Current split-brain detector implementation raises an error each time a
CONFIRM or ROLLBACK entry is received from the previous synchronous
transaction queue owner. It is assumed that the new queue owner must
have witnessed all the previous CONFIRMS. Besides, according to Raft,
ROLLBACK should never happen.

Actually there is a case when a CONFIRM from an old term is legal: it's
possible that during leader transition old leader writes a CONFIRM for
the same transaction that is confirmed by the new leader's PROMOTE. If
PROMOTE and CONFIRM lsns match there is nothing bad about such
situation.

Symmetrically, when an old leader issues a ROLLBACK with the lsn right
after the new leader's PROMOTE lsn, it is not a split-brain.

Allow such cases by tracking the last confirmed lsn for each synchronous
transaction queue owner and silently nopifying CONFIRMs with an lsn less
than the one recorded and ROLLBACKs with lsn greater than that.

Closes #9138

NO_DOC=bugfix

Previously the replicas only persisted the confirmed lsn of the current
synchronous transaction queue owner. As soon as the onwer changed, the
info about which lsn was confirmed by the previous owner was lost.

Actually, this info is needed to correctly filter synchro requests
coming from the old term, so start tracking confirmed vclock instead of
the confirmed lsn on replicas.

In-scope of #9138

NO_TEST=covered by the next commit
NO_CHANGELOG=internal change

@TarantoolBot document
Title: Document new IPROTO_RAFT_PROMOTE request field

IPROTO_RAFT_PROMOTE and IPROTO_RAFT_DEMOTE requests receive a new key
value pair:

IPROTO_VCLOCK : MP_MAP

The vclock holds a confirmed vclock of the node sending the request.

Synchronous requests will receive a new field encoding a full vclock
soon. Theoretically a vclock may take up to ~ 300-400 bytes (3 bytes for
a map header + 32 components each taking up 1 byte for replica id and up
to 9 bytes for lsn). So it makes no sense to increase
SYNCHRO_BODY_LEN_MAX from 32 to 400-500. It would become almost the same
as plain BODY_LEN_MAX. Simply reuse the latter everywhere.

In-scope-of #9138

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

There was an error in xrow_decode_synchro: it compared the expected type
of the value to the type of the key (MP_UINT) instead of the type of the
actual value. This went unnoticed because all values in synchro requests
were integers.

This is going to change soon, when PROMOTE requests will start holding a
vclock, so fix the wrong type check.

In-scope-of #9138

NO_DOC=bugfix
NO_CHANGELOG=not user-visible

Without checking the return value of lua_pcall()` in
`lua_field_inspect_ucdata()`, the error message itself is returned as a
serialized result. The result status of `lua_pcall()` is not ignored
now.

NO_DOC=bugfix

Closes #9396

Netbox internally watches 'box.shutdown' for the sake of graceful
shutdown. The event subscription is async with connection API.
Additionally we check error count on server using different connection.
As a result we may or may not account error for the netbox internal
watch failure.

Let's account the internal watch failure reliably. Also while we at it
let's get rid of races for error count check.

Close #9423

NO_CHANGELOG=internal
NO_DOC=internal

If `config.etcd` is present and non-empty, `config.etcd.prefix` is
required.

This validation check was not performed due to a mistake in a schema
node wrapper that adds a validator that checks an attempt to use an
Enterprise Edition option on Community Edition.

Part of #8862

NO_DOC=bugfix

Looks like this is typo introduced in the commit 0704ebb7 ("xlog:
rework writer API").

Close #9428

NO_TEST=will be tested when fiber_cxx_invoke suppression will be removed
NO_CHANGELOG=introduced in 3.0.0-alpha3
NO_DOC=bugfix

Starting with commit f1c2127d ("replication: add META stage to JOIN")
replication master appends a special section, called IPROTO_JOIN_META to
the initial snapshot sent to the replica. This section contains the
latest raft term and synchronous transaction queue owner and term.

