Always panic if an invalid capability is passed to capable(..) instead of
just with INVARIANTS

rwatson's point was valid in the sense that if the data passed at runtime is
invalid, it should always trip the invariant, not just in the debug case.
This is a deterrent against malicious input, or input caused by hardware
errors.

MFC after: 4 days
X-MFC with: r302577
Requested by: rwatson
Sponsored by: EMC / Isilon Storage Division