COMMUNICATIONS

ACM
CACM.ACM.ORG OF THE 02/2019 VOL.62 NO.02

A New Golden Age for

Computer Architecture
Agriculture Technology
Monitoring Noise Pollution
The Computational Sprinting Game
Blockchain from a Distributed
Computing Perspective

Association for
Computing Machinery
 Call for Nominations
Editor-in-Chief
ACM Books
The ACM Publications Board is seeking an Editor-in-Chief for ACM Books
(http://books.acm.org).
Established in 2012 as a series of high-quality books for the computer
science community, the ACM Books program now lists approximately 25
published titles with a similar number in preparation.
This EiC position is responsible for the editorial management of the Books
series, consistent with general ACM policies.
The Publications Board relies on the Books EiC to ensure content maintains
its exceptional quality and that the editorial process is both timely and fair.
The EiC will work with the in-house ACM editor to develop an editorial
board and appoint associate editors.

Nominations are invited for a three- Nominating committee members are:

year term as ACM Books Editor-in-Chief, Ron Perrot,
beginning on 1st May 2019. University of Oxford, UK, (Chair);
The EiC appointment may be renewed at David Abramson,
most one time. University of Queensland, Australia;
This is an entirely voluntary position, but ACM Tiziana Catarci,
will provide appropriate administrative support. University of Rome, Italy;
Nominations should include a brief statement Mathai Joseph,
as to why the nominee should be considered Maharashtra, India;
and a short statement on the candidate’s vision
Y Annie Liu,
for the future development of ACM Books.
Stony Brook University, USA;
Self-nominations are most welcomed.
Thomas J. Misa,
Please send all nominations to
University of Minnesota, USA;
Ron Perrot r.perrott@gmail.com or
Achi Dosanjh achi.dosanjh@hq.acm.org. Chris Hankin,
ACM Publications Board Liaison,
The ACM Publications Board has established
a nominating committee to assist in selecting Divesh Srivastava,
the next EiC. ACM Publications Board Liaison
Communications of the ACM
Europe Region
Special Section
A collection of articles spotlighting many of the leading-edge
industry, academic, and government initiatives under way
throughout Europe is coming to Communications this spring.
Articles will be authored by many of the region’s leading computing
professionals, highlighting exciting advances in technologies,
diversity, and educational directives.

Among the topics to be explored:

† Web Science: Constructive, Analytics, Truly Social
† The European Perspective on Responsible Computing
† Information for All—A European Initiative
† Connected Things (Connecting Europe)
† Women in STEM in Europe
† EuroHPC

Plus the latest news about

Europe’s ICT agenda,
well-connected consumers,
HiPEAC network,
enterprises that lead
ICT innovation,
and much more.
COMMUNICATIONS OF THE ACM

Departments News Viewpoints

5 Cerf’s Up 20 Privacy and Security

Libraries Considered Hazardous 2018: A Big Year for Privacy
By Vinton G. Cerf Retracing the pivotal privacy and
security-related events and ensuing
6 Letters to the Editor issues from the past year.
Between the Lines in By Carl Landwher
the China Region Special Section
23 Broadening Participation
8 BLOG@CACM How Computer Science at CMU Is
Seeking Digital Humanities, Attracting and Retaining Women
IT Tech Support Carnegie Mellon University’s
Herbert Bruderer explains why successful efforts enrolling,
the opposite of digital is not analog; sustaining, and graduating women
Robin K. Hill describes how in computer science challenge
the challenges of user support 11 the belief in a gender divide
are aggravated by indeterminate in CS education.
client responsibility. 11 A Brave New World By Carol Frieze and Jeria L. Quesenberry
of Genetic Engineering
31 Calendar Genetic engineering technologies 27 Kode Vicious
are advancing at a furious rate, Writing a Test Plan
117 Careers changing the world one cell at a time. Establish your hypotheses,
By Samuel Greengard methodologies, and expected results.
By George V. Neville-Neil
Last Byte 14 Technologizing Agriculture
An array of technologies 28 Viewpoint
120 Future Tense are making farms more efficient, Tony’s Law
Hawking’s Nightmare safer, and profitable. Seeking to promote regulations for
By David Allen Batchelor By Keith Kirkpatrick reliable software for the long-term
prosperity of the software industry.
17 Being Recognized Everywhere By Dror G. Feitelson
How facial and voice recognition
are reshaping society. 32 Viewpoint
By Logan Kugler Do We Really Need
Computational Thinking?
Considering the expression
“computational thinking” as an
entry point to understand why
the fundamental contribution of
computing to science is the shift
from solving problems to having
problems solved.
By Enrico Nardelli

About the Cover:

John L. Hennessy and
David A. Patterson’s
IMAGE BY YURC HA NKA SIA RHEI

Turing Lecture (p. 48)

traces computing
architecture from the
1960s to present day and
presents their projections
for the field’s next “Golden
Age” in the coming decade.
Cover illustration by Peter
Crowther Associates.

2 COMMUNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 02/2019 VOL. 62 NO. 02

Practice Contributed Articles Review Articles

48 Turing Lecture 78 Blockchains from a Distributed

A New Golden Age for Computing Perspective
Computer Architecture The roots of blockchain
Innovations like domain-specific technologies are deeply interwoven
hardware, enhanced security, open in distributed computing.
instruction sets, and agile chip By Maurice Herlihy
development will lead the way.
By John L. Hennessy Watch the author discuss
his work in the exclusive
and David A. Patterson Communications video.
https://cacm.acm.org/
videos/blockchains-from-
a-distributed-computing-
perspective
To watch Hennessy and
Patterson’s full Turing
Lecture, see https://
www.acm.org/hennessy- 86 Separation Logic
36 patterson-turing-lecture Separation logic is a key development
in formal reasoning about programs,
36 CodeFlow: 61 Even Central Users Do Not Always opening up new lines of attack on
Improving the Code Review Drive Information Diffusion longstanding problems.
Process at Microsoft Diffusion speed and scale depend By Peter O’Hearn
A discussion with Jacek Czerwonka, on all kinds of information,
Michaela Greiler, Christian Bird, not just which users have
Lucas Panjer, and Terry Coatta the most or fewest connections. Research Highlights
By Chao Gao, Zhen Su, Jiming Liu,
45 The Importance of a Great Finish and Jürgen Kurths 97 Technical Perspective
You have to finish strong, every time. How Economic Theories Can
By Kate Matsudaira 68 SONYC: A System for Monitoring, Help Computers Beat the Heat
Analyzing, and Mitigating Urban By Thomas F. Wenisch
Articles’ development led by Noise Pollution
queue.acm.org
SONYC integrates sensors, machine 98 Distributed Strategies for
listening, data analytics, and citizen Computational Sprints
science to address noise pollution By Songchun Fan, Seyed Majid Zahedi,
in New York City. and Benjamin C. Lee
By Juan P. Bello, Claudio Silva,
Oded Nov, R. Luke Dubois, 107 Technical Perspective
Anish Arora, Justin Salamon, To Do or Not to Do:
Charles Mydlarz, Extending SQL with Integer
and Harish Doraiswamy Linear Programming?
By Surajit Chaudhuri

Watch the authors discuss 108 Scalable Computation of High-Order

this work in the exclusive Optimization Queries
IMAGE BY AND RIJ BORYS ASSOCIAT ES/SHUT TERSTOCK

Communications video.
https://cacm.acm.org/ By Matteo Brucato, Azza Abouzied,
videos/sonyc and Alexandra Meliou

Association for Computing Machinery

Advancing Computing as a Science & Profession

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF THE ACM 3

 COMMUNICATIONS OF THE ACM
Trusted insights for computing’s leading professionals.

Communications of the ACM is the leading monthly print and online magazine for the computing and information technology fields.
Communications is recognized as the most trusted and knowledgeable source of industry information for today’s computing professional.
Communications brings its readership in-depth coverage of emerging areas of computer science, new trends in information technology,
and practical applications. Industry leaders use Communications as a platform to present and debate various technology implications,
public policies, engineering challenges, and market trends. The prestige and unmatched reputation that Communications of the ACM
enjoys today is built upon a 50-year commitment to high-quality editorial content and a steadfast dedication to advancing the arts,
sciences, and applications of information technology.

ACM, the world’s largest educational STA F F EDITORIAL BOARD ACM Copyright Notice
and scientific computing society, delivers DIRECTOR OF PU BL ICATIONS E DITOR- IN- C HIE F Copyright © 2019 by Association for
resources that advance computing as a Scott E. Delman Andrew A. Chien Computing Machinery, Inc. (ACM).
science and profession. ACM provides the cacm-publisher@cacm.acm.org eic@cacm.acm.org Permission to make digital or hard copies
computing field’s premier Digital Library Deputy to the Editor-in-Chief of part or all of this work for personal
and serves its members and the computing Executive Editor Lihan Chen or classroom use is granted without
profession with leading-edge publications, Diane Crawford cacm.deputy.to.eic@gmail.com fee provided that copies are not made
conferences, and career resources. Managing Editor S E NIOR E DITOR or distributed for profit or commercial
Thomas E. Lambert Moshe Y. Vardi advantage and that copies bear this
Executive Director and CEO Senior Editor notice and full citation on the first
Vicki L. Hanson Andrew Rosenbloom NE W S page. Copyright for components of this
Deputy Executive Director and COO Senior Editor/News Co-Chairs work owned by others than ACM must
Patricia Ryan Lawrence M. Fisher Marc Snir and Alain Chesnais be honored. Abstracting with credit is
Director, Office of Information Systems Web Editor Board Members permitted. To copy otherwise, to republish,
Wayne Graves David Roman Monica Divitini; Mei Kobayashi; to post on servers, or to redistribute to
Director, Office of Financial Services Editorial Assistant Rajeev Rastogi; François Sillion lists, requires prior specific permission
Darren Ramdin Danbi Yu and/or fee. Request permission to publish
Director, Office of SIG Services VIE W P OINTS from permissions@hq.acm.org or fax
Donna Cappo Art Director (212) 869-0481.
Co-Chairs
Director, Office of Publications Andrij Borys
Tim Finin; Susanne E. Hambrusch;
Scott E. Delman Associate Art Director For other copying of articles that carry a
John Leslie King; Paul Rosenbloom
Margaret Gray code at the bottom of the first or last page
Board Members
Assistant Art Director or screen display, copying is permitted
ACM CO U N C I L Michael L. Best; Judith Bishop; Andrew W. Cross;
Mia Angelica Balaquiot provided that the per-copy fee indicated
President James Grimmelmann; Mark Guzdial;
Production Manager in the code is paid through the Copyright
Cherri M. Pancake Haym B. Hirsch; Richard Ladner;
Bernadette Shade Clearance Center; www.copyright.com.
Vice-President Carl Landwehr; Beng Chin Ooi;
Intellectual Property Rights Coordinator
Elizabeth Churchill Francesca Rossi; Loren Terveen;
Barbara Ryan Subscriptions
Secretary/Treasurer Marshall Van Alstyne; Jeannette Wing;
Advertising Sales Account Manager An annual subscription cost is included
Yannis Ioannidis Susan J. Winter
Ilia Rodriguez in ACM member dues of $99 ($40 of
Past President
Alexander L. Wolf which is allocated to a subscription to
Chair, SGB Board Columnists P R AC TIC E Communications); for students, cost
Jeff Jortner David Anderson; Michael Cusumano; Co-Chairs is included in $42 dues ($20 of which
Co-Chairs, Publications Board Peter J. Denning; Mark Guzdial; Stephen Bourne and Theo Schlossnagle is allocated to a Communications
Jack Davidson and Joseph Konstan Thomas Haigh; Leah Hoffmann; Mari Sako; Board Members subscription). A nonmember annual
Members-at-Large Pamela Samuelson; Marshall Van Alstyne Eric Allman; Samy Bahra; Peter Bailis; subscription is $269.
Gabriele Anderst-Kotis; Susan Dumais; Betsy Beyer; Terry Coatta; Stuart Feldman;
Renée McCauley; Claudia Bauzer Mederios; C O N TAC T P O IN TS Nicole Forsgren; Camille Fournier; ACM Media Advertising Policy
Elizabeth D. Mynatt; Pamela Samuelson; Copyright permission Jessie Frazelle; Benjamin Fried; Tom Killalea; Communications of the ACM and other
Theo Schlossnagle; Eugene H. Spafford permissions@hq.acm.org Tom Limoncelli; Kate Matsudaira; ACM Media publications accept advertising
SGB Council Representatives Calendar items Marshall Kirk McKusick; Erik Meijer; in both print and electronic formats. All
Sarita Adve; Jeanna Neefe Matthews calendar@cacm.acm.org George Neville-Neil; Jim Waldo; advertising in ACM Media publications is
Change of address Meredith Whittaker at the discretion of ACM and is intended
BOARD C HA I R S acmhelp@acm.org to provide financial support for the various
Letters to the Editor activities and services for ACM members.
Education Board C ONTR IB U TE D A RTIC LES
letters@cacm.acm.org Current advertising rates can be found
Mehran Sahami and Jane Chu Prey Co-Chairs
by visiting http://www.acm-media.org or
Practitioners Board James Larus and Gail Murphy
W E B S IT E by contacting ACM Media Sales at
Terry Coatta Board Members
http://cacm.acm.org (212) 626-0686.
William Aiello; Robert Austin; Kim Bruce;
REGIONA L C O U N C I L C HA I R S Alan Bundy; Peter Buneman; Jeff Chase;
WEB BOARD Single Copies
ACM Europe Council Carl Gutwin; Yannis Ioannidis;
Chair Single copies of Communications of the
Chris Hankin Gal A. Kaminka; Ashish Kapoor;
James Landay ACM are available for purchase. Please
ACM India Council Kristin Lauter; Igor Markov; Bernhard Nebel;
Board Members contact acmhelp@acm.org.
Abhiram Ranade Lionel M. Ni; Adrian Perrig; Marie-Christine
Marti Hearst; Jason I. Hong;
ACM China Council Rousset; Krishan Sabnani; m.c. schraefel;
Jeff Johnson; Wendy E. MacKay COMMUN ICATION S OF THE ACM
Wenguang Chen Ron Shamir; Alex Smola; Josep Torrellas;
Sebastian Uchitel; Hannes Werthner; (ISSN 0001-0782) is published monthly
AU T H O R G U ID E L IN ES by ACM Media, 2 Penn Plaza, Suite 701,
http://cacm.acm.org/about- Reinhard Wilhelm
PUB LICATI O N S BOA R D New York, NY 10121-0701. Periodicals
Co-Chairs communications/author-center postage paid at New York, NY 10001,
RES E A R C H HIGHLIGHTS
Jack Davidson; Joseph Konstan and other mailing offices.
Board Members Co-Chairs
ACM ADVERTISIN G DEPARTM E NT Azer Bestavros and Shriram Krishnamurthi
Phoebe Ayers; Edward A. Fox; Chris Hankin; 2 Penn Plaza, Suite 701, New York, NY POSTMASTER
Xiang-Yang Li; Nenad Medvidovic; Board Members
10121-0701 Please send address changes to
Sue Moon; Michael L. Nelson; Martin Abadi; Amr El Abbadi; Sanjeev Arora;
T (212) 626-0686 Communications of the ACM
Sharon Oviatt; Eugene H. Spafford; Michael Backes; Maria-Florina Balcan;
F (212) 869-0481 2 Penn Plaza, Suite 701
Stephen N. Spencer; Divesh Srivastava; David Brooks; Stuart K. Card; Jon Crowcroft;
New York, NY 10121-0701 USA
Robert Walker; Julie R. Williamson Alexei Efros; Bryan Ford; Alon Halevy;
Advertising Sales Account Manager Gernot Heiser; Takeo Igarashi; Sven Koenig;
Ilia Rodriguez Greg Morrisett; Tim Roughgarden;
ACM U.S. Public Policy Office ilia.rodriguez@hq.acm.org Printed in the USA.
Adam Eisgrau, Guy Steele, Jr.; Robert Williamson;
Director of Global Policy and Public Affairs Margaret H. Wright; Nicholai Zeldovich;
Media Kit acmmediasales@acm.org
1701 Pennsylvania Ave NW, Suite 300, Andreas Zeller
Washington, DC 20006 USA
Association for Computing Machinery S P EC IA L S EC TIONS
T (202) 659-9711; F (202) 667-1066
(ACM) Co-Chairs
Computer Science Teachers Association 2 Penn Plaza, Suite 701 Sriram Rajamani and Jakob Rehof A
SE
REC
Y

Jake Baskin New York, NY 10121-0701 USA Board Members

E

CL
PL

Executive Director T (212) 869-7440; F (212) 869-0481 Tao Xie; Kenjiro Taura; David Padua
NE
TH

S
I

Z
I

M AGA

4 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 cerf’s up

DOI:10.1145/3302508 Vinton G. Cerf

Libraries Considered Hazardous

Do you remember the story of the room full
of immortal monkeys typing on typewriters
forever? Eventually they would produce all
works ever written and that would ever be
written. They would capture all truth reality. Even when they are not quite based on AI and machine learning.
but also everything that is false or only right, some theories can still be very The libraries of the future cannot
partly true. Were we to walk into such a useful. Newton’s laws are useful for merely be catalogs of digital (and older
place we would be confronted with an many computations but under condi- media) content. The objects in the dig-
ultimate challenge: How to tell that tions of acceleration, high-speed or in- ital library will need to interact in some
which was true from everything else in tense gravity, one needs Einstein’s re- fashion so that truth value of their con-
this ultimate library? finements. And when we get to the tents can be adjusted as new knowl-
In some ways, the contents of the ultra-small, we must move to quantum edge becomes available and is ab-
Internet and especially the World theory, but it doesn’t account for gravi- sorbed into the library. Such a process
Wide Web pose a similar challenge. ty! The challenge for us is to know un- may actually prove feasible for factual
About half the world’s population is der what conditions the approxima- knowledge but even there, fact can be
now online according to estimates by tions are applicable. elusive. Just as relativity theory shows
the International Telecommunica- How does all this apply to librar- us that two observers of the same two
tion Union.a These approximately 3.8 ies? Libraries are organized accumu- events may legitimately disagree as to
billion people produce enormous lations of information. I almost wrote the order in which these events oc-
quantities of information on Web “knowledge” but that term seems to curred, it is not always clear what is
pages, in databases, in social media, connote “truth” and we know now factual and what is speculation.
and other online platforms. While I that all information is not true. As we All this tells us is that persistent
do not mean to suggest these Inter- accumulate more and more informa- accumulation of knowledge requires
nauts are no better than monkeys tion, how can we curate this content care and curation over time. One
typing at random, there is a great so as to correctly distinguish truth might even imagine that digital on-
deal of misinformation mixed in from fiction? How do we cope with line libraries might have the ability to
with very high-quality content. Some the discovery that what we thought update themselves as new knowledge
of that misinformation is a conse- was true is, in fact, false in the light of is added. John McCarthyb once said
quence of ignorance, but some is de- new information? Librarians have a to me, “Do you know, 100 years from
liberately produced disinformation role to play here as keepers of knowl- now they will say, ‘100 years ago they
intended to confuse or to bend pub- edge, but even they cannot be expect- had books that didn’t talk to each
lic opinion to achieve questionable ed to be omniscient. What about digi- other!’” It will be an enormous task to
ends. Ironically, some of the best tal content? What about online devise methods to accumulate and
quality, highly endorsed information content? Can the curators of knowl- curate digital content and its relevant
is also wrong, not out of malevolent edge use online digital libraries to metadata including provenance and
intent, but because it has been inval- maintain and curate content, helping validity. Will computer, information,
idated by the scientific method: the- the users of the library to find truth and library science be up to the task?
ory, experiment, and measurement and reject fiction (except, perhaps, We can but try.
leading to proof or refutation. when looking for entertainment)?
If we are honest with ourselves, sci- The task of curating the Internet’s b 1971 ACM A.M. Turing Award honoree.
ence is, at best, an approximation of contents is well beyond any one per-
son’s ability, or even any particular Vinton G. Cerf is vice president and Chief Internet Evangelist
a https://www.voanews.com/a/more-than-half-
group. If we are to curate this content, at Google. He served as ACM president from 2012–2014.

the-world-s-population-is-using-the-inter- we will need widespread collabora-

net/4692926.html tion, some of it with automated tools Copyright held by author.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF THE ACM 5

letters to the editor

DOI:10.1145/3302011

Between the Lines in the

China Region Special Section

A
the special section
S I RE A D plications of technology in society. We More to Learn
on the China Region (Nov. should be suspicious of government About Machine Learning
2018), I thought privacy agencies and regulators redefining pri- In their Viewpoint “Learning Machine
in China deserved bet- vacy or downgrading it or citing nation- Learning” (Dec. 2018), Ted G. Lewis
ter treatment than was al security to make such applications fit and Peter J. Denning used a Q&A for-
expressed in the section’s foreword their agenda. A similar observation can mat to address machine learning and
“Welcome to the China Region Spe- be made about privately run corpora- neural nets but, in my view, omitted
cial Section” by co-organizers Wen- tions as well, especially social networks. two fundamental and important ques-
guang Chen and Xiang-Yang Li, that Articles and columns in Commu- tions. The first is:
“People in China seem less sensitive nications should include, along with Q. Is machine learning the best way
about privacy.” It sounded almost technological achievement, consider- to get the most reliable and efficient
identical to what Robin Li, CEO and ations on how they might be abused solution to a problem?
co-founder of Baidu, said in a talk at and the lessons that should be learned A. Not generally.
the March 2018 China Development when they are. It would mean extra To explain my answer, I need a defi-
Forum that was not well received by work for every author, as well as in- nition of “machine learning.” Machine
China’s Internet users.2 creased reader skepticism, but would learning is a machine collecting data
A March 2018 survey of 100,000 surely increase awareness. while providing service and using the
Chinese households by CCTV and Ten- As a New Year’s resolution, I re- data to improve the speed or accuracy of
cent Research reported 76.3% of par- spectfully invite everyone to read or re- the service. This is neither new nor un-
ticipants view AI as a threat to privacy.1 read the ACM Code of Ethics and Pro- usual. For example, a search program
Other global privacy surveys, including fessional Conduct (https://www.acm. can reorder its search list to move the
one by KPMG, reported privacy aware- org/code-of-ethics), especially sections most frequently requested items toward
ness in China as far more prevalent 1.1, 1.2, and 1.6, and incorporate it into the top of the list. This improves per-
than the authors seemed to imply. their research and professional prac- formance until there is a major change
One of the few critical notes in the tice, especially those with authority in the probability of the items being
special section came near the end of the and influence—or who publish in its requested. When this happens, perfor-
Elliott Zaagman’s article “China’s Com- leading publication. mance may degrade until the machine
puting Ambitions” when it called the “learns” the new probabilities. Sugges-
References
lack of (Western-style) legal protections 1. Hersey, F. Almost 80% of Chinese concerned about
tions offered by a search engine are also
and transparency “a real concern.” This AI threat to privacy, 32% already feel a threat to based on data collected while serving
their work. TechNode (Mar. 2, 2018); https://technode.
was followed by a quote on the weakness- com/2018/03/02/almost-80-chinese-concerned-ai- users; the search engine uses the data to
es of more-open digital societies. When threat-privacy-32-already-feel-threat-work/ “learn” what users are likely to ask.
2. Li, R. Are Chinese people ‘less sensitive’ about
lack of privacy rights was mentioned privacy? Sixth Tone (Mar. 27, 2018); http://www. When machine learning is used to
elsewhere in the special section, it was sixthtone.com/news/1001996/are-chinese-people- “discover” an algorithm, it may find a
less-sensitive-about-privacy%3F
described as “an accepted observation.” local optimum, or an algorithm that is
Feng Chucheng of risk-analysis firm  incent Van Den Berghe,
V better than similar algorithms but very
Blackpeak, said, “Rather than simply Leuven, Belgium different from a much better one. A hu-
reflecting [the status quo] that privacy man who took the time to understand
protections are not well-developed in the situation might find that algo-
this society, [Baidu] should be leading Response from the Editor-in-Chief rithm. Machine learning is often a lazy
the charge to improve privacy rights.”2 Van Den Berghe’s letter raises a good programmer’s way to solve a problem.
Perhaps the professors and analysts point—that articles discussing technology Using machine learning may save the
who contributed articles to the sec- can and should be enriched by discussion programmer time but fail to find the
tion should have tried to do the same. of their societal context, including potential best solution. Further, the trained net-
It would not have detracted from the abuses. I am pleased to see this topic being work may fail unexpectedly when it en-
quality of their articles. raised in the context of the China Region counters data radically different from
The “West” itself shows signs of mov- special section and believe it applies much its training set.
ing toward being a surveillance society, more broadly, both globally and across The second Q&A pair Lewis and
and no amount of “privacy rights” will a variety of topics. This is an important Denning should have addressed con-
change that historical direction. More challenge to Communications authors. I am cerns “neural networks”:
than a few Western governments are sure they will rise to it. Q. If developers have constructed
actually envious of China’s unique ap- Andrew A. Chien, Chicago, IL, USA (or simulated) a physical neural net-

6 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 letters to the editor

work and trained it to have the behav- reason beyond the standard criterion— evant data and would contribute to the
ior they want, is it possible to replace it technical merit of the papers. health of the field of computer science.
with more conventional hardware and Although the title of the Viewpoint Paul B. Schneck, Bala Cynwyd, PA, USA
software with the same behavior? referred specifically to computer sci-
A. Yes. ence conferences, Cabot et al. pointed
In other words, there is no problem out that the database of papers they Authors Respond:
that can be solved using neural nets included in their survey was limited We agree there is no evidence that opening
that could not be solved using other to the area of computer software. They up conferences increases their technical
more conventional hardware and pro- should thus have limited any conclu- quality, at least not right away, but believe it
gramming languages. Some claim the sions to conferences likewise devoted is still an important goal for the community
neural net will be faster (or more ef- to computer software. and one that will prove beneficial in the
ficient in some sense), an assertion They defined newcomer papers long term. We also agree an extended data
that remains to be proved. Any perfor- as “ … research papers where all au- analysis would be beneficial to continue the
mance advantage observed today can thors are new to the conference; that discussion. We hope the column triggers it
be attributed to the highly parallel spe- is, none of the authors has ever pub- and generates replication studies and some
cialized processors used to implement lished a paper of any kind in that pressure on conference managements to
the nets. Better performance can often same conference.” This brings up two release additional (anonymized) data.
be obtained by programming the hard- problematic analytical issues. First, Jordi Cabot, Barcelona, Spain,
ware directly. is newcomer status binary? That is, Javier Luis Cánovas Izquierdo,
David Lorge Parnas, Ottawa, Canada does publication of a single paper in a Barcelona, Spain, and
conference render a newcomer author Valerio Cosentino, Madrid, Spain
(to use their phrase) a “member of the
Authors Respond: community?” Second, how different
Given the space, we would have answered would their statistics have been if they Home Monitoring for Parkinson’s
Parnas’s provocative questions much the had used a data-collection period dif- Patients Already . . .
same way he did. We would have added ferent from the seven years on which Near the end of Leah Hoffman’s interview
how difficult it is to beat the performance they based their analysis? These ques- with Dina Katabi “Reaping the Benefits of
of neural networks on special-purpose tions went unanswered. a Diverse Background” (Oct. 2018), Kata-
hardware. We also cannot ignore AlphaGo, Moreover, they said, “  … analysis bi said, “I couldn’t tell you if . . . we
the machine that played against itself for suggests that newcomer paper sub- should change the dose of her Parkin-
several days with no outside information missions represent at least one-third son’s medication.” In fact, the winner of
and became a grandmaster at Go. The of the total number of submissions” the 2018 Human-Competitive Award at
previous IBM chess supercomputer based on the data of one of the View- the ACM Genetic and Evolutionary Com-
was carefully designed by industrious point authors as a member of the putation Conference in Kyoto, Japan
programmers over many years. Speed to program committee of four software (see http://www.human-competitive.org/
solution is a powerful motivator, even if the conferences. We cannot ignore the awards) has already done just that.
solution may not be understandable. potential correlation among the con- The prize went to Stephen L. Smith,
Ted G. Lewis and Peter J. Denning, ferences where he was a committee a senior lecturer in the Department of
Monterey, CA, USA member. It thus seems unreasonable Electronics in the University of York,
to conclude the data suggests anything York, U.K., for a home-monitoring de-
about the set of 65 conferences cov- vice for Parkinson’s dyskinesia (invol-
No Lack of Newcomer ered in the study survey. Further, their untary muscle movement).1 ClearSky’s
Authors at CS Conferences suggestion that at least one-third of LID-Monitor, which includes novel
Jordi Cabot et al. first outlined their submissions are from newcomer au- signal processing developed through
hypothesis about lack of “newcomer” thors was weakened by their later con- Cartesian genetic programming, re-
authors being accepted at computer jecture that “some potential newcom- ports the severity of shaking associated
science conferences in their Viewpoint ers refrain from submitting in the first with the disease to the patient’s medi-
“Are CS Conferences (Too) Closed Com- place,” saying, “[t]he overall presence cal team, assisting in setting the correct
munities?” (Oct. 2018) and then, seeking of newcomers decreases over time.” dose of Levodopa.
data to evaluate it, succumbed to confir- This suggests that either newcomers
mation bias, unintentionally undermin- are becoming “established members Reference
1. Lones, M.A. et al. A new evolutionary algorithm-based
ing their own hypothesis. Their stated of the conference community” or the home-monitoring device for Parkinson’s dyskinesia.
objective of “opening up” computer sci- Journal of Medical Systems 41, 11 (Nov. 2017), article
field itself is shrinking. The possibility 176; http://doi.org/10.1007/s10916-017-0811-7
ence conferences may be a laudable so- of computer software research shrink-
cial goal, but they presented no evidence ing is unlikely. W.B. Langdon, London, U.K.
that the technical quality of conferences It is thus not apparent there is a
would be enhanced by doing so. More- “problem” involving lack of newcom- Communications welcomes your opinion. To submit a
Letter to the Editor, please limit yourself to 500 words or
over, they presented little, if any, com- ers submitting papers to computer less, and send to letters@cacm.acm.org.
pelling evidence that the claimed lack science conferences or that Cabot et
of newcomer submissions is due to any al.’s suggestions are supported by rel- © 2019 ACM 0001-0782/19/02

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF THE ACM 7

 The Communications Web site, http://cacm.acm.org,
features more than a dozen bloggers in the BLOG@CACM
community. In each issue of Communications, we’ll publish
selected posts or excerpts.

Follow us on Twitter at http://twitter.com/blogCACM

DOI:10.1145/3297799 http://cacm.acm.org/blogs/blog-cacm

Seeking Digital computers. The shift from mechanics

to electronics, which began mainly in

Humanities,
the 1970s, replaced analog slide rules
and digital mechanical calculators with
digital electronic computers. For many

IT Tech Support years, analog and digital electronic com-

puters competed against each other.
In my opinion, the humanities are
Herbert Bruderer explains why the opposite of digital is not analog; neither analog nor digital. They increas-
Robin K. Hill describes how the challenges of user support ingly using digital resources. It would
be better to speak of computer-aided or
are aggravated by indeterminate client responsibility. computer-assisted humanities. The pre-
digital era must have been before the
Greek abacus.
Herbert Bruderer century BC) was digital. The abacus is re-
There Are garded as the oldest digital calculating Robin K. Hill
No Digital Humanities aid. The Romans also used digital bead Tech User
https://cacm.acm. frames. Similar devices are offered today Responsibility
org/blogs/blog- at flea markets. Digital calculating ma- https://cacm.acm.
cacm/232969-there- chines appeared in the 17th century (in- org/blogs/blog-
are-no-digital-humanities/fulltext ventions by Wilhelm Schickard, Blaise cacm/231489-tech-
November 26, 2018 Pascal, Gottfried Wilhelm Leibniz). In user-responsibility/fulltext
Digitization and the digital revolution 1614, the Scotsman John Napier invent- September 30, 2018
are quite confusing. Probably most ed digital Napier rods, used for multipli- Some years of experience with faculty
people believe digital is something cation and division. Since the middle of assistance has led me to speculate that
new. Many think the opposite of digi- the 19th century, mechanical calculating the well-known frustrations of IT user
tal is analog or mechanical. However, machines have been mass-produced in support hide even deeper problems.
the forerunners of electronic or digital France (Thomas Arithmometer, patent Many of us with such experience know
journals and books are printed works. I 1820). Charles Babbage’s (unfinished) the chronic difficulty suffered by both
would not call them analog. Historians analytical engine (1834) and a similar client and consultant in the support
sometimes speak of a pre-digital era. machine of the Spanish engineer Leon- scenario. Each day promises, and deliv-
Even museum experts are surprised ardo Torres Quevedo (1920) were also ers, repeated problems, trivial issues,
when historical mechanical calculat- digital, as were the widely used punch and deep misunderstandings attendant
ing machines are described as digital. card machines (Herman Hollerith, on the use of applications and devices.
For them, digital and electronic are 1890). Users ask the same questions, indi-
synonymous. A new field of the human- Digitalization is therefore nothing vidually and severally, over and over,
ities is named digital humanities. new. The first mathematical instrument requesting help when what they really
However, the equation digital = new, was not an analog but a digital device, want is someone who will do it for them.
analog = old does not work. Digital is not the abacus. Significant phases of digi- In my own experience providing techni-
an achievement of the 21st century. Even tization began in the 1940s and 1950s cal support to faculty and also to mem-
the antique Salamis counting board (4th with the advent of relay and vacuum tube bers of a volunteer civic organization, I

8 COMMUNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 blog@cacm

deal with well-educated and competent consultant. Subsequently we see attenu- lie? Garrath Williams’s treatment of the
people. Whereas most clients are coop- ation of commitment, where follow-up notion of responsibility1 notes the emer-
erative and grateful, some are brusque tasks are put aside until a better time, gence of that notion only in the last two
and demanding, some are apologetic the initial momentum fades away, and or three centuries, a brevity consistent
and jocular, many are just not listening. the skills necessary for effective partici- with the lack of scholarship on client
On the tech support side, malfea- pation decay. This leads to an adversari- responsibility (also raising the ques-
sance includes overexplanation, under- al stance, where frustration morphs into tion whether there really is any such
explanation, incorrect explanation, and resentment. Whose fault is this? thing). He locates responsibility not in
impatience, all transgressions of which I Although there is plenty of research the person, but in the multifarious mod-
have been guilty from time to time. Why and commentary on the responsibility ern world. “What is central is the moral
is this all so difficult? As the perceived of the vendor, there appears to be no in- division of labor created by our institu-
burdens of technology build up on users, quiry into the responsibility of the con- tional fabric. This scheme of coopera-
cheerful cooperation gives way to weary sumer with respect to technology selec- tion delimits the normative demands
resignation and then to foot-dragging tion, mastery, and use. Should there be? upon each of us, by defining particular
resentment. And this against an activity Let’s interrogate some analogies: We spheres of responsibility. Given the flu-
that is for their own good! Users resist impose a minimal degree of responsi- idity, plurality and disagreement associ-
reading manuals, or even short instruc- bility on someone checking a book out ated with normative demands in mod-
tions, let alone working through a check- of a library—he or she should return it. ern societies, this limitation is crucial.”
list, though learning the fundamentals The reading of it may a norm, not an ob- If there is a limit on each sphere of
would help them immensely. I have of- ligation. We impose a high degree of re- responsibility, then there should be a
fered the briefest possible explanations sponsibility for driving a car, because it boundary on user support. Right now,
of the client-server environment (“where can kill people. We expect some degree no one understands the proper extent of
your programs run”), HTML URLs (“how of responsibility in the use of natural re- support; no limiting structure is defined
to reach websites”), and cloud storage sources, because the effects are broadly for the benefit of user or support staff.
(“where your files are stored”), to no dispersed. In domestic finances and To define such a limit is to grant support
avail. Direct orders, such as “Read this” budgeting, we assume the agent eventu- staff authority to demur. Unthinkable
or “Practice this,” even to people who are ally will achieve independence, making as it may seem, modern technological
sincerely motivated (no matter their in- unaided decisions and taking appropri- society needs to consider, define, and
telligence, job satisfaction, rank, or per- ate actions, out of self-interest. It’s not sanction a point at which consultants
sonality), have no effect. I have gradually clear that any of those inform our view of can say “no.” Better yet, they won’t need
come to the unsettling belief that this is the products of technology. Indeed, the to, because everyone will understand
not just exasperating, but revealing. (We very idea that software and hardware us- the limits; everyone will know where
acknowledge without comment the obvi- ers have any responsibility toward their user support ends and user responsibil-
ous possibility that I, and my fellow user technology appears to stand in direct ity begins. Everyone will know that the
support professionals, are just lousy in- conflict to pervasive expectations on manual should be read (and should be
structors or repellent individuals.) their part, as expressed thus: written in the first place), and they will
On the happy assumption that the This is a nuisance. know from accepted and ingrained cul-
average reader thinks the philosophy of My duties involve real things, where- tural mores rather than from simply be-
computer science deals with lofty issues, as this is just management of those ing told so by pesky IT people.
this may seem pedestrian. Yet a problem things, not what I signed up for. Record But we can’t work that out here and
so perplexing and intractable is ripe for a keeping and bean counting should not now! In the best case, the tribulation of
bit of philosophy. We might learn some- take time from the job. tech help is a temporary issue, reflecting
thing about education or training from This is clerical. workplace stress in the face of upheaval,
its apparent failure in such cases and These tools are complex, sure, and similar to legal and safety compliance
thereby something about intelligence. they require skill, the kind of skill embod- demands. The problem will resolve as
We might learn something about the ied in a good secretary, who can handle te- society grasps tech more firmly; that,
acceptance of responsibility from its ap- dium, the quirks, and the exceptions. But however, will take time. We wait for the
parent failure in such cases and thereby I deliberately avoided that career. emergence of norms of responsibility in
something about ethical duty. This is supposed to be easy. this and other aspects of technology.
As we look more closely (at naive us- These products are supposed to
ers, at technically competent users, and magically improve my life—vocational, Reference
even at us experts when we are faced social, and intellectual—immediately 1. Williams, G. Responsibility as a Virtue. Ethical Theory
with new technology), we see a reluc- and Moral Practice. 11:4, 455-–470.
and painlessly. (This attitude, of course, DOI: 10.1007/s10677-008-9109-7.
tance to learn definitions, commands, is cultivated by technology vendors and
good practices, and workflow. The hap- promoters.) Because the product is fab- Herbert Bruderer is a retired lecturer in didactics
less user does not build the cognitive ulous, and intended explicitly for me, of computer science at ETH Zürich. Robin K. Hill is
a lecturer in the Department of Computer Science
scaffolding necessary to organize the the trouble must lie with IT. and an affiliate of both the Department of Philosophy
concepts, so does not grasp which fea- There’s not much in those expecta- and Religious Studies and the Wyoming Institute for
Humanities Research at the University of Wyoming.
ture is relevant to what; that context is tions that can be corrected by user sup-
then even farther out of reach for the port staff. So where does responsibility © 2019 ACM 0001-0782/19/2 $15.00

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF THE ACM 9

 13TH ACM INTERNATIONAL CONFERENCE ON DISTRIBUTED AND EVENT-BASED SYSTEMS

DEBS 2019
24 –28th June, 2019
Darmstad�um, Schlo�graben 1, ��2�� Darmstadt, �ermany

“A forum for academia and industry to discuss cu�ng-edge research in

event-based compu�ng related to Big Data, AI�ML, IoT, and Distributed
Systems.”
h�p:�����.debs2019.org

Topics: Submission Dates:

iAr��cial Intelligence and Real-Time Processes iAbstract submission February 19th, 2019

iIn�orma�on-Centric Networking
iResearch and industry paper February 26th, 2019
iMachine Learning and its Applicability submission
iProgrammable hardware and its impact on
efficient event processing
iTutorial submission March 22nd, 2019
iBusiness Processes and Event Processing
iIn-Network Processing in Distributed and i�rand challenge solu�on April 7th, 2019
Networked Systems submission

iMul�media Analy�cs and Event-Based iAuthor no��ca�on research April 9th, 2019
Systems and industry track
iSmart Contracts and Blockchains iDoctoral symposium poster & April 22nd, 2019
demo submissions

General Chairs: Program Chairs:

Boris Koldehofe Badrish Chandramouli
TU Darmstadt, Germany �i�roso� Resear��
Guido Salvaneschi Leonardo Querzoni
TU Darmstadt, Germany Sapienza University of Rome
N
news

Science | DOI:10.1145/3297801 Samuel Greengard

A Brave New World

of Genetic Engineering
Genetic engineering technologies are advancing
at a furious rate, changing the world one cell at a time.

A
LTERING THE GENETIC code
of plants and animals is
not a job for the faint of
heart. Nevertheless, in re-
search labs around the
world, scientists are increasingly peer-
ing into the cellular structures of living
things—and recombining DNA and
RNA molecules to produce everything
from new tomatoes to new medicines.
“The tools and technologies used for
viewing and manipulating genetic ma-
terials have become more widely avail-
able and much easier to use,” observes
George Church, a professor of genetics
at Harvard Medical School and a pio-
neer in genomic research.
It is no small matter, even if the
matter involved is at the molecular
level. CRISPR, a powerful gene-
editing toolkit, is advancing the field
of programmable biology by leaps
and bounds. It allows researchers to
reconfigure genes and create new ver-
sions of things. Another technology,
cryo-electron microscopy (Cryo-EM),
IMAGE BY YURC HA NKA SIA RHEI

is helping scientists peer into genet-

ic material at a resolution that was and change as they perform various “Although these two techniques
once unimaginable. They can view functions. Both of these tools, as are very different, they both are re-
the intricate structures of proteins, well as more advanced computing shaping biology and genetic engi-
nucleic acids and other biomole- models, have introduced a brave new neering,” states Eva Nogales, a pro-
cules, and even study how they move world to genetic research. fessor in the Department of Molecular

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 11
news

and Cell Biology at the University of says Nogales, who visualizes CRISPR but this will likely change over the
California, Berkeley, and senior fac- molecules using cryo-EM. coming years.”
ulty scientist at Lawrence Berkeley For example, Synthego, which Church Further advances in software and
National Laboratory. “CRISPR and is affiliated with, has introduced kits de- algorithms will drive smarter and
Cryo-EM allow researchers to perform signed to address different gene editing better gene editing tools, Nogales
an array of tasks faster and better.” tasks. Its $1,495 Gene Knockout Kit adds. For instance, Inscripta, head-
Adds Richard Henderson, re- (GKO) drops powerful capabilities into quartered in Boulder, CO, has focused
search scientist at the Medical Re- the hands of researchers. It taps predic- on developing a biological genetic en-
search Counsel Laboratory of Molec- tive software and automation tools that gineering framework that resembles
ular Biology in Cambridge, U.K., and help a researcher select a human gene to the all-in-one capabilities of a personal
a recipient of the 2017 Nobel Prize in modify. It then applies a synthetic RNA computer, while San Francisco-based
Chemistry for his pioneering work on gene to direct a protein to the specific Twist Biosciences is developing a sys-
Cryo-EM, “We are at the cusp of re- location required for a DNA cut. The tem that places custom strands of syn-
markable advances in agriculture, firm claims this toolkit has boosted the thetic DNA—the As, Ts, Cs, and Gs that
medicine, and many other fields. accuracy of CRISPR editing methods serve as building blocks for biology—
These technologies will reshape sci- from around 50% to as much as 80%, or on semiconductor chips. This allows
ence and the world.” even more. The net result is an ability to researchers to make up to a million
cycle through variations of edited genes CRISPR edits with a single chip, rather
Cracking the Code on CRISPR faster, speeding research and develop- than using multiple systems and soft-
In only a few short years, the ability to ment for new procedures and drugs. ware to accomplish the task. The com-
reengineer the genetic structure of liv- Paul Dabrowski, co-founder and CEO pany’s self-described “smart algo-
ing things has moved from obscure re- of Redwood City, CA-based Synthego, rithm” informs users within seconds
search labs to the mainstream of sci- has said the firm’s gene editing system whether the sequence they are testing
ence. CRISPR, which stands for reduces the time it takes for a scientist to can be synthesized.
Clustered Regularly Interspaced Short perform gene edits from several months
Palindromic Repeats, beckons with the to approximately one month. This, he Cryo-EM Enters the Picture
promise of producing better tomatoes, has noted, helps researchers focus on re- Although gene editing has introduced
insect-resistant grains, malaria-resis- sults and outcomes, rather than the me- powerful capabilities into the research
tant mosquitos, and new types of phar- chanics of an experiment. lab, scientists continue to struggle with
maceutical drugs to combat conditions Nogales says that while CRISPR understanding the mechanical func-
ranging from sickle cell anemia and tools fundamentally change the na- tions of basic biological structures.
Alzheimer’s disease to cancer. Users ture of research, they also present From the invention of the microscope
can perform direct operations on challenges. For one thing, because in the 13th century to more advanced
genes by modifying and recombining of uncertainty about errors caused forms of electron microscopy, improv-
molecular structures. “As the tech- by systems, CRISPR is not yet been ing resolution and reducing noise—
nology has advanced, the need to approved for medical use by the U.S. particularly at extremely high levels of
build everything from scratch in a Food and Drug Administration. For magnification—has proved vexing.
lab has been replaced with commer- another, there is a learning curve as- “Obtaining clearer images is an ongo-
cially available products that produce sociated with the technology. “Mak- ing challenge,” states Craig Yoshioka,
effective results,” Church says. ing a cut in the wrong place could be research assistant professor and co-di-
Indeed, commercial firms with very deleterious. This is one of the rector of the Pacific Northwest Cryo-
names like Synthego, Inscripta, and reasons why CRISPR is used for agri- EM Center at Oregon Health Sciences
Twist Biosciences have developed kits culture more than human treatment, University (OHSU) in Portland, OR.
that advance gene editing in much For instance, one issue with cryo-
the way same way visual program- electron microscopy is that bombard-
ming replaced the need to manually “We are at the cusp of ing a frozen sample with electrons can
write endless lines of code for some vaporize the specimen. As a result, Yo-
software application. Although these remarkable advances shioka says, scientists must essential-
firms take aim at the task through ap- in agriculture, ly collect their images in “low light,”
proaches that range from providing thereby reducing specimen damage,
molecular resources to computation- medicine, and many but also resulting in noisy data. The
al tools in software packages, the other fields. These resulting noise makes it more difficult
common denominator for the end- to view the behavior of the molecules
technologies will
 
user is an ability to conduct research and understand how they react to dif-
faster, more effectively, and at a lower reshape ... the world.” ferent conditions.
cost. In fact, gene-editing tools that Meanwhile, another technique,
once had a price tag extending into called X-ray Crystallography, can pro-
the billions of dollars are now avail- duce a three-dimensional (3D) image of
able for less than $1,000. Essentially, a molecular structure at high resolu-
“Any cell biology lab can use CRISPR,” tion by measuring how diffracted X-ray

12 COM MUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 news

beams scatter from crystallized mole- Massachusetts, Amherst, researchers

cules, but is difficult to apply to all sam- led by computational biophysicist Ji-
ples. “It can be exceedingly difficult to Conventional electron anhan Chen are developing sophisti-
get proteins to crystalize, sometimes microscopy is “a bit cated computer modeling algorithms
nearly impossible,” Yoshioka explains. and molecular simulation models
Cryo-electron microscopy funda- like looking for a roe that allow researchers to study a new-
mentally changes the equation. Re- deer in a forest with ly recognized class of substances
searchers place biological specimens called intrinsically disordered pro-
under a transmission electron micro- dappled sunshine. teins (IDPs). These proteins contain
scope and study them under cryogenic It’s not easy to pick highly flexible 3D structural proper-
temperature conditions: -130oF or less. ties that are extraordinarily difficult
The system produces digital images them out because to observe. Chen’s technique relies
that are run through specialized algo- they’re disguised.” on sheer computational power, be-
rithms that dramatically reduce noise cause high-resolution imaging tech-
and sharpen the image using a meth- niques like X-ray crystallography and
od of frame alignment that studies nuclear magnetic resonance (NMR)
particle behavior in different images. cannot provide data about the highly
“The software processes the images flexible and fast-changing nature of
and identifies the values of the key pa- them so that the user has a choice these proteins.
rameters,” says Henderson, who pio- about which operations to combine for Nogales believes these different ge-
neered imaging techniques that, along best performance,” he explains. netic observation and engineering tech-
with fellow 2017 Nobel Prize winners The result, Yoshioka says, is a new niques will continue to break barriers
Jacques Dubochet and Joachim Frank, era in understanding the mecha- and further advance science. “We are
led to modern Cryo-EM. nisms of life at a molecular scale. Al- beginning to understand biology, chem-
Henderson says Cryo-EM address- though Cryo-EM microscopes can istry, and physics at deeper and broader
es a basic problem with conventional cost $6 million or more, their use lets levels than ever before. We are now
electron microscopy: the interaction researchers visualize biological mole- studying molecules that were almost un-
of electrons with organic matter cules at an atomic scale, and see them known in the past, and we are putting
causes a breakdown in their molecu- in their natural state. In contrast, X- the knowledge to work through gene ed-
lar structure, which generates a high ray crystallography requires scientists iting tools such as CRISPR. We will see
level of visual noise. “It’s a bit like to order billions of molecules into enormous changes in the biological
looking for a roe deer in a forest with well-ordered crystals, which can com- world as a result of these techniques.”
dappled sunshine. It’s not easy to pick plicate the process of understanding
them out because they’re disguised,” of how they appear or function in a liv-
Further Reading
he explains. To bypass the problem, ing cell. Using Cryo-EM, “We are bet-
Cryo-EM combines more advanced ter able to understand how proteins Noble, C., Adlam, B., Church, G.M.,
Esvelt, K.M., and Nowak, M.A.
hardware with image-processing soft- behave, how different substances or
Current CRISPR Gene Drive Systems are
ware that averages the position and drugs affect them, and how modifica- Likely to be Highly Invasive in Wild
behavior of thousands of individual tions can change the way a drug binds Populations, eLife, e 2018;7:e33423. DOI:
particles and extrapolates the data to to the protein,” Frank says. https://doi.org/10.7554/eLife.33423.
produce much clearer images of a bio- Cheng, Y., Glaeser, R.M., and Nogales, E.
logical structure. As a result, Cryo-EM Beyond Image How Cryo-EM Became so Hot. Benchmarks.
can achieve atomic-level resolution Genetic research is also leading biolo- Volume 171, Issue 6, 30 November 2017,
Pages 1229-1231. https://doi.org/10.1016/j.
models of complex, dynamic molecu- gists down the path of other compu-
cell.2017.11.016.
lar assemblies. tational methods that extend the
Nobel laureate Frank, a professor of boundaries of programmable biolo- Wright, VW., Liu, J., Knott, G.J., Doxzen, K.W.,
Nogales, E., and Doudna, J.A.
biochemistry and molecular biophys- gy. For instance, at the University of Structures of the CRISPR genome
ics at Columbia University in New York, Groningen in the Netherlands, bio- integration complex. Science, 20 Jul 2017:
says advances in graphics processing technologists have used a modeling eaao0679. DOI: 10.1126/science.aao0679.
units (GPUs) and better algorithms method to redesign the enzyme as- http://science.sciencemag.org/content/
have revolutionized the field. “Speed is partase and convert it into a catalyst early/2017/07/19/science.aao0679
no longer a problem, with the emer- for asymmetric hydro-amination reac- Russo, C.J. and Henderson, R.
gence of GPU software and clever algo- tions that produce larger quantities of Microscopic Charge Fluctuations Cause
Minimal Contrast Loss in Cryo-EM,
rithms,” he explains. Moreover, the the substance. Working with research- Ultramicroscopy, Volume 187, April 2018,
field is continuing to advance and in- ers in China, the group was able to Pages 56-63. https://doi.org/10.1016/j.
corporate new computational meth- produce high volumes of extremely ultramic.2018.01.011
ods. For example, “There are now soft- pure building blocks of aspartase that
ware platforms … that combine could be used in pharmaceuticals and Samuel Greengard is an author and journalist based in
West Linn, OR, USA.
different packages under one umbrella other bioactive compounds.
and provide interoperability among Meanwhile, at the University of © 2019 ACM 0001-0782/19/2 $15.00

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 13
news

Technology | DOI:10.1145/3297805 Keith Kirkpatrick

Technologizing
Agriculture
An array of technologies are making farms
more efficient, safer, and profitable.

A
G R I C U LT U R A L BUSINESSES
usually have a massive
number of trackable as-
sets (plants, livestock, and
machinery), often oper-
ate in wide geographic areas in which
these assets are located, and are sub-
ject to operational factors often be-
yond their control, such as the amount
of sunlight or rainfall they receive, or
temperature fluctuations. As such,
agriculture is ripe for the adoption of
new technologies to help monitor and
manage assets on a granular level, and
everything from Internet of Things
(IoT) sensors, robots, and drones are
being used by farms around the globe.
The U.S. Department of Agricul-
ture’s National Institute of Food and
Agriculture notes that the farms of to-
day are avid users of agriculture tech-
nologies such as robots, temperature
and moisture sensors, aerial imaging,
and GPS technology, which are more A robotic tractor (left) cultivates a field alongside a tractor operated by a human, during a
precise and efficient than humans demonstration in Fukushima, Japan.
alone, and allow for safer, more effi-
cient, and more profitable operations. founder of Root AI, a company devel- the side of the robot to provide a visual
One example of how technology en- oping a robotic platform that allows frame of reference.
ables new farming techniques is the the inspection, analysis, and harvest- The platform uses a customized
use of robotic harvesting on indoor ing of leafy vine plants grown indoors, convolutional neural network to de-
farms, which today account for a tiny such as tomatoes. “[A lot] of work has tect objects of interest and label them
fraction of the 900 million acres of tra- been done specifically in precision with bounding boxes, which are used
ditional farmland in the U.S. However, agriculture. ‘How do I reduce the to train and build up the system’s
these indoor farms are well suited to amount of herbicide; how do I reduce knowledge. While rolling between
the growth of vegetables such as toma- the amount of pesticide?’” rows of plants, the camera captures
toes, lettuce, and other leafy greens, Lessing notes indoor agricultural the location of each fruit or vegetable,
are highly sustainable, generally fea- practices expands a farm’s margins, be- while also measuring properties such
ture an average yield per acre more cause less is spent on pesticides, since as ripeness, size, and quality grading.
than 10 times higher than that of out- insects can be kept out of the green- The data capture is done in real time,
door farms, and represent a continua- house. Furthermore, reducing the use on the robot itself, without requiring
PHOTO BY KYODO NEW S VIA GETT Y IMAGES

tion of the agricultural sector’s trend of chemicals can also limit the environ- access to a data center or the cloud.
toward incorporating precision agri- mental impact of the operation. The robot also uses a soft gripper,
culture techniques to improve yields Root AI’s robot uses multiple cam- which looks like a pair of plastic salad
and become more sustainable. eras to collect color images and three- tongs, that can pick a fruit or vegetable
“Whether it’s indoor or outdoor dimensional (3D) depth information without damaging it. The idea is to al-
farmers, finding technologies that on growing plants. One camera is lo- low the cultivation of these types of
drive efficiencies is a big deal for cated in the arm of the robot itself, plants continuously and more effec-
[farmers],” says Josh Lessing, co- while a secondary camera is affixed to tively than humans can do, while aug-

14 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 news

menting the labor force.

“What we’re specializing in is be-
“With the drone, you
ACM
ing able to contact pieces of produce
and harvest them without damage,”
says Lessing. “The customers that I’m
can go from visual Member
working with, one of the major prob- data to multispectral News
lems that they’re running into is they data, to thermal data,
can’t find enough labor to expand their
operations. So we’re supplementing to hyperspectral data, AT THE INTERSECTION
OF CS AND
the labor force, and we’re delivering to all in one flight.” COMPUTATIONAL BIOLOGY
“I had an
growing managers intelligence to every
analog
piece of the operation.” computer kit
Another challenge faced by crop when I was a
growers is weed control. Tradition- kid, where you
turned a dial
ally, farmers would spray herbicides and it did
broadly across their crops, which not data 2.5 times more efficiently and 25% something,” says Dan Gusfield,
only was wasteful, but also potentially more accurately, and the collection Distinguished Professor of
harmful to humans, as crops were itself was more objective, repeatable, Computer Science at the
University of California, Davis
often overexposed to the chemicals. and standardized. (UC Davis). Despite his
Companies such as EcoRobotix, and Thomas Haun, senior vice president enchantment with that early
Blue River Technology with its See & of partnerships with South Carolina- computer, Gusfield soon
learned his real attraction was
Spray agricultural machines equipped based commercial drone and data com- for discrete math, which offered
with computer vision and machine pany Precision Hawk, says drones pro- a natural segue into computer
learning capabilities, claim they can vide a significant advantage over not only science once he entered college.
eliminate 90% of herbicide volumes traditional ground-based visual inspec- Gusfield earned his
undergraduate degree in
typically used on farms today. tions, but also over satellite-based inspec- computer science at the
The presence of weeds is not the tion. From a drone flying overhead, sen- University of California at
only enemy of crops (and farmers). sors can monitor a variety of conditions, Berkeley, and his master’s
Plant diseases, if they are not detected including plant yields and growth infor- degree in the same discipline
from the University of California
quickly, can spread rapidly, and even mation, as well as identifying indications at Los Angeles. After receiving
incremental changes in the soil’s of disease or insect/animal damage, and his Ph.D. in engineering science
composition can have a drastic im- even tracking temperatures. from the University of California
at Berkeley, he spent six years
pact on crop yields. “With the drone, you can go from vi- as an assistant professor at Yale
“In terms of precision agriculture, sual data to multispectral data (image University, before moving to the
[farms] are using more connected sen- data at specific frequencies), to ther- University of California, Davis
sors on the ground to test nitrogen lev- mal data, to hyperspectral data (from (UC Davis), where he has worked
ever since.
els, for instance,” says Nisarg Desai, across the electromagnetic spectrum) He says his interests meet
director of product management, IoT, all in one flight,” Haun says, noting that at the intersection of computer
GlobalSign, a networking technology satellites are generally not equipped science and computational
biology, an area on which he is
company that has worked with agri- with sensing technologies that allow a writing his third book. Gusfield
culture companies to implement IoT very granular view of crops or plants. explains that the field of biology
communication security technology for “We’re capturing data at sub-centime- is becoming more quantitative,
plant sensor networks. Desai says IoT ter resolution. There’s an actual spatial mathematical, and algorithmic,
and these techniques are
sensors are used to test soil moisture resolution that our [sensors] are get- percolating down to biologists.
levels to identify flooding, overwatering, ting, providing a real advantage.” In support of that, he is helping
or ground freezing; IoT-enabled water Currently, most drone operators to establish an undergraduate
and fertilizer delivery valves can also be major in quantitative biology at
are limited by operational regulations,
UC Davis.
remotely monitored and managed. which limit drone flights to those that With retirement on the
Some farms are turning to drone can be observed by the human operat- horizon in a few years, Gusfield
technology, using unmanned aerial ve- ing the drone with his or her own eyes. has no plans to end his career.
He considers most of his
hicles (UAVs) equipped with a package This generally limits drone operations academic work has been on
of high-definition cameras, IR sensors, to about one square mile, according to computational techniques for
and image-recognition capabilities Haun, though companies can apply for problems that arise in biology,
to monitor crops, which can provide a Beyond Visual Line of Sight Waiver but he has never had the
opportunity to take the next step
significant increases in efficiency. In from the U.S. Federal Aviation Admin- and apply his techniques and
a recent study, drone operator Pre- istration (FAA), although few such programs to specific diseases.
cisionHawk found that farmers who waivers are granted). “I want to delve more into a
real disease,” he says.
used drone-based aerial intelligence Precision Hawk has a waiver that al- —John Delaney
instead of taking plot-based crop mea- lows the company to operate drones up
surements by hand were able to collect to four miles away from an operator,

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 15
news

but the company expects that as time The sensor has sold more than 25,000
goes on and the FAA becomes more units, and the company also offers two
comfortable with drones, other com- Livestock other applications, including Breedma-
mercial drone operators—and eventu- management also nager, a free herd management soft-
ally farmers themselves—will be able ware app that displays the herd based
to fly drones over a wider expanse be- is changing, as on breeding status; and Mooheat, a col-
yond visual contact. managers monitor lar worn by a bull, along with a RFID ear
However, drones are hardly the only tag for each cow or heifer, that can pro-
technology that allow agricultural as- herds in real time vide detailed information such as exact
set monitoring and management. Us- with Internet- times of standing heat, due dates, and
ing IoT-connected sensors placed near in-calf notifications.
plants, farm operators can capture and connected collars GlobalSign’s Desai notes that this
record environmental conditions, and and tags. type of tagging can be used to keep
then send the data back to the farm’s track of livestock herds across a wide
data center for analysis and action via grazing area. “We have a customer who
a wireless connection. In some farming is providing a solution for automated
regions, there is a robust commercial cattle tracking across a large ranch,”
wireless network (or networks) that can Desai says. “What we came up with as a
serve as a backbone for IoT-connected smart tractors and harvesters, which solution, for lack of better terms, is like
sensors, and agriculture companies can include automated functionality, a Fitbit for cows,” with tracking collars
simply need to purchase and place sen- allowing them to easily “carry” the net- with signed and encrypted certificates
sors throughout their fields. While they work wherever they are working with- affixed to cows in the herd, to ensure
need a sophisticated data capture and out requiring a pre-built networking data cannot be stolen and used by ma-
analytics solution in order to leverage infrastructure. levolent third parties. Information on
the data captured, farms like those in “The producers in Latin America, cattle movement, individually and col-
the U.S. are generally able to quickly specifically in Brazil, do not have con- lectively, is collected and analyzed to
cover their harvesting area and begin nectivity in the field,” says Joeval Mar- determine whether a specific animal or
to yield real insights by capturing data tins, Rajant channel sales director for group of animals have been separated
from the sensors, and acting on those Latin America. Martins explains that from the herd, or are ill or injured.
insights immediately. Rajant’s mobile wireless networking “The technology greatly reduces
However, in other parts of the world, technology is a more affordable build- the amount of human intervention
particularly in developing regions such ing out a fixed network that covers the or human labor actually required
as South America, Africa, and parts of entire acreage of a farm. to go and check on these animals,”
Asia, commercial wireless coverage is Food production is not limited to Desai says, reducing labor costs and
not ubiquitous, as in low-population crops. The management of livestock increasing efficiency and margins for
areas where much of the farming and is also changing, as managers of cows, the producer.
harvesting is done. Rajant Corp. of Mal- hogs, and other animals seek to moni-
verne, PA, is a provider of wireless mesh tor their herds in real time, using
Further Reading
networking technology that works with Internet-connected collars and tags.
large agriculture companies in South Moocall’s Calving Sensor was devel- TongKe, F.
Smart Agriculture Based
America to provide the connectivity re- oped in 2014 by founder Niall Austin,
on Cloud Computing and IOT,
quired to monitor the huge fields of sug- who lost a heifer and her calf during Journal of Convergence Information
ar cane, soybean, corn, and other agri- a difficult birth. Noting that cows’ tail Technology, January 2013,
culture crops, which are often located in movement often predicts the onset https://pdfs.semanticscholar.org/62ee/
remote areas with no wireless coverage. of calving, Austin and his partners b701c40626811a1111ca5d1db37650f1ea0b.
pdf
Through the use of Rajant’s mo- launched the Calving Sensor, which
bile mesh networking technology, in- clips on the tail of the cow. Luciano, M.
Satisfying Three Necessary Components for
telligent nodes called BreadCrumbs “Based on the movement of the
BVLOS Flight,
can be spread out across the fields to tail and the temperature reading, it Wireless Design Magazine, May 9, 2018,
capture a variety of attributes, includ- detects when the cow is actually calv- https://www.wirelessdesignmag.com/
ing soil nutrient content, soil pH, and ing, and it sends an SMS to the farmer, blog/2018/05/satisfying-three-necessary-
moisture levels that can be tracked who then immediately takes action,” components-bvlos-flight-operations
in real time, and alerts can signal says Ludovico Fassati, Head of IoT, Vo- Root AI-Reveal
farmers when a correction is needed. dafone Americas, which provides the August 8, 2018
https://www.youtube.com/watch?v=c-
Farmers can then make the necessary wireless infrastructure for the service.
JduOfLEpc
adjustments by adding chemicals, “In the past, the farmer needed to kind
water, or nutrients during the prime of sleep with the cow, but now, he can Keith Kirkpatrick is principal of 4K Research &
growing season. be there only when needed. It optimizes Consulting, LLC, based in Lynbrook, NY, USA.
Moreover, the mesh networking the farmer’s time,” and can reduce the
technology can be integrated with mortality rate of the calving process. © 2019 ACM 0001-0782/19/2 $15.00

16 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 news

Society | DOI:10.1145/3297803 Logan Kugler

Being Recognized
Everywhere
How facial and voice recognition are reshaping society.