The section is only sent to nodes, which have a non-zero version_id.
For some reason, version_id encoding for FETCH_SNAPSHOT (analog of JOIN
for anonymous replicas) wasn't added in that commit, so anonymous
replicas do not receive synchronous queue state.

This leads to them raising ER_SPLIT_BRAIN errors later after join, when
the first synchronous row arrives.

In order to fix this, start encoding version_id in FETCH_SNAPSHOT
requests.

Closes #9401

@TarantoolBot document
Title: new field in `IPROTO_FETCH_SNAPSHOT` request

`IPROTO_FETCH_SNAPSHOT` request was bodyless (only contained a header)
until now, but now it receives a body with a single field:
`IPROTO_SERVER_VERSION` : MP_UINT -- an encoded representation of the
server version of a replica issuing the request.

Added a new is_sync parameter to `box.begin()`, `box.commit()`, and
`box.atomic()`. To make the transaction synchronous, set the `is_sync`
option to `true`. If any value other than `true/nil` is set, for example
`is_sync = "some string"`, then an error will be thrown.

Example:

```Lua
-- Sync transactions
box.atomic({is_sync = true}, function() ... end)

box.begin({is_sync = true}) ... box.commit({is_sync = true})

box.begin({is_sync = true}) ... box.commit()

box.begin() ... box.commit({is_sync = true})

-- Async transactions
box.atomic(function() ... end)

box.begin() ... box.commit()
```

Closes #8650

@TarantoolBot document
Title: box.atomic({is_sync = true})

Added the new `is_sync` parameter to `box.atomic()`. To make the
transaction synchronous, set the `is_sync` option to `true`. Setting
`is_sync = false` is prohibited. If to set any value other than true
for example `is_sync = "some string"`, then an error will be thrown.

This patch adds dependencies support for roles.

Part of #9078

@TarantoolBot document
Title: dependencies for roles

Roles can now have dependencies. This means that the verify() and
apply() methods will be executed for these roles, taking into account
the dependencies. Dependencies should be written in the "dependencies"
field of the array type. Note, the roles will be loaded (not applied!)
in the same order in which they were specified, i.e. not taking
dependencies into account.

Example:

Dependencies of role A: B, C
Dependencies of role B: D
No other role has dependencies.

Order in which roles were given: [E, C, A, B, D, G]
They will be loaded in the same order: [E, C, A, B, D, G]
The order, in which functions verify() and apply() will be executed:
[E, C, D, B, A, G].

Closes #9405

@TarantoolBot document
Title: Document then new built-in system event `box.wal_error`

The new event is broadcast whenever Tarantool fails to commit
a transaction to the write-ahead log (WAL), which usually means
there's a problem with the underlying disk storage. The new event's
payload is a table that currently contains the only field `count` that
stores the number of WAL errors happened so far or nil if there hasn't
been any WAL errors.

Test suite run can produce coredumps in case of bugs. Unfortunately
coredumps related to bugs are mixed with coredumps produced related to
special test conditions, like when we test Tarantool response to deadly
signal. Avoid producing coredumps in correct test suite run.

NO_CHANGELOG=internal
NO_DOC=internal

The fix is simple: look up the function in `box.func` by name and, if
found, execute its `call` method. The only tricky part is to avoid the
lookup before `box.cfg` is called because `box.func` is unavailable at
the time. We achieve that by checking `box.ctl.is_recovery_finished`.

Closes #9131

NO_DOC=bug fix

On Tarantool shutdown we destroy all the fibers in some sequence. We
don't require that all the fibers are finished before shutdown. So it
may turn out that we first destroy some alive fiber and then destroy
another alive fiber which joins the first one. Currently we have
use-after-free issue in this case because clearing `link` field of
the second fiber changes `wake` field of the first fiber.

Close #9406

NO_DOC=bugfix

Graceful shutdown is done in a special fiber which is started for
example on SIGTERM. So it can run concurrently with fiber executing
Tarantool init script. On init fiber exit we break event loop to pass
control back to the Tarantool initialization code. But we fail to run
event loop a bit more to finish graceful shutdown.

The test is a bit contrived. A more real world case is when Tarantool is
termintated during lingering box.cfg().

