Handling resource exhaustion

Memory exhaustion

(See also dos-spec.md.)

If RAM becomes low, an OR should begin destroying circuits until more memory is free again. We recommend the following algorithm:

  • Set a threshold amount of RAM to recover at 10% of the total RAM.
  • Sort the circuits by their 'staleness', defined as the age of the oldest data queued on the circuit. This data can be:
      * Bytes that are waiting to flush to or from a stream on that circuit.
      * Bytes that are waiting to flush from a connection created with BEGIN_DIR.
      * Cells that are waiting to flush or be processed.
  • While we have not yet recovered enough RAM:
      * Free all memory held by the most stale circuit, and send DESTROY cells in both directions on that circuit. Count the amount of memory we recovered towards the total.
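
The recommended algorithm as a runnable sketch (an added example, not code from the Tor implementation). The Circuit class, its field names, and the sample values are assumptions made for illustration; it also shows the case where circuits run out before the threshold is reached.

```python
from dataclasses import dataclass, field

@dataclass
class Circuit:
    """Hypothetical circuit record; field names are assumptions for this sketch."""
    circ_id: int
    mem_held: int  # bytes released if the circuit is torn down
    # Enqueue times (seconds) of data still queued, one list per kind the text names.
    stream_bytes: list = field(default_factory=list)    # waiting to flush to/from a stream
    begindir_bytes: list = field(default_factory=list)  # waiting on a BEGIN_DIR connection
    cells: list = field(default_factory=list)           # waiting to flush or be processed
    destroyed: bool = False

def staleness(circ, now):
    """Age of the oldest data queued on the circuit; 0 if nothing is queued."""
    queued = circ.stream_bytes + circ.begindir_bytes + circ.cells
    return max(0, now - min(queued)) if queued else 0

def reclaim_memory(circuits, total_ram, now):
    """Destroy the stalest circuits until 10% of total_ram has been recovered.

    Returns (bytes_recovered, ids_destroyed). If every circuit is destroyed
    before the threshold is met, bytes_recovered stays below it.
    """
    threshold = total_ram // 10
    recovered, destroyed = 0, []
    for circ in sorted(circuits, key=lambda c: staleness(c, now), reverse=True):
        if recovered >= threshold:
            break
        # A real relay frees the queues here and sends DESTROY in both directions.
        recovered += circ.mem_held
        circ.mem_held = 0
        for queue in (circ.stream_bytes, circ.begindir_bytes, circ.cells):
            queue.clear()
        circ.destroyed = True
        destroyed.append(circ.circ_id)
    return recovered, destroyed

def sample_circuits():
    """Constructed sample data, not taken from a real relay."""
    return [
        Circuit(1, 400, stream_bytes=[900], cells=[950]),
        Circuit(2, 300),  # idle: nothing queued, so staleness is 0
        Circuit(3, 700, begindir_bytes=[500]),
        Circuit(4, 600, cells=[990]),
    ]

if __name__ == "__main__":
    print(reclaim_memory(sample_circuits(), total_ram=10_000, now=1000))
```

Idle circuits sort last because their staleness is 0, so they are destroyed only when tearing down every circuit with queued data has not recovered enough memory.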