This implements stream data handling using a buffer between the H/2
session thread and each stream thread. This is needed to avoid head of
line blocking on the session socket when a data frame is received for a
stream thread that is not yet ready to receive it.

The buffer used will have to be as large as the send window the peer
expects at the time the stream is opened. This will typically be 65535
unless the h2_initial_window_size parameter has been changed.

Stream window updates will then be issued only once data is removed from
the buffer by the request body being consumed from the request handling
thread, limited in size to what space is then available in the buffer.

The H/2 session thread does have a VSL buffer already set up, but the
'wrk->vsl' pointer was not set. This caused issue for e.g. LRU_NukeOne()
as it wants to log. Set the buffer for the duration that the worker is
dedicated as an H/2 session thread.

This is an API for getting an arbitrary buffer through the
stevedores. The stevedore in question may then deploy LRU nuking or other
measures to control resource usage.

Working on the workspace sanitizer (ancestor of the workspace emulator)
final rollbacks were needed to unwind allocations. There was however a
branch where error handling was missing a workspace release, and it was
fine before the introduction of the final rollbacks.

To avoid turning the workspace emulator into a DoS vector the rollbacks
are now only enforced for emulator builds. The specific "insufficient
workspace" log is amended to ensure future changes to the session
workspace footprint don't accidentally remove test coverage for that
branch. The same could be done for other "insufficient workspace" logs
in the PROXY protocol parsing.

Refs 0632b846 (req: Prevent early rollback)
Refs ce71896a (sess: Plug conceptual leak)
Refs 246b1eb1 (busyobj: Plug conceptual leak)
Refs 5b4f0f1a (htc: Defer workspace rollbacks for request tasks)
Refs #3644

Spotted by Alf's single process fuzzing setup that we should eventually
revisit.

Refs #3152

Most of this is taken from #3650 but instead of `str[n]casecmp`
it uses VCT functionality, in order to avoid LOCALE poisoning.

Closes #3650

Fixes #3677

Otherwise we would entirely unravel the task workspace.

The goal of the workspace emulator is to replicate the regular workspace
behavior with individual allocations and make it work transparently.

It's the successor of the workspace sanitizer from #3320 with notable
differences:

- enabled at configure time instead of run time
- in a separate source file instead of mixed in
- using sparse allocations instead of built-in red zones

This means that the workspace emulator can be combined with regular
sanitizer, in particular asan and lsan. If available, asan's public
interface is used to mitigate the possible overflow of a reservation
after some of it was released.

Even without sanitizers, the fact that we integrate with jemalloc by
default and enable its abort and junk options in varnishtest is enough
to detect a use-after-free in some cases.

With sanitizers though, the workspace emulator can observe #3550.

One drawback is that the logic is split in two files, and some functions
are identical in the two files. It might be possible to split cache_ws.c
into something like cache_ws_alloc.c and cache_ws_util.c for example.

Closes #3320
Refs #3550
Refs #3600

When a session has data pipelined we perform a dirty dance to move it at
the beginning of the workspace. The rollbacks used to occur between
HTC_RxPipeline() and HTC_RxInit() calls until it was centralized in the
latter.

With a dedicated WS_ReqPipeline() operation we can capture the semantics
of initializing an existing connection for its next task with or without
data fetched from the previous task.

While conceptually there is still a use-after-free since the pipelined
data may belong to the same workspace, it is fine if that happens within
the bounds of an atomic workspace operation.

When we take on a new request on a connection from which something was
already received, we need to pipeline it and we do so at the beginning
of the request workspace. There's a high probability that the pipeline
is coming from the same workspace, which is a form of use-after-free
only made safe by the workspace implementation details.

To avoid the conceptual use-after-free, we defer req workspace rollbacks
and perform them during the next HTC_RxInit() call before the pipelining
operation.

Because HTTP/1 works directly on the session, a worker can safely switch
back and forth between sess and req tasks. This means that unless the
session goes idle the same workspace is used from one client request
to the next, hence the rollback previously happening in Req_Cleanup().

With h2 however there is a disconnect between the session and streams.
The connection is received in req0's workspace, and then copied into
a stream's req workspace via the pipelining scheme. Rollbacks can be
deferred as well, but they need to happen otherwise the session will
soon overflow. Independent HTC_RxInit() calls happen for req0 in the
h2 session thread, and for h2 streams in the regular request task code
path.

PROXY Protocol parsing may result in receiving more than the proxy
preamble itself and pipelining will happen, whether it is via a req
for HTTP/1 or req0 for h2.

On the other end of the spectrum when Varnish acts as a client it
only sends one HTTP/1 request at a time for a given connection, so
we never expect pipelining to occur in fetch task.

Some of the autoconf logic is originally from Asad. In addition, the
explicit call to __gcov_flush() is now vendored in vdef.h like other
toolchain abstractions.

Similarly to how the ASAN setup was split in two steps.

Spotted this unusual construct while sweeping through the sanitizer flags.

Instead of referring to them for every single binary we build... While
at it we shouldn't need to add -fsanitize=stuff to LDFLAGS, and we
didn't in some cases. That should lead to smaller lines when running
make with V=1 or when silent rules are disabled.

To avoid repetition and very long lines.

Removing unused *SAN_*FLAGS variables and making sure to quote anything
that may be relevant to quote. Hopefully indenting in more readable way.

Fixes: #3634

Previously we would read the response Content-Length from a failed oc,
which would make the error response valid. Now, if this is detected,
we don't touch the Content-Length.

With the synth->filters koncept out of the picture this becomes
possible.

Fixes: #3441