In rS323851, some casts were adjusted in calls to nvlist_next() and
nvlist_get_pararr() in order to make scan-build happy. I think these changes
just confused scan-build into not reporting the strict-aliasing violation.

For example, nvlist_xdescriptors() is causing nvlist_next() to write to its
local variable nvp of type nvpair_t * using the lvalue *cookiep of type
void *, which is not allowed. Given the APIs of nvlist_next(),
nvlist_get_parent() and nvlist_get_pararr(), one possible fix is to create a
local void *cookie in nvlist_xdescriptors() and other places, and to convert
the value to nvpair_t * when necessary. This patch implements that fix.

An rg '\(void\s*\*\*\)\s*&' finds many cases in the kernel where an
address of something is cast to void **, but only few in userland. This
matches that the kernel configures the compiler for a dialect of C without
type based aliasing restrictions (i.e., -fno-strict-aliasing), but userland
does not.

Install world and kernel in a VM and run lib/libnv and lib/libcasper tests.
All tests passed except the cap_dns ones which failed the same way as
unpatched (because my VM does not have a direct network connection).