T
HANKS TO ADVANCES in artifi-
cial intelligence (AI), society is
now facing a unique challenge:
how do we regulate the usage
of human faces and voices?
Facial recognition is the ability of
computer systems to identify and us by
our faces. Voice recognition is the abil-
ity of computer systems to do the same
for our words. Both are powered by AI,
and both create benefits for consum-
ers and citizens.
These technologies also raise diffi-
cult questions about privacy and per-
sonal rights.
Voice recognition powers popular
consumer devices like Siri and Alexa,
but it is also possible these devices are
surreptitiously logging conversations
and providing law enforcement with
information on individuals.
Consider: Amazon sold 2.5 million
of its Echo voice-assisted devices in the
first quarter of 2018, according to Geek- A Transportation Security Administration (TSA) screener uses a biometric facial recognition
Wire, while Google sold 3.2 million of scanner on a traveler at Washington Dulles International Airport.
its Google Home devices. Both devices
represent one of the main ways that in- In an age where technology can rec- to identify specific human faces in
dividuals are being listened to by ma- ognize you everywhere, visually or audi- photos or video. This technology can
chines and, in turn, by the makers of bly, how do you retain your privacy and identify and log facial details of indi-
those machines. personal agency? viduals by using cloud infrastructure
Facial recognition can be used by “Digitization facilitates the tracking to process images from a computer,
law enforcement to identify crimi- of everything we do online,” says Ei- smartphone, or camera. This infor-
nals faster, but it is also used by the leen Donahoe, executive director of the mation then may be used for a range
Chinese government for mass surveil- Global Digital Policy Incubator at Stan- of purposes, from recommending
lance of its citizenry. ford University’s Center for Democra- someone to tag on Facebook to catch-
Facebook alone has more than two cy, Development, and the Rule of Law. ing criminals.
PHOTO BY BILL O’ LEARY/TH E WASH INGTO N POST VIA GETT Y IMAGES

billion monthly active users, and any “If everything we do can be tracked and For instance, Amazon has sold fa-
of them who post photos are subject monitored by government, it will have cial recognition technology to U.S.
to the firm’s facial recognition algo- a chilling effect on what we feel free to law enforcement, where it is used to
rithms, which identify and suggest say, with whom we feel free to meet, identify persons of interest. It is also
tags to users. This is to say nothing and where we choose to go. used for mundane functions like
of widespread video surveillance “This loss of privacy in digitized so- checking for identity theft and fraud
used by national governments to ciety goes to the heart of free expres- at a Department of Motor Vehicles
identify citizens. For instance, large- sion, freedom of movement, freedom (DMV), says Clare Garvie, a facial rec-
scale facial recognition will be used of assembly and association.” ognition technology expert at George-
to identify and monitor hundreds of town University.
thousands of people during the 2020 The Dangers of Facial Recognition Facial recognition also gives cen-
Summer Olympics in Tokyo. Facial recognition is, broadly, the tralized authorities like governments
This all raises the question: ability of computer vision systems and multinational firms the power to

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 17
news

identify people and to control them mentally changes how we must view concept that government is account-
at scale. privacy and anonymity in public spac- able to the people.”
“In China, the government aims to es,” says Garvie. “With access to the Garvie observes that facial recogni-
enroll all citizens into a facial recog- right databases, law enforcement may tion is “not a monolith”; the technol-
nition database, to facilitate ubiqui- now be able to locate and identify any ogy is used by many different parties
tous tracking and identification,” says person walking by a security camera.” for many different purposes. It can
Garvie. “In Russia, face surveillance If the data produced by facial rec- enhance security and empower law en-
has been used to monitor and intimi- ognition is flawed or biased, it is pos- forcement, or it can be used to collect
date counter-government protests. In sible law enforcement and govern- data on citizens.
the United States, the Department of ment bodies could risk infringing on “As a society, we must think very
Homeland Security and some state the rights of citizens by using imper- carefully not just about its benefits, but
and local jurisdictions are exploring fect data to make legal or enforce- its risks, and use legislation to guard
the reaches of the technology as well.” ment decisions. against the latter.”
Facial recognition raises ques- “Facial recognition technology will Unfortunately, the laws governing
tions about a citizen’s right to priva- take this loss of privacy and liberty to a the use of facial recognition technol-
cy. The Electronic Frontier Founda- new level by taking choice about utili- ogy are murky at best, according to
tion (EFF) published a whitepaper in zation of the technology away from citi- WIRED magazine, which points out
which it posits that “face recognition zens,” says Donahoe. that “state and federal laws gener-
disproportionately impacts people “One of the most concerning dimen- ally leave police departments free to
of color” by misidentifying African sions of facial recognition technology do things like search video or images
Americans and minorities at higher is that it will be embedded in many collected from public cameras for
rates than whites. different dimensions of daily exis- particular faces.”
This matters, given the ubiquity of tence without any choice among citi-
facial recognition systems in modern zens, and without even the awareness Always Listening
public life. of citizens. When people lose aware- Voice recognition is the ability of
“As one of the first viable technolo- ness of and choice about when they natural language processing (NLP)
gies for conducting biometric sur- are being watched by government, it software to “understand” human
veillance, facial recognition funda- risks inverting the core democratic language. A system like Siri or Alexa

Milestones

ACM Names 2018 Fellows

ACM has named 56 members as Rastislav Bodik, University of Dan Halperin, Tel Aviv University Frank Mueller, North Carolina
2018 ACM Fellows for theoretical Washington Johan Håstad, KTH Royal Institute State University
and specific achievements Katy Borner, Indiana University of Technology, Stockholm David Parkes, Harvard University
in computer architecture, Amy S. Bruckman, Georgia Tian He, University of Minnesota, Gurudatta Parulkar, Open
mobile networks, robotics, and Institute of Technology Twin Cities Networking Foundation (ONF)
systems security, underpinning Jan Camenisch, IBM Research/ Wendi Beth Heinzelman, Toniann Pitassi, University of
the technologies that define DFINITY Labs Zurich University of Rochester Toronto
the digital age and have had Adnan Darwiche, University of Aaron Hertzmann, Adobe Research Lili Qiu, University of Texas at
significant ramifications in California, Los Angeles Jessica K. Hodgins, Carnegie Austin
our lives. Andre M. Dehon, University of Mellon University Matthew Roughan, University of
Said ACM President Cherri M. Pennsylvania John Hughes, Chalmers University Adelaide
Pancake, “We are honored to add Premkumar T. Devanbu, Charles Lee Isbell, Georgia Amit Sahai, University of
a new class of Fellows to ACM’s University of California, Davis Institute of Technology California, Los Angeles
ranks and we look forward to the Tamal Dey, Ohio State University Kimberly Keeton, Hewlett Packard Alex Snoeren, University of
guidance and counsel they will Sandhya Dwarkadas, University of Laboratories California, San Diego
provide to our organization.” Rochester Sanjeev Khanna, University of Gerald Tesauro, IBM Research,
Steven Feiner, Columbia University Pennsylvania Yorktown
THE NEW ACM FELLOWS ARE: Tim Finin, University of Maryland, Lillian Lee, Cornell University Bhavani Thuraisingham,
Baltimore County Tom Leighton, Akamai University of Texas at Dallas
Gul Agha, University of Illinois at Thomas Funkhouser, Princeton Technologies Salil Vadhan, Harvard University
Urbana-Champaign University, Google Fei-Fei Li, Stanford University Ellen M. Voorhees, National
Krste Asanovic, University of Minos Garofalakis, Athena Michael Littman, Brown University Institute of Standards and
California, Berkeley Research Center, Technical Huan Liu, Arizona State University Technology
N. Asokan, Aalto University University of Crete Jiebo Luo, University of Rochester Avi Wigderson, Institute for
Paul Barham, Google Brain Mario Gerla, University of Bruce M. Maggs, Duke University Advanced Study
Peter L. Bartlett, University of California, Los Angeles Bangalore S. Manjunath, Alec Wolman, Microsoft Research
California, Berkeley Juan E. Gilbert, University of University of California, Santa
David Basin, ETH Zurich Florida Barbara More information on the new ACM Fellows
Elizabeth M. Belding , University Mohammad T. Hajiaghayi, Vishal Misra, Columbia University, is available through the ACM Fellows site
of California, Santa Barbara University of Maryland, College Park Google at https://awards.acm.org/fellows.

18 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 news

hears your voice, processes the lan- social control. The mere possibility of
guage of your speech, then responds surveillance has the potential to make
to the content of your queries. Amazon says people feel extremely uncomfortable,
We see the value of these systems the Echo is cause people to alter their behavior,
every day. Voice assistants increasingly and lead to self-censorship and inhi-
help us search online and find relevant “constantly bition.’”
content to serve consumer needs. In listening but Donahoe is equally skeptical that
fact, about 50% of all online searches governments will make the right call
will be voice searches by 2020, accord- not recording, when it comes to balancing security
ing to media measurement and analyt- and nothing is and liberty. “The ease of use of facial
ics firm Comscore. recognition technology for security
“Voice recognition technology will streamed to purposes will make it less likely that
expand accessibility to many devices or stored in governments will protect citizen liber-
and applications, especially for people ty to the extent required by democratic
who are visually impaired,” says Do- the cloud without values,” she says.
nahoe. “I can imagine voice recogni- the wake word “A core challenge for democratic gov-
tion technologies bringing many ben- ernments will be continued adherence
eficial applications and efficiencies to being detected.” to the rule of law, where restrictions on
society, and expanding accessibility.” individual liberty that flow from use of
These could include making search- this technology must be justified by ne-
ing for information, and purchasing cessity, legitimate purpose, and use of
online, easier for consumers. the least restrictive means available.”
However, she notes, there are
downsides. No Easy Answers
Further Reading
While voice recognition may em- Given the increasing ubiquity of facial
power individuals, the technology also and voice recognition, serious impacts Simonite, T.
Few Rules Govern Police Use of Facial
may impact privacy. Voice recognition on society are inevitable.
Recognition, WIRED, May 22, 2018,
devices are listening constantly, ac- “I don’t think society is ready for the https://www.wired.com/story/few-rules-
cording to The Washington Post. These new potential of state power to track peo- govern-police-use-of-facial-recognition-
devices are listening for the “wake ple,” says Martin Chorzempa, a research technology/
up” words that activate them, such fellow at the Peterson Institute for In- Lynch, J.
as “Hey, Google” or “Alexa,” that us- ternational Economics in Washington, Face Off: Law Enforcement Use
ers must speak to alert the devices D.C. He cites the Chinese government’s of Facial Recognition Technology, EFF,
February 12, 2018,
that a request is about to be made. use of facial recognition for law enforce-
https://www.eff.org/wp/law-enforcement-
There have been allegations that ment purposes to track down everyone use-face-recognition
these devices are always listening, from wanted criminals to jaywalkers.
Lapowsky, I.
and this information is then being “It will be increasingly difficult for Schools Can Now Get Facial
logged in ways that violate user privacy. individuals to avoid broadcasting to Recognition Tech for Free. Should They?
Amazon has denied its voice- the world where they are,” Chorzem- WIRED, July 17, 2018,
controlled Echo is always capturing pa says. “For example, someone who https://www.wired.com/story/realnetworks-
what is said in its presence, saying, passes by Times Square on their way facial-recognition-technology-schools/
“that allegation—that the Echo is to work will likely show up in tourist Levy, N.
possibly recording at all times with- photos that are posted on social me- Amazon Hands Over Alexa Data
in Arkansas Hot Tub Murder Case,
out the ‘wake word’ being issued—is dia, and facial recognition could easily But 1st Amendment Questions Remain,
incorrect,” according to an Amazon piece together their route to work and GeekWire, March 7, 2017,
spokesperson. “The device is con- their schedule using the photos and https://www.geekwire.com/2017/amazon-
stantly listening but not recording, the times or dates they were taken.” hands-over-alexa-data-in-arkansas-hot-
and nothing is streamed to or stored In an era where devices are always tub-murder-case-but-questions-of-1st-
amendment-rights-remain/
in the cloud without the wake word watching and listening, personal priva-
being detected.” cy is more likely than ever to be assault- Olson, C.
Just Say It: The Future of Search
This has not stopped law enforce- ed by official institutions, even well- Is Voice and Personal Digital Assistants,
ment from lobbying Amazon for user meaning democratic governments. Campaign, April 25, 2016,
data when investigating potential “We risk chilling free speech and https://www.campaignlive.co.uk/article/
crimes, in an effort to pull voice logs assembly—rights guaranteed to us just-say-it-future-search-voice-personal-
from the company’s servers. Amazon under the First Amendment,” says digital-assistants/1392459
dropped a motion to protect audio re- Garvie. “Law enforcement agencies
Logan Kugler is a freelance technology writer based
cordings from one of its Echo devices themselves recognized this risk in a in Tampa, FL, USA. He has written for over 60 major
that belonged to a murder suspect. The 2011 Privacy Impact Assessment, stat- publications.
company had originally argued the data ing: ‘The potential harm of surveil-
was protected by the First Amendment. lance comes from its use as a tool of © 2019 ACM 0001-0782/19/2 $15.00

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 19
V
viewpoints

DOI:10.1145/3300224 Carl Landwher

Privacy and Security

2018: A Big Year
for Privacy
Retracing the pivotal privacy and security-related
events and ensuing issues from the past year.

T
HE YEAR 2018may in the fu- estimated that today approximately On the policy front, the long-await-
ture be seen as a turning 60% of Americans of European de- ed implementation of the EU’s General
point for privacy incidents scent could be identified from their Data Protection Regulation (GDPR) in
and associated privacy- DNA, even if they had never regis- late May12 triggered many reviews of
policy concerns. In March, tered their DNA with any site.6 Fur- corporate data privacy policies glob-
the Cambridge Analytica/Facebook ther, they forecast the figure will rise ally. These revisions required untold
incident opened many eyes to the to 90% in only two or three years.9 numbers of clicks by users asked to ac-
unanticipated places personal data The John Hancock Life Insurance knowledge policy changes.
reaches, and it continues to gener- Company announced it would sell About a month later, under threat
ate repercussions.4 Google shut down life insurance only through “interac- from a strong privacy ballot initia-
its struggling Google Plus social net- tive” policies that provide financial tive, California passed the Califor-
working system in October, after an- incentives to track policyholders’ fit- nia Consumer Privacy Act of 2018.1
nouncing it had exposed the data of ness and health data through wear- It incorporates some features of the
approximately 500,000 users,15 only able devices and smartphones;2 and GDPR and gives California consum-
1% as many as involved in the Cam- the latest Apple Watch can take your ers the right to know what personal
bridge Analytica case. Facebook re- electrocardiogram. information businesses have about
vealed another data breach in Octo- them. Consumers control whom the
ber, this one affecting a reported 29 information is shared with or sold to,
million users.14 Innovation has and can request that information be
The open GEDmatch genomics deleted. This law begins to require
database, developed for genealogy its downside and consumer-facing businesses to live
research, was used by police and loss of privacy is up to some of the Fair Information
genetics experts to identify alleged Practice Principles that were mandat-
murderers in two “cold cases” and not easy to remedy. ed for U.S. government systems (but
several other crimes. 8 The site’s not commercial enterprises) by the
founders, at first uncomfortable Privacy Act of 1974.13
with its use by law enforcement, “Personal information” in the
seem to now be more comfortable California law is broadly defined. It
with it. Researchers subsequently includes biometric information, but

20 COM MUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 viewpoints

also “information that identifies, re- cations for, among other things, Inter- privacy practices that will help com-
lates to, describes, is capable of being net-based transactions of all kinds. panies assess privacy risk and adopt
associated with, or could reasonably The 5-4 decision had four separate measures appropriate to the risk. In
be linked, directly or indirectly, with dissenting opinions. The majority char- parallel, the NTIA, also part of the
a particular consumer or household.” acterized the decision as “narrow” Department of Commerce, released
The law enumerates almost a dozen because it did not overturn the third a Request for Comments (RFC) on a
categories of personal information, party doctrine per se. Rather, it rec- two-part approach to consumer pri-
but exempts “publicly available” in- ognized the information in this case vacy: the first part describes desired
formation (also defined in the law). (cellphone site location information user-centric privacy outcomes and
Implementation details must be or CSLI records) deserves separate the second sets high-level goals out-
worked out before the law takes effect treatment because it is so invasive lining an ecosystem to achieve those
in 2020. The law has triggered nation- of “the privacies of life.” Further, outcomes.5 The RFC proposes no
al discussion and legislative propos- Justice Gorsuch’s dissent argues for changes to existing sectoral privacy
als in other states. overturning the third-party doctrine. laws, and, perhaps because it was de-
Also in June, the U.S. Supreme Court He proposes the consumer may well veloped in cooperation with the Na-
handed down a decision in Carpenter have a property interest in CSLI re- tional Economic Council, the second
v. U.S.3 This decision represents a no- cords held by the telephone compa- part on high-level goals emphasizes
table limitation of the “third-party ny, although that argument was not maintaining “the flexibility to inno-
doctrine” wherein a government put forth in this case. Other classes vate” and proposes to employ a “risk
IMAGE BY AND RIJ BORYS ASSOCIAT ES/SHUT TERSTOCK

request to a third party to produce of data routinely collected by third and outcome-based” approach as op-
data an individual has voluntarily parties could be equally invasive to posed to one of compliance.
surrendered to it does not require the privacies of life; more litigation While no one loves red tape, inno-
a warrant. This doctrine, in place in may follow. vation has its downside (remember
the U.S. since 1979, is the basis for In the fall, NIST initiated the de- those innovative collateralized debt
the idea that once a consumer sur- velopment of a privacy framework.10 obligations?), and loss of privacy is
renders data to a company as part Like the cybersecurity framework it not easy to remedy. Companies al-
of a transaction, the consumer loses released in 2014 and updated in April ready have the option of building in
any expectation of privacy for that 2018,11 the privacy framework is not to “privacy by design,” but relatively few
data. As such, it has had major impli- be a standard, but a guide to common have done so. To me, a requirement

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 21
viewpoints

for some baseline of measures seems abuse data entrusted to them must ex-
warranted, even essential. pect to be held accountable.
And Congress, for the first time in Congress, for Facebook/Cambridge Analytica was
years, is showing some interest in the first time not the first example of abuse, nor will
drafting comprehensive privacy legis- it be the last. The FTC’s privacy protec-
lation. This may become a hot topic in years, tion is evidently not working very well.
for the 116th U.S. Congress if public in- is showing Maybe the time has come for compre-
terest continues to be strong. hensive privacy legislation focused on
Returning to the Facebook/Cam- some interest aligning corporate incentives so their
bridge Analytica incident, this is of in drafting products provide the privacy people
immediate importance to those in expect and deserve. The California law
the computing profession, particu- comprehensive might be a step in this direction.
larly those conducting research. A re- privacy legislation. A society where individuals are
searcher with academic connections willing to share data for social benefit
gained permission from Facebook must make individuals confident that
to put up an app to collect data for shared data are unlikely to be abused
research purposes in 2014. This app and that abusers can be identified
collected data from some Facebook and made accountable.
users who consented to the collec- those commercial entities that use
tion, but also from millions of others Facebook data. The U.K. has already a Research into the weaknesses of anonymiza-
tion or de-identification schemes is needed
without their knowledge or consent. levied a fine of £500,000, the largest
to understand the limitations of these tech-
This collection would now violate its legislation allows, but this is un- niques. Like research that exposes security
Facebook’s policies, but it was not a likely to provide much incentive to a weaknesses in systems, it must respect the
violation at the time. The researcher company whose 2017 net income was concerns of those whose data is being studied.
provided this data to Cambridge An- over $15 billion. The GDPR permits
alytica, presumably in violation of penalties of up to 4% of global rev- References
1. Assembly Bill 375, California Consumer Privacy Act of
Facebook’s policies. Cambridge Ana- enues, which for Facebook would be 2018; https://bit.ly/2z68PCO
lytica exploited the data for commer- well over $1 billion, but the incident 2. Barlyn, S. Strap on the Fitbit: John Hancock to sell
only interactive life insurance. Reuters (Sept. 19,
cial purposes. occurred before the GDPR took effect. 2018); https://reut.rs/2DbAq84
The primary issue here is account- The threat of future fines should give 3. Carpenter v. U.S. 16-402. Decided June 22, 2018;
https://bit.ly/2MdFKaE
ability. This was either a violation of Facebook incentive to prevent recur- 4. Confessore, N. Audit approved of Facebook policies,
even after Cambridge Analytica leak. The New York
the academic’s agreement with Face- rence. Times (Apr. 19, 2018); https://nyti.ms/2vBniFI
book, or evidence that the agreements Fines levied by the FTC go into the 5. Department of Commerce, NTIA, RIN 0660–XC043.
Developing the administration’s approach to consumer
were insufficient to meet Facebook’s U.S. Treasury. Facebook’s users took privacy. Federal Register 83,187 (Sept. 26, 2018);
2011 consent decree with the Fed- the risks and are suffering the con- https://bit.ly/2AErrZP
6. Erlich, Y. et al. Identity inference of genomic data
eral Trade Commission (FTC). The sequences. Should they be compen- using long-range familial searches. Science (Oct. 11,
privacy of millions of people was vio- sated? A penny or dime for each user 2018); https://bit.ly/2CadGTP
7. Hempel, J. A short history of Facebook’s privacy
lated and the reputation of legitimate whose privacy was violated might not gaffes. WIRED (Mar. 30, 2018); https://bit.ly/2GjTPVD
academic researchers was tarnished. be the answer. Perhaps more progress 8. Murphy, H. How an unlikely family history website
transformed cold case investigations. The New York
Facebook apparently had little incen- would come from financing investi- Times (Oct. 15, 2018); https://nyti.ms/2EnGHhE
tive to hold the researcher and Cam- gative journalism or other controls, 9. Murphy, H. Most white Americans’ DNA can be
identified through genealogy databases. The New York
bridge Analytica to account. Aware but might not be within the scope of Times (Oct. 11, 2018); https://nyti.ms/2pRFhBX
of what happened over a year before actions regulatory agencies can take. 10. NIST Privacy Framework Fact Sheet, Sept. 2018;
https://bit.ly/2AcYZ0H
the disclosure, Facebook belatedly is- Imagination might be required to 11. NIST Framework for Improving Critical
sued yet another in a long history of help Facebook hold their clients to ac- Infrastructure Cybersecurity, Version 1.1 (Apr. 16,
2018); https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.
privacy apologies.7 count in ways that compensate Face- CSWP.04162018.pdf
12. Official Journal of the European Union. General Data
The FTC and the Securities and Ex- book users. Protection Regulation. 4.5.2016. (English version);
change Commission (SEC) are inves- Computing professionals involved https://bit.ly/2s7bupy
13. Public Law 93-579. Privacy Act of 1974. (Dec. 31,
tigating this incident. The SEC could in “big data” research should pay at- 1974); https://bit.ly/2yKCboa
find Facebook liable for failing to in- tention if they wish to gain access to da- 14. Vengattil, M. and Paresh, D. Facebook now says data
breach affected 29 million users, details impact.
form its shareholders of the incident tasets containing or derived from per- Reuters (Oct. 12, 2018); https://reut.rs/2CGewZz
when discovered. The FTC could find sonal information. They must abide by 15. Wasabayashi, D. Google Plus will be shut down after
user information exposed. The New York Times (Oct. 8,
Facebook violated the terms of their agreements made with dataset provid- 2018); https://nyti.ms/2OKoFtH
2011 consent agreement by failing to ers and remember that exposing data
protect their customers’ data in ac- improperly damages public trust in Carl Landwehr (carl.landwehr@gmail.com) is Lead
cordance with the consent decree. research. Accidental or intentional re- Research Scientist the Cyber Security Policy and Research
Institute (CSPRI) at George Washington University in
A court could make Facebook pay lease of personal data provided for re- Washington, D.C., and Visiting McDevitt Professor of
fines large enough to give it suffi- search purposes to anyone else, even if Computer Science at LeMoyne College in Syracuse, NY.

cient incentive to enforce the correct aggregated and anonymizeda attracts

privacy policies on researchers and public attention. Researchers who Copyright held by author.

22 COMM UNICATIO NS O F THE AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 V
viewpoints

DOI:10.1145/3300226 Carol Frieze and Jeria L. Quesenberry

• Richard Ladner, Column Editor

Broadening Participation
How Computer Science
at CMU Is Attracting
and Retaining Women
Carnegie Mellon University’s successful efforts enrolling,
sustaining, and graduating women in computer science challenge
the belief in a gender divide in CS education.

T
HE PERSISTENT UNDERREP-
of women in
R E S E N TAT I O N
computing has gained the
attention of employers,
educators, and researchers
for many years. In spite of numerous
studies, reports, and recommenda-
tions we have seen little change in the
representation of women in computer
science (CS)—consider that only 17.9%
of bachelor’s degrees in computer sci-
ence were awarded to women in 2016
according to the annual Taulbee Sur-
vey.15 At Carnegie Mellon University
(CMU) we do not believe the situation
is an intractable problem.
By paying close attention to culture
and environment, and taking a cultural
approach rather than a gender differ-
Women comprised more than 48% of incoming first-year undergraduate students at Carnegie
ence approach, our efforts continue to Mellon University’s School of Computer Science in fall 2016, establishing a new school
pay off. The percentage of women en- benchmark for diversity.
rolling and graduating in CS at CMU
has exceeded national averages for success in addressing the gender gap. taining, and graduating women in CS.
many years (see the accompanying Harvey Mudd College, for example, Since 2002 we have conducted ongoing
PHOTO C OURT ESY OF CA RNEGIE M ELLON UNIVERSIT Y

figure and table). Indeed, the school went from 10% women in CS in 2006, case studies to understand the CMU
gained attention when 48% (of the to- the year Maria Klawe took over as col- story.b We have learned many valuable
tal 166 students), 49+% women (of the lege president, to 40% women in CS by lessons. In a nutshell, for women to be
total 205 students), and just shy of 50% 2012.2 These institutions, and the many
when 105 women (out of 211 students) others who are investing in change b Case studies were conducted in 2002, 2004,
entered the CS major in 2016, 2017, to improve gender balance, are proof 2009–2010, 2011–2012, and 2016–2017 and
and 2018 respectively.a But CMU is not that—as CMU CS Professor Lenore included a variety of data-collection tools in-
cluding face-to-face interviews, surveys, focus
alone—other institutions have also had Blum says—“it’s not rocket science!” groups, and observations. Participants in-
This column summarizes CMU’s cluded current undergraduate and graduate
a See https://bit.ly/2ULGgBS successful efforts in enrolling, sus- students, faculty, and staff.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 23
viewpoints

Percentage of male and female first-year students by year of enrollment. benefit of all students. CMU, with its
School of Computer Science and the
seven departments within the school,
120 Male Female offers a wide variety of courses—some
100 of which are applications focused—
but the core CS curriculum and a wide
80
# of Students

variety of advanced courses have be-

60 come increasingly theory driven and
rigorous without impacting students’
40
retention and success.
20
Cultural Change Is Key—And
0
2010 2011 2012 2013 2014 2015 2016 2017 2018
It Can Change at the Micro Level
Year
In 1999, CMU dropped the program-
ming/CS background requirement
from the admissions criteria and add-
ed leadership potential while keeping
First-year enrollment by gender (rounded to the nearest full number). high SAT scores, particularly in math
and science. Dropping this require-
Year Enrolled # Male % Male # Female % Female ment was prompted by a valuable
2010 143 106 74% 37 26% finding from the 1995–1999 research
2011 152 104 68% 48 32% studies.11 Various entry levels into the
2012 127 89 70% 38 30% first-year courses were created for stu-
2013 136 89 65% 47 35% dents with little to no background.
2014 138 82 59% 56 41% Other major contributing factors in-
2015 147 101 69% 46 31% cluded: CMU Dean Raj Reddy’s vision
2016 166 86 52% 80 48% to produce leaders in the field that
2017 205 103 50% 102 50% also brought institutional support for
2018 211 106 50% 105 50% change; Lenore Blum joined the CS
faculty bringing long-standing exper-
tise and advocacy for women in sci-
successful in CS we needed to change our experiences, we summarize five key ence and math; and the development
the culture and environment, and de- takeaways we believe may be replicated of Women@SCS, an organization of
velop and sustain programs that work at other institutions where there is the faculty and students (mostly, but not
to level the playing field without mak- motivation for change. all, women) led by a Student Advisory
ing women feel like a separate species. Committee, working to ensure that
However, we did not need to change Women Do Not Need the professional experiences and so-
the curriculum to be “pink” in any way. a Female-Friendly Curriculum cial opportunities for women reflect
Indeed, gender difference approaches, From 1999 onward some dramatic the implicit opportunities for those in
which tend to assume CS should be changes occurred at CMU, changes the majority (see https://www.women.
changed to suit women’s presumed in- that contributed to a successful and cs.cmu.edu/).
terests, have not provided satisfactory much-improved undergraduate experi- These changes brought in many
explanations for the low participation ence for students in the CS major. Most more women, and more students—
of women in CS. Indeed, beliefs in a significantly these changes led from both male and female—with a broader
gender divide may actually be deter- women feeling out of place and small range of characteristics and interests.
ring women from seeing themselves in in number to being well represented, We started to see a more balanced
male-dominated fields. being an integral part of the CS culture, student body, balanced in terms of
We hope the CMU story can help contributing to the culture, and being gender, of student characteristics,
challenge the gender divide in CS, show successful in the field alongside their and balanced in terms of leveling-the-
that women can master this field suc- male peers. Indeed, men and women playing-field opportunities for women
cessfully, and inspire others to think graduate at the same rate. This suc- through Women@SCS. In this more
more broadly about intellectual and ac- cess occurred without compromises balanced environment our observa-
ademic expectations. We acknowledge to academic integrity, without chang- tions and series of studies, including
that the CMU experience may not be ing the curriculum to suit women, nor our 2016–2017 study,3–7 found CMU
fully generalizable. For example, CMU by accommodating what are perceived students relating to CS through a spec-
is a private institution that may not to be “women’s” learning styles and trum of attitudes along with many
have some of the constraints state in- attitudes to CS. Changes to the CMU more similarities than differences.
stitutions have because of various laws curriculum, as in any department com- For example, we found most students
and regulations. While recognizing the mitted to providing the best academic (men and women) have a deep inter-
potentially limited generalizability of program possible are made for the est in computer science and want to

24 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 viewpoints

do something useful with their skills in needed. Our latest intervention—Bias-

order to contribute to the social good. Busters@CMU—developed in collabo-
We see culture as ration with CMU’s College of Engineer-
Institutional Support Is Critical a dynamic process; ing and Google, works with the entire
We believe sustained student leader- campus on the difficult issue of miti-
ship, with women at the helm, has shaping and being gating implicit bias.8
been critical for building a more in- shaped by those Interventions from Women@SCS
clusive community at CMU, and for have increased the visibility of women,
enhancing the academic and social life who occupy it, placing them in leadership positions,
of the entire community. At the same in a synergistic providing opportunities for them to
time, cultural change requires serious demonstrate their abilities, and to
institutional support and cannot be diffusive process. challenge stereotypes, all with the
left to chance, especially in a stubborn- critical support of our deans, faculty
ly male-dominated field like CS. and staff. For example, recognizing
At CMU, we have found that institu- an often-familiar situation in which
tional investment, providing funding, students can go through their entire
guidance, and endorsement for pro- school life without having a female
grams developed through Women@ in computing in Mauritius and in Ma- instructor, Women@SCS developed a
SCS, has paid off. The organization has laysia found no problem with women’s faculty-student lunch series, provid-
become a valuable resource for every- participation concluding “the under- ing female students an opportunity to
one while strengthening the image of representation of women in CS is not a meet role models and have personal
women in CS and challenging the ste- universal problem.”9 interactions in an informal setting.
reotypes about who fits the field. But the gender difference mind- Most importantly Women@SCS has
set—epitomized by the bestseller not been inward-looking. The organi-
Cultural Factors Are More Men Are from Mars, Women Are from zation has facilitated many outside the
Important than Gender Differences Venus10—has a strong hold on public classroom programs for the benefit of
Gender difference approaches often thinking in the U.S. and many parts the entire student body such as peer-
argue that there are strong gender dif- of the Western world. For example, to-peer interview and speaking skills
ferences in the way girls and boys, or “… anonymous, aggregate data from workshops, outreach in the commu-
men and women, relate to the field; Google searches suggests that con- nity, and peer-to-peer advice sessions.
gender differences that work in favor temporary American parents are far In 2014, Women@SCS was asked to
of men and against women. To solve more likely to want their boys smart take the lead on SCS4ALL—http://
this problem and increase women’s and their girls skinny.”13 The belief that www.scs4all.cs.cmu.edu/—a student
participation in CS it is suggested men are innately better at coding than organization reaching out beyond
that we need to pay more attention to women, is a case in point. This mind- gender. Women@SCS has shown that
women’s interests and attitudes and set, fed by stereotypes, is relentlessly a women’s organization can be much
change CS accordingly. But approach- perpetuated. In turn stereotypes feed more than a “support” group for each
es that recommend accommodating our unconscious biases, which, if left other, they can be a valuable resource
differences—without recognizing that unchecked, can often lead to negative for building an inclusive community.
such differences can change according consequences for women in comput-
to the culture and environment—risk ing, and ultimately for the field itself. Conclusion
perpetuating the gender divide. We have found that cultural change,
This has not been our approach. Cultural Interventions not curriculum change (often rec-
Indeed, we questioned these assump- Are Needed for Change ommended by gender-difference ap-
tions and constraints. Gender is first We see culture as a dynamic process; proaches), is the key to sustaining a
and foremost a cultural issue not a shaping and being shaped by those community of women in CS. Indeed,
women’s issue, so rather than looking who occupy it, in a synergistic diffu- we advise caution when making chang-
at “gender differences” as our working sive process. A cultural approach ex- es based on appealing to stereotypes—
model we need to address the underly- amines a range of factors beyond gen- this may perpetuate the gender divide.
ing culture in which attitudes and op- der as determinants of women’s Institutional support is also critical
portunities for equality are influenced participation in CS including (but for real change and ultimate success—
and situated. This approach is sup- not limited to) the parts played by this includes funding, guidance, and
ported by evidence from other cultures the K–12 curriculum, stereotype philosophical advocacy for leveling the
outside the U.S. Galpin describes the threat, opportunities for engage- playing field. CMU has not been afraid
participation of women in undergrad- ment in CS, opportunities for leader- to give women a voice, to listen to
uate computing in more than 30 coun- ship, confidence levels, gender ra- women, and let women take the lead,
tries concluding “(t)he reasons that tios, implicit bias, myths and enabling them to play a valuable role in
women choose to study computing will stereotypes. A cultural approach ex- changing the culture.
vary from culture to culture, and from amines these factors and develops ac- We suggest monitoring student at-
country to country.” Studies of women tions and programs to intervene as titudes toward, and experiences in, the

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 25
viewpoints

and potentially open to the changes

Coming Next Month in COMMUNICATIONS we seek. This means we aim to con-
The persistent tinue to pay close attention to the is-
gender gap sue, provide institutional support, a
willingness to act, and flexibility to en-
The Seven Tools in computer science able change. The CMU approach rec-
of Causal Inference
is well documented, ognizes that ultimately diversity and
inclusion benefit the school, the com-
With Reflections on but there is munity, and field of computing.
Machine Learning less sharing References
of success stories. 1. Adams, J. Bauer, V. and Baichoo, S. An expanding
pipeline: Gender in Mauritius. In Proceedings of the
Metamorphic Testing 2003 ACM SIGCSE (Reno, Nevada, 2003), ACM Press,
New York, 59–63.
of Driverless Cars 2. Alvarado, C., Dodds, Z., and Libeskind-Hadas, R.
Increasing Women’s participation in computing at Harvey
Mudd College. ACM Inroads, 4 (Apr. 2012), 55–64.
Beyond Worst-Case 3. Blum, L. and Frieze, C. As the culture of computing
evolves, similarity can be the difference. Frontiers 26, 1
Analysis (Jan. 2005), 110–125.
CS major. Are men and women getting 4. Blum, L. and Frieze, C. In a more balanced computer
science environment, similarity is the difference and
similar opportunities for such things computer science is the winner. Computing Research
Telling Stories about Birds as leadership, visibility, networking, News 17, 3 (Mar. 2005).
5. Frieze, C. et al. Where are you really from? Mitigating
From Telemetric Data mentoring, and advocacy? Are women unconscious bias on campus. EasyChair Preprint no.
involved and given a central voice in 531 (2108); https://doi.org/10.29007/345g
6. Frieze, C. and Quesenberry, J.L. Kicking Butt in
The Compositional shaping the culture? Computer Science: Women in Computing at Carnegie
While a good academic life is criti- Mellon University. Dog Ear Publishing, 2015.
Architecture cal for success, students also need to
7. Frieze, C. and Quesenberry, J.L. From difference to
diversity: Including women in The Changing Face of
of the Internet feel like they belong socially14— this Computing. In Proceedings of the 2013 ACM SIGCSE
(Denver, Colorado, 2013), ACM Press, New York,
will enhance their sense of academic 445–450.
fit. Indeed college life is best viewed 8. Frieze, C. et al. Diversity or difference? New research
From Computational supports the case for a cultural perspective on women
Thinking to holistically. Do not underestimate the in computing. Journal of Science Education and
Technology 21, 4 (Apr. 2011), 423–439.
value of student organizations, and of
Computational Action social events where information is ex-
9. Galpin, V. Women in computing around the world.
ACM SIGCSE Bulletin–Women in Computing 34, 2
(Feb. 2002), 94–100.v
changed, friendships and communi- 10. Gray, J. Men Are from Mars, Women Are from Venus.
Benchmarking ties are formed, and where everyone HarperCollins, New York, 1992.
11. Margolis, J., and Fisher, A. Unlocking the Clubhouse:
‘Hello, World!’ gets a chance to be included in the lat- Women in Computing. MIT Press, Cambridge, MA, 2002.
est student discussions. 12. Othman, M. and Latih, R. Women in computer science:
No shortage here!” Commun. ACM 49, 3 (Mar. 2006),
The persistent gender gap in CS 111–114.
Understanding Database
is well documented, but there is less 13. Stephens-Davidowitz, S. Google, tell me. Is my son a
Reconstruction sharing of the success stories. By tell-
genius? The New York Times (Jan. 18, 2014).
14. Veilleux, N. et al. The relationship between belonging
ing the CMU story we hope to illustrate and ability in computer science. In Proceedings of the
44th ACM Technical Symposium on Computer Science
Attacks on Public Data a successful approach, one that can Education (2013), 65–70.
help the field of computing become 15. Zweben, S. and Bizot, B. 2016 Taulbee Survey.
Computing Research Association 29, 5 (May 2017),
more inclusive.c At the same time, we 3–51; https://bit.ly/2STxBeJ
Design Patterns
cannot become complacent. Gender
for Managing Up balance at the undergraduate level Carol Frieze (cfrieze@cs.cmu.edu) is Director of
Women@SCS and SCS4ALL, organizations that build
is not an end in itself and our efforts community on campus, provide leadership and networking
A Hitchhiker’s Guide to need to continue. Success with gender opportunities, and promote diversity in computer science,
at the School of Computer Science, Carnegie Mellon
the Blockchain Universe diversity is one important step in de- University, Pittsburgh, PA, USA.
veloping strategies to be more inclu- Jeria L. Quesenberry (jeriaq@andrew.cmu.edu) is an
sive of all who are underrepresented Associate Teaching Professor of Information Systems in
Predicting Program in the field of computing. In doing so the Dietrich College of Humanities and Social Sciences at
Carnegie Mellon University, Pittsburgh, PA, USA.
Properties From Big Code we believe the CMU approach, with a
focus on culture is particularly advan- This column is derived from the authors’ book Kicking
tageous because culture is mutable Butt in Computer Science: Women in Computing at
Carnegie Mellon University;6 the authors’ next book, Global
Perspectives on Women in Computing (working title), will
c We recognize that women and men are not be published in early 2019 by Cambridge University Press.
single separate categories and yet we are as
guilty as anyone for using the term “women” The opinions expressed in this column are the authors
Plus the latest news about and “men.” We are all shaped by complex alone and do not reflect the opinions of the Carnegie
rare Earth, exoskeletons, and Mellon University or any other employee thereof.
identities and experiences and a multitude of
advances in energy storage. determinants are involved in our choosing or
not choosing to study computer science. Copyright held by authors.

26 COM MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 V
viewpoints

DOI:10.1145/3300228 George V. Neville-Neil

Article development led by
queue.acm.org
out any messages being dropped, lost,
or corrupted.”

Kode Vicious
If your test has special setup require-
ments, such as a particular configuration
of software or hardware, these must also

Writing a Test Plan

be included in the plan, probably under
their own section marked “Configura-
tion.” At the present time, you are the one
Establish your hypotheses, methodologies, and expected results. writing the plan and the tests and proba-
bly executing them, but in the future, it
Dear KV, may not be you running the tests. All the
We are getting ready for a project re- assumptions that are in your head while
lease at work, and since we are a small writing the test plan must be sought out
startup, all the developers have been and then written down. A test plan that
asked to test the code of one of the oth- leaves out an important but obvious (to
er developers. We did this by lottery, you, anyway) requirement is going to be a
each of us drawing a name from a hat source of maddening frustration for the
(we were not allowed to draw our own next person who tries to use it.
name). It was an odd way to select tes- Two more items to note in the test
ters, but it seems no worse than the pro- plan are the framework you are using
cesses I have seen at larger companies. word hypothesis, but each test is basically and where it will store its results. Unlike
The problem for me is not that I have to testing one. The plan should start with an a lab report, your test plan does not need
write tests, but that I also have to write a outline so that you know you are covering to contain the results of running the test,
test plan, one of the requirements im- the basics and the main thrust of the and, in fact, I would expect that the re-
posed by our CEO, who is also the VP of code. In place of a hypothesis, you have a sults would be stored somewhere by the
engineering, aka my boss. I have never statement about what you expect the test framework that you are using.
written an actual test plan, just collec- code to do: “Given input X, we expect to If you can think of each of your tests
tions of tests. Of course, I test my own see output Y.” Of course, it is not enough as an experiment with a hypothesis, a
code, but because I wrote the code, I to have just a hypothesis; you have to say test methodology, and a test result, it
know what I am testing, and it has always how you’re going to prove or disprove the should all fall into place rather than fall-
been a straightforward process. Should I hypothesis. What is your test method? Do ing through the cracks.
just write the tests and then list them in not answer this with, “Run the code.” KV
the plan? Somehow that does not seem Now that you know you have to do
to be what my boss is looking for. more than “run the code,” let’s look at
Related articles
A Man Without a Plan some more useful valid test methods. De-
on queue.acm.org
scribing the test inputs you intend to use
is a good start. You do not need to list Debugging on Live Systems
Kode Vicious
Dear Planless, every possible input, but you should de- https://queue.acm.org/detail.cfm?id=2031677
Ah, a test plan, which can be an incredibly scribe the range or shape of what the
Quality Assurance: Much More than Testing
useful document or a massive time sink inputs might be. For a networked system, Stuart Feldman
and distraction. Most good test plans you might describe the types of messages https://queue.acm.org/detail.cfm?id=1046943
start out as one-page documents, be- you will use in your test: “We will send
Thinking Clearly about Performance
cause what you must avoid is setting out packets of between 64 and 1,500 bytes, Cary Millsap
to test everything—all at once. Instead of with most messages being power-of-two https://queue.acm.org/detail.cfm?id=1854041
just trying to poke at various things that size bytes and containing random bit pat-
you think you need to test, you need to terns in their payload sections.” That is George V. Neville-Neil (kv@acm.org) is the proprietor of
Neville-Neil Consulting and co-chair of the ACM Queue
have a plan of attack as to what and how the test input, but you also must de- editorial board. He works on networking and operating
IMAGE BY MA KSIM M

to test your colleague’s code. scribe the test output. Again, taking a systems code for fun and profit, teaches courses on
various programming-related subjects, and encourages
A good test plan is a lot like the lab re- networked system as an example, you your comments, quips, and code snips pertaining to his
ports some of us had to write for high might say, “A correct test result is one Communications column.

school science classes. You won’t use the where all messages are forwarded with- Copyright held by author.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 27
V
viewpoints

DOI:10.1145/3299800 Dror G. Feitelson

Viewpoint
Tony’s Law
Seeking to promote regulations for reliable software
for the long-term prosperity of the software industry.

S
O M EO N E D I D N OT tighten
the lid, and the ants got into
the honey again. This can
be prevented by placing the
honey jar in a saucer of wa-
ter, but it is a nuisance, occupies more
counter space, and one must remem-
ber to replenish the water. So we try at
least to remember to tighten the lid.
In the context of security, the soft-
ware industry does not always tighten
the lid. In some cases it fails to put the lid
on at all, leaving the honey exposed and
inviting. Perhaps the most infamous ex-
ample of recent years is the WINvote vot-
ing machine, dubbed the worst voting
machine in the U.S. A security analysis
by the Virginia Information Technolo-
gies Agency in 2015 found, among other
issues, the machines used the depre- cluding airspace utilization (distances ers whether they wished us to provide
cated WEP encryption protocol, that between planes), aircrew work sched- an option to switch off these checks in
the WEP password was hardwired to ules, aircraft noise levels, and more. the interests of efficiency on production
“abcde,” that the underlying Windows Advertisers are required to add warn- runs. Unanimously, they urged us not
XP (which had not been patched since ing labels on advertising for cigarettes to—they already knew how frequently
2004) administrator password was set and other tobacco products. subscript errors occur on production
to “admin” with no interface to replace Computers are regulated in terms runs where failure to detect them could
it, and that the votes database was not of electrical properties, such as the be disastrous. I note with fear and hor-
secured and could be modified.7 These FCC regulations on radiation and com- ror that even in 1980, language design-
machines had been used in real elec- munication. But the software running ers and users have not learned this
tions for more than 10 years. on computers is not regulated. Nearly lesson. In any respectable branch of en-
Such cases constitute malpractice, 40 years ago, in his ACM A.M. Turing gineering, failure to observe such elemen-
and call for regulation. Regulation is Award acceptance speech, Tony Hoare tary precautions would have long been
IMAGE BY AND RIJ BORYS ASSOCIAT ES/SHUT TERSTOCK

necessary because not everything can had the following to say about the prin- against the law.” [emphasis added].
be trusted to market forces. There are ciples that guided the implementation Hoare said this when personal com-
many examples in diverse industries. of a subset of Algol 60:2 “The first prin- puters and the Internet were in their
The sale of alcohol to minors is pro- ciple was security. [...] A consequence of infancy, long before the Web, DDoS
hibited. Construction and housing this principle is that every occurrence attacks, and data breaches. Indeed, a
cannot use asbestos and lead-based of every subscript of every subscripted lot has changed during this time (see
paints due to public health concerns. variable was on every occasion checked Table 1). But one thing that has not
The automotive industry is required to at runtime against both the upper and changed is the lack of any meaningful
install seat belts and report pollution the lower declared bounds of the array. regulation on the software industry.
levels. Aviation is strictly regulated, in- Many years later we asked our custom- In retrospect, Hoare’s pronounce-

28 COMMUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 viewpoints

ment exhibited great foresight. To this Table 1. Changes in software and computing in the last 30 years.
day buffer errors represent the single
most common vulnerability,a even more
so among high-severity vulnerabilities 1980s 2010s
(see Figure 1 and Figure 2). Just imagine C pointers Java garbage collection
if a law requiring bounds checks had Emacs Eclipse
been enacted more than 40 years ago, Math library Frameworks
and there were no buffer overflows to- Ad hoc programming Agile methodology
day. As it stands, Microsoft for one insti- Waterfall Evolution/continuous integration
tuted its Security Development Lifecycle Flowcharts UML
as a mandatory policy in 2004. This in- Write your own sort Copy from Stack Overflow
cludes—among many other features— Computer room Computer in your pocket
the option to require compilation with Hard disk Cloud
flags that insert bounds checks and the Text terminals Touch screens
option to ban unsafe library functions. Email Internet of Things
On the one hand this demonstrates that No regulation No regulation
such practices are just a matter of decid-
ing to use them. On the other hand they
are still not universally required, and
indeed even Microsoft products still oc- Figure 1. The number of software vulnerabilities cataloged by the NIST National Vulner-
ability Database skyrocketed in 2017, and the fraction of vulnerabilities involving buffers
casionally suffer from buffer issues.b (either categorized as “buffer error” or containing the keyword “buffer”) kept pace.
Similar sentiments have been repeat-
ed several times since Hoare’s speech.
Twelve years ago, ACM President David Other Vulnerabilities Buffer Related
Patterson put forward the “SPUR mani-
12000
festo,”3 suggesting the development
of 21st-century computer (software) 10000
systems should focus on security, pri-
Vulnerabilities

vacy, usability, and reliability—SPUR. 8000

The goal should be to be as safe as 20th- 6000
century banking, as low maintenance
as 20th-century radio, and as reliable as 4000
20th-century telephony. But more than
2000
a decade has passed, and it seems the
focus on low cost, multiple features, 0
and above all time to market is as strong 1995 2000 2005 2010 2015
as ever. Manufacturers of home appli-
ances compete, among other ways, by
offering superior warranties for their
products. The software industry, in con- Figure 2. According to the National Vulnerability Database, since the beginning of the
decade approximately 15% of all vulnerabilities have been related to buffer errors, and
tradistinction, has been getting away this rises to between one-quarter and one-third of the vulnerabilities if only those with
with software that comes “without war- a high severity score are considered.
ranty of any kind, expressed or implied,
including, but not limited to, the im-
plied warranties of merchantability and 35
fitness for a particular purpose.” Of High Severity
30 Vulnerabilities
Indeed, lectures such as Patterson’s
Percent Categorized

are typically either ignored or stir up a

As “Buffer Errors”

25
chorus of naysayers. The typical argu-
20
Of All
a The NIST National Vulnerability Database Vulnerabilities
uses 124 of the nearly 1,000 types listed in the 15
Common Weakness Enumeration to catego-
rize vulnerabilities. In 2015–1017, buffer er- 10
rors CWE-119 accounted for 15.2%–18.4% of
all vulnerabilities each year. The next highest 5
categories were information leak/disclosure
0
CWE-200 at 9.3%–10.9%, permissions, privileg-
es, and access control CWE-264 at 8.2%–10.0%, 2007 2009 2011 2013 2015 2017
and cross-site scripting CWE-79 at 7.3%–11.2%.
b One example: Microsoft Office Equation Editor
stack buffer overflow; see https://bit.ly/2zTngss

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 29
viewpoints

Table 2. Notable security incidents from 2007–2017.

Year Incident Significance

2007 Massive DDoS attacks on organizations and First demonstration of extensive countrywide
infrastructure in Estonia disruptions, possibly in connection to
international relations
2010 The Stuxnet cyber-weapon is used to disable Demonstration of potential impact on
physical centrifuges used in Iran’s nuclear computer-controlled physical infrastructure,
program and demonstration of cyber-weapons that
jump air-gaps and remain undetected for
long periods
2013 Yahoo is hacked and data about all three Biggest data breach of its kind
billion user accounts is stolen
2016 Hackers break into DNC computers and Strategic hacking with possible effect on
disseminate confidential documents the outcome of the U.S. presidential election
——————————————— ———————————————
DDoS attacks using a botnet of some 1.5 Demonstration of new vulnerabilities
million IoT devices (ironically, mainly security resulting from technological progress and

Advertise with ACM! 2017

cameras)
The WannaCry ransomware infects more
insufficient consideration of security
Demonstration of global-scale cyber crime
than 200,000 computers in 150 countries, and putting human lives at risk
Reach the innovators causing disruptions such as the closing down
of 16 hospitals in the U.K.
and thought leaders
working at the ments are the perceived monetary costs, try to take the required actions.1,6 Buyers
cutting edge the difficulties or even the impossibil- will not pay a premium for value (secu-
ity of implementation, and the fear of rity) they cannot measure, and which in
of computing reduced innovation and technological many cases does not affect them person-
and information progress. Schneider, in a recent Com- ally and directly. Approaches suggested
munications Viewpoint, also notes the by economists to measure the value of
technology through need for a detailed cost/benefit analy- protection do not help because the cost
ACM’s magazines, sis to ascertain what society is willing of a security catastrophe is up to anyone’s
to pay for improved security, where the imagination. This has prevented an in-
websites costs also include reduced convenience surance industry for software producers
and newsletters. (due to the need for authentication) and from emerging, and as Anderson and
functionality (due to isolation).4 And in- Moore write, “if this were the law, it is un-
deed all regulations are, by definition, likely that Microsoft would be able to buy
◊◆◊◆◊ limiting. But do we really need to wait insurance.”1 In practice, the reduction in
for a large-scale security catastrophe, stock value after disclosing a vulnerabil-
possibly including significant loss of ity is less than 1%.5 The abstract danger
Request a media kit life, before we act at all? As the Micro- of large-scale attacks leading to financial
with specifications soft example shows, extensive techno- loss and even loss of human life is not
logical solutions and best practices enough to change this.
and pricing: actually already exist. It is just a matter At the same time, we are inundated
of making their use pervasive. by increasing numbers of reports of
Ilia Rodriguez So why are software security faults data breaches and hackers infiltrating
tolerated? A possible explanation is various systems (see Table 2 for promi-
+1 212-626-0686 that software deficiencies have so far nent recent examples). Some of these
acmmediasales@acm.org been less tangible than those of tradi- incidents demonstrate that extensive
tional industries. Many people install physical civil infrastructures are at per-
multiple locks on their doors and would il across the globe—including hospi-
consider holding intruders to their tals, power plants, water works, trans-
homes at gunpoint, but fail to take suf- portation systems, and even nuclear
ficient safeguards to protect their home facilities. And the root cause at least
computers from hackers. The problems in some cases is the failure of the soft-
resulting from identity theft are much ware to take appropriate precautions.
more common but also much more bu- The software systems in a modern
reaucratic, boring, and less visual com- car—not to mention a passenger plane
pared to more dramatic problems such or a jet fighter—are of a scope and com-
as exploding gas tanks in pickup trucks. plexity that rivals any operating system
But above all else, it seems there is a or database produced by the traditional
market failure in incentivizing the indus- software industry. Indeed, every industry

30 COMMUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 viewpoints

is now a software industry. And the prod-

ucts of every industry are vulnerable due
Regulation is in
Calendar
to software defects. In such a context, re-
quired software regulation includes:
˲˲ Transparency: the obligation to
the interest of of Events
investigate and report all exploits in- the long-term February 11–15
cluding their technical details.
˲˲ The prohibition of dangerous
prosperity of WSDM 2019: The 12th ACM
International Conference on
practices, such as not using type-safe the software Web Search and Data Mining,
Melbourne, VIC, Australia,
languages and appropriate encryption.
˲˲ Holding companies accountable
industry. Co-Sponsored: ACM/SIG,
Contact: Alistair M. Moffat,
Email: ammoffat@unimelb.
for their unsafe practices. edu.au
These requirements need the
backing of legal regulations, because February 16–20
market forces compel industry not to try. However, these are not required by PPoPP ‘19: 24th ACM SIGPLAN
Symposium on Principles
invest in security too much. The mar- any formal regulations. and Practice of Parallel
ket promotes a race to the bottom; Protracted discussions on what to Programming,
except in niche applications, whoever do and what we are willing to pay for Washington, DC,
is faster to market and cheaper wins, are counterproductive. Such things Co-Sponsored: ACM/SIG,
Contact: Jeff Hollingsworth,
and whoever is tardy due to excessive cannot be planned in advance. Instead Email: hollings@cs.umd.edu
investment in security loses. Regula- we should learn from the iterative ap-
tion is the only way to level the play- proach to constructing software: try to February 24–26
ing field, forcing everybody to invest identify the regulations that promise FPGA ‘19: The 2019 ACM/SIGDA
International Symposium
in what they know to be needed but the highest reward for the lowest cost, on Field-Programmable
think they cannot afford to do when work to enact them, learn from the pro- Gate Arrays,
the competition does not. cess and the results, and repeat. Seaside, CA,
Sponsored: ACM/SIG,
Of course, it will not be easy to imple- Regulation is in the interest of the Contact: Kia Bazargan,
ment these ideas and agree on the myr- long-term prosperity of the software Email: generalchair@isfpga.org
iad details that need to be settled. Who industry no less than in the interest of
gets to decide what is a “dangerous prac- society as a whole. Software vendors February 25–26
HotMobile ‘19: The 20th
tice”? How do we deal with installed sys- with integrity should stop resisting International Workshop
tems and legacy code? Who is charged regulation and instead work to ad- on Mobile Computing Systems
with enforcing compliance? Moreover, vance it. The experience gained will be and Applications,
it is not clear how to make this happen extremely important in discussing and Santa Cruz, CA,
Sponsored: ACM/SIG,
at the political level. In addition, no enacting further regulations, both in a Contact: Alec Wolman,
single country has jurisdiction over all preemptive manner and—in the worst- Email: alec.wolman@gmail.
software production. So a system of cer- case scenario—in the aftermath of a com
tification is required to enable software security catastrophe.
February 25–March 3
developers to identify reliable software, SIGCSE ‘19: The 50th ACM
and to perform due diligence in select- References
Technical Symposium on
1. Anderson, R. and Moore, T. The economics of
ing what other software to use. information security. Science 314, 5799 (Oct. 26, Computing Science Education,
2006), 610–613; https://bit.ly/2GctSYd. Minneapolis, MN,
International frameworks already 2. Hoare, C.A.R. The emperor’s old clothes. Sponsored: ACM/SIG,
exist demonstrating these issues can Commun. ACM 24, 2 (Feb. 1981), 75–83; DOI: Contact: Manuel A. Perez-
10.1145/358549.358561.
be solved. The EU General Data Pro- 3. Patterson, D.A. 20th century vs. 21st century C&C: The
Quinones,
tection Regulation (GDPR), which con- SPUR manifesto. Commun. ACM 48, 3 (Mar. 2005), Email: perez.quinones@uncc.
15–16; DOI: 10.1145/1047671.1047688. edu
cerns the rights of individuals to con- 4. Schneider, F.B. Impediments with policy interventions
trol how their personal information is to foster cybersecurity. Commun. ACM 61, 3 (Mar.
2018), 36–38; DOI: 10.1145/3180493.
collected and processed, is an encour- 5. Telang, R. and Wattal, S. An empirical analysis of the March
aging example. Another example is impact of software vulnerability announcements on
firm stock price. IEEE Trans. Softw. Eng. 33, 8 (Aug. March 10–14
the Common Criteria for Information 2007), 544–557; DOI: 10.1109/TSE.2007.70712.
CHIIR ‘19: Conference on
Technology Security Evaluation, an in- 6. Vardi, M.Y. Cyber insecurity and cyber libertarianism.
Human Information Interaction
Commun. ACM 60, 5 (May 2017), DOI:
ternational framework for the mutual 10.1145/3073731. and Retrieval,
recognition of secure IT products. But 7. Virginia Information Technologies Agency. Security Glasgow, United Kingdom,
assessment of WINvote voting equipment for Sponsored: ACM/SIG,
this covers only high-level desiderata department of elections. (Apr. 14, 2015); https://bit.
ly/2EgvBct Contact: Martin Halvey,
for security, not the regulation of low- Email: martin.halvey@gmail.
level technicalities. This gap is partly com
Dror G. Feitelson (feit@cs.huji.ac.il) is the Berthold
filled by the Motor Industry Software Badler Chair in Computer Science at The Rachel and
Reliability Association (MISRA), which Selim Benin School of Computer Science and Engineering,
The Hebrew University of Jerusalem, Israel.
has defined a set of suggested safe cod-
ing practices for the automotive indus- Copyright held by author.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 31
V
viewpoints

DOI:10.1145/3231587 Enrico Nardelli

Viewpoint
Do We Really Need
Computational Thinking?
Considering the expression “computational thinking” as an entry point to understand why the fundamental
contribution of computing to science is the shift from solving problems to having problems solved.

