Improve checks for ignore containment

Make pack object lookup use loops

Minor fix for previously merged netops code.

The code doesn't use SSL and a test requires it.

The base object is a good cache candidate, so we shouldn't forget to add
it to the cache.

This avoid allocating the array on the heap for relatively small
chains. The expected performance increase is sadly not really
noticeable.

Instead of going through a special entry in the chain, let's pass it as
an output parameter.

Pass unconverted Unicode path data when iconv doesn't like it

Be more careful with user-supplied buffers

Some improvements to the cert checking

Configuration snapshotting

The switch makes the loop somewhat unwieldy. Let's assume it's fine and
perform the check when we're accessing the data.

This makes our code look a lot more like git's.

Dependency chains are often large and require a few
reallocations. Allocate a 64-element chain before doing anything else to
avoid allocations during the loop.

This value comes from the stack-allocated one git uses. We still
allocate this on the heap, but it does help performance a little bit.

Bring back the use of the delta base cache for unpacking objects. When
generating the delta chain, we stop when we find a delta base in the
pack's cache and use that as the starting point.

We currently make use of recursive function calls to unpack an object,
resolving the deltas as we come back down the chain. This means that we
have unbounded stack growth as we look up objects in a pack.

This is now done in two steps: first we figure out what the dependency
chain is by looking up the delta bases until we reach a non-delta
object, pushing the information we need onto a stack and then we pop
from that stack and apply the deltas until there are no more left.

This version of the code does not make use of the delta base cache so it
is slower than what's in the mainline. A later commit will reintroduce
it.

Repeating this error message makes it harder to find out where we
actually are finding the error, and they don't really describe what
we're trying to do.

Add filter options and ALLOW_UNSAFE

It seems that with the various recent changes to reference updating
and reflog writing, that the thread safety of refdb updates has
been reduced (either that or it was never thread safe and the
window for error has increased).  Either way, this test is now
sometimes segfaulting which is no good, so let's disable the test
for now.  We don't really make any public promises about thread
safety for this type of operation, so I think this is acceptable,
at least in the short term.

Only on a filesystem that is composed/decomposed insensitive,
should be testing that a branch can be looked up by the opposite
form and still work correctly.

One of the test helpers provides a quick way for looking up a
boolean key.  But if the key way missing completely, the check
would actually raise an error.  Given the way we use this helper,
if the key is missing, this should just return false, I think.

indexer: avoid memory moves

When using Iconv to convert unicode data and iconv doesn't like
the source data (because it thinks that it's not actual UTF-8),
instead of stopping the operation, just use the unconverted data.
This will generally do the right thing on the filesystem, since
that is the source of the non-UTF-8 path data anyhow.

This adds some tests for creating and looking up branches with
messy Unicode names.  Also, this takes the helper function that
was previously internal to `git_repository_init` and makes it
into `git_path_does_fs_decompose_unicode` which is a useful in
tests to understand what the expected results should be.

Our vector does a move of the rest of the array when we remove an
item. Doing this repeatedly can be expensive, and we do this a lot in
the indexer. Instead, set the value to NULL and skip those entries.

perf reported around 30% of `index-pack` time was going into
memmove. With this change, that goes away and we spent most of the time
hashing and inflating data.

iconv debugging aids

This is quite close to running "git for-each-ref" except:

  1. It does not take any formatting or selection options at
     all.

  2. The output is not sorted.

I wrote it to look at debugging some issues with ref
iteration, but there's no reason it can't live on as an
example command.

The cmake module we provide is in the file FindIconv.cmake,
so we must match the case correctly. It happens to work in
practice because we only turn on ICONV on Darwin, and people
generally have case-insensitive filesystems there.

Note that we only need to update the package name here. The
package itself still sets the all-uppercase ICONV_FOUND
flag, so we continue to use uppercase in the rest of cmake.

This adds in missing calls to `git_buf_sanitize` and fixes a
number of places where `git_buf` APIs could inadvertently write
NUL terminator bytes into invalid buffers.  This also changes the
behavior of `git_buf_sanitize` to NUL terminate a buffer if it can
and of `git_buf_shorten` to do nothing if it can.

Adds tests of filtering code with zeroed (i.e. unsanitized) buffer
which was previously triggering a segfault.

Accessing the repository's config and immediately taking a snapshot of
it is a common operation, so let's provide a convenience function for
it.

Fix the issues in git_shutdown

Diff and status do not want core.safecrlf to actually raise an
error regardless of the setting, so this extends the filter API
with an additional options flags parameter and adds a flag so that
filters can be applied with GIT_FILTER_OPT_ALLOW_UNSAFE, indicating
that unsafe filter application should be downgraded from a failure
to a warning.

odb: ignore files in the objects dir

1) Call to git_shutdown results in setting git__n_shutdown_callbacks
to -1. Next call to git__on_shutdown results in ABW (Array Bound Write)
for array git__shutdown_callbacks. In the current Implementation,
git_atomic_dec is called git__n_shutdown_callbacks + 1 times. I have
modified it to a for loop so that it is more readable. It would not
set git__n_shutdown_callbacks to a negative number and reset the
elements of git__shutdown_callbacks to NULL.

2) In function git_sysdir_get, shutdown function is registered only if
git_sysdir__dirs_shutdown_set is set to 0. However, after this variable
is set to 1, it is never reset to 0. If git_sysdir_global_init is
called again from synchronized_threads_init it does not register
shutdown function for this subsystem.

The diff code was using an "ignored_prefix" directory to track if
a parent directory was ignored that contained untracked files
alongside tracked files. Unfortunately, when negative ignore rules
were used for directories inside ignored parents, the wrong rules
were applied to untracked files inside the negatively ignored
child directories.

This commit moves the logic for ignore containment into the workdir
iterator (which is a better place for it), so the ignored-ness of
a directory is contained in the frame stack during traversal.  This
allows a child directory to override with a negative ignore and yet
still restore the ignored state of the parent when we traverse out
of the child.

Along with this, there are some problems with "directory only"
ignore rules on container directories.  Given "a/*" and "!a/b/c/"
(where the second rule is a directory rule but the first rule is
just a generic prefix rule), then the directory only constraint
was having "a/b/c/d/file" match the first rule and not the second.
This was fixed by having ignore directory-only rules test a rule
against the prefix of a file with LEADINGDIR enabled.

Lastly, spot checks for ignores using `git_ignore_path_is_ignored`
were tested from the top directory down to the bottom to deal with
the containment problem, but this is wrong. We have to test bottom
to top so that negative subdirectory rules will be checked before
parent ignore rules.

This does change the behavior of some existing tests, but it seems
only to bring us more in line with core Git, so I think those
changes are acceptable.

The brace in the check for peel's return was surrounding the wrong
thing, which made 'error' be set to 1 when there was an error instead of
the error code.