Implement a "lightweight" form of pathbias detection.

Nick Mathewson requested to merge nickm/arti:pb_lite into main

We now track, for every guard: the total number of successful circuits we've built through it, along with the total number of "indeterminate" circuits.

Recall that a circuit's status is "indeterminate" if it has failed for a reason that might be the guard's fault, or might not be the guard's fault. For example, if extending to the second hop of the circuit fails, we have no way to know whether the guard deliberately refused to connect there, or whether the second hop is just offline.

But we don't want to forgive all indeterminate circuit failures: if we did, then a malicious guard could simply reject any second hops that it didn't like, thereby filtering the client into a chosen set of circuits.

As a stopgap solution, this patch now makes guards become permanently disabled if the fraction of their circuit failures becomes too high.

See also general-purpose path bias selection (#65 (closed)), and Mike's idea for changing the guard reachability definition (torspec#67). This patch doesn't do either of those.

Closes #185 (closed).

Edited by Nick Mathewson
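
The per-guard bookkeeping described in the merge request text above, as an added Rust sketch. It is not code from this merge request or from Arti: the type and function names, the minimum sample count and the threshold fraction are all assumptions chosen for illustration.

```rust
// Added illustration, not Arti's code. All names and both constants are assumptions.
#[derive(Clone, Copy)]
pub enum Outcome { Success, Indeterminate }

/// Assumed: do not judge a guard until this many circuits have been counted.
const MIN_SAMPLES: u64 = 20;
/// Assumed: disable the guard once more than this fraction was indeterminate.
const MAX_INDETERMINATE_FRACTION: f64 = 0.7;

#[derive(Default)]
pub struct GuardPathStats {
    successes: u32,
    indeterminate: u32,
    disabled: bool, // set once, never cleared: the disable is permanent
}

impl GuardPathStats {
    pub fn record(&mut self, outcome: Outcome) {
        match outcome {
            Outcome::Success => self.successes = self.successes.saturating_add(1),
            Outcome::Indeterminate => self.indeterminate = self.indeterminate.saturating_add(1),
        }
        let total = u64::from(self.successes) + u64::from(self.indeterminate);
        if total >= MIN_SAMPLES
            && f64::from(self.indeterminate) / total as f64 > MAX_INDETERMINATE_FRACTION {
            self.disabled = true;
        }
    }
    pub fn usable(&self) -> bool { !self.disabled }
}

/// Replay a sequence of circuit outcomes against a fresh guard record.
pub fn simulate(outcomes: &[Outcome]) -> GuardPathStats {
    let mut g = GuardPathStats::default();
    for &o in outcomes { g.record(o); }
    g
}

fn main() {
    // Constructed sample: an honest guard whose second hop is offline 1 time in 5.
    let flaky: Vec<Outcome> = (0..100)
        .map(|i| if i % 5 == 0 { Outcome::Indeterminate } else { Outcome::Success }).collect();
    // Constructed sample: a guard that lets only 1 circuit in 10 complete.
    let filtering: Vec<Outcome> = (0..100)
        .map(|i| if i % 10 == 0 { Outcome::Success } else { Outcome::Indeterminate }).collect();
    println!("flaky usable: {}, filtering usable: {}",
             simulate(&flaky).usable(), simulate(&filtering).usable());
}
```

The minimum sample count keeps a guard from being disabled by a few early failures, and because the flag is never cleared, a later run of successes does not bring a disabled guard back.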