I
CONFESS UPFRONT, the title of this
Viewpoint is meant to attract
readers’ attention. As a com-
puter scientist, I am convinced
we need the concept of compu-
tational thinking, interpreted as “being
able to think like a computer scientist
and being able to apply this competence
to every field of human endeavor.”
The focus of this Viewpoint is to dis-
cuss to what extent we need the expres-
sion “computational thinking” (CT). The
term was already known through the
work of Seymour Papert,13 many com-
putational scientists,5 and a recent pa-
per15 clarifies both its historical devel-
opment and intellectual roots. After the
widely cited Communications Viewpoint
by Jeannette Wing,19 and thanks to her
role at NSF,6 an extensive discussion
opened with hundreds of subsequent
papers dissecting the expression. There
is not yet a commonly agreed definition
of CT—what I consider in this View- Wing discussed CT to argue it is im- Forsythe, a former ACM president and
point is whether we really need a defini- portant every student is taught “how one of the founding fathers of computer
tion and for which goal. a computer scientist thinks,”19 which science education in academia, in 1968
To anticipate the conclusion, we I interpret to mean it is important to wrote: “The most valuable acquisition
probably need the expression as an in- teach computer science to every stu- in a scientific or technical education are
strument, as a shorthand reference to dent. From this perspective, what is the general-purpose mental tools which
a well-structured concept, but it might important is stressing the educational remain serviceable for a lifetime. I rate
be dangerous to insist too much on it value of informatics for all students— natural language and mathematics as
and to try to precisely characterize it. Wing was in line with what other well- the most important of these tools, and
It should serve just as a brief explana- known scientists had said earlier; I computer science as a third.”9 Even if
tion of why computer science (or infor- mention several here. both citations are not relative to a school
matics, or computing: I will use these Donald Knuth, well known by math- education context, in my view they clearly
terms interchangeably) is a novel and ematicians and computer scientists, in support the importance of teaching com-
IMAGE BY VA LLIA

independent scientific subject and to 1974 wrote: “Actually, a person does not puter science in schools to all students.
argue for the need of teaching infor- really understand something until he However, the wide popularity gained
matics in schools. can teach it to a computer.”10 George by CT after Wing’s Communications

32 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 viewpoints

Viewpoint risks spoiling the original jor countries. Here, I discuss the three a different way of thinking, called CT”
aim. Increasingly, people are consider- most relevant ones. and “learning about programming is a
ing CT a new subject, somehow different In England, the national computing way to discover the rudiments of CT.”
or distinct from computer science. In programmes of study,a published by the It emerges, from these three ex-
the quest to identify the definition that Department of Education in September amples, that CT is not a new subject
Wing did not provide, people are stress- 2013 and mandatory since school year to teach and what should be taught in
ing one or other aspect (abstraction, 2014–2015, uses CT in the presented school is informatics.
recursivity, problem solving, …) and in sense of what one gets by the study and But on the other side, the high num-
doing so they obscure its meaning. See practice of computing. In fact, it uses it ber of papers published with CT in their
Armoni2 and Denning5 for clear and illu- in the opening statement “A high-qual- title or abstract (the ACM Digital Library
minating discussions of this issue. ity computing education equips pupils alone contains more than 400) indi-
This situation becomes even more to use CT and creativity to understand cates a lot of people seem to argue (and
garbled when it comes to education. and change the world” and then just even Wing seemed to agree21) that CT
Speaking about teaching CT is a very two more times, in goals for Key Stage is something new and different. Some
risky attitude: philosophers, rightly, ask 3 “understand several key algorithms even say “coding” (which they consider
what we mean by “teaching thinking”; that reflect CT” and KS4 “develop and different from “programming”) is all
mathematicians appropriately observe apply their analytic, problem-solving, you need to learn it! A discussion of
that many characteristics of CT (such as design, and CT skills.” The curricu- risks related to this approach and other
abstraction, recursivity, problem solv- lum never defines the term. delicate issues regarding CT appeared
ing, …) are also proper of mathematics In the U.S., the “Every Student Suc- in a recent Communications column.8
(which they do not call “mathematical ceeds Act” (ESSA), approved by Congress I am convinced that considering
thinking”); pedagogues ask how we can in 2015 with bipartisan support, has in- CT as something new and different is
be sure CT is really effective in educa- troduced computer science among the misleading: in the long run it will do
tion; teachers want to know which are “well rounded educational subjects” more harm than benefit to informatics.
the methods and the tools for teaching that needs to be taught in schools “with After all, they do not teach “linguistic
this new discipline and how they can the purpose of providing all students thinking” or “mathematical thinking”
learn to teach it; and parents are alter- access to an enriched curriculum and in schools and they do not have “body
nately happy because it appears school educational experience,” and does not of knowledge” or “assessment meth-
has finally started to align itself to the contain at all the term “computational ods” for these subjects. They just teach
digital society while they are also con- thinking.” In January 2016, President (and assess competences in) “English”b
cerned about what will happen to their Obama launched the initiative “CS and “Mathematics.” Subsequently, the
children in the future if they just learn For All” whose goal is “to empower all various linguistic (resp. mathematical)
to code with the language of today. American students from kindergarten competences gained by study of Eng-
I think a large part of the commu- through high school to learn computer lish (resp. Mathematics), beyond be-
nity of computing scientists and edu- science and be equipped with the CT ing used in themselves, find additional
cators is convinced the original Com- skills they need …”. Once again, CT is uses in other disciplines. Between CT
munications Viewpoint by Wing was what you get when you have learned and computing there exists the same
aiming at “start rolling the ball” and computer science. relation. Therefore, we should discuss
what needs to be done is teaching in- In France, the Académie des Scienc- what to teach and how to evaluate com-
formatics in schools, possibly begin- es—the highest institution represent- petences regarding informatics in pri-
ning at an early age. Moreover, I am ing French scientists—published in mary/middle/secondary schools, and
convinced the same people are fully May 2013 the report “L’enseignement forget about teaching and evaluating
able to understand the meaning of de l’informatique en France. Il est ur- competences in CT.
Wing’s expression “to think like a com- gent de ne plus attendre,” (“Teaching In summary, speaking about CT
puter scientist” without the need of ex- computer science in France. Tomorrow helps people understand that: we are
actly explaining it. Or, if it is absolutely can’t wait.”) recommending—for what focusing on scientific and cultural as-
needed, they might agree with the regard the teaching of computer science pects of computing; we are not dealing
self-referential sentence “CT is the set (“informatique”)—“teaching should with system and tools, but with principles
of mental and cognitive competences start at the primary level, through ex- and methods; we are focusing on the
obtained by the study and practice of posure to the notions of computer sci- core scientific concepts of computing,
computer science”: the “tacit knowl- ence and algorithms, … <and> should on its conceptual kernel.11 Different from
edge” defined by Polanyi.14 be further developed in middle and sec- what happens with language and math,
Already in 1974 Knuth warned, in ondary school.” Analyzing their use of we are forced to explicit this distinction
discussing computer science, that CT (“pensée informatique”), it is clear since computers are what embodies
“the underlying concepts are much that in their vision the term denotes the informatics for most of people. In addi-
more important than the name.”10 It is specific habits of thinking developed by tion, we do not think the “computer sci-
much more so, I think, for CT. What re- learning computer science. Just a cou- entists’ way of thinking” is better than
ally counts is the fact that computing is ple of examples: “computing … leads to others, just that it offers a complemen-
taught early in schools. This is actually
the path being followed by some ma- a See https://bit.ly/1f7PIFU b Or the relevant native language.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 33
viewpoints

Modeling a situation and specifying the ways an information-processing agent can Indeed, in looking backward to-
effectively operate within it to reach an externally specified (set of) goal(s). ward how computer science was born,
it is clear the cultural seeds are in the
mathematicians’ quest for automatiz-
thought ing theorem proving, in their efforts
person
processes information to unload the burden of solving prob-
processing or
machine lems onto machines. This shift in view-
agent
point, from solving problems to having
problems solved is the intellectual birth
specifying
of informatics and is the “difference
modeling
effectiveness which makes a difference,”3 setting in-
formatics in its own proper and unique
place in the context of all sciences. The
importance of the “automaton” to give
to reach externally full sense to CT was also made explicitc
specified goals and emphasized.1,6
I also dare to provide, for the same
demonstrative purpose, a more gen-
eral explanation of what CT is, which is
somehow along a direction already hint-
ed at by Wing,16 who clarified: “My in-
terpretation of the words ‘problem’ and
‘solution’ is broad. I mean not just math-
tary and useful conceptual paradigm to ematician’s answer is: “Let R be the ring ematically well-defined problems whose
describe reality.7 of integer matrices; in this ring the sum solutions are completely analyzable,
At this point people usually ask which of two principal left ideals is principal, for example, a proof, an algorithm, or a
is this “conceptual kernel” and which ex- so let D be such that R A + R B = R D. Then program, but also real-world problems
amples can we provide. This is a critical D is the greatest common right divisor whose solutions might be in the form
passage to explain to people the novelty of A and B.”10 Clearly unsatisfactory for of large, complex software systems.”
of informatics among scientific disci- a computer scientist, for whom a solu- Nevertheless, Wing still used the word
plines and its educational value. For this tion is provided by a process computing “problem,” which conveys the meaning
purpose, the formulation attributed to the answer and not by an equation defin- of something that needs to be solved.
Cuny, Snyder and Wing16 is appropriate: ing the answer. I have intentionally used Since solving a problem is just
“CT is the thought processes involved the word “process” instead of the more an instance of a situation where one
in formulating problems and their so- usual “algorithm” to stress the fact that wants to reach a specified goal, here is
lutions so that the solutions are repre- we have a “process” only when the algo- my formulation: Computational think-
sented in a form that can be effectively rithm has been implemented in a suit- ing is the thought processes involved in
carried out by an information-process- able “language” and an “automaton” modeling a situation and specifying the
ing agent.” This is almost the same def- executes the obtained code. In such a ways an information-processing agent
inition given by Aho1 “CT is the thought way three of the main pillars on which can effectively operate within it to reach
processes involved in formulating computer science is based—algorithm, an externally specified (set of) goal(s).”
problems so their solutions can be rep- language, and machine—are all in- (See the accompanying figure.)
resented as computational steps and al- volved in characterizing the difference There are two main differences: one
gorithms” and Wing acknowledges the between the viewpoints of the math- is speaking about a situation where the
input received by him.20 The big issue, as ematician and the computer scientist. agent operates instead of a problem it
Armoni has clearly pointed out,2 is that I therefore think that, whenever has to solve, the other is clarifying the
by taking any of these as the definition of either the Cuny, Snyder, and Wing’s agent does not define by itself its overall
a new discipline instead of as an expla- formulation or Aho’s one is used for (set of) goal(s) but gets it from the out-
nation and trying to fully operationalize this explanatory purpose, the utmost side.d My formulation is also closer to
it causes more problems than benefits. stress must be put on the involve- more recent characterizations of com-
The issue of explaining in which sense ment of the information processing putation as an unbounded process.18
“the way a computer scientist thinks” agent (that is, the “automaton,” be it a
is different from “the way a mathemati- machine or a person acting mechani- c Aho wrote: “An important part of this process
cian thinks” is indeed an important one. cally). Without the agent and its capa- is finding appropriate models of computa-
Knuth had a brilliant example in his bility to operate effectively, there is no tion with which to formulate the problem and
1974 paper, which, unfortunately, is not informatics, just mathematics, which derive its solutions.” We could say, in a some-
at a level laypeople can understand. It indeed has been solving problems for what literary style, “the model is the agent is
the model.”
regarded the problem of finding the millennia, discovering and applying d If we allowed the agent to choose its own goals,
“greatest common right divisor” of two along the way abstraction, decompo- we would leave computing and enter the realm
n x n integer matrices A and B. The math- sition, recursion, and so on. of free-will entities.

34 COMMUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 viewpoints

We have thus a more general ex- sidering it as a foundational discipline, 14. Polanyi, M. The Tacit Dimension. The University of
Chicago Press, 1966.
planation of what CT is, covering on par with mathematics.4,17 15. Tedre, M. and Denning, P.J. The long quest for
also cases that are of high interest for computational thinking. In Proceedings of the 16th Koli
Calling Conference on Computing Education Research.
schools and education: simulations References (Nov. 2016), 120–129.
1. Aho, A.V. Computation and computational thinking. 16. The LINK. Research Notebook: Computational
in other disciplines, where one has Ubiquity, vol.2011, issue January, Article no. 1, Thinking—What and Why?. The Magazine of Carnegie
to build and manipulate a visible rep- January 2011. ACM Press. DOI: https://doi.org/ Mellon University’s School of Computer Science,
10.1145/1922681.1922682 March 2011; https://bit.ly/2UTeAed
resentation of physical laws and/or 2. Armoni, M. Computer science, computational thinking, 17. Vahrenhold, J. et al. Informatics Education in Europe:
natural/social phenomena (that is, to programming, coding: The anomalies of transitivity in Are We All In The Same Boat? ACM/Informatics
K–12 computer science education. ACM Inroads 7, 4 Europe, NY, 2017; https://doi.org/10.1145/3106077
model a situation and explore its pos- Dec. 2015), 24–27. 18. van Leeuwen, J. and Wiedermann, J. Computation as
sible evolution) rather than to solve 3. Bateson, G. Form, substance and difference. In Steps to an unbounded process. Theoretical Computer Science
an Ecology of Mind. University of Chicago Press, 1972. 429, (2012), 202–212.
a problem. Simulation is a very pow- 4. Caspersen, M.E. et al. Informatics for All: The 19. Wing, J. Computational thinking, Commun. ACM 49, 3
Strategy. ACM/Informatics Europe, NY, 2017;
erful tool to improve understanding https://doi.org/10.1145/3185594
(Mar. 2006), 33–35.
20. Wing, J. Computational thinking benefit society.
and computing is unique in its capa- 5. Denning, P.J. Computational thinking in science. Social Issues in Computing blog, January 2014;
American Scientist 105, (Jan.–Feb. 2017); 13–17.
bility of making concrete the abstract 6. Denning, P. Remaining trouble spots with
https://bit.ly/2SOnisk
21. Wing, J. Computational thinking and thinking about
models defined by a simulation.2 In computational thinking. Commun. ACM 60, 6 (June computing, Philosophical Transactions of The Royal
2017), 33–39.
addition, we have a formulation that 7. Denning, P.J. and Rosenbloom, P.S. Computing: The
Society A366, 37 (2008): 3717–3725.
can be used to explain why mathemat- fourth great domain of science. Commun. ACM 52, 9
(Sept. 2009), 27–29. Enrico Nardelli (nardelli@mat.uniroma2.it) is a
ics or other sciences are not enough 8. Denning, P.J., Tedre, M., and Yongpradit, P. Full Professor in Informatics in the Department of
for these purposes. Misconceptions about computer science. Commun. Mathematics at the University of Rome “Tor Vergata,”
ACM 60, 3 (Mar. 2017), 31–33. Italy. He is currently the president of Informatics Europe,
In such a way informatics can more 9. Forsythe, G.E. What to do till the computer scientist the association representing the academic and research
clearly explain its dual role12 both as a comes. The American Mathematical Monthly 75, (May Informatics community in Europe.
1968), 454–462; https://bit.ly/2S19xXo
fundamental scientific subject, with its 10. Knuth, D.E. Computer science and its relation to
own independent set of concepts, and mathematics. The American Mathematical Monthly Discussions with Mehdi Jazayeri, Jan van Leeuwen,
81, 4 (Apr. 1974), 323–343; https://bit.ly/2ErRMMU Michael Lodi, Simone Martini, and Guido Proietti have been
as a discipline of transversal value, pro- 11. Lodi, M., Martini, S., and Nardelli, E. Abbiamo davvero useful to focus ideas and improve presentation; comments
viding methods contributing to a bet- bisogno del pensiero computazionale? Mondo Digitale from referees have also been greatly helpful. Many of the
72 (Nov. 2017), AICA, Milan; https://bit.ly/2CLJcr5 ideas first presented in this Viewpoint have been further
ter understanding of other disciplines.7 12. Nardelli, E. Informatica nella scuola: disciplina developed by the author in subsequent papers since
fondamentale e trasversale, ovvero “di cosa parliamo this material was reviewed, revised, and accepted for
This latter role of computing is also of quando parliamo di pensiero computazionale.” publication in early 2017.
particular importance for its introduc- Scienze e Ricerche Magazine (Apr. 2017), 36-40;
https://bit.ly/2GqszFk
tion as a regular subject in schools, and 13. Papert, S. Mindstorms: Children, Computers, and
can constitute a solid argument for con- Powerful Ideas. Basic Books, 1980. Copyright held by author.

“The indispensable guide to “An inspirational must-read and delightful guide “What Can Be Computed? should
numerical trickery, deception, for anyone interested in traveling from the succeed brilliantly in capturing the
and flimflam!” computational past through to the present.” imagination of students.”
—Harry Lewis, —Andrew Adamatzky, —Matt Franklin,
coauthor of Blown to Bits University of the West of England University of California, Davis
Cloth $22.95 Cloth $27.95 Cloth $85.00

Social icon

Rounded square
Only use blue and/or white.

For more details check out our

Brand Guidelines.

DO NOT PRINT THIS INFORMATION 19-216 COMMUNICATIONS

F E B R UA RY 2OF
0 1 9THE
| VOACM
L. 6 2 | N O. 2FEBRUARY
| C OM M U N2019
IC AT ION S OF T HE ACM 35
practice
DOI:10.1145/ 3287289
can amount to something quite im-

Article development led by
queue.acm.org
pressive indeed.
That is only one of the reasons that
Jacek Czerwonka and his Tools for
A discussion with Jacek Czerwonka, Software Engineers (TSE) team at Mi-
Michaela Greiler, Christian Bird, crosoft set out to study how the code-
review process plays out across the
Lucas Panjer, and Terry Coatta company. Another reason had to do
with taking on a challenge they found

CodeFlow:
interesting in the sense that, beyond
their important role in software engi-
neering integration, code reviews in-
volve some rather complex social dy-

Improving
namics that elude simple modeling.
Then there also was the fact that
Microsoft’s code-review tool repre-
sented an opportunity to touch every

the Code
developer throughout the entire com-
pany. For a group charged with boost-
ing developer productivity, that is just
the sort of lever dreams are made of.

Review
What’s more, the tool also offered
TSE’s researchers something they
could instrument to collect data and
generate metrics that, in turn, could

Process at
be used to enable further research.
So, that is why the group set out on
this journey. To recount what it was
like, where it led, and what was learned

Microsoft
along the way, Czerwonka discusses
the undertaking here, along with fel-
low researchers Michaela Greiler and
Christian Bird. Also on hand to help
steer the discussion are Lucas Panjer,
the senior director of engineering at
Tasktop, and Terry Coatta, the CTO at
Marine Learning Systems, a Vancou-
ver-based startup working to develop
a learning platform.
YOU M AY B E wondering, “Code review process? Isn’t LUCAS PANJER: What exactly is it that
initially moved you to zero in on the
that obvious?” But code reviews are pervasive. Any code-review process?
developer is likely to be asked at any time to review JACEK CZERWONKA: This group was

someone else’s code. And you can be sure your code formed several years ago with the goal
of encouraging the adoption of a com-
is reviewed. For some developers, code reviews take mon set of software engineering tools
up a portion of each day. So there is your answer: large across the whole of Microsoft. We have
been on this path for a while now. We
numbers of very well-compensated people spend are not done yet. But there are a few
a great deal of time on this activity, meaning the places where we’ve managed to cen-
aggregate costs are substantial. If you’re talking about tralize the tools quickly, and one of
those is in code-review tooling.
a development shop the size of, say, Microsoft … well, Clearly, in looking at that aspect
then, the investment regularly made in code reviews of the engineering workflow, we saw

36 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 there were already some tools in with open source? How does it work doesn’t seem like we’re getting all that
place, so we just concentrated on de- within Microsoft? And what happens much out of it?”
termining what we could do to make when we find ourselves collaborating CB: Mostly it was because this was
improvements. First we wanted to with others? an area where the data was both plenti-
learn what we could from actual expe- LP: What did you end up initially fo- ful and readily available. With that be-
rience since you always want to start cusing on? ing said, once people found out what
with a foundation grounded in prac- CHRISTIAN BIRD: In general, we wanted we were doing, they proved to be quite
tice, as well as theory. So, we started to find out what prompted people to receptive. It wasn’t like they wondered
looking at any qualitative or quanti- do code reviews in the first place. How why we were doing this research. In
IMAGE BY AND RIJ BORYS ASSOCIAT ES/SHUT TERSTOCK

tative data we could get our hands on many people were usually involved? fact, it was just the opposite. People
that had to do with the code-review What types of issues were being raised? generally were very supportive of im-
tooling and process already in place What was it that led people to make proving the code-review process and, if
at Microsoft. That’s how we started changes? And what typically led people anything, said they wished it was treat-
on this journey of trying to under- not to make changes? ed as a first-class citizen. Also, many
stand where the process originated TERRY COATTA: Were the engineering were pretty excited to learn there was
and how it has evolved over time. teams themselves pushing for this line data available they would be able to
What are the factors that drove that of inquiry? That is, were people com- track themselves.
evolution? How is the process cur- ing to you to say, “We’re sure spending LP: Once people engaged with you
rently applied? How does it work a lot of time with code reviews, but it and told you what they thought was

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 37
practice

JACEK CZERWONKA

One of the most

interesting things
to surface from
instrumenting
CodeFlow was
just how much
time people were
actively spending in
the review tool.
valuable, did they also let you know TC: Since you say this tooling for
what else they wanted? code reviews is something everybody
CB: What people wanted for the at Microsoft now uses, can you give us
most part was the ability to do their a brief description of the features it of-
own tracking, along with a way to look fers and how you think those compare
at how they were doing in compari- with what is available to most people
son to other teams. We came up with outside of Microsoft?
metrics that align with some of the JC: Well, we’re talking now about
targets teams at Microsoft have for things we did with our tool [called Code
what they want to achieve at different Flow] a few years ago, and tooling has
points in the software development a way of converging out in the world at
process. For example, they would large over that much time. So, some of
want to know if they were on track for the changes we made back then might
getting a commit into master within now seem fairly obvious to people who
a month. Or they would want to see if are using other code-review tools that
they were well on their way to achiev- have since come to work in much the
ing 80% test coverage. same way.
Similarly, for code review some The brief summary is that we made
teams had targets, while others did not a number of changes to finely tune the
since they didn’t have a way to mea- underlying subsystem. We also trained
sure that. So, they might decide that the tool to be super-precise in terms
at least two people should sign off on of tracking changes as people move
every code review and that each review through numerous software iterations.
would have to be completed within a That is, as you move from one revision
24-hour period. Until we started col- to the next, you can imagine that your
lecting the data around code reviews, code changes end up moving around
analyzing it, and then making it more as some code gets deleted, some new
generally available, teams had no way lines are added, and chunks of code
of measuring that. Yet they wanted to are shuffled around. That can throw
be able to do that since they were al- your comment tracking severely out
ready measuring other parts of their of sync with what you had once in-
development process. As a conse- tended. Overcoming that took work,
quence, people started coming to tell but we now know from feedback that
us what metrics they would find useful. it’s greatly appreciated and thus well
Then we would just add those to met- worth the effort.
rics we were already collecting. It turns Another thing we focused on was
out that much of our effort was actually performance. For that reason, even
driven by what the development teams today CodeFlow remains a tool that
themselves were telling us they wanted works client-side, meaning you can
to be able to measure. download your change first and then

38 COM MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 practice

MICHAELA GREILER

While the popular

notion is that code
reviews are mostly
about finding bugs,
only a very small
percentage of
the code-review
comments we
studied actually had
interact with it, which makes switch- of diffs. I mean, you also can add com- anything to do with
ing between files and different regions
very, very fast.
ments, but, in the end, that just makes
it more difficult to track things or navi-
bugs at all.
It also helps that CodeFlow has gate everything effectively.
essentially become ubiquitous So, the fact that CodeFlow is native
throughout Microsoft. That’s be- and is treated like a first-class citizen
cause we used something like a viral on the desktop makes it more usable.
marketing strategy in that the mo- MICHAELA GREILER: I also really like
ment you were added as a reviewer, the richness of CodeFlow’s comment-
you received a notification, which al- ing features. You can, for example,
lowed you to open the review by sim- mark just a single character within a
ply clicking on a link. Then the Co- line instead of calling out the whole
deFlow client would be installed and line of code. That way, people can
the review would be opened. So, soon immediately see exactly where the is-
after the tool was introduced to a sue is. Also, to this day, very few code-
group, it would start to permeate the review tools let you span regions, but
fabric of that team pretty much all on with CodeFlow you can attach a com-
its own. The choice not to require a ment at the same time to a number of
special install for CodeFlow proved deleted lines and inserted lines—and
to be a really good one. then track all of that through succeed-
LP: Is there anything in particular ing iterations. Another feature worth
from the user’s perspective that dis- pointing out is comment thread-
tinguishes CodeFlow from either Git ing, which lets you resolve an entire
or Gerrit? How would you say it differs thread of comments at the same time
from what you find with pull requests rather than dealing with each com-
and patch set-based tooling? ment individually.
CB: It comes down to being a na-
tive app rather than a Web capability,
meaning it enables much richer inter- Code reviews generally conjure up
actions than you would get otherwise. notions of troubleshooting. More
I’ve been through the Git and the pull specifically, people tend to associate
request stuff, and it’s absolutely the them with the never-ending search
case that you can easily jump around for bugs.
from comment to comment, and you It turns out that is not nearly as
also get things that work like score central to the code-review process as
boxes. Which is to say they feel like rich you might think. Which is not to say
native clients, so I realize you can ac- that finding bugs is unimportant or
complish this with a Web experience. discouraged. And yet it seems the real
As for Git and Gerrit code reviews, win comes in the form of improved
what you get there just amounts to lists long-term code maintainability.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 39
practice

CHRISTIAN BIRD

The code-review
process we now
have at Microsoft
has more or less
grown organically—
through
experimentation—
from the grassroots.

the reviewers were interested in, it was

LP: Which problems did you decide to the comments that added to the value
attack first? of the review. On the other hand, some
JC: Most of the issues we chose to comments just increase the burden of
focus on were process oriented. The the code review and slow down the de-
tool itself is quite flexible and adapt- velopment process. So then we wanted
able to practically any process. We to know what kinds of comments they
spent a lot of time trying to under- found most useful, since we could then
stand the benefits of code review and start thinking about how to encourage
what was getting in the way of achiev- and lend greater emphasis to those.
ing those advantages. Also, we wanted JC: Just as this interesting question
to understand how the existing code- of usefulness led to practical implica-
review tool was being used. We were tions later on, the same might be said
interested in learning more about the of the work that was done to look into
costs and the turnaround times in other process-related questions. For
hopes we would be better able to see example, how many people should
what the drivers were. you include in a code review? Is there
MG: Also, one of the issues we looked a number beyond which it becomes
at was how to create a reviewer recom- counterproductive? We all intuitively
mender since programmers had been feel that smaller reviews are better, but
complaining to us about how difficult where exactly to draw that line? And
it was to find the right people to look what’s the optimal amount of time to
over their code. Chris started working allow for a review?
on a tool that would deliver a listing MG: Another interesting thing we
of people with the expertise to match found is that, while the popular no-
the sorts of problems addressed by tion is that code reviews are mostly
your code, along with suggestions as to about finding bugs, only a very small
which of these people you might want percentage of the code-review com-
to add to a review. ments we studied actually had any-
Something else Chris and I studied thing to do with bugs at all. In fact,
for a while was code-review usefulness. most of the comments were about
That wasn’t a problem we were trying structural issues and style problems.
to solve, of course, but we did want to Sometimes they were even about re-
understand which aspects of code re- ally minor issues, like spelling. Basi-
views tend to be most valued by engi- cally, what we found was that many
neers—that is, by both reviewers and reviewers were using their comment-
programmers. What did they see as be- ing platform to discuss these issues
ing most useful? It didn’t take us long and share their knowledge.
to conclude that it was not the mere de- We found it very enlightening to
cision to accept or rework the code that categorize these comments and do

40 COM MUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 practice

LUCAS PANJER

Are you saying

that after you have
created these
tools for research
purposes, other
teams will go on
to use them to
reflect on their own
processes?
some mappings to determine which into a machine-learning classifier we
ones were thought to be the most in- had built to categorize code reviews.
teresting or useful. It turns out that We ended up using that to classify
generally proved to be comments that three million reviews of code that had
identified functional issues, pointed been written by tens of thousands
out missing validation checks, or of- of developers and drawn from every
fered suggestions related to API usage codebase across the whole of Micro-
or best practices. soft—meaning we are easily talking
LP: Just for context, can you also about hundreds of millions of lines of
speak to the scale of this research—the code. Obviously, the quantitative data
size of the codebase you were working analysis we were able to perform there
with, the number of code reviews you was based on a substantial amount of
analyzed, or the number of developers data. The qualitative observational
who were involved? studies, on the other hand, were typi-
CB: We did a number of different cally much smaller.
studies, many of which were more MG: We definitely had a tremen-
quantitative than observational. In one dous amount of data available—es-
case, we did an initial study where it sentially all the code written for
became clear that the depth of knowl- Office, Windows, Windows Phone,
edge someone has of a certain piece Azure, and Visual Studio, as well as
of code will definitely show up in the many smaller projects.
quality of feedback they are able to of- JC: We also enjoy an advantage here
fer as a reviewer. Which is to say, to get at Microsoft in that we have so many
higher-quality comments, you need different product types. We look at the
reviews from people who have some work people do on operating systems,
experience with that particular piece of as well as apps and large-scale services
software. Then, to check out that con- and small-scale services and every-
clusion, we spoke with and observed thing in between. We are very aware of
some engineers who had submitted re- the different demands in each of these
views for code already familiar to them. areas, and we make a point of keeping
We also observed some engineers who that in mind as we do our studies.
had been asked to review code they had LP: In those cases where you could
no prior experience with. That was a derive data from the use of CodeFlow,
small study, but it left us with some were you also able to further instru-
definite impressions. ment the tool to augment your studies?
There also were those studies Mi- JC: One of the most interesting
chaela just mentioned, where we con- things to surface from instrument-
sidered comment usefulness. That ing CodeFlow was just how much
was based on data gathered from time people were actively spending
across all of Microsoft and then fed in the review tool. That’s because

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 41
practice

TERRY COATTA

With an eye to the

people outside of
Microsoft that don’t
have your tooling,
do you have any
recommendations
from your
experience that
might prove
relevant? we have found that people will often ate need for some of that data, you
open multiple instances of the tool might find a use for it later as new
and then, as they get a bit of free studies come up. Which means you
time, do a small review here and won’t be faced with needing to go
then another small review there. back and update your data-collec-
So, just because you can see the tool tion system to provide for that. The
has been open for a certain amount downside is that you will also have
of time doesn’t mean you can assume all this raw information on your
there has been activity for that whole hands that hasn’t been processed
time. We have the telemetry to deter- for use, which means some engineer
mine just how long you were navigat- is going to have to come along later
ing around within the app. That has to build a metrics layer on top of all
allowed us to determine that people, that. That will leave you with two lev-
on average, spend about 20 minutes els of data—the analytics layer and
per day actively working in Code- another layer containing the raw ob-
Flow—which amounts to a significant ject model data—which people can
amount of time once you multiply dive into later if they are looking to
that by 40,000 people. get their hands really dirty.
CB: From all that, we have been That sort of layering turned out to
able to make a number of general be a really smart move for us since we
observations we’re always happy to now can cater not only to the casual
pass along as recommendations. user who simply wants to look at met-
In fact, one suggestion I would of- rics and reviews but also to someone
fer to anyone looking to do some- who wants to dive into things.
thing similar to what we’ve done in LP: Are you saying that after you have
analyzing their own organization’s created these tools for your research
code-review process is that, in con- purposes, other teams will go on to use
sidering what data to collect, stay as them to reflect on their own processes?
close as possible to the actual object CB: Yes. In fact, we did a study a few
model employed by the application years ago where we contacted some
itself. For example, there is almost of the teams that were using our data
a 1:1 correspondence between the to discover exactly what they were do-
tables in our database and the class- ing with it, as well as to see whether
es in the application. As a result, we they had managed to improve the
didn’t have to think very hard about process in any way. We thought that
whether to collect something or not. this might be a way to find out where
We just grabbed everything. we needed to take our own research.
So, we ended up collecting all this We found that some teams were
raw data, and one advantage of that using the data to generate score-
is, even if you don’t see an immedi- cards, whereas some were using it to

42 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 practice

discover where people were having are followed at companies other than JC: One of our top goals was to re-
problems understanding the code- Microsoft—or, for that matter, by duce the amount of time required to
base and then using those insights open source projects. do a code review on average. We looked
to drive their training programs. We to discover where it was that people
ended up talking with at least another seemed to be spending an inordinate
dozen teams, and it was interesting LP: Looking back to when you first amount of time, and that is what led
and surprising to learn about the dif- started this project, what would you to the creation of a reviewer recom-
ferent ways some of those teams had say came up most whenever you ques- mender. It’s such a simple thing, re-
used our data. tioned people about their primary mo- ally, but it can be hard to find people
LP: What were some of the bigger tives for doing code reviews? with the right experience if you are part
surprises? MG: We did a survey where we asked of a large team. Having an automated
CB: The biggest surprise for me was people to rank their reasons. What system to identify those engineers
learning that some teams would use our came out of that tended to be fairly who have some familiarity with the file
tools to identify code reviews that took obvious: improving the code, finding where some changes have been made
too long or contained only a few com- defects, knowledge transfer … that sort can help cut down on the time required
ments. Then they would open the code of thing. But then, when we launched to get those changes reviewed.
reviews based on that data, and the re- this other study to categorize the com- Something else we’ve done, quite
views would tell them what code had ments that had been left in the actual recently, is to give the developers a
been used and what part of the code code, we found they only rarely aligned way to explain what it was they were
was being reviewed. They would dig with those stated motivations. trying to accomplish. This is because
into that and quickly determine, “Oh, LP: Interesting. What did those com- a complaint we commonly hear from
it looks like people are having a tough ments chiefly focus on? reviewers is that it can be quite chal-
time reviewing code that uses this par- MG: There were a lot of comments lenging to understand the reasoning
ticular API.” That’s how they would de- about the documentation, of course. behind a code change. Which is to say
termine that their next training session And you would see some remarks hav- they would like some way to get into
ought to be devoted to that API. ing to do with alternative solutions. the mindset of the person who made
TC: Have you developed any metrics There also were comments about vali- that change so they can better under-
for essentially grading the quality of dation, which admittedly leaned in the stand whether it actually makes any
code reviews? direction of bug resolution since peo- sense or not.
CB: Not as such, but I know some ple would say, “You know, if this partic- One way of dealing with this is to
teams have built live dashboards ular corner case went away, you would show more than just the isolated sec-
around this data. Some develop- be able to eliminate some of these tion of code where a change has been
ment teams have mounted a massive problems.” People also had things to made. Instead, we show entire files
TV monitor right on the wall where say about API usage—and best practic- so reviewers can get a better sense of
metrics like “Time since last bug” or es as well. On the whole, I’d say these the code around each change. We also
“Time to delivery of next release” can sorts of comments far outweighed any wanted to provide some means for the
be displayed. One team told us they that focused on specific defects. author of a change to offer additional
also put code-review data up on their JC: To Michaela’s point regarding information so reviewers could better
scoreboard so people could see how this mismatch between expectations understand their reasoning. Toward
many code reviews are on backlog or and reality, despite the fact that peo- that end, our system now lets authors
how much time on average is required ple consistently said their primary put tags on files and regions to indi-
to complete a code review. From what reason for doing code reviews was cate which files are at the heart of a
they told us, it seems that having that to discover bugs in code, only 15% of change and so should probably be giv-
data up on a real-time dashboard, the comments we found in code actu- en particular attention. For example,
mission-control style, has proved to be ally related to bugs. For example, we the tags can be used to quickly indi-
quite motivating. would find comments about control- cate which changes have been made
flow issues or use of the wrong API— to test cases as opposed to the product
or even use of the right API but in codes. Or they can be used to call out
Delivering a new set of capabilities for the wrong way. On the other hand, at certain files or changes with potential
managing and improving Microsoft’s least half of the comments were about security implications.
code-review process was the primary maintainability. So, it would seem LP: Do you have any other new capa-
goal right from the start. In the course that for the reviewers themselves, bilities in the works?
of accomplishing that, much was also identifying maintainability issues JC: The fundamental underlying fac-
learned about certain general code- proves to be more of a priority than tor we’re trying to address is the size of
review principles—guidelines that uncovering bugs. code reviews since that affects both the
might also be applied to beneficial LP: Now that your work has been out time required to produce a review and
effect elsewhere. In fact, subsequent there for a number of years, what sort the usefulness of the comments that
research has offered surprising evi- of impact have you seen on code-review come out of it. It’s a difficult problem
dence of just how similar the impact policies and practices across all the dif- to address because some of the issues
can be when many of these principles ferent development teams? are cultural in nature, and some relate

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 43
practice

to workflow. Still, there are times when study of all the data at our disposal, otherwise be using to create code. If
two unrelated concerns end up getting we’ve concluded that for more than developers are rewarded only for add-
crammed into a single review, so we 20 files the density and usefulness ing functionality, that’s going to end
are hoping we will be able to untangle of comments degrades significantly. up crippling the code-review process,
some reviews by automatically split- This is actually more a rule of thumb which in turn will almost certainly have
ting those concerns into two smaller than a precise limit, but it is useful to an adverse effect on the maintainabil-
reviews. On average, that ought to lead keep in mind. ity of the code that’s generated.
to better turnaround times, as well as Also, if your organization has data CB: One thing I would like to add is
better outcomes. from past reviews, I would suggest in- that the code-review process we now
LP: Have you taken any steps to get vesting in a recommender system that have at Microsoft has more or less
development teams to focus their can help make some of the administra- grown organically—through experi-
code-review time on correctness and tive steps a little less tedious. You can mentation—from the grassroots. I
content versus style? Have any tool even use these systems to automatical- mention this only because I think it
changes or process changes been im- ly address some of your maintainabil- might also work well for smaller com-
plemented toward that end? ity issues, which is something we’re panies, instead of having some process
JC: We haven’t done a proper study starting to get into these days. That is, that’s mandated from the top down.
of that, but there is a team here that’s you can imagine that some of these Also, each product group at Micro-
done something along those lines. maintainability issues are essentially soft does code reviews a little differ-
This is something that had to do with things that might be autodiscovered ently, with each group using its own
some factoring changes they consid- and flagged, which means you then set of policies that have essentially
ered to be low-risk—such as the re- don’t have to expend any human re- come together organically. While this
naming of methods or local variables. sources to get this accomplished. probably won’t come as a ground-
For example, this might involve put- Another thing, as we just dis- breaking revelation, it can definitely
ting a special tag on a review to say, cussed, is the idea that two signoffs be said that there is no one-size-fits-
“We don’t really need to have two on every change might be too many. all solution for code reviews. This
people look at this. One is enough If you look at the distribution of com- only serves to reinforce the impor-
since it’s very unlikely we’ll have any ments made by either the first or the tance of being willing to let your ap-
functionality issues here.” Modest as second reviewer, you’ll find that your proach evolve organically such that it
that might seem, it can also prove pro- first reviewer typically discovers the ends up fitting in with your work pro-
found since it turns out there are many most egregious problems. In many cesses with the least amount of fric-
changes like this floating through a cases, waiting for a second reviewer tion while putting the lightest burden
legacy system—clogging the system. to corroborate those findings before possible on your developers.
The thing to remember is that it’s allowing the commit into the main Another important point is some-
not just about making one change go source tree might be less efficient. thing Michaela talked about earlier,
faster, since what you’re dealing with MG: My biggest takeaway from the which is that treating code review as a
here is a pipeline of changes—mean- survey is to always make the burden of first-class citizen—just as many com-
ing that any change you can redirect to code reviews just as small as you pos- panies are likely to treat testing—is
a lighter-weight path is going to lower sibly can. Part of that comes down to probably the best way to get the most
the load on your key people and get it having a good code-review process that bang for your buck. If, instead, it be-
out of the way of other changes wait- enables and encourages comments comes something you are just expect-
ing to be reviewed. That’s just the sort that can be easily reviewed. ed to do, like flossing your teeth daily,
of thing that makes for a more efficient Another important consideration then you’ll find people aren’t going to
system all the way around. has to do with supporting the review- embrace it. But if you say this is impor-
TC: With an eye to the people out- ers themselves by giving them advance tant and so will be tracked and evalu-
side of Microsoft that don’t have your notice about any reviews that might be ated, then people are likely to respond
tooling, do you have any recommenda- coming up and giving them enough to that. Certainly, that’s how it has
tions from your experience that might context so they will be able to dive worked out here.
prove relevant? right into a review without having to And then the other thing I would
JC: I would say the one thing to figure all that out for themselves. Do- add is that it’s instructive to think in
recognize is that comments related ing what you can to reduce the size of some depth about what it is you’re re-
to maintainability are primarily what reviews can also be helpful. But I think ally looking to get out of code reviews.
you are going to get out of the code- what is really important is to make the Then, of course, you should also think
review process. Contrary to popular reviews just as uncomplicated as pos- about how you can go about measur-
opinion, locating bugs is not the pri- sible, since, otherwise, you may end up ing that. To the degree that you can
mary outcome. The other important with reviewers who have no clue about track those metrics and set targets,
thing to bear in mind is that the small- where even to start. you’re always going to achieve more.
er a review is, the better it’s going to Also, organizations need to show
be. In our case, we’ve found that if a they recognize the value of code reviews
review contains more than 20 files, since there’s no question that they take
it’s too big already. In fact, from our away from the time developers could © 2019 ACM 0001-0782/19/2 $15.00.

44 COMM UNICATIO NS O F THE AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 DOI:10.1145/ 3 2 8 72 9 7


Article development led by
queue.acm.org

You have to finish strong,

every time.
BY KATE MATSUDAIRA

The
Importance
of a Great
Finish

felt super excited about the start

H AV E YOU E V E R
of a project, but as time went on your excitement
(and motivation) started to wane?
Unfortunately, not all work is created equal. It is
often the work through the bulk of a project that is not
remembered or recognized.
The work that tends to be remem- How can you make sure you are rec-
bered from any given project is the ognized as a valuable member of your
work that happened last. It is the final team, whose work is seen as critical to
step that most people will think of, be- the team’s success?
cause it happened most recently. This You have to finish strong, every time.
is especially true of the people who Here is how to keep your momentum
have the most power over your promo- up and make the right moves to be a
tions and future opportunities, who visible contributor to the final success
don’t see what you accomplish day to of every project.
day. They just see the results.
I have worked with hundreds of en- The Psychology of a Strong Finish
gineers during my career, and I have Humans tend to remember the end-
seen this happen over and over again. ing of something far more clearly
Projects start with a bang and end with than any other part—even if other
a whimper, and the people on the team parts were more significant or impor-
are surprised when their hard work tant. Why is that?
isn’t viewed as positively as they think Essentially, our brains can process
it should be. only so much. We take in so much in-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 45
practice

formation every day that it is impos- every project you work on has a suc- done because you would have a bug-
sible to remember everything com- cessful, strong conclusion. If you are in gy, clunky product. When the details
pletely. As a result, our brains have to a position to present the project to your are done right, it looks seamless and
give priority to certain pieces of infor- leadership, make sure they see how you forget about how much work went
mation over others. your hard work applies to their goals into finishing.
This means we usually have the and the things that are most important Unfortunately, letting these boring
clearest recall for things that were as- to them. details go is akin to undoing all the ex-
sociated with strong emotions and citing work you already put in on the
things that happened most recently. Why So Few People Finish Strong project. If you want the beautiful thing
This is known as the Peak-End Rule Starting work on a new project or goal you built to stay standing, you have to
(https://en.wikipedia.org/wiki/Peak– is usually an exciting time. In the be- finish it out right.
end_rule). ginning, there is a lot of momentum.
This applies to all areas of our You are excited to tackle a big prob- How To Make a Great Finish
lives. It’s why you should always stay lem, and energy is high in meetings. a Priority
at the nicest hotel at the very end of The first 80% of a project is all about The next time you are hard at work on
your vacation—it’s the one you will building up; there is a thrill in creating a big project, make sure you allot time
remember most when you think something new. and energy for a strong finish. Set aside
about that trip. By the end, though, energy is low. time in your project plans for the bor-
At work, your performance reviews You push to get things done by a ing detail work; that way, it won’t catch
are usually weighted toward the work deadline, and you procrastinate on you by surprise. Make it seem just as
you did most recently. Why? Because it the boring stuff that still has to get important as all the rest of the work
is freshest in your manager’s mind. done, like extra testing, polishing, you do—because it is.
So, when you are working on a documentation, and boundary cases As you get to work on your next big
project, think about how it will be you missed earlier. goal, keep in mind these three ways
perceived by your leadership, keep- The less elegant work is not as much to make sure you finish strong and
ing in mind the importance of the fun to work on, so people don’t really make the biggest possible impact
end result. work on it. Plus, there is very little rec- with your work.
While you might remember the ognition for this kind of work.
long hours you worked to build a new Our brains are resistant to work- 1. Think Big Picture
feature one night, your boss may have ing on tasks that don’t seem to offer When you are working on a project,
a different perspective. If, for example, some kind of reward. They seem too always keep the bigger-picture goals
that feature you built had bugs that had small, or too tedious. It can be men- in mind. What is the overall impact of
to be fixed at the last minute, or opera- tally, and even physically, taxing to this project on your company? What
tional problems that generated nega- spend time on a job that you do not does your manager see as your team’s
tive attention, that’s what the boss will want to do or know you will not be biggest goal?
IMAGE BY PK.PH UKET ST UDIO

remember more than the many hours directly rewarded for. You may remember an amazing so-
you put in. These mundane tasks, when done lution you came up with early in the
Therefore, if you want to make a big correctly, make the problems they project, but your manager or executive
impact at work, you need to take advan- are solving invisible. You would only team—who were not in the trenches
tage of the Peak-End Rule by ensuring ever notice if that work had not been with you every day, and who instead are

46 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 practice

making judgments based on limited a team that executed well. In time, you
information channeled up to them— will become known for always being on
have only so many details to go on. One the team that succeeds.
of the biggest factors they use to deter-
mine success or failure is how a project
wrapped up. When people 3. Channel Your Ability
To Keep Going
Did the project miss the deadline?
Were tons of bugs reported right after
lose momentum Have you ever heard a story about a
mother who lifted a car to save her
the launch? Did your team have to ex- on a project, child? What about marathon runners
plain to the boss why x, y, z didn’t work?
Whenever you are choosing what
it is usually right who talk about having “nothing left”
but go on to finish the race?
to work on or where to apply your around the time We all have extreme strength within
best efforts, take a moment to step
back. Zoom out from your own pref-
the shiniest, us; we just don’t usually see it because
it comes out only in extreme circum-
erences and remind yourself what most interesting stances.
the bigger-picture goals are. Where
will your work mean the most to the work gets In normal life, your brain commu-
nicates with your body about what you
people in charge? completed. can and cannot do. Your brain says,
If you are not sure, ask. Go to your
manager and say, “I am thinking about Don’t let “Hey, that will hurt,” and your body
slows down. In most situations, this
working on A or B next. Which is most
important? Or is there another place I
this happen serves you well. You cannot actually
lift a car every day, and you would not
should be focusing?” to you. want to try.
It may seem counterintuitive—you However, the ability to power
might worry that asking about priori- through challenges that you normally
ties might make you look stupid—but don’t face is in your toolkit. Remember
checking in with your manager is actu- that the next time you are nearing the
ally really smart. Not only do you en- end of a long, exhausting project. You
sure you are working on the right pri- can do it. You might feel like you have
orities, but it is also a great way to keep nothing left, but the end is the most
your manager up to date about your important part—so, draw on your re-
contributions and show that you are sources and make the last steps count.
focused on the big-picture goals that If you work hard on a project, your
matter most to managers. hours will not be worth as much if
you are not seen delivering a strong
2. Make the Unglamorous a Priority finish. So, make all that work worth
When people lose momentum on a it, and follow through on every single
project, it is usually right around the step. Dot your i’s, cross your t’s, and
time the shiniest, most interesting deliver amazing results that will take
work gets completed. Don’t let this you far in your career.
happen to you.
One way to approach the boring de-
Related articles
tails of a project—bug fixes, use cases, on queue.acm.org
among others—is to reframe them in
The Small Batches Principle
your mind. Tell yourself that this is ac-
Thomas A. Limoncelli
tually some of the most important work https://queue.acm.org/detail.cfm?id=2945077
you’ll do because you will be helping the
outcome to be as perfect as it can be. Kode Vicious Unleashed
George Neville-Neil
Look for opportunities to make
https://queue.acm.org/detail.cfm?id=1046939
these tasks more challenging or in-
teresting. Instead of slogging through Culture Surprises in Remote Software
boring details, try to bring new energy Development Teams
Judith S. Olson, Gary M. Olson
to them.
https://queue.acm.org/detail.cfm?id=966804
Although this work may not be all
that visible, it is still important. Re-
Kate Matsudaira (katemats.com) is an experienced
member that a rising tide lifts all boats. technology leader. She has worked at Microsoft and
Even if you do not get the glory for fixing Amazon and successful startups before starting her own
company, Popforms, which was acquired by Safari Books.
small final details, your work will make
the overall project more successful in Copyright held by owner/author.
the end, and you will have been part of Publication rights licensed to ACM. $15.00.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 47
turing lecture
DOI:10.1145/ 3282307

Innovations like domain-specific hardware,

enhanced security, open instruction sets, and
agile chip development will lead the way.
BY JOHN L. HENNESSY AND DAVID A. PATTERSON

A New Golden
Age for
Computer
Architecture
WE BEGAN OUR Turing Lecture June 4, 201811 with a review
of computer architecture since the 1960s. In addition
to that review, here, we highlight current challenges
and identify future opportunities, projecting another
golden age for the field of computer architecture in
the next decade, much like the 1980s when we did the
research that led to our award, delivering gains in cost, engineers, including ACM A.M. Tur-
energy, and security, as well as performance. ing Award laureate Fred Brooks, Jr.,
thought they could create a single ISA
that would efficiently unify all four of
“Those who cannot remember the past are condemned these ISA bases.
to repeat it.” —George Santayana, 1905 They needed a technical solution
for how computers as inexpensive as

Software talks to hardware through a vocabulary key insights

called an instruction set architecture (ISA). By the early ˽˽ Software advances can inspire
1960s, IBM had four incompatible lines of computers, architecture innovation.
˽˽ Elevating the hardware/software
each with its own ISA, software stack, I/O system, interface creates opportunities for
architecture innovation.
and market niche—targeting small business, large ˽˽ The marketplace ultimately settles
business, scientific, and real time, respectively. IBM architecture debates.

48 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 those with 8-bit data paths and as fast one control line, each row was a mi- ly 6. The most expensive computers
as those with 64-bit data paths could croinstruction, and writing microin- had the widest control stores because
share a single ISA. The data paths are structions was called microprogram- more complicated data paths used
the “brawn” of the processor in that ming.39 A control store contains an more control lines. The least-costly
they perform the arithmetic but are rela- ISA interpreter written using micro- computers had narrower control
tively easy to “widen” or “narrow.” The instructions, so execution of a con- stores due to simpler hardware but
greatest challenge for computer de- ventional instruction takes several mi- needed more microinstructions since
ILLUSTRATION BY PETER CROW TH ER ASSO CIATES

signers then and now is the “brains” croinstructions. The control store was they took more clock cycles to execute
of the processor—the control hard- implemented through memory, which a System/360 instruction.
ware. Inspired by software program- was much less costly than logic gates. Facilitated by microprogramming,
ming, computing pioneer and Turing The table here lists four models IBM bet the future of the company
laureate Maurice Wilkes proposed of the new System/360 ISA IBM an- that the new ISA would revolutionize
how to simplify control. Control was nounced April 7, 1964. The data paths the computing industry and won the
specified as a two-dimensional ar- vary by a factor of 8, memory capacity bet. IBM dominated its markets, and
ray he called a “control store.” Each by a factor of 16, clock rate by nearly 4, IBM mainframe descendants of the
column of the array corresponded to performance by 50, and cost by near- computer family announced 55 years

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 49
turing lecture

ago still bring in $10 billion in rev- ated for the Xerox Palo Alto Research operating system written in the then-
enue per year. Center in 1973. It was indeed the first new programming language Ada.
As seen repeatedly, although the personal computer, sporting the first This ambitious project was alas sev-
marketplace is an imperfect judge of bit-mapped display and first Ethernet eral years late, forcing Intel to start an
technological issues, given the close local-area network. The device control- emergency replacement effort in Santa
ties between architecture and com- lers for the novel display and network Clara to deliver a 16-bit microproces-
mercial computers, it eventually deter- were microprograms stored in a 4,096- sor in 1979. Intel gave the new team 52
mines the success of architecture inno- word × 32-bit WCS. weeks to develop the new “8086” ISA
vations that often require significant Microprocessors were still in the and design and build the chip. Given
engineering investment. 8-bit era in the 1970s (such as the In- the tight schedule, designing the ISA
Integrated circuits, CISC, 432, 8086, tel 8080) and programmed primarily took only 10 person-weeks over three
IBM PC. When computers began us- in assembly language. Rival design- regular calendar weeks, essentially by
ing integrated circuits, Moore’s Law ers would add novel instructions to extending the 8-bit registers and in-
meant control stores could become outdo one another, showing their ad- struction set of the 8080 to 16 bits. The
much larger. Larger memories in turn vantages through assembly language team completed the 8086 on schedule
allowed much more complicated ISAs. examples. but to little fanfare when announced.
Consider that the control store of the Gordon Moore believed Intel’s To Intel’s great fortune, IBM was
VAX-11/780 from Digital Equipment next ISA would last the lifetime of developing a personal computer to
Corp. in 1977 was 5,120 words × 96 Intel, so he hired many clever com- compete with the Apple II and needed
bits, while its predecessor used only puter science Ph.D.’s and sent them a 16-bit microprocessor. IBM was in-
256 words × 56 bits. to a new facility in Portland to invent terested in the Motorola 68000, which
Some manufacturers chose to make the next great ISA. The 8800, as Intel had an ISA similar to the IBM 360, but
microprogramming available by let- originally named it, was an ambi- it was behind IBM’s aggressive sched-
ting select customers add custom tious computer architecture project ule. IBM switched instead to an 8-bit
features they called “writable control for any era, certainly the most ag- bus version of the 8086. When IBM an-
store” (WCS). The most famous WCS gressive of the 1980s. It had 32-bit nounced the PC on August 12, 1981, the
computer was the Alto36 Turing laure- capability-based addressing, ob- hope was to sell 250,000 PCs by 1986.
ates Chuck Thacker and Butler Lamp- ject-oriented architecture, variable- The company instead sold 100 million
son, together with their colleagues, cre- bit-length instructions, and its own worldwide, bestowing a very bright fu-
ture on the emergency replacement
Features of four models of the IBM System/360 family; IPS is instructions per second. Intel ISA.
Intel’s original 8800 project was
Model M30 M40 M50 M65 renamed iAPX-432 and finally an-
Datapath width 8 bits 16 bits 32 bits 64 bits nounced in 1981, but it required sev-
Control store size 4k x 50 4k x 52 2.75k x 85 2.75k x 87 eral chips and had severe performance
Clock rate 1.3 MHz 1.6 MHz 2 MHz 5 MHz problems. It was discontinued in 1986,
(ROM cycle time) (750 ns) (625 ns) (500 ns) (200 ns)
the year after Intel extended the 16-
Memory capacity 8–64 KiB 16–256 KiB 64–512 KiB 128–1,024 KiB bit 8086 ISA in the 80386 by expand-
Performance (commercial) 29,000 IPS 75,000 IPS 169,000 IPS 567,000 IPS ing its registers from 16 bits to 32 bits.
Performance (scientific) 10,200 IPS 40,000 IPS 133,000 IPS 563,000 IPS Moore’s prediction was thus correct
Price (1964 $) $192,000 $216,000 $460,000 $1,080,000 that the next ISA would last as long as
Price (2018 $) $1,560,000 $1,760,000 $3,720,000 $8,720,000 Intel did, but the marketplace chose
the emergency replacement 8086 rath-
er than the anointed 432. As the archi-
Figure 1. University of California, Berkeley, RISC-I and Stanford University MIPS tects of the Motorola 68000 and iAPX-
microprocessors.
432 both learned, the marketplace is
rarely patient.
From complex to reduced instruc-
tion set computers. The early 1980s
saw several investigations into com-
plex instruction set computers (CISC)
enabled by the big microprograms in
the larger control stores. With Unix
demonstrating that even operating sys-
tems could use high-level languages,
the critical question became: “What in-
structions would compilers generate?”
instead of “What assembly language
would programmers use?” Significant-
ly raising the hardware/software inter-

50 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 turing lecture

face created an opportunity for archi- datapath, along with instruction and
tecture innovation. data caches, in a single chip.
Turing laureate John Cocke and his For example, Figure 1 shows the
colleagues developed simpler ISAs and RISC-I8 and MIPS12 microprocessors
compilers for minicomputers. As an
experiment, they retargeted their re- In today’s post-PC developed at the University of Califor-
nia, Berkeley, and Stanford University
search compilers to use only the simple
register-register operations and load-
era, x86 shipments in 1982 and 1983, respectively, that
demonstrated the benefits of RISC.
store data transfers of the IBM 360 ISA, have fallen almost These chips were eventually presented
avoiding the more complicated instruc-
tions. They found that programs ran up
10% per year since at the leading circuit conference, the
IEEE International Solid-State Circuits
to three times faster using the simple the peak in 2011, Conference, in 1984.33,35 It was a re-
subset. Emer and Clark6 found 20% of
the VAX instructions needed 60% of the
while chips with markable moment when a few gradu-
ate students at Berkeley and Stanford
microcode and represented only 0.2% RISC processors could build microprocessors that were
of the execution time. One author (Pat-
terson) spent a sabbatical at DEC to have skyrocketed arguably superior to what industry
could build.
help reduce bugs in VAX microcode. If to 20 billion. These academic chips inspired
microprocessor manufacturers were many companies to build RISC micro-
going to follow the CISC ISA designs processors, which were the fastest for
of the larger computers, he thought the next 15 years. The explanation is
they would need a way to repair the due to the following formula for pro-
microcode bugs. He wrote such a cessor performance:
paper, 31 but the journal Computer Time/Program = Instructions /
rejected it. Reviewers opined that it was Program × (Clock cycles) /
a terrible idea to build microproces- Instruction × Time / (Clock cycle)
sors with ISAs so complicated that they DEC engineers later showed2 that
needed to be repaired in the field. That the more complicated CISC ISA execut-
rejection called into question the value ed about 75% of the number instruc-
of CISC ISAs for microprocessors. Iron- tions per program as RISC (the first
ically, modern CISC microprocessors term), but in a similar technology CISC
do indeed include microcode repair executed about five to six more clock
mechanisms, but the main result of his cycles per instruction (the second
paper rejection was to inspire him to term), making RISC microprocessors
work on less-complex ISAs for micro- approximately 4× faster.
processors—reduced instruction set Such formulas were not part of com-
computers (RISC). puter architecture books in the 1980s,
These observations and the shift to leading us to write Computer Architec-
high-level languages led to the opportu- ture: A Quantitative Approach13 in 1989.
nity to switch from CISC to RISC. First, The subtitle suggested the theme of the
the RISC instructions were simplified book: Use measurements and bench-
so there was no need for a microcod- marks to evaluate trade-offs quanti-
ed interpreter. The RISC instructions tatively instead of relying more on the
were typically as simple as microin- architect’s intuition and experience, as
structions and could be executed di- in the past. The quantitative approach
rectly by the hardware. Second, the we used was also inspired by what Tur-
fast memory, formerly used for the ing laureate Donald Knuth’s book had
microcode interpreter of a CISC ISA, done for algorithms.20
was repurposed to be a cache of RISC VLIW, EPIC, Itanium. The next ISA
instructions. (A cache is a small, fast innovation was supposed to succeed
memory that buffers recently execut- both RISC and CISC. Very long instruc-
ed instructions, as such instructions tion word (VLIW)7 and its cousin, the
are likely to be reused soon.) Third, explicitly parallel instruction computer
register allocators based on Gregory (EPIC), the name Intel and Hewlett
Chaitin’s graph-coloring scheme made Packard gave to the approach, used wide
it much easier for compilers to efficient- instructions with multiple independent
ly use registers, which benefited these operations bundled together in each
register-register ISAs.3 Finally, Moore’s instruction. VLIW and EPIC advocates
Law meant there were enough transis- at the time believed if a single instruc-
tors in the 1980s to include a full 32-bit tion could specify, say, six independent

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 51
turing lecture

Figure 2. Transistors per chip of Intel microprocessors vs. Moore’s Law. tion of the RISC microinstructions.
Any ideas RISC designers were using
Moore’s Law vs. Intel Microprocessor Density for performance—separate instruc-
Moore’s Law (1975 version) Density tion and data caches, second-level
10,000,000 caches on chip, deep pipelines, and
1,000,000 fetching and executing several in-
structions simultaneously—could
100,000
then be incorporated into the x86.
10,000 AMD and Intel shipped roughly 350
million x86 microprocessors annually
1,000
at the peak of the PC era in 2011. The
100 high volumes and low margins of the
PC industry also meant lower prices
10
than RISC computers.
Given the hundreds of millions
1980 1990 2000 2010
of PCs sold worldwide each year, PC
software became a giant market.
Whereas software providers for the
Figure 3. Transistors per chip and power per mm2. Unix marketplace would offer differ-
ent software versions for the differ-
Technology (nm) Power/nm2
ent commercial RISC ISAs—Alpha,
200 4.5 HP-PA, MIPS, Power, and SPARC—the
180 4 PC market enjoyed a single ISA, so

Relative Power per nm2

160
3.5 software developers shipped “shrink
140
Nanometers

120
3 wrap” software that was binary com-
100
2.5 patible with only the x86 ISA. A much
80 2 larger software base, similar perfor-
60 1.5 mance, and lower prices led the x86
40 1 to dominate both desktop computers
20 0.5 and small-server markets by 2000.
0 0 Apple helped launch the post-PC
2000 2002 2004 2006 2008 2010 2012 2014 2016 2018 2020
era with the iPhone in 2007. Instead of
buying microprocessors, smartphone
companies built their own systems
operations—two data transfers, two in- to write.” Pundits noted delays and on a chip (SoC) using designs from
teger operations, and two floating point underperformance of Itanium and re- other companies, including RISC
operations—and compiler technology christened it “Itanic” after the ill-fated processors from ARM. Mobile-device
could efficiently assign operations into Titantic passenger ship. The market- designers valued die area and energy
the six instruction slots, the hardware place again eventually ran out of pa- efficiency as much as performance,
could be made simpler. Like the RISC tience, leading to a 64-bit version of disadvantaging CISC ISAs. Moreover,
approach, VLIW and EPIC shifted work the x86 as the successor to the 32-bit arrival of the Internet of Things vastly
from the hardware to the compiler. x86, and not Itanium. increased both the number of proces-
Working together, Intel and Hewlett The good news is VLIW still matches sors and the required trade-offs in die
Packard designed a 64-bit processor based narrower applications with small pro- size, power, cost, and performance.
on EPIC ideas to replace the 32-bit x86. grams and simpler branches and omit This trend increased the importance
High expectations were set for the first caches, including digital-signal processing. of design time and cost, further dis-
EPIC processor, called Itanium by In- advantaging CISC processors. In to-
tel and Hewlett Packard, but the real- RISC vs. CISC in the day’s post-PC era, x86 shipments have
ity did not match its developers’ early PC and Post-PC Eras fallen almost 10% per year since the
claims. Although the EPIC approach AMD and Intel used 500-person de- peak in 2011, while chips with RISC
worked well for highly structured sign teams and superior semicon- processors have skyrocketed to 20 bil-
floating-point programs, it struggled ductor technology to close the per- lion. Today, 99% of 32-bit and 64-bit
to achieve high performance for in- formance gap between x86 and RISC. processors are RISC.
teger programs that had less predict- Again inspired by the performance Concluding this historical review,
able cache misses or less-predictable advantages of pipelining simple vs. we can say the marketplace settled the
branches. As Donald Knuth later complex instructions, the instruction RISC-CISC debate; CISC won the later
noted:21 “The Itanium approach ... decoder translated the complex x86 stages of the PC era, but RISC is win-
was supposed to be so terrific—un- instructions into internal RISC-like ning the post-PC era. There have been
til it turned out that the wished-for microinstructions on the fly. AMD no new CISC ISAs in decades. To our
compilers were basically impossible and Intel then pipelined the execu- surprise, the consensus on the best

52 COMM UNICATIO NS O F THE AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 turing lecture

ISA principles for general-purpose generation of technology, computers cluding approximately 15 branches,
processors today is still RISC, 35 years would become more energy efficient. as they represent approximately 25%
after their introduction. Dennard scaling began to slow sig- of executed instructions. To keep the
nificantly in 2007 and faded to almost pipeline full, branches are predicted
Current Challenges for nothing by 2012 (see Figure 3). and code is speculatively placed into
Processor Architecture Between 1986 and about 2002, the the pipeline for execution. The use
“If a problem has no solution, it may exploitation of instruction level paral- of speculation is both the source of
not be a problem, but a fact—not to be lelism (ILP) was the primary architec- ILP performance and of inefficiency.
solved, but to be coped with over time.” tural method for gaining performance When branch prediction is perfect,
—Shimon Peres and, along with improvements in speed speculation improves performance
While the previous section focused of transistors, led to an annual perfor- yet involves little added energy cost—
on the design of the instruction set mance increase of approximately 50%. it can even save energy—but when it
architecture (ISA), most computer The end of Dennard scaling meant ar- “mispredicts” branches, the proces-
architects do not design new ISAs chitects had to find more efficient ways sor must throw away the incorrectly
but implement existing ISAs in the to exploit parallelism. speculated instructions, and their
prevailing implementation technol- To understand why increasing ILP computational work and energy are
ogy. Since the late 1970s, the technol- caused greater inefficiency, consider wasted. The internal state of the pro-
ogy of choice has been metal oxide a modern processor core like those cessor must also be restored to the
semiconductor (MOS)-based inte- from ARM, Intel, and AMD. Assume it state that existed before the mispre-
grated circuits, first n-type metal–ox- has a 15-stage pipeline and can issue dicted branch, expending additional
ide semiconductor (nMOS) and then four instructions every clock cycle. It time and energy.
complementary metal–oxide semi- thus has up to 60 instructions in the To see how challenging such a design
conductor (CMOS). The stunning rate pipeline at any moment in time, in- is, consider the difficulty of correctly
of improvement in MOS technology—
captured in Gordon Moore’s predic- Figure 4. Wasted instructions as a percentage of all instructions completed on an Intel
Core i7 for a variety of SPEC integer benchmarks.
tions—has been the driving factor
enabling architects to design more-
aggressive methods for achieving 40% 39% 38%
performance for a given ISA. Moore’s 35% 32%
30%
original prediction in 196526 called 25%
25% 24%
for a doubling in transistor density 22%
20%
yearly; in 1975, he revised it, project- 15% 15%
11%
ing a doubling every two years.28 It 10%
6% 7%
eventually became called Moore’s 5% 5%
1%
Law. Because transistor density grows 0
LIBQUANTUM

XALANCBMK
OMNETPP
PERLBEN

H264REF
quadratically while speed grows lin-
HMMER
GOBMK

SJENG

ASTAR
BZIP2

MCF
GCC

early, architects used more transis-

tors to improve performance.