Close #9411

NO_DOC=bugfix

It was suggested by Igor Munkin (@igormunkin) in PR #9288.

Part of #8862
Follows up PR #9288

NO_DOC=the help message is not an API, nothing to document
NO_CHANGELOG=see NO_DOC
NO_TEST=see NO_DOC

According to ANSI, EXISTS is a predicate that tests a given subquery and
returns true if it returns more than 0 rows, false otherwise. However,
after 2a720d11, EXISTS worked correctly only if there were exactly 0
or 1 rows, and in all other cases it gave an error. This patch makes
EXITS work properly.

Closes #8676

NO_DOC=bugfix

Before this commit the space rollback had been treated as a new space
creation, so it caused creation of a new space object in the Lua's
box.space namespace. Since the preceding space drop removed the space
object from the namespace, on the space rollback all the Lua users of
the space loosed the track of its changes: the original space object
is never updated anymore.

This is fixed by detecting the space rollback and restoring the old
space object instead of creating a new one.

Closes #9120

NO_DOC=bugfix

This patch fixes an assertion or segmentation error if a FOREIGN KEY or
CHECK constraint is declared before the first column.

Closes #8392

NO_DOC=bugfix

In the `.github/workflows/source.yml` workflow for preparing a tarball
with the source code, a PackPack Docker container is already used. For
uploading the tarball to the repo, the `aws` utility is used, which is
installed before. To skip installation of additional packages on the
self-hosted runners, we are moving to the GitHub-hosted runners, which
already have the `aws` utility installed. Step `Prepare checkout` is
removed because the GitHub-hosted runner is an ephemeral environment.

NO_DOC=ci
NO_TEST=ci
NO_CHANGELOG=ci

In this commit, we're fixing a problem with Docker in the workflow
`.github/workflows/source.yml`.

The mentioned workflow uses the `.github/actions/environment` action
that needs a permission to make a loopback device for [1]. We didn't
allow for that before due to missing container args, and it caused the
following error:

```
umount: /tmp/luajit-test-vardir: must be superuser to unmount.
256000+0 records in
256000+0 records out
1048576000 bytes (1.0 GB, 1000 MiB) copied, 1.36702 s, 767 MB/s
mount: /tmp/luajit-test-vardir: mount failed: Operation not permitted.
Error: Process completed with exit code 1.
```

The problem started since commit af996bbb ("ci: dockerize
linux workflows"). The simplest way to fix the issue is not to run
the workflow inside a Docker container because a tarball with the
source code is created via the `./packpack/packpack tarball` command
that runs a Docker container as well.

[1] https://github.com/tarantool/tarantool/issues/7472

NO_DOC=ci
NO_TEST=ci
NO_CHANGELOG=ci

This patch removes the sql_default_value field from the struct field_def
and the sql_default_value_expr field from the struct tuple_field as they
are no longer needed.

Follow-up #8793

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

The patch introduces a new CMake target "checkpatch", that checks
patches on top of the master branch using script checkpatch.pl [1]. By
default CMake looking for `checkpatch.pl` in a directory "checkpatch" in
Tarantool's repository root directory and in a directories specified in
PATH. By default commit revisions range checked by checkpatch is
`origin/master..HEAD`, `origin/master` could be overridden with
environment variable `CHECKPATCH_GIT_REF`.

1. https://github.com/tarantool/checkpatch

NO_CHANGELOG=build
NO_DOC=build
NO_TEST=build

We run SVACE on static build. It doesn't compile unless libsvace is in
the allow list.

Follow-up #9242

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

SVACE stopped working after commit 98b38e89 ("cmake: allow to
bundle static dependencies in main project") changed the bundled libs
directory layout. To fix this, let's introduce the new cmake option
BUNDLED_LIBS_INSTALL_DIR and set it in static-build/CMakeLists.txt to
the legacy location. Also, let's use the legacy directories for each
external project's PREFIX, SOURCE_DIR, BINARY_DIR, and STAMP_DIR.

