fix bad character checking in wordexp

the character sequence '$((' was incorrectly interpreted as the
opening of arithmetic even within single-quoted contexts, thereby
suppressing the checks for bad characters after the closing quote.

presently bad character checking is only performed when the WRDE_NOCMD
is used; this patch only corrects checking in that case.

fix and refactor child reaping logic in wordexp

loop condition was incorrect and confusing and caused an infinite loop
when (broken) applications reaped the pid from a signal handler or
another thread before wordexp's call to waitpid could do so.

fix fd leak and case where fd 1 is already closed in wordexp

fix resource exhaustion and zero-word cases in wordexp

when WRDE_NOSPACE is returned, the we_wordv and we_wordc members must
be valid, because the interface contract allows them to return partial
results.

in the case of zero results (due either to resource exhaustion or a
zero-word input) the we_wordv array still should contain a terminating
null pointer and the initial we_offs null pointers. this is impossible
on resource exhaustion, so a correct application must presumably check
for a null pointer in we_wordv; POSIX however seems to ignore the
issue. the previous code may have crashed under this situation.

improve robustness of wordexp and fix handling of 0-word case

avoid using exit status to determine if a shell error occurred, since
broken programs may install SIGCHLD handlers which reap all zombies,
including ones that don't belong to them. using clone and __WCLONE
does not seem to work for avoiding this problem since exec resets the
exit signal to SIGCHLD.

instead, the new code uses a dummy word at the beginning of the
shell's output, which is ignored, to determine whether the command was
executed successfully. this also fixes a corner case where a word
string containing zero words was interpreted as a single zero-length
word rather than no words at all. POSIX does not seem to require this
case to be supported anyway, though.

in addition, the new code uses the correct retry idiom for waitpid to
ensure that spurious STOP/CONT signals in the child and/or EINTR in
the parent do not prevent successful wait for the child, and blocks
signals in the child.

use restrict everywhere it's required by c99 and/or posix 2008

to deal with the fact that the public headers may be used with pre-c99
compilers, __restrict is used in place of restrict, and defined
appropriately for any supported compiler. we also avoid the form
[restrict] since older versions of gcc rejected it due to a bug in the
original c99 standard, and instead use the form *restrict.

wordexp must set the we_offs entries of we_wordv to null pointers

fix crash in wordfree if we_offs is not initialized by the caller

I'm not sure if it's legal for wordexp to modify this field, but this
is the only easy/straightforward fix, and applications should not
care. if it's an issue, i can work out a different (but more complex)
solution later.

wordexp cannot use we_offs unless WRDE_DOOFFS flag is set

previously, a potentially-indeterminate value from we_offs was being
used, resulting in wrong we_wordc and subsequent crashes in the
caller.

block cancellation in wordexp, handle more errors

avoid malloc of potentially-large string in wordexp

remove stupid debug code in wordexp

implement wordexp. first try, may be buggy. intended to be safe.