End of Moore’s Law and

Dennard Scaling
Although Moore’s Law held for many Figure 5. Effect of Amdahl’s Law on speedup as a fraction of clock cycle time in serial
mode.
decades (see Figure 2), it began to slow
sometime around 2000 and by 2018
showed a roughly 15-fold gap between 65
60
Moore’s prediction and current capa-
55
bility, an observation Moore made in
50
2003 that was inevitable.27 The current
45
expectation is that the gap will con-
40 1%
tinue to grow as CMOS technology ap-
Speedup

35
proaches fundamental limits. 30
Accompanying Moore’s Law was a 2%
25
projection made by Robert Dennard 20
4%
called “Dennard scaling,”5 stating that 15 6%
as transistor density increased, power 10 8%
10%
consumption per transistor would 5
drop, so the power per mm2 of sili- 0
1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61 65
con would be near constant. Since the
Processor Count
computational capability of a mm2 of
silicon was increasing with each new

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 53
turing lecture

predicting the outcome of 15 branches. ent approach to achieve performance a single core, assuming different por-
If a processor architect wants to limit improvements. The multicore era was tions of serial execution, where only
wasted work to only 10% of the time, thus born. one processor is active. For example,
the processor must predict each branch Multicore shifted responsibility for when only 1% of the time is serial, the
correctly 99.3% of the time. Few general- identifying parallelism and deciding speedup for a 64-processor configura-
purpose programs have branches that how to exploit it to the programmer tion is about 35. Unfortunately, the
can be predicted so accurately. and to the language system. Multicore power needed is proportional to 64
To appreciate how this wasted work does not resolve the challenge of ener- processors, so approximately 45% of
adds up, consider the data in Figure 4, gy-efficient computation that was exac- the energy is wasted.
showing the fraction of instructions erbated by the end of Dennard scaling. Real programs have more complex
that are effectively executed but turn Each active core burns power whether structures of course, with portions
out to be wasted because the proces- or not it contributes effectively to the that allow varying numbers of proces-
sor speculated incorrectly. On average, computation. A primary hurdle is an sors to be used at any given moment
19% of the instructions are wasted for old observation, called Amdahl’s Law, in time. Nonetheless, the need to com-
these benchmarks on an Intel Core i7. stating that the speedup from a paral- municate and synchronize periodically
The amount of wasted energy is great- lel computer is limited by the portion means most applications have some
er, however, since the processor must of a computation that is sequential. portions that can effectively use only
use additional energy to restore the To appreciate the importance of this a fraction of the processors. Although
state when it speculates incorrectly. observation, consider Figure 5, show- Amdahl’s Law is more than 50 years
Measurements like these led many to ing how much faster an application old, it remains a difficult hurdle.
conclude architects needed a differ- runs with up to 64 cores compared to With the end of Dennard scaling,
increasing the number of cores on a
Figure 6. Growth of computer performance using integer programs (SPECintCPU). chip meant power is also increasing
at nearly the same rate. Unfortunately,
End of the Line ⇒ 2X/20 years (3%/yr) the power that goes into a processor
Amdahl’s Law ⇒ 2X/6 years (12%/year) must also be removed as heat. Mul-
End of Dennard Scaling ⇒ Multicore 2X/3.5 years (23%/year) ticore processors are thus limited by
CISC 2X/2.5 years RISC 2X/1.5 years the thermal dissipation power (TDP),
(22%/year) (52%/year)
100,000 or average amount of power the pack-
age and cooling system can remove.
Although some high-end data centers
Performance vs. VAX11-780

10,000
may use more advanced packages and
cooling technology, no computer us-
1,000 ers would want to put a small heat
exchanger on their desks or wear a ra-
100 diator on their backs to cool their cell-
phones. The limit of TDP led directly
10 to the era of “dark silicon,” whereby
processors would slow on the clock
1 rate and turn off idle cores to prevent
1980 1985 1990 1995 2000 2005 2010 2015
overheating. Another way to view this
approach is that some chips can real-
locate their precious power from the
Figure 7. Potential speedup of matrix multiply in Python for four optimizations. idle cores to the active ones.
An era without Dennard scaling,
Matrix Multiply Speedup Over Native Python along with reduced Moore’s Law and
62,806 Amdahl’s Law in full effect means
100,000
inefficiency limits improvement in
6,727 performance to only a few percent
10,000
per year (see Figure 6). Achieving
Speedup

366 higher rates of performance improve-

1,000
ment—as was seen in the 1980s and
1990s—will require new architec-
100
47 tural approaches that use the inte-
10
grated-circuit capability much more
efficiently. We will return to what ap-
1
1
proaches might work after discussing
Python C + parallel + memory + SIMD another major shortcoming of mod-
loops optimization instructions
ern computers—their support, or
lack thereof, for computer security.

54 COM MUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 turing lecture

Overlooked Security to be attacked creates many new vul-

In the 1970s, processor architects nerabilities. Two more vulnerabilities
focused significant attention on en- in the virtual-machine architecture
hancing computer security with con- were subsequently reported.37,38 One
cepts ranging from protection rings
to capabilities. It was well under- The end of Dennard of them, called Foreshadow, allows
penetration of the Intel SGX security
stood by these architects that most
bugs would be in software, but they
scaling meant mechanisms designed to protect the
highest risk data (such as encryption
believed architectural support could architects had to keys). New vulnerabilities are being
help. These features were largely un-
used by operating systems that were
find more efficient discovered monthly.
Side-channel attacks are not new,
deliberately focused on supposedly ways to exploit but in most earlier cases, a software
benign environments (such as per-
sonal computers), and the features
parallelism. flaw allowed the attack to succeed. In
the Meltdown, Spectre, and other at-
involved significant overhead then, so tacks, it is a flaw in the hardware im-
were eliminated. In the software com- plementation that exposes protected
munity, many thought formal verifica- information. There is a fundamental
tion and techniques like microkernels difficulty in how processor architects
would provide effective mechanisms define what is a correct implementa-
for building highly secure software. tion of an ISA because the standard
Unfortunately, the scale of our collec- definition says nothing about the
tive software systems and the drive for performance effects of executing an
performance meant such techniques instruction sequence, only about the
could not keep up with processor per- ISA-visible architectural state of the
formance. The result is large software execution. Architects need to rethink
systems continue to have many securi- their definition of a correct implemen-
ty flaws, with the effect amplified due tation of an ISA to prevent such securi-
to the vast and increasing amount of ty flaws. At the same time, they should
personal information online and the be rethinking the attention they pay
use of cloud-based computing, which computer security and how architects
shares physical hardware among po- can work with software designers to
tential adversaries. implement more-secure systems. Ar-
Although computer architects and chitects (and everyone else) depend
others were perhaps slow to realize too much on more information sys-
the growing importance of security, tems to willingly allow security to be
they began to include hardware sup- treated as anything less than a first-
port for virtual machines and encryp- class design concern.
tion. Unfortunately, speculation in-
troduced an unknown but significant Future Opportunities in
security flaw into many processors. In Computer Architecture
particular, the Meltdown and Spectre “What we have before us are some breath-
security flaws led to new vulnerabili- taking opportunities disguised as insoluble
ties that exploit vulnerabilities in the problems.” —John Gardner, 1965
microarchitecture, allowing leakage Inherent inefficiencies in general-
of protected information at a high purpose processors, whether from ILP
rate.14 Both Meltdown and Spectre use techniques or multicore, combined
so-called side-channel attacks where- with the end of Dennard scaling and
by information is leaked by observing Moore’s Law, make it highly unlikely,
the time taken for a task and convert- in our view, that processor architects
ing information invisible at the ISA and designers can sustain significant
level into a timing visible attribute. In rates of performance improvements in
2018, researchers showed how to ex- general-purpose processors. Given the
ploit one of the Spectre variants to leak importance of improving performance
information over a network without to enable new software capabilities,
the attacker loading code onto the tar- we must ask: What other approaches
get processor.34 Although this attack, might be promising?
called NetSpectre, leaks information There are two clear opportunities, as
slowly, the fact that it allows any ma- well as a third created by combining the
chine on the same local-area network two. First, existing techniques for build-
(or within the same cluster in a cloud) ing software make extensive use of high-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 55
turing lecture

Figure 8. Functional organization of Google Tensor Processing Unit (TPU v1).

14 GiB/s 30 GiB/s
DDR3 Weight FIFO
Interfaces (Weight Fetcher)

Control Control 30 GiB/s

Lo
165
10 GiB/s Unified Buffer (96K
Systolic GiB/s Matrix
(Local
Interface

Array Multiply Unit

Activation
PCIe

14 GiB/s 14 GiB/s Control (64K per cycle)

Interface

Storage)
Host

Control Accumulators
D
R
A
Activation M C
port
Instr

165 GiB/s
ddr3
Off-Chip I/O Normalize/Pool 3%
Data Buffer
Computation
Control Control
Control
Not to Scale

level languages with dynamic typing and An interesting research direction application-specific integrated cir-
storage management. Unfortunately, concerns whether some of the perfor- cuits (ASICs) that are often used for a
such languages are typically interpreted mance gap can be closed with new com- single function with code that rarely
and execute very inefficiently. Leiserson piler technology, possibly assisted by changes. DSAs are often called acceler-
et al.24 used a small example—perform- architectural enhancements. Although ators, since they accelerate some of an
ing matrix multiply—to illustrate this the challenges in efficiently translating application when compared to execut-
inefficiency. As in Figure 7, simply re- and implementing high-level scripting ing the entire application on a general-
writing the code in C from Python—a languages like Python are difficult, the purpose CPU. Moreover, DSAs can
typical high-level, dynamically typed lan- potential gain is enormous. Achieving achieve better performance because
guage—increases performance 47-fold. even 25% of the potential gain could they are more closely tailored to the
Using parallel loops running on many result in Python programs running needs of the application; examples of
cores yields a factor of approximately tens to hundreds of times faster. This DSAs include graphics processing
7. Optimizing the memory layout to ex- simple example illustrates how great units (GPUs), neural network proces-
ploit caches yields a factor of 20, and a the gap is between modern languages sors used for deep learning, and pro-
final factor of 9 comes from using the emphasizing programmer productivity cessors for software-defined networks
hardware extensions for doing single in- and traditional approaches emphasiz- (SDNs). DSAs can achieve higher per-
struction multiple data (SIMD) parallel- ing performance. formance and greater energy efficiency
ism operations that are able to perform Domain-specific architectures. A for four main reasons:
16 32-bit operations per instruction. more hardware-centric approach is to First and most important, DSAs
All told, the final, highly optimized ver- design architectures tailored to a spe- exploit a more efficient form of par-
sion runs more than 62,000× faster on cific problem domain and offer signif- allelism for the specific domain. For
a multicore Intel processor compared icant performance (and efficiency) example, single-instruction multiple
to the original Python version. This is of gains for that domain, hence, the data parallelism (SIMD), is more ef-
course a small example, one might ex- name “domain-specific architectures” ficient than multiple instruction mul-
pect programmers to use an optimized (DSAs), a class of processors tailored tiple data (MIMD) because it needs to
library for. Although it exaggerates the for a specific domain—programmable fetch only one instruction stream and
usual performance gap, there are likely and often Turing-complete but tai- processing units operate in lockstep.9
many programs for which factors of 100 lored to a specific class of applica- Although SIMD is less flexible than
to 1,000 could be achieved. tions. In this sense, they differ from MIMD, it is a good match for many

56 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 turing lecture

DSAs. DSAs may also use VLIW ap- cessors operate. For suitable applica- to the processor efficiently. Examples
proaches to ILP rather than specula- tions, user-controlled memories can of DSLs include Matlab, a language for
tive out-of-order mechanisms. As men- use much less energy than caches. operating on matrices, TensorFlow, a
tioned earlier, VLIW processors are a Third, DSAs can use less precision dataflow language used for program-
poor match for general-purpose code15 when it is adequate. General-purpose ming DNNs, P4, a language for pro-
but for limited domains can be much CPUs usually support 32- and 64-bit in- gramming SDNs, and Halide, a lan-
more efficient, since the control mech- teger and floating-point (FP) data. For guage for image processing specifying
anisms are simpler. In particular, most many applications in machine learn- high-level transformations.
high-end general-purpose processors ing and graphics, this is more accuracy The challenge when using DSLs is
are out-of-order superscalars that re- than is needed. For example, in deep how to retain enough architecture in-
quire complex control logic for both neural networks (DNNs), inference dependence that software written in
instruction initiation and instruction regularly uses 4-, 8-, or 16-bit integers, a DSL can be ported to different ar-
completion. In contrast, VLIWs per- improving both data and computation- chitectures while also achieving high
form the necessary analysis and sched- al throughput. Likewise, for DNN train- efficiency in mapping the software
uling at compile-time, which can work ing applications, FP is useful, but 32 to the underlying DSA. For example,
well for an explicitly parallel program. bits is enough and 16 bits often works. the XLA system translates Tensorflow
Second, DSAs can make more effec- Finally, DSAs benefit from targeting to heterogeneous processors that
tive use of the memory hierarchy. Mem- programs written in domain-specific use Nvidia GPUs or Tensor Processor
ory accesses have become much more languages (DSLs) that expose more Units (TPUs).40 Balancing portability
costly than arithmetic computations, parallelism, improve the structure and among DSAs along with efficiency is
as noted by Horowitz.16 For example, representation of memory access, and an interesting research challenge for
accessing a block in a 32-kilobyte cache make it easier to map the application ef- language designers, compiler creators,
involves an energy cost approximately ficiently to a domain-specific processor. and DSA architects.
200× higher than a 32-bit integer add. Example DSA: TPU v1. As an example
This enormous differential makes Domain-Specific Languages DSA, consider the Google TPU v1, which
optimizing memory accesses critical DSAs require targeting of high-level op- was designed to accelerate neural net
to achieving high-energy efficiency. erations to the architecture, but trying inference.17,18 The TPU has been in
General-purpose processors run code to extract such structure and informa- production since 2015 and powers ap-
in which memory accesses typically ex- tion from a general-purpose language plications ranging from search queries
hibit spatial and temporal locality but like Python, Java, C, or Fortran is sim- to language translation to image recog-
are otherwise not very predictable at ply too difficult. Domain specific lan- nition to AlphaGo and AlphaZero, the
compile time. CPUs thus use multilevel guages (DSLs) enable this process and DeepMind programs for playing Go and
caches to increase bandwidth and hide make it possible to program DSAs ef- Chess. The goal was to improve the per-
the latency in relatively slow, off-chip ficiently. For example, DSLs can make formance and energy efficiency of deep
DRAMs. These multilevel caches often vector, dense matrix, and sparse ma- neural net inference by a factor of 10.
consume approximately half the energy trix operations explicit, enabling the As shown in Figure 8, the TPU or-
of the processor but avoid almost all DSL compiler to map the operations ganization is radically different from a
accesses to the off-chip DRAMs that re-
quire approximately 10× the energy of a Figure 9. Agile hardware development methodology.
last-level cache access.
Caches have two notable disadvan-
tages: Big Chip
Tape-Out
When datasets are very large. Caches
simply do not work well when datasets Tape-Out
are very large and also have low tempo-
ral or spatial locality; and
When caches work well. When
Tape-In
caches work well, the locality is very
high, meaning, by definition, most
of the cache is idle most of the time. ASIC Flow
In applications where the memory-
access patterns are well defined and FPGA
discoverable at compile time, which
is true of typical DSLs, programmers C++
and compilers can optimize the use of
the memory better than can dynami-
cally allocated caches. DSAs thus usu-
ally use a hierarchy of memories with
movement controlled explicitly by the
software, similar to how vector pro-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 57
turing lecture

general-purpose processor. The main amine and make complex trade-offs and Foundation (http://riscv.org/). Being
computational unit is a matrix unit, optimizations will be advantaged. open allows the ISA evolution to occur
a systolic array22 structure that pro- This opportunity has already led to in public, with hardware and software
vides 256 × 256 multiply-accumulates a surge of architecture innovation, at- experts collaborating before decisions
every clock cycle. The combination of tracting many competing architectural are finalized. An added benefit of an
8-bit precision, highly efficient sys- philosophies: open foundation is the ISA is unlikely to
tolic structure, SIMD control, and GPUs. Nvidia GPUs use many cores, expand primarily for marketing reasons,
dedication of significant chip area to each with large register files, many sometimes the only explanation for ex-
this function means the number of hardware threads, and caches;4 tensions of proprietary instruction sets.
multiply-accumulates per clock cycle TPUs. Google TPUs rely on large RISC-V is a modular instruction set.
is approximately 100× what a general- two-dimensional systolic multipli- A small base of instructions run the full
purpose single-core CPU can sustain. ers and software-controlled on-chip open source software stack, followed by
Rather than caches, the TPU uses a lo- memories;17 optional standard extensions designers
cal memory of 24 megabytes, approxi- FPGAs. Microsoft deploys field pro- can include or omit depending on their
mately double a 2015 general-purpose grammable gate arrays (FPGAs) in its needs. This base includes 32-bit address
CPU with the same power dissipa- data centers it tailors to neural network and 64-bit address versions. RISC-V can
tion. Finally, both the activation applications;10 and grow only through optional extensions;
memory and the weight memory (in- CPUs. Intel offers CPUs with many the software stack still runs fine even if
cluding a FIFO structure that holds cores enhanced by large multi-level architects do not embrace new exten-
weights) are linked through user- caches and one-dimensional SIMD in- sions. Proprietary architectures gener-
controlled high-bandwidth memory structions, the kind of FPGAs used by ally require upward binary compatibil-
channels. Using a weighted arith- Microsoft, and a new neural network ity, meaning when a processor company
metic mean based on six common processor that is closer to a TPU than adds new feature, all future processors
inference problems in Google data to a CPU.19 must also include it. Not so for RISC-V,
centers, the TPU is 29× faster than a In addition to these large players, whereby all enhancements are optional
general-purpose CPU. Since the TPU dozens of startups are pursuing their and can be deleted if not needed by an
requires less than half the power, it own proposals.25 To meet growing de- application. Here are the standard ex-
has an energy efficiency for this work- mand, architects are interconnecting tensions so far, using initials that stand
load that is more than 80× better than a hundreds to thousands of such chips to for their full names:
general-purpose CPU. form neural-network supercomputers. M. Integer multiply/divide;
This avalanche of DNN architec- A. Atomic memory operations;
Summary tures makes for interesting times in F/D. Single/double-precision float-
We have considered two different ap- computer architecture. It is difficult to ing-point; and
proaches to improve program perfor- predict in 2019 which (or even if any) of C. Compressed instructions.
mance by improving efficiency in the these many directions will win, but the A third distinguishing feature of
use of hardware technology: First, by marketplace will surely settle the com- RISC-V is the simplicity of the ISA.
improving the performance of modern petition just as it settled the architec- While not readily quantifiable, here are
high-level languages that are typically tural debates of the past. two comparisons to the ARMv8 archi-
interpreted; and second, by building do- tecture, as developed by the ARM com-
main-specific architectures that greatly Open Architectures pany contemporaneously:
improve performance and efficiency Inspired by the success of open source Fewer instructions. RISC-V has many
compared to general-purpose CPUs. software, the second opportunity in fewer instructions. There are 50 in
DSLs are another example of how to im- computer architecture is open ISAs. the base that are surprisingly similar
prove the hardware/software interface To create a “Linux for processors” the in number and nature to the origi-
that enables architecture innovations field needs industry-standard open nal RISC-I.30 The remaining standard
like DSAs. Achieving significant gains ISAs so the community can create extensions—M, A, F, and D—add 53
through such approaches will require open source cores, in addition to indi- instructions, plus C added another 34,
a vertically integrated design team that vidual companies owning proprietary totaling 137. ARMv8 has more than
understands applications, domain- ones. If many organizations design 500; and
specific languages and related compil- processors using the same ISA, the Fewer instruction formats. RISC-V
er technology, computer architecture greater competition may drive even has many fewer instruction formats,
and organization, and the underlying quicker innovation. The goal is to six, while ARMv8 has at least 14.
implementation technology. The need provide processors for chips that cost Simplicity reduces the effort to both
to vertically integrate and make design from a few cents to $100. design processors and verify hardware
decisions across levels of abstraction The first example is RISC-V (called correctness. As the RISC-V targets range
was characteristic of much of the early “RISC Five”), the fifth RISC architecture from data-center chips to IoT devices,
work in computing before the industry developed at the University of Califor- design verification can be a significant
became horizontally structured. In this nia, Berkeley.32 RISC-V’s has a commu- part of the cost of development.
new era, vertical integration has become nity that maintains the architecture Fourth, RISC-V is a clean-slate de-
more important, and teams that can ex- under the stewardship of the RISC-V sign, starting 25 years later, letting its

58 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 turing lecture

architects learn from mistakes of its tion in waterfall development. Small

predecessors. Unlike first-generation programming teams quickly developed
RISC architectures, it avoids microar- working-but-incomplete prototypes and
chitecture or technology-dependent got customer feedback before starting
features (such as delayed branches and
delayed loads) or innovations (such as Security experts the next iteration. The scrum version of
agile development assembles teams of
register windows) that were supersed-
ed by advances in compiler technology.
do not believe in five to 10 programmers doing sprints of
two to four weeks per iteration.
Finally, RISC-V supports DSAs by re- security through Once again inspired by a software
serving a vast opcode space for custom
accelerators.
obscurity, so open success, the third opportunity is ag-
ile hardware development. The good
Beyond RISC-V, Nvidia also an- implementations news for architects is that modern
nounced (in 2017) a free and open ar-
chitecture29 it calls Nvidia Deep Learn-
are attractive, electronic computer aided design
(ECAD) tools raise the level of abstrac-
ing Accelerator (NVDLA), a scalable, and open tion, enabling agile development, and
configurable DSA for machine-learning
inference. Configuration options in- implementations this higher level of abstraction increas-
es reuse across designs.
clude data type (int8, int16, or fp16 ) require an open It seems implausible to claim sprints
and the size of the two-dimensional
multiply matrix. Die size scales from architecture. of four weeks to apply to hardware, giv-
en the months between when a design
0.5 mm2 to 3 mm2 and power from 20 is “taped out” and a chip is returned.
milliWatts to 300 milliWatts. The ISA, Figure 9 outlines how an agile develop-
software stack, and implementation ment method can work by changing the
are all open. prototype at the appropriate level.23 The
Open simple architectures are syn- innermost level is a software simulator,
ergistic with security. First, security ex- the easiest and quickest place to make
perts do not believe in security through changes if a simulator could satisfy an
obscurity, so open implementations iteration. The next level is FPGAs that
are attractive, and open implementa- can run hundreds of times faster than a
tions require an open architecture. detailed software simulator. FPGAs can
Equally important is increasing the run operating systems and full bench-
number of people and organizations marks like those from the Standard
who can innovate around secure ar- Performance Evaluation Corporation
chitectures. Proprietary architectures (SPEC), allowing much more precise
limit participation to employees, but evaluation of prototypes. Amazon Web
open architectures allow all the best Services offers FPGAs in the cloud, so
minds in academia and industry to architects can use FPGAs without need-
help with security. Finally, the simplic- ing to first buy hardware and set up a
ity of RISC-V makes its implementa- lab. To have documented numbers for
tions easier to check. Moreover, the die area and power, the next outer level
open architectures, implementations, uses the ECAD tools to generate a chip’s
and software stacks, plus the plasticity layout. Even after the tools are run, some
of FPGAs, mean architects can deploy manual steps are required to refine the
and evaluate novel solutions online results before a new processor is ready to
and iterate them weekly instead of an- be manufactured. Processor designers
nually. While FPGAs are 10× slower call this next level a “tape in.” These first
than custom chips, such performance four levels all support four-week sprints.
is still fast enough to support online For research purposes, we could stop
users and thus subject security innova- at tape in, as area, energy, and perfor-
tions to real attackers. We expect open mance estimates are highly accurate.
architectures to become the exemplar However, it would be like running a
for hardware/software co-design by ar- long race and stopping 100 yards be-
chitects and security experts. fore the finish line because the runner
can accurately predict the final time.
Agile Hardware Development Despite all the hard work in race prepa-
The Manifesto for Agile Software Develop- ration, the runner would miss the thrill
ment (2001) by Beck et al.1 revolution- and satisfaction of actually crossing the
ized software development, overcoming finish line. One advantage hardware en-
the frequent failure of the traditional gineers have over software engineers is
elaborate planning and documenta- they build physical things. Getting chips

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 59
turing lecture

back to measure, run real programs, References

for Industrial and Applied Mathematics, Philadelphia,
PA, 1979, 256–282.
and show to their friends and family is 1. Beck, K., Beedle, M., Van Bennekum, A., Cockburn, A.,
23. Lee, Y., Waterman, A., Cook, H., Zimmer, B., Keller,
Cunningham, W., Fowler, M. . . . and Kern, J. Manifesto
a great joy of hardware design. for Agile Software Development, 2001; https://
B., Puggelli, A. . . . and Chiu, P. An agile approach to
building RISC-V microprocessors. IEEE Micro 36, 2
Many researchers assume they must agilemanifesto.org/
(Feb. 2016), 8–20.
2. Bhandarkar, D. and Clark, D.W. Performance from
stop short because fabricating chips is architecture: Comparing a RISC and a CISC with
24. Leiserson, C. et al. There’s plenty of room at the top.
To appear.
unaffordable. When designs are small, similar hardware organization. In Proceedings of the
25. Metz, C. Big bets on A.I. open a new frontier for chip
Fourth International Conference on Architectural
they are surprisingly inexpensive. Archi- start-ups, too. The New York Times (Jan. 14, 2018).
Support for Programming Languages and Operating
26. Moore, G. Cramming more components onto
tects can order 100 1-mm2 chips for only Systems (Santa Clara, CA, Apr. 8–11). ACM Press,
integrated circuits. Electronics 38, 8 (Apr. 19, 1965),
New York, 1991, 310–319.
$14,000. In 28 nm, 1 mm2 holds millions 56–59.
3. Chaitin, G. et al. Register allocation via coloring.
27. Moore, G. No exponential is forever: But ‘forever’ can
of transistors, enough area for both a Computer Languages 6, 1 (Jan. 1981), 47–57.
be delayed! [semiconductor industry]. In Proceedings
4. Dally, W. et al. Hardware-enabled artificial intelligence.
of the IEEE International Solid-State Circuits
RISC-V processor and an NVLDA accel- In Proceedings of the Symposia on VLSI Technology
Conference Digest of Technical Papers (San Francisco,
and Circuits (Honolulu, HI, June 18–22). IEEE Press,
erator. The outermost level is expensive 2018, 3–6.
CA, Feb. 13). IEEE, 2003, 20–23.
28. Moore, G. Progress in digital integrated electronics. In
if the designer aims to build a large chip, 5. Dennard, R. et al. Design of ion-implanted MOSFETs
Proceedings of the International Electronic Devices
with very small physical dimensions. IEEE Journal of
but an architect can demonstrate many Solid State Circuits 9, 5 (Oct. 1974), 256–268.
Meeting (Washington, D.C., Dec.). IEEE, New York,
1975, 11–13.
novel ideas with small chips. 6. Emer, J. and Clark, D. A characterization of processor
29. Nvidia. Nvidia Deep Learning Accelerator (NVDLA),
performance in the VAX-11/780. In Proceedings
2017; http://nvdla.org/
of the 11th International Symposium on Computer
30. Patterson, D. How Close is RISC-V to RISC-I?
Conclusion Architecture (Ann Arbor, MI, June). ACM Press, New
ASPIRE blog, June 19, 2017; https://aspire.eecs.
York, 1984, 301–310.
“The darkest hour is just before the 7. Fisher, J. The VLIW machine: A multiprocessor for
berkeley.edu/2017/06/how-close-is-risc-v-to-risc-i/
31. Patterson, D. RISCy history. Computer Architecture
dawn.” —Thomas Fuller, 1650 compiling scientific code. Computer 17, 7 (July 1984),
Today blog, May 30, 2018; https://www.sigarch.org/
45–53.
To benefit from the lessons of his- 8. Fitzpatrick, D.T., Foderaro, J.K., Katevenis, M.G.,
riscy-history/
32. Patterson, D. and Waterman, A. The RISC-V Reader:
tory, architects must appreciate that Landman, H.A., Patterson, D.A., Peek, J.B., Peshkess,
An Open Architecture Atlas. Strawberry Canyon LLC,
Z., Séquin, C.H., Sherburne, R.W., and Van Dyke, K.S. A
software innovations can also inspire San Francisco, CA, 2017.
RISCy approach to VLSI. ACM SIGARCH Computer
33. Rowen, C., Przbylski, S., Jouppi, N., Gross, T.,
architects, that raising the abstraction Architecture News 10, 1 (Jan. 1982), 28–32.
Shott, J., and Hennessy, J. A pipelined 32b NMOS
9. Flynn, M. Some computer organizations and their
level of the hardware/software interface microprocessor. In Proceedings of the IEEE
effectiveness. IEEE Transactions on Computers 21, 9
International Solid-State Circuits Conference Digest
yields opportunities for innovation, and (Sept. 1972), 948–960.
of Technical Papers (San Francisco, CA, Feb. 22–24)
10. Fowers, J. et al. A configurable cloud-scale DNN
IEEE, 1984, 180–181.
that the marketplace ultimately settles processor for real-time AI. In Proceedings of the 34. Schwarz, M., Schwarzl, M., Lipp, M., and Gruss, D.
45th ACM/IEEE Annual International Symposium on
computer architecture debates. The Computer Architecture (Los Angeles, CA, June 2–6).
Netspectre: Read arbitrary memory over network. arXiv
preprint, 2018; https://arxiv.org/pdf/1807.10535.pdf
iAPX-432 and Itanium illustrate how IEEE, 2018, 1–14.
35. Sherburne, R., Katevenis, M., Patterson, D., and Sequin,
11. Hennessy, J. and Patterson, D. A New Golden Age for
architecture investment can exceed re- Computer Architecture. Turing Lecture delivered at
C. A 32b NMOS microprocessor with a large register
file. In Proceedings of the IEEE International Solid-
turns, while the S/360, 8086, and ARM the 45th ACM/IEEE Annual International Symposium State Circuits Conference (San Francisco, CA, Feb.
on Computer Architecture (Los Angeles, CA, June 4,
deliver high annual returns lasting de- 2018); http://iscaconf.org/isca2018/turing_lecture.html;
22–24). IEEE Press, 1984, 168–169.
36. Thacker, C., MacCreight, E., and Lampson, B. Alto:
cades with no end in sight. https://www.youtube.com/watch?v=3LVeEjsn8Ts A Personal Computer. CSL-79-11, Xerox Palo Alto
12. Hennessy, J., Jouppi, N., Przybylski, S., Rowen,
The end of Dennard scaling and C., Gross, T., Baskett, F., and Gill, J. MIPS: A
Research Center, Palo Alto, CA, Aug. 7,1979; http://
people.scs.carleton.ca/~soma/distos/fall2008/alto.pdf
Moore’s Law and the deceleration of per- microprocessor architecture. ACM SIGMICRO 37. Turner, P., Parseghian, P., and Linton, M. Protecting
Newsletter 13, 4 (Oct. 5, 1982), 17–22.
formance gains for standard micropro- 13. Hennessy, J. and Patterson, D. Computer Architecture:
against the new ‘L1TF’ speculative vulnerabilities.
Google blog, Aug. 14, 2018; https://cloud.google.com/
cessors are not problems that must be A Quantitative Approach. Morgan Kauffman, San blog/products/gcp/protectingagainst-the-new-l1tf-
Francisco, CA, 1989. speculative-vulnerabilities
solved but facts that, recognized, offer 14. Hill, M. A primer on the meltdown and Spectre 38. Van Bulck, J. et al. Foreshadow: Extracting the keys
breathtaking opportunities. High-level, hardware security design flaws and their important to the Intel SGX kingdom with transient out-of-order
implications, Computer Architecture Today blog (Feb. execution. In Proceedings of the 27th USENIX Security
domain-specific languages and archi- 15, 2018); https://www.sigarch.org/a-primer-on-the- Symposium (Baltimore, MD, Aug. 15–17). USENIX
tectures, freeing architects from the meltdown-spectre-hardware-security-design-flaws- Association, Berkeley, CA, 2018.
and-their-important-implications/ 39. Wilkes, M. and Stringer, J. Micro-programming and the
chains of proprietary instruction sets, 15. Hopkins, M. A critical look at IA-64: Massive design of the control circuits in an electronic digital
resources, massive ILP, but can it deliver?
along with demand from the public for Microprocessor Report 14, 2 (Feb. 7, 2000), 1–5.
computer. Mathematical Proceedings of the Cambridge
Philosophical Society 49, 2 (Apr. 1953), 230–238.
improved security, will usher in a new 16. Horowitz M. Computing’s energy problem (and what 40. XLA Team. XLA – TensorFlow. Mar. 6, 2017; https://
we can do about it). In Proceedings of the IEEE
golden age for computer architects. International Solid-State Circuits Conference Digest of
developers.googleblog.com/2017/03/xlatensorflow-
compiled.html
Aided by open source ecosystems, ag- Technical Papers (San Francisco, CA, Feb. 9–13). IEEE
Press, 2014, 10–14.
ilely developed chips will convincingly 17. Jouppi, N., Young, C., Patil, N., and Patterson, D. A John L. Hennessy (hennnessy@stanford.edu) is
demonstrate advances and thereby domain-specific architecture for deep neural networks. Past-President of Stanford University, Stanford, CA, USA,
Commun. ACM 61, 9 (Sept. 2018), 50–58. and is Chairman of Alphabet Inc., Mountain View, CA, USA.
accelerate commercial adoption. The 18. Jouppi, N.P., Young, C., Patil, N., Patterson, D., Agrawal,
ISA philosophy of the general-purpose G., Bajwa, R., Bates, S., Bhatia, S., Boden, N., Borchers, David A. Patterson (pattrsn@berkeley.edu) is the Pardee
A., and Boyle, R. In-datacenter performance analysis Professor of Computer Science, Emeritus at the University
processors in these chips will likely be of a tensor processing unit. In Proceedings of the of California, Berkeley, CA, USA, and a Distinguished
RISC, which has stood the test of time. 44th ACM/IEEE Annual International Symposium on Engineer at Google, Mountain View, CA, USA.
Computer Architecture (Toronto, ON, Canada, June
Expect the same rapid improvement as 24–28). IEEE Computer Society, 2017, 1–12.
in the last golden age, but this time in 19. Kloss, C. Nervana Engine Delivers Deep Learning at © 2019 ACM 0001-0782/19/2 $15.00
Ludicrous Speed. Intel blog, May 18, 2016;
terms of cost, energy, and security, as https://ai.intel.com/nervana-engine-delivers-deep-
well as in performance. learning-at-ludicrous-speed/
20. Knuth, D. The Art of Computer Programming:
The next decade will see a Cambri- Fundamental Algorithms, First Edition. Addison
an explosion of novel computer archi- Wesley, Reading, MA, 1968.
21. Knuth, D. and Binstock, A. Interview with Donald
tectures, meaning exciting times for Knuth. InformIT, Hoboken, NJ, 2010; http://www. To watch Hennessy and
informit.com/articles/article.aspx Patterson’s full Turing Lecture, see
computer architects in academia and 22. Kung, H. and Leiserson, C. Systolic arrays (for VLSI). https://www.acm.org/hennessy-
in industry. Chapter in Sparse Matrix Proceedings Vol. 1. Society patterson-turing-lecture

60 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 DOI:10.1145 / 3 2 2 42 0 3

Diffusion speed and scale depend on

all kinds of information, not just which users
have the most or fewest connections.
BY CHAO GAO, ZHEN SU, JIMING LIU, AND JÜRGEN KURTHS

Even Central
Users Do Not
Always Drive
Information
Diffusion

COMMUNITY STRUCTURE, a significant and useful statistical

characteristic, is ubiquitous in social networks.17 Based
on it, a network can be viewed as consisting of multiple
units. The nodes (users) are highly connected to each
other inside a unit, while the connections between
units are sparse.4,17 For example, people with similar
interests or backgrounds might join organizations worldwide.15 The under-
together to form a community or web- lying attack reflects a malicious diffu-
pages with related topics might cluster sion in the presence of communities;
together. Different types of informa- that is, the homogeneous feature of
tion, including rumors,5 virus attacks,10 individuals leads to the community’s
and even cyber epidemics diffuse vulnerability. It is against this back-
through social networks,8 possibly lead- drop that understanding the potential
ing to unexpected social effects. A typi- dynamics could help network admin-
cal example is the worldwide cyberat- istrators gain insight into controlling
tack by WannaCry ransomware, as first unwanted information diffusion. Much
reported May 12, 2017, that resulted research today involves networks with
in the infections of more than 200,000 community structure (such as to detect

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 61
contributed articles

potential communities,21 model diffu- such a negative effect is unlikely to

sion dynamics,6 and control informa-
key insights show up in Figure 1b unless there are
tion dissemination and sharing19). In ˽˽ Central users do not always contribute to more initial source nodes.
particular, the influence of each node information diffusion due to a crossover Community structure. Global dif-
in the diffusion process must be taken point of two diffusion processes triggered fusion in a network with community
by source users with most and fewest
into consideration. In simulation ex- connections, respectively.
structure is restricted by intercommu-
periments, the source nodes that trig- nity links;16 that is, global diffusion
ger diffusion are selected by researchers ˽˽ A strong community structure decreases is facilitated only when the nodes on
the stability of the crossover point in terms
at random from a network or based on of influence of two diffusion processes. the intercommunity links (also called
predefined measures of centrality. “bridge nodes” by network archi-
In recent decades, multiple central- ˽˽ Compared to the influence of community tects) are infected. In Figure 1a, four
structure on the diffusion process,
ity measures have been proposed to the increment of source nodes leads nodes—“A,” “B,” “C,” and “D”—are
statistically evaluate the importance the diffusion scale to the appearance bridge nodes. The global diffusion is
or influence of a node (such as degree,2 of an earlier crossover point. suppressed temporarily because “D”
betweenness,11 coreness,14 and eigen- remains susceptible at t = 8. Although
vector3). Degree is used mainly for link connects different communities “D” is not infected by “C” in Figure 1b,
characterizing the partial influence of in the figure. Two diffusion processes the other source node initiates new
a node.2 Betweenness reflects the po- are triggered by the maximum degree propagation in other communities, en-
tential power of a node in controlling nodes, as in Figure 1a, and minimum hancing global diffusion.
information flow.11 Coreness implies degree nodes, as in Figure 1b, respec- Based on two factors—effective
that if a node lies in the core part of tively. Theoretically, the requirement diffusion links and community struc-
a network, the node is more impor- of simultaneous diffusion of source ture—the two diffusion processes—
tant.14 And eigenvector accounts for nodes is not necessary due to the in- maximum-degree-based and mini-
two factors: a node’s connections and dependent infection process between mum-degree-based—in Figure 1a and
its neighbors’ influences.3 State-of- each infected node and its susceptible Figure 1b might result in a crossover
the-art studies have looked into nodes neighbors. However, to ensure a clear, in terms of diffusion scale. The diffu-
with relatively greater centrality in quick observation of a diffusion phe- sion scale of Figure 1b would be great-
information diffusion. However, the nomenon, as in, say, letting source er than the diffusion scale of Figure 1a.
influence of nodes with relatively less nodes (represented by two red nodes Differing diffusion scales involve sever-
centrality on the diffusion process has in Figure 1) initiate a diffusion process al questions: For example, do the most
never been completely addressed. In simultaneously. Based on the propa- connected users always drive informa-
this article, we aim to explain the im- gation rules defined in a typical “two- tion diffusion in social networks? If
portance of two kinds of nodes in the state” diffusion model,22 each infected not, what kind of influence would the
information-diffusion process in a node tries to infect all its susceptible community structure have on the dif-
community-based network. Our find- neighbors with a certain probability at fusion process? To answer, we simu-
ings can help network administrators each time step, bringing uncertainty lated information diffusion in both
better understand the diversity of com- during the propagation process. For real-world and synthetic networks with
munities and associated complexity of example, as shown in Figure 1a, “A” community structure to investigate the
the diffusion process. is infected by “E” at t = 3, rather than potential crossover points of two diffu-
by its source node neighbor at t = 1 or sion processes.
Potential for a Crossover t = 2. Meanwhile, at t = 8, “D” remains
Centrality characterizes the influence susceptible until infected by “C” at t = Crossover in Terms of
of a node or user in a network. Intui- 10. In Figure 1a, information diffuses Propagation Scale
tively, nodes with relatively greater quickly at the initial stage. The speed Many real-world systems can be de-
centrality should be more important of diffusion could be enhanced by in- scribed as networks; examples are
than those with relatively less centrality, creasing the initial number of source email, social, and technological. Here,
as they can lead to fast, large-scale nodes. Note also two factors concern- we select a benchmark university email
diffusion. However, we often find ing the effect of network structure on dataset and construct an interaction
diffusion breaks out from a group of the potential diffusion process: network to demonstrate the influence
nodes with relatively less centrality in Effective diffusion links. The effective of two diffusion processes—maxi-
the real world. diffusion links represent the connec- mum-degree-based and minimum-de-
Figure 1 outlines two diffusion tions that make a key contribution to gree-based—triggered by two kinds of
processes as triggered by different the diffusion process;22 for example, initial source nodes with greatest- and
initial states in a community-based the link between the two source nodes least-degree centrality. The network
network. The dotted circles represent in Figure 1a does not benefit subse- includes 1,133 nodes and 5,451 links.9
different communities in a network. quent diffusion. With the increment The average degree and clustering coef-
With a strong community structure, of source nodes, there is a strong likeli- ficient in the network are 9.62 and 0.25,
the density of the intracommunity hood that some might cluster together, respectively. Specifically, the clustering
links is much greater than that of the as outlined in Figure 1a, thus decreas- coefficient is used to denote the degree
intercommunity; for instance, only one ing the effective diffusion links. But to which the neighbors of a user know

62 COM MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 contributed articles

Figure 1. Schematic of two diffusion processes: maximum-degree-based and minimum-degree-based.

During diffusion, all nodes in a network are divided into three categories: source nodes, infected nodes,
and susceptible nodes. The source nodes receive information first and trigger the overall diffusion
process. The infected and susceptible nodes represent nodes that have or have not received information.
At each time step, each infected node tries to infect all susceptible neighbors with a certain probability.
The final infected time of each node is labeled; for example, at time step t = 8, two snapshots are used to
present two diffusion processes: (a) the process is triggered by two highly connected source nodes; and
(b) the process starts from the relatively least-connected source nodes. In particular, solid and dashed
arrows associated with links denote successful and unsuccessful infection paths. Section (c) reports the
dynamic changes of infected nodes in (a) and (b) at each time step. The crossover of the two propagation
scales in (a) and (b) is plotted in (c).

t=2 t=0 t=11 t=13 Diffusion source

t=5
Susceptible node at t = 8
t=3 t=8
t=2 A B C D t=15 Infected node at t = 8
t=4 t=10 t=14 Successful infection path

E Unsuccessful infection path

t=0 t=1 t=7 t=6 t=12 t=14 18

The number of infected nodes

16
(a) Diffusion process triggered by nodes
with the maximum degree 14
Figure 1(b)
12
t=11 t=7 t=6 t=3
t=5 10 A crossover Figure 1(a)
8
t=4 t=6 6
t=14 A B C D t=5 Maximum degree
t=8 4
t=2 t=0
2 Minimum degree
0 2 4 6 8 10 12 14
t=0 t=3
t=12 t=9 t=12 t=9 The propagation step (t)

(b) Diffusion process triggered by nodes (c) Comparison of total number

with the minimum degree of infected nodes between (a) and (b)

each other.2 A greater value means a assuming the behavior of each user pose of giving an intuitive demonstra-
network’s greater inherent tendency to is independent, we used a Gaussian tion of a crossover, as plotted in Figure
cluster of a network. distribution to depict the features of 2a. We also investigated the dynamic
Simulation model. Each user is es- two behaviors when the sample size is changes of two propagation scales by
sentially represented by two states large.7 In this article, we use two nor- calculating the numerical difference
in the scenario of information diffu- mal distribution functions—N(40, 202) of two propagation processes at each
sion—“received” a message or “not and N(0.5, 0.32)—to represent the fea- time t, as plotted in Figure 2b. Three
received” a message. We adopt a typi- tures of checking intervals and clicking critical points are labeled t1, tc, and t2.
cal “two-state” diffusion model—the probability.7,22 When t < tc, the difference between
interactive email model proposed by Experimental settings. We set the per- propagation scales is positive, as shown
Zou et al.22 and implemented by Gao centage of initial source nodes at 20%. in Figure 2b. That difference corre-
et al.7—as a testbed for characterizing We simulated two diffusion processes sponds to the stage (see t < tc in Figure
various kinds of information-diffusion triggered by maximum-degree nodes 2a) when the propagation process, trig-
processes.6,7 Each node in the model and minimum-degree nodes in the gered by the maximum degree nodes,
reflects one of two corresponding email network simultaneously and diffuses more quickly than the other
states—“susceptible” or “infected”— independently. We averaged simula- process. The maximum difference is
and the transition cannot be reversed; tion results by following 100 runs for found the moment t = t1 in Figure 2b.
that is, a user who receives a message is wiping off the computational fluctua- However, as the propagation contin-
denoted as an “infected” node, and oth- tion. In each run, we terminated the ues (see t1 < t < t2), the numerical dif-
ers are denoted as “susceptible.” In a propagation process after 2,000 time ference decreases sharply, as plotted
diffusion process, a basic step that ben- steps to ensure the whole system is in Figure 2b. This unexpected change
efits the subsequent process is a user and would remain stable. implies the propagation process, trig-
must change state from “susceptible” Experimental results. In general, we gered by the minimum-degree nodes,
to “infected.” The diffusion process is used the proportion or total number represents relatively greater propaga-
triggered by user behavior—the email- of infected nodes to evaluate a propa- tion ability. The shift coincides with
checking time interval and the email- gation process. Here, we adopt the to- the dynamic change of the propagation
clicking probability. The diffusion rate tal number of infected nodes at time scale in Figure 2a. When t > tc, the shift
is thus different for different users. By t as the propagation scale for the pur- is completely reversed. The propaga-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 63
contributed articles

tion process, triggered by minimum- we conducted more simulations, as we 631,632 links,18 looking to identify
degree nodes, leads to a larger scale of explore in two real-world networks in community-based features on co-au-
diffusion until the whole propagation the next section. thorship patterns. The average degree
system is stable. The maximum differ- and clustering coefficient of the Arxiv
ence is reached numerically at time t2, Nonlinear Crossover Phenomenon networks were 11.23 and 0.69, respec-
even exceeding that of time t1. The time To obtain a deeper understanding of tively, and the overall Arxiv network
tc is the exact crossover point of the two such a phenomenon, we simulated included 42 communities.
propagation processes in Figure 2. propagations in real-world networks: Experimental settings. The initial
During the propagation process, the Datasets. We included two real- proportion of source nodes we denote
most important period is between t1 world networks with a potential com- as i0 varied from 0.01 to 0.5 and was di-
and t2 when the two potential propaga- munity structure—a U.S. political vided into two parts. When the initial
tion processes undergo different tran- weblog network (PolBlogs)1 and a proportion is between 0.01 and 0.05,
sitions. The phenomenon in Figure 2 scientific collaboration network (Arx- the rate of increase increases by 1%, af-
shows that, compared to nodes with iv).18 The PolBlogs network includes ter which the rate of increase increases
relatively greater centrality, those with 1,490 nodes and 19,025 links. Its aver- to 5%. We selected the initial source
relatively less centrality could ensure age degree and clustering coefficient nodes based on four kinds of central-
the stability of propagation, reflecting were 22.44 and 0.36, respectively. Two ity measures: degree,2 betweenness,11
its vital role in long-term diffusion. political communities represent lib- k-core,14 and eigenvector.3
Such an interesting phenomenon also eral blogs and conservative blogs, Experimental results. Under the
implies that in some cases, even central respectively.1 Mark Newman of the same experimental conditions as
users may not always drive information University of Michigan analyzed the outlined in the previous section, two
diffusion. To validate this assumption, Arxiv network, with 56,276 nodes and propagation processes are triggered by
source nodes with relatively greatest
Figure 2. Crossover of two propagation processes in terms of propagation scale in a and relatively least centrality. Our focus
university email network.
is still on the critical crossover points.
Time tc represents the critical moment the crossover begins, indicating nodes with relatively greater
Since they are relevant to the time steps
centrality do not always drive diffusion. of each propagation, we recorded the
time each crossover point emerged
X102 X102
12 and normalized them based on tc/2000,
Maximum degree t1
of two propagation scales

where 2,000 was the total time steps, as

Numerical difference

Minimum degree 1
10 is plotted in Figure 3. Despite different
Propagation scale

centrality measures and networks, the

8
0
tc figure reveals several similarities:
6 Propagation scale. The crossover in
tc
terms of propagation scale emerges
4 –1 when the initial proportion of source
t1 t2 t2 nodes is low (such as 1%). Experiments
2
1 10 100 1000 1 10 100 1000 on different kinds of networks show
Propagation step (t) Propagation step (t) that a stable state, when the crossover
(a) (b) phenomenon can be triggered, is in-
deed possible when i0 increases;
Crossover points. The time of dif-
Figure 3. Nonlinear crossover phenomenon in networks with community structure. ferent crossover points is generally
a decreasing function of the initial
Each point represents the potential crossover point in terms of propagation scale. The results indicate proportion of source nodes i0; that
both community structure and initial proportion of source nodes have influence on such phenomena.
is, the crossover points come ear-
lier with the increment of the initial
1 1
Degree source nodes; and
Betweenness Strength of community structure.
K-core
crossover points

crossover points
Time of different

Time of different

0.1 Eigenvector 0.1 The different crossover points under

the same degree of centrality reveal
the strength of influence a commu-
0.01 0.01 nity structure exerts on the propaga-
tion process.
Experimental results in real-world
1E-3 1E-3
0.0 0.1 0.2 0.3 0.4 0.5 0.0 0.1 0.2 0.3 0.4 0.5 networks demonstrate our assumption
Initial proportion Initial proportion
of source nodes (i0) of source nodes (i0)
that central users (or nodes with rela-
(a) PolBlogs (b) Arxiv tively greatest centrality) do not always
drive information diffusion. Specifi-
cally, the crossover phenomenon pre-

64 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 contributed articles

vails and will intensify when the initial the diffusion network. Specifically, al-
proportion of source nodes increases. though the initial source nodes in two
We also investigated the influence of propagation processes share the same
different initial states on effective dif- proportion, the potential processes
fusion links to verify our hypothesis, as
proposed in Figure 1. The underlying can be different in light of the diversity
of the underlying diffusion network.
Diffusion links analysis. Taking the
email network as an example, we evalu-
attack reflects a Since both the initial proportion of
source nodes and the strength of com-
ated two opposite initial states under malicious diffusion munity structure influence potential
four kinds of centrality measures by cal-
culating the average distance of source
in the presence crossover points, we explored more
simulations in synthetic networks to
nodes. This distance can reveal the de- of communities; identify the influence of these factors.
gree to which source nodes are close to
each other. A shorter average distance
that is, the Influence Comparison
refers to a relatively greater probability homogeneous To help us understand the influence of
of being clustered together. Diffusion
links between source nodes could thus feature of the strength of community structure
on the diffusion process, we adopted
be decreased. As outlined in Figure 4, individuals leads a community-network generator12 with
under the condition of nodes with rela-
tively greatest centrality functioning as to the community’s tunable parameters:
Datasets. We built two synthetic net-
source nodes, the average distance of
these sources is much shorter than the
vulnerability. works by varying the mix parameter μ
= 0.05 and 0.5. This parameter controls
distance under nodes with relatively the strength of a community structure,
least centrality being treated as source indicating that with a smaller μ, the
nodes. The reason for the shorter dis- community structure of a synthetic
tance is that nodes with relatively least network is stronger. The generator in-
centrality are located at the boundary cludes two kinds of parameters—spec-
of a network, and vice versa. Hence, ified and default settings. We assigned
when nodes with relatively greatest the specified settings as follows: to-
centrality are selected as sources, the tal number of nodes = 1,000; average
increasing proportion of source nodes degree = 15; maximum degree in the
can lead to a relative decrease in effec- network = 50; and maximum and mini-
tive diffusion links. Moreover, the sub- mum community sizes = 50 and 20,
sequent propagation process would be respectively. We kept the default set-
suppressed. How nodes with relatively tings, with the exponent for the degree
greatest centrality might enhance in- distribution at 2; the exponent for the
formation diffusion depends on the community-size distribution at 1; and
number of initial source nodes cluster- the number of overlapping nodes and
ing together. In particular, when there number of memberships of the over-
are few initial source nodes (such as lapping nodes both at 0.
less than 1%), the propagation ability Experimental results. Following the
of nodes with relatively greatest cen- same experimental scenario, we per-
trality can take full effect.
Behind the crossover phenomenon, Figure 4. Average distance of source
nodes in the email network. Statistical
this shift is derived by taking into ac- results indicate source nodes with
count two propagation processes—great- relatively greater centrality tend to be
est-centrality-based and least-centrality- clustered together.
based—as triggered by different initial
states. In the domain of social net- 8
Minimum degree
works, analysis of a diffusion process is Minimum betweenness
6 Minimum k-core
Average distance

associated with a selected propagation

of source nodes

Minimum eigenvector
model and the topology of an underly- 4
ing network. In our experiments, we
simulated two propagation processes 2
Maximum degree
simultaneously based on the same Maximum betweenness
model, indicating the crossover phe- 0 Maximum k-core
Maximum eigenvector
nomenon is independent of the select-
0.0 0.1 0.2 0.3 0.4 0.5
ed simulation models. The only factor Initial proportion
that should be relevant to this observed of source nodes (i0)
phenomenon is thus the structure of