Follow-up #9242

NO_DOC=build
NO_TEST=build
NO_CHANGELOG=build

* Mark CONV as non-weak, to prevent elimination of its side-effect.
* Fix ABC FOLD rule with constants.
* test: add test for conversions folding
* Add NaN check to IR_NEWREF.
* test: fix flaky OOM error frame test
* LJ_GC64: Fix lua_concat().
* test: introduce asserts assert_str{_not}_equal
* ci: enable codespell
* cmake: introduce target with codespell
* codehealth: fix typos
* tools: add cli flag to run profile dump parsers
* profilers: purge generation mechanism
* memprof: refactor symbol resolution
* sysprof: fix crash during FFUNC stream
* Fix last commit.
* Print errors from __gc finalizers instead of rethrowing them.
* x86/x64: Fix math.ceil(-0.9) result sign.
* test: fix flaky fix-jit-dump-ir-conv.test.lua
* IR_MIN/IR_MAX is non-commutative due to underlying FPU ops.
* Fix jit.dump() output for IR_CONV.
* Fix FOLD rule for x-0.
* FFI: Fix pragma push stack limit check and throw on overflow.
* Prevent compile of __concat with tailcall to fast function.
* Fix base register coalescing in side trace.
* Fix register mask for stack check in head of side trace.
* x64: Properly fix __call metamethod return dispatch.

Closes #8594
Closes #8767
Closes #9339
Part of #9145

NO_DOC=LuaJIT submodule bump
NO_TEST=LuaJIT submodule bump

Currently, if a statement is rolled back during rollback to a savepoint, it
does not appear in neither on_commit nor on_rollback triggers. Fix this by
running on_rollback triggers during the rollback to the savepoint.

Closes #7810

NO_DOC=bugfix

Currently, if a transaction is aborted by a fiber yield or by a timeout,
txn_rollback_to_svp() is called to rollback all statements of the txn.
After that the transaction is completely aborted on attempt to commit it.
If an on_rollback trigger is set, it is called from txn_complete_fail(),
however it receives an empty iterator, because at this point the statements
are already destroyed. This patch invokes on_rollback triggers directly
from txn_rollback_to_svp() for abort-by-yield, and postpones the rollback
for abort-by-timeout.

Closes #9340

NO_DOC=bugfix

Currently on_rollback triggers are called on rollback of the whole
transaction. To make it possible to invoke them on rollback to a
savepoint, we need to pass a statement at which the savepoint was
created.

Needed for #9340

NO_DOC=refactoring
NO_TEST=refactroring
NO_CHANGELOG=refactoring

Now, one can specify a function name when configuring the lua_call
privilege to a user or role. If omitted, the privilege will grant
access to any global Lua function except for built-ins and stored
procedures. If specified, the privilege will be applied only to
the given function name, which may be a built-in, but still not
a stored procedure. The function doesn't need to be defined at the
time the privilege is granted.

Since global Lua functions aren't stored in the database and hence
have no numeric ids, we store string names in the _priv system table.
Fortunately, it's already allowed for entity access so we don't need
to update the system schema. The cached runtime access information
is stored in a global hash table. Entries in the hash table are created
on demand and removed if they store no grants.

Closes #9360

NO_DOC=updated doc ticket manually

NO_DOC=no code changes
NO_TEST=no code changes
NO_CHANGELOG=no code changes

The option --sync was ignored due to a misprint.
The temporary dir was never removed, overflowing the /tmp by default.

NO_TEST=test update
NO_DOC=test update
NO_CHANGELOG=test update

This test is no longer needed in the Tarantool test suite
since it was added to LuaJIT's test suite along with the fix
for the issue mentioned in #3060 in scope of #8825 in commit
tarantool/luajit@7b98314e0dacc7313c061aceeb0a32afd4e8cbce.

Closes #3060
Related to #8825

NO_DOC=Cleanup
NO_TEST=Already included in LuaJIT bump
NO_CHANGELOG=Already included in LuaJIT bump

Currently, the lua_call privilege simply doesn't work for registered
functions. This patch fixes this issue: now, it grants access to any
registered function that is written in Lua unless it's a built-in
function, such as dostring, or a persistent function.

