Communications of the ACM
cacm.acm.org 07/2011 Vol. 54 No. 7
DSLs for the Uninitiated
Association for Computing Machinery
4 communications of the acm | july 2011 | vol. 54 | no. 7
letters to the editor
DOI:10.1145/1965724.1965726
Tim Wu's Viewpoint "Bell Labs and Centralized Innovation" (May 2011) was inaccurate regarding a specific example of research at Bell Labs.

Wu wrote, "Bell's scientists did cutting-edge work in fields as diverse as quantum physics and data theory. It was a Bell Labs employee named Clinton Davisson who would win a Nobel Prize for demonstrating the wave nature of matter, an insight more typically credited to Einstein than to a telephone company employee." However, Albert Einstein actually discovered that some perplexing data regarding the photoelectric effect could be explained through a hypothesis proposing that light, previously described purely as waves, could behave as particles, now called photons. Others, in particular Louis de Broglie, proposed that matter, previously viewed as particles, could be described by waves. While the Davisson-Germer experiment confirmed de Broglie, neither Davisson nor Lester Germer at the time knew about de Broglie's research; see http://courses.science.fau.edu/voss/modphys/pdf/Ch05_2.pdf.

Germer (a casual acquaintance) told me he and Davisson did not initially realize the data showed the wave nature of matter, because the wave nature of matter was a rather esoteric idea at the time. That is, they discovered something very important but somewhat by accident. It took time before these two researchers realized what they had actually measured.

There were practical reasons (of interest to a telephone company) for Davisson's and Germer's research, including vacuum tubes, which were then used in amplifiers. Electrons arrive at a vacuum tube's anode with enough energy to cause secondary emission of electrons at the anode, in some cases degrading a vacuum tube's performance. Understanding how electrons interact with an anode was obviously useful in any attempt to improve the anode's design.

William Zaumen, Palo Alto, CA

Author's Response:
Zaumen is correct. Davisson demonstrated that all particles, not just light, have wave-like properties; for example, electrons, and even people, have a wave-like nature. Zaumen is also correct in saying that Einstein worked in a field that assumed light was wave-like, showing its particle-like properties.

Tim Wu, New York

No Reconciling Irreconcilable Models
Erik Meijer's and Gavin Bierman's article "A Co-Relational Model of Data for Large Shared Data Banks" (Apr. 2011) overreached by claiming equivalence between the Relational Model and NoSQL "key-value pairs" without regard to the definition of a data model by E.F. Codd more than 30 years ago. Finding similarity in NoSQL systems to some parts of the Relational Model, Meijer and Bierman mistakenly concluded the two are equivalent.

Codd, in his paper "Data Models in Database Management" in Proceedings of the 1980 Workshop on Data Abstraction, Databases and Conceptual Modeling (http://portal.acm.org/citation.cfm?id=806891), defined a data model as comprising three components: data structures to represent well-formed expressions in first-order logic; operators closed over these structures, permitting inferencing; and integrity constraints to enforce internal consistency.

NoSQL systems have no data model so defined. All else is commentary.

Meijer and Bierman ignored logic and inferencing and did not explain how key-value systems recognize, let alone enforce, integrity constraints. They cited referential integrity—a form of integrity constraint—as an exogenous cost relational databases bear to correct for a deficiency. The truth is actually the opposite; consistency is a central obligation of any database-management system. The lack of constraint-checking in key-value systems imposes the constraint-checking burden on the application, a situation the Relational Model was invented specifically to correct.

Codd encountered a similar lack of understanding in his day. In the same proceedings paper, he wrote, "In comparing data models people often ignore the operators and integrity rules altogether. When this occurs, the resulting comparisons run the risk of being meaningless."

Codd's landmark article "A Relational Model of Data for Large Shared Data Banks" (Communications, June 1970) addressed other points raised by Meijer and Bierman, including path independence. An interested reader would learn much in an evening spent with that one article alone.

Object Relational Mapping libraries and NoSQL systems attempt to solve (through technical means) a nontechnical problem: reluctance of talented people to master the Relational Model, and thus benefit from its data consistency and logical inferencing capabilities. Rather than exploit it and demand more relational functionality from DBMS vendors, they seek to avoid and replace it, unwittingly advocating a return to the fragile, unreliable, illogical systems of the 1960s, minus the green-bar fanfold paper.

James K. Lowden, New York

Authors' Response:
Lowden's comment contains a number of errors. Our article was, in fact, explicitly critical of the lack of an agreed data model for NoSQL. We didn't ignore "inferencing," proposing instead a query language based on monad comprehensions—interestingly, the same query language we prefer for the relational model. We did not assert that the relational and key-value models are equivalent, but rather dual. The issue of weakening consistency checking goes to the heart of the interest in NoSQL systems and is beyond the scope of our article.

Erik Meijer, Redmond, WA
Gavin Bierman, Cambridge, U.K.

Financial Incentives vs. Algorithms in Social Networks
I thank John C. Tang et al. for their analysis of the crowdsourcing strategies of three successful teams in their article "Reflecting on the DARPA Red Balloon Challenge" (Apr. 2011). Though the iSchools team might have had better data-mining algorithms, it was the MIT team that recognized and exploited financial incentives as the most effective way to be first to identify the 10 red balloons DARPA scattered across the U.S. last year.

In retrospect, the recursive incentive strategy adopted by the MIT team is used in many network-marketing situations worldwide. I first came across it almost 20 years ago when trying to sell a database management system to one of India's oldest non-banking finance companies, which happened to employ a motivated network of insurance agents throughout India. These agents were required to recruit other agents, with the initial premium for the first few months from each new account they signed up distributed hierarchically, though not in the precise geometric progression the MIT team used in the DARPA Challenge. This way, the company's senior agents, having recruited a large network, could virtually sit back and watch as the money poured in. I suppose this, too, is how most Ponzi schemes work, though, in this case, nothing illegal was involved, as is generally implied by the term.

The important takeaway from the Tang et al. analysis is that motivating people is the key to success and that money is often the most effective motivation in any given social network. Whether that is good or bad is a question…

Poul-Henning Kamp's article "The One-Second War" (May 2011) was enlightening and, from the perspective of an old-time (ex)hardware engineer, entertaining. The reason solder jockeys (hardware engineers) don't see leap seconds as a problem is they presume computers know only what they've been told; if the system clock slows by 1/86,400th of a second per second, the system's software won't have the slightest idea it happened, nor will it care.

By extension, astronomers using terrestrial time are (by definition) off by some indeterminate amount until leap time, then off in another direction after the leap. Garden-variety system clocks (not directly atomically controlled) are constantly in need of adjustment and aren't very accurate over days at a time. Diddling a fraction of a millisecond out of a second only disappears in the noise. Since atomic clocks are the reference standard, they can skip however many beats are needed to ensure the seconds counter always reads 86,400 when the solar year ends.

Why not make the (invisible to code) system clock adjustable so it always counts to 86,400 seconds until the moment the year counter ticks over? To the code, a second is whatever a register says it is. Hardware, not software, counts electrical oscillations, and if it includes an "add x seconds in y years" pair of adjustment thumbwheels, the result is that 86,400 will have gone by exactly when the (real) year turns over.

Adjusting to leap seconds can be simple, unless programmers try turning a timing-gate issue into a planetary software project. Let astronomers use whatever time-sync definition they want, but if system clocks are adjusted in tiny amounts to keep "better" time, telescopes will be more accurate than if they were abruptly forced to catch up by a full second each year.

Just tell the electrical engineers the numbers and let them provide them to astronomers, system administrators, home users, and everyone else.

David Byrd, Arlington, VA

Author's Response:
…all are bad hacks. If computers were still huge boxes with a few attached terminals and printer, all these ideas would work, as indeed a number of them did, from the invention of the computer to the mid-1980s. Like today's deployed bad hack—leap seconds—all the schemes Byrd proposes rely on somebody measuring what the planet does and everybody else reacting to it on short notice. His ideas do not improve the current situation in any way but do reintroduce at least one bad idea already discarded—variable-length seconds.

Poul-Henning Kamp, Slagelse, Denmark

Communications welcomes your opinion. To submit a Letter to the Editor, please limit yourself to 500 words or less, and send to letters@cacm.acm.org.

© 2011 ACM 0001-0782/11/07 $10.00
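Byrd's proposal boils down to simple rate arithmetic: stretch each counted second slightly so that exactly 86,400 of them span a real interval that is one leap second longer. A minimal sketch of that arithmetic (the function names are illustrative, not from any real timekeeping API):

```python
# Sketch of the rate adjustment described in Byrd's letter: to absorb
# one leap second over a day, lengthen each of the day's 86,400 counted
# seconds by 1/86,400 of a real second, so software still counts exactly
# 86,400 seconds while slightly more real time elapses.

SECONDS_PER_DAY = 86_400

def smeared_second_length(leap_seconds: float,
                          interval_seconds: int = SECONDS_PER_DAY) -> float:
    """Real duration of one counted second when `leap_seconds` of
    adjustment are spread uniformly over `interval_seconds` counted
    seconds."""
    return 1.0 + leap_seconds / interval_seconds

def real_elapsed(counted_seconds: int, leap_seconds: float) -> float:
    """Real time that passes while the adjusted clock counts
    `counted_seconds` seconds."""
    return counted_seconds * smeared_second_length(leap_seconds)

# While the adjusted clock counts one full day (86,400 seconds),
# roughly 86,401 real seconds pass.
elapsed = real_elapsed(SECONDS_PER_DAY, 1.0)
```

This is essentially the trade Kamp objects to: software sees a constant 86,400-second day, at the cost of seconds that are no longer all the same real length.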
DOI:10.1145/1965724.1965727
doi:10.1145/1965724.1965728 http://cacm.acm.org/blogs/blog-cacm
blog@cacm
they need to rely on the judgment of experts to determine scientific truth and how to interpret scientific results. We want policymakers in the administration and Congress to base policy decisions on facts, on evidence, and on data. So it is important for policymakers that, to the best of our ability, we, as scientists, publish results that are correct. That's why peer review matters.

While I argue peer review matters, it's a whole other question what the best process is for carrying out peer review. In this day and age of collective intelligence through social networks, we should think creatively about how to harness our own technology to supplement or supplant the traditional means used by journals, conferences, and funding agencies. Peer review matters, and now is the time to revisit our processes—not just procedures and mechanisms, but what it is we review (papers, data, software, and tools), our evaluation criteria, and our incentives for active participation.

Comments
It is important for us, as scientists, not to lose the public trust in science. That's why peer review matters.

I think we must continue to educate our students and the public about truth. Even if a research paper is published in the most respectable venue possible, it could still be wrong. Conventional peer review is essentially an insider game: It does nothing against systematic biases.

In physics, almost everyone posts his papers on arXiv. It is not peer review in the conventional sense. Yet, our trust in physics has not gone down. In fact, Perelman proved the Poincaré conjecture and posted his solution on arXiv, bypassing conventional peer review entirely. Yet, his work was peer reviewed, and very carefully.

We must urgently acknowledge that our traditional peer review is an honor-based system. When people try to game the system, they may get away with it. Thus, it is not the gold standard we make it out to be. Moreover, conventional peer review puts a high value on getting papers published. It is the very source of the paper-counting routine we go through. If it were as easy to publish a research paper as it is to publish a blog post, nobody would be counting research papers. Thus, we must realize that conventional peer review also has some unintended consequences.

Yes, we need to filter research papers. But the Web, open source software, and Wikipedia have shown us that filtering after publication, rather than before, can work too. And filtering is not so hard.

Filtering after publication is clearly the future. It is more demanding from an IT point of view. It could not work in a paper-based culture. But there is no reason why it can't work in the near future. And the Perelman example shows that it already works.
—Daniel Lemire

Ed H. Chi
"How Should Peer Review Evolve?"
http://cacm.acm.org/blogs/blog-cacm/100284
Peer-reviewed publications have been part of scientific scholarship since 1665, when the Royal Society's founding editor Henry Oldenburg created the first scientific journal. As Jeannette Wing nicely argued in her "Why Peer Review Matters" post, it is the public, formal, and final archival nature of the Oldenburg model that established the importance of publications to scientific authors, as well as their academic standing and careers.

Recently, as the communication of research results reaches breakneck speeds, some have argued that it is time to fundamentally examine the peer review model, and perhaps to modify it somewhat to suit modern times. One such proposal recently posed to me via email is open peer review, a model not entirely unlike the Wikipedia editing model in many ways. Astute readers will appreciate the irony that the Wikipedia editing model makes academics squirm in their seats.

The proposal for open peer review holds that the incumbent peer review process has problems of bias, suppression, and control by elites against competing non-mainstream theories, models, and methodologies. By opening up the peer review system, we might increase accountability and transparency of the process, and mitigate other flaws. Unfortunately, while we have anecdotal evidence of these issues, significant problems remain in quantifying these flaws with hard numbers and data, since reviews often remain confidential.

Perhaps more distressing is that several experiments in open peer review (such as those done by Nature in 2006, British Medical Journal in 1999, and Journal of Interactive Media in Education in 1996) have had mixed results in terms of the quality and tone of the reviews. Interestingly, and perhaps unsurprisingly, many of those who are invited to review under the new model decline to do so, potentially reducing the pool of reviewers. This is particularly worrisome for academic conferences and journals, at a time when we desperately need more reviewers due to the growth of the number of submissions.

A competing proposal might be open peer commentary, which elicits and publishes commentary on peer-reviewed articles. This can be done prior to publication or after the date of publication. In fact, recent SIGCHI conferences have already started experimenting with this idea, with several popular paper panels in which papers are first presented, and opinions from a panel are openly discussed with an audience. The primary focus here is to increase participation, while also improving transparency. The idea of an open debate, with improved transparency, is of course the cornerstone of the Wikipedia editing model (and the PARC research project WikiDashboard).

Finally, it is worth pointing out the context in which these proposals might be evaluated. We live in a different time than Oldenburg. In the meantime, communication technology has experienced several revolutions of gigantic proportions. Now, real-time research results are often distributed, blogged, tweeted, Facebooked, Googled, and discussed in virtual meetings. As researchers, we can ill afford to stare at these changes and not respond.

Beyond fixing problems and issues of bias, suppression, and transparency, we also need to be vigilant about the speed of innovation and whether our publication processes can keep up. Web review-management systems like PrecisionConference have gone a long way in scaling up the peer-review process. What else can we do to respond to this speed of growth yet remain true to the openness and quality of research?

Jeannette M. Wing is a professor at Carnegie Mellon University. Ed H. Chi is a research scientist at Google.
DOI:10.1145/1965724.1965729
In the history of speculative fiction, from the golden age of science fiction to the present, there are many examples of artificial intelligences engaging their interlocutors in dialogue that exhibits self-awareness, personality, and even empathy. Several fields in computer science, including machine learning and natural language processing, have been steadily approaching the point at which real-world systems will be able to approximate this kind of interaction. IBM's Watson computer, the latest example in a long series of efforts in this area, made a television appearance earlier this year in a widely promoted human-versus-machine "Jeopardy!" game show contest. To many observers, Watson's appearance on "Jeopardy!" marked a milestone on the path toward achieving the kind of sophisticated, knowledge-based interaction that has traditionally been relegated to the realm of fiction.

IBM's Watson soundly defeated the two most successful contestants in the history of the game show "Jeopardy!," Ken Jennings and Brad Rutter, in a three-day competition in February. (Photo courtesy IBM)

The "Jeopardy!" event, in which Watson competed against Ken Jennings and Brad Rutter, the two most successful contestants in the game show's history, created a wave of coverage across mainstream and social media. During the three-day contest in February, hints of what might be called Watson's quirky personality shone through, with the machine wagering oddly precise amounts, guessing at answers after wildly misinterpreting clues, but ultimately prevailing against its formidable human opponents.

Leading up to the million-dollar challenge, Watson played more than 50 practice matches against former "Jeopardy!" contestants, and was required to pass the same tests that humans must take to qualify for the show and compete against Jennings, who broke the "Jeopardy!" record for the most consecutive games played, resulting in winnings of more than $2.5 million, and Rutter, whose total winnings amounted to $3.25 million, the most money ever won by a single "Jeopardy!" player. At the end of the three-day event, Watson finished with $77,147, beating Jennings, who had $24,000, and Rutter, who had $21,600. The million-dollar prize money awarded to Watson went to charity.

Named after IBM founder Thomas J. Watson, the Watson system was built by a team of IBM scientists whose goal was to create a standalone platform that could rival a human's ability to answer questions posed in natural language. During the "Jeopardy!" challenge, Watson was not connected to the Internet or any external data sources. Instead, Watson operated as an independent system contained in several large floor units housing 90 IBM Power 750 servers with a total of 2,880 processing cores and 15 terabytes of memory. Watson's technology, developed by IBM and several contributing universities, was guided by principles described in the Open Advancement of Question-Answering (OAQA) framework, which is still operating today and facilitating ongoing input from outside institutions.

Judging by the sizeable coverage of the event, Watson piqued the interest of technology enthusiasts and the general public alike, earning "Jeopardy!" the highest viewer numbers it had achieved in several years and leading to analysts and other industry observers speculating about whether Watson represents a fundamental new idea in computer science or merely a solid feat of engineering. Richard Doherty, the research director at Envisioneering Group, a technology consulting firm based in Seaford, NY, was quoted in an Associated Press story as saying that Watson is "the most significant breakthrough of this century."

Doherty was not alone in making such claims, although the researchers on the IBM team responsible for designing Watson have been far more modest in their assessment of the technology they created. "Watson is a novel approach and a powerful architecture," says David Ferrucci, director of the IBM DeepQA research team that created Watson. Ferrucci does characterize Watson as a breakthrough in artificial intelligence, but he is careful to qualify this assertion by saying that the breakthrough is in the development of artificial-intelligence systems.

"The breakthrough is how we pulled everything together, how we integrated natural language processing, information retrieval, knowledge representation, machine learning, and a general reasoning paradigm," says Ferrucci. "I think this represents a breakthrough. We would have failed had we not invested in a rigorous scientific method and systems engineering. Both were needed to succeed."

Contextual Evidence
The DeepQA team was inspired by several overarching design principles, with the core idea being that no single algorithm or formula would accurately understand or answer all questions, says Ferrucci. Rather, the idea was to build Watson's intelligence from a broad collection of algorithms that would probabilistically and imperfectly interpret language and score evidence from different perspectives. Watson's candidate answers, those answers in which Watson has the most confidence, are produced from hundreds of parallel hypotheses collected and scored from contextual evidence.

Ferrucci says this approach required innovation at the systems level so individual algorithms could be developed independently, then evaluated for their contribution to the system's overall performance. The approach allowed for loosely coupled interaction between algorithm components, which Ferrucci says ultimately reduced the need for team-wide agreement. "If every algorithm developer had to agree with every other or reach some sort of consensus, progress would have been slowed," he says. "The key was to let different members of the team develop diverse algorithms independently, but regularly perform rigorous integration testing to evaluate relative impact in the context of the whole system."

Ferrucci and the DeepQA team are expected to release more details later this year in a series of papers that will outline how they dealt with specific aspects of the Watson design. For now, only bits and pieces of the complete picture are being disclosed. Ferrucci says that, looking ahead, his team's research agenda is to focus on how Watson can understand, learn, and interact more effectively. "Natural language understanding remains a tremendously difficult challenge, and while Watson demonstrated a powerful approach, we have only scratched the surface," he says. "The challenge continues to be about how you build systems to accurately connect language to some representation, so the system can automatically learn from text and then reason to discover evidence and answers."
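The combine-and-rank step Ferrucci describes, in which many imperfect scorers weigh evidence for competing candidate answers, can be caricatured in a few lines. The scorers, weights, and candidates below are invented for illustration; none of this is DeepQA's actual code:

```python
# Toy sketch of ranking candidate answers by combining several imperfect
# evidence scorers, in the spirit of the DeepQA description above.
# Every scorer name, weight, and candidate here is hypothetical.

def combine_confidence(evidence_scores: dict, weights: dict) -> float:
    """Weighted average of per-scorer evidence scores (each in [0, 1])."""
    total_weight = sum(weights.values())
    return sum(weights[name] * evidence_scores[name]
               for name in weights) / total_weight

def rank_candidates(candidates: dict, weights: dict) -> list:
    """Return (answer, confidence) pairs sorted by combined confidence."""
    scored = [(answer, combine_confidence(scores, weights))
              for answer, scores in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Hypothetical scorers: answer-type match, passage support, prior.
weights = {"type_match": 2.0, "passage_support": 3.0, "prior": 1.0}
candidates = {
    "Toronto": {"type_match": 0.1, "passage_support": 0.4, "prior": 0.6},
    "Chicago": {"type_match": 0.9, "passage_support": 0.8, "prior": 0.5},
}
ranking = rank_candidates(candidates, weights)  # "Chicago" ranks first
```

The loose coupling Ferrucci describes shows up here in miniature: each scorer can be developed and tested independently, and only the combination step needs to agree on a common score interface.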
Lillian Lee, a professor in the computer science department at Cornell University, says the reactions to Watson's victory echo the reactions following Deep Blue's victory. Lee, who works in natural language processing, points out that some observers were dismissive about Deep Blue's victory, suggesting that the system's capability was due largely to brute-force reasoning rather than machine learning. The same criticism, she says, cannot be leveled at Watson because the overall system needed to determine how to assess and integrate diverse responses.

"Watson incorporates machine learning in several crucial stages of its processing pipeline," Lee says. "For example, reinforcement learning was used to enable Watson to engage in strategic game play, and the key problem of determining how confident to be in an answer was approached using machine-learning techniques, too."

Lee says that while there has been substantial research on the particular problems the "Jeopardy!" challenge involved for Watson, that prior work should not diminish the team's accomplishment in advancing the state of the art to Watson's championship performance. "The contest really showcased real-time, broad-domain question-answering, and provided as comparison points two extremely formidable contestants," she says. "Watson represents an absolutely extraordinary achievement."

Lee suggests that with language-processing technologies now maturing, with the most recent example of such maturation being Watson, the field appears to have passed through an important early stage. It now faces an unprecedented opportunity in helping sift through the massive amounts of user-generated content online, such as opinion-oriented information in product reviews or political analysis, according to Lee.

While natural-language processing is already used, with varying degrees of success, in search engines and other applications, it might be some time before Watson's unique question-answering capabilities will help sift through online reviews and other user-generated content. Even so, that day might not be too far off, as IBM has already begun work with Nuance Communications to commercialize the technology for medical applications. The idea is for Watson to assist physicians and nurses in finding information buried in medical tomes, prior cases, and the latest science journals. The first commercial offerings from the collaboration are expected to be available within two years.

Beyond medicine, likely application areas for Watson's technology would be in law, education, or the financial industry. Of course, as with any technology, glitches and inconsistencies will have to be worked out for each new domain. Glitches notwithstanding, technology analysts say that Watson-like technologies will have a significant impact on computing in particular and human life in general. Ferrucci, for his part, says these new technologies likely will mean a demand for higher-density hardware and for tools to help developers understand and debug machine-learning systems more effectively. Ferrucci also says it's likely that user expectations will be raised, leading to systems that do a better job at interacting in natural language and sifting through unstructured content.

To this end, explains Ferrucci, the DeepQA team is moving away from attempting to squeeze ever-diminishing performance improvements out of Watson in terms of parsers and local components. Instead, they are focusing on how to use context and information to evaluate competing interpretations more effectively. "What we learned is that, for this approach to extend beyond one domain, you need to implement a positive feedback loop of extracting basic syntax and local semantics from language, learning from context, and then interacting with users and a broader community to acquire knowledge that is otherwise difficult to extract," he says. "The system must be able to bootstrap and learn from its own failing with the help of this loop."

In an ideal future, says Ferrucci, Watson will operate much like the ship computer on "Star Trek," where the input can be expressed in human terms and the output is accurate and understandable. Of course, the "Star Trek" ship computer was largely humorless and devoid of personality, responding to queries and commands with a consistently even tone. If the "Jeopardy!" challenge serves as a small glimpse of things to come for Watson—in particular, Watson's precise wagers, which produced laughter in the audience, and Watson's visualization component, which appeared to express the state of a contemplative mind through moving lines and colors—the DeepQA team's focus on active learning might also include a personality loop so Watson can accommodate subtle emotional cues and engage in dialogue with the kind of good humor reminiscent of the most personable artificial intelligences in fiction.

Further Reading

Baker, S.
Final Jeopardy: Man vs. Machine and the Quest to Know Everything. Houghton Mifflin Harcourt, New York, NY, 2011.

Ferrucci, D., Brown, E., Chu-Carroll, J., Fan, J., Gondek, D., Kalyanpur, A.A., Lally, A., Murdock, J.W., Nyberg, E., Prager, J., Schlaefer, N., and Welty, C.
Building Watson: An overview of the DeepQA project. AI Magazine 31, 3 (Fall 2010).

Ferrucci, D., et al.
Towards the Open Advancement of Question Answering Systems. IBM Research Report RC24789 (W0904-093), April 2009.

Simmons, R.F.
Natural language question-answering systems. Communications of the ACM 13, 1 (Jan. 1970).

Strzalkowski, T., and Harabagiu, S. (Eds.)
Advances in Open Domain Question Answering. Springer-Verlag, Secaucus, NJ, 2006.

Based in Los Angeles, Kirk L. Kroeker is a freelance editor and writer specializing in science and technology.
Automotive Autonomy
Self-driving cars are inching closer to the assembly line, thanks
to promising new projects from Google and the European Union.
At the 1939 World's Fair, General Motors' fabled Futurama exhibit introduced the company's vision for a new breed of car "controlled by the push of a button." The self-driving automobile would travel along a network of "magic motorways" outfitted with electrical conductors, while its occupants would glide along in comfort without ever touching the steering wheel. "Your grandchildren will snap across the continent in 24 hours," promised Norman Bel Geddes, the project's chief architect.

Seventy years later, those grandchildren are still waiting for their self-driving cars to roll off the assembly lines. Most analysts agree that commercially viable self-driving cars remain at least a decade away, but the vision is finally coming closer to reality, thanks to the advent of advanced sensors and onboard computers equipped with increasingly sophisticated driving algorithms.

One of Google's seven self-driving, robotic Toyota Priuses steers its way through a tight, closed circuit course.
Photograph by Steve Jurvetson

In theory, self-driving cars hold out enormous promise: lower accident rates, reduced traffic congestion, and improved fuel economy—not to mention the productivity gains in countless hours reclaimed by workers otherwise trapped in the purgatory of highway gridlock. Before self-driving cars make it to the showroom, however, car manufacturers will need to clear a series of formidable regulatory and manufacturing hurdles. In the meantime, engineers are making big strides toward proving the concept's technological viability.

For the past year, Bay Area residents have noticed a fleet of seven curious-looking Toyota Priuses outfitted with an array of sensors, sometimes spotted driving the highways and city streets of San Francisco, occasionally even swerving their way down the notoriously serpentine Lombard Street.

Designed by Sebastian Thrun, director of Stanford University's AI Laboratory currently on leave to work at Google, the curious-looking Priuses could easily be mistaken for one of Google's more familiar Street View cars. The Googlized Prius contains far more advanced technology, however, including a high-powered Velodyne laser rangefinder and an array of additional radar sensors.

The Google car traces its ancestry to Thrun's previous project, the Stanley robot car, which won the U.S. Defense Advanced Research Project Agency's (DARPA's) $2 million grand challenge prize after driving without human assistance for more than 125 miles in desert conditions. That project caught the attention of executives at Google, who have opened the company's deep pockets to help Thrun pursue his research agenda.

At Google, Thrun has picked up where the Stanley car left off, refining the sensor technology and driving algorithms to accommodate a wider range of potential real-world driving
conditions. The Google project has made important advances over its predecessor, consolidating down to one laser rangefinder from five and incorporating data from a broader range of sources to help the car make more informed decisions about how to respond to its external environment.

"The threshold for error is minuscule," says Thrun, who points out that regulators will likely set a much higher bar for safety with a self-driving car than for one driven by notoriously error-prone humans. "Making a car drive is fundamentally a computer science issue, because you're taking in vast amounts of data and you need to make decisions on that data," he says. "You need to worry about noise, uncertainty, what the data entails." For example, stray data might flow in from other cars, pedestrians, and bicyclists—each behaving differently and therefore requiring different handling.

Google also has a powerful tool to help Thrun improve the accuracy of his driving algorithms: Google Maps. By supplementing the company's publicly available mapping data with details about traffic signage, lane markers, and other information, the car's software can develop a working model of the environment in advance. "We changed the paradigm a bit toward map-based driving, whereby we don't drive a completely unknown, unrehearsed road," Thrun explains. Comparing real-time sensor inputs with previously captured data stored at Google enables the car's algorithms to make more informed decisions and greatly reduce its margin of error.

Although the trial runs are promising, Thrun acknowledges that the cars must be put through many more paces before the project comes anywhere close to market readiness. He freely admits the Google car is a long way from rolling off an assembly line. "We are still in a research stage," says Thrun, "but we believe that we can make these cars safer and make driving more fun."

At press time, Google had hired a lobbyist to promote two robotic car-related bills to the Nevada legislature. One bill, an amendment to an existing electric vehicle law, would permit the licensing and testing of self-driving cars. The second is an exemption to allow texting during driving.

Europe's Car Platoons

If the Google project ultimately comes to fruition, it may do more than just improve the lives of individual car owners; it could also open up new possibilities for car sharing and advanced "highway trains" in which cars follow each other on long-distance trips, improving fuel efficiency and reducing the cognitive burden on individual drivers.

Researchers in Europe are pursuing just such an approach, developing a less sophisticated but more cost-efficient strategy in hopes of bringing a solution to market more quickly. The European Union-sponsored SARTRE project is developing technologies to allow cars to join organized platoons, with a lead car operated by a human driver. Ultimately, the team envisions a Web-based booking service that would allow drivers of properly equipped vehicles to search for nearby platoons matching their travel itineraries.

Two earlier European projects successfully demonstrated the viability of this approach using self-driving trucks. SARTRE now hopes to build on that momentum to prove the viability of the concept for both consumer and commercial vehicles.

By limiting the project's scope to vehicles traveling in formation on a highway, the project team hopes to realize greater gains in fuel economy and congestion reduction than would be possible with individual autonomous cars. "We wanted to drive these vehicles very close together because that's where we get the aerodynamic gains," says project lead Eric Chan, a chief engineer at Ricardo, the SARTRE project's primary contractor.

By grouping cars into platoons, the SARTRE team projects a 20% increase in collective fuel efficiency for each platoon. If the project ultimately attracts European drivers in significant numbers, it could also eventually begin to exert a smoothing effect on overall traffic flow, helping to reduce the "concertina effect," the dreaded speed-up and slow-down dynamic that often creates congestion on busy highways.

To realize those efficiency gains, the SARTRE team must develop a finely tuned algorithm capable of keeping a heterogeneous group of cars and trucks moving forward together in near-perfect lockstep. "The closer together, the less time you have to respond to various events," says Chan, "so cutting down latency and response times is critical." To achieve that goal, the system enables the vehicles to share data with each other on critical metrics like speed and acceleration.

Chan says the team's biggest technological hurdle has been developing a system capable of controlling a vehicle at differing speeds. "When you're controlling the steering system at low speed versus high speed, the dynamics of the vehicle behave differently," Chan says. "You have to use the controls in a slightly different way. At high speeds the vehicle dynamics become quite different and challenging."

In order to keep the platoon vehicles in sync at varying speeds, the team has developed a system that allows the vehicles to communicate directly with each other as well as with the lead vehicle. The systems within the lead vehicle act as a kind of central processor, responsible for managing the behavior of the whole platoon. The space between each vehicle is controlled by the system depending on weather or speed, but the lead driver can also exert additional influence through manual overrides.

In hopes of bringing the solution to market within the next few years, the SARTRE team is focused on developing with relatively low-cost systems and sensors that are production-level or
close to it, as opposed to the more expensive, laser-scanning sensors used in the Google and DARPA projects.

The larger challenge for the SARTRE project may have less to do with sensors and algorithms than with addressing the potential adoption barriers that might prevent consumers from embracing the platoon concept. After all, part of the appeal of driving a car lies in the freedom to go where you want, when you want. But will drivers be willing to adjust their driving behavior in exchange for the benefits of a kind of quasi-public transportation option?

"There's a big human factors aspect to this project," says Chan, who acknowledges that predicting market acceptance is a thorny issue. The team has been trying to understand the psychological impact of autonomous driving on the human occupants formerly known as drivers. The developers have been running trials with human subjects to see how people react to different gap sizes between cars, trying to identify potential psychological issues that could affect users' willingness to relinquish control of their vehicles. "How comfortable do people feel driving a short distance from another car?" asks Chan. "How much control should the operator really have?"

The team is also considering the potential impact on other drivers outside the platoon, since the presence of a long train of vehicles will inevitably affect other traffic on the freeway. For example, if the platoon is traveling in the slow lane on a multilane freeway, it will inevitably have to react to occasional interlopers.

Whether consumers will ultimately embrace self-driving cars will likely remain an open question for years to come, but in the meantime the underlying technologies will undoubtedly undergo further refinement. For the next few years, self-driving cars will continue to remain the province of researchers, while the rest of us can only dream of someday driving the magic motorway to Futurama.

Further Reading

Albus, J., et al.
4D/RCS: A Reference Model Architecture for Unmanned Vehicle Systems 2.0. NIST interagency/internal report, NISTIR 6910, Aug. 22, 2002.

O'Toole, R.
Gridlock! Why We're Stuck in Traffic and What to Do About It. Cato Institute, Washington, D.C., 2010.

Robinson, R., Chan, E., and Coelingh, E.
Operating platoons on public motorways: An introduction to the SARTRE platooning program. 17th World Congress on Intelligent Transport Systems, Busan, Korea, Oct. 25–29, 2010.

Thrun, S., et al.
Stanley: The robot that won the DARPA grand challenge. Journal of Field Robotics 23, 9, Sept. 2006.

Thrun, S.
What we're driving at. The Official Google Blog, Oct. 9, 2010.

Alex Wright is a writer and information architect based in Brooklyn, NY.

© 2011 ACM 0001-0782/11/07 $10.00
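The cooperative gap-keeping scheme the SARTRE engineers describe, in which vehicles share speed and acceleration data and the following distance is adjusted with speed, can be sketched as a small simulation. Everything below (the point-mass vehicle model, the gains, the half-second headway) is an illustrative assumption, not the project's actual control law:

```python
# Minimal platoon-following simulation (illustrative only). The point-mass
# vehicle model, the gains, and the half-second headway are assumptions
# made for this sketch, not the SARTRE project's actual control system.

from dataclasses import dataclass

@dataclass
class Vehicle:
    pos: float    # position along the road, meters
    speed: float  # meters/second

def follower_accel(me, ahead, lead_accel, headway=0.5, standstill_gap=4.0,
                   kp=0.45, kv=1.2):
    """Acceleration command for one follower in the platoon.

    Feedback on gap and speed errors is combined with a feedforward term:
    the lead vehicle broadcasts its acceleration so followers can react
    before a gap error accumulates (the latency concern Chan describes).
    """
    desired_gap = standstill_gap + headway * me.speed  # gap grows with speed
    gap_error = (ahead.pos - me.pos) - desired_gap
    speed_error = ahead.speed - me.speed
    return kp * gap_error + kv * speed_error + lead_accel

def step_platoon(platoon, lead_accel, dt=0.1):
    """Advance the whole platoon one time step; platoon[0] is the lead car."""
    accels = [lead_accel] + [
        follower_accel(platoon[i], platoon[i - 1], lead_accel)
        for i in range(1, len(platoon))
    ]
    for v, a in zip(platoon, accels):
        v.pos += v.speed * dt + 0.5 * a * dt * dt
        v.speed = max(0.0, v.speed + a * dt)

# Four vehicles cruising at 25 m/s; the lead car brakes gently for three
# seconds partway through, and the followers settle back to the desired gap.
platoon = [Vehicle(pos=30.0 - 10.0 * i, speed=25.0) for i in range(4)]
for t in range(600):  # 60 simulated seconds
    step_platoon(platoon, lead_accel=-1.0 if 100 <= t < 130 else 0.0)

print([round(platoon[i - 1].pos - platoon[i].pos, 1) for i in range(1, 4)])
```

Broadcasting the lead vehicle's acceleration as a feedforward term is what lets followers react before a spacing error accumulates; pure gap feedback alone would respond only after the gap had already changed, which is the latency problem Chan describes.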
Public Policy

Brave, New Social World

How three different individuals in three different countries—Brazil, Egypt, and Japan—use Facebook, Twitter, and other social-media tools.
Today, social media is emerging as a dominant form of instant global communication. Growing more addictively popular by the day—nearly two-thirds of Internet users worldwide use some type of social media, according to an industry estimate—Facebook, Twitter, and other easily accessible online tools deepen our interaction with societies near and far.

Consider these numbers: Facebook is poised to hit 700 million users and, as seven of 10 Facebook members reside outside the U.S., more than 70 global-language translations. Twitter's user numbers will reportedly hit 200 million later this year, and users can tweet in multiple languages. In terms of daily usage, Facebook generates the second-most traffic of any site in the world, according to Alexa.com, a Web information company, at press time. (Google is number one.) As for blogging, which now seems like a relatively old-fashioned form of social media, the dominant site, blogger.com, ranks eighth. As for Twitter, it's now 11th—and climbing.

A protestor's sign thanks the youth of Egypt and Facebook during the political unrest in Egypt in late January. The photo, by an NBC foreign correspondent, first appeared on Twitter.

Photograph tweeted by Richard Engel, NBC, on Friday, Jan. 28, 2011; WITNESS.org

The top five nations in terms of social media usage are the U.S., Poland, Great Britain, South Korea, and France, according to the Pew Research Center. But beyond international rankings and traffic numbers, there's much diversity in the manner in which the citizens of the world take advantage of these tools, according to Blogging Around the Globe: Motivations, Privacy Concerns and Social Networking, an IBM Tokyo research report. In Japan, blogs often serve as outlets for personal expression and diary-style postings. In the U.S., it's mostly about earning income or promoting an agenda. In the U.K., it's a combination of these needs, as well as professional advancement and acting as a citizen journalist.

Communications connected with three citizens in three different nations, each of whom is finding their own individual voice through these resources. In fact, we depended primarily upon social media to initially reach them. One is a Japanese female blogger who segues seamlessly from pop-culture observations to revealing reflections on the nation's recent earthquake, tsunami, and nuclear disaster. Another is a Brazilian businesswoman who uses multiple digital outlets to expand her marketing reach throughout the world. The third is an Egyptian newsman who is helping record history with his dispatches of daily life in a region undergoing dramatic political change. (In terms of social media usage, Brazil ranks eighth, Japan 12th, and Egypt 18th, according to Pew.) Here are their stories.

Me and Tokyo

The contrast is striking: Before March 11, Mari Kanazawa's blog, Watashi to Tokyo (translation: Me and Tokyo), waxes whimsically about a recent tweet in Japanese by the band Radiohead, as well as consumer products such as Wasasco, a wasabi-flavored Tabasco.

After March 11, however, the conversation takes an abrupt turn. The day after the devastating Tōhoku earthquake and tsunami, Kanazawa writes this unsettling passage: "Earthquake, tsunami, fire and now we have a nuclear meltdown … I was in the Midtown Tower when it happened. Japanese people are used to earthquakes, we can usually sense them because the building sways, but this time it was shaking up and down. Some people screamed and some hid under their desks."

Within a week, Kanazawa casts a sense of humor about the situation: "I really don't need to check Geiger counters and don't need a lot of toilet paper because earthquakes [don't] make me [go to the bathroom] more than usual."

A high-profile cyberpersonality in Japan, Kanazawa has always perceived her blog as equal parts diary and cultural commentary. She was one of the rare Japanese citizens who wrote a blog in English when she started in 2004, so her traffic numbers have spiked to a healthy 2,000 unique visitors a day. A Web site manager, Kanazawa prefers the free-form creativity of a blog, as opposed to the restrictive 140-character count of Twitter. "It doesn't fit me," she says of the latter. "My blog is an information hub for Japanese subculture. That's my style. I wanted to tell people that we have more interesting, good things than sushi, sumo, tempura, geishas, and ninjas."

Since the disaster, like many Japanese citizens posting blogs and Facebook status updates, Kanazawa has sought and published information about the nation's recovery efforts. "These tools are so effective in this disaster," she says. "People need to check for things such as the transportation situation and where the evacuation areas are. In Tōhoku, when someone tweeted 'We need 600 rice balls here,' they were delivered within an hour. Social media went from being a communication tool to a lifeline."

Brazil—and Beyond

In generations past, it would be difficult for a self-described life coach like Lygya Maya of Salvador, Brazil, to interact with a motivational-speaking giant like Tony Robbins, an American who has more than 200 books, audio CDs, and other products listed on Amazon.com. Perhaps she would have needed to take a trip to the U.S. in hopes of speaking with Robbins at one of his tour stops. Or write him a letter and hope he would answer with something beyond a polite thank you.

But this is the 21st century, and Maya takes full advantage of the digital age to engage with high-profile leaders such as Robbins and Mark Victor Hansen, co-author of the bestselling Chicken Soup for the Soul books. Robbins and Hansen are now Facebook friends with Maya, who they have advised and encouraged to push beyond perceived limitations in her work.

Such international collaborations have enabled Maya to create her own signature style to market herself, which she calls a "Brazilian Carnival Style" approach to guide clients to enjoying a happy, productive, and empowering life. Maya now sees up to 300 clients a year in private sessions, and hosts as many as 500 group sessions annually.

"I use blogs, Facebook, Twitter, and Plaxo [an online address book] to promote my business," Maya says. "I am about to start podcasting, as well as making YouTube videos on every channel that I can find on the Internet. Social media has opened up my business on many different levels. I am now able to promote it literally to the world, free of charge."

Maya has also established more than 2,500 personal connections via Facebook, LinkedIn, and other sites. She'll send tweets several times a day, offering reflections like "When truthfully expressed, words reflect our core value and spirit." All of this has helped Maya promote her budding empire of services and products, which will soon include a book, Cheeka Cheeka BOOM Through Life!: The Luscious Story of a Daring Brazilian Woman. It's gotten to the point where—like some of her counterparts in the U.S.—she must subcontract work just to keep up with it all.

"I'm about to hire a team to work with me on Twitter and all the social media out there that we can use to support campaigns," Maya says. "You must have a great team to share quality work. Otherwise, you will have stress. This allows me to promote my services and products 24/7—and that includes while I'm sleeping."

Blogs: Motivations for writing and readership levels by region.

Region  | Motivation                                                | Readership
Japan   | Personal diary, self-expression                           | 74% of Internet users; average 4.54 times/week, 25% daily; highest in world
Korea   | Personal diary, personal scrapbook, online journalism     | 43% of Internet users; average 2.03 times/week (ages 8–24: 4 times/week; ages 25–34: 3 times/week)
China   | 96% personal blogs loaded with photos, audio, animations  | Highest for ages 18–24 (less than 3 times/week), probably friends
U.S.    | Make money, promote political or professional agenda      | 27% of Internet users; average 0.9 times/week; lower than Asia, higher than Europe
Germany | For fun, like to write, personal diary                    | Bloggers are regular readers of other blogs: on average 21.15 (std. dev. 39, median 10)
U.K.    | Connect with others, express opinions/vent, make money,   | 23% of Internet users (average 0.68 times/week)
        | citizen journalism, validation, professional advancement  |
Poland  | Self-expression, social interaction, entertainment        | Not available

Source: Mei Kobayashi, Blogging Around the Globe: Motivations, Privacy Concerns and Social Networking, IBM Research–Tokyo, 2010.

A Witness in Egypt

Amr Hassanein lists Babel, Fantasia, and The Last Temptation of Christ as his favorite movies on his Facebook page. And his organizations/activities
Milestones | doi:10.1145/1965724.1965733
ACM recently announced the winners of six prestigious awards for innovations in computing technology that have led to practical solutions to a wide range of challenges facing commerce, education, and society.

Craig Gentry, a researcher at IBM, was awarded the Grace Murray Hopper Award for his breakthrough construction of a fully homomorphic encryption scheme, which enables computations to be performed on encrypted data without unscrambling it. This long-unsolved mathematical puzzle requires immense computational effort, but Gentry's innovative approach broke the theoretical barrier to this puzzle by double encrypting the data in such a way that unavoidable errors could be removed without detection.

IBM researcher Craig Gentry, recipient of the Grace Murray Hopper Award.

Photograph by Steve Moors for Technology Review

Kurt Mehlhorn, founding director of the Max Planck Institute for Informatics and a professor at Saarland University, was awarded the Paris Kanellakis Theory and Practice Award for contributions to algorithm engineering that led to creation of the Library of Efficient Data Types and Algorithms (LEDA). This software collection of data structures and algorithms, which Mehlhorn developed with Stefan Näher, provides practical solutions for problems that had previously impeded progress in computer graphics, computer-aided geometric design, scientific computation, and computational biology.

GroupLens Collaborative Filtering Recommender Systems received the ACM Software System Award. These systems show how a distributed set of users could receive personalized recommendations by sharing ratings, leading to both commercial products and extensive research. Based on automated collaborative filtering, these recommender systems were introduced, refined, and commercialized by a team at GroupLens. The team then brought automation to the process, enabling wide-ranging research and commercial applications. The GroupLens team includes John Riedl, University of Minnesota; Paul Resnick, University of Michigan; Joseph A. Konstan, University of Minnesota; Neophytos Iacovou, COVOU Technologists; Peter Bergstrom, Fluke Thermography; Mitesh Suchak, Massachusetts Institute of Technology; David Maltz, Microsoft; Brad Miller, Luther College; Jon Herlocker, VMware, Inc.; Lee Gordon, Gordon Consulting, LLC; Sean McNee, FTI Consulting, Inc.; and Shyong (Tony) K. Lam, University of Minnesota.

Takeo Kanade, the U.A. and Helen Whitaker University Professor of Computer Science and Robotics at Carnegie Mellon University, is the recipient of the ACM/AAAI Allen Newell Award for contributions to research in computer vision and robotics. His approach balanced fundamental theoretical insights with practical, real-world applications in areas like face and motion detection and analysis, direct drive manipulators, three-dimensional shape recovery from both stereo vision and motion analysis, and video surveillance and monitoring.

Barbara Ericson, who directs the Institute for Computing Education at Georgia Tech, and Mark Guzdial, director of the Contextualized Support for Learning at Georgia Tech, received the Karl V. Karlstrom Outstanding Educator Award for their contributions to broadening participation in computing. They created the Media Computation (MediaComp) approach, which motivates students to write programs that manipulate and create digital media, such as pictures, sounds, and videos. Now in use in almost 200 schools around the world, MediaComp's contextualized approach to introductory computer science attracts students not motivated by classical algorithmic problems addressed in traditional CS education.

Reinhard Wilhelm and Joseph S. DeBlasi were named recipients of the Distinguished Service Award. Wilhelm, scientific director of the Schloss Dagstuhl–Leibniz Center for Informatics, was honored for two decades of exceptional service at the center, creating a stimulating environment for advancing research in informatics. Wilhelm brought together researchers from complementary computing areas for intensive workshops that promoted new research collaborations and directions. DeBlasi, former executive director of ACM, was honored for his executive leadership from 1989–1999 that transformed ACM into a financially sound, globally respected institution, and for his foresight in implementing programs and expanding international initiatives that continue to sustain ACM today.

© 2011 ACM 0001-0782/11/07 $10.00
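The property named in Gentry's citation, computing on data without unscrambling it, can be illustrated with a toy example. Unpadded "textbook" RSA is homomorphic for multiplication only, and the tiny parameters below are completely insecure; Gentry's lattice-based construction, by contrast, supports arbitrary computation on ciphertexts. This sketch shows only the general idea:

```python
# Toy illustration of computing on encrypted data. Gentry's fully
# homomorphic scheme supports both addition and multiplication on
# ciphertexts; unpadded "textbook" RSA, shown here, is homomorphic for
# multiplication only, and these tiny parameters are completely insecure.

p, q = 61, 53                       # toy primes
n = p * q                           # public modulus (3233)
e = 17                              # public exponent
d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)

def enc(m: int) -> int:
    """Encrypt m < n with the public key."""
    return pow(m, e, n)

def dec(c: int) -> int:
    """Decrypt with the private key."""
    return pow(c, d, n)

a, b = 7, 6
c1, c2 = enc(a), enc(b)

# Multiply the two ciphertexts without decrypting either of them...
c_product = (c1 * c2) % n

# ...and decrypting the result recovers the product of the plaintexts.
print(dec(c_product))               # prints 42, i.e., a * b
```

The multiplication happens entirely on ciphertexts; only the holder of the private exponent ever sees the result in the clear, which is the essence of the homomorphic property Gentry extended to arbitrary computation.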
Technology Strategy and Management

Driving Power in Global Supply Chains

How global and local influences affect product manufacturers.
Illustration by Andrij Borys Associates

Supply chains are increasingly global. Consequently, we pour energy into managing existing global supply chains efficiently, with their risks (for example, risks arising from geographic dispersion) and rewards (such as the benefits derived from cost arbitrage). Yet we do not know enough about how profits are divided and distributed along a global supply chain that changes over time. This is a question worth posing at a time when new locations have become available not only for production but also for consumption, especially in rapidly growing emerging markets. For example, if the end market for electronic goods shifts from the U.S. to China or India, would the supply chain become driven by global or local corporate entities?

Any supplier to a famous brand, be it Apple or Nike, knows all too well that the corporate client does not need ownership to exert power over the supplier. In this world of corporate control without ownership, what opportunities exist for creating and capturing profit in global supply chains? By comparing the evolution of major players across different industries and service sectors, this column addresses the question: under what circumstances do value-adding activities migrate from the final product manufacturer to a component manufacturer? What strategies are available to the final product manufacturer to circumvent this migration of power in global supply chains?

What We Already Know

Many readers of this column are likely familiar with the fate of IBM. In its initial era of dominance, IBM was a classic vertically integrated company. But faced with competition in the personal computer market, IBM decided it could not keep up on all fronts and outsourced its operating system to Microsoft and its microprocessors to Intel in the 1980s. This was the beginning of the end of IBM as a computer hardware company. With IBM's outsourcing decisions, new players came to occupy horizontal industry segments—Microsoft in operating systems and applications software, Intel in microprocessors, and Compaq and HP in IBM-compatible final assembly. Technological advances in subsystems made it more profitable to make microprocessors and software
than hardware. The "Intel Inside" platform strategy to extract high profits extended from desktop computers to notebook PCs with the launch of integrated chipsets.3

Was this horizontally disintegrated structure stable? No. Companies sought opportunities to capture greater profits, not only by specializing in focused technologies but also by bundling products and services. In particular, Microsoft strengthened its market power by bundling its operating system with applications software, Web browser, and networked services. In this competitive landscape, IBM withdrew from hardware by selling its PC division to Lenovo, and struck out for new territory in business services.

A similar cycle of moving from vertical integration to horizontal disintegration and back again to reintegration is evident in the evolution of Apple to become the world's most valuable technology company in terms of stock market value in May 2010.1 In the 1980s, Apple Computers was a vertically integrated firm with its own in-house design and factories. The troubles in the 1990s culminated in Apple's decision to outsource final assembly to SCI Systems in 1996, laying the groundwork for modular thinking. The iPod is a prototypical modular product, enabling Apple to mix and match preexisting components. By leading in product innovation and design, but without doing any manufacturing, Apple pocketed $80 in gross profit for each 30GB iPod sold at $299.2 The ongoing transformation of Apple Inc., bundling the iPod, iTunes, iPhone, and iPad, is a dramatic example of a company that has been …

… there is a less well-known story behind this one, focused around the no-brand supply companies that actually make these products.

A Bit of History: The Rise and Rise of Large Factories

In the 19th century, improvements in transportation (especially railroads) and communication (such as telegraphs) led to the development of mass markets. By the early 20th century, such markets demanded large volumes of standardized products, exemplified by Ford's Model T, produced in large vertically integrated factories. Fast-forward to the early 21st century, and we see that the current wave of improvements in transportation (this time in container shipping) and communication (this time with digital technology) has had a similar impact on the size of factory operations.4 We see the rise of large horizontally integrated production factories in low-cost locations supplying products and services to the world.

Consider the case of athletic shoemaking. Several powerful brand owners exist in an oligopolistic market. But today, the largest footwear manufacturer in the world is not one of the brand owners such as Nike or Adidas, but Pou Chen Group. Its shoemaking subsidiary, Yue Yuen Industrial Ltd., has a sales turnover of $5.8 billion, employs around 300,000 workers, and churns out 186 million pairs of shoes per annum. That is, this company makes one in every six pairs of athletic shoes sold in the world.

Another good example is in laptop computers. In this market, Quanta Computer is the world's largest manufacturer. One in every three laptops is made by Quanta. Its factories make laptop computers for brand owners including Apple, Compaq, Dell, Fujitsu, HP, Lenovo, Sharp, Sony, and Toshiba. One thing it does not do is produce its own brand of computers. Quanta Computer is the largest of the Taiwanese personal computer manufacturers, whose combined output accounts for over 90% of worldwide market share.

Similarly, Hon Hai Precision Industry Co. (Foxconn) heads the league table of electronic manufacturing service (EMS) providers, which include such firms as Flextronics, Jabil Circuit, Celestica, and Sanmina SCI. Having achieved very rapid growth, Foxconn employs nearly one million workers, mostly in China, to assemble Apple's iPod, iPhone, and iPad, cellphones for Nokia and Motorola, Nintendo's video game consoles, and Sony's PlayStation, among other things.

"Behind-the-Scenes Champions" Profit from Size and Diversification

These companies—Pou Chen, Quanta, Foxconn—are no-brand manufacturing firms that supply retailers or brand-owning firms, some with no factories. They are called CM (contract manufacturers) or ODM (original design manufacturers) if they undertake design as well as the manufacture of products for sale under the client's brand. The brand owners may command and drive power in global supply chains, but the behind-the-scenes supply firms have not been totally powerless. The most obvious source of bargaining power for these no-brand suppliers
able to reinvent itself by taking advan- is the sheer size of the operation. For
tage of global supply chains. Innova- Under what example, Quanta Computer supplies
tive companies such as Apple have the nine out of the world’s top 10 notebook
power to reshape the boundaries of the circumstances do PC brands. As such, it exercises power
industries in which they operate. value-adding by being discriminating among these
Thus, we know that value migrates clients, setting up dedicated business
from the final product manufacturer to activities migrate units with product development and
component suppliers as a result of the from the final product mass production capacity for some of
former’s outsourcing decisions and the best (but not all) clients.
the pursuit of platforms by the latter. manufacturer A small number of ODMs, such as
However, this could be reversed or cir- to a component Acer and Lenovo, transitioned to sell-
cumvented if the product manufactur- ing products with their own brand.
er regains control of its supply chain by manufacturer? However, turning your corporate cli-
reshaping its industry and developing ent into a competitor is a risky move,
an ecosystem of providers engaged in as Lenovo initially found out with IBM
complementary innovation. when it terminated its contract with
Important though this story is, Lenovo. As an alternative strategy,
Computing Ethics
Values in Design
Focusing on socio-technical design with values
as a critical component in the design process.
Values often play out in information technologies as disasters needing management. When Facebook started sharing data about what people were buying or viewing, it ended up with digital egg all over its face. Focusing the initial design process on complicated values of privacy might have helped Facebook avoid this uproar. To use another example, the "terms and conditions" that most users simply "accept" without reading could be made easier to read and understand if the values inherent in fair contracting were incorporated in the design of such agreements in the first place. But conversations and analyses of the values found in technologies are generally engaged after design and launch, and most users are faced with a daunting set of decisions already made on their behalf (and often not to their benefit) and impossible choices if they would like to do things differently. Sensible responses to this problem have been developed over the past 10 years, and a community of researchers has formed around the role of human values in technology design.a A new book on Values in Design from the MIT Press Infrastructures series illustrates the issues.

a Examples of existing work along this theme include Batya Friedman's values-sensitive design, Mary Flanagan and Helen Nissenbaum's Values at Play, Phoebe Sengers' reflective design, T.L. Taylor's values in design in ludic systems, and Ann Cavoukian's privacy by design.

Helen Nissenbaum has created a Values in Design Council, working with the National Science Foundation on the Futures of Internet Architecture (FIA) research program (see http://www.nyu.edu/projects/nissenbaum/vid_council.html). This suite of projects is aimed at redesigning Internet architecture to handle ever-expanding modes of usage with fewer problems due to design mistakes about values. An initial meeting of people from these projects revealed three values that need immediate attention. One involves the trade-off between security and privacy: for example, can we design computing "clouds" so that search queries cannot be traced to an individual user or IP except in carefully controlled circumstances subject to appropriate prior review? Not surprisingly, the U.S. National Security Agency wants to maintain loopholes that allow it to pursue the important value of national security. Can these values be reconciled through a compromise design? Another involves hardwire design for
Digital Rights Management (DRM) that
protects digital rights while permitting
flexibility as information policy evolves.
A third concern, “cultural valence,”
means systems designed by one group
(for example, Americans) should not
impose American values about struc-
ture, protocol, use, and policy on non-
Americans as Internet architectures go
global. The point is not that designers
have the wrong values, but that one of
the key features of values is that differ-
ent people hold different values, and
often hold to those values very strongly.
Figure 2. Designer Mary Flanagan reconceptualized classic Atari video games with a giant joystick; http://www.maryflanagan.com/giant-joystick.
Inclusion of GPS capability creates new opportunities regarding information tied to geography. Mobile applications coupled to social networks allow users to know when they are near friends. Loopt and FourSquareb show where friends have "checked in" and their distances from a user's current location to facilitate social gathering and serendipitous meeting. However, such technologies can cause tension in social values as the benefit of potential meetings with friends causes problems of attention and interrogation, as when a paramour says, "You said you were going to the store, then the library, and then home, but you never checked in. Where were you?" GPS-based network applications may increase locational accountability because, unlike a phone call that might originate anywhere, GPS-enabled applications carry information about specific geographic location. In principle, a user can work around "stalking" and other problematic situations with some mobile apps such as Tall Tales and Google Latitudec that allow a user to lie about location, but equating privacy with lying creates its own values-centric problems. An "open hand" of location-based transparency can easily become a "backhand" when geographic privacy and autonomy are compromised.

b With over 4 million and 6.5 million registered users as of February 2011, respectively; see http://about.loopt.com/tag/loopt/ and http://foursquare.com/about.
c http://itunes.apple.com/us/app/tall-tales-geolocation-spoofing/; http://mashable.com/2009/02/04/google-latitude/; http://www.androidzoom.com/android_applications/fake%20locations

Another good example of value clashes concerns search engines. Google might be the greatest information retrieval tool in world history, but it falls prey to the "Matthew effect," named for a line in the Gospel of Matthew (25:29): "For to all those who have, more will be given, and they will have an abundance; but from those who have nothing, even what they have will be taken away." The results of a simple Google search on the word "Cameroon" shown in Figure 1 indicate Wikipedia, the CIA, the U.S. State Department, and the BBC seem to know more about Cameroon than any of its inhabitants. The highest-ranked site from the country does not appear until page 4, a link to the country's main newspaper. Given that most users never go beyond the first few links,d few will get to information about Cameroon from Cameroon. The country is officially French-speaking, so sophisticated searchers might find better results searching for "Cameroun," but few English-speaking users would do this. The algorithm that provides nearly universal access to knowledge also unwittingly suppresses knowledge of African countries. Or is this always unwitting? A search on "Obamacare" produces a taxpayer-paid-for link to http://www.healthcare.gov as a top hit.1

d http://seoblackhat.com/2006/08/11/tool-clicks-by-rank-in-google-yahoo-msn/

Interdisciplinary Scholars
A community of scholars has formed around VID, or Values in Design (or more formally, Values in the Design of Information Systems and Technology). It consists of researchers and practitioners in computer science, engineering, human-computer interaction, science and technology studies, anthropology, communications, law, philosophy, information science, and art and design. They find common ground through the interdisciplinarity implied by the broad spectrum of interests. Decades of research in the sociology of science and technology have shown that technical infrastructures reveal human values most often through counterproductivity, tension, or failure. Workshops conducted over the past six years by Helen Nissenbaum, Geoffrey Bowker, and Susan Leigh Star have sparked conversations among people in these fields, producing a cohort of interdisciplinary scholars of values in design. This group departs from a traditional view of critical theory that tackles technology once it is in place, and focuses instead on socio-technical design with values as a critical component in the design process. The objective of VID is to create infrastructures that produce less friction over values than those created in the past. This objective is timely given the rise of social computing and networks, games that address social problems and change (see http://www.gamesforchange.org/), and the interconnection of corporate, government, and academic institutions' interests ranging from the individual to the transglobal.
Legally Speaking
Too Many Copyrights?
Reinstituting formalities—notice of copyright claims
and registration requirements—could help address problems
related to too many copyrights that last for too many years.
Virtually all of the photographs on flickr, videos
on YouTube, and postings
in the blogosphere, as well
as routine business mem-
os and email messages, are original
works of authorship that qualify for
copyright protection automatically by
operation of law, even though their au-
thors really do not need copyright in-
centives to bring these works into be-
ing. Yet, copyrights in these works, like
those owned by best-selling authors,
will nonetheless last for 70 years after
the deaths of their authors in the U.S.
and EU (and 50 years post-mortem in
most other countries).
Are there too many copyrights in
the world, and if so, what should be
done to weed out unnecessary copy-
rights? Some copyright scholars and
practitioners who think there are too
many copyrights are exploring ways of
limiting the availability of copyright to
works that actually need the exclusive
rights that copyright law confers.1,3,4
Copyright Formalities as an Opt-In Mechanism
One obvious way to eliminate unnecessary copyrights is to require authors who care about copyright to register their claims, put copyright notices on copies of their works, and/or periodically renew copyrights after a period of years instead of granting rights that attach automatically and last far beyond the commercial life of the overwhelming majority of works.

Copyright lawyers speak of such requirements as "formalities," for they make the enjoyment or exercise of copyright depend on taking some steps to signal that copyright protection is important to their creators.4

Conditioning the availability of copyright on formalities is not exactly a new idea. For most of the past 300 years, copyright was an opt-in system. That is, copyright protection did not commence when a work was created; authors had to opt in to copyright by registering their works with a central office or by putting copyright notices on copies of their works sold in the market. When authors failed to comply with formalities, the works were generally in the public domain, freely available for reuses without seeking any permission. This enriched culture because these works were available for educational uses, historical research, and creative reuses.

While many countries abandoned formality requirements in the late 19th and early 20th centuries, the U.S. maintained notice-on-copies and registration-for-renewal formalities until 1989. The U.S. still requires registration of copyrights as a precondition for U.S. authors to bring infringement actions, as well as for eligibility for attorney fee and statutory damage awards.

Formalities do a good job weeding out who really cares about copyrights and who doesn't. So why did the U.S. abandon formalities?

Formalities Abandoned
The U.S. had no choice but to abandon copyright formality requirements in the late 1980s because it wanted to exercise leadership on copyright policy in the international arena.

Then, as now, the only significant international forum for copyright policy discussions was the Berne Union. It is comprised of nations that have agreed to abide by provisions of an international treaty known as the Berne Convention for the Protection of Literary and Artistic Works. Article 5(2) of this treaty forbids member states from conditioning the enjoyment or exercise of copyrights on formalities, such as those long practiced in the U.S.

The Berne Union was first founded in the late 19th century, at a time when the U.S. had little interest in international copyrights. By the mid-1980s, however, U.S. copyright industries were the strongest and most successful in the world. They had become not only significant contributors to the gross domestic product, but also a rapidly growing exporter of U.S. products. This made them care about the copyright rules adopted in other countries.

In the late 1980s, these industries persuaded one of their own—President Ronald Reagan—that the U.S. needed to join the Berne Convention in order to exercise influence on international copyright policy. And so in 1989, under Reagan's leadership, the U.S. joined the Berne Convention and abandoned the notice-on-copies and registration requirements that had served the nation well since its founding.

Why Is Berne Hostile to Formalities?
In the late 1880s when the Berne Union was first formed, each of the 10 participating countries had its own unique formality requirements for copyright protection. One of the goals of the Berne Union was to overcome obstacles to international trade in copyrighted works, such as burdens of complying with multiple formalities.

The initial solution to the problem of too many formalities was a Berne Convention rule that provided that if an author had complied with the formalities of his/her own national copyright law, other Berne Union countries would respect that and not insist on compliance with their formality requirements.

That was a reasonably good solution as far as it went, but it created some confusion. It was sometimes unclear, for instance, whether works of foreign authors sold in, say, France, had complied with the proper formalities in the works' country of origin. If a work was simultaneously published in two countries, was the author required to comply with two sets of formalities or only one of them? It was also difficult for a publisher to know whether a renewal formality in a work's country of origin had been satisfied.

In part because of such confusions, the Berne Convention was amended in 1908 to forbid Berne Union members from conditioning the enjoyment and exercise of copyright on compliance with formalities.

While the main reason for abandoning formalities was pragmatic, another factor contributing to the abandonment of formalities was the influence in Europe of a theory that authors had natural rights to control the exploitation of their works. Sometimes this theory was predicated on the labor expended by authors in creating their works, and sometimes on the idea that each work was a unique expression of the author's personality that deserved automatic respect from the law.

In the absence of organized constituencies in favor of preserving formalities, the natural rights theory of copyrights prevailed in much of Europe, and with it, the idea that formalities were inconsistent with the natural rights of authors in their works.

Because the Berne Convention's ban on formalities has been incorporated by reference into another major international treaty, the Agreement on Trade-Related Aspects of Intellectual Property Rights (widely known as the TRIPS Agreement), it would seem the world is now stuck with a no-formality copyright regime. But should it be so?

Has Technology Changed the Formalities Equation?
In recent decades, two major changes have contributed to a renewed interest in copyright formalities.

One is that advances in information technologies and the ubiquity of global digital networks have meant that more people than ever before are creating and disseminating literary and artistic works, many of which are mashups or remixes of existing works.

A second is that the Internet and Web have made it possible to establish scalable global registries and other information resources that would make compliance with formalities inexpensive and easy (at least if competently done), thereby overcoming the problems that led to the Berne Convention ban on formalities.

Lawrence Lessig, among others,1,3 has argued that reinstituting copyright formalities would be a very good idea. This would enable free reuses of many existing commercially fallow works that would contribute to and build on our cultural heritage. It would also help libraries and archives to preserve that part of our cultural heritage still in-copyright and to provide access to works of historical or scientific interest now unavailable because of overlong copyrights. Many innovative new services could be created to facilitate new insights and value from existing works, such as those contemplated in the Google Book Search settlement (for example, nonconsumptive research services to advance knowledge in hu-
by enabling freer uses of works not so demarked, formalities contribute to freer flows of information and to the ongoing progress of culture.

One recent report2 has recommended that the U.S. Copyright Office should develop standards for enabling the creation of multiple interoperable copyright registries that could serve the needs of particular authorial communities, while also serving the needs of prospective users of copyrighted works by providing better information about copyright ownership and facilitating licensing. Perhaps unregistered works should receive protection against wholesale copying for commercial purposes, while registered works might qualify for a broader scope of protection and more robust remedies.

Conclusion
Copyright industry representatives frequently decry the lack of respect that the public has for copyrights. Yet, in part, the public does not respect copyright because some aspects of this law don't make much sense.

An example is the rule that every modestly original writing, drawing, or photograph that every person creates is automatically copyrighted and cannot be reused without permission for 100 years or more (depending on how long the author lives after a work is created).

If too many works are in-copyright for too long, then our culture suffers and we also lose the ability to distinguish in a meaningful way between those works that need copyright protection and those that don't.

This column has explained that formalities in copyright law serve a number of positive functions and has argued that reinstituting formalities would go a long way toward addressing the problems arising from the existence of too many copyrights that last for too many years. Obviously the new formalities must be carefully designed so they do not unfairly disadvantage authors and other owners.

Although the obstacles to adoption of reasonable formalities may be formidable, they are surmountable if the will can be found to overcome them and if the technology infrastructure for enabling them is built by competent computing professionals. One intellectual obstacle to reinstituting formalities is addressed in a forthcoming book,4 which explains that formality requirements are more consistent with natural rights theories than many commentators have believed. Treaties can be amended and should be when circumstances warrant the changes.

References
1. Lessig, L. The Future of Ideas: The Fate of the Commons in a Connected World. Random House, New York, 2001.
2. Samuelson, P. et al. The Copyright Principles Project: Directions for reform. Berkeley Technology Law Journal 25:0000 (2010).
3. Sprigman, C. Reform(aliz)ing copyright. Stanford Law Review 57:568 (2004).
4. van Gompel, S. Formalities in Copyright Law: An Analysis of their History, Rationales and Possible Future. Kluwer Law International, Alphen aan den Rijn, The Netherlands, forthcoming 2011.

Pamela Samuelson (pam@law.berkeley.edu) is the Richard M. Sherman Distinguished Professor of Law and Information at the University of California, Berkeley.

Copyright held by author.

Calendar of Events

July 18–21: International Conference on e-Business, Seville, Spain. Contact: David A. Marca, Email: dmarca@openprocess.com, Phone: 617-641-9474

July 18–21: International Conference on Security and Cryptology, Seville, Spain. Contact: Pierangela Samarati, Email: pierangela.samarti@unimi.it, Phone: +39-0373-898-061

July 18–21: International Conference on Signal Processing and Multimedia Applications, Seville, Spain. Contact: Mohammad S. Obaidat, Email: obaidat@monmouth.edu, Phone: 201-837-8112

July 18–21: International Symposium on Smart Graphics, Bremen, Germany. Contact: Rainer Malaka, Email: malaka@tzi.de, Phone: +49-421-21864402

July 20–22: Symposium on Geometry Processing 2011, Lausanne, Switzerland. Contact: Mark Pauly, Email: mark.pauly@epfl.ch

July 22–24: International Conference on Advances in Computing and Communications, Kochi, India. Contact: Sabu M. Thampi, Email: smtlbs@in.com

July 25–27: 19th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Singapore. Contact: Cai Wentong, Email: aswtcai@ntu.edu.sg
Broadening Participation
The Status of Women of Color
in Computer Science
Addressing the challenges of increasing the number
of women of color in computing and ensuring their success.
To remain economically and globally competitive,
the U.S. needs to increase its
advanced domestic science
and technology work force.1
As U.S. colleges are already majority
female and are increasingly enrolling
more minority students, women of
color represent a growing potential
source of domestic talent to meet the
needs of the country. Thus, it is in
the interest of all of us to ensure that
women of color are well represented in
science, technology, engineering, and
mathematics (STEM) fields.
There is also the social justice argu-
ment for promoting women of color
in STEM. The history of exclusion in
science and technology fields and
in the U.S. at large has resulted in an
unfortunate outcome of underrepre-
sentation that should be actively ad-
dressed. It is important to continue
to recognize and challenge sexism and racism that remain pervasive—though perhaps more subtle than 30 years ago—and which are experienced by women of color in multiplicative ways. Moreover, women of color are often the breadwinners, main supporters of children, and community leaders, so their successes and failures in a well-paid and well-respected field such as computer science could have significant impacts on more general community issues.

The Spelman College Spelbots provide hands-on robotics education and research for women computer science students by competing in U.S. and International RoboCup 4-Legged competitions. Photograph courtesy of Andrew Williams.

As the accompanying table shows, the current outlook presents challenges for addressing the need to attract and retain women, especially women of color, in computing. Among U.S. citizens and permanent residents receiving 2008 degrees in the computer sciences, women of color fared worse compared to their White female counterparts at both the bachelor's and Ph.D. levels. Within every racial group, men outearned women in terms of CS degrees awarded, with two exceptions: Blacks at the Ph.D. level, where men and women both earned 12 degrees, and American Indian/Alaska Natives at the Ph.D. level, where men and women both earned no degrees.2

Of serious concern is the decline of Hispanic women earning Ph.D.s in CS. An examination of doctorate attainment over the past decade reveals that their numbers peaked in 2004 at nine Ph.D.s but have declined since, and they received only two of the CS Ph.D.s awarded in 2008. Of continuing disquiet is the status of American Indian/Alaska Native women in CS. Between 2000 and 2008 this group has only earned a total of seven Ph.D.s.2

Computer sciences degrees awarded to U.S. citizens and permanent residents (2008).

                                     Bachelor's Degrees    Ph.D.s
Female                               6,473 (17.4%)         153 (22.9%)
  White                              3,235 (8.7%)          89 (13.3%)
  Asian/Pacific Islander             597 (1.6%)            17 (2.5%)
  Black                              1,338 (3.6%)          12 (1.8%)
  Hispanic                           551 (1.5%)            2 (0.3%)
  American Indian/Alaska Native      55 (0.1%)             0 (0.0%)
  Other or unknown race/ethnicity    697 (1.9%)            33 (4.9%)
Male                                 30,639 (82.6%)        514 (77.1%)
  White                              19,954 (53.8%)        357 (53.5%)
  Asian/Pacific Islander             2,536 (6.8%)          70 (10.5%)
  Black                              2,673 (7.2%)          12 (1.8%)
  Hispanic                           2,372 (6.4%)          14 (2.1%)
  American Indian/Alaska Native      166 (0.4%)            0 (0.0%)
  Other or unknown race/ethnicity    2,938 (7.9%)          61 (9.1%)

Source: National Science Foundation, 2011. Note: Percentages reflect the proportion of the total number of CS bachelor's degrees and Ph.D.s awarded, respectively, to U.S. citizens and permanent residents.

Communications of the ACM | July 2011 | Vol. 54 | No. 7

The "Inside the Double Bind" Study
Policies aimed at increasing women of color in computing should be based on empirical research on this population. Unfortunately, not much research exists. While there have been many studies since 1970 on the experiences of women in STEM and on those of minorities in STEM, the unique experiences of women of color, who encounter the challenges of race and gender simultaneously, are often excluded from the research agenda. Studies that do exist have been difficult to find because they are scattered throughout journals, book chapters, reports, and unpublished dissertations.

The NSF-funded project, "Inside the Double Bind: A Synthesis of Empirical Literature on Women of Color in STEM," aimed to gather, analyze, and synthesize empirical research that had been produced between 1970 and 2008. The project team, co-led by Gary Orfield (UCLA) and myself, identified 116 works of empirical research literature produced since 1970 on women of color in STEM higher education and careers. The resulting "Inside the Double Bind" synthesis3,4 highlights general empirical findings and identifies research gaps in STEM. Specific findings on women of color in computer science are summarized here.

We identified 19 sources on women of color in computer science—not many at all, considering that our search covered nearly 40 years' worth of literature. Studies in computing are relatively new: 16 of the works have been produced since 2002. Most of the literature focuses on higher education, and the research covers an array of topics, including the "digital divide" that separates girls and women of color from others, social challenges for women of color students, the roles of minority-serving institutions, and nontraditional pathways to CS degrees. The reader should be forewarned that our searches were thorough but not exhaustive, and with only 19 identified works, there are many gaps and incomplete descriptions about the status and experiences of women of color in computing. Some policy implications and future directions for research in this area are discussed later in this column.

Preparation and the "digital divide." Several research studies pointed to the "digital divide" that leaves girls and women of color underexposed to technology and basic computer skills in their upbringing. The underexposure, researchers claim, may be due to a number of factors, including socioeconomic inequalities and gendered beliefs that females lack potential for technical fluency. This divide can put them at a disadvantage compared to their White and male peers in knowledge and in comfort in dealing with computers, thus hindering their entry into and retention in computer science fields.

Social challenges for women of color in CS. Fields that are heavily White and male, such as physics, engineering, and computer science, pose some unique social challenges for women of color students. At predominantly White institutions (PWIs), they often experience being the only woman or minority—or, at most, one of a few—in their class or laboratory. Research suggests that in CS, their sense of isolation is often heightened by what they perceive as an unwelcoming environment and others' lowered expectations of them. In my current study, a comment by a young professional woman of color who had majored in computer science provides a vivid illustration of this experience:

In my computer science class, a lot of the projects were group [work] and so I found two… [minority] groupmates, who were heaven-sent. And we stuck by each other and actually, after we found each other, planned all of our schedules in sync with each other, so we took the same classes in order to get through the undergraduate experience together. Because a part of being a minority is that people don't want to work with you. They don't look at you and sense that you are a smart person they want to work with. So finding people who believe in you and you believe in, and then sticking together, was really important. ("Serena," in Ong and Hodari.5)

This woman's strategy of working with other minorities helped her to persist through her undergraduate program, but sadly, the cumulative social challenges she encountered ultimately deterred her from pursuing computer science in graduate school or as a career. This story of attrition is far too common. Fortunately, though, an increasing number of organizations and CS departments are putting tremendous amounts of time and energy into establishing more welcoming social environments for all of their members.

Family and school balance. There is a serious dearth of research about family-school and family-work balance for women of color in STEM and in CS, but what we've learned so far is worth noting. The few studies we identified on the topic reveal that a common challenge for women of color students involves tensions between their demanding CS programs and external pressures to manage and participate in the family structure and to contribute to the family income. Exacerbating the issue are rigid course schedules, faculty who do not understand the cultural expectations upon these students, family members who do not understand the time commitment required to pursue a computer science degree, and lack of job opportunities for students in CS-related fields.

The role of minority-serving institutions. Minority-serving institutions (MSIs), including Historically Black [...] programs and activities that attract and retain them, and types of degrees [...] ways to bring more women of color into the field. Future studies should include women in all racial/ethnic groups, but especially those groups about whom information is scarce: Latinas/Hispanics, American Indians/Alaska Natives, and Asian Americans/Pacific Islanders. Future research needs to address educational and career choices and career trajectories of women of color, and more should be learned about the paths of nontraditional students into computing careers. Many more studies on women of color in computing regarding balance between family and school or work should be conducted. Future research should highlight ele-
Colleges and Universities (HBCUs), and employment they gain. ments of success for women of color in
Hispanic-serving institutions (HSIs), CS, rather than dwelling on challenges.
and Tribal Colleges and Universi- Policy Implications and For example, at the institutional, de-
ties (TCUs), have a strong history of Future Directions for Research partmental, and programmatic levels,
producing a disproportionate num- The existing research indicates some effective recruitment and retention
ber of minority female STEM majors potential, immediate steps for institu- practices at MSIs, predominantly White
who continue on to Ph.D.s. The field tional policy and action. To help wom- institutions, and community colleges
of computer science is no exception. en of color traverse the digital divide need to be better studied so that others
While more research is needed in this and feel they belong in CS, institutions may learn from them. Addressing these
area, especially for HSIs and TCUs, might offer real-world opportunities to knowledge gaps will point us to practi-
existing research attributes the per- gain computer expertise—and thereby cal solutions to increase the numbers
sistence of women of color in CS to a sense of empowerment—in the class- of women of color in computing and to
MSIs’ nurturing environments, fac- room. They could also provide mean- ensure their success.
ulty who believe in their students, a ingful and well-paid CS-related employ-
collaborative peer culture, and special ment, such as research and tutoring References
1. National Academies. Rising Above the Gathering
programs such as summer research opportunities, and develop and sustain Storm, Revisited: Rapidly Approaching Category 5.
experiences. Researchers also credit a supportive learning community that National Academies Press, Washington, D.C., 2010.
2. National Science Foundation, National Center for
the persistence of women of color in includes women of color and other Science and Engineering Statistics. Women, Minorities,
and Persons with Disabilities in Science and Engineering:
computing to the personal drive of the marginalized students. Practices of or- 2011, tables 5-7 and 7-7, NSF 11-309. Arlington, VA,
women themselves. ganizations and departments that have 2011; http://www.nsf.gov/statistics/wmpd/.
3. Ong, M., Wright, C., Espinosa, L., and Orfield, G. Inside
Nontraditional pathways. More already made great strides in this area the Double Bind: A Synthesis of Empirical Research on
than their White female counterparts, should be documented, widely dissemi- Women of Color in Science, Technology, Engineering,
and Mathematics. White Paper presented to the
women of color take nontraditional nated, and adapted by others. Further, National Science Foundation, Washington, D.C. (NSF/
paths to computer science. Many institutions should explore ways to REESE Project DRL-0635577), March 31, 2010; http://
www.terc.edu/work/1513.html.
come to CS education later in their adapt some practices of MSIs and pro- 4. Ong, M., Wright, C., Espinosa, E., and Orfield, G. Inside
lives, long after leaving school with grams that successfully serve nontra- the double bind: A synthesis of empirical research on
undergraduate and graduate women of color in science,
non-CS degrees or no degree at all, ditional students in computer science. technology, engineering, and mathematics. Harvard
and perhaps after starting a family or To address tensions between family Educational Review 81, 2 (Summer 2011), 172–208.
5. Ong, M. and Hodari, A.K. Beyond the double bind:
working full-time. Many begin their and academic demands, departments Women of color in STEM. NSF/REESE research project
computer science education in com- might offer more flexibility in their pro- funded by NSF-DRL 0909762, 2009–2012.
munity colleges, and while some di- grams, including offering some online
Maria (Mia) Ong (mia_ong@terc.edu) is a social scientist
rectly transfer afterward to a four-year courses and scheduling courses more at TERC in Cambridge, MA, specializing in the experiences
institution, others periodically “stop than once a year; allow for a fully inte- of women of color in STEM in higher education and
careers. She is a member of the Committee on Equal
out,” taking months or years off be- grated, part-time academic track; and Opportunities in Science and Engineering (CEOSE), a
fore returning to study. Studies reveal increase the number of CS research sti- congressionally mandated advisory committee to the
National Science Foundation, and a member of the Social
that persistence through programs by pends and work opportunities. Finally, Science Advisory Board of the National Center for Women
nontraditional women of color result high-level recognition of the many ac- in Information Technology (NCWIT).
of nontraditional students, academic New research will reveal effective Copyright held by author.
Viewpoint

Non-Myths About Programming
Viewing computer science in a broader context to dispel common misperceptions about studying computer science.

This Viewpoint is based on my keynote speech at the Sixth International Computing Education Research Workshop, held in Aarhus, Denmark last summer. The talk began with the presentation of a short play, Aunt Jennifer, in which Tiffany, a high school student, attributes her mother's dreary and poverty-stricken life as a checkout clerk in a supermarket to rotten luck, while attributing the pleasant life of her Aunt Jennifer, a software engineer, to good luck. Despite her high grades in mathematics, Tiffany rejects her guidance counselor's offer to help her obtain a scholarship to study computer science.a

The decline of interest in studying computer science is usually attributed to a set of perceptions that students have about the subject. Many educators react to these perceptions as if they were myths and try to refute them. I believe the perceptions of students are roughly true when viewed in isolation, and that the proper way to address these non-myths is to look at them within the context of "real life." When examined in a broader context, a more valid image of computer science can be sketched, and this can be used to provide more accurate guidance to students who are deliberating whether to study computer science.

Margaret Hamilton, chief software engineer for the development of the NASA Apollo program flight software, sitting in a mockup of the Apollo space capsule while checking programs she and her team developed. Hamilton received an Exceptional Space Act Award, one of only 128 awards granted from 1990 through 2003. Photograph courtesy of NASA.

Here, I will express the non-myths in terms of programming.

Non-Myth #1: Programming Is Boring
It is one of the unfortunate facts of life that all professions become routine and even boring once you develop a certain level of skill. Of course there are innumerable "McJobs"—intrinsically boring occupations in factories and service industries—that many people must do. But even prestigious professions are not exempt from boredom: I have heard physicians and attorneys complain about boredom. Consider physicians: either you become a general practitioner and at least 9 out of 10 patients come to you with routine, "boring," complaints, or you become a specialist, adept at performing a small number of procedures. After you have done them hundreds or thousands of times, surely boredom sets in.

a The script of the play can be downloaded from http://stwww.weizmann.ac.il/g-cs/benari/articles/aunt-jennifer.pdf.
ly, but she must remember that she will not become a friend to her clients.

Non-Myth #5: Programming Is Only for Those Who Think Logically
Well, yes. The nature of programming needs clarification. I define programming as any activity where a computation is described according to formal rules. Painting a picture is not programming: first, it obviously does not describe a computation, and, second, you are free to break whatever rules there are. At worst, they will call you an "Impressionist" and not buy your paintings until after you are dead. Constructing a Web site and building a spreadsheet are both programming, because you have to learn the rules for describing the desired output (even if the rules concern a sequence of menu selections and drag-and-drop operations), and you have to debug incorrect results that result from not following the rules.

Tiffany's good grades in mathematics imply she has the ability to think logically. She may prefer to study music so she can play violin in a symphony orchestra, but she should certainly consider studying computer science, and her guidance counselor should insist this alternative be thoroughly explored.

Non-Myth #6: Software Is Being Outsourced
Of course it is. However, the share of software being outsourced is relatively small compared with that in manufacturing. This is not a fluke but an intrinsic aspect of software. Almost by definition, "soft"-ware is used whenever flexibility and adaptation to requirements is needed. If a machine tool is going to turn out the same screw throughout its entire lifetime, it can be outsourced and programmed in "hard"-ware.

Software development can also be a path to other professional activities like systems design and marketing, since software reifies the proprietary knowledge of a firm. A bank might outsource the building of its Web site, but it is not likely to outsource the development of software to implement algorithms for pricing options or analyzing risk, because this proprietary knowledge is what contributes directly to the bank's success.

It would be reasonable for Tiffany to prefer designing jewelry over studying computer science, but not because software is being outsourced. It is more likely that her jewelry business will fail when confronted with outsourced products than it is that her programming job at Boeing or Airbus will be outsourced.

Non-Myth #7: Programming Is a Well-Paid Profession
That's great. Potential earnings shouldn't be the only consideration when choosing a profession, but it is not immoral to consider what sort of future you will be offering your family. It would be a good idea to remind Tiffany that the chasm between the lifestyles of her mother and Aunt Jennifer is not the result of luck.

I recently read the controversial book Freakonomics by Steven D. Levitt and Stephen J. Dubner.1 The third chapter—"Why Do Drug Dealers Still Live with Their Moms?"—based upon the work of sociologist Sudhir Venkatesh3—is quite relevant to the issue of potential earnings. As a graduate student, Venkatesh was able to observe and document the lives of the members of a drug gang, and he eventually obtained their financial records. These were analyzed by Levitt, an economist, who came up with the following conclusion, expressed as a question: So if crack dealing is the most dangerous job in America, and if the salary was only $3.30 an hour, why on earth would anyone take such a job? The answer: Well, for the same reason that a pretty Wisconsin farm girl moves to Hollywood. For the same reason that a high-school quarterback wakes up at 5 a.m. to lift weights. They all want to succeed in an extremely competitive field in which, if you reach the top, you are paid a fortune (to say nothing of the attendant glory and power). The result: The problem with crack dealing is the same as in every other glamour profession: a lot of people are competing for a very few prizes. Earning big money in the crack gang wasn't much more likely than the Wisconsin farm girl becoming a movie star or the high-school quarterback playing in the NFL.

Ambition to succeed in a glamour profession is not something to be deplored, but a young person must receive advice and support on what to do if she is not the 1 in 10,000 who succeeds. If Tiffany wants to become a professional singer, I would not try to dissuade her, but I would prefer that she pursue a CS degree part time while she tries to advance her singing career.

The Real World Is Not So Bad
I found the striking image appearing at the beginning of this Viewpoint on the NASA Web site. The image shows Margaret Hamilton sitting in a mockup of the Apollo space capsule. Hamilton was the chief software engineer for the development of the Apollo flight software. She and her team developed new techniques of software engineering, which enabled their software to perform flawlessly on all Apollo missions. Later, she went on to establish her own software company. Hamilton looks like she is having a lot of fun checking out the programs that she and her team developed. I am sure the long hours and whatever routine work the job involved were placed into perspective by the magnitude of the challenge, and there is no question she felt immense satisfaction when her software successfully landed Neil Armstrong and Buzz Aldrin on the moon. I do not know if Hamilton felt locked out of the male-dominated "clubhouse,"2 but my guess is that the difficulty of the task, the short schedule, and the weight of the responsibility felt by the whole team would have made such issues practically nonexistent.

Teachers, parents, and guidance counselors have the responsibility to explain the facts of life to talented young people: computer science and programming may seem like boring activities suitable only for asocial geeks, but a career like Margaret Hamilton's is more fulfilling and more rewarding than what awaits those who do not study science and engineering based upon superficial perceptions of these professions.

References
1. Levitt, S.D. and Dubner, S.J. Freakonomics: A Rogue Economist Explores the Hidden Side of Everything. Allen Lane, London, 2005.
2. Margolis, J. and Fisher, A. Unlocking the Clubhouse: Women in Computing. MIT Press, Cambridge, MA, 2002.
3. Venkatesh, S. Gang Leader for a Day: A Rogue Sociologist Crosses the Line. Allen Lane, London, 2008.

Mordechai (Moti) Ben-Ari (benari@acm.org) is an associate professor in the Department of Science Teaching at Weizmann Institute of Science in Rehovot, Israel, and an ACM Distinguished Educator.

I would like to thank Mark Guzdial for his helpful comments on an earlier version of this Viewpoint.

Copyright held by author.
Passing a Language Through the Eye of a Needle

the other hand, is more difficult to support, because it usually demands closer integration between the host program and the script, and FFI alone does not suffice.

In this article we discuss how embeddability can impact the design of a language, and in particular how it impacted the design of Lua from day one. Lua3,4 is a scripting language with a particularly strong emphasis on embeddability. It has been embedded in a wide range of applications and is a leading language for scripting games.2
bulk of control communication between Lua and C, there are other forms of control exposed through the API: iterators, error handling, and coroutines. Iterators in Lua allow constructions such as the following one, which iterates over all lines of a file:

    for line in io.lines(file) do
      print(line)
    end

Although iterators present a new syntax, they are built on top of first-class functions. In our example, the call io.lines(file) returns an iteration function, which returns a new line from the file each time it is called. So, the API does not need anything special to handle iterators. It is easy both for Lua code to use iterators written in C (as is the case of io.lines) and for C code to iterate using an iterator written in Lua. For this case there is no syntactic support; the C code must do explicitly all that the for construct does implicitly in Lua.

Error handling is another area where Lua has suffered a strong influence from the API. All error handling in Lua is based on the longjump mechanism of C. It is an example of a feature exported from the API to the language.

The API supports two mechanisms for calling a Lua function: unprotected and protected. An unprotected call does not handle errors: any error during the call long jumps through this code to land in a protected call farther down the call stack. A protected call sets a recovery point using setjmp, so that any error during the call is captured; the call always returns with a proper error code. Such protected calls are very important in an embedded scenario where a host program cannot afford to abort because of occasional errors in a script. The bare-bones application just presented uses lua_pcall (protected call) to call each compiled line in protected mode.

The standard Lua library simply exports the protected-call API function to Lua under the name of pcall. With pcall, the equivalent of a try-catch in Lua looks like this:

    local ok, errorobject = pcall(function()
      -- here goes the protected code
      ...
    end)
    if not ok then
      -- here goes the error handling code
      -- (errorobject has more information about the error)
      ...
    end

This is certainly more cumbersome than a try-catch primitive mechanism built into the language, but it has a perfect fit with the C API and a very light implementation.

The design of coroutines in Lua is another area where the API had a great impact. Coroutines come in two flavors: symmetric and asymmetric.1 Symmetric coroutines offer a single control-transfer primitive, typically called transfer, that acts like a goto: it can transfer control from any coroutine to any other. Asymmetric coroutines offer two control-transfer primitives, typically called resume and yield, that act like a call–return pair: a resume can transfer control to any other coroutine; a yield stops the current coroutine and goes back to the one that resumed the one yielding.

It is easy to think of a coroutine as a call stack (a continuation) that encodes which computations a program must do to finish that coroutine. The transfer primitive of symmetric coroutines corresponds to replacing the entire call stack of the running coroutine by the call stack of the transfer target. On the other hand, the resume primitive adds the target stack on top of the current one.

A symmetric coroutine is simpler than an asymmetric one but poses a big problem for an embeddable language such as Lua. Any active C function in a script must have a corresponding activation record in the C stack. At any point during the execution of a script, the call stack may have a mix of C functions and Lua functions. (In particular, the bottom of the call stack always has a C function, which is the host program that initiated the script.) A program cannot remove these C entries from the call stack, however, because C does not offer any mechanism for manipulating its call stack. Therefore, the program cannot make any transfer.

Figure 1. Passing an array through an API with eval.

    void copy (int ar[], int n) {
      int i;
      eval("ar = {}");                             /* create an empty array */
      for (i = 0; i < n; i++) {
        char buff[100];
        sprintf(buff, "ar[%d] = %d", i + 1, ar[i]);
        eval(buff);                                /* assign i-th element */
      }
    }

Figure 2. The bare-bones Lua application.

    #include <stdio.h>
    #include "lauxlib.h"
    #include "lualib.h"

    int main (void) {
      char line[256];
      lua_State *L = luaL_newstate();    /* create a new state */
      luaL_openlibs(L);                  /* open the standard libraries */
      /* read lines and execute them */
      while (fgets(line, sizeof(line), stdin) != NULL) {
        luaL_loadstring(L, line);        /* compile line to a function */
        lua_pcall(L, 0, 0, 0);           /* call the function */
      }
      lua_close(L);
      return 0;
    }
Asymmetric coroutines do not have this problem, because the resume primitive does not affect the current stack. There is still a restriction that a program cannot yield across a C call—that is, there cannot be a C function in the stack between the resume and the yield. This restriction is a small price to pay for allowing portable coroutines in Lua.

Data
One of the main problems with the minimalist eval approach for an API is the need to serialize all data either as a string or a code segment that rebuilds the data. A practical API should therefore offer other, more efficient mechanisms to transfer data between the host program and the scripting environment.

When the host calls a script, data flows from the host program to the scripting environment as arguments, and it flows in the opposite direction as results. When the script calls a host function, we have the reverse. In both cases, data must be able to flow in both directions. Most issues related to data transfer are therefore relevant both for embedding and extending.

To discuss how the Lua–C API handles this flow of data, let's start with an example of how to extend Lua. Figure 3 shows the implementation of function os.getenv, which accesses environment variables of the host program.

Figure 3. A simple C function.

    static int os_getenv (lua_State *L) {
      const char *varname = luaL_checkstring(L, 1);
      const char *value = getenv(varname);
      lua_pushstring(L, value);
      return 1;
    }

For a script to be able to call this function, we must register it into the script environment. We will see how to do this in a moment; for now, let us assume that it has been registered as a global variable getenv, which can be used like this:

    print(getenv("PATH"))

The first thing to note in this code is the prototype of os_getenv. The only parameter of that function is a Lua state. The interpreter passes the actual arguments to the function (in this example, the name of the environment variable) through a data structure inside this state. This data structure is a stack of Lua values; given its importance, we refer to it as the stack.

When the Lua script calls getenv, the Lua interpreter calls os_getenv with the stack containing only the arguments given to getenv, with the first argument at position 1 in the stack. The first thing os_getenv does is to call luaL_checkstring, which checks whether the Lua value at position 1 is really a string and returns a pointer to the corresponding C string. (If the value is not a string, luaL_checkstring signals an error using a longjump, so that it does not return to os_getenv.)

Next, the function calls getenv from the C library, which does the real work. Then it calls lua_pushstring, which converts the C string value into a Lua string and pushes that string onto the stack. Finally, os_getenv returns 1. This return tells the Lua interpreter how many values on the top of the stack should be considered the function results. (Functions in Lua may return multiple results.)

Now let's return to the problem of how to register os_getenv as getenv in the scripting environment. One simple way is by changing our previous example of the basic standalone Lua program as follows:

      lua_State *L = luaL_newstate();    /* creates a new state */
      luaL_openlibs(L);                  /* opens the standard libraries */
    + lua_pushcfunction(L, os_getenv);
    + lua_setglobal(L, "getenv");

The first added line is all the magic we need to extend Lua with host functions. Function lua_pushcfunction receives a pointer to a C function and pushes on the stack a (Lua) function that, when called, calls its corresponding C function. Because functions in Lua are first-class values, the API does not need extra facilities to register global functions, local functions, methods, and so forth. The API needs only the single injection function lua_pushcfunction. Once created as a Lua function, this new value can be manipulated just as any other Lua value. The second added line in the new code calls lua_setglobal to set the value on the top of the stack (the new function) as the value of the global variable getenv.

Besides being first-class values, functions in Lua are always anonymous. A declaration such as

    function inc (x) return x + 1 end

is syntactic sugar for an assignment:

    inc = function (x) return x + 1 end

The API code we used to register function getenv does exactly the same thing as a declaration in Lua: it creates an anonymous function and assigns it to a global variable.

In the same vein, the API does not need different facilities to call different kinds of Lua functions, such as global functions, local functions, and methods. To call any function, the host first uses the regular data-manipulation facilities of the API to push the function onto the stack, and then pushes the arguments. Once the function (as a first-class value) and the arguments are in the stack, the host can call it with a single API primitive, regardless of where the function came from.

One of the most distinguishing features of Lua is its pervasive use of tables. A table is essentially an associative array. Tables are the only data-structure mechanism in Lua, so they play a much larger role than in other languages with similar constructions. Lua uses tables not only for all its data structures (records and arrays among others), but also for other language mechanisms, such as modules, objects, and environments.

The example in Figure 4 illustrates the manipulation of tables through the API. Function os_environ creates and returns a table with all environment variables available to a process. The function assumes access to the environ array, which is predefined in POSIX systems; each entry in this array is a string of the form NAME=VALUE, describing an environment variable.

The first step of os_environ is to create a new table on the top of the stack by calling lua_newtable. Then the function traverses the array environ to build a table in Lua reflecting the contents of that array. For each entry in environ, the function pushes the variable name on the stack, pushes the variable value, and then calls lua_settable to store the pair in the new table. (Unlike lua_pushstring, which assumes a zero-terminated string, lua_pushlstring receives an explicit length.)

Function lua_settable assumes that the key and the value for the new entry are on the top of the stack; the argument -3 in the call tells where the table is in the stack. (Negative numbers index from the top, so -3 means three slots from the top.)

Function lua_settable pops both the key and the value, but leaves the table where it was in the stack. Therefore, after each iteration, the table is back on the top. The final return 1 tells Lua that this table is the only result of os_environ.

Figure 4. A C function that returns a table.

    extern char **environ;

    static int os_environ (lua_State *L) {
      int i;
      /* push a new table onto the stack */
      lua_newtable(L);
      /* repeat for each environment variable */
      for (i = 0; environ[i] != NULL; i++) {
        /* find the '=' in NAME=VALUE */
        char *eq = strchr(environ[i], '=');
        if (eq) {
          /* push name */
          lua_pushlstring(L, environ[i], eq - environ[i]);
          /* push value */
          lua_pushstring(L, eq + 1);
          /* table[name] = value */
          lua_settable(L, -3);
        }
      }
      /* result is the table */
      return 1;
    }

A key property of the Lua API is that it offers no way for C code to refer directly to Lua objects; any value to be manipulated by C code must be on the stack. In our last example, function os_environ creates a Lua table, fills it with some entries, and returns it to the interpreter. All the time, the table remains on the stack.

We can contrast this approach with using some kind of C type to refer to values of the language. For example, Python has the type PyObject; JNI (Java Native Interface) has jobject. Earlier versions of Lua also offered something similar: a lua_Object type. After some time, however, we decided to change the API.6

The main problem of a lua_Object type is the interaction with the garbage collector. In Python, the programmer is responsible for calling macros such as Py_INCREF and DECREF to increment and decrement the reference count of objects being manipulated by the API. This explicit counting is both complex and error prone. In JNI (and in earlier versions of Lua), a reference to an object is valid until the function where it was created returns. This approach is simpler and safer than a manual counting of references, but the programmer loses control of the lifetime of objects. Any object created in a function can be released only when the function returns. In contrast, the stack allows the programmer to control the lifetime of any object in a safe way. While an object is in the stack, it cannot be collected; once out of the stack, it cannot be manipulated. Moreover, the stack offers a natural way to pass parameters and results.

The pervasive use of tables in Lua has a clear impact on the C API. Anything in Lua represented as a table can be manipulated with exactly the same operations. As an example, modules in Lua are implemented as tables. A Lua module is nothing more than a table containing the module functions and occasional data. (Remember, functions are first-class values in Lua.) When you write something like math.sin(x), you think of it as calling the sin function from the math module, but you are actually calling the contents of field "sin" in the table stored in the global variable math. Therefore, it is very easy for the host to create modules, to add functions to existing modules, to "import" modules written in Lua, and the like.

Objects in Lua follow a similar pattern. Lua uses a prototype-based style for object-oriented programming, where objects are represented by tables. Methods are implemented as functions stored in prototypes. Similarly to modules, it is very easy for the host to create objects, to call methods, and so on. In class-based systems, instances of a class and its subclasses must share some structure. Prototype-based systems do not have this requirement, so host objects can inherit behavior from scripting objects and vice versa.

eval and Environments
A primary characteristic of a dynamic language is the presence of an eval construction, which allows the execution of code built at runtime. As we discussed, an eval function is also a basic element in an API for a scripting language. In particular, eval is the basic means for a host to run scripts.

Lua does not directly offer an eval function. Instead, it offers a load function. (The code in Figure 2 uses the luaL_loadstring function, which
is a variant of load.) This function does not execute a piece of code; instead, it produces a Lua function that, when called, executes the given piece of code. Of course, it is easy to convert eval into load and vice versa. Despite this equivalence, we think load has some advantages over eval. Conceptually, load maps the program text to a value in the language instead of mapping it to an action. An eval function is usually the most complex function in an API. By separating "compilation" from execution, it becomes a little simpler; in particular, unlike eval, load never has side effects.

The separation between compilation and execution also avoids a combinatorial problem. Lua has three different load functions, depending on the source: one for loading strings, one for loading files, and one for loading data read by a given reader function. (The former two functions are implemented on top of the latter.) Because there are two ways to call functions (protected and unprotected), we would need six different eval functions to cover all possibilities. Error handling is also simpler, as static and dynamic errors occur separately. Finally, load ensures that all Lua code is always inside some function, which gives more regularity to the language.

Closely related to the eval function is the concept of environment. Every Turing-complete language can interpret itself; this is a hallmark of Turing machines. What makes eval special is that it executes dynamic code in the same environment as the program that is using it. In other words, an eval construction offers some level of reflection. For example, it is not too difficult to write a C interpreter in C. But faced with a statement such as x=1, this interpreter has no way of accessing variable x in the program, if there is one. (Some non-ANSI facilities, such as those related to dynamic-linking libraries, allow a C program to find the address of a given global symbol, but the program still cannot find anything about its type.)

An environment in Lua is simply a table. Lua offers only two kinds of variables: local variables and table fields. Syntactically, Lua also offers global variables: any name not bound to a local declaration is considered global. Semantically, these unbound names refer to fields in a particular table associated with the enclosing function; this table is called the environment of that function. In a typical program, most (or all) functions share a single environment table, which then plays the role of a global environment.

Global variables are easily accessible through the API. Because they are table fields, they can be accessed through the regular API to manipulate tables. For example, function lua_setglobal, which appears in the bare-bones Lua application code shown earlier, is actually a simple macro written on top of table-manipulation primitives.

Local variables, on the other hand, follow strict lexical-scoping rules, so they do not take part in the API at all. Because C code cannot be lexically nested inside Lua code, C code cannot access local variables in Lua (except through some debug facilities). This is practically the only mechanism in Lua that cannot be emulated through the API.

There are several reasons for this exception. Lexical scoping is an old and powerful concept that should follow the standard behavior. Moreover, because local variables cannot be accessed from outside their scopes, lexical scoping offers programmers a foundation for access control and encapsulation. For example, any file of Lua code can declare local variables that are visible only inside the file. Finally, the static nature of local variables allows the compiler to place all local variables in registers in the register-based virtual machine of Lua.5

Conclusion
We have argued that providing an API to the outside world is not a detail in the implementation of a scripting language, but instead is a decision that may affect the entire language. We have shown how the design of Lua was affected by its API and vice versa.

The design of any programming language involves many such trade-offs. Some language attributes, such as simplicity, favor embeddability, while others, such as static verification, do not. The design of Lua involves several trade-offs around embeddability. The support for modules is a typical example. Lua supports modules with a minimum of extra mechanisms, favoring simplicity and embeddability at the expense of some facilities such as unqualified imports. Another example is the support for lexical scoping. Here we chose better static verification to the detriment of its embeddability. We are happy with the balance of trade-offs in Lua, but it was a learning experience for us to pass through the eye of that needle.

Related articles on queue.acm.org

Purpose-Built Languages
Mike Shapiro
http://queue.acm.org/detail.cfm?id=1508217

A Conversation with Will Harvey
Chris DiBona
http://queue.acm.org/detail.cfm?id=971586

People in Our Software
John Richards, Jim Christensen
http://queue.acm.org/detail.cfm?id=971596

References
1. de Moura, A., Ierusalimschy, R. Revisiting coroutines. ACM Trans. Programming Languages and Systems 31, 2 (2009), 6.1-6.31.
2. DeLoura, M. The engine survey: general results. Gamasutra; http://www.gamasutra.com/blogs/MarkDeLoura/20090302/581/The_Engine_Survey_General_results.php.
3. Ierusalimschy, R. Programming in Lua, 2nd Ed. Lua.org, Rio de Janeiro, Brazil, 2006.
4. Ierusalimschy, R., de Figueiredo, L.H., Celes, W. Lua—an extensible extension language. Software: Practice and Experience 26, 6 (1996), 635-652.
5. Ierusalimschy, R., de Figueiredo, L.H., Celes, W. The implementation of Lua 5.0. Journal of Universal Computer Science 11, 7 (2005), 1159-1176.
6. Ierusalimschy, R., de Figueiredo, L.H., Celes, W. The evolution of Lua. In Proceedings of the 3rd ACM SIGPLAN Conference on History of Programming Languages (San Diego, CA, June 2007).
7. Ousterhout, J.K. Scripting: Higher-level programming for the 21st century. IEEE Computer 31, 3 (1998), 23-30.
8. Python Software Foundation. Extending and embedding the Python interpreter, Release 2.7 (Apr. 2011); http://docs.python.org/extending/.

Roberto Ierusalimschy is an associate professor of computer science at PUC-Rio (Pontifical Catholic University of Rio de Janeiro), where he works on programming-language design and implementation. He is the leading architect of the Lua programming language and the author of Programming in Lua (now in its second edition).

Luiz Henrique de Figueiredo is a full researcher and a member of the Vision and Graphics Laboratory at the National Institute for Pure and Applied Mathematics in Rio de Janeiro. He is also a consultant for geometric modeling and software tools at Tecgraf, the Computer Graphics Technology Group of PUC-Rio, where he helped create Lua.

Waldemar Celes is an assistant professor in the computer science department at Pontifical Catholic University of Rio de Janeiro (PUC-Rio) and a former postdoctoral associate at the Program of Computer Graphics, Cornell University. He is part of the computer graphics technology group of PUC-Rio, where he coordinates the visualization group. He is also one of the authors of the Lua programming language.

© 2011 ACM 0001-0782/11/07 $10.00
that models the syntax and semantics at the same level of abstraction as the domain itself.4

You may be wondering how this particular DSL example developed from the domain model and the common vocabulary business users speak. It involved four major steps:

1. In collaboration with the business users, you derive the common vocabulary of the domain that needs to be used in all aspects of the development cycle.

2. You build the domain model using the common vocabulary and the programming language abstractions of the underlying host language.

3. Again in collaboration with the business users, you develop syntactic constructs that glue together the various domain model elements, publishing the syntax for the DSL users. This is a major advantage over a process where you come up with a shared vocabulary up front and then drive the development of the application solely based on that dictionary. In a DSL-based development, you actually develop DSL constructs using the shared vocabulary as the building blocks of your business rules. The actual rules get developed on top of these syntactic constructs.

4. Then you develop the business rules using the syntax of the previous step. In some cases the actual domain users may also participate in the development.

An Introduction to DSL
Designing a DSL is not nearly as daunting a task as designing a general-purpose programming language. A DSL has a very limited focus, and its surface area is restricted to only the current domain being modeled. In fact, most of the common DSLs used today are designed as pure embedded programs within the structure of an existing programming language. Later we show how to accomplish this embedding process to create a mini-language while using the infrastructure of the underlying implementation language.

Martin Fowler classified DSLs based on the way they are implemented.3 A DSL implemented on top of an underlying programming language is called an internal DSL, embedded within the language that implements it (hence, it is also known as an embedded DSL). An internal DSL script is, in essence, a program written in the host language and uses the entire infrastructure of the host.

A DSL designed as an independent language without using the infrastructure of an existing host language is called an external DSL. It has its own syntax, semantics, and language infrastructure implemented separately by the designer (hence, it is also called a standalone DSL).

This article focuses primarily on internal, or embedded, DSLs.
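Before moving on, a concrete illustration may help. The following minimal Scala sketch (all names here, such as OrderDsl and buy, are invented for illustration and do not come from the article) shows what "internal" means in practice: the DSL is nothing but ordinary host-language methods named after the domain vocabulary, so the entire host toolchain keeps working.

```scala
// A minimal internal-DSL sketch: plain Scala that reads like domain prose.
object OrderDsl {
  case class Order(qty: Int, instrument: String)

  // Intermediate builder returned by `buy`; `shares` completes the phrase.
  case class BuyBuilder(qty: Int) {
    def shares(of: String): Order = Order(qty, of)
  }

  def buy(qty: Int): BuyBuilder = BuyBuilder(qty)
}
```

After `import OrderDsl._`, a script can write `buy(100) shares "IBM"`, which is simply the method call `buy(100).shares("IBM")` in disguise; the host's type checker, IDE support, and libraries all apply unchanged.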
Advantages of Using a DSL
A DSL is designed to make the business rules of the domain more explicit in the programs. Here are some of the advantages of a DSL:

• Easier collaboration with business users. Since a DSL shares a common vocabulary with the problem domain, the business users can collaborate with the programmers more effectively throughout the life cycle of the project. They can participate in the development of the actual DSL syntax on top of the domain model and can help in developing some of the business rules using that syntax. Even when the business users cannot program using the syntax, they can validate the implementation of the rules when they are being programmed and can participate in developing some of the test scripts ready to be executed.

• Better expressiveness in domain rules. A well-designed DSL is developed at a higher level of abstraction. The user of the DSL does not have to care about low-level implementation strategies such as resource allocation or management of complex data structures. This makes the DSL code easier to maintain by programmers who did not develop it.

• Concise surface area of DSL-based

Figure 1. Anatomy of a DSL. (The DSL façade, exposed through the DSL API, offers the DSL expressivity on top of the base abstractions; the base abstractions, built over the domain model, offer the core implementation.)

Figure 2. DSL snippet showing domain vocabulary and bubble words.

    new_trade 'T-12435' for account 'acc-123'
      to buy 100 shares of 'IBM',
      at UnitPrice=100, Principal=12000, Tax=500

(In the original figure, callouts mark parts of the snippet as domain vocabulary and the connecting tokens as bubble words.)
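A snippet in the style of Figure 2 can also be embedded in a statically typed host. The sketch below is purely illustrative (TradeDsl, forAccount, sharesOf, and the simplified Trade fields are invented here, and the bubble words are folded into method names):

```scala
// Sketch of encoding a Figure-2-like phrase as chained method calls in Scala.
object TradeDsl {
  case class Trade(refNo: String, account: String, qty: Int, instrument: String)

  // Each intermediate case class carries the phrase built so far.
  case class NewTrade(refNo: String) {
    def forAccount(acc: String) = WithAccount(refNo, acc)
  }
  case class WithAccount(refNo: String, account: String) {
    def buy(qty: Int) = WithQty(this, qty)
  }
  case class WithQty(acc: WithAccount, qty: Int) {
    def sharesOf(instr: String): Trade =
      Trade(acc.refNo, acc.account, qty, instr)
  }

  def newTrade(refNo: String) = NewTrade(refNo)
}
```

The phrase `newTrade("T-12435") forAccount "acc-123" buy 100 sharesOf "IBM"` then reads close to the figure while remaining fully type-checked.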
46 co mm unicati on s o f th e acm | j u ly 2 0 1 1 | vo l . 5 4 | n o. 7
practice
…the underlying host language.

…structure between new_trade 'T-12435' for account 'acc-123'…
Case classes also offer pattern matching by virtue of their magical autogeneration of the extractors. We used pattern matching on case classes when we designed our DSL. For more details on how case classes make good algebraic data types, refer to Programming in Scala.2

The Embedded DSL
Before we dig into the implementation of the DSL that models the net cash-value calculation of a trade, here are some of the business rules that we must consider in the design:

• Net cash-value calculation logic varies with the market where the trade is being executed.
• We can have specific market rules for individual markets such as Hong Kong or Singapore.
• We can have default rules that apply to all other markets.
• If required, the user can also specify custom strategies and domain-specific optimizations for cash-value calculation in the DSL.

In the example, the DSL constructs are designed as linguistic abstractions on top of the domain model. Business users have a major role to play in collaborating with the developers to ensure the right amount of expressiveness is put in the published syntax. It must be loosely coupled from the core abstractions (Trade, Account, Instrument, and so on) and must speak the domain language of the users. The DSL syntax also needs to be composable, so that users can extend the language with custom domain logic on top of what the base language offers.

Once you have the syntactic constructs, you can use them to develop the application business rules. In the following example we develop the business rule for the cash-value calculation logic of trades on top of the syntax the DSL publishes.

Scala offers a rich type system we can use to model some of the business rules. We model the cash-value calculation logic of a trade as a function from Trade to NetAmount, which is expressed in Scala as Trade => NetAmount. Now each such strategy of calculation is driven by a Market, which means every such function is defined only for a specific value of the Market. We model this as:

    PartialFunction[Market, Trade => NetAmount]

Besides expressing the market-based dispatch structure of the calculation logic as an abstract data type, PartialFunction in Scala is extensible and can be chained together using combinators such as andThen and orElse. For more details on how to compose using PartialFunction, refer to the Scala Web site.5

For convenience let's define a couple of type aliases that abstract the users from the actual underlying data structure that the DSL uses:

    type NetAmount = BigDecimal
    type CashValueCalculationStrategy =
      PartialFunction[Market, Trade => NetAmount]

As the problem domain suggests, we can have a specialized strategy of the cash-value calculation logic for specific markets. As an example, here is how we model a DSL for the Hong Kong market:

    val forHongKong: CashValueCalculationStrategy = {
      case HongKong => { trade =>
        //.. logic for cash value calculation for HongKong
      }
    }

Note how this abstraction is free of unnecessary complexity. It is defined only for the HongKong market and returns a function that accepts a trade and returns a calculated cash value. (The actual logic of calculation is elided and may not be relevant to the current context.) Similarly, we can define another specialization for the Singapore market:

    val forSingapore: CashValueCalculationStrategy = {
      case Singapore => { trade =>
        //.. logic for cash value calculation for Singapore
      }
    }

Let's see how the default strategy is selected through a match-any-market parameter:

    val forDefault: CashValueCalculationStrategy = {
      case _ => { trade =>
        //.. logic for cash value calculation for other markets
      }
    }

This strategy is selected for any market for which it is used. The "_" is a placeholder that matches any market passed to it.

A DSL is useful when the user can compose multiple DSL abstractions to form larger ones. In our case we have designed individual snippets for selecting the appropriate strategy that calculates the net cash value of a trade. How do we compose them so the user can use the DSL without caring about the individual market-specific dispatch logic?

We use an orElse combinator that traverses the chain of individual PartialFunctions and selects the first matching market. If no market-specific strategy is found, then it selects the default. Here is how we wire these snippets together:

    lazy val cashValueComputation: CashValueCalculationStrategy =
      forHongKong orElse forSingapore orElse forDefault

This is the DSL that does a dynamic dispatch for the appropriate cash-value calculation strategy together with a fallback for the default. It addresses the first three business rules enumerated at the beginning of the section. The abstraction above is concise, speaks the domain language, and makes the sequencing of the dispatch logic very explicit. A business user who is not a programmer will be able to verify the appropriate domain rule.

One of the benefits of a well-designed DSL is extensibility. The fourth business rule is a use case for that. How can we extend our DSL to allow users to plug in custom cash-value calculation logic they may want to add for another market? Or they may want to override the current logic for an existing market to add some newly introduced market rules. We can compose the user-specified strategy with our existing one using the orElse combinator.
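The strategy snippets above can be collected into one self-contained, runnable sketch. The Market values, the simplified Trade shape, and the flat multipliers below are invented placeholders for the calculation logic the article elides:

```scala
// Self-contained sketch of the strategy chain; the numbers are made up.
object CashValueDsl {
  sealed trait Market
  case object HongKong  extends Market
  case object Singapore extends Market
  case object Tokyo     extends Market

  case class Trade(market: Market, principal: BigDecimal)

  type NetAmount = BigDecimal
  type CashValueCalculationStrategy =
    PartialFunction[Market, Trade => NetAmount]

  // Market-specific strategies (placeholder arithmetic).
  val forHongKong: CashValueCalculationStrategy = {
    case HongKong => trade => trade.principal * BigDecimal("1.002")
  }
  val forSingapore: CashValueCalculationStrategy = {
    case Singapore => trade => trade.principal * BigDecimal("1.001")
  }
  val forDefault: CashValueCalculationStrategy = {
    case _ => trade => trade.principal
  }

  // First matching market wins; forDefault is the fallback.
  lazy val cashValueComputation: CashValueCalculationStrategy =
    forHongKong orElse forSingapore orElse forDefault

  // A user-supplied strategy takes precedence over the built-in chain.
  lazy val cashValue = (pf: CashValueCalculationStrategy) =>
    pf orElse cashValueComputation
}
```

Calling `CashValueDsl.cashValueComputation(HongKong)` returns the Hong Kong pricing function, while an unknown market falls through to the default; a user-supplied strategy wrapped via `cashValue` shadows both.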
    // pf is the user supplied custom logic
    lazy val cashValue = { pf: CashValueCalculationStrategy =>
      pf orElse cashValueComputation
    }

This DSL is very intuitive: it invokes the custom strategy that the user supplied. If it fails to find a match, then it invokes our earlier strategy. Consider the case where the user defines a custom strategy for the Tokyo market and would like to use it instead of the default fallback strategy:

    val pf: CashValueCalculationStrategy = {
      case Tokyo => { trade =>
        //.. custom logic for Tokyo
      }
    }

Now the user can do the following to supply the preferred strategy to the calculation logic:

    val trade = //.. trade instance
    cashValue(pf)(trade.market)(trade)

Our example uses the rich type system of Scala and its powerful functional abstractions to design a DSL that is embedded within the type system of the host language. Note how we express domain-specific rules (such as the need for the calculation logic to vary with specific markets) declaratively, using only the constraints of the static type system. The resulting DSL has the following characteristics:

• It has a small surface area so that it's easier to comprehend, troubleshoot, and maintain.
• It is expressive enough to make the business user understand and verify the correctness.
• It is extensible in that it allows custom plug-in logic (which may include domain-specific optimizations) to be composed into the base combinator in a completely noninvasive way.

Productivity and DSLs
An embedded DSL encourages programming at a higher level of abstraction. The underlying infrastructure of the host language, the details of the type system, the lower-level data structures, and other concerns such as resource management are completely abstracted from the DSL users, so they can focus on building the business functionalities and using the syntax and semantics of the domain.

In our example, the combinator orElse of PartialFunction hides all details of composing multiple strategies of the cash-value calculation logic. Also, the DSL can be extended for composition with custom logic without any incidental complexity. Thus, the user can focus on implementing the custom abstractions.

We have discussed in detail how to embed a DSL into its host language and make use of the type system to model domain-specific abstractions. You can also design embedded DSLs using dynamically typed languages such as Groovy, Ruby, or Clojure. These languages offer strong metaprogramming facilities that allow users to generate code during compile time or runtime. DSLs developed using these features also lead to enhanced developer productivity, since you get to write only the core business functionalities using the DSL, and the verbose boilerplates are generated by the language infrastructure. Consider the following example of defining a domain object in Rails:

    class Trade < ActiveRecord::Base
      has_one :ref_no
      has_one :account
      has_one :instrument
      has_one :currency
      has_many :tax_fees
      ## ..
      validates_presence_of :account, :instrument, :currency
      validates_uniqueness_of :ref_no
      ## ..
    end

This example defines a Trade abstraction and its associations with other entities in a declarative way. The methods has_one and validates_presence_of express the intent clearly without any verbosity. These are class methods in Ruby6 that use metaprogramming to generate appropriate code snippets during runtime. The DSL that you use for defining Trade remains concise, as well as expressive, while all incidental complexities are abstracted away from the surface area of the exposed API.

You can be productive with DSLs with either statically or dynamically typed languages. You just need to use the idioms that make the language powerful. DSLs in Action1 has a detailed treatment of how to use the power of multiple languages idiomatically to design and implement DSLs.

Conclusion
The main value DSLs add to the development life cycle of a project is to encourage better collaboration between the developers and business users. There are multiple ways to implement DSLs. Here, I discussed one that uses embedding within a statically typed programming language. This allows you to use the infrastructure of the host language and focus on developing domain-friendly linguistic abstractions. The abstractions you develop need to be composable and extensible, so the user can build larger abstractions out of smaller ones. Finally, the abstractions need to speak the domain vocabulary, closely matching the semantics the domain user uses.

Related articles on queue.acm.org

No Source Code? No Problem!
Peter Phillips, George Phillips
http://queue.acm.org/detail.cfm?id=945155

Languages, Levels, Libraries, and Longevity
John R. Mashey
http://queue.acm.org/detail.cfm?id=1039532

Testable System Administration
Mark Burgess
http://queue.acm.org/detail.cfm?id=1937179

References
1. Ghosh, D. DSLs in Action. Manning Publications, 2010.
2. Odersky, M., Spoon, L., Venners, B. Programming in Scala. Artima, 2010.
3. Fowler, M. Domain-Specific Languages. Addison-Wesley, 2010.
4. Fowler, M. Introducing Domain-Specific Languages. DSL Developer's Conference, 2009; http://msdn.microsoft.com/en-us/data/dd727707.aspx.
5. Scala; http://www.scala-lang.org.
6. Thomas, D., Fowler, C., Hunt, A. Programming Ruby 1.9. Pragmatic Press, 2009.
7. Coplien, J.O. Multiparadigm Design in C++. Addison-Wesley Professional, Reading, PA, 1998.
8. Evans, E. Domain-Driven Design: Tackling Complexity in the Heart of Software. Addison-Wesley Professional, Reading, PA, 2003.

Debasish Ghosh (dghosh@acm.org) is the chief technology evangelist at Anshinsoft, where he specializes in leading delivery of enterprise-scale solutions for clients ranging from small to Fortune 500 companies. He is the author of DSLs in Action (Manning, 2010) and writes a programming blog at http://debasishg.blogspot.com.

© 2011 ACM 0001-0782/11/07 $10.00
doi:10.1145/1965724.1965741

Microsoft's Protocol Documentation Program: Interoperability Testing at Scale

In 2002, Microsoft began the difficult process of verifying much of the technical documentation for its Windows communication protocols. The undertaking came about as a consequence of a consent decree Microsoft entered into with the U.S. Department of Justice and several state attorneys general that called for the company to make available certain client-server communication protocols for third-party licensees. A series of RFC-like technical documents were then written for the relevant Windows client-server and server-server communication protocols, but to ensure interoperability Microsoft needed to verify the accuracy and completeness of those documents. From the start, it was clear this wouldn't be a typical quality assurance (QA) project. First and foremost, a team would be required to test documentation, not software, which is an inversion of the normal QA process; and the documentation in question was extensive, consisting of more than 250 documents—30,000 pages in all. In addition, the compliance deadlines were tight. To succeed, the Microsoft team would have to find an efficient testing methodology, identify the appropriate technology, and train an army of testers—all within a very short period of time.

This case study considers how the
team arrived at an approach to that enormous testing challenge. More specifically, it focuses on one of the testing methodologies used—model-based testing—and the primary challenges that have emerged in adopting that approach for a very large-scale project. Two lead engineers from the Microsoft team and an engineer who played a role in reviewing the Microsoft effort tell the story.

Now with Google, Wolfgang Grieskamp at the time of this project was part of Microsoft's Windows Server and Cloud Interoperability Group (Winterop), the group charged with testing Microsoft's protocol documentation and, more generally, with ensuring that Microsoft's platforms are interoperable with software from the world beyond Microsoft. Previously, Grieskamp was a researcher at Microsoft Research, where he was involved in efforts to develop model-based testing

For this case study, Binder spoke with Kicillof and Grieskamp regarding some of the key challenges they've faced over the course of their large-scale testing effort.

Bob Binder: When you first got involved with the Winterop Team [the group responsible for driving the creation, publication, and QA of the Windows communication protocols], what were some of the key challenges?

Nico Kicillof: The single greatest challenge was that we were faced with testing protocol documentation rather than protocol software. We had prior expertise in testing software, but this project called for us to define some new processes we could use to test more than 30,000 pages of documentation against existing software implementations already released to the world at large, even in some cases where the original developers were no longer with Microsoft. And that meant
plying it to a mission-critical problem between client and server—for ex- IP. What types of challenges have you
and getting a lot of people up to speed ample, how the server should respond encountered in the course of dealing
just as fast as possible—that was really whenever the client sends the wrong with these different underlying stacks?
something. message. Grieskamp: First off, we put the data
Binder: What did these documents One of the challenges for our proj- more or less directly on the wire so we
contain, and what were they intended ect was to make sure the functions per- can just bypass some of those layers.
to convey? formed by Windows servers could also For example, there are some layers in
Grieskamp: They’re actually similar be performed by other servers. Suppose the Windows stack that allow you to
to the RFCs (request for comments) you have a Windows-based server that’s send data over TCP without establish-
used to describe Internet protocol stan- sharing files and a Windows-based cli- ing a direct TCP connection, but we
dards, and they include descriptions ent accessing them. That’s all Micro- chose not to use that. Instead, we talk
of the data messages sent by the pro- soft infrastructure, so they should be directly to the TCP socket to send and
tocol over the wire. They also contain able to talk to each other without any receive messages.
descriptions of the protocol behaviors problems. Tests were performed some That allows us to navigate around
that should surface whenever data is time ago to make sure of that. But now one part of the stack problem. Another
sent—that is, how some internal data suppose the server providing the share issue is that some protocols travel over
states ought to be updated and the se- is running Unix, and a Windows cli- other protocols—just as TCP, for ex-
quence in which that is expected to oc- ent is running in that same constella- ample, usually travels over IP, which in
cur. Toward that end, these documents tion. You still should be able to access turn travels over Ethernet. So what we
follow a pretty strict template, which is the share on the Unix file server in the did to account for that was to assume
to say they have a very regular structure. same way, with the same reliability and a certain componentization in our test-
Binder: How did your testing ap- quality as if it were a Windows-based ing approach. That allows us to test the
proach compare with the techniques file server. In order to accomplish that, protocol just at the level of abstraction
typically used to verify specifications? however, the Unix-based server would we’re concerned with—working on the
Grieskamp: When it comes to testing need to follow the same protocol as the assumption the underlying transport
one of these documents, you end up Windows-based server. That’s where layers in the stack are behaving just as
testing each normative statement con- the challenge tends to get a little more they ought to be. If we weren’t able to
tained in the document. That means interesting. make that assumption, our task would
making sure each testable normative Kicillof: That sets the context for be nearly impossible.
statement conforms to whatever the existing Microsoft implementation for that protocol actually does. So if the document says the server should do X, but you find the actual server implementation does Y, there's obviously a problem.

In our case, for the most part, that would mean we've got a problem in the document, since the implementation—right or wrong—has already been out in the field for some time. That's completely different from the approach typically taken, where you would test the software against the spec before deploying it.

Binder: Generally speaking, a protocol refers to a data-formatting standard and some rules regarding how the messages following those formats ought to be sequenced, but I think the protocols we're talking about here go a little beyond that. In that context, can you explain more about the protocols involved here?

Grieskamp: We're talking about network communication protocols that apply to traffic sent over network connections. Beyond the data packets themselves, those protocols include many rules governing the interactions.

It is saying something about the conditions under which we had to test. In particular, if you're accounting for the fact that the Windows server might eventually be replaced by a Unix server, you have to think in terms of black-box testing. We can't just assume we know how the server is implemented or what its code looks like. Indeed, many of these same tests have been run against non-Microsoft implementations as part of our effort to check for interoperability.

Grieskamp: Besides running these tests internally to make sure the Windows server actually behaves the way our documents say it ought to, we also make those same tests available for PlugFests, where licensees who have implemented comparable servers are invited to run the tests against their servers. The goal there is to achieve interoperability, and the most fundamental way to accomplish that is to initiate tests on a client that can basically be run against any arbitrary server in the network, be it a Windows server, a Unix server, or something else.

Binder: Many of the protocols you've tested use the Microsoft remote procedure call stack—in addition to standard protocols such as SOAP and TCP/IP.

Because of the project's unique constraints, the protocol documentation team needed to find a testing methodology that was an ideal fit for their problem. Early efforts focused on collecting data from real interactions between systems and then filtering that information to compare the behaviors of systems under test with those described in the protocol documentation. The problem with this approach was that it was a bit like boiling the ocean. Astronomical amounts of data had to be collected and sifted through to obtain sufficient information to cover thoroughly all the possible protocol states and behaviors described in the documentation—bearing in mind that this arduous process would then have to be repeated for more than 250 protocols altogether.

Eventually the team, in consultation with the U.S. Technical Committee responsible for overseeing their efforts, began to consider model-based testing. In contrast to traditional forms of testing, model-based testing involves generating automated tests from an accurate model of the system under
test. In this case, the system under test would not be an entire software system but rather just the protocols described in the documentation, meaning the team could focus on modeling the protocols' state and behavior and then target the tests that followed on just those levels of the stack of interest for testing purposes.

A team at Microsoft Research had been experimenting with model-based testing since 2002 and had applied it successfully, albeit on a much smaller scale, to a variety of testing situations—including the testing of protocols for Microsoft's Web Services implementation. In the course of those initial efforts, the Microsoft Research team had already managed to tackle some of the thorniest concerns, such as the handling of nondeterminism. They also had managed to create a testing tool, Spec Explorer, which would prove to be invaluable to the Winterop team.

Binder: Please say a little about how you came to settle on model-based testing as an appropriate testing methodology.

Grieskamp: In looking at the problem from the outset, it was clear it was going to be something huge that required lots of time and resources. Our challenge was to find a smart technology that would help us achieve quality results while also letting us optimize our use of resources. A number of people, including some of the folks on the Technical Committee, suggested model-based testing as a promising technology we should consider. All of that took place before either Nico or I joined the team.

The team then looked around to find some experts in model-based testing, and it turned out we already had a few in Microsoft Research. That led to some discussions about a few test cases in which model-based testing had been employed and the potential the technology might hold for this particular project. One of those test cases had to do with the SMB (Server Message Block) file-sharing protocol. The results were impressive enough to make people think that perhaps we really should move forward with model-based testing. That's when some of us with model-based testing experience ended up being brought over from Microsoft Research to help with the validation effort.

Kicillof: The specific approach to model-based testing we had taken in Microsoft Research was one that proved to be well suited to this particular problem. Using the tool we had created, Spec Explorer, you could produce models of software that specified a set of rules spelling out how the software was expected to behave and how the state was expected to change as a consequence of each potential interaction between the software and its environment. On the basis of that, test cases could then be generated that included not only pre-scripted test sequences but also the oracle, which is a catalog of all the outcomes that might be expected to follow from each step taken.

In this way it was possible to create tests that would allow you to check along the entire sequence to make sure the system was responding in just the ways you expected it to. And that perfectly matches the way communication protocol documents are written, because they're intended to be interpreted as the rules that govern which messages you should expect to receive, as well as the messages that should then be sent in response.

Binder: That implies a lot of interesting things. It's easy enough to say, "We have a model and some support for automating exploration of the model." But how did you manage to obtain that model in the first place? What was the process involved in going through the fairly dense prose in each one of those protocol documents and then translating all that into a model?

Grieskamp: The first step with model-based testing involved extracting normative statements from all those documents. That had to be done manually since it's not something we're yet able to automate—and we won't be able to automate it until computers are able to read and understand natural human language.

The next step involved converting all those normative statements into a "requirement specification," which is a big table where each of the normative statements has been numbered and all its properties have been described. After that followed another manual step in which a model was created that attempted to exercise and then capture all those requirements. This demanded some higher-level means for measuring so you could make sure you had actually managed to account for all the requirements. For your average protocol, we're talking here about something on the order of many hundreds of different requirements. In some cases, you might even have many thousands of requirements, so this is a pretty large-scale undertaking.

But the general idea is to go from the document to the requirements, and from there to either a model or a traditional test design—whichever one is consistent with your overall approach.

Microsoft encountered challenges because of its choice to adopt model-based testing for the project. On the one hand, the technology and methodology Microsoft Research had developed seemed to fit perfectly with the problem of testing protocol documents. On the other hand, it was an immature technology that presented a steep learning curve. Nonetheless, with the support of the Technical Committee, the team decided to move forward with a plan to quickly develop the technology from Microsoft Research into something suitable for a production-testing environment.

Not surprisingly, this did not prove easy. In addition to the ordinary setbacks that might be expected to crop up with any software engineering project on an extremely tight deadline, the Microsoft protocol documentation team faced the challenge of training hundreds of test developers in China and India on the basics of a new, unfamiliar testing methodology.

Even after they had a cadre of well-trained testers in place, many hurdles still remained. While the tool-engineering team faced the pressure of stabilizing and essentially productizing the Spec Explorer software at breakneck speed, the testing team had to start slogging through hundreds of documents, extracting normative statements, building requirements specifications, and constructing models to generate automated test suites. Although Spec Explorer provides a way to automate tests, there still were several important steps in the process that required human judgment.
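The modeling step at the heart of this process can be sketched concretely. The toy below is illustrative only, not Spec Explorer's actual notation: the two-message protocol, its state, and the requirement IDs (R1–R3) are all invented for the example. What it keeps from the process described above is the shape of a rule system — an enabling condition, a state update, an expected response — plus a traceability tag back to a numbered entry in a requirement specification, and a generator that turns the rules into test sequences paired with their oracle.

```python
# Illustrative sketch only: a toy "protocol model" in the spirit of the
# rule systems described above. The protocol and requirement IDs are
# hypothetical; real tooling (Spec Explorer) works quite differently.
from itertools import product

# Each rule: (requirement id, enabling condition, state update, expected reply)
RULES = {
    "CONNECT":    ("R1", lambda s: not s["connected"],
                   lambda s: {**s, "connected": True}, "ACCEPT"),
    "SEND":       ("R2", lambda s: s["connected"],
                   lambda s: {**s, "sent": s["sent"] + 1}, "ACK"),
    "DISCONNECT": ("R3", lambda s: s["connected"],
                   lambda s: {**s, "connected": False}, "BYE"),
}

INITIAL = {"connected": False, "sent": 0}

def generate_tests(depth):
    """Enumerate all message sequences up to `depth`; keep those in which
    every rule is enabled, together with the oracle: the expected reply
    (and the requirement exercised) at every step."""
    tests = []
    for seq in product(RULES, repeat=depth):
        state, oracle = INITIAL, []
        for msg in seq:
            req, guard, update, reply = RULES[msg]
            if not guard(state):          # rule not enabled in this state
                break
            state = update(state)
            oracle.append((msg, reply, req))  # traceability back to the req
        else:
            tests.append(oracle)
    return tests

tests = generate_tests(3)
```

Each generated test is a pre-scripted sequence plus a catalog of expected outcomes, so a run against any server implementation can be checked step by step, and each step can be traced back to the requirement it covers.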
These areas ended up presenting the team with some of its greatest challenges.

Binder: How did you manage to convince yourselves you could take several hundred test developers who had virtually no experience in this area and teach them a fairly esoteric technique for translating words into rule systems?

Grieskamp: That really was the core risk in terms of taking the model-based testing approach. Until recently, model-based testing technology had been thought of as something that could be applied only by experts, even though it has been applied inside Microsoft for years in many different ways.

Many of the concerns about model-based testing have to do with the learning curve involved, which is admittedly a pretty steep one, but it's not a particularly high one. That is, it's a different paradigm that requires a real mental shift, but it's not really all that complex. So it's not as though it's accessible only to engineers with advanced degrees—everybody can do it. But the first time you're confronted with it, things do look a little unusual.

Binder: Why is that? What are some of those key differences people have to get accustomed to?

Kicillof: The basic difference is that a model actually consists of a rule system. So the models we build are made up of rules indicating that under some certain enabling condition, some corresponding update should be performed on state.

From a developer's perspective, however, a program is never just a set of rules. There's a control flow they create and have complete control over. A programmer will know exactly what's to be executed first and what's then supposed to follow according to the inputs received.

What's fortuitous in our case is that we're working from protocol specifications that are themselves sets of rules that let you know, for example, that if you've received message A, then you should update your abstract data model and your internal state in a certain way, after which you should issue message B. It doesn't explain how a protocol flows from that point on. The combination of all those rules is what determines the actual behavior of the protocol. So there was often a direct correspondence between certain statements in each of these technical documents and the kinds of models we've had to build. That's made it really easy to build the models, as well as to check to make sure they've been built correctly according to the statements found in the documents.

Grieskamp: Because this isn't really all that complex, our greatest concern had to do with just getting people used to a new way of thinking. So to get testers past that initial challenge, we counted a lot on getting a good training program in place. That at first involved hiring people to provide the
technology. You know how prototypes are—they crash and you end up having to do workarounds and so forth. We've had a development team working to improve the tool over the past three years, and thousands of fixes have come out of that.

Another potential issue had to do with something that often crops up in model-based testing: a state-explosion problem. Whenever you model—if you naively define some rules to update your state whenever certain conditions are met—the state space can explode. We knew that finding the right way to slice the space would end up being a problem—we had expected that. We actually had already added some things to the tool to deal with that, which is probably one of the reasons the project has proved to be a success.

Kicillof: The secret is to use test purposes as the criterion for slicing.

Binder: With that being only a subset of all the behaviors you would be looking at in some particular use case?

Grieskamp: Right. So that's why it has
to be clear that whenever you're doing some slicing, you're cutting away some of the system potential, which means you may lose some test coverage. That's why this ends up being so challenging. As Nico was saying, however, since the slicing is also closely coupled with your test purposes, you still ought to end up being able to cover all the requirements in your documentation.

Kicillof: Yes, coupling to test purposes is key because if the slicing were done just according to your use cases, only the most common usage patterns of the system might end up being tested. But that's not the case here.

Also, throughout the tool chain, we provide complete traceability between the statements taken from the specification and the steps noted in a test log. We have tools that can tell you whether the way you've decided to slice the model leaves out any requirements you were intending to test. Then at the end you get a report that tells you whether your slicing proved to be excessive or adequate.

By all accounts, the testing project has been extremely successful in helping ensure that Microsoft's protocol documents are of sufficiently high quality to satisfy the company's regulatory obligations related to Windows Client and Windows Server communications. But the effort hasn't stopped there, as much the same approach has been used to test the protocol documentation for Office, SharePoint Server, SQL Server, and Exchange Server.

This work, done with the goal of providing for interoperability with Microsoft's high-volume products, was well suited to the model-based testing technology that was productized to support the court-ordered protocol documentation program. Because projects can be scaled by dividing the work into well-defined units with no cross dependencies, the size of a testing project is limited only by the number of available testers. Because of this scalability, projects can also be completed efficiently, which bodes well for the technology's continued use within Microsoft—and beyond. What's more, Microsoft's protocol documentation testing effort appears to have had a profound effect on the company's overall worldview and engineering culture.

Binder: Within Microsoft, do you see a broader role for the sort of work you're doing? Or does it pretty much just begin and end with compliance to the court decree?

Kicillof: It goes beyond the decree. Increasing the interoperability of our products is a worthy goal in and of itself. We're obviously in a world of heterogeneous technology where customers expect products to interoperate.

That's also changing the way products are developed. In fact, one of our goals is to improve the way protocols are created inside Microsoft. That involves the way we design protocols, the way we document protocols such that third parties can use them to talk to our products, and the way we check to make sure our documentation is correct.

Grieskamp: One aspect of that has to do with the recognition that a more systematic approach to protocol development is needed. For one thing, we currently spend a lot of money on quality assurance, and the fact that we used to create documentation for products after they had already been shipped has much to do with that. So, right there we had an opportunity to save a lot of money.

Specification- or model-driven development is one possible approach for optimizing all of this, and we're already looking into that. The idea is that from each artifact of the development process you can derive documentation, code stubs, and testable specifications that are correct by definition. That way, we won't end up with all these different independently created artifacts that then have to be pieced together after the fact for testing purposes.

For model-based testing in particular, I think this project serves as a powerful proof point of the efficiencies and economies that can be realized using this technology. That's because this is by far the largest undertaking in an industrial setting where, within the same project, both traditional testing methodologies and model-based testing have been used. This has created a rare opportunity to draw some side-by-side comparisons of the two.

We have been carefully measuring various metrics throughout, so we can now show empirically how we managed essentially to double our efficiency by using model-based testing. The ability to actually document that is a really big deal.

Binder: Yes, that's huge.

Grieskamp: There are people in the model-based testing community who have been predicting tenfold gains in efficiency. That might, in fact, be possible if all your users have Ph.D.s or are super adept at model-based testing. But what I think we've been able to show is a significant—albeit less dramatic—improvement with a user population made up of normal people who have no background in model-based testing whatsoever. Also, our numbers include all the ramp-up and education time we had to invest to bring our testers up to speed.

Anyway, after accounting for all that plus the time taken to do a document study and accomplish all kinds of other things, we were able to show a 42% reduction in effort when using the model-based testing approach. I think that ought to prove pretty compelling not just for Microsoft's management but also for a lot of people outside Microsoft.

Related articles on queue.acm.org

Too Darned Big to Test
Keith Stobie
http://queue.acm.org/detail.cfm?id=1046944

Comments are More Important than Code
Jef Raskin
http://queue.acm.org/detail.cfm?id=1053354

Finding Usability Bugs with Automated Tests
Julian Harty
http://queue.acm.org/detail.cfm?id=1925091

Further Reading

1. Grieskamp, W., Kicillof, N., MacDonald, D., Nandan, A., Stobie, K., Wurden, F., Zhang, D. Model-based quality assurance of the SMB2 protocol documentation. In Proceedings of the 8th International Conference on Quality Software (2008).
2. Grieskamp, W., Kicillof, N., MacDonald, D., Stobie, K., Wurden, F., Nandan, A. Model-based quality assurance of Windows protocol documentation. In Proceedings of the 1st International Conference on Software Testing, Verification and Validation (2008).
3. Grieskamp, W., Kicillof, N., Stobie, K., Braberman, V. Model-based quality assurance of protocol documentation: Tools and methodology. Journal of Software Testing, Verification, Validation and Reliability 21 (Mar. 2011), 55–71.
4. Stobie, K., Kicillof, N., Grieskamp, W. Discretizing technical documentation for end-to-end traceability tests. In Proceedings of the 2nd International Conference on Advances in System Testing and Validation Lifecycle (Best Paper Award, 2010).

© 2011 ACM 0001-0782/11/07 $10.00
Algorithmic Composition: Computational Thinking in Music

algorithmic composition from the pre- and post-digital computer age, concentrating, but not exclusively, on how it developed out of the avant-garde Western classical tradition in the second half of the 20th century. This survey is more illustrative than all-inclusive, presenting examples of particular techniques and some of the music that has been produced with them.

A Brief History

Models of musical process are arguably natural to human musical activity. Listening involves both the enjoyment of the sensual sonic experience and the setting up of expectations and possibilities of what is to come; musicologist Erik Christensen described it as follows: "Retention in short-term
memory permits the experience of coherent musical entities, comparison with other events in the musical flow, conscious or subconscious comparison with previous musical experience stored in long-term memory, and the continuous formation of expectations of coming musical events."9

This second active part of musical listening is what gives rise to the possibility and development of musical form; composer György Ligeti wrote, "Because we spontaneously compare any new feature appearing in consciousness with the features already experienced, and from this comparison draw conclusions about coming features, we pass through the musical edifice as if its construction were present in its totality. The interaction of association, abstraction, memory, and prediction is the prerequisite for the formation of the web of relations that renders the conception of musical form possible."30

For centuries, composers have taken advantage of this property of music cognition to formalize compositional structure. We cannot, of course, conflate formal planning with algorithmic techniques, but that the former should lead to the latter was, as I argue here, an historical inevitability.

Around 1026, Guido d'Arezzo (the inventor of staff notation) developed a formal technique to set a text to music. A pitch was assigned to each vowel so the melody varied according to the vowels in the text.22 The 14th and 15th centuries saw development of the quasi-algorithmic isorhythmic technique, where rhythmic cycles (talea) are repeated, often with melodic cycles (color) of the same or differing lengths, potentially, though not generally in practice, leading to very long forms before the beginnings of a rhythmic and melodic repeat coincide. Across ages and cultures, repetition, and therefore memory (of short motifs, longer themes, and whole sections), is central to the development of musical form. In the Western context, this repetition is seen in various guises, including the Classical rondo (with section structures such as ABACA); the Baroque fugue; and the Classical sonata form, with its return not just of themes but to tonality, too.

Compositions based on number ratios are also found throughout Western musical history; for example, Guillaume Dufay's (1400–1474) isorhythmic motet Nuper Rosarum Flores, written for the consecration of Florence Cathedral, March 25, 1436. The temporal structure of the motet is based on the ratios 6:4:2:3, these being the proportions of the nave, the crossing, the apse, and the height of the arch of the cathedral. A subject of much debate is how far the use of proportional systems was conscious on the part of various composers, especially with regard to Fibonacci numbers and the Golden Section.d Evidence of Fibonacci relationships has been found in, for instance, the music of Bach,32 Schubert,19 and Bartók,27 as well as in various other works of the 20th century.25

Mozart is thought to have used algorithmic techniques explicitly at least once. His Musikalisches Würfelspiel ("Musical Dice")e uses musical fragments that are to be combined randomly according to dice throws (see Figure 1). Such formalization procedures are well known, though perhaps not quite as well as legend would have it,b and can lead to startlingly original results.

Figure 1. First part of Mozart's Musikalisches Würfelspiel ("Musical Dice"): Letters over columns refer to eight parts of a waltz; numbers to the left of rows indicate possible values of two thrown dice; and numbers in the matrix refer to bar numbers of four pages of musical fragments combined to create the algorithmic waltz.

      A    B    C    D    E    F    G    H
 2   96   22  141   41  105  122   11   30
 3   32    6  128   63  146   46  134   81
 4   69   95  158   13  153   55  110   24
 5   40   17  113   85  161    2  159  100
 6  148   74  163   45   80   97   36  107
 7  104  157   27  167  154   68  118   91
 8  152   60  171   53   99  133   21  127
 9  119   84  114   50  140   86  169   94
10   98  142   42  156   75  129   62  123
11    3   87  165   61  135   47  147   33
12   54  130   10  103   28   37  106    5

Figure 2. Part of an advertisement for The Geniac Electric Brain, a DIY music-computer kit.

d Fibonacci was an Italian mathematician (c.1170–c.1250) for whom the famous number series is named. This is a simple progression where successive numbers are the sum of the previous two: (0), 1, 1, 2, 3, 5, 8, 13, 21... Ascending the sequence, the ratio of two adjacent numbers gets closer to the so-called Golden Ratio (approximately 1:1.618).
e Attributed to Mozart though not officially authenticated despite being designated K. Anh. 294d in the Köchel Catalogue of his works.
designs and space exploration, and several films."16 It premiered at the University of Illinois, Urbana-Champaign, in 1969. Summarizing perspicaciously an essential difference between traditional and computer-assisted composition, Cage said in an interview during the composition of HPSCHD, "Formerly, when one worked alone, at a given point a decision was made, and one went in one direction rather than another; whereas, in the case of working with another person and with computer facilities, the need to work as though decisions were scarce—as though you had to limit yourself to one idea—is no longer pressing. It's a change from the influences of scarcity or economy to the influences of abundance and—I'd be willing to say—waste."3

Algorithmic composition is often viewed as a sideline in contemporary musical activity, as opposed to a logical application and incorporation of compositional technique into the digital domain.

Stochastic versus deterministic procedures. A basic historical division in the world of algorithmic composition is between indeterminate and determinate models, or those that use stochastic/random procedures (such as Markov chains) and those where results are fixed by the algorithms and remain unchanged no matter how often the algorithms are run. Examples of the latter are cellular automata (though they can be deterministic or stochastic34); Lindenmayer Systems (see the section on the deterministic versus stochastic debate in this context); Charles Ames's constrained search algorithms for selecting material properties against a series of constraints1; and the compositions of David Cope that use his Experiments in Musical Intelligence system.10 The latter is based on the concept of "recombinacy," where new music is created from existing works, thus allowing the recreation of music in the style of various classical composers, to the shock and delight of many.

Xenakis. Known primarily for his instrumental compositions but also as an engineer and architect, Iannis Xenakis was a pioneer of algorithmic composition and computer music. Using language typical of the sci-fi age, he wrote, "With the aid of electronic computers, the composer becomes a sort of pilot: he presses buttons, introduces coordinates, and supervises the controls of a cosmic vessel sailing in the space of sound, across sonic constellations and galaxies that he could formerly glimpse only in a distant dream."40

Xenakis's approach, which led to the Stochastic Music Programme (henceforth SMP) and radically new pieces (such as Pithoprakta, 1956), used formulae originally developed by scientists to explain the behavior of gas particles (Maxwell's and Boltzmann's Kinetic Theory of Gases).31 He saw his stochastic compositions as clouds of sound, with individual notesj as the analogue of gas particles. The choice and distribution of notes was determined by procedures involving random choice and probability tables weighing the occurrence of specific events against those of others. Xenakis created several works with SMP, often more than one with the output of a single computer batch process,k probably due to limited access to the IBM 7090 he used. His Eonta (1963–1964) for two trumpets, three tenor trombones, and piano was composed with SMP. The program was applied in particular to the creation of the massively complex opening piano solo.
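The "cloud of sound" idea can be caricatured in a few lines. The sketch below is only a toy in the spirit of the description above, not Xenakis's actual SMP: inter-onset times are drawn from an exponential distribution (the same family used to describe gaps between gas-particle collisions), and pitches come from a hand-made probability table; every number in it is invented purely for illustration.

```python
# A toy "stochastic cloud": notes scattered in time by an exponential
# distribution, pitches drawn from a weighted probability table. This is
# an illustration of the idea only, not Xenakis's Stochastic Music
# Programme; all parameters here are invented.
import random

def cloud(n_notes, density, pitch_table, seed=0):
    """Return (onset, pitch) pairs: exponential inter-onset gaps with mean
    1/density seconds, pitches sampled by the table's weights."""
    rng = random.Random(seed)
    pitches, weights = zip(*pitch_table.items())
    t, notes = 0.0, []
    for _ in range(n_notes):
        t += rng.expovariate(density)  # next onset, mean gap = 1/density
        notes.append((t, rng.choices(pitches, weights)[0]))
    return notes

# Weighted table (MIDI pitch numbers): low notes rare, middle notes common.
table = {48: 1, 60: 4, 64: 3, 67: 2}
notes = cloud(100, density=8.0, pitch_table=table, seed=1)
```

Varying the density and the weights over time is what shapes such a cloud; in SMP the analogous decisions were driven by Xenakis's probability tables.

Figure 3. Simple L-System rules.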
1 → 23
2 → 13
3 → 21

Figure 4. Step-by-step generation of results from simple L-System rules and a seed.

Figure 5. Larger result set from simple L-System rules.

2 3 2 1 1 3 2 3 2 3 2 1 1 3 2 1 1 3 2 1 1 3 2 3 2 3 2
1 1 3 2 3 2 3 2 1 1 3 2 3 2 3 2 1 1 3 2 1 1 3 2 1 1 3
2 3 2 3 2 1 1 3 2 1 1 3 2 1 1 3 2 3 2 3 2 1 1 3 2 1 1
3 2 1 1 3 2 3 2 3 2 1 1 3 2 3 2 3 2 1 1 3 2 3 2 3 2 1

Like another algorithmic composition and computer-music pioneer, Gottfried Michael Koenig (1926–), Xenakis had no compunction adapting the output of his algorithms as he saw fit. Regarding Atrées (1962), Xenakis's biographer Nouritza Matossian claims Xenakis used "75% computer material, composing the remainder himself."31 At least in Koenig's Projekt 1 (1964),l Koenig saw transcription (from computer output to musical score) as an important part of the process of algorithmic composition, writing, "Neither the histograms nor the connection algorithm
contains any hints about the envisaged, 'unfolded' score, which consists of instructions for dividing the labor of the production changes mode, that is, the division into performance parts. The histogram, unfolded to reveal the individual time and parameter values, has to be split up into voices."24

Hiller, on the other hand, believed that if the output of the algorithm is deemed insufficient, then the program should be modified and the output regenerated.34 Several programs that facilitate algorithmic composition include direct connection to their own or to third-party computer sound generation.m This connection obviates the need for transcription and even hinders this arguably fruitful intervention. Furthermore, such systems allow the traditional or even conceptual score to be redundant. Thus algorithmic composition techniques allow a fluid and unified relationship between macrostructural musical form and microstructural sound synthesis/processing, as evidenced again by Xenakis in his Dynamic Stochastic Synthesis program Gendy3 (1992).40

More current examples. Contemporary (late 20th century) techniques tend to be hybrids of deterministic and stochastic approaches. Systems using techniques from artificial intelligence (AI) and/or linguistics are the generative-grammarn-based Bol Processor software4 and expert systems (such as Kemal Ebcioglu's CHORAL11). Other statistical approaches that use, say, Hidden Markov Models (as in Jordanous and Smaill20) tend to need a significant amount of data to train the system; they therefore rely on and generate pastiche copies of the music of a particular composer (that must be codified in machine-readable form) or historical style. While naturally significant to AI research, linguistics, and computer science, such systems tend to be of limited use to composers writing music in a modern and personal style that perhaps resists codification because of its notational and sonic complexity and, more simply, its lack of sufficient and stylistically consistent data—the so-called sparse-data problem. But this is also to some extent indicative of the general difficulty of modeling language and human cognition; the software codification of the workings of a spoken language understood by many and reasonably standardized is one thing; the codification of the quickly developing and widely divergent field of contemporary music is another thing altogether. Thus we can witness a division between composers concerned with creating new music with personalized systems and researchers interested in developing systems for machine learning and AI. The latter may quite understandably find it more useful to generate music in well-known styles not only because there is extant data but also because familiarity of material simplifies some aspects of the assessment of results. Naturally though, more collaboration between composers and researchers could lead to fruitful, aesthetically progressive results.

Outside academia. Application of algorithmic-composition techniques is not restricted to academia or to the classical avant garde. Pop/ambient musician Brian Eno (1948–) is known for his admiration and use of generative systems in Music for Airports (1978) and other pieces. Eno was inspired by the American minimalists, in particular Steve Reich (1936–) and his tape piece It's Gonna Rain (1965). This is not computer music but process music, whereby a system is devised—usually repetitive in the case of the minimalists—and allowed to run, generating music in the form of notation or electronic sound. Eno said about his Discreet Music (1975), "Since I have always preferred making plans to executing them, I have gravitated towards situations and systems that, once set into operation, could create music with little or no intervention on my part. That is to say, I tend towards the roles of planner and programmer, and then become an audience to the results."18

Improvisation systems. Algorithmic composition techniques are, then, clearly not limited to music of a certain aesthetic or stylistic persuasion. Nor are they limited to a completely fixed view of composition, where all the pitches and rhythms are set down in advance. George Lewis's Voyager is a work for human improvisors and "computer-driven, interactive 'virtual improvising orchestra.'"29 Its roots are, according to Lewis, in the African-American tradition of multi-dominance, described by him (borrowing from Jeff Donaldson) as involving multiple simultaneous structural streams, these being in the case of Voyager at "both the logical structure of the software and its performance articulation."29 Lewis programmed Voyager in the Forth language popular with computer musicians in the 1980s. Though in Voyager the computer is used to analyze and respond to a human improviser, such input is not essential for the program to generate music (via MIDIo). Lewis wrote, "I conceive a performance of Voyager as multiple parallel streams of music generation, emanating from both the computers and the humans—a nonhierarchical, improvisational, subject-subject model of discourse, rather than a stimulus/response setup."29 A related improvisation system, OMAX, from the Institut de Recherche et Coordination Acoustique/Musique in Paris, is

l Written to test the rules of serial music but involving random decisions.23
m Especially modern examples (such as Common Music, Pure Data, and SuperCollider).
n Such systems are generally inspired by Chomsky's grammar models8 and Lerdahl's and Jackendorff's applications of such approaches to generative music theory.28
o Musical Instrument Digital Interface, or MIDI, the standard music-industry protocol for interconnecting electronic instruments and related devices.

Figure 6. Fibonacci-based transition from material 0 to material 1. Note the first
available within the now more widely appearance of 1 is at position 13, with the next eight positions after that, the next again
used computer-music systems Max/ five positions after that, and so on; all these numbers are so-called Fibonacci numbers.
MSP and Open-Music. OMAX uses AI-
based machine-learning techniques
to parse incoming musical data from 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 0
0 1 0 0 1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 1 1 0 1 1 0 1 1 1 1 0 1 1
human musicians, then the results of
1 1 1 1 1 1
analysis to generate new material in
an improvisatory context.2
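A transition of this kind is straightforward to generate in code. The following Python fragment is my own illustration, not the author's software: the exact gap sequence and the mirrored second half are assumptions, but it reproduces the figure's basic idea of material 1 arriving at intervals that descend through the Fibonacci numbers before taking over entirely.

```python
def fib_transition(gaps=(13, 8, 5, 3, 2, 1)):
    """Sketch: fade from material 0 to material 1.

    First half: 1s appear among the 0s at shrinking Fibonacci gaps.
    Second half: the mirror image, with the 0s thinning out.
    """
    seq = []
    for gap in gaps:                 # 1s arriving among the 0s
        seq.extend([0] * (gap - 1) + [1])
    for gap in reversed(gaps):       # 0s dying out among the 1s
        seq.extend([1] * (gap - 1) + [0])
    return seq + [1] * 6             # settle on material 1

sequence = fib_transition()
```

As in Figure 6, the first 1 falls at position 13 (index 12) and the next one eight positions later; mapped onto two contrasting musical materials, the same interpolation governs a gradual formal transition.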
slippery chicken. In my own case, work on the specialized algorithmic composition program slippery chicken13 has been ongoing since 2000. Written in Common Lisp and its object-oriented extension, the Common Lisp Object System, it is mainly deterministic but also has stochastic elements. It has been used to create musical structure for pieces since its inception and is now at the stage where it can generate, in a single pass, complete musical scores for traditional instruments, or with the same data write sound files using samples[p] or MIDI-file realizations of the instrumental score.[q] The project's main aim is to facilitate a melding of electronic and instrumental sound worlds, not just at the sonic but at the structural level. Hence certain processes common in one medium (such as audio slicing and looping) are transferred to another (such as the slicing up of notated musical phrases and the instigation of sub-phrase loops). Also offered are techniques for the innovative combination of rhythmic and pitch data, which is, in my opinion, one of the most difficult aspects of making convincing musical algorithms.

Figure 7. Extract beginning bar 293 of the author's Tramontana for viola and computer.

Figure 8. Foreground melodic pattern (scale steps) of Désordre.26

Right hand (white notes), 26 notes, 14 bars
Phrase a:  0 0 1 0 2 1 -1
Phrase a': -1 -1 2 1 3 2 -2
Phrase b:  2 2 4 3 5 4 -1 0 3 2 6 5

Left hand (black notes), 33 notes, 18 bars
Phrase a:  0 0 1 0 2 2 0
Phrase a': 1 1 2 1 -2 -2 -1
Phrase b:  1 1 2 2 0 -1 -4 -3 0 -1 3 2 1 -1 0 -3 -2 -3 -5

Lindenmayer systems. Like writing a paper, composing music, especially with computer-based algorithms, is most often an iterative process. Material is first set down in raw form, only to be edited, developed, and reworked over several passes before the final refined form is achieved. For the composer, stochastic procedures, if not simply to be used to generate material to be reworked by hand or in some other fashion, present particular problems. If an alteration of the algorithm is deemed necessary, no matter how small, then rerunning the procedure is essential. But rerunning will generate a different set of randomly controlled results, perhaps now lacking some characteristics the composer deemed musically significant after the first pass.[r]

Deterministic procedures can be more apposite—for instance, Lindenmayer systems[s] (henceforth L-systems), whose simplicity and elegance, yet resulting self-similarity, make them ideal for composition. Take a simple example, where a set of rules is defined that associates a key with a result of two further keys, which in turn form indices for an arbitrary number of iterations of key substitution (see Figure 3). Given a starting seed for the lookup and substitution procedure (or rewriting, as it is more generally known), an infinite number of results can be generated (see Figure 4). Self-similarity is clear when larger result sets are produced; see Figure 5, noting the repetitions of sequences (such as 2 1 1 3 and 2 3 2 3). These numbers can be applied to any musical parameter or material, including pitch, rhythm, dynamic, phrase, and harmony. Seen musically, the results of such simple L-systems tend toward stasis in that only results that are part of the original rules are returned, and all results are present throughout the returned sequence. However, the result is dependent on the rules defined: subtle manipulations of more complex/numerous rules can result in musically interesting developments. For instance, composers have used more finessed L-systems—where the result

p. Samples are usually short digital sound files of an individual or arbitrary number of notes/sonic events.
q. To accomplish this, the software interfaces with parts of the open-source software systems Common Music, Common Lisp Music, and Common Music Notation, all freely available from http://ccrma.stanford.edu/software.
r. This is a simplistic description. Most stochastic procedures involve the encapsulation of various tendencies over arbitrarily large data sets, the random details of which are insignificant compared to the structure of the whole. Still, some details may take on more musical importance than intended, and losing them may detrimentally affect the composition. The composer could avoid such problems by using a random number generator with a fixed and stored seed, guaranteeing the pseudo-random numbers are generated in the same order each time the process is restarted. Better still would be to modify the algorithm to take these salient, though originally unforeseen, features into account.
s. Named for biologist Aristid Lindenmayer (1925–1989), who developed this system (or formal language, based on grammars by Noam Chomsky33) that can model various natural-growth processes (such as those of plants).
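The lookup-and-substitution idea can be sketched in a few lines of Python. The rule set below is invented for illustration (the article's Figures 3–5 are not reproduced in this excerpt); each key maps to two further keys, and the rewriting is fully deterministic, so rerunning it always yields the same sequence—the property that distinguishes it from the stochastic procedures discussed above.

```python
def rewrite(seq, rules, iterations):
    """L-system rewriting: replace every key in the sequence with
    the pair of keys its rule maps it to, `iterations` times."""
    for _ in range(iterations):
        seq = [k for key in seq for k in rules[key]]
    return seq

# Hypothetical rule set in the spirit of Figure 3: key -> (key, key).
RULES = {1: (2, 1), 2: (1, 3), 3: (3, 2)}

result = rewrite([1], RULES, 4)   # seed 1, four rewriting passes
```

Because each key expands to exactly two keys, the result doubles in length on every pass, and self-similar subsequences of the kind noted in Figure 5 recur as the sequence grows; the resulting stream of keys can then index pitch, rhythm, or any other musical parameter.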
64 co mm unicati on s o f th e acm | j u ly 2 0 1 1 | vo l . 5 4 | n o. 7
contributed articles
yet beautifully elegant in effect, where the clearly deterministic algorithmic thinking lends itself quite naturally to software implementation;

Algorithmic composition. Ligeti was a major composer, admired by experts and non-experts alike, and is generally not associated with algorithmic composition; indeed, Désordre was almost certainly composed "algorithmically" by hand, with pencil and paper, as opposed to at a computer keyboard. As such, Désordre illustrates the clear link in the history of composition to algorithmic/computational thinking, bringing algorithmic composition into mainstream musical focus; and

Algorithmic models. I have implemented algorithmic models of the first part of Désordre in the open-source software system Pure Data, which, along with the following discussion, is based on analyses by Tobias Kunze,26 used here with permission, and Hartmut Kinzler.21 It is freely downloadable from my Web site (http://www.michael-edwards.org/software/desordre.zip12); tinkering with the initial data states is instructive and fun.

Désordre's algorithms. The main argument of Désordre consists of foreground and background textures:

Foreground (accented, loud). Two simultaneous instances of the same basic process, melodic/rhythmic, one in each hand, both doubled at the octave, in white-note (right hand) and black-note[w] (pentatonic, left hand) modes; and

Background (quiet). Continuous, generally rising quaver (eighth-note) pulse notes, centered between the foreground octaves, one in each hand, in the same mode as the foreground hand.

In the first part of the piece the basic foreground process consists of a melodic pattern cycle consisting of the scale-step shape in Figure 8. This cycle is stated on successively higher (right hand, 14 times, one diatonic step of transposition) and lower (left hand, 11 times, two diatonic steps of transposition) degrees. Thus a global, long-term movement is created from the middle of the piano outward, to the high and low extremes.

The foreground rhythmic process consists of slower-moving, irregular combinations of quaver multiples that tend to reduce in duration over the melodic cycle repeats to create an acceleration toward continuous quaver pulses (see Figure 9).

The similarity between the two hands' foreground rhythmic structure is obvious, but the duration of seven quavers in the right hand at the end of cycle 1a, as opposed to eight in the left, makes for the clearly audible decoupling of the two parts. This is the beginning of the process of disorder, or chaos, and is reflected in the unsynchronized bar lines of the score starting at this point (see Figure 10).

w. White and black here refer to the color of the keys on the modern piano.

Figure 9. Foreground rhythmic pattern (quaver/eighth-note durations) of Désordre.26
right hand, cycle 1, a: 3 5 3 5 5 3 7
left hand, cycle 1, a: 3 5 3 5 5 3 8
[Remaining rows of the table—phrases a' and b of cycle 1, and cycles 2–5 for both hands—omitted.]

Figure 10. Désordre. First system of score © 1986 Schott Music GmbH & Co. KG, Mainz, Germany. Reproduced by permission. All rights reserved.

In Désordre we experience a clear, compelling, yet not entirely predictable musical development of rhythmic acceleration coupled with a movement from the middle piano register to the extremes of high and low, all expressed through two related and repeating melodic cycles with slightly differing lengths, resulting in a combination that dislocates and leads to metrical disorder. I invite the reader to investigate this in more detail by downloading my software implementation.12

Conclusion

There has been (and still is) considerable resistance to algorithmic composition from all sides, from musicians to the general public. This resistance bears comparison to the reception of the supposedly overly mathematical serial approach introduced by the composers of the Second Viennese School of the 1920s and 1930s. Alongside the techniques of other music composed from the beginning of the 20th century onward, the serial principle itself is frequently considered to be the reason the music—so-called modern music, though now close to 100 years old—may not appeal. I propose that a more enlightened approach to the arts in general, especially those that present a challenge, would be a more inward-looking examination of the individual response, a deferral of judgment, and an acknowledgment that, first and foremost, a lack of familiarity with the style and content may lead to a neutral or negative audience
response. Only after further investigation and familiarization can deficiencies in the work be considered.[x]

Algorithmic composition is often viewed as a sideline in contemporary musical activity, as opposed to a logical application and incorporation of compositional technique into the digital domain. Without wishing to imply that instrumental composition is in a general state of stagnation, if the computer is the universal tool, there is surely no doubt that not applying it to composition would be, if not exactly an example of Luddism, then at least to risk missing important aesthetic developments that only the computer can facilitate, and that other artistic fields already take advantage of. That algorithmic thinking has been present in Western composition for at least 1,000 years is established. That such thinking should lend itself to formalization in software algorithms was inevitable.

However, Hiller's work and 1959 Scientific American article17 led to much controversy and press attention. Hostility to his achievements[y] was such that the Grove Dictionary of Music and Musicians[z] did not include an article on it until shortly before his death in 1994. This hostility arose no doubt more from a misperception of compositional practice than from anything intrinsic to Hiller's work.

Much of the resistance to algorithmic composition that persists to this day stems from the misguided bias that the computer, not the composer, composes the music. In the vast majority of cases, where the composer is also the programmer, this is simply not true. As composer and computer musician Curtis Roads pointed out more than 15 years ago, it takes a good composer to design algorithms that result in music that captures the imagination.34

Furthermore, using algorithmic-composition techniques does not by necessity imply less composition work or a shortcut to musical results; rather, it is a change of focus from note-to-note composition to a top-down formalization of compositional process. Composition is, in fact, often slowed by the requirement that musical ideas be expressed and their characteristics encapsulated in a highly structured and non-musical general programming language. Learning the discipline of programming is itself a time-consuming and, for some composers, insurmountable problem.

Perhaps counterintuitively, such formalization of personal composition technique allows the composer to proceed from concrete musical or abstract formal ideas into realms hitherto unimagined, sometimes impossible to achieve through any means other than computer software. As composer Helmut Lachenmann wrote, "A composer who knows exactly what he wants, wants only what he knows—and that is one way or another too little."35 The computer can help composers overcome recreating what they already know by aiding more thorough investigations of the material; once procedures are programmed, modifications and manipulations are simpler than with pencil and paper. By "pressing buttons, introducing coordinates, and supervising the controls," to quote Xenakis again,40 the composer is able to stand back and develop compositional material en masse, applying procedures and assessing, rejecting, accepting, or further processing results of an often-surprising nature. Algorithmic composition techniques clearly further individual musical and compositional development through computer-programming-enabled voyages of musical discovery.

x. To paraphrase Ludger Brümmer, from information theory we know that new information is perceived as chaotic or interesting but not expressive. New information must be structured before it can be understood, and, in the case of aesthetic experience, this structuring involves comparison to an ideal, or an established notion of beauty.7
y. Concerning the reaction to The Illiac Suite, Hiller said, "There was a great [deal] of hostility, certainly in the musical world... I was immediately pigeonholed as an ex-chemist who had bungled into writing music and probably wouldn't know how to resolve a dominant seventh chord"; interview with Vincent Plush, 1983.5
z. The Grove is the English-speaking world's most widely used and arguably most authoritative musicological resource.

References
1. Ames, C. Stylistic automata in Gradient. Computer Music Journal 7, 4 (1983), 45–56.
2. Assayag, G., Bloch, G., Chemillier, M., Cont, A., and Dubnov, S. OMax brothers: A dynamic topology of agents for improvization learning. In Proceedings of the First ACM Workshop on Audio and Music Computing Multimedia (Santa Barbara, CA). ACM Press, New York, 2006, 125–132.
3. Austin, L., Cage, J., and Hiller, L. An interview with John Cage and Lejaren Hiller. Computer Music Journal 16, 4 (1992), 15–29.
4. Bel, B. Migrating musical concepts: An overview of the Bol processor. Computer Music Journal 22, 2 (1998), 56–64.
5. Bewley, J. Lejaren A. Hiller: Computer Music Pioneer. Music Library Exhibit, University of Buffalo, 2004; http://library.buffalo.edu/libraries/units/music/exhibits/hillerexhibitsummary.pdf
6. Boulez, P. Schönberg est mort. Score 6 (Feb. 1952), 18–22.
7. Brümmer, L. Using a digital synthesis language in composition. Computer Music Journal 18, 4 (1994), 35–46.
8. Chomsky, N. Syntactic Structures. Mouton, The Hague, 1957.
9. Christensen, E. The Musical Timespace, a Theory of Music Listening. Aalborg University Press, Aalborg, Denmark, 1996.
10. Cope, D. Experiments in Musical Intelligence. A-R Editions, Madison, WI, 1996.
11. Ebcioglu, K. An expert system for harmonizing four-part chorales. Computer Music Journal 12, 3 (1988), 43–51.
12. Edwards, M. A Pure Data implementation of Ligeti's Désordre. Open-source music software; http://www.michael-edwards.org/software/desordre.zip
13. Edwards, M. slippery chicken: A Specialized Algorithmic Composition Program. Unpublished object-oriented Common Lisp software; http://www.michael-edwards.org/slippery-chicken
14. Edwards, M. Tramontana. Sheet music, Sumtone, 2004; http://www.sumtone.com/work.php?workid=101
15. Eisen, C. and Keefe, S.P., Eds. The Cambridge Mozart Encyclopedia. Cambridge University Press, Cambridge, England, 2006.
16. The Electronic Music Foundation. HPSCHD; http://emfinstitute.emf.org/exhibits/hpschd.html
17. Hiller, L. Computer music. Scientific American 201, 6 (Dec. 1959), 109–120.
18. Holmes, T. Electronic and Experimental Music. Taylor & Francis Ltd, London, 2003.
19. Howat, R. Architecture as drama in late Schubert. In Schubert Studies, B. Newbould, Ed. Ashgate Press, London, 1998, 168–192.
20. Jordanous, A. and Smaill, A. Investigating the role of score following in automatic musical accompaniment. Journal of New Music Research 38, 2 (2009), 197–209.
21. Kinzler, H. and Ligeti, G. Decision and automatism in Désordre: 1er étude, premier livre. Interface, Journal of New Music Research 20, 2 (1991), 89–124.
22. Kirchmeyer, H. On the historical construction of rationalistic music. Die Reihe 8 (1962), 11–29.
23. Koenig, G.M. Project 1; http://home.planet.nl/gkoenig/indexe.htm
24. Koenig, G.M. Aesthetic integration of computer-composed scores. Computer Music Journal 7, 4 (1983), 27–32.
25. Kramer, J. The Fibonacci series in 20th-century music. Journal of Music Theory 17 (1973), 111–148.
26. Kunze, T. Désordre (unpublished article); http://www.fictive.com/t/pbl/1999desordre/ligeti.html
27. Lendvai, E. Béla Bartók: An Analysis of His Music. Kahn & Averill, London, 1971.
28. Lerdahl, F. and Jackendoff, R. A Generative Theory of Tonal Music. MIT Press, Cambridge, MA, 1983.
29. Lewis, G. Too many notes: Computers, complexity, and culture in Voyager. Leonardo Music Journal 10 (2000), 33–39.
30. Ligeti, G. Über Form in der neuen Musik. Darmstädter Beiträge zur neuen Musik 10 (1966), 23–35.
31. Matossian, N. Xenakis. Kahn & Averill, London, 1986.
32. Norden, H. Proportions in music. Fibonacci Quarterly 2, 3 (1964), 219–222.
33. Prusinkiewicz, P. and Lindenmayer, A. The Algorithmic Beauty of Plants. Springer-Verlag, New York, 1990.
34. Roads, C. The Computer Music Tutorial. MIT Press, Cambridge, MA, 1996.
35. Ryan, D. and Lachenmann, H. Composer in interview: Helmut Lachenmann. Tempo 210 (1999), 20–24.
36. Sowa, J. A Machine to Compose Music: Instruction Manual for GENIAC. Oliver Garfield Co., New Haven, CT, 1956.
37. Steinitz, R. Music, maths & chaos. Musical Times 137, 1837 (Mar. 1996), 14–20.
38. Supper, M. A few remarks on algorithmic composition. Computer Music Journal 25, 1 (2001), 48–53.
39. Winkler, G.E. Hybrid II: Networks. CD recording, 2003. Sumtone cd1: stryngebite; http://www.sumtone.com/recording.php?id=17
40. Xenakis, I. Formalized Music. Pendragon, Hillsdale, NY, 1992.

Michael Edwards (michael.edwards@ed.ac.uk) is a Reader in Music Technology in the School of Arts, Culture and Environment of the University of Edinburgh, Edinburgh, U.K.

© 2011 ACM 0001-0782/11/07 $10.00
A Decade of Software Model Checking with SLAM

key insights
• Even though programs have many states, it is possible to construct an abstraction of a program fine enough to represent parts of a program relevant to an API usage rule and coarse enough for a model checker to explore all the states.
• SLAM showed that such abstractions can be constructed automatically for real-world programs, becoming the basis of Microsoft's Static Driver Verifier tool.

Large-scale software development is a notoriously difficult problem. Software is built in layers, and APIs are exposed by each layer to its clients. APIs come with usage rules, and clients must satisfy them while using the APIs. Violations of API rules can cause runtime errors. Thus, it is useful to consider whether API rules can be formally documented so programs using the APIs can be checked at compile time for compliance. Simple rules can be checked by compilers. However, certain rules involve hidden state; for example, consider the rule that the acquire method and release method of a

time have a very low false-error rate. To scale the SLAM engine, we constructed abstractions that retain only information about certain predicates related to the property being checked. To reduce false errors, we refined abstractions automatically using counterexamples from the model checker. Constructing and refining abstractions for scaling model checking has been known for more than 15 years; Kurshan35 is the earliest reference we know.

SLAM automated the process of abstraction and refinement with counterexamples for programs written in common programming languages (such as C) by introducing new techniques to handle programming-language constructs (such as pointers, procedure calls, and scoping constructs for variables).2,4–8 Independently and simultaneously with our work, Clarke et al.17 automated abstraction and refinement with counterexamples in the context of hardware, coining the term "counterexample-guided abstraction refinement," or CEGAR, which we use to refer to this technique throughout
this article. The automation of CEGAR for software is technically more intricate, since software, unlike hardware, is infinite-state, and programming languages have more expressive and complex features than hardware-description languages. Programming languages allow procedures with unbounded call stacks (handled by SLAM using pushdown model-checking techniques), scoping of variables (exploited by SLAM for efficiency), and pointers allowing the same memory to be aliased by different variables (handled by SLAM using pointer-alias-analysis techniques).

We also identified a "killer app" for SLAM—checking if Windows device drivers satisfy driver API usage rules. We wrapped SLAM with a set of rules specific to the Windows driver API and a tool chain to enable push-button validation of Windows drivers, resulting in a tool called Static Driver Verifier, or SDV. Such tools are strategically important for the Windows device ecosystem, which encourages and relies on hardware vendors making devices and writing Windows device drivers while requiring vendors to provide evidence that the devices and drivers perform acceptably. Because many drivers use the same Windows-driver API, the cost of manually specifying the API rules and writing them down is amortized over the value obtained by checking the same rules over many device drivers.

Here, we offer a 10-year retrospective of SLAM and SDV, including a self-contained overview of SLAM, our experience taking SLAM to a full-fledged SDV product, a description of how we built and deployed SDV, and results obtained from the use of SDV.

SLAM
Initially, we coined the label SLAM as an acronym for "software (specifications), programming languages, abstraction, and model checking." Over time, we used SLAM more as a forceful verb; to "SLAM" a program is to exhaustively explore its paths and eliminate its errors. We also designed the "Specification Language for Interface Checking," or SLIC,9 to specify stateful API rules and created the SLAM tool as a flexible verifier to check if code that uses the API follows the SLIC rules. We wanted to build a verifier covering all possible behaviors of the program while checking the rule, as opposed to a testing tool that checks the rule on a subset of behaviors covered by the test.

In order for the solution to scale while covering all possible behaviors, we introduced Boolean programs. Boolean programs are like C programs in the sense that they have all the control constructs of C programs—sequencing, conditionals, loops, and procedure calls—but allow only Boolean variables (with local, as well as global, scope). Boolean programs made sense as an abstraction for device drivers because we found that most of the API rules drivers must follow tend to be control-dominated, and so can be checked by modeling control flow in the program accurately while modeling only a few predicates about data relevant to each rule being checked. The predicates that need to be "pulled into" the model depend on how the client code manages state relevant to the rule. CEGAR is used to discover the relevant state automatically so as to balance the dual objectives of scaling to large programs and reducing false errors.

SLIC specification language. We designed SLAM to check temporal safety properties of programs using a well-defined interface or API. Safety properties are properties whose violation is witnessed by a finite execution path. A simple example of a safety property is that a lock should be alternately acquired and released. SLIC allows us to encode temporal safety properties in a C-like language that defines a safety automaton44 that monitors a program's execution behavior at the level of function calls and returns. The automaton can read (but not modify) the state of the C program that is visible at the function call/return interface, maintain a history, and signal the occurrence of a bad state.

A SLIC rule includes three components: a static set of state variables, described as a C structure; a set of events and event handlers that specify state transitions on the events; and a set of annotations that bind the rule to various object instances in the program (not shown in this example). As an example of a rule, consider the locking rule in Figure 1a. Line 1 declares a C structure containing one field, state, an enumeration that can be either Unlocked or Locked, to capture the state of the lock. Lines 3–5 describe an event handler for calls to KeInitializeSpinLock. Lines 7–13 describe an event handler for calls to the function KeAcquireSpinLock. The code for the handler expects the state to be Unlocked and moves it to Locked (specified in line 9). If the state is already Locked, then the program has called KeAcquireSpinLock twice without an intervening call to KeReleaseSpinLock, which is an error (line 9). Lines 15–21 similarly describe an event handler for calls to the function KeReleaseSpinLock.[a] Figure 1b is a piece of code that uses the functions KeAcquireSpinLock and KeReleaseSpinLock. Figure 1c is the same code after it has been instrumented with calls to the appropriate event handlers. We return to this example later.

a. A more detailed example of this rule would handle different instances of locks, but we cover the simple version here for ease of exposition.

CEGAR via predicate abstraction. Figure 2 presents ML-style pseudocode of the CEGAR process. The goal of SLAM is to check if all executions of the given C program P (type cprog) satisfy a SLIC rule S (type spec).

The instrument function takes the program P and SLIC rule S as inputs and produces an instrumented program P´ as output, based on the product-construction technique for safety properties described in Vardi and Wolper.44 It hooks up relevant events via calls to event handlers specified in the rule S, maps the error statements in the SLIC rule to a unique error state in P´, and guarantees that P satisfies S if and only if the instrumented program P´ never reaches the error state. Thus, this function reduces the problem of checking if P satisfies S to checking if P´ can reach the error state.

The function slam takes a C program P and SLIC rule specification S as input and passes the instrumented C program to the tail-recursive function cegar, along with the predicates extracted from the specification S (specifically, the guards that appear in S as predicates). The first step of the cegar function is to abstract program P´ with respect to
Figure 1. (a) Simplified SLIC locking rule; (b) code fragment using spinlocks; (c) fragment after instrumentation.
the predicate set preds to create a Boolean program abstraction B. The automated transformation of a C program into a Boolean program uses a technique called predicate abstraction, first introduced in Graf and Saïdi29 and later extended to work with programming-language features in Ball et al.2 and Ball et al.3

The program B has exactly the same control-flow skeleton as program P´. By construction, for any set of predicates preds, every execution trace of the C program P´ also is an execution trace of B = abstract(P´, preds); that is, the execution traces of P´ are a subset of those of B. The Boolean program B models only the portions of the state of P´ relevant to the current SLIC rule, using nondeterminism to abstract away irrelevant state in P´.

Once the Boolean program B is constructed, the check function exhaustively explores the state space of B to determine if the (unique) error state is reachable. Even though all variables in B are Boolean, it can have procedure calls and a potentially unbounded call stack. Our model checker performs symbolic reachability analysis of the Boolean program (a pushdown system) using binary decision diagrams.11 It uses ideas from interprocedural data flow analysis42,43 and builds summaries for each procedure to handle recursion and variable scoping.

If the check function returns AbstractPass, then the error state is not reachable in B and therefore is also not reachable in P´. In this case, SLAM has proved that the C program P satisfies the specification S. However, if the check function returns AbstractFail with witness trace trc, the error state is reachable in the Boolean program B but not necessarily in the C program P´. Therefore, the trace trc must be validated in the context of P´ to prove it really is an execution trace of P´.

The function symexec symbolically executes the trace trc in the context of the C program P´. Specifically, it constructs a formula φ(P´, trc) that is satisfiable if and only if there exists an input that would cause program P´ to execute trace trc. If symexec returns Satisfiable, then SLAM has proved program P does not satisfy specification S and returns the counterexample trace trc.

If the function symexec returns Unsatisfiable(prf), then it has found a proof prf that there is no input that would cause P´ to execute trace trc. The function refine takes this proof of unsatisfiability, reduces it to a smaller proof of unsatisfiability, and returns the set of constituent predicates from this smaller proof. The function refine guarantees that the trace trc is not an execution trace of the Boolean program

    abstract(P´, preds ∪ refine(prf))

The ability to refine the (Boolean program) abstraction to rule out a spurious counterexample is known as the progress property of the CEGAR process.

Despite the progress property, the CEGAR process offers no guarantee of terminating since the program P´ may have an intractably large or infinite number of states; it can refine the Boolean program forever without discovering a proof of correctness or proof of error.

However, as each Boolean program is guaranteed to overapproximate the behavior of the C program, stopping the CEGAR process before it terminates with a definitive result is no different from any terminating program analysis that produces false alarms. In practice, SLAM terminates with a definite result over 96% of the time on large classes of device drivers:
Figure 2. The SLAM CEGAR loop: the abstract function takes a C program (cprog P) and predicates to a Boolean program (bprog B); counterexample traces are validated, and a validated trace means P fails S.
    type cprog, spec, predicates, bprog, trace, proof

    type result =
        Pass | Fail of trace

    type chkresult =
        AbstractPass | AbstractFail of trace

    type excresult =
        Satisfiable | Unsatisfiable of proof

    let rec cegar (P’:cprog) (preds:predicates) : result =
        let B: bprog = abstract(P’, preds) in
        match check(B) with
          AbstractPass -> Pass
        | AbstractFail(trc) ->
            match symexec(P’, trc) with
              Satisfiable -> Fail(trc)
            | Unsatisfiable(prf) -> cegar P’ (preds ∪ (refine prf))

    let slam (P:cprog) (S:spec) : result =
        cegar (instrument(P,S)) (preds S)
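The abstract step can be illustrated with a small executable sketch (ours, for illustration only, not SLAM's implementation; all names are invented for the example): map each concrete state of a one-variable program to the truth values of a predicate set, and lift a concrete statement to transitions over those abstract states. The nondeterminism described above shows up as an abstract state with more than one successor.

```python
# Toy predicate abstraction over a one-variable program state.
# abstract_state maps a concrete state to one bit per predicate;
# abstract_transitions lifts a concrete step to abstract-state pairs.

def abstract_state(x, preds):
    """Truth values of every predicate in the concrete state x."""
    return tuple(p(x) for p in preds)

def abstract_transitions(step, states, preds):
    """Every abstract transition induced by some concrete transition."""
    return {(abstract_state(x, preds), abstract_state(step(x), preds))
            for x in states}

preds = [lambda x: x > 0]          # the single predicate {x>0}
step = lambda x: x - 1             # concrete statement: x = x - 1
trans = abstract_transitions(step, range(-3, 4), preds)

# The abstract state (True,) has two successors, so the Boolean
# program's transition is nondeterministic:
print(sorted(trans))
```

Because every concrete transition is represented by some abstract transition, every trace of the concrete program is a trace of the abstraction; this is the overapproximation property the CEGAR loop relies on.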
for Windows Driver Framework (WDF) drivers, the figure is 100%, and for Windows Driver Model (WDM) drivers, the figure is 97%.

Example. We illustrate the CEGAR process using the SLIC rule from Figure 1a and the example code fragment in Figure 1b. In the program, we have a single spinlock being initialized at line 4. The spinlock is acquired at line 8 and released at line 12. However, both calls KeAcquireSpinLock and KeReleaseSpinLock are guarded by the conditional (x > 0). Thus, tracking correlations between such conditionals is important for proving this property. Figures 3a and 3b show the Boolean program obtained by the first application of the abstract function to the code from Figures 1a and 1c, respectively.

Figure 3a is the Boolean program abstraction of the SLIC event handler code. Recall that the instrumentation step guarantees there is a unique error state. The function slic_error at line 1 represents that state; that is, the function slic_error is unreachable if and only if the program satisfies the SLIC rule. There is one Boolean variable named {state==Locked}; by convention, we name each Boolean variable with the predicate it stands for, enclosed in curly braces. In this case, the predicate comes from the guard in the SLIC rule (Figure 1a, line 8). Lines 5–8 and lines 10–13 of Figure 3a show the Boolean procedures corresponding to the SLIC event handlers SLIC_KeAcquireSpinLock_call and SLIC_KeReleaseSpinLock_call from Figure 1a.

Figure 3b is the Boolean program abstraction of the SLIC-instrumented C program from Figure 1c. Note the Boolean program has the same control flow as the C program, including procedure calls. However, the conditionals at lines 7 and 12 of the Boolean program are nondeterministic since the Boolean program does not have a predicate that refers to the value of variable x. Also note that the references to variables count, devicebuffer, and localbuffer are elided in lines 10 and 11 (replaced by skip statements in the Boolean program) since the Boolean program does not have predicates that refer to these variables.

The abstraction in Figure 3b, though a valid abstraction of the instrumented C, is not strong enough to prove the program conforms to the SLIC rule. In particular, the reachability analysis of the Boolean program performed by the check function will find that slic_error is reachable via the trace 1, 2, 3, 4, 5, 6, 7, 10, 11, 12, 13, which skips the call to SLIC_KeAcquireSpinLock_call at line 8 and performs the call to SLIC_KeReleaseSpinLock_call at line 13. Since the Boolean variable {state==Locked} is false, slic_error will be called in line 11 of Figure 3a.

SLAM feeds this error trace to the symexec function that executes it symbolically over the instrumented C program in Figure 1c and determines the trace is not executable since the branches in “if” conditions are correlated. In particular, the trace is not executable because there does not exist a value for variable x such that (x > 0) is false (skipping the body of the first conditional) and such that (x > 0) is true (entering the body of the second conditional). That is, the formula ∃x.(x ≤ 0) ∧ (x > 0) is unsatisfiable. The result of the refine function is to add the predicate {x>0} to the Boolean program to refine it. This addition results in the Boolean program abstraction in Figure 3c, including the Boolean variable {x>0}, in addition to {state==Locked}.

Using these two Boolean variables, the abstraction in Figure 3c is strong enough to prove slic_error is unreachable for all possible executions of the Boolean program, and hence SLAM proves this Boolean program satisfies the SLIC rule. Since the Boolean program is constructed to be an overapproximation of the C program in Figure 1c, the C program indeed satisfies the SLIC rule.
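The symexec check on this trace can be mimicked with a brute-force sketch (ours, for illustration; SLAM builds a formula and consults a theorem prover rather than enumerating inputs): a trace is feasible iff some input satisfies the conjunction of its branch constraints, and for this spurious trace the two constraints on x contradict each other.

```python
# Feasibility of a trace = satisfiability of its branch constraints.
# The spurious trace falls through the first 'if (x > 0)' but enters
# the second, so it needs (x <= 0) and (x > 0) simultaneously.

def feasible(constraints, inputs):
    """Brute-force check: does any input satisfy all constraints?"""
    return any(all(c(x) for c in constraints) for x in inputs)

trace_constraints = [
    lambda x: not (x > 0),   # fell through the first conditional
    lambda x: x > 0,         # took the second conditional's branch
]

print(feasible(trace_constraints, range(-1000, 1001)))  # False: spurious
```

An unsatisfiable constraint set is exactly what triggers the refine step, which here would surface the predicate {x>0}.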
From SLAM to SDV
SDV is a completely automatic tool (based on SLAM) that device-driver developers can use at compile time. Requiring nothing more than the build script of the driver, the SDV tool runs fully automatically and checks a set of prepackaged API usage rules on the device driver. For every usage rule violated by the driver, SDV presents a possible execution trace through the driver that shows how the rule can be violated.
Figure 3. (a) Boolean program abstraction for locking and unlocking routines; (b) Boolean program: CEGAR iteration 1;
(c) Boolean program: CEGAR iteration 2.
practice, in addition to state-space explosion, several other obstacles can inhibit model checking being a “push-button” technology: First, users must specify the properties they want to check, without which there is nothing for a model checker to do. In complex systems (such as the Windows driver interface), specifying such properties is difficult, and these properties must be debugged. Second, due to the state-explosion problem, the code analyzed by the model checker is not the full system in all its gory complexity but rather the composition of some detailed component (like a device driver) with a so-called “environment model” that is a highly abstract, human-written description of the other components of the system—in our case, kernel procedures of the Windows operating system. Third, to be a practical tool in the toolbox of a driver developer, the model checker must be encapsulated in a script that incorporates it in the driver development environment, feeds it the driver's source code, and reports results to the user. Thus, creating a push-button experience for users requires much more than just building a good model-checking engine.

Here, we explore the various components of the SDV tool besides SLAM: driver API rules, environment models, scripts, and user interface, describing how they've evolved over the years, starting with the formation of the SDV team in Windows in 2002 and several internal and external releases of SDV.

API rules. Different classes of devices have different requirements, leading to class-specific driver APIs. Thus, networking drivers use the NDIS API, storage drivers use the StorPort and MPIO APIs, and display drivers the WDDM API. A new API called WDF was designed to provide higher-level abstractions for common device drivers. As described earlier, SLIC rules capture API-level interactions, though they are not specific to a particular device driver but to a whole class of drivers that use a common API. Such a specification … API rules.

Environment models. SLAM is designed as a generic engine for checking properties of a closed C program. However, a device driver is not a closed program with a main procedure but rather a library with many entry points (registered with and called by the operating system). This problem is standard to both program analysis and model checking.

Before applying SLAM to a driver's code, we first “close” the driver program with a suitable environment consisting of a top layer called the harness, a main procedure that calls the driver's entry points, and a bottom layer of stubs for the Windows API functions that can be called by the device driver. Thus, the harness calls into the driver, and the driver calls the stubs.

Most API rules are local to a driver's entry points, meaning a rule can be checked independently on each entry point. However, some complex rules deal with sequences of entry points. For the rules of the first type, the body of the harness is a nondeterministic switch in which each branch calls a single and different entry point of the driver. For more complex rules, the harness contains a sequence of such nondeterministic switches.

A stub is a simplified implementation of an API function intended to approximate the input-output relation of the API function. Ideally, this relation should be an overapproximation of the API function. In many cases, a driver API function returns a scalar indicating success or failure. In these cases, the API stub usually ends with a nondeterministic switch over possible return values. In many cases, a driver API function allocates a memory object and returns its address, sometimes through an output pointer parameter. In these cases, the harness allocates a small set of such memory objects, and the stub picks up one of them and returns its address.
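The harness-and-stub shape described above can be sketched in executable form (our illustration, not SDV's generated C harness; the entry points and status codes are hypothetical). Nondeterministic choice is modeled here by exploring every branch:

```python
# Model the harness's nondeterministic switch over entry points and a
# stub's nondeterministic return value by exhaustive exploration.

def stub_status():
    """Stub for a hypothetical API call: overapproximate its
    input-output relation by yielding every possible status code."""
    return [0, -1]                      # hypothetical success/failure

def harness(entry_points):
    """Top layer: call each entry point under each stub outcome."""
    explored = []
    for entry in entry_points:          # nondeterministic switch
        for status in stub_status():    # nondeterministic stub result
            explored.append((entry.__name__, entry(status)))
    return explored

# Hypothetical driver with two entry points.
def evt_device_add(status):
    return "added" if status == 0 else "failed"

def evt_device_stop(status):
    return "stopped"

print(harness([evt_device_add, evt_device_stop]))
```

A rule that is local to each entry point needs only this single switch; rules over sequences of entry points would chain several such switches, as the text describes.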
Scaling rules and models. Initially, we (the SDV team) wrote the API rules in SLIC based on input from driver API
… rules.” Since then, we've invested significant effort in creating a discipline for writing SLIC rules and spreading it among device-driver API developers and testers.

In 2007, the SDV team refined the API rules and formulated a set of guidelines for rule development and driver environment model construction. This helped us transfer rule development to two software engineers with backgrounds far removed from formal verification, enabling them to succeed and later spread this form of rule development to others. Since 2007, driver API teams have been using summer interns to develop new API rules for WDF, NDIS, StorPort, and MPIO APIs and for an API used to write file system mini-filters (such as antiviruses) and Windows services. Remarkably, all interns have written API rules that found true bugs in real drivers.

SDV today includes more than 470 API rules. The latest version, SDV 2.0 (released with Windows 7 in 2009), includes more than 210 API rules for the WDM, WDF, and NDIS APIs, of which only 60 were written by formal verification experts. The remaining 150 were written or modified from earlier drafts by software engineers or interns with no experience in formal verification.

Worth noting is that the SLIC rules for WDF were developed during the design phase of WDF, whereas the WDM rules were developed long after WDM came into existence. The formalization of the WDF rules influenced WDF design; if a rule could not be expressed naturally in SLIC, the WDF designers tried to refactor the API to make it easier to verify. This experience showed that verification tools (such as SLAM) can be forward-looking design aids, in addition to being checkers for legacy APIs (such as WDM).

Scripts. SDV includes a set of scripts that perform various functions: combining rules and environment models; detecting source files of a driver and its build parameters; running the SLIC compiler on rules and the C compiler …, making sure these scripts would provide a very high degree of automation for the user. The user need not specify anything other than the build scripts used to build the driver.

SDV Experience
The first version of SDV (1.3, not released outside Microsoft) found, on average, one real bug per driver in 30 sample drivers shipped with the Driver Development Kit (DDK) for Windows Server 2003. These sample drivers were already well tested. Eliminating defects in the WDK samples is important since code from sample drivers is often copied by third-party driver developers.

Versions 1.4 and 1.5 of SDV were applied to Windows Vista drivers. In the sample WDM drivers shipped with the Vista WDK (WDK, the renamed DDK), SDV found, on average, approximately one real bug per two drivers. These samples were mostly modifications of sample drivers from the Windows Server 2003 DDK, with fixes applied for the defects found by SDV 1.3. The newly found defects were due to improvements in the set of SDV rules and to defects introduced due to modifications in the drivers.

For Windows Server 2008, SDV version 1.6 contained new rules for WDF drivers, with which SDV found one real bug per three WDF sample drivers. The low bug count is explained by simplicity of the WDF driver model described earlier and co-development of sample drivers, together with the WDF rules.

For the Windows 7 WDK, SDV 2.0 found, on average, one new real bug per WDF sample driver and few bugs on all the WDM sample drivers. This data is explained by more focused efforts to refine WDF rules and few modifications in the WDM sample drivers. SDV 2.0 shipped with 74 WDM rules, 94 WDF rules, and 36 NDIS rules. On WDM drivers, 90% of the defects reported by SDV are true bugs, and the rest are false errors. Further, SDV reports nonresults (such as timeouts
and spaceouts) on only 3.5% of all checks. On WDF drivers, 98% of defects reported by SDV are true bugs, and nonresults are reported on only 0.04% of all checks. During the development cycle of Windows 7, SDV 2.0 was applied as a quality gate to drivers written by Microsoft and sample drivers shipped with the WDK. SDV was applied later in the cycle after all other tools, yet found 270 real bugs in 140 WDM and WDF drivers. All bugs found by SDV in Microsoft drivers were fixed by Microsoft. We do not have reliable data on bugs found by SDV in third-party device drivers.

Here, we give performance statistics from a recent run of SDV on 100 drivers and 80 SLIC rules. The largest driver in the set is about 30,000 lines of code, and the total size of all drivers is 450,000 lines of code. The total runtime for the 8,000 runs (each driver-rule combination is a run) is about 30 hours on an eight-core machine. We kill a run if it exceeds 20 minutes, and SDV yields useful results (either a bug or a pass) on over 97% of the runs. We thus find SDV checks drivers with acceptable performance, yielding useful results on a large fraction of the runs.
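The run methodology behind these statistics (one run per driver-rule pair, with a hard per-run time budget) can be sketched as below. This is our reconstruction for illustration, not SDV's actual scripts; check_driver is a stand-in for a real SLAM invocation, and the thread pool simplifies the process management real scripts would use.

```python
# Run every driver x rule combination with a per-run time budget,
# recording a nonresult ("timeout") for runs exceeding the budget.
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as RunTimeout

TIME_BUDGET_SECS = 20 * 60              # kill a run after 20 minutes

def check_driver(driver, rule):
    """Stand-in for one SLAM run; would return 'pass' or 'bug'."""
    return "pass"

def run_all(drivers, rules, budget=TIME_BUDGET_SECS):
    results = {}
    with ThreadPoolExecutor() as pool:  # real scripts use processes
        futures = {(d, r): pool.submit(check_driver, d, r)
                   for d in drivers for r in rules}
        for key, fut in futures.items():
            try:
                results[key] = fut.result(timeout=budget)
            except RunTimeout:
                results[key] = "timeout"    # a nonresult
    return results

res = run_all(["driver_a", "driver_b"], ["rule_1", "rule_2"])
useful = sum(v in ("pass", "bug") for v in res.values())
print(useful, "useful results of", len(res))
```

Tallying "pass" and "bug" against "timeout" outcomes gives exactly the useful-result fraction quoted in the text.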
Limitations. SLAM and SDV also involve several notable limitations. Even with CEGAR, SLAM is unable to handle very large programs (with hundreds of thousands of lines of code). However, we also found SDV is able to give useful results for control-dominated properties and programs with tens of thousands of lines of code. Though SLAM handles pointers in a sound manner, in practice, it is unable to prove properties that depend on establishing invariants of heap data structures. SLAM handles only sequential programs, though others have extended SLAM to deal with bounded context switches in concurrent programs.40 Our experience with SDV shows that in spite of these limitations, SLAM is very successful in the domain of device-driver verification.

Related Work
SLAM builds on decades of research in formal methods. Model checking15,16,41 has been used extensively to algorithmically check temporal logic properties of models. Early applications of model checking were in hardware38 and protocol design.32 In compiler and programming languages, abstract interpretation21 provides a broad and generic framework to compute fixpoints using abstract lattices. The particular abstraction used by SLAM was called “predicate abstraction” by Graf and Saïdi.29 Our contribution was to show how to perform predicate abstraction on C programs with such language features as pointers and procedure calls in a modular manner.2,3 The predicate-abstraction algorithm uses an automated theorem prover. Our initial implementation of SLAM used the Simplify theorem prover.23 Our current implementation uses the Z3 theorem prover.22

The Bandera project explored the idea of user-guided finite-state abstractions for Java programs20 based on predicate abstraction and manual abstraction but without automatic refinement of abstractions. It also explored the use of program slicing for reducing the state space of models. SLAM was influenced by techniques used in Bandera to check typestate properties on all objects of a given type.

SLAM's Boolean program model checker (Bebop) computes fixpoints on the state space of the generated Boolean program that can include recursive procedures. Bebop uses the Context Free Language Reachability algorithm,42,43 implementing it symbolically using Binary Decision Diagrams.11 Bebop was the first symbolic model checker for pushdown systems. Since then, other symbolic checkers have been built for similar purposes,25,36 and Boolean programs generated by SLAM have been used to study and improve their performance.

SLAM and its practical application to checking device drivers has been enthusiastically received by the research community, and several related projects have been started by research groups in universities and industry. At Microsoft, the ESP and Vault projects were started in the same group as SLAM, exploring different ways of checking API usage rules.37 The Blast project31 at the University of California, Berkeley, proposed a technique called “lazy abstraction” to optimize constructing and maintaining the abstractions across the iterations in the CEGAR loop. McMillan39 proposed “interpolants” as a more systematic and general way to perform refinement; Henzinger et al.30 found predicates generated from interpolants have nice local properties that were then used to implement local abstractions in Blast.

Other contemporary techniques for analyzing C code against temporal rules include the meta-level compilation approach of Engler et al.24 and an extension of SPIN developed by Holzmann to handle ANSI C.33 The Cqual project uses “type qualifiers” to specify API usage rules, using type inference to check C code against the type-qualifier annotations.26

SLAM works by computing an overapproximation of the C program, or a “may analysis,” as described by Godefroid et al.28 The may analysis is refined using symbolic execution on traces, as inspired by the PREfix tool,12 or a “must analysis.” In the past few years, must analysis using efficient symbolic execution on a subset of paths in the program has been shown to be very effective in finding bugs.27 The Yogi project has explored ways to combine may and must analysis in more general ways.28 Another way to perform underapproximation or must analysis is to unroll loops a fixed number of times and perform “bounded model checking”14 using satisfiability solvers, an idea pursued by several projects, including CBMC,18 F-Soft,34 and Saturn.1

CEGAR has been generalized to check properties of heap-manipulating programs,10 as well as the problem of program termination.19 The Magic model checker checks properties of concurrent programs where threads interact through message passing.13 And Qadeer and Wu40 used SLAM to analyze concurrent programs through an encoding that models all interleavings with two context switches as a sequential program.

Conclusion
The past decade has seen a resurgence of interest in the automated analysis of software for the dual purpose of defect detection and program verification, as well as advances in program analysis, model checking, and automated theorem proving. A unique SLAM contribution is the complete automation of
CEGAR for software written in expressive programming languages (such as C). We achieved this automation by combining and extending such diverse ideas as predicate abstraction, interprocedural data-flow analysis, symbolic model checking, and alias analysis. Windows device drivers provided the crucible in which SLAM was tested and refined, resulting in the SDV tool, which ships as part of the Windows Driver Kit.

Acknowledgments
For their many contributions to SLAM and SDV, directly and indirectly, we thank Nikolaj Bjørner, Ella Bounimova, Sagar Chaki, Byron Cook, Manuvir Das, Satyaki Das, Giorgio Delzanno, Leonardo de Moura, Manuel Fähndrich, Nar Ganapathy, Jon Hagen, Rahul Kumar, Shuvendu Lahiri, Jim Larus, Rustan Leino, Xavier Leroy, Juncao Li, Jakob Lichtenberg, Rupak Majumdar, Johan Marien, Con McGarvey, Todd Millstein, Arvind Murching, Mayur Naik, Aditya Nori, Bohus Ondrusek, Adrian Oney, Onur Oyzer, Edgar Pek, Andreas Podelski, Shaz Qadeer, Bob Rinne, Robby, Stefan Schwoon, Adam Shapiro, Rob Short, Fabio Somenzi, Amitabh Srivastava, Antonios Stampoulis, Donn Terry, Abdullah Ustuner, Westley Weimer, Georg Weissenbacher, Peter Wieland, and Fei Xie.

References
1. Aiken, A., Bugrara, S., Dillig, I., Dillig, T., Hackett, B., and Hawkins, P. An overview of the Saturn project. In Proceedings of the 2007 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (San Diego, June 13–14). ACM Press, New York, 2007, 43–48.
2. Ball, T., Majumdar, R., Millstein, T., and Rajamani, S.K. Automatic predicate abstraction of C programs. In Proceedings of the 2001 ACM SIGPLAN Conference on Programming Language Design and Implementation (Snowbird, UT, June 20–22). ACM Press, New York, 2001, 203–213.
3. Ball, T., Millstein, T.D., and Rajamani, S.K. Polymorphic predicate abstraction. ACM Transactions on Programming Languages and Systems 27, 2 (Mar. 2005), 314–343.
4. Ball, T., Podelski, A., and Rajamani, S.K. Boolean and Cartesian abstractions for model checking C programs. In Proceedings of the Seventh International Conference on Tools and Algorithms for Construction and Analysis of Systems (Genova, Italy, Apr. 2–6). Springer, 2001, 268–283.
5. Ball, T. and Rajamani, S.K. Bebop: A symbolic model checker for Boolean programs. In Proceedings of the Seventh International SPIN Workshop on Model Checking and Software Verification (Stanford, CA, Aug. 30–Sept. 1). Springer, 2000, 113–130.
6. Ball, T. and Rajamani, S.K. Boolean Programs: A Model and Process for Software Analysis. Technical Report MSR-TR-2000-14. Microsoft Research, Redmond, WA, Feb. 2000.
7. Ball, T. and Rajamani, S.K. Automatically validating temporal safety properties of interfaces. In Proceedings of the Eighth International SPIN Workshop on Model Checking of Software Verification (Toronto, May 19–20). Springer, 2001, 103–122.
8. Ball, T. and Rajamani, S.K. The SLAM project: Debugging system software via static analysis. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Portland, OR, Jan. 16–18). ACM Press, New York, Jan. 2002, 1–3.
9. Ball, T. and Rajamani, S.K. SLIC: A Specification Language for Interface Checking. Technical Report MSR-TR-2001-21. Microsoft Research, Redmond, WA, 2001.
10. Beyer, D., Henzinger, T.A., Théoduloz, G., and Zufferey, D. Shape refinement through explicit heap analysis. In Proceedings of the 13th International Conference on Fundamental Approaches to Software Engineering (Paphos, Cyprus, Mar. 20–28). Springer, 2010, 263–277.
11. Bryant, R. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers C-35, 8 (Aug. 1986), 677–691.
12. Bush, W.R., Pincus, J.D., and Sielaff, D.J. A static analyzer for finding dynamic programming errors. Software-Practice and Experience 30, 7 (June 2000), 775–802.
13. Chaki, S., Clarke, E., Groce, A., Jha, S., and Veith, H. Modular verification of software components in C. In Proceedings of the 25th International Conference on Software Engineering (Portland, OR, May 3–10). IEEE Computer Society, 2003, 385–395.
14. Clarke, E., Grumberg, O., and Peled, D. Model Checking. MIT Press, Cambridge, MA, 1999.
15. Clarke, E.M. and Emerson, E.A. Synthesis of synchronization skeletons for branching time temporal logic. In Proceedings of the Workshop on Logic of Programs (Yorktown Heights, NY, May 1981). Springer, 1982, 52–71.
16. Clarke, E.M., Emerson, E.A., and Sifakis, J. Model checking: Algorithmic verification and debugging. Commun. ACM 52, 11 (Nov. 2009), 74–84.
17. Clarke, E.M., Grumberg, O., Jha, S., Lu, Y., and Veith, H. Counterexample-guided abstraction refinement. In Proceedings of the 12th International Conference on Computer-Aided Verification (Chicago, July 15–19). Springer, 2000, 154–169.
18. Clarke, E.M., Kroening, D., and Lerda, F. A tool for checking ANSI-C programs. In Proceedings of the 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (Barcelona, Mar. 29–Apr. 2). Springer, 2004, 168–176.
19. Cook, B., Podelski, A., and Rybalchenko, A. Abstraction refinement for termination. In Proceedings of the 12th International Static Analysis Symposium (London, Sept. 7–9). Springer, 2005, 87–101.
20. Corbett, J., Dwyer, M., Hatcliff, J., Pasareanu, C., Robby, Laubach, S., and Zheng, H. Bandera: Extracting finite-state models from Java source code. In Proceedings of the 22nd International Conference on Software Engineering (Limerick, Ireland, June 4–11). ACM Press, New York, 2000, 439–448.
21. Cousot, P. and Cousot, R. Abstract interpretation: A unified lattice model for the static analysis of programs by construction or approximation of fixpoints. In Proceedings of the Fourth ACM Symposium on Principles of Programming Languages (Los Angeles, Jan.). ACM Press, New York, 1977, 238–252.
22. de Moura, L. and Bjørner, N. Z3: An efficient SMT solver. In Proceedings of the 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (Budapest, Mar. 29–Apr. 6). Springer, 2008, 337–340.
23. Detlefs, D., Nelson, G., and Saxe, J.B. Simplify: A theorem prover for program checking. Journal of the ACM 52, 3 (May 2005), 365–473.
24. Engler, D., Chelf, B., Chou, A., and Hallem, S. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the Fourth Symposium on Operating System Design and Implementation (San Diego, Oct. 23–25). Usenix Association, 2000, 1–16.
25. Esparza, J. and Schwoon, S. A BDD-based model checker for recursive programs. In Proceedings of the 13th International Conference on Computer Aided Verification (Paris, July 18–22). Springer, 2001, 324–336.
26. Foster, J.S., Terauchi, T., and Aiken, A. Flow-sensitive type qualifiers. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (Berlin, June 17–19). ACM Press, New York, 2002, 1–12.
27. Godefroid, P., Levin, M.Y., and Molnar, D.A. Automated whitebox fuzz testing. In Proceedings of the Network and Distributed System Security Symposium (San Diego, CA, Feb. 10–13). The Internet Society, 2008.
28. Godefroid, P., Nori, A.V., Rajamani, S.K., and Tetali, S.D. Compositional may-must program analysis: Unleashing the power of alternation. In Proceedings of the 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Madrid, Jan. 17–23). ACM Press, New York, 2010, 43–56.
29. Graf, S. and Saïdi, H. Construction of abstract state graphs with PVS. In Proceedings of the Ninth International Conference on Computer-Aided Verification (Haifa, June 22–25). Springer, 1997, 72–83.
30. Henzinger, T.A., Jhala, R., Majumdar, R., and McMillan, K.L. Abstractions from proofs. In Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Venice, Jan. 14–16). ACM Press, New York, 2004, 232–244.
31. Henzinger, T.A., Jhala, R., Majumdar, R., and Sutre, G. Lazy abstraction. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Portland, OR, Jan. 16–18). ACM Press, New York, 2002, 58–70.
32. Holzmann, G. The SPIN model checker. IEEE Transactions on Software Engineering 23, 5 (May 1997), 279–295.
33. Holzmann, G. Logic verification of ANSI-C code with SPIN. In Proceedings of the Seventh International SPIN Workshop on Model Checking and Software Verification (Stanford, CA, Aug. 30–Sept. 1). Springer, 2000, 131–147.
34. Ivancic, F., Yang, Z., Ganai, M.K., Gupta, A., and Ashar, P. Efficient SAT-based bounded model checking for software verification. Theoretical Computer Science 404, 3 (Sept. 2008), 256–274.
35. Kurshan, R. Computer-aided Verification of Coordinating Processes. Princeton University Press, Princeton, NJ, 1994.
36. La Torre, S., Parthasarathy, M., and Parlato, G. Analyzing recursive programs using a fixed-point calculus. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation (Dublin, June 15–21). ACM Press, New York, 2009, 211–222.
37. Larus, J.R., Ball, T., Das, M., DeLine, R., Fähndrich, M., Pincus, J., Rajamani, S.K., and Venkatapathy, R. Righting software. IEEE Software 21, 3 (May/June 2004), 92–100.
38. McMillan, K. Symbolic Model Checking: An Approach to the State-Explosion Problem. Kluwer Academic Publishers, 1993.
39. McMillan, K.L. Interpolation and SAT-based model checking. In Proceedings of the 15th International Conference on Computer-Aided Verification (Boulder, CO, July 8–12). Springer, 2003, 1–13.
40. Qadeer, S. and Wu, D. KISS: Keep it simple and sequential. In Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation (Washington, D.C., June 9–12). ACM Press, New York, 2004, 14–24.
41. Queille, J. and Sifakis, J. Specification and verification of concurrent systems in CESAR. In Proceedings of the Fifth International Symposium on Programming (Torino, Italy, Apr. 6–8). Springer, 1982, 337–350.
42. Reps, T., Horwitz, S., and Sagiv, M. Precise interprocedural data flow analysis via graph reachability. In Proceedings of the 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Francisco, Jan. 23–25). ACM Press, New York, 1995, 49–61.
43. Sharir, M. and Pnueli, A. Two approaches to interprocedural data flow analysis. In Program Flow Analysis: Theory and Applications, N.D. Jones and S.S. Muchnick, Eds. Prentice-Hall, 1981, 189–233.
44. Vardi, M.Y. and Wolper, P. An automata theoretic approach to automatic program verification. In Proceedings of the Symposium on Logic in Computer Science (Cambridge, MA, June 16–18). IEEE Computer Society Press, 1986, 332–344.

Thomas Ball (tball@microsoft.com) is a principal researcher, managing the Software Reliability Research group in Microsoft Research, Redmond, WA.

Vladimir Levin (vladlev@microsoft.com) is a principal software design engineer and the technical lead of the Static Driver Verification project in Windows in Microsoft, Redmond, WA.

Sriram Rajamani (sriram@microsoft.com) is assistant managing director of Microsoft Research India, Bangalore.

© 2011 ACM 0001-0782/11/07 $10.00
Searching for Jim Gray: A Technical Overview
On Sunday, January 28, 2007, noted computer scientist Jim Gray disappeared at sea in his sloop Tenacious. He was sailing singlehanded, with plans to scatter his mother's ashes near the Farallon Islands, some 27 miles outside San Francisco's Golden Gate.
As news of Gray's disappearance spread through his social network, his friends and colleagues began discussing ways to mobilize their skills and resources to help authorities locate Tenacious and rescue Gray. That discussion evolved over days and weeks into an unprecedented civilian search-and-rescue (SAR) exercise involving satellites, private planes, automated image analysis, ocean current simulations, and crowdsourced human computing, in collaboration with the U.S. Coast Guard. The team that emerged included computer scientists, engineers, graduate students, oceanographers, astronomers, business leaders, venture capitalists, and entrepreneurs, many of whom had never met one another before. There was ample access to funds, technology, organizational skills and know-how, and a willingness to work round the clock.

key insights

- Loosely coupled teams quickly evolved software polytechtures with varying interfaces, decoupling data acquisition from analysis to enable use of expertise at a distance.
- The U.S. Coast Guard developed software to aid search and rescue and is an interesting potential research partner for computer scientists.

Even with these advantages, the odds of finding Tenacious were never good. On February 16, 2007, in consultation with the Coast Guard and Gray's family, the team agreed to call off the search. Tenacious remains lost to this day, despite a subsequent extensive underwater search of the San Francisco coastline.4

Gray was famous for many things, including his determination to work with practitioners to transform the practical challenges they faced into scientific questions that could be formalized and addressed by the research community. As the search for Tenacious wound down, a number of us felt that even though the effort was not successful on its own terms, it offered a Jim-Gray-like opportunity to convert the particulars of the experience into higher-level technical observations of more general interest. One goal was to encourage efforts to "democratize" the ability of families and friends to use technology to assist SAR, so people whose social network is not as well-connected as Gray's could undertake analogous efforts. In addition, we hoped to review the techniques we used and ask how to improve them further to make the next search effort more effective. To that end, in May 2008, the day after a public tribute to Gray at the University of California, Berkeley, we convened a meeting of search participants, including the Coast Guard. This was the first opportunity for the virtual organization that had searched for Tenacious to meet face-to-face and compare stories and perspectives.

One sober conclusion the group quickly reached was that its specific lessons on maritime SAR could have only modest impact, as we detail here. However, we still felt it would be constructive to cull lessons learned and identify technical challenges. First, maritime search is not a solved problem, and even though the number of lives to be saved is small, each life is precious. Second, history shows that technologies developed in one application setting often have greater impact in others. We were hopeful that lessons learned searching for Gray could inform efforts launched during larger life-threatening scenarios, including civilian-driven efforts toward disaster response and SAR during natural disasters and military conflict. Moreover, as part of the meeting, we also brainstormed about the challenges of safety and prevention.

This article aims to distill some of that discussion within computer science, which is increasingly interested in disaster response (such as following the 2007 Kenyan election crisis1 and 2010 Haiti earthquake2). We document the emergent structure of the team and its communication, the "polytechture" of the systems built during the search, and some of the related challenges; a longer version of this article3 includes additional figures, discussion, and technical challenges.

Background
The amateur effort to find Tenacious and its skipper began with optimism but little context as to the task at hand. We had no awareness of SAR practice and technology, and only a vague sense of the special resources Gray's friends could bring to bear on a problem. With the benefit of hindsight, we provide a backdrop for our discussion of computer science challenges in SAR, reflecting first on the unique character of the search for Tenacious, then on the basics of maritime SAR as practiced today.

Tenacious SAR. The search for Tenacious was in some ways unique and in others a typical volunteer SAR. The uniqueness had its roots in Gray's persona. In addition to being a singular scientist and engineer, he was distinctly social, cultivating friendships and collaborations across industries and sciences. The social network he built over decades brought enormous advantages to many aspects of the search, in ways that would be very difficult to replicate. First, the team that assembled to find Tenacious included leaders in such diverse areas as computing, astronomy, oceanography, and business management. Second, due to Gray's many contacts in the business and scientific worlds, funds and resources were essentially unlimited, including planes, pilots, satellite imagery, and control of well-provisioned computing resources. Finally, the story of famous-scientist-gone-missing attracted significant media interest, providing public awareness that attracted help with manual image analysis and information on sightings of debris and wreckage.

On the other hand, a number of general features the team would wrestle with seem relatively universal to volunteer SAR efforts. First, the search got off to a slow start, as volunteers emerged and organized to take concrete action. By the time all the expertise was in place, the odds of finding a survivor or even a boat were significantly diminished. Second, almost no one involved in the volunteer search had any SAR experience. Finally, at every stage of the search, the supposition was that it would last only a day or two more. As a result, there were disincentives to invest time in improving existing practices and tools and positive incentives for decentralized and lightweight development of custom-crafted tools and practices.

If there are lessons to be learned, they revolve around questions of both the uniqueness of the case and its universal properties. The first category motivated efforts to democratize techniques used to search for Tenacious, some of which didn't have to be as complex or expensive as they were in this instance. The second category motivated efforts to address common technological problems arising in any volunteer emergency-response situation.

Maritime SAR. Given our experience, maritime SAR is the focus of our discussion here. As it happens, maritime SAR in the U.S. is better understood and more professionally conducted than land-based SAR. Maritime SAR is the responsibility of a single federal agency: the Coast Guard, a branch of the U.S. Department of Homeland Security. By contrast, land-based SAR is managed in an ad hoc manner by local law-enforcement authorities. Our experience with the Coast Guard was altogether positive; not only were its members eminently good at their jobs, they were technically sophisticated and encouraging of our (often naïve) ideas, providing advice and coordination despite their own limited time and resources. In the U.S. at least, maritime settings are a good incubator
Some of the remote imagery sources considered during the search for Jim Gray.

RADARSAT-1: A commercial earth-observing satellite (EOS) from Canada, whose products are distributed by MDA Geospatial Services. NASA has access to RADARSAT-1 data in exchange for having provided a rocket to launch the satellite; http://en.wikipedia.org/wiki/RADARSAT-1
Ikonos: A commercial EOS operated by GeoEye (U.S.); http://en.wikipedia.org/wiki/IKONOS
QuickBird: A commercial EOS owned and operated by Digital Globe (U.S.), in use at the time by Google Earth and Microsoft Virtual Earth; http://en.wikipedia.org/wiki/QuickBird
ER-2: A high-altitude aircraft operated by NASA, similar to the U.S. Air Force U-2S reconnaissance platform; http://www.nasa.gov/centers/dryden/research/AirSci/ER-2/index.html
SPOT-5: A commercial EOS operated by SPOT Image (France); http://en.wikipedia.org/wiki/SPOT_(satellites)
Envisat: A commercial EOS launched by the European Space Agency. Data products are distributed by the SARCOM consortium, created and led by SPOT Image; http://en.wikipedia.org/wiki/Envisat
and, given the sense of urgency, it was often difficult to decide whether to bring them to the attention of busy people: the Coast Guard, the police, Gray's family, and technical experts in image analysis and oceanography. In some cases, tipsters got in contact repeatedly, and it became necessary to assemble conversations over several days to establish a particular tipster's credibility. This became burdensome as email volume grew.

Discussion. On reflection, the organization's evolution was one of the most interesting aspects of its development. Leadership roles emerged fairly organically, and subgroups formed with little discussion or contention over process or outcome. Some people had certain baseline competencies; for example, the aircraft coordinator was a recreational pilot, and the analysis coordinator had both management experience and contacts with image-processing experts in industry and government. In general, though, leadership developed by individuals stepping up to take responsibility and others stepping back to let them do their jobs, then jumping in to help as needed. The grace with which this happened was a bit surprising, given the kind of ambitious people who had surrounded Gray, and the fact that the organization evolved largely through email. The evolution of the team seems worthy of a case study in ad hoc organizational development during crisis.

It became clear that better software is needed to facilitate group communication and coordination during crises. By the end of the search for Tenacious—February 16, 2007—various standard communication methods were in use, including point-to-point email and telephony, broadcast via blogs and Web pages, and multicast via conference calls, wikis, and mailing lists. This mix of technologies was natural and expedient in the moment but meant communication and coordination were a challenge. It was difficult to work with the information being exchanged, represented in natural-language text and stored in multiple separate repositories. As a matter of expedience in the first week, the communications coordinator relied on mental models of basic information, like who knew what information and who was working on what tasks. Emphasizing mental note taking made sense in the short term but limited the coordinator's ability to share responsibility with others as the "crisis watch" extended from hours to days to weeks.

Various aspects of this problem are addressable through well-known information-management techniques. But in using current communication software and online services, it remains difficult to manage an evolving discussion that includes individuals, restricted groups, and public announcements, especially in a quickly changing "crisis mode" of operation. Identifying people and their relationships is challenging across multiple communication tools and recipient endpoints. Standard search and visualization metaphors—folders, tags, threads—are not well-matched to group coordination.

Brokering volunteers and tasks introduces further challenges, some discussed in more detail in the longer version of this article.3 In any software approach to addressing them, one constraint is critical: In an emergency, people do not reach for new software tools, so it is important to attack the challenges in a way that augments popular tools, rather than seeking to replace or recreate them.

Imagery Acquisition
When the volunteer search began, our hope was to use our special skills and resources to augment the Coast Guard with satellite imagery and private planes. However, as we learned, real-time search for boats at sea is not as simple as getting a satellite feed from a mapping service or borrowing a private jet.

Experience. The day after Tenacious went missing, Gray's friends and colleagues began trying to access satellite imagery and planes. One of the first connections was to colleagues in earth science with expertise in remote sensing. In an email message in the first few days concerning the difficulty of using satellite imagery to find Tenacious, one earth scientist said, "The problem is that the kind of sensors that can see a 40ft (12m) boat have a correspondingly narrow field of view, i.e., they can't see too far either side of straight down… So if they don't just happen to be overhead when you need them, you may have a long wait before they show up again. …[A]t this resolution, it's strictly target-of-opportunity."

Undeterred, the team pursued multiple avenues to acquire remote imagery through connections at NASA and other government agencies, as well as at various commercial satellite-imagery providers, while the satellite-data teams at both Google and Microsoft directed us to their commercial provider, Digital Globe. The table here outlines the data sources considered during the search.

As we discovered, distribution of satellite data is governed by national and international law. We attempted from the start to get data from the SPOT-5 satellite but were halted by the U.S. State Department, which invoked the International Charter on Space and Major Disasters to claim exclusive access to the data over the study area, retroactive to the day before our request. We also learned, when getting data from Digital Globe's QuickBird satellite, that full-resolution imagery is available only after a government-mandated 24-hour delay; before that time, Digital Globe could provide only reduced-resolution images.

The first data acquired from the QuickBird satellite was focused well south of San Francisco, near Catalina Island, and the odds of Tenacious being found in that region were short. On the other hand, it seemed important to begin experimenting with real data to see how effectively the team could process it, and this early learning proved critical to getting the various pieces of the image-processing pipeline in place and tested. As the search progressed, Digital Globe was able to acquire imagery solidly within the primary search area, and the image captures provided to the team were some of the biggest data products Digital Globe had ever generated: more than 87 gigapixels. Even so, the areas covered by the satellite captures were dwarfed by the airborne search conducted by the Coast Guard immediately after Gray went missing (see Figure 5 of the longer version of this article3).

We were able to establish contacts at NASA regarding planned flights of its ER-2 "flying laboratory" aircraft over the California coast. The ER-2 is typically booked on scientific missions and requires resources—fuel, airport time, staffing, wear-and-tear—to launch under any circumstances. As it happened, the ER-2 was scheduled for training flights in the area where Tenacious disappeared. Our contacts were able to arrange flight plans to pass over specific areas of interest and record various forms of digital imagery due to a combination of fortunate circumstance and a well-connected social network. Unfortunately, a camera failure early in the ER-2 flight limited data collection.

In addition to these relatively rare imaging resources, we chartered private planes to fly over the ocean, enabling volunteer spotters to look for Tenacious with their naked eyes and record digital imagery. This effort ended up being more limited than we expected. One cannot simply charter or borrow a private jet and fly it out over the ocean. Light planes are not designed or allowed to fly far offshore. Few people maintain planes equipped for deep-sea search, and flights over deep sea can be undertaken only by pilots with appropriate maritime survival training and certification. Finally, aircraft of any size require a flight plan to be filed and approved with a U.S. Flight Service Station in order to cross the U.S. Air Defense Identification Zone beginning a few miles offshore. As a result of these limitations and many days of bad weather, we were able to arrange only a small number of private overflights, with all but one close to shore.

Rough dataflow for image processing; red arrows represent images; others represent metadata.
[Figure: the image-processing dataflow. Stages include Staging (FTP server, headers, and images at the San Diego Supercomputer Center), Georeferencing onto a Common Operating Picture map (University of Texas), Image Preprocessing of Digital Globe data (batch preprocessing at Johns Hopkins), Image Review via a self-serve Web site (expert and novice review), Image Scoring, Ocean Drift Modeling (MBARI/NRL and NASA Ames drift teams), Target Qualification by naval experts, and Target Declaration of qualified coordinates.]

Another source of imagery considered was land-based video cameras that could perhaps have more accurately established a time of departure for Tenacious, beyond what we knew from Gray's mobile phone calls to family members on his way out. The Coast Guard operates a camera on the San Francisco Bay that is sometimes pointed out toward the Golden Gate and the ocean, but much of the imagery captured for that day was in a state of "white-out," rather than useful imagery, perhaps due to foggy weather.

Discussion. The search effort was predicated on quick access to satellite imagery and was surprisingly successful, with more than 87 gigapixels of satellite imagery acquired from Digital Globe alone within about four days of capture. Yet in retrospect we would have wanted much more data, with fewer delays. The longer version of this article3 reviews some of the limitations we encountered, as well as ideas for improving the ability to acquire imagery in life-threatening emergencies.
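The batch-preprocessing step in this pipeline, cutting each large collection into reviewer-sized pieces, can be illustrated with a small sketch. This is not the team's actual code: the function names are invented, and only the geometry (300×300-pixel sub-tiles, 256 sub-tiles per zip archive) is taken from the pipeline description later in this article.

```python
import io
import zipfile

def subtile_boxes(width, height, tile=300):
    """Yield (left, upper, right, lower) boxes covering a width-by-height image.

    Edge tiles are clipped to the image boundary rather than padded.
    """
    for top in range(0, height, tile):
        for left in range(0, width, tile):
            yield (left, top, min(left + tile, width), min(top + tile, height))

def batch_into_zips(names, batch_size=256):
    """Group sub-tile names into batches of batch_size, one zip archive each.

    Returns a list of (zip_name, payload_bytes) pairs; each payload is an
    in-memory zip whose members stand in for the sub-tile image files.
    """
    archives = []
    for i in range(0, len(names), batch_size):
        batch = names[i:i + batch_size]
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name in batch:
                zf.writestr(name + ".png", b"")  # placeholder for pixel data
        archives.append((f"batch_{i // batch_size:04d}.zip", buf.getvalue()))
    return archives

# A 4,800x3,600-pixel collection yields 16 x 12 = 192 sub-tiles, one zip batch.
boxes = list(subtile_boxes(4800, 3600))
names = [f"tile_{j:05d}" for j in range(len(boxes))]
```

Real collections were gigapixels in size, so the same tiling logic would produce thousands of sub-tiles and many zip batches per collection.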
Policy concerns naturally come up when discussing large volumes of remote imagery, and various members of the amateur team voiced concern about personal privacy during the process. Although popular media-sharing Web sites provide widespread access to crowdsourced and aggregated imagery, they have largely confined themselves to benign settings (such as tourism and ornithology), whereas maritime SAR applications (such as monitoring marinas and shipping lanes) seem closer to pure surveillance. The potential for infringing on privacy raises understandable concern, and the policy issues are not simple. Perhaps our main observation on this front was the need for a contextual treatment of policy, balancing general-case social concerns against specific circumstances for using the data, in our case, trying to rescue a friend. On the other hand, while the search for Tenacious and its lone sailor was uniquely urgent for us, similar life-and-death scenarios occur on a national scale with some frequency. So, we would encourage research into technical solutions that can aggressively harvest and process imagery while provably respecting policies that limit image release based on context.

From Imagery to Coordinates
Here, we discuss the processing pipeline(s) and coordination mechanisms used to reduce the raw image data to qualified search coordinates—the locations to which planes were dispatched for a closer look. This aspect of the search was largely data-driven, involving significant technical expertise and much more structured and tool-intensive processes than those described earlier. On the other hand, since time was short and the relevant expertise so specialized, it also led to simple interfaces between teams and their software. The resulting amalgam of software was not the result of a specific architecture, in the usual sense of the word (archi- "chief" + techton "builder"). A more apt term for the software and workflow described here might be a polytechture, the kind of system that emerges from the design efforts of many independent actors.

Overview. The figure here outlines the ultimate critical-path data and control flow that emerged, depicting the ad hoc pipeline developed for Digital Globe's satellite imagery. In the paragraphs that follow, we also discuss the Mechanical Turk pipeline developed early on and used to process NASA ER-2 overflight imagery but that was replaced by the ad hoc pipeline.

Before exploring the details, it would be instructive to work "upstream" through the pipeline, from final qualified targets back to initial imagery. The objective of the image-processing effort was to identify one or more sets of qualified search coordinates to which aircraft could be dispatched (lower right of the figure). To do so, it was not sufficient to simply identify the coordinates of qualified targets on the imagery; rather, we had to apply a mapping function to the coordinates to compensate for drift of the target from the time of image capture to flight time. This mapping function was provided by two independent "drift teams" of volunteer oceanographers, one based at the Monterey Bay Aquarium Research Institute and Naval Research Lab, another at NASA Ames ("Ocean Drift Modeling" in the figure).

The careful qualification of target coordinates was particularly important. It was quickly realized that many of the potential search coordinates would be far out at sea and, as mentioned earlier, require specialized aircraft and crews. Furthermore, flying low-altitude search patterns offshore in single-engine aircraft implied a degree of risk to the search team. Thus, it was incumbent on the analysis team to weigh this risk before declaring a target to be qualified. A key step in the process was a review of targets by naval experts prior to their final qualification ("Target Qualification" in the figure).

Prior to target qualification, an enormous set of images had to be reviewed and winnowed down to a small set of candidates that appeared to contain boats. To our surprise and disappointment, there were no computer-vision algorithms at hand well suited to this task, so it was done manually. At first, image-analysis tasking was managed using Amazon's Mechanical Turk infrastructure to coordinate volunteers from around the world. Subsequently, a distributed team of volunteers with expertise in image analysis used a collection of ad hoc tools to coordinate and perform the review function ("Image Review" in the figure).

Shifting to the start of the pipeline, each image data set required a degree of preprocessing prior to human analysis of the imagery, a step performed by members of Johns Hopkins's Department of Physics and Astronomy in collaboration with experts at CalTech and the University of Hawaii. At the same time, a separate team at the University of Texas's Center for Space Research georeferenced the image-file headers onto a map included in a Web interface for tracking the progress of image analysis ("Image Preprocessing," "Common Operating Picture," and "Staging" in the figure).

The eventual workflow was a distributed, multiparty process. Its components were designed and built individually, "bottom-up," by independent volunteer teams at various institutions. The teams also had to quickly craft interfaces to stitch together the end-to-end workflow with minimal friction. An interesting and diverse set of design styles emerged, depending on a variety of factors. In the following sections, we cover these components in greater detail, this time from start to finish:

Preprocessing. Once the image providers had data and the clearance to send it, they typically sent notification of availability via email to the image-analysis coordinator, together with an ftp address and the header file describing the collected imagery ("the collection"). Upon notification, the preprocessing team at Johns Hopkins began copying the data to its cluster. Meanwhile, the common storage repository at the San Diego Supercomputer Center began ftp-ing the data to ensure its availability, with a copy of the header passed to a separate geo-coordination team at the University of Texas that mapped the location covered by the collection, adding it to a Web site. That site provided the overall shared picture of imagery collected and analyses completed and was used by many groups within the search team to track progress and solicit further collections.

Analysis tasking and result processing. Two approaches to the parallel processing of the tiled images were used during the course of the search.
In each, image tiles (or smaller sub-tiles) had to be farmed out to human analysts and the results of their analysis collated and further filtered to avoid a deluge of false positives.

The initial approach was to use Amazon's Mechanical Turk service to solicit and task a large pool of anonymous reviewers whose credentials and expertise were not known to us. Mechanical Turk is a "crowdsourcing marketplace" for coordinating the efforts of humans performing simple tasks from their own computers. Given that the connectivity and display quality available to them was unknown, the Mechanical Turk was configured to supply users with work items called Human Intelligence Tasks (HITs), each consisting of a few 300×300-pixel image sub-tiles. Using a template image we provided of what we were looking for, the volunteers were asked to score each sub-tile for evidence of similar features and provide comments on artifacts of interest. This was an exceedingly slow process due to the number of HITs required to process a collection.

In addition to handling the partitioning of the imagery across volunteers, Mechanical Turk bookkeeping was used to ensure that each sub-tile was redundantly viewed by multiple volunteers prior to declaring the pipeline "complete." Upon completion, and at checkpoints along the way, the system also generated reports aggregating the results received concerning each sub-tile.

False positives were a significant concern, even in the early stages of processing. So a virtual team of volunteers who identified themselves as having some familiarity with image analysis (typically astronomical or medical imagery rather than satellite imagery) was assembled to perform this filtering. In order to distribute the high-scoring sub-tiles among them, the image-analysis team configured an iterative application of Mechanical Turk accessible only to the sub-team, with the high-scoring sub-tiles from the first pipeline fed into it. The coordinator then used the reports generated by this second pipeline to drive the target-qualification process. This design pattern of an "expertise hierarchy" seems likely to have application in other crowdsourcing settings.

A significant cluster of our image reviewers were co-located at the Johns Hopkins astronomy research center. These volunteers, with ample expertise, bandwidth, high-quality displays, and a sense of personal urgency, realized they could process the imagery much faster than novices scheduled by Mechanical Turk. This led to two modifications in the granularity of tasking: larger sub-tiles and a Web-based visual interface to coordinate downloading them to client-specific tools. They were accustomed to looking for anomalies in astronomical imagery and were typically able to rapidly display, scan, and discard sub-tiles that were three-to-four times larger than those presented to amateurs. This ability yielded an individual processing rate of approximately one (larger) sub-tile every four seconds, including tiles requiring detailed examination and entry of commentary, as compared to the 20–30-second turnaround for each Mechanical Turk HIT. The overall improvement in productivity over Mechanical Turk was considerably better than these numbers indicate, because the analysts' experience reduced the overhead of redundant analysis, and their physical proximity facilitated communication and cross-training.

A further improvement was that the 256 sub-tiles within each full-size tile were packaged into a single zip file. Volunteers could then use their favorite image-browsing tools to page from one sub-tile to the next with a single mouse click. To automate tasking and results collection, this team used scripting tools to create a Web-based visual interface through which it (and similarly equipped volunteers worldwide) could visually identify individual tiles requiring work, download them, and then submit their reports. In this interface, tiles were superimposed on a low-resolution graphic of the collection that was, in turn, geo-referenced and superimposed on a map. This allowed the volunteers to prioritize their time by working on the most promising tiles first (such as those not heavily obscured by cloud cover).

The self-tasking capability afforded by the visual interface also supported collaboration and coordination among the co-located expert analysts who worked in "shifts" and had sub-team leaders who would gather and score the most promising targets. Though scoring of extremely promising targets was performed immediately, the periodic and collective reviews that took place at the end of each shift promoted discussion among the analysts, allowing them to learn from one another and adjust their individual standards of reporting.

In summary, we started with a system centered on crowdsourced amateur analysts and converged on a solution in which individuals with some expertise, though not in this domain, were able to operate at a very quick pace, greatly outperforming the crowdsourced alternative. This operating point, in and of itself, was an interesting result.

Target qualification. The analysis coordinator examined reports from the analysis pipelines to identify targets for submission to the qualification step. With Mechanical Turk, this involved a few hours sifting through the output of the second Mechanical Turk stage. Once the expert pipeline was in place, the coordinator needed to examine only a few filtered and scored targets per shift.

Promising targets were then submitted to a panel of two reviewers, each with expertise in identifying engineered artifacts in marine imagery. The analysis coordinator isolated these reviewers from one another, in part to avoid cross-contamination, but also from having to individually carry the weight of a potentially risky decision to initiate a search mission while avoiding overly biasing them in a negative direction. Having discussed their findings with each reviewer, the coordinator would then make the final decision to designate a target as qualified and thus worthy of search. Given the dangers of deep-sea flights, this review step included an intentional bias by imposing less rigorous constraints on targets that had likely drifted close to shore than on those farther out at sea.

Drift modeling. Relatively early in the analysis process, a volunteer with marine expertise recognized that, should a target be qualified, it would be necessary to estimate its movement since the time of image capture. A drift-modeling team was formed, ultimately consisting of two sub-teams of oceanographers with access to two alternative drift models. As image processing proceeded, these sub-teams worked in the background to parameterize their models with weather and ocean-surface data during the course of the search. Thus, once targets were identified, the sub-teams could quickly estimate likely drift patterns. The drift models utilized a particle-filtering approach of virtual buoys that could be released at an arbitrary time and location, and for which the model would then produce a projected track and likely endpoint at a specified end time. In practice, one must release a string of adjacent virtual buoys to account for the uncertainty in the ini-

and the resulting analysis, including maps of likely drift patterns, were posted back to the coordinator via the drift team's Web site. Geolocations in latitude/longitude are difficult to transcribe accurately over the phone, so using the site helped ensure correct inputs to the modeling process.

Analysis results. The goal of the analysis team was to identify qualified search coordinates. During the search, it identified numerous targets, but only two were qualified: One was in ER-2 flyover imagery near Monterey, originally flagged by Mechanical Turk volunteers; the other was in Digital Globe imagery near the Farallon Islands, identified by a member of the more experienced image-processing team.3 Though the low number might suggest our filtering of targets was
tial location and the models’ sensitiv- overly aggressive, we have no reason to
ity to local effects that can have fairly believe potential targets were missed.
large influence on buoy dispersion. Our conclusion is simply that the
The availability of two independent ocean surface is not only very large but
models, with multiple virtual buoys also very empty.
per model, greatly increased our con- Once qualified, these two targets
fidence in the prediction of regions to were then drift-modeled to identify
search. coordinates for search boxes. For the
Worth noting is that, although first target, the drift models indicated
these drift models were developed it should have washed ashore in Mon-
by leading scientists in the field, the terey Bay. Because this was a region
results often involved significant un- close to shore, it was relatively easy to
certainty. This was particularly true send a private plane to the region, and
in the early part of the search, when we did. The second target was initially
drift modeling was used to provide a not far from the Farallon Islands, with
“search box” for Gray’s boat and had both models predicting it would have
to account for many scenarios, includ- drifted into a reasonably bounded
ing whether the boat was under sail or search box within a modest distance
with engines running. These scenarios from the initial location. Given our
reflected very large uncertainty and led knowledge of Gray’s intended course
to large search boxes. By the time the for the day, this was a very promising
image processing and weather allowed target, so we arranged a private off-
for target qualification, the plausible shore SAR flight. Though we did not
scenario was reduced to a boat adrift find Tenacious, we did observe a few
from a relatively recent starting point. fishing vessels of Tenacious’s approxi-
Our colleagues in oceanography and mate size in the area. It is possible
the Coast Guard said the problem of that the target we identified was one
ocean-drift modeling merits more re- of these vessels. Though the goal of
search and funding; it would also seem the search was not met, this particular
to be a good area for collaboration with identification provided some valida-
computer science. tion of the targeting process.
The drift-modeling team developed Discussion. The image-process-
its own wiki-based workflow interface. ing effort was the most structured
The analysis coordinator was given and technical aspect of the volunteer
a Web site where he could enter a re- search. In trying to cull its lessons,
quest to release virtual “drifters” near we highlight three rough topics: poly-
a particular geolocation at a particu- techtural design style, networked
lar time. Requests were processed by approaches to search, and civilian
the two trajectory-modeling teams, computer-vision research targeted at
methodology in which the relevant components of the search process are decoupled in a manner akin to our volunteer search, but more patiently architected, evolved, and integrated. For example, Coast Guard imagery experts need not be available to board search planes nationwide; instead, a remote image-analysis team could examine streaming (and archived) footage from multiple planes in different locales. Weather hazards and other issues suggest removing people from planes entirely; imagery could be acquired via satellites and unmanned aerial vehicles, which are constantly improving. Furthermore, a component-based approach takes advantage of the independent evolution of technologies and the ability to quickly train domain experts on each component. Image-analysis tools can improve separately from imaging equipment, which can evolve separately from devices flying the equipment. The networking of components and expertise is becoming relatively common in military settings and public-sector medical imaging. It would be useful to explore these ideas further for civilian settings like SAR, especially in light of their potential application to adjacent topics like disaster response.

Automated image analysis. The volunteer search team included experts in image processing in astronomy, as well as in computer vision. The consensus early on was that off-the-shelf image-recognition software wouldn't be accurate enough for the urgent task of identifying boats in satellite imagery of open ocean. During the course of the search a number of machine-vision experts examined the available data sets, concluding they were not of sufficient quality for automated processing, though it may have been because we lacked access to the "raw bits" obtained by satellite-based sensors. Though some experts attempted a simple form of automated screening by looking for clusters of adjacent pixels that stood out from the background, even these efforts were relatively unsuccessful.

It would be good to know if the problem of finding small boats in satellite imagery of the ocean is inherently difficult or simply requires more focused attention from computer-vision researchers. The problem of using remote imagery for SAR operations is a topic for which computer vision would seem to have a lot to offer, especially at sea, where obstructions are few.

Reflection
Having described the amateur SAR processes cobbled together to find Tenacious, we return to some of the issues we outlined initially when we met in Berkeley in 2008.

On the computational front, there are encouraging signs that SAR can be "democratized" to the point where a similar search could be conducted without extraordinary access to expertise and resources. The price of computer hardware has continued to shrink, and cloud services are commoditizing access to large computational clusters; it is now affordable to get quick access to enormous computing resources without social connections or up-front costs. In contrast, custom software pipelines for tasks like image processing, drift modeling, and command-and-control coordination are not widely available. This software vacuum is not an inherent problem but is an area where small teams of open-source developers and software researchers could have significant impact. The key barrier to SAR democratization may be access to data. Not clear is whether data providers (such as those in satellite imagery and in plane leasing) would be able to support large-scale, near-real-time feeds of public-safety-related imagery. Also not clear, from a policy perspective, is whether such a service is an agreed-upon social good. This topic deserves more public discussion and technical investigation. Sometimes the best way to democratize access to resources is to build disruptive low-fidelity prototypes; perhaps then this discussion can be accelerated through low-fidelity open-source prototypes that make the best of publicly available data (such as by aggregating multiple volunteer Webcams3).

The volunteer search team's experience reinforces the need for technical advances in social computing. In the end, the team exploited technology for many uses, not just the high-profile task of locating Tenacious in images from space. Modern networked technologies enabled a group of acquaintances and strangers to quickly self-organize, coordinate, build complex working systems, and attack problems in a data-driven manner. Still, the process of coordinating diverse volunteer skills in an emerging crisis was quite difficult, and there is significant room for improvement over standard email and blogging tools. A major challenge is to deliver solutions that exploit the software that people already use in their daily lives.

The efforts documented here are not the whole story of the search for Tenacious and its skipper; in addition to incredible work by the Coast Guard, there were other, quieter efforts among Gray's colleagues and family outside the public eye. Though we were frustrated in achieving our primary goal, the work done in the volunteer effort was remarkable in many ways, and the tools and systems developed so quickly by an amateur team worked well in many cases. This was due in part to the incredible show of heart and hard work from the volunteers, for which many people will always be grateful. It is also due to the quickly maturing convergence of people, communication, computation, and sensing on the Internet. Jim Gray was a shrewd observer of technology trends, along with what they suggest about the next important steps in research. We hope the search for Tenacious sheds some light on those directions as well.

References
1. Goldstein, J. and Rotich, J. Digitally Networked Technology in Kenya's 2007–2008 Post-Election Crisis. Technical Report 2008–2009. Berkman Center for Internet and Society at Harvard University, Cambridge, MA, Sept. 2008.
2. Heinzelman, J. and Waters, C. Crowdsourcing Crisis Information in Disaster-Affected Haiti. Technical Report, Special Report 252. United States Institute of Peace, Washington, D.C., Oct. 2010.
3. Hellerstein, J.M. and Tennenhouse, D.L. Searching for Jim Gray: A Technical Overview. Technical Report UCB/EECS-2010-142. EECS Department, University of California, Berkeley, Dec. 2010.
4. Saade, E. Search survey for S/V Tenacious: Gulf of Farallones and approaches to San Francisco Bay. ACM SIGMOD Record 37, 2 (June 2008), 70–77.
5. U.S. Coast Guard. Search and Rescue Optimal Planning System (SAROPS) 2009; http://www.uscg.mil/acquisition/international/sarops.asp

Joseph M. Hellerstein (hellerstein@berkeley.edu) is a professor in the EECS Computer Science Division of the University of California, Berkeley.

David L. Tennenhouse (dtennenhouse@nvpllc.com) is a partner in New Venture Partners, a venture-capital firm with offices in California, New Jersey, and the U.K., and former head of research at Intel.

© 2011 ACM 0001-0782/11/07 $10.00
Cellular Telephony and the Question of Privacy

The evil incident to invasion of the privacy of the telephone is far greater than that involved in tampering with the mails. Whenever a telephone line is tapped, the privacy of the persons at both ends of the line is invaded, and all conversations between them upon any subject, and although proper, confidential, and privileged, may be overheard. Moreover, the tapping of one man's telephone line involves the tapping of the telephone of every other person whom he may call, or who may call him. As a means of espionage, writs of assistance and general warrants are but puny instruments of tyranny and oppression when compared with wiretapping.
Justice Louis Brandeis, Dissenting Opinion
Olmstead v. United States, 277 U.S. 438 (1928)

key insights
˲˲ The consolidation of all major forms of modern electronic communication onto the cellular platform and the ubiquity and power of the cellular platform have led to major changes in personal and social dynamics, political action, and economics. It is thus vitally important to recognize that cellular telephony is a surveillance technology.
˲˲ Professionals interested in the design and deployment of cellular technology will receive an overview of the current legal status of cellular databases, as well as the impact of the use of this data on the individual and society.
˲˲ A "private overlay" will allow cellular subscribers to enjoy the same user experience without providing private information.

services has led cellular technology to play an increasingly important role in economic and social networks, from forming the basis for new markets to facilitating political action across the globe. It is thus critical to recognize that cellular telephony is a surveillance technology that generates a vast store of personal information, information that has become a focus for law enforcement and marketing. The subsequent use of the collected data, both overt and covert, affects the use of cellular technology, as well as the individuals who use it and the society in which it has become ubiquitous.

In this article, I review how the courts have attempted to balance the needs of law enforcement and marketers against the privacy rights of individuals. The social science literature on the impact of surveillance on the individual and on society is surveyed and then applied to the specific case of cellular telephony. I conclude with a closer look at the mechanics of cellular data collection and a demonstration
The Fourth Amendment protects against "unreasonable searches and seizures," and states that no warrant shall issue "but upon probable cause." The amendment's language says nothing, however, about telephones or electronic communication. The means

evidence was secured by the use of the sense of hearing and that only. There was no entry of the houses or offices of the defendants.
Chief Justice William Howard Taft
Olmstead v. United States, 277 U.S. 438 (1928)

Likening this type of warrant to the general warrants used by the British in the American colonies, the Court overturned the New York statute. In doing so, the Court held that conversations were indeed protected by the Fourth Amendment, and that the interception

varying levels of protection for various types of electronic communication:
˲˲ Title I: Electronic Communications in Transit;
˲˲ Title II: Stored Electronic Communication; and
˲˲ Title III: Pen Register/Trap and Trace Devices.

b A trap and trace device is similar to a pen register, but instead of capturing numbers dialed from a given number, it captures the numbers of parties that dial to a given number.
c See In re Applications, 509 F. Supp. 2d 76 (D. Mass. 2007); In re Application, 2007 WL 3036849 (S.D. Tex. Oct. 17, 2007).
the Disclosure of Prospective Cell Site Info., 2006 WL 2871743 (E.D. Wis. Oct. 6, 2006); In re Application of the United States of America, 441 F. Supp. 2d 816 (S.D. Tex. 2006); In re Application for an Order Authorizing the Installation and Use of a Pen Register and Directing the Disclosure of Telecomm. Records, 439 F. Supp. 2d 456 (D. Md. 2006).
Judge Orenstein foundh that a cellphone was in fact a tracking device, and that a showing of probable cause was necessary to obtain prospective cell site data. On Sept. 7, 2010 the United States Court of Appeals for the Third Circuit upheld a lower court's opinion that a cellular telephone was in fact a tracking device, and further ruled that it is within a magistrate judge's discretion to require a showing of probable cause before granting a request for historical cell site data.i

CALEA and the USA PATRIOT Act. Clearly the information made available by the cellular architecture has motivated law enforcement to pursue it. And having gotten used to this massive source of personal information, law enforcement would like to keep the data conduits open. The development and commercialization of new telephone technologies in the 1980s and 1990s caused concern that less surveillance-friendly architectures were becoming the norm. This prompted law enforcement to ask Congress for legislation that would require service providers to provide a common means for surveillance regardless of the technology in use. The Director of the FBI made the point quite clearly in testimony before Congress:

The purpose of this legislation, quite simply, is to maintain technological capabilities commensurate with existing statutory authority; that is, to prevent advanced telecommunications technology from repealing, de facto, statutory authority now existing and conferred to us by the Congress.
Former FBI Director Louis Freeh18

The result of this effort—the Communications Assistance for Law Enforcement Act (CALEA4)—was passed on the last night of the 1994 congressional session. CALEA requires that service providers "facilitat[e] authorized communications interceptions and access to call-identifying information unobtrusively and with a minimum of interference with any subscriber's telecommunications service."j

Perhaps the most significant impact of CALEA on cellular systems will be through its amended provisions affecting voice-over-IP (VoIP). Under CALEA, VoIP service providers cannot release IP calls to travel freely between subscriber terminal adapters; instead, the service provider must anchor most calls, creating a fixed point that must be traversed by call packets in both directions.k Upon the presentation of an appropriate warrant, a duplicate call stream is generated at this fixed point and passed to a law enforcement agency. Such restrictions will almost certainly apply to 4G cellular platforms, which will implement all-IP solutions for voice and data.l

Several of the provisions of the USA PATRIOT Actm also have current and future implications for cellular systems. The PATRIOT Act amended much of the legislation discussed earlier;n the following provides a brief summary of a few key elements.
˲˲ Section 204 amended Title II of the ECPA so that stored voicemail can be obtained by the government through a search warrant rather than through the more stringent process of obtaining a wiretap order.o
˲˲ Section 216 expanded the pen register and trap and trace provisions of the ECPA to explicitly cover the context of Internet traffic. The URLs visited from a cellular platform, for example, thus receive the low level of protection provided by Title III of the ECPA.
˲˲ Section 217 permits government interception of the "communications of a computer trespasser" if the owner or operator of a "protected computer" authorizes the interception.

The last of the provisions, commonly referred to as the "computer trespasser" provision, has caused concern as it appears to allow interception of all traffic through intermediate routers and switches if the owners of the equipment authorize the interception. This could, for example, include all traffic through a gateway GPRS support node—the interface between 3G cellular networks and the Internet. Given that the service providers have been granted immunity from lawsuits filed in response to their cooperation with intelligence agencies,27 this provision was particularly troubling to some privacy advocates.p

It should be noted that some researchers have argued that the PATRIOT Act has simply clarified existing policy. Orin Kerr, for example, has provided a detailed argument that "none of the changes altered the basic statutory structure of the Electronic Communications Privacy Act of 1986."26

The Right to Market. Thus far, I have focused on the laws and regulations that limit law enforcement's access to the data collected by cellular service providers. But what of the service providers themselves? A quick tour through some recent case law is interesting in that it shows how the carriers view their right to use this information, and the commercial value that they place on it. In what follows there will be two basic questions: Are the carriers limited in how they may use the data for their own marketing? Are they limited in their ability to sell the data to third parties?

On January 3, 1996 Congress passed the Telecommunications Act of 1996, the first major restructuring of telecom law since 1934. Section 222 of the Act states that "[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating

h 384 F. Supp. 2d 562 (E.D.N.Y. 2005)
i See The Matter Of The Application Of The United States Of America For An Order Directing A Provider Of Electronic Communication Service To Disclose Records To The Government, 3d. Cir., 08-4227.
j 47 U.S.C. Section 1002(a)
k The fixed point often takes the form of a Session Border Controller (SBC). See, for example, The Benefits of Router-Integrated Session Border Control, White paper, Juniper Networks, http://www.juniper.net/us/en/local/pdf/whitepapers/2000311-en.pdf and http://tools.ietf.org/html/draft-ietf-sipping-sbc-funcs-00.
l For a discussion of potential vulnerabilities of CALEA monitoring systems, see Pfitzmann et al.35 and Sherr et al.41
m Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, signed into law Oct. 26, 2001.
n A detailed discussion can be found at http://epic.org/privacy/terrorism/usapatriot/#history. Many of the provisions discussed here had associated sunset clauses, but as recently as Mar. 1, 2010, Congress has continued to provide extensions to these clauses.
o For a comparison of the two procedures, see, for example, Susan Friewald:19 "Because of the particular dangers of abusing electronic surveillance, the Court required that agents who wanted to conduct it had to surmount several procedural hurdles significantly more demanding than the probable cause warrant needed to search a home."
p See, for example, http://epic.org/privacy/terrorism/usapatriot/.
the FCC's rules, asserting that they were "proportionate to the interests sought to be advanced."

Which brings us up to date: an opt-out rule governs the carriers' use of CPNI in their own marketing, while an opt-in rule covers the transfer of this data to third parties for their own marketing purposes.

Concluding thoughts on the law. In summary, the surveillance architecture adopted for cellular networks generates a pool of data that feeds into law enforcement's and marketers' desire for personal information. The result has been a long-running legal battle in which the privacy rights of individuals are continuously traded off against legal and economic imperatives.

The Impact of Cellular Surveillance
The social science literature on surveillance and privacy covers a great deal of ground, so I will begin with a few basic assumptions that will narrow the field a bit. We first assume that the primary impact of surveillance is a reduction in privacy. The next step—a definition for privacy—has proven in the past to be a notoriously difficult problem. Attempts at definitions are usually followed by a flurry of articles pointing out why the definition doesn't work in one or more contexts.r An all-encompassing definition is not necessary for our purposes, however, as we are focusing on the impact of surveillance on the use of the cellular platform. We need only note that a common element of most privacy theories is the metaphor of a zone of seclusion, a zone in which the agent can control access to various types of personal information.33 The value of such a zone lies in part in the agent's perception of solitude and safety. The agent feels free to exercise various thoughts and behaviors without threat of censure, and is thus able to develop a sense of self-realization. Self-realization is a core personal and social value—it has been cited as the basis for valuing free speech,37 thus enmeshing privacy in a web of values that animate democratic systems of government. Privacy is thus connected to personal as well as societal development and well-being.

An overlapping yet distinct issue related to the cellular platform is the potential for manipulation through the use of personal information. As we will see, the availability of personal information increases the efficacy of advertising and other attempts to drive the agent to particular thoughts or actions. The agent's autonomy is thus at risk, implicating another of the values important to democratic government.6,11

From the standpoint of the cellular platform, then, there are two issues to be addressed: the relatively passive infringement on the zone of seclusion through eavesdropping and data collection, and the more active infringement through manipulation based on collected data. The passive infringers generally consist of service providers and law enforcement agencies, while the more active take the form of marketers, a group including service providers as well as third parties that have purchased the collected data.

Passive surveillance. Passive privacy infringement has its impact through the cellular user community's awareness of the potential for surveillance. The omnipresent potential for surveillance affects several aspects of the use of the cellular platform, including social networking, family interaction, and political expression. We will consider the latter as an exemplary case, but it should be borne in mind that this is but one dimension of a multidimensional problem.

The cellular platform has become increasingly important as a means for conveying political speech and organizing political behavior. The copiers and FAX machines that enabled the movements that brought down the Soviet empires have been replaced by the cellphone and its immediately available, highly portable texting and video capabilities. Some of the more salient examples of the political use of the cellular platform have involved the coordination of mass action against political corruption, such as the 2001 protest against Philippine President Joseph Estrada and the Ukrainian "Orange Revolution" of 2004.

A Kenyan example typifies both the use of the platform as a political tool and the potential consequences of surveillance. In January 2008, it was reported that incumbent presidential candidate Mwai Kibaki had rigged the Kenyan presidential election. A texting campaign to promote demonstrations began almost immediately, with the discourse quickly devolving into racial hatred.21 Instead of shutting down the SMS system, the Kenyan authorities sent messages of peace and calm to the nine million Safaricom subscribers. After the violence subsided, cellular service providers gave the Kenyan government a list of some 1,700 individuals who had allegedly used texting to promote mob violence.36 The Kenyan Parliament is debating a law that places limits on the contents of text messages.

Cellular networks have thus become a key platform for political speech. The impact of surveillance on such use can be developed through analogy to Jeremy Bentham's Panopticon.2 The Panopticon was a proposed prison in which the cells were arranged radially about a central tower. The cells were backlit so that a guard in the tower could always see the prisoners, but the prisoners could never see the guards. Bentham characterized the Panopticon as providing a "new mode of obtaining power of mind over mind, in a quantity hitherto without example."

The analogy is obvious—we know that wiretapping or location data collection through use of the cellular platform is possible, we just do not know whether or when it is happening. It follows that in dynamic political situations, many users will be aware of the potential for surveillance, and will thus put self-imposed limitations on their use of cellular technology. Cellular networks are thus a distributed form of Panopticon.45

The self-imposition of discipline is a key element in this analysis. In Discipline and Punish, Michel Foucault characterized the impact of the Panopticon's pervasive and undetectable surveillance as assuring "the automatic functioning of power."17 Foucault argued that this led to an internalization of discipline that resulted in "docile bodies," bodies that were ideal for the regimented classrooms, factories, and military of the modern state. Docility can take many forms: Dawn Schrader, for example, has noted the impact of surveillance/observation on knowledge acquisition patterns; the individual under surveillance is intellectually docile, less likely to experiment or to engage in what she calls "epistemic stretch."39 Surveillance can literally make us dumber over time. The impact of the perception of surveillance on cellular users is thus to limit experimentation by the users, who subsequently channel speech into "safe" and innocuous pathways. It follows that given the growing importance of the cellular platform as a means for political speech, the surveillance capabilities inherent in the design of cellular networks are a problem with deep political ramifications.

Active surveillance creates another, overlapping, set of problems for the individual and society. The first lies in the use of the data to sort individuals into categories that may limit their options in various ways. In the second, the information flows themselves are manipulative. We begin with the problem of sorting, and then move on to the latter form of manipulation.

In The Panoptic Sort, Oscar Gandy investigated the means by which panoptic data is used to classify and sort individuals.20 Law enforcement, for example, uses data to "profile" and thereby sort people into those who are suspicious and those who appear relatively harmless. Credit agencies use personal data to perform a finer sort, allocating individuals into varying levels of credit worthiness. Direct marketers use a similar approach to determine who is most likely to buy a given range of products. Gandy notes that the latter creates an insidious form of discrimination, as individuals are relegated to different infor-

other services.

There is an extensive literature on how individual information flows can be manipulative. For example, in his "Postscript on the Societies of Control," Gilles Deleuze introduces the concept of "modulation" as an adaptive control mechanism in which an information stream from the individual is used to fine-tune the information provided to the individual, driving the individual to the desired state of behavior or belief.9

The general idea here is that information about an individual is used to frame a decision problem in such a manner that the individual is guided to make the choice desired by the framer. This has become an important concept

evant information has been presented.

Framing plays an important role in advertising. In Decoding Advertisements,48 Williamson uses the psychoanalytic methodologies of Lacan and Althusser to describe how targeted advertisements invite the individual into a conceptual framework, creating a sense of identity in which the individual will naturally buy the proffered product or service. Personal information is used in this process to fine-tune the frame, enhancing the sense in which the advertisement "names" the individual reader or viewer and thus draws the consumer in and drives him or her to the desired behavior.

The ability of the marketer to fine-tune efforts is greatly enhanced when the customer's response to advertising can be directly observed, as is the case with the cellular platform. This is made possible through real-time interactive technologies that are embedded in cellphones, such as Web browsers with Internet connectivity. A simple example (an example to which the author is highly susceptible) involves an email message describing a newly released book that is available at a notable Web retailer. The advertiser will know when the email went out, when the link was followed to the Web site, and whether or not a purchase was made. Cell-based social networking applications such as Foursquare and Loopt take the process a step further by using subscriber location information as the basis for delivering location-based advertising. For example, a user may be informed that she is close to a restaurant that happens to serve her favorite food. She may even be offered a discount, further adding to the attraction. The efficacy of the advertising can then be measured by determining whether the user actually enters the restaurant.28

The problematic nature of such examples is not always clear, as some

r A sense of the back and forth can be obtained by starting at the beginning of Schoeman's excellent anthology38 and reading straight through.
s See, for example, Endre Dányi's Xerox Project: Photocopy Machines as a Metaphor for an 'Open Society.' The Information Society 22, 2 (Apr. 2006), 111–115.
mation streams based on the likelihood in economics and game theory; Tver- would argue that they are pleased to
they will buy a given item or service, and sky and Kahneman, for example, have receive the advertisements and to be
individual perspectives and life oppor- shown that the rational actor’s percep- informed, for example, of the availabil-
tunities are correspondingly limited. tion of a decision problem is substan- ity of their favorite food. So what is the
Illustratio n by a lex william so n
In the cellular context, such sort- tially dependent on the how the prob- problem? Primarily, it lies in transpar-
ing is performed by both the service lem is presented—what Tversky and ency—the user may not understand the
providers and third-party marketers. Kahneman refer to as the “framing” of nature of location data collection, or the
As we have seen, exemplars from both the problem.46 Framing is so important process that led to one restaurant or ser-
groups have fought against FCC re- to decision making that individuals vice being proffered instead of another.
strictions on the use of CPNI for selec- have been shown to come to differing There has been a pre-selection process
tive marketing of communication and conclusions depending on how the rel- that has taken place outside of the cellu-
lar user’s field of vision and cognizance. In order to perform this routing and
The opportunity to explore and learn paging process, the network must keep
on one’s own has been correspondingly track of the location of the cellular tele-
limited and channeled, affecting both phone. This is done through the regis-
self-realization and autonomy.11 The
“tightness” of this Deleuzean feedback It remains possible, tration process. All cellular telephones
that are powered on periodically trans-
loop—its bandwidth and precision—is however, to mit registration messages that are re-
secure cellular
particularly troubling. ceived by one or more nearby cell tow-
ers and then processed by the network.
Cellular Architecture,
Cellular Databases
networks against The resulting location information
thus acquired is stored with varying lev-
What it is about the cellular network surveillance. els of granularity in several databases.
that makes it so surveillance friendly, The databases of interest to us here
and a potential threat to the individual are the Home Location Register (HLR)
user and to society? The answer lies and the Visitor Location Register (VLR).
in a series of design choices, choices The HLR is a centralized database that
made in an attempt to solve the prob- contains a variety of subscriber infor-
lem of establishing and maintaining mation, including a relatively coarse
contact with a mobile user. The details estimate of the subscriber’s current lo-
have filled many books (see, for exam- cation. HLRs are generally quite large;
ple, Etemad,13 Holma and Toskala,22 there need be only one per cellular net-
Kaarenenetal et al.,24 and Mouly and work. VLRs, generally associated with
Pautet.30), but we need only trace the local switches, contain local registra-
path of a call that is incoming to a cel- tion data, including the identity of the
lular user to see how personal data is be- cell site through which registration
ing collected and put to use. messages are received. There is typical-
The coverage area of a cellular net- ly one VLR per mobile switching center
work is partitioned into relatively small (MSC) or equivalent.
areas called cells, with each cell receiv- The VLR stores the identification
ing a subset of the radio resources of number for the cell site through which
the overall network. Two cells may be the registration message was received.
assigned identical spectral resources— The identity of the MSC associated with
a process called frequency reuse—if the VLR is forwarded to the Home Loca-
the cells are far enough apart to prevent tion Register (HLR) that maintains the
their radio transmissions from interfer- records for the registering platform.
ing with each other. A cell tower sits at We can now track the progress of
the center of each cell, establishing con- an incoming call in more detail. Calls
nections between mobile users and the from outside the cellular network will
wired cellular infrastructure. Location generally enter the network through a
areas are defined to consist of one or a gateway MSC. The gateway MSC will use
small number of cells. As we will see, the the called number to identify and query
location area is the finest level of granu- the appropriate HLR to determine how
larity used by the network in trying to to route the call. The call is then for-
complete a call to a cellular platform. warded to the MSC associated with the
We now consider an incoming call. last registration message, which in turn
To complete an incoming call to a cellu- queries the VLR to determine in which
lar phone, the network routes the call to location area to attempt to contact the
a mobile switching center (MSCt) that subscriber. The base station controller
is near the phone. Through a process associated with the location area then
called paging, the MSC then causes the causes a paging message to be sent to
called cellular phone to ring. When the the called cellular telephone, causing
cellular user answers his or her phone, it to ring. If the subscriber answers the
the MSC completes the call and com- call, the MSC connects a pair of voice
munication can commence. channels (to and from the cellular plat-
form), and completes call setup.
The HLR and VLRs (or equivalents)
t As space is limited and such details are not im-
are thus the sources of the historic
portant to the theme of this article, I will not
attempt to track vocabulary distinctions be- and prospective cell site data dis-
tween second-, third-, and fourth-generation cussed earlier in the survey of tele-
cellular systems. phone privacy law.
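The registration and call-delivery machinery described above can be reduced to a toy sketch. The names below (Network, Hlr, Vlr, register, route_incoming_call) are illustrative inventions, not terms from any cellular standard, and real HLR/VLR traffic runs over signaling protocols such as SS7/MAP; the sketch only shows how the coarse (HLR, per-MSC) and fine (VLR, per-location-area) records combine to deliver an incoming call.

```python
# Toy model of registration and incoming-call routing, as described above.
# All class and method names are illustrative, not from any cellular standard.

class Vlr:
    """Visitor Location Register: per-MSC store of local registrations."""
    def __init__(self, msc_id):
        self.msc_id = msc_id
        self.location_area_by_subscriber = {}

class Hlr:
    """Home Location Register: coarse (MSC-level) location per subscriber."""
    def __init__(self):
        self.current_msc_by_subscriber = {}

class Network:
    def __init__(self):
        self.hlr = Hlr()
        self.vlrs = {}  # msc_id -> Vlr

    def register(self, subscriber, msc_id, location_area):
        # A powered-on phone periodically transmits registration messages;
        # the serving MSC's VLR records the fine-grained location area...
        vlr = self.vlrs.setdefault(msc_id, Vlr(msc_id))
        vlr.location_area_by_subscriber[subscriber] = location_area
        # ...and the MSC identity is forwarded to the subscriber's HLR.
        self.hlr.current_msc_by_subscriber[subscriber] = msc_id

    def route_incoming_call(self, called_number):
        # The gateway MSC queries the HLR, which names the MSC of the last
        # registration; that MSC's VLR yields the location area to page.
        msc_id = self.hlr.current_msc_by_subscriber[called_number]
        area = self.vlrs[msc_id].location_area_by_subscriber[called_number]
        return msc_id, area  # page all cells in `area` to make the phone ring

net = Network()
net.register("+1-607-555-0100", msc_id="MSC-Ithaca", location_area="LA-12")
print(net.route_incoming_call("+1-607-555-0100"))  # ('MSC-Ithaca', 'LA-12')
```

Note that the location record is updated as a side effect of every registration, whether or not a call is ever placed—which is exactly why the databases accumulate a location history.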
The question of whether a cellular telephone is a tracking device has often hinged on the resolution of the cell site data. If the data consists solely of the cell site ID, then the precision of the location information is clearly a function of the size of the cell. Cell sizes vary significantly, but the following can be used as a rough rule of thumb:u

Urban: 1 mile radius
Suburban: 2 mile radius
Rural: >4 mile radius

u Jeff Pool, Innopath, private correspondence. These areas are further reduced if the cell has multiple sectors.

It follows that through registration messages alone, a subscriber's location is recorded to the level of a metropolitan area at a minimum, and sometimes to the level of a neighborhood.

So far I have focused on voice calls. With regard to data "calls," it should be noted that 3G cellular separates the core network into circuit-switched and packet-switched domains, while 4G is purely packet-switched. Data calls are set up in packet-switched domains through the support of a serving and a gateway General Packet Radio Service (GPRS) support node. The HLR and VLR play registration, roaming, and mobility management roles for data calls that are similar to those provided in voice calls, so I will not go into further details here except to note that location data is accumulated in a similar manner.

In summary, the functionality of a cellular network is based on the network's ability to track the cellular subscriber. It was designed to collect and store location information, inadvertently creating an attractive information source for law enforcement and marketing professionals, as described previously. Next, we will see this need not be the case.

A Private Overlay
So long as the cellular concept requires that a piece of equipment be located within a particular cell, there will be a requirement in cellular systems that an MSC be able to locate user equipment at the level of one or a small number of cell sites. It is important to note, however, that it is the equipment that needs to be located and not a specific, named subscriber. In this section we will consider the possibility of creating a private overlay for cellular systems that protects user privacy by strictly separating equipment identity from user identity. The proposed overlay requires the addition of a Public Key Infrastructure (PKI).10 The PKI provides the network and all subscribers with a public encryption key and a private decryption key. With this addition, a private overlay to the existing cellular infrastructure can be established as described below.

The scenario assumed here is that of a cellular telephone with standard capabilities to which has been added the ability to operate in a private mode, a private mode in which the service provider is unable to associate location data for the phone with a specific user. The private mode is predicated on a private registration process, which is enabled by having the network transmit once a day (or at some suitable interval) an identical certification message to each authorized subscriber. The certification message that is sent to each subscriber is encrypted using that subscriber's public encryption key.

When the user enables the private cellular mode, the cellular platform sends a Privacy Enabling Registration (PER) message to the network. The PER, consisting of the certification message and a Random Equipment Tag (RET), is encrypted using the network's public encryption key. The certification message acts as a zero-knowledge proof, showing the network that the PER was sent by a valid user, but without actually identifying the user (we will address the problem of cloning in a moment). The RET is a random number that will be entered into the VLR and the HLR and treated as if it were a phone number. The VLR and the HLR will thus collect all of the information needed to establish and maintain phone calls to the cellular platform, but will not associate this information with a particular individual or phone number. So long as the user chooses to remain in private cellular mode, subsequent registration messages will include the RET as opposed to the user's telephone number.

Call setup, mobility management, and roaming will all be handled exactly as before, with the difference that the HLR and VLR location information is associated with the RET, as opposed to a phone number. Data calls can be kept private by associating the RET with a temporary IP address.v

v One version of the GPRS standard allowed for an anonymous Packet Data Protocol (PDP) context. This context associated a PDP address at the SGSN with a temporary logical link identifier—the IMSI was not associated with the PDP address, and the context was thus anonymous. The details were described in early versions of section 9.2.2.3 of ETSI GSM 03.60, but were later removed from the standard.

Incoming calls require that calling parties know the RET. In order for the RET to be associated with the correct HLR, it will also be necessary that the calling party identify the service provider that serves the called party. The user in private cellular mode must thus distribute, using public key encryption, his or her RET and the identity of the service provider to those parties from whom he or she would be willing to receive a call.

Calls can be placed from the cellular platform in private mode using the private context developed for incoming calls, or it may prove desirable to register outgoing calls on a call-by-call basis using distinct random strings. This would reduce the amount of information associated with a single random string, thus reducing the ability of the service provider to associate the private context with a specific user.

We now must confront the problems of cloning and billing. Both can be addressed by building a Trusted Platform Module (TPM)1 into the cellular platform. The TPM (or an equivalent device) can be programmed to keep the certification message in a cryptographically secure vault, and thus unavailable to anyone wishing to transfer it to another platform. When the network receives a PER message, it can thus be assured that the transmitting phone actually received the certification message from the network. Remote attestation can be used to ensure that the software controlling the TPM has not been altered.

The problem of billing has to be clearly addressed, for the service provider faces the uncomfortable task of providing service to an unknown party. The solution lies, once again, in
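The private registration exchange can be sketched in a few lines, with the public-key encryption abstracted away (a real overlay would encrypt the PER under the network's public key and the certification message under each subscriber's public key, as the article describes). All class and function names here are hypothetical; the point is the data flow: the network verifies that *some* valid subscriber registered, then files location data under the RET rather than under a phone number.

```python
import secrets

# Sketch of the proposed private-overlay registration. Encryption is
# abstracted away; names (PrivateOverlayNetwork, make_per, handle_per)
# are illustrative inventions.

class PrivateOverlayNetwork:
    def __init__(self):
        # Broadcast periodically; in the proposal it is sent to each
        # subscriber encrypted under that subscriber's public key.
        self.certification_message = secrets.token_hex(16)
        self.hlr = {}  # RET -> serving MSC; no phone numbers in private mode

    def handle_per(self, per, msc_id):
        # The PER = (certification message, RET). Possession of the current
        # certification message shows the sender is a valid subscriber
        # without saying which one.
        cert, ret = per
        if cert != self.certification_message:
            raise ValueError("invalid certification message")
        self.hlr[ret] = msc_id  # location indexed by the random tag
        return ret

def make_per(cert_received):
    """Phone side: pair the stored certification message with a fresh
    Random Equipment Tag (RET) that stands in for the phone number."""
    ret = secrets.token_hex(8)
    return (cert_received, ret), ret

net = PrivateOverlayNetwork()
per, ret = make_per(net.certification_message)
net.handle_per(per, msc_id="MSC-7")
assert net.hlr[ret] == "MSC-7"                        # location is tracked...
assert not any(k.startswith("+1") for k in net.hlr)   # ...but under no phone number
```

Changing the RET per call, as the article suggests for outgoing calls, corresponds here to calling make_per afresh so that no single tag accumulates a long location history.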
the TPM. The number of private call minutes available to the platform can be controlled through software in the platform, with the software certified by remote attestation. If need be, the private call minutes can be prepaid.

The potential for considering the private mode as a prepaid service may have a significant advantage with respect to CALEA, as CALEA does not currently cover prepaid cellular telephones. In the U.S. and many other countries, one may buy and use a prepaid cellular telephone without associating one's name with the phone.w The proposed privacy overlay would thus provide postpaid cellular telephone users with the privacy benefits of prepaid cellular.x

Other problems remain to be addressed, of course. For example, Cortes, Pregibon, and Volinsky have shown that it is possible to identify fraudulent users of a cellular system by using call data to construct dynamic graphs, and then performing a comparative analysis of subgraphs that form "communities of interest."7 A similar comparative analysis can be used for deanonymizing users of the proposed system unless the random tag is changed fairly frequently.

Conclusion
We have seen that cellular telephony is a surveillance technology. Cellular networks were designed, however unintentionally, to collect personal data, thus creating an extremely attractive source of information for law enforcement agencies and marketers. The impact of this surveillance on the users and uses of the cellular platform is becoming increasingly important as the platform plays a prominent role in social, economic, and political contexts. It remains possible, however, to secure cellular networks against surveillance. The private cellular overlay proposed here would serve this purpose while potentially putting the subscriber in control of his or her personal information. Legal issues remain and legislation may be necessary before a private cellular system can be made available to the public, but a public discussion as to whether we want a technology as important as cellular to be open to covert surveillance would be a good and highly democratic idea.

Acknowledgments
This work was funded in part by the National Science Foundation TRUST Science and Technology Center and the NSF Trustworthy Computing Program. The author gratefully acknowledges the technical and editorial assistance of Sarah Hale, Lee Humphries, and Jeff Pool. He also extends thanks to the anonymous reviewers for their extensive and insightful comments.

w According to the UPI, many of the cell phones used to coordinate action in the Philippine uprisings against former President Estrada were unregistered, prepaid phones. See http://www.upiasia.com/Politics/2008/01/21/texting_as_an_activist_tool/6075/.

x On May 26, 2010, Senators Charles Schumer (D-NY) and John Cornyn (R-TX) introduced a bill—S.3427: The Pre-Paid Mobile Device Identification Act—that would require that a consumer provide his or her name, address, and date of birth prior to the purchase of a pre-paid mobile device or SIM card. As of May 2010, the bill had been read twice and referred to the Committee on Commerce, Science, and Transportation.

References
1. TPM Main, Part 1 Design Principles, Specification Version 1.2, Level 2 Revision 103. Tech. rep., Trusted Computing Group (July 9, 2007).
2. Bentham, J. The Panopticon; or The Inspection House. London, 1787. Miran Božović (Ed.). Verso, London, UK, 1995.
3. Berger v. New York, 388 U.S. 41 (1967).
4. Communications Assistance for Law Enforcement Act (CALEA), 47 U.S.C. §§1001–1010.
5. Clarke, R.A. Information technology and dataveillance. Commun. ACM 31, 5 (May 1988), 498–512.
6. Cohen, J.E. Examined lives: Informational privacy and the subject as object. Stanford Law Review (2000).
7. Cortes, C., Pregibon, D., and Volinsky, C. Communities of interest. In Proceedings of the 4th International Conference on Advances in Intelligent Data Analysis (2001), 105–114.
8. Cuddihy, W.J. The Fourth Amendment: Origins and Original Meaning, 602–1791. Oxford University Press, 2009. (See also the Ph.D. thesis with the same title, Claremont Graduate School, 1990.)
9. Deleuze, G. Postscript on the societies of control. October 59 (Winter 1992), 3–7.
10. Diffie, W., and Hellman, M. New directions in cryptography. IEEE Transactions on Information Theory 22, 6 (1976), 644–654.
11. Dworkin, G. The Theory and Practice of Autonomy. Cambridge University Press, Cambridge, 1988.
12. Electronic Communications Privacy Act.
13. Etemad, K. CDMA 2000 Evolution: System Concepts and Design Principles. Wiley, NY, 2004.
14. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers Use of Customer Proprietary Network Information and Other Customer Information (1998).
15. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers Use of Customer Proprietary Network Information and Other Customer Information, 17 F.C.C.R. 14860 (2002).
16. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers Use of Customer Proprietary Network Information and Other Customer Information.
17. Foucault, M. Discipline and Punish. Vintage, 1995. (Surveiller et punir: Naissance de la Prison, 1975.)
18. Freeh, L.J. Digital telephony and law enforcement access to advanced telecommunications technologies and services. Joint Hearings on H.R. 4922 and S. 2375, 103d Cong. 7, 1994.
19. Freiwald, S. First principles of communication privacy. Stanford Technology Law Review 3 (2007).
20. Gandy, O.H. The Panoptic Sort: A Political Economy of Personal Information. Westview Publishers, 1993.
21. Goldstein, J., and Rotich, J. Digitally networked technology in Kenya's 2007–2008 post-election crisis. Tech. Rep. 2008–09, Harvard University, Berkman Center for Internet & Society, Sept. 2008.
22. Holma, H., and Toskala, A. WCDMA for UMTS: Radio Access for Third Generation Mobile Communications, 3rd Ed. Wiley, NY, 2004.
23. IMT-2000. International mobile telecommunications-2000 standard.
24. Kaaranen, H., Ahtiainen, A., Laitinen, L., Naghian, S., and Niemi, V. UMTS Networks, 2nd Ed. Wiley and Sons, Hoboken, NJ, 2005.
25. Katz v. United States, 389 U.S. 347 (1967).
26. Kerr, O.S. Internet surveillance law after the USA Patriot Act: The big brother that isn't. Northwestern University Law Review 97, 2 (2002–2003), 607–611.
27. Lichtblau, E. Telecoms win dismissal of wiretap suits. New York Times (June 3, 2009).
28. Loopt strengthens its location-based advertising offerings, sets sights on hyperlocal marketing. Mobile Marketing Watch (Feb. 17, 2010).
29. United States v. Miller, 425 U.S. 435 (1976).
30. Mouly, M., and Pautet, M.-B. The GSM System for Mobile Communications. Self-published, 1992.
31. Nardone v. United States, 302 U.S. 379 (1937).
32. Juniper Networks. The benefits of router-integrated session border control. Tech. rep., Juniper Networks, 2009.
33. Nissenbaum, H. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford University Press, Palo Alto, CA, 2010.
34. Olmstead v. United States, 277 U.S. 438 (1928).
35. Pfitzmann, A., Pfitzmann, B., and Waidner, M. ISDN-MIXes: Untraceable communication with very small bandwidth overhead. In Proceedings of the GI/ITG Conference on Communication in Distributed Systems (1991). Springer-Verlag, 451–463.
36. Querengesser, T. Kenya: Hate speech SMS offenders already tracked (Mar. 2008).
37. Redish, M. Freedom of Expression: A Critical Analysis. Michie Co, Charlottesville, NC, 1984.
38. Schoeman, F.D., Ed. Philosophical Dimensions of Privacy: An Anthology. Cambridge University Press, 1984.
39. Schrader, D.E. Intellectual safety, moral atmosphere, and epistemology in college classrooms. Journal of Adult Development 11, 2 (Apr. 2004).
40. Semayne's Case. Coke's Rep. 91a, 77 Eng. Rep. 194 (K.B. 1604).
41. Sherr, M., Cronin, E., Clark, S., and Blaze, M. Signaling vulnerabilities in wiretapping systems. IEEE Security & Privacy 3, 6 (2005), 13–25.
42. Smith v. Maryland, 442 U.S. 735 (1979).
43. Solove, D.J., and Schwartz, P.M. Privacy, Information, and Technology, 2nd Ed. Aspen Publishers, Inc., 2008.
44. Telecommunications Act of 1996.
45. Toeniskoetter, S.B. Preventing a modern panopticon: Law enforcement acquisition of real-time cellular tracking data. Rich. J.L. & Tech. 13, 4 (2007), 1–49.
46. Tversky, A., and Kahneman, D. The framing of decisions and the psychology of choice. Science 211, 4481 (Jan. 30, 1981), 453–458.
47. U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999).
48. Williamson, J. Decoding Advertisements: Ideology and Meaning in Advertising. Marion Boyars Publishers Ltd, 1978.

Stephen B. Wicker (wicker@ece.cornell.edu) is a professor in the School of Electrical and Computer Engineering, Cornell University, Ithaca, NY.

© 2011 ACM 0001-0782/11/07 $10.00
Technical Perspective: Is Scale Your Enemy, Or Is Scale Your Friend? By John Ousterhout

Debugging in the (Very) Large: Ten Years of Implementation and Experience. By Kinshuman Kinshumann, Kirk Glerum, Steve Greenberg, Gabriel Aul, Vince Orgovan, Greg Nichols, David Grant, Gretchen Loihle, and Galen Hunt

Technical Perspective
FAWN: A Fast Array of Wimpy Nodes
By Luiz André Barroso
Innovation in computing thrives at the beginning and the end of technology cycles. When facing the limits of an existing technology or contemplating the applications of a brand new one, system designers are at their creative best. The past decade has been rich on both fronts, particularly for computer architects. CMOS technology scaling is no longer yielding the energy savings it used to provide across generations, resulting in severe thermal constraints leading to increased attention to so-called "wimpy processors." These processors achieve high performance and energy efficiency by using a larger number of low-to-modest-speed CPU cores. Also in the past decade, the consumer electronics industry's investment in non-volatile storage technologies has resulted in NAND FLASH devices that are becoming competitive for general-purpose computing usage as they fit nicely within the huge cost/performance gap between DRAM and magnetic disks. FLASH-based storage devices are over 100 times faster than disks, although at over 10 times the cost per byte stored.

The emergence of wimpy processors and FLASH met a promising deployment scenario in the field of large-scale data centers for Internet services. These warehouse-scale computing (WSC) systems tend to run workloads that are rich in request-level parallelism—a match for the increased parallelism of wimpy CPUs—and are very data intensive—a match for the high input-output rates that are possible with FLASH technology. The energy efficiency potential of both these technologies could help lower the substantial energy-related costs of WSCs.

Given all this potential, how can we explain the rather slow pace of adoption of these technologies in commercial WSCs? At first glance, wimpy processors and FLASH seem compelling enough to fit within existing data center hardware and software architectures without the need for substantial redesign of major infrastructure components, thus facilitating rapid adoption. In reality, there are obstacles to extracting the maximum value from them. Hölzle1 summarized some of the challenges facing wimpy cores in commercial deployments, including parallelization overheads (Amdahl's Law) and programmer productivity concerns. FLASH adoption has also suffered due to software related issues. FLASH will not fully replace disks for most workloads due to its higher costs, therefore storage system software must be adapted to use both FLASH and disk drives effectively.

The lesson here is that to extract the most value from compelling new technology one often needs to consider the system more broadly, and rethink how applications and infrastructure components might be changed in light of new hardware component characteristics. This is precisely what the authors of the following article on FAWN have done.

"FAWN combines wimpy cores and FLASH to create an efficient, high-throughput, key-value storage system."

FAWN presents a new storage hardware architecture that takes advantage of wimpy cores and FLASH devices, but does so alongside a new datastore software system infrastructure (FAWN-DS) that is specifically targeted to the new hardware component characteristics. The system is not a generic distributed storage system, but one that is specialized for workloads that require high rates of key-value lookup queries. By co-designing the hardware and software, and by targeting the system for a particular (but compelling) use case, the authors present a solution that has greater potential to realize the full value of new energy-efficient components. Their approach, which includes building and experimenting with actual software and hardware artifacts, is a model worthy of being followed by future systems research projects.

Reference
1. Hölzle, U. Brawny cores still beat wimpy cores, most of the time. IEEE Micro (Aug/Sept. 2010).

Luiz André Barroso (luiz@google.com) is a Distinguished Engineer at Google.

© 2011 ACM 0001-0782/11/07 $10.00
We have built a prototype 21-node FAWN cluster using consumption,2 requiring that all components be scaled back
500 MHz embedded CPUs. Each node can serve up to 1300 with demand. As a result, a computer may consume over 50%
256 byte queries/s, exploiting nearly all of the raw I/O capa- of its peak power when running at only 20% of its capacity.20
bility of their attached flash devices, and consumes under Despite improved power scaling technology, systems remain
5 W when network and support hardware is taken into most energy efficient when operating at peak utilization.
account. The FAWN cluster achieves 330 queries/J—two A promising path to energy proportionality is turning
orders of magnitude better than traditional disk-based machines off entirely.6 Unfortunately, these techniques do
clusters. not apply well to FAWN-KV’s target workloads: key-value
systems must often meet service-level agreements for query
2. WHY FAWN? throughput and latency of hundreds of milliseconds; the
The FAWN approach to building well-matched cluster sys- inter-arrival time and latency bounds of the requests pre-
tems has the potential to achieve high performance and vent shutting machines down (and taking many seconds to
be fundamentally more energy-efficient than conven- wake them up again) during low load.2
tional architectures for serving massive-scale I/O and data- Finally, energy proportionality alone is not a panacea:
intensive workloads. We measure system performance in Systems should be both proportional and efficient at 100%
queries per second and measure energy efficiency in queries load. FAWN specifically addresses efficiency, and clus-
per Joule (equivalently, queries per second per Watt). FAWN ter techniques that improve proportionality should apply
is inspired by several fundamental trends: universally.
Increasing CPU-I/O gap: Over the past several decades,
the gap between CPU performance and I/O bandwidth has 3. DESIGN AND IMPLEMENTATION
continually grown. For data-intensive computing workloads, We describe the design and implementation of the system
storage, network, and memory bandwidth bottlenecks often components from the bottom up: a brief overview of flash
cause low CPU utilization. storage (Section 3.2), the per node FAWN-DS datastore
FAWN approach: To efficiently run I/O-bound data-intensive, computationally simple applications, FAWN uses wimpy processors selected to reduce I/O-induced idle cycles while maintaining high performance. The reduced processor speed then benefits from a second trend.

CPU power consumption grows super-linearly with speed: Higher frequencies require more energy, and techniques to mask the CPU-memory bottleneck come at the cost of energy efficiency. Branch prediction, speculative execution, out-of-order execution, and large on-chip caches all require additional die area; modern processors dedicate as much as half their die to L2/3 caches.9 These techniques do not increase the speed of basic computations, but do increase power consumption, making faster CPUs less energy efficient.

FAWN approach: A FAWN cluster's slower CPUs dedicate proportionally more transistors to basic operations. These CPUs execute significantly more instructions per Joule than their faster counterparts: multi-GHz superscalar quad-core processors can execute approximately 100 million instructions/J, assuming all cores are active and avoid stalls or mispredictions. Lower-frequency in-order CPUs, in contrast, can provide over 1 billion instructions/J—an order of magnitude more efficient while running at 1/3 the frequency.

Worse yet, running fast processors below their full capacity draws a disproportionate amount of power. Dynamic power scaling on traditional systems is surprisingly inefficient: A primary energy-saving benefit of dynamic voltage and frequency scaling (DVFS) was its ability to reduce voltage as it reduced frequency, but modern CPUs already operate near minimum voltage at the highest frequencies. Even if processor energy were completely proportional to load, non-CPU components such as memory, motherboards, and power supplies have begun to dominate energy …

… (Section 3.3), and the FAWN-KV cluster key-value lookup system (Section 3.4), including replication and consistency.

3.1. Design overview
Figure 1 gives an overview of the entire FAWN system. Client requests enter the system at one of several front ends. The front-end nodes forward the request to the back-end FAWN-KV node responsible for serving that particular key. The back-end node serves the request from its FAWN-DS datastore and returns the result to the front end (which in turn replies to the client). Writes proceed similarly.

The large number of back-end FAWN-KV storage nodes is organized into a ring using consistent hashing. As in systems such as Chord,18 keys are mapped to the node that follows the key in the ring (its successor). To balance load and reduce failover times, each physical node joins the ring as a small number (V) of virtual nodes, each virtual node representing a virtual ID ("VID") in the ring space. Each physical node is thus responsible for V different (noncontiguous) key ranges. The data associated with each virtual ID is stored on flash using FAWN-DS.

[Figure 1. FAWN-KV architecture: front ends behind a switch route requests and responses to a ring of back-end FAWN-DS virtual nodes (A1, A2, B1, B2, …).]
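The ring lookup just described (each physical node joins as V virtual IDs, and a key is served by the VID that follows it on the ring) can be sketched in a few lines. This is an illustrative model, not FAWN-KV code; the class name and the choice of SHA-1 to produce a 160-bit ring position are ours.

```python
import hashlib
from bisect import bisect_left

def ring_hash(s: str) -> int:
    # Map a string into a 160-bit ring space (SHA-1, Chord-style).
    return int(hashlib.sha1(s.encode()).hexdigest(), 16)

class Ring:
    def __init__(self, vids_per_node: int = 4):
        self.v = vids_per_node
        self.vids = []  # sorted list of (vid_position, physical_node)

    def join(self, node: str):
        # Each physical node joins as V virtual nodes ("VIDs"), so it
        # ends up owning V noncontiguous key ranges on the ring.
        for i in range(self.v):
            self.vids.append((ring_hash(f"{node}/vid{i}"), node))
        self.vids.sort()

    def successor(self, key: str) -> str:
        # A key maps to the first VID at or after its ring position.
        k = ring_hash(key)
        idx = bisect_left(self.vids, (k, ""))
        if idx == len(self.vids):
            idx = 0  # wrap around the ring
        return self.vids[idx][1]

ring = Ring(vids_per_node=4)
for n in ["A", "B", "C"]:
    ring.join(n)
owner = ring.successor("some-key")  # one of "A", "B", "C"
```

Because each node contributes several VIDs, removing one node redistributes its V small ranges across the remaining nodes rather than dumping one large range on a single successor.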
[Figure 2. (a) FAWN-DS appends writes to the end of the Data Log. (b) Split requires a sequential scan of the data region, transferring out-of-range entries to the new store. (c) After the scan completes, the datastore list is atomically updated to add the new store. Compaction of the original store cleans up out-of-range entries. The diagram shows the 160-bit key, the in-memory Hash Index with its KeyFrag/Valid/Offset fields, and the Data Log; inserted values are appended concurrently while the scan-and-split proceeds.]
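The split-and-compact flow in Figure 2 amounts to two sequential scans over the log. The sketch below is a simplified in-memory model of that behavior; the dictionary layout and function names are ours, not FAWN-DS's.

```python
def split(log, in_new_range):
    # Figure 2b: sequentially scan the data log, copying entries whose
    # keys fall in the new datastore's range into a new log.
    return [entry for entry in log if in_new_range(entry["key"])]

def compact(log, in_range, live_offsets):
    # Figure 2c: drop out-of-range, orphaned, and delete entries,
    # keeping only valid data (like GC in a log-structured filesystem).
    out = []
    for offset, entry in enumerate(log):
        if not in_range(entry["key"]):
            continue  # leftover after a split
        if offset not in live_offsets:
            continue  # orphaned: no hash-index entry points here
        if entry.get("deleted"):
            continue  # tombstone no longer needed
        out.append(entry)
    return out
```

In the real system the new log is then installed by atomically updating the datastore list, so readers never observe a half-built store.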
Reconstruction: The Data Log contains all the information necessary to reconstruct the Hash Index from scratch. As an optimization, FAWN-DS periodically checkpoints the index by writing the Hash Index and a pointer to the last log entry to flash. After a failure, FAWN-DS uses the checkpoint as a starting point to reconstruct the in-memory Hash Index.

Virtual IDs and semi-random writes: A physical node has a separate FAWN-DS datastore file for each of its virtual IDs, and FAWN-DS appends new or updated data items to the appropriate datastore. Sequentially appending to a small number of files is termed semi-random writes. With many flash devices, these semi-random writes are nearly as fast as a single sequential append.15 We take advantage of this property to retain fast write performance while allowing key ranges to be stored in independent files to speed the maintenance operations described in the following.

3.3.1. Basic functions: Store, lookup, delete
Store appends an entry to the log, updates the corresponding hash table entry to point to the offset of the newly appended entry within the Data Log, and sets the valid bit to true. If the key written already existed, the old value is now orphaned (no hash entry points to it) for later garbage collection.

Lookup retrieves the hash entry containing the offset, indexes into the Data Log, and returns the data blob.

Delete invalidates the hash entry corresponding to the key and writes a Delete entry to the end of the data file. The delete entry is necessary for fault tolerance—the invalidated hash table entry is not immediately committed to nonvolatile storage to avoid random writes, so a failure following a delete requires a log to ensure that recovery will delete the entry upon reconstruction. Because of its log structure, FAWN-DS deletes are similar to store operations with 0 byte values. Deletes do not immediately reclaim space and require compaction to perform garbage collection. This design defers the cost of a random write to a later sequential write operation.

3.3.2. Maintenance: Split, merge, compact
Inserting a new virtual node into the ring causes one key range to split into two, with the new virtual node gaining responsibility for the first part of it. Nodes handling these VIDs must therefore Split their datastore into two datastores, one for each key range. When a virtual node departs the system, two adjacent key ranges must similarly Merge into a single datastore. In addition, a virtual node must periodically Compact its datastores to clean up stale or orphaned entries created by Split, Store, and Delete.

These maintenance functions are designed to work well on flash, requiring only scans of one datastore and sequential writes into another.

Split parses the Data Log sequentially, writing each entry in a new datastore if its key falls in the new datastore's range.

Merge writes every log entry from one datastore into the other datastore; because the key ranges are independent, it does so as an append. Split and Merge propagate delete entries into the new datastore.

Compact cleans up entries in a datastore, similar to garbage collection in a log-structured filesystem. It skips entries that fall outside of the datastore's key range, which may be leftover after a split. It also skips orphaned entries that no in-memory hash table entry points to, and it skips any delete entries corresponding to those entries. It writes all other valid entries into the output datastore.

3.3.3. Concurrent maintenance and operation
All FAWN-DS maintenance functions allow concurrent reads and writes to the datastore. Stores and Deletes only modify hash table entries and write to the end of the log. Maintenance operations (Split, Merge, and Compact) sequentially parse the Data Log, which may be growing due to deletes and stores. Because the log is append only, a log entry once parsed will never be changed. These operations each create one new output datastore logfile. The maintenance operations run until they reach the end of the log, and then briefly lock the datastore, ensure that all values flushed to the old log have been processed, update the FAWN-DS datastore list to point to the newly created log, and release the lock (Figure 2c).

3.4. The FAWN key-value system
In FAWN-KV, client applications send requests to front ends using a standard put/get interface. Front ends send the request to the back-end node that owns the key space for the request. The back-end node satisfies the request using its FAWN-DS and replies to the front ends.

3.4.1. Consistent hashing: Key ranges to nodes
A typical FAWN cluster will have several front ends and many back ends. FAWN-KV organizes the back-end VIDs into a storage ring-structure using consistent hashing.18 Front ends maintain the entire node membership list and directly forward queries to the back-end node that contains a particular data item.

Each front-end node manages the VID membership list and queries for a large contiguous chunk of the key space. A front end receiving queries for keys outside of its range forwards the queries to the appropriate front-end node. This design either requires clients to be roughly aware of the front-end mapping or doubles the traffic that front ends must handle, but it permits front ends to cache values without a cache consistency protocol.

The key space is allocated to front ends by a single management node; we envision this node being replicated using a small Paxos cluster,13 but we have not (yet) implemented this. There would be 80 or more back-end nodes per front-end node with our current hardware prototypes, so the amount of information this management node maintains is small and changes infrequently—a list of 125 front ends would suffice for a 10,000 node FAWN cluster.

When a back-end node joins, it obtains the list of front-end IDs. It uses this list to determine which front ends to contact to join the ring, one VID at a time. We chose this design so that the system would be robust to front-end node failures: The back-end node identifier (and thus, what keys …
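The Store/Lookup/Delete semantics of Section 3.3.1 reduce to an append-only log plus an in-memory index. Below is a minimal sketch, with the caveat that the real FAWN-DS keeps the Data Log on flash and stores only a key fragment, valid bit, and offset per index entry; this toy keeps everything in memory.

```python
class FawnDS:
    """Toy model of FAWN-DS: append-only Data Log + in-memory hash index."""

    def __init__(self):
        self.log = []    # the Data Log: (key, value); value None = tombstone
        self.index = {}  # key -> offset of the latest valid entry

    def store(self, key, value):
        # Append to the log and repoint the index; any previous entry
        # for this key is now orphaned until compaction reclaims it.
        self.log.append((key, value))
        self.index[key] = len(self.log) - 1

    def lookup(self, key):
        off = self.index.get(key)
        return None if off is None else self.log[off][1]

    def delete(self, key):
        # Write a Delete entry (needed to survive crash recovery, since
        # the index itself is not persisted on every update), then
        # invalidate the in-memory index entry.
        self.log.append((key, None))
        self.index.pop(key, None)

db = FawnDS()
db.store("k", b"v1")
db.store("k", b"v2")  # the v1 entry is now orphaned in the log
db.delete("k")
```

Note that every operation touches the log only at its tail, which is the whole point of the design: random-write cost is deferred to a later sequential compaction pass.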
… and to a 27 W Intel Atom-based front-end node using two 16-port Netgear GS116 GigE Ethernet switches.

Evaluation workload: We show query performance for 256 byte and 1KB values. We select these sizes as proxies for small text posts, user reviews or status messages, image thumbnails, and so on. They represent a quite challenging regime for conventional disk-bound systems and stress the limited memory and CPU of our wimpy nodes.

4.1. Individual node performance
We benchmark the I/O capability of the FAWN nodes using iozone and Flexible I/O tester. The flash is formatted with the ext2 filesystem. These tests read and write 1KB entries, the lowest record size available in iozone. The filesystem I/O performance using a 3.5GB file is shown in Table 1.

Table 1. Baseline CompactFlash statistics for 1KB entries. QPS = queries/second.

  Seq. Read    Rand. Read    Seq. Write    Rand. Write
  28.5 MB/s    1424 QPS      24 MB/s       110 QPS

4.1.1. FAWN-DS single node local benchmarks
Lookup speed: This test shows the query throughput achieved by a local client issuing queries for randomly distributed, existing keys on a single node. We report the average of three runs (the standard deviations were below 5%). Table 2 shows FAWN-DS 1KB and 256 byte random read queries/s as a function of the DS size. If the datastore fits in the buffer cache, the node locally retrieves 50,000–85,000 queries/s. As the datastore exceeds the 256MB of RAM available on the nodes, a larger fraction of requests go to flash.

Table 2. Local random read speed of FAWN-DS.

  DS Size    1KB Rand. Read (queries/s)    256 B Rand. Read (queries/s)
  10KB       72,352                        85,012
  125MB      51,968                        65,412
  250MB      6,824                         5,902
  500MB      2,016                         2,449
  1GB        1,595                         1,964
  2GB        1,446                         1,613
  3.5GB      1,150                         1,298

FAWN-DS imposes modest overhead from hash lookups, data copies, and key comparisons; and it must read slightly more data than the iozone tests (each stored entry has a header). The query throughput, however, remains high: tests reading a 3.5 GB datastore using 1 KB values achieved 1,150 queries/s compared to 1,424 queries/s from the filesystem. Using 256 byte entries achieved 1,298 queries/s from a 3.5 GB datastore. By comparison, the raw filesystem achieved 1,454 random 256 byte reads/s using Flexible I/O.

Bulk store speed: The log structure of FAWN-DS ensures that data insertion is entirely sequential. Inserting 2 million entries of 1KB each (2GB total) into a single FAWN-DS log proceeds at 23.2MB/s (nearly 24,000 entries/s), which is 96% of the raw speed that the flash can be written through the filesystem.

Put speed: Each FAWN-KV node has R × V FAWN-DS files: each virtual ID adds one primary data range, plus an additional R − 1 replicated ranges. A node receiving puts for different ranges will concurrently append to a small number of files ("semi-random writes"). Good semi-random write performance is central to FAWN-DS's per-range data layout that enables single-pass maintenance operations. Our recent work confirms that modern flash devices can provide good semi-random write performance.1

4.1.2. Comparison with BerkeleyDB
To understand the benefit of FAWN-DS's log structure, we compare with a general purpose disk-based database that is not optimized for flash. BerkeleyDB provides a simple put/get interface, can be used without heavy-weight transactions or rollback, and performs well vs. other memory or disk-based databases. We configured BerkeleyDB using both its default settings and the reference guide suggestions for flash-based operation.3 The best performance we achieved required 6 hours to insert 7 million 200 byte entries to create a 1.5GB B-Tree database. This corresponds to an insert rate of 0.07MB/s.

The problem was, of course, small writes: When the BDB store was larger than the available RAM on the nodes (<256MB), BDB had to flush pages to disk, causing many writes that were much smaller than the size of an erase block.

That comparing FAWN-DS and BDB seems unfair is exactly the point: even a well-understood, high-performance database will perform poorly when its write pattern has not been specifically optimized to flash characteristics. We evaluated BDB on top of NILFS2, a log-structured Linux filesystem for block devices, to understand whether log-structured writing could turn the random writes into sequential writes. Unfortunately, this combination was not suitable because of the amount of metadata created for small writes for use in filesystem checkpointing and rollback, features not needed for FAWN-KV—writing 200MB worth of 256 byte key-value pairs generated 3.5GB of metadata. Other existing Linux log-structured flash filesystems, such as JFFS2, are designed to work on raw flash, but modern SSDs, compact flash, and SD cards all include a Flash Translation Layer that hides the raw flash chips. While future improvements to filesystems can speed up naive DB performance on flash, the pure log structure of FAWN-DS remains necessary even if we could use a more conventional back end: It provides the basis for replication and consistency across an array of nodes.

4.1.3. Read-intensive vs. write-intensive workloads
Most read-intensive workloads have some writes. For example, Facebook's memcached workloads have a 1:6 ratio of application-level puts to gets.11 We therefore measured the aggregate query rate as the fraction of puts ranging from 0 …
[Figure: power draw (W) over time during gets, idle periods, and puts, and queries per second (up to ~8,000) as a function of the fraction of put requests, for 1 and 8 FAWN-DS files.]
[Figure 7. Query throughput on 21-node FAWN-KV system for 1KB and 256 byte entry sizes.]

5. ALTERNATIVE ARCHITECTURES
When is the FAWN approach likely to beat traditional architectures? We examine this question by comparing the 3 year total cost of ownership (TCO) for six systems: three traditional and three FAWN, the FAWN nodes using a low-power CPU that consumes 10 W–20 W and costs ∼$150 in volume. We in turn give the benefit of the doubt to the server systems we compare against—we assume a 2 TB disk exists that serves 300 queries/s at 10 W.

Our results indicate that both FAWN and traditional systems have their place—but for the small random-access workloads we study, traditional systems are surprisingly absent from much of the solution space, in favor of FAWN nodes using either disks, flash, or DRAM.

Key to the analysis is a question: why does a cluster need nodes? The answer is, of course, for both storage space and query rate. Storing a DS gigabyte dataset with query rate QR requires N nodes:

  N = max(DS / gb_per_node, QR / qr_per_node)

where gb_per_node and qr_per_node are the storage capacity and query rate of an individual node. With large datasets with low query rates, the number of nodes required is dominated by the storage capacity per node: thus, the important metric is the total cost per GB for an individual node. Conversely, for small datasets with high query rates, the per node query capacity dictates the number of nodes: the dominant metric is queries per second per dollar. Between these extremes, systems must provide the best trade-off between per node storage capacity, query rate, and power cost.

Table 3 shows these cost and speculative performance statistics for several candidate systems circa 2009; while the numbers are outdated, the trends likely still apply. The "traditional" nodes use 200 W servers that cost $1,000 each. Traditional + Disk pairs a single server with five 2 TB high-speed (10,000 RPM) disks capable of 300 queries/s, each disk consuming 10 W. Traditional + SSD uses two PCI-E Fusion-IO 80GB flash SSDs, each also consuming about 10 W (Cost: $3 K). Traditional + DRAM uses 8GB server-quality DRAM modules, each consuming 10 W. FAWN + Disk nodes use one 2 TB 7200 RPM disk: FAWN nodes have fewer connectors available on the board. FAWN + SSD uses one 32GB Intel SATA flash SSD capable of 35,000 random reads/s,17 consuming 2 W ($400). FAWN + DRAM uses a single 2GB, slower DRAM module, also consuming 2 W.

Figure 9 shows which base system has the lowest cost for a particular dataset size and query rate, with dataset sizes between 100GB and 10PB and query rates between 100 K and 1 billion/s.

[Figure 9. Solution space for lowest 3 year TCO as a function of dataset size (0.1–1000 TB) and query rate (0.1–1000 millions/s): FAWN + Disk at large dataset sizes, FAWN + Flash in the middle range, FAWN + DRAM at high query rates, and traditional + DRAM only at the margin.]

Large datasets, low query rates: FAWN + Disk has the lowest total cost per GB. While not shown on our graph, a traditional system wins for exabyte-sized workloads if it can be configured with sufficient disks per node (over 50), though packing 50 disks per machine poses reliability challenges.

Small datasets, high query rates: FAWN + DRAM costs the fewest dollars per queries per second, keeping in mind that we do not examine workloads that fit entirely in L2 cache on a traditional node. This somewhat counterintuitive result is similar to that made by the intelligent RAM project, which coupled processors and DRAM to achieve similar benefits4 by avoiding the memory wall. We assume the FAWN nodes can only accept 2GB of DRAM per node, so for larger datasets, a traditional DRAM system provides a high query rate and requires fewer nodes to store the same amount of data (64GB vs. 2GB/node).

Middle range: FAWN + SSDs provide the best balance of storage capacity, query rate, and total cost. If SSD cost per GB improves relative to magnetic disks, this combination is likely to continue expanding into the range served by FAWN + Disk; if the SSD cost per performance ratio improves relative to DRAM, so will it reach into DRAM territory. It is therefore conceivable that FAWN + SSD could become the dominant architecture for many random-access workloads.

Are traditional systems obsolete? We emphasize that this analysis applies only to small, random-access workloads.
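The node-count relation N = max(DS/gb_per_node, QR/qr_per_node) can be made concrete with a small solver. The per-node figures below are two of the circa-2009 configurations quoted in the text; the $100-per-disk price and the $0.10/kWh electricity rate are our assumptions, and the TCO model (hardware plus 3 years of power) is a simplification of the paper's.

```python
import math

def nodes_needed(ds_gb, qr_qps, gb_per_node, qps_per_node):
    # N = max(ceil(DS / gb_per_node), ceil(QR / qps_per_node)):
    # enough nodes to hold the dataset AND enough to serve the query rate.
    return max(math.ceil(ds_gb / gb_per_node),
               math.ceil(qr_qps / qps_per_node))

HOURS_3YR = 3 * 365 * 24

def tco_3yr(n, cost_per_node, watts_per_node, usd_per_kwh=0.10):
    # 3-year TCO = hardware cost + electricity (price is our assumption).
    return n * (cost_per_node + watts_per_node / 1000.0 * HOURS_3YR * usd_per_kwh)

# Per-node numbers from the text; the $100/disk price is assumed.
SYSTEMS = {
    # $1,000 200 W server plus five 2 TB disks at 300 queries/s, 10 W each:
    "Traditional + Disk": dict(gb=10_000, qps=1_500, cost=1_500, watts=250),
    # $150 wimpy node (~20 W) plus one 32 GB SSD: 35,000 reads/s, 2 W, $400:
    "FAWN + SSD": dict(gb=32, qps=35_000, cost=550, watts=22),
}

def cheapest(ds_gb, qr_qps):
    def tco(cfg):
        n = nodes_needed(ds_gb, qr_qps, cfg["gb"], cfg["qps"])
        return tco_3yr(n, cfg["cost"], cfg["watts"])
    return min(SYSTEMS, key=lambda name: tco(SYSTEMS[name]))
```

Even this crude model reproduces the shape of Figure 9: once the query rate rather than the dataset size determines N, the wimpy configuration wins; when capacity dominates, the disk-heavy traditional node does.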
Technical Perspective
Is Scale Your Enemy, or Is Scale Your Friend?
By John Ousterhout

Although the nominal topic of the following paper is managing crash reports from an installed software base, the paper's greatest contributions are its insights about managing large-scale systems. Kinshumann et al. describe how the Windows error reporting process became almost unmanageable as the scale of Windows deployment increased. They then show how an automated reporting and management system (Windows Error Reporting, or WER) not only eliminated the existing problems, but capitalized on the scale of the system to provide features that would not be possible at smaller scale. WER turned scale from enemy to friend.

Scale has been the single most important force driving changes in system software over the last decade, and this trend will probably continue for the next decade. The impact of scale is most obvious in the Web arena, where a single large application today can harness 1,000–10,000 times as many servers as the largest pre-Web applications of 10–20 years ago and supports 1,000 times as many users. However, scale also impacts developers outside the Web; in this paper, scale comes from the large installed base of Windows and the correspondingly large number of error reports emanating from the installed base.

Scale creates numerous problems for system developers and managers. Manual techniques that are sufficient at small scale become unworkable at large scale. Rare corner cases that are unnoticeable at small scale become common occurrences that impact overall system behavior at large scale. It would be easy to conclude that scale offers nothing to developers except an unending parade of problems to overcome.

Microsoft, like most companies, originally used an error reporting process with a significant manual component, but it gradually broke down as the scale of Windows deployment increased. As the number of Windows installations skyrocketed, so did the rate of error reports. In addition, the size and complexity of the Windows system increased, making it more difficult to track down problems. For example, a buggy third-party device driver could cause crashes that were difficult to distinguish from problems in the main kernel.

In reading this paper and observing other large-scale systems, I have noticed four common steps by which scale can be converted from enemy to friend. The first and most important step is automation: humans must be removed from the most important and common processes. In any system of sufficiently large scale, automation is not only necessary, but it is cheap: it's much less expensive to build tools than to manage a large system manually. WER automated the process of detecting errors, collecting information about them, and reporting that information back to Microsoft.

The second step in capitalizing on scale is to maintain records; this is usually easy once the processes have been automated. In the case of WER the data consists of information about each error, such as a stack trace. The authors developed mechanisms for categorizing errors into buckets, such that all the errors in a bucket probably share the same root cause. Accurate and complete data enables the third and fourth steps.

The third step is to use the data to make better decisions. At this point the scale of the system becomes an asset: the more data, the better. For example, WER analyzes error statistics to discover correlations with particular system configurations (a particular error might occur only when a particular device driver is present). WER also identifies the buckets with the most reports so they can be addressed first.

The fourth and final step is that processes change in fundamental ways to capitalize on the level of automation and data analysis. For example, WER allows a bug fix to be associated with a particular error bucket; when the same error is reported in the future, WER can offer the fix to the user at the time the error happens. This allows fixes to be disseminated much more rapidly, which is crucial in situations such as virus attacks.

Other systems besides WER are also taking advantage of scale. For example, Web search indexes initially kept independent caches of index data in the main memory of each server. As the number of servers increased, they discovered that the sum total of all the caches was greater than the total amount of index data; by reorganizing their servers to eliminate duplication they were able to keep the entire index in DRAM. This enabled higher performance and new features. Another example is that many large-scale Web sites use an incremental release process to test new features on a small subset of users before exposing them to the full user base.

I hope you enjoy reading this paper, as I did, and that it will stimulate you to think about scale as an opportunity, not an obstacle.

John Ousterhout (http://www.stanford.edu/~ouster) is Professor (Research) of CS at Stanford University.

© 2011 ACM 0001-0782/11/07 $10.00
… telecommunication networks to deliver core dumps to the computer manufacturer.4

WER is the first system to provide automatic error diagnosis, the first to use progressive data collection to reduce overheads, and the first to automatically direct users to available fixes based on automated error diagnosis. WER remains unique in four aspects:

1. WER is the largest automated error-reporting system in existence. Approximately one billion computers run WER client code: every Windows system since Windows XP.
2. WER automates the collection of additional client-side data for hard-to-debug problems. When initial error reports provide insufficient data to debug a problem, programmers can request that WER collect more data in future error reports, including broader memory dumps, environment data, log files, and program settings.
3. WER automatically directs users to solutions for corrected errors. For example, 47% of kernel crash reports result in a direction to an appropriate software update or workaround.
4. WER is general purpose. It is used for operating systems and applications, by Microsoft and non-Microsoft programmers. WER collects error reports for crashes, non-fatal assertion failures, hangs, setup failures, abnormal executions, and hardware failures.

2. PROBLEM, SCALE, AND STRATEGY
The goal of WER is to allow us to diagnose and correct every software error on every Windows system. We realized early on that scale presented both the primary obstacle and the primary solution to address the goals of WER. If we could remove humans from the critical path and scale the error reporting mechanism to admit millions of error reports, then we could use the law of large numbers to our advantage. For example, we did not need to collect all error reports, just a statistically significant sample. And we did not need to collect complete diagnostic samples for all occurrences of an error with the same root cause, just enough samples to diagnose the problem and suggest correlation. Moreover, once we had enough data to allow us to fix the most frequently occurring errors, then their occurrence would decrease, bringing the remaining errors to the forefront. Finally, even if we made some mistakes, such as incorrectly diagnosing two errors as having the same root cause, once we fixed the first then the occurrences of the second would reappear and dominate future samples.

Realizing the value of scale, five strategies emerged as necessary components to achieving sufficient scale to produce an effective system: automatic bucketing of error reports, collecting data progressively, minimizing human interaction, preserving user privacy, and directing users to solutions.

2.1. Automatic bucketing
WER automatically aggregates error reports likely originating from the same bug into a collection called a bucket.b If not, WER data naively collected with no filtering or organization would absolutely overwhelm programmers. The ideal bucketing algorithm would map all error reports caused by one bug into one unique bucket with no other bugs in that bucket. Because we know of no such algorithm, WER instead employs a set of bucketing heuristics in two phases. First, errors are labeled: assigned to a first bucket based on immediate evidence available at the client, with the goal that each bucket contains error reports from just one bug. Second, errors are classified at the WER service; they are consolidated to new buckets as additional data is analyzed, with the goal of minimizing programmer effort by placing error reports from just one bug into just one final bucket.

Bucketing enables automatic diagnosis and progressive data collection. Good bucketing relieves programmers and the system of the burden of processing redundant error reports, helps prioritize programmer effort by bucket prevalence, and can be used to link users to updates when the bug has been fixed. In WER, bucketing is progressive. As additional data related to an error report is collected, such as symbolic information to translate from an offset in a module to a named function, the report is associated with a new bucket. Although the design of optimal bucketing algorithms remains an open problem, the bucketing algorithms used by WER are in practice quite effective.

2.2. Progressive data collection
WER uses a progressive data collection strategy to reduce the cost of error reporting so that the system can scale to high volume while providing sufficient detail for debugging. Most error reports consist of no more than a simple bucket identifier, which just increments its count. If additional data is needed, WER will next collect a minidump (an abbreviated stack and memory dump) and the configuration of the faulting system into a compressed cabinet archive file (the CAB file). If data beyond the minidump is required to diagnose the error, WER can progress to collecting full memory dumps, memory dumps from related programs, related files, or additional data queried from the reporting computer. Progressive data collection reduces the scale of incoming data enough that one pair of SQL servers can record every error on every Windows system worldwide. Progressive data collection also reduces the cost to users in time and bandwidth of reporting errors, thus encouraging user participation.

2.3. Minimizing human interaction
WER removes users from all but the authorization step of error reporting and removes programmers from initial error diagnosis. User interaction is reduced in most cases to a yes/no authorization (see Figure 1). Users may permanently opt in or out of future authorization requests. WER servers analyze each error report automatically to direct users to existing fixes, or, as needed, ask the client to collect additional data. Programmers are notified only after WER determines that a sufficient number of error reports have been collected for an unresolved bug.

2.4. Preserving user privacy
We take considerable care to avoid knowingly collecting personal identifying information (PII). This encourages user participation and reduces regulatory burden. For example, …

b bucket (noun): a collection of error reports likely caused by the same bug; bucket (verb): to triage error reports into buckets.
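The two-phase bucketing and progressive collection of Sections 2.1 and 2.2 can be sketched as follows. The client-side label (program, module, offset) is a simplification of WER's actual heuristics, and the escalation threshold is invented for illustration.

```python
from collections import Counter, defaultdict

MINIDUMP_THRESHOLD = 10  # invented: escalate collection once a bucket is hot

class ErrorService:
    """Toy model of WER-style bucketing with progressive data collection."""

    def __init__(self):
        self.counts = Counter()        # most reports only bump a bucket count
        self.cabs = defaultdict(list)  # richer data kept for hot buckets

    @staticmethod
    def label(report):
        # Phase 1 (client): a cheap label from evidence available at
        # crash time, aiming for one bug per bucket.
        return (report["program"], report["module"], report["offset"])

    def submit(self, report):
        bucket = self.label(report)
        self.counts[bucket] += 1
        # Progressive collection: only gather a minidump once this
        # bucket has accumulated enough reports to be worth it.
        if self.counts[bucket] > MINIDUMP_THRESHOLD and "minidump" in report:
            self.cabs[bucket].append(report["minidump"])
        return bucket

    def top_buckets(self, n=3):
        # Programmers work buckets in order of decreasing report volume,
        # helping the most users per unit of work.
        return self.counts.most_common(n)
```

Phase 2 (server-side reclassification as symbols arrive) would merge or re-assign buckets; it is omitted here to keep the sketch small.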
Programmers sort their buckets and prioritize debugging effort on the buckets with the largest volumes of error reports, thus helping the most users per unit of work. Often, programmers will aggregate error counts by function and then work through the buckets for the function in order of decreasing bucket …

[Figure 2. Renos Malware: Number of error reports per day (axis up to 1,200,000). Black bar shows when a fix was released through WU.]

[Figure: relative number of reports (0%–100%) for the top 20 buckets in Outlook, Powerpoint, and Word, with 2005 and 2006 series.]

… WER for the first time. In 30 days the vendor addressed the top 20 reported issues for their code. Within 5 months, as WER …

… end-to-end solution for reporting and recovering from errors. WER provides programmers with real-time data about errors actually experienced by users and provides them with an incomparable billion-computer feedback loop to improve software quality.
… deployments. While WER does not make debugging in the small significantly easier (other than perhaps providing programmers with better analysis of core dumps), WER has enabled a new class of debugging in the large. The statistics …

References
1. Bush, W.R., Pincus, J.D., Sielaff, D.J. A static analyzer for finding dynamic programming errors. Softw. Pract. Exp. 30, 5 (2000), 775–802.
2. Everett, R.R. The Whirlwind I computer. In Proceedings of the 1951 Joint AIEE–IRE Computer Conference (Philadelphia, PA, 1951).
3. Gray, J. Why do computers stop and what can we do about it? In Proceedings of the 6th International Conference on Reliability and Distributed Databases (1986), 3–12.
4. Lee, I., Iyer, R.K. Faults, symptoms, and software fault tolerance in the Tandem GUARDIAN90 operating system. In Digest of Papers of the Twenty-Third International Symposium on Fault-Tolerant Computing (FTCS-23) (IEEE, Toulouse, France, 1993).
5. Walter, E.S., Wallace, V.L. Further analysis of a computing center environment. Commun. ACM 10, 5 (1967), 266–272.
last byte
Future Tense, one of the revolving features on this page, presents stories and
essays from the intersection of computational science and technological speculation,
their boundaries limited only by our ability to imagine what will and could be.
Future Tense
My Office Mate
I became a biocomputational zombie for science…and for love.
You'd be surprised what poor equipment the profs have in our CS department. Until quite recently, my office mate Harry's computer was a primeval beige box lurking beneath his desk. Moreover, it had taken to making an irritating whine, and the techs didn't want to bother with it.

One rainy Tuesday during his office hour, Harry snapped. He interrupted a conversation with an earnest student by jumping to his feet, yelling a curse, and savagely kicking the computer. The whine stopped; the machine was dead. Frightened and bewildered, the student left.

"Now they'll have to replace this clunker," said Harry. "And you keep your trap shut, Fletcher."

"What if the student talks?"

"Nobody listens to them."

In a few days, a new computer appeared on Harry's desk, an elegant new model the size of a sandwich, with a wafer-thin display propped up like a portrait frame.

Although my office mate is a brilliant man, he's a thumb-fingered klutz. For firmly held reasons of principle, he wanted to tweak the settings of his lovely new machine to make it use a reverse Polish notation command-line interface; this had to do with the massive digital archiving project on which he was forever working. The new machine demurred at adopting reverse Polish. Harry downloaded some freeware patches, intending to teach the device a lesson. You can guess how that worked out.

The techs took Harry's dead sandwich back to their lair, wiped its memory, and reinstalled the operating system. Once again its peppy screen shone atop his desk. But now Harry sulked, not wanting to use it.

"This is about my soul," he told me. "I've spent, what, 30 years creating a software replica of myself. Everything I've written: my email messages, my photos, and a lot of my conversations—and, yes, I'm taping this, Fletcher. A rich compost of Harry data. It's ready to germinate, ready to come to life. But these brittle machines thwart my immortality at every turn."

"You'd just be modeling yourself as a super chatbot, Harry. In the real world, we all die." I paused, thinking about Harry's attractive woman friend of many years. "It's a shame you never married Velma. You two could have had kids. Biology is the easy path to self-replication."

"You're not married either," said Harry, glaring at me. "And Velma says what you said, too." As if reaching a momentous decision, he snatched the shapely sandwich computer off his desk and put it on mine. "Very well then! I'll make my desk into a stinky bio farm."

Sure enough, when I came into the office on Monday, I found Harry's desk encumbered with a small biological laboratory. Harry and his woman friend Velma were leaning over it, fitting a data cable into a socket in the side of a Petri dish that sat beneath a bell jar.

"Hi Fletch," said Velma brightly. She was a terminally cheerful genomics professor with curly hair. "Harry wants me to help him reproduce as a slime mold."

"How romantic," I said. "Do you think it'll work?"

"Biocomputation has blossomed this year," said Velma. "The Durban-Krush mitochondrial protocols have solved our input/output problems."

"A cell's as much a universal computer as any of our department's junkboxes," put in Harry. "And just look at this! My entire wetware database is flowing into every [continued on p. 119]

Photograph by Flickr user dotlizard