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 65
contributed articles

formed extensive simulations in two cludes average time and standard devi- ther detail, in addition to the crossover
such synthetic networks.12 Compar- ation of different crossover points with phenomenon:
ing the influence of the initial propor- respect to four kinds of centrality mea- Crossover points. Comparing the
tion of source nodes and the strength sures: degree,2 betweenness,11 k-core,14 statistical results in the phase II seg-
of community structure, Figure 5 in- and eigenvector.3 Figure 5 includes fur- ment of the figure, although the incre-
ment of the mix parameter μ triggers
Figure 5. Average time of crossover points in synthetic networks with different community the crossover points slightly earlier,
structures.
it is still far less than the influence
The mix parameter μ controls the strength of community structure of the synthetic networks.
resulting from increasing the initial
Each subgraph includes the average crossover point of four measures of centrality and the standard source nodes; and
deviation. The statistical results indicate the increment of the initial source nodes is the main factor Deviation. The deviation of different
causing earlier crossover points, while the stronger a community structure a network has, the less crossover points tends to be stable in
stable are the crossover points.
the wake of a weaker community struc-
1 1
ture, or greater value for μ.
On the basis of the simulation re-
of different crossover points

of different crossover points

µ=0.05 µ=0.50 sults in synthetic networks, we found
0.1 0.1 two types of non-centrality-related net-
Average time

Average time

work influence:
Phase II Phase II
Strength of community structure.
0.01 0.01
The stability of crossover points is
Phase I Phase I
inversely related to the strength of a
1E-3 1E-3
community structure, demonstrating
0.0 0.1 0.2 0.3 0.4 0.5 0.0 0.1 0.2 0.3 0.4 0.5 the strong (though indirect) influence
Initial proportion Initial proportion of community structure on the diffu-
of source nodes (i0) of source nodes (i0)
sion process; and
(a) Synthetic network with µ = 0.05 (b) Synthetic network with µ = 0.50
Increment of initial source nodes. The
increment of the initial source nodes is
the primary factor resulting in an ear-
Figure 6. Visualization of two propagation processes—maximum-degree-based and lier crossover phenomenon.
minimum-degree-based—in the synthetic network with μ = 0.05 when the crossover
phenomenon emerges; the susceptible nodes are marked in cyan.
We likewise analyzed the influence of
community structure on two diffusion
processes—maximum-degree-based
The infected nodes, highlighted in red or blue, belong solely to the maximum-degree-based process or
and minimum-degree-based—to verify
the minimum-degree-based process, respectively. The black ones represent the infected nodes in both
processes. Five communities—“C0,” “C1,” “C2,” “C3,” and “C4”—include two kinds of nodes, demonstrating our hypothesis, as proposed in Figure 1.
that a strong community structure could hinder or even prevent global diffusion. Influence of community structure.
Taking the synthetic network with μ
= 0.05 (Figure 5a) as an example, the
moment the crossover phenomenon
begins to emerge was visualized to
show the states of all nodes in two
propagation processes being initial-
ized based on degree of centrality.
C1 C2 Figure 6 highlights the detailed states
of nodes in each community in vari-
ous colors. Moreover, we extracted
C0 five communities we labeled as “C0”,
“C1,” “C2,” “C3,” and “C4” that include
only two kinds of nodes.
C3 C4 Figure 6 outlines that a strong
community structure does not ben-
efit a subsequent propagation process.
When nodes with relatively greater
centrality are treated as sources, source
nodes tend to be clustered together,
decreasing (to some extent) the effec-
tive diffusion links. In a network with
a strong community structure, global
diffusion can be enhanced only when
the nodes on the intercommunity links
become infected. In the worst case, all

66 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 contributed articles

source nodes are distributed over only of capturing both network topology (June 2012), 70–75.
6. Gao, C. and Liu, J.M. Network-based modeling for
one community, thereby suppressing and dynamical correlations remains characterizing human collective behaviors during
global diffusion. an open topic.20 Even with the con- extreme events. IEEE Transactions on System, Man,
and Cybernetics: Systems 47, 1 (Jan. 2017), 171–183.
However, diffusion is quite different tinuous-time Markov approach, the 7. Gao, C., and Liu, J.M. Modeling and restraining mobile
when nodes characterized by relatively complicated master equations lead virus propagation. IEEE Transactions on Mobile
Computing 12, 3 (Mar. 2013), 529–541.
least centrality are viewed as sources. to yet another challenge—that the 8. 8 Goel, S., Watts, D.J., and Goldstein, D.G. The
Source nodes under such conditions approach is unlikely to directly yield structure of online diffusion networks. In Proceedings
of the 13th ACM Conference on Electronic Commerce
are distributed over more communi- analytical or numerical results for (Valencia, Spain, June 4–8). ACM Press, New York,
2012, 623–638.
ties and more likely to facilitate global large-scale networks. Studies inves- 9. Guimerá, R., Danon, L., Díaz-Guilera, A., Giralt, F., and
diffusion. Moreover, the worst case tigating the balance between poten- Arenas, A. Self-similar community structure in a
network of human interactions. Physical Review E 68,
is unlikely to appear due to the rela- tial diffusion dynamics and solving 6 (Dec. 2003), 065103.
tively greater proportion of low-degree computational complexity are still 10. Howard, B. Analyzing online social networks.
Commun. ACM 51, 11 (Nov. 2008), 14–16.
nodes in a network. That is why there being challenged. 11. Kitsak, M., Gallos, L.K., Havlin, S., Liljeros, F., Muchnik,
are fewer red nodes in “C0,” “C1,” “C2,” This article has offered insight into L., Stanley, H.E., and Makse, H.A. Identification of
influential spreaders in complex networks. Nature
“C3,” and “C4” than blue nodes. As the the dynamics of information diffu- Physics 6, 11 (Aug. 2010), 888–893.
two propagation processes in Figure sion in community-based networks. 12. Lancichinetti, A., Fortunato, S., and Radicchi, F.
Benchmark graphs for testing community detection
6—maximum-degree-based and min- For instance, compared with the abil- algorithms. Physical Review E 78, 4 (Oct. 2008).
imum-degree-based—proceed, such ity of nodes with relatively greater 13. Leskovec, J., Kleinberg, J., and Faloutsos, C. Graph
evolution: Densification and shrinking diameters. ACM
phenomenon will intensify. Finally, the centrality to dramatically enhance Transactions on Knowledge Discovery from Data 1, 1
various diffusion scenarios we have ad- diffusion speed at the initial stage, (Mar. 2007).
14. Liu, Y.Y., Slotine, J.J., and Barabási, A.-L.
dressed also increase the fluctuation of nodes with relatively least centrality Controllability of complex networks. Nature 473, 7346
crossover points. could in fact have a greater propaga- (May 2011), 167–173.
15. McGoogan, C. What is WannaCry and how does
For networks with weak community tion effect in the long term, especially ransomware work? The Telegraph (May 18,
2017); http://www.telegraph.co.uk/technology/0/
structures, the increasing proportion when a network includes more initial ransomware-does-work/
of intracommunity links makes global source nodes. However, we are not 16. Nematzadeh, A., Ferrara, E., Flammini, A., and Ahn,
Y.-Y. Optimal network modularity for information
diffusion more likely, making cross- saying nodes with relatively least cen- diffusion. Physical Review Letters 113, 8 (Aug. 2014),
over points relatively stable. trality are critically important. It is the 088701.
17. Newman, M.E.J. Modularity and community structure
topological structure that establishes in networks. Proceedings of the National Academy of
Conclusion an explicit and complex connection Sciences 103, 23 (June 2006), 8577–8582.
18. Newman, M.E.J. Co-authorship networks and patterns
We have explored the nonlinear cross- between the two kinds of nodes. In of scientific collaboration. Proceedings of the National
over of two diffusion processes—cen- some cases, such connections suggest Academy of Sciences 101, Supplement 1 (Apr. 2004),
5200–5205.
tral-user-based and boundary-user- users with relatively least centrality 19. Ranjbar, A. and Maheswaran, M. Using community
based—triggered by two opposite should be taken into consideration, as structure to control information sharing in online
social networks. Computer Communications 41 (Jan.
initial states in networks with commu- they could still significantly influence 2014), 11–21.
nity structure. We first considered the global diffusion. 20. Wang, W., Tang, M., Stanley, H.E., and Braunstein, L.A.
Unification of theoretical approaches for epidemic
universality of the crossover phenom- spreading on complex networks. Reports on Progress
enon, then offered a detailed compari- Acknowledgments in Physics 80, 3 (Feb. 2017), 036603.
21. Xie, J.R., Kelley, S., and Szymanski, B.K. Overlapping
son with respect to the influence of This work was supported by the Na- community detection in networks: The state-of-the-
art and comparative study. ACM Computing Surveys
community structure and initial pro- tional Natural Science Foundation 45, 4 (Aug. 2013), 43:1–43:35.
portion of source nodes on the diffu- of China (grant No. 61402379), Hong 22. Zou, C.C., Towsley D., and Gong W. Modeling and
simulation study of the propagation and defense
sion process. The results were twofold: Kong Research Grants Council (No. of Internet e-mail worms. IEEE Transactions on
Networks with weak community struc- HKBU12202415), CQ CSTC (grant No. Dependable and Secure Computing 4, 2 (Apr. 2007),
105–118.
ture could increase the stability of cstc2018jcyjAX0274), the Fundamen-
crossover points; and compared to the tal Research Funds for the Central Uni-
Chao Gao (cgao@swu.edu.cn) is a professor in the
influence of community structure, the versities (grant No. XDJK2016A008), College of Computer and Information Science, Southwest
increment of the initial source nodes and Chongqing Graduate Student Re- University, Chongqing, China, and a visiting scholar in the
Humboldt University of Berlin, Germany.
is the primary factor leading to an ear- search Innovation Project (grant No.
Zhen Su (zsstarry@outlook.com) is pursuing a master’s
lier crossover phenomenon. CYS17075). degree in the College of Computer and Information
The crossover phenomenon shows Science, Southwest University, Chongqing, China.
the topology of a network is a major References Jiming Liu (jiming@comp.hkbu.edu.hk) (corresponding
factor affecting the diffusion process. 1. Adamic, L.A. and Glance, N. The political blogosphere author) is a professor of computer science and associate
and the 2004 U.S. election: Divided they blog. In vice president (research) at Hong Kong Baptist University,
A deep understanding of diffusion Proceedings of the Third International Workshop on Hong Kong, China.
dynamics requires consideration of Link Discovery (Chicago, IL, Aug. 21–25). ACM Press,
Jürgen Kurths (Juergen.Kurths@pik-potsdam.de)
New York, 2005, 36–43.
both network topology and dynamical 2. Albert, R. and Barabási, A.-L. Statistical mechanics of is a professor of nonlinear dynamics in the Humboldt
complex networks. Reviews of Modern Physics 74, 1 University of Berlin, Germany, and Chair of the Research
correlations. Many popular theoreti- Domain Transdisciplinary Concepts in the Potsdam
(Jan. 2002), 47–97.
cal approaches (such as mean field, 3. Borgatti, S.P. Centrality and network flow. Social Institute for Climate Impact Research, Potsdam,
Networks 27, 1 (Jan. 2005), 55–71. Germany.
dynamical message passing, and pair- 4. De Meo, P., Ferrara, E., Fiumara, G., and Provetti, A. On
wise approximation) are used to study Facebook, most ties are weak. Commun. ACM 57, 11
(Oct. 2014), 78–84.
the dynamics of different kinds of in- 5. Doerr, B., Fouz, M., and Friedrich, T. Why rumors spread
formation diffusion, but the difficulty so quickly in social networks. Commun. ACM 55, 6 © 2019 ACM 0001-0782/19/2 $15.00

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 67
contributed articles
DOI:10.1145/ 3224204
decreased memory capacity, reading
SONYC integrates sensors, machine listening, skills, and test scores.2,5
The economic impact of noise is
data analytics, and citizen science to address also significant. The World Health Or-
noise pollution in New York City. ganization estimates that, as of 2012,
one million healthy life-years in West-
BY JUAN P. BELLO, CLAUDIO SILVA, ODED NOV, ern Europe were being lost annually
R. LUKE DUBOIS, ANISH ARORA, JUSTIN SALAMON, to environmental noise.11 Other esti-
CHARLES MYDLARZ, AND HARISH DORAISWAMY mates put the external cost of noise-re-
lated health issues in the E.U. between

SONYC:
0.3%–0.4% of GDP14 and 0.2% of GDP
in Japan.16 Studies in the U.S. and Eu-
rope also demonstrate the relationship
between environmental noise and real

A System
estate markets, with housing prices
falling as much as 2% per decibel (dB)
of noise increase.21,30 Noise pollution

for Monitoring,
is not merely an annoyance but an im-
portant problem with broad societal
effects that apply to a significant por-
tion of the population. It is clear that

Analyzing, and
effective noise mitigation is in the pub-
lic interest, with the promise of health,
economic, and quality-of-life benefits.

Mitigating Urban Mitigation

Noise can be mitigated at the receiver’s

Noise Pollution
end by, say, wearing earplugs or along
the transmission path by, say, erecting
sound barriers along major roads. These
strategies do not, however, reduce noise
emissions but instead put the burden of
mitigation on the receiver.12 Alternative-
ly, noise can be mitigated at the source
(such as by designing aircraft with
quieter engines, acoustically treating
NOISE IS UNWANTED or harmful sound from night clubs, muffling jackhammers for
roadwork, and stopping unnecessary
environmental sources, including traffic, construction,
industrial, and social activity. Noise pollution is one key insights
of the topmost quality-of-life concerns for urban ˽˽ Public exposure to noise is a growing
concern in cities, leading to substantial
residents in the U.S., with more than 70 million people health, educational and economic costs,
nationwide exposed to noise levels beyond the limit the but noise is ephemeral and invisible,
making it dificult for city agencies to
U.S. Environmental Protection Agency (EPA) considers monitor it effectively.

harmful.12 Such levels have proven effects on health, ˽˽ An interdisciplinary effort explores
new ways to use both fixed and mobile
including sleep disruption, hypertension, heart disease, sensors, with output annotated by
citizen scientists, for training novel
and hearing loss.5,11,12 In addition, there is evidence machine-listening models and analyzing
spatiotemporal noise patterns.
of harmful effects on educational performance, with ˽˽ The resulting fine-grain and aggregate
studies showing noise pollution causing learning and analytics layers help public agencies
monitor the local environment and
cognitive impairment in children, resulting in intervene to mitigate noise pollution.

68 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 honking). These actions are commonly for any other type of complaint.a This tan, Brooklyn, and the Bronx; and low-
encouraged and incentivized through averages approximately 834 com- income and unemployed New Yorkers
a regulatory framework that uses fines plaints a day, the most comprehen- among the most frequently exposed.
and other penalties to raise the cost of sive citizen noise-reporting system in In contrast, 311 noise-complaint data
emitting noise.20 However, enforcing the world. However, research by New collected for the same period empha-
noise codes in large urban areas, to the York City’s Department of Health and sized social noise (such as parties, car
point where they effectively deter noise Mental Hygiene (DOHMH) found 311 alarms, loud talking, music, and TV),
PHOTO BY VIEW A PA RT /SH UT TERSTOCK.COM

emissions, is far from trivial. data does not accurately capture in- with fewer complaints citing traffic
Consider New York City. Beyond formation about all noise exposure in or construction. Notably, residents of
the occasional physical inspection, the city.22 It identified the top sources Manhattan, home to many affluent
the city government monitors noise of disruptive noise to be traffic, si- New Yorkers, are more than twice as
through its 311 service for civil com- rens, and construction; the effect to likely to file 311 complaints than those
plaints. Since 2010, 311 has logged be similar in the boroughs of Manhat- in the other boroughs. This pattern
more than 2.7 million noise-related clearly highlights the need to collect
complaints, significantly more than a http://www1.nyc.gov/311 objective noise measurements across

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 69
contributed articles

Figure 1. The SONYC cyber-physical system loop, including intelligent sensing, noise analysis at city-scale, and data-driven mitigation. SONYC
supports new research in the social sciences and public health while providing the data citizens need to improve their communities.

the city, along with citizen reporting, weighted decibels (dBA)20 that aggre- ducted in 2017 showing how SONYC
to fully characterize the phenomenon. gate all sound energy in an acoustic can help understand and address im-
A closely related challenge involves scene. Existing technologies are un- portant gaps in the process of urban
how to respond to potential violations able to isolate the effect of offending noise mitigation.
of the noise code. In New York, the sources, especially in urban environ-
subset of noise complaints pertain- ments flooded with multiple sounds. SONYC
ing to static, systemic sources (such as As a result, inspectors resort to long, Multiple research projects have sought
construction, animals, traffic, air con- complicated measurement strategies to create technological solutions to
ditioning, and ventilation units) are that often require help from the peo- improve the cycle of urban noise pol-
routed to the city’s Department of En- ple responsible for the violation in the lution. For example, some have used
vironmental Protection (DEP), which first place, an additional factor con- mobile devices to crowdsource instan-
employs approximately 50 highly tributing to the difficulty and reduced taneous SPL measurements, noise la-
qualified inspectors to measure sound efficiency of the enforcement process. bels, and subjective responses3,24,28 but
levels and issue a notice of violation Here, we outline the opportunities generally lag well behind the coverage
as needed. Unfortunately, the limited and challenges associated with SONYC, in space-time of civic complaint sys-
human resources and high number of our cyber-physical systems approach tems like 311, while the reliability of
complaints result in average response to the monitoring, analysis, and mit- their objective measurements suffers
times of more than five days. Given igation of urban noise pollution. from a lack of adequate calibration.
the ephemeral nature of sound, a very Connecting various subfields of com- Others have deployed static-sensing
small proportion of inspections actu- puting, including wireless sensor net- solutions that are often too costly to
ally result in a violation observed, let works, machine learning, collaborative scale up or go beyond the capabilities
alone penalized. and social computing, and computer of standard noise meters.4,23,29 On the
To complicate matters, even when graphics, it creates a potentially analytical side, a significant amount of
noise sources are active during in- transformative solution to this im- work has focused on noise maps gener-
spections, isolating their individual portant quality-of-life issue affecting ated from sound propagation models
effect is difficult. Noise is commonly millions of people worldwide. To il- for major urban noise sources (such as
measured in overall sound pressure lustrate this potential, we present industrial activity and road, rail, and
levels (SPL) expressed in so-called A- findings from an initial study we con- air traffic).13,17 However, these maps

70 COMMUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 contributed articles

lack temporal dynamics and make an inspector issuing a violation. Sta- cilitate seamless interaction between
modeling assumptions that often tistical analysis can then be used by humans and cyber-infrastructure.
render them too inaccurate to sup- researchers or city officials to validate Worth emphasizing is that this line of
port mitigation or action planning. 1 whether the action is short-lived in work is fundamentally different from
Few of these initiatives involve act- time or whether its effect propagates current research on human-in-the-
ing on the sensed or modeled data to neighboring construction sites or loop cyber-physical systems that often
to affect noise emissions, and even distant ones by the same company. By focuses on applications in which con-
fewer have included participation from systematically monitoring interven- trol is centralized and fully or mostly
local governments.15 tions, inspectors can understand how automated while usually only a single
SONYC (Sounds of New York City), often penalties need to be issued be- human is involved (such as in assis-
our novel solution, as outlined in Fig- fore the effect becomes long term. The tive robots and intelligent prosthet-
ure 1, aims to address these limitations overarching goal is to understand how ics). The synthesis of approaches from
through an integrated cyber-physical to minimize the cost of interventions social computing, citizen science, and
systems’ approach to noise pollution. while maximizing noise mitigation, data science to advance integration,
First, it includes a low-cost, intelli- a classic resource-allocation prob- management, and control of large and
gent sensing platform capable of con- lem that motivates much research in variable numbers of human agents in
tinuous, real-time, accurate, source- smart-cities initiatives. cyber-physical systems is potentially
specific noise monitoring. It is scalable All this is made possible by formu- transformative, addressing a crucial
in terms of coverage and power con- lating our solution in terms of a cyber- bottleneck for the widespread adop-
sumption, does not suffer from the physical system. However, unlike most tion of similar methods in all kinds
same biases as 311-style reporting, and cyber-physical systems covered in the of socio-technical systems, including
goes well beyond SPL-based measure- literature, the distributed and decen- transportation networks, power grids,
ments of the acoustic environment. tralized nature of the noise-pollution smart buildings, environmental con-
Second, SONYC adds new layers of problem requires multiple socioeco- trol, and smart cities.
cutting-edge data-science methods for nomic incentives (such as fines and Finally, SONYC uses New York
large-scale noise analysis, including peer comparisons) to exercise indi- City, the largest, densest, noisiest city
predictive noise modeling in off-net- rect control over tens of thousands of in North America, as its test site. The
work locations using spatial statistics subsystems contributing noise emis- city has long been at the forefront of
and physical modeling, development sions. It also calls for developing and discussions about noise pollution,
of interactive 3D visualizations of noise implementating a set of novel mecha- has an exemplary noise codeb and,
activity across time and space to enable nisms for integrating humans in the in 311, the most comprehensive citi-
better understanding of noise patterns, cyber-physical system loop at scale zen noise-reporting system. Beyond
and novel information-retrieval tools and at multiple levels of the system’s noise, the city collects vast amounts
that exploit the topology of noise events management hierarchy, including ex- of data about everything from public
to facilitate search and discovery. And tensive use of human-computer inter-
third, it uses this sensing and analysis action (HCI) research in, say, citizen b http://www.nyc.gov/html/dep/html/noise/
framework to improve mitigation in science and data visualization, to fa- index.shtml
two ways—first by enabling optimized,
data-driven planning and scheduling Figure 2. Acoustic sensing unit deployed on a New York City street.
of inspections by the local government,
thus making it more likely code viola-
tions will be detected and enforced; and
second, by increasing the flow of infor-
mation to those in a position to control
emissions (such as building and con-
struction-site managers, drivers, and
neighbors) thus providing credible in-
centives for self-regulation. Because the
system is constantly monitoring and
analyzing noise pollution, it generates
information that can be used to vali-
date, and iteratively refine, any noise-
mitigating strategy.
Consider a scenario in which a sys-
tem integrates information from the
sensor network and 311 to identify a
pattern of after-hours jackhammer
activity around a construction site.
This information triggers targeted in-
spections by the DEP that results in

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 71
contributed articles

safety, traffic, and taxi activity to con- housed in an aluminum casing we methods to automatically detect specif-
struction, making much of it publicly chose to reduce RFI interference and ic types of sound sources (such as jack-
available.c Our work involves close solar heat gain. The microphone mod- hammers, idling engines, car horns,
collaboration with city agencies, in- ule is mounted externally via a flexible and police sirens) from environmental
cluding DEP, DOHMH, various busi- metal gooseneck attachment, making audio. Detection is a challenge, given
ness improvement districts, and it possible to reconfigure the sensor the complexity and diversity of sources,
private initiatives (such as LinkNYC) node for deployment in varying loca- auditory scenes, and background con-
that provide access to existing infra- tions, including sides of buildings, ditions routinely found in noisy urban
structure. As a powerful sensing-and- light poles, and building ledges. acoustic environments.
analysis infrastructure, SONYC thus Apart from continuous SPL measure- We thus created an urban sound tax-
holds the potential to empower new ments, we designed the nodes to onomy, annotated datasets, and vari-
research in environmental psychol- sample 10-second audio snippets at ous cutting-edge methods for urban
ogy, public health, and public policy, random intervals over a limited peri- sound-source identification.25,26 Our
as well as empower citizens seeking od of time, collecting data to train research shows that feature learning,
to improve their own communities. and benchmark our machine-listen- using even simple dictionary-based
We next describe the technology and ing solutions. SONYC compresses the methods (such as spherical k-means)
methods underpinning the project, audio using the lossless FLAC audio makes for significant improvement in
presenting some of our early findings coding format, using 4,096-bit AES performance over the traditional ap-
and future challenges. encryption and the RSA public/pri- proach of feature engineering. More-
vate key-pair encryption algorithm. over, we have found that temporal-
Acoustic Sensor Network Sensor nodes communicate with the shift invariance, whether through
As mentioned earlier, SONYC’s intel- server via a virtual private network, up- modulation spectra or deep convolu-
ligent sensing platform should be loading audio and SPL data at one- tional networks, is crucial not only for
scalable and capable of source iden- minute intervals. overall accuracy but also to increase
tification and high-quality, round- As of December 2018, the parts of robustness in low signal-to-noise-ra-
the-clock noise monitoring. To that each sensor cost approximately $80 tio (SNR) conditions, as when sources
end we have developed an acoustic using mostly off-the-shelf compo- of interest are in the background of
sensor18 (see Figure 2) based on the nents. We fully expect to reduce the acoustic scenes. Shift invariance also
popular Raspberry Pi single-board unit cost significantly through custom results in more compact machines
computer outfitted with a custom redesign for high-volume, third-party that can be trained with less data,
microelectromechanical systems assembly. However, even at the cur- thus adding greater value for edge-
(MEMS) microphone module. We rent price, SONYC sensors are signifi- computing solutions. More recent re-
chose MEMS microphones for their cantly more affordable, and thus ame- sults highlight the benefits of using
low cost and consistency across units nable to large-scale deployment, than convolutional recurrent architectures,
and size, which can be 10x smaller existing noise-monitoring solutions. as well as ensembles of various models
than conventional microphones. Moreover, this reduced cost does not via late fusion.
Our custom standalone microphone come at the expense of measurement Deep-learning models necessitate
module includes additional circuitry, accuracy, with our sensors’ perfor- large volumes of labeled data tradi-
including in-house analog-to-digital mance comparable to high-quality tionally unavailable for environmental
converters and pre-amp stages, as devices that are orders of magnitude sound. Addressing this lack of data, we
well as an on-board microcontroller more costly while outperforming solu- have developed an audio data augmen-
that enables preprocessing of the tions in the same price range. Finally, tation framework that systematically
incoming audio signal to compen- the dedicated computing core opens deforms the data using well-known
sate for the microphone’s frequency the possibility for edge computing, audio transformations (such as time
response. The digital MEMS micro- particularly for in-situ machine lis- stretching, pitch shifting, dynamic
phone features a wide dynamic range tening intended to automatically and range compression, and addition of
of 32dBA–120dBA, ensuring all urban robustly identify the presence of com- background noise at different SNRs),
sound pressure levels are monitored mon sound sources. This unique fea- significantly increasing the amount of
effectively. We calibrated it using a ture of SONYC goes well beyond the data available for model training. We
precision-grade sound-level meter as capabilities of existing noise-monitor- also developed an open source tool
reference under low-noise anecho- ing solutions. for soundscape synthesis.27 Given a
ic conditions and was empirically collection of isolated sound events,
shown to produce sound-pressure- Machine Listening at the Edge it functions as a high-level sequencer
level data at an accuracy level compli- Machine listening is the auditory coun- that can generate multiple sound-
ant with the ANSI Type-2 standard20 terpart to computer vision, combining scapes from a single probabilistically
required by most local and national techniques from signal processing and defined “specification.” We generated
noise codes. machine learning to develop systems large datasets of perfectly annotated
The sensor’s computing core is able to extract meaningful information data in order to assess algorithmic
from sound. In the context of SONYC, performance as a function of, say,
c https://nycopendata.socrata.com we focus on developing computational maximum polyphony and SNR ratio,

72 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 contributed articles

studies that would be prohibitive at fectively over time, suggesting we

this scale and precision using manu- can expect higher-quality annota-
ally annotated data. tions with only a small amount of ad-
The combination of an augmented ditional training.
training set and increased capacity and
representational power of deep-learn- It is scalable in We found the value of additional
annotators decreased after five to 10
ing models yields state-of-the-art perfor-
mance. Our current machine-listening
terms of coverage annotators and that having 16 an-
notators was sufficient for capturing
models can perform robust multi-label and power 90% of the gain in annotation qual-
classification for 10 common classes of
urban sound sources in real time run-
consumption, ity. However, when resources are lim-
ited and cost is a concern, our find-
ning on a laptop. We will soon adapt does not suffer ings suggest five annotators may be
them to run under the computational
constraints of the Raspberry Pi.
from the same a reasonable choice for reliable an-
notation with respect to the trade-off
However, despite the advantages biases as 311-style between cost and quality. These find-
of data augmentation and synthesis,
the lack of a significant amount of an- reporting, and ings are valuable for the design of
audio-annotation interfaces and the
notated data for supervised learning goes well beyond use of crowdsourcing and citizen sci-
remains the main bottleneck in the
development of machine-listening so- SPL-based ence strategies for audio annotation
at scale.
lutions that can detect more sources
of noise. To address this need, we de-
measurements Noise Analytics
veloped a framework for Web-based of the acoustic One main SONYC promise is its future
human audio annotation and con-
ducted a large-scale, experimental
environment. ability to analyze and understand noise
pollution at city-scale in an interactive
study on how visualization aids and and efficient manner. As of December
acoustic conditions affect the annota- 2018, we had deployed 56 sensors, pri-
tion process and its effectiveness.6 We marily in the city’s Greenwich Village
aimed to quantify the reliability/re- neighborhood, as well as in other lo-
dundancy trade-off in crowdsourced cations in Manhattan, Brooklyn, and
soundscape annotation, investigate Queens. Collectively, the sensors have
how visualizations affect accuracy gathered the equivalent of 30 years of
and efficiency, and characterize how audio data and more than 60 years of
performance varies as a function of sound-pressure levels and telemetry.
audio characteristics. Our study fol- These numbers are a clear indication of
lowed a between-subjects factorial ex- the magnitude of the challenge from a
perimental design in which we tested data-analytics perspective.
18 different experimental conditions We are currently developing a flex-
with 540 participants we recruited ible, powerful visual-analytics frame-
through Amazon’s Mechanical Turk. work that enables visualization of
We found more complex audio noise levels in the context of the city,
scenes result in lower annotator together with other related urban data
agreement and that spectrogram streams. Working with urban data
visualizations are superior at pro- poses further research challenges.
ducing higher-quality annotations Although much work has focused on
at lower cost in terms of time and scaling databases for big data, exist-
human labor. Given enough time, ing data-management technologies do
all tested visualization aids enable not meet the requirements needed to
annotators to identify sound events interactively explore massive or even
with similar recall, but the spec- reasonable-size datasets.8
trogram visualization enables an- Accomplishing interactivity re-
notators to identify sounds more quires not only efficient techniques
quickly. We speculate this may be for data and query management but
because annotators are able to more for scalable visualization techniques
easily identify visual patterns in the capable of rendering large amounts of
spectrogram, in turn enabling them information.
to identify sound events and their In addition, visualizations and in-
boundaries more precisely and effi- terfaces must be rendered in a form
ciently. We also found participants that is easily understood by domain
learn to use each interface more ef- experts and non-expert users alike, in-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 73
contributed articles

Figure 3. (left) Interactive 3D visualization of a New York neighborhood using Urbane. By selecting specific sensors (red pins) and buildings
(purple) researchers can retrieve and visualize multiple data streams associated with these locations. (right) SPL data at various resolutions
and time scales retrieved using the time lattice. Each sub-figure reflects different individual (gray) and aggregated (red) sensor data for the
three sensor units highlighted in the left plot.

Figure 4. Case study involving the area around Washington Square Park: (a) Distribution of 311 outdoor noise complaints in the focus area
during the study period; the bar graph shows clear predominance of after-hours construction noise. (b) Distribution of complaint resolution for
after-hours construction complaints; almost all complaints result in “violation not observed” status. (c) Sensor data for the after-hours period
corresponding to six complaints: continuous SPL data (blue), background level (green), event-detection threshold at 10dB above background
level (black), and potential noise code violation events (red).
(c) Decibels A-weighted (dBA)

(a) Complaint type

(b) After-hours construction

complaint resolution
Time (HH:MM)

74 COM MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 contributed articles

cluding crowdsourcing workers and the analysis of a subset of our own sen- sensor data of a potential violation.
volunteers, and bear meaningful rela- sor data during the same period, and How does this evidence stack up
tionship to the properties of the data information gathered through inter- against the enforcement record for
in the physical world that, in the case actions and site visits with inspectors the complaints? Citizen complaints
of sound, implies the need for three- from the DEP tasked with enforcing submitted via 311 and routed to the
dimensional visualization. the city’s noise code. DEP trigger an inspection, and pub-
We have been working on a three- For the study we chose an area in lic-record repositories made avail-
dimensional, urban geographic in- Greenwich Village with a relatively able by the city include information
formation system (GIS) framework dense deployment of 17 nodes. We about how each complaint was re-
called Urbane9 (see Figure 3), an established a 100-meter boundary solved. Examining the records, we
interactive tool, including a novel around each node and merged them found that, for all complaints in this
three-dimensional map layer, we de- to form the focus area. From 311, study, 78% resulted in a “No viola-
veloped from the ground up to take we collected all non-duplicate noise tion could be observed” status and
advantage of the GPU capabilities complaints occurring within this area only 2% in a violation ticket being is-
of modern computing systems. It that had been routed to the DEP while sued. Figure 4b shows, in the specific
allows for fast, potentially real-time neighboring sensors were active. Note case of after-hours construction
computation, as well as integration this criterion discards complaints noise, no violation could be observed
and visualization of multiple data about noise from residents that are in 89% of all cases, and none of the in-
streams commonly found in major routed to the police department and spections resulted in a violation ticket
cities like New York City. In the con- tend to dominate the 311 log; see Fig- being issued.
text of SONYC, we have expanded ure 4a for a breakdown of selected There are multiple possible expla-
Urbane’s capabilities to include ef- complaint types. nations for the significant gap be-
ficient management of high-reso- Over an 11-month period—May tween the evidence collected by the
lution temporal data. We achieve 2016 to April 2017—51% of all noise sensor network and the results of the
this efficiency through a novel data complaints in the focus area were re- inspections. For example, we specu-
structure we call the “time lattice” lated to after-hours construction ac- late it is due in part to the delay in the
that allows for fast retrieval, visual- tivity (6 P.M.–7 A.M.), three times the city’s response to complaints, four to
ization, and analysis of individual amount in the next category. Note com- five days on average, which is too
and aggregate sensor data at multi- bining all construction-related com- great for phenomena that are both
ple time scales (such as hours, days, plaints adds up to 70% of this sample, transient and traceless. Another fac-
weeks, and months). An example of highlighting how disruptive to the lives tor is the conspicuousness of the in-
data retrieved through this capabil- of ordinary citizens this particular cat- spection crew that alone modifies the
ity can be seen in Figure 3, right plot. egory of noise can be. behavior of potentially offending
We have since used Urbane and the Figure 4c includes SPL values (blue sources, as we observed during our
time lattice to support the prelimi- line) at a five-minute resolution for site visits with the DEP. Moreover, un-
nary noise analysis we cover in the the after-hours period during or im- der some circumstances the city gov-
next section, but their applicability mediately preceding a subset of the ernment grants special, after-hours
goes well beyond audio. complaints. Dotted green lines corre- construction permits under the as-
We are currently expanding Ur- spond to background levels, comput- sumption of minimal noise impact,
bane to support visual spatiotempo- ed as the moving average of SPL mea- as defined by the noise code. It is
ral queries over noise data, including surements within a two-hour window. thus possible that some after-hours
computational-topology methods for Dotted black lines correspond to SPL activity results from such permits.
pattern detection and retrieval. Similar values 10dB above the background, We are currently mining after-hours-
tools have proved useful in smart-cities the threshold defined by the city’s construction-permit data to under-
research projects, including prior col- noise code to indicate potential vio- stand this relationship better.
laborations between team members lations. Finally, we were able to iden- In all cases, the SONYC sensing
and the New York City Department of tify events (in red) in which instanta- and analytical framework is able to
Transportation and Taxi and Limou- neous SPL measurements were above address the shortcomings of cur-
sine Commission.7,10 the threshold. Our analysis resulted rent monitoring and enforcement
in detection of 324 such events we mechanisms by providing hard data
Data-Driven Mitigation classified by noise source and deter- to: quantify the actual impact of af-
We conducted a preliminary study in mined 76% (246) were related to con- ter-hours construction permits on
2017 on the validity and response of struction as follows: jackhammer- the acoustic environment, and thus
noise complaints around the Wash- ing (223), compressor engines (16), nearby residents; provide historical
ington Square Park area of Manhattan metallic banging/scraping (7), and data that can validate complaints
using SONYC’s sensing and analytics the remainder to non-construction and thus support inspection efforts
infrastructure.19 The study combined sources, mainly sirens and other traf- on an inconspicuous and continuous
information mined from the log of civ- fic noise. Our analysis found for 94% basis; and develop novel, data-driven
ic complaints made to the city over the of all after-hours construction com- strategies for the efficient alloca-
study period through the 311 system, plaints quantitative evidence in our tion of inspection crews in space and

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 75
contributed articles

time using the same tools from oper- citizens will necessarily be sparse in
ations research that optimize routes space and time. In order to perform
for delivery trucks and taxis. Worth meaningful analyses and help inform
noting is that, even though our pre- decisions by city agencies, it is essen-
liminary study focused on validating
311 complaints, SONYC can be used The dedicated tial for the system to compensate for
this sparseness. Several open datas-
to gain insight beyond complaint computing core ets are available that could, directly
or indirectly, provide information
opens the possibility
data, allowing researchers and city
officials to understand the extent and on the noise levels in the city; for
type of unreported noise events, iden-
tify biases in complaint behavior, and
for edge computing, example, locations of restaurants,
night clubs, and tourist attractions
accurately measure the level of noise particularly for indicate areas where sources of so-
pollution in the local environment.
in-situ machine cial noise are likely, while social me-
dia data streams can be used to un-
Looking Forward listening intended derstand the temporal dynamics of
The SONYC project is currently in
the third of five years of its research to automatically crowd behavior. Likewise, multiple
data streams associated with taxi,
and development agenda. Its initial and robustly identify bus, and aircraft traffic can pro-
focus was on developing and deploy-
ing intelligent sensing infrastructure the presence vide indirect information on traf-
fic-based noise levels. We plan to
but has progressively shifted toward
analytics and mitigation in collabo-
of common develop noise models that use spa-
tiotemporal covariance to predict
ration with city agencies and other sound sources. unseen acoustic responses through
stakeholders. Here are some areas we a combination of sensor and open
intend to address in future work: data. We will also explore combina-
Low-power mesh sensor network. To tions of data-driven modeling, ap-
support deployment of sensors at plying physical models that exploit
significant distances from Wi-Fi or the three-dimensional geometry of
other communication infrastruc- the city, sound type and localization
ture and at locations lacking ready cues from sensors and 311, and basic
access to electrical power, we are de- principles of sound propagation. We
veloping a second generation of the expect that through a combination
sensor node to be mesh-enabled and of techniques from data mining, sta-
battery/solar powered. Each sensor tistics, and acoustics, as well as our
node will serve as a router in a low- own expertise developing models
power multi-hop wireless network in suitable for GPU implementation
the 915MHz band, using FCC-compat- using ray-casting queries in the con-
ible cognitive radio techniques over text of computer graphics, we will
relatively long links and energy-effi- be able to create accurate, dynamic,
cient multi-channel routing for com- three-dimensional urban noise maps
municating to and from infrastruc- in real time.
ture-connected base stations. The Citizen science and civic participa-
sensor design will further reduce pow- tion. The role of humans in SONYC is
er consumption for multi-label noise not limited to annotating sound. In
classification by leveraging heteroge- addition to the fixed sensors located
neous processors for duty-cycled/ in various parts of the city, we will be
event-driven hierarchical computing. designing a SONYC mobile platform
Specifically, the design of the sensor aimed at enabling ordinary citizens
node will be based on a low-power sys- to record and annotate sounds in
tem-on-chip—the Ineda i7d—for situ, view existing data contributed
which we are redesigning “mote-scale” and analyzed by others, and contact
computation techniques originally city authorities about noise-related
developed for single microcontroller concerns. A mobile platform will
devices to support heterogeneous allow them to leverage slices taken
processor-specific operating sys- from this rich dataset to describe
tems via hardware virtualization. and support these concerns with
Modeling. The combination of evidence as they approach city au-
noise data collected by sensors and thorities, regulators, and policymak-
ers. Citizens will not only be more
d http://inedasystems.com/wearables.php informed and engaged with their envi-

76 COMM UNICATIO NS O F THE AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 contributed articles

ronment, they will be better equipped Work and Social Computing (Jersey City, NJ, Nov. Pervasive Computing and Communications Workshops
3–7). ACM Press, New York, 2018, 29:1–29:21. (San Diego, CA, Mar. 18–22). IEEE, Piscataway, NJ,
to voice their concerns when interact- 7. Doraiswamy, H., Ferreira, N., Damoulas, T., Freire, 670–675.
ing with city authorities. J., and Silva, C. T. Using topological analysis to 25. Salamon, J. and Bello, J. Deep convolutional neural
support event-guided exploration in urban data. IEEE networks and data augmentation for environmental
Transactions on Visualization and Computer Graphics sound classification. IEEE Signal Processing Letters
Conclusion 20, 12 (Dec. 2014), 2634–2643. 24, 3 (Mar. 2017), 279–283.
8. Fekete, J.-D. and Silva, C. Managing data for visual 26. Salamon, J., Jacoby, C., and Bello, J.P. A dataset and
SONYC is a smart-cities, next-gener- analytics: Opportunities and challenges. IEEE Data taxonomy for urban sound research. In Proceedings of
ation application of a cyber-physical Engineering Bulletin 35, 3 (Sept. 2012), 27–36. the 22nd ACM International Conference on Multimedia
9. Ferreira, N., Lage, M., Doraiswamy, H., Vo, H., Wilson, (Orlando, FL, Nov. 3–7). ACM Press, New York, 2014.
system. Its development calls for in- L.,Werner, H., Park, M.C., and Silva, C. Urbane: A 27. Salamon, J., McConnell, D., Cartwright, M., Li, P.,
3D framework to support data-driven decision and Bello, J. SCAPER: A library for soundscape
novation in various fields of com- synthesis and augmentation. In Proceedings of the
making in urban development. In Proceedings of the
puting and engineering, including IEEE Conference on Visual Analytics Science and IEEE Workshop on Applications of Signal Processing
Technology (Chicago, IL, Oct. 25–30), 2015, 97–104. to Audio and Acoustics (Mohonk, New Paltz, NY, Oct.
sensor networks, machine learning, 10. Ferreira, N., Poco, J., Vo, H.T., Freire, J., and Silva, C.T. 15–18). IEEE, Piscataway, NJ, 2017.
human-computer interaction, citizen Visual exploration of big spatiotemporal urban data: A 28. Schweizer, I., Meurisch, C., Gedeon, J., Bärtl, R.,
study of New York City taxi trips. IEEE Transactions and Mühlhäuser, M. Noisemap: Multi-tier incentive
science, and data science. The tech- on Visualization and Computer Graphics 19, 12 (Dec. mechanisms for participative urban sensing. In
nology will be able to support novel 2013), 2149–2158. Proceedings of the Third International Workshop on
11. Fritschi, L., Brown, L., Kim, R., Schwela, D., Sensing Applications on Mobile Phones (Toronto, ON,
scholarly work on the effects of noise and Kephalopolos, S. Burden of disease from Canada, Nov. 6–9). ACM Press, New York, 2012, 9.
pollution on public health, public environmental noise: Quantification of healthy 29. Steele, D., Krijnders, D., and Guastavino, C. The Sensor
years life lost in Europe. World Health Organization, City Initiative: Cognitive sensors for soundscape
policy, environmental psychology, Bonn, Germany, 2012; http://www.euro.who.int/en/ transformations. In Proceedings of GIS Ostrava 2013:
and economics. But the project is far publications/abstracts/burden-of-disease-from- Geoinformatics for City Transformation (Ostrava,
environmental-noise.-quantification-of-healthy-life- Czech Republic, Jan. 21–23). Technical University of
from purely scholarly. By seeking to years-lost-in-europe Ostrava, 2013.
improve urban-noise mitigation, a 12. Hammer, M.S., Swinburn, T.K., and Neitzel, R.L. 30. Theebe, M.A. Planes, trains, and automobiles: The
Environmental noise pollution in the United States: impact of traffic noise on house prices. The Journal
critical quality-of-life issue, SONYC Developing an effective public health response. of Real Estate Finance and Economics 28, 2–3 (Mar.
promises to benefit urban citizens Environmental Health Perspectives 122, 2 (Feb. 2014), 2004), 209–234.
115–119.
worldwide. Our agenda calls for the 13. Kaliski, K., Duncan, E., and Cowan, J. Community and
system to be deployed, tested, and regional noise mapping in the United States. Sound Juan Pablo Bello (jpbello@nyu.edu) is a professor of
and Vibration 41, 9 (Sept. 2007), 12. music technology and computer science and engineering
used in real-world urban conditions, 14. Maibach, M., Schreyer, C., Sutter, D., Van Essen, H., at New York University, New York, USA, and director of the
potentially resulting in a model that Boon, B., Smokers, R., Schroten, A., Doll, C., Pawlowska, Center for Urban Science of Progress and of the Music and
B., and Bak, M. Handbook on estimation of external Audio Research Laboratory.
can be scaled and replicated through- costs in the transport sector. CE Delft, Feb. 2008;
out the U.S. and beyond. https://ec.europa.eu/transport/sites/transport/files/ Claudio Silva (csilva@nyu.edu) is a professor of computer
themes/sustainable/doc/2008_costs_handbook.pdf science and engineering and data science at New York
15. Manvell, D., Marcos, L.B., Stapelfeldt, H., and Sanzb, University, New York, USA.
Acknowledgments R. SADMAM—Combining measurements and
Oded Nov (onov@nyu.edu) is an associate professor of
calculations to map noise in Madrid. In Proceedings
This work is supported in part by the of the 33rd Congress and Exposition on Noise Control technology management and innovation at New York
Engineering (Internoise) (Prague, Czech Republic, Aug. University, New York, USA.
National Science Foundation (Award 22–25). Institute of Noise Control Engineering, Reston,
R. Luke DuBois (dubois@nyu.edu) is co-director and an
# 1544753), NYU’s Center for Urban VA, 2004.
associate professor of integrated digital media at New
16. Mizutani, F., Suzuki, Y., and Sakai, H. Estimation of
Science and Progress, NYU’s Tandon social costs of transport in Japan. Urban Studies 48,
York University, New York, USA.
School of Engineering, and the Trans- 16 (Apr. 2011), 3537–3559. Anish Arora (arora.9@osu.edu) is a professor of computer
17. Murphy, E. and King, E. Strategic environmental
lational Data Analytics Institute at The noise mapping: Methodological issues concerning
science and engineering at The Ohio State University,
Columbus, OH, USA.
Ohio State University. the implementation of the EU Environmental Noise
Directive and their policy implications. Environment Justin Salamon (justin.salamon@nyu.edu) is a senior
International 36, 3 (Apr. 2010), 290–298. research scientist at the Music and Audio Research
References 18. Mydlarz, C., Salamon, J., and Bello, J. The Laboratory and the Center for Urban Science and Progress
1. Ausejo, M., Recuero, M., Asensio, C., Pavón, I., and implementation of low-cost urban acoustic monitoring at New York University, New York, USA.
Pagán, R. Study of uncertainty in noise mapping. In devices. Applied Acoustics, Special Issue on Acoustics
for Smart Cities 117, B (Feb. 2017), 207–218. Charles Mydlarz (cmydlarz@nyu.edu) is a senior
Proceedings of 39th International Congress on Noise
19. Mydlarz, C., Shamoon, C., and Bello, J. Noise research scientist at the Music and Audio Research
Control Engineering, Internoise (Lisbon, Portugal,
monitoring and enforcement in New York City using Laboratory and the Center for Urban Science and Progress
June 13–16). Portuguese Acoustical Society, Lisbon,
a remote acoustic sensor network. In Proceedings at New York University, New York, USA.
2010, 6210–6219.
2. Basner, M., Babisch, W., Davis, A., Brink, M., Clark, of the INTER-NOISE and NOISE CON Congress and
Harish Doraiswamy (harishd@nyu.edu) is a research
C., Janssen, S., and Stansfeld, S. Auditory and non- Conference (Hong Kong, China, Aug. 27–30). Institute
assistant professor of computer science and engineering
auditory effects of noise on health. The Lancet 383, of Noise Control Engineering, Reston, VA, 2017.
and a research scientist at the Center for Data Science at
9925 (Apr. 2014), 1325–1332. 20. National Academy of Engineering. Technology for a
New York University, New York, USA.
3. Becker, M., Caminiti, S., Fiorella, D., Francis, L., Quieter America: NAEPR-06-01-A. Technical Report.
Gravino, P., Haklay, M. M., Hotho, A., Loreto, V., The National Academies Press, Washington, D.C.,
Mueller, J., Ricchiuti, F. et al. Awareness and learning Sept. 2010; https://www.nap.edu/catalog/12928/
in participatory noise sensing. PloS One 8, 12 (Dec. Technology-for-a-quieter-america Copyright held by authors.
2013), 1–12. 21. Nelson, J. P. Highway noise and property values:
4. Bell, M.C. and Galatioto, F. Novel wireless pervasive A survey of recent evidence. Journal of Transport
sensor network to improve the understanding of noise Economics and Policy 16, 2 (May 1982), 117–138.
in street canyons. Applied Acoustics 74, 1 (Jan. 2013), 22. New York City Department of Health and Mental
169–180. Hygiene. Ambient Noise Disruption in New York City,
5. Bronzaft, A. and Van Ryzin, G. Neighborhood Noise Data Brief 45. New York City Department of Health
and Its Consequences: Implications for Tracking and Mental Hygiene, Apr. 2014; https://www1.nyc.gov/
Effectiveness of NYC Revised Noise Code. Special assets/doh/downloads/pdf/epi/databrief45.pdf
Report #14. Survey Research Unit, School of Public 23. Pham, C. and Cousin, P. Streaming the sound of smart
Affairs, Baruch College, CUNY, New York, Apr. 2007; cities: Experimentations on the SmartSantander test-
http://www.noiseoff.org/document/cenyc.noise. bed. In Proceedings of IEEE International Conference
report.14.pdf on Green Computing and Communications, IEEE
6. Cartwright, M., Seals, A., Salamon, J., Williams, A., Internet of Things, and IEEE Cyber, Physical and
Mikloska, S., McConnell, D., Law, E., Bello, J., and Social Computing (Beijing, China, Aug. 20–23). IEEE,
Nov, O. Seeing sound: Investigating the effects of Piscataway, NJ, 2013, 611–618. Watch the authors discuss
visualizations and complexity on crowdsourced 24. Ruge, L., Altakrouri, B., and Schrader, A. Sound of the this work in the exclusive
audio annotations. In Proceedings of the 21st ACM city: Continuous noise monitoring for a healthy city. In Communications video.
Conference on Computer-Supported Cooperative Proceedings of the IEEE International Conference on https://cacm.acm.org/videos/sonyc

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 77
review articles
DOI:10.1145/ 3209623
This article is not a technical manu-
The roots of blockchain technologies are al, nor is it a broad survey of the litera-
ture (both widely available elsewhere).
deeply interwoven in distributed computing. Instead, it attempts to explain block-
chain research in terms of the many
BY MAURICE HERLIHY similarities, parallels, semi-reinven-
tions, and lessons not learned from

Blockchains
distributed computing.
This article is intended mostly to ap-
peal to blockchain novices, but perhaps
it will provide some insights to those

from a
familiar with blockchain research but
less familiar with its precursors.

The Ledger Abstraction

Distributed
The abstraction at the heart of block-
chain systems is the notion of a ledger,
an invention of the Italian Renais-
sance originally developed to support

Computing
double-entry bookkeeping, a distant
precursor of modern cryptocurren-
cies. For our purposes, a ledger is
just an indelible, append-only log of

Perspective
transactions that take place between
various parties. A ledger establishes
which transactions happened (“Alice
transferred 10 coins to Bob”), and
the order in which those transactions
happened (“Alice transferred 10 coins
to Bob, and then Bob transferred title
to his car to Alice”). Ledgers are pub-
lic, accessible to all parties, and they
BITCOIN FIRST APPEARED in a 2008 white paper authored must be tamper-proof: no party can
add, delete, or modify ledger entries
by someone called Satoshi Nakamoto,18 the mysterious once they have been recorded. In
deus absconditus of the blockchain world. Today, short, the algorithms that maintain
ledgers must be immune to attack, en-
cryptocurrencies and blockchains are very much in the suring the ledger remains secure even
news. Much of this coverage is lurid, sensationalistic,
and irresistible: roller-coaster prices and instant key insights
riches, vast sums of money stolen or inexplicably lost, ˽˽ The long-term scientific value of
blockchain algorithms and systems is
underground markets for drugs and weapons, and independent of the fates of today’s coins.

promises of libertarian utopias just around the corner. ˽˽ Many of the basic algorithms and
IMAGE BY AND RIJ BORYS ASSOCIAT ES/SHUT TERSTOCK

techniques used in blockchains are best

This article is a tutorial on the basic notions and understood as variations on familiar
algorithms and techniques from classic
mechanisms underlying blockchains, colored by distributed computing.

the perspective that much of the blockchain world ˽˽ A smart contract language should have
an explicit concurrency model to make
is a disguised, sometimes distorted, mirror image of programmers aware of well-known
concurrency-related pitfalls and hazards.
the distributeda computing world. ˽˽ The blockchain world encompasses both
“permissioned” and “permissionless”
a In this article, “distributed computing” is used to encompass both message passing chains, and a number of promising
and shared-memory models of concurrent computation. application areas beyond just coins.

78 COMM UNICATIO NS O F THE AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 79
review articles

if some parties misbehave, whether fault-tolerance are compartmentalized

accidentally or maliciously. in the consensus protocol.
Blockchain ledger precursors. It is A consensus protocol involves a col-
helpful to start by reviewing a blockchain lection of parties, some of whom are
precursor, the so-called universal con-
struction for lock-free data structures.13 Cryptocurrencies honest, and follow the protocol, and
some of whom are dishonest, and may
Alice runs an online news service.
Articles that arrive concurrently on
and blockchains depart from the protocol for any rea-
son. Consensus is a notion that applies
multiple channels are placed in an are very much in to a broad range of computational
in-memory table where they are in-
dexed for retrieval. At first, Alice used
the news. models. In some contexts, dishonest
parties might simply halt arbitrarily
a lock to synchronize concurrent ac- Much of the (so-called crash failures), while in
cess to the table, but every now and
then, the thread holding the lock
coverage is lurid, other contexts, they may behave arbi-
trarily, even maliciously (so-called Byz-
would take a page fault or a sched- sensationalistic, antine failures). In some contexts, par-
uling interrupt, leaving the articles
inaccessible for too long. Despite the and irresistible. ties communicate through objects in
a shared memory, and in others, they
availability of excellent textbooks on exchange messages. Some contexts re-
the subject,14 Alice was uninterested strict how many parties may be dishon-
in customized lock-free algorithms, est, some do not.
so she was in need of a simple way to In consensus, each party proposes
eliminate lock-based vulnerabilities. a transaction to append to the ledger,
She decided to implement her data and one of these proposed transac-
structure in two parts. To record ar- tions is chosen. Consensus ensures
ticles as they arrive, she created a led- agreement: All honest parties agree on
ger implemented as a simple linked which transaction was selected, termi-
list, where each list entry includes the nation: All honest parties eventually
article and a link to the entry before it. learn the selected transaction, and va-
When an article arrives, it is placed in lidity: The selected transaction is valid
a shared pool, and a set of dedicated for that application.
threads, called miners (for reasons to Consensus protocols have been the
be explained later), collectively and re- focus of decades of research in the dis-
peatedly run a protocol, called consen- tributed computing community. The
sus, to select which article to append literature contains many algorithms
to the ledger. Here, Alice’s consensus and impossibility results for many dif-
protocol can be simple: each thread ferent models of computation (see sur-
creates a list entry, then calls an atom- veys in Attiya1 and Herlihy14).
ic compare-and swapb instruction to at- Because ledgers are long-lived,
tempt to make that entry the new head they require the ability to do repeat-
of the list. ed consensus to append a stream of
Glossing over some technical de- transactions to the ledger. Usually,
tails, to query for a recent article, a consensus is organized in discrete
thread scans the linked-list ledger. To rounds, where parties start round r + 1
add a new article, a thread adds the ar- after round r is complete. Of course,
ticle to the pool, and waits for a miner this shared-memory universal con-
to append it to the ledger. struction is not yet a blockchain, be-
This use of a black-box consensus cause although it is concurrent, it is
protocol may seem cumbersome, and not distributed. Moreover, it does not
indeed, there are many ways it could tolerate truly malicious behavior (only
be made more efficient, but it has two crashes). Nevertheless, we have already
compelling advantages even without introduced the key concepts underly-
further optimization: First, it is univer- ing blockchains.
sal: it can implement any type of data Private blockchain ledgers. Alice
structure, no matter how complex. Sec- also owns a frozen yogurt parlor, and
ond, all questions of concurrency and her business is in trouble. Several re-
cent shipments of frozen yogurt have
been spoiled, and Bob, her supplier,
b The compare-and-swap instruction atomically
compares a memory location’s contents with a
denies responsibility. When she sued,
given expected value and, if they match, updates Bob’s lawyers successfully pleaded
that location’s contents to a new given value. that not only had Bob never handled

80 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 review articles

those shipments, but they were

spoiled when they were picked up at
the yogurt factory, and they were in
excellent condition when delivered to
Public and Private Keys
Modern cryptography is based on the notions of matching public and private keys.
Alice’s emporium. Any string encrypted by one can be decrypted by the other. Encrypting a message with
Alice decides it is time to “block- Alice’s public key yields a message only Alice can read, and encrypting a message with
chain” her supply chain. She rents Alice’s private key yields a digital signature, a message everyone can read, but only
some cloud storage to hold the ledger, Alice could have produced.
and installs Internet-enabled tempera-
ture sensors in each frozen yogurt con-
tainer. She is concerned that sensors
are not always reliable (and that Bob
may have tampered with some), so she Proof of Work Puzzles
wires the sensors to conduct a Byzan- Here is a puzzle typical of those used in PoW implementations. Let b be the block
tine fault-tolerant consensus protocol,4 the miner wants to append to the ledger, H(∙) a cryptographic hash function, and “∙”
concatenation of binary strings. The puzzle is to find a value c such that H(b∙c) < D,
which uses several rounds of voting to where D is a difficulty setting (the smaller D, the more difficult). Because H is difficult
ensure temperature readings cannot be to invert, there is no way to find c substantially more efficient than exhaustive search.
distorted by a small number of faulty or
corrupted sensors. At regular intervals,
the sensors reach consensus on the cur- served as consensus. Here, a list kept in Suppose Bob owns a coupon, and
rent temperature. They timestamp the cloud storage serves as a ledger, and a decides to transfer half of it to Carol,
temperature record, and add a hash of combination of Byzantine fault-tolerant and keep the other half for himself.
the prior record, so that any attempt to voting and human signatures serves as Bob and Carol each generate a pair of
tamper with earlier records will be de- consensus. Although the circumstances private and public keys. Bob creates a
tected when the hashes do not match. are quite different, the “ledger plus con- new ledger entry with his current pub-
They sign the record to establish au- sensus” structure is the same. lic key, his new public key, and Carol’s
thenticity, and then append the record Public blockchain ledgers. Alice public key, saying: “I, the owner of the
to the cloud storage’s list of records. sells her frozen yogurt business and private key matching the first public key,
Each time a frozen yogurt barrel decides to open a restaurant. Because do hereby transfer ownership of the cor-
is transferred from Carol’s factory rents are high and venture capitalists responding coupon to the owners of the
to Bob’s truck, Bob and Carol sign a rapacious, she decides to raise her own private keys matching the next two pub-
statement agreeing on the change of capital via an intriguing coupon offering lic keys.” Spending one of Alice’s cryp-
custody. (Alice and Bob do the same (ICO): she sells digital certificates re- tocoupons is like breaking a $20 bill
when the barrel is delivered to Al- deemable for discount meals when the into two $10 bills: the old coupon is
ice.) At each such transfer, the signed restaurant opens. Alice hopes that her consumed and replaced by two distinct
change-of custody certificate is time ICO will go viral, and soon people all coupons of smaller value. (This struc-
stamped, the prior record is hashed, over the world will be clamoring to buy ture is called the unspent transaction
the current record is appended to the Alice’s Restaurant’s coupons (many output (UTXO) model in the literature).
cloud storage’s list. with the intention of reselling them at Next, Alice must decide how to
Alice is happy because she can now a markup). manage her blockchain. Alice does
pinpoint when a yogurt shipment melt- Alice is media savvy, and she de- not want to do it herself because she
ed, and who had custody at the time. cides her coupons will be more attrac- knows that potential customers might
Bob is happy because he cannot be tive if she keeps them on a blockchain not trust her. She has a clever idea: she
blamed if the shipment had melted be- as cryptocoupons. Alice’s cryptocou- will crowdsource blockchain manage-
fore he picked it up at the factory, and pons have three components: a private ment by offering additional coupons
Carol is similarly protected. key, a public key, and a ledger entry (see as a fee to anyone who volunteers to be
Here is a point that will become the sidebar “Public and Private Keys”). a miner, that is, to do the work of run-
important later. At every stage, Alice’s Knowledge of the private key confers ning a consensus protocol. She sets
supply-chain blockchain includes ownership: anyone who knows that up a shared gossip network (some-
identities and access control. The tem- private key can transfer ownership of times called a peer-to-peer network)
perature sensors sign their votes, so (“spend”) the coupon. The public key to allow coupon aficionados to share
voter fraud is impossible. Only Alice, enables proof of ownership: anyone can data. Customers wishing to buy or sell
Bob, and Carol (and the sensors) have verify that a message encrypted with coupons send their transactions to
permission to write to the cloud stor- the private key came from the coupon’s this gossip network. A group of volun-
age, so it is possible to hold parties ac- owner. The ledger conveys value: it es- teer miners pick up these transactions,
countable if someone tries to tamper tablishes the link between the public batch them into blocks for efficiency,
with the ledger. key and the coupon with an entry say- and collectively execute repeated
In the shared-memory universal con- ing: “Anyone who knows the secret key consensus protocols to append these
struction, a linked list served as a led- matching the following public key owns blocks to the shared ledger, which is
ger, and an atomic memory operation one cryptocoupon.” itself broadcast over the gossip net-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 81
review articles

longest, although other approaches

Cryptographic Hash Function

have been suggested.25
As a result, there is always some
uncertainty whether a transaction on
A cryptographic hash function H(∙) has the property that for any value v, it is easy to
compute H(v), but it is infeasible to discover a v′ ≠ v such that H(v′) = H(v). the blockchain is permanent, although
the probability that a block, once on
the blockchain, will be replaced de-
work. Every miner, and everyone else dresses are easily forged, and a victim creases exponentially with the number
who cares, keeps a local copy of the would have no recourse if Sybil were to of blocks that follow it.9,20 If Bob uses
ledger, kept more-or-less up-to-date steal his coupons. Alice’s cryptocoupons to buy a car from
over the gossip network. Essentially the same problem aris- Carol, Carol would be prudent to wait
Alice is still worried that crooked es when organizing a street gang: how until Bob’s transaction is fairly deep in
miners could cheat her customers. to ensure someone who wants to join the blockchain to minimize the chances
Most miners are probably honest, the gang is not a plainclothes police that it will be displaced by a fork.
content to collect their fees, but there officer, newspaper reporter, or just Although PoW is currently the basis
is still a threat that even a small num- a freeloader? One approach is what for the most popular cryptocurrencies,
ber of dishonest miners might collude sociologists call costly signaling:29 the it is not the only game in town. There
with one another to cheat Alice’s inves- candidate is required to do some- are multiple proposals where crypto-
tors. Alice’s first idea is to have miners, thing expensive and difficult to fake, currency ownership assumes the role
identified by their IP addresses, vote like robbing a store, or getting a gang of costly signaling, such as Ethereum’s
via the Byzantine fault-tolerant con- symbol tattoo. Casper2 or Algorand.10 Cachin and Vu-
sensus algorithm4 used in the frozen In the public blockchain world, the kolic3 give a comprehensive survey of
yogurt example. most common form of costly signaling blockchain consensus protocols.
Alice quickly realizes this is a bad is called proof of work (PoW). In PoW, Discussion. The distinction be-
idea. Alice has a nemesis, Sybil, who consensus is reached by holding a self- tween private (or permissioned) block-
is skilled in the art of manufacturing administered lottery among the miners chain systems, where parties have
fake IP addresses. Sybil could easily to decide which transaction is append- reliable identities, and only vetted
overwhelm any voting scheme simply ed next to the ledger. Here is the clever parties can participate, and public (or
by flooding the protocol with “sock- part: buying a lottery ticket is a form permissionless) blockchain systems,
puppet” miners who appear to be of costly signaling because, well, it is where parties cannot be reliably iden-
independent, but are actually under costly: expensive in terms of time wast- tified, and anyone can participate, is
Sybil’s control. ed and electricity bills. Sybil’s talent for critical for making sense of the block-
We noted earlier that the frozen yo- impersonation is useless to her if each chain landscape.
gurt supply chain blockchain was not of her sock puppet miners must buy an Private blockchains are better
vulnerable to this kind of “Sybil attack” expensive, long shot lottery ticket. suited for business applications, par-
because parties had reliable identities: Specifically, in the PoW lottery, min- ticularly in regulated industries, like
only Alice, Bob, and Carol were allowed ers compete to solve a puzzle, where finance, subject to know-your custom-
to participate, and even though they solving the puzzle is difficult, but prov- er and anti-money-laundering regula-
did not trust one another, each one ing one has solved the puzzle is easy tions. Private blockchains also tend to
knew they would be held accountable (see sidebar “Proof of Work Puzzles”). be better at governance. For example,
if caught cheating. By contrast, Alice’s Simplifying things for a moment, the the lack of any orderly procedure for
Restaurant’s cryptocoupon miners do first miner to solve the puzzle wins the updating the ledger protocol in re-
not have reliable identities, since IP ad- consensus, and gets to choose the next sponse to changing circumstances has
block to append to the ledger. If that caused feuding factions to split both
Figure 1. Pseudocode for DAO-like contract. block is valid, that miner also receives a Ethereum6 and Bitcoin12 into distinct,
reward (another coupon), but the other incompatible currencies. Most prior
function withdraw(unit amount){
client = msg.sender:
miners receive nothing, and must start work on distributed algorithms has fo-
if (balance[ client ] >=amount}{ over on a new puzzle. cused on systems where participants
if (client . call . sendMoney(amount)){ As hinted, the previous paragraph have reliable identities.
balance[ client ] ¬–=amount; was an oversimplification. In fact, Public blockchains are appealing
}}}
PoW consensus is not really consen- for applications such as Bitcoin, which
sus. If two miners both solve the puz- seek to ensure nobody can control who
zle at about the same time, they could can participate, and participants may
Figure 2. Pseudocode for DAO-like exploit. append blocks to the blockchain in not be eager to have their identities
parallel, so that neither block pre- known. Although PoW was invented
function sendMoney(unit amount){
victim = msg.sender;
cedes the other in the chain. When by Dwork and Naor7 as a way to control
balance += amount; this happens, the blockchain is said to spam, Nakamoto’s application of PoW
victim.withdraw(amount) fork. Which block should subsequent to large-scale consensus was a genuine
} miners build on? The usual answer is innovation, one that launched the en-
to build on the block whose chain is tire blockchain field.

