The opposite of 'EXP_Ttl(req, oc) > req->t_req' should not have been
'EXP_Ttl(NULL, oc) < req->t_req'. If we somehow enter the lookup when
the two operands are equal, the objcore suffers a phenomenon known as
Schrödinger's expiry.

The chances of running into this scenario range from epsilon to 100%.

Because 't_req' is stable across restarts, a soft purge will reliably
trigger this case.

Test case by Alve Elde who first demonstrated the problem.

As both the varnish working directory and the secret file may
pre-exist, this ensures permissions remain restrictive on it.

There's no way to probe the current push status or maximum frame size.

Except that the old default value replaces the maximum one. Aligning
with the literal maximum value for the underlying HTTP/2 setting breaks
32bit builds because the byte tweaks take a detour via ssize_t. When it
casts to uintmax_t the MSB is propagated all the way, triggering the
following error at build time:

> 4294967295b is too large for this architecture.

Instead of fighting a tweak that is clearly wrong, grant h2 clients a
maximum of 2GB of uncompressed headers (instead of 4GB) that will never
happen, because h2 is overall much wronger.

This parameter has a new role that consists in interrupting connections
when decoding an HPACK block leads to a header list so large that the
client must be stopped.

By default, too large is 150% of http_req_size.

Since http_req_size was already established for this purpose, and is
now enforced for h2 traffic, it should naturally become the basis for
the MAX_HEADER_LIST_SIZE setting in the initial SETTINGS frame sent
to clients.

The h2_max_header_list_size parameter will grow a new purpose.

With the exception of h2_max_header_list_size that is not advertised as
such despite being ent as part of the initial SETTINGS frame. The same
parameter also sees its default and maximum values updated to 2^32-1.

This is based on this sentence from rfc9113:

> The initial value of this setting is unlimited.

This aligns the h2_max_header_list_size parameter with the values set in
h2_settings.h for MAX_HEADER_LIST_SIZE.

For the sole purpose of having these limits tested in a single place.

Fixes #3709
Closes #3892

Refs #3709

It does a first pass on header names and values, and only logs errors,
so the signature is updated accordingly and the call site is moved into
h2h_addhdr().

Better diff with the --ignore-all-space option.

It became explicit in rfc9113:

> The same pseudo-header field name MUST NOT appear more than once in a
> field block.

While at it, the duplicate pseudo-header error can be consolidated in a
single location instead of adding one more branch.

Instead of passing both a decoder and individual decoder fields, the
signature for h2h_addhdr() changed to only take the decoder. The order
of parameters is destination first, then the source following the
calling conventon of functions like memcpy().

Internally the function is reorganized with a bunch of txt variables to
keep track of the header being added, its name and value. In addition to
clarity, this also helps improve safety and correctness.

For example the :authority pseudo-header name is erased in place to turn
it into a regular host header, but having a dedicated txt for the header
name allows its preservation.

The extra space before the colon looked uncanny. The rest is just code
indentation improvements.

Better diff with the --ignore-all-space --word-diff options.

When a stale object is soft-purged, the time until the object expires
should not be reset, as repeated soft-purges could keep the object
around indefinitely.

This commit introduces EXP_Reduce(), a function to reduce object timers.
The goal is to provide a function better suited to soft-purging objects,
as EXP_Rearm() has some non-obvious disadvantages when used or this
purpose.

When EXP_Rearm() is used to soft-purge an object by setting its TTL to
0, the expiry is effectively reset to the start of the objects grace
period. This happens because the object TTL includes a time delta
between object insertion time (oc->t_origin) and now. The result is that
a soft-purge extends the lifetime of an already stale object, and
repeated soft-purges can keep the object away from expiry indefinitely.

The EXP_Reduce() function is better suited for soft-purging, as it only
updates an objects TTL if it would reduce the objects lifetime. The
function also has facilities for reducing grace and keep.

If a format never matches anything, the 4294967296th transaction
proccessed by varnishncsa will wrap its generation around to zero,
be considered a match, and let vsb_fcat() pass a null string to
VSB_quote().

Better diff with the --word-diff --word-diff-regex=. options.

Releasing 7.5.0

Before the h2 frame dispatch we only need to check that coming from a
HEADERS frame the very next frame is a CONTINUATION, when the HPACK
block didn't fit in the former.

The CONTINUATION dispatch will then make the stream consistency check.

When a stream times out waiting for window credits, and all the other
streams are broke, declare the whole connection bankrupt.

It replaces idle_send_timeout when the stream is waiting for window
credits before sending more DATA frames. The idle_send_timeout will
still apply to individual writes to the socket, but triggering it is
considered a failure condition (this was already the case).

The two loops are merged into a single one to better deal with the
lack of ordering guarantees of request vs connection stream control
flow window crediting.

Refs #2980

This parameter needs to be somewhat high because web browsers may for
example only credit streams for image resources just enough to parse
metadata like width and height of a picture in order to perform layout
computations and fetch resources more sensitive to latency before the
effective image payloads.