Bug 3717: assertion failed with dstdom_regex with IP based URL

Bug 3717: assertion failed with dstdom_regex with IP based URL

A combination of ACL negation and async lookup leads to
Checklist.cc:287:"!needsAsync && !matchFinished" assertions.

The lower-level ACL code says "not a match because I need an async lookup" but
the negation-handling code in ACL::matches() ignores the "need an async
lookup" part and converts "not a match" into a "match". This patch prevents
that conversion, while allowing Checklist code to decide what to do with
an async lookup (depending on whether the directive being checked supports
slow ACLs).

Note that this change prevents admins from negating async lookups in
directives that do not support them: both "!foo" and "foo" will probably not
match in those directives if ACL foo needs an async lookup.