82 COMMUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 review articles

Smart Contracts 4. Bob sends s to Alice’s contract,

Most blockchain systems also provide acquiring the coupons and completing
some form of scripting language to the swap.
make it easier to add functionality to If Alice or Bob crashes during steps
ledgers. Bitcoin provides a rudimen-
tary stack-based language, while Ethe- Public blockchains one or two, then the contracts time out
and refund their assets to the original
reum8 provides a Turing-complete im-
perative language similar to JavaScript.
are appealing for owners. If either crashes during steps

applications such as
three and four, then only the party who
Such programs are often called crashes ends up worse off. If either par-
smart contracts (or contracts) (though
they are arguably neither smart nor
Bitcoin, which seek ty tries to cheat, for example, by pub-
lishing an incorrect contract, then the
contracts). Here we focus on Ethere- to ensure nobody other party can simply stop participat-
um-style contracts.
Here are some examples of simple
can control ing and its asset will be refunded. Al-
ice’s contract needs a 48-hour timelock
contract functionality. A hashlock h pre- who can participate, to give Bob enough time to react when
vents an asset from being transferred
until the contract receives a matching and participants she releases her secret before her 24
hours are up.
secret s, where h = H(s), for H a crypto- may not be eager This example illustrates the power
graphic hash function (see the sidebar
“Cryptographic Hash Function”). to have their of smart contracts. There are many
other uses for smart contracts, includ-
Similarly, a timelock t prevents an asset
from being transferred until a specified
identities known. ing finance,23 digital rights manage-
ment,26 supply chain,19 insurance,16
future time t. and even off-chain transactions,21 a
Suppose Alice wants to trade some way of streamlining commerce by con-
of her coupons to Bob in return for ducting most business off-chain, and
some bitcoins. Alice’s coupons live on falling back to the blockchain only as
one blockchain, and Bob’s bitcoins necessary to settle balances.
live on another, so they must devise Smart contracts as objects. A smart
an atomic cross-chain swap protocol to contract resembles an object in an
consummate their deal. Naturally, nei- object-oriented programming lan-
ther one trusts the other. guage. A contract encapsulates long-
Here is a simple protocol. Let us lived state, a constructor to initialize
generously assume 24 hours is enough that state, and one or more functions
time for anyone to publish a smart con- (methods) to manage that state. Con-
tract on either blockchain, and for the tracts can call one another’s functions.
other party to detect that the contract In Ethereum, all contracts are re-
has been published. corded on the blockchain, and the
1. Alice creates a secret s, h = H(s), ledger includes those contracts’ cur-
and publishes a contract on the cou- rent states. When a miner constructs
pon blockchain with hashlock h and a block, if fills that block with calls
timelock 48 hours in the future, ensur- to smart contract functions, and ex-
ing the contract will transfer the cou- ecutes them one-by-one, where each
pons to Bob if Bob can produce s with- contract’s final state is the next con-
in 48 hours. If he cannot, the coupons tract’s initial state. These contract
will be refunded to Alice. executions occur in order, so it would
2. When Bob confirms that Alice’s appear there is no need to worry about
contract has been published on the concurrency.
coupon blockchain, he publishes a Smart contracts as monitors. The
contract on the Bitcoin blockchain Decentralized Autonomous Organiza-
with the same hashlock h but with tion (DAO) was an investment fund set
timelock 24 hours in the future, en- up in 2016 to be managed entirely by
suring the contract will transfer the smart contracts, with no direct human
bitcoins to Alice if Alice can produce s administration. Investors could vote
within 24 hours. If she cannot, the bit- on how the fund’s funds would be in-
coins will be refunded to Bob. vested. At the time, there were breath-
3. When Alice confirms that Bob’s less journalistic accounts explaining
contract has been published on the Bit- how the DAO would change forever
coin blockchain, she sends the secret s the shape of investing.22,27
to Bob’s contract, taking possession of Figure 1 shows a fragment of a
the bitcoins, and revealing s to Bob. DAO-like contract, illustrating a func-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 83
review articles

Figure 3. ERC20 Token example. a method, or by suspending via wait().

If we view smart contracts through
contract ERC20Example { the lens of monitors and monitor in-
// Balances for each account
variants, then the re-entrancy vulner-
mapping(address => uint256) balances;
// Owner of account approves the transfer of an amount to another account ability looks very familiar. An external
mapping(address => mapping (address => uint256)) allowed; call is like a wait() suspension, be-
// other fields omitted cause even though there is no explicit
...
// Allow spender to withdraw from your account, multiple times, up to the amount.
lock, the call makes it possible for a
function approve(address spender, uint amount)public returns (bool success) { second program counter to execute that
allowed[msg.sender][spender] = amount; // alter approval contract’s code concurrently with the
Approval(msg.sender, spender, amount); // blockchain event
first program counter. The DAO-like
return true;
} contract shown here implicitly assumed
function allowance(address tokenOwner, address spender)public returns(uint the invariant that each client’s entry in
remaining){ the balance table reflects its actual bal-
return allowed[tokenOwner][spender];
}
ance. The error occurred when the in-
function transferFrom(address from, address to, uint tokens)public(boolsuccess){ variant, which was temporarily violated
balances[from]= balances[from].sub(tokens); between Lines 3 and 5, was not restored
allowed[from][msg.sender]= allowed[from][msg.sender].sub(tokens); before giving up the (virtual) monitor
balances[to]= balances[to].add(tokens);
Transfer (from, to, tokens); lock by making an external call.
return true; Here is why the distributed com-
} puting perspective is valuable. When
... // other functions omitted
}
explained in terms of monitors and
monitor invariants, the re-entrancy
vulnerability is a familiar, classic con-
tion that allows an investor to with- and the funds are transferred a second currency bug, but when expressed in
draw funds. First, the function ex- time, then a third, and so on, stopping terms of smart contracts, it took re-
tracts the client’s address (Line 2), only when the call stack overflows. spected, expert programmers by sur-
then checks whether the client has This kind of re-entrancy attack may prise, resulting in substantial disrup-
enough funds to cover the withdrawal at first glance seem like an exotic haz- tion and embarrassment for the DAO
(Line 3). If so, the funds are sent to the ard introduced by a radically new style investors, and required rolling back
client through an external function of programming, but if we change our troublesome but technically legal
call (Line 4), and if the transfer is suc- perspective slightly, we can recognize transactions and proceeding as if they
cessful, the client’s balance is decre- a pitfall familiar to any undergraduate had never taken place.6
mented (Line 5). who has taken a concurrent program- Smart contracts as read-modify-
This code is fatally flawed. In June ming course. write operations. The ERC20 token
2016, someone exploited this func- First, some background. A monitor standard28 is the basis for many recent
tion to steal about $50 million in funds is a concurrent programming language initial coin offerings (ICOs), a popular
from the DAO. As noted, the expres- construct invented by Hoare15 and Brin- way to raise capital for an undertak-
sion in Line 3 is a call to a function in ch Hansen.11 A monitor is an object with ing without actually selling ownership.
the client’s contract. Figure 2 shows a built-in mutex lock, which is acquired The issuer of an ERC20 token controls
the client’s code. The client’s contract automatically when a method is called token creation. Tokens can be traded
immediately calls withdraw() again and released when the method returns. or sold, much like Alice’s Restaurant’s
(Line 4). This re-entrant call again tests (Such methods are called synchronized coupons discussed earlier. ERC20 is
whether the client has enough funds methods in Java.) Monitors also pro- a standard, like a Java interface, not a
to cover the withdrawal (Line 3), and vide a wait() call that allows a thread particular implementation.
because withdraw() decrements the to releases the monitor lock, suspend, As illustrated in Figure 3, an ERC20
balance only after the nested call is eventually awaken, and reacquire the token contract keeps track of how many
complete, the test erroneously passes, lock. For example, a thread attempting tokens each account owns (the balances
to consume an item from an empty buf- mapping at Line 3), and also how many
Figure 4. An incorrect atomic decrement fer could call wait() to suspend until tokens each account will allow to be
operation.
there was an item to consume. transferred to each other’s account (the
class Counter { The principal tool for reasoning allowed mapping at Line 5). The ap-
private int counter; about the correctness of a monitor prove() function (Lines 9–13) adjusts
public void dec() { implementation is the monitor invari- the limit on how many tokens can be
int temp = counter
temp = temp – 1;
ant, an assertion that holds whenever transferred at one time to another ac-
counter = temp; no thread is executing in the monitor. count. It updates the allowed table (Line
} The invariant can be violated while a 10), and generates a blockchain event
… thread is holding the monitor lock, but to make these changes easier to track
}
it must be restored when the thread re- (Line 11). The allowance() function
lease the lock, either by returning from queries this allowance (Lines 14–16).

84 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 review articles

The transferFrom() function ous, but when expressed in terms of fork-return-dao-investor-funds/.

7. Dwork, C. and Naor, M. Pricing via Processing or
(Lines 17–23) transfers tokens from smart contracts that ostensibly do not Combatting Junk Mail. Springer Berlin Heidelberg,
one account to another, and decreas- need a concurrency model, the same 1993, 139–147.
8. Ethereum; https://github.com/ethereum/.
es the allowance by a corresponding design flaw was immortalized in a to- 9. Garay, J., Kiayias, A., and Leonardos, N. The Bitcoin
amount. This function assumes the re- ken standard with a valuation estimat- Backbone Protocol: Analysis and Applications. Springer
Berlin, Heidelberg, 2015, 281–310.
cipient has sufficient allowance for the ed in billions of dollars. 10. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., and
transfer to occur. Discussion. We have seen the no- Zeldovich, N. Algorand: Scaling Byzantine agreements
for cryptocurrencies. In Proceedings of the 26th
Here is how this specification can tion that smart contracts do not need Symposium on Operating Systems Principles, (2017)
51–68.
lead to undesired behavior. Alice calls a concurrency model because execu- 11. Hansen, P.B. Operating System Principles. Prentice-
approve() to authorize Bob to trans- tion is single-threaded is a dangerous Hall, Inc., 1973.
12. Hearn, M. The resolution of the Bitcoin experiment,
fer as many as 1,000 tokens from her illusion. Sergey and Hobor24 give an (2016); https://blog.plan99.net/the-resolution-of-the-
account to his. Alice has a change of excellent survey of pitfalls and com- bitcoin-experiment-dabb30201f7.
13. Herlihy, M. Wait-free synchronization. ACM Trans.
heart, and issues a transaction to re- mon bugs in smart contracts, explain- Program. Lang. Syst. 13, 1 (1991) 124–149.
duce Bob’s allowance to a mere 100 ing how they are disguised versions of 14. Herlihy, M. and Shavit, N. The Art of Multiprocessor
Programming. Morgan Kaufmann Publishers, Inc., 2008.
tokens. Bob learns of this change, familiar concurrency pitfalls and bugs. 15. Hoare, C.A.R. Monitors: An operating system
and before Alice’s transaction makes Atzei et al. provide a comprehensive structuring concept. Commun. ACM 17, 10 (Oct. 1974),
549–557.
it onto the blockchain, Bob issues a survey of vulnerabilities in Ethereum’s 16. Marr, B. Blockchain implications every
transferFrom() call for 1,000 to- smart contract design. Some of today’s insurance company needs to consider now.
Forbes, (2017); https://www.forbes.com/sites/
kens to a friendly miner, who ensures languages’ pitfalls and traps can be bernardmarr/2017/10/31/ blockchain-implications-
Bob’s transaction precedes Alice’s in avoided by carefully following codes of every-insurance-company-needs-to-consider-
now/2#982922468825.
the next block. In this way, Bob suc- best practices.5,17 17. Maurelian. Beyond Smart Contract Best Practices
cessfully withdraws his old allowance for UX and Interoperability; https://medium.com/@
maurelian/beyond-smart-contract-best-practices-for-
of 1,000 tokens, setting his authori- Conclusion ux-and-interoperability-6d94d27c1e0f.
18. Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash
zation to zero, and then, just to spite Radical innovation often emerges System, (2009); http://www.bitcoin.org/bitcoin.pdf.
Alice, he withdraws his new allowance more readily from outside an estab- 19. O’Byrne, R. How Blockchain Can Transform the Supply
Chain, (2017); https://www.logisticsbureau.com/how-
of 100 tokens. In the end, Alice’s at- lished research community than from blockchain-can-transform-the-supply-chain/.
tempt to reduce Bob’s allowance from inside. Would Nakamoto’s original Bit- 20. Pass, R., Seeman, L., and Shelat, A. Analysis of the
Blockchain Protocol in Asynchronous Networks.
1,000 to 10 made it possible for Bob coin paper have been accepted to one Cryptology ePrint Archive Report 2016/454; https://
to withdraw 1,100 tokens, which was of the principal distributed conferenc- eprint.iacr.org/2016/454.
21. Poon, J. and Dryja, T. The Bitcoin Lightning Network:
not her intent. es back in 2008? We will never know, of Scalable Off-Chain Instant Payments, (2016); https://
In practice, ERC20 token imple- course, but the paper’s lack of a formal lightning.network/lightning-network-paper.pdf.
22. Popper, N. A venture fund with plenty of virtual capital,
mentations often employ ad-hoc work- model, absence of rigorous proofs, and but no capitalist. New York Times (May 22, 2016);
arounds to avoid this vulnerability, the lack of performance numbers would https://www.nytimes.com/2016/05/22/business/
dealbook/crypto-ether-bitcoin-currency.html.
most common being to redefine the have been a severe handicap. 23. Prisco, G. Smart Contracts and the Future of Banking,
meaning of allow() so that it will reset Today, blockchain research is one (2017); https://www.nasdaq.com/article/smart-
contracts-and-the-future-of-banking-cm849118.
an allowance from a positive value to of the more vibrant areas of com- 24. Sergey, I. and Hobor, A. A Concurrent Perspective
zero, and in a later call, from zero to the puter science, with the potential of on Smart Contracts. CoRR abs/1702.05511 (2017).
arXiv:1702.05511; http://arxiv.org/abs/1702.05511
new positive value, but will fail if asked revolutionizing how our society deals 25. Sompolinsky, Y., Lewenberg, Y. and Zohar, A.
SPECTRE: A Fast and Scalable Cryptocurrency
to reset an allowance from one positive with trust. The observation that many Protocol. Cryptology ePrint Archive, Report
value to another. blockchain constructs have under- 2016/1159; http://eprint.iacr.org/2016/1159.pdf
26. Tapscott, D. and Tapscott, A. Blockchain could help
The problem is that approve() acknowledged doppelgängers (or at artists profit more from their creative works. HBR,
blindly overwrites the old allowance least, precursors) is not a criticism of (2017); https://hbr.org/2017/03/blockchain-could-help-
artists-profit-more-from-their-creative-works.
with the new allowance, regardless either research community, but rather 27. Vigna, P. Chiefless Company rakes in more than
of whether the old allowance has an appeal to each side to pay more at- $100 million. WSJ, (2016); https://www.wsj.com/
articles/ chiefless-company-rakes-in-more-than-100-
changed. This practice is analogous to tention to the other. million-1463399393.
trying to implement an atomic decre- 28. Vogelsteller, F. and Buterin, V. ERC-20 Token Standard;
https: //github.com/ethereum/EIPs/blob/master/
ment as shown in Figure 4. Here, the References EIPS/eip-20.md.
1. Attiya, H. and Welch, J. Distributed Computing:
decrement method reads the shared Fundamentals, Simulations and Advanced Topics.
29. Wikipedia. Signalling Theory; https://en.wikipedia.org/
wiki/Signalling_theory.
counter state into a local variable John Wiley & Sons, 2004.
2. Buterin, V. and Griffith, V. Casper the Friendly Finality
(Line 4), increments the local variable Gadget, (2017); https://github.com/ethereum/ Maurice Herlihy (maurice.herlihy@gmail.com) is the
(Line 5), and stores the result back in research/commits/master/papers/casper-basics/ An Wang Professor of Computer Science at Brown
casper_basics.pdf. University, Providence, RI, USA.
the shared state (Line 6). It is not dif- 3. Cachinm, C. and Vukolic, M. Blockchain consensus
ficult to see that this method is incor- protocols in the wild (Keynote Talk). In Proceedings
of the 31st International Symposium on Distributed © 2019 ACM 0001-0782/19/2 $15.00
rect if it can be called by concurrent Computing. Andréa W. Richa, ed. (2017), 1:1–1:16.
threads, because the shared counter 4. Castro, M. and Liskov, B. Practical Byzantine fault
tolerance and proactive recovery. ACM Trans. Comput.
state can change between when it was Syst. 20, 4, (2002) 398–461.
5. Consensys, Inc. Ethereum Smart Contract Security Watch the authors discuss
read at Line 4 and when it was written Best Practices; https://consensys.github.io/smart- this work in the exclusive
at Line 6. When explained in terms of contract-best-practices/ Communications video.
6. del Castillo, M. Ethereum Executes Blockchain Hard https://cacm.acm.org/videos/
elementary concurrent programming, Fork to Return DAO Funds, (2016); https://www. blockchains-from-a-distributed-
the ERC20 concurrency flaw is obvi- coindesk.com/ethereum-executes-blockchain-hard- computing-perspective

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 85
review articles
DOI:10.1145/ 3211968
embedded pointers. One of the found-
Separation logic is a key development in ing papers of separation logic summa-
rized the problem as follows.32
formal reasoning about programs, opening up "The main difficulty is not one of find-
new lines of attack on longstanding problems. ing an in-principle adequate axiomatiza-
tion of pointer operations; rather there
BY PETER O’HEARN is a mismatch between simple intu-

Separation
itions about the way that pointer opera-
tions work and the complexity of their
axiomatic treatments. … when there is
aliasing, arising from several pointers to
a given cell, an alteration to a cell may af-

Logic
fect the values of many syntactically un-
related expressions."
Bornat provided a good description
of the struggles in reasoning about mu-
table data structures up to 2000.6
In joint work with John Reynolds and
others we developed separation logic
(SL) to address the fundamental prob-
lem of reasoning about programs that
mutate data structures. From a special
logic for heaps, it gradually evolved into
a general theory for modular reasoning
A FUNDAMENTAL TECHNIQUE in reasoning about programs about concurrent as well as sequential
is the use of logical assertions to describe properties of programs. Efforts by many research-
ers established that the logic provides a
program states. Turing used assertions to argue about basis for efficient proof search in auto-
the correctness of a particular program in 1949,40 and matic and semi-automatic proof tools,
they were incorporated into general formal systems for for example, giving rise to the Infer static
analyzer, a tool that is in deployment at
program proving starting with the work of Floyd21 and Facebook where it catches thousands
Hoare22 in the 1960s. Hoare logic, which separation of bugs per month before code reaches
logic builds upon, is a formal system for proving production in products used daily by
over one billion people.
specifications of the form Separation logic is an extension of
Hoare logic, which employs novel logi-
cal operators, most importantly the sep-
arating conjunction * (pronounced “and
where the precondition and postcondition are
vassertions describing properties of the input and key insights
output states. For example, ˽˽ Separation logic supports in-place
updating of facts as we reason, in a way
that mirrors in-place update of memory
during execution, and this leads to logical
can serve as a specification of an imperative program proofs about imperative programs that
match computational intuition.
that computes the factorial of the value held in variable x ˽˽ Separation logic supports scalable
and places it in y. reasoning by using an inference rule
(the frame rule) that allows a proof to be
Hoare logic and related systems worked very well for localized to the resources that a program
component accesses (its footprint).
programs manipulating simple primitive data types ˽˽ Concurrent separation logic shows
such as for integers or strings, but proofs became more that modular reasoning about threads
that share storage and other resources
complex when dealing with structured data containing is possible.

86 COMMUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 separately”) when writing assertions. The use of * rather than the usual Bool- conjunction; he defined an intuitionis-
For example, we might write: ean conjunction ∧ ensures x and y are not tic (constructive) logic with *,37 building
aliases—distinct names for the same lo- on earlier ideas of Burstall.10 O’Hearn,
cation—so that we have a two-element and Ishtiaq26 realized the assertion lan-
cyclic list in the postcondition. A central guage could be seen as an instance of the
principle is that a command that mu- resource logic BI of O’Hearn and Pym;31
as a specification of code that wires to- tates a single location affects only one they independently discovered the same
gether two memory locations into a cyclic *-conjunct: operational in-place update intuitionistic logic as Reynolds, and
linked list. Here x  v says that pointer is mirrored in the logic, addressing the also saw that a more powerful Boolean
IMAGE BY ANNA GARMATIY

variable x holds the address of a memory key difficulty where “an alteration to a (nonconstructive) variant was possible
location where v is stored (or more brief- cell may affect the values of many syntac- in which one could reason about explicit
ly, x points to v), and a command of the tically unrelated expressions.” memory management (Reynolds had as-
form [x] = v updates the location referred Reynolds was the first to describe a sumed garbage collection). They also in-
to by x so that its contents becomes v′. program logic including the separating troduced the separating implication –*.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 87
review articles

Figure 1. Picture semantics. proposed a concurrent separation logic

(CSL). CSL showed efficient reasoning
( ) ( ) about threads that share access to stor-
age, proofs that mirrored design prin-
ciples espoused by Dijkstra at the birth
x y
of concurrent programming.16 The cor-
rectness of CSL’s proof rules (its ‘sound-
ness’) turned out to be a formidable
problem, solved eventually by Brookes.
x = 10 10 42 Brookes and O’Hearn were awarded
y = 42 42 10 the 2016 Gödel prize for their papers on
CSL,8,30 the significance of which was
decomposes into summed up as follows:
"For the last 30 years experts have
x y x y regarded pointer manipulation as an
and unsolved challenge for program verifica-
separately tion and shared-memory concurrency as
an even greater challenge. Now, thanks
x = 10 42
to CSL, both of these problems have
x = 10 10
y = 42 10
been elegantly and efficiently solved;
y = 42 42
and they have the same solution."
—2016 Gödel Prize citationa
It is worth remarking that the first
Figure 2. Mathematical semantics. part of this citation, about pointer ma-
nipulation, applies to sequential and
not just concurrent SL.
After the early papers, research on SL
expanded rapidly. Starting from a spe-
cial logic for heaps SL has evolved into
a general theory for modular reasoning.
Non-standard models of SL based on an
abstract model theory due to Pym pro-
vided many potential avenues for wider
application, and Gardner and others
realized that there exist non-standard
models that support modular reason-
ing about intertwined structures as if
they were separate. SL has even been
applied to interfering processes using
fine-grained concurrency, a situation far
removed from the original intuitions of
the logic.
SL is the basis of numerous auto-
mated proof tools, and it has been used
in significant verification efforts. It has
been used to provide the first verifica-
SL for sequential programs reached A proof rule—the frame rule—al- tion of a crash-proof file system,14 and
maturity in a further paper of O’Hearn, lowed to infer that cells remain un- to provide the first verification of a com-
Reynolds and Yang.32 In that work changed when they are not mentioned mercial, preemptive OS microkernel.41
O’Hearn proposed the following prin- in a precondition. The frame rule was These verification efforts are semi-
ciple of local reasoning, both as a way to named in homage to the frame problem automatic, done by a human together
describe what was special about SL and from artificial intelligence, which con- with a proof assistant (in these cases,
as a guiding principle for development cerns axiomatizing state changes with- the Coq proof assistant). SL has also
of reasoning methods. out enumerating all of the things that do been used in static program analysis,
"To understand how a program not change. The frame rule is the key to where weaker properties than full cor-
works, it should be possible for reason- scalable reasoning in SL. rectness are targeted but with higher
ing and specification to be confined to Reynolds’ influential survey article automation, so that the tool can scale
the cells that the program actually ac- summarized the early developments better both in the sizes of codebases
cesses. The value of any other cell will up to 2002.38 At the end of this early pe-
automatically remain unchanged." riod, O’Hearn circulated a note that a https://bit.ly/2ywwlpp

88 COM MUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 review articles

covered and the number of program- * is often used with linked struc- A * (A –* B)  B
mers served. Static analysis with SL has tures. If list (x, y) describes an acyclic
matured to the point where it has been linked list running from x to y, then we (where  reads “entails”) is a SL relative
applied industrially in the Facebook can describes a structure with a list seg- of “modus ponens.”
Infer program analyzer, an open source ment, followed by a single pointer, fol- Although we will concentrate on the
tool used at Facebook, Mozilla, Spotify, lowed by a further list running up to 0 informal picture semantics in this ar-
Amazon Web Services, and other com- (null), as follows: ticle, for the theoretically inclined we
panies (www.fbinfer.com). have included a glimpse of the formal
The purpose of this article is to de- x t y semantics in Figure 2.
scribe the basic ideas of SL as well as
these and other developments. Rules for Program Proof
This is the kind of structure you Figure 3 contains a selection of proof
Separating Conjunction might need to consider when deleting rules of SL. The rules are divided into
and Implication an element from a list, or inserting one axioms for basic mutation commands
Mathematical semantics has been into it. (the “small axioms”) and inference
critical to the discovery and further SL There is a further connective, the sep- rules for modular reasoning. An infer-
development, but many of the main arating implication or “magic wand.” ence rule says “if you can derive what
points can be gleaned from “picture P –* Q says that whenever the current is above the line, then so can you what
semantics.” Consider the first picture heaplet is extended with a separate is below,” and the axioms are deriv-
in Figure 1. We read the formula at heaplet satisfying P, the resulting com- able true statements that are given.
the top of this figure as “x points to bined heaplet will satisfy Q. For exam- The small axioms are for a program-
y and separately y points to x.” Go- ple, (x  –) * ((x  3) –*Q) says that x is ming language with load and store
ing down the middle of the diagram allocated in the current heap, and that if instructions similar to an assembly
is a line that represents a heap par- you mutate its contents to 3 then Q will language. If we vary the programming
titioning: a separating conjunction hold. This describes the “weakest pre- language the small axioms change.
asks for a partitioning that divides condition” for the mutation [x] = 3 with The concurrency rule uses a composi-
the heap into parts, heaplets, satisfy- postcondition Q.26 tion operator || for running two pro-
ing its two conjuncts. At the bottom Finally, there is an assertion emp cesses in parallel, derived from Dijks-
of the first picture is an example of which says “the heaplet is empty,” emp tra’s parbegin/parend.16
a concrete memory description that is the unit of *, so that P = emp * P = P * The first small axiom just says that if
corresponds to the diagram. There, emp. Also, –* and * fit together is a way x points to something beforehand, then
x and y have values 10 and 42 (in the similarly to how implication ⇒ and con- it points to v afterward, and it says this
“environment,” or “register bank”), junction ∧ do in standard logic. For ex- for a small portion of the state in which x
and 10 and 42 are themselves loca- ample, the entailment is the only active cell.
tions with the indicated contents (in
the “heaplet,” or even “RAM”). Figure 3. Separation logic proof system (a selection).
The indicated separating con-
junction here is true of the pictured
memory because the parts satisfy the
conjuncts, as indicated in the second
picture. The meaning of “x points to
y and yet to nothing” is precisely dis-
ambiguated in the RAM description
below the diagram: x and y denote val-
ues (10 and 42), x’s value is an allocat-
ed memory address which contains
y’s value, but y’s value is not allocated.
The separating conjunction splits the
heap/RAM, but it does not split the as-
sociation of variables to values.
Generally speaking, the separating
conjunction P * Q is true of a heap if it
can be split into two heaplets, one of
which makes P true and the other of
which makes Q true. A distinction be-
tween * and Boolean conjunction ∧ is
that P * P ≠ P where P ∧ P = P. In particu-
lar, x  v * x  v is always false: there is
no way to divide any heap in such a way
that a cell x goes to both partitions.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 89
review articles

The second axiom says that if x points come as a shock: aren’t they too sim- for the second step of the code to wire up
to v and we read x into y, then y will have ple? Previous approaches had complex a cyclic linked list described at the start
value v. Here, we distinguish between descriptions accounting for the effect of the paper.
the value in a variable or register (x and of mutations on global properties of The ultimate theoretical support for
y) and the r-value in a heap cell whose l- graph-like structures.6 the small axioms came from a complete-
value is the value held in x. The second In actuality, there is a sense in which ness theorem in Yang’s Ph.D. thesis.42
axiom assumes that x does not appear the small axioms capture all that is He showed the small axioms and frame
in syntactic expression v (see O’Hearn et needed to know about the statements rule and several other inference rules
al.32 for a precise description of this and they describe. In intuitive terms, we can (particularly Hoare’s rules for strength-
other variable side conditions). say that imperative computation pro- ening preconditions and weakening
The allocation axiom says: If you start ceeds by in-place update, where these postconditions, and a rule for existential
with no heap, then you end with a heap primitive statements update or access a quantifiers) can be used to derive all true
of size 1. Conversely the De-Allocation single memory cell at a time; describing Hoare triples for these statements.
axiom starts with a hap of size 1 and what happens to only that cell should be Locality properties of program be-
ends with the empty heap. The Appli- enough. The small axioms are thus an havior, and their connection to logic,13,44
cation axiom assumes that allocation extreme illustration of the principle of are critical for these results:
always succeeds. To model a case where local reasoning. "An assertion talks about a heaplet
allocation might fail we could use a dis- The frame rule in Figure 3 provides rather than the global heap, and a spec
junctive postcondition, like x  – ∨ x == logical support for this intuition. It al- {P} C {Q} says that if C is given a heaplet
0; this is what tools such as SpaceInvad- lows us to extend reasoning from one satisfying P then it will never try to ac-
er and Infer, discussed later, do for mal- to multiple cells; so the seeming restric- cess heap outside of P (other than cells
loc() in C. tion to one cell in the small axioms is not allocated during execution) and it will
The small axioms are so named be- a restriction at all, but rather a pleasantly deliver a heaplet satisfying Q if it termi-
cause each mentions a small amount succinct description. For instance, if we nates.2"
of memory: a single memory cell. When choose x  y as our frame then the first In-place reasoning as with the two-
people first see the axioms they can instance in Figure 4 gives the reasoning element cyclic list has been applied to
many imperative programs. As an ex-
Figure 4. Frame and concurrency examples. ample, consider the insertion of a node
y into a linked list after position x. We
can do this in two steps: first we swing
x’s pointer so it points to y, and then we
swing y to point to z (the node after x).

Here, in the precondition for each

Figure 5. deletetree example. step we write the frame in red; it is the
blue that is updated in place. The reader
can see how, using the small axiom for
free together with the frame rule, we
could reason about the converse case of
removing an element from a list.
This example generalizes to many
other list and tree algorithms: inser-
tion, deletion, reversal, and so on. The
SL proofs resemble the box-and-pointer
arguments that have long been used
root
x
l r y
informally in describing data structure
mutation.
These ideas extend to concurrent
programs; for example, the second rule
instance in Figure 4 uses the concurren-
cy rule to reasons about our two-element
cyclic list, but wired up concurrently
rather than sequentially. The * in the
precondition in this instance ensures
that x and y are not aliases, so there is no
data race in the parallel program.

90 COMMUNICATIO NS O F TH E ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 review articles

The concurrency rule is the main rule and is a typical pattern in SL reasoning: cal tree. An assertion like this would tell
of CSL. In applying CSL to languages “small specifications” are used which us that we could mutate one of the trees
with dynamic thread creation instead mention only the cells touched by the without affecting the other (at which
of parbegin/-parend different rules are program component (its footprint). point they would cease to represent the
needed, but the basic point that sepa- The critical part of the proof of the same tree).
ration allows independent reasoning program is presented in (4), where the For data structures without much
about processes carries over. precondition at the beginning is ob- sharing, such as variations on lists and
SL’s concurrency rule took inspira- tained by unwinding the recursive defi- trees, reasoning in SL is reminiscent
tion from the “disjoint concurrency nition using the if condition root ! = 0. of reasoning about purely functional
rule” of Hoare.23 Hoare’s rule used ∧ in The proof steps then follow the intuitive programs: you unroll an inductive defi-
place of * together with side conditions description of the algorithm: the first nition, then mutate, then roll it back
to rule out interference.b * allows us to recursive call deletes the left subtree, up. Inductive definitions using * and
extend its applicability to pointer struc- the second call deletes the right sub- mutation go well together. The first SL
tures. But even without pointers, the tree, and the final statement deletes the proof to address complex sharing was
CSL rule is more powerful. Indeed, upon root node. In the pictured reasoning, done by Yang in his Ph.D. thesis, where
seeing CSL the overall specification of the proce- he provided a verification of the classic
Hoare immediately exclaimed to the dure is applied as an induction hypoth- Schorr-Waite graph-marking algorithm.
author: “We can prove parallel quick- esis at each call site, together with the The algorithm works by reversing links
sort!” A direct proof can be given using Frame Rule for showing that the parts during search, and then restoring them
* to recognize and unite disjoint array not touched by recursive calls are left later: A space-saving representation of
partitions.30 unchanged. For instance, the asser- the stack of a recursive algorithm. Part
tions for the second recursive call are of the main invariant in Yang’s proof is
Frames, Footprints, an instance of the Frame Rule with the
and Local Reasoning triple {tree(right)} deletetree(right)
The previous section describes how the {emp} as the premise. * –*
separating conjunction leads to simple The simplicity of this proof comes
proofs of the individual steps of heap about because of the principle of local capturing the idea that if you replace
mutations, and how the frame rule em- reasoning. The frame rule allows in- the list of marked nodes by a restored
beds reasoning about small chunks of place reasoning for larger-scale opera- list, then you get a spanning tree. Yang’s
memory within larger memories. Here, tions (entire procedures) than individual proof reflected the intuition that the al-
the rules' more fundamental role as a ba- heap mutations. And it allows the speci- gorithm works by a series of local sur-
sis for scalable reasoning is explained. fication to concentrate on the footprint geries that mutate small parts of the
I illustrate by reasoning about a re- of a procedure instead of the global state. structure: The proof decomposed into
cursive program for deleting the nodes Put contrapositively, the deletetree verifications of the surgeries, and ways
in a binary tree. Consider the C program procedure could not be verified without of combining them.
in (1) of Figure 5. This program satis- the frame rule, unless we were to compli- The idiomatic use of –* in assertions
fies the specification in (2) of the figure, cate the initial specification by including of the form A * (B –* C) to describe gen-
where the tree predicate says that its ar- some representation of frame axioms eralized update was elevated to a general
gument points to a binary tree in mem- (saying what does not change) to enable principle in work of Hobor and Villard.25
ory. The predicate is defined recursively the proofs at the recursive call sites. They give proofs of a number of pro-
in (3), with a diagram below depicting This reasoning uses a tree predicate grams with significant sharing, includ-
what is described by the else part of the suitable for reasoning about mem- ing graphs, dags, overlaid structures (for
definition. Note that here we are using a ory safety; it mentions that we have a example, a list overlaying a tree), and
“points-to” predicate root  [l : x, r : y] tree, but not what data it holds. For culminating in the copying algorithm in
for describing records with l and r fields. functional correctness reasoning, it Cheney’s garbage collector.
The use of emp in the if branch of is typical to use inductive predicates Many papers on SL have avoided –*,
the definition means that tree(r) is true that connect memory structures to often on the grounds that it complicates
of a heaplet that contains all and only mathematical entities. In place of tree automation and is only needed for pro-
the cells in the tree; there are no ad- (root) we could have a predicate tree (τ, grams with significant sharing. How-
ditional cells. Thus, the specification root) that says root points to an area of ever, –* is recently making something of
of deletetree(r) does not mention memory representing the mathemati- a comeback. For example, it is used rou-
nodes not in in the tree. This is analo- cal binary tree τ, where a mathemati- tinely as a basic tool in the Iris higher-
gous to what we did with the small axi- cal tree is either empty or an atom or order logic.29
oms for basic statements in Figure 3, a pair of trees. We could then specify
a procedure for copying a tree using a Concurrency, Ownership,
postcondition of the form and Separation
b There are variable conditions in some pre- The concurrency rule in Figure 3 says:
sentations of SL, that can technically be done
away with eliminated by using a version of *
To prove a parallel composition we give
that separates variables as well as heap.34 This that says we have two structures in mem- each process a separate piece of state,
article glosses over this issue. ory representing the same mathemati- and separately combine the postcon-

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 91
review articles

Figure 6. Concurrency proofs. Reynolds), in 2004, proved the theorem,

which justified the logic.

Abstraction and
the Fiction of Separation
There was considerable work on extend-
ing SL after those early papers. Some of it
concentrated on different programming
paradigms, such as object-oriented pro-
gramming or scripting languages, or
on additional programming primitives
such as message passing, reentrant lock
and fork/join concurrency. Besides ex-
tensions to cover an ever-greater variety
of programming, two conceptual devel-
opments opened major new directions.
ditions for each process. The rule sup- We could not prove a mutation were ˲˲ In his Ph.D. thesis, Parkinson
ports completely independent reason- we to place it there, because emp is not showed how abstract predicates (predi-
ing about processes. This rule can be a sufficient precondition for any muta- cate variables) fit together nearly with *
used to provide straightforward proofs tion; that is fortunate as such a muta- in the description of classes and other
of processes that don’t share access to tion could lead to a race condition. But stateful data abstractions.33
storage. We mentioned parallel quick- it is not the case that we know the glob- ˲˲ Gardner and others emphasized a
sort earlier, and deletetree() pro- al heap is empty, because the pointer concept of fictional separation, where
vides another illustration: we can run x could still persist. Rather, the knowl- strong separation properties could be
the two recursive calls in parallel rather edge that it points to something has assumed of data abstractions, even for
than sequentially, as presented in the been forgotten, transferred to the sec- implementations relying on sharing.
proof outline (1) in Figure 6. ond process where it materializes as These ideas were first described in
In work on CSL, proof outlines are y  –. A reading of assertions began a sequential setting. Dinsdale-Young,
often presented in a spatial fashion like to form based on the “right to deref- Gardner and Wheelhouse described
this: this outline shows the premises of erence” or “ownership” (taken as syn- an implementation of a module of se-
the concurrency rule in the left and right onymous with right to dereference). quences in terms of linked lists and not-
Hoare triples, the overall precondition On this reading emp says “I don’t have ed a mismatch: at the abstract level an
(the pre1 * pre2) at the beginning, and permission to dereference any heap,” operation might affect a small part of a
the post at the end. or “I own nothing,” rather than “the sequence, where at the implementation
While this reasoning is simple, if CSL heap is empty.” Similarly, x  – says “I level its footprint could involve the en-
had only been able to reason about dis- own x” (where “I” is the process from tire list; conversely, locality can increase
joint concurrency, where there is no inter- which the assertion is made). with abstraction.19 Meanwhile, Parkin-
process interaction, then it would have The ownership transfer example son initially targeted a sequential subset
rightly been considered rather restrictive. made it clear that quite a few concur- of Java. Subsequent work showed how
An important early example done with CSL rent programs would have much sim- abstract predicates could be understood
was a pointer-transferring buffer, where pler proofs than before. Modular proofs using higher-order versions of SL.5
one thread allocates a pointer and puts it were provided of semaphore programs, While they could be expressed in a
into a buffer while the other thread reads it of a toy memory manager, and programs sequential setting, the ideas took flight
out and frees it. Crucially, not only is the with interacting resources. It seemed as when transported to concurrency. The
pointer deemed to transfer from one pro- if the proofs mirrored design principles CAP logic18 combined insights on ab-
cess to another, but the “knowledge that it used to simplify reasoning about con- stract predicates and fiction, along
is allocated” transfers with the proof. The current processes, such as in Dijkstra’s with those of CSL, to reason about data
proof establishing absence of memory er- idea of loosely connected processes: abstractions with interference in their
rors is shown in (2) of Figure 6. A way to “[A]part from the (rare) moments of implementations. The views theory17
implement the buffer code for put and explicit intercommunication, the indi- provided a foundation where separa-
get is to use locks to synchronize access to vidual processes are to be regarded as tion does not appear in the normal exe-
a shared variable and a Boolean to signal completely independent of each other.”16 cution semantics of programs, but only
when the buffer is full. We will not delve However, the very feature that gave in an abstraction of it. Views showed
into the subproofs of buffer operations rise to the unexpected power, ownership that a simple version of CSL can embed
here—for that, consult O’Hearn30—but transfer, made soundness (whether the many other techniques including even
we want to talk about a shift in perspec- rules prove only true statements) non- the classic rely-guarantee method;27
tive on the meanings of logical assertions obvious. O’Hearn worked on soundness this is surprising because rely-guaran-
that the proof (2) led to. during 2001 and 2002, without success. tee was invented for reasoning about
Notice the assertion emp after the In May of 2002 he turned to Brookes who interference, almost the opposite of
put(x) statement in the left process. eventually (with important input from the basis of original SL.

92 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 review articles

Today, advanced logics are often for- O’Hearn, was the first SL verification used to prove crypto code. For example,
mulated as variations on the theme of tool. Given procedure pre/post specs, OpenSSL’s HMAC authentication code,
“higher-order concurrent separation loop invariants and invariants governing comprising 134 lines of C, was proven
logic.” One of these, Verifiable C, is the lock usage, Smallfoot attempts to con- using 2,832 lines of Coq.4
foundation of Appel’s Verified Software struct a proof. For the pointer-transfer- A larger example is the FSCQ file sys-
Toolchain,1 and includes an expressive ring buffer, given a buffer invariant and tem.14 The code and the proof are both
higher-order logic supporting recursive pre/post specs for put and get it can done in Coq, taking up 31k lines of
predicates. Iris29 encompasses reason- verify memory safety and race freedom. proof+code. This compares to 3k lines of
ing about fine-grained concurrency and Smallfoot used a decidable fragment C for a related unverified file system. Al-
even relaxed memory, based on differ- of SL dubbed “symbolic heap,” formu- though the initial effort, which included
ent instantiations of a single generic lae of the form B ∧ H where H is a sepa- development of a program logic frame-
model. Iris has been used to provide rating conjunction of heap facts and B work in Coq, took several person years,
a foundation of the type system of the is a Boolean assertion over non-heap experiments show incremental, lower
Rust programming language,28 which data. The format was chosen to make cost when modifying code+proof.
is very natural when you consider that in-place symbolic execution efficient. A commercial example concerns
ownership transfer is one of the central Smallfoot’s heap facts were restricted key modules of a preemptive OS ker-
ideas in Rust. to points-to assertions, linked lists and nel, the μC/OS-II.41 Modules verified
Technically, these works are based on trees. Subsequent works extended sym- include the scheduler, interrupt han-
“non-standard models” of SL, different bolic heaps in numerous directions, dlers, and message queues. 1.3k lines
from the heaplet model but instances of covering more inductive definitions as of C were proven using 216k lines of
Pym’s resource semantics as in Figure well as arrays and arithmetic; see appen- Coq. It took four person years to de-
2; see Pym et al.36 There are many such dix (https://bit.ly/2CQD9CU). velop the framework, one-person year
models, including ones incorporating Some of the most substantial auto- to prove the first module, and then the
read and other permissions,7 auxiliary matic verifications done with SL have remaining modules, around 900 lines
state,39 time,39 protocols,29 and others. been carried out with the VeriFast tool of of C, took six person-months.
Abstract SL13 showed how general pro- Jacobs and colleagues. VeriFast employs Automatic program analysis. With a
gram logic could be defined based on a symbolic execution engine like Small- verification-oriented program analysis
these models, and the works just men- foot, but integrates a dedicated SL theo- the annotations that a human would
tioned and others showed that some of rem prover with a classical SMT solver supply to a mostly automatic verifier
them had surprising ramifications. for non-heap data. A paper reports on like Smallfoot—invariants and pre/post
Fictional separation and views the verification of several industrial case specs—are inferred. A tool will be able
worked to reimagine fundamental con- studies, including Java Card programs to prove weaker properties when the hu-
cepts. The programs being proven go and device drivers written in C;35 see Ver- man is not supplying annotations, but
beyond the loosely connected processes iFast’s GitHub site for these and many can more easily be deployed broadly to
that CSL was originally designed for. other examples (https://github.com/ many programmers.
Significant new theoretical insights and verifast/verifast). Program analysis with SL has re-
soundness arguments were needed to Interactive verification. In an auto- ceived a great deal of attention. At first,
justify the program-proof rules support- matic verifier like Smallfoot, the proof analysis was formulated for simple
ing the fine-grained concurrency exam- construction is automatic, given the linked lists,20 and progressively re-
ples.17 This led to a flowering of interest pre/post annotations plus invariants. searchers moved on to more involved
and new ideas which is still in progress. In interactive verification the human data structures. A practical high point
A recent survey on CSL provides many helps guide the proof search, com- in this line of work was the verification
more references in addition to those monly using a proof assistant such of pointer safety in Linux and Win-
mentioned here.9 as Coq, HOL4, or Isabelle. Interactive dows device drivers up to 10k LOC by
verification can often prove stronger the SpaceInvader program analyzer.43
Directions in properties than automatic verifiers, SpaceInvader was an academic tool;
Mechanized Reasoning but the cost is higher. its sibling, SLAyer,3 developed in par-
SL spawned new approaches to verifi- Interactive verifiers have been used allel at Microsoft, was used internally
cation tools. In order to provide a taste to prove small, intricate algorithms. A to find 10s of memory safety errors in
of where the field has gone, we present recent paper reports on the verification Windows device drivers. SpaceInvader
a sampling of practical achievements; of low-level concurrent algorithms in- and SLAyer were able to analyze com-
that is, we focus on the end points rath- cluding a CAS-lock, a ticketed lock, a GC plex, linear data structures: for exam-
er than the (important) advancements allocator, and a non-blocking stack.39 An ple, oneWindows driver manipulated
along the way that helped get there. emphasis is placed on reusability; for in- five-cyclic doubly linked lists sharing a
Further references to the literature, in- stance, the stack uses the GC allocator, common header node, three of which
cluding discussion on intermediate ad- which in turn uses a lock, but the stack had acyclic sublists.
vances, may be found in the appendix uses the spec of the allocator and the Like much research in verification-
(https://bit.ly/2CQD9CU). allocator uses the spec rather than the oriented program analysis these tech-
Mostly automatic verification. Small- implementation of a lock. niques worked in a whole-program
foot,2 from Calcagno, Berdine, and The verifiable C logic1 has been fashion: you start from main() or

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 93
review articles

other entry points and explore the pro- sis not infrequently finds more general
gram graph, perhaps visiting proce- specifications than a top-down analysis
dure bodies multiple times. This can With bi-abduction we can automate that dives into procedures at call sites;
be expensive. While accurate analysis the local reasoning idea by abducing finding general specs is important for
of 10k LOC can be a leading research assertions that describe preconditions, both scalability and precision.
achievement, 10k is tiny compared to and using frame inference to keep speci- The main bi-abduction paper12
software found in the wild. A single fications small. Let us illustrate with the contributed proof techniques and al-
company can have tens of millions of program we started the paper with. We gorithms for abduction, and a novel
lines of code. Progress toward big code begin symbolic execution with nothing compositional algorithm for generat-
called for a radical departure. in the precondition, and we ask a bi- ing pre/post specs of program compo-
abduction question, using the current nents. Experimental results scaled to
Bi-Abduction and Facebook Infer state emp as the A part of the bi-abduc- hundreds of thousands of lines, and a
In 2008 Calcagno asked: What is the main tion query and the pre of the small axi- part of Linux of 3M lines. This form of
obstacle blocking application of SpaceIn- om for [x] = y as B. analysis finds preconditions support-
vader and similar tools to programs in the ing safety proofs of clusters of proce-
millions of LOC? O’Hearn answered: The dures as well as indicating potential
need for the human to supply precondi- bugs where proofs failed.
tions. He proposed that a “truly modu- This work led to the program proof
lar” analysis based on local reasoning startup Monoidics, founded by Calc-
could accept a program component with agno, Distefano and O’Hearn in 2009.
no human annotations, and generate Monoidics developed and marketed the
a pre/post spec where the precondition Now, we move the abduced anti-frame Infer tool, based on the abductive tech-
approximates the footprint. The analysis to the overall precondition, we take nique. Monoidics was acquired by Face-
would then “stitch” these specifications one step of symbolic execution using book in 2013 at which point Calcagno,
together to obtain results for larger pro- the small axiom for Pointer Write from Distefano, and O’Hearn moved to Face-
gram parts. The analysis would be com- Figure 2, we install the post of the small book with the Monoidics engineering
positional, in that a spec for a procedure axiom as the pre of the next instruction, team (www.fbinfer.com).
could be obtained without knowing its and we continue. The compositional nature of In-
callers, and the hypothesis was that it fer turned out to be a remarkable fit
would scale because procedures could be for Facebook’s software development
visited independently. This implied giv- process.11 A codebase with millions
ing up on whole-program analysis. of lines is altered thousands of times
Calcagno, O’Hearn, Distefano and per day in “code diffs” submitted by
Yang set to work on realizing a truly the programmers. Instead of doing
modular analysis. Yang developed a a whole-program analysis for each
scheme based on gleaning information The formula y  – in the bi-abduc- diff, Infer analyzes changes (the diffs)
from failed proofs to discover a foot- tion query is the precondition of the compositionally, and reports regres-
print. Distefano made a breakthrough small axiom for the pointer write [y] = x: sions as a bot participating in the in-
on the stitching issue for the modular we abduce it as the anti-frame, and add ternal code review process. Using bi-
analysis that involved a new inference it to the overall precondition. The frame abduction, the frame rule picks off (an
problem: rule tells us that the inferred frame x  approximation of) just enough state
Bi-abduction: given A and B, find y is unaltered by [y] = x, when it is sepa- to analyze a diff, instead of consider-
?frame and ?anti-frame such that rately conjoined with y  –, and this ing the entire global program state.
with the small axiom gives us our overall The way that compositional analysis
postcondition in supports incremental diff analysis is
even more important than the ability
where  is read ‘entails’ or ‘implies.’ to scale; a linear-time analysis operat-
The inference of ?frame (the leftover ing on the whole program would usu-
part in A but not B) was present in ally be too slow for this deployment
Smallfoot, and is used in many tools. model. Indeed, Infer has evolved from
The ?anti-frame part (the missing bit So, starting from specifications for a standalone SL-based analyzer to a
needed to establish B), is abduction, primitive statements, we can infer both general framework for compositional
or inference of hypotheses, an infer- a precondition and a postcondition for analyses (http://fbinfer.com/docs/
ence problem identified by the philos- a compound statement by repeated ap- checkers.html and appendix; https://
opher Charles Peirce in his conceptu- plications of bi-abduction and the frame bit.ly/2CQD9CU).
al analysis of the scientific method. As rule. This facility leads to a high degree
a simple example, of automation. Also, note that the pre- Conclusion
condition here is more general than the Some time during 2001, while sitting
one at the start of the paper, because it together in his back garden, Reynolds
can be solved with does not mention 0. Bi-abductive analy- turned to me and exclaimed: “The

