git.proxmox.com Git - mirror_zfs.git/commitdiff
Suppress Clang Static Analyzer warning in vdev_split()
author Richard Yao <richard.yao@alumni.stonybrook.edu>
Sat, 4 Mar 2023 20:38:06 +0000 (15:38 -0500)
committer Brian Behlendorf <behlendorf1@llnl.gov>
Wed, 8 Mar 2023 21:51:31 +0000 (13:51 -0800)
Clang's static analyzer pointed out that we can have a NULL pointer
dereference if we ever attempt to split a vdev that has only 1 child. If
that happens, we are left with zero children, but then try to access a
non-existent child. Calling vdev_split() on a vdev with only 1 child
should be impossible due to how the code is structured. If this ever
happens, it would be best to stop execution immediately even in a
production environment to allow for the best possible chance of recovery
by an expert, so we use `VERIFY3U()` instead of `ASSERT3U()`.

Unfortunately, while that defensive assertion will prevent execution
from ever reaching the NULL pointer dereference, Clang's static analyzer
does not realize that, so we add an `ASSERT()` to inform it of this.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14575
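The reasoning in the message (remove one child, compact the array, then index child[0], which is only safe if at least two children were present beforehand) can be illustrated with a small toy model. The following is an added example written for this page, not ZFS code: `toy_vdev_t`, `toy_vdev_split()`, `toy_remove_and_compact()`, `toy_remove_parent()` and `toy_make_parent()` are hypothetical stand-ins for the real `vdev_t` and the functions named in the patch. The precondition that corresponds to `VERIFY3U(pvd->vdev_children, >, 1)` is modelled as an unconditional check that reports failure to the caller instead of panicking, so the rejected case can be exercised without aborting the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy vdev tree, constructed for this example (not the real ZFS vdev_t). */
typedef struct toy_vdev {
    struct toy_vdev *parent;
    struct toy_vdev **child;   /* NULL once children drops to 0 */
    uint64_t children;
} toy_vdev_t;

/* Stands in for VERIFY3U(pvd->vdev_children, >, 1): an always-on check,
 * not one that disappears in a non-debug build.  Hypothetical helper. */
static int toy_split_precondition(const toy_vdev_t *pvd)
{
    return (pvd != NULL && pvd->children > 1);
}

/* Like vdev_remove_child() followed by vdev_compact_children(): drop vd and
 * close the gap.  If nothing remains, the array is freed and set to NULL,
 * which is exactly the state the analyzer warned about. */
static void toy_remove_and_compact(toy_vdev_t *pvd, toy_vdev_t *vd)
{
    uint64_t n = 0;
    for (uint64_t i = 0; i < pvd->children; i++)
        if (pvd->child[i] != vd)
            pvd->child[n++] = pvd->child[i];
    pvd->children = n;
    vd->parent = NULL;
    if (n == 0) {
        free(pvd->child);
        pvd->child = NULL;
    }
}

/* Like vdev_remove_parent(): splice pvd out so cvd hangs directly off the
 * grandparent (or becomes a root when there is none).  pvd is freed. */
static void toy_remove_parent(toy_vdev_t *cvd)
{
    toy_vdev_t *pvd = cvd->parent;
    toy_vdev_t *gpvd = pvd->parent;
    if (gpvd != NULL)
        for (uint64_t i = 0; i < gpvd->children; i++)
            if (gpvd->child[i] == pvd)
                gpvd->child[i] = cvd;
    cvd->parent = gpvd;
    free(pvd->child);
    free(pvd);
}

/* Detach vd from its parent.  Returns 0 on success, -1 where the real code
 * would have tripped VERIFY3U (parent has fewer than two children). */
int toy_vdev_split(toy_vdev_t *vd)
{
    toy_vdev_t *pvd = vd->parent;

    if (!toy_split_precondition(pvd))
        return -1;              /* stays active in production builds */

    toy_remove_and_compact(pvd, vd);

    /* One of at least two children was removed, so at least one remains and
     * child[0] is valid.  The ASSERT3P in the patch states this invariant
     * for the analyzer; the VERIFY above is what actually guarantees it. */
    toy_vdev_t *cvd = pvd->child[0];
    if (pvd->children == 1)
        toy_remove_parent(cvd);
    return 0;
}

/* Constructed fixture: a parent with n leaf children and no grandparent. */
toy_vdev_t *toy_make_parent(uint64_t n)
{
    toy_vdev_t *pvd = calloc(1, sizeof (*pvd));
    pvd->children = n;
    pvd->child = (n != 0) ? calloc(n, sizeof (*pvd->child)) : NULL;
    for (uint64_t i = 0; i < n; i++) {
        pvd->child[i] = calloc(1, sizeof (**pvd->child));
        pvd->child[i]->parent = pvd;
    }
    return pvd;
}
```

Run against a one-child parent the split is refused up front and the tree is untouched; against a three-child parent it succeeds and leaves `child[0]` valid; against a two-child parent the surviving child is promoted in place of its parent, mirroring the `vdev_children == 1` branch visible in the hunk. Had the precondition been an `ASSERT` compiled out of production, the one-child case would reach `pvd->child[0]` with `child == NULL`.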

module/zfs/vdev.c

index 8f3e461bae7b40673e921011262682d728c8a8ad..275d5cbbf504556f1ca702e8b6fc05f10ea610ad 100644 (file)
@@ -5396,9 +5396,13 @@ vdev_split(vdev_t *vd)
 {
        vdev_t *cvd, *pvd = vd->vdev_parent;
 
+       VERIFY3U(pvd->vdev_children, >, 1);
+
        vdev_remove_child(pvd, vd);
        vdev_compact_children(pvd);
 
+       ASSERT3P(pvd->vdev_child, !=, NULL);
+
        cvd = pvd->vdev_child[0];
        if (pvd->vdev_children == 1) {
                vdev_remove_parent(cvd);
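Review bot: the new `ASSERT3P(pvd->vdev_child, !=, NULL)` is compiled out in non-debug builds, so it documents the invariant for the analyzer rather than enforcing it; the guarantee that `pvd->vdev_child[0]` is valid rests entirely on `VERIFY3U(pvd->vdev_children, >, 1)` running before `vdev_remove_child()`, which leaves at least one child after the removal and compaction. A one-line comment above the `ASSERT3P` stating that it exists to satisfy the static analyzer would keep a later cleanup from dropping it as redundant (it is implied by the `VERIFY3U`) and reintroducing the warning.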