kernel: provide panicky version of __unreachable

__builtin_unreachable doesn't raise any compile-time warnings/errors on its
own, so problems with its usage can't be easily detected. While it would be
nice for this situation to change and compilers to at least add a warning
for trivial cases where local state means the instruction can't be reached,
this isn't the case at the moment and likely will not happen.

This commit adds an __assert_unreachable, whose intent is incredibly clear:
it asserts that this instruction is unreachable. On INVARIANTS builds, it's
a panic(), and on non-INVARIANTS it expands to __unreachable().

Existing users of __unreachable() are converted to __assert_unreachable,
to improve debuggability if this assumption is violated.

Reviewed by:	mjg
Differential Revision:	https://reviews.freebsd.org/D23793
Kyle Evans 2020-05-13 18:07:37 +00:00
parent 0721214a60
commit c79cee7136
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=361011
7 changed files with 14 additions and 8 deletions


@ -34,6 +34,7 @@
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/systm.h>
#include <ddb/ddb.h>
#include <ddb/db_lex.h>
@ -229,7 +230,7 @@ db_add_expr(db_expr_t *valuep)
lhs |= rhs;
break;
default:
__unreachable();
__assert_unreachable();
}
t = db_read_token();
}
@ -313,7 +314,7 @@ db_logical_relation_expr(
lhs = (lhs <= rhs);
break;
default:
__unreachable();
__assert_unreachable();
}
t = db_read_token();
}


@ -666,7 +666,7 @@ amdtemp_gettemp0f(device_t dev, amdsensor_t sensor)
temp |= AMDTEMP_TTSR_SELCORE;
break;
default:
__unreachable();
__assert_unreachable();
}
pci_write_config(dev, AMDTEMP_THERMTP_STAT, temp, 1);
@ -766,7 +766,7 @@ amdtemp_gettemp17h(device_t dev, amdsensor_t sensor)
("sensor %d: not valid", (int)sensor));
return (amdtemp_decode_fam10h_to_17h(sc->sc_offset, val, true));
default:
__unreachable();
__assert_unreachable();
}
}


@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$");
#include "opt_ddb.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/bio.h>
#include <sys/bitstring.h>
#include <sys/bus.h>
@ -236,7 +237,7 @@ read_label(struct nvdimm_dev *nv, int num)
return (0);
}
}
__unreachable();
__assert_unreachable();
}
static int


@ -507,7 +507,7 @@ ow_enumerate(device_t dev, ow_enum_fn *enumfp, ow_found_fn *foundfp)
return (EIO);
goto again;
default: /* NOTREACHED */
__unreachable();
__assert_unreachable();
}
if (dir) {
OWLL_WRITE_ONE(lldev, &timing_regular);


@ -232,7 +232,7 @@ int MPPC_Compress(u_char **src, u_char **dst, u_long *srcCnt, u_long *dstCnt, ch
} else if (off < 8192) { /* 16-bit offset; 320 <= offset < 8192 */
putbits16(*dst, 0xc000|(off-320), 16, &olen, &l);
} else { /* NOTREACHED */
__unreachable();
__assert_unreachable();
rtn &= ~MPPC_OK;
return (rtn);
}
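Review bot: In the final `else` branch the statements after `__assert_unreachable();` (`rtn &= ~MPPC_OK;` and `return (rtn);`) can never take effect. With INVARIANTS the macro panics, and without it the macro expands to `__unreachable()`, which lets the compiler drop the branch together with its error return. If an offset of 8192 or more is ever computed, a production kernel gets undefined behaviour in the compressor instead of the clean failure the code appears to intend. Using `KASSERT(0, ("%s: offset out of range", __func__));` in place of the marker would keep the panic on debug kernels and the fallback return on release kernels, assuming KASSERT is in scope in this file. MPPC_Compress starts and ends outside the hunk, so how `off` is bounded earlier is not visible here.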


@ -117,6 +117,9 @@ void kassert_panic(const char *fmt, ...) __printflike(1, 2);
VNASSERT(exp, vp, ("condition %s not met at %s:%d (%s)", \
_exp, __FILE__, __LINE__, __func__)); \
} while (0)
#define __assert_unreachable() \
panic("executing segment marked as unreachable at %s:%d (%s)\n", \
__FILE__, __LINE__, __func__)
#else
#define KASSERT(exp,msg) do { \
} while (0)
@ -125,6 +128,7 @@ void kassert_panic(const char *fmt, ...) __printflike(1, 2);
} while (0)
#define VNPASS(exp, vp) do { \
} while (0)
#define __assert_unreachable() __unreachable()
#endif
#ifndef CTASSERT /* Allow lint to override */
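Review bot: The fallback definition `#define __assert_unreachable() __unreachable()` keeps the builtin's undefined behaviour on kernels built without INVARIANTS, and neither definition has a comment saying so. A reader who sees "assert" in the name may assume the release build fails safely, which it does not. I would add a comment above the first definition such as `/* Panics under INVARIANTS; otherwise reaching this is undefined behaviour. Do not use it as the only guard on a value that can come from outside the kernel. */`. The conditional that selects between the two definitions opens outside the visible lines, so that it is keyed on INVARIANTS is taken from the commit description.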


@ -209,7 +209,7 @@ vm_radix_node_load(smrnode_t *p, enum vm_radix_access access)
case SMR:
return (smr_entered_load(p, vm_radix_smr));
}
__unreachable();
__assert_unreachable();
}
static __inline void