Add Asserts to validate prevbit values in bms_prev_member

bms_prev_member() could attempt to access memory outside of the words[]
array in cases where the prevbit was a number < -1 or > a->nwords *
BITS_PER_BITMAPWORD + 1.

Here we add the Asserts to help draw attention to bogus callers so we're
more likely to catch them during development.

In passing, fix wording of bms_prev_member's header comment which talks
about how we expect the callers to ensure only valid prevbit values are
used.

Author: Greg Burd <greg@burd.me>
Reviewed-by: David Rowley <dgrowleyml@gmail.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/2000A717-1FFE-4031-827B-9330FB2E9065%40getmailspring.com

src/backend/nodes/bitmapset.c

@@ -1343,7 +1343,7 @@ bms_next_member(const Bitmapset *a, int prevbit)
  *
  * Returns largest member less than "prevbit", or -2 if there is none.
  * "prevbit" must NOT be more than one above the highest possible bit that can
- * be set at the Bitmapset at its current size.
+ * be set in the Bitmapset at its current size.
  *
  * To ease finding the highest set bit for the initial loop, the special
  * prevbit value of -1 can be passed to have the function find the highest
@@ -1379,6 +1379,10 @@ bms_prev_member(const Bitmapset *a, int prevbit)
 	if (a == NULL || prevbit == 0)
 		return -2;
 
+	/* Validate callers didn't give us something out of range */
+	Assert(prevbit <= a->nwords * BITS_PER_BITMAPWORD);
+	Assert(prevbit >= -1);
+
 	/* transform -1 to the highest possible bit we could have set */
 	if (prevbit == -1)
 		prevbit = a->nwords * BITS_PER_BITMAPWORD - 1;