Fix build warnings from Coverity related to our BUG macro

In the Linux kernel, the BUG() macro causes an instant panic.  Our
BUG() macro is different, however: it generates a nonfatal assertion
failure, and is usable as an expression.

Additionally, this patch tells util_bug.h to make all assertion
failures into fatal conditions when we're building with a static
analysis tool, so that the analysis tool can look for instances
where they're reachable.

Fixes bug 23030.
Nick Mathewson 7 years ago
parent
commit
32b9edeb91
2 changed files with 20 additions and 0 deletions
  1. changes/bug23030_029 (7 additions, 0 deletions)
  2. src/common/util_bug.h (13 additions, 0 deletions)

+ 7 - 0
changes/bug23030_029

@@ -0,0 +1,7 @@
+  o Minor bugfixes (coverity builds):
+    - Avoid Coverity build warnings related to our BUG() macro. By
+      default, Coverity treats BUG() as the Linux kernel does: an
+      instant abort(). We need to override that so our BUG() macro
+      doesn't prevent Coverity from analyzing functions that use it.
+      Fixes bug 23030; bugfix on 0.2.9.1-alpha.
+
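Review bot: the changelog entry covers only the BUG() override and omits the second behaviour change the commit message describes, that nonfatal assertion failures become fatal when building under a static analysis tool. Suggest adding a sentence to the entry saying that builds with Coverity or the clang analyzer now treat all nonfatal assertions as fatal, so changelog readers know analysis builds differ from normal builds.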

+ 13 - 0
src/common/util_bug.h

@@ -58,6 +58,19 @@
  *     return -1;
  */
 
+#ifdef __COVERITY__
+#undef BUG
+// Coverity defines this in global headers; let's override it.  This is a
+// magic coverity-only preprocessor thing.
+#nodef BUG(x) ((x)?(__coverity_panic__(),1):0)
+#endif
+
+#if defined(__COVERITY__) || defined(__clang_analyzer__)
+// We're running with a static analysis tool: let's treat even nonfatal
+// assertion failures as something that we need to avoid.
+#define ALL_BUGS_ARE_FATAL
+#endif
+
 #ifdef ALL_BUGS_ARE_FATAL
 #define tor_assert_nonfatal_unreached() tor_assert(0)
 #define tor_assert_nonfatal(cond) tor_assert((cond))
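Review bot: the comment above `#nodef BUG(x)` calls it "a magic coverity-only preprocessor thing" without saying what the directive does or why a plain `#define` after the `#undef` would not be enough; please document that, since this branch cannot be exercised outside a Coverity build. In the second block, `#define ALL_BUGS_ARE_FATAL` is unguarded, so a build that already sets the macro to a value on the command line would get a redefinition warning; wrapping it in `#ifndef ALL_BUGS_ARE_FATAL` avoids that. As a style point, the new comments use `//` while the comment just above the hunk uses `/* */`.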