Coverity deadcode shenanigans on BUG() macro.

We don't actually want Coverity to complain when a BUG() check can
never fail, since such checks can prevent us from introducing bugs
later on.

Closes ticket 23054. Closes CID 1415720, 1415724.

changes/bug23054

@@ -0,0 +1,4 @@
+  o Minor features (static analysis):
+    - The BUG() macro has been changed slightly so that Coverity no
+      longer complains about dead code if the bug is impossible. Closes
+      ticket 23054.

src/common/util_bug.c

@@ -13,6 +13,10 @@
 #include "backtrace.h"
 #include "container.h"
 
+#ifdef __COVERITY__
+int bug_macro_deadcode_dummy__ = 0;
+#endif
+
 #ifdef TOR_UNIT_TESTS
 static void (*failed_assertion_cb)(void) = NULL;
 static int n_bugs_to_capture = 0;

src/common/util_bug.h

@@ -59,10 +59,13 @@
  */
 
 #ifdef __COVERITY__
+extern int bug_macro_deadcode_dummy__;
 #undef BUG
 // Coverity defines this in global headers; let's override it.  This is a
 // magic coverity-only preprocessor thing.
-#nodef BUG(x) ((x)?(__coverity_panic__(),1):0)
+// We use this "deadcode_dummy__" trick to prevent coverity from
+// complaining about unreachable bug cases.
+#nodef BUG(x) ((x)?(__coverity_panic__(),1):(0+bug_macro_deadcode_dummy__))
 #endif
 
 #if defined(__COVERITY__) || defined(__clang_analyzer__)