fix bugs in cancellable syscall asm

x86_64 was just plain wrong in the cancel-flag-already-set path, and
crashing.

the more subtle error was not clearing the saved stack pointer before
returning to c code. this could result in the signal handler
misidentifying c code as the pre-syscall part of the asm, and acting
on cancellation at the wrong time, and thus resource leak race
conditions.

also, now __cancel (in the c code) is responsible for clearing the
saved sp in the already-cancelled branch. this means we have to use
call rather than jmp to ensure the stack pointer in the c will never
match what the asm saved.

src/thread/cancel_impl.c

@@ -3,6 +3,7 @@
 void __cancel()
 {
 	pthread_t self = __pthread_self();
+	self->cp_sp = 0;
 	self->canceldisable = 1;
 	self->cancelasync = 0;
 	pthread_exit(PTHREAD_CANCELED);
@@ -24,8 +25,8 @@ long (__syscall_cp)(long nr, long u, long v, long w, long x, long y, long z)
 	self->cp_sp = 0;
 	self->cp_ip = 0;
 	r = __syscall_cp_asm(&self->cp_sp, nr, u, v, w, x, y, z);
-	self->cp_sp = old_sp;
 	self->cp_ip = old_ip;
+	self->cp_sp = old_sp;
 	if (r == -EINTR && self->cancel) __cancel();
 	return r;
 }

src/thread/i386/syscall_cp.s

@@ -28,9 +28,8 @@ __syscall_cp_asm:
 	popl %edi
 	popl %esi
 	popl %ebx
+	xorl %edx,%edx
+	movl 4(%esp),%ecx
+	movl %edx,(%ecx)
 	ret
-2:	xorl %eax,%eax
+2:	call __cancel
-	movl %eax,4(%ecx)
-	movl %eax,(%ecx)
-	pushl $-1
-	call __cancel

src/thread/x86_64/syscall_cp.s

@@ -8,6 +8,7 @@ __syscall_cp_asm:
 	mov 16(%rdi),%eax
 	test %eax,%eax
 	jnz 2f
+	mov %rdi,%r11
 	mov %rsi,%rax
 	mov %rdx,%rdi
 	mov %rcx,%rsi
@@ -15,10 +16,10 @@ __syscall_cp_asm:
 	mov %r9,%r10
 	mov 8(%rsp),%r8
 	mov 16(%rsp),%r9
+	mov %r11,8(%rsp)
 1:	syscall
+	xor %ecx,%ecx
+	mov 8(%rsp),%edi
+	mov %rcx,(%rdi)
 	ret
-2:	xor %edi,%edi
+2:	call __cancel
-	mov %rdi,8(%r10)
-	mov %rdi,(%r10)
-	dec %rdi
-	jmp __cancel