l4-hurd

Re: Reliability of RPC services


From: Jonathan S. Shapiro
Subject: Re: Reliability of RPC services
Date: Tue, 25 Apr 2006 10:07:03 -0400

On Tue, 2006-04-25 at 13:16 +0200, Marcus Brinkmann wrote:

> In the move-only-and-send-exactly-once model, there is no
> communication possible between A and B if S properly handles the reply
> capabilities.  If S does _not_ properly handle the reply capabilities,
> all bets are off anyway.  That would just be an exploit of a bug in S,
> not of the system architecture.

Yes. This is true in the "move-only" model also. Whether the capability
is "send-at-most-once" is orthogonal.

A caution about "send-exactly-once": there is no such thing. One of the
things that we should try to preserve is the possibility of extending
capabilities across a network. It is well known that (1)
"send-exactly-once" cannot be implemented across a network, and (2) if a
watchdog terminates a connection, there is a fundamental race: the
server will not know that the session is gone until it tries to reply,
which may be after it completes the operation. All of this is true
because of network partitions.

*Because* we want to preserve this possibility, I think that this is
also the correct baseline architecture for local failures. If we
introduce a cancellation mechanism, we must understand that cancellation
is best-effort, and not guaranteed.

shap
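
The watchdog race Shapiro describes, as an added example that is not part of the original thread nor of any Hurd or Coyotos code: a move-only, send-at-most-once reply capability, a session that a watchdog can terminate, and a server S that commits its operation before it learns the session is gone. All class and function names here are assumptions.

```python
# Constructed model, not Hurd or Coyotos code; all names are assumptions.
from dataclasses import dataclass, field


@dataclass
class Session:
    alive: bool = True
    inbox: list = field(default_factory=list)

    def watchdog_terminate(self) -> None:
        self.alive = False    # cancellation marks it gone; rolls nothing back


@dataclass
class ReplyCap:
    session: Session
    moved: bool = False   # move-only: may change hands exactly once
    used: bool = False    # send-at-most-once: one invocation consumes it

    def move(self) -> "ReplyCap":
        if self.moved:
            raise RuntimeError("move-only capability already transferred")
        self.moved = True
        return self

    def send(self, payload: str) -> bool:
        """Invoke the reply cap; False means the session was already gone."""
        if self.used:
            raise RuntimeError("send-at-most-once capability already invoked")
        self.used = True
        if not self.session.alive:
            return False          # the only signal the server ever gets
        self.session.inbox.append(payload)
        return True


def server_handle(cap: ReplyCap, ledger: list, op: str, during_op=None) -> bool:
    """Commit the operation, then reply. Returns whether the reply arrived."""
    ledger.append(op)             # side effect is durable from here on
    if during_op is not None:
        during_op()               # e.g. the watchdog fires while S is still busy
    return cap.send(f"done:{op}")  # S learns of the lost session only now


def race_scenario(watchdog_fires: bool):
    sess = Session()
    cap = ReplyCap(sess).move()   # client A moves its reply cap to server S
    ledger: list = []
    hook = sess.watchdog_terminate if watchdog_fires else None
    delivered = server_handle(cap, ledger, "write", during_op=hook)
    return delivered, ledger, sess.inbox
```

`race_scenario(True)` is the case the thread worries about: the ledger already holds the write, but the client never sees the reply, so cancellation was best-effort rather than guaranteed.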