Check the calculations in cc_stats_refill_bucket using non-fatal assertions

In legacy/trac#25128, we removed an incorrect non-fatal assertion in cc_stats_refill_bucket() to silence a warning:

  /* This function is not allowed to make the bucket count smaller */
  tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket);

But we could have fixed the check instead, and added another check:

  /* This function is not allowed to make the bucket count larger than the burst value */
  tor_assert_nonfatal(new_circuit_bucket_count <= dos_cc_circuit_burst);
  /* This function is not allowed to make the bucket count smaller, unless it is
   * decreasing it to a newly configured, lower burst value. We allow the bucket to
   * stay the same size, in case the circuit rate is zero. */
  tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket ||
    new_circuit_bucket_count == dos_cc_circuit_burst);

We could be even more clever, and skip parts of the function if the rate is zero. That's probably unnecessary. I'll think about it.

I should get a chance to turn this into a proper branch over the next week or so. If someone else wants to do it before then, go for it!
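
The two proposed conditions can be exercised against a simplified refill model. This is an added example, not part of the original ticket and not Tor's code: `model_refill()`, `removed_check_holds()` and `proposed_checks_hold()` are hypothetical names, the refill arithmetic is an assumption, and the checks return a boolean instead of calling `tor_assert_nonfatal()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a token bucket refill, NOT Tor's implementation.
 * model_refill() and both check helpers are hypothetical names. */
static uint32_t
model_refill(uint32_t circuit_bucket, uint32_t rate, uint32_t burst,
             uint64_t elapsed_secs)
{
  uint64_t added;
  /* Saturate instead of letting rate * elapsed_secs wrap. */
  if (rate != 0 && elapsed_secs > UINT32_MAX / rate)
    added = burst;
  else
    added = (uint64_t)rate * elapsed_secs;
  uint64_t total = (uint64_t)circuit_bucket + added;
  /* Clamp to the burst currently configured, which may have been lowered. */
  return total > burst ? burst : (uint32_t)total;
}

/* The removed check: fails when the bucket is clamped to a lowered burst. */
static bool
removed_check_holds(uint32_t old_count, uint32_t new_count)
{
  return new_count >= old_count;
}

/* The two conditions proposed in the ticket, returned as a boolean. */
static bool
proposed_checks_hold(uint32_t old_count, uint32_t new_count, uint32_t burst)
{
  bool within_burst = new_count <= burst;
  bool not_smaller = new_count >= old_count || new_count == burst;
  return within_burst && not_smaller;
}

int
main(void)
{
  /* Constructed case: bucket held 10, burst reconfigured down to 5. */
  unsigned lowered = model_refill(10, 3, 5, 1);
  printf("lowered burst: new=%u removed=%d proposed=%d\n", lowered,
         removed_check_holds(10, lowered), proposed_checks_hold(10, lowered, 5));
  /* Constructed case: rate is zero, so the bucket stays at 4. */
  unsigned idle = model_refill(4, 0, 10, 100);
  printf("zero rate: new=%u proposed=%d\n", idle, proposed_checks_hold(4, idle, 10));
  return 0;
}
```
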