94 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 review articles

logic is nice, but it’s the model that’s mental understanding and in mecha- concurrent programs. In Proceedings of POPL, 2013,
287–300.
really important.” My own prejudice nized techniques that help program- 18. Dinsdale-Young, T., Dodds, M., Gardner, M., Parkinson,
for semantics made me agree imme- mers in their daily work. I hope that M.J. and Vafeiadis, V. Concurrent abstract predicates. In
Proceedings of ECOOP, 2010, 504–528.
diately. We were both beguiled by the scientists and engineers will continue to 19. Dinsdale-Young, T., Gardner, P. and Wheelhouse, M.J.
fact that this funky species of logic innovate on the fascinating problems in Abstraction and refinement for local reasoning. In
Proceedings of VSTTE, 2010, 199–215.
could be described using down-to- this area. 20. Distefano, D., O’Hearn, P.W. and Yang, H. A local shape
earth computer science concepts like Acknowledgments. This article is analysis based on separation logic. In Proceedings of
TACAS, 2006, 287–302.
RAMs and access bits. dedicated to the memory of John C. 21. Floyd, R.W. Assigning meanings to programs. In
Proceedings of the Symposium on Applied Mathematics.
What happened later came as a sur- Reynolds (1935–2013). Our work to- J.T. Schwartz, ed. AMS, 1967, 19–32.
prise. The specific heap/RAM model gether at the formative stage of sepa- 22. Hoare, C.A.R. An axiomatic basis for computer
programming. Commun. ACM 12, 10 (1969), 576–580.
gave way in importance to a more gen- ration logic was incredibly intense, 23. Hoare, C.A.R. Towards a theory of parallel
eral class of nonstandard models based exciting, and huge fun. I am fortunate programming. Operati ng Systems Techniques.
Academic Press, 1972.
on fictional rather than down-to-earth to have worked so closely with such 24. Hoare, T., Möller, B., Struth, G. and Wehrman, I.
separation. And the logic itself, particu- a brilliantly insightful scientist, who Concurrent Kleene algebra and its foundations. J. Log.
Algebr. Program 80, 6 (2011), 266–296.
larly its proof theory, turned out to be ex- was also a valued friend. 25. Hobor, A. and Villard, J. The ramifications of sharing
tremely useful in automatic verification, I thank my many other collabo- in data structures. In Proceedings of 40th POPL, 2013,
523–536.
leading to many novel research tools rators in the development of this 26. Ishtiaq, S.S. and O’Hearn, P.W. BI as an assertion
and eventually to Facebook Infer. research, particularly David Pym, language for mutable data structures. In Proceedings of
POPL, 2001, 14–26.
Still, I expect that in the long run it Hongseok Yang, Richard Bornat, Cris- 27. Jones, C.B. Specification and design of (parallel)
will be the spirit rather than the letter of tiano Calcagno, Josh Berdine, Dino programs. In Proceedings of IFIP Congress, 1983,
321–332.
SL that is more significant. Concepts of Distefano, Steve Brookes, Matthew 28. Jung , R. Jourdan, J.-H., Krebbers, R. and Dreyer.
frames, footprints, and separation as a Parkinson, Philippa Gardner, and D. RustBelt: Securing the foundations of the Rust
programming language. In Proceedings of PACMPL,
basis for modular reasoning seem to be Tony Hoare. Finally, thanks to my col- 2018.
29. Krebbers, R., Jung, R., Bizjak, A., Jourdan, J-H, Dreyer, D.
of fundamental importance, indepen- leagues at Facebook for our work to- and Birkedal, L. The essence of higher-order concurrent
dently of the syntax used to describe gether and for teaching me about ap- separation logic. In Proceedings of ESOP, 2017,
696–723.
them. Indeed, one of the more impor- plying logic in the real world. 30. O’Hearn, P.W. Resources, concurrency, and local
tant directions I see for further work is reasoning. Theor. Comput. Sci. 375, 1-3 (2007), 271–307.
31. O’Hearn, P.W and Pym, D.J. The logic of bunched
in theoretical foundations that get at References implications. Bulletin of Symbolic Logic 5, 2 (1999),
1. Appel, A.W. Program Logics for Certified Compilers.
the essence of scalable, modular rea- Cambridge University Press, U.K., 2014.
215–244.
32. O’Hearn, P.W., Reynolds, J.C. and Yang, H. Local
soning in as formalism-independent 2. Berdine, J. Calcagno, C. and O’Hearn, P.W. Smallfoot: reasoning about programs that alter data structures. In
Modular automatic assertion checking with separation
a way as possible. Theoretical synthe- logic. LNCS FMCO 4111 (2005) 115–137, 2005.
Proceedings of CSL, 2001, 1–19.
33. Parkinson. M.J. Local reasoning for Java. Ph.D. thesis.
sis would be extremely useful for three 3. Berdine, J., Cook, B. and Ishtiaq, S. SLAyer: Memory University of Cambridge, U.K., 2005.
safety for systems-level code. In Proceedings of CAV,
reasons: To make it easier for people 2011, 178–183.
34. Parkinson, M.J., Bornat, R. and Calcagno, C. Variables
as resource in Hoare logics. In Proceedings of 21st LIC,
to understand what has been achieved 4. Beringer, L., Petcher, A., Ye, K.Q. and Appel, A.W. Verified 2006, 137–146.
correctness and security of OpenSSL HMAC. In 35. Philippaerts, P., Mühlberg, J.T., Penninckx, W., Smans,
by each new idea; to provide a simpler Proceedings of 24th USENIX Security Symposium, 2015, J., Jacobs, B. and Piessens, F. Software verification with
jumping-off point for future work than 207–221. verifast: Industrial case studies. Sci. Comput. Program.
5. Biering, B., Birkedal, L. and Torp-Smith, N. BI- 82 (2014), 77–97.
the union of the many specific advanc- hyperdoctrines, higher-order separation logic, and 36. Pym, D., O’Hearn, P. and Yang, H. Possible worlds and
es; and, to suggest new, unexplored abstraction. ACM TOPLAS 29, 4 (2007). resources: The semantics of BI. Theoret. Comp. Sci. 315,
6. Bornat, R. Proving pointer programs in Hoare logic. 1 (2004), 257–305.
avenues. Hoare has been advancing LNCS MPC 1837 (2000) 102–126. 37. Reynolds, J,C. Intuitionistic reasoning about shared
an abstract, algebraic theory related to 7. Bornat, R., Calcagno, C., O’Hearn, P.W. and Parkinson, mutable data structure. Millennial Perspectives in
M.J. Permission accounting in separation logic. In Computer Science, Cornerstones of Computing. Palgrave
CSL, which has components covering Proceedings of POPL, 2005, 259–270. Macmillan, 2000.
semantics, proof theory, and testing,24 8. Brookes, S. A semantics for concurrent separation logic. 38. Reynolds, J.C. Separation logic: A logic for shared
Theor. Comput. Sci., 375, 1–3 (2007), 227–270. mutable data structures. LICS, 2002, 55–74.
and work along these lines is well worth 9. Brookes, S. and O’Hearn, P.W. Concurrent separation 39. Sergey, I., Nanevski, A. and Banerjee, A. Mechanized
logic. SIGLOG News 3, 3 (2016), 47–65.
exploring further. 10. Burstall, R.M. Some techniques for proving correctness
verification of fine-grained concurrent programs. In
Proceedings of 36th PLDI, 2015, 77–87.
Other relevant reference points are of programs which alter data structures. Machine 40. Turing, A.M. Checking a large routine. Report of a
Intelligence 7, 1 (1972), 23–50.
works on general versions of SL,13,17 11. Calcagno, C. et al. Moving fast with software verification.
Conference on High-Speed Automatic Calculating
Machines. Univ. Math. Lab., Cambridge, U.K., 1949,
abstract interpretation,15 and work on In Proceedings of NASA Formal Methods Symposium, 67–69.
2015, 3–11.
“separation without SL” discussed in 12. Calcagno, C., Distefano, D., O’Hearn, P.W. and Yang, H.
41. Xu, F., Fu, M., Feng, X., Zhang, X., Zhang, H. and Li, Z.
A practical verification framework for preemptive OS
the appendix (https://bit.ly/2CQD9CU). Compositional shape analysis by means of bi-abduction. kernels. In Proceedings of CAV, 2016.
J. ACM 58, 6 (2011), 26. Preliminary version in 42. Yang, H. Local Reasoning for Stateful Programs. Ph.D.
Semantic fundamentals would be cru- Proceedings of POPL’09. thesis. University of Illinois, 2001.
cial to an adequate general foundation, 13. Calcagno, C., O’Hearn, P.W. and Yang, H. Local action and 43. Yang, H., Lee, O., Berdine, J., Calcagno, C., Cook, B.,
abstract separation logic. LICS, 2007, 366–378. Distefano, D. and O’Hearn, P.W. Scalable shape analysis
but I stress that proof theoretic and es- 14. Chen, H., Ziegler, F., Chajed, T., Chlipala, A., Kaashoek, for systems code. In Proceedings of CAV, 2008,
pecially algorithmic aspects addressing M.F. and Zeldovich, N. Using Crash Hoare logic for 385–398.
certifying the FSCQ file system. In Proceedings of 44. Yang, H. and O’Hearn, P.W. A semantic basis for local
the central problem of scale should be SOSP, pages 18–37, 2015. reasoning. In Proceedings of FoSSaCS, 2002, 402–416.
covered as well. 15. Cousot, P. and Cousot, R. Abstract interpretation: A
unified lattice model for static analysis of programs
In conclusion, scalable reasoning by construction or approximation of fixpoints. In
Peter O’Hearn (p.ohearn@ucl.ac.uk) is a research
about code has come a long way since Proceedings of POPL, 1977, 238–252.
scientist at Facebook and professor of computer science
16. Dijkstra, E.W. Cooperating sequential processes.
at University College London, U.K.
the birth of SL around the turn of the Programming Languages, Academic Press, 1968,
43–112.
millennium, but it seems to me that 17. Dinsdale-Young, T., Birkedal, L., Gardner, P., Parkinson,
much more is possible both in funda- M.J. and Yang, H. Views: Compositional reasoning for © 2019 ACM 0001-0782/19/2 $15.00

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 95
research highlights
P. 97 P. 98
Technical
Perspective Distributed Strategies for
How Economic Computational Sprints
Theories Can By Songchun Fan, Seyed Majid Zahedi, and Benjamin C. Lee
Help Computers
Beat the Heat
By Thomas F. Wenisch

P. 107 P. 108
Technical
Perspective Scalable Computation of High-
To Do or Not to Do: Order Optimization Queries
Extending SQL By Matteo Brucato, Azza Abouzied, and Alexandra Meliou
with Integer Linear
Programming?
By Surajit Chaudhuri

96 COMM UNICATIO NS O F THE ACM | F EBR UA RY 201 9 | VO L . 62 | NO. 2

 DOI:10.1145/ 3 2 9 9 8 8 3

Technical Perspective
To view the accompanying paper,
visit doi.acm.org/10.1145/3299885 rh

How Economic Theories Can

Help Computers Beat the Heat
By Thomas F. Wenisch

N E A R LY E V E R Y C O M P U T E R system today Current datacenters must either run are free to choose when to sprint, but
runs hot … too hot. For over a decade, complex, centralized control systems to must wait for a cool-off period before
thermal constraints have limited the allocate power and thermal budgets at sprinting again. Moreover, if too many
computational capability of computing fine granularity, or reserve large guard- nodes sprint at once, supplemental bat-
systems of all sizes—from mobile bands to avoid power or thermal emer- tery power must be used to avoid trip-
phones to datacenters. And, for nearly gencies. But, because they require fre- ping circuit breakers; servers connected
that long, system designers have cheated quent communication, centralized to that power circuit are not allowed to
those thermal limits, allowing systems systems are prone to failure and notori- sprint again until the battery recharg-
to burn more power, and produce more ously difficult to scale—the frequent es. To “win” in this game, agents must
heat, for short periods to deliver bursts communication rapidly becomes a bot- choose to sprint when they achieve the
of peak performance beyond what can tleneck. Moreover, workloads benefit to maximum performance benefit while
be sustained. This idea—running a com- different degrees at different times from taking into account the risk they incur
puter too hot for a short period of time to computational sprinting; judicious use that too many concurrent sprinters
get a burst of performance—is called of scarce power and cooling budgets can cause a circuit to trip.
computational sprinting. lead to better overall performance. The To optimize the datacenter as a
We have likely all experienced compu- challenges of allocating budgets grow whole, each agent provides a broker with
tational sprinting on our smartphones; even more daunting in cloud computing its best estimate of its utility curve—how
it turns out that, if all the cores, accelera- environments, where each cloud tenant much benefit it gains from sprinting for
tors, and peripherals on a modern smart- seeks to maximize its own performance various fractions of its execution while
phone are turned on at once, the phone and may have no incentive to cooperate. taking into account the risks of a circuit
will generate several times more heat Economics has long studied the chal- breaker trip. The broker then solves for a
than can be dissipated through its case. If lenges of allocating scarce resources. global equilibrium that maximizes util-
you play a demanding 3D video game for Game theory, in particular, studies ity, and provides each agent the strategy
more than a few minutes, you might no- resource allocation among strategic it should follow to reach that equilib-
tice the phone get uncomfortably warm. agents that seek to maximize their indi- rium. The strength of the underlying
As the phone heats up, eventually, pro- vidual utility and might even lie about economic theory is that agents prov-
cessing speeds have to slow to keep tem- their preferences to do so. ably cannot gain an advantage from ly-
perature rise in check. When the phone The authors of the following paper, ing about their utility curve or deviating
cools, its processor can run full-tilt again. Distributed Strategies for Computational from their assigned strategy … so, they
What might be less widely known Sprints, bring this rich theory to the are incentivized to cooperate.
is that modern datacenters can play challenge of managing computational The beauty of this approach is that
similar tricks; they oversubscribe both sprinting in datacenters. They formu- it provides nearly the effectiveness of
power delivery and cooling capability late the problem of managing compu- perfect centralized control while requir-
to eke out greater efficiency. Individual tational sprinting as a repeated game: ing only simple, infrequent interactions
servers may sprint by consuming more agents managing individual workloads with the broker. Because agents can-
than their fair share of power to maxi- not gain an advantage by cheating, this
mize performance when their workload kind of coordination mechanism can be
is high. In a datacenter running diverse When we consider the used even among mutually distrusting
workloads, different systems will likely agents, as in the cloud. More generally,
sprint at different times, and the aver- resource management the paper teaches us that, when we con-
age demands of the facility will (prob- challenges that arise sider the myriad resource management
ably) remain sustainable. But, a local challenges that arise in computer sys-
spike in one server rack might draw too in computer systems, tems, we ought to look beyond the con-
much power from a particular circuit, we should look fines of our own discipline; economics
risking that a circuit breaker trips. Or, provides a rich toolset from which all of
all the cores in a particular server might beyond the confines us can learn.
run a sustained compute job at full bore of our own discipline.
and risk local over-heating. To maximize Thomas F. Wenisch is an associate professor of
computer science and engineering at the University of
efficiency, a datacenter should sprint as Michigan, Ann Arbor, MI, USA.
close to its power and thermal limits as
it can … without going over them. Copyright held by author/owner.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 97
research highlights
DOI:10.1145/ 32 9 9 8 8 5

Distributed Strategies for

Computational Sprints
By Songchun Fan,† Seyed Majid Zahedi,† and Benjamin C. Lee

Abstract mechanisms couple performance opportunities with

Computational sprinting is a class of mechanisms that boost management constraints.
performance but dissipate additional power. We describe a We face fundamental management questions when
sprinting architecture in which many, independent chip ­servers sprint independently but share a power supply –
multiprocessors share a power supply and sprints are con- which processors should sprint and when should they
strained by the chips’ thermal limits and the rack’s power sprint? Each processor’s workload derives extra perfor-
­limits. Moreover, we present the computational sprinting mance from sprinting that depends on its computational
game, a multi-agent perspective on managing sprints. phase. Ideally, sprinters would be the processors that ben-
Strategic agents decide whether to sprint based on applica- efit most from boosted capability at any given time.
tion phases and system conditions. The game produces an Moreover, the number of sprinters would be small enough
equilibrium that improves task throughput for data analytics to avoid power emergencies, which constrain future
workloads by 4–6× over prior greedy heuristics and performs sprints. Policies that achieve these goals are prerequisites
within 90% of an upper bound on throughput from a globally for sprinting to full advantage.
optimized policy. We present the computational sprinting game to manage
a collection of sprinters. The sprinting architecture, which
defines the sprinting mechanism as well as power and cool-
1. INTRODUCTION ing constraints, determines rules of the game. A strategic
Modern datacenters oversubscribe their power supplies to agent, representing a multiprocessor and its workload,
enhance performance and efficiency. A conservative data- independently decides whether to sprint at the beginning of
center that deploys servers according to their expected an epoch. The agent anticipates her action’s outcomes,
power draw will under-utilize provisioned power, operate knowing that the chip must cool before sprinting again.
power supplies at sub-optimal loads, and forgo opportuni- Moreover, she analyzes system dynamics, accounting for
ties for higher performance. In contrast, efficient datacen- competitors’ decisions and risk of power emergencies.
ters deploy more servers than it can power fully and rely on We find the equilibrium in the computational sprinting
varying computational load across servers to modulate game, which permits distributed management. In an equi-
demand for power.4 Such a strategy requires responsive librium, no agent can benefit by deviating from her optimal
mechanisms for delivering power to the computation that strategy. The datacenter relies on agents’ incentives to
needs it most. decentralize management as each agent self-enforces her
Computational sprinting is a class of mechanisms that part of the sprinting policy. Decentralized equilibria allow
supply additional power for short durations to enhance per- datacenters to avoid high communication costs and
formance. In chip multiprocessors, for example, sprints unwieldy enforcement mechanisms in centralized manage-
activate additional cores and boost their voltage and frequency. ment. Moreover, equilibria outperform prior heuristics.
Although originally proposed for mobile systems,13, 14 sprint-
ing has found numerous applications in datacenter systems. 2. THE SPRINTING ARCHITECTURE
It can accelerate computation for complex tasks or accom- We present a sprinting architecture for chip multiproces-
modate transient activity spikes.16, 21 sors in datacenters. Multiprocessors sprint by activating
The system architecture determines sprint duration additional cores and increasing their voltage and frequency.
and frequency. Sprinting multiprocessors generate extra Datacenter applications, with their abundant task parallel-
heat, absorbed by thermal packages and phase change ism, scale across additional cores as they become available.
materials (PCMs),14, 16 and require time to release this heat In Figure 1, Spark benchmarks perform 2–7× better on a
between sprints. At scale, uncoordinated multiprocessors sprinting multiprocessor, but dissipates 1.8× the power.
that sprint simultaneously could overwhelm a rack or Power produces heat.
cluster’s power supply. Uninterruptible power supplies Sprinters require infrastructure to manage heat and
reduce the risk of tripping circuit breakers and triggering power. First, the chip multiprocessor’s thermal package
power emergencies. But the system requires time to
recharge batteries between sprints. Given these physical
The original version of this paper is entitled “The
constraints in chip multiprocessors and the datacenter
Computational Sprinting Game” and was published in
rack, sprinters require recovery time. Thus, sprinting
Proceedings of the International Conference on Architectural
Support for Programming Languages and Operating Systems
(2016), ACM, NY.
†
  These authors contributed equally to this work.

98 COM MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | NO. 2

Figure 1. Normalized speedup, power, and temperature for varied Spark benchmarks when sprinting. Nominal operation supplies three cores
at 1.2GHz. Sprint supplies twelve cores at 2.7GHz.

Non−sprinting Sprinting

1.5

Average temperature (°C)

6
50
Normalized speedup

Normalized power
5
40
4 1.0
30
3
2 0.5 20

1 10
0 0.0 0

le
Pa elat S

ia C
L M
e ar

ge ion
le
Pa elat S

SV t
ia C
L M
e ar

ge ion

Co ans
SV t

c ve
le
Pa elat S

nk
ia C
L M
e ar
Co ans

ad n
ge ion
c ve

SV t
ad n

nk

Co ans
c ve

nk
ad n

ien
ien

rr AL
ien

Tr C
rr AL

Tr C

Gr isio
rr AL

ng
Gr isio

Tr C
ng

Kmine
Gr isio

ng
Kmine

Kmine

De Na i
De Na i

ra
De Na i
ra

ra
and heat sink must absorb surplus heat during a sprint.14, 15 Figure 2. Typical trip curve of a circuit breaker.5
Second, the datacenter rack must employ batteries to guard
against power emergencies caused by a surplus of sprinters 3600
on a shared power supply. Third, the system must imple- Long-delay

ment management policies that determine which chips Conventional

tripping
sprint.
120 Non-deterministic Short circuit

2.1. System architecture

Chip multiprocessors and thermal packages. The quality
of the multiprocessor’s thermal package, measured by its ∆tsprint
thermal capacitance and conductance, determines the
Trip time (sec)

To
chip’s maximum power level and dictates the duration of a 2 ler
an P =1
sprint.13, 15 More expensive heat sinks employ PCMs, which Ptrip=0 ce trip
ba
increase thermal capacitance, and permit sprint durations nd Tripped
on the order of minutes if not hours. We estimate a chip 0.1
with paraffin wax can sprint with durations on the order of
150s.
After a sprint, the thermal package must release its heat
before the chip can sprint again. The average cooling dura- Not tripped
tion, denoted as ∆tcool, is the time required before the PCM
returns to ambient temperature. The rate at which the PCM
dissipates heat depends on its melting point and the ther-
mal resistance between the material and the ambient. Both 1 2 3 5 10 20
factors can be engineered and, with paraffin wax, we esti- Current normalized to rated current
mate a cooling duration on the order of 300s, twice the
sprint’s duration.
Power delivery and circuit breakers. Datacenter archi- to the number of simultaneous sprints as each sprinter con-
tects deploy servers and multiprocessors to oversubscribe tributes to the load above rated current. Higher currents
power distribution units for efficiency. Oversubscription increase the probability of tripping the breaker.
utilizes a larger fraction of the facility’s provisioned power. Let nS denote the number of sprinters and let Ptrip denote
But it relies on power capping and varied computational the probability of tripping the breaker. The breaker occupies
load across servers to avoid tripping circuit breakers or vio- one of the following regions:
lating contracts with utility providers.4 Although sprints
can boost computation, the risk of a power emergency • Non-Tripped. Ptrip is zero when nS < Nmin
increases with the number of sprinters in a power capped • Non-Deterministic. Ptrip is a non-decreasing function of
datacenter. nS when Nmin ≤ nS < Nmax
Figure 2 presents the circuit breaker’s trip curve, which • Tripped. Ptrip is one when nS ≥ Nmax
specifies how sprint duration and power combine to deter-
mine whether the breaker trips. The trip time corresponds Note that Nmin and Nmax depend on the breaker’s trip curve and
to the sprint’s duration. Longer sprints increase the proba- the application’s demand for power when sprinting. For
bility of tripping the breaker. The current draw corresponds Spark on chip multiprocessors, we find that the breaker does

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T HE ACM 99
research highlights

not trip when less than 25% of the chips sprint and definitely ­ arallelism when sprinting powers-on cores and tolerates
p
trips when more than 75% of the chips sprint. In other faults when cooling and recovery powers-off cores.
words, Nmin = 0.25N and Nmax = 0.75N. We consider circuit Agents are strategic and selfish entities that act on users’
breakers that can be overloaded to 125–175% of rated current behalf. They decide whether to sprint by continuously ana-
for a 150s sprint.18, 21 lyzing fine-grained application phases. Because sprints are
Uninterruptible power supplies. When the breaker trips followed by cooling and recovery, an agent sprints judi-
and resets, power distribution switches from the branch cir- ciously and targets application phases that benefit most
cuit to the uninterruptible power supply (UPS).7 The rack from extra capability. Agents use predictors that estimate
augments power delivery with batteries to complete sprints utility from sprinting based on software profiles and hard-
in progress. Lead acid batteries support discharge times of ware counters. Each agent represents a user and her applica-
5–120min, long enough to support the duration of a sprint. tion on a chip multiprocessor.
After completing sprints and resetting the breaker, servers Coordination. The coordinator collects profiles from
resume computation on the branch circuit. all agents and assigns tailored sprinting strategies to each
Servers are forbidden from sprinting again until UPS bat- agent. The coordinator interfaces with strategic agents who
teries are recharged. Sprints before recovery compromises may attempt to manipulate system outcomes by misreport-
server availability and increases vulnerability to power emer- ing profiles or deviating from assigned strategies.
gencies. Moreover, frequent discharges without recharges Fortunately, our game-theoretic mechanism guards against
shorten battery life. The average recovery duration, denoted such behavior.
by ∆trecover, depends on the UPS discharge depth and recharg- First, agents will truthfully report their performance pro-
ing time. A battery can be recharged to 85% capacity in 8–10× files. In large systems, game theory provides incentive com-
the discharge time, which corresponds to 8–10× the sprint patibility, which means that agents cannot improve their
duration. utility by misreporting their preferences. An agent who mis-
reports her profile has little influence on conditions in a
2.2 Management architecture large system. Not only does she fail to affect others, an agent
Figure 3 illustrates the management framework for a rack who misreports suffers degraded performance as the coor-
of sprinting chip multiprocessors. The framework sup- dinator assigns her a poorly suited strategy based on inac-
ports policies that pursue the performance of sprints curate profiles.
while avoiding system instability. Unmanaged and exces- Second, agents will implement their assigned strategies
sive sprints may trip breakers, trigger emergencies, and because the coordinator optimizes those strategies to pro-
degrade performance at scale. The framework achieves its duce an equilibrium. In equilibrium, every agent imple-
objectives with strategic agents and coarse-grained ments her strategy and no agent benefits by deviating from
coordination. it. An equilibrium has compelling implications for manage-
Users and agents. Each user deploys three run-time com- ment overheads. If each agent knows that every other agent
ponents: executor, agent, and predictor. Executors provide is playing her assigned strategy, she will do the same without
clean abstractions, encapsulating applications that could further communication with the coordinator. Global com-
employ different software frameworks.10 The executor sup- munication between agents and the coordinator is infre-
ports task-parallel computation by dividing an application quent and occurs only when system profiles change. In
into tasks, constructing a task dependence graph, and effect, an equilibrium permits the distributed enforcement
scheduling tasks dynamically based on available resources. of sprinting policies.
Task scheduling is particularly important as it increases Equilibria are especially compelling when compared to
the centralized enforcement of coordinated policies, which
Figure 3. Users deploy task executors and agents that decide when poses several challenges. First, centralized enforcement
to sprint. Agents send performance profiles to a coordinator and requires frequent and global communication as each agent
receives optimized sprinting strategies. decides whether to sprint by querying the coordinator at the
Coordinator start of each epoch. The length of an epoch is short and cor-
responds to sprint duration. Moreover, without equilibria,
Alg 1 agents with kernel privileges could ignore prescribed poli-
cies, sprint at will, and cause power emergencies that harm
all agents.
fi le
Pro gy
ate
Str 3. THE SPRINTING GAME
User User We design a sprinting game to govern power supply and
Agent Predictor Agent Predictor manage system dynamics. The game divides time into

Executor engine
... Executor engine
epochs and asks agents to play repeatedly. Agents represent
chip multiprocessors that share power. Each agent chooses
to sprint independently, pursuing benefits in the current
Task Task epoch and estimating repercussions in future epochs. An
agent’s utility from sprinting varies across epochs according
to her application’s phases. Multiple agents can sprint

100 CO MM UNICATIO NS O F T H E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

simultaneously, but they risk tripping the circuit breaker method when analyzing individual agents in a large system
and triggering power emergencies that harm global is intractable.1 First, we define key probability distributions
performance. on population behavior. Second, we optimize each agent’s
The game considers N agents who run task-parallel appli- strategy in response to the population rather than individual
cations on N chip multiprocessors. Each agent computes in competitors. Third, we find an equilibrium in which no
either normal or sprinting mode. The normal mode uses a agent can perform better by deviating from her optimal
fraction of the cores at low frequency whereas sprints use all strategy. Thus, we reason about the population and neglect
cores at high frequency. Sprints rely on the executor to individual agents because any one agent has little impact on
increase task parallelism and exploit extra cores. In this arti- overall behavior in a large system.
cle, we consider three cores at 1.2GHz in normal mode and The mean field analysis for the sprinting game focuses on
twelve cores at 2.7GHz in a sprint. the sprint distribution, which characterizes the number of
In any given epoch, an agent occupies one of three states— agents who sprint when the system is not in recovery.
active (A), chip cooling (C), and rack recovery (R)—according In equilibrium, the sprint distribution is stationary and
to her actions and those of others in the rack. An agent’s does not change across epochs. In any given epoch, some
state describes whether she can sprint, and describes how agents complete a sprint and enter the cooling state while
cooling and recovery impose constraints on her actions. others leave the cooling state and begin a sprint. Yet the
Active (A) – Agent can safely sprint. An agent in the active number of agents who sprint is unchanged in expectation.
state operates her chip in normal mode by default. The The stationary distribution for the number of sprinters
agent may decide to sprint by comparing benefits in the cur- translates into stationary distributions for the rack’s cur-
rent epoch against benefits from deferring the sprint to a rent draw and the probability of tripping the circuit
future epoch. If the agent sprints, her state in the next epoch breaker. Given the tripping probability, which concisely
is cooling. describes population dynamics, an agent can formulate
Chip cooling (C) – Agent cannot sprint. After a sprint, an her best response and optimize her sprinting strategy to
agent remains in the cooling state until excess heat has been maximize performance. We find an equilibrium by speci-
dissipated. Cooling requires a number of epochs ∆tcool, fying an initial value for the tripping probability and
which depends on the chip’s thermal package. An agent in iterating.
the cooling state stays in this state with probability pc and
returns to the active state with probability 1 − pc. Probability • Optimize sprint strategy (§4.2). Given the probability of
pc is defined so that 1/(1 − pc) = ∆tcool. tripping the breaker Ptrip, each agent optimizes her
Rack recovery (R) – Agent cannot sprint. When multiple sprinting strategy to maximize her performance. She
chips sprint simultaneously, total current draw may trip the sprints if performance gains from doing so exceed
circuit breaker, trigger a power emergency, and require sup- some threshold. Optimizing her strategy means setting
plemental current from batteries. After an emergency, all her threshold uT.
agents remain in the recovery state until batteries recharge. • Characterize sprint distribution (§4.3). Given that each
Recovery requires a number of epochs ∆trecover, which agent sprints according to her threshold uT, the game
depends on the power supply and battery capacity. Agents in characterizes population behavior. It estimates the
the recovery state stay in this state with probability pr and expected number of sprinters nS, calculates their
return to the active state with probability 1 − pr. Probability demand for power, and updates the probability of trip-
pr is defined so that 1/(1 − pr) = ∆trecover. ping the breaker .
• Check for equilibrium. The game is in equilibrium if
4. GAME DYNAMICS AND STRATEGIES = Ptrip. Otherwise, iterate with the new probability of
Strategic agents decide between sprinting or not to maxi- tripping the breaker.
mize utilities. Sophisticated strategies produce several
desirable outcomes. Agents sprint during the epochs that 4.2 Optimizing the sprint strategy
benefit most from additional cores and higher frequencies. Sprinting defines a repeated game in which an agent acts in
Moreover, agents consider other agents’ strategies because the current epoch and encounters consequences of that
the probability of triggering a power emergency and enter- action in future epochs. An agent optimizes her sprinting
ing the recovery state increases with the number of strategy accounting for the probability of tripping the circuit
sprinters. breaker Ptrip, her utility from sprinting u, and her state. To
We analyze the game’s dynamics to optimize each agent’s decide whether to sprint, each agent optimizes the following
strategy for her performance. A comprehensive approach to Bellman equation.
optimizing strategies considers each agent—her state, util-
ity, and history—to determine whether sprinting maximizes (1)
her performance given her competitor’s strategies and sys-
tem state. In practice, however, this optimization is intrac- The equation quantifies value when an agent acts optimally
table for hundreds or thousands of agents. in every epoch. VS and V¬ S are the expected values from sprint-
ing and not sprinting, respectively. If VS(u, A) > V¬S(u, A),
4.1 Mean field equilibrium then sprinting is optimal. The game solves the Bellman
The mean field equilibrium (MFE) is an approximation equation and identifies actions that maximize value with

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 101

research highlights

dynamic programming. Markov chain that describes each agent’s behavior. As agents
Value in active state. An action’s value depends on bene- play their strategies, the Markov chain converges to a station-
fits in the current epoch plus the discounted value from ary distribution in which each agent is active with probability
future epochs. Suppose an agent in the active state decides pA. Given N agents, the expected number of sprinters is
to sprint. Her value from sprinting is her immediate utility u
plus her discounted future utility. When she sprints, future (9)
utility is calculated for the cooling state V (C) or the recovery
state V (R) when her sprint trips the breaker. Given the expected number of sprinters, the game
updates the probability of tripping the breaker according to
(2) its trip curve (e.g., Figure 2).

However, an agent who does not sprint will remain in the

active state unless other sprinting agents trip the circuit  (10)
breaker and require recovery.

(3)
Ptrip may change uT and nS, which may produce a new . If
V (A) denotes an agent’s expected value from being in the Ptrip = , then agents are playing optimized strategies that
active state. The game profiles an application and its time- produce an equilibrium.
varying computational phases to obtain a density function
f(u), which characterizes how often an agent derives utility u 4.4 Finding the equilibrium
from sprinting. With this density, the game estimates When the game begins, agents make initial assumptions
expected value. about population behavior and the probability of tripping
the breaker. Agents optimize their strategies in response to
(4) population behavior. Strategies produce sprints that affect
the probability of tripping the breaker. Over time, popula-
Value in cooling and recovery states. An active agent transi- tion behavior and agent strategies converge to a stationary
tions into cooling and recovery states when she and/or oth- distribution. The game is in equilibrium if the following
ers sprint. conditions hold.

(5) • Given tripping probability Ptrip, the sprinting strategy

dictated by threshold uT is optimal and solves the
Bellman equation in Equations (1)–(3).
(6) • Given sprinting strategy uT, the probability of tripping
the circuit breaker is Ptrip and is calculated by Equations
Parameters pc and pr are technology-specific probabilities of (8)–(10).
an agent in cooling and recovery states staying in those
states. The game tunes these parameters to reflect the time In equilibrium, every agent plays her optimal strategy and
required for chip cooling after a sprint and for rack recovery no agent benefits when deviating from her strategy. In prac-
after a power emergency. tice, the coordinator in the management framework finds
Threshold strategy. An agent should sprint if her utility and maintains an equilibrium with a mix of offline analysis
from doing so is greater than not. Equation (7), which fol- and online play.
lows from Equations (2) and (3), states that an agent should Offline analysis. Agents sample epochs and measure util-
sprint if her utility u is greater than her optimal threshold for ity from sprinting to produce a density function f(u), which
sprinting uT. Applying this strategy in every epoch maximizes characterizes how often an agent sees utility u from sprint-
expected value across time in the repeated game. ing. The coordinator collects agents’ density functions, ana-
lyzes population dynamics, and tailors sprinting strategies
for each agent. Finally, the coordinator assigns optimized
strategies to support online sprinting decisions.
(7)
Algorithm 1 describes the coordinator’s offline analysis.
It initializes the probability of tripping the breaker. Then, it
iteratively analyzes population dynamics to find an equilib-
4.3 Characterizing the sprint distribution rium. Each iteration proceeds in three steps. First, the coor-
Given threshold uT, an agent estimates the probability that dinator optimizes sprinting threshold uT by solving the
she sprints, ps, in a given epoch. dynamic program defined in Equations (1)–(7). Second, it
estimates the number of sprinters according to Equation (9).
 (8) Finally, it updates the probability of tripping the breaker
according to Equation (10). The algorithm terminates when
The probabilities of sprinting (ps) and cooling (pc) define a thresholds, number of sprinters, and tripping probability

102 COMM UNICATIO NS O F T H E ACM | F EBR UA RY 201 9 | VO L . 62 | N O. 2

Algorithm 1: Optimizing the Sprint Strategy modes and we estimate speedups by comparing the two
traces, epoch by epoch. In a practical system, online pro-
input : Density for sprinting utilities ( f (u) ) filing and heuristics would be required to estimate
output: Optimal sprinting threshold (uT) speedups.
j←1 Datacenter simulation. We simulate 1000 users and eval-
P0lstrip ← 1 uate their performance in the sprinting game. The simula-
while P trip
j
not converged do tor uses server traces and models system dynamics as agents
sprint, cool, and recover. Simulations evaluate homoge-
neous agents who arrive randomly and launch the same type
of Spark application; randomized arrivals cause application
phases to overlap in diverse ways. Diverse phase behavior
exercises the sprinting game as agents optimize strategies
in response to varied competitors’.
Table 1 summarizes technology and system parameters.
end
Parameters Nmin and Nmax are set by the circuit breaker’s trip-
ping curve. Parameters pc and pr are set by the chip’s cooling
mechanism and the system’s batteries. These probabilities
are stationary. decrease as cooling efficiency and recharge speed increase.
The analysis runs periodically to update sprinting strate-
gies and the tripping probability as application mix and sys- 6. EVALUATION
tem conditions evolve. The analysis does not affect an We evaluate the sprinting game and its equilibrium thresh-
application’s critical path as agents use updated strategies old against several alternatives that represent broader per-
when they become available but need not wait for them. On spectives on power management. First, greedy heuristics
an Intel® Core™ i5 processor with 4GB of memory, the analy- focus on the present and neglect the future.21 Second, control-
sis completes in less than 10s, on average. theoretic heuristics are reactive rather than proactive.2
Online play. An agent decides whether to sprint at the Third, centralized heuristics focus on the system and neglect
start of each epoch by estimating a sprint’s utility and com- individual users. Unlike these approaches, the sprinting
paring it against her threshold. Estimation could be imple- game anticipates the future and models strategic agents in a
mented in several ways. An agent could use the first few shared system.
seconds of an epoch to profile her normal and sprinting per- Greedy (G) permits agents to sprint as long as the chip is
formance. Alternatively, an agent could use heuristics to not cooling and the rack is not recovering. This mechanism
estimate utility from additional cores and higher clock rates. may frequently trip the breaker and require rack recovery.
For example, task queue occupancy and cache misses are Greedy produces a poor equilibrium—knowing that every-
associated with a sprint’s impact on task parallelism and one is sprinting, an agent’s best response is to sprint as well.
instruction throughput, respectively. Comparisons with a Exponential Backoff (E-B) throttles the frequency at which
threshold are trivial. agents sprint. An agent sprints greedily until the breaker
trips. After the t-th trip, agents wait for some number of
5. EXPERIMENTAL METHODOLOGY epochs drawn randomly from [0, 2t − 1] before sprinting
Server measurements. The agent and its application are again. The waiting interval contracts by half if the breaker
pinned to a chip multiprocessor, an Intel® Xeon® E5-2697 v2. has not been tripped in the past 100 epochs.
In normal mode, the agent uses three 1.2GHz cores. In Cooperative Threshold (C-T) assigns each agent the globally
sprinting mode, the agent uses twelve 2.7GHz cores. We turn optimal sprinting threshold. The coordinator identifies and
cores on and off with Linux sysfs. In principle, sprinting enforces thresholds that maximize system performance.
represents any mechanism that performs better but con- Although these thresholds provide an upper bound on perfor-
sumes more power. mance, they do not produce an equilibrium because thresh-
We evaluate Apache Spark workloads. The Spark run- olds do not reflect agents’ best responses to system dynamics.
time engine dynamically schedules tasks to use available Equilibrium Threshold (E-T) assigns each agent her opti-
cores and maximize parallelism, adapting as sprints cause mal threshold from the sprinting game. The coordinator
the number of available cores to vary across epochs. We pro- collects performance profiles and finds thresholds that
file workloads by modifying Spark (v1.3.1) to log the IDs of
jobs, stages, and tasks as they complete. We profile system
Table 1. Experimental Parameters.
and power temperature using the Intel® Performance
Counter Monitor 2.8. Description Symbol Value
We measure workload performance in terms of tasks Min # sprinters Nmin 250
completed per second (TPS). The total number of tasks in Max # sprinters Nmax 750
a job is constant and independent of the available hard- Prob. of staying in cooling pc 0.50
ware resources such that TPS measures performance for a Prob. of staying in recovery pr 0.88
Discount factor δ 0.99
fixed amount of work. In our experiments, we trace TPS
during application execution in normal and sprinting

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 103

research highlights

reflect agents’ best responses to system dynamics. These well by embracing agents’ strategies. E-T produces an equi-
thresholds produce an equilibrium and agents cannot ben- librium in which agents play their optimal strategies and
efit by deviating from their assigned strategy. converge to a stationary distribution. In equilibrium, the
number of sprinters is just slightly above Nmin, the number
6.1 Sprinting behavior that causes a breaker to transition from the non-tripped
Figure 4 compares sprinting policies and resulting system region to the tolerance band. After emergency and recovery,
dynamics as 1000 instances of Decision Tree, a representa- the system quickly returns to equilibrium.
tive application, computes across over time. Sprinting poli- Figure 5 shows the percentage of time an agent spends in
cies determine how often agents sprint and whether sprints each state. E-T and C-T sprints are timely as strategic agents
trigger emergencies. Ideally, policies would permit agents sprint only when estimated benefits exceed an optimized
to sprint up until they trip the circuit breaker. In this exam- threshold. A sprint in E-T or C-T contributes more to perfor-
ple, 250 of the 1000 agents can sprint before triggering a mance than one in G or E-B. Moreover, G and E-B ignore the
power emergency. consequences of a sprint. With G, an agent spends more
Greedy heuristics are aggressive and inefficient. A than 50% of its time in recovery, waiting for batteries to
sprint in the present precludes a sprint in the near future, recharge after an emergency. With E-B, an agent spends
harming subsequent tasks that could have benefited more nearly 40% of its time in active mode but not sprinting.
from the sprint. Moreover, frequent sprints risk power
emergencies and require rack-level recovery. G produces 6.2 Sprinting performance
an unstable system, oscillating between full-system Figure 6 shows task throughput under varied policies. The
sprints that trigger emergencies and idle recovery that sprinting game outperforms greedy heuristics and is com-
harms performance. petitive with globally optimized heuristics. Rather than
Control-theoretic approaches are more conservative, sprinting greedily, E-T uses equilibrium thresholds to select
throttling sprints in response to power emergencies. E-B more profitable epochs for sprinting. E-T outperforms G
adaptively responds to feedback, producing a more stable and E-B by up to 6.8× and 4.8×, respectively. Agents who use
system with fewer sprints and emergencies. Indeed, E-B may their own strategies to play the game competitively produce
be too conservative, throttling sprints beyond what is neces- outcomes that rival expensive cooperation. E-T’s task
sary to avoid tripping the circuit breaker. The number of throughput is 90% that of C-T’s for most applications.
sprinters is consistently lower than Nmin, which is safe but Linear Regression and Correlation are outliers, achieving
leaves sprinting opportunities unexploited. In neither G nor only 36% and 65% of cooperative performance. For these
E-B do agents sprint to full advantage. applications, E-T performs as badly as G and E-B because
In contrast, the computational sprinting game performs the applications’ performance profiles exhibit little variance

Figure 4. Sprinting behavior for a representative application, Decision Tree. Black line denotes number of sprinters. Gray line denotes the
point at which sprinters risk a power emergency, Nmin.
300 600

Greedy
Number of sprinting users
300 600 0

Exponential backoff
300 600 0

Cooperative threshold
300 600 0

Equilibrium threshold
0

0 200 400 600 800 1000

Epoch index

104 COMM UNICATIO NS O F T H E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

Figure 5. Percentage of time spent in agent states for a representative Figure 7. Probability density for sprinting speedups.
application, Decision Tree.
Linear regression Pagerank

0.4
Active (not sprinting) Global recovery
Local cooling Sprinting
100%

0.2 0.3

0.20
Density

Density
0.10
75%

0.1

0.00
50%

0.0
2 3 4 5 6 0 5 10 15
Normalized TPS Normalized TPS
25%

0%
Greedy Exponential Equilibrium Cooperative Figure 8. Probability of sprinting.

1.0

0.8

Probability of sprinting
Figure 6. Performance, measured in tasks per second and
normalized against greedy, for a single application type. 0.6

Greedy
6

0.4
Performance (Normalized to Greedy)

Exponential backoff
Equilibrium threshold
5

Cooperative threshold 0.2

4

0.0
3

le
S

CC
M

ar

n
t

ns
ive

nk
n
ien

io
AL
io

ng
SV

ne

ea

ra
at
Na

cis

ad

ia
2

Li

ge
Km

el

Tr
De

Gr

rr

Pa
Co
1
0

le
S

CC
M

ar

n
t

ns
ive

k
n

ien

io
AL

n
io

ng
SV

ne

ea

ra
at
Na

cis

ad

ia
Li

ge
el
Km

majority of applications, however, resemble PageRank with

Tr
De

Gr

rr

Pa
Co

higher thresholds and judicious sprints.

and all epochs benefit similarly from sprinting. When an 6.4 Equilibrium versus cooperation
agent cannot distinguish between epochs, she sets a low Equilibrium thresholds are robust to strategic behavior and
threshold and sprints for every epoch. In effect, for such perform well, but cooperative thresholds can perform even
applications, E-T produces a greedy equilibrium. better. The sprinting game’s equilibrium delivers 90% of the
performance from cooperation because the penalties from
6.3 Sprinting strategies non-cooperative behavior are low. Figure 9 shows how effi-
Figure 7 uses density plots for two representative applica- ciency falls as recovery from power emergencies become
tions, Linear Regression and PageRank, to show how often and increasingly expensive. Recall that pr is the probability an
how much their tasks benefit from sprinting. Linear Regression agent in recovery stays in that state.
presents a narrower distribution and performance gains The sprinting game fails when an emergency requires indefi-
from sprinting vary in a band between 3× and 5×. In contrast, nite recovery and pr is one. This game has no equilibrium that
PageRank’s performance gains can often exceed 10×. avoids tripping the breaker and triggering indefinite recovery.
The coordinator uses density plots to optimize threshold If a strategic agent were to observe system dynamics that avoid
strategies. Linear Regression’s strategy is aggressive and uses a tripping the breaker, which means Ptrip is zero, she would realize
low threshold that often induces sprints. This strategy arises that other agents have set high thresholds to avoid sprints. Her
from its relatively low variance in performance gains. If sprint- best response would be lowering her threshold and sprinting
ing’s benefits are indistinguishable across tasks and epochs, more often. Others would behave similarly and drive Ptrip
an agent sprints indiscriminately and at every opportunity. higher. In equilibrium, Ptrip would rise above zero and agents
PageRank’s strategy is more nuanced and uses a high thresh- would eventually trip the breaker, putting the system into
old, which cuts her bimodal distribution and implements indefinite recovery. Thus, selfish agents would produce inef-
judicious sprinting. She sprints for tasks and epochs that ficient equilibria—the Prisoner’s Dilemma in which each
benefit most (i.e., those that see performance gains greater agent’s best response performs worse than a cooperative one.
than 10×). The Folk theorem guides agents to a more efficient equilib-
Figure 8 illustrates diversity in agents’ strategies by rium by punishing agents whose responses harm the system.
reporting their propensities to sprint. Linear Regression and The coordinator would assign agents the best cooperative
Correlation’s narrow density functions and low thresholds thresholds to maximize system performance from sprinting.
cause these applications to sprint at every opportunity. The When an agent deviates, she is punished such that

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 105

research highlights

3. Chase, J.S., Anderson, D.C., Thakar, P.N., (Austin, TX, USA, 2017), 421–432.
Figure 9. Efficiency of equilibrium thresholds. Vahdat, A.M., Doyle, R.P. Managing 13. Raghavan, A., Emurian, L., Shao, L.,
energy and server resources in Papaefthymiou, M., Pipe, K.P.,
Efficiency of equilibrium hosting centers. In Proceedings of the Wenisch, T.F., Martin, M.M.
18th Symposium on Operating Computational sprinting on a
Systems Principles (SOSP) (Banff, hardware/software testbed. In
Alberta, Canada, 2001), 103–116. Proceedings of the 18th International
0.8
4. Fan, X., Weber, W.-D., Barroso, L.A. Conference on Architectural Support
Power provisioning for a warehouse- for Programming Languages and
sized computer. In Proceedings of the Operating Systems (ASPLOS)
34th Annual International (Houston, TX, USA, 2013), 155–166.
0.4

Symposium on Computer 14. Raghavan, A., Luo, Y., Chandawalla, A.,

Architecture (ISCA) (San Diego, CA, Papaefthymiou, M., Pipe, K.P.,
USA, 2007), 13–23. Wenisch, T.F., Martin, M.M.K.
5. Fu, X., Wang, X., Lefurgy, C. How much Computational sprinting. In
power oversubscription is safe and Proceedings of the 18th IEEE
0.0

allowed in data centers. In Proceedings International Symposium on High

of the 8th ACM International Performance Computer Architecture
0.0 0.2 0.4 0.6 0.8 1.0 Conference on Autonomic Computing (HPCA) (New Orleans, LA, USA,
(ICAC) (Karlsruhe, Germany, 2011), 2012), 1–12.
Pr 21–30. 15. Shao, L., Raghavan, A., Emurian, L.,
6. Ghodsi, A., Zaharia, M., Hindman, B., Papaefthymiou, M.C., Wenisch, T.F.,
Konwinski, A., Shenker, S., Stoica, I. Martin, M.M., Pipe, K.P. On-chip phase
Dominant resource fairness: Fair change heat sinks designed for
allocation of multiple resource types. computational sprinting. In
performance lost exceeds performance gained. In our exam- In Proceedings of the 8th USENIX Proceedings of the 30th Annual
ple, punishments would allow the system to escape inefficient Conference on Networked Systems Semiconductor Thermal
Design and Implementation (NSDI) Measurement and Management
equilibria as agents are compelled to increase their thresholds (Boston, MA, USA, 2011), 323–336. Symposium (San Jose, CA, USA,
and ensure Ptrip remains zero. The coordinator could monitor 7. Govindan, S., Sivasubramaniam, A., 2014),29–34.
Urgaonkar, B. Benefits and limitations 16. Skach, M., Arora, M., Hsu, C.-H., Li, Q.,
sprints, detect deviations from assigned strategies, and forbid of tapping into stored energy for Tullsen, D., Tang, L., Mars, J.
datacenters. In Proceeding of the Thermal time shifting: Leveraging
agents who deviate from ever sprinting again. Note that threat 38th Annual International phase change materials to reduce
of punishment is sufficient to shape the equilibrium. Symposium on Computer cooling costs in warehouse-scale
Architecture (ISCA) (San Jose, CA, computers. In Proceedings of the
USA, 2011), 341–351. 42nd Annual International
7. CONCLUSION 8. Guevara, M., Lubin, B., Lee, B.C.. Symposium on Computer
Navigating heterogeneous processors Architecture (ISCA) (Portland, OR,
Economics and game theory have proven effective in data- with market mechanisms. In USA, 2015), 439–449.
center power and resource management. Game-theoretic Proceeding of the 19th IEEE 17. Somu Muthukaruppan, T., Pathania, A.,
International Symposium on High Mitra, T. Price theory based power
notions of fairness can incentivize strategic users when shar- Performance Computer Architecture management for heterogeneous
ing hardware.6,12,19,20 Markets and price theory can allocate and (HPCA) (Shenzhen, China, 2013), multi-cores. In Proceedings of the
95–106. 19th International Conference on
manage heterogeneous servers.8,9,17 Demand response mod- 9. Guevara, M., Lubin, B., Lee, B.C. Architectural Support for Programming
els can handle power emergencies.3,11 Strategies for anticipating risk in Languages and Operating Systems
heterogeneous system design. In (ASPLOS) (Salt Lake City, UT, USA,
We link system architecture and algorithmic economics Proceeding of the 20th IEEE 2014), 161–176.
to decentralize the allocation of shared resources to strate- International Symposium on High 18. Wang, X., Chen, M., Lefurgy, C., Keller, T.W.
Performance Computer Architecture Ship: A scalable hierarchical power
gic users. The computational sprinting game is a manage- (HPCA) (Orlando, FL, USA, 2014), control architecture for large-scale
ment architecture that governs how independent chip 154–164. data centers. IEEE Trans. Parallel
10. Hindman, B., Konwinski, A., Distrib. Syst. 23, 1 (2012), 168–176.
multiprocessors share a power supply. The approach gener- Zaharia, M., Ghodsi, A., Joseph, A.D., 19. Zahedi, S.M., Lee, B.C. Sharing
Katz, R., Shenker, S., Stoica, I. Mesos: incentives and fair division for
alizes beyond datacenters and is relevant to systems that are A platform for fine-grained resource multiprocessors. IEEE Micro 35, 3
distributed, heterogeneous, and dynamic. The game’s sharing in the data center. In (2015), 92–100.
Proceedings of the 8th USENIX 20. Zahedi, S.M., Llull, Q., Lee, B.C.
approach to sprinting applies to any mechanism that briey Conference on Networked Systems Amdahl’s Law in the datacenter
accelerates performance using additional resources be they Design and Implementation (NSDI) era: A market for fair processor
(Boston, MA, USA, 2011), 295–308. allocation. In Proceedings of the 24rd
processor, memory, network, or power. The game’s equilib- 11. Liu, Z., Wierman, A., Chen, Y., Razon, IEEE International Symposium on
rium highlights a path to scalable management because B., Chen, N. Data center demand High-Performance Computer
response: Avoiding the coincident Architecture (HPCA) (Vienna,
mean field analysis provides tractability when the number peak via workload shifting and local Austria, 2018).
of system components is large. However, finding the equi- generation. Perform. Eval. 70, 10 21. Zheng, W., Wang, X. Data center
(2013), 770–791. sprinting: Enabling computational
librium requires statistical distributions of agent behaviors 12. Llull, Q., Fan, S., Zahedi, S.M., sprinting at the data center level. In
and further research is needed to reduce offline profiling Lee, B.C. Cooper: Task colocation with Proceedings of the 35th International
cooperative games. In Proceedings of Conference on Distributed Computing
costs and accelerate online utility prediction. the 23rd IEEE International Systems (ICDCS) (Columbus, OH,
Symposium on High-Performance USA, 2015), 175–184.
Computer Architecture (HPCA)
Acknowledgments
This work is supported by National Science Foundation grants
CCF-1149252, CCF-1337215, SHF-1527610, and AF-1408784.
This work is also supported by STARnet, a SRC program, Songchun Fan† (songchun.fan@duke. Seyed Majid Zahedi† and Benjamin C. Lee
sponsored by MARCO and DARPA. edu), Duke University, California, USA. ({seyedmajid.zahedi, benjamin.c.lee}@duke.
edu), Duke University, Durham, NC, USA.
References thermal management for
1. Adlakha, S., Johari, R. Mean high-performance microprocessors.
field equilibrium in dynamic In Proceedings of the 7th IEEE
games with strategic International Symposium on High
complementarities. Oper. Res. 61, 4 Performance Computer Architecture
(2013), 971–989. (HPCA) (Monterrey, Nuevo Leon,
2. Brooks, D. Martonosi, M. Dynamic Mexico, 2001), 171–182.
© 2019 ACM 0001-0782/19/2 $15.00

106 COM MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

 DOI:10.1145 / 3 2 9 9 8 79

Technical Perspective
To view the accompanying paper,
visit doi.acm.org/10.1145/3299881 rh

To Do or Not to Do:
Extending SQL with Integer
Linear Programming?
By Surajit Chaudhuri

have
R E L AT I O N A L Q U E R Y L A N G U A G E S Despite the advances that have al- Java or C#) other than the native SQL.
enabled the programmer to express ready taken place along these three The paper also addresses techniques
queries using a logical model of data dimensions, there continues to be for solving large ILP problems using of-
without any knowledge of the under- proposals from time to time to fur- fline partitioning and approximation
lying physical structures. To help ap- ther enrich functionality of relation- techniques to break down the global ILP
plications realize the benefits of such al databases to support important instance into smaller ILP sub-problems.
declarative querying of data fully, there classes of applications. However, while their offline partitioning
has been much work along the follow- The following paper by Brucato et al. is a good physical design optimization
ing three dimensions: is one such proposal for making relation- to have in the repertoire, its applicabil-
a) Application programming inter- al databases do more. It makes a case ity also depends on the characteristics of
faces (for example, ODBC, JDBC) have for marrying the well-established para- the production workload on the system.
been developed to enable applications digms of constrained optimization (spe- Adding any new functionality to
connect to and access data in a rela- cifically, ILP or integer linear program- a query language as rich as SQL has
tional database system. However, when ming) and traditional SQL querying. complex trade-offs. Issues that influ-
connecting using these interfaces, the The challenge of augmenting query ence such a decision are ease of speci-
application programmer must still han- languages with the power of specify- fication of the new functionality in the
dle two different programming models. ing constraints has been well studied query, execution efficiency of the en-
Language integrated query (LINQ) is an in the literature, both in the context of riched query system, data movement,
elegant example of integration where database querying as well as logic pro- and increased software complexity of
query expressions are introduced as a gramming. Earlier research has stud- the database systems. Moreover, even
first-class citizen in the programming ied schemes for adding constraints on when a new functionality is incorporat-
languages to avoid the above problem, individual rows (beyond simple selec- ed, there is a question of whether the
and a mapping tool (LINQ to SQL) trans- tion) as well as aggregate constraints core SQL should be enriched like other
lates language-integrated queries into that the set of answer rows to a query examples in (c), as suggested by this pa-
SQL for the database backend. More re- must satisfy collectively. Introduction per, or if the functionality should be in-
cently, databases have been exposing a of aggregate constraints makes query corporated strictly via the extensibility
REST API for the ease of mobile and web evaluation especially challenging. The mechanisms. Specifically, in this case,
applications. paper demonstrates that when you add an alternative to extending SQL will be
b) Modern database systems pro- an optimization criterion to a query to have a separate domain-specific lan-
vide extensibility so that applications language with aggregate constraints guage (potentially using a syntax like
programmers are not limited to using to choose among qualifying sets of an- that of package queries), interpreted by
the built-in types and functions in SQL. swer sets, the query evaluation can be the ILP solver runtime, and integrated
All major database systems support us- accomplished by a combination of the with the database system.
er-defined functions that may be used relational query execution engine and If you are interested in the topic of
in selection, aggregation, or table ex- an off-the-shelf ILP solver. constraint specification and optimiza-
pressions in a query. These user-defined The authors explain how such que- tion over data stored in databases, this
functions (potentially with parameters) ries may be specified declaratively (re- paper is sure to interest you. Also, it is
are written in native SQL or program- ferred to as package queries). These worth a read for anyone who wants to
ming languages for which the database package queries are evaluated by first consider adding extensions to SQL to
server provides runtime support. Such executing the traditional relational part ease application tasks, as the authors
extensibility mechanisms have been of the query and then mapping the con- illustrate the key dimensions of what it
used by database systems to add sup- straint satisfaction and objective crite- takes to add any new functionality to re-
port for data types such as geospatial. rion as an instance of the ILP problem. lational querying: language extension,
c) The SQL standard has added The extensibility features of the data- changes to the query execution engine,
new operators and constructs to make base system, as explained in (b), may and techniques to cope with scale.
declarative querying in relational lan- be used to add such an ILP solver to the
guages more convenient or expressive, database systems just like the support Surajit Chaudhuri is a Distinguished Scientist at Microsoft
Research, Redmond, WA, USA.
for example, recursion, window func- for user defined functions written in
tions, grouping sets, within group. programming languages (for example, Copyright held by author.

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 107

research highlights
DOI:10.1145/ 3 2 9 9 8 8 1

Scalable Computation of High-

Order Optimization Queries
By Matteo Brucato, Azza Abouzied, and Alexandra Meliou

Abstract relevant to these problems typically resides: the database.

Constrained optimization problems are at the heart of We present a complete system that supports package que-
­significant applications in a broad range of domains, includ- ries, a new query model that extends traditional database
ing finance, transportation, manufacturing, and healthcare. queries to handle complex constraints and preferences
Modeling and solving these problems has relied on applica- over answer sets, allowing the declarative specification and
tion-specific solutions, which are often complex, error- efficient evaluation of a significant class of constrained
prone, and do not generalize. Our goal is to create a optimization problems—ILP—within a database. Package
domain-­independent, declarative approach, supported and queries are defined over traditional relations, but return
powered by the system where the data relevant to these packages. A package is a collection of tuples that (a) individ-
problems typically resides: the database. We present a com- ually satisfy base predicates (traditional selection predi-
plete system that supports package queries, a new query cates), and (b) collectively satisfy global predicates
model that extends traditional database queries to handle (package-specific predicates). Package queries are combi-
complex constraints and preferences over answer sets, natorial in nature: the result of a package query is a (poten-
allowing the declarative specification and efficient evalua- tially infinite) set of packages, and an objective criterion can
tion of a significant class of constrained optimization prob- define a preference ranking among them.
lems—integer linear programs (ILP)—within a database. Extending traditional database functionality to provide
support for packages, rather than supporting packages at
the application level, is justified by two reasons: First, the
1. INTRODUCTION features of packages and the algorithms for constructing
Traditional database queries follow a simple model: they them are not unique to each application; therefore, the bur-
define constraints, in the form of selection predicates, that den of package support should be lifted off application
each tuple in the result must satisfy. This model is computa- developers, and database systems should support package
tionally efficient, as the database system can evaluate each queries like traditional queries. Second, the data used to
tuple individually to determine whether it satisfies the query construct packages typically reside in a database system,
conditions. However, many practical, real-world problems and packages themselves are structured data objects that
require a collection of result tuples to satisfy constraints col- should naturally be stored in and manipulated by a data-
lectively, rather than individually. base system.
Our work addresses three important challenges. The first
Example 1 (Meal planner). A dietitian needs to design a challenge is to support declarative specification of packages.
daily meal plan for a patient. She wants a set of three gluten- SQL enables the declarative specification of properties that
free meals, between 2000 and 2500 calories in total, and with a result tuples should satisfy. In Example 1, it is easy to specify
low total intake of saturated fats. the exclusion of meals with gluten using a regular selection
predicate in SQL. However, it is difficult to specify global con-
Similar scenarios, requiring complex, high-order con- straints (e.g., total calories of a set of meals should be between
straints arise frequently, and in many practical settings. 2000 and 2500 calories). Expressing such a query in SQL
A broad set of domains have applications that boil down to requires either complex self-joins that explode the size of the
modeling and solving constrained optimization problems, query, or recursion, which results in extremely complex que-
for example, coordinating fleet and crew assignments in air- ries that are hard to specify and optimize. Our goal is to main-
line scheduling to reduce delays and costs,19 managing tain the declarative power of SQL, while extending its
delinquent consumer credit to minimize losses,14 optimizing expressiveness to allow for the easy specification of packages.
organ transplant allocation and acceptance,1 and planning The second challenge relates to the evaluation of pack-
of cancer radiotherapy treatments.20, 21 A significant class of age queries. Due to their combinatorial complexity, pack-
constrained optimization problems are integer linear pro- age queries are harder to evaluate than traditional
grams (ILP). ILP solutions alone account for billions in US database queries.10 Package queries are in fact as hard as
dollars of projected benefits within each of these and other ILP.5 Existing database technology is ineffective at
industry sectors.7
Modeling and solving these problems has relied on
The original version of this paper is entitled "Scalable
application-specific solutions,2, 9, 13, 17, 23, 18 which can often
Package Queries in Relational Database Systems” and
be complex and error-prone, and fail to generalize. Our goal
was published in the Proceedings of the VLDB Endowment,
is to create a domain-independent, declarative approach,
Vol. 9, No. 7 (2016), 576–587.
supported and powered by the system where the data

108 COMM UNICATIO NS O F T H E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

evaluating package queries, even if one were to express order of magnitude faster than the ILP solver used directly
them in SQL. Figure 1 shows the performance of evaluating on the entire problem; (2) scales up to sizes that the solver
a package query expressed as a multi-way self-join query in cannot manage directly; (3) produces packages of very good
traditional SQL. As the cardinality of the package increases, quality in terms of objective value.
so does the number of joins, and the runtime quickly
becomes prohibitive: In a small set of 100 tuples from the 2. LANGUAGE SUPPORT FOR PACKAGES
Sloan Digital Sky Survey (SDSS) dataset,22 SQL evaluation Database systems do not natively support package queries.
takes almost 24 hours to construct a package of 7 tuples. While there are ways to express package queries in SQL,
Our goal is to extend the database evaluation engine to take these are cumbersome and inefficient.
advantage of external tools, such as ILP solvers, which are Specifying packages with self-joins. In the limited case of
more effective for combinatorial problems. packages with strict cardinality, that is, a fixed number of
The third challenge pertains to query evaluation perfor- tuples, it is possible to express package queries using rela-
mance and scaling to large datasets. Integer programming tional self-joins. The query of Example 1 requires three
solvers have two major limitations: they require the entire meals (a package with cardinality three) and can be
problem to fit in main memory, and they fail when the prob- expressed as a three-way self-join:
lem is too complex (e.g., too many variables and/or too many
constraints). Our goal is to overcome these limitations SELECT *  FROM Recipes R1, Recipes R2, Recipes R3
through sophisticated evaluation methods that allow solv- WHERE R1.pk < R2.pk AND R2.pk < R3.pk AND
ers to scale to large data sizes.  R1.gluten = ‘free’ AND R2.gluten = ‘free’ AND R3.gluten = ‘free’
Our work addresses these challenges through the design  AND R1.kcal + R2.kcal + R3.kcal BETWEEN 2.0 AND 2.5
of language and algorithmic support for the specification ORDER BY R1.saturated_fat + R2.saturated_fat +
and evaluation of package queries. We present PaQL R3.saturated_fat
(Package Query Language), a declarative language that pro-
vides simple extensions to standard SQL to support con- Such a query is efficient only for constructing packages with
straints at the package level. PaQL is at least as expressive as very small cardinality: larger cardinality requires a larger
ILP, which implies that evaluation of package queries is number of self-joins, quickly rendering evaluation time pro-
NP-hard.5 We present a fundamental evaluation strategy, hibitive (Figure 1). The benefit of this specification is that
Direct, that combines the capabilities of databases and the optimizer can use the traditional relational algebra oper-
constraint optimization solvers to derive solutions to pack- ators and augment its decisions with package-specific strat-
age queries. The core of our approach is a set of translation egies. However, this method does not apply for packages of
rules that transform a package query to an ILP. This transla- unbounded cardinality.
tion allows for the use of highly-optimized external solvers Specifying packages using recursion. SQL can express
for the evaluation of package queries. We introduce an package queries by generating and testing each possible
offline data partitioning strategy that allows package query subset of the input relation. This requires recursion to build
evaluation to scale to large data sizes. The core of our evalu- a powerset table; checking each set in the powerset table for
ation strategy, SketchRefine, lies in separating the pack- the query conditions will yield the result packages. This
age computation into multiple stages, each with small approach has three major drawbacks. First, it is not declara-
subproblems, which the solver can evaluate efficiently. In tive, and the specification is tedious and complex. Second, it
the first stage, the algorithm “sketches” an initial sample is not amenable to optimization in existing systems. Third,
package from a set of representative tuples, while the subse- it is extremely inefficient to evaluate, because the powerset
quent stages “refine” the current package by solving an ILP table generates an exponential number of candidates.
within each partition. SketchRefine offers strong approxi-
mation guarantees for the package results compared to 2.1. PaQL: The package query language
Direct. We present an extensive experimental evaluation Our goal is to support declarative and intuitive package
on real-world data that shows that our query evaluation specification. In this section, we describe PaQL, a declara-
method SketchRefine: (1) is able to produce packages an tive query language that introduces simple extensions to
SQL to define package semantics and package-level con-
straints. Figure 2 shows the general syntax of PaQL (left) and
Figure 1. Traditional database technology is ineffective at package
evaluation, and the runtime of a SQL formulation of a package query
the specification for the query of Example 1 (right), which we
grows exponentially. In contrast, tools such as ILP solvers are more use as a running example to demonstrate PaQL’s features.
effective. Square brackets enclose optional clauses and arguments,
and a vertical bar separates syntax alternatives. In this speci-
SQL Formulation ILP Formulation
105 fication, repeat is a non-negative integer; w_expression
Time (s)

is a Boolean expression over tuple values (as in standard

101 SQL) and can only contain references to relation_name
and relation_alias; st_expression is a Boolean
10–3
1 2 3 4 5 6 7 expression and obj_expression is an expression over
Package cardinality aggregate functions or SQL subqueries with aggregate func-
tions; both st_expression and obj_expression can

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 109

research highlights

Figure 2. Specification of the PaQL syntax (left), and the PaQL query for Example 1 (right).

