Parent-child interaction in detail

On a conceptual level, the session-creation procedure as described in Section "Services and sessions" appears as a synchronous interaction between the parent and its child components. The interaction serves three purposes. First, it is used to communicate information between different protection domains, in this case the parent, the client, and the server. Second, it implicitly dictates the flow of control between the involved parties because the caller blocks until the callee replies. Third, the interplay delegates authority (in particular authority to access the server's session object) between protection domains. This delegation is realized through the kernel's ability to carry capabilities as IPC message payload.

Figure 1: Parent-child interplay during the creation of a new session. The dotted lines are asynchronous notifications, which have fire-and-forget semantics. A component that triggers a signal does not block.
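A minimal model of the interplay in Figure 1, added here as an example and not taken from Genode's code: the parent only raises fire-and-forget notifications toward its children, the children call the parent synchronously, and every parent call returns without waiting on another child. The type and function names and the exact steps (request, deliver, fetch) are assumptions made for illustration.

```cpp
// Added model, not Genode code: all names and the message steps are assumptions.
#include <cstdio>
#include <map>
#include <string>

using Cap = int;                       // stand-in for a kernel capability
const Cap INVALID_CAP = 0;             // returned while a session is still pending
enum class State { REQUESTED, AVAILABLE };

struct Child { bool signal_pending = false; };    // async notification = a flag

struct Parent {
    struct Session { std::string server; State state; Cap cap; };
    std::map<int, Session>       sessions;
    std::map<std::string, Child> children;
    int next_id = 1;

    // Fire-and-forget: marks the signal and returns, never waits for the receiver.
    void notify(const std::string &child) { children[child].signal_pending = true; }

    // RPC called by a client: records the request and returns at once.
    int request_session(const std::string &server) {
        int id = next_id++;
        sessions[id] = { server, State::REQUESTED, INVALID_CAP };
        notify(server);
        return id;
    }
    // RPC called by a server after it created the session object.
    void deliver_cap(int id, Cap cap, const std::string &client) {
        sessions[id].state = State::AVAILABLE;
        sessions[id].cap   = cap;
        notify(client);
    }
    // RPC called by the client after its notification; invalid while pending.
    Cap session_cap(int id) const {
        auto it = sessions.find(id);
        if (it == sessions.end() || it->second.state != State::AVAILABLE) return INVALID_CAP;
        return it->second.cap;
    }
};

int main() {
    Parent p;
    int stuck = p.request_session("hung_server");   // this server never answers
    int ok    = p.request_session("good_server");   // parent is still responsive
    p.deliver_cap(ok, 42, "client");                // good_server reacted to its signal
    std::printf("ok cap=%d, stuck cap=%d (0 = pending)\n", p.session_cap(ok), p.session_cap(stuck));
}
```

The request to `hung_server` stays in the `REQUESTED` state indefinitely, yet no parent function ever waits on it, so the second session completes normally.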

On the surface, the interaction looks like a sequence of synchronous RPC calls. However, under the hood, the interplay between the parent and its children is based on a combination of asynchronous notifications from the parent to the children and synchronous RPC from the children to the parent. The protocol is designed such that the parent's liveness remains independent of the behavior of its children, which must generally be regarded as untrusted from the parent's perspective. The sequence of creating a session is depicted in Figure 1. The following points are worth noting: