From c79cee71363ddaeb3c5ab7d3ccb87a11e1860d95 Mon Sep 17 00:00:00 2001
From: Kyle Evans <kevans@FreeBSD.org>
Date: Wed, 13 May 2020 18:07:37 +0000
Subject: [PATCH] kernel: provide panicky version of __unreachable

__builtin_unreachable doesn't raise any compile-time warnings/errors on its
own, so problems with its usage can't be easily detected. While it would be
nice for this situation to change and compilers to at least add a warning
for trivial cases where local state means the instruction can't be reached,
this isn't the case at the moment and likely will not happen.

This commit adds an __assert_unreachable, whose intent is incredibly clear:
it asserts that this instruction is unreachable. On INVARIANTS builds, it's
a panic(), and on non-INVARIANTS it expands to  __unreachable().

Existing users of __unreachable() are converted to __assert_unreachable,
to improve debuggability if this assumption is violated.

Reviewed by:	mjg
Differential Revision:	https://reviews.freebsd.org/D23793
---
 sys/ddb/db_expr.c         | 5 +++--
 sys/dev/amdtemp/amdtemp.c | 4 ++--
 sys/dev/nvdimm/nvdimm.c   | 3 ++-
 sys/dev/ow/ow.c           | 2 +-
 sys/net/mppcc.c           | 2 +-
 sys/sys/systm.h           | 4 ++++
 sys/vm/vm_radix.c         | 2 +-
 7 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/sys/ddb/db_expr.c b/sys/ddb/db_expr.c
index b3198611a04..34095108924 100644
--- a/sys/ddb/db_expr.c
+++ b/sys/ddb/db_expr.c
@@ -34,6 +34,7 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/systm.h>
 
 #include <ddb/ddb.h>
 #include <ddb/db_lex.h>
@@ -229,7 +230,7 @@ db_add_expr(db_expr_t *valuep)
 		lhs |= rhs;
 		break;
 	    default:
-		__unreachable();
+		__assert_unreachable();
 	    }
 	    t = db_read_token();
 	}
@@ -313,7 +314,7 @@ db_logical_relation_expr(
 		    lhs = (lhs <= rhs);
 		    break;
 		default:
-		    __unreachable();
+		    __assert_unreachable();
 	    }
 	    t = db_read_token();
 	}
diff --git a/sys/dev/amdtemp/amdtemp.c b/sys/dev/amdtemp/amdtemp.c
index 597737c98c8..80c0e3c538e 100644
--- a/sys/dev/amdtemp/amdtemp.c
+++ b/sys/dev/amdtemp/amdtemp.c
@@ -666,7 +666,7 @@ amdtemp_gettemp0f(device_t dev, amdsensor_t sensor)
 			temp |= AMDTEMP_TTSR_SELCORE;
 		break;
 	default:
-		__unreachable();
+		__assert_unreachable();
 	}
 	pci_write_config(dev, AMDTEMP_THERMTP_STAT, temp, 1);
 
@@ -766,7 +766,7 @@ amdtemp_gettemp17h(device_t dev, amdsensor_t sensor)
 		    ("sensor %d: not valid", (int)sensor));
 		return (amdtemp_decode_fam10h_to_17h(sc->sc_offset, val, true));
 	default:
-		__unreachable();
+		__assert_unreachable();
 	}
 }
 
diff --git a/sys/dev/nvdimm/nvdimm.c b/sys/dev/nvdimm/nvdimm.c
index 4f3696fefd5..66638636ef0 100644
--- a/sys/dev/nvdimm/nvdimm.c
+++ b/sys/dev/nvdimm/nvdimm.c
@@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
 #include "opt_ddb.h"
 
 #include <sys/param.h>
+#include <sys/systm.h>
 #include <sys/bio.h>
 #include <sys/bitstring.h>
 #include <sys/bus.h>
@@ -236,7 +237,7 @@ read_label(struct nvdimm_dev *nv, int num)
 			return (0);
 		}
 	}
-	__unreachable();
+	__assert_unreachable();
 }
 
 static int
diff --git a/sys/dev/ow/ow.c b/sys/dev/ow/ow.c
index eda33ea986d..a6583accaa5 100644
--- a/sys/dev/ow/ow.c
+++ b/sys/dev/ow/ow.c
@@ -507,7 +507,7 @@ again:
 					return (EIO);
 				goto again;
 			default: /* NOTREACHED */
-				__unreachable();
+				__assert_unreachable();
 			}
 			if (dir) {
 				OWLL_WRITE_ONE(lldev, &timing_regular);
diff --git a/sys/net/mppcc.c b/sys/net/mppcc.c
index 8ec21ad7c65..c1bf566c790 100644
--- a/sys/net/mppcc.c
+++ b/sys/net/mppcc.c
@@ -232,7 +232,7 @@ int MPPC_Compress(u_char **src, u_char **dst, u_long *srcCnt, u_long *dstCnt, ch
 	} else if (off < 8192) {	/* 16-bit offset; 320 <= offset < 8192 */
 	    putbits16(*dst, 0xc000|(off-320), 16, &olen, &l);
 	} else {		/* NOTREACHED */
-	    __unreachable();
+	    __assert_unreachable();
 	    rtn &= ~MPPC_OK;
 	    return (rtn);
 	}
diff --git a/sys/sys/systm.h b/sys/sys/systm.h
index 628dd4e0f5b..b105a27a6f7 100644
--- a/sys/sys/systm.h
+++ b/sys/sys/systm.h
@@ -117,6 +117,9 @@ void	kassert_panic(const char *fmt, ...)  __printflike(1, 2);
 	VNASSERT(exp, vp, ("condition %s not met at %s:%d (%s)",	\
 	    _exp, __FILE__, __LINE__, __func__));			\
 } while (0)
+#define	__assert_unreachable() \
+	panic("executing segment marked as unreachable at %s:%d (%s)\n", \
+	    __FILE__, __LINE__, __func__)
 #else
 #define	KASSERT(exp,msg) do { \
 } while (0)
@@ -125,6 +128,7 @@ void	kassert_panic(const char *fmt, ...)  __printflike(1, 2);
 } while (0)
 #define	VNPASS(exp, vp) do { \
 } while (0)
+#define	__assert_unreachable()	__unreachable()
 #endif
 
 #ifndef CTASSERT	/* Allow lint to override */
diff --git a/sys/vm/vm_radix.c b/sys/vm/vm_radix.c
index ce9edad13c1..31666f0053c 100644
--- a/sys/vm/vm_radix.c
+++ b/sys/vm/vm_radix.c
@@ -209,7 +209,7 @@ vm_radix_node_load(smrnode_t *p, enum vm_radix_access access)
 	case SMR:
 		return (smr_entered_load(p, vm_radix_smr));
 	}
-	__unreachable();
+	__assert_unreachable();
 }
 
 static __inline void