fix parsing of quoted time zone names

Fix parsing of the < > quoted time zone names. Compare the correct
character instead of repeatedly comparing the first character.

match historical behavior for tm_gmtoff member of struct tm

tm_gmtoff is a nonstandard field, but on historical systems which have
this field, it stores the offset of the local time zone from GMT or
UTC. this is the opposite of the POSIX extern long timezone object and
the offsets used in POSIX-form TZ strings, which represent the offset
from local time to UTC. previously we were storing these negated
offsets in tm_gmtoff too.

programs which only used this field indirectly via strftime were not
affected since strftime performed the negation for presentation.
however, some programs and libraries accesse tm_gmtoff directly and
were obtaining negated time zone offsets.

treat empty TZ environment variable as GMT rather than default

this improves compatibility with the behavior of other systems and
with some applications which set an empty TZ var to disable use of
local time by mktime, etc.

make all objects used with atomic operations volatile

the memory model we use internally for atomics permits plain loads of
values which may be subject to concurrent modification without
requiring that a special load function be used. since a compiler is
free to make transformations that alter the number of loads or the way
in which loads are performed, the compiler is theoretically free to
break this usage. the most obvious concern is with atomic cas
constructs: something of the form tmp=*p;a_cas(p,tmp,f(tmp)); could be
transformed to a_cas(p,*p,f(*p)); where the latter is intended to show
multiple loads of *p whose resulting values might fail to be equal;
this would break the atomicity of the whole operation. but even more
fundamental breakage is possible.

with the changes being made now, objects that may be modified by
atomics are modeled as volatile, and the atomic operations performed
on them by other threads are modeled as asynchronous stores by
hardware which happens to be acting on the request of another thread.
such modeling of course does not itself address memory synchronization
between cores/cpus, but that aspect was already handled. this all
seems less than ideal, but it's the best we can do without mandating a
C11 compiler and using the C11 model for atomics.

in the case of pthread_once_t, the ABI type of the underlying object
is not volatile-qualified. so we are assuming that accessing the
object through a volatile-qualified lvalue via casts yields volatile
access semantics. the language of the C standard is somewhat unclear
on this matter, but this is an assumption the linux kernel also makes,
and seems to be the correct interpretation of the standard.

fix handling of negative offsets in timezone spec strings

previously, the hours were considered as a signed quantity while
minutes and seconds were always treated as positive offsets. however,
semantically the '-' sign should negate the whole hh:mm:ss offset.
this bug only affected timezones east of GMT with non-whole-hours
offsets, such as those used in India and Nepal.

use default timezone from /etc/localtime if $TZ is unset/blank

the way this is implemented, it also allows explicit setting of
TZ=/etc/localtime even for suid programs. this is not a problem
because /etc/localtime is a trusted path, much like the trusted
zoneinfo search path.

perform minimal sanity checks on zoneinfo files loaded via TZ variable

previously, setting TZ to the pathname of a file which was not a valid
zoneinfo file would usually cause programs using local time zone based
operations to crash. the new code checks the file size and magic at
the beginning of the file, which seems sufficient to prevent
accidental misconfiguration from causing crashes. attempting to make
fully-robust validation would be futile unless we wanted to drop use
of mmap (shared zoneinfo) and instead read it into a local buffer,
since such validation would be subject to race conditions with
modification of the file.

do not try to interpret implementation specific strings as tz definition

allow zoneinfo-path-relative filenames with no slashes in TZ variable

since the form TZ=name is reserved for POSIX-form time zone strings,
TZ=:name needs to be used when the zoneinfo filename is in the
top-level zoneinfo directory and therefore does not contain a slash.
previously the leading colon was merely dropped, making it impossible
to access such zones without a full absolute pathname.

changes based on patch by Timo Teräs.

fix handling of overly-long TZ environment variable values

the rest of the code is not prepared to handle an empty TZ string, so
falling back to __gmt ("GMT"), just as if TZ had been blank or unset,
is the preferable action.

timezone parser: fix iteration over search dir paths

try+l points to \0, so only one iteration was ever tried.

timezone parser: fix offset to transition table in 64bit code path

we need to skip to the second TZif header, which starts at
skip+44, and then skip another header (20 bytes) plus the following
6 32bit values.

fix timezone parser code crashing on 64bit sys

if sizeof(time_t) == 8, this code path was missing the correct
offset into the zoneinfo file, using the header magic to do
offset calculations.
the 6 32bit fields to be read start at offset 20.

properly fill in tzname[] for old (pre-64-bit-format) zoneinfo files

in this case, the first standard-time and first daylight-time rules
should be taken as the "default" ones to expose.

minor fix to tz name checking

if a zoneinfo file is not (or is no longer) in use, don't check the
abbrevs pointers, which may be invalid.

fix strftime handling of time zone data

this may need further revision in the future, since POSIX is rather
unclear on the requirements, and is designed around the assumption of
POSIX TZ specifiers which are not sufficiently powerful to represent
real-world timezones (this is why zoneinfo support was added).

the basic issue is that strftime gets the string and numeric offset
for the timezone from the extra fields in struct tm, which are
initialized when calling localtime/gmtime/etc. however, a conforming
application might have created its own struct tm without initializing
these fields, in which case using __tm_zone (a pointer) could crash.
other zoneinfo-based implementations simply check for a null pointer,
but otherwise can still crash of the field contains junk.

simply ignoring __tm_zone and using tzname[] would "work" but would
give incorrect results in time zones with more complex rules. I feel
like this would lower the quality of implementation.

instead, simply validate __tm_zone: unless it points to one of the
zone name strings managed by the timezone system, assume it's invalid.

this commit also fixes several other minor bugs with formatting:
tm_isdst being negative is required to suppress printing of the zone
formats, and %z was using the wrong format specifiers since the type
of val was changed, resulting in bogus output.

fix mishandling of empty or blank TZ environment variable

the empty TZ string was matching equal to the initial value of the
cached TZ name, thus causing do_tzset never to run and never to
initialize the time zone data.

the big time handling overhaul

this commit has two major user-visible parts: zoneinfo-format time
zones are now supported, and overflow handling is intended to be
complete in the sense that all functions return a correct result if
and only if the result fits in the destination type, and otherwise
return an error. also, some noticable bugs in the way DST detection
and normalization worked have been fixed, and performance may be
better than before, but it has not been tested.