The old behavior was susceptible to the compiler optimizing out our assertion check, *and* could still overflow size_t on 32-bit systems even when it did work.
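
An added example, not code from this change or its project: a size check written as an ordinary runtime branch that runs before the arithmetic, so it survives `NDEBUG` builds (where `assert()` compiles to nothing) and never depends on detecting a wrap after the fact. The old check is not shown here, so the calculation `header + count * elem_size`, the name `checked_alloc_size`, and the `limit` parameter (standing in for `SIZE_MAX`, so the 32-bit case can be exercised on a 64-bit host) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not from the original change).
 * Computes header + count * elem_size, refusing any input whose true result
 * would exceed `limit`. Pass SIZE_MAX as `limit` in real code; passing
 * UINT32_MAX models a 32-bit size_t.
 * The check is a plain `if`, not an assert(), and it is evaluated before the
 * multiplication and addition, so no intermediate value can wrap. */
static bool checked_alloc_size(uint64_t count, uint64_t elem_size,
                               uint64_t header, uint64_t limit,
                               uint64_t *out)
{
    if (header > limit)
        return false;
    /* count * elem_size > limit - header  <=>  count > (limit - header) / elem_size */
    if (elem_size != 0 && count > (limit - header) / elem_size)
        return false;
    *out = header + count * elem_size;
    return true;
}

int main(void)
{
    uint64_t total = 0;
    /* Constructed sample input: 65536 elements of 65536 bytes = 2^32 bytes. */
    bool ok32 = checked_alloc_size(0x10000, 0x10000, 0, UINT32_MAX, &total);
    printf("32-bit limit: %s\n", ok32 ? "accepted" : "rejected");
    bool ok64 = checked_alloc_size(0x10000, 0x10000, 0, UINT64_MAX, &total);
    printf("64-bit limit: %s (%llu bytes)\n", ok64 ? "accepted" : "rejected",
           (unsigned long long)total);
    return 0;
}
```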