coverity: silence CID 1691836 / 1691837

CID 1691837 (NULL_RETURNS) in rlm_kafka's kafka_xlat_produce():
Coverity doesn't trust the xlat framework's required=true contract
and flags the downstream derefs of key_vb and value_vb.  Add an
fr_assert after the vars to document the invariant and silence it.

CID 1691836 (RESOURCE_LEAK) in fr_atomic_ring_push():
Coverity doesn't track atomic stores as reference publication, so
when we atomic_store_explicit() `n` into h->next and ring->head it
still considers `n` leaked once the local goes out of scope.  It
isn't - the consumer frees it via atomic_ring_entry_free() once it
advances past.  Annotate with /* coverity[leaked_storage] */.

Author: arr2036

src/lib/io/atomic_queue.c

@@ -569,6 +569,16 @@ bool fr_atomic_ring_push(fr_atomic_ring_t *ring, void *data)
 	atomic_store_explicit(&h->next, n, memory_order_release);
 	atomic_store_explicit(&ring->head, n, memory_order_relaxed);
 
+	/*
+	 *	coverity[leaked_storage]
+	 *
+	 *	Coverity doesn't track atomic stores as reference
+	 *	publication, so it sees `n` going out of scope and
+	 *	flags it as leaked.  It isn't: the two atomic stores
+	 *	above have published `n` into both `h->next` and
+	 *	`ring->head`, and the consumer will free it via
+	 *	atomic_ring_entry_free() once it advances past.
+	 */
 	return fr_atomic_queue_push(n->q, data);
 }
 

src/modules/rlm_kafka/rlm_kafka.c

@@ -790,6 +790,15 @@ static xlat_action_t kafka_xlat_produce(UNUSED TALLOC_CTX *xctx_ctx, UNUSED fr_d
 	uint8_t const			*key = NULL;
 	size_t				key_len = 0;
 
+	/*
+	 *	The xlat framework enforces the arg contract before calling
+	 *	us: `required = true` for topic + value, and the required
+	 *	value slot after key keeps key's position filled even when
+	 *	the caller passes `null`.  Assert the invariant so Coverity
+	 *	stops flagging the downstream derefs.
+	 */
+	fr_assert(topic_vb && key_vb && value_vb);
+
 	/*
 	 *	Fast path: a literal topic argument was pre-resolved to
 	 *	an rd_kafka_topic_t at xlat_instantiate time.