tor-proto: Circuit::chan_sender should participate in memquota
Currently Circuit::chan_sender is a SometimesUnboundedSink. When the circuit reactor sends a relay cell in send_relay_cell(), it uses SometimesUnboundedSink::send_unbounded(). The SometimesUnboundedSink contains an internal VecDeque which is used if the Sink (the outgoing Tor channel) is unable to take the cell.
Since this VecDeque is being used to queue cells on the circuit, I think it needs to participate in the memquota system.
The documentation for Circuit::chan_sender says:
/// Sender object used to actually send cells.
///
/// NOTE: Control messages could potentially add unboundedly to this, although that's
/// not likely to happen (and isn't triggereable from the network, either).
pub(super) chan_sender: SometimesUnboundedSink<AnyChanCell, ChannelSender>,but this doesn't seem right to me. AFAICT we use send_unbounded for all relay cells that we are sending from this circuit. So I think this queue is currently unbounded. But due to circuit sendme windows, in practice it shouldn't exceed a certain size. This may be different with congestion control though.
Also see #2111.