Fix segfault in ArrayVec<Vec<T>>::into_vec

[philipc]

Fixes #599

[philipc]

The new asserts are enough for this to be covered by existing tests. The error was also detected by miri, and this is now fixed.

[cbiffle]

Out of curiosity, I notice that after the fix the code is still constructing a prefix of a slice using from_raw_parts_mut in DerefMut/Deref, and only checking bounds in debug builds. What performance benefit did you measure from skipping the bounds checks in release builds, rather than using bounds-checked prefixing (&mut slice[..len]), which would turn this class of mistake into a panic rather than a segfault?

(Just finished tracking down an intermittent crash in our debugger due to this.)

[philipc]

I didn't check for this PR, but when the ArrayVec implementation was first introduced it had a measurable difference in the existing benchmarks.