i'm skeptical that this is a real-world problem. i've not run out of memory without hosing the system to the point where it needed to be rebooted.
the problem we face is that we can't isolate our programs on dedicated hardware the way you isolate venti for example. if you ran a standalone venti server and ran out of memory you could argue that the crap has hit the fan irrevocably. some of our code looks a lot like a meta-kernel: we provide the capabilities for running other programs on many machines concurrently. in more cases than anyone will admit, those programs misbehave badly but we can't afford to throw the towel every time. to illustrate from experience, just in the space of one month this year, we ran out of memory, out of processes to run, out of time and out of file descriptors in trivial cases. we simply must keep going or at least sit quietly and wait for the storm to pass... i'm sorry if i'm not explaining the situation too well.