Note, this patch renames access_check_call to access_check_lua_call to
avoid confusion because this function is now global. It also renames
access_check_eval to access_check_lua_eval for consistency.

Closes #9363

NO_DOC=updated doc ticket manually
NO_CHANGELOG=feature has not been released yet

Prior to this patch a bunch of illegal conditions was possible:
1. The joinability of a fiber could be changed while the fiber is
   being joined by someone. This could lead to double recycling:
   the first one happened on the fiber finish, and the second one
   in the fiber join.
2. The joinability of a dead joinable fiber could be altered, this
   led to inability jo join the dead fiber and free its resources.
3. A running fiber could be joined concurrently by two or more
   fibers, so the fiber could be recycled more than once (once
   per each concurrent join).
4. A dead recycled fiber could be made joinable and joined leading
   to the double recycle.

Fixed these issues by adding a new FIBER_JOIN_BEEN_INVOKED flag: now
the `fiber_set_joinable` and `fiber_join_timeout` functions detect
the double join. Because of the API limitations both of them panic
when an invalid condition is met:
- The `fiber_set_joinable` was not designed to report errors.
- The `fiber_join_timeout` can't raise any error unless a timeout
  is met, because the `fiber_join` users don't expect to receive
  any error from this function at all (except the one generated
  by the joined fiber).

It's still possible that a fiber join is performed on a struct which
has been recycled and, if the new fiber is joinable too, this can't
be detected. The current fiber API does not allow to fix this, so
this is to be the user's responsibility, they should be warned about
the fact the double join to the same fiber is illegal.

Closes #7562

@TarantoolBot document
Title: `fiber_join`, `fiber_join_timeout` and `fiber_set_joinable`
behave differently now.

`fiber_join` and `fiber_join_timeout` now panic in case if double
join of the given fiber is detected.

`fiber_set_joinable` now panics if the given fiber is dead or is
joined already. This prevents some amount of error conditions that
could happen when using the API in an unexpected way, including:
- Making a dead joinable fiber non-joinable could lead to a memory
  leak: one can't join the fiber anymore.
- Making a dead joinable fiber joinable again is a sign of attempt
  to join the fiber later. That means the fiber struct may be joined
  later, when it's been recycled and reused. This could lead to a
  very hard to debug double join.
- Making an alive joined fiber non-joinable would lead to the double
  free: once on the fiber function finish, and secondly in the active
  fiber join finish. Risks of making it joinable are described above.
- Making a dead and recycled fiber joinable allowed to join the fiber
  once again leading to a double free.

Any given by the API `struct fiber` should only be joined once. If a
fiber is joined after the first join on it has finished the behavior
is undefined: it can either be a panic or an incidental join to a
totally foreign fiber.

Setting a box.cfg option to inf or nan can result in a crash or invalid
behavior. For example, setting `box.cfg.checkpoint_interval` to 0/0
triggers an assertion failure. Let's add a check against inf and nan for
all options. These special numbers don't make any sense as configuration
option values anyway.

Closes #4962

NO_DOC=bug fix

Since our SQL statistics are disabled, this field is no longer required.

Closes #9343

NO_DOC=refactoring
NO_TEST=refactroring
NO_CHANGELOG=refactoring

There is only one place where the field is filled with other then 0.
Still, there is only two possible options, one of them is 0, the other
is default value. Let's use them without filling the field.

NO_DOC=refactoring
NO_TEST=refactoring
NO_CHANGELOG=refactoring

Prior to this patch only the flags given by the CMAKE_C_FLAGS were
shown in the tarantool -v and Lua's tarantool.build.flags. Make
it also show the flags from CMAKE_C_FLAGS_<CONFIG> and CFLAGS_LTO
variables. The first one is config-specific set of flags (different
for Debug, Release, RelWithDebInfo and MinSizeRel configs), the
former is set in the cmake/lto.cmake if LTO is enabled.

Closes #8022

NO_DOC=build