rand: add a note about a potentially misleading code analyzer warning.

When seeding from a parent DRBG, the pointer to the child is used as
additional data.  This triggers static code analysers.  Rearrange and
expand the comments to make this more obvious.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12724)

providers/implementations/rands/drbg.c

@@ -183,17 +183,23 @@ static size_t prov_drbg_get_entropy(PROV_DRBG *drbg, unsigned char **pout,
         if (buffer != NULL) {
             size_t bytes = 0;
 
+            if (drbg->parent_generate == NULL)
+                goto err;
             /*
-             * Get random data from parent. Include our address as additional input,
-             * in order to provide some additional distinction between different
-             * DRBG child instances.
              * Our lock is already held, but we need to lock our parent before
              * generating bits from it. (Note: taking the lock will be a no-op
              * if locking if drbg->parent->lock == NULL.)
              */
-            if (drbg->parent_generate == NULL)
-                goto err;
             drbg_lock_parent(drbg);
+            /*
+             * Get random data from parent.  Include our DRBG address as
+             * additional input, in order to provide a distinction between
+             * different DRBG child instances.
+             *
+             * Note: using the sizeof() operator on a pointer triggers
+             *       a warning in some static code analyzers, but it's
+             *       intentional and correct here.
+             */
             if (drbg->parent_generate(drbg->parent, buffer, bytes_needed,
                                       drbg->strength, prediction_resistance,
                                       (unsigned char *)&drbg,