git-compat-util: suppress Coverity false positives from CONST_OUTPARAM

The CONST_OUTPARAM macro uses a dead ternary branch for
compile-time type checking:

    (0 ? (*(out) = (in)), (out)) : (out))

The write *(out) = (in) never executes (guarded by "0 ?"), but
it ensures that *out and in have compatible types. When
skip_prefix(p, "literal", &p) expands, the third argument to
skip_prefix_impl contains this dead write to p while the first
argument reads p. Coverity's EVALUATION_ORDER checker does not
eliminate the dead branch and flags this as an unsequenced
read/write of the same variable, producing 122 false positives
across the codebase.

Model files cannot suppress this because the issue is in macro
expansion, which happens before Coverity's function-level
modeling. An earlier attempt to model skip_prefix_impl() in
the Coverity model file had no effect because Coverity inlines
the static inline function rather than using the model.

Simplify CONST_OUTPARAM to just (out) under __COVERITY__,
dropping the type-checking branch that confuses the checker. The
type safety is preserved for real builds.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

git-compat-util.h

@@ -499,8 +499,19 @@ void set_die_is_recursing_routine(int (*routine)(void));
  *
  *  See the skip_prefix macro below for an example of use.
  */
+/*
+ * Coverity's EVALUATION_ORDER checker mistakes the dead ternary branch
+ * for a live side effect: in skip_prefix(p, "x", &p) the expansion
+ * contains *(out) = (in) in a 0-conditional, which Coverity reads as a
+ * write to p while p is also read as the first argument.  Simplify the
+ * macro for Coverity to suppress 120+ false positives.
+ */
+#ifdef __COVERITY__
+#define CONST_OUTPARAM(in, out) (out)
+#else
 #define CONST_OUTPARAM(in, out) \
 	((const char **)(0 ? ((*(out) = (in)),(out)) : (out)))
+#endif
 
 /*
  * If the string "str" begins with the string found in "prefix", return true.