5. reloads
6. verifies invariants after reload

This patch allows to set not only script, but config too on the step 4,
before the reload.

Part of #8967

NO_DOC=test helper upgrade
NO_CHANGELOG=see NO_DOC
NO_TEST=see NO_DOC

Usually treegen.clean is called after a test by g.after_all function
or an equivalent. In some rare cases internal helpers use their own
treegen and clean up after themself. In such a case, treegen.clean
would look for an internal list of all directories and find nil. This
causes an error in ipairs iteration in internal logic and fails the
whole test.

This patch adds minor durability improvement for such a case. Now if
internal list of all directories is nil (e.g. when treegen.clean was
called beforehand), the function does nothing.

Part of #8967

NO_DOC=test helper update
NO_CHANGELOG=see NO_DOC
NO_TEST=see NO_DOC