Better, fairer circuit OOM handling
With our second attempt at a #9063 (moved) fix, merged into 0.2.4.14-alpha, I introduced an OOM handler that kills circuits if we're too low on memory. But the obvious algorithm I used ("Algorithm 1" as described on #9072 (moved)) is not as good as it could be or should be.
Currently, I favor looking for a good estimator of "How long will this circuit take to drain all of its currently queued cells?" and using that for deciding which circuits to kill when low on RAM. There are other suggestions on #9072 (moved) too. And to those, add a suggestion from IRC that we look at the age of the oldest cell on the circuit.
If we find something that uses data that Tor currently captures (for example, with the ewma machinery), it will be much easier to deploy.
For whatever we pick, we need to analyze its security implications and look for ways to game it to provoke relays to do something stupid.
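To make the candidate policies concrete, here is an added toy model (not Tor's code, and not the OOM handler from 0.2.4.14-alpha) that runs the same kill loop under three scoring rules: a largest-queue-first rule (what I take the "obvious" algorithm to be; an assumption), the estimated-drain-time rule, and the oldest-cell-age rule. The per-cell memory cost, the per-circuit drain rate (standing in for an ewma-style observed output rate), and the three-circuit scenario are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CELL_BYTES 512  /* assumed per-cell memory cost, for the toy only */

typedef struct {
    int id;
    size_t queued_cells;      /* cells waiting to be written out */
    uint64_t oldest_cell_ms;  /* arrival time of the oldest queued cell */
    double drain_rate_cps;    /* recently observed output rate, cells/sec */
} circuit_t;

typedef enum { POLICY_QUEUE_LENGTH, POLICY_DRAIN_TIME, POLICY_OLDEST_CELL } policy_t;

/* Estimated seconds to drain the queue at the observed rate. A circuit with
   no observed output is treated as "never drains" so it sorts first. */
static double drain_estimate_s(const circuit_t *c) {
    if (c->drain_rate_cps <= 0.0) return 1e9;
    return (double)c->queued_cells / c->drain_rate_cps;
}

/* Age in seconds of the oldest queued cell at time now_ms. */
static double oldest_age_s(const circuit_t *c, uint64_t now_ms) {
    return (double)(now_ms - c->oldest_cell_ms) / 1000.0;
}

/* Higher score = better candidate to kill under the chosen policy. */
static double kill_score(const circuit_t *c, uint64_t now_ms, policy_t p) {
    switch (p) {
    case POLICY_DRAIN_TIME:  return drain_estimate_s(c);
    case POLICY_OLDEST_CELL: return oldest_age_s(c, now_ms);
    default:                 return (double)c->queued_cells;
    }
}

/* Kill the highest-scoring circuit repeatedly until queued memory is at or
   below target_bytes. A killed circuit has its queue zeroed; the ids killed
   are written to kill_order. Returns the number of circuits killed. */
int oom_kill_circuits(circuit_t *circs, int n, size_t target_bytes,
                      uint64_t now_ms, policy_t p, int *kill_order) {
    int killed = 0;
    size_t total = 0;
    for (int i = 0; i < n; i++) total += circs[i].queued_cells * CELL_BYTES;
    while (total > target_bytes) {
        int best = -1;
        double best_score = -1.0;
        for (int i = 0; i < n; i++) {
            if (circs[i].queued_cells == 0) continue;  /* already killed or empty */
            double s = kill_score(&circs[i], now_ms, p);
            if (s > best_score) { best_score = s; best = i; }
        }
        if (best < 0) break;  /* nothing left to free */
        total -= circs[best].queued_cells * CELL_BYTES;
        circs[best].queued_cells = 0;
        kill_order[killed++] = circs[best].id;
    }
    return killed;
}

/* Constructed scenario: three circuits, memory just over the threshold so
   exactly one kill is needed. Returns the id of the first circuit killed. */
int first_killed(policy_t p) {
    circuit_t circs[3] = {
        {1, 2000, 9000, 400.0}, /* biggest queue, but draining fast: ~5 s  */
        {2,  300, 1000,   2.0}, /* small queue, barely draining: ~150 s   */
        {3,  800,  500,  80.0}, /* ~10 s to drain, but oldest cell 9.5 s old */
    };
    uint64_t now_ms = 10000;
    size_t total = (2000 + 300 + 800) * CELL_BYTES;
    int order[3] = {0, 0, 0};
    int killed = oom_kill_circuits(circs, 3, total - 1, now_ms, p, order);
    return killed > 0 ? order[0] : -1;
}

int main(void) {
    printf("queue-length policy kills circuit %d first\n", first_killed(POLICY_QUEUE_LENGTH));
    printf("drain-time policy kills circuit %d first\n",   first_killed(POLICY_DRAIN_TIME));
    printf("oldest-cell policy kills circuit %d first\n",  first_killed(POLICY_OLDEST_CELL));
    return 0;
}
```

The point of the scenario is that the three rules disagree: the queue-length rule kills the busy, fast-draining circuit 1, while the drain-time rule kills the stalled circuit 2 and the oldest-cell rule kills circuit 3. Whichever estimator we pick, the same loop is where the gaming analysis has to happen, since any score computed from client-controllable inputs (queue size, observed rate, cell timing) is what a client would try to push in its favor.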
It would be good to have a default OOM threshold computed in some sane (though probably nonportable) way based on available RAM, with a reasonable cap. That might be ridiculously hard though.
It would also be good to see about taking more potentially-big things into account, not just circuit queues.