Limit the number of non-open general circuits
With some proposal 171 options, it's pretty easy for an ill-conceived configuration and a/or a hostile application/server combination to provoke a huge number of circuits. For example, if the user foolishly chooses IsolateDestAddr or IsolateDestPort on a port that they then use for web browsing, a hostile webpage can trivially make Tor try connections to an arbitrarily large number of addresses, or to every possible port.
We could say "Don't do that then", but there's always some genius who wants to ship a "sooper secure" bundle with all the options turned on. So instead, let's have an option to limit the number of general circuits that can be in a "building" state at a time.
This should have a reasonably safe default and a reasonably high maximum.