Coverity __wt_clayered_range_truncate_stable_replay dereferences trunc_info->start without null check


    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Layered Tables
    • Storage Engines - Foundations

      In src/cursor/cur_layered.c, the function __wt_clayered_range_truncate_stable_replay dereferences trunc_info->start at lines 962, 966, 967, and 972–974 without any null guard. This is asymmetric with trunc_info->stop, which has an explicit assertion at line 968:

      WT_ASSERT(session, trunc_info->stop != NULL);
      

      There is no corresponding assertion or null check for trunc_info->start.

      The call site in src/schema/schema_truncate.c (lines 245–246) invokes this function on the ingest replay path without calling __cursor_needkey to validate the start cursor. The non-replay truncate path at line 248 does perform that validation. WT_ASSERT expands to a no-op in release builds and cannot substitute for a real precondition guard.

      Suggested fix: Add WT_ASSERT(session, trunc_info->start != NULL) at function entry alongside the existing stop assertion, and/or propagate __cursor_needkey validation to the replay call site in schema_truncate.c to match the non-replay path.

      Affected files: src/cursor/cur_layered.c, src/schema/schema_truncate.c
      Coverity CIDs: 205923, 205922

            Assignee:
            Jie Chen
            Reporter:
            Luke Pearson
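
The point about assertions versus precondition guards, as an added example that is not WiredTiger code: `DIAG_ASSERT`, `struct range_info`, `struct cursor` and `replay_truncate` are hypothetical stand-ins for WT_ASSERT, trunc_info, the cursors and the replay function. The macro compiles away unless `DIAGNOSTIC_BUILD` is defined, so only the explicit check turns a missing start cursor into an error return in every build.

```c
/* Added illustration; all names are hypothetical stand-ins, not WiredTiger source. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Diagnostic-only assertion: aborts in diagnostic builds, expands to nothing otherwise. */
#ifdef DIAGNOSTIC_BUILD
#define DIAG_ASSERT(cond) do { if (!(cond)) abort(); } while (0)
#else
#define DIAG_ASSERT(cond) ((void)0)
#endif

struct cursor { const char *key; };                 /* stand-in for a cursor */
struct range_info { struct cursor *start, *stop; }; /* stand-in for trunc_info */

/* Callee: symmetric assertions for developers, plus a guard that exists in every build. */
static int replay_truncate(const struct range_info *info, size_t *start_key_len)
{
    DIAG_ASSERT(info != NULL && info->start != NULL);
    DIAG_ASSERT(info != NULL && info->stop != NULL);

    /* Real precondition guard: still present when DIAG_ASSERT is a no-op. */
    if (info == NULL || info->start == NULL || info->stop == NULL)
        return EINVAL;
    /* Assumed analogue of validating that the start cursor has a key set. */
    if (info->start->key == NULL)
        return EINVAL;

    *start_key_len = strlen(info->start->key); /* dereference is now safe */
    return 0;
}

int main(void)
{
    struct cursor stop = { "z" };
    struct range_info missing_start = { NULL, &stop }; /* constructed input */
    size_t len = 0;

    /* Without DIAGNOSTIC_BUILD the assertion is gone; the guard returns EINVAL. */
    printf("missing start -> %d\n", replay_truncate(&missing_start, &len));
    return 0;
}
```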