PaQL syntax specification PaQL query for Example 1

SELECT PACKAGE (∗|column_name [, . . .]) [AS] package_name : SELECT PACKAGE (∗) AS P
FROM relation_name [AS] relation_alias FROM Recipes R REPEAT 0
[REPEAT repeat] [, . . .] WHERE R.gluten = ‘free’
[WHERE w_expression ] SUCH THAT COUNT (P.∗) = 3 AND
[SUCH THAT st_expression ] SUM(P.kcal) BETWEEN 2.0 AND 2.5
[ (MINIMIZE|MAXIMIZE) obj_expression ] MINIMIZE SUM(P.sat_fat)

only contain references to package_name, which specifies constraints, they are specified over the package result P, for
the name of the package result. example, COUNT(P.*) = 3, which limits the query results to
Basic package query. The new keyword PACKAGE differ- packages of exactly 3 tuples.
entiates PaQL from traditional SQL queries. The global predicates in query abbreviate aggregates
that are in reality SQL subqueries. For example, COUNT(P.*)
1
:  SELECT  * 2
:  SELECT  PACKAGE(*) AS P = 3, abbreviates (SELECT COUNT(*) FROM P) = 3. Using sub-
    FROM     Recipes R      FROM Recipes R queries, PaQL can express arbitrarily complex global con-
straints among aggregates over a package.
The semantics of 1 and 2 are fundamentally different: 1 is Objective clause. The objective clause specifies a ranking
a traditional SQL query, with a unique, finite result set (the among candidate package results and appears with either
entire Recipes table), whereas there are infinitely many pack- the MINIMIZE or MAXIMIZE keyword. It is a condition on the
ages that satisfy the package query 2: all possible multisets of package-level, and hence it is specified over the package
tuples from the input relation. The result of a package query result P, for example, MINIMIZE SUM(P.sat_fat). Similar to
like 2 is a set of packages. Each package resembles a relational global predicates, this form is a shorthand for MINIMIZE
table containing a collection of tuples (with possible repeti- (SELECT SUM(sat_fat) FROM P). A PaQL query with an objec-
tions) from relation Recipes, and therefore a package result of tive clause returns a single result: the package that optimizes
2
follows the schema of Recipes. Similar to SQL, the PaQL syn- the value of the objective. The evaluation methods that we
tax allows the specification of the output schema in the SELECT present in this work focus on such queries. In prior work,6
clause. For example, PACKAGE(sat_fat, kcal) only returns the we described preliminary techniques for returning multiple
saturated fat and calorie attributes of the package. packages in the absence of optimization objectives, but a
Although semantically valid, a query like 2 would not thorough study of such methods is left to future work.
occur in practice, as most application scenarios expect few, Expressiveness and complexity. PaQL can express gen-
or even exactly one result. We proceed to describe the addi- eral ILP, which means that evaluation of package queries is
tional constraints in the example query (Figure 2) that NP-complete.4, 5 As a first step in package evaluation, we pro-
restrict the number of package results. ceed to show how a PaQL query can be transformed into a
Repetition constraints. The REPEAT 0 statement in linear program and solved using general ILP solvers.
query from Figure 2 specifies that each tuple from the
input relation Recipe can appear in a package result at 3. ILP FORMULATION
most once (no repetitions are allowed). If this restriction is In this section, we present an ILP formulation for package
absent (as in query 2), the multiplicity of a tuple is queries, which is at the core of our evaluation methods
unbounded. By allowing no repetitions, restricts the Direct and SketchRefine. The results in this section are
package space from infinite to 2n, where n is the size of the inspired by the translation rules employed by Tiresias15 to
input relation. Generalizing, REPEAT ρ allows a package to answer how-to queries.
repeat tuples up to ρ times, resulting in (2 + ρ)n candidate
packages. 3.1. PaQL to ILP translation
Base and global predicates. A package query defines two Let R indicate the input relation of the package query, n = |R|
types of predicates. A base predicate, defined in the WHERE be the number of tuples in R, R.attr an attribute of R, P a pack-
clause, is equivalent to a selection predicate and can be eval- age, f a linear aggregate function (such as COUNT and SUM),
uated with standard SQL: any tuple in the package needs to  ∈ {≤,≥} a constraint inequality, and v ∈ R a constant. For
individually satisfy the base predicate. For example, query each tuple ti from R, 1 ≤ i ≤ n, the ILP problem includes a
from Figure 2 specifies the base predicate: R.gluten = ‘free’. nonnegative integer variable xi, xi ≥ 0, indicating the number
Since base predicates directly filter input tuples, they are of times ti is included in an answer package. We also use
specified over the input relation R. Global predicates are the to denote the vector of all integer variables.
core of package queries, and they appear in the new SUCH A PaQL query is formulated as an ILP problem using the fol-
THAT clause. Global predicates are higher-order than base lowing translation rules.
predicates: they cannot be evaluated on individual tuples, Repetition constraint. The REPEAT keyword, expressible
but on tuple collections. Since they describe package-level in the FROM clause, restricts the domain that the variables

110 CO MM UNICATIO NS O F T H E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

can take on. Specifically, REPEAT ρ implies 0 ≤ xi ≤ ρ + 1. Figure 3. Example ILP formulation and solution for query Q, on a
Base predicate. Let b be a base predicate, for example, sample Recipe dataset. There are only two packages that satisfy all
R.gluten = ‘free’, and Rb the relation containing tuples from the constraints, namely {t2, t3, t5} and {t1, t2, t5}, but the first one is the
R satisfying b. We encode b by setting xi = 0 for every tuple optimal because it minimizes the objective function.
t i ∉ R b. Recipes 7.1x1 + 5.2x2 + 3.2x3 + 6.5x4 + 2.0x5
min
Global predicate. Each global predicate in the SUCH sat_fat kcal s.t. x1 + x2 + x3 + x4 + x5 = 3
t1 7.1 0.45 x1 = 0 0.45x1 + 0.55x2 + 0.25x3
THAT clause takes the form f(P)  v. For each such predicate,
t2 5.2 0.55 x2 = 1 + 0.15x4 + 1.20x5 ≥ 2.0
we derive a linear function over the integer variables. t3 3.2 0.25 x3 = 1 0.45x1 + 0.55x2 + 0.25x3
A cardinality constraint f(P) = COUNT(P.*) is translated into a t4 6.5 0.15 x4 = 0 + 0.15x4 + 1.20x5 ≤ 2.5
t5 2.0 1.20 x5 = 1 x1,x2,x3,x4,x5 ∈ {0, 1}
linear function . A summation constraint f(P) =
SUM(P.attr) is translated into a linear function
. Other nontrivial constraints and general
Boolean expressions over the global predicates can be not included in the output package, and xi = k means that
encoded into a linear program with the help of Boolean vari- tuple ti is included k times. Thus, the result of is the package:
ables and linear transformation tricks found in the litera- {t2, t3, t5}.
ture.3 We refer to the original version of this paper for further
details.4, 5 4. SCALABLE PACKAGE EVALUATION
Objective clause. We encode MAXIMIZE f(P) as max , The Direct algorithm has two crucial drawbacks. First, it is
where is the encoding of f(P). Similarly MINIMIZE f(P) is only applicable if the input relation is small enough to fit
encoded as min . entirely in main memory: ILP solvers, such as IBM’s CPLEX,
require the entire problem to be loaded in memory before
Example 2 (ILP translation). Figure 3 shows a toy example execution. Second, even for problems that fit in main mem-
of the Recipes table, with two columns and 5 tuples. To trans- ory, this approach may fail due to the complexity of the inte-
form into an ILP, we first create a non-negative, integer vari- ger problem. In fact, ILP is a notoriously hard problem, and
able for each tuple: x1, …, x5. The cardinality constraint modern ILP solvers use algorithms, such as branch-and-
specifies that the sum of the xi variables should be exactly 3. cut,16 that often perform well in practice, but can “choke”
The global constraint on SUM(P.kcal) is formed by multiplying even on small problem sizes due to their exponential worst-
each xi with the value of the kcal column of the corresponding case complexity.8 This may result in unreasonable perfor-
tuple, and specifying that the sum should be between 2 and 2.5. mance if the solvers use too many resources (main memory,
The objective of minimizing SUM(P.sat_fat) is similarly formed virtual memory, CPU time), eventually thrashing the entire
by multiplying each xi with the sat_fat value of the correspond- system.
ing tuple. In this section, we present SketchRefine, an approxi-
mate divide-and-conquer evaluation technique for efficiently
answering package queries on large datasets. Rather than
3.2. Query evaluation with DIRECT solving the original large problem with Direct, SketchRefine
Using the ILP formulation, we develop Direct, our basic smartly decomposes a query into smaller queries, formulates
evaluation method for package queries. In Section 4, we them as ILP problems, and employs an ILP solver as a black-
extend this technique to our main algorithm, SketchRefine, box evaluation method to answer each individual query. By
which supports efficient package evaluation in large datas- breaking down the problem into smaller subproblems, the
ets. Package evaluation with Direct employs three steps: algorithm avoids the drawbacks of Direct.
The algorithm is based on an important observation: sim-
1.  Base Relations: We first compute the base relations, ilar tuples are likely to be interchangeable within packages. A
such as Rb, Rc, and Rp, with a series of standard SQL group of similar tuples can therefore be “compressed” to a
queries, one for each, or by simply scanning R once single representative tuple for the entire group.
and populating these relations simultaneously. SketchRefine sketches an initial answer package using
2.  ILP Formulation: We transform the PaQL query to an only the set of representative tuples, which is substantially
ILP problem using the rules described in Section 3.1. smaller than the original dataset. This initial solution is
After this phase, all variables xi such that xi = 0 can then refined by evaluating a subproblem for each group, iter-
be eliminated from the ILP problem because the cor- atively replacing the representative tuples in the current
responding tuple ti cannot appear in any package package solution with original tuples from the dataset.
solution. Figure 4 provides a high-level illustration of the three main
3.  ILP Execution: We employ an off-the-shelf ILP solver, steps of SketchRefine:
as a black box, to get a solution to each of the integer
variables xi. Each xi informs the number of times tuple 1.  Offline Partitioning (Section 4.1): The algorithm
ti should be included in the answer package. assumes a partitioning of the data into groups of similar
tuples, with a representative tuple chosen for each
Example 3 (ILP solution). The ILP solver operating on the group. This partitioning is performed offline (not at
program of Figure 3 returns the variable assignments to xi query time).
that lead to the optimal solution; xi = 0 means that tuple ti is 2.  Sketch (Section 4.2.1): SketchRefine sketches an

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 111

research highlights

Figure 4. The original tuples (a) are partitioned into four groups and a representative is constructed for each group (b). The initial sketch
package (c) contains only representative tuples, with possible repetitions up the size of each group. The refine query for group G1 (d)
involves the original tuples from G1 and the aggregated solutions to all other groups (G2, G3, and G4). Group G2 can be skipped (e) because no
representatives could be picked from it. Any solution to previously refined groups is used while refining the solution for the remaining groups
(f and g). The final approximate package (h) contains only original tuples.
Multiplicity of representative Representative and original tuples selected during previous steps, shown by
tuples in the initial package hatching lines, are aggregated and used to modify later refinement queries
G1 G2 G1 G2 G1 G2 G1 G2
2 0 0

G3 G3 G3 G3
2 1 2 1 2 1 1
G4 G4 G4 G4
(a) Original tuples (b) Initial query using (c) Initial package (d) Refinement (e) Skipping G2 (f) Refinement (g) Refinement (h) Final approximate
representative tuples query for group G1 query for group G3 query for group G4 package
PARTITION SKETCH REFINE

initial package by evaluating the package query only setting can lead to an order of magnitude improvement in
over the set of representative tuples. query response time.
3.  Refine (Section 4.2.2): Finally, SketchRefine transforms The diameter bounds, wi j, are not required, but they can
the initial package into a complete package by replacing be enforced to ensure a desired approximation guarantee.
each representative tuple with some of the original tuples In general, enforcing the diameter limits may cause the
from the same group, one group at a time. resulting partitions to become excessively small. While still
SketchRefine always constructs approximate feasible obeying the approximation guarantees, this could increase
packages, that is, packages that satisfy all the query con- the number of resulting partitions and thus degrade the
straints, but with a possibly sub-optimal objective value that running time performance of SketchRefine. This is an
is guaranteed to be within certain approximation bounds. important trade-off between running time and quality that
SketchRefine may suffer from false infeasibility, which we also observe in our experiments, and it is a very common
happens when the algorithm reports a feasible query to be characteristic of most approximation schemes.24
infeasible. The probability of false infeasibility is, however, low Partitioning method. Our partitioning procedure is
and bounded. We formalize these properties in Section 4.3. based on k-dimensional quad-tree indexing.11 The method
In the subsequent discussion, we use R(attr1, …, attrk) to recursively partitions a relation into groups until all the
denote an input relation with k attributes. R is partitioned groups satisfy the size threshold and meet the diameter
into m groups G1, …, Gm. Each group Gi ⊆ R, 1 ≤ i ≤ m, has a limits. First, relation R is augmented with an extra group
representative tuple , which may not always appear in R. ID column gid, such that t.gid = i if tuple t is assigned to
We denote the partitioned space with . group Gi. The procedure initially creates a single group G1
We refer to packages that contain representative tuples as that includes all the original tuples from relation R, by ini-
sketch packages and packages with only original tuples as tializing gid = 1 for all tuples. Our method recursively com-
complete packages (or simply packages). We denote a com- putes the sizes and diameters of the current groups, as well
plete package with p and a sketch package with p , where as the centroid of each group. It then partitions the groups that
 ⊆  is the set of groups that are yet to be refined to trans- violate either the size or the diameter limits, using the cen-
form p to a complete answer package p. troids as partitioning boundaries. In the last iteration, the
centroids for each group become the representative tuples,
~
4.1. Offline partitioning , 1 ≤ i ≤ m, and get stored in a new representative relation R
SketchRefine relies on an offline partitioning of the input (gid, attr1, …, attrk).
relation R into groups of similar tuples. Partitioning is based One-time cost. Partitioning is an expensive procedure.
on a set of partitioning attributes from the input relation R, a Partitioning the data in advance avoids this cost at query
size threshold, and a set of diameter bounds. The size thresh- time. For a known workload, our experiments show that
old t, 1 ≤ t ≤ n, restricts the size of each partitioning group Gi, partitioning the dataset on the union of all query attributes
1 ≤ i ≤ m, to a maximum of t original tuples, that is, |Gi| ≤ t. provides the best performance in terms of query evaluation
The diameter di j ≥ 0 of a group Gi, 1 ≤ i ≤ m, on attribute attrj, 1 time and approximation error for the computed answer
≤ j ≤ k, is the greatest absolute distance between all pairs of package. We also demonstrate that our query evaluation
tuples within group Gi. The diameter bounds, wi j ≥ 0, 1 ≤ i ≤ m, approach is robust to a wide range of partition sizes, and to
1 ≤ j ≤ k, require all diameters to be bounded by di j ≤ wi j. imperfect partitions that cover more or fewer attributes
Setting the partitioning parameters. The size threshold, than those used in a particular query. This means that,
t, affects the number of partitions, m: a lower t leads to even without a known workload, a partitioning performed
smaller partitions, but more of them (larger m). For best on all of the data attributes still provides good perfor-
response time of SketchRefine, t should be set so that mance. Note that the same partitioning can be used to sup-
both m and t are small. Our experiments show that a proper port different queries over the same dataset. In our

112 COMM UNICATIO NS O F T H E ACM | F EBR UA RY 201 9 | VO L . 62 | N O. 2

experiments, we show that a single partitioning performs • It derives package from p , by eliminating all
consistently well across different queries. instances of from p . That is, = p  \  . This is a solu-
tion to all groups except Gi.
4.2. Query evaluation with SketchRefine • The algorithm then constructs a refine query, i(p ),
During query evaluation, SketchRefine first sketches a which searches for a set of tuples pi ⊆ Gi to replace the
package solution using the representative tuples (Sketch), eliminated representatives:
and then it refines it by replacing representative tuples with
original tuples (Refine). We describe these steps using the i
( p ): SELECT   PACKAGE(*) AS pi
example query from Figure 2. FROM   Gi REPEAT 0
~
Sketch. Using the representative relation R produced by WHERE    Gi .gluten = ‘free’
the partitioning, the Sketch procedure constructs and eval- SUCH THAT
~
uates a sketch query, (R). The result is an initial sketch pack- COUNT( pi.*) + COUNT( .*) = 3 AND
age, p , containing representative tuples that satisfy the SUM(pi.kcal) + SUM( .kcal) BETWEEN 2.0 AND 2.5
same constraints as the original query : MINIMIZE    SUM(pi.sat_fat)

~
(R): SELECT    PACKAGE(*) AS p •  The algorithm adds the result of i(p ), pi, in the current
~
FROM     R solution, p . Now, group Gi is refined with actual tuples.
~
WHERE    R.gluten = ‘free’
SUCH THAT In i( p ), COUNT( .*) and SUM( .kcal) are values com-
COUNT( p .*) = 3 AND puted directly on before the query is formed. They are
SUM( p .kcal) BETWEEN 2.0 AND 2.5 AND
  used to modify the original constraint bounds to account for
(select count(*) from p where gid = 1) ≤ |G1| tuples and representatives already chosen for all the other
AND … groups. The global constraints in i(p ) ensure that the combi-
(select count(*) from p where gid = m) ≤ |Gm| nation of tuples in pi and satisfy the original query .
MINIMIZE  SUM( p .sat_fat) Thus, this step produces the new refined sketch package
p′ ′ = pi ∪ pi, where ′ = .
The new global constraints (in bold) ensure that every Since Gi has at most t tuples, the ILP problem correspond-
representative tuple does not appear in p more times ing to i(p ) has at most t variables. This is typically small
than the size of its group, Gi. This accounts for the repeti- enough for the black-box ILP solver to solve using the Direct
tion constraint REPEAT 0 in the original query. method. Similar to the sketch query, if t is too large,
Generalizing, with REPEAT ρ, each can be repeated up to SketchRefine can evaluate the query recursively: the tuples in
~
|Gi|(1 + ρ) times. These constraints are omitted from (R) if group Gi are further partitioned into smaller groups until the
the original query does not contain a repetition subproblems reach a size that can be efficiently solved
constraint. directly.
~
Since the representative relation R contains exactly m Ideally, the Refine step will only process each group with
representative tuples, the ILP problem corresponding to representatives in the initial sketch package once. However,
this query has only m variables. This is typically small the order of refinement matters as each refinement step is
enough for the black-box ILP solver to manage directly, greedy: it selects tuples to replace the representatives of a
and thus we can solve this package query using the Direct single group, without considering the effects of this choice
method. If m is too large, we can solve this query recur- on other groups. As a result, a particular refinement step
sively with SketchRefine: the set of m representatives may render the query infeasible (no tuples from the remain-
is further partitioned into smaller groups until ing groups can satisfy the constraints). When this occurs,
the subproblems reach a size that can be efficiently Refine employs a greedy backtracking strategy that recon-
solved directly. siders groups in a different order.
~
The Sketch procedure fails if the sketch query (R) is Greedy backtracking. Refine activates backtracking when
infeasible, in which case SketchRefine reports the orig- it encounters an infeasible refine query, i(p ). Backtracking
inal query as infeasible. This may constitute false infea- greedily prioritizes the infeasible groups. This choice is moti-
sibility, if is actually feasible. In Section 4.3, we show vated by a simple heuristic: if the refinement on Gi fails, it is
that the probability of false infeasibility is low and likely due to choices made by previous refinements; there-
bounded. fore, by prioritizing Gi, we reduce the impact of other groups
Refine. Using the sketched solution over the represen- on the feasibility of i(p ). This heuristic does not affect the
tative tuples, the Refine procedure iteratively replaces approximation guarantees.
the representative tuples with tuples from the original The algorithm logically traverses a search tree (which is
relation R, until no more representatives are present in only constructed as new branches are created and new
the package. The algorithm refines the sketch package nodes visited), where each node corresponds to a unique
p one group at a time. For a group Gi with representative sketch package p . The traversal starts from the root, corre-
, let ⊆ p be the set of representatives picked from sponding to the initial sketch package, where no groups
Gi (i.e., with possible duplicates). The algorithm pro- have been refined ( = ), and finishes at the first encoun-
ceeds as follows: tered leaf, corresponding to a complete package ( = ). The

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 113

research highlights

algorithm terminates as soon as it encounters a complete our techniques for package query execution on real-world
package, which it returns. The algorithm assumes a (ini- data. The results show the following properties of our meth-
tially random) refinement order for all groups in and ods: (1) SketchRefine evaluates package queries an order of
places them in a priority queue. During refinement, this magnitude faster than Direct; (2) SketchRefine scales up to
group order can change by prioritizing groups with infea- sizes that Direct cannot handle directly; (3) SketchRefine
sible refinements. produces packages of high quality (similar objective value as
Runtime complexity. In the best case, all refine queries the packages returned by Direct). We have also performed
are feasible and the algorithm never backtracks. In this case, extensive experiments on benchmark data that demonstrate
the algorithm makes up to m calls to the ILP solver to solve the robustness of SketchRefine under imperfect partition-
problems of size up to t, one for each refining group. In the ing and different approximation parameters.4, 5
worst case, SketchRefine tries every group ordering lead-
ing to an exponential number of calls to the ILP solver. Our 5.1. Experimental setup
experiments show that the best case is the most common We implemented our package evaluation system as a layer
and backtracking occurs infrequently. on top of PostgreSQL.a The system interacts with the DBMS
via SQL and uses IBM’s CPLEX12 as the black-box ILP solver.
4.3. Theoretical guarantees A package is materialized into the DBMS as a relation, only
We present two important results on the theoretical guaran- when necessary (e.g., to compute its objective value). The
tees of SketchRefine: (1) it produces packages that closely experiments compare Direct with SketchRefine. Both
approximate the objective value of the packages produced methods use the PaQL to ILP translation presented in
by Direct; (2) the probability of false negatives (i.e., queries Section 3.1: Direct translates and solves the original query;
incorrectly deemed infeasible) is low and bounded. The SketchRefine translates and solves the subqueries. We
extended version of this work4 includes the formal proofs of demonstrate the performance of our query evaluation meth-
both results. ods using a real-world dataset consisting of approximately
For a desired approximation parameter e, we can derive 5.5 million tuples extracted from the Galaxy view of the
diameter bounds wi j for the offline partitioning that guaran- SDSS,22 and a workload of seven feasible package queries
tee that SketchRefine will produce a package with objec- (Figure 5) constructed by adapting some of the real-world
tive value (1±e)-factor close to the objective value of the sample SQL queries available directly from the SDSS
solution generated by Direct for the same query. Website. The experiments use the following efficiency and
effectiveness metrics:
Theorem 1 (Approximation Bounds). Let R(attr1, . . ., attrk) Response time. We measure response time as wall-clock
be a relation with k attributes, and let be a feasible package time to generate an answer package. This includes the time
query with a maximization (minimization, resp.) objective over to translate the PaQL query into one or several ILP problems,
R. Let S be an exact solver that produces an answer to with the time to load the problems to the solver, and the time the
optimal objective value OPT. We denote with ALG the objective solver takes to produce a solution.
value of the package returned by SketchRefine using S as a Approximation ratio. We compare the objective value of a
black-box solver. For any e ∈ [0, 1) (e ∈ [0, ∞), resp.), there package returned by SketchRefine with the objective value
exists b ∈ [0, 1) (b ∈ [1, ∞), resp.) that depends on e, such that if of the package returned by Direct on the same query. Using
R is partitioned into m groups with diameter limits: ObjS and ObjD to denote the objective values of SketchRefine
and Direct, respectively, we report the empirical approxima-
(1) tion ratio for maximization queries, and for minimiza-
tion queries. An approximation ratio of one indicates that
then ALG ≥ (1 − e)OPT (ALG ≤ (1 + e)OPT, resp.). SketchRefine produces a solution with same objective
value as the solution produced by the solver on the entire
For a feasible query , false infeasibility may happen in two problem. The higher the approximation ratio, the lower the
~
cases: (1) when the sketch query (R) is infeasible; (2) when quality of the result package.
greedy backtracking fails (possibly due to suboptimal parti-
tioning). In both cases, SketchRefine would (incorrectly) 5.2. Results and discussion
report a feasible package query as infeasible. False negatives We evaluate two fundamental aspects of our algorithms: (1)
are, however, extremely rare, as the following theorem
establishes. a
  Our code is publicly available on our project Website: http://packagebuilder.
cs.umass.edu.
Theorem 2 (False-infeasibility Bounds). For any query
and any random package P, if P is feasible for , then with high
~ Figure 5. Summary of queries in the Galaxy workload. The full PaQL
probability: (1) the Sketch query (R) is feasible; (2) all queries appear in the extended version of this work.4
Refine queries i(p ), 1 ≤ i ≤ m, are feasible. Thus,
Query
SketchRefine returns a feasible result. Objective
1
max min
2 3
min min
4
min
5
min
6
max
7

# of SUM constraints 2 4 2 1 1 5 5
5. EXPERIMENTAL EVALUATION COUNT (∗) BETWEEN 5 AND 10

This section presents an extensive experimental evaluation of

114 CO M MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

their query response time and approximation ratio with for this query across all data sizes. We observe that Direct
increasing dataset sizes; (2) the impact of varying partition- can scale up to millions of tuples in three of the seven que-
ing size thresholds, t, on SketchRefine’s performance. ries. Its runtime performance degrades, as expected, when
Query performance as dataset size increases. The first set data size increases, but even for very large datasets Direct is
of experiments evaluates the scalability of our methods on usually able to answer the package queries in less than a few
input relations of increasing size. First, we partition each minutes. However, Direct has high failure rate for some of
dataset using the union of all package query attributes in the the queries, indicated by the missing data points in some
workload: we refer to these partitioning attributes as the graphs (queries Q2, Q3, Q6, and Q7). This happens when
workload attributes. We do not enforce diameter conditions, CPLEX uses the entire available main memory while solving
wi j, during partitioning for three reasons: (1) because the the corresponding ILP problems. For some queries, such as
diameter conditions may affect the size of the resulting par- Q3 and Q7, this occurs with bigger dataset sizes. However,
titions, and we want to tightly control the partition size for queries Q2 and Q6, Direct even fails on small data. This
through the parameter t; (2) to show that an offline parti- is a clear demonstration of one of the major limitations of
tioning can be used to answer efficiently and effectively both ILP solvers: they can fail even when the dataset can fit in
maximization and minimization queries, even though they main memory, due to the complexity of the integer problem.
would normally require different diameters; (3) to demon- In contrast, our scalable SketchRefine algorithm is able to
strate the effectiveness of SketchRefine in practice, even perform well on all dataset sizes and across all queries.
without having theoretical guarantees in place. SketchRefine consistently performs about an order of
We perform offline partitioning with partition size magnitude faster than Direct across all queries. Its run-
threshold t set to 10% of the dataset size. We derive the par- ning time is consistently below one or two minutes, even
titionings for the smaller data sizes (less than 100% of the when constructing packages from millions of tuples.
dataset), by randomly removing tuples from the original Both the mean and median approximation ratios are very
partitions. This operation is guaranteed to maintain the low, usually all close to one or two. This shows that the sub-
size condition. stantial gain in running time of SketchRefine over Direct
Figure 6 reports our scalability results on the Galaxy does not compromise the quality of the resulting packages.
workload. The figure displays the query response time in Our results indicate that the overhead of partitioning with
seconds on a logarithmic scale, averaged across 10 runs for diameter limits is often unnecessary in practice. Since the
each datapoint. At the bottom of each plot, we also report approximation ratio is not enforced, SketchRefine can
the mean and median approximation ratios across all data- potentially produce bad solutions, but this happens rarely.
set sizes. The graph for Q2 does not report approximation Effect of varying partition size threshold. In the second
ratios because Direct evaluation fails to produce a solution set of experiments, we vary t, which is used during

Figure 6. Scalability on the Galaxy workload. SketchRefine uses an offline partitioning computed on the full dataset, using the workload
attributes, t = 10% of the dataset size, and no diameter condition. Direct scales up to millions of tuples in about half of the queries, but it fails
on the other half. SketchRefine scales well in all cases and runs about an order of magnitude faster than Direct. Its approximation ratio is
always low, even though the partitioning is constructed without diameter conditions.
Direct SketchRefine
1 2 3 4 5 6 7

102
10 2
10 2 102 10 2
10 2
Time (s)

101 101 10 1 101 101 10 1

101
0
10
10% 40% 70% 100% 10% 40% 70% 100% 10% 40% 70% 100% 10% 40% 70% 100% 10% 40% 70% 100% 10% 40% 70% 100% 10% 40% 70% 100%
Dataset size Dataset size Dataset size Dataset size Dataset size Dataset size Dataset size
Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio:
Mean: 1.00, Median: 1.00 Mean: —, Median: — Mean: 1.13, Median: 1.06 Mean: 2.76, Median: 2.67 Mean: 1.00, Median: 1.00 Mean: 1.00, Median: 1.00 Mean: 1.01, Median: 1.00

Figure 7. Impact of partition size threshold t on the Galaxy workload, using 30% of the original dataset. Partitioning is performed at each
value of t using all the workload attributes, and with no diameter condition. The baseline Direct and the approximation ratios are only shown
when Direct is successful. The results show that t has a major impact on the running time of SketchRefine, but almost no impact on the
approximation ratio. Direct can be an order of magnitude faster than Direct with proper tuning of t.
Direct SketchRefine
1 2 3 4 5 6 7

102 102 102

10 2 10 2 102 102
Time (s)

10 1
101 101 101
101 101 101
6 4 2 6 4 2 6 4 2 6 4 2
106 104 102 106 104 102 10 10 10 10 10 10 10 10 10 10 10 10 106 104 102
Partition size threshold Partition size threshold Partition size threshold Partition size threshold Partition size threshold Partition size threshold Partition size threshold
Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio: Approximation ratio:
Mean: 1.00, Median: 1.00 Mean: —, Median: — Mean: —, Median: — Mean: 1.78, Median: 1.01 Mean: 1.00, Median: 1.00 Mean: —, Median: — Mean: 1.01, Median: 1.00

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 115

research highlights

partitioning to limit the size of each partition, to study its efficiently, that behave well under the many possible realiza-
effects on the query response time and the approximation tions of the uncertain data.
ratio of SketchRefine. In all cases, along the lines of the Another open problem is to efficiently handle incremental
previous experiments, we do not enforce diameter condi- package queries to enable user-facing, interactive constrained
tions. Figure 7 show the results obtained on the Galaxy work- optimization applications such as vacation planning. Rather
load, using 30% of the original data. We vary t from higher than calling the solver for each incremental query variation
values corresponding to fewer but larger partitions, on the from scratch, we are exploring the use of efficient database
left-hand size of the x-axis, to lower values, corresponding to techniques, such as top-k querying, to provide faster, albeit
more but smaller partitions. When Direct is able to pro- approximate, solutions for interactive applications.
duce a solution, we also report its running time (horizontal
line) as a baseline for comparison. Acknowledgments
The results show that the partition size threshold has a This research is supported by the National Science Foundation
major impact on the execution time of SketchRefine, with under grants IIS-1420941, IIS-1421322, and IIS-1453543.
extreme values of t (either too low or too high) often resulting References In KDD '09 Proceedings of the 15th
in slower running times than Direct. With bigger partitions, 1. Alagoz, O., Schaefer, A.J., Roberts, M.S. ACM SIGKDD International
Optimizing Organ Allocation and Conference on Knowledge Discovery
on the left-hand side of the x-axis, SketchRefine takes about Acceptance. Springer, Boston, MA, and Data Mining (Paris, France, June
the same time as Direct because both algorithms solve prob- 2009, 1–24. 28–July 01, 2009) ACM, NY, 467–476.
2. Baykasoglu, A., Dereli, T., Das, S. 14. Makuch, W.M., Dodge, J.L., Ecker, J.G.,
lems of comparable size. When the size of each partition starts Project team selection using fuzzy Granfors, D.C., Hahn, G.J. Managing
to decrease, moving from left to right on the x-axis, the optimization approach. Cybern. Syst. consumer credit delinquency in the us
38, 2 (2007), 155–185. economy: A multi-billion dollar
response time of SketchRefine decreases rapidly, reaching 3. Bisschop, J. AIMMS Optimization management science application.
about an order of magnitude improvement with respect to Modeling. Paragon Decision Interfaces 22, 1 (1992), 90–109.
Technology, 2006. 15. Meliou, A., Suciu, D. Tiresias: The
Direct. Most of the queries show that there is a “sweet spot” 4. Brucato, M., Abouzied, A., Meliou, A. database oracle for how-to queries.
at which the response time is the lowest: when all partitions Package queries: efficient and In SIGMOD '12 Proceedings of the
scalable computation of high-order 2012 ACM SIGMOD International
are small, and there are not too many of them. This point is constraints. VLDB J. (Oct. 2017). Conference on Management of Data
consistent across different queries, showing that it only 5. Brucato, M., Beltran, J.F., Abouzied, (Scottsdale, Arizona, USA, May
A., Meliou, A. Scalable package 20–24, 2012) ACM, NY, 337–348.
depends on the input data size. After that point, although the queries in relational database 16. Padberg, M., Rinaldi, G. A branch-and-
partitions become smaller, the number of partitions starts to systems. PVLDB 9, 7 (2016), 576–587. cut algorithm for the resolution of
6. Brucato, M., Ramakrishna, R., Abouzied, large-scale symmetric traveling
increase significantly. This increase has two negative effects: it A., Meliou, A. PackageBuilder: From salesman problems. SIAM Rev. 33, 1
tuples to packages. PVLDB 7, 13 (2014), (1991), 60–100.
increases the number of representative tuples, and thus the 1593–1596. 17. Parameswaran, A.G., Venetis, P.,
size and complexity of the initial Sketch query, and it 7. Chen, D.-S., Batson, R.G., Dang, Y. Garcia-Molina, H. Recommendation
Applied Integer Programming: systems with complex constraints: A
increases the number of groups that Refine may need to Modeling and Solution. John Wiley & course recommendation perspective.
refine to construct the final package. This causes the running Sons, 2011. ACM TOIS 29, 4 (2011), 1–33.
8. Cook, W., Hartmann, M. On the 18. Pinel, F., Varshney, L.R. Computational
time of SketchRefine, on the right-hand side of the x-axis, to complexity of branch and cut creativity for culinary recipes. In CHI
increase again and reach or surpass the running time of methods for the traveling salesman EA ‘14 CHI ‘14 Extended Abstracts on
problem. Polyhedral Comb. 1 (1990), Human Factors in Computing Systems
Direct. The mean and median approximation ratios are in all 75–82. (Toronto, Ontario, Canada, April
cases very close to one, indicating that SketchRefine retains 9. De Choudhury, M., Feldman, M., 26–May 01, 2014) ACM, NY, 439–442.
Amer-Yahia, S., Golbandi, N., Lempel, R., 19. Rushmeier, R.A., Kontogiorgis, S.A.
very good quality regardless of the partition size threshold. Yu, C. Automatic construction of travel Advances in the optimization of airline
itineraries using social breadcrumbs. fleet assignment. Transp. Sci. 31, 2
In Proceedings of the 21st ACM (1997), 159–169.
6. CONCLUSION AND FUTURE WORK Conference on Hypertext and 20. Sauer, O.A., Shepard, D.M., Mackie, T.R.
We introduced a complete system that supports the declarative Hypermedia (Toronto, Ontario, Canada, Application of constrained optimization
June 13–16, 2010) ACM, NY, 35–44. to radiotherapy planning. Med. Phys.
specification and efficient evaluation of package queries. We 10. Deng, T., Fan, W., Geerts, F. On the 26, 11 (1999), 2359–2366.
presented PaQL, a declarative extension to SQL, and we devel- complexity of package 21. Terrer, J.M.A., Benede, M.A.N.,
recommendation problems. In PODS del Rio, E.B., Llanas, S.C. A feasible
oped a flexible approximation method, with strong theoretical ‘12 Proceedings of the 31st ACM application of constrained optimization
SIGMOD-SIGACT-SIGAI in the IMRT system. IEEE Trans.
guarantees, for the evaluation of PaQL queries on large-scale Symposium on Principles of Database Biomed. Eng. 54, 3 (2007), 370–379.
datasets. Our experiments on real-world data demonstrate that Systems (Scottsdale, Arizona, USA, 22. The Sloan Digital Sky Survey. http://
May 21–23, 2012) ACM, NY, 261–272. www.sdss.org/.
our scalable evaluation strategy is effective and efficient over 11. Finkel, R.A., Bentley, J.L. Quad trees 23. Wang, X., Dong, X.L., Meliou, A. In
varied data sizes and queries. We have further extended our a data structure for retrieval on SIGMOD '15 Proceedings of the 2015
composite keys. Acta Inf. 4, 1 ACM SIGMOD International
techniques and experimental evaluation and placed our (1974), 1–9. Conference on Management of Data
research in the context of related work.4 12. IBM CPLEX Optimization Studio. (Melbourne, Victoria, Australia, May
http://www.ibm.com/software/ 31–June 04, 2015) ACM, NY,
Our work so far focused on deterministic package queries, commerce/optimization/cplex- 1231–1245.
but many applications of constrained optimization require sup- optimizer/. 24. Williamson, D.P., Shmoys, D.B. The
13. Lappas, T., Liu, K., Terzi, E. Finding a Design of Approximation Algorithms.
port for uncertainty: airline fleet scheduling has uncertain pas- team of experts in social networks. Cambridge University Press, 2011.
senger demands, or investment portfolio optimization deals
with uncertain returns and risks, etc. We are currently working Matteo Brucato and Alexandra Meliou Azza Abouzied (azza@nyu.edu),
on extending our system to support optimization of the ({matteo,ameli}@cs.umass.edu), College Computer Science, New York University,
of Information and Computer Sciences, Abu Dhabi, UAE.
expected value of an objective function subject to expectation University of Massachusetts, Amherst,
constraints of the form E(SUM(x) ) ≥ b, or probabilistic con- MA, USA.

straints of the form SUM(x) ≥ b WITH PROBABILITY ≥ 95%. The

challenge is to ensure robust optimal solutions, computed © 2019 ACM 0001-0782/19/2 $15.00

116 CO M MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

 CAREERS

Southern University of Science and To apply, please provide a cover letter iden- level of appointment. Successful applicants are
Technology (SUSTech) tifying the primary area of research, curriculum expected to show evidence of a quality research
Tenure-Track Faculty Positions vitae, and research and teaching statements, and program, effective collaboration with other fac-
forward them to cshire@sustc.edu.cn. ulty, and excellence in teaching at both the gradu-
The Department of Computer Science and Engi- ate and undergraduate levels.
neering (CSE, http://cse.sustc.edu.cn/en/), South- The Computer Science Department has 25
ern University of Science and Technology (SUS- Stevens Institute of Technology faculty members (17 tenured/tenure-track facul-
Tech) has multiple Tenure-track faculty openings ECE Department ty), over 700 undergraduates in an ABET-accred-
at all ranks, including Professor/Associate Profes- Assistant/Associate/Full Professor ited program, and approximately 40 graduate
sor/Assistant Professor. We are looking for out- students. Current faculty members are funded
standing candidates with demonstrated research The Department of Electrical and Computer at by agencies such as NSF, Google, Departments of
achievements and keen interest in teaching, in Stevens Institute of Technology invites applica- Education and Commerce, various Defense agen-
the following areas (but are not restricted to): tions for several tenure-track/tenured faculty cies, multiple State agencies and other sponsors.
˲˲ Data Science positions at the rank of Assistant/Associate/Full Applicants should apply online at https://fac-
˲˲ Artificial Intelligence Professors, starting on August 16, 2019 or later. ultyjobs.ua.edu. For additional details, please
˲˲ Computer Systems (including Networks, Cloud Qualified candidates can also be considered for contact Dr. Yang Xiao (yangxiao@cs.ua.edu) or
Computing, IoT, Software Engineering, etc.) an endowed chair professor position. visit http://cs.ua.edu.
˲˲ Cognitive Robotics and Autonomous Systems Applicants should have earned a Ph.D. in Elec- The University of Alabama is an Equal Em-
˲˲ Cybersecurity (including Cryptography) trical or Computer Engineering or a related disci- ployment/Equal Educational Opportunity In-
Applicants should have an earned Ph.D. de- pline. The department is looking for researchers stitution. All qualified applicants will receive
gree and demonstrated achievements in both with a strong funding and publication record consideration for employment without regard to
research and teaching. The teaching language at in key areas of interest: artificial intelligence, race, color, religion, national origin, sex, sexual
SUSTech is bilingual, either English or Putong- computer architecture, smart and automated orientation, gender identity, gender expression,
hua. It is perfectly acceptable to use English in all systems, electronics and digital system design. pregnancy, age, genetic or family medical history
lectures, assignments, exams. In fact, our exist- Successful applicants are expected to develop a information, disability, or protected veteran sta-
ing faculty members include several non-Chinese strong externally funded, globally recognized re- tus, or any other legally protected basis, and will
speaking professors. search program. They should also possess a pas- not be discriminated against because of their pro-
Established in 2012, the Southern University sion for and be committed to excellence in both tected status. Applicants to and employees of this
of Science and Technology (SUSTech) is a public undergraduate and graduate education. institution are protected under Federal law from
institution funded by the municipal of Shenzhen, Stevens Institute of Technology is a private discrimination on several bases.
a special economic zone city in China. Shenzhen university located in Hoboken, New Jersey. Ste-
is a major city located in Southern China, situ- vens is an Equal Opportunity Employer that is
ated immediately north to Hong Kong Special building a diverse faculty, staff and student body University of South Carolina
Administrative Region. As one of China’s major and strongly encourages applications from fe- Director of Artificial Intelligence Institute
gateways to the world, Shenzhen is the country’s male and minority candidates as well as veterans
fastest-growing city in the past two decades. The and individuals with disabilities. Stevens is an The University of South Carolina is initiating a
city is the high-tech and manufacturing hub of NSF ADVANCE institution committed to equi- search for the Director of the new Artificial Intel-
southern China, home to the world’s third-busiest table practices and policies. ligence Institute. The pan-University Institute
container port, and the fourth-busiest airport on Applications will be accepted until the po- is expected to engage core and affiliated faculty
the Chinese mainland. As a picturesque coastal sitions are filled. All applications must be sub- from a range of disciplines. The College of En-
city, Shenzhen is also a popular tourist destina- mitted electronically through the HR website at gineering and Computing is well positioned to
tion and was named one of the world’s 31 must- https://stevens.wd5.myworkdayjobs.com/en-US/ support this University-wide Institute and is in
see tourist destinations in 2010 by The New York External/job/Hoboken-NJ---Main-Campus/Assis- the midst of expanding its tenured and tenure-
Times. Shenzhen ranks the 66th place on the 2017 tant-Associate-Professor--Electrical-and-Com- track ranks by over 40 faculty members. The Di-
Global City Competitiveness List, released by puter-Engineering_RQ22188. Applicants should rector will be expected to create the vision for the
the National Academy of Economic Strategy, the submit their curriculum vitae, a research plan Institute and lead it to international prominence
Chinese Academy of Social Sciences and United (3-5 pages), teaching interests and philosophy, in several areas of research, real-world applica-
Nations Habitat. By the end of 2016, there were and contact information including at least three tions, work-force preparation, and job creation
around 20 million residents in Shenzhen. references to the HR system. For any inquiries, in intelligent systems.
SUSTech is committed to increase the di- please contact the Search Committee Chair, Prof. The new Director will have the opportunity to
versity of its faculty, and has a range of family- Hong Man (hong.man@stevens.edu). grow strategic areas of research and oversee in-
friendly policies in place. The university offers novation of curricula, as well as hire the core fac-
competitive salaries and fringe benefits includ- ulty and attract as affiliates several dozen faculty
ing medical insurance, retirement and housing University of Alabama members across the university, and spanning all
subsidy, which are among the best in China. Sal- Computer Science Faculty Position – fields (medicine, pharmacy, public health, educa-
ary and rank will commensurate with qualifica- Cybersecurity tion, journalism, social work, nursing, business,
tions and experience. humanities, physical sciences, engineering, and
We provide some of the best start-up packages The University of Alabama is accepting applica- computing). The Institute will be housed centrally
in the sector to our faculty members, including tions for an Associate or Full Professor in the area in the University, and the Director will have signif-
one PhD studentship per year, in addition to a of Cybersecurity to begin August 2019. A Ph.D. icant input into design and function of the space.
significant amount of start-up funding (which in Computer Science or a closely related field is The Director will be expected to:
can be used to fund additional PhD students required. Applicants must demonstrate a strong ˲˲ Conduct convergent, team-oriented, high im-
and postdocs, research travels, and research external funding record, publication record, and pact research, with a substantial portfolio of com-
equipments). Ph.D. graduation rate commensurate with this petitive and institute-scale research funds from

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 117

CAREERS

external sponsors. lated field) must be commensurate with appoint-

˲˲ Engage with key industries/services in the re- ment as a full professor with tenure. The applicant
gion and foster an entrepreneurial ecosystem must also show clear evidence of commitment to
ACM Journal of with joint projects, technology transfer, and start- diversity, equity, and inclusion through research,
up formation. teaching, and/or service efforts.
Data and ˲˲ Advance AI education and training programs Review of applications will begin immediately
across the University and the State. and continue until the position is filled. Expected
Information Quality ˲˲ Position the Institute for national prominence
in niche areas within 5 years.
start date is August 16, 2019. Interested appli-
cants will apply online at http://uscjobs.sc.edu/
Providing Research and Tools ˲˲ Lead multidisciplinary project teams postings/46728 with: (1) a letter of intent, (2)
˲˲ Serve as a mentor to junior faculty and stu- curriculum vitae, (3) a concise description of re-
for Better Data dents. search plans, and (4) names and contact informa-
Applicants must be of international stature tion of 5 references.
with an exceptional record of published research Questions about the search may be directed
in high-quality journals, demonstrated ability to to: DirectorAIsearch@cec.sc.edu.
ACM JDIQ is a multi- attract significant funding from multiple sources,
outstanding leadership and administrative skills,
The University of South Carolina does not dis-
criminate in educational or employment oppor-
disciplinary journal and a history of successful graduate student su-
pervision. Their record (including an earned
tunities on the basis of race, color, religion, na-
tional origin, sex, sexual orientation, gender, age,
that attracts papers Ph.D. degree in computer science or a closely-re- disability, protected veteran status, or genetics.

ranging from
theoretical research
to algorithmic solutions
to empirical research
to experiential
evaluations. Its
mission is to publish ADVERTISING IN
high impact articles CAREER OPPORTUNITIES
contributing to the
field of data and How to Submit a Classified Line Ad:
Send an e-mail to acmmediasales@acm.org. Please include text,
information quality (IQ). and indicate the issue/or issues where the ad will appear, and a
contact name and number.

Estimates:
An insertion order will then be e-mailed back to you. The ad will
by typeset according to CACM guidelines. NO PROOFS can be sent.
Classified line ads are NOT commissionable.

Deadlines:
20th of the month/2 months prior to issue date. For latest deadline
info, please contact:
acmmediasales@acm.org

Career Opportunities Online:

Classified and recruitment display ads receive a free duplicate
listing on our website at:
http://jobs.acm.org
For further information
Ads are listed for a period of 30 days.
or to submit your For More Information Contact:
manuscript, ACM Media Sales
at 212-626-0686 or
visit jdiq.acm.org acmmediasales@acm.org

118 COM MUNICATIO NS O F TH E AC M | F EBR UA RY 201 9 | VO L . 62 | N O. 2

 last byte

[ C ONTI N U E D FRO M P. 120] I had to porated the now-networked humans

compete with only a few other can- into a new node of the swarm.
didates to get this six-month detail. Power consumption Once the alien swarm had as-
Do you think there are beings on Prox skyrocketed similated them into its hive mind, it
Cen b who can receive the message, quickly assessed and identified the
as modulated in the infrared beam, as the networked most advanced human technology
and actually respond?” humans on Earth it could exploit—blockchain.1 The
Shekhov grinned, “Now you are test- alien hive quivered with delight at
ing my faith in the mission and the and aliens aboard the prospect of adding ironclad re-
skills of its managers in mission con- the mother ship liability to each transaction among
trol on Earth. I would not be here long network members in its Wi-Fi net-
if I doubted the mission’s scientific burdened each work by implementing distributed
value and ultimate success.” transaction virtual ledgers. With blockchain, ra-
Caruthers said, “Stephen Hawking, dio interference would never corrupt
the English professor, warned that if we with cryptographic the network’s transactions, ensuring
contacted space aliens, we would inevi- virtual ledger perfect command and control of its
tably risk some kind of attack. We’d be at members and their collective will.
such a disadvantage technologically and updates. The swarm thus converted all of its
intellectually. We’d be overwhelmed in transactions to blockchain and sent a
no time and decimated like the indige- radio transmission back to Prox Cen
nous natives of the Americas at the time b mission control propagating the
of the conquistadors. Our command blockchain technology to neighbor-
of all the resources on our ancient but ing nodes in the Earthly galactic arm.
familiar Earth and Moon wouldn’t be swarm in the Earth’s arm of the Milky Power consumption skyrocketed
enough to protect us.” Way Galaxy, compliant with the hive as the networked humans on Earth
“Hawking was projecting his guilt imperative to exploit Solar System re- and aliens aboard the mother ship
for the sins of the European empires sources. burdened each transaction with cryp-
in the colonies, along with his own The mother ship now disgorged tographic virtual ledger updates. Un-
infirmities and impending mortal- several thermonuclear devices, deto- sustainable heat built up in the cir-
ity. Just a timid old professor, he was. nating them in low orbits above ma- cuits, the mother ship’s processors
I think aliens really might respond to jor cities where the electromagnetic were overwhelmed and exploded, and
the message in the laser beam. They pulses would render human power the neural connectors to the humans
might greet us as fellow intelligent be- and computer grids nonfunctional. shorted out, leaving only an eerie elec-
ings in the endless Universe, but there The descriptions of human culture tric blue glow that briefly filled the So-
is no chance they could harm us. For and technology the swarm received in lar System, before winking out.
one thing, they are probably simply too the laser transmission back on Prox Shekhov, Caruthers, and the other
far away, not only in distance but in the Cen b, and now on their mother ship, humans still on the Moon heard pan-
technological advancement we can ex- made the task straightforward. A few icked messages from the last free hu-
pect from future human generations as retaliatory ICBMs were launched by mans on Earth via the comsat. They
they come and go many times over.” Russia, the U.K., and the U.S. but were feared for all humankind, but the
Caruthers said, “Do you think they quickly disabled by the mother ship’s exponential blockchain wave of net-
could decode the message in the laser high-energy particle cannons, doing worked destruction made short work
modulation?” no damage other than alert the Earth’s of the aliens and their threat. The
“It’s complex,” Shekhov admitted. human population to the aliens’ over- crew of the Hawking’s Nightmare fa-
“If aliens really do exist, we probably whelming force. cility then received another message
will have to wait for them to decipher It seemed Hawking would be proved from mission control in Moscow via
it and compose an intelligent reply we right. the comsat: Shut the laser. It had ful-
would be able to interpret.” Pods filled with billions of filled its purpose—establishing we
... minidrones entered the atmosphere are not alone but would probably pre-
Even as Shekhov gave Caruthers a and aerobraked until they reached the fer to be.
tour of the habitat, the alien mother troposphere, then dispersed on wings
ship from the Prox Cen b node used its like a swarm of attacking hornets. They Reference
1. Church, Z. Blockchain, explained. MIT Sloan School of
titanic antimatter engines to deceler- flew through the night air, identifying Management, May 25, 2017; http://mitsloan.mit.edu/
humans and their structures through ideas-made-to-matter/blockchain-explained
ate into an orbit 200 km above Earth’s
equator and scanned the now-terrified their infrared profiles and attached
David Allen Batchelor (batchelor@alum.mit.edu) is
population centers below. The primi- themselves with neural-connection a scientist and computer engineer for data systems at
tives, in their view, were still using electrodes to their brainstems, reduc- NASA Goddard Space Flight Center, Greenbelt, MD. His
first science fiction novel, The Metalmark Contract, was
vulnerable electromagnetic technol- ing them to compliant zombies. An published in 2011 by Black Rose Writing, Castroville, TX.
ogy so would be easily subdued into alien global Wi-Fi network of neural
harmless members of the processor commands and control quickly incor- © 2019 ACM 0001-0782/19/2 $15.00

F E B R UA RY 2 0 1 9 | VO L. 6 2 | N O. 2 | C OM M U N IC AT ION S OF T H E ACM 119

last byte

From the intersection of computational science and technological speculation,

with boundaries limited only by our ability to imagine what could be.

DOI:10.1145/3303769 David Allen Batchelor

Future Tense
Hawking’s Nightmare
Stephen Hawking warned us not to contact E.T.

YU R I SH EKH OV WA S outside the lunar rendezvous with an orbiting booster

habitat in his space suit, preparing to for its return to Earth. Shekhov and
watch the supply shuttle from Earth the newcomer cycled through the
fire its retro rockets and land. The sun habitat airlock and removed their
glinted off the windows of the boxy helmets inside the habitat.
crew module, attached to its strange The newcomer’s helmet came off
collection of spherical pressurized fuel and freed a glorious halo of curly red
tanks, rocket nozzles, and articulated hair that expanded into the low-gravity
cushioned footpads, as it hovered sus- environment. “Andrea Caruthers re-
pended atop its rocket exhaust, care- porting for duty sir,” she said.
fully lowering itself onto the landing “Welcome,” said Shekhov. “Today
pad. In the airless lunar environment, we are having borscht and roast beef.
the shuttle did not need to obey any Enjoy.”
aerodynamic forms or compensate for The food was surprisingly savory
more than lunar gravity. considering it included no naturally
Shekhov had talked with the pilot, raised animal protein but was as nu-
who reported a nominal status during tritious as an Earthly steak and po-
the shuttle’s orbit and braking maneu- tato, along with an extra-nutritious
vers just above the east edge of the lu- quarters as comfortable as a Caribbean dessert. As they dug into the des-
nar hemisphere that was visible from villa in tourist season. sert, with the taste and consistency
Earth. It looked to be a flawless landing When the shuttle was secured to the of sherbet, chilled, as it was, in a
near his optical-beacon habitat, locat- pad and its engines safely deactivated, sunless crater beneath the far side’s
ed at 98 degrees east longitude, eight Shekhov bounced over to it in the light Earthless skies, she said, “It was
degrees around to the lunar far side in gravity (one-sixth Earth equivalent) spectacular orbiting the Moon. De-
the crater named for American rock- and pulled the latch that released the scending over the Neper and Jansky
etry genius James H. Wyld. The pilot supply capsule from the shuttle. The craters, the view was awesome.”
had deftly avoided the structure behind capsule deployed its wheels and start- “Awesome, indeed,” Shekhov agreed.
him that itself embodied the purpose ed to roll on a 100-meter roadway to the “But the crater walls keep me from see-
of the billion-dollar lunar base—a giant habitat. The process was automated, ing Earth. We always keep the laser from
45-meter telescope financed and built leaving him to turn his attention to pointing directly toward Earth, but it has
by wealthy Russian fracking tycoon the space-suited figure of a passenger been a lonely six months. I am able to ex-
Oleg Volkov. The telescope pointed exiting the airlock of the crew mod- change messages with home only when
approximately 45 degrees southward, ule. Giving a friendly wave, he radioed, the comsat flies over, but that is not at all
toward the nearest star, Proxima Cen- “Welcome to Hawking’s Nightmare. the same as being in Moscow.”
tauri, and its planetary consort, Prox You’re in time for lunch.” After living “I’m amazed the laser has been op-
Cen b. A nuclear power plant buried 20 here practically alone for six months erating continuously for eight years!
feet below the lunar surface nearby sup- to manage the base, he was glad to Most people on Earth have dismissed
plied a two-megawatt laser that pulsed welcome a new crew member, any new the project as Volkov’s folly. Few
with infrared light, round the clock, crew member. know the light-travel-time for our
IMAGE BY HELEN F IELD

directed by the telescope with milli-arc- The supply capsule docked with messages to Prox Cen b has passed,
second accuracy, toward the exoplanet the habitat, and the shuttle ignited plus enough time for a reply message
four light years away. It also supplied its engines to propel it back to lunar to arrive at the speed of light. It’s
enough direct heat to make the human orbit and where it was scheduled to no wonder [C O NTINUED O N P. 119]

120 COMM UNICATIO NS O F T H E ACM | F EBR UA RY 201 9 | VO L . 62 | N O. 2

 Let the good talks roll!
SIGUCCS 47th Annual Conference
November 3-6, 2019 | New Orleans, LA

Call for Proposals Proposals may be accepted in

The ACM SIGUCCS annual conference brings together IT any area of IT support, including:
support professionals from academic institutions around • Strategy and governance
the world to share ideas and experiences delivering • Infrastructure and operations
information technology in aid of teaching, research, and • Instructional technology and design
• Leadership and career development
administration. Join them by proposing a paper, poster, • Service management
panel, or lightning talk to be delivered at this year’s • Lab management and desktop support
conference in New Orleans on November 3-6, 2019.

Submit an abstract of your proposed presentation by visiting http://bit.ly/siguccs2019cfp no

later than March 8th. Then join us in New Orleans in November to enjoy the conference and
the city from ASCII to zydeco!

Learn more about the conference here:

http://bit.ly/siguccsNOLA
ACM SIGUCCS is the Special Interest Group on University and College Computing Services
This book celebrates Michael Stonebraker’s accomplishments that led to his 2014
ACM A.M. Turing Award “for fundamental contributions to the concepts and practices
underlying modern database systems.”

The book describes, for the broad computing community, the unique nature,
significance, and impact of Mike’s achievements in advancing modern database
systems over more than forty years. Today, data is considered the world’s most
valuable resource, whether it is in the tens of millions of databases used to manage
the world’s businesses and governments, in the billions of databases in our
smartphones and watches, or residing elsewhere, as
yet unmanaged, awaiting the elusive next generation of
database systems. Every one of the millions or billions
of databases includes features that are celebrated by
the 2014 Turing Award and are described in this book.