WiredTiger's page-swap function error handling is wrong.

There are 5 callers of the page-swap function: 2 in the walk code, 2 in the row-store search code, 1 in the column-store search code. They expect to handle following errors:

1. walk #1: handles no errors
2. walk #2: handles both restart and notfound errors
3. row-store search #1, #2 and column-store search: all handle restart errors

The underlying function:

• returns the error in the case of either restart or notfound, without discarding the originally held page,
• discards both the originally held and desired page on other error (the desired page is discarded when the desired page is successfully acquired, but the originally held page is not successfully discarded).

If the caller discards the originally held page on error, they will attempt to discard an already discarded hazard pointer in cases where no page is held when the underlying function returns.

If the caller doesn't discard the originally held page on error, they will fail to discard a hazard pointer should the underlying function return a notfound or restart error they're not prepared to handle.