req_fsm: Ensure failed sub-requests reach transmit

A VCL failure on the client side transitions to vcl_synth, except
failures from vcl_synth that lead to minimal errors. The ESI transport
is not allowed to reply with minimal responses so this would lead to a
panic.

On top of that, the vcl_req_reset feature flag emulates `return (fail)`
statements when an HTTP/2 client disconnected, resulting in the same
panic scenario.

For sub-requests, we masquerade the fail transition as a deliver and
trade the illegal minimal response for the synthetic response.

Fixes #4022

bin/varnishd/cache/cache_req_fsm.c

@@ -333,7 +333,11 @@ cnt_synth(struct worker *wrk, struct req *req)
 
 	VSLb_ts_req(req, "Process", W_TIM_real(wrk));
 
-	if (wrk->vpi->handling == VCL_RET_FAIL) {
+	while (wrk->vpi->handling == VCL_RET_FAIL) {
+		if (req->esi_level > 0) {
+			wrk->vpi->handling = VCL_RET_DELIVER;
+			break;
+		}
 		VSB_destroy(&synth_body);
 		(void)VRB_Ignore(req);
 		(void)req->transport->minimal_response(req, 500);

bin/varnishtest/tests/e00037.vtc

+varnishtest "Double fail ESI sub request"
+
+server s1 {
+	rxreq
+	txresp -body {<esi:include src="/inc"/>}
+} -start
+
+varnish v1 -vcl+backend {
+	sub vcl_backend_response {
+		set beresp.do_esi = true;
+	}
+
+	sub vcl_recv {
+		if (req.esi_level > 0) {
+			return (fail);
+		}
+	}
+
+	sub vcl_synth {
+		return (fail);
+	}
+} -start
+
+client c1 {
+	non_fatal
+	txreq
+	rxresp
+} -run